D-Link DFL-260 Product Manual

D-Link DFL-260 - NetDefend - Security Appliance Manual

UPC - 790069296802

D-Link DFL-260 manual table of contents:

  • D-Link DFL-260 | Product Manual - Page 1
    Network Security Firewall User Manual DFL-210/ 800/1600/ 2500 DFL-260/ 860/1660/ 2560(G) Ver 2.27.01 Security Security Network Security Solution http://www.dlink.com
  • D-Link DFL-260 | Product Manual - Page 2
    User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2010-06-22 Copyright © 2010
  • D-Link DFL-260 | Product Manual - Page 3
    User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 Published 2010-06-22 ...and software, is protected under international copyright laws, with all rights reserved. Neither this manual, nor any of the material contained herein, may be reproduced without the ...
  • D-Link DFL-260 | Product Manual - Page 4
    ...77 3.1. The Address Book ...77 3.1.1. Overview ...77 3.1.2. IP Addresses ...77 3.1.3. Ethernet Addresses ...79 3.1.4. Address Groups ...80 3.1.5. Auto-Generated Address Objects ...81 3.1.6. Address Book Folders ...81 3.2. Services ...82 3.2.1. Overview ...82 3.2.2. Creating Custom Services ...83 4
  • D-Link DFL-260 | Product Manual - Page 5
    User Manual 3.2.3. ICMP Services ...86 3.2.4. Custom IP Protocol Services ...88 3.2.5. Service Groups ...88 3.2.6. Custom Service Timeouts ...89 3.3. Interfaces ...90 3.3.1. Overview ...90 3.3.2. Ethernet ... ...119 3.5.4. Editing IP rule set Entries ...120 3.5.5. IP Rule Set Folders ...121 ...
  • D-Link DFL-260 | Product Manual - Page 6
    ... Transparent Mode Scenarios ...213 4.7.4. Spanning Tree BPDU Support ...217 4.7.5. Advanced Settings for Transparent Mode ...218 5. DHCP Services ...223 5.1. ... The Signature Database ...311 6.4.5. Subscribing to the D-Link Anti-Virus Service ...311 6.4.6. Anti-Virus Options ...311 6.5. ...
  • D-Link DFL-260 | Product Manual - Page 7
    ... ...408 9.4.4. Fetching CRLs from an alternate LDAP server ...413 9.4.5. Troubleshooting with ikesnoop ...414 9.4.6. IPsec Advanced Settings ...421 9.5. PPTP/... ...430 9.5.4. PPTP/L2TP Clients ...431 9.6. CA Server Access ...434 9.7. VPN Troubleshooting ...437 9.7.1. General Troubleshooting ...437 7
  • D-Link DFL-260 | Product Manual - Page 8
    User Manual 9.7.2. Troubleshooting Certificates ...437 9.7.3. IPsec Troubleshooting Commands ...438 9.7.4. Management Interface Failure with VPN ...439 9.7.5. Specific Error Messages ...439 9.7.6. Specific Symptoms ...442 10. Traffic Management ...444 10.1. ...
  • D-Link DFL-260 | Product Manual - Page 9
    User Manual 13.1. IP Level Settings ...504 13.2. TCP Level Settings ...508 13.3. ICMP Level Settings ...513 13.4. State Settings ...514 13.5. Connection Timeout Settings ...516 13.6. Length Limit Settings ...518 13.7. Fragmentation Settings ...520 13.8. Local Fragment Reassembly Settings ...524 13...
  • D-Link DFL-260 | Product Manual - Page 10
    List of Figures 1.1. Packet Flow Schematic Part I ...23 1.2. Packet Flow Schematic Part II ...24 1.3. Packet Flow Schematic Part III ...25 1.4. Expanded Apply Rules Logic ...26 3.1. VLAN Connections ...99 3.2. An ARP Publish Ethernet Frame ...112 3.3. Simplified NetDefendOS Traffic Flow ...118 4.1....
  • D-Link DFL-260 | Product Manual - Page 11
    User Manual 10.10. Connections from Three Clients ...476 10.11. Stickiness and Round-Robin ...477 10.12. Stickiness and Connection-rate ...477 D.1. The 7 Layers of the OSI Model ...537 11
  • D-Link DFL-260 | Product Manual - Page 12
    ...Object ...79 3.5. Adding an Ethernet Address ...79 3.6. Listing the Available Services ...82 3.7. Viewing a Specific ...Service ...86 3.9. Adding an IP Protocol Service ...88 3.10. Defining a VLAN ...100 3.11... Synchronization using SNTP ...134 3.24. Manually Triggering a Time Synchronization ...135 3.25...
  • D-Link DFL-260 | Product Manual - Page 13
    User Manual 4.14. IGMP - No Address Translation ...201 4.15. if1 Configuration ...202 4.16. if2 Configuration - Group Translation ...203 4.17. Setting up Transparent Mode for Scenario 1 ...214 4.18. Setting up Transparent Mode for Scenario 2 ...215 5.1. Setting up a DHCP server ...225 5.2. Checking...
  • D-Link DFL-260 | Product Manual - Page 14
    ... in a new window (some systems may not allow this). For example, http://www.dlink.com. Screenshots This guide contains a minimum of screenshots. This is deliberate and is done because the manual deals specifically with NetDefendOS and administrators have a ...
  • D-Link DFL-260 | Product Manual - Page 15
    Preface items in the tree-view list at the left of the interface or in the menu bar or in a context menu need to be opened followed by information about the data items that need to be entered: 1. Go to Item X > Item Y > Item Z 2. Now enter: • DataItem1: datavalue1 • DataItem2: datavalue2 ...
  • D-Link DFL-260 | Product Manual - Page 16
    ... routing, as well as multicast routing capabilities. In addition, NetDefendOS supports features such as Virtual LANs, Route Monitoring, Proxy ... rejected by NetDefendOS. For functionality as well as security reasons, NetDefendOS supports policy-based address translation. Dynamic Address Translation (...
  • D-Link DFL-260 | Product Manual - Page 17
    ...Features Chapter 1. NetDefendOS Overview VPN NetDefendOS supports a range of Virtual Private Network (VPN) solutions. NetDefendOS supports IPsec, L2TP and PPTP based VPNs concurrently, can ... in Section 9.2, "VPN Quick Start". NetDefendOS supports TLS termination so that the NetDefend Firewall ...
  • D-Link DFL-260 | Product Manual - Page 18
    ... detailed event and logging capabilities plus support for monitoring through SNMP. More detailed ... should also be aware of the companion reference guides: • The CLI Reference Guide which details all NetDefendOS CLI commands. • The NetDefendOS Log Reference Guide which details all NetDefendOS log ...
  • D-Link DFL-260 | Product Manual - Page 19
    ... no means for receiving or sending traffic. The following types of interface are supported in NetDefendOS Physical interfaces - These correspond to the actual ... host and network addresses. Another example of logical objects are services which represent specific protocol and port combinations. Also ...
  • D-Link DFL-260 | Product Manual - Page 20
    1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview NetDefendOS Rule Sets Finally, rules which are defined by the administrator in the various rule sets are used for actually implementing NetDefendOS security policies. The most fundamental set of rules are the IP Rules, which are used to ...
  • D-Link DFL-260 | Product Manual - Page 21
    ... through the system. A corresponding state will be added to the connection table for matching subsequent packets belonging to the same connection. In addition, the service object which matched the IP protocol and ports might have contained a reference to an Application Layer Gateway (ALG) object. ...
  • D-Link DFL-260 | Product Manual - Page 22
    1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview processing such as encryption or encapsulation might occur. The next section provides a set of diagrams illustrating the flow of packets through NetDefendOS. 22
  • D-Link DFL-260 | Product Manual - Page 23
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 1.3. NetDefendOS State Engine Packet Flow The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next. It is not necessary...
  • D-Link DFL-260 | Product Manual - Page 24
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Figure 1.2. Packet Flow Schematic Part II The packet flow is continued on the following page. 24
  • D-Link DFL-260 | Product Manual - Page 25
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Figure 1.3. Packet Flow Schematic Part III 25
  • D-Link DFL-260 | Product Manual - Page 26
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Apply Rules The figure below presents the detailed logic of the Apply Rules function in Figure 1.2, "Packet Flow Schematic Part II" above. Figure 1.4. Expanded Apply Rules Logic 26
  • D-Link DFL-260 | Product Manual - Page 27
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 27
  • D-Link DFL-260 | Product Manual - Page 28
    Chapter 2. Management and Maintenance This chapter describes the management, operations and maintenance related aspects of NetDefendOS. • Managing NetDefendOS, page 28 • Events and Logging, page 55 • RADIUS Accounting, page 60 • Hardware Monitoring, page 65 • SNMP Monitoring, page 67 • ...
  • D-Link DFL-260 | Product Manual - Page 29
    ...used to do basic configuration through the boot menu. This menu can be entered by pressing any console key between power-up and NetDefendOS starting. ... use with the WebUI. Other browsers may also provide full support. Remote Management Policies Access to remote management interfaces can be regulated...
  • D-Link DFL-260 | Product Manual - Page 30
    ... to the management interface differs according to the NetDefend model as follows: • On the NetDefend DFL-210, 260, 800, 860, 1600 and 2500, the default management interface IP address is 192.168.1.1. • On the NetDefend DFL-1660, 2560 and 2560G, the default management interface ...
  • D-Link DFL-260 | Product Manual - Page 31
    ...NetDefendOS Setup Wizard to run since this appears in a popup window. Multi-language Support The Web Interface login dialog offers the option to select a language other than English for the interface. Language support is provided by a set of separate resource files. These files can be ...
  • D-Link DFL-260 | Product Manual - Page 32
    ... firewall which can be studied locally or sent to a technical support specialist to analyze a problem. This can be very useful since the information provided automatically includes many details that are required for troubleshooting. B. Navigator The navigator located on the left-hand side of ...
  • D-Link DFL-260 | Product Manual - Page 33
    ... the system. Logout by clicking on the Logout button at the right of the menu bar. Tip: Correctly routing management traffic If there is a problem with the management interface when communicating alongside VPN tunnels, check the main routing table and look for an all-nets route to the VPN tunnel. ...
  • D-Link DFL-260 | Product Manual - Page 34
    ...a complete reference for all CLI commands, see the separate D-Link CLI Reference Guide. The most often used CLI commands are add - Adds an ... user to move through the list of commands in the CLI command history. For example, pressing the up arrow key once will make the last command executed appear at...
  • D-Link DFL-260 | Product Manual - Page 35
    ...feature called tab completion which means that pressing the tab key will cause automatic completion .... If completion is not possible then pressing the tab key will alternatively display the possible ...add is entered and then the tab key is pressed, NetDefendOS displays all the available categories....
  • D-Link DFL-260 | Product Manual - Page 36
    ... all object types belong in a category. The object type UserAuthRule is a type without a category and will appear in the category list after pressing tab at the beginning of a command. The category is sometimes also referred to as a context. Selecting Object Categories With some categories, it is ...
  • D-Link DFL-260 | Product Manual - Page 37
    ...list position, or by alternatively using the name assigned to it. The CLI Reference Guide lists the parameter options available for each NetDefendOS object, including the ... port on your D-Link hardware, see the D-Link Quick Start Guide . To use the console port, you need the following equipment: • ...
  • D-Link DFL-260 | Product Manual - Page 38
    ... CLI Chapter 2. Management and Maintenance 4. Press the enter key on the terminal. The NetDefendOS login ...available for almost all hardware platforms. NetDefendOS supports version 1, 1.5 and 2 of the SSH protocol. SSH ... prompt. Enter your username and press the Enter key, followed by your password ...
  • D-Link DFL-260 | Product Manual - Page 39
    ... Firewall. This can be customized, for example, to my-prompt:/>, by using the CLI command: gw-world:/> set device name="my-prompt" The CLI Reference Guide uses the command prompt gw-world:/> throughout. Tip: The CLI prompt is the WebUI device name When the command line prompt is changed to a new ...
  • D-Link DFL-260 | Product Manual - Page 40
    ... the activate and commit commands, it is possible to explicitly check for any problems in a configuration using the command: gw-world:/> show -errors This...to scan the configuration about to be activated and list any problems. A possible problem that might be found in this way is a reference to an IP ...
  • D-Link DFL-260 | Product Manual - Page 41
    .... The sessionmanager command options are fully documented in the CLI Reference Guide. 2.1.5. CLI Scripts To allow the administrator to easily store and execute ... in the following sections. See also Section 2.1.4, "The CLI" in this manual. Only Four Commands are Allowed in Scripts The commands ...
  • D-Link DFL-260 | Product Manual - Page 42
    2.1.5. CLI Scripts Chapter 2. Management and Maintenance delete cc If any other command appears in a script file, it is ignored during execution and a warning message is output. For example, the ping command will be ignored. Executing Scripts As mentioned above, the script -execute command ...
  • D-Link DFL-260 | Product Manual - Page 43
    2.1.5. CLI Scripts Chapter 2. Management and Maintenance If an executing CLI script file encounters an error condition, the default behavior is for the script to terminate. This behavior can be overridden by using the -force option. To run a script file called my_script2.sgs in this way, the CLI ...
  • D-Link DFL-260 | Product Manual - Page 44
    2.1.5. CLI Scripts Chapter 2. Management and Maintenance gw-world:/> script -show -name=my_script.sgs Creating Scripts Automatically When the same configuration objects needs to be copied between multiple NetDefend Firewalls, then one way to do this with the CLI is to create a script file that ...
  • D-Link DFL-260 | Product Manual - Page 45
    2.1.6. Secure Copy Chapter 2. Management and Maintenance Any line in a script file that begins with the # character is treated as a comment. For example: # The following line defines the If1 IP address add IP4Address If1_ip Address=10.6.60.10 Scripts Running Other Scripts It is possible for one ...
  • D-Link DFL-260 | Product Manual - Page 46
    2.1.6. Secure Copy Chapter 2. Management and Maintenance File type (Upload possible / Download possible): Firmware upgrades (Yes / No); Certificates (Yes / No); SSH public keys (Yes / No); Web auth banner files (Yes / Yes); Web content filter banner files (Yes / Yes). NetDefendOS File organization NetDefendOS maintains a ...
  • D-Link DFL-260 | Product Manual - Page 47
    ..., there is a 3 second interval before NetDefendOS starts up and in that time the message Press any key to abort and load boot menu is displayed as shown below: If any console key is pressed during these 3 seconds then NetDefendOS startup pauses and the console boot menu is ...
  • D-Link DFL-260 | Product Manual - Page 48
    ...set then the initial options that appear when NetDefendOS loading is interrupted with a key press are shown below. The 1. Start firewall option re-continues the ...in the boot menu and entering nothing as the password and just pressing the Enter key to the prompt. The Console Password is Only for the...
  • D-Link DFL-260 | Product Manual - Page 49
    ... which certificate to use for HTTPS traffic. Only RSA certificates are supported. Default: HTTPS 2.1.9. Working with Configurations Configuration Objects The system ...of configuration objects are routing table entries, address book entries, service definitions, IP rules and so on. Each configuration ...
  • D-Link DFL-260 | Product Manual - Page 50
    ...listing of the objects. This example shows how to list all service objects. Command-Line Interface gw-...their respective type. Web Interface 1. Go to Objects > Services 2. A web page listing all ... the contents of a configuration object representing the telnet service. Command-Line Interface gw-world:/>...
  • D-Link DFL-260 | Product Manual - Page 51
    ... the corresponding property values. Web Interface 1. Go to Objects > Services 2. Click on the telnet hyperlink in the list 3. A web page displaying the...) 1000 Modified Comment Web Interface 1. Go to Objects > Services 2. Click on the telnet hyperlink in the list 3. In the Comments textbox, enter ...
  • D-Link DFL-260 | Product Manual - Page 52
    2.1.9. Working with Configurations Chapter 2. Management and Maintenance Important: Configuration changes must be activated Changes to a configuration object will not be applied to a running system until the new NetDefendOS configuration is activated. Example 2.6. Adding a Configuration Object ...
  • D-Link DFL-260 | Product Manual - Page 53
    2.1.9. Working with Configurations Chapter 2. Management and Maintenance Example 2.8. Undeleting a Configuration Object A deleted object can always be restored until the configuration has been activated and committed. This example shows how to restore the deleted IP4Address object shown in the ...
  • D-Link DFL-260 | Product Manual - Page 54
    2.1.9. Working with Configurations Chapter 2. Management and Maintenance default) during which a connection to the administrator must be re-established. As described previously, if the configuration was activated via the CLI with the activate command then a commit command must be issued within ...
  • D-Link DFL-260 | Product Manual - Page 55
    ...and health, but also allows auditing of network usage and assists in trouble-shooting. Log Message Generation NetDefendOS defines a large number of... list of all event messages can be found in the NetDefendOS Log Reference Guide. That guide also describes the design of event messages, the meaning of ...
  • D-Link DFL-260 | Product Manual - Page 56
    ... of level Info and above to configured log servers. The Debug category is intended for troubleshooting only and should only be turned on if required when trying to solve a problem. All log messages of all severity levels are found listed in the NetDefendOS...
  • D-Link DFL-260 | Product Manual - Page 57
    2.2.6. SNMP Traps Chapter 2. Management and Maintenance Syslog is a standardized protocol for sending log data although there is no standardized format for the log messages themselves. The format used by NetDefendOS is well suited to automated processing, filtering and searching. Although the ...
  • D-Link DFL-260 | Product Manual - Page 58
    ...trap Severity - Severity of the message Category - What NetDefendOS subsystem is reporting the problem ID - Unique identification within the category Description - A ... taking This information can be cross-referenced to the Log Reference Guide. Note: SNMP Trap standards NetDefendOS sends SNMP Traps ...
  • D-Link DFL-260 | Product Manual - Page 59
    2.2.7. Advanced Log Settings Chapter 2. Management and Maintenance Web Interface 1. Go to Log & Event Receivers > Add > SNMP2cEventReceiver 2. Specify a name for the event receiver, for example my_snmp 3. Enter 195.11.22.55 as the IP Address 4. Enter an SNMP Community String if needed by the ...
  • D-Link DFL-260 | Product Manual - Page 60
    ... reducing administration complexity. The Remote Authentication Dial-in User Service (RADIUS) is an Authentication, Authorization and Accounting (AAA...by NetDefendOS are Type - Marks this AccountingRequest as signalling the beginning of the service (START). ID - A unique identifier to enable matching ...
  • D-Link DFL-260 | Product Manual - Page 61
    2.3.2. RADIUS Accounting Messages Chapter 2. Management and Maintenance authentication server. • How Authenticated - How the user was authenticated. This is set to either RADIUS if the user was authenticated via RADIUS, or LOCAL if the user was authenticated via a local user database. Delay ...
  • D-Link DFL-260 | Product Manual - Page 62
    2.3.3. Interim Accounting Messages Chapter 2. Management and Maintenance Tip: The meaning of the asterisk after a list entry The asterisk "*" symbol after an entry in the list above indicates that the sending of the parameter is optional and is configurable. 2.3.3. Interim Accounting Messages In...
  • D-Link DFL-260 | Product Manual - Page 63
    ... that accounting information should be stored for a specific authenticated user. A problem with accounting information synchronization could occur if an ... out before it is synchronized on the inactive unit. To get around this problem, a special AccountingUpdate event is sent to the passive unit on a ...
  • D-Link DFL-260 | Product Manual - Page 64
    ... This example shows configuring of a local RADIUS server known as radius-accounting with IP address 123.04.03.01 using port 1813. Web Interface 1. Go to ... Servers > Add > Radius Server 2. Now enter: Name: radius-accounting; IP Address: 123.04.03.01; Port: 1813; Retry Timeout: 2; Shared Secret: enter a ...
  • D-Link DFL-260 | Product Manual - Page 65
    .... This feature is referred to as Hardware Monitoring. The D-Link NetDefend models that currently support hardware monitoring are the DFL-1600, 1660, 2500, 2560 and 2560G. Configuring and performing hardware monitoring can be done either through the...
  • D-Link DFL-260 | Product Manual - Page 66
    2.4. Hardware Monitoring Chapter 2. Management and Maintenance The -verbose option displays the current values plus the configured ranges: gw-world:/> hwm -a -v 2 sensors available Poll interval time = 500ms Name [type][number] = low_limit] current_value [high_limit (unit SYS Temp [TEMP ][ 0] = ...
  • D-Link DFL-260 | Product Manual - Page 67
    ... can connect to a network device which supports the SNMP protocol to query and control it. NetDefendOS supports SNMP version 1 and version 2. Connection can be made by any SNMP ... are permitted for security reasons. Specifically, NetDefendOS supports the following SNMP request operations by a client ...
  • D-Link DFL-260 | Product Manual - Page 68
    2.5.1. SNMP Advanced Settings Chapter 2. Management and Maintenance SNMP access. Port 161 is usually used for SNMP and NetDefendOS always expects SNMP traffic on that port. Remote Access Encryption It should be noted that SNMP Version 1 or 2c access means that the community string will be sent ...
  • D-Link DFL-260 | Product Manual - Page 69
    2.5.1. SNMP Advanced Settings Chapter 2. Management and Maintenance Default: Enabled SNMP Request Limit Maximum number of SNMP requests that will be processed each second by NetDefendOS. Should SNMP requests exceed this rate then the excess requests will be ignored by NetDefendOS. Default: 100 ...
  • D-Link DFL-260 | Product Manual - Page 70
    ... .cap which is the defacto libpcap library file format standard for packet capture. The complete syntax of the pcapdump command is described in the CLI Reference Guide. A Simple Example An example of pcapdump usage is the following sequence: gw-world:/> gw-world:/> gw-world:/> gw-world:/> gw-world...
  • D-Link DFL-260 | Product Manual - Page 71
    2.6. The pcapdump Command Chapter 2. Management and Maintenance It is possible to have multiple pcapdump executions being performed at the same time. The following points describe this feature: 1. All capture from all executions goes to the same memory buffer. The command can be launched multiple...
  • D-Link DFL-260 | Product Manual - Page 72
    2.6. The pcapdump Command Chapter 2. Management and Maintenance The name of the file used for pcapdump output must comply with the following rules Excluding the filename extension, the name may not exceed 8 characters in length. The filename extension cannot exceed 3 characters in length. The ...
  • D-Link DFL-260 | Product Manual - Page 73
    ... protection against the latest threats. To facilitate the Auto-Update feature D-Link maintains a global infrastructure of servers providing update services for NetDefend Firewalls. To ensure availability and low response times, NetDefendOS employs a mechanism for automatically selecting the most ...
  • D-Link DFL-260 | Product Manual - Page 74
    ... example we will backup the entire system on 12 December 2008. Web Interface 1. Go to Maintenance > Backup 2. The Backup dialog will be shown 3. Press the Backup configuration button 4. A file dialog is shown - choose a directory for the created file 5. Download of the backup file will then start ...
  • D-Link DFL-260 | Product Manual - Page 75
    ... DFL-210, 260, 800 and 860 To reset the NetDefend DFL-210/260/800/860 models, hold down the reset button located at the rear of ... assigned to the LAN interface. Reset Procedure for the NetDefend DFL-1600, 1660, 2500, 2560 and 2560G To reset the DFL-1600/1660/2500/2560/2560G models, press any key...
  • D-Link DFL-260 | Product Manual - Page 76
    2.7.3. Restore to Factory Defaults Chapter 2. Management and Maintenance 76
  • D-Link DFL-260 | Product Manual - Page 77
    ... administrator. In addition, the chapter explains the different interface types and explains how security policies are constructed by the administrator. • The Address Book, page 77 • Services, page 82 • Interfaces, page 90 • ARP, page 108 • IP Rule Sets, page 116 • Schedules, page 126 • ...
  • D-Link DFL-260 | Product Manual - Page 78
    3.1.2. IP Addresses Chapter 3. Fundamentals IP Network An IP Network is represented using Classless Inter-Domain Routing (CIDR) form. CIDR uses a forward slash and a number (0-32) as a postfix to denote the size of the network. This is also known as the netmask. /24 corresponds to a class C net ...
  • D-Link DFL-260 | Product Manual - Page 79
    3.1.3. Ethernet Addresses Chapter 3. Fundamentals This example adds a range of IP addresses from 192.168.10.16 to 192.168.10.21 and names the range wwwservers: Command-Line Interface gw-world:/> add Address IP4Address wwwservers Address=192.168.10.16-192.168.10.21 Web Interface 1. 2. 3. 4. Go to...
  • D-Link DFL-260 | Product Manual - Page 80
    3.1.4. Address Groups Chapter 3. Fundamentals The following example adds an Ethernet Address object named wwwsrv1_mac with the numerical MAC address 08-a3-67-bc-2e-f2. Command-Line Interface gw-world:/> add Address EthernetAddress wwwsrv1_mac Address=08-a3-67-bc-2e-f2 Web Interface 1. 2. 3. 4. ...
  • D-Link DFL-260 | Product Manual - Page 81
    3.1.6. Address Book Folders Chapter 3. Fundamentals 3.1.5. Auto-Generated Address Objects To simplify the configuration, a number of address objects in the address book are automatically created by NetDefendOS when the system starts for the first time and these objects are used in various parts ...
  • D-Link DFL-260 | Product Manual - Page 82
    ...reference to a specific IP protocol with associated parameters. A service definition is usually based on one of the major ...and/or destination port number(s). For example, the HTTP service is defined as using the TCP protocol with the associated... Comments All ICMP, TCP and UDP services All TCP and UDP...
  • D-Link DFL-260 | Product Manual - Page 83
    ...-Line Interface gw-world:/> show Service ServiceTCPUDP echo The output will look similar... the requirements for certain traffic then a new service can be created. Reading this section will explain... based on the UDP or TCP protocol or both. This type of service is discussed further in this section. ICMP...
  • D-Link DFL-260 | Product Manual - Page 84
    ... is used. Apart from a unique name describing the service, the object contains information about what protocol (TCP,... what source and destination ports are applicable for the service. Specifying Port Numbers Port numbers ... using only a single TCP/UDP service object. For example, all Microsoft Windows...
  • D-Link DFL-260 | Product Manual - Page 85
    ... this is always within a limited range of values. Making the service definition as narrow as possible is the recommended approach. Other Service ... 6.2, "ALGs". • Max Sessions An important parameter associated with a service is Max Sessions. This parameter is allocated a default value when the ...
  • D-Link DFL-260 | Product Manual - Page 86
    ... this is not recommended and specifying a narrower service provides better security. If, for example,... of TCP, UDP and ICMP then the service group all_tcpudpicmp can be used instead... only the protocols that are absolutely necessary. The all_tcpudpicmp service object is often a first choice for general...
  • D-Link DFL-260 | Product Manual - Page 87
    ...to a destination in order to check connectivity. The source is told that a problem has occurred when delivering a packet. There are codes ...the network Code 3: Redirect datagrams for the Type of Service and the host Parameter Problem Echo Reply Source Quenching Time Exceeded Identifies an incorrect ...
  • D-Link DFL-260 | Product Manual - Page 88
    ... IP protocol numbers can be used to specify multiple applications for one service. For example, specifying the range 1-4,7 will match the protocols ICMP, IGMP, ... as the name suggests, a NetDefendOS object that consists of a collection of services. Although the group concept is simple, it can be very ...
  • D-Link DFL-260 | Product Manual - Page 89
    3.2.6. Custom Service Timeouts Chapter 3. Fundamentals configuration and decrease the ability to troubleshoot problems. 3.2.6. Custom Service Timeouts Any service can have its custom timeouts set. These can also be set globally in NetDefendOS but it is ...
  • D-Link DFL-260 | Product Manual - Page 90
    ... itself is the source or destination for traffic. Interface Types NetDefendOS supports a number of interface types, which can be divided into ... Firewall will pass through one of the physical interfaces. NetDefendOS currently supports Ethernet as the only physical interface type. For more information...
  • D-Link DFL-260 | Product Manual - Page 91
    ... type of tunnel interface. For example, when routing traffic over an IPsec interface, the payload is usually encrypted to achieve confidentiality. NetDefendOS supports the following tunnel interface types: i. ii. IPsec interfaces are used as end-points for IPsec VPN tunnels. More information about ...
  • D-Link DFL-260 | Product Manual - Page 92
    ... an interface named dmz is connected to a wireless LAN, it might be convenient to change the interface name to radio. For maintenance and troubleshooting, it is recommended to tag the corresponding physical port with the new name. Note: Interface enumeration The startup process will enumerate all ...
  • D-Link DFL-260 | Product Manual - Page 93
    ... lanN, wanN and dmz, where N represents the number of the interface if your NetDefend Firewall has more than one of these interfaces. In most of the examples in this guide lan is used for LAN traffic and wan is used for WAN traffic. If your NetDefend Firewall does not have these interfaces, please ...
  • D-Link DFL-260 | Product Manual - Page 94
    3.3.2. Ethernet Interfaces Chapter 3. Fundamentals allocated to NetDefendOS address objects with the names _dns1 and _dns2. Note: A gateway IP cannot be deleted with DHCP enabled If DHCP is enabled for a given Ethernet interface then any gateway IP address that is...
  • D-Link DFL-260 | Product Manual - Page 95
    ... sent on this interface. By default, the interface uses the maximum size supported. • High Availability There are two options which are specific ... to disable the sending of HA cluster heartbeats from this interface. • Quality Of Service The option exists to copy the IP DSCP precedence to the ...
  • D-Link DFL-260 | Product Manual - Page 96
    3.3.2. Ethernet Interfaces Chapter 3. Fundamentals Property Value Name: wan_ip Address: 0.0.0.0 UserAuthGroups: NoDefinedCredentials: No Comments: IP address of interface wan To show the current interface assigned to the network wan_net: gw-world:/> show Address IP4Address ...
  • D-Link DFL-260 | Product Manual - Page 97
    ...=0 PCISlot=0 PCIPort=2 For a complete list of all CLI options see the CLI Reference Guide. 3.3.3. VLAN Overview Virtual LAN (VLAN) support in NetDefendOS allows the definition of one or more Virtual LAN interfaces which are associated with a particular ...
  • D-Link DFL-260 | Product Manual - Page 98
    3.3.3. VLAN Chapter 3. Fundamentals As explained in more detail below, VLAN configuration with NetDefendOS involves a combination of VLAN trunks from the NetDefend Firewall to switches and these switches are configured with port based VLANs on their interfaces. Any physical firewall interface can...
  • D-Link DFL-260 | Product Manual - Page 99
    ... This link acts as a VLAN trunk. The switch used must support port based VLANs. This means that each port on the...to carry traffic with the same VLAN ID. Note: 802.1ad is not supported NetDefendOS does not support the IEEE 802.1ad (provider bridges) standard which allows VLANs to be run inside other ...
  • D-Link DFL-260 | Product Manual - Page 100
    3.3.3. VLAN Chapter 3. Fundamentals License Limitations The number of VLAN interfaces that can be defined for a NetDefendOS installation is limited by the parameters of the license used. Different hardware models have different licenses and different limits on VLANs. Summary of VLAN Setup Below ...
  • D-Link DFL-260 | Product Manual - Page 101
... often require customers to connect through PPPoE to their broadband service. Using PPPoE the ISP can implement security and ...PPP Authentication PPP authentication is optional with PPP. Authentication protocols supported are Password Authentication Protocol (PAP), Challenge Handshake Authentication ...
  • D-Link DFL-260 | Product Manual - Page 102
    .... The PPPoE client can be configured to use a service name to distinguish between different servers... PPPoE When NetDefendOS acts as a PPPoE client, support for unnumbered PPPoE is provided by default. The additional... to users. These IP addresses are then manually entered into client computers. The ISP...
  • D-Link DFL-260 | Product Manual - Page 103
    ... Remote Network: all-nets (as we will route all traffic into the tunnel) Service Name: Service name provided by the service provider ...Username provided by the service provider Password: Password provided by the service provider Confirm Password: Retype the password Under Authentication specify which ...
  • D-Link DFL-260 | Product Manual - Page 104
... it is necessary to transit through a network device which does not support multicasting. GRE allows tunneling through the network device. GRE ...This option would normally be checked in order that the routing table is automatically updated. The alternative is to manually create the required route.
  • D-Link DFL-260 | Product Manual - Page 105
    3.3.5. GRE Tunnels Chapter 3. Fundamentals • Address to use as source IP - It is possible to specify a particular IP address as the source interface IP for the GRE tunnel. The tunnel setup will appear to be initiated by this IP address instead of the IP address of the interface that actually ...
  • D-Link DFL-260 | Product Manual - Page 106
... Src Net lannet remote_net_B Dest Int GRE_to_B lan Dest Net remote_net_B lannet Service All All 4. Setup for NetDefend Firewall "B" Assuming that the network 192.168.... Src Net lannet remote_net_A Dest Int GRE_to_A lan Dest Net remote_net_A lannet Service All All 4. Checking GRE Tunnel Status
  • D-Link DFL-260 | Product Manual - Page 107
3.3.6. Interface Groups Chapter 3. Fundamentals IPsec tunnels have a status of being either up or not up. With GRE tunnels in NetDefendOS this doesn't really apply. The GRE tunnel is up if it exists in the configuration. However, we can check on what is going on with a GRE tunnel. For example...
  • D-Link DFL-260 | Product Manual - Page 108
    3.4. ARP Chapter 3. Fundamentals 3.4. ARP 3.4.1. Overview Address Resolution Protocol (ARP) allows the mapping of a network layer protocol (OSI layer 3) address to a data link layer hardware address (OSI layer 2). In data networks it is used to resolve an IP address into its corresponding ...
  • D-Link DFL-260 | Product Manual - Page 109
    ... never reach its destination. After the ARP entry expiration time, NetDefendOS will learn the new MAC address of the host but sometimes it may be necessary to manually force the update. The easiest way to achieve this is by flushing the ARP cache. This deletes all dynamic ARP entries from the cache ...
  • D-Link DFL-260 | Product Manual - Page 110
    ...MAC address. Some network devices, such as wireless modems, can have such problems. It may also be used to lock an IP address to a specific MAC address for increasing security or to avoid denial-of-service if there are rogue users in a network. However, such protection only applies ...
  • D-Link DFL-260 | Product Manual - Page 111
... the following: IP Address: 192.168.10.15; MAC: 4b-86-f6-c5-a2-14 4. Click OK Published ARP Objects NetDefendOS supports publishing IP addresses on a particular interface, optionally along with a specific MAC address instead of the interface's MAC address. NetDefendOS will then send out ...
  • D-Link DFL-260 | Product Manual - Page 112
    3.4.4. Using ARP Advanced Settings Chapter 3. Fundamentals Figure 3.2. An ARP Publish Ethernet Frame The Publish option uses the real MAC address of the sending interface for the address (1) in the Ethernet frame. In rare cases, some network equipment will require that both MAC addresses in the ...
  • D-Link DFL-260 | Product Manual - Page 113
    ... an existing entry in the ARP cache. Allowing this to take place may allow hijacking of local connections. However, not allowing this may cause problems if, for example, a network adapter is replaced since NetDefendOS will not accept the new address until the previous ARP cache entry has timed out. ...
  • D-Link DFL-260 | Product Manual - Page 114
    ...an existing item in the ARP table. Allowing this to take place may facilitate hijacking of local connections. However, not allowing this may cause problems if, for example, a network adapter is replaced, as NetDefendOS will not accept the new address until the previous ARP table entry has timed out....
  • D-Link DFL-260 | Product Manual - Page 115
    3.4.5. ARP Advanced Settings Summary Chapter 3. Fundamentals Default: 900 seconds (15 minutes) ARP Expire Unknown Specifies in seconds how long NetDefendOS is to remember addresses that cannot be reached. This is done to ensure that NetDefendOS does not continuously request such addresses. ...
  • D-Link DFL-260 | Product Manual - Page 116
    ... type. Examples are HTTP and ICMP. Service objects also define any ALG which ... traffic NetDefendOS provides a large number of predefined service objects but administrator defined custom ... about this topic. Destination Interface Destination Network Service The NetDefendOS Security Policy Rule Sets ...
  • D-Link DFL-260 | Product Manual - Page 117
    ... what interface to what interface traffic flows. From what network to what network the traffic flows. What kind of protocol is affected (the service). What action the rule will take when a match on the filter triggers. Specifying Any Interface or Network When specifying the filtering criteria in ...
  • D-Link DFL-260 | Product Manual - Page 118
    3.5.2. IP Rule Evaluation Chapter 3. Fundamentals all source/destination networks/interfaces, and with logging enabled, is placed as the last rule in the IP rule set. This is often referred to as a drop all rule. Traffic Flow Needs an IP Rule and a Route As stated above, when NetDefendOS is ...
  • D-Link DFL-260 | Product Manual - Page 119
    ... the NetDefend Firewall. If the action is Drop or Reject then the new connection is refused. Tip: Rules in the wrong order sometimes cause problems It is important to remember the principle that NetDefendOS searches the IP rules from top to bottom, looking for the first matching rule. If an IP rule...
  • D-Link DFL-260 | Product Manual - Page 120
3.5.4. Editing IP rule set Entries Chapter 3. Fundamentals Destination Network; Service When an IP rule is triggered by a match then one of the following Actions can ... various rules to the rule set editing any rule can be achieved in the Web Interface by right clicking on that line.
  • D-Link DFL-260 | Product Manual - Page 121
... create the IP rule: gw-world:/main> add IPRule Action=Allow Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=wan DestinationNetwork=all-nets Name=...rule, for example LAN_HTTP Now enter Name: A suitable name for the rule. For example lan_http Action: Allow Service: http
  • D-Link DFL-260 | Product Manual - Page 122
    ...way to document the contents of NetDefendOS configurations. This can be very useful for someone seeing a configuration for the first time, such as technical support staff. In an IP rule set that contains hundreds of rules it can often prove difficult to quickly identify those rules associated with a...
  • D-Link DFL-260 | Product Manual - Page 123
... be displayed which allows two functions: • Specify the Title The title of the group can be any text that is required and can contain new lines as well as empty lines. There is also no requirement that the group name is unique since it is used purely as a label. • Change the Display Color
  • D-Link DFL-260 | Product Manual - Page 124
    3.5.6. Configuration Object Groups Chapter 3. Fundamentals Any color can be chosen for the group. The color can be selected from the 16 predefined color boxes or entered as a hexadecimal RGB value. In addition, when the hexadecimal value box is selected, a full spectrum color palette appears ...
  • D-Link DFL-260 | Product Manual - Page 125
.... However, a folder cannot be part of a group. Groups collect together related basic objects and a folder is not of this type. It is possible, on the other hand, to use groups within a folder. It is up to the administrator how best to use these features to arrange NetDefendOS objects.
  • D-Link DFL-260 | Product Manual - Page 126
    3.6. Schedules Chapter 3. Fundamentals 3.6. Schedules In some scenarios, it might be useful to control not only what functionality is enabled, but also when that functionality is being used. For instance, the IT policy of an enterprise might stipulate that web traffic from a certain department is...
  • D-Link DFL-260 | Product Manual - Page 127
    ... IP rule: gw-world:/main> add IPRule Action=NAT Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=any DestinationNetwork=...: AllowHTTP 3. Select the following from the dropdown lists Action: NAT Service: http Schedule: OfficeHours SourceInterface: lan SourceNetwork lannet ...
  • D-Link DFL-260 | Product Manual - Page 128
... Certificates Chapter 3. Fundamentals 3.7. Certificates 3.7.1. Overview X.509 NetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. ... key distribution and entity authentication. References in this manual to a certificate mean an X.509 certificate. A certificate is a ...
  • D-Link DFL-260 | Product Manual - Page 129
    ... from where the CRL can be downloaded. In some cases, certificates do not contain this field. In those cases the location of the CRL has to be configured manually. A CA usually updates its CRL at a given interval. The length of this interval depends on how the CA is configured. Typically, this is ...
  • D-Link DFL-260 | Product Manual - Page 130
    ...509 Certificate Upload a remote certificate Click OK and follow the instructions Example 3.19. Associating Certificates with IPsec Tunnels To associate an ... .cer and .key files required by NetDefendOS. It is possible, however, to manually create the required files for a Windows CA server using the ...
  • D-Link DFL-260 | Product Manual - Page 131
    3.7.3. CA Certificate Requests Chapter 3. Fundamentals • Take out the relevant parts of the .pem file to form the required .cer and .key files. The detailed steps for the above stages are as follows: 1. 2. Create the gateway certificate on the Windows CA server and export it to a .pfx file on...
  • D-Link DFL-260 | Product Manual - Page 132
    ...synchronized with other equipment in the network. Time Synchronization Protocols NetDefendOS supports the optional use of Time Synchronization Protocols in order to ... Time The administrator can set the date and time manually and this is recommended when a new NetDefendOS installation is started for ...
  • D-Link DFL-260 | Product Manual - Page 133
... there can be variations within the same country. For this reason, NetDefendOS does not automatically know when to adjust for DST. Instead, this information has to be manually provided if daylight saving time is to be used. There are two parameters governing daylight saving time: the DST period and ...
  • D-Link DFL-260 | Product Manual - Page 134
    ... for retrieving time information from external Time Servers. NetDefendOS supports the following time synchronization protocols: • SNTP Defined by RFC...Protocol (UDP/TIME) is an older method of providing time synchronization service over the Internet. The protocol provides a site-independent, machine...
  • D-Link DFL-260 | Product Manual - Page 135
    ... not specified when using the CLI to set the synchronization interval, the default of 86400 seconds (equivalent to one day) is used. Example 3.24. Manually Triggering a Time Synchronization Time synchronization can be triggered from the CLI. The output below shows a typical response. Command-Line ...
  • D-Link DFL-260 | Product Manual - Page 136
    ... time synchronization has just been enabled and the initial time difference is greater than the maximum adjust value. It is then possible to manually force a synchronization and disregard the maximum adjustment parameter. Example 3.26. Forcing Time Synchronization This example demonstrates how to ...
  • D-Link DFL-260 | Product Manual - Page 137
    3.8.4. Settings Summary for Date and Time Time zone offset in minutes. Default: 0 Chapter 3. Fundamentals DST Offset Daylight saving time offset in minutes. Default: 0 DST Start Date What month and day DST starts, in the format MM-DD. Default: none DST End Date What month and day DST ends, in ...
  • D-Link DFL-260 | Product Manual - Page 138
3.8.4. Settings Summary for Date and Time Maximum time drift in seconds that a server is allowed to adjust. Default: 600 Chapter 3. Fundamentals Group interval Interval according to which server responses will be grouped. Default: 10
  • D-Link DFL-260 | Product Manual - Page 139
    3.9. DNS Chapter 3. Fundamentals 3.9. DNS Overview A DNS server can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. FQDNs are unambiguous textual domain names which specify a node's unique position in the Internet's DNS tree hierarchy. FQDN resolution ...
  • D-Link DFL-260 | Product Manual - Page 140
    ...feature solves this problem. Under System > Misc. Clients in the WebUI, several dynamic DNS services ...CLI console command httpposter can be used to troubleshoot problems by seeing what NetDefendOS is sending and... of server queries can cause problems Dynamic DNS services are often sensitive to repeated...
  • D-Link DFL-260 | Product Manual - Page 141
3.9. DNS Chapter 3. Fundamentals
  • D-Link DFL-260 | Product Manual - Page 142
... up routing is crucial for the system to function as expected. NetDefendOS offers support for the following types of routing mechanisms: Static routing; Dynamic routing. NetDefendOS additionally supports route monitoring to achieve route and link redundancy with fail...
  • D-Link DFL-260 | Product Manual - Page 143
    .... The word "static" refers to the fact that entries in the routing table are manually added and are therefore permanent (or static) by nature. Due ... However, for larger networks, or whenever the network topology is complex, the work of manually maintaining static routing tables can be time-consuming ...
  • D-Link DFL-260 | Product Manual - Page 144
    4.2.1. The Principles of Routing Chapter 4. Routing This parameter usually doesn't need to be specified. If it is specified, NetDefendOS responds to ARP queries sent to this address. A special section below explains this parameter in more depth. Local IP Address and Gateway are mutually exclusive...
  • D-Link DFL-260 | Product Manual - Page 145
    ... to the physical interface. Clients on this second network won't then be able to communicate with the NetDefend Firewall because ARP won't function between the clients and the interface. To solve this problem we would add a new route to NetDefendOS which would have the following parameters: 145
  • D-Link DFL-260 | Product Manual - Page 146
4.2.1. The Principles of Routing Chapter 4. Routing Interface: The interface on which the second network is found. Network: The IP address range of the second network. Local IP Address: An address within the second network's IP range. When the Default Gateway of the second network's...
  • D-Link DFL-260 | Product Manual - Page 147
    ... is specified as Core. 4.2.2. Static Routing This section describes how routing is implemented in NetDefendOS, and how to configure static routing. NetDefendOS supports multiple routing tables. A default table called main is predefined and is always present in NetDefendOS. However, additional and ...
  • D-Link DFL-260 | Product Manual - Page 148
    4.2.2. Static Routing Chapter 4. Routing Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.10 20 10.0.0.0 255.0.0.0 10.4.2.143 10.4.2.143 1 10.4.2.143 255.255.255.255 127.0.0.1 127.0.0.1 50 10.255.255.255 255.255.255.255 10.4.2.143 10.4.2....
  • D-Link DFL-260 | Product Manual - Page 149
    4.2.2. Static Routing Chapter 4. Routing when the routing table contents are displayed. These routing table changes can take place for different reasons. For example, if dynamic routing with OSPF has been enabled then routing tables will become populated with new routes learned from communicating...
  • D-Link DFL-260 | Product Manual - Page 150
    ... metric assigned to the default routes automatically created for the physical interfaces is always 100. These automatically added routes cannot be removed manually by deleting them one at a time from a routing table. Instead, the properties of the interface must be selected and the advanced option ...
  • D-Link DFL-260 | Product Manual - Page 151
    ... routes command. Please see the CLI Reference Guide. 4.2.3. Route Failover Overview NetDefend Firewalls ... to the external Internet via a single Internet Service Provider (ISP) fails. It is therefore not ... using a secondary ISP. The connections to the two service providers often use different routes ...
  • D-Link DFL-260 | Product Manual - Page 152
    ...created route, the route should first be deleted and then recreated manually as a new route. Monitoring can then be enabled on the new route. Setting the Route Metric When specifying routes, the administrator should manually set a route's Metric. The metric is a positive integer that indicates how ...
  • D-Link DFL-260 | Product Manual - Page 153
    ...If this could happen, it is necessary to take some precautionary steps to ensure that policies and existing connections will be maintained. To illustrate the problem, consider the following configuration: Firstly, there is one IP rule that will NAT all HTTP traffic destined for the Internet through ...
  • D-Link DFL-260 | Product Manual - Page 154
    ...route should fail. There are, however, some problems with this setup: if a route failover occurs,...link to a local switch may not indicate a problem in another part of the internal network. Host ...can be used to help in setting the acceptable Quality of Service level of Internet response times. Internet...
  • D-Link DFL-260 | Product Manual - Page 155
    ... enabled and a single route can have multiple hosts associated with it for monitoring. Multiple hosts can provide a higher certainty that any network problem resides in the local network rather than because one remote host itself is down. In association with Host Monitoring there are two numerical ...
  • D-Link DFL-260 | Product Manual - Page 156
    4.2.5. Advanced Settings for Route Failover Chapter 4. Routing The Reachability Required option An important option that can be enabled for a host is the Reachability Required option. When this is selected, the host must be determined as accessible in order for that route to be considered to be ...
  • D-Link DFL-260 | Product Manual - Page 157
    4.2.6. Proxy ARP Chapter 4. Routing Ping poll interval The time in milliseconds between sending a Ping to hosts. Default: 1000 Grace time The length of time in seconds between startup or reconfigure and monitoring start. Default: 30 Consecutive fails The number of consecutive failures that ...
  • D-Link DFL-260 | Product Manual - Page 158
    4.2.6. Proxy ARP Chapter 4. Routing pretending to be the target host. After receiving the reply, Host A then sends data directly to NetDefendOS which forwards the data to host B. In the process NetDefendOS checks the traffic against the configured rule sets. Setting Up Proxy ARP Setting up proxy...
  • D-Link DFL-260 | Product Manual - Page 159
... created routes have a special status in the NetDefendOS configuration and are treated differently. If Proxy ARP is required on an automatically created route, the route should first be deleted and then manually recreated as a new route. Proxy ARP can then be enabled on the new route.
  • D-Link DFL-260 | Product Manual - Page 160
    ... proxies such as Web caches. Specific services might also be routed to a specific ISP ...use different ISPs, subscribing to different providers. Service-based Routing User based Routing... Routing rule can be triggered by the type of service (HTTP for example) in combination with the Source/Destination ...
  • D-Link DFL-260 | Product Manual - Page 161
    ... anything not explicitly matched. A search is now made for a Policy-based Routing Rule that matches the packet's source/destination interface/network as well as service. If a matching rule is found then this determines the routing table to use. If no Routing Rule is found then the main table will be...
  • D-Link DFL-260 | Product Manual - Page 162
    4.3.5. The Ordering parameter Chapter 4. Routing Important: Ensure all-nets appears in the main table A common mistake with policy-based routing is the absence of the default route with a destination interface of all-nets in the default main routing table. If there is no route that is an exact ...
  • D-Link DFL-260 | Product Manual - Page 163
    ...Routing Policy: Source Interface lan1 wan2 Source Range 10.10.10.0/24 all-nets Destination Interface wan2 lan1 Destination Range all-nets 20.20.20.0/24 Selected/ Service ALL ALL Forward VR table r2 r2 Return VR table r2 r2 To configure this example scenario: Web Interface 1. 2. 3. 4. Add the routes...
  • D-Link DFL-260 | Product Manual - Page 164
4.3.5. The Ordering parameter Chapter 4. Routing Note: Rules in the above example are added for both inbound and outbound connections.
  • D-Link DFL-260 | Product Manual - Page 165
    4.4. Route Load Balancing Chapter 4. Routing 4.4. Route Load Balancing Overview NetDefendOS provides the option to perform Route Load Balancing (RLB). This is the ability to distribute traffic over multiple alternate routes using one of a number of distribution algorithms. The purpose of this ...
  • D-Link DFL-260 | Product Manual - Page 166
    4.4. Route Load Balancing Chapter 4. Routing done according to which algorithm is selected in the table's RLB Instance object: • Round Robin Successive routes are chosen from the matching routes in a "round robin" fashion provided that the metric of the routes is the same. This results in route...
  • D-Link DFL-260 | Product Manual - Page 167
    4.4. Route Load Balancing Chapter 4. Routing Figure 4.6. The RLB Spillover Algorithm Spillover Limits are set separately for ingoing and outgoing traffic with only one of these typically being specified. If both are specified then only one of them needs to be exceeded continuously for Hold Timer ...
  • D-Link DFL-260 | Product Manual - Page 168
    4.4. Route Load Balancing Chapter 4. Routing When that new route's interface limits are also exceeded then the route with the next highest metric is taken and so on. As soon as any route with a lower metric falls below its interface limit for its Hold Timer number of seconds, then it reverts to ...
  • D-Link DFL-260 | Product Manual - Page 169
... lannet lannet Dest Interface Dest Network WAN1 WAN2 all-nets all-nets Service All All The service All is used in the above IP rules but this should be further refined to a service or service group that covers all the traffic that will be allowed to flow. Example ...
  • D-Link DFL-260 | Product Manual - Page 170
    ... with VPN, a number of issues need to be overcome. If we were to try and use RLB to balance traffic between two IPsec tunnels, the problem that arises is that the Remote Endpoint for any two IPsec tunnels in NetDefendOS must be different. The solutions to this issue are as follows: • Use two ISPs,...
  • D-Link DFL-260 | Product Manual - Page 171
... added into local routing tables. Dynamic routing responds to routing updates dynamically but has some disadvantages in that it can be more susceptible to certain problems such as routing loops. One of two types of algorithm is generally used to implement the dynamic routing mechanism: • • A ...
  • D-Link DFL-260 | Product Manual - Page 172
... on all D-Link NetDefend models The OSPF feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. OSPF is not available on the DFL-210 and 260. An OSPF enabled router first identifies the routers and sub-networks ...
  • D-Link DFL-260 | Product Manual - Page 173
    4.5.1. Dynamic Routing Chapter 4. Routing allows B's routing table information to be automatically shared with A. In the same way, OSPF allows firewall B to automatically become aware that network X is attached to firewall A. Under OSPF, this exchange of routing information is completely ...
  • D-Link DFL-260 | Product Manual - Page 174
...is not available on all D-Link NetDefend models The OSPF feature is only available on the NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. OSPF is not available on the DFL-210 and 260. OSPF functions by routing IP packets based only on the ...
  • D-Link DFL-260 | Product Manual - Page 175
    4.5.2. OSPF Concepts Chapter 4. Routing Authentication. All OSPF protocol exchanges can, if required, be authenticated. This means that only routers with the correct authentication can join an AS. Different authentication schemes can be used and with NetDefendOS the scheme can be either a ...
  • D-Link DFL-260 | Product Manual - Page 176
    4.5.2. OSPF Concepts Chapter 4. Routing the priorities advertised by all the routers. If there is already a DR on the network, the router will accept that one, regardless of its own router priority. With NetDefendOS, the DR and the BDR are automatically assigned. Neighbors Routers that are in ...
  • D-Link DFL-260 | Product Manual - Page 177
    4.5.2. OSPF Concepts Chapter 4. Routing This virtual link is established between two Area Border Routers (ABRs) that are on one common area, with one of the ABRs connected to the backbone area. In the example below two routers are connected to the same area (Area 1) but just one of them, fw1, is ...
  • D-Link DFL-260 | Product Manual - Page 178
    ...up in NetDefendOS, see Section 4.5.3.6, "OSPF VLinks". OSPF High Availability Support There are some limitations in High Availability support for OSPF that ... networks. This is done by forcing the router priority to 0. For OSPF HA support to work correctly, the NetDefend Firewall needs to have a ...
  • D-Link DFL-260 | Product Manual - Page 179
    4.5.3. OSPF Components Chapter 4. Routing The key aspect of an OSPF setup is that connected NetDefend Firewalls share the information in their routing tables so that traffic entering an interface on one of the firewalls can be automatically routed so that it exits the interface on another gateway...
  • D-Link DFL-260 | Product Manual - Page 180
... Compatibility Enable this if the NetDefend Firewall will be used in an environment that consists of routers that only support RFC 1583. Debug Protocol debug provides a troubleshooting tool by logging OSPF protocol specific information to the log Off - Nothing...
  • D-Link DFL-260 | Product Manual - Page 181
    4.5.3. OSPF Components Chapter 4. Routing Note: Authentication must be the same on all routers If a passphrase or MD5 authentication is configured for OSPF, the passphrase or authentication key must be the same on all OSPF Routers in that Autonomous System. In other words, the OSPF authentication...
  • D-Link DFL-260 | Product Manual - Page 182
4.5.3. OSPF Components Chapter 4. Routing There can only be one backbone area and it forms the central portion of an AS. Routing information that is exchanged between different areas always transits the backbone area. Is stub area Become Default Router Enable this option if the area is a stub area...
  • D-Link DFL-260 | Product Manual - Page 183
4.5.3. OSPF Components Chapter 4. Routing an OSPF Neighbour object. Using VPN tunnels is discussed further in Section 4.5.5, "Setting Up OSPF". • Point-to-Multipoint - The Point-to-Multipoint interface type is a collection of Point-to-Point networks, where there is more than one router in a...
  • D-Link DFL-260 | Product Manual - Page 184
    4.5.3. OSPF Components Chapter 4. Routing Sometimes there is a need to include networks into the OSPF routing process, without running OSPF on the interface connected to that network. This is done by enabling the option: No OSPF routers connected to this interface ("Passive"). This is an ...
  • D-Link DFL-260 | Product Manual - Page 185
    4.5.4. Dynamic Routing Rules Chapter 4. Routing Authentication Use Default For AS Use the values configured in the AS properties page. Note: Linking partitioned backbones If the backbone area is partitioned, a virtual link is used to connect the different parts. In most, simple OSPF scenarios, ...
  • D-Link DFL-260 | Product Manual - Page 186
    4.5.4. Dynamic Routing Rules Chapter 4. Routing OSPF Requires at Least an Import Rule By default, NetDefendOS will not import or export any routes. For OSPF to function, it is therefore mandatory to define at least one dynamic routing rule which will be an Import rule. This Import rule specifies ...
  • D-Link DFL-260 | Product Manual - Page 187
4.5.4. Dynamic Routing Rules Chapter 4. Routing From OSPF AS Specifies from which OSPF AS (in other words, an OSPF Router Process) the route should be imported into either a routing table or another AS. Specifies from which routing table a route should be imported into the OSPF AS or ...
  • D-Link DFL-260 | Product Manual - Page 188
    4.5.5. Setting Up OSPF Chapter 4. Routing A Routing Action is used to manipulate and export routing changes to one or more local routing tables. Destination Offset Metric Offset Metric Type 2 Limit Metric To Specifies into which routing table the route changes to the OSPF AS should be imported. ...
  • D-Link DFL-260 | Product Manual - Page 189
    4.5.5. Setting Up OSPF Chapter 4. Routing • The advanced option No OSPF routers connected to this interface must be enabled if the physical interface doesn't connect directly to another OSPF Router (in other words, with another NetDefend Firewall that acts as an OSPF router). For example, the ...
  • D-Link DFL-260 | Product Manual - Page 190
    ... to reach it. The CLI command ospf can also be used to indicate OSPF status. The options for this command are fully described in the CLI Reference Guide. Sending OSPF Traffic Through a VPN Tunnel In some cases, the link between two NetDefend Firewalls which are configured with OSPF Router Process ...
  • D-Link DFL-260 | Product Manual - Page 191
    ... traffic is allowed into the tunnel and all-nets will allow all traffic into the tunnel. In the routing section of the IPsec properties, the Specify address manually option needs to be enabled and the IP address in this example of 192.168.55.1 needs to be entered. This sets the tunnel endpoint IP to...
  • D-Link DFL-260 | Product Manual - Page 192
    4.5.6. An OSPF Example Chapter 4. Routing Example 4.7. Creating an OSPF Router Process On the first firewall involved in the OSPF AS, create an OSPF Router Process. Web Interface 1. 2. 3. Go to Routing > OSPF > Add > OSPF Routing Process Specify a suitable name for the process, for example as_0 ...
  • D-Link DFL-260 | Product Manual - Page 193
    4.5.6. An OSPF Example Chapter 4. Routing Web Interface 1. 2. 3. 4. 5. 6. Go to Routing > Dynamic Routing Rules > Add > Dynamic Routing Policy Rule Specify a suitable name for the rule. For example, ImportOSPFRoutes. Select the option From OSPF Process Move as0 from Available to Selected Choose ...
  • D-Link DFL-260 | Product Manual - Page 194
    ...Multicast Routing Chapter 4. Routing 4.6. Multicast Routing 4.6.1. Overview The Multicast Problem Certain types of Internet interactions, such as conferencing ... The Multicast Routing Solution Multicast Routing solves the problem by having the network routers themselves replicate and forward packets...
  • D-Link DFL-260 | Product Manual - Page 195
    ... to be routed to the core interface. By default, the multicast IP range 224.0.0.0/4 is always routed to core and does not have to be manually added to the routing tables. Each specified output interface can individually be configured with static address translation of the destination address. The ...
  • D-Link DFL-260 | Product Manual - Page 196
    ... multicast traffic. IGMP has to be configured separately. Web Interface A. Create a custom service for multicast called multicast_service: 1. 2. Go to Objects > Services > Add > TCP/UDP Now enter Name: multicast_service Type: UDP Destination: 1234
  • D-Link DFL-260 | Product Manual - Page 197
    ... for the rule, for example Multicast_Multiplex Action: Multiplex SAT Service: multicast_service Under Address Filter enter Source Interface: ...= DestinationInterface= DestinationNetwork= Action=MultiplexSAT Service= MultiplexArgument={outif1;ip1},{outif2;ip2},{outif3;...
  • D-Link DFL-260 | Product Manual - Page 198
    ...be configured to match the scenario described above: Web Interface A. Create a custom service for multicast called multicast_service: 1. 2. Go to Objects > Services > Add > TCP/UDP Now enter Name: multicast_service Type: UDP Destination: 1234 B. Create an IP ...
  • D-Link DFL-260 | Product Manual - Page 199
    4.6.3. IGMP Configuration Chapter 4. Routing • • 3. Action: Multiplex SAT Service: multicast_service Under Address Filter enter Source Interface: wan ..., an IGMP query would also not have to be specified. NetDefendOS supports two IGMP modes of operation: • • Snoop Mode Proxy Mode The ...
  • D-Link DFL-260 | Product Manual - Page 200
    4.6.3. IGMP Configuration Chapter 4. Routing Figure 4.16. Multicast Snoop Mode Figure 4.17. Multicast Proxy Mode In Snoop Mode, the NetDefend Firewall will act transparently between the hosts and another IGMP router. It will not send any IGMP Queries. It will only forward queries and reports ...
  • D-Link DFL-260 | Product Manual - Page 201
    4.6.3. IGMP Configuration Chapter 4. Routing Example 4.14. IGMP - No Address Translation The following example requires a configured interface group IfGrpClients including interfaces if1, if2 and if3. The IP address of the upstream IGMP router is known as UpstreamRouterIP. Two rules are needed. ...
  • D-Link DFL-260 | Product Manual - Page 202
    4.6.3. IGMP Configuration Chapter 4. Routing 4.6.3.2. IGMP Rules Configuration - Address Translation The following examples illustrate the IGMP rules needed to configure IGMP according to the Address Translation scenario described above in Section 4.6.2.2, "Multicast Forwarding - Address ...
  • D-Link DFL-260 | Product Manual - Page 203
    4.6.3. IGMP Configuration Chapter 4. Routing • • • 4. Destination Network: auto Multicast Source: 192.168.10.1 Multicast Group: 239.192.10.0/24 Click OK Example 4.16. if2 Configuration - Group Translation The following steps need to be executed to create the report and query rule pair ...
  • D-Link DFL-260 | Product Manual - Page 204
    4.6.4. Advanced IGMP Settings Chapter 4. Routing • • 4. Multicast Source: 192.168.10.1 Multicast Group: 239.192.10.0/24 Click OK Advanced IGMP Settings There are a number of IGMP advanced settings which are global and apply to all interfaces which do not have IGMP settings explicitly ...
  • D-Link DFL-260 | Product Manual - Page 205
    ...interval in milliseconds between General Queries sent by the device to refresh its IGMP state. Global setting on interfaces without an overriding IGMP Setting. Default: 125,000 IGMP Query Response Interval The maximum time in milliseconds until a host has to send a reply to a query. Global setting ...
  • D-Link DFL-260 | Product Manual - Page 206
    4.6.4. Advanced IGMP Settings Chapter 4. Routing The time in milliseconds between repetitions of an initial membership report. Global setting on interfaces without an overriding IGMP Setting. Default: 1,000
  • D-Link DFL-260 | Product Manual - Page 207
    ...can allow or deny access to different types of services (for example HTTP) and in specified directions.... require access to only a restricted set of services (HTTP for example) on the sales department's servers .... Transparent Mode can control what kind of service is permitted to these IP addresses and ...
  • D-Link DFL-260 | Product Manual - Page 208
    ...to another in a "plug-n-play" fashion, without changing their IP address (assuming their IP address is fixed). The user can still obtain the same services as before (for example HTTP, FTP) without any need to change routes. The same network address range can exist on several interfaces. • Note: ...
  • D-Link DFL-260 | Product Manual - Page 209
    ... but more restrictive IP rules are recommended. Action Allow Src Interface any Src Network all-nets Dest Interface any Dest Network all-nets Service all 2. Restricting the Network Parameter As NetDefendOS listens to ARP traffic, it continuously adds single host routes to the routing table as it ...
  • D-Link DFL-260 | Product Manual - Page 210
    4.7.1. Overview Chapter 4. Routing routing table will be connected together by NetDefendOS and no matter how interfaces are associated with the switch routes, transparency will exist between them. For example, if the interfaces if1 to if6 appear in switch routes in routing table A, the ...
  • D-Link DFL-260 | Product Manual - Page 211
    ... not be able to roam between NetDefendOS interfaces, retaining the same IP address. Secondly, and more importantly, their network routes will need to be manually configured for proxy ARP. Transparent Mode with DHCP In most Transparent Mode scenarios, the IP address of users is predefined and fixed ...
  • D-Link DFL-260 | Product Manual - Page 212
    4.7.2. Enabling Internet Access Chapter 4. Routing Figure 4.18. Non-transparent Mode Internet Access The non-switch route usually needed to allow Internet access would be: Route type Non-switch Interface if1 Destination all-nets Gateway gw-ip Now let's suppose the NetDefend Firewall is to operate...
  • D-Link DFL-260 | Product Manual - Page 213
    4.7.3. Transparent Mode Scenarios Chapter 4. Routing If the IP addresses that need to be reached by NetDefendOS are 85.12.184.39 and 194.142.215.15 then the complete routing table for the above example would be: Route type Switch Switch Non-switch Non-switch Interface if1 if2 if1 if1 Destination ...
  • D-Link DFL-260 | Product Manual - Page 214
    ....0.0.1 Transparent Mode: Enable Click OK Go to Interfaces > Ethernet > Edit (lan) Now enter IP Address: 10.0.0.2 Network: 10.0.0.0/24 Transparent Mode: Enable 6. Click OK Configure the rules: 1. 2. Go to Rules > IP Rules > Add > IPRule Now enter Name: HTTPAllow Action: Allow Service: http
  • D-Link DFL-260 | Product Manual - Page 215
    4.7.3. Transparent Mode Scenarios Chapter 4. Routing 3. Source Interface: lan Destination Interface: any Source Network: 10.0.0.0/24 Destination Network: all-nets (0.0.0.0/0) Click OK Scenario 2 Here the NetDefend Firewall in Transparent Mode separates server resources from an internal ...
  • D-Link DFL-260 | Product Manual - Page 216
    ...: TransparentGroup Network: 10.0.0.0/24 Metric: 0 Click OK Configure the rules: 1. 2. Go to Rules > IP Rules > Add > IPRule Now enter Name: HTTP-LAN-to-DMZ Action: Allow Service: http Source Interface: lan Destination Interface: dmz Source Network: 10.0.0.0/24 Destination Network: 10.1.4.10
  • D-Link DFL-260 | Product Manual - Page 217
    4.7.4. Spanning Tree BPDU Support Chapter 4. Routing 3. 4. 5. Click OK Go to Rules > IP Rules ... Name: HTTP-WAN-to-DMZ Action: Allow Service: http Source Interface: wan Destination Interface... Click OK 4.7.4. Spanning Tree BPDU Support NetDefendOS includes support for relaying the Bridge Protocol ...
  • D-Link DFL-260 | Product Manual - Page 218
    ...) Cisco proprietary PVST+ Protocol (Per VLAN Spanning Tree Plus) NetDefendOS checks the contents of BPDU messages to make sure the content type is supported. If it is not, the frame is dropped. Enabling/Disabling BPDU Relaying BPDU relaying is disabled by default and can be controlled through the ...
  • D-Link DFL-260 | Product Manual - Page 219
    ... Mode. Default: Disabled Dynamic CAM Size This setting can be used to manually configure the size of the CAM table. Normally Dynamic is the preferred ... dynamically. Default: Enabled L3 Cache Size This setting is used to manually configure the size of the Layer 3 Cache. Enabling Dynamic L3C Size is ...
  • D-Link DFL-260 | Product Manual - Page 220
    4.7.5. Advanced Settings for Transparent Mode Chapter 4. Routing Null Enet Sender Defines what to do when receiving a packet that has the sender hardware (MAC) address in Ethernet header set to null (0000:0000:0000). Options: • • Drop - Drop packets DropLog - Drop and log packets Default: ...
  • D-Link DFL-260 | Product Manual - Page 221
    4.7.5. Advanced Settings for Transparent Mode Chapter 4. Routing • • Drop - Drop the packets DropLog - Drop the packets and log the event Default: Drop Relay MPLS When set to Ignore, all incoming MPLS packets are relayed in transparent mode. Options Ignore - Let the packets pass but do not log Log...
  • D-Link DFL-260 | Product Manual - Page 222
  • D-Link DFL-260 | Product Manual - Page 223
    Chapter 5. DHCP Services This chapter describes DHCP services in NetDefendOS. • Overview, page 223 • DHCP Servers, page 224 • DHCP Relaying, page 230 • IP Pools, page 233 5.1. Overview Dynamic Host Configuration Protocol (DHCP) is a protocol that allows network administrators to ...
  • D-Link DFL-260 | Product Manual - Page 224
    5.2. DHCP Servers Chapter 5. DHCP Services 5.2. DHCP Servers DHCP servers assign and manage the IP addresses taken from ...the last defined being at the top of the list. When NetDefendOS searches for a DHCP server to service a request, it goes through the list from top to bottom and chooses the first...
  • D-Link DFL-260 | Product Manual - Page 225
    5.2. DHCP Servers Chapter 5. DHCP Services The following options can be configured for a DHCP server: General Parameters Name Interface ... the primary and secondary DNS servers. IP of the Windows Internet Name Service (WINS) servers that are used in Microsoft environments which use the NetBIOS Name...
  • D-Link DFL-260 | Product Manual - Page 226
    5.2. DHCP Servers Chapter 5. DHCP Services This example shows how to set up a DHCP server called DHCPServer1 which assigns and manages IP addresses from an IP address pool called DHCPRange1. This example assumes that an IP range for the DHCP Server has already been created. Command-Line Interface ...
  • D-Link DFL-260 | Product Manual - Page 227
    5.2.1. Static DHCP Hosts Chapter 5. DHCP Services The asterisk "*" before a MAC address means that the DHCP server does not track the client using the MAC address but instead tracks the client through a client identifier which the client has given to the server. Tip: Lease database saving DHCP ...
  • D-Link DFL-260 | Product Manual - Page 228
    5.2.2. Custom Options Chapter 5. DHCP Services can be specified as this parameter. The option exists to also specify if the identifier will be sent as an ASCII or Hexadecimal value. Example 5.3. Static DHCP Host Assignment This example shows how to assign the IP address 192.168.1.1 to the MAC ...
  • D-Link DFL-260 | Product Manual - Page 229
    5.2.2. Custom Options Chapter 5. DHCP Services Custom Option Parameters The following parameters can be set for a custom option: Code Type Data This is the code that describes the type of information being sent to the client. A large list of possible codes exists. This describes the type of data ...
  • D-Link DFL-260 | Product Manual - Page 230
    5.3. DHCP Relaying Chapter 5. DHCP Services 5.3. DHCP Relaying The DHCP Problem With DHCP, clients send requests to locate the DHCP ..., this means there would have to be a different DHCP server on every network. This problem is solved by the use of a DHCP relayer. The DHCP Relayer Solution A DHCP ...
  • D-Link DFL-260 | Product Manual - Page 231
    5.3.1. DHCP Relay Advanced Settings Chapter 5. DHCP Services • • 3. Name: ipgrp-dhcp Interfaces: select vlan1 and vlan2 from the Available list and put them into the Selected list. Click OK Adding a DHCP relayer called vlan-to-dhcpserver: 1. 2. Go to System > DHCP > Add > DHCP Relay Now ...
  • D-Link DFL-260 | Product Manual - Page 232
    5.3.1. DHCP Relay Advanced Settings Chapter 5. DHCP Services will be reduced down to this value. Default: 10000 seconds Max Auto Routes How many relays can be active at the same time. Default: 256 Auto Save Policy What policy should be used to save the relay list to the disk, possible ...
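The relay behaviour the DHCP Relaying section describes (a client broadcast that cannot cross the firewall is picked up, stamped with the relaying interface's address, and forwarded to a server that then picks a scope from its list top to bottom) is shown below as an added example. It is not NetDefendOS code or D-Link's; it follows RFC 2131 for the packet layout and relay-agent rules. The relay address `10.10.1.1`, the server names and the scope networks are placeholders chosen for the example.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"
# Fixed BOOTP/DHCP header (RFC 2131, 236 bytes): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
HDR = "!BBBBIHH4s4s4s4s16s64s128s"
HDR_LEN = struct.calcsize(HDR)   # 236
ZERO4 = b"\x00" * 4


def build_discover(xid, mac):
    """Constructed sample client DHCPDISCOVER: broadcast flag set, giaddr = 0.0.0.0."""
    chaddr = mac.ljust(16, b"\x00")
    hdr = struct.pack(HDR, 1, 1, 6, 0, xid, 0, 0x8000, ZERO4, ZERO4, ZERO4, ZERO4,
                      chaddr, b"\x00" * 64, b"\x00" * 128)
    options = b"\x35\x01\x01" + b"\xff"   # option 53 (message type) = DISCOVER, then END
    return hdr + MAGIC + options


def parse_header(packet):
    """The header fields a relay and a server act on."""
    f = struct.unpack(HDR, packet[:HDR_LEN])
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "giaddr": str(ipaddress.IPv4Address(f[10]))}


def relay(packet, relay_iface_ip, max_hops=16):
    """What the relayer does before forwarding a client packet towards the server:
    increment hops (discarding loops past max_hops) and, if no earlier relay already
    set it, put the address of the interface the packet arrived on into giaddr. The
    server uses giaddr both to pick the scope and as the address to answer to."""
    f = list(struct.unpack(HDR, packet[:HDR_LEN]))
    if f[3] >= max_hops:
        return None
    f[3] += 1
    if f[10] == ZERO4:
        f[10] = ipaddress.IPv4Address(relay_iface_ip).packed
    return struct.pack(HDR, *f) + packet[HDR_LEN:]


def select_server(packet, servers):
    """Server-side choice in the order the manual describes: walk the configured list
    from top to bottom and take the first entry whose network contains giaddr.
    servers is a list of (server name, relayed-client network) in configuration order."""
    giaddr = ipaddress.IPv4Address(parse_header(packet)["giaddr"])
    for name, cidr in servers:
        if giaddr in ipaddress.ip_network(cidr):
            return name
    return None
```

A second relay in the path leaves giaddr alone and only bumps hops, so the server still answers the first relayer; a packet that arrives with giaddr still 0.0.0.0 matches no relayed scope and would have to be served by a server bound to the receiving interface instead.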
  • D-Link DFL-260 | Product Manual - Page 233
    5.4. IP Pools Chapter 5. DHCP Services 5.4. IP Pools Overview An IP pool is used to offer other subsystems access to a cache of DHCP IP addresses. These addresses are gathered into a pool by internally maintaining a series of DHCP clients (one DHCP client per IP address). More than one DHCP server...
  • D-Link DFL-260 | Product Manual - Page 234
    5.4. IP Pools Chapter 5. DHCP Services Receive Interface A "simulated" virtual DHCP server receiving interface. This setting is used to simulate a receiving interface when an IP pool is obtaining IP addresses from internal DHCP servers. This is needed since the filtering criteria of a DHCP server...
  • D-Link DFL-260 | Product Manual - Page 235
    5.4. IP Pools Chapter 5. DHCP Services Other options in the ippool command allow the administrator to change the pool size and to ... IP addresses. The complete list of command options can be found in the CLI Reference Guide. Example 5.5. Creating an IP Pool This example shows the creation of an IP ...
  • D-Link DFL-260 | Product Manual - Page 236
  • D-Link DFL-260 | Product Manual - Page 237
    ...dropped and a Default Access Rule log message will be generated. When troubleshooting dropped connections, the administrator should look out for Default Access Rule messages in the logs. The solution to the problem is to create a route for the interface where the connection arrives so that the ...
  • D-Link DFL-260 | Product Manual - Page 238
    ...a trusted source. Although the packet source cannot be responded to correctly, there is the potential for unnecessary network congestion to be created and potentially a Denial of Service (DoS) condition could occur. Even if the firewall is able to detect a DoS condition, it is hard to trace or stop ...
  • D-Link DFL-260 | Product Manual - Page 239
    ... specify an Access Rule for that source with an action of Drop. Troubleshooting Access Rule Related Problems It should be noted that Access Rules are a first .... It is always advisable to check Access Rules when troubleshooting puzzling problems in case a rule is preventing some other function, such ...
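The Default Access Rule described above (a packet is dropped and logged when its source address is not routed back through the interface it arrived on) and the explicit Access Rule with action Drop are easy to misread, so here is the check as an added example. This is illustration code, not NetDefendOS's implementation; the routing table, the interface names and the one explicit rule are constructed for the example, and only the Drop and Accept actions are modelled.

```python
import ipaddress

# Constructed routing table for this example: (interface, network). The interface
# and network names are hypothetical, not taken from the manual.
ROUTES = [
    ("lan", "192.168.1.0/24"),
    ("dmz", "10.1.4.0/24"),
    ("wan", "0.0.0.0/0"),          # default route
]

# Explicit Access Rules, evaluated top to bottom before the default rule:
# (arrival interface, source network, action). Only Drop and Accept are modelled.
ACCESS_RULES = [
    ("wan", "10.0.0.0/8", "Drop"),  # private space must never arrive from the Internet side
]


def lookup_route(dst_ip, routes=ROUTES):
    """Longest-prefix match: the interface the table uses to reach dst_ip, or None."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for iface, cidr in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best[0] if best else None


def access_check(arrival_iface, src_ip, rules=ACCESS_RULES, routes=ROUTES):
    """Verdict for a packet with source src_ip arriving on arrival_iface.

    Returns ("Accept" | "Drop", log_message_or_None). An explicit rule wins; otherwise
    the Default Access Rule applies: the source must be routed back out through the
    interface the packet arrived on, or the packet is dropped and logged."""
    src = ipaddress.ip_address(src_ip)
    for iface, cidr, action in rules:
        if iface == arrival_iface and src in ipaddress.ip_network(cidr):
            log = None
            if action == "Drop":
                log = f"AccessRule drop: src={src_ip} iface={arrival_iface} rule={cidr}"
            return action, log
    route_iface = lookup_route(src_ip, routes)
    if route_iface == arrival_iface:
        return "Accept", None
    return "Drop", (f"Default Access Rule drop: src={src_ip} arrived on {arrival_iface} "
                    f"but is routed via {route_iface}")


def check_packets(packets, rules=ACCESS_RULES, routes=ROUTES):
    """Run the check over a list of (arrival_iface, src_ip) pairs."""
    return [access_check(iface, src, rules, routes) for iface, src in packets]
```

The troubleshooting advice in the text follows directly from the last branch: a legitimate packet from a network with no route (or a route via another interface) produces exactly the "Default Access Rule" log line, and adding a route for that network on the arriving interface is what makes `lookup_route` return the right interface.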
  • D-Link DFL-260 | Product Manual - Page 240
    ... an ALG Once a new ALG object is defined by the administrator, it is brought into use by first associating it with a Service object and then associating that service with an IP rule in the NetDefendOS IP rule set. Figure 6.1. Deploying an ALG
  • D-Link DFL-260 | Product Manual - Page 241
    ... The HTTP ALG Chapter 6. Security Mechanisms Maximum Connection Sessions The service associated with an ALG has a configurable parameter associated with it ...is 1000. This means that 1000 connections are allowed in total for the HTTP service across all interfaces. The full list of default maximum ...
  • D-Link DFL-260 | Product Manual - Page 242
    6.2.2. The HTTP ALG Chapter 6. Security Mechanisms Anti-Virus scanning, if it is enabled, is always applied to the HTTP traffic even if it is whitelisted. These features are described in depth in Section 6.3.3, "Static Content Filtering". • Dynamic Content Filtering - Access to specific ...
  • D-Link DFL-260 | Product Manual - Page 243
    6.2.2. The HTTP ALG Chapter 6. Security Mechanisms Note: Similarities with other NetDefendOS features The Verify MIME type and Allow/Block Selected Types options work in the same way for the FTP, POP3 and SMTP ALGs. • Download File Size Limit - A file size limit can additionally be specified ...
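The Verify MIME type and Allow/Block Selected Types options (shared, as the note says, by the HTTP, FTP, POP3 and SMTP ALGs) amount to comparing what a file claims to be with what its first bytes say it is. The following is an added illustration of that check, not the NetDefendOS implementation: the signature table, the extension map and the sample downloads are constructed for the example, and the type names are ordinary MIME strings rather than the device's own type list.

```python
import os

# Constructed magic-number table: type -> signatures found at offset 0. Extend as needed.
SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
    "application/pdf": [b"%PDF-"],
    "application/zip": [b"PK\x03\x04"],
    "application/x-msdownload": [b"MZ"],   # Windows PE executables
    "application/x-executable": [b"\x7fELF"],
}

# What a file extension claims to be (the ALG's selected types are keyed by file type).
EXTENSION_TYPES = {
    ".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".gif": "image/gif",
    ".pdf": "application/pdf", ".zip": "application/zip", ".exe": "application/x-msdownload",
}


def sniff_type(data):
    """Type derived from the file content, or None if no signature matches."""
    for mime, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None


def declared_type(filename, content_type=None):
    """Type claimed by the HTTP Content-Type header, falling back to the file extension."""
    if content_type:
        return content_type.split(";", 1)[0].strip().lower()
    return EXTENSION_TYPES.get(os.path.splitext(filename.lower())[1])


def verify_download(filename, data, content_type=None, blocked=frozenset(), verify_mime=True):
    """Decide whether the ALG lets a download through.

    blocked: types on the block list (the file is blocked if either its sniffed or its
    declared type is listed). verify_mime: additionally require the content to match
    what the file claims to be. Returns ("allow" | "block", reason)."""
    sniffed = sniff_type(data)
    declared = declared_type(filename, content_type)
    for t in (sniffed, declared):
        if t is not None and t in blocked:
            return "block", f"type {t} is on the block list"
    if verify_mime and sniffed and declared and sniffed != declared:
        return "block", f"content is {sniffed} but the file claims to be {declared}"
    return "allow", "ok"
```

Two practical caveats: a file whose content matches no signature passes the MIME check here (the device's type list is longer than this table, and a strict deployment may prefer to block unknowns), and Content-Type aliases such as `image/jpg` need normalising before comparison or they show up as false mismatches.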
  • D-Link DFL-260 | Product Manual - Page 244
    ...IP rule set. A number of predefined HTTP services could be used with the ALG. For example, the http... might be selected for this purpose. As long as the associated service is associated with an IP rule then the ALG... active and passive modes of FTP operation present problems for NetDefend Firewalls. ...
  • D-Link DFL-260 | Product Manual - Page 245
    6.2.3. The FTP ALG Chapter 6. Security Mechanisms Consider a scenario where an FTP client on the internal network connects through the firewall to an FTP server on the Internet. The IP rule is then configured to allow network traffic from the FTP client to port 21 on the FTP server. When active ...
  • D-Link DFL-260 | Product Manual - Page 246
    6.2.3. The FTP ALG Chapter 6. Security Mechanisms Figure 6.3. FTP ALG Hybrid Mode Note: Hybrid conversion is automatic Hybrid mode does not need to be enabled. The conversion between modes occurs automatically within the FTP ALG. Connection Restriction Options The FTP ALG has two options to ...
  • D-Link DFL-260 | Product Manual - Page 247
    ... Some commands are never allowed Some commands, such as encryption instructions, are never allowed. Encryption would mean that the FTP command...allowed in the control channel. Allowing 8-bit characters enables support for filenames containing international characters. For example, accented or umlauted...
  • D-Link DFL-260 | Product Manual - Page 248
    ... a virus infected file to an FTP server, NetDefendOS notices that the client belongs to the local network and will therefore upload blocking instructions to the local switches. The host will be blocked from accessing the local network and can no longer do any harm. Note: ZoneDefense won't block ...
  • D-Link DFL-260 | Product Manual - Page 249
    ...use active mode Uncheck Allow server to use passive mode Click OK B. Define the Service: 1. 2. Go to Objects > Services > Add > TCP/UDP Service Enter the following Name: ftp-inbound-service Type: select TCP from the list Destination: 21 (the port the FTP server resides ...
  • D-Link DFL-260 | Product Manual - Page 250
    ...3. Name: SAT-ftp-inbound Action: SAT Service: ftp-inbound-service For Address Filter enter Source Interface: ... 3. Name: NAT-ftp Action: NAT Service: ftp-inbound-service For Address Filter enter Source ... 3. Name: Allow-ftp Action: Allow Service: ftp-inbound-service For Address Filter enter:
  • D-Link DFL-260 | Product Manual - Page 251
    ...is much safer for the client. Enable the Allow server to use passive mode FTP ALG option. This allows clients on the inside to connect to FTP servers that support active and passive mode across the Internet. The configuration is performed as follows: Web Interface A. Create the FTP ALG (The ALG ftp...
  • D-Link DFL-260 | Product Manual - Page 252
    ... use passive mode Click OK B. Create the Service 1. 2. Go to Objects > Services > Add > TCP/UDP Service Now enter 3. Name: ftp-outbound-service Type: select TCP from the dropdown list Destination:... same kind of ports/traffic before these rules. The service used here is the ftp-outbound-service ...
  • D-Link DFL-260 | Product Manual - Page 253
    ... must return an IP address and port to the client on which it can set up the data transfer connection. This IP address is normally manually specified by the administrator in the FTP server software and the natural choice is to specify the external IP address of the interface on the firewall that ...
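The FTP ALG pages above describe three inspections on the control channel: the address and port a client announces with PORT (active mode) and a server announces in its 227 reply (passive mode), the commands that are never let through, and the 8-bit character option. The code below is an added example of those checks written from the protocol (RFC 959 for PORT/227, RFC 2228 for the security commands); it is not D-Link's ALG code. The set of never-allowed commands is an assumption made here for the "encryption instructions" the text mentions, and the sample addresses are constructed.

```python
import re

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$",
                     re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Commands never allowed on the control channel: the RFC 2228 security commands that
# would encrypt the channel and blind the ALG (assumed list for this example).
NEVER_ALLOWED = {"AUTH", "ADAT", "PBSZ", "PROT", "CCC", "ENC", "MIC", "CONF"}


def _hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2), or None if any field exceeds 255."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        return None
    return ".".join(map(str, vals[:4])), vals[4] * 256 + vals[5]


def check_control_command(raw, allow_8bit=False):
    """Inspect one raw client command line (bytes). Returns (ok, reason)."""
    if not allow_8bit and any(b > 0x7F for b in raw):
        return False, "8-bit characters not allowed on the control channel"
    line = raw.decode("latin-1").strip()
    verb = line.split(" ", 1)[0].upper()
    if verb in NEVER_ALLOWED:
        return False, f"command {verb} is never allowed"
    return True, "ok"


def check_port_command(line, client_ip):
    """Active mode: the client names the address the server must connect back to.
    The address must be the control-connection peer, otherwise the server would be
    used to open a data connection to a third host. Returns (ok, reason, (host, port))."""
    m = PORT_RE.match(line.strip())
    if not m:
        return False, "malformed PORT", None
    hp = _hostport(m.groups())
    if hp is None:
        return False, "PORT field out of range", None
    host, port = hp
    if host != client_ip:
        return False, "PORT address is not the control-connection peer (bounce attempt)", hp
    if port < 1024:
        return False, "PORT names a privileged port", hp
    return True, "ok", hp


def check_pasv_reply(line, expected_ips):
    """Passive mode: the server names the address the client must connect to.
    expected_ips holds the server's own address and, for a server published through
    SAT, the external firewall address it was configured to announce."""
    m = PASV_RE.match(line.strip())
    if not m:
        return False, "malformed 227 reply", None
    hp = _hostport(m.groups())
    if hp is None:
        return False, "227 field out of range", None
    host, port = hp
    if host not in expected_ips:
        return False, "227 address is neither the server nor its published address", hp
    if port < 1024:
        return False, "227 names a privileged port", hp
    return True, "ok", hp
```

The `expected_ips` set is what makes the inbound SAT scenario work: the server behind the firewall announces the external address, so a check that only accepted the server's real address would reject every passive transfer.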
  • D-Link DFL-260 | Product Manual - Page 254
    ...It should be kept in mind that an email with, for example, an attachment of 100 Kbytes, will be larger than 100 Kbytes. The transferred size might be 120 Kbytes or more since the encoding which takes place automatically for attachments may substantially increase the transferred attachment size.
  • D-Link DFL-260 | Product Manual - Page 255
    6.2.5. The SMTP ALG Chapter 6. Security Mechanisms The administrator should therefore add a reasonable margin above the anticipated email size when setting this limit. Email address blacklisting A blacklist of sender or recipient email addresses can be specified so that mail from/to those ...
  • D-Link DFL-260 | Product Manual - Page 256
    ... which is defined in RFC 3030. The NetDefendOS SMTP ALG does not support all ESMTP extensions including Pipelining and Chunking. The ALG therefore removes any unsupported extensions from the supported extension list that is returned to the client by an SMTP server behind the NetDefend ...
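The extension stripping described above is a small rewrite of the server's multi-line EHLO reply: lines advertising extensions the ALG does not support are removed before the reply reaches the client, so the client never tries to pipeline or chunk. Here it is as an added example (not D-Link's code). PIPELINING and CHUNKING are the two the text names; BINARYMIME is stripped here too, as an assumption, because RFC 3030 defines it alongside CHUNKING. The sample reply is constructed.

```python
# Extensions this example strips from the server's EHLO reply. PIPELINING and CHUNKING
# come from the manual's text; BINARYMIME is an assumption (RFC 3030 ties it to CHUNKING).
UNSUPPORTED = {"PIPELINING", "CHUNKING", "BINARYMIME"}


def split_reply_line(line):
    """'250-SIZE 1000' -> ('250', '-', 'SIZE 1000'); the fourth character is '-' or ' '."""
    return line[:3], line[3], line[4:]


def advertised(lines):
    """Extension keywords a client would read from an EHLO reply (first line is the greeting)."""
    return {split_reply_line(l)[2].split(None, 1)[0].upper()
            for l in lines[1:] if l[4:].strip()}


def filter_ehlo_reply(lines, unsupported=UNSUPPORTED):
    """lines: the server's multi-line EHLO reply without CRLF. Returns the reply as the
    client should see it: unsupported extension lines removed and the continuation
    markers recomputed so that the last surviving line carries the final ' '."""
    kept = []
    for line in lines:
        code, _, text = split_reply_line(line)
        keyword = text.split(None, 1)[0].upper() if text.strip() else ""
        if keyword in unsupported:
            continue
        kept.append((code, text))
    if not kept:
        raise ValueError("EHLO reply had no lines left")
    out = [f"{code}-{text}" for code, text in kept[:-1]]
    out.append(f"{kept[-1][0]} {kept[-1][1]}")
    return out


# Constructed sample reply from a server behind the firewall.
SAMPLE_EHLO = [
    "250-mail.example.com Hello client",
    "250-PIPELINING",
    "250-SIZE 10240000",
    "250-CHUNKING",
    "250 8BITMIME",
]
```

Recomputing the continuation markers matters: if the stripped extension happened to be the last line (the one with the space after the code), dropping it without fixing the marker on the new last line would leave the client waiting for more reply lines.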
  • D-Link DFL-260 | Product Manual - Page 257
    ... range to include all local SMTP clients. Make sure that the SMTP server is excluded from this range. Tip: Exclusion can be manually configured It is possible to manually configure certain hosts and servers to be excluded from being blocked by adding them to the ZoneDefense Exclude List. When...
  • D-Link DFL-260 | Product Manual - Page 258
    ... Internet. These lists are known as DNS Black List (DNSBL) databases and the information is accessible using a standardized query method supported by NetDefendOS. The image below illustrates all the components involved: DNSBL Server Queries When the NetDefendOS Anti-Spam filtering function is ...
  • D-Link DFL-260 | Product Manual - Page 259
    6.2.5. The SMTP ALG Chapter 6. Security Mechanisms servers are queried to assess the likelihood that the email is Spam, based on its origin address. The NetDefendOS administrator assigns a weight greater than zero to each configured server so that a weighted sum can then be calculated based on ...
  • D-Link DFL-260 | Product Manual - Page 260
    6.2.5. The SMTP ALG Chapter 6. Security Mechanisms And this is what the email's recipient will see in the summary of their inbox contents. The individual user could then decide to set up their own filters in the local client to deal with such tagged emails, possibly sending them to a separate ...
  • D-Link DFL-260 | Product Manual - Page 261
    6.2.5. The SMTP ALG Chapter 6. Security Mechanisms Logging There are three types of logging done by the Spam filtering module: Logging of dropped or Spam tagged emails - These log messages include the source email address and IP as well as its weighted points score and which DNSBLs caused the ...
  • D-Link DFL-260 | Product Manual - Page 262
    6.2.5. The SMTP ALG Chapter 6. Security Mechanisms For the DNSBL subsystem overall Number of emails checked. Number of emails Spam tagged. Number of dropped emails. For each DNSBL server accessed Number of positive (is Spam) responses from each configured DNSBL server. Number of queries sent ...
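The DNSBL pages above describe the whole pipeline: each configured list is queried for the sender's IP, every positive answer contributes that list's weight to a sum, and the sum decides whether the mail is delivered, tagged, or dropped, with a log record of sender, IP, score and the lists that hit. The following is an added example of that scoring logic, not NetDefendOS code. The list zone names, weights, thresholds and the `*** SPAM ***` tag text are assumptions chosen for the example; the lookups are simulated by a constructed set of listed names so that it runs offline (a real deployment resolves the query name as a DNS A record).

```python
import ipaddress

# Constructed DNSBL configuration: (zone, weight). The zones are placeholders, not real lists.
DNSBLS = [("dnsbl-a.example", 3), ("dnsbl-b.example", 2), ("dnsbl-c.example", 1)]
SPAM_THRESHOLD = 3            # weighted sum at or above which mail is tagged (assumed)
DROP_THRESHOLD = 5            # weighted sum at or above which mail is dropped (assumed)
SPAM_TAG = "*** SPAM ***"     # text prepended to the Subject of tagged mail (assumed)


def dnsbl_query_name(sender_ip, zone):
    """DNSBL lookup name: the sender's IPv4 octets in reverse order, under the list's zone."""
    octets = str(ipaddress.IPv4Address(sender_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def weighted_score(sender_ip, lookup, dnsbls=DNSBLS):
    """lookup(name) -> True when the list answers positively. Returns (score, zones that hit).
    Lists with a weight of zero or less are skipped, matching the 'greater than zero' rule."""
    hits, score = [], 0
    for zone, weight in dnsbls:
        if weight <= 0:
            continue
        if lookup(dnsbl_query_name(sender_ip, zone)):
            hits.append(zone)
            score += weight
    return score, hits


def classify(sender_ip, sender_addr, subject, lookup, dnsbls=DNSBLS):
    """Returns (verdict, subject as delivered, log record or None)."""
    score, hits = weighted_score(sender_ip, lookup, dnsbls)
    if score >= DROP_THRESHOLD:
        verdict, new_subject = "drop", subject
    elif score >= SPAM_THRESHOLD:
        verdict, new_subject = "tag", f"{SPAM_TAG} {subject}"
    else:
        verdict, new_subject = "deliver", subject
    log = None
    if verdict != "deliver":
        log = {"action": verdict, "from": sender_addr, "ip": sender_ip,
               "score": score, "dnsbls": hits}
    return verdict, new_subject, log


# Constructed simulated DNSBL data: query names that would "resolve" (be listed).
LISTED = {
    "9.113.0.203.dnsbl-a.example",
    "9.113.0.203.dnsbl-b.example",
    "7.2.0.198.dnsbl-c.example",
}


def fake_lookup(name):
    return name in LISTED
```

With these weights a hit on the two heavier lists alone reaches the drop threshold, while a single low-weight list never even reaches the tag threshold, which is the point of weighting: one noisy list cannot drop mail by itself.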
  • D-Link DFL-260 | Product Manual - Page 263
    ... Block connections between client and server that send the username/password combination as clear text which can be easily read (some servers may not support other methods than this). This option prevents the POP3 server from revealing that a username does not exist. This prevents users from trying ...
  • D-Link DFL-260 | Product Manual - Page 264
    ...same endpoint. Figure 6.6. PPTP ALG Usage The PPTP ALG solves this problem. By using the ALG, the traffic from all the clients can be multiplexed through a... ALG types. The ALG object must be associated with the relevant service and the service is then associated with an IP rule. The full sequence of...
  • D-Link DFL-260 | Product Manual - Page 265
    ...can be used for this purpose. Alternatively, a new custom service object can be defined, for example called ... step. In this case, it was called pptp_alg. • Associate this service object with the NAT IP rule that permits... wan Dest Network all-nets Service pptp_service PPTP ALG Settings The following...
  • D-Link DFL-260 | Product Manual - Page 266
    ... other locations. All of these scenarios are supported by NetDefendOS. Registrars A server that handles SIP ... the following steps are needed Define a single Service object for SIP communication. Define a SIP ... for SIP communications which use the defined Service object. SIP ALG Options The following...
  • D-Link DFL-260 | Product Manual - Page 267
    ... session. A timeout condition occurs if this value is exceeded. The default value is 120 seconds. If this option is enabled then data, such as RTP/RTCP ...large number of potentially dangerous connections must be allowed by the IP rule set. This problem does not occur if the local proxy is set up with ...
  • D-Link DFL-260 | Product Manual - Page 268
    ... there are no preceding rules already in the IP rule set disallowing or allowing the same kind of traffic. SIP Usage Scenarios NetDefendOS supports a variety of SIP usage scenarios. The following three scenarios cover nearly all possible types of usage: • Scenario 1 Protecting local clients - ...
  • D-Link DFL-260 | Product Manual - Page 269
    ...: 1. 2. Define a SIP ALG object using the options described above. Define a Service object which is associated with the SIP ALG object. The service should have: • • 3. Destination Port set to 5060 (the default SIP signalling port). Type set to TCP/UDP....
  • D-Link DFL-260 | Product Manual - Page 270
    ... have to include all IP addresses that are possible. The Service object for IP rules In this section, tables which... IP rules like those above, will omit the Service object associated with the rule. The same, custom Service object is used for all SIP scenarios. Scenario 2 Protecting proxy and local ...
  • D-Link DFL-260 | Product Manual - Page 271
    ...: 1. 2. Define a single SIP ALG object using the options described above. Define a Service object which is associated with the SIP ALG object. The service should have: • • 3. Destination Port set to 5060 (the default SIP signalling port) Type set to TCP/UDP ...
  • D-Link DFL-260 | Product Manual - Page 272
    6.2.8. The SIP ALG Chapter 6. Security Mechanisms If Record-Route is enabled then the Source Network for outbound traffic from proxy users can be further restricted in the above rules by using "ip_proxy" as indicated. When an incoming call is received, the SIP ALG will follow the SAT rule and ...
  • D-Link DFL-260 | Product Manual - Page 273
    ... IP address. The NetDefend Firewall does not support hiding of the proxy on the DMZ. The IP address of... using the options described above. Define a Service object which is associated with the SIP ALG object. The service should have: • • 3. Destination Port set to 5060 (the default SIP signalling ...
  • D-Link DFL-260 | Product Manual - Page 274
    ... lannet all-nets Dest Interface wan core Dest Network all-nets ipdmz Solution B - Without NAT The setup steps are as follows: 1. 2. Define a single SIP ALG object using the options described above. Define a Service object which is associated with the SIP ALG object. The service should have: 274
  • D-Link DFL-260 | Product Manual - Page 275
    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms • • 3. Destination Port set to 5060 (the default SIP signalling port) Type set to TCP/UDP Define four rules in the IP rule set An Allow rule for outbound traffic from the clients on the internal network to the proxy located on the DMZ ...
  • D-Link DFL-260 | Product Manual - Page 276
    ...only one public IP. MCUs provide support for conferences of three or more H.323 terminals....channel used for voice communication. Video and T.120 channels are also called logical channels ...application protocols. Depending on the type of H.323 product, T.120 protocol can be used for application sharing,...
  • D-Link DFL-260 | Product Manual - Page 277
    ...ALG Chapter 6. Security Mechanisms • • The H.323 ALG supports version 5 of the H.323 specification. This specification is built..., the H.323 ALG supports application sharing over the T.120 protocol. T.120 uses TCP... through. NAT and SAT rules are supported, allowing clients and gatekeepers to use...
  • D-Link DFL-260 | Product Manual - Page 278
    ... Rules > Add > IPRule Now enter 3. Name: H323AllowOut Action: Allow Service: H323 Source Interface: lan Destination Interface: any Source Network: lannet...Rules > Add > IPRule Now enter 3. Name: H323AllowIn Action: Allow Service: H323 Source Interface: any Destination Interface: lan Source Network: ...
  • D-Link DFL-260 | Product Manual - Page 279
    ... IPRule Now enter 3. Name: H323Out Action: NAT Service: H323 Source Interface: lan Destination Interface: ... IPRule Now enter 3. 4. 1. 2. Name: H323In Action: SAT Service: H323 Source Interface: any Destination Interface:... Now enter Name: H323In Action: Allow Service: H323 Source Interface: any 279
  • D-Link DFL-260 | Product Manual - Page 280
    ... rules. Web Interface Outgoing Rule: 1. 2. Go to Rules > IP Rules > Add > IPRule Now enter 3. Name: H323AllowOut Action: Allow Service: H323 Source Interface: lan Destination Interface: any Source Network: lannet Destination Network: 0.0.0.0/0 (all-nets) Comment: Allow outgoing calls Click OK ...
  • D-Link DFL-260 | Product Manual - Page 281
    ...> IPRule Now enter 3. Name: H323AllowIn Action: Allow Service: H323 Source Interface: any Destination Interface: ... IPRule Now enter 3. Name: H323Out Action: NAT Service: H323 Source Interface: lan Destination Interface: ... IP Rules > Add > IPRule Now enter Name: H323In Action: SAT Service: H323
  • D-Link DFL-260 | Product Manual - Page 282
    ... Address: ip-phone (IP address of phone) Click OK Go to Rules > IP Rules > Add > IPRule Now enter Name: H323In Action: Allow Service: H323 Source Interface: any Destination Interface: core Source Network: 0.0.0.0/0 (all-nets) Destination Network: wan_ip (external IP of the firewall) Comment: Allow ...
  • D-Link DFL-260 | Product Manual - Page 283
    ... Rules > Add > IPRule Now enter 3. 4. 1. 2. Name: H323In Action: SAT Service: H323-Gatekeeper Source Interface: any Destination Interface: core Source Network...Rules > Add > IPRule Now enter Name: H323In Action: Allow Service: H323-Gatekeeper Source Interface: any Destination Interface: core Source ...
  • D-Link DFL-260 | Product Manual - Page 284
    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms 2. Now enter Name: H323In Action: Allow Service: H323-Gatekeeper Source Interface: lan Destination Interface: dmz Source Network: lannet Destination Network: ip-gatekeeper (IP address of the gatekeeper) Comment: Allow incoming communication ...
  • D-Link DFL-260 | Product Manual - Page 285
    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms 2. Now enter Name: H323Out Action: NAT Service: H323-Gatekeeper Source Interface: lan Destination Interface: any Source Network: lannet Destination Network: 0.0.0.0/0 (all-nets) Comment: Allow outgoing communication with a gatekeeper 3. Click...
  • D-Link DFL-260 | Product Manual - Page 286
    ... Rules > IP Rules > Add > IPRule Now enter 3. 1. 2. Name: LanToGK Action: Allow Service: H323-Gatekeeper Source Interface: lan Destination Interface: dmz Source Network: lannet Destination ... OK Go to Rules > IP Rules > Add > IPRule Now enter Name: LanToGK Action: Allow Service: H323-Gatekeeper 286
  • D-Link DFL-260 | Product Manual - Page 287
    ... IPRule Now enter Name: GWToLan Action: Allow Service: H323-Gatekeeper Source Interface: dmz Destination ... Now enter Name: BranchToGW Action: Allow Service: H323-Gatekeeper Source Interface: vpn-branch ... Now enter Name: BranchToGW Action: Allow Service: H323-Gatekeeper Source Interface: vpn-remote ...
  • D-Link DFL-260 | Product Manual - Page 288
    ...> IP Rules > Add > IPRule Now enter 3. Name: ToGK Action: Allow Service: H323-Gatekeeper Source Interface: lan Destination Interface: vpn-hq Source ...> IP Rules > Add > IPRule Now enter 3. Name: GWToGK Action: Allow Service: H323-Gatekeeper Source Interface: dmz Destination Interface: vpn-hq Source ...
  • D-Link DFL-260 | Product Manual - Page 289
    ... such as using IPsec. Most web browsers support TLS and users can therefore easily ... SSL end-point. Regarding the SSL and TLS standards supported, NetDefendOS provides termination support... TLS 1.0, with RFC 2246 defining the TLS 1.0 support (with NetDefendOS supporting the server side part of RFC 2246...
  • D-Link DFL-260 | Product Manual - Page 290
    ... and the transfer of unencrypted data to/from servers. The advantages of this approach are TLS support can be centralized in the NetDefend Firewall instead of being set up ... certificate should both be set to the same certificate. Create a new custom Service object based on the TCP protocol. 3. 290
  • D-Link DFL-260 | Product Manual - Page 291
    .... NetDefendOS TLS Limitations As discussed above, NetDefendOS TLS provides support for server side termination only. The other limitations that should be noted Client authentication is not supported (where NetDefend Firewall authenticates the identity of the client). Renegotiation is ...
  • D-Link DFL-260 | Product Manual - Page 292
    .... Static Content Filtering provides a means for manually classifying web sites as "good" or "bad... been classified into by an automatic classification service. Dynamic content filtering requires a minimum... into web pages. NetDefendOS includes support for removing the following types of objects from web...
  • D-Link DFL-260 | Product Manual - Page 293
    ...before Dynamic Content Filtering (described below), which allows the possibility of manually making exceptions from the automatic dynamic classification process. In a...Filtering. Wildcarding Both the URL blacklist and URL whitelist support wildcard matching of URLs in order to be more flexible. This ...
  • D-Link DFL-260 | Product Manual - Page 294
    6.3.3. Static Content Filtering Chapter 6. Security Mechanisms */*.gif: Good. This will block all files with .gif as the file name extension. www.example.com: Bad. This will only block the first request to the web site. Surfing to www.example.com/index.html, for example, will not be... *example.com/*: ...
  • D-Link DFL-260 | Product Manual - Page 295
    ... different countries. Dynamic WCF is only available on certain NetDefend models Dynamic WCF is only available on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. WCF Processing Flow When a user of a web browser requests access to a web site...
  • D-Link DFL-260 | Product Manual - Page 296
    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms community, such as a group of university students, often surfs to a limited range of websites. Figure 6.8. Dynamic Content Filtering Flow If the requested web page URL is not present in the databases, then the webpage content at...
  • D-Link DFL-260 | Product Manual - Page 297
    ... is a feature that is enabled by taking out a separate subscription to the service. This is an addition to the normal NetDefendOS license. Once a subscription ... content_filtering WebContentFilteringMode=Enabled FilteringCategories=SEARCH_SITES Then, create a service object using the new HTTP ALG: gw-...
  • D-Link DFL-260 | Product Manual - Page 298
    ... Sites and click the >> button. Click OK Then, create a service object using the new HTTP ALG: 1. 2. ... Click OK Finally, modify the NAT rule to use the new service: 1. 2. 3. 4. 5. Go to Rules > IP Rules Select the NAT rule handling your HTTP traffic Select the Service tab Select your new service, ...
  • D-Link DFL-260 | Product Manual - Page 299
    ...button Click OK The steps to then create a service object using the new HTTP ALG and modifying the NAT rule to use the new service, are described in the previous example. Allowing Override ...able to do his job. For this reason, NetDefendOS supports a feature called Allow Override. With this feature ...
  • D-Link DFL-260 | Product Manual - Page 300
    ...Web Content Filtering Chapter 6. Security Mechanisms manually propose a new classification of sites. This mechanism ... be sent to D-Link's central data warehouse for manual inspection. That inspection may result in the web ...=Yes Then, continue setting up the service object and modifying the NAT rule ...
  • D-Link DFL-260 | Product Manual - Page 301
    ... submit online employment applications. This also includes resume writing and posting and interviews, as well as staff recruitment and training services. Examples might be: www.allthejobs.com, www.yourcareer.com Category 4: Gambling A web site may be classified under the Gambling category if...
  • D-Link DFL-260 | Product Manual - Page 302
    ... category are market promotions, catalogue selling and merchandising services. Examples might be: www.megamall.com, www.buy-alcohol.se Category 7:... order bride / foreign spouse introductions and escort services. Examples might be: adultmatefinder.com, www.marriagenow.com Category 10: ...
  • D-Link DFL-260 | Product Manual - Page 303
    .../ Terrorism category if its content includes the description, promotion or instruction in, criminal or terrorist activities, cultures or opinions. Examples ... Cults category if its content includes the description or depiction of, or instruction in, systems of religious beliefs and practice. Examples ...
  • D-Link DFL-260 | Product Manual - Page 304
    ... www.political.com Category 16: Sports A web site may be classified under the Sports category if its content includes information or instructions relating to recreational or professional sports, or reviews on sporting events and sports scores. Examples might be: www.sportstoday.com, www....
  • D-Link DFL-260 | Product Manual - Page 305
    ... includes health related information or services, including sexuality and sexual health, as well as support groups, hospital and surgical information and ...and Societies category if its content includes information or services relating to a club or society. This includes team or ...
  • D-Link DFL-260 | Product Manual - Page 306
    ... main focus includes providing advertising related information or services. Examples might be: www.admessages.com, www.tripleclick.com Category 28: ... category if its content includes computing related information or services. Examples might be: www.purplehat.com, www.gnu.org Category ...
  • D-Link DFL-260 | Product Manual - Page 307
    ... ALG Banner Files Enter a name such as new_forbidden and press OK The dialog for the new set of ALG banner files ... URL page Use Preview to check the layout if required Press Save to save the changes Click OK to exit ... > Save & Activate to activate the new file 15. Press Save and then click OK The new ...
  • D-Link DFL-260 | Product Manual - Page 308
    ...Chapter 6. Security Mechanisms Tip: Saving changes In the above example, more than one HTML file can be edited in a session but the Save button should be pressed to save any edits before beginning editing on another file. Uploading with SCP It is possible to upload new HTTP Banner files using SCP....
  • D-Link DFL-260 | Product Manual - Page 309
    ... Anti-Virus is not available on all NetDefend models Anti-Virus scanning is available only on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. 6.4.2. Implementation Streaming As a file transfer is streamed through the NetDefend Firewall, NetDefendOS ...
  • D-Link DFL-260 | Product Manual - Page 310
    ... with the Anti-Virus option enabled. As always, an ALG must then be associated with an appropriate service object for the protocol to be scanned. The service object is then associated with a rule in the IP rule set which defines the origin and destination of the traffic...
  • D-Link DFL-260 | Product Manual - Page 311
    ... of the SafeStream database should therefore be updated regularly and this updating service is enabled as part of the subscription to the D-Link Anti-Virus subscription. 6.4.5. Subscribing to the D-Link Anti-Virus Service The D-Link Anti-Virus feature is purchased as an additional ...
  • D-Link DFL-260 | Product Manual - Page 312
    6.4.6. Anti-Virus Options Chapter 6. Security Mechanisms the excluded list is checked. 3. Compression Ratio Limit When scanning compressed files, NetDefendOS must apply decompression to examine the file's contents. Some types of data can result in very high compression ratios where the ...
  • D-Link DFL-260 | Product Manual - Page 313
    ... engine has detected a virus, the NetDefend Firewall will upload blocking instructions to the local switches and instruct them to block all traffic from the infected host or server. Since ZoneDefense blocking ... anti_virus Antivirus=Protect Next, create a Service object using the new HTTP ALG: gw-...
  • D-Link DFL-260 | Product Manual - Page 314
    ...the Mode dropdown list Click OK B. Then, create a Service object using the new HTTP ALG: 1. ... NAT rule (called NATHttp in this example) to use the new service: 1. 2. 3. 4. 5. Go to Rules > IP Rules Select the NAT... the traffic between lannet and all-nets Click the Service tab Select your new service, ...
  • D-Link DFL-260 | Product Manual - Page 315
    6.5. Intrusion Detection and Prevention Chapter 6. Security Mechanisms 6.5. Intrusion Detection and Prevention 6.5.1. Overview Intrusion Definition Computer servers can sometimes have vulnerabilities which leave them exposed to attacks carried by network traffic. Worms, trojans and backdoor ...
  • D-Link DFL-260 | Product Manual - Page 316
    ...IDP is the base IDP system included as standard with the NetDefend DFL 210, 800, 1600 and 2500. Maintenance IDP ... more comprehensive Advanced IDP which is discussed next. IDP does not come as standard with the DFL-260, 860, 1660, 2560 and 2560G and a subscription to Advanced IDP must be purchased for...
  • D-Link DFL-260 | Product Manual - Page 317
    ... 6.5.3. IDP Rules Rule Components An IDP Rule defines what kind of traffic, or service, should be analyzed. An IDP Rule is similar in makeup to an ... a given combination source/destination interfaces/addresses as well as being associated with a service object which defines which protocols to scan. A ...
  • D-Link DFL-260 | Product Manual - Page 318
    6.5.4. Insertion/Evasion Attack Prevention Chapter 6. Security Mechanisms HTTP Normalization Each IDP rule has a section of settings for HTTP normalization. This allows the administrator to choose the actions that should be taken when IDP finds inconsistencies in the URIs embedded in incoming ...
  • D-Link DFL-260 | Product Manual - Page 319
    6.5.5. IDP Pattern Matching Chapter 6. Security Mechanisms aimed at evading IDP mechanisms. It exploits the fact that in a TCP/IP data transfer, the data stream must often be reassembled from smaller pieces of data because the individual pieces either arrive in the wrong order or are fragmented ...
  • D-Link DFL-260 | Product Manual - Page 320
    ... the changing nature of the signature database, advisories are not included in D-Link documentation but instead, are available on the D-Link website at: http://security.dlink.com.tw Advisories can be found under the "NetDefend IDS" option in the "NetDefend Live" menu. IDP Signature types IDP offers...
  • D-Link DFL-260 | Product Manual - Page 321
    6.5.6. IDP Signature Groups Chapter 6. Security Mechanisms least possible number of signatures. Specifying Signature Groups IDP Signature Groups fall into a three level hierarchical structure. The top level of this hierarchy is the signature Type, the second level the Category and the third ...
  • D-Link DFL-260 | Product Manual - Page 322
    6.5.7. IDP Actions Chapter 6. Security Mechanisms IDS_HTTP* and IPS_HTTP* IDP groups would be appropriate for protecting an HTTP server. IDP traffic scanning creates an additional load on the hardware that in most cases should not noticeably degrade performance. Using too many signatures during ...
  • D-Link DFL-260 | Product Manual - Page 323
    ... Rule is triggered. At least one new event occurs within the Hold Time of 120 seconds, thus reaching the log threshold level (at least 2 events have occurred...: hostmaster Subject: Log event from NetDefendOS Minimum Repeat Delay: 600 Hold Time: 120 Log Threshold: 2 Click OK IDP Rules: 1. 2. 3. 4. 5. ...
  • D-Link DFL-260 | Product Manual - Page 324
    ... IDP Rule: gw-world:/> add IDPRule Service=smtp SourceInterface=wan SourceNetwork=wannet DestinationInterface... rule is called IDPMailSrvRule, and applies to the SMTP service. Source Interface and Source Network define...IDP Rule Now enter Name: IDPMailSrvRule Service: smtp Also inspect dropped packets:...
  • D-Link DFL-260 | Product Manual - Page 325
    6.5.8. SMTP Log Receiver for IDP Events Chapter 6. Security Mechanisms • • Destination Network: ip_mailserver Click OK Specify the Action: An action is now defined, specifying what signatures the IDP should use when scanning data matching the rule, and what NetDefendOS should do when a ...
  • D-Link DFL-260 | Product Manual - Page 326
    ...-of-Service Attack Prevention Chapter 6. Security Mechanisms 6.6. Denial-of-Service Attack Prevention 6.6.1. Overview By embracing the Internet, enterprises ... techniques utilize the distributed topology of the Internet to launch Denial of Service (DoS) attacks against organizations resulting in ...
  • D-Link DFL-260 | Product Manual - Page 327
    ... attack The WinNuke attack works by connecting to a TCP service that does not have handlers for "out-... still accepts such data. This will usually put the service in a tight loop that consumes all available ... surface is greatly reduced. Only exposed services could possibly become victims of the attack,...
  • D-Link DFL-260 | Product Manual - Page 328
    ... factors since there are fewer hosts on the Internet that have the UDP echo service enabled. • Smurf attacks will show up in NetDefendOS logs as ... load off of internal servers, making them available for internal service, or perhaps service via a secondary Internet connection not targeted by the ...
  • D-Link DFL-260 | Product Manual - Page 329
    ... with the client before doing a second handshake of its own with the target service. Overload situations have difficulty occurring in NetDefendOS due to...other operating systems. While other operating systems can exhibit problems with as few as 5 outstanding half-open connections, NetDefendOS can fill...
  • D-Link DFL-260 | Product Manual - Page 330
    6.6.10. Distributed DoS Attacks Chapter 6. Security Mechanisms attacks on victim sites. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims. Although recent DDoS attacks have been launched from both ...
  • D-Link DFL-260 | Product Manual - Page 331
    ...words, it is not cumulative). By default Blacklisting blocks all services for the triggering host. If there are established connections that have the... will not be dropped if this option is set. Block only this Service Exempt already established connections from Blacklisting IP addresses or networks...
  • D-Link DFL-260 | Product Manual - Page 332
    .... Command-Line Interface gw-world:/> add BlacklistWhiteHost Addresses=white_ip Service=all_tcp Web Interface 1. 2. 3. 4. Go to System > Whitelist > Add >... the IP address object white_ip so it is added to the whitelist Select the service all_tcp to be associated with this whitelist entry Click OK 332
  • D-Link DFL-260 | Product Manual - Page 333
    6.7. Blacklisting Hosts and Networks Chapter 6. Security Mechanisms 333
  • D-Link DFL-260 | Product Manual - Page 334
    ... internal IP addresses which means that an attack coming from the "outside" is much more difficult. Types of Translation NetDefendOS supports two types of translation: Dynamic Network Address Translation (NAT) and Static Address Translation (SAT). Both types of translation are policy-...
  • D-Link DFL-260 | Product Manual - Page 335
    7.2. NAT Chapter 7. Address Translation 7.2. NAT Dynamic Network Address Translation (NAT) provides a mechanism for translating original source IP addresses to a different address. Outgoing packets then appear to come from a different IP address and incoming packets back to that address have ...
  • D-Link DFL-260 | Product Manual - Page 336
    7.2. NAT Chapter 7. Address Translation address on the firewall then this will constitute two, unique IP pairs. The 64,500 figure is therefore not a limitation for the entire NetDefend Firewall. Tip: Use NAT pools to get around the connection limit The connection maximum per unique IP pair is ...
  • D-Link DFL-260 | Product Manual - Page 337
    ... main IP rule set: gw-world:/> cc IPRuleSet main Now, create the IP rule: gw-world:/main> add IPRule Action=NAT Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=any DestinationNetwork=all-nets Name=NAT_HTTP NATAction=UseInterfaceAddress Return to the top level: gw-world:/...
  • D-Link DFL-260 | Product Manual - Page 338
    ... the rule, for example NAT_HTTP Now enter 4. 5. Action: NAT Service: http Source Interface: lan Source Network: lannet Destination Interface:... IP. Some protocols, regardless of the method of transportation used, can cause problems during address translation. Anonymizing Internet Traffic with NAT A ...
  • D-Link DFL-260 | Product Manual - Page 339
    ... with their local ISP using PPTP. The traffic is directed to the anonymizing service provider where a NetDefend Firewall is installed to act as the PPTP ... requests from the client it appears as though they are coming from the anonymizing service provider's external IP address and not the client's IP....
  • D-Link DFL-260 | Product Manual - Page 340
    7.3. NAT Pools Chapter 7. Address Translation 7.3. NAT Pools Overview Network Address Translation (NAT) provides a way to have multiple internal clients and hosts with unique private internal IP addresses communicate to remote hosts through a single external public IP address (this is discussed ...
  • D-Link DFL-260 | Product Manual - Page 341
    ... interfaces will be used by NAT pools. The option exists however to enable Proxy ARP for a NAT Pool on all interfaces but this can cause problems sometimes by possibly creating routes to interfaces on which packets should not arrive. It is therefore recommended that the interface(s) to be used for ...
  • D-Link DFL-260 | Product Manual - Page 342
    ... as nat_pool_rule Action: NAT Under Address filter enter Source Interface: int Source Network: int-net Destination Interface: wan Destination Network: all-nets Service: HTTP 4. Select the NAT tab and enter: Check the Use NAT Pool option; Select stateful_natpool from the drop-down list 5....
  • D-Link DFL-260 | Product Manual - Page 343
    .... This scenario is also sometimes referred to as a Virtual IP or Virtual Server in some other manufacturers' products. The Role of the DMZ At this point in the manual, it's relevant to discuss the concept and role of the network known as the Demilitarized Zone (DMZ). The DMZ's purpose is to have a ...
  • D-Link DFL-260 | Product Manual - Page 344
    ... IP rule set: gw-world:/> cc IPRuleSet main Next, create a SAT IP rule: gw-world:/main> add IPRule Action=SAT Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=core DestinationNetwork=wan_ip SATTranslate=DestinationIP SATTranslateToIP=10.10.10.5 Name=SAT_HTTP_To_DMZ 344
  • D-Link DFL-260 | Product Manual - Page 345
    ... example SAT_HTTP_To_DMZ Now enter 4. 5. 6. Action: SAT Service: http Source Interface: any Source ... example Allow_HTTP_To_DMZ Now enter 4. 5. Action: Allow Service: http Source Interface: any Source ...: core Destination Network: wan_ip Under the Service tab, select http in the Predefined list Click...
  • D-Link DFL-260 | Product Manual - Page 346
    7.4.1. Translation of a Single IP Address (1:1) Chapter 7. Address Translation Rule #3: Action NAT, Src Iface lan, Src Net lannet, Dest Iface any, Dest Net all-nets, Parameters All. Now, what is wrong with this rule set? If we assume that we want to implement address translation for reasons of ...
  • D-Link DFL-260 | Product Manual - Page 347
    ... directly to PC1 without passing through the NetDefend Firewall. This causes problems. The reason this will not work is that PC1 expects a reply from 195... to the rule set in the same way as described above, will solve the problem. In this example, for no particular reason, we choose to use option ...
  • D-Link DFL-260 | Product Manual - Page 348
    ... IP Addresses (M:N) Chapter 7. Address Translation Another possible solution to this problem is to allow internal clients to speak directly to 10.0.0.2 and this would completely avoid all the problems associated with address translation. However, this is not always practical. ...
  • D-Link DFL-260 | Product Manual - Page 349
    ... rule for the translation: gw-world:/main> add IPRule Action=SAT Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=wan DestinationNetwork=... Allow Rule: gw-world:/main> add IPRule Action=Allow Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=wan ...
  • D-Link DFL-260 | Product Manual - Page 350
    ...3. Go to Rules > IP Rules > Add > IPRule Specify a suitable name for the rule, for example Allow_HTTP_To_DMZ Now enter 4. Action: Allow Service: http Source Interface:any Source Network: all-nets Destination Interface: wan Destination Network: wwwsrv_pub Click OK 7.4.3. All-to-One Mappings (N:1) ...
  • D-Link DFL-260 | Product Manual - Page 351
    ...a connection to the web server's private address - port 1084. Note: A custom service is needed for port translation In order to create a SAT rule that allows port translation, a Custom Service object must be used with the rule. 7.4.5. Protocols Handled by SAT Generally, static ...
  • D-Link DFL-260 | Product Manual - Page 352
    7.4.7. SAT and FwdFast Rules Chapter 7. Address Translation The two above rules may both be carried out concurrently on the same connection. In this instance, internal sender addresses will be translated to addresses in pubnet in a 1:1 relationship. In addition, if anyone tries to connect to the ...
  • D-Link DFL-260 | Product Manual - Page 353
    ... match rules 2 and 3. The replies will therefore be dynamically address translated. This changes the source port to a completely different port, which will not work. The problem can be solved using the following rule set (# / Action / Src Iface): 1 SAT any; 2 SAT lan; 3 FwdFast lan; 4 NAT lan; 5 FwdFast lan ...
  • D-Link DFL-260 | Product Manual - Page 354
    7.4.7. SAT and FwdFast Rules Chapter 7. Address Translation 354
  • D-Link DFL-260 | Product Manual - Page 355
    ...a special piece of equipment such as a biometric reader. Another problem with A is that the special attribute often cannot be replaced if it ...specifically with user authentication performed with username/password combinations that are manually entered by a user attempting to gain access to resources....
  • D-Link DFL-260 | Product Manual - Page 356
    8.1. Overview Chapter 8. User Authentication To remain secure, passwords should also: not be recorded anywhere in written form; never be revealed to anyone else; be changed on a regular basis, such as every three months. 356
  • D-Link DFL-260 | Product Manual - Page 357
    8.2. Authentication Setup Chapter 8. User Authentication 8.2. Authentication Setup 8.2.1. Setup Summary The following list summarizes the steps for User Authentication setup with NetDefendOS: • Have an authentication source which consists of a database of users, each with a username/password ...
  • D-Link DFL-260 | Product Manual - Page 358
    8.2.2. The Local Database Chapter 8. User Authentication The purpose of this is to restrict access to certain networks to a particular group by having IP rules which will only apply to members of that group. To gain access to a resource there must be an IP rule that allows it and the client must ...
  • D-Link DFL-260 | Product Manual - Page 359
    ... authentication server can validate username/password combinations by responding to requests from NetDefendOS. To provide this, NetDefendOS supports the Remote Authentication Dial-in User Service (RADIUS) protocol. RADIUS Usage with NetDefendOS ...
  • D-Link DFL-260 | Product Manual - Page 360
    ... to NetDefendOS is required. There are a number of issues that can cause problems: • LDAP servers differ in their implementation. NetDefendOS provides a ...is a tuple (a pair of data values) consisting of an attribute name (in this manual we will call this the attribute ID to avoid confusion) and an ...
  • D-Link DFL-260 | Product Manual - Page 361
    ... if the groups that a user belongs to should be retrieved from the LDAP server. The group name is often used when granting user access to a service after a successful logon. If the Retrieve Group Membership option is enabled then the Membership Attribute option, described next can also be set. • ...
  • D-Link DFL-260 | Product Manual - Page 362
    8.2.4. External LDAP Servers Chapter 8. User Authentication successful authentication. The domain name is the host name of the LDAP server, for example myldapserver. The choices for this parameter are: i. None - This will not modify the username in any way. For example, testuser. ii. Username ...
  • D-Link DFL-260 | Product Manual - Page 363
    8.2.4. External LDAP Servers Chapter 8. User Authentication • Domain Name The Domain Name is used when formatting usernames. This is the first part of the full domain name. In our examples above, the Domain Name is myldapserver. The full domain name is a dot separated set of labels, for ...
  • D-Link DFL-260 | Product Manual - Page 364
    8.2.4. External LDAP Servers Chapter 8. User Authentication If the domain is mydomain.com then the username for myuser might need to be specified as myuser@mydomain.com. With some LDAP servers this might be myuser@domain mydomain.com\myuser or even mydomain\myuser. The format depends entirely on ...
  • D-Link DFL-260 | Product Manual - Page 365
    ... found there. LDAP servers store passwords in encrypted digest form and do not provide automatic mechanisms for doing this. It must therefore be done manually by the administrator as they add new users and change existing users' passwords. This clearly involves some effort from the administrator, as ...
  • D-Link DFL-260 | Product Manual - Page 366
    8.2.5. Authentication Rules Chapter 8. User Authentication Figure 8.2. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 Important: The link to the LDAP server must be protected Since the LDAP server is sending back passwords in plain text to NetDefendOS, the link between the NetDefend Firewall and...
  • D-Link DFL-260 | Product Manual - Page 367
    8.2.5. Authentication Rules Chapter 8. User Authentication This is the IKE authentication method which is used as part of VPN tunnel establishment with IPsec. XAuth is an extension to the normal IKE exchange and provides an addition to normal IPsec security which means that clients accessing a ...
  • D-Link DFL-260 | Product Manual - Page 368
    ... RADIUS database server or an external LDAP server. NetDefendOS then allows further traffic through this connection as long as authentication was successful and the service requested is allowed by a rule in the IP rule set. That rule's Source Network object has either the No Defined Credentials ...
  • D-Link DFL-260 | Product Manual - Page 369
    ... trusted_net untrusted_net int dmz important_net regular_net Service All All If we wanted to ... int dmz dmz important_net regular_net regular_net Service All All All 8.2.8. HTTP Authentication Where... HTTP authentication will collide with the WebUI's remote management service which also uses TCP port ...
  • D-Link DFL-260 | Product Manual - Page 370
    ... Dest Network lannet trusted_users lannet core wan wan lan_ip all-nets all-nets Service http-all http-all dns-all The first rule allows the authentication process ... wan lan_ip all-nets all-nets all-nets all-to-one 127.0.0.1 all-nets Service http-all http-all dns-all http-all 5 Allow lan lannet ...
  • D-Link DFL-260 | Product Manual - Page 371
    ... Only users that belong to the group users can get Web browsing service after authentication, as it is defined in the IP rule. We assume that lannet, users, ... > Add > IP rule Now enter Name: http2fw Action: Allow Service: HTTP Source Interface: lan Source Network: lannet Destination Interface core ...
  • D-Link DFL-260 | Product Manual - Page 372
    ...Rules > Add> IP rule Now enter 3. Name: Allow_http_auth Action: NAT Service: HTTP Source Interface: lan Source Network: lannet_users Destination Interface any ... if the server has been defined in the Address Book Port: 1812 (RADIUS service uses UDP port 1812 by default) Retry Timeout: 2 (NetDefendOS ...
  • D-Link DFL-260 | Product Manual - Page 373
    8.3. Customizing HTML Pages Chapter 8. User Authentication f. g. 3. Shared Secret: Enter a text string here for basic encryption of the RADIUS messages Confirm Secret: Retype the string to confirm the one typed above Click OK 8.3. Customizing HTML Pages User Authentication makes use of a set ...
  • D-Link DFL-260 | Product Manual - Page 374
    ... Banner Files Enter a name such as new_forbidden and press OK The dialog for the new set of ALG banner ... page Use Preview to check the layout if required Press Save to save the changes Click OK to ...be edited in a session but the Save button should be pressed to save any edits before beginning editing ...
  • D-Link DFL-260 | Product Manual - Page 375
    8.3. Customizing HTML Pages Chapter 8. User Authentication 2. A new Auth Banner Files object must exist which the edited file(s) is uploaded to. If the object is called ua_html, the CLI command to create this object is: gw-world:/> add HTTPAuthBanners ua_html This creates an object which ...
  • D-Link DFL-260 | Product Manual - Page 376
    8.3. Customizing HTML Pages Chapter 8. User Authentication
  • D-Link DFL-260 | Product Manual - Page 377
    ... • IPsec Components, page 391 • IPsec Tunnels, page 406 • PPTP/L2TP, page 425 • CA Server Access, page 434 • VPN Troubleshooting, page 437 9.1. Overview 9.1.1. VPN Usage The Internet is increasingly used as a means to connect together computers since it offers efficient and inexpensive ...
  • D-Link DFL-260 | Product Manual - Page 378
    9.1.2. VPN Encryption Chapter 9. VPN 2. Client to LAN connection - Where many remote clients need to connect to an internal network over the Internet. In this case, the internal network is protected by the NetDefend Firewall to which the client connects and the VPN tunnel is set up between them....
  • D-Link DFL-260 | Product Manual - Page 379
    ...VPN Restricting access through the VPN to needed services only, since mobile computers are vulnerable. Creating DMZs for services that need to be shared with other companies through VPNs. Adapting VPN .... By doing this, the administrator can restrict which services can be accessed via the VPN and...
  • D-Link DFL-260 | Product Manual - Page 380
    9.1.5. The TLS Alternative for VPN Chapter 9. VPN "The TLS ALG".
  • D-Link DFL-260 | Product Manual - Page 381
    ... cases, this route is created automatically when the tunnel is defined and this can be checked by examining the routing tables. If a route is defined manually, the tunnel is treated exactly like a physical interface in the route properties, as it is in other aspects of NetDefendOS. In other words, ...
  • D-Link DFL-260 | Product Manual - Page 382
    ...the remote network remote_net. An Allow rule for inbound traffic that has the previously defined ipsec_tunnel object as the Source Interface. The Source Network is remote_net. Src Interface lan Src Network lannet Dest Interface ipsec_tunnel Dest Network remote_net Service All • Action Allow
  • D-Link DFL-260 | Product Manual - Page 383
    ... Src Network remote_net Dest Interface lan Dest Network lannet Service All The Service used in these rules is All but it could be a predefined service. 6. Define a new NetDefendOS Route which specifies that the VPN Tunnel ipsec_tunnel is the Interface to use for routing packets bound for the ...
  • D-Link DFL-260 | Product Manual - Page 384
    ... The IP addresses may be known beforehand and have been pre-allocated to the roaming clients before they connect. The client's IP address will be manually input into the VPN client software. 1. Set up user authentication. XAuth user authentication is not required with IPsec roaming clients but is ...
  • D-Link DFL-260 | Product Manual - Page 385
    ... rules. The IP rule set should contain the single rule: Action Allow Src Interface ipsec_tunnel Src Network all-nets Dest Interface lan Dest Network lannet Service All Once an Allow rule permits the connection to be set up, bidirectional traffic flow is allowed which is why only one rule is used ...
  • D-Link DFL-260 | Product Manual - Page 386
    ... the IPsec algorithms that will be used and which are supported by NetDefendOS. Specify if the client will use ... products available from a number of suppliers and this manual will not focus on any specific one.... IPsec client products are available and this manual will not discuss any particular client...
  • D-Link DFL-260 | Product Manual - Page 387
    9.2.5. L2TP Roaming Clients with Pre-Shared Keys Chapter 9. VPN Note: The system time and date should be correct The NetDefendOS date and time should be set correctly since certificates have an expiry date and time. Also review Section 9.6, "CA Server Access", which describes important ...
  • D-Link DFL-260 | Product Manual - Page 388
    ...the IP rule set: Action Allow NAT Src Interface l2tp_tunnel ipsec_tunnel Src Network l2tp_pool l2tp_pool Dest Interface any ext Dest Network int_net all-nets Service All All The second rule would be included to allow clients to surf the Internet via the ext interface on the NetDefend Firewall. The ...
  • D-Link DFL-260 | Product Manual - Page 389
    9.2.7. PPTP Roaming Clients Chapter 9. VPN 1. 2. 3. The NetDefendOS date and time must be set correctly since certificates can expire. Load a Gateway Certificate and Root Certificate into NetDefendOS. When setting up the IPsec Tunnel object, specify the certificates to use under Authentication. ...
  • D-Link DFL-260 | Product Manual - Page 390
    ... IP rule set: Action Allow NAT Src Interface pptp_tunnel pptp_tunnel Src Network pptp_pool pptp_pool Dest Interface any ext Dest Network int_net all-nets Service All All As described for L2TP, the NAT rule lets the clients access the public Internet via the NetDefend Firewall. 5. Set up the client....
  • D-Link DFL-260 | Product Manual - Page 391
    9.3. IPsec Components Chapter 9. VPN 9.3. IPsec Components This section looks at the IPsec standards and describes in general terms the various components, techniques and algorithms that are used in IPsec based VPNs. 9.3.1. Overview Internet Protocol Security (IPsec) is a set of protocols ...
  • D-Link DFL-260 | Product Manual - Page 392
    ...device initiating an IPsec connection will send a list of the algorithm combinations it supports for protecting the connection and it is then up to the device.... The responding VPN device, upon receiving the list of supported algorithms, will choose the algorithm combination that best matches its own...
  • D-Link DFL-260 | Product Manual - Page 393
    ...-Shared Keys, certificates or public key encryption. Pre-Shared Keys is the most common authentication method today. PSK and certificates are supported by the NetDefendOS VPN module. IKE Phase-2 - IPsec Security Negotiation In phase 2, another negotiation is performed, detailing the parameters for ...
  • D-Link DFL-260 | Product Manual - Page 394
    9.3.2. Internet Key Exchange (IKE) Chapter 9. VPN remote device, which will decrypt/authenticate the data, extract it from its tunnel and pass it on to its final destination. This way, an eavesdropper will only see encrypted traffic going from one VPN endpoint to another. In transport mode, ...
  • D-Link DFL-260 | Product Manual - Page 395
    ... on the algorithm, the size of the encryption key used. The algorithms supported by NetDefendOS IPsec are AES Blowfish Twofish Cast128 3DES DES... the authentication algorithms used in the IKE negotiation phase. The algorithms supported by NetDefendOS IPsec are: • • IKE DH Group IKE Lifetime SHA1 ...
  • D-Link DFL-260 | Product Manual - Page 396
    ... AH is used, or when ESP is used without encryption. The algorithms supported by NetDefend Firewall VPNs are IPsec Authentication AES Blowfish Twofish ...it is not recommended to use ESP without authentication. The algorithms supported by NetDefend Firewall VPNs are: • • SHA1 MD5 IPsec Lifetime ...
  • D-Link DFL-260 | Product Manual - Page 397
    ...but also the processing overhead. The DH groups supported by NetDefendOS are as follows DH group 1 (768-.... Note NetDefendOS does not support manual keying. Manual Keying Advantages Since ... interoperable. Most interoperability problems encountered today are in IKE. Manual keying completely bypasses ...
  • D-Link DFL-260 | Product Manual - Page 398
    9.3.4. IPsec Protocols (ESP/AH) Chapter 9. VPN Pre-Shared Keying has a lot of advantages over manual keying. These include endpoint authentication, which is what the PSKs are really for. It also includes all the benefits of using IKE. Instead of using a fixed set of encryption keys, session keys ...
  • D-Link DFL-260 | Product Manual - Page 399
    ... used to do either encryption only, or authentication only. Figure 9.2. The ESP protocol 9.3.5. NAT Traversal Both the IKE and IPsec protocols present a problem for the functioning of NAT. Neither protocol was designed to work through NATs and because of this, a technique called "NAT traversal" has ...
  • D-Link DFL-260 | Product Manual - Page 400
    ... that allows them to function when being NATed. NetDefendOS supports the RFC3947 standard for NAT-Traversal with IKE.... used if both ends have support for it. For this purpose, NAT traversal aware VPNs... has changed. UDP Encapsulation Another problem that NAT traversal resolves is that the ESP protocol...
  • D-Link DFL-260 | Product Manual - Page 401
    ... and IPsec security associations (SAs) are established. A proposal list of supported algorithms is the starting point for the negotiation. Each entry in ... end point device is capable of supporting (the shorter term tunnel endpoint will also be used in this manual). The initial negotiation attempts to...
  • D-Link DFL-260 | Product Manual - Page 402
    ... different encodings on different platforms can cause a problem with non-ASCII characters. Windows, for example, ...there will be a mismatch and this can sometimes cause problems when setting up a Windows L2TP client ...pskgen MyPSK -size=512 Or alternatively, to add the Pre-shared Key manually, use:
  • D-Link DFL-260 | Product Manual - Page 403
    ... signed by any of the trusted Certificate Authorities. This can be a potential problem, especially when using roaming clients. A Typical Scenario Consider ... List Solution The concept of Identification Lists presents a solution to this problem. An identification list contains one or more identities (...
  • D-Link DFL-260 | Product Manual - Page 404
    ...ID JohnDoe Type=DistinguishedName CommonName="John Doe" OrganizationName=D-Link OrganizationalUnit=Support Country=Sweden EmailAddress=john.doe@D-Link.com gw-world:/...Common Name: John Doe Organization Name: D-Link Organizational Unit: Support Country: Sweden Email Address: john.doe@D-Link.com Click...
  • D-Link DFL-260 | Product Manual - Page 405
    9.3.8. Identification Lists Chapter 9. VPN 2. 3. 4. 5. 6. Select the IPsec tunnel object of interest Under the Authentication tab, choose X.509 Certificate Select the appropriate certificate in the Root Certificate(s) and Gateway Certificate controls Select MyIDList in the Identification List ...
  • D-Link DFL-260 | Product Manual - Page 406
    9.4. IPsec Tunnels Chapter 9. VPN 9.4. IPsec Tunnels This section looks more closely at IPsec tunnels in NetDefendOS, their definition, options and usage. 9.4.1. Overview An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a logical interface by ...
  • D-Link DFL-260 | Product Manual - Page 407
    9.4.1. Overview Chapter 9. VPN performance of the NetDefendOS IPsec engine and explicitly dropping such traffic with an IP rule is an efficient way of preventing it reaching the engine. In other words, IP rules can be used to have complete control over all traffic related to the tunnel. Dead ...
  • D-Link DFL-260 | Product Manual - Page 408
    9.4.2. LAN to LAN Tunnels with Pre-shared Keys Chapter 9. VPN • • • Section 9.2.2, "IPsec LAN to LAN with Certificates". Section 9.2.3, "IPsec Roaming Clients with Pre-shared Keys". Section 9.2.4, "IPsec Roaming Clients with Certificates". In addition to the quick start ...
  • D-Link DFL-260 | Product Manual - Page 409
    9.4.3. Roaming Clients Chapter 9. VPN Example 9.4. Setting up a PSK based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming clients that connect to the office to gain remote access. The head office network uses...
  • D-Link DFL-260 | Product Manual - Page 410
    ...selected when you created the certificate on the client Create a new ID for every client that you want to grant access rights according to the instructions above D. Configure the IPsec tunnel: 1. 2. Go to Interfaces > IPsec > Add > IPsec Tunnel Now enter 3. Name: RoamingIPsecTunnel Local Network: ...
  • D-Link DFL-260 | Product Manual - Page 411
    ... to a CA server (in Windows 2000 Server this is found in Certificate Services). For more information on CA server issued certificates see Section 3.7, ... every client that you want to grant access rights according to the instructions above C. Configure the IPsec tunnel: 1. 2. Go to Interfaces > IPsec...
  • D-Link DFL-260 | Product Manual - Page 412
    ... of the DNS used for URL resolution (already provided by an IP Pool). The IP address for NBNS/WINS resolution (already provided by an IP Pool). Instructs the host to send any internal DHCP requests to this address. A list of the subnets that the client can access. Example 9.7. Setting Up Config ...
  • D-Link DFL-260 | Product Manual - Page 413
    ... use another LDAP server. The LDAP configuration section can then be used to manually specify alternate LDAP servers. Example 9.9. Setting up an LDAP server This example shows how to manually set up and specify an LDAP server. Command-Line Interface gw-world:/> ...
  • D-Link DFL-260 | Product Manual - Page 414
    ...146 Username: myusername Password: mypassword Confirm Password: mypassword Port: 389 Click OK 9.4.5. Troubleshooting with ikesnoop VPN Tunnel Negotiation When setting up IPsec tunnels, problems can arise because the initial negotiation fails ...
  • D-Link DFL-260 | Product Manual - Page 415
    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN negotiation and the server refers to the device which is the responder. Step 1. Client ... the server. This list details the protocols and encryption methods it can support. The purpose of the algorithm list is that the client is trying to find a ...
  • D-Link DFL-260 | Product Manual - Page 416
    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Life duration : 43200 Life type : Kilobytes Life duration : 50000 VID (Vendor ...: No of seconds or kilobytes VID: The IPsec software vendor plus what standards are supported. For example, NAT-T Step 2. Server Responds to Client A typical response ...
  • D-Link DFL-260 | Product Manual - Page 417
    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN SA (Security Association) Payload data length : 52 bytes DOI : 1 (IPsec DOI) Proposal 1/1 Protocol 1/1 Protocol ID : ISAKMP SPI Size : 0 Transform 1/1 Transform ID : IKE Encryption algorithm : Rijndael-cbc (aes) Key length : 128 Hash algorithm : ...
  • D-Link DFL-260 | Product Manual - Page 418
    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN NAT-D (NAT Detection) Payload data length : 16 bytes Step 4. Server Sends Key Exchange Data The Server now sends key exchange data back to the client. IkeSnoop: Sending IKE packet to 192.168.0.10:500 Exchange type : Identity Protection (main ...
  • D-Link DFL-260 | Product Manual - Page 419
    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Step 6. Server ID Response The server now responds with its own ID. IkeSnoop: Sending ... (Hash) Payload data length : 16 bytes Step 7. Client Sends a List of Supported IPsec Algorithms Now the client sends the list of supported IPsec algorithms to...
  • D-Link DFL-260 | Product Manual - Page 420
    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Key length : 128 Authentication algorithm : HMAC-MD5 SA life type : Seconds SA ... net and otherwise it is SA per host. Step 8. Client Sends a List of Supported Algorithms The server now responds with a matching IPsec proposal from the list sent by...
  • D-Link DFL-260 | Product Manual - Page 421
    ...be reset automatically to be approximately 4 times IPsec Max Tunnels if the latter is changed. This linkage is broken once IPsec Max Rules is altered manually so that subsequent changes to IPsec Max Tunnels will not cause an automatic change in IPsec Max Rules. Default: 4 times the license limit of ...
  • D-Link DFL-260 | Product Manual - Page 422
    9.4.6. IPsec Advanced Settings Chapter 9. VPN Specifies the total number of IPsec tunnels allowed. This value is initially taken from the maximum tunnels allowed by the license. The setting is used by NetDefendOS to allocate memory for IPsec. If it is desirable to have less memory allocated for ...
  • D-Link DFL-260 | Product Manual - Page 423
    9.4.6. IPsec Advanced Settings Chapter 9. VPN IPsec Cert Cache Max Certs Maximum number of certificates/CRLs that can be held in the internal certificate cache. When the certificate cache is full, entries will be removed according to an LRU (Least Recently Used) algorithm. Default: 1024 IPsec ...
  • D-Link DFL-260 | Product Manual - Page 424
    9.4.6. IPsec Advanced Settings Chapter 9. VPN In other words, this is the length of time in seconds for which DPD-R-U-THERE messages will be sent. If the other side of the tunnel has not sent a response to any messages then it is considered to be dead (not reachable). The SA will then be placed ...
  • D-Link DFL-260 | Product Manual - Page 425
    ... address, to protected networks via a VPN poses particular problems. Both the PPTP and L2TP protocols provide two different ... systems since Windows95 and therefore has a large number of clients with the software already installed. Troubleshooting PPTP A common problem with setting up PPTP is that a ...
  • D-Link DFL-260 | Product Manual - Page 426
    ... the NetDefend Firewall. Examining the log can indicate if this problem occurred, with a log message of the following form appearing: Error ...Tunneling Protocol (L2TP) is an IETF open standard that overcomes many of the problems of PPTP. Its design is a combination of Layer 2 Forwarding (L2F) protocol...
  • D-Link DFL-260 | Product Manual - Page 427
    9.5.2. L2TP Servers Chapter 9. VPN Example 9.11. Setting up an L2TP server This example shows how to set up an L2TP Network Server. The example assumes that you have created some IP address objects. You will have to specify the IP address of the L2TP server interface, an outer IP address (that the ...
  • D-Link DFL-260 | Product Manual - Page 428
    9.5.2. L2TP Servers Chapter 9. VPN 2. 3. 4. Enter a suitable name for the user database, for example UserDB Go to User Authentication > Local User Databases > UserDB > Add > User Now enter Username: testuser Password: mypassword Confirm Password: mypassword 5. Click OK Now we will set up the ...
  • D-Link DFL-260 | Product Manual - Page 429
    9.5.2. L2TP Servers Chapter 9. VPN gw-world:/> add Interface L2TPServer l2tp_tunnel IP=lan_ip Interface=l2tp_ipsec ServerIP=wan_ip IPPool=l2tp_pool TunnelProtocol=L2TP AllowedRoutes=all-nets ProxyARPInterfaces=lan Web Interface 1. 2. 3. Go to Interfaces > L2TP Servers > Add > L2TPServer Enter a ...
  • D-Link DFL-260 | Product Manual - Page 430
    ...:/main> add IPRule action=Allow Service=all_services SourceInterface=l2tp_tunnel SourceNetwork=l2tp_pool... AllowL2TP Now enter 4. 5. 6. 7. Action: Allow Service: all_services Source Interface: l2tp_tunnel Source... NATL2TP Now enter Action: NAT Service: all_services Source Interface: l2tp_tunnel Source...
  • D-Link DFL-260 | Product Manual - Page 431
    9.5.4. PPTP/L2TP Clients Chapter 9. VPN Pass L2TP traffic sent to the NetDefend Firewall directly to the L2TP Server without consulting the rule set. Default: Enabled PPTP Before Rules Pass PPTP traffic sent to the NetDefend Firewall directly to the PPTP Server without consulting the rule set. ...
  • D-Link DFL-260 | Product Manual - Page 432
    9.5.4. PPTP/L2TP Clients Chapter 9. VPN specified gateway. Authentication Username - Specifies the username to use for this PPTP/L2TP interface. Password - Specifies the password for the interface. Authentication - Specifies which authentication protocol to use. MPPE - Specifies if Microsoft ...
  • D-Link DFL-260 | Product Manual - Page 433
    9.5.4. PPTP/L2TP Clients Chapter 9. VPN Figure 9.3. PPTP Client Usage
  • D-Link DFL-260 | Product Manual - Page 434
    9.6. CA Server Access Chapter 9. VPN 9.6. CA Server Access Overview Where certificates are used, the two sides of a VPN tunnel exchange their certificates during the tunnel setup negotiation and either may then try to validate the received certificate by accessing a CA server. A certificate ...
  • D-Link DFL-260 | Product Manual - Page 435
    9.6. CA Server Access Chapter 9. VPN 3. The CA server is a commercial server on the public Internet. In this, the simplest case, public DNS servers will resolve the FQDN. The only requirement is that NetDefendOS will need to have at least one public DNS server address configured to resolve the ...
  • D-Link DFL-260 | Product Manual - Page 436
    ... must be configured in NetDefendOS so that these requests can be resolved. Turning Off FQDN Resolution As explained in the troubleshooting section below, identifying problems with CA server access can be done by turning off the requirement to ...
  • D-Link DFL-260 | Product Manual - Page 437
    ... Chapter 9. VPN 9.7. VPN Troubleshooting This section deals with how to troubleshoot the common problems that are found with VPN. ... In all types of VPNs some basic troubleshooting checks can be made Check that all IP ... core Dest Network all-nets Service ICMP • Ensure that another IPsec Tunnel ...
  • D-Link DFL-260 | Product Manual - Page 438
    9.7.3. IPsec Troubleshooting Commands Chapter 9. VPN If certificates have been used in a VPN ... see if CA server access could be the problem. CA Server issues are discussed further in Section 9.6, "CA Server Access". • 9.7.3. IPsec Troubleshooting Commands A number of commands can be used to...
  • D-Link DFL-260 | Product Manual - Page 439
    ... example -num=10, is recommended. The ikesnoop console command A common problem with setting up IPsec is a list of proposed algorithms that is ... For a more detailed discussion of this topic, see Section 9.4.5, "Troubleshooting with ikesnoop". 9.7.4. Management Interface Failure with VPN If any ...
  • D-Link DFL-260 | Product Manual - Page 440
    ...matching proposal that both sides could agree on. Troubleshooting this error message can be involved since ...IPsec phase). 2. Incorrect pre-shared key A problem with the pre-shared key on either side.... This is perhaps the easiest of all the error messages to troubleshoot since it can be only one thing...
  • D-Link DFL-260 | Product Manual - Page 441
    ... that use certificates for authentication. Troubleshooting this error message can be very difficult as the possible cause of the problem can be quite ... logs can provide important clues as to what the problem could be. A good suggestion before you start to troubleshoot certificate based tunnels is to ...
  • D-Link DFL-260 | Product Manual - Page 442
    ... or remote network and/or the lifetime settings on the proposal list(s). To troubleshoot this you need to examine the settings for the local network, remote ... With that information you should be able to spot the network problem. It can be that it's a network size mismatch or that it doesn't match at ...
  • D-Link DFL-260 | Product Manual - Page 443
    9.7.6. Specific Symptoms Chapter 9. VPN
  • D-Link DFL-260 | Product Manual - Page 444
    ...TCP/IP A weakness of TCP/IP is the lack of true Quality of Service (QoS) functionality. QoS is the ability to guarantee and limit network ...to provide network devices with QoS information. NetDefendOS Diffserv Support NetDefendOS supports the Diffserv architecture the following ways: • NetDefendOS ...
  • D-Link DFL-260 | Product Manual - Page 445
    ... the throughput of prioritized traffic. Note: Traffic shaping will not work with the SIP ALG Any traffic connections that trigger an IP rule with a service object that uses the SIP ALG cannot be also subject to traffic shaping. 10.1.2. Traffic Shaping in NetDefendOS NetDefendOS offers extensive ...
  • D-Link DFL-260 | Product Manual - Page 446
    ... flow through which pipes. Each pipe rule is defined like other NetDefendOS security policies: by specifying the source/destination interface/network as well as the service to which the rule is to apply. Once a new connection is permitted by the IP rule set, the pipe rule set is then checked for ...
  • D-Link DFL-260 | Product Manual - Page 447
    ... does not require much planning. The example that follows applies a bandwidth limit to inbound traffic only. This is the direction most likely to cause problems for Internet connections. Example 10.1. Applying a Simple Bandwidth Limit Begin with creating a simple pipe that limits all traffic that ...
  • D-Link DFL-260 | Product Manual - Page 448
    ... SourceInterface=lan SourceNetwork=lannet DestinationInterface=wan DestinationNetwork=all-nets Service=all_services name=Outbound Web Interface 1. 2. 3. Go...Specify a suitable name for the pipe, for instance outbound Now enter 4. 5. Service: all_services Source Interface: lan Source Network: lannet ...
  • D-Link DFL-260 | Product Manual - Page 449
    ...in each direction. Raising the total pipe limit to 4 Mbps will not solve the problem since the single pipe will not know that 2 Mbps of inbound ... traffic? Assume that the total bandwidth limit is 250 kbps and 125 kbps of that is to be allocated to web surfing inbound traffic. The Incorrect Solution ...
  • D-Link DFL-260 | Product Manual - Page 450
    ... achieve the desired effect, which is allocating a maximum of 125 kbps to inbound surfing traffic as part of... pass through surf-in and be limited to a maximum of 125 kbps. Then, it will pass through the std-... kbps will occupy half of the std-in pipe leaving 125 kbps for the rest of the traffic. If no ...
  • D-Link DFL-260 | Product Manual - Page 451
    .... • Use the DSCP bits Take the precedence from the DSCP bits in the packet. DSCP is a subset of the Diffserv architecture where the Type of Service (ToS) bits are included in the IP packet header. Specifying Precedences Within Pipes When a pipe is configured, a Default Precedence, a Minimum ...
  • D-Link DFL-260 | Product Manual - Page 452
    10.1.6. Precedences Chapter 10. Traffic Management • • Default Precedence: 0 Maximum Precedence: 7 As described above, the Default Precedence is the precedence taken by a packet if it is not explicitly assigned by a pipe rule. The minimum and maximum precedences define the precedence range ...
  • D-Link DFL-260 | Product Manual - Page 453
    ... rule as are used for other traffic. The effect of doing this is that the SSH and Telnet rule sets the higher priority on packets related to these services and these packets are sent through the same pipe as other traffic. The pipe then makes sure that these higher priority packets are sent first ...
  • D-Link DFL-260 | Product Manual - Page 454
    ... has no meaning and will be ignored by NetDefendOS. Differentiated Guarantees A problem arises if the aim is to give a specific 32 kbps guarantee to...of traffic through each precedence. However, there are two obvious problems with this approach: • • Which traffic is more important? This question ...
  • D-Link DFL-260 | Product Manual - Page 455
    10.1.7. Pipe Groups Chapter 10. Traffic Management Set the priority assignment for both rules to Use defaults from first pipe; the default precedence of both the ssh-in and telnet-in pipes is 2. Using this approach rather than hard-coding precedence 2 in the rule set, you can easily change the ...
  • D-Link DFL-260 | Product Manual - Page 456
    10.1.7. Pipe Groups Chapter 10. Traffic Management Specifying Group Limits Once the method of grouping is selected, the next step is to specify the Group Limits. These limits can consist of one or both of the following: • Group Limit Total This value specifies a limit for each user ...
  • D-Link DFL-260 | Product Manual - Page 457
    10.1.7. Pipe Groups Chapter 10. Traffic Management Figure 10.6. Traffic Grouped By IP Address Another Simple Groups Example Consider another situation where the total bandwidth limit for a pipe is 400 bps. If the aim is to allocate this bandwidth amongst many destination IP addresses so that no ...
  • D-Link DFL-260 | Product Manual - Page 458
    ... guarantee for their SSH traffic. If desired, we could also limit the group total bandwidth for each user to some value, such as 40 kbps. There will be a problem if there are more than 5 users utilizing SSH simultaneously: 16 kbps times 5 is more than 64 kbps. The total limit for the pipe will still...
  • D-Link DFL-260 | Product Manual - Page 459
    ...know about, they cannot know when the Internet connection is full. The problems resulting from leaks are exactly the same as in the cases described above. ... of administrator control but sharing the same connection. Troubleshooting For a better understanding of what is happening in a live setup, the ...
  • D-Link DFL-260 | Product Manual - Page 460
    .... • • 10.1.10. More Pipe Examples This section looks at some more scenarios and how traffic shaping can be used to solve particular problems. A Basic Scenario The first scenario will examine the configuration shown in the image below, in which incoming and outgoing traffic is to be limited to...
  • D-Link DFL-260 | Product Manual - Page 461
    ... lan Source Network lannet Destination Interface wan Destination Network all-nets Selected Service all The rule will force all traffic to the default precedence level and the ... Interface lan Source Network lannet Dest Interface wan Dest Network all-nets Selected Service http_all Precedence 0
  • D-Link DFL-260 | Product Manual - Page 462
    ... order to identify particular types of traffic. The all service at the end, catches anything that falls through from...wan Dest Network all-nets Selected Service All Precedence 2 Note that in other ...link. The pipe chaining can be used as a solution to the problem of VPN overhead. A limit which allows ...
  • D-Link DFL-260 | Product Manual - Page 463
    ... lannet lannet all-nets lannet Selected Service Precedence H323 All H323 All All All 6 ... escape traffic shaping and ruin the planned quality of service. In addition, server traffic is initiated from the outside so the ... Dest Interface core Dest Network all-nets Selected Service All Precedence 0
  • D-Link DFL-260 | Product Manual - Page 464
    10.1.10. More Pipe Examples Chapter 10. Traffic Management Note: SAT and ARPed IP Addresses If the SAT is from an ARPed IP address, the wan interface needs to be the destination.
  • D-Link DFL-260 | Product Manual - Page 465
    ..."Intrusion Detection and Prevention"). Application Related Bandwidth Usage A typical problem that can be solved with IDP Traffic Shaping is dealing with ... by P2P transfers can often have a negative impact on the quality of service for other network users as bandwidth is quickly absorbed by such ...
  • D-Link DFL-260 | Product Manual - Page 466
    10.2.3. Processing Flow Chapter 10. Traffic Management information followed by a number of data transfer connections to other hosts. It is the initial connection that IDP detects and the Time Window specifies the expected period afterwards when other connections will be opened and subject to ...
  • D-Link DFL-260 | Product Manual - Page 467
    10.2.5. A P2P Scenario Chapter 10. Traffic Management Excluding Hosts To avoid these unintended consequences, we specify the IP addresses of client A and client B in the Network range but not host X. This tells NetDefendOS that host X is not relevant in making a decision about including new non-...
  • D-Link DFL-260 | Product Manual - Page 468
    ... command: gw-world:/> idppipes -unpipe -host=192.168.1.1 A full description of the idppipes command can be found in the separate CLI Reference Guide. Viewing Pipes IDP Traffic Shaping makes use of normal NetDefendOS pipe objects which are created automatically. These pipes are always allocated the ...
  • D-Link DFL-260 | Product Manual - Page 469
    .... When a timer for piping new connections expires, a log message is generated indicating that new connections to or from the host are no longer piped. There are also some other log messages which indicate less common conditions. All log messages are documented in the Log Reference Guide. 469
  • D-Link DFL-260 | Product Manual - Page 470
    ...: Threshold Rules are not available on all NetDefend models The Threshold Rules feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. Threshold Policies A Threshold Rule is like other policy based rules ...
  • D-Link DFL-260 | Product Manual - Page 471
    ... blacklist the source network associated with the rule. If the Threshold Rule is linked to a service then it is possible to block only that service. When Blacklisting is selected, the administrator can choose to leave pre-existing connections from the triggering source unaffected, or ...
  • D-Link DFL-260 | Product Manual - Page 472
    10.3.8. Threshold Rule Blacklisting Chapter 10. Traffic Management NetDefendOS. The length of time, in seconds, for which the source is blacklisted can also be set. This feature is discussed further in Section 6.7, "Blacklisting Hosts and Networks". 472
  • D-Link DFL-260 | Product Manual - Page 473
    ... server. Note: SLB is not available on all D-Link NetDefend models The SLB feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. The illustration below shows a typical SLB scenario, with Internet access to ...
  • D-Link DFL-260 | Product Manual - Page 474
    ... load sharing also provides an extra level of protection against Denial Of Service (DoS) attacks. • • SLB Deployment Considerations The following issues should...a load is shared across a set of servers. NetDefendOS SLB supports the following two algorithms for load distribution: Round-robin The...
  • D-Link DFL-260 | Product Manual - Page 475
    ... In this mode, a series of connections from a specific client will be handled by the same server. This is particularly important for TLS or SSL based services such as HTTPS, which require a repeated connection to the same host. This mode is similar to IP stickiness except that the stickiness can be ...
  • D-Link DFL-260 | Product Manual - Page 476
    10.4.4. SLB Algorithms and Stickiness Chapter 10. Traffic Management The consequence of a full table can be that stickiness will be lost for any discarded source IP addresses. The administrator should therefore try to ensure that the Max Slots parameter is set to a value that can accommodate the ...
  • D-Link DFL-260 | Product Manual - Page 477
    ... any failed servers. This works at OSI layer 4. SLB attempts to connect to a specified port on each server. For example, if a server is specified as running web services on port 80, the SLB will send a TCP SYN request to that port. If SLB does not receive a TCP SYN/ACK back, it will mark port 80 on ...
  • D-Link DFL-260 | Product Manual - Page 478
    10.4.6. Setting Up SLB_SAT Rules Chapter 10. Traffic Management 10.4.6. Setting Up SLB_SAT Rules The key component in setting up SLB are IP rules that have SLB_SAT as the action. The steps that should be followed for setting up such rules are: 1. 2. 3. 4. Define an IP address object for each ...
  • D-Link DFL-260 | Product Manual - Page 479
    ...> main > Add > IP Rule Enter 3. 4. 5. Name: Web_SLB Action: SLB_SAT Service: HTTP Source Interface: any Source Network: all-nets Destination Interface:... main > Add > IP Rule Enter 3. Name: Web_SLB_NAT Action: NAT Service: HTTP Source Interface: lan Source Network: lannet Destination Interface: core...
  • D-Link DFL-260 | Product Manual - Page 480
    10.4.6. Setting Up SLB_SAT Rules Chapter 10. Traffic Management 1. 2. Go to Rules > IP Rule Sets > main > Add > IP Rule Enter Name: Web_SLB_ALW Action: Allow Service: HTTP Source Interface: any Source Network: all-nets Destination Interface: core Destination Network: ip_ext 3. Click OK 480
  • D-Link DFL-260 | Product Manual - Page 481
    10.4.6. Setting Up SLB_SAT Rules Chapter 10. Traffic Management 481
  • D-Link DFL-260 | Product Manual - Page 482
    ... an active-passive implementation of fault tolerance. Note: High Availability is only available on some NetDefend models The HA feature is only available on the D-Link NetDefend DFL-1600, 1660, 2500, 2560 and 2560G. The Master and Active Units When reading this section on HA, it should be kept in ...
  • D-Link DFL-260 | Product Manual - Page 483
    11.1. Overview Chapter 11. High Availability interface and all other interfaces from one unit to the other. These packets allow the health of both units to be monitored. Heartbeat packets are sent in both directions so that the passive unit knows about the health of the active unit and the active...
  • D-Link DFL-260 | Product Manual - Page 484
    ... to cause the inactive system to go active, even though the other is still active. Disabling Heartbeat Sending on Interfaces The administrator can manually disable heartbeat sending on any interface if that is desired. This is not recommended since the fewer interfaces that send heartbeats, the ...
  • D-Link DFL-260 | Product Manual - Page 485
    11.2. HA Mechanisms Chapter 11. High Availability Failover Time The time for failover is typically about one second which means that clients may experience a failover as a slight burst of packet loss. In the case of TCP, the failover time is well within the range of normal retransmit timeouts so ...
  • D-Link DFL-260 | Product Manual - Page 486
    11.2. HA Mechanisms Chapter 11. High Availability Should such a failure occur then the consequence is that both units will continue to function but they will lose their synchronization with each other. In other words, the inactive unit will no longer have a correct copy of the state of the active...
  • D-Link DFL-260 | Product Manual - Page 487
    11.3. Setting Up HA Chapter 11. High Availability 11.3. Setting Up HA This section provides a step-by-step guide for setting up an HA Cluster. 11.3.1. HA Hardware Setup The steps for the setup of hardware in an HA cluster are as follows: 1. Start with two physically similar NetDefend Firewalls. ...
  • D-Link DFL-260 | Product Manual - Page 488
    11.3.2. NetDefendOS Manual HA Setup Chapter 11. High Availability The illustration below shows... via a switch or broadcast domain. 11.3.2. NetDefendOS Manual HA Setup To set up an HA cluster manually, the steps are as follows: 1. 2. 3. Connect to the master unit with the WebUI. Go to System > High ...
  • D-Link DFL-260 | Product Manual - Page 489
    11.3.3. Verifying the Cluster Functions Chapter 11. High Availability 4. 5. 6. 7. Set the Cluster ID. This must be unique for each cluster. Choose the Sync Interface. Select the node type to be Master. Go to Objects > Address Book and create an IP4 HA Address object for each interface pair. Each...
  • D-Link DFL-260 | Product Manual - Page 490
    ...same MAC address as the lan1 interface on the slave unit. Problem Diagnosis An HA cluster will function if this setting is disabled but can cause problems with a limited number of switch types where the switch uses a shared ARP table. Such problems can be hard to diagnose which is why it...
  • D-Link DFL-260 | Product Manual - Page 491
    ...IPs in dynamically NATed connections or publishing services on them, will inevitably cause problems since unique IPs will disappear when the firewall they belong to does.... the hardware address of the shared IPs and will cause problems for all units attached to the local LAN, as ...
  • D-Link DFL-260 | Product Manual - Page 492
    11.4. HA Issues Chapter 11. High Availability If OSPF is to work then there must be another designated router available in the same OSPF area as the cluster. Ideally, there will also be a second, backup designated router to provide OSPF metrics if the main designated router should fail. PPPoE ...
  • D-Link DFL-260 | Product Manual - Page 493
    11.5. Upgrading an HA Cluster Chapter 11. High Availability 11.5. Upgrading an HA Cluster The NetDefendOS software versions running on the master and slave in an HA cluster should be the same. When a new NetDefendOS version becomes available and is to be installed on both units, the upgrade is ...
  • D-Link DFL-260 | Product Manual - Page 494
    11.5. Upgrading an HA Cluster Chapter 11. High Availability console and issue the ha -deactivate command. This will cause the active unit to become inactive, and the inactive to become active. gw-world:/> ha -deactivate HA Was: ACTIVE HA going INACTIVE...To check that the failover has completed ...
  • D-Link DFL-260 | Product Manual - Page 495
    11.6. HA Advanced Settings Chapter 11. High Availability 11.6. HA Advanced Settings The following NetDefendOS advanced settings are available for High Availability: Sync Buffer Size How much sync data, in Kbytes, to buffer while waiting for acknowledgments from the cluster peer. Default: 1024 ...
  • D-Link DFL-260 | Product Manual - Page 496
    11.6. HA Advanced Settings Chapter 11. High Availability 496
  • D-Link DFL-260 | Product Manual - Page 497
    ... Blocked hosts and networks remain blocked until the system administrator manually unblocks them using the Web or Command Line interface. Note... is not available on all NetDefend models The ZoneDefense feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. ...
  • D-Link DFL-260 | Product Manual - Page 498
    ... information regarding every switch that is to be controlled by the firewall has to be manually specified in the firewall configuration. The information needed in order ... community string (write access) The ZoneDefense feature currently supports the following switches DES-3226S (Version R4.02-B26 ...
  • D-Link DFL-260 | Product Manual - Page 499
    ... parameters Source interface and source network Destination interface and destination network Service Type of threshold: Host and/or network based Traffic that matches the above ... specified and function, please see Section 10.3, "Threshold Rules". 12.3.3. Manual Blocking and Exclude Lists 499
  • D-Link DFL-260 | Product Manual - Page 500
    ... Exclude Lists Chapter 12. ZoneDefense As a complement to threshold rules, it is also possible to manually define hosts and networks that are to be statically blocked or excluded. Manually blocked hosts and networks can be blocked by default or based on a schedule. It is ...
  • D-Link DFL-260 | Product Manual - Page 501
    ...: 1. 2. Go to Traffic Management > Threshold Rules > Add > Threshold Rule For the Threshold Rule enter: • • 3. Name: HTTP-Threshold Service: http For Address Filter enter Source Interface: The firewall's management interface Destination Interface: any Source Network: 192.168.2.0/24 (or the ...
  • D-Link DFL-260 | Product Manual - Page 502
    ...while some models may require a minute or more. A second difference is the maximum number of rules supported by different switches. Some switches support a maximum of 50 rules while others support up to 800 (usually, in order to block a host or network, one rule...
  • D-Link DFL-260 | Product Manual - Page 503
    12.3.5. Limitations Chapter 12. ZoneDefense 503
  • D-Link DFL-260 | Product Manual - Page 504
    Chapter 13. Advanced Settings This chapter describes the additional configurable advanced settings for NetDefendOS that are not already described in the manual. In the Web Interface these settings are found under System > Advanced Settings. The settings are divided up into the following categories:...
  • D-Link DFL-260 | Product Manual - Page 505
    13.1. IP Level Settings Chapter 13. Advanced Settings Block 0000 Src Block 0.0.0.0 as source address. Default: Drop Block 0 Net Block 0.* as source addresses. Default: DropLog Block 127 Net Block 127.* as source addresses. Default: DropLog Block Multicast Src Block multicast both source ...
  • D-Link DFL-260 | Product Manual - Page 506
    ...NetDefendOS never obeys the source routes specified by these options, regardless of this setting. Default: DropLog IP Options Timestamps Time stamp options instruct each router and firewall on the packet's route to indicate at what time the packet was forwarded along the route. These options do not...
  • D-Link DFL-260 | Product Manual - Page 507
    13.1. IP Level Settings Chapter 13. Advanced Settings IP Reserved Flag Indicates what NetDefendOS will do if there is data in the "reserved" fields of IP headers. In normal circumstances, these fields should read 0. Used by OS Fingerprinting. Default: DropLog Strip DontFragment Strip the Don't ...
  • D-Link DFL-260 | Product Manual - Page 508
    ...falls below the stipulated TCPMSSMin value. Values that are too low could cause problems in poorly written TCP stacks. Default: DropLog TCP MSS Max ... exceeds the stipulated TCPMSSMax value. Values that are too high could cause problems in poorly written TCP stacks or give rise to large quantities of...
  • D-Link DFL-260 | Product Manual - Page 509
    ..., TSOPT is used to prevent the sequence numbers (a 32-bit figure) from "exceeding" their upper limit without the recipient being aware of it. This is not normally a problem. Using TSOPT, some TCP stacks optimize their connection by measuring the time it takes for a packet to travel to and from its ...
  • D-Link DFL-260 | Product Manual - Page 510
    13.2. TCP Level Settings Chapter 13. Advanced Settings initially intended to be used in negotiating for the use of better checksums in TCP. However, these are not understood by any of today's standard systems. As NetDefendOS cannot understand checksum algorithms other than the standard algorithm, ...
  • D-Link DFL-260 | Product Manual - Page 511
    ...standard called Explicit Congestion Notification also makes use of these TCP flags, but as long as there are only a few operating systems supporting this standard, the flags should be stripped. Default: StripLog TCP Reserved Field Specifies how NetDefendOS will deal with information present in the ...
  • D-Link DFL-260 | Product Manual - Page 512
    13.2. TCP Level Settings Chapter 13. Advanced Settings TCP sequence number validation is only possible on connections tracked by the state-engine (not on packets forwarded using a FwdFast rule). Possible values are: Ignore - Do not validate. Means that sequence number validation is completely ...
  • D-Link DFL-260 | Product Manual - Page 513
    13.3. ICMP Level Settings Chapter 13. Advanced Settings 13.3. ICMP Level Settings ICMP Sends Per Sec Limit Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this...
  • D-Link DFL-260 | Product Manual - Page 514
    13.4. State Settings Chapter 13. Advanced Settings 13.4. State Settings Connection Replace Allows new additions to the NetDefendOS connection list to replace the oldest connections if there is no available space. Default: ReplaceLog Log Open Fails In some instances where the Rules section ...
  • D-Link DFL-260 | Product Manual - Page 515
    ... whose destination is the NetDefend Firewall itself, for example NetDefendOS management traffic, is not subject to this setting. The log message includes port, service, source/destination IP address and interface. This setting should only be enabled for diagnostic and testing purposes since it ...
  • D-Link DFL-260 | Product Manual - Page 516
    13.5. Connection Timeout Settings Chapter 13. Advanced Settings 13.5. Connection Timeout Settings The settings in this section specify how long a connection can remain idle, that is to say with no data being sent through it, before it is automatically closed. Please note that each connection has ...
  • D-Link DFL-260 | Product Manual - Page 517
    13.5. Connection Timeout Settings Chapter 13. Advanced Settings Other Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before it is closed. Default: 130 517
  • D-Link DFL-260 | Product Manual - Page 518
    13.6. Length Limit Settings Chapter 13. Advanced Settings 13.6. Length Limit Settings This section contains information about the size limits imposed on the protocols directly under IP level, such as TCP, UDP and ICMP. The values specified here concern the IP data contained in packets. In the ...
  • D-Link DFL-260 | Product Manual - Page 519
    13.6. Length Limit Settings Chapter 13. Advanced Settings Specifies in bytes the maximum size of an AH packet. AH, Authentication Header, is used by IPsec where only authentication is applied. This value should be set at the size of the largest packet allowed to pass through the VPN connections, ...
  • D-Link DFL-260 | Product Manual - Page 520
    13.7. Fragmentation Settings Chapter 13. Advanced Settings 13.7. Fragmentation Settings IP is able to transport up to 65536 bytes of data. However, most media, such as Ethernet, cannot carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate packets, each ...
  • D-Link DFL-260 | Product Manual - Page 521
    13.7. Fragmentation Settings Chapter 13. Advanced Settings Default: Check8 - compare 8 random locations, a total of 32 bytes Failed Fragment Reassembly Reassemblies may fail due to one of the following causes: • Some of the fragments did not arrive within the time stipulated by the ...
  • D-Link DFL-260 | Product Manual - Page 522
    ... the arrival of too many fragments that are too small may cause problems for IP stacks, it is usually not possible to set this limit too ... fragments and an equal number of 40 byte fragments. Because of the potential problems this can cause, the default settings in NetDefendOS have been designed to allow ...
  • D-Link DFL-260 | Product Manual - Page 523
    13.7. Fragmentation Settings Chapter 13. Advanced Settings Reassembly Illegal Limit Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving. Default: 60 523
  • D-Link DFL-260 | Product Manual - Page 524
    13.8. Local Fragment Reassembly Settings Chapter 13. Advanced Settings 13.8. Local Fragment Reassembly Settings Max Concurrent Maximum number of concurrent local reassemblies. Default: 256 Max Size Maximum size of a locally reassembled packet. Default: 10000 Large Buffers Number of large (over...
  • D-Link DFL-260 | Product Manual - Page 525
    13.9. Miscellaneous Settings Chapter 13. Advanced Settings 13.9. Miscellaneous Settings UDP Source Port 0 How to treat UDP packets with source port 0. Default: DropLog Port 0 How to treat TCP/UDP packets with destination port 0 and TCP packets with source port 0. Default: DropLog Watchdog Time ...
  • D-Link DFL-260 | Product Manual - Page 526
    13.9. Miscellaneous Settings Chapter 13. Advanced Settings 526
  • D-Link DFL-260 | Product Manual - Page 527
    ... Subscribing to Updates Overview The NetDefendOS Anti-Virus (AV) module, the Intrusion Detection and Prevention (...step-by-step "Registration manual" which explains registration and update service procedures in more ...Console Commands IDP and Anti-Virus (AV) databases can be controlled directly through ...
  • D-Link DFL-260 | Product Manual - Page 528
    ... the command: gw-world:/> updatecenter -status IDP To get the status of AV updates: gw-world:/> updatecenter -status Antivirus Querying Server Status To...gw-world:/> updatecenter -servers Deleting Local Databases Some technical problem in the operation of either IDP or the Anti-Virus modules may be ...
  • D-Link DFL-260 | Product Manual - Page 529
    ...IDP Signature Groups For IDP scanning, the following signature groups are available for selection. These groups are available only for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Policy. For further information see Section 6.5, "Intrusion...
  • D-Link DFL-260 | Product Manual - Page 530
    Appendix B. IDP Signature Groups Group Name FTP_FORMATSTRING FTP_GENERAL FTP_LOGIN FTP_OVERFLOW GAME_BOMBERCLONE GAME_GENERAL GAME_UNREAL HTTP_APACHE HTTP_BADBLUE HTTP_CGI HTTP_CISCO HTTP_GENERAL HTTP_MICROSOFTIIS HTTP_OVERFLOWS HTTP_TOMCAT ICMP_GENERAL IGMP_GENERAL IMAP_GENERAL IM_AOL IM_GENERAL ...
  • D-Link DFL-260 | Product Manual - Page 531
    ... TELNET_OVERFLOW TFTP_DIR_NAME TFTP_GENERAL Intrusion Type Denial of Service for POP Post Office Protocol v3 Password ... Internet Security Systems software McAfee Symantec AV solution SMB Error SMB Exploit SMB ... SMB worms SMTP command attack Denial of Service for SMTP SMTP protocol and implementation ...
  • D-Link DFL-260 | Product Manual - Page 532
    ... CVS Subversion Virus VoIP protocol and implementation SIP protocol and implementation Coldfusion file inclusion File inclusion Web application attacks JSP file inclusion Popular web application packages PHP XML RPC SQL Injection Cross-Site-Scripting MS WINS Service Worms Generic X applications 532
  • D-Link DFL-260 | Product Manual - Page 533
    Appendix C. Verified MIME filetypes Some NetDefendOS Application Layer Gateways (ALGs) have the optional ability to verify that the contents of a downloaded file matches the type that the filetype in the filename indicates. The filetypes for which MIME verification can be done are listed in this ...
  • D-Link DFL-260 | Product Manual - Page 534
    Appendix C. Verified MIME filetypes Filetype extension cpl dbm dcx deb djvu dll dpa dvi eet egg elc emd esp exe fgf flac flc fli flv gdbm gif gzip, gz, tgz hap hpk hqx icc icm ico imf inf it java jar jng jpg, jpeg, jpe, jff, jfif, jif jrc jsw kdelnk lha lim lisp lzh md mdb mid, midi mmf mng mod mp3...
  • D-Link DFL-260 | Product Manual - Page 535
    Appendix C. Verified MIME filetypes Filetype extension mpv Microsoft files msa niff, nif noa nsf obj, o ocx ogg out pac pbf pbm pdf pe pfb pgm pkg pll pma png ppm ps psa psd qt, mov, moov qxd ra, ram rar rbs riff, rif rm rpm rtf, wri sar sbi sc sgi sid sit sky snd, au so sof sqw sqz stm svg svr4 ...
  • D-Link DFL-260 | Product Manual - Page 536
    Appendix C. Verified MIME filetypes Filetype extension tfm tiff, tif tnef torrent ttf txw ufa vcf viv wav wk wmv wrl, vrml xcf xm xml xmcd xpm yc zif zip zoo zpk z Application TeX font metric data Tagged Image Format file Transport Neutral Encapsulation Format BitTorrent Metainfo file TrueType ...
  • D-Link DFL-260 | Product Manual - Page 537
    ... relevant to understanding the operation of many NetDefendOS features such as ARP, Services and ALGs. Layer number Layer 7 Layer 6 Layer 5...perform the following functions: Layer 7 - Application Layer Defines the user interface that supports applications directly. Protocols: HTTP, FTP, TFTP, DNS, SMTP...
  • D-Link DFL-260 | Product Manual - Page 538
    Alphabetical Index A access rules, 237 accounting, 60 interim messages, 62 limitations with NAT, 63 messages, 60 system shutdowns, 63 address book, 77 ethernet addresses in, 79 folders, 81 IP addresses in, 77 address groups, 80 excluding addresses, 80 address translation, 334 admin account, 29 ...
  • D-Link DFL-260 | Product Manual - Page 539
    ... 383, 409 validity, 128 with IPsec, 386 VPN troubleshooting, 437 chains (in traffic shaping), 445 CLI, ... groups, 122 and folders, 125 and the CLI, 122 editing properties of, 123 configurations, 49 checking ..., 505 demilitarized zone (see DMZ) denial of service, 326 destination RLB algorithm, 165 DHCP, ...
  • D-Link DFL-260 | Product Manual - Page 540
    ... filtering, 258 documentation, 18 DoS attack (see denial of service) downloading files with SCP, 45 DPD Expire Time (IPsec... 186 OSPF action, 187 routing action, 187 DynDNS service, 139 hybrid mode, 245 server IP setup for... I ICMP Sends Per Sec Limit setting, 513 ICMP Unreachable message, 59, 120 540
  • D-Link DFL-260 | Product Manual - Page 541
    ... setting, 422 IKE Send Initial Contact setting, 422 ikesnoop VPN troubleshooting, 414, 439 Illegal Fragments setting, 520 Initial Silence (HA)...LAN setup, 382 overview, 391 quick start guide, 381 roaming clients setup, 384 troubleshooting, 437 tunnel establishment, 406 tunnels, 406 IPsec Before Rules ...
  • D-Link DFL-260 | Product Manual - Page 542
    ...Radius Contexts setting, 64 Max Reassembly Time Limit setting, 522 max sessions services parameter, 85 Max Size (reassembly) setting, 524 Max SKIP Length ...) PPP authentication with LDAP, 364 PPPoE, 101 client configuration, 101 unnumbered support, 102 with HA, 102 PPTP, 425 advanced settings, 430 542
  • D-Link DFL-260 | Product Manual - Page 543
    Alphabetical Index ALG, 264 client, 431 problem with NAT, 432 quick start guide, 389 server, 425 ...-shared keys, 382, 402 non-ascii character problem, 402 Primary Time Server setting, 137 ..., 85 pass ICMP errors, 85 specifying all services, 85 specifying port number, 84 SYN flood...
  • D-Link DFL-260 | Product Manual - Page 544
    Alphabetical Index SNMP Request Limit setting, 68, 69 source based routing, 160 spam filtering, 257 caching, 261 logging, 260 tagging, 259 spam WCF category, 306 spanning tree relaying, 217 spillover RLB algorithm, 165 spoofing, 238 SSH, 38 SSH Before Rules setting, 48 SSH client keys, 358 SSL ...
  • D-Link DFL-260 | Product Manual - Page 545
    Alphabetical Index with SIP, 265 VoIP (see voice over IP) VPN, 377 planning, 378 quick start guide, 381 troubleshooting, 437 W Watchdog Time setting, 525 WCF (see web content filtering) webauth, 369 web content filtering, 295 fail mode, 297 ...


