D-Link DFL-260E User Manual for DFL-260E

D-Link DFL-260E Manual

D-Link DFL-260E manual content summary:

  • D-Link DFL-260E | User Manual for DFL-260E - Page 1
    Network Security Firewall User Manual NetDefendOS Ver. 2.40.00 SecurSiteycurity Network Security Solution http://www.dlink.com
  • D-Link DFL-260E | User Manual for DFL-260E - Page 2
    User Manual DFL-260E/860E/1660/2560/2560G NetDefendOS Version 2.40.00 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2011-09-06 Copyright © 2011
  • D-Link DFL-260E | User Manual for DFL-260E - Page 3
    User Manual DFL-260E/860E/1660/2560/2560G NetDefendOS Version 2.40.00 Published 2011-09-06 Copyright © 2011 Copyright Notice This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manual D-LINK
  • D-Link DFL-260E | User Manual for DFL-260E - Page 4
    2.4.1. The Link Monitor 71 2.4.2. SNMP Monitoring 73 2.4.3. Hardware Monitoring 76 2.4.4. Memory Monitoring Settings 78 2.5. The pcapdump Command 80 2.6. Maintenance 83 2.6.1. Auto-Update Mechanism 83 2.6.2. Backing Up Configurations 83 2.6.3. Restore to Factory Defaults 85 3. Fundamentals
  • D-Link DFL-260E | User Manual for DFL-260E - Page 5
    User Manual 3.2. IPv6 Support 93 3.3. Services 98 3.3.1. Overview 98 3.3.2. Creating Custom Services 99 3.3.3. ICMP Services 102 3.3.4. Custom IP Protocol Services 104 3.3.5. Service Groups 104 3.3.6. Custom Service Timeouts 105 3.4. Interfaces 106 3.4.1. Overview 106 3.4.2. Ethernet
  • D-Link DFL-260E | User Manual for DFL-260E - Page 6
    BPDU Support 243 4.7.5. Advanced Settings for Transparent Mode 244 5. DHCP Services 249 5.1. Overview 249 5.2. DHCP Servers 250 5.2.1. Static DHCP Hosts 253 5.2.2. Custom Options 255 5.3. DHCP Relaying 256 5.3.1. DHCP Relay Advanced Settings 257 5.4. IP Pools 259 6. Security Mechanisms
  • D-Link DFL-260E | User Manual for DFL-260E - Page 7
    9.4.4. Fetching CRLs from an alternate LDAP server 445 9.4.5. Troubleshooting with ikesnoop 446 9.4.6. IPsec Advanced Settings 453 9.5. PPTP/L2TP 457 9.5.1. PPTP Servers 457 9.5.2. L2TP Servers 458 9.5.3. L2TP/PPTP Server advanced settings 463 9.5.4. PPTP/L2TP Clients 463 9.6. SSL VPN 466 7
  • D-Link DFL-260E | User Manual for DFL-260E - Page 8
    User Manual 9.6.1. Overview 466 9.6.2. Configuring SSL VPN in NetDefendOS 467 9.6.3. Installing the SSL VPN Client 469 9.6.4. Setup Example 472 9.7. CA Server Access 474 9.8. VPN Troubleshooting 477 9.8.1. General Troubleshooting 477 9.8.2. Troubleshooting Certificates 478 9.8.3. IPsec
  • D-Link DFL-260E | User Manual for DFL-260E - Page 9
    User Manual 13. Advanced Settings 546 13.1. IP Level Settings 546 13.2. TCP Level Settings 550 13.3. ICMP Level 13.8. Local Fragment Reassembly Settings 566 13.9. Miscellaneous Settings 567 A. Subscribing to Updates 570 B. IDP Signature Groups 572 C. Verified MIME filetypes 576 D. The OSI
  • D-Link DFL-260E | User Manual for DFL-260E - Page 10
    Local IP Address with an Unbound Network 168 Virtual Links Connecting Areas 202 4.11. Virtual Links with Partitioned Backbone 203 4.12. NetDefendOS OSPF Objects 204 4.13. Dynamic Routing Rule Objects 211 4.14. Multicast Forwarding Scenario 244 5.1. DHCP Server Objects 253 6.1. Deploying
  • D-Link DFL-260E | User Manual for DFL-260E - Page 11
    User Manual 10.6. Traffic Grouped By IP Address 498 10.7. A Basic Traffic Shaping Scenario 502 10.8. IDP Traffic Shaping P2P Scenario 508 10.9. A Server Load Balancing Configuration 514 10.10. Connections from Three Clients 517 10.11. Stickiness and Round-Robin 518 10.12. Stickiness and
  • D-Link DFL-260E | User Manual for DFL-260E - Page 12
    61 2.12. Sending SNMP Traps to an SNMP Trap Receiver 63 2.13. RADIUS Accounting Server Setup 70 2.14. Enabling SNMP Monitoring 74 2.15. Performing a Complete System Backup 85 2.16. Complete Hardware Reset to Factory Defaults 85 3.1. Adding an IP Host Address 89 3.2. Adding an IP Network 89
  • D-Link DFL-260E | User Manual for DFL-260E - Page 13
    User Manual 4.10. Add an OSPF Area 217 4.11. Add OSPF Interface Objects 217 4.12. Import Routes from an OSPF AS into the Main Routing Table 218 4.13. Exporting the Default Route into an OSPF AS 218 4.14. Forwarding of Multicast Traffic using the SAT Multiplex Rule 222 4.15. Multicast Forwarding
  • D-Link DFL-260E | User Manual for DFL-260E - Page 14
    User Manual 10.3. Setting up SLB 519 12.1. A simple ZoneDefense scenario 542 14
  • D-Link DFL-260E | User Manual for DFL-260E - Page 15
    audience for this reference guide is Administrators who are responsible for configuring and managing NetDefend Firewalls which are running the NetDefendOS operating system. This guide assumes that the reader has some basic knowledge of networks and network security. Text Structure and Conventions
  • D-Link DFL-260E | User Manual for DFL-260E - Page 16
    care is not exercised. Important This is an essential point that the reader should read and understand. Warning This is essential reading for the user as they should be aware that a serious situation may result if certain actions are taken or not taken. Trademarks Certain names in this publication
  • D-Link DFL-260E | User Manual for DFL-260E - Page 17
    network/interface, protocol, ports, user credentials, time-of-day and more. Section 3.6, "IP Rules", describes how to set up these policies to determine what traffic is allowed or rejected by NetDefendOS. Address Translation For functionality as well as security reasons, NetDefendOS supports
  • D-Link DFL-260E | User Manual for DFL-260E - Page 18
    supports a range of Virtual Private Network (VPN) solutions. Support exists for IPsec, L2TP and PPTP as well as SSL VPN with security policies definable for individual VPN connections. This topic is covered in Chapter 9, VPN. NetDefendOS supports TLS termination so that the NetDefend Firewall
  • D-Link DFL-260E | User Manual for DFL-260E - Page 19
contain hosts that are the source of undesirable network traffic. Note NetDefendOS ZoneDefense is only available on certain D-Link NetDefend product models. IPv6 addresses are supported on interfaces and within rulesets. This feature is not enabled by default and must be explicitly enabled on an
  • D-Link DFL-260E | User Manual for DFL-260E - Page 20
    Interfaces are the doorways through which network traffic enters or leaves the NetDefend Firewall. Without interfaces, a NetDefendOS system representing host and network addresses. Another example of logical objects are services which represent specific protocol and port combinations. Also important
  • D-Link DFL-260E | User Manual for DFL-260E - Page 21
    the Ethernet frame contains a VLAN ID (Virtual LAN identifier), the system checks for a configured VLAN interface with a corresponding VLAN ID. routing tables. In other words, by default, an interface will only accept source IP addresses that belong to networks routed over that interface. A reverse
  • D-Link DFL-260E | User Manual for DFL-260E - Page 22
    network • IP protocol (for example TCP, UDP, ICMP) • TCP/UDP ports service object which matched the IP protocol and ports and server load to do with the incoming packet: • If encapsulated (such as with IPsec, PPTP/L2TP or some forwarded out on the destination interface according to the state. 22
  • D-Link DFL-260E | User Manual for DFL-260E - Page 23
    1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview If the destination interface is a tunnel interface or a physical sub-interface, additional processing such as encryption or encapsulation might occur. The next section provides a set of diagrams illustrating the flow of packets through
  • D-Link DFL-260E | User Manual for DFL-260E - Page 24
    . There are three diagrams, each flowing into the next. It is not necessary to understand these diagrams, however, they can be useful as a reference when configuring NetDefendOS in certain situations. Figure 1.1. Packet Flow Schematic Part I The packet flow is continued on the following page. 24
  • D-Link DFL-260E | User Manual for DFL-260E - Page 25
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Figure 1.2. Packet Flow Schematic Part II The packet flow is continued on the following page. 25
  • D-Link DFL-260E | User Manual for DFL-260E - Page 26
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Figure 1.3. Packet Flow Schematic Part III 26
  • D-Link DFL-260E | User Manual for DFL-260E - Page 27
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Apply Rules The figure below presents the detailed logic of the Apply Rules function in Figure 1.2, "Packet Flow Schematic Part II" above. Figure 1.4. Expanded Apply Rules Logic 27
  • D-Link DFL-260E | User Manual for DFL-260E - Page 28
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 28
  • D-Link DFL-260E | User Manual for DFL-260E - Page 29
    on how NetDefendOS configuration is performed server, allowing web pages to be used as the management interface. This feature is fully described in Section 2.1.3, "The Web Interface". The CLI The Command Line Interface (CLI), accessible locally via serial console port or remotely using the Secure
  • D-Link DFL-260E | User Manual for DFL-260E - Page 30
    "Secure Copy". Before NetDefendOS starts running, a console connected directly to the NetDefend Firewall's RS232 port can be used to do basic configuration through the boot menu. This menu can be entered by pressing any console key between power-up and NetDefendOS starting. It is the D-Link firmware
  • D-Link DFL-260E | User Manual for DFL-260E - Page 31
    800, 860, 1600 and 2500, the default management interface IP address is 192.168.1.1. • On the NetDefend DFL-260E, 860E, 1660, 2560 and 2560G, the default management interface IP address is 192.168.10.1. Setting the Management Workstation IP The default management Ethernet interface of the firewall
  • D-Link DFL-260E | User Manual for DFL-260E - Page 32
    on for the first time, the default username is always admin and the password is admin . After successful login, the WebUI user interface will be presented in the browser window. If no configuration changes have yet been uploaded to the NetDefend Firewall, the NetDefendOS Setup Wizard will start
  • D-Link DFL-260E | User Manual for DFL-260E - Page 33
    the default user name and password, see Section 2.1.2, "The Default Administrator Account" . Note: Remote management access Access to the Web Interface is regulated by the configured remote management policy. By default, the system will only allow web access from the internal network. Interface
  • D-Link DFL-260E | User Manual for DFL-260E - Page 34
    of the configuration to a local computer or restore a previously downloaded backup. iv. Reset - Restart the firewall or reset to factory default. v. Upgrade - Upgrade the firewall's firmware. vi. Technical support - This option provides the ability to download a file from the firewall which can
  • D-Link DFL-260E | User Manual for DFL-260E - Page 35
    By default, the Web Interface is accessible only from the internal network. If it is required to have access from other parts of the network, this 4. Select the following from the dropdown lists: • User Database: AdminUsers • Interface: any • Network: all-nets 5. Click OK Caution: Don't expose
  • D-Link DFL-260E | User Manual for DFL-260E - Page 36
    problem with the management interface when communicating alongside VPN tunnels, check the main routing table and look for an all-nets route to the VPN Link CLI Reference Guide. The most often used CLI commands are: • add - Adds an object such as an IP address or a rule to a NetDefendOS configuration
  • D-Link DFL-260E | User Manual for DFL-260E - Page 37
    keys allow the user to move IP rule set, the command line might begin: add IPRule If the tab key is now pressed, the mandatory parameters are displayed by NetDefendOS: A value is required for the following properties: Action DestinationNetwork SourceInterface DestinationInterface Service
  • D-Link DFL-260E | User Manual for DFL-260E - Page 38
    examining and understanding the configuration easier. Specifying the Default Value The period "." character before . A default value is not always available. For example, the Action of an IP rule has no default. Another is displayed. Using categories means that the user has a simple way to specify what kind
  • D-Link DFL-260E | User Manual for DFL-260E - Page 39
    add Route Name=new_route1 Interface=lan Network=lannet To deselect the category, the if three servers server1, server2, IP rule set have an ordering which is important. When adding using the CLI add command, the default assigned to it. The CLI Reference Guide lists the parameter options available for
  • D-Link DFL-260E | User Manual for DFL-260E - Page 40
    needs to be done, at least one public DNS server must be configured in NetDefendOS for hostnames to be translated to IP addresses. Serial Console CLI Access The serial console port is a local RS-232 port on the NetDefend Firewall that allows direct access to the NetDefendOS CLI through a serial
  • D-Link DFL-260E | User Manual for DFL-260E - Page 41
    been set then it will be displayed directly after the logon. For security reasons, it is advisable to either disable or anonymize the CLI welcome message. Changing the admin User Password It is recommended to change the default password of the admin account from admin to something else as soon as
  • D-Link DFL-260E | User Manual for DFL-260E - Page 42
    user accounts. The console password is described in Section 2.1.7, "The Console Boot Menu". Changing the CLI Prompt The default CLI prompt is: gw-world:/> where Device is the model number of the NetDefend Firewall any changes are made to the current configuration through the CLI, those changes will
  • D-Link DFL-260E | User Manual for DFL-260E - Page 43
    configuration about to be activated and list any problems. A possible problem that might be found in this way is a reference to an IP object in the address book that does not exist in a restored configuration interface IP: gw-world:/> set Address IP4Address if2_ip Address=10.8.1.34 The network IP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 44
    commands, one per line. The D-Link recommended convention is for these files to use the file extension .sgs (Security Gateway Script). The filename, including the extension, should not be more than 16 characters. 2. Upload the file to the NetDefend Firewall using Secure Copy (SCP). Script files must
  • D-Link DFL-260E | User Manual for DFL-260E - Page 45
    detail in Section 2.1.6, "Secure Copy". 3. Use the Guide and specific examples of usage are detailed in the following sections. See also Section 2.1.4, "The CLI" in this manual previously uploaded to the NetDefend Firewall. For example, to is to be executed with IP address 126.12.11.01 replacing all
  • D-Link DFL-260E | User Manual for DFL-260E - Page 46
    12.11.01 Comments="If1 address" Script Validation and Command Ordering CLI scripts are not, by default, validated. This means that the written ordering of the script does not matter. There can be a reference to a configuration file is uploaded to the NetDefend Firewall, it is initially kept only
  • D-Link DFL-260E | User Manual for DFL-260E - Page 47
    configured that need to be copied, then running the script -create command on that installation provides a way to automatically create the required script file. This script file can then be downloaded to the local management workstation and then uploaded to and executed on other NetDefend Firewalls
  • D-Link DFL-260E | User Manual for DFL-260E - Page 48
    as a comment. For example: # The following line defines the If1 IP address add IP4Address If1_ip Address=10.6.60.10 Scripts Running Other Scripts It of this script nesting is 5. 2.1.6. Secure Copy To upload and download files to or from the NetDefend Firewall, the secure copy (SCP) protocol can be
  • D-Link DFL-260E | User Manual for DFL-260E - Page 49
    2.1.6. Secure Copy Chapter 2. Management and Maintenance Download is done with the command: > scp The source or destination NetDefend Firewall is of the form: @:. For example: [email protected]:config.bak. The
  • D-Link DFL-260E | User Manual for DFL-260E - Page 50
    If we have the same CLI script file called my_scripts.sgs stored on the NetDefend Firewall then the download command would be: > scp [email protected]:script/my_script.sgs ./ Activating Uploads Like all configuration changes, SCP uploads only become active after the CLI commands activate have been
  • D-Link DFL-260E | User Manual for DFL-260E - Page 51
    startup of the NetDefendOS software on the NetDefend Firewall. 2. Reset unit to factory defaults This option will restore the hardware to its initial factory state. The operations performed if this option is selected are the following: • Remove console security so there is no console password
  • D-Link DFL-260E | User Manual for DFL-260E - Page 52
    : Enabled WebUI Before Rules Enable HTTP(S) traffic to the firewall regardless of configured IP Rules. Default: Enabled Local Console Timeout Number of seconds of inactivity until the local console user is automatically logged out. Default: 900 Validation Timeout Specifies the amount of seconds to
  • D-Link DFL-260E | User Manual for DFL-260E - Page 53
    supported. Default: HTTPS 2.1.9. Working with Configurations Configuration Objects The system configuration is built up by Configuration Objects, where each object represents a configurable item of any kind. Examples of configuration objects are routing table entries, address book entries, service
  • D-Link DFL-260E | User Manual for DFL-260E - Page 54
    of the object properties. This example shows how to display the contents of a configuration object representing the telnet service. Command-Line Interface gw-world:/> show Service ServiceTCPUDP telnet Property Name: DestinationPorts: Type: SourcePorts: SYNRelay: PassICMPReturn: ALG: MaxSessions
  • D-Link DFL-260E | User Manual for DFL-260E - Page 55
Interface 1. Go to: Objects > Services 2. Click on the telnet hyperlink in the list 3. In the Comments textbox, enter a suitable comment 4. Click OK Verify that the new comment has been updated in the list. Important: Configuration changes must be activated Changes to a configuration object will not be
  • D-Link DFL-260E | User Manual for DFL-260E - Page 56
    4. In the Name text box, enter myhost 5. Enter 192.168.10.10 in the IP Address textbox 6. Click OK 7. Verify that the new IP4 address object has been added to the list Example 2.7. Deleting a Configuration Object This example shows how to delete the newly added IP4Address object. Command-Line
  • D-Link DFL-260E | User Manual for DFL-260E - Page 57
    any changes that affect the configurations of live IPsec tunnels are committed, then those live tunnels connections will be terminated and must be re-established. If the new configuration is validated, NetDefendOS will wait for a short period (30 seconds by default) during which a connection to the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 58
    NetDefendOS as confirmation that remote management is still working. The new configuration is then automatically committed. Note: Changes must be committed The configuration must be committed before changes are saved. All changes to a configuration can be ignored simply by not committing a changed
  • D-Link DFL-260E | User Manual for DFL-260E - Page 59
    status and health, but also allows auditing of network usage and assists in trouble-shooting. Log Message Generation NetDefendOS defines a large on an external log server. A list of all event messages can be found in the NetDefendOS Log Reference Guide. That guide also describes the design of
  • D-Link DFL-260E | User Manual for DFL-260E - Page 60
    Chapter 2. Management and Maintenance • Debug By default, NetDefendOS sends all messages of level Info and above to any configured log servers but the level for sending can be changed by the administrator. The Debug severity is intended for system troubleshooting only and should only be used if
  • D-Link DFL-260E | User Manual for DFL-260E - Page 61
    servers usually log to text files, line by line. Message Format Most Syslog recipients preface each log entry with a timestamp and the IP address of the machine that sent the log data: Feb 5 2000 09:45:23 firewall information as the Severity field for D-Link Logger messages. However, the ordering of
  • D-Link DFL-260E | User Manual for DFL-260E - Page 62
    Chapter 2. Management and Maintenance Note: Syslog server configuration The syslog server may have to be configured to receive log messages from NetDefendOS. Please see the documentation for specific Syslog servers in order to correctly configure it. 2.2.6. Severity Filter and Message Exceptions
  • D-Link DFL-260E | User Manual for DFL-260E - Page 63
    a network. The file DFLNNN-TRAP.MIB (where NNN indicates the model number of the firewall) is provided by D-Link and defines the SNMP objects and data types that are used to describe an SNMP Trap received from NetDefendOS. Note There is a different MIB file for each model of NetDefend Firewall. Make
  • D-Link DFL-260E | User Manual for DFL-260E - Page 64
    make a case by case judgement about the message load that log servers can deal with. This can often depend on the server hardware platform being used and if the resources of the platform are being shared with other tasks. Default: 2000 Alarm Repeat Interval The delay in seconds between alarms when
  • D-Link DFL-260E | User Manual for DFL-260E - Page 65
    server architecture. The NetDefend Firewall acts as the client of the RADIUS server, creating and sending requests to a dedicated server(s). In RADIUS terminology the firewall acts as the Network Access Server (NAS). For user authentication, the RADIUS server statistics is user configurable. The
  • D-Link DFL-260E | User Manual for DFL-260E - Page 66
    - The IP address of the NetDefend Firewall. • NAS Port - The port of the NAS on which the user was authenticated (this is a physical interface and not a TCP or UDP port). • User IP Address - The IP address of the authenticated user. This is sent only if specified on the authentication server. • How
  • D-Link DFL-260E | User Manual for DFL-260E - Page 67
    was sent from the NetDefend Firewall. In addition, two configurable. 2.3.3. Interim Accounting Messages In addition to START and STOP messages NetDefendOS can optionally periodically send Interim Accounting Messages to update the accounting server with the current status of an authenticated user
  • D-Link DFL-260E | User Manual for DFL-260E - Page 68
    the RADIUS server. Messages are sent using the UDP protocol and the default port number used is 1813 although this is user configurable. 2.3.6. RADIUS Accounting and High Availability In an HA cluster, accounting information is synchronized between the active and passive NetDefend Firewalls. This
  • D-Link DFL-260E | User Manual for DFL-260E - Page 69
    though the user has been previously authenticated. Default: Enabled Logout at shutdown If there is an orderly shutdown of the NetDefend Firewall by the administrator, then NetDefendOS will delay the shutdown until it has sent RADIUS accounting STOP messages to any configured RADIUS server. If this
  • D-Link DFL-260E | User Manual for DFL-260E - Page 70
    authentication. Default: 1024 Example 2.13. RADIUS Accounting Server Setup This example shows configuring of a local RADIUS server known as radius-accounting with IP address 123.04.03.01 using port 1813. Web Interface 1. Go to: User Authentication > Accounting Servers > Add > Radius Server 2. Now
  • D-Link DFL-260E | User Manual for DFL-260E - Page 71
    problem with its link to the NetDefend Firewall and the physical link needs to be renegotiated. Such problems can occur sometimes with some older equipment such as ADSL Modems. For this scenario action 1. Reconfigure should be selected. A reconfigure means that the NetDefendOS configuration
  • D-Link DFL-260E | User Manual for DFL-260E - Page 72
    the Link Monitor. For example, if a particular router connected to the master NetDefend Firewall was being "pinged" by Link configuration will therefore be treated as a two-host group until the third host becomes reachable. This also means that if a link problem triggers an action and the problem
  • D-Link DFL-260E | User Manual for DFL-260E - Page 73
    link negotiation. The default network device which supports the SNMP protocol to query and control it. NetDefendOS supports SNMP version 1 and version 2. Connection can be made by any SNMP compliant clients to devices running NetDefendOS. However, only query operations are permitted for security
  • D-Link DFL-260E | User Manual for DFL-260E - Page 74
    by default disabled and the recommendation is to always enable this setting. The effect of enabling this setting is to add an invisible Allow rule at the top of the IP rule set which automatically permits accesses on port 161 from the network and on the interface specified for SNMP access. Port 161
  • D-Link DFL-260E | User Manual for DFL-260E - Page 75
Management section in the Web Interface. They can also be set through the CLI. SNMP Before Rules Enable SNMP traffic to the firewall regardless of configured IP Rules. Default: Enabled SNMP Request Limit Maximum number of SNMP requests that will be processed each second by NetDefendOS. Should
  • D-Link DFL-260E | User Manual for DFL-260E - Page 76
    firewall. This feature is referred to as Hardware Monitoring. Note: Hardware monitoring is not available on all NetDefend models The hardware monitoring feature is only available on the D-Link NetDefend DFL-1660, 2560 and 2560G. Configuring : 100 Maximum value: 10000 Default: 500 Using the hwm CLI
  • D-Link DFL-260E | User Manual for DFL-260E - Page 77
    . When the value returned after polling falls outside this range, NetDefendOS optionally generates a log message that is sent to the configured log servers. Note: Different hardware has different sensors and ranges Each hardware model may have a different set of sensors and a different operating
  • D-Link DFL-260E | User Manual for DFL-260E - Page 78
    . If True, a message is sent each time Memory Poll Interval is triggered. If False, a message is sent when a value goes from one level to another. Default: False Alert Level Generate an Alert log message if free memory is below this number of bytes. Disable by setting to 0. Maximum value is 10
  • D-Link DFL-260E | User Manual for DFL-260E - Page 79
    and Maintenance Generate a Critical log message if free memory is below this number of bytes. Disable by setting to 0. Maximum value is 10,000. Default: 0 Warning Level Generate a Warning log message if free memory is below this number of bytes. Disable by setting to 0. Maximum value 10,000
  • D-Link DFL-260E | User Manual for DFL-260E - Page 80
    described in the CLI Reference Guide. A Simple Example An downloaded to the management workstation for analysis. 5. A final cleanup is performed and all memory taken is released. gw-world:/> pcapdump -cleanup Re-using Capture Files Since the only way to delete files from the NetDefend Firewall
  • D-Link DFL-260E | User Manual for DFL-260E - Page 81
    can be specified and can be one of -tcp, -udp or -icmp. Downloading the Output File As shown in one of the examples above, the -write option of pcapdump can save buffered packet information to a file on the NetDefend Firewall. These output files are placed into the NetDefendOS root directory and the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 82
    refine the packets that are of interest. For example we might want to examine the packets going to a particular destination port at a particular destination IP address. Compatibility with Wireshark The open source tool Wireshark (formerly called Ethereal) is an extremely useful analysis tool for
  • D-Link DFL-260E | User Manual for DFL-260E - Page 83
    the Auto-Update feature D-Link maintains a global infrastructure of servers providing update services for NetDefend Firewalls. To ensure to recreate a configuration by manually adding its contents, piece by piece. • A System Backup This a complete backup of both the configuration and the installed
  • D-Link DFL-260E | User Manual for DFL-260E - Page 84
    be indicated by messages from NetDefendOS when the uploaded configuration is activated. Such problems can result in a NetDefendOS restart. For this reason backup, configuration and system, can be performed either by downloading the file directly from the NetDefend Firewall using SCP (Secure Copy)
  • D-Link DFL-260E | User Manual for DFL-260E - Page 85
    that existed when the NetDefend Firewall was shipped by D-Link. When a restore is applied all data such as the IDP and Anti-Virus databases are lost and must be reloaded. Example 2.16. Complete Hardware Reset to Factory Defaults Command-Line Interface gw-world:/> reset -unit Web Interface 1. Go
  • D-Link DFL-260E | User Manual for DFL-260E - Page 86
    startup with its default factory settings. The IPv4 address 192.168.1.1 will be assigned to the LAN interface on the DFL-210, 260, 800 and 860 models. The IPv4 address 192.168.10.1 is assigned to the LAN interface on the DFL-260E and DFL-860E models. Reset Procedure for the NetDefend DFL-1600, 1660
  • D-Link DFL-260E | User Manual for DFL-260E - Page 87
    2.6.3. Restore to Factory Defaults Chapter 2. Management and Maintenance 87
  • D-Link DFL-260E | User Manual for DFL-260E - Page 88
    addresses and IP rules. Some exist by default and some must be defined by the administrator. In addition, the chapter explains the different interface types and explains how security policies are constructed the administrator. • The Address Book, page 88 • IPv6 Support, page 93 • Services, page 98
  • D-Link DFL-260E | User Manual for DFL-260E - Page 89
3. Fundamentals Host IP Network IP Range A single host is represented simply by its IP address. For example, 192.168.0.14. An IP Network is represented using Classless Inter-Domain Routing (CIDR) form. CIDR uses a forward slash and a digit (0-32) to denote the size of the network as a postfix
  • D-Link DFL-260E | User Manual for DFL-260E - Page 90
    2. Specify a suitable name for the IP Range, for example wwwservers. 3. Enter 192.168.10.16-192.168.10.21 as the IP Address 4. Click OK Example 3.4. Deleting but NetDefendOS will not allow the configuration to be saved to the NetDefend Firewall. 3.1.3. Ethernet Addresses Ethernet Address objects
  • D-Link DFL-260E | User Manual for DFL-260E - Page 91
    Configuration Address objects can be grouped in order to simplify configuration. Consider a number of public servers that should be accessible from the Internet. The servers have IP creating groups with the CLI. For example, if a network object is the network 192.168.2.0/24 and this is added to a
  • D-Link DFL-260E | User Manual for DFL-260E - Page 92
    and these objects are used in various parts of the initial configuration. The following address objects are auto-generated: Interface Addresses The Default Gateway Address all-nets For each Ethernet interface in the system, two IP Address objects are predefined; one object for the IPv4 address of
  • D-Link DFL-260E | User Manual for DFL-260E - Page 93
    number of public IPv4 addresses. NetDefendOS Configuration Objects Supporting IPv6 The following parts of NetDefendOS provide IPv6 support: • The address book. • Routing tables. • Routing rules. • IP rules (excluding some actions). Adding an IPv6 Address IPv6 address objects are created in the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 94
    3.2. IPv6 Support Chapter 3. Fundamentals 4. Click OK Note: The prefix 2001:DB8::/32 is reserved for documentation As described in RFC3849, the IPv6 prefix 2001:DB8::/32 is specifically reserved for documentation purposes. All IPv6 examples in this manual therefore use this network or addresses
  • D-Link DFL-260E | User Manual for DFL-260E - Page 95
    =Yes IPv6IP=wan_ip6 IPv6Network=wan_net6 Web Interface 1. Go to: Interfaces > Ethernet > wan 2. Enable the option: Enable IPv6 3. Now enter: • IP Address: wan_ip6 • Network: wan_net6 4. Click OK An IPv6 gateway address could also be entered for the interface if it is connected to an ISP router. An
  • D-Link DFL-260E | User Manual for DFL-260E - Page 96
    with any NetDefendOS management interface is not possible using IPv6. • IP rules using IPv4 and IPv6 addresses can coexist in the same IP rule set but a single rule cannot combine IPv4 and IPv6. • IPv6 addresses are not currently supported in IP rules with the following actions: i. NAT ii. SAT iii
  • D-Link DFL-260E | User Manual for DFL-260E - Page 97
    will be lost when one unit takes over processing from the other and IPv6 connections will be lost. In an HA configuration where interfaces have IPv6 enabled and IPv6 addresses assigned, there is no private and shared IPv6 IP for each pair of interfaces. Each interface pair will have the same
  • D-Link DFL-260E | User Manual for DFL-260E - Page 98
    ICMP messages as well as a user-definable IP protocol. A Service is Passive Services are passive NetDefendOS objects in that they do not themselves carry out any action in the configuration. Instead, service objects must be associated with the security policies defined by various NetDefendOS rule
  • D-Link DFL-260E | User Manual for DFL-260E - Page 99
    is discussed further in Section 3.3.3, "ICMP Services". • IP Protocol Service - A service based on a user defined protocol. This is discussed further in Section 3.3.4, "Custom IP Protocol Services". • Service Group - A service group consisting of a number of services. This is discussed further in
  • D-Link DFL-260E | User Manual for DFL-260E - Page 100
    services. TCP and UDP Based Services Most applications use TCP and/or UDP as transport protocol for transferring data over IP networks and video, the User Datagram Protocol ports using only a single TCP/UDP service object. For example, all Microsoft Windows networking can be covered using a port
  • D-Link DFL-260E | User Manual for DFL-260E - Page 101
    option only exists for the TCP/IP service type. For more details on how this feature works see Section 6.6.8, "TCP SYN Flood Attacks". • Pass ICMP Errors If an attempt to open a TCP connection is made by a user application behind the NetDefend Firewall and the remote server is not in operation, an
  • D-Link DFL-260E | User Manual for DFL-260E - Page 102
    than are normally necessary and the administrator can often narrow the range of allowed protocols further. Example 3.12. Creating a Custom TCP/UDP Service This example shows how to add a TCP/UDP service, using destination port 3306, which is used by MySQL: Command-Line Interface gw-world:/> add
  • D-Link DFL-260E | User Manual for DFL-260E - Page 103
    Services Chapter 3. Fundamentals ICMP Types and Codes ICMP messages are delivered in IP can be specified in the same way that port numbers are specified. For example, if the Destination Unreachable Service and the network • Code 3: Redirect datagrams for the Type of Service and the host Parameter Problem
  • D-Link DFL-260E | User Manual for DFL-260E - Page 104
    ://www.iana.org/assignments/protocol-numbers Example 3.13. Adding an IP Protocol Service This example shows how to add an IP Protocol service, with the Virtual Router Redundancy Protocol. Command-Line Interface gw-world:/> add Service ServiceIPProto VRRP IPProto=112 Web Interface 1. Go to: Objects
  • D-Link DFL-260E | User Manual for DFL-260E - Page 105
    the complexity of a configuration and decrease the ability to troubleshoot problems. 3.3.6. Custom Service Timeouts Any service can have its custom considered to be closed and is removed from the NetDefendOS state table. The default setting for this time with TCP/UDP connections is 3 days. • Closing
  • D-Link DFL-260E | User Manual for DFL-260E - Page 106
    represents a physical Ethernet interface on a NetDefendOS-based product. All network traffic that originates from or enters a NetDefend Firewall will pass through one of the physical interfaces. NetDefendOS currently supports Ethernet as the only physical interface type. For more information about
  • D-Link DFL-260E | User Manual for DFL-260E - Page 107
    between the system and another tunnel end-point in the network, before it gets routed to its final destination. VPN tunnels are often used to implement virtual private networks (VPNs) which can secure communication between two firewalls. To accomplish tunneling, additional headers are added to the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 108
    ports" to a physical transport mechanism such as a coaxial cable. Using the CSMA/CD protocol, each Ethernet connected device "listens" to the network with the port associated with IP communication. Ethernet interfaces, their link speed and the and the NetDefendOS configuration uses a single
  • D-Link DFL-260E | User Manual for DFL-260E - Page 109
    and troubleshooting, it guide lan is used for LAN traffic and wan is used for WAN traffic. If the NetDefend Firewall does not have these interface names, please substitute the references with the actual names of the interfaces. • IP network over the actual interface. • Default Gateway A Default
  • D-Link DFL-260E | User Manual for DFL-260E - Page 110
    the IP address of the interface, the local network that the interface is attached to, and the default gateway. All addresses received from the DHCP server are assigned to corresponding IP4Address objects. In this way, dynamically assigned addresses can be used throughout the configuration in
  • D-Link DFL-260E | User Manual for DFL-260E - Page 111
    the hardware. Some ISP connections might require this. • Virtual Routing To implement virtual routing where the routes related to different interfaces are kept Of Service The option exists to copy the IP DSCP precedence to the VLAN priority field for any VLAN packets. This is disabled by default.
  • D-Link DFL-260E | User Manual for DFL-260E - Page 112
    those which are referred to in a NetDefendOS configuration. When using the Web Interface, only the logical the physical Ethernet card including the bus, slot and port number of the card as well as the Ethernet driver IP address of interface wan To show the current interface assigned to the network
  • D-Link DFL-260E | User Manual for DFL-260E - Page 113
    Network on interface wan To show the current interface assigned to the gateway wan_gw: gw-world:/> show Address IP4Address InterfaceAddresses/wan_gw Property Name: Address: UserAuthGroups: NoDefinedCredentials: Comments: Value wan_gw 0.0.0.0 No Default /lan_net Server Setting
  • D-Link DFL-260E | User Manual for DFL-260E - Page 114
    if configuring the interfaces when running NetDefendOS on non-D-Link port combination 0, 0, 2 on the wan interface, the set command would be: gw-world:/> set EthernetDevice lan EthernetDriver=IXP4NPEEthernetDriver PCIBus=0 PCISlot=0 PCIPort=2 This command is useful when a restored configuration
  • D-Link DFL-260E | User Manual for DFL-260E - Page 115
    and is filtered using the security policies described by the NetDefendOS rule sets. As explained in more detail below, VLAN configuration with NetDefendOS involves a combination of VLAN trunks from the NetDefend Firewall to switches and these switches are configured with port based VLANs on their
  • D-Link DFL-260E | User Manual for DFL-260E - Page 116
    as follows: • One or more VLANs are configured on a physical NetDefend Firewall interface and this is connected directly to a switch. This link acts as a VLAN trunk. The switch used must support port based VLANs. This means that each port on the switch can be configured with the ID of the VLAN or
  • D-Link DFL-260E | User Manual for DFL-260E - Page 117
    is not supported NetDefendOS does not support the IP rules and routes to exist in the NetDefendOS configuration for traffic to flow through them. For example, if no IP Default: DropLog Example 3.14. Defining a VLAN This simple example defines a virtual LAN called VLAN10 with a VLAN ID of 10. The IP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 118
    on a per-user basis. Internet service providers (ISPs) often require customers to connect through PPPoE to their broadband service. Using PPPoE the ISP can: • Implement security and access-control using username/password authentication • Trace IP addresses to a specific user • Allocate IP address
  • D-Link DFL-260E | User Manual for DFL-260E - Page 119
    to send traffic to through the PPPoE tunnel. The PPPoE client can be configured to use a service name to distinguish between different servers on the same Ethernet network. IP address information PPPoE uses automatic IP address allocation which is similar to DHCP. When NetDefendOS receives this
  • D-Link DFL-260E | User Manual for DFL-260E - Page 120
    provided by the service provider • Confirm Password: Retype the password • Under Authentication specify which authentication protocol to use (the default settings will be used if not specified) • Disable the option Enable dial-on-demand • Under Advanced, if Add route for remote network is enabled
  • D-Link DFL-260E | User Manual for DFL-260E - Page 121
    a particular protocol. • Tunneling IPv6 traffic across an IPv4 network. • Where a UDP data stream is to be multicast and it is necessary to transit through a network device which does not support multicasting. GRE allows tunneling through the network device. GRE Security and Performance A GRE tunnel
  • D-Link DFL-260E | User Manual for DFL-260E - Page 122
    defined so NetDefendOS knows what IP addresses should be accepted and sent through the tunnel. An Example GRE Scenario The diagram above shows a typical GRE scenario, where two NetDefend Firewalls A and B must communicate with each other through the intervening internal network 172.16.0.0/16. Any
  • D-Link DFL-260E | User Manual for DFL-260E - Page 123
    Net remote_net_B lannet Service all_services all_services Setup for NetDefend Firewall "B" Assuming that the network 192.168.11.0/24 is lannet on the lan interface, the steps for setting up NetDefendOS on B are as follows: 1. In the address book set up the following IP objects: • remote_net_A: 192
  • D-Link DFL-260E | User Manual for DFL-260E - Page 124
    lan Dest Net remote_net_A lannet Service all_services all_services Checking GRE Tunnel Status IPsec tunnels have a status of being either up or not up. With GRE tunnels in NetDefendOS this does not really apply. The GRE tunnel is up if it exists in the configuration. However, we can check on
  • D-Link DFL-260E | User Manual for DFL-260E - Page 125
    > Interface Groups > Add > InterfaceGroup 2. Enter the following information to define the group: • Name: The name of the group to be used later • Security/Transport Equivalent: If enabled, the interface group can be used as a destination interface in rules where connections might need to be moved
  • D-Link DFL-260E | User Manual for DFL-260E - Page 126
    ARP 3.5.1. Overview Address Resolution Protocol (ARP) allows the mapping of a network layer protocol (OSI layer 3) address to a data link layer hardware address (OSI layer 2). In data networks it is used to resolve an IP address into its corresponding Ethernet address. ARP operates at the OSI layer
  • D-Link DFL-260E | User Manual for DFL-260E - Page 127
    Cache If a host in a network is replaced with new hardware and retains the same IP address then it will probably have but sometimes it may be necessary to manually force the update. The easiest way to achieve this flushed. The Size of the ARP Cache By default, the ARP Cache is able to hold 4096 ARP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 128
    wireless modems, can have such problems. It may also be used to lock an IP address to a specific MAC address for increasing security or to avoid denial-of-service if there are rogue users in a network. However, such protection only applies to packets being sent to that IP address. It does not apply
  • D-Link DFL-260E | User Manual for DFL-260E - Page 129
    c5-a2-14 4. Click OK Chapter 3. Fundamentals ARP Publish NetDefendOS supports publishing IP addresses on a particular interface, optionally along with a specific MAC onwards to internal servers with private IPv4 addresses. • A less common purpose is to aid nearby network equipment responding to
  • D-Link DFL-260E | User Manual for DFL-260E - Page 130
    selected, the result will be the same. Publishing Entire Networks When using ARP entries, IP addresses can only be published one at a time. However redundancy devices, which make use of hardware layer multicast addresses. The default behavior of NetDefendOS is to drop and log such ARP requests and
  • D-Link DFL-260E | User Manual for DFL-260E - Page 131
    will by default drop and host should update its cause problems if, for example, a network adapter IP 0.0.0.0 NetDefendOS can be configured for handling ARP queries that have a sender IP of 0.0.0.0. Such sender IPs are never valid as responses, but network units that have not yet learned of their IP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 132
    IP of 0.0.0.0. Such sender IPs are never valid in responses, but network units that have not yet learned of their IP address sometimes ask ARP questions with an "unspecified" sender IP. Default: DropLog ARP Sender IP Determines if the IP this may cause problems if, for example, a network adapter is
  • D-Link DFL-260E | User Manual for DFL-260E - Page 133
    troubleshooting network related problems. However, disabling logging can prevent attempts to "spam" log receivers with failed resolve requests. Default: directly-connected LAN contains 500 IP addresses then the size of the ARP entry hash should be at least 1000 entries. Default: 512 ARP Hash Size
  • D-Link DFL-260E | User Manual for DFL-260E - Page 134
    3.5.5. ARP Advanced Settings Summary Chapter 3. Fundamentals Default: 64 ARP IP Collision Determines the behavior when receiving an ARP request with a sender IP address that collides with one already used on the receive interface. Possible actions: Drop or Notify. Default: Drop 134
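    The ARP behaviour described on pages 127-134 (cache updates when hardware is replaced, static entries that lock an IP to a MAC, ARP Publish, the DropLog default for a sender IP of 0.0.0.0, and the Drop/Notify choice for an ARP IP Collision) as an added Python example. This is not code from the manual or from NetDefendOS; the ArpHandler class, its method names, the log strings and the constructed requests are assumptions made for the example, while the defaults (DropLog, Drop, 4096 cache entries) follow the manual. Notify is treated here as log-and-drop.

```python
"""ARP request handling modelled on the NetDefendOS ARP settings.

Added example; not code from the D-Link manual or from NetDefendOS.  It
shows how a static (locked) ARP entry, ARP Publish, the "sender IP 0.0.0.0"
setting and the "ARP IP Collision" setting decide what a received request
does to the cache, what is answered and what is logged.  Defaults follow the
manual; field names, method names and log strings are the example's own.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    ip: str
    mac: str


@dataclass
class ArpRequest:
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpHandler:
    def __init__(self, unspecified_sender="DropLog", ip_collision="Drop",
                 max_entries=4096):
        self.unspecified_sender = unspecified_sender  # "DropLog" or "Drop"
        self.ip_collision = ip_collision              # "Drop" or "Notify"
        self.max_entries = max_entries                # manual default: 4096
        self.cache = OrderedDict()   # dynamically learned ip -> mac, oldest first
        self.static = {}             # administrator-locked ip -> mac
        self.published = {}          # ip -> mac (or None) answered on a host's behalf
        self.log = []

    def add_static(self, ip, mac):
        """Lock ip to mac: learned data never changes how we send to ip."""
        self.static[ip] = mac
        self.cache.pop(ip, None)

    def publish(self, ip, mac=None):
        """ARP Publish: answer requests for ip with mac, or with the interface MAC."""
        self.published[ip] = mac

    def resolve(self, ip):
        """MAC used when sending to ip; a static entry always wins over the cache."""
        return self.static.get(ip) or self.cache.get(ip)

    def _learn(self, iface, req):
        if req.sender_ip in self.static:
            if self.static[req.sender_ip] != req.sender_mac:
                self.log.append(f"arp_static_mismatch {iface.name} "
                                f"{req.sender_ip} {req.sender_mac}")
            return                                   # locked entries are never updated
        if req.sender_ip in self.cache:
            self.cache.move_to_end(req.sender_ip)    # refresh; picks up replaced hardware
        elif len(self.cache) >= self.max_entries:
            self.cache.popitem(last=False)           # cache full: evict the oldest entry
        self.cache[req.sender_ip] = req.sender_mac

    def handle(self, iface, req):
        """Process one request received on iface; return the MAC to answer with, or None."""
        if req.sender_ip == "0.0.0.0":
            # A host probing before it has an address: never a valid sender, never learned.
            if self.unspecified_sender == "DropLog":
                self.log.append(f"arp_unspecified_sender {iface.name} {req.sender_mac}")
            return None
        if req.sender_ip == iface.ip:
            # Another device claims the address already used on this interface.
            if self.ip_collision == "Notify":
                self.log.append(f"arp_ip_collision {iface.name} "
                                f"{req.sender_ip} {req.sender_mac}")
            return None
        self._learn(iface, req)
        if req.target_ip == iface.ip:
            return iface.mac
        if req.target_ip in self.published:
            return self.published[req.target_ip] or iface.mac
        return None
```

    The static entry only protects the firewall's own transmissions, as the manual notes: a spoofed request is logged and ignored for the locked address, but it says nothing about frames the attacker sends to other hosts on the segment.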
  • D-Link DFL-260E | User Manual for DFL-260E - Page 135
    packet would leave the NetDefend Firewall. This could also be a VPN tunnel. Destination Network The network to which the destination IP address of the packet belongs. This might be a NetDefendOS IP object which could define a single IP address or range of addresses. Service The protocol type to
  • D-Link DFL-260E | User Manual for DFL-260E - Page 136
    8, User Authentication. IP Rules and the Default main IP Rule Set IP rule sets are the most important of these security policy rule sets. They determine the critical packet filtering function of NetDefendOS, regulating what is allowed or not allowed to pass through the NetDefend Firewall, and
  • D-Link DFL-260E | User Manual for DFL-260E - Page 137
    set which specifies the security policy that allows the packets from the source interface and network bound for the destination network to leave the NetDefend Firewall on the interface decided by the route. If the IP rule used is an Allow rule then this is bi-directional by default. The ordering of
  • D-Link DFL-260E | User Manual for DFL-260E - Page 138
    that the routing tables are searched for a route that indicates the network should be found on that interface. This second route should logically 3.6.2. IP Rule Evaluation When a new connection, such as a TCP/IP connection, is being established through the NetDefend Firewall, the list of IP rules
  • D-Link DFL-260E | User Manual for DFL-260E - Page 139
    Incoming IP rules are: • Source Interface • Source Network • Destination Interface • Destination Network • Service When an IP NetDefend Firewall without setting up a state for it in the state table. This means that the stateful inspection process is bypassed and is therefore less secure
  • D-Link DFL-260E | User Manual for DFL-260E - Page 140
    This is a "polite" version of the Drop IP rule action. Reject is useful where applications that send network equipment, the TCP sequence number needs to remain the same as data traffic traverses the firewall traffic flow and will appear grayed out in the user interface. It can be re-enabled at any
  • D-Link DFL-260E | User Manual for DFL-260E - Page 141
    cc IPRuleSet main Now, create the IP rule: gw-world:/main> add IPRule Action=Allow Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=wan DestinationNetwork=all-nets Name=lan_http Return to the top level: gw-world:/main> cc Configuration changes must be saved by then issuing
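    The rule evaluation described on pages 137-141, as an added Python example that is not part of the manual or of NetDefendOS: it puts the address objects of pages 89-91 (host, CIDR network, IP range, group), the TCP/UDP, ICMP and IP protocol services of pages 100-104, and the five fields an IP rule is matched on (page 139) into one first-match evaluator with the implicit final drop, plus a small state table showing why an Allow rule is bidirectional. Object names such as lannet, all-nets, lan_http and the VRRP protocol number 112 follow the manual; the Packet fields, function names and the sample rule set are assumptions made for the example.

```python
"""First-match evaluation of a NetDefendOS-style IP rule set.

Added example, not code from the D-Link manual or from NetDefendOS.  It
models address objects, service objects, the five IP rule match fields and
the state table that makes an Allow rule bidirectional.  Object names follow
the manual; every function, field and sample value here is the example's own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable


def in_address(book, name, ip):
    """Membership test for an address object: host, CIDR network, 'lo-hi' range or group."""
    spec, addr = book[name], ip_address(ip)
    if isinstance(spec, list):                              # address group: any member
        return any(in_address(book, member, ip) for member in spec)
    if "-" in spec:                                         # IP range object
        lo, hi = (ip_address(part) for part in spec.split("-"))
        return lo <= addr <= hi
    return addr in ip_network(spec, strict=False)           # single host or network


@dataclass
class Packet:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto: int                 # 6 = TCP, 17 = UDP, 1 = ICMP, otherwise the IP protocol number
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def tcp_udp(low, high=None, protos=(6, 17)):
    """ServiceTCPUDP: destination port range on TCP and/or UDP."""
    high = low if high is None else high
    return lambda p: p.proto in protos and low <= p.dst_port <= high


def icmp(types, codes=None):
    """ServiceICMP: permitted ICMP types and, optionally, codes."""
    return lambda p: (p.proto == 1 and p.icmp_type in types
                      and (codes is None or p.icmp_code in codes))


def ip_proto(number):
    """ServiceIPProto: every packet of one IP protocol number, e.g. 112 for VRRP."""
    return lambda p: p.proto == number


@dataclass
class IPRule:
    name: str
    action: str                # Allow, NAT, SAT, Drop, Reject, FwdFast ...
    service: Callable[[Packet], bool]
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str


def first_match(rules, book, pkt):
    """(rule name, action) of the first rule whose five fields all match.
    No match at all means the packet is dropped, the NetDefendOS default."""
    for r in rules:
        if (r.src_if in (pkt.src_if, "any") and r.dst_if in (pkt.dst_if, "any")
                and in_address(book, r.src_net, pkt.src_ip)
                and in_address(book, r.dst_net, pkt.dst_ip)
                and r.service(pkt)):
            return r.name, r.action
    return None, "Drop"


class StateTable:
    """Connections opened by an Allow/NAT rule; replies match on state, not on rules."""

    def __init__(self):
        self.open = set()

    def admit(self, p):
        self.open.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto))

    def reply_allowed(self, p):
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto) in self.open


def example_config():
    """Constructed address book and rule set using the manual's object names."""
    book = {"lannet": "192.168.1.0/24",
            "wwwservers": "192.168.10.16-192.168.10.21",
            "all-nets": "0.0.0.0/0",
            "internal": ["lannet", "wwwservers"]}
    rules = [
        IPRule("lan_http", "Allow", tcp_udp(80, protos=(6,)), "lan", "lannet", "wan", "all-nets"),
        IPRule("lan_ping", "Allow", icmp({8}), "lan", "internal", "wan", "all-nets"),
        IPRule("vrrp", "Allow", ip_proto(112), "lan", "lannet", "lan", "all-nets"),
        IPRule("drop_all", "Drop", lambda p: True, "any", "all-nets", "any", "all-nets"),
    ]
    return book, rules


def decide(pkt, state=None):
    """Stateful decision for one packet against example_config()."""
    book, rules = example_config()
    state = StateTable() if state is None else state
    if state.reply_allowed(pkt):
        return "state", "Allow"
    name, action = first_match(rules, book, pkt)
    if action in ("Allow", "NAT"):
        state.admit(pkt)
    return name, action
```

    Feeding the same StateTable first the opening TCP segment from lannet to port 80 and then the server's reply shows the point made on page 137: the reply never consults the rule set, while the identical reply arriving with no prior state falls through to drop_all.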
  • D-Link DFL-260E | User Manual for DFL-260E - Page 142
    configuration objects under a specified title text so their relationships are more easily understood when they are displayed in a NetDefendOS graphical user As an example, consider the IP rule set main which contains just two rules to allow web surfing from an internal network and a third Drop-all
  • D-Link DFL-260E | User Manual for DFL-260E - Page 143
    3.6.6. Configuration Object Groups Chapter 3. Fundamentals • A group is now created with a title line and the IP rule as its only member. The default title of "(new Group)" is used. The entire group is also assigned a default color and the group member is also indented. The object inside the group
  • D-Link DFL-260E | User Manual for DFL-260E - Page 144
    3.6.6. Configuration Object Groups Chapter 3. Fundamentals Adding Additional Objects A new object again and select the Join Preceding option. Moving Group Objects Once an object, such as an IP rule, is within a group, the context of move operations becomes the group. For example, right clicking
  • D-Link DFL-260E | User Manual for DFL-260E - Page 145
    3.6.6. Configuration Object Groups Chapter 3. Fundamentals If an object in a group is right clicked then the context menu contains the option Leave Group. Selecting this removes the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 146
    types of security policies to accomplish schedule. This is used in user interface display and as a IP Rules, but is valid for most types of policies, including Traffic Shaping rules, Intrusion Detection and Prevention (IDP) rules and Virtual such as certificate usage in VPN tunnels. Preferably, time
  • D-Link DFL-260E | User Manual for DFL-260E - Page 147
    main Now, create the IP rule: gw-world:/main> add IPRule Action=NAT Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=any DestinationNetwork=all-nets Schedule=OfficeHours name=AllowHTTP Return to the top level: gw-world:/main> cc Configuration changes must be saved by
  • D-Link DFL-260E | User Manual for DFL-260E - Page 148
    of identity. It links an identity to a user ID of an intended recipient. Certificates with VPN Tunnels The main usage of certificates in NetDefendOS is with VPN tunnels. The simplest and fastest way to provide security between the ends of a tunnel is to use Pre-shared Keys (PSKs). As a VPN network
  • D-Link DFL-260E | User Manual for DFL-260E - Page 149
    Point (CDP) field, which specifies the location from where the CRL can be downloaded. In some cases, certificates do not contain this field. In those cases the location of the CRL has to be configured manually. A CA usually updates its CRL at a given interval. The length of this interval depends on
  • D-Link DFL-260E | User Manual for DFL-260E - Page 150
    CA is configured. Typically, allowed access through a specific VPN tunnel, provided the certificate must be resolved to an IP address using a public DNS server. At least one DNS server that can resolve this FQDN uploaded to NetDefendOS for use in IKE/IPsec authentication, Webauth, etc. There are
  • D-Link DFL-260E | User Manual for DFL-260E - Page 151
    instructions Example 3.23. Associating Certificates with IPsec Tunnels To associate an imported certificate with an IPsec tunnel. Web Interface 1. Go to: Interfaces > IPsec 2. Display the properties of the IPsec known, predefined format. Manually Creating Windows CA Server Requests The NetDefendOS
  • D-Link DFL-260E | User Manual for DFL-260E - Page 152
    pem -nodes In this command line example, the file exported from the CA server is assumed to be called gateway.pfx and it is assumed to be and gateway.key might be the names. 4. Start a text editor and open the downloaded .pem file and locate the line that begins: -----BEGIN RSA PRIVATE KEY----- 5.
  • D-Link DFL-260E | User Manual for DFL-260E - Page 153
    properly. Time scheduled policies, auto-update of the IDP and Anti-Virus in the network. Time Synchronization Protocols NetDefendOS supports the optional servers which are known as Time Servers. 3.9.2. Setting Date and Time Current Date and Time The administrator can set the date and time manually
  • D-Link DFL-260E | User Manual for DFL-260E - Page 154
    GMT. The NetDefendOS time zone setting reflects the time zone where the NetDefend Firewall is physically located. Example 3.25. Setting the Time Zone To to adjust for DST. Instead, this information has to be manually provided if daylight saving time is to be used. There are 3.9.3. Time Servers 154
  • D-Link DFL-260E | User Manual for DFL-260E - Page 155
    Time Servers. NetDefendOS supports the following time synchronization protocols: • SNTP Defined by RFC 2030, The Simple Network server is correctly configured in NetDefendOS so that Time Server URLs can be resolved (see Section 3.10, "DNS"). This is not needed if using IP addresses for the servers
  • D-Link DFL-260E | User Manual for DFL-260E - Page 156
    :52 (UTC+00:00) Local time: 2008-02-27 12:24:30 (UTC+00:00) (diff: 158) Local time successfully changed to server time. Maximum Time Adjustment To avoid situations where a faulty Time Server causes the clock to be updated with an extremely inaccurate time, a Maximum Adjustment value (in seconds) can
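    The Maximum Time Adjustment check described above, as an added Python example that is not code from the manual or from NetDefendOS. It parses a 48-byte SNTP reply (RFC 2030, the protocol listed on page 155), computes the difference between the local clock and the server's transmit timestamp, and refuses to step the clock when that difference exceeds the limit (600 seconds, the default given on page 159). The reply packet is constructed in the example rather than captured from a server, and the function names are the example's own.

```python
"""Applying an SNTP server time under a Maximum Adjustment limit.

Added example, not code from the D-Link manual or from NetDefendOS.  The
reply packet is built locally for the demonstration; the function names
and the constructed timestamps are the example's own.
"""
import struct
from datetime import datetime, timezone

NTP_UNIX_DELTA = 2_208_988_800        # seconds from 1900-01-01 to 1970-01-01
MAX_ADJUSTMENT_DEFAULT = 600          # seconds; the manual's default


def build_sntp_reply(transmit_unix, stratum=2):
    """Construct a minimal server reply (LI=0, VN=4, Mode=4) for the example."""
    whole = int(transmit_unix)
    secs = whole + NTP_UNIX_DELTA
    frac = int((transmit_unix - whole) * 2**32)    # 32-bit fraction of a second
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | 4               # leap indicator, version, mode
    pkt[1] = stratum
    struct.pack_into("!II", pkt, 40, secs, frac)   # transmit timestamp field
    return bytes(pkt)


def parse_sntp_reply(pkt):
    """Validate the reply and return its transmit timestamp as Unix seconds."""
    if len(pkt) < 48:
        raise ValueError("short SNTP packet")
    mode = pkt[0] & 0x07
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if pkt[1] == 0:
        raise ValueError("stratum 0: server time unspecified or unavailable")
    secs, frac = struct.unpack_from("!II", pkt, 40)
    if secs == 0 and frac == 0:
        raise ValueError("transmit timestamp not set")
    return secs - NTP_UNIX_DELTA + frac / 2**32


def format_utc(unix):
    """Render a Unix time the way the manual's log lines do, in UTC."""
    return datetime.fromtimestamp(unix, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def sync_clock(pkt, local_unix, max_adjustment=MAX_ADJUSTMENT_DEFAULT):
    """Return (new local time, diff in seconds, applied).

    A reply that differs from the local clock by more than max_adjustment
    is treated as coming from a faulty Time Server and is ignored."""
    server_unix = parse_sntp_reply(pkt)
    diff = server_unix - local_unix
    if abs(diff) > max_adjustment:
        return local_unix, diff, False
    return server_unix, diff, True


if __name__ == "__main__":
    local = 1204115070.0                 # 2008-02-27 12:24:30 UTC, as in the manual's log
    reply = build_sntp_reply(local + 158)
    new, diff, ok = sync_clock(reply, local)
    print(f"Server time: {format_utc(local + 158)} (UTC+00:00)")
    print(f"Local time:  {format_utc(local)} (UTC+00:00) (diff: {diff:.0f})")
    print("Local time successfully changed to server time." if ok
          else "Difference exceeds Maximum Adjustment; clock left unchanged.")
```

    With a 158 second difference the clock is stepped, as in the manual's log; a reply an hour off is rejected unless the administrator has raised the limit, which is the protection the setting exists for.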
  • D-Link DFL-260E | User Manual for DFL-260E - Page 157
    then possible to manually force a synchronization firewall clock. These servers communicate with NetDefendOS using the SNTP protocol. When the D-Link Server option is chosen, a predefined set of recommended default have an external DNS server configured so that the D-Link Time Server URLs can be
  • D-Link DFL-260E | User Manual for DFL-260E - Page 158
    SNTP (Simple Network Time Protocol). Default: SNTP Primary Time Server DNS hostname or IP Address of Timeserver 1. Default: None Secondary Time Server DNS hostname or IP Address of Timeserver 2. Default: None Tertiary Time Server DNS hostname or IP Address of Timeserver 3. Default: None Interval
  • D-Link DFL-260E | User Manual for DFL-260E - Page 159
    3.9.4. Settings Summary for Date and Time Maximum time drift in seconds that a server is allowed to adjust. Default: 600 Group interval Interval according to which server responses will be grouped. Default: 10 Chapter 3. Fundamentals 159
  • D-Link DFL-260E | User Manual for DFL-260E - Page 160
    hierarchy. FQDN resolution allows the actual physical IP address to change while the FQDN can stay server for CA signed certificates. • UTM features that require access to external servers such as anti-virus and IDP. Example 3.32. Configuring DNS Servers In this example, the DNS client is configured
  • D-Link DFL-260E | User Manual for DFL-260E - Page 161
    to explicitly inform DNS servers when the external IP address of the NetDefend Firewall has changed. This is sometimes referred to as Dynamic DNS and is useful where the NetDefend Firewall has an external address that can change. Dynamic DNS can also be useful in VPN scenarios where both ends
  • D-Link DFL-260E | User Manual for DFL-260E - Page 162
    3.10. DNS Chapter 3. Fundamentals Note: A high rate of server queries can cause problems Dynamic DNS services are often sensitive to repeated logon attempts over short periods of time and may blacklist source IP addresses that are sending excessive requests. It is therefore not advisable to query
  • D-Link DFL-260E | User Manual for DFL-260E - Page 163
    3.10. DNS Chapter 3. Fundamentals 163
  • D-Link DFL-260E | User Manual for DFL-260E - Page 164
    fundamental functions of NetDefendOS. Any IP packet flowing through a NetDefend Firewall will be subjected to at least one routing decision at some point in time, and properly setting up routing is crucial for the system to function as expected. NetDefendOS offers support for the following types of
  • D-Link DFL-260E | User Manual for DFL-260E - Page 165
    The interface to forward the packet on in order to reach the destination network. In other words, the interface to which the destination IP range is connected, either directly or through a router. The interface might be a physical interface of the firewall or it might be VPN tunnel (tunnels are
  • D-Link DFL-260E | User Manual for DFL-260E - Page 166
    . A special section below explains this parameter in more depth. Local IP Address and Gateway are mutually exclusive and either one or the other should NetDefend Firewall usage scenario. Figure 4.1. A Typical Routing Scenario In the above diagram, the LAN interface is connected to the network
  • D-Link DFL-260E | User Manual for DFL-260E - Page 167
    such as lan is connected to a single network and the interface and network are on the same network. We can say that the network is bound to a physical interface and clients on the connected network can automatically find the NetDefend Firewall through ARP queries. ARP works because the clients
  • D-Link DFL-260E | User Manual for DFL-260E - Page 168
    to communicate with the NetDefend Firewall because ARP won't function between the clients and the interface. To solve this problem, a new route is added to NetDefendOS with the following parameters: • Interface: The interface on which the second network is found. • Network: The IP address range of
  • D-Link DFL-260E | User Manual for DFL-260E - Page 169
    IP addresses of the network. From a security standpoint, doing this can present significant risks since different networks configure static routing. NetDefendOS supports multiple routing tables. A default and is one reason for the high forwarding performance of NetDefendOS. If an established
  • D-Link DFL-260E | User Manual for DFL-260E - Page 170
    255.255.255.255 192.168.0.10 192.168.0.10 1 Default Gateway: 192.168.0.1 Persistent Routes: None The corresponding routing table in NetDefendOS will be similar to the following:

        Flags  Network          Iface  Gateway  Local IP  Metric
               192.168.0.0/24   lan                       20
               10.0.0.0/8       wan                       1
               0.0.0.0/0        wan
  • D-Link DFL-260E | User Manual for DFL-260E - Page 171
    the destination IP address range 192.168.0.5 to 192.168.0.17 and another route for IP addresses 192. default main routing table. Command-Line Interface To see the configured routing table: gw-world:/> cc RoutingTable main gw-world:/main> show Route # Interface - --------1 wan 2 lan 3 wan Network
  • D-Link DFL-260E | User Manual for DFL-260E - Page 172
    Static Routes are Added Automatically for Each Interface When the NetDefend Firewall is started for the first time, NetDefendOS will automatically add a route in the main routing table for each physical interface. These routes are assigned a default IP address object in the address book and these
  • D-Link DFL-260E | User Manual for DFL-260E - Page 173
    described further in Section 3.2, "IPv6 Support". Routes to the Core Interface NetDefendOS

        Network           Iface  Gateway  Local IP     Metric
        127.0.0.1         core   (Shared IP)           0
        192.168.0.1       core   (Iface IP)            0
        213.124.165.181   core   (Iface IP)            0
        127.0.3.1         core   (Iface IP)            0
        127.0.4.1         core   (Iface IP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 174
    command. Please see the CLI Reference Guide. 4.2.3. Route Failover Overview NetDefend Firewalls are often deployed in mission-critical backup Internet connectivity using a secondary ISP. The connections to the two service providers often use different routes to avoid a single point of failure.
  • D-Link DFL-260E | User Manual for DFL-260E - Page 175
    . As any changes to the link status are instantly noticed, this in a NetDefendOS configuration and are treated differently Metric When specifying routes, the administrator should manually set a route's Metric. The metric instead. The table below defines two default routes, both having all-nets as
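    Route selection with metrics and route failover, as an added Python example that is not code from the manual or from NetDefendOS. It models a main routing table in which the most specific matching route wins and, among equally specific routes, the lowest metric wins, as on pages 170 and 175; routes with monitoring enabled carry an up/down flag, so when the monitored default route via wan goes down, lookups fall over to the backup default route via dsl and return when it recovers (pages 174-177). It also enforces the rule from page 166 that Local IP Address and Gateway are mutually exclusive. The interface names, addresses and metrics are constructed for the example.

```python
"""Route selection with metrics and route failover.

Added example, not code from the D-Link manual or from NetDefendOS.  The
table, interface names and addresses below are constructed; the class and
function names are the example's own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Route:
    network: str                   # destination, "0.0.0.0/0" being all-nets
    iface: str
    gateway: Optional[str] = None
    local_ip: Optional[str] = None
    metric: int = 100
    monitored: bool = False        # route monitoring enabled for this route
    up: bool = True

    def __post_init__(self):
        # The manual: Local IP Address and Gateway are mutually exclusive.
        if self.gateway and self.local_ip:
            raise ValueError(f"{self.network}: Local IP and Gateway are mutually exclusive")
        self.net = ip_network(self.network)


class RoutingTable:
    def __init__(self, routes):
        self.routes = list(routes)

    def set_link(self, iface, up):
        """Route monitoring outcome for iface: only monitored routes change state."""
        for r in self.routes:
            if r.iface == iface and r.monitored:
                r.up = up

    def lookup(self, dst):
        """Longest prefix first, then lowest metric; routes that are down are skipped."""
        addr = ip_address(dst)
        live = [r for r in self.routes if r.up and addr in r.net]
        if not live:
            return None
        return min(live, key=lambda r: (-r.net.prefixlen, r.metric))


def example_table():
    """Two ISP links: wan (primary, metric 10) and dsl (backup, metric 20)."""
    return RoutingTable([
        Route("192.168.0.0/24", "lan", metric=20),
        Route("10.0.0.0/8", "wan", metric=1),                  # network between firewall and ISP
        Route("0.0.0.0/0", "wan", gateway="10.0.0.1", metric=10, monitored=True),
        Route("172.16.0.0/24", "dsl", metric=1),
        Route("0.0.0.0/0", "dsl", gateway="172.16.0.1", metric=20, monitored=True),
    ])


def egress(table, dst):
    """(interface, gateway) a packet to dst leaves on, or None if it is unroutable."""
    r = table.lookup(dst)
    return (r.iface, r.gateway) if r else None
```

    Note that only routes with monitoring enabled react to set_link: the explicit network route for the ISP-side subnet stays in place, which is why the manual insists on specifying that external route rather than relying on the default route alone.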
  • D-Link DFL-260E | User Manual for DFL-260E - Page 176
    maintained. To illustrate the problem, consider the following configuration: Firstly, there is one IP rule that will NAT problems with this setup: if a route failover occurs, the default route will then use the dsl interface. When a new HTTP connection is then established from the intnet network
  • D-Link DFL-260E | User Manual for DFL-260E - Page 177
    is the period of time after startup or after reconfiguration of the NetDefend Firewall which NetDefendOS will wait before starting Route Monitoring. This waiting period allows time for all network links to initialize once the firewall comes online. Minimum Number of Hosts Available This is the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 178
    specified, any response from the server will be valid. • IP Address The IP address of the host when using the ICMP or TCP option. • Port Number The port number for polling when using the TCP option. • Interval The interval in milliseconds between polling attempts. The default setting is 10,000 and
  • D-Link DFL-260E | User Manual for DFL-260E - Page 179
    server is operational but the application is offline. A Known Issue When No External Route is Specified With connections to an Internet ISP, an external network route should always be specified. This external route specifies on which interface the network which exists between the NetDefend Firewall
  • D-Link DFL-260E | User Manual for DFL-260E - Page 180
    scenario, consider a network split into two sub-networks with a NetDefend Firewall between the two. Host A on one sub-network might send an ARP request to find out the MAC address for the IP address of host B on the other sub-network. With the proxy ARP feature configured, NetDefendOS responds to
  • D-Link DFL-260E | User Manual for DFL-260E - Page 181
    is used in a pairing like this. Keep in mind that if the host has an ARP request for an IP address outside of the local network then this will be sent to the gateway configured for that host. The entire example is illustrated below. Figure 4.4. A Proxy ARP Example Transparent Mode as an Alternative
  • D-Link DFL-260E | User Manual for DFL-260E - Page 182
    added routes. The reason why Proxy ARP cannot be enabled for these routes is because automatically created routes have a special status in the NetDefendOS configuration and are treated differently. If Proxy ARP is required on an automatically created route, the route should first be deleted and then
  • D-Link DFL-260E | User Manual for DFL-260E - Page 183
    routing forwards packets according to destination IP address services, policy-based routing can route traffic originating from different sets of users user identity or the group to which the user belongs. This is particularly useful in provider-independent metropolitan area networks where all users
  • D-Link DFL-260E | User Manual for DFL-260E - Page 184
    the configured routing Interface IP Routes is enabled, the default interface network my_network is to be defined for the lan interface. Command-Line Interface Change the context to the routing table: gw-world:/> cc RoutingTable MyPBRTable Add a route gw-world:/main> add Route Interface=lan Network
  • D-Link DFL-260E | User Manual for DFL-260E - Page 185
    address in ARP queries. If no address is specified, the firewall's interface IP address will be used. • Metric: Specifies the metric for IP rule. A rule can trigger on a type of service (HTTP for example) in combination with the specified Source/Destination Interface and Source/Destination Network
  • D-Link DFL-260E | User Manual for DFL-260E - Page 186
    properties. However both the source and destination network must be either IPv4 or IPv6. It is not permissible to combine IPv4 and IPv6 addresses in a single rule. For further discussion of this topic, see Section 3.2, "IPv6 Support". The Forward and Return Routing Table can be Different In
  • D-Link DFL-260E | User Manual for DFL-260E - Page 187
    interface/network as well as service. If virtual systems, the Only ordering option should be used. 5. The connection is then subject to the normal IP rule set, the new connection is opened in the NetDefendOS state table and the packet forwarded alternate table then the default route in the main
  • D-Link DFL-260E | User Manual for DFL-260E - Page 188
    between the ISP gateways and the NetDefend Firewall. In a provider-independent network, clients will likely have a single IP address, belonging to one of the ISPs. In a single-organization scenario, publicly accessible servers will be configured with two separate IP addresses: one from each ISP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 189
    4.3. Policy-based Routing Chapter 4. Routing 2. Create a routing table called "r2" and make sure the ordering is set to "Default". 3. Add the route found in the list of routes in the routing table "r2", as shown earlier. 4. Add two VR policies according to the list
  • D-Link DFL-260E | User Manual for DFL-260E - Page 190
    multiple Internet links so networks are not dependent on a single ISP. • To allow balancing of traffic across multiple VPN tunnels which matching routes is assembled. The routes in the list must cover the exact same IP address range (further explanation of this requirement can be found below). 2. If
  • D-Link DFL-260E | User Manual for DFL-260E - Page 191
    similar to Round Robin but provides "stickiness" so that unique destination IP addresses always get the same route from a lookup. The importance of RLB Algorithm Settings along with the Hold Timer number of seconds (the default is 30 seconds) for the interface. When the traffic passing through the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 192
    to simplify specification of the values. Using Route Metrics with Round Robin An individual route has a metric associated with it, with the default metric value being zero. With the Round Robin and the associated Destination algorithms, the metric value can be set differently on matching routes
  • D-Link DFL-260E | User Manual for DFL-260E - Page 193
    10.4.16.0/24 for an IP address they both contain. RLB Resets There are two occasions when all RLB algorithms will reset to their initial state: , there is a group of clients on a network connected via the LAN interface of the NetDefend Firewall and these will access the internet. Internet access is
  • D-Link DFL-260E | User Manual for DFL-260E - Page 194
    NAT NAT Src Interface lan lan Src Network lannet lannet Dest Interface Dest Network WAN1 all-nets WAN2 all-nets Service all_services all_services The service All is used in the above IP rules but this should be further refined to a service or service group that covers all the traffic that
  • D-Link DFL-260E | User Manual for DFL-260E - Page 195
    will be selected to achieve stickiness so the server always sees the same source IP address (WAN1 or WAN2) from a single solution has the advantage of providing redundancy should one ISP link fail. • Use VPN with one tunnel that is IPsec based and another tunnel that uses a different protocol
  • D-Link DFL-260E | User Manual for DFL-260E - Page 196
    network device, such as a NetDefend Firewall, can adapt to changes of network updates dynamically but has some disadvantages in that it can be more susceptible to certain problems A Link State (LS) algorithm. How a router decides the optimal or "best" route and shares updated information with
  • D-Link DFL-260E | User Manual for DFL-260E - Page 197
    . OSPF is not available on all D-Link NetDefend models The OSPF feature is only available on the D-Link NetDefend DFL-860E, 1660, 2560 and 2560G. OSPF is not available on the DFL-210, 260 and 260E. An OSPF enabled router first identifies the routers and sub-networks that are directly connected to it
  • D-Link DFL-260E | User Manual for DFL-260E - Page 198
    of view, only the routes for directly connected networks need to be configured on each firewall. OSPF automatically provides the required routing information to find networks connected to other firewalls, even if traffic needs to transit several other firewalls to reach its destination. Tip: Ring
  • D-Link DFL-260E | User Manual for DFL-260E - Page 199
    protocol developed for IP networks by the Internet Engineering Task Force (IETF). The NetDefendOS OSPF implementation is based upon RFC 2328, with compatibility to RFC 1583. OSPF is not available on all D-Link NetDefend models The OSPF feature is only available on the NetDefend DFL-860E, 1660, 2560
  • D-Link DFL-260E | User Manual for DFL-260E - Page 200
    needs a virtual link to it. OSPF networks should be designed by beginning with the backbone. Stub Areas Stub areas are areas through which or into which AS external advertisements are not flooded. When an area is configured as a stub area, the router will automatically advertise a default route
  • D-Link DFL-260E | User Manual for DFL-260E - Page 201
    network based on the priorities advertised by all the routers. If there is already a DR on the network using IP ID of the firewall in it, Virtual Links Virtual links are used for the following scenarios: A. Linking an area that does not have a direct connection to the backbone area. B. Linking
  • D-Link DFL-260E | User Manual for DFL-260E - Page 202
    fw1 with Router ID 192.168.1.1 and vice versa. These virtual links need to be configured in Area 1. B. Linking a Partitioned Backbone OSPF allows for linking a partitioned backbone using a virtual link. The virtual link should be configured between two separate ABRs that touch the backbone from each
  • D-Link DFL-260E | User Manual for DFL-260E - Page 203
    Router ID 192.168.1.1 and vice versa. These virtual links need to be configured in Area 1. To set this feature up in NetDefendOS, see Section 4.5.3.6, "OSPF VLinks". OSPF High Availability Support There are some limitations in High Availability support for OSPF that should be noted: Both the active
  • D-Link DFL-260E | User Manual for DFL-260E - Page 204
    should be defined on each NetDefend Firewall which is part of the OSPF network. General Parameters Name Router ID Specifies a symbolic name for the OSPF AS. Specifies the IP address that is used to identify the router in an AS. If no Router ID is configured, the firewall computes the Router ID
  • D-Link DFL-260E | User Manual for DFL-260E - Page 205
    if the NetDefend Firewall will be used in an environment that consists of routers that only support RFC 1583. Debug Protocol debug provides a troubleshooting tool by they must be sent using a VPN. For example, using IPsec. Sending OSPF packets through an IPsec tunnel is discussed further in
  • D-Link DFL-260E | User Manual for DFL-260E - Page 206
    to use all available RAM in the firewall. 4.5.3.2. OSPF Area The Autonomous System (AS) is divided into smaller parts called Areas; this section explains how to configure areas. An area collects together OSPF interfaces, neighbors, aggregates and virtual links. An OSPF area is a child of the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 207
    the OSPF area. 4.5.3.3. OSPF Interface This section describes how to configure an OSPF Interface object. OSPF interface objects are children of OSPF areas. Unlike areas, they are not similar on each NetDefend Firewall in the OSPF network. The purpose of an OSPF interface object is to describe
  • D-Link DFL-260E | User Manual for DFL-260E - Page 208
    firewalls. The neighbor address of such a link is configured by defining an OSPF Neighbour object. Using VPN tunnels is discussed further in Section 4.5.5, "Setting Up OSPF". • Point-to-Multipoint - The Point-to-Multipoint interface type is a collection of Point-to-Point networks takes to forward a
  • D-Link DFL-260E | User Manual for DFL-260E - Page 209
    made through the tunnel. This type of VPN usage with IPsec tunnels is described further in Section 4.5.5, " routing table in the firewall, if not advertised this will hide the networks. NetDefendOS OSPF Aggregate objects Virtual Link (VLink) can be used to connect to the backbone through a
  • D-Link DFL-260E | User Manual for DFL-260E - Page 210
    virtual link. Authentication Use Default For AS Use the values configured in the AS properties page. Note: Linking partitioned backbones If the backbone area is partitioned, a virtual link NetDefend Firewall which allows the routing information that the OSPF AS delivers from remote firewalls to
  • D-Link DFL-260E | User Manual for DFL-260E - Page 211
    to another OSPF AS. Note The last usage of joining autonomous systems together is rarely encountered except in very large networks. OSPF Requires at Least an Import Rule By default, NetDefendOS will not import or export any routes. For OSPF to function, it is therefore mandatory to define at least
  • D-Link DFL-260E | User Manual for DFL-260E - Page 212
    Network Exactly Matches Or is within Specifies if the network needs to exactly match a specific network. Specifies if the network needs to be within a specific network Process Forward Tag Route Type Specifies into which OSPF AS the route change should be imported. If needed, specifies the IP to
  • D-Link DFL-260E | User Manual for DFL-260E - Page 213
    large number of configuration possibilities that OSPF offers. However, in many cases a simple OSPF solution using a minimum of NetDefendOS objects is needed and setup can be straightforward. Let us examine again the simple scenario described earlier with just two NetDefend Firewalls. In this example
  • D-Link DFL-260E | User Manual for DFL-260E - Page 214
    . For example if lan is the interface then lannet will be the default network. • Interface Type - this would normally be Auto so that the in other words, with another NetDefend Firewall that acts as an OSPF router). For example, the interface may only be connected to a network of clients, in which
  • D-Link DFL-260E | User Manual for DFL-260E - Page 215
    Flags Network Iface Gateway Local IP Metric Guide. Sending OSPF Traffic Through a VPN Tunnel In some cases, the link between two NetDefend Firewalls which are configured with OSPF Router Process objects may be insecure. For example, over the public Internet. In this case, we can secure the link
  • D-Link DFL-260E | User Manual for DFL-260E - Page 216
    setup options are explained in Section 9.2, "VPN Quick Start". This IPsec tunnel is now treated like any other interface when configuring OSPF in NetDefendOS. 2. Choose a random internal IP network For each firewall, we need to choose a random IP network using internal, private IPv4 addresses. For
  • D-Link DFL-260E | User Manual for DFL-260E - Page 217
    Up OSPF". The VPN IPsec scenario is not included. Example 4.9. Creating an OSPF Router Process On the first firewall involved in the OSPF the process, for example as_0 3. Click OK This should be repeated for all the NetDefend Firewalls that will be part of the OSPF AS. Example 4.10. Add an OSPF Area
  • D-Link DFL-260E | User Manual for DFL-260E - Page 218
    defaults to the network bound to that interface. In this case lannet. This should be repeated for all the interfaces on this NetDefend Firewall that will be part of the OSPF area and then repeated for all the other firewalls. Example 4.12. Import Routes from an OSPF AS into the Main Routing Table
  • D-Link DFL-260E | User Manual for DFL-260E - Page 219
    4.5.6. An OSPF Example Chapter 4. Routing Next, create an OSPF Action that will export the filtered route to the specified OSPF AS: Web Interface 1. Go to: Routing > Dynamic Routing Rules 2. Click on the newly created ExportAllNets 3. Go to: OSPF Actions > Add > DynamicRoutingRuleExportOSPF 4. For
  • D-Link DFL-260E | User Manual for DFL-260E - Page 220
    are set up in the IP rule set in order to perform forwarding to the correct interfaces. This is demonstrated in the examples described later. Note: Interface multicast handling must be On or Auto For multicast to function with an Ethernet interface on any NetDefend Firewall, that interface must have
  • D-Link DFL-260E | User Manual for DFL-260E - Page 221
    default, the multicast IP range 224.0.0.0/4 is always routed to core and does not have to be manually added to the routing tables. Each specified output interface can individually be configured Forwarding - No Address Translation This scenario describes how to configure multicast forwarding
  • D-Link DFL-260E | User Manual for DFL-260E - Page 222
    using IGMP. The following steps need to be performed to configure the actual forwarding of the multicast traffic. IGMP has to be configured separately. Web Interface A. Create a custom service for multicast called multicast_service: 1. Go to: Objects > Services > Add > TCP/UDP 2. Now enter: • Name
  • D-Link DFL-260E | User Manual for DFL-260E - Page 223
    : 1234 B. Create an IP rule: 1. Go to: Rules > IP Rules > Add > IP Rule 2. Under General enter: • Name: a name for the rule, for example Multicast_Multiplex • Action: Multiplex SAT • Service: multicast_service 3. Under Address Filter enter: • Source Interface: wan • Source Network: 192.168.10
  • D-Link DFL-260E | User Manual for DFL-260E - Page 224
    an Allow rule matching the SAT Multiplex rule. Example 4.15. Multicast Forwarding - Address Translation The following SAT Multiplex rule needs to be configured to match the scenario described above: Web Interface A. Create a custom service for multicast called multicast_service: 1. Go to: Objects
  • D-Link DFL-260E | User Manual for DFL-260E - Page 225
    there are two exceptions: 1. If the multicast source is located on a network directly connected to the router, no query rule is needed. 2. If a neighboring router is statically configured to deliver a multicast stream to the NetDefend Firewall, an IGMP query would also not have to be specified.
  • D-Link DFL-260E | User Manual for DFL-260E - Page 226
    IGMP Configuration Chapter 4. Routing NetDefendOS supports two IGMP modes of operation: • Snoop Mode • Proxy Mode The operation of these two modes is shown in the following illustrations: Figure 4.16. Multicast Snoop Mode Figure 4.17. Multicast Proxy Mode In Snoop Mode, the NetDefend Firewall
  • D-Link DFL-260E | User Manual for DFL-260E - Page 227
    the firewall will be acting as a normal host, subscribing to multicast groups on behalf of its clients. 4.6.3.1. IGMP Rules Configuration : • Source Interface: lfGrpClients • Source Network: if1net, if2net, if3net • Destination Interface: core • Destination Network: auto • Multicast Source: 192.168.
  • D-Link DFL-260E | User Manual for DFL-260E - Page 228
    configure IGMP according to the Address Translation scenario described above in Section 4.6.2.2, "Multicast Forwarding router uses IP UpstreamRouterIP. Example 4.17. if1 Configuration The following : if1 • Source Network: if1net • Destination Interface: core • Destination Network: auto • Multicast
  • D-Link DFL-260E | User Manual for DFL-260E - Page 229
    Network: UpstreamRouterIp • Destination Interface: core • Destination Network: auto • Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.0/24 4. Click OK Chapter 4. Routing Example 4.18. if2 Configuration the translated IP addresses and the queries will contain the original IP addresses
  • D-Link DFL-260E | User Manual for DFL-260E - Page 230
    Source Network: UpstreamRouterIp • Destination Interface: core • Destination Network: forwarded according to the default route. Default: Enabled IGMP Before Rules For IGMP traffic, bypass the normal IP rule set and consult the IGMP rule set. Default: Enabled IGMP React To Own Queries The firewall
  • D-Link DFL-260E | User Manual for DFL-260E - Page 231
    configured IGMP Setting. Multiple querying IGMP routers on the same network must use the same IGMP version. Global setting on interfaces without an overriding IGMP Setting. Default Default: 5,000 IGMP Max Total Requests . Default: IGMP Setting. Default: 125,000 IGMP Setting. Default: 10,000
  • D-Link DFL-260E | User Manual for DFL-260E - Page 232
    The interval of General Queries in milliseconds used during the startup phase. Global setting on interfaces without an overriding IGMP Setting. Default: 30,000 IGMP Unsolicited Report Interval The time in milliseconds between repetitions of an initial membership report. Global setting on interfaces
  • D-Link DFL-260E | User Manual for DFL-260E - Page 233
    users are accessing the services permitted, they will not be aware of the NetDefend Firewall's presence. Network security and control can therefore be significantly enhanced with deployment of a NetDefend Firewall connected Ethernet network to identify and keep track of which host IP addresses are
  • D-Link DFL-260E | User Manual for DFL-260E - Page 234
    for pre-existing routers and protected servers. This works well when comprehensive control over routing is desired. With switch routes, the NetDefend Firewall operates in Transparent Mode and resembles an OSI Layer 2 Switch in that it screens IP packets and forwards them transparently to the correct
  • D-Link DFL-260E | User Manual for DFL-260E - Page 235
    in transparent mode, the following single IP rule could be added but more restrictive IP rules are recommended. Action Allow Src Interface any Src Network all-nets Dest Interface any Dest Network all-nets Service all_services Restricting the Network Parameter As NetDefendOS listens to ARP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 236
    table used for an interface is decided by the Routing Table Membership parameter for each interface. To implement separate Transparent Mode networks, interfaces must have their Routing Table Membership reset. By default, all interfaces have Routing Table Membership set to be all routing tables. By
  • D-Link DFL-260E | User Manual for DFL-260E - Page 237
    be the ISP's own DHCP server which will hand out public IPv4 addresses to users. In this case, NetDefendOS MUST be correctly configured as a DHCP Relayer to forward DHCP traffic between users and the DHCP server. It may be the case that the exact IP address of the DHCP server is unknown but what is
  • D-Link DFL-260E | User Manual for DFL-260E - Page 238
    all-nets Gateway gw-ip Now let's suppose the NetDefend Firewall is to operate in transparent mode between the users and the ISP. The illustration below shows how, using switch routes, the NetDefend Firewall is set up to be transparent between the internal physical Ethernet network (pn2) and the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 239
    the same logical IP network as the users and will therefore be gw-ip. NetDefendOS May Also Need Internet Access The NetDefend Firewall also needs to find the public Internet if it is to perform NetDefendOS functions such as DNS lookup, Web Content Filtering or Anti-Virus and IDP updating. To allow
  • D-Link DFL-260E | User Manual for DFL-260E - Page 240
    Scenario 1 Example 4.19. Setting up Transparent Mode for Scenario 1 Web Interface Configure the interfaces: 1. Go to: Interfaces > Ethernet > Edit (wan) 2. Now enter: • IP Address: 10.0.0.1 • Network: 10.0.0.0/24 • Default Gateway: 10.0.0.1 • Transparent Mode: Enable 3. Click OK 4. Go to: Interfaces
  • D-Link DFL-260E | User Manual for DFL-260E - Page 241
    the HTTP server on the DMZ can be reached from the Internet. The NetDefend Firewall is transparent between the DMZ and LAN but traffic is still controlled by the IP rule set. Figure 4.21. Transparent Mode Scenario 2 Example 4.20. Setting up Transparent Mode for Scenario 2 Configure a Switch Route
  • D-Link DFL-260E | User Manual for DFL-260E - Page 242
    > SwitchRoute 2. Now enter: • Switched Interfaces: TransparentGroup • Network: 10.0.0.0/24 • Metric: 0 3. Click OK Configure the rules: 1. Go to: Rules > IP Rules > Add > IPRule 2. Now enter: • Name: HTTP-LAN-to-DMZ • Action: Allow • Service: http • Source Interface: lan • Destination Interface: dmz
  • D-Link DFL-260E | User Manual for DFL-260E - Page 243
    : Allow • Service: http • Source Interface: wan • Destination Interface: dmz • Source Network: all-nets • Destination Network: wan_ip 9. Click OK 4.7.4. Spanning Tree BPDU Support NetDefendOS includes support for relaying the Bridge Protocol Data Units (BPDUs) across the NetDefend Firewall. BPDU
  • D-Link DFL-260E | User Manual for DFL-260E - Page 244
    the content type is supported. If it is not, the frame is dropped. Enabling/Disabling BPDU Relaying BPDU relaying is disabled by default and can be except the incoming interface. 4.7.5. Advanced Settings for Transparent Mode CAM To L3 Cache Dest Learning Enable this if the firewall should be
  • D-Link DFL-260E | User Manual for DFL-260E - Page 245
    should be decremented each time a packet traverses the firewall in Transparent Mode. Default: Disabled Dynamic CAM Size This setting can be used to manually configure the size of the CAM table. Normally Dynamic is the preferred value to use. Default: Dynamic CAM Size If the Dynamic CAM Size setting
  • D-Link DFL-260E | User Manual for DFL-260E - Page 246
    • Rewrite - Rewrite to the MAC of the forwarding interface • RewriteLog - Rewrite to the MAC of the forwarding interface and log • Drop - Drop packets • DropLog - Drop and log packets Default: DropLog Relay Spanning-tree BPDUs When set to Ignore all incoming STP, RSTP and MSTP BPDUs are relayed to
  • D-Link DFL-260E | User Manual for DFL-260E - Page 247
    4. Routing • Log - Let the packets pass and log the event • Drop - Drop the packets • DropLog - Drop packets and log the event Default: Drop Relay MPLS When set to Ignore all incoming MPLS packets are relayed in transparent mode. Options: • Ignore - Let the packets pass but do not log • Log - Let the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 248
    4.7.5. Advanced Settings for Transparent Mode Chapter 4. Routing 248
  • D-Link DFL-260E | User Manual for DFL-260E - Page 249
    DHCP services in NetDefendOS. • Overview, page 249 • DHCP Servers, page 250 • DHCP Relaying, page 256 • IP Pools, page 259 5.1. Overview Dynamic Host Configuration Protocol (DHCP) is a protocol that allows network administrators to automatically assign IP numbers to computers on a network. IP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 250
    one of the user interfaces. Using Relayer IP Address Filtering As explained above a DHCP server is selected based on a match of both interface and relayer IP filter. Each DHCP server must have a relayer IP filter value specified and the possible values are as follows: • all-nets The default value is
  • D-Link DFL-260E | User Manual for DFL-260E - Page 251
    be a single interface or a group of interfaces. An IP range, group or network that the DHCP server will use as an IP address pool for handing out DHCP leases. The netmask which will be sent to DHCP clients. Optional Parameters Default GW This specifies what IP should be sent to the client for use
  • D-Link DFL-260E | User Manual for DFL-260E - Page 252
    5.2. DHCP Servers Chapter 5. DHCP Services This example shows how to set up a DHCP server called DHCPServer1 which assigns and manages IP addresses from an IPv4 address pool called DHCPRange1. This example assumes that an IP range for the DHCP Server has already been created. Command-Line
  • D-Link DFL-260E | User Manual for DFL-260E - Page 253
    5. DHCP Services Tip: Lease database saving between restarts DHCP leases are, by default, remembered by NetDefendOS between system restarts. The DHCP advanced settings can be adjusted to control how often the lease database is saved. The DHCP Server Blacklist Sometimes, an IP address offered
  • D-Link DFL-260E | User Manual for DFL-260E - Page 254
    MAC Address Client Identified Chapter 5. DHCP Services This is the IP address that will be handed out to IP address 192.168.1.12 with the following command: gw-world:/> set DHCPServerPoolStaticHost 1 Host=192.168.1.12 MACAddress=00-90-12-13-14-15 Web Interface 1. Go to: System > DHCP > DHCP Servers
  • D-Link DFL-260E | User Manual for DFL-260E - Page 255
    5. DHCP Services 5.2.2. Custom Options Adding a Custom Option to the DHCP server definition allows the administrator to send specific pieces of information to DHCP clients in the DHCP leases that are sent out. An example of this is certain switches that require the IP address of a TFTP server from
  • D-Link DFL-260E | User Manual for DFL-260E - Page 256
    Relayer This example allows clients on NetDefendOS VLAN interfaces to obtain IP addresses from a DHCP server. It is assumed the NetDefend Firewall is configured with VLAN interfaces vlan1 and vlan2 that use DHCP relaying, and the DHCP server IP address is defined in the NetDefendOS address book as
  • D-Link DFL-260E | User Manual for DFL-260E - Page 257
    IP offers from server: all-nets 3. Under the Add Route tab, check Add dynamic routes for this relayed DHCP lease 4. Click OK 5.3.1. DHCP Relay Advanced Settings The following advanced settings are available with DHCP relaying. Max Transactions Maximum number of transactions at the same time. Default
  • D-Link DFL-260E | User Manual for DFL-260E - Page 258
    Advanced Settings Chapter 5. DHCP Services The maximum lease time allowed by NetDefendOS. If the DHCP server has a higher lease time, it will be reduced down to this value. Default: 10000 seconds Max Auto Routes How many relays that can be active at the same time. Default: 256 Auto Save Policy
  • D-Link DFL-260E | User Manual for DFL-260E - Page 259
    servers. Client IP filter This is an optional setting used to specify which offered IPs are acceptable. In most cases this will be set to the default a DHCP server response with an unacceptable IP address. Advanced IP Pool Options Advanced options available for IP Pool configuration are: Routing
  • D-Link DFL-260E | User Manual for DFL-260E - Page 260
    IP Pools Chapter 5. DHCP Services Receive Interface MAC Range Prefetch leases Maximum free Maximum clients Sender IP A "simulated" virtual DHCP server receiving interface. This setting is used to simulate a receiving interface when an IP pool is obtaining IP addresses from internal DHCP servers
  • D-Link DFL-260E | User Manual for DFL-260E - Page 261
    command options can be found in the CLI Reference Guide. Example 5.4. Creating an IP Pool This example shows the creation of an IP Pool object that will use the DHCP server on IP address 28.10.14.1 with 10 prefetched leases. It is assumed that this IP address is already defined in the address book
  • D-Link DFL-260E | User Manual for DFL-260E - Page 262
    5.4. IP Pools Chapter 5. DHCP Services 262
  • D-Link DFL-260E | User Manual for DFL-260E - Page 263
    . The solution to the problem is to create a route for the interface where the connection arrives so that the route's destination network is the same as or contains the incoming connection's source IP. Custom Access Rules are Optional For most configurations the Default Access Rule is sufficient and
  • D-Link DFL-260E | User Manual for DFL-260E - Page 264
    source. Although the packet source cannot be responded to correctly, there is the potential for unnecessary network congestion to be created and potentially a Denial of Service (DoS) condition could occur. Even if the firewall is able to detect a DoS condition, it is hard to trace or stop because of
  • D-Link DFL-260E | User Manual for DFL-260E - Page 265
    Settings Chapter 6. Security Mechanisms Turning Off Default Access Rule Messages If, for some reason, the Default Access Rule log to check Access Rules when troubleshooting puzzling problems in case a rule is preventing some other function, such as VPN tunnel establishment, from working properly
  • D-Link DFL-260E | User Manual for DFL-260E - Page 266
    in protocols such as IP, TCP, UDP, and ICMP, NetDefend Firewalls provide Application Layer Gateways (ALGs) which provide filtering at the higher application OSI level. An ALG object acts as a mediator in accessing commonly used Internet applications outside the protected network, for example web
  • D-Link DFL-260E | User Manual for DFL-260E - Page 267
    6.2.2. The HTTP ALG Chapter 6. Security Mechanisms Maximum Connection Sessions The service associated with an ALG has a configurable parameter associated with it called Max Sessions and the default value varies according to the type of ALG. For instance, the default value for the HTTP ALG is 1000.
  • D-Link DFL-260E | User Manual for DFL-260E - Page 268
    by NetDefendOS on the assumption that it can be a security threat. 2. Allow/Block Selected Types This option operates independently data then the download will be dropped. If nothing is marked in this mode then no files can be downloaded. Additional filetypes not included by default can be added
  • D-Link DFL-260E | User Manual for DFL-260E - Page 269
    6.2.2. The HTTP ALG Chapter 6. Security Mechanisms Note: Similarities with other NetDefendOS features The Verify MIME type and Allow/Block Selected Types options work in the same way for the FTP, POP3 and SMTP ALGs. • Download File Size Limit - A file size limit can additionally be specified for
  • D-Link DFL-260E | User Manual for DFL-260E - Page 270
    the NetDefend Firewall. FTP Connections FTP uses two communication channels, one for control commands and one for the actual files being transferred. When an FTP session is opened, the FTP client establishes a TCP connection (the control channel) to port 21 (by default) on the FTP server. What
  • D-Link DFL-260E | User Manual for DFL-260E - Page 271
    6. Security Mechanisms Both active and passive modes of FTP operation present problems for NetDefend Firewalls. Consider a scenario where an FTP client on the internal network connects through the firewall to an FTP server on the Internet. The IP rule is then configured to allow network traffic
  • D-Link DFL-260E | User Manual for DFL-260E - Page 272
    6.2.3. The FTP ALG Chapter 6. Security Mechanisms Figure 6.3. FTP ALG Hybrid Mode Note: Hybrid conversion mode. A range of server data ports is specified with this option. The client will be allowed to connect to any of these if the server is using passive mode. The default range is 1024-65535.
  • D-Link DFL-260E | User Manual for DFL-260E - Page 273
    may need to be raised. The shorter the limit, the better the security. • Maximum number of commands per second To prevent automated attacks against an FTP server, restricting the frequency of commands can be useful. The default limit is 20 commands per second. • Allow 8-bit strings in control channel
  • D-Link DFL-260E | User Manual for DFL-260E - Page 274
    infected servers If a client downloads an infected file from a remote FTP server on the Internet, the server will not be blocked by ZoneDefense since it is outside of the configured network range. The virus is, however, still blocked by the NetDefend Firewall. B. Blocking infected servers. Depending
  • D-Link DFL-260E | User Manual for DFL-260E - Page 275
    to use passive mode FTP ALG option. This is more secure for the server as it will never receive passive mode data. The FTP ALG will handle all conversion if a client connects using passive mode. The configuration is performed as follows: Web Interface A. Define the ALG: (The ALG ftp-inbound is
  • D-Link DFL-260E | User Manual for DFL-260E - Page 276
    the public IP on port 21 and forward that to the internal FTP server: 1. Go to: Rules > IP Rules > Add > IPRule 2. Now enter: • Name: SAT-ftp-inbound • Action: SAT • Service: ftp-inbound-service 3. For Address Filter enter: • Source Interface: any • Destination Interface: core • Source Network: all
  • D-Link DFL-260E | User Manual for DFL-260E - Page 277
    Network: all-nets • Destination Network: wan_ip 4. Click OK Example 6.3. Protecting FTP Clients In the scenario shown below the NetDefend Firewall is protecting a workstation that will connect to FTP servers that support active and passive mode across the Internet. The configuration is
  • D-Link DFL-260E | User Manual for DFL-260E - Page 278
    -ftp-outbound • Action: Allow • Service: ftp-outbound-service 3. For Address Filter enter: • Source Interface: lan • Destination Interface: wan • Source Network: lannet • Destination Network: all-nets 4. Click OK ii. Using Public IPs If the firewall is using private IPs with a single external public
  • D-Link DFL-260E | User Manual for DFL-260E - Page 279
    be protected behind the NetDefend Firewall and NetDefendOS will SAT-Allow connections to it from external clients that are connecting across the public Internet. If FTP Passive mode is allowed and a client connects with this mode then the FTP server must return an IP address and port to the client
  • D-Link DFL-260E | User Manual for DFL-260E - Page 280
    Security can be restricted. By default this is the absolute maximum coming from the same source IP address and port within a fixed period of servers will traverse the NetDefend Firewall to reach the local server (this setup is illustrated later in Section 6.2.5.1, "Anti-Spam Filtering"). Local users
  • D-Link DFL-260E | User Manual for DFL-260E - Page 281
    Email address blacklisting Email address whitelisting Verify MIME type Block/Allow filetype Anti-Virus scanning The administrator should therefore add a reasonable margin above the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 282
    Figure 6.4. SMTP ALG Processing Order Using Wildcards in therefore removes any unsupported extensions from the supported extension list that is returned to the client by an SMTP server behind the NetDefend Firewall. When an extension is removed, a
  • D-Link DFL-260E | User Manual for DFL-260E - Page 283
    to the NetDefendOS SMTP ALG is a spam module that provides the ability to apply spam filtering to incoming email as it passes through the NetDefend Firewall on its way to a local SMTP email server. Filtering is done based on the email's origin. This approach can significantly reduce the burden of
  • D-Link DFL-260E | User Manual for DFL-260E - Page 284
    filtering to emails as they pass through the NetDefend Firewall from an external remote SMTP server to a local SMTP server (from which local clients will later download their emails). Typically, the local, protected SMTP server will be set up on a DMZ network and there will usually be only one "hop
  • D-Link DFL-260E | User Manual for DFL-260E - Page 285
    servers are queried to assess the likelihood that the email is Spam, based on its origin address. The NetDefendOS administrator assigns a weight greater than zero to each configured server so that a weighted sum can then be calculated based on all
  • D-Link DFL-260E | User Manual for DFL-260E - Page 286
    If an email is determined to be Spam and a forwarding address is configured for dropped emails, then the administrator has the option to Add TXT Records to the email. A TXT Record is the information sent back from the DNSBL server when the server thinks the sender is a source of Spam. This
  • D-Link DFL-260E | User Manual for DFL-260E - Page 287
    Security These log messages include the source email address and IP as well as its weighted points score and which TXT messages sent by the DNSBL servers that failed are inserted into the header over first. There are two parameters which can be configured for the address cache: • Cache Size This is
  • D-Link DFL-260E | User Manual for DFL-260E - Page 288
    The default value is 600 seconds. The Anti-Spam address cache is emptied at startup or reconfiguration. For the DNSBL subsystem overall: • Number of emails checked. • Number of emails Spam tagged. • Number of dropped emails. For each DNSBL server IP Cache disabled Configured
  • D-Link DFL-260E | User Manual for DFL-260E - Page 289
    /password combination as clear text which can be easily read (some servers may not support other methods than this). Hide User This option prevents the POP3 server from revealing that a username does not exist. This prevents users from trying different usernames until they find a valid one. Allow
  • D-Link DFL-260E | User Manual for DFL-260E - Page 290
    behind a NetDefend Firewall. The firewall is connected to the external Internet and a NAT rule is defined to allow traffic from the clients to flow to the Internet. Both clients will therefore appear to come from the same IP address as they make connections to servers across the Internet. One
  • D-Link DFL-260E | User Manual for DFL-260E - Page 291
    of all-nets. The single IP rule below shows how the custom service object called pptp_service is associated with a typical NAT rule. The clients, which are the local end point of the PPTP tunnels, are located behind the firewall on the network lannet which is connected to the lan interface. The
  • D-Link DFL-260E | User Manual for DFL-260E - Page 292
    that do not work with the SIP ALG may come pre-configured by service providers with restricted configuration possibilities. NAT traversal techniques like STUN also lie outside of RFC 3261 and need to be disabled. NetDefendOS Supports Three Scenarios Before continuing to describe SIP in more depth
  • D-Link DFL-260E | User Manual for DFL-260E - Page 293
    and authorizing access to services. They also implement provider call-routing policies. The proxy is often located on the external, unprotected side of the NetDefend Firewall but can have other locations. All of these scenarios are supported by NetDefendOS. A server that handles SIP REGISTER
  • D-Link DFL-260E | User Manual for DFL-260E - Page 294
    rules must be set up to allow all SIP messages through the NetDefend Firewall, and if the source network of the messages is not known then a large number of potentially dangerous connections must be allowed by the IP rule set. This problem does not occur if the local proxy is set up with the Record
  • D-Link DFL-260E | User Manual for DFL-260E - Page 295
    SIP Usage Scenarios NetDefendOS supports a variety of SIP usage scenarios. The on the local, protected side of the NetDefend Firewall and can handle registrations from both clients located on the same local network as well as clients on the external
  • D-Link DFL-260E | User Manual for DFL-260E - Page 296
    the SIP ALG object. The service should have: • Destination Port set to 5060 (the default SIP signalling port). • Type set to TCP/UDP. 3. Define two rules in the IP rule set: • A NAT rule for outbound traffic from clients on the internal network to the SIP Proxy Server located externally. The SIP ALG
  • D-Link DFL-260E | User Manual for DFL-260E - Page 297
    advantage of using Record-Route is clear since now the destination network for outgoing traffic and the source network for incoming traffic have to include all IP addresses that are possible. The Service object for IP rules In this section, tables which list IP rules like those above, will omit the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 298
    IP address of the NetDefend Firewall. The setup steps are as follows: 1. Define a single SIP ALG object using the options described above. 2. Define a Service object which is associated with the SIP ALG object. The service should have: • Destination Port set to 5060 (the default SIP signalling port
  • D-Link DFL-260E | User Manual for DFL-260E - Page 299
    the previous but the major difference is the location of the local SIP proxy server. The server is placed on a separate interface and network to the local clients. This setup adds an extra layer of security since the initial SIP traffic is never exchanged directly between a remote endpoint and the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 300
    is associated with the SIP ALG object. The service should have: • Destination Port set to 5060 (the default SIP signalling port) • Type set to TCP/UDP 3. Define four rules in the IP rule set: • A NAT rule for outbound traffic from the clients on the internal network to the proxy located on the DMZ
  • D-Link DFL-260E | User Manual for DFL-260E - Page 301
    the NetDefend Firewall. This rule will have core (in other words, NetDefendOS itself) as the destination interface. The reason for this is because of the NAT rule above. When an incoming call is received, NetDefendOS automatically locates the local receiver, performs address translation and forwards
  • D-Link DFL-260E | User Manual for DFL-260E - Page 302
    • Destination Port set to 5060 (the default SIP signalling port) • Type set to TCP/UDP 3. Define four rules in the IP rule set: • An Allow rule for outbound traffic from the clients on the internal network to the proxy located on the DMZ
  • D-Link DFL-260E | User Manual for DFL-260E - Page 303
    forward on busy, etc. It is needed when there is more than one H.323 terminal behind a NATing device with only one public IP. MCUs provide support communication. Video and T. networks secured by NetDefend Firewalls. The H.323 specification was not designed to handle NAT, as IP addresses and ports
  • D-Link DFL-260E | User Manual for DFL-260E - Page 304
    gatekeeper, in order to correctly configure the NetDefend Firewall to let calls through. • NAT and SAT rules are supported, allowing clients and gatekeepers to use private IPv4 addresses on a network behind the NetDefend Firewall. H.323 ALG Configuration The configuration of the standard H.323 ALG
  • D-Link DFL-260E | User Manual for DFL-260E - Page 305
    phone is connected to the NetDefend Firewall on a network (lannet) with public IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules. The following rules need
  • D-Link DFL-260E | User Manual for DFL-260E - Page 306
    • Destination Interface: lan • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: lannet • Comment: Allow incoming calls 3. Click OK Example 6.5. H.323 with Private IPv4 Addresses In this scenario an H.323 phone is connected to the NetDefend Firewall on a network with
  • D-Link DFL-260E | User Manual for DFL-260E - Page 307
    • Service: H323 • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: Allow incoming calls to H.323 phone at ip-phone 3. Click OK To place a call to the phone behind the NetDefend Firewall
  • D-Link DFL-260E | User Manual for DFL-260E - Page 308
    • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing calls 3. Click OK Incoming Rule: 1. Go to: Rules > IP Rules > Add > IPRule
  • D-Link DFL-260E | User Manual for DFL-260E - Page 309
    • Service: H323 • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: Allow incoming calls to H.323 phone at ip-phone 3. Click OK To place a call to the phone behind the NetDefend Firewall
  • D-Link DFL-260E | User Manual for DFL-260E - Page 310
    2. Now enter: • Name: H323In • Action: SAT • Service: H323-Gatekeeper • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: SAT rule for incoming communication with the Gatekeeper located at
  • D-Link DFL-260E | User Manual for DFL-260E - Page 311
    to the DMZ should be configured exactly as in scenario 3. The other NetDefend Firewall should be configured as below. The rules need to be added to the rule listings, and care should be taken that there are no rules disallowing or allowing the same kind of ports/traffic before these rules. Web
  • D-Link DFL-260E | User Manual for DFL-260E - Page 312
    . This will allow the whole corporation to use the network for both voice communication and application sharing. It is assumed that the VPN tunnels are correctly configured and that all offices use private IP-ranges on their local networks. All outside calls are done over the existing telephone
  • D-Link DFL-260E | User Manual for DFL-260E - Page 313
    NetDefend Firewall. This firewall should be configured as follows: Web Interface 1. Go to: Rules > IP Rules > Add > IPRule 2. Now enter: • Name: LanToGK • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip
  • D-Link DFL-260E | User Manual for DFL-260E - Page 314
    Add > IPRule 2. Now enter: • Name: BranchToGW • Action: Allow • Service: H323-Gatekeeper • Source Interface: vpn-branch • Destination Interface: dmz • Source Network: branch-net • Destination Network: ip-gatekeeper, ip-gateway • Comment: Allow communication with the Gatekeeper on DMZ from the Branch
  • D-Link DFL-260E | User Manual for DFL-260E - Page 315
    be configured as follows: (this rule should be in both the Branch and Remote Office firewalls). Web Interface 1. Go to: Rules > IP Rules > Add > IPRule 2. Now enter: • Name: ToGK • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: vpn-hq • Source Network
  • D-Link DFL-260E | User Manual for DFL-260E - Page 316
    provide a convenient and simple solution for secure access by clients to servers and avoid many of the complexities of other types of VPN solutions such as using IPsec. Most web browsers support TLS and users can therefore easily have secure server access without requiring additional software. The
  • D-Link DFL-260E | User Manual for DFL-260E - Page 317
    . The advantages of this approach are: • TLS support can be centralized in the NetDefend Firewall instead of being set up on individual servers. • Certificates can be managed centrally in the NetDefend Firewall instead of on individual servers. Unique certificates (or one wildcard certificate) do
  • D-Link DFL-260E | User Manual for DFL-260E - Page 318
    do load balancing (the destination port can also be changed through a custom service object). URLs Delivered by Servers It should be noted that using NetDefendOS for TLS termination will not change URLs in webpages delivered by servers which lie behind the NetDefend Firewall. What this means is that
  • D-Link DFL-260E | User Manual for DFL-260E - Page 319
    service. Dynamic content filtering requires a minimum of administration effort and has very high accuracy. Note: Enabling WCF network from where the user is surfing. Typically, such code is embedded into various types of objects or files which are embedded into web pages. NetDefendOS includes support
  • D-Link DFL-260E | User Manual for DFL-260E - Page 320
    and Java applets This example shows how to configure an HTTP Application Layer Gateway to strip ActiveX which allows the possibility of manually making exceptions from the automatic Both the URL blacklist and URL whitelist support wildcard matching of URLs in order to
  • D-Link DFL-260E | User Manual for DFL-260E - Page 321
    is a separate concept from Section 6.7, "Blacklisting Hosts and Networks". Example 6.14. Setting up a white and blacklist This policy prevents users from downloading .exe-files. However, the D-Link website provides secure and necessary program files which should be allowed to download. Command-
  • D-Link DFL-260E | User Manual for DFL-260E - Page 322
    are updated almost hourly with new, categorized URLs while at the same time older, invalid URLs are dropped. The scope of the URLs in the databases is global, covering websites in many different languages and hosted on servers located in many different countries. WCF Processing Flow When a user of
  • D-Link DFL-260E | User Manual for DFL-260E - Page 323
    Figure 6.8. Dynamic Content Filtering Flow If the requested web page URL is not present in the databases, then the webpage content at the URL will automatically be downloaded to D-Link's central data warehouse and automatically
  • D-Link DFL-260E | User Manual for DFL-260E - Page 324
    Gateway (ALG) Object should be defined with Dynamic Content Filtering enabled. This object is then associated with a service object and the service object is then associated with a rule in the IP rule set to determine which traffic should be subject to the filtering. This makes possible the setting
  • D-Link DFL-260E | User Manual for DFL-260E - Page 325
    following steps: 1. On a workstation on the lannet network, launch a standard web browser. 2. Try to browse to a search site. For example, www.google.com. 3. If everything is configured correctly, the web browser will present a web page that informs the user that the requested site is blocked
  • D-Link DFL-260E | User Manual for DFL-260E - Page 326
    new service, are described in the previous example. Allowing Override On some occasions, Active Content Filtering may prevent users carrying NetDefendOS supports a feature called Allow Override. With this feature enabled, the content filtering component will present a warning to the user that he
  • D-Link DFL-260E | User Manual for DFL-260E - Page 327
    on the lannet network, launch a standard web browser. 2. Try to browse to a search site, for example www.google.com. 3. If everything is configured correctly, the web browser will present a block page where a dropdown list containing all available categories is included. 4. The user is now able
  • D-Link DFL-260E | User Manual for DFL-260E - Page 328
    Category 1: Adult Content A web site may also include resume writing and posting and interviews, as well as staff recruitment and training services. Examples might be: • www.allthejobs.com • www.yourcareer.com Category 4: Gambling
  • D-Link DFL-260E | User Manual for DFL-260E - Page 329
    escort services. Examples might be: • adultmatefinder.com • www.marriagenow.com Category 10: Game Sites A web site may be classified under the Game Sites category if its content focuses on or includes the review of games, traditional or computer based, or incorporates the facilities for downloading
  • D-Link DFL-260E | User Manual for DFL-260E - Page 330
    12: E-Banking A web site may be classified under the E-Banking category if its content includes electronic banking information or services. / Cults category if its content includes the description or depiction of, or instruction in, systems of religious beliefs and practice. Examples might be: • www
  • D-Link DFL-260E | User Manual for DFL-260E - Page 331
    • www.political.com Category 16: Sports A web site may be classified under the Sports category if its content includes information or instructions relating to recreational or professional sports, or reviews on sporting events and sports
  • D-Link DFL-260E | User Manual for DFL-260E - Page 332
    Category 21: Health Sites A web site may be classified under the Health Sites category if its content includes health related information or services, including sexuality and sexual health, as well as support the Internet, for example Web browser updates. Access to web sites in
  • D-Link DFL-260E | User Manual for DFL-260E - Page 333
    learn-at-home.com Category 27: Advertising A . Examples might be: • www.the-cocktail-guide.com • www.stiffdrinks.com Category 29: Computing IT category if its content includes computing related information or services. Examples might be: • www.purplehat.com •
  • D-Link DFL-260E | User Manual for DFL-260E - Page 334
    since this could result in most harmless URLs being blocked. 6.3.4.4. Customizing WCF HTML Pages The Web Content Filtering (WCF) feature of the HTTP ALG makes use of a set of HTML files to present information to the user when certain conditions occur such as trying to access a blocked site. These
  • D-Link DFL-260E | User Manual for DFL-260E - Page 335
    User Authentication > User Authentication Rules 11. Select the relevant HTML ALG and click the Agent Options tab 12. Set the HTTP Banners option to be new_forbidden 13. Click OK 14. Go to: Configuration be used to download the original default HTML, the in Section 2.1.6, "Secure Copy". 4. Using
  • D-Link DFL-260E | User Manual for DFL-260E - Page 336
    set ALG_HTTP my_http_alg HTTPBanners=mytxt 5. As usual, the activate followed by the commit CLI commands must be used to activate the changes on the NetDefend Firewall.
  • D-Link DFL-260E | User Manual for DFL-260E - Page 337
    primarily directed at attacks against servers, Anti-Virus scanning is focused on downloads by clients. NetDefendOS Anti downloaded to a user behind the NetDefend Firewall. Once a virus is recognized in the contents of a file, the download can be terminated before it completes. Types of File Downloads
  • D-Link DFL-260E | User Manual for DFL-260E - Page 338
    default upper limit on file sizes. Simultaneous Scans There is no fixed limit on how many Anti-Virus scans can take place simultaneously in a single NetDefend Firewall given direction and between specific source and destination IP addresses and/or networks. Scheduling can also be applied to virus
  • D-Link DFL-260E | User Manual for DFL-260E - Page 339
    updated regularly and this updating service is enabled as part of the subscription to the D-Link Anti-Virus subscription. 6.4.5. Subscribing to the D-Link Anti-Virus Service The D-Link particular scenario, such as image files in HTTP downloads. NetDefendOS performs MIME content checking on all the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 340
    Security update feature. This can also be done through the WebUI. Updating in High Availability Clusters Updating the Anti-Virus databases for both the NetDefend Firewalls update and downloads the required files for the update. 2. The active unit performs an automatic reconfiguration to update
  • D-Link DFL-260E | User Manual for DFL-260E - Page 341
    a virus, the NetDefend Firewall will upload blocking instructions to the local switches and instruct them to block all traffic from the infected host or server. Since ZoneDefense blocking state in the switches is a limited resource, the administrator has the possibility to configure which hosts and
  • D-Link DFL-260E | User Manual for DFL-260E - Page 342
    the Type dropdown list 4. Enter 80 in the Destination Port textbox 5. Select the HTTP ALG just created in the ALG dropdown list 6. Click OK C. Finally, modify the NAT rule (called NATHttp in this example) to use the new service: 1. Go to: Rules > IP Rules 2. Select the NAT rule handling the traffic
  • D-Link DFL-260E | User Manual for DFL-260E - Page 343
    download and this is normally downloaded to a client system. An intrusion manifests itself as a malicious pattern of Internet data aimed at bypassing server security network traffic as it passes through the NetDefend Firewall Rule as it streams through the firewall. 3. If NetDefendOS IDP detects an
  • D-Link DFL-260E | User Manual for DFL-260E - Page 344
    range of database signatures for more demanding installations. The standard subscription is for 12 months and provides automatic IDP signature database updates. This IDP option is available for all D-Link NetDefend models, including those that don't come as standard with Maintenance IDP. Maintenance
  • D-Link DFL-260E | User Manual for DFL-260E - Page 345
    A new, updated signature database is downloaded automatically by NetDefendOS at a configurable interval. This is done via an HTTP connection to the D-Link server network which delivers the latest signature database updates. If the server's signature database
  • D-Link DFL-260E | User Manual for DFL-260E - Page 346
    IDP Signature Selection When using the Web inconsistencies in the URIs embedded in incoming HTTP requests. Some server attacks are based on creating URIs with sequences that can exploit weaknesses in some HTTP server products. The URI conditions which
  • D-Link DFL-260E | User Manual for DFL-260E - Page 347
    Initial Packet Processing The initial order of packet processing with IDP is as follows: 1. A packet arrives at the firewall and NetDefendOS performs normal verification. If the packet is part of a new connection then it is checked against the IP rule set
  • D-Link DFL-260E | User Manual for DFL-260E - Page 348
    Security IP stream although such an attack may have been present. This condition is caused by infrequent and unusually complex patterns of data in the stream. Recommended Configuration By default server. A rogue user might try to retrieve the password file "passwd" from an FTP server , D-Link IDP uses
  • D-Link DFL-260E | User Manual for DFL-260E - Page 349
    Link website at: http://security.dlink.com.tw Advisories can be found under the "NetDefend IDS" option in the "NetDefend Live" menu. IDP Signature types IDP offers three signature types which offer differing levels of certainty with regard to threats: • Intrusion Protection Signatures (IPS network
  • D-Link DFL-260E | User Manual for DFL-260E - Page 350
    This second the Sub-Category, since the Type could be any of IDS, IPS or POLICY. Processing Multiple Actions For any IDP rule, it is and IPS_HTTP* would be appropriate for protecting an HTTP server. IDP traffic scanning creates an additional load on the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 351
    that the particular host or network that triggers the IDP Rule Link ZoneDefense feature. For more details on how ZoneDefense functions see Chapter 12, ZoneDefense. 6.5.8. SMTP Log Receiver for IDP Events In order to receive notifications via email of IDP events, an SMTP Log receiver can be configured
  • D-Link DFL-260E | User Manual for DFL-260E - Page 352
    6.21. Setting up IDP for a Mail Server The following example details the steps needed to set up IDP for a simple scenario where a mail server is exposed to the Internet on the DMZ network with a public IPv4 address. The public Internet can be reached through the firewall on the WAN interface as
  • D-Link DFL-260E | User Manual for DFL-260E - Page 353
    where traffic is directed to, in this case the mail server. Destination Network should therefore be set to the object defining the mail server. 1. Go to: IDP > IDP Rules > Add > IDP Rule 2. Now enter: • Name: IDPMailSrvRule • Service: smtp • Also inspect dropped packets: In case all traffic matching
  • D-Link DFL-260E | User Manual for DFL-260E - Page 354
    • Destination Network: ip_mailserver If logging of intrusion attempts is desired, this can be configured by clicking in the Rule Actions tab when creating an IDP will occur: If traffic from the external network to the mail server occurs, IDP will be activated. If traffic
  • D-Link DFL-260E | User Manual for DFL-260E - Page 355
    last thing any network administrator wants to experience. Attacks can appear out of thin air and the consequences can be devastating with crashed servers, jammed Internet connections and business critical systems in overload. This section deals with using NetDefend Firewalls to protect organizations
  • D-Link DFL-260E | User Manual for DFL-260E - Page 356
    Security default, or if the configuration contains custom Access Rules, the name of the Access rule that dropped the packet. The sender IP services could possibly become victims to the attack, and public services tend to be more well-written than services expected to only serve the local network
  • D-Link DFL-260E | User Manual for DFL-260E - Page 357
    , being selected as an amplifier network can also consume great resources. In its default configuration, NetDefendOS explicitly drops packets sent to the broadcast address of directly connected networks (configurable via Advanced Settings > IP > DirectedBroadcasts). However, with a reasonable inbound
  • D-Link DFL-260E | User Manual for DFL-260E - Page 358
    The Traffic Shaping feature built into NetDefendOS also helps absorb some of the flood before it reaches protected servers. 6.6.8. TCP SYN Flood Attacks TCP SYN flood attacks work by sending large amounts of TCP SYN packets to a given port and then not
  • D-Link DFL-260E | User Manual for DFL-260E - Page 359
    A more sophisticated form of DoS is the Distributed Denial of Service (DDoS) attack. DDoS attacks exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims. Although recent DDoS
  • D-Link DFL-260E | User Manual for DFL-260E - Page 360
    it is not cumulative). Block only this Service By default Blacklisting blocks all services for the triggering host. Exempt already established IP addresses should be whitelisted It is recommended to add the NetDefend Firewall itself to the whitelist as well as the IP address or network
  • D-Link DFL-260E | User Manual for DFL-260E - Page 361
    It is also important to understand that although Service=all_tcp Web Interface 1. Go to: System > Whitelist > Add > Whitelist host 2. Now select the IP address object white_ip so it is added to the whitelist 3. Select the service
  • D-Link DFL-260E | User Manual for DFL-260E - Page 363
    on the specified security policies, which means that they are applied to specific traffic based on filtering rules that define combinations of source/destination network/interface as well as service. Two types of NetDefendOS IP rules, NAT rules and SAT rules are used to configure address translation
  • D-Link DFL-260E | User Manual for DFL-260E - Page 364
    of individual clients and hosts can be "hidden" behind the firewall's IP address. • Only the firewall needs a public IPv4 address for public Internet access. Hosts and networks behind the firewall can be allocated private IPv4 addresses but can still have access to the public Internet through
  • D-Link DFL-260E | User Manual for DFL-260E - Page 365
    between the NetDefend Firewall and a particular external host IP, the NetDefendOS NAT pools feature can be used which can automatically make use of additional IP addresses on the firewall. This is useful in situations where a remote server requires that all connections are to a single port number
  • D-Link DFL-260E | User Manual for DFL-260E - Page 366
    will add a NAT rule that will perform address translation for all HTTP traffic originating from the internal network lan as it flows out to the public Internet on the wan interface. The IP address of the wan interface will be used as the NATing address for all connections. Command-Line Interface
  • D-Link DFL-260E | User Manual for DFL-260E - Page 367
    . Web Interface 1. Go to: Rules > IP Rules > Add > IPRule 2. Specify a suitable name for the rule, for example NAT_HTTP 3. Now enter: • Action: NAT • Service: http • Source Interface: lan • Source Network: lannet • Destination Interface: wan • Destination Network: all-nets 4. Under the NAT tab
  • D-Link DFL-260E | User Manual for DFL-260E - Page 368
    is for anonymizing service providers to anonymize traffic between clients and servers across the public Internet so that the client's public IP address is not present in any server access requests or peer to peer traffic. We shall examine the typical case where the NetDefend Firewall acts as a PPTP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 369
    proxy-server. The port number limitation is overcome by allocating extra external IP addresses links while ensuring that an external host will always communicate back to the same IP the connections for a single host behind the NetDefend Firewall no matter which external host the connection concerns.
  • D-Link DFL-260E | User Manual for DFL-260E - Page 370
    ARP queries to the NetDefend Firewall to resolve external IP addresses included in a NAT default, the administrator must specify in NAT Pool setup which interfaces will be used by NAT pools. The option exists however to enable Proxy ARP for a NAT Pool on all interfaces but this can cause problems
  • D-Link DFL-260E | User Manual for DFL-260E - Page 371
    to: Rules > IP Rules > Add > IP Rule 2. Under General enter: • Name: Enter a suitable name such as nat_pool_rule • Action: NAT 3. Under Address filter enter: • Source Interface: int • Source Network: int-net • Destination Interface: wan • Destination Network: all-nets • Service: HTTP 4. Select the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 372
    external users to access a protected server in a DMZ that has a private address. This is also sometimes referred to as implementing a Virtual IP or as a Virtual Server and is often used in conjunction with a DMZ. The Role of a DMZ At this point, it is relevant to discuss the role of the network
  • D-Link DFL-260E | User Manual for DFL-260E - Page 373
    arrangement with a NetDefend Firewall mediating communications between the public Internet and servers in the DMZ and between the DMZ and local clients on a network called LAN. Figure 7.4. The Role of the DMZ Note: The DMZ port could be any port On all models of D-Link NetDefend hardware, there is
  • D-Link DFL-260E | User Manual for DFL-260E - Page 374
    two rules in the IP rule set:
      Rule 1: Action SAT, Src Iface any, Src Net all-nets, Dest Iface core, Dest Net wan_ip, Parameters http SETDEST 10.10.10.5 80
      Rule 2: Action Allow, Src Iface any, Src Net all-nets, Dest Iface core, Dest Net wan_ip, Parameters http
    These two rules allow web server access via the NetDefend Firewall's external IP address. Rule 1 states that
  • D-Link DFL-260E | User Manual for DFL-260E - Page 375
    is inadvisable from a security standpoint as web servers are best located in a DMZ. In order for external users to access the web server, they must be able to contact it using a public address. In this example, we have chosen to translate port 80 on the firewall's external address to port 80 on the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 376
    traffic from the internal network. In order to illustrate exactly what happens, we use the following IP addresses: • wan_ip (195.55.66.77): a public IPv4 address • lan_ip (10.0.0.1): the NetDefend Firewall's internal, private IPv4 address • wwwsrv (10.0.0.2): the web server's private IPv4 address
  • D-Link DFL-260E | User Manual for DFL-260E - Page 377
    using a unique public IPv4 address. Example 7.5. Translating Traffic to Multiple Protected Web Servers In this example, a SAT IP rule will translate from five public IPv4 addresses to five web servers located in a DMZ. The firewall is connected to the Internet via the wan interface and the public
  • D-Link DFL-260E | User Manual for DFL-260E - Page 378
    .77-195.55.66.81 Now, create another object for the base of the web server IP addresses: gw-world:/> add Address IP4Address wwwsrv_priv_base Address=10.10.10.5 Publish the public gw-world:/main> add IPRule Action=Allow Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=wan
  • D-Link DFL-260E | User Manual for DFL-260E - Page 379
    OK Finally, create a corresponding Allow rule: 1. Go to: Rules > IP Rules > Add > IPRule 2. Specify a suitable name for the rule, for example Allow_HTTP_To_DMZ 3. Now enter: • Action: Allow • Service: http • Source Interface:any • Source Network: all-nets • Destination Interface: wan • Destination
  • D-Link DFL-260E | User Manual for DFL-260E - Page 380
    communicate with 194.1.2.16 - port 80, will result in a connection to 192.168.0.50. • Attempts to communicate with 194.1.2.30 - port 80, will result in this time a SAT IP will translate from five public IPv4 addresses to a single web server located in a DMZ. The NetDefend Firewall is connected to the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 381
    cases, this can be resolved by modifying the application or the firewall configuration. There is no definitive list of which protocols can or cannot be address translated. A general rule is that VPN protocols cannot usually be translated. In addition, protocols that open secondary connections
  • D-Link DFL-260E | User Manual for DFL-260E - Page 382
    explicitly granted and translated. The following rules make up a working example of static address translation using FwdFast rules to a web server located on an internal network: # Action Src Iface 1 SAT any 2 SAT lan 3 FwdFast any 4 FwdFast lan Src Net all-nets wwwsrv all-nets wwwsrv
  • D-Link DFL-260E | User Manual for DFL-260E - Page 383
    translated. This changes the source port to a completely different port, which will not work. The problem can be solved using the following address will be the NetDefend Firewall's internal IP address, guaranteeing that return traffic passes through the NetDefend Firewall. • Return traffic will
  • D-Link DFL-260E | User Manual for DFL-260E - Page 384
    7.4.7. SAT and FwdFast Rules Chapter 7. Address Translation 384
  • D-Link DFL-260E | User Manual for DFL-260E - Page 385
    the user knows such as a password. Method A may require a special piece of equipment such as a biometric reader. Another problem with A is that the special attribute often cannot be replaced if it is lost. Methods B and C are therefore the most common means of identification in network security
  • D-Link DFL-260E | User Manual for DFL-260E - Page 386
    8.1. Overview To remain secure, passwords should also: • Not be recorded anywhere in written form. • Never be revealed to anyone else. • Be changed on a regular basis, such as every three months. Chapter 8. User Authentication 386
  • D-Link DFL-260E | User Manual for DFL-260E - Page 387
    following can be an authentication source: i. The local user database internal to NetDefendOS. ii. A RADIUS server which is external to the NetDefend Firewall. iii. An LDAP Server which is also external to the NetDefend Firewall. • Define an Authentication Rule which describes which traffic passing
  • D-Link DFL-260E | User Manual for DFL-260E - Page 388
    and cannot change it. PPTP/L2TP Configuration If a client is connecting to the NetDefend Firewall using PPTP/L2TP then the following three options can also be specified for the local NetDefendOS user database: • Static Client IP Address This is the IP address which the client must have if
  • D-Link DFL-260E | User Manual for DFL-260E - Page 389
    workload, it is often preferable to have a central authentication database on a dedicated server. When there is more than one NetDefend Firewall in the network and thousands of users, maintaining separate authentication databases on each device becomes problematic. Instead, an external
  • D-Link DFL-260E | User Manual for DFL-260E - Page 390
    problems: • LDAP servers differ in their implementation. NetDefendOS provides a flexible way of configuring an LDAP server and some configuration options may have to be changed depending on the LDAP server consisting of an attribute name (in this manual we will call this the attribute ID to avoid confusion)
  • D-Link DFL-260E | User Manual for DFL-260E - Page 391
    and not the LDAP server. • IP Address The IP address of the LDAP server. • Port The port number on the LDAP server which will receive the client request which is sent using TCP/IP. This port is by default 389. • Timeout This is the timeout length for LDAP server user authentication attempts in
  • D-Link DFL-260E | User Manual for DFL-260E - Page 392
    's IP address into a route. The default is the main routing table. Database Settings The Database Settings are as follows: • Base Object Defines where in the LDAP server tree search for user accounts shall begin. The users defined on an LDAP server database are organized into a tree structure. The
  • D-Link DFL-260E | User Manual for DFL-260E - Page 393
    The password attribute specifies the ID of the tuple on the LDAP server that contains the user's password. The default ID is userPassword. This option should be left empty unless the LDAP server is being used to authenticate users connecting via PPP with CHAP, MS-CHAPv1 or MS-CHAPv2. When it
  • D-Link DFL-260E | User Manual for DFL-260E - Page 394
    statistics are available for real-time monitoring of LDAP server access for user authentication: • Number of authentications per second. Authentication Normal LDAP authentication for Webauth, XAuth, or PPP with PAP security is illustrated in the diagram below. An authentication bind request with the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 395
    the user's password will be sent to NetDefendOS by the client. NetDefendOS cannot just forward this digest to the LDAP server default password attribute (which is usually userPassword for most LDAP servers). A suggestion is to use the description field in the LDAP database. • In order for the server
  • D-Link DFL-260E | User Manual for DFL-260E - Page 396
    User Authentication Figure 8.2. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 Important: The link to the LDAP server must be protected Since the LDAP server is sending back passwords in plain text to NetDefendOS, the link between the NetDefend Firewall and the server must be protected. A VPN link
  • D-Link DFL-260E | User Manual for DFL-260E - Page 397
    ). An IP rule allowing client access to core is also required with this agent type. iii. XAUTH This is the IKE authentication method which is used as part of VPN tunnel establishment with IPsec. XAuth is an extension to the normal IKE exchange and provides an addition to normal IPsec security which
  • D-Link DFL-260E | User Manual for DFL-260E - Page 398
    the NetDefend Firewall. 2. NetDefendOS sees the new user connection on an interface and checks the Authentication rule set to see if there is a matching rule for traffic on this interface, coming from this network and data which is one of the following types: • HTTP traffic • HTTPS traffic • IPsec
  • D-Link DFL-260E | User Manual for DFL-260E - Page 399
    Must Be Changed HTTP authentication will collide with the WebUI's remote management service which also uses TCP port 80 by default. To avoid this problem, the WebUI port number must be changed before configuring authentication. Do this by going to Remote Management > advanced settings in the WebUI
  • D-Link DFL-260E | User Manual for DFL-260E - Page 400
    to determine that the client is behind a router by detecting the mismatch between the source IP address and the router MAC address. • By default, the password sent to the authentication source (for example, a RADIUS server) is also the MAC address of the client (or the MAC address of an intervening
  • D-Link DFL-260E | User Manual for DFL-260E - Page 401
    allows the authentication process to take place and assumes the client is trying to access the lan_ip IP address, which is the IP address of the interface on the NetDefend Firewall where the local network connects. The second rule allows normal surfing activity but we cannot just use lannet as the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 402
    The configurations below show how to enable HTTP user authentication for the user group users on lannet. Only users that belong to the group users can get Web browsing service after authentication, as it is defined in the IP rule. We assume that lannet, users, lan_ip, local user database folder
  • D-Link DFL-260E | User Manual for DFL-260E - Page 403
    User Database 2. Now enter: a. Name: Enter a name for the server, for example ex-users b. Type: Select RADIUS c. IP Address: Enter the IP address of the server, or enter the symbolic name if the server has been defined in the Address Book d. Port: 1812 (RADIUS service uses UDP port 1812 by default
  • D-Link DFL-260E | User Manual for DFL-260E - Page 404
    HTML Pages User Authentication makes use of a set of HTML files to present information to the user during the authentication default at initial NetDefendOS startup. These files can be customized to suit a particular installation's needs either by direct editing in Web Interface or by downloading
  • D-Link DFL-260E | User Manual for DFL-260E - Page 405
    be edited and uploaded back to NetDefendOS. The original Default object cannot be edited. The example given below goes IP of the client. • %DEVICENAME% - The name of the authenticating firewall. The LoginFailure Page with MAC Authentication If authentication fails with MAC authentication, the %USER
  • D-Link DFL-260E | User Manual for DFL-260E - Page 406
    . Select new_forbidden as the HTML Banner 12. Click OK 13. Go to: Configuration > Save & Activate to activate the 1. Since SCP cannot be used to download the original default HTML, the source code must be in Section 2.1.6, "Secure Copy". 4. Using the CLI, the relevant user authentication rule should
  • D-Link DFL-260E | User Manual for DFL-260E - Page 407
    8.3. Customizing Authentication HTML Pages Chapter 8. User Authentication set UserAuthRule my_auth_rule HTTPBanners=ua_html 5. As usual, use the activate followed by the commit CLI commands to activate the changes on the NetDefend Firewall. 407
  • D-Link DFL-260E | User Manual for DFL-260E - Page 408
    8.3. Customizing Authentication HTML Pages Chapter 8. User Authentication 408
  • D-Link DFL-260E | User Manual for DFL-260E - Page 409
    , in other words, pretending to be someone else. Virtual Private Networks (VPNs) meet this need, providing a highly cost effective means of establishing secure links between two co-operating computers so that data can be exchanged in a secure manner. VPN allows the setting up of a tunnel between two
  • D-Link DFL-260E | User Manual for DFL-260E - Page 410
    remote clients need to connect to an internal network over the Internet. In this case, the internal network is protected by the NetDefend Firewall to which the client connects and the VPN tunnel is set up between them. 9.1.2. VPN Encryption Encryption of VPN traffic is done using the science of
  • D-Link DFL-260E | User Manual for DFL-260E - Page 411
    services that need to be shared with other companies through VPNs. • Adapting VPN access policies for different groups of users. • Creating key distribution policies. Endpoint Security A common misconception is that VPN-connections are equivalents to the internal network from a security standpoint
  • D-Link DFL-260E | User Manual for DFL-260E - Page 412
    how should it be handled? 9.1.5. The TLS Alternative for VPN If secure access by clients to web servers using HTTP is the scenario under consideration, then using a NetDefend Firewall for TLS termination can offer an alternative "lightweight" VPN approach that is quickly and easily implemented. This
  • D-Link DFL-260E | User Manual for DFL-260E - Page 413
    IPsec manually, the tunnel is treated exactly like a physical interface in the route properties, as it is in other aspects of NetDefendOS. In other words, the route is saying to NetDefendOS that a certain network is found at the other end of the tunnel. • Define an IP Rule to Allow VPN Traffic An IP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 414
    LAN to LAN with Pre-shared Keys Chapter 9. VPN 9.2.1. IPsec LAN to LAN with Pre-shared Keys The objective is to create a secure means of joining two networks: a Local Network which is on the protected side of a local firewall; and a Remote Network which is on the other side of some remote device
  • D-Link DFL-260E | User Manual for DFL-260E - Page 415
    VPN Tunnel ipsec_tunnel is the Interface to use for routing packets bound for the remote network at the other end of the tunnel. Interface ipsec_tunnel Network remote_net Gateway 9.2.2. IPsec LAN to LAN with Certificates LAN to LAN security interface for the NetDefend Firewall at the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 416
    connecting through an IPsec tunnel using pre-shared keys to a protected Local Network which is located behind a NetDefend Firewall. There are two IP address will be manually input into the VPN client software. 1. Set up user authentication. XAuth user authentication is not required with IPsec
  • D-Link DFL-260E | User Manual for DFL-260E - Page 417
    user authentication for inbound IPsec tunnels. This will enable a search for the first matching XAUTH rule in the authentication rules. 3. The IP rule set should contain the single rule: Action Allow Src Interface ipsec_tunnel Src Network all-nets Dest Interface lan Dest Network lannet Service
  • D-Link DFL-260E | User Manual for DFL-260E - Page 418
    . The client configuration will require the following: • Define the URL or IP address of the NetDefend Firewall. The client needs to locate the tunnel endpoint. • Define the pre-shared key that is used for IPsec security. • Define the IPsec algorithms that will be used and which are supported by
  • D-Link DFL-260E | User Manual for DFL-260E - Page 419
    be appropriately configured with the certificates and remote IP addresses. As already mentioned above, many third party IPsec client products are available and this manual will not discuss any particular client. The step to set up user authentication is optional since this is additional security to
  • D-Link DFL-260E | User Manual for DFL-260E - Page 420
    l2tp_pool Dest Interface any ext Dest Network int_net all-nets Service all_services all_services The second rule would be included to allow clients to surf the Internet via the ext interface on the NetDefend Firewall. The client will be allocated a private internal IP address which must be NATed
  • D-Link DFL-260E | User Manual for DFL-260E - Page 421
    Roaming Clients with Certificates Chapter 9. VPN Connections should be selected to start the New Connection Wizard. The key information to enter in this wizard is: the resolvable URL of the NetDefend Firewall or alternatively its ip_ext IP address. Then choose Network > Properties. In the dialog
  • D-Link DFL-260E | User Manual for DFL-260E - Page 422
    IP rule set:
      Rule 1: Action Allow, Src Interface pptp_tunnel, Src Network pptp_pool, Dest Interface any, Dest Network int_net, Service all_services
      Rule 2: Action NAT, Src Interface pptp_tunnel, Src Network pptp_pool, Dest Interface ext, Dest Network all-nets, Service all_services
    As described for L2TP, the NAT rule lets the clients access the public Internet via the NetDefend Firewall
  • D-Link DFL-260E | User Manual for DFL-260E - Page 423
    ) is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP security at the network layer. An IPsec based VPN is made up of two parts: • Internet Key Exchange protocol (IKE) • IPsec protocols (AH/ESP/both) The first part, IKE, is the initial negotiation phase, where
  • D-Link DFL-260E | User Manual for DFL-260E - Page 424
    one describing the incoming traffic, and the IPsec data flows. The VPN device initiating an IPsec connection will send a list of the algorithms combinations it supports VPN device, upon receiving the list of supported algorithms, will choose the algorithm combination that best matches its own security
  • D-Link DFL-260E | User Manual for DFL-260E - Page 425
    today. PSK and certificates are supported by the NetDefendOS VPN module. IKE Phase-2 - IPsec Security Negotiation In phase 2, another parameters. With two NetDefend Firewalls as VPN endpoints, the matching process is greatly simplified since the default NetDefendOS configuration parameters will be
  • D-Link DFL-260E | User Manual for DFL-260E - Page 426
    . In transport mode, the traffic will not be tunneled, and is hence not applicable to VPN tunnels. It can be used to secure a connection from a VPN client directly to the NetDefend Firewall, for example for IPsec protected remote configuration. This setting will typically be set to "tunnel" in most
  • D-Link DFL-260E | User Manual for DFL-260E - Page 427
    be sufficiently secure. This specifies the authentication algorithms used in the IKE negotiation phase. The algorithms supported by NetDefendOS IPsec are: wants to use the VPN connection again. This value must be set greater than the IPsec SA lifetime. With Perfect Forward Secrecy (PFS) disabled
  • D-Link DFL-260E | User Manual for DFL-260E - Page 428
    Groups. The encryption algorithm that will be used on the protected IPsec traffic. This is not needed when AH is used, or when ESP is used without encryption. The algorithms supported by NetDefend Firewall VPNs are: • AES • Blowfish • Twofish • Cast128 • 3DES • DES This specifies the authentication
  • D-Link DFL-260E | User Manual for DFL-260E - Page 429
    for use with IKE, IPsec and PFS. 9.3.3. IKE Authentication Manual Keying The "simplest" way of configuring a VPN is by using a method called manual keying. This is no anti-replay services, and it is not very flexible. There is also no way of assuring that the remote host/firewall really is the one
  • D-Link DFL-260E | User Manual for DFL-260E - Page 430
    9.3.4. IPsec Protocols (ESP/AH) Chapter 9. VPN PSK Advantages Pre-Shared Keying has a lot of advantages over manual keying. These VPN clients and firewalls? This is a major issue, since the security of a PSK system is based on the PSKs being secret. Should one PSK be compromised, the configuration
  • D-Link DFL-260E | User Manual for DFL-260E - Page 431
    IP header. ESP (Encapsulating Security Payload) The ESP protocol inserts an ESP header after the original IP header IP packet. It can also be used to do either encryption only, or authentication only. Figure 9.2. The ESP protocol 9.3.5. NAT Traversal Both IKE and IPsec protocols present a problem
  • D-Link DFL-260E | User Manual for DFL-260E - Page 432
    that it understands NAT traversal, and which specific versions of the draft it supports. Achieving NAT Detection To achieve NAT detection both IPsec peers send hashes of their own IP addresses along with the source UDP port used in the IKE negotiations. This information is used to see whether the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 433
    lists are used during IKE Phase-1 (IKE Security Negotiation), while IPsec lists are used during IKE Phase-2 (IPsec Security Negotiation). Several algorithm proposal lists are already defined by default in NetDefendOS for different VPN scenarios and user defined lists can be added. Two IKE algorithm
  • D-Link DFL-260E | User Manual for DFL-260E - Page 434
    CLI Reference Guide). Beware sometimes cause problems when setting it to a VPN tunnel. Since regular IPsec tunnel object. Command-Line Interface First create a Pre-shared Key. To generate the key automatically with a 64 bit (the default) key, use: gw-world:/> pskgen MyPSK To have a longer, more secure
  • D-Link DFL-260E | User Manual for DFL-260E - Page 435
    databases. The Problem Since the IP addresses of the travelling employees' VPN clients cannot be known beforehand, the incoming VPN connections from the clients cannot be differentiated. This means that the firewall is unable to control the access to various parts of the internal networks. The ID
  • D-Link DFL-260E | User Manual for DFL-260E - Page 436
    ID JohnDoe Type=DistinguishedName CommonName="John Doe" OrganizationName=D-Link OrganizationalUnit=Support Country=Sweden [email protected] gw-world:/MyIDList> cc Finally, apply the Identification List to the IPsec tunnel: gw-world:/> set Interface IPsecTunnel MyIPsecTunnel AuthMethod
  • D-Link DFL-260E | User Manual for DFL-260E - Page 437
    9.3.8. Identification Lists Chapter 9. VPN Finally, apply the Identification List to the IPsec tunnel: 1. Go to: Interfaces > IPsec 2. Select the IPsec tunnel object of interest 3. Under the Authentication tab, choose X.509 Certificate 4. Select the appropriate certificate in the Root Certificate
  • D-Link DFL-260E | User Manual for DFL-260E - Page 438
    of Tunnel Establishment When another NetDefend Firewall or another IPsec compliant networking product (also known as the remote endpoint) tries to establish an IPsec VPN tunnel to a local NetDefend Firewall, the list of currently defined IPsec tunnels in the NetDefendOS configuration is examined. If
  • D-Link DFL-260E | User Manual for DFL-260E - Page 439
    Chapter 9. VPN connection attempts coming from a particular IP address or group of addresses. This can degrade the performance of the NetDefendOS IPsec engine and explicitly dropping such traffic with an IP rule is an efficient way of preventing it reaching the engine. In other words, IP rules can
  • D-Link DFL-260E | User Manual for DFL-260E - Page 440
    that existing if they communicated through a dedicated, private link. Secure communication is achieved through the use of IPsec tunneling, with the tunnel extending from the VPN gateway at one location to the VPN gateway at another location. The NetDefend Firewall is therefore the implementer of the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 441
    PSK based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip. Web
  • D-Link DFL-260E | User Manual for DFL-260E - Page 442
    rights, according to the instructions above D. Configure the IPsec tunnel: 1. Go to: Interfaces > IPsec > Add > IPsec Tunnel 2. Now enter: • Name: RoamingIPsecTunnel • Local Network: 10.0.1.0/24 (This is the local network that the roaming users will connect to) • Remote Network: all-nets • Remote
  • D-Link DFL-260E | User Manual for DFL-260E - Page 443
    ". Example 9.6. Setting up CA Server Certificate based VPN tunnels for roaming clients This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24
  • D-Link DFL-260E | User Manual for DFL-260E - Page 444
    firewall certificate • Identification List: Select the ID List that is to be associated with the VPN Tunnel. In this case, it will be sales 5. Under the Routing tab: • Enable the option: Dynamically add route to the remote network when a tunnel is established 6. Click OK D. Finally configure the IP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 445
    to be downloaded to the NetDefend Firewall. Lightweight Directory Access Protocol (LDAP) is used for these downloads. However, in some scenarios, this information is missing, or the administrator wishes to use another LDAP server. The LDAP configuration section can then be used to manually specify
  • D-Link DFL-260E | User Manual for DFL-260E - Page 446
    LDAP > Add > LDAP Server 2. Now enter: • IP Address: 192.168.101.146 • Username: myusername • Password: mypassword • Confirm Password: mypassword • Port: 389 3. Click OK 9.4.5. Troubleshooting with ikesnoop VPN Tunnel Negotiation When setting up IPsec tunnels, problems can arise because the initial
  • D-Link DFL-260E | User Manual for DFL-260E - Page 447
    Troubleshooting with ikesnoop Chapter 9. VPN found in the CLI Reference Guide. The Client and the Server The two parties involved to the server. This list details the protocols and encryption methods it can support. The (Security Association) Payload data length : 152 bytes DOI : 1 (IPsec DOI
  • D-Link DFL-260E | User Manual for DFL-260E - Page 448
    Troubleshooting with ikesnoop Chapter 9. VPN 21 3b Description : SSH Communications Security QuickSec 2.1.0 VID (Vendor ID) 84 80 12 92 ae cd Description : draft-stenberg-ipsec-nat-traversal- IPsec software vendor plus what standards are supported. For example, NAT-T Step 2. Server Responds to
  • D-Link DFL-260E | User Manual for DFL-260E - Page 449
    Troubleshooting with ikesnoop Chapter 9. VPN A typical response from the server is shown below. This must contain a proposal that is identical to one of the choices from the client list above. If no match was found by the server Security 12 92 ae cd Description : draft-stenberg-ipsec
  • D-Link DFL-260E | User Manual for DFL-260E - Page 450
    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN IkeSnoop: Payload data length : 16 bytes Step 4. Server Sends Key Exchange Data The Server now sends key exchange data back to the initiator sends the identification which is normally an IP address or the Subject Alternative Name if certificates
  • D-Link DFL-260E | User Manual for DFL-260E - Page 451
    Troubleshooting with ikesnoop Chapter 9. VPN Supported IPsec Algorithms Now the client sends the list of supported IPsec algorithms to the server. It will also contain the proposed host/networks 16 bytes SA (Security Association) Payload data length : 164 bytes DOI : 1 (IPsec DOI) Proposal 1/1
  • D-Link DFL-260E | User Manual for DFL-260E - Page 452
    Troubleshooting with ikesnoop Chapter 9. VPN ) Payload data length : 12 bytes ID : ipv4_subnet(any network. If it contains any netmask it is usually SA per net and otherwise it is SA per host. Step 8. Client Sends a List of Supported Algorithms The server now responds with a matching IPsec
  • D-Link DFL-260E | User Manual for DFL-260E - Page 453
    IPsec Advanced Settings Chapter 9. VPN Security Association) Payload data length : 56 bytes DOI : 1 (IPsec length : 12 bytes ID running. All client/server exchanges have been IPsec Advanced Settings The following NetDefendOS advanced settings are available for configuring IPsec tunnels. IPsec
  • D-Link DFL-260E | User Manual for DFL-260E - Page 454
    rule set. Default: Enabled IKE CRL Validity Time A CRL contains a "next update" field that dictates the time and date when a new CRL will be available for download from the CA. The time between CRL updates can be anything from a few hours and upwards, depending on how the CA is configured. Most CA
  • D-Link DFL-260E | User Manual for DFL-260E - Page 455
    IPsec Advanced Settings Chapter 9. VPN Default: 86400 seconds IKE Max CA Path When the signature of a user certificate is verified, NetDefendOS looks at the issuer name field in the user configured value) seconds, then NetDefendOS will not send more DPD-R-U-THERE messages to the other side. Default
  • D-Link DFL-260E | User Manual for DFL-260E - Page 456
    9.4.6. IPsec Advanced Settings Chapter 9. VPN of the tunnel has not responded to DPD-R-U-THERE messages for DPD will not trigger if the SA is already cached as dead. This setting is used with IKEv1 only. Default: 2 (in other words, 2 x 10 = 20 seconds) DPD Expire Time The length of time in seconds
  • D-Link DFL-260E | User Manual for DFL-260E - Page 457
    way using the PPP protocol and then establishes a TCP/IP connection across the Internet to the NetDefend Firewall, which acts as the PPTP server (TCP port 1723 is used). The ISP is not aware of the VPN since the tunnel extends from the PPTP server to the client. The PPTP standard does not define
  • D-Link DFL-260E | User Manual for DFL-260E - Page 458
    9.5.2. L2TP Servers Chapter 9. VPN A common problem with setting up PPTP is that a router and/or switch in a network is blocking TCP port 1723 and/or IP protocol 47 before the PPTP connection can be made to the NetDefend Firewall. Examining the log can indicate if this problem occurred, with a log
  • D-Link DFL-260E | User Manual for DFL-260E - Page 459
    9.5.2. L2TP Servers Chapter 9. VPN arguably offers better security than PPTP. Unlike PPTP, it is possible to set up multiple virtual networks across a single tunnel. Because it is IPsec based, L2TP requires NAT traversal (NAT-T) to be implemented on the LNS side of the tunnel. Example 9.11.
  • D-Link DFL-260E | User Manual for DFL-260E - Page 460
    in the L2TP section. As we are going to use L2TP, the Local Network is the same IP as the IP that the L2TP tunnel will connect to, wan_ip. Furthermore, the IPsec tunnel needs to be configured to dynamically add routes to the remote network when the tunnel is established. B. Continue setting up the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 461
    be a part of the network which the clients are assigned IP addresses from, in this lan_ip. The outer interface filter is the interface that the L2TP server will accept connections on, this will be the earlier created l2tp_ipsec. ProxyARP also needs to be configured for the IPs used by the L2TP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 462
    9.5.2. L2TP Servers Chapter 9. VPN • Authentication Source: Local • Interface: l2tp_tunnel • Originator IP: all-nets • Terminator IP: wan_ip 4. Under the Authentication Options tab enter UserDB as the Local User DB 5. Click OK When the other parts are done, all that is left is the rules. To let
  • D-Link DFL-260E | User Manual for DFL-260E - Page 463
    or L2TP clients. This can be useful if PPTP or L2TP is preferred as the VPN protocol instead of IPsec. One NetDefend Firewall can act as a client and connect to another unit which acts as the server. Client Setup PPTP and L2TP share a common approach to client setup which involves the following
  • D-Link DFL-260E | User Manual for DFL-260E - Page 464
    VPN Names of Assigned Addresses Both PPTP and L2TP utilize dynamic IP configuration using the PPP LCP protocol. When NetDefendOS receives this information, it is stored in symbolic host/network names. The settings for this are: • Inner IP PPTP server on the other side of the NetDefend Firewall. If
  • D-Link DFL-260E | User Manual for DFL-260E - Page 465
    9.5.4. PPTP/L2TP Clients Chapter 9. VPN Figure 9.3. PPTP Client Usage
  • D-Link DFL-260E | User Manual for DFL-260E - Page 466
    requires the following steps: • On the NetDefend Firewall side: i. An SSL VPN Interface object needs to be created which configures a particular Ethernet interface to accept SSL VPN connections. ii. An Authentication Rule needs to be defined for incoming SSL VPN clients and the rule must have the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 467
    relationship between the firewall and the connecting clients. A private IP network should be used for this purpose. The Inner IP itself must not be one of the IP Pool addresses that can be handed out to connecting SSL VPN clients. Tip: The Inner IP can be pinged For troubleshooting purposes, an ICMP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 468
    Interface. • Server Port The TCP/IP port number at the Server IP used in listening for SSL VPN connection attempts by clients. The default value is 443 which is the standard port number for SSL. Client IP Options • Dynamic Server Address Instead of a fixed IP address for the SSL VPN Server IP being
  • D-Link DFL-260E | User Manual for DFL-260E - Page 469
    Server IP configured in the interface's SSL VPN object. The port can also be specified after the IP address if it is different from the default value of 443. With https, the firewall will send a certificate to the browser that is not CA signed and this must be accepted as an exception by the user
  • D-Link DFL-260E | User Manual for DFL-260E - Page 470
    a NetDefend Firewall that has not been connected to before. This is done by enabling the option Specify Custom Server and explicitly specifying the IP address, port and login credentials for the server. With the Specify Custom Server option enabled, the SSL VPN client ignores any configuration file
  • D-Link DFL-260E | User Manual for DFL-260E - Page 471
    the default route in the Windows routing table is removed, returning the routing table to its original state. • An SSL connection is made to the configured Ethernet interface on a NetDefend Firewall and the next available IP address is handed out to the client from the associated SSL VPN object's IP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 472
    listen to client connections and this will have an external IP address already defined in the address book called sslvpn_server_ip. Connections will be made using SSL VPN to a server located on the network connected to the firewall's If3 Ethernet interface. Assume also that the IPv4 addresses that
  • D-Link DFL-260E | User Manual for DFL-260E - Page 473
    /SSL VPN • Authentication Source: Local • Interface: my_sslvpn_if • Originator IP: all-nets (a more specific range is more secure) • Terminator IP: sslvpn_server_ip 3. For Local User DB choose lannet_auth_users. 4. For Login Type choose HTMLForm 5. Click OK The new NetDefendOS configuration should
  • D-Link DFL-260E | User Manual for DFL-260E - Page 474
    In this case the following must be done: a. A private DNS server must be configured so that NetDefendOS can locate the private CA server to validate the certificates coming from clients. b. The external IP address of the NetDefend Firewall needs to be registered in the public DNS system so that the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 475
    connecting to the NetDefend Firewall, the VPN client software may need to access the CA server. Not all VPN client software will need this access. In the Microsoft clients prior to Vista, CA server requests are not sent at all. With Microsoft Vista validation became the default with the option
  • D-Link DFL-260E | User Manual for DFL-260E - Page 476
    only from the NetDefend Firewall and the CA server is on the internal side of the firewall then the IP address of the internal DNS server must be configured in NetDefendOS so that these requests can be resolved. Turning Off validation As explained in the troubleshooting section below, identifying
  • D-Link DFL-260E | User Manual for DFL-260E - Page 477
    If a roaming client becomes temporarily part of a network such as a Wi-Fi network at an airport, the client will get an IP address from the Wi-Fi network's DHCP server. If that IP also belongs to the network behind the NetDefend Firewall accessible through a tunnel, then Windows will still continue
  • D-Link DFL-260E | User Manual for DFL-260E - Page 478
    IPsec Troubleshooting Commands Chapter 9. VPN 9.8.2. Troubleshooting Certificates If certificates have been used in a VPN solution then the following should be looked at as a source of potential problems . The NetDefend Firewall's time zone may not be the same as the CA server's time zone
  • D-Link DFL-260E | User Manual for DFL-260E - Page 479
    Troubleshooting with ikesnoop". 9.8.4. Management Interface Failure with VPN If any VPN tunnel is set up and then the management interface no longer operates then it is likely to be a problem traffic leaving the NetDefend Firewall back to the management sub-network. When any VPN tunnel is defined,
  • D-Link DFL-260E | User Manual for DFL-260E - Page 480
    placed above it in the NetDefendOS tunnel list. For example, consider the following IPsec tunnel definitions (Name / Local Network / Remote Network / Remote Gateway): VPN-1 / lannet / office1net / office1gw; VPN-2 / lannet / office2net / office2gw; L2TP / ip_wan / all-nets / all-nets; VPN-3 / lannet / office3net / office3gw
  • D-Link DFL-260E | User Manual for DFL-260E - Page 481
    what the problem could be. A good suggestion before starting to troubleshoot certificate based tunnels is to first configure it as server or the NetDefend Firewall or they are in different time zones. • The NetDefend Firewall is unable to reach the Certificate Revocation List (CRL) on the CA server
  • D-Link DFL-260E | User Manual for DFL-260E - Page 482
    Specific Symptoms Chapter 9. VPN Also make sure that there is a DNS client configured for NetDefendOS in order to be able to correctly resolve the path to the CRL on the CA server. Note: L2TP with Microsoft Vista With L2TP, Microsoft Vista tries by default to contact and download the CRL list
  • D-Link DFL-260E | User Manual for DFL-260E - Page 483
    9.8.6. Specific Symptoms Chapter 9. VPN when there is something that fails in terms of network size on either local network or remote network. Since NetDefendOS has determined that it is a type of network size problem, it will try one last attempt to get the correct network by sending a config
  • D-Link DFL-260E | User Manual for DFL-260E - Page 484
    9.8.6. Specific Symptoms Chapter 9. VPN
  • D-Link DFL-260E | User Manual for DFL-260E - Page 485
    Rules, page 511 • Server Load Balancing, page 514 10.1. Traffic Shaping 10.1.1. Overview QoS with TCP/IP A weakness of TCP/IP is the lack of true Quality of Service (QoS) functionality. QoS is the ability to guarantee and limit network bandwidth for certain services and users. Solutions such as the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 486
    NetDefend Firewall. Different rate limits and traffic guarantees can be created as policies based on the traffic's source, destination and protocol, similar to the way in which security policies are created based on IP None are defined by default. Pipes are simplistic administrator configured limits
  • D-Link DFL-260E | User Manual for DFL-260E - Page 487
    /destination interface/network as well as the service to which the rule is to apply. Once a new connection is permitted by the IP rule set These lists are: • The Forward Chain These are the pipe or pipes that will be used for outgoing (leaving) traffic from the NetDefend Firewall. One, none or a
  • D-Link DFL-260E | User Manual for DFL-260E - Page 488
    as a result of triggering a FwdFast IP rule in the NetDefendOS IP rule sets. The reason for this is to be part of a connection and are forwarded individually to their destination, bypassing the state This is the direction most likely to cause problems for Internet connections. Example 10.1. Applying
  • D-Link DFL-260E | User Manual for DFL-260E - Page 489
    > Add > Pipe Rule 2. Specify a suitable name for the pipe, for instance outbound 3. Now enter: • Service: all_services • Source Interface: lan • Source Network: lannet • Destination Interface: wan • Destination Network: all-nets 4. Under the Traffic Shaping tab, make std-in selected in the Return
  • D-Link DFL-260E | User Manual for DFL-260E - Page 490
    in each direction. Raising the total pipe limit to 4 Mbps will not solve the problem since the single pipe will not know that 2 Mbps of inbound and 2 Mbps Edit 3. Under the Traffic Shaping tab, select std-out in the Forward Chain list 4. Click OK This results in all outbound connections being
  • D-Link DFL-260E | User Manual for DFL-260E - Page 491
    limit outbound traffic since most web surfing usually consists of short outbound server requests followed by long inbound responses. A surf-in pipe is therefore else. For web browsing the normal rules of first-come, first-forwarded will apply when competing for the 125 kbps bandwidth. This may mean
  • D-Link DFL-260E | User Manual for DFL-260E - Page 492
    the default precedence of the first pipe they pass through. • Use a fixed precedence The triggering pipe rule explicitly allocates a fixed precedence. • Use the DSCP bits Take the precedence from the DSCP bits in the packet. DSCP is a subset of the Diffserv architecture where the Type of Service
  • D-Link DFL-260E | User Manual for DFL-260E - Page 493
    configured, a Default Precedence, a Minimum Precedence and a Maximum Precedence can be specified. The default precedences are: • Minimum Precedence: 0 • Default bandwidth Remember that when specifying network traffic bandwidths, the prefix Kilo a "first come, first forwarded" basis. Packets with a
  • D-Link DFL-260E | User Manual for DFL-260E - Page 494
    SSH and Telnet rule sets the higher priority on packets related to these services and these packets are sent through the same pipe as other traffic. are sent first when the total bandwidth limit specified in the pipe's configuration is exceeded. Lower priority packets will be buffered and sent when
  • D-Link DFL-260E | User Manual for DFL-260E - Page 495
    2, and the precedence 2 limits to 32 and 64 kbps, respectively. Then, split the previously defined rule covering ports 22 through 23 into two rules, covering 22 and 23, respectively: Keep the forward chain of both rules as std-out only. Again, to simplify this example, we concentrate only on inbound
  • D-Link DFL-260E | User Manual for DFL-260E - Page 496
    SSH and Telnet traffic by changing the default precedence of the ssh-in and telnet- user. Individual users can be distinguished according to one of the following: • Source IP • Destination IP • Source Network • Destination Network • Source Port (includes the IP) • Destination Port (includes the IP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 497
    . Traffic Management other words the netmask for the network must be specified for NetDefendOS. Specifying Group Limits Group Limit Total This value specifies a limit for each user within the grouping. For example, if the grouping is by source IP address and the total specified is 100 Kbps then this
  • D-Link DFL-260E | User Manual for DFL-260E - Page 498
    • Set the total for the pipe's Group Limits to be 100 bps. Bandwidth is now allocated on a "first come, first forwarded" basis but no single destination IP address can ever take more than 100 bps. No matter how many connections are involved the combined total bandwidth can still not exceed the pipe
  • D-Link DFL-260E | User Manual for DFL-260E - Page 499
    pipe so limits will apply to each user on the internal network. Since the packets are inbound, we select the grouping for the ssh-in pipe to be Destination IP. Now specify per-user limits by setting the precedence 2 limit to 16 kbps per user. This means that each user will get no more than a 16
  • D-Link DFL-260E | User Manual for DFL-260E - Page 500
    will prevent these extraneous packets from reaching the hosts behind the NetDefend Firewall, but cannot protect the connection becoming overloaded if an attack floods it. Watching for Leaks When setting out to protect and shape a network bottleneck, make sure that all traffic passing through that
  • D-Link DFL-260E | User Manual for DFL-260E - Page 501
    network forwarded" basis. • Within a pipe, traffic can also be separated on a Group basis. For example, by source IP address. Each user in a group (for example, each source IP problems. A Basic Scenario The first scenario will examine the configuration shown in the image below, in which incoming
  • D-Link DFL-260E | User Manual for DFL-260E - Page 502
    through the pipes. Rule Name: all_1mbps; Forward Pipes: out-pipe; Return Pipes: in-pipe; Source Interface: lan; Source Network: lannet; Destination Interface: wan; Destination Network: all-nets; Selected Service: all. The rule will force all traffic to the default precedence level and the pipes will limit
  • D-Link DFL-260E | User Manual for DFL-260E - Page 503
    Forward Pipes out-other out-pipe Return Pipes in-other in-pipe Source Interface lan Source Network lannet Dest Interface wan Dest Network all-nets Selected Service A VPN Scenario In the cases discussed so far, all traffic shaping is occurring inside a single NetDefend Firewall. VPN is
  • D-Link DFL-260E | User Manual for DFL-260E - Page 504
    . The pipe chaining can be used as a solution to the problem of VPN overhead. A limit which allows for this overhead is placed on the VPN tunnel traffic and non-VPN traffic is inserted into a pipe that matches the speed of the physical link. To do this we first create separate pipes for the outgoing
  • D-Link DFL-260E | User Manual for DFL-260E - Page 505
    from the inside and going to the external IP address. This last rule will therefore be: Rule Name: all-in; Forward Pipes: in-pipe; Return Pipes: out-pipe; Source Interface: wan; Source Network: all-nets; Dest Interface: core; Dest Network: all-nets; Selected Service: All; Precedence: 0. Note: SAT and ARPed
  • D-Link DFL-260E | User Manual for DFL-260E - Page 506
    Intrusion Detection and Prevention"). Application Related Bandwidth Usage A typical problem that can be solved with IDP Traffic Shaping is dealing quality of service for other network users as bandwidth is quickly absorbed by such applications. An ISP or a corporate network administrator may
  • D-Link DFL-260E | User Manual for DFL-260E - Page 507
    through the NetDefend Firewall and traffic begins to flow. The source and destination IP address of it can be better understood why specifying a Network is important. The IDP subsystem cannot know initiating client side and sometimes the responding server. If traffic flow on both sides becomes
  • D-Link DFL-260E | User Manual for DFL-260E - Page 508
    that client B is also included in the Network range but this is done on the assumption that client B is a user whose traffic might also have to be traffic is: • The client with IP address 192.168.1.15 initiates a P2P file transfer through a connection (1) to the tracking server at 81.150.0.10. •
  • D-Link DFL-260E | User Manual for DFL-260E - Page 509
    found in the separate CLI Reference Guide. Viewing Pipes IDP Traffic Shaping configured bandwidth value, one for upstream (forward) traffic and one for downstream (return) traffic. Multiple hosts use the same pipe for each direction with traffic in the upstream pipe grouped using the "Per Source IP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 510
    using the "Per Destination IP" feature. 10.2.7. Guaranteeing automatically created get the highest priority by default and are therefore guaranteed that bandwidth. has triggered and either host or client is present in the Network range. • When the subsystem adds a host that will Guide.
  • D-Link DFL-260E | User Manual for DFL-260E - Page 511
    IP Link NetDefend DFL-860E, 1660, 2560 and 2560G. Threshold Policies A Threshold Rule is like other policy based rules found in NetDefendOS, a combination of source/destination network/interface can be specified for a rule and a type of service or Network based. NetDefend Firewall NetDefend Firewall
  • D-Link DFL-260E | User Manual for DFL-260E - Page 512
    to connections from different IP addresses. • Network Based The threshold is the order they appear in the user interface. If several actions that used in the D-Link ZoneDefense feature to 12, ZoneDefense. Threshold Rule Blacklisting If the Protect option is used, Threshold Rules can be configured
  • D-Link DFL-260E | User Manual for DFL-260E - Page 513
    Traffic Management rule, is added automatically to a Blacklist of IP addresses or networks. If several Protect actions with blacklisting enabled are triggered at source network associated with the rule. If the Threshold Rule is linked to a service then it is possible to block only that service. When
  • D-Link DFL-260E | User Manual for DFL-260E - Page 514
    available on all D-Link NetDefend models The SLB feature is only available on the D-Link NetDefend DFL-860E, 1660, 2560 and 2560G. The illustration below shows a typical SLB scenario, with Internet access to internal server applications by external clients being managed by a NetDefend Firewall.
  • D-Link DFL-260E | User Manual for DFL-260E - Page 515
    to work as a single "virtual server". The servers that are to be treated as a single virtual server by SLB must be specified. 10.4.2. SLB Distribution Algorithms There are several ways to determine how a load is shared across a set of servers. NetDefendOS SLB supports the following two algorithms
  • D-Link DFL-260E | User Manual for DFL-260E - Page 516
    same server. This is particularly important for TLS or SSL based services such as HTTPS, which require a repeated connection to the same host. This mode is similar to IP stickiness except that the stickiness can be associated with a network instead of a single IP address. The network is specified
  • D-Link DFL-260E | User Manual for DFL-260E - Page 517
    addresses but instead compares if the source IP address belongs to the same network as a previous connection already in the table. If they belong to the same network then stickiness to the same server will result. The default value for this setting is a network size of 24. 10.4.4. SLB Algorithms and
  • D-Link DFL-260E | User Manual for DFL-260E - Page 518
    layer 3. SLB will ping the IP address of each individual server in the server farm. This will detect any failed servers. This works at OSI layer 4. SLB attempts to connect to a specified port on each server. For example, if a server is specified as running web services on port 80, the SLB will send
  • D-Link DFL-260E | User Manual for DFL-260E - Page 519
    any any Src Network all-nets all-nets Dest Interface core core Dest Network ip_ext ip_ext If there are clients on the same network as the that webservers would see only the IP address of the NetDefend Firewall. Example 10.3. Setting up SLB In this example server load balancing is to be done
  • D-Link DFL-260E | User Manual for DFL-260E - Page 520
    the SLB_SAT IP rule: 1. Go to: Rules > IP Rule Sets > main > Add > IP Rule 2. Enter: • Name: Web_SLB • Action: SLB_SAT • Service: HTTP • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: ip_ext 3. Select tab SAT SLB 4. Under Server Addresses add
  • D-Link DFL-260E | User Manual for DFL-260E - Page 521
    Setting Up SLB_SAT Rules 1. Go to: Rules > IP Rule Sets > main > Add > IP Rule 2. Enter: • Name: Web_SLB_ALW • Action: Allow • Service: HTTP • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: ip_ext 3. Click OK Chapter 10. Traffic Management
  • D-Link DFL-260E | User Manual for DFL-260E - Page 522
    10.4.6. Setting Up SLB_SAT Rules Chapter 10. Traffic Management
  • D-Link DFL-260E | User Manual for DFL-260E - Page 523
    only available on the D-Link NetDefend DFL-1660, 2560 and 2560G. The Master and Active Units When reading this section on HA, it should be kept in mind that the master unit in a cluster is not always the same as the active unit in a cluster. The active unit is the NetDefend Firewall that is actually
  • D-Link DFL-260E | User Manual for DFL-260E - Page 524
    Configuration changes are not automatically duplicated between the cluster peers. Load-sharing D-Link HA clusters do not provide load-sharing since only one unit will be active while the other is inactive and only two NetDefend Firewalls Network Failures Using HA and Link Monitor The NetDefendOS Link
  • D-Link DFL-260E | User Manual for DFL-260E - Page 525
    firewall. • The destination IP is the broadcast address on the sending interface. • The IP TTL is always 255. If NetDefendOS receives a cluster heartbeat with any other TTL, it is assumed that the packet has traversed a router and therefore cannot be trusted. • It is a UDP packet, sent from port
  • D-Link DFL-260E | User Manual for DFL-260E - Page 526
    the new database contents to become active. A database update causes the following sequence of events to occur in an HA cluster: 1. The active (master) unit downloads the new database files from the D-Link servers. The download is done via the shared IP address of the cluster. 2. The active (master
  • D-Link DFL-260E | User Manual for DFL-260E - Page 527
    master and slave experiences a failure with the result that heartbeats and state updates are no longer received by the inactive unit. Should such a failure instead and significant differences in the numbers of IPsec SAs, IKE SAs, active users and IP pool statistics would indicate a failure to
  • D-Link DFL-260E | User Manual for DFL-260E - Page 528
    translation, unless the configuration explicitly specifies another address. Note: Management cannot be done through the shared IP The shared IP address cannot be used for remote management or monitoring purposes. When using, for example, SSH for remote management of the NetDefend Firewalls in an HA
  • D-Link DFL-260E | User Manual for DFL-260E - Page 529
    Manual HA Setup Chapter 11. High Availability The illustration below shows the arrangement of typical HA Cluster connections in a network. All interfaces on the master unit would normally also have corresponding interfaces on the slave unit and these would be connected to the same networks network.
  • D-Link DFL-260E | User Manual for DFL-260E - Page 530
    default address localhost must be used which is an IP from the 127.0.0.0/8 sub-network NetDefend Firewall but this time select the node type to be Slave. Making Cluster Configuration Changes The configuration on both NetDefend Firewalls needs to be the same. The configurations (will forward traffic)
  • D-Link DFL-260E | User Manual for DFL-260E - Page 531
    a network then the Cluster ID must be changed for the cluster so that it is unique (the default value is MAC Address. By default, this is enabled and in most configurations it should not need unit. Problem Diagnosis An HA cluster will function if this setting is disabled but can cause problems with
  • D-Link DFL-260E | User Manual for DFL-260E - Page 532
    in mind when managing and configuring an HA Cluster. All Cluster Interfaces Need IP Addresses All interfaces on both IPs in dynamically NATed connections or publishing services on them, will inevitably cause problems since unique IPs will disappear when the firewall they belong to does. The Shared IP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 533
    OSPF metrics if the main designated router should fail. PPPoE Tunnels and DHCP Clients For reasons connected with the shared IP addresses of an HA cluster, PPPoE tunnels and DHCP clients should not be configured in an HA cluster. IPv6 Support Support for IPv6 addresses is discussed in Section
  • D-Link DFL-260E | User Manual for DFL-260E - Page 534
    . The typical output if the unit is active is shown below. gw-world:/> ha This device is a HA SLAVE This device is currently ACTIVE (will forward traffic) This device has been active: 430697 sec HA cluster peer is ALIVE This unit (the slave) is the currently active unit, so the other
  • D-Link DFL-260E | User Manual for DFL-260E - Page 535
    11.5. Upgrading an HA Cluster Chapter 11. High Availability Now, connect to the active unit (which is still running the old NetDefendOS version) with a CLI console and issue the ha -deactivate command. This will cause the active unit to become inactive, and the inactive to become active. gw-world
  • D-Link DFL-260E | User Manual for DFL-260E - Page 536
    Chapter 11. High Availability 11.6. Link Monitoring and HA Redundant Network Paths When using an HA configuration, it can be important to use redundant paths to vital resources such as the Internet. The paths through the network from the master device in an HA configuration may fail in which case
  • D-Link DFL-260E | User Manual for DFL-260E - Page 537
    inactive unit will again become reachable. In order not to flood the network unnecessarily, after one minute has elapsed, the synchronization traffic is then the time where no node is active during configuration deployments. Default: Enabled Reconf Failover Time Number of non-responsive seconds
  • D-Link DFL-260E | User Manual for DFL-260E - Page 538
    11.7. HA Advanced Settings Chapter 11. High Availability
  • D-Link DFL-260E | User Manual for DFL-260E - Page 539
    behavior. Blocked hosts and networks remain blocked until the system administrator manually unblocks them using the Web or Command Line interface. Note: ZoneDefense is not available on all NetDefend models The ZoneDefense feature is only available on the D-Link NetDefend DFL-860E, 1660, 2560 and
  • D-Link DFL-260E | User Manual for DFL-260E - Page 540
    firewall has to be manually specified in the firewall configuration. The information needed in order to control a switch includes: • The IP address of the management interface of the switch • The switch model type • The SNMP community string (write access) The ZoneDefense feature currently supports
  • D-Link DFL-260E | User Manual for DFL-260E - Page 541
    12.3.1. SNMP Simple Network Management Protocol (SNMP) is an application layer protocol for complex network management. SNMP allows the managers and managed devices in a network to communicate with each other. SNMP Managers A typical managing device, such as a NetDefend Firewall, uses the SNMP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 542
    on the firewall have already been configured. An HTTP threshold of 10 connections/second is applied. If the connection rate exceeds this limitation, the firewall will block the specific host (in network range 192.168.2.0/24 for example) from accessing the switch completely. A D-Link switch model
  • D-Link DFL-260E | User Manual for DFL-260E - Page 543
    the Threshold Rule enter: • Name: HTTP-Threshold • Service: http 3. For Address Filter enter: • Source Interface: The firewall's management interface • Destination Interface: any • Source Network: 192.168.2.0/24 (or the object name) • Destination Network: all-nets 4. Click OK Specify the threshold
  • D-Link DFL-260E | User Manual for DFL-260E - Page 544
    or more. A second difference is the maximum number of rules supported by different switches. Some switches support a maximum of 50 rules while others support up to 800 (usually, in order to block a host or network, one rule per switch port is needed). When this limit has been reached no more hosts
  • D-Link DFL-260E | User Manual for DFL-260E - Page 545
    12.3.5. Limitations Chapter 12. ZoneDefense
  • D-Link DFL-260E | User Manual for DFL-260E - Page 546
    configurable advanced settings for NetDefendOS that are not already described in the manual. network transport. All network units, both routers and workstations, drop IP packets that contain checksum errors. However, it is highly unlikely for an attack to be based on illegal checksums. Default
  • D-Link DFL-260E | User Manual for DFL-260E - Page 547
    13.1. IP Level Settings Chapter 13. Advanced Settings Block 0000 Src Block 0.0.0.0 as source address. Default: Drop Block 0 Net Block 0.* as source addresses. Default: DropLog Block 127 Net Block 127.* as source addresses. Default: DropLog Block Multicast Src Block multicast both source addresses
  • D-Link DFL-260E | User Manual for DFL-260E - Page 548
    an enormous security risk. NetDefendOS never obeys the source routes specified by these options, regardless of this setting. Default: DropLog IP Options Timestamps Time stamp options instruct each router and firewall on the packet's route to indicate at what time the packet was forwarded along the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 549
    : 65535 bytes Multicast Mismatch option What action to take when Ethernet and IP multicast addresses do not match. Default: DropLog Min Broadcast TTL option The shortest IP broadcast Time-To-Live value accepted on receipt. Default: 1 Low Broadcast TTL Action option What action to take on too low
  • D-Link DFL-260E | User Manual for DFL-260E - Page 550
    cause problems in poorly written TCP stacks. Default: VPN connection even if hosts do not know how to perform MTU discovery. This setting must be less than the maximum IPsec MTU size and the maximum IPsec MTU size must be less than the maximum packet size handled by the physical interface. Default
  • D-Link DFL-260E | User Manual for DFL-260E - Page 551
    OS Fingerprinting. WSOPT is a common occurrence in modern networks. Default: ValidateLogBad TCP Option SACK Determines how NetDefendOS will limit without the recipient being aware of it. This is not normally a problem. Using TSOPT, some TCP stacks optimize their connection by measuring the time it
  • D-Link DFL-260E | User Manual for DFL-260E - Page 552
    Option Other Specifies how NetDefendOS will deal with TCP options not covered by the above settings. These options usually never appear on modern networks. Default: StripLog TCP SYN/URG Specifies how NetDefendOS will deal with TCP packets with SYN (synchronize) flags and URG (urgent data) flags both
  • D-Link DFL-260E | User Manual for DFL-260E - Page 553
    such as FTP and MS SQL Server, nearly always use the URG flag. Default: StripLog TCP ECN Specifies how operating systems supporting this standard, the flags should be stripped. Default: StripLog TCP port scanners, as some firewalls are unable to detect them. Default: DropLog TCP Sequence Numbers 553
  • D-Link DFL-260E | User Manual for DFL-260E - Page 554
    by the state-engine (not on packets forwarded using a FwdFast rule). Possible values are an old TCP connection (usually out of a concern for security) and this may not work well with these settings. Using these values instead of the default setting will completely disable sequence number validation
  • D-Link DFL-260E | User Manual for DFL-260E - Page 555
    . In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section. Default: 500 Silently Drop State ICMPErrors Specifies if NetDefendOS should silently drop ICMP errors pertaining to statefully tracked open connections. If these errors are
  • D-Link DFL-260E | User Manual for DFL-260E - Page 556
    determines if NetDefendOS is to log the occurrence of such packets. Default: Enabled Log Reverse Opens Determines if NetDefendOS logs packets that attempt not matter if logging is enabled for either Allow or NAT rules in the IP rule set; they will not be logged. However, FwdFast, Drop and Reject
  • D-Link DFL-260E | User Manual for DFL-260E - Page 557
    NetDefend Firewall itself, for example NetDefendOS management traffic, is not subject to this setting. The log message includes port, service, source/destination IP throughput performance. Default: Disabled Dynamic Max Connections Allocate the Max Connection value dynamically. Default: Enabled Max
  • D-Link DFL-260E | User Manual for DFL-260E - Page 558
    about to close may idle before finally being closed. Connections reach this state when a packet with its FIN flag on has passed in any direction. Default: 80 UDP Idle Lifetime Specifies in seconds how long UDP connections may idle before being closed. This timeout value is usually low, as UDP has
  • D-Link DFL-260E | User Manual for DFL-260E - Page 559
    13.5. Connection Timeout Settings Chapter 13. Advanced Settings Default: 12 Other Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before they are closed. Default: 130 559
  • D-Link DFL-260E | User Manual for DFL-260E - Page 560
    the largest packet allowed to pass through the VPN connections, regardless of its original protocol, plus approx. 50 bytes. Default: 2000 Max ESP Length Specifies in bytes the maximum size of an ESP packet. ESP, Encapsulation Security Payload, is used by IPsec where encryption is applied. This value
  • D-Link DFL-260E | User Manual for DFL-260E - Page 561
    of an OSPF packet. OSPF is a routing protocol mainly used in larger LANs. Default: 1480 Max IPIP/FWZ Length Specifies in bytes the maximum size of an IP-in-IP packet. IP-in-IP is used by Checkpoint Firewall-1 VPN connections when IPsec is not used. This value should be set at the size of the largest
  • D-Link DFL-260E | User Manual for DFL-260E - Page 562
    each one given their own IP header and information that will help the recipient reassemble the original packet correctly. Many IP stacks, however, are unable reassembly, and in this way block almost all communication. Default: DropLog - discards individual fragments and remembers that the reassembly
  • D-Link DFL-260E | User Manual for DFL-260E - Page 563
    LogAll - Logs all failed reassembly attempts. • LogAllSubseq - As LogAll, but also logs subsequent fragments of the packet as and when they arrive. Default: LogSuspectSubseq Dropped Fragments If a packet is denied entry to the system as the result of the settings in the Rules section, it may also be
  • D-Link DFL-260E | User Manual for DFL-260E - Page 564
    may cause problems for IP stacks, it VPN tunnel on the route to the recipient subsequently reduce the effective MTU to 1440 bytes. This would result in the creation of a number of 1440 byte fragments and an equal number of 40 byte fragments. Because of potential problems this can cause, the default
  • D-Link DFL-260E | User Manual for DFL-260E - Page 565
    13.7. Fragmentation Settings Chapter 13. Advanced Settings Reassembly Illegal Limit Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving. Default: 60 565
  • D-Link DFL-260E | User Manual for DFL-260E - Page 566
    13. Advanced Settings 13.8. Local Fragment Reassembly Settings Max Concurrent Maximum number of concurrent local reassemblies. Default: 256 Max Size Maximum size of a locally reassembled packet. Default: 10000 Large Buffers Number of large (over 2K) local reassembly buffers (of the above size
  • D-Link DFL-260E | User Manual for DFL-260E - Page 567
    100. Default: 3 Max Pipe Users The maximum number of pipe users to allocate. As pipe users are only tracked for a 20th of a second, this number usually does not need to be anywhere near the number of actual users, or the number of statefully tracked connections. If there are no configured pipes
  • D-Link DFL-260E | User Manual for DFL-260E - Page 568
    13.9. Miscellaneous Settings Default: 512 Chapter 13. Advanced Settings 568
  • D-Link DFL-260E | User Manual for DFL-260E - Page 569
    13.9. Miscellaneous Settings Chapter 13. Advanced Settings 569
  • D-Link DFL-260E | User Manual for DFL-260E - Page 570
    NetDefend Firewall system and enter this activation code. NetDefendOS will indicate the code is accepted and the update service will be activated. (Make sure access to the public Internet is possible when doing this). Tip: A registration guide can be downloaded A step-by-step "Registration manual
  • D-Link DFL-260E | User Manual for DFL-260E - Page 571
    -status IDP To get the status of AV updates: gw-world:/> updatecenter -status Antivirus Querying Server Status To get the status of the D-Link network servers use the command: gw-world:/> updatecenter -servers Deleting Local Databases Some technical problem in the operation of either IDP or the
  • D-Link DFL-260E | User Manual for DFL-260E - Page 572
    the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Player Authentication Kerberos XTACACS Network backup solution Backup SQL Server MySQL DBMS Oracle DBMS Sybase server MS DCOM DHCP Client related activities DHCP protocol DHCP Server related
  • D-Link DFL-260E | User Manual for DFL-260E - Page 573
    protocol/implementation AOL IM Instant Messenger implementations MSN Messenger Yahoo Messenger IP protocol and implementation Overflow of IP protocol/implementation Internet Relay Chat General LDAP clients/servers Open LDAP License management for CA software General License Manager Malware attack
  • D-Link DFL-260E | User Manual for DFL-260E - Page 574
    Attack targeting at VNC servers Windows terminal/Remote Desktop Security Systems software McAfee Symantec AV solution SMB Error SMB Exploit SMB attacks NetBIOS attacks SMB worms SMTP command attack Denial of Service for SMTP SMTP protocol and implementation SMTP Overflow SPAM SNMP encoding SNMP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 575
    Coldfusion file inclusion File inclusion Web application attacks JSP file inclusion Popular web application packages PHP XML RPC SQL Injection Cross-Site-Scripting MS WINS Service Worms Generic X applications 575
  • D-Link DFL-260E | User Manual for DFL-260E - Page 576
    The ALGs listed above also offer the option to explicitly allow or block certain filetypes as downloads from a list of types. That list is the same one found in this appendix. SHELF Macro Archive file ALZip compressed file Audio Video Interleave file Compressed archive QuArk compressed file archive
  • D-Link DFL-260E | User Manual for DFL-260E - Page 577
    source code Java JAR archive JNG Video Format JPEG file Jrchive compressed archive Just System Word Processor Ichitaro KDE link file LHA compressed archive file Application Format Multi-image Network Graphic Animation Ultratracker module sound data MPEG Audio Stream, Layer III MPEG-4 Video file 577
  • D-Link DFL-260E | User Manual for DFL-260E - Page 578
    Navy Interchange file Format Bitmap Nancy Video CODEC NES Sound file Windows object file, linux object file Object Linking and Embedding (OLE) Control Datastreams PAKLeo archive data PMarc archive data Portable (Public) Network Graphic PBM Portable Pixelmap Graphic PostScript file PSA archive
  • D-Link DFL-260E | User Manual for DFL-260E - Page 579
    Neutral Encapsulation Format BitTorrent Metainfo file TrueType Font Yamaha TX Wave audio files UFA archive data Vcard file VivoActive Player Streaming Video file Waveform Audio Lotus 1-2-3 document Windows Media file Plain Text VRML file GIMP Image file Fast Tracker 2 Extended Module, audio file
  • D-Link DFL-260E | User Manual for DFL-260E - Page 580
    Transport Network Data-Link Physical Figure D.1. The 7 Layers of the OSI Model Layer Functions The different layers perform the following functions: Layer 7 - Application Layer Defines the user interface that supports applications directly. Protocols: HTTP, FTP, TFTP, DNS, SMTP, Telnet, SNMP
  • D-Link DFL-260E | User Manual for DFL-260E - Page 581
    , 30 advanced settings ARP, 131 connection timeout, 558 DHCP relay, 257 DHCP server, 251 fragmentation, 562 fragment reassembly, 566 general, 546 hardware monitoring, 76 high availability, 537 ICMP, 555 IP level, 546 IPsec, 453 IPv6, 94 L2TP/PPTP, 463 length limit, 560 logging, 64 memory monitoring
  • D-Link DFL-260E | User Manual for DFL-260E - Page 582
    476 private server placement, 475 certificates, 148 CA authority, 148 certificate chains, 148 certificate requests, 151 identification lists, 435 intermediate, 148 revocation list, 149 self-signed, 150, 415, 441 the certificate cache, 149 validity, 149 with IPsec, 418 VPN troubleshooting, 478 chains
  • D-Link DFL-260E | User Manual for DFL-260E - Page 583
    Spam filtering, 284 documentation, 19 DoS attack (see denial of service) downloading files with SCP, 48 DPD Expire Time (IPsec) setting, 456 DPD Keep Time (IPsec) setting, 455 DPD Metric (IPsec) setting, 455 drop all IP rule, 137 Drop IP rule, 139 Dropped Fragments setting, 563 DSCP, 485 in setting
  • D-Link DFL-260E | User Manual for DFL-260E - Page 584
    algorithm proposal lists, 433 and IP rules, 438 clients, 418 dead peer detection, 439 keep-alive, 439 LAN to LAN setup, 414 NAT traversal, 431 overview, 423 quick start guide, 413 roaming clients setup, 416 troubleshooting, 477 tunnel establishment, 438 tunnels, 438 IPsec Before Rules setting, 454
  • D-Link DFL-260E | User Manual for DFL-260E - Page 585
    setting, 245 LAN to LAN tunnels, 440 quick start guide, 414, 415 Large Buffers (reassembly) setting, 566 Layer Size Consistency setting, 547 LDAP authentication, 389 authentication with PPP, 394 MS Active Directory, 390 servers, 445 link monitor, 71 initializing NICs, 71 Reconf Failover Time, 72
  • D-Link DFL-260E | User Manual for DFL-260E - Page 586
    SAT) port forwarding (see SAT) port mirroring (see pcapdump) PPP authentication with LDAP, 394 PPPoE, 118 client configuration, 118 unnumbered support, 119 with HA, 120 Alphabetical Index with SSL VPN, 467 PPTP, 457 advanced settings, 463 ALG, 290 client, 463 problem with NAT, 464 quick start guide
  • D-Link DFL-260E | User Manual for DFL-260E - Page 587
    183 the all-nets route, 172 user-based, 183 S SA (see security association) SafeStream, 338 SAT, 372 all-to-1 translation, 379 IP rules, 139 many-to-many translation, 377 multiple rule matches, 381 multiplex rule, 221 one-to-one translation, 372 port forwarding, 372 port translation, 381 second rule
  • D-Link DFL-260E | User Manual for DFL-260E - Page 588
    (see VLAN) virtual private networks (see VPN) VLAN, 115 advanced settings, 117 license limitations, 117 port based, 116 trunk, 116 voice over IP with H.323, 302 with SIP, 291 VoIP (see voice over IP) VPN, 409 encryption, 410 IPsec, 423 key distribution, 411 planning, 411 quick start guide, 413 SSL
  • D-Link DFL-260E | User Manual for DFL-260E - Page 589
    recommended browsers, 31 setting workstation IP, 31 WebUI (see web interface) WebUI Before Rules setting, 52 WebUI HTTP port setting, 52 WebUI HTTPS port setting, 53 whitelisting hosts and networks, 360 URLs, 320 wildcarding, 320 wildcarding in blacklists and whitelists, 282, 320 in IDP rules, 350