Home » D-Link Manuals » Network Security & Firewall Devices » D-Link DFL-260E » Manual Viewer

D-Link DFL-260E User Manual for DFL-260E - Page 471

The SSL VPN Client Statistics, SSL VPN Client Operation

Add to My Manuals
Save this manual to your list of manuals

Page 471 highlights

9.6.3. Installing the SSL VPN Client Chapter 9. VPN Figure 9.6. The SSL VPN Client Statistics SSL VPN Client Operation Whenever the SSL VPN client application runs, the following happens: • A route is added to the Windows routing table. This route is equivalent to a NetDefendOS default all-nets route. • The added default route directs all traffic from the Windows client through the SSL tunnel. When the Windows SSL VPN client application ends, the SSL tunnel is closed and the default route in the Windows routing table is removed, returning the routing table to its original state. • An SSL connection is made to the configured Ethernet interface on a NetDefend Firewall and the next available IP address is handed out to the client from the associated SSL VPN object's IP pool. In addition, a single route for the client is added to the NetDefendOS routing table. This route maps the handed out client IP address to the associated SSL VPN interface. • Traffic can now flow between the client and the firewall, subject to NetDefendOS IP rules. Specifying IP Rules for Traffic Flow No IP rules need to be specified for the setup of an SSL VPN tunnel itself, provided that the advanced setting SSLVPNBeforeRules is enabled. However, appropriate IP rules need to be specified by the administrator to allow traffic to flow through the tunnel. Since SSL VPN connections originate from the client side, the SSL VPN interface object should be the source interface of the IP rule and the source network should be the range of possible IP addresses that the clients can be given. Specifying the source network as all-nets would of course work but it always more secure to use the narrowest possible IP address range. For more information about specifying IP rules see Section 3.6, "IP Rules". Client Cleanup Should the SSL VPN client application terminate prematurely for some reason, the Windows routing table may not be left in a consistent state and the automatically added all-nets route may not 471

Section	Page
User Manual	3
Table of Contents	4
Preface	15
Chapter 1. NetDefendOS Overview	17
1.1. Features	17
1.2. NetDefendOS Architecture	20
1.2.1. State-based Architecture	20
1.2.2. NetDefendOS Building Blocks	20
1.2.3. Basic Packet Flow	21
1.3. NetDefendOS State Engine Packet Flow	24
Chapter 2. Management and Maintenance	29
2.1. Managing NetDefendOS	29
2.1.1. Overview	29
2.1.2. The Default Administrator Account	30
2.1.3. The Web Interface	30
2.1.4. The CLI	36
2.1.5. CLI Scripts	44
2.1.6. Secure Copy	48
2.1.7. The Console Boot Menu	50
2.1.8. Management Advanced Settings	52
2.1.9. Working with Configurations	53
2.2. Events and Logging	59
2.2.1. Overview	59
2.2.2. Log Messages	59
2.2.3. Creating Log Receivers	60
2.2.4. Logging to MemoryLogReceiver	60
2.2.5. Logging to Syslog Hosts	60
2.2.6. Severity Filter and Message Exceptions	62
2.2.7. SNMP Traps	62
2.2.8. Advanced Log Settings	64
2.3. RADIUS Accounting	65
2.3.1. Overview	65
2.3.2. RADIUS Accounting Messages	65
2.3.3. Interim Accounting Messages	67
2.3.4. Activating RADIUS Accounting	67
2.3.5. RADIUS Accounting Security	68
2.3.6. RADIUS Accounting and High Availability	68
2.3.7. Handling Unresponsive RADIUS Servers	68
2.3.8. Accounting and System Shutdowns	69
2.3.9. Limitations with NAT	69
2.3.10. RADIUS Advanced Settings	69
2.4. Monitoring	71
2.4.1. The Link Monitor	71
2.4.2. SNMP Monitoring	73
2.4.3. Hardware Monitoring	76
2.4.4. Memory Monitoring Settings	78
2.5. The pcapdump Command	80
2.6. Maintenance	83
2.6.1. Auto-Update Mechanism	83
2.6.2. Backing Up Configurations	83
2.6.3. Restore to Factory Defaults	85
Chapter 3. Fundamentals	88
3.1. The Address Book	88
3.1.1. Overview	88
3.1.2. IP Addresses	88
3.1.3. Ethernet Addresses	90
3.1.4. Address Groups	91
3.1.5. Auto-Generated Address Objects	92
3.1.6. Address Book Folders	92
3.2. IPv6 Support	93
3.3. Services	98
3.3.1. Overview	98
3.3.2. Creating Custom Services	99
3.3.3. ICMP Services	102
3.3.4. Custom IP Protocol Services	104
3.3.5. Service Groups	104
3.3.6. Custom Service Timeouts	105
3.4. Interfaces	106
3.4.1. Overview	106
3.4.2. Ethernet Interfaces	108
3.4.2.1. Useful CLI Commands for Ethernet Interfaces	112
3.4.3. VLAN	115
3.4.4. PPPoE	118
3.4.5. GRE Tunnels	120
3.4.6. Interface Groups	124
3.5. ARP	126
3.5.1. Overview	126
3.5.2. The NetDefendOS ARP Cache	126
3.5.3. Creating ARP Objects	128
3.5.4. Using ARP Advanced Settings	130
3.5.5. ARP Advanced Settings Summary	131
3.6. IP Rules	135
3.6.1. Security Policies	135
3.6.2. IP Rule Evaluation	138
3.6.3. IP Rule Actions	139
3.6.4. Editing IP rule set Entries	140
3.6.5. IP Rule Set Folders	141
3.6.6. Configuration Object Groups	142
3.7. Schedules	146
3.8. Certificates	148
3.8.1. Overview	148
3.8.2. Certificates in NetDefendOS	150
3.8.3. CA Certificate Requests	151
3.9. Date and Time	153
3.9.1. Overview	153
3.9.2. Setting Date and Time	153
3.9.3. Time Servers	154
3.9.4. Settings Summary for Date and Time	157
3.10. DNS	160
Chapter 4. Routing	164
4.1. Overview	164
4.2. Static Routing	165
4.2.1. The Principles of Routing	165
4.2.2. Static Routing	169
4.2.3. Route Failover	174
4.2.4. Host Monitoring for Route Failover	177
4.2.5. Advanced Settings for Route Failover	179
4.2.6. Proxy ARP	180
4.3. Policy-based Routing	183
4.4. Route Load Balancing	190
4.5. OSPF	196
4.5.1. Dynamic Routing	196
4.5.2. OSPF Concepts	199
4.5.3. OSPF Components	204
4.5.3.1. OSPF Router Process	204
4.5.3.2. OSPF Area	206
4.5.3.3. OSPF Interface	207
4.5.3.4. OSPF Neighbors	209
4.5.3.5. OSPF Aggregates	209
4.5.3.6. OSPF VLinks	209
4.5.4. Dynamic Routing Rules	210
4.5.4.1. Overview	210
4.5.4.2. Dynamic Routing Rule	212
4.5.4.3. OSPF Action	212
4.5.4.4. Routing Action	213
4.5.5. Setting Up OSPF	213
4.5.6. An OSPF Example	217
4.6. Multicast Routing	220
4.6.1. Overview	220
4.6.2. Multicast Forwarding with SAT Multiplex Rules	221
4.6.2.1. Multicast Forwarding - No Address Translation	221
4.6.2.2. Multicast Forwarding - Address Translation Scenario	224
4.6.3. IGMP Configuration	225
4.6.3.1. IGMP Rules Configuration - No Address Translation	227
4.6.3.2. IGMP Rules Configuration - Address Translation	228
4.6.4. Advanced IGMP Settings	230
4.7. Transparent Mode	233
4.7.1. Overview	233
4.7.2. Enabling Internet Access	238
4.7.3. Transparent Mode Scenarios	239
4.7.4. Spanning Tree BPDU Support	243
4.7.5. Advanced Settings for Transparent Mode	244
Chapter 5. DHCP Services	249
5.1. Overview	249
5.2. DHCP Servers	250
5.2.1. Static DHCP Hosts	253
5.2.2. Custom Options	255
5.3. DHCP Relaying	256
5.3.1. DHCP Relay Advanced Settings	257
5.4. IP Pools	259
Chapter 6. Security Mechanisms	263
6.1. Access Rules	263
6.1.1. Overview	263
6.1.2. IP Spoofing	264
6.1.3. Access Rule Settings	264
6.2. ALGs	266
6.2.1. Overview	266
6.2.2. The HTTP ALG	267
6.2.3. The FTP ALG	270
6.2.4. The TFTP ALG	279
6.2.5. The SMTP ALG	280
6.2.5.1. Anti-Spam Filtering	283
6.2.6. The POP3 ALG	289
6.2.7. The PPTP ALG	290
6.2.8. The SIP ALG	291
6.2.9. The H.323 ALG	302
6.2.10. The TLS ALG	316
6.3. Web Content Filtering	319
6.3.1. Overview	319
6.3.2. Active Content Handling	319
6.3.3. Static Content Filtering	320
6.3.4. Dynamic Web Content Filtering	322
6.3.4.1. Overview	322
6.3.4.2. Setting Up WCF	323
6.3.4.3. Content Filtering Categories	327
6.3.4.4. Customizing WCF HTML Pages	334
6.4. Anti-Virus Scanning	337
6.4.1. Overview	337
6.4.2. Implementation	337
6.4.3. Activating Anti-Virus Scanning	338
6.4.4. The Signature Database	338
6.4.5. Subscribing to the D-Link Anti-Virus Service	339
6.4.6. Anti-Virus Options	339
6.5. Intrusion Detection and Prevention	343
6.5.1. Overview	343
6.5.2. IDP Availability for D-Link Models	343
6.5.3. IDP Rules	345
6.5.4. Insertion/Evasion Attack Prevention	347
6.5.5. IDP Pattern Matching	348
6.5.6. IDP Signature Groups	349
6.5.7. IDP Actions	350
6.5.8. SMTP Log Receiver for IDP Events	351
6.6. Denial-of-Service Attack Prevention	355
6.6.1. Overview	355
6.6.2. DoS Attack Mechanisms	355
6.6.3. Ping of Death and Jolt Attacks	355
6.6.4. Fragmentation overlap attacks: Teardrop, Bonk, Boink and Nestea	356
6.6.5. The Land and LaTierra attacks	356
6.6.6. The WinNuke attack	356
6.6.7. Amplification attacks: Smurf, Papasmurf, Fraggle	357
6.6.8. TCP SYN Flood Attacks	358
6.6.9. The Jolt2 Attack	358
6.6.10. Distributed DoS Attacks	358
6.7. Blacklisting Hosts and Networks	360
Chapter 7. Address Translation	363
7.1. Overview	363
7.2. NAT	364
7.3. NAT Pools	369
7.4. SAT	372
7.4.1. Translation of a Single IP Address (1:1)	372
7.4.2. Translation of Multiple IP Addresses (M:N)	377
7.4.3. All-to-One Mappings (N:1)	379
7.4.4. Port Translation	381
7.4.5. Protocols Handled by SAT	381
7.4.6. Multiple SAT Rule Matches	381
7.4.7. SAT and FwdFast Rules	382
Chapter 8. User Authentication	385
8.1. Overview	385
8.2. Authentication Setup	387
8.2.1. Setup Summary	387
8.2.2. The Local Database	387
8.2.3. External RADIUS Servers	389
8.2.4. External LDAP Servers	389
8.2.5. Authentication Rules	396
8.2.6. Authentication Processing	398
8.2.7. A Group Usage Example	399
8.2.8. HTTP Authentication	399
8.3. Customizing Authentication HTML Pages	404
Chapter 9. VPN	409
9.1. Overview	409
9.1.1. VPN Usage	409
9.1.2. VPN Encryption	410
9.1.3. VPN Planning	411
9.1.4. Key Distribution	411
9.1.5. The TLS Alternative for VPN	412
9.2. VPN Quick Start	413
9.2.1. IPsec LAN to LAN with Pre-shared Keys	414
9.2.2. IPsec LAN to LAN with Certificates	415
9.2.3. IPsec Roaming Clients with Pre-shared Keys	416
9.2.4. IPsec Roaming Clients with Certificates	418
9.2.5. L2TP Roaming Clients with Pre-Shared Keys	419
9.2.6. L2TP Roaming Clients with Certificates	421
9.2.7. PPTP Roaming Clients	421
9.3. IPsec Components	423
9.3.1. Overview	423
9.3.2. Internet Key Exchange (IKE)	423
9.3.3. IKE Authentication	429
9.3.4. IPsec Protocols (ESP/AH)	430
9.3.5. NAT Traversal	431
9.3.6. Algorithm Proposal Lists	433
9.3.7. Pre-shared Keys	434
9.3.8. Identification Lists	435
9.4. IPsec Tunnels	438
9.4.1. Overview	438
9.4.2. LAN to LAN Tunnels with Pre-shared Keys	440
9.4.3. Roaming Clients	440
9.4.4. Fetching CRLs from an alternate LDAP server	445
9.4.5. Troubleshooting with ikesnoop	446
9.4.6. IPsec Advanced Settings	453
9.5. PPTP/L2TP	457
9.5.1. PPTP Servers	457
9.5.2. L2TP Servers	458
9.5.3. L2TP/PPTP Server advanced settings	463
9.5.4. PPTP/L2TP Clients	463
9.6. SSL VPN	466
9.6.1. Overview	466
9.6.2. Configuring SSL VPN in NetDefendOS	467
9.6.3. Installing the SSL VPN Client	469
9.6.4. Setup Example	472
9.7. CA Server Access	474
9.8. VPN Troubleshooting	477
9.8.1. General Troubleshooting	477
9.8.2. Troubleshooting Certificates	478
9.8.3. IPsec Troubleshooting Commands	478
9.8.4. Management Interface Failure with VPN	479
9.8.5. Specific Error Messages	479
9.8.6. Specific Symptoms	482
Chapter 10. Traffic Management	485
10.1. Traffic Shaping	485
10.1.1. Overview	485
10.1.2. Traffic Shaping in NetDefendOS	486
10.1.3. Simple Bandwidth Limiting	488
10.1.4. Limiting Bandwidth in Both Directions	489
10.1.5. Creating Differentiated Limits Using Chains	490
10.1.6. Precedences	492
10.1.7. Pipe Groups	496
10.1.8. Traffic Shaping Recommendations	499
10.1.9. A Summary of Traffic Shaping	500
10.1.10. More Pipe Examples	501
10.2. IDP Traffic Shaping	506
10.2.1. Overview	506
10.2.2. Setting Up IDP Traffic Shaping	506
10.2.3. Processing Flow	507
10.2.4. The Importance of Specifying a Network	507
10.2.5. A P2P Scenario	508
10.2.6. Viewing Traffic Shaping Objects	509
10.2.7. Guaranteeing Instead of Limiting Bandwidth	510
10.2.8. Logging	510
10.3. Threshold Rules	511
10.4. Server Load Balancing	514
10.4.1. Overview	514
10.4.2. SLB Distribution Algorithms	515
10.4.3. Selecting Stickiness	516
10.4.4. SLB Algorithms and Stickiness	517
10.4.5. Server Health Monitoring	518
10.4.6. Setting Up SLB_SAT Rules	519
Chapter 11. High Availability	523
11.1. Overview	523
11.2. HA Mechanisms	525
11.3. Setting Up HA	528
11.3.1. HA Hardware Setup	528
11.3.2. NetDefendOS Manual HA Setup	529
11.3.3. Verifying the Cluster Functions	530
11.3.4. Unique Shared Mac Addresses	531
11.4. HA Issues	532
11.5. Upgrading an HA Cluster	534
11.6. Link Monitoring and HA	536
11.7. HA Advanced Settings	537
Chapter 12. ZoneDefense	539
12.1. Overview	539
12.2. ZoneDefense Switches	540
12.3. ZoneDefense Operation	541
12.3.1. SNMP	541
12.3.2. Threshold Rules	541
12.3.3. Manual Blocking and Exclude Lists	541
12.3.4. ZoneDefense with Anti-Virus Scanning	543
12.3.5. Limitations	543
Chapter 13. Advanced Settings	546
13.1. IP Level Settings	546
13.2. TCP Level Settings	550
13.3. ICMP Level Settings	555
13.4. State Settings	556
13.5. Connection Timeout Settings	558
13.6. Length Limit Settings	560
13.7. Fragmentation Settings	562
13.8. Local Fragment Reassembly Settings	566
13.9. Miscellaneous Settings	567
Appendix A. Subscribing to Updates	570
Appendix B. IDP Signature Groups	572
Appendix C. Verified MIME filetypes	576
Appendix D. The OSI Framework	580

Match case Limit results 1 per page

Figure 9.6. The SSL VPN Client Statistics

SSL VPN Client Operation

Whenever the SSL VPN client application runs, the following happens:

•

A route is added to the Windows routing table. This route is equivalent to a NetDefendOS

default

all-nets

route.

•

The added default route directs all traffic from the Windows client through the SSL tunnel.

When the Windows SSL VPN client application ends, the SSL tunnel is closed and the default

route in the Windows routing table is removed, returning the routing table to its original state.

•

An SSL connection is made to the configured Ethernet interface on a NetDefend Firewall and

the next available IP address is handed out to the client from the associated SSL VPN object's IP

pool.

In addition, a single route for the client is added to the NetDefendOS routing table. This route

maps the handed out client IP address to the associated SSL VPN interface.

•

Traffic can now flow between the client and the firewall, subject to NetDefendOS IP rules.

Specifying IP Rules for Traffic Flow

No IP rules need to be specified for the setup of an SSL VPN tunnel itself, provided that the

advanced setting

SSLVPNBeforeRules

is enabled. However, appropriate IP rules need to be

specified by the administrator to allow traffic to flow through the tunnel.

Since SSL VPN connections originate from the client side, the SSL VPN interface object should be

the source interface of the IP rule and the source network should be the range of possible IP

addresses that the clients can be given. Specifying the source network as

all-nets

would of course

work but it always more secure to use the narrowest possible IP address range.

For more information about specifying IP rules see

Section 3.6, “IP Rules”

Client Cleanup

Should the SSL VPN client application terminate prematurely for some reason, the Windows

routing table may not be left in a consistent state and the automatically added

all-nets

route may not

9.6.3. Installing the SSL VPN Client

Chapter 9. VPN

471