D-Link DFL-800-AV-12 User Manual

D-Link DFL-800-AV-12 Manual

D-Link DFL-800-AV-12 manual content summary:

  • D-Link DFL-800-AV-12 | User Manual - Page 1
    Network Security Firewall User Manual DFL-210/ 800/1600/ 2500 DFL-260/ 860 Ver. 1.06 SecurSiteycurity Network Security Solution http://www.dlink.com
  • D-Link DFL-800-AV-12 | User Manual - Page 2
    User Manual DFL-210/260/800/860/1600/2500 NetDefendOS version 2.20 D-Link NetDefend Security http://security.dlink.com.tw Published 2007-12-24 Copyright © 2007
  • D-Link DFL-800-AV-12 | User Manual - Page 3
    User Manual DFL-210/260/800/860/1600/2500 NetDefendOS version 2.20 Published 2007-12-24 Copyright © 2007 Copyright Notice This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manual, nor any
  • D-Link DFL-800-AV-12 | User Manual - Page 4
    Architecture 16 1.2.2. NetDefendOS Building Blocks 16 1.2.3. Basic Packet Flow 17 RADIUS Accounting and High Availability 41 2.3.7. Handling Unresponsive Servers Services 52 3.2.1. Overview 52 3.2.2. TCP and UDP Based Services 53 3.2.3. ICMP Services 55 3.2.4. Custom IP Protocol Services
  • D-Link DFL-800-AV-12 | User Manual - Page 5
    User Manual 3.4.3. ARP Cache 68 3.4.4. Static and Published ARP Entries 69 3.4.5. Advanced ARP Settings 71 3.5. 119 4.6.4. Enabling Transparent Mode 120 4.6.5. High Availability with Transparent Mode 120 4.6.6. Transparent Mode Scenarios 120 5. DHCP Services 127 5.1. Overview 127 5.2.
  • D-Link DFL-800-AV-12 | User Manual - Page 6
    User Manual 6.2.8. H.323 155 6.3. Web Service 184 6.4.6. Anti-Virus Options 184 6.5. Intrusion Detection and Prevention 188 6.5.1. Overview 188 6.5.2. IDP Availability VPN Planning 229 9.1.4. Key Distribution 230 9.2. VPN Quickstart Guide 231 9.2.1. IPsec LAN to LAN with Pre-shared Keys 231
  • D-Link DFL-800-AV-12 | User Manual - Page 7
    User Manual 9.2.3. IPsec Roaming Clients with Certificates 234 9.2.4. L2TP Roaming Clients with Pre-Shared Keys 234 9.2.5. L2TP Roaming Clients with Certificates 236 9.2.6. PPTP Roaming Clients 236 9.2.7. VPN Troubleshooting 237 9.3. IPsec 240 9.3.1. Overview 240 9.3.2. Internet Key Exchange
  • D-Link DFL-800-AV-12 | User Manual - Page 8
    12.3.1. SNMP 300 12.3.2. Threshold Rules 300 12.3.3. Manual Blocking and Exclude Lists 300 12.3.4. Limitations 302 13. Advanced Settings 304 13.1. IP Level Settings 304 13.2. TCP Level Settings 307 13.3. ICMP Level Settings
  • D-Link DFL-800-AV-12 | User Manual - Page 9
    .5. A Server Load Balancing configuration 281 10.6. Connections from Three Clients 283 10.7. Stickiness and Round-Robin 283 10.8. Stickiness and Connection Rate 284 11.1. High Availability Setup 293 D.1. The 7 layers of the OSI model 348 9
  • D-Link DFL-800-AV-12 | User Manual - Page 10
    Listing the Available Services 52 3.7. Viewing a Specific Service 52 3.8. Adding a TCP/UDP Service 54 3.9. Adding an IP Protocol Service 56 3.10 83 3.23. Enabling Time Synchronization using SNTP 84 3.24. Manually Triggering a Time Synchronization 84 3.25. Modifying the Maximum Adjustment
  • D-Link DFL-800-AV-12 | User Manual - Page 11
    User Manual 5.1. Setting up a DHCP server 128 5.2. Checking the status of a DHCP server 6.15. Enabling Dynamic Web Content Filtering 173 6.16. Enabling Audit Mode 174 6.17. Reclassifying a blocked site 176 6.18. Activating Anti-Virus Scanning 186 6.19. Configuring an SMTP Log Receiver 194 6.20
  • D-Link DFL-800-AV-12 | User Manual - Page 12
    broken down into chapters and sub-sections. Numbered sub-sections are shown in the table of systems may not allow this). For example: http://www.dlink.com. Examples Examples in the text are denoted by the as appropriate. (The accompanying "CLI Reference Guide" documents all CLI commands). Example 1.
  • D-Link DFL-800-AV-12 | User Manual - Page 13
    Highlighted Content Preface Highlighted Content Special sections of text which the reader should pay special attention to are indicated by icons on the left hand side of the page followed by a short paragraph in italicized text. Such sections are of the following types with the following purposes:
  • D-Link DFL-800-AV-12 | User Manual - Page 14
    blocks or objects, which allow the configuration of the product in an almost limitless number routing capabilities. In addition, NetDefendOS supports features such as Virtual LANs, Route application-layer attacks towards vulnerabilities in services and applications, NetDefendOS provides a powerful
  • D-Link DFL-800-AV-12 | User Manual - Page 15
    Web content can be blocked based on category, a Virtual Private Network (VPN). NetDefendOS supports IPsec, L2TP and PPTP based VPNs Guide which details all NetDefendOS log event messages. These documents together form the essential documentation for NetDefendOS operation. Note High Availability
  • D-Link DFL-800-AV-12 | User Manual - Page 16
    Several types of interfaces are supported; Physical Interfaces, Physical Sub- Logical objects can be seen as pre-defined building blocks for use by the rule sets. The address book addresses. Another example of logical objects are services , representing specific protocol and port combinations.
  • D-Link DFL-800-AV-12 | User Manual - Page 17
    interface for the packet. 3. The IP datagram within the packet is passed on to the NetDefendOS Consistency Checker. The consistency checker performs a number of sanity checks on the packet, including validation of checksums, protocol flags, packet length and so on. If the consistency checks fail
  • D-Link DFL-800-AV-12 | User Manual - Page 18
    subsequent packets belonging to the same connection. In addition, the Service object which matched the IP protocol and ports might have log settings of the rule. Note There are actually a number of additional actions available such as address translation and server load balancing. The basic
  • D-Link DFL-800-AV-12 | User Manual - Page 19
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. Product Overview 1.3. NetDefendOS State Engine Packet Flow The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next. Figure 1.1. Packet
  • D-Link DFL-800-AV-12 | User Manual - Page 20
    1.3. NetDefendOS State Engine Packet Flow Figure 1.2. Packet Flow Schematic Part II Chapter 1. Product Overview The packet flow is continued on the following page. Figure 1.3. Packet Flow Schematic Part III 20
  • D-Link DFL-800-AV-12 | User Manual - Page 21
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. Product Overview 21
  • D-Link DFL-800-AV-12 | User Manual - Page 22
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. Product Overview 22
  • D-Link DFL-800-AV-12 | User Manual - Page 23
    the recommended web-browsers to use with the WebUI. Other browsers may also provide full support. Access to remote management interfaces can be regulated by a remote management policy so where more than one LAN interface is available, LAN1 is the default). 2.1.2. Default Administrator Accounts 23
  • D-Link DFL-800-AV-12 | User Manual - Page 24
    control of system configuration. The CLI is available either locally through the serial console port, for all CLI commands see the separate D-Link CLI Reference Guide. Serial Console CLI Access The serial console port is a communications software. 4. Press the enter key on the terminal. The NetDefendOS
  • D-Link DFL-800-AV-12 | User Manual - Page 25
clients are freely available for almost all hardware platforms. NetDefendOS supports version 1, 1.5 will respond with a login prompt. Enter your username and press Enter, followed by your password and then Enter again. Device is the model number of the D-Link Firewall. This can be customized, for example
  • D-Link DFL-800-AV-12 | User Manual - Page 26
    Maintenance Device:/> set device name="gw-world" The CLI Reference Guide uses the command prompt gw-world:/> throughout. Note When the value, this string also appears as the new device name in the top level node of the WebUI tree-view. Activate and Committing Changes If any changes are made to
  • D-Link DFL-800-AV-12 | User Manual - Page 27
to select a language other than English for the interface. Language support is provided by a separate set of resource files provided with bar The menu bar located at the top of the web interface contains a number of buttons and drop-down menus that are used to perform configuration tasks as
  • D-Link DFL-800-AV-12 | User Manual - Page 28
    be used for system diagnostics. • Maintenance • Update Center - Manually update or schedule updates of the intrusion detection and antivirus signatures. configuration. The tree is divided into a number of sections corresponding to the major building blocks of the configuration. The tree can be
  • D-Link DFL-800-AV-12 | User Manual - Page 29
    Tip If there is a problem with the management interface when service definitions, IP rules and so on. Each configuration object has a number of properties that constitute the values of the object. A configuration object has a well-defined type. The type defines the properties that are available
  • D-Link DFL-800-AV-12 | User Manual - Page 30
    properties. This example shows how to display the contents of a configuration object representing the telnet service. CLI gw-world:/> show Service ServiceTCPUDP telnet Property Name: DestinationPorts: Type: SourcePorts: SYNRelay: PassICMPReturn: ALG: MaxSessions: Comments: Value ------telnet 23
  • D-Link DFL-800-AV-12 | User Manual - Page 31
    : SYNRelay: PassICMPReturn: ALG: MaxSessions: Comments: Value ------telnet 23 TCP 0-65535 No No (none) 1000 Modified Comment Web Interface 1. Go to Objects > Services 2. Click on the telnet hyperlink in the list 3. In the Comments textbox, enter your new comment 4. Click OK Verify that the new
  • D-Link DFL-800-AV-12 | User Manual - Page 32
    2.1.5. Working with Configurations Chapter 2. Management and Maintenance 1. Go to Objects > Address Book 2. Click on the Add button 3. In the dropdown menu displayed, select IP4 Address 4. In the Name text box, enter myhost 5. Enter 192.168.10.10 in the IP Address textbox 6. Click OK 7. Verify
  • D-Link DFL-800-AV-12 | User Manual - Page 33
    2.1.5. Working with Configurations Chapter 2. Management and Maintenance CLI gw-world:/> show -changes Type Object - IP4Address myhost * ServiceTCPUDP telnet A "+" character in front of the row indicates that the object has been added. A "*" character indicates that the object has been
  • D-Link DFL-800-AV-12 | User Manual - Page 34
    2.1.5. Working with Configurations Chapter 2. Management and Maintenance Note The configuration must be committed before changes are saved. All changes to a configuration can be ignored simply by not committing a changed configuration. 34
  • D-Link DFL-800-AV-12 | User Manual - Page 35
    of network usage and assists in trouble-shooting. NetDefendOS defines a number of event messages, which are generated troubleshooting only and should only be turned on if required to try and solve a problem. Messages of all severity levels are found listed in the NetDefendOS Log Reference Guide
  • D-Link DFL-800-AV-12 | User Manual - Page 36
    Note The Prio= field in SysLog messages contains the same information as the Severity field for D-Link Logger messages, however the ordering of the numbering is reversed. Example 2.11. Enable Logging to a Syslog Host To enable logging of all events with a severity greater than or equal to Notice to
  • D-Link DFL-800-AV-12 | User Manual - Page 37
    DFLNNN-TRAP.MIB (where NNN indicates the model number of the firewall) is provided by D-Link and defines - What NetDefendOS subsystem is reporting the problem • ID - Unique identification within the category can be cross-referenced to the Log Reference Guide. Note NetDefendOS sends SNMP Traps which are
  • D-Link DFL-800-AV-12 | User Manual - Page 38
2.2.3. Event Message Distribution Chapter 2. Management and Maintenance CLI gw-world:/> add LogReceiver EventReceiverSNMP2c my_snmp IPAddress=195.11.22.55 Web Interface 1. Go to Log & Event Receivers > Add > EventReceiverSNMP2c 2. Specify a name for the event receiver, e.g. my_snmp 3. Enter 195.11.
  • D-Link DFL-800-AV-12 | User Manual - Page 39
    RADIUS Accounting Messages Statistics, such as number of bytes sent and received, and number of packets sent and received are updated are: • Type - Marks this AccountingRequest as signaling the beginning of the service (START). • ID - A unique identifier to enable matching of an AccountingRequest
  • D-Link DFL-800-AV-12 | User Manual - Page 40
    via RADIUS, or LOCAL if the user was authenticated via a local user database. • Delay Time - See the above comment about this parameter. • Timestamp - The number of seconds since 1970-01-01. Used to set a timestamp when this packet was sent from the D-Link Firewall. In addition to this, two more
  • D-Link DFL-800-AV-12 | User Manual - Page 41
    and for the RADIUS server. Messages are sent using the UDP protocol and the default port number used is 1813 although this is user configurable. 2.3.6. RADIUS Accounting and High Availability In an HA cluster, accounting information is synched between the active and passive D-Link Firewalls. This
  • D-Link DFL-800-AV-12 | User Manual - Page 42
    replies to. NetDefendOS will re-send the request after the user-specified number of seconds. This will however mean that a user will still The User Authentication module in NetDefendOS is based on the user's IP address. Problems can therefore occur with users who have the same IP address. This can
  • D-Link DFL-800-AV-12 | User Manual - Page 43
    only query operations are permitted for security reasons. Specifically, NetDefendOS supports the following SNMP request operations by a client: • The as a file with the name DFLNNN-TRAP.MIB (where NNN indicates the model number of the firewall) and this should be transferred to the hard disk of the
  • D-Link DFL-800-AV-12 | User Manual - Page 44
    take place over an encrypted VPN tunnel or similarly secure means of communication. Preventing SNMP Overload The advanced setting SNMPReqLimit restricts the number of SNMP requests allowed per second. This can help prevent attacks through SNMP overload. Example 2.13. Enabling SNMP Monitoring This
  • D-Link DFL-800-AV-12 | User Manual - Page 45
    and Maintenance 2.5. Maintenance 2.5.1. Auto-Update Mechanism A number of the NetDefendOS security features rely on external servers for maintains a global infrastructure of servers providing update services for D-Link Firewalls. To ensure availability and low response times, NetDefendOS employs a
  • D-Link DFL-800-AV-12 | User Manual - Page 46
    -210/800 will continue to load and startup in default mode, that is to say with 192.168.1.1 on the LAN interface. Reset alternatives for the DFL-1600 and DFL-2500 only Press any key on the keypad when the "Press keypad to Enter Setup" message appears on the display. Select "Reset firewall", confirm
  • D-Link DFL-800-AV-12 | User Manual - Page 47
    2.5.3. Resetting to Factory Defaults Chapter 2. Management and Maintenance 47
  • D-Link DFL-800-AV-12 | User Manual - Page 48
objects include such things as addresses, services and schedules. In addition, the chapter explains how the various supported interfaces work, it outlines how security address net (netmask 255.255.255.224) and so on. The numbers 0-32 correspond to the number of binary ones in the netmask. 48
  • D-Link DFL-800-AV-12 | User Manual - Page 49
    3.1.2. IP Addresses Chapter 3. Fundamentals IP Range For example: 192.168.0.0/24 A range of IP addresses is represented on the form a.b.c.d - e.f.g.h. Please note that ranges are not limited to netmask boundaries; they may include any span of IP addresses. For example: 192.168.0.10-192.168.0.15
  • D-Link DFL-800-AV-12 | User Manual - Page 50
    3.1.3. Ethernet Addresses Web Interface 1. Go to Objects > Address Book > Add > IP address 2. Specify a suitable name for the IP Range, for instance wwwservers. 3. Enter 192.168.10.16-192.168.10.21 as the IP Address 4. Click OK Chapter 3. Fundamentals Example 3.4. Deleting an Address Object To
  • D-Link DFL-800-AV-12 | User Manual - Page 51
    3.1.4. Address Groups Chapter 3. Fundamentals 3.1.4. Address Groups Address objects can be grouped in order to simplify configuration. Consider a number of public servers that should be accessible from the Internet. The servers have IP addresses that are not in a sequence, and can therefore not be
  • D-Link DFL-800-AV-12 | User Manual - Page 52
    UDP, with the associated port number(s). The HTTP service, for instance, is defined as using the TCP protocol with associated port 80. However, service objects are in no way the Available Services To produce a listing of the available services in the system: CLI gw-world:/> show Service The
  • D-Link DFL-800-AV-12 | User Manual - Page 53
    , uses destination port 80 in most cases. SMTP uses port 25 and so on. For these types of Service, the single port number is simply specified in the TCP/UDP Service object. Some services use a range of destination ports. As an example, the NetBIOS protocol used by Microsoft Windows uses destination
  • D-Link DFL-800-AV-12 | User Manual - Page 54
other sections of this user's guide: SYN Flood Protection Passing ICMP Errors Application Layer Gateway A TCP based service can be configured to enable Service across all interfaces. For a Service involving, for instance an HTTP ALG, the default value can often be too low if there are large numbers
  • D-Link DFL-800-AV-12 | User Manual - Page 55
    . • Destination Unreachable: the source is told that a problem has occurred when delivering a packet. There are codes from numbers 1, 2, and 8 respectively. NetDefendOS supports these types of IP protocols by using the concept of Custom IP Protocol Services. A Custom IP Protocol service is a service
  • D-Link DFL-800-AV-12 | User Manual - Page 56
    TCP/UDP port ranges described previously, a range of IP protocol numbers can be used to specify multiple applications for one service. Note The currently assigned IP protocol numbers and references are published by the Internet Assigned Numbers Authority (IANA) and can be found at http://www.iana
  • D-Link DFL-800-AV-12 | User Manual - Page 57
    Overview An Interface is one of the most important logical building blocks in NetDefendOS. All network traffic that passes through or gets terminated to as the sending interface (or sometimes egress interface). NetDefendOS supports a number of interface types, which can be divided into the following
  • D-Link DFL-800-AV-12 | User Manual - Page 58
    faster from normal to Fast and then Gigabit Ethernet. Each Ethernet interface in a D-Link Firewall corresponds to a physical Ethernet port in the system. The number of ports, their link speed and the way the ports are realized, is dependent on the hardware model. Note Some systems use an integrated
  • D-Link DFL-800-AV-12 | User Manual - Page 59
    troubleshooting, it is recommended to tag the corresponding physical port with the new name. Note The startup process will enumerate all available N represents the number of the interface if your D-Link Firewall has more than one of these interfaces. In most of the examples in this guide lan is used
  • D-Link DFL-800-AV-12 | User Manual - Page 60
    is needed between different VLANs in an organization, or for any other reason where the administrator would like to expand the number of interfaces. Virtual LAN support in NetDefendOS allows the definition of one or more Virtual LAN interfaces to be associated with a particular physical interface
  • D-Link DFL-800-AV-12 | User Manual - Page 61
control can be done on a per-user basis. Internet service providers (ISPs) often require customers to connect through PPPoE to their broadband service. Using PPPoE the provider can: • Implement security and access-control using username/password authentication • Trace IP addresses to a specific user
  • D-Link DFL-800-AV-12 | User Manual - Page 62
    link. Authentication is an option with PPP. Authentication protocols supported are Password Authentication Protocol (PAP), Challenge Handshake Authentication tunnel. The PPPoE client can be configured to use a service name to distinguish between different servers on the same Ethernet network
  • D-Link DFL-800-AV-12 | User Manual - Page 63
    Service Name: Service name provided by the service provider • Username: Username provided by the service provider • Password: Password provided by the service Traversing network equipment that blocks a particular protocol. network device which does not support multicasting. GRE allows tunneling
  • D-Link DFL-800-AV-12 | User Manual - Page 64
which the tunnel will connect with. • Use Session Key - A unique number can optionally be specified for this tunnel. This allows more than one GRE tunnel order that the routing table is automatically updated. The alternative is to manually create the required route. • Address to use as source IP -
  • D-Link DFL-800-AV-12 | User Manual - Page 65
    traffic to pass through the tunnel: Name To_B From_B Action Allow Allow Src Interface lan GRE_to_B Src Network Dest Interface Dest Network Service lannet GRE_to_B remote_net_B All remote_net_B lan lannet All Setup for D-Link Firewall "B" Assuming that the network 192.168.11.0/24 is lannet
  • D-Link DFL-800-AV-12 | User Manual - Page 66
    to pass through the tunnel: Name To_A From_A Action Allow Allow Src Interface lan GRE_to_A Src Network Dest Interface Dest Network Service lannet GRE_to_A remote_net_A All remote_net_A lan lannet All 3.3.6. Interface Groups Multiple NetDefendOS interfaces can be grouped together to form an
  • D-Link DFL-800-AV-12 | User Manual - Page 67
    3.3.6. Interface Groups 3. Click OK Chapter 3. Fundamentals 67
  • D-Link DFL-800-AV-12 | User Manual - Page 68
provides not only standard support for ARP, but also adds a number of security checks on ". NetDefendOS supports both dynamic ARP as well as static ARP, and the latter is available in two cache of the system. Static ARP is used to manually lock an IP address to a specific Ethernet address.
  • D-Link DFL-800-AV-12 | User Manual - Page 69
Naturally, after the ARP expiration time, NetDefendOS will learn the new Ethernet address of the requested host, but sometimes it might be necessary to manually force a re-query. This is most easily achieved by flushing the ARP cache, an operation which will delete all dynamic ARP entries from the cache
  • D-Link DFL-800-AV-12 | User Manual - Page 70
    such problems. It may also be used to lock an IP address to a specific Ethernet address for increasing security or to avoid denial-of-service if 4b-86-f6-c5-a2-14 4. Click OK Published ARP Entries NetDefendOS supports publishing ARP entries, meaning that you can define IP addresses (and optionally
  • D-Link DFL-800-AV-12 | User Manual - Page 71
    alter an existing item in the ARP cache. Allowing this to take place may allow hijacking of local connections. However, not allowing this may cause problems if, for example, a network adapter is replaced, as NetDefendOS will not accept the new address until the previous ARP cache entry has timed out
  • D-Link DFL-800-AV-12 | User Manual - Page 72
    3.4.5. Advanced ARP Settings Chapter 3. Fundamentals situations are to be logged. Sender IP 0.0.0.0 NetDefendOS can be configured on what to do with ARP queries that have a sender IP of 0.0.0.0. Such sender IPs are never valid in responses, but network units that have not yet learned of their IP
  • D-Link DFL-800-AV-12 | User Manual - Page 73
    the type of traffic to which they will apply. This set of criteria consists of: Source Interface Source Network Destination Interface Destination Network Service An Interface or Interface Group where the packet is received at the D-Link Firewall. This can also be a VPN tunnel. The network that
  • D-Link DFL-800-AV-12 | User Manual - Page 74
    3.5.2. IP Rule Evaluation Chapter 3. Fundamentals IP Rules The IP rule set is the most important of these security policy rule sets. It determines the critical packet filtering function of NetDefendOS, regulating what is allowed or not allowed to pass through the D-Link Firewall, and if necessary,
  • D-Link DFL-800-AV-12 | User Manual - Page 75
    an IP rule is also important because if an Application Layer Gateway object is to be applied to traffic then it must be associated with a Service object (see Section 6.2, "Application Layer Gateways"). When an IP rule is triggered by a match then one of the following Actions can occur: Allow The
  • D-Link DFL-800-AV-12 | User Manual - Page 76
    3.5.4. Editing IP rule set Entries Chapter 3. Fundamentals Using Reject In certain situations the Reject action is recommended instead of the Drop action because a polite reply is required from NetDefendOS. An example of such a situation is when responding to the IDENT user identification protocol
  • D-Link DFL-800-AV-12 | User Manual - Page 77
    :/> add ScheduleProfile OfficeHours Mon=8-17 Tue=8-17 Wed=8-17 Thu=8-17 Fri=8-17 gw-world:/> add IPRule Action=NAT Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=any DestinationNetwork=all-nets Schedule=OfficeHours name=AllowHTTP Web Interface 1. Go to Objects > Schedules
  • D-Link DFL-800-AV-12 | User Manual - Page 78
    3.6. Schedules • Action: NAT • Service: http • Schedule: OfficeHours • SourceInterface: lan • SourceNetwork lannet • DestinationInterface: any • DestinationNetwork: all-nets 4. Click OK Chapter 3. Fundamentals 78
  • D-Link DFL-800-AV-12 | User Manual - Page 79
    3.7. X.509 Certificates Chapter 3. Fundamentals 3.7. X.509 Certificates NetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. This involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key
  • D-Link DFL-800-AV-12 | User Manual - Page 80
    this field. In those cases the location of the CRL has to be configured manually. The CA updates its CRL at a given interval. The length of this one VPN tunnel in NetDefendOS, it can still be reused with any number of other, different VPN tunnels. 3.7.2. X.509 Certificates in NetDefendOS X.509
  • D-Link DFL-800-AV-12 | User Manual - Page 81
    3. Now select one of the following: • Upload self-signed X.509 Certificate • Upload a remote certificate 4. Click OK and follow the instructions. Chapter 3. Fundamentals Example 3.19. Associating X.509 Certificates with IPsec Tunnels To associate an imported certificate with an IPsec tunnel. Web
  • D-Link DFL-800-AV-12 | User Manual - Page 82
    of power. In addition, NetDefendOS supports Time Synchronization Protocols in order to The administrator can set the date and time manually and this is recommended when a new NetDefendOS as being GMT plus or minus a given integer number of hours. All locations counted as being inside a
  • D-Link DFL-800-AV-12 | User Manual - Page 83
    when to adjust for DST. Instead, this information has to be manually provided if daylight saving time is to be used. There are two on what dates daylight saving time starts and ends. The DST offset indicates the number of minutes to advance the clock during the daylight saving time period. Example
  • D-Link DFL-800-AV-12 | User Manual - Page 84
    Servers. NetDefendOS supports the following is an older method of providing time synchronization service over the Internet. The protocol provides a can be used to list publicly available Time Servers. Important Make sure an is used. Example 3.24. Manually Triggering a Time Synchronization Time
  • D-Link DFL-800-AV-12 | User Manual - Page 85
has just been enabled and the initial time difference is greater than the maximum adjust value. It is then possible to manually force a synchronization and disregard the maximum adjustment parameter. Example 3.26. Forcing Time Synchronization This example demonstrates how to force time
  • D-Link DFL-800-AV-12 | User Manual - Page 86
    3.8.2. Time Servers Chapter 3. Fundamentals D-Link Time Servers Using D-Link's own Time Servers is an option in NetDefendOS and this is the recommended way of synchronizing the firewall clock. These servers communicate with NetDefendOS using the SNTP protocol. When the D-Link Server option is
  • D-Link DFL-800-AV-12 | User Manual - Page 87
    can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. FQDNs are unambiguous textual domain names which specify a node's unique position in the Internet's DNS tree hierarchy. FQDN resolution allows the actual physical IP address to change while the FQDN can stay
  • D-Link DFL-800-AV-12 | User Manual - Page 88
    3.9. DNS Lookup Chapter 3. Fundamentals 88
  • D-Link DFL-800-AV-12 | User Manual - Page 89
    of routing is crucial for a NetDefendOS system to function as expected. NetDefendOS offers support for the following types of routing mechanisms: • Static routing. • Dynamic routing. NetDefendOS additionally supports route monitoring to achieve route and link redundancy with fail-over capability. 89
  • D-Link DFL-800-AV-12 | User Manual - Page 90
    (or whenever the network topology is complex), the work of manually maintaining static routing tables will be time-consuming and problematic. As IP packets from their source to their ultimate destination through a number of intermediary nodes, most often referred to as routers or firewalls. In each
  • D-Link DFL-800-AV-12 | User Manual - Page 91
    4. Routing 4.2.2. Static Routing This section describes how routing is implemented in NetDefendOS, and how to configure static routing. NetDefendOS supports multiple routing tables. A default table called main is pre-defined and is always present in NetDefendOS. However, additional and completely
  • D-Link DFL-800-AV-12 | User Manual - Page 92
    in the system, and the routing table that you configure. The routing table that you configure contains only the routes that you have added manually (in other words, the static routes). The content of the active routing table, however, will vary depending on several factors. For instance, if dynamic
  • D-Link DFL-800-AV-12 | User Manual - Page 93
    4.2.2. Static Routing Chapter 4. Routing 213.124.165.0/24 wan 0 0.0.0.0/0 wan 213.124.165.1 0 Web Interface To see the configured routing table: 1. Go to Routing > Routing Tables 2. Select and right-click the main routing table in the grid 3. Choose Edit in the menu The main window will list
  • D-Link DFL-800-AV-12 | User Manual - Page 94
    Reference Guide. 4.2.3. Route Failover Overview D-Link Firewalls are often deployed in mission-critical locations where availability and Internet connectivity using a secondary Internet Service Provider (ISP). The connections to the two service providers often use different access methods
  • D-Link DFL-800-AV-12 | User Manual - Page 95
    . Setting the Route Metric When specifying routes, the administrator should manually set a route's Metric. The Metric is a positive integer that . Failover Processing Whenever monitoring determines that a route is not available, NetDefendOS will mark the route as disabled and instigate Route
  • D-Link DFL-800-AV-12 | User Manual - Page 96
    policies and existing connections will be maintained. To illustrate the problem, consider the following configuration: First, there is one IP rule facilitates a mapping between an IP address and the MAC address of a node on an Ethernet network. However, situations may exist where a network running
  • D-Link DFL-800-AV-12 | User Manual - Page 97
    4.2.4. Proxy ARP Chapter 4. Routing IP address of host B on another separate network. The proxy ARP feature means that NetDefendOS responds to this ARP request instead of host B. The NetDefendOS sends its own MAC address instead in reply, essentially pretending to be the target host. After
  • D-Link DFL-800-AV-12 | User Manual - Page 98
    traffic. When more than one ISP is used to provide Internet services, Policy-based Routing can route traffic originating from different sets of users Policy-based Routing implementation in NetDefendOS is based on two building blocks: • One or more user-defined alternate Policy-based Routing Tables
  • D-Link DFL-800-AV-12 | User Manual - Page 99
    Rule that matches the packet's source/destination interface/network as well as service. If a matching rule is found then this determines the routing table combined with the main table to lookup the appropriate route. The three available options are: 1. Default - The default behaviour is to first
  • D-Link DFL-800-AV-12 | User Manual - Page 100
    4.3.5. The Ordering parameter Chapter 4. Routing interfaces. The first two options can be regarded as combining the alternate table with the main table and assigning one route if there is a match in both tables. Important - Ensuring all-nets appears in the main table. A common mistake with Policy-
  • D-Link DFL-800-AV-12 | User Manual - Page 101
    Policy (columns: Source Interface | Source Range | Destination Interface | Destination Range | Service | Forward VR table | Return VR table): row 1: lan1 | 10.10.10.0/24 | wan2 | all-nets | ALL | r2 | r2; row 2: wan2 | all-nets | lan1 | 20.20.20.0/24 | ALL | r2 | r2. To configure this example scenario: Web Interface 1. Add the routes found in the
  • D-Link DFL-800-AV-12 | User Manual - Page 102
    4.3.5. The Ordering parameter Chapter 4. Routing Note Rules in the above example are added for both inbound and outbound connections.
  • D-Link DFL-800-AV-12 | User Manual - Page 103
    the fly but has the disadvantage that it is more susceptible to certain problems such as routing loops. In the Internet, two types of dynamic routing algorithm is based on the "length" of the path which is the number of intermediate routers (also known as "hops"). After updating its own
  • D-Link DFL-800-AV-12 | User Manual - Page 104
    Bandwidth Load Delay The sum of the costs associated with each link. A commonly used value for this metric is called "hop count" which is the number of routing devices a packet must pass through when it travels from source to destination. The traffic capacity of a path, rated by "Mbps". The usage
  • D-Link DFL-800-AV-12 | User Manual - Page 105
    4.4.2. OSPF Chapter 4. Routing ASBRs Backbone Areas Stub Areas Transit Areas to which they have an interface. Routers that exchange routing information with routers in other Autonomous Systems are called Autonomous System Boundary Router (ASBRs). They advertise externally learned routes
  • D-Link DFL-800-AV-12 | User Manual - Page 106
    4.4.2. OSPF Chapter 4. Routing in the routing table. This is commonly used to minimize the routing table. Virtual Links Virtual links are used for: • Linking an area that does not have a direct connection to the backbone. • Linking the backbone in case of a partitioned backbone. Areas without
  • D-Link DFL-800-AV-12 | User Manual - Page 107
    Link to fw1 with the Router ID 192.168.1.1 and vice versa. These VLinks need to be configured in Area 1. OSPF High Availability Support There are some limitations in High Availability support for OSPF that should be noted: Both the active and the inactive part of an HA cluster will run separate OSPF
  • D-Link DFL-800-AV-12 | User Manual - Page 108
    4.4.3. Dynamic Routing Policy Chapter 4. Routing In a dynamic routing environment, it is important for routers to be able to regulate to what extent they will participate in the routing exchange. It is not feasible to accept or trust all received routing information, and it might be crucial to
  • D-Link DFL-800-AV-12 | User Manual - Page 109
    4.4.3. Dynamic Routing Policy Chapter 4. Routing gw-world:/ImportOSPFRoutes> add DynamicRoutingRuleAddRoute Destination=MainRoutingTable Web Interface 1. Go to Routing > Dynamic Routing Rules 2. Click on the recently created ImportOSPFRoutes 3. Go to OSPF Routing Action > Add >
  • D-Link DFL-800-AV-12 | User Manual - Page 110
    should also be able to scale to large numbers of receivers. Multicast Routing solves the problem by the network routers themselves, replicating and .0.0.0/4 is always routed to core and does not have to be manually added to the routing tables. Each specified output interface can individually
  • D-Link DFL-800-AV-12 | User Manual - Page 111
    4.5.2. Multicast Forwarding using the SAT Multiplex Rule Chapter 4. Routing The multiplex rule can operate in one of two modes: Use IGMP Not using IGMP The traffic flow specified by the multiplex rule must have been requested by hosts using IGMP before any multicast packets are forwarded
  • D-Link DFL-800-AV-12 | User Manual - Page 112
    > IP Rules > Add > IP Rule 2. Under General enter: • Name: a name for the rule, e.g. Multicast_Multiplex • Action: Multiplex SAT • Service: multicast_service 3. Under Address Filter enter: • Source Interface: wan • Source Network: 192.168.10.1 • Destination Interface: core • Destination Network: 239
  • D-Link DFL-800-AV-12 | User Manual - Page 113
    SAT Multiplex rule needs to be configured to match the scenario described above: Web Interface A. Create a custom service for multicast called multicast_service: 1. Go to Objects > Services > Add > TCP/UDP 2. Now enter: • Name: multicast_service • Type: UDP • Destination: 1234 B. Create an IP rule
  • D-Link DFL-800-AV-12 | User Manual - Page 114
    is statically configured to deliver a multicast stream to the D-Link Firewall. In this case also, an IGMP query would not have to be specified. NetDefendOS supports two IGMP modes of operation - Snoop and Proxy. Figure 4.6. Multicast Snoop
  • D-Link DFL-800-AV-12 | User Manual - Page 115
    4.5.3. IGMP Configuration (Chapter 4. Routing) Figure 4.7. Multicast Proxy In Snoop mode, the router will act transparently between the hosts and another IGMP router. It will not send any IGMP Queries. It will only forward queries and reports between the other router and the hosts. In Proxy mode,
  • D-Link DFL-800-AV-12 | User Manual - Page 116
    4.5.3. IGMP Configuration Chapter 4. Routing • Source Network: if1net, if2net, if3net • Destination Interface: core • Destination Network: auto • Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.0/24 4. Click OK B. Create the second IGMP Rule: 1. Again go to Routing > IGMP > IGMP Rules
  • D-Link DFL-800-AV-12 | User Manual - Page 117
    4.5.3. IGMP Configuration • Name: A suitable name for the rule, e.g. Reports_if1 • Type: Report • Action: Proxy • Output: wan (this is the relay interface) 3. Under Address Filter enter: • Source Interface: if1 • Source Network: if1net • Destination Interface: core • Destination Network: auto •
  • D-Link DFL-800-AV-12 | User Manual - Page 118
    : core • Destination Network: auto • Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.0/24 4. Click OK Advanced IGMP Settings There are a number of advanced settings which are global and apply to all interfaces which do not have IGMP settings explicitly specified for them. These global
  • D-Link DFL-800-AV-12 | User Manual - Page 119
    topology can significantly strengthen security. It is simple to do and doesn't require reconfiguration of existing nodes. Once deployed, NetDefendOS can then allow or deny access to different types of services (for example HTTP) and in specified directions. As long as users of the network are
  • D-Link DFL-800-AV-12 | User Manual - Page 120
    to the destination. If the route was a Switch Route, no specific information about the destination is available and the firewall will have to discover where the destination is located in the network. Discovery is done the internal network are allowed to access the Internet via the HTTP protocol.
  • D-Link DFL-800-AV-12 | User Manual - Page 121
    : 10.0.0.2 • Network: 10.0.0.0/24 • Transparent Mode: Enable 6. Click OK Configure the rules: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: HTTPAllow • Action: Allow • Service: http • Source Interface: lan
  • D-Link DFL-800-AV-12 | User Manual - Page 122
    4.6.6. Transparent Mode Scenarios Chapter 4. Routing • Destination Interface: any • Source Network: 10.0.0.0/24 • Destination Network: all-nets (0.0.0.0/0) 3. Click OK Scenario 2 Here the D-Link Firewall in Transparent Mode separates server resources from an internal network by connecting them to
  • D-Link DFL-800-AV-12 | User Manual - Page 123
    all-nets • Destination Network: 10.1.4.10 5. Under the Service tab, choose http in the Pre-defined control 6. Click • Destination Network: wan_ip 11. Under the Service tab, choose http in the Pre-defined control : wan_ip 18. Under the Service tab, choose http in the Pre-defined control
  • D-Link DFL-800-AV-12 | User Manual - Page 124
    24 • Metric: 0 3. Click OK Configure the rules: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: HTTP-LAN-to-DMZ • Action: Allow • Service: http • Source Interface: lan • Destination Interface: dmz • Source Network: 10.0.0.0/24 • Destination Network: 10.1.4.10
  • D-Link DFL-800-AV-12 | User Manual - Page 125
    5. Now enter: • Name: HTTP-WAN-to-DMZ • Action: SAT • Service: http • Source Interface: wan • Destination Interface: dmz • Source Network: all IPRule 8. Now enter: • Name: HTTP-WAN-to-DMZ • Action: Allow • Service: http • Source Interface: wan • Destination Interface: dmz • Source Network: all-nets
  • D-Link DFL-800-AV-12 | User Manual - Page 127
    DHCP services in NetDefendOS. • Overview, page 127 • DHCP Servers, page 128 • Static DHCP Assignment, page 130 • DHCP Relaying, page 131 • IP Pools, page 132 5.1. Overview DHCP (Dynamic Host Configuration Protocol) is a protocol that allows network administrators to automatically assign IP numbers
  • D-Link DFL-800-AV-12 | User Manual - Page 128
    5. DHCP Services 5.2. DHCP address ranges depending on what interface they are located on. A number of standard options can be configured for each DHCP server instance: order to have the DHCP servers hand out all types of options supported by the DHCP standard. DHCP servers assign and manage the IP
  • D-Link DFL-800-AV-12 | User Manual - Page 129
    5.2. DHCP Servers Chapter 5. DHCP Services Example 5.2. Checking the status of a DHCP server Web Interface Go to Status > DHCP Server in the menu bar. CLI To see the status of all
  • D-Link DFL-800-AV-12 | User Manual - Page 130
    5.3. Static DHCP Assignment Chapter 5. DHCP Services 5.3. Static DHCP Assignment Where the administrator ------+ 1 (none) An individual static assignment can be shown using its index number: gw-world:/> show DHCPServerPoolStaticHost 1 Property ----------- Index: Host: MACAddress: Comments:
  • D-Link DFL-800-AV-12 | User Manual - Page 131
    DHCP Services 5.4. DHCP means there has to be a different server on every network. This problem is solved by the use of a DHCP relayer. A DHCP relayer • Name: ipgrp-dhcp • Interfaces: select "vlan1" and "vlan2" from the Available list and put them into the Selected list. 3. Click OK Adding a DHCP
  • D-Link DFL-800-AV-12 | User Manual - Page 132
    5. DHCP Services 5.5. IP Pools Config Mode". Basic IP Pool Options The basic options available for an IP Pool are: DHCP Server behind interface keeps giving out the same IP for each client. Specifies the number of leases to keep prefetched. Prefetching will improve performance since there won
  • D-Link DFL-800-AV-12 | User Manual - Page 133
    5.5. IP Pools Chapter 5. DHCP Services Maximum clients greater than the prefetch parameter. The pool will start releasing (giving back IPs to the DHCP server) when the number of free clients exceeds this value. Optional setting used to specify the maximum number of clients (IPs) allowed in the
  • D-Link DFL-800-AV-12 | User Manual - Page 135
    . Although the packet source cannot be responded to correctly, there is the potential for unnecessary network congestion to be created and potentially a Denial of Service (DoS) condition could occur. Even if the firewall is able to detect a DoS condition, it is hard to trace or stop it because of
  • D-Link DFL-800-AV-12 | User Manual - Page 136
    needs to be turned off, then the way to do this is to specify an Access Rule for that source with an action of Drop. Troubleshooting Access Rule Related Problems It should be noted that Access Rules are a first filter of traffic before any other NetDefendOS modules can see it. Sometimes
  • D-Link DFL-800-AV-12 | User Manual - Page 137
    6.1.3. Access Rule Settings Chapter 6. Security Mechanisms Example 6.1. Setting up an Access Rule A rule is to be defined that ensures no traffic with a source address not within the lannet network is received on the lan interface. CLI gw-world:/> add Access Name=lan_Access Interface=lan Network=
  • D-Link DFL-800-AV-12 | User Manual - Page 138
    of the TCP/IP stack. The following protocols are supported by NetDefendOS ALGs: • HTTP • FTP • a 1000 connections are allowed in total for the HTTP Service across all interfaces. The full list of default maximum session there are a large number of clients connecting through the D-Link Firewall and it
  • D-Link DFL-800-AV-12 | User Manual - Page 139
    enabled for a Service object then any ALG associated with that Service will not be number of modules. These consist of the following features which are described in the indicated dedicated sections of the manual whereas access to gaming sites might be blocked. This feature is described in depth in
  • D-Link DFL-800-AV-12 | User Manual - Page 140
    be blocked if .exe files are blocked. Blocking is Service object and then associating that Service object with an IP rule in the IP rule set. A number of pre-defined HTTP Services could be used with the ALG. For example, the http service problems for firewalls. Consider a scenario where an FTP
  • D-Link DFL-800-AV-12 | User Manual - Page 141
    the incoming connection for the data channel will be dropped. As the port number used for the data channel is dynamic, the only way to solve this capable of using passive mode. The Solution The FTP ALG solves this problem by fully reassembling the TCP stream of the command channel and examining its
  • D-Link DFL-800-AV-12 | User Manual - Page 142
    -inbound 3. Check Allow client to use active mode 4. Uncheck Allow server to use passive mode 5. Click OK B. Define the Service: 1. Go to Objects > Services > Add > TCP/UDP Service 2. Enter the following: • Name: ftp-inbound • Type: select TCP from the list • Destination: 21 (the port the FTP server
  • D-Link DFL-800-AV-12 | User Manual - Page 143
    internal interface needs to be NATed: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: NAT-ftp • Action: NAT • Service: ftp-inbound 3. For Address Filter enter: • Source Interface: dmz • Destination Interface: core • Source Network: dmznet • Destination Network: wan_ip 4. For NAT check
  • D-Link DFL-800-AV-12 | User Manual - Page 144
    > Add > FTP ALG 2. Enter Name: ftp-outbound 3. Uncheck Allow client to use active mode 4. Check Allow server to use passive mode 5. Click OK B. Create the Service: 1. Go to Objects > Services > Add > TCP/UDP Service 2. Now enter: • Name: ftp-outbound • Type: select TCP from the dropdown list
  • D-Link DFL-800-AV-12 | User Manual - Page 145
    IP rules if using public IPs; make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules. The service in use is ftp-outbound, which should be using the ALG definition ftp-outbound as described earlier. C. Allow connections to ftp-servers on the
  • D-Link DFL-800-AV-12 | User Manual - Page 146
    of security to TFTP in being able to put restrictions on its use. General TFTP Options Allow/Disallow Read Allow/Disallow Write Remove Request Option Block Unknown Options The TFTP GET function can be disabled so that files cannot be retrieved by a TFTP client. The default value is Allow. The TFTP
  • D-Link DFL-800-AV-12 | User Manual - Page 147
    KBytes. The transferred size might be 120 KBytes or more since the encoding specified so that mail from those addresses is blocked. A whitelist of email addresses can be specified local, receiving server. A number of trusted organisations maintain publicly available databases of the origin IP
  • D-Link DFL-800-AV-12 | User Manual - Page 148
    6.2.5. SMTP Chapter 6. Security Mechanisms When the NetDefendOS SPAM filtering function is configured, the IP address of the email's sending server can be sent to one or more DNSBL servers to find out if any DNSBL servers think it is from a spammer or not (NetDefendOS examines the IP packet
  • D-Link DFL-800-AV-12 | User Manual - Page 149
    6.2.5. SMTP Chapter 6. Security Mechanisms Buy this stock today! And if the tag text is defined to be "*** SPAM ***", then the modified email's Subject field will become: *** SPAM *** Buy this stock today! And this is what the email's recipient will see in the summary of their inbox contents. The
  • D-Link DFL-800-AV-12 | User Manual - Page 150
    6.2.5. SMTP Chapter 6. Security Mechanisms Logging There are three types of logging done by the SPAM filtering module: • Logging of dropped or SPAM tagged emails - These log messages include the source email address and IP as well as its weighted points score and which DNSBLs caused the event. •
  • D-Link DFL-800-AV-12 | User Manual - Page 151
    : Total number of mails checked : 34520 Number of mails dropped : 65 Number of mails spam tagged : 156 Number of mails POP3 ALG Options Key features of the POP3 ALG are: Block Clear Text Authentication Block connections between client and server that send the username/password combination
  • D-Link DFL-800-AV-12 | User Manual - Page 152
    code. This feature is described fully in Section 6.4, "Anti-Virus Scanning". The available options are: • Disable - Turn off scanning. • Protect - Drop downloads that telephony can become another IP application which can integrate into other services. SIP does not know about the details of a session
  • D-Link DFL-800-AV-12 | User Manual - Page 153
    are the logical building blocks for SIP communication: User authenticating and authorizing access to services. They also implement provider call and this is the proxy location supported by the NetDefendOS SIP ALG. Protocols SIP sessions make use of a number of sub-protocols: SDP Session Description
  • D-Link DFL-800-AV-12 | User Manual - Page 154
    restricted by this value. The default number is 5. The maximum time for if this value is exceeded. The default value is 120 seconds SIP Setup Summary For setup we will assume above. 2. A Service object is used for the ALG which has the above SIP ALG associated with it. The Service should have: •
  • D-Link DFL-800-AV-12 | User Manual - Page 155
    6.2.8. H.323 Chapter 6. Security Mechanisms • A NAT rule for outbound traffic from user agents on the internal network to the SIP Proxy Server located externally. The SIP ALG will take care of all address translation needed by the NAT rule. This translation will occur both on the IP level and the
  • D-Link DFL-800-AV-12 | User Manual - Page 156
    H.323 terminal behind a NATing device with only one public IP. MCUs provide support for conferences of three or more H.323 terminals. All H.323 terminals participating in protocols. Depending on the type of H.323 product, T.120 protocol can be used for application sharing, file transfer as
  • D-Link DFL-800-AV-12 | User Manual - Page 157
    support voice and video calls, the H.323 ALG supports application sharing over the T.120 protocol. T.120 the T.120 protocol. • Number of TCP Data Channels - The number of probability of a problem if the and the rules are presented. The three service definitions used in these scenarios are: •
  • D-Link DFL-800-AV-12 | User Manual - Page 158
    calls 3. Click OK Incoming Rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323AllowIn • Action: Allow • Service: H323 • Source Interface: any • Destination Interface: lan • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: lannet • Comment: Allow incoming calls
  • D-Link DFL-800-AV-12 | User Manual - Page 159
    Allow outgoing calls 3. Click OK Incoming Rules: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323In • Action: SAT • Service: H323 • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall
  • D-Link DFL-800-AV-12 | User Manual - Page 160
    rules. Web Interface Outgoing Rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323AllowOut • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing calls
  • D-Link DFL-800-AV-12 | User Manual - Page 161
    each firewall. Web Interface Outgoing Rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323Out • Action: NAT • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing calls
  • D-Link DFL-800-AV-12 | User Manual - Page 162
    (IP address of phone) 4. Click OK 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323In • Action: Allow • Service: H323 • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment
  • D-Link DFL-800-AV-12 | User Manual - Page 163
    communication with the Gatekeeper 3. Click OK 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323In • Action: Allow • Service: Gatekeeper • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gatekeeper (IP address of the gatekeeper
  • D-Link DFL-800-AV-12 | User Manual - Page 164
    before these rules. Web Interface 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323Out • Action: NAT • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing
  • D-Link DFL-800-AV-12 | User Manual - Page 165
    Firewall. This firewall should be configured as follows: Web Interface 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: LanToGK • Action: Allow • Service: Gatekeeper • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gatekeeper
  • D-Link DFL-800-AV-12 | User Manual - Page 166
    to connect to the Gatekeeper 3. Click OK 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: LanToGK • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gateway • Comment: Allow H.323 entities on lannet to
  • D-Link DFL-800-AV-12 | User Manual - Page 167
    and Remote Office firewalls). Web Interface 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: ToGK • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: vpn-hq • Source Network: lannet • Destination Network: hq-net • Comment: Allow communication
  • D-Link DFL-800-AV-12 | User Manual - Page 168
    6.2.8. H.323 Chapter 6. Security Mechanisms • Service: H323-Gatekeeper • Source Interface: dmz • Destination Interface: vpn-hq • Source Network: ip-branchgw • Destination Network: hq-net • Comment: Allow the Gateway to communicate with the
  • D-Link DFL-800-AV-12 | User Manual - Page 169
    Content Filtering provides a means for manually classifying web sites as "good" block access to web sites depending on the category they have been classified into by an automatic classification service embedded into web pages. NetDefendOS includes support for removing the following types of objects
  • D-Link DFL-800-AV-12 | User Manual - Page 170
    which allows the possibility of manually making exceptions from the automatic might be set to prevent access to shopping sites by blocking the "Shopping" category. By entering the on-line store Wildcarding Both the URL blacklist and URL whitelist support wildcard matching of URLs in order to be
  • D-Link DFL-800-AV-12 | User Manual - Page 171
    Hosts and Networks". Example 6.14. Setting up a white and blacklist This example shows the use of static content filtering where NetDefendOS can block or permit certain web pages based on blacklists and whitelists. As the usability of static content filtering will be illustrated, dynamic content
  • D-Link DFL-800-AV-12 | User Manual - Page 172
    to manually specify which URLs to block or allow. Instead, D-Link maintains a global infrastructure of databases containing massive numbers of Dynamic Web Content Filtering Availability on D-Link Models Dynamic Content Filtering is available on the D-Link DFL-260 and DFL-860 only. URL Processing
  • D-Link DFL-800-AV-12 | User Manual - Page 173
    page level so that users may still access parts of websites that aren't blocked by the filtering policy. Activation Dynamic Content Filtering is a feature that is enabled by taking out a separate subscription to the service. This is an addition to the normal NetDefendOS license. For complete details
  • D-Link DFL-800-AV-12 | User Manual - Page 174
    Mechanisms 5. In the Blocked Categories list, select Search Sites and click the >> button. 6. Click OK Then, create a Service object using the new HTTP ALG: 1. Go to Local Objects > Services > Add > TCP/UDP service 2. Specify a suitable name for the Service, e.g. http_content_filtering 3. Select
  • D-Link DFL-800-AV-12 | User Manual - Page 175
    Service object using the new HTTP ALG and modifying the NAT rule to use the new service blocks gambling web-sites, he won't be able to do his job. For this reason, NetDefendOS supports block web page will include a dropdown list containing all available data warehouse for manual inspection. That
  • D-Link DFL-800-AV-12 | User Manual - Page 176
    FilteringCategories=SEARCH_SITES AllowReclassification=Yes Then, continue setting up the service object and modifying the NAT rule as we have configured correctly, your web browser will present a block page where a dropdown list containing all available categories is included. 4. The user is now
  • D-Link DFL-800-AV-12 | User Manual - Page 177
    .au Category 6: Shopping A web site may be classified under the Shopping category if its content includes any form of advertisement of goods or services to be exchanged for money, and may also include the facilities to perform that transaction online. Included in this category are market promotions
  • D-Link DFL-800-AV-12 | User Manual - Page 178
    this are music sites, movies, hobbies, special interest, and fan clubs. This category also includes personal web pages such as those provided with other people, mail order bride / foreign spouse introductions and escort services. Examples might be: • adultmatefinder.com • www.marriagenow.com Category
  • D-Link DFL-800-AV-12 | User Manual - Page 179
    Banking category if its content includes electronic banking information or services. This category does not include Investment related content; Cults category if its content includes the description or depiction of, or instruction in, systems of religious beliefs and practice. Examples might be:
  • D-Link DFL-800-AV-12 | User Manual - Page 180
    as support groups, hospital and surgical information and medical journals. Examples might be: • www.thehealthzone.com • www.safedrugs.com Category 22: Clubs and Societies A web site may be classified under the Clubs and Societies category if its content includes information or services of relating
  • D-Link DFL-800-AV-12 | User Manual - Page 181
    most cases not be considered unproductive or inappropriate. Category 25: Government Blocking List This category is populated by URLs specified by a government agency, belong to other categories but has content that relates to educational services or has been deemed of educational value, or to be an
  • D-Link DFL-800-AV-12 | User Manual - Page 182
    category. Examples might be: • www.the-cocktail-guide.com • www.stiffdrinks.com Category 29: Computing/IT /IT category if its content includes computing related information or services. Examples might be: • www.purplehat.com • www block this category since this could result in most harmless URLs being
  • D-Link DFL-800-AV-12 | User Manual - Page 183
    annoyance to more sinister aims such as sending back passwords, credit card numbers and other sensitive information. The term "Virus" can be used 6.2.2, "HTTP"). Anti-Virus Availability on D-Link Models Anti-Virus scanning is available on the D-Link DFL-260 and DFL-860 only. 6.4.2. Implementation
  • D-Link DFL-800-AV-12 | User Manual - Page 184
    available free memory can place a limit on the number of concurrent scans that can be initiated. The administrator can increase the default amount of free memory available be associated with the appropriate Service object for the protocol to be scanned. This Service object is then associated with
  • D-Link DFL-800-AV-12 | User Manual - Page 185
    When a particular download file type is encountered, the administrator can explicitly state if the file is to be allowed or blocked as a download. File types The file type to be blocked or allowed can be added into the list. For example "GIF" could be added. If a filetype is on the allowed
  • D-Link DFL-800-AV-12 | User Manual - Page 186
    perform regular checking for new database updates. If a new database update becomes available the sequence of events will be as follows: 1. The active unit determines there world:/> set ALG ALG_HTTP anti_virus Antivirus=Protect Then, create a Service object using the new HTTP ALG: gw-world:/> add
  • D-Link DFL-800-AV-12 | User Manual - Page 187
    ALG you just created in the ALG dropdown list 6. Click OK C. Finally, modify the NAT rule (called NATHttp in this example) to use the new service: 1. Go to Rules > IP Rules 2. In the grid control, click the NAT rule handling the traffic between lannet and all-nets 3. Click the
  • D-Link DFL-800-AV-12 | User Manual - Page 188
    for the triggering IDP Rule is taken. IDP Rules, Pattern Matching and IDP Rule Actions are described in the sections which follow. 6.5.2. IDP Availability in D-Link Models Maintenance and Advanced IDP D-Link offers two types of IDP: • Maintenance IDP is a basic IDP system included as standard with
  • D-Link DFL-800-AV-12 | User Manual - Page 189
    6.5.2. IDP Availability in D-Link Models Chapter 6. Security Mechanisms DFL-210/800/1600/2500 firewalls. This is a simplified IDP that with the latest intrusion threats. For full details about obtaining the IDP service please refer to Appendix A, Subscribing to Security Updates. Figure 6.3. IDP
  • D-Link DFL-800-AV-12 | User Manual - Page 190
    and with the original active/passive roles. For more information about HA clusters refer to Chapter 11, High Availability. 6.5.3. IDP Rules Rule Components An IDP Rule defines what kind of traffic, or service, should be analyzed. An IDP Rule is similar in makeup to an IP Rule. IDP Rules are
  • D-Link DFL-800-AV-12 | User Manual - Page 191
    6.5.4. Insertion/Evasion Attack Prevention Chapter 6. Security Mechanisms The option exists in NetDefendOS IDP to look for intrusions in all traffic, even the packets that are rejected by the IP rule set check for new connections, as well as packets that are not part of an existing connection.
  • D-Link DFL-800-AV-12 | User Manual - Page 192
    IDP signature is designated by a unique number. Consider the following simple attack example involving , with pattern matching looking for building blocks rather than the entire complete code patterns but instead, are available on the D-Link website at: http://security.dlink.com.tw Advisories can
  • D-Link DFL-800-AV-12 | User Manual - Page 193
    be concerned about individual signatures. For performance purposes, the aim should be to have NetDefendOS search data using the least possible number of signatures. Specifying Signature Groups IDP Signature Groups fall into a three level hierarchical structure. The top level of this hierarchy is
  • D-Link DFL-800-AV-12 | User Manual - Page 194
    IDP event occurs, NetDefendOS will wait for Hold Time seconds before sending the notification email. However, the email will only be sent if the number of events that occurred in this period is equal to or greater than the Log Threshold. When this email has been sent, NetDefendOS will
  • D-Link DFL-800-AV-12 | User Manual - Page 195
    6.5.8. SMTP Log Receiver for IDP Events Chapter 6. Security Mechanisms triggered. At least one new event occurs within the Hold Time of 120 seconds, thus reaching the log threshold level (at least 2 events have occurred). This results in an email being sent containing a summary of the IDP events.
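The Hold Time / Log Threshold behaviour described above, worked through as an added Python example (this is not code from the manual or from NetDefendOS). The first IDP event opens a hold window; when Hold Time has elapsed, one summary mail is produced only if at least Log Threshold events accumulated, otherwise the buffered events are silently dropped. The event fields, signature names and the sample trace are constructed for the example, and whatever NetDefendOS does after a mail has gone out (the sentence cut off above) is not modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IdpEvent:
    time: float        # seconds since start of the trace (constructed data)
    signature: str     # IDP signature name, assumed format
    source: str        # source address of the triggering traffic


@dataclass
class SmtpLogReceiver:
    """Hold Time / Log Threshold aggregation for IDP notification mails."""
    hold_time: float
    log_threshold: int
    window_start: Optional[float] = None
    buffer: List[IdpEvent] = field(default_factory=list)
    sent: List[str] = field(default_factory=list)     # mail bodies that would be sent
    discarded: int = 0                                # events below threshold, never mailed

    def _close_window(self) -> None:
        if len(self.buffer) >= self.log_threshold:
            lines = [f"{e.time:6.0f}s  {e.signature}  from {e.source}" for e in self.buffer]
            self.sent.append(f"IDP summary: {len(self.buffer)} event(s)\n" + "\n".join(lines))
        else:
            self.discarded += len(self.buffer)   # threshold not reached: no mail at all
        self.buffer.clear()
        self.window_start = None

    def tick(self, now: float) -> None:
        """Clock callback: close the hold window once Hold Time has elapsed."""
        if self.window_start is not None and now >= self.window_start + self.hold_time:
            self._close_window()

    def event(self, ev: IdpEvent) -> None:
        self.tick(ev.time)                  # an expired window is settled first
        if self.window_start is None:
            self.window_start = ev.time     # first event opens the window
        self.buffer.append(ev)


def replay(events, hold_time, log_threshold, end_time):
    """Feed a trace of events in time order; returns (mails sent, events discarded)."""
    rx = SmtpLogReceiver(hold_time, log_threshold)
    for ev in sorted(events, key=lambda e: e.time):
        rx.event(ev)
    rx.tick(end_time)
    return rx.sent, rx.discarded


# Constructed sample trace: a lone probe, then a burst that crosses the threshold.
SAMPLE_EVENTS = [
    IdpEvent(0, "SMTP_EXPLOIT_probe", "198.51.100.7"),
    IdpEvent(130, "SMTP_EXPLOIT_probe", "198.51.100.7"),
    IdpEvent(140, "SMTP_OVERFLOW_attempt", "198.51.100.7"),
]

if __name__ == "__main__":
    mails, dropped = replay(SAMPLE_EVENTS, hold_time=120, log_threshold=2, end_time=300)
    print(f"{len(mails)} mail(s) sent, {dropped} event(s) discarded")
    for m in mails:
        print(m)
```

With Hold Time 120 and Log Threshold 2, the lone event at t=0 is discarded when its window expires, while the two events at t=130 and t=140 fall in one window and produce a single summary mail rather than two separate alerts.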
  • D-Link DFL-800-AV-12 | User Manual - Page 196
    should therefore be set to the object defining the mail server. 1. Go to IDP > IDP Rules > Add > IDP Rule 2. Now enter: • Name: IDPMailSrvRule • Service: smtp • Also inspect dropped packets: In case all traffic matching this rule should be scanned (this also means traffic that the main rule set
  • D-Link DFL-800-AV-12 | User Manual - Page 197
    6.5.8. SMTP Log Receiver for IDP Events Chapter 6. Security Mechanisms When this IDP Rule has been created, an action must also be created, specifying what signatures the IDP should use when scanning data matching the IDP Rule, and what NetDefendOS should do in case an intrusion is discovered.
  • D-Link DFL-800-AV-12 | User Manual - Page 198
    Service (DoS) Attacks 6.6.1. Overview By embracing the Internet, enterprises experience new business opportunities and growth. The enterprise network and the applications that run over it are business critical. Not only can a company reach a larger number tools are readily available on the Internet
  • D-Link DFL-800-AV-12 | User Manual - Page 199
    , which is the highest number that a 16-bit integer can store. When the value overflows, it jumps back to a very small number. What happens then is usually put the service in a tight loop that consumes all available CPU time. One such service was the NetBIOS over TCP/IP service on Windows machines,
  • D-Link DFL-800-AV-12 | User Manual - Page 200
    reach the firewall. However, NetDefendOS may be of some help in keeping the load off of internal servers, making them available for internal service, or perhaps service via a secondary Internet connection not targeted by the attack. • Smurf and Papasmurf floods will be seen as ICMP Echo Responses
  • D-Link DFL-800-AV-12 | User Manual - Page 201
    blown operating system. While a normal operating system can exhibit problems with as few as 5 outstanding half-open connections, NetDefendOS should be noted that if Syn Flood Protection is enabled on a Service object and that Service object has an ALG associated with it then the ALG will be disabled
  • D-Link DFL-800-AV-12 | User Manual - Page 202
    by specifying the Protect action for when a rule is triggered. Once enabled there are three Blacklisting options: Time to Block Host/Network in seconds Block only this Service Exempt already established connections from Blacklisting The host or network which is the source of the traffic will stay
  • D-Link DFL-800-AV-12 | User Manual - Page 203
  • D-Link DFL-800-AV-12 | User Manual - Page 204
    is known as address translation. NetDefendOS supports two types of translation: Dynamic Network Address traffic based on source/destination network/interface as well as service. Two types of IP rules, NAT rules and SAT addresses must use a unique port number and IP address combination as its
  • D-Link DFL-800-AV-12 | User Manual - Page 205
    Web Interface 1. Go to Rules > IP Rules > Add > IPRule 2. Specify a suitable name for the rule, eg. NAT_HTTP 3. Now enter: • Action: NAT • Service: http • Source Interface: lan • Source Network: lannet • Destination Interface: any • Destination Network: all-nets 4. Under the NAT tab, make sure that
  • D-Link DFL-800-AV-12 | User Manual - Page 206
    are identified by their sender addresses, destination addresses and protocol numbers. This means that: • An internal machine can communicate with ICMP such as telnet, FTP, HTTP, SMTP, etc. NetDefendOS can alter port number information in the TCP and UDP headers to make each connection unique, even
  • D-Link DFL-800-AV-12 | User Manual - Page 207
    external public IP address. When multiple public external IP addresses are available then a NAT Pool object can be used to allocate new connections As a rule of thumb, the Max States value should be at least the number of local hosts or clients that will connect to the Internet. There is only one
  • D-Link DFL-800-AV-12 | User Manual - Page 208
    interfaces will be used by NAT pools. The option exists however to enable Proxy ARP for a NAT Pool on all interfaces but this can cause problems sometimes by possibly creating routes to interfaces on which packets shouldn't arrive. It is therefore recommended that the interface(s) to be used for the
  • D-Link DFL-800-AV-12 | User Manual - Page 209
    Action: NAT 3. Under Address filter enter: • Source Interface: int • Source Network: int-net • Destination Interface: wan • Destination Network: all-nets • Service: HTTP 4. Select the Address Translation tab and enter: • Check the Use NAT Pool option • Select stateful_natpool from the drop-down list
  • D-Link DFL-800-AV-12 | User Manual - Page 210
    rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Specify a suitable name for the rule, eg. SAT_HTTP_To_DMZ 3. Now enter: • Action: SAT • Service: http • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: wan_ip 4. Under the SAT tab, make sure that
  • D-Link DFL-800-AV-12 | User Manual - Page 211
    corresponding Allow rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Specify a suitable name for the rule, eg. Allow_HTTP_To_DMZ 3. Now enter: • Action: Allow • Service: http • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: wan_ip 4. Under the
  • D-Link DFL-800-AV-12 | User Manual - Page 212
    all-nets All 3 Allow any all-nets core wan_ip http This means that the number of rules does not need to be increased. This is good as long as lan Src Net lannet Dest Iface Dest Net any all-nets Parameters All The problem with this rule set is that it will not work at all for traffic
  • D-Link DFL-800-AV-12 | User Manual - Page 213
    arrives directly to PC1 without passing through the D-Link Firewall. This causes problems. The reason this will not work is because PC1 expects a reply to the rule set in the same way as described above, will solve the problem. In this example, for no particular reason, we choose to use option 2:
  • D-Link DFL-800-AV-12 | User Manual - Page 214
    for all the five public IP addresses. Create a SAT rule for the translation: gw-world:/> add IPRule Action=SAT Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=core DestinationNetwork=wwwsrv_pub SATTranslateToIP=wwwsrv_priv_base SATTranslate=DestinationIP Finally, create
  • D-Link DFL-800-AV-12 | User Manual - Page 215
    Go to Rules > IP Rules > Add > IPRule 2. Specify a suitable name for the rule, eg. Allow_HTTP_To_DMZ 3. Now enter: • Action: Allow • Service: http • Source Interface:any • Source Network: all-nets • Destination Interface: core • Destination Network: wwwsrv_pub 4. Click OK 7.3.3. All-to-One Mappings
  • D-Link DFL-800-AV-12 | User Manual - Page 216
    result in a connection to the web server's private address, port 1084. Note In order to create a SAT Rule that allows port translation, a Custom Service must be used with the SAT Rule. 7.3.5. Protocols handled by SAT Generally, static address translation can handle all protocols that allow address
  • D-Link DFL-800-AV-12 | User Manual - Page 217
    and/or alter application data. These are commonly referred to as Application Layer Gateways or Application Layer Filters. NetDefendOS supports a number of such Application Layer Gateways and for more information please see Section 6.2, "Application Layer Gateways". 7.3.6. Multiple SAT rule matches
  • D-Link DFL-800-AV-12 | User Manual - Page 218
    2 and 3. The replies will therefore be dynamically address translated. This changes the source port to a completely different port, which will not work. The problem can be solved using the following rule set:

    #  Action   Src Iface  Src Net
    1  SAT      any
    2  SAT      lan
    3  FwdFast  lan
    4  NAT      lan
    5  FwdFast  lan
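The SAT mechanics from this and the preceding pages (a block of public addresses translated one-to-one onto a private range via a base address, port translation with a custom service, and the need for a companion Allow or NAT rule after the SAT rule), as an added Python model; this is not NetDefendOS code. The rule names, the 203.0.113.0/24 and 10.0.1.0/24 networks and the 8080 to 1084 port pair are assumptions, and the lookup order (the first matching SAT rule rewrites the packet, then the scan continues below it for the next matching non-SAT rule on the original addresses) is a simplification of the manual's description.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_iface: str
    src_ip: str
    dst_iface: str      # "core" = addressed to the firewall itself
    dst_ip: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "SAT", "Allow", "NAT", "FwdFast" or "Drop"
    src_iface: str                      # interface name or "any"
    src_net: str                        # CIDR or "all-nets"
    dst_iface: str
    dst_net: str
    service: Tuple[str, Optional[int]]  # ("tcp", 80) or ("all", None)
    sat_to_ip: Optional[str] = None     # SAT target, or base of the translated range
    sat_to_port: Optional[int] = None   # SAT port translation (needs a custom service)
    all_to_one: bool = False            # SAT: every matched address goes to sat_to_ip


def _in_net(ip: str, net: str) -> bool:
    return net == "all-nets" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    proto, port = rule.service
    return (rule.src_iface in ("any", pkt.src_iface) and _in_net(pkt.src_ip, rule.src_net)
            and rule.dst_iface in ("any", pkt.dst_iface) and _in_net(pkt.dst_ip, rule.dst_net)
            and (proto == "all" or (proto == pkt.proto and port == pkt.dst_port)))


def apply_sat(rule: Rule, pkt: Packet) -> Packet:
    """Rewrite the destination. A network-sized Destination Network translated to a
    base address maps each public address to base + its offset in the network."""
    if rule.all_to_one or rule.dst_net == "all-nets":
        new_ip = rule.sat_to_ip
    else:
        net = ipaddress.ip_network(rule.dst_net, strict=False)
        offset = int(ipaddress.ip_address(pkt.dst_ip)) - int(net.network_address)
        new_ip = str(ipaddress.ip_address(int(ipaddress.ip_address(rule.sat_to_ip)) + offset))
    return replace(pkt, dst_ip=new_ip, dst_port=rule.sat_to_port or pkt.dst_port)


def evaluate(rules: List[Rule], pkt: Packet):
    """Return (action, rule name, packet as forwarded).

    The first matching SAT rule rewrites the packet, then the scan continues
    below it for a non-SAT rule matched on the ORIGINAL addresses. Without such
    a companion rule nothing is forwarded: the default is to drop."""
    start, out = 0, pkt
    for i, rule in enumerate(rules):
        if rule.action == "SAT" and matches(rule, pkt):
            out, start = apply_sat(rule, pkt), i + 1
            break
    for rule in rules[start:]:
        if rule.action != "SAT" and matches(rule, pkt):
            return rule.action, rule.name, out
    return "Drop", None, out


# Constructed rule set: a block of public addresses mapped one-to-one onto a DMZ
# range, one port-translated service, and outbound NAT for the LAN.
WWW_PUB = "203.0.113.8/29"
RULES = [
    Rule("SAT_HTTP_To_DMZ", "SAT", "any", "all-nets", "core", WWW_PUB, ("tcp", 80),
         sat_to_ip="10.0.1.100"),
    Rule("Allow_HTTP_To_DMZ", "Allow", "any", "all-nets", "core", WWW_PUB, ("tcp", 80)),
    Rule("SAT_Alt_Port", "SAT", "any", "all-nets", "core", "203.0.113.1/32", ("tcp", 8080),
         sat_to_ip="10.0.1.5", sat_to_port=1084),
    Rule("Allow_Alt_Port", "Allow", "any", "all-nets", "core", "203.0.113.1/32", ("tcp", 8080)),
    Rule("NAT_HTTP", "NAT", "lan", "10.0.0.0/24", "any", "all-nets", ("tcp", 80)),
]

if __name__ == "__main__":
    inbound = Packet("wan", "198.51.100.7", "core", "203.0.113.10", "tcp", 80)
    print(evaluate(RULES, inbound))        # Allow, forwarded to 10.0.1.102:80
    print(evaluate(RULES[:1], inbound))    # SAT alone: Drop
```

Running the model with only the SAT rule shows the classic mistake the manual warns about: the destination is rewritten but, with no Allow or NAT rule found afterwards, the connection is never opened.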
  • D-Link DFL-800-AV-12 | User Manual - Page 219
  • D-Link DFL-800-AV-12 | User Manual - Page 220
    knows such as a password. Method A may require a special biometric reader. Another problem is that the feature often can't be replaced if it is lost. Methods B with user authentication through validation of username/password combinations manually entered by a user attempting to gain access to
  • D-Link DFL-800-AV-12 | User Manual - Page 221
    that belong to the auditors group are only allowed to view the configuration. Press the buttons under the Groups edit box to grant these group memberships to NetDefendOS. To provide this, NetDefendOS supports the Remote Authentication Dial-in User Service (RADIUS) protocol. RADIUS with NetDefendOS
  • D-Link DFL-800-AV-12 | User Manual - Page 222
    8.2.4. Authentication Rules Chapter 8. User Authentication NetDefendOS acts as a RADIUS client, sending user credentials and connection parameter information as a RADIUS message to a nominated RADIUS server. The server processes the requests and sends back a RADIUS message to accept or deny them.
  • D-Link DFL-800-AV-12 | User Manual - Page 223
    or an external RADIUS database server. 7. NetDefendOS then allows further traffic through this connection as long as authentication was successful and the service requested is allowed by a rule in the IP rule set. That rule's Source Network object has either the No Defined Credentials option
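The RADIUS exchange described on the preceding pages (NetDefendOS as the client sending user credentials to a server that answers with an accept or a reject), worked through as an added Python example that is not D-Link code. It implements the RFC 2865 User-Password hiding with the shared secret and Request Authenticator, and the Response Authenticator check a client must perform before trusting an Access-Accept. The shared secret, user database and NAS address are constructed, and the server is a minimal in-process stand-in, so nothing is sent over the network.

```python
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks; block i is XORed with MD5(secret + previous
    ciphertext block), the first one with MD5(secret + Request Authenticator)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # padding removed; a password ending in NUL would lose it


def build_access_request(secret, ident, username, password, nas_ip, request_auth=None):
    ra = request_auth or os.urandom(16)     # fresh, unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, ra, password))
             + _attr(ATTR_NAS_IP_ADDRESS, IPv4Address(nas_ip).packed))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_response(secret, code, ident, request_auth, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(secret, request_auth, packet) -> bool:
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def server_handle(secret, packet, user_db):
    """Minimal stand-in for the RADIUS server: checks PAP credentials against user_db."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    ra = packet[4:20]
    attrs = dict(parse_attrs(packet[20:length]))
    password = reveal_password(secret, ra, attrs[ATTR_USER_PASSWORD])
    ok = code == ACCESS_REQUEST and user_db.get(attrs[ATTR_USER_NAME]) == password
    return build_response(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, ra)


def authenticate(secret, username, password, user_db, nas_ip="192.0.2.1", server_secret=None):
    """Client side as the firewall would behave: send, then verify the reply before trusting it."""
    request, ra = build_access_request(secret, 7, username, password, nas_ip)
    reply = server_handle(server_secret or secret, request, user_db)
    if not verify_response(secret, ra, reply):
        return "unverified"      # forged or wrong-secret reply: treat as no answer
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}[reply[0]]


if __name__ == "__main__":
    USERS = {b"alice": b"s3cr3t-pw"}         # constructed user database
    print(authenticate(b"radius-shared", b"alice", b"s3cr3t-pw", USERS))
```

Two points worth noticing: the password is only obfuscated with MD5 and the shared secret, not encrypted in any modern sense, which is why the manual's advice to keep RADIUS traffic on a trusted network matters; and a reply whose Response Authenticator does not verify (the `server_secret` mismatch case) must be treated exactly like a lost packet, so that the retry timeout and not the reply content decides what happens next.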
  • D-Link DFL-800-AV-12 | User Manual - Page 224
    User Authentication Changing the Management WebUI Port HTTP authentication will collide with the WebUI's remote management service which also uses TCP port 80. To avoid this, the WebUI port number should be changed before configuring authentication. Do this by going to Remote Management > Advanced
  • D-Link DFL-800-AV-12 | User Manual - Page 225
    8.2.6. HTTP Authentication Chapter 8. User Authentication

    #  Action  Src Interface  Src Network    Dest Interface  Dest Network  Service
    1  Allow   lan            lannet         core            lan_ip        http-all
    2  NAT     lan            trusted_users  wan             all-nets      http-all
    3  NAT     lan            lannet         wan             all-nets      dns-all
    4  SAT     lan
  • D-Link DFL-800-AV-12 | User Manual - Page 226
    how to enable HTTP user authentication for the user group users on lannet. Only users that belong to the group users can get Web browsing service after authentication, as it is defined in the IP rule. We assume that lannet, users, lan_ip, local user database folder - "lannet_auth_users", and an
  • D-Link DFL-800-AV-12 | User Manual - Page 227
    users to browse the Web. 1. Go to Rules > IP Rules > Add> IP rule 2. Now enter: • Name: Allow_http_auth • Action: NAT • Service: HTTP • Source Interface: lan • Source Network: lannet_users • Destination Interface any • Destination Network all-nets 3. Click OK Example 8.3. Configuring a RADIUS
  • D-Link DFL-800-AV-12 | User Manual - Page 228
    8.2.6. HTTP Authentication Chapter 8. User Authentication d. Port: 1812 (RADIUS service uses UDP port 1812 by default) e. Retry Timeout: 2 (NetDefendOS will resend the authentication request to the server if there is no response after the timeout,
  • D-Link DFL-800-AV-12 | User Manual - Page 229
    Chapter 9. VPN This chapter describes VPN usage with NetDefendOS. • Overview, page 229 • VPN Quickstart Guide, page 231 • IPsec, page 240 • IPsec Tunnels, page 253 • PPTP/L2TP, page 260 9.1. Overview 9.1.1. The Need for VPNs Most networks are connected to each other
  • D-Link DFL-800-AV-12 | User Manual - Page 230
    in a special DMZ or outside a firewall dedicated to this task. By doing this, you can restrict which services can be accessed via VPN and modem and ensure that these services are well protected against intruders. In instances where the firewall features an integrated VPN feature, it is usually
  • D-Link DFL-800-AV-12 | User Manual - Page 231
    Chapter 9. VPN 9.2. VPN Quickstart Guide Later sections in this chapter will explore VPN components in detail. To help put those later sections in context, this section is a quickstart summary of
  • D-Link DFL-800-AV-12 | User Manual - Page 232
    Dest Network remote_net lannet Service All All The Service used in these rules is All but it could be a predefined service. 6. Define a roaming clients before they connect. The client's IP address will be manually input into the VPN client software. 1. Set up user authentication. XAuth
  • D-Link DFL-800-AV-12 | User Manual - Page 233
    Interface ipsec_tunnel Src Network all-nets Dest Interface lan Dest Network lannet Service All Once an Allow rule permits the connection to be set up, 1. If a specific IP address range is to be used as a pool of available addresses then: • Create a Config Mode Pool object (there can only be one
  • D-Link DFL-800-AV-12 | User Manual - Page 234
    9.2.3. IPsec Roaming Clients with Certificates Chapter 9. VPN • Create a Config Mode Pool object (there can only be one associated with a NetDefendOS installation) and associate with it the IP Pool object defined in the previous step. • Enable the IKE Config Mode option in the IPsec Tunnel object
  • D-Link DFL-800-AV-12 | User Manual - Page 235
    9.2.4. L2TP Roaming Clients with Pre-Shared Keys Chapter 9. VPN 3. Define a Pre-shared Key for the IPsec tunnel. 4. Define an IPsec Tunnel object (let's call this object ipsec_tunnel) with the following parameters: • Set Local Network to ip_ext (specify all-nets instead if NetDefendOS is behind a
  • D-Link DFL-800-AV-12 | User Manual - Page 236
    Chapter 9. VPN

    Action  Src Interface  Src Network  Dest Interface  Dest Network  Service
    Allow   l2tp_tunnel    l2tp_pool    any             int_net       All
    NAT     ipsec_tunnel   l2tp_pool    ext             all-nets      All

    The second rule would be included to allow clients to surf the Internet via the ext interface on the D-Link Firewall
  • D-Link DFL-800-AV-12 | User Manual - Page 237
    Network pptp_pool pptp_pool Dest Interface any ext Dest Network int_net all-nets Service All All As described for L2TP, the NAT rule lets the the pre-shared key. 9.2.7. VPN Troubleshooting General Troubleshooting In all types of VPNs some basic troubleshooting checks can be made: • Check
  • D-Link DFL-800-AV-12 | User Manual - Page 238
    Dest Interface core Dest Network all-nets Service ICMP • Ensure that another IPsec Tunnel the correct tunnel being reached. The symptom of this problem is often an Incorrect Pre-shared Key message. • destination interface of core. Troubleshooting IPsec Tunnels A number of commands can be used
  • D-Link DFL-800-AV-12 | User Manual - Page 239
    9.2.7. VPN Troubleshooting Chapter 9. VPN IPsec Tunnel -----------L2TP_IPSec IPsec_Tun1 Local set up and then the management interface no longer operates then it is likely to be a problem with the management traffic being routed back through the VPN tunnel instead of the correct interface. This
  • D-Link DFL-800-AV-12 | User Manual - Page 240
    part is the actual IP data being transferred, using the encryption and authentication methods agreed upon in the IKE negotiation. This can be accomplished in a number of ways; by using IPsec protocols ESP, AH, or a combination of both. The flow of events can be briefly described as follows: • IKE
  • D-Link DFL-800-AV-12 | User Manual - Page 241
    9.3.2. Internet Key Exchange (IKE) Chapter 9. VPN IKE Negotiation The process of negotiating session parameters consists of a number of phases and modes. These are described in detail in the below sections. The flow of events can be summarized as follows: IKE Phase-1 IKE Phase-2 •
  • D-Link DFL-800-AV-12 | User Manual - Page 242
    is the most common authentication method today. PSK and certificates are supported by the NetDefendOS VPN module. IKE Phase-2 - IPsec Security connection is established and ready for use. IKE Parameters There are a number of parameters used in the negotiation process. Below is a summary of
  • D-Link DFL-800-AV-12 | User Manual - Page 243
    the packet really came from who the IP header claims it is from. More on AH in AH (Authentication Header). Note D-Link Firewalls do not support AH. This specifies the encryption algorithm used in the IKE negotiation, and depending on the algorithm, the size of the encryption key used. The algorithms
  • D-Link DFL-800-AV-12 | User Manual - Page 244
    • MD5 IKE DH (Diffie-Hellman) Group This specifies the Diffie-Hellman group to use when doing key exchanges in IKE. The Diffie-Hellman groups supported by NetDefendOS are: • DH group 1 (768-bit) • DH group 2 (1024-bit) • DH group 5 (1536-bit) Security of the key exchanges increases as the DH
  • D-Link DFL-800-AV-12 | User Manual - Page 245
    IPsec Authentication IPsec Lifetime This specifies the PFS group to use with PFS. The PFS groups supported by NetDefendOS are: • 1 modp 768-bit • 2 modp 1024-bit • 5 modp 1536 IKE lifetime. 9.3.3. IKE Authentication Manual Keying The "simplest" way of configuring a VPN is by using a method called
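An added Python example (not D-Link code) of the group 2 key exchange listed on this and the previous page, and of what enabling PFS buys. The 1024-bit modulus is the RFC 2409 group 2 MODP prime with generator 2, transcribed by hand, so the block includes a primality test that lets you verify the constant instead of trusting it; the Phase-2 key derivation is reduced to a SHA-1 hash over the DH secret, a stand-in for SKEYID_d and the nonces (the real IKE derivation is more involved), and every name in the block is this example's own.

```python
import hashlib
import secrets

# RFC 2409 "Second Oakley Group" = IKE DH group 2, 1024-bit MODP prime, generator 2.
# Transcribed here by hand; is_probable_prime() below lets you check it.
MODP_1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2
Q = (MODP_1024 - 1) // 2          # p is a safe prime; g = 2 generates the order-q subgroup


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(p=MODP_1024, g=GENERATOR):
    x = secrets.randbelow(p - 2) + 1          # private exponent, never transmitted
    return x, pow(g, x, p)


def dh_shared(priv: int, peer_pub: int, p=MODP_1024) -> int:
    """Reject out-of-range and small-subgroup public values before exponentiating."""
    if not 1 < peer_pub < p - 1 or pow(peer_pub, Q, p) != 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, p)


def ike_exchange(p=MODP_1024):
    """Initiator and responder each compute g^xy; returns (agreed?, secret bytes)."""
    xi, g_xi = dh_keypair(p)
    xr, g_xr = dh_keypair(p)
    k_i = dh_shared(xi, g_xr, p)
    k_r = dh_shared(xr, g_xi, p)
    return k_i == k_r, k_i.to_bytes(128, "big")


def phase2_key(skeyid_d: bytes, pfs: bool):
    """Toy Phase-2 key derivation: returns (key, nonce); the nonce travels in the clear."""
    nonce = secrets.token_bytes(16)
    if pfs:
        _, g_xy = ike_exchange()              # fresh DH secret for this SA only
        return hashlib.sha1(g_xy + skeyid_d + nonce).digest(), nonce
    return hashlib.sha1(skeyid_d + nonce).digest(), nonce


def from_captured(skeyid_d: bytes, nonce: bytes) -> bytes:
    """What someone holding SKEYID_d and a captured nonce can reconstruct: the
    non-PFS key exactly; the PFS key needs the DH secret they never saw."""
    return hashlib.sha1(skeyid_d + nonce).digest()


if __name__ == "__main__":
    print("group 2 modulus is a safe prime:", is_probable_prime(MODP_1024) and is_probable_prime(Q))
    agreed, secret = ike_exchange()
    print("shared secret agreed:", agreed, "bits:", len(secret) * 8)
```

The `dh_shared` check is the part most implementations got wrong historically: a peer that sends 1, p-1 or a value outside the order-q subgroup can force the shared secret into a tiny set, so the public value is validated before it is used. The PFS pair of functions shows the property the manual describes in words: without PFS, anyone who later learns the Phase-1 keying material can recompute every IPsec key from the captured nonces; with PFS each SA mixes in a fresh exchange.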
  • D-Link DFL-800-AV-12 | User Manual - Page 246
    support Manual Keying. Manual Keying Advantages Since it is very straightforward it will be quite interoperable. Most interoperability problems encountered today are in IKE. Manual a number of limitations, such as having to use the same encryption/authentication key always, no anti-replay services,
  • D-Link DFL-800-AV-12 | User Manual - Page 247
    9.3.4. IPsec Protocols (ESP/AH) Chapter 9. VPN roaming clients. Instead, should a client be compromised, the client's certificate can simply be revoked. No need to reconfigure every client. Certificate Disadvantages Added complexity. Certificate-based authentication may be used as part of a larger
  • D-Link DFL-800-AV-12 | User Manual - Page 248
    IKE and IPsec protocols that allows them to function when being NATed. NetDefendOS supports the RFC3947 standard for NAT-Traversal with IKE. NAT traversal is divided UDP packets in an effort to work around the NAT problems with IKE. The problem is that this special handling of IKE packets may in
  • D-Link DFL-800-AV-12 | User Manual - Page 249
    An IP address can be manually entered • DNS - A DNS address can be manually entered • Email - An email address can be manually entered 9.3.6. Proposal Lists To instance encryption algorithm, life times, etc., that the VPN firewall supports. There are two types of proposals, IKE proposals and IPsec
  • D-Link DFL-800-AV-12 | User Manual - Page 250
    using the command pskgen (this command is fully documented in the CLI Reference Guide). Example 9.2. Using a Pre-Shared key This example shows how to create :/> pskgen MyPSK -size=512 Or alternatively, to add the Pre-shared Key manually, use: gw-world:/> add PSK MyPSK Type=HEX PSKHex=
  • D-Link DFL-800-AV-12 | User Manual - Page 251
    the internal networks. The concept of Identification Lists presents a solution to this problem. An identification list contains one or more identities (IDs), where each CommonName="John Doe" OrganizationName=D-Link OrganizationalUnit=Support Country=Sweden [email protected]
  • D-Link DFL-800-AV-12 | User Manual - Page 252
    the ID eg. JohnDoe 4. Select Distinguished name in the Type control 5. Now enter: • Common Name: John Doe • Organization Name:D-Link • Organizational Unit: Support • Country: Sweden • Email Address: [email protected] 6. Click OK Finally, apply the Identification List to the IPsec tunnel: 1. Go to
  • D-Link DFL-800-AV-12 | User Manual - Page 253
    security surveillance of traffic passing through the tunnel. This section deals specifically with setting up Lan to Lan tunnels created with a Pre-shared Key (PSK). A number of steps are required to set up LAN to LAN tunnels with PSK: • Set up a Pre-shared Key or secret for the VPN tunnel. • Set
  • D-Link DFL-800-AV-12 | User Manual - Page 254
    9.4.3. Roaming Clients Chapter 9. VPN computer from different locations is a typical example of a roaming client. Apart from the need for secure VPN access, the other major issue with roaming clients is that the mobile user's IP address is often not known beforehand. To handle the unknown IP
  • D-Link DFL-800-AV-12 | User Manual - Page 255
    the certificate on the client 8. Create a new ID for every client that you want to grant access rights according to the instructions above D. Configure the IPsec tunnel: 1. Go to Interfaces > IPsec > Add > IPsec Tunnel 2. Now enter: • Name: RoamingIPsecTunnel • Local Network: 10.0.1.0/24 (This
  • D-Link DFL-800-AV-12 | User Manual - Page 256
    , such as Windows 2000 Server, there is built-in access to a CA server (in Windows 2000 Server this is found in Certificate Services). For more information on CA server issued certificates see Section 3.7, "X.509 Certificates". It is the responsibility of the administrator to acquire the appropriate
  • D-Link DFL-800-AV-12 | User Manual - Page 257
    the certificate on the client 8. Create a new ID for every client that you want to grant access rights according to the instructions above C. Configure the IPsec tunnel: 1. Go to Interfaces > IPsec > Add > IPsec Tunnel 2. Now enter: • Name: RoamingIPsecTunnel • Local Network: 10.0.1.0/24 (This
  • D-Link DFL-800-AV-12 | User Manual - Page 258
    the DNS used for URL resolution (already provided by an IP Pool). The IP address for NBNS/WINS resolution (already provided by an IP Pool). Instructs the host to send any internal DHCP requests to this address. A list of the subnets that the client can access. Example 9.7. Setting Up Config Mode
  • D-Link DFL-800-AV-12 | User Manual - Page 259
    administrator wishes to use another LDAP server. The LDAP configuration section can then be used to manually specify alternate LDAP servers. Example 9.9. Setting up an LDAP server This example shows how to manually setup and specify a LDAP server. CLI gw-world:/> add LDAPServer Host=192.168.101.146
  • D-Link DFL-800-AV-12 | User Manual - Page 260
    Microsoft in its operating systems since Windows 95 and therefore has a large number of clients with the software already installed. Troubleshooting PPTP A common problem with setting up PPTP is that a router and/or switch in a network is blocking TCP port 1723 and/or IP protocol 47 before the PPTP
  • D-Link DFL-800-AV-12 | User Manual - Page 261
    Tunneling protocol (L2TP) is an IETF open standard that overcomes many of the problems of PPTP. Its design is a combination of Layer 2 Forwarding (L2F) is certificate based and therefore is simpler to administer with a large number of clients and arguably offers better security than PPTP. Unlike PPTP
  • D-Link DFL-800-AV-12 | User Manual - Page 262
    9.5.2. L2TP Chapter 9. VPN 3. Now enter: • Inner IP Address: ip_l2tp • Tunnel Protocol: L2TP • Outer Interface Filter: l2tp_ipsec • Outer Server IP: wan_ip 4. Under the PPP Parameters tab, select L2TP_Pool in the IP Pool control 5. Under the Add Route tab, select all_nets in the Allowed Networks
  • D-Link DFL-800-AV-12 | User Manual - Page 263
    9.5.2. L2TP Chapter 9. VPN DHCPOverIPsec=Yes AddRouteToRemoteNet=Yes IPsecLifeTimeKilobytes=250000 IPsecLifeTimeSeconds=3600 Web Interface 1. Go to Interfaces > IPsec > Add > IPsec Tunnel 2. Enter a name for the IPsec tunnel, eg. l2tp_ipsec 3. Now enter: a. Local Network: wan_ip b. Remote Network:
  • D-Link DFL-800-AV-12 | User Manual - Page 264
    through from the tunnel, two IP rules should be added. E. Finally, set up the rules: CLI gw-world:/> add IPRule action=Allow Service=all_services SourceInterface=l2tp_tunnel SourceNetwork=l2tp_pool DestinationInterface=any DestinationNetwork=all-nets name=AllowL2TP gw-world:/> add IPRule action=NAT
  • D-Link DFL-800-AV-12 | User Manual - Page 265
    4. Click OK 5. Go to Rules > IP Rules > Add > IPRule 6. Enter a name for the rule, eg. NATL2TP 7. Now enter: • Action: NAT • Service: all_services • Source Interface: l2tp_tunnel • Source Network: l2tp_pool • Destination Interface: any • Destination Network: all-nets 8. Click OK
  • D-Link DFL-800-AV-12 | User Manual - Page 266
  • D-Link DFL-800-AV-12 | User Manual - Page 267
    Support NetDefendOS supports the Diffserv architecture in two ways: firstly NetDefendOS forwarding the 6 bits which make up the Diffserv Differentiated Services operates by measuring and queuing IP packets with respect to a number of configurable parameters. The objectives are: • Applying bandwidth
  • D-Link DFL-800-AV-12 | User Manual - Page 268
    up the Pipe Rule set. Each Rule is defined much like other NetDefendOS policies: by specifying the source/destination interface/network as well as the Service to which the rule is to apply. Once a new connection is permitted by the IP rule set, the Pipe rule set is always checked for
  • D-Link DFL-800-AV-12 | User Manual - Page 269
    require much planning. The example that follows applies a bandwidth limit to inbound traffic only. This is the direction most likely to cause problems for Internet connections. Example 10.1. Applying a Simple Bandwidth Limit Begin with creating a simple pipe that limits all traffic that gets passed
  • D-Link DFL-800-AV-12 | User Manual - Page 270
    name for the pipe, for instance outbound. 3. Now enter: • Service: all_services • Source Interface: lan • Source Network: lannet • Destination in each direction. Raising the total pipe limit to 4 Mbps won't solve the problem since the single pipe will not know that 2 Mbps inbound and 2 Mbps outbound
  • D-Link DFL-800-AV-12 | User Manual - Page 271
    . If no surfing is taking place then all of the 250 kbps allowed through std-in will be available for other traffic. This is not a bandwidth guarantee for web browsing but it is a 125 kbps bandwidth guarantee for everything except web browsing. For web browsing the normal rules of first-come, first
  • D-Link DFL-800-AV-12 | User Manual - Page 272
    all packets have had the same default precedence of 0. Eight precedences exist, numbered from 0 to 7. Precedence 0 is the least important and 7 is the packet. DSCP is a subset of the Diffserv architecture where the Type of Service (ToS) bits are included in the IP packet header. Pipe Precedences When
  • D-Link DFL-800-AV-12 | User Manual - Page 273
    SSH and Telnet rule sets the higher priority on packets related to these services and these packets are sent through the same pipe as other traffic. A problem can occur however if the prioritized traffic is a continuous stream such as real-time audio, resulting in continuous use of all available bandwidth
  • D-Link DFL-800-AV-12 | User Manual - Page 274
    with this approach: • Which traffic is more important? This question does not pose much of a problem here, but it becomes more pronounced as your traffic shaping scenario becomes more complex. • The number of precedences is limited. This may not be sufficient in all cases, even barring the "which
  • D-Link DFL-800-AV-12 | User Manual - Page 275
    ssh-in and telnet-in, then traffic will reach std-in at the lowest precedence only and hence compete for the 250 kbps of available bandwidth with other traffic. 10.1.9. Groups NetDefendOS provides further granularity of control within pipes through the ability to split pipe bandwidth according to
  • D-Link DFL-800-AV-12 | User Manual - Page 276
    for inbound SSH traffic. This prevents a single user from using up all available high-priority bandwidth. First we group the users of the ssh-in pipe for each user to some value, such as 40 kbps. There will be a problem if there are more than 5 users utilizing SSH simultaneously: 16 kbps times 5 is
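The pipe behaviour described across the last few pages (a pipe limit, per-precedence limits with higher precedences served first and the lowest precedence taking what is left, and per-user Groups capping each user's share), as an added Python model of one scheduling round; it is not NetDefendOS code. The 250 kbps pipe, the 125 kbps precedence-2 limit and the 40 kbps per-user cap come from the manual's own figures, the flow labels and user addresses are constructed, and what NetDefendOS does with traffic above a precedence limit is not modelled (it is simply not granted here).

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Demand:
    flow: str                     # label for the traffic (constructed)
    precedence: int               # 0 (lowest) .. 7 (highest)
    kbps: float                   # offered load
    group: Optional[str] = None   # grouping key, e.g. source IP, when Groups are used


def allocate(pipe_limit: float, precedence_limits: Dict[int, float],
             demands, group_limit: Optional[float] = None) -> Dict[str, float]:
    """One scheduling round of a pipe.

    Higher precedences are served first, each capped by its own limit and by what
    is left of the pipe limit; the lowest precedence gets the remainder, first come
    first served. With group_limit set, no single group gets more than that at any
    precedence. Traffic above a precedence limit is simply not granted here."""
    remaining = pipe_limit
    granted: Dict[str, float] = {}
    for prec in sorted({d.precedence for d in demands}, reverse=True):
        cap = precedence_limits.get(prec)
        budget = remaining if cap is None else min(cap, remaining)
        used_by_group: Dict[str, float] = {}
        for d in demands:
            if d.precedence != prec:
                continue
            give = min(d.kbps, budget)
            if group_limit is not None and d.group is not None:
                give = min(give, group_limit - used_by_group.get(d.group, 0.0))
                used_by_group[d.group] = used_by_group.get(d.group, 0.0) + give
            granted[d.flow] = give
            budget -= give
            remaining -= give
    return granted


# Constructed scenario from the manual's numbers: a 250 kbps inbound pipe where
# precedence 2 (SSH/Telnet) is limited to 125 kbps and web browsing is precedence 0.
if __name__ == "__main__":
    print(allocate(250, {2: 125}, [Demand("web", 0, 300), Demand("ssh", 2, 100)]))
    print(allocate(250, {2: 125}, [Demand("web", 0, 300)]))            # web takes it all
    users = [Demand(f"ssh-user{i}", 2, 100, group=f"10.0.0.{i}") for i in range(1, 7)]
    print(allocate(250, {2: 125}, users, group_limit=40))             # 6 users x 40 > 125
```

The last call reproduces the arithmetic the manual points at: with a 125 kbps precedence limit and a 40 kbps per-user cap, only three users get their full share, the fourth gets the 5 kbps remainder and the rest get nothing at that precedence.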
  • D-Link DFL-800-AV-12 | User Manual - Page 277
    lower precedences. Limits should be slightly less than available bandwidth Pipe limits should be slightly below the the Internet connection is full. The problems resulting from leaks are exactly the same control but sharing the same connection. Troubleshooting For a better understanding of what is
  • D-Link DFL-800-AV-12 | User Manual - Page 278
    10.1.11. A Summary of Traffic Shaping Chapter 10. Traffic Management • A pipe can have a limit which is the maximum amount of traffic allowed. • A pipe can only know when it is full if a limit is specified. • A single pipe should handle traffic in only one direction (although 2 way pipes are
  • D-Link DFL-800-AV-12 | User Manual - Page 279
    . It might alternatively be some external source trying to open excessive numbers of connections. (A "connection" in this context refers to all source/destination network/interface can be specified for a rule and a type of service such as HTTP can be associated with it. Each rule can have associated
  • D-Link DFL-800-AV-12 | User Manual - Page 280
    with blacklisting enabled will blacklist the source network associated with the rule. If the Threshold Rule is linked to a service then it is possible to block only that service. When Blacklisting is chosen, then the administrator can elect that existing connections from the triggering source can be
  • D-Link DFL-800-AV-12 | User Manual - Page 281
    tool that can improve the following aspects of network applications: • Performance • Scalability • Reliability • Ease of administration SLB allows network service demands to be shared among multiple servers. This improves both the performance and the scalability applications by allowing a cluster of
  • D-Link DFL-800-AV-12 | User Manual - Page 282
    have different needs. In the IP rule set the administrator can configure rules for specific services. SLB will then filter the packet flow according to these rules. NetDefendOS SLB supports the following distribution modes: Per-state Distribution IP Address Stickiness Network Stickiness In this
  • D-Link DFL-800-AV-12 | User Manual - Page 283
    the load to servers in order. Regardless of each server's capability and other aspects, for instance, the number of existing connections on a server or its response time, all the available servers take turns in being assigned the next connection. This algorithm ensures that all servers receive an
  • D-Link DFL-800-AV-12 | User Manual - Page 284
    R3 and R4 will be routed to another server since the number of new connections on each server within the Window Time span is counted specified port on each server. For example, if a server is specified as running web services on port 80, the SLB will send a TCP SYN request to that port. If
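The SLB distribution behaviour described on these pages (round-robin and connection-rate selection, IP or network stickiness, and dropping servers that fail the ICMP or TCP monitor), as an added Python model; this is not NetDefendOS code. The server and client addresses are constructed, the sticky idle timeout and the /24 granularity used for network stickiness are assumptions, and the health monitor is replaced by a `set_health()` call so the block runs offline.

```python
import ipaddress
from collections import defaultdict, deque
from typing import Dict, List, Optional


class ServerLoadBalancer:
    """Per-state distribution with optional stickiness and health-based exclusion."""

    def __init__(self, servers: List[str], algorithm: str = "round_robin",
                 stickiness: str = "none", window_time: float = 10.0,
                 sticky_timeout: float = 60.0):
        self.servers = list(servers)
        self.alive = set(servers)
        self.algorithm = algorithm              # "round_robin" or "connection_rate"
        self.stickiness = stickiness            # "none", "ip" or "network"
        self.window_time = window_time          # seconds counted by connection_rate
        self.sticky_timeout = sticky_timeout    # idle seconds after which stickiness lapses
        self._rr = 0
        self._recent: Dict[str, deque] = defaultdict(deque)   # server -> new-connection times
        self._sticky: Dict[str, tuple] = {}                    # key -> (server, last seen)

    def set_health(self, server: str, up: bool) -> None:
        """Result of the monitor (ICMP ping or TCP connect in the manual): exclude dead servers."""
        (self.alive.add if up else self.alive.discard)(server)

    def _key(self, src_ip: str) -> Optional[str]:
        if self.stickiness == "ip":
            return src_ip
        if self.stickiness == "network":        # assumed /24 granularity for the example
            return str(ipaddress.ip_network(f"{src_ip}/24", strict=False))
        return None

    def assign(self, src_ip: str, now: float) -> Optional[str]:
        candidates = [s for s in self.servers if s in self.alive]
        if not candidates:
            return None                         # nothing healthy: the connection fails
        key = self._key(src_ip)
        if key in self._sticky:
            server, last = self._sticky[key]
            if server in self.alive and now - last <= self.sticky_timeout:
                self._sticky[key] = (server, now)
                return server
        if self.algorithm == "round_robin":
            server = candidates[self._rr % len(candidates)]
            self._rr += 1
        else:                                   # fewest new connections inside Window Time
            for s in candidates:
                q = self._recent[s]
                while q and now - q[0] > self.window_time:
                    q.popleft()
            server = min(candidates, key=lambda s: (len(self._recent[s]), candidates.index(s)))
        self._recent[server].append(now)
        if key is not None:
            self._sticky[key] = (server, now)
        return server


if __name__ == "__main__":
    lb = ServerLoadBalancer(["10.0.1.11", "10.0.1.12", "10.0.1.13"], stickiness="ip")
    for t, client in enumerate(["198.51.100.5", "198.51.100.6", "198.51.100.5", "203.0.113.9"]):
        print(client, "->", lb.assign(client, t))
```

Stickiness is consulted before the algorithm, which is what keeps a client on the server holding its session state, and it is dropped the moment the monitor marks that server down, so a sticky client is moved rather than left pointing at a dead host.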
  • D-Link DFL-800-AV-12 | User Manual - Page 285
    10.3.6. SLB_SAT Rules Chapter 10. Traffic Management The key component in setting up SLB is the SLB_SAT rule in the IP rule set. The steps that should be followed are: 1. Define an Object for each server for which SLB is to be done. 2. Define a Group which includes all these objects 3. Define an
  • D-Link DFL-800-AV-12 | User Manual - Page 286
    NAT IP rule for internal clients: 1. Go to Rules > IP Rule Sets > main > Add > IP Rule 2. Enter: • Name: Web_SLB_NAT • Action: NAT • Service: HTTP • Source Interface: lan • Source Network: lannet • Destination Interface: core • Destination Network: ip_ext 3. Click OK E. Specify an ALLOW IP rule for
  • D-Link DFL-800-AV-12 | User Manual - Page 287
    10.3.6. SLB_SAT Rules • Service: HTTP • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: ip_ext 3. Click OK Chapter 10. Traffic Management 287
  • D-Link DFL-800-AV-12 | User Manual - Page 288
    10.3.6. SLB_SAT Rules Chapter 10. Traffic Management 288
  • D-Link DFL-800-AV-12 | User Manual - Page 289
    on certain models of D-Link Firewalls. Currently the firewalls that offer this feature are the DFL-1600 and DFL-2500 models. The pre-installed licenses for these models include HA support. HA Clusters D-Link High Availability (HA) works by adding a back-up slave D-Link Firewall to an existing master
  • D-Link DFL-800-AV-12 | User Manual - Page 290
    D-Link Firewalls. As the internal operation of different security gateway manufacturers' software is completely dissimilar, there is no common method available for communicating state information to a dissimilar device. It is also strongly recommended that the D-Link Firewalls used in a cluster have
  • D-Link DFL-800-AV-12 | User Manual - Page 291
    Mechanisms Chapter 11. High Availability 11.2. High Availability Mechanisms D-Link HA provides a redundant, state-synchronized hardware configuration. The state of the active unit, such as the connection table and other vital information, is
  • D-Link DFL-800-AV-12 | User Manual - Page 292
    11.2. High Availability Mechanisms packets destined for the shared hardware address. Chapter 11. High Availability 292
  • D-Link DFL-800-AV-12 | User Manual - Page 293
    Setup Chapter 11. High Availability 11.3. High Availability Setup This section provides a step-by-step guide for setting up an HA and slave, assuming they are similar systems. Figure 11.1. High Availability Setup The illustration above shows the typical HA Cluster connections. All interfaces
  • D-Link DFL-800-AV-12 | User Manual - Page 294
    Connect to the master unit with the WebUI. 2. Go to System > High Availability 3. Check the Enable High Availability checkbox 4. Set the Cluster ID. This must be unique for each cluster. 5. Choose the Sync Interface 6. Select the node type to be Master 7. Go to Objects > Address book and create an
  • D-Link DFL-800-AV-12 | User Manual - Page 295
    Cluster Functioning Chapter 11. High Availability This device is an HA MASTER This device is currently ACTIVE (will forward traffic) HA cluster peer is ALIVE Then use the stat command to verify that both master and slave have about the same number of connections. The output should contain
  • D-Link DFL-800-AV-12 | User Manual - Page 296
    Issues Chapter 11. High Availability 11.4. High Availability Issues The following points should be kept in mind else such as for source IPs in dynamically NATed connections or publishing services on them, will inevitably cause problems, as unique IPs will disappear when the firewall it belongs to
  • D-Link DFL-800-AV-12 | User Manual - Page 297
    11.4. High Availability Issues Chapter 11. High Availability 297
  • D-Link DFL-800-AV-12 | User Manual - Page 298
    often by large numbers of new blocks all traffic for the host or network displaying the unusual behaviour. Blocked hosts and networks remain blocked until the system administrator manually unblocks them using the Web or Command Line interface. Note ZoneDefense is available on the D-Link DFL-800
  • D-Link DFL-800-AV-12 | User Manual - Page 299
    is to be controlled by the firewall has to be manually specified in the firewall configuration. The information needed in switch model type • The SNMP community string (write access) The ZoneDefense feature currently supports the following switches: • D-Link DES 3226S (minimum firmware: R4.02-B14)
  • D-Link DFL-800-AV-12 | User Manual - Page 300
    rule will trigger ZoneDefense to block out a specific host or if the total number of connections to the and destination network • Service • Type of threshold: the switch(es). All blocking in response to threshold violations the source network will be blocked out instead of just the offending
  • D-Link DFL-800-AV-12 | User Manual - Page 301
    blocked or excluded. Manually blocked hosts and networks can be blocked by default or based on a schedule. It is also possible to specify which protocols and protocol port numbers are to be blocked Community String configured for the switch 4. Press Check Switch to verify the firewall can
  • D-Link DFL-800-AV-12 | User Manual - Page 302
    interface address 192.168.1.1 from the Available list and put it into the enter: • Name: HTTP-Threshold • Service: http 3. For Address Filter enter: number of rules supported by different switches. Some switches support a maximum of 50 rules while others support up to 800 (usually, in order to block
  • D-Link DFL-800-AV-12 | User Manual - Page 303
    12.3.4. Limitations Chapter 12. ZoneDefense 303
  • D-Link DFL-800-AV-12 | User Manual - Page 304
    Chapter 13. Advanced Settings This chapter describes the configurable advanced settings for NetDefendOS. The settings are divided up into the following categories: Note After an advanced setting is changed a reconfiguration must be performed in order for the new NetDefendOS configuration to be
  • D-Link DFL-800-AV-12 | User Manual - Page 305
    packets with a TTL of 0. Default: Enabled Block0000Src Block 0.0.0.0 as source address. Default: Drop Block0Net Block 0.* as source addresses. Default: DropLog Block127Net Block 127.* as source addresses. Default: DropLog BlockMulticastSrc Block multicast both source addresses (224.0.0.0 - 255.255
  • D-Link DFL-800-AV-12 | User Manual - Page 306
    : ValidateLogBad IPOptionSizes Verifies the size of "IP options". These options are small blocks of information that may be added to the end of each IP header. regardless of this setting. Default: DropLog IPOPT_TS Time stamp options instruct each router and firewall on the packet's route to indicate
  • D-Link DFL-800-AV-12 | User Manual - Page 307
    the action taken on packets whose TCP MSS option falls below the stipulated TCPMSSMin value. Values that are too low could cause problems in poorly written TCP stacks. Default: DropLog TCPMSSMax Determines the maximum permissible TCP MSS size. Packets containing maximum segment sizes exceeding this
  • D-Link DFL-800-AV-12 | User Manual - Page 308
    ) method, TSOPT is used to prevent the sequence numbers (a 32-bit figure) from "exceeding" their upper limit without the recipient being aware of it. This is not normally a problem. Using TSOPT, some TCP stacks optimize their connection by measuring the time it takes for a packet to travel to and
  • D-Link DFL-800-AV-12 | User Manual - Page 309
    TCPOPT_CC Chapter 13. Advanced Settings to transport alternate checksums where permitted by ALTCHKREQ above. Normally never seen on modern networks. Default: StripLog TCPOPT_CC Determines how NetDefendOS will handle connection count options. Default: StripLogBad TCPOPT_OTHER Specifies how
  • D-Link DFL-800-AV-12 | User Manual - Page 310
    , but as long as there are only a few operating systems supporting this standard, the flags should be stripped. Default: StripLog TCPRF is set to ValidateLogBad such drops will also be logged. TCP sequence number validation is only possible on connections tracked by the state-engine (not on
  • D-Link DFL-800-AV-12 | User Manual - Page 311
    13.3. ICMP Level Settings Chapter 13. Advanced Settings 13.3. ICMP Level Settings ICMPSendPerSecLimit Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this
  • D-Link DFL-800-AV-12 | User Manual - Page 312
    an existing item in the ARP table. Allowing this to take place may facilitate hijacking of local connections. However, not allowing this may cause problems if, for example, a network adapter is replaced, as NetDefendOS will not accept the new address until the previous ARP table entry has timed out
  • D-Link DFL-800-AV-12 | User Manual - Page 313
    ARPExpireUnknown Chapter 13. Advanced Settings ARPExpire Specifies how long a normal dynamic item in the ARP table is to be retained before it is removed from the table. Default: 900 seconds (15 minutes) ARPExpireUnknown Specifies how long NetDefendOS is to remember addresses that cannot be
  • D-Link DFL-800-AV-12 | User Manual - Page 314
    is not subject to this setting. The log message includes port, service, source/destination IP address and interface. This setting should only be connection list to replace the oldest connections if there is no available space. Default: ReplaceLog LogOpenFails In some instances where the Rules
  • D-Link DFL-800-AV-12 | User Manual - Page 315
    LogConnections Chapter 13. Advanced Settings • NoLog - Does not log any connections; consequently, it will not matter if logging is enabled for either Allow or NAT rules in the Rules section; they will not be logged. However, FwdFast, Drop and Reject rules will be logged as stipulated by the
  • D-Link DFL-800-AV-12 | User Manual - Page 316
    13.6. Connection Timeouts Chapter 13. Advanced Settings 13.6. Connection Timeouts The settings in this section specify how long a connection can remain idle, i.e. no data being sent through it, before it is automatically closed. Please note that each connection has two timeout values: one for each
  • D-Link DFL-800-AV-12 | User Manual - Page 317
    AllowBothSidesToKeepConnAlive_UDP Default: False Chapter 13. Advanced Settings 317
  • D-Link DFL-800-AV-12 | User Manual - Page 318
    13.7. Size Limits by Protocol Chapter 13. Advanced Settings 13.7. Size Limits by Protocol This section contains information about the size limits imposed on the protocols directly under IP level, i.e. TCP, UDP, ICMP, etc. The values specified here concern the IP data contained in packets. In the
  • D-Link DFL-800-AV-12 | User Manual - Page 319
    MaxOSPFLen Chapter 13. Advanced Settings MaxSKIPLen Specifies the maximum size of a SKIP packet. Default: 2000 bytes MaxOSPFLen Specifies the maximum size of an OSPF packet. OSPF is a routing protocol mainly used in larger LANs. Default: 1480 MaxIPIPLen Specifies the maximum size of an IP-in-IP
  • D-Link DFL-800-AV-12 | User Manual - Page 320
    by sending illegal fragments during a reassembly, and in this way block almost all communication. Default: DropLog - discards individual fragments and being sampled. If the comparison is made in a larger number of samples, it is more likely to find mismatching duplicates. However, more comparisons result in
  • D-Link DFL-800-AV-12 | User Manual - Page 321
    may arise if, for example, the IllegalFrags setting has been set to Drop rather than DropPacket. The following settings are available for FragReassemblyFail: • NoLog - No logging is done when a reassembly attempt fails. • LogSuspect - Logs failed reassembly attempts only if "suspect" fragments
  • D-Link DFL-800-AV-12 | User Manual - Page 322
    subsequently reduce the effective MTU to 1440 bytes. This would result in the creation of a number of 1440 byte fragments and an equal number of 40 byte fragments. Because of the potential problems this can cause, the default settings in NetDefendOS have been designed to allow the smallest possible
  • D-Link DFL-800-AV-12 | User Manual - Page 323
    ReassIllegalLinger Chapter 13. Advanced Settings Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in its memory in order to prevent further fragments of that packet from arriving. Default: 60 seconds 323
  • D-Link DFL-800-AV-12 | User Manual - Page 324
    13.9. Local Fragment Reassembly Settings Chapter 13. Advanced Settings 13.9. Local Fragment Reassembly Settings LocalReass_MaxConcurrent Maximum number of concurrent local reassemblies. Default: 256 LocalReass_MaxSize Maximum size of a locally reassembled packet. Default: 10000 LocalReass_NumLarge
  • D-Link DFL-800-AV-12 | User Manual - Page 325
    13.10. DHCP Settings Chapter 13. Advanced Settings 13.10. DHCP Settings DHCP_MinimumLeaseTime Minimum lease time (seconds) accepted from the DHCP server. Default: 60 DHCP_ValidateBcast Require that the assigned broadcast address is the highest address in the assigned network. Default: Enabled
  • D-Link DFL-800-AV-12 | User Manual - Page 326
    13.11. DHCPRelay Settings Chapter 13. Advanced Settings 13.11. DHCPRelay Settings DHCPRelay_MaxTransactions Maximum number of transactions at the same time. Default: 32 DHCPRelay_TransactionTimeout For how long a DHCP transaction can take place. Default: 10 seconds DHCPRelay_MaxPPMPerIface How
  • D-Link DFL-800-AV-12 | User Manual - Page 327
    13.12. DHCPServer Settings Chapter 13. Advanced Settings 13.12. DHCPServer Settings DHCPServer_SaveLeasePolicy What policy should be used to save the lease database to the disk, possible settings are Disabled, ReconfShut, or ReconfShutTimer. Default: ReconfShut DHCPServer_AutoSaveLeaseInterval How
  • D-Link DFL-800-AV-12 | User Manual - Page 328
    any time, so even if the "next update" field says that a new CRL is available in 12 hours, there may already be a new CRL for download. This setting limits certificate will be considered invalid. Default: 15 IPsecCertCacheMaxCerts Maximum number of certificates/CRLs that can be held in the internal
  • D-Link DFL-800-AV-12 | User Manual - Page 329
    IPsecDeleteSAOnIPValidationFailure Chapter 13. Advanced Settings IPsecDeleteSAOnIPValidationFailure Controls what happens to the SAs if IP validation in Config Mode fails. If Enabled, the security associations (SAs) are deleted on failure. Default: Disabled 329
  • D-Link DFL-800-AV-12 | User Manual - Page 330
    NetDefendOS to send another log message, which in turn will result in another ICMP UNREACHABLE message, and so on. By limiting the number of log messages NetDefendOS sends every second, you avoid encountering such devastating bandwidth-consuming scenarios. Default: 3600 seconds, once an hour 330
  • D-Link DFL-800-AV-12 | User Manual - Page 331
    13.15. Time Synchronization Settings Chapter 13. Advanced Settings 13.15. Time Synchronization Settings TimeSync_SyncInterval Seconds between each resynchronization. Default: 86400 TimeSync_MaxAdjust Maximum time drift that a server is allowed to adjust. Default: 3600 TimeSync_ServerType Type of
  • D-Link DFL-800-AV-12 | User Manual - Page 332
    TimeSync_DSTStartDate DST offset in minutes. Default: 0 TimeSync_DSTStartDate What month and day DST starts, in the format MM-DD. Default: none TimeSync_DSTEndDate What month and day DST ends, in the format MM-DD. Default: none Chapter 13. Advanced Settings 332
  • D-Link DFL-800-AV-12 | User Manual - Page 333
    13.16. PPP Settings Chapter 13. Advanced Settings 13.16. PPP Settings PPP_L2TPBeforeRules Pass L2TP traffic sent to the D-Link Firewall directly to the L2TP Server without consulting the rule set. Default: Enabled PPP_PPTPBeforeRules Pass PPTP traffic sent to the D-Link Firewall directly to the
  • D-Link DFL-800-AV-12 | User Manual - Page 334
    13.17. Hardware Monitor Settings Chapter 13. Advanced Settings 13.17. Hardware Monitor Settings HWM_PollInterval Polling interval for the Hardware Monitor, which is the delay in milliseconds between readings of hardware monitor values. Minimum 100, Maximum 10000. Default: 500 ms HWMMem_Interval Memory
  • D-Link DFL-800-AV-12 | User Manual - Page 335
    specifies how many connections can use the re-assembly system at the same time. It is expressed as a percentage of the total number of allowed connections. Minimum 1, Maximum 100. Default: 80 Reassembly_MaxProcessingMem This setting specifies how much memory that the re-assembly system can allocate
  • D-Link DFL-800-AV-12 | User Manual - Page 336
    of pipe users to allocate. As pipe users are only tracked for a 20th of a second, this number usually does not need to be anywhere near the number of actual users, or the number of statefully tracked connections. If there are no configured pipes, no pipe users will be allocated, regardless of this
  • D-Link DFL-800-AV-12 | User Manual - Page 337
    MaxPipeUsers Chapter 13. Advanced Settings 337
  • D-Link DFL-800-AV-12 | User Manual - Page 338
    manual" which explains registration and update service procedures in more detail is available manually initiate updating by selecting Update now to download the latest signatures to the database. Database Console Commands IDP and Anti-Virus (AV) databases can be controlled directly through a number
  • D-Link DFL-800-AV-12 | User Manual - Page 339
    : gw-world:/> updatecenter -status IDP To get the status of AV updates: gw-world:/> updatecenter -status Antivirus Querying Server Status To command: gw-world:/> updatecenter -servers Deleting Local Databases Some technical problem in the operation of either IDP or the Anti-Virus modules may
  • D-Link DFL-800-AV-12 | User Manual - Page 340
    Appendix B. IDP Signature Groups For IDP scanning, the following signature groups are available for selection. These groups are available only for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Policy. For further information see Section 6.5,
  • D-Link DFL-800-AV-12 | User Manual - Page 341
    Group Name FTP_FORMATSTRING FTP_GENERAL FTP_LOGIN FTP_OVERFLOW GAME_BOMBERCLONE GAME_GENERAL GAME_UNREAL HTTP_APACHE HTTP_BADBLUE HTTP_CGI HTTP_CISCO HTTP_GENERAL HTTP_MICROSOFTIIS HTTP_OVERFLOWS HTTP_TOMCAT ICMP_GENERAL IGMP_GENERAL IMAP_GENERAL IM_AOL IM_GENERAL IM_MSN IM_YAHOO IP_GENERAL
  • D-Link DFL-800-AV-12 | User Manual - Page 342
    scanners Nessus Scanner Anti-virus solutions Internet Security Systems software McAfee Symantec AV solution SMB Error SMB Exploit SMB attacks NetBIOS attacks SMB worms SMTP command attack Denial of Service for SMTP SMTP protocol and implementation SMTP Overflow SPAM SNMP encoding SNMP protocol
  • D-Link DFL-800-AV-12 | User Manual - Page 343
    Coldfusion file inclusion File inclusion Web application attacks JSP file inclusion Popular web application packages PHP XML RPC SQL Injection Cross-Site-Scripting MS WINS Service Worms Generic X applications 343
  • D-Link DFL-800-AV-12 | User Manual - Page 344
    Appendix C. Checked MIME filetypes The HTTP Application Layer Gateway has the ability to verify that the contents of a file downloaded via the HTTP protocol is the type that the filetype in its filename indicates. This appendix lists the MIME filetypes that can be checked by NetDefendOS to make sure
  • D-Link DFL-800-AV-12 | User Manual - Page 345
    Filetype extension elc emd esp exe fgf flac flc fli flv gdbm gif gzip, gz, tgz hap hpk hqx icc icm ico imf Inf it java jar jng jpg, jpeg, jpe, jff, jfif, jif jrc jsw kdelnk lha lim lisp lzh md mdb mid,midi mmf mng mod mp3 mp4 mpg,mpeg mpv Microsoft files msa niff, nif noa nsf obj, o ocx ogg out
  • D-Link DFL-800-AV-12 | User Manual - Page 346
    Filetype extension pac pbf pbm pdf pe pfb pgm pkg pll pma png ppm ps psa psd qt, mov, moov qxd ra, ram rar rbs riff, rif rm rpm rtf, wri sar sbi sc sgi sid sit sky snd, au so sof sqw sqz stm svg svr4 swf tar tfm tiff, tif tnef torrent ttf txw ufa vcf viv wav Appendix C. Checked MIME filetypes
  • D-Link DFL-800-AV-12 | User Manual - Page 347
    Filetype extension wk wmv wrl, vrml xcf xm xml xmcd xpm yc zif zip zoo zpk z Appendix C. Checked MIME filetypes Application Lotus 1-2-3 document Windows Media file Plain Text VRML file GIMP Image file Fast Tracker 2 Extended Module , audio file XML file xmcd database file for kscd BMC Software
  • D-Link DFL-800-AV-12 | User Manual - Page 348
    be implemented independently. Figure D.1. The 7 layers of the OSI model Layer number Layer 7 Layer 6 Layer 5 Layer 4 Layer 3 Layer 2 Layer 1 Network Layer Data-Link Layer Physical Layer Defines the user interface that supports applications directly. Protocols: HTTP, FTP, DNS, SMTP, Telnet, SNMP
  • D-Link DFL-800-AV-12 | User Manual - Page 349
    for further details regarding support of D-Link products as well as contact details for local support. Australia Belgium Brazil Brussels, Belgium. Tel: +32(0)2 517 7111, Fax: +32(0)2 517 6500. Website: www.dlink.be Av das Nacoes Unidas, 11857 - 14- andar - cj 141/142, Brooklin Novo, Sao Paulo -
  • D-Link DFL-800-AV-12 | User Manual - Page 350
    dlink dlink.pl Rua Fernando Pahla, 50 Edificio Simol, 1900 Lisbon, Portugal. TEL: +351 21 8688493. Website: www.dlink dlink-intl.com Einstein Park II, Block dlink.es P.O. Box 15036, S-167 15 Bromma, Sweden. TEL: 46-(0)8564-61900, FAX: 46-(0)8564-61901. Website: www.dlink . Website: www.dlink.ch No. 289
  • D-Link DFL-800-AV-12 | User Manual - Page 351
    Block0Net setting, 305 Block127Net setting, 305 blocking applications with IDP, 188 BlockMulticastSrc setting change, 25 cluster (see high availability) cluster ID (see high availability) command line interface (see CLI) 135 DefaultTTL setting, 305 denial of service, 198 DHCP, 127 over ethernet,
  • D-Link DFL-800-AV-12 | User Manual - Page 352
    attack (see denial of service) Drop IP rule, 75 availability) HA cluster (see high availability) high availability, 289 cluster ID, 296 issues, 296 mechanisms, 291 setup, 293 with transparent mode, 120 HighBuffers setting with high availability 240 quickstart guide, 231 troubleshooting, 237 tunnels
  • D-Link DFL-800-AV-12 | User Manual - Page 353
    319 MaxOtherSubIPLen setting, 319 MaxPipeUsers setting, 336 max sessions services parameter, 54 MaxSKIPLen setting, 318 MaxTCPLen setting, 318 , 62 PPP_L2TPBeforeRules setting, 333 PPP_PPTPBeforeRules setting, 333 PPTP, 260 quickstart guide, 236 precedences in pipes, 272 pre-shared keys, 231, 250
  • D-Link DFL-800-AV-12 | User Manual - Page 354
    , 272 recommendations, 276 summary, 277 transparent mode, 119 implementation, 119 with high availability, 120 vs routing mode, 119 TTLMin setting, 305 TTLOnLow setting, 305 tunnels, 57 U SIP, 152 VOIP (see voice over IP) VPN, 229 planning, 229 quickstart guide, 231 troubleshooting, 237 X 354
  • D-Link DFL-800-AV-12 | User Manual - Page 355
    X.509 certificates, 79 identification lists, 251 with IPsec, 234 Z zonedefense IDP, 194 zone defense, 298 switches, 299 Alphabetical Index 355
