Home » D-Link Manuals » Network Security & Firewall Devices » D-Link DFL-860E » Manual Viewer

D-Link DFL-860E User Manual for DFL-260E - Page 18

TLS Termination, Anti-Virus Scanning, Intrusion Detection and, Prevention, Web Content Filtering

Add to My Manuals
Save this manual to your list of manuals

Page 18 highlights

1.1. Features Chapter 1. NetDefendOS Overview VPN TLS Termination Anti-Virus Scanning Intrusion Detection and Prevention Web Content Filtering Traffic Management Operations and Maintenance NetDefendOS supports a range of Virtual Private Network (VPN) solutions. Support exists for IPsec, L2TP and PPTP as well as SSL VPN with security policies definable for individual VPN connections. This topic is covered in Chapter 9, VPN. NetDefendOS supports TLS termination so that the NetDefend Firewall can act as the end point for connections by HTTP web-browser clients (this feature is sometimes called SSL termination). For detailed information, see Section 6.2.10, "The TLS ALG". NetDefendOS features integrated anti-virus functionality. Traffic passing through the NetDefend Firewall can be subjected to in-depth scanning for viruses, and virus sending hosts can be black-listed and blocked. For details of this feature, seeSection 6.4, "Anti-Virus Scanning". To mitigate application-layer attacks towards vulnerabilities in services and applications, NetDefendOS provides a powerful Intrusion Detection and Prevention (IDP) engine. The IDP engine is policy-based and is able to perform high-performance scanning and detection of attacks and can perform blocking and optional black-listing of attacking hosts. More information about the IDP capabilities of NetDefendOS can be found in Section 6.5, "Intrusion Detection and Prevention". Note Full IDP is available on all D-Link NetDefend product models as a subscription service. On some models, a simplified IDP subsystem is provided as standard. NetDefendOS provides various mechanisms for filtering web content that is deemed inappropriate according to a web usage policy. With Web Content Filtering (WCF) web content can be blocked based on category (Dynamic WCF), malicious objects can be removed from web pages and web sites can be whitelisted or blacklisted. More information about this topic can be found in Section 6.3, "Web Content Filtering". NetDefendOS provides broad traffic management capabilities through Traffic Shaping, Threshold Rules (certain models only) and Server Load Balancing. Traffic Shaping enables limiting and balancing of bandwidth; Threshold Rules allow specification of thresholds for sending alarms and/or limiting network traffic; Server Load Balancing enables a device running NetDefendOS to distribute network load to multiple hosts. These features are discussed in detail in Chapter 10, Traffic Management. Note Threshold Rules are only available on certain D-Link NetDefend product models. Administrator management of NetDefendOS is possible through either a Web-based User Interface (the WebUI) or via a Command Line Interface (the CLI). NetDefendOS also 18

Section	Page
User Manual	3
Table of Contents	4
Preface	15
Chapter 1. NetDefendOS Overview	17
1.1. Features	17
1.2. NetDefendOS Architecture	20
1.2.1. State-based Architecture	20
1.2.2. NetDefendOS Building Blocks	20
1.2.3. Basic Packet Flow	21
1.3. NetDefendOS State Engine Packet Flow	24
Chapter 2. Management and Maintenance	29
2.1. Managing NetDefendOS	29
2.1.1. Overview	29
2.1.2. The Default Administrator Account	30
2.1.3. The Web Interface	30
2.1.4. The CLI	36
2.1.5. CLI Scripts	44
2.1.6. Secure Copy	48
2.1.7. The Console Boot Menu	50
2.1.8. Management Advanced Settings	52
2.1.9. Working with Configurations	53
2.2. Events and Logging	59
2.2.1. Overview	59
2.2.2. Log Messages	59
2.2.3. Creating Log Receivers	60
2.2.4. Logging to MemoryLogReceiver	60
2.2.5. Logging to Syslog Hosts	60
2.2.6. Severity Filter and Message Exceptions	62
2.2.7. SNMP Traps	62
2.2.8. Advanced Log Settings	64
2.3. RADIUS Accounting	65
2.3.1. Overview	65
2.3.2. RADIUS Accounting Messages	65
2.3.3. Interim Accounting Messages	67
2.3.4. Activating RADIUS Accounting	67
2.3.5. RADIUS Accounting Security	68
2.3.6. RADIUS Accounting and High Availability	68
2.3.7. Handling Unresponsive RADIUS Servers	68
2.3.8. Accounting and System Shutdowns	69
2.3.9. Limitations with NAT	69
2.3.10. RADIUS Advanced Settings	69
2.4. Monitoring	71
2.4.1. The Link Monitor	71
2.4.2. SNMP Monitoring	73
2.4.3. Hardware Monitoring	76
2.4.4. Memory Monitoring Settings	78
2.5. The pcapdump Command	80
2.6. Maintenance	83
2.6.1. Auto-Update Mechanism	83
2.6.2. Backing Up Configurations	83
2.6.3. Restore to Factory Defaults	85
Chapter 3. Fundamentals	88
3.1. The Address Book	88
3.1.1. Overview	88
3.1.2. IP Addresses	88
3.1.3. Ethernet Addresses	90
3.1.4. Address Groups	91
3.1.5. Auto-Generated Address Objects	92
3.1.6. Address Book Folders	92
3.2. IPv6 Support	93
3.3. Services	98
3.3.1. Overview	98
3.3.2. Creating Custom Services	99
3.3.3. ICMP Services	102
3.3.4. Custom IP Protocol Services	104
3.3.5. Service Groups	104
3.3.6. Custom Service Timeouts	105
3.4. Interfaces	106
3.4.1. Overview	106
3.4.2. Ethernet Interfaces	108
3.4.2.1. Useful CLI Commands for Ethernet Interfaces	112
3.4.3. VLAN	115
3.4.4. PPPoE	118
3.4.5. GRE Tunnels	120
3.4.6. Interface Groups	124
3.5. ARP	126
3.5.1. Overview	126
3.5.2. The NetDefendOS ARP Cache	126
3.5.3. Creating ARP Objects	128
3.5.4. Using ARP Advanced Settings	130
3.5.5. ARP Advanced Settings Summary	131
3.6. IP Rules	135
3.6.1. Security Policies	135
3.6.2. IP Rule Evaluation	138
3.6.3. IP Rule Actions	139
3.6.4. Editing IP rule set Entries	140
3.6.5. IP Rule Set Folders	141
3.6.6. Configuration Object Groups	142
3.7. Schedules	146
3.8. Certificates	148
3.8.1. Overview	148
3.8.2. Certificates in NetDefendOS	150
3.8.3. CA Certificate Requests	151
3.9. Date and Time	153
3.9.1. Overview	153
3.9.2. Setting Date and Time	153
3.9.3. Time Servers	154
3.9.4. Settings Summary for Date and Time	157
3.10. DNS	160
Chapter 4. Routing	164
4.1. Overview	164
4.2. Static Routing	165
4.2.1. The Principles of Routing	165
4.2.2. Static Routing	169
4.2.3. Route Failover	174
4.2.4. Host Monitoring for Route Failover	177
4.2.5. Advanced Settings for Route Failover	179
4.2.6. Proxy ARP	180
4.3. Policy-based Routing	183
4.4. Route Load Balancing	190
4.5. OSPF	196
4.5.1. Dynamic Routing	196
4.5.2. OSPF Concepts	199
4.5.3. OSPF Components	204
4.5.3.1. OSPF Router Process	204
4.5.3.2. OSPF Area	206
4.5.3.3. OSPF Interface	207
4.5.3.4. OSPF Neighbors	209
4.5.3.5. OSPF Aggregates	209
4.5.3.6. OSPF VLinks	209
4.5.4. Dynamic Routing Rules	210
4.5.4.1. Overview	210
4.5.4.2. Dynamic Routing Rule	212
4.5.4.3. OSPF Action	212
4.5.4.4. Routing Action	213
4.5.5. Setting Up OSPF	213
4.5.6. An OSPF Example	217
4.6. Multicast Routing	220
4.6.1. Overview	220
4.6.2. Multicast Forwarding with SAT Multiplex Rules	221
4.6.2.1. Multicast Forwarding - No Address Translation	221
4.6.2.2. Multicast Forwarding - Address Translation Scenario	224
4.6.3. IGMP Configuration	225
4.6.3.1. IGMP Rules Configuration - No Address Translation	227
4.6.3.2. IGMP Rules Configuration - Address Translation	228
4.6.4. Advanced IGMP Settings	230
4.7. Transparent Mode	233
4.7.1. Overview	233
4.7.2. Enabling Internet Access	238
4.7.3. Transparent Mode Scenarios	239
4.7.4. Spanning Tree BPDU Support	243
4.7.5. Advanced Settings for Transparent Mode	244
Chapter 5. DHCP Services	249
5.1. Overview	249
5.2. DHCP Servers	250
5.2.1. Static DHCP Hosts	253
5.2.2. Custom Options	255
5.3. DHCP Relaying	256
5.3.1. DHCP Relay Advanced Settings	257
5.4. IP Pools	259
Chapter 6. Security Mechanisms	263
6.1. Access Rules	263
6.1.1. Overview	263
6.1.2. IP Spoofing	264
6.1.3. Access Rule Settings	264
6.2. ALGs	266
6.2.1. Overview	266
6.2.2. The HTTP ALG	267
6.2.3. The FTP ALG	270
6.2.4. The TFTP ALG	279
6.2.5. The SMTP ALG	280
6.2.5.1. Anti-Spam Filtering	283
6.2.6. The POP3 ALG	289
6.2.7. The PPTP ALG	290
6.2.8. The SIP ALG	291
6.2.9. The H.323 ALG	302
6.2.10. The TLS ALG	316
6.3. Web Content Filtering	319
6.3.1. Overview	319
6.3.2. Active Content Handling	319
6.3.3. Static Content Filtering	320
6.3.4. Dynamic Web Content Filtering	322
6.3.4.1. Overview	322
6.3.4.2. Setting Up WCF	323
6.3.4.3. Content Filtering Categories	327
6.3.4.4. Customizing WCF HTML Pages	334
6.4. Anti-Virus Scanning	337
6.4.1. Overview	337
6.4.2. Implementation	337
6.4.3. Activating Anti-Virus Scanning	338
6.4.4. The Signature Database	338
6.4.5. Subscribing to the D-Link Anti-Virus Service	339
6.4.6. Anti-Virus Options	339
6.5. Intrusion Detection and Prevention	343
6.5.1. Overview	343
6.5.2. IDP Availability for D-Link Models	343
6.5.3. IDP Rules	345
6.5.4. Insertion/Evasion Attack Prevention	347
6.5.5. IDP Pattern Matching	348
6.5.6. IDP Signature Groups	349
6.5.7. IDP Actions	350
6.5.8. SMTP Log Receiver for IDP Events	351
6.6. Denial-of-Service Attack Prevention	355
6.6.1. Overview	355
6.6.2. DoS Attack Mechanisms	355
6.6.3. Ping of Death and Jolt Attacks	355
6.6.4. Fragmentation overlap attacks: Teardrop, Bonk, Boink and Nestea	356
6.6.5. The Land and LaTierra attacks	356
6.6.6. The WinNuke attack	356
6.6.7. Amplification attacks: Smurf, Papasmurf, Fraggle	357
6.6.8. TCP SYN Flood Attacks	358
6.6.9. The Jolt2 Attack	358
6.6.10. Distributed DoS Attacks	358
6.7. Blacklisting Hosts and Networks	360
Chapter 7. Address Translation	363
7.1. Overview	363
7.2. NAT	364
7.3. NAT Pools	369
7.4. SAT	372
7.4.1. Translation of a Single IP Address (1:1)	372
7.4.2. Translation of Multiple IP Addresses (M:N)	377
7.4.3. All-to-One Mappings (N:1)	379
7.4.4. Port Translation	381
7.4.5. Protocols Handled by SAT	381
7.4.6. Multiple SAT Rule Matches	381
7.4.7. SAT and FwdFast Rules	382
Chapter 8. User Authentication	385
8.1. Overview	385
8.2. Authentication Setup	387
8.2.1. Setup Summary	387
8.2.2. The Local Database	387
8.2.3. External RADIUS Servers	389
8.2.4. External LDAP Servers	389
8.2.5. Authentication Rules	396
8.2.6. Authentication Processing	398
8.2.7. A Group Usage Example	399
8.2.8. HTTP Authentication	399
8.3. Customizing Authentication HTML Pages	404
Chapter 9. VPN	409
9.1. Overview	409
9.1.1. VPN Usage	409
9.1.2. VPN Encryption	410
9.1.3. VPN Planning	411
9.1.4. Key Distribution	411
9.1.5. The TLS Alternative for VPN	412
9.2. VPN Quick Start	413
9.2.1. IPsec LAN to LAN with Pre-shared Keys	414
9.2.2. IPsec LAN to LAN with Certificates	415
9.2.3. IPsec Roaming Clients with Pre-shared Keys	416
9.2.4. IPsec Roaming Clients with Certificates	418
9.2.5. L2TP Roaming Clients with Pre-Shared Keys	419
9.2.6. L2TP Roaming Clients with Certificates	421
9.2.7. PPTP Roaming Clients	421
9.3. IPsec Components	423
9.3.1. Overview	423
9.3.2. Internet Key Exchange (IKE)	423
9.3.3. IKE Authentication	429
9.3.4. IPsec Protocols (ESP/AH)	430
9.3.5. NAT Traversal	431
9.3.6. Algorithm Proposal Lists	433
9.3.7. Pre-shared Keys	434
9.3.8. Identification Lists	435
9.4. IPsec Tunnels	438
9.4.1. Overview	438
9.4.2. LAN to LAN Tunnels with Pre-shared Keys	440
9.4.3. Roaming Clients	440
9.4.4. Fetching CRLs from an alternate LDAP server	445
9.4.5. Troubleshooting with ikesnoop	446
9.4.6. IPsec Advanced Settings	453
9.5. PPTP/L2TP	457
9.5.1. PPTP Servers	457
9.5.2. L2TP Servers	458
9.5.3. L2TP/PPTP Server advanced settings	463
9.5.4. PPTP/L2TP Clients	463
9.6. SSL VPN	466
9.6.1. Overview	466
9.6.2. Configuring SSL VPN in NetDefendOS	467
9.6.3. Installing the SSL VPN Client	469
9.6.4. Setup Example	472
9.7. CA Server Access	474
9.8. VPN Troubleshooting	477
9.8.1. General Troubleshooting	477
9.8.2. Troubleshooting Certificates	478
9.8.3. IPsec Troubleshooting Commands	478
9.8.4. Management Interface Failure with VPN	479
9.8.5. Specific Error Messages	479
9.8.6. Specific Symptoms	482
Chapter 10. Traffic Management	485
10.1. Traffic Shaping	485
10.1.1. Overview	485
10.1.2. Traffic Shaping in NetDefendOS	486
10.1.3. Simple Bandwidth Limiting	488
10.1.4. Limiting Bandwidth in Both Directions	489
10.1.5. Creating Differentiated Limits Using Chains	490
10.1.6. Precedences	492
10.1.7. Pipe Groups	496
10.1.8. Traffic Shaping Recommendations	499
10.1.9. A Summary of Traffic Shaping	500
10.1.10. More Pipe Examples	501
10.2. IDP Traffic Shaping	506
10.2.1. Overview	506
10.2.2. Setting Up IDP Traffic Shaping	506
10.2.3. Processing Flow	507
10.2.4. The Importance of Specifying a Network	507
10.2.5. A P2P Scenario	508
10.2.6. Viewing Traffic Shaping Objects	509
10.2.7. Guaranteeing Instead of Limiting Bandwidth	510
10.2.8. Logging	510
10.3. Threshold Rules	511
10.4. Server Load Balancing	514
10.4.1. Overview	514
10.4.2. SLB Distribution Algorithms	515
10.4.3. Selecting Stickiness	516
10.4.4. SLB Algorithms and Stickiness	517
10.4.5. Server Health Monitoring	518
10.4.6. Setting Up SLB_SAT Rules	519
Chapter 11. High Availability	523
11.1. Overview	523
11.2. HA Mechanisms	525
11.3. Setting Up HA	528
11.3.1. HA Hardware Setup	528
11.3.2. NetDefendOS Manual HA Setup	529
11.3.3. Verifying the Cluster Functions	530
11.3.4. Unique Shared Mac Addresses	531
11.4. HA Issues	532
11.5. Upgrading an HA Cluster	534
11.6. Link Monitoring and HA	536
11.7. HA Advanced Settings	537
Chapter 12. ZoneDefense	539
12.1. Overview	539
12.2. ZoneDefense Switches	540
12.3. ZoneDefense Operation	541
12.3.1. SNMP	541
12.3.2. Threshold Rules	541
12.3.3. Manual Blocking and Exclude Lists	541
12.3.4. ZoneDefense with Anti-Virus Scanning	543
12.3.5. Limitations	543
Chapter 13. Advanced Settings	546
13.1. IP Level Settings	546
13.2. TCP Level Settings	550
13.3. ICMP Level Settings	555
13.4. State Settings	556
13.5. Connection Timeout Settings	558
13.6. Length Limit Settings	560
13.7. Fragmentation Settings	562
13.8. Local Fragment Reassembly Settings	566
13.9. Miscellaneous Settings	567
Appendix A. Subscribing to Updates	570
Appendix B. IDP Signature Groups	572
Appendix C. Verified MIME filetypes	576
Appendix D. The OSI Framework	580

Match case Limit results 1 per page

VPN

NetDefendOS supports a range of Virtual Private Network

(VPN) solutions. Support exists for IPsec, L2TP and PPTP as

well

SSL

VPN

with

security

policies

definable

for

individual

VPN

connections.

This

topic

covered

Chapter 9, VPN

TLS Termination

NetDefendOS

supports

TLS

termination

that

the

NetDefend Firewall can act as the end point for connections

by HTTP web-browser clients (this feature is sometimes

called

SSL

termination

For

detailed

information,

see

Section 6.2.10, “The TLS ALG”

Anti-Virus Scanning

NetDefendOS

features

integrated

anti-virus

functionality.

Traffic

passing

through

the

NetDefend

Firewall

can

subjected to in-depth scanning for viruses, and virus sending

hosts can be black-listed and blocked. For details of this

feature, see

Section 6.4, “Anti-Virus Scanning”

Intrusion Detection and

Prevention

To mitigate application-layer attacks towards vulnerabilities

services

and

applications,

NetDefendOS

provides

powerful

Intrusion Detection and Prevention

(IDP) engine.

The IDP engine is policy-based and is able to perform

high-performance scanning and detection of attacks and can

perform

blocking

and

optional

black-listing

attacking

hosts.

information

about

the

IDP

capabilities

NetDefendOS

can

found

Section

6.5,

“Intrusion

Detection and Prevention”

Note

Full IDP is available on all D-Link NetDefend

product models as a subscription service. On

some models, a simplified IDP subsystem is

provided as standard.

Web Content Filtering

NetDefendOS provides various mechanisms for filtering web

content that is deemed inappropriate according to a web usage

policy. With

Web Content Filtering

(WCF) web content can

be blocked based on category (

Dynamic WCF

), malicious

objects can be removed from web pages and web sites can be

whitelisted or blacklisted. More information about this topic

can be found in

Section 6.3, “Web Content Filtering”

Traffic Management

NetDefendOS provides broad traffic management capabilities

through

Traffic Shaping

Threshold Rules

(certain models

only) and

Server Load Balancing

Traffic Shaping enables limiting and balancing of bandwidth;

Threshold Rules allow specification of thresholds for sending

alarms and/or limiting network traffic; Server Load Balancing

enables a device running NetDefendOS to distribute network

load to multiple hosts. These features are discussed in detail

Chapter 10, Traffic Management

Note

Threshold Rules are only available on certain

D-Link NetDefend product models.

Operations and Maintenance

Administrator

management

NetDefendOS

possible

through either a Web-based User Interface (the WebUI) or via

a Command Line Interface (the CLI). NetDefendOS also

1.1. Features

Chapter 1. NetDefendOS Overview