D-Link DFL-1600 Product Manual

D-Link DFL-1600 - Security Appliance Manual

D-Link DFL-1600 manual content summary:

  • D-Link DFL-1600 | Product Manual - Page 1
    Network Security Firewall User Manual DFL-210/ 800/1600/ 2500 DFL-260/ 860/1660/ 2560(G) Ver 2.27.01 SecurSiteycurity Network Security Solution http://www.dlink.com
  • D-Link DFL-1600 | Product Manual - Page 2
    User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2010-06-22 Copyright © 2010
  • D-Link DFL-1600 | Product Manual - Page 3
    User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 Published 2010-06-22 Copyright © 2010 Copyright Notice This publication purpose. D-Link reserves the right to revise this publication and to make changes from time to time in the content hereof without any
  • D-Link DFL-1600 | Product Manual - Page 4
    Table of Contents Preface ...14 1. NetDefendOS Overview 16 1.1. Features 16 1.2. NetDefendOS Architecture 19 1.2.1. State-based Architecture Backing Up Configurations 73 2.7.3. Restore to Factory Defaults 74 3. Fundamentals 77 3.1. The Address Book 77 3.1.1. Overview 77 3.1.2. IP Addresses
  • D-Link DFL-1600 | Product Manual - Page 5
    User Manual 3.2.3. ICMP Services 86 3.2.4. Custom IP Protocol Services 88 3.2.5. Service Groups 88 3.2.6. Custom Service Timeouts 89 3.3. Interfaces 90 3.3.1. Overview 90 3.3.2. Ethernet Interfaces 92 3.3.3. VLAN 97 3.3.4. PPPoE 101 3.3.5. GRE Tunnels 103 3.3.6. Interface Groups 107 3.4.
  • D-Link DFL-1600 | Product Manual - Page 6
    User Manual 4.7. Transparent Mode 207 4.7.1. Overview 207 4.7.2. Enabling Internet Access 211 4.7.3. Transparent Mode Scenarios 213 4.7.4. Spanning Tree BPDU Support 217 4.7.5. Advanced Settings for Transparent Mode 218 5. DHCP Services 223 5.1. Overview 223 5.2. DHCP Servers 224 5.2.1.
  • D-Link DFL-1600 | Product Manual - Page 7
    Identification Lists 403 9.4. IPsec Tunnels 406 9.4.1. Overview 406 9.4.2. LAN to LAN Tunnels with Pre-shared Keys 408 9.4.3. Roaming Clients 408 9.4.4. Fetching CRLs from an alternate LDAP server 413 9.4.5. Troubleshooting with ikesnoop 414 9.4.6. IPsec Advanced Settings 421 9.5. PPTP
  • D-Link DFL-1600 | Product Manual - Page 8
    User Manual 9.7.2. Troubleshooting Certificates 437 9.7.3. IPsec Troubleshooting Commands 438 9.7.4. Management Interface Failure with VPN 439 9.7.5. Specific Error Messages 439 9.7.6. Specific Symptoms 442 10. Traffic Management 444 10.1. Traffic Shaping 444 10.1.1. Overview
  • D-Link DFL-1600 | Product Manual - Page 9
    User Manual 13.1. IP Level Settings 504 13.2. TCP Level Settings 508 13.3. ICMP Level Settings 513 13.4. State Settings 514 13.5. Connection Timeout Settings 516 13.6. Length Limit
  • D-Link DFL-1600 | Product Manual - Page 10
    ALG Hybrid Mode 245 6.4. SMTP ALG Processing Order 256 6.5. Anti-Spam Filtering 258 6.6. PPTP ALG Usage 264 6.7. TLS Termination 290 6.8. Dynamic Content Filtering Flow 296 6.9. IDP Database Updating 316 7.1. NAT IP Address Translation 335 7.2. A NAT Example 337 7.3. Anonymizing with NAT
  • D-Link DFL-1600 | Product Manual - Page 11
    User Manual 10.10. Connections from Three Clients 476 10.11. Stickiness and Round-Robin 477 10.12. Stickiness and Connection-rate 477 D.1. The 7 Layers of the OSI Model 537 11
  • D-Link DFL-1600 | Product Manual - Page 12
    Ethernet Address 79 3.6. Listing the Available Services 82 3.7. Viewing a Specific Service 83 3.8. Creating a Custom TCP/UDP Service 86 3.9. Adding an IP Protocol Service 88 3.10. Defining a VLAN 100 3.11. Configuring a PPPoE Client 103 3.12. Creating an Interface Group 107 3.13. Displaying
  • D-Link DFL-1600 | Product Manual - Page 13
    Internal Network 346 7.5. Translating Traffic to Multiple Protected Web Servers 348 8.1. Creating an Authentication User Group 371 8.2. User Authentication Setup for Web Access 371 8.3. Configuring a RADIUS Server 372 8.4. Editing Content Filtering HTTP Banner Files 374 9.1. Using an Algorithm
  • D-Link DFL-1600 | Product Manual - Page 14
    some systems may not allow this). For example, http://www.dlink.com. Screenshots This guide contains a minimum of screenshots. This is deliberate and is done because the manual deals specifically with NetDefendOS and administrators have a choice of management user interfaces. It was decided that the
  • D-Link DFL-1600 | Product Manual - Page 15
    Now enter: • DataItem1: datavalue1 • DataItem2: datavalue2 Highlighted Content Special sections of text which the reader should pay special This is essential reading for the user as they should be aware that a serious . Trademarks Certain names in this publication are the trademarks of their respective
  • D-Link DFL-1600 | Product Manual - Page 16
    the key features of the product: IP Routing Firewalling Policies Address Translation NetDefendOS provides a variety of options for IP routing including static routing, dynamic routing, as well as multicast routing capabilities. In addition, NetDefendOS supports features such as Virtual LANs, Route
  • D-Link DFL-1600 | Product Manual - Page 17
    D-Link NetDefend product models as a subscription service. On some models, a simplified IDP subsystem is provided as standard. NetDefendOS provides various mechanisms for filtering web content that is deemed inappropriate according to a web usage policy. With Web Content Filtering (WCF) web content
  • D-Link DFL-1600 | Product Manual - Page 18
    enables a device running NetDefendOS to distribute network load to multiple hosts. These features are discussed in detail in Chapter 10, Traffic Management. Note Threshold Rules are only available on certain D-Link NetDefend product models. Administrator management of NetDefendOS is possible through
  • D-Link DFL-1600 | Product Manual - Page 19
    the NetDefend Firewall. Without interfaces, a NetDefendOS system has no means for receiving or sending traffic. The following types of interface are supported in NetDefendOS: • Physical interfaces - These correspond to the actual physical Ethernet ports. • Sub-interfaces - These include VLAN and
  • D-Link DFL-1600 | Product Manual - Page 20
    IP Rules, which are used to define the layer 3 IP filtering VLAN ID (Virtual LAN identifier), the system checks for a configured VLAN interface with a corresponding VLAN ID. If one is found, that VLAN In other words, by default, an interface will only accept source IP addresses that belong to
  • D-Link DFL-1600 | Product Manual - Page 21
    interfaces • Source and destination network • IP protocol (for example TCP, UDP, ICMP) • TCP/UDP . In addition, the service object which matched the IP protocol and ports might the contents of the packet is encapsulated (such as with IPsec, PPTP/L2TP or some other type of tunneled protocol
  • D-Link DFL-1600 | Product Manual - Page 22
    1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview processing such as encryption or encapsulation might occur. The next section provides a set of diagrams illustrating the flow of packets through NetDefendOS. 22
  • D-Link DFL-1600 | Product Manual - Page 23
    . There are three diagrams, each flowing into the next. It is not necessary to understand these diagrams, however, they can be useful as a reference when configuring NetDefendOS in certain situations. Figure 1.1. Packet Flow Schematic Part I The packet flow is continued on the following page. 23
  • D-Link DFL-1600 | Product Manual - Page 24
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Figure 1.2. Packet Flow Schematic Part II The packet flow is continued on the following page. 24
  • D-Link DFL-1600 | Product Manual - Page 25
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Figure 1.3. Packet Flow Schematic Part III 25
  • D-Link DFL-1600 | Product Manual - Page 26
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Apply Rules The figure below presents the detailed logic of the Apply Rules function in Figure 1.2, "Packet Flow Schematic Part II" above. Figure 1.4. Expanded Apply Rules Logic 26
  • D-Link DFL-1600 | Product Manual - Page 27
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 27
  • D-Link DFL-1600 | Product Manual - Page 28
    configuration User Interface or WebUI) is built into NetDefendOS and provides a user-friendly and intuitive graphical management interface, accessible from a standard web browser (Microsoft Internet NetDefend Firewall. Various files used by NetDefendOS can be both uploaded and downloaded with SCP.
  • D-Link DFL-1600 | Product Manual - Page 29
    through a specific IPsec tunnel. By default, Web Interface access is enabled for users on the network connected via the LAN interface of the D-Link firewall (on products where more than one LAN interface is available, LAN1 is the default interface). 2.1.2. The Default Administrator Account By
  • D-Link DFL-1600 | Product Manual - Page 30
    the public Internet using a standard computer without having to install client software. Assignment of a Default IP Address For a new D-Link NetDefend firewall with factory defaults, a default internal IP address is assigned automatically by NetDefendOS to the hardware's LAN1 interface (or the LAN
  • D-Link DFL-1600 | Product Manual - Page 31
    in the browser window. If no configuration changes have yet been uploaded to the NetDefend Firewall, the NetDefendOS Setup Wizard will start automatically to take a new user through the essential steps for NetDefendOS setup and establishing public Internet access. Important: Switch off popup
  • D-Link DFL-1600 | Product Manual - Page 32
    of the configuration to your local computer or restore a previously downloaded backup. • Reset - Restart the firewall or reset to factory default. • Upgrade - Upgrade the firewall's firmware. • Technical support - This option provides the option to download a file from the firewall which can
  • D-Link DFL-1600 | Product Manual - Page 33
    example is provided for informational purposes only. It is never recommended to expose any management interface to any user on the Internet. problem with the management interface when communicating alongside VPN tunnels, check the main routing table and look for an all-nets route to the VPN tunnel
  • D-Link DFL-1600 | Product Manual - Page 34
    Link CLI Reference Guide. The most often used CLI commands are: • add - Adds an object such as an IP address or a rule to a NetDefendOS configuration. • set - Sets some property of an object to a value. For example the user to move through the list of commands in the CLI command history. For example,
  • D-Link DFL-1600 | Product Manual - Page 35
    Completion of Parameters Another useful feature with tab completion is the example: add LogReceiverSyslog example Address=example_ip LogSeverity=< (tab) Will fill in the default value for LogSeverity: add LogReceiverSyslog example . Using categories means that the user has a simple way to specify
  • D-Link DFL-1600 | Product Manual - Page 36
    : gw-world:/main> add Route Name=new_route1 Interface=lan Network=lannet To deselect the category, the command is multiple values, they should be separated by a comma "," character. For example, the IP rule set have an ordering which is important. When adding using the CLI add command, the default is
  • D-Link DFL-1600 | Product Manual - Page 37
    and PPTP tunnels. • The Host for LDAP servers. When DNS lookup needs to be done, at least one public DNS server must be configured in NetDefendOS for hostnames to be translated to IP addresses. Serial Console CLI Access The serial console port is a local RS-232 port on the NetDefend Firewall that
  • D-Link DFL-1600 | Product Manual - Page 38
    supports version 1, 1.5 and 2 of the SSH protocol. SSH access is regulated by the remote management policy in NetDefendOS, and is disabled by default. Example 2.2. Enabling SSH Remote Access This example shows how to enable remote SSH access from the lannet network through the lan interface
  • D-Link DFL-1600 | Product Manual - Page 39
    default CLI prompt is: gw-world:/> where Device is the model number of the NetDefend Firewall. This can be customized, for example, to my-prompt:/>, by using the CLI command: gw-world:/> set device name="my-prompt" The CLI Reference Guide are made to the current configuration through the CLI, those
  • D-Link DFL-1600 | Product Manual - Page 40
    if2_net Address=10.8.1.0/24 In this example, local IP addresses are used for illustration but these could be public IP addresses instead. Next, create a ISP's gateway. In other words, Internet access has been enabled for the NetDefend Firewall. Managing Management Sessions with sessionmanager The
  • D-Link DFL-1600 | Product Manual - Page 41
    and execution. The complete syntax of the command is described in the CLI Reference Guide and specific examples of usage are detailed in the following sections. See also Section 2.1.4, "The CLI" in this manual. Only Four Commands are Allowed in Scripts The commands allowed in a script file are
  • D-Link DFL-1600 | Product Manual - Page 42
    uploaded to the NetDefend Firewall. For example, to execute the 12.11.01 Comments="If1 address" Script Validation and Command Ordering CLI scripts are not, by default, validated. This means that the written ordering of the script does not matter. There can be a reference to a configuration
  • D-Link DFL-1600 | Product Manual - Page 43
    script file encounters an error condition, the default behavior is for the script to terminate. Scripts When a script file is uploaded to the NetDefend Firewall, it is initially kept only in temporary RAM memory content of a specific uploaded script file, for example my_script.sgs the command would be:
  • D-Link DFL-1600 | Product Manual - Page 44
    Chapter 2. Management and Maintenance gw-world:/> script -show -name=my_script.sgs Creating Scripts Automatically When the same configuration objects need to be copied between multiple NetDefend Firewalls, then one way to do this with the CLI is to create a script file that creates the required
  • D-Link DFL-1600 | Product Manual - Page 45
    performed with the command: > scp Download is done with the command: > scp The source or destination NetDefend Firewall is of the form: @:. For example: [email protected]:config.bak
  • D-Link DFL-1600 | Product Manual - Page 46
    a header). If an administrator username is admin1 and the IP address of the NetDefend Firewall is 10.5.62.11 then to upload a configuration backup, the SCP command would be: > scp config.bak admin1@10.5.62.11: To download a configuration backup to the current local directory, the command would be
  • D-Link DFL-1600 | Product Manual - Page 47
    If we have the same CLI script file called my_scripts.sgs stored on the NetDefend Firewall then the download command would be: > scp admin1@10.5.62.11:script/my_script.sgs ./ Activating Uploads Like all configuration changes, SCP uploads only become active after the CLI commands activate have been
  • D-Link DFL-1600 | Product Manual - Page 48
    2. Management and Maintenance The options available in the boot menu are: 1. Start firewall This initiates the complete startup of the NetDefendOS software on the NetDefend Firewall. 2. Reset unit to factory defaults This option will restore the hardware to its initial factory state. The operations
  • D-Link DFL-1600 | Product Manual - Page 49
    : Enabled WebUI Before Rules Enable HTTP(S) traffic to the firewall regardless of configured IP Rules. Default: Enabled Local Console Timeout Number of seconds of inactivity until the local console user is automatically logged out. Default: 900 Validation Timeout Specifies the amount of seconds to
  • D-Link DFL-1600 | Product Manual - Page 50
    the objects. Example 2.4. Displaying a Configuration Object The simplest operation on a configuration object is to show its contents, in other words the values of the object properties. This example shows how to display the contents of a configuration object representing the telnet service. Command
  • D-Link DFL-1600 | Product Manual - Page 51
    of NetDefendOS, you will most likely need to modify one or several configuration objects. This example shows how to edit the Comments property of the telnet service. Command-Line Interface gw-world:/> set Service ServiceTCPUDP telnet Comments="Modified Comment" Show the object again to verify the
  • D-Link DFL-1600 | Product Manual - Page 52
    object will not be applied to a running system until the new NetDefendOS configuration is activated. Example 2.6. Adding a Configuration Object This example shows how to add a new IP4Address object, here creating the IP address 192.168.10.10, to the address book. Command-Line Interface
  • D-Link DFL-1600 | Product Manual - Page 53
    the last commit. Example 2.9. Listing Modified Configuration Objects This example shows how to list configuration objects that have been configurations of live IPsec tunnels are committed, then those live tunnels connections will be terminated and must be re-established. If the new configuration
  • D-Link DFL-1600 | Product Manual - Page 54
    and Maintenance default) during which a connection to the administrator must be re-established. As described previously, if the configuration was activated out. Example 2.10. Activating and Committing a Configuration This example shows how to activate and commit a new configuration. Command-
  • D-Link DFL-1600 | Product Manual - Page 55
    . Examples of such events are the establishment and teardown of connections, receipt of malformed packets as well as the dropping of traffic according to filtering policies. Whenever an event message is generated, it can be filtered and distributed to all configured Event Receivers. Multiple event
  • D-Link DFL-1600 | Product Manual - Page 56
    default, NetDefendOS sends all messages of level Info and above to configured log servers. The Debug category is intended for troubleshooting only and should only be turned on if required when trying to solve a problem feature that allows logging direct to memory in the NetDefend Firewall
  • D-Link DFL-1600 | Product Manual - Page 57
    IP address of the machine that sent the log data: Feb 5 2000 09:45:23 firewall example my_syslog 3. Enter 195.11.22.55 as the IP Address 4. Select an appropriate facility from the Facility list - the facility name is commonly used as a filter configuration The syslog server may have to be configured
  • D-Link DFL-1600 | Product Manual - Page 58
    taking This information can be cross-referenced to the Log Reference Guide. Note: SNMP Trap standards NetDefendOS sends SNMP Traps which are based on the SNMPv2c standard as defined by RFC1901, RFC1905 and RFC1906. Example 2.12. Sending SNMP Traps to an SNMP Trap Receiver To enable generation
  • D-Link DFL-1600 | Product Manual - Page 59
    SNMP2cEventReceiver 2. Specify a name for the event receiver, for example my_snmp 3. Enter 195.11.22.55 as the IP Address 4. Enter an SNMP Community String if needed by such an undesirable situation where bandwidth is consumed unnecessarily. Default: 3600 (once per hour) Alarm Repetition Interval
  • D-Link DFL-1600 | Product Manual - Page 60
    as signalling the beginning of the service (START). • ID - A unique identifier to enable matching of an AccountingRequest with Acct-Status-Type set to STOP. • User Name - The user name of the authenticated user. • NAS IP Address - The IP address of the NetDefend Firewall. • NAS Port - The port of
  • D-Link DFL-1600 | Product Manual - Page 61
    sent AccountingRequest packet, with Acct-Status-Type set to START. • User Name - The user name of the authenticated user. • NAS IP Address - The IP address of the NetDefend Firewall. • NAS Port - The port on the NAS on which the user was authenticated. (This is a physical port and not a TCP or
  • D-Link DFL-1600 | Product Manual - Page 62
    the same for NetDefendOS and for the RADIUS server. Messages are sent using the UDP protocol and the default port number used is 1813 although this is user configurable. 2.3.6. RADIUS Accounting and High Availability In an HA cluster, accounting information is synchronized between the active and
  • D-Link DFL-1600 | Product Manual - Page 63
    any configured RADIUS servers before commencing with the shutdown. 2.3.9. Limitations with NAT The User Authentication module in NetDefendOS is based on the user's IP address. Problems can therefore occur with users who have the same IP address. This can happen, for example, when several users are
  • D-Link DFL-1600 | Product Manual - Page 64
    allowed with RADIUS. This applies to RADIUS use with both accounting and authentication. Default: 1024 Example 2.13. RADIUS Accounting Server Setup This example shows the configuration of a local RADIUS server known as radius-accounting with IP address 123.04.03.01 using port 1813. Web Interface 1. Go to
  • D-Link DFL-1600 | Product Manual - Page 65
    firewall. This feature is referred to as Hardware Monitoring. The D-Link NetDefend models that currently support hardware monitoring are the DFL-1600, 1660, 2500, 2560 and 2560G. Configuring monitor values. Minimum value: 100 Maximum value: 10000 Default: 500 Using the hwm CLI Command To get a
  • D-Link DFL-1600 | Product Manual - Page 66
    , NetDefendOS optionally generates a log message that is sent to the configured log servers. Note: Different hardware has different sensors and ranges Each is the Name of the sensor as shown in the CLI output above. For example, SYS Temp. • Enabled An individual sensor can be enabled or disabled used
  • D-Link DFL-1600 | Product Manual - Page 67
    for security reasons. Specifically, NetDefendOS supports the following SNMP request operations by MIB (where NNN indicates the model number of the firewall) and this should be transferred to the hard controls if the IP rule set checks all accesses by SNMP clients. This is by default disabled and the
  • D-Link DFL-1600 | Product Manual - Page 68
    the public Internet. It is therefore advisable to have remote access take place over an encrypted VPN tunnel or Filter enter: • Interface: lan • Network: mgmt-net 4. Click OK Should it be necessary to enable SNMPBeforeRules (which is enabled by default) firewall regardless of configured IP Rules. 68
  • D-Link DFL-1600 | Product Manual - Page 69
    excess requests will be ignored by NetDefendOS. Default: 100 System Contact The contact person for the managed node. Default: N/A System Name The name for the managed node. Default: N/A System Location The physical location of the node. Default: N/A Interface Description (SNMP) What to display in
  • D-Link DFL-1600 | Product Manual - Page 70
    , the file cap_int.cap should be downloaded to the management workstation for analysis. 5. A final cleanup is performed and all memory taken is released. gw-world:/> pcapdump -cleanup Re-using Capture Files Since the only way to delete files from the NetDefend Firewall is through the serial console
  • D-Link DFL-1600 | Product Manual - Page 71
    can be specified and can be one of -tcp, -udp or -icmp. Downloading the Output File As shown in one of the examples above, the -write option of pcapdump can save buffered packet information to a file on the NetDefend Firewall. These output files are placed into the NetDefendOS root directory and the
  • D-Link DFL-1600 | Product Manual - Page 72
    It is possible to use several of these filter expressions together in order to further refine the packets that are of interest. For example we might want to examine the packets going to a particular destination port at a particular destination IP address. Compatibility with Wireshark The open source
  • D-Link DFL-1600 | Product Manual - Page 73
    in order to provide protection against the latest threats. To facilitate the Auto-Update feature D-Link maintains a global infrastructure of servers providing update services for NetDefend Firewalls. To ensure availability and low response times, NetDefendOS employs a mechanism for automatically
  • D-Link DFL-1600 | Product Manual - Page 74
    original hardware state that existed when the NetDefend Firewall was shipped by D-Link. When a restore is applied all data such as the IDP and Anti-Virus databases are lost and must be reloaded. Example 2.16. Complete Hardware Reset to Factory Defaults Command-Line Interface gw-world:/> reset -unit
  • D-Link DFL-1600 | Product Manual - Page 75
    , 260, 800 and 860 To reset the NetDefend DFL-210/260/800/860 models, hold down the reset button located at the rear of the unit for 10-15 seconds while powering on the unit. After that, release the reset button and the unit will continue to load and startup with its default factory settings. The IP
  • D-Link DFL-1600 | Product Manual - Page 76
    2.7.3. Restore to Factory Defaults Chapter 2. Management and Maintenance 76
  • D-Link DFL-1600 | Product Manual - Page 77
    Chapter 3. Fundamentals This chapter describes the fundamental logical objects which make up a NetDefendOS configuration. These objects include such items as IP addresses and IP rules. Some exist by default and some must be defined by the administrator. In addition, the chapter explains the
  • D-Link DFL-1600 | Product Manual - Page 78
    net (netmask 255.255.255.224) and so on. The numbers 0-32 correspond to the number of binary ones in the netmask. For example: 192.168.0.0/24. A range of IP addresses is represented with the form a.b.c.d - e.f.g.h. Note that ranges are not limited to netmask boundaries. They may include any span of
  • D-Link DFL-1600 | Product Manual - Page 79
    to the NetDefend Firewall. 3.1.3. Ethernet Addresses Ethernet Address objects are used to define symbolic names for Ethernet addresses (also known as MAC addresses). This is useful, for example, when populating the ARP table with static ARP entries, or for other parts of the configuration where
  • D-Link DFL-1600 | Product Manual - Page 80
    example wwwsrv1_mac 3. Enter 08-a3-67-bc-2e-f2 as the MAC Address 4. Click OK 3.1.4. Address Groups Groups Simplify Configuration Address objects can be grouped in order to simplify configuration. Consider a number of public servers that should be accessible from the Internet. The servers have IP
  • D-Link DFL-1600 | Product Manual - Page 81
    objects are named _net. As an example, an interface named lan will have an associated interface IP object named lan_ip, and a network object named lannet. An IP Address object named wan_gw is auto-generated and represents the default gateway of the system. The wan_gw object is used
  • D-Link DFL-1600 | Product Manual - Page 82
    to a specific type of traffic. For example, an IP rule in a NetDefendOS IP rule set has a service object associated with it as a filtering parameter to decide whether or not to allow a specific type of traffic to traverse the NetDefend Firewall. Inclusion in IP rules is one of the most important usages
  • D-Link DFL-1600 | Product Manual - Page 83
    is discussed further in Section 3.2.3, "ICMP Services". • IP Protocol Service - A service based on a user defined protocol. This is discussed further in Section 3.2.4, "Custom IP Protocol Services". • Service Group - A service group consisting of a number of services. This is discussed further in
  • D-Link DFL-1600 | Product Manual - Page 84
    can be entered in user interfaces. They can be specified for both the Source Port and/or the Destination Port of a service in the following ways: Single Port For many services, a single destination port is sufficient. For example, HTTP usually uses destination port 80. The SMTP protocol uses port
  • D-Link DFL-1600 | Product Manual - Page 85
    This option only exists for the TCP/IP service type. For more details on how this feature works see Section 6.6.8, "TCP SYN Flood Attacks". • Pass ICMP Errors If an attempt to open a TCP connection is made by a user application behind the NetDefend Firewall and the remote server is not in operation
  • D-Link DFL-1600 | Product Manual - Page 86
    Click OK 3.2.3. ICMP Services Another type of custom service that can be created is an ICMP Service. The Internet Control Message Protocol (ICMP) is a protocol that is integrated with IP for error reporting and transmitting control information. For example, the ICMP Ping feature uses ICMP to test
  • D-Link DFL-1600 | Product Manual - Page 87
    service (there are 256 possible types) or it is possible to filter the types. Specifying Codes If a type is selected then the codes for that type can be specified in the same way that port numbers are specified. For example The source is told that a problem has occurred when delivering a packet.
  • D-Link DFL-1600 | Product Manual - Page 88
    be used to specify multiple applications for one service. For example, specifying the range 1-4,7 will match the protocols ICMP, IGMP, GGP, IP-in-IP and CBT. IP protocol numbers The currently assigned IP protocol numbers and references are published by the Internet Assigned Numbers Authority (IANA
  • D-Link DFL-1600 | Product Manual - Page 89
    3. Fundamentals configuration and decrease the ability to troubleshoot problems. 3.2.6. Custom Service Timeouts Any service can have its custom timeouts set. These can also be set globally in NetDefendOS but it is more usual to change these values individually in a custom service. The timeout
  • D-Link DFL-1600 | Product Manual - Page 90
    through, originates from or is terminated in the NetDefend Firewall, does so through one or more interfaces. support for two types of sub-interfaces: • Virtual LAN (VLAN) interfaces as specified by IEEE 802.1Q. When routing IP packets over a Virtual LAN interface, they will be encapsulated in VLAN
  • D-Link DFL-1600 | Product Manual - Page 91
    on the type of tunnel interface. For example, when routing traffic over an IPsec interface, the payload is usually encrypted to achieve confidentiality. NetDefendOS supports the following tunnel interface types: i. IPsec interfaces are used as end-points for IPsec VPN tunnels. More information about
  • D-Link DFL-1600 | Product Manual - Page 92
    a physical Ethernet port in the system. The number of ports, their link speed and the way the ports are realized, is dependent on the example, if an interface named dmz is connected to a wireless LAN, it might be convenient to change the interface name to radio. For maintenance and troubleshooting
  • D-Link DFL-1600 | Product Manual - Page 93
    of these interfaces. In most of the examples in this guide lan is used for LAN traffic and wan is used for WAN traffic. If your NetDefend Firewall does not have these interfaces, please substitute the references with the name of your chosen interface. • IP Address Each Ethernet interface is required
  • D-Link DFL-1600 | Product Manual - Page 94
    is a set of interface specific advanced settings: i. A preferred IP address can be requested. ii. A preferred lease time can be this option. When enabled, default switch routes are automatically added . The available options are: i. The speed of the link can be set. Usually this is best left as Auto
  • D-Link DFL-1600 | Product Manual - Page 95
    for any VLAN packets. This is disabled by default. Changing the IP Address of an Ethernet Interface To change the IP address on an interface, we can use one of two methods: • Change the IP address directly on the interface. For example, if we want to change the IP address of the lan interface to
  • D-Link DFL-1600 | Product Manual - Page 96
    : 0.0.0.0 UserAuthGroups: NoDefinedCredentials: No Comments: IP address of interface wan To show the current interface assigned : Address: UserAuthGroups: NoDefinedCredentials: Comments: Value wan_gw 0.0.0.0 No Default gateway for interface wan By using the tab key at the end of
  • D-Link DFL-1600 | Product Manual - Page 97
    to be changed, or if configuring the interfaces when running NetDefendOS on non-D-Link hardware. For example, to display Ethernet port the CLI Reference Guide. 3.3.3. VLAN Overview Virtual LAN (VLAN) support in NetDefendOS allows the definition of one or more Virtual LAN interfaces which are
  • D-Link DFL-1600 | Product Manual - Page 98
    trunks from the NetDefend Firewall to switches and these switches are configured with port based VLANs on their interfaces. Any physical firewall interface can, at the same time, carry both non-VLAN traffic as well as VLAN trunk traffic for one or multiple VLANs. VLAN Processing NetDefendOS follows
  • D-Link DFL-1600 | Product Manual - Page 99
    of more VLANs are configured on a physical NetDefend Firewall interface and this is connected directly to a switch. This link acts as a VLAN trunk. The switch used must support port based VLANs. This means that each port on the switch can be configured with the ID of the VLAN or VLANs that a port
  • D-Link DFL-1600 | Product Manual - Page 100
    is a single advanced setting for VLAN: Unknown VLAN Tags What to do with VLAN packets tagged with an unknown ID. Default: DropLog Example 3.10. Defining a VLAN This simple example defines a virtual LAN called VLAN10 with a VLAN ID of 10. The IP address of the VLAN is assumed to be already defined
  • D-Link DFL-1600 | Product Manual - Page 101
    PPPoE Chapter 3. Fundamentals • Interface: lan • VLAN ID: 10 • IP Address: vlan10_ip • Network: all-nets 3. Click OK 3.3.4. PPPoE Point-to-Point Protocol over Ethernet (PPPoE) is a tunneling protocol used for connecting multiple users on an Ethernet network to the Internet through a common serial
  • D-Link DFL-1600 | Product Manual - Page 102
    , support for unnumbered PPPoE is provided by default. The additional option also exists to force unnumbered PPPoE to be used in PPPoE sessions. Unnumbered PPPoE is typically used when ISPs want to allocate one or more preassigned IP addresses to users. These IP addresses are then manually entered
  • D-Link DFL-1600 | Product Manual - Page 103
    GRE Tunnels PPPoE cannot be used with HA For reasons connected with the way IP addresses are shared in a NetDefendOS high availability cluster, PPPoE will not operate correctly. It should therefore not be configured with HA. Example 3.11. Configuring a PPPoE Client This example
  • D-Link DFL-1600 | Product Manual - Page 104
    that is not public. Setting Up GRE Like other tunnels in NetDefendOS such as an IPsec tunnel, a GRE Tunnel is treated as a logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration capabilities as a standard interface. The GRE options are: • IP Address This is
  • D-Link DFL-1600 | Product Manual - Page 105
    tunnel and since the network is internal and not public there is no need for encryption. Setup for NetDefend Firewall "A" Assuming that the network 192.168.10.0/24 is lannet on the lan interface, the steps for setting up NetDefendOS on A are: 1. In the address book set up the following IP objects
  • D-Link DFL-1600 | Product Manual - Page 106
    following rules in the IP rule set that allow traffic to pass through the tunnel:

    Name    Action  Src Int   Src Net       Dest Int  Dest Net      Service
    To_B    Allow   lan       lannet        GRE_to_B  remote_net_B  All
    From_B  Allow   GRE_to_B  remote_net_B  lan       lannet        All

    Setup for NetDefend Firewall "B" Assuming that the network
  • D-Link DFL-1600 | Product Manual - Page 107
    IPsec tunnels have a status of being either up or not up. With GRE tunnels in NetDefendOS this doesn't really apply. The GRE tunnel is up if it exists in the configuration. However, we can check on what is going on with a GRE tunnel. For example, if the tunnel is called
  • D-Link DFL-1600 | Product Manual - Page 108
    firewalls, is an important component in the implementation of ARP. It consists of a dynamic table that stores the mappings between IP 12:6c:89:a4 Expires 45 136 - The explanation for the table contents is as follows: • The first entry in this ARP Cache is a dynamic ARP entry which tells us that IP
  • D-Link DFL-1600 | Product Manual - Page 109
    default value for this setting is 3 seconds. Example 3.13. Displaying the ARP Cache The contents of the ARP Cache can be displayed from within the CLI. Command-Line Interface gw-world:/> arp -show ARP cache of iface lan sometimes it may be necessary to manually force the update. The easiest way
  • D-Link DFL-1600 | Product Manual - Page 110
    address. Some network devices, such as wireless modems, can have such problems. It may also be used to lock an IP address to a specific MAC address for increasing security or to avoid denial-of-service if there are rogue users in a network. However, such protection only applies to packets being sent
  • D-Link DFL-1600 | Product Manual - Page 111
    from the dropdown lists: • Mode: Static • Interface: lan 3. Enter the following: • IP Address: 192.168.10.15 • MAC: 4b-86-f6-c5-a2-14 4. Click OK Published ARP Objects NetDefendOS supports publishing IP addresses on a particular interface, optionally along with a specific
  • D-Link DFL-1600 | Product Manual - Page 112
    ARP entries, IP addresses can only be published one at a time. However, the administrator can use the alternative Proxy ARP feature in NetDefendOS to redundancy devices, which make use of hardware layer multicast addresses. The default behavior of NetDefendOS is to drop and log such ARP requests and
  • D-Link DFL-1600 | Product Manual - Page 113
    hijack a connection, NetDefendOS will by default drop and log unsolicited ARP replies. However, not allowing this may cause problems if, for example, a network adapter is replaced since IP 0.0.0.0 NetDefendOS can be configured for handling ARP queries that have a sender IP of 0.0.0.0. Such sender IPs
  • D-Link DFL-1600 | Product Manual - Page 114
    IP of 0.0.0.0. Such sender IPs are never valid in responses, but network units that have not yet learned of their IP address sometimes ask ARP questions with an "unspecified" sender IP. Default: DropLog ARP Sender IP Determines if the IP this may cause problems if, for example, a network adapter
  • D-Link DFL-1600 | Product Manual - Page 115
    be twice as large as the table it is indexing. If the largest directly-connected LAN contains 500 IP addresses then the size of the ARP entry hash should be at least 1000 entries. Default: 512 ARP Hash Size VLAN Hashing is used to rapidly look up entries in a table. For maximum efficiency, the
  • D-Link DFL-1600 | Product Manual - Page 116
    security policies are configured by the administrator to regulate the way in which traffic can flow through the NetDefend Firewall. Such policies are described by the contents of different NetDefendOS rule sets. These rule sets share a uniform means of specifying filtering criteria which determine
  • D-Link DFL-1600 | Product Manual - Page 117
    8, User Authentication. IP Rules and the Default main IP Rule Set IP rule sets are the most important of these security policy rule sets. They determine the critical packet filtering function of NetDefendOS, regulating what is allowed or not allowed to pass through the NetDefend Firewall, and
  • D-Link DFL-1600 | Product Manual - Page 118
    the NetDefend Firewall on the interface decided by the route. If the IP rule used is an Allow rule then this is bi-directional by default. The description found in Section 1.3, "NetDefendOS State Engine Packet Flow". For example, before the route lookup is done, NetDefendOS first checks that traffic
  • D-Link DFL-1600 | Product Manual - Page 119
    NetDefend Firewall. If the action is Drop or Reject then the new connection is refused. Tip: Rules in the wrong order sometimes cause problems It is important to remember the principle that NetDefendOS searches the IP rules from top to bottom, looking for the first matching rule. If an IP
  • D-Link DFL-1600 | Product Manual - Page 120
    Destination Network • Service When an IP rule is triggered engine". FwdFast Let the packet pass through the NetDefend Firewall without setting up a state for it in required from NetDefendOS. An example of such a situation is when responding to the IDENT user identification protocol. Some
  • D-Link DFL-1600 | Product Manual - Page 121
    cc IPRuleSet main Now, create the IP rule: gw-world:/main> add IPRule Action=Allow Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=wan DestinationNetwork=all-nets Name=lan_http Return to the top level: gw-world:/main> cc Configuration changes must be saved by then issuing
  • D-Link DFL-1600 | Product Manual - Page 122
    . Tip: Object groups help to document configurations Object groups are a recommended way to document the contents of NetDefendOS configurations. This can be very useful for someone seeing a configuration for the first time, such as technical support staff. In an IP rule set that contains hundreds of
  • D-Link DFL-1600 | Product Manual - Page 123
    3.5.6. Configuration Object Groups Note The screen images used in this example show just the first few columns of the object properties. We would like to create an object group for the two IP rules for web surfing. This is done with the following steps: • Select the first
  • D-Link DFL-1600 | Product Manual - Page 124
    3.5.6. Configuration Object Groups Any color can be chosen for the group. Join Preceding option to add it to the preceding group. Once we do this for the second IP rule in our example then the result will be the following: To add any object to the group we must first
  • D-Link DFL-1600 | Product Manual - Page 125
    Configuration Object Groups Moving Groups Groups can be moved in the same way as individual objects. By right clicking the group title line, the context menu includes options to move the entire group. For example use these features to best arrange NetDefendOS objects.
  • D-Link DFL-1600 | Product Manual - Page 126
    . Another example might be Multiple Time Ranges A Schedule object also offers the possibility to enter multiple the schedule. This is used in user interface display and as a reference is not limited to IP Rules, but is valid some other features such as certificate usage in VPN tunnels. Preferably,
  • D-Link DFL-1600 | Product Manual - Page 127
    main Now, create the IP rule: gw-world:/main> add IPRule Action=NAT Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=any DestinationNetwork=all-nets Schedule=OfficeHours name=AllowHTTP Return to the top level: gw-world:/main> cc Configuration changes must be saved by
  • D-Link DFL-1600 | Product Manual - Page 128
    to accomplish key distribution and entity authentication. References in this manual to a certificate means an X.509 certificate. A certificate is a digital proof of identity. It links an identity to a public key in order to establish whether a public key truly belongs to the supposed owner. By doing
  • D-Link DFL-1600 | Product Manual - Page 129
    of large user communities. CRLs are published on servers that all certificate users can access downloaded. In some cases, certificates do not contain this field. In those cases the location of the CRL has to be configured manually through a specific VPN tunnel, provided the certificate validation
  • D-Link DFL-1600 | Product Manual - Page 130
    instructions Example 3.19. Associating Certificates with IPsec Tunnels To associate an imported certificate with an IPsec tunnel. Web Interface 1. Go to Interfaces > IPsec 2. Display the properties of the IPsec tunnel. It is possible, however, to manually create the required files for a Windows
  • D-Link DFL-1600 | Product Manual - Page 131
    the files the same filename but use the extension .cer for one and .key for the other. For example, gateway.cer and gateway.key might be the names. 4. Start a text editor and open the downloaded .pem file and locate the line that begins: -----BEGIN RSA PRIVATE KEY----- 5. Mark and copy into the
  • D-Link DFL-1600 | Product Manual - Page 132
    sent over the public Internet to special external servers which are known as Time Servers. 3.8.2. Setting Date and Time Current Date and Time The administrator can set the date and time manually and this is recommended when a new NetDefendOS installation is started for the first time. Example 3.20
  • D-Link DFL-1600 | Product Manual - Page 133
    NetDefendOS time zone setting reflects the time zone where the NetDefend Firewall is physically located. Example 3.21. Setting the Time Zone To modify the NetDefendOS time when to adjust for DST. Instead, this information has to be manually provided if daylight saving time is to be used. There are
  • D-Link DFL-1600 | Product Manual - Page 134
    time synchronization service over the Internet. The protocol provides a site-independent, machine-readable date and time. The server sends back the time in seconds since midnight on January first, 1900. Most public Time Servers run the NTP protocol and are accessible using SNTP. Configuring Time
  • D-Link DFL-1600 | Product Manual - Page 135
    the CLI to set the synchronization interval, the default of 86400 seconds (equivalent to one day) is used. Example 3.24. Manually Triggering a Time Synchronization Time synchronization can be why there is a significant difference such as an incorrect NetDefendOS configuration. 3. Click OK
  • D-Link DFL-1600 | Product Manual - Page 136
    firewall clock. These servers communicate with NetDefendOS using the SNTP protocol. When the D-Link Server option is chosen, a predefined set of recommended default values for the synchronization are used. Example 3.27. Enabling the D-Link DNS server configured so that the D-Link Time Server
  • D-Link DFL-1600 | Product Manual - Page 137
    : SNTP Primary Time Server DNS hostname or IP Address of Timeserver 1. Default: None Secondary Time Server DNS hostname or IP Address of Timeserver 2. Default: None Tertiary Time Server DNS hostname or IP Address of Timeserver 3. Default: None Interval between synchronization Seconds between each
  • D-Link DFL-1600 | Product Manual - Page 138
    3.8.4. Settings Summary for Date and Time Maximum time drift in seconds that a server is allowed to adjust. Default: 600 Group interval Interval according to which server responses will be grouped. Default: 10
  • D-Link DFL-1600 | Product Manual - Page 139
    node's unique position in the Internet's DNS tree hierarchy. FQDN resolution allows the actual physical IP address to change while the FQDN features that require access to external servers such as anti-virus and IDP. Example 3.28. Configuring DNS Servers In this example, the DNS client is configured
  • D-Link DFL-1600 | Product Manual - Page 140
    the NetDefend Firewall has an external IP address that can change. Dynamic DNS can also be useful in VPN scenarios where both ends of the tunnel have dynamic IP addresses. If only one side of the tunnel has a dynamic address then the NetDefendOS VPN keep alive feature solves this problem. Under
  • D-Link DFL-1600 | Product Manual - Page 141
    3.9. DNS
  • D-Link DFL-1600 | Product Manual - Page 142
    fundamental functions of NetDefendOS. Any IP packet flowing through a NetDefend Firewall will be subjected to at least one routing decision at some point in time, and properly setting up routing is crucial for the system to function as expected. NetDefendOS offers support for the following types of
  • D-Link DFL-1600 | Product Manual - Page 143
    or whenever the network topology is complex, the work of manually maintaining static routing tables can be time-consuming and also NetDefend Firewall and the destination network, a gateway IP must be specified. For example, if the route is for public Internet access via an ISP then the public IP
  • D-Link DFL-1600 | Product Manual - Page 144
    parameter in more depth. Local IP Address and Gateway are mutually NetDefend Firewall usage scenario. Figure 4.1. A Typical Routing Scenario In the above diagram, the LAN public Internet is 195.66.77.4. The associated routing table for this would be as follows: Route # 1 2 3 Interface lan
  • D-Link DFL-1600 | Product Manual - Page 145
    with the destination all-nets is often referred to as the Default Route as it will match all packets for which no specific route has been configured. This route usually specifies the interface which is connected to the public internet. When a routing table is evaluated, the ordering of the routes is
  • D-Link DFL-1600 | Product Manual - Page 146
    in this second network must also have their Default Gateway set to 10.2.2.1 in order to reach the NetDefend Firewall. This feature is normally used when an additional network is to be added to an interface but it is not desirable to change the existing IP addresses of the network. From a security
  • D-Link DFL-1600 | Product Manual - Page 147
    configure static routing. NetDefendOS supports multiple routing tables. A default user-defined extra routing tables can be used to implement Policy Based Routing which means the administrator can set up rules in the IP policy rules get evaluated (for example, IP rules). Consequently, the destination
  • D-Link DFL-1600 | Product Manual - Page 148
    255.255 192.168.0.10 192.168.0.10 1 Default Gateway: 192.168.0.1 Persistent Routes: None The corresponding routing table in NetDefendOS will be similar to the following: Flags Network Iface Gateway Local IP Metric 192.168.0.0/24 lan 20 10.0.0.0/8 wan 1 0.0.0.0/0 wan 192.168
  • D-Link DFL-1600 | Product Manual - Page 149
    the main Routing Table This example illustrates how to display the contents of the default main routing table. Command-Line Interface To see the configured routing table: gw-world:/> cc RoutingTable main gw-world:/main> show Route # Interface - --------1 wan 2 lan 3 wan Network -------all-nets
  • D-Link DFL-1600 | Product Manual - Page 150
    default routes is 100 The metric assigned to the default routes automatically created for the physical interfaces is always 100. These automatically added routes cannot be removed manually public Internet access. If using the NetDefendOS setup interfaces named lan and wan, and with IP addresses 192.
  • D-Link DFL-1600 | Product Manual - Page 151
    . Please see the CLI Reference Guide. 4.2.3. Route Failover Overview NetDefend Firewalls are often deployed in mission-critical locations where availability and connectivity are crucial. For example, an enterprise relying heavily on access to the Internet could have operations severely disrupted if
  • D-Link DFL-1600 | Product Manual - Page 152
    must be chosen: Interface Link Status NetDefendOS will monitor the link status of the interface routes. For example, the routes status in a NetDefendOS configuration and are treated differently. Metric When specifying routes, the administrator should manually set a route's Metric. The metric is
  • D-Link DFL-1600 | Product Manual - Page 153
    example "10"), and a secondary, failover route should have a higher metric value (for example "20"). Multiple problem, consider the following configuration: Firstly, there is one IP rule that will NAT all HTTP traffic destined for the Internet through the wan interface: Action NAT Src Iface lan
  • D-Link DFL-1600 | Product Manual - Page 154
    accessibility to external hosts. Just monitoring a link to a local switch may not indicate a problem in another part of the internal network. • Host monitoring can be used to help in setting the acceptable Quality of Service level of Internet response times. Internet access may be functioning but it
  • D-Link DFL-1600 | Product Manual - Page 155
    have multiple hosts associated with it for monitoring. Multiple hosts can provide a higher certainty that any network problem resides NetDefend Firewall which NetDefendOS will wait before starting Route Monitoring. This waiting period allows time for all network links to initialize once the firewall
  • D-Link DFL-1600 | Product Manual - Page 156
    is mandatory. Where multiple hosts are specified is offline. If, for example, a web page response from Internet ISP, an external network route should always be specified. This external route specifies on which interface the network which exists between the NetDefend Firewall failure. Default: 500
  • D-Link DFL-1600 | Product Manual - Page 157
    split into two sub-networks with a NetDefend Firewall between the two. Host A on one sub-network might send an ARP request to find out the MAC address for the IP address of host B on the other sub-network. With the proxy ARP feature configured, NetDefendOS responds to this ARP request instead
  • D-Link DFL-1600 | Product Manual - Page 158
    mind that if the host has an ARP request for an IP address outside of the local network then this will be sent to the gateway configured for that host. The entire example is illustrated below. Figure 4.4. A Proxy ARP Example Transparent Mode as an Alternative Transparent Mode is an alternative and
  • D-Link DFL-1600 | Product Manual - Page 159
    possible to have Proxy ARP functioning for Ethernet and VLAN interfaces. Proxy ARP is not relevant for other for automatically added routes. For example, the routes that NetDefendOS creates routes have a special status in the NetDefendOS configuration and are treated differently. If Proxy ARP is
  • D-Link DFL-1600 | Product Manual - Page 160
    according to destination IP address information derived from static routes or from a dynamic routing protocol. For example, using OSPF, to provide Internet services, Policy-based Routing can route traffic originating from different sets of users through different routes. For example, traffic from
  • D-Link DFL-1600 | Product Manual - Page 161
    this check (see Section 6.1, "Access Rules" for more details of this feature). If there are no Access Rules or a match with the rules cannot the previously selected routing table is done using the source IP address. If the check fails then a Default access rule log error message is generated. 4. At
  • D-Link DFL-1600 | Product Manual - Page 162
    of a default all-nets route will mean that the connection will be dropped. Example 4.3. Creating a Policy-based Routing Table In this example we create sender address in ARP queries. If no address is specified, the firewall's interface IP address will be used. • Metric: Specifies the metric for this
  • D-Link DFL-1600 | Product Manual - Page 163
    single-organization scenario, publicly accessible servers will be configured with two separate IP addresses: one from each ISP. However, this difference does not matter for the policy routing setup itself. Note that, for a single organization, Internet connectivity through multiple ISPs is normally
  • D-Link DFL-1600 | Product Manual - Page 164
    4.3.5. The Ordering parameter Chapter 4. Routing Note: Rules in the above example are added for both inbound and outbound connections.
  • D-Link DFL-1600 | Product Manual - Page 165
    feature is to provide the following: • Balancing of traffic between interfaces in a policy driven fashion. • To balance simultaneous utilization of multiple Internet links so networks are not dependent on a single ISP. • To allow balancing of traffic across multiple VPN tunnels which might be setup
  • D-Link DFL-1600 | Product Manual - Page 166
    similar to Round Robin but provides "stickiness" so that unique destination IP addresses always get the same route from a lookup. The importance of RLB Algorithm Settings along with the Hold Timer number of seconds (the default is 30 seconds) for the interface. When the traffic passing through the
  • D-Link DFL-1600 | Product Manual - Page 167
    to simplify specification of the values. Using Route Metrics with Round Robin An individual route has a metric associated with it, with the default metric value being zero. With the Round Robin and the associated Destination algorithms, the metric value can be set differently on matching routes
  • D-Link DFL-1600 | Product Manual - Page 168
    has the narrowest range that matches the destination IP address used in the lookup. In the above example, 10.4.16.0/24 may be chosen over clients on a network connected via the LAN interface of the NetDefend Firewall and these will access the internet. Internet access is available from either one of
  • D-Link DFL-1600 | Product Manual - Page 169
    Interface  Src Network  Dest Interface  Dest Network  Service
    lan        lannet       WAN1            all-nets      All
    lan        lannet       WAN2            all-nets      All

    The service All is used in the above IP rules but this should be further refined to a service or service group that covers all the traffic that will be allowed to flow. Example
  • D-Link DFL-1600 | Product Manual - Page 170
    providing redundancy should one ISP link fail. • Use VPN with one tunnel that is IPsec based and another tunnel that uses a different protocol. If both tunnels must be, for example, IPsec connections, it is possible to wrap IPsec in a GRE tunnel (in other words, the IPsec tunnel is carried by a GRE
  • D-Link DFL-1600 | Product Manual - Page 171
    feature routing network device, such as a NetDefend Firewall, can adapt to changes of network that it can be more susceptible to certain problems such as routing loops. One of two types mechanism: • A Distance Vector (DV) algorithm. • A Link State (LS) algorithm. How a router decides the optimal or
  • D-Link DFL-1600 | Product Manual - Page 172
    Link NetDefend models The OSPF feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. OSPF is not available on the DFL-210 and 260 IP and example of what OSPF can achieve. Here we have two NetDefend Firewalls A and B connected together and configured
  • D-Link DFL-1600 | Product Manual - Page 173
    , we now have route redundancy between any two of the firewalls. For example, if the direct link between A and C fails then OSPF allows both firewalls to know immediately that there is an alternate route between them via firewall B. For instance, traffic from network X which is destined for network
  • D-Link DFL-1600 | Product Manual - Page 174
    Link NetDefend models The OSPF feature is only available on the NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. OSPF is not available on the DFL-210 and 260. OSPF functions by routing IP packets based only on the destination IP address found in the IP packet header. IP NetDefend Firewall
  • D-Link DFL-1600 | Product Manual - Page 175
    Router object. There can be more than one area within an AS so multiple OSPF Area objects could be added to a single OSPF Router. In most cases, one is enough and it should be defined separately on each NetDefend Firewall which will be part of the OSPF network. This NetDefendOS object is described
  • D-Link DFL-1600 | Product Manual - Page 176
    periodically on each interface using IP multicast. Routers become neighbors as NOT include the Router ID of the firewall in it, the neighbor will be placed feature up in NetDefendOS, see Section 4.5.3.5, "OSPF Aggregates". Virtual Links Virtual links are used for the following scenarios: A. Linking
  • D-Link DFL-1600 | Product Manual - Page 177
    two routers are connected to the same area (Area 1) but just one of them, fw1, is connected physically to the backbone area. Figure 4.10. Virtual Links Connecting Areas In the above example, a Virtual Link is configured between fw1 and fw2 on Area 1 as it is used as the transit area. In this
  • D-Link DFL-1600 | Product Manual - Page 178
    as in the example above show fw2 need to have a virtual link to fw1 with the Router ID 192.168.1.1 and vice versa. These virtual links need to be configured in Area 1. To set this feature up in NetDefendOS, see Section 4.5.3.6, "OSPF VLinks". OSPF High Availability Support There are some limitations
  • D-Link DFL-1600 | Product Manual - Page 179
    on each NetDefend Firewall which is part of the OSPF network. General Parameters Name Router ID Private Router ID Specifies a symbolic name for the OSPF AS. Specifies the IP address that is used to identify the router in an AS. If no Router ID is configured, the firewall computes the Router
  • D-Link DFL-1600 | Product Manual - Page 180
    the NetDefend Firewall will be used in an environment that consists of routers that only support RFC 1583. Debug Protocol debug provides a troubleshooting tool a VPN. For example, using IPsec. Sending OSPF packets through an IPsec tunnel is discussed further in Section 4.5.5, "Setting Up OSPF".
  • D-Link DFL-1600 | Product Manual - Page 181
    configured for OSPF, the passphrase or authentication key must be the same on all OSPF Routers in that Autonomous System. In other words, the OSPF authentication method must be replicated on all NetDefend Firewalls and when it starts a SPF calculation. The default time is 5 seconds. A value of 0
  • D-Link DFL-1600 | Product Manual - Page 182
    . • Point-to-Point - Point-to-Point is used for direct links which involve only two routers (in other words, two firewalls). A typical example of this is a VPN tunnel which is used to transfer OSPF traffic between two firewalls. The neighbor address of such a link is configured by defining
  • D-Link DFL-1600 | Product Manual - Page 183
    tunnels is discussed further in Section 4.5.5, "Setting Up OSPF". • Point-to-Multipoint - The Point-to-Multipoint interface type is a collection of Point-to-Point networks, where there is more than one router in a link. If Use Default for Router Process is enabled then the values configured in the
  • D-Link DFL-1600 | Product Manual - Page 184
    example, when the connection is not between physical interfaces. The most common situation for using this is when a VPN tunnel is used to connect two neighbors and we need to tell NetDefendOS that the OSPF connection needs to be made through the tunnel. This type of VPN usage with IPsec tunnels Link
  • D-Link DFL-1600 | Product Manual - Page 185
    4.5.4. Dynamic Routing Rules Authentication Use Default For AS Use the values configured in the AS properties page. Note: Linking partitioned backbones If the backbone area is partitioned, a virtual link is used to connect the different parts. In most, simple OSPF scenarios,
  • D-Link DFL-1600 | Product Manual - Page 186
    Least an Import Rule By default, NetDefendOS will not import option should be specified as all-nets so that no filter is applied. When to Use Export Rules Although an Import destination network. The all-nets route defined for Internet access via an ISP is an example of such a route. In this case, a
  • D-Link DFL-1600 | Product Manual - Page 187
    To Specifies into which OSPF AS the route change should be imported. If needed, specifies the IP to route via. Specifies a tag for this route. This tag can be used in other routers for filtering. Specifies the kind of external route type. Specify 1 if OSPF should regard external routes as
  • D-Link DFL-1600 | Product Manual - Page 188
    number of configuration possibilities that OSPF offers. However, in many cases a simple OSPF solution using a minimum of NetDefendOS objects is needed and setup can be straightforward. Let us examine again the simple scenario described earlier with just two NetDefend Firewalls. In this example we
  • D-Link DFL-1600 | Product Manual - Page 189
    NetDefend Firewall that acts as an OSPF router). For example filter parameter for the destination network must be set to be all-nets. We could use a narrower filter the external public Internet where the firewalls will be part of the same OSPF area then all of them should be configured similarly.
  • D-Link DFL-1600 | Product Manual - Page 190
    command are fully described in the CLI Reference Guide. Sending OSPF Traffic Through a VPN Tunnel In some cases, the link between two NetDefend Firewalls which are configured with OSPF Router Process objects may be insecure. For example, over the public Internet. In this case, we can secure the
  • D-Link DFL-1600 | Product Manual - Page 191
    tunnel. 5. Set the Local IP of the tunnel endpoint To finish the setup for firewall A, two changes need to be made to the IPsec tunnel setup on firewall B. These are: i. In the IPsec tunnel properties, the Local Network for the tunnel needs to be set to all-nets. This setting acts as a filter
  • D-Link DFL-1600 | Product Manual - Page 192
    Add > OSPF Interface 3. Select the Interface. For example, lan 4. Click OK Just selecting the Interface means that the Network defaults to the network bound to that interface. In this case lannet. This should be repeated for all the interfaces on this NetDefend Firewall that will be part of the OSPF
  • D-Link DFL-1600 | Product Manual - Page 193
    to Selected 5. Click OK Example 4.11. Exporting the Default Route into an OSPF AS In this example, the default all-nets route from the Choose all-nets in the ...Or is within filter 6. Click OK Next, create an OSPF Action that will export the filtered route to the specified OSPF AS: Web Interface
  • D-Link DFL-1600 | Product Manual - Page 194
    are set up in the IP rule set in order to perform forwarding to the correct interfaces. This is demonstrated in the examples described later. Note: Interface multicast handling must be On or Auto For multicast to function with an Ethernet interface on any NetDefend Firewall, that interface must have
  • D-Link DFL-1600 | Product Manual - Page 195
    default, the multicast IP range 224.0.0.0/4 is always routed to core and does not have to be manually added to the routing tables. Each specified output interface can individually be configured The example below only covers the multicast forwarding part of the configuration. The IGMP configuration
  • D-Link DFL-1600 | Product Manual - Page 196
    Example 4.12. Forwarding of Multicast Traffic using the SAT Multiplex Rule In this example, configure the actual forwarding of the multicast traffic. IGMP has to be configured separately. Web Interface A. Create a custom service for multicast called multicast_service: 1. Go to Objects > Services
  • D-Link DFL-1600 | Product Manual - Page 197
    Rules Chapter 4. Routing B. Create an IP rule: 1. Go to Rules > IP Rules > Add > IP Rule 2. Under General enter: • Name: a name for the rule, for example Multicast_Multiplex • Action: Multiplex SAT • Service: multicast_service 3. Under Address Filter enter: • Source Interface: wan • Source
  • D-Link DFL-1600 | Product Manual - Page 198
    add an Allow rule matching the SAT Multiplex rule. Example 4.13. Multicast Forwarding - Address Translation The following SAT Multiplex rule needs to be configured to match the scenario described above: Web Interface A. Create a custom service for multicast called multicast_service: 1. Go to Objects
  • D-Link DFL-1600 | Product Manual - Page 199
    4.6.3. IGMP Configuration Chapter 4. Routing • Action: Multiplex SAT • Service: multicast_service 3. Under Address Filter enter: • Source statically configured to deliver a multicast stream to the NetDefend Firewall, an IGMP query would also not have to be specified. NetDefendOS supports two
  • D-Link DFL-1600 | Product Manual - Page 200
    send queries. Towards the upstream router, the firewall will be acting as a normal host, subscribing to multicast groups on behalf of its clients. 4.6.3.1. IGMP Rules Configuration - No Address Translation This example describes the IGMP rules needed for configuring IGMP according to the No Address
  • D-Link DFL-1600 | Product Manual - Page 201
    Address Translation The following example requires a configured interface group IfGrpClients including interfaces if1, if2 and if3. The IP address of the upstream the rule, for example Reports • Type: Report • Action: Proxy • Output: wan (this is the relay interface) 3. Under Address Filter enter: •
  • D-Link DFL-1600 | Product Manual - Page 202
    and query rule. The upstream multicast router uses IP UpstreamRouterIP. Example 4.15. if1 Configuration The following steps need to be executed to the rule, for example Reports_if1 • Type: Report • Action: Proxy • Output: wan (this is the relay interface) 3. Under Address Filter enter: • Source
  • D-Link DFL-1600 | Product Manual - Page 203
    IP addresses Web Interface A. Create the first IGMP Rule: 1. Go to Routing > IGMP > IGMP Rules > Add > IGMP Rule 2. Under General enter: • Name: A suitable name for the rule, for example Reports_if2 • Type: Report • Action: Proxy • Output: wan (this is the relay interface) 3. Under Address Filter
  • D-Link DFL-1600 | Product Manual - Page 204
    be logged and ignored. Global setting on interfaces without an overriding IGMP Setting. Default: IGMPv1 IGMP Router Version The IGMP protocol version that will be globally used on interfaces without a configured IGMP Setting. Multiple querying IGMP routers on the same network must use the same IGMP
  • D-Link DFL-1600 | Product Manual - Page 205
    is robust to (IGMP Robustness Variable - 1) packet losses. Global setting on interfaces without an overriding IGMP Setting. Default: 2 IGMP Startup Query Count The firewall will send IGMP Startup Query Count general queries with an interval of IGMPStartupQueryInterval at startup. Global setting on
  • D-Link DFL-1600 | Product Manual - Page 206
    4.6.4. Advanced IGMP Settings Chapter 4. Routing The time in milliseconds between repetitions of an initial membership report. Global setting on interfaces without an overriding IGMP Setting. Default: 1,000 206
  • D-Link DFL-1600 | Product Manual - Page 207
    's hosts. By deploying a single NetDefend Firewall between the two department's physical networks, transparent but controlled access can be achieved. • Controlling Internet Access An organization allows traffic between the external Internet and a range of public IP addresses on an internal network
  • D-Link DFL-1600 | Product Manual - Page 208
    NetDefend Firewall to act as though they were a single logical IP address (assuming their IP address is fixed). The user can still obtain the same services as before (for example the destination within a configurable timeout period, it stores this information: the Content Addressable Memory (CAM)
  • D-Link DFL-1600 | Product Manual - Page 209
    Service all Restricting the Network Parameter As NetDefendOS listens to ARP traffic, it continuously adds single host routes to the routing table as it discovers on which interface IP may not be the case. Multiple Switch Routes are Connected Together The setup steps listed above describe placing all
  • D-Link DFL-1600 | Product Manual - Page 210
    For example, if default, all interfaces have Routing Table Membership set to be all routing tables. By default VLANs If transparent mode is being set up for all hosts and users on a VLAN then the technique described above of using multiple VLAN is defined. To better explain this, let us consider a VLAN
  • D-Link DFL-1600 | Product Manual - Page 211
    a DHCP server could be used to allocate user IP addresses in a Transparent Mode setup if desired. With Internet connections, it may be the ISP's own DHCP server which will hand out public IP addresses to users. In this case, NetDefendOS MUST be correctly configured as a DHCP Relayer to forward DHCP
  • D-Link DFL-1600 | Product Manual - Page 212
    is on the same logical IP network as the users and will therefore be gw-ip. NetDefendOS May Also Need Internet Access The NetDefend Firewall also needs to find the public Internet if it is to perform NetDefendOS functions such as DNS lookup, Web Content Filtering or Anti-Virus and IDP updating
  • D-Link DFL-1600 | Product Manual - Page 213
    using NAT is that IP addresses of users accessing the Internet usually need to be public IP addresses. If NATing needs to be performed in the example above to hide individual addresses from the Internet, it would have to be done by a device (possibly another NetDefend Firewall) between the 192.168
  • D-Link DFL-1600 | Product Manual - Page 214
    • Network: 10.0.0.0/24 • Default Gateway: 10.0.0.1 • Transparent Mode: Enable 3. Click OK 4. Go to Interfaces > Ethernet > Edit (lan) 5. Now enter: • IP Address: 10.0.0.2 • Network: 10.0.0.0/24 • Transparent Mode: Enable 6. Click OK Configure the rules: 1. Go to Rules > IP Rules > Add > IPRule
  • D-Link DFL-1600 | Product Manual - Page 215
    be reached from the Internet. The NetDefend Firewall is transparent between the DMZ and LAN but traffic is still controlled by the IP rule set. Figure 4.21. Transparent Mode Scenario 2 Example 4.18. Setting up Transparent Mode for Scenario 2 Configure a Switch Route over the LAN and DMZ interfaces
  • D-Link DFL-1600 | Product Manual - Page 216
    : TransparentGroup • Network: 10.0.0.0/24 • Metric: 0 3. Click OK Configure the rules: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: HTTP-LAN-to-DMZ • Action: Allow • Service: http • Source Interface: lan • Destination Interface: dmz • Source Network: 10.0.0.0/24 • Destination
  • D-Link DFL-1600 | Product Manual - Page 217
    : Allow • Service: http • Source Interface: wan • Destination Interface: dmz • Source Network: all-nets • Destination Network: wan_ip 9. Click OK 4.7.4. Spanning Tree BPDU Support NetDefendOS includes support for relaying the Bridge Protocol Data Units (BPDUs) across the NetDefend Firewall. BPDU
  • D-Link DFL-1600 | Product Manual - Page 218
    Multiple Spanning Tree Protocol (MSTP) • Cisco proprietary PVST+ Protocol (Per VLAN Spanning Tree Plus) NetDefendOS checks the contents of BPDU messages to make sure the content type is supported To L3 Cache Dest Learning Enable this if the firewall should be able to learn the destination for hosts
  • D-Link DFL-1600 | Product Manual - Page 219
    should be decremented each time a packet traverses the firewall in Transparent Mode. Default: Disabled Dynamic CAM Size This setting can be used to manually configure the size of the CAM table. Normally Dynamic is the preferred value to use. Default: Dynamic CAM Size If the Dynamic CAM Size setting
  • D-Link DFL-1600 | Product Manual - Page 220
    the sender hardware (MAC) address in Ethernet header set to null (0000:0000:0000). Options: • Drop - Drop packets • DropLog - Drop and log packets Default: DropLog Broadcast Enet Sender Defines what to do when receiving a packet that has the sender hardware (MAC) address in Ethernet header set to
  • D-Link DFL-1600 | Product Manual - Page 221
    4.7.5. Advanced Settings for Transparent Mode Chapter 4. Routing • Drop - Drop the packets • DropLog - Drop the packets and log the event Default: Drop Relay MPLS When set to Ignore all incoming MPLS packets are relayed in transparent mode. Options: • Ignore - Let the packets pass but do not
  • D-Link DFL-1600 | Product Manual - Page 222
    4.7.5. Advanced Settings for Transparent Mode Chapter 4. Routing 222
  • D-Link DFL-1600 | Product Manual - Page 223
    This chapter describes DHCP services in NetDefendOS. • Overview, page 223 • DHCP Servers, page 224 • DHCP Relaying, page 230 • IP Pools, page 233 5.1. Overview Dynamic Host Configuration Protocol (DHCP) is a protocol that allows network administrators to automatically assign IP numbers to computers
  • D-Link DFL-1600 | Product Manual - Page 224
    one of the user interfaces. Using Relayer IP Address Filtering As explained above, a DHCP server is selected based on a match of both interface and relayer IP filter. Each DHCP server must have a relayer IP filter value specified and the possible values are as follows: • all-nets The default value is
  • D-Link DFL-1600 | Product Manual - Page 225
    5.2. DHCP Servers Chapter 5. DHCP Services The following options can be configured for a DHCP server: General Parameters Name Interface Filter IP Address Pool Netmask A symbolic name for the server. Used as an interface reference but also used as a reference in log messages. The source interface
  • D-Link DFL-1600 | Product Manual - Page 226
    Now enter: • Name: DHCPServer1 • Interface Filter: lan • IP Address Pool: DHCPRange1 • Netmask: 255.255.255.0 3. Click OK Example 5.2. Checking DHCP Server Status Command-Line Interface To 13.254 00-00-00-00-02-54 10.4.13.1 00-12-79-3b-dd-45 10.4.13.2 00-12-79-c4-06-e7 10.4.13.3 *00-a0-f8-23
  • D-Link DFL-1600 | Product Manual - Page 227
    the server. Tip: Lease database saving DHCP leases are, by default, remembered by NetDefendOS between system restarts. The DHCP advanced settings can DHCP server and each object has the following parameters: Host This is the IP address that will be handed out to the client. MAC Address This is
  • D-Link DFL-1600 | Product Manual - Page 228
    Services can be specified as this parameter. The option exists to also specify if the identifier will be sent as an ASCII or Hexadecimal value. Example 5.3. Static DHCP Host Assignment This example shows how to assign the IP address 192.168.1.1 to the MAC address 00-90-12-13-14-15. The examples
  • D-Link DFL-1600 | Product Manual - Page 229
    5. DHCP Services Custom Option Parameters The following parameters can be set for a custom option: Code This is the code that describes the type of information being sent to the client. A large list of possible codes exists. Type This describes the type of data which will be sent. For example, if
  • D-Link DFL-1600 | Product Manual - Page 230
    interface is the source interface and not core. Example 5.4. Setting up a DHCP Relayer This example allows clients on NetDefendOS VLAN interfaces to obtain IP addresses from a DHCP server. It is assumed the NetDefend Firewall is configured with VLAN interfaces vlan1 and vlan2 that use DHCP relaying
  • D-Link DFL-1600 | Product Manual - Page 231
    Relay 2. Now enter: • Name: vlan-to-dhcpserver • Action: Relay • Source Interface: ipgrp-dhcp • DHCP Server to relay to: ip-dhcp • Allowed IP offers from server: all-nets 3. at the same time. Default: 32 Transaction Timeout For how long a DHCP transaction can take place. Default: 10 seconds Max PPM
  • D-Link DFL-1600 | Product Manual - Page 232
    Auto Save Policy What policy should be used to save the relay list to the disk, possible settings are Disabled, ReconfShut, or ReconfShutTimer. Default: ReconfShut Auto Save Interval How often, in seconds, should the relay list be saved to disk if DHCPServer_SaveRelayPolicy is set to ReconfShutTimer
  • D-Link DFL-1600 | Product Manual - Page 233
    One or more can be specified by a list of unique IP addresses. IP Pools with Config Mode A primary usage of IP Pools is with IKE Config Mode which is a feature used for allocating IP addresses to remote clients connecting through IPsec tunnels. For more information on this see Section 9.4.3, "Roaming
  • D-Link DFL-1600 | Product Manual - Page 234
    interface when an IP pool is obtaining IP addresses from internal DHCP servers. This is needed since the filtering criteria of a at the current status of an IP pool. The simplest form of the command is: gw-world:/> ippool -show This displays all the configured IP pools along with their status. The
  • D-Link DFL-1600 | Product Manual - Page 235
    IP Pools Chapter 5. DHCP Services Other options in the ippool command allow the administrator to change the pool size and to free up IP addresses. The complete list of command options can be found in the CLI Reference Guide. Example 5.5. Creating an IP Pool This example shows the creation of an IP
  • D-Link DFL-1600 | Product Manual - Page 236
    5.4. IP Pools Chapter 5. DHCP Services 236
  • D-Link DFL-1600 | Product Manual - Page 237
    6. Security Mechanisms This chapter describes NetDefendOS security features. • Access Rules, page 237 • ALGs, page 240 • Web Content Filtering, page 292 • Anti-Virus Scanning, page 309 • Intrusion Detection and Prevention, page 315 • Denial-of-Service Attack Prevention, page 326 • Blacklisting Hosts
  • D-Link DFL-1600 | Product Manual - Page 238
    firewall's security mechanisms. Such an attack is commonly known as Spoofing. IP spoofing is one of the most common spoofing attacks. Trusted IP addresses are used to bypass filtering. The header of an IP configuration of an access rule is similar to other types of rules. It contains Filtering
  • D-Link DFL-1600 | Product Manual - Page 239
    , precisely because of this. It is always advisable to check Access Rules when troubleshooting puzzling problems in case a rule is preventing some other function, such as VPN tunnel establishment, from working properly. Example 6.1. Setting up an Access Rule A rule is to be defined that ensures no
  • D-Link DFL-1600 | Product Manual - Page 240
    protocols such as IP, TCP, UDP, and ICMP, NetDefend Firewalls provide Application Layer Gateways (ALGs) which provide filtering at the higher application OSI level. An ALG object acts as a mediator in accessing commonly used Internet applications outside the protected network, for example web access
  • D-Link DFL-1600 | Product Manual - Page 241
    exist and because of the range of file types that can be downloaded using the protocol. HTTP ALG Features The HTTP ALG is an extensive NetDefendOS subsystem consisting of the options described below: • Static Content Filtering - This deals with Blacklisting and Whitelisting of specific URLs. 1. URL
  • D-Link DFL-1600 | Product Manual - Page 242
    news sites might be allowed whereas access to gaming sites might be blocked. This feature is described in depth in Section 6.3.4, "Dynamic Web Content Filtering". • Anti-Virus Scanning - The contents of HTTP file downloads can be scanned for viruses. Suspect files can be dropped or just logged. This
  • D-Link DFL-1600 | Product Manual - Page 243
    option is available only for HTTP and SMTP ALG downloads). The Ordering for HTTP Filtering HTTP filtering obeys the following processing order and is similar to the order followed by the SMTP ALG: 1. Whitelist. 2. Blacklist. 3. Web content filtering (if enabled). 4. Anti-virus scanning (if enabled
  • D-Link DFL-1600 | Product Manual - Page 244
    the FTP client to the FTP server, just like the command channel. This is the often recommended default mode for FTP clients though some advice may recommend the opposite. A Discussion of FTP Security Issues Both active and passive modes of FTP operation present problems for NetDefend Firewalls. 244
  • D-Link DFL-1600 | Product Manual - Page 245
    The FTP ALG Chapter 6. Security Mechanisms Consider a scenario where an FTP client on the internal network connects through the firewall to an FTP server on the Internet. The IP rule is then configured to allow network traffic from the FTP client to port 21 on the FTP server. When active mode is
  • D-Link DFL-1600 | Product Manual - Page 246
    to connect to any of these if the client is using active mode. The default range is 1024-65535. • Allow the server to use passive mode. If passive mode. The default range is 1024-65535. These options can determine if hybrid mode is required to complete the connection. For example, if the client
  • D-Link DFL-1600 | Product Manual - Page 247
    are allowed in the control channel. Allowing 8-bit characters enables support for filenames containing international characters. For example, accented or umlauted characters. Filetype Checking The FTP ALG offers the same filetype verification for downloaded files that is found in the HTTP ALG. This
  • D-Link DFL-1600 | Product Manual - Page 248
    configuration of the ALG that is to be affected by ZoneDefense when a virus is detected. For more information about this topic refer to Chapter 12, ZoneDefense. Example 6.2. Protecting an FTP Server with an ALG As shown, an FTP Server is connected to the NetDefend Firewall on a DMZ with private IP
  • D-Link DFL-1600 | Product Manual - Page 249
    configuration is performed as follows: Web Interface A. Define the ALG: (The ALG ftp-inbound is already predefined by NetDefendOS but in this example OK B. Define the Service: 1. Go to Objects > Services > Add > TCP/UDP Service 2. Enter the following: • Name: ftp-inbound-service • Type: select TCP
  • D-Link DFL-1600 | Product Manual - Page 250
    from the internal interface needs to be NATed through a single public IP address: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: NAT-ftp • Action: NAT • Service: ftp-inbound-service 3. For Address Filter enter: • Source Interface: dmz • Destination Interface: core • Source Network
  • D-Link DFL-1600 | Product Manual - Page 251
    Example 6.3. Protecting FTP Clients In this scenario shown below the NetDefend Firewall is protecting a workstation that will connect to FTP servers on the Internet to connect to FTP servers that support active and passive mode across the Internet. The configuration is performed as follows: Web
  • D-Link DFL-1600 | Product Manual - Page 252
    : Allow • Service: ftp-outbound-service 3. For Address Filter enter: • Source Interface: lan • Destination Interface: wan • Source Network: lannet • Destination Network: all-nets 4. Click OK ii. Using Public IPs If the firewall is using private IPs with a single external public IP, the following
  • D-Link DFL-1600 | Product Manual - Page 253
    about FTP server setup needs to be made if the FTP ALG is being used along with passive mode. Usually, the FTP server will be protected behind the NetDefend Firewall and NetDefendOS will SAT-Allow connections to it from external clients that are connecting across the public Internet. If FTP Passive
  • D-Link DFL-1600 | Product Manual - Page 254
    over the Internet. Typically the local SMTP server will be located on a DMZ so that mail sent by remote SMTP servers will traverse the NetDefend Firewall to reach the local server (this setup is illustrated later in Section 6.2.5.1, "Anti-Spam Filtering"). Local users will then use email client
  • D-Link DFL-1600 | Product Manual - Page 255
    This feature is common to a number of ALGs and is described fully in Section 6.4, "Anti-Virus Scanning". The Ordering for SMTP Filtering SMTP filtering obeys the following processing order and is similar to the order followed by the HTTP ALG except for the addition of Spam filtering: 1. Whitelist
  • D-Link DFL-1600 | Product Manual - Page 256
    some_domain.com can be used to specify all possible email addresses for some_domain.com. If, for example, wildcarding is used in the blacklist to block extensions from the supported extension list that is returned to the client by an SMTP server behind the NetDefend Firewall. When an extension
  • D-Link DFL-1600 | Product Manual - Page 257
    spam filtering to incoming email as it passes through the NetDefend Firewall on its way to a local SMTP email server. Filtering is done based on the email's origin. This approach can significantly reduce the burden of such email in the mailboxes of users behind the NetDefend Firewall. NetDefendOS
  • D-Link DFL-1600 | Product Manual - Page 258
    functions as a protocol for sending emails between servers. NetDefendOS applies Spam filtering to emails as they pass through the NetDefend Firewall from an external remote SMTP server to a local SMTP server (from which local clients will later download their emails). Typically, the local, protected
  • D-Link DFL-1600 | Product Manual - Page 259
    into it. A Threshold Calculation Example As an example, let's suppose that three DNSBL servers are configured: dnsbl1, dnsbl2 and dnsbl3. Weights of 3, 2 and 2 are assigned to these respectively. The Spam threshold is then set to be 5. If dnsbl1 and dnsbl2 say an email is Spam but dnsbl3 does not
  • D-Link DFL-1600 | Product Manual - Page 260
    of their inbox contents. The individual user could then decide to set up their own filters in the local client to deal with such tagged emails, possibly sending them to a separate folder. Adding X-Spam Information If an email is determined to be Spam and a forwarding address is configured for dropped
  • D-Link DFL-1600 | Product Manual - Page 261
    high severity event since all email will be allowed through if this happens. Setup Summary To set up DNSBL Spam filtering in the SMTP ALG, the following list summarizes the steps: • Specify the DNSBL servers that are to be used. There can be one or multiple. Multiple servers can act both as backups
  • D-Link DFL-1600 | Product Manual - Page 262
    filtering operation of a specific ALG. It is used below to examine activity for my_smtp_alg although in this case, the ALG object has not yet processed any emails. gw-world:/> dnsbl my_smtp_alg -show Drop Threshold : 20 Spam Threshold : 10 Use TXT records : yes IP Cache disabled Configured
  • D-Link DFL-1600 | Product Manual - Page 263
    SMTP in that the transfer of mail is directly from a server to a user's client software. POP3 ALG Options Key features of the POP3 ALG are: Block clients from sending USER When content scanning finds bad file integrity then the file can be allowed or disallowed. Verify MIME type The content of
  • D-Link DFL-1600 | Product Manual - Page 264
    be multiplexed through a single PPTP tunnel between the firewall and the server. PPTP ALG Setup Setting up the PPTP ALG is similar to the set up of other ALG types. The ALG object must be associated with the relevant service and the service is then associated with an IP rule. The full sequence of
  • D-Link DFL-1600 | Product Manual - Page 265
    The single IP rule below shows how the custom service object called pptp_service is associated with a typical NAT rule. The clients, which are the local end point of the PPTP tunnels, are located behind the firewall on the network lannet which is connected to the lan interface. The Internet is found
  • D-Link DFL-1600 | Product Manual - Page 266
    authenticating and authorizing access to services. They also implement provider call-routing policies. The proxy is often located on the external, unprotected side of the NetDefend Firewall but can have other locations. All of these scenarios are supported by NetDefendOS. Registrars A server that
  • D-Link DFL-1600 | Product Manual - Page 267
    NetDefend Firewall, and if the source network of the messages is not known then a large number of potentially dangerous connections must be allowed by the IP rule set. This problem, for example the coded voice data which constitute a VoIP phone call. In the SIP setups described below, IP rules need
  • D-Link DFL-1600 | Product Manual - Page 268
    proxy is located on the external, unprotected side of the NetDefend Firewall. Communication typically takes place across the public Internet with clients on the internal, protected side registering with a proxy on the public, unprotected side. • Scenario 2 Protecting proxy and local clients - Proxy
  • D-Link DFL-1600 | Product Manual - Page 269
    alternatively be located remotely across the Internet. The proxy should be configured with the Record-Route feature enabled to ensure all SIP traffic that the local users are being NATed. • An Allow rule for inbound SIP traffic from the SIP proxy to the IP of the NetDefend Firewall. This rule will
  • D-Link DFL-1600 | Product Manual - Page 270
    the client will have a way of retrieving the proxy's IP address automatically such as through DHCP. Note: NAT traversal should not be configured SIP User Agents and SIP Proxies should not be configured to employ NAT Traversal in any setup. For instance, the Simple Traversal of UDP through NATs
  • D-Link DFL-1600 | Product Manual - Page 271
    Solution A - Using NAT Here, the proxy and the local clients are hidden behind the IP address of the NetDefend Firewall. The setup steps are as follows: 1. Define a single SIP ALG object using the options described above. 2. Define a Service object which is associated with the SIP ALG object. The
  • D-Link DFL-1600 | Product Manual - Page 272
    outbound traffic from proxy users can be further restricted This will happen automatically without further configuration. Solution B - Without NAT lan wan Src Network lannet (ip_proxy) all-nets Dest Interface Dest Network wan all-nets lan to the local clients. This setup adds an extra layer of
  • D-Link DFL-1600 | Product Manual - Page 273
    SIP messages towards the destination on the Internet. • 5,6 - A remote client setup: • The IP address of the SIP proxy must be a globally routable IP address. The NetDefend Firewall does not support hiding of the proxy on the DMZ. • The IP address of the DMZ interface must be a globally routable IP
  • D-Link DFL-1600 | Product Manual - Page 274
    traffic from the proxy behind the DMZ interface to the remote clients on the Internet. • An Allow rule for inbound SIP traffic from the SIP proxy behind the DMZ interface to the IP address of the NetDefend Firewall. This rule will have core (in other words, NetDefendOS itself) as the destination
  • D-Link DFL-1600 | Product Manual - Page 275
    (the default SIP signalling port) • Type set to TCP/UDP 3. Define four rules in the IP rule set Internet to clients on the local network. The IP rules with Record-Route enabled are: OutboundToProxy OutboundFromProxy InboundFromProxy InboundToProxy Action Allow Allow Allow Allow Src Interface lan
  • D-Link DFL-1600 | Product Manual - Page 276
    handle NAT, as IP addresses and ports are sent in the payload of H.323 messages. The H.323 ALG modifies and translates H.323 messages to make sure that H.323 messages will be routed to the correct destination and allowed through the NetDefend Firewall. The H.323 ALG has the following features: 276
  • D-Link DFL-1600 | Product Manual - Page 277
    phone is connected to the NetDefend Firewall on a network (lannet) with public IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules. The following rules need
  • D-Link DFL-1600 | Product Manual - Page 278
    H.323 ALG Chapter 6. Security Mechanisms Web Interface Outgoing Rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323AllowOut • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets
  • D-Link DFL-1600 | Product Manual - Page 279
    H.323 phone is connected to the NetDefend Firewall on a network with private IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules. The following rules need to
  • D-Link DFL-1600 | Product Manual - Page 280
    one external address. Example 6.6. Two Phones Behind Different NetDefend Firewalls This scenario consists of two H.323 phones, each one connected behind the NetDefend Firewall on a network with public IP addresses. In order to place calls on these phones over the Internet, the following rules
  • D-Link DFL-1600 | Product Manual - Page 281
    as in the example below. The object ip-phone below should be the internal IP of the H.323 phone behind each firewall. Web Interface Outgoing Rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323Out • Action: NAT • Service: H323 • Source Interface: lan • Destination Interface: any
  • D-Link DFL-1600 | Product Manual - Page 282
    OK To place a call to the phone behind the NetDefend Firewall, place a call to the external IP address on the firewall. If multiple H.323 phones are placed behind the firewall, one SAT rule has to be configured for each phone. This means that multiple external addresses have to be used. However, it
  • D-Link DFL-1600 | Product Manual - Page 283
    Rules > Add > IPRule 2. Now enter: • Name: H323In • Action: SAT • Service: H323-Gatekeeper • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: SAT rule for incoming communication with the
  • D-Link DFL-1600 | Product Manual - Page 284
    gatekeeper. Example 6.9. H.323 with Gatekeeper and two NetDefend Firewalls This scenario is quite similar to scenario 3, with the difference that the NetDefend Firewall is protecting the "external" phones. The NetDefend Firewall with the Gatekeeper connected to the DMZ should be configured exactly
  • D-Link DFL-1600 | Product Manual - Page 285
    H323Out • Action: NAT • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: any the gatekeeper. Example 6.10. Using the H.323 ALG in a Corporate Environment This scenario is an example of a the VPN tunnels are correctly configured and that all offices use private IP-ranges on
  • D-Link DFL-1600 | Product Manual - Page 286
    in the DMZ of the corporate NetDefend Firewall. This firewall should be configured as follows: Web Interface 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: LanToGK • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: dmz • Source Network: lannet
  • D-Link DFL-1600 | Product Manual - Page 287
    323 Gateway on the DMZ 3. Click OK 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: GWToLan • Action: Allow • Service: H323-Gatekeeper • Source Interface: dmz • Destination Interface: lan • Source Network: ip-gateway • Destination Network: lannet • Comment: Allow communication from the
  • D-Link DFL-1600 | Product Manual - Page 288
    branch offices should be configured as follows: (this rule should be in both the Branch and Remote Office firewalls). Web Interface 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: ToGK • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: vpn-hq
  • D-Link DFL-1600 | Product Manual - Page 289
    secure communications over the public Internet between two end using IPsec. Most web browsers support TLS and users can NetDefend Firewall is providing SSL termination since it is acting as an SSL end-point. Regarding the SSL and TLS standards supported, NetDefendOS provides termination support
  • D-Link DFL-1600 | Product Manual - Page 290
    of this approach are: • TLS support can be centralized in the NetDefend Firewall instead of being set up on individual the servers and the NetDefend Firewall. • Decrypted TLS traffic can be subject to other NetDefendOS features such as traffic shaping Service object based on the TCP protocol.
  • D-Link DFL-1600 | Product Manual - Page 291
    newly created service object. 5. Create a NAT or Allow IP rule for the targeted traffic and associate the custom service object with supported (where NetDefend Firewall authenticates the identity of the client). • Renegotiation is not supported. • Sending server key exchange messages is not supported
  • D-Link DFL-1600 | Product Manual - Page 292
    powerful feature that enables the administrator to allow or block access to web sites depending on the category they have been classified into by an automatic classification service. Dynamic content filtering requires a minimum of administration effort and has very high accuracy. Note: Enabling WCF
  • D-Link DFL-1600 | Product Manual - Page 293
    ALG, NetDefendOS can block or permit certain web pages based on configured lists of URLs which are called blacklists and whitelists. This type of filtering is also known as Static Content Filtering. The main benefit with Static Content Filtering is that it is an excellent tool to target specific web
  • D-Link DFL-1600 | Product Manual - Page 294
    As the usability of static content filtering will be illustrated, dynamic content filtering and active content handling will not be enabled in this example. In this small scenario a general surfing policy prevents users from downloading .exe files. However, the D-Link website provides secure and
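The whitelist-before-blacklist decision that the static filtering scenario above relies on (block .exe downloads in general, but let the D-Link site through), as an added Python example that is not part of the manual or of NetDefendOS. The list syntax used here (host-glob[/path-glob], with '*' as the only wildcard) and the sample lists are assumptions for the example, not NetDefendOS's own URL list format.

```python
import re
from urllib.parse import unquote

def compile_pattern(pattern):
    """Compile 'host-glob[/path-glob]' (assumed syntax). '*' in the host part never
    spans '/', so '*.dlink.com/*' cannot match 'evil.example/www.dlink.com/x'."""
    host, slash, path = pattern.partition("/")
    host_re = re.escape(host).replace(r"\*", r"[^/]*")
    path_re = re.escape(path).replace(r"\*", r".*") if slash else r".*"
    return re.compile(rf"^{host_re}/{path_re}$", re.IGNORECASE)

def canonical(url):
    """Reduce a URL to 'host/path': drop scheme, userinfo, port, query and fragment,
    lower-case the host and percent-decode the path once."""
    rest = url.split("://", 1)[-1]
    host, _, path = rest.partition("/")
    host = host.rsplit("@", 1)[-1].split(":", 1)[0].lower()
    path = unquote(path.split("?", 1)[0].split("#", 1)[0])
    return f"{host}/{path}"

class StaticFilter:
    def __init__(self, whitelist, blacklist):
        self.white = [compile_pattern(p) for p in whitelist]
        self.black = [compile_pattern(p) for p in blacklist]

    def decide(self, url):
        """Whitelist wins over blacklist; anything unmatched is allowed."""
        target = canonical(url)
        if any(p.match(target) for p in self.white):
            return "allow", "whitelist"
        if any(p.match(target) for p in self.black):
            return "block", "blacklist"
        return "allow", "default"

# Constructed policy for the scenario in the text: no .exe downloads, except from D-Link
POLICY = StaticFilter(
    whitelist=["www.dlink.com/*", "*.dlink.com/*"],
    blacklist=["*/*.exe", "*.bad-download.example"],
)

if __name__ == "__main__":
    for u in ("http://www.dlink.com/files/tool.exe",
              "http://downloads.example/setup%2Eexe?x=1",
              "http://evil.example/www.dlink.com/tool.exe",
              "http://news.example/index.html"):
        print(u, "->", POLICY.decide(u))
```

Matching the host part separately from the path is the detail worth keeping: a whitelist entry such as *.dlink.com/* must not be satisfied by evil.example/www.dlink.com/tool.exe, which a single wildcard over the whole URL would allow. The query string is stripped and the path percent-decoded once before matching, so setup.exe?x=1 and setup%2Eexe still hit the .exe blacklist entry.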
  • D-Link DFL-1600 | Product Manual - Page 295
    and hosted on servers located in many different countries. Dynamic WCF is only available on certain NetDefend models Dynamic WCF is only available on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. WCF Processing Flow When a user of a web browser requests access to a web site, NetDefendOS
  • D-Link DFL-1600 | Product Manual - Page 296
    surfs to a limited range of websites. Figure 6.8. Dynamic Content Filtering Flow If the requested web page URL is not present in the databases, then the webpage content at the URL will automatically be downloaded to D-Link's central data warehouse and automatically analyzed using a combination of
  • D-Link DFL-1600 | Product Manual - Page 297
    though they might be disallowed if the WCF databases were accessible. Example 6.15. Enabling Dynamic Web Content Filtering This example shows how to set up a dynamic content filtering policy for HTTP traffic from intnet to all-nets. The policy will be configured to block all search sites, and this
  • D-Link DFL-1600 | Product Manual - Page 298
    site. For example, www.google.com. 3. If everything is configured correctly, the web browser will present a web page that informs the user that the requested site is blocked. Audit Mode In Audit Mode, the system will classify and log all surfing according to the content filtering policy, but
  • D-Link DFL-1600 | Product Manual - Page 299
    new service, are described in the previous example. Allowing Override On some occasions, Active Content Filtering may prevent users carrying , NetDefendOS supports a feature called Allow Override. With this feature enabled, the content filtering component will present a warning to the user that he
  • D-Link DFL-1600 | Product Manual - Page 300
    category will then be sent to D-Link's central data warehouse for manual inspection. That inspection may result in service object and modifying the NAT rule as we have done in the previous examples. Dynamic content filtering is now activated for all web traffic from lannet to all-nets and the user
  • D-Link DFL-1600 | Product Manual - Page 301
    posting and interviews, as well as staff recruitment and training services. Examples might be: • www.allthejobs.com • www.yourcareer.com Category 4: Gambling A web site may be classified under the Gambling category if its content includes advertisement or encouragement of, or facilities allowing for
  • D-Link DFL-1600 | Product Manual - Page 302
    escort services. Examples might be: • adultmatefinder.com • www.marriagenow.com Category 10: Game Sites A web site may be classified under the Game Sites category if its content focuses on or includes the review of games, traditional or computer based, or incorporates the facilities for downloading
  • D-Link DFL-1600 | Product Manual - Page 303
    to personal investment. URLs in this category include contents such as brokerage services, online portfolio setup, money management forums or stock quotes. This category does not include electronic banking facilities; refer to the E-Banking category (12). Examples might be: • www.loadsofmoney.com.au
  • D-Link DFL-1600 | Product Manual - Page 304
    under the Sports category if its content includes information or instructions relating to recreational or professional sports, or reviews on sporting events and sports scores. Examples might be: • www.sportstoday.com • www.soccerball.com Category 17: www-Email Sites A web site may be classified
  • D-Link DFL-1600 | Product Manual - Page 305
    under the Clubs and Societies category if its content includes information or services relating to a club or society. This includes team or conference web sites. Examples might be: • www.sierra.org • www.walkingclub.org Category 23: Music Downloads A web site may be classified under the Music
  • D-Link DFL-1600 | Product Manual - Page 306
    , lingerie or general fashion models. Examples might be: • www.vickys-secret.com • sportspictured.cnn.com/features/2002/swimsuit Category 31: Spam A web site may be classified under the Spam category if it is found to be contained in bulk or spam emails. Examples might be: • kaqsovdij.gjibhgk.info
  • D-Link DFL-1600 | Product Manual - Page 307
    then be edited and uploaded back to NetDefendOS. The original Default object cannot be edited. The following example goes through the necessary steps. Example 6.18. Editing Content Filtering HTTP Banner Files This example shows how to modify the contents of the URL forbidden HTML page. Web Interface
  • D-Link DFL-1600 | Product Manual - Page 308
    Tip: Saving changes In the above example SCP cannot be used to download the original default HTML, the source code must a copy of all the Default content filtering banner files. 3. The the changes on the NetDefend Firewall. HTML Page Parameters The
  • D-Link DFL-1600 | Product Manual - Page 309
    The POP3 ALG • The SMTP ALG Note: Anti-Virus is not available on all NetDefend models Anti-Virus scanning is available only on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. 6.4.2. Implementation Streaming As a file transfer is streamed through the NetDefend Firewall, NetDefendOS will scan
  • D-Link DFL-1600 | Product Manual - Page 310
    default upper limit on file sizes. Simultaneous Scans There is no fixed limit on how many Anti-Virus scans can take place simultaneously in a single NetDefend Firewall. Gateway (ALG), protocol-specific features are implemented in NetDefendOS. With FTP, for example, scanning is aware of the
  • D-Link DFL-1600 | Product Manual - Page 311
    service is enabled as part of the D-Link Anti-Virus subscription. 6.4.5. Subscribing to the D-Link Anti-Virus Service The D-Link Anti-Virus feature scenario, such as image files in HTTP downloads. NetDefendOS performs MIME content checking on all the filetypes listed in Appendix
  • D-Link DFL-1600 | Product Manual - Page 312
    Virus scanning to check that the file's contents matches the MIME type it claims to be feature. This can also be done through the WebUI. Updating in High Availability Clusters Updating the Anti-Virus databases for both the NetDefend Firewalls new update and downloads the required files for the
  • D-Link DFL-1600 | Product Manual - Page 313
    the Anti-Virus configuration in the ALGs. Depending on the protocol used, there exist different scenarios of how the feature can be used. For more information about this topic refer to Chapter 12, ZoneDefense. Example 6.19. Activating Anti-Virus Scanning This example shows how to setup an Anti
  • D-Link DFL-1600 | Product Manual - Page 314
    Port textbox 5. Select the HTTP ALG you just created in the ALG dropdown list 6. Click OK C. Finally, modify the NAT rule (called NATHttp in this example) to use the new service: 1. Go to Rules > IP Rules 2. Select the NAT rule handling the traffic between lannet and all-nets 3. Click the
  • D-Link DFL-1600 | Product Manual - Page 315
    backdoor exploits are examples of such attacks which download and this is normally downloaded to a client system. An intrusion manifests itself as a malicious pattern of Internet through the NetDefend Firewall, searching for Link Models Maintenance and Advanced IDP D-Link offers two types of IDP:
  • D-Link DFL-1600 | Product Manual - Page 316
    with the NetDefend DFL 210, 800, 1600 and 2500. Maintenance IDP is a simplified IDP that gives basic protection against attacks. It is upgradeable to the higher level and more comprehensive Advanced IDP which is discussed next. IDP does not come as standard with the DFL-260, 860, 1660, 2560
  • D-Link DFL-1600 | Product Manual - Page 317
    database will be downloaded, replacing the older version. The Terms IDP, IPS and IDS The terms Intrusion Detection and Prevention (IDP), Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) are used interchangeably in D-Link literature. They all refer to the same feature, which is
  • D-Link DFL-1600 | Product Manual - Page 318
    hex sequence which itself is encoded using other hex escape sequences. An example would be the original sequence %2526 where %25 is then might be at the firewall and NetDefendOS performs normal verification. If the packet is part of a new connection then it is checked against the IP rule set
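The nested-encoding case described above (%2526, which decodes to %26 and only then to '&'), as an added Python example rather than NetDefendOS code: a normaliser that percent-decodes a request path until it stops changing, reports how many encoding layers it removed, and only then compares the canonical form against a small signature list. The signature names and patterns are constructed for this example.

```python
from urllib.parse import unquote

# Constructed signatures for this example; a real IDP database is far larger and
# matches on more than literal substrings.
SIGNATURES = {
    "HTTP_PATH_TRAVERSAL": "../",
    "HTTP_ETC_PASSWD": "/etc/passwd",
    "HTTP_SCRIPT_TAG": "<script",
}

def normalize(path, max_rounds=4):
    """Percent-decode until the string stops changing.

    Returns (decoded, rounds), where rounds is the number of encoding layers removed:
    0 for a plain path, 1 for ordinary encoding, 2 or more for nested encoding such
    as %2526 -> %26 -> '&', which is almost always an evasion attempt. Raises if the
    input has not converged after max_rounds rounds, so a pathological request cannot
    keep the inspector busy."""
    current = path
    for rounds in range(max_rounds + 1):
        decoded = unquote(current)
        if decoded == current:
            return decoded, rounds
        current = decoded
    raise ValueError(f"percent-encoding did not converge: {path!r}")

def inspect_path(path):
    """Return (canonical_path, sorted list of signature names that fired)."""
    decoded, rounds = normalize(path)
    hits = [name for name, pat in SIGNATURES.items() if pat in decoded.lower()]
    if rounds > 1:
        hits.append("NESTED_ENCODING")
    return decoded, sorted(hits)

if __name__ == "__main__":
    for p in ("/index.html",
              "/cgi-bin/..%2f..%2fetc%2fpasswd",
              "/cgi-bin/%252e%252e%252f%252e%252e%252fetc%252fpasswd"):
        print(p, "->", inspect_path(p))
```

Decoding to a fixed point catches any depth of nesting, but it can also decode deeper than the protected server does (a server that decodes once sees %26, not '&'), so a NESTED_ENCODING hit is worth logging on its own even when no content signature fires, and the decode depth used for detection should be checked against how the server behind the firewall actually behaves.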
  • D-Link DFL-1600 | Product Manual - Page 319
    This results in two different streams of data. As an example, consider a data stream broken up into 4 packets: p1 IP stream although such an attack may have been present. This condition is caused by infrequent and unusually complex patterns of data in the stream. Recommended Configuration By default
  • D-Link DFL-1600 | Product Manual - Page 320
    on the D-Link website at: http://security.dlink.com.tw Advisories can be found under the "NetDefend IDS" option in the "NetDefend Live" menu. IDP Signature types IDP offers three signature types which offer differing levels of certainty with regard to threats: • Intrusion Protection Signatures (IPS
  • D-Link DFL-1600 | Product Manual - Page 321
    Category This second level of naming describes the type of application or protocol. Examples are: • BACKUP • DB • DNS • FTP • HTTP 3. Signature Type could be any of IDS, IPS or POLICY. Processing Multiple Actions For any IDP rule, it is possible to specify multiple actions and an action type such
  • D-Link DFL-1600 | Product Manual - Page 322
    load on the firewall hardware unnecessarily high, Link ZoneDefense feature. For more details on how ZoneDefense functions see Chapter 12, ZoneDefense. 6.5.8. SMTP Log Receiver for IDP Events In order to receive notifications via email of IDP events, an SMTP Log receiver can be configured. This email
  • D-Link DFL-1600 | Product Manual - Page 323
    Log Settings tab 5. Click OK Example 6.21. Setting up IDP for a Mail Server The following example details the steps needed to set up IDP for a simple scenario where a mail server is exposed to the Internet on the DMZ network with a public IP address. The public Internet can be reached through
  • D-Link DFL-1600 | Product Manual - Page 324
    the firewall on the WAN interface as illustrated below. An IDP rule called IDPMailSrvRule will be created, and the Service to use is the SMTP service. Source Interface and Source Network define where traffic is coming from, in this example the external
  • D-Link DFL-1600 | Product Manual - Page 325
    NetDefendOS should do when a possible intrusion is detected. In this example, intrusion attempts will cause the connection to be dropped, so configured by clicking in the Rule Actions tab when creating an IDP rule and enabling logging. The Severity should be set to All in order to match all SMTP
  • D-Link DFL-1600 | Product Manual - Page 326
    Internet, it can serve them faster and more efficiently. At the same time, using a public IP distributed topology of the Internet to launch Denial of Service (DoS) attacks against Internet connections and business critical systems in overload. This section deals with using NetDefend Firewalls
  • D-Link DFL-1600 | Product Manual - Page 327
    by applying IP spoofing protection to all packets. In its default configuration, it will simply compare arriving packets to the contents of the reduced. Only exposed services could possibly become victims to the attack, and public services tend to be more well-written than services expected to only
  • D-Link DFL-1600 | Product Manual - Page 328
    has already been done by the time the packets reach the firewall. However, NetDefendOS can help in keeping the load off internal servers, making them available for internal service, or perhaps service via a secondary Internet connection not targeted by the attack. • Smurf and Papasmurf type
  • D-Link DFL-1600 | Product Manual - Page 329
    other operating systems can exhibit problems with as few as 5 IP address may be spoofed. 6.6.10. Distributed DoS Attacks A more sophisticated form of DoS is the Distributed Denial of Service (DDoS) attack. DDoS attacks involve breaking into hundreds or thousands of machines all over the Internet
  • D-Link DFL-1600 | Product Manual - Page 330
    stack resources, breaking network connectivity to the victims. Although recent DDoS attacks have been launched from both private corporate and public institutional systems, hackers often prefer university or institutional networks because of their open, distributed nature. Tools used to
  • D-Link DFL-1600 | Product Manual - Page 331
    for the period of time specified. Note: Restarts do not affect the blacklist The contents of the blacklist are not lost if the NetDefend Firewall shuts down and restarts. Whitelisting To ensure that Internet traffic coming from trusted sources, such as the management workstation, is not blacklisted
  • D-Link DFL-1600 | Product Manual - Page 332
    a Host to the Whitelist In this example we will add an IP address object called white_ip to the whitelist. This will mean this IP address can never be blacklisted. Command-Line Interface gw-world:/> add BlacklistWhiteHost Addresses=white_ip Service=all_tcp Web Interface 1. Go to System > Whitelist
  • D-Link DFL-1600 | Product Manual - Page 333
    6.7. Blacklisting Hosts and Networks
  • D-Link DFL-1600 | Product Manual - Page 334
    through the NetDefend Firewall is known as address translation. The ability to transform one IP address to another can have many benefits. Two of the most important are: • Private IP addresses can be used on a protected network where protected hosts need to have access to the public Internet. There
  • D-Link DFL-1600 | Product Manual - Page 335
    be "hidden" behind the firewall's IP address. • Only the firewall needs a public IP address for public Internet access. Hosts and networks behind the firewall can be allocated private IP addresses but can still have access to the public Internet through the public IP address. NAT Provides many-to
  • D-Link DFL-1600 | Product Manual - Page 336
    to have a matching ARP Publish entry configured for the outbound interface. Otherwise, the return traffic will not be received by the NetDefend Firewall. This technique might be used when the source IP is to differ based on the source of the traffic. For example, an ISP that is using NAT, might
  • D-Link DFL-1600 | Product Manual - Page 337
    of these events is illustrated further in the diagram below. Figure 7.2. A NAT Example Example 7.1. Adding a NAT Rule To add a NAT rule that will perform address IP rule set: gw-world:/> cc IPRuleSet main Now, create the IP rule: gw-world:/main> add IPRule Action=NAT Service=http SourceInterface=lan
  • D-Link DFL-1600 | Product Manual - Page 338
    their sender addresses translated to the same IP. Some protocols, regardless of the method of transportation used, can cause problems during address translation. Anonymizing Internet Traffic with NAT A useful application of the NAT feature in NetDefendOS is for anonymizing service providers to
  • D-Link DFL-1600 | Product Manual - Page 339
    clients and servers across the public Internet so that the client's public IP address is not present in any server access requests or peer to peer traffic. We shall examine the typical case where the NetDefend Firewall acts as a PPTP server and terminates the PPTP tunnel for PPTP clients. Clients
  • D-Link DFL-1600 | Product Manual - Page 340
    IP addresses communicate to remote hosts through a single external public IP address (this is discussed in depth in Section 7.2, "NAT"). When multiple public external IP all the connections for a single host behind the NetDefend Firewall no matter which external host the connection concerns. If
  • D-Link DFL-1600 | Product Manual - Page 341
    ARP queries to the NetDefend Firewall to resolve external IP addresses included in a NAT default, the administrator must specify in NAT Pool setup which interfaces will be used by NAT pools. The option exists however to enable Proxy ARP for a NAT Pool on all interfaces but this can cause problems
  • D-Link DFL-1600 | Product Manual - Page 342
    Go to Rules > IP Rules > Add > IP Rule 2. Under General enter: • Name: Enter a suitable name such as nat_pool_rule • Action: NAT 3. Under Address filter enter: • Source Interface: int • Source Network: int-net • Destination Interface: wan • Destination Network: all-nets • Service: HTTP 4. Select the
  • D-Link DFL-1600 | Product Manual - Page 343
    firewall. The Second Rule Must Trigger on the Untranslated Destination IP An important principle to keep in mind when creating the IP rules for SAT is that the second rule, for example and typically this access takes place across the public Internet. These servers will have the maximum exposure to
  • D-Link DFL-1600 | Product Manual - Page 344
    arrangement with the NetDefend Firewall mediating communications between the public Internet and servers in the DMZ, and between the DMZ and local clients on a network called LAN. Figure 7.4. The Role of the DMZ Note: The DMZ port could be any port On all models of D-Link NetDefend hardware, there
  • D-Link DFL-1600 | Product Manual - Page 345
    Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection. Of course, we also need a rule that allows internal machines to be dynamically address translated to the Internet. In this example, we
  • D-Link DFL-1600 | Product Manual - Page 346
    IP Address (1:1) Chapter 7. Address Translation # Action Src Iface 3 NAT lan Internet-connected example. In order for external users to access the web server, they must be able to contact it using a public address. In this example, we have chosen to translate port 80 on the NetDefend Firewall
  • D-Link DFL-1600 | Product Manual - Page 347
    The problem with this rule set is that it will not work at all for traffic from the internal network. In order to illustrate exactly what happens, we use the following IP addresses: • wan_ip (195.55.66.77): a public IP address • lan_ip (10.0.0.1): the NetDefend Firewall's private internal IP address
  • D-Link DFL-1600 | Product Manual - Page 348
    accessible using a unique public IP address. Example 7.5. Translating Traffic to Multiple Protected Web Servers In this example, we will create a SAT policy that will translate and allow connections from the Internet to five web servers located in a DMZ. The NetDefend Firewall is connected to the
  • D-Link DFL-1600 | Product Manual - Page 349
    Allow Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=wan DestinationNetwork=wwwsrv_pub Web Interface Create an address object for the public IP address: 1. Go to Objects > Address Book > Add > IP address 2. Specify a suitable name for the object, for example wwwsrv_pub
  • D-Link DFL-1600 | Product Manual - Page 350
    7. Click OK Finally, create a corresponding Allow rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Specify a suitable name for the rule, for example Allow_HTTP_To_DMZ 3. Now enter: • Action: Allow • Service: http • Source Interface:any • Source Network: all-nets • Destination Interface: wan
  • D-Link DFL-1600 | Product Manual - Page 351
    embedded in the data. Examples of this include FTP and logons to NT domains via NetBIOS. • Either party is attempting to open new dynamic connections to the addresses visible to that party. In some cases, this can be resolved by modifying the application or the firewall configuration. There is no
  • D-Link DFL-1600 | Product Manual - Page 352
    servers public address, it will example of static address translation using FwdFast rules to a web server located on an internal network:
      #  Action   Src Iface
      1  SAT      any
      2  SAT      lan
      3  FwdFast  any
      4  FwdFast  lan
    network to the Internet:
      #  Action  Src Iface  Src Net
      5  NAT     lan        lannet
  • D-Link DFL-1600 | Product Manual - Page 353
    problem can be solved using the following rule set:
      #  Action   Src Iface
      1  SAT      any
      2  SAT      lan
      3  FwdFast  lan
      4  NAT      lan
      5  FwdFast  lan
    address will be the NetDefend Firewall's internal IP address, guaranteeing that return traffic passes through the NetDefend Firewall. • Return traffic will
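The two principles stated on the SAT pages above, that the rule permitting a SAT-translated connection must match the untranslated destination, and that internal clients reaching a server through its public address need their source translated to the firewall's own address so replies come back through it, as an added Python model. This is not NetDefendOS code but a simplified first-match evaluator; Allow stands in for FwdFast, wan_ip and lan_ip are the values from the text, and the server, client and Internet addresses are assumed.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology. wan_ip and lan_ip are the text's values; the server,
# client and Internet addresses are assumed for this example.
FW_IPS = {"wan": "195.55.66.77", "lan": "10.0.0.1"}      # the firewall's own addresses
ROUTES = [("10.0.0.0/24", "lan"), ("0.0.0.0/0", "wan")]   # most specific route first
WWWSRV_PRIV = "10.0.0.2"                                   # web server on lannet
WAN_IP = FW_IPS["wan"] + "/32"

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def egress(ip):
    """Interface a packet to ip leaves on; the firewall's own addresses are 'core'."""
    if ip in FW_IPS.values():
        return "core"
    for net, iface in ROUTES:
        if in_net(ip, net):
            return iface
    raise ValueError(f"no route to {ip}")

@dataclass(frozen=True)
class Packet:
    src_iface: str
    src_ip: str
    dst_ip: str
    dport: int

@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # SAT, Allow, NAT or Drop (Allow stands in for FwdFast here)
    service: int       # TCP port, 0 = any
    src_iface: str     # 'any' matches every interface
    src_net: str
    dst_iface: str
    dst_net: str
    sat_to: str = ""   # SAT only: the new destination address

@dataclass(frozen=True)
class Verdict:
    action: str
    src_ip: str          # source as the server will see it
    dst_ip: str          # destination after translation
    return_via_fw: bool  # must the server's reply pass back through the firewall?

def matches(rule, pkt):
    return (rule.src_iface in ("any", pkt.src_iface)
            and rule.dst_iface in ("any", egress(pkt.dst_ip))
            and in_net(pkt.src_ip, rule.src_net)
            and in_net(pkt.dst_ip, rule.dst_net)
            and rule.service in (0, pkt.dport))

def evaluate(rules, pkt):
    """First-match evaluation. A matching SAT rule only records the translation and the
    scan continues; later rules are matched against the UNTRANSLATED packet, and the
    translation takes effect only when an Allow or NAT rule then matches."""
    sat = None
    for r in rules:
        if not matches(r, pkt):
            continue
        if r.action == "SAT":
            sat = sat or r
            continue
        if r.action == "Drop":
            return Verdict("Drop", pkt.src_ip, pkt.dst_ip, False)
        out = pkt if sat is None else replace(pkt, dst_ip=sat.sat_to)
        if r.action == "NAT":  # hide the source behind the firewall's address on the egress side
            out = replace(out, src_ip=FW_IPS.get(egress(out.dst_ip), out.src_ip))
        via_fw = egress(out.dst_ip) != pkt.src_iface or out.src_ip in FW_IPS.values()
        return Verdict(r.action, out.src_ip, out.dst_ip, via_fw)
    return Verdict("Drop", pkt.src_ip, pkt.dst_ip, False)  # no match: default drop

# 1. Single SAT/Allow pair: right for Internet clients, broken for lannet clients
RULES_EXTERNAL_ONLY = [
    Rule("SAT_http",   "SAT",   80, "any", "0.0.0.0/0",   "core", WAN_IP, sat_to=WWWSRV_PRIV),
    Rule("Allow_http", "Allow", 80, "any", "0.0.0.0/0",   "core", WAN_IP),
    Rule("NAT_out",    "NAT",    0, "lan", "10.0.0.0/24", "wan",  "0.0.0.0/0"),
]
# 2. Common mistake: the permitting rule keyed on the TRANSLATED destination
RULES_WRONG_KEY = [
    Rule("SAT_http",   "SAT",   80, "any", "0.0.0.0/0", "core", WAN_IP, sat_to=WWWSRV_PRIV),
    Rule("Allow_http", "Allow", 80, "any", "0.0.0.0/0", "lan",  WWWSRV_PRIV + "/32"),
]
# 3. The text's fix: a lan-sourced SAT paired with a NAT rule
RULES_HAIRPIN = [
    Rule("SAT_wan",   "SAT",   80, "wan", "0.0.0.0/0",   "core", WAN_IP, sat_to=WWWSRV_PRIV),
    Rule("SAT_lan",   "SAT",   80, "lan", "10.0.0.0/24", "core", WAN_IP, sat_to=WWWSRV_PRIV),
    Rule("Allow_wan", "Allow", 80, "wan", "0.0.0.0/0",   "core", WAN_IP),
    Rule("NAT_lan",   "NAT",   80, "lan", "10.0.0.0/24", "core", WAN_IP),
    Rule("NAT_out",   "NAT",    0, "lan", "10.0.0.0/24", "wan",  "0.0.0.0/0"),
]
INTERNET_CLIENT = Packet("wan", "203.0.113.5", FW_IPS["wan"], 80)  # constructed
LAN_CLIENT = Packet("lan", "10.0.0.3", FW_IPS["wan"], 80)          # constructed

if __name__ == "__main__":
    for name, rules in (("external-only", RULES_EXTERNAL_ONLY),
                        ("wrong-key", RULES_WRONG_KEY), ("hairpin", RULES_HAIRPIN)):
        for pkt in (INTERNET_CLIENT, LAN_CLIENT):
            print(f"{name:14} {pkt.src_ip:>12} -> {evaluate(rules, pkt)}")
```

With the first rule set an Internet client is translated and allowed, but a client on lannet keeps its own source address and the server, on the same segment, answers it directly; the reply never passes the firewall and the connection fails, which is what the text means by "will not work at all for traffic from the internal network". The second rule set drops everything because its Allow rule is keyed on the translated address, which no packet carries at match time. The third rule set hides the internal client behind lan_ip, so the server's reply is forced back through the firewall.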
  • D-Link DFL-1600 | Product Manual - Page 354
    7.4.7. SAT and FwdFast Rules
  • D-Link DFL-1600 | Product Manual - Page 355
    performed with username/password combinations that are manually entered by a user attempting to gain access to resources. Access to the external public Internet through a NetDefend Firewall by internal clients using the HTTP protocol is an example of this. In using this approach, username
  • D-Link DFL-1600 | Product Manual - Page 356
    8.1. Overview To remain secure, passwords should also: • Not be recorded anywhere in written form. • Never be revealed to anyone else. • Be changed on a regular basis, such as every three months.
  • D-Link DFL-1600 | Product Manual - Page 357
    user database internal to NetDefendOS. ii. A RADIUS server which is external to the NetDefend Firewall. iii. An LDAP Server which is also external to the NetDefend Firewall rule as the originator IP or can be associated with an Authentication Group. • Set up IP rules to allow the authentication
  • D-Link DFL-1600 | Product Manual - Page 358
    and cannot change it. PPTP/L2TP Configuration If a client is connecting to the NetDefend Firewall using PPTP/L2TP then the following three options can also be specified for the local NetDefendOS user database: • Static Client IP Address This is the IP address which the client must have if
  • D-Link DFL-1600 | Product Manual - Page 359
    from NetDefendOS. To provide this, NetDefendOS supports the Remote Authentication Dial-in User Service (RADIUS) protocol. RADIUS Usage with This is implemented by the NetDefend Firewall acting as a client to one or more LDAP servers. Multiple servers can be configured to provide redundancy if any
  • D-Link DFL-1600 | Product Manual - Page 360
    as, for example, RADIUS setup. Careful consideration of the parameters used in defining the LDAP server to NetDefendOS is required. There are a number of issues that can cause problems: • LDAP servers differ in their implementation. NetDefendOS provides a flexible way of configuring an LDAP server
  • D-Link DFL-1600 | Product Manual - Page 361
    User Authentication The following general parameters are used for configuration of each server: • Name The name given to the server object for reference purposes in NetDefendOS. For example TCP/IP. This port is by default 389. • Timeout This is the timeout length for LDAP server user authentication
  • D-Link DFL-1600 | Product Manual - Page 362
    User Authentication successful authentication. The domain name is the host name of the LDAP server, for example myldapserver. The choices for this parameter are: i. None - This will not modify the username in any way. For example resolve the server's IP address into a route. The default is the main
  • D-Link DFL-1600 | Product Manual - Page 363
    contains the user's password. The default ID is user password in plain text. The LDAP server administrator must make sure that this field actually does contain the password. This is explained in greater detail later. Bind Request Authentication LDAP server authentication is automatically configured
  • D-Link DFL-1600 | Product Manual - Page 364
    are available for real-time monitoring of LDAP server access for user authentication: • Number of authentications per second. • Total number shown with the command: gw-world:/> show LDAPDatabase The entire contents of the database can be displayed with the command: gw-world:/> show
  • D-Link DFL-1600 | Product Manual - Page 365
    the password when it's sent back. This ID must be different from the default password attribute (which is usually userPassword for most LDAP servers). A suggestion is must therefore be done manually by the administrator as they add new users and change existing users' passwords. This clearly involves
  • D-Link DFL-1600 | Product Manual - Page 366
    Figure 8.2. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 Important: The link to the LDAP server must be protected Since the LDAP server is sending back passwords in plain text to NetDefendOS, the link between the NetDefend Firewall and the server
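Why the LDAP entry needs a separate attribute holding the cleartext password, and why the link carrying it must be protected, as an added Python example that is not NetDefendOS code. The directory below is a constructed stand-in for the LDAP server. CHAP follows RFC 1994 (the response is MD5 over identifier, secret and challenge), so the authenticator can only compute the expected response if it holds the cleartext secret; PAP, which transmits the password itself, can be checked against a salted hash. The user names, passwords and salt are made up.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the LDAP directory. 'alice' has the extra attribute with the
# cleartext password that CHAP needs; 'bob' only has a salted hash, as a directory
# normally would.
_SALT = b"\x01\x02\x03\x04"   # constructed; per-user in practice
DIRECTORY = {
    "alice": {"clearPassword": b"correct horse",
              "userPassword": (_SALT, hashlib.sha256(_SALT + b"correct horse").hexdigest())},
    "bob":   {"userPassword": (_SALT, hashlib.sha256(_SALT + b"battery staple").hexdigest())},
}

def chap_response(identifier, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def client_chap(identifier, challenge, password):
    """The PPP peer's side: it holds the password and answers the challenge."""
    return chap_response(identifier, password, challenge)

def chap_verify(username, identifier, challenge, response):
    """The authenticator's side. It must recompute the MD5 over the cleartext secret,
    so a directory entry that only stores a hash cannot be used at all."""
    entry = DIRECTORY.get(username)
    secret = entry.get("clearPassword") if entry else None
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)

def pap_verify(username, password):
    """PAP delivers the password itself, so a salted hash in the directory is enough."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return False
    salt, digest = entry["userPassword"]
    return hmac.compare_digest(hashlib.sha256(salt + password).hexdigest(), digest)

def new_challenge():
    return os.urandom(16)   # fresh per authentication; reuse would allow replay

if __name__ == "__main__":
    ch, ident = new_challenge(), 1
    print("alice/CHAP:", chap_verify("alice", ident, ch, client_chap(ident, ch, b"correct horse")))
    print("bob/CHAP:  ", chap_verify("bob", ident, ch, client_chap(ident, ch, b"battery staple")))
    print("bob/PAP:   ", pap_verify("bob", b"battery staple"))
```

MS-CHAPv1 and MS-CHAPv2 replace the MD5 over the cleartext with operations on the NT hash of the password, so there the authenticator needs that hash rather than the cleartext, but the situation is the same: what the directory hands back is a password-equivalent secret, and anyone who can read the LDAP link can read it too. That is the reason for the requirement above that the link be protected.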
  • D-Link DFL-1600 | Product Manual - Page 367
    8.2.5. Authentication Rules Chapter 8. User Authentication This is the IKE authentication method which is used as part of VPN tunnel establishment with IPsec. XAuth is an extension to the normal IKE exchange and provides an addition to normal IPsec security which means that clients accessing a VPN
  • D-Link DFL-1600 | Product Manual - Page 368
    Firewall. 2. NetDefendOS sees the new user connection on an interface and checks the Authentication rule set to see if there is a matching rule for traffic on this interface, coming from this network and data which is one of the following types: • HTTP traffic • HTTPS traffic • IPsec tunnel
  • D-Link DFL-1600 | Product Manual - Page 369
    Any packets from an IP address that fails authentication are discarded. 8.2.7. A Group Usage Example To illustrate Authentication Group usage, let's suppose that there are a set of users which will login from a network 192.168.1.0/24 connected to the lan
  • D-Link DFL-1600 | Product Manual - Page 370
    the example of a number of clients on the local network lannet who would like access to the public Internet through the wan interface then the IP rule set would contain the following rules:
      #  Action  Src Interface  Src Network  Dest Interface  Dest Network  Service
      1  Allow   lan            lannet       core
  • D-Link DFL-1600 | Product Manual - Page 371
    folder Example 8.2. User Authentication Setup for Web Access The configurations below show how to enable HTTP user authentication for the user group users on lannet. Only users that belong to the group users can get Web browsing service after authentication, as it is defined in the IP rule
  • D-Link DFL-1600 | Product Manual - Page 372
    authenticated users to browse the Web. 1. Go to Rules > IP Rules > Add > IP rule 2. Now enter: • Name: Allow_http_auth • Action: NAT • Service: HTTP • Source Interface: lan • Source Network: lannet_users • Destination Interface: any • Destination Network: all-nets 3. Click OK Example 8.3. Configuring
  • D-Link DFL-1600 | Product Manual - Page 373
    HTML Pages User Authentication makes use of a set of HTML files to present information to the user during the a simple way to download and edit the files and upload them back to NetDefendOS. The original Default object cannot be edited. The example given below goes through the customization steps
  • D-Link DFL-1600 | Product Manual - Page 374
    user becomes redirected to the URL held by this parameter. Since %REDIRURL% only has this internal purpose, it should not be removed from web pages and should appear in the FormLogin page if that is used. Example 8.4. Editing Content Filtering be used to download the original default HTML, the source
  • D-Link DFL-1600 | Product Manual - Page 375
    HTTPAuthBanners ua_html This creates an object which contains a copy of all the Default user auth banner files. 3. The modified file is then uploaded using SCP. It in Section 2.1.6, "Secure Copy". 4. Using the CLI, the relevant user authentication rule should now be set to use the ua_html. If the
  • D-Link DFL-1600 | Product Manual - Page 376
    8.3. Customizing HTML Pages
  • D-Link DFL-1600 | Product Manual - Page 377
    security is encryption. There are two common scenarios where VPN is used: 1. LAN to LAN connection - Where two internal networks need to be connected together over the Internet. In this case, each network is protected by an individual NetDefend Firewall and the VPN tunnel is set up between them.
  • D-Link DFL-1600 | Product Manual - Page 378
    Encryption Chapter 9. VPN 2. Client to LAN connection - Where many remote clients need to connect to an internal network over the Internet. In this case, the internal network is protected by the NetDefend Firewall to which the client connects and the VPN tunnel is set up between them. 9.1.2. VPN
  • D-Link DFL-1600 | Product Manual - Page 379
    to this task. By doing this, the administrator can restrict which services can be accessed via the VPN and ensure that these services are well protected against intruders. In instances where the firewall features an integrated VPN feature, it is usually possible to dictate the types of communication
  • D-Link DFL-1600 | Product Manual - Page 380
    9.1.5. The TLS Alternative for VPN "The TLS ALG". Chapter 9. VPN
  • D-Link DFL-1600 | Product Manual - Page 381
    are: • IPsec LAN to LAN with Pre-shared Keys • IPsec LAN to LAN with Certificates • IPsec Roaming Clients with Pre-shared Keys • IPsec Roaming Clients with Certificates • L2TP Roaming Clients with Pre-Shared Keys • L2TP Roaming Clients with Certificates • PPTP Roaming Clients Common Tunnel Setup
  • D-Link DFL-1600 | Product Manual - Page 382
    ). • The local network behind the NetDefend Firewall which will communicate across the tunnel. Here we will assume that this is the predefined address lannet and this network is attached to the NetDefendOS lan interface. 4. Create an IPsec Tunnel object (let's call this object ipsec_tunnel
  • D-Link DFL-1600 | Product Manual - Page 383
    end, a root certificate and a gateway certificate) are required for a LAN to LAN tunnel authentication. The setup steps are as follows: 1. Open the WebUI management interface for the NetDefend Firewall at one end of the tunnel. 2. Under Authentication Objects, add the Root Certificate and Host
  • D-Link DFL-1600 | Product Manual - Page 384
    Clients with Pre-shared Keys This section details the setup with roaming clients connecting through an IPsec tunnel with pre-shared keys. There are two types of roaming clients: A. The IP addresses of the clients are already allocated. B. The IP addresses of clients are not known beforehand and
  • D-Link DFL-1600 | Product Manual - Page 385
    user authentication for inbound IPsec tunnels. This will enable a search for the first matching XAUTH rule in the authentication rules. 3. The IP rule set should contain the single rule: Action Allow Src Interface ipsec_tunnel Src Network all-nets Dest Interface lan Dest Network lannet Service
  • D-Link DFL-1600 | Product Manual - Page 386
    in the IPsec Tunnel object ipsec_tunnel. Configuring IPsec Clients In both cases (A) and (B) above, the IPsec client will need to be correctly configured. The client configuration will require the following: with as well as the pre-shared key. • Define the URL or IP address of the NetDefend Firewall
  • D-Link DFL-1600 | Product Manual - Page 387
    public IP address through which clients connect (let's assume this is on the ext interface). • ip_int which is the internal IP address of the interface to which the internal network is connected (let's call this interface int). 3. Define a Pre-shared Key for the IPsec tunnel. 4. Define an IPsec
  • D-Link DFL-1600 | Product Manual - Page 388
    Service All All The second rule would be included to allow clients to surf the Internet via the ext interface on the NetDefend Firewall. The client will be allocated a private internal IP address which must be NATed if connections are then made out to the public Internet via the NetDefend Firewall
  • D-Link DFL-1600 | Product Manual - Page 389
    is not being able to NAT PPTP connections through a tunnel so multiple clients can use a single connection to the NetDefend Firewall. If NATing is tried then only the first client that tries to connect will succeed. The steps for PPTP setup are as follows: 1. In the Address Book define the
  • D-Link DFL-1600 | Product Manual - Page 390
    IP rules in the IP rule set:

    Action  Src Interface  Src Network  Dest Interface  Dest Network  Service
    Allow   pptp_tunnel    pptp_pool    any             int_net       All
    NAT     pptp_tunnel    pptp_pool    ext             all-nets      All

    As described for L2TP, the NAT rule lets the clients access the public Internet via the NetDefend Firewall
  • D-Link DFL-1600 | Product Manual - Page 391
    the various components, techniques and algorithms that are used in IPsec based VPNs. 9.3.1. Overview Internet Protocol Security (IPsec) is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP security at the network layer. An IPsec based VPN is made up of two parts
  • D-Link DFL-1600 | Product Manual - Page 392
    9.3.2. Internet Key Exchange (IKE) Chapter 9. VPN An SA is unidirectional and proposal list is a suggestion of how to protect IPsec data flows. The VPN device initiating an IPsec connection will send a list of the algorithm combinations it supports for protecting the connection and it is then
  • D-Link DFL-1600 | Product Manual - Page 393
    importance that both endpoints are able to agree on all of these parameters. With two NetDefend Firewalls as VPN endpoints, the matching process is greatly simplified since the default NetDefendOS configuration parameters will be the same at either end. However, it may not be as straightforward
  • D-Link DFL-1600 | Product Manual - Page 394
    directly to the NetDefend Firewall, for example for IPsec protected remote configuration. This setting will typically be set to "tunnel" in most configurations. The remote that AH also authenticates parts of the outer IP header, for instance source and destination addresses, making certain that
  • D-Link DFL-1600 | Product Manual - Page 395
    Internet Key Exchange (IKE) Chapter 9. VPN IKE Encryption IKE Authentication IKE DH Group IKE Lifetime PFS Note NetDefendOS does not support again. This value must be set greater than the IPsec SA lifetime. With Perfect Forward Secrecy (PFS) disabled, initial keying material is "created" during
  • D-Link DFL-1600 | Product Manual - Page 396
    Diffie-Hellman Groups. The encryption algorithm that will be used on the protected IPsec traffic. This is not needed when AH is used, or when ESP is used without encryption. The algorithms supported by NetDefend Firewall VPNs are: • AES • Blowfish • Twofish • Cast128 • 3DES • DES This specifies the
  • D-Link DFL-1600 | Product Manual - Page 397
    tunnel. Note NetDefendOS does not support manual keying. Manual Keying Advantages Since it is very straightforward it will be quite interoperable. Most interoperability problems encountered today are in IKE. Manual keying completely bypasses IKE and sets up its own set of IPsec SAs. Manual Keying
  • D-Link DFL-1600 | Product Manual - Page 398
    used as part of a larger public key infrastructure, making all VPN clients and firewalls dependent on third parties. In other words, there are more aspects that have to be configured, and there is more that can go wrong. 9.3.4. IPsec Protocols (ESP/AH) The IPsec protocols are the protocols used to
  • D-Link DFL-1600 | Product Manual - Page 399
    sure the data has not been tampered with on its way through the Internet. Apart from the IP packet data, AH also authenticates parts of the IP header. The AH protocol inserts an AH header after the original IP header. In tunnel mode, the AH header is inserted after the outer header, but before the
  • D-Link DFL-1600 | Product Manual - Page 400
    IKE and IPsec protocols. NAT traversal is only used if both ends have support for it. filter on the source IP of received IKE packets. This should be set to allow the NATed IP address of the initiator. • When individual pre-shared keys are used with multiple tunnels connecting to one remote firewall
  • D-Link DFL-1600 | Product Manual - Page 401
    recommended setting unless, in an unlikely event, the two firewalls have the same external IP address. • IP - An IP address can be manually entered • DNS - A DNS address can be manually entered • Email - An email address can be manually entered 9.3.6. Algorithm Proposal Lists To agree on the VPN
  • D-Link DFL-1600 | Product Manual - Page 402
    in the CLI Reference Guide). Beware of Non-ASCII problem with non-ASCII characters. Windows, for example example does not illustrate how to add the specific IPsec tunnel object. Command-Line Interface First create a Pre-shared Key. To generate the key automatically with a 64 bit (the default
  • D-Link DFL-1600 | Product Manual - Page 403
    are used as the authentication method for IPsec tunnels, the NetDefend Firewall will accept all remote devices or VPN clients that are capable of presenting a certificate signed by any of the trusted Certificate Authorities. This can be a potential problem, especially when using roaming clients
  • D-Link DFL-1600 | Product Manual - Page 404
    , for example JohnDoe 4. Select Distinguished name in the Type control 5. Now enter: • Common Name: John Doe • Organization Name: D-Link • Organizational Unit: Support • Country: Sweden • Email Address: [email protected] 6. Click OK Finally, apply the Identification List to the IPsec tunnel: 1. Go
  • D-Link DFL-1600 | Product Manual - Page 405
    9.3.8. Identification Lists Chapter 9. VPN 2. Select the IPsec tunnel object of interest 3. Under the Authentication tab, choose X.509 Certificate 4. Select the appropriate certificate in the Root Certificate(s) and Gateway Certificate controls 5. Select MyIDList in
  • D-Link DFL-1600 | Product Manual - Page 406
    An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration capabilities as regular interfaces. Remote Initiation of Tunnel Establishment When another NetDefend Firewall
  • D-Link DFL-1600 | Product Manual - Page 407
    "IPsec Advanced Settings". DPD is enabled by default for NetDefendOS IPsec tunnels. tunnel link is assumed to be broken and an attempt is automatically made to re-establish the tunnel. This feature is only useful for LAN to LAN tunnels. Optionally, a specific source IP address and/or a destination IP
  • D-Link DFL-1600 | Product Manual - Page 408
    . Dealing with Unknown IP addresses If the IP address of the client is not known beforehand then the NetDefend Firewall needs to create a route in its routing table dynamically as each client connects. In the example below this is the case and the IPsec tunnel is configured to dynamically add
  • D-Link DFL-1600 | Product Manual - Page 409
    PSK based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip. Web
  • D-Link DFL-1600 | Product Manual - Page 410
    ID List 2. Enter a suitable name, for example sales 3. Click OK 4. Go to Objects > instructions above D. Configure the IPsec tunnel: 1. Go to Interfaces > IPsec > Add > IPsec Tunnel 2. Now enter: • Name: RoamingIPsecTunnel • Local Network: 10.0.1.0/24 (This is the local network that the roaming users
  • D-Link DFL-1600 | Product Manual - Page 411
    Certificate Services). For more information on CA server issued certificates see Section 3.7, "Certificates". Example 9.6. Setting up CA Server Certificate based VPN tunnels for roaming clients This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming
  • D-Link DFL-1600 | Product Manual - Page 412
    OK D. Finally configure the IP rule set to allow traffic inside the tunnel. Using Config Mode IKE Configuration Mode (Config Mode) is an extension to IKE that allows NetDefendOS to provide LAN configuration information to remote VPN clients. It is used to dynamically configure IPsec clients with
  • D-Link DFL-1600 | Product Manual - Page 413
    to be downloaded to the NetDefend Firewall. Lightweight Directory Access Protocol (LDAP) is used for these downloads. However, in some scenarios, this information is missing, or the administrator wishes to use another LDAP server. The LDAP configuration section can then be used to manually specify
  • D-Link DFL-1600 | Product Manual - Page 414
    LDAP > Add > LDAP Server 2. Now enter: • IP Address: 192.168.101.146 • Username: myusername • Password: mypassword • Confirm Password: mypassword • Port: 389 3. Click OK 9.4.5. Troubleshooting with ikesnoop VPN Tunnel Negotiation When setting up IPsec tunnels, problems can arise because the initial
  • D-Link DFL-1600 | Product Manual - Page 415
    Troubleshooting with ikesnoop negotiation and the server refers to the device which is the responder. Chapter 9. VPN Step 1. Client Initiates Exchange by Sending a Supported Association) Payload data length : 152 bytes DOI : 1 (IPsec DOI) Proposal 1/1 Protocol 1/1 Protocol ID : ISAKMP SPI
  • D-Link DFL-1600 | Product Manual - Page 416
    Diffie Hellman (DH) group Life type: Seconds or kilobytes Life duration: No of seconds or kilobytes VID: The IPsec software vendor plus what standards are supported. For example, NAT-T Step 2. Server Responds to Client A typical response from the server is shown below. This must contain a proposal
  • D-Link DFL-1600 | Product Manual - Page 417
    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN SA (Security Association) Payload data length : 52 bytes DOI : 1 (IPsec DOI) Proposal 1/1 61 05 c4 22 e7 68 47 e4 3f 96 84 80 12 92 ae cd Description : draft-stenberg-ipsec-nat-traversal-02 VID (Vendor ID) Payload data length : 16
  • D-Link DFL-1600 | Product Manual - Page 418
    9.4.5. Troubleshooting with ikesnoop NAT-D (NAT Detection) Payload data length : 16 bytes 16 bytes Step 5. Client Sends Identification The initiator sends the identification which is normally an IP address or the Subject Alternative Name if certificates are used. IkeSnoop: Received IKE packet from
  • D-Link DFL-1600 | Product Manual - Page 419
    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Step 6. Server ID Response The a List of Supported IPsec Algorithms Now the client sends the list of supported IPsec algorithms to the server. It will also contain the proposed host/networks that are allowed in the tunnel. IkeSnoop: Received
  • D-Link DFL-1600 | Product Manual - Page 420
    Identification) Payload data length : 12 bytes ID : ipv4_subnet(any Supported Algorithms The server now responds with a matching IPsec proposal from the list sent by the client. As in step 2 above, if no match can be found by the server then a "No proposal chosen" message will be seen, tunnel setup
  • D-Link DFL-1600 | Product Manual - Page 421
    12 bytes ID : ipv4_subnet(any:0,[0..7]=10.4.0.0/16) Step 9. Client Confirms Tunnel Setup This last message is a message from the client saying that the tunnel configuring IPsec tunnels. IPsec Max Rules This specifies the total number of IP rules that can be connected to IPsec tunnels. By default
  • D-Link DFL-1600 | Product Manual - Page 422
    upwards, depending on how the CA is configured. Most CA software allows the CA administrator to issue new CRLs at any time, so even if the "next update" field says that a new CRL is available in 12 hours, there may already be a new CRL for download. This setting limits the time a CRL is
  • D-Link DFL-1600 | Product Manual - Page 423
    . Default: 1024 IPsec Gateway example, if the other side of the tunnel has not sent any ESP packets for a long period but at least one IKE-packet has been seen within the last (10 x the configured value) seconds, then NetDefendOS will not send more DPD-R-U-THERE messages to the other side. Default
  • D-Link DFL-1600 | Product Manual - Page 424
    for which DPD-R-U-THERE messages will be sent. If the other side of the tunnel has not sent a response to any messages then it is considered to be dead (not reachable). The SA will then be placed in the dead cache. This setting is used with IKEv1 only. Default: 15 seconds
  • D-Link DFL-1600 | Product Manual - Page 425
    in the normal way using the PPP protocol and then establishes a TCP/IP connection across the Internet to the NetDefend Firewall, which acts as the PPTP server (TCP port 1723 is used). The ISP is not aware of the VPN since the tunnel extends from the PPTP server to the client. The PPTP standard does
  • D-Link DFL-1600 | Product Manual - Page 426
    is enabled by default. To be able to authenticate the users using the PPTP tunnel you also need to configure authentication rules, which will not be covered in this example. 9.5.2. L2TP Servers Layer 2 Tunneling Protocol (L2TP) is an IETF open standard that overcomes many of the problems of PPTP
  • D-Link DFL-1600 | Product Manual - Page 427
    by default. To be able to authenticate the users using the PPTP tunnel you also need to configure authentication rules, which is not covered in this example. Example 9.12. Setting up an L2TP Tunnel Over IPsec This example shows how to set up a fully working L2TP Tunnel based on IPsec encryption
  • D-Link DFL-1600 | Product Manual - Page 428
    5. Click OK Now we will set up the IPsec Tunnel, which will later be used in the L2TP section. As we are going to use L2TP, the Local Network is the same IP as the IP that the L2TP tunnel will connect to, wan_ip. Furthermore, the IPsec tunnel needs to be configured to dynamically add routes to the
  • D-Link DFL-1600 | Product Manual - Page 429
    =all-nets ProxyARPInterfaces=lan Web Interface 1. Go to Interfaces > L2TP Servers > Add > L2TPServer 2. Enter a name for the L2TP tunnel, for example l2tp_tunnel 3. Now enter: • Inner IP Address: lan_ip • Tunnel Protocol: L2TP • Outer Interface Filter: l2tp_ipsec • Server IP: wan_ip 4. Under the
  • D-Link DFL-1600 | Product Manual - Page 430
    =any DestinationNetwork=all-nets name=NATL2TP Web Interface 1. Go to Rules > IP Rules > Add > IPRule 2. Enter a name for the rule, for example AllowL2TP 3. Now enter: • Action: Allow • Service: all_services • Source Interface: l2tp_tunnel • Source Network: l2tp_pool • Destination Interface: any
  • D-Link DFL-1600 | Product Manual - Page 431
    IPsec. One NetDefend Firewall can act as a client and connect to another unit which acts as the server. Client Setup PPTP and L2TP share a common approach to client setup of Assigned Addresses Both PPTP and L2TP utilize dynamic IP configuration using the PPP LCP protocol. When NetDefendOS receives
  • D-Link DFL-1600 | Product Manual - Page 432
    not work because of the NATing. The only way of achieving multiple PPTP clients being NATed like this, is for the NetDefend Firewall to act as a PPTP client when it connects to the PPTP server. To summarize the setup: • A PPTP tunnel is defined between NetDefendOS and the server. • A route is added
  • D-Link DFL-1600 | Product Manual - Page 433
    9.5.4. PPTP/L2TP Clients Chapter 9. VPN Figure 9.3. PPTP Client Usage
  • D-Link DFL-1600 | Product Manual - Page 434
    used, the two sides of a VPN tunnel exchange their certificates during the tunnel setup negotiation and either may then try to IP address. The following scenarios are possible: 1. The CA server is a private server behind the NetDefend Firewall and the tunnels are set up over the public Internet
  • D-Link DFL-1600 | Product Manual - Page 435
    that NetDefendOS will need to have at least one public DNS server address configured to resolve the FQDNs in the certificates it receives. • It must be also possible for an HTTP PUT request to pass from the validation request source (either the NetDefend Firewall or a client) to the CA server and an
  • D-Link DFL-1600 | Product Manual - Page 436
    NetDefend Firewall and the CA server is on the internal side of the firewall then the IP address of the internal DNS server must be configured in NetDefendOS so that these requests can be resolved. Turning Off FQDN Resolution As explained in the troubleshooting section below, identifying problems
  • D-Link DFL-1600 | Product Manual - Page 437
    correctly entered. • Use ICMP Ping to confirm that the tunnel is working. With roaming clients this is best done by Pinging the internal IP address of the local network interface on the NetDefend Firewall from a client (in LAN to LAN setups pinging could be done in any direction). If NetDefendOS is
  • D-Link DFL-1600 | Product Manual - Page 438
    Consider time-zone issues with newly generated certificates. The NetDefend Firewall's time zone may not be the same as problem. CA Server issues are discussed further in Section 9.6, "CA Server Access". 9.7.3. IPsec Troubleshooting Commands A number of commands can be used to diagnose IPsec tunnels
  • D-Link DFL-1600 | Product Manual - Page 439
    then be sent to the NetDefend Firewall from the remote end of the tunnel. This will cause ikesnoop to output details of the tunnel setup negotiation to the console and any algorithm proposal list incompatibilities can be seen. If there are multiple tunnels in a setup or multiple clients on a single
  • D-Link DFL-1600 | Product Manual - Page 440
    mode, DH Group (for the IKE phase) and PFS (for IPsec phase). 2. Incorrect pre-shared key A problem with the pre-shared key on either side has caused the tunnel negotiation to fail. This is perhaps the easiest of all the error messages to troubleshoot since it can be only one thing, and that
  • D-Link DFL-1600 | Product Manual - Page 441
    sides of the IPsec tunnel. If one side is using Hex and the other Passphrase, this is most likely the error message that you will receive. 5. No public key found This is a very common error message when dealing with tunnels that use certificates for authentication. Troubleshooting this error message
  • D-Link DFL-1600 | Product Manual - Page 442
    proposal list(s). To troubleshoot this you need to examine the settings for the local network, remote network, IKE proposal list and IPsec proposal list on both sides to try to identify a mismatch. For example, suppose we have the following IPsec settings at either end of a tunnel: • Side A Local
  • D-Link DFL-1600 | Product Manual - Page 443
    9.7.6. Specific Symptoms Chapter 9. VPN
  • D-Link DFL-1600 | Product Manual - Page 444
    these bits from the data traffic inside VPN tunnels to the encapsulating packets. • As described later in this chapter, DSCP bits can be used by the NetDefendOS traffic shaping subsystem as a basis for prioritizing traffic passing through the NetDefend Firewall. It is important to understand that
  • D-Link DFL-1600 | Product Manual - Page 445
    IP rule with a service object that uses the SIP ALG cannot be also subject to traffic shaping. 10.1.2. Traffic Shaping in NetDefendOS NetDefendOS offers extensive traffic shaping capabilities for the packets passing through the NetDefend Firewall apply the administrator configured limits for the
  • D-Link DFL-1600 | Product Manual - Page 446
    /network as well as the service to which the rule is to apply. Once a new connection is permitted by the IP rule set, the pipe rule are the pipe or pipes that will be used for outgoing (leaving) traffic from the NetDefend Firewall. One, none or a series of pipes may be specified. • The Return Chain
  • D-Link DFL-1600 | Product Manual - Page 447
    traffic that flows as a result of triggering a FwdFast IP rule in the NetDefendOS IP rule sets. The reason for this is that traffic shaping is only. This is the direction most likely to cause problems for Internet connections. Example 10.1. Applying a Simple Bandwidth Limit Begin with creating
  • D-Link DFL-1600 | Product Manual - Page 448
    Service: all_services • Source Interface: lan • Source Network: lannet • Destination Interface: wan • Destination Network: all-nets 4. Under the Traffic Shaping tab, select std-in in the Return Chain control 5. Click OK This setup limits all traffic from the outside (the Internet example
  • D-Link DFL-1600 | Product Manual - Page 449
    in each direction. Raising the total pipe limit to 4 Mbps will not solve the problem since the single pipe will not know that 2 Mbps of inbound and 2 Mbps to achieve the desired result. The following example goes through the setup for this. Example 10.2. Limiting Bandwidth in Both Directions Create
  • D-Link DFL-1600 | Product Manual - Page 450
    It does not give priorities to different types of competing traffic. 10.1.6. Precedences The Default Precedence is Zero All packets that pass through NetDefendOS traffic shaping pipes have a Precedence. In the examples so far, precedences have not been explicitly set and so all packets have had the
  • D-Link DFL-1600 | Product Manual - Page 451
    or lower than another precedence and not from the number itself. For example, if two precedences are used in a traffic shaping scenario, choosing precedences of Service (ToS) bits are included in the IP packet header. Specifying Precedences Within Pipes When a pipe is configured, a Default Precedence
  • D-Link DFL-1600 | Product Manual - Page 452
    Chapter 10. Traffic Management • Default Precedence: 0 • Maximum Precedence: 7 As described above, the Default Precedence is the precedence taken by network traffic bandwidths, the prefix Kilo means 1000 and NOT 1024. For example, 3 Kbps means 3000 bits per second. Similarly, the prefix Mega means
  • D-Link DFL-1600 | Product Manual - Page 453
    Continuing to use the previous traffic shaping example, let us add the requirement that SSH the higher priority on packets related to these services and these packets are sent through the same total bandwidth limit specified in the pipe's configuration is exceeded. Lower priority packets will
  • D-Link DFL-1600 | Product Manual - Page 454
    problem can occur however if prioritized traffic is a continuous stream such as real-time audio, resulting in continuous use of all available bandwidth and resulting in unacceptably long queuing times for other services traffic from the previous example to a 96 kbps in client-oriented setups. Set the
  • D-Link DFL-1600 | Product Manual - Page 455
    changing the default precedence of as a "priority filter": they make sure feature is enabled by enabling the Grouping option in a pipe. The individual users of a group can then have a limit and/or guarantee specified for them in the pipe. For example, if grouping is done by source IP then each user
  • D-Link DFL-1600 | Product Manual - Page 456
    to specify the Group Limits. These limits can consist of one or both of the following: • Group Limit Total This value specifies a limit for each user within the grouping. For example, if the grouping is by source IP address and the total specified is 100 Kbps then this is saying that no one
  • D-Link DFL-1600 | Product Manual - Page 457
    this case, the Group Limits precedence value is a guarantee and the Pipe Limits value for the same precedence is a limit. For example, if traffic is being grouped by source IP and the Group Limits precedence 5 value is 5 Kbps and the Pipe Limits precedence 5 value is 20 Kbps, then after the fourth
  • D-Link DFL-1600 | Product Manual - Page 458
    IP. Now specify per-user limits by setting the precedence 2 limit to 16 kbps per user. This means that each user to some value, such as 40 kbps. There will be a problem if there are more than 5 users the traffic inside VPN tunnels. This is the raw VPN protocols such as IPsec can add significant
  • D-Link DFL-1600 | Product Manual - Page 459
    connections where packets leave the NetDefend Firewall, there is always the Internet connection that the pipes do not know about, they cannot know when the Internet connection is full. The problems connection. Troubleshooting For a better understanding of what is happening in a live setup, the
  • D-Link DFL-1600 | Product Manual - Page 460
    to specify that all users in a group get a fair and equal amount of bandwidth. 10.1.10. More Pipe Examples This section looks at some more scenarios and how traffic shaping can be used to solve particular problems. A Basic Scenario The first scenario will examine the configuration shown in the image
  • D-Link DFL-1600 | Product Manual - Page 461
    that all users will be allocated a fair share of this capacity. Using Several Precedences We now extend the above example by allocating priorities to different kinds of traffic accessing the Internet from a headquarters office. Let's assume we have a symmetric 2/2 Mbps link to the Internet. We will
  • D-Link DFL-1600 | Product Manual - Page 462
    lan Source Network lannet Dest Interface wan Dest Network all-nets Selected Service occurring inside a single NetDefend Firewall. VPN is typically link. The pipe chaining can be used as a solution to the problem of VPN overhead. A limit which allows for this overhead is placed on the VPN tunnel
  • D-Link DFL-1600 | Product Manual - Page 463
    lan lan wan lan Destination Network vpn_remote_net vpn_remote_net lannet lannet all-nets lannet Selected Prece Service dence H323 6 All 0 H323 6 All 0 All 0 All 0 With this setup coming from the inside and going to the external IP address. This last rule will therefore be: Rule Name
  • D-Link DFL-1600 | Product Manual - Page 464
    10.1.10. More Pipe Examples Chapter 10. Traffic Management Note: SAT and ARPed IP Addresses If the SAT is from an ARPed IP address, the wan interface needs to be the destination.
  • D-Link DFL-1600 | Product Manual - Page 465
    Usage A typical problem that can be bandwidth hungry applications. A typical example of this is traffic related to the quality of service for other network users as bandwidth is of these two features, where traffic flows Shaping The steps for IDP Traffic Shaping setup are as follows: 1. Define an
  • D-Link DFL-1600 | Product Manual - Page 466
    . At least one side of associated connection has to be in the IP range specified for it to be included in traffic shaping. 10.2.3. Processing opened by one host to another through the NetDefend Firewall and traffic begins to flow. The source and destination IP address of the connection is noted by
  • D-Link DFL-1600 | Product Manual - Page 467
    Network range but this is done on the assumption that client B is a user whose traffic might also have to be traffic shaped if they become involved in P2P data transfer. The sequence of events is: • The client with IP address 192.168.1.15 initiates a P2P file transfer through a connection (1) to
  • D-Link DFL-1600 | Product Manual - Page 468
    CLI Reference Guide. Viewing pipes command. For example, to show all configured bandwidth value, one for upstream (forward) traffic and one for downstream (return) traffic. Multiple hosts use the same pipe for each direction with traffic in the upstream pipe grouped using the "Per Source IP" feature
  • D-Link DFL-1600 | Product Manual - Page 469
    required. The traffic shaping pipes that are then automatically created get the highest priority by default and are therefore guaranteed that bandwidth. 10.2.8. Logging IDP Traffic Shaping generates log messages on common conditions. All log messages are documented in the Log Reference Guide.
  • D-Link DFL-1600 | Product Manual - Page 470
    Roles feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. Threshold Policies A Threshold Rule is like other policy based rules found in NetDefendOS, a combination of source/destination network/interface can be specified for a rule and a type of service
  • D-Link DFL-1600 | Product Manual - Page 471
    Multiple in the user interface. If Link ZoneDefense feature to block the source of excessive connection attempts from internal hosts. For more information on this refer to Chapter 12, ZoneDefense. 10.3.8. Threshold Rule Blacklisting If the Protect option is used, Threshold Rules can be configured
  • D-Link DFL-1600 | Product Manual - Page 472
    10.3.8. Threshold Rule Blacklisting Chapter 10. Traffic Management NetDefendOS. The length of time, in seconds, for which the source is blacklisted can also be set. This feature is discussed further in Section 6.7, "Blacklisting Hosts and Networks". 472
  • D-Link DFL-1600 | Product Manual - Page 473
    D-Link NetDefend models The SLB feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. The illustration below shows a typical SLB scenario, with Internet access to internal server applications by external clients being managed by a NetDefend Firewall. 473
  • D-Link DFL-1600 | Product Manual - Page 474
    A Server Load Balancing Configuration Additional Benefits of SLB Besides maintenance tasks on servers or applications without disrupting services. Individual servers can be restarted, upgraded, across a set of servers. NetDefendOS SLB supports the following two algorithms for load distribution:
  • D-Link DFL-1600 | Product Manual - Page 475
    except that the stickiness can be associated with a network instead of a single IP address. The network is specified by stating its size as a parameter. For example, if the network size is specified as 24 (the default) then an IP address 10.01.01.02 will be assumed to belong to the network 10
  • D-Link DFL-1600 | Product Manual - Page 476
    source IP addresses default value for this setting is a network size of 24. 10.4.4. SLB Algorithms and Stickiness This section discusses further how stickiness functions with the different SLB algorithms. An example scenario is illustrated in the figure below. In this example, the NetDefend Firewall
  • D-Link DFL-1600 | Product Manual - Page 477
    Figure 10.12. Stickiness and configuration Link Server Load IP address of each individual server in the server farm. This will detect any failed servers. This works at OSI layer 4. SLB attempts to connect to a specified port on each server. For example, if a server is specified as running web services
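As an added illustration of the stickiness and server monitoring described above (example code written for this page, not NetDefendOS code): a small load balancer that binds a client network, not a single client address, to a server, with the network size as a parameter exactly as the text describes (24 by default), plus a layer 4 probe that attempts a TCP connect to the service port. The excerpt shown here does not name the two distribution algorithms, so plain round-robin over the live servers is assumed; the server addresses 192.168.1.10 and 192.168.1.11 are those of Example 10.3.

```python
"""Added example: SLB stickiness by client network, with a layer 4 probe.

Not NetDefendOS code. Round-robin distribution is assumed; the manual
excerpt on this page does not name the algorithms NetDefendOS offers.
"""
import ipaddress
import socket
from typing import Dict, List, Optional


def network_key(client_ip: str, network_size: int = 24) -> str:
    """Stickiness key: the network of prefix length `network_size` that
    contains `client_ip`. With the default of 24, 10.1.1.2 maps to
    10.1.1.0/24, so every host in that /24 shares one server binding."""
    net = ipaddress.ip_network(f"{client_ip}/{network_size}", strict=False)
    return str(net)


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Layer 4 health check: succeed only if a TCP connection to the
    service port can be established. A refused or timed-out connect
    marks the server as failed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class ServerLoadBalancer:
    def __init__(self, servers: List[str], network_size: int = 24) -> None:
        self.servers = list(servers)
        self.network_size = network_size
        self.alive: Dict[str, bool] = {s: True for s in self.servers}
        self.sticky: Dict[str, str] = {}   # client network -> chosen server
        self._rr = 0                        # round-robin cursor (assumed algorithm)

    def mark(self, server: str, alive: bool) -> None:
        """Record a monitoring result. Bindings to a failed server are
        dropped so its clients are redistributed on their next connection."""
        self.alive[server] = alive
        if not alive:
            self.sticky = {k: v for k, v in self.sticky.items() if v != server}

    def _round_robin(self) -> Optional[str]:
        live = [s for s in self.servers if self.alive[s]]
        if not live:
            return None
        server = live[self._rr % len(live)]
        self._rr += 1
        return server

    def select(self, client_ip: str) -> Optional[str]:
        """Choose the server for a new connection: the sticky binding for
        the client's network if it exists and that server is alive,
        otherwise the next live server, which becomes the new binding."""
        key = network_key(client_ip, self.network_size)
        server = self.sticky.get(key)
        if server is not None and self.alive.get(server):
            return server
        server = self._round_robin()
        if server is not None:
            self.sticky[key] = server
        return server


if __name__ == "__main__":
    lb = ServerLoadBalancer(["192.168.1.10", "192.168.1.11"])
    for client in ("10.1.1.2", "10.1.1.200", "10.1.2.5"):
        print(client, "->", lb.select(client))
```

Run stand-alone, the two clients in 10.1.1.0/24 land on the same server while 10.1.2.5 is sent to the other one. `tcp_probe` needs a reachable target and is therefore not exercised by the demo; in practice its result is fed to `mark()` on every monitoring interval.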
  • D-Link DFL-1600 | Product Manual - Page 478
    IP address of the NetDefend Firewall. Example 10.3. Setting up SLB In this example server load balancing is to be done between 2 HTTP webservers which are situated behind the NetDefend Firewall. The 2 webservers have the private IP addresses 192.168.1.10 and 192.168.1.11 respectively. The default
  • D-Link DFL-1600 | Product Manual - Page 479
    Objects > Address Book > Add > IP Address 2. Enter a suitable name, for example server1 3. Enter the IP Address as 192.168.1.10 4. IP rule for internal clients: 1. Go to Rules > IP Rule Sets > main > Add > IP Rule 2. Enter: • Name: Web_SLB_NAT • Action: NAT • Service: HTTP • Source Interface: lan
  • D-Link DFL-1600 | Product Manual - Page 480
    10.4.6. Setting Up SLB_SAT Rules 1. Go to Rules > IP Rule Sets > main > Add > IP Rule 2. Enter: • Name: Web_SLB_ALW • Action: Allow • Service: HTTP • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: ip_ext 3. Click OK Chapter 10. Traffic
  • D-Link DFL-1600 | Product Manual - Page 481
    10.4.6. Setting Up SLB_SAT Rules Chapter 10. Traffic Management 481
  • D-Link DFL-1600 | Product Manual - Page 482
    capability to NetDefend Firewall installations. HA works by adding a back-up slave NetDefend Firewall to an existing master firewall. The master High Availability is only available on some NetDefend models The HA feature is only available on the D-Link NetDefend DFL-1600, 1660, 2500, 2560 and 2560G
  • D-Link DFL-1600 | Product Manual - Page 483
    management interface as a single logical NetDefend Firewall. Administration operations such as changing rules in the IP rule set are carried out as normal with the changes automatically being made to the configurations of both the master and the slave. Load-sharing D-Link HA clusters do not provide
  • D-Link DFL-1600 | Product Manual - Page 484
    feature. Basic Principles D-Link HA provides a redundant, state-synchronized hardware configuration operation. An operation, for example opening a file, could result IP is the interface address of the sending firewall. • The destination IP is the broadcast address on the sending interface. • The IP
  • D-Link DFL-1600 | Product Manual - Page 485
    to occur for the new database contents to become active. A database update causes the following sequence of events to occur in an HA cluster: 1. The active (master) unit downloads the new database files from the D-Link servers. The download is done via the shared IP address of the cluster. 2. The
  • D-Link DFL-1600 | Product Manual - Page 486
    of connections could be compared with the stats command. If IPsec tunnels are heavily used, the ipsecglobalstat -verbose command could be used instead and significant differences in the numbers of IPsec SAs, IKE SAs, active users and IP pool statistics would indicate a failure to synchronize. If the
  • D-Link DFL-1600 | Product Manual - Page 487
    translation, unless the configuration explicitly specifies another address. Note: Management cannot be done through the shared IP The shared IP address cannot be used for remote management or monitoring purposes. When using, for example, SSH for remote management of the NetDefend Firewalls in an HA
  • D-Link DFL-1600 | Product Manual - Page 488
    the external Internet. Note: The illustration shows a crossover cable sync connection The illustration above shows a direct crossover cable connection between the sync interfaces of each unit. This connection could, instead, be via a switch or broadcast domain. 11.3.2. NetDefendOS Manual HA Setup To
  • D-Link DFL-1600 | Product Manual - Page 489
    "private IP address" is not strictly correct when used here. Either address used in an IP4 HA Address object may be public if management access across the public Internet is required. 9. Save and activate the new configuration. 10. Repeat the above steps for the other NetDefend Firewall but this
  • D-Link DFL-1600 | Product Manual - Page 490
    HA setup, NetDefendOS provides the advanced option Use Unique Shared MAC Address. By default, this is enabled and in most configurations it should for example, the lan1 interface on the master unit will appear to have the same MAC address as the lan1 interface on the slave unit. Problem Diagnosis
  • D-Link DFL-1600 | Product Manual - Page 491
    , such as for source IPs in dynamically NATed connections or publishing services on them, will inevitably cause problems since unique IPs will disappear when the firewall they belong to does. The Shared IP Must Not Be 0.0.0.0 Assigning the IP address 0.0.0.0 as the shared IP address must be avoided
  • D-Link DFL-1600 | Product Manual - Page 492
    there will also be a second, backup designated router to provide OSPF metrics if the main designated router should fail. PPPoE Tunnels and DHCP Clients For reasons connected with the shared IP addresses of an HA cluster, PPPoE tunnels and DHCP clients should not be configured in an HA cluster. 492
  • D-Link DFL-1600 | Product Manual - Page 493
    inactive unit is identified, upgrade this unit with the new NetDefendOS version. This is done exactly as though the unit were not in a cluster. For example, the Web Interface can be used to do the upgrade. Important: Make sure the inactive unit is ALIVE Before going to the next step make
  • D-Link DFL-1600 | Product Manual - Page 494
    11.5. Upgrading an HA Cluster Chapter 11. High Availability console and issue the ha -deactivate command. This will cause the active unit to become inactive, and the inactive to become active. gw-world:/> ha -deactivate HA Was: ACTIVE HA going INACTIVE... To check that the failover has completed
  • D-Link DFL-1600 | Product Manual - Page 495
    repeated periods of silence. The length of this silence is this setting. Default: 5 Use Unique Shared Mac Use a unique shared MAC address for each the time where no node is active during configuration deployments. Default: Enabled Reconf Failover Time Number of non-responsive seconds before
  • D-Link DFL-1600 | Product Manual - Page 496
    11.6. HA Advanced Settings Chapter 11. High Availability 496
  • D-Link DFL-1600 | Product Manual - Page 497
    This chapter describes the D-Link ZoneDefense feature. • Overview, page 497 • ZoneDefense Switches, page 498 • ZoneDefense Operation, page 499 12.1. Overview ZoneDefense Controls Switches ZoneDefense allows a NetDefend Firewall to control locally attached switches. It can be used as a counter
  • D-Link DFL-1600 | Product Manual - Page 498
    ZoneDefense Switches Chapter 12. ZoneDefense 12.2. ZoneDefense Switches Switch information regarding every switch that is to be controlled by the firewall has to be manually specified in the firewall configuration. The information needed in order to control a switch includes: • The IP address of
  • D-Link DFL-1600 | Product Manual - Page 499
    Operation 12.3.1. SNMP Simple Network Management Protocol (SNMP) is an application layer protocol for complex network management. SNMP allows the managers and managed devices in a network to communicate with each other. SNMP Managers A typical managing device, such as a NetDefend Firewall, uses
  • D-Link DFL-1600 | Product Manual - Page 500
    switch. This prevents the firewall from being accidentally blocked out. Example 12.1. A simple ZoneDefense scenario The following simple example illustrates the steps needed to set up ZoneDefense. It is assumed that all interfaces on the firewall have already been configured. An HTTP threshold of
  • D-Link DFL-1600 | Product Manual - Page 501
    list. 3. Click OK Configure an HTTP threshold of 10 connections/second: 1. Go to Traffic Management > Threshold Rules > Add > Threshold Rule 2. For the Threshold Rule enter: • Name: HTTP-Threshold • Service: http 3. For Address Filter enter: • Source Interface: The firewall's management interface
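The Threshold Rule and blacklisting behaviour of Section 10.3 and the ZoneDefense scenario of Example 12.1 can be modelled with the following added example (written for this page, not NetDefendOS code). It counts new HTTP connections per source host over a sliding one-second window, blacklists a source that exceeds 10 connections/second for a configurable number of seconds, and exempts the firewall's own address so that the firewall can never block itself out. The log line format parsed here is constructed for the example and is not the NetDefendOS log format.

```python
"""Added example: connection-rate threshold with timed blacklisting.

Not NetDefendOS code. The log lines are a constructed format for this demo.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple


class ThresholdRule:
    """Per-source connection-rate threshold for one service.

    A source that opens more than `rate` connections for `service` inside
    any one-second window is blacklisted for `blacklist_seconds`. Sources
    in `exempt` (the firewall's own addresses) are never blacklisted.
    """

    def __init__(self, service: str, rate: int, blacklist_seconds: float,
                 exempt: Iterable[str] = ()) -> None:
        self.service = service
        self.rate = rate
        self.blacklist_seconds = blacklist_seconds
        self.exempt = set(exempt)
        self._window: Dict[str, Deque[float]] = defaultdict(deque)
        self.blacklist: Dict[str, float] = {}   # source -> expiry time

    def is_blacklisted(self, src: str, now: float) -> bool:
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:             # blacklist period over, host released
            del self.blacklist[src]
            return False
        return True

    def observe(self, now: float, src: str, service: str) -> str:
        """Process one new connection; returns 'allow', 'drop' (source is
        currently blacklisted) or 'blacklist' (threshold crossed now)."""
        if self.is_blacklisted(src, now):
            return "drop"             # the whole host is blocked, any service
        if service != self.service:
            return "allow"            # the rule only counts its own service
        window = self._window[src]
        window.append(now)
        while window and window[0] <= now - 1.0:
            window.popleft()          # keep only the last second
        if len(window) > self.rate:
            if src in self.exempt:
                return "allow"        # never block the firewall itself
            self.blacklist[src] = now + self.blacklist_seconds
            window.clear()
            return "blacklist"
        return "allow"


def parse_line(line: str) -> Dict[str, str]:
    """Parse 't=0.10 src=192.168.1.15 dst=10.0.0.1 svc=http' (constructed format)."""
    return dict(field.split("=", 1) for field in line.split())


def run_log(lines: Iterable[str], rule: ThresholdRule) -> List[Tuple[float, str, str]]:
    """Feed connection log lines through the rule; return the non-allow events."""
    events: List[Tuple[float, str, str]] = []
    for line in lines:
        rec = parse_line(line)
        t = float(rec["t"])
        verdict = rule.observe(t, rec["src"], rec["svc"])
        if verdict != "allow":
            events.append((t, rec["src"], verdict))
    return events


# Constructed sample: 12 HTTP connections from one host within 0.55 s,
# then a single connection from a well-behaved host.
SAMPLE_LOG = [f"t={i * 0.05:.2f} src=192.168.1.15 dst=10.0.0.1 svc=http"
              for i in range(12)]
SAMPLE_LOG.append("t=0.70 src=192.168.1.20 dst=10.0.0.1 svc=http")


if __name__ == "__main__":
    rule = ThresholdRule("http", rate=10, blacklist_seconds=60,
                         exempt=["192.168.1.1"])
    for event in run_log(SAMPLE_LOG, rule):
        print(event)
```

The 11th connection inside the window produces the `blacklist` event and the 12th is dropped; the second host never trips the rule. In a ZoneDefense deployment the `blacklist` event is where the SNMP command to the switch would be issued, and the exemption list is why the text insists on excluding the firewall from blocking.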
  • D-Link DFL-1600 | Product Manual - Page 502
    Chapter 12. ZoneDefense of latency time to implement blocking once the rule is triggered. Some models can activate blocking in less than a second while some models may require a minute or more. A second difference is the maximum number of rules supported by different switches. Some switches support
  • D-Link DFL-1600 | Product Manual - Page 503
    12.3.5. Limitations Chapter 12. ZoneDefense 503
  • D-Link DFL-1600 | Product Manual - Page 504
    configuration must be activated in order for the new value to take effect. • IP Default: Enabled Log non IP4 Logs occurrences of IP packets that are not version 4. NetDefendOS only accepts version 4 IP packets; everything else is discarded. Default: Enabled Log Received TTL 0 Logs occurrences of IP
  • D-Link DFL-1600 | Product Manual - Page 505
    13.1. IP Level Settings Chapter 13. Advanced Settings Block 0000 Src Block 0.0.0.0 as source address. Default: Drop Block 0 Net Block 0.* as source addresses. Default: DropLog Block 127 Net Block 127.* as source addresses. Default: DropLog Block Multicast Src Block multicast both source addresses
  • D-Link DFL-1600 | Product Manual - Page 506
    security risk. NetDefendOS never obeys the source routes specified by these options, regardless of this setting. Default: DropLog IP Options Timestamps Time stamp options instruct each router and firewall on the packet's route to indicate at what time the packet was forwarded along the route. These
  • D-Link DFL-1600 | Product Manual - Page 507
    : 65535 bytes Multicast Mismatch option What action to take when Ethernet and IP multicast addresses do not match. Default: DropLog Min Broadcast TTL option The shortest IP broadcast Time-To-Live value accepted on receipt. Default: 1 Low Broadcast TTL Action option What action to take on too low
  • D-Link DFL-1600 | Product Manual - Page 508
    taken on packets whose TCP MSS option falls below the stipulated TCPMSSMin value. Values that are too low could cause problems in poorly written TCP stacks. Default: DropLog TCP MSS Max Determines the maximum permissible TCP MSS size. Packets containing maximum segment sizes exceeding this limit are
  • D-Link DFL-1600 | Product Manual - Page 509
    to MTU of involved interfaces, in addition to TCPMSSMax. Default: Enabled TCP Zero Unused ACK Determines whether NetDefendOS should set limit without the recipient being aware of it. This is not normally a problem. Using TSOPT, some TCP stacks optimize their connection by measuring the time it
  • D-Link DFL-1600 | Product Manual - Page 510
    attention. These two flags should not be turned on in a single packet as they are used exclusively to crash computers with poorly implemented TCP stacks. Default: DropLog TCP SYN/PSH Specifies how NetDefendOS will deal with TCP packets with SYN and PSH (push) flags both turned on. The PSH flag means
  • D-Link DFL-1600 | Product Manual - Page 511
    are only a few operating systems supporting this standard, the flags should be stripped. Default: StripLog TCP Reserved Field Specifies how OS Fingerprinting and stealth port scanners, as some firewalls are unable to detect them. Default: DropLog TCP Sequence Numbers Determines if the sequence
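The IP-level and TCP settings above amount to a per-packet policy. The following added example (written for this page, not NetDefendOS code) applies that policy to a simplified packet record, using the defaults the excerpt states: Block 0000 Src = Drop, Block 0 Net and Block 127 Net = DropLog, source-route options = DropLog, the flag pair whose description is cut off at "attention" above taken to be SYN together with URG = DropLog, the flags that only a few operating systems support taken to be the ECN bits and stripped (StripLog), TCP Reserved Field = DropLog, and an MSS below the minimum = DropLog. The defaults for the multicast-source check and for SYN/PSH, and the MSS minimum of 100 bytes, are not visible in the excerpt and are assumptions. A "Log" suffix is modelled as appending a log entry, "Drop" as discarding the packet at that check, and "Strip" as clearing the offending bits and passing the packet on.

```python
"""Added example: packet sanity policy modelled on the IP-level and TCP
settings listed above. Not NetDefendOS code; values marked 'assumed'
are not visible in the manual excerpt.
"""
from dataclasses import dataclass, field
import ipaddress
from typing import List, Optional, Set, Tuple

LSRR, SSRR = 131, 137   # IP option types: loose / strict source routing
ECN_FLAGS = {"ECE", "CWR"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    ip_options: List[int] = field(default_factory=list)
    tcp_flags: Set[str] = field(default_factory=set)
    tcp_reserved: int = 0            # value of the reserved bits in the TCP header
    tcp_mss: Optional[int] = None    # MSS option if present (SYN packets)


@dataclass
class Settings:
    block_0000_src: str = "Drop"           # page: Default Drop
    block_0_net: str = "DropLog"           # page: Default DropLog
    block_127_net: str = "DropLog"         # page: Default DropLog
    block_multicast_src: str = "DropLog"   # assumed
    ip_opt_source_route: str = "DropLog"   # page: Default DropLog
    tcp_syn_urg: str = "DropLog"           # page: Default DropLog
    tcp_syn_psh: str = "DropLog"           # assumed
    tcp_ecn: str = "StripLog"              # page: Default StripLog
    tcp_reserved: str = "DropLog"          # page: Default DropLog
    tcp_mss_min: int = 100                 # assumed limit
    tcp_mss_min_action: str = "DropLog"    # page: Default DropLog


def inspect(pkt: Packet, s: Optional[Settings] = None) -> Tuple[str, List[str]]:
    """Apply the checks in order. Returns ('Drop' | 'Allow', log entries).
    An action ending in 'Log' records an entry; 'Drop...' discards the
    packet at that check; 'Strip...' clears the offending bits in place
    and continues with the remaining checks."""
    s = s or Settings()
    logs: List[str] = []
    hits: List[Tuple[str, str]] = []    # (configured action, check name)

    src = ipaddress.ip_address(pkt.src)
    if pkt.src == "0.0.0.0":
        hits.append((s.block_0000_src, "Block0000Src"))
    elif pkt.src.startswith("0."):
        hits.append((s.block_0_net, "Block0Net"))
    elif pkt.src.startswith("127."):
        hits.append((s.block_127_net, "Block127Net"))
    elif src.is_multicast:
        hits.append((s.block_multicast_src, "BlockMulticastSrc"))
    if any(opt in (LSRR, SSRR) for opt in pkt.ip_options):
        hits.append((s.ip_opt_source_route, "IPOptSourceRoute"))

    if pkt.proto == "tcp":
        f = pkt.tcp_flags
        if {"SYN", "URG"} <= f:
            hits.append((s.tcp_syn_urg, "TCPSynUrg"))
        if {"SYN", "PSH"} <= f:
            hits.append((s.tcp_syn_psh, "TCPSynPsh"))
        if pkt.tcp_reserved:
            hits.append((s.tcp_reserved, "TCPReservedField"))
        if f & ECN_FLAGS:
            hits.append((s.tcp_ecn, "TCPECN"))
        if pkt.tcp_mss is not None and pkt.tcp_mss < s.tcp_mss_min:
            hits.append((s.tcp_mss_min_action, "TCPMSSMin"))

    for action, name in hits:
        if action.endswith("Log"):
            logs.append(f"{name} {pkt.src}->{pkt.dst} action={action}")
        if action.startswith("Drop"):
            return "Drop", logs
        if action.startswith("Strip"):
            if name == "TCPECN":
                pkt.tcp_flags -= ECN_FLAGS
            elif name == "TCPReservedField":
                pkt.tcp_reserved = 0
    return "Allow", logs


if __name__ == "__main__":
    probe = Packet(src="10.1.1.5", dst="10.0.0.1", tcp_flags={"SYN", "ECE", "CWR"})
    print(inspect(probe), probe.tcp_flags)
```

Note the difference between Drop and DropLog in the first two checks: a 0.0.0.0 source is discarded silently, whereas a 127.* source leaves an entry, which is the distinction the settings table draws. Changing a field in `Settings` is the equivalent of editing the corresponding advanced setting and activating the configuration.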
  • D-Link DFL-1600 | Product Manual - Page 512
    , web-surfing traffic is most likely to be affected, although the impact is likely to occur randomly. Using these values instead of the default setting will completely disable sequence number validation for TCP re-open attempts. Once the connection has been established, normal TCP sequence number
  • D-Link DFL-1600 | Product Manual - Page 513
    . In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section. Default: 500 Silently Drop State ICMPErrors Specifies if NetDefendOS should silently drop ICMP errors pertaining to statefully tracked open connections. If these errors are
  • D-Link DFL-1600 | Product Manual - Page 514
    for example, getting TCP FIN packets in response to TCP SYN packets. Default: Enabled Log Connections Specifies how NetDefendOS will log connections: • NoLog - Does not log any connections; consequently, it will not matter if logging is enabled for either Allow or NAT rules in the IP
  • D-Link DFL-1600 | Product Manual - Page 515
    set up in the NetDefendOS state-engine. Traffic whose destination is the NetDefend Firewall itself, for example NetDefendOS management traffic, is not subject to this setting. The log message includes port, service, source/destination IP address and interface. This setting should only be enabled for
  • D-Link DFL-1600 | Product Manual - Page 516
    before being closed. Default: 60 TCP Idle both directions. Default: 262144 TCP has passed in any direction. Default: 80 UDP Idle Lifetime Specifies in Default: 130 UDP Bidirectional Keep-alive This allows both sides to keep a UDP connection alive. The default data. Default: Disabled Ping Idle Lifetime
  • D-Link DFL-1600 | Product Manual - Page 517
    13.5. Connection Timeout Settings Chapter 13. Advanced Settings Other Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before it is closed. Default: 130 517
  • D-Link DFL-1600 | Product Manual - Page 518
    usually correlates with the amount of IP data that can be accommodated in not wish to use large Ping packets. Default: 10000 Max GRE Length Specifies in bytes transportation of PPTP, Point to Point Tunneling Protocol, data. This value should Payload, is used by IPsec where encryption is applied.
  • D-Link DFL-1600 | Product Manual - Page 519
    size of an OSPF packet. OSPF is a routing protocol mainly used in larger LANs. Default: 1480 Max IPIP/FWZ Length Specifies in bytes the maximum size of an IP-in-IP packet. IP-in-IP is used by Checkpoint Firewall-1 VPN connections when IPsec is not used. This value should be set at the size of the
  • D-Link DFL-1600 | Product Manual - Page 520
    each one given their own IP header and information that will help the recipient reassemble the original packet correctly. Many IP stacks, however, are unable reassembly, and in this way block almost all communication. Default: DropLog - discards individual fragments and remembers that the reassembly
  • D-Link DFL-1600 | Product Manual - Page 521
    were lost on their way across the Internet, which is a quite common occurrence. fragments. Such failures may arise if, for example, the IllegalFrags setting has been set to fragments of the packet as and when they arrive. Default: LogSuspectSubseq Dropped Fragments If a packet is denied entry
  • D-Link DFL-1600 | Product Manual - Page 522
    Default problems for IP tunnel on the route to the recipient subsequently reduce the effective MTU to 1440 bytes. This would result in the creation of a number of 1440 byte fragments and an equal number of 40 byte fragments. Because of potential problems this can cause, the default Default Default
  • D-Link DFL-1600 | Product Manual - Page 523
    13.7. Fragmentation Settings Chapter 13. Advanced Settings Reassembly Illegal Limit Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving. Default: 60 523
  • D-Link DFL-1600 | Product Manual - Page 524
    13. Advanced Settings 13.8. Local Fragment Reassembly Settings Max Concurrent Maximum number of concurrent local reassemblies. Default: 256 Max Size Maximum size of a locally reassembled packet. Default: 10000 Large Buffers Number of large ( over 2K) local reassembly buffers (of the above size
  • D-Link DFL-1600 | Product Manual - Page 525
    100. Default: 3 Max Pipe Users The maximum number of pipe users to allocate. As pipe users are only tracked for a 20th of a second, this number usually does not need to be anywhere near the number of actual users, or the number of statefully tracked connections. If there are no configured pipes
  • D-Link DFL-1600 | Product Manual - Page 526
    13.9. Miscellaneous Settings Chapter 13. Advanced Settings 526
  • D-Link DFL-1600 | Product Manual - Page 527
    NetDefend Firewall system and enter this activation code. NetDefendOS will indicate the code is accepted and the update service will be activated. (Make sure access to the public Internet is possible when doing this). Tip: A registration guide can be downloaded A step-by-step "Registration manual
  • D-Link DFL-1600 | Product Manual - Page 528
    of the D-Link network servers use the command: gw-world:/> updatecenter -servers Deleting Local Databases Some technical problem in the operation a couple of seconds to be optimized once an update is downloaded. This will cause the firewall to momentarily pause in its operation. It can therefore be
  • D-Link DFL-1600 | Product Manual - Page 529
    , the following signature groups are available for selection. These groups are available only for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Policy. For further information see Section 6.5, "Intrusion Detection and Prevention". Group Name
  • D-Link DFL-1600 | Product Manual - Page 530
    and implementation IGMP IMAP protocol/implementation AOL IM Instant Messenger implementations MSN Messenger Yahoo Messenger IP protocol and implementation Overflow of IP protocol/implementation Internet Relay Chat General LDAP clients/servers Open LDAP License management for CA software General
  • D-Link DFL-1600 | Product Manual - Page 531
    Nessus Scanner Anti-virus solutions Internet Security Systems software McAfee Symantec AV solution SMB Error SMB Exploit SMB attacks NetBIOS attacks SMB worms SMTP command attack Denial of Service for SMTP SMTP protocol and implementation SMTP Overflow SPAM SNMP encoding SNMP protocol/implementation
  • D-Link DFL-1600 | Product Manual - Page 532
    Coldfusion file inclusion File inclusion Web application attacks JSP file inclusion Popular web application packages PHP XML RPC SQL Injection Cross-Site-Scripting MS WINS Service Worms Generic X applications 532
  • D-Link DFL-1600 | Product Manual - Page 533
    ALGs) have the optional ability to verify that the contents of a downloaded file matches the type that the filetype in the ALG • The POP3 ALG • The SMTP ALG The ALGs listed above also offer the option to explicitly allow or block certain filetypes as downloads from a list of types. That list
  • D-Link DFL-1600 | Product Manual - Page 534
    filetypes Application Windows Control Panel Extension file Database file Graphics Multipage PCX Bitmap file Debian Linux Package file DjVu file Windows dynamic link library file DPA archive data TeX Device Independent Document EET archive Allegro datafile eMacs Lisp Byte-compiled Source Code ABT EMD
  • D-Link DFL-1600 | Product Manual - Page 535
    nsf obj, o ocx ogg out pac pbf pbm pdf pe pfb pgm pkg pll pma png ppm ps psa Sound file Windows object file, linux object file Object Linking and Embedding (OLE) Control Extension Ogg Vorbis Codec PAKLeo archive data PMarc archive data Portable (Public) Network Graphic PBM Portable Pixelmap Graphic
  • D-Link DFL-1600 | Product Manual - Page 536
    Filetype extension tfm tiff, tif tnef torrent ttf txw ufa vcf viv wav wk wmv wrl, vrml xcf xm xml xmcd xpm yc zif zip zoo zpk z Appendix C. Verified MIME filetypes Application TeX font metric data Tagged Image Format file Transport Neutral Encapsulation Format BitTorrent Metainfo file TrueType Font
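Checking that a download's content matches its declared filetype, as the ALGs described above do, comes down to comparing the file's leading bytes with the known signature for its extension. The following is an added example written for this page, not D-Link's ALG implementation, covering a handful of the types in the appendix table (png, pdf, zip, ogg, tiff/tif, ttf, xml, wav) together with the allow/block list the text mentions. The signatures are the public magic numbers for those formats; the sample data is constructed.

```python
"""Added example: verify that a file's content matches its extension, and
apply an extension block list. Not D-Link's ALG code; the signatures are
the public magic numbers for a few of the types listed in the appendix.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Each signature variant is a list of (offset, bytes) pairs that must all match.
SIGNATURES: Dict[str, List[List[Tuple[int, bytes]]]] = {
    "png":  [[(0, b"\x89PNG\r\n\x1a\n")]],
    "pdf":  [[(0, b"%PDF")]],
    "zip":  [[(0, b"PK\x03\x04")], [(0, b"PK\x05\x06")]],   # entry / empty archive
    "ogg":  [[(0, b"OggS")]],
    "tiff": [[(0, b"II*\x00")], [(0, b"MM\x00*")]],        # little / big endian
    "ttf":  [[(0, b"\x00\x01\x00\x00")]],
    "xml":  [[(0, b"<?xml")]],
    "wav":  [[(0, b"RIFF"), (8, b"WAVE")]],                # RIFF chunk + WAVE form type
}
ALIASES = {"tif": "tiff"}   # the table lists "tiff, tif" as one type


def declared_type(filename: str) -> str:
    """Filetype claimed by the name: the extension, with aliases folded."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ALIASES.get(ext, ext)


def sniff(data: bytes) -> Optional[str]:
    """Return the type whose signature matches the content, or None.
    Only the leading bytes are examined, as an ALG would do while the
    download is still in flight."""
    for ftype, variants in SIGNATURES.items():
        for variant in variants:
            if all(data[off:off + len(magic)] == magic for off, magic in variant):
                return ftype
    return None


def verify(filename: str, data: bytes,
           blocked: Iterable[str] = ()) -> Tuple[bool, str]:
    """Decide whether a download passes: (allowed, reason).

    Blocked extensions are refused outright. A type with a known
    signature must match its content; content carrying another known
    type's signature is refused as a disguised file; anything else
    cannot be verified and is passed through."""
    ext = declared_type(filename)
    if ext in {ALIASES.get(b, b) for b in blocked}:
        return False, f"extension {ext} is on the block list"
    found = sniff(data)
    if ext in SIGNATURES:
        if found == ext:
            return True, f"verified {ext}"
        return False, f"content is {found or 'unrecognised'}, not {ext}"
    if found is not None:
        return False, f"{ext} file carries a {found} signature"
    return True, f"{ext or 'no extension'}: no signature, not verified"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed sample
    for name in ("photo.png", "report.pdf", "notes.txt"):
        print(name, verify(name, png))
```

The three demo calls show the three outcomes: the PNG bytes pass as `photo.png`, are refused as `report.pdf` because the declared type has a signature that does not match, and are refused as `notes.txt` because a text file should not carry an image signature. Types absent from the table, such as a plain `.txt` with no signature, are passed through unverified, which is the limit of this kind of check.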
  • D-Link DFL-1600 | Product Manual - Page 537
    features such as ARP, Services Link Physical Figure D.1. The 7 Layers of the OSI Model Layer Functions The different layers perform the following functions: Layer 7 - Application Layer Defines the user interface that supports applications directly. Protocols: HTTP, FTP, TFTP. DNS, SMTP
  • D-Link DFL-1600 | Product Manual - Page 538
    SMTP, 254 spam filtering, 257 TFTP, 253 TLS, 289 algorithm proposal list (see proposal lists) all-nets IP object, 81, 117 Allow IP rule, 119 Allow on error (RADIUS) setting, 63 Allow TCP Reopen setting, 512 amplification attacks, 328 anonymizing internet traffic, 338 anti-spam filtering (see spam
  • D-Link DFL-1600 | Product Manual - Page 539
    reclassification, 299 spam, 306 static, 293 content filtering HTML customizing, 307 core interface, 91, 117 core routes, 150 D date and time, 132 Deactivate Before Reconf (HA) setting, 495 dead peer detection (see IPsec) Decrement TTL setting, 219 default access rule, 147, 237 Default TTL setting
  • D-Link DFL-1600 | Product Manual - Page 540
    , 139 DNS black lists for Spam filtering, 258 documentation, 18 DoS attack (see denial of service) downloading files with SCP, 45 DPD Expire Time (IPsec) setting, 423 DPD Keep Time (IPsec) setting, 423 DPD Metric (IPsec) setting, 423 drop all IP rule, 117 Drop IP rule, 119 Dropped Fragments setting
  • D-Link DFL-1600 | Product Manual - Page 541
    , 421 algorithm proposal lists, 401 and IP rules, 406 clients, 386 dead peer detection, 407 keep-alive, 407 LAN to LAN setup, 382 overview, 391 quick start guide, 381 roaming clients setup, 384 troubleshooting, 437 tunnel establishment, 406 tunnels, 406 IPsec Before Rules setting, 422 usage, 406
  • D-Link DFL-1600 | Product Manual - Page 542
    Max IPsec Pipe Users services in SMTP multiple IP links, 176, 184 Other Idle Lifetimes setting, 516 overriding content filtering, 299 P packet flow full description, 23 simplified, 118 password length, 38 pcapdump, 70 downloading configuration, 101 unnumbered support, 102 with HA, 102 PPTP,
  • D-Link DFL-1600 | Product Manual - Page 543
    IP rule, 119 Relay MPLS setting, 221 Relay Spanning-tree BPDUs setting, 218, 220 restore to factory defaults, 74 restoring configuration backups route, 267 SLB (see server load balancing) SMTP ALG, 254 ESMTP extensions, 256 header verification, 260 log receiver with IDP, 322 whitelist precedence,
  • D-Link DFL-1600 | Product Manual - Page 544
    advanced settings, 218 and internet access, 211 and NAT, 213 grouping IP addresses, 213 implementation, 208 single host routes, 209 switch routes, 207, 209 with high availability, 211 with VLANs, 210 vs routing mode, 207 TTL Min setting, 505 TTL on Low setting, 505 tunnels, 90 U UDP Bidirectional
  • D-Link DFL-1600 | Product Manual - Page 545
    VoIP (see voice over IP) VPN, 377 planning, 378 quick start guide, 381 troubleshooting, 437 W Watchdog Time setting, 525 WCF (see web content filtering) webauth, 369 web content filtering, 295 fail mode, 297 whitelisting, 296 web interface, 28, 29 default connection interface, 30 setting workstation