D-Link DFL-200 Product Manual - Page 27

Source Users/Groups

– Specifies if an authenticated username is needed for this policy

to match. Simply make a list of usernames separated by commas (,), specify an entire user

group, or write

Any

to indicate all authenticated users to enable authentication on this policy.

If it is left blank there is no need for authentication for the policy.

Destination Nets

– Specifies the span of IP addresses to be compared to the destination

IP of the received packet. Leave this blank to match everything.

Destination Users/Groups

– Specifies if an authenticated username is needed for this

policy to match. Either make a list of usernames, separated by a comma (,) or write Any for

any authenticated user. If it is left blank there is no need for authentication for the policy.

Service Filter

Either choose a predefined service from the dropdown menu or make a custom service.

The following custom services exist:

All

–

Matches all protocols.

TCP+UDP+ICMP

–

This service matches all ports on either the TCP or the UDP protocol,

including ICMP.

Custom TCP

–

This service is based on the TCP protocol.

Custom UDP

–

This service is based on the UDP protocol.

Custom TCP+UDP

–

This service uses both the TCP and UDP protocols.

The following is used when making a custom service:

Custom source/destination ports –

For many services, a single destination port is

sufficient. The source port used most often are all ports, 0-65535. The http service, for

instance, uses destination port 80. A port range can also be used, meaning that a range 137-

139 covers ports 137, 138, and 139. Multiple ranges or individual ports may also be entered,

separated by commas. For instance, a service can be defined as having source ports 1024-

65535 and destination ports 80-82, 90-92, and 95. In this case, a TCP or UDP packet with the

destination port being one of 80, 81, 82, 90, 91, 92 or 95, and the source port being in the

range 1024-65535, will match this service.

Schedule

If a schedule should be used for the policy, choose one from the dropdown menu. These

are specified on the

Schedules

page. If the policy should always be active, choose Always

from the dropdown menu.

Intrusion Detection / Prevention

The DFL-200 Intrusion Detection/Prevention System (IDS/IDP) is a real-time intrusion

detection and prevention sensor that identifies and takes action against a wide variety of

suspicious network activity. The IDS uses intrusion signatures, stored in the attack database,

to identify the most common attacks. In response to an attack, the IDS will protect the

networks behind the DFL-200 by dropping the traffic. To notify responsible parties of the

malicious attack, the IDS will send e-mails to the system administrators if e-mail alerting is

enabled and configured. D-Link updates the attack database periodically. There are two

modes that can be configured, either

Inspection Only

or

Prevention

. Inspection Only will

Section	Page
Features and Benefits	6
Introduction to Firewalls	6
Introduction to Local Area Networking	7
LEDs	8
Physical Connections	8
Package Contents	9
System Requirements	9
Managing D-Link DFL-200	10
Resetting the DFL-200	10
Administration Settings	11
Administrative Access	11
Add ping access to an interface	12
Add Admin access to an interface	12
Add Read-only access to an interface	13
Enable SNMP access to an interface	13
System	14
Interfaces	14
Change IP of the LAN or DMZ interface	14
WAN Interface Settings – Using Static IP	15
WAN Interface Settings – Using DHCP	15
WAN Interface Settings – Using PPPoE	16
WAN Interface Settings – Using PPTP	17
WAN Interface Settings – Using L2TP	18
WAN Interface Settings – Using BigPond	19
MTU Configuration	19
Routing	20
Add a new Static Route	21
Remove a Static Route	21
Logging	22
Enable Logging	23
Enable Audit Logging	23
Enable E-mail alerting for IDS/IDP events	23
Time	24
Changing time zone	25
Using NTP to sync time	25
Setting time and date manually	25
Firewall	26
Policy	26
Policy modes	26
Action Types	26
Source and Destination Filter	26
Service Filter	27
Schedule	27
Intrusion Detection / Prevention	27
Add a new policy	28
Change order of policy	29
Delete policy	29
Configure Intrusion Detection	29
Configure Intrusion Prevention	29
Port mapping / Virtual Servers	30
Add a new mapping	30
	30
Delete mapping	31
Administrative users	32
Change Administrative User Password	32
	32
	32
Users	33
The DFL-200 RADIUS Support	33
Enable User Authentication via HTTP / HTTPS	34
Enable RADIUS Support	34
Add User	35
Change User Password	35
Delete User	36
	36
Schedules	37
Add new recurring schedule	37
Add new one-time schedule	38
Services	39
Adding TCP, UDP or TCP/UDP Service	39
Adding IP Protocol	40
Grouping Services	40
Protocol-independent settings	41
VPN	42
Introduction to IPSec	42
	42
Introduction to PPTP	42
	43
Introduction to L2TP	43
Point-to-Point Protocol	43
Authentication Protocols	44
MPPE, Microsoft Point-To-Point Encryption	44
	44
L2TP/PPTP Clients	45
L2TP/PPTP Servers	46
IPSec VPN between two networks	47
Creating a LAN-to-LAN IPSec VPN Tunnel	47
VPN between client and an internal network	48
	48
Creating a Roaming Users IPSec Tunnel	48
	48
Adding an L2TP/PPTP VPN Client	49
	49
Adding an L2TP/PPTP VPN Server	49
VPN – Advanced Settings	50
Limit MTU	50
IKE Mode	50
IKE DH Group	50
PFS – Perfect Forward Secrecy	50
NAT Traversal	50
Keepalives	50
Proposal Lists	51
IKE Proposal List	51
IPSec Proposal List	51
Certificates	52
Trusting Certificates	52
Local identities	52
Certificates of remote peers	52
Certificate Authorities	53
Identities	53
Content Filtering	54
Edit the URL Global Whitelist	54
Edit the URL Global Blacklist	55
Active content handling	55
Servers	56
DHCP Server Settings	56
Enable DHCP Server	57
Enable DHCP Relay	57
Disable DHCP Server/Relay	57
DNS Relay Settings	58
Enable DNS Relayer	58
Disable DNS Relayer	58
Tools	59
Ping	59
Ping Example	59
Dynamic DNS	60
Add Dynamic DNS Settings	60
Backup	61
Exporting the DFL-200’s Configuration	61
Restoring the DFL-200’s Configuration	61
Restart/Reset	62
Restoring system settings to factory defaults	63
Upgrade	64
Upgrade Firmware	64
Upgrade IDS Signature-database	64
Status	65
System	65
Interfaces	66
VPN	67
Connections	68
DHCP Server	69
How to read the logs	70
	70
USAGE events	70
	70
DROP events	70
CONN events	71
Step by Step Guides	72
LAN-to-LAN VPN using IPSec	73
Settings for Main office	75
LAN-to-LAN VPN using PPTP	77
Settings for Main office	79
LAN-to-LAN VPN using L2TP	83
Settings for Branch office	83
Settings for Main office	86
A more secure LAN-to-LAN VPN solution	90
Settings for Branch office	90
Settings for Main office	93
	93
Windows XP client and PPTP server	94
Settings for the Windows XP client	94
Settings for Main office	101
Windows XP client and L2TP server	104
Settings for the Windows XP client	104
Settings for Main office	106
Intrusion Detection and Prevention	108
Appendixes	111
Appendix A: ICMP Types and Codes	111
Appendix B: Common IP Protocol Numbers	113
Appendix C: Multiple Public IP addresses	114
Appendix D: HTTP Content Filtering	122
Warranty	129
Copyright Statement: No part of this publication or documentation accompanying this Product may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from D-Link Corporation/D-Link Systems, Inc., as stipulated by the United States Copyright Act of 1976. Contents are subject to change without prior notice. Copyright© 2005 by D-Link Corporation/D-Link Systems, Inc. All rights reserved.	131

D-Link DFL-200 Product Manual - Page 27

Service Filter, Schedule, Intrusion Detection / Prevention, Source Users/Groups - port

Page 27 highlights