D-Link DFL-210-AV-12 User Manual - Page 10

List of Figures

1.1. Packet Flow Schematic Part I

...........................................................................

23

1.2. Packet Flow Schematic Part II

..........................................................................

24

1.3. Packet Flow Schematic Part III

.........................................................................

25

1.4. Expanded

Apply Rules

Logic

............................................................................

26

3.1. VLAN Connections

......................................................................................

103

3.2. An ARP Publish Ethernet Frame

.....................................................................

116

3.3. Simplified NetDefendOS Traffic Flow

.............................................................

123

4.1. A Typical Routing Scenario

...........................................................................

149

4.2. Using

Local IP Address

with an Unbound Network

............................................

151

4.3. A Route Failover Scenario for ISP Access

.........................................................

157

4.4. A Proxy ARP Example

..................................................................................

163

4.5. The RLB Round Robin Algorithm

...................................................................

171

4.6. The RLB Spillover Algorithm

.........................................................................

172

4.7. A Route Load Balancing Scenario

...................................................................

174

4.8. A Simple OSPF Scenario

...............................................................................

177

4.9. OSPF Providing Route Redundancy

.................................................................

178

4.10. Virtual Links Connecting Areas

....................................................................

182

4.11. Virtual Links with Partitioned Backbone

.........................................................

183

4.12. NetDefendOS OSPF Objects

........................................................................

184

4.13. Dynamic Routing Rule Objects

.....................................................................

191

4.14. Multicast Forwarding - No Address Translation

................................................

201

4.15. Multicast Forwarding - Address Translation

....................................................

203

4.16. Multicast Snoop Mode

.................................................................................

205

4.17. Multicast Proxy Mode

.................................................................................

205

4.18. Non-transparent Mode Internet Access

...........................................................

217

4.19. Transparent Mode Internet Access

.................................................................

217

4.20. Transparent Mode Scenario 1

........................................................................

219

4.21. Transparent Mode Scenario 2

........................................................................

220

4.22. An Example BPDU Relaying Scenario

...........................................................

223

5.1. DHCP Server Objects

...................................................................................

232

6.1. Deploying an ALG

.......................................................................................

245

6.2. HTTP ALG Processing Order

.........................................................................

248

6.3. FTP ALG Hybrid Mode

.................................................................................

250

6.4. SMTP ALG Processing Order

.........................................................................

261

6.5. Anti-Spam Filtering

......................................................................................

263

6.6. PPTP ALG Usage

........................................................................................

269

6.7. TLS Termination

..........................................................................................

295

6.8. Dynamic Content Filtering Flow

.....................................................................

301

6.9. IDP Database Updating

.................................................................................

321

6.10. IDP Signature Selection

...............................................................................

323

7.1. NAT IP Address Translation

..........................................................................

341

7.2. A NAT Example

..........................................................................................

343

7.3. Anonymizing with NAT

................................................................................

345

7.4. The Role of the DMZ

....................................................................................

350

8.1. Normal LDAP Authentication

........................................................................

371

8.2. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2

..................................

372

9.1. The AH protocol

..........................................................................................

405

9.2. The ESP protocol

.........................................................................................

405

9.3. PPTP Client Usage

.......................................................................................

439

9.4. Certificate Validation Components

..................................................................

441

10.1. Pipe Rules Determine Pipe Usage

..................................................................

453

10.2.

FwdFast

Rules Bypass Traffic Shaping

...........................................................

454

10.3. Differentiated Limits Using Chains

................................................................

457

10.4. The Eight Pipe Precedences

..........................................................................

458

10.5. Minimum and Maximum Pipe Precedence

.......................................................

460

10.6. Traffic Grouped By IP Address

.....................................................................

464

10.7. A Basic Traffic Shaping Scenario

..................................................................

467

10.8. IDP Traffic Shaping P2P Scenario

.................................................................

474

10

D-Link DFL-210-AV-12 User Manual - Page 10

List of s, 2. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 - 123

Page 10 highlights

Section	Page
User Manual	3
Table of Contents	4
Preface	14
Chapter 1. NetDefendOS Overview	16
1.1. Features	16
1.2. NetDefendOS Architecture	19
1.2.1. State-based Architecture	19
1.2.2. NetDefendOS Building Blocks	19
1.2.3. Basic Packet Flow	20
1.3. NetDefendOS State Engine Packet Flow	23
Chapter 2. Management and Maintenance	28
2.1. Managing NetDefendOS	28
2.1.1. Overview	28
2.1.2. The Default Administrator Account	29
2.1.3. The Web Interface	30
2.1.4. The CLI	34
2.1.5. CLI Scripts	43
2.1.6. Secure Copy	46
2.1.7. The Console Boot Menu	48
2.1.8. Management Advanced Settings	50
2.1.9. Working with Configurations	51
2.2. Events and Logging	57
2.2.1. Overview	57
2.2.2. Log Messages	57
2.2.3. Creating Log Receivers	58
2.2.4. Logging to MemoryLogReceiver	58
2.2.5. Logging to Syslog Hosts	58
2.2.6. SNMP Traps	60
2.2.7. Advanced Log Settings	61
2.3. RADIUS Accounting	62
2.3.1. Overview	62
2.3.2. RADIUS Accounting Messages	62
2.3.3. Interim Accounting Messages	64
2.3.4. Activating RADIUS Accounting	64
2.3.5. RADIUS Accounting Security	64
2.3.6. RADIUS Accounting and High Availability	64
2.3.7. Handling Unresponsive Servers	65
2.3.8. Accounting and System Shutdowns	65
2.3.9. Limitations with NAT	65
2.3.10. RADIUS Advanced Settings	65
2.4. Hardware Monitoring	67
2.5. SNMP Monitoring	69
2.5.1. SNMP Advanced Settings	70
2.6. The pcapdump Command	72
2.7. Maintenance	75
2.7.1. Auto-Update Mechanism	75
2.7.2. Backing Up Configurations	75
2.7.3. Restore to Factory Defaults	77
Chapter 3. Fundamentals	80
3.1. The Address Book	80
3.1.1. Overview	80
3.1.2. IP Addresses	80
3.1.3. Ethernet Addresses	82
3.1.4. Address Groups	83
3.1.5. Auto-Generated Address Objects	84
3.1.6. Address Book Folders	84
3.2. Services	85
3.2.1. Overview	85
3.2.2. Creating Custom Services	86
3.2.3. ICMP Services	89
3.2.4. Custom IP Protocol Services	91
3.2.5. Service Groups	91
3.2.6. Custom Service Timeouts	92
3.3. Interfaces	93
3.3.1. Overview	93
3.3.2. Ethernet Interfaces	95
3.3.2.1. Useful CLI Commands for Ethernet Interfaces	99
3.3.3. VLAN	101
3.3.4. PPPoE	105
3.3.5. GRE Tunnels	107
3.3.6. Interface Groups	111
3.4. ARP	112
3.4.1. Overview	112
3.4.2. The NetDefendOS ARP Cache	112
3.4.3. Creating ARP Objects	114
3.4.4. Using ARP Advanced Settings	116
3.4.5. ARP Advanced Settings Summary	117
3.5. IP Rule Sets	121
3.5.1. Security Policies	121
3.5.2. IP Rule Evaluation	124
3.5.3. IP Rule Actions	125
3.5.4. Editing IP rule set Entries	126
3.5.5. IP Rule Set Folders	126
3.5.6. Configuration Object Groups	127
3.6. Schedules	131
3.7. Certificates	133
3.7.1. Overview	133
3.7.2. Certificates in NetDefendOS	134
3.7.3. CA Certificate Requests	135
3.8. Date and Time	137
3.8.1. Overview	137
3.8.2. Setting Date and Time	137
3.8.3. Time Servers	138
3.8.4. Settings Summary for Date and Time	141
3.9. DNS	144
Chapter 4. Routing	147
4.1. Overview	147
4.2. Static Routing	148
4.2.1. The Principles of Routing	148
4.2.2. Static Routing	152
4.2.3. Route Failover	156
4.2.4. Host Monitoring for Route Failover	159
4.2.5. Advanced Settings for Route Failover	161
4.2.6. Proxy ARP	162
4.3. Policy-based Routing	165
4.3.1. Overview	165
4.3.2. Policy-based Routing Tables	165
4.3.3. Policy-based Routing Rules	165
4.3.4. Routing Table Selection	166
4.3.5. The Ordering parameter	166
4.4. Route Load Balancing	170
4.5. OSPF	176
4.5.1. Dynamic Routing	176
4.5.2. OSPF Concepts	179
4.5.3. OSPF Components	184
4.5.3.1. OSPF Router Process	184
4.5.3.2. OSPF Area	186
4.5.3.3. OSPF Interface	187
4.5.3.4. OSPF Neighbors	189
4.5.3.5. OSPF Aggregates	189
4.5.3.6. OSPF VLinks	189
4.5.4. Dynamic Routing Rules	190
4.5.4.1. Overview	190
4.5.4.2. Dynamic Routing Rule	191
4.5.4.3. OSPF Action	192
4.5.4.4. Routing Action	192
4.5.5. Setting Up OSPF	193
4.5.6. An OSPF Example	196
4.6. Multicast Routing	199
4.6.1. Overview	199
4.6.2. Multicast Forwarding with SAT Multiplex Rules	200
4.6.2.1. Multicast Forwarding - No Address Translation	200
4.6.2.2. Multicast Forwarding - Address Translation Scenario	202
4.6.3. IGMP Configuration	204
4.6.3.1. IGMP Rules Configuration - No Address Translation	205
4.6.3.2. IGMP Rules Configuration - Address Translation	207
4.6.4. Advanced IGMP Settings	209
4.7. Transparent Mode	212
4.7.1. Overview	212
4.7.2. Enabling Internet Access	217
4.7.3. Transparent Mode Scenarios	218
4.7.4. Spanning Tree BPDU Support	222
4.7.5. Advanced Settings for Transparent Mode	223
Chapter 5. DHCP Services	228
5.1. Overview	228
5.2. DHCP Servers	229
5.2.1. Static DHCP Hosts	232
5.2.2. Custom Options	233
5.3. DHCP Relaying	235
5.3.1. DHCP Relay Advanced Settings	236
5.4. IP Pools	238
Chapter 6. Security Mechanisms	242
6.1. Access Rules	242
6.1.1. Overview	242
6.1.2. IP Spoofing	243
6.1.3. Access Rule Settings	243
6.2. ALGs	245
6.2.1. Overview	245
6.2.2. The HTTP ALG	246
6.2.3. The FTP ALG	249
6.2.4. The TFTP ALG	258
6.2.5. The SMTP ALG	259
6.2.5.1. Anti-Spam Filtering	262
6.2.6. The POP3 ALG	268
6.2.7. The PPTP ALG	269
6.2.8. The SIP ALG	270
6.2.9. The H.323 ALG	280
6.2.10. The TLS ALG	294
6.3. Web Content Filtering	297
6.3.1. Overview	297
6.3.2. Active Content Handling	297
6.3.3. Static Content Filtering	298
6.3.4. Dynamic Web Content Filtering	300
6.3.4.1. Overview	300
6.3.4.2. Setting Up WCF	301
6.3.4.3. Content Filtering Categories	305
6.3.4.4. Customizing HTML Pages	312
6.4. Anti-Virus Scanning	314
6.4.1. Overview	314
6.4.2. Implementation	314
6.4.3. Activating Anti-Virus Scanning	315
6.4.4. The Signature Database	316
6.4.5. Subscribing to the D-Link Anti-Virus Service	316
6.4.6. Anti-Virus Options	316
6.5. Intrusion Detection and Prevention	320
6.5.1. Overview	320
6.5.2. IDP Availability for D-Link Models	320
6.5.3. IDP Rules	322
6.5.4. Insertion/Evasion Attack Prevention	324
6.5.5. IDP Pattern Matching	325
6.5.6. IDP Signature Groups	326
6.5.7. IDP Actions	327
6.5.8. SMTP Log Receiver for IDP Events	328
6.6. Denial-of-Service Attack Prevention	332
6.6.1. Overview	332
6.6.2. DoS Attack Mechanisms	332
6.6.3. Ping of Death and Jolt Attacks	332
6.6.4. Fragmentation overlap attacks: Teardrop, Bonk, Boink and Nestea	333
6.6.5. The Land and LaTierra attacks	333
6.6.6. The WinNuke attack	333
6.6.7. Amplification attacks: Smurf, Papasmurf, Fraggle	334
6.6.8. TCP SYN Flood Attacks	335
6.6.9. The Jolt2 Attack	335
6.6.10. Distributed DoS Attacks	335
6.7. Blacklisting Hosts and Networks	337
Chapter 7. Address Translation	340
7.1. Overview	340
7.2. NAT	341
7.3. NAT Pools	346
7.4. SAT	349
7.4.1. Translation of a Single IP Address (1:1)	349
7.4.2. Translation of Multiple IP Addresses (M:N)	354
7.4.3. All-to-One Mappings (N:1)	356
7.4.4. Port Translation	356
7.4.5. Protocols Handled by SAT	357
7.4.6. Multiple SAT Rule Matches	357
7.4.7. SAT and FwdFast Rules	358
Chapter 8. User Authentication	361
8.1. Overview	361
8.2. Authentication Setup	363
8.2.1. Setup Summary	363
8.2.2. The Local Database	363
8.2.3. External RADIUS Servers	365
8.2.4. External LDAP Servers	365
8.2.5. Authentication Rules	372
8.2.6. Authentication Processing	374
8.2.7. A Group Usage Example	375
8.2.8. HTTP Authentication	375
8.3. Customizing HTML Pages	379
Chapter 9. VPN	383
9.1. Overview	383
9.1.1. VPN Usage	383
9.1.2. VPN Encryption	384
9.1.3. VPN Planning	384
9.1.4. Key Distribution	385
9.1.5. The TLS Alternative for VPN	385
9.2. VPN Quick Start	387
9.2.1. IPsec LAN to LAN with Pre-shared Keys	388
9.2.2. IPsec LAN to LAN with Certificates	389
9.2.3. IPsec Roaming Clients with Pre-shared Keys	390
9.2.4. IPsec Roaming Clients with Certificates	392
9.2.5. L2TP Roaming Clients with Pre-Shared Keys	393
9.2.6. L2TP Roaming Clients with Certificates	394
9.2.7. PPTP Roaming Clients	395
9.3. IPsec Components	397
9.3.1. Overview	397
9.3.2. Internet Key Exchange (IKE)	397
9.3.3. IKE Authentication	403
9.3.4. IPsec Protocols (ESP/AH)	404
9.3.5. NAT Traversal	405
9.3.6. Algorithm Proposal Lists	407
9.3.7. Pre-shared Keys	408
9.3.8. Identification Lists	409
9.4. IPsec Tunnels	412
9.4.1. Overview	412
9.4.2. LAN to LAN Tunnels with Pre-shared Keys	414
9.4.3. Roaming Clients	414
9.4.4. Fetching CRLs from an alternate LDAP server	419
9.4.5. Troubleshooting with ikesnoop	420
9.4.6. IPsec Advanced Settings	427
9.5. PPTP/L2TP	431
9.5.1. PPTP Servers	431
9.5.2. L2TP Servers	432
9.5.3. L2TP/PPTP Server advanced settings	436
9.5.4. PPTP/L2TP Clients	437
9.6. CA Server Access	440
9.7. VPN Troubleshooting	443
9.7.1. General Troubleshooting	443
9.7.2. Troubleshooting Certificates	443
9.7.3. IPsec Troubleshooting Commands	444
9.7.4. Management Interface Failure with VPN	445
9.7.5. Specific Error Messages	445
9.7.6. Specific Symptoms	448
Chapter 10. Traffic Management	451
10.1. Traffic Shaping	451
10.1.1. Overview	451
10.1.2. Traffic Shaping in NetDefendOS	452
10.1.3. Simple Bandwidth Limiting	454
10.1.4. Limiting Bandwidth in Both Directions	455
10.1.5. Creating Differentiated Limits Using Chains	456
10.1.6. Precedences	457
10.1.7. Pipe Groups	462
10.1.8. Traffic Shaping Recommendations	465
10.1.9. A Summary of Traffic Shaping	466
10.1.10. More Pipe Examples	467
10.2. IDP Traffic Shaping	472
10.2.1. Overview	472
10.2.2. Setting Up IDP Traffic Shaping	472
10.2.3. Processing Flow	473
10.2.4. The Importance of Specifying a Network	473
10.2.5. A P2P Scenario	474
10.2.6. Viewing Traffic Shaping Objects	475
10.2.7. Guaranteeing Instead of Limiting Bandwidth	476
10.2.8. Logging	476
10.3. Threshold Rules	477
10.3.1. Overview	477
10.3.2. Limiting the Connection Rate/Total Connections	477
10.3.3. Grouping	478
10.3.4. Rule Actions	478
10.3.5. Multiple Triggered Actions	478
10.3.6. Exempted Connections	478
10.3.7. Threshold Rules and ZoneDefense	478
10.3.8. Threshold Rule Blacklisting	478
10.4. Server Load Balancing	480
10.4.1. Overview	480
10.4.2. SLB Distribution Algorithms	481
10.4.3. Selecting Stickiness	482
10.4.4. SLB Algorithms and Stickiness	483
10.4.5. Server Health Monitoring	484
10.4.6. Setting Up SLB_SAT Rules	485
Chapter 11. High Availability	489
11.1. Overview	489
11.2. HA Mechanisms	491
11.3. Setting Up HA	494
11.3.1. HA Hardware Setup	494
11.3.2. NetDefendOS Manual HA Setup	495
11.3.3. Verifying the Cluster Functions	496
11.3.4. Unique Shared Mac Addresses	497
11.4. HA Issues	498
11.5. Upgrading an HA Cluster	500
11.6. HA Advanced Settings	502
Chapter 12. ZoneDefense	504
12.1. Overview	504
12.2. ZoneDefense Switches	505
12.3. ZoneDefense Operation	506
12.3.1. SNMP	506
12.3.2. Threshold Rules	506
12.3.3. Manual Blocking and Exclude Lists	506
12.3.4. ZoneDefense with Anti-Virus Scanning	508
12.3.5. Limitations	508
Chapter 13. Advanced Settings	511
13.1. IP Level Settings	511
13.2. TCP Level Settings	515
13.3. ICMP Level Settings	520
13.4. State Settings	521
13.5. Connection Timeout Settings	523
13.6. Length Limit Settings	525
13.7. Fragmentation Settings	527
13.8. Local Fragment Reassembly Settings	531
13.9. Miscellaneous Settings	532
Appendix A. Subscribing to Updates	534
Appendix B. IDP Signature Groups	536
Appendix C. Verified MIME filetypes	540
Appendix D. The OSI Framework	544