D-Link DFL-210 Product Manual

D-Link DFL-210 - NetDefend - Security Appliance Manual

D-Link DFL-210 manual content summary:

  • D-Link DFL-210 | Product Manual - Page 1
Network Security Firewall User Manual DFL-210/800/1600/2500 DFL-260/860/1660/2560(G) Ver 2.27.01 Security Network Security Solution http://www.dlink.com
  • D-Link DFL-210 | Product Manual - Page 2
    User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2010-06-22 Copyright © 2010
  • D-Link DFL-210 | Product Manual - Page 3
    User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for a particular purpose. D-Link reserves the right to revise this publication and
  • D-Link DFL-210 | Product Manual - Page 4
    Up Configurations 73 2.7.3. Restore to Factory Defaults 74 3. Fundamentals 77 3.1. The Address Book 77 3.1.1. Overview 77 3.1.2. IP Addresses 77 3.1.3. Ethernet Addresses 79 3.1.4. Address Groups 80 3.1.5. Auto-Generated Address Objects 81 3.1.6. Address Book Folders 81 3.2. Services 82
  • D-Link DFL-210 | Product Manual - Page 5
    User Manual 3.2.3. ICMP Services 86 3.2.4. Custom IP Protocol Services 88 3.2.5. Service Groups 88 3.2.6. Custom Service Timeouts 89 3.3. Interfaces 90 3.3.1. Overview 90 3.3.2. Ethernet Interfaces 92 3.3.3. VLAN 97 3.3.4. PPPoE 101 3.3.5. GRE Tunnels 103 3.3.6. Interface Groups 107 3.4.
  • D-Link DFL-210 | Product Manual - Page 6
    User Manual 4.7. Transparent Mode 207 4.7.1. Overview 207 4.7.2. Enabling Internet Access 211 4.7.3. Transparent Mode Scenarios 213 4.7.4. Spanning Tree BPDU Support 217 4.7.5. Advanced Settings for Transparent Mode 218 5. DHCP Services 223 5.1. Overview 223 5.2. DHCP Servers 224 5.2.1.
  • D-Link DFL-210 | Product Manual - Page 7
    LDAP server 413 9.4.5. Troubleshooting with ikesnoop 414 9.4.6. IPsec Advanced Settings 421 9.5. PPTP/L2TP 425 9.5.1. PPTP Servers 425 9.5.2. L2TP Servers 426 9.5.3. L2TP/PPTP Server advanced settings 430 9.5.4. PPTP/L2TP Clients 431 9.6. CA Server Access 434 9.7. VPN Troubleshooting 437
  • D-Link DFL-210 | Product Manual - Page 8
    User Manual 9.7.2. Troubleshooting Certificates 437 9.7.3. IPsec Troubleshooting Commands 438 9.7.4. Management Interface Failure with VPN 439 9.7.5. Specific Error Messages 439 9.7.6. Specific Symptoms 442 10. Traffic Management 444 10.1. Traffic Shaping 444 10.1.1. Overview 444 10.1.2.
  • D-Link DFL-210 | Product Manual - Page 9
    User Manual 13.1. IP Level Settings 504 13.2. TCP Level Settings 508 13.3. ICMP Level Settings 513 13.4. State Settings 514 13.5. Connection Timeout Settings 516 13.6. Length Limit
  • D-Link DFL-210 | Product Manual - Page 10
    Limits Using Chains 450 10.4. The Eight Pipe Precedences 451 10.5. Minimum and Maximum Pipe Precedence 453 10.6. Traffic Grouped By IP Address 457 10.7. A Basic Traffic Shaping Scenario 460 10.8. IDP Traffic Shaping P2P Scenario 467 10.9. A Server Load Balancing Configuration 473 10
  • D-Link DFL-210 | Product Manual - Page 11
    User Manual 10.10. Connections from Three Clients 476 10.11. Stickiness and Round-Robin 477 10.12. Stickiness and Connection-rate 477 D.1. The 7 Layers of the OSI Model 537 11
  • D-Link DFL-210 | Product Manual - Page 12
    2.16. Complete Hardware Reset to Factory Defaults 74 3.1. Adding an IP Host 78 3.2. Adding an IP Network 78 3.3. Adding an IP Range 78 3.4. Deleting an Address Object 79 3.5. Adding an Ethernet Address 79 3.6. Listing the Available Services 82 3.7. Viewing a Specific Service 83 3.8. Creating
  • D-Link DFL-210 | Product Manual - Page 13
    Web Server in a DMZ 344 7.4. Enabling Traffic to a Web Server on an Internal Network 346 7.5. Translating Traffic to Multiple Protected Web Servers 348 8.1. Creating an Authentication User Group 371 8.2. User Authentication Setup for Web Access 371 8.3. Configuring a RADIUS Server 372
  • D-Link DFL-210 | Product Manual - Page 14
    audience for this reference guide is Administrators who are responsible for configuring and managing NetDefend Firewalls which are running the NetDefendOS operating system. This guide assumes that the reader has some basic knowledge of networks and network security. Text Structure and Conventions
  • D-Link DFL-210 | Product Manual - Page 15
    care is not exercised. Important This is an essential point that the reader should read and understand. Warning This is essential reading for the user as they should be aware that a serious situation may result if certain actions are taken or not taken. Trademarks Certain names in this publication
  • D-Link DFL-210 | Product Manual - Page 16
    network/interface, protocol, ports, user credentials, time-of-day and more. Section 3.5, "IP Rule Sets", describes how to set up these policies to determine what traffic is allowed or rejected by NetDefendOS. For functionality as well as security reasons, NetDefendOS supports policy-based address
  • D-Link DFL-210 | Product Manual - Page 17
    Filtering Traffic Management Chapter 1. NetDefendOS Overview NetDefendOS supports a range of Virtual Private Network (VPN) solutions. NetDefendOS supports IPsec, L2TP and PPTP based VPNs concurrently, can act as either server or client for all of the VPN types, and can provide individual security
  • D-Link DFL-210 | Product Manual - Page 18
    using the ZoneDefense feature. This allows NetDefendOS to isolate portions of a network that contain hosts that are the source of undesirable network traffic. Note NetDefendOS ZoneDefense is only available on certain D-Link NetDefend product models. NetDefendOS Documentation Reading through
  • D-Link DFL-210 | Product Manual - Page 19
    which network traffic enters or leaves the NetDefend Firewall. Without interfaces, a NetDefendOS system has no means for receiving or sending traffic. The following types of interface are supported in NetDefendOS: • Physical interfaces - These correspond to the actual physical Ethernet ports. • Sub
  • D-Link DFL-210 | Product Manual - Page 20
    sets are used for actually implementing NetDefendOS security policies. The most fundamental set of rules are the IP Rules, which are used to define the layer 3 IP filtering policy as well as carrying out address translation and server load balancing. The Traffic Shaping Rules define the policy for
  • D-Link DFL-210 | Product Manual - Page 21
    Source and destination network • IP protocol (for example TCP, UDP, ICMP) • TCP/UDP ports • ICMP types as address translation and server load balancing. The basic concept of dropping and allowing traffic is the traffic. • If the contents of the packet is encapsulated (such as with IPsec, PPTP/L2TP or
  • D-Link DFL-210 | Product Manual - Page 22
    1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview processing such as encryption or encapsulation might occur. The next section provides a set of diagrams illustrating the flow of packets through NetDefendOS. 22
  • D-Link DFL-210 | Product Manual - Page 23
    . There are three diagrams, each flowing into the next. It is not necessary to understand these diagrams, however, they can be useful as a reference when configuring NetDefendOS in certain situations. Figure 1.1. Packet Flow Schematic Part I The packet flow is continued on the following page. 23
  • D-Link DFL-210 | Product Manual - Page 24
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Figure 1.2. Packet Flow Schematic Part II The packet flow is continued on the following page. 24
  • D-Link DFL-210 | Product Manual - Page 25
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Figure 1.3. Packet Flow Schematic Part III 25
  • D-Link DFL-210 | Product Manual - Page 26
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Apply Rules The figure below presents the detailed logic of the Apply Rules function in Figure 1.2, "Packet Flow Schematic Part II" above. Figure 1.4. Expanded Apply Rules Logic 26
  • D-Link DFL-210 | Product Manual - Page 27
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 27
  • D-Link DFL-210 | Product Manual - Page 28
    of SCP clients available for nearly all workstation platforms. SCP is a complement to CLI usage and provides a secure means of file transfer between the administrator's workstation and the NetDefend Firewall. Various files used by NetDefendOS can be both uploaded and downloaded with SCP. 28
  • D-Link DFL-210 | Product Manual - Page 29
    for administrative users on a certain network, while at the same time allowing CLI access for a remote administrator connecting through a specific IPsec tunnel. By default, Web Interface access is enabled for users on the network connected via the LAN interface of the D-Link firewall (on products
  • D-Link DFL-210 | Product Manual - Page 30
    allows the administrator to perform remote management from anywhere on a private network or the public Internet using a standard computer without having to install client software. Assignment of a Default IP Address For a new D-Link NetDefend firewall with factory defaults, a default internal IP
  • D-Link DFL-210 | Product Manual - Page 31
    first time, the default username is always admin and the password is admin. After successful login, the WebUI user interface will be presented in the browser window. If no configuration changes have yet been uploaded to the NetDefend Firewall, the NetDefendOS Setup Wizard will start automatically
  • D-Link DFL-210 | Product Manual - Page 32
    of the configuration to your local computer or restore a previously downloaded backup. • Reset - Restart the firewall or reset to factory default. • Upgrade - Upgrade the firewall's firmware. • Technical support - This option provides the option to download a file from the firewall which can
  • D-Link DFL-210 | Product Manual - Page 33
    bar. Tip: Correctly routing management traffic If there is a problem with the management interface when communicating alongside VPN tunnels, check the main routing table and look for an all-nets route to the VPN tunnel. Management traffic may be using this route. If no specific route is set up for
  • D-Link DFL-210 | Product Manual - Page 34
    separate D-Link CLI Reference Guide. The most often used CLI commands are: • add - Adds an object such as an IP address or a rule to a NetDefendOS configuration. • many versions of Microsoft Windows™, the up and down arrow keys allow the user to move through the list of commands in the CLI command
  • D-Link DFL-210 | Product Manual - Page 35
    example Address=example_ip LogSeverity=< (tab) Will fill in the default value for LogSeverity: add LogReceiverSyslog example Address=example_ip object types for that category is displayed. Using categories means that the user has a simple way to specify what kind of object they are trying
  • D-Link DFL-210 | Product Manual - Page 36
    route: gw-world:/main> add Route Name=new_route1 Interface=lan Network=lannet To deselect the category, the command is cc . For example, if three servers server1, server2, server3 need to the IP rule set have an ordering which is important. When adding using the CLI add command, the default is
  • D-Link DFL-210 | Product Manual - Page 37
    PPTP tunnels. • The Host for LDAP servers. When DNS lookup needs to be done, at least one public DNS server must be configured in NetDefendOS for hostnames to be translated to IP addresses. Serial Console CLI Access The serial console port is a local RS-232 port on the NetDefend Firewall that allows
  • D-Link DFL-210 | Product Manual - Page 38
    message has been set then it will be displayed directly after the logon. For security reasons, it is advisable to either disable or anonymize the CLI welcome message. Changing the admin User Password It is recommended to change the default password of the admin account from admin to something 38
  • D-Link DFL-210 | Product Manual - Page 39
    passwords related to user accounts. The console password is described in Section 2.1.7, "The Console Boot Menu". Changing the CLI Prompt The default CLI prompt is: gw-world:/> where Device is the model number of the NetDefend Firewall are made to the current configuration through the CLI, those
  • D-Link DFL-210 | Product Manual - Page 40
    configuration about to be activated and list any problems. A possible problem that might be found in this way is a reference to an IP object in the address book that does not exist in a restored configuration has been enabled for the NetDefend Firewall. Managing Management Sessions with
  • D-Link DFL-210 | Product Manual - Page 41
    syntax of the command is described in the CLI Reference Guide and specific examples of usage are detailed in the following sections. See also Section 2.1.4, "The CLI" in this manual. Only Four Commands are Allowed in Scripts The commands allowed in a script file are limited to four and these are
  • D-Link DFL-210 | Product Manual - Page 42
    previously uploaded to the NetDefend Firewall. For example, Address=126.12.11.01 Comments="If1 address" Script Validation and Command Ordering CLI scripts are not, by default, validated. This means that the written ordering of the script does not matter. There can be a reference to a configuration
  • D-Link DFL-210 | Product Manual - Page 43
    CLI script file encounters an error condition, the default behavior is for the script to terminate. Saving Scripts When a script file is uploaded to the NetDefend Firewall, it is initially kept only in temporary RAM memory of a specific uploaded script file, for example my_script.sgs the command would
  • D-Link DFL-210 | Product Manual - Page 44
    configured that need to be copied, then running the script -create command on that installation provides a way to automatically create the required script file. This script file can then be downloaded to the local management workstation and then uploaded to and executed on other NetDefend Firewalls
  • D-Link DFL-210 | Product Manual - Page 45
    -execute -name my_script2.sgs " " NetDefendOS allows the script file my_script2.sgs to execute another script file and so on. The maximum depth of this script nesting is 5. 2.1.6. Secure Copy To upload and download files to or from the NetDefend Firewall, the secure copy (SCP) protocol can be used
  • D-Link DFL-210 | Product Manual - Page 46
a header). If an administrator username is admin1 and the IP address of the NetDefend Firewall is 10.5.62.11 then to upload a configuration backup, the SCP command would be: > scp config.bak admin1@10.5.62.11: To download a configuration backup to the current local directory, the command would be
  • D-Link DFL-210 | Product Manual - Page 47
NetDefend Firewall then the download command would be: > scp admin1@10.5.62.11:script/my_script.sgs ./ Activating Uploads Like all configuration Initial Boot Menu Options without a Password Set When NetDefendOS is started for the first time with no console password set for console access then
  • D-Link DFL-210 | Product Manual - Page 48
    on the NetDefend Firewall. 2. Reset unit to factory defaults This option will restore the hardware to its initial factory state. The operations performed if this option is selected are the following: • Remove console security so there is no console password. • Restore default NetDefendOS executables
  • D-Link DFL-210 | Product Manual - Page 49
    Enable SSH traffic to the firewall regardless of configured IP Rules. Default: Enabled WebUI Before Rules Enable HTTP(S) traffic to the firewall regardless of configured IP Rules. Default: Enabled Local Console Timeout Number of seconds of inactivity until the local console user is automatically
  • D-Link DFL-210 | Product Manual - Page 50
    the structure used in the Web Interface to allow quick access to the configuration objects in the CLI. The IP4Address, IP4Group and EthernetAddress types are, for instance, grouped in a category named Address, as they all represent different addresses. Consequently, Ethernet and VLAN objects are all
  • D-Link DFL-210 | Product Manual - Page 51
    of NetDefendOS, you will most likely need to modify one or several configuration objects. This example shows how to edit the Comments property of the telnet service. Command-Line Interface gw-world:/> set Service ServiceTCPUDP telnet Comments="Modified Comment" Show the object again to verify the
  • D-Link DFL-210 | Product Manual - Page 52
    4. In the Name text box, enter myhost 5. Enter 192.168.10.10 in the IP Address textbox 6. Click OK 7. Verify that the new IP4 address object has been added to the list Example 2.7. Deleting a Configuration Object This example shows how to delete the newly added IP4Address object. Command-Line
  • D-Link DFL-210 | Product Manual - Page 53
    and NetDefendOS will attempt to initialize affected subsystems with the new configuration data. Important: Committing IPsec Changes The administrator should be aware that if any changes that affect the configurations of live IPsec tunnels are committed, then those live tunnels connections will be
  • D-Link DFL-210 | Product Manual - Page 54
    Chapter 2. Management and Maintenance default) during which a connection to the administrator must be re-established. As described previously, if the configuration was activated via the CLI with the activate command then a commit command must be issued within that period. If a lost connection
  • D-Link DFL-210 | Product Manual - Page 55
    traffic according to filtering policies. Whenever an event message is generated, it can be filtered and distributed to all configured Event Receivers. Multiple event receivers can be configured server. A list of all event messages can be found in the NetDefendOS Log Reference Guide. That guide also
  • D-Link DFL-210 | Product Manual - Page 56
    Chapter 2. Management and Maintenance By default, NetDefendOS sends all messages of level Info and above to configured log servers. The Debug category is intended for troubleshooting only and should only be turned on if required when trying to solve a problem. All log messages of all severity
  • D-Link DFL-210 | Product Manual - Page 57
    syslog receiver works. Syslog daemons on UNIX servers usually log to text files, line by line. Message Format Most Syslog recipients preface each log entry with a timestamp and the IP address of the machine that sent the log data: Feb 5 2000 09:45:23 firewall.ourcompany.com This is followed by the
  • D-Link DFL-210 | Product Manual - Page 58
    step further by allowing any event network. The file DFLNNN-TRAP.MIB (where NNN indicates the model number of the firewall) is provided by D-Link NetDefend Firewall. Make sure that the correct file is used. For each NetDefend Firewall the problem • Reference Guide. Note with an IP address of 195.
  • D-Link DFL-210 | Product Manual - Page 59
    for example my_snmp 3. Enter 195.11.22.55 as the IP Address 4. Enter an SNMP Community String if needed by the trap receiver sends a log message to a server whose log receiver is not active. The server will send back an ICMP bandwidth is consumed unnecessarily. Default: 3600 (once per hour
  • D-Link DFL-210 | Product Manual - Page 60
    Name - The user name of the authenticated user. • NAS IP Address - The IP address of the NetDefend Firewall. • NAS Port - The port of the NAS on which the user was authenticated (this is a physical port and not a TCP or UDP port). • User IP Address - The IP address of the authenticated user. This is
  • D-Link DFL-210 | Product Manual - Page 61
    IP Address - The IP address of the NetDefend Firewall. • NAS Port - The port on the NAS on which the user was authenticated. (This is a physical port and not a TCP or UDP port). • User IP Address - The IP address of the authenticated user. This is sent only if specified on the authentication server
  • D-Link DFL-210 | Product Manual - Page 62
    and must be typed exactly the same for NetDefendOS and for the RADIUS server. Messages are sent using the UDP protocol and the default port number used is 1813 although this is user configurable. 2.3.6. RADIUS Accounting and High Availability In an HA cluster, accounting information is synchronized
  • D-Link DFL-210 | Product Manual - Page 63
    user's IP address. Problems can therefore occur with users who have the same IP address. This can happen, for example, when several users are behind the same network using NAT to allow network access through a single external IP address. This means that as soon as one user is authenticated, traffic
  • D-Link DFL-210 | Product Manual - Page 64
number of contexts allowed with RADIUS. This applies to RADIUS use with both accounting and authentication. Default: 1024 Example 2.13. RADIUS Accounting Server Setup This example shows the configuration of a local RADIUS server known as radius-accounting with IP address 123.04.03.01 using port 1813. Web
  • D-Link DFL-210 | Product Manual - Page 65
    firewall. This feature is referred to as Hardware Monitoring. The D-Link NetDefend models that currently support hardware monitoring are the DFL-1600, 1660, 2500, 2560 and 2560G. Configuring monitor values. Minimum value: 100 Maximum value: 10000 Default: 500 Using the hwm CLI Command To get a
  • D-Link DFL-210 | Product Manual - Page 66
    . When the value returned after polling falls outside this range, NetDefendOS optionally generates a log message that is sent to the configured log servers. Note: Different hardware has different sensors and ranges Each hardware model may have a different set of sensors and a different operating
  • D-Link DFL-210 | Product Manual - Page 67
    - The NetDefendOS interface on which SNMP requests will arrive. • Network - The IP address or network from which SNMP requests will come. • Community - The community string which provides password security for the accesses. The Community String Security for SNMP Versions 1 and 2c is handled by the
  • D-Link DFL-210 | Product Manual - Page 68
    VPN tunnel for it.) Command-Line Interface gw-world:/> add RemoteManagement RemoteMgmtSNMP my_snmp Interface=lan Network=mgmt-net SNMPGetCommunity=Mg1RQqR Should it be necessary to enable SNMPBeforeRules (which is enabled by default SNMP traffic to the firewall regardless of configured IP Rules. 68
  • D-Link DFL-210 | Product Manual - Page 69
    excess requests will be ignored by NetDefendOS. Default: 100 System Contact The contact person for the managed node. Default: N/A System Name The name for the managed node. Default: N/A System Location The physical location of the node. Default: N/A Interface Description (SNMP) What to display in
  • D-Link DFL-210 | Product Manual - Page 70
    NetDefend Firewall. For this purpose, NetDefendOS provides the CLI command pcapdump which not only allows command is described in the CLI Reference Guide. A Simple Example An example of pcapdump this point, the file cap_int.cap should be downloaded to the management workstation for analysis. 5. A
  • D-Link DFL-210 | Product Manual - Page 71
    can be specified and can be one of -tcp, -udp or -icmp. Downloading the Output File As shown in one of the examples above, the -write option of pcapdump can save buffered packet information to a file on the NetDefend Firewall. These output files are placed into the NetDefendOS root directory and the
  • D-Link DFL-210 | Product Manual - Page 72
    the packets that are of interest. For example we might want to examine the packets going to a particular destination port at a particular destination IP address. Compatibility with Wireshark The open source tool Wireshark (formerly called Ethereal) is an extremely useful analysis tool for examining
  • D-Link DFL-210 | Product Manual - Page 73
    feature D-Link maintains a global infrastructure of servers providing update services for NetDefend Firewalls. To configuration is to be changed and the NetDefendOS version upgraded. Backup files can be created both by downloading the files directly from the NetDefend Firewall using SCP (Secure
  • D-Link DFL-210 | Product Manual - Page 74
    configuration. Dynamic information such as the DHCP server lease database or Anti-Virus/IDP databases will not be backed up. 2.7.3. Restore to Factory Defaults A restore to factory defaults can be applied so that it is possible to return to the original hardware state that existed when the NetDefend
  • D-Link DFL-210 | Product Manual - Page 75
    860 To reset the NetDefend DFL-210/260/800/860 models, hold down the reset button located at the rear of the unit for 10-15 seconds while powering on the unit. After that, release the reset button and the unit will continue to load and startup with its default factory settings. The IP address 192
  • D-Link DFL-210 | Product Manual - Page 76
    2.7.3. Restore to Factory Defaults Chapter 2. Management and Maintenance 76
  • D-Link DFL-210 | Product Manual - Page 77
    . Depending on how the address is specified, an IP Address object can represent either a single IP address (a specific host), a network or a range of IP addresses. In addition, IP Address objects can be used for specifying the credentials used in user authentication. For more information about
  • D-Link DFL-210 | Product Manual - Page 78
3.1.2. IP Addresses Chapter 3. Fundamentals IP Network IP Range An IP Network is represented using Classless Inter-Domain Routing (CIDR) form. CIDR uses a forward slash and a digit (0-32) to denote the size of the network as a postfix. This is also known as the netmask. /24 corresponds to a class
  • D-Link DFL-210 | Product Manual - Page 79
    been successfully deleted but NetDefendOS will not allow the configuration to be saved to the NetDefend Firewall. 3.1.3. Ethernet Addresses Ethernet Address objects are used to define symbolic names for Ethernet addresses (also known as MAC addresses). This is useful, for example, when populating
  • D-Link DFL-210 | Product Manual - Page 80
not be referenced as a single IP range. Consequently, individual IP Address objects have to be created for each server. Instead of having to cope with the burden of creating and maintaining separate filtering policies allowing traffic to each server, an Address Group named, for example web
  • D-Link DFL-210 | Product Manual - Page 81
    from a DHCP server. If a default gateway address has been provided during the setup phase, the wan_gw object will contain that address. Otherwise, the object will be left empty (in other words, the IP address will be 0.0.0.0/0). The all-nets IP address object is initialized to the IP address
  • D-Link DFL-210 | Product Manual - Page 82
those rules only to a specific type of traffic. For example, an IP rule in a NetDefendOS IP rule set has a service object associated with it as a filtering parameter to decide whether or not to allow a specific type of traffic to traverse the NetDefend Firewall. Inclusion in IP rules is one of the most
  • D-Link DFL-210 | Product Manual - Page 83
Go to Objects > Services 2. Select the specific service object in the table 3. A listing of all services will be presented 3.2.2. Creating Custom Services If the list of predefined NetDefendOS service objects does not meet the requirements for certain traffic then a new service can be created. Reading
  • D-Link DFL-210 | Product Manual - Page 84
    TCP/UDP services. TCP and UDP Based Services Most applications use TCP and/or UDP as transport protocol for transferring data over IP networks. Transmission applications where data delivery speed is of greatest importance, for example with streaming audio and video, the User Datagram Protocol (UDP)
  • D-Link DFL-210 | Product Manual - Page 85
    option only exists for the TCP/IP service type. For more details on how this feature works see Section 6.6.8, "TCP SYN Flood Attacks". • Pass ICMP Errors If an attempt to open a TCP connection is made by a user application behind the NetDefend Firewall and the remote server is not in operation, an
  • D-Link DFL-210 | Product Manual - Page 86
    as necessary to achieve the traffic filtering objective. Using the all_services object may be convenient but removes any security benefits that a more specific service object could provide. The best approach is to narrow the service filter in a security policy so it allows only the protocols that
  • D-Link DFL-210 | Product Manual - Page 87
3.2.4. Custom IP Protocol Services Chapter 3. Fundamentals ICMP messages are delivered in IP packets, and include a Message datagrams for the Type of Service and the network • Code 3: Redirect datagrams for the Type of Service and the host Parameter Problem Identifies an incorrect parameter on
  • D-Link DFL-210 | Product Manual - Page 88
    that uses the group. Suppose that we create a service group called email-services which combines the three services objects for SMTP, POP3 and IMAP. Now only one IP rule needs to be defined that uses this group service to allow all email related traffic to flow. Groups Can Contain Other Groups When
  • D-Link DFL-210 | Product Manual - Page 89
    3. Fundamentals configuration and decrease the ability to troubleshoot problems. 3.2.6. Custom Service Timeouts Any service can have its custom timeouts set. These can also be set globally in NetDefendOS but it is more usual to change these values individually in a custom service. The timeout
  • D-Link DFL-210 | Product Manual - Page 90
    Interfaces Each Ethernet interface represents a physical Ethernet port on a NetDefendOS-based product. All network traffic that originates from or enters a NetDefend Firewall will pass through one of the physical interfaces. NetDefendOS currently supports Ethernet as the only physical interface type
  • D-Link DFL-210 | Product Manual - Page 91
    the core interface. • core indicates that it is NetDefendOS itself that will deal with traffic to and from this interface. Examples of the use of core are when the NetDefend Firewall acts as a PPTP or L2TP server or responds to ICMP "Ping" requests. By specifying the Destination Interface of a route
  • D-Link DFL-210 | Product Manual - Page 92
    reflect their usage. For example, if an interface named dmz is connected to a wireless LAN, it might be convenient to change the interface name to radio. For maintenance and troubleshooting, it is recommended to tag the corresponding physical port with the new name. Note: Interface enumeration The
  • D-Link DFL-210 | Product Manual - Page 93
    . In most of the examples in this guide lan is used for LAN traffic and wan is used for WAN traffic. If your NetDefend Firewall does not have these interfaces, please substitute the references with the name of your chosen interface. • IP Address Each Ethernet interface is required to have an
  • D-Link DFL-210 | Product Manual - Page 94
    set of interface specific advanced settings: i. A preferred IP address can be requested. ii. A preferred lease time can be requested. iii. Static routes can be sent from the DHCP server. iv. Do not allow IP address collisions with static routes. v. Do not allow network collisions with static routes
  • D-Link DFL-210 | Product Manual - Page 95
    of packets in bytes that can be sent on this interface. By default, the interface uses the maximum size supported. • High Availability There are two options which are specific to high availability clusters: 1. A private IP address can be specified for this interface. 2. An additional option is to
  • D-Link DFL-210 | Product Manual - Page 96
    InterfaceAddresses/wan_net InterfaceAddresses/lan_net Server The CLI can be used to set the address of the interface: gw-world:/> set Address IP4Address InterfaceAddresses/wan_ip Address=172.16.5.1 Modified IP4Address InterfaceAddresses/wan_ip. The CLI can be used to enable DHCP on the interface
  • D-Link DFL-210 | Product Manual - Page 97
    means that the number of physical Ethernet ports on a NetDefend Firewall need not limit how many totally separated external networks can be connected. Another typical usage of VLANs is to group together clients in an organisation so that the traffic belonging to different groups is kept completely
  • D-Link DFL-210 | Product Manual - Page 98
a combination of VLAN trunks from the NetDefend Firewall to switches and these switches are configured with port based VLANs on their interfaces. Any physical firewall interface can, at the same time, carry both non-VLAN traffic as well as VLAN trunk traffic for one or multiple VLANs. VLAN Processing
  • D-Link DFL-210 | Product Manual - Page 99
as follows: • One or more VLANs are configured on a physical NetDefend Firewall interface and this is connected directly to a switch. This link acts as a VLAN trunk. The switch used must support port based VLANs. This means that each port on the switch can be configured with the ID of the VLAN or
  • D-Link DFL-210 | Product Manual - Page 100
    interface in that they require both appropriate IP rules and routes to exist in the NetDefendOS configuration for traffic to flow through them. For example, if no IP rule with a particular VLAN interface as the source interface is defined allowing traffic to flow then packets arriving on that
  • D-Link DFL-210 | Product Manual - Page 101
PPPoE to their broadband service. Using PPPoE the ISP can: • Implement security and access-control using username/password authentication • Trace IP addresses to a specific user • Allocate IP addresses automatically for PC users (similar to DHCP). IP address provisioning can be per user group The PPP
  • D-Link DFL-210 | Product Manual - Page 102
traffic through the PPPoE tunnel. The PPPoE client can be configured to use a service name to distinguish between different servers on the same Ethernet network. IP address information PPPoE uses automatic IP address allocation which is similar to DHCP. When NetDefendOS receives this IP address
  • D-Link DFL-210 | Product Manual - Page 103
    : wan • Remote Network: all-nets (as we will route all traffic into the tunnel) • Service Name: Service name provided by the service provider • Username: Username provided by the service provider • Password: Password provided by the service provider • Confirm Password: Retype the password • Under
  • D-Link DFL-210 | Product Manual - Page 104
    network that is not public. Setting Up GRE Like other tunnels in NetDefendOS such as an IPsec tunnel, a GRE Tunnel is treated as a logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration capabilities as a standard interface. The GRE options are: • IP Address
  • D-Link DFL-210 | Product Manual - Page 105
    not public there is no need for encryption. Setup for NetDefend Firewall "A" Assuming that the network 192.168.10.0/24 is lannet on the lan interface, the steps for setting up NetDefendOS on A are: 1. In the address book set up the following IP objects: • remote_net_B: 192.168.11.0/24 • remote_gw
  • D-Link DFL-210 | Product Manual - Page 106
rules in the IP rule set that allow traffic to pass through the tunnel: rule To_B (Action: Allow, Src Int: lan, Src Net: lannet, Dest Int: GRE_to_B, Dest Net: remote_net_B, Service: All) and rule From_B (Action: Allow, Src Int: GRE_to_B, Src Net: remote_net_B, Dest Int: lan, Dest Net: lannet, Service: All). Setup for NetDefend Firewall "B" Assuming that the network 192.168
  • D-Link DFL-210 | Product Manual - Page 107
configuration object which can be used in creating security IP rules: any of the interfaces in the group could provide a match for the rule. A group can consist of ordinary Ethernet interfaces or it could consist of other types such as VLAN interfaces or VPN sensible to allow certain connections
  • D-Link DFL-210 | Product Manual - Page 108
    Resolution Protocol (ARP) allows the mapping of a network layer protocol (OSI layer 3) address to a data link layer hardware address (OSI layer 2). In data networks it is used to resolve an IP address into its corresponding Ethernet address. ARP operates at the OSI layer 2, data link layer, and is
  • D-Link DFL-210 | Product Manual - Page 109
    traffic is going to be sent to the 192.168.0.10 IP address after the expiration, NetDefendOS will issue a new ARP request. The default MAC address of the host but sometimes it may be necessary to manually force there are several very large LANs directly connected to the firewall, it may be necessary
  • D-Link DFL-210 | Product Manual - Page 110
    is reporting an incorrect MAC address. Some network devices, such as wireless modems, can have such problems. It may also be used to lock an IP address to a specific MAC address for increasing security or to avoid denial-of-service if there are rogue users in a network. However, such protection only
  • D-Link DFL-210 | Product Manual - Page 111
    • Mode: Static • Interface: lan 3. Enter the following: • IP Address: 192.168.10.15 • MAC: 4b-86-f6-c5-a2-14 4. Click OK Chapter 3. Fundamentals Published ARP Objects NetDefendOS supports publishing IP addresses on a particular interface, optionally along with a specific MAC address instead of the
  • D-Link DFL-210 | Product Manual - Page 112
    selected, the result will be the same. Publishing Entire Networks When using ARP entries, IP addresses can only be published one at a time. However, and redundancy devices, which make use of hardware layer multicast addresses. The default behavior of NetDefendOS is to drop and log such ARP requests
  • D-Link DFL-210 | Product Manual - Page 113
    allows the administrator to specify whether or not such situations are logged. Sender IP 0.0.0.0 NetDefendOS can be configured for handling ARP queries that have a sender IP of 0.0.0.0. Such sender IPs are never valid as responses, but network units that have not yet learned of their IP address
  • D-Link DFL-210 | Product Manual - Page 114
    facilitate hijacking of local connections. However, not allowing this may cause problems if, for example, a network adapter is replaced, as NetDefendOS will not accept the new address until the previous ARP table entry has timed out. Default: AcceptLog Static ARP Changes Determines how NetDefendOS
  • D-Link DFL-210 | Product Manual - Page 115
    size should be twice as large as the table it is indexing. If the largest directly-connected LAN contains 500 IP addresses then the size of the ARP entry hash should be at least 1000 entries. Default: 512 ARP Hash Size VLAN Hashing is used to rapidly look up entries in a table. For maximum
  • D-Link DFL-210 | Product Manual - Page 116
    NetDefendOS security policies, and which use the same filtering parameters described above (networks/interfaces/service), include: • IP Rules These determine which traffic is permitted to pass through the NetDefend Firewall as well as determining if the traffic is subject to address translation
  • D-Link DFL-210 | Product Manual - Page 117
is allowed or not allowed to pass through the NetDefend Firewall, and if necessary, how address translations like NAT are applied. By default, one NetDefendOS IP rule set always exists and this has the name main. There are two possible approaches to how traffic traversing the NetDefend Firewall could
  • D-Link DFL-210 | Product Manual - Page 118
    the source of the traffic is found on the interface where the packets enter. • An IP rule in a NetDefendOS IP rule set which specifies the security policy that allows the packets from the source interface and network bound for the destination network to leave the NetDefend Firewall on the interface
  • D-Link DFL-210 | Product Manual - Page 119
    final rule in the rule set with an action of Drop with Source/Destination Network all-nets and Source/Destination Interface all. This allows logging to be turned on for traffic that matches no IP rule. 3.5.3. IP Rule Actions A rule consists of two parts: the filtering parameters and the action to
  • D-Link DFL-210 | Product Manual - Page 120
is to define two rules, one rule for traffic in one direction and another rule for traffic coming back in the other direction. In fact nearly all IP Rule types allow bi-directional traffic flow once the initial connection is set up. The Source Network and Source Interface in the rule means the
  • D-Link DFL-210 | Product Manual - Page 121
    cc IPRuleSet main Now, create the IP rule: gw-world:/main> add IPRule Action=Allow Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=wan DestinationNetwork=all-nets Name=lan_http Return to the top level: gw-world:/main> cc Configuration changes must be saved by then issuing
  • D-Link DFL-210 | Product Manual - Page 122
    can be very useful for someone seeing a configuration for the first time, such as technical support staff. In an IP rule set that contains hundreds of rules it can often prove difficult to quickly identify those rules associated with a specific aspect of NetDefendOS operation. Object Groups and the
  • D-Link DFL-210 | Product Manual - Page 123
    title line and the IP rule as its only member. The default title of "(new Group)" is used. The entire group is also assigned a default color and the group from the context menu. A Group editing dialog will be displayed which allows two functions: • Specify the Title The title of the group can be
  • D-Link DFL-210 | Product Manual - Page 124
Configuration Object Groups. Any color can be chosen for the group. The color can be selected from the 16 predefined color boxes or entered as a hexadecimal RGB value. In addition, when the hexadecimal value box is selected, a full spectrum color palette appears which allows
  • D-Link DFL-210 | Product Manual - Page 125
3.5.6. Configuration Object Groups. Moving Groups Groups can be moved in the same way as individual objects. By right clicking the group title line, the
  • D-Link DFL-210 | Product Manual - Page 126
    traffic from a certain department is only allowed access outside that department during normal office hours. Another example might be that authentication using a specific VPN schedule. This is used in user interface display and as a IP Rules, but is valid for most types of policies, including Traffic
  • D-Link DFL-210 | Product Manual - Page 127
    to an IP Rule that allows HTTP traffic. Command-Line IP rule: gw-world:/main> add IPRule Action=NAT Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=any DestinationNetwork=all-nets Schedule=OfficeHours name=AllowHTTP Return to the top level: gw-world:/main> cc Configuration
  • D-Link DFL-210 | Product Manual - Page 128
this manual to a certificate means an X.509 certificate. A certificate is a digital proof of identity. It links a user ID of an intended recipient. Certificates with VPN Tunnels The main usage of certificates in NetDefendOS is with VPN tunnels. The simplest and fastest way to provide security
  • D-Link DFL-210 | Product Manual - Page 129
    the CRL can be downloaded. In some cases, certificates do not contain this field. In those cases the location of the CRL has to be configured manually. A CA usually updates all the remote identities that are allowed access through a specific VPN tunnel, provided the certificate validation procedure
  • D-Link DFL-210 | Product Manual - Page 130
    instructions Example 3.19. Associating Certificates with IPsec Tunnels To associate an imported certificate with an IPsec tunnel. Web Interface 1. Go to Interfaces > IPsec 2. Display the properties of the IPsec known, predefined format. Manually Creating Windows CA Server Requests The NetDefendOS
  • D-Link DFL-210 | Product Manual - Page 131
    stages are as follows: 1. Create the gateway certificate on the Windows CA server and export it to a .pfx file on the local NetDefendOS management workstation key might be the names. 4. Start a text editor and open the downloaded .pem file and locate the line that begins: -----BEGIN RSA PRIVATE KEY
  • D-Link DFL-210 | Product Manual - Page 132
    -stamps in order to indicate when a specific event occurred. Not only does this assume the network. Time Synchronization Protocols NetDefendOS supports the servers which are known as Time Servers. 3.8.2. Setting Date and Time Current Date and Time The administrator can set the date and time manually
  • D-Link DFL-210 | Product Manual - Page 133
GMT. The NetDefendOS time zone setting reflects the time zone where the NetDefend Firewall is physically located. Example 3.21. Setting the Time Zone To to adjust for DST. Instead, this information has to be manually provided if daylight saving time is to be used. There are 3.8.3. Time Servers
  • D-Link DFL-210 | Product Manual - Page 134
    Time Servers. NetDefendOS supports the following time synchronization protocols: • SNTP Defined by RFC 2030, The Simple Network server is correctly configured in NetDefendOS so that Time Server URLs can be resolved (see Section 3.9, "DNS"). This is not needed if using IP addresses for the servers
  • D-Link DFL-210 | Product Manual - Page 135
2. For the setting Maximum time drift that a server is allowed to adjust, enter the maximum time difference in seconds that an external server is allowed to adjust for. There may be a valid reason why there is a significant difference such as an incorrect NetDefendOS configuration. 3. Click OK
  • D-Link DFL-210 | Product Manual - Page 136
    possible to manually force a Link Server option is chosen, a predefined set of recommended default values for the synchronization are used. Example 3.27. Enabling the D-Link NTP Server To enable the use of the D-Link NTP server an external DNS server configured so that the D-Link Time Server URLs can
  • D-Link DFL-210 | Product Manual - Page 137
SNTP (Simple Network Time Protocol). Default: SNTP Primary Time Server DNS hostname or IP Address of Timeserver 1. Default: None Secondary Time Server DNS hostname or IP Address of Timeserver 2. Default: None Tertiary Time Server DNS hostname or IP Address of Timeserver 3. Default: None Interval
  • D-Link DFL-210 | Product Manual - Page 138
3.8.4. Settings Summary for Date and Time Maximum time drift in seconds that a server is allowed to adjust. Default: 600 Group interval Interval according to which server responses will be grouped. Default: 10
  • D-Link DFL-210 | Product Manual - Page 139
    . • UTM features that require access to external servers such as anti-virus and IDP. Example 3.28. Configuring DNS Servers In this example, the DNS client is configured to use one primary and one secondary DNS server, having IP addresses 10.0.0.1 and 10.0.0.2 respectively. Command-Line Interface
  • D-Link DFL-210 | Product Manual - Page 140
used to troubleshoot problems by seeing what NetDefendOS is sending and what the servers are returning. Note: A high rate of server queries can cause problems Dynamic DNS services are often sensitive to repeated logon attempts over short periods of time and may blacklist IP addresses that are sending
  • D-Link DFL-210 | Product Manual - Page 141
3.9. DNS
  • D-Link DFL-210 | Product Manual - Page 142
    fundamental functions of NetDefendOS. Any IP packet flowing through a NetDefend Firewall will be subjected to at least one routing decision at some point in time, and properly setting up routing is crucial for the system to function as expected. NetDefendOS offers support for the following types of
  • D-Link DFL-210 | Product Manual - Page 143
    to the interface, this is not needed. When a router lies between the NetDefend Firewall and the destination network, a gateway IP must be specified. For example, if the route is for public Internet access via an ISP then the public IP address of the ISP's gateway router would be specified. • Local
  • D-Link DFL-210 | Product Manual - Page 144
    NetDefend Firewall usage scenario. Figure 4.1. A Typical Routing Scenario In the above diagram, the LAN interface is connected to the network 192.168.0.0/24 and the DMZ interface is connected to the network 10.4.0.0/16. The WAN interface is connected to the network 195.66.77.0/24 and the address
  • D-Link DFL-210 | Product Manual - Page 145
    physical interface's IP address. We would say that this network is not bound to the physical interface. Clients on this second network won't then be able to communicate with the NetDefend Firewall because ARP won't function between the clients and the interface. To solve this problem we would add
  • D-Link DFL-210 | Product Manual - Page 146
    must also have their Default Gateway set to 10.2.2.1 in order to reach the NetDefend Firewall. This feature is normally used when an additional network is to be added to an interface but it is not desirable to change the existing IP addresses of the network. From a security standpoint, doing this
  • D-Link DFL-210 | Product Manual - Page 147
    NetDefendOS, and how to configure static routing. NetDefendOS supports multiple routing tables. A default table called main is predefined likely. Many other products do not use the specific interface in the routing table, but specify the IP address of the interface instead. The routing table below
  • D-Link DFL-210 | Product Manual - Page 148
    if there is a separate route which includes the gateway IP address and that routes traffic to a different interface. Composite Subnets can be Specified Another advantage with the NetDefendOS approach to route definition is that it allows the administrator to specify routes for destinations that are
  • D-Link DFL-210 | Product Manual - Page 149
    Automatically for Each Interface When the NetDefend Firewall is started for the first time, NetDefendOS will automatically add a route in the main routing table for each physical interface. These routes are assigned a default IP address object in the address book and these IP objects must have their
  • D-Link DFL-210 | Product Manual - Page 150
    routes are present for the system to understand where to route traffic that is destined for the system itself. There is one route added for each interface in the system. In other words, two interfaces named lan and wan, and with IP addresses 192.168.0.10 and 193.55.66.77, respectively, will result
  • D-Link DFL-210 | Product Manual - Page 151
    CLI Reference Guide. 4.2.3. Route Failover Overview NetDefend Firewalls are often service providers often use different routes to avoid a single point of failure. To allow for a situation with multiple ISPs, NetDefendOS provides a Route Failover capability so that should one route fail, traffic
  • D-Link DFL-210 | Product Manual - Page 152
link status are instantly noticed, this method provides the fastest response to failure. Gateway Monitoring If a specific status in a NetDefendOS configuration and are treated differently. Route Metric When specifying routes, the administrator should manually set a route's Metric. The metric is
  • D-Link DFL-210 | Product Manual - Page 153
    next best matching route will be used instead. The table below defines two default routes, both having all-nets as the destination, but using two different illustrate the problem, consider the following configuration: Firstly, there is one IP rule that will NAT all HTTP traffic destined for
  • D-Link DFL-210 | Product Manual - Page 154
    reliable to check accessibility to external hosts. Just monitoring a link to a local switch may not indicate a problem in another part of the internal network. • Host monitoring can be used to help in setting the acceptable Quality of Service level of Internet response times. Internet access may be
  • D-Link DFL-210 | Product Manual - Page 155
    the server will be valid. • IP Address The IP address of the host when using the ICMP or TCP option. • Port Number The port number for polling when using the TCP option. • Interval The interval in milliseconds between polling attempts. The default setting is 10,000 and the minimum value allowed is
  • D-Link DFL-210 | Product Manual - Page 156
    server is operational but the application is offline. A Known Issue When No External Route is Specified With connections to an Internet ISP, an external network route should always be specified. This external route specifies on which interface the network which exists between the NetDefend Firewall
  • D-Link DFL-210 | Product Manual - Page 157
    scenario, consider a network split into two sub-networks with a NetDefend Firewall between the two. Host A on one sub-network might send an ARP request to find out the MAC address for the IP address of host B on the other sub-network. With the proxy ARP feature configured, NetDefendOS responds to
  • D-Link DFL-210 | Product Manual - Page 158
    directly to NetDefendOS which forwards the data to host B. In the process NetDefendOS checks the traffic against the configured rule sets. Setting Up has an ARP request for an IP address outside of the local network then this will be sent to the gateway configured for that host. The entire example
  • D-Link DFL-210 | Product Manual - Page 159
    added routes. The reason why Proxy ARP cannot be enabled for these routes is because automatically created routes have a special status in the NetDefendOS configuration and are treated differently. If Proxy ARP is required on an automatically created route, the route should first be deleted and then
  • D-Link DFL-210 | Product Manual - Page 160
    routing forwards packets according to destination IP address information traffic can be based on specific traffic parameters. Policy-based Routing can allow: Source based routing Service-based Routing User traffic. 4.3.2. Policy-based Routing Tables NetDefendOS, as standard, has one default routing
  • D-Link DFL-210 | Product Manual - Page 161
    interface used for all rule look-ups was done with the original, untranslated address. 6. If allowed by the IP rule set, the new connection is opened in the NetDefendOS state table and the packet forwarded through this connection. 4.3.5. The Ordering parameter Once the routing table for a new
  • D-Link DFL-210 | Product Manual - Page 162
    : The network to route • Gateway: The gateway to send routed packets to • Local IP Address: The IP address specified here will be automatically published on the corresponding interface. This address will also be used as the sender address in ARP queries. If no address is specified, the firewall
  • D-Link DFL-210 | Product Manual - Page 163
    the ISP gateways and the NetDefend Firewall. In a provider-independent network, clients will likely have a single IP address, belonging to one of the ISPs. In a single-organization scenario, publicly accessible servers will be configured with two separate IP addresses: one from each ISP. However
  • D-Link DFL-210 | Product Manual - Page 164
4.3.5. The Ordering parameter Chapter 4. Routing Note: Rules in the above example are added for both inbound and outbound connections.
  • D-Link DFL-210 | Product Manual - Page 165
    links so networks are not dependent on a single ISP. • To allow balancing of traffic across multiple VPN tunnels which might be setup routes is assembled. The routes in the list must cover the exact same IP address range (further explanation of this requirement can be found below). 2. If the
  • D-Link DFL-210 | Product Manual - Page 166
means that a particular destination application can see all traffic coming from the same source IP address. • Spillover Spillover is not similar to the Hold Timer number of seconds (the default is 30 seconds) for the interface. When the traffic passing through the original route's interface falls
  • D-Link DFL-210 | Product Manual - Page 167
    simplify specification of the values. Using Route Metrics with Round Robin An individual route has a metric associated with it, with the default metric value a scenario with two ISPs, if the requirement is that the bulk of traffic passes through one of the ISPs then this can be achieved by enabling
  • D-Link DFL-210 | Product Manual - Page 168
    a connection carrying some assumed amount of traffic. An RLB Scenario Below is an illustration which shows a typical scenario where RLB might be used. Here, there is a group of clients on a network connected via the LAN interface of the NetDefend Firewall and these will access the internet. Internet
  • D-Link DFL-210 | Product Manual - Page 169
will allow traffic to flow to either ISP and will NAT the traffic using the external IP addresses of interfaces WAN1 and WAN2. Rule No. 1 (Action: NAT, Src Interface: lan, Src Network: lannet, Dest Interface: WAN1, Dest Network: all-nets, Service: All) and Rule No. 1 (Action: NAT, Src Interface: lan, Src Network: lannet, Dest Interface: WAN2, Dest Network: all-nets, Service: All). The service All
  • D-Link DFL-210 | Product Manual - Page 170
    an IP rule set to allow traffic to flow. The detailed steps for this are not included here but the created rules would follow the pattern described above. RLB with VPN When using RLB with VPN, a number of issues need to be overcome. If we were to try and use RLB to balance traffic between two IPsec
  • D-Link DFL-210 | Product Manual - Page 171
    routing in that a routing network device, such as a NetDefend Firewall, can adapt to changes of network topology automatically. Dynamic routing but has some disadvantages in that it can be more susceptible to certain problems such as routing loops. One of two types of algorithms are generally
  • D-Link DFL-210 | Product Manual - Page 172
    NetDefend Firewalls A and B connected together and configured to be in the same OSPF area (the concept of area will be explained later). Figure 4.8. A Simple OSPF Scenario OSPF allows firewall A to know that to reach network Y, traffic needs to be sent to firewall B. Instead of having to manually
  • D-Link DFL-210 | Product Manual - Page 173
    of view, only the routes for directly connected networks need to be configured on each firewall. OSPF automatically provides the required routing information to find networks connected to other firewalls, even if traffic needs to transit several other firewalls to reach its destination. Tip: Ring
  • D-Link DFL-210 | Product Manual - Page 174
on all D-Link NetDefend models The OSPF feature is only available on the NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. OSPF is not available on the DFL-210 and 260. OSPF functions by routing IP packets based only on the destination IP address found in the IP packet header. IP packets are
  • D-Link DFL-210 | Product Manual - Page 175
    routing traffic link to it. OSPF networks should be designed by beginning with the backbone. Stub Areas Stub areas are areas through which or into which AS external advertisements are not flooded. When an area is configured as a stub area, the router will automatically advertise a default
  • D-Link DFL-210 | Product Manual - Page 176
    already a DR on the network, the router will accept out periodically on each interface using IP multicast. Routers become neighbors as does NOT include the Router ID of the firewall in it, the neighbor will be placed in combine groups of routes with common addresses into a single entry in the routing
  • D-Link DFL-210 | Product Manual - Page 177
    fw1 with Router ID 192.168.1.1 and vice versa. These virtual links need to be configured in Area 1. B. Linking a Partitioned Backbone OSPF allows for linking a partitioned backbone using a virtual link. The virtual link should be configured between two separate ABRs that touch the backbone from each
  • D-Link DFL-210 | Product Manual - Page 178
, the scenario will be that we have two or more NetDefend Firewalls connected together in some way. OSPF allows any of these firewalls to be able to correctly route traffic to a destination network connected to another firewall without having a route in its routing tables for the destination
  • D-Link DFL-210 | Product Manual - Page 179
on each NetDefend Firewall which is part of the OSPF network. General Parameters Name Router ID Private Router ID Specifies a symbolic name for the OSPF AS. Specifies the IP address that is used to identify the router in an AS. If no Router ID is configured, the firewall computes the Router
  • D-Link DFL-210 | Product Manual - Page 180
: cost = reference bandwidth / bandwidth Enable this if the NetDefend Firewall will be used in an environment that consists of routers that only support RFC 1583. Debug Protocol debug provides a troubleshooting tool by logging OSPF protocol specific information to the log. • Off - Nothing is logged
  • D-Link DFL-210 | Product Manual - Page 181
is specified the default is 1% of installed RAM. Specifying 0 indicates that the OSPF AS process is allowed to use all available RAM in the firewall. 4.5.3.2. OSPF Area The Autonomous System (AS) is divided into smaller parts called an Area, this section explains how to configure areas. An area
  • D-Link DFL-210 | Product Manual - Page 182
    the network addresses allowed to be imported from other routers inside the OSPF area. 4.5.3.3. OSPF Interface This section describes how to configure an OSPF Interface object. OSPF interface objects are children of OSPF areas. Unlike areas, they are not similar on each NetDefend Firewall in
  • D-Link DFL-210 | Product Manual - Page 183
    instead of the metric. Authentication All OSPF protocol exchanges can be authenticated using a simple password or MD5 cryptographic hashes. If Use Default for Router Process is enabled then the values configured in the router process properties are used. If this is not enabled then the following
  • D-Link DFL-210 | Product Manual - Page 184
is used to combine groups of routes with common addresses into a single entry in the routing table. If advertised this will decrease the size of the routing table in the firewall, if not advertised this will hide the networks. NetDefendOS OSPF Aggregate objects are created within an OSPF
  • D-Link DFL-210 | Product Manual - Page 185
    routing tables from the AS. 4.5.4.1. Overview The Final OSPF Setup Step is Creating Dynamic Routing Rules After the OSPF structure is created, the final step is always to create a Dynamic Routing Rule on each NetDefend Firewall which allows the routing information that the OSPF AS delivers from
  • D-Link DFL-210 | Product Manual - Page 186
    Routing OSPF Requires at Least an Import Rule By default, NetDefendOS will not import or export any routes. For routing tables. Specifying a Filter Dynamic routing rules allow a filter to be specified which narrows the routes that are imported based on the network reached. In most cases, the Or is
  • D-Link DFL-210 | Product Manual - Page 187
    Network Exactly Matches Or is within Specifies if the network needs to exactly match a specific network. Specifies if the network needs to be within a specific network General Parameters Export to Process Forward Tag Route Type OffsetMetric . If needed, specifies the IP to route via. Specifies a
  • D-Link DFL-210 | Product Manual - Page 188
    large number of configuration possibilities that OSPF offers. However, in many cases a simple OSPF solution using a minimum of NetDefendOS objects is needed and setup can be straightforward. Let us examine again the simple scenario described earlier with just two NetDefend Firewalls. In this example
  • D-Link DFL-210 | Product Manual - Page 189
    other words, with another NetDefend Firewall that acts as an OSPF router). For example, the interface may only be connected to a network of clients, in networks will be included in the OSPF system. If more than two firewalls will be part of the same OSPF area then all of them should be configured
  • D-Link DFL-210 | Product Manual - Page 190
    B. The IPsec setup options are explained in Section 9.2, "VPN Quick Start". This IPsec tunnel is now treated like any other interface when configuring OSPF in NetDefendOS. 2. Choose a random internal IP network For each firewall we need to choose a random IP network using internal IP addresses. For
  • D-Link DFL-210 | Product Manual - Page 191
    have done so far is allow OSPF traffic to flow from A to B. The steps above need to be repeated as a mirror image for firewall B using the same IPsec tunnel but using a different random internal IP network for OSPF setup. Tip: Non-OSPF traffic can also use the tunnel A VPN tunnel can carry both OSPF
  • D-Link DFL-210 | Product Manual - Page 192
    OSPF Interface 3. Select the Interface. For example, lan 4. Click OK Just selecting the Interface means that the Network defaults to the network bound to that interface. In this case lannet. This should be repeated for all the interfaces on this NetDefend Firewall that will be part of the OSPF area
  • D-Link DFL-210 | Product Manual - Page 193
    Action > Add > DynamicRountingRuleAddRoute 4. Move the routing table main from Available to Selected 5. Click OK Example 4.11. Exporting the Default Route into an OSPF AS In this example, the default all-nets route from the main routing table will be exported into an OSPF AS named as_0. This must
  • D-Link DFL-210 | Product Manual - Page 194
    the problem by the network routers themselves, replicating and forwarding packets via the optimum route to all members of a group. The IETF standards that allow multicast routing are the following: • Class D of the IP address space which is reserved for multicast traffic. Each multicast IP address
  • D-Link DFL-210 | Product Manual - Page 195
    the core interface. By default, the multicast IP range 224.0.0.0/4 is always routed to core and does not have to be manually added to the routing tables. Each specified output interface can individually be configured with static address translation of the destination address. The Interface field in
  • D-Link DFL-210 | Product Manual - Page 196
    following steps need to be performed to configure the actual forwarding of the multicast traffic. IGMP has to be configured separately. Web Interface A. Create a custom service for multicast called multicast_service: 1. Go to Objects > Services > Add > TCP/UDP 2. Now enter: • Name: multicast_service
  • D-Link DFL-210 | Product Manual - Page 197
4.6.2. Multicast Forwarding with SAT Multiplex Rules Chapter 4. Routing B. Create an IP rule: 1. Go to Rules > IP Rules > Add > IP Rule 2. Under General enter: • Name: a name for the rule, for example Multicast_Multiplex • Action: Multiplex SAT • Service: multicast_service 3. Under Address Filter
  • D-Link DFL-210 | Product Manual - Page 198
    , remember to add an Allow rule matching the SAT Multiplex rule. Example 4.13. Multicast Forwarding - Address Translation The following SAT Multiplex rule needs to be configured to match the scenario described above: Web Interface A. Create a custom service for multicast called multicast_service
  • D-Link DFL-210 | Product Manual - Page 199
    source is located on a network directly connected to the router, no query rule is needed. 2. If a neighboring router is statically configured to deliver a multicast stream to the NetDefend Firewall, an IGMP query would also not have to be specified. NetDefendOS supports two IGMP modes of operation
  • D-Link DFL-210 | Product Manual - Page 200
4.6.3. IGMP Configuration Figure 4.16. Multicast Snoop Mode Figure 4.17. Multicast Proxy Mode In Snoop Mode, the NetDefend Firewall will act transparently between the hosts and another IGMP router. It will not send any IGMP Queries. It will only forward queries and reports
  • D-Link DFL-210 | Product Manual - Page 201
    Translation The following example requires a configured interface group IfGrpClients including interfaces if1, if2 and if3. The ip address of the upstream IGMP router is known as UpstreamRouterIP. Two rules are needed. The first one is a report rule that allows the clients behind interfaces if1, if2
  • D-Link DFL-210 | Product Manual - Page 202
    configure IGMP according to the Address Translation scenario described above in Section 4.6.2.2, "Multicast Forwarding - Address interface) 3. Under Address Filter enter: • Source Interface: if1 • Source Network: if1net • Destination Interface: core • Destination Network: auto • Multicast Source
  • D-Link DFL-210 | Product Manual - Page 203
Example 4.16. if2 Configuration - Group Translation The following steps need to be executed to create the report and query rule pair for if2 which translates the multicast group. Note that the group translated therefore the IGMP reports include the translated IP addresses and the queries will
  • D-Link DFL-210 | Product Manual - Page 204
    IP address range 224.0.0.0/4. If the setting is disabled, multicast packets might be forwarded according to the default route. Default: Enabled IGMP Before Rules For IGMP traffic, by-pass the normal IP rule set and consult the IGMP rule set. Default: Enabled IGMP React To Own Queries The firewall
  • D-Link DFL-210 | Product Manual - Page 205
    specific query. Global setting on interfaces without an overriding IGMP Setting. Default: 5,000 IGMP Max Total Requests The maximum global number of IGMP messages to process each second. Default an overriding IGMP Setting. Default: 2 IGMP Startup Query Count The firewall will send IGMP Startup Query
  • D-Link DFL-210 | Product Manual - Page 206
4.6.4. Advanced IGMP Settings The time in milliseconds between repetitions of an initial membership report. Global setting on interfaces without an overriding IGMP Setting. Default: 1,000
  • D-Link DFL-210 | Product Manual - Page 207
    and manage traffic flowing through that point. NetDefendOS can allow or deny access to different types of services (for example HTTP) and in specified directions. As long as users are accessing the services permitted, they will not be aware of the NetDefend Firewall's presence. Network security and
  • D-Link DFL-210 | Product Manual - Page 208
    In Transparent Mode, NetDefendOS allows ARP transactions to pass through the NetDefend Firewall, and determines from this ARP traffic the relationship between IP addresses, physical addresses and interfaces. NetDefendOS remembers this address information in order to relay IP packets to the correct
  • D-Link DFL-210 | Product Manual - Page 209
    as Security Allow Src Interface any Src Network all-nets Dest Interface any Dest Network all-nets Service all Restricting the Network Parameter As NetDefendOS listens to ARP traffic, it continuously adds single host routes to the routing table as it discovers on which interface IP addresses
  • D-Link DFL-210 | Product Manual - Page 210
    table used for an interface is decided by the Routing Table Membership parameter for each interface. To implement separate Transparent Mode networks, interfaces must have their Routing Table Membership reset. By default, all interfaces have Routing Table Membership set to be all routing tables. By
  • D-Link DFL-210 | Product Manual - Page 211
    IP addresses in a Transparent Mode setup if desired. With Internet connections, it may be the ISP's own DHCP server which will hand out public IP addresses to users. In this case, NetDefendOS MUST be correctly configured as a DHCP Relayer to forward DHCP traffic between users and the DHCP server
  • D-Link DFL-210 | Product Manual - Page 212
will allow traffic from the local users on Ethernet network pn2 to find the ISP gateway. These same users should also configure the Internet gateway on their local computers to be the ISP's gateway address. In non-transparent mode the user's gateway IP would be the NetDefend Firewall's IP address but
  • D-Link DFL-210 | Product Manual - Page 213
    done by a device (possibly another NetDefend Firewall) between the 192.168.10.0/24 network and the public Internet. In this case, internal IP addresses could be used by the users on Ethernet network pn2. 4.7.3. Transparent Mode Scenarios Scenario 1 The firewall in Transparent Mode is placed between
  • D-Link DFL-210 | Product Manual - Page 214
Mode: Enable 3. Click OK 4. Go to Interfaces > Ethernet > Edit (lan) 5. Now enter: • IP Address: 10.0.0.2 • Network: 10.0.0.0/24 • Transparent Mode: Enable 6. Click OK Configure the rules: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: HTTPAllow • Action: Allow • Service: http
  • D-Link DFL-210 | Product Manual - Page 215
    same network or placed on the DMZ. The hosts on the internal network are allowed to communicate with an HTTP server on DMZ while the HTTP server on the DMZ can be reached from the Internet. The NetDefend Firewall is transparent between the DMZ and LAN but traffic is still controlled by the IP rule
  • D-Link DFL-210 | Product Manual - Page 216
24 • Metric: 0 3. Click OK Configure the rules: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: HTTP-LAN-to-DMZ • Action: Allow • Service: http • Source Interface: lan • Destination Interface: dmz • Source Network: 10.0.0.0/24 • Destination Network: 10.1.4.10
  • D-Link DFL-210 | Product Manual - Page 217
    : Allow • Service: http • Source Interface: wan • Destination Interface: dmz • Source Network: all-nets • Destination Network: wan_ip 9. Click OK 4.7.4. Spanning Tree BPDU Support NetDefendOS includes support for relaying the Bridge Protocol Data Units (BPDUs) across the NetDefend Firewall. BPDU
  • D-Link DFL-210 | Product Manual - Page 218
    content type is supported. If it is not, the frame is dropped. Enabling/Disabling BPDU Relaying BPDU relaying is disabled by default and can be Learning Enable this if the firewall should be able to learn the destination for hosts by combining destination address information and information found in
  • D-Link DFL-210 | Product Manual - Page 219
    should be decremented each time a packet traverses the firewall in Transparent Mode. Default: Disabled Dynamic CAM Size This setting can be used to manually configure the size of the CAM table. Normally Dynamic is the preferred value to use. Default: Dynamic CAM Size If the Dynamic CAM Size setting
  • D-Link DFL-210 | Product Manual - Page 220
    • RewriteLog - Rewrite to the MAC of the forwarding interface and log • Drop - Drop packets • DropLog - Drop and log packets Default: DropLog Multicast Enet Sender Defines what to do when receiving a packet that has the sender hardware (MAC) address in Ethernet header set to a multicast Ethernet
  • D-Link DFL-210 | Product Manual - Page 221
4.7.5. Advanced Settings for Transparent Mode • Drop - Drop the packets • DropLog - Drop the packets and log the event Default: Drop Relay MPLS When set to Ignore, all incoming MPLS packets are relayed in transparent mode. Options: • Ignore - Let the packets pass but do not
  • D-Link DFL-210 | Product Manual - Page 222
4.7.5. Advanced Settings for Transparent Mode
  • D-Link DFL-210 | Product Manual - Page 223
    services in NetDefendOS. • Overview, page 223 • DHCP Servers, page 224 • DHCP Relaying, page 230 • IP Pools, page 233 5.1. Overview Dynamic Host Configuration Protocol (DHCP) is a protocol that allows network administrators to automatically assign IP numbers to computers on a network. IP Address
  • D-Link DFL-210 | Product Manual - Page 224
one of the user interfaces. Using Relayer IP Address Filtering As explained above, a DHCP server is selected based on a match of both interface and relayer IP filter. Each DHCP server must have a relayer IP filter value specified and the possible values are as follows: • all-nets The default value is
  • D-Link DFL-210 | Product Manual - Page 225
    5.2. DHCP Servers Chapter 5. DHCP Services The following options can be configured for a DHCP server: General Parameters Name Interface Filter IP Address Pool Netmask A symbolic name for the server. Used as an interface reference but also used as a reference in log messages. The source interface
  • D-Link DFL-210 | Product Manual - Page 226
This example shows how to set up a DHCP server called DHCPServer1 which assigns and manages IP addresses from an IP address pool called DHCPRange1. This example assumes that an IP range for the DHCP Server has already been created. Command-Line Interface
  • D-Link DFL-210 | Product Manual - Page 227
    The following sections discuss these two DHCP server options. 5.2.1. Static DHCP Hosts Where the administrator requires a fixed relationship between a client and the assigned IP address, NetDefendOS allows the assignment of a given IP to a specific MAC address. In other words, the creation of
  • D-Link DFL-210 | Product Manual - Page 228
    Options Adding a Custom Option to the DHCP server definition allows the administrator to send specific pieces of information to DHCP clients in the DHCP leases that are sent out. An example of this is certain switches that require the IP address of a TFTP server from which they can get certain extra
  • D-Link DFL-210 | Product Manual - Page 229
5.2.2. Custom Options Custom Option Parameters The following parameters can large number of custom options which can be associated with a single DHCP server and these are described in: RFC 2132 - DHCP Options and BOOTP Vendor Extensions The code is entered according to the
  • D-Link DFL-210 | Product Manual - Page 230
    allows clients on NetDefendOS VLAN interfaces to obtain IP addresses from a DHCP server. It is assumed the NetDefend Firewall is configured with VLAN interfaces vlan1 and vlan2 that use DHCP relaying, and the DHCP server IP address is defined in the NetDefendOS address book as ip-dhcp. NetDefendOS
  • D-Link DFL-210 | Product Manual - Page 231
send through NetDefendOS to the dhcp-server during one minute. Default: 500 packets Max Hops How many hops the dhcp-request can take between the client and the dhcp-server. Default: 5 Max Lease Time The maximum lease time allowed by NetDefendOS. If the DHCP server has a higher lease time, it
  • D-Link DFL-210 | Product Manual - Page 232
will be reduced down to this value. Default: 10000 seconds Max Auto Routes How many relays can be active at the same time. Default: 256 Auto Save Policy What policy should be used to save the relay list to the disk, possible settings are Disabled
  • D-Link DFL-210 | Product Manual - Page 233
As the single DHCP server on a specific interface • One or more can be specified by a list of unique IP addresses. IP Pools with Config Mode A primary usage of IP Pools is with IKE Config Mode which is a feature used for allocating IP addresses to remote clients connecting through IPsec tunnels. For
  • D-Link DFL-210 | Product Manual - Page 234
Receive Interface MAC Range Prefetch leases Maximum free Maximum clients Sender IP A "simulated" virtual DHCP server receiving interface. This setting is used to simulate a receiving interface when an IP pool is obtaining IP addresses from internal DHCP servers
  • D-Link DFL-210 | Product Manual - Page 235
command allows the administrator to change the pool size and to free up IP addresses. The complete list of command options can be found in the CLI Reference Guide. Example 5.5. Creating an IP Pool This example shows the creation of an IP Pool object that will use the DHCP server on IP address 28
  • D-Link DFL-210 | Product Manual - Page 236
5.4. IP Pools
  • D-Link DFL-210 | Product Manual - Page 237
    functions of NetDefendOS is to allow only authorized connections access to protected data resources. Access control is primarily addressed by the NetDefendOS IP rule set in which a range of protected LAN addresses are treated as trusted hosts, and traffic flow from untrusted sources is restricted
  • D-Link DFL-210 | Product Manual - Page 238
    traffic with a source IP address belonging to an outside untrusted network is NOT allowed. The first point prevents an outsider from using a local host's address as its source address. The second point prevents any local host from launching the spoof. 6.1.3. Access Rule Settings The configuration
  • D-Link DFL-210 | Product Manual - Page 239
    Rules when troubleshooting puzzling problems in case a rule is preventing some other function, such as VPN tunnel establishment, from working properly. Example 6.1. Setting up an Access Rule A rule is to be defined that ensures no traffic with a source address not within the lannet network is
  • D-Link DFL-210 | Product Manual - Page 240
    outside the protected network, for example web access, file transfer and multimedia transfer. ALGs provide higher security than packet filtering since they are capable of scrutinizing all traffic for a specific protocol and perform checks at the higher levels of the TCP/IP stack. ALGs exist
  • D-Link DFL-210 | Product Manual - Page 241
with an ALG has a configurable parameter associated with it called Max Sessions and the default value varies according to the type of ALG. For instance, the default value for the HTTP ALG is 1000. This means that 1000 connections are allowed in total for the HTTP service across all interfaces. The
  • D-Link DFL-210 | Product Manual - Page 242
    Chapter 6. Security Mechanisms Anti-Virus scanning, if it is enabled, is always applied to the HTTP traffic even if it is whitelisted. These features are described in depth in Section 6.3.3, "Static Content Filtering". • Dynamic Content Filtering - Access to specific URLs can be allowed or blocked
  • D-Link DFL-210 | Product Manual - Page 243
6.2.2. The HTTP ALG Note: Similarities with other NetDefendOS features The Verify MIME type and Allow/Block Selected Types options work in the same way for the FTP, POP3 and SMTP ALGs. • Download File Size Limit - A file size limit can additionally be specified for
  • D-Link DFL-210 | Product Manual - Page 244
the FTP client to the FTP server, just like the command channel. This is often the recommended default mode for FTP clients, though some advice may recommend the opposite. A Discussion of FTP Security Issues Both active and passive modes of FTP operation present problems for NetDefend Firewalls.
  • D-Link DFL-210 | Product Manual - Page 245
The FTP ALG Consider a scenario where an FTP client on the internal network connects through the firewall to an FTP server on the Internet. The IP rule is then configured to allow network traffic from the FTP client to port 21 on the FTP server. When active mode is
  • D-Link DFL-210 | Product Manual - Page 246
6.2.3. The FTP ALG Figure 6.3. FTP ALG Hybrid Mode Note: Hybrid conversion mode. A range of server data ports is specified with this option. The client will be allowed to connect to any of these if the server is using passive mode. The default range is 1024-65535.
  • D-Link DFL-210 | Product Manual - Page 247
• Allow the SITE EXEC command to be sent to an FTP server by a client. • Allow the RESUME command even if content scanning terminated the connection. Note: Some commands are never allowed Some commands, such as encryption instructions, are never allowed. Encryption
  • D-Link DFL-210 | Product Manual - Page 248
    configuration of the ALG that is to be affected by ZoneDefense when a virus is detected. For more information about this topic refer to Chapter 12, ZoneDefense. Example 6.2. Protecting an FTP Server with an ALG As shown, an FTP Server is connected to the NetDefend Firewall on a DMZ with private IP
  • D-Link DFL-210 | Product Manual - Page 249
    and passive modes. • Disable the Allow server to use passive mode FTP ALG option. This is more secure for the server as it will never receive passive mode data. The FTP ALG will handle all conversion if a client connects using passive mode. The configuration is performed as follows: Web Interface
  • D-Link DFL-210 | Product Manual - Page 250
    3. Click OK C. Define a rule to allow connections to the public IP on port 21 and forward that to the internal FTP server: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: SAT-ftp-inbound • Action: SAT • Service: ftp-inbound-service 3. For Address Filter enter: • Source Interface: any
  • D-Link DFL-210 | Product Manual - Page 251
• Destination Network: wan_ip 4. Click OK Example 6.3. Protecting FTP Clients In the scenario shown below, the NetDefend Firewall is protecting a workstation that will connect to FTP servers on the Internet. In this case, we will set the FTP ALG restrictions as follows. • Disable the Allow client
  • D-Link DFL-210 | Product Manual - Page 252
    : • Name: Allow-ftp-outbound • Action: Allow • Service: ftp-outbound-service 3. For Address Filter enter: • Source Interface: lan • Destination Interface: wan • Source Network: lannet • Destination Network: all-nets 4. Click OK ii. Using Public IPs If the firewall is using private IPs with a single
  • D-Link DFL-210 | Product Manual - Page 253
    be protected behind the NetDefend Firewall and NetDefendOS will SAT-Allow connections to it from external clients that are connecting across the public Internet. If FTP Passive mode is allowed and a client connects with this mode then the FTP server must return an IP address and port to the client
  • D-Link DFL-210 | Product Manual - Page 254
    the Internet. Typically the local SMTP server will be located on a DMZ so that mail sent by remote SMTP servers will traverse the NetDefend Firewall to reach the local server (this setup is illustrated later in Section 6.2.5.1, "Anti-Spam Filtering"). Local users will then use email client software
  • D-Link DFL-210 | Product Manual - Page 255
6.2.5. The SMTP ALG Email address blacklisting Email address whitelisting Verify MIME type Block/Allow filetype Anti-Virus scanning The administrator should therefore add a reasonable margin above the anticipated email size when setting this limit. A blacklist of
  • D-Link DFL-210 | Product Manual - Page 256
    all addresses for a certain company called my_company then the blacklist address entry required could be *@my_company.com. If we want to now explicitly allow extensions from the supported extension list that is returned to the client by an SMTP server behind the NetDefend Firewall. When an extension
  • D-Link DFL-210 | Product Manual - Page 257
blocking, the administrator configures the ZoneDefense network range to include all local SMTP clients. Make sure that the SMTP server is excluded from this range. Tip: Exclusion can be manually configured It is possible to manually configure certain hosts and servers to be excluded from
  • D-Link DFL-210 | Product Manual - Page 258
    filtering to emails as they pass through the NetDefend Firewall from an external remote SMTP server to a local SMTP server (from which local clients will later download their emails). Typically, the local, protected SMTP server will be set up on a DMZ network and there will usually be only one "hop
  • D-Link DFL-210 | Product Manual - Page 259
    is done then any TXT messages sent by the DNSBL servers (described next) that identified the email as Spam can be optionally inserted by NetDefendOS into the header of the forwarded email. • If no receiver email address is configured for dropped emails then they are discarded by NetDefendOS. The
  • D-Link DFL-210 | Product Manual - Page 260
    If an email is determined to be Spam and a forwarding address is configured for dropped emails, then the administrator has the option to Add TXT Records to the email. A TXT Record is the information sent back from the DNSBL server when the server thinks the sender is a source of Spam. This
  • D-Link DFL-210 | Product Manual - Page 261
source email address and IP as well as its weighted points score and which DNSBLs caused the event. • DNSBLs not responding - DNSBL query timeouts are logged. • All defined DNSBLs stop responding - This is a high severity event since all email will be allowed through if this happens. Setup Summary
  • D-Link DFL-210 | Product Manual - Page 262
For the DNSBL subsystem overall: • Number of emails checked. • Number of emails Spam tagged. • Number of dropped emails. For each DNSBL server accessed: • Number of positive (is Spam) responses from each configured DNSBL server of a specific ALG. It IP Cache disabled Configured
  • D-Link DFL-210 | Product Manual - Page 263
    /password combination as clear text which can be easily read (some servers may not support other methods than this). Hide User This option prevents the POP3 server from revealing that a username does not exist. This prevents users from trying different usernames until they find a valid one. Allow
  • D-Link DFL-210 | Product Manual - Page 264
    the same external IP address to the same endpoint. Figure 6.6. PPTP ALG Usage The PPTP ALG solves this problem. By using the ALG, the traffic from all the clients can be multiplexed through a single PPTP tunnel between the firewall and the server. PPTP ALG Setup Setting up the PPTP ALG is similar
  • D-Link DFL-210 | Product Manual - Page 265
    NATs the traffic out to the Internet with a destination network of all-nets. The single IP rule below shows how the custom service object called pptp_service is associated with a typical NAT rule. The clients, which are the local end point of the PPTP tunnels, are located behind the firewall on the
  • D-Link DFL-210 | Product Manual - Page 266
    and authorizing access to services. They also implement provider call-routing policies. The proxy is often located on the external, unprotected side of the NetDefend Firewall but can have other locations. All of these scenarios are supported by NetDefendOS. Registrars A server that handles SIP
  • D-Link DFL-210 | Product Manual - Page 267
    the session is that NetDefendOS IP rules must be set up to allow all SIP messages through the NetDefend Firewall, and if the source network of the messages is not known then a large number of potentially dangerous connections must be allowed by the IP rule set. This problem does not occur if the
  • D-Link DFL-210 | Product Manual - Page 268
(sometimes described as SIP pinholes) for allowing the media data traffic to flow through the NetDefend Firewall. Tip Make sure there are no preceding rules already in the IP rule set disallowing or allowing the same kind of traffic. SIP Usage Scenarios NetDefendOS supports
  • D-Link DFL-210 | Product Manual - Page 269
    set to 5060 (the default SIP signalling port). • Type set to TCP/UDP. 3. Define two rules in the IP rule set: • A NAT rule for outbound traffic from clients on the internal network to the SIP Proxy Server located externally. The SIP ALG will take care of all address translation needed by the NAT
  • D-Link DFL-210 | Product Manual - Page 270
    wan lan (or core) Dest Network lannet (or ipwan) The advantage of using Record-Route is clear since now the destination network for outgoing traffic and the source network for incoming traffic have to include all IP addresses that are possible. The Service object for IP rules
  • D-Link DFL-210 | Product Manual - Page 271
    IP address of the NetDefend Firewall. The setup steps are as follows: 1. Define a single SIP ALG object using the options described above. 2. Define a Service object which is associated with the SIP ALG object. The service should have: • Destination Port set to 5060 (the default SIP signalling port
  • D-Link DFL-210 | Product Manual - Page 272
    Proxy on the DMZ interface This scenario is similar to the previous but the major difference is the location of the local SIP proxy server. The server is placed on a separate interface and network to the local clients. This setup adds an extra layer of security since the initial SIP traffic is never
  • D-Link DFL-210 | Product Manual - Page 273
    be noted about this setup: • The IP address of the SIP proxy must be a globally routable IP address. The NetDefend Firewall does not support hiding of the proxy on the DMZ. • The IP address of the DMZ interface must be a globally routable IP address. This address can be the same address as the one
  • D-Link DFL-210 | Product Manual - Page 274
    interface as the contact address. • An Allow rule for outbound traffic from the proxy behind the DMZ interface to the remote clients on the Internet. • An Allow rule for inbound SIP traffic from the SIP proxy behind the DMZ interface to the IP address of the NetDefend Firewall. This rule will have
  • D-Link DFL-210 | Product Manual - Page 275
• Destination Port set to 5060 (the default SIP signalling port) • Type set to TCP/UDP 3. Define four rules in the IP rule set: • An Allow rule for outbound traffic from the clients on the internal network to the proxy located on the DMZ interface. • An Allow rule for
  • D-Link DFL-210 | Product Manual - Page 276
    public IP. MCUs provide support for allows H.323 devices such as H.323 phones and applications to make and receive calls between each other when connected via private networks secured by NetDefend Firewalls. The H.323 specification was not designed to handle NAT, as IP addresses and ports
  • D-Link DFL-210 | Product Manual - Page 277
    RAS traffic between H.323 endpoints and the gatekeeper, in order to correctly configure the NetDefend Firewall to let calls through. • NAT and SAT rules are supported, allowing clients and gatekeepers to use private IP addresses on a network behind the NetDefend Firewall. H.323 ALG Configuration The
  • D-Link DFL-210 | Product Manual - Page 278
H.323 ALG Web Interface Outgoing Rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323AllowOut • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets
  • D-Link DFL-210 | Product Manual - Page 279
    H.323 phone is connected to the NetDefend Firewall on a network with private IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules. The following rules need to
  • D-Link DFL-210 | Product Manual - Page 280
    behind the NetDefend Firewall on a network with public IP addresses. In order to place calls on these phones over the Internet, the following rules need to be added to the rule listings in both firewalls. Make sure there are no rules disallowing or allowing the same kind of ports/traffic before
  • D-Link DFL-210 | Product Manual - Page 281
    behind the NetDefend Firewall on a network with private IP addresses. In order to place calls on these phones over the Internet, the following rules need to be added to the rule set in the firewall. Make sure there are no rules disallowing or allowing the same kind of ports/traffic before these
  • D-Link DFL-210 | Product Manual - Page 282
    placed in the DMZ of the NetDefend Firewall. A rule is configured in the firewall to allow traffic between the private network where the H.323 phones are connected on the internal network and to the Gatekeeper on the DMZ. The Gatekeeper on the DMZ is configured with a private address. The following
  • D-Link DFL-210 | Product Manual - Page 283
    address of gatekeeper). 4. Click OK 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323In • Action: Allow • Service: H323-Gatekeeper • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall
  • D-Link DFL-210 | Product Manual - Page 284
    : Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gatekeeper (IP address of the gatekeeper) • Comment: Allow incoming communication with the Gatekeeper 3. Click OK Note: Outgoing calls do not need a specific
  • D-Link DFL-210 | Product Manual - Page 285
    head office DMZ an H.323 Gatekeeper is placed that can handle all H.323 clients in the head-, branch- and remote offices. This will allow the whole corporation to use the network for both voice communication and application sharing. It is assumed that the VPN tunnels are correctly configured and that
  • D-Link DFL-210 | Product Manual - Page 286
    NetDefend Firewall. This firewall should be configured as follows: Web Interface 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: LanToGK • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip
  • D-Link DFL-210 | Product Manual - Page 287
    Rules > Add > IPRule 2. Now enter: • Name: GWToLan • Action: Allow • Service: H323-Gatekeeper • Source Interface: dmz • Destination Interface: lan • Source Network: ip-gateway • Destination Network: lannet • Comment: Allow communication from the Gateway to H.323 phones on lannet 3. Click OK 1. Go to
  • D-Link DFL-210 | Product Manual - Page 288
    should be configured as follows: (this rule should be in both the Branch and Remote Office firewalls). Web Interface 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: ToGK • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: vpn-hq • Source Network
  • D-Link DFL-210 | Product Manual - Page 289
    provide a convenient and simple solution for secure access by clients to servers and avoids many of the complexities of other types of VPN solutions such as using IPsec. Most web browsers support TLS and users can therefore easily have secure server access without requiring additional software. The
  • D-Link DFL-210 | Product Manual - Page 290
    , however, vary and will depend on the comparative processing capabilities of the servers and the NetDefend Firewall. • Decrypted TLS traffic can be subject to other NetDefendOS features such as traffic shaping or looking for server threats with IDP scanning. • TLS can be combined with NetDefendOS
  • D-Link DFL-210 | Product Manual - Page 291
    6.2.10. The TLS ALG Chapter 6. Security Mechanisms 4. Associate the TLS ALG object with the newly created service object. 5. Create a NAT or Allow IP rule for the targeted traffic and associate the custom service object with it. 6. Optionally, a SAT rule can be created to change the destination
  • D-Link DFL-210 | Product Manual - Page 292
    6.3. Web Content Filtering Chapter 6. Security Mechanisms 6.3. Web Content Filtering 6.3.1. Overview Web traffic is one of the biggest sources for security issues and misuse of the Internet. Inappropriate surfing habits can expose a network to many security threats as well as legal and regulatory
  • D-Link DFL-210 | Product Manual - Page 293
    Security pages based on configured lists of URLs which specific web sites, and make the decision as to whether they should be blocked or allowed allows the possibility of manually allowed, taking precedence over Dynamic Content Filtering. Wildcarding Both the URL blacklist and URL whitelist support
  • D-Link DFL-210 | Product Manual - Page 294
    scenario a general surfing policy prevents users from downloading .exe-files. However, the D-Link website provides secure and necessary program files which should be allowed to download. Command-Line Interface Start by adding an HTTP ALG in order to filter HTTP traffic: gw-world:/> add ALG ALG_HTTP
  • D-Link DFL-210 | Product Manual - Page 295
    many different languages and hosted on servers located in many different countries. Dynamic WCF is only available on certain NetDefend models Dynamic WCF is only available on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. WCF Processing Flow When a user of a web browser requests access to
  • D-Link DFL-210 | Product Manual - Page 296
    the URL. Dynamic WCF therefore requires a minimum of administration effort. Note: New URL submissions are done anonymously New, uncategorized URLs sent to the D-Link network are treated as anonymous submissions and no record of the source of new submissions is kept. Categorizing Pages and Not Sites
  • D-Link DFL-210 | Product Manual - Page 297
    , URLs are allowed even though they might be disallowed if the WCF databases were accessible. Example 6.15. Enabling Dynamic Web Content Filtering This example shows how to set up a dynamic content filtering policy for HTTP traffic from intnet to all-nets. The policy will be configured to block all
  • D-Link DFL-210 | Product Manual - Page 298
    OK Finally, modify the NAT rule to use the new service: 1. Go to Rules > IP Rules 2. Select the NAT rule handling your HTTP traffic 3. Select the Service tab 4. Select your new service, http_content_filtering, in the predefined Service list 5. Click OK Dynamic content filtering is now activated for
  • D-Link DFL-210 | Product Manual - Page 299
    6. Security Mechanisms Example service, are described in the previous example. Allowing Override On some occasions, Active Content Filtering may prevent users supports a feature called Allow Override. With this feature enabled, the content filtering component will present a warning to the user
  • D-Link DFL-210 | Product Manual - Page 300
    D-Link's central data warehouse for manual Allow Reclassification control 7. Click OK Then, continue setting up the service object and modifying the NAT rule as we have done in the previous examples. Dynamic content filtering is now activated for all web traffic from lannet to all-nets and the user
  • D-Link DFL-210 | Product Manual - Page 301
    Filtering Chapter 6. Security Mechanisms of each and interviews, as well as staff recruitment and training services. Examples might be: • www.allthejobs.com • www if its content includes advertisement or encouragement of, or facilities allowing for the partaking of any form of gambling; For
  • D-Link DFL-210 | Product Manual - Page 302
    selling and merchandising services. Examples might be: • www.megamall.com • www.buy-alcohol.se Category 7: Entertainment A web site may be classified under the Entertainment category if its content includes any general form of entertainment that is not specifically covered by another category
  • D-Link DFL-210 | Product Manual - Page 303
    Filtering Chapter 6. Security Mechanisms computer game include contents such as brokerage services, online portfolio setup, money management forums or stock if its content includes the description or depiction of, or instruction in, systems of religious beliefs and practice. Examples might be
  • D-Link DFL-210 | Product Manual - Page 304
    Dynamic Web Content Filtering Chapter 6. Security Mechanisms • www.political.com Category 16: Sports A web site may be classified under the Sports category if its content includes information or instructions relating to recreational or professional sports, or reviews on sporting events and sports
  • D-Link DFL-210 | Product Manual - Page 305
    Web Content Filtering Chapter 6. Security Mechanisms Category 21: Health Sites A web site may be classified under the Health Sites category if its content includes health related information or services, including sexuality and sexual health, as well as support groups, hospital and surgical
  • D-Link DFL-210 | Product Manual - Page 306
    Security Mechanisms • highschoolessays.org • www.learn-at-home.com Category 27: Advertising A web site may be classified under the Advertising category if its main focus includes providing advertising related information or services be: • www.the-cocktail-guide.com • www.stiffdrinks.com Category
  • D-Link DFL-210 | Product Manual - Page 307
    Security simple way to download, edit and upload back to NetDefendOS. The original Default object cannot be edited. The User Authentication Rules 11. Select the relevant HTML ALG and click the Agent Options tab 12. Set the HTTP Banners option to be new_forbidden 13. Click OK 14. Go to Configuration
  • D-Link DFL-210 | Product Manual - Page 308
    to download the original default HTML, 2.1.6, "Secure Copy". NetDefend Firewall . HTML Page Parameters The HTML pages contain a number of parameters that can be used as and where it is appropriate. The parameters available are: • %URL% - The URL which was requested • %IPADDR% - The IP address
  • D-Link DFL-210 | Product Manual - Page 309
    on pattern matching against a database of known virus patterns and can determine, with a high degree of certainty, if a virus is in the process of being downloaded to a user behind the NetDefend Firewall. Once a virus is recognized in the contents of a file, the
  • D-Link DFL-210 | Product Manual - Page 310
    is deployed, the deployment can be policy based. IP rules can specify that the ALG and its associated Anti-Virus scanning can apply to traffic going in a given direction and between specific source and destination IP addresses and/or networks. Scheduling can also be applied to virus scanning so
  • D-Link DFL-210 | Product Manual - Page 311
    Link Anti-Virus Service 6.4.4. The Signature Database Chapter 6. Security Mechanisms SafeStream NetDefendOS Anti-Virus scanning is implemented by D-Link dropped. Instead, they will be allowed through and a log message will be as image files in HTTP downloads. NetDefendOS performs MIME content
  • D-Link DFL-210 | Product Manual - Page 312
    Security taken. The Action can be one of: • Allow - The file is allowed through without virus scanning • Scan - Scan the the Anti-Virus databases for both the NetDefend Firewalls in an HA Cluster is performed automatically there is a new update and downloads the required files for the update. 2.
  • D-Link DFL-210 | Product Manual - Page 313
    a virus, the NetDefend Firewall will upload blocking instructions to the local switches and instruct them to block all traffic from the infected host or server. Since ZoneDefense blocking state in the switches is a limited resource, the administrator has the possibility to configure which hosts and
  • D-Link DFL-210 | Product Manual - Page 314
    (called NATHttp in this example) to use the new service: 1. Go to Rules > IP Rules 2. Select the NAT rule handling the traffic between lannet and all-nets 3. Click the Service tab 4. Select your new service, http_anti_virus, in the predefined Service dropdown list 5. Click OK Anti-Virus scanning is
  • D-Link DFL-210 | Product Manual - Page 315
    to protect against these intrusion attempts. It operates by monitoring network traffic as it passes through the NetDefend Firewall, searching for patterns that indicate an intrusion is being attempted. Once detected, NetDefendOS IDP allows steps to be taken to neutralize both the intrusion attempt
  • D-Link DFL-210 | Product Manual - Page 316
    6.5.2. IDP Availability for D-Link Models Chapter 6. Security Mechanisms • Maintenance IDP Maintenance IDP is the base IDP system included as standard with the NetDefend DFL 210, 800, 1600 and 2500. Maintenance IDP is a simplified IDP that gives basic protection against IDP attacks. It is
  • D-Link DFL-210 | Product Manual - Page 317
    Chapter 6. Security Mechanisms A new, updated signature database is downloaded automatically by the NetDefendOS system at a configurable interval. This is done via an HTTP connection to the D-Link server network which delivers the latest signature database updates. If the server's signature database
  • D-Link DFL-210 | Product Manual - Page 318
    IDP to look for intrusions in all traffic, even the packets that are rejected by the IP rule set check for new connections, as well as packets that are not part of an existing connection. This provides the firewall administrator with a way to detect any traffic that appears to be an intrusion. With
  • D-Link DFL-210 | Product Manual - Page 319
    to identify potential attacks when reassembling a TCP/IP stream although such an attack may have been present. This condition is caused by infrequent and unusually complex patterns of data in the stream. Recommended Configuration By default, Insertion/Evasion protection is enabled for all IDP
  • D-Link DFL-210 | Product Manual - Page 320
    on the D-Link website at: http://security.dlink.com.tw Advisories can be found under the "NetDefend IDS" option in the "NetDefend Live" menu. IDP Signature types IDP offers three signature types which offer differing levels of certainty with regard to threats: • Intrusion Protection Signatures (IPS
  • D-Link DFL-210 | Product Manual - Page 321
    Signature Groups Chapter 6. Security Mechanisms least possible number followed by the Sub-Category, since the Type could be any of IDS, IPS or POLICY. Processing Multiple Actions For any IDP rule, it is possible to type of traffic you are trying to protect. For instance, using IDS_WEB*, IPS_WEB
  • D-Link DFL-210 | Product Manual - Page 322
    be appropriate for protecting an HTTP server. IDP traffic scanning creates an additional load on the hardware that in most cases should not noticeably degrade performance. Using too many signatures during scanning can make the load on the firewall hardware unnecessarily high, adversely affecting
  • D-Link DFL-210 | Product Manual - Page 323
    6. Security Mechanisms Example 6.20. Configuring an SMTP Log Receiver In this example, an IDP Rule is configured with Server The following example details the steps needed to set up IDP for a simple scenario where a mail server is exposed to the Internet on the DMZ network with a public IP address
  • D-Link DFL-210 | Product Manual - Page 324
    define where traffic is directed to, in this case the mail server. Destination Network should therefore be set to the object defining the mail server. Command-Line Interface Create an IDP Rule: gw-world:/> add IDPRule Service=smtp SourceInterface=wan SourceNetwork=wannet DestinationInterface=dmz
  • D-Link DFL-210 | Product Manual - Page 325
    Security Mechanisms • Destination Network configured by clicking in the Rule Actions tab when creating an IDP rule and enabling logging. The Severity should be set to All in order to match all SMTP attacks. In summary, the following will occur: If traffic from the external network to the mail server
  • D-Link DFL-210 | Product Manual - Page 326
    last thing any network administrator wants to experience. Attacks can appear out of thin air and the consequences can be devastating with crashed servers, jammed Internet connections and business critical systems in overload. This section deals with using NetDefend Firewalls to protect organizations
  • D-Link DFL-210 | Product Manual - Page 327
    " by default, or if the configuration contains custom Access Rules, the name of the Access rule that dropped the packet. The sender IP address is of put the service in a tight loop that consumes all available CPU time. One such service was the NetBIOS over TCP/IP service on Windows machines
  • D-Link DFL-210 | Product Manual - Page 328
    , being selected as an amplifier network can also consume great resources. In its default configuration, NetDefendOS explicitly drops packets sent to the broadcast address of directly connected networks (configurable via Advanced Settings > IP > DirectedBroadcasts). However, with a reasonable inbound
  • D-Link DFL-210 | Product Manual - Page 329
    . NetDefendOS can protect against TCP SYN Flood attacks if the Syn Flood Protection option is enabled in a service object associated with the rule in the IP rule set that triggers on the traffic. This is also sometimes referred to as the SYN Relay option. Flood protection is enabled automatically in
  • D-Link DFL-210 | Product Manual - Page 330
    6.6.10. Distributed DoS Attacks Chapter 6. Security Mechanisms attacks on victim sites. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims. Although recent DDoS attacks have been launched from both private
  • D-Link DFL-210 | Product Manual - Page 331
    Networks Chapter 6. Security Mechanisms 6.7. Blacklisting Hosts and Networks Overview NetDefendOS implements a Blacklist of host or network IP addresses which can be utilized to protect against traffic coming from specific only this Service By default Blacklisting blocks all services for the
  • D-Link DFL-210 | Product Manual - Page 332
    Blacklisting Hosts and Networks Chapter 6. Security Mechanisms blacklisted, IP address can never be blacklisted. Command-Line Interface gw-world:/> add BlacklistWhiteHost Addresses=white_ip Service=all_tcp Web Interface 1. Go to System > Whitelist > Add > Whitelist host 2. Now select the IP address
  • D-Link DFL-210 | Product Manual - Page 333
    6.7. Blacklisting Hosts and Networks Chapter 6. Security Mechanisms 333
  • D-Link DFL-210 | Product Manual - Page 334
    , which means that they can be applied to specific traffic based on the source/destination network/interface as well as based on the type of protocol. Two types of NetDefendOS IP rules, NAT rules and SAT rules are used to configure address translation. This section describes and provides examples of
  • D-Link DFL-210 | Product Manual - Page 335
    of individual clients and hosts can be "hidden" behind the firewall's IP address. • Only the firewall needs a public IP address for public Internet access. Hosts and networks behind the firewall can be allocated private IP addresses but can still have access to the public Internet through the
  • D-Link DFL-210 | Product Manual - Page 336
    • Specify a Specific IP Address A specific IP address can be specified as the new source IP address. The specified IP address needs to have a matching ARP Publish entry configured for the outbound interface. Otherwise, the return traffic will not be received by the NetDefend Firewall. This technique
  • D-Link DFL-210 | Product Manual - Page 337
    all HTTP traffic originating from the internal network, follow the steps outlined below: Command-Line Interface First, change the current category to be the main IP rule set: gw-world:/> cc IPRuleSet main Now, create the IP rule: gw-world:/main> add IPRule Action=NAT Service=http SourceInterface=lan
  • D-Link DFL-210 | Product Manual - Page 338
    had their sender addresses translated to the same IP. Some protocols, regardless of the method of transportation used, can cause problems during address translation. Anonymizing Internet Traffic with NAT A useful application of the NAT feature in NetDefendOS is for anonymizing service providers to
  • D-Link DFL-210 | Product Manual - Page 339
    the public Internet so that the client's public IP address is not present in any server access requests or peer to peer traffic. We shall examine the typical case where the NetDefend Firewall acts as a PPTP server and terminates the PPTP tunnel for PPTP clients. Clients that wish to be anonymous
  • D-Link DFL-210 | Product Manual - Page 340
    Internet through a proxy-server. The port number limitation is overcome by allocating extra external IP addresses for Internet access and the state table tracks all the connections for a single host behind the NetDefend Firewall no matter which external host the connection concerns. If Max States is
  • D-Link DFL-210 | Product Manual - Page 341
    of IP addresses automatically through DHCP and can therefore supply external IP addresses automatically to a NAT Pool. See Section 5.4, "IP Pools" for more details about this topic. Proxy ARP Usage Where an external router sends ARP queries to the NetDefend Firewall to resolve external IP addresses
  • D-Link DFL-210 | Product Manual - Page 342
    traffic on the wan interface. Web Interface A. First create an object in the address book for the address range: 1. Go to Objects > Address Book > Add > IP address 2. Specify a suitable name for the IP range nat_pool_range 3. Enter 10.6.13.10-10.16.13.15 in the IP Address textbox (a network such
  • D-Link DFL-210 | Product Manual - Page 343
    these servers in the DMZ, we are creating a distinct separation from the more sensitive local, internal networks. This allows NetDefendOS to better control what traffic flows between the DMZ and internal networks and to better isolate any security breaches that might occur in DMZ servers. 343
  • D-Link DFL-210 | Product Manual - Page 344
    between the public Internet and servers in the DMZ, and between the DMZ and local clients on a network called LAN. Figure 7.4. The Role of the DMZ Note: The DMZ port could be any port On all models of D-Link NetDefend hardware, there is a specific Ethernet port which is marked as being
  • D-Link DFL-210 | Product Manual - Page 345
    core Dest Net wan_ip wan_ip Parameters http SETDEST 10.10.10.5 80 http These two rules allow us to access the web server via the NetDefend Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection
  • D-Link DFL-210 | Product Manual - Page 346
    a DMZ. However, due to its simplicity, we have chosen to use this model in our example. In order for external users to access the web server, they must be able to contact it using a public address. In this example, we have chosen to translate port 80 on the NetDefend Firewall's external address to
  • D-Link DFL-210 | Product Manual - Page 347
    for traffic from the internal network. In order to illustrate exactly what happens, we use the following IP addresses: • wan_ip (195.55.66.77): a public IP address • lan_ip (10.0.0.1): the NetDefend Firewall's private internal IP address • wwwsrv (10.0.0.2): the web server's private IP address • PC1
  • D-Link DFL-210 | Product Manual - Page 348
    accessible using a unique public IP address. Example 7.5. Translating Traffic to Multiple Protected Web Servers In this example, we will create a SAT policy that will translate and allow connections from the Internet to five web servers located in a DMZ. The NetDefend Firewall is connected to the
  • D-Link DFL-210 | Product Manual - Page 349
    world:/main> add IPRule Action=Allow Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=wan DestinationNetwork=wwwsrv_pub Web Interface Create an address object for the public IP address: 1. Go to Objects > Address Book > Add > IP address 2. Specify a suitable name for the
  • D-Link DFL-210 | Product Manual - Page 350
    Now enter: • Action: Allow • Service: http • Source Interface: any • Source Network: all-nets • Destination Interface: wan • Destination Network: wwwsrv_pub 4. Click OK 7.4.3. All-to-One Mappings (N:1) NetDefendOS can be used to translate ranges and/or groups into just one IP address. # Action Src
  • D-Link DFL-210 | Product Manual - Page 351
    to communicate with the web server's public address - port 84, will result in a connection to the web server's private address - port 1084. Note: A custom service is needed for port translation In order to create a SAT rule that allows port translation, a Custom Service object must be used with
  • D-Link DFL-210 | Product Manual - Page 352
    , although return traffic must be explicitly granted and translated. The following rules make up a working example of static address translation using FwdFast rules to a web server located on an internal network: # Action Src Iface 1 SAT any 2 SAT lan 3 FwdFast any 4 FwdFast lan Src Net
  • D-Link DFL-210 | Product Manual - Page 353
    rules 1 and 4, and will be sent to wwwsrv. The sender address will be the NetDefend Firewall's internal IP address, guaranteeing that return traffic passes through the NetDefend Firewall. • Return traffic will automatically be handled by the NetDefend Firewall's stateful inspection mechanism. 353
  • D-Link DFL-210 | Product Manual - Page 354
    7.4.7. SAT and FwdFast Rules Chapter 7. Address Translation 354
  • D-Link DFL-210 | Product Manual - Page 355
    Use of Username/Password Combinations This chapter deals specifically with user authentication performed with username/password combinations that are manually entered by a user attempting to gain access to resources. Access to the external public Internet through a NetDefend Firewall by internal
  • D-Link DFL-210 | Product Manual - Page 356
    8.1. Overview To remain secure, passwords should also: • Not be recorded anywhere in written form. • Never be revealed to anyone else. • Be changed on a regular basis such as every three months. Chapter 8. User Authentication 356
  • D-Link DFL-210 | Product Manual - Page 357
    i. The local user database internal to NetDefendOS. ii. A RADIUS server which is external to the NetDefend Firewall. iii. An LDAP Server which is also external to the NetDefend Firewall. • Define an Authentication Rule which describes which traffic passing through the firewall is to
  • D-Link DFL-210 | Product Manual - Page 358
    allowed to view the configuration and cannot change it. PPTP/L2TP Configuration If a client is connecting to the NetDefend Firewall using PPTP/L2TP then the following three options can also be specified for the local NetDefendOS user database: • Static Client IP Address This is the IP address
  • D-Link DFL-210 | Product Manual - Page 359
    to transfer username/password requests between client and RADIUS server, as well as using PPP authentication schemes such as PAP and CHAP. RADIUS messages are sent as UDP messages via UDP port 1812. Support for Groups RADIUS authentication supports the specification of groups for a user. This means
  • D-Link DFL-210 | Product Manual - Page 360
    number of issues that can cause problems: • LDAP servers differ in their implementation. NetDefendOS provides a flexible way of configuring an LDAP server and some configuration options may have to be changed depending on the LDAP server software. • Authentication of PPTP or L2TP clients may require
  • D-Link DFL-210 | Product Manual - Page 361
    and not the LDAP server. • IP Address The IP address of the LDAP server. • Port The port number on the LDAP server which will receive the client request which is sent using TCP/IP. This port is by default 389. • Timeout This is the timeout length for LDAP server user authentication attempts in
  • D-Link DFL-210 | Product Manual - Page 362
    's IP address into a route. The default is the main routing table. Database Settings The Database Settings are as follows: • Base Object Defines where in the LDAP server tree search for user accounts shall begin. The users defined on an LDAP server database are organized into a tree structure. The
  • D-Link DFL-210 | Product Manual - Page 363
    name when performing a bind request. Optional Settings There is one optional setting: • Password Attribute The password attribute specifies the ID of the tuple on the LDAP server that contains the user's password. The default ID is userPassword. This option should be left empty unless the LDAP
  • D-Link DFL-210 | Product Manual - Page 364
    LDAP server access for user authentication: password. LDAP Authentication CLI Commands The CLI objects that correspond to LDAP servers used for authentication are called LDAPDatabase objects (LDAP servers used for certificate lookup are known as LDAPServer objects in the CLI). A specific LDAP server
  • D-Link DFL-210 | Product Manual - Page 365
    the user's password will be sent to NetDefendOS by the client. NetDefendOS cannot just forward this digest to the LDAP server that will contain the password when it's sent back. This ID must be different from the default password attribute (which is usually userPassword for most LDAP servers
  • D-Link DFL-210 | Product Manual - Page 366
    User Authentication Figure 8.2. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 Important: The link to the LDAP server must be protected Since the LDAP server is sending back passwords in plain text to NetDefendOS, the link between the NetDefend Firewall and the server must be protected. A VPN link
  • D-Link DFL-210 | Product Manual - Page 367
    . XAuth is an extension to the normal IKE exchange and provides an addition to normal IPsec security which means that clients accessing a VPN must provide a login username and password. It should be noted that an interface value is not entered with an XAuth authentication rule since one single rule
  • D-Link DFL-210 | Product Manual - Page 368
    on this interface, coming from this network and data which is one of the following types: • HTTP traffic • HTTPS traffic • IPsec tunnel traffic • L2TP tunnel traffic • PPTP tunnel traffic 3. If no rule matches, the connection is allowed, provided the IP rule set permits it, and nothing further
  • D-Link DFL-210 | Product Manual - Page 369
    to set up the rules in the IP rule set as shown below: # Action Src Interface Src Network Dest Interface Dest Network Service 1 Allow lan trusted_net int important_net All 2 Allow lan untrusted_net dmz regular_net All If we wanted to allow the trusted group users to also be able to
  • D-Link DFL-210 | Product Manual - Page 370
    http-all 3 NAT lan lannet wan all-nets dns-all The first rule allows the authentication process to take place and assumes the client is trying to access the lan_ip IP address, which is the IP address of the interface on the NetDefend Firewall where the local network connects. The second
  • D-Link DFL-210 | Product Manual - Page 371
    and the authentication address object lannet_users have been defined. Web Interface A. Set up an IP rule to allow authentication. 1. Go to Rules > IP Rules > Add > IP rule 2. Now enter: • Name: http2fw • Action: Allow • Service: HTTP • Source Interface: lan • Source Network: lannet • Destination
  • D-Link DFL-210 | Product Manual - Page 372
    users to browse the Web. 1. Go to Rules > IP Rules > Add > IP rule 2. Now enter: • Name: Allow_http_auth • Action: NAT • Service: HTTP • Source Interface: lan • Source Network: lannet_users • Destination Interface: any • Destination Network: all-nets 3. Click OK Example 8.3. Configuring a RADIUS Server
  • D-Link DFL-210 | Product Manual - Page 373
    Customizing HTML Pages User Authentication makes use of a set of HTML files to present information to the user during the authentication process default at startup. They can be customized to suit a particular installation's needs either through by direct editing in Web Interface or by downloading
  • D-Link DFL-210 | Product Manual - Page 374
    Chapter 8. User Authentication • %IPADDR% - The IP address which is being as the HTML Banner 12. Click OK 13. Go to Configuration > Save & Activate to activate the new file Tip: HTML are: 1. Since SCP cannot be used to download the original default HTML, the source code must be first copied from
  • D-Link DFL-210 | Product Manual - Page 375
    Default user authentication rule should now be set to use the ua_html. If the rule is called my_auth_rule, the command would be: set UserAuthRule my_auth_rule HTTPBanners=ua_html 5. As usual, use the activate followed by the commit CLI commands to activate the changes on the NetDefend Firewall
  • D-Link DFL-210 | Product Manual - Page 376
    8.3. Customizing HTML Pages Chapter 8. User Authentication 376
  • D-Link DFL-210 | Product Manual - Page 377
    the Virtual Private Network (VPN) functionality in NetDefendOS. • Overview, page 377 • VPN Quick Start, page 381 • IPsec Components, page 391 • IPsec Tunnels, page 406 • PPTP/L2TP, page 425 • CA Server Access, page 434 • VPN Troubleshooting, page 437 9.1. Overview 9.1.1. VPN Usage The Internet
  • D-Link DFL-210 | Product Manual - Page 378
    to LAN connection - Where many remote clients need to connect to an internal network over the Internet. In this case, the internal network is protected by the NetDefend Firewall to which the client connects and the VPN tunnel is set up between them. 9.1.2. VPN Encryption Encryption of VPN traffic
  • D-Link DFL-210 | Product Manual - Page 379
    DMZs for services that need to be shared with other companies through VPNs. • Adapting VPN access policies for different groups of users. • Creating key distribution policies. Endpoint Security A common misconception is that VPN-connections are equivalents to the internal network from a security
  • D-Link DFL-210 | Product Manual - Page 380
    9.1.5. The TLS Alternative for VPN "The TLS ALG". Chapter 9. VPN 380
  • D-Link DFL-210 | Product Manual - Page 381
    manually, the tunnel is treated exactly like a physical interface in the route properties, as it is in other aspects of NetDefendOS. In other words, the route is saying to NetDefendOS that a certain network is found at the other end of the tunnel. • Define an IP Rule to Allow VPN Traffic An IP
  • D-Link DFL-210 | Product Manual - Page 382
    this object remote_net). • The local network behind the NetDefend Firewall which will communicate across the tunnel. Here we will assume that this is the predefined address lannet and this network is attached to the NetDefendOS lan interface. 4. Create an IPsec Tunnel object (let's call this object
  • D-Link DFL-210 | Product Manual - Page 383
    9.2.2. IPsec LAN to LAN with Certificates Chapter 9. VPN Action Allow Src Interface ipsec_tunnel Src Network remote_net Dest Interface lan Dest Network lannet Service All The Service used in these rules is All but it could be a predefined service. 6. Define a new NetDefendOS Route which
  • D-Link DFL-210 | Product Manual - Page 384
    been pre-allocated to the roaming clients before they connect. The client's IP address will be manually input into the VPN client software. 1. Set up user authentication. XAuth user authentication is not required with IPsec roaming clients but is recommended (this step could initially be left out
  • D-Link DFL-210 | Product Manual - Page 385
    all-nets Dest Interface lan Dest Network lannet Service All Once an Allow rule permits the connection to be set up, bidirectional traffic flow is allowed which is why only one rule is used here. Instead of all-nets being used in the above, a more secure defined IP object could be used which
  • D-Link DFL-210 | Product Manual - Page 386
    to be correctly configured. The client configuration will require the following: with as well as the pre-shared key. • Define the URL or IP address of the NetDefend Firewall. The client needs to locate the tunnel endpoint. • Define the pre-shared key that is used for IPsec security. • Define the
  • D-Link DFL-210 | Product Manual - Page 387
the destination network, as is the case here, the advanced setting option Add route for remote network must also be disabled. This setting is enabled by default. 5. Define a PPTP/L2TP Server object (let's call this object l2tp_tunnel) with the following parameters: • Set Inner IP Address to ip_int
  • D-Link DFL-210 | Product Manual - Page 388
    l2tp_pool Dest Interface any ext Dest Network int_net all-nets Service All All The second rule would be included to allow clients to surf the Internet via the ext interface on the NetDefend Firewall. The client will be allocated a private internal IP address which must be NATed if connections
  • D-Link DFL-210 | Product Manual - Page 389
    connection to the NetDefend Firewall. If NATing is tried then only the first client that tries to connect will succeed. The steps for PPTP setup are as follows: 1. In the Address Book define the following IP objects: • A pptp_pool IP object which is the range of internal IP addresses that will be
  • D-Link DFL-210 | Product Manual - Page 390
    IP rules in the IP rule set: Action Allow NAT Src Interface pptp_tunnel pptp_tunnel Src Network pptp_pool pptp_pool Dest Interface any ext Dest Network int_net all-nets Service All All As described for L2TP, the NAT rule lets the clients access the public Internet via the NetDefend Firewall
  • D-Link DFL-210 | Product Manual - Page 391
    network layer. An IPsec based VPN is made up of two parts: • Internet Key Exchange protocol (IKE) • IPsec protocols (AH/ESP/both) The first part, IKE, is the initial negotiation phase, where the two VPN endpoints agree on which methods will be used to provide security for the underlying IP traffic
  • D-Link DFL-210 | Product Manual - Page 392
VPN An SA is unidirectional and relates to traffic flow in one direction only. For the bidirectional traffic that is usually found in a VPN allows for the IPsec IPsec data flows. The VPN device initiating an IPsec connection will send a list of the algorithm combinations it supports Security Negotiation
  • D-Link DFL-210 | Product Manual - Page 393
    importance that both endpoints are able to agree on all of these parameters. With two NetDefend Firewalls as VPN endpoints, the matching process is greatly simplified since the default NetDefendOS configuration parameters will be the same at either end. However, it may not be as straightforward
  • D-Link DFL-210 | Product Manual - Page 394
    to another. In transport mode, the traffic will not be tunneled, and is hence not applicable to VPN tunnels. It can be used to secure a connection from a VPN client directly to the NetDefend Firewall, for example for IPsec protected remote configuration. This setting will typically be set to
  • D-Link DFL-210 | Product Manual - Page 395
    older VPN implementations. The use of DES should be avoided whenever possible, since it is an older algorithm that is no longer considered to be sufficiently secure. This specifies the authentication algorithms used in the IKE negotiation phase. The algorithms supported by NetDefendOS IPsec are
  • D-Link DFL-210 | Product Manual - Page 396
    Groups. The encryption algorithm that will be used on the protected IPsec traffic. This is not needed when AH is used, or when ESP is used without encryption. The algorithms supported by NetDefend Firewall VPNs are: • AES • Blowfish • Twofish • Cast128 • 3DES • DES This specifies the authentication
  • D-Link DFL-210 | Product Manual - Page 397
. The DH groups supported by NetDefendOS are as follows: • DH group 1 (768-bit) • DH group 2 (1024-bit) • DH group 5 (1536-bit) All these DH groups are available for use with IKE, IPsec and PFS. 9.3.3. IKE Authentication Manual Keying The "simplest" way of configuring a VPN is by using a method
  • D-Link DFL-210 | Product Manual - Page 398
    all VPN clients and firewalls dependent on third parties. In other words, there are more aspects that have to be configured, and there is more that can go wrong. 9.3.4. IPsec Protocols (ESP/AH) The IPsec protocols are the protocols used to protect the actual traffic being passed through the VPN. The
  • D-Link DFL-210 | Product Manual - Page 399
    ESP protocol is used for both encryption and authentication of the IP packet. It can also be used to do either encryption only, or authentication only. Figure 9.2. The ESP protocol 9.3.5. NAT Traversal Both IKE and IPsec protocols present a problem in the functioning of NAT. Both protocols were not
  • D-Link DFL-210 | Product Manual - Page 400
    end of the tunnel that it understands NAT traversal, and which specific versions of the draft it supports. Achieving NAT Detection To achieve NAT detection both IPsec peers send hashes of their own IP addresses along with the source UDP port used in the IKE negotiations. This information is used to
  • D-Link DFL-210 | Product Manual - Page 401
lists are used during IKE Phase-1 (IKE Security Negotiation), while IPsec lists are used during IKE Phase-2 (IPsec Security Negotiation). Several algorithm proposal lists are already defined by default in NetDefendOS for different VPN scenarios and user defined lists can be added. Two IKE algorithm
  • D-Link DFL-210 | Product Manual - Page 402
    the CLI Reference Guide). Beware of Non this can sometimes cause problems when setting up a specific IPsec tunnel object. Command-Line Interface First create a Pre-shared Key. To generate the key automatically with a 64 bit (the default) key, use: gw-world:/> pskgen MyPSK To have a longer, more secure
  • D-Link DFL-210 | Product Manual - Page 403
to different parts of the internal networks. For example, members of the sales force need access to servers running the order system, while technical engineers need access to technical databases. The Problem Since the IP addresses of the travelling employees' VPN clients cannot be known beforehand
  • D-Link DFL-210 | Product Manual - Page 404
    JohnDoe 4. Select Distinguished name in the Type control 5. Now enter: • Common Name: John Doe • Organization Name: D-Link • Organizational Unit: Support • Country: Sweden • Email Address: [email protected] 6. Click OK Finally, apply the Identification List to the IPsec tunnel: 1. Go to Interfaces
  • D-Link DFL-210 | Product Manual - Page 405
    9.3.8. Identification Lists Chapter 9. VPN 2. Select the IPsec tunnel object of interest 3. Under the Authentication tab, choose X.509 Certificate 4. Select the appropriate certificate in the Root Certificate(s) and Gateway Certificate controls 5. Select MyIDList
  • D-Link DFL-210 | Product Manual - Page 406
    , traffic shaping and configuration capabilities as regular interfaces. Remote Initiation of Tunnel Establishment When another NetDefend Firewall or another IPsec compliant networking product (also known as the remote endpoint) tries to establish an IPsec VPN tunnel to a local NetDefend Firewall
  • D-Link DFL-210 | Product Manual - Page 407
    ping messages are not received then the tunnel link is assumed to be broken and an attempt is automatically made to re-establish the tunnel. This feature is only useful for LAN to LAN tunnels. Optionally, a specific source IP address and/or a destination IP address for the pings can be specified. It
  • D-Link DFL-210 | Product Manual - Page 408
    at one location to the VPN gateway at another location. The NetDefend Firewall is therefore the implementer of the VPN, while at the same time applying normal security surveillance of traffic passing through the tunnel. This section deals specifically with setting up LAN to LAN tunnels created with
  • D-Link DFL-210 | Product Manual - Page 409
    PSK based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip. Web
  • D-Link DFL-210 | Product Manual - Page 410
    ID List that you want to associate with your VPN Tunnel. In our case that will be sales 5. Under the Routing tab: • Enable the option: Dynamically add route to the remote network when a tunnel is established. 6. Click OK E. Finally configure the IP rule set to allow traffic inside the tunnel. 410
  • D-Link DFL-210 | Product Manual - Page 411
    Certificate Services). For more information on CA server issued certificates see Section 3.7, "Certificates". Example 9.6. Setting up CA Server Certificate based VPN tunnels for roaming clients This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming
  • D-Link DFL-210 | Product Manual - Page 412
    configure the IP rule set to allow traffic inside the tunnel. Using Config Mode IKE Configuration Mode (Config Mode) is an extension to IKE that allows NetDefendOS to provide LAN configuration information to remote VPN clients. It is used to dynamically configure IPsec clients with IP addresses
  • D-Link DFL-210 | Product Manual - Page 413
    . The default value for this setting is Disabled. 9.4.4. Fetching CRLs from an alternate LDAP server A Root Certificate usually includes the IP address or hostname of the Certificate Authority to contact when certificates or CRLs need to be downloaded to the NetDefend Firewall. Lightweight
  • D-Link DFL-210 | Product Manual - Page 414
    Server 2. Now enter: • IP Address: 192.168.101.146 • Username: myusername • Password: mypassword • Confirm Password: mypassword • Port: 389 3. Click OK 9.4.5. Troubleshooting with ikesnoop VPN Tunnel Negotiation When setting up IPsec tunnels, problems Reference Guide. The Client and the Server The
  • D-Link DFL-210 | Product Manual - Page 415
    Troubleshooting with ikesnoop negotiation and the server refers to the device which is the responder. Chapter 9. VPN Step 1. Client Initiates Exchange by Sending a Supported :8 Payloads: SA (Security Association) Payload data length : 152 bytes DOI : 1 (IPsec DOI) Proposal 1/1 Protocol
  • D-Link DFL-210 | Product Manual - Page 416
    type: Seconds or kilobytes Life duration: No of seconds or kilobytes VID: The IPsec software vendor plus what standards are supported. For example, NAT-T Step 2. Server Responds to Client A typical response from the server is shown below. This must contain a proposal that is identical to one of
  • D-Link DFL-210 | Product Manual - Page 417
9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN SA (Security Association) Payload data length : 52 bytes DOI : 1 (IPsec DOI) Proposal 9d 92 15 52 9d 56 Description : draft-ietf-ipsec-nat-t-ike-03 Step 3. Client Begins Key Exchange The server has accepted a proposal at this point and the
  • D-Link DFL-210 | Product Manual - Page 418
    Troubleshooting with ikesnoop NAT-D (NAT Detection) Payload data length : 16 bytes Chapter 9. VPN Step 4. Server Sends Key Exchange Data The Server Identification The initiator sends the identification which is normally an IP address or the Subject Alternative Name if certificates are used.
  • D-Link DFL-210 | Product Manual - Page 419
    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Step 6. Server ID Response The server now responds with its own ID. IkeSnoop: Supported IPsec Algorithms Now the client sends the list of supported IPsec algorithms to the server. It will also contain the proposed host/networks that are allowed
  • D-Link DFL-210 | Product Manual - Page 420
    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Key length : 128 Authentication algorithm : HMAC-MD5 network. If it contains any netmask it is usually SA per net and otherwise it is SA per host. Step 8. Client Sends a List of Supported Algorithms The server now responds with a matching IPsec
  • D-Link DFL-210 | Product Manual - Page 421
    Client Confirms Tunnel Setup This last message is a message from the client saying that the tunnel is up and running. All client/server exchanges have been configuring IPsec tunnels. IPsec Max Rules This specifies the total number of IP rules that can be connected to IPsec tunnels. By default
  • D-Link DFL-210 | Product Manual - Page 422
    Rules Pass IKE and IPsec (ESP/AH) traffic sent to NetDefendOS directly to the IPsec engine without consulting the rule set. Default: Enabled IKE CRL Validity Time A CRL contains a "next update" field that dictates the time and date when a new CRL will be available for download from the CA. The
  • D-Link DFL-210 | Product Manual - Page 423
    IPsec Advanced Settings Chapter 9. VPN IPsec Cert Cache Max Certs Maximum number of certificates/CRLs that can be held in the internal certificate cache. When the certificate cache is full, entries will be removed according to an LRU (Least Recently Used) algorithm. Default: 1024 IPsec traffic or
  • D-Link DFL-210 | Product Manual - Page 424
    9.4.6. IPsec Advanced Settings Chapter 9. VPN In other words, this is the length of time in seconds for which DPD-R-U-THERE messages will be sent. If the other to be dead (not reachable). The SA will then be placed in the dead cache. This setting is used with IKEv1 only. Default: 15 seconds 424
  • D-Link DFL-210 | Product Manual - Page 425
    the PPP protocol and then establishes a TCP/IP connection across the Internet to the NetDefend Firewall, which acts as the PPTP server (TCP port 1723 is used). The ISP is not aware of the VPN since the tunnel extends from the PPTP server to the client. The PPTP standard does not define how data is
  • D-Link DFL-210 | Product Manual - Page 426
    9.5.2. L2TP Servers Chapter 9. VPN TCP port 1723 and/or IP protocol 47 before the PPTP connection can be made to the NetDefend Firewall. Examining the log can indicate if this problem occurred, with a log message of the following form appearing: Error PPP lcp_negotiation_stalled ppp_terminated
  • D-Link DFL-210 | Product Manual - Page 427
    select L2TP_Pool in the IP Pool control. 5. Under the Add Route tab, select all_nets in the Allowed Networks control. 6. Click OK Use User Authentication Rules is enabled as default. To be able to authenticate the users using the PPTP tunnel you also need to configure authentication rules, which is
  • D-Link DFL-210 | Product Manual - Page 428
controls: • Allow DHCP over IPsec from single-host clients • Dynamically add route to the remote network when a tunnel is established 9. Click OK Now it is time to set up the L2TP Server. The inner IP address should be a part of the network which the clients are assigned IP addresses from, in
  • D-Link DFL-210 | Product Manual - Page 429
    l2tp_pool in the IP Pool control 6. Under the Add Route tab, select all-nets in the Allowed Networks control 7. In the ProxyARP control, select the lan interface 8. Click OK In order to authenticate the users using the L2TP tunnel, a user authentication rule needs to be configured. D. Next will be
  • D-Link DFL-210 | Product Manual - Page 430
    IP Rules > Add > IPRule 6. Enter a name for the rule, for example NATL2TP 7. Now enter: • Action: NAT • Service: all_services • Source Interface: l2tp_tunnel • Source Network: l2tp_pool • Destination Interface: any • Destination Network: all-nets 8. Click OK Chapter 9. VPN 9.5.3. L2TP/PPTP Server
  • D-Link DFL-210 | Product Manual - Page 431
    PPTP/L2TP Clients Chapter 9. VPN Pass L2TP traffic sent to the NetDefend Firewall directly to the L2TP Server without consulting the rule set. Default: Enabled PPTP Before Rules Pass PPTP traffic sent to the NetDefend Firewall directly to the PPTP Server without consulting the rule set. Default
  • D-Link DFL-210 | Product Manual - Page 432
    this, is for the NetDefend Firewall to act as a PPTP client when it connects to the PPTP server. To summarize the setup: • A PPTP tunnel is defined between NetDefendOS and the server. • A route is added to the routing table in NetDefendOS which specifies that traffic for the server should be routed
  • D-Link DFL-210 | Product Manual - Page 433
    9.5.4. PPTP/L2TP Clients Chapter 9. VPN Figure 9.3. PPTP Client Usage 433
  • D-Link DFL-210 | Product Manual - Page 434
    In this case the following must be done: a. A private DNS server must be configured so that NetDefendOS can locate the private CA server to validate the certificates coming from clients. b. The external IP address of the NetDefend Firewall needs to be registered in the public DNS system so that the
  • D-Link DFL-210 | Product Manual - Page 435
    , the appropriate rules in the NetDefendOS IP rule set need to be defined to allow this traffic through. Figure 9.4. Certificate Validation Components CA Server Access by Clients In a VPN tunnel with roaming clients connecting to the NetDefend Firewall, the VPN client software may need to access
  • D-Link DFL-210 | Product Manual - Page 436
    NetDefend Firewall and the CA server is on the internal side of the firewall then the IP address of the internal DNS server must be configured in NetDefendOS so that these requests can be resolved. Turning Off FQDN Resolution As explained in the troubleshooting section below, identifying problems
  • D-Link DFL-210 | Product Manual - Page 437
    Pinging the internal IP address of the local network interface on the NetDefend Firewall from a client (in LAN to LAN setups pinging could be done in any direction). If NetDefendOS is to respond to a Ping then the following rule must exist in the IP rule set: Action Allow Src Interface vpn_tunnel
  • D-Link DFL-210 | Product Manual - Page 438
    certificates. The NetDefend Firewall's time zone may not be the same as the CA server's time zone server access could be the problem. CA Server issues are discussed further in Section 9.6, "CA Server Access". 9.7.3. IPsec Troubleshooting Commands A number of commands can be used to diagnose IPsec
  • D-Link DFL-210 | Product Manual - Page 439
    tunnel. If the management interface is not reached by the VPN tunnel then the administrator needs to create a specific route that routes management interface traffic leaving the NetDefend Firewall back to the management sub-network. When any VPN tunnel is defined, an all-nets route is automatically
  • D-Link DFL-210 | Product Manual - Page 440
9.7.5. Specific Error Messages Chapter 9. VPN 1. Could not find acceptable proposal / no proposal chosen This is the most common IPsec related error message. It means that depending on which side initiates tunnel setup, the negotiations in either the IKE or the IPsec phase of setup failed since
  • D-Link DFL-210 | Product Manual - Page 441
    what the problem could be. A good suggestion before you start to troubleshoot certificate based tunnels is to first configure it as server or the NetDefend Firewall or they are in different time zones. • The NetDefend Firewall is unable to reach the Certificate Revocation List (CRL) on the CA server
  • D-Link DFL-210 | Product Manual - Page 442
    one side This is a common problem and is due to a mismatch of the size in local or remote network and/or the lifetime settings on the proposal list(s). To troubleshoot this you need to examine the settings for the local network, remote network, IKE proposal list and IPsec proposal list on both sides
  • D-Link DFL-210 | Product Manual - Page 443
    9.7.6. Specific Symptoms Chapter 9. VPN 443
  • D-Link DFL-210 | Product Manual - Page 444
    traffic. If the users cannot be relied upon then the network equipment must make the decisions concerning priorities and bandwidth allocation. NetDefendOS provides QoS control by allowing the administrator to apply limits and guarantees to the network traffic passing through the NetDefend Firewall
  • D-Link DFL-210 | Product Manual - Page 445
    an IP rule with a service object that uses the SIP ALG cannot be also subject to traffic shaping. 10.1.2. Traffic Shaping in NetDefendOS NetDefendOS offers extensive traffic shaping capabilities for the packets passing through the NetDefend Firewall. Different rate limits and traffic guarantees
  • D-Link DFL-210 | Product Manual - Page 446
    destination interface/network as well as the service to which the rule is to apply. Once a new connection is permitted by the IP rule These lists are: • The Forward Chain These are the pipe or pipes that will be used for outgoing (leaving) traffic from the NetDefend Firewall. One, none or a series
  • D-Link DFL-210 | Product Manual - Page 447
    tracking of connections. FwdFast IP rules do not set up a connection in the state engine. Instead, packets are considered not to be part of a connection and are forwarded individually to their destination, bypassing the state engine. Figure 10.2. FwdFast Rules Bypass Traffic Shaping 10.1.3. Simple
  • D-Link DFL-210 | Product Manual - Page 448
    Service: all_services • Source Interface: lan • Source Network: lannet • Destination Interface: wan • Destination Network: all-nets 4. Under the Traffic Shaping tab, make std-in selected in the Return Chain control 5. Click OK This setup limits all traffic inbound traffic is allowed by NetDefendOS
  • D-Link DFL-210 | Product Manual - Page 449
    goes through the setup for this. Example 10.2. Limiting Bandwidth in Both Directions Create a second pipe for outbound traffic: Command-Line Interface the previous example and choose Edit 3. Under the Traffic Shaping tab, select std-out in the Forward Chain list 4. Click OK This results in all
  • D-Link DFL-210 | Product Manual - Page 450
    but it may also mean much slower speed if the connection is flooded. Setting up pipes in this way only puts limits on the maximum values for certain traffic types. It does not give priorities to different types of competing traffic. 10.1.6. Precedences The Default Precedence is Zero All packets that
  • D-Link DFL-210 | Product Manual - Page 451
    as a separate traffic queue; traffic in precedence 2 will be forwarded before traffic in precedence 0, precedence 4 forwarded before 2. the Type of Service (ToS) bits are included in the IP packet header. Specifying Precedences Within Pipes When a pipe is configured, a Default Precedence, a Minimum
  • D-Link DFL-210 | Product Manual - Page 452
    Traffic Management • Default Precedence: 0 • Maximum Precedence: 7 As described above, the Default Tip: Specifying bandwidth Remember that when specifying network traffic bandwidths, the prefix Kilo means 1000 and processed on a "first come, first forwarded" basis. Packets with a higher precedence
  • D-Link DFL-210 | Product Manual - Page 453
    priority on packets related to these services and these packets are sent through the same pipe as other traffic. The pipe then makes sure that these higher priority packets are sent first when the total bandwidth limit specified in the pipe's configuration is exceeded. Lower priority packets will
  • D-Link DFL-210 | Product Manual - Page 454
    , respectively: Keep the forward chain of both rules as std-out only. Again, to simplify this example, we concentrate only on inbound traffic, which is the direction that is the most likely to be the first one to fill up in client-oriented setups. Set the return chain of the port 22 rule to
  • D-Link DFL-210 | Product Manual - Page 455
    precedence of all SSH and Telnet traffic by changing the default precedence of the ssh-in IP address. For example, port 1024 of host computer A is not the same as port 1024 of host computer B. It is the combination of port and IP address that identifies a unique user in a group. Grouping by Networks
  • D-Link DFL-210 | Product Manual - Page 456
    user within the grouping. For example, if the grouping is by source IP address and the total specified is 100 Kbps then this is saying that no one IP address particular users. For example, if grouping is by source IP then different pipe rules will trigger on different IPs and send the traffic into
  • D-Link DFL-210 | Product Manual - Page 457
    Bandwidth is now allocated on a "first come, first forwarded" basis but no single destination IP address can ever take more than 100 bps. No matter how for the same precedence is a limit. For example, if traffic is being grouped by source IP and the Group Limits precedence 5 value is 5 Kbps and
  • D-Link DFL-210 | Product Manual - Page 458
    user on the internal network. Since the packets are inbound, we select the grouping for the ssh-in pipe to be Destination IP. Now specify per-user limits by setting the precedence 2 limit to 16 kbps per user. This means that each user will get no more than a 16 kbps guarantee for their SSH traffic
  • D-Link DFL-210 | Product Manual - Page 459
    the same connection. Troubleshooting For a better understanding of what is happening in a live setup, the console command: gw-world:/> pipe -u can be used to display a list of currently active users in each pipe. 10.1.9. A Summary of Traffic Shaping NetDefendOS traffic shaping provides
  • D-Link DFL-210 | Product Manual - Page 460
    precedence all packets are treated on a "first come, first forwarded" basis. • Within a pipe, traffic can also be separated on a Group basis. For example, by source IP address. Each user in a group (for example, each source IP address) can be given a maximum limit and precedences within a group
  • D-Link DFL-210 | Product Manual - Page 461
    through the pipes. Rule Name all_1mbps Forward Pipes out-pipe Return Pipes in-pipe Source Interface lan Source Network lannet Destination Destination Interface Network wan all-nets Selected Service all The rule will force all traffic to the default precedence level and the pipes will limit
  • D-Link DFL-210 | Product Manual - Page 462
    . The pipe chaining can be used as a solution to the problem of VPN overhead. A limit which allows for this overhead is placed on the VPN tunnel traffic and non-VPN traffic is inserted into a pipe that matches the speed of the physical link. To do this we first create separate pipes for the outgoing
  • D-Link DFL-210 | Product Manual - Page 463
    all-nets Dest Int vpn vpn lan lan wan lan Destination Network vpn_remote_net vpn_remote_net lannet lannet all-nets lannet Selected Prece Service dence H323 6 All 0 H323 6 All 0 All 0 All 0 With this setup, all VPN traffic is limited to 1700 kbps, the total traffic is limited to 2000
  • D-Link DFL-210 | Product Manual - Page 464
    10.1.10. More Pipe Examples Chapter 10. Traffic Management Note: SAT and ARPed IP Addresses If the SAT is from an ARPed IP address, the wan interface needs to be the destination. 464
  • D-Link DFL-210 | Product Manual - Page 465
    P2P) data transfer applications which include such things as Bit Torrent and Direct Connect. The high traffic loads created by P2P transfers can often have a negative impact on the quality of service for other network users as bandwidth is quickly absorbed by such applications. An ISP or a corporate
  • D-Link DFL-210 | Product Manual - Page 466
    traffic shaping. 5. Optionally specify a Network If the Time Window value is greater than zero, a Network can be specified. This IP address range allows the NetDefend Firewall and traffic begins to flow. The source and destination IP address of the connection is noted by NetDefendOS. 2. The traffic
  • D-Link DFL-210 | Product Manual - Page 467
    avoid these unintended consequences, we specify the IP addresses of client A and client B in the Network range but not host X. This tells NetDefendOS that host X is not relevant in making a decision about including new non-IDP-triggering connections in traffic shaping. It may seem counter-intuitive
  • D-Link DFL-210 | Product Manual - Page 468
    CLI Reference Guide. Viewing Pipes IDP Traffic Shaping configured bandwidth value, one for upstream (forward) traffic and one for downstream (return) traffic. Multiple hosts use the same pipe for each direction with traffic in the upstream pipe grouped using the "Per Source IP" feature and traffic
  • D-Link DFL-210 | Product Manual - Page 469
    priority by default and are therefore guaranteed that bandwidth. 10.2.8. Logging IDP Traffic Shaping generates log messages on the following events: • When an IDP rule with the Pipe option has triggered and either host or client is present in the Network Guide. 469
  • D-Link DFL-210 | Product Manual - Page 470
    to external IP addresses. It might Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. Threshold Policies A Threshold Rule is like other policy based rules found in NetDefendOS, a combination of source/destination network/interface can be specified for a rule and a type of service
  • D-Link DFL-210 | Product Manual - Page 471
    Traffic Management This function is extremely useful when NAT pools are required due to the large number of connections generated by P2P users. 10.3.3. Grouping The two groupings are as follows: • Host Based - The threshold is applied separately to connections from different IP addresses. • Network
  • D-Link DFL-210 | Product Manual - Page 472
    10.3.8. Threshold Rule Blacklisting Chapter 10. Traffic Management NetDefendOS. The length of time, in seconds, for which the source is blacklisted can also be set. This feature is discussed further in Section 6.7, "Blacklisting Hosts and Networks". 472
  • D-Link DFL-210 | Product Manual - Page 473
    facilitating the implementation of a cluster of servers (sometimes referred to as a server farm) that can handle many more requests than a single server. Note: SLB is not available on all D-Link NetDefend models The SLB feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500
  • D-Link DFL-210 | Product Manual - Page 474
    SLB Distribution Algorithms Chapter 10. Traffic Management Figure 10.9. A Server Load Balancing Configuration Additional Benefits of SLB Besides improving performance and scalability, SLB provides other benefits: • SLB increases the reliability of network applications by actively monitoring the
  • D-Link DFL-210 | Product Manual - Page 475
    same server. This is particularly important for TLS or SSL based services such as HTTPS, which require a repeated connection to the same host. This mode is similar to IP stickiness except that the stickiness can be associated with a network instead of a single IP address. The network is specified
  • D-Link DFL-210 | Product Manual - Page 476
    then compare individual IP addresses but instead compares if the source IP address belongs to the same network as a previous connection already in the table. If they belong to the same network then stickiness to the same server will result. The default value for this setting is a network size of 24
  • D-Link DFL-210 | Product Manual - Page 477
    layer 3. SLB will ping the IP address of each individual server in the server farm. This will detect any failed servers. This works at OSI layer 4. SLB attempts to connect to a specified port on each server. For example, if a server is specified as running web services on port 80, the SLB will send
  • D-Link DFL-210 | Product Manual - Page 478
    IP address of the NetDefend Firewall. Example 10.3. Setting up SLB In this example server load balancing is to be done between 2 HTTP webservers which are situated behind the NetDefend Firewall. The 2 webservers have the private IP addresses 192.168.1.10 and 192.168.1.11 respectively. The default
  • D-Link DFL-210 | Product Manual - Page 479
    4. Under Server Addresses add server_group to Selected 5. Click OK D. Specify a matching NAT IP rule for internal clients: 1. Go to Rules > IP Rule Sets > main > Add > IP Rule 2. Enter: • Name: Web_SLB_NAT • Action: NAT • Service: HTTP • Source Interface: lan • Source Network: lannet • Destination
  • D-Link DFL-210 | Product Manual - Page 480
    Setting Up SLB_SAT Rules 1. Go to Rules > IP Rule Sets > main > Add > IP Rule 2. Enter: • Name: Web_SLB_ALW • Action: Allow • Service: HTTP • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: ip_ext 3. Click OK Chapter 10. Traffic Management 480
  • D-Link DFL-210 | Product Manual - Page 481
    10.4.6. Setting Up SLB_SAT Rules Chapter 10. Traffic Management 481
  • D-Link DFL-210 | Product Manual - Page 482
    DFL-1600, 1660, 2500, 2560 and 2560G. The Master and Active Units When reading this section on HA, it should be kept in mind that the master unit in a cluster is not always the same as the active unit in a cluster. The active unit is the NetDefend Firewall that is actually processing all traffic
  • D-Link DFL-210 | Product Manual - Page 483
    state information to a dissimilar device. It is also strongly recommended that the NetDefend Firewalls used in cluster have identical configurations. They must also have identical licenses which allow identical capabilities including the ability to run in an HA cluster. Extending Redundancy
  • D-Link DFL-210 | Product Manual - Page 484
    is a UDP packet, sent from port 999, to port 999. • The destination MAC address is the Ethernet multicast address corresponding to the shared hardware address. In other words, 11-00-00-C1-4A-nn. Link-level multicasts are used over normal unicast packets for security: using unicast packets would mean
  • D-Link DFL-210 | Product Manual - Page 485
    update causes the following sequence of events to occur in an HA cluster: 1. The active (master) unit downloads the new database files from the D-Link servers. The download is done via the shared IP address of the cluster. 2. The active (master) node sends the new database files to the inactive peer
  • D-Link DFL-210 | Product Manual - Page 486
    tunnels are heavily used, the ipsecglobalstat -verbose command could be used instead and significant differences in the numbers of IPsec SAs, IKE SAs, active users and IP pool statistics would indicate a failure to synchronize. If the sync interface is functioning correctly, there may still be some
  • D-Link DFL-210 | Product Manual - Page 487
    translation, unless the configuration explicitly specifies another address. Note: Management cannot be done through the shared IP The shared IP address cannot be used for remote management or monitoring purposes. When using, for example, SSH for remote management of the NetDefend Firewalls in an HA
  • D-Link DFL-210 | Product Manual - Page 488
    Manual HA Setup Chapter 11. High Availability The illustration below shows the arrangement of typical HA Cluster connections in a network. All interfaces on the master unit would normally also have corresponding interfaces on the slave unit and these would be connected to the same networks
  • D-Link DFL-210 | Product Manual - Page 489
    IP address" is not strictly correct when used here. Either address used in an IP4 HA Address object may be public if management access across the public Internet is required. 9. Save and activate the new configuration. 10. Repeat the above steps for the other NetDefend Firewall will forward traffic)
  • D-Link DFL-210 | Product Manual - Page 490
    Addresses For HA setup, NetDefendOS provides the advanced option Use Unique Shared MAC Address. By default, this is enabled and in most configurations disabled but can cause problems with a limited number of switch types where the switch uses a shared ARP table. Such problems can be hard to diagnose
  • D-Link DFL-210 | Product Manual - Page 491
    in dynamically NATed connections or publishing services on them, will inevitably cause problems since unique IPs will disappear when the firewall they belong to does. The Shared IP Must Not Be 0.0.0.0 Assigning the IP address 0.0.0.0 as the shared IP address must be avoided. This is not valid for
  • D-Link DFL-210 | Product Manual - Page 492
    there will also be a second, backup designated router to provide OSPF metrics if the main designated router should fail. PPPoE Tunnels and DHCP Clients For reasons connected with the shared IP addresses of an HA cluster, PPPoE tunnels and DHCP clients should not be configured in an HA cluster. 492
  • D-Link DFL-210 | Product Manual - Page 493
    . The typical output if the unit is active is shown below. gw-world:/> ha This device is a HA SLAVE This device is currently ACTIVE (will forward traffic) This device has been active: 430697 sec HA cluster peer is ALIVE This unit (the slave) is the currently active unit, so the other one
  • D-Link DFL-210 | Product Manual - Page 494
    11.5. Upgrading an HA Cluster Chapter 11. High Availability console and issue the ha -deactivate command. This will cause the active unit to become inactive, and the inactive to become active. gw-world:/> ha -deactivate HA Was: ACTIVE HA going INACTIVE... To check that the failover has completed
  • D-Link DFL-210 | Product Manual - Page 495
    network unnecessarily, after one minute has elapsed, the synchronization traffic is then only sent after repeated periods of silence. The length of this silence is this setting. Default: 5 Use Unique Shared Mac Use a unique shared MAC address configuration deployments. Default: Enabled Reconf
  • D-Link DFL-210 | Product Manual - Page 496
    11.6. HA Advanced Settings Chapter 11. High Availability 496
  • D-Link DFL-210 | Product Manual - Page 497
    ZoneDefense allows a NetDefend Firewall to traffic for the host or network displaying the unusual behavior. Blocked hosts and networks remain blocked until the system administrator manually unblocks them using the Web or Command Line interface. Note: ZoneDefense is not available on all NetDefend
  • D-Link DFL-210 | Product Manual - Page 498
    to be manually specified in the firewall configuration. The information needed in order to control a switch includes: • The IP address of the management interface of the switch • The switch model type • The SNMP community string (write access) The ZoneDefense feature currently supports the following
  • D-Link DFL-210 | Product Manual - Page 499
    device, such as a NetDefend Firewall, uses the SNMP protocol to monitor and control network devices in the managed environment. The manager can query stored statistics from the controlled devices by using the SNMP Community String. This is similar to a userid or password which allows access to the
  • D-Link DFL-210 | Product Manual - Page 500
    ZoneDefense. It is assumed that all interfaces on the firewall have already been configured. An HTTP threshold of 10 connections/second is applied. If the connection rate exceeds this limitation, the firewall will block the specific host (in network range 192.168.2.0/24 for example) from accessing
  • D-Link DFL-210 | Product Manual - Page 501
    list. 3. Click OK Configure an HTTP threshold of 10 connections/second: 1. Go to Traffic Management > Threshold Rules > Add > Threshold Rule 2. For the Threshold Rule enter: • Name: HTTP-Threshold • Service: http 3. For Address Filter enter: • Source Interface: The firewall's management interface
  • D-Link DFL-210 | Product Manual - Page 502
    or more. A second difference is the maximum number of rules supported by different switches. Some switches support a maximum of 50 rules while others support up to 800 (usually, in order to block a host or network, one rule per switch port is needed). When this limit has been reached no more hosts
  • D-Link DFL-210 | Product Manual - Page 503
    12.3.5. Limitations Chapter 12. ZoneDefense 503
  • D-Link DFL-210 | Product Manual - Page 504
    configurable advanced settings for NetDefendOS that are not already described in the manual. network transport. All network units, both routers and workstations, drop IP packets that contain checksum errors. However, it is highly unlikely for an attack to be based on illegal checksums. Default
  • D-Link DFL-210 | Product Manual - Page 505
    13.1. IP Level Settings Chapter 13. Advanced Settings Block 0000 Src Block 0.0.0.0 as source address. Default: Drop Block 0 Net Block 0.* as source addresses. Default: DropLog Block 127 Net Block 127.* as source addresses. Default: DropLog Block Multicast Src Block multicast both source addresses
  • D-Link DFL-210 | Product Manual - Page 506
    an enormous security risk. NetDefendOS never obeys the source routes specified by these options, regardless of this setting. Default: DropLog IP Options Timestamps Time stamp options instruct each router and firewall on the packet's route to indicate at what time the packet was forwarded along the
  • D-Link DFL-210 | Product Manual - Page 507
    : 65535 bytes Multicast Mismatch option What action to take when Ethernet and IP multicast addresses do not match. Default: DropLog Min Broadcast TTL option The shortest IP broadcast Time-To-Live value accepted on receipt. Default: 1 Low Broadcast TTL Action option What action to take on too low
  • D-Link DFL-210 | Product Manual - Page 508
    value. Values that are too low could cause problems in poorly written TCP stacks. Default: DropLog TCP MSS Max Determines the maximum Default: 1460 bytes TCP MSS VPN Max As is the case with TCPMSSMax, this is the highest Maximum Segment Size allowed. However, this setting only controls MSS in VPN
  • D-Link DFL-210 | Product Manual - Page 509
    OS Fingerprinting. WSOPT is a common occurrence in modern networks. Default: ValidateLogBad TCP Option SACK Determines how NetDefendOS will limit without the recipient being aware of it. This is not normally a problem. Using TSOPT, some TCP stacks optimize their connection by measuring the time it
  • D-Link DFL-210 | Product Manual - Page 510
    the above settings. These options usually never appear on modern networks. Default: StripLog TCP SYN/URG Specifies how NetDefendOS will deal with PSH flag and allows the packet through despite the fact that such packets would be dropped if standards were strictly followed. Default: StripSilent TCP
  • D-Link DFL-210 | Product Manual - Page 511
    such as FTP and MS SQL Server, nearly always use the URG flag. Default: StripLog TCPE ECN Specifies how operating systems supporting this standard, the flags should be stripped. Default: StripLog TCP and stealth port scanners, as some firewalls are unable to detect them. Default: DropLog TCP
  • D-Link DFL-210 | Product Manual - Page 512
    -engine (not on packets forwarded using a FwdFast rule). Default: ValidateLogBad Notes on the TCPSequenceNumbers setting The default ValidateLogBad (or the alternative ValidateSilent) will allow concern for security) and this may not work well with these settings. Again, web-surfing traffic is most
  • D-Link DFL-210 | Product Manual - Page 513
    . In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section. Default: 500 Silently Drop State ICMPErrors Specifies if NetDefendOS should silently drop ICMP errors pertaining to statefully tracked open connections. If these errors are
  • D-Link DFL-210 | Product Manual - Page 514
    if NetDefendOS is to log the occurrence of such packets. Default: Enabled Log Reverse Opens Determines if NetDefendOS logs packets that attempt consequently, it will not matter if logging is enabled for either Allow or NAT rules in the IP rule set; they will not be logged. However, FwdFast,
  • D-Link DFL-210 | Product Manual - Page 515
    Traffic whose destination is the NetDefend Firewall itself, for example NetDefendOS management traffic, is not subject to this setting. The log message includes port, service, source/destination IP address NetDefendOS will try to use as many connections as is allowed by product. Default: 8192 515
  • D-Link DFL-210 | Product Manual - Page 516
    value is usually low, as UDP has no way of signalling when the connection is about to close. Default: 130 UDP Bidirectional Keep-alive This allows both sides to keep a UDP connection alive. The default is for NetDefendOS to mark a connection as alive (not idle) every time data is sent from the side
  • D-Link DFL-210 | Product Manual - Page 517
    13.5. Connection Timeout Settings Chapter 13. Advanced Settings Other Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before they are closed. Default: 130 517
  • D-Link DFL-210 | Product Manual - Page 518
    of an ESP packet. ESP, Encapsulation Security Payload, is used by IPsec where encryption is applied. This value should be set at the size of the largest packet allowed to pass through the VPN connections, regardless of its original protocol, plus approx. 50 bytes. Default: 2000 Max AH Length 518
  • D-Link DFL-210 | Product Manual - Page 519
    size of an OSPF packet. OSPF is a routing protocol mainly used in larger LANs. Default: 1480 Max IPIP/FWZ Length Specifies in bytes the maximum size of an IP-in-IP packet. IP-in-IP is used by Checkpoint Firewall-1 VPN connections when IPsec is not used. This value should be set at the size of the
  • D-Link DFL-210 | Product Manual - Page 520
    IP header and information that will help the recipient reassemble the original packet correctly. Many IP and all previously stored fragments. Will not allow further fragments of this packet to pass through way block almost all communication. Default: DropLog - discards individual fragments
  • D-Link DFL-210 | Product Manual - Page 521
    LogAll - Logs all failed reassembly attempts. • LogAllSubseq - As LogAll, but also logs subsequent fragments of the packet as and when they arrive. Default: LogSuspectSubseq Dropped Fragments If a packet is denied entry to the system as the result of the settings in the Rules section, it may also be
  • D-Link DFL-210 | Product Manual - Page 522
    IP stacks, it is usually not possible to set this limit too high. It is rarely the case that senders create very small fragments. However, a sender may send 1480 byte fragments and a router or VPN potential problems this can cause, the default settings in NetDefendOS have been designed to allow the
  • D-Link DFL-210 | Product Manual - Page 523
    13.7. Fragmentation Settings Chapter 13. Advanced Settings Reassembly Illegal Limit Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving. Default: 60 523
  • D-Link DFL-210 | Product Manual - Page 524
    13. Advanced Settings 13.8. Local Fragment Reassembly Settings Max Concurrent Maximum number of concurrent local reassemblies. Default: 256 Max Size Maximum size of a locally reassembled packet. Default: 10000 Large Buffers Number of large ( over 2K) local reassembly buffers (of the above size
  • D-Link DFL-210 | Product Manual - Page 525
    of allowed connections. Minimum 1, Maximum 100. Default: users, or the number of statefully tracked connections. If there are no configured pipes, no pipe users will be allocated, regardless of this setting. For more information about pipes and pipe users, see Section 10.1, "Traffic Shaping". Default
  • D-Link DFL-210 | Product Manual - Page 526
    13.9. Miscellaneous Settings Chapter 13. Advanced Settings 526
  • D-Link DFL-210 | Product Manual - Page 527
    NetDefend Firewall system and enter this activation code. NetDefendOS will indicate the code is accepted and the update service will be activated. (Make sure access to the public Internet is possible when doing this). Tip: A registration guide can be downloaded A step-by-step "Registration manual
  • D-Link DFL-210 | Product Manual - Page 528
    the status of AV updates: gw-world:/> updatecenter -status Antivirus Querying Server Status To get the status of the D-Link network servers use the command: gw-world:/> updatecenter -servers Deleting Local Databases Some technical problem in the operation of either IDP or the Anti-Virus modules may
  • D-Link DFL-210 | Product Manual - Page 529
    the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Player Authentication Kerberos XTACACS Network backup solution Backup SQL Server MySQL DBMS Oracle DBMS Sybase server MS DCOM DHCP Client related activities DHCP protocol DHCP Server related
  • D-Link DFL-210 | Product Manual - Page 530
    Embedded Web Server General HTTP activities HTTP Attacks specific to MS IIS web server Buffer overflow for HTTP servers Tomcat JSP ICMP protocol and implementation IGMP IMAP protocol/implementation AOL IM Instant Messenger implementations MSN Messenger Yahoo Messenger IP protocol and implementation
  • D-Link DFL-210 | Product Manual - Page 531
    Service for POP Post Office Protocol v3 Password guessing and related login attack POP3 server overflow Request Error PortMapper LP printing server Security Systems software McAfee Symantec AV solution SMB Error SMB Exploit SMB attacks NetBIOS attacks SMB worms SMTP command attack Denial of Service
  • D-Link DFL-210 | Product Manual - Page 532
    Coldfusion file inclusion File inclusion Web application attacks JSP file inclusion Popular web application packages PHP XML RPC SQL Injection Cross-Site-Scripting MS WINS Service Worms Generic X applications 532
  • D-Link DFL-210 | Product Manual - Page 533
    : • The HTTP ALG • The FTP ALG • The POP3 ALG • The SMTP ALG The ALGs listed above also offer the option to explicitly allow or block certain filetypes as downloads from a list of types. That list is the same one found in this appendix. For a more detailed description of MIME verification and the
  • D-Link DFL-210 | Product Manual - Page 534
    Bitmap file Debian Linux Package file DjVu file Windows dynamic link library file DPA archive data TeX Device Independent Document EET sequence Sound Yamaha SMAF Synthetic Music Mobile Application Format Multi-image Network Graphic Animation Ultratracker module sound data MPEG Audio Stream, Layer
  • D-Link DFL-210 | Product Manual - Page 535
    CODEC NES Sound file Windows object file, linux object file Object Linking and Embedding (OLE) Control Extension Ogg Vorbis Codec compressed WAV file Datastreams PAKLeo archive data PMarc archive data Portable (Public) Network Graphic PBM Portable Pixelmap Graphic PostScript file PSA archive data
  • D-Link DFL-210 | Product Manual - Page 536
    Filetype extension tfm tiff, tif tnef torrent ttf txw ufa vcf viv wav wk wmv wrl, vrml xcf xm xml xmcd xpm yc zif zip zoo zpk z Appendix C. Verified MIME filetypes Application TeX font metric data Tagged Image Format file Transport Neutral Encapsulation Format BitTorrent Metainfo file TrueType Font
  • D-Link DFL-210 | Product Manual - Page 537
    Controls data flow and provides error-handling. Protocols: TCP, UDP and similar. Layer 3 - Network Layer Performs addressing and routing. Protocols: IP, OSPF, ICMP, IGMP and similar. Layer 2 - Data-Link Layer Creates frames of data for transmission over the physical layer and includes error
  • D-Link DFL-210 | Product Manual - Page 538
    , 29 changing password for, 38 multiple logins, 29 advanced settings ARP, 113 connection timeout, 516 DHCP relay, 231 DHCP server, 225 fragmentation, 520 fragment reassembly, 524 general, 504 hardware monitoring, 65 high availability, 495 ICMP, 513 IP level, 504 IPsec, 421 L2TP/PPTP, 430 length
  • D-Link DFL-210 | Product Manual - Page 539
    (HA) setting, 495 dead peer detection (see IPsec) Decrement TTL setting, 219 default access rule, 147, 237 Default TTL setting, 505 demilitarized zone (see DMZ) denial of service, 326 destination RLB algorithm, 165 DHCP, 223 leases, 223 multiple servers, 224 over ethernet, 93 relay advanced settings
  • D-Link DFL-210 | Product Manual - Page 540
    ethernet interface, 92 changing IP addresses, 95 CLI command summary, 95 default gateway, 93 IP address, 93 with DHCP, 93 evasion attack prevention, 318 events, 55 log message receivers, 56 log messages, 55 F Failed Fragment Reassembly setting, 521 filetype download block/allow in FTP ALG, 247 in
  • D-Link DFL-210 | Product Manual - Page 541
    , 421 algorithm proposal lists, 401 and IP rules, 406 clients, 386 dead peer detection, 407 keep-alive, 407 LAN to LAN setup, 382 overview, 391 quick start guide, 381 roaming clients setup, 384 troubleshooting, 437 tunnel establishment, 406 tunnels, 406 IPsec Before Rules setting, 422 usage, 406
  • D-Link DFL-210 | Product Manual - Page 542
    , 160 Poll Interval setting, 65 POP3 ALG, 263 Port 0 setting, 525 port address translation, 350 port forwarding (see SAT) port mirroring (see pcapdump) PPP authentication with LDAP, 364 PPPoE, 101 client configuration, 101 unnumbered support, 102 with HA, 102 PPTP, 425 advanced settings, 430 542
  • D-Link DFL-210 | Product Manual - Page 543
    SAT, 343 all-to-1 mapping, 350 IP rules, 119 multiple address translation, 348 multiplex rule, 195 port forwarding, 343 second rule destination, 343 schedules, 126 SCP, 45 scripting (see CLI scripts) Secondary Time Server setting, 137 secure copy (see SCP) SecuRemoteUDP Compatibility setting, 506
  • D-Link DFL-210 | Product Manual - Page 544
    auth HTML customizing, 373 user based routing, 160 Use Unique Shared Mac (HA) setting, 490, 495 V Validation Timeout setting, 49 virtual LAN (see VLAN) virtual private networks (see VPN) VLAN, 97 advanced settings, 100 license limitations, 99 port based, 98 trunk, 98 voice over IP with H.323, 275
  • D-Link DFL-210 | Product Manual - Page 545
    VoIP (see voice over IP) VPN, 377 planning, 378 quick start guide, 381 troubleshooting, 437 W Watchdog Time setting, 525 WCF (see web content filtering) webauth, 369 web content filtering, 295 fail mode, 297 whitelisting, 296 web interface, 28, 29 default connection interface, 30 setting workstation