D-Link DFL-2500 User Guide

D-Link DFL-2500 - Security Appliance Manual

D-Link DFL-2500 manual content summary:

  • D-Link DFL-2500 | User Guide - Page 1
    DFL - 800/1600/2500 User's Guide < Version: 1.0 >
  • D-Link DFL-2500 | User Guide - Page 2
    How does a Firewall work 9 3.2 What does a Firewall NOT protect against 10 3.2.1 Attacks on Insecure pre-installed Components . . . . . 11 3.2.2 Inexperienced Users on protected Networks 11 3.2.3 Data-Driven Network Attacks 11 3.2.4 Internal Attacks 13 3.2.5 Modems and VPN Connection 13
  • D-Link DFL-2500 | User Guide - Page 3
    IP address 39 8.1.2 Ethernet address 41 8.2 Services 41 8.2.1 Service Types 42 8.2.2 Error Report & Connection Protection 46 8.3 Schedules 48 8.4 X.509 Certificates 49 8.4.1 Introduction to Certificates 49 8.4.2 X.509 Certificates in D-Link Firewall 51 D-Link Firewalls User's Guide
  • D-Link DFL-2500 | User Guide - Page 4
    .7.2 Policy-based Routing Tables 89 10.7.3 Policy-based Routing Policy 89 10.7.4 PBR Execution 89 10.7.5 Scenario: PBR Configuration 91 10.8 Proxy ARP 94
  • D-Link DFL-2500 | User Guide - Page 5
    Firewall 114 14.3 Scenarios: IP Rules Configuration 116 15 Access (Anti-spoofing) 123 15.1 Overview 123 15.1.1 IP Spoofing 123 15.1.2 Anti-spoofing 124 15.2 Access Rule 124 15.2.1 Function 124 15.2.2 Settings 124 15.3 Scenario: Setting up Access Rule 126
  • D-Link DFL-2500 | User Guide - Page 6
    Port Forwarding 127 16.1 General 127 16.1.1 Concepts 127 16.1.2 DMZ Planning 129 16.1.3 Benefits 130 17 User Authentication 131 17.1 Authentication Overview 131 17.1.1 Authentication Methods 131 17.1.2 Password Criterion 132 17.1.3 User Matching 182
  • D-Link DFL-2500 | User Guide - Page 7
    213 22.1 IPsec 213 22.1.1 IPsec protocols 214 22.1.2 IPsec Modes 214 22.1.3 IKE 215 22.1.4 IKE Integrity & Authentication 219 22.1.5 Scenarios: IPSec Configuration 223 22.2 PPTP/ L2TP 228 22.2.1 PPTP 228 22.2.2 L2TP 234 22.3 SSL/TLS (HTTPS 243
  • D-Link DFL-2500 | User Guide - Page 8
    248 23.1.2 Features 249 23.2 Pipes 249 23.2.1 Precedences and Guarantees 250 23.2.2 Grouping Users of a Pipe 252 23.2.3 Dynamic Bandwidth Balancing 253 23.3 Pipe Rules 253 23.4 Scenarios & Relayer 275 26.1 DHCP Server 275 26.2 DHCP Relayer 277
  • D-Link DFL-2500 | User Guide - Page 9
    Switches 293 28.2.1 SNMP 294 28.3 Threshold Rules 295 28.4 Manual Blocking & Exclude Lists 295 28.5 Limitations 296 28.6 Scenario 29.2 How Rapid Failover is Accomplished 303 29.2.1 The shared IP address and the failover mechanism . . 304 29.2.2 Cluster 315
  • D-Link DFL-2500 | User Guide - Page 10
    Memory 327 Netcon 327 Netobjects 328 OSPF 328 Ping 329 Pipes 329 Proplists 330 ReConfigure 330 Remotes 331 Routes 331 Rules 332 Scrsave 332 Services 333 Shutdown 333
  • D-Link DFL-2500 | User Guide - Page 11
    Sysmsgs 333 Settings 333 Stats 335 Time 336 Uarules 336 Userauth 336 Userdb 337 Vlan 338 B Customer Support 341
  • D-Link DFL-2500 | User Guide - Page 12
    FIGURES & TABLES 2.1 The OSI 7-Layer Model 8 4.1 WebUI Authentication Window 20 4.2 WebUI Main Display 20 9.1 A VLAN Infrastructure 57 9.1 802.1Q Standard Ethernet Frame 58 10.1 Route Failover Scenario 78 10.2 OSPF Process Scenario 82 10.3 Static Routing Scenario 87 14.1 Dynamic NAT 114 14
  • D-Link DFL-2500 | User Guide - Page 13
    VPN Deployment Scenario 1 201 20.2 VPN Deployment Scenario 2 202 20.3 VPN Deployment Scenario 3 203 20.4 VPN Deployment Scenario 4 203 20.5 VPN Deployment Scenario 5 204 20.6 VPN Deployment Scenario 6 205 22.1 LAN-to-LAN Example Scenario 223 22.2 IPSec Setup 303
  • D-Link DFL-2500 | User Guide - Page 14
    Section 14.3: IP Rules Configuration 116 Section 15.3: Setting up Access Rule 126 Section 17.4: User Authentication Configuration 137 Section 18.2: FTP ALG Configuration 150 Section 18.4: H.323 ALG Configuration 161 Section 19.6: Setting up IDS 189 Section 22.1: IPSec
  • D-Link DFL-2500 | User Guide - Page 15
  • D-Link DFL-2500 | User Guide - Page 16
    Part I Preface
  • D-Link DFL-2500 | User Guide - Page 17
  • D-Link DFL-2500 | User Guide - Page 18
    Document Version Version No.: 1.0 Disclaimer Information in this user's guide is subject to change without notice. About this Document This User's Guide is designed to be a handy configuration manual as well as an Internetworking and security knowledge learning tool for network administrators. The
  • D-Link DFL-2500 | User Guide - Page 19
    certain function. WebUI : Example steps for WebUI. Note Additional information the user should be aware of. Tip Suggestions on configuration that may be taken into consideration. Caution Critical information the user should follow when performing a certain action. Warning Critical information the
  • D-Link DFL-2500 | User Guide - Page 20
    Part II Product Overview
  • D-Link DFL-2500 | User Guide - Page 21
  • D-Link DFL-2500 | User Guide - Page 22
    • Web-based graphical user interface (WebUI) • Effective and easy maintenance • Complete control of security policies • Advanced application layer gateways (FTP, HTTP, H.323) • Advanced monitoring & logging methods • Full VLAN compliance • Support for building VPN (IPSec, PPTP, L2TP) • Route
  • D-Link DFL-2500 | User Guide - Page 23
    • Zone Defence • High Availability (Some models) Details about how to make these features work can be found in specific chapters in this user's guide.
  • D-Link DFL-2500 | User Guide - Page 24
    Part III Introduction to Networking
  • D-Link DFL-2500 | User Guide - Page 25
  • D-Link DFL-2500 | User Guide - Page 26
    7 layers. The basic functions and common protocols involved in each layer are explained below. Application Layer - defines the user interface that supports applications directly. Protocols: HTTP, FTP, DNS, SMTP, Telnet, SNMP, etc. Presentation Layer - translates the various applications to uniform
  • D-Link DFL-2500 | User Guide - Page 27
    Data-Link Layer - frames the data. Protocols: Ethernet, PPP, etc. Physical Layer - defines the hardware support. D-Link firewalls handle network traffic and perform diverse functions for security assurance and application support throughout the 7 layers of the OSI model.
  • D-Link DFL-2500 | User Guide - Page 28
    of the Firewall 3.1.1 What is a Firewall? When unauthorized communication is blocked and logged. 3.1.2 How does a Firewall work? The primary purpose of a firewall is to enforce destination address, protocol and ports. This allows you to install less secure network services on your protected networks
  • D-Link DFL-2500 | User Guide - Page 29
    the surface in terms of the number of existing problems. Complete protection can only be achieved through thorough understanding of all possible weaknesses in network protocols and in the software used, and by implementing appropriate measures to compensate for these.
  • D-Link DFL-2500 | User Guide - Page 30
    3.2.1 Attacks on Insecure pre-installed Components A very common problem is the fact that operating systems and applications usually contain insecure pre-installed components. Such components include undocumented services of attack,
  • D-Link DFL-2500 | User Guide - Page 31
    apart from better written software, is to disable such services or to limit surfing to less sensitive computers. • HTML pages that link in the contents of local files when they are opened without scripts. Such pages can, often with the help of unsuspecting local users this problem
  • D-Link DFL-2500 | User Guide - Page 32
    problems are the results of internal attacks. Some sources put this figure as high as 80%. 3.2.5 Modems and VPN Connection A common misconception is that modems and VPN gateways are as secure as the protected network and can be connected directly to it without protection.
  • D-Link DFL-2500 | User Guide - Page 33
    facility. 3.2.6 Holes between DMZs and Internal Networks Although the advent of extranets and e-commerce has served to drive development forwards, and as more and more companies begin to make internal data available via web servers, security hazards are increasing as a
  • D-Link DFL-2500 | User Guide - Page 34
    The problem here is not IP packets being routed via the servers in the DMZ, so therefore disabling "IP forwarding" would not provide any protection. The problem is NetBEUI. Again, the problem is not IP packets traversing from insecure networks to the internal network.
  • D-Link DFL-2500 | User Guide - Page 35
    the day. An insurmountable problem may arise when the web server needs to update the data source. The best way of tackling such a problem is to move the affected data source to a separate network segment, thereby decreasing the potential damage in the case of intrusion.
  • D-Link DFL-2500 | User Guide - Page 36
    Part IV Administration
  • D-Link DFL-2500 | User Guide - Page 37
    This part covers basic aspects of D-Link firewall management and administration, including: • Configuration Platform • Logging • Maintenance • Advanced Settings
  • D-Link DFL-2500 | User Guide - Page 38
    Configuration Platform 4.1 Configuring Via WebUI 4.1.1 Overview The D-Link firewall can be configured using a web interface. A in the world. 4.1.2 Interface Layout Before using the WebUI interface, the user will have to be authenticated by entering username/password in the authentication window,
  • D-Link DFL-2500 | User Guide - Page 39
    Figure 4.1: WebUI Authentication Window. Figure 4.2: WebUI Main Display.
  • D-Link DFL-2500 | User Guide - Page 40
    Useful for problem solving and debugging IPSec: Displays IPSec status information. - Routes: Displays the current routing table. - DHCP Server: Displays usage information for DHCP servers. - IDS: Displays IDS status information. - SLB: Displays SLB status information.
  • D-Link DFL-2500 | User Guide - Page 41
    the firewall configuration. When the user has configured the firewall via the WebUI, the configuration will have to be saved and activated before the new configuration will be used by the firewall. This is done via the "Save and Activate" menu bar option under "Configuration".
  • D-Link DFL-2500 | User Guide - Page 42
    troubleshooting. A detailed reference of various commands that can be used in this interface is covered in Appendix A, Console Commands Reference. Note Currently, the CLI can only be used for statistics and status display. The firewall can NOT be configured via this interface.
  • D-Link DFL-2500 | User Guide - Page 43
  • D-Link DFL-2500 | User Guide - Page 44
    the firewall is enforcing. The log file generated from logging helps administrators to observe in detail what events have occurred. D-Link firewalls provide a variety of options for logging its activities. 5.1.1 Importance & Capability Regardless of what security policy is being implemented by the
  • D-Link DFL-2500 | User Guide - Page 45
    services. By reviewing the output of logging, there is a good chance that the administrator will be able to figure out the problematic events, and take necessary actions to correct the problems. Once the problem • HWM- hardware monitor events. • SYSTEM- startup & shutdown
  • D-Link DFL-2500 | User Guide - Page 46
    • FRAG - log messages coming from the fragment handling engine. • OSPF/DYNROUTING - information for dynamic routing. • RFO - route fail over events. • PPP/PPPOE/PPTP/L2TP/GRE/IPSEC - events for different tunnels. • USERAUTH - events for user authentication.
  • D-Link DFL-2500 | User Guide - Page 47
    with a timestamp and the IP address of the machine that sent the log data: Feb 5 2000 09:45:23 gateway.ourcompany.com This is followed by the text the sender has chosen to send. All log entries from D-Link Firewall are prefaced with "FW:" and a category, e.g. "DROP:".
  • D-Link DFL-2500 | User Guide - Page 48
    dependent on the event that has occurred. In order to facilitate automated processing of all messages, D-Link Firewall writes all log data to a single line of text. All data following the initial text is function, please refer to 19.5 SMTP Log Receiver for IDS Events.
  • D-Link DFL-2500 | User Guide - Page 49
  • D-Link DFL-2500 | User Guide - Page 50
    new firmware to introduce new functionality and fix known problems. Make sure to regularly check the D-Link support website for new firmware upgrades. Example: Upgrading Firmware This example describes how to upgrade a D-Link Firewall with a new firmware version. WebUI : 1. Check Current Version
  • D-Link DFL-2500 | User Guide - Page 51
    the firmware upgrade file you recently downloaded from the D-Link support website. Click on the "Upload Firmware" button and wait until the file is uploaded and further instructions are shown on the page. Caution DO NOT ABORT THE FIRMWARE UPLOAD PROCESS. The firmware upload may take several minutes
  • D-Link DFL-2500 | User Guide - Page 52
    the revert process to complete and the firewall to start. The following procedure only applies to the DFL-1600/2500: 3. Reset To Factory Defaults Using the Keypad and Display Reset the firewall. Press any key, and the settings of the firewall will be permanently restored.
  • D-Link DFL-2500 | User Guide - Page 53
    6.3 Backup Configuration D-Link Firewalls configuration can be backed up and restored on request. This could for instance be used to information such as the DHCP server lease database or the Zone Defense blocking list will not be backed up.
  • D-Link DFL-2500 | User Guide - Page 54
    page inside the relevant sections. One case that requires changes to the advanced settings is explained in 17.4, Example: Enabling HTTP authentication via local user database. Note that in this example, advanced settings in the firewall's Remote Management section need to be changed to resolve a TCP
  • D-Link DFL-2500 | User Guide - Page 55
  • D-Link DFL-2500 | User Guide - Page 56
    Part V Fundamentals
  • D-Link DFL-2500 | User Guide - Page 57
    From both physical and logical perspectives, this part introduces the basic components of D-Link firewalls, which are the building blocks for security policies and advanced functions. Topics in this part include: • Logical Objects • Interfaces • Routing • Date & Time • DNS • Log
  • D-Link DFL-2500 | User Guide - Page 58
    book which records people's names with their phone numbers and email addresses, the address book in a Firewall is a list of symbolic names associated with various types of addresses, including IP addresses and ethernet MAC addresses. These items are fundamental elements heavily used in the firewall's con
  • D-Link DFL-2500 | User Guide - Page 59
    .0.0/24" is defined as "lannet". WebUI : Objects → Address Book → InterfaceAddresses → Add → IP4 Host/Network → General: Enter the following and then click OK: Name: lannet IP Address: 192.168.0.0/24
  • D-Link DFL-2500 | User Guide - Page 60
    group as explained in 8.1.1 above. 8.2 Services Services are software programs using protocol definitions to provide various applications to the network users. Most applications rely on protocols located at OSI layer 7 - Application layer - to provide communication from
  • D-Link DFL-2500 | User Guide - Page 61
    can be defined as having source ports 1024-65535 and destination ports 80-82, 90-92, 95. In this case, a TCP or UDP packet with the destination port being one of 80, 81, 82, 90, 91, 92 or 95, and the source port being in the range 1024-65535, will match this service.
  • D-Link DFL-2500 | User Guide - Page 62
    told that a problem has occurred when delivering a packet. There are codes from 0 to 5 for this type: - Code 0. Net Unreachable - Code 1. Host Unreachable - Code 2. Protocol Unreachable - Code 3. Port Unreachable - Code 4. Cannot Fragment - Code 5. Source Route Failed
  • D-Link DFL-2500 | User Guide - Page 63
    Add → ICMP Service → General: Enter a Name for the new ICMP service. → ICMP Parameters Select the ICMP type and specify the codes for the service. (If the All ICMP Message Types option is selected, this service will match all 256 possible ICMP Message Types.) Click OK.
  • D-Link DFL-2500 | User Guide - Page 64
    for one service. Example: Adding a service that matches the GRE protocol ( For more information about GRE, please refer to 22.2 PPTP/L2TP ) WebUI : Objects → Services → Add → IP Protocol Service General Enter the following and then click OK: Name: GRE IP Protocol: 47
  • D-Link DFL-2500 | User Guide - Page 65
    connection and dropped, if not explicitly allowed by the firewall rule-set. Allowing any inbound ICMP message to be able to have those error messages forwarded is generally not
  • D-Link DFL-2500 | User Guide - Page 66
    (ALG) An application layer gateway can be specified to handle different services. More information can be found in 18 Application Layer Gateway (ALG). For an ALG enabled service, the maximum number of sessions that are permitted by using this service can be defined.
  • D-Link DFL-2500 | User Guide - Page 67
    time periods in a day. Example: An office-hour schedule An organization may only want the internal network users to access the Internet during work hours, and expect this constraint to be valid for one year. End Date: (same as "Start Date" above) and then click OK.
  • D-Link DFL-2500 | User Guide - Page 68
    8.4 X.509 Certificates D-Link firewalls support certificates that comply with the ITU-T X.509 international standard. This technology certificates from one certificate to another. When verifying the validity of a user certificate, the entire path
  • D-Link DFL-2500 | User Guide - Page 69
    certificates do not contain this field. In those cases the location of the CRL has to be configured manually. See 22.1.4, LDAP . The CA updates its CRL at a given interval. The length of this interval depends ficate: - Construct a certification path up to the trusted root CA.
  • D-Link DFL-2500 | User Guide - Page 70
    VPN tunnel, provided the certificate validation procedure described above succeeded. 8.4.2 X.509 Certificates in D-Link Firewall X.509 certificates can be uploaded to the D-Link Firewall for use in IKE/IPSec ficate Then click OK and follow the instructions on the screen.
  • D-Link DFL-2500 | User Guide - Page 71
  • D-Link DFL-2500 | User Guide - Page 72
    introduced in sections 9.2 VLAN and 9.4 PPPoE in this chapter, others like IPsec, PPTP, L2TP, and ARP are covered later in the document. 9.1.1 of an IP address and other parameters, to make the interface accessible to the network layer. When installing a D-Link firewall, all supported Ethernet
  • D-Link DFL-2500 | User Guide - Page 73
    interfaces share one common IP address and each has a private IP address to uniquely identify one cluster node. The private IP is derived from the are forwarded to "core" to be controlled by security policies. "any" represents all possible interfaces including "core".
  • D-Link DFL-2500 | User Guide - Page 74
    interface configuration The interface connected to LAN (or one of the LANs) is configured with "lan ip", "lannet", and the default gateway address "lan gate". WebUI : 1. Specifying the IP4 Host - "lan ip" value is 100.) High Availability: Private IP Address selection.
  • D-Link DFL-2500 | User Guide - Page 75
    of VLAN is shown in Figure 9.1. In this case, a D-Link firewall is configured to have 2 VLAN interfaces. Now, although the clients and servers are still sharing the same physical media, Client A can only communicate with Server D and the firewall since they are configured
  • D-Link DFL-2500 | User Guide - Page 76
    are 12 bits for VID within each 4-byte tag. With these 12 bits of identifier, there could be up to 4096 VLANs on a physical network. However, all ones are reserved and all zeros indicate no VLAN association. All other identifiers can be used to indicate a particular VLAN.
  • D-Link DFL-2500 | User Guide - Page 77
    and destination of that VLAN communication. VLANs in D-Link firewalls are useful in several different scenarios, for instance, when firewall filtering is needed between different departments in an organization, or when the number of interfaces needs to be expanded.
  • D-Link DFL-2500 | User Guide - Page 78
    be used on the terminating side.) Address Settings IP Address: Select the IP address this VLAN interface should use. If not configured, the IP of the Ethernet interface will be used. ( documentation. • Connect the gigabit uplink port of the switch to one of the gigabit
  • D-Link DFL-2500 | User Guide - Page 79
    , for instance, port 12 will be received by interface vlan12 in the firewall. In the example above, a gigabit uplink port on the switch and IP address dynamically from a DHCP server for its physical interface. A DHCP client may receive offers from multiple DHCP servers
  • D-Link DFL-2500 | User Guide - Page 80
    can easily perform the following functions for each user: • Support security and access-control - username/password authentication is required. The provider can track IP address to a specific user. • Automatic IP address allocation for PC users (similar to DHCP 9.3).
  • D-Link DFL-2500 | User Guide - Page 81
    them on to the Internet, and forward requested Internet responses back to the user. Relative to the OSI reference model, PPP provides Layer 2 (data-link layer) service. At Layer 2, PPP defines an encapsulation mechanism that allows multi-protocol packets to travel through IP networks. It starts with
  • D-Link DFL-2500 | User Guide - Page 82
    IP addresses should be accepted and sent through the PPPoE tunnel. PPPoE can use a service name to distinguish between different servers on the same Ethernet network. IP address information PPPoE uses automatic IP wait with no activity before the tunnel is disconnected.
  • D-Link DFL-2500 | User Guide - Page 83
    Example: A PPPoE Client configuration This example describes how to ) Service Name: If your service provider has provided you with a service name, enter the service name here. Username: The username provided to you by your service provider. Then click OK
  • D-Link DFL-2500 | User Guide - Page 84
    common policy. An interface group can consist of regular Ethernet interfaces, VLAN interfaces, or VPN Tunnels (see 22). All members of an interface group do not need to be configurations. For example, IP rules and user authentication rules can use interface groups.
  • D-Link DFL-2500 | User Guide - Page 85
    IP address. Publishing an IP address using ARP can serve two purposes: • To aid nearby network equipment responding to ARP in an incorrect manner. This area of use is less common. • To give the impression that an interface of the firewall has more than one IP address.
  • D-Link DFL-2500 | User Guide - Page 86
    10.8 Proxy ARP. Note For published IP addresses to work correctly it might be necessary to add a new route. (See 10 Routing) If an additional address is added for an interface, the core interface should probably be specified as the interface when configuring the route.
  • D-Link DFL-2500 | User Guide - Page 87
    Entry: Enter the following: Mode: Publish Interface: Select the interface that should have the extra IP address IP Address: Specify the IP address to add to the above interface. MAC: Leave it at 00-00-00-00-00-00 to use the MAC address of the interface. Then click OK
  • D-Link DFL-2500 | User Guide - Page 88
    the path selections. Each entry in this mapping table describes an available route. The definition of the route here is the connection that links the two communication ends and also all the intermediate routing devices. The description of route inside the routing table indicates the address of the
  • D-Link DFL-2500 | User Guide - Page 89
    physical address of the packet to the address of the next hop, and forwards the packet to the next hop with the destination IP address unchanged. In a real-life scenario, many firewalls/routers may come independently, while still being able to connect to the "outside"
  • D-Link DFL-2500 | User Guide - Page 90
    table. In case of a device failure (a down link) in a selected path or other problems that make the path unreachable, the algorithm selects the table, and manually add every necessary route and related information into the table for successful packet forwarding. Any change
  • D-Link DFL-2500 | User Guide - Page 91
    responses to routing updates on the fly and is more susceptible to problems such as routing loops. In the Internet, two types of dynamic broadcasts its attached links and link costs to all the other routers in the network. A router, upon receiving broadcasts from the
  • D-Link DFL-2500 | User Guide - Page 92
    length - Path length is the sum of the costs associated with each link. A commonly used value for this metric is called hop count, the number of routing devices, i.e. routers/firewalls, through the path that a packet takes to travel from the source to its destination.
  • D-Link DFL-2500 | User Guide - Page 93
    Link state routing algorithm. Now we look at the actual operation of this algorithm. Areas & Routers OSPF features hierarchical routing to give better support has a unique router ID with the format of an IP address. On top of the OSPF hierarchy is a Link (VLink) can be
  • D-Link DFL-2500 | User Guide - Page 94
    an interface. Routers residing in the same OSPF area only need to learn and synchronize link-state information with the ABR. Some Routers that exchange routing information with routers in other ASs the election. The router with the highest priority number becomes
  • D-Link DFL-2500 | User Guide - Page 95
    links. Upon any change in routing information, a router will save a new copy of the link state into its database and send an LSA to the DR. The DR then floods the update to all participating routers in the area to synchronize the link-state database. Path determination - "SPF"
  • D-Link DFL-2500 | User Guide - Page 96
    least-cost) path for data forwarding to any destination in the IP routing table. Upon any update to the link during the link-state information link, while with MD5 message-digest algorithm, the key will not pass over the link route can be considered down if link status on the interface is down,
  • D-Link DFL-2500 | User Guide - Page 97
    WAN1 interface of the firewall and ISP B is connected to interface WAN2. In order to configure the D-Link firewall to use ISP A as primary ISP, and ISP B as backup ISP, monitored routes will have to : Add default route if default gateway is specified: Disable Then click OK
  • D-Link DFL-2500 | User Guide - Page 98
    IP Address: (None) Metric: 1 Monitor Monitor This Route: Enable Monitor Interface Link Status: Enable Monitor Gateway Using ARP Lookup: Enable Then click OK Note It is possible to manually : Default gateway of ISP B. Local IP Address: (None) Metric: 2 Then click OK
  • D-Link DFL-2500 | User Guide - Page 99
    interface group as destination interface. See 14.3 IP Rules Configuration for details on how to configure rules. Note The default route for interface WAN2 will not be monitored. The reason for this is that we have no backup route for the route over interface WAN2.
  • D-Link DFL-2500 | User Guide - Page 100
    process enabled on a router is given a unique Router ID in an IP address format and an authentication method is chosen. The areas are defined or more specific neighbors need to be configured for the interface manually. Routing metrics used for OSPF can also be set or modified
  • D-Link DFL-2500 | User Guide - Page 101
    any static routes in its routing table(s) (except the routes for the 3 interfaces participating in this OSPF process). To control this information exchange, dynamic routing
  • D-Link DFL-2500 | User Guide - Page 102
    : - specifying an area to the "ospf-proc1" process. In the "ospf-proc1" configuration page: Add → Area: General: Name: "area0" Area ID: 0.0.0.0 Then click OK.
  • D-Link DFL-2500 | User Guide - Page 103
    box. Interfaces: Select "lan1" and "lan2" from the Available list and put them into the Selected list. Then click OK. Note Make sure that the firewall's IP rules, which allow traffic through these interfaces, use this interface group as source interface.
  • D-Link DFL-2500 | User Guide - Page 104
    "ospf-proc1" will be added into the main routing table, as this is not done automatically in the D-Link firewall. WebUI : 1. Dynamic Routing Rule: Routing → Dynamic Routing Policy → Add → Dynamic Routing Rule: main routing table as long as they don't override any static
  • D-Link DFL-2500 | User Guide - Page 105
    : In the "exportDefRoute" configuration page: → OSPF Actions → Add → Export OSPF: General Export to process: Select "ospf-proc1" from the dropdown list. Then click OK.
  • D-Link DFL-2500 | User Guide - Page 106
    ). Then click OK. This will allow the firewall to route traffic destined for the 192.168.2.0/24 network through the router at 192.168.1.10.
  • D-Link DFL-2500 | User Guide - Page 107
    used to provide Internet services, PBR can route traffic originating from different sets of users through different paths across the firewall. • Service based routing - PBR can route certain protocols through transparent proxies, such as Web caches and anti-virus scanners.
  • D-Link DFL-2500 | User Guide - Page 108
    routing tables. Each PBR rule is triggered by the fields of service type and source & destination interface and network. During the firewall's rules can specify which routing table to use in both forward and return direction. 10.7.4 PBR Execution The sequence of PBR
  • D-Link DFL-2500 | User Guide - Page 109
    nor PBR will be performed. The firewall will forward the packets according to the main routing table only. 4. IP Routes: If enabled, the default interface routes are removed, i.e. routes to the core interface, which are routes to the firewall itself. Then click OK D-Link Firewalls User's Guide
  • D-Link DFL-2500 | User Guide - Page 110
    as the sender address in ARP queries. If no address is specified, the firewall's interface IP address will be used. Metric: Specifies the metric for this route. (Mostly used in route respectively. • All addresses in this scenario are public addresses, for simplicity's sake.
  • D-Link DFL-2500 | User Guide - Page 111
    normally best done through BGP, where you do not need to worry about different IP spans or policy routing. Unfortunately, this is not always possible, and this is LAN1 Destination Range 0.0.0.0/0 2.3.4.0/24 Service ALL ALL Forward PBR r2 Return PBR r2
  • D-Link DFL-2500 | User Guide - Page 112
    Policy → Add → Policy-based Routing Rule: Enter the information found in the list of policies displayed earlier. Repeat this step to add the second rule.
  • D-Link DFL-2500 | User Guide - Page 113
    responds to the ARP request for another system. For example, host A sends an ARP request to resolve the IP address of host B. Instead of host B, the firewall responds to this ARP request. In essence, Proxy ARP only possible to Proxy ARP on Ethernet and VLAN interfaces.
  • D-Link DFL-2500 | User Guide - Page 114
    clock. The clock is also equipped with a backup battery to ensure operation even if the product loses power. In addition, the product supports time synchronization protocols in order to automatically adjust the clock based on information from other devices.
  • D-Link DFL-2500 | User Guide - Page 115
    : System → Date and Time: Time zone and daylight saving time settings Time zone: select the appropriate time zone in the dropdown list. Then click OK.
  • D-Link DFL-2500 | User Guide - Page 116
    the product does not automatically know when to adjust for DST. Instead, this information has to be manually provided if daylight saving time is to be used. There are basically two parameters governing daylight saving . End Date: select the ending date. Then click OK.
  • D-Link DFL-2500 | User Guide - Page 117
    on atomic clocks. 11.2.1 Time Synchronization Protocols The product supports two kinds of protocols to be used for time time synchronization service over the Internet. The protocol provides a site-independent, machine-readable date and time. The time service sends
  • D-Link DFL-2500 | User Guide - Page 118
    lists: Time Server Type: SNTP Primary Time Server: dns:ntp1.sp.se Secondary Time Server: dns:ntp2.sp.se Tertiary Time Server: (None) Click OK.
  • D-Link DFL-2500 | User Guide - Page 119
    100 Chapter 11. Date & Time Note This example uses domain names instead of IP addresses. Therefore, make sure the DNS client settings of the system are properly configured as described in 12 DNS.
  • D-Link DFL-2500 | User Guide - Page 120
    describes how to configure DNS servers in D-Link firewalls. The configured servers are used by the internal DNS client as well as other subsystems such as the DHCP server. Example: Configuring DNS server(s) WebUI : System → DNS: Primary Server: Enter the IP address of the primary DNS server or select
  • D-Link DFL-2500 | User Guide - Page 121
    102 Chapter 12. DNS
  • D-Link DFL-2500 | User Guide - Page 122
    will be generated automatically, for example, the firewall's startup and shutdown, logging needs to be enabled manually in specific sections of the firewall's configuration. To set up logging in D-Link firewalls, the following two steps are required: 1. Define one or several log receivers. 2. Enable the
  • D-Link DFL-2500 | User Guide - Page 123
    Address Book), or enter the IP address directly into the edit box. Facility: Choose one of the facilities from the dropdown list. Port: 514 (by default) Then assume an IP rule has been defined previously, and enable logging on this rule to monitor its actions on traffic.
  • D-Link DFL-2500 | User Guide - Page 124
    13.1. Implementation WebUI : Rules → IP Rules: Click the IP rule item → Log Settings: General Check Enable logging Severity: Choose one of the severity levels : 100 items of newly generated events can be displayed per page. To see previous events, press next.
  • D-Link DFL-2500 | User Guide - Page 125
    106 Chapter 13. Log Settings
  • D-Link DFL-2500 | User Guide - Page 126
    Part VI Security Policies
  • D-Link DFL-2500 | User Guide - Page 127
    use. D-Link firewalls provide various mechanisms to aid administrators in building security policies for attack prevention, privacy protection, identification, and access control. Topics in this part include: • IP Rules • Access (Anti-spoofing) • DMZ & Port Forwarding • User
  • D-Link DFL-2500 | User Guide - Page 128
    14 CHAPTER IP Rules 14.1 Overview The list of rules defined on the basis of network objects - addresses, protocols, services - is the heart of highest possible level of security, default deny is the default policy in D-Link firewalls. The default deny is accomplished without a visible rule in the
  • D-Link DFL-2500 | User Guide - Page 129
    the firewall. ◦ Source Network: the network that the source IP address of the packet matches. ◦ Destination Interface: one or a group of interfaces where the packet is aiming at. ◦ Destination Network: the network that the destination IP address of the packet matches.
  • D-Link DFL-2500 | User Guide - Page 130
    immediately discard the packet. ◦ Reject: Acts like Drop, but will return a TCP-RST or ICMP-Unreachable message, telling the sender that the packet was disallowed.
  • D-Link DFL-2500 | User Guide - Page 131
    into a single Internet connection. • Security - Computers located on the local network and using a range of private addresses are not directly accessible from the Internet. To
  • D-Link DFL-2500 | User Guide - Page 132
    port plus its translated source port number to a destination address and port. When it receives any returning packets, it can therefore reverse the translation to route them back to the correct clients. Because the mapping table relates complete connection information -
  • D-Link DFL-2500 | User Guide - Page 133
    , port 1038, to a server, e.g. 195.55.66.77 port 80. Usually, the firewall translates the sender address to the address of the interface closest to the destination address. In this example, we use 195.11.22.33 as the public address. In addition, the firewall changes the
  • D-Link DFL-2500 | User Guide - Page 134
    is mapped to a public static IP address, which can be seen from the Internet. In D-Link firewalls, SAT is implemented to provide many important functions, for example: - DMZ & Port Forwarding: SAT supports the use of DMZ network to provide public services to the Internet, meanwhile protecting the
  • D-Link DFL-2500 | User Guide - Page 135
    on ip ext network. WebUI : 1. Create Ping-Inbound Service If no ping-inbound service is defined, we need to create a new service. Objects → Services → Add → ICMP Service: Name: ping-inbound ICMP Parameters ICMP Message Types: Echo Request (Codes 0-255) Then click OK
  • D-Link DFL-2500 | User Guide - Page 136
    the internal network to any destination interface on any network. WebUI : 1. Create HTTP Service If no http service is defined, we need to create a new service. Objects → Services → Add → TCP/UDP Service: Name: http Type: TCP Source: 0-65535 Destination: 80 Then click OK
  • D-Link DFL-2500 | User Guide - Page 137
    NAT DNS traffic from internal interfaces out on external interfaces. Rules → IP Rules → Add → IP Rule: Name: DNS from LAN Action: NAT Service: dns-all Source Interface: LAN Source Network: lan-net Destination Interface: any Destination Network: all-nets Then click OK
  • D-Link DFL-2500 | User Guide - Page 138
    the IP address that internal IP addresses users to access the web server, the server must be reachable from a public address. Thus, we translate port 80 on the firewall's external address to port 80 on the web server: 1. Add a "HTTP" service object that uses TCP port 80.
  • D-Link DFL-2500 | User Guide - Page 139
    → IP Rules → Add → IP Rule: Name: SAT to WebServer Action: SAT Service: http Source Interface: any Source Network: all-nets Destination Interface: core Destination Network: ip ext SAT Translate the: Destination IP Address To New IP Address: ip webserver Then click OK
  • D-Link DFL-2500 | User Guide - Page 140
    on the local network to access the Internet via HTTP. Rules → IP Rules → Add → IP Rule: Name: HTTP from LAN Action: NAT Service: http Source Interface: LAN Source Network: lan-net Destination Interface: any match with the packet received and a SAT rule, the firewall will
  • D-Link DFL-2500 | User Guide - Page 141
    external connections (most likely interface WAN) on all-nets to the firewall's external public address ip ext. Tip Determining the best course of action and the sequential order of the rules must be done on a case-by-case basis, taking all circumstances into account.
  • D-Link DFL-2500 | User Guide - Page 142
    only authorized connections are allowed. Access control is basically addressed in the firewall's IP rules (introduced in 14. IP Rules). According to the rules, the firewall considers a range of protected LAN source, there is potential for unnecessary network congestion and denial of service (DoS)
  • D-Link DFL-2500 | User Guide - Page 143
    described as follows: • Any incoming traffic with a source IP address belonging to a local trusted host is NOT allowed. • Any outgoing traffic with a source IP address belonging to an outside untrusted network is NOT allowed. to take. If the traffic matches all the fields,
  • D-Link DFL-2500 | User Guide - Page 144
    out by the firewall. Filtering Fields ◦ Interface: The interface that the packet arrives on. ◦ Network: The IP span that the sender address should belong to. Action ◦ Drop: to discard the packets that match the defi on demand for these Actions. (Refer to 5 Logging)
  • D-Link DFL-2500 | User Guide - Page 145
    network is received on the LAN interface. Rules → Access → Add → Access Rule: Name: LAN Access Action: Expect Interface: LAN Network: lan-net Then click OK
  • D-Link DFL-2500 | User Guide - Page 146
    initiating inbound requests, and it forwards traffic from the Internet to DMZ computers without direct contact with the inner LAN. Obviously, this approach adds an extra layer of protection to the Intranet-firewall-Internet infrastructure. D-Link firewalls offer support for DMZ planning and protection
  • D-Link DFL-2500 | User Guide - Page 147
    server is placed in the DMZ. Requests to Web browsing service go through the firewall, and are forwarded to the Web server. We can define Rules that let the server in the DMZ accept only certain types of service requests, HTTP-based requests in this case, to protect the
  • D-Link DFL-2500 | User Guide - Page 148
    to the minimum necessary numbers to support the services. 16.1.2 DMZ Planning The utilization of ports on Int net to access the Database Server. If the Web Server is taken over by intrusion, the Database Server and other components on Int net may be exposed to attacks.
  • D-Link DFL-2500 | User Guide - Page 149
    130 Chapter 16. DMZ & Port Forwarding Approach 2 - Move the Database this scenario is dividing the DMZ net into different subnetworks according to different services and security levels of the components. We put the Database Server and the Web different subnetworks.
  • D-Link DFL-2500 | User Guide - Page 150
    Authentication 17.1 Authentication Overview Before any user's service request is authorized according to the firewall's security policies, the firewall needs to verify the identity of the user, to ensure that the corresponding user is who she or he claims to be. Authentication is the process to address
  • D-Link DFL-2500 | User Guide - Page 151
    person with a password. User authentication is frequently used in services, such as HTTP, FTP, and VPN. D-Link firewalls use Username/ a dictionary, or user's personal information, such as name, telephone number, and birth date are vulnerable to this attack. • Find:
  • D-Link DFL-2500 | User Guide - Page 152
    password also helps in protecting the Layer 2 tunnels, which apply encryption on the basis of user input passwords (See 22.2 PPTP/L2TP). 17.1.3 User Types D-Link firewalls and authentication schemes give support to diverse users. The user types can be: • administrators
  • D-Link DFL-2500 | User Guide - Page 153
    its internal user profiles to authenticate the user before approving any user's request. 17.2.2 External Authentication Server In a larger network topology, it is preferable to have one central database within a dedicated server or a cluster of servers to handle all the
  • D-Link DFL-2500 | User Guide - Page 154
    which is easily administered. D-Link firewalls support the use of RADIUS (Remote Authentication Dial-in User Service) Server to offer - Authentication via web browsing. Users surf on the firewall and login either through an HTML form or a 401 Authentication Required dialog.
  • D-Link DFL-2500 | User Guide - Page 155
    to specify the receiving interface, or source network, as this information is not available at the XAUTH phase. For the same reason, only one XAUTH user authentication rule can be defined. XAUTH is only used to set up IPsec VPN tunnels.
  • D-Link DFL-2500 | User Guide - Page 156
    : User Authentication Configuration In this section, guidelines and examples for authentication through HTTP/HTTPS agent are covered. For more examples about PPP and XAuth, please refer to 9.4.2, PPPoE Client Configuration, and 22, VPN Protocols & Tunnels, respectively.
  • D-Link DFL-2500 | User Guide - Page 157
    members of the administrators group are allowed to change the firewall configuration, while users that belong to the auditors group are only allowed to view the firewall configuration. Press the buttons under the Groups edit box to grant these group memberships to a user.
  • D-Link DFL-2500 | User Guide - Page 158
    authenticated users should be appended under the Allow rule from the first step. As explained in 14 IP Rules, all other traffic that is not explicitly allowed by the IP rule, for example, the unauthenticated traffic coming from the interface where authentication is
  • D-Link DFL-2500 | User Guide - Page 159
    (See 8.2.1 Example: Specifying a TCP service - HTTP) Address Filter Choose the following from the drop-down lists: Source Destination Interface: lan core Network: lannet lan ip Comments: Allow HTTP connections to the firewall's authentication agent. Click OK.
  • D-Link DFL-2500 | User Guide - Page 160
    Source Destination Interface: lan any Network: lannet users all-nets (Note here the source network is an address object containing user authentication information.) Comments: Allow authenticated "users" from "lannet" to browse the Web on the Internet. Click OK.
  • D-Link DFL-2500 | User Guide - Page 161
    port 81 instead. 2. In HTTP(s) Agent Options, there are two login types available, HTMLForm and BasicAuth. The problem . • Idle Timeout: If a user has successfully been authenticated, and no traffic has been seen from his IP address for this number of seconds, below:
  • D-Link DFL-2500 | User Guide - Page 162
    firewall will check if the authenticated user has been idle for a period of time. If so, the old user will be removed, and this new user will be logged in. If not, the new login-request will be rejected. The time period for this option can be defined in the edit box.
  • D-Link DFL-2500 | User Guide - Page 163
    144 Chapter 17. User Authentication
  • D-Link DFL-2500 | User Guide - Page 164
    Part VII Content Inspection
  • D-Link DFL-2500 | User Guide - Page 165
    In addition to inspecting packets at the network layer (OSI layer 3), D-Link firewalls are capable of examining the content of each packet to give far more powerful and flexible protection on higher layers. Topics in this part
  • D-Link DFL-2500 | User Guide - Page 166
    security than packet-filtering-only firewalls, since they are capable of scrutinizing all traffic for specific service protocols to give protection at the top level of the TCP/IP stack. In this chapter, the following application standards supported by D-Link ALGs are described. • FTP • HTTP • H.323
  • D-Link DFL-2500 | User Guide - Page 167
    problems for firewalls. Consider a scenario where an FTP client on the internal network connects through the firewall to an FTP server on the Internet. The IP rule in the firewall is then configured to allow network traffic from the FTP client to port 21 on the FTP server.
  • D-Link DFL-2500 | User Guide - Page 168
    mode. Solution The FTP ALG solves this problem by fully reassembling the TCP stream of the command channel and examining its contents. Thus, the firewall knows what port to be opened for the data channel. client using active mode and the FTP server using passive mode.
  • D-Link DFL-2500 | User Guide - Page 169
    Figure 18.1: FTP ALG Scenario 1 In this example, an FTP server is connected to a D-Link firewall on a DMZ with private IP addresses, shown in Figure 18.1. To make it possible to connect to this server from the Internet to use passive mode (unsafe for server) Then click OK.
  • D-Link DFL-2500 | User Guide - Page 170
    -ext (assume the external interface has been defined as "ip-ext") SAT: Check Translate the Destination IP Address To: New IP Address: ftp-internal. (Assume this internal IP address of FTP server has been defined in the Address Book object.) New Port: 21. Then click OK.
  • D-Link DFL-2500 | User Guide - Page 171
    OK. - Allow incoming connections (SAT needs a second Allow rule): Rules → IP Rules → Add → IP Rule: General: Name: Allow-ftp Action: Allow Service: ftp-inbound Address Filter: Source Destination Interface: any core Network: all-nets ip-ext Then click OK.
  • D-Link DFL-2500 | User Guide - Page 172
    FTP Clients Figure 18.2: FTP ALG Scenario 2 In this scenario, shown in Figure 18.2, a D-Link firewall is protecting a workstation that will connect to FTP servers on the internet. To make it Check Allow server to use passive mode (unsafe for server) Then click OK.
  • D-Link DFL-2500 | User Guide - Page 173
    earlier. - Allow connections to ftp-servers on the outside: Rules → IP Rules → Add → IP Rule: General: Name: Allow-ftp-outbound Action: Allow Service: ftp-outbound Address Filter: Source Interface: lan Network: lannet Then click OK. Destination wan all-nets
  • D-Link DFL-2500 | User Guide - Page 174
    typically sends a request by establishing a TCP/IP connection to a particular port (usually port 80) on a remote server. The server services, some add-on components, known as "active contents", are usually accompanied with the HTTP response to the client computer.
  • D-Link DFL-2500 | User Guide - Page 175
    An applet can contain malicious code, which can lead to security problems. Cookies A cookie is a small text file, stored Link HTTP ALG configuration, some or all of the active contents mentioned previously can be stripped away from HTTP traffic upon administrator's requests.
  • D-Link DFL-2500 | User Guide - Page 176
    access to the specific resource. Example: Configuring HTTP ALG In this example, an HTTP ALG in a D-Link firewall is created. It is con configured in a similar way. We assume that the HTTP service object and an IP rule to allow the HTTP traffic have been defined in the click OK.
  • D-Link DFL-2500 | User Guide - Page 177
    Then click OK. 2. Service - Adding the HTTP ALG into the corresponding service object. Objects → Services → HTTP: Application Layer Gateway IP (VoIP). 18.4.2 H.323 Components The H.323 standard consists of these four main components: • Terminals • Gateways • Gatekeepers
  • D-Link DFL-2500 | User Guide - Page 178
    me, forward on busy, etc. A gatekeeper is needed when there is more than one H.323 terminal behind a NATing firewall with only one public IP. MCUs (Multipoint Control Units) MCUs provide support for conferences different protocols used in H.323 are briefly described below:
  • D-Link DFL-2500 | User Guide - Page 179
    other while connected to private networks secured by D-Link Firewalls. The H.323 specification was not designed to handle NAT, as IP addresses and ports are sent in the payload of H.323 version 5 (H.225.0 v5, H.245 v10) • Application sharing (T.120) • Gatekeeper support
  • D-Link DFL-2500 | User Guide - Page 180
    NAT and SAT rules are supported, allowing clients and gatekeepers to use private IP addresses on a network behind service definitions used in these scenarios are: • Gatekeeper (UDP ALL → 1719) • H323 (H.323 ALG, TCP ALL → 1720) • H323-Gatekeeper (H.323 ALG, UDP → 1719)
  • D-Link DFL-2500 | User Guide - Page 181
    a D-Link Firewall Figure 18.3: H.323 Scenario 1. Using Public IP Addresses In the first scenario an H.323 phone is connected to a D-Link Firewall on a network (lan-net) with public IP addresses. disallowing or allowing the same kind of ports/traffic before these rules.
  • D-Link DFL-2500 | User Guide - Page 182
    phone is connected to a D-Link Firewall on a network with private IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure firewall rules.
  • D-Link DFL-2500 | User Guide - Page 183
    Outgoing Rule Rules → IP Rules → Add → IP Rule: Enter the following: Name: H323Out Action: NAT Service: H323 Source Interface: LAN Destination Interface: any Source Network: lan-net Destination Network: 0.0.0.0/0 (all-nets) Comment: Allow outgoing calls. Then click OK
  • D-Link DFL-2500 | User Guide - Page 184
    Allow Service: H323 Source Interface: any Destination Interface: core Source Network: 0.0.0.0/0 (all-nets) Destination Network: ip-wan (external IP of the firewall) Comment: Allow incoming calls to H.323 phone at ip-phone. Then click OK To place a call to the phone behind the D-Link Firewall, place
  • D-Link DFL-2500 | User Guide - Page 185
    with public IP addresses. In order to place calls on these phones over the Internet, the following rules need to be added to the rule listings in both firewalls. Make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules.
  • D-Link DFL-2500 | User Guide - Page 186
    private IP addresses. In order to place calls on these phones over the Internet, the following rules need to be added to the rule listings in the firewall; make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules. As we are
  • D-Link DFL-2500 | User Guide - Page 187
    Interface: core Source Network: 0.0.0.0/0 (all-nets) Destination Network: ip-wan (external IP of the firewall) Comment: Allow incoming calls to H.323 phone at ip-phone. SAT Translate Destination IP Address: To New IP Address: ip-phone (IP address of phone) Then click OK
  • D-Link DFL-2500 | User Guide - Page 188
    Allow Service: H323 Source Interface: any Destination Interface: core Source Network: 0.0.0.0/0 (all-nets) Destination Network: ip-wan (external IP of the firewall) Comment: Allow incoming calls to H.323 phone at ip-phone. Then click OK To place a call to the phone behind the D-Link Firewall, place
  • D-Link DFL-2500 | User Guide - Page 189
    all-nets) Destination Network: ip-wan (external IP of the firewall) Comment: SAT rule for incoming communication with the Gatekeeper located at ip-gatekeeper. SAT Translate Destination IP Address: To New IP Address: ip-gatekeeper (IP address of gatekeeper) Then click OK
  • D-Link DFL-2500 | User Guide - Page 190
    no need to specify a specific rule for outgoing calls. The D-Link Firewall monitors the communication between "external" phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper.
  • D-Link DFL-2500 | User Guide - Page 191
    like in scenario 3 (see 18.4.5). The other D-Link Firewall should be configured as follows. The following rules need to be added to the rule listings in the firewall; make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules.
  • D-Link DFL-2500 | User Guide - Page 192
    Gatekeeper Rule Rules → IP Rules → Add → IP Rule: Enter the following: Name: H323Out Action: NAT Service: H323-Gatekeeper Source Interface VPN tunnels are correctly configured and that all offices use private IP-ranges on their local networks. All outside calls are done
  • D-Link DFL-2500 | User Guide - Page 193
    telephone network using the gateway (ip-gateway) connected to the ordinary telephone network. Head Office Firewall Configuration The head office has placed an H.323 Gatekeeper in the DMZ of the corporate D-Link Firewall. This D-Link Firewall should be configured as follows.
  • D-Link DFL-2500 | User Guide - Page 194
    Service: H323 Source Interface: LAN Destination Interface: DMZ Source Network: lan-net Destination Network: ip-gateway Comment: Allow H.323 entities on lan-net to call phones connected to the H.323 Gateway on the DMZ. Remember to use the correct service. Then click OK
  • D-Link DFL-2500 | User Guide - Page 195
    Action: Allow Service: H323-Gatekeeper Source Interface: vpn-branch Destination Interface: DMZ Source Network: branch-net Destination Network: ip-gatekeeper, ip-gateway Comment: Allow communication with the Gatekeeper on DMZ from the Branch network Then click OK
  • D-Link DFL-2500 | User Guide - Page 196
    and remote office H.323 phones and applications will be configured to use the H.323 Gatekeeper at the head office. The D-Link Firewalls in the remote and branch offices should be configured as follows. The following rule should be in both the Branch and Remote Office firewalls.
  • D-Link DFL-2500 | User Guide - Page 197
    with the Gatekeeper connected to the Head Office DMZ. Then click OK The branch office D-Link Firewall has an H.323 Gateway connected to its DMZ. In order to allow the Gateway to register with the H.323 Gatekeeper at the Head Office, the following rule has to be configured.
  • D-Link DFL-2500 | User Guide - Page 198
    no need to specify a specific rule for outgoing calls. The D-Link Firewall monitors the communication between "external" phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper.
  • D-Link DFL-2500 | User Guide - Page 199
    180 Chapter 18. Application Layer Gateway (ALG)
  • D-Link DFL-2500 | User Guide - Page 200
    by an attacker, Intrusion Detection is an important technology to identify and prevent these threats. In order to make an effective and reliable IDS, D-Link IDS goes through three levels of processing and addresses the following questions: • What traffic to analyze • What to search for (i.e. what is an
  • D-Link DFL-2500 | User Guide - Page 201
    Detection Rule defines the kind of traffic - service - that should be analyzed. Filtering fields regarding source and destination interfaces, networks, ports, and protocols are also defined here. Only tra attack, traffic can either be dropped, logged, both, or simply ignored. D-Link Firewalls User's Guide
  • D-Link DFL-2500 | User Guide - Page 202
    ffic even if the rule set decides that the packet should be dropped. 19.2.1 Scenario 1 Traffic is only passed on to the IDS if the firewall's IP rule set decides that it is valid, shown in Figure 19.1. Figure 19.1: IDS Chain of Events Scenario 1 D-Link Firewalls User's Guide
  • D-Link DFL-2500 | User Guide - Page 203
    arrives on the firewall and initial verifications regarding source/destination IP addresses and source/destination ports are performed. The firewall's IP rule set decides that this packet should be dropped, but before - pattern matching. If not, the packet is dropped. D-Link Firewalls User's Guide
  • D-Link DFL-2500 | User Guide - Page 204
    19.2. Chain of Events 185 Figure 19.2: IDS Chain of Events Scenario 2 D-Link Firewalls User's Guide
  • D-Link DFL-2500 | User Guide - Page 205
    firewall, at a configurable interval. This is done through a HTTP connection to a D-Link server, hosting the latest signature database file. If this signature database file has a newer version describes the communication flow when a new signature database file is downloaded: D-Link Firewalls User's Guide
  • D-Link DFL-2500 | User Guide - Page 206
    seconds before sending a new e-mail. Example: Configuring a SMTP Log Receiver In this example, an Intrusion Detection Rule is configured with a SMTP Log Receiver and the following values: Minimum Repeat Time: 600 seconds Hold Time: 120 seconds Log Threshold: 2 events D-Link Firewalls User's Guide
  • D-Link DFL-2500 | User Guide - Page 207
    IP Firewall Minimum Repeat Delay: 600 Hold Time: 120 Log Threshold: 2 Then click OK. 2. IDS Rules: - Enabling logging in the "Log Settings" configuration page for a specific IDS rule and using All receivers or specific receiver "smtp4IDS" configured above as log receiver. D-Link Firewalls User's Guide
  • D-Link DFL-2500 | User Guide - Page 208
    server is exposed to the Internet on the DMZ network, with a public IP address, and is to be protected by the IDS, as shown in Figure a service for SMTP does not already exist, it must be created, which is done in Objects → Services. Type is TCP, and destination port is Link Firewalls User's Guide
  • D-Link DFL-2500 | User Guide - Page 209
    IDS Rules → Add → IDS/IDP Rule: Name: IDSMailSrvRule Service: smtp Also inspect dropped packets: In case all traffic WAN Source Network: wan-net Destination Interface: DMZ Destination Network: ip mailserver Then click OK If logging of intrusion attempts is desired, this
  • D-Link DFL-2500 | User Guide - Page 210
    Part VIII Virtual Private Network (VPN)
  • D-Link DFL-2500 | User Guide - Page 211
    application of Encryption and Authentication, offering good flexibility, effective protection, and cost efficiency on connections over the Internet. Topics in this part include: • Introduction to VPN • Introduction to Cryptography • VPN in Firewalls • VPN Protocols & Tunnels • VPN Planning
  • D-Link DFL-2500 | User Guide - Page 212
    no one is falsifying information, i.e. pretending to be someone else. VPNs, Virtual Private Networks, provide a very cost efficient means of establishing secure links to parties that wish to exchange information in a trustworthy manner. 20.1.1 VPNs vs Fixed Connections Using leased lines or other non
  • D-Link DFL-2500 | User Guide - Page 213
    computers began talking to each other. In the beginning, communication was limited to local area communication links, but in time, people were finding reasons confirmations travel through the hands of one of their competitors? - Hardly.
  • D-Link DFL-2500 | User Guide - Page 214
    the reverse procedure - decryption, to return to the original plaintext. Encryption algorithms can be categorized into three types: symmetric, asymmetric, and hybrid encryption.
  • D-Link DFL-2500 | User Guide - Page 215
    faster and simpler computation method, but the key distribution among users in the first place is a major problem, which must be carried out very carefully to prevent from to the ageing DES. The D-Link firewall's VPN implementation supports all the algorithms above.
  • D-Link DFL-2500 | User Guide - Page 216
    secrets, which is one of the most widely used key exchange methods supporting various secure Internet protocols, e.g. SSL, SSH, and IPsec. In the protocol, each side of the connection generates a related as a shared secret key for symmetric encryption. In such a way,
  • D-Link DFL-2500 | User Guide - Page 217
    the critical keying information is not transmitted through the insecure connection. 20.2.2 Authentication & Integrity In easily repudiate the message that has been signed. The procedure of producing a digital signature works as follows:
  • D-Link DFL-2500 | User Guide - Page 218
    is valid. Certificate: As introduced in 8.4 X.509 Certificates, D-Link firewalls also support digital certificates, which authenticate that a public key genuinely belongs to the party claiming it. The digital certificates supported by D-Link firewalls conform to the X.509 standard.
  • D-Link DFL-2500 | User Guide - Page 219
    the firewall protect the security gateway and log attempted attacks on it? ◦ Does the configuration support roaming clients? ◦ Can the firewall inspect and log traffic passing in and out of the VPN? ◦ Does the configuration add points of failure to the Internet connection?
  • D-Link DFL-2500 | User Guide - Page 220
    • The Security Gateway is not protected by the firewall • The firewall cannot easily determine which traffic came through an authenticated VPN and which came from the Internet, especially in the case of roaming clients • Internet connectivity depends on the Security Gateway
  • D-Link DFL-2500 | User Guide - Page 221
    firewall • Support for roaming clients is nearly impossible Between the Firewall and the Internal Network (Figure 20.3) ♦ Benefits • Supports roaming clients • No special routing information needed in the firewall • The firewall can protect the Security Gateway ♦ Drawbacks
  • D-Link DFL-2500 | User Guide - Page 222
    does not depend on the Security Gateway ♦ Drawbacks • The firewall cannot inspect nor log plaintext from the VPN • Special routes need to be added to the firewall, or to all internal clients participating in the VPN • Support for roaming clients is very hard to achieve
  • D-Link DFL-2500 | User Guide - Page 223
    the Security Gateway in order to reach the VPN clients with moving IPs Incorporated in the Firewall (Figure 20.6) ♦ Benefits • The firewall can protect the Security Gateway subsystem • The firewall can inspect and log plaintext from the VPN • Supports roaming clients
  • D-Link DFL-2500 | User Guide - Page 224
    piece of hardware to the chain of points that may fail. This solution provides the highest degree of functionality and security and is the design D-Link has chosen. All normal modes of operation are supported, and all traffic may be inspected and logged by the firewall.
  • D-Link DFL-2500 | User Guide - Page 226
    computers. • Restricting access through the VPN to needed services only, since mobile computers are vulnerable. • Creating DMZs for services that need to be shared with other companies through VPNs. • Adapting VPN access policies for different groups of users. • Creating key distribution policies
  • D-Link DFL-2500 | User Guide - Page 227
    to this task. By doing this, you can restrict which services can be accessed via VPN and modem and ensure that these services are well protected against intruders. In instances where the firewall In fact, tighter restrictions should be placed on roaming clients.
  • D-Link DFL-2500 | User Guide - Page 228
    any sort of information, is not telling the truth. • If the VPN client offers a method for remembering all passwords without having the user supply any information, disable that feature. If not, sooner or later, since that leaves the least amount of files in local storage.
  • D-Link DFL-2500 | User Guide - Page 229
    grant VPN user (group) in the future. • Should the keys be changed? If so, how often? In cases where keys are shared by multiple users, you may want to consider overlapping schemes, so that the old keys work for a short period of time when new keys have been issued.
  • D-Link DFL-2500 | User Guide - Page 230
    changed of course. • In cases where the key is not directly programmed into a network unit such as a VPN gateway, how should the key be stored? Should it be on a floppy? As a pass phrase to memorize? On a smart card? If it is a physical token, how should it be handled?
  • D-Link DFL-2500 | User Guide - Page 232
    most widely used standard for implementing VPNs. IPsec is designed to work for all IP traffic, independently of application. This approach results in the advantage that neither the applications nor the users need to know any details about the encryption. IPsec uses Diffie-Hellman key exchange protocol
  • D-Link DFL-2500 | User Guide - Page 233
    or not depends on the IPsec modes. 22.1.2 IPsec Modes IPsec supports two different modes: Transport and Tunnel modes. Transport mode - encapsulates the data of the packet and leaves the IP header unchanged, which is typically used in a client-to-gateway scenario.
  • D-Link DFL-2500 | User Guide - Page 234
    IPsec gateway-to-gateway scenario. In transport mode, the ESP protocol inserts an ESP header after the original IP header, and in tunnel mode, the ESP header is inserted after a new outer IP header, but before the original, inner, IP a way for the VPN endpoints to agree on
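    To make the header placement in the two modes concrete, here is an added Python example, not code from the manual or the firewall, that builds both encapsulations byte for byte and shows what an on-path observer sees versus what the receiving peer recovers. Encryption and the integrity check value are deliberately left out so the layout stays visible; the addresses and payload are constructed.

```python
import socket
import struct

ESP_PROTOCOL = 50          # IP protocol number of ESP
NEXT_HEADER_IPIP = 4       # ESP trailer "next header" value for an encapsulated IPv4 packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over a 20-byte IPv4 header (returns 0 for a valid header)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_wrap(next_header: int, plaintext: bytes, spi: int, seq: int) -> bytes:
    """ESP header (SPI, sequence) | payload | ESP trailer (pad length, next header).
    Real ESP encrypts payload+trailer and appends an ICV; both are omitted here, so
    this is an illustration of the layout, not a usable ESP implementation."""
    return struct.pack("!II", spi, seq) + plaintext + struct.pack("!BB", 0, next_header)


def transport_mode(src, dst, inner_proto, payload, spi, seq) -> bytes:
    """Original IP header is kept (protocol field rewritten to ESP); ESP follows it."""
    esp = esp_wrap(inner_proto, payload, spi, seq)
    return ipv4_header(src, dst, ESP_PROTOCOL, len(esp)) + esp


def tunnel_mode(gw_src, gw_dst, inner_src, inner_dst, inner_proto, payload, spi, seq) -> bytes:
    """New outer IP header between the gateways; the whole original packet rides inside ESP."""
    inner = ipv4_header(inner_src, inner_dst, inner_proto, len(payload)) + payload
    esp = esp_wrap(NEXT_HEADER_IPIP, inner, spi, seq)
    return ipv4_header(gw_src, gw_dst, ESP_PROTOCOL, len(esp)) + esp


def on_path_view(packet: bytes) -> dict:
    """What a router between the peers can read: outer addresses, protocol, SPI, sequence."""
    ihl = (packet[0] & 0x0F) * 4
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9], "spi": spi, "seq": seq}


def decapsulate(packet: bytes):
    """Receiving peer: strip the outer header and ESP, return (next_header, inner bytes)."""
    ihl = (packet[0] & 0x0F) * 4
    body = packet[ihl + 8:]
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[:len(body) - 2 - pad_len]


if __name__ == "__main__":
    seg = b"TCP segment"   # constructed payload
    t = transport_mode("10.0.1.5", "10.0.2.7", 6, seg, 0x1000, 1)
    u = tunnel_mode("203.0.113.1", "198.51.100.1", "10.0.1.5", "10.0.2.7", 6, seg, 0x2000, 1)
    print("transport:", on_path_view(t))   # the hosts' own addresses are the outer header
    print("tunnel:   ", on_path_view(u))   # only the gateways' addresses are visible
```

    The difference that matters for the firewall placement discussion in Chapter 20 is visible in the output: in transport mode the real end hosts appear in the outer header, while in tunnel mode an observer learns only the two gateway addresses, the SPI and the sequence number.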
  • D-Link DFL-2500 | User Guide - Page 235
    exchange in phase-1, to provide session keys to use in protecting the VPN data flow. Both the IKE SAs and the IPsec SAs have limited lifetimes, described as time (seconds), and data (kilobytes importance of having "compatible" configurations on both communication ends.
  • D-Link DFL-2500 | User Guide - Page 236
    -2 negotiation has been finished, making sure no more than one phase-2 negotiation is encrypted using the same key. IKE creates a new SA for every new IPsec SA needed.
  • D-Link DFL-2500 | User Guide - Page 237
    , and which specific versions of the draft it supports. To detect the necessity of using NAT traversal, both IPsec peers send hashes of their own IP addresses along with the source UDP port used in the IKE negotiations. This information is used to see whether the IP
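    The detection described above is the NAT-D exchange of RFC 3947, where each payload carries HASH(CKY-I | CKY-R | IP | Port) and the receiver recomputes the hashes from the addresses and port it actually observes. The following Python model is an added example, not code from the manual or the firewall; it assumes SHA-1 (the real exchange uses the hash algorithm negotiated in phase-1), and the cookies, addresses and ports are constructed.

```python
import hashlib
import socket
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port). SHA-1 is an assumption here."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, own_ip, own_port, peer_ip, peer_port):
    """Sender side. The first payload hashes the peer's address as the sender sees it;
    the remaining payload(s) hash the sender's own address(es) and IKE source port."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, own_ip, own_port)]


def detect_nat(cky_i, cky_r, payloads, own_ip, own_port, observed_src_ip, observed_src_port):
    """Receiver side: compare the sender's hashes with what the receiver actually observes."""
    expected_own = nat_d_hash(cky_i, cky_r, own_ip, own_port)
    expected_src = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    local_nat = payloads[0] != expected_own        # our address was rewritten in front of us
    remote_nat = expected_src not in payloads[1:]  # peer's real address differs from what we see
    return {"local_nat": local_nat, "remote_nat": remote_nat,
            "use_nat_t": local_nat or remote_nat}


if __name__ == "__main__":
    # Constructed cookies and addresses: a roaming client on 192.168.1.10 behind a NAT
    # that rewrites it to 203.0.113.5:13005, talking to a gateway on 198.51.100.1.
    cky_i = bytes.fromhex("0011223344556677")
    cky_r = bytes.fromhex("8899aabbccddeeff")
    payloads = build_nat_d_payloads(cky_i, cky_r, "192.168.1.10", 500, "198.51.100.1", 500)
    print(detect_nat(cky_i, cky_r, payloads, "198.51.100.1", 500, "203.0.113.5", 13005))
```

    When the client's hash of its own 192.168.1.10:500 does not match the gateway's hash of the observed 203.0.113.5:13005, the peers switch to UDP encapsulation; with no NAT in the path every hash matches and plain ESP is used.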
  • D-Link DFL-2500 | User Guide - Page 238
    sound mathematical algorithms. D-Link VPNs embed various methods for achieving these critical tasks, namely hash functions for message integrity, and pre-shared keys and X.509 certificates based on asymmetric encryption algorithms (e.g. RSA, DSA) for verifying identities.
  • D-Link DFL-2500 | User Guide - Page 239
    How are the pre-shared keys distributed to remote VPN clients and gateways? This is a major issue, since the security of a PSK system is based on the PSKs being secret. Should one PSK be compromised in some way, the configuration will need to be changed to use a new PSK.
  • D-Link DFL-2500 | User Guide - Page 240
    X.509 Certificate The other option for primary authentication is to use X.509 Certificate within each VPN IP addresses of the travelling employees VPN clients cannot be foreseen, the incoming VPN problem. An identification list contains one or more configurable
  • D-Link DFL-2500 | User Guide - Page 241
    authentication of the user who is using the device. With XAuth, IKE can also authenticate the user after the device has been authenticated during the phase-1 negotiation. If enabled, a username and password are requested for this add-on user authentication.
  • D-Link DFL-2500 | User Guide - Page 242
    uses the 10.0.1.0/24 network span with external firewall IP ip head wan. The branch office uses the 10.0.2.0/24 network span with external firewall IP ip branch wan. The following configuration will have to be done on both the head office firewall and the branch office firewall.
  • D-Link DFL-2500 | User Guide - Page 243
    IPsec authentication. Objects → VPN Objects ip head wan. Encapsulation Mode: Tunnel Algorithms IKE Algorithms: Medium or High IPsec Algorithms: Medium or High Authentication Pre-Shared Key: Select the pre-shared key created earlier, TestKey in this case. Then click OK
  • D-Link DFL-2500 | User Guide - Page 244
    Roaming Client Example Scenario. This example describes how to configure an IPsec tunnel used for roaming clients (mobile users) that connect to the head office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP ip wan.
  • D-Link DFL-2500 | User Guide - Page 245
    VPN Objects → Pre-Shared Keys → Add → Pre-Shared Key: Enter the following: Name: Enter a name for the pre-shared key, SecretKey for instance. Passphrase/Shared Secret: Enter a secret passphrase. Passphrase/Confirm Secret: Enter the secret passphrase again. Then click OK
  • D-Link DFL-2500 | User Guide - Page 246
    the pre-shared key created earlier, SecretKey in this case. Routing Automatic Routing The IPSec tunnel needs to be configured to dynamically add routes to the remote network traffic inside the tunnel. See 14.3 IP Rules Configuration for details on how to configure rules.
  • D-Link DFL-2500 | User Guide - Page 247
    layer header and trailer are put onto the PPTP encapsulated packet to form the tunneling data. PPTP uses TCP port 1723 for its control connection and GRE (IP protocol 47) for the PPP data. Table 22.1: PPTP Encapsulation: [IP Header][GRE Header][PPP Payload], the PPP payload being the PPP frame.
  • D-Link DFL-2500 | User Guide - Page 248
    Point-to-Point Encryption (MPPE) may be used with PPTP to support an encrypted data tunnel. MPPE uses the RSA RC4 algorithm for encryption and supports 40-bit, 56-bit and 128-bit session keys, which true strength of the key is governed by the randomness of the password.
  • D-Link DFL-2500 | User Guide - Page 249
    → VPN Local User Databases → UserDB → Add → User: Enter the following: Username: testuser Password: testpassword Confirm Password: testpassword It is possible to configure a static IP for this user in the Per-user PPTP/L2TP IP Configuration section. Then click OK
  • D-Link DFL-2500 | User Guide - Page 250
    any NBNS (WINS) servers to hand out to connected clients. Proxy ARP: Leave as default, or specifically select the LAN interface if the IPs in the IP Pool are part of the network on the LAN interface. Then click OK
  • D-Link DFL-2500 | User Guide - Page 251
    configuration is saved and activated, it should be possible for PPTP clients to connect to the PPTP server on 10.0.0.1 on the WAN interface.
  • D-Link DFL-2500 | User Guide - Page 252
    Configuring PPTP Name: PPTPClient Tunnel Protocol: PPTP Remote Endpoint: 10.0.0.1 (The IP of the PPTP server) Remote Network: 0.0.0.0/0 (all-nets) as provided to you by your service provider. Password: The password provided to you by your service provider. Confirm Password:
  • D-Link DFL-2500 | User Guide - Page 253
    put onto the L2TP encapsulated packet to form the tunneling data. L2TP uses UDP port 1701 for its control and data connections. L2TP authentication PPTP and L2TP tunnels use the same authentication mechanisms as PPP connections, such as PAP, CHAP, MS-CHAP v1 and v2.
  • D-Link DFL-2500 | User Guide - Page 254
    with IPsec, using pre-shared keys. The LAN network is a 192.68.1.0/24 network, and 10.0.0.0/24 is the network on the WAN interface. L2TP clients will connect to the L2TP/IPsec server on 10.0.0.1 on the WAN interface, in order to access resources on the LAN interface.
  • D-Link DFL-2500 | User Guide - Page 255
    → VPN Local User Databases → UserDB → Add → User: Enter the following: Username: testuser Password: testpassword Confirm Password: testpassword It is possible to configure a static IP for this user in the Per-user PPTP/L2TP IP Configuration section. Then click OK
  • D-Link DFL-2500 | User Guide - Page 256
    user's source IP IPSec tunnel needs to be configured to dynamically add routes to the remote network when the tunnel is established. This is done under the Routing tab. Dynamically add route to the remote network when a tunnel is established: Enable Then click OK
  • D-Link DFL-2500 | User Guide - Page 257
    any NBNS (WINS) servers to hand out to connected clients. Proxy ARP: Leave as default, or specifically select the LAN interface if the IPs in the IP Pool are part of the network on the LAN interface. Then click OK
  • D-Link DFL-2500 | User Guide - Page 258
    for example) a NAT rule has to be configured as well. When the configuration is saved and activated, it should be possible for L2TP/IPsec clients to connect to the L2TP/IPsec server on 10.0.0.1 on the WAN interface.
  • D-Link DFL-2500 | User Guide - Page 259
    Example: Configuring L2TP/IPsec Client This example describes how to set up an L2TP client with IPsec, using pre-shared keys. on the L2TP/IPsec server) Passphrase/Confirm Secret: Enter the secret passphrase again. Then click OK
  • D-Link DFL-2500 | User Guide - Page 260
    Routing The IPSec tunnel needs to be configured to not dynamically add routes to the remote network when the tunnel is established. This is done under the Routing tab. Dynamically add route to the remote network when a tunnel is established: Disable Then click OK
  • D-Link DFL-2500 | User Guide - Page 261
    ) Gateway: (None) Local IP Address: (None) Metric: 0 Then click OK When the configuration is saved and activated, the L2TP/IPsec client should connect to the L2TP/IPsec server, and all traffic (except traffic to 10.0.0.1) should be routed over the L2TP/IPsec interface.
  • D-Link DFL-2500 | User Guide - Page 262
    IPsec-based VPNs browsing service support HTTPS, and more and more web sites use the protocol to obtain confidential user information, such as credit card numbers. There are a number of versions of the SSL/TLS protocol. D-Link firewalls fully support SSLv3 and TLSv1. Both versions have since been deprecated (SSLv3 by RFC 7568, TLS 1.0 by RFC 8996), so neither should be relied on for new deployments.
  • D-Link DFL-2500 | User Guide - Page 263
    244 Chapter 22. VPN Protocols & Tunnels D-Link Firewalls User's Guide
  • D-Link DFL-2500 | User Guide - Page 264
    Part IX Traffic Management
  • D-Link DFL-2500 | User Guide - Page 265
    and minimizing possible delay and congestion on networks. It encompasses the measuring of network capacity and traffic modelling to manage network resources efficiently and provide services the bandwidth they need. Topics in this part include: • Traffic Shaping • Server Load Balancing (SLB)
  • D-Link DFL-2500 | User Guide - Page 266
    to carry traffic belonging to a growing variety of users with diverse service requirements, for example, bulk data transfer, IP Telephony, VPNs, and multimedia applications. But one of the major drawbacks of TCP/IP is the lack of true Quality of Service (QoS) functionality, which is the ability to
  • D-Link DFL-2500 | User Guide - Page 267
    control in well-defined choke points. A D-Link firewall has an extensible traffic shaper integrated inside. The traffic shaper works by measuring and queuing IP packets, in transit, with respect to a number that it will not interfere with the throughput of prioritized traffic.
  • D-Link DFL-2500 | User Guide - Page 268
    user can be configured to the same extent as the main pipe. A group is specified with respect to a number of parameters, for instance, source or destination IP network, IP address or port of D-Link firewalls and is the base for all bandwidth control. Pipes are fairly
  • D-Link DFL-2500 | User Guide - Page 269
    on particular applications or manual configurations, traffic can be treated as having different levels of importance. In an IP version 4 packet, there is a 1-byte field called Type-of-Service (ToS) in the . The actual limiting of bandwidth is performed inside each precedence;
  • D-Link DFL-2500 | User Guide - Page 270
    as long as there is room in this precedence. [Figure: IPv4 header layout. Fields in order: Version, IP Header Length, Type-of-Service (1 byte), Identification, Time-to-Live, Protocol, Source Address, Destination Address, Options (padding), Data.] be guaranteed if available bandwidth is not known at all times
  • D-Link DFL-2500 | User Guide - Page 271
    and guarantee bandwidth per IP address communicating through the pipe. Limits can be set either by specifying the maximum bandwidth per group manually or by using Dynamic Balancing. The control first occurs per user group and then continues with the pipe as a whole.
  • D-Link DFL-2500 | User Guide - Page 272
    one used. 23.4 Scenarios: Setting up Traffic Shaping As seen from the previous sections, in D-Link firewalls, all measuring, limiting, guaranteeing and balancing is carried out in Pipes. However, a pipe by itself is meaningless unless it is put into use in the Pipe Rules
  • D-Link DFL-2500 | User Guide - Page 273
    traffic is first filtered within the firewall's normal IP ruleset; if allowed, it is then compared with the Pipe limited with respect to the configuration and is then forwarded to its destination, or to the next pipe in a services, the fixed precedence "Low" is defined on them.
  • D-Link DFL-2500 | User Guide - Page 274
    to WAN for all services (defined by the Services object "all-services"): Traffic Shaping → Pipe Rules → Add → Pipe Rule: → General Enter the following: Name: ToInternet Service: all-services Address Filter: Source Interface: lan, Source Network: lannet; Destination Interface: wan, Destination Network: wannet
  • D-Link DFL-2500 | User Guide - Page 275
    Pipe Chains Forward Chain: Select "std-in" from the Available list and put it into the Selected list. Return Chain: Select "std-out" from the Available list and put it into the Selected list. Precedence: check Use Fixed Precedence, select Low from the dropdown list and then click OK.
  • D-Link DFL-2500 | User Guide - Page 276
    : → General Enter the following: Name: HTTP Service: HTTP Address Filter: Source Interface: lan, Source Network: lannet; Destination Interface: wan, Destination Network: wannet → Traffic Shaping Pipe Chains Forward Chain: Select "std-out" from Available list click the "HTTP" rule item and click Move to Top.
  • D-Link DFL-2500 | User Guide - Page 277
    a pipe A pipe can be further divided into several groups with regard to particular network, IP, port, or interface; and the total bandwidth of the pipe can be fairly distributed onto each the dropdown list. Check Enable dynamic balancing of groups and then click OK.
  • D-Link DFL-2500 | User Guide - Page 278
    : Pipe Chains Return Chain: Select "http-in" from the Available list and put it into the Selected list on top of "std-in", then click OK.
  • D-Link DFL-2500 | User Guide - Page 279
    Note An appropriate order for pipes in a chain must be set carefully.
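    The pipe and precedence mechanics described in this chapter, as an added Python model that is not the firewall's own implementation: a pipe rule classifies a packet either by a fixed precedence (the scenario's "Low") or by the IP precedence bits of the ToS byte, and a pipe drains its eight precedence queues highest first under one limit, with optional per-precedence caps so that bulk traffic cannot eat into the prioritized share. Sizes are bytes per scheduling interval, the interval length is abstracted away, and the traffic is constructed.

```python
from collections import deque
from typing import Dict, List, Optional


def tos_precedence(ipv4_header: bytes) -> int:
    """IP precedence is the top three bits of the 1-byte Type-of-Service field (header byte 1)."""
    return ipv4_header[1] >> 5


class Pipe:
    """Eight precedence queues (0 lowest .. 7 highest) drained under one bandwidth limit."""

    def __init__(self, name: str, limit: int, precedence_limits: Optional[Dict[int, int]] = None):
        self.name = name
        self.limit = limit                                  # bytes per scheduling interval
        self.precedence_limits = precedence_limits or {}    # optional cap per precedence
        self.queues = {p: deque() for p in range(8)}
        self.forwarded_bytes = {p: 0 for p in range(8)}

    def enqueue(self, precedence: int, size: int, tag: str) -> None:
        self.queues[precedence].append((size, tag))

    def tick(self) -> List[str]:
        """One interval: serve the highest precedence first, each within its own cap;
        whatever does not fit stays queued for the next interval."""
        budget = self.limit
        out = []
        for p in range(7, -1, -1):
            cap = self.precedence_limits.get(p, self.limit)
            used = 0
            q = self.queues[p]
            while q and q[0][0] <= budget and used + q[0][0] <= cap:
                size, tag = q.popleft()
                budget -= size
                used += size
                self.forwarded_bytes[p] += size
                out.append(tag)
        return out


def classify(ipv4_header: bytes, fixed_precedence: Optional[int] = None) -> int:
    """A pipe rule either assigns a fixed precedence or takes it from the packet's ToS byte."""
    return fixed_precedence if fixed_precedence is not None else tos_precedence(ipv4_header)


def demo() -> List[List[str]]:
    """Constructed traffic: six 500-byte bulk packets (ToS 0, precedence 0) and three
    200-byte voice packets marked EF (ToS 0xB8, precedence 5) through a 1500-byte pipe."""
    pipe = Pipe("std-out", limit=1500)
    bulk_header = bytes([0x45, 0x00]) + bytes(18)   # minimal IPv4 header, ToS = 0x00
    ef_header = bytes([0x45, 0xB8]) + bytes(18)     # minimal IPv4 header, ToS = 0xB8
    for i in range(1, 7):
        pipe.enqueue(classify(bulk_header), 500, f"bulk{i}")
    for i in range(1, 4):
        pipe.enqueue(classify(ef_header), 200, f"voice{i}")
    return [pipe.tick() for _ in range(3)]


if __name__ == "__main__":
    for n, interval in enumerate(demo(), 1):
        print(f"interval {n}: {interval}")
```

    Even though the bulk packets were queued first, all three voice packets leave in the first interval and the bulk traffic is spread over the remaining intervals; a per-precedence cap (second assertion in the test) holds a precedence to its share even when the pipe as a whole has room.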
  • D-Link DFL-2500 | User Guide - Page 280
    server, and to tolerate a server failure. This technology is integrated in D-Link firewalls to enable high performance and throughput of the network. 24.1.1 The model. In this model, three servers form a server farm, and a D-Link firewall acts as a server load balancer. Server farm A collection of
  • D-Link DFL-2500 | User Guide - Page 281
    traffic to a certain server within the server farm, and monitoring the availability of the servers. D-Link firewalls are capable server load balancers, which can be configured to perform load distribution and servers. It works at different layers of the OSI model, real-time
  • D-Link DFL-2500 | User Guide - Page 282
    can filter unwanted traffic based on both IP address and TCP or UDP port numbers, and helps to protect against multiple forms of denial-of-service (DoS) attacks. Ease of Maintenance Administration of for real server changes, which are transparent to the external network.
  • D-Link DFL-2500 | User Guide - Page 283
    the server farm as a single virtual server to the D-Link firewall (load balancer), using a public IP address. In this environment, clients are configured to connect to the server farm. D-Link firewalls offer the following algorithms to accomplish the load distribution tasks:
  • D-Link DFL-2500 | User Guide - Page 284
    real server's IP address to see whether the port 80, the firewall will try to establish a connection to bind to that port. It sends a TCP SYN request to port 80 on that server and waits for a TCP SYN/ACK in return; if that fails, it marks port 80 as down on that server.
  • D-Link DFL-2500 | User Guide - Page 285
    is being opened, the SAT rule is triggered; it translates the public server farm IP address to a real server address. Necessary modification to the packets is performed distribution policies the firewall should use. Example: SLB Configuration Figure 24.2: An SLB Scenario
  • D-Link DFL-2500 | User Guide - Page 286
    → IP Rules → Add → IP Rule: Name: SSH SLB Action: SLB SAT Service: ssh Source Interface: any Source Network: all-nets Destination Interface: core Destination Network: ip ext SAT Server Load Balancing Server Addresses: Select SSH Server1 and SSH Server2. Then click OK
  • D-Link DFL-2500 | User Guide - Page 287
    NAT Service: ssh Source Interface: any Source Network: all-nets Destination Interface: core Destination Network: ip ext Then click OK Note It is possible to configure settings for monitoring, distribution method and stickiness. But in this example the default values are used.
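    Putting the pieces of this chapter together (server monitoring, distribution, stickiness and the SLB SAT rule), here is an added Python model; it is not the firewall's own code. The TCP probe is the layer-4 check the text describes for port 80, applied here to the SSH farm of the example; round-robin distribution with source-IP stickiness, the server addresses and the farm's public address are assumptions for illustration, and the test replaces the real probe with an offline one.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RealServer:
    ip: str
    port: int
    up: bool = True


def tcp_probe(ip: str, port: int, timeout: float = 2.0) -> bool:
    """Layer-4 monitor: open a TCP connection (SYN, expect SYN/ACK).
    Any failure marks the port down on that server, as the text describes for port 80."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


class ServerLoadBalancer:
    def __init__(self, virtual_ip: str, servers: List[RealServer],
                 probe: Callable[[str, int], bool] = tcp_probe, sticky: bool = True):
        self.virtual_ip = virtual_ip
        self.servers = servers
        self.probe = probe
        self.sticky = sticky
        self.sticky_table: Dict[str, RealServer] = {}   # client IP -> server it was given
        self._rr = 0

    def monitor(self) -> List[str]:
        """Re-probe every real server; return the addresses currently marked up."""
        for s in self.servers:
            s.up = self.probe(s.ip, s.port)
        return [s.ip for s in self.servers if s.up]

    def select(self, client_ip: str) -> Optional[RealServer]:
        """Stickiness first; otherwise round-robin over the servers that are up."""
        live = [s for s in self.servers if s.up]
        if not live:
            return None
        chosen = self.sticky_table.get(client_ip) if self.sticky else None
        if chosen is None or not chosen.up:
            chosen = live[self._rr % len(live)]
            self._rr += 1
            if self.sticky:
                self.sticky_table[client_ip] = chosen
        return chosen

    def sat(self, client_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """The SLB SAT rule: a new connection to the farm's public address has its
        destination rewritten to a real server; anything else passes unchanged."""
        if dst_ip != self.virtual_ip:
            return dst_ip, dst_port
        server = self.select(client_ip)
        if server is None:
            raise RuntimeError("no real server is up")
        return server.ip, server.port


if __name__ == "__main__":
    # Constructed farm: two SSH servers behind the public address 198.51.100.10.
    farm = [RealServer("10.0.1.2", 22), RealServer("10.0.1.4", 22)]
    slb = ServerLoadBalancer("198.51.100.10", farm)
    print("up:", slb.monitor())                         # real TCP probes when run for real
    for client in ("203.0.113.7", "203.0.113.8", "203.0.113.7"):
        print(client, "->", slb.sat(client, "198.51.100.10", 22))
```

    The probe is pluggable so the distribution logic can be exercised without a network; in the test one server is marked down, connections alternate between the remaining two, a returning client keeps its server, and when that server fails the client is moved.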
  • D-Link DFL-2500 | User Guide - Page 288
    Part X Misc. Features
  • D-Link DFL-2500 | User Guide - Page 289
    Besides protecting the network, D-Link firewalls can act as intermediary agents for miscellaneous Internet services to ease the use of various protocols on behalf of the clients. Topics in this part include: • Miscellaneous Clients • DHCP Server & Relayer
  • D-Link DFL-2500 | User Guide - Page 290
    , the service providers that are supported by the firewall include: • Dyndns.org • Dyns.cx • Cjb.net • Oray.net - Peanut Hull DynDNS • Telia • BigPond 25.2 Dynamic DNS Dynamic Domain Name System (DynDNS) is a method of keeping a domain name linked to a changing IP address. When a user connects to
  • D-Link DFL-2500 | User Guide - Page 291
    service providers require users to log in via a URL each time before any service is delivered. Currently, D-Link firewalls offer automatic client login to the following providers: • Telia - A major telecommunication service company in the Nordic and Baltic region.
  • D-Link DFL-2500 | User Guide - Page 292
    specific service provider. Basically, a URL contains Username/Password, provider's domain name, and other parameters. For example, the URL format for the DynDNS service provided by Dyndns.org is: http://MYUID:MYPASSWORD@members.dyndns.org/nic/update?hostname=MYDNS.dyndns.org (MYPASSWORD stands for the password placeholder, which this copy of the page garbled). Note that the credentials travel in the URL over plain HTTP.
  • D-Link DFL-2500 | User Guide - Page 294
    clients. When a DHCP server receives a request from a DHCP client, it returns the configuration parameters (such as an IP address, a MAC address, a domain name, and a lease for the IP address) to the client in a unicast message. Because the DHCP server maintains configurations for several subnets, an
  • D-Link DFL-2500 | User Guide - Page 295
    : Specifies the IP address of the next server in the boot process, usually a TFTP server. This can be left as (None). Custom Options Here you can add custom options to the DHCP lease. It is possible to specify the code, type and parameter. When finished, click OK
  • D-Link DFL-2500 | User Guide - Page 296
    This problem is forwards the response to the client. The DHCP relayers follow the BOOTP relay agent functionality and retain the BOOTP message format and communication protocol, and hence, they are often called BOOTP relay agents. Example: Configuring the firewall IP.
  • D-Link DFL-2500 | User Guide - Page 297
    " System → DHCP Settings → DHCP Relays → Add → DHCP Relay: → General: General Name: vlan-to-dhcpserver Action: Relay Source Interface: ipgrp-dhcp DHCP Server to relay to: ip-dhcp → Add Route: Check Add dynamic routes for this relayed DHCP lease. Then click OK. D-Link Firewalls User's Guide
  • D-Link DFL-2500 | User Guide - Page 298
    Part XI Transparent Mode
  • D-Link DFL-2500 | User Guide - Page 300
    the transparent mode feature and introduce how transparent mode is implemented in D-Link firewalls in detail. Configuration examples of simple network layouts and on both sides of a firewall. A firewall is considered transparent to users if they do not notice the firewall in the packet flow. When adding
  • D-Link DFL-2500 | User Guide - Page 301
    a switch. It screens IP packets traversing the firewall and forwards them transparently on the services as before without routing reconfiguration. In transparent mode, the firewall allows ARP transactions over the firewall, and learns from ARP traffic the relation between the IP
  • D-Link DFL-2500 | User Guide - Page 302
    as the initiating sender of the original IP packet, for the destination on the interfaces forward the packet to the destination. If the CAM table or the Layer 3 Cache is full, the tables are partially flushed automatically. Using the discovery mechanism, the firewall will
  • D-Link DFL-2500 | User Guide - Page 303
    scenario a router is used to share an Internet connection with a single public IP address. The internal NATed network behind the firewall is in the 10 gure IP addresses on the WAN and LAN interfaces, as this can improve performance during automatic discovering of hosts.
  • D-Link DFL-2500 | User Guide - Page 304
    Mode: Enable Then click OK 2. Rules Rules → IP Rules → Add → IP Rule: Enter the following: Name: HTTPAllow Action: Allow Service: http Source Interface: LAN Destination Interface: any Source Network: 10.0.0.0/24 Destination Network: 0.0.0.0/0 (all-nets) Then click OK
  • D-Link DFL-2500 | User Guide - Page 306
    using Transparent Mode any IP address can be used IP ruleset. Here we allow the hosts on the internal network to communicate with an HTTP server on the DMZ. Furthermore, we allow the HTTP server on the DMZ to be reached from the Internet. Additional rules could be added to allow
  • D-Link DFL-2500 | User Guide - Page 307
    . WebUI : 1. Interfaces Interfaces → Ethernet → Edit (LAN): Enter the following: IP Address: 10.0.0.1 Network: 10.0.0.0/24 Transparent Mode: Disable Add route for interface network: Switched Interfaces: TransparentGroup Network: 10.0.0.0/24 Metric: 0 Then click OK
  • D-Link DFL-2500 | User Guide - Page 308
    IP New IP Address: 10.1.4.10 Then click OK Rules → IP Rules → Add → IP Rule: Enter the following: Name: HTTP-WAN-to-DMZ Action: Allow Service: http Source Interface: WAN Destination Interface: DMZ Source Network: 10.0.0.0/24 Destination Network: wan-ip Then click OK
  • D-Link DFL-2500 | User Guide - Page 310
    Part XII Zone Defense
  • D-Link DFL-2500 | User Guide - Page 312
    is a feature in D-Link firewalls which lets the firewall block a specified CIDR network range (an IP address range specified by a combination of an IP address and its associated network mask). When hosts and networks remain blocked until the system administrator manually unblocks them using the firewall's Web or
  • D-Link DFL-2500 | User Guide - Page 313
    stored statistics from the controlled devices by using the SNMP community string, which is like a user id or password to allow access to the device's database. If the community string type is "write", the manager will be allowed to modify properties in the device.
  • D-Link DFL-2500 | User Guide - Page 314
    exceeded. Similar to the IP rules, a threshold rule network. • Service. • Type of port numbers that are to be blocked. Exclude lists can be created and used in order to exclude hosts from being blocked when a threshold rule limit is reached. Good practice includes
  • D-Link DFL-2500 | User Guide - Page 315
    ) from accessing the switch completely. A D-Link switch model DES-3226S is used in this case, with a management interface address 192.168.1.250 connecting to the firewall's interface address 192.168.1.1. This firewall interface is added into the exclude list to prevent
  • D-Link DFL-2500 | User Guide - Page 316
    new switch into Zone Defense section. Zone Defense → Switches → Switch: General Name: switch1 Switch model: DES-3226S IP Address: 192.168.1.250 (or use the object name if it has been defined in the address objects) the correct community string is entered. Then click OK.
  • D-Link DFL-2500 | User Guide - Page 317
    General: General: Name: HTTP-Threshold Service: HTTP Address Filter Source Destination Interface: (the firewall's management interface) any Network: 192.168.2.0/24 (or the object name) all-nets → Action: Action: ZoneDefense Host-based Threshold: 10 Then click OK.
  • D-Link DFL-2500 | User Guide - Page 318
    Part XIII High Availability
  • D-Link DFL-2500 | User Guide - Page 319
  • D-Link DFL-2500 | User Guide - Page 320
    includes the following topics: • What High Availability will do for you • What High Availability will NOT do for you • Example High Availability setup D-Link High Availability works by adding a back-up firewall to your existing firewall. The back-up firewall has the same configuration as the primary
  • D-Link DFL-2500 | User Guide - Page 321
    "master" and a "slave", is supported. As is the case with all other firewalls supporting stateful failover, the D-Link High Availability will only work between two D-Link Firewalls. As the internal workings of different though one or more interfaces may be inoperative.
  • D-Link DFL-2500 | User Guide - Page 322
    likely lead to loss of connectivity for extended periods of time. 29.2 How Rapid Failover is Accomplished This section includes the following topics: • The shared IP address and the failover mechanism • Cluster heartbeats • The synchronization interface
  • D-Link DFL-2500 | User Guide - Page 323
    firewall. The hardware address of the shared IP address, and other published addresses for that IP address always has the same hardware address, there will be no latency time in updating ARP caches of units attached to the same LAN as the cluster when failover occurs.
  • D-Link DFL-2500 | User Guide - Page 324
    second failover time. The problem with detection times less IP is the shared IP address • The IP TTL is always 255. If a firewall receives a cluster heartbeat with any other TTL, it is assumed that the packet has traversed a router, and hence cannot be trusted at all.
  • D-Link DFL-2500 | User Guide - Page 325
    packet, sent from port 999, to port 999. • The destination MAC address is the Ethernet multicast address corresponding to the shared hardware address, i.e. 11-00-00-C1-4A-nn. Link-level multicasts were chosen the configuration is transferred to the other cluster member.
  • D-Link DFL-2500 | User Guide - Page 326
    crossover Ethernet cable. 29.3.2 Creating a High Availability cluster Example: Configuring the Firewall as a Cluster Member Each firewall in the cluster will have to and shared IP addresses on interfaces, as well as selecting a cluster ID and synchronization interface.
  • D-Link DFL-2500 | User Guide - Page 327
    Private IP Address: lan-priv-ip Then click OK Interfaces → Ethernet → Edit (WAN): IP Address: 10.4.10.1 Advanced/High Availability Private IP Address: wan-priv-ip Then click OK When the configuration is saved and activated, the firewall will act as an HA cluster member.
  • D-Link DFL-2500 | User Guide - Page 328
    Things to Keep in Mind 309 Note All Ethernet and VLAN interfaces will have to be assigned a private IP address when the firewall is configured to be an HA member. However, in this example we traffic, so the output will likely look much the way it did with only one firewall.
  • D-Link DFL-2500 | User Guide - Page 329
    for anything but managing the firewalls. Using them for anything else: gatewaying, using them as source IPs in dynamically NATed connections or publishing services on them, will inevitably cause problems, as unique IPs will disappear when the firewall they belong to does.
  • D-Link DFL-2500 | User Guide - Page 330
    Part XIV Appendix
  • D-Link DFL-2500 | User Guide - Page 331
  • D-Link DFL-2500 | User Guide - Page 332
    , 200, 204, 207, 210 DNS, 101 DoS, 47, 123, 263 DR, 75 DSA, 197 DST, 97 DynDNS, 271 ESP, 214 Ethernet, 53 Ethernet address, 41 Firewall, 9 GRE, 27, 45, 228 H.225, 160 H.245, 160 H.323, 158 High availability, 54 Hop, 69 HTTP, 155 HTTPPoster, 273 HTTPS, 46, 136, 243 IANA, 45
  • D-Link DFL-2500 | User Guide - Page 333
    314 IKE, 213 IKE XAuth, 222 IP address, 39 IP spoofing, 123 IPsec, 27, 213 L2TP, 27, 228 LAN, 53, 56 LCP, 62 LDAP, 50, 222 LSA, 76 Man-in-the-middle TLS, 136, 243 ToS, 250 Twofish, 196 UDP/TIME, 98 URL, 157 VLAN, 56 VLink, 74 VoIP, 158 VPN, 13, 193, 207 WWW, 155
  • D-Link DFL-2500 | User Guide - Page 334
    list of commands that can be used in CLI for monitoring and troubleshooting the firewall. For information about how to access the CLI : about Example : Cmd> about D-Link DFL 2.01.00V Copyright Clavister 1996-2005. All rights reserved SSH IPSEC Express SSHIPM version 5.1.1 library 5.1.1 Copyright
  • D-Link DFL-2500 | User Guide - Page 335
    contents of the Access configuration section. • Syntax: access Example : Cmd> access Source IP Address Access list (spoofing protection) Rule Name Action Iface Source Range If no access rule ARP cache of iface wan Dynamic 194.2.1.1 = 0020:d216:5eec Expire=141
  • D-Link DFL-2500 | User Guide - Page 336
    wan dmz ARP on wan: gw-world requesting ip ext ARP on lan: 192.168.123.5 requesting lan ip ... Buffers This command can be useful in troubleshooting; e.g. if an unexpectedly large number of packets -- buffers Brings up a list of most recently freed buffers. Example :
  • D-Link DFL-2500 | User Guide - Page 337
    Decode of buffer number 1059 lan:Enet 0050:dadf:7bbf->0003:325c:cc00, type 0x0800, len 1058 IP 192.168.123.10->193.13.79.1 IHL:20 DataLen:1024 TTL:254 Proto:ICMP ICMP Echo reply ID:6666 Seq:0 Certcache Displays the contents of the certificate cache. • Syntax: certcache
  • D-Link DFL-2500 | User Guide - Page 338
    up. • Syntax: cfglog Example : Cmd> cfglog Configuration log: License file successfully loaded. Configuration done Connections Shows the last 20 connections opened through the - RAWIP The connection uses an IP protocol other than TCP, UDP or ICMP • Syntax: connections
  • D-Link DFL-2500 | User Guide - Page 339
    DHCP • Syntax: dhcp [options] • Options: - renew - Force interface to renew its lease - release - Force interface to release its lease Example : Cmd> dhcp -renew wan
  • D-Link DFL-2500 | User Guide - Page 340
    - Releases an active or blacklisted IP Example : Cmd> dhcpserver DynRoute Displays the dynamic routing policy filter ruleset and current exports. • Syntax: dynroute [options] • Options: - rules - Display dynamic routing filter ruleset - exports - Display current exports
  • D-Link DFL-2500 | User Guide - Page 341
    Syntax: ha Example : Cmd> ha This device is a HA SLAVE This device is currently ACTIVE (will forward traffic) HA cluster peer is ALIVE HTTPPoster Show the configured httpposter urls and status. • Syntax: httpposter [options] • Options: - repost - Re-post all URLs now.
  • D-Link DFL-2500 | User Guide - Page 342
    ,vlan2,vlan3 IfStat • Syntax: -- ifstat Shows a list of the interfaces installed in the firewall. Example : Cmd> ifstat Configured interfaces: Interface name IP Address core 127.0.0.1 wan 172.16.87.252 lan 192.168.121.1 Interface type Null (sink) ... ...
  • D-Link DFL-2500 | User Guide - Page 343
    -- ikesnoop off Turn IKE snooping off. -- ikesnoop on [ipaddr] Turn IKE snooping on; if an IP is specified, only IKE traffic from that IP will be shown. -- ikesnoop verbose [ipaddr] Enable verbose output; if an IP is specified, only IKE traffic from that IP will be shown.
  • D-Link DFL-2500 | User Guide - Page 344
    -tn-roamingclients IPSecstats Display connected IPSec VPN gateways and remote clients. • Syntax: ipsecstats [options] • Options: - ike Displays IKE SAs - ipsec Displays IPsec SAs (default) - u Displays detailed SA statistic information - v Displays verbose information
  • D-Link DFL-2500 | User Guide - Page 345
    Cmd> ipsecstats --- IPsec SAs: Displaying one line per SA-bundle ... Killsa Kills all IPsec and IKE SAs for the specified IP-address. • Syntax: DFL-... Registration date: ... Issued date: ... Last modified: ... New upgrades until: ... Ethernet Interfaces: ... ...
  • D-Link DFL-2500 | User Guide - Page 346
    to licensing or configuration problems, this command will NOT remove users currently connected to the firewall via the netcon management protocol. • Syntax: netcon Example : Cmd> netcon Currently connected NetCon users: Iface IP address port lan 192.168.123.11 39495
  • D-Link DFL-2500 | User Guide - Page 347
    a specified LSA - snoop [on | off], Display troubleshooting messages on the console - ifacedown , Takes specified interface offline - ifaceup , Takes specified interface online - stop, Stop OSPF process - start, Start OSPF process - restart, Restart OSPF process
  • D-Link DFL-2500 | User Guide - Page 348
    connectivity problems. • 12.1 seq=0 time= 10 ms TTL=255 Pipes Shows the list of configured pipes; the contents of the Pipes configuration section, along with basic throughput figures of each pipe. • Syntax: pipes [options] • Options: - s Display overall statistics
  • D-Link DFL-2500 | User Guide - Page 349
    configured proposal lists. • Syntax: proplists [vpnconn] Example : Cmd> propl Displaying all configured proposal lists: ike-default ... ReConfigure Re-reads the FWCore.cfg file from disk RECONFIGURE. Active in 1 seconds. Shutdown reason: Reconfigure due to console command
  • D-Link DFL-2500 | User Guide - Page 350
    : Cmd> remotes Hosts/nets with remote control of firewall: ... WebUI HTTP (port 80) and HTTPS (port 443) access Routes Displays information about the routing tables, list of named (PBR) routing tables - lookup , Lookup the route for the given IP address - v, Verbose
  • D-Link DFL-2500 | User Guide - Page 351
    is DROP Act. Source Destination Protocol/Ports 1 Allow lan: ... core: ... "HTTP" "HTTP-fw" Use: 0 FWLOG:notice SYSLOG:notice Scrsave Activates the screensaver included with the firewall core. • Syntax: scrsave Example : Cmd> scr Activating screen saver...
  • D-Link DFL-2500 | User Guide - Page 352
    inside rules are not displayed. • Syntax: services [name or wildcard] Example : Cmd> services Configured services: HTTP TCP ALL > 80 Shutdown Instructs the firewall to perform a shutdown in section. • Syntax: -- settings Shows available groups of settings.
  • D-Link DFL-2500 | User Guide - Page 353
    sett Available categories in the Settings section: IP - IP (Internet Protocol) Settings TCP - TCP Configuration Protocol) Client Settings DHCPRelay - DHCP/BOOTP Relaying Settings DHCPServer - DHCP Server Settings IPsec - IPsec Misc - Miscellaneous Settings
  • D-Link DFL-2500 | User Guide - Page 354
    = 2802 KB Fragbufs allocated : 16 Fragbufs memory : 16 x 10040 = 156 KB Out-of-buffers :0 ARP one-shot cache : Hits : 409979144 Misses : 186865338 Interfaces: Phys:2 VLAN:5 VPN:0 Access entries:18 Rule entries:75 Using configuration file "FWCore.cfg", ver ...
  • D-Link DFL-2500 | User Guide - Page 355
    Displays currently logged-on users and other information. Also allows logged-on users to be forcibly logged out. • Syntax: userauth [options] • Options: - l, displays a list of all authenticated users - p, displays a list of all known privileges (usernames and groups)
  • D-Link DFL-2500 | User Guide - Page 356
    to only show users matching that pattern or if a username is specified information regarding that user will be shown. • Options: - num, Displays the specified number of users (default 20) Example : Cmd> userdb Configured user databases: Name users AdminUsers 1
  • D-Link DFL-2500 | User Guide - Page 357
    Console Commands Reference Example : Cmd> userdb AdminUsers Configured user databases: Username Groups Static IP admin administrators Remote Networks Example : Cmd> userdb 192.168.123.1 ID: 2 Iface: lan vlan3 IPAddr: 192.168.123.1 ID: 3 Iface: lan
  • D-Link DFL-2500 | User Guide - Page 358
    information about specified VLAN. Example : Cmd> vlan vlan1 VLAN vlan1 Iface lan, VLAN ID: 1 Iface : lan IP Address : 192.168.123.1 Hw Address : 0003:474e:25f9 Software Statistics: Soft received : 0 Soft sent: 0 Send failures: 0 Dropped : 0 IP Input Errs : 0
  • D-Link DFL-2500 | User Guide - Page 359
    340 Chapter A. Console Commands Reference
  • D-Link DFL-2500 | User Guide - Page 360
    B APPENDIX Customer Support 341
  • D-Link DFL-2500 | User Guide - Page 361
    -2900-0676 FAX: 39-02-2900-1723 URL: www.dlink.it Sweden P.O. Box 15036, S-167 15 Bromma Sweden TEL: 46-(0)8564-61900 FAX: 46-(0)8564-61901 URL: www.dlink.se Denmark Naverland 2, DK-2600 Glostrup, Copenhagen Denmark TEL: 45-43-969040 FAX: 45-43-424347 URL: www.dlink.dk
  • D-Link DFL-2500 | User Guide - Page 362
    URL: www.dlink.be Poland Budynek Aurum ul. Waliców 11 PL-00-851 Warszawa Poland TEL : +48 (0) 22 583 92 75 FAX: +48 (0) 22 583 92 76 URL: www.dlink.pl Hungary Rákóczi út 70-72 HU-1074 Budapest Hungary TEL : +36 (0) 1 461 30 00 FAX: +36 (0) 1 461 30 09 URL: www.dlink.hu
  • D-Link DFL-2500 | User Guide - Page 363
    06 URL: www.dlink.com.tr Chapter B. Customer Support Egypt 19 El- dlink.cl Brazil Av das Nacoes Unidas 11857 14- andar - cj 141/142 Brooklin Novo Sao Paulo - SP - Brazil CEP 04578-000 (Zip Code) TEL: (55 11) 21859300 FAX: (55 11) 21859322 URL: www.dlinkbrasil.com.br
  • D-Link DFL-2500 | User Guide - Page 364
    .dlink.com.cn Taiwan 2F, No. 119, Pao-Chung Rd. Hsin-Tien, Taipei Taiwan TEL: 886-2-2910-2626 FAX: 886-2-2910-1515 URL: www.dlinktw.com.tw Headquarters 2F, No. 233-2, Pao-Chiao Rd. Hsin-Tien, Taipei Taiwan TEL: 886-2-2916-1600 FAX: 886-2-2914-6299 URL: www.dlink.com.tw
  • D-Link DFL-2500 | User Guide - Page 365
    346 Chapter B. Customer Support