Home » D-Link Manuals » Networking » D-Link DFL-2500 » Manual Viewer

D-Link DFL-2500 User Guide - Page 205

Signature Groups, Automatic Update of Signature, Database

Add to My Manuals
Save this manual to your list of manuals

Page 205 highlights

186 Chapter 19. Intrusion Detection System (IDS) 3. The pattern-matching engine searches the payload of the packet for pre-defined signatures. If a match is found, the final level of IDS processing is carried out - the action. If not, the packet is dropped. 4. As this packet will not be accepted by the firewall, the only interesting action is to log the attempted intrusion. 19.3 Signature Groups Usually, several attacks exist for a specific protocol, and it would be most favorable to search for all of them at the same time when analyzing network traffic. To do this, signatures that refer to the same protocol are grouped together. For example, all signatures that refer to the FTP protocol are located in one group, while signatures that refer to POP3 are located in another group. In addition to this, signatures that originate from the same source are also grouped together. This means that signatures that are only valid when originating from the external network are grouped together, while signatures that are valid when originating from the internal network are located in another group. This is done in order to allow more effective processing for the IDS. 19.4 Automatic Update of Signature Database Discovering new attacks is an ongoing process. New attacks are sometimes discovered daily, so it is important to have an up-to-date signature database in order to protect the network from the latest threats. The signature database contains all signatures and signature groups currently recognized by the IDS. A new, updated signature database can be automatically downloaded by the firewall, at a configurable interval. This is done through a HTTP connection to a D-Link server, hosting the latest signature database file. If this signature database file has a newer version than the current, the new signature database will be downloaded, thus replacing the old version. This will ensure that the signature database is always up-to-date. Figure 19.3 is a simplified picture that describes the communication flow when a new signature database file is downloaded: D-Link Firewalls User's Guide

Section	Page
I Preface	16
Document Version	18
Disclaimer	18
About this Document	18
Typographical Conventions	19
II Product Overview	20
1 Capabilities	22
1.1 Product Highlights	22
III Introduction to Networking	24
2 The OSI model	26
3 Firewall Principles	28
3.1 The Role of the Firewall	28
3.1.1 What is a Firewall?	28
3.1.2 How does a Firewall work?	28
3.2 What does a Firewall NOT protect against?	29
3.2.1 Attacks on Insecure pre-installed Components	30
3.2.2 Inexperienced Users on protected Networks	30
3.2.3 Data-Driven Network Attacks	30
3.2.4 Internal Attacks	32
3.2.5 Modems and VPN Connection	32
3.2.6 Holes between DMZs and Internal Networks	33
IV Administration	36
4 Configuration Platform	38
4.1 Configuring Via WebUI	38
4.1.1 Overview	38
4.1.2 Interface Layout	38
4.1.3 Configuration Operations	41
4.2 Monitoring Via CLI	42
5 Logging	44
5.1 Overview	44
5.1.1 Importance & Capability	44
5.1.2 Events	45
5.2 Log Receivers	47
5.2.1 Syslog Receiver	47
5.2.2 Memory Log Receiver	48
5.2.3 SMTP Event Receiver	48
6 Maintenance	50
6.1 Firmware Upgrades	50
6.2 Reset To Factory Defaults	51
6.3 Backup Configuration	53
7 Advanced Settings	54
7.1 Overview	54
V Fundamentals	56
8 Logical Objects	58
8.1 Address Book	58
8.1.1 IP address	58
8.1.2 Ethernet address	60
8.2 Services	60
8.2.1 Service Types	61
8.2.2 Error Report & Connection Protection	65
8.3 Schedules	67
8.4 X.509 Certificates	68
8.4.1 Introduction to Certificates	68
8.4.2 X.509 Certificates in D-Link Firewall	70
9 Interfaces	72
9.1 Ethernet	72
9.1.1 Ethernet Interfaces	72
9.1.2 Ethernet Interfaces in D-Link Firewalls	73
9.2 Virtual LAN (VLAN)	75
9.2.1 VLAN Infrastructure	75
9.2.2 802.1Q VLAN Standard	76
9.2.3 VLAN Implementation	77
9.2.4 Using Virtual LANs to Expand Firewall Interfaces	78
9.3 DHCP	79
9.3.1 DHCP Client	79
9.4 PPPoE	80
9.4.1 PPP	81
9.4.2 PPPoE Client Configuration	81
9.5 Interface Groups	84
9.6 ARP	85
9.6.1 ARP Table	85
10 Routing	88
10.1 Overview	88
10.2 Routing Hierarchy	89
10.3 Routing Algorithms	90
10.3.1 Static Routing	90
10.3.2 Dynamic Routing	91
10.3.3 OSPF	93
10.4 Route Failover	96
10.4.1 Scenario: Route Failover Configuration	97
10.5 Dynamic Routing Implementation	100
10.5.1 OSPF Process	100
10.5.2 Dynamic Routing Policy	100
10.5.3 Scenarios: Dynamic Routing Configuration	101
10.6 Scenario: Static Routing Configuration	106
10.7 Policy Based Routing(PBR)	107
10.7.1 Overview	107
10.7.2 Policy-based Routing Tables	108
10.7.3 Policy-based Routing Policy	108
10.7.4 PBR Execution	108
10.7.5 Scenario: PBR Configuration	110
10.8 Proxy ARP	113
11 Date & Time	114
11.1 Setting the Date and Time	115
11.1.1 Current Date and Time	115
11.1.2 Time Zone	115
11.1.3 Daylight Saving Time(DST)	116
11.2 Time Synchronization	117
11.2.1 Time Synchronization Protocols	117
11.2.2 Timeservers	117
11.2.3 Maximum Adjustment	118
11.2.4 Synchronization Interval	118
12 DNS	120
13 Log Settings	122
13.1 Implementation	122
13.1.1 Defining Syslog Receiver	122
13.1.2 Enabling Logging	123
VI Security Polices	126
14 IP Rules	128
14.1 Overview	128
14.1.1 Fields	129
14.1.2 Action types	130
14.2 Address Translation	131
14.2.1 Overview	131
14.2.2 NAT	131
14.2.3 Address translation in D-Link Firewall	133
14.3 Scenarios: IP Rules Configuration	135
15 Access (Anti-spoofing)	142
15.1 Overview	142
15.1.1 IP Spoofing	142
15.1.2 Anti-spoofing	143
15.2 Access Rule	143
15.2.1 Function	143
15.2.2 Settings	143
15.3 Scenario: Setting up Access Rule	145
16 DMZ & Port Forwarding	146
16.1 General	146
16.1.1 Concepts	146
16.1.2 DMZ Planning	148
16.1.3 Benefits	149
17 User Authentication	150
17.1 Authentication Overview	150
17.1.1 Authentication Methods	150
17.1.2 Password Criterion	151
17.1.3 User Types	152
17.2 Authentication Components	153
17.2.1 Local User Database(UserDB)	153
17.2.2 External Authentication Server	153
17.2.3 Authentication Agents	154
17.2.4 Authentication Rules	155
17.3 Authentication Process	156
17.4 Scenarios: User Authentication Configuration	156
VII Content Inspection	164
18 Application Layer Gateway (ALG)	166
18.1 Overview	166
18.2 FTP	167
18.2.1 FTP Connections	167
18.2.2 Scenarios: FTP ALG Configuration	169
18.3 HTTP	174
18.3.1 Components & Security Issues	174
18.3.2 Solution	175
18.4 H.323	177
18.4.1 H.323 Standard Overview	177
18.4.2 H.323 Components	177
18.4.3 H.323 Protocols	178
18.4.4 H.323 ALG Overview	179
18.4.5 Scenarios: H.323 ALG Configuration	180
19 Intrusion Detection System (IDS)	200
19.1 Overview	200
19.1.1 Intrusion Detection Rules	201
19.1.2 Pattern Matching	201
19.1.3 Action	201
19.2 Chain of Events	202
19.2.1 Scenario 1	202
19.2.2 Scenario 2	203
19.3 Signature Groups	205
19.4 Automatic Update of Signature Database	205
19.5 SMTP Log Receiver for IDS Events	206
19.6 Scenario: Setting up IDS	208
VIII Virtual Private Network (VPN)	210
20 VPN Basics	212
20.1 Introduction to VPN	212
20.1.1 VPNs vs Fixed Connections	212
20.2 Introduction to Cryptography	214
20.2.1 Encryption	214
20.2.2 Authentication & Integrity	217
20.3 Why VPN in Firewalls	219
20.3.1 VPN Deployment	220
21 VPN Planning	226
21.1 VPN Design Considerations	226
21.1.1 End Point Security	227
21.1.2 Key Distribution	229
22 VPN Protocols & Tunnels	232
22.1 IPsec	232
22.1.1 IPsec protocols	233
22.1.2 IPsec Modes	233
22.1.3 IKE	234
22.1.4 IKE Integrity & Authentication	238
22.1.5 Scenarios: IPSec Configuration	242
22.2 PPTP/ L2TP	247
22.2.1 PPTP	247
22.2.2 L2TP	253
22.3 SSL/TLS (HTTPS)	262
IX Traffic Management	264
23 Traffic Shaping	266
23.1 Overview	266
23.1.1 Functions	267
23.1.2 Features	268
23.2 Pipes	268
23.2.1 Precedences and Guarantees	269
23.2.2 Grouping Users of a Pipe	271
23.2.3 Dynamic Bandwidth Balancing	272
23.3 Pipe Rules	272
23.4 Scenarios: Setting up Traffic Shaping	272
24 Server Load Balancing (SLB)	280
24.1 Overview	280
24.1.1 The SLB Module	280
24.1.2 SLB Features	281
24.1.3 Benefits	282
24.2 SLB Implementation	283
24.2.1 Distribution Modes	283
24.2.2 Distribution Algorithms	283
24.2.3 Server Health Checks	284
24.2.4 Packets Flow by SAT	285
24.3 Scenario: Enabling SLB	285
X Misc. Features	288
25 Miscellaneous Clients	290
25.1 Overview	290
25.2 Dynamic DNS	290
25.3 Automatic Client Login	291
25.4 HTTP Poster	292
25.4.1 URL Format	292
26 DHCP Server & Relayer	294
26.1 DHCP Server	294
26.2 DHCP Relayer	296
XI Transparent Mode	298
27 Transparent Mode	300
27.1 Overview	300
27.2 Transparent Mode Implementation in D-Link Firewalls	301
27.3 Scenarios: Enabling Transparent Mode	303
XII Zone Defense	310
28 Zone Defense	312
28.1 Overview	312
28.2 Zone Defense Switches	312
28.2.1 SNMP	313
28.3 Threshold Rules	314
28.4 Manual Blocking & Exclude Lists	314
28.5 Limitations	315
28.6 Scenario: Setting Up Zone Defense	315
XIII High Availability	318
29 High Availability	320
29.1 High Availability Basics	320
29.1.1 What High Availability will do for you	320
29.1.2 What High Availability will NOT do for you	321
29.1.3 Example High Availability setup	322
29.2 How Rapid Failover is Accomplished	322
29.2.1 The shared IP address and the failover mechanism	323
29.2.2 Cluster heartbeats	324
29.2.3 The synchronization interface	325
29.3 Setting up a High Availability Cluster	325
29.3.1 Planning the High Availability cluster	326
29.3.2 Creating a High Availability cluster	326
29.4 Things to Keep in Mind	328
29.4.1 Statistics and Logging Issues	328
29.4.2 Configuration Issues	329
XIV Appendix	330
A Console Commands Reference	334
List of Commands	334
About	334
Access	335
ARP	335
ARPSnoop	336
Buffers	336
Certcache	337
CfgLog	338
Connections	338
Cpuid	339
DHCP	339
DHCPRelay	340
DHCPServer	340
DynRoute	340
Frags	341
HA	341
HTTPPoster	341
Ifacegroups	342
IfStat	342
Ikesnoop	343
Ipseckeepalive	344
IPSectunnels	344
IPSecstats	344
Killsa	345
License	345
Lockdown	346
Loghosts	346
Memory	346
Netcon	346
Netobjects	347
OSPF	347
Ping	348
Pipes	348
Proplists	349
ReConfigure	349
Remotes	350
Routes	350
Rules	351
Scrsave	351
Services	352
Shutdown	352
Sysmsgs	352
Settings	352
Stats	354
Time	355
Uarules	355
Userauth	355
Userdb	356
Vlan	357

Match case Limit results 1 per page

186

Chapter 19. Intrusion Detection System (IDS)

3. The pattern-matching engine searches the payload of the packet for

pre-deﬁned signatures. If a match is found, the ﬁnal level of IDS

processing is carried out – the action. If not, the packet is dropped.

4. As this packet will not be accepted by the ﬁrewall, the only

interesting action is to log the attempted intrusion.

19.3

Signature Groups

Usually, several attacks exist for a speciﬁc protocol, and it would be most

favorable to search for all of them at the same time when analyzing network

traﬃc. To do this, signatures that refer to the same protocol are grouped

together. For example, all signatures that refer to the FTP protocol are

located in one group, while signatures that refer to POP3 are located in

another group. In addition to this, signatures that originate from the same

source are also grouped together. This means that signatures that are only

valid when originating from the external network are grouped together,

while signatures that are valid when originating from the internal network

are located in another group. This is done in order to allow more eﬀective

processing for the IDS.

19.4

Automatic Update of Signature

Database

Discovering new attacks is an ongoing process. New attacks are sometimes

discovered daily, so it is important to have an up-to-date signature

database in order to protect the network from the latest threats. The

signature database contains all signatures and signature groups currently

recognized by the IDS.

A new, updated signature database can be automatically downloaded by

the ﬁrewall, at a conﬁgurable interval. This is done through a HTTP

connection to a D-Link server, hosting the latest signature database ﬁle. If

this signature database ﬁle has a newer version than the current, the new

signature database will be downloaded, thus replacing the old version. This

will ensure that the signature database is always up-to-date.

Figure

19.3

is a simpliﬁed picture that describes the communication ﬂow

when a new signature database ﬁle is downloaded:

D-Link Firewalls User’s Guide