Home » D-Link Manuals » Networking » D-Link DFL-2500 » Manual Viewer

D-Link DFL-2500 User Guide - Page 240

X.509 Certiﬁcate, Identiﬁcation Lists ID Lists

Add to My Manuals
Save this manual to your list of manuals

Page 240 highlights

22.1. IPsec 221 X.509 Certificate The other option for primary authentication is to use X.509 Certificate within each VPN gateway. To prove the identity, each gateway owns a certificate signed by a trusted CA. The certificate proves that the public key attached to it truly belongs to the gateway holder, and every gateway also keeps a copy of CA's public key to be able to trust the CA and validate the certificates of other gateways issued from that CA. Compared to the use of PSK, certificates are more flexible. Many VPN clients, for instance, can be managed without having the same pre-shared key configured on all of them, which is often the case when using pre-shared keys and roaming clients. Instead, should a client be compromised, the client's certificate can simply be revoked. No need to reconfigure every client. But complexity is also added by this method. Certificate-based authentication may be used as part of a larger infrastructure, making all VPN clients and gateways dependent on third parties. In other words, there are more things that have to be configured, and there are more things that can go wrong. Identification Lists (ID Lists) When X.509 certificates are used as authentication method, the firewall will accept all remote gateways or VPN clients that are capable of presenting a certificate signed by any of the trusted Certificate Authorities(CAs). This can be a potential problem, especially when using roaming clients. Consider a scenario where employees on the road shall be given access to the internal corporate networks using VPN clients. The organization administers their own CA, and certificates have been issued to the employees. Different groups of employees are likely to have access to different parts of the internal networks. For instance, members of the sales force need access to servers running the order system, while technical engineers need access to technical databases. As the IP addresses of the travelling employees VPN clients cannot be foreseen, the incoming VPN connections from the clients cannot be differentiated. This means that the firewall is unable to control the access to various parts of the internal networks. The concept of Identification Lists(ID Lists) presents a solution to this problem. An identification list contains one or more configurable D-Link Firewalls User's Guide

Section	Page
I Preface	16
Document Version	18
Disclaimer	18
About this Document	18
Typographical Conventions	19
II Product Overview	20
1 Capabilities	22
1.1 Product Highlights	22
III Introduction to Networking	24
2 The OSI model	26
3 Firewall Principles	28
3.1 The Role of the Firewall	28
3.1.1 What is a Firewall?	28
3.1.2 How does a Firewall work?	28
3.2 What does a Firewall NOT protect against?	29
3.2.1 Attacks on Insecure pre-installed Components	30
3.2.2 Inexperienced Users on protected Networks	30
3.2.3 Data-Driven Network Attacks	30
3.2.4 Internal Attacks	32
3.2.5 Modems and VPN Connection	32
3.2.6 Holes between DMZs and Internal Networks	33
IV Administration	36
4 Configuration Platform	38
4.1 Configuring Via WebUI	38
4.1.1 Overview	38
4.1.2 Interface Layout	38
4.1.3 Configuration Operations	41
4.2 Monitoring Via CLI	42
5 Logging	44
5.1 Overview	44
5.1.1 Importance & Capability	44
5.1.2 Events	45
5.2 Log Receivers	47
5.2.1 Syslog Receiver	47
5.2.2 Memory Log Receiver	48
5.2.3 SMTP Event Receiver	48
6 Maintenance	50
6.1 Firmware Upgrades	50
6.2 Reset To Factory Defaults	51
6.3 Backup Configuration	53
7 Advanced Settings	54
7.1 Overview	54
V Fundamentals	56
8 Logical Objects	58
8.1 Address Book	58
8.1.1 IP address	58
8.1.2 Ethernet address	60
8.2 Services	60
8.2.1 Service Types	61
8.2.2 Error Report & Connection Protection	65
8.3 Schedules	67
8.4 X.509 Certificates	68
8.4.1 Introduction to Certificates	68
8.4.2 X.509 Certificates in D-Link Firewall	70
9 Interfaces	72
9.1 Ethernet	72
9.1.1 Ethernet Interfaces	72
9.1.2 Ethernet Interfaces in D-Link Firewalls	73
9.2 Virtual LAN (VLAN)	75
9.2.1 VLAN Infrastructure	75
9.2.2 802.1Q VLAN Standard	76
9.2.3 VLAN Implementation	77
9.2.4 Using Virtual LANs to Expand Firewall Interfaces	78
9.3 DHCP	79
9.3.1 DHCP Client	79
9.4 PPPoE	80
9.4.1 PPP	81
9.4.2 PPPoE Client Configuration	81
9.5 Interface Groups	84
9.6 ARP	85
9.6.1 ARP Table	85
10 Routing	88
10.1 Overview	88
10.2 Routing Hierarchy	89
10.3 Routing Algorithms	90
10.3.1 Static Routing	90
10.3.2 Dynamic Routing	91
10.3.3 OSPF	93
10.4 Route Failover	96
10.4.1 Scenario: Route Failover Configuration	97
10.5 Dynamic Routing Implementation	100
10.5.1 OSPF Process	100
10.5.2 Dynamic Routing Policy	100
10.5.3 Scenarios: Dynamic Routing Configuration	101
10.6 Scenario: Static Routing Configuration	106
10.7 Policy Based Routing(PBR)	107
10.7.1 Overview	107
10.7.2 Policy-based Routing Tables	108
10.7.3 Policy-based Routing Policy	108
10.7.4 PBR Execution	108
10.7.5 Scenario: PBR Configuration	110
10.8 Proxy ARP	113
11 Date & Time	114
11.1 Setting the Date and Time	115
11.1.1 Current Date and Time	115
11.1.2 Time Zone	115
11.1.3 Daylight Saving Time(DST)	116
11.2 Time Synchronization	117
11.2.1 Time Synchronization Protocols	117
11.2.2 Timeservers	117
11.2.3 Maximum Adjustment	118
11.2.4 Synchronization Interval	118
12 DNS	120
13 Log Settings	122
13.1 Implementation	122
13.1.1 Defining Syslog Receiver	122
13.1.2 Enabling Logging	123
VI Security Polices	126
14 IP Rules	128
14.1 Overview	128
14.1.1 Fields	129
14.1.2 Action types	130
14.2 Address Translation	131
14.2.1 Overview	131
14.2.2 NAT	131
14.2.3 Address translation in D-Link Firewall	133
14.3 Scenarios: IP Rules Configuration	135
15 Access (Anti-spoofing)	142
15.1 Overview	142
15.1.1 IP Spoofing	142
15.1.2 Anti-spoofing	143
15.2 Access Rule	143
15.2.1 Function	143
15.2.2 Settings	143
15.3 Scenario: Setting up Access Rule	145
16 DMZ & Port Forwarding	146
16.1 General	146
16.1.1 Concepts	146
16.1.2 DMZ Planning	148
16.1.3 Benefits	149
17 User Authentication	150
17.1 Authentication Overview	150
17.1.1 Authentication Methods	150
17.1.2 Password Criterion	151
17.1.3 User Types	152
17.2 Authentication Components	153
17.2.1 Local User Database(UserDB)	153
17.2.2 External Authentication Server	153
17.2.3 Authentication Agents	154
17.2.4 Authentication Rules	155
17.3 Authentication Process	156
17.4 Scenarios: User Authentication Configuration	156
VII Content Inspection	164
18 Application Layer Gateway (ALG)	166
18.1 Overview	166
18.2 FTP	167
18.2.1 FTP Connections	167
18.2.2 Scenarios: FTP ALG Configuration	169
18.3 HTTP	174
18.3.1 Components & Security Issues	174
18.3.2 Solution	175
18.4 H.323	177
18.4.1 H.323 Standard Overview	177
18.4.2 H.323 Components	177
18.4.3 H.323 Protocols	178
18.4.4 H.323 ALG Overview	179
18.4.5 Scenarios: H.323 ALG Configuration	180
19 Intrusion Detection System (IDS)	200
19.1 Overview	200
19.1.1 Intrusion Detection Rules	201
19.1.2 Pattern Matching	201
19.1.3 Action	201
19.2 Chain of Events	202
19.2.1 Scenario 1	202
19.2.2 Scenario 2	203
19.3 Signature Groups	205
19.4 Automatic Update of Signature Database	205
19.5 SMTP Log Receiver for IDS Events	206
19.6 Scenario: Setting up IDS	208
VIII Virtual Private Network (VPN)	210
20 VPN Basics	212
20.1 Introduction to VPN	212
20.1.1 VPNs vs Fixed Connections	212
20.2 Introduction to Cryptography	214
20.2.1 Encryption	214
20.2.2 Authentication & Integrity	217
20.3 Why VPN in Firewalls	219
20.3.1 VPN Deployment	220
21 VPN Planning	226
21.1 VPN Design Considerations	226
21.1.1 End Point Security	227
21.1.2 Key Distribution	229
22 VPN Protocols & Tunnels	232
22.1 IPsec	232
22.1.1 IPsec protocols	233
22.1.2 IPsec Modes	233
22.1.3 IKE	234
22.1.4 IKE Integrity & Authentication	238
22.1.5 Scenarios: IPSec Configuration	242
22.2 PPTP/ L2TP	247
22.2.1 PPTP	247
22.2.2 L2TP	253
22.3 SSL/TLS (HTTPS)	262
IX Traffic Management	264
23 Traffic Shaping	266
23.1 Overview	266
23.1.1 Functions	267
23.1.2 Features	268
23.2 Pipes	268
23.2.1 Precedences and Guarantees	269
23.2.2 Grouping Users of a Pipe	271
23.2.3 Dynamic Bandwidth Balancing	272
23.3 Pipe Rules	272
23.4 Scenarios: Setting up Traffic Shaping	272
24 Server Load Balancing (SLB)	280
24.1 Overview	280
24.1.1 The SLB Module	280
24.1.2 SLB Features	281
24.1.3 Benefits	282
24.2 SLB Implementation	283
24.2.1 Distribution Modes	283
24.2.2 Distribution Algorithms	283
24.2.3 Server Health Checks	284
24.2.4 Packets Flow by SAT	285
24.3 Scenario: Enabling SLB	285
X Misc. Features	288
25 Miscellaneous Clients	290
25.1 Overview	290
25.2 Dynamic DNS	290
25.3 Automatic Client Login	291
25.4 HTTP Poster	292
25.4.1 URL Format	292
26 DHCP Server & Relayer	294
26.1 DHCP Server	294
26.2 DHCP Relayer	296
XI Transparent Mode	298
27 Transparent Mode	300
27.1 Overview	300
27.2 Transparent Mode Implementation in D-Link Firewalls	301
27.3 Scenarios: Enabling Transparent Mode	303
XII Zone Defense	310
28 Zone Defense	312
28.1 Overview	312
28.2 Zone Defense Switches	312
28.2.1 SNMP	313
28.3 Threshold Rules	314
28.4 Manual Blocking & Exclude Lists	314
28.5 Limitations	315
28.6 Scenario: Setting Up Zone Defense	315
XIII High Availability	318
29 High Availability	320
29.1 High Availability Basics	320
29.1.1 What High Availability will do for you	320
29.1.2 What High Availability will NOT do for you	321
29.1.3 Example High Availability setup	322
29.2 How Rapid Failover is Accomplished	322
29.2.1 The shared IP address and the failover mechanism	323
29.2.2 Cluster heartbeats	324
29.2.3 The synchronization interface	325
29.3 Setting up a High Availability Cluster	325
29.3.1 Planning the High Availability cluster	326
29.3.2 Creating a High Availability cluster	326
29.4 Things to Keep in Mind	328
29.4.1 Statistics and Logging Issues	328
29.4.2 Configuration Issues	329
XIV Appendix	330
A Console Commands Reference	334
List of Commands	334
About	334
Access	335
ARP	335
ARPSnoop	336
Buffers	336
Certcache	337
CfgLog	338
Connections	338
Cpuid	339
DHCP	339
DHCPRelay	340
DHCPServer	340
DynRoute	340
Frags	341
HA	341
HTTPPoster	341
Ifacegroups	342
IfStat	342
Ikesnoop	343
Ipseckeepalive	344
IPSectunnels	344
IPSecstats	344
Killsa	345
License	345
Lockdown	346
Loghosts	346
Memory	346
Netcon	346
Netobjects	347
OSPF	347
Ping	348
Pipes	348
Proplists	349
ReConfigure	349
Remotes	350
Routes	350
Rules	351
Scrsave	351
Services	352
Shutdown	352
Sysmsgs	352
Settings	352
Stats	354
Time	355
Uarules	355
Userauth	355
Userdb	356
Vlan	357

Match case Limit results 1 per page

22.1. IPsec

221

X.509 Certiﬁcate

The other option for primary authentication is to use

X.509 Certiﬁcate

within each VPN gateway. To prove the identity, each gateway owns a

certiﬁcate signed by a trusted CA. The certiﬁcate proves that the public

key attached to it truly belongs to the gateway holder, and every gateway

also keeps a copy of CA’s public key to be able to trust the CA and

validate the certiﬁcates of other gateways issued from that CA.

Compared to the use of PSK, certiﬁcates are more ﬂexible. Many VPN

clients, for instance, can be managed without having the same pre-shared

key conﬁgured on all of them, which is often the case when using pre-shared

keys and roaming clients. Instead, should a client be compromised, the

client’s certiﬁcate can simply be revoked. No need to reconﬁgure every

client. But complexity is also added by this method. Certiﬁcate-based

authentication may be used as part of a larger infrastructure, making all

VPN clients and gateways dependent on third parties. In other words,

there are more things that have to be conﬁgured, and there are more things

that can go wrong.

Identiﬁcation Lists (ID Lists)

When X.509 certiﬁcates are used as authentication method, the ﬁrewall will

accept all remote gateways or VPN clients that are capable of presenting a

certiﬁcate signed by any of the trusted Certiﬁcate Authorities(CAs). This

can be a potential problem, especially when using roaming clients.

Consider a scenario where employees on the road shall be given access to

the internal corporate networks using VPN clients. The organization

administers their own CA, and certiﬁcates have been issued to the

employees. Diﬀerent groups of employees are likely to have access to

diﬀerent parts of the internal networks. For instance, members of the sales

force need access to servers running the order system, while technical

engineers need access to technical databases.

As the IP addresses of the travelling employees VPN clients cannot be

foreseen, the incoming VPN connections from the clients cannot be

diﬀerentiated. This means that the ﬁrewall is unable to control the access

to various parts of the internal networks.

The concept of

Identiﬁcation Lists(ID Lists)

presents a solution to this

problem. An identiﬁcation list contains one or more conﬁgurable

D-Link Firewalls User’s Guide