Home » D-Link Manuals » Networking » D-Link DFL-2500 » Manual Viewer

D-Link DFL-2500 User Guide - Page 61

Service Types

Add to My Manuals
Save this manual to your list of manuals

Page 61 highlights

42 Chapter 8. Logical Objects one user's program to other parties in a network. At this layer, other parties are identified and can be reached by specific application protocol types and corresponding parameters, such as port numbers. For example, the Web-browsing service HTTP is defined as to use the TCP protocol with destination port 80. Some of the other popular services at this layer include FTP, POP3, SMTP, Telnet, and so on. Beside these officially defined applications, user customized services can also be created in D-Link firewalls. Services are simplistic, in that they cannot carry out any action in the firewall on their own. Thus, a service definition does not include any information whether the service should be allowed through the firewall or not. That decision is made entirely by the firewall's IP rules, in which the service is used as a filter parameter. For more information about how to use services in rules, please see 14 IP Rules. 8.2.1 Service Types In D-Link firewalls, services can be configured via three options: TCP/UDP, ICMP, and IP Protocol service. A service is basically defined by a descriptive name, the type of the protocol, and protocol parameters. Different services can be united into one Service Group to simplify policy configuration, so that the administrators do not need to configure one rule for every service. TCP and UDP based services Service applications most commonly run on TCP or UDP, and are often associated with a well-known port number. In the firewall, they are defined by the type of protocol that the application uses, and the assigned port number or port range. For many services, a single destination port is sufficient. The HTTP service, for instance, uses TCP destination port 80, Telnet uses TCP 23, and SMTP uses TCP 25. In these cases, all ports (0-65535) will be accepted as source ports. Multiple ports or port ranges may also be set, for instance, a service can be defined as having source ports 1024-65535 and destination ports 80-82, 90-92, 95. In this case, a TCP or UDP packet with the destination port being one of 80, 81, 82, 90, 91, 92 or 95, and the source port being in the range 1024-65535, will match this service. D-Link Firewalls User's Guide

Section	Page
I Preface	16
Document Version	18
Disclaimer	18
About this Document	18
Typographical Conventions	19
II Product Overview	20
1 Capabilities	22
1.1 Product Highlights	22
III Introduction to Networking	24
2 The OSI model	26
3 Firewall Principles	28
3.1 The Role of the Firewall	28
3.1.1 What is a Firewall?	28
3.1.2 How does a Firewall work?	28
3.2 What does a Firewall NOT protect against?	29
3.2.1 Attacks on Insecure pre-installed Components	30
3.2.2 Inexperienced Users on protected Networks	30
3.2.3 Data-Driven Network Attacks	30
3.2.4 Internal Attacks	32
3.2.5 Modems and VPN Connection	32
3.2.6 Holes between DMZs and Internal Networks	33
IV Administration	36
4 Configuration Platform	38
4.1 Configuring Via WebUI	38
4.1.1 Overview	38
4.1.2 Interface Layout	38
4.1.3 Configuration Operations	41
4.2 Monitoring Via CLI	42
5 Logging	44
5.1 Overview	44
5.1.1 Importance & Capability	44
5.1.2 Events	45
5.2 Log Receivers	47
5.2.1 Syslog Receiver	47
5.2.2 Memory Log Receiver	48
5.2.3 SMTP Event Receiver	48
6 Maintenance	50
6.1 Firmware Upgrades	50
6.2 Reset To Factory Defaults	51
6.3 Backup Configuration	53
7 Advanced Settings	54
7.1 Overview	54
V Fundamentals	56
8 Logical Objects	58
8.1 Address Book	58
8.1.1 IP address	58
8.1.2 Ethernet address	60
8.2 Services	60
8.2.1 Service Types	61
8.2.2 Error Report & Connection Protection	65
8.3 Schedules	67
8.4 X.509 Certificates	68
8.4.1 Introduction to Certificates	68
8.4.2 X.509 Certificates in D-Link Firewall	70
9 Interfaces	72
9.1 Ethernet	72
9.1.1 Ethernet Interfaces	72
9.1.2 Ethernet Interfaces in D-Link Firewalls	73
9.2 Virtual LAN (VLAN)	75
9.2.1 VLAN Infrastructure	75
9.2.2 802.1Q VLAN Standard	76
9.2.3 VLAN Implementation	77
9.2.4 Using Virtual LANs to Expand Firewall Interfaces	78
9.3 DHCP	79
9.3.1 DHCP Client	79
9.4 PPPoE	80
9.4.1 PPP	81
9.4.2 PPPoE Client Configuration	81
9.5 Interface Groups	84
9.6 ARP	85
9.6.1 ARP Table	85
10 Routing	88
10.1 Overview	88
10.2 Routing Hierarchy	89
10.3 Routing Algorithms	90
10.3.1 Static Routing	90
10.3.2 Dynamic Routing	91
10.3.3 OSPF	93
10.4 Route Failover	96
10.4.1 Scenario: Route Failover Configuration	97
10.5 Dynamic Routing Implementation	100
10.5.1 OSPF Process	100
10.5.2 Dynamic Routing Policy	100
10.5.3 Scenarios: Dynamic Routing Configuration	101
10.6 Scenario: Static Routing Configuration	106
10.7 Policy Based Routing(PBR)	107
10.7.1 Overview	107
10.7.2 Policy-based Routing Tables	108
10.7.3 Policy-based Routing Policy	108
10.7.4 PBR Execution	108
10.7.5 Scenario: PBR Configuration	110
10.8 Proxy ARP	113
11 Date & Time	114
11.1 Setting the Date and Time	115
11.1.1 Current Date and Time	115
11.1.2 Time Zone	115
11.1.3 Daylight Saving Time(DST)	116
11.2 Time Synchronization	117
11.2.1 Time Synchronization Protocols	117
11.2.2 Timeservers	117
11.2.3 Maximum Adjustment	118
11.2.4 Synchronization Interval	118
12 DNS	120
13 Log Settings	122
13.1 Implementation	122
13.1.1 Defining Syslog Receiver	122
13.1.2 Enabling Logging	123
VI Security Polices	126
14 IP Rules	128
14.1 Overview	128
14.1.1 Fields	129
14.1.2 Action types	130
14.2 Address Translation	131
14.2.1 Overview	131
14.2.2 NAT	131
14.2.3 Address translation in D-Link Firewall	133
14.3 Scenarios: IP Rules Configuration	135
15 Access (Anti-spoofing)	142
15.1 Overview	142
15.1.1 IP Spoofing	142
15.1.2 Anti-spoofing	143
15.2 Access Rule	143
15.2.1 Function	143
15.2.2 Settings	143
15.3 Scenario: Setting up Access Rule	145
16 DMZ & Port Forwarding	146
16.1 General	146
16.1.1 Concepts	146
16.1.2 DMZ Planning	148
16.1.3 Benefits	149
17 User Authentication	150
17.1 Authentication Overview	150
17.1.1 Authentication Methods	150
17.1.2 Password Criterion	151
17.1.3 User Types	152
17.2 Authentication Components	153
17.2.1 Local User Database(UserDB)	153
17.2.2 External Authentication Server	153
17.2.3 Authentication Agents	154
17.2.4 Authentication Rules	155
17.3 Authentication Process	156
17.4 Scenarios: User Authentication Configuration	156
VII Content Inspection	164
18 Application Layer Gateway (ALG)	166
18.1 Overview	166
18.2 FTP	167
18.2.1 FTP Connections	167
18.2.2 Scenarios: FTP ALG Configuration	169
18.3 HTTP	174
18.3.1 Components & Security Issues	174
18.3.2 Solution	175
18.4 H.323	177
18.4.1 H.323 Standard Overview	177
18.4.2 H.323 Components	177
18.4.3 H.323 Protocols	178
18.4.4 H.323 ALG Overview	179
18.4.5 Scenarios: H.323 ALG Configuration	180
19 Intrusion Detection System (IDS)	200
19.1 Overview	200
19.1.1 Intrusion Detection Rules	201
19.1.2 Pattern Matching	201
19.1.3 Action	201
19.2 Chain of Events	202
19.2.1 Scenario 1	202
19.2.2 Scenario 2	203
19.3 Signature Groups	205
19.4 Automatic Update of Signature Database	205
19.5 SMTP Log Receiver for IDS Events	206
19.6 Scenario: Setting up IDS	208
VIII Virtual Private Network (VPN)	210
20 VPN Basics	212
20.1 Introduction to VPN	212
20.1.1 VPNs vs Fixed Connections	212
20.2 Introduction to Cryptography	214
20.2.1 Encryption	214
20.2.2 Authentication & Integrity	217
20.3 Why VPN in Firewalls	219
20.3.1 VPN Deployment	220
21 VPN Planning	226
21.1 VPN Design Considerations	226
21.1.1 End Point Security	227
21.1.2 Key Distribution	229
22 VPN Protocols & Tunnels	232
22.1 IPsec	232
22.1.1 IPsec protocols	233
22.1.2 IPsec Modes	233
22.1.3 IKE	234
22.1.4 IKE Integrity & Authentication	238
22.1.5 Scenarios: IPSec Configuration	242
22.2 PPTP/ L2TP	247
22.2.1 PPTP	247
22.2.2 L2TP	253
22.3 SSL/TLS (HTTPS)	262
IX Traffic Management	264
23 Traffic Shaping	266
23.1 Overview	266
23.1.1 Functions	267
23.1.2 Features	268
23.2 Pipes	268
23.2.1 Precedences and Guarantees	269
23.2.2 Grouping Users of a Pipe	271
23.2.3 Dynamic Bandwidth Balancing	272
23.3 Pipe Rules	272
23.4 Scenarios: Setting up Traffic Shaping	272
24 Server Load Balancing (SLB)	280
24.1 Overview	280
24.1.1 The SLB Module	280
24.1.2 SLB Features	281
24.1.3 Benefits	282
24.2 SLB Implementation	283
24.2.1 Distribution Modes	283
24.2.2 Distribution Algorithms	283
24.2.3 Server Health Checks	284
24.2.4 Packets Flow by SAT	285
24.3 Scenario: Enabling SLB	285
X Misc. Features	288
25 Miscellaneous Clients	290
25.1 Overview	290
25.2 Dynamic DNS	290
25.3 Automatic Client Login	291
25.4 HTTP Poster	292
25.4.1 URL Format	292
26 DHCP Server & Relayer	294
26.1 DHCP Server	294
26.2 DHCP Relayer	296
XI Transparent Mode	298
27 Transparent Mode	300
27.1 Overview	300
27.2 Transparent Mode Implementation in D-Link Firewalls	301
27.3 Scenarios: Enabling Transparent Mode	303
XII Zone Defense	310
28 Zone Defense	312
28.1 Overview	312
28.2 Zone Defense Switches	312
28.2.1 SNMP	313
28.3 Threshold Rules	314
28.4 Manual Blocking & Exclude Lists	314
28.5 Limitations	315
28.6 Scenario: Setting Up Zone Defense	315
XIII High Availability	318
29 High Availability	320
29.1 High Availability Basics	320
29.1.1 What High Availability will do for you	320
29.1.2 What High Availability will NOT do for you	321
29.1.3 Example High Availability setup	322
29.2 How Rapid Failover is Accomplished	322
29.2.1 The shared IP address and the failover mechanism	323
29.2.2 Cluster heartbeats	324
29.2.3 The synchronization interface	325
29.3 Setting up a High Availability Cluster	325
29.3.1 Planning the High Availability cluster	326
29.3.2 Creating a High Availability cluster	326
29.4 Things to Keep in Mind	328
29.4.1 Statistics and Logging Issues	328
29.4.2 Configuration Issues	329
XIV Appendix	330
A Console Commands Reference	334
List of Commands	334
About	334
Access	335
ARP	335
ARPSnoop	336
Buffers	336
Certcache	337
CfgLog	338
Connections	338
Cpuid	339
DHCP	339
DHCPRelay	340
DHCPServer	340
DynRoute	340
Frags	341
HA	341
HTTPPoster	341
Ifacegroups	342
IfStat	342
Ikesnoop	343
Ipseckeepalive	344
IPSectunnels	344
IPSecstats	344
Killsa	345
License	345
Lockdown	346
Loghosts	346
Memory	346
Netcon	346
Netobjects	347
OSPF	347
Ping	348
Pipes	348
Proplists	349
ReConfigure	349
Remotes	350
Routes	350
Rules	351
Scrsave	351
Services	352
Shutdown	352
Sysmsgs	352
Settings	352
Stats	354
Time	355
Uarules	355
Userauth	355
Userdb	356
Vlan	357

Match case Limit results 1 per page

Chapter 8. Logical Objects

one user’s program to other parties in a network. At this layer, other

parties are identiﬁed and can be reached by speciﬁc

application protocol

types

and corresponding parameters, such as

port numbers

. For

example, the Web-browsing service HTTP is deﬁned as to use the

TCP

protocol

with destination

port 80

. Some of the other popular services at this

layer include FTP, POP3, SMTP, Telnet, and so on. Beside these oﬃcially

deﬁned applications, user customized services can also be created in D-Link

ﬁrewalls.

Services are simplistic, in that they cannot carry out any action in the

ﬁrewall on their own. Thus, a service deﬁnition does not include any

information whether the service should be allowed through the ﬁrewall or

not. That decision is made entirely by the ﬁrewall’s

IP rules

, in which the

service is used as a ﬁlter parameter. For more information about how to

use services in rules, please see

14 IP Rules

8.2.1

Service Types

In D-Link ﬁrewalls, services can be conﬁgured via three options:

TCP/UDP, ICMP,

and

IP Protocol

service. A service is basically deﬁned

by a descriptive

name

, the

type

of the protocol, and protocol

parameters

Diﬀerent services can be united into one

Service Group

to simplify policy

conﬁguration, so that the administrators do not need to conﬁgure one rule

for every service.

TCP and UDP based services

Service applications most commonly run on TCP or UDP, and are often

associated with a well-known port number. In the ﬁrewall, they are deﬁned

by the type of protocol that the application uses, and the assigned port

number or port range. For many services, a single

destination port

suﬃcient. The HTTP service, for instance, uses TCP destination port 80,

Telnet uses TCP 23, and SMTP uses TCP 25. In these cases, all ports

(0-65535) will be accepted as source ports.

Multiple

ports

port ranges

may also be set, for instance, a service can

be deﬁned as having source ports 1024-65535 and destination ports 80-82,

90-92, 95. In this case, a TCP or UDP packet with the destination port

being one of 80, 81, 82, 90, 91, 92 or 95, and the source port being in the

range 1024-65535, will match this service.

D-Link Firewalls User’s Guide