Home » D-Link Manuals » Networking » D-Link DFL-2500 » Manual Viewer

D-Link DFL-2500 User Guide - Page 69

Validity Time, Certiﬁcate Revocation Lists CRL, Trusting Certiﬁcates

Add to My Manuals
Save this manual to your list of manuals

Page 69 highlights

50 Chapter 8. Logical Objects from the user certificate up to the trusted root certificate has to be examined before establishing the validity of the user certificate. The CA certificate is just like any other certificates, except that it allows the corresponding private key to sign other certificates. Should the private key of the CA be compromised, the whole CA, including every certificate it has signed, is also compromised. Validity Time A certificate is not valid forever. Each certificate contains the dates between which the certificate is valid. When this validity period expires, the certificate can no longer be used, and a new certificate has to be issued. Certificate Revocation Lists (CRL) A certificate revocation list (CRL) contains a list of all certificates that has been cancelled before their expiration date. This can happen for several reasons. One reason could be that the keys of the certificate have been compromised in some way, or perhaps that the owner of the certificate has lost the rights to authenticate using that certificate. This could happen, for instance, if an employee has left the company from whom the certificate was issued. A CRL is regularly published on a server that all certificate users can access, using either the LDAP or HTTP protocols. Certificates often contain a CRL Distribution Point (CDP) field, which specifies the location from where the CRL can be downloaded. In some cases certificates do not contain this field. In those cases the location of the CRL has to be configured manually. See 22.1.4, LDAP . The CA updates its CRL at a given interval. The length of this interval depends on how the CA is configured. Typically, this is somewhere between an hour to several days. Trusting Certificates When using certificates, the firewall trusts anyone whose certificate is signed by a given CA. Before a certificate is accepted, the following steps are taken to verify the validity of the certificate: - Construct a certification path up to the trusted root CA. D-Link Firewalls User's Guide

Section	Page
I Preface	16
Document Version	18
Disclaimer	18
About this Document	18
Typographical Conventions	19
II Product Overview	20
1 Capabilities	22
1.1 Product Highlights	22
III Introduction to Networking	24
2 The OSI model	26
3 Firewall Principles	28
3.1 The Role of the Firewall	28
3.1.1 What is a Firewall?	28
3.1.2 How does a Firewall work?	28
3.2 What does a Firewall NOT protect against?	29
3.2.1 Attacks on Insecure pre-installed Components	30
3.2.2 Inexperienced Users on protected Networks	30
3.2.3 Data-Driven Network Attacks	30
3.2.4 Internal Attacks	32
3.2.5 Modems and VPN Connection	32
3.2.6 Holes between DMZs and Internal Networks	33
IV Administration	36
4 Configuration Platform	38
4.1 Configuring Via WebUI	38
4.1.1 Overview	38
4.1.2 Interface Layout	38
4.1.3 Configuration Operations	41
4.2 Monitoring Via CLI	42
5 Logging	44
5.1 Overview	44
5.1.1 Importance & Capability	44
5.1.2 Events	45
5.2 Log Receivers	47
5.2.1 Syslog Receiver	47
5.2.2 Memory Log Receiver	48
5.2.3 SMTP Event Receiver	48
6 Maintenance	50
6.1 Firmware Upgrades	50
6.2 Reset To Factory Defaults	51
6.3 Backup Configuration	53
7 Advanced Settings	54
7.1 Overview	54
V Fundamentals	56
8 Logical Objects	58
8.1 Address Book	58
8.1.1 IP address	58
8.1.2 Ethernet address	60
8.2 Services	60
8.2.1 Service Types	61
8.2.2 Error Report & Connection Protection	65
8.3 Schedules	67
8.4 X.509 Certificates	68
8.4.1 Introduction to Certificates	68
8.4.2 X.509 Certificates in D-Link Firewall	70
9 Interfaces	72
9.1 Ethernet	72
9.1.1 Ethernet Interfaces	72
9.1.2 Ethernet Interfaces in D-Link Firewalls	73
9.2 Virtual LAN (VLAN)	75
9.2.1 VLAN Infrastructure	75
9.2.2 802.1Q VLAN Standard	76
9.2.3 VLAN Implementation	77
9.2.4 Using Virtual LANs to Expand Firewall Interfaces	78
9.3 DHCP	79
9.3.1 DHCP Client	79
9.4 PPPoE	80
9.4.1 PPP	81
9.4.2 PPPoE Client Configuration	81
9.5 Interface Groups	84
9.6 ARP	85
9.6.1 ARP Table	85
10 Routing	88
10.1 Overview	88
10.2 Routing Hierarchy	89
10.3 Routing Algorithms	90
10.3.1 Static Routing	90
10.3.2 Dynamic Routing	91
10.3.3 OSPF	93
10.4 Route Failover	96
10.4.1 Scenario: Route Failover Configuration	97
10.5 Dynamic Routing Implementation	100
10.5.1 OSPF Process	100
10.5.2 Dynamic Routing Policy	100
10.5.3 Scenarios: Dynamic Routing Configuration	101
10.6 Scenario: Static Routing Configuration	106
10.7 Policy Based Routing(PBR)	107
10.7.1 Overview	107
10.7.2 Policy-based Routing Tables	108
10.7.3 Policy-based Routing Policy	108
10.7.4 PBR Execution	108
10.7.5 Scenario: PBR Configuration	110
10.8 Proxy ARP	113
11 Date & Time	114
11.1 Setting the Date and Time	115
11.1.1 Current Date and Time	115
11.1.2 Time Zone	115
11.1.3 Daylight Saving Time(DST)	116
11.2 Time Synchronization	117
11.2.1 Time Synchronization Protocols	117
11.2.2 Timeservers	117
11.2.3 Maximum Adjustment	118
11.2.4 Synchronization Interval	118
12 DNS	120
13 Log Settings	122
13.1 Implementation	122
13.1.1 Defining Syslog Receiver	122
13.1.2 Enabling Logging	123
VI Security Polices	126
14 IP Rules	128
14.1 Overview	128
14.1.1 Fields	129
14.1.2 Action types	130
14.2 Address Translation	131
14.2.1 Overview	131
14.2.2 NAT	131
14.2.3 Address translation in D-Link Firewall	133
14.3 Scenarios: IP Rules Configuration	135
15 Access (Anti-spoofing)	142
15.1 Overview	142
15.1.1 IP Spoofing	142
15.1.2 Anti-spoofing	143
15.2 Access Rule	143
15.2.1 Function	143
15.2.2 Settings	143
15.3 Scenario: Setting up Access Rule	145
16 DMZ & Port Forwarding	146
16.1 General	146
16.1.1 Concepts	146
16.1.2 DMZ Planning	148
16.1.3 Benefits	149
17 User Authentication	150
17.1 Authentication Overview	150
17.1.1 Authentication Methods	150
17.1.2 Password Criterion	151
17.1.3 User Types	152
17.2 Authentication Components	153
17.2.1 Local User Database(UserDB)	153
17.2.2 External Authentication Server	153
17.2.3 Authentication Agents	154
17.2.4 Authentication Rules	155
17.3 Authentication Process	156
17.4 Scenarios: User Authentication Configuration	156
VII Content Inspection	164
18 Application Layer Gateway (ALG)	166
18.1 Overview	166
18.2 FTP	167
18.2.1 FTP Connections	167
18.2.2 Scenarios: FTP ALG Configuration	169
18.3 HTTP	174
18.3.1 Components & Security Issues	174
18.3.2 Solution	175
18.4 H.323	177
18.4.1 H.323 Standard Overview	177
18.4.2 H.323 Components	177
18.4.3 H.323 Protocols	178
18.4.4 H.323 ALG Overview	179
18.4.5 Scenarios: H.323 ALG Configuration	180
19 Intrusion Detection System (IDS)	200
19.1 Overview	200
19.1.1 Intrusion Detection Rules	201
19.1.2 Pattern Matching	201
19.1.3 Action	201
19.2 Chain of Events	202
19.2.1 Scenario 1	202
19.2.2 Scenario 2	203
19.3 Signature Groups	205
19.4 Automatic Update of Signature Database	205
19.5 SMTP Log Receiver for IDS Events	206
19.6 Scenario: Setting up IDS	208
VIII Virtual Private Network (VPN)	210
20 VPN Basics	212
20.1 Introduction to VPN	212
20.1.1 VPNs vs Fixed Connections	212
20.2 Introduction to Cryptography	214
20.2.1 Encryption	214
20.2.2 Authentication & Integrity	217
20.3 Why VPN in Firewalls	219
20.3.1 VPN Deployment	220
21 VPN Planning	226
21.1 VPN Design Considerations	226
21.1.1 End Point Security	227
21.1.2 Key Distribution	229
22 VPN Protocols & Tunnels	232
22.1 IPsec	232
22.1.1 IPsec protocols	233
22.1.2 IPsec Modes	233
22.1.3 IKE	234
22.1.4 IKE Integrity & Authentication	238
22.1.5 Scenarios: IPSec Configuration	242
22.2 PPTP/ L2TP	247
22.2.1 PPTP	247
22.2.2 L2TP	253
22.3 SSL/TLS (HTTPS)	262
IX Traffic Management	264
23 Traffic Shaping	266
23.1 Overview	266
23.1.1 Functions	267
23.1.2 Features	268
23.2 Pipes	268
23.2.1 Precedences and Guarantees	269
23.2.2 Grouping Users of a Pipe	271
23.2.3 Dynamic Bandwidth Balancing	272
23.3 Pipe Rules	272
23.4 Scenarios: Setting up Traffic Shaping	272
24 Server Load Balancing (SLB)	280
24.1 Overview	280
24.1.1 The SLB Module	280
24.1.2 SLB Features	281
24.1.3 Benefits	282
24.2 SLB Implementation	283
24.2.1 Distribution Modes	283
24.2.2 Distribution Algorithms	283
24.2.3 Server Health Checks	284
24.2.4 Packets Flow by SAT	285
24.3 Scenario: Enabling SLB	285
X Misc. Features	288
25 Miscellaneous Clients	290
25.1 Overview	290
25.2 Dynamic DNS	290
25.3 Automatic Client Login	291
25.4 HTTP Poster	292
25.4.1 URL Format	292
26 DHCP Server & Relayer	294
26.1 DHCP Server	294
26.2 DHCP Relayer	296
XI Transparent Mode	298
27 Transparent Mode	300
27.1 Overview	300
27.2 Transparent Mode Implementation in D-Link Firewalls	301
27.3 Scenarios: Enabling Transparent Mode	303
XII Zone Defense	310
28 Zone Defense	312
28.1 Overview	312
28.2 Zone Defense Switches	312
28.2.1 SNMP	313
28.3 Threshold Rules	314
28.4 Manual Blocking & Exclude Lists	314
28.5 Limitations	315
28.6 Scenario: Setting Up Zone Defense	315
XIII High Availability	318
29 High Availability	320
29.1 High Availability Basics	320
29.1.1 What High Availability will do for you	320
29.1.2 What High Availability will NOT do for you	321
29.1.3 Example High Availability setup	322
29.2 How Rapid Failover is Accomplished	322
29.2.1 The shared IP address and the failover mechanism	323
29.2.2 Cluster heartbeats	324
29.2.3 The synchronization interface	325
29.3 Setting up a High Availability Cluster	325
29.3.1 Planning the High Availability cluster	326
29.3.2 Creating a High Availability cluster	326
29.4 Things to Keep in Mind	328
29.4.1 Statistics and Logging Issues	328
29.4.2 Configuration Issues	329
XIV Appendix	330
A Console Commands Reference	334
List of Commands	334
About	334
Access	335
ARP	335
ARPSnoop	336
Buffers	336
Certcache	337
CfgLog	338
Connections	338
Cpuid	339
DHCP	339
DHCPRelay	340
DHCPServer	340
DynRoute	340
Frags	341
HA	341
HTTPPoster	341
Ifacegroups	342
IfStat	342
Ikesnoop	343
Ipseckeepalive	344
IPSectunnels	344
IPSecstats	344
Killsa	345
License	345
Lockdown	346
Loghosts	346
Memory	346
Netcon	346
Netobjects	347
OSPF	347
Ping	348
Pipes	348
Proplists	349
ReConfigure	349
Remotes	350
Routes	350
Rules	351
Scrsave	351
Services	352
Shutdown	352
Sysmsgs	352
Settings	352
Stats	354
Time	355
Uarules	355
Userauth	355
Userdb	356
Vlan	357

Match case Limit results 1 per page

Chapter 8. Logical Objects

from the user certiﬁcate up to the trusted root certiﬁcate has to be

examined before establishing the validity of the user certiﬁcate.

The CA certiﬁcate is just like any other certiﬁcates, except that it allows

the corresponding private key to sign other certiﬁcates. Should the private

key of the CA be compromised, the whole CA, including every certiﬁcate it

has signed, is also compromised.

Validity Time

A certiﬁcate is not valid forever. Each certiﬁcate contains the dates

between which the certiﬁcate is valid. When this validity period expires,

the certiﬁcate can no longer be used, and a new certiﬁcate has to be issued.

Certiﬁcate Revocation Lists (CRL)

A certiﬁcate revocation list (CRL) contains a list of all certiﬁcates that has

been cancelled before their expiration date. This can happen for several

reasons. One reason could be that the keys of the certiﬁcate have been

compromised in some way, or perhaps that the owner of the certiﬁcate has

lost the rights to authenticate using that certiﬁcate. This could happen, for

instance, if an employee has left the company from whom the certiﬁcate

was issued.

A CRL is regularly published on a server that all certiﬁcate users can

access, using either the LDAP or HTTP protocols.

Certiﬁcates often contain a CRL Distribution Point (CDP) ﬁeld, which

speciﬁes the location from where the CRL can be downloaded. In some

cases certiﬁcates do not contain this ﬁeld. In those cases the location of the

CRL has to be conﬁgured manually. See

22.1.4

LDAP

The CA updates its CRL at a given interval. The length of this interval

depends on how the CA is conﬁgured. Typically, this is somewhere between

an hour to several days.

Trusting Certiﬁcates

When using certificates, the firewall trusts anyone whose certificate is

signed by a given CA. Before a certiﬁcate is accepted, the following steps

are taken to verify the validity of the certiﬁcate:

- Construct a certiﬁcation path up to the trusted root CA.

D-Link Firewalls User’s Guide