D-Link NetDefendOS User Manual

Network security firewall

Network Security Firewall
User Manual
NetDefendOS
Security
Security
Ver.
11.04.01
Network Security Solution
http://www.dlink.com

Summary of Contents for D-Link NetDefendOS

  • Page 1 Network Security Firewall User Manual NetDefendOS Security Security Ver. 11.04.01 Network Security Solution http://www.dlink.com...
  • Page 2: User Manual

    User Manual DFL-260E/860E/870/1660/2560/2560G NetDefendOS Version 11.04.01 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2016-10-03 Copyright © 2016...
  • Page 3 EVEN IF D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE PRODUCT.
  • Page 4: Table Of Contents

    1.2.1. State-based Architecture .............. 24 1.2.2. NetDefendOS Building Blocks ............24 1.2.3. Basic Packet Flow ................. 25 1.3. NetDefendOS State Engine Packet Flow ............. 28 2. Management and Maintenance ................33 2.1. Managing NetDefendOS ................. 33 2.1.1. Overview ..................33 2.1.2.
  • Page 5 User Manual 2.6.9. The selftest Command ..............133 2.7. Maintenance ..................135 2.7.1. Version Update Alerts ..............135 2.7.2. Auto-Update Mechanism ............136 2.7.3. Backing Up Configurations ............136 2.7.4. Restore to Factory Defaults ............139 2.8. Languages ..................141 2.9.
  • Page 6 User Manual 4. Routing ......................285 4.1. Overview .................... 285 4.2. Static Routing ..................286 4.2.1. The Principles of Routing ............286 4.2.2. Static Routing ................290 4.2.3. Route Failover ................296 4.2.4. Host Monitoring for Route Failover ..........299 4.2.5.
  • Page 7 User Manual 6.2.5. The TFTP ALG ................447 6.2.6. The SMTP ALG ................448 6.2.7. The POP3 ALG ................457 6.2.8. The PPTP ALG ................461 6.2.9. The SIP ALG ................463 6.2.10. The H.323 ALG ................. 479 6.2.11. The TLS ALG ................500 6.3.
  • Page 8 User Manual 8.2.1. Setup Summary ................. 610 8.2.2. Local User Databases ..............610 8.2.3. External RADIUS Servers ............. 614 8.2.4. External LDAP Servers ..............616 8.2.5. Authentication Rules ..............624 8.2.6. Authentication Processing ............626 8.2.7. HTTP Authentication ..............627 8.2.8.
  • Page 9 9.6.2. L2TPv3 Client ................748 9.7. SSL VPN ....................752 9.7.1. Overview .................. 752 9.7.2. Configuring SSL VPN in NetDefendOS ........... 753 9.7.3. Installing the SSL VPN Client ............755 9.7.4. SSL VPN Setup Example .............. 759 9.8. VPN Troubleshooting ................762 9.8.1.
  • Page 10 User Manual 11.4. HA Issues ..................834 11.5. Upgrading an HA Cluster ..............837 11.6. Link Monitoring and HA ..............839 11.7. HA Advanced Settings ................. 840 12. ZoneDefense ....................843 13. Advanced Settings ..................849 13.1. IP Level Settings ................. 849 13.2.
  • Page 11 3.9. Setting Up Loopback Interfaces with Routing Tables .......... 216 3.10. Components of Loopback Interface Setup ............217 3.11. An ARP Publish Ethernet Frame ..............225 3.12. Simplified NetDefendOS Traffic Flow ............. 231 3.13. Certificate Validation Components ..............278 4.1. A Typical Routing Scenario ................287 4.2.
  • Page 12 User Manual 6.11. Anti-Virus Malicious File Message ..............543 6.12. Anti-Virus Malicious URL Message ..............543 6.13. IDP Database Updating ................553 6.14. IDP Signature Selection ................555 7.1. NAT IP Address Translation ................576 7.2. A NAT Example .................... 578 7.3.
  • Page 13 2.20. Setting the Time Zone ................... 79 2.21. Enabling DST with the tz Database ..............80 2.22. Enabling DST Manually .................. 81 2.23. Using the D-Link Time Server ................. 83 2.24. Configuring Custom Time Servers ..............83 2.25. Manually Triggering a Time Synchronization ............ 84 2.26.
  • Page 14 User Manual 3.17. Adding an IP Protocol Service ............... 172 3.18. Creating a Service ..................173 3.19. Enabling Path MTU Discovery ............... 176 3.20. Link Aggregation ..................195 3.21. Defining a VLAN ..................198 3.22. Defining a Service VLAN ................200 3.23.
  • Page 15 User Manual 6.1. Setting up an Access Rule ................423 6.2. Using the Light Weight HTTP ALG ..............433 6.3. Protecting an FTP Server with an ALG .............. 440 6.4. Protecting FTP Clients ................... 444 6.5. SMTP ALG Setup ..................453 6.6.
  • Page 16 User Manual 9.13. Setting up an L2TP server ................731 9.14. Setting up an L2TP Tunnel Over IPsec ............732 9.15. L2TPv3 Server Setup ................... 743 9.16. L2TPv3 Server Setup With IPsec ..............744 9.17. L2TPv3 Server Setup For VLANs ..............746 9.18.
  • Page 17: Preface

    This guide contains a minimum of screenshots. This is deliberate and is done because the manual deals specifically with NetDefendOS and administrators have a choice of management user interfaces. It was decided that the manual would be less cluttered and easier to read if it concentrated on describing how NetDefendOS functions rather than including large numbers of screenshots showing how the various interfaces are used.
  • Page 18 Preface Web Interface The Web Interface actions for the example are shown here. They are also typically a numbered list showing what items need to be opened followed by information about the data items that need to be entered: Go to: Item X > Item Y > Item Z Now enter: •...
  • Page 19 Preface Certain names in this publication are the trademarks of their respective owners. Windows is either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Apple, Mac and Mac OS are trademarks of Apple Inc. registered in the United States and/or other countries.
  • Page 20: NetDefendOS Overview

    • NetDefendOS Architecture, page 24 • NetDefendOS State Engine Packet Flow, page 28 1.1. Features D-Link NetDefendOS is the base software engine that drives and controls the range of NetDefend Firewall hardware products. NetDefendOS as a Network Security Operating System Designed as a network security operating system, NetDefendOS features high throughput performance with high reliability plus super-granular control.
  • Page 21 Chapter 1: NetDefendOS Overview NetDefendOS supports features such as Virtual LANs, Route Monitoring, Proxy ARP and Transparency. For more information about this, see Chapter 4, Routing. Firewalling Policies NetDefendOS provides stateful inspection-based firewalling for a wide range of protocols such as TCP, UDP and ICMP.
  • Page 22 Operations and Maintenance Administrator management of NetDefendOS is possible through either a Web-based User Interface (the WebUI) or via a Command Line Interface (the CLI). NetDefendOS also provides detailed event and logging capabilities plus support for monitoring through SNMP. More detailed information about this topic can be found in Chapter 2, Management and Maintenance.
  • Page 23 More information about this topic can be found in Section 3.2, “IPv6 Support”. In addition to the list above, NetDefendOS includes a number of other features such as RADIUS Accounting, DHCP services, protection against Denial-of-Service (DoS) attacks, support for PPPoE, GRE, dynamic DNS services and much more.
  • Page 24: NetDefendOS Architecture

    By doing this, NetDefendOS is able to understand the context of the network traffic which enables it to perform in-depth traffic scanning, apply bandwidth management and a variety of other functions.
  • Page 25: Basic Packet Flow

    Finally, rules which are defined by the administrator in the various rule sets are used for actually implementing NetDefendOS security policies. The most fundamental set of rules are the IP Rules, which are used to define the layer 3 IP filtering policy as well as carrying out address translation and server load balancing.
  • Page 26 The Traffic Shaping and the Threshold Limit rule sets are now searched. If a match is found, the corresponding information is recorded with the state. This will enable proper traffic management on the connection. 10. From the information in the state, NetDefendOS now knows what to do with the incoming packet: •...
  • Page 27 If one is found, the packet is decapsulated and the payload (the plaintext) is sent into NetDefendOS again, now with source interface being the matched tunnel interface. In other words, the process continues at step 3 above.
  • Page 28: NetDefendOS State Engine Packet Flow

    Chapter 1: NetDefendOS Overview 1.3. NetDefendOS State Engine Packet Flow The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next. It is not necessary to understand these diagrams, however, they can be useful as a reference when configuring NetDefendOS in certain situations.
  • Page 29: Packet Flow Schematic Part II

    Chapter 1: NetDefendOS Overview Figure 1.2. Packet Flow Schematic Part II The packet flow is continued on the following page.
  • Page 30: Packet Flow Schematic Part III

    Chapter 1: NetDefendOS Overview Figure 1.3. Packet Flow Schematic Part III...
  • Page 31: Expanded Apply Rules Logic

    Chapter 1: NetDefendOS Overview Apply Rules The figure below presents the detailed logic of the Apply Rules function in Figure 1.2, “Packet Flow Schematic Part II” above. Figure 1.4. Expanded Apply Rules Logic...
  • Page 32 Chapter 1: NetDefendOS Overview...
  • Page 33: Management And Maintenance

    2.1. Managing NetDefendOS 2.1.1. Overview NetDefendOS is designed to give both high performance and high reliability. Not only does it provide an extensive feature set, it also enables the administrator to be in full control of almost every detail of the system. This means the product can be deployed in the most challenging environments.
  • Page 34: Configuring Management Access

    Chapter 2: Management and Maintenance • Web Interface The Web Interface (also known as the Web User Interface or WebUI) is built into NetDefendOS and provides a user-friendly and intuitive graphical management interface, accessible from a standard web browser. The browser connects to one of the hardware's Ethernet interfaces using HTTP or HTTPS (by default, only HTTPS is enabled) and NetDefendOS responds like a web server, allowing web pages to be used as the management interface.
  • Page 35 The Default Interface and IP for Management Access The default management interface chosen by NetDefendOS can be different depending on the hardware but is usually the first one found by NetDefendOS when the available interfaces are first scanned on initial startup.
  • Page 36 Preventing Loss of Management Access When the IP address of the management interface or a remote management rule is changed, there is a risk that the change can prevent further management access. NetDefendOS prevents this in the following ways: •...
  • Page 37: Changing The Management Validation Timeout

    Chapter 2: Management and Maintenance Example 2.1. Changing the Management Validation Timeout This example will change the validation timeout from its default value of 30 seconds to 60 seconds. Command-Line Interface gw-world:/> set Settings RemoteMgmtSettings NetconBiDirTimeout=60 Web Interface Go to: System > Device > Remote Management > Advanced Settings Set the following: •...
  • Page 38: Changing The Management Interface IP Address

    Chapter 2: Management and Maintenance Example 2.2. Changing the Management Interface IP Address This example will change the IPv4 address on the management If1 interface from 192.168.1.1 to 192.168.1.2. Since these belong to the same network, the network or the management policies do not need to be changed.
  • Page 39: Changing The HA Management IP Address

    Click OK HA Cluster Management IPs Must Be Different In a NetDefendOS high availability cluster, the management IPs should always be different on the master and slave units for their management interfaces. The shared IP address cannot be used for NetDefendOS management.
  • Page 40: Administrator Account

    Network: all-nets Click OK 2.1.3. Administrator Account By default, NetDefendOS has a local user database, AdminUsers, that contains one predefined administrator account. This account has the username admin with password admin. This account has full administrative read/write privileges for NetDefendOS.
  • Page 41: The Web Interface

    Chapter 2: Management and Maintenance NetDefendOS does not allow more than one administrator account to be logged in at the same time. If one administrator logs in, then a second or more (using different credentials) will be allowed to log in but they will only have audit privileges. In other words, the second or more administrators who log in will only be able to read configurations and will not be able to change them.
  • Page 42: Management Workstation Connection

    IPv4 address: 192.168.10.1. Note that the protocol must be https:// when accessing NetDefendOS for the first time (HTTP can be enabled later). With HTTPS, NetDefendOS will send back its own self-signed certificate for the encryption and the browser will ask the administrator to confirm that a security exception should be made.
  • Page 43 Chapter 2: Management and Maintenance The Web Interface prevents the caching of the password from the login credentials. This is also done in other NetDefendOS features where a password is requested through a browser screen. For example, with VPN authentication.
  • Page 44 Chapter 2: Management and Maintenance For information about the default user name and password, see Section 2.1.3, “Administrator Account”. Note: Security policies control remote management access Access to the Web Interface is regulated by the configured remote management policy. By default, the system will only allow web access from the internal network. For more information about this topic, see Section 2.1.2, “Configuring Management Access”.
  • Page 45 Web Interface menu option Configuration > Save and Activate. NetDefendOS will then perform a reconfigure operation which might cause only a slight, brief delay to current data traffic. To prevent a change locking out the administrator, NetDefendOS will revert to the old configuration if communication is lost with the web browser after a fixed time delay (30 seconds by default).
  • Page 46: The CLI

    If no specific route is set up for the management interface then all management traffic coming from NetDefendOS will automatically be routed into the VPN tunnel. If this is the case then a route should be added by the administrator to route management traffic destined for the management network to the correct interface.
  • Page 47 The most often used CLI commands are: • add - Adds an object such as an IP address or a rule to a NetDefendOS configuration. • set - Sets some property of an object to a value. For example, this might be used to set the source interface on an IP rule.
  • Page 48 For example, when creating an IP rule for a particular IP rule set, the command line might begin: gw-world:/> add IPRule If the tab key is now pressed, the mandatory parameters are displayed by NetDefendOS: A value is required for the following properties:...
  • Page 49 Chapter 2: Management and Maintenance broken into indented separate lines. In a console window they would appear as a single continuous line which folds at the right margin. For example, if the following command is typed: gw-world:/> add IPRule SourceInterface=If2 SourceNetwork=all-nets DestinationInterface=If2 DestinationNetwork=all-nets...
  • Page 50 If a command such as add is entered and then the tab key is pressed, NetDefendOS displays all the available categories. By choosing a category and then pressing tab again, all the object types for that category are displayed.
  • Page 51 The CLI will enforce unique naming within an object type. For reasons of backward compatibility to earlier NetDefendOS releases, an exception exists with IP rules which can have duplicate names, however it is strongly recommended to avoid this. If a duplicate IP rule name is used in two IP rules then only the Index value can uniquely identify each IP rule in subsequent CLI commands.
  • Page 52: Enabling SSH Remote Access

    SSH clients are freely available for almost all hardware platforms. NetDefendOS supports version 2 of the SSH protocol. SSH access is regulated by the remote management policy in NetDefendOS, and is disabled by default.
  • Page 53: Enabling SSH Authentication Using SSH Keys

    Install the key files into the SSH client. This may already have been done if the client was used to generate the keys. Upload the public key file to NetDefendOS using SCP. The file must be stored in the NetDefendOS folder called sshclientkeys (SCP and this folder are described further in Section 2.1.7, “Secure Copy”).
  • Page 54 Click OK Logging In to the CLI When access to the CLI has been established to NetDefendOS through the local console or an SSH client, the administrator will need to log on to the system before being able to execute any CLI command.
  • Page 55 Note: Examples in this guide assume activation will be performed Most of the examples in this guide deal with editing a NetDefendOS configuration. The final activation step is usually not explicitly stated.
  • Page 56 -reboot The -reboot option is rarely needed in normal circumstances and because it requires more time for the restart it is best not to use it. When NetDefendOS is upgraded the -reboot option is executed automatically during the upgrade process.
  • Page 57 -errors This will cause NetDefendOS to scan the configuration about to be activated and list any problems. A possible problem that might be found in this way is a reference to an IP object in the address book that does not exist in a restored configuration backup.
  • Page 58: CLI Scripts

    The sessionmanager command options are fully documented in the CLI Reference Guide. 2.1.6. CLI Scripts To allow the administrator to easily store and execute sets of CLI commands, NetDefendOS provides a feature called CLI scripting. A CLI script is a predefined sequence of CLI commands which can be executed after they are saved to a file and the file is then uploaded to the NetDefend Firewall.
  • Page 59 Chapter 2: Management and Maintenance The CLI script command is the tool used for script management and execution. The complete syntax of the command is described in the CLI Reference Guide and specific examples of usage are detailed in the following sections. See also Section 2.1.5, “The CLI”. Note: Uploaded scripts are lost after a restart Uploaded CLI script files are not held in permanent memory and will disappear after system restarts.
  • Page 60 When a script file is uploaded to the NetDefend Firewall, it is initially kept only in temporary RAM memory. If NetDefendOS restarts then any uploaded scripts will be lost from this volatile memory and must be uploaded again to run. To store a script between restarts, it must explicitly...
  • Page 61 If we already have a NetDefendOS installation that already has the objects configured that need to be copied, then running the script -create command on that installation provides a way to automatically create the required script file.
  • Page 62 Chapter 2: Management and Maintenance add IP4Address If1_br Address=10.6.60.255 add IP4Address If1_dns1 Address=141.1.1.1 " " " The file new_script_sgs can then be downloaded with SCP to the local management workstation and then uploaded and executed on the other NetDefend Firewalls. The end result is that all units will have the same IP4Address objects in their address book.
  • Page 63: Running A CLI Script From The Web Interface

    EthernetDevice • Device These node types are skipped when the script file is created and NetDefendOS gives the message No objects of selected category or type. Tip: Listing created script commands on the console To list the created CLI commands on the console instead of saving them to a file, leave out the option -name= in the script -create command.
  • Page 64: Secure Copy

    > scp <source_firewall> <local_filename> The source or destination NetDefend Firewall is of the form: <user_name>@<firewall_ip_address>:<filepath>. For example: admin@10.62.11.10:config.bak. The <user_name> must be a defined NetDefendOS user in the administrator user group. Note: SCP examples do not show the password prompt SCP will normally prompt for the user password after the command line but that prompt is not shown in the examples given here.
  • Page 65 However, these "directories" such as sshclientkeys should be more correctly thought of as object types. All the files stored in the NetDefendOS root as well as all the object types can be displayed using the CLI command ls.
  • Page 66: The Console Boot Menu

    Press any key to abort and load boot menu is displayed as shown below: If any console key is pressed during these 3 seconds then NetDefendOS startup pauses and the console boot menu is displayed.
  • Page 67: RADIUS Management Authentication

    (CLI). Initial Options with a Console Password Set If a console password is set then the initial options that appear when NetDefendOS loading is interrupted with a key press are shown below. The 1. Start firewall option resumes the interrupted NetDefendOS startup process. If the 2.
  • Page 68 If the RADIUS server is required to send the group membership, it is necessary to use the user group vendor specific attribute vendor when configuring the server. The NetDefendOS Vendor ID is 5089 and the user group is defined as vendor-type 1 with a string value type.
  • Page 69 The userdb field will have the value of the RADIUS server object name used. • The server_ip is the IP of the NetDefendOS interface the client is connecting to. It is not the IP of the authenticating RADIUS server. •...
  • Page 70: Management Advanced Settings

    The Authentication Order will be set to Local First which will mean that the local NetDefendOS database will be consulted first. If the user is not found there then the RADIUS servers will be queried.
  • Page 71: Working With Configurations

    Chapter 2: Management and Maintenance Under the Remote Management section of the Web Interface a number of advanced settings can be found. These are: SSH Before Rules Enable SSH traffic to the firewall regardless of configured IP Rules. Default: Enabled WebUI Before Rules Enable HTTP(S) traffic to the firewall regardless of configured IP Rules.
  • Page 72: Listing Configuration Objects

    Chapter 2: Management and Maintenance address book entries, service definitions, IP rules and so on. Each configuration object has a number of properties that constitute the values of the object. Object Types A configuration object has a well-defined type. The type defines the properties that are available for the configuration object, as well as the constraints for those properties.
  • Page 73: Displaying A Configuration Object

    ServiceTCPUDP telnet Example 2.13. Editing a Configuration Object When the behavior of NetDefendOS is changed, it is most likely necessary to modify one or several configuration objects. This example shows how to edit the Comments property of the telnet service.
  • Page 74: Adding A Configuration Object

    Important: Configuration changes must be activated Changes to a configuration object will not be applied to a running system until the new NetDefendOS configuration is activated. Example 2.14. Adding a Configuration Object This example shows how to add a new IP4Address object, here creating the IPv4 address 192.168.10.10, to the address book.
  • Page 75: Deleting A Configuration Object

    Chapter 2: Management and Maintenance In the dropdown menu displayed, select IP Address In the Name text box, enter myhost Enter 192.168.10.10 in the IP Address textbox Click OK Verify that the new IP4 address object has been added to the list Example 2.15.
  • Page 76: Listing Modified Configuration Objects

    IPsec tunnels are committed, then those live tunnel connections will be terminated and must be re-established. If the new configuration is validated, NetDefendOS will wait for a short period (30 seconds by default) during which a connection to the administrator must be re-established. As described previously, if the configuration was activated via the CLI with the activate command then a commit command must be issued within that period.
  • Page 77 The web browser will automatically try to connect back to the Web Interface after 10 seconds. If the connection succeeds, this is interpreted by NetDefendOS as confirmation that remote management is still working. The new configuration is then automatically committed.
  • Page 78: System Date And Time

    2.2. System Date and Time 2.2.1. Overview Correctly setting the date and time is important for NetDefendOS to operate properly. Time scheduled policies, auto-update of the IDP and Anti-Virus databases, and other product features such as digital certificates require that the system clock is accurately set.
  • Page 79: Daylight Saving Time

    Set year, month, day and time via the dropdown controls Click OK Note: A reconfigure is not required A new date and time will be applied by NetDefendOS as soon as it is set. There is no need to reconfigure or restart the system. Time Zones The world is divided up into a number of time zones with Greenwich Mean Time (GMT) in London at zero longitude being taken as the base time zone.
  • Page 80: Enabling DST With The tz Database

    Specifying a Location Name for tz Database Lookup NetDefendOS has a local copy of the tz database which is used to map a location name to the daylight saving rules for that location. The administrator just has to specify the correct location name so NetDefendOS can perform a lookup in the database to find the DST rules to apply.
  • Page 81: Enabling DST Manually

    Chapter 2: Management and Maintenance Web Interface Go to: System > Device > Date and Time Check Enable daylight saving time Enable Automatic For Location select Europe/Stockholm Click OK Specifying the DST Offset Manually When setting DST manually, the Time Zone needs to be specified as GMT plus or minus a number of hours and then the following properties need to be set: •...
  • Page 82: Using External Time Servers

    Configuring the D-Link Time Server A single property exists to switch on or off usage of the D-Link time server. This is the easiest way of configuring a time server since no other server details need to be specified. NetDefendOS will find the IP address of the time server by performing a DNS lookup of the time server's FQDN.
  • Page 83: Using The D-Link Time Server

    Click OK Configuring Custom Time Servers NetDefendOS can be configured to query multiple external time servers. By using more than a single server, situations where an unreachable server causes the time synchronization process to fail can be prevented. NetDefendOS always queries all configured time servers and then computes an average time based on all responses.
  • Page 84: Manually Triggering A Time Synchronization

    Maximum Adjustment value (in seconds) can be set. If the difference between the current NetDefendOS time and the time received from a time server is greater than this maximum adjustment value, then the time server response will be discarded.
  • Page 85: Settings Summary For Date And Time

    Chapter 2: Management and Maintenance Web Interface Go to: System > Device > Date and Time Set Max drift to 40000 Click OK Sometimes it might be necessary to override the maximum adjustment. For example, if time synchronization has just been enabled and the initial time difference is greater than the maximum adjust value.
  • Page 86 Chapter 2: Management and Maintenance DST End Date What month and day DST ends, in the format MM-DD. Default: none Time Sync Server Type Type of server for time synchronization, UDPTime or SNTP (Simple Network Time Protocol). Default: SNTP Primary Time Server DNS hostname or IP Address of Timeserver 1.
  • Page 87: Events And Logging

    All event messages have a common format, with attributes that include category, severity and recommended actions. These attributes enable easy filtering of messages, either within NetDefendOS prior to sending to an event receiver, or as part of the analysis after logging and storing messages on an external log server.
  • Page 88: Log Receiver Types

    2.3.3. Log Receiver Types The event messages generated by NetDefendOS can be sent to various types of log receivers. To receive messages, it is necessary to configure in NetDefendOS one or more event receivers objects that specify what events to capture, and where to send them.
  • Page 89: The Memory Log Receiver (Memlog)

    2.3.4. The Memory Log Receiver (Memlog) Overview The Memory Log Receiver (also known as Memlog) is a NetDefendOS feature that allows logging direct to memory in the NetDefend Firewall instead of sending messages to an external server. These messages can be examined through the standard user interfaces.
  • Page 90: Enable Logging To A Syslog Host

    Subsequent text is dependent on the event that has occurred. In order to facilitate automated processing of all messages, NetDefendOS writes all log data to a single line of text. All data following the initial text is presented in the format name=value. This enables automatic filters to easily find the values they are looking for without assuming that a specific piece of data is in a specific location in the log entry.
  • Page 91: Enabling Syslog RFC 5424 Compliance With Hostname

    By default, NetDefendOS sends Syslog messages in a format that is suitable for most Syslog servers. However, some servers may require stricter adherence to the latest Syslog standard as defined by RFC 5424. For this reason, NetDefendOS provides the option to enable strict RFC 5424 compliance.
  • Page 92: Mail Alerting

    The intended purpose of this feature is to provide a means of quickly alerting the administrator of any important NetDefendOS events, so the selected level of severity for the events sent in this way will usually be very high.
  • Page 93 Keep collecting before sending If an email is ready to be sent, NetDefendOS will wait this number of minutes before sending it. Any new events that occur while the email is waiting to be sent are added to the pending email.
  • Page 94 (after waiting the Keep collecting before sending number of minutes during which time any new log events will be added to the email). NetDefendOS drops the 1st, 2nd and 3rd events so these are not included in the email.
  • Page 95: Setting Up A Mail Alerting Object

    Mail Size Limit In order to limit the available memory that NetDefendOS uses for buffering log messages and building the email body, a limit is set on the email size. This limit is 8 Kbytes. When this limit is reached but the email had not yet been sent, any new log messages will be dropped.
  • Page 96: Severity Filter And Message Exceptions

    Chapter 2: Management and Maintenance All other configurable properties will be left at their default value. Command-Line Interface gw-world:/> add LogReceiver MailAlerting my_mail_alert IPAddress=203.0.113.10 Receiver=admn@example.com Sender=device1 Subject="Log message summary" LogSeverity=Emergency,Alert Web Interface Go to: System > Device > Log and Event Receivers > Add > Mail Alerting Now enter: •...
  • Page 97: Snmp Traps

    NMS about a change of state. SNMP Traps in NetDefendOS NetDefendOS takes the concept of an SNMP Trap one step further by allowing any event message to be sent as an SNMP trap. This means that the administrator can set up SNMP Trap notification of events that are considered significant in the operation of a network.
  • Page 98: Advanced Log Settings

    Send Limit This setting specifies the maximum log messages that NetDefendOS will send per second. This value should never be set too low as this may result in important events not being logged. When the maximum is exceeded, the excess messages are dropped and are not buffered.
  • Page 99: Logsnoop

    To switch on snooping, the basic form of the command is: gw-world:/> logsnoop -on All log messages generated by NetDefendOS will now appear on the CLI console and each individual message is prefixed by the word "LOG". For example: LOG: 2014-01-13 13:53:39 SYSTEM prio=Alert id=03200021 rev=1...
  • Page 100 Note that it is only possible to filter on a single severity level at once. • Filter by log ID number: gw-world:/> logsnoop -on -logid=1500001 All the ID numbers can be found in the separate NetDefendOS Log Reference Guide. Leading zeros do not need to be specified. • Filter by Source IP: gw-world:/>...
  • Page 101 This will show only the first 100 log messages. After that, logsnoop is switched off. Examining Memlog History Memlog is the name of the local memory buffer that NetDefendOS uses to store a given number of the most recent log messages generated. It is enabled by default. When using logsnoop, examining memlog is done using the special parameter -source=memlog.
  • Page 102 without enclosing quotes. For example: 2014-01-12. The time always defaults to 00:00:00 so this example is equivalent to 2014-01-12 00:00:00. To look at log messages for the whole of the 12th of January, the command would be: gw-world:/>...
  • Page 103: Monitoring

    2.4.2. The Link Monitor Overview The Link Monitor is a NetDefendOS feature that allows monitoring of the connectivity to one or more IP addresses external to the NetDefend Firewall. This monitoring is done using standard...
  • Page 104 ICMP "Ping" requests and allows NetDefendOS to assess the availability of the network pathways to these IP addresses. The administrator can select one of a number of actions to occur should a pathway appear to be broken for some reason.
  • Page 105 This property specifies the IP address of one or more hosts to monitor. For multiple hosts, if half (50%) or more respond then there is assumed to be no problem. If fewer than half of the hosts respond, NetDefendOS assumes that there is a link...
  • Page 106: Link Monitor Setup

    Example 2.32. Link Monitor Setup This example creates a Link Monitor object that will monitor the availability of the host found at the IPv4 address my_host. It is assumed this IPv4 address is already defined in the NetDefendOS address book.
  • Page 107: Hardware Monitoring

    2.4.3. Hardware Monitoring Feature Availability Certain D-Link hardware models allow the administrator to use the CLI to query the current value of various hardware operational parameters such as the current temperature inside the firewall. This feature is referred to as Hardware Monitoring.
  • Page 108 Each physical attribute listed on the left is given a minimum and maximum range within which it should operate. When the value returned after polling falls outside this range, NetDefendOS optionally generates a log message that is sent to the configured log servers.
  • Page 109: Memory Monitoring Settings

    This is the Name of the sensor as shown in the CLI output above. For example, SYS Temp. • Enabled An individual sensor can be enabled or disabled using this setting. When enabled, an "(x)" is displayed next to the sensor in the output from the hwm command.
  • Page 110 to 0. Maximum value is 10,000. Default: 0 Critical Level Generate a Critical log message if free memory is below this number of bytes. Disable by setting to 0. Maximum value is 10,000. Default: 0 Warning Level Generate a Warning log message if free memory is below this number of bytes.
  • Page 111: Snmp

    Simple Network Management Protocol (SNMP) is a standardized protocol for management of network devices. An SNMP compliant client can connect to a network device which supports the SNMP protocol to perform management tasks. NetDefendOS supports access by SNMP clients using the following versions of the SNMP protocol: •...
  • Page 112 Base (MIB) is a database, usually in the form of a plain text file, that defines the parameters on a network device that an SNMP client can access. The MIB files for NetDefendOS are contained within NetDefendOS itself. They are located within a NetDefendOS folder called SNMP_MIB and have the following names: •...
  • Page 113: Enabling Snmp Versions 1 And 2C Monitoring

    The effect of enabling this setting is to add an invisible Allow rule at the top of the IP rule set which automatically permits access on port 161 from the network and on the interface specified for SNMP access. Port 161 is usually used for SNMP and NetDefendOS always expects SNMP traffic on that port.
  • Page 114: Enabling Snmp Version 3 Monitoring

    • Network: mgmt-net For Authentication enter: • Community: Mg1RQqR Click OK Should it be necessary to enable SNMP Before Rules (which is enabled by default) then the setting can be found in System > Device > Remote Management > Advanced Settings. Example 2.34.
  • Page 115: Persistent Snmp Interface Indexes

    The Problem is Adding or Subtracting Interfaces By default, the index table is built every time NetDefendOS restarts but this can mean that a given interface could get a new index number because new interfaces are added to or subtracted from the configuration.
  • Page 116: Snmp Advanced Settings

    Extra resources are not consumed because of fragmentation. Caution: Restoring a backup will renumber interface indexes If a restore of a NetDefendOS system backup is performed (either full or configuration only), this will cause the interface index numbers to return to the values of the backup.
  • Page 117 Default: N/A System Name The name for the managed node. Default: N/A System Location The physical location of the node. Default: N/A Interface Description (SNMP) What to display in the SNMP MIB-II ifDescr variables. Default: Name Interface Alias What to display in the SNMP ifMIB ifAlias variables.
  • Page 118: Diagnostic Tools

    2.6.2. The ping Command The combination of the ICMP echo request and echo reply messages is known as ping. It provides a simple diagnostic tool to find out if a host is reachable. In the NetDefendOS CLI, the ping command provides this feature.
  • Page 119 IP Rules and Policies for Outgoing Ping Messages When the ICMP ping message is outgoing from NetDefendOS, it does not require any IP rules or IP policies to allow the traffic since NetDefendOS is always trusted. In the NetDefendOS event message logs, an outgoing ping will generate a conn_open and conn_close log event using the Stock_Allow_All_Rule.
  • Page 120 Sent: 1, Received:1, Loss: 0%, Avg RTT: 50.0 ms Incoming Packet Simulation with -srcif Instead of testing the responsiveness of a remote host, the NetDefendOS ping command can be used to simulate an incoming ICMP ping message and thereby test the locally configured IP rules/policies and routes.
  • Page 121 Using IPv6 with ping is discussed further in Section 3.2, “IPv6 Support”. FQDN Resolution When issuing a ping request from NetDefendOS, it is possible to specify the destination as a fully qualified domain name (FQDN). This is then resolved by NetDefendOS to a numerical IP address by using an external DNS server.
  • Page 122: The Stats Command

    If only an IPv6 address is returned then that will be used by the ping command for the ICMP message. • If both an IPv4 and an IPv6 address are available, NetDefendOS will use the IPv4 address by default. However, NetDefendOS can be forced to use the IPv6 address with the -6 command option. For example: gw-world:/>...
  • Page 123: The Connections Command

    The first percentage is the load for the CPU core that is running most of NetDefendOS. The second percentage shows the load for the CPU core that is running the interface polling subsystem. An example of this output is shown below:...
  • Page 124 This consists of: The source interface. This could be the name of any type of NetDefendOS interface object such as a VLAN or IPsec tunnel. It can also be Core which indicates NetDefendOS itself is the connection's source. The source IP address for the connection.
  • Page 125: The Dconsole Command

    When the -verbose option is used, the connections command adds another line of output for each connection that is prefixed with ...term:. This line shows the changes, if any, made by NetDefendOS in the interface or IP or port number as the connection traverses the firewall. For example, consider this output showing a single connection: gw-world:/>...
  • Page 126: The Pcapdump Command

    A valuable diagnostic tool is the ability to examine the packets that enter and leave the interfaces of a NetDefend Firewall. For this purpose, NetDefendOS provides the CLI command pcapdump which not only allows the examination of packet streams entering and leaving interfaces but also allows the filtering of these streams according to specified criteria.
  • Page 127 gw-world:/> pcapdump -write lan -filename=cap_lan.cap At this point, the file cap_lan.cap should be downloaded to the management workstation for analysis. 5. A final cleanup is performed and all memory taken is released. gw-world:/> pcapdump -cleanup Re-using Capture Files Since the only way to delete files from the NetDefend Firewall is through the local console, the recommendation is to always use the same filename when using the pcapdump -write option.
  • Page 128: The Traceroute Command

    Files can be downloaded to the local workstation using Secure Copy (SCP) (see Section 2.1.7, “Secure Copy”). A list of all files in the NetDefendOS root directory can be viewed by issuing the ls CLI command.
  • Page 129 A traceroute command is found on many other systems such as Microsoft Windows™. Like Windows, NetDefendOS sends its traceroute packets as ICMP ping messages. The basic form of the CLI command in NetDefendOS is: gw-world:/>...
  • Page 130 • When the destination is specified as an FQDN, NetDefendOS will only request an IPv4 address from the resolving DNS server and will use that as the destination address. This option must be used if an IPv6 address is to be requested from the DNS server and used as the destination address.
  • Page 131: The Frags Command

    -stop • -timeout This is the amount of time NetDefendOS will wait for a response from a router or the destination before it increases the time-to-live and tries again. gw-world:/> traceroute server.example.com -timeout=2000 Any timeout conditions are indicated in the traceroute output. An example of this is shown below: gw-world:/>...
  • Page 132 To see reassembly operations that are complete use the -done option: gw-world:/> frags -done Maximum Length Settings NetDefendOS allows the following settings to be used to control the maximum size of incoming packets for different protocols so that packets exceeding these sizes are dropped: •...
  • Page 133: The Selftest Command

    1500 so packets would be split into 41 fragments (60,000/1500). Keeping these maximum settings to the lowest possible value is beneficial since unreasonably large packets can be used as a form of attack and they are immediately rejected by NetDefendOS when they exceed the set maximum.
  • Page 134 Throughput Testing The following command options test traffic throughput: • -throughput This generates the maximum achievable traffic flow through all specified interfaces using the maximum packet size. This option does not validate the received packets. •...
  • Page 135: Maintenance

    When enabled, alerts of available upgrades appear only in the Alerts portion of the NetDefendOS Web Interface toolbar. Communication with D-Link Servers is Encrypted and Periodic...
  • Page 136: Auto-Update Mechanism

    Section 6.3, “Web Content Filtering” 2.7.3. Backing Up Configurations The administrator has the ability to take a snapshot of a NetDefendOS system at a given point in time and restore it when necessary. The snapshot can be of two types: •...
  • Page 137 DHCP server lease database or Anti-Virus/IDP databases will not be backed up. Version Compatibility Since a full system backup includes a NetDefendOS version, compatibility is not an issue with these types of backup. With configuration only backups, the following should be noted: •...
  • Page 138: Performing A Complete System Backup

    Furthermore, a configuration .bak file only shows object property values that are different from the default values. Therefore, the best way to examine the configuration in a .bak file is to load it into NetDefendOS and use the Web Interface to view it without saving and activating it.
  • Page 139: Restore To Factory Defaults

    Resetting the DFL-260E, 860E, and 870 To reset the D-Link DFL-260E, 860E, and 870 models, hold down the reset button on the unit for 10-15 seconds while powering up. After that, release the button and the unit will continue to load and startup with its default factory settings.
  • Page 140 Warning: Do NOT abort a reset to defaults If the process of resetting to factory defaults is aborted before it finishes, the NetDefend Firewall can then cease to function properly with the complete loss of all stored user data.
  • Page 141: Languages

    Removing "LNG-CH.RC" ...OK If there are no language files present, the following output is seen: gw-world:/> languagefiles Language files No language files found The default language of English is hard-coded into NetDefendOS and does not appear as a file in the list.
  • Page 142: Diagnostics And Improvements

    2.9. Diagnostics and Improvements Overview To help D-Link improve NetDefendOS and related services, NetDefendOS provides a feature known as Diagnostics and Improvements. This consists of the optional ability of NetDefendOS to automatically send informational messages back to D-Link servers about the NetDefendOS installation.
  • Page 143: Disabling Diagnostics And Quality Improvements Messaging

    Note: Log event messages are not generated No log messages are generated when diagnostics and improvement information is sent by NetDefendOS back to D-Link. Example 2.39. Disabling Diagnostics and Quality Improvements Messaging This example shows how to disable the diagnostics and quality improvements feature.
  • Page 145: Fundamentals

    Chapter 3: Fundamentals This chapter describes the fundamental logical objects which make up a NetDefendOS configuration. These objects include such items as IP addresses and IP rules. Some exist by default and some must be defined by the administrator. In addition, the chapter explains the different interface types and explains how security policies are constructed by the administrator.
  • Page 146: Ip Addresses

    • By defining an IP address object just once in the address book, changing the definition automatically also changes all references to it. 3.1.2. IP Addresses IP Address objects are used to define symbolic names for various types of IP addresses. Depending on how the address is specified, an IP Address object can represent either a single IP address (a specific host), a network or a range of IP addresses.
  • Page 147: Adding An Ip Network

    Example 3.2. Adding an IP Network This example adds an IPv4 network named wwwsrvnet with address 192.168.10.0/24 to the address book: Command-Line Interface gw-world:/> add Address IP4Address wwwsrvnet Address=192.168.10.0/24 Web Interface Go to: Objects > Address Book > Add > IP4 Address Specify a suitable name for the IP network, for example wwwsrvnet Enter 192.168.10.0/24 as the IP Address Click OK...
  • Page 148: Ethernet Addresses

    Click OK Deleting In-use IP Objects If an IP object is deleted that is in use by another object then NetDefendOS will not allow the configuration to be deployed and will generate a warning message. In other words, it will appear that the object has been successfully deleted but NetDefendOS will not allow the configuration to be saved to the NetDefend Firewall.
  • Page 149: Auto-Generated Address Objects

    3.1.5. Auto-Generated Address Objects To simplify the configuration, a number of address objects in the address book are automatically created by NetDefendOS when the system starts for the first time and these objects are used in various parts of the initial configuration.
  • Page 150: Address Book Folders

    IP address objects. The folder concept is also used by NetDefendOS in other contexts such as IP rule sets, where related IP rules can be grouped together in administrator created folders.
  • Page 151 IP Policy objects returns the same results as the DNS lookup used by hosts that are affected by those policies. The best way to do this is to ensure that NetDefendOS is using the same DNS server as the hosts it is protecting.
  • Page 152 Live (TTL) value. This value is stored with the entry for the FQDN Address object in the DNS cache. When the TTL expires, NetDefendOS will refresh the cache entry by issuing a new DNS query. The TTL returned from the DNS server could be very low or even zero. For this reason, NetDefendOS provides a global DNS setting called Minimum TTL.
  • Page 153: Adding An Fqdn Address Object

    NetDefendOS address book. The FQDN Address object will contain the address for the FQDN server.example.com. It is assumed that at least one DNS server is already configured in NetDefendOS so the FQDN can be resolved to an IP address. Command-Line Interface gw-world:/>...
  • Page 154: Using Fqdn Objects With An Ip Policy

    Now enter: • Minimum TTL: 10 • Minimum Cache Time: 1000 Click OK Example 3.8. Using FQDN Objects with an IP Policy In this example, connections from internal clients on the lannet network to the web site www.example.com will not be allowed.
  • Page 155 • Name: deny_lan_to_example • Action: Deny • Source Interface: lan • Source Network: lannet • Destination Interface: any • Destination Network: example_website • Service: all_services Select OK...
  • Page 156: Ipv6 Support

    The HTTP and LW-HTTP ALGs when used with IP rules or IP policies. IPv6 Must be Enabled Globally and on Each Interface IPv6 must be explicitly enabled in NetDefendOS for it to function. This is done in the following two ways: A.
  • Page 157: Enabling Ipv6 On An Interface

    Command-Line Interface gw-world:/> set Settings IPSettings EnableIPv6=Yes Web Interface Go to: System > Advanced Settings > IP Settings Enable the setting: Enable IPv6 Click OK B. Enable IPv6 on an Interface Once IPv6 is enabled globally, IPv6 should then be enabled on any Ethernet interface with which it is to be used.
  • Page 158: Manually Adding Ipv6 Interface Addresses

    Alternative Methods of Creating Interface Address Objects IPv6 address objects are created in the NetDefendOS address book as objects which are distinct from IPv4 objects. Only the all-nets6 object (IPv6 address ::/0) is already predefined in the NetDefendOS address book.
  • Page 159 IPv6 address objects are created and managed in a similar way to IPv4 objects. They are called an IP6 Address and can be used in NetDefendOS rules and other objects in the same way as an IPv4 address. However, it is not possible to combine the two in one configuration object.
  • Page 160: Enabling Ipv6 Advertisements

    IPv6 Neighbor Discovery (ND) is the IPv6 equivalent of the IPv4 ARP protocol. When IPv6 is enabled for a given Ethernet interface, NetDefendOS will respond to any IPv6 Neighbor Solicitations (NS) sent to that interface with IPv6 Neighbor Advertisements (NA) for the IPv6 address configured for that interface.
  • Page 161: Adding An Ipv6 Route And Enabling Proxy Nd

    B. Publish an address as part of a static route. When a route for an IPv6 address on a given Ethernet interface is created, IPv6 should already be enabled for the interface which means that IPv6 neighbor discovery is operational. Optionally, Proxy Neighbor Discovery (Proxy ND) can also be enabled for an IPv6 route so that all or selected interfaces will also respond to any neighbor solicitations for the route's network.
  • Page 162 IP policy must be set up to allow this, just as it is needed for IPv4. Such an IP rule or policy would use the predefined Service object called ping6-inbound. The service object called all_icmpv6 covers all IPv6 ICMP messages except mobile ICMP messages. An appropriate IP rule to allow NetDefendOS to respond to IPv6 ping messages would be the following: Action...
  • Page 163 Neighbor discovery handling in NetDefendOS resembles ARP handling in that a cache of IPv6 hosts is maintained in local memory, retaining information about external hosts' link-layer and IP address tuples. Below is a summary of the NetDefendOS ND cache states (these are also defined in RFC 4861): •...
  • Page 164 • When NetDefendOS is about to send a packet to a neighbor, an entry is created. • When NetDefendOS receives neighbor solicitations containing source link-layer address options, an entry is created. • When static entries are added by the administrator. These are regarded as always being in the REACHABLE state.
  • Page 165: Services

    Services are passive NetDefendOS objects in that they do not themselves carry out any action in the configuration. Instead, service objects must be associated with the security policies defined by various NetDefendOS rule sets and then act as a filter to apply those rules only to a specific type of traffic.
  • Page 166: Listing The Available Services

    In a new NetDefendOS 11.01 or later, these removed services and ALGs can be recreated as custom services and ALGs if desired but a better option is to use an IP Policy object instead of an IP Rule.
  • Page 167: Creating Custom Services

    A listing of all services will be presented 3.3.2. Creating Custom Services If the list of predefined NetDefendOS service objects does not meet the requirements for certain traffic then a new service can be created. Reading this section will explain not only how new services are created but also provides an understanding of the properties of predefined services.
  • Page 168 TCP and UDP Service Definition To define a TCP or UDP based protocol to NetDefendOS, a TCP/UDP service object is used. Apart from a unique name describing the service, the object contains information about what protocol (TCP, UDP or both) and what source and destination ports are applicable for the service.
  • Page 169 If an attempt to open a TCP connection is made by a user application behind the NetDefend Firewall and the remote server is not in operation, an ICMP error message is returned as the response. Such ICMP messages are interpreted by NetDefendOS as new connections and will be dropped unless an IP rule explicitly allows them.
  • Page 170: Creating A Custom Tcp/Udp Service

    An important parameter associated with a service is Max Sessions. This parameter is given a default value when the service is associated with an ALG. The default value varies according to the ALG it is associated with. If the default is, for example 100, this would mean that only 100 connections are allowed in total for this service across all interfaces.
  • Page 171: Icmp Services

    Specify a suitable name for the service, for example MySQL Now enter: • Type: TCP • Source: 0-65535 • Destination: 3306 Click OK 3.3.3. ICMP Services Another type of custom service that can be created is an ICMP Service. The Internet Control Message Protocol (ICMP) is a protocol that is integrated with IP for error reporting and transmitting control information.
  • Page 172: Custom Ip Protocol Services

    • Code 3: Port Unreachable • Code 4: Cannot Fragment • Code 5: Source Route Failed Redirect The source is told that there is a better route for a particular packet. Codes assigned are as follows: • Code 0: Redirect datagrams for the network •...
  • Page 173: Service Groups

    Click OK 3.3.5. Service Groups A Service Group is, exactly as the name suggests, a NetDefendOS object that consists of a collection of services. Although the group concept is simple, it can be very useful when constructing security policies since the group can be used instead of an individual service.
  • Page 174: Custom Service Timeouts

    Click OK 3.3.6. Custom Service Timeouts Any service can have its custom timeouts set. These can also be set globally in NetDefendOS but it is more usual to change these values individually in a custom service. The timeout settings that can be customized are as follows: •...
  • Page 175: Path Mtu Discovery Processing

    NetDefendOS will only forward ICMP messages or generate messages indicating the acceptable MTU of its own outgoing interface. Path MTU discovery is always enabled by default for IPv6 on all NetDefendOS interfaces and will not be discussed further in this section. For IPv4, it must be enabled as described next.
  • Page 176: Enabling Path Mtu Discovery

    The client now resends the packet with the requested 1300 size and this is forwarded by NetDefendOS towards the server. The router in front of the server sends back an ICMP message to NetDefendOS to indicate that the packet size is too big and an MTU size of 1000 or less is acceptable.
  • Page 177 Next, modify the NAT IP rule to use the new service. gw-world:/> set IPRule int_to_ext_http Service=my_http_pmd_service Web Interface First, create a new service object: Go to: Local Objects > Services > Add > TCP/UDP service Enter the following: •...
  • Page 178: Interfaces

    All traffic passing through NetDefendOS has both a source and destination interface. As explained in more depth later, the special logical interface core is used when NetDefendOS itself is the source or destination for traffic.
  • Page 179 Interfaces have Unique Names Each interface in NetDefendOS is given a unique name to be able to identify and select it for use with other NetDefendOS objects in a configuration. Some interface types, such as physical Ethernet interfaces, are already provided by NetDefendOS with relevant default names that are possible to modify if required.
  • Page 180: Ethernet Interfaces

    • core indicates that it is NetDefendOS itself that will deal with traffic to and from this interface. Examples of the use of core are when the NetDefend Firewall acts as a PPTP or L2TP server or responds to ICMP "Ping"...
  • Page 181 Such joined interfaces are seen as a single interface by NetDefendOS and the NetDefendOS configuration uses a single logical interface name to refer to all of them. The specifications for different hardware models will indicate where this is the case.
  • Page 182 In other words, those residing on the same LAN segment as the interface itself. In the routing table associated with the interface, NetDefendOS will automatically create a direct route to the specified network over the actual interface.
  • Page 183 Shared HA IP address not set when trying to commit the configuration. DNS server addresses received through DHCP on an interface which is named <interface-name> will be allocated to NetDefendOS address objects with the names <interface-name>_dns1 and <interface-name>_dns2. Note: A gateway IP cannot be deleted with DHCP enabled If DHCP is enabled for a given Ethernet interface then any gateway IP address (for example, the address of an ISP) that is defined for that interface cannot be deleted.
  • Page 184 interface and any corresponding non-switch routes are automatically removed. • Hardware Settings In some circumstances it may be necessary to change hardware settings for an interface. The available options are: The speed of the link can be set. Usually this is best left as Auto. The MAC address can be set if it needs to be different to the MAC address built into the hardware.
  • Page 185 Instead, the lan_ip object in the NetDefendOS Address Book should be assigned the new address since it is this object that is used by many other NetDefendOS objects such as IP rules. The CLI command to do this would be: gw-world:/>...
  • Page 186 Ethernet interfaces are those which are referred to in a NetDefendOS configuration. When using the Web Interface, only the logical interfaces are visible and can be managed. When using the CLI, both the logical and physical interfaces can be managed. For example, to change the name of the logical interface If1 to be lan, the CLI command is: gw-world:/>...
  • Page 187: Enabling Dhcp

    Some interface settings provide direct management of the Ethernet settings themselves. These are particularly useful if D-Link hardware has been replaced and Ethernet card settings are to be changed, or if configuring the interfaces when running NetDefendOS on non-D-Link hardware.
  • Page 188 This section details the advanced settings available for NetDefendOS Ethernet interfaces. The settings are global and affect all physical interfaces. DHCP Settings Below is a list of the advanced DHCP settings for NetDefendOS Ethernet interfaces. DHCP_AllowGlobalBcast Allow DHCP server to assign 255.255.255.255 as broadcast. (Non-standard.)
  • Page 189 DHCP_DisableArpOnOffer Disable the ARP check done by NetDefendOS on the offered IP. The check issues an ARP request to see if the IP address is already in use. Default: Disabled DHCP_UseLinkLocalIP If this is enabled NetDefendOS will use a Link Local IP (169.254.*.*) instead of 0.0.0.0 while waiting for a lease.
  • Page 190 Default: 256 Ringsize_yukonii_tx Size of Yukon-II send ring (per interface). Default: 256 Interface Monitor Settings Below is a list of the monitor settings that are available for NetDefendOS Ethernet interfaces. IfaceMon_e1000 Enable interface monitor for e1000 interfaces. Default: Enabled IfaceMon_BelowCPULoad Temporarily disable ifacemon if CPU load goes above this percentage.
  • Page 191: Link Aggregation

    Where individual physical Ethernet interfaces of a NetDefend Firewall cannot provide the bandwidth required for a specific stream of traffic, it is possible to use the NetDefendOS Link Aggregation feature to combine two or more physical interfaces together so they act as one logical NetDefendOS interface.
  • Page 192: Link Aggregation

    All the physical interfaces must be connected to the same external switch. Configuring the Mode The LinkAggregation object's Mode property, as well as the external switch, are configured in either of the following modes: • Static When the aggregation is static, NetDefendOS cannot know if one of the interfaces in the...
  • Page 193 NetDefendOS will only try to send traffic over the remaining operating links. The advantage over the Static setting is that NetDefendOS will try to send a limited number of packets over the failed connection before it switches to an alternate, working link. This means that the connection will not be dropped and the connection's external endpoint will experience only minor packet loss.
  • Page 194 The physical cable links between the firewall and the external switch can be made either before or after creating the LinkAggregation object and activating the changed configuration. NetDefendOS will try to send data on the aggregated interfaces as soon as the configuration changes become active.
  • Page 195: Vlan

    3.4.4. VLAN Overview Virtual LAN (VLAN) support in NetDefendOS allows the definition of one or more Virtual LAN interfaces which are associated with a particular physical interface. These are then considered to be logical interfaces by NetDefendOS and can be treated like any other interfaces in...
  • Page 196 NetDefendOS and an unknown_vlanid log message is generated. • The VLAN ID must be unique for a single NetDefendOS physical interface but the same VLAN ID can be used on more than one physical interface. In other words, the same VLAN can span many physical interfaces.
  • Page 197: Vlan Connections

    Figure 3.3. VLAN Connections With NetDefendOS VLANs, the physical connections are as follows: • One or more VLANs are configured on a physical NetDefend Firewall interface and this is connected directly to a switch. This link acts as a VLAN trunk. The switch used must support port based VLANs.
  • Page 198: Defining A Vlan

    The number of VLAN interfaces that can be defined for a NetDefendOS installation is limited by the type of NetDefendOS license. Different hardware models have different licenses and different limits on VLANs. Summary of VLAN Setup Below are the key steps for setting up a VLAN interface.
  • Page 199: Service Vlan

    In certain scenarios, it is desirable to wrap traffic from multiple VLANs inside a single parent VLAN. This is sometimes referred to as a Q-in-Q VLAN or a Stacked VLAN. In NetDefendOS, it is called a Service VLAN and follows the standard defined by IEEE 802.1ad. It can be said that a service VLAN tunnels other VLANs and provides a convenient method of using a single logical connection on a single Ethernet interface through which multiple VLANs can flow.
  • Page 200: A Service Vlan Use Case

    LAN which tunnels the 101 and 102 VLANs. Defining a Service VLAN The standard NetDefendOS VLAN object is used to define a service VLAN but the Type property for the object is set to 0x88a8. This Type property corresponds to the TPID setting in the VLAN tag and this is explained further at the end of this section.
  • Page 201 gw-world:/> add Interface VLAN vlan1 BaseInterface=svlan_A VLANID=1 IP=vlan1_ip Network=vlan1_net Web Interface Go to: Network > Interfaces and VPN > VLAN > Add > VLAN Now enter: • Name: svlan_A • Type: 0x88a8 • Base Interface: If3 • VLANID: 100 •...
  • Page 202: Pppoe

    VLAN can contain another service VLAN. Although unusual beyond a couple of levels, NetDefendOS permits up to 16 levels of nesting, with a VLAN object at the first level wrapped by a maximum of 15 levels of nested service VLAN objects.
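    The following is an added example, not code from the D-Link manual: it builds and parses IEEE 802.1ad stacked-VLAN frames of the kind a Service VLAN carries (outer tag TPID 0x88a8, inner tag TPID 0x8100), enforces the 16-level nesting limit given above, and resolves a tag stack against VLAN objects the way the text describes, returning nothing for the unknown_vlanid case. The MAC addresses, VLAN IDs and the svlan_A / vlan1 object table are constructed for illustration.

```python
# Added example (not from the D-Link manual): building and parsing IEEE 802.1ad
# stacked-VLAN frames of the kind a NetDefendOS Service VLAN carries, and
# resolving the tag stack against VLAN objects the way the text describes.
# MAC addresses, VLAN IDs and object names below are constructed for illustration.
import struct

TPID_CTAG = 0x8100      # ordinary 802.1Q tag (the default VLAN object Type)
TPID_STAG = 0x88A8      # 802.1ad service tag (the Type set on a Service VLAN)
MAX_TAG_DEPTH = 16      # the nesting limit stated in the text


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, tags, ethertype, payload):
    """Assemble an Ethernet frame. tags is a list of (tpid, vlan_id) pairs
    ordered outermost first, e.g. [(TPID_STAG, 100), (TPID_CTAG, 101)]."""
    if len(tags) > MAX_TAG_DEPTH:
        raise ValueError("more than %d nested VLAN tags" % MAX_TAG_DEPTH)
    frame = mac(dst) + mac(src)
    for tpid, vid in tags:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID %r out of range" % vid)
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP and DEI bits left at 0
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, tags, ethertype, payload). Every 0x88a8 or 0x8100
    value after the MAC addresses is read as one more tag until a real
    EtherType such as 0x0800 (IPv4) is reached."""
    dst, src = frame[:6], frame[6:12]
    offset, tags = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_STAG, TPID_CTAG):
            break
        if len(tags) == MAX_TAG_DEPTH:
            raise ValueError("tag stack deeper than %d levels" % MAX_TAG_DEPTH)
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((etype, tci & 0x0FFF))
        offset += 4
    return dst, src, tags, etype, frame[offset + 2:]


def resolve_interface(base_iface, tags, vlan_objects):
    """Map a tag stack onto configured VLAN objects, outermost tag first.
    vlan_objects: {name: (base_interface, tpid, vlan_id)}. Returns the name of
    the innermost logical interface, or None when some tag matches no object
    on the interface it arrived on (the case the text says NetDefendOS logs
    as unknown_vlanid)."""
    current = base_iface
    for tpid, vid in tags:
        match = None
        for name, (base, t, v) in vlan_objects.items():
            if base == current and t == tpid and v == vid:
                match = name
                break
        if match is None:
            return None
        current = match
    return current


# Constructed configuration mirroring the section's svlan_A / vlan1 example:
VLAN_OBJECTS = {
    "svlan_A": ("If3", TPID_STAG, 100),      # Service VLAN on physical If3
    "vlan1":   ("svlan_A", TPID_CTAG, 101),  # ordinary VLAN carried inside it
}

if __name__ == "__main__":
    f = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                    [(TPID_STAG, 100), (TPID_CTAG, 101)], 0x0800, b"\x45\x00")
    _, _, tags, etype, _ = parse_frame(f)
    print(tags, hex(etype), resolve_interface("If3", tags, VLAN_OBJECTS))
```

Note that a frame whose outer tag has TPID 0x8100 does not match the 0x88a8 Service VLAN object even when the VLAN ID is right, which is why the Type property matters when the switch side is set up for 802.1ad.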
  • Page 203 NCP negotiation, optional parameters such as encryption, can be negotiated. PPPoE Client Configuration It is possible to run the NetDefendOS PPPoE client over either a physical Ethernet interface or a VLAN interface. Each PPPoE tunnel is interpreted as a logical interface by NetDefendOS, with the same routing and configuration capabilities as regular interfaces and with IP rules being applied to all traffic.
  • Page 204: Configuring A Pppoe Client

    PPPoE includes a discovery protocol that provides this. PPPoE cannot be used with HA For reasons connected with the way IP addresses are shared in a NetDefendOS high availability cluster, PPPoE will not operate correctly. It should therefore not be configured with HA.
  • Page 205: Gre Tunnels

    Setting Up GRE Like other tunnels in NetDefendOS such as an IPsec tunnel, a GRE Tunnel is treated as a logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration capabilities as a standard interface.
  • Page 206 GRE tunnel is trusted. On the contrary, network traffic coming from the GRE tunnel will be transferred to the NetDefendOS IP rule set for evaluation. The source interface of the network traffic will be the name of the associated GRE Tunnel.
  • Page 207: An Example Of Gre Usage

    The same is true for traffic in the opposite direction, that is, going into a GRE tunnel. Furthermore a Route has to be defined so NetDefendOS knows what IP addresses should be accepted and sent through the tunnel.
  • Page 208 Checking GRE Tunnel Status IPsec tunnels have a status of being either up or not up. With GRE tunnels in NetDefendOS this does not really apply. The GRE tunnel is up if it exists in the configuration. However, it is still possible to check what is going on with a GRE tunnel. For example, if the tunnel is...
  • Page 209: 6In4 Tunnels

    Internet with an IPv6 address. This is solved by using 6in4 tunnels which are an implementation of RFC 4213 (Basic Transition Mechanisms for IPv6 Hosts and Routers). The 6in4 Tunnel configuration object provides this feature in NetDefendOS. It can be said that the NetDefend Firewall then acts as a 6in4 tunnel encapsulator.
  • Page 210: Ip6In4 Tunnel Usage

    This is the local IPv6 address inside the tunnel. It may be provided by the tunnel broker in which case it can be pinged to establish if the tunnel is alive. If this is the case then the appropriate NetDefendOS IP rule or policy needs to be set up so that the ICMP ping is answered.
  • Page 211: In4 Tunnel Configuration

    Click OK Routing Table Usage with 6in4 Tunnels By default, the lookup of the IPv4 remote endpoint is done in the NetDefendOS main routing table. This can be changed to be a specific routing table. The route for the Remote Network property of the tunnel is also added, by default, to all routing tables including the main table.
  • Page 212: Acting As A 6In4 Tunnel Server

    NetDefendOS Acting as Tunnel Server It has been assumed so far that NetDefendOS is acting as the client for an external tunnel server. However, the NetDefend Firewall itself can be a tunnel server. A typical usage of this is where clients at the branch offices of a company require IPv6 access.
  • Page 213: Loopback Interfaces

    When acting as a server, a single 6in4 Tunnel object can accept a connection from only one incoming tunnel. Separate tunnel objects must be configured for other incoming tunnels. ICMP error messages must also be allowed when NetDefendOS acts as a server so that MTU sizes can be correctly adjusted.
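    The added example below, which is not code from the D-Link manual, shows what the GRE tunnels of the earlier section and the 6in4 tunnels of this one actually put on the wire: an outer IPv4 header with protocol 47 plus a 4-byte GRE header, or protocol 41 with the IPv6 packet directly inside (RFC 4213). It also computes the inner MTU each encapsulation leaves, which is the reason ICMP error messages have to be allowed through when NetDefendOS acts as a tunnel server. All addresses are constructed.

```python
# Added example (not from the D-Link manual): what a GRE tunnel and a 6in4
# tunnel (RFC 4213) put on the wire, and the MTU overhead that makes
# ICMP errors necessary at a tunnel endpoint. Addresses are constructed.
import struct

PROTO_IPV6_IN_IPV4 = 41   # 6in4: IPv6 packet directly inside IPv4
PROTO_GRE = 47            # GRE: 4-byte GRE header, then the inner packet
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def ip4(text):
    return bytes(int(o) for o in text.split("."))


def ip4_str(raw):
    return ".".join(str(b) for b in raw)


def checksum(data):
    """RFC 1071 one's-complement checksum as used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header, DF set, with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      ttl, proto, 0, ip4(src), ip4(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def gre_encap(outer_src, outer_dst, inner_ethertype, inner):
    """Version 0 GRE (RFC 2784) without checksum, key or sequence number."""
    gre = struct.pack("!HH", 0x0000, inner_ethertype)
    return ipv4_header(outer_src, outer_dst, PROTO_GRE, len(gre) + len(inner)) + gre + inner


def sixin4_encap(outer_src, outer_dst, inner_ipv6):
    return ipv4_header(outer_src, outer_dst, PROTO_IPV6_IN_IPV4, len(inner_ipv6)) + inner_ipv6


def decap(packet):
    """Return (kind, outer_src, outer_dst, inner). Verifies the outer header
    checksum and, for GRE, refuses flags this example does not handle."""
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    proto = packet[9]
    src, dst = ip4_str(packet[12:16]), ip4_str(packet[16:20])
    if proto == PROTO_IPV6_IN_IPV4:
        inner = packet[ihl:]
        if inner[0] >> 4 != 6:
            raise ValueError("6in4 payload is not IPv6")
        return "6in4", src, dst, inner
    if proto == PROTO_GRE:
        flags, etype = struct.unpack_from("!HH", packet, ihl)
        if flags & 0xB000:          # C, K or S bit set: optional fields present
            raise ValueError("GRE optional fields not supported here")
        return "gre", src, dst, packet[ihl + 4:]
    raise ValueError("not a tunnel packet (protocol %d)" % proto)


def tunnel_mtu(kind, link_mtu):
    """Largest inner packet that fits in one outer packet. Anything bigger
    needs fragmentation or an ICMP 'too big' back to the sender, which is why
    ICMP errors must be allowed through to a 6in4 server."""
    overhead = {"6in4": 20, "gre": 24}[kind]
    return link_mtu - overhead


def ipv6_probe(src6, dst6):
    """Minimal 40-byte IPv6 header with Next Header 59 (no next header)."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64, src6, dst6)
```

The decapsulator deliberately drops an outer packet whose header checksum fails or whose GRE header announces fields it cannot parse, rather than guessing at the inner packet; that is the behaviour you want at a tunnel endpoint that hands the inner packet straight to the IP rule set.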
  • Page 214 The following properties can be specified for a loopback interface: Name The logical name of the interface for display and reference in NetDefendOS. Loop To This is the name of the other loopback interface in the pair. The other interface will have this loopback interface for its Loop to property.
  • Page 215: A Use Case For Loopback Interfaces

    Loopback interfaces are configured with IP addresses, just as with any other interface type. The following should be noted for the IPv4 address assigned to the IP Address property of a Loopback Interface object: • The IPv4 addresses can be fictitious and the addresses for an interface pair can be on the same network, although they must not be the same.
  • Page 216: Setting Up Loopback Interfaces With Routing Tables

    Figure 3.9. Setting Up Loopback Interfaces with Routing Tables A more detailed description of these steps is as follows: Create a pair of loopback interfaces called LB1 and LB2, each has the other as its Loop to parameter.
  • Page 217: Components Of Loopback Interface Setup

    Figure 3.10. Components of Loopback Interface Setup Example 3.25. Creating a Loopback Interface Pair This example shows how to create a loopback interface pair called LB1 belonging to the RT1 routing table and LB2 belonging to the RT2 routing table. LB1 will have the IPv4 address 127.0.6.1 and network 127.0.6.0/24.
  • Page 218: Interface Groups

    This new connection is then checked against the NetDefendOS rule sets. In some cases, such as an alternative interface that is much slower, it may not be sensible to allow certain connections over the new interface.
  • Page 219: Layer 2 Pass Through

    Click OK 3.4.11. Layer 2 Pass Through On some interface types, NetDefendOS provides the ability to enable layer 2 pass through for DHCP, for non-IP protocols, or for both. Both are disabled by default but can be enabled on the following interface configuration types: •...
  • Page 220 • Enable DHCP passthrough • Enable L2 passthrough for non-IP protocols Click OK...
  • Page 221: Arp

    ARP. It consists of a dynamic table that stores the mappings between IP addresses and Ethernet MAC addresses. NetDefendOS uses an ARP cache in exactly the same way as other network equipment. Initially, the cache is empty at NetDefendOS startup and becomes populated with entries as traffic flows.
  • Page 222: Displaying The Arp Cache

    If a host in a network is replaced with new hardware and retains the same IP address then it will probably have a new MAC address. If NetDefendOS has an old ARP entry for the host in its ARP cache then that entry will become invalid because of the changed MAC address and this will cause data to be sent to the host over Ethernet which will never reach its destination.
  • Page 223: Arp Publish

    3.5.3. ARP Publish Overview NetDefendOS supports the publishing of IP addresses on interfaces other than the one the IP address is actually connected to. This can optionally be done along with a specific MAC address instead of the publishing interface's MAC address. NetDefendOS will then send out ARP replies for ARP requests received on the interface for the published IP addresses.
  • Page 224 Static Mode ARP Objects A Static ARP object inserts a mapping into the NetDefendOS ARP cache which connects a specified IP address with the associated Ethernet interface's MAC address. This mode is not for publishing the address for external devices but rather for telling NetDefendOS itself how to reach external devices.
  • Page 225: An Arp Publish Ethernet Frame

    The Difference Between Publish and XPublish Modes To understand the difference between Publish and XPublish it is necessary to understand that when NetDefendOS responds to an ARP query, there are two MAC addresses in the Ethernet frame sent back with the ARP response: The source MAC address in the Ethernet header, which is that of the Ethernet interface sending the response.
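    The page is cut off before the second MAC address is named; in the full manual it is the sender hardware address inside the ARP payload, and the two modes differ in which address goes where: Publish puts the replying interface's own MAC in the Ethernet header and the published MAC only in the ARP payload, while XPublish puts the published MAC in both. The added example below, which is not D-Link's code, constructs both replies so the two fields can be inspected; the whether-a-host-learns-from-the-header switch is an illustration of why XPublish exists, and every address is constructed.

```python
# Added example (not from the D-Link manual): the two MAC address fields in an
# ARP reply, and how a Publish and an XPublish reply for the same published
# address differ. Addresses are constructed for illustration.
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip4(text):
    return bytes(int(o) for o in text.split("."))


def arp_reply(eth_src_mac, sender_mac, sender_ip, target_mac, target_ip):
    """Raw Ethernet + ARP reply. eth_src_mac goes into the Ethernet header;
    sender_mac goes into the ARP payload. Normally they are the same MAC,
    which is exactly what publishing plays with."""
    eth = mac(target_mac) + mac(eth_src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # hardware type Ethernet, protocol type IPv4, hlen 6, plen 4, opcode reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac(sender_mac) + ip4(sender_ip) + mac(target_mac) + ip4(target_ip)
    return eth + arp


def publish_reply(iface_mac, published_mac, published_ip, req_mac, req_ip):
    """Publish mode: the replying interface's own MAC in the Ethernet header,
    the published MAC only in the ARP payload."""
    return arp_reply(iface_mac, published_mac, published_ip, req_mac, req_ip)


def xpublish_reply(iface_mac, published_mac, published_ip, req_mac, req_ip):
    """XPublish mode: the published MAC in both places. iface_mac is unused;
    it is kept so the two modes are called identically."""
    return arp_reply(published_mac, published_mac, published_ip, req_mac, req_ip)


def macs_in_reply(frame):
    """(Ethernet source MAC, ARP sender hardware address) of a reply frame."""
    eth_src = frame[6:12]
    arp_sender_mac = frame[22:28]    # 14-byte Ethernet header + 8-byte ARP fixed part
    return eth_src, arp_sender_mac


def learned_mac(frame, learn_from_ethernet_header):
    """What the requesting host ends up with in its ARP cache. RFC 826 hosts
    learn from the ARP payload; a device that takes the frame's source MAC
    instead (the assumed reason for XPublish) is modelled by the flag."""
    eth_src, arp_sender = macs_in_reply(frame)
    return eth_src if learn_from_ethernet_header else arp_sender


if __name__ == "__main__":
    p = publish_reply("00:0c:29:aa:bb:cc", "02:00:5e:00:00:01", "10.0.0.10",
                      "00:50:56:11:22:33", "10.0.0.2")
    x = xpublish_reply("00:0c:29:aa:bb:cc", "02:00:5e:00:00:01", "10.0.0.10",
                       "00:50:56:11:22:33", "10.0.0.2")
    print([m.hex(":") for m in macs_in_reply(p)], [m.hex(":") for m in macs_in_reply(x)])
```

A quick way to confirm which mode a firewall is really using is to capture the reply on the requesting host and compare the Ethernet source address with the ARP sender address; in Publish mode they differ, in XPublish mode they are identical.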
  • Page 226: Using Arp Advanced Settings

    Broadcast. Unsolicited ARP Replies It is possible for a host on a connected network to send an ARP reply to NetDefendOS even though a corresponding ARP request was not issued. This is known as an unsolicited ARP reply. According to the ARP specification, the recipient should accept these types of ARP replies.
  • Page 227 ARP Changes allows the administrator to specify whether or not such situations are logged. Sender IP 0.0.0.0 NetDefendOS can be configured for handling ARP queries that have a sender IP of 0.0.0.0. Such sender IPs are never valid as responses, but network units that have not yet learned of their IP address sometimes ask ARP questions with an "unspecified"...
  • Page 228: Ip Rules And Ip Policies

    An important principle to note is that usually all filtering criteria must match a data flow through NetDefendOS for the rule to be applied. The Service filter is particularly useful since it is possible with this to target only a certain protocol such as HTTP or SMTP.
  • Page 229 To provide the best security, the first of these approaches is adopted by NetDefendOS. This means that when first installed and started, NetDefendOS has no IP rules or IP policies defined in the main IP rule set and all traffic is therefore dropped. In order to permit any traffic to...
  • Page 230 Ping, is destined for the NetDefend Firewall itself and NetDefendOS will respond to it. New connections that are initiated by NetDefendOS itself do not need an explicit IP rule or IP policy because they are allowed by default. For this reason, the interface core is not used as the source interface.
  • Page 231: Simplified Netdefendos Traffic Flow

    As stated above, when NetDefendOS is started for the first time, the default IP rules drop all traffic so at least one IP rule must be added to allow traffic to flow. In fact, two NetDefendOS components need to be present: •...
  • Page 232: Ip Rule Set Evaluation

    NetDefend Firewall. If the action is Drop or Reject then the new connection is refused. Tip: Rules in the wrong order sometimes cause problems It is important to remember the principle that NetDefendOS searches the IP rule set from top to bottom, looking for the first matching IP rule or IP policy.
  • Page 233: Ip Rule

    The packet is allowed to pass. As the rule is applied to only the opening of a connection, an entry in the "state table" is made to record that a connection is open. The remaining packets related to this connection will pass through the NetDefendOS "stateful engine". •...
  • Page 234 In certain situations the Reject action is recommended instead of the Drop action because a "polite" reply is required from NetDefendOS. An example of such a situation is when responding to the IDENT user identification protocol. Some applications will pause for a timeout if Drop is...
  • Page 235: Multiple Ip Rule Sets

    NetDefendOS allows the administrator to define multiple IP rule sets, which can both simplify security policies and give greater flexibility in defining them. The default IP rule set is known as main and is always present in NetDefendOS. Additional rule sets can be defined as needed and are given a name by the administrator.
  • Page 236 Note: The main rule set cannot contain a Return rule NetDefendOS does not allow a Return rule to be added to the IP rule set main, and this cannot be configured using either the Web Interface or the CLI.
  • Page 237 A Simple Multiple Rule Set Example Below are two simple IP Rule set tables which illustrate how multiple rule sets might be used. The main rule set contains a first Goto rule which will jump to the named administrator defined table called ExtraRules.
  • Page 238: Adding A Goto Rule

    When a new connection is opened with dmz_net as the destination, NetDefendOS first performs a lookup in the main table. The appropriate Goto rule triggers and the rule search continues in the rule set called dmz_ip_rules. The diagram below illustrates the example.
  • Page 239: Adding A Return Rule

    Go to: Policies > Firewalling > Add > Goto rule Now enter: • Name: goto_dmz • RuleSet: dmz_rules • Source Interface: any • Source Network: all-nets • Destination Interface: any • Destination Network: dmz_net • Service: all_services Select OK Adding a Return Rule As noted earlier, a Return rule cannot be added to the rule set main.
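    The added example below is a small simulator, not D-Link code, of the rule set evaluation described across these pages: the rule set is searched top to bottom, the first rule whose filters all match decides, a Goto continues the search in the named rule set, a Return resumes in the calling set after the Goto, a Return in main is rejected at configuration time, and a connection that matches nothing gets the default Drop. The rule names, networks and services are constructed in the shape of the dmz example above; treating the end of a called rule set like a Return is an assumption of this example, since the page does not say what happens in that case.

```python
# Added example (not from the D-Link manual): a small simulator of rule set
# evaluation - top-to-bottom, first match wins, Goto continues in a named
# rule set, Return resumes after the Goto, no match means the default Drop.
# Rule names, networks and services are constructed.
from dataclasses import dataclass
from typing import Optional

WILDCARDS = {"any", "all-nets", "all_services"}


@dataclass
class Rule:
    name: str
    action: str                      # Allow, Drop, Reject, Goto or Return
    src_if: str = "any"
    src_net: str = "all-nets"
    dst_if: str = "any"
    dst_net: str = "all-nets"
    service: str = "all_services"
    ruleset: Optional[str] = None    # target rule set for a Goto rule


def _field_matches(wanted, actual):
    return wanted in WILDCARDS or wanted == actual


def matches(rule, conn):
    """All filter criteria must match for the rule to apply."""
    return all(_field_matches(getattr(rule, f), conn[f])
               for f in ("src_if", "src_net", "dst_if", "dst_net", "service"))


def validate(rulesets):
    """Reject what NetDefendOS will not let you configure: a Return rule in
    main, or a Goto whose target rule set does not exist."""
    for set_name, rules in rulesets.items():
        for r in rules:
            if r.action == "Return" and set_name == "main":
                raise ValueError("%s: Return is not allowed in rule set main" % r.name)
            if r.action == "Goto" and r.ruleset not in rulesets:
                raise ValueError("%s: Goto target %r does not exist" % (r.name, r.ruleset))
    return True


def evaluate(rulesets, conn):
    """Return (action, rule_name) for a new connection; ("Drop", None) when
    nothing matched. Reaching the end of a called rule set is treated here
    like hitting a Return rule (an assumption of this example)."""
    validate(rulesets)
    stack = []                       # (calling rule set, index to resume at)
    current, i = "main", 0
    while True:
        rules = rulesets[current]
        if i >= len(rules):
            if not stack:
                return "Drop", None  # fell off the end of main: default drop
            current, i = stack.pop()
            continue
        rule = rules[i]
        if not matches(rule, conn):
            i += 1
            continue
        if rule.action == "Goto":
            stack.append((current, i + 1))
            current, i = rule.ruleset, 0
        elif rule.action == "Return":
            current, i = stack.pop()  # never empty: validate() forbids Return in main
        else:
            return rule.action, rule.name


# Constructed rule sets in the shape of the section's dmz example.
RULESETS = {
    "main": [
        Rule("goto_dmz", "Goto", dst_net="dmz_net", ruleset="dmz_rules"),
        Rule("lan_to_wan", "Allow", src_if="lan", src_net="lannet", dst_if="wan"),
    ],
    "dmz_rules": [
        Rule("dmz_http", "Allow", src_if="lan", dst_if="dmz", dst_net="dmz_net", service="http"),
        Rule("back_to_main", "Return"),
    ],
}


def conn(src_if, src_net, dst_if, dst_net, service):
    return dict(src_if=src_if, src_net=src_net, dst_if=dst_if, dst_net=dst_net, service=service)
```

Swapping the order of goto_dmz and lan_to_wan in the constructed main set changes nothing for these connections, but putting a broad Allow above a narrow Drop would silently shadow the Drop; that is the ordering problem the tip above warns about, and a simulator like this is a cheap way to check a rule set before committing it.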
  • Page 240: Ip Rule Set Folders

    NetDefendOS continues to see all entries as though they were in a single set of IP rules. The folder concept is also used by NetDefendOS in the address book, where related IP address objects can be grouped together in administrator created folders.
  • Page 241: Configuration Object Groups

    NetDefendOS objects are displayed as tables and each line represents an object instance. The most common usage of this feature is likely to be for either the NetDefendOS Address Book to arrange IP addresses or for organizing rules in IP rule sets.
  • Page 242 Object Groups and the CLI The display function of object groups means they do not have relevance to the command line interface (CLI). It is not possible to define or otherwise modify object groups with the CLI and they will not be displayed in CLI output.
  • Page 243 Editing Group Properties To change the properties of a group, right click the group title line and select the Edit option from the context menu. A Group editing dialog will be displayed which allows two functions: • Specify the Title The title of the group can be any text that is required and can contain new lines as well as empty lines.
  • Page 244 Once we do this for the second IP rule in our example then the result will be the following: To add any object to the group we must first position it immediately following the group and then select the Join Preceding option. This is explained in more detail next. Adding Preceding Objects If an object precedes a group or is in any position other than immediately following the group, then this is done in a multi-step process:...
  • Page 245: Ip Policy

    It is possible, on the other hand, to use groups within a folder. It is up to the administrator how best to use these features to arrange NetDefendOS objects. 3.6.7. IP Policy The IP Rule objects described previously provide very finely grained control over how arriving traffic is handled by NetDefendOS.
  • Page 246 As mentioned above, certain IP policy options can be used only if the associated Service object has its Protocol property set to the correct profile. This property indicates to NetDefendOS if an ALG is to be used. Any newly created, custom services must have the protocol set if they are to...
  • Page 247: Setting Up A Policy To Allow Connections To A Dmz

    For example, if Dynamic Web Content Filtering is to be enabled with an IP Policy object then the associated Service object must have its Protocol property set to HTTP. Application control is the one IP policy option which does not require the Service object to have its Protocol property set since application control does not make use of an ALG.
  • Page 248: Setting Up A Sat Policy To An Internal Web Server

    Enter the web server's IP address for New IP Geolocation An additional traffic filtering option that is only available in NetDefendOS IP Policy objects is Geolocation. This feature allows filtering of IPv4 and IPv6 addresses for the traffic source and/or destination according to its geographic association.
  • Page 249: Setting Up A Geolocation Filter

    The area selected in an IP Policy object as a filter can be one of the following two types: • A predefined region NetDefendOS provides a predefined list of large world regions. These regions consist of the following: • Africa •...
  • Page 250 used here for the purpose of illustration. Command-Line Interface A. Create the GeolocationFilter object: gw-world:/> add GeolocationFilter hackerland_filter Countries=Hackerland MatchUnknown=true B. Next, create the IP Policy object that uses this filter: gw-world:/> add IPPolicy SourceInterface=any SourceNetwork=all-nets DestinationInterface=any DestinationNetwork=all-nets Service=all_services Name=lan_to_dmz...
  • Page 251: Stateless Policy

    A stateless connection means that packets pass through the NetDefend Firewall without a state for the connection being set up in NetDefendOS's state table. Since the stateful inspection process is bypassed, this is less secure than a stateful connection. The traffic processing is also slower since every packet is checked against the entire rule set.
  • Page 252 DestinationInterface=lan DestinationNetwork=dmznet Service=all_tcp Name=stateless_dmz_to_lan Action=Allow Web Interface Allow stateless TCP flow from lannet to dmznet: Go to: Policies > Firewalling > Add > Stateless Policy Now enter: • Name: stateless_lan_to_dmz • Action: Allow • Source Interface: lan •...
  • Page 253: Application Control

    The application control subsystem is driven using a database of application signatures. Each signature corresponds to one type of application. The entire signature database is listed in the separate document entitled NetDefendOS Application Control Signatures. Application control is a subscription based feature and a subscription must have been purchased for application control to function.
  • Page 254 First, the appcontrol command must be used to create a list of the applications we are interested in: gw-world:/> appcontrol -filter -name=*_groups -save_list This creates a list with a designation of 1. Next, the list is used in an IP rule. gw-world:/>...
  • Page 255: Using An Application Control Rule Set

    • Traffic Shaping Settings Predefined NetDefendOS Pipe objects can be associated with the rule so the bandwidth limit specified by pipe objects can be placed on either direction of data flow or both. This feature therefore allows bandwidth limits to be placed on a given application and, if used in conjunction with the authentication setting, on particular users or user groups using that application.
  • Page 256 This might be done by using a RADIUS server or using other means such as authenticating against an LDAP server. The means of authentication is not discussed further. • A Pipe object called narrow_025_pipe has already been defined in NetDefendOS that permits this data flow. •...
  • Page 257 gw-world:/> set IPPolicy lan_to_wan_policy AppControl=Yes AC_RuleList=bt_app_list Finally, set the source network address object of lan_to_wan_policy so it has the same group name as the application rule: gw-world:/> set Address IP4Address lan_users_net UserAuthGroups=rogue_users Note that the following would also allow application control to function: gw-world:/>...
  • Page 258 The NetDefendOS application control subsystem processes a connection's data flow until it decides if a connection is unclassifiable or not. The maximum amount of data processed to make this decision is specified in NetDefendOS as both a number of packets and a number of bytes. By default, these two values are: •...
  • Page 259: Application Content Control

    So far, application control has been described in terms of targeting specific applications such as BitTorrent or Facebook™. However, NetDefendOS allows a further level of filtering within application control where the content of targeted applications decide if the traffic will be allowed, blocked or just logged.
  • Page 260: Application Content Control With Logging

    Extended Logging When using application content control, it is possible to enable logging for different content. This means that special log messages will be generated by NetDefendOS when the rule triggers on a configured piece of content. For example, if the user_agent in application content has logging enabled and the Allow Selected string is set to firefox, this will allow the Firefox browser to be used and also generate a log message to indicate that Firefox caused the rule to trigger.
  • Page 261 user tries to use the chat function. Associating the application rule set created together with an IP policy will not be included in the example but follows the same steps shown in the previous example. Web Interface First, define the Application Rule Set: Go to: Policies >...
  • Page 262 Browsing the Application Control Database In the CLI, the command appcontrol can be used to examine the application control database of application definitions. Without any parameters, this command shows the database size. For example: gw-world:/> appcontrol Application library contents: 842 application definitions.
  • Page 263 The name parameter must always be the first in a search but the asterisk "*" character can be used as a wildcard. For example: gw-world:/> appcontrol -name=* -family=mail -risk=HIGH As demonstrated earlier, the -save_list option is used to save a filter list so it can be used with IP rules and IP policies.
  • Page 264 Application control will continue to function so that traffic continues to flow through NetDefendOS but, whenever it triggers, the data type will be set to Unknown. For example, if the administrator had configured BitTorrent traffic to be dropped, it will no longer be dropped because it has been recognized and then reclassified as Unknown traffic.
  • Page 265: Schedules

    VPN connection is only permitted on weekdays before noon. Schedule Objects NetDefendOS addresses this requirement by providing Schedule objects (often referred to as simply schedules) that can be selected and used with various types of security policies to accomplish time-based control.
  • Page 266: Setting Up A Time-Scheduled Security Policy

    policies will be enabled and disabled at the right time. For more information, please see Section 2.2, “System Date and Time”. Example 3.43. Setting up a Time-Scheduled Security Policy This example creates a schedule object for office hours on weekdays, and attaches the object to an IP Rule that allows HTTP traffic.
  • Page 267 • SourceNetwork lannet • DestinationInterface: any • DestinationNetwork: all-nets Click OK...
  • Page 268: Certificates

    Certificates in NetDefendOS A certificate is stored in a NetDefendOS configuration as a Certificate object. There is always one certificate object already predefined in NetDefendOS which is the self-signed certificate HTTPSAdminCert and this is sent to the browser when opening a Web Interface session using HTTPS and is also used with SSL VPN.
  • Page 269 This is the type for remote certificates which have the public key file residing locally in NetDefendOS and the private key file present on a CA server. Often, the certificate is a CA signed root certificate used to validate other certificates.
  • Page 270 • Creating a Self-signed Certificate The Web Interface can be used to get NetDefendOS to create the files for a self-signed certificate. In the Web Interface, go to Objects > Key Ring > Add > Certificate then choose the Generate (RSA) from the Source options for the new certificate. This allows the following properties to be specified for the self-signed certificate: Common Name.
  • Page 271 If the host certificate is CA signed then the Root Certificate provided by the signing CA will also need to be loaded into NetDefendOS. This is just a single .cer file containing the public key of the CA. Self-signed certificates will not have a corresponding root certificate.
  • Page 272 CA is configured. Typically, this is somewhere between an hour to several days. For NetDefendOS to check the CRL for a given certificate it may need access to an external CA server. Allowing this access is discussed in detail in Section 3.9.4, “CA Server Access”.
  • Page 273: Uploading And Using Certificates

    Host certificates have two files associated with them and these have the filetypes .key and .cer. The filename of these files must be the same for NetDefendOS to be able to use them. For example, if the certificate is called my_cert then the files are my_cert.key and my_cert.cer.
  • Page 274: Uploading A Certificate With The Web Interface

    A Remote Certificate is issued by a CA and consists of just a single file with a filetype of .cer and this is the public key. The private key is kept on the CA server. The NetDefendOS upload procedure consists of uploading this one file.
  • Page 275: Crl Distribution Point Lists

    It does not matter if the certificate has its own embedded CDPL or not, the CDPL associated with it in NetDefendOS will always be used. In the case of a certificate chain, only the certificate at the top of the chain needs to be associated with the CDPL defined in NetDefendOS.
  • Page 276 The CRL checks property for the certificate will be left as the default value of Enforced which means that a CRL check against the list retrieved from the http://crls.example.com server will always be done. Command-Line Interface A. Configure the distribution point list: First, add the distribution point list: gw-world:/>...
  • Page 277: Ca Server Access

    Internet. The CA server is a private server with tunnels set up over the public Internet and with clients that will try to validate the certificate received from NetDefendOS. In this case the following must be done: A private DNS server must be configured so that NetDefendOS can locate the private CA server to validate the certificates coming from clients.
  • Page 278: Certificate Validation Components

    NetDefendOS IP rule set need to be defined to allow this traffic through. IP rules are not required if it is NetDefendOS itself that issues the request to the CA server. Actions taken by NetDefendOS are trusted by default. This is a general rule that also applies to DNS resolution requests issued by NetDefendOS.
  • Page 279: Creating Windows Ca Server Requests

    The easiest solution for placement of a private CA server is to have it on the unprotected side of the NetDefend Firewall. However, this is not recommended from a security viewpoint. It is better to place it on the inside (or preferably in the DMZ if available) and to have NetDefendOS control access to it.
  • Page 280 -----END CERTIFICATE----- Now paste this copied text into the .cer file and save it. The saved .key and .cer files are now ready for upload into NetDefendOS.
  • Page 281: Dns

    DNS with NetDefendOS To accomplish DNS resolution, NetDefendOS has a built-in DNS client that can be configured to make use of up to three IPv4 and/or IPv6 DNS servers. These are called the Primary Server, the Secondary Server and the Tertiary Server. For DNS to function, at least one server (the primary) must be configured.
  • Page 282 Section 5.6.1, “DHCPv6 Client”. DNS Lookup and IP Rules In the case of DNS server request being generated by NetDefendOS itself, no IP rules need to be defined for the connection to succeed. This is because connections initiated by NetDefendOS are considered to be trusted.
  • Page 283 -repost=2 HTTP Poster Has Other Uses HTTP Poster may be used for other purposes than dynamic DNS. Any requirement for NetDefendOS to send an HTTP GET or POST message to a particular URL could be met using this feature.
  • Page 285: Routing

    • Transparent Mode, page 379 4.1. Overview IP routing is one of the most fundamental functions of NetDefendOS. Any IP packet flowing through a NetDefend Firewall will be subjected to at least one routing decision at some point in time, and properly setting up routing is crucial for the system to function as expected.
  • Page 286: Static Routing

    The most basic form of routing is known as Static Routing. The term "static" is used because most entries in a routing table are part of the NetDefendOS system's static configuration. They usually remain unchanged during long periods of system operation.
  • Page 287: A Typical Routing Scenario

    IPv4 address of the ISP's gateway router would be specified. • Local IP Address This parameter usually does not need to be specified. If it is specified, NetDefendOS responds to ARP queries sent to this address. A special section below explains this parameter in more depth.
  • Page 288 Chapter 4: Routing Route # Interface Destination Gateway 192.168.0.0/24 10.4.0.0/16 195.66.77.0/24 all-nets 195.66.77.4 The above routing table provides the following information: • Route #1 All packets going to hosts on the 192.168.0.0/24 network should be sent out on the lan interface.
  • Page 289: Using Local Ip Address With An Unbound Network

    ARP queries. ARP works because the clients and the NetDefendOS interface are part of the same network. A second network might then be added to the same physical interface via a switch, but with a new network range that does not include the physical interface's IP address. This network is said to be not bound to the physical interface.
  • Page 290: Static Routing

    If this check fails, NetDefendOS generates a Default Access Rule error log message. Even traffic destined for Core (NetDefendOS itself), such as ICMP ping requests, must follow this rule of having two routes associated with it. In this case, the interface of one of the routes is specified as Core.
  • Page 291 (for example, IP rules). Consequently, the destination interface is known at the time NetDefendOS decides if the connection should be allowed or dropped. This design allows for a more fine-grained control in security policies.
  • Page 292: Displaying The Main Routing Table

    Composite Subnets can be Specified Another advantage with the NetDefendOS approach to route definition is that it allows the administrator to specify routes for destinations that are not aligned with traditional subnet masks.
  • Page 293 Default Static Routes are Added Automatically for Each Interface When the NetDefend Firewall is started for the first time, NetDefendOS will automatically add a route in the main routing table for each physical interface. These routes are assigned a default IP address object in the address book and these IP objects must have their addresses changed to the appropriate range for traffic to flow.
  • Page 294: Adding A Route To The Main Table

    NetDefendOS automatically populates the active routing table with Core Routes. These routes are present for NetDefendOS to understand how to route traffic that is destined for NetDefendOS itself. A good example of such traffic is an ICMP ping message sent to an Ethernet interface where...
  • Page 295: Displaying The Core Routes

    When the system receives an IP packet whose destination address is one of the interface IPs, the packet will be routed to the core interface. In other words, it is processed by NetDefendOS itself. There is also a core route added for all multicast addresses:...
  • Page 296: Route Failover

    • Interface Link Status NetDefendOS will monitor the link status of the interface specified in the route. As long as the interface is up, the route is diagnosed as healthy. This method is appropriate for monitoring that the interface is physically attached and that the cabling is working as expected. As any changes to the link status are instantly noticed, this method provides the fastest response to failure.
  • Page 297 When two routes offer a means to reach the same destination, NetDefendOS will select the one with the lowest metric value for sending data (if two routes have the same metric, the route found first in the routing table will be chosen).
  • Page 298 If the primary WAN router should then fail, this will be detected by NetDefendOS, and the first route will be disabled. As a consequence, a new route lookup will be performed and the second route will be selected with the first one being marked as disabled.
  • Page 299: Host Monitoring For Route Failover

    4.2.4. Host Monitoring for Route Failover Overview To provide a more flexible and configurable way to monitor the integrity of routes, NetDefendOS provides the additional capability to perform Host Monitoring. This feature means that one or more external host systems can be routinely polled to check that a particular route is available.
  • Page 300 Specifying Hosts For each host specified for host monitoring, there are a number of property parameters that should be set: • Method The method by which the host is to be polled. This can be one of: •...
  • Page 301: Advanced Settings For Route Failover

    Where multiple hosts are specified for host monitoring, more than one of them could have Reachability Required enabled. If NetDefendOS determines that any host with this option enabled is not reachable, Route Failover is initiated.
  • Page 302: Proxy ARP

    However, situations may exist where a network running Ethernet is separated into two parts with a routing device such as a NetDefend Firewall in between. In such a case, NetDefendOS itself can respond to ARP requests directed to the network on the other side of the NetDefend Firewall using the feature known as Proxy ARP.
  • Page 303: A Proxy ARP Example

    The network net_1 is connected to the interface if1 and the network net_2 is connected to the interface if2. In NetDefendOS there will be a route configured that says net_1 can be found on if1. This might be called route_1.
  • Page 304: Broadcast Packet Forwarding

    Note: Not all interfaces can make use of Proxy ARP It is only possible to have Proxy ARP functioning for Ethernet and VLAN interfaces. Proxy ARP is not relevant for other types of NetDefendOS interfaces since ARP is not involved. Automatically Added Routes Proxy ARP cannot be enabled for automatically added routes.
  • Page 305 Transparent Mode Broadcast Forwarding is Always Stateless It is important to note that broadcast packets are always forwarded statelessly by NetDefendOS when in transparent mode. In other words, even if an IP rule with an action of Allow permits transparent mode broadcast packets to flow, they will be forwarded as though the rule had an action of FwdFast.
  • Page 306: Enabling Broadcast Forwarding On A Route

    Chapter 4: Routing All these multiple log messages can be turned off by disabling log messages on the triggering IP rule/policy. • broadcast_nat This is generated when a broadcast packet has triggered a NAT rule/policy in transparent mode and has been dropped. A typical log message of this type will look similar to the following: prio=Notice id=06000014 rev=1 event=broadcast_nat action=drop rule=a recvif=If3 srcip=192.168.100.25 destip=192.168.100.255 ipproto=UDP...
  • Page 307 Go to: Network > Routing > Routing Tables > main Select the route my_route Enable the option Forward Broadcast Traffic Click OK...
  • Page 308: Policy-Based Routing

    ISPs and subscribe to different providers. PBR Components Policy-based routing in NetDefendOS is implemented using two components: • Additional Routing Tables One or more user-defined alternate Routing Tables are created in addition to the standard default main routing table.
  • Page 309: Creating A Routing Table

    Routing Tables NetDefendOS, as standard, has one default routing table called main. In addition to the main table, it is possible to define one or more additional routing tables for policy-based routing (these will sometimes be referred to as alternate routing tables).
  • Page 310: Adding Routes

    Example 4.6. Adding Routes After defining the routing table MyPBRTable, routes can be added to the table. Assume that the route to a network my_network is to be defined for the lan interface. Command-Line Interface Change the context to be the routing table: gw-world:/>...
  • Page 311 ReturnRoutingTable: MyPBRTable If Remove Interface IP Routes is enabled, the default interface routes are removed, that is to say routes to the core interface (which are routes to NetDefendOS itself). Click OK Routing Rules can use IPv4 or IPv6 Addresses Routing rules support either IPv4 or IPv6 addresses as the source and destination network for a rule's filtering properties.
  • Page 312 The isp2 routing table Index # Interface Destination Gateway wan2 all-nets isp2_ip If traffic coming through wan2 is to have access to If1_net then a routing rule needs to be constructed as follows: Source Source Destination Destination Forward Return Interface Network...
  • Page 313: Policy-Based Routing With Multiple ISPs

    Note that the original route lookup to find the destination interface used for all rule look-ups was done with the original, untranslated address. If allowed by the IP rule set, the new connection is opened in the NetDefendOS state table and the packet forwarded through this connection.
  • Page 314 This example illustrates a multiple ISP scenario which is a common use of policy-based routing. The following is assumed: • Each ISP will provide an IPv4 network from its network range. A 2 ISP scenario is assumed in this case, with the network 10.10.10.0/24 belonging to ISP A and 20.20.20.0/24 belonging to ISP B.
  • Page 315 Add the PBR routing rules according to the list with the following: • Go to: Network > Routing > Policy-based Routing Rules > Add > Routing Rule • Enter the information from the list • Repeat to add the next rule Note Routing rules in the above example are added for both inbound and outbound connections.
  • Page 316: Route Load Balancing

    4.4. Route Load Balancing Overview NetDefendOS provides the option to perform Route Load Balancing (RLB). This is the ability to distribute traffic over multiple alternate routes using one of a number of distribution algorithms. The purpose of this feature is to provide the following: •...
  • Page 317: The RLB Round Robin Algorithm

    processing steps is as follows: Route lookup is done in the routing table and a list of all matching routes is assembled. The routes in the list must cover the exact same IP address range (further explanation of this requirement can be found below).
  • Page 318: The RLB Spillover Algorithm

    • Route metrics should always be set. With spillover, NetDefendOS always chooses the route in the matching routes list that has the lowest metric. The algorithm is not intended to be used with routes having the same metric so the administrator should set different metrics for all the routes to which spillover applies.
  • Page 319 RLB Resets There are two occasions when all RLB algorithms will reset to their initial state: • After NetDefendOS reconfiguration. • After a high availability failover. In both these cases, the chosen route will revert to the one selected when the algorithms began operation.
  • Page 320: A Route Load Balancing Scenario

    Internet access is available from either one of two ISPs, whose gateways GW1 and GW2 are connected to the firewall interfaces WAN1 and WAN2. RLB will be used to balance the connections between the two ISPs. Figure 4.7. A Route Load Balancing Scenario We first need to define two routes to these two ISPs in the main routing table as shown below: Route No.
  • Page 321: Setting Up RLB

    If we were to try and use RLB to balance traffic between two IPsec tunnels, the problem that arises is that the Remote Endpoint for any two IPsec tunnels in NetDefendOS must be different. The solutions to this issue are as follows: •...
  • Page 322 If both tunnels must be, for example, IPsec connections, it is possible to wrap IPsec in a GRE tunnel (in other words, the IPsec tunnel is carried by a GRE tunnel). GRE is a simple tunneling protocol without encryption and therefore involves a minimum of extra overhead. See Section 3.4.7, “GRE Tunnels”...
  • Page 323: Virtual Routing

    4.5. Virtual Routing 4.5.1. Overview Virtual Routing is a NetDefendOS feature that allows the creation of multiple, logically separated virtual systems within NetDefendOS, each with its own routing table. These systems can behave as physically separated NetDefend Firewalls and almost everything that can be done with separate firewalls can be done with them, including dynamic routing with OSPF.
  • Page 324: Virtual Routing

    Since route lookup is done in completely separate routing tables, there are no conflicts. VPN Tunnels are Interfaces VPN tunnels are also considered to be interfaces in NetDefendOS and can therefore also be associated with their own routing tables just as physical interfaces can.
  • Page 325: The Disadvantage Of Routing Rules

    communication between the virtual systems. For example, Department A does not need to communicate with Department B. If communication between them is needed then an appropriate loopback interface pair would have to be defined to allow this. After we define a loopback interface, all traffic sent to that interface automatically appears as being received on another interface.
  • Page 326: The Advantage Of Virtual Routing

    Route # Interface Network Gateway 192.168.0.0/24 Getting traffic from each network to and from the Internet is straightforward. Assuming only outbound traffic, it requires only two Routing Rule objects. Assuming that each organization has a public IPv4 address which maps to servers on the respective networks then outbound as well as inbound traffic can be handled with the following four routing rules: Route # Name...
  • Page 327 Here, each organization gets a virtual system of its own. These connect to the main routing table using pairs of loopback interfaces. The routing tables would have the following entries: Routing Table main Route # Interface Network Gateway main-wan all-nets...
  • Page 328: IP Rule Sets With Virtual Routing

    4.5.4. IP Rule Sets with Virtual Routing The IP rule sets for different virtual systems can be split into separate rule sets using the NetDefendOS feature of creating multiple IP rule sets (see Section 3.6.4, “Multiple IP Rule Sets” for more detail on this feature).
  • Page 329: Multiple IP Rule Sets

    Note that SAT rules do not need to take into account that there are more organizations connected to the same physical unit. There is no direct connection between them; everything arrives through the same interface, connected to the main routing table. If this was done without virtual routing, the Allow rules would have to be preceded by NAT rules for traffic from other organizations.
  • Page 330 way expected in a given virtual system. (Hint: "-lookup" may be shortened to "-l".) • Use "conn -v" to view verbose information about open connections. Both ends of a connection will be shown; before and after address translation. Also, the routing tables used in the forward and return direction will be shown.
  • Page 331: OSPF

    4.6. OSPF The feature called Dynamic Routing is implemented in NetDefendOS using the Open Shortest Path First (OSPF) architecture. Note: OSPF is not available on all NetDefend models The OSPF feature is not available on the DFL-260E.
  • Page 332: A Simple OSPF Scenario

    The OSPF Solution Open Shortest Path First (OSPF) is a widely used protocol based on an LS algorithm. Dynamic routing is implemented in NetDefendOS using OSPF. An OSPF enabled router first identifies the routers and sub-networks that are directly connected to it and then broadcasts the information to all the other routers.
  • Page 333: OSPF Providing Route Redundancy

    OSPF allows firewall A to know that to reach network Y, traffic needs to be sent to firewall B. Instead of having to manually insert this routing information into the routing tables of A, OSPF allows B's routing table information to be automatically shared with A. In the same way, OSPF allows firewall B to automatically become aware that network X is attached to firewall A.
  • Page 334: OSPF Concepts

    OSPF components. In NetDefendOS, an AS corresponds to an OSPF Router object. This must be defined first when setting up OSPF. In most scenarios only one OSPF router is required to be defined and it must be defined separately on each NetDefend Firewall involved in the OSPF network.
  • Page 335 IP subnetted network. In NetDefendOS, areas are defined by OSPF Area objects and are added to the AS which is itself defined by an OSPF Router object. There can be more than one area within an AS so multiple OSPF Area objects could be added to a single OSPF Router.
  • Page 336 OSPF Aggregation is used to combine groups of routes with common addresses into a single entry in the routing table. This is commonly used to minimize the routing table. To set this feature up in NetDefendOS, see Section 4.6.3.5, “OSPF Aggregates”. Virtual Links Virtual links are used for the following scenarios: A.
  • Page 337: Virtual Links Connecting Areas

    impossible to have an area physically connected to the backbone, a Virtual Link is used. Virtual links can provide an area with a logical path to the backbone area. This virtual link is established between two Area Border Routers (ABRs) that are on one common area, with one of the ABRs connected to the backbone area.
  • Page 338: Virtual Links With Partitioned Backbone

    Using OSPF with NetDefendOS When using OSPF with NetDefendOS, the scenario will be that we have two or more NetDefend Firewalls connected together in some way. OSPF allows any of these firewalls to be able to...
  • Page 339: OSPF Components

    4.6.3. OSPF Components This section looks at the NetDefendOS objects that need to be configured for OSPF routing. Defining these objects creates the OSPF network. The objects should be defined on each NetDefend Firewall that is part of the OSPF network and should describe the same network.
  • Page 340 participating in the OSPF AS. Private Router ID This is used in an HA cluster and is the ID for this firewall and not the cluster. Note When running OSPF on an HA cluster there is a need for a private master and private slave Router ID as well as the shared Router ID.
  • Page 341: OSPF Area

    In other words, the OSPF authentication method must be replicated on all NetDefend Firewalls. Advanced Time Settings SPF Hold Time Specifies the minimum time, in seconds, between two SPF calculations. The default time is 10 seconds. A value of 0 means that there is no delay.
  • Page 342 Specifies the IPv4 network address for this OSPF interface. If it is not specified, it defaults to the network assigned to the underlying NetDefendOS interface. This network is automatically exported to the OSPF AS and does not require a Dynamic Routing Rule.
  • Page 343 multicast address 224.0.0.5. Those packets will be heard by all the other OSPF routers on the network. For this reason, no configuration of OSPF Neighbor objects is required for the discovery of neighboring routers. • Point-to-Point - Point-to-Point is used for direct links which involve only two routers (in other words, two firewalls).
  • Page 344 This mode means that traffic with a destination MAC address that does not match the Ethernet interface's MAC address will be sent to NetDefendOS and not discarded by the interface. Promiscuous mode is enabled automatically by NetDefendOS and the administrator does not need to worry about doing this.
  • Page 345: Dynamic Routing Rules

    If advertised, this will decrease the size of the routing table in the firewall; if not advertised, this will hide the networks. NetDefendOS OSPF Aggregate objects are created within an OSPF Area and each object has the following parameters: Network The network consisting of the smaller routes.
  • Page 346 OSPF Requires at Least an Import Rule By default, NetDefendOS will not import or export any routes. For OSPF to function, it is therefore mandatory to define at least one dynamic routing rule which will be an Import rule.
  • Page 347: Dynamic Routing Rule Objects

    A dynamic routing export rule must be created to explicitly export the route to the OSPF AS. Dynamic Routing Rule Objects The diagram below shows the relationship between the NetDefendOS dynamic routing rule objects. Figure 4.16. Dynamic Routing Rule Objects 4.6.4.2.
  • Page 348: Setting Up OSPF

    rule to be triggered. Metric Specifies an interval that the metric of the routes must lie within. Router ID Specifies if the rule should filter on Router ID. OSPF Route Type Specifies if the rule should filter on the OSPF Router Type. OSPF Tag Specifies an interval that the tag of the routes must lie within.
  • Page 349 OSPF autonomous system (AS). If unfamiliar with these OSPF concepts, please refer to earlier sections for further explanation. Beginning with just one of these firewalls, the NetDefendOS setup steps are as follows: 1. Create an OSPF Router object Create a NetDefendOS OSPF Router Process object. This will represent an OSPF Autonomous System (AS) which is the highest level in the OSPF hierarchy.
  • Page 350 OSPF AS. In addition, the optional Or is within filter parameter for the destination network must be set to be all-nets. We could use a narrower filter for the destination network but in this case we want all networks. Within the Dynamic Routing Policy Rule just added, we now add a Routing Action object.
  • Page 351 First set up an IPsec tunnel in the normal way between the two firewalls A and B. The IPsec setup options are explained in Section 9.2, “VPN Quick Start”. This IPsec tunnel is now treated like any other interface when configuring OSPF in NetDefendOS. 2. Choose a random internal IP network For each firewall, we need to choose a random IP network using internal, private IPv4 addresses.
  • Page 352: An OSPF Example

    For the IPv4 address of the router, we simply use any single IP address from the network 192.168.55.0/24. For example, 192.168.55.1. When NetDefendOS sets up OSPF, it will look at this OSPF Neighbor object and will try to send OSPF messages to the IPv4 address 192.168.55.1. The OSPF Interface object defined in the previous step tells NetDefendOS that OSPF related traffic to this IP address should be routed into the IPsec tunnel.
  • Page 353: An OSPF Example

    Figure 4.17. An OSPF Example Here, two identical NetDefend Firewalls called A and B are joined together directly via their If3 interfaces. Each has a network of hosts attached to its If1 interface. On one side, If1_net is the IPv4 network 10.4.0.0/16 and on the other side it is the IPv4 network 192.168.0.0/24.
  • Page 354: Add An OSPF Area

    Example 4.11. Add an OSPF Area Now add an OSPF Area object to the OSPF Router Process object as_0 on firewall A. This area will be the OSPF backbone area and will therefore have the ID 0.0.0.0. Assume the name for the area object will be area_0.
  • Page 355: Import Routes From An OSPF AS Into The Main Routing Table

    Next, add the OSPFInterface object: gw-world:/as_0/area_0> add OSPFInterface If1 Passive=Yes Enabling the Passive option means that this interface is not connected to another OSPF router. Finally, return to the default CLI context: gw-world:/as_0/area_0> cc gw-world:/> Web Interface Go to: Network >...
  • Page 356: Exporting The Routes Into An OSPF AS

    Go to: Network > Routing > Routing Rules > Add > Dynamic Routing Policy Rule Specify a suitable name for the rule. For example, ImportOSPFRoutes. Select the option From OSPF Process Move as_0 from Available to Selected Choose all-nets in the ...Or is within filter option for Destination Interface Click OK Now, create a Dynamic Routing Action that will import routes into the routing table.
  • Page 357: OSPF Troubleshooting

    OSPFProcess=as_0 Name=ExportDefRoute DestinationNetworkIn=all-nets DestinationInterface=If3 From=RTable RoutingTable=main Web Interface Go to: Network > Routing > Routing Rules > Add > Dynamic Routing Policy Rule Specify a name for the rule. In this case, ExportAllNets Select the option From Routing Table Move the routing table main to the Selected list Choose all-nets in the ...Or is within filter for Destination Interface Click OK...
  • Page 358: Enabling OSPF Debug Log Events

    Additional OSPF Log Event Messages By default, a range of basic log event messages are generated by OSPF operation within NetDefendOS. For example, if the OSPFProcess object running under NetDefendOS is called my_ospf_proc, normal log generation would be enabled with the CLI command: gw-world:/>...
  • Page 359 Web Interface Go to: Network > Routing > OSPF > my_ospf_proc Select the Debug option Now enter: • Hello Packets: Low • Routing Table Manipulation: High Click OK The ospf CLI command The CLI command ospf provides various options for examining the behavior of OSPF in real-time on a particular.
  • Page 360 The ospf command options are fully described in the separate NetDefendOS CLI Reference Guide.
  • Page 361: Multicast Routing

    By default, multicast packets are routed by NetDefendOS to the core interface (in other words, to NetDefendOS itself). SAT Multiplex rules are set up in the IP rule set in order to perform forwarding to the correct interfaces. This is demonstrated in the examples described later.
  • Page 362: Multicast Forwarding With SAT Multiplex Rules

    Promiscuous mode means that traffic with a destination MAC address that does not match the Ethernet interface's MAC address will be sent to NetDefendOS and not discarded by the interface. Promiscuous mode is enabled automatically by NetDefendOS and the administrator does not need to worry about doing this.
  • Page 363: Multicast Forwarding - No Address Translation

    configuration can be found later in Section 4.7.3.1, “IGMP Rules Configuration - No Address Translation”. Figure 4.18. Multicast Forwarding - No Address Translation Note: SAT Multiplex rules must have a matching Allow rule Remember to add an Allow rule that matches the SAT Multiplex rule. The matching rule could also be a NAT rule for source address translation (see below) but cannot be a FwdFast or SAT rule.
  • Page 364 A. Create a custom Service object for multicast: Go to: Objects > Services > Add > TCP/UDP Now enter: • Name: my_multicast_service • Type: UDP • Destination: 1234 B. Create an IP Rule object: Go to: Policies > Firewalling > Main IP Rules > Add > IP Rule Now enter: •...
  • Page 365: Forwarding Multicast Traffic With A Multicast Policy

    If, for example, multiplexing of the multicast group 239.192.100.50 is required to the output interfaces if2 and if3, then the command to create the rule would be: gw-world:/> add IPRule SourceNetwork=<srcnet> SourceInterface=<if1> DestinationInterface=core DestinationNetwork=239.192.100.50 Action=MultiplexSAT Service=<service> MultiplexArgument={if2;},{if3;} The destination interface is core since 239.192.100.50 is a multicast group.
  • Page 366 • Type: UDP • Destination: 1234 B. Create a Multicast Policy object: Go to: Policies > Firewalling > Main IP Rules > Add > Multicast Policy Now enter: • Name: my_multicast_policy • Source Interface: wan • Source Network: 192.168.10.1 •...
  • Page 367: Multicast Forwarding - Address Translation

    Figure 4.19. Multicast Forwarding - Address Translation No address translation should be made when forwarding through interface if1. The configuration of the corresponding IGMP rules can be found below in Section 4.7.3.2, “IGMP Rules Configuration - Address Translation”. As previously noted, remember to add an Allow rule matching the SAT Multiplex rule.
  • Page 368: IGMP Configuration

    • Name: a name for the rule, for example Multicast_Multiplex • Action: Multiplex SAT • Service: multicast_service Under Address Filter enter: • Source Interface: wan • Source Network: 192.168.10.1 • Destination Interface: core • Destination Network: 239.192.10.0/24 Click the Multiplex SAT tab Add interface if1 but leave the IPAddress empty Add interface if2 but this time, enter 237.192.10.0 as the IPAddress...
  • Page 369: Multicast Snoop Mode

    NetDefendOS supports two IGMP modes of operation: • Snoop Mode • Proxy Mode The operation of these two modes is shown in the following illustrations: Figure 4.20. Multicast Snoop Mode Figure 4.21. Multicast Proxy Mode In Snoop Mode, the NetDefend Firewall will act transparently between the hosts and another IGMP router.
  • Page 370: IGMP - No Address Translation

    queries. Towards the upstream router, the firewall will be acting as a normal host, subscribing to multicast groups on behalf of its clients. 4.7.3.1. IGMP Rules Configuration - No Address Translation This example describes the IGMP rules needed for configuring IGMP according to the No Address Translation scenario described above.
  • Page 371: If1 Configuration

    • Name: A suitable name for the rule, for example Queries • Type: Query • Action: Proxy • Output: IfGrpClients (this is the relay interface) Under Address Filter enter: • Source Interface: wan • Source Network: UpstreamRouterIp •...
  • Page 372: If2 Configuration - Group Translation

    • Action: Proxy • Output: wan (this is the relay interface) Under Address Filter enter: • Source Interface: if1 • Source Network: if1net • Destination Interface: core • Destination Network: auto • Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.0/24 Click OK B.
  • Page 373 Web Interface A. Create the first IGMP Rule: Go to: Network > Routing > IGMP Rules > Add > IGMP Rule Under General enter: • Name: A suitable name for the rule, for example Reports_if2 • Type: Report •...
  • Page 374: Advanced IGMP Settings

    Advanced IGMP Settings There are a number of IGMP advanced settings which are global and apply to all interfaces which do not have IGMP settings explicitly specified for them. 4.7.4. Advanced IGMP Settings The following advanced settings for IGMP can be found in the Web Interface by going to: Network >...
  • Page 375 Default: 5,000 IGMP Max Total Requests The maximum global number of IGMP messages to process each second. Default: 1000 IGMP Max Interface Requests The maximum number of requests per interface and second. Global setting on interfaces without an overriding IGMP Setting.
  • Page 376: Tunneling Multicast Using GRE

    Default: 1,000 4.7.5. Tunneling Multicast using GRE It is possible to tunnel NetDefendOS multicast between two NetDefend Firewalls through a GRE tunnel. The multicast server will be behind one firewall and the clients behind the other with a GRE tunnel linking the two firewalls.
  • Page 377: Tunneling Multicast Using GRE

    Remote Network gre_to_clients If2_ip client_interface_ip client_net Routes Provided that the above GRE object has the option to automatically add routes enabled, the following route will be added by NetDefendOS to the main routing table. Network Interface client_net gre_to_clients Services Name...
  • Page 378 Remote Network gre_to_server If3_ip server_interface_ip server_net Routes Provided that the above GRE object has the option to automatically add routes enabled, the following route will be added by NetDefendOS to the main routing table. Network Interface server_net gre_to_server Services Name...
  • Page 379: Transparent Mode

    4.8.1. Overview Transparent Mode Usage The NetDefendOS Transparent Mode feature allows a NetDefend Firewall to be placed at a point in a network without any reconfiguration of the network and without hosts being aware of its presence. All NetDefendOS features can then be used to monitor and manage traffic flowing through that point.
  • Page 380 IP or Ethernet levels. This is achieved by NetDefendOS keeping track of the MAC addresses of the connected hosts and NetDefendOS allows physical Ethernet networks on either side of the NetDefend Firewall to act as though they were a single logical IP network.
  • Page 381 Discovery is done by NetDefendOS sending out ARP as well as ICMP (ping) requests, acting as the initiating sender of the original IP packet for the destination on the interfaces specified in the Switch Route.
  • Page 382 Restricting the Network Parameter As NetDefendOS listens to ARP traffic, it continuously adds single host routes to the routing table as it discovers on which interface IP addresses are located. As the name suggests, single host routes give a route for a single IP address. The number of these routes can therefore become large as connections are made to more and more hosts.
  • Page 383 Chapter 4: Routing The diagram above illustrates how switch route interconnections for one routing table are completely separate from the switch route interconnections for another routing table. By using different routing tables in this way we can create two separate transparent mode networks. The routing table used for an interface is decided by the Routing Table Membership parameter for each interface.
  • Page 384: Enabling Internet Access

    This is described further in Section 4.2.6, “Proxy ARP”. This approach has two disadvantages: firstly, clients will not be able to roam between NetDefendOS interfaces while retaining the same IP address. Secondly, and more importantly, their network routes will need to be manually configured for proxy ARP.
  • Page 385: Transparent Mode Internet Access

    NetDefendOS May Also Need Internet Access The NetDefend Firewall also needs to find the public Internet if it is to perform NetDefendOS functions such as DNS lookup, Web Content Filtering or Anti-Virus and IDP updating. To allow this, individual "normal"...
  • Page 386: A Transparent Mode Use Case

    85.12.184.39 and 194.142.215.15 could be grouped into a single object in this way. Using NAT NAT should not be enabled for NetDefendOS in Transparent Mode since, as explained previously, the NetDefend Firewall is acting like a level 2 switch and address translation is done at the higher IP OSI layer.
  • Page 387 Chapter 4: Routing Configure the wan interface: gw-world:/> set Interface Ethernet wan IP=10.0.0.1 Network=10.0.0.0/24 DefaultGateway=10.0.0.1 AutoSwitchRoute=Yes Configure the lan interface: gw-world:/> set Interface Ethernet lan IP=10.0.0.2 Network=10.0.0.0/24 AutoSwitchRoute=Yes Add the IP rule: gw-world:/> add IPRule Action=Allow Service=http SourceInterface=lan SourceNetwork=10.0.0.0/24 DestinationInterface=any DestinationNetwork=all-nets Name=http_allow Web Interface...
  • Page 388: Spanning Tree BPDU Support

    STP protocol. Two NetDefend Firewalls are deployed in transparent mode between the two sides of the network. The switches on either side of the firewall need to communicate and require NetDefendOS to relay switch BPDU messages in order that packets do not loop between the firewalls.
  • Page 389: MPLS Pass Through

    Multiple Spanning Tree Protocol (MSTP) • Cisco proprietary PVST+ Protocol (Per VLAN Spanning Tree Plus) NetDefendOS checks the contents of BPDU messages to make sure the content type is supported. If it is not, the frame is dropped. Enabling/Disabling BPDU Relaying BPDU relaying is disabled by default and can be controlled through the advanced setting Relay Spanning-tree BPDUs.
  • Page 390: Advanced Settings For Transparent Mode

    NetDefendOS MPLS Support NetDefendOS supports MPLS Pass Through. This is relevant in transparent mode scenarios where the MPLS labeled packets are allowed to traverse the NetDefend Firewall. NetDefendOS can optionally validate the integrity of these MPLS packets and the administrator can change the advanced setting Relay MPLS to specify the specific action to be taken.
  • Page 391 Chapter 4: Routing Default: 8192 Dynamic L3C Size Allocate the L3 Cache Size value dynamically. Default: Enabled L3 Cache Size This setting is used to manually configure the size of the Layer 3 Cache. Enabling Dynamic L3C Size is normally preferred. Default: Dynamic Relay Spanning-tree BPDUs When set to Ignore, all incoming STP, RSTP and MSTP BPDUs are relayed to all transparent...
  • Page 393: DHCP Services

    Chapter 5: DHCP Services This chapter describes DHCP services in NetDefendOS. • Overview, page 393 • IPv4 DHCP Client, page 395 • IPv4 DHCP Server, page 397 • IPv4 DHCP Relay, page 404 • IP Pools, page 408 • DHCPv6, page 411 5.1.
  • Page 394 Chapter 5: DHCP Services wishes to use the IP address it was assigned, and may terminate the lease and release the IP address. The lease time can be configured in a DHCP server by the administrator.
  • Page 395: IPv4 DHCP Client

    The same process of requesting a lease will also take place if NetDefendOS is restarted. If the DHCP is subsequently disabled on an interface, the administrator will need to manually assign the IPv4 address and network.
  • Page 396 Chapter 5: DHCP Services Web Interface Go to: Network > Ethernet > If1 Select Enable DHCP Click OK...
  • Page 397: IPv4 DHCP Server

    Multiple DHCP servers form a list as they are defined, the last defined being at the top of the list. When NetDefendOS searches for a DHCP server to service a request, it goes through the list from top to bottom and chooses the first server with a matching combination of interface and relayer IP filter value.
  • Page 398 A symbolic name for the server. Used as an interface reference but also used as a reference in log messages. Interface Filter The source interface on which NetDefendOS will listen for DHCP requests. This can be a single interface or a group of interfaces. Relay Filter A filter for the relay address.
  • Page 399: Setting Up An IPv4 DHCP Server

    Chapter 5: DHCP Services The policy for saving the lease database to disk. The options are: i. Never - Never save the database. ii. ReconfShut - Save the database on a reconfigure or a shutdown. iii. ReconfShutTimer - Save the database on a reconfigure or a shutdown and also periodically.
  • Page 400 NetDefendOS DHCP server adds the IP address to its own blacklist. The CLI can be used to clear the DHCP server blacklist with the command: gw-world:/> dhcpserver -release=blacklist Additional Server Settings A NetDefendOS DHCP server can have two other sets of objects associated with it: • Static Hosts. •...
  • Page 401: Static IPv4 DHCP Hosts

    5.3.1. Static IPv4 DHCP Hosts Where the administrator requires a fixed relationship between a client and the assigned IP address, NetDefendOS allows the assignment of a given IP to a specific MAC address. In other words, the creation of a static host.
  • Page 402: Custom IPv4 Options

    Chapter 5: DHCP Services Host=192.168.1.1 MACAddress=00-90-12-13-14-15 All static assignments can then be listed and each is listed with an index number: gw-world:/DHCPServer1> show Comments ------- <empty> An individual static assignment can be shown using its index number: gw-world:/DHCPServer1> show DHCPServerPoolStaticHost 1 Property Value -----------...
  • Page 403 RFC 2132 - DHCP Options and BOOTP Vendor Extensions The code is entered according to the value specified in RFC 2132. The data associated with the code is first specified in NetDefendOS as a Type followed by the Data.
  • Page 404: IPv4 DHCP Relay

    The Source IP of Relayed DHCP Traffic For relayed DHCP traffic, the option exists in NetDefendOS to use the interface on which it listens as the source interface for forwarded traffic or alternatively the interface on which it sends out the forwarded request.
  • Page 405: DHCP Relay With Proxy ARP

    It is assumed the NetDefend Firewall is configured with VLAN interfaces vlan1 and vlan2 that use DHCP relaying, and the DHCP server IP address is defined in the NetDefendOS address book as ip-dhcp. NetDefendOS will add a route for the client when it has finalized the DHCP process and obtained an IP.
  • Page 406 Maximum number of transactions at the same time. Default: 32 Transaction Timeout For how long a DHCP transaction can take place. Default: 10 seconds Max PPM How many DHCP packets a client can send through NetDefendOS to the DHCP server during one minute.
  • Page 407 How many hops the DHCP request can take between the client and the DHCP server. Default: 5 Max Lease Time The maximum lease time allowed by NetDefendOS. If the DHCP server has a higher lease time, it will be reduced down to this value. Default: 10000 seconds Max Auto Routes How many relays can be active at the same time.
  • Page 408: IP Pools

    IP address). More than one DHCP server can be used by a pool and can either be external or be local DHCP servers defined in NetDefendOS itself. Multiple IP Pools can be set up with different identifying names.
  • Page 409 As mentioned in the previous section, the Prefetched Leases option specifies the size of the cache of leases which is maintained by NetDefendOS. This cache provides fast lease allocation and can improve overall system performance. It should be noted however that the entire prefetched number of leases is requested at system startup and if this number is too large then this can degrade initial performance.
  • Page 410: Creating An IP Pool

    Chapter 5: DHCP Services This displays all the configured IP pools along with their status. The status information is divided into four parts: • Zombies - The number of allocated but inactive addresses. • In progress - The number of addresses that are in the process of being allocated. •...
  • Page 411: DHCPv6

    An IPv6 address for the interface. • The addresses of up to three IPv6 DNS servers. NetDefendOS will only read the first two. The third will be discarded. As explained later in the section, the IPv6 network address and IPv6 gateway address can also be automatically retrieved if the interface property Router Discovery is enabled.
  • Page 412 • Server Filter This is a range of IPv6 addresses for servers from which NetDefendOS will accept leases. The Router Discovery Option An Ethernet configuration object has an additional property called Router Discovery which is either disabled or enabled.
  • Page 413: DHCPv6 Client Setup

    DHCPv6DNS1 and DHCPv6DNS2. Created DNS Address Objects For the first DNSv6 server address in a lease, NetDefendOS will automatically create a new IPv6 address book object with the name <interface>_dns6_<num>, where <interface> is the interface receiving the lease and <num>...
  • Page 414: DHCPv6 Server

    Click OK 5.6.2. DHCPv6 Server NetDefendOS provides the ability to set up one or more DHCPv6 servers. Configuring these is almost identical to configuring an IPv4 DHCP server. However, there are some object properties which are available with DHCPv6 but not with standard IPv4 DHCP. These are as follows: •...
  • Page 415 When no more memory is available, NetDefendOS will cease to assign new leases and will behave as though there are no free IPs left in the pool. NetDefendOS will signal a general out-of-memory condition and this will appear on the management console. This condition would require a very large number of leases to be allocated.
  • Page 416: DHCPv6 Server Setup

    DHCPv6 server is being added to the network. If another device (either a D-Link firewall or third party device) on the network is going to send the router advertisements for the DHCPv6 server, that device must be similarly configured with the settings described above.
  • Page 417 Chapter 5: DHCP Services gw-world:/1(my_ra)> cc Web Interface Create the server: Go to: Network > Network Services > DHCPv6 Servers >Add > DHCPv6Server Now enter: • Name: dhcpv6_server1 • Interface Filter: lan • IP Address Pool: dhcpv6_range1 Select the Options tab Enable Handle Rapid Commit Option Enable Send Preference Option Set the Preference value to be 100...
  • Page 418: Static DHCPv6 Host Assignment

    Where the administrator requires a fixed relationship between a client and the assigned IP address, NetDefendOS allows the assignment of a given IPv6 address to a specific MAC address just as it was assigned for IPv4 as described in Section 5.3.1, “Static IPv4 DHCP Hosts”.
  • Page 419 Chapter 5: DHCP Services • Host: 2001:DB8::1 • MAC: 00-90-12-13-14-15 Click OK...
  • Page 421: Security Mechanisms

    6.1. Access Rules 6.1.1. Overview One of the principal functions of NetDefendOS is to allow only authorized connections access to protected data resources. Access control is primarily addressed by the NetDefendOS IP rule set in which a range of protected LAN addresses are treated as trusted hosts, and traffic flow from untrusted sources is restricted from entering trusted areas.
  • Page 422: IP Spoofing

    The configuration of an access rule is similar to other types of rules. It contains Filtering Fields as well as the Action to take. If there is a match, the rule is triggered, and NetDefendOS will carry out the specified Action.
  • Page 423: Setting Up An Access Rule

    Drop. Troubleshooting Access Rule Related Problems It should be noted that Access Rules are a first filter of traffic before any other NetDefendOS modules can see it. Sometimes problems can appear, such as setting up VPN tunnels, precisely because of this.
  • Page 424 Chapter 6: Security Mechanisms Now enter: • Name: lan_Access • Action: Expect • Interface: lan • Network: lannet Click OK...
  • Page 425: ALGs

    Deploying an ALG Once a new ALG object is defined by the administrator, it is brought into use by first associating it with a Service object and then associating that service with an IP rule in the NetDefendOS IP rule set.
  • Page 426: Deploying An ALG

    Figure 6.1. Deploying an ALG ALGs Are Not State Synchronized No aspect of ALGs is state synchronized in a NetDefendOS high availability cluster. This means that all traffic handled by ALGs will freeze when a cluster fails over to the other peer.
  • Page 427: The HTTP ALG

    Service objects can be used directly with an IP policy and all of the properties previously available in the ALG object will become properties of the IP Policy object. The only ALGs that cannot be used with IP policies in any version of NetDefendOS are the SIP and H323 ALGs.
  • Page 428 Microsoft Bing™ or Yahoo™ search engines are performed using the SafeSearch feature of the engine in the Strict mode. Other search engines must be explicitly blocked, for example, by using the NetDefendOS application control feature. Enforcing SafeSearch is not possible for HTTPS because the URL is encrypted using SSL. For this reason, HTTP must also be enforced for SafeSearch enforcement to work.
  • Page 429 The filetypes marked in the list will be dropped as downloads. To make sure that this is not circumvented by renaming a file, NetDefendOS looks at the file's contents (in a way similar to MIME checking) to confirm the file is what it claims to be.
  • Page 430 Service object is set for HTTP or HTTPS. This property is disabled by default which means that any connection using a protocol that NetDefendOS does not recognize as HTTP or HTTPS will be dropped. This setting can be enabled to allow these connections with a protocol that is not recognizable as HTTP.
  • Page 431: HTTP ALG Processing Order

    Chapter 6: Security Mechanisms on the blacklist. Figure 6.2. HTTP ALG Processing Order Using Wildcards in White and Blacklists Entries made in the white and blacklists can make use of wildcarding to have a single entry be equivalent to a large number of possible URLs. The wildcard character "*" can be used to represent any sequence of characters.
  • Page 432: The Light Weight HTTP ALG

    • Gives higher throughput performance than the standard HTTP ALG. • Consumes much less memory than the standard HTTP ALG. This allows NetDefendOS to support a much greater number of concurrent connections. • Can perform certain functions that the standard HTTP ALG cannot perform. These are listed next.
  • Page 433: Using The Light Weight HTTP ALG

    *Firefox/* When a User-Agent is blocked, NetDefendOS sends a predefined web page to the client's browser to alert them that this has happened. This page is not editable by the administrator at this time. Note: Specifying no filters means all agents will be allowed If no User Agent Filter objects are added to an LW-HTTP ALG object then all User-Agents will be allowed.
  • Page 434 Chapter 6: Security Mechanisms It is assumed that a single NAT IP rule is already configured which allows traffic from the internal network to the Internet. This rule is called int_to_ext_http Command-Line Interface First, create an LW-HTTP ALG object: gw-world:/> add ALG ALG_LWHTTP my_lw_http_alg AllowProtocolUpgrade=Yes UserAgentFilterMode=AllowSelected Change the CLI context to be the new ALG:...
  • Page 435: The FTP ALG

    Chapter 6: Security Mechanisms Select: my_lw_http_alg Select User-Agent Filter Select Add and enter the following to allow Firefox: • User-Agent: *Firefox/* • Click OK Select Add and enter the following to allow Chrome: • User-Agent: *Chrome/* • Click OK Click OK Now, create a service object and associate it with this new ALG: Go to: Local Objects >...
  • Page 436 When passive mode is used, the firewall does not need to allow connections from the FTP server. On the other hand, NetDefendOS still does not know what port the FTP client will try to use for the data channel. This means that it has to allow traffic from all ports on the FTP client to all ports on the FTP server.
  • Page 437: FTP ALG Hybrid Mode

    If this is enabled, FTP clients are allowed to use both passive and active transfer modes. With this option disabled, the client is limited to using passive mode. If the FTP server requires active mode, the NetDefendOS FTP ALG will handle the conversion automatically to active mode.
  • Page 438 The FTP protocol consists of a set of standard commands that are sent between server and client. If the NetDefendOS FTP ALG sees a command it does not recognize then the command is blocked. This blocking must be explicitly lifted and the options for lifting blocking are: •...
  • Page 439 If selected in blocking mode, specified filetypes are dropped when downloaded. If selected in allow mode, only the specified filetypes are allowed as downloads. NetDefendOS also performs a check to make sure the filetype matches the contents of the file. New filetypes can be added to the predefined list of types.
  • Page 440: Protecting An FTP Server With An ALG

    The administrator configures the network range to include the local hosts of the network. If a local client tries to upload a virus infected file to an FTP server, NetDefendOS notices that the client belongs to the local network and will therefore upload blocking instructions to the local switches.
  • Page 441 Chapter 6: Security Mechanisms The FTP ALG restrictions will be set as follows: • Enable the Allow client to use active mode FTP ALG option so clients can use both active and passive modes. • Disable the Allow server to use passive mode FTP ALG option. This is more secure for the server as it will never receive passive mode data.
  • Page 442 Name=Allow-ftp Web Interface A. Define the ALG: (The ALG ftp-inbound is already predefined by NetDefendOS but in this example we will show how it can be created from scratch.) Go to: Objects > ALG > Add > FTP ALG Enter Name: ftp-inbound...
  • Page 443 Chapter 6: Security Mechanisms Now enter: • Name: SAT-ftp-inbound • Action: SAT • Service: ftp-inbound-service For Address Filter enter: • Source Interface: any • Destination Interface: core • Source Network: all-nets • Destination Network: wan_ip (assuming the external interface has been defined as this) For SAT check Translate the Destination IP Address Enter To: New IP Address: ftp-internal...
  • Page 444: Protecting FTP Clients

    Chapter 6: Security Mechanisms • Action: Allow • Service: ftp-inbound-service For Address Filter enter: • Source Interface: any • Destination Interface: core • Source Network: all-nets • Destination Network: wan_ip Click OK Example 6.4. Protecting FTP Clients This example shows how to protect an FTP client behind a NetDefend Firewall that is connecting to FTP servers on the Internet.
  • Page 445 Name=NAT-ftp-outbound Web Interface A. Create the FTP ALG: (The ALG ftp-outbound is already predefined by NetDefendOS but in this example we will show how it can be created from scratch.) Go to: Objects > ALG > Add > FTP ALG...
  • Page 446 Chapter 6: Security Mechanisms Go to: Objects > Services > Add > TCP/UDP Service Now enter: • Name: ftp-outbound-service • Type: select TCP from the dropdown list • Destination: 21 (the port the ftp server resides on) • ALG: ftp-outbound Click OK C.
  • Page 447: The TFTP ALG

    TFTP is recognized as being an inherently insecure protocol and its usage is often confined to internal networks. The NetDefendOS ALG provides an extra layer of security to TFTP in being able to put restrictions on its use.
  • Page 448: The SMTP ALG

    (".."). Allowing Request Timeouts The NetDefendOS TFTP ALG blocks the repetition of a TFTP request coming from the same source IP address and port within a fixed period of time. The reason for this is that some TFTP clients might issue requests from the same source port without allowing an appropriate timeout period.
  • Page 449: SMTP ALG Usage

    Enable Syn Flood Protection if traffic is coming from the Internet. Having this disabled will use less NetDefendOS resources but disable it only where a denial-of-service attack is unlikely. This is now a copy of the predefined Service object called smtp-in. If Syn Flood Protection is...
  • Page 450 Chapter 6: Security Mechanisms disabled, it is a copy of the predefined Service object called smtp. Predefined Service objects could be used but this is not recommended. • Associate the new SMTP ALG object with the newly created Service object. •...
  • Page 451 • Anti-Virus scanning The NetDefendOS Anti-Virus subsystem can scan email attachments searching for malicious code. Suspect files can be dropped or just logged. This feature is common to a number of ALGs and is described fully in Section 6.5, “Anti-Virus Scanning”.
  • Page 452: SMTP ALG Processing Order

    SMTP Pipelining extension. Another common extension is Chunking which is defined in RFC 3030. The NetDefendOS SMTP ALG does not support all ESMTP extensions including Pipelining and Chunking. The ALG therefore removes any unsupported extensions from the supported extension list that is returned to the client by an SMTP server behind the NetDefend Firewall.
  • Page 453: SMTP ALG Setup

    Chapter 6: Security Mechanisms capa=PIPELINING To indicate that the pipelining extension was removed from the SMTP server reply to an EHLO client command. Although ESMTP extensions may be removed by the ALG and related log messages generated, this does not mean that any emails are dropped. Email transfers will take place as usual but without making use of unsupported extensions removed by the ALG.
  • Page 454 Chapter 6: Security Mechanisms Command-Line Interface A. Create an SMTP ALG object: gw-world:/> add ALG ALG_SMTP smtp_inbound_alg VerifySenderEmail=Yes FileListType=Block File=exe,msi VerifyContentMimetype=Yes Antivirus=Protect DNSBL=Yes DNSBlackLists={zen.spamhaus.org;5},{dnsbl.dronebl.org;3} Also in this ALG, blacklist all mails sent from the example.com domain: gw-world:/> cc ALG ALG_SMTP smtp_inbound_alg gw-world:/smtp_inbound_alg>...
  • Page 455 Chapter 6: Security Mechanisms A. Create an SMTP ALG object: Go to: Objects > ALG > Add > SMTP ALG Under General enter: • Name: SMTP_inbound_alg Under File Integrity enter: • Select exe and msi for blocked file types • Enable the option Block file with extension that does not match MIME type Under Anti-Virus enter: •...
  • Page 456 Click OK 6.2.6.1. ZoneDefense with the SMTP ALG ZoneDefense is a feature that allows NetDefendOS to block hosts and networks by sending management commands to certain types of external network switches. SMTP is used for both mail clients that want to send emails as well as mail servers that relay emails to other mail servers.
  • Page 457: The POP3 ALG

    POP3 protocol. The clients initiate the transfer with POP3, sending a request to the mail server for the download of emails also using POP3. As the emails traverse the firewall, the NetDefendOS POP3 ALG examines the data and can block or allow them according to the behavior specified in the ALG configuration object.
  • Page 458: POP3 ALG Usage

    Figure 6.6. POP3 ALG Usage In this scenario, the SMTP traffic arriving at the mail server on the DMZ also traverses the firewall and this traffic can be examined using the NetDefendOS SMTP ALG. This is discussed further in Section 6.2.6, “The SMTP ALG”.
  • Page 459: POP3 ALG Setup

    ALGs and is described fully in Section 6.5, “Anti-Virus Scanning”. Virus scanning by the POP3 ALG is redundant if scanning is already performed on mail traffic before it reaches the mail server. This scanning could be done by the NetDefendOS SMTP ALG.
  • Page 460 Chapter 6: Security Mechanisms • Scan all allowed attachments for viruses. Command-Line Interface A. Create a POP3 ALG object: gw-world:/> add ALG ALG_POP3 pop3_client_alg HideUser=Yes FileListType=Block File=exe,msi VerifyContentMimetype=Yes Antivirus=Protect B. Create a new Service object for POP3: gw-world:/> add Service ServiceTCPUDP pop3_client_service Type=TCP DestinationPorts=110 ALG=pop3_client_alg...
  • Page 461: The PPTP ALG

    Chapter 6: Security Mechanisms Go to: Objects > Services > Add > TCP/UDP Service Now enter: • Name: pop3_client_service • Type: TCP • Destination: 110 • ALG: pop3_client_alg Click OK C. Create an IP Rule for email traffic from the mail server: Go to: Policies >...
  • Page 462: PPTP ALG Usage

    Chapter 6: Security Mechanisms Figure 6.7. PPTP ALG Usage The PPTP ALG solves this problem. By using the ALG, the traffic from all the clients can be multiplexed through a single PPTP tunnel between the firewall and the server. PPTP ALG Setup Setting up the PPTP ALG is similar to the setup of other ALG types.
  • Page 463: The SIP ALG

    Unfortunately, some third party SIP equipment may use techniques that lie outside RFC 3261 and it may not be possible to configure the equipment to disable these. For this reason, such equipment may not be able to operate successfully with the NetDefendOS SIP ALG.
  • Page 464 Chapter 6: Security Mechanisms NetDefendOS Supports Three Scenarios Before continuing to describe SIP in more depth, it is important to understand that NetDefendOS supports SIP usage in three distinct scenarios: • Protecting Local Clients In this scenario, the proxy is located somewhere on the public Internet.
  • Page 465 ALG object is not used. Instead, a VoIP Profile object is first created and the IP Policy object must then refer to this. In NetDefendOS version 11.03 and later, a predefined SIP ALG is not present in the default configuration and therefore a new SIP ALG object must always be created when using an IP Rule object with SIP.
  • Page 466 Disabled. The SIP Proxy Record-Route Option To understand how to set up SIP scenarios with NetDefendOS, it is important to first understand the SIP proxy Record-Route option. SIP proxies have the Record-Route option either enabled or disabled. When it is switched on, a proxy is known as a Stateful proxy. When Record-Route is enabled, a proxy is saying it will be the intermediary for all SIP signaling that takes place between two clients.
  • Page 467 SIP Usage Scenarios NetDefendOS supports a variety of SIP usage scenarios. The following three scenarios cover nearly all possible types of usage. The example setups are described using IP Rule objects but these could easily be IP Policy objects instead.
  • Page 468 Chapter 6: Security Mechanisms located on the same local network as well as clients on the external, unprotected side. Communication can take place across the public Internet or between clients on the local network. • Scenario 3 Protecting proxy and local clients - Proxy on a DMZ interface The SIP session is between a client on the local, protected side of the NetDefend Firewall and a client which is on the external, unprotected side.
  • Page 469 Chapter 6: Security Mechanisms should not be used. The NetDefendOS SIP ALG will take care of all NAT traversal issues in a SIP scenario. The setup steps for this scenario are as follows: Define a SIP ALG object using the options described above.
  • Page 470: SIP With Local Clients/Internet Proxy Using IP Rules

    Chapter 6: Security Mechanisms The advantage of using Record-Route is clear since now the destination network for outgoing traffic and the source network for incoming traffic have to include all IP addresses that are possible. Note: Tables omit the Service object In this section, tables which list IP rules/policies like those above, will omit the Service object associated with the rule.
  • Page 471: SIP With Local Clients/Internet Proxy Using IP Policies

    Chapter 6: Security Mechanisms D. Define the IP rule for outgoing SIP traffic: Go to: Rules > IP Rule Set > main > Add > IP Rule Now enter: • Name: sip_nat • Action: NAT • Source Interface: if1 • Source Network: if1_net •...
  • Page 472 Chapter 6: Security Mechanisms • if1_net: 192.168.1.0/24 (the internal network) • proxy_ip: 81.100.55.2 (the SIP proxy) • ip_wan: 81.100.55.1 (the NetDefend Firewall's public IPv4 address) B. Define a VoIP Profile object: Go to: Policies > Firewalling > VoIP > Add > VoIP Profile Specify a name for the profile, in this case my_sip_profile Click OK C.
  • Page 473 Chapter 6: Security Mechanisms Click OK E. Define the IP Policy for incoming SIP traffic: Go to: Rules > IP Rule Set > main > Add > IP Policy Now enter: • Name: sip_allow • Action: Allow • Source Interface: ext •...
  • Page 474 A SAT rule for redirecting inbound SIP traffic to the private IPv4 address of the NATed local proxy. This rule will have core as the destination interface (in other words, NetDefendOS itself) since inbound traffic will be sent to the private IPv4 address of the SIP proxy.
  • Page 475 Chapter 6: Security Mechanisms Action Src Interface Src Network Dest Interface Dest Network OutboundFrom Allow lannet all-nets Proxy&Clients (ip_proxy) InboundTo Allow all-nets lannet Proxy&Clients (ip_proxy) If Record-Route is enabled then the networks in the above can be further restricted by using "(ip_proxy)", as indicated.
  • Page 476 Chapter 6: Security Mechanisms The exchanges illustrated in the above diagram are as follows: • 1,2 - An initial INVITE is sent to the outbound local proxy server on the DMZ. • 3,4 - The proxy server sends the SIP messages towards the destination on the Internet. •...
  • Page 477 DMZ. This rule/policy has core as the destination interface (in other words, NetDefendOS itself). When an incoming call is received, NetDefendOS uses the registration information of the local receiver to automatically locate this receiver, perform address translation and forward SIP messages to the receiver. This will be done based on the internal state of the SIP ALG.
  • Page 478 Chapter 6: Security Mechanisms Solution B - Without NAT The setup steps are as follows: Define a single SIP ALG object using the options described above. Define a Service object which is associated with the SIP ALG object. The service should have: •...
  • Page 479: The H.323 ALG

    Chapter 6: Security Mechanisms 6.2.10. The H.323 ALG Overview H.323 is a standard approved by the International Telecommunication Union (ITU) to allow compatibility in video conference transmissions over IP networks. It is used for real-time audio, video and data communication over packet-based networks such as the Internet. It specifies the components, protocols and procedures for providing such multimedia communication, including Internet phone and voice-over-IP (VoIP).
  • Page 480 IP Rule objects that control H.323 traffic flow. In NetDefendOS version 11.03 and later, a predefined H.323 ALG is not present in the default configuration and therefore a new H.323 ALG object must always be created when using an IP Rule object with H.323.
  • Page 481 IP Policy, it should be checked that the Protocol property of the Service is set to H.323. This is automatically true for the default configuration of NetDefendOS 11.03 or later but not true for upgrades from versions prior to 11.03.
  • Page 482: Protecting Internal H.323 Phones Using IP Rules

    Chapter 6: Security Mechanisms Example 6.9. Protecting Internal H.323 Phones Using IP Rules In this example, an internal H.323 phone is situated on lannet and has a public IP address. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure IP Rule objects.
  • Page 483: Protecting Internal H.323 Phones Using IP Policy Objects

    Chapter 6: Security Mechanisms Go to: Policies > Firewalling > Main IP Rules > Add > IP Rule Now enter: • Name: H323AllowOut • Action: Allow • Source Interface: lan • Source Network: lannet • Destination Interface: any • Destination Network: all-nets •...
  • Page 484 Chapter 6: Security Mechanisms Create a new VoIP Profile object: Go to: Policies > Firewalling > VoIP > Add > VoIP Profile Specify a name for the profile, in this case my_h323_profile Click OK Create a custom Service object for H.323: Go to: Objects >...
  • Page 485: H.323 With A Private Address Using IP Rules

    Chapter 6: Security Mechanisms • Source Interface: any • Source Network: all-nets • Destination Interface: lan • Destination Network: lannet • Service: my_h323_policy_service • Comment: Allow incoming H.323 calls. Select the VoIP tab, enable VoIP and select my_h323_profile Click OK Note: Further IP Policy examples will not be given For brevity, the other setup examples in this section will use only IP Rule objects.
  • Page 486 Chapter 6: Security Mechanisms • Type: TCP • ALG: my_h323_alg • Destination port: 1720 Click OK Create the outgoing IP rule: Go to: Policies > Firewalling > Main IP Rules > Add > IP Rule Now enter: • Name: H323Out •...
  • Page 487: Phones Behind Different NetDefend Firewalls Using IP Rules

    Chapter 6: Security Mechanisms Go to: Policies > Firewalling > Main IP Rules > Add > IP Rule Now enter: • Name: H323In • Action: Allow • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: wan_ip (external IP of the firewall) •...
  • Page 488 Chapter 6: Security Mechanisms Go to: Objects > ALG > Add > H.323 ALG Specify a name for the ALG, in this case my_h323_alg Click OK Create a custom Service object for H.323: Go to: Objects > Services > Add > TCP/UDP Now enter: •...
  • Page 489: Using Private IPv4 Addresses

    Chapter 6: Security Mechanisms • Destination Interface: lan • Destination Network: lannet • Service: my_h323_service • Comment: Allow incoming H.323 calls. Click OK Example 6.13. Using Private IPv4 Addresses This scenario consists of two H.323 phones, each one connected behind the NetDefend Firewall on a network with private IPv4 addresses.
  • Page 490 Chapter 6: Security Mechanisms • Action: NAT • Source Interface: lan • Source Network: lannet • Destination Interface: any • Destination Network: all-nets • Service: my_h323_service • Comment: Allow outgoing H.323 calls. Click OK Create the incoming traffic SAT IP rules: Go to: Policies >...
  • Page 491: H.323 With Gatekeeper

    Chapter 6: Security Mechanisms • Service: my_h323_service • Comment: Allow incoming calls to H.323 phone at ip-phone. Click OK To place a call to the phone behind the NetDefend Firewall, place a call to the external IP address on the firewall. If multiple H.323 phones are placed behind the firewall, one SAT rule has to be configured for each phone.
  • Page 492 Chapter 6: Security Mechanisms • Name: my_h323_gatekeeper_service • Type: UDP • ALG: my_h323_alg • Destination port: 1719 Click OK Create the SAT IP rules for incoming gatekeeper traffic: Go to: Policies > Firewalling > Main IP Rules > Add > IP Rule Now enter: •...
  • Page 493: H.323 With Gatekeeper And Two NetDefend Firewalls

    Click OK Note: Outgoing calls do not need a specific rule/policy There is no need to specify a specific rule/policy for outgoing calls. NetDefendOS monitors the communication between "external" phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper.
  • Page 494 Chapter 6: Security Mechanisms Web Interface Create a new H.323 ALG object: Go to: Objects > ALG > Add > H.323 ALG Specify a name for the ALG, in this case my_h323_alg Click OK Create a custom Service object for the H.323 gatekeeper: Go to: Objects >...
  • Page 495: Using H.323 In An Enterprise Environment

    Click OK Note: Outgoing calls do not need a specific rule/policy There is no need to specify a specific rule/policy for outgoing calls. NetDefendOS monitors the communication between "external" phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper.
  • Page 496 Chapter 6: Security Mechanisms The head office has placed an H.323 Gatekeeper in the DMZ of the corporate NetDefend Firewall. This firewall should be configured as follows: Web Interface Create a new H.323 ALG object: Go to: Objects > ALG > Add > H.323 ALG Specify a name for the ALG, in this case my_h323_alg Click OK Create a custom Service object for the H.323 gatekeeper:...
  • Page 497 Chapter 6: Security Mechanisms Create an IP rule for traffic from lannet to gatekeeper: Go to: Policies > Firewalling > Main IP Rules > Add > IP Rule Now enter: • Name: LanToGK • Action: Allow • Source Interface: lan •...
  • Page 498: Configuring Remote Offices For H.323

    Here, the interface called vpn-hq is the VPN tunnel to the network hq-net located at headquarters. Note: This IP rule/policy should exist in both the branch and remote office NetDefendOS configurations. Web Interface Go to: Policies > Firewalling > Main IP Rules > Add > IP Rule...
  • Page 499: Allowing The H.323 Gateway To Register With The Gatekeeper

    Chapter 6: Security Mechanisms Now enter: • Name: ToGK • Action: Allow • Source Interface: lan • Source Network: lannet • Destination Interface: vpn-hq • Destination Network: hq-net • Service: my_h323_gatekeeper_service • Comment: Allow communication with the gatekeeper connected to the head office DMZ.
  • Page 500: The TLS ALG

    TLS and SSL can be regarded as equivalent. However, NetDefendOS only supports TLS and any reference to SSL in NetDefendOS documentation should be assumed to be referring to TLS. The TLS ALG can be said to provide SSL termination since it is acting as an SSL end-point.
  • Page 501: TLS Termination

    TLS can be implemented directly in the server to which clients connect. However, if the servers are protected behind a NetDefend Firewall, then NetDefendOS can take on the role of the TLS endpoint. NetDefendOS then performs TLS authentication, encryption and decryption of data to/from clients and the transfer of unencrypted data to/from servers.
  • Page 502 URLs with the http:// protocol (perhaps to refer to other pages on the same site) will not have these URLs converted to https:// by NetDefendOS. The solution to this issue is for the servers to use relative URLs instead of absolute ones.
  • Page 503: Web Content Filtering

    Inappropriate surfing habits can expose a network to many security threats as well as legal and regulatory liabilities. Productivity and Internet bandwidth can also be impaired. Filtering Mechanisms Through the HTTP ALG, NetDefendOS provides the following mechanisms for filtering out web content that is deemed inappropriate for an organization or group of users: •...
  • Page 504: Static Content Filtering

    6.3.3. Static Content Filtering URL Filtering Through the HTTP ALG, NetDefendOS can block or permit certain web pages based on configured lists of URLs which are called blacklists and whitelists. This type of filtering is also known as Static Content Filtering. The main benefit with Static Content Filtering is that it is an excellent tool to target specific web sites, and make the decision as to whether they should be blocked or allowed.
  • Page 505 Chapter 6: Security Mechanisms Static and Dynamic Filtering Order Additionally, Static Content Filtering takes place before Dynamic Content Filtering (described below), which allows the possibility of manually making exceptions from the automatic dynamic classification process. In a scenario where goods have to be purchased from a particular online store, dynamic content filtering might be set to prevent access to shopping sites by blocking the "Shopping"...
  • Page 506: URL Filtering Using IP Rules

    Chapter 6: Security Mechanisms Note: Only domains can be targeted with HTTPS Due to the encrypted nature of HTTPS, it is only possible to whitelist or blacklist at the domain level. For example, only the form *.example.com/* can be used for blacklisting or whitelisting with HTTPS.
  • Page 507: Dynamic Web Content Filtering

    Click the HTTP URL tab Now click Add and select HTTP ALG URL from the menu Select Whitelist as the Action In the URL textbox, enter www.D-Link.com/*.exe Click OK Simply continue adding specific blacklists and whitelists until the filter satisfies the needs.
  • Page 508 WCF Processing Flow When a user of a web browser requests access to a web site, NetDefendOS queries the external WCF databases in order to retrieve the category of the requested site. Access to the URL can then be allowed or denied based on the filtering policy that the administrator has put in place for that particular category.
  • Page 509: Web Content Filtering Flow

    Categorizing Pages and Not Sites NetDefendOS WCF categorizes web pages and not sites. In other words, a web site may contain particular pages that should be blocked without blocking the entire site. NetDefendOS provides blocking down to the page level so that users may still access those pages of a website that are not blocked by the filtering policy.
  • Page 510 Appendix A, Subscribing to Updates along with details of WCF behavior after subscription expiry. Setup Methods Once a WCF subscription is purchased, the feature can be configured in NetDefendOS. There are two ways of configuring WCF: •...
  • Page 511: Enabling Web Content Filtering Using IP Rules

    Chapter 6: Security Mechanisms • Allow If the external WCF database is not accessible, URLs are allowed even though they might be disallowed if the WCF databases were accessible. Example 6.21. Enabling Web Content Filtering Using IP Rules This example shows how to set up web content filtering for HTTP traffic from a protected network to all-nets.
  • Page 512 This means the content filtering feature of NetDefendOS can then be used as an analysis tool to analyze what categories of websites are being accessed by a user community and how often.
  • Page 513: Enabling Audit Mode

    For this reason, NetDefendOS supports a feature called Allow Override. With this feature enabled, the content filtering component will present a warning to the user that he is about to enter a...
  • Page 514: Reclassifying A Blocked Site

    The URL to the requested web site as well as the proposed category will then be sent to D-Link's central data warehouse for manual inspection. That inspection may result in the web site being reclassified, either according to the category proposed or to a category which is felt to be correct.
  • Page 515 Chapter 6: Security Mechanisms Click the Web Content Filtering tab Select Enabled in the Mode list In the Blocked Categories list, select Search Sites and click the >> button Check the Allow Reclassification control Click OK Then, continue setting up the service object and modifying the NAT rule as we have done in the previous examples.
  • Page 516: Enabling WCF With IP Policies

    Service objects where the Protocol property will already be correctly set. For WCF, this is the http-outbound service. With a NetDefendOS installation that is upgraded to 11.03 or later, the Protocol property will need to be explicitly set on services. For clarity, the example in this section will create a custom Service object and explicitly set the Protocol property.
  • Page 517 Chapter 6: Security Mechanisms • Destination port: 80 • Protocol: HTTP Click OK Create a Web Profile object: Go to: Policies > Firewalling > Web > Add > Web Profile Specify the Name as my_wcf_profile Enable Web Content Filtering Add Shopping to the Restricted list Click OK Modify the IP Policy to use the new service and the profile: Go to: Policies...
  • Page 518 Chapter 6: Security Mechanisms Category 3: Job Search A web site may be classified under the Job Search category if its content includes facilities to search for or submit online employment applications. This also includes resume writing and posting and interviews, as well as staff recruitment and training services. Category 4: Gambling A web site may be classified under the Gambling category if its content includes advertisement or encouragement of, or facilities allowing for the partaking of any form of gambling;...
  • Page 519 Chapter 6: Security Mechanisms Category 11: Investment Sites A web site may be classified under the Investment Sites category if its content includes information, services or facilities pertaining to personal investment. URLs in this category include contents such as brokerage services, online portfolio setup, money management forums or stock quotes.
  • Page 520 Chapter 6: Security Mechanisms bandwidth. This category also includes "Phishing" URLs, which are designed to capture secret user authentication details by pretending to be a legitimate organization. Category 20: Search Sites A web site may be classified under the Search Sites category if its main focus is providing online Internet search facilities.
  • Page 521 These HTML web pages are stored as files in NetDefendOS and these files are known as HTTP Banner Files. The administrator can customize the appearance of the HTML in these files to suit a particular installation's needs.
  • Page 522: Editing Content Filtering HTTP Banner Files

    This new object automatically contains a copy of all the files in the Default ALG Banner Files object. These new files can then be edited and uploaded back to NetDefendOS. The original Default object cannot be edited. The following example goes through the necessary steps.
  • Page 523 NetDefend Firewall. 6.3.4.6. The WCF Performance Log NetDefendOS provides an option for looking more closely at what the web content filtering subsystem is doing and this is called the WCF Performance Log. It is intended to be used by qualified support technicians but it is useful to know that it exists and how to enable it.
  • Page 524 The last snapshot sent as a log message can also be viewed on a management console using the NetDefendOS CLI command httpalg -wcf. Below is an example of the output from the command and as shown there is additional information compared with the wcf_performance_notice log event message.
  • Page 525: Enabling The WCF Performance Log

    Chapter 6: Security Mechanisms Dynamic Web Content Filter Statistics Counter Value ---------------------- --------------- Cache Size: URLs Cache Hit Rate: per second. Cache Miss Rate: per second. Request Lookups: per second. Request Queue Length: URLs. Requests In Transit: URLs. RTT per transaction: milliseconds.
  • Page 526: Email Filtering And Anti-Spam

    NetDefendOS provides two different email filtering subsystems: • IP Policy based Email Filtering for IMAP, POP3 and SMTP This is enabled directly on an IP Policy object and includes a fully comprehensive anti-spam capability.
  • Page 527 Some servers might send an error message which gives an indication which of the credentials is incorrect and this could be helpful in a security attack. Instead, NetDefendOS will send back its own general error message to the client. By default, this option is disabled.
  • Page 528 Chapter 6: Security Mechanisms disabled by default and this is the recommended setting. • Block USER/PASS Commands This blocks clients sending their credentials in plain text. SMTP Options The following options are available for SMTP traffic only: • Maximum email rate This option is available for SMTP only and is the maximum number of emails per second that will be accepted.
  • Page 529 Note that at least one DNS server must be configured in NetDefendOS for this option to work. If no DNS server is configured, this test will not be performed and its sub-score will not be added.
  • Page 530 The Malicious Link Protection filter for anti-spam allows undesirable links in email traffic to be neutralized as the email passes through NetDefendOS. It is part of anti-spam filtering and can only be enabled when anti-spam is enabled. Links within emails are evaluated by NetDefendOS using the Dynamic Web Content Filtering subsystem which is described in Section 6.3.4, “Dynamic...
  • Page 531: Email Filtering Of IMAP Traffic

    Since NetDefendOS may perform some of its spam scoring based on the email body, the initial header information displayed by the client may not yet correctly show the spam text in the subject line.
  • Page 532 Chapter 6: Security Mechanisms The additional requirements are as follows: • Enable the anti-spam function. • Whitelist all mails from example.com so they are never dropped or marked as spam. • Assign a sub-score of 5 to both domain verification and link protection •...
  • Page 533 Chapter 6: Security Mechanisms C. Create a custom Service for IMAP: Command-Line Interface gw-world:/> add Service ServiceTCPUDP my_imap_service Type=TCP DestinationPorts=143 Protocol=IMAP D. Add an IPPolicy to allow IMAP traffic and associate the profile with it: gw-world:/> add IPPolicy SourceInterface=lan SourceNetwork=lan_net DestinationInterface=dmz DestinationNetwork=dmz_net Service=my_imap_service...
  • Page 534: ALG Based Email Filtering

    6.4.2. ALG Based Email Filtering A function of the NetDefendOS SMTP ALG is basic email filtering that provides the ability to filter mail as it passes to a mail server via the SMTP protocol. Anti-spam filtering can be done based on...
  • Page 535 Chapter 6: Security Mechanisms The ALG Anti-Spam Implementation SMTP functions as a protocol for sending emails between servers. NetDefendOS applies spam filtering to emails as they pass through the NetDefend Firewall from an external remote SMTP server to a local SMTP server (from which local clients will later download their emails). Typically, the local, protected SMTP server will be set up on a DMZ network and there will usually be only one "hop"...
  • Page 536 If no receiver email address is configured for dropped emails then they are discarded by NetDefendOS. The administrator can specify that an error message is sent back to the sender address along with the TXT messages from the DNSBL servers that failed the email.
  • Page 537 Chapter 6: Security Mechanisms If a query to a DNSBL server times out then NetDefendOS will consider that the query has failed and the weight given to that server will be automatically subtracted from both the spam and drop thresholds for the scoring calculation done for that email.
  • Page 538 After this period of time has expired, a new query for a cached sender address must be sent to the DNSBL servers. The default value is 600 seconds. The address cache is emptied when NetDefendOS restarts or a reconfiguration operation is performed. For the DNSBL subsystem overall: •...
  • Page 539: DNSBL Databases

    Chapter 6: Security Mechanisms DNSBL Contexts: Name Status Spam Drop Accept ------------------------ -------- -------- -------- -------- my_smtp_alg active 34299 alt_smtp_alg inactive The -show option provides a summary of the spam filtering operation of a specific ALG. It is used below to examine activity for my_smtp_alg although in this case, the ALG object has not yet processed any emails.
  • Page 540: Anti-Spam Filtering

    When the NetDefendOS anti-spam filtering function is configured, the IP address of the email's sending server is sent to one or more DNSBL servers to find out if any DNSBL servers think the email is from a spammer or not. NetDefendOS examines the IP packet headers to do this. Figure 6.10. Anti-Spam Filtering The reply sent back by a server is either a not listed response or a listed response.
  • Page 541: Anti-Virus Scanning

    Unlike IDP, which is primarily directed at attacks against servers, anti-virus scanning is focused on downloads by clients. NetDefendOS anti-virus is designed to be a complement to the standard anti-virus scanning normally carried out locally by specialized software installed on client computers.
  • Page 542: Implementation

    HTTPS traffic cannot be scanned so this does not apply for that protocol. As well as the connection being dropped, NetDefendOS will try to insert a message into the web browser HTML of the affected user indicating the action taken (in some cases it might not be possible to do this successfully).
  • Page 543: Anti-Virus Malicious File Message

    Subscribing to the D-Link Anti-Virus Service The D-Link anti-virus feature requires the purchase of a renewable subscription in order for it to function. This includes regular updates of the Kaspersky SafeStream database during the subscription period with signatures for the latest virus threats.
  • Page 544 Auto-update Requires the Correct Time It is important that a NetDefendOS has the correct system time set so that the auto-update feature in the anti-virus module can function correctly. An incorrect time can mean the auto-updating is disabled.
  • Page 545: Anti-Virus Options

    Blocking the server's IP address would only consume blocking entries in the switches. For NetDefendOS to know which hosts and servers to block, the administrator has the ability to specify a network range that should be affected by a ZoneDefense block. All hosts and servers that are within this range will be blocked.
  • Page 546: Activating Anti-Virus Scanning

    NetDefendOS resources and noticeably slow down throughput. To prevent this situation, the administrator should specify a Compression Ratio limit. If the ratio limit is specified as 10, then the specified Action is taken whenever the uncompressed file is 10 times larger than the compressed file.
  • Page 547: Activating Anti-Virus With An IP Rule

    Chapter 6: Security Mechanisms • Directly with an IP policy. The Service object used with the policy must have the Protocol property set to a protocol that supports anti-virus scanning. Activating Anti-Virus Scanning with IP Rules IP rules are one of the means by which the anti-virus feature is deployed. IP rules specify that the ALG and its associated anti-virus scanning can apply to traffic going in a given direction and between specific source and destination IP addresses and/or networks.
  • Page 548: Activating Anti-Virus With An IP Policy

    A custom or predefined service could be used with the IP policy. Only some predefined service objects in NetDefendOS have this property already set. If this property is not set, the anti-virus controls will be disabled in the Web Interface.
  • Page 549 The Service object http is used in this example. If a configuration was upgraded from a NetDefendOS version prior to 11.01, then the http service can be used if its protocol property is set to HTTP but the predefined service http-outbound could also be used instead if it is still present.
  • Page 550: The Anti-Virus Cache

    Anti-Virus Cache Lifetime. After the lifetime expires, the entry is removed from the cache and a fresh anti-virus scan of the file is done by NetDefendOS if a new download is requested. This means that if the problem with the file is fixed between the URL entering the cache and being deleted from the cache (by default, the cache lifetime is 20 minutes) then the file will be successfully downloaded on the next attempt.
  • Page 551 URL enters the cache for the first time. The counter is zeroed after a NetDefendOS restart. It can also be zeroed by disabling the cache then re-enabling. This is done by changing the value of the setting AVCache_Lfetime to zero and then back to a positive value.
  • Page 552: Intrusion Detection And Prevention

    • IDP Rules are configured by the administrator to determine what traffic should be scanned. • Pattern Matching is applied by NetDefendOS IDP to the traffic that matches an IDP Rule as it streams through the firewall. • If NetDefendOS IDP detects an intrusion then the Action specified for the triggering IDP Rule...
  • Page 553: IDP Subscriptions

    IDP behavior after subscription expiry. Setting the Correct System Time It is important that a NetDefendOS has the correct system time set so that the auto-update feature in the IDP module can function correctly. An incorrect time can mean the auto-updating is disabled.
  • Page 554: IDP Rules

    Updating the IDP databases for both the units in an HA Cluster is performed automatically by NetDefendOS. In a cluster there is always an active unit and an inactive unit. Only the active unit in the cluster will perform regular checking for new database updates. If a new database update...
  • Page 555: IDP Signature Selection

    The initial order of packet processing with IDP is as follows: A packet arrives at the firewall and NetDefendOS performs normal verification. If the packet is part of a new connection then it is checked against the IP rule set before being passed to...
  • Page 556: Insertion/Evasion Attack Prevention

    NetDefendOS automatically corrects the data stream by removing the extraneous data associated with the attack. Insertion/Evasion Log Events The insertion/evasion attack subsystem in NetDefendOS can generate two types of log message: • An Attack Detected log message, indicating an attack has been identified and prevented.
  • Page 557: IDP Pattern Matching

    These predefined patterns, also known as signatures, are stored in a local NetDefendOS database and are used by the IDP subsystem to analyze traffic for attack patterns. Each IDP signature is designated by a unique number.
  • Page 558: IDP Signature Groups

    It is best to specify a group that relates to the traffic being searched rather than to be concerned about individual signatures. For performance purposes, the aim should be to have NetDefendOS search data using the least possible number of signatures.
  • Page 559: Setting Up IDP

    Chapter 6: Security Mechanisms application, for example MSSQL. The Sub-Category may not be necessary if the Type and Category are sufficient to specify the group, for example APP_ITUNES. Listing of IDP Groups A listing of IDP groupings can be found in Appendix B, IDP Signature Groups. The listing shows group names consisting of the Category followed by the Sub-Category, since the Type could be any of IDS, IPS or POLICY.
  • Page 560: Setting Up IDP For A Mail Server

    Section 6.8, “Blacklisting Hosts and Networks”. Any IP address that exists in the NetDefendOS whitelist cannot be blacklisted. For this reason it is recommended that the IP address of the management workstation and the NetDefend Firewall itself is added to the whitelist when using IDP.
  • Page 561 An action now needs to be defined for the rule which specifies what signatures the IDP should use when scanning data that triggers the rule and what NetDefendOS should do when a possible intrusion is detected. In this example, intrusion attempts will cause the connection to be dropped so the Action property is set to Protect.
  • Page 562: SMTP Log Receiver For IDP Events

    This email will contain a summary of IDP events that have occurred in a user-configurable period of time. When an IDP event occurs, NetDefendOS will wait for Hold Time seconds before sending the notification email. However, the email will only be sent if the number of events that occurred in this period of time is equal to, or greater than, the Log Threshold.
  • Page 563: Configuring An SMTP Log Receiver

    This results in an email being sent containing a summary of the IDP events. Several more IDP events may occur after this, but to prevent flooding the mail server, NetDefendOS will wait 600 seconds (equivalent to 10 minutes) before sending a new email.
  • Page 564: Best Practice Deployment

    After a few days running in Audit mode with satisfactory results showing in the logs, switch IDP over to Protect mode so that triggering connections are dropped by NetDefendOS. However, IDS signatures are best kept in Audit mode as they can interrupt normal traffic flows because of false positives.
  • Page 565 Chapter 6: Security Mechanisms The IDP signature database can be updated automatically and certain signatures can be dropped or updated and new signatures introduced. In some cases, it can be preferable to force the database update manually so that the effect of any changes can be observed following the update.
  • Page 566: Denial-Of-Service Attacks

    Attacks can appear out of thin air and the consequences can be devastating with crashed servers, jammed Internet connections and business critical systems overloaded. This section deals with how NetDefendOS is used to protect against these attacks. 6.7.2. DoS Attack Mechanisms A DoS attack can be perpetrated in a number of ways but there are three basic types of attack: •...
  • Page 567: Fragmentation Overlap Attacks

    65535 bytes. In addition to that, there are configurable limits for IP packet sizes in NetDefendOS's advanced settings. This type of attack will show up in NetDefendOS event logs as drops with the IP rule name set to LogOversizedPackets. The sender IP address may be spoofed.
  • Page 568: Amplification Attacks

    Web Interface by going to: System > Advanced Settings > TCP Settings > TCP URG. WinNuke attacks will usually show up in NetDefendOS logs as normal drops with the name of the IP rule that disallowed the connection attempt.
  • Page 569: TCP SYN Flood Attacks

    Fraggle packets may arrive at any UDP destination port targeted by the attacker. Tightening the inbound rule set may help. The Traffic Shaping feature built into NetDefendOS also helps absorb some of the flood before it reaches protected servers. 6.7.8. TCP SYN Flood Attacks TCP SYN flood attacks work by sending large amounts of TCP SYN packets to a given port and then not responding to SYN ACKs sent in response.
  • Page 570: Distributed DoS Attacks

    System > Advanced Settings > Length Limit Settings, the packets will not even get that far and will be dropped immediately. Jolt2 attacks may or may not show up in NetDefendOS logs. If the attacker chooses a too-high fragment offset for the attack, they will show up as drops from the rule set to "LogOversizedPackets".
  • Page 571: Blacklisting Hosts And Networks

    6.8. Blacklisting Hosts and Networks Overview NetDefendOS implements a Blacklist of host or network IP addresses which can be utilized to protect against traffic coming from specific Internet sources. Certain NetDefendOS subsystems have the ability to optionally blacklist a host or network when certain conditions are encountered.
  • Page 572: Adding A Host To The Whitelist

    It is also important to understand that although whitelisting prevents a particular source from being blacklisted, it still does not prevent NetDefendOS mechanisms such as threshold rules from dropping or denying connections from that source. What whitelisting does is prevent a source being added to a blacklist if that is the action a rule has specified.
  • Page 574: Address Translation

    • SAT, page 588 7.1. Overview The ability of NetDefendOS to change the IP address of packets as they pass through the NetDefend Firewall is known as address translation. The ability to transform one IP address to another can have many benefits. Two of the most important are: •...
  • Page 575 Chapter 7: Address Translation This section describes and provides examples of configuring NAT and SAT rules.
  • Page 576: NAT

    To maintain session state information, each connection from dynamically translated addresses uses a unique port number and IP address combination as its sender. NetDefendOS performs automatic translation of the source port number as well as the IP address. In other words, the...
  • Page 577 In such cases, the 64,500 limit for unique IP address pairs will apply. See Section 7.3, “NAT Pools” for more information about this topic. The Source IP Address Used for Translation There are three options for how NetDefendOS determines the source IP address that will be used for NAT: •...
  • Page 578: A Nat Example

    The recipient server then processes the packet and sends its response. 195.55.66.77:80 => 195.11.22.33:32789 NetDefendOS receives the packet and compares it to its list of open connections. Once it finds the connection in question, it restores the original address and forwards the packet.
  • Page 579: Specifying A Nat Ip Policy

    Specifying NAT with an IP Policy A NetDefendOS IP Policy object can be used instead of an IP Rule object. An IP policy is essentially equivalent in function but makes it simpler to associate other functions with NAT such as authentication, application control and traffic shaping.
  • Page 580 Chapter 7: Address Translation The NATAction option could be left out since the default value is to use the interface address. The alternative is to specify UseSenderAddress and use the NATSenderAddress option to specify the IP address to use. The sender address will also need to be explicitly ARP published on the interface. Web Interface Go to: Policies >...
  • Page 581: Automatic Address Translation

    Automatic translation is enabled by choosing the Auto option for source address translation and this is selected by default in an IP Policy object. NetDefendOS will then decide which, if any, translation to perform by applying the rules summarized in the table below.
  • Page 582 Anonymizing Internet Traffic with NAT A useful application of the NAT feature in NetDefendOS is for anonymizing service providers to anonymize traffic between clients and servers across the public Internet so that the client's public IP address is not present in any server access requests or peer to peer traffic.
  • Page 583: Anonymizing With Nat

    Figure 7.4. Anonymizing with NAT NetDefendOS is set up with NAT rules in the IP rule set so it takes communication traffic coming from the client and NATs it back out onto the Internet. Communication with the client is with the PPTP protocol but the PPTP tunnel from the client terminates at the firewall.
  • Page 584: Nat Pools

    NetDefendOS keeps a record in memory of all such connections. Subsequent connections involving the same internal client/host will then use the same external IP address.
  • Page 585 Where an external router sends ARP queries to the NetDefend Firewall to resolve external IP addresses included in a NAT Pool, NetDefendOS will need to send the correct ARP replies for this resolution to take place through its Proxy ARP mechanism so the external router can correctly build its routing table.
  • Page 586: Using Nat Pools

    Chapter 7: Address Translation Example 7.3. Using NAT Pools This example creates a stateful NAT pool with the external IP address range 10.6.13.10 to 10.16.13.15. This is then used with a NAT IP rule for HTTP traffic on the wan interface originating from the lan_net.
  • Page 587 Chapter 7: Address Translation • IP Range: nat_pool_range Select the Proxy ARP tab and add the WAN interface Click OK C. Finally, define the NAT rule in the IP rule set: Go to: Policies > Firewalling > Main IP Rules > Add > IP Rule Under General enter: •...
  • Page 588: Sat

    However, NetDefendOS does not terminate rule set lookups after finding a matching SAT rule. Instead, the rule set search continues for a matching Allow, NAT or FwdFast rule. Only when NetDefendOS finds such a second matching rule is the SAT rule applied to the traffic.
  • Page 589 Section 7.4.7, “Using an IP Policy for SAT”. Specifying the Type of IP Address Mapping NetDefendOS recognizes the type of SAT IP address mapping using the following rules: • If the original address is a single IP address then a one-to-one mapping is always performed.
  • Page 590: One-To-One Ip Translation

    A SAT rule with an original, untranslated address of all-nets always results in an all-to-one mapping. Specifying the Type of Port Mapping If the Port property is specified for the SAT rule, NetDefendOS performs port translation in a way that is slightly different to IP address translation. It uses the following rules: •...
  • Page 591: One-To-One Ip Translation

    Chapter 7: Address Translation it could be used for other purposes and any Ethernet interface could also be used instead for a DMZ. Example 7.4. One-to-One IP Translation In this example, SAT will be used to translate and allow connections from the public Internet to a web server located in a DMZ.
  • Page 592 Note that only HTTP traffic will be translated since the service must also match for the SAT rule to trigger. The SAT rule destination interface must be core (NetDefendOS itself) because interface IPs are always routed on core. The scenario is illustrated in the diagram below.
  • Page 593: Many-To-Many Ip Translation

    IP address in the new range or network, then the second to the second, and so on. To tell NetDefendOS to perform this type of translation, the original IP address must be a range or network and the IP rule's All to One property must be disabled. The new range or network is specified using a single IP address which is the starting address for the transposition.
  • Page 594: Many-To-Many Ip Translation

    Chapter 7: Address Translation These IP rules would result in the following translations:
      Original Destination Address -> Translated Destination Address
      194.1.2.16 -> 192.168.0.50
      194.1.2.17 -> 192.168.0.51
      194.1.2.18 -> 192.168.0.52
      194.1.2.19 -> 192.168.0.53
      194.1.2.20 -> 192.168.0.54
      194.1.2.21 -> 192.168.0.55
      194.1.2.22 -> 192.168.0.56
      194.1.2.23 -> 192.168.0.57
    These translations will mean: • Attempts to communicate with 194.1.2.16 will result in a connection to 192.168.0.50.
  • Page 595 Chapter 7: Address Translation needed for every IP address:
      gw-world:/> add ARP Interface=wan IP=195.55.66.77 mode=Publish
    Repeat this for all the five public IPv4 addresses. Create a SAT rule for the translation:
      gw-world:/> add IPRule Action=SAT Service=http-all SourceInterface=any SourceNetwork=all-nets DestinationInterface=wan DestinationNetwork=wwwsrv_pub SATTranslateToIP=wwwsrv_priv_base SATTranslate=DestinationIP
    Finally, create an associated Allow Rule:...
  • Page 596: All-To-One Ip Translation

    Click OK 7.4.4. All-to-One IP Translation NetDefendOS can be used to translate a range or a network to a single IP address. Suppose that the requirement is to translate a range of destination IPv4 addresses which includes 194.1.2.16 to 194.1.2.20 plus 194.1.2.30 to the single IPv4 address 102.168.0.50. The port number will remain...
  • Page 597: All-To-One Ip Translation

    Note: An untranslated network of all-nets is always all-to-one When all-nets is specified as the original, untranslated address in a SAT rule, NetDefendOS will assume that the All-to-One property is enabled even though the administrator does not enable it explicitly.
  • Page 598 Chapter 7: Address Translation
      gw-world:/> add Address IPAddress wwwsrv_priv Address=10.10.10.5
    Publish the five public IPv4 addresses on the wan interface using ARP publish. A CLI command like the following is needed for each IP address:
      gw-world:/> add ARP Interface=wan IP=195.55.66.77 mode=Publish
    Create a SAT IP rule for the translation: gw-world:/>...
  • Page 599: Port Translation

    Chapter 7: Address Translation Go to: Policies > Firewalling > Main IP Rules > Add > IP Rule Specify a suitable name for the rule, for example Allow_HTTP_To_DMZ Now enter: • Action: Allow • Service: http-all • Source Interface: any •...
  • Page 600: Sat With Fwdfast Rules

    Chapter 7: Address Translation connection to the web server's private address - port 1084. If the Service was changed so that only the single value 80 was specified for its Port property, then the SAT rule would only trigger for port 80 and it would always be translated to the new port 1080 (a one-to-one relationship). 7.4.6.
  • Page 601: Using An Ip Policy For Sat

    Chapter 7: Address Translation • Return traffic from wwwsrv will match rules 2 and 3. The replies will therefore be dynamically address translated. This changes the source port to a different port, which is incorrect. The correct set of IP rules that will provide the desired effect is the following: # Action Src Iface Src Net Dest Iface Dest Net...
  • Page 602: Protocols Handled By Sat

    Chapter 7: Address Translation iii. Transposed - This transposes a range of port numbers to a new range using the new port number as a base for the transposition. This is for a many-to-many port translation. Example 7.7. Setting up a SAT IP Policy This example has the same aim as the example described previously but an IP Policy object will be used instead of multiple IP rules.
  • Page 603: Sat With Nat

    Chapter 7: Address Translation Generally, SAT can handle all protocols that allow address translation to take place. However, there are protocols that can only be translated in special cases, and other protocols that cannot be translated at all. Protocols that are impossible to translate using SAT are most likely also impossible to translate using NAT.
  • Page 604 The local client performs a public DNS lookup for the web server IP and then sends an HTTP request to wan_ip to reach the web server. 10.0.0.3:1038 => 203.0.113.10:80 NetDefendOS translates the address in accordance with SAT rule 1 and forwards the packet in accordance with Allow rule 2: 10.0.0.3:1038 => 10.0.0.2:80 The server at wwwsrv_ip processes the packet and replies: 10.0.0.2:80 =>...
  • Page 605 The server at wwwsrv_ip processes the traffic and replies: 10.0.0.2:80 => 10.0.0.1:32789 The reply is processed by NetDefendOS so that the translation rules are applied in the reverse order and it arrives at the client with the expected source address: 203.0.113.10:80 =>...
  • Page 606 Chapter 7: Address Translation private IPv4 address of the web server. • NAT rule 2 performs further translation of HTTP traffic arriving from internal clients so it has wan_ip as the source before forwarding it to the web server. • Allow rule 3 allows traffic from the Internet to reach the web server after it has been translated by the SAT rule.
  • Page 608: User Authentication

    Firewall, the administrator will often require that each user goes through a process of authentication before access is allowed. This chapter deals with setting up authentication for NetDefendOS but first the general issues involved in authentication will be examined. Proving Identity The aim of authentication is to have the user prove their identity so that the network administrator can allow or deny access to resources based on that identity.
  • Page 609 Chapter 8: User Authentication C. Something the user knows such as a password. Method A may require a special piece of equipment such as a biometric reader. Another problem with A is that the special attribute often cannot be replaced if it is lost. Methods B and C are therefore the most common means of identification in network security.
  • Page 610: Authentication Setup

    Section 8.2.5, “Authentication Rules” 8.2.2. Local User Databases A Local User Database is a registry internal to NetDefendOS which contains the profiles of authorized users and user groups. Username/password combinations can be entered into these, with passwords stored using reversible cryptography for security. By default, a single local user database exists called AdminUsers.
  • Page 611: Adding A User With Group Membership

    This is done by specifying one or more group names for the Group property of the User object. Only two groups are already defined in NetDefendOS and they have the group names administrators and auditors. The privileges given to these groups are described later in the section.
  • Page 612 • The administrators group Members of this group can log into NetDefendOS through the Web Interface as well as through the remote CLI interface and are allowed to edit the NetDefendOS configuration. Only one user can be logged in with administrator privileges at once (although that single administrator can be logged in with more than one simultaneous session).
  • Page 613 If the Network behind user option is specified then this is the metric that will be used with the route that is automatically added by NetDefendOS. If there are two routes which give a match for the same network then this metric decides which should be used.
  • Page 614: External Radius Servers

    To make use of this feature, the relevant SSH Client Key object or objects must first be defined separately in NetDefendOS. Client keys are found as an object type within Key Ring in the Web Interface. Definition requires the uploading of the public key file for the key pair used by the client.
  • Page 615: Configuring A Radius Server

    If the RADIUS server is required to send the group membership, it is necessary to use the user group vendor-specific attribute when configuring the server. The NetDefendOS Vendor ID is 5089 and the user group is defined as vendor-type 1 with a string value type.
  • Page 616: External Ldap Servers

    The connecting port will be 1812 (the default) and a shared secret of mysecretcode will be used for security. A retry timeout value of 2 means that NetDefendOS will resend the authentication request to the server if there is no response after 2 seconds. There will be a maximum of 3 retries.
  • Page 617 Microsoft Active Directory as the LDAP Server A Microsoft Active Directory can be configured in NetDefendOS as an LDAP server. There is one option in the NetDefendOS LDAP server setup which has special consideration with Active Directory and that is the Name Attribute.
  • Page 618 The Name Attribute is the ID of the data field on the LDAP server that contains the username. The NetDefendOS default value for this is uid which is correct for most UNIX based servers. If using Microsoft Active Directory this should be set to SAMAccountName (which is NOT case sensitive).
  • Page 619 The Membership Attribute defines which groups a user is a member of. This is similar to the way a user belongs to either the admin or audit database group in NetDefendOS. This is another tuple defined by the server's database schema and the default ID is MemberOf.
  • Page 620 • Routing Table The NetDefendOS routing table where route lookup will be done to resolve the server's IP address into a route. The default is the main routing table. Database Settings The Database Settings are as follows: •...
  • Page 621 LDAP server referrals should not occur with bind request authentication but if they do, the server sending the referral will be regarded as not having responded. LDAP Server Responses When an LDAP server is queried by NetDefendOS with a user authentication request, the following are the possible outcomes: •...
  • Page 622 The CLI objects that correspond to LDAP servers used for authentication are called LDAPDatabase objects (LDAP servers used for certificate lookup are known as LDAPServer objects in the CLI). A specific LDAP server that is defined in NetDefendOS for authentication can be shown with the command: gw-world:/> show LDAPDatabase <object_name>...
  • Page 623: Normal Ldap Authentication

    NetDefendOS by the client. NetDefendOS cannot just forward this digest to the LDAP server since this will not be understood. The solution is for NetDefendOS to obtain the password in plain-text from the LDAP server, create a digest itself, and then compare the created digest with the digest from the client.
  • Page 624: Authentication Rules

    NetDefend Firewall is to be prompted for a username/password login sequence. Authentication Rules are set up in a similar way to other NetDefendOS security policies, and that is by specifying which traffic is to be subject to the rule. They differ from other policies in that the connection's destination network/interface is not of interest but only the source network/interface of the client being authenticated.
  • Page 625 Any Disallow rules are best located at the end of the authentication rule set. Local - A local user database defined within NetDefendOS is used for looking up user credentials. Allow - With this option, all connections that trigger this rule will be authenticated automatically.
  • Page 626: Authentication Processing

    A user creates a new connection to the NetDefend Firewall. NetDefendOS sees the new user connection on an interface and checks the Authentication rule set to see if there is a matching rule for traffic on this interface, coming from this network and data which is one of the following types: •...
  • Page 627: Http Authentication

    If no rule matches, the connection is allowed, provided the IP rule set permits it, and nothing further happens in the authentication process. Based on the settings of the first matching authentication rule, NetDefendOS may prompt the user with an authentication request which requires a username/password pair to be entered.
  • Page 628 • If the Agent is set to HTTPS then the Host Certificate and Root Certificate(s) have to be chosen from a list of certificates already loaded into NetDefendOS. Certificate chaining is supported for the root certificate. IP Rules are Needed HTTP authentication cannot operate unless a rule is added to the IP rule set to explicitly allow authentication to take place.
  • Page 629: User Authentication Setup For Web Access

    The SAT rule catches all unauthenticated requests and must be set up with an all-to-one address mapping that directs them to the address 127.0.0.1 which corresponds to core (NetDefendOS itself). Example 8.4. User Authentication Setup for Web Access The configuration below shows how to enable HTTP user authentication for the user group lan_group on lannet.
  • Page 630: Brute Force Protection

    By default, NetDefendOS applies brute force protection to any authentication which involves the validation of username/password credentials against a local user database (a database defined within NetDefendOS and not an external database). This means that a management login via the Web Interface or SSH is also protected by this feature.
  • Page 631 When a certain number of initial username/password validation attempts fail, NetDefendOS will add the user to a "blocked user list" and they will remain on the list until a NetDefendOS reconfigure or restart. A user on this list has an integer property called Blocked remaining which is a decrementing number of seconds.
  • Page 632 Interface by going to Status > Run-time Information > User Authentication Status. • Log Event Messages NetDefendOS generates a log event message whenever the brute force protection mechanism places a username on the block list. The following is a typical message: SYSTEM prio=Notice id=03200802 rev=1 event=user_blocked database=AdminUsers username=admin blockedremaining=10s blockedsince="2016-06-10 09:42:12"...
  • Page 633: Arp Authentication

    NetDefendOS sends the MAC address of the connecting client to a RADIUS or LDAP server which looks the address up in its database and tells NetDefendOS if the client is authenticated or not. (Using a local database with ARP authentication is not supported.) ARP authentication can be configured in one of two ways: •...
  • Page 634 The MAC address is entered as a text string in the database of the authenticating server. This text string must follow the format sent by NetDefendOS and this is a series of six hexadecimal two character lower-case values separated by a hyphen ("-") character. For example:...
  • Page 635: Customizing Authentication Html

    HTTP Banner Files The web page files, also referred to as HTTP banner files, are stored within NetDefendOS and already exist by default at initial NetDefendOS startup. These files can be customized to suit a particular installation's needs either by direct editing in Web Interface or by downloading and re-uploading through an SCP client.
  • Page 636: Editing Content Filtering Http Banner Files

    Chapter 8: User Authentication HTML Page Parameters The HTML pages for WebAuth can contain a number of parameters which are used as needed. These are: • %CHALLENGE_MESSAGE% - The question text asked. • %IPADDR% - The IP address which is being browsed from. •...
  • Page 637 Chapter 8: User Authentication Go to: System > Advanced Settings > HTTP Banner files > Add > ALG Banner Files Enter a name such as new_forbidden and press OK The dialog for the new set of ALG banner files will appear Click the Edit &...
  • Page 638 Chapter 8: User Authentication set UserAuthRule my_auth_rule HTTPBanners=ua_html As usual, use the activate followed by the commit CLI commands to activate the changes on the NetDefend Firewall.
  • Page 639: Policies Requiring Authentication

    Chapter 8: User Authentication 8.5. Policies Requiring Authentication Once a user is authenticated to NetDefendOS, it is then possible to create security policies in the form of IP rules or IP policies which demand that a user is authenticated before they can access certain resources.
  • Page 640 Chapter 8: User Authentication Web Interface Create the IP4Address object that specifies the IP range of connecting clients with the authentication group client_group: Go to: Objects > Address Book > Add > IP4 Address Now enter: • Name: client_net • IP Address: 192.168.10.10-192.168.10.255 •...
  • Page 641: User Identity Awareness

    The user is authenticated against a Windows Active Directory server. • The D-Link Identity Awareness Agent (IDA) is running on at least one server in the domain. This software listens for successful client authentications. When a client is authenticated, the agent sends the following to the configured NetDefend Firewall: The user name.
  • Page 642: Enabling User Identity Awareness

    Awareness Agent. However, the default key is the same across all NetDefendOS systems and should be used for testing purposes only. An IP rule or IP policy is not needed in NetDefendOS to allow the traffic coming from the agent.
  • Page 643 It is also assumed that the D-Link Authentication Agent software has already been installed on a single external Windows domain server and is configured with the IPv4 address defined by the address book object aa_server_ip and the pre-shared key defined by the aa_server_key PSK object.
  • Page 644 Controller, it must be installed using an account that has Domain Controller administrator privileges and not a local system account. The agent is not included with NetDefendOS release packets but is provided as a download from the D-Link website. It can be installed on any of the following Windows server products:...
  • Page 645 Important: The Windows Server event IDs must be correct The D-Link IDA software will only listen for certain event IDs so the Windows Server should be configured so that the correct IDs are generated. The IDs that the IDA listens...
  • Page 646: The Event Monitoring Tab In The Ida Interface

    IDA installation. More than one IDA installation can monitor the same domain server and more than one IDA installation can send the same authentication event to NetDefendOS (duplicate received IDA events are recognized by NetDefendOS and ignored).
  • Page 647: The Security Tab In The Ida Interface

    In this tab, it is possible to set up an exclusion list for the IDA so that users on the list will not have their authentication status sent back to NetDefendOS by the IDA service. The full User Principal Name (UPN) must be used to specify excluded users, for example: myusername@mydomainname.local...
  • Page 648: The Excluded Users Tab In The Ida Interface

    The purpose of the IDA service is to send details of authentication events to NetDefendOS. This communication is one way and the IDA service is not aware of the authentications being carried out by NetDefendOS and does not display this information in its interface.
  • Page 649 The administrator can ask NetDefendOS to show details of identity awareness activity. In the Web Interface, the administrator can go to Status > Run-time Information > Authentication Agents to see that the IDA service is connected to NetDefendOS. In the CLI, the same can be achieved with the command: gw-world:/>...
  • Page 650: Multi Factor Authentication

    The RADIUS server verifies the code. If the user is authenticated then an Access-Accept is sent back to NetDefendOS and the client is given access to protected resources. If it is not verified, the server sends back an Access-Reject message to NetDefendOS and access is denied.
  • Page 651 Some points to note about setting up multi factor authentication with NetDefendOS are the following: • The same NetDefendOS setup is used if the challenge code is generated by a local code generating device such as the RSA SecureID™ product or if a RADIUS server causes it to be sent to the user.
  • Page 652: Radius Relay

    To gain access to the resources behind the NetDefend Firewall, the UE must authenticate itself via the AP using a RADIUS server. A RADIUS authentication request is sent to NetDefendOS by the AP which relays it to a RADIUS server. The server's reply is relayed back to the AP and authenticated users are entered into the NetDefendOS user list so that they can then be granted access to resources based on NetDefendOS security policies.
  • Page 653 Important: Enable the DHCP server LeasesRequireAuth option If RADIUS relay is being used in a NetDefendOS configuration, all DHCP servers must be configured to only distribute leases to configured clients. This is done by enabling the LeasesRequireAuth property in the CLI and in the Web Interface, enabling the option Distribute leases only to RADIUS relay authenticated clients.
  • Page 654 Chapter 8: User Authentication By default, a user is authenticated using the same interface that is used for forwarding data traffic and that is the value set for the Source Interface property above. This can pose a security risk and it is recommended to use different interfaces for these two functions. The Override User Data Interface property is set to the interface used only for data.
  • Page 655: Radius Relay

    If2 interface. The following assumptions are made: • Two VLANs are already configured and these NetDefendOS objects are called vlan_auth for client authentication traffic and vlan_data for data traffic flowing to the backbone. •...
  • Page 656 Chapter 8: User Authentication
      gw-world:/> add Address IP4Address client_net Address=192.168.10.10-192.168.10.255 UserAuthGroups=ue_group
    B. Create the IP4Address object that defines the IP address pool for the DHCP server. This must be a different object although it uses the same IP range:
      gw-world:/> add Address IP4Address client_ip_range Address=192.168.10.10-192.168.10.255
    C.
  • Page 657 Chapter 8: User Authentication Go to: Objects > Address Book > Add > IP4 Address Now enter: • Name: client_ip_range • IP Address: 192.168.10.10-192.168.10.255 Click OK C. Create the DHCPServer object that hands out these addresses: Go to: Network > Network Services > DHCP Servers > Add > DHCPServer Now enter: •...
  • Page 658 When configuring the external RADIUS server to provide group information for the logged in user to NetDefendOS, it is necessary to use the user group vendor specific attribute. The NetDefendOS Vendor ID is 5089 and the user group is defined as...
  • Page 659: Radius Accounting

    With the RFC 2866 standard, RADIUS was extended to handle the delivery of accounting information and this is the standard followed by NetDefendOS for user accounting. In this way, all the benefits of centralized servers are thus extended to user connection accounting.
  • Page 660 Chapter 8: User Authentication Parameters included in START messages sent by NetDefendOS are: • Type - Marks this AccountingRequest as signaling the beginning of the service (START). • ID - A unique random 7 character string identifier to enable matching of an AccountingRequest with Acct-Status-Type set to STOP.
  • Page 661: Interim Accounting Messages

    Message Frequency The frequency of interim accounting messages can be specified either on the authentication server or in NetDefendOS. Switching on the setting in NetDefendOS will override the setting on the accounting server. 8.9.4. Configuring RADIUS Accounting In order to activate RADIUS accounting a number of steps must be followed: •...
  • Page 662: Radius Accounting Server Setup

    Manual, a specific source IP address can be used for traffic sent to the server. If the source IP address is specified, the administrator must also manually configure NetDefendOS to ARP publish the IP address on the sending interface. Doing this is described in Section 3.5.3, “ARP Publish”.
  • Page 663: Radius Accounting Security

    It can happen that a RADIUS client sends an AccountingRequest START packet which a RADIUS server never replies to. If this happens, NetDefendOS will re-send the request after the user-specified number of seconds. This will mean, however, that a user will still have authenticated access while NetDefendOS is trying to contact the accounting server.
  • Page 664: Accounting And System Shutdowns

    Chapter 8: User Authentication Only after NetDefendOS has made three attempts to reach the server will it conclude that the accounting server is unreachable. The administrator can use the NetDefendOS advanced setting Allow on error to determine how this situation is handled.
  • Page 665 Chapter 8: User Authentication Default: Enabled Maximum Radius Contexts The maximum number of contexts allowed with RADIUS. This applies to RADIUS use with both accounting and authentication. Default: 1024...
  • Page 667: Vpn

    Chapter 9: VPN This chapter describes the Virtual Private Network (VPN) functionality in NetDefendOS. • Overview, page 667 • VPN Quick Start, page 671 • IPsec Components, page 683 • IPsec Tunnels, page 701 • PPTP/L2TP, page 729 • L2TP Version 3, page 741 •...
  • Page 668: Vpn Encryption

    Chapter 9: VPN Client to LAN connection - Where many remote clients need to connect to an internal network over the Internet. In this case, the internal network is protected by the NetDefend Firewall to which the client connects and the VPN tunnel is set up between them. 9.1.2.
  • Page 669: Vpn Planning

    In instances where the firewall features an integrated VPN feature, it is usually possible to dictate the types of communication permitted and NetDefendOS VPN has this feature. 9.1.4. Key Distribution Key distribution schemes are best planned in advance. Issues that need to be addressed include:...
  • Page 670: The Tls Alternative For Vpn

    Chapter 9: VPN • How will keys be distributed? Email is not a good solution. Phone conversations might be secure enough. • How many different keys should be used? One key per user? One per group of users? One per LAN-to-LAN connection? One key for all users and one key for all LAN-to-LAN connections? It is probably better to use more keys than is necessary today since it will be easier to adjust access per user (group) in the future.
  • Page 671: Vpn Quick Start

    • A Route Must Exist Before any traffic can flow into the tunnel, a route must be defined in a NetDefendOS routing table. This route tells NetDefendOS which network can be found at the other end of the tunnel so it knows which traffic to send into the tunnel.
  • Page 672: Ipsec Lan-To-Lan With Pre-Shared Keys

    Here we will assume that this is the predefined address lannet and this network is attached to the NetDefendOS lan interface which has the IPv4 address lan_ip. Create an IPsec Tunnel object (let's call this object ipsec_tunnel). Specify the following tunnel parameters: •...
  • Page 673: Ipsec Lan-To-Lan With Certificates

    • For Authentication select the Pre-shared Key object defined in step (1) above. The IPsec Tunnel object can be treated exactly like any NetDefendOS Interface object in later steps. Set up two IP rules in the IP rule set for the tunnel: •...
  • Page 674: IPsec Roaming Clients with Pre-Shared Keys

    Interface and other interfaces do not have a feature to generate them. Instead, they must be generated by another utility and imported into NetDefendOS. This means that they are not truly self-signed since they are generated outside of NetDefendOS control and it should be remembered that there is no guarantee that their private key is unique.
  • Page 675 (this step could initially be left out to simplify setup). The authentication source can be one of the following: • A Local User DB object which is internal to NetDefendOS. • An external authentication server. An internal user database is easier to set up and is assumed here. Changing this to an external server is simple to do later.
  • Page 676 IP object could be used which specifies the exact range of the pre-allocated IP addresses. B. IP addresses handed out by NetDefendOS If the client IP addresses are not known then they must be handed out by NetDefendOS. To do this the above must be modified with the following: If a specific IP address range is to be used as a pool of available addresses then: •...
  • Page 677: IPsec Roaming Clients with Certificates

    • Define the pre-shared key that is used for IPsec security. • Define the IPsec algorithms that will be used and which are supported by NetDefendOS. • Specify if the client will use config mode. There are a variety of IPsec client software products available from a number of suppliers and this manual will not focus on any specific one.
  • Page 678: L2TP/IPsec Roaming Clients with Pre-Shared Keys

    The step to set up user authentication is optional since this is additional security to certificates. Note: The system time and date should be correct The NetDefendOS date and time should be set correctly since certificates have an expiry date and time.
  • Page 679 Chapter 9: VPN • When all-nets is the destination network, as is the case here, the advanced setting option Add route statically must also be disabled. This setting is enabled by default. Define a PPTP/L2TP Server object (let's call this object l2tp_tunnel) with the following parameters: •...
  • Page 680: L2TP/IPsec Roaming Clients with Certificates

    If certificates are used with L2TP roaming clients instead of pre-shared keys then the differences in the setup described above are as follows: • The NetDefendOS date and time must be set correctly since certificates can expire. • Load a Gateway Certificate and Root Certificate into NetDefendOS.
  • Page 681: iOS Setup

    9.2.8. iOS Setup The standard IPsec client built into Apple iOS™ devices can be used to connect to a NetDefend Firewall using standard IPsec tunnels defined in NetDefendOS. The NetDefendOS setup steps are as follows: Create address book objects for the tunnel. These will consist of: The network to which the local endpoint and the client addresses belong.
  • Page 682 Chapter 9: VPN could also be performed by a RADIUS server. Define an IPsec tunnel object using the default proposal lists and with the following properties: Local Network: all-nets Remote Network: all-nets Remote Endpoint: None Encapsulation mode: Tunnel IKE Config Mode Pool: Select the static IP pool Authentication: Select the PSK defined above.
  • Page 683: IPsec Components

    Chapter 9: VPN 9.3. IPsec Components This section looks at the IPsec standards and describes in general terms the various components, techniques and algorithms that are used in IPsec based VPNs. 9.3.1. Overview Internet Protocol Security (IPsec) is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP security at the network layer.
  • Page 684 Chapter 9: VPN IPsec protocol used (ESP/AH/both) as well as the session keys used to encrypt/decrypt and/or authenticate/verify the transmitted data. An SA is unidirectional and relates to traffic flow in one direction only. For the bidirectional traffic that is usually found in a VPN, there is therefore a need for more than one SA per connection. In most cases, where only one of ESP or AH is used, two SAs will be created for each connection, one describing the incoming traffic, and the other the outgoing.
  • Page 685 With two NetDefend Firewalls as IPsec endpoints, the matching process is greatly simplified since the default NetDefendOS configuration parameters will be the same at either end. However, it may not be as straightforward when equipment from different vendors is involved in establishing the VPN tunnel.
  • Page 686 IDs, this property can be set to specify which ID in the certificate to use. The Enforce Local ID property can be enabled so that when NetDefendOS is acting as responder, the ID proposed by the initiator must match the Local ID value. The default behavior is to ignore the proposed ID.
  • Page 687 NetDefendOS does not support AH. • IKE Encryption This specifies the encryption algorithm used in the IKE negotiation, and depending on the algorithm, the size of the encryption key used. The algorithms supported by NetDefendOS IPsec are: • • Blowfish •...
  • Page 688 Chapter 9: VPN This specifies the authentication algorithms used in the IKE negotiation phase. The algorithms supported by NetDefendOS IPsec are: • • SHA1 • SHA256 • SHA512 • AES-XCBC (IKEv2 only) • IKE DH Group This specifies the Diffie-Hellman group to use for the IKE exchange. The available DH groups are discussed below in the section titled Diffie-Hellman Groups.
  • Page 689 IPsec Encryption The encryption algorithm that will be used on the protected IPsec traffic. This is not needed when AH is used, or when ESP is used without encryption. The encryption algorithms supported by NetDefendOS are as follows: Blowfish iii.
  • Page 690: IKE Authentication

    PFS in NetDefendOS. The administrator-configured Diffie-Hellman group number indicates to NetDefendOS the level of security that is to be used for DH exchanges. The higher the group number, the greater the security, but this will also increase the hardware processing resources required.
  • Page 691: IPsec Protocols (ESP/AH)

    Chapter 9: VPN This type of connection is also vulnerable to something called "replay attacks", meaning a malicious entity which has access to the encrypted traffic can record some packets, store them, and send them to their destination at a later time. The destination VPN endpoint will have no way of telling if this packet is a "replayed"...
  • Page 692: The AH Protocol

    Chapter 9: VPN VPN. The actual protocols used and the keys used with those protocols are negotiated by IKE. There are two protocols associated with IPsec, AH and ESP. These are covered in the sections below. AH (Authentication Header) AH is a protocol used for authenticating a data stream. Figure 9.1.
  • Page 693: NAT Traversal

    NAT and because of this, the technique called NAT traversal has evolved. NAT traversal is an add-on to the IKE and IPsec protocols that allows them to function when being NATed. NetDefendOS supports the RFC 3947 standard for NAT-Traversal with IKE. NAT traversal is divided into two parts: •...
  • Page 694: Algorithm Proposal Lists

    IKE Phase-1 (IKE Security Negotiation), while IPsec lists are used during IKE Phase-2 (IPsec Security Negotiation). Several algorithm proposal lists are already defined by default in NetDefendOS for different VPN scenarios and user-defined lists can be added. Two IKE algorithm lists and two IPsec lists are already defined by default: •...
  • Page 695: Using an Algorithm Proposal List

    Chapter 9: VPN • AES-XCBC • Medium This consists of the following, longer list of algorithms that provide less security but greater compatibility with older endpoint devices: • 3DES • • Twofish • SHA1 • SHA256 • SHA512 • AES-XCBC Example 9.1.
  • Page 696: Pre-Shared Keys

    Windows, for example, encodes pre-shared keys containing non-ASCII characters in UTF-16 while NetDefendOS uses UTF-8. Even though they can seem the same at either end of the tunnel there will be a mismatch and this can sometimes cause problems when setting up a Windows L2TP client that connects to NetDefendOS.
  • Page 697: Using ID Lists with Certificates

    IP address. The ID List Solution Identification lists (ID lists) provide a solution to this problem. A NetDefendOS ID List object contains one or more ID objects as children. An IPsec Tunnel object can then have its Remote ID...
  • Page 698: Using an ID List

    ID. If the certificate does, authentication is complete and the tunnel can be established. If the ID is not in the certificate, NetDefendOS flags that there is an authentication failure and the client connection is dropped.
  • Page 699: DiffServ with IPsec

    Select my_id_list Enter a name for the ID, for example JohnDoe Select Distinguished name in the Type control Now enter: • Common Name: John Doe • Organization Name: D-Link • Organizational Unit: Support • Country: Sweden • Email Address: john.doe@D-Link.com...
  • Page 700 Specifying the DiffServ Field for IKE Traffic By default, all IKE packets sent by NetDefendOS during tunnel setup have their DiffServ value set to zero. This can be changed to a fixed value for a tunnel by setting the IKEDSField property of the IPsecTunnel object.
  • Page 701: IPsec Tunnels

    IP address. If this property is assigned an IP address, the administrator must also manually configure NetDefendOS to ARP publish the IP address on the sending interface. Doing this is described in Section 3.5.3, “ARP Publish”. Setting the Source Interface If set, the Source Interface property of a tunnel determines which Ethernet interface NetDefendOS will listen on for incoming IPsec connections.
  • Page 702 The HA IP address. This address will be used in HA clusters as the shared and private IP. If the local network for the tunnel is all-nets then NetDefendOS will not be able to assign an IP address and a value will have to be assigned manually.
  • Page 703 IP rules that explicitly allow the packets that implement IPsec itself. IKE and ESP packets are, by default, dealt with by the NetDefendOS's internal IPsec engine and the IP rule set is not consulted.
  • Page 704: LAN-to-LAN Tunnels with Pre-Shared Keys

    If the peer does not respond to these messages during a period of time (specified by the advanced setting DPD Expire Time) then the peer is considered dead and the tunnel is closed. NetDefendOS will then automatically try to re-establish the tunnel after a period of time (specified by the advanced setting DPD Keep Time).
  • Page 705: PSK Based LAN-to-LAN IPsec Tunnel Setup

    Chapter 9: VPN • Set up the IP Rule objects to allow traffic flow in either direction. • Set up the Route in the main routing table (or another table if an alternate is being used). • Set up the peer at the other end of the tunnel in a similar way. The local and remote networks are reversed.
  • Page 706 Chapter 9: VPN gw-world:/> add IPRule Action=Allow Service=all_services SourceInterface=lan SourceNetwork=172.16.1.0/24 DestinationInterface=ipsec_hq_to_branch DestinationNetwork=192.168.11.0/24 Name=hq_to_branch ii. Add an IP rule to allow traffic to flow from remote to local network: gw-world:/> add IPRule Action=Allow Service=all_services SourceInterface=ipsec_hq_to_branch SourceNetwork=192.168.11.0/24 DestinationInterface=lan DestinationNetwork=172.16.1.0/24 Name=branch_to_hq D. Add a route that routes the remote network on the tunnel: Change the context to be the routing table: gw-world:/>...
  • Page 707 Chapter 9: VPN • Local Network: 172.16.1.0/24 (This is the local network that the roaming users will connect to) • Remote Network: 192.168.11.0/24 • Remote Endpoint: 203.0.113.1 Under Authentication enter Pre-Shared Key: my_secret_key Click OK C. Configure 2 IP rules to allow traffic flow both ways in the tunnel: i.
  • Page 708: Roaming Clients

    172.16.1.0/24 which is on the lan interface. It is assumed the default NetDefendOS IKE and IPsec proposal lists are used on the firewall and that the clients will use proposal lists that will result in an acceptable match during the IKE negotiation phase of tunnel setup.
  • Page 709 Chapter 9: VPN A. Create a pre-shared key for IPsec authentication: gw-world:/> add PSK my_secret_key Type=ASCII PSKascii=somesecretasciikey B. Configure the IPsec tunnel: gw-world:/> add Interface IPsecTunnel ipsec_roaming LocalNetwork=172.16.1.0/24 RemoteNetwork=all-nets PSK=my_secret_key C. Create an IP rule to allow traffic from clients: gw-world:/>...
  • Page 710: Certificate Based IPsec Tunnels for Roaming Clients

    203.0.113.0/24 network with external firewall IP wan_ip. Web Interface A. Upload the required certificates to NetDefendOS and for each certificate: Go to: Objects > Key Ring > Add > Certificate Enter a suitable name for the Certificate object Select the X.509 Certificate option...
  • Page 711 Using IKE Config Mode IKE Configuration Mode (Config Mode) is an extension to IKE that allows NetDefendOS to provide configuration information to remote IPsec clients. It is used to dynamically configure IPsec clients with IP addresses and corresponding netmasks, and to exchange other types of information associated with DHCP.
  • Page 712: Setting Up Config Mode Using a Predefined IP Pool

    • Predefined The IPv4 addresses to be handed out are derived from a separate, specified IP Pool object in the NetDefendOS configuration. See Section 5.5, “IP Pools” for information about configuring these objects. • Static The IPv4 addresses to be handed out are derived from the Config Mode Pool object itself.
  • Page 713: IKEv2 Support

    Click OK IP Validation NetDefendOS always checks if the source IP address of each packet inside an IPsec tunnel is the same as the IP address assigned to the IPsec client with IKE config mode. If a mismatch is detected the packet is always dropped and a log message generated with a severity level of Warning.
  • Page 714: IKEv2 Client Setup

    IKEv2 - NetDefendOS will use IKEv2 for tunnel setup. • Auto - NetDefendOS will first attempt to use IKEv2 for tunnel setup and revert back to IKEv1 if unsuccessful. Configuring IKEv2 based IPsec tunnels is almost exactly the same as for IKEv1 but the following differences should be noted: •...
  • Page 715 The certificate setup with other client platforms, such as Apple iOS or Android, should be straightforward and will not be described in detail. • The same CA root certificate used by the client should also be installed in NetDefendOS. • In addition, NetDefendOS should also have a host certificate (also known as the gateway certificate) installed which is signed by the root CA.
  • Page 716: IKEv2 EAP Client Setup

    In NetDefendOS configure a Config Mode Pool object that will provide the IP addresses to the connecting clients. Add the same CA root certificate to NetDefendOS along with a host certificate signed by the root certificate. Configure an IPsec Tunnel object that will be used for client connection.
  • Page 717 Chapter 9: VPN and on the client, as described previously. It also assumes that the RADIUS server used for authentication is also correctly configured. Note that the authentication rule in this example uses all-nets and any as its traffic filtering parameters.
  • Page 718 Chapter 9: VPN • IP Pool : 192.168.189.30-192.168.189.50 • Netmask : 255.255.255.0 • DNS : 192.168.28.4 Click OK B. Configure the IPsec tunnel: Go to: Network > Interfaces and VPN > IPsec > Add > IPsec Tunnel Now enter: • Name: my_ikev2_client_tunnel •...
  • Page 719: Fetching CRLs from an Alternate LDAP Server

    Chapter 9: VPN Click OK D. Configure the authentication rule for the tunnel: Go to: Policies > User Authentication > Authentication Rules > Add > Authentication Rule Now enter: • Name: my_ikev2_auth_rule • Authentication agent: EAP • Authentication source: RADIUS •...
  • Page 720: The IPsec Tunnel Selection Process

    Port: 389 Click OK 9.4.7. The IPsec Tunnel Selection Process When an external network device initiates the setting up of an IPsec tunnel, NetDefendOS must decide which IPsec Tunnel object in the configuration will be used when responding to the request.
  • Page 721: IPsec Tunnel Monitoring

    Chapter 9: VPN Remote Network. iii. IPsec Algorithms. Encapsulation Mode. PFS/DH Group. Setup SA Per. 9.4.8. IPsec Tunnel Monitoring Overview An IPsec Tunnel object has some additional properties which, together, provide a feature called tunnel monitoring. This is used for checking the health of a tunnel and re-establishing it should a problem be detected.
  • Page 722: Enabling IPsec Tunnel Monitoring

    If, instead, the hostmon -verbose command is used, the source IP of the ICMP messages can also be seen. Logging A log event message is generated by NetDefendOS in the following instances: • When a host is determined to be reachable, the following log message is generated: IPSEC prio=Info id=01803600 rev=1 event=monitored_host_reachable action=none ip=192.168.1.2 tunnel=PSK-NAT...
  • Page 723: IPsec Advanced Settings

    The IPsec DS Field This setting is specified on a per-tunnel basis. The value specified is copied into the Differentiated Service Field in the outer IP header of ESP packets sent by NetDefendOS as part of the IPsec tunnel. In other words, no matter what the DS field value of the inner packets being carried by the tunnel, this value will replace it.
  • Page 724 Default: 86400 seconds IKE Max CA Path When the signature of a user certificate is verified, NetDefendOS looks at the issuer name field in the user certificate to find the CA certificate the certificate was signed by. The CA certificate may in turn be signed by another CA, which may be signed by another CA, and so on.
  • Page 725 IP address, it will not be possible to send the true IP address to the RADIUS server. Default: Disabled XCBC Fallback When enabled, NetDefendOS will fall back to using XCBC (RFC 3664) if XCBC (RFC 4344) fails during EAP authentication. AES-XCBC-MAC is a method of generating the message authentication code (MAC) used in IKEv2 negotiations.
  • Page 726 4500 instead of 500 even when there is no NAT. If this is the case, NetDefendOS can accept the IKEv2 connection but when the client sends IKE data, it is sent as raw ESP packets and without this setting enabled, NetDefendOS will drop the packets since they will be expected to be encapsulated in UDP.
  • Page 727 Default: 3 (in other words, 3 x 10 = 30 seconds) DPD Keep Time The amount of time in tens of seconds that a peer is assumed to be dead after NetDefendOS has detected it to be so. While the peer is considered dead, NetDefendOS will not try to re-negotiate the tunnel or send DPD messages to the peer.
  • Page 728 Chapter 9: VPN not responded to messages during this time it is considered to be dead. In other words, this is the length of time in seconds for which DPD-R-U-THERE messages will be sent. If the other side of the tunnel has not sent a response to any messages then it is considered to be dead (not reachable).
  • Page 729: PPTP/L2TP

    The most commonly used feature that is relevant in this scenario is the ability of NetDefendOS to act as either a PPTP or L2TP server and the first two sections below deal with this. The third section deals with the further ability of NetDefendOS to act as a PPTP or L2TP client.
  • Page 730: L2TP Servers

    Click OK Use User Authentication Rules is enabled by default. To be able to authenticate the users using the PPTP tunnel it is required to configure NetDefendOS Authentication Rules but that will not be covered in this example. 9.5.2. L2TP Servers...
  • Page 731: Setting Up an L2TP Server

    When DHCP is configured on an L2TP/IPsec interface to hand out client IPs, NetDefendOS does not return all the DHCP special parameters. This can be the source of issues with Windows based L2TP clients running under Vista or Windows 7.
  • Page 732: Setting Up an L2TP Tunnel over IPsec

    Click OK Use User Authentication Rules is enabled by default. To be able to authenticate users using the PPTP tunnel, it is necessary to configure NetDefendOS Authentication Rules but that is not covered in this example. Example 9.14. Setting up an L2TP Tunnel Over IPsec This example shows how to set up a fully working L2TP Tunnel based on IPsec encryption and will cover many parts of basic VPN configuration.
  • Page 733 Chapter 9: VPN Now, we will set up the IPsec Tunnel which will later be used with L2TP. As we are going to use L2TP, the Local Network is the same IP as the IP that the L2TP tunnel will connect to, wan_ip. In addition, the IPsec tunnel needs to be configured so that routes are not defined statically or added dynamically when the tunnel is established.
  • Page 734 Chapter 9: VPN Command-Line Interface gw-world:/> add Interface L2TPServer l2tp_tunnel IP=lan_ip Interface=l2tp_ipsec ServerIP=wan_ip IPPool=l2tp_pool TunnelProtocol=L2TP AllowedRoutes=all-nets ProxyARPInterfaces=lan Web Interface Go to: Network > Interfaces and VPN > PPTP/L2TP Servers > Add > PPTP/L2TP Server Enter a name for the L2TP tunnel, for example l2tp_tunnel Now enter: •...
  • Page 735 Chapter 9: VPN • Agent: PPP • Authentication Source: Local • Interface: l2tp_tunnel • Originator IP: all-nets • Terminator IP: wan_ip Under the Authentication Options tab enter UserDB as the Local User DB Click OK When the other parts are done, all that is left is the rules. To let traffic through from the tunnel, two IP rules should be added.
  • Page 736: L2TP/PPTP Server Advanced Settings

    L2TP. • When using transport mode with IKEv1, only the Local Endpoint and Remote Endpoint properties of the IPsec Tunnel object are used by NetDefendOS for tunnel setup. The Local Network and Remote Network properties are ignored. •...
  • Page 737: PPTP/L2TP Clients

    The PPTP and L2TP protocols are described in the previous section. In addition to being able to act as a PPTP or L2TP server, NetDefendOS also offers the ability to act as a PPTP or L2TP client. This can be useful if PPTP or L2TP is preferred as the VPN protocol instead of IPsec. One NetDefend Firewall can act as a client and connect to another unit which acts as the server.
  • Page 738 A PPTP tunnel is defined between NetDefendOS and the server. • A route is added to the routing table in NetDefendOS which specifies that traffic for the server should be routed through the PPTP tunnel. Using this client approach is suitable for situations where an ISP requires PPTP for authentication.
  • Page 739: The l2tp and pptp Commands

    Chapter 9: VPN Figure 9.3. PPTP Client Usage 9.5.5. The l2tp and pptp Commands NetDefendOS provides two CLI commands for monitoring the status of L2TP and PPP: • The l2tp CLI Command NetDefendOS provides the CLI command l2tp to show information about both L2TP clients and servers.
  • Page 740 Remote GW State ------------------ ------------------ ------------------ my_pptp_tunnel1 Listening my_pptp_tunnel1 203.0.113.6 Established Both these commands and their options are fully described in the separate NetDefendOS CLI Reference Guide. Neither of these commands currently has an equivalent function in the Web Interface.
  • Page 741: L2TP Version 3

    Like standard L2TP, L2TPv3 does not provide encryption of transmitted data. If the L2TPv3 tunnel is to be secure, it should be used with IPsec or PPPoE. • NetDefendOS L2TPv3 can only be used with IPv4. IPv6 is not supported by NetDefendOS at this time. •...
  • Page 742: An L2TPv3 Example

    Chapter 9: VPN Inner IP Address - Set this to any IPv4 address within the network used for the Local Network property. As a convention, it is recommended to use the IPv4 address of the physical interface connected to the protected network. iii.
  • Page 743: L2TPv3 Server Setup

    Chapter 9: VPN Example 9.15. L2TPv3 Server Setup Assume an L2TPv3 Server object called my_l2tpv3_if is to be set up so that L2TPv3 clients can connect to it on the If2 interface. The aim is to have the protected network If3_net on the If3 interface accessible to these clients using L2TPv3.
  • Page 744: L2TPv3 Server Setup with IPsec

    Chapter 9: VPN • Using UDP as the lower level transport protocol is the default setting for this property and is recommended. It ensures that communication is able to traverse most network equipment, particularly if NAT is being employed in the path through the network. •...
  • Page 745 VLAN connections. To do this with NetDefendOS, a pair of VLANs needs to be configured, both with the same VLAN ID as the ID used by the clients. One VLAN is configured on the local, protected Ethernet interface.
  • Page 746: L2TPv3 Server Setup for VLANs

    In addition, the clients will access over a VLAN within the tunnel that has a VLAN ID of 555. It is assumed two arbitrary IPv4 addresses called If3_arbitrary_ip1 and If3_arbitrary_ip2 from the protected network If3_net have already been defined in the NetDefendOS address book. Command-Line Interface A.
  • Page 747 Chapter 9: VPN Web Interface A. First, define a L2TPv3 Server object: Go to: Network > Interfaces and VPN > L2TPv3 Servers > Add > L2TPv3 Server Now enter: • Name: my_l2tpv3_if • Inner IP Address: If3_ip • Local Network: If3_net •...
  • Page 748: L2TPv3 Client

    L2TPv3 client to act as a concentrator of traffic from locally connected clients so it is sent through a single L2TPv3 tunnel to an L2TPv3 server. The following steps are required to configure NetDefendOS to be an L2TPv3 client: A. Define an L2TPv3Client object with the following properties: Inner IP Address - The local IP address inside the tunnel.
  • Page 749: L2TPv3 Client Setup

    Chapter 9: VPN B. Enable transparent mode on the inner interface where the protected network is located. Example 9.18. L2TPv3 Client Setup In this example, an L2TPv3 Client object called my_l2tpv3_client is to be created. This will connect with the L2TPv3 server with the IP address l2tpv3_server_ip. This client will connect to the server over an IPsec tunnel called l2tpv3_ipsec_tunnel.
  • Page 750: L2TPv3 Client Setup with IPsec

    Chapter 9: VPN Using IPsec for Encryption As stated previously, L2TPv3 does not provide encryption. For encryption across the public Internet, IPsec should be used. The following example shows how this is achieved by specifying the IPsec tunnel to be used as a property of the L2TPv3 client object. Example 9.19.
  • Page 751 Click OK Setup With VLANs The NetDefendOS L2TPv3 client can handle VLAN tagged Ethernet frames so that a protected internal network can access an external network over VLAN connections. The setup of the VLANs is done in the same way as for the server and this is fully described in Section 9.6.1, “L2TPv3 Server”.
  • Page 752: SSL VPN

    9.7. SSL VPN 9.7.1. Overview NetDefendOS provides an additional type of VPN connection called SSL VPN. This makes use of the Secure Sockets Layer (SSL) protocol to provide a secure tunnel between a remote client computer and a NetDefend Firewall. Any application on the client can then communicate securely with servers located on the protected side of the firewall.
  • Page 753: Configuring SSL VPN in NetDefendOS

    Setting up a PPPoE interface object is described in Section 3.4.6, “PPPoE”. 9.7.2. Configuring SSL VPN in NetDefendOS To configure the SSL VPN in NetDefendOS, an SSL VPN Interface object must be defined for each interface on which connections will be made. The object properties are as follows: General Options •...
  • Page 754 For troubleshooting purposes, an ICMP Ping can be sent to the Inner IP address. In order for NetDefendOS to be able to respond, an IP rule must exist that allows traffic to flow from the SSL VPN interface to core (in other words, to NetDefendOS itself).
  • Page 755: Installing the SSL VPN Client

    IPv4 addresses. This pool is specified by an IP address object defined in the NetDefendOS address book. It is not the same as an IP Pool object used with IPsec. The pool addresses do not need to be a continuous range but must belong to the same network.
  • Page 756: SSL VPN Browser Connection Choices

    Figure 9.5. SSL VPN Browser Connection Choices Using CA Signed Certificates By default, NetDefendOS uses a self-signed certificate when it displays the dialog shown above. If it is desirable to use a CA signed certificate, that may or may not use certificate chaining, this can be configured on the RemoteMgmtSettings object.
  • Page 757: The SSL VPN Client Login

    Chapter 9: VPN Figure 9.6. The SSL VPN Client Login The difference between the two approaches above is that when the SSL VPN client software is started by browsing to the SSL VPN interface, the correct settings for the tunnel are downloaded to the SSL VPN client software and stored as the client's configuration file.
  • Page 758: The SSL VPN Client Statistics

    IP address is handed out to the client from the associated SSL VPN object's IP pool. In addition, a single route for the client is added to the NetDefendOS routing table. This route maps the handed out client IP address to the associated SSL VPN interface.
  • Page 759: SSL VPN Setup Example

    To remedy this problem, the D-Link SSL VPN client software should be started by selecting it in the Windows Start menu and then stopped.
  • Page 760 For Login Type choose HTMLForm Click OK The new NetDefendOS configuration should now be deployed. For external client connection, a web browser should be directed to the IP address my_sslvpn_if. This is done either by typing the actual IP address or using a URL that can resolve to the IP...
  • Page 761: Setting SSL VPN Interface Client Routes

    This example shows how to change the SSL VPN tunnel called my_sslvpn_if so that the only route added to the routing table of clients is a route to the protected network protected_server_net which is already defined in the NetDefendOS address book. Command-Line Interface gw-world:/>...
  • Page 762: VPN Troubleshooting

    Ensure that another IPsec Tunnel definition is not preventing the correct definition being reached. The tunnel list is scanned from top to bottom by NetDefendOS and a tunnel in a higher position with the Remote Network set to all-nets and the Remote Endpoint set to none could prevent the correct tunnel being reached.
  • Page 763: Troubleshooting Certificates

    • Check that the NetDefendOS date and time are set correctly. If the system time and date are wrong then certificates can appear as being expired when, in fact, they are not.
  • Page 764: The ike -snoop Command

    Chapter 9: VPN gw-world:/> ike -tunnels -num=all In these circumstances, using the option with a small number, for example -num=10, is recommended. 9.8.4. The ike -snoop Command VPN Tunnel Negotiation When setting up IPsec tunnels, problems can arise because the initial negotiation fails when the devices at either end of a VPN tunnel try but fail to agree on which protocols and encryption methods will be used.
  • Page 765 sends to the server. This list details the protocols and encryption methods it can support. The purpose of the algorithm list is that the client is trying to find a matching set of protocols/methods supported by the server. The server examines the list and attempts to find a combination of the protocols/methods sent by the client which it can support.
  • Page 766 Description : draft-stenberg-ipsec-nat-traversal-02 VID (Vendor ID) Payload data length : 16 bytes Vendor ID : 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc Description : draft-ietf-ipsec-nat-t-ike-00 VID (Vendor ID) Payload data length : 16 bytes Vendor ID : cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48...
  • Page 767 Vendor ID : 8f 9c c9 4e 01 24 8e cd f1 47 59 4c 28 4b 21 3b Description : SSH Communications Security QuickSec 2.1.0 VID (Vendor ID) Payload data length : 16 bytes Vendor ID : 27 ba b5 dc 01 ea 07 60 ea 4e 31 90 ac 27 c0 d0 Description : draft-stenberg-ipsec-nat-traversal-01 VID (Vendor ID)
  • Page 768 Payload data length : 16 bytes NAT-D (NAT Detection) Payload data length : 16 bytes NAT-D (NAT Detection) Payload data length : 16 bytes Step 5. Client Sends Identification The initiator sends the identification which is normally an IP address or the Subject Alternative Name if certificates are used.
  • Page 769 Now the client sends the list of supported IPsec algorithms to the server. It will also contain the proposed host/networks that are allowed in the tunnel. Received IKE packet from 192.168.0.10:500 Exchange type : Quick mode ISAKMP Version : 1.0 Flags : E (encryption) Cookies...
  • Page 770 Group description: PFS and PFS group SA life type: Seconds or Kilobytes SA life duration: Number seconds or kilobytes Encapsulation mode: Could be transport, tunnel or UDP tunnel (NAT-T) ID: ipv4(any:0,[0..3]=10.4.2.6) Here the first ID is the local network of the tunnel from the client's point of view and the second ID is the remote network.
  • Page 771: Management Interface Failure With VPN

    Payloads: HASH (Hash) Payload data length : 16 bytes 9.8.5. Management Interface Failure with VPN If any VPN tunnel is set up and then the management interface no longer operates then it is likely to be a problem with the management traffic being routed back through the VPN tunnel instead of the correct interface.
  • Page 772 VPN-3 will be the tunnel selected by NetDefendOS. 3. Ike_invalid_payload, Ike_invalid_cookie In this case the IPsec engine in NetDefendOS receives an IPsec IKE packet but is unable to match it against an existing IKE.
  • Page 773 (Note that usage of the CRL feature can be turned off.) Also make sure that there is a DNS client configured for NetDefendOS in order to be able to correctly resolve the path to the CRL on the CA server.
  • Page 774: Specific Symptoms

    Since NetDefendOS has determined that it is a type of network size problem, it will try one last attempt to get the correct network by sending a config mode request.
  • Page 776: Traffic Management

    Point (DSCP). • As described later in this chapter, DSCP bits can be used by the NetDefendOS traffic shaping subsystem as a basis for prioritizing traffic passing through the NetDefend Firewall. It is important to understand that NetDefendOS traffic shaping does not add new DiffServ information as packets traverse a NetDefend Firewall.
  • Page 777: Traffic Shaping In NetDefendOS

    If the users cannot be relied upon then the network equipment must make the decisions concerning priorities and bandwidth allocation. NetDefendOS provides QoS control by allowing the administrator to apply limits and guarantees to the network traffic passing through the NetDefend Firewall. This approach is often referred to as traffic shaping and is well suited to managing bandwidth for local area networks as well as to managing the bottlenecks that might be found in larger wide area networks.
  • Page 778 ISP scenario where individual pipes are allocated to each client. Pipe Rules One or more Pipe Rules make up the NetDefendOS Pipe Rule set which determine what traffic will flow through which pipes. Each pipe rule is defined like other NetDefendOS security policies: by specifying both the source and destination for the interface and network, as well as the service to which the rule is to apply.
  • Page 779: Pipe Rules Determine Pipe Usage

    FwdFast IP rule in the NetDefendOS IP rule sets. The reason for this is that traffic shaping is implemented by using the NetDefendOS state engine which is the subsystem that deals with the tracking of connections. FwdFast IP rules do not set up a connection in the state engine.
  • Page 780: Simple Bandwidth Limiting

    Chapter 10: Traffic Management Figure 10.2. FwdFast Rules Bypass Traffic Shaping Using Pipes with Application Control When using the Application Control feature, it is possible to associate a pipe object directly with an Application Rule object in order to define a bandwidth for a particular application. For example, the bandwidth allocated to the BitTorrent peer-to-peer application could be limited in this way.
  • Page 781: Limiting Bandwidth In Both Directions

    Using the same pipe for both outbound and inbound traffic is allowed by NetDefendOS but this will not partition the pipe limit exactly in two between the two directions. In the previous example only bandwidth in the inbound direction is limited. In most situations, this is the direction that becomes full first.
  • Page 782: Limiting Bandwidth In Both Directions

    Just inserting std-in in the forward chain will not work since we probably want the 2 Mbps limit for outbound traffic to be separate from the 2 Mbps limit for inbound traffic. If 2 Mbps of outbound traffic attempts to flow through the pipe in addition to 2 Mbps of inbound traffic, the total attempting to flow is 4 Mbps.
  • Page 783: Creating Differentiated Limits Using Chains

    10.1.5. Creating Differentiated Limits Using Chains In the previous examples a static traffic limit for all outbound connections was applied. What if the aim is to limit web surfing more than other traffic? Assume that the total bandwidth limit is 250 Kbps and 125 Kbps of that is to be allocated to web surfing inbound traffic.
  • Page 784: Precedences

    10.1.6. Precedences The Default Precedence is Zero All packets that pass through NetDefendOS traffic shaping pipes have a Precedence. In the examples so far, precedences have not been explicitly set and so all packets have had the same default precedence which is 0.
  • Page 785 • Use a fixed precedence The triggering pipe rule explicitly allocates a fixed precedence. • Use the DSCP bits Take the precedence from the DSCP bits in the packet. DSCP is a subset of the DiffServ architecture where the Type of Service (ToS) bits are included in the IP packet header.
  • Page 786: Minimum And Maximum Pipe Precedence

    (it becomes "full") there is no competition between precedences. When the pipe is full, traffic is prioritized by NetDefendOS according to precedence with higher precedence packets that do not exceed the precedence limit being sent before lower precedence packets.
  • Page 787 Note: A limit on the lowest precedence has no meaning Setting a maximum limit for the lowest (best effort) precedence or any lower precedences has no meaning and will be ignored by NetDefendOS. Differentiated Guarantees A problem arises if the aim is to give a specific 32 Kbps guarantee to Telnet traffic, and a specific 64 Kbps guarantee to SSH traffic.
  • Page 788: Pipe Groups

    250 Kbps of available bandwidth with other traffic. 10.1.7. Pipe Groups NetDefendOS provides a further level of control within pipes through the ability to split pipe bandwidth into individual resource users within a group and to apply a limit and guarantee to each user.
  • Page 789 Grouping by Networks Requires the Size If the grouping is by source or destination network then the network size must also be specified. In other words, the netmask for the network must be specified for NetDefendOS. Specifying Group Limits Once the method of grouping is selected, the next step is to specify the Group Limits.
  • Page 790: Traffic Grouped By IP Address

    Figure 10.6. Traffic Grouped By IP Address Another Simple Groups Example Consider another situation where the total bandwidth limit for a pipe is 400 Kbps. If the aim is to allocate this bandwidth amongst many destination IP addresses so that no single IP address can take more than 100 Kbps of bandwidth, the following steps are needed.
  • Page 791: Traffic Shaping Recommendations

    The Importance of a Pipe Limit Traffic shaping only comes into effect when a NetDefendOS pipe is full. That is to say, it is passing as much traffic as the total limit allows. If a 500 Kbps pipe is carrying 400 Kbps of low priority traffic and 90 Kbps of high priority traffic then there is 10 Kbps of bandwidth left and there is no reason to throttle back anything.
  • Page 792 For inbound connections, there is less control over what is arriving and what has to be processed by the traffic shaping subsystem and it is therefore more important to set pipe limits slightly below the real connection limit to account for the time needed for NetDefendOS to adapt to changing conditions.
  • Page 793: A Summary Of Traffic Shaping

    10.1.9. A Summary of Traffic Shaping NetDefendOS traffic shaping provides a sophisticated set of mechanisms for controlling and prioritizing network packets. The following points summarize its use: •...
  • Page 794: A Basic Traffic Shaping Scenario

    Figure 10.7. A Basic Traffic Shaping Scenario The reason for using 2 different pipes in this case, is that these are easier to match to the physical link capacity. This is especially true with asymmetric links such as ADSL. First, two pipes called in-pipe and out-pipe need to be created with the following parameters: Pipe Name Min Prec...
  • Page 795 • Priority 6 - VoIP (500 Kbps) • Priority 4 - Citrix (250 Kbps) • Priority 2 - Other traffic (1000 Kbps) • Priority 0 - Web plus remaining from other levels To implement this scheme, we can use the in-pipe and out-pipe. We first enter the Pipe Limits for each pipe.
  • Page 796 An important consideration which has been discussed previously, is allowance in the Pipe Total values for the overhead used by VPN protocols. As a rule of thumb, a pipe total of 1700 bps is reasonable for a VPN tunnel where the underlying physical connection capacity is 2 Mbps. It is also important to remember to insert into the pipe all non-VPN traffic using the same physical link.
  • Page 797 Rule Forward Return Source Dest Destination Selected Prece Name Pipes Pipes Network Network Service dence in-pipe out-pipe wan all-nets lannet all_services 0 With this setup, all VPN traffic is limited to 1700 Kbps, the total traffic is limited to 2000 Kbps and VoIP to the remote site is guaranteed 500 Kbps of capacity before it is forced to best effort.
  • Page 798: IDP Traffic Shaping

    The signature database of NetDefendOS IDP already provides a highly effective means to perform this recognition and as an extension to this, NetDefendOS also provides the ability to apply throttling through the NetDefendOS traffic shaping subsystem when the targeted traffic is recognized.
  • Page 799: Processing Flow

    A new connection is opened by one host to another through the NetDefend Firewall and traffic begins to flow. The source and destination IP addresses of the connection are noted by NetDefendOS. The traffic flowing on the connection triggers an IDP rule. The IDP rule has Pipe as action so the traffic on the connection is now subject to the pipe traffic shaping bandwidth specified in the IDP rule.
  • Page 800: A P2P Scenario

    To avoid these unintended consequences, we specify the IPv4 addresses of client A and client B in the Network range but not host X. This tells NetDefendOS that host X is not relevant in making a decision about including new non-IDP-triggering connections in traffic shaping.
  • Page 801: Viewing Traffic Shaping Objects

    A full description of the idppipes command can be found in the separate CLI Reference Guide. Viewing Pipes IDP Traffic Shaping makes use of normal NetDefendOS pipe objects which are created automatically. These pipes are always allocated the highest priority and use the Group feature to throttle traffic.
  • Page 802: Guaranteeing Instead Of Limiting Bandwidth

    -show The IDP Traffic Shaping pipes can be recognized by their distinctive naming convention which is explained next. Pipe Naming NetDefendOS names the pipes it automatically creates in IDP Traffic Shaping using the pattern IDPPipe_<bandwidth> pipes with upstream...
  • Page 803: Threshold Rules

    The threshold rules feature is not available on the DFL-260E. Threshold Policies A threshold rule is like other policy based rules found in NetDefendOS. A filtering combination of source/destination network/interface can be specified as well as a service such as HTTP. Each rule can have one or more Threshold Action objects added to it as children and these specify how to handle different threshold conditions.
  • Page 804 Protect for a higher threshold. Multiple Triggered Actions When a rule is triggered then NetDefendOS will perform the associated rule actions that match the condition that has occurred. If more than one action matches the condition then those matching actions are applied in the order they appear in the user interface.
  • Page 805: Creating A Threshold Rule

    When blacklisting is selected, the administrator can choose to leave pre-existing connections from the triggering source unaffected, or can alternatively choose to have the connections dropped by NetDefendOS. The length of time, in seconds, for which the source is blacklisted can also be set.
  • Page 806 • Destination Interface: core • Destination Network: wan_ip Next, add the threshold action to the rule: Select Threshold Action Select Add > Threshold Action Now enter: • Action: Protect • Group by: Host based • Enable Blacklist •...
  • Page 807: Server Load Balancing

    10.4. Server Load Balancing 10.4.1. Overview The Server Load Balancing (SLB) feature allows the administrator to spread client application requests over a number of servers using either an IP Rule with an Action of SLB_SAT or using an SLB Policy object.
  • Page 808: A Server Load Balancing Configuration

    SLB increases the reliability of network applications by actively monitoring the servers sharing the load. NetDefendOS SLB can detect when a server fails or becomes congested and will not direct any further requests to that server until it recovers or has less load.
  • Page 809: SLB Distribution Algorithms

    "virtual server". The servers that are to be treated as a single virtual server by SLB must be specified. 10.4.2. SLB Distribution Algorithms There are several ways to determine how a load is shared across a set of servers. NetDefendOS SLB supports the following two algorithms for load distribution: •...
  • Page 810 coming from the same client. If this is the case then stickiness is required. • IP Address Stickiness In this mode, a series of connections from a specific client will be handled by the same server. This is particularly important for TLS or SSL based services such as HTTPS, which require a repeated connection to the same host.
  • Page 811: SLB Algorithms And Stickiness

    The default value for this setting is a network size of 24. 10.4.4. SLB Algorithms and Stickiness This section discusses further how stickiness functions with the different SLB algorithms. An example scenario is illustrated in the figure below. In this example, the NetDefend Firewall is responsible for balancing connections from 3 clients with different addresses to 2 servers.
  • Page 812: Server Health Monitoring

    Regardless of the algorithms used, if a server is deemed to have failed, SLB will not open any more connections to it until the server is restored to full functionality. D-Link Server Load Balancing provides the following monitoring modes: ICMP Ping This works at OSI layer 3.
  • Page 813: Setting Up SLB With IP Rules

    In the IP rules, the destination interface is always specified as core, meaning NetDefendOS itself deals with the connection. The key advantage of having a separate Allow rule is that the web servers can log the exact IP address that is generating external requests.
  • Page 814 using a single IP Policy object, in Example 10.4, “Setting up SLB with IP Rules”. Command-Line Interface A. Create an address object for each of the web servers: gw-world:/> add Address IP4Address server1 Address=192.168.1.10 gw-world:/> add Address IP4Address server2 Address=192.168.1.11 B.
  • Page 815 Repeat the above to create an object called server2 for the 192.168.1.11 IP address B. Create an IP4Group which contains the 2 web server addresses: Go to: Objects > Address Book > Add > IP4 Group Enter a suitable name, for example server_group Add server1 and server2 to the group Click OK...
  • Page 816: SLB Policy

    E. Specify an Allow IP rule for the external clients: Go to: Policies > Firewalling > Main IP Rules > Add > IP Rule Now enter: • Name: web_slb_allow • Action: Allow • Service: http-all • Source Interface: wan •...
  • Page 817 The above will only allow access by external clients on the Internet. To also allow internal clients on lannet access, the IP Policy must be rewritten using an Interface Group object which combines both the wan and lan interfaces. A-2: First, create the InterfaceGroup: add Interface InterfaceGroup my_if_group Members=wan,lan B-2: Now, create an SLBPolicy object:...
  • Page 818 A-2: First, create an InterfaceGroup: Go to: Network > Interfaces and VPN > Interface Groups > Add > Interface Group Enter: • Name: my_if_group • Selected: wan and lan Add server1 and server2 to Selected Click OK B-2.
  • Page 820: High Availability

    11.1. Overview HA Clusters NetDefendOS High Availability (HA) provides a fault tolerant capability for NetDefend Firewall installations. HA works by adding a back-up slave NetDefend Firewall to an existing master firewall. The master and slave are connected together by a synchronization link and make up a logical HA Cluster.
  • Page 821: Enabling Automatic Cluster Synchronization

    In a cluster, the master and slave units must be directly connected to each other by a synchronization connection which is known to NetDefendOS as the sync interface. One of the normal interfaces on each of the master and the slave is dedicated for this purpose and the two are connected together with a crossover cable.
  • Page 822 Protecting Against Network Failures Using HA and Link Monitor The NetDefendOS Link Monitor feature can be used to check connection with a host so that when it is no longer reachable an HA failover is initiated to a peer which has a different connection to the host.
  • Page 823: HA Mechanisms

    The destination IP is the broadcast address on the sending interface. • The IP TTL is always 255. If NetDefendOS receives a cluster heartbeat with any other TTL, it is assumed that the packet has traversed a router and therefore cannot be trusted.
  • Page 824 Instead the MAC address is constructed by NetDefendOS from the Cluster ID in the form 11-00-00-C1-4A-nn where nn is derived by combining the configured Cluster ID with the hardware bus/slot/port of the interface. The Cluster ID must be unique for each NetDefendOS cluster in a network.
  • Page 825 Chapter 11: High Availability If a NetDefendOS cluster has the Anti-Virus or IDP subsystems enabled then updates to the Anti-Virus signature database or IDP pattern database will routinely occur. These updates involve downloads from the external D-Link databases and they require NetDefendOS reconfiguration to occur for the new database contents to become active.
  • Page 826 successfully if there is a system failure. A restart of the inactive unit is the only time when the entire state of the active unit is sent to the inactive unit.
  • Page 827: Setting Up HA

    If such an interface is used as the HA sync interface then the other interfaces connected to the same switch fabric cannot be used for other purposes. Also keep in mind that there should be no NetDefendOS IP rules configured that include the sync interface.
  • Page 828 • The individual addresses specified for an interface in an IP4 HA Address object allow remote management through that interface. These addresses can also be "pinged" using ICMP provided that IP rules are defined to permit this (by default, ICMP queries are dropped by the rule set).
  • Page 829: Wizard HA Setup

    Section 11.3.2, “Wizard HA Setup” for fast, simple setup. • Section 11.3.3, “Manual HA Setup” for step by step manual setup, without the wizard. 11.3.2. Wizard HA Setup NetDefendOS provides a wizard to automate the HA setup procedure. The wizard needs to be...
  • Page 830 run twice: once when connected to the master unit in the HA cluster, and a second time when connected to the slave unit in the cluster. The procedure for doing this with each unit is as follows: Connect to the NetDefend Firewall through the Web Interface.
  • Page 831: Manual HA Setup

    Method A. Copying the slave configuration to the new master The easiest and quickest way to configure a new master unit is as follows: Use the normal configuration backup function to make a backup of the configuration that exists on the existing slave unit.
  • Page 832: Verifying That The Cluster Functions Correctly

    Also select the Advanced tab for each interface and set the High Availability, Private IP Address field to be the name of the IP4 HA Address object created previously for the interface (NetDefendOS will automatically select the appropriate address from the master and slave addresses defined in the object).
  • Page 833: Unique Shared MAC Addresses

    Misc. Settings in the Web Interface) is set to be automatic for both units in the cluster. This setting determines how memory is allocated by NetDefendOS for handling increasing numbers of connections. A NetDefendOS restart is required for a change in this setting to take effect and this can be achieved with the CLI command: gw-world:/>...
  • Page 834: HA Issues

    The following points should be kept in mind when configuring and managing an HA Cluster. ALGs are Not State Synchronized No aspect of ALGs is state synchronized in a NetDefendOS high availability cluster. This means that all traffic handled by ALGs will freeze when a cluster fails over to the other peer. However, if the cluster fails back over to the original peer within approximately half a minute, frozen sessions and their associated transfers should begin working again.
  • Page 835 NetDefendOS to enter Lockdown Mode. Failed Interfaces Failed interfaces will not be detected unless they fail to the point where NetDefendOS cannot continue to function. This means that failover will not occur if the active unit can still send "I am alive"...
  • Page 836 as the cluster. Ideally, there will also be a second, backup designated router to provide OSPF metrics if the main designated router should fail. PPPoE Tunnels and DHCP Clients For reasons connected with the shared IP addresses of an HA cluster, PPPoE tunnels and DHCP clients should not be configured in an HA cluster.
  • Page 837: Upgrading An HA Cluster

    11.5. Upgrading an HA Cluster The NetDefendOS software versions running on the master and slave in an HA cluster should be the same. When a new NetDefendOS version becomes available and is to be installed on both units, the upgrade is done one unit at a time.
  • Page 838 C. Cause a failover to occur Now, connect to the active unit (which is still running the old NetDefendOS version) with a CLI console and issue the ha -deactivate command. This will cause the active unit to become inactive, and the inactive to become active.
  • Page 839: Link Monitoring And HA

    Monitoring Paths Monitoring the availability of specific network paths can be done with the NetDefendOS Link Monitor. The Link Monitor allows the administrator to specify particular hosts whose reachability is monitored using ICMP "Ping"...
  • Page 840: HA Advanced Settings

    11.7. HA Advanced Settings The following NetDefendOS advanced settings are available for High Availability: Sync Buffer Size How much sync data, in Kbytes, to buffer while waiting for acknowledgments from the cluster peer. Default: 1024 Sync Packet Max Burst The maximum number of state sync packets to send in a burst.
  • Page 841 Number of milliseconds that the active unit in the cluster has been unresponsive before a failover is initiated by the inactive unit. Default: 750...
  • Page 843: ZoneDefense

    All relevant MIB files are already loaded into NetDefendOS but when configuring ZoneDefense, NetDefendOS needs to be told which MIB to use. For older D-Link switches this is done by specifying the exact switch product name. However, newer D-Link switches use a common Universal MIB so the exact switch type need not be specified.
  • Page 844 These rules are discussed further in Section 10.3, “Threshold Rules”. Blocking Uses ACL Uploads When NetDefendOS detects that a host or a network has reached the specified threshold limit, it uploads Access Control List (ACL) rules to the relevant switch and this blocks all traffic for the host or network displaying the unusual behavior.
  • Page 845 Chapter 12: ZoneDefense • DXS-3326GSR (Version R4.30-B11 or later) • DXS-3350SR (Version R4.30-B11 or later) • DHS-3618 (Version R1.00-B03 or later) • DHS-3626 (Version R1.00-B03 or later) Tip: Switch firmware versions should be the latest It is advisable when using ZoneDefense to make sure that all switches have the latest firmware version installed.
  • Page 846: Setting Up ZoneDefense

    An HTTP threshold of 10 connections/second is to be applied to traffic. If the connection rate exceeds this, NetDefendOS will instruct the switch to block the host (within the network range 192.168.2.0/24). A D-Link switch of model type DES-3226S is assumed, with a management interface address of 192.168.1.250 and it is connected to a firewall interface with address 192.168.1.1.
  • Page 847 switch. Click Check Switch to verify that the firewall can communicate with the switch and the community string is correct. Click OK Add the firewall's management interface into the exclude list: Go to: Policies > Intrusion Prevention > ZoneDefense > Exclude list For Addresses choose the object name of the firewall's interface address 192.168.1.1 from the Available list and put it into the Selected list.
  • Page 848 ZoneDefense with Anti-Virus Scanning ZoneDefense can also be used in conjunction with the NetDefendOS Anti-Virus scanning feature. NetDefendOS can first identify a virus source through antivirus scanning and then block the source by communicating with switches configured to work with ZoneDefense.
  • Page 849: Advanced Settings

    Chapter 13: Advanced Settings This chapter describes the additional configurable advanced settings for NetDefendOS that are not already described in the manual. In the Web Interface these settings are found under System > Advanced Settings. The settings are divided up into the following categories:...
  • Page 850 attack to be based on illegal checksums. Default: Enabled Log non IPv4/IPv6 Logs occurrences of IP packets that are not IPv4 or IPv6. Default: Enabled Log Received TTL 0 Logs occurrences of IP packets received with the "Time To Live" (TTL) value set to zero. Under no circumstances should any network unit send packets with a TTL of 0.
  • Page 851 Multicast TTL on Low What action to take on too low multicast TTL values. Default: DropLog Default TTL Indicates which TTL NetDefendOS is to use when originating a packet. These values are usually between 64 and 255. Default: 255 Layer Size Consistency Verifies that the size information contained in each "layer"...
  • Page 852 Rules section since it is more specialized. Default: DropLog IP Reserved Flag Indicates what NetDefendOS will do if there is data in the "reserved" fields of IP headers. In normal circumstances, these fields should read 0. Used by OS Fingerprinting. Default: DropLog...
  • Page 853: TCP Level Settings

    As is the case with TCPMSSMax, this is the highest Maximum Segment Size allowed. However, this setting only controls MSS in VPN connections. This way, NetDefendOS can reduce the effective segment size used by TCP in all VPN connections. This reduces TCP fragmentation in the VPN connection even if hosts do not know how to perform MTU discovery.
  • Page 854 Default: Enabled TCP Zero Unused ACK Determines whether NetDefendOS should set the ACK sequence number field in TCP packets to zero if it is not used. Some operating systems reveal sequence number information this way, which can make it easier for intruders wanting to hijack established connections.
  • Page 855 Note that this TCP option is obsoleted by RFC 6247 and only some network equipment will make use of it. Default: StripLogBad TCP Option Other Specifies how NetDefendOS will deal with TCP options not covered by the above settings. These options usually never appear on modern networks. Default: StripLog TCP SYN/URG Specifies how NetDefendOS will deal with TCP packets with SYN (synchronize) flags and URG (urgent data) flags both turned on.
  • Page 856 Default: DropLog TCP URG Specifies how NetDefendOS will deal with TCP packets with the URG flag turned on, regardless of any other flags. Many TCP stacks and applications deal with Urgent flags in the wrong way and can, in the worst case scenario, cease working. Note however that some programs, such as FTP and MS SQL Server, nearly always use the URG flag.
  • Page 857 Default: DropLog TCP NULL Specifies how NetDefendOS will deal with TCP packets that do not have any of the SYN, ACK, FIN or RST flags turned on. According to the TCP standard, such packets are illegal and are used by both OS Fingerprinting and stealth port scanners, as some firewalls are unable to detect them.
  • Page 858 Allow TCP Reopen Allow clients to re-open TCP connections that are in the closed state. Default: Disabled...
  • Page 859: ICMP Level Settings

    13.3. ICMP Level Settings ICMP Sends Per Sec Limit Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section.
  • Page 860: State Settings

    SYN flag off. Such packets can never open new connections. In addition, new connections can never be opened by ICMP messages other than ICMP ECHO (Ping). This setting determines if NetDefendOS is to log the occurrence of such packets.
  • Page 861 This setting applies if Dynamic Max Connections above is disabled. Specifies how many connections NetDefendOS may keep open at any one time. Each connection consumes approximately 150 bytes RAM. When this setting is dynamic, NetDefendOS will try to use as many connections as are allowed by the product.
  • Page 862: Connection Timeout Settings

    Default: 130 UDP Bidirectional Keep-alive This allows both sides to keep a UDP connection alive. The default is for NetDefendOS to mark a connection as alive (not idle) every time data is sent from the side that opened the connection.
  • Page 863 Connection lifetime for IGMP in seconds. Default: 12 Other Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before they are closed. Default: 130...
  • Page 864: Length Limit Settings

    13.6. Length Limit Settings This section contains information about the size limits imposed on the protocols directly under IP level, such as TCP, UDP and ICMP. The values specified here concern the IP data contained in packets. In the case of Ethernet, a single packet can contain up to 1480 bytes of IP data without fragmentation.
  • Page 865 Specifies in bytes the maximum size of a Layer 2 Tunneling Protocol packet. Default: 2000 Max Other Length Specifies in bytes the maximum size of packets belonging to protocols that are not specified above. Default: 1480 Log Oversized Packets Specifies if NetDefendOS will log occurrences of oversized packets.
  • Page 866 Default: Enabled...
  • Page 867: Fragmentation Settings

    In order to determine which is more likely, NetDefendOS compares the data components of the fragment. The comparison can be made in 2 to 512 random locations in the...
  • Page 868 Internet, which is a quite common occurrence. • NetDefendOS was forced to interrupt the reassembly procedure due to new fragmented packets arriving and the system temporarily running out of resources. In situations such as these, old reassembly attempts are either discarded or marked as "failed".
  • Page 869 A reassembly attempt will always be interrupted Reassembly Time Limit seconds after the first received fragment arrived. Default: 90 Reassembly Done Limit Once a packet has been reassembled, NetDefendOS is able to remember reassembly for this number of seconds in order to prevent further fragments, for example old duplicate fragments,...
  • Page 870 Default: 20 Reassembly Illegal Limit Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving. Default: 60...
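The three limits above work together: an attempt is abandoned Reassembly Time Limit seconds after its first fragment, a completed packet is remembered for Reassembly Done Limit seconds so stale duplicates are refused, and a packet with conflicting overlapping data is marked illegal and remembered for Reassembly Illegal Limit seconds so its remaining fragments are refused too. The following Python simulation is an added example, not NetDefendOS code. It uses the defaults quoted on these pages (90, 20 and 60 seconds) but compares every overlapped byte rather than sampling 2 to 512 random positions as the text describes; the fragment stream it processes is constructed.

```python
class Reassembler:
    """Toy IP fragment reassembler with the three timers named in the settings text.

    Added example, not NetDefendOS code. Timer defaults are the page's (90 s, 20 s, 60 s).
    Overlaps are compared byte-for-byte here; the page describes sampling random positions."""

    def __init__(self, time_limit=90, done_limit=20, illegal_limit=60):
        self.time_limit = time_limit
        self.done_limit = done_limit
        self.illegal_limit = illegal_limit
        self.pending = {}   # pkt_id -> attempt state
        self.done = {}      # pkt_id -> time the packet was completed
        self.illegal = {}   # pkt_id -> time the packet was marked illegal
        self.output = []    # reassembled payloads, in order
        self.failed = []    # pkt_ids whose attempt hit Reassembly Time Limit

    def _tick(self, now):
        """Age out stalled attempts and the done/illegal memories."""
        for pid, a in list(self.pending.items()):
            if now - a["first"] > self.time_limit:
                del self.pending[pid]
                self.failed.append(pid)
        for table, limit in ((self.done, self.done_limit), (self.illegal, self.illegal_limit)):
            for pid, t in list(table.items()):
                if now - t > limit:
                    del table[pid]

    def _mark_illegal(self, now, pid):
        self.pending.pop(pid, None)
        self.illegal[pid] = now
        return "illegal"

    def fragment(self, now, pid, offset, data, more):
        """Feed one fragment; returns what the engine did with it."""
        self._tick(now)
        if pid in self.illegal:
            return "drop-illegal"      # Reassembly Illegal Limit still remembers this packet
        if pid in self.done:
            return "drop-duplicate"    # Reassembly Done Limit: packet was already delivered
        a = self.pending.setdefault(pid, {"first": now, "buf": bytearray(),
                                          "have": bytearray(), "total": None})
        end = offset + len(data)
        if a["total"] is not None and end > a["total"]:
            return self._mark_illegal(now, pid)   # data beyond the declared last fragment
        if end > len(a["buf"]):
            pad = end - len(a["buf"])
            a["buf"].extend(bytes(pad))
            a["have"].extend(bytes(pad))
        # Overlap check: a byte already held must agree with the new copy.
        for i, b in enumerate(data):
            if a["have"][offset + i] and a["buf"][offset + i] != b:
                return self._mark_illegal(now, pid)
        a["buf"][offset:end] = data
        a["have"][offset:end] = b"\x01" * len(data)
        if not more:
            a["total"] = end
        if a["total"] is not None and all(a["have"][:a["total"]]):
            del self.pending[pid]
            self.done[pid] = now
            self.output.append(bytes(a["buf"][:a["total"]]))
            return "reassembled"
        return "buffered"


def demo():
    """Constructed stream: a clean packet, a stale duplicate, a conflicting overlap,
    and an attempt whose first fragment ages out. Returns (verdicts, payloads, failed)."""
    r = Reassembler()
    stream = [
        (0,   1, 0,  b"GET /inde",  True),
        (1,   1, 9,  b"x.html\r\n", False),  # completes packet 1
        (5,   1, 9,  b"x.html\r\n", False),  # stale duplicate, still inside Done Limit
        (30,  2, 0,  b"AAAAAAAA",   True),
        (31,  2, 4,  b"BBBBBBBB",   False),  # overlaps bytes 4..7 with different data
        (32,  2, 12, b"CCCC",       False),  # rest of the poisoned packet is refused
        (100, 3, 0,  b"part",       True),
        (200, 3, 4,  b"ial",        False),  # 100 s later: first fragment has aged out
    ]
    verdicts = [r.fragment(*f) for f in stream]
    return verdicts, r.output, r.failed


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note what happens to packet 3: the late fragment does not resurrect the expired attempt, it starts a fresh one that will itself age out, which is the behaviour the text describes for slow fragment trickles.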
  • Page 871: Local Fragment Reassembly Settings

    13.8. Local Fragment Reassembly Settings Max Concurrent Maximum number of concurrent local reassemblies. Default: 256 Max Size Maximum size of a locally reassembled packet. Default: 10000 Large Buffers Number of large (over 2K) local reassembly buffers (of the above size). Default: 32...
  • Page 872: Ssl/Tls Settings

    TLSv1.0 - Either TLS version 1.0 or 1.2 is acceptable. • TLSv1.2 - Only TLS version 1.2 is acceptable. NetDefendOS provides support for TLS version 1.2 as defined by RFC 5246. TLS version 1.1 is not supported. Default: TLSv1.2 SSL Processing Priority The maximum amount of CPU resources that SSL processing is allowed to use for opening new SSL connections.
  • Page 873 TLS RSA WITH AES 128 CBC SHA256 Enable cipher TLS_RSA_WITH_AES_128_CBC_SHA256. Default: Enabled TLS RSA WITH AES 128 CBC SHA1 Enable cipher TLS_RSA_WITH_AES_128_CBC_SHA1. Default: Enabled TLS RSA 3DES 168 SHA1 Enable cipher RSA_WITH_3DES_168_SHA1. Default: Enabled (3DES is a 64-bit block cipher; disable this suite wherever the connecting clients can negotiate an AES suite instead.) Deprecated SSL/TLS Cipher Suites The following cipher suites are deprecated because of poor security and are disabled by default. They can be enabled if required, although this is not recommended.
  • Page 874 The algorithms disabled by default are considered to be insecure at the time this document was written. If the administrator does enable any of the weaker algorithms, NetDefendOS will issue a warning when the configuration is committed and will continue to display a warning in...
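The suites listed as enabled by default share a property the settings text does not call out: all three use static RSA key exchange, so none provides forward secrecy, and two of them authenticate records with HMAC-SHA-1. The following Python audit is an added example, not NetDefendOS code. It reads suite names as the settings text prints them (RSA_WITH_3DES_168_SHA1 and TLS_RSA_WITH_AES_128_CBC_SHA1 are the page's spellings; IANA registers these suites as TLS_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_AES_128_CBC_SHA) and goes beyond the page's three names to any TLS 1.2-style name with a _WITH_ separator.

```python
"""Audit TLS cipher-suite names for the properties a hardening review looks at.

Added example, not NetDefendOS code. PAGE_DEFAULT_ENABLED holds the three suites
the settings text lists as enabled, spelled as the page prints them. TLS 1.3 suite
names (no _WITH_ separator) are outside the scope of this check.
"""

PAGE_DEFAULT_ENABLED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA1",
    "RSA_WITH_3DES_168_SHA1",
]


def parse_suite(name):
    """Split <kx>_WITH_<cipher>_<mac> into its three parts."""
    base = name[4:] if name.startswith("TLS_") else name
    kx, sep, rest = base.partition("_WITH_")
    if not sep:
        raise ValueError(f"not a TLS 1.2-style suite name: {name}")
    cipher, _, mac = rest.rpartition("_")
    return kx, cipher, mac


def findings(name):
    """Return the list of weaknesses a reviewer would flag for one suite."""
    kx, cipher, mac = parse_suite(name)
    kx_t, c_t = kx.split("_"), cipher.split("_")
    out = []
    if not ({"DHE", "ECDHE"} & set(kx_t)) and "anon" not in kx_t:
        out.append("no forward secrecy")   # static RSA/DH/PSK: one key compromise decrypts old captures
    if "anon" in kx_t:
        out.append("unauthenticated key exchange")
    if "EXPORT" in name:
        out.append("export-grade key length")
    if "NULL" in c_t:
        out.append("no encryption")
    if "RC4" in c_t:
        out.append("RC4 stream cipher")
    if "3DES" in c_t:
        out.append("3DES (64-bit block cipher)")
    elif "DES" in c_t:
        out.append("single DES")
    if "CBC" in c_t:
        out.append("CBC mode, not AEAD")
    if mac == "MD5":
        out.append("MD5 MAC")
    elif mac in ("SHA", "SHA1"):
        out.append("SHA-1 HMAC")
    return out


def audit(suites):
    """Map each enabled suite to its findings; an empty list means nothing to flag."""
    return {s: findings(s) for s in suites}


def report(suites):
    """One human-readable line per suite."""
    return [f"{s}: {'; '.join(f) if f else 'ok'}" for s, f in audit(suites).items()]


if __name__ == "__main__":
    print("\n".join(report(PAGE_DEFAULT_ENABLED)))
```

Run against the page's defaults, every suite is flagged for missing forward secrecy; an ECDHE AES-GCM suite passes clean, which is what to look for when the product offers one.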
  • Page 875: Miscellaneous Settings

    Default: 180 Flood Reboot Time As a final way out, NetDefendOS automatically reboots if its buffers have been flooded for a long time. This setting specifies the amount of time the buffers are flooded before the reboot occurs. Default: 3600 Dynamic High Buffers This setting decides if NetDefendOS will automatically specify the High Buffers value.
  • Page 876 Default: Disabled Allow IP Rules This enables or disables the usage of IP rules in NetDefendOS. When disabled, only IP Policy objects can be configured in IP rule sets. Existing IP Rule objects will not be affected when this setting is disabled.
  • Page 877 Screen Saver Settings Timeout The time in seconds before NetDefendOS automatically enables its screen saver for a NetDefendOS Software only installation. The screen saver will automatically adapt its activity to the current CPU load of the system. During high loads, it will update once per second, consuming a fraction of a percent of CPU load.
  • Page 878 Screen Saver Selection The type of screen saver used. Default: Blank Status Bar Selection The status bar control. Default: Auto...
  • Page 880: Subscribing To Updates

    In addition, the databases related to some of these features are constantly being updated. For these features to function, and to have access to the latest database updates, a valid D-Link Security Update Subscription must exist. This is done with the following steps: •...
  • Page 881 Packet loss - The packet loss seen in the test for that server. Precedence - One server will be designated as Primary and the others Backup. The Primary will always be the one used for downloads to NetDefendOS. If it becomes unavailable, one of the backup servers will become the primary.
  • Page 882 To remove the anti-virus database, use the command: gw-world:/> updatecenter -removedb=antivirus Once removed, NetDefendOS should be restarted and a database update initiated. Removing the database is also recommended if either IDP or anti-virus is not used for long periods of time.
  • Page 883 Appendix A: Subscribing to Updates DCC checking will be bypassed. iii. A log message will be generated for every email not checked with DCC. • Application Control Subscription expiry results in all applications being tagged as unknown. Traffic will be allowed or dropped depending on how the administrator has configured application control to behave with the unknown tag.
  • Page 884: Idp Signature Groups

    For IDP scanning, the following signature groups are available for selection. These groups are only available for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Policy. For further information see Section 6.6, “Intrusion Detection and Prevention”.
  • Page 885 Appendix B: IDP Signature Groups (Group Name: Intrusion Type)
      FS_AFS: Andrew File System
      FTP_DIRNAME: Directory name attack
      FTP_FORMATSTRING: Format string attack
      FTP_GENERAL: FTP protocol and implementation
      FTP_LOGIN: Login attacks
      FTP_OVERFLOW: FTP buffer overflow
      GAME_BOMBERCLONE: Bomberclone game
      GAME_GENERAL: Generic game servers/clients
      GAME_UNREAL: UnReal Game server
      HTTP_APACHE...
  • Page 886 (Group Name: Intrusion Type)
      P2P_EMULE: eMule P2P tool
      P2P_GENERAL: General P2P tools
      P2P_GNUTELLA: Gnutella P2P tool
      PACKINGTOOLS_GENERAL: General packing tools attack
      PBX_GENERAL:
      POP3_DOS: Denial of Service for POP
      POP3_GENERAL: Post Office Protocol v3
      POP3_LOGIN-ATTACKS: Password guessing and related login attack
      POP3_OVERFLOW: POP3 server overflow
      POP3_REQUEST-ERRORS...
  • Page 887 (Group Name: Intrusion Type)
      SSH_OPENSSH: OpenSSH Server
      SSL_GENERAL: SSL protocol and implementation
      TCP_GENERAL: TCP protocol and implementation
      TCP_PPTP: Point-to-Point Tunneling Protocol
      TELNET_GENERAL: Telnet protocol and implementation
      TELNET_OVERFLOW: Telnet buffer overflow attack
      TFTP_DIR_NAME: Directory Name attack
      TFTP_GENERAL: TFTP protocol and implementation
      TFTP_OPERATION...
  • Page 888: Verified Mime Filetypes

    Appendix C: Verified MIME filetypes Some NetDefendOS Application Layer Gateways (ALGs) have the optional ability to verify that the contents of a downloaded file matches the type that the filetype in the filename indicates. The filetypes for which MIME verification can be done are listed in this appendix and the ALGs to which this applies are: •...
  • Page 889 Filetype extension Application Creative Music file core/coredump Unix core dump Windows Control Panel Extension file Database file Graphics Multipage PCX Bitmap file Debian Linux Package file djvu DjVu file Windows dynamic link library file DPA archive data TeX Device Independent Document EET archive Allegro datafile...
  • Page 890 Filetype extension Application Yamaha SMAF Synthetic Music Mobile Application Format Multi-image Network Graphic Animation Ultratracker module sound data MPEG Audio Stream, Layer III MPEG-4 Video file mpg,mpeg MPEG 1 System Stream , Video file MPEG-1 Video file Microsoft files Microsoft office files, and other Microsoft files Atari MSA archive data...
  • Page 891 Filetype extension Application UNIX Shared Library file ReSOF archive SQWEZ archive data Squeeze It archive data Scream Tracker v2 Module Scalable Vector Graphics file svr4 SysV R4 PKG Datastreams Macromedia Flash Format file Tape archive file TeX font metric data tiff, tif Tagged Image Format file...
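The verification this appendix describes is content sniffing: the ALG reads the leading bytes of the downloaded body and checks that they carry the signature expected for the extension in the filename, so a PE executable renamed to report.pdf is caught even though the filename alone looks harmless. The following Python is an added example, not the ALG's code; its signature table is a small constructed subset rather than the appendix's list, and the sample downloads are constructed byte strings.

```python
"""Check that a file's leading bytes agree with the type its extension claims.

Added example, not NetDefendOS code. SIGNATURES is a small constructed subset;
the appendix above lists the types the ALGs actually verify.
"""

SIGNATURES = {
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "jpg":  [b"\xff\xd8\xff"],
    "pdf":  [b"%PDF-"],
    "gz":   [b"\x1f\x8b"],
    "zip":  [b"PK\x03\x04", b"PK\x05\x06"],   # local file header, or an empty archive
    "docx": [b"PK\x03\x04"],                   # Office Open XML is a ZIP container
    "elf":  [b"\x7fELF"],
    "exe":  [b"MZ"],
}
ALIASES = {"jpeg": "jpg", "tgz": "gz"}


def extension_of(filename):
    """Lower-cased final extension of the basename, normalised through ALIASES ('' if none)."""
    name = filename.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ALIASES.get(ext, ext)


def sniff(data):
    """Every type whose magic bytes match the start of data (a docx is also a zip)."""
    return {t for t, magics in SIGNATURES.items() if any(data.startswith(m) for m in magics)}


def verify(filename, data):
    """Return (verdict, detected). verdict is 'match', 'mismatch', or 'unverified'
    when the claimed type has no signature and policy must decide what to do."""
    ext = extension_of(filename)
    detected = sniff(data)
    if ext not in SIGNATURES:
        return "unverified", detected
    return ("match" if ext in detected else "mismatch"), detected


# Constructed sample downloads: (filename, first bytes of the body).
SAMPLES = [
    ("report.pdf",  b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj"),
    ("photo.jpeg",  b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("deck.docx",   b"PK\x03\x04\x14\x00\x06\x00" + bytes(8)),
    ("invoice.pdf", b"\x7fELF\x02\x01\x01\x00" + bytes(8)),   # ELF binary renamed to .pdf
    ("update.zip",  b"MZ\x90\x00\x03\x00\x00\x00"),             # PE executable renamed to .zip
    ("notes.txt",   b"just some text\n"),
]


def run_samples():
    """Verdict for each constructed sample, keyed by filename."""
    return {name: verify(name, body) for name, body in SAMPLES}


if __name__ == "__main__":
    for name, (verdict, detected) in run_samples().items():
        print(f"{name:12} {verdict:10} {sorted(detected)}")
```

Two points the table alone does not show: an unverifiable type ("unverified") is a policy decision, not a pass, and container formats overlap, so a ZIP signature is the correct answer for both .zip and .docx and the check must accept either.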
  • Page 892: The Osi Framework

    The model is relevant to understanding the operation of many NetDefendOS features such as ARP, Services and ALGs. Layer number Layer purpose...
  • Page 893: Dfl-260E/860E Port Based Vlan

    On Ethernet interfaces other than LAN interfaces, VLANs are created by configuring them in NetDefendOS in the normal way. It is NetDefendOS that then takes on the task of adding and recognizing VLAN tags in packets. It is not a hardware function.
  • Page 894 Appendix E: DFL-260E/860E Port Based VLAN 2. Associate the VLANs with LAN interfaces Go to Network > Interfaces and VPN > VLAN > Switch Management, enable port based VLAN and set each numbered LAN interface to be associated with the relevant VLAN to get the desired configuration.
  • Page 895: Third Party Software Licenses

    Appendix F: Third Party Software Licenses The NetDefendOS product makes use of a number of third party software modules which are subject to the following licensing agreements: MIT License for iBox, jQuery, jQueryUI, SlickGrid, DataMaps Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction,...
  • Page 896 to that copy. Object Code Incorporating Material from Library Header Files. The object code form of an Application may incorporate material from a header file that is part of the Library. You may convey such object code under terms of your choice, provided that, if the incorporated material is not limited to numerical parameters, data structure layouts and accessors, or small macros, inline functions and templates (ten or fewer lines in length), you do both of the following:...
  • Page 897 work. 6. Revised Versions of the GNU Lesser General Public License. The Free Software Foundation may publish revised and/or new versions of the GNU Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
  • Page 898 royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies...
  • Page 899 Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
  • Page 900 D-Link’s products that are released under General Public License (GPL) or similar licenses mandating code availability. To obtain such a copy, send a written request along with a certified check or money order for 35 US Dollars, made out to D-Link Systems Inc., to the following address: NetDefendOS GPL Source Request D-Link Systems Inc.
  • Page 901: Alphabetical Index

    6in4 tunnel encapsulator, 209, 212 no HA state synchronization, 426, 834 6in4 tunnel servers/brokers, 209 not needed with IP policies, 427 MTU resizing, 211 POP3, 457 NetDefendOS as tunnel server, 212 PPTP, 461 routing table usage, 211 SIP, 463 SMTP, 448 TFTP, 447...
  • Page 902 data leakage, 261 auto-update, 136 direct usage with IP rules, 253 enabling, 253 extended logging, 260 backing up configurations, 136 license expiry behavior, 264 bandwidth guarantees, 787 managing filters, 263 banner files maximum unclassified setting, 258 for web authentication, 635 memory optimization setting, 876 for web content filtering, 521 risk guidelines, 263...
  • Page 903 (Olson) database, 80 omitting the object category, 50 dconsole CLI command, 125 prompt change, 55 Deactivate Before Reconf (HA) setting, 840 reconfiguring NetDefendOS, 56 dead peer detection, 703 restarting/rebooting NetDefendOS, 56 Decrement TTL setting, 390 secure shell, 52...
  • Page 904 pcapdump, 126 changing IP addresses, 185 ping CLI command, 118 CLI command summary, 186 selftest CLI command, 133 default gateway, 182 stats CLI command, 122 disabling, 188 traceroute CLI command, 128 enabling, 188 WCF performance log, 523 IP address, 181 diffie-hellman groups, 689 logical/physical difference, 185 higher groups consume resources, 690...
  • Page 905 MAC, 833 IGMP Last Member Query Interval setting, 374 unused interface problem, 823, 836 IGMP Lowest Compatible Version setting, 374 upgrading NetDefendOS, 837 IGMP Max Interface Requests setting, 375 VPN tunnel synchronization, 834 IGMP Max Total Requests setting, 375...
  • Page 906 Interface Alias (SNMP) setting, 117 enforce local ID, 686 Interface Description (SNMP) setting, 117 HA synchronization support, 834 interfaces, 178 health monitoring options, 721 aggregation, 191 ID lists, 273, 686 core, 179 ike -snoop CLI command, 764 disabling, 180 IKEv2 client setup, 714 groups, 218 invalid IKE payload/cookie error, 772...
  • Page 907 IPv6, 162 local IP address in routes, 288 configuring remote access, 57 Log Checksum Errors setting, 849 managing NetDefendOS, 33 Log Connections setting, 860 Max AH Length setting, 864 Log Connection Usage setting, 861 Max Auto Routes (DHCP) setting, 407...
  • Page 908 Max IPsec IPComp Length setting, 865 cache, 163 Max L2TP Length setting, 865 timing settings, 164 Max lease Time (DHCP) setting, 407 NetDefendOS Max Memory (reassembly) setting, 877 overview, 20 Max OSPF Length setting, 865 packet flow description, 28 Max Other Length setting, 865...
  • Page 909 (see SAT) interface IP addresses, 140 port mirroring (see pcapdump) to base configuration, 133, 139 to factory defaults, 139 authentication with LDAP, 622 restarting NetDefendOS PPPoE, 202 with the CLI, 56 client configuration, 203 restoring backups, 136 client VLAN support, 203...
  • Page 910 client and server on same network, 603 predefined SIP ALG object, 465 IP rules, 233 record-route, 466 many-to-many IP translation, 593 supported scenarios, 463 multiplex rule, 362 using IP policies, 465 one-to-one IP translation, 590 with route failover, 464 paired with NAT, 603 with virtual routing, 464 port forwarding, 588...
  • Page 911 803, 845 Unsolicited ARP Replies setting, 227 in zonedefense, 845 updatecenter CLI command, 881 Timeout setting, 877 upgrading NetDefendOS time servers, 82 release notification alerts, 135 Time Sync Server Type setting, 86 with an HA cluster, 837 Time Zone setting, 85...
  • Page 912 user authentication (see authentication) with IP rules or IP policies, 503 user identity awareness, 641 with whitelisting, 509 IDA excluded users list, 647 web interface, 34, 41 identity awareness agent (IDA), 644 access with CA signed certificates, 45 monitoring, 649 activating configuration changes, 45 with a terminal server, 648...