Service Filter; Schedule; Intrusion Detection / Prevention - D-Link DFL-1100 User Manual

Source Users/Groups – Specifies if an authenticated username is needed for this policy
to match. Either make a list of usernames, separated by a comma, or write Any for any
authenticated user. If it's left blank there is no need for authentication for the policy.
Destination Nets – Specifies the span of IP addresses to be compared to the destination
IP of the received packet. Leave this blank to match everything.
Destination Users/Groups – Specifies if an authenticated username is needed for this
policy to match. Either make a list of usernames, separated by a comma, or write Any for
any authenticated user. If it's left blank there is no need for authentication for the policy.

Service Filter

Either choose a predefined service from the dropdown menu or make a custom filter.
The following custom services exist:
All – This service matches all protocols.
TCP+UDP+ICMP – This service matches all ports on either the TCP or the UDP protocol,
including ICMP.
Custom TCP – This service is based on the TCP protocol.
Custom UDP – This service is based on the UDP protocol.
Custom TCP+UDP – This service is based on either the TCP or the UDP protocol.
The following is used when making a custom service:
Custom source/destination ports – For many services, a single destination port is
sufficient. The source port most often will be all ports, 0-65535. The http service, for
instance, uses destination port 80. (A port range can also be used, meaning that a range
137-139 covers ports 137, 138 and 139.) Multiple ranges or individual ports may also be
entered, separated by commas. For instance, a service can be defined as having source
ports 1024-65535 and destination ports 80-82, 90-92, 95. In this case, a TCP or UDP
packet with the destination port being one of 80, 81, 82, 90, 91, 92 or 95, and the source
port being in the range 1024-65535, will match this service.

Schedule

If a schedule should be used for the policy, choose one from the dropdown menu. These are
specified on the Schedules page. If the policy should always be active, choose Always from
the dropdown menu.

Intrusion Detection / Prevention

The DFL-1100 Intrusion Detection/Prevention System (IDS/IDP) is a real-time intrusion
detection and prevention sensor that identifies and takes action against a wide variety of
suspicious network activity. The IDS uses intrusion signatures, stored in the attack database,
to identify the most common attacks. In response to an attack, the IDS protects the networks
behind the DFL-1100 by dropping the traffic. To notify of the attacks, the IDS sends an email
to the system administrators, if email alerting has been configured. D-Link updates the attack
database periodically. Signatures are available for download at http://support.dlink.com. There
are two modes that can be configured, either Inspection Only or Prevention. Inspection
Only will only inspect the traffic. If the DFL-1100 sees anything, it will log, email an alert