D-Link DFL-1600 User Manual


Network security firewall
Summary of Contents for D-Link DFL-1600

  • Page 3: Table Of Contents

    Preface: Document Version (xvii); Disclaimer (xvii); About this Document.
  • Page 4 Introduction to Certificates; 8.4.2 X.509 Certificates in D-Link Firewall. D-Link Firewalls User’s Guide...
  • Page 5 9.1.2 Ethernet Interfaces in D-Link Firewalls; 9.2 Virtual LAN (VLAN).
  • Page 6 14.2.3 Address translation in D-Link Firewall; 14.3 Scenarios: IP Rules Configuration.
  • Page 7 19.1.2 Pattern Matching (182).
  • Page 8 22.3 SSL/TLS (HTTPS) (243).
  • Page 9 26.2 DHCP Relayer (279).
  • Page 10 27.2 Transparent Mode Implementation in D-Link Firewalls.
  • Page 11 Shutdown (334).
  • Page 12 B Customer Support.
  • Page 13 Figures: 2.1 The OSI 7-Layer Model; 4.1 WebUI Authentication Window; 4.2 WebUI Main Display.
  • Page 14 29.1 Example HA Setup (303).
  • Page 15 Section 10.4: Route Failover Configuration; Section 10.5: Dynamic Routing Configuration; Section 10.6: Static Routing Configuration.
  • Page 19: Document Version

    Document Version: Version No. 1.02. Disclaimer: Information in this user’s guide is subject to change without notice. About this Document: This User’s Guide is designed to be a handy configuration manual as well as an internetworking and security learning tool for network administrators.
  • Page 20: Typographical Conventions

    Typographical Conventions. Example: configuration steps for achieving a certain function. WebUI: example steps for the WebUI. Note: additional information the user should be aware of, and suggestions on configuration that may be taken into consideration. Caution: critical information the user should follow when performing a certain action. Warning: critical information the user MUST follow to avoid potential harm.
  • Page 23: Capabilities

    Capabilities. Product Highlights: the key features of D-Link firewalls can be outlined as: easy-to-use start-up wizard; web-based graphical user interface (WebUI); effective and easy maintenance; complete control of security policies; advanced application layer gateways (FTP, HTTP, H.323); advanced monitoring &...
  • Page 24 Chapter 1. Capabilities: ZoneDefense; High Availability (some models). Details about how to make these features work can be found in specific chapters in this user’s guide.
  • Page 27: The Osi Model

    The OSI Model. The Open Systems Interconnection (OSI) model defines a primary framework for inter-computer communication by categorizing the protocols used by a great variety of network applications into seven smaller, more manageable layers. The model describes how data from an application on one computer is transferred through a network medium to an application on another computer.
  • Page 28 – frames the data. Protocols: Ethernet, PPP, etc. Physical Layer – defines the hardware. D-Link firewalls handle network traffic and perform diverse security and application-support functions throughout the 7 layers of the OSI model.
  • Page 29: Firewall Principles

    This allows you to install less secure network services on your protected networks and prevent all outsiders from ever gaining access to these services. Most firewalls, including D-Link firewalls, ensure that network traffic...
  • Page 30: What Does A Firewall Not Protect Against

    firewall is a necessary first step towards securing your network and computers. This section is not specifically devoted to D-Link firewalls; instead it discusses firewalls in general. The problems described here will occur no matter which firewall you choose to install.
  • Page 31: Attacks On Insecure Pre-Installed Components

    Such attacks include: HTML pages containing JavaScript or Java that attack the network ”from the inside” when the page is viewed in a browser or e-mail program. The only possible protection against this sort of attack,
  • Page 32 At present, the most common targets for data-driven attacks are: public servers such as mail servers, DNS servers and web servers. Web servers are clearly over-represented in this category due to their enormous complexity.
  • Page 33: Internal Attacks

    Some sources put this figure as high as 80%. 3.2.5 Modems and VPN Connections: A common misconception is that modems and VPN gateways are as secure as the protected network and can be connected directly to it without protection.
  • Page 34: Holes Between Dmzs And Internal Networks

    In instances where the firewall features an integrated VPN gateway, it is usually possible to dictate the types of communication permitted. The D-Link Firewall features just such a facility. 3.2.6 Holes between DMZs and Internal Networks Although the advent of extranets and e-commerce has served to drive...
  • Page 35 DMZ and the internal network is made up of a non-routable protocol such as NetBEUI. Again, the problem is not IP packets traversing from insecure networks to the internal network.
  • Page 36 An insurmountable problem may arise when the web server needs to update the data source. The best way of tackling such a problem is to move the affected data source to a separate network segment, thereby decreasing the potential damage in the case of intrusion. D-Link Firewalls User’s Guide...
  • Page 38: Administration

    This part covers basic aspects of D-Link firewall management and administration, including: Configuration Platform Logging Maintenance Advanced Settings...
  • Page 39: Configuration Platform

    Configuring Via WebUI. 4.1.1 Overview: The D-Link firewall can be configured using a web interface. A web interface is usually a fast and efficient way to configure a firewall, since it does not require the administrator to install any specific programs to configure the firewall.
  • Page 40 Chapter 4. Configuration Platform. Figure 4.1: WebUI Authentication Window. Figure 4.2: WebUI Main Display.
  • Page 41 - Interfaces: Displays status for interfaces and tunnels. - IPSec: Displays IPSec status information. - Routes: Displays the current routing table. - DHCP Server: Displays usage information for DHCP servers. - IDS: Displays IDS status information. - SLB: Displays SLB status information.
  • Page 42: Configuration Operations

    When the user has configured the firewall via the WebUI, the configuration will have to be saved and activated before the new configuration will be used by the firewall. This is done via the ”Save and Activate” menu bar option under ”Configuration”.
  • Page 43: Monitoring Via Cli

    Monitoring Via CLI. Administrators can also monitor and troubleshoot the D-Link firewall via the Command-Line Interface (CLI), using the Console port on the firewall. The serial console port is an RS-232 port that enables a connection to a PC or terminal.
  • Page 45: Logging

    Logging is the practice of keeping track of activities pertinent to firewall operation and to the security policy the firewall is enforcing. The log file generated by logging lets administrators see in detail which events have occurred. D-Link firewalls provide a variety of options for logging their activities. 5.1.1 Importance &...
  • Page 46: Events

    5.1.2 Events There are a number of different situations that will cause D-Link firewalls to generate and deliver log data. Each such occasion is referred to as an event.
  • Page 47 – log messages coming from the ARP engine. FRAG – log messages coming from the fragment handling engine. OSPF/DYNROUTING – information for dynamic routing. – route fail over events. PPP/PPPOE/PPTP/L2TP/GRE/IPSEC – events for different tunnels. USERAUTH – events for user authentication. D-Link Firewalls User’s Guide...
  • Page 48: Log Receivers

    5.2.1 Syslog Receiver D-Link Firewall can send log data to syslog recipients. Syslog is a standardized protocol for sending log data to loghosts, although there is no standardized format of these log messages. The format used by D-Link Firewall is well suited for automated processing, filtering and searching.
  • Page 49: Memory Log Receiver

    find the values they are looking for without assuming that a specific piece of data is in a specific location in the log entry. In a D-Link firewall, up to 8 Syslog receivers can be configured, and they can be grouped into one or more receiver groups.
  • Page 51: Maintenance

    This example describes how to upgrade a D-Link Firewall with a new firmware version. WebUI 1. Check Current Version First of all, check which firmware version is currently running on the D-Link Firewall. Status System: Take note of the ”Firmware Version” number seen under ”System Status”.
  • Page 52: Reset To Factory Defaults

    The firmware upload may take several minutes depending on the speed of your connection to the firewall. Reset To Factory Defaults There are three ways to reset the D-Link Firewall to its default firmware and configuration. 1. Reset To Factory Defaults From the WebUI...
  • Page 53 DFL-210/800 will continue to load and startup in default mode, i.e. with 192.168.1.1 on the LAN interface. The following procedure only applies to the DFL-1600/2500: 3. Reset To Factory Defaults Using the Keypad and Display Reset the firewall.
  • Page 54: Backup Configuration

    Chapter 6. Maintenance. Backup Configuration: The D-Link Firewall configuration can be backed up and restored on request. This can for instance be used to recall the ”last known good” configuration when experimenting with different configuration setups. To create a backup of the current running configuration:...
  • Page 55: Advanced Settings

    Advanced Settings Overview Advanced Settings contain various global settings for a firewall in terms of packet size limits, connection timeouts, protocol parameters, the structural integrity tests each packet shall be subjected to, etc. Generally, the default values given in these sections are appropriate for most installations.
  • Page 58: Fundamentals

    From both physical and logical perspectives, this part introduces the basic components of D-Link firewalls, which are the building blocks for security policies and advanced functions. Topics in this part include: Logical Objects; Interfaces; Routing; Date & Time; Log Settings...
  • Page 59: Logical Objects

    Logical Objects. Logical objects are the basic network elements defined in the firewall: the entities that need to be protected, and also the untrusted resources and applications that the security policies should monitor. Address Book: Like a contacts book that records people’s names together with their phone numbers and e-mail addresses, the address book in a firewall is a list of symbolic names associated with various types of addresses, including IP addresses and Ethernet MAC addresses.
  • Page 60 Chapter 8. Logical Objects network to indicate its location. The address book in D-Link firewalls allows administrators to name IP addresses either for a single host, a network, a master/slave pair used in high availability, or a group of computers or interfaces. An address ”0.0.0.0/0”...
  • Page 61: Ethernet Address

    8.1.1 above. Services: Services are software programs using protocol definitions to provide various applications to the network users. Most applications rely on protocols located at OSI layer 7 – Application layer – to provide communication from
  • Page 62: Service Types

    80. Some of the other popular services at this layer include FTP, POP3, SMTP, Telnet, and so on. Besides these officially defined applications, user-customized services can also be created in D-Link firewalls. Services are simplistic, in that they cannot carry out any action in the firewall on their own.
  • Page 63 IP packets, and each message is a separate protocol having its own format. Its content changes depending on the Message Type & Code. The ICMP message types that can be configured in D-Link firewalls along with the various codes are listed as follows: Echo Request –...
  • Page 64 Enter a Name for the new ICMP service. ICMP Parameters: Select the ICMP type and specify the codes for the service. (If the All ICMP Message Types option is selected, this service will match all 256 possible ICMP Message Types.) Click OK.
  • Page 65 Adding a service that matches the GRE protocol (for more information about GRE, please refer to 22.2 PPTP/L2TP). WebUI: Objects, Services, IP Protocol Service, General. Enter the following and then click OK: Name: GRE; IP Protocol: 47.
  • Page 66: Error Report & Connection Protection

    The result is that the ICMP error message will be interpreted by the firewall as a new connection and dropped, if not explicitly allowed by the firewall rule-set. Allowing any inbound ICMP message to be able to have those error messages forwarded is generally not
  • Page 67 DoS (Denial of Service) in particular. To solve this problem, D-Link firewalls can be configured to pass an ICMP error message only if it is related to an existing connection of a service.
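The check described on the two pages above, written out as an added example (not code from the manual or from the device): an ICMP error carries the IP header and first 8 bytes of the packet that caused it, so a stateful firewall can recover the original 5-tuple from the inner header and admit the error only when that 5-tuple is present in its connection table. The packet builders, the addresses and the connection-table layout (a set of `(proto, src, sport, dst, dport)` tuples in the direction the connection was opened) are constructed for this example; IP checksums are left at zero.

```python
import socket
import struct

IP_HDR = "!BBHHHBBH4s4s"                 # 20-byte IPv4 header without options
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}     # unreachable, source quench, redirect, time exceeded, param problem
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet (checksum left zero; constructed sample input only)."""
    header = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_tcp_packet(src, dst, sport, dport, seq=1000):
    """Constructed TCP packet: IPv4 header plus the first 12 bytes of a TCP header."""
    return build_ipv4(src, dst, PROTO_TCP, struct.pack("!HHII", sport, dport, seq, 0))


def build_icmp_error(router, victim, original_packet, icmp_type=3, icmp_code=3):
    """ICMP error as a router sends it: 8-byte ICMP header, then the offending
    packet's IP header plus the first 8 bytes of its payload."""
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + original_packet[:28]
    return build_ipv4(router, victim, PROTO_ICMP, icmp)


def build_icmp_echo_reply(src, dst):
    """A non-error ICMP message, used to show that only error types are related."""
    return build_ipv4(src, dst, PROTO_ICMP, struct.pack("!BBHHH", 0, 0, 0, 1, 1) + b"\x00" * 28)


def parse_ipv4(packet):
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from(IP_HDR, packet, 0)
    return {"ihl": (ver_ihl & 0x0F) * 4, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def related_connection(packet, connections):
    """Return the connection-table key an ICMP error belongs to, or None."""
    outer = parse_ipv4(packet)
    if outer["proto"] != PROTO_ICMP:
        return None
    icmp = packet[outer["ihl"]:]
    if len(icmp) < 8 + 20 + 4 or icmp[0] not in ICMP_ERROR_TYPES:
        return None                          # echo, timestamp etc. are not error messages
    inner_packet = icmp[8:]                  # the packet that triggered the error
    inner = parse_ipv4(inner_packet)
    if inner["proto"] not in (PROTO_TCP, PROTO_UDP) or len(inner_packet) < inner["ihl"] + 4:
        return None
    sport, dport = struct.unpack_from("!HH", inner_packet, inner["ihl"])
    key = (inner["proto"], inner["src"], sport, inner["dst"], dport)
    return key if key in connections else None


def icmp_error_verdict(packet, connections):
    """ALLOW only ICMP errors that relate to an open connection; everything else DROP."""
    return "ALLOW" if related_connection(packet, connections) else "DROP"


if __name__ == "__main__":
    client, server, router = "192.168.1.10", "198.51.100.20", "203.0.113.1"
    connections = {(PROTO_TCP, client, 40000, server, 80)}       # the client's open HTTP session
    syn = build_tcp_packet(client, server, 40000, 80)
    stray = build_tcp_packet(client, "198.51.100.99", 40000, 80)  # no such connection
    print(icmp_error_verdict(build_icmp_error(router, client, syn), connections))    # ALLOW
    print(icmp_error_verdict(build_icmp_error(router, client, stray), connections))  # DROP
    print(icmp_error_verdict(build_icmp_echo_reply(router, client), connections))    # DROP
```

The lookup deliberately uses the inner header's own direction (client to server), which is how the connection was first recorded; an attacker who cannot guess the live 5-tuple cannot get a forged "unreachable" through, which is the DoS case the text warns about.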
  • Page 68: Schedules

    Start Date: Fill in the start time in the format ”yyyy-mm-dd hh:mm:ss” or click the calendar icon and choose a date from the pop-up window. End Date: (same as ”Start Date” above) and then click OK.
  • Page 69: X.509 Certificates

    X.509 Certificates. D-Link firewalls support certificates that comply with the ITU-T X.509 international standard. This technology uses an X.509 certificate hierarchy with public-key cryptography (see 20.2, Introduction to Cryptography) to accomplish key distribution and entity authentication. 8.4.1 Introduction to Certificates...
  • Page 70 When using certificates, the firewall trusts anyone whose certificate is signed by a given CA. Before a certificate is accepted, the following steps are taken to verify the validity of the certificate: - Construct a certification path up to the trusted root CA.
  • Page 71: Certificates In D-Link Firewall

    8.4.2 X.509 Certificates in D-Link Firewall: X.509 certificates can be uploaded to the D-Link Firewall for use in IKE/IPSec authentication, webauth etc. There are two types of certificates that can be uploaded: self-signed certificates, and remote certificates belonging to a remote peer or CA server.
  • Page 73: Interfaces

    An Ethernet interface represents a physical Ethernet adapter used in the firewall. The configuration of an Ethernet interface involves the assignment of an IP address and other parameters, to make the interface accessible to the network layer. When installing a D-Link firewall, all supported Ethernet adapters in the...
  • Page 74: Ethernet Interfaces In D-Link Firewalls

    IP addresses of an interface after the primary installation. 9.1.2 Ethernet Interfaces in D-Link Firewalls Configuration of an Ethernet interface mainly includes specifying the name and the addresses. An IP address is bound to every interface that may be used to ping the firewall, remotely control it, and be set by the firewall as...
  • Page 75 (By checking these options and specifying the metric value, the interface configured here will be added into the Main Routing Table as routes for destination address information. The default metric value is 100.) High Availability: Private IP Address selection. D-Link Firewalls User’s Guide...
  • Page 76: Virtual Lan (Vlan)

    A simple infrastructure of VLAN is shown in Figure 9.1. In this case, a D-Link firewall is configured to have 2 VLAN interfaces. Now, although the clients and servers are still sharing the same physical media, Client A can only communicate with Server D and the firewall since they are configured...
  • Page 77: Q Vlan Standard

    There are 12 bits for the VID within each 4-byte tag. With these 12 bits of identifier, there could be up to 4096 VLANs on a physical network. However, all ones is reserved and all zeros indicates no VLAN association. All other identifiers can be used to indicate a particular VLAN.
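The tag layout described above, as an added example (not code from the manual): an 802.1Q tag is announced by EtherType 0x8100 at the position where an untagged frame carries its EtherType, followed by a 16-bit TCI holding a 3-bit priority, a 1-bit drop-eligible flag and the 12-bit VID. The parser below extracts the VID and applies the two special cases the text names (VID 0 means no VLAN association, VID 4095 is reserved) before mapping the frame onto a VLAN interface. The frame builder, the MAC addresses and the VID-to-interface dictionary are constructed for this example.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
VID_NONE = 0x000             # all zeros: priority-tagged frame, no VLAN association
VID_RESERVED = 0xFFF         # all ones: reserved, never assigned to a VLAN


def build_tagged_frame(vid, pcp=0, dei=0, ethertype=0x0800, payload=b"\x45\x00"):
    """Build a constructed Ethernet frame carrying an 802.1Q tag (sample input only)."""
    if not 0 <= vid <= 0xFFF:
        raise ValueError("VID must fit in 12 bits")
    tci = (pcp << 13) | (dei << 12) | vid          # 3-bit PCP, 1-bit DEI, 12-bit VID
    dst_mac = bytes.fromhex("001122334455")        # constructed addresses
    src_mac = bytes.fromhex("66778899aabb")
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_vlan_tag(frame):
    """Return (vid, pcp, dei, inner_ethertype) for a tagged frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)  # EtherType slot of an untagged frame
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    vid = tci & 0x0FFF
    pcp = tci >> 13
    dei = (tci >> 12) & 0x1
    return vid, pcp, dei, ethertype


def classify_vid(vid):
    """Map a 12-bit VID onto the three cases the 802.1Q standard distinguishes."""
    if vid == VID_NONE:
        return "priority-tagged"   # carries a PCP but belongs to no VLAN
    if vid == VID_RESERVED:
        return "reserved"
    return "vlan"


def vlan_interface_for_frame(frame, configured):
    """Pick the firewall's VLAN interface for a frame.

    `configured` maps VID -> interface name (an assumed structure for this example).
    Returns "untagged" for plain frames, the interface name for a known VID, and
    None (drop) for reserved, priority-tagged or unconfigured VIDs.
    """
    tag = parse_vlan_tag(frame)
    if tag is None:
        return "untagged"
    vid = tag[0]
    if classify_vid(vid) != "vlan":
        return None
    return configured.get(vid)      # None when the firewall has no interface for this VID


if __name__ == "__main__":
    ifaces = {10: "vlan10", 20: "vlan20"}
    for vid in (10, 20, 30, 0, 4095):
        frame = build_tagged_frame(vid)
        print(vid, parse_vlan_tag(frame), vlan_interface_for_frame(frame, ifaces))
```

Dropping frames whose VID has no configured interface is the conservative choice for a firewall: a tag the switch was never meant to forward to the firewall port should not silently land on the untagged interface.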
  • Page 78: Vlan Implementation

    firewall will be able to recognize the membership and destination of that VLAN communication. VLANs in D-Link firewalls are useful in several different scenarios, for instance, when firewall filtering is needed between different departments in an organization, or when the number of interfaces needs to be expanded.
  • Page 79: Using Virtual Lans To Expand Firewall Interfaces

    Interfaces Virtual LANs are excellent tools for expanding the number of interfaces in D-Link Firewalls. The D-Link Firewalls with gigabit Ethernet interfaces can easily be expanded with 16 new interfaces by using a 16-port Ethernet switch with gigabit uplink port and Virtual LAN support.
  • Page 80: Dhcp

    IP address. The D-Link Firewall appliance can act as a DHCP client, a DHCP server, or a DHCP relayer on its interfaces.
  • Page 81: Pppoe

    Supports security and access control – username/password authentication is required, and the provider can track an IP address to a specific user. Automatic IP address allocation for PC users (similar to DHCP, 9.3).
  • Page 82: Ppp

    More about the application and security of PPP can be found in section 22.2 PPTP/L2TP. 9.4.2 PPPoE Client Configuration: D-Link firewalls allow users a secure and easy-to-manage connection to the ISP.
  • Page 83 PPPoE interface. It is possible to configure how the firewall should sense activity on the interface, either on outgoing traffic, incoming traffic or both. Also configurable is the time to wait with no activity before the tunnel is disconnected.
  • Page 84 It is possible to specify exactly which protocols the PPPoE client should try to authenticate with. We keep the default settings for authentication. Dial-on-demand: Enable Dial-on-demand: Disable. Advanced: If ”Add route for remote network” is enabled, a new route will be added for this interface. Then click OK.
  • Page 85: Interface Groups

    Interfaces: Select the interfaces that should be a part of the group. Then click OK. Use the Interface Group: An interface group can be used in various object configurations. For example, IP rules and user authentication rules can use interface groups.
  • Page 86: Arp

    Publishing an IP address using ARP can serve two purposes: To aid nearby network equipment responding to ARP in an incorrect manner (this area of use is less common). To give the impression that an interface of the firewall has more than one IP address.
  • Page 87 For published IP addresses to work correctly it might be necessary to add a new route (see Routing). If an additional address is added for an interface, the core interface should probably be specified as the interface when configuring the route.
  • Page 88 Interface: Select the interface that should have the extra IP address. IP Address: Specify the IP address to add to the above interface. MAC: Leave it at 00-00-00-00-00-00 to use the MAC address of the interface. Then click OK.
  • Page 89: Routing

    Routing. 10.1 Overview: Routing is a major function of the network layer (OSI layer 3); it determines how to transport packets from the initiating host to the desired receiver. The devices functioning at the network layer, such as routers or firewalls, perform routing to achieve two primary tasks: path determination and packet switching.
  • Page 90: Routing Hierarchy

    An AS can be, for example, all computer networks owned by a university or a company’s private network. The organization is able to run and administer its network with its own policies and preferred routing algorithm independently, while still being able to connect to the ”outside”
  • Page 91: Routing Algorithms

    If a route is not properly configured in the routing table, so that when the router looks up the table to determine a path no suitable route can be found, it will
  • Page 92: Dynamic Routing

    As defined in this algorithm, each router broadcasts its attached links and link costs to all the other routers in the network. A router, upon receiving broadcasts from the
  • Page 93 OSPF has a relatively higher cost than RIP, i.e. it needs more CPU power and memory, and can therefore be more expensive to implement. D-Link firewalls deploy OSPF as the dynamic routing algorithm. Routing metrics: Routing metrics (the costs) are the criteria a routing algorithm uses to compute the ”best”...
  • Page 94: Ospf

    10.3.3 OSPF OSPF is the embedded dynamic routing algorithm in D-Link firewalls. From the previous section, we see the main characteristics of OSPF as a Link state routing algorithm. Now we look at the actual operation of this algorithm.
  • Page 95 DR and BDR are automatically elected by ”Hello” protocol on every OSPF broadcast network. The which is configurable on a per-interface basis is the parameter that controls the election. The router with the highest priority number becomes D-Link Firewalls User’s Guide...
  • Page 96 Due to any change in routing information, a router will save a new copy of link state into its database and send LSA to DR. The DR then flood the update to all participating routers in the area to synchronize the link-state database. Path determination – ”SPF” D-Link Firewalls User’s Guide...
  • Page 97: Route Failover

    Routes can be monitored in two ways. A monitored route is considered down if the link status on its interface is down, or if the default gateway doesn’t answer ARP requests. It is possible to use both monitoring methods at the same time.
  • Page 98: Scenario: Route Failover Configuration

    Internet. ISP A is connected to the WAN1 interface of the firewall and ISP B is connected to interface WAN2. In order to configure the D-Link firewall to use ISP A as primary ISP, and ISP B as backup ISP, monitored routes will have to be configured.
  • Page 99 Next step is to add a default route for interface WAN2. Routes, Main Routing Table, Route: Enter the following: General: Interface: WAN2; Network: 0.0.0.0/0; Gateway: Default gateway of ISP B; Local IP Address: (None); Metric: 2. Then click OK.
  • Page 100 14.3 IP Rules Configuration for details on how to configure rules. Note: The default route for interface WAN2 will not be monitored. The reason for this is that we have no backup route for the route over interface WAN2.
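The route failover scenario above (pages 97 to 100), worked through as an added example that is not part of the manual: two default routes over WAN1 and WAN2 with metrics 1 and 2, the WAN1 route monitored by link state and by whether its gateway answers ARP, the WAN2 route left unmonitored as the Note explains. Lookups prefer the longest matching prefix and then the lowest metric among routes that are currently up, so traffic shifts to WAN2 only while the WAN1 route is down and returns when it recovers. The ISP gateway addresses, the LAN network and the monitoring inputs are assumed values for this example; a real firewall feeds the monitor from its link and ARP engines.

```python
import ipaddress


class Route:
    """One entry of the Main Routing Table (field names mirror the WebUI form)."""

    def __init__(self, interface, network, gateway=None, metric=100, monitored=False):
        self.interface = interface
        self.network = ipaddress.ip_network(network)
        self.gateway = gateway
        self.metric = metric
        self.monitored = monitored   # route failover: watch link state and gateway ARP


class RoutingTable:
    def __init__(self):
        self.routes = []
        self.link_up = {}           # interface name -> bool (link status), assumed input
        self.gateway_answers = {}   # gateway IP -> bool (replied to ARP request), assumed input

    def add(self, route):
        self.routes.append(route)

    def set_link(self, interface, up):
        self.link_up[interface] = up

    def set_gateway_reachable(self, gateway, answers):
        self.gateway_answers[gateway] = answers

    def route_is_up(self, route):
        """A monitored route is down if its link is down or its gateway ignores ARP."""
        if not route.monitored:
            return True
        if not self.link_up.get(route.interface, True):
            return False
        if route.gateway is not None and not self.gateway_answers.get(route.gateway, True):
            return False
        return True

    def lookup(self, destination):
        """Longest-prefix match among usable routes; the lowest metric breaks ties."""
        dst = ipaddress.ip_address(destination)
        usable = [r for r in self.routes if dst in r.network and self.route_is_up(r)]
        if not usable:
            return None
        return min(usable, key=lambda r: (-r.network.prefixlen, r.metric))


def build_two_isp_table():
    """The WAN1/WAN2 scenario from the text; gateway and LAN addresses are assumed."""
    table = RoutingTable()
    table.add(Route("lan", "192.168.1.0/24"))                                        # interface route
    table.add(Route("WAN1", "0.0.0.0/0", "198.51.100.1", metric=1, monitored=True))  # ISP A, primary
    table.add(Route("WAN2", "0.0.0.0/0", "203.0.113.1", metric=2))                   # ISP B, backup
    return table


def egress_interface(table, destination):
    route = table.lookup(destination)
    return route.interface if route else None


if __name__ == "__main__":
    t = build_two_isp_table()
    print(egress_interface(t, "8.8.8.8"))            # WAN1 while ISP A is healthy
    t.set_gateway_reachable("198.51.100.1", False)   # ISP A's gateway stops answering ARP
    print(egress_interface(t, "8.8.8.8"))            # WAN2
    print(egress_interface(t, "192.168.1.5"))        # lan: longest prefix wins over metric
```

Note what the model does not do: when WAN1 is marked down, existing connections are not moved; as the manual's page 100 points out, the IP rules for the WAN2 path must exist in advance or the failover will route packets that the rule-set then drops.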
  • Page 101: Dynamic Routing Implementation

    10.5 Dynamic Routing Implementation: In D-Link firewalls, the implementation of dynamic routing involves two primary configuration tasks: the OSPF process and the dynamic routing policy. Note: OSPF functionality is only available in the D-Link firewall models DFL-800/1600/2500. 10.5.1 OSPF Process: An OSPF process configured in the firewall groups OSPF-participating...
  • Page 102: Scenarios: Dynamic Routing Configuration

    Some of the networks will be accessible through both interfaces, so that some redundancy can be achieved if one path becomes unreachable. This is done by placing the two interfaces ”lan1” and ”lan2” into a security-equivalent interface group.
  • Page 103 Select one of the authentication types to be used in the process (none, password, or MD5). Then click OK. 2. Area: – specifying an area for the ”ospf-proc1” process. In the ”ospf-proc1” configuration page: Area: General: Name: ”area0”; Area ID: 0.0.0.0. Then click OK.
  • Page 104 Select ”lan1” and ”lan2” from the Available list and put them into the Selected list. Then click OK. Note: Make sure that the firewall’s IP rules which allow traffic through these interfaces use this interface group as source interface.
  • Page 105 It is assumed that a previously configured OSPF process named ”ospf-proc1” has been created. In this scenario, all received routes from ”ospf-proc1” will be added into the main routing table, as this is not done automatically in the D-Link firewall. WebUI 1. Dynamic Routing Rule:...
  • Page 106 Select the main routing table from the Available list and put it into the Selected list. Destination Network Exactly Matches: all-nets. Then click OK. 2. OSPF Actions: In the ”exportDefRoute” configuration page: OSPF Actions, Export OSPF: General: Export to process: Select ”ospf-proc1” from the dropdown list. Then click OK.
  • Page 107: Scenario: Static Routing Configuration

    Interface: Select ”lan”. Network: Select the network address object (192.168.2.0/24). Gateway: Select the router’s address object (192.168.1.10). Then click OK. This will allow the firewall to route traffic destined for the 192.168.2.0/24 network through the router at 192.168.1.10.
  • Page 108: Policy Based Routing(Pbr)

    flow based on various criteria, such as source addresses and service types. Moreover, D-Link firewalls extend the benefits of PBR further by looking not just at packets one by one but also at state information, so that the policy can control both the forward and the return direction.
  • Page 109: Policy-Based Routing Tables

    – All users share a common active backbone, but can use different ISPs, subscribing to different streaming media providers. PBR implementation in D-Link firewalls consists of two elements: One or more named PBR tables in addition to the normal routing table.
  • Page 110 Remove Interface IP Routes: If enabled, the default interface routes are removed, i.e. routes to the core interface, which are routes to the firewall itself. Then click OK D-Link Firewalls User’s Guide...
  • Page 111: Scenario: Pbr Configuration

    2-ISP scenario, with the network 1.2.3.0/24 belonging to ”ISP A” and ”2.3.4.0/24” belonging to ”ISP B”. The ISP gateways are 1.2.3.1 and 2.3.4.1, respectively. All addresses in this scenario are public addresses, for simplicity’s sake.
  • Page 112 (0.0.0.0/0). Contents of the Policy-based Routing Policy (columns: Source Interface, Source Range, Dest. Interface, Dest. Range, Service, Forward, Return): LAN1, 2.3.4.0/24, WAN2, 0.0.0.0/0, main; WAN2, 0.0.0.0/0, LAN1, 2.3.4.0/24, main.
  • Page 113 We need to add two PBR policies according to the list of policies shown earlier. Routing, Policy-based Routing Policy, Policy-based Routing Rule: Enter the information found in the list of policies displayed earlier. Repeat this step to add the second rule.
  • Page 114: Proxy Arp

    firewall always publishes the addresses as belonging to the firewall itself; it is therefore not possible to publish addresses belonging to other hardware addresses. Note: It is only possible to Proxy ARP on Ethernet and VLAN interfaces.
  • Page 115: Date & Time

    Date & Time Correctly set date and time is of greatest importance for the product to operate properly. For instance, time scheduled policies and auto-update of IDS signatures are two features that require the clock to be correctly set. In addition, log messages are tagged with time stamps in order to point out exactly when a specific event did occur.
  • Page 116: Setting The Date And Time

    To modify the time zone, follow the steps outlined below: WebUI: System, Date and Time: Time zone and daylight saving time settings. Time zone: select the appropriate time zone in the dropdown list. Then click OK.
  • Page 117: Daylight Saving Time(Dst)

    Check Enable daylight saving time. Offset: enter the number of minutes the clock should be advanced during DST. Start Date: select the starting date of the DST period in the dropdown list. End Date: select the ending date. Then click OK.
  • Page 118: Time Synchronization

    Please note that the product always queries all configured timeservers in order to compute an average time based on the responses from all servers. Search engines on the Internet can be used to find updated lists of publicly available timeservers.
  • Page 119: Maximum Adjustment

    System, Date and Time: Automatic time synchronization. Check Enable time synchronization. Select the following from the dropdown lists: Time Server Type: SNTP; Primary Time Server: dns:ntp1.sp.se; Secondary Time Server: dns:ntp2.sp.se; Tertiary Time Server: (None). Click OK.
  • Page 120 Chapter 11. Date & Time. Note: This example uses domain names instead of IP addresses. Therefore, make sure the DNS client settings of the system are properly configured as described in DNS.
  • Page 121: Dns

    DNS servers configured in the firewall to all clients that request an IP lease. The example below describes how to configure DNS servers in D-Link firewalls. The configured servers are used by the internal DNS client as well as other subsystems such as the DHCP server.
  • Page 123: Log Settings

    firewall’s startup and shutdown, logging needs to be enabled manually in specific sections of the firewall’s configuration. To set up logging in D-Link firewalls, the following two steps are required: 1. Define one or several log receivers.
  • Page 124: Enabling Logging

    Syslog facilities ”local0” through ”local7”. Severity is the degree of urgency attached to the logged event message. D-Link firewalls can be set to send messages at different severity levels. Sorted from highest to lowest importance, these levels are: Emergency, Alert, Critical, Error, Warning, Notice, Info, and Debug.
  • Page 125 To check the log file contents stored by the memory log receiver, follow the steps below: WebUI: Menu Bar: Status, Logging: 100 items of newly generated events can be displayed per page. To see previous events, press next.
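An added example of what a syslog receiver does with the facility and severity settings above and with the key=value style of message that page 48 and page 49 describe (values found by key rather than by position); it is not code from the manual or from the device. The PRI value in angle brackets is facility * 8 + severity as defined in RFC 3164, so ”local0” with severity Warning arrives as `<132>`. The sample lines are constructed in a generic key=value style for this example and do not reproduce the firewall's documented log format or its event names.

```python
import re

# RFC 3164 numbering: the eight local-use facilities and the severities, most severe first.
FACILITY_CODES = {f"local{i}": 16 + i for i in range(8)}
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. local0/warning -> 132."""
    return FACILITY_CODES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    facility_code, severity_code = divmod(pri, 8)
    by_code = {v: k for k, v in FACILITY_CODES.items()}
    return by_code.get(facility_code, f"facility{facility_code}"), SEVERITIES[severity_code]


def parse_syslog_line(line):
    """Split one received line into facility, severity and its key=value fields.

    Fields are located by key, never by position, so the receiver keeps working
    when the sender adds or reorders fields.
    """
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"missing PRI: {line!r}")
    facility, severity = decode_pri(int(m.group(1)))
    fields = {key: value.strip('"') for key, value in KV_RE.findall(m.group(2))}
    return {"facility": facility, "severity": severity, **fields}


def filter_events(lines, min_severity="warning", **must_match):
    """Keep events at `min_severity` or more severe whose fields equal `must_match`."""
    threshold = SEVERITIES.index(min_severity)
    selected = []
    for line in lines:
        event = parse_syslog_line(line)
        if SEVERITIES.index(event["severity"]) > threshold:
            continue
        if all(event.get(k) == v for k, v in must_match.items()):
            selected.append(event)
    return selected


# Constructed sample lines (facility local0) in a key=value style; not the device's format.
SAMPLE_LINES = [
    "<132>fw1 category=RULE event=drop rule=DropAll recvif=wan srcip=203.0.113.9 destip=198.51.100.5 ipproto=TCP destport=23",
    "<134>fw1 category=CONN event=open rule=allow_http recvif=lan srcip=192.168.1.10 destip=198.51.100.20 ipproto=TCP destport=80",
    '<129>fw1 category=USERAUTH event=login_failed user="admin" recvif=wan srcip=203.0.113.9',
    "<135>fw1 category=ARP event=resolve recvif=lan ip=192.168.1.1",
]

if __name__ == "__main__":
    for event in filter_events(SAMPLE_LINES, "warning"):
        print(event["severity"], event["category"], event["event"])
    for event in filter_events(SAMPLE_LINES, "debug", recvif="wan"):
        print("from wan:", event["category"], event["srcip"])
```

A receiver that keys its alerting on `recvif=wan` plus a severity threshold, as in the second loop, turns the DropAll rule's log entries and failed admin logins from the outside into a usable signal without parsing positional text.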
  • Page 128: Security Policies

    Security policies regulate the behaviour of network applications to protect against abuse and inappropriate use. D-Link firewalls provide various mechanisms to aid administrators in building security policies for attack prevention, privacy protection, identification, and access control. Topics in this part include: IP Rules; Access (Anti-spoofing)
  • Page 129: IP Rules

    Everything is permitted unless specifically denied. In order to provide the highest possible level of security, default deny is the default policy in D-Link firewalls. The default deny is accomplished without a visible rule in the list. However, for logging purposes, the rule list commonly has a DropAll rule at the bottom with logging enabled.
  • Page 130: Fields

    firewall. A rule is expressed in a definite form, consisting of two logical parts: the fields and the action. The subsections below explain the parameters of a rule that are available in D-Link firewalls. 14.1.1 Fields Fields are some pre-defined and reusable network objects, such as Addresses...
  • Page 131: Action Types

    NAT or FwdFast rule further down. (See Example) Drop: Tells the firewall to immediately discard the packet. Reject: Acts like Drop, but will return a TCP-RST or ICMP-Unreachable message, telling the sender that the packet was disallowed.
  • Page 132: Address Translation

    Overview For functionality and security considerations, Network Address Translation (NAT) is widely applied for home and office use today. D-Link firewalls provide options to support both Dynamic and Static NAT. These two types are represented by the NAT and SAT rule settings respectively.
  • Page 133 NAT-enabled firewalls, for example, D-Link firewalls, handle all the translation and redirection work for passing traffic and can provide ways to restrict access to the Internet at the same time.
  • Page 134: Address Translation In D-Link Firewall

    NAT-enabled firewall with rule settings specified for traffic. 14.2.3 Address translation in D-Link Firewall D-Link firewalls support two types of address translation: dynamic (NAT hide), and static (SAT). Dynamic Network Address Translation The process of dynamic address translation involves the translation of multiple sender addresses into one or more sender addresses; for example, private IP addresses are mapped to a set of public IP addresses.
  • Page 135 The private IP address of the server is mapped to a public static IP address, which can be seen from the Internet. In D-Link firewalls, SAT is implemented to provide many important functions, for example: - DMZ & Port Forwarding: SAT supports the use of a DMZ network to provide public services to the Internet, while protecting the private network from unnecessary exposure to the outside world.
  • Page 136: Scenarios: IP Rules Configuration

    firewall. 1. Define an ICMP service object and name it ”ping-inbound”. (Note that the D-Link Firewall is delivered with a ”ping-inbound” service configured by default, which can be used.) 2. Create a new Rule with name ”Ping to Ext”, and Allow the service from Any interface on all-nets to the firewall’s core interface on ip ext...
  • Page 137 WebUI 1. Create HTTP Service If no http service is defined, we need to create a new service. Objects Services TCP/UDP Service: Name: http Type: TCP Source: 0-65535 Destination: 80 Then click OK
  • Page 138 The final step is to create the rule that will NAT DNS traffic from internal interfaces out on external interfaces. Rules IP Rules IP Rule: Name: DNS from LAN Action: NAT Service: dns-all Source Interface: LAN Source Network: lan-net Destination Interface: any Destination Network: all-nets Then click OK
  • Page 139 Thus, we translate port 80 on the firewall’s external address to port 80 on the web server: 1. Add an ”HTTP” service object that uses TCP port 80.
  • Page 140 IP Rule: Name: SAT to WebServer Action: SAT Service: http Source Interface: any Source Network: all-nets Destination Interface: core Destination Network: ip ext Translate the: Destination IP Address To New IP Address: ip webserver Then click OK
  • Page 141 NAT, and this second rule line must be placed below the initiating SAT rule. The initiating SAT rule does nothing to the actual data. If there is a match with the packet received and a SAT rule, the firewall will
  • Page 142 WAN) on all-nets to the firewall’s external public address ip ext. Determining the best course of action and the sequential order of the rules must be done on a case-by-case basis, taking all circumstances into account.
  • Page 143: Access (Anti-Spoofing)

    Access (Anti-spoofing) 15.1 Overview The primary function of any firewall is to control the access to protected data resources, so that only authorized connections are allowed. Access control is basically addressed in the firewall’s IP rules (introduced in 14. Rules). According to the rules, the firewall considers a range of protected LAN addresses as trusted hosts, and restricts the traffic flow from the untrusted Internet going into the trusted area, and also the other way around.
  • Page 144: Anti-Spoofing

    Anti-spoofing To equip the firewalls with anti-spoofing capability, an extra filter performing source address verification is needed. D-Link firewalls give network administrators choices for source-based IP filtering by Other features provided by D-Link firewalls, such as User Authentication...
  • Page 145 If the interface matches, the packet is accepted in the same manner as by the Accept action. If the interfaces do not match, the packet is dropped in the same manner as by the Drop action. Logging can be enabled on demand for these actions. (Refer to Logging)
  • Page 146: Scenario: Setting Up Access Rule

    The following rule will make sure that no traffic with a source address not within the lan-net network is received on the LAN interface. Rules Access Access Rule: Name: LAN Access Action: Expect Interface: LAN Network: lan-net Then click OK
  • Page 147: DMZ & Port Forwarding

    Internet to DMZ computers without direct contact with the inner LAN. Obviously, this approach adds an extra layer of protection to the Intranet–firewall–Internet infrastructure. D-Link firewalls offer support for DMZ planning and protection through network object, Interface and Rules configurations.
  • Page 148 – DMZ. Figure 16.1: A Web Server in DMZ In this example, we have a D-Link firewall connecting a private LAN, a DMZ subnetwork, and the Internet, shown in Figure 16.1. The firewall takes charge of a) all the connections from the Internet to the DMZ; b) necessary connections from the DMZ to the private LAN.
  • Page 149: DMZ Planning

    : The Web server on DMZ net needs to open some ports on Int net to access the Database Server. If the Web Server is taken over by intrusion, the Database Server and other components on Int net may be exposed to attacks.
  • Page 150: Benefits

    Dividing the DMZ into different zones helps to apply restrictive security policies to components that have different functions and levels of security. The scalability of the network architecture is increased by placing components on different subnetworks.
  • Page 151: User Authentication

    User Authentication 17.1 Authentication Overview Before any user’s service request is authorized according to the firewall’s security policies, the firewall needs to verify the identity of the user, to ensure that the corresponding user is who she or he claims to be. Authentication is the process that addresses this issue.
  • Page 152: Password Criterion

    User authentication is frequently used in services such as HTTP, FTP, and VPN. D-Link firewalls use Username/Password as the primary authentication method, strengthened by encryption algorithms. The basic concepts of encryption are covered in 20.2 Introduction to...
  • Page 153: User Types

    Layer 2 tunnels, which apply encryption on the basis of user input passwords (See 22.2 PPTP/L2TP). 17.1.3 User Types D-Link firewalls and authentication schemes give support to diverse users. The user types can be: administrators
  • Page 154: Authentication Components

    – group of users that are subject to the same regulation criterion 17.2 Authentication Components D-Link firewalls can either use a locally stored database, or a database on an external server to provide user authentication. 17.2.1 Local User Database (UserDB) The Local User Database is a built-in registry inside D-Link firewalls,...
  • Page 155: Authentication Agents

    CHAP. Originally developed for dial-up remote access, RADIUS is now supported by VPN, wireless access points, and other network access types. A RADIUS client, such as a D-Link firewall, sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server.
  • Page 156: Authentication Rules

    XAUTH phase. For the same reason, only one XAUTH user authentication rule can be defined. XAUTH is only used to set up IPsec VPN tunnels.
  • Page 157: Authentication Process

    17.3. Authentication Process 17.3 Authentication Process A D-Link firewall performs user authentication as follows: A user connects to the firewall to initiate authentication. The firewall receives the user’s request on its interface, and notes in the IP rule set that this traffic is allowed to reach its core authentication agent.
  • Page 158 firewall configuration, while users that belong to the auditors group are only allowed to view the firewall configuration. Press the buttons under the Groups edit box to grant these group memberships to a user.
  • Page 159 first step. As explained in 14 IP Rules, all other traffic that is not explicitly allowed by the IP rule, for example, the unauthenticated traffic coming from the interface where authentication is
  • Page 160 Example: Specifying a TCP service – HTTP) Address Filter Choose the following from the drop down lists: Source Interface: lan Destination Interface: core Source Network: lannet Destination Network: lan ip Comments: Allow HTTP connections to the firewall’s authentication agent. Click OK.
  • Page 161 Address Filter Source Interface: lan Source Network: lannet users Destination Network: all-nets (Note here the source network is an address object containing user authentication information.) Comments: Allow authenticated ”users” from ”lannet” to browse the Web on the Internet. Click OK.
  • Page 162 firewall will try to use these timeouts, prior to the timeout values specified above. If no timeouts are received from the authentication server, the timeout values specified above will be used. 4. Another Restrictions setting is Multiple Username Logins. Three options are available as explained below:
  • Page 163 If so, the old user will be removed, and this new user will be logged in. If not, the new login request will be rejected. The time period for this option can be defined in the edit box.
  • Page 164 Chapter 17. User Authentication
  • Page 166: Content Inspection

    In addition to inspecting packets at the network layer (OSI layer 3), D-Link firewalls are capable of examining the content of each packet to give far more powerful and flexible protection on higher layers. Topics in this part include:...
  • Page 167: Application Layer Gateway (ALG)

    Overview To complement the limitations of packet filtering, which only inspects packet headers, such as IP, TCP, UDP, and ICMP headers, D-Link firewalls embed an Application Layer Gateway (ALG) to support higher level protocols that carry address information within the payload.
  • Page 168: FTP

    FTP client on the internal network connects through the firewall to an FTP server on the Internet. The IP rule in the firewall is then configured to allow network traffic from the FTP client to port 21 on the FTP server.
  • Page 169 This implementation results in both the FTP client and the FTP server working in their most secure mode. Naturally, the conversion also works the other way around, that is, with the FTP client using active mode and the FTP server using passive mode.
  • Page 170: Scenarios: FTP ALG Configuration

    Protecting an FTP Server Figure 18.1: FTP ALG Scenario 1 In this example, an FTP server is connected to a D-Link firewall on a DMZ with private IP addresses, shown in Figure 18.1. To make it possible to connect to this server from the Internet using the FTP ALG, the FTP ALG and firewall rules should be configured as follows:...
  • Page 171 (assume the external interface has been defined as ”ip-ext”) SAT: Check Translate the Destination IP Address New IP Address: ftp-internal. (Assume this internal IP address of the FTP server has been defined in the Address Book object.) New Port: 21. Then click OK.
  • Page 172 Then click OK. – Allow incoming connections (SAT needs a second Allow rule): Rules IP Rules IP Rule: General: Name: Allow-ftp Action: Allow Service: ftp-inbound Address Filter: Source Interface: any Destination Interface: core Source Network: all-nets Destination Network: ip-ext Then click OK.
  • Page 173 Protecting FTP Clients Figure 18.2: FTP ALG Scenario 2 In this scenario, shown in Figure 18.2, a D-Link firewall is protecting a workstation that will connect to FTP servers on the Internet. To make it possible to connect to these servers from the internal network using the FTP ALG, the FTP ALG and firewall rules should be configured as follows:...
  • Page 174 ”ftp-outbound” as described earlier. – Allow connections to FTP servers on the outside: Rules IP Rules IP Rule: General: Name: Allow-ftp-outbound Action: Allow Service: ftp-outbound Address Filter: Source Interface: lan Source Network: lannet Destination Network: all-nets Then click OK.
  • Page 175: HTTP

    18.3.1 Components & Security Issues To enable more advanced functions and extensions to HTTP services, some add-on components, known as ”active contents”, usually accompany the HTTP response to the client computer.
  • Page 176: Solution

    This can also contain confidential information. 18.3.2 Solution D-Link firewalls address the security issues shown in the previous section by Stripping Contents and URL Filtering. Stripping Contents In D-Link HTTP ALG configuration, some or all of the active contents mentioned previously can be stripped away from HTTP traffic upon...
  • Page 177 Example: Configuring HTTP ALG In this example, an HTTP ALG in a D-Link firewall is created. It is configured to strip ActiveX objects, which will block displays such as Macromedia Flash and Shockwave. An undesired address is added to the blacklist.
  • Page 178: H.323

    H.323 is considered to be the standard for interoperability in audio, video and data transmissions as well as Internet phone and voice-over-IP (VoIP). 18.4.2 H.323 Components The H.323 standard consists of these four main components: Terminals Gateways Gatekeepers
  • Page 179: Protocols

    The different protocols used in H.323 are briefly described below: H.225 RAS Signaling and Call Control (Setup) Signaling The H.225 protocol is used for call signaling, that is, it is used to establish a connection between two H.323 endpoints (terminals). This call
  • Page 180: H.323 ALG Overview

    The H.323 ALG is a flexible application layer gateway that allows H.323 devices such as H.323 phones and applications to make and receive calls between each other while connected to private networks secured by D-Link Firewalls. The H.323 specification was not designed to handle NAT, as IP addresses and ports are sent in the payload of H.323 messages.
  • Page 181: Scenarios: H.323 ALG Configuration

    For each scenario a configuration example of both the ALG and the rules is presented. The three service definitions used in these scenarios are: Gatekeeper (UDP ALL 1719) H323 (H.323 ALG, TCP ALL 1720) H323-Gatekeeper (H.323 ALG, UDP 1719)
  • Page 182 Figure 18.3: H.323 Scenario 1. Using Public IP Addresses In the first scenario an H.323 phone is connected to a D-Link Firewall on a network (lan-net) with public IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure...
  • Page 183 Then click OK Using Private IP Addresses In this scenario an H.323 phone is connected to a D-Link Firewall on a network with private IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure firewall rules.
  • Page 184 1. Outgoing Rule Rules IP Rules IP Rule: Enter the following: Name: H323Out Action: NAT Service: H323 Source Interface: LAN Destination Interface: any Source Network: lan-net Destination Network: 0.0.0.0/0 (all-nets) Comment: Allow outgoing calls. Then click OK
  • Page 185 Comment: Allow incoming calls to H.323 phone at ip-phone. Then click OK To place a call to the phone behind the D-Link Firewall, place a call to the external IP address on the firewall. If multiple H.323 phones are placed behind the firewall, one SAT rule has to be configured for each phone.
  • Page 186 Using Public IP Addresses This scenario consists of two H.323 phones, each one connected behind a D-Link Firewall on a network with public IP addresses. In order to place calls on these phones over the Internet, the following rules need to be added to the rule listings in both firewalls.
  • Page 187 Using Private IP Addresses This scenario consists of two H.323 phones, each one connected behind a D-Link Firewall on a network with private IP addresses. In order to place calls on these phones over the Internet, the following rules need to be added to the rule listings in the firewall, make sure there are no rules disallowing...
  • Page 188 Source Network: 0.0.0.0/0 (all-nets) Destination Network: ip-wan (external IP of the firewall) Comment: Allow incoming calls to H.323 phone at ip-phone. Translate Destination IP Address: To New IP Address: ip-phone (IP address of phone) Then click OK
  • Page 189 Comment: Allow incoming calls to H.323 phone at ip-phone. Then click OK To place a call to the phone behind the D-Link Firewall, place a call to the external IP address on the firewall. If multiple H.323 phones are placed behind the firewall, one SAT rule has to be configured for each phone.
  • Page 190 Destination Network: ip-wan (external IP of the firewall) Comment: SAT rule for incoming communication with the Gatekeeper located at ip-gatekeeper. Translate Destination IP Address: To New IP Address: ip-gatekeeper (IP address of gatekeeper) Then click OK
  • Page 191 Then click OK Note There is no need to specify a specific rule for outgoing calls. The D-Link Firewall monitors the communication between ”external” phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper.
  • Page 192 H.323 with Gatekeeper and two D-Link Firewalls Figure 18.6: H.323 Scenario 4. This scenario is quite similar to scenario 3, with the difference of a D-Link Firewall protecting the ”external” phones. The D-Link Firewall with the Gatekeeper connected to the DMZ should be configured exactly like in scenario 3 (see 18.4.5).
  • Page 193 Then click OK Note There is no need to specify a specific rule for outgoing calls. The D-Link Firewall monitors the communication between ”external” phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper.
  • Page 194 (ip-gateway) connected to the ordinary telephone network. Head Office Firewall Configuration The head office has placed an H.323 Gatekeeper in the DMZ of the corporate D-Link Firewall. This D-Link Firewall should be configured as follows.
  • Page 195 Source Interface: LAN Destination Interface: DMZ Source Network: lan-net Destination Network: ip-gateway Comment: Allow H.323 entities on lan-net to call phones connected to the H.323 Gateway on the DMZ. Remember to use the correct service. Then click OK
  • Page 196 Enter the following: Name: BranchToGW Action: Allow Service: H323-Gatekeeper Source Interface: vpn-branch Destination Interface: DMZ Source Network: branch-net Destination Network: ip-gatekeeper, ip-gateway Comment: Allow communication with the Gatekeeper on DMZ from the Branch network Then click OK
  • Page 197 Branch and Remote Office Firewall The branch and remote office H.323 phones and applications will be configured to use the H.323 Gatekeeper at the head office. The D-Link Firewalls in the remote and branch offices should be configured as follows.
  • Page 198 Head Office DMZ. Then click OK The branch office D-Link Firewall has an H.323 Gateway connected to its DMZ. In order to allow the Gateway to register with the H.323 Gatekeeper at the Head Office, the following rule has to be configured.
  • Page 199 Then click OK Note There is no need to specify a specific rule for outgoing calls. The D-Link Firewall monitors the communication between ”external” phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper.
  • Page 200 Chapter 18. Application Layer Gateway (ALG)
  • Page 201: Intrusion Detection System (IDS)

    Internet, and can often be easily automated by an attacker, Intrusion Detection is an important technology to identify and prevent these threats. In order to make an effective and reliable IDS, D-Link IDS goes through three levels of processing and addresses the following questions: What traffic to analyze What to search for (i.e.
  • Page 202: Intrusion Detection Rules

    Chapter 19. Intrusion Detection System (IDS) D-Link IDS uses a combination of , and , in order to answer the three questions mentioned above. 19.1.1 Intrusion Detection Rules An Intrusion Detection Rule defines the kind of traffic – service – that should be analyzed.
  • Page 203: Chain Of Events

    19.2.1 Scenario 1 Traffic is only passed on to the IDS if the firewall’s IP rule set decides that it is valid, shown in Figure 19.1. Figure 19.1: IDS Chain of Events Scenario 1
  • Page 204: Scenario 2

    2. The source and destination information of the new packet is compared to the Intrusion Detection Rules. If a match is found, it is passed on to the next level of IDS processing - pattern matching. If not, the packet is dropped.
  • Page 205 19.2. Chain of Events Figure 19.2: IDS Chain of Events Scenario 2
  • Page 206: Signature Groups

    A new, updated signature database can be automatically downloaded by the firewall, at a configurable interval. This is done through an HTTP connection to a D-Link server hosting the latest signature database file. If this signature database file has a newer version than the current one, the new signature database will be downloaded, replacing the old version.
  • Page 207: SMTP Log Receiver For IDS Events

    This e-mail will contain a summary of IDS events that have occurred in a user-configurable period of time. When an IDS event has occurred, the D-Link firewall will wait for seconds before sending the notification e-mail. However, the e-mail...
  • Page 208 Server Port: 25 (by Internet standard) Fill in alternative e-mail addresses in the edit boxes (up to 3 addresses can be configured). Sender: hostmaster Subject: Log event from D-Link Firewall Minimum Repeat Delay: 600 Hold Time: 120 Log Threshold: 2 Then click OK.
  • Page 209: 19.6. Scenario: Setting Up IDS

    The Destination Interface and Destination Network define where traffic is directed to, in this case the mail server. Destination Network should therefore be set to the object defining the mail server.
  • Page 210 FROM EXT MAIL SMTP signature group, the connection will be dropped, thus protecting the mail server. If a log receiver has been configured, the intrusion attempt will also be logged.
  • Page 212: Virtual Private Network (VPN)

    VPNs, Virtual Private Networks, provide a means of establishing secure links between parties. A VPN is extended over public networks via the application of Encryption and Authentication, offering good flexibility, effective protection, and cost efficiency on connections over the Internet. Topics in this part include: Introduction to VPN Introduction to Cryptography VPN in Firewalls...
  • Page 213: VPN Basics

    VPN Basics 20.1 Introduction to VPN Long gone is the time when corporate networks were separate isles of local connectivity. Today, most networks are connected to each other by the Internet. Issues of protecting the local networks from Internet-based crime and intrusion are being solved by firewalls, intrusion detection systems, anti-virus software and other security investments.
  • Page 214 - Would any one of them accept that their orders and delivery confirmations travel through the hands of one of their competitors? - Hardly.
  • Page 215: Introduction To Cryptography

    – decryption, to return to the original plaintext. The algorithms of Encryption can be categorized into three types – symmetric, asymmetric, and hybrid encryption.
  • Page 216 – A 64-bit block cipher with a 128-bit key, less frequently employed than Blowfish. – A 128-bit block size with key lengths of 128-256 bits, a sound alternative to the ageing DES. D-Link firewall’s VPN implementation supports all the above algorithms.
  • Page 217 The resulting key is common to both sides, and can be used as a shared secret key for symmetric encryption. In such a way,
  • Page 218: Authentication & Integrity

    The signature is created using the asymmetric encryption scheme; it cannot be imitated by someone else, and the sender cannot easily repudiate the message that has been signed. The procedure of producing a digital signature works as follows:
  • Page 219 CA, so that a recipient can verify that the certificate is real. The digital certificates supported by D-Link firewalls conform to the X.509 standard.
  • Page 220: Why VPN In Firewalls

    Can the firewall protect the security gateway and log attempted attacks on it? Does the configuration support roaming clients? Can the firewall inspect and log traffic passing in and out of the VPN? Does the configuration add points of failure to the Internet connection?
  • Page 221: VPN Deployment

    Does it require additional configuration to the firewall or hosts participating in the VPN? In D-Link firewalls, the Security Gateway VPN is integrated in the firewall itself. The reasons for this design can be found in the scenario analysis presented next.
  • Page 222 Support for roaming clients is nearly impossible Between the Firewall and the Internal Network (Figure 20.3) Benefits Supports roaming clients No special routing information needed in the firewall The firewall can protect the Security Gateway Drawbacks
  • Page 223 The firewall cannot inspect nor log plaintext from the VPN Special routes need to be added to the firewall, or to all internal clients participating in the VPN Support for roaming clients is very hard to achieve
  • Page 224 Security Gateway in order to reach the VPN clients with moving IPs Incorporated in the Firewall (Figure 20.6) Benefits The firewall can protect the Security Gateway subsystem The firewall can inspect and log plaintext from the VPN Supports roaming clients
  • Page 225 This solution provides the highest degree of functionality & security and is chosen by D-Link’s design. All normal modes of operation are supported, and all traffic may be inspected and logged by the firewall.
  • Page 226 Chapter 20. VPN Basics
  • Page 227: VPN Planning

    VPN Planning 21.1 VPN Design Considerations ”A chain is never stronger than its weakest link”. An attacker wishing to make use of a VPN connection will typically not attempt to crack the VPN encryption, since this requires enormous amounts of computation and time. Rather, he/she will see VPN traffic as an indication that there is something really soft and chewy on the other end of the connection.
  • Page 228: End Point Security

    In instances where the firewall features an integrated VPN gateway, it is usually possible to dictate the types of communication permitted. The D-Link VPN module features just such a facility. 21.1.1 End Point Security...
  • Page 229 Keep data stored locally on portable computers to a minimum to reduce the impact of theft. This includes e-mail cache folders. Actually, it may be best if mail is read through a web gateway, since that leaves the least amount of files in local storage.
  • Page 230: Key Distribution

    Should the keys be changed? If so, how often? In cases where keys are shared by multiple users, you may want to consider overlapping schemes, so that the old keys work for a short period of time when new keys have been issued.
  • Page 231 VPN gateway, how should the key be stored? Should it be on a floppy? As a pass phrase to memorize? On a smart card? If it is a physical token, how should it be handled?
  • Page 232 Chapter 21. VPN Planning
  • Page 233: VPN Protocols & Tunnels

    Before IPsec can begin encrypting and transferring the data stream, some preliminary negotiation is necessary. This is accomplished with the Internet Key Exchange Protocol (IKE). In summary, an IPsec based VPN, such as D-Link VPN, is made up of two parts: Internet Key Exchange protocol (IKE)
  • Page 234: IPsec Protocols

    AH provides only authentication but not encryption to data packets. AH does not offer confidentiality to the data transfer and is rarely used; it is NOT supported by D-Link firewalls. Whether the IPsec protocol modifies the original IP header or not depends on the IPsec mode.
  • Page 235: IKE

    In cases where ESP and AH are used in conjunction, four SAs will be created. IKE Negotiation The process of negotiating connection parameters mainly consists of two phases: IKE Phase-1 – Negotiate how IKE should be protected for further negotiations. D-Link Firewalls User’s Guide...
  • Page 236 When using aggressive mode, some configuration parameters, such as Diffie-Hellman groups, can not be negotiated, resulting in a greater importance of having ”compatible” configurations on both communication ends. D-Link Firewalls User’s Guide...
  • Page 237 The data flow transferred in VPN connections are encrypted using symmetric encryption scheme. As it is described in 20.2.1 Symmetric Encryption, D-Link firewalls support the algorithms listed below: 3DES Blowfish Twofish...
  • Page 238 IKE exchanges the symmetric encryption key using Diffie-Hellman key exchange protocol. The level of security it offers is configurable by specifying the Diffie-Hellman(DH) group. The Diffie-Hellman groups supported by D-Link VPN are: DH group 1 (768-bit) DH group 2 (1024-bit)
  • Page 239: IKE Integrity & Authentication

    D-Link VPNs embed various methods for achieving these critical tasks, namely hash functions for message integrity, and pre-shared keys or X.509 certificates based on asymmetric encryption algorithms (i.e.
  • Page 240 The shared key is a secret passphrase, normally a string of ASCII characters or a set of random hexadecimal digits. In D-Link VPNs, the user can either enter an ASCII password or use the automatic random key generation.
  • Page 241 This means that the firewall is unable to control access to the various parts of the internal networks. The concept of Identification Lists (ID Lists) presents a solution to this problem. An identification list contains one or more configurable
  • Page 242 With XAuth, IKE can additionally authenticate the user after the device has been authenticated during the phase-1 negotiation. If enabled, a combination of username and password will be requested for the add-on user authentication.
  • Page 243: Scenarios: IPsec Configuration

    firewall IP ip head wan. The branch office uses the 10.0.2.0/24 network with external firewall IP ip branch wan. The following configuration has to be done on both the head office firewall and the branch office firewall.
  • Page 244 firewall will use ip head wan. Encapsulation Mode: Tunnel Algorithms IKE Algorithms: Medium or High IPsec Algorithms: Medium or High Authentication Pre-Shared Key: Select the pre-shared key created earlier, TestKey in this case. Then click OK
  • Page 245 This example describes how to configure an IPsec tunnel used for roaming clients (mobile users) that connect to the head office to gain remote access. The head office network uses the 10.0.1.0/24 network with external firewall IP ip wan.
  • Page 246 VPN Objects Pre-Shared Keys Pre-Shared Key: Enter the following: Name: Enter a name for the pre-shared key, SecretKey for instance. Passphrase/Shared Secret: Enter a secret passphrase. Passphrase/Confirm Secret: Enter the secret passphrase again. Then click OK
  • Page 247 Enable Then click OK 3. Configure Rules Finally we need to configure the rules to allow traffic inside the tunnel. See 14.3 IP Rules Configuration for details on how to configure rules.
  • Page 248: PPTP/L2TP

    PPTP encapsulated packet to form the tunneling data. PPTP uses TCP port 1723 for its control connection and GRE (IP protocol 47) for the PPP data. Table 22.1: PPTP Encapsulation: IP Header | GRE Header | PPP Frame (carrying the payload).
  • Page 249 Since PPTP security is password-based, the choice of a good password is an important security consideration. Regardless of the key length chosen (40, 56 or 128-bit), the true strength of the key is governed by the randomness of the password.
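For the pre-shared-key guidance on page 240 and the password-strength point on page 249, an added example that is not from the manual and not D-Link code: it generates a random hexadecimal key the way an "automatic random key generation" option would, and estimates how much of a 40, 56 or 128-bit PPTP key a given passphrase actually delivers. The character-class entropy estimate is an assumption (an optimistic upper bound that treats every character as uniformly random), and the sample passphrases are constructed.

```python
"""Pre-shared key generation and an effective-strength estimate
(added example, not D-Link code)."""
import math
import secrets
import string

HEX_DIGITS = set(string.hexdigits.lower())


def generate_psk_hex(bits=256):
    """Random PSK as hexadecimal digits from the OS CSPRNG: 4 bits per digit,
    so a 256-bit key is 64 hex digits."""
    if bits % 8:
        raise ValueError("bits must be a multiple of 8")
    return secrets.token_hex(bits // 8)


def passphrase_entropy_bits(passphrase):
    """Upper-bound entropy estimate.

    Assumption: characters are drawn uniformly from the union of the character
    classes that actually occur. This flatters human-chosen passwords (a
    dictionary word scores far higher here than it is worth). An all-hex
    string is taken to be a machine-generated key: 4 bits per digit."""
    if not passphrase:
        return 0.0
    if set(passphrase.lower()) <= HEX_DIGITS:
        return 4.0 * len(passphrase)
    alphabet = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation):
        if any(c in cls for c in passphrase):
            alphabet += len(cls)
    if alphabet == 0:          # non-ASCII only: count the distinct symbols seen
        alphabet = len(set(passphrase))
    return len(passphrase) * math.log2(alphabet)


def effective_key_bits(passphrase, cipher_key_bits):
    """Page 249's point: a 128-bit key derived from 'testpassword' is no
    stronger than the passphrase that seeds it."""
    return min(float(cipher_key_bits), passphrase_entropy_bits(passphrase))


def strong_enough(passphrase, cipher_key_bits, margin_bits=0.0):
    """True when the passphrase does not reduce the cipher's key strength."""
    return passphrase_entropy_bits(passphrase) >= cipher_key_bits + margin_bits


if __name__ == "__main__":
    # Constructed samples: the manual's example password, a typical human one,
    # and a generated 128-bit hex key.
    for pw in ("testpassword", "Summer2005!", generate_psk_hex(128)):
        print(f"{pw!r:40} -> {effective_key_bits(pw, 128):6.1f} of 128 bits")
```

The first sample collapses a 128-bit MPPE key to roughly 56 bits even under the optimistic estimate; only the generated hex key keeps the full key length, which is why the random-key option is preferable to a typed passphrase for site-to-site tunnels.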
  • Page 250 Local User Databases UserDB User: Enter the following: Username: testuser Password: testpassword Confirm Password: testpassword It is possible to configure a static IP for this user in the Per-user PPTP/L2TP IP Configuration section. Then click OK
  • Page 251 Add Route Proxy ARP: Leave as default, or specifically select the LAN interface if the IPs in the IP Pool are part of the network on the LAN interface. Then click OK
  • Page 252 Internet for example) a NAT rule has to be configured as well. When the configuration is saved and activated, it should be possible for PPTP clients to connect to the PPTP server on 10.0.0.1 on the WAN interface.
  • Page 253 PPTP client interface. It is possible to configure how the firewall should sense activity on the interface, and how long to wait with no activity before the tunnel is disconnected. Then click OK
  • Page 254: L2TP

    L2TP encapsulated packet to form the tunneling data. L2TP uses UDP port 1701 for both its control and data connections. L2TP itself does not encrypt; in the scenarios that follow it is carried inside an IPsec tunnel (L2TP/IPsec). L2TP authentication: PPTP and L2TP tunnels use the same authentication mechanisms as PPP connections, such as PAP, CHAP, MS-CHAP v1 and v2.
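A classifier for the tunnel encapsulations described on pages 248 and 254, added here as an example and not part of the manual or the firewall's own code: it parses a raw IPv4 packet and tells PPTP control (TCP 1723), PPTP data (GRE, IP protocol 47, with the RFC 2637 enhanced GRE header carrying PPP), L2TP (UDP 1701), IKE (UDP 500/4500), ESP and AH apart, which is the set of services the firewall's IP rules have to pass for each tunnel type. The sample packets are constructed inline, not captured; the ports and protocol numbers are the standard IANA assignments.

```python
"""Classify raw IPv4 packets by VPN encapsulation (added example, not D-Link
code). The sample packets below are constructed, not captured."""
import struct
from ipaddress import IPv4Address

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 6, 17, 47, 50, 51
PPTP_CONTROL_PORT, L2TP_PORT, IKE_PORT, IKE_NATT_PORT = 1723, 1701, 500, 4500
GRE_PPP_PROTOCOL = 0x880B            # RFC 2637: PPP inside enhanced GRE
GRE_FLAG_S, GRE_FLAG_A = 0x10, 0x80  # seq present (byte 0), ack present (byte 1)


def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload); raise on a malformed header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return proto, IPv4Address(src), IPv4Address(dst), pkt[ihl:total_len]


def parse_pptp_gre(payload):
    """Decode the RFC 2637 enhanced GRE header; None if it is not PPTP data."""
    if len(payload) < 8:
        return None
    flags, ver_byte, ptype, plen, call_id = struct.unpack("!BBHHH", payload[:8])
    if ver_byte & 0x07 != 1 or ptype != GRE_PPP_PROTOCOL:
        return None
    off, seq, ack = 8, None, None
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!I", payload[off:off + 4])[0]
        off += 4
    if ver_byte & GRE_FLAG_A:
        ack = struct.unpack("!I", payload[off:off + 4])[0]
        off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": payload[off:off + plen]}


def classify(pkt):
    """Return (kind, details) for the encapsulation found in the packet."""
    proto, src, dst, payload = parse_ipv4(pkt)
    base = {"src": str(src), "dst": str(dst)}
    if proto == IPPROTO_TCP and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        if PPTP_CONTROL_PORT in (sport, dport):
            return "pptp-control", base
    elif proto == IPPROTO_UDP and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        if L2TP_PORT in (sport, dport):
            return "l2tp", base            # control and data share the port
        if IKE_PORT in (sport, dport):
            return "ike", base
        if IKE_NATT_PORT in (sport, dport):
            return "ike-nat-t", base       # UDP-encapsulated IKE/ESP
    elif proto == IPPROTO_GRE:
        gre = parse_pptp_gre(payload)
        if gre is not None:
            return "pptp-data", dict(base, call_id=gre["call_id"], seq=gre["seq"])
        return "gre", base
    elif proto == IPPROTO_ESP:
        spi = struct.unpack("!I", payload[:4])[0] if len(payload) >= 4 else None
        return "esp", dict(base, spi=spi)
    elif proto == IPPROTO_AH:
        return "ah", base                  # not supported by these firewalls (page 234)
    return "other", dict(base, proto=proto)


# --- constructed sample packets --------------------------------------------
def build_ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def sample_packets():
    c, s = "10.0.0.50", "10.0.0.1"          # PPTP/L2TP client and the WAN-side server
    tcp = struct.pack("!HHIIBBHHH", 40000, PPTP_CONTROL_PORT, 1, 0, 0x50, 0x02, 8192, 0, 0)
    ppp = b"\xff\x03\x00\x21" + b"\x00" * 20
    gre = struct.pack("!BBHHHI", 0x20 | GRE_FLAG_S, 0x01, GRE_PPP_PROTOCOL,
                      len(ppp), 7, 42) + ppp          # K+S set, ver 1, call 7, seq 42
    udp = struct.pack("!HHHH", 1701, L2TP_PORT, 12, 0) + b"\xc8\x02\x00\x0c"
    return {
        "pptp-control": build_ipv4(IPPROTO_TCP, c, s, tcp),
        "pptp-data": build_ipv4(IPPROTO_GRE, c, s, gre),
        "plain-gre": build_ipv4(IPPROTO_GRE, c, s, struct.pack("!HH", 0, 0x0800) + b"\x00" * 8),
        "l2tp": build_ipv4(IPPROTO_UDP, c, s, udp),
        "ike": build_ipv4(IPPROTO_UDP, c, s, struct.pack("!HHHH", 500, IKE_PORT, 8, 0)),
        "esp": build_ipv4(IPPROTO_ESP, c, s, struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 8),
        "ah": build_ipv4(IPPROTO_AH, c, s, b"\x00" * 12),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:13} -> {classify(pkt)}")
```

The practical use is rule writing and troubleshooting: a PPTP server behind the firewall needs both TCP/1723 and IP protocol 47 allowed (a rule for "pptp-control" alone leaves the GRE data path blocked), while L2TP/IPsec needs UDP/500 (and 4500 behind NAT) plus ESP, not just UDP/1701.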
  • Page 255 The LAN network is a 192.168.1.0/24 network, and 10.0.0.0/24 is the network on the WAN interface. L2TP clients will connect to the L2TP/IPsec server on 10.0.0.1 on the WAN interface, in order to access resources on the LAN interface.
  • Page 256 Local User Databases UserDB User: Enter the following: Username: testuser Password: testpassword Confirm Password: testpassword It is possible to configure a static IP for this user in the Per-user PPTP/L2TP IP Configuration section. Then click OK
  • Page 257 The IPsec tunnel needs to be configured to dynamically add routes to the remote network when the tunnel is established. This is done under the Routing tab. Dynamically add route to the remote network when a tunnel is established: Enable Then click OK
  • Page 258 Add Route Proxy ARP: Leave as default, or specifically select the LAN interface if the IPs in the IP Pool are part of the network on the LAN interface. Then click OK
  • Page 259 Internet for example) a NAT rule has to be configured as well. When the configuration is saved and activated, it should be possible for L2TP/IPsec clients to connect to the L2TP/IPsec server on 10.0.0.1 on the WAN interface.
  • Page 260 Name: Enter a name for the pre-shared key, L2TPKey for instance. Passphrase/Shared Secret: Enter the secret passphrase. (Has to be the same as configured on the L2TP/IPsec server) Passphrase/Confirm Secret: Enter the secret passphrase again. Then click OK
  • Page 261 The IPsec tunnel needs to be configured to not dynamically add routes to the remote network when the tunnel is established. This is done under the Routing tab. Dynamically add route to the remote network when a tunnel is established: Disable Then click OK
  • Page 262 Local IP Address: (None) Metric: 0 Then click OK When the configuration is saved and activated, the L2TP/IPsec client should connect to the L2TP/IPsec server, and all traffic (except traffic to 10.0.0.1) should be routed over the L2TP/IPsec interface.
  • Page 263: SSL/TLS (HTTPS)

    HTTPS, and more and more web sites use the protocol to obtain confidential user information, such as credit card numbers. There are a number of versions of the SSL/TLS protocol. D-Link firewalls fully support SSLv3 and TLSv1. Note: SSLv3 has since been deprecated (RFC 7568); prefer TLS wherever the peer supports it.
  • Page 264 Chapter 22. VPN Protocols & Tunnels
  • Page 266: Traffic Management

    Traffic management is concerned with controlling and allocating network bandwidth and minimizing possible delay and congestion on networks. It encompasses the measuring of network capacity and traffic modelling to manage network resources efficiently and give services the bandwidth they need. Topics in this part include: Traffic Shaping Server Load Balancing (SLB)
  • Page 267: Traffic Shaping

    To address the above problems, D-Link firewalls provide QoS functionality and apply QoS limits and guarantees to the network traffic itself, rather than trusting the applications/users to make the choices.
  • Page 268: Functions

    A D-Link firewall has an extensible traffic shaper integrated inside. The traffic shaper works by measuring and queuing IP packets in transit, with respect to a number of configurable parameters.
  • Page 269: Features

    A closer look at these features is given in the sections that follow. 23.2 Pipes A Pipe is a central concept in the traffic shaping functionality of D-Link firewalls and is the base for all bandwidth control. Pipes are fairly
  • Page 270: Precedences and Guarantees

    7 are reserved for network control packets, so the values 0 through 5 can be set for priority based on IP networks or applications. Corresponding to these 8 levels, a pipe in a D-Link firewall contains 4 precedences – Low, Medium, High, and Highest – for clarifying the relative importance of the traffic.
  • Page 271 If the pipe limits are set higher than the actual available bandwidth, the pipe will never know that the connection is full, and hence be unable to throttle the lower-precedence traffic. 3. Bandwidth cannot be guaranteed if the available bandwidth is not known at all times.
  • Page 272: Grouping Users of a Pipe

    This mode of operation is likely sufficient for managing simple traffic limits and guarantees. However, D-Link firewalls have the ability to group traffic within each pipe. This means that traffic will be classified and grouped with respect to the source or destination of each packet passing through the pipe.
  • Page 273: Dynamic Bandwidth Balancing

    But what if the bandwidth for the pipe as a whole has a limit, and that limit is exceeded? This problem is addressed by a feature in D-Link firewalls called Dynamic Balancing. This algorithm ensures that the bandwidth limit of each group is dynamically lowered (or raised) in order to evenly balance the available bandwidth between the groups of the pipe.
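A small model of the pipe semantics from 23.2 to 23.4 (a total limit, the four precedences, grouping by source IP and Dynamic Balancing), added here as an example; it is not the firewall's scheduler and is not from the manual. Its assumptions: bandwidth is granted per precedence from Highest down to Low, under dynamic balancing the leftover is divided fairly (water-filling) between the groups present at a precedence and then fairly inside each group, and without grouping the flows at a precedence share fairly. The demand figures are constructed, in kbps.

```python
"""Simplified model of a traffic-shaping pipe with precedences, grouping and
dynamic balancing (added example, not D-Link's scheduler)."""

PRECEDENCES = ("Highest", "High", "Medium", "Low")   # served in this order


def water_fill(capacity, demands):
    """Fair division: everyone gets min(demand, equal share); what the
    satisfied ones leave over is re-split among those still hungry."""
    alloc = [0.0] * len(demands)
    active = [i for i, d in enumerate(demands) if d > 0]
    left = float(capacity)
    while active and left > 1e-9:
        share = left / len(active)
        still_hungry = []
        for i in active:
            take = min(demands[i] - alloc[i], share)
            alloc[i] += take
            left -= take
            if demands[i] - alloc[i] > 1e-9:
                still_hungry.append(i)
        active = still_hungry
    return alloc


def allocate(pipe_limit, flows, grouping=True, dynamic_balancing=True):
    """flows: list of {"group": key, "precedence": name, "demand": kbps}.
    Returns the kbps granted to each flow, in input order.

    Higher precedences are served first and take what they need; each lower
    precedence only gets what is left. With grouping and dynamic balancing
    the leftover is split fairly between groups, then inside each group."""
    alloc = [0.0] * len(flows)
    left = float(pipe_limit)
    for prec in PRECEDENCES:
        idx = [i for i, f in enumerate(flows) if f["precedence"] == prec]
        if not idx or left <= 1e-9:
            continue
        if grouping and dynamic_balancing:
            groups = {}
            for i in idx:
                groups.setdefault(flows[i]["group"], []).append(i)
            names = list(groups)
            per_group = water_fill(left, [sum(flows[i]["demand"] for i in groups[g]) for g in names])
            for g, cap in zip(names, per_group):
                members = groups[g]
                for i, a in zip(members, water_fill(cap, [flows[i]["demand"] for i in members])):
                    alloc[i] = a
        else:
            for i, a in zip(idx, water_fill(left, [flows[i]["demand"] for i in idx])):
                alloc[i] = a
        left -= sum(alloc[i] for i in idx)
    return alloc


def overcommit(pipe_limit, link_kbps, flows):
    """Page 271's warning: if the pipe limit exceeds the real link, the pipe
    grants bandwidth the link does not have and never throttles Low."""
    return max(0.0, sum(allocate(pipe_limit, flows)) - link_kbps)


# Constructed demand figures (kbps), grouped by source IP as in the scenario.
SAMPLE_FLOWS = [
    {"group": "192.168.1.5", "precedence": "High", "demand": 600},   # A: latency-sensitive
    {"group": "192.168.1.6", "precedence": "Low",  "demand": 800},   # B: bulk download
    {"group": "192.168.1.6", "precedence": "Low",  "demand": 200},   # E: second flow, same host
    {"group": "192.168.1.7", "precedence": "Low",  "demand": 100},   # C: light browsing
    {"group": "192.168.1.5", "precedence": "Low",  "demand": 300},   # D: bulk from A's host
]

if __name__ == "__main__":
    print("balanced  ", [round(x) for x in allocate(1000, SAMPLE_FLOWS)])
    print("unbalanced", [round(x) for x in allocate(1000, SAMPLE_FLOWS, grouping=False)])
    print("overcommit", overcommit(2000, 1000, SAMPLE_FLOWS))
```

With a 1000 kbps pipe the High flow takes its 600 first; the host with two bulk flows gets one host-share of the remaining 400 under dynamic balancing (75 + 75) rather than two flow-shares (100 + 100), which is the per-user fairness the grouping feature buys. Setting the pipe limit to 2000 on the same 1000 kbps link hands out 1000 kbps more than exists, so the Low traffic is never throttled and the guarantee for High silently evaporates.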
  • Page 274 After setting the total limits in the two pipes, two pipe rules need to be specified to assign the pipes to the proper directions, interfaces, and networks. Since these two primary rules apply to all possible services, the fixed precedence "Low" is defined on them.
  • Page 275 Rule "ToInternet" assigning pipes to traffic going through the firewall from LAN to WAN for all services (defined by the Services object "all-services"): Traffic Shaping Pipe Rules Pipe Rule: General Enter the following: Name: ToInternet Service: all-services Address Filter Source Destination Interface: Network: lannet all-nets
  • Page 276 Forward Chain: Select "std-in" from Available list and put it into Selected list. Return Chain: Select "std-out" from Available list and put it into Selected list. Precedence Check Use Fixed Precedence Select Low from the dropdown list and then click OK.
  • Page 277 Return Chain: Select "std-in" from Available list and put it into Selected list. Precedence Check Use Fixed Precedence Select Medium from the dropdown list and then click OK. Right click the "HTTP" rule item and click Move to Top.
  • Page 278 Check Enable dynamic balancing of groups and then click OK. 2. Editing pipe "std-out" Traffic Shaping Pipes std-out: Grouping Grouping: Select SourceIP from the dropdown list. Check Enable dynamic balancing of groups and then click OK.
  • Page 279 2. Revising pipe rule "HTTP" to create a return pipe chain Traffic Shaping Pipe Rules HTTP Traffic Shaping: Pipe Chains Return Chain: Select "http-in" from Available list and put it into Selected list and then click OK.
  • Page 280 Chapter 23. Traffic Shaping Note An appropriate order for pipes in a chain must be set carefully.
  • Page 281: Server Load Balancing (SLB)

    Figure 24.1 illustrates a logical view of an SLB module. In this module, 3 servers construct a server farm, and a D-Link firewall acts as a server load balancer. Server farm: A collection of computer servers usually maintained by an enterprise to...
  • Page 282: SLB Features

    D-Link firewalls are capable server load balancers, which can be configured to perform load distribution and monitoring functions. 24.1.2...
  • Page 283: Benefits

    Administration of server applications is easier. The server farm is seen as a single virtual server by the clients, with one public address; no administration is required for real server changes, which are transparent to the external network.
  • Page 284: SLB Implementation

    To implement the SLB method, the administrator defines a server farm containing multiple real servers, and binds the server farm as a single virtual server to the D-Link firewall (load balancer), using a public IP address. In this environment, clients are configured to connect to the public address of the server farm.
  • Page 285 24.2. SLB Implementation D-Link firewalls offer the following algorithms to accomplish the load distribution tasks: 1. Round-Robin Algorithm: The algorithm distributes incoming connections to a list of servers on a rotating basis. For the first connection, the algorithm picks a server from the farm randomly, and assigns the connection to it.
  • Page 286: Server Health Checks

    Performing various checks to determine the "health" condition of servers is one of the most important benefits of the SLB. At different OSI layers, D-Link firewalls can carry out certain network-level checks. When a server fails, the firewall removes it from the active server list, and will not route any packet to this server until it comes back up.
  • Page 287 24.2. SLB Implementation Figure 24.3: Distribution by Stickiness and Round-Robin Algorithm. Figure 24.4: Distribution by Stickiness and Connection-Rate Algorithm.
  • Page 288: Packet Flow by SAT

    80 to be down on that server. 24.2.4 Packet Flow by SAT In D-Link firewalls, a load-balancing-enabled SAT rule is used to translate packets exchanged between a client and the real servers. When a new connection is being opened, the SAT rule is triggered; it translates the public server farm IP address to a real server address.
  • Page 289 Figure 24.5: An SLB Scenario This example describes how SLB can be used to load balance SSH connections to two SSH servers behind a D-Link Firewall connected to the Internet with IP address ip ext, as shown in Figure 24.5. The two SSH servers have the private IP addresses 192.168.1.10 and 192.168.1.11.
  • Page 290 Source Interface: any Source Network: all-nets Destination Interface: core Destination Network: ip ext Then click OK Note It is possible to configure settings for monitoring, distribution method and stickiness. But in this example the default values are used.
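The distribution methods, stickiness and health-check behaviour of 24.2, as an added example that is not from the manual and not the firewall's implementation: a server-farm scheduler with round-robin and connection-rate selection, source-IP stickiness, and removal of a server that fails its health check (the two real servers are the scenario's 192.168.1.10 and 192.168.1.11; the client addresses are constructed). The manual says round-robin starts from a random server; this model starts from a configurable index so that a run is repeatable, and it measures connection rate over a fixed window, which is an assumption.

```python
"""Server-farm scheduler model: round-robin / connection-rate, stickiness,
health checks (added example, not D-Link code)."""
from collections import deque


class RealServer:
    def __init__(self, ip):
        self.ip = ip
        self.healthy = True
        self.connections = deque()      # start times of recent connections


class ServerFarm:
    def __init__(self, server_ips, method="round-robin", stickiness=True,
                 rate_window=10.0, start_index=0):
        if method not in ("round-robin", "connection-rate"):
            raise ValueError("unknown distribution method")
        self.servers = [RealServer(ip) for ip in server_ips]
        self.method = method
        self.stickiness = stickiness
        self.rate_window = rate_window  # seconds over which the rate is measured
        self._rr = start_index          # the manual picks the first server at random
        self._sticky = {}               # client ip -> real server ip

    def health_check(self, ip, healthy):
        """Feed in the outcome of a probe (e.g. a TCP connect to the service
        port). A failed server leaves the active list and loses its sticky
        clients, so they are re-homed instead of being sent to a dead host."""
        for s in self.servers:
            if s.ip == ip:
                s.healthy = healthy
        if not healthy:
            self._sticky = {c: srv for c, srv in self._sticky.items() if srv != ip}

    def active(self):
        return [s for s in self.servers if s.healthy]

    def connection_rate(self, server, now):
        q = server.connections
        while q and now - q[0] > self.rate_window:
            q.popleft()
        return len(q)

    def pick(self, client_ip, now):
        """Choose the real server for a new connection; None if none is healthy."""
        active = self.active()
        if not active:
            return None
        chosen = None
        if self.stickiness and client_ip in self._sticky:
            chosen = next((s for s in active if s.ip == self._sticky[client_ip]), None)
        if chosen is None and self.method == "round-robin":
            chosen = active[self._rr % len(active)]
            self._rr += 1
        elif chosen is None:            # connection-rate: least loaded in the window
            chosen = min(active, key=lambda s: self.connection_rate(s, now))
        chosen.connections.append(now)
        if self.stickiness:
            self._sticky[client_ip] = chosen.ip
        return chosen.ip


def demo_round_robin():
    farm = ServerFarm(["192.168.1.10", "192.168.1.11"])
    out = [farm.pick("203.0.113.5", 0.0), farm.pick("203.0.113.6", 1.0),
           farm.pick("203.0.113.5", 2.0)]           # third: sticky to the first pick
    farm.health_check("192.168.1.10", False)        # e.g. SSH port probe failed
    out.append(farm.pick("203.0.113.5", 3.0))       # re-homed to the survivor
    return out


def demo_connection_rate():
    farm = ServerFarm(["192.168.1.10", "192.168.1.11"], method="connection-rate",
                      stickiness=False, rate_window=10.0)
    out = [farm.pick(f"203.0.113.{i}", float(i)) for i in range(1, 4)]
    out.append(farm.pick("203.0.113.9", 30.0))      # window expired: both rates are 0
    return out


if __name__ == "__main__":
    print(demo_round_robin())
    print(demo_connection_rate())
```

Note the interaction the figures on page 287 hint at: stickiness overrides the distribution method for a returning client, so a farm with many connections from one source stays uneven under round-robin until the sticky entry is dropped, and only a health-check failure (not load) evicts it here.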
  • Page 292: Misc Features

    Besides protecting the network, D-Link firewalls can act as intermediary agents for miscellaneous Internet services, to ease the use of various protocols on behalf of the clients. Topics in this part include: Miscellaneous Clients DHCP Server & Relayer...
  • Page 293: Miscellaneous Clients

    Miscellaneous Clients 25.1 Overview D-Link firewalls support miscellaneous network clients for Dynamic DNS and similar services. Currently, the service providers supported by the firewall include: Dyndns.org Dyns.cx Cjb.net Oray.net – Peanut Hull DynDNS Telia BigPond 25.2...
  • Page 294: Automatic Client Login

    Automatic Client Login Some Internet service providers require users to log in via a URL each time before any service is delivered. Currently, D-Link firewalls offer automatic client login to the following providers: Telia – A major telecommunication service company in the Nordic and Baltic region.
  • Page 295: HTTP Poster

    The URL format used in the HTTP Poster varies depending on the specific service provider. Basically, a URL contains the username/password, the provider's domain name, and other parameters. For example, the URL format for the DynDNS service provided by Dyndns.org is: http://MYUID:MYPWD@members.dyndns.org/nic/update?hostname=MYDNS.dyndns.org Note that with a plain http:// URL the credentials travel in clear text; use an https:// URL where the provider and the firewall support it.
  • Page 296 Chapter 25. Miscellaneous Clients
  • Page 297: DHCP Server & Relayer

    DHCP Server & Relayer 26.1 DHCP Server The DHCP server assigns and manages IP addresses from specified address pools for DHCP clients. When a DHCP server receives a request from a DHCP client, it returns the configuration parameters (such as an IP address, a domain name, and a lease time for the IP address) to the client.
  • Page 298 Chapter 26. DHCP Server & Relayer Example: Configuring the firewall as a DHCP server This example describes how to configure a DHCP server on the internal interface (LAN) (refer to 9.1.2, Ethernet Interfaces in D-Link Firewalls). WebUI Configure DHCP Server System...
  • Page 299: DHCP Relayer

    For information about VLAN configuration, please refer to 9.2.3, VLAN Implementation. In this case, two VLAN interfaces named "vlan1" and "vlan2" are used. The firewall will also install a route for the client when it has finalized the DHCP process and obtained an IP.
  • Page 300 System DHCP Settings DHCP Relays DHCP Relay: General: General Name: vlan-to-dhcpserver Action: Relay Source Interface: ipgrp-dhcp DHCP Server to relay to: ip-dhcp Add Route: Check Add dynamic routes for this relayed DHCP lease. Then click OK.
  • Page 303: Transparent Mode

    Transparent Mode The Transparent Mode feature provided by D-Link firewalls aims at simplifying the deployment of firewall appliances into an existing network topology, to strengthen security. It eases the administration work in that there is no need to reconfigure all the settings of the nodes within the current network when a firewall is introduced into the...
  • Page 304: Transparent Mode Implementation in D-Link Firewalls

    Transparent Mode Implementation in D-Link Firewalls As explained above, a D-Link firewall allows ARP transactions when it is set to transparent mode, and in that sense it works almost like a Layer 2 switch in the network. The firewall uses the ARP traffic as one source of information when building its switch route table.
  • Page 305 ARP Transaction State. During the ARP transaction, the firewall learns the source address information of both ends from the request and the reply. Inside the D-Link firewall, two tables are maintained to store such information, called the Content-Addressable Memory (CAM) Table and the Layer 3 Cache respectively.
  • Page 306: Scenarios: Enabling Transparent Mode

    The WAN and LAN interfaces of the firewall will have to be configured to operate in Transparent Mode. It is preferred to configure IP addresses on the WAN and LAN interfaces, as this can improve performance during the automatic discovery of hosts.
  • Page 307 Transparent Mode: Enable Then click OK 2. Rules Rules IP Rules IP Rule: Enter the following: Name: HTTPAllow Action: Allow Service: http Source Interface: LAN Destination Interface: any Source Network: 10.0.0.0/24 Destination Network: 0.0.0.0/0 (all-nets) Then click OK
  • Page 308 Here we allow the hosts on the internal network to communicate with an HTTP server on the DMZ. Furthermore, we allow the HTTP server on the DMZ to be reached from the Internet. Additional rules could be added to allow other traffic.
  • Page 309 Enter the following: Name: TransparentGroup Security/Transport Equivalent: Disable Interfaces: Select LAN and DMZ Then click OK 3. Routing Routing Main Routing Table Switch Route: Enter the following: Switched Interfaces: TransparentGroup Network: 10.0.0.0/24 Metric: 0 Then click OK
  • Page 310 New IP Address: 10.1.4.10 Then click OK Rules IP Rules IP Rule: Enter the following: Name: HTTP-WAN-to-DMZ Action: Allow Service: http Source Interface: WAN Destination Interface: DMZ Source Network: all-nets Destination Network: wan-ip Then click OK
  • Page 312: ZoneDefense

    *ZoneDefense functionality described in this part is only available in the D-Link firewall modules DFL-800/1600/2500.
  • Page 313: ZoneDefense

    ZoneDefense 28.1 Overview ZoneDefense is a feature in D-Link firewalls which lets the firewall control locally attached switches. This can be used as a countermeasure to stop a worm-infected computer in the local network from infecting other computers. By setting up threshold rules on the firewall, hosts or networks that exceed the defined threshold can be dynamically blocked out.
  • Page 314: SNMP

    Manager A typical manager, such as a D-Link firewall, uses the SNMP protocol to monitor and control network devices in the managed environment. The manager can query stored statistics from the...
  • Page 315: Threshold Rules

    28.3. Threshold Rules Managed devices The managed devices are SNMP compliant, such as D-Link switches. They store management data in their databases, known as the Management Information Base (MIB), and provide the information to the manager upon queries. 28.3 Threshold Rules As explained previously, a threshold rule will trigger ZoneDefense to block out a specific host or network if the connection rate limit specified in the...
  • Page 316: Limitations

    ZoneDefense setup. 28.6 Scenario: Setting Up ZoneDefense The following simple example illustrates the steps needed to set up the ZoneDefense function in D-Link firewalls. We assume that all the interfaces on the firewall have already been properly configured. Example: Configuring ZoneDefense In this simplified scenario, an HTTP threshold of 10 connections/second is...
  • Page 317 28.6. Scenario: Setting Up ZoneDefense Figure 28.1: A ZoneDefense Scenario. A D-Link switch model DES-3226S is used in this case, with a management interface address 192.168.1.250 connecting to the firewall's interface address 192.168.1.1. This firewall interface is added into the exclude list to prevent the firewall from being accidentally locked out from accessing the switch.
  • Page 318 – configuring an HTTP threshold of 10 connections/second. ZoneDefense Threshold Threshold: General: General: Name: HTTP-Threshold Service: HTTP Address Filter Source Destination Interface: (the firewall's management interface) any Network: 192.168.2.0/24 (or the object name) all-nets Action: Action: ZoneDefense Host-based Threshold: 10 Then click OK.
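The host-based threshold rule of 28.3 and the scenario in 28.6 (HTTP, 10 connections/second, the firewall's own interface 192.168.1.1 on the exclude list), worked as detection logic over constructed connection-log lines; an added example, not the firewall's implementation and not from the manual. The log line format is an assumption, as is the sliding one-second window used to measure "connections per second"; the blocking step itself (which the firewall performs on the switch over SNMP) is represented only by the set of hosts returned.

```python
"""Host-based connection-rate threshold over constructed log lines
(added example, not D-Link's ZoneDefense implementation)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format (assumption): "<date> <time> conn_open src=<ip> dst=<ip> svc=<name>"
LINE_RE = re.compile(r"^(\S+ \S+) conn_open src=(\S+) dst=(\S+) svc=(\S+)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, svc = m.groups()
    return datetime.fromisoformat(ts), src, dst, svc


def hosts_over_threshold(lines, service="HTTP", threshold=10, window=1.0, exclude=()):
    """Return {src: peak_count} for sources whose new connections to `service`
    exceed `threshold` within any sliding window of `window` seconds.
    Sources on the exclude list are never reported (page 317: the firewall's
    own interface is excluded so it cannot lock itself out of the switch)."""
    exclude = set(exclude)
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skip, do not crash
        ts, src, _dst, svc = rec
        if svc != service or src in exclude:
            continue
        q = recent[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() >= window:
            q.popleft()
        if len(q) > threshold:            # "exceeding" the threshold: strictly greater
            offenders[src] = max(offenders.get(src, 0), len(q))
    return offenders


def constructed_log():
    """12 HTTP connections within one second from 192.168.2.15 (worm-like),
    12 from the firewall's own interface (to be excluded), 12 SSH from
    192.168.2.30 (other service, ignored) and 3 HTTP from 192.168.2.20
    spread over three seconds (normal)."""
    lines = []
    for i in range(12):
        stamp = f"2005-06-03 10:00:01.{i:03d}000"
        lines.append(f"{stamp} conn_open src=192.168.2.15 dst=10.1.1.5 svc=HTTP")
        lines.append(f"{stamp} conn_open src=192.168.1.1 dst=10.1.1.5 svc=HTTP")
        lines.append(f"{stamp} conn_open src=192.168.2.30 dst=10.1.1.5 svc=SSH")
    for i in range(3):
        lines.append(f"2005-06-03 10:00:0{i + 1}.500000 conn_open src=192.168.2.20 dst=10.1.1.5 svc=HTTP")
    lines.append("garbage line that should be ignored")
    return lines


def zonedefense_decision(lines):
    """Hosts the firewall would tell the switch to block under the scenario rule."""
    return hosts_over_threshold(lines, service="HTTP", threshold=10, window=1.0,
                                exclude={"192.168.1.1"})


if __name__ == "__main__":
    print(zonedefense_decision(constructed_log()))
```

Running the scenario rule over the constructed log blocks only 192.168.2.15: the firewall's own interface produced the same burst but is excluded, the SSH burst matches a different service, and the browsing host never reaches 11 connections inside one second. Dropping the exclude list would have the firewall cut off the very interface it uses to reach the switch, which is the lock-out page 317 warns about.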
  • Page 320: High Availability

    * High Availability functionality described in this part is only available in the D-Link firewall modules DFL-1600/2500.
  • Page 321: High Availability

    What High Availability will NOT do for you Example High Availability setup D-Link High Availability works by adding a back-up firewall to your existing firewall. The back-up firewall has the same configuration as the primary firewall. It will stay inactive, monitoring the primary firewall, until it deems that the primary firewall is no longer functioning, at which point...
  • Page 322: What High Availability Will Not Do For You

    Redundancy for your routers, switches, and your Internet connection are also issues that need to be addressed. D-Link High Availability clusters will not create a load-sharing cluster. One firewall will be active, and the other will be inactive. Multiple back-up firewalls cannot be used in a cluster. Only two firewalls, a "master"...
  • Page 323: Example High Availability Setup

    29.2 How Rapid Failover is Accomplished This section includes the following topics: The shared IP address and the failover mechanism Cluster heartbeats The synchronization interface
  • Page 324: The Shared IP Address and the Failover Mechanism

    Settings section. As the shared IP address always has the same hardware address, there will be no latency in updating the ARP caches of units attached to the same LAN as the cluster when failover occurs.
  • Page 325: Cluster Heartbeats

    The destination IP is the shared IP address. The IP TTL is always 255. If a firewall receives a cluster heartbeat with any other TTL, it is assumed that the packet has traversed a router, and hence cannot be trusted at all.
  • Page 326: The Synchronization Interface

    A cluster can be created by either installing a pair of new firewalls, or by converting already installed firewalls to cluster members. The firewall with the highest version number of its configuration will always make sure that the configuration is transferred to the other cluster member.
  • Page 327: Planning the High Availability Cluster

    29.3.1 Planning the High Availability cluster As an example throughout this guide, two D-Link Firewalls are used as cluster members. To simplify this guide, only two of the interfaces on each cluster member are used for network traffic. The following setup is used: The LAN interfaces on the cluster members are both connected to the same switch.
  • Page 328 Private IP Address: lan-priv-ip Then click OK Interfaces Ethernet Edit (WAN): IP Address: 10.4.10.1 Advanced/High Availability Private IP Address: wan-priv-ip Then click OK When the configuration is saved and activated, the firewall will act as an HA cluster member.
  • Page 329: Things to Keep in Mind

    Normally, the inactive firewall won't be sending log entries about live traffic, so the output will likely look much the way it did with only one firewall.
  • Page 330: Configuration Issues

    Using them for anything else: gatewaying, using them as source IPs in dynamically NATed connections or publishing services on them, will inevitably cause problems, as a unique IP disappears when the firewall it belongs to does.
  • Page 335: A Console Commands Reference

    Brings up information pertaining to the version of the firewall core in use and a copyright notice. Syntax: about Example: Cmd> about D-Link DFL 2.01.00V Copyright Clavister 1996-2005. All rights reserved SSH IPSEC Express SSHIPM version 5.1.1 library 5.1.1 Copyright 1997-2003 SSH Communications Security Corp. Build : Jun 3 2005...
  • Page 336: Access

    - hashinfo –Display information on hash table health - flush –Flush ARP cache of ALL interfaces - flushif –Flush ARP cache of an iface Example: Cmd> arp wan ARP cache of iface wan Dynamic 194.2.1.1 = 0020:d216:5eec Expire=141 D-Link Firewalls User’s Guide...
  • Page 337: Arpsnoop

    flowing for some inexplicable reason. By analyzing the contents of the buffers, it is possible to determine whether such traffic is making it to the firewall at all. Syntax: -- buffers Brings up a list of most recently freed buffers. Example: D-Link Firewalls User’s Guide...
  • Page 338: Certcache

    Example: Cmd> buff . Decode of buffer number 1059 lan:Enet 0050:dadf:7bbf->0003:325c:cc00, type 0x0800, len 1058 IP 192.168.123.10->193.13.79.1 IHL:20 DataLen:1024 TTL:254 Proto:ICMP ICMP Echo reply ID:6666 Seq:0 Certcache Displays the contents of the certificate cache. Syntax: certcache D-Link Firewalls User’s Guide...
  • Page 339: Cfglog

    - FIN RECV TCP packet with FIN/RST flag received - PING The connection is an ICMP ECHO connection - UDP The connection is a UDP connection - RAWIP The connection uses an IP protocol other than TCP, UDP or ICMP Syntax: connections D-Link Firewalls User’s Guide...
  • Page 340: Cpuid

    0x66: 1st-level data cache: 8-KB, 4-way set associative, sectored cache, 64-byte line size DHCP Syntax: dhcp [options] <interface> Options: - renew – Force interface to renew it’s lease - release – Force interface to release it’s lease D-Link Firewalls User’s Guide...
  • Page 341: Dhcprelay

    Options: - rules – Shows dhcp server rules - leases – Shows dhcp server leases - mappings – Shows dhcp server IP MAC mappings - release – Releases an active or blacklisted IP Example: Cmd> dhcpserver D-Link Firewalls User’s Guide...
  • Page 342: Dynroute

    Accept 23.3.8.4 10.5.3.2 ICMP 1480 60 Shows information about a HA cluster. Syntax: ha Example: Cmd> ha This device is a HA SLAVE This device is currently ACTIVE (will forward traffic) HA cluster peer is ALIVE D-Link Firewalls User’s Guide...
  • Page 343: Httpposter

    HTTPPoster Show the configured httpposter urls and status. Syntax: httpposter [options] Options: - repost – Re-post all URLs now. D-Link Firewalls User’s Guide...
  • Page 344: Ifacegroups

    IfStat Syntax: -- ifstat Shows a list of the interfaces installed in the firewall. Example: Cmd> ifstat Configured interfaces: Interface name IP Address Interface type -------------- ------------ ------------- core 127.0.0.1 Null (sink) 172.16.87.252 ... 192.168.121.1 ... D-Link Firewalls User’s Guide...
  • Page 345: Ikesnoop

    Turn IKE snooping on, if a IP is specified only ike traffic from that IP will be showed. -- ikesnoop verbose [ipaddr] Enable verbose output, if a IP is specified only ike traffic from that IP will be showed. D-Link Firewalls User’s Guide...
  • Page 346: Ipseckeepalive

    IKE proplist: ike-default, IPsec proplist: esp-tn-roamingclients IPSecstats Display connected IPSec VPN gateways and remote clients. Syntax: ipsecstats [options] Options: - ike Displays IKE SAs - ipsec Displays IPsec SAs (default) Displays detailed SA statistic information Displays verbose information D-Link Firewalls User’s Guide...
  • Page 347: Killsa

    firewall with this command, by doing a license remove. Syntax: license [remove] Example: Cmd> lic Contents of the License file ---------------------------- Registration key: Bound to MAC address: ... Model: DFL-... Registration date: Issued date: Last modified: New upgrades until: Ethernet Interfaces: D-Link Firewalls User’s Guide...
  • Page 348: Lockdown

    Syntax: memory Netcon Shows a list of users currently connected to the firewall via the netcon management protocol. Syntax: netcon Example: Cmd> netcon Currently connected NetCon users: Iface IP address port 192.168.123.11 39495 D-Link Firewalls User’s Guide...
  • Page 349: Netobjects

    - snoop [on off], Display troubleshooting messages on the console - ifacedown iface , Takes specified interface offline - ifaceup iface , Takes specified interface online - stop, Stop OSPF process - start, Start OSPF process - restart, Restart OSPF process D-Link Firewalls User’s Guide...
  • Page 350: Ping

    "main". Echo reply from 192.168.12.1 seq=0 time= 10 ms TTL=255 Pipes Shows the list of configured pipes; the contents of the Pipes configuration section, along with basic throughput figures of each pipe. Syntax: pipes [options] name Options: Display overall statistics D-Link Firewalls User’s Guide...
  • Page 351: Proplists

    FWCore.cfg after the bi-directional verification timeout period has expired (typically 30 seconds). Syntax: reconfiure Example: Cmd> reconfigure Shutdown RECONFIGURE. Active in 1 seconds. Shutdown reason: Reconfigure due to console command D-Link Firewalls User’s Guide...
  • Page 352: Remotes

    , Limit display to entries (default: 20) - nonhost, Do not show single-host routes - tables, Display list of named (PBR) routing tables - lookup ip , Lookup the route for the given IP address - v, Verbose D-Link Firewalls User’s Guide...
  • Page 353: Rules

            Source    Destination    Protocol/Ports
    --      -----     -------------- -------------- ---------------
    Allow   lan: ...  core: ...      "HTTP"         "HTTP-fw"
    Use: 0  FWLOG:notice  SYSLOG:notice
    Scrsave
    Activates the screensaver included with the firewall core.
    Syntax: scrsave
    Example:
    Cmd> scr
    Activating screen saver...
  • Page 354: Services

    Sysmsgs
    Show the contents of the OS sysmsg buffer.
    Syntax: sysmsgs
    Example:
    Cmd> sysmsg
    Contents of OS sysmsg buffer:
    Settings
    Shows the contents of the Settings configuration section.
    Syntax:
      -- settings    Shows available groups of settings.
  • Page 355

    - Settings regarding the builtin web server
    HwPerformance - Hardware performance parameters
    IfaceMon - Interface Monitor
    RouteFailOver - Route Fail Over Default values
    - Intrusion Detection / Prevention Settings
    - PPP (L2TP/PPTP/PPPoE) Settings
    Misc - Miscellaneous Settings
  • Page 356: Stats

    Fragbufs allocated : 16
    Fragbufs memory : 16 x 10040 = 156 KB
    Out-of-buffers
    ARP one-shot cache :
      Hits : 409979144
      Misses : 186865338
    Interfaces: Phys:2 VLAN:5 VPN:0
    Access entries:18  Rule entries:75
    Using configuration file "FWCore.cfg", ver ...
  • Page 357: Time

    Displays currently logged-on users and other information. Also allows logged-on users to be forcibly logged out.
    Syntax: userauth [options]
    Options:
      - l, displays a list of all authenticated users
      - p, displays a list of all known privileges (usernames and groups)
  • Page 358: Userdb

    Options:
      - num, Displays the specified number of users (default 20)
    Example:
    Cmd> userdb
    Configured user databases:
    Name           users
    -------------  -------
    AdminUsers
  • Page 359: Vlan

    Shows information about configured VLANs.
    Syntax:
      -- vlan    List attached VLANs
    Example:
    Cmd> vlan
    VLANs:
    vlan1  IPAddr: 192.168.123.1  ID: 1  Iface: lan
    vlan2  IPAddr: 192.168.123.1  ID: 2  Iface: lan
    vlan3  IPAddr: 192.168.123.1  ID: 3  Iface: lan
  • Page 360

    Iface lan, VLAN ID: 1
    Iface : lan
    IP Address : 192.168.123.1
    Hw Address : 0003:474e:25f9
    Software Statistics:
      Soft received : 0
      Soft sent: 0
      Send failures: 0
      Dropped : 0
      IP Input Errs : 0
  • Page 361: B Customer Support

    Customer Support...
  • Page 362

    URL: www.dlink.se
    FAX: 49-6196-7799300
    URL: www.dlink.de
    Denmark
    Naverland 2, DK-2600 Glostrup, Copenhagen, Denmark
    TEL: 45-43-969040
    FAX: 45-43-424347
    URL: www.dlink.dk
    France
    No.2 allée de la Fresnerie, 78330 Fontenay le Fleury, France
    TEL: 33-1-30238688
    FAX: 33-1-30238689
    URL: www.dlink.fr
  • Page 363

    #03-12 The Synergy, Singapore 609917
    TEL: 65-6774-6233
    FAX: 65-6774-6322
    URL: www.dlink-intl.com
    Switzerland
    Glatt Tower, 2.OG, Postfach 2.OG, CH-8301 Glattzentrum, Switzerland
    TEL: +41 (0) 1 832 11 00
    FAX: +41 (0) 1 832 11 01
    URL: www.dlink.ch
  • Page 364

    TEL: 61-2-8899-1800
    FAX: 61-2-8899-1868
    URL: www.dlink.com.au
    Hertzelia-Pituach 46120, Israel
    TEL: +972-9-9715700
    FAX: +972-9-9715601
    URL: www.dlink.co.il
    India
    D-Link House, Kurla Bandra Complex Road, Off CST Road, Santacruz (East), Mumbai - 400098, India
    TEL: 91-022-26526696/56902210...
    Latin America
    Isidora Goyeechea 2934, Oficina 702, Las Condes
  • Page 365

    TEL: 7-495-744-0099
    FAX: 7-495-744-0099
    URL: www.dlink.ru
    Chaoyang District, #350 Beijing 100025, China
    TEL: +86-10-58635800
    FAX: +86-10-58635799
    URL: www.dlink.com.cn
    Taiwan
    No. 289, Sinhu 3rd Rd., Neihu District, Taipei City 114, Taiwan
    TEL: 886-2-6600-0123
    FAX: 886-2-6600-1188
    URL: www.dlinktw.com.tw