D-Link NetDefend DFL-210 User Manual


Network security firewall ver 2.26.01

Network Security Firewall
User Manual
DFL-210/ 800/1600/ 2500
DFL-260/ 860/1660/ 2560(G)
Security
Ver 2.26.01
Network Security Solution
http://www.dlink.com


Summary of Contents for D-Link NetDefend DFL-210

  • Page 1 Network Security Firewall User Manual DFL-210/ 800/1600/ 2500 DFL-260/ 860/1660/ 2560(G) Security Security 2.26.01 Network Security Solution http://www.dlink.com...
  • Page 2: User Manual

    User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.26.01 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2010-01-11...
  • Page 3 D-Link reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such revision or changes.
  • Page 4: Table Of Contents

    Table of Contents: Preface ... 13; 1. NetDefendOS Overview ... 15; 1.1. Features ... 15; 1.2. NetDefendOS Architecture ... 18; 1.2.1. State-based Architecture ... 18; 1.2.2. NetDefendOS Building Blocks ... 18; 1.2.3. Basic Packet Flow ... 19; 1.3. NetDefendOS State Engine Packet Flow ... 21; 2. Management and Maintenance ... 26; 2.1.
  • Page 5 User Manual 3.3. Interfaces ... 86; 3.3.1. Overview ... 86; 3.3.2. Ethernet Interfaces ... 87; 3.3.3. VLAN ... 92; 3.3.4. PPPoE ... 95; 3.3.5. GRE Tunnels ... 97; 3.3.6. Interface Groups ... 100; 3.4. ARP ... 102; 3.4.1. Overview ... 102; 3.4.2. ARP in NetDefendOS ... 102; 3.4.3.
  • Page 6 6.4.2. Implementation ... 272; 6.4.3. Activating Anti-Virus Scanning ... 273; 6.4.4. The Signature Database ... 274; 6.4.5. Subscribing to the D-Link Anti-Virus Service ... 274; 6.4.6. Anti-Virus Options ... 274; 6.5. Intrusion Detection and Prevention ... 278; 6.5.1. Overview ... 278; 6.5.2.
  • Page 7 User Manual 7.4.4. Port Translation ... 313; 7.4.5. Protocols Handled by SAT ... 313; 7.4.6. Multiple SAT Rule Matches ... 313; 7.4.7. SAT and FwdFast Rules ... 314; 8. User Authentication ... 317; 8.1. Overview ... 317; 8.2. Authentication Setup ... 319; 8.2.1.
  • Page 8 User Manual 10.1.3. Simple Bandwidth Limiting ... 405; 10.1.4. Limiting Bandwidth in Both Directions ... 406; 10.1.5. Creating Differentiated Limits with Chains ... 407; 10.1.6. Precedences ... 408; 10.1.7. Guarantees ... 410; 10.1.8. Differentiated Guarantees ... 410; 10.1.9. Groups ... 411; 10.1.10.
  • Page 9 13.9. Miscellaneous Settings ... 474; A. Subscribing to Security Updates ... 476; B. IDP Signature Groups ... 478; C. Verified MIME filetypes ... 482; D. The OSI Framework ... 486; E. D-Link Worldwide Offices ... 487; Alphabetical Index ... 489...
  • Page 10 List of Figures 1.1. Packet Flow Schematic Part I ... 21; 1.2. Packet Flow Schematic Part II ... 22; 1.3. Packet Flow Schematic Part III ... 23; 1.4. Expanded Apply Rules Logic ... 24; 3.1. VLAN Connections ... 92; 3.2. Simplified NetDefendOS Traffic Flow ... 111; 4.1.
  • Page 11 3.25. Manually Triggering a Time Synchronization ... 124; 3.26. Modifying the Maximum Adjustment Value ... 124; 3.27. Forcing Time Synchronization ... 125; 3.28. Enabling the D-Link NTP Server ... 125; 3.29. Configuring DNS Servers ... 128; 4.1. Displaying the main Routing Table ... 137; 4.2.
  • Page 12 User Manual 4.13. if2 Configuration - Group Translation ... 173; 4.14. Setting up Transparent Mode for Scenario 1 ... 184; 4.15. Setting up Transparent Mode for Scenario 2 ... 185; 5.1. Setting up a DHCP server ... 194; 5.2. Checking DHCP Server Status ... 194; 5.3.
  • Page 13: Preface

    Preface Intended Audience The target audience for this reference guide is Administrators who are responsible for configuring and managing NetDefend Firewalls which are running the NetDefendOS operating system. This guide assumes that the reader has some basic knowledge of networks and network security. Text Structure and Conventions The text is broken down into chapters and sub-sections.
  • Page 14 Preface items in the tree-view list at the left of the interface or in the menu bar or in a context menu need to be opened followed by information about the data items that need to be entered: Go to Item X > Item Y > Item Z Now enter: •...
  • Page 15: Netdefendos Overview

    • NetDefendOS Architecture, page 18 • NetDefendOS State Engine Packet Flow, page 21 1.1. Features D-Link NetDefendOS is the base software engine that drives and controls the range of NetDefend Firewall hardware products. NetDefendOS as a Network Security Operating System Designed as a network security operating system, NetDefendOS features high throughput performance with high reliability plus super-granular control.
  • Page 16 More information about the IDP capabilities of NetDefendOS can be found in Section 6.5, “Intrusion Detection and Prevention”. Note Full IDP is available on all D-Link NetDefend product models as a subscription service. On some models, a simplified IDP subsystem is provided as standard.
  • Page 17 Chapter 2, Management and Maintenance. ZoneDefense NetDefendOS can be used to control D-Link switches using the ZoneDefense feature. This allows NetDefendOS to isolate portions of a network that contain hosts that are the source of undesirable network traffic.
  • Page 18: Netdefendos Architecture

    1.2. NetDefendOS Architecture Chapter 1. NetDefendOS Overview 1.2. NetDefendOS Architecture 1.2.1. State-based Architecture The NetDefendOS architecture is centered around the concept of state-based connections. Traditional IP routers or switches commonly inspect all packets and then make forwarding decisions based on information found in the packet headers. With this approach, packets are forwarded without any sense of context, which eliminates any possibility of detecting and analyzing complex protocols and enforcing corresponding security policies.
  • Page 19: Basic Packet Flow

    1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview NetDefendOS Rule Sets Finally, rules which are defined by the administrator in the various rule sets are used for actually implementing NetDefendOS security policies. The most fundamental set of rules are the IP Rules, which are used to define the layer 3 IP filtering policy as well as carrying out address translation and server load balancing.
  • Page 20 1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview • TCP/UDP ports • ICMP types • Point in time in reference to a predefined schedule If a match cannot be found, the packet is dropped. If a rule is found that matches the new connection, the Action parameter of the rule decides what NetDefendOS should do with the connection.
  • Page 21: Netdefendos State Engine Packet Flow

    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 1.3. NetDefendOS State Engine Packet Flow The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next. It is not necessary to understand these diagrams, however, they can be useful as a reference when configuring NetDefendOS in certain situations.
  • Page 22: Packet Flow Schematic Part Ii

    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Figure 1.2. Packet Flow Schematic Part II The packet flow is continued on the following page.
  • Page 23: Packet Flow Schematic Part Iii

    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Figure 1.3. Packet Flow Schematic Part III...
  • Page 24: Expanded Apply Rules Logic

    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Apply Rules The figure below presents the detailed logic of the Apply Rules function in Figure 1.2, “Packet Flow Schematic Part II” above. Figure 1.4. Expanded Apply Rules Logic...
  • Page 25 1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview...
  • Page 26: Management And Maintenance

    Chapter 2. Management and Maintenance This chapter describes the management, operations and maintenance related aspects of NetDefendOS. • Managing NetDefendOS, page 26 • Events and Logging, page 53 • RADIUS Accounting, page 58 • Hardware Monitoring, page 63 • SNMP Monitoring, page 65 •...
  • Page 27: The Default Administrator Account

    IPsec tunnel. By default, Web Interface access is enabled for users on the network connected via the LAN interface of the D-Link firewall (on products where more than one LAN interface is available, LAN1 is the default interface).
  • Page 28 Assignment of a Default IP Address For a new D-Link NetDefend firewall with factory defaults, a default internal IP address is assigned automatically by NetDefendOS to the hardware's LAN1 interface (or the LAN interface on models without multiple LAN interfaces).
  • Page 29 The Web Interface login dialog offers the option to select a language other than English for the interface. Language support is provided by a set of separate resource files. These files can be downloaded from the D-Link website. It may occasionally be the case that a NetDefendOS upgrade contains features that temporarily lack a complete non-English translation because of time constraints.
  • Page 30 2.1.3. The Web Interface Chapter 2. Management and Maintenance For information about the default user name and password, see Section 2.1.2, “The Default Administrator Account”. Note: Remote management access Access to the Web Interface is regulated by the configured remote management policy. By default, the system will only allow web access from the internal network.
  • Page 31: The Cli

    2.1.4. The CLI Chapter 2. Management and Maintenance Controlling Access to the Web Interface By default, the Web Interface is accessible only from the internal network. If you need to enable access from other parts of the network, you can do so by modifying the remote management policy. Example 2.1.
  • Page 32 This section only provides a summary for using the CLI. For a complete reference for all CLI commands, see the separate D-Link CLI Reference Guide. The most often used CLI commands are: •...
  • Page 33 2.1.4. The CLI Chapter 2. Management and Maintenance command appears it can be re-executed in its original form or changed first before execution. Tab Completion Remembering all the commands and their options can be difficult. NetDefendOS provides a feature called tab completion, which means that pressing the tab key will automatically complete the current part of the command.
  • Page 34 2.1.4. The CLI Chapter 2. Management and Maintenance Not all object types belong in a category. The object type UserAuthRule is a type without a category and will appear in the category list after pressing tab at the beginning of a command. The category is sometimes also referred to as a context.
  • Page 35 NetDefendOS CLI through a serial connection to a PC or dumb terminal. To locate the serial console port on your D-Link hardware, see the D-Link Quick Start Guide . To use the console port, you need the following equipment: •...
  • Page 36: Enabling Ssh Remote Access

    2.1.4. The CLI Chapter 2. Management and Maintenance Press the enter key on the terminal. The NetDefendOS login prompt should appear on the terminal screen. SSH (Secure Shell) CLI Access The SSH (Secure Shell) protocol can be used to access the CLI over the network from a remote host.
  • Page 37 2.1.4. The CLI Chapter 2. Management and Maintenance else as soon as possible after initial startup. User passwords can be any combination of characters and cannot be greater than 256 characters in length. It is recommended to use only printable characters.
  • Page 38 2.1.4. The CLI Chapter 2. Management and Maintenance automatically undone and the old configuration restored. Checking Configuration Integrity After changing a NetDefendOS configuration and before issuing the activate and commit commands, it is possible to explicitly check for any problems in a configuration using the command: gw-world:/>...
  • Page 39: Cli Scripts

    Create a text file with a text editor containing a sequential list of CLI commands, one per line. The D-Link recommended convention is for these files to use the file extension .sgs (Security Gateway Script). The filename, including the extension, should not be more than 16 characters.
  • Page 40 2.1.5. CLI Scripts Chapter 2. Management and Maintenance gw-world:/> script -execute -name=my_script.sgs Script Variables A script file can contain any number of script variables which are called: $1, $2, $3, $4..$n The values substituted for these variable names are specified as a list at the end of the script -execute command line.
  • Page 41 2.1.5. CLI Scripts Chapter 2. Management and Maintenance Any output from script execution will appear at the CLI console. Normally this output only consists of any error messages that occur during execution. To see the confirmation of each command completing, the -verbose option should be used: gw-world:/>...
  • Page 42: Secure Copy

    2.1.6. Secure Copy Chapter 2. Management and Maintenance This creates a script file called new_script_sgs which contains all the CLI commands necessary to create all IP4Address address objects in that unit's configuration. The created file's contents might, for example, be: add IP4Address If1_ip Address=10.6.60.10 add IP4Address If1_net Address=10.6.60.0/24 add IP4Address If1_br Address=10.6.60.255...
  • Page 43 2.1.6. Secure Copy Chapter 2. Management and Maintenance To upload and download files to or from the NetDefend Firewall, the secure copy (SCP) protocol can be used. SCP is based on the SSH protocol and many freely available SCP clients exist for almost all platforms.
  • Page 44 2.1.7. The Console Boot Menu Chapter 2. Management and Maintenance config.bak full.bak script/ sshclientkey/ Apart from the individual files, the objects types listed are: • HTTPALGBanners/ - The banner files for user authentication HTML. Uploading these is described further in Section 6.3.4.4, “Customizing HTML Pages”. •...
  • Page 45: The Console Boot Menu

    2.1.7. The Console Boot Menu Chapter 2. Management and Maintenance 2.1.7. The Console Boot Menu The NetDefendOS loader is the base software on top of which NetDefendOS runs and the administrator's direct interface to this is called the console boot menu (also known simply as the boot menu).
  • Page 46: Management Advanced Settings

    2.1.8. Management Advanced Settings Chapter 2. Management and Maintenance selecting setting the password as soon as possible is recommended. After it is set, the console will prompt for the password before access is allowed to either the boot menu or the command line interface (CLI).
  • Page 47: Working With Configurations

    2.1.9. Working with Configurations Chapter 2. Management and Maintenance Validation Timeout Specifies the number of seconds to wait for the administrator to log in before reverting to the previous configuration. Default: 30 WebUI HTTP port Specifies the HTTP port for the Web Interface. Default: 80 WebUI HTTPS port Specifies the HTTP(S) port for the Web Interface.
  • Page 48: Listing Configuration Objects

    2.1.9. Working with Configurations Chapter 2. Management and Maintenance Example 2.3. Listing Configuration Objects To find out what configuration objects exist, you can retrieve a listing of the objects. This example shows how to list all service objects. Command-Line Interface gw-world:/>...
  • Page 49: Editing A Configuration Object

    2.1.9. Working with Configurations Chapter 2. Management and Maintenance Note When accessing objects via the CLI you can omit the category name and just use the type name. The CLI command in the above example, for instance, could be simplified to gw-world:/>...
  • Page 50: Deleting A Configuration Object

    2.1.9. Working with Configurations Chapter 2. Management and Maintenance gw-world:/> show Address IP4Address myhost Property Value --------------------- ------------- Name: myhost Address: 192.168.10.10 UserAuthGroups: (none) NoDefinedCredentials: Comments: (none) Web Interface Go to Objects > Address Book Click on the Add button In the dropdown menu displayed, select IP Address In the Name text box, enter myhost Enter 192.168.10.10 in the IP Address textbox...
  • Page 51: Listing Modified Configuration Objects

    2.1.9. Working with Configurations Chapter 2. Management and Maintenance Listing Modified Objects After modifying several configuration objects, you might want to see a list of the objects that were changed, added and removed since the last commit. Example 2.9. Listing Modified Configuration Objects This example shows how to list configuration objects that have been modified.
  • Page 52 2.1.9. Working with Configurations Chapter 2. Management and Maintenance The new configuration is now committed. Web Interface Go to Configuration > Save and Activate in the menu bar Click OK to confirm The web browser will automatically try to connect back to the Web Interface after 10 seconds. If the connection succeeds, NetDefendOS interprets this as confirmation that remote management is still working.
  • Page 53: Events And Logging

    2.2. Events and Logging Chapter 2. Management and Maintenance 2.2. Events and Logging 2.2.1. Overview The ability to log and analyze system activities is an essential feature of NetDefendOS. Logging enables not only monitoring of system status and health, but also allows auditing of network usage and assists in troubleshooting.
  • Page 54: Log Message Distribution

    2.2.3. Log Message Distribution Chapter 2. Management and Maintenance By default, NetDefendOS sends all messages of level Info and above to configured log servers. The Debug category is intended for troubleshooting only and should only be turned on if required when trying to solve a problem.
  • Page 55: Enable Logging To A Syslog Host

    The Prio and Severity fields The Prio= field in SysLog messages contains the same information as the Severity field for D-Link Logger messages. However, the ordering of the numbering is reversed. Example 2.11. Enable Logging to a Syslog Host To enable logging of all events with a severity greater than or equal to Notice to a Syslog server with IP address 195.11.22.55, follow the steps outlined below:...
  • Page 56: Advanced Log Settings

    2.2.4. Advanced Log Settings Chapter 2. Management and Maintenance by D-Link and defines the SNMP objects and data types that are used to describe an SNMP Trap received from NetDefendOS. Note There is a different MIB file for each model of NetDefend Firewall. Make sure that the correct file is used.
  • Page 57 2.2.4. Advanced Log Settings Chapter 2. Management and Maintenance Send Limit This setting limits how many log packets NetDefendOS may send out per second. This value should never be set too low, as this may result in important events not being logged, nor should it be set too high.
  • Page 58: Radius Accounting

    2.3. RADIUS Accounting Chapter 2. Management and Maintenance 2.3. RADIUS Accounting 2.3.1. Overview Within a network environment containing large numbers of users, it is advantageous to have one or a cluster of central servers that maintain user account information and are responsible for authentication and authorization tasks.
  • Page 59 2.3.2. RADIUS Accounting Messages Chapter 2. Management and Maintenance authentication server. • How Authenticated - How the user was authenticated. This is set to either RADIUS if the user was authenticated via RADIUS, or LOCAL if the user was authenticated via a local user database.
  • Page 60: Interim Accounting Messages

    2.3.3. Interim Accounting Messages Chapter 2. Management and Maintenance Tip: The meaning of the asterisk after a list entry The asterisk "*" symbol after an entry in the list above indicates that the sending of the parameter is optional and is configurable. 2.3.3.
  • Page 61: Handling Unresponsive Servers

    2.3.7. Handling Unresponsive Servers Chapter 2. Management and Maintenance Firewalls. This means that accounting information is automatically updated on both cluster members whenever a connection is closed. Two special accounting events are also used by the active unit to keep the passive unit synchronized: •...
  • Page 62: Radius Accounting Server Setup

    2.3.10. RADIUS Advanced Settings Chapter 2. Management and Maintenance continue to be logged in. Disabling the setting will mean that the user will be logged out if the RADIUS accounting server cannot be reached even though the user has been previously authenticated. Default: Enabled Logout at shutdown If there is an orderly shutdown of the NetDefend Firewall by the administrator, then NetDefendOS...
  • Page 63: Hardware Monitoring

    2.4. Hardware Monitoring Availability Certain D-Link hardware models allow the administrator to use the CLI to query the current value of various hardware operational parameters such as the current temperature inside the firewall. This feature is referred to as Hardware Monitoring.
  • Page 64 2.4. Hardware Monitoring Chapter 2. Management and Maintenance The -verbose option displays the current values plus the configured ranges: gw-world:/> hwm -a -v 2 sensors available Poll interval time = 500ms Name [type][number] = low_limit] current_value [high_limit (unit) ----------------------------------------------------------------- SYS Temp [TEMP 0] = 44.000]...
  • Page 65: Snmp Monitoring

    2.5. SNMP Monitoring Chapter 2. Management and Maintenance 2.5. SNMP Monitoring Overview Simple Network Management Protocol (SNMP) is a standardized protocol for management of network devices. An SNMP compliant client can connect to a network device which supports the SNMP protocol to query and control it. NetDefendOS supports SNMP version 1 and version 2.
  • Page 66: Snmp Advanced Settings

    2.5.1. SNMP Advanced Settings Chapter 2. Management and Maintenance SNMP access. Port 161 is usually used for SNMP and NetDefendOS always expects SNMP traffic on that port. Remote Access Encryption It should be noted that SNMP Version 1 or 2c access means that the community string will be sent as plain text over a network.
  • Page 67 2.5.1. SNMP Advanced Settings Chapter 2. Management and Maintenance Default: Enabled SNMP Request Limit Maximum number of SNMP requests that will be processed each second by NetDefendOS. Should SNMP requests exceed this rate then the excess requests will be ignored by NetDefendOS. Default: 100 System Contact The contact person for the managed node.
  • Page 68: The Pcapdump Command

    2.6. The pcapdump Command Chapter 2. Management and Maintenance 2.6. The pcapdump Command A valuable diagnostic tool is the ability to examine the packets that enter and leave the interfaces of a NetDefend Firewall. For this purpose, NetDefendOS provides the CLI command pcapdump which not only allows the examination of packet streams entering and leaving interfaces but also allows the filtering of these streams according to specified criteria.
  • Page 69 2.6. The pcapdump Command Chapter 2. Management and Maintenance It is possible to have multiple pcapdump executions being performed at the same time. The following points describe this feature: All capture from all executions goes to the same memory buffer. The command can be launched multiple times with different interfaces specified.
  • Page 70 2.6. The pcapdump Command Chapter 2. Management and Maintenance • The filename and extension can only contain the characters A-Z, 0-9, "-" and "_". Combining Filters It is possible to use several of these filter expressions together in order to further refine the packets that are of interest.
  • Page 71: Maintenance

    The Intrusion Prevention and Detection system and Anti-Virus modules require access to updated signature databases in order to provide protection against the latest threats. To facilitate the Auto-Update feature D-Link maintains a global infrastructure of servers providing update services for NetDefend Firewalls. To ensure availability and low response times, NetDefendOS employs a mechanism for automatically selecting the most appropriate server to supply updates.
  • Page 72: Restore To Factory Defaults

    A restore to factory defaults can be applied so that it is possible to return to the original hardware state that existed when the NetDefend Firewall was shipped by D-Link. When a restore is applied, all data such as the IDP and Anti-Virus databases are lost and must be reloaded.
  • Page 73 Reset Procedure for the NetDefend DFL-210, 260, 800 and 860 To reset the NetDefend DFL-210/260/800/860 models, hold down the reset button located at the rear of the unit for 10-15 seconds while powering on the unit. After that, release the reset button and the unit will continue to load and startup with its default factory settings.
  • Page 74 2.7.3. Restore to Factory Defaults Chapter 2. Management and Maintenance...
  • Page 75: Fundamentals

    Chapter 3. Fundamentals This chapter describes the fundamental logical objects which make up a NetDefendOS configuration. These objects include such items as IP addresses and IP rules. Some exist by default and some must be defined by the administrator. In addition, the chapter explains the different interface types and explains how security policies are constructed by the administrator.
  • Page 76: Adding An Ip Host

    3.1.2. IP Addresses Chapter 3. Fundamentals corresponds to a 32 address net (netmask 255.255.255.224) and so on. The numbers 0-32 correspond to the number of binary ones in the netmask. For example: 192.168.0.0/24. IP Range A range of IP addresses is represented in the form a.b.c.d - e.f.g.h. Note that ranges are not limited to netmask boundaries.
  • Page 77: Ethernet Addresses

    3.1.3. Ethernet Addresses Chapter 3. Fundamentals Address=192.168.10.16-192.168.10.21 Web Interface Go to Objects > Address Book > Add > IP address Specify a suitable name for the IP Range, for example wwwservers. Enter 192.168.10.16-192.168.10.21 as the IP Address Click OK Example 3.4. Deleting an Address Object To delete an object named wwwsrv1 in the Address Book, do the following: Command-Line Interface gw-world:/>...
  • Page 78: Address Groups

    3.1.4. Address Groups Chapter 3. Fundamentals Address=08-a3-67-bc-2e-f2 Web Interface Go to Objects > Address Book > Add > Ethernet Address Specify a suitable name for the Ethernet Address object, for example wwwsrv1_mac Enter 08-a3-67-bc-2e-f2 as the MAC Address Click OK 3.1.4.
  • Page 79: Address Book Folders

    3.1.6. Address Book Folders Chapter 3. Fundamentals client subsystem to store gateway address information acquired from a DHCP server. If a default gateway address has been provided during the setup phase, the wan_gw object will contain that address. Otherwise, the object will be left empty (in other words, the IP address will be 0.0.0.0/0).
  • Page 80: Services

    3.2. Services Chapter 3. Fundamentals 3.2. Services 3.2.1. Overview A Service object is a reference to a specific IP protocol with associated parameters. A service definition is usually based on one of the major transport protocols such as TCP or UDP, with the associated port number(s).
  • Page 81: Tcp And Udp Based Services

    3.2.2. TCP and UDP Based Services Chapter 3. Fundamentals Example 3.7. Viewing a Specific Service To view a specific service in the system: Command-Line Interface gw-world:/> show Service ServiceTCPUDP echo The output will look similar to the following listing: Property Value ----------------- ----------------...
  • Page 82: Adding A Tcp/Udp Service

    3.2.2. TCP and UDP Based Services Chapter 3. Fundamentals uses port 25 and so on. For these types of service, the single port number is simply specified in the TCP/UDP service object. Port Ranges Some services use a range of destination ports. As an example, the NetBIOS protocol used by Microsoft Windows uses destination ports 137 to 139.
  • Page 83: Icmp Services

    3.2.3. ICMP Services Chapter 3. Fundamentals server is not in operation, an ICMP error message is returned as the response. These ICMP errors can either be ignored or allowed to pass through, back to the requesting application. Application Layer Gateways A TCP/UDP service can be linked to an Application Layer Gateway (ALG) to enable deeper inspection of certain protocols.
  • Page 84: Custom Ip Protocol Services

    3.2.4. Custom IP Protocol Services Chapter 3. Fundamentals • Code 2: Protocol Unreachable • Code 3: Port Unreachable • Code 4: Cannot Fragment • Code 5: Source Route Failed • Redirect: the source is told that there is a better route for a particular packet. Codes assigned are as follows: •...
  • Page 85: Service Groups

    3.2.5. Service Groups Chapter 3. Fundamentals Go to Objects > Services > Add > IP protocol service Specify a suitable name for the service, for example VRRP Enter 112 in the IP Protocol control Optionally enter Virtual Router Redundancy Protocol in the Comments control Click OK 3.2.5.
  • Page 86: Interfaces

    3.3. Interfaces Chapter 3. Fundamentals 3.3. Interfaces 3.3.1. Overview An Interface is one of the most important logical building blocks in NetDefendOS. All network traffic that passes through or is terminated in the system does so through one or several interfaces.
  • Page 87: Ethernet Interfaces

    3.3.2. Ethernet Interfaces Chapter 3. Fundamentals found in Section 9.5, “PPTP/L2TP”. • GRE interfaces are used to establish GRE tunnels. More information about this topic can be found in Section 3.3.5, “GRE Tunnels”. Even though the various types of interfaces are very different in the way they are implemented and how they work, NetDefendOS treats all interfaces as logical IP interfaces.
  • Page 88 3.3.2. Ethernet Interfaces Chapter 3. Fundamentals data payload along with error checking bits. A pause between the broadcasting of individual frames allows devices time to process each frame before the next arrives and this pause becomes progressively smaller as the transmission rates get faster from normal Ethernet to Fast Ethernet and then Gigabit Ethernet.
  • Page 89: Enabling Dhcp

    3.3.2. Ethernet Interfaces Chapter 3. Fundamentals As explained next, this way of changing the IP address is not recommended. • Instead, the ip_lan object in the NetDefendOS Address Book should be assigned the new address since it is this object that is used by many other NetDefendOS objects such as IP rules. The CLI command to do this would be: gw-world:/>...
  • Page 90 3.3.2. Ethernet Interfaces Chapter 3. Fundamentals Web Interface Go to Interfaces > Ethernet Select the Ethernet interface of interest Enable the Enable DHCP client option Click OK 3.3.2.1. Useful CLI Commands for Ethernet Interfaces This section summarizes the CLI commands most commonly used for examining and manipulating NetDefendOS Ethernet interfaces.
  • Page 91 Some interface settings are accessible only through a related set of CLI commands. These are particularly useful if D-Link hardware has been replaced and Ethernet card settings are to be changed, or if configuring the interfaces when running NetDefendOS on non-D-Link hardware. For example, to display Ethernet port information use the command: gw-world:/>...
  • Page 92: Vlan

    3.3.3. VLAN For a complete list of all CLI options see the CLI Reference Guide. 3.3.3. VLAN Overview Virtual LAN (VLAN) support in NetDefendOS allows the definition of one or more Virtual LAN interfaces, each associated with a particular physical interface. These are then considered logical interfaces by NetDefendOS and can be treated like any other interface in NetDefendOS rule sets and routing tables.
  • Page 93 3.3.3. VLAN With NetDefendOS VLANs, the physical connections are as follows: • One or more VLANs are configured on a physical NetDefend Firewall interface and this is connected directly to a switch. This link acts as a VLAN trunk. The switch used must support port based VLANs.
  • Page 94: Defining A Vlan

    3.3.3. VLAN The number of VLAN interfaces that can be defined for a NetDefendOS installation is limited by the parameters of the license used. Different hardware models have different licenses and therefore different limits on VLANs. Summary of VLAN Setup It is important to understand that the administrator should treat a VLAN interface just like a physical interface: it requires at least IP rules and routes to be defined in order to function.
  • Page 95: Pppoe

    3.3.4. PPPoE Default: DropLog 3.3.4. PPPoE 3.3.4.1. Overview Point-to-Point Protocol over Ethernet (PPPoE) is a tunneling protocol used for connecting multiple users on an Ethernet network to the Internet through a common serial interface, such as a single DSL line, wireless device or cable modem.
  • Page 96: Configuring A Pppoe Client

    3.3.4. PPPoE IP address information PPPoE uses automatic IP address allocation, which is similar to DHCP. When NetDefendOS receives this IP address information from the ISP, it stores it in a network object and uses it as the IP address of the interface.
  • Page 97: Gre Tunnels

    3.3.5. GRE Tunnels Then enter: • Name: PPPoEClient • Physical Interface: wan • Remote Network: all-nets (as we will route all traffic into the tunnel) • Service Name: Service name provided by the service provider • Username: Username provided by the service provider •...
  • Page 98 3.3.5. GRE Tunnels overhead. The lack of encryption can be acceptable in some circumstances if the tunneling is done across an internal network that is not public. Setting Up GRE Like other tunnels in NetDefendOS such as an IPsec tunnel, a GRE Tunnel is treated as a logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration capabilities as a standard interface.
  • Page 99 3.3.5. GRE Tunnels The diagram above shows a typical GRE scenario, where two NetDefend Firewalls A and B must communicate with each other through the intervening internal network 172.16.0.0/16. Any traffic passing between A and B is tunneled through the intervening network using a GRE tunnel; since the network is internal and not public there is no need for encryption, but note that anyone with access to that transit network can read the tunneled packets.
  • Page 100: Interface Groups

    3.3.6. Interface Groups Setup for NetDefend Firewall "B" Assuming that the network 192.168.11.0/24 is lannet on the lan interface, the steps for setting up NetDefendOS on B are as follows: In the address book set up the following IP objects: •...
  • Page 101 3.3.6. Interface Groups • Name: The name of the group to be used later • Security/Transport Equivalent: If enabled, the interface group can be used as a destination interface in rules where connections might need to be moved between the interfaces; examples of such usage are Route Fail-Over and OSPF •...
  • Page 102: Arp

    3.4. ARP 3.4. ARP 3.4.1. Overview The Address Resolution Protocol (ARP) maps a network layer protocol address to a data link layer hardware address; it is used to resolve an IP address into its corresponding Ethernet address.
  • Page 103: Displaying The Arp Cache

    3.4.3. ARP Cache The default expiration time for dynamic ARP entries is 900 seconds (15 minutes). This can be changed by modifying the advanced setting ARP Expire. The setting ARP Expire Unknown specifies how long NetDefendOS will remember addresses that cannot be reached.
  • Page 104: Static And Published Arp Entries

    3.4.4. Static and Published ARP Entries hash size for VLAN interfaces only. The default value is 64. 3.4.4. Static and Published ARP Entries NetDefendOS supports defining static ARP entries (static binding of IP addresses to Ethernet addresses) as well as publishing IP addresses with a specific Ethernet address. Static ARP Entries Static ARP entries may help in situations where a device is reporting an incorrect Ethernet address in response to ARP requests.
  • Page 105: Using Arp Advanced Settings

    3.4.5. Using ARP Advanced Settings the corresponding NetDefendOS interface. Another use is publishing multiple addresses on an external interface, enabling NetDefendOS to statically translate communications to these addresses and send them onwards to internal servers with private IP addresses. There are two publishing modes;...
  • Page 106: Arp Advanced Settings Summary

    3.4.6. ARP Advanced Settings Summary Allowing this to take place may allow hijacking of local connections. However, not allowing this may cause problems if, for example, a network adapter is replaced, as NetDefendOS will not accept the new address until the previous ARP cache entry has timed out. The advanced setting ARP Changes can be changed to modify this behavior.
  • Page 107 3.4.6. ARP Advanced Settings Summary Default: DropLog ARP Requests Determines if NetDefendOS will automatically add the data in ARP requests to its ARP table. The ARP specification states that this should be done, but as this procedure can facilitate hijacking of local connections, it is not normally allowed.
  • Page 108 3.4.6. ARP Advanced Settings Summary broadcast addresses. Such claims are practically never correct. Default: DropLog ARP cache size How many ARP entries there can be in the cache in total. Default: 4096 ARP Hash Size Hashing is used to rapidly look up entries in a table. For maximum efficiency, the hash size should be twice as large as the table it is indexing.
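Added example (this is not NetDefendOS code): a Python model of an ARP cache that applies the settings summarized on these pages: ARP Expire, ARP Changes (Drop, DropLog or Accept), ARP Requests, the ARP cache size, static entries, and rejection of sender hardware addresses that are broadcast or multicast. The setting names follow the manual; the ArpCache class, its decision strings and the sample IP and MAC addresses are this example's own.

```python
"""Added example, not NetDefendOS code: an ARP cache that applies the advanced
settings described above. Addresses used below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def is_bogus_sender(mac: str) -> bool:
    """Broadcast, multicast (I/G bit set in the first octet) and all-zero
    sender hardware addresses never belong to a real host."""
    octets = mac.lower().split(":")
    if len(octets) != 6:
        return True
    first = int(octets[0], 16)
    return mac.lower() == BROADCAST_MAC or set(octets) == {"00"} or bool(first & 1)


@dataclass
class ArpEntry:
    mac: str
    learned_at: float           # seconds; float("inf") marks a static entry
    static: bool = False


@dataclass
class ArpCache:
    expire: int = 900                  # ARP Expire (seconds) for dynam ic entries
    changes: str = "DropLog"           # ARP Changes: Drop | DropLog | Accept
    learn_from_requests: bool = False  # ARP Requests: add request senders to the table?
    cache_size: int = 4096             # ARP cache size
    table: Dict[str, ArpEntry] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def add_static(self, ip: str, mac: str) -> None:
        self.table[ip] = ArpEntry(mac, float("inf"), static=True)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        """Resolve ip, expiring a dynamic entry older than ARP Expire."""
        entry = self.table.get(ip)
        if entry is None:
            return None
        if not entry.static and now - entry.learned_at > self.expire:
            del self.table[ip]
            return None
        return entry.mac

    def observe(self, kind: str, sender_ip: str, sender_mac: str, now: float) -> str:
        """Apply the policy to an ARP 'request' or 'reply' and return the decision."""
        if is_bogus_sender(sender_mac):
            self.log.append(f"arp_bogus_sender ip={sender_ip} hw={sender_mac}")
            return "drop:bogus-sender"
        if kind == "request" and not self.learn_from_requests:
            return "ignore:request"            # answered if needed, but not learned
        cur = self.table.get(sender_ip)
        if cur is not None and cur.static:
            if cur.mac != sender_mac:
                self.log.append(f"arp_static_mismatch ip={sender_ip} claimed={sender_mac}")
                return "drop:static-conflict"
            return "keep:static"
        live = cur is not None and now - cur.learned_at <= self.expire
        if live and cur.mac != sender_mac and self.changes != "Accept":
            # A live binding is being pointed at another MAC: possible hijack.
            if self.changes == "DropLog":
                self.log.append(f"arp_changed ip={sender_ip} {cur.mac}->{sender_mac}")
            return "drop:changed"
        if cur is None and len(self.table) >= self.cache_size:
            return "drop:cache-full"
        self.table[sender_ip] = ArpEntry(sender_mac, now)
        return "add" if cur is None else "update"
```

The trade-off the manual describes is visible in observe(): with the DropLog default a replacement NIC is only accepted once the old entry has aged past ARP Expire, while a static entry is never overridden, which is why static or published entries are the right tool for hosts whose MAC must not change.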
  • Page 109: The Ip Rule Set

    3.5. The IP Rule Set 3.5. The IP Rule Set 3.5.1. Security Policies Common Policy Characteristics NetDefendOS Security Policies, designed by the administrator, regulate the way in which traffic can flow through the NetDefend Firewall. Policies in NetDefendOS are defined by different NetDefendOS rule sets.
  • Page 110 3.5.1. Security Policies and are described in Chapter 8, User Authentication. Specifying Any Interface or Network When specifying the filtering criteria in any of the rule sets specified above there are three useful predefined options that can be used: •...
  • Page 111: Ip Rule Evaluation

    3.5.2. IP Rule Evaluation If the IP rule used is an Allow rule then the connection is bi-directional by default. The ordering of these steps is important: the route lookup occurs first to determine the exiting interface, and only then does NetDefendOS look for an IP rule that allows the traffic to leave on that interface. If no such rule exists, the traffic is dropped.
  • Page 112: Ip Rule Actions

    3.5.3. IP Rule Actions Stateful Inspection After initial rule evaluation of the opening connection, subsequent packets belonging to that connection do not need to be evaluated individually against the rule set. Instead, a highly efficient algorithm searches the state table for each packet to determine if it belongs to an established connection.
  • Page 113: Editing Ip Rule Set Entries

    3.5.4. Editing IP rule set Entries NAT This functions like an Allow rule, but with dynamic address translation (NAT) enabled (see Section 7.2, “NAT” in Chapter 7, Address Translation for a detailed description). SAT This tells NetDefendOS to perform static address translation. A SAT rule always requires a matching Allow, NAT or FwdFast IP rule further down the rule set (see Section 7.4, “SAT”...
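Added example, not code from the manual or from NetDefendOS: a Python model of the evaluation order described on the preceding pages (route lookup first, then first-match rule evaluation, a SAT rule that only takes effect together with a later Allow, NAT or FwdFast rule, and a state table that lets later packets of an opened connection bypass the rule set). The interface names, networks, service and rules are a constructed sample; treating FwdFast as forwarding without creating a state entry is an assumption of this example.

```python
"""Added example, not NetDefendOS code: IP rule set evaluation with a route
lookup, first-match rules, SAT + Allow pairing and a connection state table.
Interfaces, networks and rules below are a constructed sample."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ALL_NETS = ipaddress.ip_network("0.0.0.0/0")


def packet(in_if, src, dst, proto, sport, dport):
    """Minimal packet record with the fields rule matching needs."""
    return {"in_if": in_if, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "sport": sport, "dport": dport}


@dataclass(frozen=True)
class Service:
    proto: str
    dport: int

    def matches(self, pkt) -> bool:
        return pkt["proto"] == self.proto and pkt["dport"] == self.dport


@dataclass
class IPRule:
    name: str
    action: str                     # Allow | NAT | FwdFast | SAT | Drop | Reject
    src_if: str                     # interface name or "any"
    src_net: ipaddress.IPv4Network
    dst_if: str
    dst_net: ipaddress.IPv4Network
    service: Optional[Service]      # None matches all services
    sat_to: Optional[str] = None    # SAT only: translated destination address

    def matches(self, pkt, dst_if) -> bool:
        return (self.src_if in ("any", pkt["in_if"]) and pkt["src"] in self.src_net
                and self.dst_if in ("any", dst_if) and pkt["dst"] in self.dst_net
                and (self.service is None or self.service.matches(pkt)))


def route_lookup(routes, dst):
    """Longest-prefix match over (network, interface) pairs; None if no route."""
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


@dataclass
class StatefulEngine:
    routes: list
    rules: List[IPRule]
    state: Dict[tuple, dict] = field(default_factory=dict)
    rule_evaluations: int = 0       # how often the rule set was actually consulted

    @staticmethod
    def _key(pkt):
        return (pkt["proto"], str(pkt["src"]), pkt["sport"], str(pkt["dst"]), pkt["dport"])

    def process(self, pkt) -> dict:
        key = self._key(pkt)
        rev = (key[0], key[3], key[4], key[1], key[2])     # reply direction
        for k in (key, rev):
            if k in self.state:                             # established connection
                return {"verdict": "allow", "via": "state", **self.state[k]}
        dst_if = route_lookup(self.routes, pkt["dst"])      # 1. route lookup first
        if dst_if is None:
            return {"verdict": "drop", "reason": "no route"}
        self.rule_evaluations += 1
        sat = None
        for rule in self.rules:                             # 2. first matching rule decides
            if not rule.matches(pkt, dst_if):
                continue
            if rule.action == "SAT":
                sat = rule.sat_to                           # noted; the search continues
                continue
            if rule.action in ("Allow", "NAT"):
                entry = {"rule": rule.name, "out_if": dst_if, "sat_to": sat}
                self.state[key] = entry                     # opens a bidirectional state
                return {"verdict": "allow", "via": "rule", **entry}
            if rule.action == "FwdFast":                    # assumption: no state entry
                return {"verdict": "allow", "via": "rule", "rule": rule.name,
                        "out_if": dst_if, "sat_to": sat}
            return {"verdict": "drop", "rule": rule.name}
        return {"verdict": "drop",
                "reason": "SAT without a later Allow/NAT/FwdFast rule" if sat else "no matching rule"}


LANNET = ipaddress.ip_network("192.168.1.0/24")
WANNET = ipaddress.ip_network("203.0.113.0/24")
WEB_PUBLIC = ipaddress.ip_network("203.0.113.10/32")
HTTP = Service("tcp", 80)


def build_engine(include_allow: bool = True) -> StatefulEngine:
    """Constructed sample: a NATed LAN and one web server published with SAT."""
    routes = [(LANNET, "lan"), (WANNET, "wan"), (ALL_NETS, "wan")]
    rules = [IPRule("sat_web", "SAT", "wan", ALL_NETS, "any", WEB_PUBLIC, HTTP, sat_to="192.168.1.10")]
    if include_allow:
        rules.append(IPRule("allow_web", "Allow", "wan", ALL_NETS, "any", WEB_PUBLIC, HTTP))
    rules += [IPRule("nat_out", "NAT", "lan", LANNET, "wan", ALL_NETS, None),
              IPRule("drop_all", "Drop", "any", ALL_NETS, "any", ALL_NETS, None)]
    return StatefulEngine(routes, rules)
```

The rule_evaluations counter shows the stateful-inspection effect: a whole connection, replies included, costs one pass through the rule set. Dropping the Allow rule that pairs with sat_web makes the published server unreachable even though the SAT rule matches, which is the mistake the note above warns about.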
  • Page 114: Adding An Allow Ip Rule

    3.5.5. IP Rule Set Folders In order to help organise large numbers of entries in IP rule sets, it is possible to create IP rule set folders. These folders are just like folders in a computer's file system: they are created with a given name and can then be used to contain all the IP rules that belong together as a group.
  • Page 115: Schedules

    3.6. Schedules 3.6. Schedules In some scenarios, it might be useful to control not only what functionality is enabled, but also when that functionality is being used. For instance, the IT policy of an enterprise might stipulate that web traffic from a certain department is only allowed access outside that department during normal office hours.
  • Page 116 3.6. Schedules Return to the top level: gw-world:/main> cc Configuration changes must then be saved by issuing an activate followed by a commit command. Web Interface Go to Objects > Schedules > Add > Schedule Enter the following: •...
  • Page 117: Certificates

    3.7. Certificates 3.7. Certificates 3.7.1. Overview X.509 NetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. This involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication. References in this manual to a certificate mean an X.509 certificate.
  • Page 118: Certificates In Netdefendos

    3.7.2. Certificates in NetDefendOS Validity Time A certificate is not valid forever. Each certificate contains the dates between which the certificate is valid. When this validity period expires, the certificate can no longer be used, and a new certificate has to be issued.
  • Page 119: Ca Certificate Requests

    3.7.3. CA Certificate Requests There are two types of certificates that can be uploaded: self-signed certificates and remote certificates belonging to a remote peer or CA server. Self-signed certificates can be generated by using one of a number of freely available utilities for doing this. Example 3.19.
  • Page 120 3.7.3. CA Certificate Requests • Take out the relevant parts of the .pem file to form the required .cer and .key files. The detailed steps for the above stages are as follows: Create the gateway certificate on the Windows CA server and export it to a .pfx file on the local NetDefendOS management workstation disk.
  • Page 121: Date And Time

    3.8. Date and Time 3.8. Date and Time 3.8.1. Overview Correctly setting the date and time is important for NetDefendOS to operate properly. Time scheduled policies, auto-update of the IDP and Anti-Virus databases, certificate validity checks and other product features require that the system clock is accurately set.
  • Page 122: Time Servers

    3.8.3. Time Servers counted as being inside a given time zone will then have the same local time and this will be one of the integer offsets from GMT. The NetDefendOS time zone setting reflects the time zone where the NetDefend Firewall is physically located.
  • Page 123: Enabling Time Synchronization Using Sntp

    3.8.3. Time Servers NetDefendOS is able to adjust the clock automatically based on information received from one or more Time Servers which provide a highly accurate time, usually derived from atomic clocks. Using Time Servers is highly recommended as it ensures NetDefendOS will have its date and time aligned with other network devices.
  • Page 124: Manually Triggering A Time Synchronization

    3.8.3. Time Servers • Secondary Time Server: dns:ntp2.sp.se Click OK The time server URLs must have the prefix dns: to specify that they should be resolved with a DNS server. NetDefendOS must therefore also have a DNS server defined so this resolution can be performed. Note If the TimeSyncInterval parameter is not specified when using the CLI to set the synchronization interval, the default of 86400 seconds (equivalent to one day) is used.
  • Page 125: Settings Summary For Date And Time

    86,400 seconds (1 day), meaning that the time synchronization process is executed once in a 24 hour period. D-Link Time Servers Using D-Link's own Time Servers is an option in NetDefendOS and this is the recommended way of synchronizing the firewall clock. These servers communicate with NetDefendOS using the SNTP protocol.
  • Page 126 3.8.4. Settings Summary for Date and Time Default: 0 DST Offset Daylight saving time offset in minutes. Default: 0 DST Start Date What month and day DST starts, in the format MM-DD. Default: none DST End Date What month and day DST ends, in the format MM-DD.
  • Page 127 3.8.4. Settings Summary for Date and Time Default: 600 Group interval Interval according to which server responses will be grouped. Default: 10...
  • Page 128: Dns

    3.9. DNS 3.9. DNS Overview A DNS server can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. FQDNs are unambiguous textual domain names which specify a node's unique position in the Internet's DNS tree hierarchy. FQDN resolution allows the actual physical IP address to change while the FQDN stays the same.
  • Page 129 3.9. DNS Dynamic DNS A DNS feature offered by NetDefendOS is the ability to explicitly inform DNS servers when the external IP address of the NetDefend Firewall has changed. This is sometimes referred to as Dynamic DNS and is useful where the NetDefend Firewall has an external IP address that can change.
  • Page 130 3.9. DNS
  • Page 131: Routing

    Chapter 4. Routing This chapter describes how to configure IP routing in NetDefendOS. • Overview, page 131 • Static Routing, page 132 • Policy-based Routing, page 146 • Route Load Balancing, page 151 • Dynamic Routing, page 157 • Multicast Routing, page 165 •...
  • Page 132: Static Routing

    4.2. Static Routing 4.2. Static Routing The most basic form of routing is known as Static Routing. The word "static" refers to the fact that entries in the routing table are manually added and are therefore permanent (or static) by nature. Due to this manual approach, static routing is most appropriate in smaller network deployments where addresses are fairly fixed and where the number of connected networks is limited to a few.
  • Page 133: A Typical Routing Scenario

    4.2.1. The Principles of Routing This parameter usually does not need to be specified. If it is specified, NetDefendOS responds to ARP queries sent to this address. A special section below explains this parameter in more depth. Local IP Address and Gateway are mutually exclusive and either one or the other should be specified.
  • Page 134 4.2.1. The Principles of Routing Route # Interface Destination Gateway all-nets 195.66.77.4 The above routing table provides the following information: • Route #1 All packets going to hosts on the 192.168.0.0/24 network should be sent out on the lan interface. As no gateway is specified for the route entry, the host is assumed to be located on the network segment directly reachable from the lan interface.
  • Page 135: Using Local Ip Address With An Unbound Network

    4.2.1. The Principles of Routing • Interface: The interface on which the second network is found. • Network: The IP address range of the second network. • Local IP Address: An address within the second network's IP range. When the Default Gateway of the second network's clients is now set to the same value as the Local IP Address of the above route, the clients will be able to communicate successfully with the interface.
  • Page 136: Static Routing

    4.2.2. Static Routing Something that is not intuitive when trying to understand routing in NetDefendOS is the fact that all traffic must have two routes associated with it. Not only must a route be defined for the destination network of a connection but also for the source network, since NetDefendOS also looks up the source address to verify that it is reachable on the interface the packet arrived on.
  • Page 137: Displaying The Main Routing Table

    4.2.2. Static Routing Active Routes:
    Network Destination  Netmask          Gateway       Interface     Metric
    0.0.0.0              0.0.0.0          192.168.0.1   192.168.0.10
    10.0.0.0             255.0.0.0        10.4.2.143    10.4.2.143
    10.4.2.143           255.255.255.255  127.0.0.1     127.0.0.1
    10.255.255.255       255.255.255.255  10.4.2.143    10.4.2.143
    85.11.194.33         255.255.255.255  192.168.0.1   192.168.0.10
    127.0.0.0            255.0.0.0        127.0.0.1     127.0.0.1
    192.168.0.0          255.255.255.0    192.168.0.10  192.168.0.10
    192.168.0.10         255.255.255.255  127.0.0.1     ...
  • Page 138 4.2.2. Static Routing
    gw-world:/> cc RoutingTable main
    gw-world:/main> show
    Route
    Interface  Network   Gateway        Local IP
    ---------  --------  -------------  --------
               all-nets  213.124.165.1  (none)
               lannet    (none)         (none)
               wannet    (none)         (none)
    To see the active routing table enter:
    gw-world:/> routes
    Flags Network Iface Gateway...
  • Page 139: Displaying The Core Routes

    4.2.2. Static Routing your ISP for public Internet access. If using the NetDefendOS setup wizard, this route is also added automatically. However, the option also exists for any physical interface to indicate that it should be used for connection to the Internet.
  • Page 140: Route Failover

    4.2.3. Route Failover The main window will list the active routing table, including the core routes. Tip: Understanding output from the routes command For detailed information about the output of the CLI routes command, please see the CLI Reference Guide.
  • Page 141 4.2.3. Route Failover Interface Link Status NetDefendOS will monitor the link status of the interface specified in the route. As long as the interface is up, the route is diagnosed as healthy. This method is appropriate for monitoring that the interface is physically attached and that the cabling is working as expected; it says nothing about reachability beyond the next hop.
  • Page 142: Host Monitoring For Route Failover

    4.2.4. Host Monitoring for Route Failover Even if a route has been disabled, NetDefendOS will continue to check the status of that route. Should the route become available again, it will be re-enabled and existing connections will automatically be transferred back to it.
  • Page 143 4.2.4. Host Monitoring for Route Failover provides the additional capability to perform Host Monitoring. This feature means that one or more external host systems can be routinely polled to check that a particular route is available. The advantages of Host Monitoring are twofold: •...
  • Page 144 4.2.5. Proxy ARP minimum value allowed is 100 ms. • Sample The number of polling attempts used as a sample size for calculating the Percentage Loss and the Average Latency. This value cannot be less than 1. •...
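Added example (not NetDefendOS code): a Python model of host monitoring for route failover. It keeps a sliding sample of poll results per host, derives Percentage Loss and Average Latency from that sample as described above, enforces the 100 ms minimum polling interval and the sample size of at least 1, and keeps checking a disabled route so it can be re-enabled once the hosts answer again. The poll results fed in are constructed; the rule that the route stays up while at least min_reachable hosts are healthy is this example's assumption.

```python
"""Added example, not NetDefendOS code: route failover decisions driven by
host monitoring statistics. Poll results are constructed in the test."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional


@dataclass
class HostStats:
    """Sliding window of poll results for one monitored host."""
    sample: int                 # Sample: number of polls used for the statistics (>= 1)
    max_loss_pct: float         # Percentage Loss threshold
    max_latency_ms: float       # Average Latency threshold
    results: Deque[Optional[float]] = field(init=False)

    def __post_init__(self):
        if self.sample < 1:
            raise ValueError("sample size cannot be less than 1")
        self.results = deque(maxlen=self.sample)

    def record(self, latency_ms: Optional[float]) -> None:
        """Latency in ms for an answered poll, None for a lost one."""
        self.results.append(latency_ms)

    def percentage_loss(self) -> float:
        if not self.results:
            return 0.0
        return 100.0 * sum(1 for r in self.results if r is None) / len(self.results)

    def average_latency(self) -> Optional[float]:
        answered = [r for r in self.results if r is not None]
        return sum(answered) / len(answered) if answered else None

    def healthy(self) -> bool:
        if len(self.results) < self.sample:      # window not full yet: no verdict
            return True
        if self.percentage_loss() > self.max_loss_pct:
            return False
        avg = self.average_latency()
        return avg is not None and avg <= self.max_latency_ms


@dataclass
class RouteMonitor:
    hosts: Dict[str, HostStats]
    min_reachable: int = 1        # assumption: route is up while this many hosts are healthy
    poll_interval_ms: int = 1000
    route_up: bool = True
    transitions: list = field(default_factory=list)

    def __post_init__(self):
        if self.poll_interval_ms < 100:
            raise ValueError("polling interval below the 100 ms minimum")

    def poll(self, results: Dict[str, Optional[float]], now_ms: int) -> bool:
        """Feed one round of poll results and return the route's new state."""
        for name, latency in results.items():
            self.hosts[name].record(latency)
        healthy = sum(1 for h in self.hosts.values() if h.healthy())
        up = healthy >= self.min_reachable
        if up != self.route_up:               # a disabled route keeps being polled
            self.transitions.append((now_ms, "up" if up else "down"))
            self.route_up = up
        return up
```

With a sample of 4 and a 25 % loss threshold the route goes down on the second consecutive lost poll and comes back once a host's window is again three quarters answered; a larger sample damps short outages at the cost of a slower failover.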
  • Page 145: Proxy Arp

    4.2.5. Proxy ARP 4.2.5. Proxy ARP Overview As discussed previously in Section 3.4, “ARP”, the ARP protocol provides a mapping between an IP address and the MAC address of a node on an Ethernet network. However, situations may exist where a network running Ethernet is separated into two parts with a routing device, such as an installed NetDefend Firewall, in between.
  • Page 146: Policy-Based Routing

    4.3. Policy-based Routing 4.3. Policy-based Routing 4.3.1. Overview Policy-based Routing (PBR) is an extension to the standard routing described previously. It offers administrators significant flexibility in implementing routing decision policies by allowing rules to be defined so that alternative routing tables are used. Normal routing forwards packets according to destination IP address information derived from static routes or from a dynamic routing protocol.
  • Page 147: Routing Table Selection

    4.3.4. Routing Table Selection When looking up Policy-based Rules, it is the first matching rule found that is triggered. 4.3.4. Routing Table Selection When a packet corresponding to a new connection first arrives, the processing steps to determine which routing table is chosen are as follows: The Routing Rules must first be looked up, but to do this the packet's destination interface must be determined, and this is always done by a lookup in the main routing table.
  • Page 148: Creating A Policy-Based Routing Table

    4.3.5. The Ordering parameter Important: Ensure all-nets appears in the main table A common mistake with policy-based routing is the absence of the default route with a destination network of all-nets in the main routing table. If there is no route that is an exact match, the absence of a default all-nets route will mean that the connection is dropped.
  • Page 149: Policy-Based Routing Configuration

    4.3.5. The Ordering parameter Example 4.5. Policy-based Routing Configuration This example illustrates a multiple ISP scenario, which is a common use of Policy-based Routing. The following is assumed: • Each ISP will give you an IP network from its network range. We will assume a 2-ISP scenario, with the network 10.10.10.0/24 belonging to ISP A and 20.20.20.0/24 belonging to ISP B.
  • Page 150 4.3.5. The Ordering parameter Note Rules in the above example are added for both inbound and outbound connections.
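Added example (not from the manual): a Python model of the routing lookups described in Sections 4.2 and 4.3: longest-prefix match, the separate lookup of the source network, the main-table lookup that fixes the destination interface before routing rules are matched, first-match selection of an alternate table, and the drop that results when main has no all-nets route. The ISP networks follow Example 4.5; the table names, the routing rule, the lan/wan1/wan2 interface names, the decision to drop a packet whose source network is routed via a different interface, and the fallback to main when the alternate table has no match are all this example's own assumptions.

```python
"""Added example, not from the manual: NetDefendOS-style route lookups with a
source-network check and policy-based selection of an alternate table.
Networks, interface names, tables and the rule are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

net = ipaddress.ip_network


@dataclass
class Route:
    interface: str
    network: ipaddress.IPv4Network
    gateway: Optional[str] = None     # None: destination is directly attached
    metric: int = 100


def lookup(table: List[Route], addr: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    best = None
    for r in table:
        if addr not in r.network:
            continue
        if (best is None or r.network.prefixlen > best.network.prefixlen
                or (r.network.prefixlen == best.network.prefixlen and r.metric < best.metric)):
            best = r
    return best


@dataclass
class RoutingRule:
    src_if: str                       # interface name or "any"
    src_net: ipaddress.IPv4Network
    dst_if: str
    dst_net: ipaddress.IPv4Network
    table: str                        # alternate routing table to use


def route_packet(tables: Dict[str, List[Route]], rules: List[RoutingRule],
                 in_if: str, src: str, dst: str) -> dict:
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    main = tables["main"]
    # 1. Source route: the source network must be routed via the arriving interface
    #    (assumption of this example: anything else is treated as spoofed and dropped).
    src_route = lookup(main, src_ip)
    if src_route is None or src_route.interface != in_if:
        return {"verdict": "drop", "reason": f"source {src} not routed via {in_if}"}
    # 2. Destination lookup in main fixes the interface used when matching rules.
    dst_route = lookup(main, dst_ip)
    if dst_route is None:
        return {"verdict": "drop", "reason": "no route in main (missing all-nets route?)"}
    # 3. The first matching routing rule selects an alternate table.
    chosen = "main"
    for rule in rules:
        if (rule.src_if in ("any", in_if) and src_ip in rule.src_net
                and rule.dst_if in ("any", dst_route.interface) and dst_ip in rule.dst_net):
            chosen = rule.table
            break
    final = lookup(tables.get(chosen, []), dst_ip)
    if final is None:                  # example's simplification: fall back to main
        final, chosen = dst_route, "main"
    return {"verdict": "route", "table": chosen, "interface": final.interface,
            "gateway": final.gateway or "direct"}


def example_tables():
    """Constructed 2-ISP setup after Example 4.5: ISP A on wan1 (10.10.10.0/24),
    ISP B on wan2 (20.20.20.0/24); hosts in 192.168.0.128/25 are sent via ISP B."""
    main = [Route("lan", net("192.168.0.0/24")),
            Route("wan1", net("10.10.10.0/24")),
            Route("wan2", net("20.20.20.0/24")),
            Route("wan1", net("0.0.0.0/0"), gateway="10.10.10.1")]
    isp_b = [Route("wan2", net("0.0.0.0/0"), gateway="20.20.20.1")]
    rules = [RoutingRule("lan", net("192.168.0.128/25"), "any", net("0.0.0.0/0"), "isp_b")]
    return {"main": main, "isp_b": isp_b}, rules
```

Removing the all-nets route from main reproduces the mistake called out above: the destination lookup in step 2 fails before any routing rule is consulted, so the alternate table never gets a chance and the connection is dropped.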
  • Page 151: Route Load Balancing

    4.4. Route Load Balancing 4.4. Route Load Balancing Overview NetDefendOS provides the option to perform Route Load Balancing (RLB). This is the ability to distribute traffic over multiple alternate routes based on a number of predefined distribution algorithms.
  • Page 152: The Rlb Round Robin Algorithm

    4.4. Route Load Balancing If more than one matching route is found then RLB is used to choose which one to use. This is done according to the algorithm selected in the table's RLB Instance object: •...
  • Page 153 4.4. Route Load Balancing Spillover Limits are set separately for ingoing and outgoing traffic, with only one of these typically being specified. If both are specified then only one of them needs to be exceeded continuously for Hold Timer seconds for the next matching route to be chosen. The units of the limits, such as Mbps, can be selected to simplify specification of the values.
  • Page 154 4.4. Route Load Balancing Several alternative routes can be set up, each with their own interface limits and each with a different metric. The route with the lowest metric is chosen first and, when that route's interface limits are exceeded, the route with the next highest metric is then chosen.
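Added example (not NetDefendOS code): Python versions of the three RLB algorithms the excerpt describes, applied to a set of matching routes: Round Robin, Destination (a hash of the destination address, which gives the stickiness that the scenario below relies on) and Spillover with per-route limits, a Hold Timer and metric ordering. Interface names, limits and traffic figures are constructed; having the caller report the outgoing load through update_load is this example's simplification of the measurement NetDefendOS does itself.

```python
"""Added example, not NetDefendOS code: the Round Robin, Destination and
Spillover route load balancing algorithms over a set of matching routes.
Interfaces, limits and traffic figures are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class BalancedRoute:
    interface: str
    metric: int
    out_limit_bps: float = float("inf")   # Spillover limit for outgoing traffic


@dataclass
class RoundRobin:
    """Each new connection takes the next matching route in turn."""
    routes: List[BalancedRoute]
    position: int = 0

    def choose(self, src: str, dst: str) -> str:
        route = self.routes[self.position % len(self.routes)]
        self.position += 1
        return route.interface


@dataclass
class Destination:
    """Same destination, same route: a server keeps seeing one source address."""
    routes: List[BalancedRoute]

    def choose(self, src: str, dst: str) -> str:
        digest = hashlib.sha256(dst.encode()).digest()
        return self.routes[int.from_bytes(digest[:4], "big") % len(self.routes)].interface


@dataclass
class Spillover:
    """Use the lowest-metric route until its limit has been exceeded for Hold
    Timer seconds, then spill to the route with the next higher metric."""
    routes: List[BalancedRoute]
    hold_timer_s: float = 30.0
    over_since: Dict[str, float] = field(default_factory=dict)

    def update_load(self, interface: str, out_bps: float, now_s: float) -> None:
        """Record the current outgoing rate of an interface (example's stand-in
        for the traffic measurement NetDefendOS performs)."""
        limit = next(r.out_limit_bps for r in self.routes if r.interface == interface)
        if out_bps > limit:
            self.over_since.setdefault(interface, now_s)   # start of the overload
        else:
            self.over_since.pop(interface, None)           # back under the limit

    def choose(self, src: str, dst: str, now_s: float) -> str:
        ordered = sorted(self.routes, key=lambda r: r.metric)
        for route in ordered:
            started = self.over_since.get(route.interface)
            if started is not None and now_s - started >= self.hold_timer_s:
                continue                                   # spilled over
            return route.interface
        return ordered[-1].interface                       # everything overloaded
```

Destination hashing is the algorithm to pick when the remote side tracks sessions by source address; Round Robin would alternate a single client between WAN1 and WAN2 and break such sessions.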
  • Page 155: A Route Load Balancing Scenario

    4.4. Route Load Balancing to the firewall interfaces WAN1 and WAN2. RLB will be used to balance the connections between the two ISPs. Figure 4.6. A Route Load Balancing Scenario We first need to define two routes to these two ISPs in the main routing table as shown below: Route No.
  • Page 156 4.4. Route Load Balancing achieve stickiness so the server always sees the same source IP address (WAN1 or WAN2) from a single client. Command-Line Interface gw-world:/> add RouteBalancingInstance main Algorithm=Destination Web Interface Go to Routing > Route Load Balancing > Instances > Add > Route Balancing Instance The route balancing instance dialog will appear.
  • Page 157: Dynamic Routing

    OSPF can provide a great deal of control over the routing process since its parameters can be finely tuned. OSPF is not available on all D-Link NetDefend models The OSPF feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. OSPF is not available on the DFL-210 and 260.
  • Page 158: Ospf

    The way OSPF routing functions is that it routes IP packets based only on the destination IP address found in the IP packet header.
  • Page 159 4.5.2. OSPF link-state database, describing the AS topology. From the information in this database, each router constructs a tree of shortest paths with itself as root. This shortest-path tree gives the best route to each destination in the AS. All OSPF protocol exchanges can be authenticated.
  • Page 160: Virtual Links Example 1

    4.5.2. OSPF become neighbors as soon as they see themselves listed in the neighbor's Hello packet. This way, two-way communication is guaranteed. The following Neighbor States are defined: Down This is the initial state of the neighbor relationship. Init When a HELLO packet is received from a neighbor but does NOT include the Router ID of the firewall, the neighbor is placed in the Init state.
  • Page 161: Virtual Links Example 2

    4.5.2. OSPF In the above example, the Virtual Link is configured between fw1 and fw2 on Area 1, as it is used as the transit area. In this configuration only the Router ID has to be configured. The diagram shows that fw2 needs to have a Virtual Link to fw1 with Router ID 192.168.1.1 and vice versa.
  • Page 162: Dynamic Routing Policy

    4.5.3. Dynamic Routing Policy The Virtual Link is configured between fw1 and fw2 on Area 1, as it is used as the transit area. In the configuration only the Router ID has to be configured; as in the example above, fw2 needs to have a Virtual Link to fw1 with the Router ID 192.168.1.1 and vice versa.
  • Page 163: Importing Routes From An Ospf As Into The Main Routing Table

    4.5.3. Dynamic Routing Policy Example 4.7. Importing Routes from an OSPF AS into the Main Routing Table In this example, the routes received using OSPF will be added into the main routing table. First of all, a Dynamic Routing Policy filter needs to be created.
  • Page 164 4.5.3. Dynamic Routing Policy DestinationInterface=wan DestinationNetworkExactly=all-nets Web Interface Go to Routing > Dynamic Routing Rules > Add > Dynamic routing policy rule Specify a suitable name for the filter, for example ExportDefRoute For From Routing Table select Main Routing Table Choose wan for Destination Interface Choose all-nets in the ...Exactly Matches list Click OK...
  • Page 165: Multicast Routing

    4.6. Multicast Routing 4.6. Multicast Routing 4.6.1. Overview Certain types of Internet interactions, such as conferencing and video broadcasts, require a single client or host to send the same packet to multiple receivers. This could be achieved through the sender duplicating the packet with different receiving IP addresses or by a broadcast of the packet across the Internet.
  • Page 166: Multicast Forwarding - No Address Translation

    4.6.2. Multicast Forwarding with SAT Multiplex Rules The multiplex rule can operate in one of two modes: Using IGMP The traffic flow specified by the multiplex rule must have been requested by hosts using IGMP before any multicast packets are forwarded through the specified interfaces.
  • Page 167: Forwarding Of Multicast Traffic Using The Sat Multiplex Rule

    4.6.2. Multicast Forwarding with SAT Multiplex Rules Note: SAT Multiplex rules must have a matching Allow rule Remember to add an Allow rule that matches the SAT Multiplex rule. The matching rule could also be a NAT rule for source address translation (see below) but cannot be a FwdFast or SAT rule.
  • Page 168: Multicast Forwarding - Address Translation

    4.6.2. Multicast Forwarding with SAT Multiplex Rules
    gw-world:/> cc IPRuleset main
    The CLI command to create the multiplex rule is then:
    add IPRule SourceNetwork=<srcnet> SourceInterface=<srcif> DestinationInterface=<srcif> DestinationNetwork=<destnet> Action=MultiplexSAT Service=<service> MultiplexArgument={outif1;ip1},{outif2;ip2},{outif3;ip3}...
    The two values {outif;ip} represent a combination of output interface and, if address translation of a group is needed, an IP address.
  • Page 169: Igmp Configuration

    4.6.3. IGMP Configuration As previously noted, remember to add an Allow rule matching the SAT Multiplex rule. Example 4.10. Multicast Forwarding - Address Translation The following SAT Multiplex rule needs to be configured to match the scenario described above: Web Interface A.
  • Page 170: Multicast Snoop

    4.6.3. IGMP Configuration to new multicast groups or change current multicast subscriptions. IGMP Queries Queries are IGMP messages sent from the router towards the hosts in order to make sure that it will not close any stream that some host still wants to receive. Normally, both these types of rules have to be specified for IGMP to work.
  • Page 171: Igmp - No Address Translation

    4.6.3. IGMP Configuration In Snoop mode, the router acts transparently between the hosts and another IGMP router. It will not send any IGMP Queries. It will only forward queries and reports between the other router and the hosts.
  • Page 172: If1 Configuration

    4.6.3. IGMP Configuration • Source Interface: wan • Source Network: UpstreamRouterIp • Destination Interface: core • Destination Network: auto • Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.0/24 Click OK 4.6.3.2. IGMP Rules Configuration - Address Translation The following examples illustrate the IGMP rules needed to configure IGMP according to the Address Translation scenario described above in Section 4.6.2.2, “Multicast Forwarding - Address Translation Scenario”.
  • Page 173: If2 Configuration - Group Translation

    4.6.3. IGMP Configuration Under General enter: • Name: A suitable name for the rule, for example Queries_if1 • Type: Query • Action: Proxy • Output: if1 (this is the relay interface) Under Address Filter enter: • Source Interface: wan •...
  • Page 174: Advanced Igmp Settings

    4.6.4. Advanced IGMP Settings • Name: A suitable name for the rule, for example Queries_if2 • Type: Query • Action: Proxy • Output: if2 (this is the relay interface) Under Address Filter enter: • Source Interface: wan •...
  • Page 175 4.6.4. Advanced IGMP Settings IGMP Router Version The IGMP protocol version that will be globally used on interfaces without a configured IGMP Setting. Multiple querying IGMP routers on the same network must use the same IGMP version. Global setting on interfaces without an overriding IGMP Setting.
  • Page 176 4.6.4. Advanced IGMP Settings Default: 2 IGMP Startup Query Interval The interval of General Queries in milliseconds used during the startup phase. Global setting on interfaces without an overriding IGMP Setting. Default: 30,000 IGMP Unsolicated Report Interval The time in milliseconds between repetitions of an initial membership report.
  • Page 177: Transparent Mode

    4.7. Transparent Mode 4.7. Transparent Mode 4.7.1. Overview Transparent Mode Usage The NetDefendOS Transparent Mode feature allows a NetDefend Firewall to be placed at a point in a network without any reconfiguration of the network and without hosts being aware of its presence. All NetDefendOS features can then be used to monitor and manage traffic flowing through that point.
  • Page 178 4.7.1. Overview the OSI model. If the firewall is placed into a network for the first time, or if the network topology changes, the routing configuration must therefore be checked and adjusted to ensure that the routing table is consistent with the new layout. Reconfiguration of IP settings may be required for pre-existing routers and protected servers.
  • Page 179 4.7.1. Overview the network. Discovery is done by NetDefendOS sending out ARP as well as ICMP (ping) requests, acting as the initiating sender of the original IP packet for the destination on the interfaces specified in the Switch Route.
  • Page 180 4.7.1. Overview routing table will be connected together by NetDefendOS and, no matter how interfaces are associated with the switch routes, transparency will exist between them. For example, if the interfaces if1 to if6 appear in switch routes in routing table A, the resulting interconnections will be as illustrated below.
  • Page 181: Enabling Internet Access

    4.7.2. Enabling Internet Access mode. Two VLAN interfaces with the same VLAN ID are defined on the two physical interfaces and they are called vlan5_if1 and vlan5_if2. For the VLAN to operate in transparent mode we create a routing table with the ordering set to only and which contains the following 2 switch routes: Network Interface...
  • Page 182: Transparent Mode Internet Access

    4.7.2. Enabling Internet Access The non-switch route usually needed to allow Internet access would be: Route type Interface Destination Gateway Non-switch all-nets gw-ip Now let's suppose the NetDefend Firewall is to operate in transparent mode between the users and the ISP.
  • Page 183: Transparent Mode Scenarios

    4.7.3. Transparent Mode Scenarios Route type Interface Destination Gateway Switch all-nets Switch all-nets Non-switch 85.12.184.39 gw-ip Non-switch 194.142.215.15 gw-ip The appropriate IP rules will also need to be added to the IP rule set to allow Internet access through the NetDefend Firewall.
  • Page 184: Setting Up Transparent Mode For Scenario 1

    4.7.3. Transparent Mode Scenarios Example 4.14. Setting up Transparent Mode for Scenario 1 Web Interface Configure the interfaces: Go to Interfaces > Ethernet > Edit (wan) Now enter: • IP Address: 10.0.0.1 • Network: 10.0.0.0/24 • Default Gateway: 10.0.0.1 •...
  • Page 185: Transparent Mode Scenario 2

    4.7.3. Transparent Mode Scenarios • Destination Network: all-nets (0.0.0.0/0) Click OK Scenario 2 Here the NetDefend Firewall in Transparent Mode separates server resources from an internal network by connecting them to a separate interface without the need for different address ranges. All hosts connected to LAN and DMZ (the lan and dmz interfaces) share the 10.0.0.0/24 address space.
  • Page 186 4.7.3. Transparent Mode Scenarios • Network: 10.0.0.0/24 • Transparent Mode: Disable • Add route for interface network: Disable Click OK Go to Interfaces > Ethernet > Edit (dmz) Now enter: • IP Address: 10.0.0.2 • Network: 10.0.0.0/24 •...
  • Page 187: Spanning Tree Bpdu Support

    4.7.4. Spanning Tree BPDU Support • Name: HTTP-WAN-to-DMZ • Action: SAT • Service: http • Source Interface: wan • Destination Interface: dmz • Source Network: all-nets • Destination Network: wan_ip • Translate: Select Destination IP • New IP Address: 10.1.4.10 Click OK Go to Rules >...
  • Page 188: Advanced Settings For Transparent Mode

    4.7.5. Advanced Settings for Transparent Mode • Multiple Spanning Tree Protocol (MSTP) • Cisco proprietary PVST+ Protocol (Per VLAN Spanning Tree Plus) NetDefendOS checks the contents of BPDU messages to make sure the content type is supported. If it is not, the frame is dropped.
  • Page 189 4.7.5. Advanced Settings for Transparent Mode Default: Dynamic Transparency ATS Expire Defines the lifetime of an unanswered ARP Transaction State (ATS) entry in seconds. Valid values are 1-60 seconds. Default: 3 seconds Transparency ATS Size Defines the maximum total number of ARP Transaction State (ATS) entries. Valid values are 128-65536 entries.
  • Page 190 4.7.5. Advanced Settings for Transparent Mode • Accept - Accept packet • AcceptLog - Accept packet and log • Rewrite - Rewrite to the MAC of the forwarding interface • RewriteLog - Rewrite to the MAC of the forwarding interface and log •...
  • Page 191 4.7.5. Advanced Settings for Transparent Mode...
  • Page 192: Dhcp Services

    Chapter 5. DHCP Services This chapter describes DHCP services in NetDefendOS. • Overview, page 192 • DHCP Servers, page 193 • Static DHCP Assignment, page 196 • DHCP Relaying, page 198 • IP Pools, page 201 5.1. Overview Dynamic Host Configuration Protocol (DHCP) is a protocol that allows network administrators to automatically assign IP numbers to computers on a network.
  • Page 193: Dhcp Servers

    5.2. DHCP Servers DHCP servers assign and manage the IP addresses taken from a specified address pool. In NetDefendOS, DHCP servers are not limited to serving a single range of IP addresses but can use any IP address range that can be specified by a NetDefendOS IP address object.
  • Page 194: Setting Up A Dhcp Server

    5.2. DHCP Servers • WINS Servers - WINS servers the client can use for WINS lookup. • Next Server - the IP address of the next server in the boot process; this is usually a TFTP server. In addition, Custom Options can be specified in order to have the DHCP servers hand out all options supported by the DHCP standard.
  • Page 195 5.2. DHCP Servers
        10.4.13.241   00-0c-29-04-f8-3c   ACTIVE(STATIC)
        10.4.13.242   00-1e-0b-aa-ae-11   ACTIVE(STATIC)
        10.4.13.243   00-1c-c4-36-6c-c4   INACTIVE(STATIC)
        10.4.13.244   00-00-00-00-02-14   INACTIVE(STATIC)
        10.4.13.254   00-00-00-00-02-54   INACTIVE(STATIC)
        10.4.13.1     00-12-79-3b-dd-45   ACTIVE
        10.4.13.2     00-12-79-c4-06-e7   ACTIVE
        10.4.13.3    *00-a0-f8-23-45-a3   ACTIVE
        10.4.13.4    *00-0e-7f-4b-e2-29   ACTIVE
    The asterisk "*" before a MAC address means that the DHCP server does not track the client using the MAC address but instead tracks the client through a client identifier which the client has given to the server.
  • Page 196: Static Dhcp Assignment

    5.3. Static DHCP Assignment Where the administrator requires a fixed relationship between a client and the assigned IP address, NetDefendOS allows the assignment of a given IP to a specific MAC address. Example 5.3.
  • Page 197 5.3.1. DHCP Advanced Settings Auto Save Policy What policy should be used to save the lease database to disk; possible settings are Disabled, ReconfShut or ReconfShutTimer. Default: ReconfShut Lease Store Interval How often, in seconds, the lease database should be saved to disk if DHCPServer_SaveLeasePolicy is set to ReconfShutTimer.
  • Page 198: Dhcp Relaying

    5.4. DHCP Relaying The DHCP Problem With DHCP, clients send requests to locate the DHCP server(s) using broadcast messages. However, broadcasts are normally only propagated across the local network. This means that the DHCP server and client always need to be on the same physical network.
  • Page 199: Dhcp Relay Advanced Settings

    5.4.1. DHCP Relay Advanced Settings • Name: ipgrp-dhcp • Interfaces: select vlan1 and vlan2 from the Available list and put them into the Selected list. Click OK Adding a DHCP relayer called vlan-to-dhcpserver: Go to System > DHCP > Add > DHCP Relay Now enter: •...
  • Page 200 5.4.1. DHCP Relay Advanced Settings will be reduced down to this value. Default: 10000 seconds Max Auto Routes How many relays can be active at the same time. Default: 256 Auto Save Policy What policy should be used to save the relay list to disk; possible settings are Disabled, ReconfShut, or ReconfShutTimer.
  • Page 201: Ip Pools

    5.5. IP Pools Overview IP pools are used to offer other subsystems access to a cache of DHCP IP addresses. These addresses are gathered into a pool by internally maintaining a series of DHCP clients (one per IP). The DHCP servers used by a pool can either be external or be DHCP servers defined in NetDefendOS itself.
  • Page 202: Creating An Ip Pool

    5.5. IP Pools server keeps giving out the same IP for each client. Prefetched leases Specifies the number of leases to keep prefetched. Prefetching will improve performance since there will not be any wait time when a system requests an IP (while there exist prefetched IPs).
  • Page 203 5.5. IP Pools...
  • Page 204: Security Mechanisms

    Chapter 6. Security Mechanisms This chapter describes NetDefendOS security features. • Access Rules, page 204 • ALGs, page 207 • Web Content Filtering, page 255 • Anti-Virus Scanning, page 272 • Intrusion Detection and Prevention, page 278 • Denial-of-Service Attack Prevention, page 289 •...
  • Page 205: Access Rule Settings

    6.1.3. Access Rule Settings VPNs provide one means of avoiding spoofing, but where a VPN is not an appropriate solution, Access Rules can provide an anti-spoofing capability by providing an extra filter for source address verification.
  • Page 206: Setting Up An Access Rule

    6.1.3. Access Rule Settings problems in case a rule is preventing some other function, such as VPN tunnel establishment, from working properly. Example 6.1. Setting up an Access Rule A rule is to be defined that ensures no traffic with a source address not within the lannet network is received on the lan interface.
  • Page 207: Algs

    6.2. ALGs 6.2.1. Overview To complement low-level packet filtering, which only inspects packet headers in protocols such as IP, TCP, UDP, and ICMP, NetDefend Firewalls provide Application Layer Gateways (ALGs) which provide filtering at the higher, application level of the OSI model. An ALG object acts as a mediator in accessing commonly used Internet applications outside the protected network, for example web access, file transfer and multimedia transfer.
  • Page 208: The Http Alg

    6.2.2. The HTTP ALG Maximum Connection Sessions The service associated with an ALG has a configurable parameter called Max Sessions, and the default value varies according to the type of ALG. For instance, the default value for the HTTP ALG is 1000.
  • Page 209 6.2.2. The HTTP ALG Anti-Virus scanning, if it is enabled, is always applied to the HTTP traffic even if it is whitelisted. These features are described in depth in Section 6.3.3, “Static Content Filtering”. • Dynamic Content Filtering - Access to specific URLs can be allowed or blocked according to policies for certain types of web content.
  • Page 210: Http Alg Processing Order

    6.2.2. The HTTP ALG Note: Similarities with other NetDefendOS features The Verify MIME type and Allow/Block Selected Types options work in the same way for the FTP, POP3 and SMTP ALGs. • Download File Size Limit - A file size limit can additionally be specified for any single download (this option is available only for HTTP and SMTP ALG downloads).
  • Page 211: The Ftp Alg

    6.2.3. The FTP ALG For example, the entry *.some_domain.com will block all pages whose URLs end with some_domain.com. If we now want to explicitly allow one particular page, this can be done with an entry in the whitelist of the form my_page.my_company.com, and the blacklist will not prevent this page from being reachable since the whitelist has precedence.
  • Page 212 6.2.3. The FTP ALG allow traffic from all ports on the FTP server to all ports on the FTP client. Obviously, this is not a good solution. When passive mode is used, the firewall does not need to allow connections from the FTP server. On the other hand, NetDefendOS still does not know what port the FTP client tries to use for the data channel.
  • Page 213: Protecting An Ftp Server With An Alg

    6.2.3. The FTP ALG Scanning”. FTP ALG with ZoneDefense Used together with the FTP ALG, ZoneDefense can be configured to protect an internal network from virus-spreading servers and hosts. This is relevant to 2 scenarios: •...
  • Page 214 6.2.3. The FTP ALG To make it possible to connect to this server from the Internet using the FTP ALG, the FTP ALG and rules should be configured as follows: Web Interface A. Define the ALG: Go to Objects >...
  • Page 215 6.2.3. The FTP ALG • Name: SAT-ftp-inbound • Action: SAT • Service: ftp-inbound For Address Filter enter: • Source Interface: any • Destination Interface: core • Source Network: all-nets • Destination Network: wan_ip (assuming the external interface has been defined as this) For SAT check Translate the Destination IP Address Enter To: New IP Address: ftp-internal (assume this internal IP address for the FTP server has been defined in the Address Book object)
  • Page 216: Protecting Ftp Clients

    6.2.3. The FTP ALG Example 6.3. Protecting FTP Clients In the scenario shown below the NetDefend Firewall is protecting a workstation that will connect to FTP servers on the Internet. To make it possible to connect to these servers from the internal network using the FTP ALG, the FTP ALG and rules should be configured as follows: Web Interface A.
  • Page 217: The Tftp Alg

    6.2.4. The TFTP ALG Rules (Using Public IPs). The following rule needs to be added to the IP rules if using public IPs; make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules. The service in use is ftp-outbound, which should be using the ALG definition ftp-outbound as described earlier.
  • Page 218: The Smtp Alg

    6.2.5. The SMTP ALG Allow/Disallow Read The TFTP GET function can be disabled so that files cannot be retrieved by a TFTP client. The default value is Allow. Allow/Disallow Write The TFTP PUT function can be disabled so that files cannot be written by a TFTP client.
  • Page 219 6.2.5. The SMTP ALG This is a very useful feature to have since it is possible to put in a block against either an infected client or an infected server sending large amounts of malware-generated emails. Email size limiting A maximum allowable size of email messages can be specified.
  • Page 220: Smtp Alg Processing Order

    6.2.5. The SMTP ALG Anti-virus scanning (if enabled). As described above, if an address is found on the whitelist then it will not be blocked even if it is also found on the blacklist. SPAM filtering, if it is enabled, is still applied to whitelisted addresses but emails flagged as SPAM will not be tagged nor dropped, only logged.
  • Page 221 6.2.5. The SMTP ALG The NetDefendOS SMTP ALG does not support all ESMTP extensions, including Pipelining and Chunking. The ALG therefore removes any unsupported extensions from the supported extension list that is returned to the client by an SMTP server behind the NetDefend Firewall. When an extension is removed, a log message is generated with the text: unsupported_extension capability_removed...
  • Page 222: Dnsbl Spam Filtering

    6.2.5. The SMTP ALG security issue on the public Internet. Unsolicited email, sent out in massive quantities by groups known as spammers, can waste resources, transport malware, and try to direct the reader to web pages which might exploit browser vulnerabilities.
  • Page 223 6.2.5. The SMTP ALG weighted sum can then be calculated based on all responses. The administrator can configure one of the following actions based on the sum calculated: Dropped If the sum is greater than or equal to a predefined Drop threshold then the email is considered to be definitely SPAM and is discarded or alternatively sent to a single, special mailbox.
  • Page 224 6.2.5. The SMTP ALG And this is what the email's recipient will see in the summary of their inbox contents. The individual user could then decide to set up their own filters in the local client to deal with such tagged emails, possibly sending them to a separate folder.
  • Page 225 6.2.5. The SMTP ALG allowed through if this happens. Setup Summary To set up DNSBL SPAM filtering in the SMTP ALG, the following list summarizes the steps: • Specify which DNSBL servers are to be used. There can be multiple and they can act both as backups to each other as well as confirmation of a sender's status.
  • Page 226 6.2.6. The POP3 ALG The dnsbl CLI command provides a means to control and monitor the operation of the SPAM filtering module. The dnsbl command on its own without options shows the overall status of all ALGs.
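    The weighted-sum DNSBL classification described on pages 223 to 225, as an added illustration that is not NetDefendOS code: each configured DNSBL zone carries a weight, a listed sender adds that weight, the sum is compared with a Drop threshold and a lower tag threshold, and if no DNSBL server answers the mail is allowed through. The zone names, weights, thresholds and the offline resolver data are all constructed for the example.

```python
"""Weighted DNSBL SPAM scoring modelled on the SMTP ALG description above.
Added example, not NetDefendOS code; all zones and data are constructed."""
import ipaddress
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for DNS: query name -> A record, or None for NXDOMAIN.
# A DNSBL answers 127.x.x.x for a listed sender and NXDOMAIN otherwise.
SAMPLE_DNS: Dict[str, Optional[str]] = {
    "4.3.2.198.zen.example.test": "127.0.0.2",   # constructed listing
    "4.3.2.198.bl.example.test": "127.0.0.10",   # constructed listing
    "1.0.0.203.zen.example.test": "127.0.0.4",   # constructed listing
}

# Constructed DNSBL configuration: zone -> weight (assumed values).
SERVERS: Dict[str, int] = {
    "zen.example.test": 10,
    "bl.example.test": 8,
    "down.example.test": 5,    # this zone never answers in the sample data
}
DROP_THRESHOLD = 15   # assumed value, not a NetDefendOS default
TAG_THRESHOLD = 8     # assumed value, not a NetDefendOS default


def dnsbl_name(sender_ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(sender_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def sample_resolver(name: str) -> Optional[str]:
    """Offline replacement for a DNS A lookup over the constructed data.
    Lookups in the 'down' zone raise, simulating a DNSBL server failure."""
    if name.endswith(".down.example.test"):
        raise TimeoutError("DNSBL server did not respond")
    return SAMPLE_DNS.get(name)


def dnsbl_score(sender_ip: str,
                servers: Dict[str, int],
                resolver: Callable[[str], Optional[str]] = sample_resolver
                ) -> Tuple[int, int]:
    """Query every configured DNSBL and return (weighted_sum, servers_answered).
    A server that fails is skipped so the remaining servers act as backups."""
    total = 0
    answered = 0
    for zone, weight in servers.items():
        try:
            answer = resolver(dnsbl_name(sender_ip, zone))
        except (TimeoutError, OSError):
            continue
        answered += 1
        if answer is not None and answer.startswith("127."):
            total += weight
    return total, answered


def classify(sender_ip: str,
             servers: Dict[str, int] = SERVERS,
             drop_threshold: int = DROP_THRESHOLD,
             tag_threshold: int = TAG_THRESHOLD,
             resolver: Callable[[str], Optional[str]] = sample_resolver) -> str:
    """Return 'drop', 'tag' or 'allow' for the sending IP.
    'drop': sum >= Drop threshold, mail discarded (or diverted to a mailbox).
    'tag':  sum >= tag threshold, mail delivered with a SPAM tag in the subject.
    'allow': below both thresholds, or no DNSBL server could be reached."""
    total, answered = dnsbl_score(sender_ip, servers, resolver)
    if answered == 0:
        return "allow"      # no response from any DNSBL: let the mail through
    if total >= drop_threshold:
        return "drop"
    if total >= tag_threshold:
        return "tag"
    return "allow"


if __name__ == "__main__":
    for ip in ("198.2.3.4", "203.0.0.1", "10.0.0.5"):
        print(ip, dnsbl_score(ip, SERVERS), classify(ip))
```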
  • Page 227: The Pop3 Alg

    6.2.6. The POP3 ALG POP3 is a mail transfer protocol that differs from SMTP in that the transfer of mail is directly from a server to a user's client software. POP3 ALG Options Key features of the POP3 ALG are: Block Clear Text Authentication Block connections between client and server that send the...
  • Page 228: Pptp Alg Usage

    6.2.7. The PPTP ALG same server C at the same endpoint IP address, the first connection for A will be lost. The reason is that both clients are trying to establish a PPTP tunnel from the same external IP address to the same endpoint.
  • Page 229: The Sip Alg

    6.2.8. The SIP ALG Action Src Interface Src Network Dest Interface Dest Network Service lannet all-nets pptp_service PPTP ALG Settings The following settings are available for the PPTP ALG: Name A descriptive name for the ALG. Echo timeout Idle timeout for Echo messages in the PPTP tunnel.
  • Page 230 6.2.8. The SIP ALG Registrars A server that handles SIP REGISTER requests is given the special name of Registrar. The Registrar server has the task of locating the host where the other client is reachable. The Registrar and Proxy Server are logical entities and may, in fact, reside on the same physical server.
  • Page 231 6.2.8. The SIP ALG To understand how to set up SIP scenarios with NetDefendOS, it is important to first understand the SIP proxy Record-Route option. SIP proxies have the Record-Route option either enabled or disabled. When it is switched on, a proxy is known as a Stateful proxy. When Record-Route is enabled, a proxy is saying it will be the intermediary for all SIP signalling that takes place between two clients.
  • Page 232 6.2.8. The SIP ALG Protecting proxy and local clients - Proxy on the same network as clients The SIP session is between a client on the local, protected side of the NetDefend Firewall and a client which is on the external, unprotected side. The SIP proxy is located on the local, protected side of the NetDefend Firewall and can handle registrations from both clients located on the same local network as well as clients on the external, unprotected side.
  • Page 233 6.2.8. The SIP ALG technique should not be used. The NetDefendOS SIP ALG will take care of all NAT traversal issues in a SIP scenario. The setup steps for this scenario are as follows: Define a SIP ALG object using the options described above. Define a Service object which is associated with the SIP ALG object.
  • Page 234 6.2.8. The SIP ALG Action Src Interface Src Network Dest Interface Dest Network Allow lannet <All possible IPs> (or NAT) Allow <All possible IPs> lannet (or core) (or ipwan) The advantage of using Record-Route is clear since now the destination network for outgoing traffic and the source network for incoming traffic have to include all IP addresses that are possible.
  • Page 235 6.2.8. The SIP ALG Define three rules in the IP rule set: • A NAT rule for outbound traffic from the local proxy and the clients on the internal network to the remote clients on, for example, the Internet. The SIP ALG will take care of all address translation needed by the NAT rule.
  • Page 236 6.2.8. The SIP ALG The complexity is increased in this scenario since SIP messages flow across three interfaces: the receiving interface from the call initiator, the DMZ interface towards the proxy and the destination interface towards the call terminator. The initial message exchanges that take place when a call is set up in this scenario are illustrated below: The exchanges illustrated are as follows: •...
  • Page 237 6.2.8. The SIP ALG • The IP address of the SIP proxy must be a globally routable IP address. The NetDefend Firewall does not support hiding of the proxy on the DMZ. • The IP address of the DMZ interface must be a globally routable IP address. This address can be the same address as the one used on the external interface.
  • Page 238 6.2.8. The SIP ALG Action Src Interface Src Network Dest Interface Dest Network OutboundToProxy lannet ip_proxy OutboundFromProxy Allow ip_proxy all-nets InboundFromProxy Allow ip_proxy core dmz_ip InboundToProxy Allow all-nets ip_proxy With Record-Route disabled, the following IP rules must be added to those above: Action Src Interface Src Network...
  • Page 239: The H.323 Alg

    Action Src Interface Src Network Dest Interface Dest Network InboundBypassProxy Allow all-nets lannet 6.2.9. The H.323 ALG H.323 is a standard approved by the International Telecommunication Union (ITU) to allow compatibility in video conference transmissions over IP networks. It is used for real-time audio, video and data communication over packet-based networks such as the Internet.
  • Page 240 6.2.9. The H.323 ALG communication. Video and T.120 channels are also called logical channels during negotiation. T.120 A suite of communication and application protocols. Depending on the type of H.323 product, the T.120 protocol can be used for application sharing, file transfer as well as for conferencing features such as whiteboards.
  • Page 241: Protecting Phones Behind Netdefend Firewalls

    6.2.9. The H.323 ALG a configuration example of both the ALG and the rules is presented. The three service definitions used in these scenarios are: • Gatekeeper (UDP ALL > 1719) • H323 (H.323 ALG, TCP ALL > 1720) •...
  • Page 242: H.323 With Private Ip Addresses

    6.2.9. The H.323 ALG Go to Rules > IP Rules > Add > IPRule Now enter: • Name: H323AllowIn • Action: Allow • Service: H323 • Source Interface: any • Destination Interface: lan • Source Network: 0.0.0.0/0 (all-nets) •...
  • Page 243: Two Phones Behind Different Netdefend Firewalls

    6.2.9. The H.323 ALG • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: Allow incoming calls to H.323 phone at ip-phone For SAT enter Translate Destination IP Address: To New IP Address: ip-phone (IP address of phone) Click OK Go to Rules >...
  • Page 244: Using Private Ip Addresses

    6.2.9. The H.323 ALG Web Interface Outgoing Rule: Go to Rules > IP Rules > Add > IPRule Now enter: • Name: H323AllowOut • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any •...
  • Page 245: H.323 With Gatekeeper

    6.2.9. The H.323 ALG • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing calls Click OK Incoming Rules: Go to Rules > IP Rules > Add > IPRule Now enter: •...
  • Page 246 6.2.9. The H.323 ALG In this scenario, an H.323 gatekeeper is placed in the DMZ of the NetDefend Firewall. A rule is configured in the firewall to allow traffic between the private network, where the H.323 phones are connected on the internal network, and the Gatekeeper on the DMZ.
  • Page 247: H.323 With Gatekeeper And Two Netdefend Firewalls

    6.2.9. The H.323 ALG • Comment: Allow incoming communication with the Gatekeeper Click OK Go to Rules > IP Rules > Add > IPRule Now enter: • Name: H323In • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan •...
  • Page 248: Using The H.323 Alg In A Corporate Environment

    6.2.9. The H.323 ALG Web Interface Go to Rules > IP Rules > Add > IPRule Now enter: • Name: H323Out • Action: NAT • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: any • Source Network: lannet •...
  • Page 249 6.2.9. The H.323 ALG The head office has placed an H.323 Gatekeeper in the DMZ of the corporate NetDefend Firewall. This firewall should be configured as follows: Web Interface Go to Rules > IP Rules > Add > IPRule Now enter: •...
  • Page 250 6.2.9. The H.323 ALG • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gateway • Comment: Allow H.323 entities on lannet to call phones connected to the H.323 Gateway on the DMZ Click OK Go to Rules >...
  • Page 251: Configuring Remote Offices For H.323

    6.2.9. The H.323 ALG Click OK Example 6.11. Configuring remote offices for H.323 If the branch and remote office H.323 phones and applications are to be configured to use the H.323 Gatekeeper at the head office, the NetDefend Firewalls in the remote and branch offices should be configured as follows: (this rule should be in both the Branch and Remote Office firewalls).
  • Page 252: The Tls Alg

    the communication between "external" phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper. 6.2.10. The TLS ALG Overview Transport Layer Security (TLS) is a protocol that provides secure communications over the public Internet between two end points through the use of cryptography as well as providing endpoint...
  • Page 253 6.2.10. The TLS ALG Advantages of Using NetDefendOS for TLS Termination TLS can be implemented directly in the server to which clients connect; however, if the servers are protected behind a NetDefend Firewall, then NetDefendOS can take on the role of the TLS endpoint.
  • Page 254 6.2.10. The TLS ALG Optionally, a SAT rule can be created to change the destination port for the unencrypted traffic. Alternatively an SLB_SAT rule can be used to do load balancing (the destination port can also be changed through a custom service object).
  • Page 255: Web Content Filtering

    6.3. Web Content Filtering 6.3.1. Overview Web traffic is one of the biggest sources of security issues and misuse of the Internet. Inappropriate surfing habits can expose a network to many security threats as well as legal and regulatory liabilities.
  • Page 256: Static Content Filtering

    6.3.3. Static Content Filtering Removing such legitimate code could, at best, cause the web site to look distorted and, at worst, cause it to not work in a browser at all. Active Content Handling should therefore only be used when the consequences are well understood. Example 6.13.
  • Page 257: Setting Up A White And Blacklist

    In this small scenario a general surfing policy prevents users from downloading .exe files. However, the D-Link website provides secure and necessary program files which should be allowed to download.
  • Page 258: Dynamic Web Content Filtering

    NetDefendOS Dynamic WCF allows web page blocking to be automated so it is not necessary to manually specify beforehand which URLs to block or to allow. Instead, D-Link maintains a global infrastructure of databases containing huge numbers of current web site URL addresses which are already classified and grouped into a variety of categories such as shopping, news, sport, adult-oriented and so on.
  • Page 259: Dynamic Content Filtering Flow

    If the requested web page URL is not present in the databases, then the webpage content at the URL will automatically be downloaded to D-Link's central data warehouse and automatically analyzed using a combination of software techniques. Once categorized, the URL is distributed to the global databases and NetDefendOS receives the category for the URL.
  • Page 260: Enabling Dynamic Web Content Filtering

    6.3.4. Dynamic Web Content Filtering Activation Dynamic Content Filtering is a feature that is enabled by taking out a separate subscription to the service. This is an addition to the normal NetDefendOS license. Once a subscription is taken out, an HTTP Application Layer Gateway (ALG) Object should be defined with Dynamic Content Filtering enabled.
  • Page 261 6.3.4. Dynamic Web Content Filtering Go to Objects > ALG > Add > HTTP ALG Specify a suitable name for the ALG, for example content_filtering Click the Web Content Filtering tab Select Enabled in the Mode list In the Blocked Categories list, select Search Sites and click the >>...
  • Page 262: Enabling Audit Mode

    6.3.4. Dynamic Web Content Filtering easier to evaluate if the goals of site blocking are being met. Example 6.16. Enabling Audit Mode This example is based on the same scenario as the previous example, but now with audit mode enabled. Command-Line Interface First, create an HTTP Application Layer Gateway (ALG) Object: gw-world:/>...
  • Page 263: Reclassifying A Blocked Site

    The URL to the requested web site as well as the proposed category will then be sent to D-Link's central data warehouse for manual inspection. That inspection may result in the web site being reclassified, either according to the category proposed or to a category which is felt to be correct.
  • Page 264 6.3.4. Dynamic Web Content Filtering of each category. Category 1: Adult Content A web site may be classified under the Adult Content category if its content includes the description or depiction of erotic or sexual acts or sexually oriented material such as pornography. Exceptions to this are web sites that contain information relating to sexuality and sexual health, which may be classified under the Health Sites Category (21).
  • Page 265 6.3.4. Dynamic Web Content Filtering • www.flythere.nu • www.reallycheaptix.com.au Category 6: Shopping A web site may be classified under the Shopping category if its content includes any form of advertisement of goods or services to be exchanged for money, and may also include the facilities to perform that transaction online.
  • Page 266 6.3.4. Dynamic Web Content Filtering computer game related software, or playing or participating in online games. Examples might be: • www.gamesunlimited.com • www.gameplace.com Category 11: Investment Sites A web site may be classified under the Investment Sites category if its content includes information, services or facilities pertaining to personal investment.
  • Page 267 6.3.4. Dynamic Web Content Filtering • www.political.com Category 16: Sports A web site may be classified under the Sports category if its content includes information or instructions relating to recreational or professional sports, or reviews on sporting events and sports scores.
  • Page 268 6.3.4. Dynamic Web Content Filtering Category 21: Health Sites A web site may be classified under the Health Sites category if its content includes health related information or services, including sexuality and sexual health, as well as support groups, hospital and surgical information and medical journals.
  • Page 269 6.3.4. Dynamic Web Content Filtering • highschoolessays.org • www.learn-at-home.com Category 27: Advertising A web site may be classified under the Advertising category if its main focus includes providing advertising related information or services. Examples might be: •...
  • Page 270: Editing Content Filtering Http Banner Files

    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Category 32: Non-Managed Unclassified sites and sites that do not fit one of the other categories will be placed in this category. It is unusual to block this category since this could result in most harmless URLs being blocked. 6.3.4.4.
  • Page 271 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Tip: Saving changes In the above example, more than one HTML file can be edited in a session but the Save button should be pressed to save any edits before beginning editing on another file.
  • Page 272: Anti-Virus Scanning

    The POP3 ALG • The SMTP ALG Note: Anti-Virus is not available on all NetDefend models Anti-Virus scanning is available only on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. 6.4.2. Implementation Streaming As a file transfer is streamed through the NetDefend Firewall, NetDefendOS will scan the data stream for the presence of viruses if the Anti-Virus module is enabled.
  • Page 273: Activating Anti-Virus Scanning

    Types of File Downloads Scanned As described above, Anti-Virus scanning is enabled on a per ALG basis and can scan file downloads associated with the HTTP, FTP, SMTP and POP3 ALGs. More specifically: •...
  • Page 274: The Signature Database

    D-Link Anti-Virus subscription. 6.4.5. Subscribing to the D-Link Anti-Virus Service The D-Link Anti-Virus feature is purchased as an additional component to the base D-Link license and is bought in the form of a renewable subscription. An Anti-Virus subscription includes regular updates of the Kaspersky SafeStream database during the subscription period with the signatures of the latest virus threats.
  • Page 275 the excluded list is checked. 3. Compression Ratio Limit When scanning compressed files, NetDefendOS must apply decompression to examine the file's contents. Some types of data can result in very high compression ratios where the compressed file is a small fraction of the original uncompressed file size (a so-called decompression bomb). Inflating such a file without a ceiling would exhaust the scanner's memory, which is why the ratio is capped.
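The following is an added example, not NetDefendOS code, showing how a scanner enforces a compression ratio limit while inflating an archive member: it inflates a zlib stream chunk by chunk and aborts as soon as inflated bytes divided by compressed bytes passes the limit, instead of inflating everything first. The limit values and both sample payloads are constructed for the example.

```python
"""Compression ratio limit for archive scanning (added example, not NetDefendOS code).

Inflating an archive member without a ceiling lets a small "decompression
bomb" exhaust the scanner's memory. The guard below inflates a zlib stream
chunk by chunk and aborts as soon as inflated bytes / compressed bytes
passes the limit. The limits and both sample payloads are constructed for
this example.
"""
import hashlib
import zlib

MAX_RATIO = 20          # assumed policy: reject anything above 20:1
MAX_INFLATED = 1 << 24  # assumed hard cap on inflated size (16 MiB)


class CompressionRatioExceeded(Exception):
    """Raised when an archive member inflates past the configured limits."""


def inflate_with_limit(compressed: bytes, max_ratio: float = MAX_RATIO,
                       max_inflated: int = MAX_INFLATED,
                       chunk: int = 64 * 1024) -> bytes:
    """Inflate a zlib stream, re-checking the ratio after every output chunk.

    max_length on decompress() caps the output per call and hands the
    unprocessed input back in unconsumed_tail, so the check runs after at
    most `chunk` further bytes rather than on the fully inflated stream.
    """
    d = zlib.decompressobj()
    out = bytearray()
    remaining = compressed
    while not d.eof:
        produced = d.decompress(remaining, chunk)
        remaining = d.unconsumed_tail
        if not produced and not remaining:
            break  # truncated stream: nothing more can be decoded
        out += produced
        consumed = len(compressed) - len(remaining)
        ratio = len(out) / max(consumed, 1)
        if ratio > max_ratio or len(out) > max_inflated:
            raise CompressionRatioExceeded(
                f"{len(out)} bytes from {consumed} compressed "
                f"(ratio {ratio:.0f}:1, limit {max_ratio}:1)")
    out += d.flush()
    return bytes(out)


def check_archive_member(compressed: bytes) -> dict:
    """Verdict an AV engine reaches before handing the content to signature scanning."""
    try:
        data = inflate_with_limit(compressed)
    except CompressionRatioExceeded as exc:
        return {"verdict": "rejected", "reason": str(exc)}
    return {"verdict": "scan", "inflated_bytes": len(data)}


# Constructed samples: 128 KiB of incompressible bytes (ratio about 1:1) and
# 8 MiB of zeros that deflates to a few KiB (ratio in the thousands).
SAMPLE_BENIGN = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                         for i in range(4096))
SAMPLE_BENIGN_COMPRESSED = zlib.compress(SAMPLE_BENIGN)
SAMPLE_BOMB = zlib.compress(b"\0" * (8 << 20), 9)

if __name__ == "__main__":
    print(check_archive_member(SAMPLE_BENIGN_COMPRESSED))
    print(check_archive_member(SAMPLE_BOMB))
```

The ratio is evaluated on the bytes consumed so far, not on the archive's declared sizes, because size fields in an archive header are attacker-controlled; the absolute cap catches large, low-ratio inputs the ratio alone would let through.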
  • Page 276: Activating Anti-Virus Scanning

    This reconfiguration causes a failover so the passive unit becomes the active unit. When the update is completed, the newly active unit also downloads the files for the update and performs a reconfiguration. This second reconfiguration causes another failover so the passive unit reverts back to being active again.
  • Page 277 Web Interface A. First, create an HTTP ALG Object: Go to Objects > ALG > Add > HTTP ALG Specify a suitable name for the ALG, for instance anti_virus Click the Antivirus tab Select Protect in the Mode dropdown list Click OK B.
  • Page 278: Intrusion Detection And Prevention

    If NetDefendOS IDP detects an intrusion then the Action specified for the triggering IDP Rule is taken. IDP Rules, Pattern Matching and IDP Rule Actions are described in the sections which follow. 6.5.2. IDP Availability for D-Link Models Maintenance and Advanced IDP D-Link offers two types of IDP:...
  • Page 279: Idp Database Updating

    The standard subscription is for 12 months and provides automatic IDP signature database updates. This IDP option is available for all D-Link NetDefend models, including those that don't come as standard with Maintenance IDP. Maintenance IDP can be viewed as a restricted subset of Advanced IDP and the following sections describe how the Advanced IDP option functions.
  • Page 280: Idp Rules

    A new, updated signature database is downloaded automatically by NetDefendOS at a configurable interval. This is done via an HTTP connection to the D-Link server network which delivers the latest signature database updates. If the server's signature database has a newer version than the current local database, the new database will be downloaded, replacing the older version.
  • Page 281: Insertion/Evasion Attack Prevention

    HTTP Normalization Each IDP rule has a section of settings for HTTP normalization. This allows the administrator to choose the actions that should be taken when IDP finds inconsistencies in the URIs embedded in incoming HTTP requests.
  • Page 282: Idp Pattern Matching

    aimed at evading IDP mechanisms. It exploits the fact that in a TCP/IP data transfer, the data stream must often be reassembled from smaller pieces of data because the individual pieces either arrive in the wrong order or are fragmented in some way.
  • Page 283: Idp Signature Groups

    Attackers who build new intrusions often re-use older code. This means their new attacks can appear "in the wild" quickly. To counter this, D-Link IDP uses an approach where the module scans for these reusable components, with pattern matching looking for building blocks rather than the entire complete code patterns.
  • Page 284 least possible number of signatures. Specifying Signature Groups IDP Signature Groups fall into a three level hierarchical structure. The top level of this hierarchy is the signature Type, the second level the Category and the third level the Sub-Category. The signature group called POLICY_DB_MSSQL illustrates this principle where Policy is the Type, DB is the Category and MSSQL is the Sub-Category.
  • Page 285: Idp Actions

    Section 6.7, “Blacklisting Hosts and Networks”. IDP ZoneDefense The Protect action includes the option that the particular D-Link switch that triggers the IDP Rule can be de-activated through the D-Link ZoneDefense feature. For more details on how ZoneDefense functions see Chapter 12, ZoneDefense.
  • Page 286: Configuring An Smtp Log Receiver

    Example 6.20. Configuring an SMTP Log Receiver In this example, an IDP Rule is configured with an SMTP Log Receiver. Once an IDP event occurs, the Rule is triggered. At least one new event occurs within the Hold Time of 120 seconds, thus reaching the log threshold level (at least 2 events have occurred).
  • Page 287 the firewall on the WAN interface as illustrated below. An IDP rule called IDPMailSrvRule will be created, and the Service to use is the SMTP service. Source Interface and Source Network define where traffic is coming from, in this example the external network. The Destination Interface and Destination Network define where traffic is directed to, in this case the mail server.
  • Page 288 • Destination Network: ip_mailserver • Click OK Specify the Action: An action is now defined, specifying what signatures the IDP should use when scanning data matching the rule, and what NetDefendOS should do when a possible intrusion is detected. In this example, intrusion attempts will cause the connection to be dropped, so Action is set to Protect.
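The Hold Time and log threshold behaviour of Example 6.20, as an added illustration that is not NetDefendOS code: events are collected for the hold time starting at the first event of a window, and a mail is produced only when at least the threshold number of events arrived in that window. The event records, rule name usage, signature labels and mail addresses are constructed for the example.

```python
"""Hold Time / Log Threshold batching for IDP mail alerts.

Added example, not NetDefendOS code: it reproduces the behaviour that
Example 6.20 describes. Events are collected for hold_time seconds from
the first event of a window, and a mail is built only if at least
threshold events arrived in that window; lone events are discarded.
The event records and mail addresses are constructed for the example.
"""
from dataclasses import dataclass
from email.message import EmailMessage

HOLD_TIME = 120  # seconds, as in Example 6.20
THRESHOLD = 2    # events required within HOLD_TIME, as in Example 6.20


@dataclass(frozen=True)
class IdpEvent:
    ts: int          # epoch seconds
    rule: str
    signature: str   # constructed label, not a real signature name
    src: str
    dst: str


def batch_events(events, hold_time=HOLD_TIME, threshold=THRESHOLD):
    """Group events into hold-time windows; return the windows that reached threshold."""
    batches, window, window_start = [], [], None
    for ev in sorted(events, key=lambda e: e.ts):
        if window and ev.ts - window_start >= hold_time:
            if len(window) >= threshold:
                batches.append(window)
            window = []
        if not window:
            window_start = ev.ts
        window.append(ev)
    if len(window) >= threshold:  # flush the last window
        batches.append(window)
    return batches


def build_mail(batch, sender="netdefend@example.net", recipient="soc@example.net"):
    """Render one batch as the mail an SMTP log receiver would send."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"IDP: {len(batch)} events for rule {batch[0].rule}"
    msg.set_content("\n".join(
        f"{e.ts} {e.signature} {e.src} -> {e.dst}" for e in batch))
    return msg


# Constructed events: two within one hold-time window, then three stragglers
# spread too thinly to reach the threshold.
SAMPLE_EVENTS = [
    IdpEvent(1000, "IDPMailSrvRule", "sig-1", "203.0.113.5", "ip_mailserver"),
    IdpEvent(1050, "IDPMailSrvRule", "sig-2", "203.0.113.5", "ip_mailserver"),
    IdpEvent(1400, "IDPMailSrvRule", "sig-1", "198.51.100.9", "ip_mailserver"),
    IdpEvent(1700, "IDPMailSrvRule", "sig-3", "203.0.113.77", "ip_mailserver"),
    IdpEvent(1900, "IDPMailSrvRule", "sig-1", "203.0.113.77", "ip_mailserver"),
]

if __name__ == "__main__":
    for batch in batch_events(SAMPLE_EVENTS):
        print(build_mail(batch))
```

With the sample input only the first two events are reported; a threshold of 1 would instead produce four mails, which is the flood the threshold setting exists to prevent.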
  • Page 289: Denial-Of-Service Attack Prevention

    6.6. Denial-of-Service Attack Prevention 6.6.1. Overview By embracing the Internet, enterprises experience new business opportunities and growth. The enterprise network and the applications that run over it are business critical. Not only can a company reach a larger number of customers via the Internet, it can serve them faster and more efficiently.
  • Page 290: Fragmentation Overlap Attacks: Teardrop, Bonk, Boink And Nestea

    intended victim. "Jolt" is simply a purpose-written program for generating such packets on operating systems whose ping commands refuse to generate oversized packets. The triggering factor is that the last fragment makes the total packet size exceed 65535 bytes, which is the highest number that a 16-bit integer can store.
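The two reassembly checks behind the attacks described here, as an added example that is not NetDefendOS code: a datagram whose last fragment pushes the total past 65535 bytes is rejected as oversize (Ping of Death, Jol), and fragments that overlap with conflicting bytes are rejected rather than resolved one way or the other (the Teardrop family, and the same overlap trick that is used against an IDP whose reassembly differs from the end host's, as the IDP pattern matching section notes). The fragments are constructed in-memory records with payload offsets, not parsed packets.

```python
"""Fragment sanity checks: oversize datagrams and overlapping fragments.

Added example, not NetDefendOS code. It models the two checks a firewall's
reassembly stage applies to the attacks above: the reassembled datagram
must fit the 16-bit IP total-length field (Ping of Death / Jolt), and
fragments must not overlap with conflicting data (the Teardrop family,
and the overlap trick used to evade an IDP that reassembles differently
from the end host). Fragments are constructed in-memory records, not
parsed packets.
"""
from dataclasses import dataclass

MAX_DATAGRAM = 65535  # largest value the 16-bit IP total-length field can hold
IP_HEADER = 20        # minimum IPv4 header; fragment offsets count payload bytes


@dataclass(frozen=True)
class Fragment:
    offset: int   # payload byte offset (the IP field counts 8-byte units)
    more: bool    # MF flag: True unless this is the last fragment
    data: bytes


def check_fragments(fragments):
    """Return (verdict, detail); verdict is ok, oversize, overlap, malformed or incomplete."""
    seen = {}           # payload offset -> byte, for byte-wise overlap comparison
    final_end = None
    for f in sorted(fragments, key=lambda f: f.offset):
        if f.offset % 8 or (f.more and len(f.data) % 8):
            return "malformed", f"fragment at {f.offset} violates 8-byte alignment"
        end = f.offset + len(f.data)
        if IP_HEADER + end > MAX_DATAGRAM:
            return "oversize", f"datagram would be {IP_HEADER + end} bytes"
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in seen and seen[pos] != b:
                # identical overlapping bytes (a retransmission) are tolerated;
                # conflicting bytes are the attack signature
                return "overlap", f"conflicting data at payload offset {pos}"
            seen[pos] = b
        if not f.more:
            if final_end is not None and final_end != end:
                return "overlap", "two final fragments with different lengths"
            final_end = end
    if final_end is None:
        return "incomplete", "no final fragment received"
    if seen and max(seen) + 1 > final_end:
        return "overlap", "data extends beyond the final fragment"
    if len(seen) != final_end:
        return "incomplete", "gap in payload"
    return "ok", f"{final_end} payload bytes reassembled"


# Constructed samples (payload bytes only; offsets as they would be after x8)
SAMPLE_NORMAL = [Fragment(0, True, b"A" * 32), Fragment(32, False, b"B" * 10)]
SAMPLE_RETRANSMIT = [Fragment(0, True, b"A" * 32),
                     Fragment(24, False, b"A" * 8 + b"B" * 8)]
SAMPLE_TEARDROP = [Fragment(0, True, b"A" * 32), Fragment(24, False, b"B" * 4)]
# Ping of Death: a last fragment at the maximum offset 8191*8 = 65528 carrying
# 16 bytes makes the reassembled datagram 65564 bytes, more than 65535.
SAMPLE_PING_OF_DEATH = [Fragment(0, True, b"\0" * 8),
                        Fragment(65528, False, b"\0" * 16)]

if __name__ == "__main__":
    for name in ("SAMPLE_NORMAL", "SAMPLE_RETRANSMIT",
                 "SAMPLE_TEARDROP", "SAMPLE_PING_OF_DEATH"):
        print(name, check_fragments(globals()[name]))
```

The same conflicting-overlap rule applies to TCP segment reassembly in front of the IDP: dropping overlapping segments whose bytes disagree removes the ambiguity an evasion relies on, at the cost of occasionally dropping a genuinely corrupt retransmission.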
  • Page 291: Amplification Attacks: Smurf, Papasmurf, Fraggle

    • By stripping the URG bit by default from all TCP segments traversing the system (configurable via Advanced Settings > TCP > TCPUrg). WinNuke attacks will usually show up in NetDefendOS logs as normal drops with the name of the rule in your policy that disallowed the connection attempt.
  • Page 292: Tcp Syn Flood Attacks

    6.6.8. TCP SYN Flood Attacks TCP SYN flood attacks work by sending large numbers of TCP SYN packets to a given port and then not responding to the SYN ACKs sent in response. This will tie up local TCP stack resources on the victim's web server so that it is unable to respond to more SYN packets until the existing half-open connections have timed out.
  • Page 293 attacks on victim sites. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims. Although recent DDoS attacks have been launched from both private corporate and public institutional systems, attackers often prefer university or institutional networks because of their open, distributed nature.
  • Page 294: Blacklisting Hosts And Networks

    6.7. Blacklisting Hosts and Networks Overview NetDefendOS implements a Blacklist of host or network IP addresses which can be utilized to protect against traffic coming from specific Internet sources. Certain NetDefendOS subsystems have the ability to optionally blacklist a host or network when certain conditions are encountered.
  • Page 295: Adding A Host To The Whitelist

    blacklisted, it still does not prevent NetDefendOS mechanisms such as Threshold Rules from dropping or denying connections from that source. What whitelisting does is prevent a source being added to a blacklist if that is the action a rule has specified. For further details on usage see Section 6.5.7, “IDP Actions”, Section 10.3.8, “Threshold Rule Blacklisting”...
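The whitelist semantics stated above, as an added example that is not NetDefendOS code: a rule that fires with a drop action drops the connection whether or not the source is whitelisted; the whitelist only stops the source from being added to the blacklist. Blacklist entries carry an optional expiry. The networks and addresses are constructed.

```python
"""Blacklist with whitelist precedence and timed entries.

Added example, not NetDefendOS code; it models the semantics stated
above. A rule that fires with a drop action still drops the connection
whether or not the source is whitelisted; the whitelist only prevents
the source from being added to the blacklist. Blacklist entries may
carry an expiry. The networks and addresses below are constructed.
"""
import ipaddress


class BlockLists:
    def __init__(self, whitelist=()):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blacklist = {}  # ip_network -> expiry epoch seconds, or None for no expiry

    def is_whitelisted(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.whitelist)

    def is_blacklisted(self, addr, now):
        ip = ipaddress.ip_address(addr)
        for net, expiry in list(self.blacklist.items()):
            if expiry is not None and expiry <= now:
                del self.blacklist[net]  # lazy expiry on lookup
            elif ip in net:
                return True
        return False

    def add_to_blacklist(self, addr, now, seconds=None):
        """Return True if added; whitelisted sources are never added."""
        if self.is_whitelisted(addr):
            return False
        net = ipaddress.ip_network(addr)
        self.blacklist[net] = None if seconds is None else now + seconds
        return True

    def handle(self, src, now, rule_hit=False, blacklist=False, seconds=None):
        """Decide a new connection from src at time now.

        rule_hit: a rule such as a threshold or IDP rule fired with a drop action.
        blacklist/seconds: that rule also asked for the source to be blacklisted.
        Returns (verdict, reason).
        """
        if self.is_blacklisted(src, now):
            return "drop", "source is blacklisted"
        if not rule_hit:
            return "allow", "no rule hit"
        if blacklist:
            if self.add_to_blacklist(src, now, seconds):
                return "drop", "rule hit; source blacklisted"
            return "drop", "rule hit; whitelisted source not blacklisted"
        return "drop", "rule hit"


if __name__ == "__main__":
    lists = BlockLists(whitelist=["192.0.2.0/24"])  # constructed management network
    print(lists.handle("192.0.2.10", 100, rule_hit=True, blacklist=True, seconds=60))
    print(lists.handle("203.0.113.7", 100, rule_hit=True, blacklist=True, seconds=60))
    print(lists.handle("203.0.113.7", 130), lists.handle("203.0.113.7", 161))
```

Whitelisting the management network and the remote peers of VPN tunnels is the usual precaution, since a threshold rule that blacklists one of those sources locks the administrator out as effectively as it locks out an attacker.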
  • Page 297: Address Translation

    Chapter 7. Address Translation This chapter describes NetDefendOS address translation capabilities. • Overview, page 297 • NAT, page 298 • NAT Pools, page 303 • SAT, page 306 7.1. Overview The ability of NetDefendOS to change the IP address of packets as they pass through the NetDefend Firewall is known as address translation.
  • Page 298: Nat

    7.2. NAT Dynamic Network Address Translation (NAT) provides a mechanism for translating original source IP addresses to a different address. Outgoing packets then appear to come from a different IP address and incoming packets back to that address have their IP address translated back to the original IP address.
  • Page 299 Tip: Use NAT pools to get around the connection limit The connection maximum per unique IP pair is normally adequate for all but the most extreme scenarios. However, to increase the number of NAT connections that can exist between the NetDefend Firewall and a particular external host IP, the NetDefendOS NAT pools feature can be used which can automatically make use of additional IP addresses on the firewall.
  • Page 300: Adding A Nat Rule

    NetDefendOS receives the packet and compares it to its list of open connections. Once it finds the connection in question, it restores the original address and forwards the packet. 195.55.66.77:80 => 192.168.1.5:1038 The original sender now receives the response. Example 7.1.
  • Page 301: Anonymizing With Nat

    This means that: • An internal machine can communicate with several external servers using the same IP protocol. • An internal machine can communicate with several external servers using different IP protocols. • Several internal machines can communicate with different external servers using the same IP protocol.
  • Page 302 NetDefendOS is set up with NAT rules in the IP rule set so it takes communication traffic coming from the client and NATs it back out onto the Internet. Communication with the client is with the PPTP protocol but the PPTP tunnel from the client terminates at the firewall.
  • Page 303: Nat Pools

    7.3. NAT Pools Overview As discussed in Section 7.2, “NAT”, NAT provides a way to have multiple internal clients and hosts with unique private internal IP addresses communicate to remote hosts through a single external public IP address.
  • Page 304: Using Nat Pools

    Stateless NAT Pools The Stateless option means that no state table is maintained and the external IP address chosen for each new connection is the one that has the least connections already allocated to it. This means two connections from one internal host to the same external host may use two different external IP addresses.
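The NAT packet walk above (source rewritten on the way out, the connection recorded, the reply 195.55.66.77:80 => 192.168.1.5:1038 restored from that record) together with the stateless pool choice just described, as one added example that is not NetDefendOS code. The firewall's external address 203.0.113.1, the range of translated source ports, and the per-IP-pair limit that range implies are assumptions made for the example.

```python
"""Dynamic NAT with connection tracking and a stateless NAT pool.

Added example, not NetDefendOS code. It follows the packet walk above: an
outbound packet's source address and port are rewritten and the
connection recorded, and the reply (195.55.66.77:80 => 192.168.1.5:1038)
is restored by looking the connection up. With more than one external
address it applies the stateless pool choice described above: each new
connection takes the external address with the fewest connections. The
firewall's external address 203.0.113.1, the translation port range and
the per-IP-pair limit it implies are assumptions for the example.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "proto src_ip src_port dst_ip dst_port")

DEFAULT_PORTS = range(32768, 61000)  # assumed range of translated source ports


class DynamicNat:
    def __init__(self, external_ips, port_range=DEFAULT_PORTS):
        self.external_ips = list(external_ips)
        self.port_range = port_range
        self.active = {ip: 0 for ip in self.external_ips}
        self.next_port = {}     # (external ip, remote ip) -> next free port
        self.connections = {}   # reply 5-tuple -> original outbound Flow

    def _pick_external(self):
        # Stateless pool: the address with the least connections wins; a single
        # address is simply a pool of one.
        return min(self.external_ips, key=lambda ip: self.active[ip])

    def _pick_port(self, ext_ip, remote_ip):
        # Ports are unique per (external ip, remote ip) pair, which is where the
        # "connection maximum per unique IP pair" comes from.
        port = self.next_port.get((ext_ip, remote_ip), self.port_range.start)
        if port >= self.port_range.stop:
            raise RuntimeError(
                f"no free port between {ext_ip} and {remote_ip}; add a NAT pool")
        self.next_port[(ext_ip, remote_ip)] = port + 1
        return port

    def outbound(self, flow):
        """Translate a new outbound connection and record it."""
        ext_ip = self._pick_external()
        ext_port = self._pick_port(ext_ip, flow.dst_ip)
        translated = flow._replace(src_ip=ext_ip, src_port=ext_port)
        # Key the record by what the reply will look like: remote -> external.
        reply_key = Flow(flow.proto, flow.dst_ip, flow.dst_port, ext_ip, ext_port)
        self.connections[reply_key] = flow
        self.active[ext_ip] += 1
        return translated

    def inbound(self, flow):
        """Restore the original destination of a reply, or None if no connection matches."""
        original = self.connections.get(flow)
        if original is None:
            return None  # unsolicited packet: no open connection, so it is dropped
        return flow._replace(dst_ip=original.src_ip, dst_port=original.src_port)


if __name__ == "__main__":
    nat = DynamicNat(["203.0.113.1"])
    out = nat.outbound(Flow("tcp", "192.168.1.5", 1038, "195.55.66.77", 80))
    print(out)
    print(nat.inbound(Flow("tcp", "195.55.66.77", 80, out.src_ip, out.src_port)))
```

Because the connection record is keyed on the full reply 5-tuple, an inbound packet from a different remote host to the same translated port finds no entry and is dropped, which is the behaviour the text describes for packets that do not belong to an open connection.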
  • Page 305 Web Interface A. First create an object in the address book for the address range: Go to Objects > Address Book > Add > IP address Specify a suitable name for the IP range nat_pool_range Enter 10.6.13.10-10.6.13.15 in the IP Address textbox (a network such as 10.6.13.0/24 could be used here - the 0 and 255 addresses will be automatically removed)
  • Page 306: Sat

    7.4. SAT NetDefendOS can translate entire ranges of IP addresses and/or ports. Such translations are transpositions: each address or port is mapped to a corresponding address or port in the new range, rather than translating them all to the same address or port. In NetDefendOS this functionality is known as Static Address Translation (SAT).
  • Page 307 SourceNetwork=all-nets DestinationInterface=core DestinationNetwork=wan_ip SATTranslate=DestinationIP SATTranslateToIP=10.10.10.5 Name=SAT_HTTP_To_DMZ Then create a corresponding Allow rule: gw-world:/main> add IPRule action=Allow Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=core DestinationNetwork=wan_ip Name=Allow_HTTP_To_DMZ Web Interface First create a SAT rule: Go to Rules >...
  • Page 308: Enabling Traffic To A Web Server On An Internal Network

    These two rules allow us to access the web server via the NetDefend Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection. Of course, we also need a rule that allows internal machines to be dynamically address translated to the Internet.
  • Page 309 In order for external users to access the web server, they must be able to contact it using a public address. In this example, we have chosen to translate port 80 on the NetDefend Firewall's external address to port 80 on the web server: Action Src Iface...
  • Page 310: Translation Of Multiple Ip Addresses (M:n)

    • The reply arrives and both address translations are restored: 195.55.66.77:80 => 10.0.0.3:1038 In this way, the reply arrives at PC1 from the expected address. Another possible solution to this problem is to allow internal clients to speak directly to 10.0.0.2 and this would completely avoid all the problems associated with address translation.
  • Page 311 Address=195.55.66.77-195.55.66.81 Now, create another object for the base of the web server IP addresses: gw-world:/> add Address IP4Address wwwsrv_priv_base Address=10.10.10.5 Publish the public IP addresses on the wan interface using ARP publish. One ARP item is needed for every IP address: gw-world:/>...
  • Page 312: All-To-One Mappings (N:1)

    Create a SAT rule for the translation: Go to Rules > IP Rules > Add > IPRule Specify a suitable name for the rule, for example SAT_HTTP_To_DMZ Now enter: • Action: SAT •...
  • Page 313: Port Translation

    Note When all-nets is the destination, All-to-One mapping is always done. 7.4.4. Port Translation Port Translation (PAT) (also known as Port Address Translation) can be used to modify the source or destination port. Action Src Iface Src Net...
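The SAT variants of this section evaluated in one place, as an added example that is not NetDefendOS code: a single public address mapped 1:1 to 10.10.10.5, the range 195.55.66.77-195.55.66.81 transposed onto 10.10.10.5 and upward (M:N), an all-nets destination which, per the note above, is always all-to-one (N:1), and a destination port rewrite (PAT). The firewall's own public address 203.0.113.1 and the translated port 8080 are assumptions; as the text explains, each SAT rule still needs a matching Allow rule to permit the connection.

```python
"""Static Address Translation: 1:1, M:N transposition, N:1 and port translation.

Added example, not NetDefendOS code. It evaluates SAT rules like the ones
in the examples above: one public address mapped to 10.10.10.5, the range
195.55.66.77-195.55.66.81 transposed onto 10.10.10.5 and upward, an
all-nets rule (which, as the note above says, is always all-to-one), and
a destination port rewrite. The firewall's public address 203.0.113.1 and
the translated port 8080 are assumed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ALL_NETS = (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))


@dataclass
class SatRule:
    name: str
    dest_first: IPv4Address
    dest_last: IPv4Address
    new_base: IPv4Address
    all_to_one: bool = False
    service_port: Optional[int] = None  # match only this destination port, if set
    new_port: Optional[int] = None      # rewrite the destination port to this, if set

    def matches(self, dst, port):
        if not (self.dest_first <= dst <= self.dest_last):
            return False
        return self.service_port is None or port == self.service_port

    def translate(self, dst, port):
        if self.all_to_one or (self.dest_first, self.dest_last) == ALL_NETS:
            new_ip = self.new_base
        else:
            # transposition: keep the offset within the range, move the base
            new_ip = self.new_base + (int(dst) - int(self.dest_first))
        return new_ip, (port if self.new_port is None else self.new_port)


def apply_sat(rules, dst_ip, dst_port):
    """First matching rule wins; returns (rule name, new ip, new port) or None."""
    dst = IPv4Address(dst_ip)
    for rule in rules:
        if rule.matches(dst, dst_port):
            new_ip, new_port = rule.translate(dst, dst_port)
            return rule.name, str(new_ip), new_port
    return None


def rng(first, last):
    return IPv4Address(first), IPv4Address(last)


# Constructed rule sets mirroring the examples above
RULES_1_TO_1 = [SatRule("SAT_HTTP_To_DMZ", *rng("203.0.113.1", "203.0.113.1"),
                        IPv4Address("10.10.10.5"), service_port=80)]
RULES_M_TO_N = [SatRule("SAT_WWW_Range", *rng("195.55.66.77", "195.55.66.81"),
                        IPv4Address("10.10.10.5"), service_port=80)]
RULES_N_TO_1 = [SatRule("SAT_All_To_One", *ALL_NETS, IPv4Address("10.10.10.5"))]
RULES_PAT = [SatRule("SAT_PAT", *rng("203.0.113.1", "203.0.113.1"),
                     IPv4Address("10.10.10.5"), service_port=80, new_port=8080)]

if __name__ == "__main__":
    print(apply_sat(RULES_M_TO_N, "195.55.66.79", 80))   # fifth address -> 10.10.10.7
    print(apply_sat(RULES_M_TO_N, "195.55.66.82", 80))   # outside the range -> None
    print(apply_sat(RULES_PAT, "203.0.113.1", 80))       # port 80 -> 8080
```

For the M:N case the reply path needs the source translated back (10.10.10.7 -> 195.55.66.79), which is what the text means by both translations being restored; a rule set that only translates the destination leaves replies leaving with the private address.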
  • Page 314: Sat And Fwdfast Rules

    The phrase "each address" above means that two SAT rules can be in effect at the same time on the same connection, provided that one is translating the sender address whilst the other is translating the destination address.
  • Page 315 We will now try moving the NAT rule between the SAT and FwdFast rules: Action Src Iface Src Net Dest Iface Dest Net Parameters all-nets core wan_ip http SETDEST wwwsrv 80 wwwsrv all-nets 80 ->...
  • Page 317: User Authentication

    Chapter 8. User Authentication This chapter describes how NetDefendOS implements user authentication. • Overview, page 317 • Authentication Setup, page 319 • Customizing HTML Pages, page 333 8.1. Overview In situations where individual users connect to protected resources through the NetDefend Firewall, the administrator will often require that each user goes through a process of authentication before access is allowed.
  • Page 318 • Changed on a regular basis such as every three months.
  • Page 319: Authentication Setup

    8.2. Authentication Setup 8.2.1. Setup Summary The following list summarizes the steps for User Authentication setup with NetDefendOS: • Set up a database of users, each with a username/password combination. This can exist locally in a NetDefendOS User DB object, or remotely on a RADIUS server and will be designated as the Authentication Source.
  • Page 320: External Ldap Servers

    RADIUS with NetDefendOS NetDefendOS acts as a RADIUS client, sending user credentials and connection parameter information as a RADIUS message to a nominated RADIUS server. The server processes the requests and sends back a RADIUS message to accept or deny them. One or more external servers can be defined in NetDefendOS.
  • Page 321 option in the NetDefendOS LDAP server setup which has special consideration with Active Directory and that is the Name Attribute. This should be set to SAMAccountName. Defining an LDAP Server One or more named LDAP server objects can be defined in NetDefendOS. These objects tell NetDefendOS which LDAP servers are available and how to access them.
  • Page 322 • Name Attribute The Name Attribute is the ID of the data field on the LDAP server that contains the username. The NetDefendOS default value for this is uid which is correct for most UNIX based servers. If using Microsoft Active Directory this should be set to SAMAccountName (which is NOT case sensitive).
  • Page 323 • Base Object Defines where in the LDAP server tree the search for user accounts shall begin. The users defined on an LDAP server database are organized into a tree structure. The Base Object specifies where in this tree the relevant users are located.
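How the Name Attribute and Base Object settings turn into the search the firewall issues for a login name, as an added example that is not NetDefendOS code. The username is escaped the way RFC 4515 requires before it is placed in the filter, so a login such as alice)(uid=* cannot widen the search; the directory definitions and usernames are constructed.

```python
"""Building the LDAP user lookup from Name Attribute and Base Object.

Added example, not NetDefendOS code. It produces the search a firewall
would issue for a login name given the settings above: the Name
Attribute (uid on most UNIX directories, sAMAccountName on Active
Directory) and the Base Object where the search starts. The username is
escaped as RFC 4515 requires, so a login such as "alice)(uid=*" cannot
widen the filter. The directory settings and usernames are constructed.
"""
from dataclasses import dataclass

# RFC 4515 section 3: characters that must be escaped inside a filter value
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class LdapServer:
    name: str
    host: str
    base_object: str
    name_attribute: str = "uid"  # NetDefendOS default; sAMAccountName for AD


def user_search(server: LdapServer, username: str):
    """Return (base DN, scope, filter) for locating one user's entry."""
    flt = f"({server.name_attribute}={escape_filter_value(username)})"
    return server.base_object, "subtree", flt


# Constructed server definitions (attribute names are case-insensitive in LDAP)
UNIX_DIR = LdapServer("ldap_unix", "ldap.example.net",
                      "ou=people,dc=example,dc=net")
AD_DIR = LdapServer("ldap_ad", "dc01.corp.example.net",
                    "dc=corp,dc=example,dc=net", name_attribute="sAMAccountName")

if __name__ == "__main__":
    print(user_search(AD_DIR, "alice"))
    print(user_search(UNIX_DIR, "alice)(uid=*"))   # escaped, still one user
```

Choosing a narrow Base Object (an OU that holds only the accounts that should be able to authenticate) limits what the search can return even if the directory also contains service or disabled accounts elsewhere in the tree.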
  • Page 324 Bind Request Authentication LDAP server authentication is automatically configured to work using LDAP Bind Request Authentication. This means that authentication succeeds if the LDAP server accepts a bind (connection) made with the user's credentials. Individual clients are not distinguished from one another. LDAP server referrals should not occur with bind request authentication but if they do, the server sending the referral will be regarded as not having responded.
  • Page 325: Normal Ldap Authentication

    A specific LDAP server that is defined in NetDefendOS for authentication can be shown with the command: gw-world:/> show LDAPDatabase <object_name> The entire contents of the database can be displayed with the command: gw-world:/>...
  • Page 326: Authentication Rules

    This ID must be different from the default password attribute (which is usually userPassword for most LDAP servers). A suggestion is to use the description field in the LDAP database. • In order for the server to return the password in the database field with the ID specified, the LDAP administrator must make sure that the plain text password is found there. A plain text password held in an ordinary attribute such as description is readable by anyone permitted to read that entry, so the attribute's access control should be restricted to the account the firewall binds with.
  • Page 327 • Interface The source interface on which the connections to be authenticated will arrive. • Source IP The source network from which new connections will arrive. • Authentication Source - This specifies that authentication is to be done against one of the following: •...
  • Page 328: Authentication Processing

    An Authentication Rule can specify how multiple logins are handled where more than one user from different source IP addresses try to login with the same username. The possible options are: • Allow multiple logins so that more than one client can use the same username/password combination.
  • Page 329 Changing the Management WebUI Port HTTP authentication will collide with the WebUI's remote management service which also uses TCP port 80. To avoid this, the WebUI port number should be changed before configuring authentication.
  • Page 330 authentication page we must add a SAT rule and its associated Allow rule. The rule set will now look like this: Action Src Interface Src Network Dest Interface Dest Network Service Allow lannet core lan_ip http-all...
  • Page 331: Creating An Authentication User Group

    Example 8.1. Creating an Authentication User Group In the example of an authentication address object in the Address Book, a user group "users" is used to enable user authentication on "lannet". This example shows how to configure the user group in the NetDefendOS database.
  • Page 332: Configuring A Radius Server

    • Destination Network lan_ip Click OK B. Set up the Authentication Rule Go to User Authentication > User Authentication Rules > Add > User Authentication Rule Now enter: • Name: HTTPLogin • Agent: HTTP •...
  • Page 333: Customizing Html

    Shared Secret: Enter a text string here. RADIUS uses it to authenticate the messages exchanged with the server and to obscure the user password attribute; the rest of the message is not encrypted, so choose a long random string. Confirm Secret: Retype the string to confirm the one typed above Click OK 8.3. Customizing HTML Pages User Authentication makes use of a set of HTML files to present information to the user during the authentication process.
  • Page 334: Editing Content Filtering Http Banner Files

    • %IPADDR% - The IP address which is being browsed from. • %REASON% - The reason that access was denied. • %REDIRURL% - The web page URL for redirects. The %REDIRURL% Parameter In certain banner web pages, the parameter %REDIRURL% appears. This is a placeholder for the original URL which was requested before the user login screen appeared for an unauthenticated user.
  • Page 335 A new Auth Banner Files object must exist which the edited file(s) is uploaded to. If the object is called ua_html, the CLI command to create this object is: gw-world:/> add HTTPAuthBanners ua_html This creates an object which contains a copy of all the Default user auth banner files.
  • Page 337: Vpn

    Chapter 9. VPN This chapter describes the Virtual Private Network (VPN) functionality in NetDefendOS. • Overview, page 337 • VPN Quick Start, page 341 • IPsec Components, page 351 • IPsec Tunnels, page 365 • PPTP/L2TP, page 383 • CA Server Access, page 392 •...
  • Page 338: Vpn Encryption

    9.1.2. VPN Encryption Chapter 9. VPN Client to LAN connection - Where many remote clients need to connect to an internal network over the Internet. In this case, the internal network is protected by the NetDefend Firewall to which the client connects and the VPN tunnel is set up between them. 9.1.2.
  • Page 339: Key Distribution

    9.1.4. Key Distribution Chapter 9. VPN • Restricting access through the VPN to needed services only, since mobile computers are vulnerable. • Creating DMZs for services that need to be shared with other companies through VPNs. • Adapting VPN access policies for different groups of users. •...
  • Page 340 9.1.5. The TLS Alternative for VPN Chapter 9. VPN “The TLS ALG”.
  • Page 341: Vpn Quick Start

    9.2. VPN Quick Start Chapter 9. VPN 9.2. VPN Quick Start Overview Later sections in this chapter will explore VPN components in detail. To help put those later sections in context, this section is a quick start summary of the steps needed for VPN setup. It outlines the individual steps in setting up VPNs for the most common scenarios.
  • Page 342: Ipsec Lan To Lan With Pre-Shared Keys

    9.2.1. IPsec LAN to LAN with Chapter 9. VPN Pre-shared Keys 9.2.1. IPsec LAN to LAN with Pre-shared Keys Create a Pre-shared Key object. Optionally create a new IKE Algorithms object and/or an IPsec Algorithms object if the default algorithm proposal lists do not provide a set of algorithms that are acceptable to the tunnel remote end point.
  • Page 343: Ipsec Lan To Lan With Certificates

    9.2.2. IPsec LAN to LAN with Chapter 9. VPN Certificates Action Src Interface Src Network Dest Interface Dest Network Service Allow ipsec_tunnel remote_net lannet The Service used in these rules is All but it could be a predefined service. Define a new NetDefendOS Route which specifies that the VPN Tunnel ipsec_tunnel is the Interface to use for routing packets bound for the remote network at the other end of the tunnel.
  • Page 344: Ipsec Roaming Clients With Pre-Shared Keys

    9.2.3. IPsec Roaming Clients with Chapter 9. VPN Pre-shared Keys considered adequate. Two self-signed certificates are required and the same two are used at either end of the tunnel but their usage is reversed. In other words: one certificate is used as the root certificate at one end, call it Side A, and as the host certificate at the other end, call it Side B.
  • Page 345 9.2.3. IPsec Roaming Clients with Chapter 9. VPN Pre-shared Keys The Group string for a user can be specified if its group's access is to be restricted to certain source networks. Group can be specified (with the same text string) in the Authentication section of an IP object.
  • Page 346: Ipsec Roaming Clients With Certificates

    9.2.4. IPsec Roaming Clients with Chapter 9. VPN Certificates • Create a Config Mode Pool object (there can only be one associated with a NetDefendOS installation) and in it specify the address range. • Enable the IKE Config Mode option in the IPsec Tunnel object ipsec_tunnel. If client IP addresses are to be retrieved through DHCP: •...
  • Page 347: L2Tp Roaming Clients With Pre-Shared Keys

    9.2.5. L2TP Roaming Clients with Chapter 9. VPN Pre-Shared Keys Note: The system time and date should be correct The NetDefendOS date and time should be set correctly since certificates have an expiry date and time. Also review Section 9.6, “CA Server Access”, which describes important considerations for certificate validation.
  • Page 348: L2Tp Roaming Clients With Certificates

    9.2.6. L2TP Roaming Clients with Chapter 9. VPN Certificates • Set Outer Interface Filter to ipsec_tunnel. • Set Outer Server IP to ip_ext. • Select the Microsoft Point-to-Point Encryption allowed. Since IPsec encryption is used this can be set to be None only, otherwise double encryption will degrade throughput. •...
  • Page 349: Pptp Roaming Clients

    9.2.7. PPTP Roaming Clients Chapter 9. VPN Load a Gateway Certificate and Root Certificate into NetDefendOS. When setting up the IPsec Tunnel object, specify the certificates to use under Authentication. This is done by: Enable the X.509 Certificate option. Select the Gateway Certificate. Add the Root Certificate to use.
  • Page 350 9.2.7. PPTP Roaming Clients Chapter 9. VPN Define a User Authentication Rule, this is almost identical to L2TP: Agent Auth Source Src Network Interface Client Source IP Local all-nets pptp_tunnel all-nets (0.0.0.0/0) Now set up the IP rules in the IP rule set: Action Src Interface Src Network...
  • Page 351: IPsec Components

    9.3. IPsec Components. 9.3.1. Overview. Internet Protocol Security (IPsec) is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP security at the network layer. An IPsec based VPN is made up of two parts: •...
  • Page 352 9.3.2. Internet Key Exchange (IKE). describing the incoming traffic, and the other the outgoing. In cases where ESP and AH are used in conjunction, four SAs will be created. IKE Negotiation. The process of negotiating session parameters consists of a number of phases and modes. These are described in detail in the sections below.
  • Page 353 9.3.2. Internet Key Exchange (IKE). However, since we do not want to publish too much of the negotiation in plaintext, we first agree upon a way of protecting the rest of the IKE negotiation. This is done, as described in the previous section, by the initiator sending a proposal-list to the responder.
  • Page 354 9.3.2. Internet Key Exchange (IKE). This way, an eavesdropper will only see encrypted traffic going from one VPN endpoint to another. In transport mode, the traffic will not be tunneled, and is hence not applicable to VPN tunnels. It can be used to secure a connection from a VPN client directly to the NetDefend Firewall, example...
  • Page 355 9.3.2. Internet Key Exchange (IKE). IKE Encryption. This specifies the encryption algorithm used in the IKE negotiation and, depending on the algorithm, the size of the encryption key used. The algorithms supported by NetDefendOS IPsec are: • •...
  • Page 356 9.3.2. Internet Key Exchange (IKE). PFS DH Group. This specifies the Diffie-Hellman group to use with PFS. The available DH groups are discussed below. IPsec DH Group. This specifies the Diffie-Hellman group to use for IPsec communication. The available DH groups are discussed below in the section titled Diffie-Hellman Groups.
  • Page 357: IKE Authentication

    9.3.3. IKE Authentication. by NetDefendOS are as follows: • DH group 1 (768-bit) • DH group 2 (1024-bit) • DH group 5 (1536-bit). All these DH groups are available for use with IKE, IPsec and PFS. 9.3.3. IKE Authentication. Manual Keying. The "simplest"...
  • Page 358: IPsec Protocols (ESP/AH)

    9.3.4. IPsec Protocols (ESP/AH). One thing that has to be considered when using Pre-Shared Keys is key distribution. How are the Pre-Shared Keys distributed to remote VPN clients and firewalls? This is a major issue, since the security of a PSK system is based on the PSKs being secret.
  • Page 359: NAT Traversal

    9.3.5. NAT Traversal. AH uses a cryptographic hash function to produce a MAC from the data in the IP packet. This MAC is then transmitted with the packet, allowing the remote endpoint to verify the integrity of the original IP packet, making sure the data has not been tampered with on its way through the Internet.
  • Page 360: Algorithm Proposal Lists

    9.3.6. Algorithm Proposal Lists. Achieving NAT Detection. To achieve NAT detection, both IPsec peers send hashes of their own IP addresses along with the source UDP port used in the IKE negotiations. This information is used to see whether the IP address and source port each peer uses are the same as what the other peer sees.
  • Page 361: Using an Algorithm Proposal List

    9.3.7. Pre-shared Keys. There are two types of proposal lists, IKE proposal lists and IPsec proposal lists. IKE lists are used during IKE Phase-1 (IKE Security Negotiation), while IPsec lists are used during IKE Phase-2 (IPsec Security Negotiation). Several algorithm proposal lists are already defined by default in NetDefendOS for different VPN scenarios, and user defined lists can be added.
  • Page 362: Pre-Shared Keys

    9.3.8. Identification Lists. 9.3.7. Pre-shared Keys. Pre-Shared Keys are used to authenticate VPN tunnels. The keys are secrets that are shared by the communicating parties before communication takes place. To communicate, both parties prove that they know the secret. The security of a shared secret depends on how "good" a passphrase is. Passphrases that are common words are extremely vulnerable to dictionary attacks.
  • Page 363: Identification Lists

    First create an Identification List:
    gw-world:/> add IDList MyIDList
    Then, create an ID:
    gw-world:/> cc IDList MyIDList
    gw-world:/MyIDList> add ID JohnDoe Type=DistinguishedName CommonName="John Doe" OrganizationName=D-Link OrganizationalUnit=Support Country=Sweden EmailAddress=john.doe@D-Link.com
    gw-world:/MyIDList> cc
    Finally, apply the Identification List to the IPsec tunnel:
    gw-world:/> set Interface IPsecTunnel MyIPsecTunnel...
  • Page 364 Select MyIDList. Enter a name for the ID, for example JohnDoe. Select Distinguished name in the Type control. Now enter: • Common Name: John Doe • Organization Name: D-Link • Organizational Unit: Support • Country: Sweden • Email Address: john.doe@D-Link.com...
  • Page 365: IPsec Tunnels

    9.4. IPsec Tunnels. 9.4.1. Overview. An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration capabilities as regular interfaces.
  • Page 366: LAN to LAN Tunnels with Pre-Shared Keys

    9.4.2. LAN to LAN Tunnels with Pre-shared Keys. IPsec Tunnel Quick Start. This section covers IPsec tunnels in some detail. A quick start checklist of setup steps for these protocols in typical scenarios can be found in the following sections: •...
  • Page 367: Setting Up a PSK Based VPN Tunnel for Roaming Clients

    9.4.3. Roaming Clients. the algorithm proposal lists that are pre-configured in NetDefendOS. PSK based client tunnels. The following example shows how a PSK based tunnel can be set up. Example 9.4. Setting up a PSK based VPN tunnel for roaming clients. This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming clients that connect to the office to gain remote access.
  • Page 368: Setting Up a Self-Signed Certificate Based VPN Tunnel for Roaming Clients

    9.4.3. Roaming Clients. Example 9.5. Setting up a Self-signed Certificate based VPN tunnel for roaming clients. This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip.
  • Page 369: Setting Up CA Server Certificate Based VPN Tunnels for Roaming Clients

    9.4.3. Roaming Clients. Under the Routing tab: • Enable the option: Dynamically add route to the remote network when a tunnel is established. Click OK. E. Finally, configure the IP rule set to allow traffic inside the tunnel. Tunnels Based on CA Server Certificates. Setting up client tunnels using a CA issued certificate is largely the same as using Self-signed certificates, with the exception of a couple of steps.
  • Page 370 9.4.3. Roaming Clients. • Remote Endpoint: (None) • Encapsulation Mode: Tunnel. For Algorithms enter: • IKE Algorithms: Medium or High • IPsec Algorithms: Medium or High. For Authentication enter: • Choose X.509 Certificates as the authentication method •...
  • Page 371: Fetching CRLs from an Alternate LDAP Server

    9.4.4. Fetching CRLs from an alternate LDAP server. Example 9.7. Setting Up Config Mode. In this example, the Config Mode Pool object is enabled by associating it with an already configured IP Pool object called ip_pool1. Web Interface. Go to Objects >...
  • Page 372: Troubleshooting with ikesnoop

    9.4.5. Troubleshooting with ikesnoop. This example shows how to manually set up and specify an LDAP server. Command-Line Interface: gw-world:/> add LDAPServer Host=192.168.101.146 Username=myusername Password=mypassword Port=389; Web Interface: Go to Objects > VPN Objects > LDAP > Add > LDAP Server. Now enter: •...
  • Page 373 9.4.5. Troubleshooting with ikesnoop. Complete ikesnoop command options can be found in the CLI Reference Guide. The Client and the Server. The two parties involved in the tunnel negotiation are referred to in this section as the client and server.
  • Page 374 9.4.5. Troubleshooting with ikesnoop. Life type : Kilobytes Life duration : 50000 Transform 4/4 Transform ID : IKE Encryption algorithm : 3DES-cbc Hash algorithm : SHA Authentication method : Pre-Shared Key Group description : MODP 1024 Life type : Seconds Life duration : 43200...
  • Page 375 9.4.5. Troubleshooting with ikesnoop. IkeSnoop: Sending IKE packet to 192.168.0.10:500 Exchange type : Identity Protection (main mode) ISAKMP Version : 1.0 Flags Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a Message ID : 0x00000000 Packet length : 224 bytes # payloads Payloads: SA (Security Association) Payload data length : 52 bytes...
  • Page 376 9.4.5. Troubleshooting with ikesnoop. Packet length : 220 bytes # payloads Payloads: KE (Key Exchange) Payload data length : 128 bytes NONCE (Nonce) Payload data length : 16 bytes NAT-D (NAT Detection) Payload data length : 16 bytes NAT-D (NAT Detection) Payload data length : 16 bytes Step 4.
  • Page 377 9.4.5. Troubleshooting with ikesnoop. Explanation of Above Values. Flags: E means encryption (it is the only flag used). ID: Identification of the client. The Notification field is given as Initial Contact to indicate this is not a re-key. Step 6.
  • Page 378 9.4.5. Troubleshooting with ikesnoop. Transform ID : Rijndael (aes) Key length : 128 Authentication algorithm : HMAC-SHA-1 SA life type : Seconds SA life duration : 21600 SA life type : Kilobytes SA life duration : 50000 Encapsulation mode : Tunnel Transform 3/4...
  • Page 379: IPsec Advanced Settings

    9.4.6. IPsec Advanced Settings. Packet length : 156 bytes # payloads Payloads: HASH (Hash) Payload data length : 16 bytes SA (Security Association) Payload data length : 56 bytes DOI : 1 (IPsec DOI) Proposal 1/1 Protocol 1/1 Protocol ID : ESP SPI Size...
  • Page 380 9.4.6. IPsec Advanced Settings. Tunnels if the latter is changed. This linkage is broken once IPsec Max Rules is altered manually, so that subsequent changes to IPsec Max Tunnels will not cause an automatic change in IPsec Max Rules.
  • Page 381 9.4.6. IPsec Advanced Settings. When the signature of a user certificate is verified, NetDefendOS looks at the issuer name field in the user certificate to find the CA certificate the certificate was signed by. The CA certificate may in turn be signed by another CA, which may be signed by another CA, and so on.
  • Page 382 9.4.6. IPsec Advanced Settings. This setting is used with IKEv1 only. Default: 2 (in other words, 2 x 10 = 20 seconds). DPD Expire Time. The length of time in seconds for which DPD messages will be sent to the peer. If the peer has not responded to messages during this time it is considered to be dead.
  • Page 383: PPTP/L2TP

    9.5. PPTP/L2TP. Access by a client using a modem link over dial-up public switched networks, possibly with an unpredictable IP address, to protected networks via a VPN poses particular problems. The PPTP and L2TP protocols provide two different means of achieving VPN access from remote clients.
  • Page 384: L2TP Servers

    9.5.2. L2TP Servers. TCP port 1723 and/or IP protocol 47 before the PPTP connection can be made to the NetDefend Firewall. Examining the log can indicate if this problem occurred, with a log message of the following form appearing: Error PPP lcp_negotiation_stalled ppp_terminated. Example 9.10.
  • Page 385: Setting Up an L2TP Server

    9.5.2. L2TP Servers. Example 9.11. Setting up an L2TP server. This example shows how to set up an L2TP Network Server. The example assumes that you have created some address objects in the Address Book. You will have to specify the IP address of the L2TP server interface, an outer IP address (that the L2TP server should listen on) and an IP pool from which the L2TP server will hand out IP addresses to the clients.
  • Page 386 9.5.2. L2TP Servers. Enter a suitable name for the user database, for example UserDB. Go to User Authentication > Local User Databases > UserDB > Add > User. Now enter: • Username: testuser • Password: mypassword • Confirm Password: mypassword. Click OK. Now we will set up the IPsec Tunnel, which will later be used in the L2TP section.
  • Page 387 9.5.2. L2TP Servers. gw-world:/> add Interface L2TPServer l2tp_tunnel IP=lan_ip Interface=l2tp_ipsec ServerIP=wan_ip IPPool=l2tp_pool TunnelProtocol=L2TP AllowedRoutes=all-nets ProxyARPInterfaces=lan; Web Interface: Go to Interfaces > L2TP Servers > Add > L2TPServer. Enter a name for the L2TP tunnel, for example l2tp_tunnel. Now enter: •...
  • Page 388: L2TP/PPTP Server Advanced Settings

    9.5.3. L2TP/PPTP Server advanced settings. First, change the current category to be the main IP rule set: gw-world:/> cc IPRuleSet main Now, add the IP rules: gw-world:/main> add IPRule action=Allow Service=all_services SourceInterface=l2tp_tunnel SourceNetwork=l2tp_pool DestinationInterface=any DestinationNetwork=all-nets name=AllowL2TP gw-world:/main> add IPRule action=NAT Service=all_services SourceInterface=l2tp_tunnel SourceNetwork=l2tp_pool DestinationInterface=any...
  • Page 389: PPTP/L2TP Clients

    9.5.4. PPTP/L2TP Clients. Pass L2TP traffic sent to the NetDefend Firewall directly to the L2TP Server without consulting the rule set. Default: Enabled. PPTP Before Rules. Pass PPTP traffic sent to the NetDefend Firewall directly to the PPTP Server without consulting the rule set.
  • Page 390: PPTP Client Usage

    9.5.4. PPTP/L2TP Clients. specified gateway. Authentication: • Username - Specifies the username to use for this PPTP/L2TP interface. • Password - Specifies the password for the interface. • Authentication - Specifies which authentication protocol to use. • MPPE - Specifies if Microsoft Point-to-Point Encryption is used and which level to use.
  • Page 392: CA Server Access

    9.6. CA Server Access. Overview. Where certificates are used, the two sides of a VPN tunnel exchange their certificates during the tunnel setup negotiation and either may then try to validate the received certificate by accessing a CA server.
  • Page 393: Certificate Validation Components

    9.6. CA Server Access. The CA server is a commercial server on the public Internet. In this, the simplest case, public DNS servers will resolve the FQDN. The only requirement is that NetDefendOS will need to have at least one public DNS server address configured to resolve the FQDNs in the certificates it receives.
  • Page 394 9.6. CA Server Access. As explained previously, the address of the private CA server must be resolvable through public DNS servers for certificate validation requests coming from the public Internet. If the certificate queries are coming only from the NetDefend Firewall and the CA server is on the internal side of the firewall, then the IP address of the internal DNS server must be configured in NetDefendOS so that these requests can be resolved.
  • Page 395: VPN Troubleshooting

    9.7. VPN Troubleshooting. This section deals with how to troubleshoot the common problems that are found with VPNs. 9.7.1. General Troubleshooting. In all types of VPNs some basic troubleshooting checks can be made: • Check that all IP addresses have been specified correctly.
  • Page 396: IPsec Troubleshooting Commands

    9.7.3. IPsec Troubleshooting Commands. If certificates have been used in a VPN solution then the following should be looked at as a source of potential problems: • Check that the correct certificates have been used for the right purposes. •...
  • Page 397: Management Interface Failure with VPN

    9.7.4. Management Interface Failure with VPN. Once issued, an ICMP ping can then be sent to the NetDefend Firewall from the remote end of the tunnel. This will cause ikesnoop to output details of the tunnel setup negotiation to the console, and any algorithm proposal list incompatibilities can be seen.
  • Page 398 9.7.5. Specific Error Messages. to set the lifetime in KB for the IKE Phase, only seconds. • If the negotiation fails during phase-2 – IPsec: The IPsec proposal list does not match. Double check that the IPsec proposal list matches that of the remote side.
  • Page 399: Specific Symptoms

    9.7.6. Specific Symptoms. An investigation as to why the tunnel only went down from one side is recommended. It could be that DPD and/or Keep-Alive is only used on one side. Another possible cause could be that even though it has received a DELETE packet, it has not deleted/removed the tunnel.
  • Page 400 9.7.6. Specific Symptoms. problem even though XAuth is not used. 1. The tunnel can only be initiated from one side. This is a common problem and is due to a mismatch of the size of the local or remote network and/or the lifetime settings on the proposal list(s).
  • Page 402: Traffic Management

    Chapter 10. Traffic Management. This chapter describes how NetDefendOS can manage network traffic. • Traffic Shaping, page 402 • IDP Traffic Shaping, page 419 • Threshold Rules, page 424 • Server Load Balancing, page 426. 10.1. Traffic Shaping. 10.1.1. Overview. QoS with TCP/IP. A weakness of TCP/IP is the lack of true Quality of Service (QoS) functionality.
  • Page 403: Traffic Shaping in NetDefendOS

    10.1.2. Traffic Shaping in NetDefendOS. Traffic Shaping Objectives. Traffic shaping operates by measuring and queuing IP packets with respect to a number of configurable parameters. The objectives are: • Applying bandwidth limits and queuing packets that exceed configured limits, then sending them later when bandwidth demands are lower.
  • Page 404: Packet Flow of Pipe Rule Set to Pipe

    10.1.2. Traffic Shaping in NetDefendOS. needed in an ISP scenario where individual pipes are allocated to each client. Pipe Rules. Pipe Rules make up the Pipe Rule set. Each Rule is defined much like other NetDefendOS policies: by specifying the source/destination interface/network as well as the service to which the rule is to apply.
  • Page 405: Simple Bandwidth Limiting

    10.1.3. Simple Bandwidth Limiting. It is important to understand that traffic shaping will not work with connections that are established because of a FwdFast rule in the NetDefendOS IP rule set. The reason for this is that traffic shaping is implemented based on the NetDefendOS state engine, and a FwdFast IP rule does not set up a connection in the state engine.
  • Page 406: Limiting Bandwidth in Both Directions

    10.1.4. Limiting Bandwidth in Both Directions. pass through the std-in pipe. Command-Line Interface: gw-world:/> add PipeRule ReturnChain=std-in SourceInterface=lan SourceNetwork=lannet DestinationInterface=wan DestinationNetwork=all-nets Service=all_services name=Outbound; Web Interface: Go to Traffic Management > Traffic Shaping > Add > Pipe Rule. Specify a suitable name for the pipe, for instance outbound. Now enter: •...
  • Page 407: Creating Differentiated Limits with Chains

    10.1.5. Creating Differentiated Limits with Chains. Example 10.2. Limiting Bandwidth in Both Directions. Create a second pipe for outbound traffic: Command-Line Interface: gw-world:/> add Pipe std-out LimitKbpsTotal=2000; Web Interface: Go to Traffic Management > Traffic Shaping > Pipes > Add > Pipe. Specify a name for the pipe, for example std-out. Enter 2000 in the Total textbox. Click OK...
  • Page 408: Precedences

    10.1.6. Precedences. This is not a bandwidth guarantee for web browsing, but it is a 125 kbps bandwidth guarantee for everything except web browsing. For web browsing the normal rules of first-come, first-forwarded will apply when competing for bandwidth. This may mean 125 kbps, but it may also mean a much slower speed if the connection is flooded.
  • Page 409: Minimum and Maximum Pipe Precedence

    10.1.6. Precedences. The minimum and maximum precedences define the precedence range that the pipe will handle. If a packet arrives with an already allocated precedence below the minimum, then its precedence is changed to the minimum. Similarly, if a packet arrives with an already allocated precedence above the maximum, its precedence is changed to the maximum.
  • Page 410: Guarantees

    10.1.7. Guarantees. pipe's configuration is exceeded. Lower priority packets will be buffered and sent when higher priority traffic uses less than the maximum specified for the pipe. The buffering process is sometimes referred to as "throttling back" since it reduces the flow rate. The Need for Guarantees. A problem can occur, however, if the prioritized traffic is a continuous stream such as real-time audio, resulting in continuous use of all available bandwidth and resulting in unacceptably long...
  • Page 411: Groups

    10.1.9. Groups. Keep the forward chain of both rules as std-out only. Again, to simplify this example, we concentrate only on inbound traffic, which is the direction that is the most likely to be the first one to fill up in client-oriented setups.
  • Page 412: Traffic Shaping Recommendations

    10.1.10. Traffic Shaping Recommendations. computer A is not the same as port 1024 of computer B, and individual connections are identifiable. If grouping by network is chosen, the network size should also be specified (this has the same meaning as the netmask).
  • Page 413 10.1.10. Traffic Shaping Recommendations. knows what its capacity is, and the precedence mechanism is totally dependent on this. Pipe limits for VPN. Traffic shaping measures the traffic inside VPN tunnels. This is the raw unencrypted data without any protocol overhead, so it will be less than the actual VPN traffic.
  • Page 414: A Summary of Traffic Shaping

    10.1.11. A Summary of Traffic Shaping. consumed by parties outside of administrator control but sharing the same connection. Troubleshooting. For a better understanding of what is happening in a live setup, the console command gw-world:/> pipe -u <pipename> can be used to display a list of currently active users in each pipe.
  • Page 415 10.1.12. More Pipe Examples. The reason for using 2 different pipes in this case is that these are easier to match to the physical link capacity. This is especially true with asymmetric links such as ADSL. First, two pipes called in-pipe and out-pipe need to be created with the following parameters: Pipe Name Min Prec...
  • Page 416 10.1.12. More Pipe Examples. • Priority 0 - Web plus remaining from other levels. To implement this scheme, we can use the in-pipe and out-pipe. We first enter the Pipe Limits for each pipe. These limits correspond to the list above and are: •...
  • Page 417 10.1.12. More Pipe Examples. Pipe chaining can be used as a solution to the problem of VPN overhead. A limit which allows for this overhead is placed on the VPN tunnel traffic, and non-VPN traffic is inserted into a pipe that matches the speed of the physical link.
  • Page 418 10.1.12. More Pipe Examples. If SAT is being used, for example with a web server or ftp server, that traffic also needs to be forced into pipes or it will escape traffic shaping and ruin the planned quality of service. In addition, server traffic is initiated from the outside, so the order of pipes needs to be reversed: the forward pipe is the in-pipe and the return pipe is the out-pipe.
  • Page 419: IDP Traffic Shaping

    10.2. IDP Traffic Shaping. 10.2.1. Overview. The IDP Traffic Shaping feature is traffic shaping that is performed based on information coming from the NetDefendOS Intrusion Detection and Prevention (IDP) subsystem (for more information on IDP see Section 6.5, “Intrusion Detection and Prevention”).
  • Page 420: Processing Flow

    10.2.3. Processing Flow. afterwards when other connections will be opened and subject to traffic shaping. Connections opened after the Time Window has expired will no longer be subject to traffic shaping. A Time Window value of 0 means that only traffic flowing over the initial triggering connection will be subject to traffic shaping.
  • Page 421: A P2P Scenario

    10.2.5. A P2P Scenario. Network range but not host X. This tells NetDefendOS that host X is not relevant in making a decision about including new non-IDP-triggering connections in traffic shaping. It may seem counter-intuitive that client B is also included in the Network range, but this is done on the assumption that client B is a user whose traffic might also have to be traffic shaped if they become involved in a P2P transfer.
  • Page 422: Guaranteeing Instead of Limiting Bandwidth

    10.2.7. Guaranteeing Instead of Limiting Bandwidth. IDP traffic shaping has a special CLI command associated with it called idppipes, and this can examine and manipulate the hosts which are currently subject to traffic shaping. To display all hosts being traffic shaped by IDP Traffic Shaping, the command would be: gw-world:/>...
  • Page 423: Logging

    10.2.8. Logging. If the administrator wants to guarantee a bandwidth level, say 10 Megabits, for an application, then an IDP rule can be set up to trigger for that application with the Pipe action specifying the bandwidth required.
  • Page 424: Threshold Rules

    "connection" in this context refers to all types of connections, such as TCP, UDP or ICMP, tracked by the NetDefendOS state-engine). Note: Threshold Rules are not available on all NetDefend models. The Threshold Rules feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. Threshold Policies...
  • Page 425: Rule Actions

    Rules if they are enabled. 10.3.7. Threshold Rules and ZoneDefense. Threshold Rules are used in the D-Link ZoneDefense feature to block the source of excessive connection attempts from internal hosts. For more information on this refer to Chapter 12, ZoneDefense.
  • Page 426: Server Load Balancing

    NetDefend Firewall. Note: SLB is not available on all D-Link NetDefend models. The SLB feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. Figure 10.8. A Server Load Balancing Configuration...
  • Page 427: Identifying The Servers

    10.4.2. Identifying the Servers. The Additional Benefits of SLB. Besides improving performance and scalability, SLB provides a number of other benefits: • SLB increases the reliability of network applications by actively monitoring the servers sharing the load.
  • Page 428: The Distribution Algorithm

    10.4.4. The Distribution Algorithm. to the same host. Network Stickiness. This mode is similar to IP stickiness except that by using a subnet mask, a range of hosts in a subnet can be specified. 10.4.4. The Distribution Algorithm. There are several ways to determine how a load is shared across a server farm.
  • Page 429: Stickiness and Round-Robin

    10.4.5. Server Health Monitoring. When the Round Robin algorithm is used, the first arriving requests R1 and R2 from Client 1 are both assigned to one server, say Server 1, according to stickiness. The next request R3 from Client 2 is then routed to Server 2.
  • Page 430: Server Health Monitoring

    Regardless of the algorithms used, if a server is deemed to have failed, SLB will not open any more connections to it until the server is restored to full functionality. D-Link Server Load Balancing provides the following monitoring modes: ICMP Ping. This works at OSI layer 3.
  • Page 431: Setting Up SLB

    10.4.6. SLB_SAT Rules. Rule Name Rule Type Src Interface Src Network Dest Interface Dest Network WEB_SLB_ALW Allow all-nets core ip_ext. Note that the destination interface is specified as core, meaning NetDefendOS itself deals with this. The key advantage of having a separate Allow rule is that the webservers can log the exact IP address that is generating external requests.
  • Page 432 10.4.6. SLB_SAT Rules. Go to Rules > IP Rule Sets > main > Add > IP Rule. Enter: • Name: Web_SLB_NAT • Action: NAT • Service: HTTP • Source Interface: lan • Source Network: lannet • Destination Interface: core •...
  • Page 434: High Availability

    This is sometimes known as an active-passive implementation of fault tolerance. Note: High Availability is not available on all NetDefend models. The HA feature is only available on the D-Link NetDefend DFL-1600, 1660, 2500, 2560 and 2560G. The Master and Active Units. When reading this section on HA, it should be kept in mind that the master unit in a cluster is not always the same as the active unit in a cluster.
  • Page 435 Load-sharing. D-Link HA clusters do not provide load-sharing, since only one unit will be active while the other is inactive, and only two NetDefend Firewalls, the master and the slave, can exist in a single cluster.
  • Page 436: HA Mechanisms

    Basic Principles. D-Link HA provides a redundant, state-synchronized hardware configuration. The state of the active unit, such as the connection table and other vital information, is continuously copied to the inactive unit via the sync interface. When cluster failover occurs, the inactive unit knows which connections are active, and traffic can continue to flow after the failover with negligible disruption.
  • Page 437 A database update causes the following sequence of events to occur in an HA cluster: The active (master) unit downloads the new database files from the D-Link servers. The download is done via the shared IP address of the cluster.
  • Page 438 Chapter 11. High Availability, 11.2. HA Mechanisms. will lose their synchronization with each other. In other words, the inactive unit will no longer have a correct copy of the state of the active unit. A failover will not occur in this situation since the inactive unit will realize that synchronization has been lost.
  • Page 439: HA Setup

    11.3. HA Setup. This section provides a step-by-step guide for setting up an HA Cluster. 11.3.1. HA Hardware Setup. The steps for the setup of hardware in an HA cluster are as follows: Start with two physically similar NetDefend Firewalls.
  • Page 440: NetDefendOS Manual HA Setup

    11.3.2. NetDefendOS Manual HA Setup. Typical HA Cluster Network Connections. The illustration below shows the arrangement of typical HA Cluster connections in a network. All interfaces on the master unit would normally also have corresponding interfaces on the slave unit, and these would be connected to the same networks.
  • Page 441: Verifying the Cluster Functions

    11.3.3. Verifying the Cluster Functions. Go to System > High Availability. Check the Enable High Availability checkbox. Set the Cluster ID. This must be unique for each cluster. Choose the Sync Interface. Select the node type to be Master. Go to Objects >...
  • Page 442: Unique Shared MAC Addresses

    11.3.4. Unique Shared MAC Addresses. number on the right is the maximum number of connections allowed by the license. The following points are also relevant to cluster setup: • If this is not the first cluster in a network, then the Cluster ID must be changed for the cluster so that it is unique (the default value is 0).
  • Page 443: Ha Issues

    11.4. HA Issues Chapter 11. High Availability 11.4. HA Issues The following points should be kept in mind when managing and configuring an HA Cluster. All Cluster Interfaces Need IP Addresses All interfaces on both HA cluster units should have a valid private IP4 address object assigned to them.
  • Page 444: Ha Advanced Settings

    11.5. HA Advanced Settings Chapter 11. High Availability 11.5. HA Advanced Settings The following NetDefendOS advanced settings are available for High Availability: Sync Buffer Size How much sync data, in Kbytes, to buffer while waiting for acknowledgments from the cluster peer. Default: 1024 Sync Packet Max Burst The maximum number of state sync packets to send in a burst.
  • Page 445 11.5. HA Advanced Settings Chapter 11. High Availability...
  • Page 446: Zonedefense

    Blocked hosts and networks remain blocked until the system administrator manually unblocks them using the Web or Command Line interface. Note: ZoneDefense is not available on all NetDefend models The ZoneDefense feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G.
  • Page 447: Zonedefense Switches

    12.2. ZoneDefense Switches Chapter 12. ZoneDefense 12.2. ZoneDefense Switches Switch information regarding every switch that is to be controlled by the firewall has to be manually specified in the firewall configuration. The information needed in order to control a switch includes: •...
  • Page 448: Zonedefense Operation

    Managed devices The managed devices must be SNMP compliant, as are D-Link switches. They store state data in databases known as the Management Information Base (MIB) and provide the information to the manager upon receiving an SNMP query.
  • Page 449: A Simple Zonedefense Scenario

    (in network range 192.168.2.0/24 for example) from accessing the switch completely. A D-Link switch model DES-3226S is used in this case, with a management interface address 192.168.1.250 connecting to the firewall's interface address 192.168.1.1. This firewall interface is added into the exclude list to prevent the firewall from being accidentally locked out from accessing the switch.
  • Page 450: Zonedefense With Anti-Virus Scanning

    12.3.4. ZoneDefense with Anti-Virus Chapter 12. ZoneDefense Scanning For Addresses choose the object name of the firewall's interface address 192.168.1.1 from the Available list and put it into the Selected list. Click OK Configure an HTTP threshold of 10 connections/second: Go to Traffic Management >...
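    The scenario above (a per-source HTTP threshold of 10 connections/second, an exclude list holding the firewall's own interface address 192.168.1.1, and blocks that stay in place until an administrator removes them) worked through in code, as an added example that is not NetDefendOS or D-Link switch code. The switch is modelled as a bounded ACL table that charges one rule per port for each blocked host, as the Limitations section describes, rather than being driven over SNMP; the switch name, port count and rule capacity, and the connection timestamps, are constructed for the example.

```python
"""Threshold-triggered blocking in the spirit of the ZoneDefense scenario.
Added example, not NetDefendOS code."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network


@dataclass
class SwitchModel:
    """Stand-in for the managed switch: one rule per port per blocked host,
    capped at max_rules (the 50-to-800 range quoted in the Limitations section)."""
    name: str
    ports: int
    max_rules: int
    acl: Set[Tuple[int, Net]] = field(default_factory=set)

    def block(self, net: Net) -> bool:
        rules = {(port, net) for port in range(1, self.ports + 1)}
        if len(self.acl | rules) > self.max_rules:
            return False                      # rule table full: block not applied
        self.acl |= rules
        return True

    def unblock(self, net: Net) -> None:
        self.acl = {entry for entry in self.acl if entry[1] != net}


class ZoneDefense:
    def __init__(self, switch: SwitchModel, threshold: int, exclude: List[str],
                 window: float = 1.0):
        self.switch = switch
        self.threshold = threshold            # connections per window (10/s here)
        self.window = window
        self.exclude = [Net(e) for e in exclude]
        self.recent: Dict[ipaddress.IPv4Address, deque] = defaultdict(deque)
        self.blocked: Dict[Net, str] = {}     # stays until admin_unblock()
        self.log: List[str] = []

    def new_connection(self, ts: float, src_ip: str) -> str:
        """Account one new connection from src_ip at time ts and return what
        happened: allow, excluded, blocked, block or switch-full."""
        src = ipaddress.IPv4Address(src_ip)
        if any(src in net for net in self.exclude):
            return "excluded"                 # never lock out the firewall itself
        host = Net(f"{src}/32")
        if host in self.blocked:
            return "blocked"
        times = self.recent[src]
        times.append(ts)
        while times and ts - times[0] >= self.window:   # sliding one-second window
            times.popleft()
        if len(times) <= self.threshold:
            return "allow"
        reason = f"{len(times)} connections in {self.window}s exceeds {self.threshold}"
        if not self.switch.block(host):
            self.log.append(f"{ts}: could not block {host} on {self.switch.name}: rule table full")
            return "switch-full"
        self.blocked[host] = reason
        self.log.append(f"{ts}: blocked {host} on {self.switch.name}: {reason}")
        return "block"

    def admin_unblock(self, host_ip: str) -> bool:
        """Manual unblock by the administrator; nothing else removes a block."""
        host = Net(f"{host_ip}/32")
        if host not in self.blocked:
            return False
        self.switch.unblock(host)
        del self.blocked[host]
        self.recent.pop(ipaddress.IPv4Address(host_ip), None)
        return True
```

    The rule-table cap is worth checking before relying on ZoneDefense: with 24 ports and a 50-rule switch, the second blocked host already consumes 48 rules and a third cannot be blocked at all, which the model reports as switch-full rather than silently leaving the host unblocked.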
  • Page 451 12.3.5. Limitations Chapter 12. ZoneDefense of latency time to implement blocking once the rule is triggered. Some models can activate blocking in less than a second while some models may require a minute or more. A second difference is the maximum number of rules supported by different switches. Some switches support a maximum of 50 rules while others support up to 800 (usually, in order to block a host or network, one rule per switch port is needed).
  • Page 452 12.3.5. Limitations Chapter 12. ZoneDefense...
  • Page 453: Advanced Settings

    Chapter 13. Advanced Settings This chapter describes the configurable advanced settings for NetDefendOS. The settings are divided up into the following categories: Note: Activating changes After any advanced setting is changed, the new NetDefendOS configuration must be deployed in order for the new value to take effect. •...
  • Page 454 13.1. IP Level Settings Chapter 13. Advanced Settings Block 0.0.0.0 as source address. Default: Drop Block 0 Net Block 0.* as source addresses. Default: DropLog Block 127 Net Block 127.* as source addresses. Default: DropLog Block Multicast Src Block multicast addresses (224.0.0.0 - 255.255.255.255) used as source addresses. Default: DropLog TTL Min The minimum TTL value accepted on receipt.
  • Page 455 13.1. IP Level Settings Chapter 13. Advanced Settings SecuRemoteUDP Compatibility Allow IP data to contain eight bytes more than the UDP total length field specifies. Checkpoint SecuRemote violates NAT-T drafts. Default: Disabled IP Option Sizes Verifies the size of "IP options". These options are small blocks of information that may be added to the end of each IP header.
  • Page 456 13.1. IP Level Settings Chapter 13. Advanced Settings IP Reserved Flag Indicates what NetDefendOS will do if there is data in the "reserved" fields of IP headers. In normal circumstances, these fields should read 0. Used by OS Fingerprinting. Default: DropLog Strip DontFragment Strip the Don't Fragment flag for packets equal to or smaller than the size specified by this setting.
  • Page 457: Tcp Level Settings

    13.2. TCP Level Settings Chapter 13. Advanced Settings 13.2. TCP Level Settings TCP Option Sizes Verifies the size of TCP options. This function acts in the same way as IPOptionSizes described above. Default: ValidateLogBad TCP MSS Min Determines the minimum permissible size of the TCP MSS. Packets containing maximum segment sizes below this limit are handled according to the next setting.
  • Page 458 13.2. TCP Level Settings Chapter 13. Advanced Settings TCP Auto Clamping Automatically clamp TCP MSS according to MTU of involved interfaces, in addition to TCPMSSMax. Default: Enabled TCP Zero Unused ACK Determines whether NetDefendOS should set the ACK sequence number field in TCP packets to zero if it is not used.
  • Page 459 13.2. TCP Level Settings Chapter 13. Advanced Settings initially intended to be used in negotiating for the use of better checksums in TCP. However, these are not understood by any of today's standard systems. As NetDefendOS cannot understand checksum algorithms other than the standard algorithm, these options can never be accepted. The ALTCHKREQ option is normally never seen on modern networks.
  • Page 460 13.2. TCP Level Settings Chapter 13. Advanced Settings TCP SYN/FIN The TCP FIN flag together with SYN; normally invalid (strip=strip FIN). Default: DropLog TCP FIN/URG Specifies how NetDefendOS will deal with TCP packets with both FIN (Finish, close connection) and URG flags turned on. This should normally never occur, as you do not usually attempt to close a connection at the same time as sending "important"...
  • Page 461 13.2. TCP Level Settings Chapter 13. Advanced Settings TCP sequence number validation is only possible on connections tracked by the state-engine (not on packets forwarded using a FwdFast rule). Possible values are: Ignore - Do not validate. Means that sequence number validation is completely turned off. ValidateSilent - Validate and pass on.
  • Page 462: Icmp Level Settings

    13.3. ICMP Level Settings Chapter 13. Advanced Settings 13.3. ICMP Level Settings ICMP Sends Per Sec Limit Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section.
  • Page 463: State Settings

    13.4. State Settings Chapter 13. Advanced Settings 13.4. State Settings Connection Replace Allows new additions to the NetDefendOS connection list to replace the oldest connections if there is no available space. Default: ReplaceLog Log Open Fails In some instances where the Rules section determines that a packet should be allowed through, the stateful inspection mechanism may subsequently decide that the packet cannot open a new connection.
  • Page 464 13.4. State Settings Chapter 13. Advanced Settings Default: Log Log Connection Usage This generates a log message for every packet that passes through a connection that is set up in the NetDefendOS state-engine. Traffic whose destination is the NetDefend Firewall itself, for example NetDefendOS management traffic, is not subject to this setting.
  • Page 465: Connection Timeout Settings

    13.5. Connection Timeout Settings Chapter 13. Advanced Settings 13.5. Connection Timeout Settings The settings in this section specify how long a connection can remain idle, that is to say with no data being sent through it, before it is automatically closed. Please note that each connection has two timeout values: one for each direction.
  • Page 466 13.5. Connection Timeout Settings Chapter 13. Advanced Settings Other Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before they are closed. Default: 130...
  • Page 467: Length Limit Settings

    13.6. Length Limit Settings Chapter 13. Advanced Settings 13.6. Length Limit Settings This section contains information about the size limits imposed on the protocols directly under IP level, such as TCP, UDP and ICMP. The values specified here concern the IP data contained in packets. In the case of Ethernet, a single packet can contain up to 1480 bytes of IP data without fragmentation.
  • Page 468 13.6. Length Limit Settings Chapter 13. Advanced Settings Specifies in bytes the maximum size of an AH packet. AH, Authentication Header, is used by IPsec where only authentication is applied. This value should be set at the size of the largest packet allowed to pass through the VPN connections, regardless of its original protocol, plus approx.
  • Page 469: Fragmentation Settings

    13.7. Fragmentation Settings Chapter 13. Advanced Settings 13.7. Fragmentation Settings An IP packet can carry up to 65535 bytes, the largest value of the 16-bit total length field. However, most media, such as Ethernet, cannot carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate packets, each given its own IP header and the information that will help the recipient reassemble the original packet correctly.
  • Page 470 13.7. Fragmentation Settings Chapter 13. Advanced Settings Default: Check8 – compare 8 random locations, a total of 32 bytes Failed Fragment Reassembly Reassemblies may fail due to one of the following causes: • Some of the fragments did not arrive within the time stipulated by the ReassTimeout or ReassTimeLimit settings.
  • Page 471 13.7. Fragmentation Settings Chapter 13. Advanced Settings • NoLog - No logging is carried out under normal circumstances. • LogSuspect - Logs duplicated fragments if the reassembly procedure has been affected by "suspect" fragments. • LogAll - Always logs duplicated fragments. Default: LogSuspect Fragmented ICMP Other than ICMP ECHO (Ping), ICMP messages should not normally be fragmented as they contain...
  • Page 472 13.7. Fragmentation Settings Chapter 13. Advanced Settings Reassembly Illegal Limit Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving. Default: 60...
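  A fragment reassembler that exhibits the failure modes the Fragmentation Settings above describe: reassemblies abandoned when fragments stop arriving within the time limits, duplicate fragments compared at 8 random 4-byte locations (32 bytes, the Check8 behaviour), overlapping fragments with differing data treated as illegal, and a packet marked illegal kept in memory for the Reassembly Illegal Limit (60 s on the page) so that its remaining fragments are dropped on arrival. Added example, not NetDefendOS code; the values used for the two reassembly timeouts are assumptions, since the page does not quote them, and all fragments fed to it are constructed.

```python
"""Fragment reassembly with timeouts, Check8 duplicate comparison and an
illegal-packet retention list. Added example, not NetDefendOS code."""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_IP_LEN = 65535   # largest IP packet (16-bit total length field)


@dataclass
class Pending:
    first_seen: float
    last_seen: float
    pieces: Dict[int, bytes] = field(default_factory=dict)   # byte offset -> data
    total_len: Optional[int] = None   # known once the last fragment (MF=0) arrives


class Reassembler:
    def __init__(self, reass_timeout: float = 65.0, reass_time_limit: float = 90.0,
                 illegal_limit: float = 60.0, rng: Optional[random.Random] = None):
        # reass_timeout / reass_time_limit defaults are assumptions; illegal_limit
        # 60 s is the Reassembly Illegal Limit default quoted above.
        self.reass_timeout = reass_timeout          # max gap between two fragments
        self.reass_time_limit = reass_time_limit    # max total time for one packet
        self.illegal_limit = illegal_limit
        self.rng = rng or random.Random()
        self.inflight: Dict[tuple, Pending] = {}
        self.illegal: Dict[tuple, float] = {}       # key -> time the mark expires
        self.log: List[Tuple[float, tuple, str]] = []

    def _check8(self, a: bytes, b: bytes) -> bool:
        """Duplicate Fragment Data = Check8: compare 8 random 4-byte locations of
        the overlapping region; an overlap of 32 bytes or less is compared whole."""
        if len(a) <= 32:
            return a == b
        return all(a[o:o + 4] == b[o:o + 4]
                   for o in (self.rng.randrange(len(a) - 3) for _ in range(8)))

    def _mark_illegal(self, key: tuple, ts: float, why: str):
        self.inflight.pop(key, None)
        self.illegal[key] = ts + self.illegal_limit
        self.log.append((ts, key, "illegal: " + why))
        return "illegal", None

    def fragment(self, key: tuple, offset: int, more: bool, data: bytes, ts: float):
        """key = (src, dst, ident, proto); offset in bytes (the header's 8-byte
        units already multiplied out). Returns (status, payload-or-None)."""
        self.illegal = {k: t for k, t in self.illegal.items() if t > ts}
        if key in self.illegal:
            return "illegal-retained", None     # further fragments of a bad packet
        r = self.inflight.get(key)
        if r and (ts - r.first_seen > self.reass_time_limit
                  or ts - r.last_seen > self.reass_timeout):
            self.log.append((ts, key, "reassembly timed out"))
            del self.inflight[key]
            r = None
        if r is None:
            r = self.inflight[key] = Pending(ts, ts)
        end = offset + len(data)
        if end > MAX_IP_LEN or (r.total_len is not None and
                                (end > r.total_len or (not more and end != r.total_len))):
            return self._mark_illegal(key, ts, "fragment extends past the packet end")
        for off, piece in r.pieces.items():
            lo, hi = max(off, offset), min(off + len(piece), end)
            if lo < hi:                          # overlaps a fragment already held
                if not self._check8(piece[lo - off:hi - off], data[lo - offset:hi - offset]):
                    return self._mark_illegal(key, ts, "overlapping fragment with different data")
                if lo == offset and hi == end:   # wholly covered: plain duplicate
                    self.log.append((ts, key, "duplicate fragment"))
                    return "duplicate", None
        r.pieces[offset] = data
        r.last_seen = ts
        if not more:
            r.total_len = end
        if r.total_len is None:
            return "pending", None
        cursor, out = 0, bytearray()
        for off in sorted(r.pieces):             # check coverage from byte 0 onward
            piece = r.pieces[off]
            if off > cursor:
                return "pending", None           # a gap remains before this piece
            out += piece[cursor - off:]          # skip bytes an earlier piece supplied
            cursor = max(cursor, off + len(piece))
        if cursor != r.total_len:
            return "pending", None
        del self.inflight[key]
        return "complete", bytes(out)
```

  Check8 is a sampling test: a duplicate whose data differs in only a byte or two can pass it, which is the trade-off against comparing every overlapping byte; the illegal list is what stops an attacker from finishing a reassembly after one bad fragment has already been seen.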
  • Page 473: Local Fragment Reassembly Settings

    13.8. Local Fragment Reassembly Chapter 13. Advanced Settings Settings 13.8. Local Fragment Reassembly Settings Max Concurrent Maximum number of concurrent local reassemblies. Default: 256 Max Size Maximum size of a locally reassembled packet. Default: 10000 Large Buffers Number of large (over 2K) local reassembly buffers (of the above size). Default: 32...
  • Page 474: Miscellaneous Settings

    13.9. Miscellaneous Settings Chapter 13. Advanced Settings 13.9. Miscellaneous Settings UDP Source Port 0 How to treat UDP packets with source port 0. Default: DropLog Port 0 How to treat TCP/UDP packets with destination port 0 and TCP packets with source port 0. Default: DropLog Watchdog Time Number of non-responsive seconds before watchdog is triggered (0=disable).
  • Page 475 13.9. Miscellaneous Settings Chapter 13. Advanced Settings...
  • Page 476: Subscribing To Security Updates

    Dynamic Web Content Filtering module all function using external D-Link databases which contain details of the latest viruses, security threats and URL categorization. These databases are constantly being updated and to get access to the latest updates a D-Link Security Update Subscription should be taken out. This is done by: •...
  • Page 477 To get the status of AV updates: gw-world:/> updatecenter -status Antivirus Querying Server Status To get the status of the D-Link network servers use the command: gw-world:/> updatecenter -servers Deleting Local Databases Some technical problem in the operation of either IDP or the Anti-Virus modules may be resolved by deleting the database and reloading.
  • Page 478: Idp Signature Groups

    For IDP scanning, the following signature groups are available for selection. These groups are available only for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Policy. For further information see Section 6.5, “Intrusion Detection and Prevention”.
  • Page 479 Appendix B. IDP Signature Groups Group Name Intrusion Type FTP_FORMATSTRING Format string attack FTP_GENERAL FTP protocol and implementation FTP_LOGIN Login attacks FTP_OVERFLOW FTP buffer overflow GAME_BOMBERCLONE Bomberclone game GAME_GENERAL Generic game servers/clients GAME_UNREAL UnReal Game server HTTP_APACHE Apache httpd HTTP_BADBLUE Badblue web server HTTP_CGI HTTP CGI...
  • Page 480 Appendix B. IDP Signature Groups Group Name Intrusion Type POP3_DOS Denial of Service for POP POP3_GENERAL Post Office Protocol v3 POP3_LOGIN-ATTACKS Password guessing and related login attack POP3_OVERFLOW POP3 server overflow POP3_REQUEST-ERRORS Request Error PORTMAPPER_GENERAL PortMapper PRINT_GENERAL LP printing server: LPR LPD PRINT_OVERFLOW Overflow of LPR/LPD protocol/implementation REMOTEACCESS_GOTOMYPC...
  • Page 481 Appendix B. IDP Signature Groups Group Name Intrusion Type TFTP_OPERATION Operation Attack TFTP_OVERFLOW TFTP buffer overflow attack TFTP_REPLY TFTP Reply attack TFTP_REQUEST TFTP request attack TROJAN_GENERAL Trojan UDP_GENERAL General UDP UDP_POPUP Pop-up window for MS Windows UPNP_GENERAL UPNP VERSION_CVS VERSION_SVN Subversion VIRUS_GENERAL Virus...
  • Page 482: Verified Mime Filetypes

    Appendix C. Verified MIME filetypes Some NetDefendOS Application Layer Gateways (ALGs) have the optional ability to verify that the contents of a downloaded file matches the type that the filetype in the filename indicates. The filetypes for which MIME verification can be done are listed in this appendix and the ALGs to which this applies are: •...
  • Page 483 Appendix C. Verified MIME filetypes Filetype extension Application Windows Control Panel Extension file Database file Graphics Multipage PCX Bitmap file Debian Linux Package file djvu DjVu file Windows dynamic link library file DPA archive data TeX Device Independent Document EET archive Allegro datafile eMacs Lisp Byte-compiled Source Code ABT EMD Module/Song Format file...
  • Page 484 Appendix C. Verified MIME filetypes Filetype extension Application MPEG-1 Video file Microsoft files Microsoft office files, and other Microsoft files Atari MSA archive data niff, nif Navy Interchange file Format Bitmap Nancy Video CODEC NES Sound file obj, o Windows object file, linux object file Object Linking and Embedding (OLE) Control Extension Ogg Vorbis Codec compressed WAV file Linux executable...
  • Page 485 Appendix C. Verified MIME filetypes Filetype extension Application TeX font metric data tiff, tif Tagged Image Format file tnef Transport Neutral Encapsulation Format torrent BitTorrent Metainfo file TrueType Font Yamaha TX Wave audio files UFA archive data Vcard file VivoActive Player Streaming Video file Waveform Audio Lotus 1-2-3 document Windows Media file...
  • Page 486: The Osi Framework

    Appendix D. The OSI Framework Overview The Open Systems Interconnection Model defines a framework for inter-computer communications. It categorizes different protocols for a great variety of network applications into seven smaller, more manageable layers. The model describes how data from an application in one computer can be transferred through a network medium to an application on another computer.
  • Page 487: D-Link Worldwide Offices

    Appendix E. D-Link Worldwide Offices Below is a complete list of D-Link worldwide sales offices. Please check your own country area's local website for further details regarding support of D-Link products as well as contact details for local support. Australia 1 Giffnock Avenue, North Ryde, NSW 2113, Australia.
  • Page 488 Appendix E. D-Link Worldwide Offices Italy Via Nino Bonnet n. 6/b, 20154 – Milano, Italy. TEL: 39-02-2900-0676, FAX: 39-02-2900-1723. Website: www.dlink.it LatinAmerica Isidora Goyenechea 2934, Oficina 702, Las Condes, Santiago – Chile. TEL: 56-2-232-3185, FAX: 56-2-232-0923. Website: www.dlink.cl Luxemburg Rue des Colonies 11, B-1000 Brussels, Belgium TEL: +32 (0)2 517 7111, FAX: +32 (0)2 517 6500.
  • Page 489: Alphabetical Index

    anonymizing internet traffic, 301 anti-virus scanning, 272 Alphabetical Index activating, 273 database, 274 fail mode behaviour, 274 in the FTP ALG, 212 access rules, 204 in the HTTP ALG, 209 accounting, 58 in the POP3 ALG, 227 interim messages, 60 in the SMTP ALG, 218 limitations with NAT, 61 memory requirements, 272...
  • Page 490 Alphabetical Index Block 127 Net setting, 454 console blocking applications with IDP, 278 boot menu, 45 Block Multicast Src setting, 454 enabling password, 45 boot menu (see console boot menu) content filtering, 255 BOOTP, 198 active content, 255 BPDU relaying, 187 audit mode, 261 Broadcast Enet Sender setting, 189 categories, 263...
  • Page 491 Alphabetical Index Duplicated Fragment Data setting, 469 disabling heartbeat sending, 436 Duplicate Fragments setting, 470 heartbeats, 436 dynamic balancing (in pipes), 411 in demonstration mode, 435 Dynamic CAM Size setting, 188 issues, 443 dynamic DNS, 128 licensing, 435 Dynamic L3C Size setting, 188 making OSPF work, 443 Dynamic Max Connections setting, 464 mechanisms, 436...
  • Page 492 Alphabetical Index IKE CRL Validity Time setting, 380 server, 384 IKE Max CA Path setting, 380 L2TP Before Rules setting, 388 IKE Send CRLs setting, 380 L3 Cache Size setting, 188 IKE Send Initial Contact setting, 380 LAN to LAN tunnels, 366 ikesnoop VPN troubleshooting, 372, 396 quick start guide, 342, 343 Illegal Fragments setting, 469...
  • Page 493 Alphabetical Index Max Radius Contexts setting, 62 Ping Idle Lifetime setting, 465 Max Reassembly Time Limit setting, 471 pipe rules, 404 max sessions pipes, 403 services parameter, 83 policies, 109 Max Size (reassembly) setting, 473 policy based routing, 146 Max SKIP Length setting, 468 Poll Interval setting, 63 Max TCP Length setting, 467 POP3 ALG, 227...
  • Page 494 Alphabetical Index dynamic, 157 community string, 65 local IP address, 134 MIB, 65 metric for default routes, 138 monitoring, 65 metrics, 132, 158 traps, 55 monitoring, 140 with IP rules, 65 principles, 132 SNMP Before Rules setting, 66 routes added at startup, 138 SNMP Request Limit setting, 66, 67 static, 132 source based routing, 146...
  • Page 495 Alphabetical Index TCP SYN/URG setting, 459 license limitations, 93 TCP SYN Idle Lifetime setting, 465 port based, 92 TCP URG setting, 460 trunk, 92 TCP Zero Unused ACK setting, 458 voice over IP TCP Zero Unused URG setting, 458 with H.323, 239 Tertiary Time Server setting, 126 with SIP, 229 TFTP ALG, 217...