D-Link DFL-1660 User Manual

Network security firewall

Network Security Firewall
User Manual
NetDefendOS
Ver. 2.40.03
Network Security Solution
http://www.dlink.com

Summary of Contents for D-Link DFL-1660

  • Page 2 User Manual DFL-260E/860E/1660/2560/2560G NetDefendOS Version 2.40.03 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2013-02-20 Copyright © 2013...
  • Page 3 D-Link reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such revision or changes.
  • Page 4: Table Of Contents

    Table of Contents: Preface, p. 15; 1. NetDefendOS Overview, p. 17; 1.1. Features, p. 17; 1.2. NetDefendOS Architecture, p. 20; 1.2.1. State-based Architecture, p. 20; 1.2.2. NetDefendOS Building Blocks, p. 20; 1.2.3. Basic Packet Flow, p. 21; 1.3. NetDefendOS State Engine Packet Flow, p. 24; 2. Management and Maintenance, p. 29; 2.1. ...
  • Page 5 3.2. IPv6 Support, p. 94; 3.3. Services, p. 100; 3.3.1. Overview, p. 100; 3.3.2. Creating Custom Services, p. 101; 3.3.3. ICMP Services, p. 104; 3.3.4. Custom IP Protocol Services, p. 106; 3.3.5. Service Groups, p. 106; 3.3.6. Custom Service Timeouts, p. 107; 3.4. ...
  • Page 6 6.4.2. Implementation, p. 343; 6.4.3. Activating Anti-Virus Scanning, p. 344; 6.4.4. The Signature Database, p. 344; 6.4.5. Subscribing to the D-Link Anti-Virus Service, p. 345; 6.4.6. Anti-Virus Options, p. 345; 6.5. Intrusion Detection and Prevention, p. 349; 6.5.1. Overview, p. 349; 6.5.2. ...
  • Page 7 6.6.10. Distributed DoS Attacks, p. 364; 6.7. Blacklisting Hosts and Networks, p. 366; 7. Address Translation, p. 369; 7.1. Overview, p. 369; 7.2. NAT, p. 370; 7.3. NAT Pools, p. 375; 7.4. SAT, p. 378; 7.4.1. Translation of a Single IP Address (1:1), p. 378; 7.4.2. ...
  • Page 8 9.6. SSL VPN, p. 472; 9.6.1. Overview, p. 472; 9.6.2. Configuring SSL VPN in NetDefendOS, p. 473; 9.6.3. Installing the SSL VPN Client, p. 475; 9.6.4. Setup Example, p. 478; 9.7. CA Server Access, p. 480; 9.8. VPN Troubleshooting, p. 483; 9.8.1. ...
  • Page 9 12.3.5. Limitations, p. 549; 13. Advanced Settings, p. 552; 13.1. IP Level Settings, p. 552; 13.2. TCP Level Settings, p. 556; 13.3. ICMP Level Settings, p. 561; 13.4. State Settings, p. 562; 13.5. Connection Timeout Settings, p. 564; 13.6. ...
  • Page 10 List of Figures: 1.1. Packet Flow Schematic Part I, p. 24; 1.2. Packet Flow Schematic Part II, p. 25; 1.3. Packet Flow Schematic Part III, p. 26; 1.4. Expanded Apply Rules Logic, p. 27; 3.1. VLAN Connections, p. 118; 3.2. An ARP Publish Ethernet Frame, p. 132; 3.3. ...
  • Page 11 10.5. Minimum and Maximum Pipe Precedence, p. 500; 10.6. Traffic Grouped By IP Address, p. 504; 10.7. A Basic Traffic Shaping Scenario, p. 508; 10.8. IDP Traffic Shaping P2P Scenario, p. 514; 10.9. A Server Load Balancing Configuration, p. 520; 10.10. ...
  • Page 12 3.29. Manually Triggering a Time Synchronization, p. 159; 3.30. Modifying the Maximum Adjustment Value, p. 159; 3.31. Forcing Time Synchronization, p. 160; 3.32. Enabling the D-Link NTP Server, p. 160; 3.33. Configuring DNS Servers, p. 163; 4.1. Displaying the main Routing Table, p. 174; 4.2. ...
  • Page 13 4.9. Creating an OSPF Router Process, p. 220; 4.10. Add an OSPF Area, p. 221; 4.11. Add OSPF Interface Objects, p. 221; 4.12. Import Routes from an OSPF AS into the Main Routing Table, p. 222; 4.13. Exporting the Routes into an OSPF AS, p. 223; 4.14. ...
  • Page 14 10.1. Applying a Simple Bandwidth Limit, p. 494; 10.2. Limiting Bandwidth in Both Directions, p. 496; 10.3. Setting up SLB, p. 525; 12.1. A simple ZoneDefense scenario, p. 548...
  • Page 15: Preface

    Preface Intended Audience The target audience for this reference guide is Administrators who are responsible for configuring and managing NetDefend Firewalls which are running the NetDefendOS operating system. This guide assumes that the reader has some basic knowledge of networks and network security. Text Structure and Conventions The text is broken down into chapters and sub-sections.
  • Page 16 Preface The Web Interface actions for the example are shown here. They are also typically a numbered list showing what items in the tree-view list at the left of the interface or in the menu bar or in a context menu need to be opened followed by information about the data items that need to be entered: Go to: Item X >...
  • Page 17: Netdefendos Overview

    • NetDefendOS Architecture, page 20 • NetDefendOS State Engine Packet Flow, page 24 1.1. Features D-Link NetDefendOS is the base software engine that drives and controls the range of NetDefend Firewall hardware products. NetDefendOS as a Network Security Operating System Designed as a network security operating system, NetDefendOS features high throughput performance with high reliability plus super-granular control.
  • Page 18 More information about the IDP capabilities of NetDefendOS can be found in Section 6.5, “Intrusion Detection and Prevention”. Note Full IDP is available on all D-Link NetDefend product models as a subscription service. On some models, a simplified IDP subsystem is provided as standard.
  • Page 19 Chapter 2, Management and Maintenance. ZoneDefense NetDefendOS can be used to control D-Link switches using the ZoneDefense feature. This allows NetDefendOS to isolate portions of a network that contain hosts that are the source of undesirable network traffic.
  • Page 20: Netdefendos Architecture

    1.2. NetDefendOS Architecture. 1.2.1. State-based Architecture. The NetDefendOS architecture is centered around the concept of state-based connections. Traditional IP routers or switches commonly inspect all packets and then perform forwarding decisions based on information found in the packet headers. With this approach, packets are forwarded without any sense of context, which eliminates any possibility to detect and analyze complex protocols and enforce corresponding security policies.
  • Page 21: Basic Packet Flow

    1.2.3. Basic Packet Flow. NetDefendOS Rule Sets: Finally, rules which are defined by the administrator in the various rule sets are used for actually implementing NetDefendOS security policies. The most fundamental set of rules are the IP Rules, which are used to define the layer 3 IP filtering policy as well as carrying out address translation and server load balancing.
  • Page 22 The matching criteria of an IP rule are: source and destination interfaces; source and destination network; IP protocol (for example TCP, UDP, ICMP); TCP/UDP ports; ICMP types; point in time in reference to a predefined schedule. If a match cannot be found, the packet is dropped.
  • Page 23 If the destination interface is a tunnel interface or a physical sub-interface, additional processing such as encryption or encapsulation might occur. The next section provides a set of diagrams illustrating the flow of packets through NetDefendOS.
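The rule-matching criteria summarized above (interfaces, networks, protocol, ports, ICMP type, schedule) and the drop on no match can be modelled as a first-match evaluator. The block below is an added example written for this page, not NetDefendOS code; the interface names (lan, wan, dmz), the rule objects, the actions and the documentation addresses it uses are hypothetical, and it matches against CIDR networks only (NetDefendOS address objects also allow ranges and groups).

```python
"""First-match IP rule evaluation with implicit drop, modelled on the
NetDefendOS criteria listed above. Added example, not NetDefendOS code;
rule names, interfaces and addresses are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Schedule:
    """Active window in local time on the listed weekdays (0 = Monday)."""
    start: time
    end: time
    weekdays: frozenset = frozenset(range(7))

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Packet:
    src_if: str
    dst_if: str
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class IPRule:
    name: str
    action: str                     # e.g. "Allow", "NAT", "SAT", "Drop"
    src_if: str                     # interface name or "any"
    dst_if: str
    src_net: str                    # CIDR
    dst_net: str
    proto: str = "any"
    ports: frozenset = frozenset()        # empty = any destination port
    icmp_types: frozenset = frozenset()   # empty = any ICMP type
    schedule: Optional[Schedule] = None   # None = always

    def matches(self, p: Packet, now: datetime) -> bool:
        # Interface and network are checked together: a packet with an
        # internal source address arriving on the wrong interface fails here.
        if self.src_if not in ("any", p.src_if) or self.dst_if not in ("any", p.dst_if):
            return False
        if ip_address(p.src) not in ip_network(self.src_net, strict=False):
            return False
        if ip_address(p.dst) not in ip_network(self.dst_net, strict=False):
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.ports and p.dport not in self.ports:
            return False
        if self.icmp_types and p.icmp_type not in self.icmp_types:
            return False
        if self.schedule is not None and not self.schedule.active(now):
            return False
        return True


def evaluate(rules, packet: Packet, now: datetime):
    """Return (action, rule name) of the first matching rule; no match is a drop."""
    for rule in rules:
        if rule.matches(packet, now):
            return rule.action, rule.name
    return "Drop", None


# Hypothetical rule set: office-hours web access out, ping out, HTTPS in to a DMZ host.
OFFICE_HOURS = Schedule(time(8, 0), time(18, 0), frozenset(range(5)))
RULES = [
    IPRule("lan_web_out", "NAT", "lan", "wan", "192.168.10.0/24", "0.0.0.0/0",
           proto="tcp", ports=frozenset({80, 443}), schedule=OFFICE_HOURS),
    IPRule("lan_ping_out", "Allow", "lan", "wan", "192.168.10.0/24", "0.0.0.0/0",
           proto="icmp", icmp_types=frozenset({8})),
    IPRule("wan_to_dmz_https", "SAT", "wan", "dmz", "0.0.0.0/0", "203.0.113.10/32",
           proto="tcp", ports=frozenset({443})),
]


def decide(src_if, dst_if, src, dst, proto, dport=None, icmp_type=None,
           when="2024-01-08T10:00"):
    """Convenience wrapper: evaluate one packet against RULES at the given time."""
    packet = Packet(src_if, dst_if, src, dst, proto, dport, icmp_type)
    return evaluate(RULES, packet, datetime.fromisoformat(when))


if __name__ == "__main__":
    print(decide("lan", "wan", "192.168.10.5", "203.0.113.7", "tcp", 443))
    print(decide("wan", "wan", "192.168.10.5", "203.0.113.7", "tcp", 443))  # spoofed source
```

Two of the decisions are worth noting: a packet carrying a 192.168.10.0/24 source address but arriving on wan fails lan_web_out on the interface criterion even though the network matches, which is why a rule pairs interface with network; and anything that reaches the end of the list is dropped, not allowed.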
  • Page 24: Netdefendos State Engine Packet Flow

    1.3. NetDefendOS State Engine Packet Flow. The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state engine. There are three diagrams, each flowing into the next. It is not necessary to understand these diagrams; however, they can be useful as a reference when configuring NetDefendOS in certain situations.
  • Page 25 Figure 1.2. Packet Flow Schematic Part II. The packet flow is continued on the following page.
  • Page 26: Packet Flow Schematic Part Iii

    Figure 1.3. Packet Flow Schematic Part III...
  • Page 27: Expanded Apply Rules Logic

    Apply Rules: The figure below presents the detailed logic of the Apply Rules function in Figure 1.2, “Packet Flow Schematic Part II” above. Figure 1.4. Expanded Apply Rules Logic...
  • Page 29: Management And Maintenance

    Chapter 2. Management and Maintenance This chapter describes the management, operations and maintenance related aspects of NetDefendOS. • Managing NetDefendOS, page 29 • Events and Logging, page 60 • RADIUS Accounting, page 66 • Monitoring, page 72 • The pcapdump Command, page 81 •...
  • Page 30: The Default Administrator Account

    By default, Web Interface access is enabled for users on the network connected via the LAN interface of the D-Link firewall (on products where more than one LAN interface is available, LAN1 is the default interface). 2.1.2. The Default Administrator Account By default, NetDefendOS has a local user database, AdminUsers, that contains one predefined administrator account.
  • Page 31 Opera (version 10.5 and later). Assignment of a Default IP Address: For a new D-Link NetDefend firewall with factory defaults, a default internal IP address is assigned automatically by NetDefendOS to the hardware's LAN1 interface (or the LAN interface on models without multiple LAN interfaces).
  • Page 32 The Web Interface login dialog offers the option to select a language other than English for the interface. Language support is provided by a set of separate resource files. These files can be downloaded from the D-Link website. It may occasionally be the case that a NetDefendOS upgrade contains features that temporarily lack a complete non-English translation because of time constraints.
  • Page 33 2.1.3. The Web Interface Chapter 2. Management and Maintenance For information about the default user name and password, see Section 2.1.2, “The Default Administrator Account” . Note: Remote management access Access to the Web Interface is regulated by the configured remote management policy. By default, the system will only allow web access from the internal network.
  • Page 34 2.1.3. The Web Interface Chapter 2. Management and Maintenance • Maintenance Update Center - Manually update or schedule updates of the intrusion detection and antivirus signatures. License - View license details or enter activation code. iii. Backup - Make a backup of the configuration to a local computer or restore a previously downloaded backup.
  • Page 35: Enabling Remote Management Via Https

    2.1.3. The Web Interface Chapter 2. Management and Maintenance Controlling Access to the Web Interface By default, the Web Interface is accessible only from the internal network. If it is required to have access from other parts of the network, this can be done by modifying the remote management policy.
  • Page 36: The Cli

    This section only provides a summary for using the CLI. For a complete reference for all CLI commands, see the separate D-Link CLI Reference Guide. The most often used CLI commands are: •...
  • Page 37 ... avoided, to prevent ambiguity when reading configurations. Note: the terms Category and Context. When describing the CLI, the object category is also sometimes referred to as the object context. A command like add can also include object properties.
  • Page 38 2.1.4. The CLI Chapter 2. Management and Maintenance add IPRule Na If the tab key is now pressed, the letters Na will not be completed to be Name= because Name is optional and all the mandatory parameters must be entered before tab completion works for optional parameters.
  • Page 39 2.1.4. The CLI Chapter 2. Management and Maintenance It has been mentioned that objects are grouped by type, such as IP4Address. Types themselves are grouped by category. The type IP4Address belongs to the category Address. The main use of categories is in tab completion when searching for the right object type to use. If a command such as add is entered and then the tab key is pressed, NetDefendOS displays all the available categories.
  • Page 40 The serial console port is a local RS-232 port on the NetDefend Firewall that allows direct access to the NetDefendOS CLI through a serial connection to a PC or dumb terminal. To locate the serial console port on D-Link hardware, see the D-Link Quick Start Guide . To use the console port, the following equipment is required: •...
  • Page 41: Enabling Ssh Remote Access

    • An RS-232 cable with appropriate connectors. An appliance package includes an RS-232 null-modem cable. To connect a terminal to the console port, follow these steps: Set the terminal protocol as described previously. Connect one of the connectors of the RS-232 cable directly to the console port on the NetDefend Firewall system.
  • Page 42 2.1.4. The CLI Chapter 2. Management and Maintenance as well as providing user information for auditing. When accessing the CLI remotely through SSH, NetDefendOS will respond with a login prompt. Enter the username and press the Enter key, followed by the password and then Enter again. After a successful logon, the CLI command prompt will appear: gw-world:/>...
  • Page 43 2.1.4. The CLI Chapter 2. Management and Maintenance tree. Activating and Committing Changes If any changes are made to the current configuration through the CLI, those changes will not be uploaded to NetDefendOS until the command: gw-world:/> activate is issued. Immediately following the activate command, the command: gw-world:/>...
  • Page 44 2.1.4. The CLI Chapter 2. Management and Maintenance connections or VPN tunnels. However, with some IPsec tunnel changes, a reconfiguration will mean the tunnels are lost and have to be reestablished because the tunnel SAs are no longer valid. Checking Configuration Integrity After changing a NetDefendOS configuration and before issuing the activate and commit commands, it is possible to explicitly check for any problems in a configuration using the command: gw-world:/>...
  • Page 45: Cli Scripts

    Create a text file with a text editor containing a sequential list of CLI commands, one per line. The D-Link recommended convention is for these files to use the file extension .sgs (Security Gateway Script). The filename, including the extension, should not be more than 16 characters.
  • Page 46 2.1.5. CLI Scripts Chapter 2. Management and Maintenance Note Uploaded CLI script files are not held in permanent memory and will disappear after system restarts. Only Four Commands are Allowed in Scripts The commands allowed in a script file are limited to four and these are: •...
  • Page 47 2.1.5. CLI Scripts Chapter 2. Management and Maintenance Script Validation and Command Ordering CLI scripts are not, by default, validated. This means that the written ordering of the script does not matter. There can be a reference to a configuration object at the beginning of a script which is only created at the end of the script.
  • Page 48 Listing Scripts: The script command on its own, without any parameters, lists all the scripts currently available and indicates the size of each script as well as the type of memory where it resides (residence in non-volatile memory is indicated by the word "Disk"...
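Because uploaded scripts are not validated by default and only a small set of commands is permitted in them, it pays to check a script locally before uploading it. The block below is an added example written for this page, not D-Link code: it builds .sgs lines, enforces the 16-character filename limit stated above, and flags a command outside the permitted set or an object reference that the script never defines (a dangling reference is otherwise only discovered at activate time). The set of four permitted commands (add, set, delete, cc) is my assumption, since this page does not list them; the IPRule property names (SourceNetwork, DestinationNetwork, Service, Name) and the pre-existing object names (lannet, wannet, all-nets, http-all) are from my recollection of the NetDefendOS CLI and should be verified against the CLI Reference Guide.

```python
"""Build and lint a NetDefendOS CLI script (.sgs) before upload.
Added example, not D-Link code. ALLOWED_COMMANDS, the IPRule property
names and PREEXISTING are assumptions about the NetDefendOS CLI."""
import re

MAX_SCRIPT_NAME = 16          # filename including extension, per the manual
SCRIPT_EXT = ".sgs"
ALLOWED_COMMANDS = {"add", "set", "delete", "cc"}            # assumption
REF_KEYS = {"SourceNetwork", "DestinationNetwork", "Service"}  # properties that name other objects
PREEXISTING = frozenset({"lannet", "wannet", "all-nets", "http-all"})  # assumption: default objects
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')


def script_name_ok(name: str) -> bool:
    """True if the filename uses .sgs and fits the 16-character limit."""
    return name.endswith(SCRIPT_EXT) and len(name) <= MAX_SCRIPT_NAME


def add_line(obj_type: str, name: str, **props) -> str:
    """Build 'add <Type> <Name> Key=Value ...' (category omitted, as the text allows)."""
    body = " ".join(f"{k}={v}" for k, v in props.items())
    return f"add {obj_type} {name} {body}".rstrip()


def lint(lines, preexisting=frozenset()):
    """Return problems: commands not allowed in scripts and references to
    objects that neither pre-exist nor are created anywhere in the script.
    Two passes, because ordering is not validated so a reference may
    legitimately precede its definition."""
    defined = set(preexisting)
    problems = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if not parts:
            continue
        cmd = parts[0]
        if cmd not in ALLOWED_COMMANDS:
            problems.append(f"line {n}: command '{cmd}' not allowed in scripts")
            continue
        if cmd == "add":
            bare = []                       # 'Category Type Name' or 'Type Name'
            for p in parts[1:]:
                if "=" in p:
                    break
                bare.append(p)
            name = bare[-1] if len(bare) >= 2 else dict(TOKEN.findall(line)).get("Name")
            if name:
                defined.add(name.strip('"'))
    for n, line in enumerate(lines, 1):
        for key, val in TOKEN.findall(line):
            if key in REF_KEYS and val.strip('"') not in defined:
                problems.append(f"line {n}: {key}={val} references an undefined object")
    return problems


def demo_script():
    """Constructed script: the last rule names a service that is never created."""
    return [
        add_line("IP4Address", "web_srv", Address="192.168.10.16-192.168.10.21"),
        "add IPRule Action=Allow SourceInterface=lan SourceNetwork=lannet "
        "DestinationInterface=wan DestinationNetwork=all-nets Service=http-all Name=lan_http",
        'set IPRule lan_http Comments="added by script"',
        "add IPRule Action=Allow SourceInterface=wan SourceNetwork=all-nets "
        "DestinationInterface=lan DestinationNetwork=web_srv Service=https_custom Name=wan_https",
    ]


def demo():
    return lint(demo_script(), PREEXISTING)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run against demo_script() the linter reports only the undefined https_custom service; web_srv is accepted even though a later rule could have referenced it before its add line, which matches the ordering behaviour described above.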
  • Page 49: Secure Copy

    2.1.6. Secure Copy Chapter 2. Management and Maintenance This is instead of the usual way of qualifying the object with its category name: add Address IP4Address... Both are valid forms of the command. If an object type can be uniquely identified with its name, its object category need not be specified.
  • Page 50 2.1.6. Secure Copy Chapter 2. Management and Maintenance almost all platforms. The command line examples below are based on the most common command format for SCP client software. SCP Command Format SCP command syntax is straightforward for most console based clients. The basic command used here is scp followed by the source and destination for the file transfer.
  • Page 51: The Console Boot Menu

    2.1.7. The Console Boot Menu Chapter 2. Management and Maintenance sshclientkey/ Apart from the individual files, the objects types listed are: • HTTPALGBanners/ - The banner files for user authentication HTML. Uploading these is described further in Section 6.3.4.4, “Customizing WCF HTML Pages”. •...
  • Page 52 2.1.7. The Console Boot Menu Chapter 2. Management and Maintenance The NetDefendOS loader is the base software on top of which NetDefendOS runs and the administrator's direct interface to this is called the console boot menu (also known simply as the boot menu).
  • Page 53: Management Advanced Settings

    2.1.8. Management Advanced Settings Chapter 2. Management and Maintenance will prompt for the password before access is allowed to either the boot menu or the command line interface (CLI). Initial Options with a Console Password Set If a console password is set then the initial options that appear when NetDefendOS loading is interrupted with a key press are shown below.
  • Page 54: Working With Configurations

    Validation Timeout: Specifies the number of seconds to wait for the administrator to log in before reverting to the previous configuration. Default: 30. WebUI HTTP port: Specifies the HTTP port for the Web Interface. Default: 80. WebUI HTTPS port: Specifies the HTTPS port for the Web Interface.
  • Page 55: Listing Configuration Objects

    2.1.9. Working with Configurations Chapter 2. Management and Maintenance Example 2.3. Listing Configuration Objects To find out what configuration objects exist, you can retrieve a listing of the objects. This example shows how to list all service objects. Command-Line Interface gw-world:/>...
  • Page 56: Editing A Configuration Object

    Note: When accessing objects via the CLI you can omit the category name and just use the type name. The CLI command in the above example, for instance, could be simplified to: gw-world:/>...
  • Page 57: Deleting A Configuration Object

    Show the new object:
    gw-world:/> show Address IP4Address myhost
    Property              Value
    --------------------- -------------
    Name:                 myhost
    Address:              192.168.10.10
    UserAuthGroups:       (none)
    NoDefinedCredentials:
    Comments:             (none)
    Web Interface: Go to: Objects > Address Book. Click on the Add button. In the dropdown menu displayed, select IP Address. In the Name text box, enter myhost. Enter 192.168.10.10 in the IP Address textbox...
  • Page 58: Listing Modified Configuration Objects

    2.1.9. Working with Configurations Chapter 2. Management and Maintenance In the dropdown menu displayed, select Undo Delete Listing Modified Objects After modifying several configuration objects, you might want to see a list of the objects that were changed, added and removed since the last commit. Example 2.9.
  • Page 59 2.1.9. Working with Configurations Chapter 2. Management and Maintenance gw-world:/> activate The system will validate and start using the new configuration. When the command prompt is shown again: gw-world:/> commit The new configuration is now committed. Web Interface Go to: Configuration > Save and Activate in the menu bar Click OK to confirm The web browser will automatically try to connect back to the Web Interface after 10 seconds.
  • Page 60: Events And Logging

    2.2. Events and Logging. 2.2.1. Overview. The ability to log and analyze system activities is an essential feature of NetDefendOS. Logging enables not only monitoring of system status and health, but also allows auditing of network usage and assists in troubleshooting.
  • Page 61: Creating Log Receivers

    • Debug. By default, NetDefendOS sends all messages of level Info and above to any configured log servers, but the level for sending can be changed by the administrator. The Debug severity is intended for system troubleshooting only and should only be used if required.
  • Page 62: Enable Logging To A Syslog Host

    Note: The Prio and Severity fields The Prio= field in SysLog messages contains the same information as the Severity field for D-Link Logger messages. However, the ordering of the numbering is reversed. Example 2.11. Enable Logging to a Syslog Host To enable logging of all events with a severity greater than or equal to Notice to a Syslog server with IP address 195.11.22.55, follow the steps outlined below:...
  • Page 63: Severity Filter And Message Exceptions

    2.2.6. Severity Filter and Message Exceptions. Note: Syslog server configuration. The syslog server may have to be configured to receive log messages from NetDefendOS. See the documentation for the specific syslog server in order to configure it correctly.
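On the receiving side, the severity filter described above amounts to decoding the syslog PRI field and keeping messages at or above a chosen level. The block below is an added example written for this page, not NetDefendOS or D-Link code: it parses the RFC 3164 PRI header, applies a "Notice and above" filter like the one in Example 2.11, and maps the syslog severity to the reversed D-Link Logger numbering the note above mentions (7 - n is my assumption of what "reversed" means). The message bodies are constructed samples; the real NetDefendOS body format is not shown on this page.

```python
"""Receiver-side severity filtering for syslog messages from a firewall.
Added example, not NetDefendOS code. Only the <PRI> header is relied on;
SAMPLE_LINES are constructed, not real NetDefendOS output."""
import re

# Syslog severities, RFC 3164 / RFC 5424: lower number = more severe
SYSLOG_SEVERITY = ["Emergency", "Alert", "Critical", "Error",
                   "Warning", "Notice", "Info", "Debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line: str):
    """Split '<PRI>body' into (facility, severity, body); PRI = facility*8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header: " + line[:40])
    pri = int(m.group(1))
    if pri > 191:                       # highest facility (23) * 8 + Debug (7)
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8, m.group(2)


def dlink_logger_severity(syslog_severity: int) -> int:
    """Assumption: the D-Link Logger Severity field is the syslog value with
    the numbering reversed, so Emergency (0) becomes 7 and Debug (7) becomes 0."""
    return 7 - syslog_severity


def filter_by_severity(lines, minimum="Notice"):
    """Keep messages at 'minimum' or more severe; returns (severity name, body) pairs."""
    threshold = SYSLOG_SEVERITY.index(minimum)
    kept = []
    for line in lines:
        _facility, severity, body = parse_pri(line)
        if severity <= threshold:
            kept.append((SYSLOG_SEVERITY[severity], body))
    return kept


def count_by_severity(lines):
    """Per-severity message counts, useful when tuning the Send Limit setting."""
    counts = {}
    for line in lines:
        name = SYSLOG_SEVERITY[parse_pri(line)[1]]
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample input, facility 1 (user): PRI 14 Info, 13 Notice,
# 12 Warning, 15 Debug, 10 Critical.
SAMPLE_LINES = [
    "<14>Feb 20 10:01:02 gw-world CONN: conn_open lan->wan 192.168.10.5:51000 -> 203.0.113.7:443",
    "<13>Feb 20 10:01:03 gw-world RULE: packet dropped by default rule",
    "<12>Feb 20 10:01:04 gw-world IDP: signature matched, action=audit",
    "<15>Feb 20 10:01:05 gw-world SYSTEM: debug trace",
    "<10>Feb 20 10:01:06 gw-world HWM: sensor value outside configured range",
]

if __name__ == "__main__":
    for name, body in filter_by_severity(SAMPLE_LINES):
        print(f"{name:9} {body}")
```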
  • Page 64: Sending Snmp Traps To An Snmp Trap Receiver

    The file DFLNNN-TRAP.MIB (where NNN indicates the model number of the firewall) is provided by D-Link and defines the SNMP objects and data types that are used to describe an SNMP Trap received from NetDefendOS.
  • Page 65: Advanced Log Settings

    2.2.8. Advanced Log Settings. The following advanced settings for NetDefendOS event logging are available to the administrator: Send Limit: This setting specifies the maximum number of log messages that NetDefendOS will send per second. This value should never be set too low, as this may result in important events not being logged, nor should it be set too high.
  • Page 66: Radius Accounting

    2.3. RADIUS Accounting. 2.3.1. Overview. The Central Database Approach: Within a network environment containing large numbers of users, it is advantageous to have one or a cluster of central servers that maintain user account information and are responsible for authentication and authorization tasks.
  • Page 67 2.3.2. RADIUS Accounting Messages Chapter 2. Management and Maintenance • ID - A unique 7 character random string identifier to enable matching of an AccountingRequest with Acct-Status-Type set to STOP. • User Name - The user name of the authenticated user. •...
  • Page 68: Interim Accounting Messages

    2.3.3. Interim Accounting Messages Chapter 2. Management and Maintenance • Timestamp - The number of seconds since 1970-01-01. Used to set a timestamp when this packet was sent from the NetDefend Firewall. In addition, two more attributes may be sent: •...
  • Page 69: Radius Accounting Security

    2.3.5. RADIUS Accounting Security Chapter 2. Management and Maintenance Some important points should be noted about activation: • RADIUS Accounting will not function where a connection is subject to a FwdFast rule in the IP rule set. • The same RADIUS server does not need to handle both authentication and accounting; one server can be responsible for authentication while another is responsible for accounting tasks.
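The accounting messages described in this section carry a user name, an Acct-Status-Type of START or STOP, a 7-character random identifier for matching the two, and a timestamp, and RADIUS protects each Accounting-Request with a Request Authenticator computed over the packet and the shared secret (RFC 2866). The block below is an added example, not NetDefendOS code: it builds such a request, verifies the authenticator the way an accounting server does, and parses the attributes back. The attribute numbers are the standard RADIUS ones; which attributes NetDefendOS actually uses for the identifier and timestamp is not stated on this page, so Acct-Session-Id and Event-Timestamp are assumptions.

```python
"""RADIUS Accounting-Request construction and Request Authenticator
verification per RFC 2866. Added example, not NetDefendOS code; the choice
of Acct-Session-Id and Event-Timestamp for the ID and timestamp is an assumption."""
import hashlib
import hmac
import secrets
import string
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID, EVENT_TIMESTAMP = 1, 40, 44, 55
ACCT_START, ACCT_STOP = 1, 2
ATTR_NAMES = {USER_NAME: "User-Name", ACCT_STATUS_TYPE: "Acct-Status-Type",
              ACCT_SESSION_ID: "Acct-Session-Id", EVENT_TIMESTAMP: "Event-Timestamp"}


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length (including this header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def new_session_id() -> str:
    """7-character random identifier, as the text describes, to pair START with STOP."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(7))


def build_accounting_request(identifier, secret, username, status, session, timestamp):
    attrs = (avp(USER_NAME, username.encode())
             + avp(ACCT_STATUS_TYPE, struct.pack(">I", status))
             + avp(ACCT_SESSION_ID, session.encode())
             + avp(EVENT_TIMESTAMP, struct.pack(">I", timestamp)))
    header = struct.pack(">BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866: MD5 over the packet with a zeroed authenticator field, then the secret
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the Request Authenticator and compare in constant time."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> dict:
    """Decode the attribute list after the 20-byte header into a name -> value dict."""
    out, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        value = packet[i + 2:i + length]
        name = ATTR_NAMES.get(attr_type, str(attr_type))
        if attr_type in (ACCT_STATUS_TYPE, EVENT_TIMESTAMP):
            out[name] = struct.unpack(">I", value)[0]
        else:
            out[name] = value.decode(errors="replace")
        i += length
    return out


def flip_byte(packet: bytes, offset: int) -> bytes:
    """Corrupt one byte, to show the authenticator catching in-flight modification."""
    return packet[:offset] + bytes([packet[offset] ^ 0x01]) + packet[offset + 1:]


if __name__ == "__main__":
    pkt = build_accounting_request(7, b"s3cret", "alice", ACCT_START, new_session_id(), 1361354400)
    print(verify_accounting_request(pkt, b"s3cret"), parse_attributes(pkt))
```

The authenticator is plain MD5 over the packet and the secret, not an HMAC, and the attributes travel in the clear, so the shared secret should be long and random and the path to the accounting server kept on a trusted network or inside a VPN. A wrong secret, or a single flipped byte in the User-Name, makes verify_accounting_request() return False.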
  • Page 70: Handling Unresponsive Radius Servers

    2.3.7. Handling Unresponsive RADIUS Servers. In an HA cluster, accounting information is synchronized between the active and passive NetDefend Firewalls. This means that accounting information is automatically updated on both cluster members whenever a connection is closed. Special Accounting Events: Two special accounting events are also used by the active unit to keep the passive unit synchronized:...
  • Page 71: Advanced Radius Settings

    2.3.10. Advanced RADIUS Settings Chapter 2. Management and Maintenance one authenticated user even though it may come from other users on the same network. NetDefendOS RADIUS Accounting will therefore gather statistics for all the users on the network together as though they were one user instead of individuals. 2.3.10.
  • Page 72: Monitoring

    IP addresses. The administrator can select one of a number of actions to occur should a pathway appear to be broken for some reason. Note: Link monitoring is not available on all NetDefend models The link monitoring feature is only available with the D-Link NetDefend DFL-1600, 1660, 2500, 2560 and 2560G. Link Monitor Actions...
  • Page 73 2.4.1. The Link Monitor Chapter 2. Management and Maintenance links to external devices are renegotiated. • In an HA cluster setup, the link from the master to the external Internet (or other part of a network) can be continually monitored so that should the link fail, the slave will take over (assuming that the slave has a different physical connection to the monitored address).
  • Page 74: Snmp Monitoring

    Maximum Loss: A single host is considered unreachable if this number of consecutive pings to that host go unanswered. Grace Period: Do not allow the link monitor to trigger an action for this number of seconds after the last reconfiguration.
  • Page 75: Enabling Snmp Monitoring

    2.4.2. SNMP Monitoring Chapter 2. Management and Maintenance Security for SNMP Versions 1 and 2c is handled by the Community String which is the same as a password for SNMP access. The Community String should be difficult to guess and should therefore be constructed in the same way as any other password, using combinations of upper and lower case letters along with digits.
  • Page 76 Click OK. The SNMP Before Rules setting (enabled by default) can be found in System > Remote Management > Advanced Settings. SNMP Advanced Settings: The following SNMP advanced settings can be found under the Remote Management section in the Web Interface.
  • Page 77: Hardware Monitoring

    2.4.3. Hardware Monitoring Feature Availability Certain D-Link hardware models allow the administrator to use the CLI to query the current value of various hardware operational parameters such as the current temperature inside the firewall. This feature is referred to as Hardware Monitoring.
  • Page 78 2.4.3. Hardware Monitoring Chapter 2. Management and Maintenance CPU Temp 41.500 (C) The SYS temperature is for the overall temperature inside the hardware unit. The CPU temperature relates specifically to the unit's central processor which can be lower than the overall temperature due to the method of cooling.
  • Page 79: Memory Monitoring Settings

    2.4.4. Memory Monitoring Settings Chapter 2. Management and Maintenance displayed next to the sensor in the output from the hwm command. Controlling the Event Sending Frequency The maximum frequency of log event generation when hardware monitoring values fall outside their preset range can be limited using the AlarmRepeatInterval setting in the LogSettings object.
  • Page 80 2.4.4. Memory Monitoring Settings Chapter 2. Management and Maintenance Generate a Critical log message if free memory is below this number of bytes. Disable by setting to 0. Maximum value is 10,000. Default: 0 Warning Level Generate a Warning log message if free memory is below this number of bytes. Disable by setting to 0.
  • Page 81: The Pcapdump Command

    2.5. The pcapdump Command. A valuable diagnostic tool is the ability to examine the packets that enter and leave the interfaces of a NetDefend Firewall. For this purpose, NetDefendOS provides the CLI command pcapdump, which not only allows the examination of packet streams entering and leaving interfaces but also allows the filtering of these streams according to specified criteria.
  • Page 82 2.5. The pcapdump Command Chapter 2. Management and Maintenance It is possible to have multiple pcapdump executions being performed at the same time. The following points describe this feature: All capture from all executions goes to the same memory buffer. The command can be launched multiple times with different interfaces specified.
  • Page 83 2.5. The pcapdump Command Chapter 2. Management and Maintenance Output File Naming Restrictions The name of the file used for pcapdump output must comply with the following rules: • Excluding the filename extension, the name may not exceed 8 characters in length. •...
  • Page 84: Maintenance

    The Intrusion Prevention and Detection system and Anti-Virus modules require access to updated signature databases in order to provide protection against the latest threats. To facilitate the Auto-Update feature D-Link maintains a global infrastructure of servers providing update services for NetDefend Firewalls. To ensure availability and low response times, NetDefendOS employs a mechanism for automatically selecting the most appropriate server to supply updates.
  • Page 85 Version Compatibility: Since a full system backup includes a NetDefendOS version, compatibility is not an issue with these types of backup. With configuration-only backups, the following should be noted: • A configuration backup created on a higher NetDefendOS version should never be uploaded to a lower NetDefendOS version.
  • Page 86: Restore To Factory Defaults

    A restore to factory defaults can be applied so that it is possible to return to the original hardware state that existed when the NetDefend Firewall was shipped by D-Link. When a restore is applied all data such as the IDP and Anti-Virus databases are lost and must be reloaded.
  • Page 87 The IPv4 address 192.168.1.1 will be assigned to the default management interface LAN1 on the DFL-1600 and DFL-2500 models. The management interface IP address for the DFL-1660, DFL-2560 and DFL-2560G models will default to 192.168.10.1.
  • Page 89: Fundamentals

    Chapter 3. Fundamentals This chapter describes the fundamental logical objects which make up a NetDefendOS configuration. These objects include such items as IP addresses and IP rules. Some exist by default and some must be defined by the administrator. In addition, the chapter explains the different interface types and explains how security policies are constructed by the administrator.
  • Page 90: Adding An Ip Host Address

    3.1.2. IP Addresses. Host: A single host is represented simply by its IP address, for example 192.168.0.14. IP Network: An IP network is represented using Classless Inter-Domain Routing (CIDR) form. CIDR uses a forward slash and a number (0-32) as a postfix to denote the size of the network.
  • Page 91: Ethernet Addresses

    3.1.3. Ethernet Addresses Chapter 3. Fundamentals Example 3.3. Adding an IP Range This example adds a range of IPv4 addresses from 192.168.10.16 to 192.168.10.21 and names the range wwwservers: Command-Line Interface gw-world:/> add Address IP4Address wwwservers Address=192.168.10.16-192.168.10.21 Web Interface Go to: Objects > Address Book > Add > IP4 Address Specify a suitable name for the IP Range, for example wwwservers.
  • Page 92: Address Groups

    3.1.4. Address Groups Chapter 3. Fundamentals Example 3.5. Adding an Ethernet Address The following example adds an Ethernet Address object named wwwsrv1_mac with the numerical MAC address 08-a3-67-bc-2e-f2. Command-Line Interface gw-world:/> add Address EthernetAddress wwwsrv1_mac Address=08-a3-67-bc-2e-f2 Web Interface Go to: Objects > Address Book > Add > Ethernet Address Specify a suitable name for the Ethernet Address object, for example wwwsrv1_mac Enter 08-a3-67-bc-2e-f2 as the MAC Address Click OK...
  • Page 93: Auto-Generated Address Objects

    3.1.5. Auto-Generated Address Objects Chapter 3. Fundamentals The result of combining these two will be a single address range containing 192.168.0.10 - 192.168.0.19. 3.1.5. Auto-Generated Address Objects To simplify the configuration, a number of address objects in the address book are automatically created by NetDefendOS when the system starts for the first time and these objects are used in various parts of the initial configuration.
  • Page 94: Ipv6 Support

    3.2. IPv6 Support Chapter 3. Fundamentals 3.2. IPv6 Support All the IP addresses discussed so far are of the IPv4 type. The IP address standard IPv6 is designed as a successor to IPv4 with the principal advantage of providing a much larger 128 bit address space.
  • Page 95: Enabling Ipv6 Globally

    3.2. IPv6 Support Chapter 3. Fundamentals Click OK Note: The prefix 2001:DB8::/32 is reserved for documentation As described in RFC3849, the IPv6 prefix 2001:DB8::/32 is specifically reserved for documentation purposes. All IPv6 examples in this manual therefore use this network or addresses from it.
  • Page 96: Enabling Ipv6 Advertisements

    3.2. IPv6 Support Chapter 3. Fundamentals This example enables IPv6 on the wan Ethernet interface using the address objects created previously. Command-Line Interface gw-world:/> set Interface Ethernet wan EnableIPv6=Yes IPv6IP=wan_ip6 IPv6Network=wan_net6 Web Interface Go to: Interfaces > Ethernet > wan Enable the option: Enable IPv6 Now enter: •...
  • Page 97: Adding An Ipv6 Route And Enabling Proxy Nd

    3.2. IPv6 Support Chapter 3. Fundamentals IPv6 address objects are created and managed in a similar way to IPv4 objects. They are called an IP6 Address and can be used in NetDefendOS rules and other objects in the same way as an IPv4 address.
  • Page 98 3.2. IPv6 Support Chapter 3. Fundamentals Command-Line Interface First, change the CLI context to be the main routing table: gw-world:/> cc RoutingTable main Add the IPv6 route: gw-world:/main> add Route6 Network=my_ipv6_net Interface=If1 ProxyNDInterfaces=If3 Lastly, return to the default CLI context: gw-world:/main>...
  • Page 99 3.2. IPv6 Support Chapter 3. Fundamentals iv. Multiplex SAT • Routes using IPv4 and IPv6 addresses can coexist in the same routing table set but a single route cannot combine IPv4 and IPv6. • Routing rules using IPv4 and IPv6 addresses coexist but a single rule cannot combine IPv4 and IPv6.
  • Page 100: Services

    3.3. Services Chapter 3. Fundamentals 3.3. Services 3.3.1. Overview A Service object is a reference to a specific IP protocol with associated parameters. A service definition is usually based on one of the major transport protocols such as TCP or UDP which is associated with a specific source and/or destination port number(s).
  • Page 101: Creating Custom Services

    3.3.2. Creating Custom Services Chapter 3. Fundamentals Name Comments ------------ -------------------------------------------------- all_icmp All ICMP services " " Web Interface Go to: Objects > Services Example 3.12. Viewing a Specific Service To view a specific service in the system: Command-Line Interface gw-world:/>...
  • Page 102 3.3.2. Creating Custom Services Chapter 3. Fundamentals Let us now take a closer look at TCP/UDP services. TCP and UDP Based Services Most applications use TCP and/or UDP as transport protocol for transferring data over IP networks. Transmission Control Protocol (TCP) is a connection-oriented protocol that includes mechanisms for reliable point to point transmission of data.
  • Page 103 3.3.2. Creating Custom Services Chapter 3. Fundamentals Tip: Specifying source ports It is usual with many services that the source ports are left as their default value which is the range 0-65535 (corresponding to all possible source ports). With certain applications, it can be useful to also specify the source port if this is always within a limited range of values.
  • Page 104: Icmp Services

    3.3.3. ICMP Services Chapter 3. Fundamentals to refer to all protocols. However, using this is not recommended and specifying a narrower service provides better security. If, for example, the requirement is only to filter using the principal protocols of TCP, UDP and ICMP then the service group all_tcpudpicmp can be used instead.
  • Page 105 3.3.3. ICMP Services Chapter 3. Fundamentals ICMP Types and Codes ICMP messages are delivered in IP packets, and include a Message Type that specifies the format of the ICMP message and a Code that is used to further qualify the message. For example, the message type Destination Unreachable uses the Code parameter to specify the exact reason for the error.
  • Page 106: Custom Ip Protocol Services

    3.3.4. Custom IP Protocol Services Chapter 3. Fundamentals has filled up. Time Exceeded The packet has been discarded as it has taken too long to be delivered. 3.3.4. Custom IP Protocol Services Services that run over IP and perform application/transport layer functions can be uniquely identified by IP protocol numbers.
  • Page 107: Custom Service Timeouts

    3.3.6. Custom Service Timeouts Chapter 3. Fundamentals service to allow all email related traffic to flow. Groups Can Contain Other Groups When a group is defined then it can contain individual services and/or service groups. This ability to have groups within groups should be used with caution since it can increase the complexity of a configuration and decrease the ability to troubleshoot problems.
  • Page 108: Interfaces

    3.4. Interfaces Chapter 3. Fundamentals 3.4. Interfaces 3.4.1. Overview An Interface is an important logical building block in NetDefendOS. All network traffic that transits through, originates from or is terminated in the NetDefend Firewall, does so through one or more interfaces.
  • Page 109 3.4.1. Overview Chapter 3. Fundamentals Tunnel interfaces are used when network traffic is being tunneled between the system and another tunnel end-point in the network, before it gets routed to its final destination. VPN tunnels are often used to implement virtual private networks (VPNs) which can secure communication between two firewalls.
  • Page 110: Ethernet Interfaces

    3.4.2. Ethernet Interfaces Chapter 3. Fundamentals Disabling an Interface Should it be desirable to disable an interface so that no traffic can flow through it, this can be done with the CLI using the command: gw-world:/> set Interface Ethernet <interface-name> -disable Where <interface-name>...
  • Page 111 3.4.2. Ethernet Interfaces Chapter 3. Fundamentals Ethernet Interface Parameters The following are the various parameters that can be set for an Ethernet interface: • Interface Name The names of the Ethernet interfaces are predefined by the system, and are mapped to the names of the physical interfaces.
  • Page 112 3.4.2. Ethernet Interfaces Chapter 3. Fundamentals • Enable DHCP Client NetDefendOS includes a DHCP client feature for dynamic assignment of address information by a connected DHCP server. This feature is often used for receiving external IP address information from an ISP's DHCP server for public Internet connection. The information that can be set using DHCP includes the IP address of the interface, the local network that the interface is attached to, and the default gateway.
  • Page 113 3.4.2. Ethernet Interfaces Chapter 3. Fundamentals The MAC address can be set if it needs to be different from the MAC address built into the hardware. Some ISP connections might require this. • Virtual Routing To implement virtual routing where the routes related to different interfaces are kept in separate routing tables, there are a number of options: Make the interface a member of all routing tables.
  • Page 114 3.4.2. Ethernet Interfaces Chapter 3. Fundamentals This same operation could also be done through the Web Interface. A summary of CLI commands that can be used with Ethernet interfaces can be found in Section 3.4.2.1, “Useful CLI Commands for Ethernet Interfaces”. The Difference Between Logical and Physical Ethernet Interfaces The difference between logical and physical interfaces can sometimes be confusing.
  • Page 115: Enabling Dhcp

    3.4.2. Ethernet Interfaces Chapter 3. Fundamentals UserAuthGroups: <empty> NoDefinedCredentials: Comments: Network on interface wan To show the current interface assigned to the gateway wan_gw: gw-world:/> show Address IP4Address InterfaceAddresses/wan_gw Property Value --------------------- --------------------------------- Name: wan_gw Address: 0.0.0.0 UserAuthGroups: <empty> NoDefinedCredentials: Comments: Default gateway for interface wan By using the tab key at the end of a line, tab completion can be used to complete the command:...
  • Page 116 Some interface settings provide direct management of the Ethernet settings themselves. These are particularly useful if D-Link hardware has been replaced and Ethernet card settings are to be changed, or if configuring the interfaces when running NetDefendOS on non-D-Link hardware.
  • Page 117: Vlan

    3.4.3. VLAN Chapter 3. Fundamentals physical interface to a logical interface in the configuration, the logical interface is mapped to the physical interface. However, this mapping must be done before the configuration is activated. For a complete list of all CLI options see the CLI Reference Guide. 3.4.3.
  • Page 118: Vlan Connections

    3.4.3. VLAN Chapter 3. Fundamentals Physical VLAN Connection with VLAN The illustration below shows the connections for a typical NetDefendOS VLAN scenario. Figure 3.1. VLAN Connections With NetDefendOS VLANs, the physical connections are as follows: • One or more VLANs are configured on a physical NetDefend Firewall interface and this is connected directly to a switch.
  • Page 119: Defining A Vlan

    3.4.3. VLAN Chapter 3. Fundamentals Note: 802.1ad is not supported NetDefendOS does not support the IEEE 802.1ad (provider bridges) standard which allows VLANs to be run inside other VLANs. License Limitations The number of VLAN interfaces that can be defined for a NetDefendOS installation is limited by the parameters of the license used.
  • Page 120: Pppoe

    3.4.4. PPPoE Chapter 3. Fundamentals Network=all-nets VLANID=10 Web Interface Go to: Interfaces > VLAN > Add > VLAN Now enter: • Name: Enter a name, for example VLAN10 • Interface: lan • VLAN ID: 10 • IP Address: vlan10_ip • Network: all-nets Click OK 3.4.4.
  • Page 121 3.4.4. PPPoE Chapter 3. Fundamentals PPPoE Client Configuration Since the PPPoE protocol allows PPP to operate over Ethernet, the firewall needs to use one of the normal physical Ethernet interfaces to run PPPoE over. Each PPPoE tunnel is interpreted as a logical interface by NetDefendOS, with the same routing and configuration capabilities as regular interfaces and with IP rules being applied to all traffic.
  • Page 122: Gre Tunnels

    3.4.5. GRE Tunnels Chapter 3. Fundamentals or NATed by the NetDefend Firewall. Note: PPPoE has a discovery protocol To provide a point-to-point connection over Ethernet, each PPP session must learn the Ethernet address of the remote peer, as well as establish a unique session identifier. PPPoE includes a discovery protocol that provides this.
  • Page 123 3.4.5. GRE Tunnels Chapter 3. Fundamentals GRE does not provide any security features but this means that its use has extremely low overhead. Using GRE GRE is typically used to provide a method of connecting two networks together across a third network such as the Internet.
  • Page 124 3.4.5. GRE Tunnels Chapter 3. Fundamentals between them. • Additional Encapsulation Checksum The GRE protocol allows for an additional checksum over and above the IPv4 checksum. This provides an extra check of data integrity. The Advanced settings for a GRE interface are: •...
  • Page 125 3.4.5. GRE Tunnels Chapter 3. Fundamentals Setup for NetDefend Firewall "A" Assuming that the network 192.168.10.0/24 is lannet on the lan interface, the steps for setting up NetDefendOS on A are: In the address book set up the following IP objects: •...
  • Page 126: Interface Groups

    3.4.6. Interface Groups Chapter 3. Fundamentals Define a route in the main routing table which routes all traffic to remote_net_A on the GRE_to_A GRE interface. This is not necessary if the option Add route for remote network is enabled in the Advanced tab, since this will add the route automatically. Create the following rules in the IP rule set that allow traffic to pass through the tunnel: Name Action...
  • Page 127 3.4.6. Interface Groups Chapter 3. Fundamentals gw-world:/> add Interface InterfaceGroup examplegroup Members=exampleif1,exampleif2 Web Interface Go to: Interfaces > Interface Groups > Add > InterfaceGroup Enter the following information to define the group: • Name: The name of the group to be used later •...
  • Page 128: Arp

    3.5. ARP Chapter 3. Fundamentals 3.5. ARP 3.5.1. Overview Address Resolution Protocol (ARP) allows the mapping of a network layer protocol (OSI layer 3) address to a data link layer hardware address (OSI layer 2). In data networks it is used to resolve an IPv4 address into its corresponding Ethernet address.
  • Page 129: Displaying The Arp Cache

    3.5.2. The ARP Cache Chapter 3. Fundamentals The third column in the table, Expires, is used to indicate how much longer the ARP entry will be valid for. For example, the first entry has an expiry value of 45 which means that this entry will be rendered invalid and removed from the ARP Cache in 45 seconds.
  • Page 130: Arp Publish

    3.5.3. ARP Publish Chapter 3. Fundamentals connected to the firewall, it may be necessary to adjust this value upwards. This can be done by modifying the ARP advanced setting ARP Cache Size. Hash tables are used to rapidly look up entries in the ARP Cache. For maximum efficiency, a hash table should be twice as large as the entries it is indexing, so if the largest directly connected LAN contains 500 IP addresses, the size of the ARP entry hash table should be at least 1000.
  • Page 131 3.5.3. ARP Publish Chapter 3. Fundamentals An ARP object has the following properties: Mode The type of ARP object. As explained above, this can be one of: • Static - Create a fixed mapping in the local ARP cache. • Publish - Publish an IP address on a particular MAC address (or this interface).
  • Page 132: An Arp Publish Ethernet Frame

    3.5.3. ARP Publish Chapter 3. Fundamentals These are shown in the illustration below of an Ethernet frame containing an ARP response: Figure 3.2. An ARP Publish Ethernet Frame The Publish option uses the real MAC address of the sending interface for the address (1) in the Ethernet frame.
  • Page 133: Using Arp Advanced Settings

    3.5.4. Using ARP Advanced Settings Chapter 3. Fundamentals Select the following: • Mode: Static • Interface: lan Enter the following: • IP Address: 192.168.10.15 • MAC: 4b-86-f6-c5-a2-14 Click OK 3.5.4. Using ARP Advanced Settings This section presents some of the advanced settings related to ARP. In most cases, these settings need not be changed, but in some deployments, modifications might be needed.
  • Page 134: Arp Advanced Settings Summary

    3.5.5. ARP Advanced Settings Summary Chapter 3. Fundamentals The advanced setting Static ARP Changes can modify this behavior. The default behavior is that NetDefendOS will allow changes to take place, but all such changes will be logged. A similar issue occurs when information in ARP replies or ARP requests could collide with static entries in the ARP cache.
  • Page 135 3.5.5. ARP Advanced Settings Summary Chapter 3. Fundamentals ARP Requests Determines if NetDefendOS will automatically add the data in ARP requests to its ARP table. The ARP specification states that this should be done, but as this procedure can facilitate hijacking of local connections, it is not normally allowed.
  • Page 136 3.5.5. ARP Advanced Settings Summary Chapter 3. Fundamentals balancing and redundancy devices, which make use of hardware layer multicast addresses. Default: DropLog ARP Broadcast Determines how NetDefendOS deals with ARP requests and ARP replies that state that they are broadcast addresses. Such claims are usually never correct. Default: DropLog ARP cache size How many ARP entries there can be in the cache in total.
  • Page 137: Ip Rules

    3.6. IP Rules Chapter 3. Fundamentals 3.6. IP Rules 3.6.1. Security Policies Before examining IP rule sets in detail, we will first look at the generic concept of security policies to which IP rule sets belong. Security Policy Characteristics NetDefendOS security policies are configured by the administrator to regulate the way in which traffic can flow through the NetDefend Firewall.
  • Page 138 3.6.1. Security Policies Chapter 3. Fundamentals • Policy-based Routing Rules These rules determine the routing table to be used by traffic and are described in Section 4.3, “Policy-based Routing”. The network filter for these rules can be IPv4 or IPv6 addresses (but not both in a single rule).
  • Page 139 3.6.1. Security Policies Chapter 3. Fundamentals features as IDP. • The Service can be specified as all_services which includes all possible protocols. Creating a Drop All Rule Traffic that does not match any rule in the IP rule set is, by default, dropped by NetDefendOS. In order to be able to log the dropped connections, it is recommended that an explicit IP rule with an action of Drop for all source/destination networks/interfaces is placed as the last IP rule in the IP rule set.
  • Page 140: Ip Rule Evaluation

    3.6.2. IP Rule Evaluation Chapter 3. Fundamentals Figure 3.3. Simplified NetDefendOS Traffic Flow This description of traffic flow is an extremely simplified version of the full flow description found in Section 1.3, “NetDefendOS State Engine Packet Flow”. For example, before the route lookup is done, NetDefendOS first checks that traffic from the source network should, in fact, be arriving on the interface where it was received.
  • Page 141: Ip Rule Actions

    3.6.3. IP Rule Actions Chapter 3. Fundamentals This approach is known as stateful inspection and is applied not only to stateful protocols such as TCP but also by means of "pseudo-connections" to stateless protocols such as UDP and ICMP. This approach means that evaluation against the IP rule set is only done in the initial opening phase of a connection.
  • Page 142: Editing Ip Rule Set Entries

    3.6.4. Editing IP rule set Entries Chapter 3. Fundamentals version of Reject in that no reply is sent back to the sender. It is often preferable since it gives a potential attacker no clues about what happened to their packets. Reject This acts like Drop but will return a TCP RST or ICMP Unreachable message, informing the sending computer that the packet was dropped.
  • Page 143: Ip Rule Set Folders

    3.6.5. IP Rule Set Folders Chapter 3. Fundamentals 3.6.5. IP Rule Set Folders In order to help organise large numbers of entries in IP rule sets, it is possible to create IP rule set folders. These folders are just like a folder in a computer's file system. They are created with a given name and can then be used to contain all the IP rules that are related together as a group.
  • Page 144: Configuration Object Groups

    3.6.6. Configuration Object Groups Chapter 3. Fundamentals 3.6.6. Configuration Object Groups The concept of folders can be used to organise groups of NetDefendOS objects into related collections. These work much like the folders concept found in a computer's file system. Folders are described in relation to the address book in Section 3.1.6, “Address Book Folders”...
  • Page 145 3.6.6. Configuration Object Groups Chapter 3. Fundamentals • A group is now created with a title line and the IP rule as its only member. The default title of "(new Group)" is used. The entire group is also assigned a default color and the group member is also indented. The object inside the group retains the same index number to indicate its position in the whole table.
  • Page 146 3.6.6. Configuration Object Groups Chapter 3. Fundamentals Adding Additional Objects A new group will always contain just one object. Now, we must add more objects to the group. By right clicking the object that immediately follows the group, we can select the Join Preceding option to add it to the preceding group.
  • Page 147 3.6.6. Configuration Object Groups Chapter 3. Fundamentals If an object in a group is right clicked then the context menu contains the option Leave Group. Selecting this removes the object from the group AND moves it down to a position immediately following the group.
  • Page 148: Schedules

    3.7. Schedules Chapter 3. Fundamentals 3.7. Schedules In some scenarios, it might be useful to control not only what functionality is enabled, but also when that functionality is being used. For instance, the IT policy of an enterprise might stipulate that web traffic from a certain department is only allowed access outside that department during normal office hours.
  • Page 149: Setting Up A Time-Scheduled Security Policy

    3.7. Schedules Chapter 3. Fundamentals Example 3.22. Setting up a Time-Scheduled Security Policy This example creates a schedule object for office hours on weekdays, and attaches the object to an IP Rule that allows HTTP traffic. Command-Line Interface gw-world:/> add ScheduleProfile OfficeHours Mon=8-17 Tue=8-17 Wed=8-17 Thu=8-17 Fri=8-17 Now create the IP rule that uses this schedule.
  • Page 150: Certificates

    3.8. Certificates Chapter 3. Fundamentals 3.8. Certificates 3.8.1. Overview The X.509 Standard NetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. This involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication. References in this document to certificates mean X.509 certificates.
  • Page 151 3.8.1. Overview Chapter 3. Fundamentals A CA can also issue certificates to other CAs. This leads to a chain-like certificate hierarchy. The highest certificate is called the Root Certificate and it is signed by the Root CA. Each certificate in the chain is signed by the CA of the certificate directly above it in the chain.
  • Page 152: Certificates In Netdefendos

    3.8.2. Certificates in NetDefendOS Chapter 3. Fundamentals CA is configured. Typically, this is somewhere between an hour and several days. Trusting Certificates When using certificates, NetDefendOS trusts anyone whose certificate is signed by a given CA. Before a certificate is accepted, the following steps are taken to verify the validity of the certificate: •...
  • Page 153: Uploading A Certificate With Web Interface

    3.8.3. CA Certificate Requests Chapter 3. Fundamentals • Upload through the Web Interface. The following command lines show how a typical SCP utility might upload a certificate consisting of the two files called cert-1.cer and cert-1.key to a firewall which has the management IP address 192.168.3.1: >...
  • Page 154: Ca Certificate Requests

    3.8.3. CA Certificate Requests Chapter 3. Fundamentals 3.8.3. CA Certificate Requests To request certificates from a CA server or CA company, the best method is to send a CA Certificate Request which is a file that contains a request for a certificate in a well known, predefined format.
  • Page 155 3.8.3. CA Certificate Requests Chapter 3. Fundamentals Back in the .pem file, locate the line that begins: -----BEGIN CERTIFICATE----- and copy into the system clipboard that line and everything under it, up to and including: -----END CERTIFICATE----- Now paste this copied text into the .cer file and save it. The saved .key and .cer files are now ready for upload into NetDefendOS.
  • Page 156: Date And Time

    3.9. Date and Time Chapter 3. Fundamentals 3.9. Date and Time 3.9.1. Overview Correctly setting the date and time is important for NetDefendOS to operate properly. Time scheduled policies, auto-update of the IDP and Anti-Virus databases, and other product features such as digital certificates require that the system clock is accurately set.
  • Page 157: Time Servers

    3.9.3. Time Servers Chapter 3. Fundamentals The world is divided up into a number of time zones with Greenwich Mean Time (GMT) in London at zero longitude being taken as the base time zone. All other time zones going east and west from zero longitude are taken as being GMT plus or minus a given integer number of hours.
  • Page 158: Enabling Time Synchronization Using Sntp

    3.9.3. Time Servers Chapter 3. Fundamentals The hardware clock which NetDefendOS uses can sometimes become fast or slow after a period of operation. This is normal behavior in most network and computer equipment and is solved by utilizing Time Servers. NetDefendOS is able to adjust the clock automatically based on information received from one or more Time Servers which provide a highly accurate time, usually using atomic clocks.
  • Page 159: Manually Triggering A Time Synchronization

    3.9.3. Time Servers Chapter 3. Fundamentals Now enter: • Time Server Type: SNTP • Primary Time Server: dns:ntp1.sp.se • Secondary Time Server: dns:ntp2.sp.se Click OK The time server URLs must have the prefix dns: to specify that they should be resolved with a DNS server. NetDefendOS must therefore also have a DNS server defined so this resolution can be performed.
  • Page 160: Settings Summary For Date And Time

    86,400 seconds (1 day), meaning that the time synchronization process is executed once in a 24 hour period. D-Link Time Servers Using D-Link's own Time Servers is an option in NetDefendOS and this is the recommended way of synchronizing the firewall clock. These servers communicate with NetDefendOS using the SNTP protocol.
  • Page 161 3.9.4. Settings Summary for Date and Time Chapter 3. Fundamentals Time zone offset in minutes. Default: 0 DST Offset Daylight saving time offset in minutes. Default: 0 DST Start Date What month and day DST starts, in the format MM-DD. Default: none DST End Date What month and day DST ends, in the format MM-DD.
  • Page 162 3.9.4. Settings Summary for Date and Time Chapter 3. Fundamentals Maximum time drift in seconds that a server is allowed to adjust. Default: 600 Group interval Interval according to which server responses will be grouped. Default: 10...
  • Page 163: Dns

    3.10. DNS Chapter 3. Fundamentals 3.10. DNS Overview A DNS server can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. FQDNs are unambiguous textual domain names which specify a node's unique position in the Internet's DNS tree hierarchy. FQDN resolution allows the actual physical IP address to change while the FQDN can stay the same.
  • Page 164 3.10. DNS Chapter 3. Fundamentals DNS Lookup and IP Rules In the case of DNS server request being generated by NetDefendOS itself, no IP rules need to be defined for the connection to succeed. This is because connections initiated by NetDefendOS are considered to be trusted.
  • Page 165 3.10. DNS Chapter 3. Fundamentals Note: A high rate of server queries can cause problems Dynamic DNS services are often sensitive to repeated logon attempts over short periods of time and may blacklist source IP addresses that are sending excessive requests.
  • Page 167: Routing

    Chapter 4. Routing This chapter describes how to configure IP routing in NetDefendOS. • Overview, page 167 • Static Routing, page 168 • Policy-based Routing, page 186 • Route Load Balancing, page 193 • OSPF, page 199 • Multicast Routing, page 227 •...
  • Page 168: Static Routing

    4.2. Static Routing Chapter 4. Routing 4.2. Static Routing The most basic form of routing is known as Static Routing. The term "static" is used because most entries in a routing table are part of the NetDefendOS system's static configuration. They usually remain unchanged during long periods of system operation.
  • Page 169: A Typical Routing Scenario

    4.2.1. The Principles of Routing Chapter 4. Routing • Local IP address This parameter usually does not need to be specified. If it is specified, NetDefendOS responds to ARP queries sent to this address. A special section below explains this parameter in more depth. Local IP Address and Gateway are mutually exclusive and either one or the other should be specified.
  • Page 170 4.2.1. The Principles of Routing Chapter 4. Routing Route # Interface Destination Gateway 10.4.0.0/16 195.66.77.0/24 all-nets 195.66.77.4 The above routing table provides the following information: • Route #1 All packets going to hosts on the 192.168.0.0/24 network should be sent out on the lan interface. As no gateway is specified for the route entry, the host is assumed to be located on the network segment directly reachable from the lan interface.
  • Page 171: Using Local Ip Address With An Unbound Network

    4.2.1. The Principles of Routing Chapter 4. Routing A second network might then be added to the same physical interface via a switch, but with a new network range that does not include the physical interface's IP address. This network is said to be not bound to the physical interface.
  • Page 172: Static Routing

    4.2.2. Static Routing Chapter 4. Routing This feature is normally used when an additional network is to be added to an interface but it is not desirable to change the existing IP addresses of the network. From a security standpoint, doing this can present significant risks since different networks will typically be joined together through a switch which imposes no controls on traffic passing between those networks.
  • Page 173 4.2.2. Static Routing Chapter 4. Routing this way is easier to understand, making errors less likely. Many other products do not use the specific interface in the routing table, but specify the IP address of the interface instead. The routing table below is from a Microsoft Windows XP workstation: ==================================================================== Interface List 0x1 ......
  • Page 174: Displaying The Main Routing Table

    4.2.2. Static Routing Chapter 4. Routing For example, it is perfectly legal to define one route for the destination IP address range 192.168.0.5 to 192.168.0.17 and another route for IP addresses 192.168.0.18 to 192.168.0.254. This feature makes NetDefendOS well suited to routing in highly complex network topologies. Displaying Routing Tables It is important to note that routing tables that are initially configured by the administrator can have routes added, deleted and changed automatically during live operation and these changes will appear...
  • Page 175: Adding A Route To The Main Table

    4.2.2. Static Routing Chapter 4. Routing routing table with the cc command (meaning change category or change context) before manipulating individual routes. This is necessary for any category that could contain more than one named group of objects. Default Static Routes are Added Automatically for Each Interface When the NetDefend Firewall is started for the first time, NetDefendOS will automatically add a route in the main routing table for each physical interface.
  • Page 176: Displaying The Core Routes

    4.2.2. Static Routing Chapter 4. Routing Web Interface Go to: Routing > Routing Tables > main > Add > Route Now enter: • Interface: wan • Network: all-nets • Gateway: isp_gw_ip Click OK Routes can Contain IPv4 or IPv6 Addresses A single route can contain either an IPv4 or IPv6 address but not both.
  • Page 177: Route Failover

    4.2.3. Route Failover Chapter 4. Routing
    127.0.3.1         core   (Iface IP)
    127.0.4.1         core   (Iface IP)
    192.168.0.0/24
    213.124.165.0/24
    224.0.0.0/4       core   (Iface IP)
    0.0.0.0/0                213.124.165.1
    Web Interface: Select the Routes item in the Status dropdown menu in the menu bar. Check the Show all routes checkbox and click the Apply button. The main window will list the active routing table, including the core routes. Tip: Understanding output from the routes command For detailed information about the output of the CLI routes command.
  • Page 178 4.2.3. Route Failover Chapter 4. Routing Setting Up Route Failover To set up route failover, Route Monitoring must be enabled and this is an option that is enabled on a route by route basis. To enable route failover in a scenario with a preferred and a backup route, the preferred route will have route monitoring enabled; the backup route does not require this since it will usually have no further route to fail over to.
  • Page 179 4.2.3. Route Failover Chapter 4. Routing connections, a route lookup will be performed to find the next best matching route and the connections will then switch to using the new route. For new connections, route lookup will ignore disabled routes and the next best matching route will be used instead. The table below defines two default routes, both having all-nets as the destination, but using two different gateways.
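The lookup behaviour described on pages 174 to 179 (ranges as well as prefixes for a route's destination, the most specific match winning, and a monitored route that has gone down being skipped so that the next best match is used) is shown below as an added example in Python. It is not NetDefendOS code; the tie-breaking order (narrowest destination first, then lowest metric) and the interface and gateway names are assumptions made for the example.

```python
# Route lookup with monitored routes (added example, not NetDefendOS code).
# Assumptions not stated on the page: the narrowest matching destination wins,
# ties are broken by the lowest metric, and a monitored route that is marked
# down is invisible to new lookups, so the next best match is used instead.
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _bounds(network: str):
    """Accept a CIDR ('0.0.0.0/0') or a range ('192.168.0.5-192.168.0.17')
    and return its first and last address as integers."""
    if "-" in network:
        lo, hi = (int(ipaddress.ip_address(p.strip())) for p in network.split("-"))
    else:
        net = ipaddress.ip_network(network, strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
    if lo > hi:
        raise ValueError(f"inverted range: {network}")
    return lo, hi


@dataclass
class Route:
    network: str
    interface: str
    gateway: Optional[str] = None
    metric: int = 0
    monitored: bool = False   # route monitoring enabled (the preferred route)
    up: bool = True           # monitoring verdict; only meaningful if monitored

    def matches(self, dst: str) -> bool:
        lo, hi = _bounds(self.network)
        return lo <= int(ipaddress.ip_address(dst)) <= hi

    def width(self) -> int:
        lo, hi = _bounds(self.network)
        return hi - lo


class RoutingTable:
    def __init__(self, routes):
        self.routes = list(routes)

    def lookup(self, dst: str) -> Optional[Route]:
        """Disabled (monitored and down) routes are ignored, as for new connections."""
        usable = [r for r in self.routes
                  if r.matches(dst) and not (r.monitored and not r.up)]
        if not usable:
            return None
        return min(usable, key=lambda r: (r.width(), r.metric))

    def set_state(self, interface: str, up: bool) -> None:
        """Apply a route monitoring verdict to every monitored route on an interface."""
        for r in self.routes:
            if r.interface == interface and r.monitored:
                r.up = up


def demo():
    """Constructed table: a preferred (monitored) and a backup default route,
    plus two non-overlapping range routes inside 192.168.0.0/24."""
    table = RoutingTable([
        Route("0.0.0.0/0", "wan", "isp_gw_ip", metric=10, monitored=True),
        Route("0.0.0.0/0", "dsl", "dsl_gw_ip", metric=20),
        Route("192.168.0.0/24", "lan"),
        Route("192.168.0.5-192.168.0.17", "if_a"),
        Route("192.168.0.18-192.168.0.254", "if_b"),
    ])
    before = table.lookup("8.8.8.8").interface         # preferred route
    table.set_state("wan", up=False)                   # monitoring says wan is down
    after = table.lookup("8.8.8.8").interface          # next best match
    in_range = table.lookup("192.168.0.10").interface  # range beats the /24
    off_range = table.lookup("192.168.0.2").interface  # only the /24 matches
    return before, after, in_range, off_range
```

The same lookup is what has to be repeated for existing connections when a route is disabled: the page notes that those connections are re-looked-up and moved to the new best route, rather than being left on the dead one.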
  • Page 180: Host Monitoring For Route Failover

    4.2.4. Host Monitoring for Route Failover Chapter 4. Routing then use the dsl interface. When a new HTTP connection is then established from the intnet network, a route lookup will be made resulting in a destination interface of dsl. The IP rules will then be evaluated, but the original NAT rule assumes the destination interface to be wan, so the new connection will be dropped by the rule set. Any rule that must survive a failover therefore has to match the backup interface as well, for example through a second NAT rule for dsl or by using an interface group containing both interfaces.
  • Page 181 4.2.4. Host Monitoring for Route Chapter 4. Routing Failover For each host specified for host monitoring there are a number of property parameters that should be set: • Method The method by which the host is to be polled. This can be one of: •...
  • Page 182: Advanced Settings For Route Failover

    4.2.5. Advanced Settings for Route Failover Chapter 4. Routing
    • Request URL: The URL which is to be requested.
    • Expected Response: The text that is expected back from querying the URL. Testing for a specific response text provides the possibility of testing if an application is offline. If, for example, a web page response from a server can indicate if a specific database is operational with text such as "Database OK", then the absence of that response can indicate that the server is operational but the application is offline.
  • Page 183: Proxy Arp

    4.2.6. Proxy ARP Chapter 4. Routing Default: 5
    Consecutive success: The number of consecutive successes that must occur before a route is marked as being available. Default: 5
    Gratuitous ARP on fail: Send a gratuitous ARP on HA failover to alert hosts of the changes in interface Ethernet and IP addresses.
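The host monitoring logic of pages 180 to 183, with the Expected Response check and the consecutive-failure and consecutive-success thresholds (both defaulting to 5), is modelled below as an added example in Python. It is not NetDefendOS code: polling itself is left out and the poll results are fed in directly, and the "Database OK" page text is a constructed sample.

```python
# Host monitoring state machine (added example, not NetDefendOS code).
# Thresholds follow the page's defaults: 5 consecutive failures mark the
# route unavailable, 5 consecutive successes mark it available again.
# Polling is stubbed: a real monitor would issue ICMP, TCP or HTTP requests
# and feed the outcome into poll().
from typing import List, Optional


class HostMonitor:
    def __init__(self, fail_threshold: int = 5, success_threshold: int = 5,
                 expected_response: Optional[str] = None):
        self.fail_threshold = fail_threshold
        self.success_threshold = success_threshold
        self.expected = expected_response
        self.available = True
        self._fails = 0
        self._successes = 0

    def evaluate(self, body: Optional[str]) -> bool:
        """Judge one poll. None means no reply at all. With an expected
        response configured, a reply that lacks the text also counts as a
        failure, which is how an offline application behind a live web
        server is detected."""
        if body is None:
            return False
        return self.expected is None or self.expected in body

    def record(self, ok: bool) -> bool:
        """Update the counters and return the route's availability afterwards.
        A single opposite result resets the other counter, so only truly
        consecutive outcomes change state."""
        if ok:
            self._successes += 1
            self._fails = 0
            if not self.available and self._successes >= self.success_threshold:
                self.available = True
        else:
            self._fails += 1
            self._successes = 0
            if self.available and self._fails >= self.fail_threshold:
                self.available = False
        return self.available

    def poll(self, body: Optional[str]) -> bool:
        return self.record(self.evaluate(body))


def demo() -> List[bool]:
    """Constructed poll results: the application is healthy, then the web
    server still answers but the database check text is gone, then it recovers."""
    mon = HostMonitor(expected_response="Database OK")
    replies = (["<html>Database OK</html>"] * 3
               + ["<html>Database ERROR</html>"] * 6
               + ["<html>Database OK</html>"] * 5)
    return [mon.poll(r) for r in replies]
```

The route stays up through the first four bad replies and goes down on the fifth, then needs five good replies in a row before it is used again, which is the hysteresis the two thresholds are there to provide.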
  • Page 184: A Proxy Arp Example

    4.2.6. Proxy ARP Chapter 4. Routing In the same way, net_2 could be published on the interface if1 so that there is a mirroring of routes and ARP proxy publishing.
    Route #   Network   Interface   Proxy ARP Published
    1         net_1     if1         if2
    2         net_2     if2         if1
    In this way there is complete separation of the sub-networks but the hosts are unaware of this. The routes are a pair which are a mirror image of each other but there is no requirement that proxy ARP is used in a pairing like this.
  • Page 185 4.2.6. Proxy ARP Chapter 4. Routing Proxy ARP cannot be enabled for automatically added routes. For example, the routes that NetDefendOS creates at initial startup for physical interfaces are automatically added routes. The reason why Proxy ARP cannot be enabled for these routes is because automatically created routes have a special status in the NetDefendOS configuration and are treated differently.
  • Page 186: Policy-Based Routing

    4.3. Policy-based Routing Chapter 4. Routing 4.3. Policy-based Routing Overview Policy-based Routing (PBR) is an extension to the standard routing described previously. It offers administrators significant flexibility in implementing routing decision policies by being able to use different routing tables according to specified criteria. Normal routing forwards packets according to destination IP address information derived from static routes or from a dynamic routing protocol.
  • Page 187: Creating A Routing Table

    4.3. Policy-based Routing Chapter 4. Routing NetDefendOS, as standard, has one default routing table called main. In addition to the main table, it is possible to define one or more additional routing tables for policy-based routing (these are sometimes referred to as alternate routing tables). Alternate routing tables contain the same information for describing routes as main, except that there is an extra property defined for each of them which is called ordering.
  • Page 188: Creating A Routing Rule

    4.3. Policy-based Routing Chapter 4. Routing Go to: Routing > Routing Tables > MyPBRTable > Add > Route Now enter: • Interface: lan • Network: my_network • Gateway: The gateway router, if there is one • Local IP Address: The IP address specified here will be automatically published on the corresponding interface.
  • Page 189 4.3. Policy-based Routing Chapter 4. Routing the core interface (which are routes to NetDefendOS itself). Click OK Routing Rules can use IPv4 or IPv6 Addresses Routing rules support either IPv4 or IPv6 addresses as the source and destination network for a rule's filtering properties.
  • Page 190 4.3. Policy-based Routing Chapter 4. Routing exists which can catch anything not explicitly matched. A search is now made for a routing rule that matches the packet's source/destination interface/network as well as service. If a matching rule is found then this determines the routing table to use.
  • Page 191: Policy-Based Routing With Multiple Isps

    4.3. Policy-based Routing Chapter 4. Routing Important: Ensure all-nets appears in the main table A common mistake when setting up policy-based routing is the absence of a default route with all-nets as the destination network in the default main routing table. If there is no route that is an exact match then the absence of a default all-nets route will mean that the connection will be dropped.
  • Page 192 4.3. Policy-based Routing Chapter 4. Routing Create a routing table called "r2" and make sure the ordering is set to "Default". Add the route found in the list of routes in the routing table "r2", as shown earlier. Add two VR policies according to the list of policies shown earlier. •...
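The policy-based routing lookup described on pages 186 to 192 (main is consulted to find the destination interface, a routing rule is matched on source and destination interface and network plus service, and the matched rule names the table to use, subject to that table's ordering) is shown as an added example in Python. It is not NetDefendOS code. The page only states that the ordering property exists, so the three orderings modelled here (First, Default, Only) are an assumption, as are the interface names and address ranges of the two-ISP setup.

```python
# Policy-based routing lookup (added example, not NetDefendOS code).
# The ordering semantics used here are an assumption; the page only says
# each alternate table has an "ordering" property. Modelled values:
#   First   - consult the alternate table first, fall back to main;
#   Default - consult main first; if the only match there is the default
#             route (all-nets), consult the alternate table instead;
#   Only    - consult the alternate table only.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Table = Dict[str, str]   # destination network -> outgoing interface


def best_match(table: Table, dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), i) for n, i in table.items()
            if addr in ipaddress.ip_network(n)]
    if not hits:
        return None
    net, iface = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), iface


@dataclass
class RoutingRule:
    src_iface: str
    src_net: str
    dst_iface: str
    dst_net: str
    service: str
    table: str

    def matches(self, src_iface, src, dst_iface, dst, service) -> bool:
        def iface_ok(want, have):
            return want == "any" or want == have

        def net_ok(want, have):
            return want == "all-nets" or ipaddress.ip_address(have) in ipaddress.ip_network(want)

        return (iface_ok(self.src_iface, src_iface) and net_ok(self.src_net, src)
                and iface_ok(self.dst_iface, dst_iface) and net_ok(self.dst_net, dst)
                and self.service in ("all_services", service))


class PolicyRouter:
    def __init__(self, tables: Dict[str, Table], ordering: Dict[str, str], rules):
        self.tables, self.ordering, self.rules = tables, ordering, list(rules)

    def route(self, src_iface, src, dst, service) -> Optional[str]:
        main_hit = best_match(self.tables["main"], dst)
        # the destination interface used for rule matching comes from main
        dst_iface = main_hit[1] if main_hit else None
        rule = next((r for r in self.rules
                     if r.matches(src_iface, src, dst_iface, dst, service)), None)
        if rule is None:
            return dst_iface
        alt_hit = best_match(self.tables[rule.table], dst)
        order = self.ordering[rule.table]
        if order == "Only":
            return alt_hit[1] if alt_hit else None
        if order == "First":
            return (alt_hit or main_hit or (None, None))[1]
        if order == "Default":
            if main_hit is None or main_hit[0] == "0.0.0.0/0":
                return (alt_hit or main_hit or (None, None))[1]
            return main_hit[1]
        raise ValueError(f"unknown ordering {order}")


def demo():
    """Constructed two-ISP setup: lan2 traffic is steered to ISP2 through
    table r2 (ordering Default) while internal destinations stay in main."""
    tables = {
        "main": {"0.0.0.0/0": "wan1", "10.10.10.0/24": "lan1", "10.10.11.0/24": "lan2"},
        "r2":   {"0.0.0.0/0": "wan2"},
    }
    rules = [RoutingRule("lan2", "10.10.11.0/24", "any", "all-nets", "all_services", "r2")]
    pbr = PolicyRouter(tables, {"r2": "Default"}, rules)
    return (pbr.route("lan2", "10.10.11.5", "8.8.8.8", "http"),     # wan2
            pbr.route("lan2", "10.10.11.5", "10.10.10.7", "http"),  # lan1
            pbr.route("lan1", "10.10.10.5", "8.8.8.8", "http"))     # wan1
```

With ordering Default, an internal destination that has an exact route in main is never diverted to the alternate table, which is what keeps lan-to-lan traffic off the second ISP link; remove the all-nets route from main and the first lookup falls straight through to r2, the situation the "Ensure all-nets appears in the main table" warning on page 191 is about.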
  • Page 193: Route Load Balancing

    4.4. Route Load Balancing Chapter 4. Routing 4.4. Route Load Balancing Overview NetDefendOS provides the option to perform Route Load Balancing (RLB). This is the ability to distribute traffic over multiple alternate routes using one of a number of distribution algorithms. The purpose of this feature is to provide the following: •...
  • Page 194: The Rlb Round Robin Algorithm

    4.4. Route Load Balancing Chapter 4. Routing done according to which algorithm is selected in the table's RLB Instance object: • Round Robin Successive routes are chosen from the matching routes in a "round robin" fashion provided that the metric of the routes is the same. This results in route lookups being spread evenly across matching routes with same metric.
  • Page 195: The Rlb Spillover Algorithm

    4.4. Route Load Balancing Chapter 4. Routing Figure 4.6. The RLB Spillover Algorithm Spillover Limits are set separately for incoming and outgoing traffic with only one of these typically being specified. If both are specified then only one of them needs to be exceeded continuously for Hold Timer seconds for the next matching route to be chosen.
  • Page 196 4.4. Route Load Balancing Chapter 4. Routing When that new route's interface limits are also exceeded then the route with the next highest metric is taken and so on. As soon as any route with a lower metric falls below its interface limit for its Hold Timer number of seconds, then it reverts to being the chosen route.
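The spillover selection of pages 195 and 196 (lowest-metric route first, spill to the next route once a limit has been exceeded continuously for Hold Timer seconds, revert as soon as a lower-metric route has been under its limits for Hold Timer seconds) is modelled below as an added example in Python. It is not NetDefendOS code; one tick stands for one second, the limits are in kbit/s, and the two route names and the load figures are constructed for the example.

```python
# Spillover route selection (added example, not NetDefendOS code).
# Routes are tried in metric order; the lowest-metric route is used until
# one of its interface limits is exceeded continuously for `hold` seconds,
# then the next route is taken; a lower-metric route that stays under its
# limits for `hold` seconds gets the traffic back. One tick = one second.
from typing import Dict, List, Optional, Tuple


class SpilloverRoute:
    def __init__(self, name: str, metric: int,
                 in_limit: Optional[int] = None, out_limit: Optional[int] = None):
        self.name, self.metric = name, metric
        self.in_limit, self.out_limit = in_limit, out_limit
        self.over_secs = 0    # consecutive seconds with a limit exceeded
        self.under_secs = 0   # consecutive seconds within both limits

    def observe(self, in_kbps: int, out_kbps: int) -> None:
        # either direction exceeding its limit counts as "over"
        over = ((self.in_limit is not None and in_kbps > self.in_limit) or
                (self.out_limit is not None and out_kbps > self.out_limit))
        if over:
            self.over_secs += 1
            self.under_secs = 0
        else:
            self.under_secs += 1
            self.over_secs = 0


class SpilloverRLB:
    def __init__(self, routes: List[SpilloverRoute], hold: int):
        self.routes = sorted(routes, key=lambda r: r.metric)
        self.hold = hold
        self.current = 0      # index into self.routes

    def tick(self, usage: Dict[str, Tuple[int, int]]) -> str:
        """Feed one second of per-interface load; return the chosen route."""
        for r in self.routes:
            r.observe(*usage.get(r.name, (0, 0)))
        # revert to the best lower-metric route that has recovered
        for i in range(self.current):
            if self.routes[i].under_secs >= self.hold:
                self.current = i
                break
        else:
            # spill over once the current route has been saturated long enough
            cur = self.routes[self.current]
            if cur.over_secs >= self.hold and self.current + 1 < len(self.routes):
                self.current += 1
        return self.routes[self.current].name


def demo() -> List[str]:
    """Constructed load: WAN1 (metric 10, 1000 kbps inbound limit) is
    saturated for four seconds, then drops back under its limit."""
    rlb = SpilloverRLB([SpilloverRoute("WAN1", 10, in_limit=1000),
                        SpilloverRoute("WAN2", 20, in_limit=1000)], hold=3)
    wan1_in = [1500, 1500, 1500, 1500, 500, 500, 500, 500]
    return [rlb.tick({"WAN1": (kbps, 0)}) for kbps in wan1_in]
```

The hold timer works in both directions: a single quiet second on the saturated link does not pull traffic back, and a single busy second does not push it away, which is what stops the selection from flapping between the two ISPs.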
  • Page 197: A Route Load Balancing Scenario

    4.4. Route Load Balancing Chapter 4. Routing Figure 4.7. A Route Load Balancing Scenario We first need to define two routes to these two ISPs in the main routing table as shown below: Route No. Interface Destination Gateway Metric WAN1 all-nets WAN2 all-nets...
  • Page 198 4.4. Route Load Balancing Chapter 4. Routing In this example, the details of the RLB scenario described above will be implemented. The assumption is made that the various IP address book objects needed have already been defined. The IP objects WAN1 and WAN2 represent the interfaces that connect to the two ISPs and the IP objects GW1 and GW2 represent the IP addresses of the gateway routers at the two ISPs.
  • Page 199: Ospf

    4.5. OSPF Chapter 4. Routing 4.5. OSPF The feature called Dynamic Routing is implemented in NetDefendOS using the Open Shortest Path First (OSPF) architecture. This section begins by looking generally at what dynamic routing is and how it can be implemented. It then goes on to look at how OSPF can provide dynamic routing followed by a description of how a simple OSPF network can be set up.
  • Page 200: A Simple Ospf Scenario

    NetDefendOS using OSPF. OSPF is not available on all D-Link NetDefend models The OSPF feature is only available on the D-Link NetDefend DFL-860E, 1660, 2560 and 2560G. OSPF is not available on the DFL-210, 260 and 260E.
  • Page 201: Ospf Providing Route Redundancy

    4.5.1. Dynamic Routing Chapter 4. Routing Instead of having to manually insert this routing information into the routing tables of A, OSPF allows B's routing table information to be automatically shared with A. In the same way, OSPF allows firewall B to automatically become aware that network X is attached to firewall A.
  • Page 202: Ospf Concepts

    Engineering Task Force (IETF). The NetDefendOS OSPF implementation is based upon RFC 2328, with compatibility to RFC 1583. OSPF is not available on all D-Link NetDefend models The OSPF feature is only available on the NetDefend DFL-860E, 1660, 2560 and 2560G.
  • Page 203 4.5.2. OSPF Concepts Chapter 4. Routing Authentication. All OSPF protocol exchanges can, if required, be authenticated. This means that only routers with the correct authentication can join an AS. Different authentication schemes can be used and with NetDefendOS the scheme can be either a passphrase or an MD5 digest. The passphrase scheme (RFC 2328 Simple Password authentication) is carried in cleartext in every OSPF packet, so anyone able to capture traffic on the link can read it; the MD5 scheme (RFC 2328 Cryptographic Authentication) carries a keyed digest and a sequence number instead and is the one to use on any link that is not fully trusted. It is possible to configure separate authentication methods for each AS.
  • Page 204 4.5.2. OSPF Concepts Chapter 4. Routing Router. The routers use OSPF Hello messages to elect the DR and BDR for the network based on the priorities advertised by all the routers. If there is already a DR on the network, the router will accept that one, regardless of its own router priority.
  • Page 205: Virtual Links Connecting Areas

    4.5.2. OSPF Concepts Chapter 4. Routing links can provide an area with a logical path to the backbone area. This virtual link is established between two Area Border Routers (ABRs) that are on one common area, with one of the ABRs connected to the backbone area. In the example below two routers are connected to the same area (Area 1) but just one of them, fw1, is connected physically to the backbone area.
  • Page 206: Virtual Links With Partitioned Backbone

    4.5.2. OSPF Concepts Chapter 4. Routing Figure 4.11. Virtual Links with Partitioned Backbone The virtual link is configured between fw1 and fw2 on Area 1 as it is used as the transit area. In the configuration, only the Router ID has to be configured; in the example above, fw2 needs a virtual link to fw1 with the Router ID 192.168.1.1 and vice versa.
  • Page 207: Ospf Components

    4.5.3. OSPF Components Chapter 4. Routing routing tables for the destination. The key aspect of an OSPF setup is that connected NetDefend Firewalls share the information in their routing tables so that traffic entering an interface on one of the firewalls can be automatically routed so that it exits the interface on another gateway which is attached to the correct destination network.
  • Page 208 4.5.3. OSPF Components Chapter 4. Routing Private Router ID This is used in an HA cluster and is the ID for this firewall and not the cluster. Note When running OSPF on a HA Cluster there is a need for a private master and private slave Router ID as well as the shared Router ID.
  • Page 209: Ospf Area

    4.5.3. OSPF Components Chapter 4. Routing Time Settings SPF Hold Time Specifies the minimum time, in seconds, between two SPF calculations. The default time is 10 seconds. A value of 0 means that there is no delay. Note however that SPF can potentially be a CPU demanding process, so in a big network it might not be a good idea to run it too often.
  • Page 210 4.5.3. OSPF Components Chapter 4. Routing The import filter is used to filter what can be imported in the OSPF AS from either external sources (like the main routing table or a policy based routing table) or inside the OSPF area. External Specifies the network addresses allowed to be imported into this OSPF area from external routing sources.
  • Page 211 4.5.3. OSPF Components Chapter 4. Routing Metric Specifies the metric for this OSPF interface. This represents the "cost" of sending packets over this interface. This cost is inversely proportional to the bandwidth of the interface. Bandwidth If the metric is not specified, the bandwidth is specified instead. If the bandwidth is known then this can be specified directly instead of the metric.
  • Page 212 4.5.3. OSPF Components Chapter 4. Routing OSPF routers connected to this interface ("Passive"). This is an alternative to using a Dynamic Routing Policy to import static routes into the OSPF routing process. If the option Ignore received OSPF MTU restrictions is enabled, OSPF MTU mismatches will be allowed.
  • Page 213: Dynamic Routing Rules

    4.5.4. Dynamic Routing Rules Chapter 4. Routing Use Default For AS Use the values configured in the AS properties page. Note: Linking partitioned backbones If the backbone area is partitioned, a virtual link is used to connect the different parts. In most, simple OSPF scenarios, OSPF VLink objects will not be needed.
  • Page 214: Dynamic Routing Rule Objects

    4.5.4. Dynamic Routing Rules Chapter 4. Routing OSPF Requires at Least an Import Rule By default, NetDefendOS will not import or export any routes. For OSPF to function, it is therefore mandatory to define at least one dynamic routing rule which will be an Import rule. This Import rule specifies the local OSPF Router Process object.
  • Page 215 4.5.4. Dynamic Routing Rules Chapter 4. Routing
    From Routing Table: Specifies from which routing table a route should be imported into the OSPF AS or copied into another routing table.
    Destination Interface: Specifies if the rule has to have a match to a certain destination interface.
  • Page 216: Setting Up Ospf

    4.5.5. Setting Up OSPF Chapter 4. Routing
    Destination: Specifies into which routing table the route changes to the OSPF AS should be imported.
    Offset Metric: Increases the metric by this value.
    Offset Metric Type 2: Increases the Type 2 router's metric by this value.
    Limit Metric To: Limits the metrics for these routes to a minimum and maximum value.
  • Page 217 4.5.5. Setting Up OSPF Chapter 4. Routing another NetDefend Firewall that acts as an OSPF router). For example, the interface may only be connected to a network of clients, in which case the option would be enabled. The option must be disabled if the physical interface is connected to another firewall which is set up as an OSPF Router.
  • Page 218 4.5.5. Setting Up OSPF Chapter 4. Routing As the new configurations are created in the above steps and then deployed, OSPF will automatically start and begin exchanging routing information. Since OSPF is a dynamic and distributed system, it does not matter in which order the configurations of the individual firewalls are deployed.
  • Page 219: An Ospf Example

    4.5.6. An OSPF Example Chapter 4. Routing Define a NetDefendOS OSPF Interface object which has the IPsec tunnel for the Interface parameter. Specify the Type parameter to be point-to-point and the Network parameter to be the network chosen in the previous step, 192.168.55.0/24. This OSPF Interface tells NetDefendOS that any OSPF related connections to addresses within the network 192.168.55.0/24 should be routed into the IPsec tunnel.
  • Page 220: An Ospf Example

    4.5.6. An OSPF Example Chapter 4. Routing Figure 4.14. An OSPF Example Here, two identical NetDefend Firewalls called A and B are joined together directly via their If3 interfaces. Each has a network of hosts attached to its If1 interface. On one side, If1_net is the IPv4 network 10.4.0.0/16 and on the other side it is the IPv4 network 192.168.0.0/24.
  • Page 221: Add An Ospf Area

    4.5.6. An OSPF Example Chapter 4. Routing Example 4.10. Add an OSPF Area Now add an OSPF Area object to the OSPF Router Process object as_0 on firewall A. This area will be the OSPF backbone area and will therefore have the ID 0.0.0.0. Assume the name for the area object will be area_0. Command-Line Interface First, change the CLI context to be the OSPFProcess object created above: gw-world:/>...
  • Page 222: Import Routes From An Ospf As Into The Main Routing Table

    4.5.6. An OSPF Example Chapter 4. Routing Web Interface Go to: Routing > OSPF > as_0 > area_0 > OSPF Interfaces Select Add > OSPF Interface Select the Interface. In this case, If1 Select the Advanced tab Select No OSPF routers connected to this interface Click OK Just selecting the Interface means that the Network defaults to the network bound to that interface.
  • Page 223: Exporting The Routes Into An Ospf As

    4.5.6. An OSPF Example Chapter 4. Routing gw-world:/1(ImportOSPFRoutes)> add DynamicRoutingRuleAddRoute Destination=main Web Interface Go to: Routing > Dynamic Routing Rules Click on the newly created ImportOSPFRoutes Go to: Routing Action > Add > DynamicRoutingRuleAddRoute Move the routing table main from Available to Selected Click OK The same procedure should be repeated for firewall B.
  • Page 224: Ospf Troubleshooting

    4.5.7. OSPF Troubleshooting Chapter 4. Routing Web Interface Go to: Routing > Dynamic Routing Rules Click on the newly created ExportAllNets Go to: OSPF Actions > Add > DynamicRoutingRuleExportOSPF For Export to process choose as_0 Click OK The same procedure should be repeated for firewall B.
  • Page 225: Enabling Ospf Debug Log Events

    4.5.7. OSPF Troubleshooting Chapter 4. Routing • High - Logs everything with maximum detail. Note: The high setting generates large amounts of data When using the High setting, the firewall will log a large amount of information, even when just connected to a small AS. Changing the advanced setting Log Send Per Sec Limit may be required.
  • Page 226 4.5.7. OSPF Troubleshooting Chapter 4. Routing To restart the same interface: gw-world:/> ospf -ifacedown ospf_if1 An entire functioning OSPFRouteProcess can also be halted. For example, assuming that there is only one OSPFRouteProcess object defined in the configuration, the CLI command to halt it is: gw-world:/>...
  • Page 227: Multicast Routing

    4.6. Multicast Routing Chapter 4. Routing 4.6. Multicast Routing 4.6.1. Overview The Multicast Problem Certain types of Internet interactions, such as conferencing and video broadcasts, require a single client or host to send the same packet to multiple receivers. This could be achieved through the sender duplicating the packet with different receiving IP addresses or by a broadcast of the packet across the Internet.
  • Page 228: Multicast Forwarding With Sat Multiplex Rules

    4.6.2. Multicast Forwarding with SAT Chapter 4. Routing Multiplex Rules see Section 3.4.2, “Ethernet Interfaces”. 4.6.2. Multicast Forwarding with SAT Multiplex Rules The SAT Multiplex rule is used to achieve duplication and forwarding of packets through more than one interface. This feature implements multicast forwarding in NetDefendOS, where a multicast packet is sent through several interfaces.
  • Page 229: Multicast Forwarding - No Address Translation

    4.6.2. Multicast Forwarding with SAT Chapter 4. Routing Multiplex Rules Figure 4.15. Multicast Forwarding - No Address Translation Note: SAT Multiplex rules must have a matching Allow rule Remember to add an Allow rule that matches the SAT Multiplex rule. The matching rule could also be a NAT rule for source address translation (see below) but cannot be a FwdFast or SAT rule.
  • Page 230 4.6.2. Multicast Forwarding with SAT Chapter 4. Routing Multiplex Rules • Destination: 1234 B. Create an IP rule: Go to: Policies > Add > IP Rule Under General enter. • Name: a name for the rule, for example Multicast_Multiplex • Action: Multiplex SAT •...
  • Page 231: Multicast Forwarding - Address Translation

    4.6.2. Multicast Forwarding with SAT Chapter 4. Routing Multiplex Rules MultiplexArgument={if2;<new_ip_address>},{if3;} 4.6.2.2. Multicast Forwarding - Address Translation Scenario Figure 4.16. Multicast Forwarding - Address Translation This scenario is based on the previous scenario but this time the multicast group is translated. When the multicast streams 239.192.10.0/24 are forwarded through the if2 interface, the multicast groups should be translated into 237.192.10.0/24.
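The two SAT Multiplex scenarios on pages 228 to 231 (the same packet copied out of several interfaces, with the group 239.192.10.0/24 translated to 237.192.10.0/24 on if2 only) are shown as an added example in Python that parses a MultiplexArgument of the form `{if2;<new_ip_address>},{if3;}` and produces the per-interface copies. It is not NetDefendOS code; the assumption that translation keeps the host offset inside the group (so 239.192.10.7 becomes 237.192.10.7) is the example's own, and the parser treats the second field as a network of the same size as the matched group.

```python
# SAT Multiplex forwarding with optional group translation (added example,
# not NetDefendOS code). Assumption: a target that carries a network of the
# same size as the matched group translates by preserving the host offset,
# so 239.192.10.7 forwarded to 237.192.10.0/24 becomes 237.192.10.7; a target
# with an empty second field forwards the packet unchanged.
import ipaddress
import re
from typing import List, Optional, Tuple

Target = Tuple[str, Optional[ipaddress.IPv4Network]]


def parse_multiplex_argument(arg: str) -> List[Target]:
    """'{if2;237.192.10.0/24},{if3;}' -> [('if2', 237.192.10.0/24), ('if3', None)]"""
    targets = []
    for m in re.finditer(r"\{([^;{}]+);([^{}]*)\}", arg):
        iface, new = m.group(1).strip(), m.group(2).strip()
        targets.append((iface, ipaddress.ip_network(new) if new else None))
    if not targets:
        raise ValueError(f"no interface targets in {arg!r}")
    return targets


def multiplex(dst_group: str, matched_group: str,
              targets: List[Target]) -> List[Tuple[str, str]]:
    """Return one (interface, destination group) pair per target for a packet
    addressed to dst_group, which must lie inside the rule's matched_group."""
    dst = ipaddress.ip_address(dst_group)
    matched = ipaddress.ip_network(matched_group)
    if dst not in matched:
        raise ValueError(f"{dst} is outside {matched}")
    offset = int(dst) - int(matched.network_address)
    copies = []
    for iface, new_net in targets:
        if new_net is None:                     # no translation on this interface
            copies.append((iface, str(dst)))
            continue
        if new_net.prefixlen != matched.prefixlen:
            raise ValueError(f"{new_net} does not match the size of {matched}")
        translated = new_net.network_address + offset
        if not translated.is_multicast:         # refuse to rewrite into unicast space
            raise ValueError(f"{translated} is not a multicast group")
        copies.append((iface, str(translated)))
    return copies


def demo() -> List[Tuple[str, str]]:
    targets = parse_multiplex_argument("{if2;237.192.10.0/24},{if3;}")
    return multiplex("239.192.10.7", "239.192.10.0/24", targets)
```

Because the group address changes on if2, the IGMP membership reports arriving from that side have to be translated in the opposite direction before they are relayed upstream, which is why the address translation scenario needs its own IGMP rules on page 235.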
  • Page 232: Igmp Configuration

    4.6.3. IGMP Configuration Chapter 4. Routing B. Create an IP rule: Go to: Policies > Add > IP Rule Under General enter. • Name: a name for the rule, for example Multicast_Multiplex • Action: Multiplex SAT • Service: multicast_service Under Address Filter enter: •...
  • Page 233: Multicast Snoop Mode

    4.6.3. IGMP Configuration Chapter 4. Routing • Proxy Mode The operation of these two modes are shown in the following illustrations: Figure 4.17. Multicast Snoop Mode Figure 4.18. Multicast Proxy Mode In Snoop Mode, the NetDefend Firewall will act transparently between the hosts and another IGMP router.
  • Page 234: Igmp - No Address Translation

    4.6.3. IGMP Configuration Chapter 4. Routing 4.6.3.1. IGMP Rules Configuration - No Address Translation This example describes the IGMP rules needed for configuring IGMP according to the No Address Translation scenario described above. The router is required to act as a host towards the upstream router and therefore IGMP must be configured to run in proxy mode.
  • Page 235: If1 Configuration

    4.6.3. IGMP Configuration Chapter 4. Routing • Destination Network: auto • Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.0/24 Click OK 4.6.3.2. IGMP Rules Configuration - Address Translation The following examples illustrate the IGMP rules needed to configure IGMP according to the Address Translation scenario described above in Section 4.6.2.2, “Multicast Forwarding - Address Translation Scenario”.
  • Page 236: If2 Configuration - Group Translation

    4.6.3. IGMP Configuration Chapter 4. Routing • Name: A suitable name for the rule, for example Queries_if1 • Type: Query • Action: Proxy • Output: if1 (this is the relay interface) Under Address Filter enter: • Source Interface: wan • Source Network: UpstreamRouterIp •...
  • Page 237: Advanced Igmp Settings

    4.6.4. Advanced IGMP Settings Chapter 4. Routing • Name: A suitable name for the rule, for example Queries_if2 • Type: Query • Action: Proxy • Output: if2 (this is the relay interface) Under Address Filter enter: • Source Interface: wan •...
  • Page 238 4.6.4. Advanced IGMP Settings Chapter 4. Routing IGMP messages with a version lower than this will be logged and ignored. Global setting on interfaces without an overriding IGMP Setting. Default: IGMPv1
    IGMP Router Version: The IGMP protocol version that will be globally used on interfaces without a configured IGMP Setting.
  • Page 239 4.6.4. Advanced IGMP Settings Chapter 4. Routing The firewall will send IGMP Startup Query Count general queries with an interval of IGMPStartupQueryInterval at startup. Global setting on interfaces without an overriding IGMP Setting. Default: 2
    IGMP Startup Query Interval: The interval of General Queries in milliseconds used during the startup phase. Global setting on interfaces without an overriding IGMP Setting.
  • Page 240: Transparent Mode

    4.7. Transparent Mode Chapter 4. Routing 4.7. Transparent Mode 4.7.1. Overview Transparent Mode Usage The NetDefendOS Transparent Mode feature allows a NetDefend Firewall to be placed at a point in a network without any reconfiguration of the network and without hosts being aware of its presence. All NetDefendOS features can then be used to monitor and manage traffic flowing through that point.
  • Page 241 4.7.1. Overview Chapter 4. Routing With non-switch routes, the NetDefend Firewall acts as a router and routing operates at layer 3 of the OSI model. If the firewall is placed into a network for the first time, or if network topology changes, the routing configuration must therefore be checked and adjusted to ensure that the routing table is consistent with the new layout.
  • Page 242 4.7.1. Overview Chapter 4. Routing forward the packet to the destination. If the route was a Switch Route, no specific information about the destination is available and the firewall will have to discover where the destination is located in the network. Discovery is done by NetDefendOS sending out ARP as well as ICMP (ping) requests, acting as the initiating sender of the original IP packet for the destination on the interfaces specified in the Switch Route.
  • Page 243 4.7.1. Overview Chapter 4. Routing An alternative to one switch route is to not use an interface group but instead use an individual switch route for each interface. The end result is the same. All the switch routes defined in a single routing table will be connected together by NetDefendOS and no matter how interfaces are associated with the switch routes, transparency will exist between them.
  • Page 244 4.7.1. Overview Chapter 4. Routing To better explain this, let us consider a VLAN vlan5 which is defined on two physical interfaces called if1 and if2. Both physical interfaces have switch routes defined so they operate in transparent mode. Two VLAN interfaces with the same VLAN ID are defined on the two physical interfaces and they are called vlan5_if1 and vlan5_if2.
  • Page 245: Enabling Internet Access

    4.7.2. Enabling Internet Access Chapter 4. Routing • Define a static ARP table entry which maps the MAC address FF-FF-FF-FF-FF-FF to the IPv4 address 255.255.255.255. • Configure DHCP relay to the DHCP server IP address 255.255.255.255. 4.7.2. Enabling Internet Access A common misunderstanding when setting up Transparent Mode is how to correctly set up access to the public Internet.
  • Page 246: Transparent Mode Scenarios

    4.7.3. Transparent Mode Scenarios Chapter 4. Routing gateway address. In non-transparent mode the user's gateway IP would be the NetDefend Firewall's IP address but in transparent mode the ISP's gateway is on the same logical IP network as the users and will therefore be gw-ip.
  • Page 247: Transparent Mode Scenario 1

    4.7.3. Transparent Mode Scenarios Chapter 4. Routing Figure 4.21. Transparent Mode Scenario 1 Example 4.20. Setting up Transparent Mode for Scenario 1 Web Interface Configure the interfaces: Go to: Interfaces > Ethernet > Edit (wan) Now enter: • IP Address: 10.0.0.1 •...
  • Page 248: Transparent Mode Scenario 2

    4.7.3. Transparent Mode Scenarios Chapter 4. Routing • Source Interface: lan • Destination Interface: any • Source Network: 10.0.0.0/24 • Destination Network: all-nets (0.0.0.0/0) Click OK Scenario 2 Here the NetDefend Firewall in Transparent Mode separates server resources from an internal network by connecting them to a separate interface without the need for different address ranges.
  • Page 249 4.7.3. Transparent Mode Scenarios Chapter 4. Routing Go to: Interfaces > Ethernet > Edit (lan) Now enter: • IP Address: 10.0.0.1 • Network: 10.0.0.0/24 • Transparent Mode: Disable • Add route for interface network: Disable Click OK Go to: Interfaces > Ethernet > Edit (dmz) Now enter: •...
  • Page 250: Spanning Tree Bpdu Support

    4.7.4. Spanning Tree BPDU Support Chapter 4. Routing Click OK Go to: Rules > IP Rules > Add > IPRule Now enter: • Name: HTTP-WAN-to-DMZ • Action: SAT • Service: http • Source Interface: wan • Destination Interface: dmz • Source Network: all-nets •...
  • Page 251: Advanced Settings For Transparent Mode

    4.7.5. Advanced Settings for Transparent Mode Chapter 4. Routing Figure 4.23. An Example BPDU Relaying Scenario Implementing BPDU Relaying The NetDefendOS BPDU relaying implementation only carries STP messages. These STP messages can be of three types: • Normal Spanning Tree Protocol (STP) •...
  • Page 252 4.7.5. Advanced Settings for Transparent Mode Chapter 4. Routing Default: Enabled
    Decrement TTL: Enable this if the TTL should be decremented each time a packet traverses the firewall in Transparent Mode. Default: Disabled
    Dynamic CAM Size: This setting can be used to manually configure the size of the CAM table. Normally Dynamic is the preferred value to use.
  • Page 253 4.7.5. Advanced Settings for Transparent Mode Chapter 4. Routing
    • Ignore - Let the packets pass but do not log
    • Log - Let the packets pass and log the event
    • Drop - Drop the packets
    • DropLog - Drop the packets and log the event
    Default: Drop
  • Page 255: Dhcp Services

    Chapter 5. DHCP Services This chapter describes DHCP services in NetDefendOS. • Overview, page 255 • DHCP Servers, page 256 • DHCP Relaying, page 262 • IP Pools, page 265 5.1. Overview Dynamic Host Configuration Protocol (DHCP) is a protocol that allows network administrators to automatically assign IP numbers to computers on a network.
  • Page 256: Dhcp Servers

    5.2. DHCP Servers Chapter 5. DHCP Services 5.2. DHCP Servers DHCP servers assign and manage the IP addresses taken from a specified address pool. In NetDefendOS, DHCP servers are not limited to serving a single range of IP addresses but can use any IP address range that can be specified by a NetDefendOS IP address object.
  • Page 257: Setting Up A Dhcp Server

    5.2. DHCP Servers Chapter 5. DHCP Services The following options can be configured for a DHCP server: General Parameters Name A symbolic name for the server. Used as an interface reference but also used as a reference in log messages. Interface Filter The source interface on which NetDefendOS will listen for DHCP requests.
  • Page 258 5.2. DHCP Servers Chapter 5. DHCP Services This example shows how to set up a DHCP server called DHCPServer1 which assigns and manages IP addresses from an IPv4 address pool called DHCPRange1. This example assumes that an IP range for the DHCP Server has already been created. Command-Line Interface gw-world:/>...
  • Page 259: Static Dhcp Hosts

    5.2.1. Static DHCP Hosts Chapter 5. DHCP Services Tip: Lease database saving between restarts DHCP leases are, by default, remembered by NetDefendOS between system restarts. The DHCP advanced settings can be adjusted to control how often the lease database is saved. The DHCP Server Blacklist Sometimes, an IP address offered in a lease is rejected by the client.
  • Page 260: Static Dhcp Host Assignment

    5.2.2. Custom Options Chapter 5. DHCP Services parameters: Host This is the IP address that will be handed out to the client. MAC Address This is the MAC address of the client. Either the MAC address can be used or the alternative Client Identified parameter can be used. Client Identified If the MAC address is not used for identifying the client then the client can send an identifier in its DHCP request.
  • Page 261: Custom Options

    5.2.2. Custom Options Chapter 5. DHCP Services 5.2.2. Custom Options Adding a Custom Option to the DHCP server definition allows the administrator to send specific pieces of information to DHCP clients in the DHCP leases that are sent out. An example of this is certain switches that require the IP address of a TFTP server from which they can get certain extra information.
  • Page 262: Dhcp Relaying

    5.3. DHCP Relaying Chapter 5. DHCP Services 5.3. DHCP Relaying The DHCP Problem With DHCP, clients send requests to locate the DHCP server(s) using broadcast messages. However, broadcasts are normally only propagated across the local network. This means that the DHCP server and client always need to be on the same physical network.
  • Page 263: Dhcp Relay Advanced Settings

    5.3.1. DHCP Relay Advanced Settings Chapter 5. DHCP Services • Name: ipgrp-dhcp • Interfaces: select vlan1 and vlan2 from the Available list and put them into the Selected list. Click OK Adding a DHCP relayer called vlan-to-dhcpserver: Go to: System > DHCP > Add > DHCP Relay Now enter: •...
  • Page 264 5.3.1. DHCP Relay Advanced Settings Chapter 5. DHCP Services The maximum lease time allowed by NetDefendOS. If the DHCP server has a higher lease time, it will be reduced down to this value. Default: 10000 seconds Max Auto Routes How many relays can be active at the same time. Default: 256 Auto Save Policy What policy should be used to save the relay list to the disk, possible settings are Disabled,...
  • Page 265: Ip Pools

    5.4. IP Pools Chapter 5. DHCP Services 5.4. IP Pools Overview An IP pool is used to offer other subsystems access to a cache of DHCP IP addresses. These addresses are gathered into a pool by internally maintaining a series of DHCP clients (one DHCP client per IP address).
  • Page 266 5.4. IP Pools Chapter 5. DHCP Services Receive Interface A "simulated" virtual DHCP server receiving interface. This setting is used to simulate a receiving interface when an IP pool is obtaining IP addresses from internal DHCP servers. This is needed since the filtering criteria of a DHCP server includes a Receive Interface.
  • Page 267: Creating An Ip Pool

    5.4. IP Pools Chapter 5. DHCP Services Other options in the ippool command allow the administrator to change the pool size and to free up IP addresses. The complete list of command options can be found in the CLI Reference Guide. Example 5.4.
  • Page 268 5.4. IP Pools Chapter 5. DHCP Services...
  • Page 269: Security Mechanisms

    Chapter 6. Security Mechanisms This chapter describes NetDefendOS security features. • Access Rules, page 269 • ALGs, page 272 • Web Content Filtering, page 325 • Anti-Virus Scanning, page 343 • Intrusion Detection and Prevention, page 349 • Denial-of-Service Attack Prevention, page 361 •...
  • Page 270: Ip Spoofing

    6.1.2. IP Spoofing Chapter 6. Security Mechanisms add them if there is a requirement for stricter checking on new connections. 6.1.2. IP Spoofing Traffic that pretends it comes from a trusted host can be sent by an attacker to try and get past a firewall's security mechanisms.
  • Page 271: Setting Up An Access Rule

    6.1.3. Access Rule Settings Chapter 6. Security Mechanisms Turning Off Default Access Rule Messages If, for some reason, the Default Access Rule log message is continuously being generated by some source and needs to be turned off, then the way to do this is to specify an Access Rule for that source with an action of Drop.
  • Page 272: Algs

    6.2. ALGs Chapter 6. Security Mechanisms 6.2. ALGs 6.2.1. Overview To complement low-level packet filtering, which only inspects packet headers in protocols such as IP, TCP, UDP, and ICMP, NetDefend Firewalls provide Application Layer Gateways (ALGs) which provide filtering at the higher application OSI level. An ALG object acts as a mediator in accessing commonly used Internet applications outside the protected network, for example web access, file transfer and multimedia transfer.
  • Page 273: The Http Alg

    6.2.2. The HTTP ALG Chapter 6. Security Mechanisms Maximum Connection Sessions The service associated with an ALG has a configurable parameter associated with it called Max Sessions and the default value varies according to the type of ALG. For instance, the default value for the HTTP ALG is 1000.
  • Page 274 6.2.2. The HTTP ALG Chapter 6. Security Mechanisms cannot be dropped by web content filtering (if that is enabled, although it will be logged). Anti-Virus scanning, if it is enabled, is always applied to the HTTP traffic even if it is whitelisted.
  • Page 275: Http Alg Processing Order

    6.2.2. The HTTP ALG Chapter 6. Security Mechanisms Note: Similarities with other NetDefendOS features The Verify MIME type and Allow/Block Selected Types options work in the same way for the FTP, POP3 and SMTP ALGs. • Download File Size Limit - A file size limit can additionally be specified for any single download (this option is only available for HTTP and SMTP ALG downloads).
  • Page 276: The Ftp Alg

    6.2.3. The FTP ALG Chapter 6. Security Mechanisms Entries made in the white and blacklists can make use of wildcarding to have a single entry be equivalent to a large number of possible URLs. The wildcard character "*" can be used to represent any sequence of characters.
  • Page 277 6.2.3. The FTP ALG Chapter 6. Security Mechanisms Both active and passive modes of FTP operation present problems for NetDefend Firewalls. Consider a scenario where an FTP client on the internal network connects through the firewall to an FTP server on the Internet. The IP rule is then configured to allow network traffic from the FTP client to port 21 on the FTP server.
  • Page 278: Ftp Alg Hybrid Mode

    6.2.3. The FTP ALG Chapter 6. Security Mechanisms Figure 6.3. FTP ALG Hybrid Mode Note: Hybrid conversion is automatic Hybrid mode does not need to be enabled. The conversion between modes occurs automatically within the FTP ALG. Connection Restriction Options The FTP ALG has two options to restrict which type of mode the FTP client and the FTP server can use: •...
  • Page 279 6.2.3. The FTP ALG Chapter 6. Security Mechanisms standard set. • Allow the SITE EXEC command to be sent to an FTP server by a client. • Allow the RESUME command even if content scanning terminated the connection. Note: Some commands are never allowed Some commands, such as encryption instructions, are never allowed.
  • Page 280: Protecting An Ftp Server With An Alg

    6.2.3. The FTP ALG Chapter 6. Security Mechanisms Anti-Virus Scanning The NetDefendOS Anti-Virus subsystem can be enabled to scan all FTP downloads searching for malicious code. Suspect files can be dropped or just logged. This feature is common to a number of ALGs and is described fully in Section 6.4, “Anti-Virus Scanning”.
  • Page 281 6.2.3. The FTP ALG Chapter 6. Security Mechanisms In this case, we will set the FTP ALG restrictions as follows. • Enable the Allow client to use active mode FTP ALG option so clients can use both active and passive modes.
  • Page 282 6.2.3. The FTP ALG Chapter 6. Security Mechanisms • Destination: 21 (the port the FTP server resides on) • ALG: select ftp-inbound created above Click OK C. Define a rule to allow connections to the public IP on port 21 and forward that to the internal FTP server: Go to: Rules >...
  • Page 283: Protecting Ftp Clients

    6.2.3. The FTP ALG Chapter 6. Security Mechanisms For Address Filter enter: • Source Interface: any • Destination Interface: core • Source Network: all-nets • Destination Network: wan_ip Click OK Example 6.3. Protecting FTP Clients In this scenario shown below the NetDefend Firewall is protecting a workstation that will connect to FTP servers on the Internet.
  • Page 284 6.2.3. The FTP ALG Chapter 6. Security Mechanisms Go to: Objects > ALG > Add > FTP ALG Enter Name: ftp-outbound Uncheck Allow client to use active mode Check Allow server to use passive mode Click OK B. Create the Service Go to: Objects >...
  • Page 285: The Tftp Alg

    6.2.4. The TFTP ALG Chapter 6. Security Mechanisms • Source Interface: lan • Destination Interface: wan • Source Network: lannet • Destination Network: all-nets Check Use Interface Address Click OK Setting Up FTP Servers with Passive Mode An important point about FTP server setup needs to be made if the FTP ALG is being used along with passive mode.
  • Page 286: The Smtp Alg

    6.2.5. The SMTP ALG Chapter 6. Security Mechanisms TFTP Request Options As long as the Remove Request Option described above is set to false (options are not removed) then the following request option settings can be applied: Maximum Blocksize The maximum blocksize allowed can be specified. The allowed range is 0 to 65,464 bytes.
  • Page 287 6.2.5. The SMTP ALG Chapter 6. Security Mechanisms The administrator should therefore add a reasonable margin above the anticipated email size when setting this limit. Email address blacklisting A blacklist of sender or recipient email addresses can be specified so that mail from/to those addresses is blocked. The blacklist is applied after the whitelist so that if an address matches a whitelist entry it is not then checked against the blacklist.
  • Page 288: Smtp Alg Processing Order

    6.2.5. The SMTP ALG Chapter 6. Security Mechanisms Figure 6.4. SMTP ALG Processing Order Using Wildcards in White and Blacklists Entries made in the white and blacklists can make use of wildcarding to have a single entry cover a large number of potential email addresses. The wildcard character "*" can be used to represent any sequence of characters.
  • Page 289 6.2.5. The SMTP ALG Chapter 6. Security Mechanisms server response. For example, this parameter may appear in the log message as: capa=PIPELINING to indicate that the pipelining extension was removed from the SMTP server reply to an EHLO client command. Although ESMTP extensions may be removed by the ALG and related log messages generated, this does not mean that any emails are dropped.
  • Page 290: Anti-Spam Filtering

    6.2.5. The SMTP ALG Chapter 6. Security Mechanisms • Dropping email which has a very high probability of being spam. • Letting through but flagging email that has a moderate probability of being spam. The NetDefendOS Anti-Spam Implementation SMTP functions as a protocol for sending emails between servers. NetDefendOS applies Spam filtering to emails as they pass through the NetDefend Firewall from an external remote SMTP server to a local SMTP server (from which local clients will later download their emails).
  • Page 291 6.2.5. The SMTP ALG Chapter 6. Security Mechanisms servers are queried to assess the likelihood that the email is Spam, based on its origin address. The NetDefendOS administrator assigns a weight greater than zero to each configured server so that a weighted sum can then be calculated based on all responses.
  • Page 292 6.2.5. The SMTP ALG Chapter 6. Security Mechanisms *** SPAM *** Buy this stock today! And this is what the email's recipient will see in the summary of their inbox contents. The individual user could then decide to set up their own filters in the local client to deal with such tagged emails, possibly sending it to a separate folder.
  • Page 293 6.2.5. The SMTP ALG Chapter 6. Security Mechanisms When sender address verification is enabled, there is an additional option to only compare the domain names in the "From" addresses. Logging There are three types of logging done by the Spam filtering module: •...
  • Page 294 6.2.5. The SMTP ALG Chapter 6. Security Mechanisms The default value is 600 seconds. The Anti-Spam address cache is emptied at startup or reconfiguration. For the DNSBL subsystem overall: • Number of emails checked. • Number of emails Spam tagged. •...
  • Page 295: The Pop3 Alg

    6.2.6. The POP3 ALG Chapter 6. Security Mechanisms asdf.egrhb.net active To examine the statistics for a particular DNSBL server, the following command can be used. gw-world:/> dnsbl smtp_test zen.spamhaus.org -show BlackList: zen.spamhaus.org Status : active Weight value : 25 Number of mails checked : 56 Number of matches in list Number of failed checks (times disabled)
  • Page 296: The Pptp Alg

    6.2.7. The PPTP ALG Chapter 6. Security Mechanisms allowed as mail attachments and new filetypes can be added to the list. This same option is also available in the HTTP ALG and a fuller description of how it works can be found in Section 6.2.2, “The HTTP ALG”.
  • Page 297: The Sip Alg

    6.2.8. The SIP ALG Chapter 6. Security Mechanisms Setting up the PPTP ALG is similar to the set up of other ALG types. The ALG object must be associated with the relevant service and the service is then associated with an IP rule. The full sequence of steps for setup is as follows: •...
  • Page 298 6.2.8. The SIP ALG Chapter 6. Security Mechanisms SIP Sets Up Sessions SIP does not know about the details of a session's content and is only responsible for initiating, terminating and modifying sessions. Sessions set up by SIP are typically used for the streaming of audio and video over the Internet using the RTP/RTCP protocol (which is based on UDP) but they might also involve traffic based on the TCP protocol.
  • Page 299 6.2.8. The SIP ALG Chapter 6. Security Mechanisms The following components are the logical building blocks for SIP communication: User Agents These are the end points or clients that are involved in the client-to-client communication. These would typically be the workstation or device used in an IP telephony conversation.
  • Page 300 6.2.8. The SIP ALG Chapter 6. Security Mechanisms value is 43200 seconds. Data Channel Timeout The maximum time allowed for periods with no traffic in a SIP session. A timeout condition occurs if this value is exceeded. The default value is 120 seconds. Allow Media Bypass If this option is enabled then data.
  • Page 301 6.2.8. The SIP ALG Chapter 6. Security Mechanisms SIP Usage Scenarios NetDefendOS supports a variety of SIP usage scenarios. The following three scenarios cover nearly all possible types of usage: • Scenario 1 Protecting local clients - Proxy located on the Internet The SIP session is between a client on the local, protected side of the NetDefend Firewall and a client which is on the external, unprotected side.
  • Page 302 6.2.8. The SIP ALG Chapter 6. Security Mechanisms The SIP proxy in the above diagram could alternatively be located remotely across the Internet. The proxy should be configured with the Record-Route feature enabled to ensure all SIP traffic to and from the office clients will be sent through the SIP Proxy.
  • Page 303 6.2.8. The SIP ALG Chapter 6. Security Mechanisms traversal issues with NAT in a SIP setup. The IP rules with the Record-Route option enabled would be as shown below, the changes that apply when NAT is used are shown in parentheses "(..)". Action Src Interface Src Network...
  • Page 304 6.2.8. The SIP ALG Chapter 6. Security Mechanisms • Without NAT so the network topology is exposed. Solution A - Using NAT Here, the proxy and the local clients are hidden behind the IP address of the NetDefend Firewall. The setup steps are as follows: Define a single SIP ALG object using the options described above.
  • Page 305 6.2.8. The SIP ALG Chapter 6. Security Mechanisms Action Src Interface Src Network Dest Interface Dest Network Proxy&Clients (ip_proxy) InboundTo Allow all-nets lannet Proxy&Clients (ip_proxy) If Record-Route is enabled then the networks in the above rules can be further restricted by using "(ip_proxy)"...
  • Page 306 6.2.8. The SIP ALG Chapter 6. Security Mechanisms The exchanges illustrated are as follows: • 1,2 - An initial INVITE is sent to the outbound local proxy server on the DMZ. • 3,4 - The proxy server sends the SIP messages towards the destination on the Internet. •...
  • Page 307 6.2.8. The SIP ALG Chapter 6. Security Mechanisms DMZ interface as the contact address. • An Allow rule for outbound traffic from the proxy behind the DMZ interface to the remote clients on the Internet. • An Allow rule for inbound SIP traffic from the SIP proxy behind the DMZ interface to the IP address of the NetDefend Firewall.
  • Page 308: The H.323 Alg

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms • Destination Port set to 5060 (the default SIP signalling port) • Type set to TCP/UDP Define four rules in the IP rule set: • An Allow rule for outbound traffic from the clients on the internal network to the proxy located on the DMZ interface.
  • Page 309 6.2.9. The H.323 ALG Chapter 6. Security Mechanisms "software phones" such as the product "NetMeeting". Gateways An H.323 gateway connects two dissimilar networks and translates traffic between them. It provides connectivity between H.323 networks and non-H.323 networks such as public switched telephone networks (PSTN), translating protocols and converting media streams.
  • Page 310 6.2.9. The H.323 ALG Chapter 6. Security Mechanisms The H.323 ALG has the following features: • The H.323 ALG supports version 5 of the H.323 specification. This specification is built upon H.225.0 v5 and H.245 v10. • In addition to supporting voice and video calls, the H.323 ALG supports application sharing over the T.120 protocol.
  • Page 311: Protecting Phones Behind Netdefend Firewalls

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms Example 6.4. Protecting Phones Behind NetDefend Firewalls In the first scenario an H.323 phone is connected to the NetDefend Firewall on a network (lannet) with public IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules.
  • Page 312: H.323 With Private Ipv4 Addresses

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms • Destination Interface: lan • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: lannet • Comment: Allow incoming calls Click OK Example 6.5. H.323 with Private IPv4 Addresses In this scenario an H.323 phone is connected to the NetDefend Firewall on a network with private IPv4 addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules.
  • Page 313: Two Phones Behind Different Netdefend Firewalls

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms Click OK Go to: Rules > IP Rules > Add > IPRule Now enter: • Name: H323In • Action: Allow • Service: H323 • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) •...
  • Page 314: Using Private Ipv4 Addresses

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing calls Click OK Incoming Rule: Go to: Rules >...
  • Page 315: H.323 With Gatekeeper

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing calls Click OK Incoming Rules: Go to: Rules > IP Rules > Add > IPRule Now enter: • Name: H323In • Action: SAT •...
  • Page 316 6.2.9. The H.323 ALG Chapter 6. Security Mechanisms Web Interface Incoming Gatekeeper Rules: Go to: Rules > IP Rules > Add > IPRule Now enter: • Name: H323In • Action: SAT • Service: H323-Gatekeeper • Source Interface: any • Destination Interface: core •...
  • Page 317: H.323 With Gatekeeper And Two Netdefend Firewalls

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms Go to: Rules > IP Rules > Add > IPRule Now enter: • Name: H323In • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: dmz • Source Network: lannet •...
  • Page 318: Using The H.323 Alg In A Corporate Environment

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms Go to: Rules > IP Rules > Add > IPRule Now enter: • Name: H323Out • Action: NAT • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: any • Source Network: lannet •...
  • Page 319 6.2.9. The H.323 ALG Chapter 6. Security Mechanisms The head office has placed an H.323 Gatekeeper in the DMZ of the corporate NetDefend Firewall. This firewall should be configured as follows: Web Interface Go to: Rules > IP Rules > Add > IPRule Now enter: •...
  • Page 320 6.2.9. The H.323 ALG Chapter 6. Security Mechanisms • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gateway • Comment: Allow H.323 entities on lannet to call phones connected to the H.323 Gateway on the DMZ Click OK Go to: Rules >...
  • Page 321: Configuring Remote Offices For H.323

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms • Comment: Allow communication with the Gatekeeper on DMZ from the Remote network Click OK Example 6.11. Configuring remote offices for H.323 If the branch and remote office H.323 phones and applications are to be configured to use the H.323 Gatekeeper at the head office, the NetDefend Firewalls in the remote and branch offices should be configured as follows: (this rule should be in both the Branch and Remote Office firewalls).
  • Page 322: The Tls Alg

    6.2.10. The TLS ALG Chapter 6. Security Mechanisms Note: Outgoing calls do not need a specific rule There is no need to specify a specific rule for outgoing calls. NetDefendOS monitors the communication between "external" phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper.
  • Page 323: Tls Termination

    6.2.10. The TLS ALG Chapter 6. Security Mechanisms Figure 6.7. TLS Termination Advantages of Using NetDefendOS for TLS Termination TLS can be implemented directly in the server to which clients connect. However, if the servers are protected behind a NetDefend Firewall, then NetDefendOS can take on the role of the TLS endpoint.
  • Page 324 6.2.10. The TLS ALG Chapter 6. Security Mechanisms Associate the TLS ALG object with the newly created service object. Create a NAT or Allow IP rule for the targeted traffic and associate the custom service object with it. Optionally, a SAT rule can be created to change the destination port for the unencrypted traffic. Alternatively an SLB_SAT rule can be used to do load balancing (the destination port can also be changed through a custom service object).
  • Page 325: Web Content Filtering

    6.3. Web Content Filtering Chapter 6. Security Mechanisms 6.3. Web Content Filtering 6.3.1. Overview Web traffic is one of the biggest sources for security issues and misuse of the Internet. Inappropriate surfing habits can expose a network to many security threats as well as legal and regulatory liabilities.
  • Page 326: Static Content Filtering

    6.3.3. Static Content Filtering Chapter 6. Security Mechanisms Removing such legitimate code could, at best, cause the web site to look distorted, at worst, cause it to not work in a browser at all. Active Content Handling should therefore only be used when the consequences are well understood. Example 6.13.
  • Page 327: Setting Up A White And Blacklist

    In this small scenario a general surfing policy prevents users from downloading .exe-files. However, the D-Link website provides secure and necessary program files which should be allowed to download.
  • Page 328: Dynamic Web Content Filtering

    NetDefendOS Dynamic WCF allows web page blocking to be automated so it is not necessary to manually specify beforehand which URLs to block or to allow. Instead, D-Link maintains a global infrastructure of databases containing huge numbers of current web site URL addresses which are already classified and grouped into a variety of categories such as shopping, news, sport, adult-oriented and so on.
  • Page 329: Dynamic Content Filtering Flow

    If the requested web page URL is not present in the databases, then the webpage content at the URL will automatically be downloaded to D-Link's central data warehouse and automatically analyzed using a combination of software techniques. Once categorized, the URL is distributed to the global databases and NetDefendOS receives the category for the URL.
  • Page 330: Enabling Dynamic Web Content Filtering

    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms blocked by the filtering policy. WCF and Whitelisting If a particular URL is whitelisted then it will bypass the WCF subsystem. No classification will be done on the URL and it will always be allowed. This applies if the URL has an exact match with an entry on the whitelist or if it matches an entry that makes use of wildcarding.
  • Page 331 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms DestinationPorts=80 ALG=content_filtering Finally, modify the NAT rule to use the new service. Assume rule is called NATHttp: gw-world:/> set IPRule NATHttp Service=http_content_filtering Web Interface First, create an HTTP Application Layer Gateway (ALG) Object: Go to: Objects >...
  • Page 332: Enabling Audit Mode

    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms After running in Audit Mode for some period of time, it is easier to then have a better understanding of the surfing behavior of different user groups and also to better understand the potential impact of turning on the WCF feature.
  • Page 333: Reclassifying A Blocked Site

    The URL to the requested web site as well as the proposed category will then be sent to D-Link's central data warehouse for manual inspection. That inspection may result in the web site being reclassified, either according to the category proposed or to a category which is felt to be correct.
  • Page 334 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms On a workstation on the lannet network, launch a standard web browser. Try to browse to a search site, for example www.google.com. If everything is configured correctly, the web browser will present a block page where a dropdown list containing all available categories is included.
  • Page 335 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms otherwise. This includes online gaming, bookmaker odds and lottery web sites. This does not include traditional or computer based games; refer to the Games Sites category (10). Examples might be: • www.blackjackspot.com •...
  • Page 336 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Category 9: Dating Sites A web site may be classified under the Dating Sites category if its content includes facilities to submit and review personal advertisements, arrange romantic meetings with other people, mail order bride / foreign spouse introductions and escort services.
  • Page 337 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms A web site may be classified under the Personal Beliefs / Cults category if its content includes the description or depiction of, or instruction in, systems of religious beliefs and practice. Examples might be: •...
  • Page 338 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms authentication details by pretending to be a legitimate organization. Examples might be: • hastalavista.baby.nu Category 20: Search Sites A web site may be classified under the Search Sites category if its main focus is providing online Internet search facilities.
  • Page 339 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms This category is populated by URLs specified by a government agency, and contains URLs that are deemed unsuitable for viewing by the general public by way of their very extreme nature. Examples might be: •...
  • Page 340 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms • www.vickys-secret.com • sportspictured.cnn.com/features/2002/swimsuit Category 31: Spam A web site may be classified under the Spam category if it is found to be contained in bulk or spam emails. Examples might be: •...
  • Page 341: Editing Content Filtering Http Banner Files

    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Customizing Banner Files To perform customization it is necessary to first create a new, named ALG Banner Files object. This new object automatically contains a copy of all the files in the Default ALG Banner Files object.
  • Page 342 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms gw-world:/> add HTTPALGBanners mytxt This creates an object which contains a copy of all the Default content filtering banner files. The modified file is then uploaded using SCP. It is uploaded to the object type HTTPALGBanner and the object mytxt with the property name URLForbidden.
  • Page 343: Anti-Virus Scanning

    6.4. Anti-Virus Scanning Chapter 6. Security Mechanisms 6.4. Anti-Virus Scanning 6.4.1. Overview The NetDefendOS Anti-Virus module protects against malicious code carried in file downloads. Files may be downloaded as part of a web-page in an HTTP transfer, in an FTP download, or perhaps as an attachment to an email delivered through SMTP.
  • Page 344: Activating Anti-Virus Scanning

    6.4.3. Activating Anti-Virus Scanning Chapter 6. Security Mechanisms • Any uncompressed file type transferred through these ALGs can be scanned. • If the download has been compressed, ZIP and GZIP file downloads can be scanned. The administrator has the option to always drop specific files as well as the option to specify a size limit on scanned files.
  • Page 345: Subscribing To The D-Link Anti-Virus Service

    D-Link Anti-Virus subscription. 6.4.5. Subscribing to the D-Link Anti-Virus Service The D-Link Anti-Virus feature is purchased as an additional component to the base D-Link license and is bought in the form of a renewable subscription. An Anti-Virus subscription includes regular updates of the Kaspersky SafeStream database during the subscription period with the signatures of the latest virus threats.
  • Page 346 6.4.6. Anti-Virus Options Chapter 6. Security Mechanisms When scanning compressed files, NetDefendOS must apply decompression to examine the file's contents. Some types of data can result in very high compression ratios where the compressed file is a small fraction of the original uncompressed file size. This can mean that a comparatively small compressed file attachment might need to be uncompressed into a much larger file, which can place an excessive load on NetDefendOS resources and noticeably slow down throughput.
  • Page 347 6.4.6. Anti-Virus Options Chapter 6. Security Mechanisms This second reconfiguration causes another failover so the passive unit reverts back to being active again. These steps result in both NetDefend Firewalls in a cluster having updated databases and with the original active/passive roles. For more information about HA clusters refer to Chapter 11, High Availability.
  • Page 348 6.4.6. Anti-Virus Options Chapter 6. Security Mechanisms Specify a suitable name for the ALG, for instance anti_virus Click the Antivirus tab Select Protect in the Mode dropdown list Click OK B. Then, create a Service object using the new HTTP ALG: Go to: Local Objects >...
  • Page 349: Intrusion Detection And Prevention

    If NetDefendOS IDP detects an intrusion then the Action specified for the triggering IDP Rule is taken. IDP Rules, Pattern Matching and IDP Rule Actions are described in the sections which follow. 6.5.2. IDP Availability for D-Link Models Maintenance and Advanced IDP...
  • Page 350: Idp Database Updating

    The standard subscription is for 12 months and provides automatic IDP signature database updates. This IDP option is available for all D-Link NetDefend models, including those that don't come as standard with Maintenance IDP. Maintenance IDP can be viewed as a restricted subset of Advanced IDP and the following sections describe how the Advanced IDP option functions.
  • Page 351: Idp Rules

    A new, updated signature database is downloaded automatically by NetDefendOS at a configurable interval. This is done via an HTTP connection to the D-Link server network, which delivers the latest signature database updates. If the server's signature database is newer than the current local database, the new database is downloaded and replaces the older version.
  • Page 352: Idp Signature Selection

    Rule specifies the Action to take on detecting an intrusion in the traffic targeted by the rule. IDP Signature Selection When using the Web Interface, all IDP signatures in the local signature database are shown under the heading IDP Signatures.
  • Page 353: Insertion/Evasion Attack Prevention

    Initial Packet Processing The initial order of packet processing with IDP is as follows: A packet arrives at the firewall and NetDefendOS performs normal verification. If the packet is part of a new connection, it is checked against the IP rule set before being passed to the IDP module.
  • Page 354: Idp Pattern Matching

    Attackers who build new intrusions often re-use older code. This means their new attacks can appear "in the wild" quickly. To counter this, D-Link IDP uses an approach where the module scans for these reusable components, with pattern matching looking for building blocks rather than the entire complete code patterns.
  • Page 355: Idp Signature Groups

    An advisory is an explanatory textual description of a signature. Reading a signature's advisory explains to the administrator what the signature searches for. Due to the changing nature of the signature database, advisories are not included in D-Link documentation but are available on the D-Link website at: http://security.dlink.com.tw...
  • Page 356: Idp Actions

    This second level of naming describes the type of application or protocol. Examples include BACKUP and HTTP. 3. Signature Group Sub-Category The third level of naming further specifies the target of the group and often names the application, for example MSSQL.
  • Page 357: Smtp Log Receiver For Idp Events

    Section 6.7, “Blacklisting Hosts and Networks”. IDP ZoneDefense The Protect action includes the option that the particular D-Link switch that triggers the IDP Rule can be de-activated through the D-Link ZoneDefense feature. For more details on how ZoneDefense functions see Chapter 12, ZoneDefense.
  • Page 358: Setting Up Idp For A Mail Server

    gw-world:/> cc IDPRule examplerule
    gw-world:/examplerule> set IDPRuleAction 1 LogEnabled=Yes
    Web Interface Adding an SMTP log receiver: Go to: System > Log and Event Receivers > Add > SMTP Event Receiver Now enter: •...
  • Page 359 An IDP rule called IDPMailSrvRule will be created, and the Service to use is the SMTP service. Source Interface and Source Network define where traffic comes from, in this example the external network. The Destination Interface and Destination Network define where traffic is directed to, in this case the mail server.
  • Page 360 • Destination Network: ip_mailserver • Click OK Specify the Action: An action is now defined, specifying which signatures the IDP should use when scanning data matching the rule, and what NetDefendOS should do when a possible intrusion is detected. In this example, intrusion attempts will cause the connection to be dropped, so Action is set to Protect.
  • Page 361: Denial-Of-Service Attack Prevention

    6.6. Denial-of-Service Attack Prevention 6.6.1. Overview By embracing the Internet, enterprises experience new business opportunities and growth. The enterprise network and the applications that run over it are business critical. Not only can a company reach a larger number of customers via the Internet, it can serve them faster and more efficiently.
  • Page 362: Fragmentation Overlap Attacks: Teardrop, Bonk, Boink And Nestea

    intended victim. "Jolt" is simply a purpose-written program for generating such packets on operating systems whose ping commands refuse to generate oversized packets. The triggering factor is that the last fragment makes the total packet size exceed 65535 bytes, which is the highest number that a 16-bit integer can store.
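    Both attack families above can be recognised from fragment geometry alone, before any reassembly buffer is committed. The following added example (not NetDefendOS code) checks the fragments of one datagram for the oversize condition (Ping of Death, Jolt) and for a fragment landing inside data already covered (Teardrop, Bonk, Boink, Nestea). The 20-byte header assumed for the reassembled datagram and the sample fragment lists are constructed for the demonstration.

```python
"""Fragment sanity checks of the kind a firewall applies before reassembly
(added example, not NetDefendOS code): an oversized reassembled datagram
(Ping of Death / Jolt) and overlapping fragments (Teardrop and friends)."""
from dataclasses import dataclass
from typing import Iterable, List

MAX_IP_DATAGRAM = 65535     # IP total length is a 16-bit field
MIN_IP_HEADER = 20          # assumed header size of the reassembled datagram


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification field shared by all fragments of one datagram
    offset: int     # fragment offset field, in units of 8 bytes
    length: int     # payload bytes carried by this fragment
    more: bool      # More Fragments (MF) flag


def check_fragments(frags: Iterable[Fragment]) -> str:
    """Classify the fragments of one datagram as 'ok', 'oversize' or 'overlap'.

    Only the geometry is examined, so the verdict needs no payload buffering."""
    covered_to = 0                      # first payload byte not yet covered
    for f in sorted(frags, key=lambda f: f.offset):
        start = f.offset * 8
        end = start + f.length
        # Ping of Death: a fragment pushes the total beyond 65535 bytes.
        if end + MIN_IP_HEADER > MAX_IP_DATAGRAM:
            return "oversize"
        # Teardrop/Bonk/Boink/Nestea: a fragment starts inside data already seen.
        if start < covered_to:
            return "overlap"
        covered_to = max(covered_to, end)
    return "ok"


def fragments_of(ident: int, payload_len: int, mtu_payload: int = 1480) -> List[Fragment]:
    """Build the well-formed fragment list a normal host would emit."""
    frags, off = [], 0
    while off < payload_len:
        n = min(mtu_payload, payload_len - off)
        frags.append(Fragment(ident, off // 8, n, more=off + n < payload_len))
        off += n
    return frags


# Constructed samples.
NORMAL = fragments_of(0x1234, 4000)
# 44 full fragments (65120 bytes) and a final one that overshoots the limit.
PING_OF_DEATH = fragments_of(0x4242, 65120) + [Fragment(0x4242, 65120 // 8, 400, False)]
# Second fragment starts inside the first and ends before it: classic Teardrop.
TEARDROP = [Fragment(0x99, 0, 36, True), Fragment(0x99, 3, 4, False)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("ping-of-death", PING_OF_DEATH), ("teardrop", TEARDROP)):
        print(name, "->", check_fragments(frags))
```

    Treating any overlap as hostile is the conservative choice a firewall can afford; end hosts differ in how they resolve overlaps, which is exactly what the insertion/evasion techniques covered earlier in this chapter exploit.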
  • Page 363: Amplification Attacks: Smurf, Papasmurf, Fraggle

    • By stripping the URG bit by default from all TCP segments traversing the system (configurable via Advanced Settings > TCP > TCPUrg). WinNuke attacks will usually show up in NetDefendOS logs as normal drops with the name of the IP rule that disallowed the connection attempt.
  • Page 364: Tcp Syn Flood Attacks

    The Traffic Shaping feature built into NetDefendOS also helps absorb some of the flood before it reaches protected servers. 6.6.8. TCP SYN Flood Attacks TCP SYN flood attacks work by sending large numbers of TCP SYN packets to a given port and then not responding to the SYN ACKs sent in response.
  • Page 365 6.6.10. Distributed DoS Attacks A more sophisticated form of DoS is the Distributed Denial of Service (DDoS) attack. DDoS attacks involve breaking into hundreds or thousands of machines all over the Internet to install DDoS software on them, allowing the attacker to control all these compromised machines to launch coordinated attacks on victim sites.
  • Page 366: Blacklisting Hosts And Networks

    6.7. Blacklisting Hosts and Networks Overview NetDefendOS implements a Blacklist of host or network IP addresses which can be used to protect against traffic coming from specific Internet sources. Certain NetDefendOS subsystems can optionally blacklist a host or network when certain conditions are encountered.
  • Page 367: Adding A Host To The Whitelist

    It is also important to understand that although whitelisting prevents a particular source from being blacklisted, it does not prevent NetDefendOS mechanisms such as threshold rules from dropping or denying connections from that source. What whitelisting does is prevent a source from being added to a blacklist when that is the action a rule has specified.
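    The whitelist semantics just described, and the connection-rate threshold that a SYN flood (Section 6.6.8) trips, fit together in one small model. The following added example (not NetDefendOS code) implements a threshold rule whose action is to drop and blacklist: a source exceeding the rate is dropped and listed for a period, a listed source is dropped until its entry expires, and a whitelisted source is still dropped by the threshold but never enters the blacklist. The limits, durations and addresses are assumptions for the demonstration.

```python
"""Threshold rule with a blacklist action and a whitelist (added example,
not NetDefendOS code).  A source opening new connections faster than the
threshold is dropped and, if not whitelisted, blacklisted for a while."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class ThresholdGuard:
    def __init__(self, limit, window, blacklist_seconds, whitelist=()):
        self.limit = limit                          # new connections allowed per window
        self.window = window                        # seconds
        self.blacklist_seconds = blacklist_seconds  # how long an offender stays listed
        self.whitelist = [ip_network(n) for n in whitelist]
        self._recent = defaultdict(deque)           # src -> timestamps of recent attempts
        self.blacklist = {}                         # src -> expiry timestamp

    def is_whitelisted(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.whitelist)

    def is_blacklisted(self, src, now):
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:                 # entry has timed out: forget it
            del self.blacklist[src]
            return False
        return True

    def new_connection(self, src, now):
        """Decide 'allow', 'drop:threshold' or 'drop:blacklisted' for one new
        connection (for TCP, the first SYN) from `src` at time `now`."""
        if self.is_blacklisted(src, now):
            return "drop:blacklisted"
        recent = self._recent[src]
        recent.append(now)
        while recent and recent[0] <= now - self.window:   # slide the window
            recent.popleft()
        if len(recent) <= self.limit:
            return "allow"
        if self.is_whitelisted(src):      # whitelisted: still dropped, never listed
            return "drop:threshold"
        self.blacklist[src] = now + self.blacklist_seconds
        return "drop:blacklisted"


def simulate(guard, src, count, start, step):
    """Fire `count` new connections from `src`, `step` seconds apart, and
    return the verdicts in order."""
    return [guard.new_connection(src, start + i * step) for i in range(count)]


if __name__ == "__main__":
    g = ThresholdGuard(limit=10, window=1.0, blacklist_seconds=60, whitelist=["198.51.100.0/24"])
    print("flood from 203.0.113.9:   ", simulate(g, "203.0.113.9", 12, 0.0, 0.05))
    print("whitelisted 198.51.100.7:", simulate(g, "198.51.100.7", 12, 0.0, 0.05))
    print("blacklist now:", g.blacklist)
```

    Note that the listing decision is made on the connection that crosses the threshold, and the whitelist is consulted only at that point; the drop itself is independent of it, which is the distinction the paragraph above draws.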
  • Page 369: Address Translation

    Chapter 7. Address Translation This chapter describes NetDefendOS address translation capabilities. • Overview, page 369 • NAT, page 370 • NAT Pools, page 375 • SAT, page 378 7.1. Overview The ability of NetDefendOS to change the IP address of packets as they pass through the NetDefend Firewall is known as address translation.
  • Page 370: Nat

    7.2. NAT Dynamic Network Address Translation (NAT) provides a mechanism for translating original source IP addresses to a different address. Outgoing packets then appear to come from a different IP address, and incoming packets back to that address have their IP address translated back to the original IP address.
  • Page 371 However, since there is a possible range of 64,500 source ports and the same number of destination ports, it is theoretically possible to have over 4 billion connections between two IP addresses if all ports are used.
  • Page 372: A Nat Example

    The recipient server then processes the packet and sends its response. 195.55.66.77:80 => 195.11.22.33:32789 NetDefendOS receives the packet and compares it to its list of open connections. Once it finds the connection in question, it restores the original address and forwards the packet. 195.55.66.77:80 =>...
  • Page 373 gw-world:/main> cc The NATAction option could be left out since the default value is to use the interface address. The alternative is to specify UseSenderAddress and use the NATSenderAddress option to specify the IP address to use. The sender address will also need to be explicitly ARP published on the interface.
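    The packet flow on the NAT example page (192.168.x.x:port becomes 195.11.22.33:port on the way out, and the reply is matched against the open-connection list on the way back) is modelled in the following added example, which is not NetDefendOS code. It keeps a connection table keyed on the translated source port and the remote endpoint, allocates a fresh port per new flow, and returns nothing for inbound packets that match no open connection, which is why those are dropped. The external address 195.11.22.33 is taken from the page; the internal hosts and the port range are assumptions.

```python
"""Dynamic (source) NAT with a connection table (added example, not
NetDefendOS code).  Internal hosts share one external address; each flow
gets its own translated source port, and replies are looked up in the table
so that unsolicited inbound packets find no entry."""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


class DynamicNat:
    def __init__(self, external_ip: str, port_range: Tuple[int, int] = (32768, 60999)):
        self.external_ip = external_ip
        self.port_range = port_range
        # (proto, ext_port, remote_ip, remote_port) -> (internal_ip, internal_port)
        self._by_external: Dict[Tuple[str, int, str, int], Endpoint] = {}
        # (proto, internal_ip, internal_port, remote_ip, remote_port) -> ext_port
        self._by_internal: Dict[Tuple[str, str, int, str, int], int] = {}

    def _allocate_port(self, proto: str, remote_ip: str, remote_port: int) -> int:
        """Lowest port not yet used toward this remote endpoint.  Because the
        table is keyed on the remote side as well, one external port can be in
        use toward many different servers; that is where the page's figure of
        over 4 billion connections between two addresses comes from."""
        lo, hi = self.port_range
        for port in range(lo, hi + 1):
            if (proto, port, remote_ip, remote_port) not in self._by_external:
                return port
        raise RuntimeError("NAT port range exhausted toward %s:%d" % (remote_ip, remote_port))

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port) -> Endpoint:
        """Translate the source of an outgoing packet, reusing a known flow's entry."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        port = self._by_internal.get(key)
        if port is None:
            port = self._allocate_port(proto, dst_ip, dst_port)
            self._by_internal[key] = port
            self._by_external[(proto, port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.external_ip, port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port) -> Optional[Endpoint]:
        """Restore the internal destination of a reply, or None when no open
        connection matches (the packet is then dropped)."""
        if dst_ip != self.external_ip:
            return None
        return self._by_external.get((proto, dst_port, src_ip, src_port))


if __name__ == "__main__":
    nat = DynamicNat("195.11.22.33")
    ext_ip, ext_port = nat.outbound("tcp", "192.168.1.5", 1038, "195.55.66.77", 80)
    print("192.168.1.5:1038 -> 195.55.66.77:80 leaves as %s:%d" % (ext_ip, ext_port))
    print("reply restored to", nat.inbound("tcp", "195.55.66.77", 80, ext_ip, ext_port))
    print("unsolicited inbound:", nat.inbound("tcp", "198.51.100.1", 443, "195.11.22.33", 40000))
```

    A real implementation also ages entries out (the service timeouts of Section 3.3.6 play that role) so the table does not grow without bound; that is omitted here to keep the lookup logic visible.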
  • Page 374: Anonymizing With Nat

    Some protocols, regardless of the method of transportation used, can cause problems during address translation. Anonymizing Internet Traffic with NAT A useful application of the NAT feature in NetDefendOS is for anonymizing service providers to anonymize traffic between clients and servers across the public Internet, so that the client's public IP address is not present in any server access requests or peer-to-peer traffic.
  • Page 375: Nat Pools

    7.3. NAT Pools Overview Network Address Translation (NAT) provides a way for multiple internal clients and hosts with unique private, internal IP addresses to communicate with remote hosts through a single external public IPv4 address (this is discussed in depth in Section 7.2, “NAT”).
  • Page 376: Using Nat Pools

    There is only one state table per NAT Pool, so if a single NAT Pool is re-used in multiple NAT IP rules they share the same state table. Stateless NAT Pools The Stateless option means that no state table is maintained and the external IP address chosen for each new connection is the one that has the fewest connections already allocated to it.
  • Page 377 This example creates a NAT pool with the external IP address range 10.6.13.10 to 10.16.13.15 which is then used in a NAT IP rule for HTTP traffic on the wan interface. Web Interface A.
  • Page 378: Sat

    7.4. SAT NetDefendOS can translate entire ranges of IP addresses and/or port numbers. Such translations are transpositions where each address or port is mapped to a corresponding address or port in a new range, rather than translating them all to the same address or port. This functionality is known as Static Address Translation (SAT).
  • Page 379: The Role Of The Dmz

    Figure 7.4. The Role of the DMZ Note: The DMZ port could be any port On all models of D-Link NetDefend hardware, there is a specific Ethernet interface which is marked as being for the DMZ network. Although this is the port's intended use it could be used for other purposes and any Ethernet interface could also be used instead for a DMZ.
  • Page 380 SATTranslateToIP=10.10.10.5 Name=SAT_HTTP_To_DMZ
    Then create a corresponding Allow rule:
    gw-world:/main> add IPRule action=Allow Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=core DestinationNetwork=wan_ip Name=Allow_HTTP_To_DMZ
    Web Interface First create a SAT rule: Go to: Rules > IP Rules > Add > IPRule Specify a suitable name for the rule, for example SAT_HTTP_To_DMZ Now enter: •...
  • Page 381: Enabling Traffic To A Web Server On An Internal Network

    address translation can take place if the connection has been permitted, and rule 2 permits the connection. The SAT rule destination interface must be core because interface IPs are always routed on core. A NAT rule may also be needed to allow internal computers access to the public Internet: Action Src Iface...
  • Page 382
    Action  Src Iface  Src Net   Dest Iface  Dest Net  Service  Parameters
    SAT     any        all-nets  core        wan_ip    http     SETDEST wwwsrv 80
    Allow   any        all-nets  core        wan_ip    http
    These two rules allow access to the web server via the firewall's external IP address. Rule 1 states that address translation will take place if the connection is permitted, and rule 2 permits the connection.
  • Page 383: Translation Of Multiple Ip Addresses (M:n)

    • The reply arrives and both address translations are restored: 195.55.66.77:80 => 10.0.0.3:1038 In this way, the reply arrives at PC1 from the expected address. Another possible solution to this problem is to allow internal clients to speak directly to 10.0.0.2, which would completely avoid all the problems associated with address translation.
  • Page 384 Command-Line Interface Create an address object for the public IPv4 addresses: gw-world:/> add Address IP4Address wwwsrv_pub Address=195.55.66.77-195.55.66.81 Now, create another object for the base of the web server IP addresses: gw-world:/>...
  • Page 385: All-To-One Mappings (N:1)

    • Interface: wan • IP Address: 195.55.66.77 Click OK and repeat for all 5 public IPv4 addresses Create a SAT rule for the translation: Go to: Rules > IP Rules > Add > IPRule Specify a suitable name for the rule, for example SAT_HTTP_To_DMZ Now enter: •...
  • Page 386: Translating Traffic To A Single Protected Web Server (N:1)

    • Attempts to communicate with 194.1.2.16, port 80, will result in a connection to 192.168.0.50. • Attempts to communicate with 194.1.2.30, port 80, will result in a connection to 192.168.0.50. Note When all-nets is the destination, All-to-One mapping is always done.
  • Page 387: Port Translation

    DestinationNetwork=wwwsrv_pub Return to the default CLI context with the command: gw-world:/IPRuleSet/main> cc 7.4.4. Port Translation Port Translation (PAT), also known as Port Address Translation, can be used to modify the source or destination port. Action Src Iface Src Net...
  • Page 388: Sat And Fwdfast Rules

    matching rule does NetDefendOS execute the static address translation. Despite this, the first matching SAT rule found for each address is the one that will be carried out. The phrase "each address" above means that two SAT rules can be in effect at the same time on the same connection, provided that one is translating the sender address while the other is translating the destination address.
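    The rule-ordering semantics above (a SAT rule only records a translation; the first matching non-SAT rule decides whether it is carried out; at most one SAT rule per address applies) together with the 1:1, M:N and All-to-One mappings of Sections 7.4.1 to 7.4.3 are modelled in the following added example, which is not NetDefendOS code. The value of wan_ip, the private server addresses and the interface names are assumptions; the public ranges are the ones used in the chapter's examples.

```python
"""SAT evaluation as the chapter describes it (added example, not NetDefendOS
code): a matching SAT rule only records a translation; the first matching
non-SAT rule (Allow, NAT, FwdFast, or a drop) decides whether it is carried
out, and one SAT rule per address (sender, destination) can apply.  The
values assumed for wan_ip and the private web servers are illustrative."""
from collections import namedtuple
from ipaddress import IPv4Address
from typing import Optional, Tuple


def to_int(addr: str) -> int:
    return int(IPv4Address(addr))


class Net:
    """Address-book object: a single address, a range a-b, or all-nets."""
    def __init__(self, spec: str):
        if spec == "all-nets":
            self.lo, self.hi = 0, 2 ** 32 - 1
        elif "-" in spec:
            a, b = spec.split("-")
            self.lo, self.hi = to_int(a), to_int(b)
        else:
            self.lo = self.hi = to_int(spec)

    def __contains__(self, addr: str) -> bool:
        return self.lo <= to_int(addr) <= self.hi

    def is_all_nets(self) -> bool:
        return self.lo == 0 and self.hi == 2 ** 32 - 1


# setdest/setsrc parameter: (translate-to base address, new port or None, All-to-One flag)
Rule = namedtuple("Rule", "name action src_if src_net dst_if dst_net service setdest setsrc",
                  defaults=(None, None))
Packet = namedtuple("Packet", "src_if src sport dst_if dst dport service")


def matches(r: Rule, p: Packet) -> bool:
    return (r.src_if in ("any", p.src_if) and p.src in r.src_net
            and r.dst_if in ("any", p.dst_if) and p.dst in r.dst_net
            and r.service in ("all_services", p.service))


def transpose(addr: str, net: Net, base: str, all_to_one: bool) -> str:
    """M:N keeps the address's offset within the matched range; N:1 (All-to-One,
    or a rule whose destination is all-nets) maps every address to the base."""
    if all_to_one or net.is_all_nets():
        return base
    return str(IPv4Address(to_int(base) + (to_int(addr) - net.lo)))


def evaluate(rules, p: Packet) -> Tuple[str, str, int, str, int]:
    """Return (action, src, sport, dst, dport) for a new connection."""
    new_src: Optional[Tuple[str, int]] = None
    new_dst: Optional[Tuple[str, int]] = None
    for r in rules:
        if not matches(r, p):
            continue
        if r.action == "SAT":                          # record, do not act yet
            if r.setdest and new_dst is None:          # first SAT per address wins
                base, port, a2o = r.setdest
                new_dst = (transpose(p.dst, r.dst_net, base, a2o), port or p.dport)
            if r.setsrc and new_src is None:
                base, port, a2o = r.setsrc
                new_src = (transpose(p.src, r.src_net, base, a2o), port or p.sport)
            continue
        if r.action in ("Allow", "NAT", "FwdFast"):    # permitted: apply recorded SAT
            src, sport = new_src or (p.src, p.sport)
            dst, dport = new_dst or (p.dst, p.dport)
            return (r.action, src, sport, dst, dport)
        return (r.action, p.src, p.sport, p.dst, p.dport)   # denied: nothing translated
    return ("Drop", p.src, p.sport, p.dst, p.dport)         # implicit default drop


ALL, WAN_IP = Net("all-nets"), Net("195.11.22.33")          # wan_ip value assumed
FARM, RANGE = Net("195.55.66.77-195.55.66.81"), Net("194.1.2.16-194.1.2.30")
RULES = [
    # 1:1 (page 380/382): one server behind wan_ip
    Rule("SAT_HTTP_To_DMZ", "SAT", "any", ALL, "core", WAN_IP, "http", setdest=("10.10.10.5", None, False)),
    Rule("Allow_HTTP_To_DMZ", "Allow", "any", ALL, "core", WAN_IP, "http"),
    # M:N (page 384): five public addresses onto five servers from an assumed base 10.0.0.10
    Rule("SAT_Farm", "SAT", "any", ALL, "core", FARM, "http", setdest=("10.0.0.10", None, False)),
    Rule("Allow_Farm", "Allow", "any", ALL, "core", FARM, "http"),
    # N:1 (page 386): a whole range onto 192.168.0.50 with All-to-One
    Rule("SAT_AllToOne", "SAT", "wan", ALL, "core", RANGE, "http", setdest=("192.168.0.50", None, True)),
    Rule("Allow_AllToOne", "Allow", "wan", ALL, "core", RANGE, "http"),
]

if __name__ == "__main__":
    for dst, dport, svc in (("195.11.22.33", 80, "http"), ("195.55.66.79", 80, "http"),
                            ("194.1.2.30", 80, "http"), ("195.11.22.33", 22, "ssh")):
        print(evaluate(RULES, Packet("wan", "203.0.113.7", 40000, "core", dst, dport, svc)))
```

    Evaluating the first SAT rule on its own, without the Allow rule that follows it, yields a drop with the destination untranslated, which is the behaviour the chapter warns about when the permitting rule is missing or placed incorrectly.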
  • Page 389 themselves. This will not work, as the packets will be interpreted as coming from the wrong address. We will now try moving the NAT rule between the SAT and FwdFast rules: Action Src Iface Src Net...
  • Page 391: User Authentication

    Chapter 8. User Authentication This chapter describes how NetDefendOS implements user authentication. • Overview, page 391 • Authentication Setup, page 393 • Customizing Authentication HTML Pages, page 410 8.1. Overview In situations where individual users connect to protected resources through the NetDefend Firewall, the administrator will often require that each user goes through a process of authentication before access is allowed.
  • Page 392 To remain secure, passwords should also: • Not be recorded anywhere in written form. • Never be revealed to anyone else. • Be changed on a regular basis, such as every three months.
  • Page 393: Authentication Setup

    8.2. Authentication Setup 8.2.1. Setup Summary The following list summarizes the steps for User Authentication setup with NetDefendOS: • Have an authentication source which consists of a database of users, each with a username/password combination.
  • Page 394 The purpose of this is to restrict access to certain networks to a particular group by having IP rules which only apply to members of that group. To gain access to a resource there must be an IP rule that allows it, and the client must belong to the same group as the rule's Source Network group.
  • Page 395: External Radius Servers

    NetDefendOS SSH Client Key object. When the user connects, the keys used by the client are automatically checked to verify their identity. Once verified, there is no need for the user to input their username and password. To make use of this feature, the relevant SSH Client Key object or objects must first be defined separately in NetDefendOS.
  • Page 396 Setting Up LDAP Authentication There are two steps for setting up user authentication with LDAP servers: • Define one or more user authentication LDAP server objects in NetDefendOS. • Specify one or a list of these LDAP server objects in a user authentication rule. One or more LDAP servers can be associated as a list within a user authentication rule.
  • Page 397 tuple for a username attribute that has an ID of username and a value of Smith. These attributes can be used in different ways and their meaning to the LDAP server is usually defined by the server's database schema.
  • Page 398 The Membership Attribute defines which groups a user is a member of. This is similar to the way a user belongs to either the admin or audit database group in NetDefendOS. This is another tuple defined by the server's database schema and the default ID is MemberOf.
  • Page 399 • Administrator Account The LDAP server requires that the user establishing a connection to perform a search has administrator privileges. The Administration Account specifies the administrator username. This username may be requested by the server in a special format, in the same way as described previously with Use Domain Name.
  • Page 400 • The server does not respond within the Timeout period specified for the server. If only one server is specified then authentication is considered to have failed. If alternate servers are defined for the user authentication rule then these are queried next.
  • Page 401: Normal Ldap Authentication

    server, which then performs the authentication and sends back a bind response with the result. Figure 8.1. Normal LDAP Authentication The processing is different if a group membership is being retrieved, since a request is sent to the LDAP server to search for memberships and any group memberships are then sent back in the response.
  • Page 402: Authentication Rules

    Figure 8.2. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 Important: The link to the LDAP server must be protected Since the LDAP server sends passwords back in plain text to NetDefendOS, the link between the NetDefend Firewall and the server must be protected.
  • Page 403 the detailed HTTP explanation below). An IP rule allowing client access to core is also required with this agent type. iii. XAUTH This is the IKE authentication method which is used as part of VPN tunnel establishment with IPsec.
  • Page 404: Authentication Processing

    Connection Timeouts An Authentication Rule can specify the following timeouts related to a user session: • Idle Timeout How long a connection can be idle before being automatically terminated (1800 seconds by default). • Session Timeout The maximum time that a connection can exist (no value is specified by default).
  • Page 405: A Group Usage Example

    authentication rule. This will be either a local NetDefendOS database, an external RADIUS database server or an external LDAP server. NetDefendOS then allows further traffic through this connection as long as authentication was successful and the service requested is allowed by a rule in the IP rule set.
  • Page 406 the setting WebUI HTTP Port. Port number 81 could be used instead for this setting. The same is true for HTTPS authentication: the default HTTPS management port number of 443 must also be changed. HTTP(S) Agent Options For HTTP and HTTPS authentication there is a set of options in an authentication rule called Agent Options.
  • Page 407 six two-character lower-case hexadecimal values separated by a hyphen ("-") character. For example: 00-0c-19-f9-14-6f IP Rules are Needed HTTP authentication cannot operate unless a rule is added to the IP rule set to explicitly allow authentication to take place.
  • Page 408: Creating An Authentication User Group

    Example 8.1. Creating an Authentication User Group In the example of an authentication address object in the address book, a user group "users" is used to enable user authentication on "lannet". This example shows how to configure the user group in the NetDefendOS database.
  • Page 409: Configuring A Radius Server

    • Destination Interface core • Destination Network lan_ip Click OK B. Set up an Authentication Rule Go to: User Authentication > User Authentication Rules > Add > User Authentication Rule Now enter: • Name: HTTPLogin •...
  • Page 410: Customizing Authentication Html

    Retry Timeout: 2 (NetDefendOS will resend the authentication request to the server if there is no response after the timeout, for example every 2 seconds. This will be retried a maximum of 3 times) Shared Secret: Enter a text string here for basic encryption of the RADIUS messages Confirm Secret: Retype the string to confirm the one typed above Click OK...
  • Page 411: Editing Content Filtering Http Banner Files

    HTML back to NetDefendOS. To perform customization it is necessary to first create a new Auth Banner Files object with a new name. This new object automatically contains a copy of all the files in the Default Auth Banner Files object.
  • Page 412 This example shows how to modify the contents of the URL forbidden HTML page. Web Interface Go to: Objects > HTTP Banner files > Add > Auth Banner Files Enter a name such as new_forbidden and press OK The dialog for the new set of ALG banner files will appear Click the Edit &...
  • Page 413 set UserAuthRule my_auth_rule HTTPBanners=ua_html As usual, use the activate followed by the commit CLI commands to activate the changes on the NetDefend Firewall.
  • Page 415: Vpn

    Chapter 9. VPN This chapter describes the Virtual Private Network (VPN) functionality in NetDefendOS. • Overview, page 415 • VPN Quick Start, page 419 • IPsec Components, page 429 • IPsec Tunnels, page 444 • PPTP/L2TP, page 463 • SSL VPN, page 472 •...
  • Page 416: Vpn Encryption

    Client to LAN connection - Where many remote clients need to connect to an internal network over the Internet. In this case, the internal network is protected by the NetDefend Firewall to which the client connects, and the VPN tunnel is set up between them. 9.1.2.
  • Page 417: Vpn Planning

    side-effect of authentication. VPNs are normally only concerned with confidentiality and authentication. Non-repudiation is normally not handled at the network level but rather at a higher, transaction level. 9.1.3. VPN Planning An attacker targeting a VPN connection will typically not attempt to crack the VPN encryption since this requires enormous effort.
  • Page 418: The Tls Alternative For Vpn

    It is probably better to use more keys than is necessary today, since it will be easier to adjust access per user (group) in the future. • Should the keys be changed? If they are changed, how often? In cases where keys are shared by multiple users, consider using overlapping schemes, so that the old keys work for a short period of time after new keys have been issued.
  • Page 419: Vpn Quick Start

    9.2. VPN Quick Start Overview Later sections in this chapter will explore VPN components in detail. To help put those later sections in context, this section is a quick start summary of the steps needed for VPN setup. It outlines the individual steps in setting up VPNs for the most common scenarios.
  • Page 420: Ipsec Lan To Lan With Pre-Shared Keys

    9.2.1. IPsec LAN to LAN with Pre-shared Keys The objective is to create a secure means of joining two networks: a Local Network which is on the protected side of a local firewall; and a Remote Network which is on the other side of some remote device, located across an insecure network.
  • Page 421: Ipsec Lan To Lan With Certificates

    remote_net. • An Allow rule for inbound traffic that has the previously defined ipsec_tunnel object as the Source Interface. The Source Network is remote_net. Action Src Interface Src Network Dest Interface Dest Network Service Allow...
  • Page 422: Ipsec Roaming Clients With Pre-Shared Keys

    Also review Section 9.7, “CA Server Access” below, which describes important considerations for certificate validation. Self-signed certificates instead of CA signed can be used for LAN to LAN tunnels, but the Web Interface and other interfaces do not have a feature to generate them.
  • Page 423 • An external authentication server. An internal user database is easier to set up and is assumed here. Changing this to an external server is simple to do later. To implement user authentication with an internal database: •...
  • Page 424: Ipsec Roaming Clients With Certificates

    Once an Allow rule permits the connection to be set up, bidirectional traffic flow is allowed, which is why only one rule is used here. Instead of all-nets being used in the above, a more secure, defined IP object could be used which specifies the exact range of the pre-allocated IP addresses.
  • Page 425: L2Tp Roaming Clients With Pre-Shared Keys

    This is done by doing the following: Enable the X.509 Certificate option. Select the Gateway Certificate. Add the Root Certificate to use. The IPsec client software will need to be appropriately configured with the certificates and remote IP addresses.
  • Page 426 • Set Encapsulation Mode to Transport. • Select the IKE and IPsec algorithm proposal lists to be used. • Enable the IPsec tunnel routing option Dynamically add route to the remote network when tunnel established.
  • Page 427: L2Tp Roaming Clients With Certificates

    Connections should be selected to start the New Connection Wizard. The key information to enter in this wizard is: the resolvable URL of the NetDefend Firewall or alternatively its ip_ext IP address. Then choose Network >...
  • Page 428 9.2.7. PPTP Roaming Clients Define a PPTP/L2TP object (let's call it pptp_tunnel) with the following parameters: • Set Inner IP Address to ip_net. • Set Tunnel Protocol to PPTP. • Set Outer Interface Filter to ext. • Set Outer server IP to ip_ext.
  • Page 429: Ipsec Components

    9.3. IPsec Components This section looks at the IPsec standards and describes in general terms the various components, techniques and algorithms that are used in IPsec based VPNs. 9.3.1. Overview Internet Protocol Security (IPsec) is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP security at the network layer.
  • Page 430 An SA is unidirectional and relates to traffic flow in one direction only. For the bidirectional traffic that is usually found in a VPN, there is therefore a need for more than one SA per connection. In most cases, where only one of ESP or AH is used, two SAs will be created for each connection, one describing the incoming traffic and the other the outgoing.
  • Page 431 An IKE negotiation is performed in two phases. The first phase, phase 1, is used to authenticate the two VPN firewalls or VPN Clients to each other, by confirming that the remote device has a matching Pre-Shared Key.
  • Page 432 Tunnel mode indicates that the traffic will be tunneled to a remote device, which will decrypt/authenticate the data, extract it from its tunnel and pass it on to its final destination. This way, an eavesdropper will only see encrypted traffic going from one VPN endpoint to another.
  • Page 433 Note NetDefendOS does not support AH. IKE Encryption This specifies the encryption algorithm used in the IKE negotiation and, depending on the algorithm, the size of the encryption key used. The algorithms supported by NetDefendOS IPsec are: •...
  • Page 434 where the identities are also protected, by deleting the phase-1 SA every time a phase-2 negotiation has been finished, making sure no more than one phase-2 negotiation is encrypted using the same key. PFS is generally not needed, since it is very unlikely that any encryption or authentication keys will be compromised. Note, however, that without PFS the phase-2 keys are derived from phase-1 keying material, so an attacker who later obtains that material can recover the keys of any recorded phase-2 exchanges; enabling PFS costs one extra Diffie-Hellman exchange per rekey.
  • Page 435: Ike Authentication

    Diffie-Hellman (DH) is a cryptographic protocol that allows two parties that have no prior knowledge of each other to establish a shared secret key over an insecure communications channel through a series of plain text exchanges. Even though the exchanges between the parties might be monitored by a third party, Diffie-Hellman makes it extremely difficult for the third party to determine what the agreed shared secret key is and to decrypt data that is encrypted using the key.
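    The exchange just described, with both peers' messages and the resulting keys, is shown in the following added example; it is not NetDefendOS code and it is not the IKE key schedule. The group is a deliberately tiny toy (p = 2^127 - 1, g = 3) chosen so the numbers stay readable, where real IKE uses the large MODP groups; the HMAC-based key derivation and the nonce handling are likewise simplifications made for the demonstration. Running the exchange a second time for a rekey illustrates the point of PFS from the previous section: a fresh DH exchange yields a key unrelated to the old one.

```python
"""Diffie-Hellman as IKE uses it, both sides shown (added example, not
NetDefendOS code).  Toy group and a sketched HMAC key derivation: the real
protocol uses RFC 3526 MODP groups and IKE's own PRF schedule."""
import hashlib
import hmac
import secrets
from typing import Tuple

P = 2 ** 127 - 1     # toy modulus (a Mersenne prime); far too small for real use
G = 3                # toy generator


def is_valid_public(value: int) -> bool:
    """Reject 0, 1 and p-1: a peer sending those forces a predictable secret."""
    return 1 < value < P - 1


class Party:
    def __init__(self, name: str):
        self.name = name
        self._x = secrets.randbelow(P - 2) + 1   # private exponent, never sent
        self.public = pow(G, self._x, P)        # the KE payload, sent in the clear
        self.nonce = secrets.token_bytes(16)    # fresh for every negotiation

    def shared_secret(self, peer_public: int) -> int:
        if not is_valid_public(peer_public):
            raise ValueError("invalid Diffie-Hellman public value from peer")
        return pow(peer_public, self._x, P)


def derive_key(shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """HMAC sketch of SKEYID: mixes the DH secret with both nonces so that a
    replayed public value still yields a different key."""
    seed = hmac.new(nonce_i + nonce_r, shared.to_bytes(16, "big"), hashlib.sha256).digest()
    return hmac.new(seed, b"IKE phase-1 key", hashlib.sha256).digest()


def negotiate() -> Tuple[bytes, bytes, dict]:
    """Run one exchange.  Returns the key each side computed plus the
    transcript, which is everything an eavesdropper on the wire sees."""
    initiator, responder = Party("initiator"), Party("responder")
    transcript = {
        "i->r": {"KE": initiator.public, "Ni": initiator.nonce},
        "r->i": {"KE": responder.public, "Nr": responder.nonce},
    }
    k_i = derive_key(initiator.shared_secret(responder.public), initiator.nonce, responder.nonce)
    k_r = derive_key(responder.shared_secret(initiator.public), initiator.nonce, responder.nonce)
    return k_i, k_r, transcript


if __name__ == "__main__":
    k_i, k_r, transcript = negotiate()
    print("on the wire:", transcript)
    print("initiator key:", k_i.hex())
    print("responder key:", k_r.hex(), "(match)" if k_i == k_r else "(MISMATCH)")
    # PFS: a rekey runs a fresh exchange, so the new key is unrelated to the old one.
    print("rekey with fresh DH gives a different key:", negotiate()[0] != k_i)
```

    The transcript contains only the two public values and the nonces; recovering the key from it requires solving the discrete logarithm in the group, which is what the group size buys. The public-value check matters in practice: accepting 1 or p-1 from a peer lets an attacker fix the shared secret to a value they know.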
  • Page 436: Ipsec Protocols (Esp/Ah)

    9.3.4. IPsec Protocols (ESP/AH) Chapter 9. VPN PSK Advantages Pre-Shared Keying has a lot of advantages over manual keying. These include endpoint authentication, which is what the PSKs are really for. It also includes all the benefits of using IKE. Instead of using a fixed set of encryption keys, session keys will be used for a limited period of time, after which a new set of session keys is used.
  • Page 437: Nat Traversal

    9.3.5. NAT Traversal Chapter 9. VPN Figure 9.1. The AH protocol AH uses a cryptographic hash function to produce a MAC from the data in the IP packet. This MAC is then transmitted with the packet, allowing the remote endpoint to verify the integrity of the original IP packet, making sure the data has not been tampered with on its way through the Internet.
  • Page 438 9.3.5. NAT Traversal Chapter 9. VPN evolved. NAT traversal is an add-on to the IKE and IPsec protocols that allows them to function when being NATed. NetDefendOS supports the RFC3947 standard for NAT-Traversal with IKE. NAT traversal is divided into two parts: •...
  • Page 439: Algorithm Proposal Lists

    9.3.6. Algorithm Proposal Lists Chapter 9. VPN recommended setting unless the two firewalls have the same external IP address. • IP - An IP address can be manually entered • DNS - A DNS address can be manually entered • Email - An email address can be manually entered 9.3.6.
  • Page 440: Pre-Shared Keys

    9.3.7. Pre-shared Keys Chapter 9. VPN Go to: Objects > VPN Objects > IPsec Algorithms > Add > IPsec Algorithms Enter a name for the list, for example esp-l2tptunnel Now check the following: • 3DES • SHA1 • Click OK Then, apply the algorithm proposal list to the IPsec tunnel: Go to: Interfaces >...
  • Page 441: Identification Lists

    9.3.8. Identification Lists Chapter 9. VPN gw-world:/> add PSK MyPSK Type=HEX PSKHex=<enter the key here> Now apply the Pre-shared Key to the IPsec tunnel: gw-world:/> set Interface IPsecTunnel MyIPsecTunnel PSK=MyPSK Web Interface First create a Pre-shared Key: Go to: Objects > Authentication Objects > Add > Pre-shared key Enter a name for the pre-shared key, for example MyPSK Choose Hexadecimal Key and click Generate Random Key to generate a key to the Passphrase textbox Click OK...
  • Page 442: Using An Identity List

    Select MyIDList Enter a name for the ID, for example JohnDoe Select Distinguished name in the Type control Now enter: • Common Name: John Doe • Organization Name: D-Link • Organizational Unit: Support • Country: Sweden • Email Address: john.doe@D-Link.com...
  • Page 443 9.3.8. Identification Lists Chapter 9. VPN Finally, apply the Identification List to the IPsec tunnel: Go to: Interfaces > IPsec Select the IPsec tunnel object of interest Under the Authentication tab, choose X.509 Certificate Select the appropriate certificate in the Root Certificate(s) and Gateway Certificate controls Select MyIDList in the Identification List Click OK...
  • Page 444: Ipsec Tunnels

    9.4. IPsec Tunnels Chapter 9. VPN 9.4. IPsec Tunnels This section looks more closely at IPsec tunnels in NetDefendOS, their definition, options and usage. 9.4.1. Overview An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration capabilities as regular interfaces.
  • Page 445 9.4.1. Overview Chapter 9. VPN connection attempts coming from a particular IP address or group of addresses. This can degrade the performance of the NetDefendOS IPsec engine and explicitly dropping such traffic with an IP rule is an efficient way of preventing it reaching the engine. In other words, IP rules can be used for complete control over all traffic related to the tunnel.
  • Page 446: Lan To Lan Tunnels With Pre-Shared Keys

    9.4.2. LAN to LAN Tunnels with Pre-shared Keys Chapter 9. VPN • Section 9.2.1, “IPsec LAN to LAN with Pre-shared Keys”. • Section 9.2.2, “IPsec LAN to LAN with Certificates”. • Section 9.2.3, “IPsec Roaming Clients with Pre-shared Keys”. • Section 9.2.4, “IPsec Roaming Clients with Certificates”.
  • Page 447: Setting Up A Psk Based Vpn Tunnel For Roaming Clients

    9.4.3. Roaming Clients Chapter 9. VPN Example 9.4. Setting up a PSK based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip.
  • Page 448 9.4.3. Roaming Clients Chapter 9. VPN span with external firewall IP wan_ip. Web Interface A. Create a Self-signed Certificate for IPsec authentication: The step to actually create self-signed certificates is performed outside the Web Interface using a suitable software product. The certificate should be in the PEM (Privacy Enhanced Mail) file format. B.
  • Page 449: Setting Up Ca Server Certificate Based Vpn Tunnels For Roaming Clients

    9.4.3. Roaming Clients Chapter 9. VPN E. Finally configure the IP rule set to allow traffic inside the tunnel. Tunnels Based on CA Server Certificates Setting up client tunnels using a CA issued certificate is largely the same as using Self-signed certificates with the exception of a couple of steps.
  • Page 450 9.4.3. Roaming Clients Chapter 9. VPN • IKE Algorithms: Medium or High • IPsec Algorithms: Medium or High For Authentication enter: • Choose X.509 Certificates as the authentication method • Root Certificate(s): Select the CA server root certificate imported earlier and add it to the Selected list •...
  • Page 451: Fetching Crls From An Alternate Ldap Server

    9.4.4. Fetching CRLs from an alternate LDAP server Chapter 9. VPN Example 9.7. Setting Up Config Mode In this example, the Config Mode Pool object is enabled by associating with it an already configured IP Pool object called ip_pool1. Web Interface Go to: Objects >...
  • Page 452: Troubleshooting With Ikesnoop

    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Example 9.9. Setting up an LDAP server This example shows how to manually set up and specify an LDAP server. Command-Line Interface gw-world:/> add LDAPServer Host=192.168.101.146 Username=myusername Password=mypassword Port=389 Web Interface Go to: Objects > VPN Objects > LDAP > Add > LDAP Server Now enter: •...
  • Page 453 9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN The output from verbose option can be troublesome to interpret by an administrator seeing it for the first time. Presented below is some typical ikesnoop output with annotations to explain it. The tunnel negotiation considered is based on Pre-shared Keys.
  • Page 454 9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Encryption algorithm : 3DES-cbc Hash algorithm : MD5 Authentication method : Pre-Shared Key Group description : MODP 1024 Life type : Seconds Life duration : 43200 Life type : Kilobytes Life duration : 50000 Transform 4/4 Transform ID : IKE...
  • Page 455 9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN A typical response from the server is shown below. This must contain a proposal that is identical to one of the choices from the client list above. If no match was found by the server then a "No proposal chosen"...
  • Page 456 9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN IkeSnoop: Received IKE packet from 192.168.0.10:500 Exchange type : Identity Protection (main mode) ISAKMP Version : 1.0 Flags Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a Message ID : 0x00000000 Packet length : 220 bytes # payloads Payloads: KE (Key Exchange) Payload data length : 128 bytes...
  • Page 457 9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Payload data length : 8 bytes Protocol ID : ISAKMP Notification : Initial contact Explanation of Above Values Flags: E means encryption (it is the only flag used). ID: Identification of the client The Notification field is given as Initial Contact to indicate this is not a re-key.
  • Page 458 9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN SA life type : Seconds SA life duration : 21600 SA life type : Kilobytes SA life duration : 50000 Encapsulation mode : Tunnel Transform 2/4 Transform ID : Rijndael (aes) Key length : 128 Authentication algorithm : HMAC-SHA-1 SA life type...
  • Page 459: Ipsec Advanced Settings

    9.4.6. IPsec Advanced Settings Chapter 9. VPN IkeSnoop: Sending IKE packet to 192.168.0.10:500 Exchange type : Quick mode ISAKMP Version : 1.0 Flags : E (encryption) Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a Message ID : 0xaa71428f Packet length : 156 bytes # payloads Payloads: HASH (Hash)
  • Page 460 9.4.6. IPsec Advanced Settings Chapter 9. VPN This specifies the total number of IP rules that can be connected to IPsec tunnels. By default, this is approximately 4 times the licensed IPsecMaxTunnels, and the system memory for it is allocated at startup. By reducing the number of rules, memory requirements can be reduced, but making this change is not recommended.
  • Page 461 9.4.6. IPsec Advanced Settings Chapter 9. VPN Default: 86400 seconds IKE Max CA Path When the signature of a user certificate is verified, NetDefendOS looks at the issuer name field in the user certificate to find the CA certificate the certificate was signed by. The CA certificate may in turn be signed by another CA, which may be signed by another CA, and so on.
  • Page 462 9.4.6. IPsec Advanced Settings Chapter 9. VPN of the tunnel has not responded to DPD-R-U-THERE messages for DPD Expire Time x 10 seconds and there is no other evidence of life. When the SA is placed in the dead cache, NetDefendOS will not try to re-negotiate the tunnel.
  • Page 463: Pptp/L2Tp

    9.5. PPTP/L2TP Chapter 9. VPN 9.5. PPTP/L2TP The access by a client using a modem link over dial-up public switched networks, possibly with an unpredictable IP address, to protected networks via a VPN poses particular problems. Both the PPTP and L2TP protocols provide two different means of achieving VPN access from remote clients.
  • Page 464: L2Tp Servers

    9.5.2. L2TP Servers Chapter 9. VPN A common problem with setting up PPTP is that a router and/or switch in a network is blocking TCP port 1723 and/or IP protocol 47 before the PPTP connection can be made to the NetDefend Firewall.
  • Page 465: Setting Up An L2Tp Server

    9.5.2. L2TP Servers Chapter 9. VPN arguably offers better security than PPTP. Unlike PPTP, it is possible to set up multiple virtual networks across a single tunnel. Because it is IPsec based, L2TP requires NAT traversal (NAT-T) to be implemented on the LNS side of the tunnel. Note: Not all DHCP special parameters are sent to clients When DHCP is configured on an L2TP/IPsec interface to hand out client IPs, NetDefendOS does not return all the DHCP special parameters.
  • Page 466 9.5.2. L2TP Servers Chapter 9. VPN A. Start by preparing a new Local User Database: Command-Line Interface gw-world:/> add LocalUserDatabase UserDB gw-world:/> cc LocalUserDatabase UserDB gw-world:/UserDB> add User testuser Password=mypassword Web Interface Go to: User Authentication > Local User Databases > Add > Local User Database Enter a suitable name for the user database, for example UserDB Go to: User Authentication >...
  • Page 467 9.5.2. L2TP Servers Chapter 9. VPN Enter 250000 in the IPsec Life Time kilobytes control Under the Authentication tab, select Pre-shared Key Select MyPSK in the Pre-shared Key control Under the Routing tab, check the following controls: • Allow DHCP over IPsec from single-host clients •...
  • Page 468 9.5.2. L2TP Servers Chapter 9. VPN Go to: User Authentication > User Authentication Rules > Add > UserAuthRule Enter a suitable name for the rule, for example L2TP_Auth Now enter: • Agent: PPP • Authentication Source: Local • Interface: l2tp_tunnel •...
  • Page 469: L2Tp/Pptp Server Advanced Settings

    9.5.3. L2TP/PPTP Server advanced settings Chapter 9. VPN Enter a name for the rule, for example NATL2TP Now enter: • Action: NAT • Service: all_services • Source Interface: l2tp_tunnel • Source Network: l2tp_pool • Destination Interface: any • Destination Network: all-nets Click OK 9.5.3.
  • Page 470 9.5.4. PPTP/L2TP Clients Chapter 9. VPN • Interface Type - Specifies if it is a PPTP or L2TP client. • Remote Endpoint - The IP address of the remote endpoint. Where this is specified as a URL, the prefix dns: must precede it. Names of Assigned Addresses Both PPTP and L2TP utilize dynamic IP configuration using the PPP LCP protocol.
  • Page 471: Pptp Client Usage

    9.5.4. PPTP/L2TP Clients Chapter 9. VPN • A PPTP tunnel is defined between NetDefendOS and the server. • A route is added to the routing table in NetDefendOS which specifies that traffic for the server should be routed through the PPTP tunnel. Figure 9.3.
  • Page 472: Ssl Vpn

    9.6. SSL VPN Chapter 9. VPN 9.6. SSL VPN 9.6.1. Overview NetDefendOS provides an additional type of VPN connection called SSL VPN. This makes use of the Secure Sockets Layer (SSL) protocol to provide a secure tunnel between a remote client computer and a NetDefend Firewall.
  • Page 473: Configuring Ssl Vpn In Netdefendos

    • On the Windows based client side: A proprietary D-Link VPN SSL client application needs to be installed and configured to route traffic to the correct interface on the firewall. Installing and running the SSL VPN client software is done as part of the logging in process for users as they access the firewall through a web browser.
  • Page 474 9.6.2. Configuring SSL VPN in NetDefendOS Chapter 9. VPN • Outer Interface The interface on which to listen for SSL VPN connection attempts. This could be a physical Ethernet interface but it could also be another logical interface. For example, a PPPoE or VLAN interface could be used.
  • Page 475: Installing The Ssl Vpn Client

    9.6.3. Installing the SSL VPN Client For the SSL VPN to function, a proprietary D-Link SSL VPN client application must be installed on the client computer. This is done with the following steps:...
  • Page 476: The Ssl Vpn Client Login

    9.6.3. Installing the SSL VPN Client Chapter 9. VPN Figure 9.5. The SSL VPN Client Login The difference between the two approaches above is that when the SSL VPN client software is started by browsing to the SSL VPN interface, the correct settings for the tunnel are downloaded to the SSL VPN client software and stored as the client's configuration file.
  • Page 477: The Ssl Vpn Client Statistics

    9.6.3. Installing the SSL VPN Client Chapter 9. VPN Figure 9.6. The SSL VPN Client Statistics SSL VPN Client Operation Whenever the SSL VPN client application runs, the following happens: • A route is added to the Windows routing table. This route is equivalent to a NetDefendOS default all-nets route.
  • Page 478: Setup Example

    9.6.4. Setup Example Chapter 9. VPN have been removed. To remedy this problem, the D-Link SSL VPN client software should be started by selecting it in the Windows Start menu and then stopped. 9.6.4. Setup Example Example 9.13. Setting Up an SSL VPN Interface This example shows how to set up a new SSL VPN interface called my_sslvpn.
  • Page 479 9.6.4. Setup Example Chapter 9. VPN Web Interface Go to: User Authentication > User Authentication Rules > Add > User Authentication Rule Now enter: • Name: ssl_login • Agent: L2TP/PPTP/SSL VPN • Authentication Source: Local • Interface: my_sslvpn_if • Originator IP: all-nets (a more specific range is more secure) •...
  • Page 480: Ca Server Access

    9.7. CA Server Access Chapter 9. VPN 9.7. CA Server Access Overview Certificate validation can be done by accessing a separate Certificate Authority (CA) server. For example, the two sides of an IPsec tunnel exchange their certificates during the tunnel setup negotiation and either may then try to validate the received certificate.
  • Page 481: Certificate Validation Components

    9.7. CA Server Access Chapter 9. VPN The same steps should be followed if the other side of the tunnel is another firewall instead of being many clients. The CA server is a commercial server on the public Internet. In this, the simplest case, public DNS servers will resolve the FQDN.
  • Page 482 9.7. CA Server Access Chapter 9. VPN Placement of Private CA Servers The easiest solution for placement of a private CA server is to have it on the unprotected side of the NetDefend Firewall. This, however, is not recommended from a security viewpoint. It is better to place it on the inside (or preferably in the DMZ if available) and to have NetDefendOS control access to it.
  • Page 483: Vpn Troubleshooting

    9.8. VPN Troubleshooting Chapter 9. VPN 9.8. VPN Troubleshooting This section deals with how to troubleshoot the common problems that are found with VPN. 9.8.1. General Troubleshooting In all types of VPNs some basic troubleshooting checks can be made: • Check that all IP addresses have been specified correctly.
  • Page 484: Troubleshooting Certificates

    9.8.3. IPsec Troubleshooting Commands Chapter 9. VPN 9.8.2. Troubleshooting Certificates If certificates have been used in a VPN solution then the following should be looked at as a source of potential problems: • Check that the correct certificates have been used for the right purposes. •...
  • Page 485: Management Interface Failure With Vpn

    9.8.4. Management Interface Failure with VPN Chapter 9. VPN gw-world:/> ipsecstat -num=all Another example of what to avoid with many tunnels is: gw-world:/> ipsectunnels -num=all In these circumstances, using the option with a small number, for example -num=10, is recommended. The ikesnoop console command A common problem with setting up IPsec is a list of proposed algorithms that is unacceptable to the device at the other end of the tunnel.
  • Page 486 9.8.5. Specific Error Messages Chapter 9. VPN 2. Incorrect pre-shared key. 3. Ike_invalid_payload, Ike_invalid_cookie. 4. Payload_Malformed. 5. No public key found. 1. Could not find acceptable proposal / no proposal chosen This is the most common IPsec related error message. It means that depending on which side initiates tunnel setup, the negotiations in either the IKE or the IPSec phase of setup failed since they were unable to find a matching proposal that both sides could agree on.
  • Page 487 9.8.5. Specific Error Messages Chapter 9. VPN Since the tunnel L2TP in the above table is above the tunnel VPN-3, a match will trigger before VPN-3 because of the all-nets remote gateway (all-nets will match any network). Since these two tunnels use different pre-shared keys, NetDefendOS will generate an "Incorrect pre-shared key"...
  • Page 488: Specific Symptoms

    9.8.6. Specific Symptoms Chapter 9. VPN Also make sure that there is a DNS client configured for NetDefendOS in order to be able to correctly resolve the path to the CRL on the CA server. Note: L2TP with Microsoft Vista With L2TP, Microsoft Vista tries by default to contact and download the CRL list, while Microsoft XP does not.
  • Page 489 9.8.6. Specific Symptoms Chapter 9. VPN when there is something that fails in terms of network size on either local network or remote network. Since NetDefendOS has determined that it is a type of network size problem, it will try one last attempt to get the correct network by sending a config mode request.
  • Page 491: Traffic Management

    Chapter 10. Traffic Management This chapter describes how NetDefendOS can manage network traffic. • Traffic Shaping, page 491 • IDP Traffic Shaping, page 512 • Threshold Rules, page 517 • Server Load Balancing, page 520 10.1. Traffic Shaping 10.1.1. Overview QoS with TCP/IP A weakness of TCP/IP is the lack of true Quality of Service (QoS) functionality.
  • Page 492: Traffic Shaping In Netdefendos

    10.1.2. Traffic Shaping in NetDefendOS Chapter 10. Traffic Management Traffic Shaping Objectives Traffic shaping operates by measuring and queuing IP packets with respect to a number of configurable parameters. The objectives are: • Applying bandwidth limits and queuing packets that exceed configured limits, then sending them later when bandwidth demands are lower.
  • Page 493: Pipe Rules Determine Pipe Usage

    10.1.2. Traffic Shaping in NetDefendOS Chapter 10. Traffic Management Pipe Rules One or more Pipe Rules make up the NetDefendOS Pipe Rule set, which determines what traffic will flow through which pipes. Each pipe rule is defined like other NetDefendOS security policies: by specifying the source/destination interface/network as well as the service to which the rule is to apply.
  • Page 494: Simple Bandwidth Limiting

    10.1.3. Simple Bandwidth Limiting Chapter 10. Traffic Management will form a Chain of pipes through which traffic will pass. A chain can be made up of a maximum of 8 pipes. Explicitly Excluding Traffic from Shaping If no pipe is specified in a pipe rule list then traffic that triggers the rule will not flow through any pipe.
  • Page 495: Limiting Bandwidth In Both Directions

    10.1.4. Limiting Bandwidth in Both Directions Chapter 10. Traffic Management Web Interface Go to: Traffic Management > Traffic Shaping > Pipes > Add > Pipe Specify a suitable name for the pipe, for instance std-in Enter 2000 in the Total textbox under Pipe Limits Click OK Traffic needs to be passed through the pipe and this is done by using the pipe in a Pipe Rule.
  • Page 496: Creating Differentiated Limits Using Chains

    10.1.5. Creating Differentiated Limits Using Chains Chapter 10. Traffic Management Just inserting std-in in the forward chain will not work since we probably want the 2 Mbps limit for outbound traffic to be separate from the 2 Mbps limit for inbound traffic. If 2 Mbps of outbound traffic attempts to flow through the pipe in addition to 2 Mbps of inbound traffic, the total attempting to flow is 4 Mbps.
  • Page 497: Differentiated Limits Using Chains

    10.1.6. Precedences Chapter 10. Traffic Management The Incorrect Solution Two "surfing" pipes for inbound and outbound traffic could be set up. However, it is not usually required to limit outbound traffic since most web surfing usually consists of short outbound server requests followed by long inbound responses.
  • Page 498: Precedences

    10.1.6. Precedences Chapter 10. Traffic Management 10.1.6. Precedences The Default Precedence is Zero All packets that pass through NetDefendOS traffic shaping pipes have a Precedence. In the examples so far, precedences have not been explicitly set and so all packets have had the same default precedence which is 0.
  • Page 499 10.1.6. Precedences Chapter 10. Traffic Management Specifying Precedences Within Pipes When a pipe is configured, a Default Precedence, a Minimum Precedence and a Maximum Precedence can be specified. The default precedences are: • Minimum Precedence: 0 • Default Precedence: 0 •...
  • Page 500: Minimum And Maximum Pipe Precedence

    10.1.6. Precedences Chapter 10. Traffic Management Figure 10.5. Minimum and Maximum Pipe Precedence Lowest Precedence Limits It is usually not necessary to have a limit specified for the lowest (best effort) precedence, since this precedence simply uses any spare bandwidth not used by higher precedences. However, a limit could be specified if there is a need to restrict the bandwidth used by the lowest precedence.
  • Page 501 10.1.6. Precedences Chapter 10. Traffic Management The Need for Guarantees A problem can occur, however, if prioritized traffic is a continuous stream such as real-time audio: it can consume all available bandwidth continuously, resulting in unacceptably long queuing times for other services such as surfing, DNS or FTP.
  • Page 502: Pipe Groups

    10.1.7. Pipe Groups Chapter 10. Traffic Management Set the return chain of the port 23 rule to telnet-in followed by std-in. Set the priority assignment for both rules to Use defaults from first pipe; the default precedence of both the ssh-in and telnet-in pipes is 2. Using this approach rather than hard-coding precedence 2 in the rule set, it is easy to change the precedence of all SSH and Telnet traffic by changing the default precedence of the ssh-in and telnet-in pipes.
  • Page 503 10.1.7. Pipe Groups Chapter 10. Traffic Management other words the netmask for the network must be specified for NetDefendOS. Specifying Group Limits Once the method of grouping is selected, the next step is to specify the Group Limits. These limits can consist of one or both of the following: •...
  • Page 504: Traffic Grouped By Ip Address

    10.1.7. Pipe Groups Chapter 10. Traffic Management Figure 10.6. Traffic Grouped By IP Address Another Simple Groups Example Consider another situation where the total bandwidth limit for a pipe is 400 bps. If the aim is to allocate this bandwidth amongst many destination IP addresses so that no single IP address can take more than 100 bps of bandwidth, the following steps are needed.
  • Page 505: Traffic Shaping Recommendations

    10.1.8. Traffic Shaping Recommendations Chapter 10. Traffic Management of how many there are. This is done up to the limit of the pipe. If a total group limit of 100 bps is also specified with dynamic balancing, then this still means that no single user may take more than that amount of bandwidth.
  • Page 506: A Summary Of Traffic Shaping

    10.1.9. A Summary of Traffic Shaping Chapter 10. Traffic Management A special case when a total pipe limit is not specified is when a group limit is used instead. The bandwidth limit is then placed on, for example, each user of a network where the users must share a fixed bandwidth resource.
  • Page 507: More Pipe Examples

    10.1.10. More Pipe Examples Chapter 10. Traffic Management NetDefendOS traffic shaping provides a sophisticated set of mechanisms for controlling and prioritising network packets. The following points summarize its use: • Select the traffic to manage through Pipe Rules. • Pipe Rules send traffic through Pipes. •...
  • Page 508: A Basic Traffic Shaping Scenario

    10.1.10. More Pipe Examples Chapter 10. Traffic Management Figure 10.7. A Basic Traffic Shaping Scenario The reason for using 2 different pipes in this case is that these are easier to match to the physical link capacity. This is especially true with asynchronous links such as ADSL. First, two pipes called in-pipe and out-pipe need to be created with the following parameters: Pipe Name Min Prec...
  • Page 509 10.1.10. More Pipe Examples Chapter 10. Traffic Management • Priority 4 - Citrix (250 kbps) • Priority 2 - Other traffic (1000 kbps) • Priority 0 - Web plus remaining from other levels To implement this scheme, we can use the in-pipe and out-pipe. We first enter the Pipe Limits for each pipe.
  • Page 510 10.1.10. More Pipe Examples Chapter 10. Traffic Management reasonable for a VPN tunnel where the underlying physical connection capacity is 2 Mbps. It is also important to remember to insert into the pipe all non-VPN traffic using the same physical link.
  • Page 511 10.1.10. More Pipe Examples Chapter 10. Traffic Management VoIP to the remote site is guaranteed 500 kbps of capacity before it is forced to best effort. SAT with Pipes If SAT is being used, for example with a web server or ftp server, that traffic also needs to be forced into pipes or it will escape traffic shaping and ruin the planned quality of service.
  • Page 512: Idp Traffic Shaping

    10.2. IDP Traffic Shaping Chapter 10. Traffic Management 10.2. IDP Traffic Shaping 10.2.1. Overview The IDP Traffic Shaping feature is traffic shaping that is performed based on information coming from the NetDefendOS Intrusion Detection and Prevention (IDP) subsystem (for more information on IDP see Section 6.5, “Intrusion Detection and Prevention”).
  • Page 513: Processing Flow

    10.2.3. Processing Flow Chapter 10. Traffic Management Typically, a P2P transfer starts with an initial connection to allow transfer of control information followed by a number of data transfer connections to other hosts. It is the initial connection that IDP detects and the Time Window specifies the expected period afterwards when other connections will be opened and subject to traffic shaping.
  • Page 514: A P2P Scenario

    10.2.5. A P2P Scenario Chapter 10. Traffic Management connection just because host X is involved. Excluding Hosts To avoid these unintended consequences, we specify the IPv4 addresses of client A and client B in the Network range but not host X. This tells NetDefendOS that host X is not relevant in making a decision about including new non-IDP-triggering connections in traffic shaping.
  • Page 515: Viewing Traffic Shaping Objects

    10.2.6. Viewing Traffic Shaping Objects Chapter 10. Traffic Management 10.2.6. Viewing Traffic Shaping Objects Viewing Hosts IDP traffic shaping has a special CLI command associated with it called idppipes and this can examine and manipulate the hosts which are currently subject to traffic shaping. To display all hosts being traffic shaped by IDP Traffic Shaping, the command would be: gw-world:/>...
  • Page 516: Guaranteeing Instead Of Limiting Bandwidth

    10.2.7. Guaranteeing Instead of Limiting Bandwidth Chapter 10. Traffic Management using the "Per Destination IP" feature. 10.2.7. Guaranteeing Instead of Limiting Bandwidth If desired, IDP Traffic Shaping can be used to do the opposite of limiting bandwidth for certain applications. If the administrator wants to guarantee a bandwidth level, say 10 Megabits, for an application then an IDP rule can be set up to trigger for that application with the Pipe action specifying the bandwidth required.
  • Page 517: Threshold Rules

    "connection" in this context refers to all types of connections, such as TCP, UDP or ICMP, tracked by the NetDefendOS state-engine). Note: Threshold Rules are not available on all NetDefend models The Threshold Rules feature is only available on the D-Link NetDefend DFL-860E, 1660, 2560 and 2560G. Threshold Policies...
  • Page 518 Rules if they are enabled. Threshold Rules and ZoneDefense Threshold Rules are used in the D-Link ZoneDefense feature to block the source of excessive connection attempts from internal hosts. More information on this feature can be found in Chapter 12, ZoneDefense.
  • Page 519 10.3. Threshold Rules Chapter 10. Traffic Management rule, is added automatically to a Blacklist of IP addresses or networks. If several Protect actions with blacklisting enabled are triggered at the same time, only the first triggered blacklisting action will be executed by NetDefendOS. A host based action with blacklisting enabled will blacklist a single host when triggered.
  • Page 520: Server Load Balancing

    Note: SLB is not available on all D-Link NetDefend models The SLB feature is only available on the D-Link NetDefend DFL-860E, 1660, 2560 and 2560G. The illustration below shows a typical SLB scenario, with Internet access to internal server...
  • Page 521: Slb Distribution Algorithms

    10.4.2. SLB Distribution Algorithms Chapter 10. Traffic Management Figure 10.9. A Server Load Balancing Configuration Additional Benefits of SLB Besides improving performance and scalability, SLB provides other benefits: • SLB increases the reliability of network applications by actively monitoring the servers sharing the load.
  • Page 522: Selecting Stickiness

    10.4.3. Selecting Stickiness Chapter 10. Traffic Management receiving over a certain time period. This time period is known as the Window Time. SLB sends the next request to the server that has received the least number of connections during the last Window Time number of seconds.
  • Page 523: Slb Algorithms And Stickiness

    10.4.4. SLB Algorithms and Stickiness Chapter 10. Traffic Management (the Idle Timeout has not been exceeded). The consequence of a full table can be that stickiness will be lost for any discarded source IP addresses. The administrator should therefore try to ensure that the Max Slots parameter is set to a value that can accommodate the expected number of connections that require stickiness.
  • Page 524: Server Health Monitoring

    Regardless of the algorithm used, if a server is deemed to have failed, SLB will not open any more connections to it until the server is restored to full functionality. D-Link Server Load Balancing provides the following monitoring modes: ICMP Ping: This works at OSI layer 3.
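    The connection-rate algorithm, the stickiness table with its Max Slots and Idle Timeout limits, and the exclusion of a server that health monitoring has marked failed, combined in one added example. It is a model written for this page, not D-Link's implementation: the class name, the tie-breaking rule, the parameter values and the client addresses in the sample sequence are assumptions. The sequence is arranged so that a full stickiness table discards a client and that client is re-balanced onto a different server, which is the failure mode the Max Slots warning above is about.

```python
from collections import OrderedDict, deque


class ServerLoadBalancer:
    """Model of NetDefendOS SLB: connection-rate distribution, source-IP
    stickiness with Max Slots / Idle Timeout, and health-based exclusion."""

    def __init__(self, servers, window_time=10.0, max_slots=2, idle_timeout=10.0):
        self.servers = list(servers)
        self.healthy = {s: True for s in self.servers}
        self.window_time = window_time      # seconds counted by the connection-rate algorithm
        self.max_slots = max_slots          # size of the stickiness table
        self.idle_timeout = idle_timeout    # seconds before an idle sticky entry is dropped
        self._recent = {s: deque() for s in self.servers}  # per-server connection timestamps
        self._sticky = OrderedDict()        # src_ip -> (server, last_seen), LRU order

    def set_health(self, server, ok):
        """Result of server health monitoring (e.g. ICMP ping): a failed server
        receives no new connections until it is marked healthy again."""
        self.healthy[server] = ok

    def _recent_count(self, server, now):
        q = self._recent[server]
        while q and now - q[0] >= self.window_time:
            q.popleft()
        return len(q)

    def _pick_connection_rate(self, now):
        # Fewest new connections in the last Window Time seconds; ties go to
        # the server listed first (the tie-breaking rule is an assumption).
        candidates = [s for s in self.servers if self.healthy[s]]
        if not candidates:
            return None
        return min(candidates, key=lambda s: (self._recent_count(s, now), self.servers.index(s)))

    def _expire_sticky(self, now):
        for ip, (_, seen) in list(self._sticky.items()):
            if now - seen >= self.idle_timeout:
                del self._sticky[ip]

    def sticky_clients(self):
        return list(self._sticky)

    def dispatch(self, src_ip, now):
        """Return the server chosen for a new connection from src_ip, or None."""
        self._expire_sticky(now)
        entry = self._sticky.get(src_ip)
        if entry is not None and self.healthy[entry[0]]:
            server = entry[0]                         # stickiness honoured
        else:
            server = self._pick_connection_rate(now)
            if server is None:
                return None
            if src_ip not in self._sticky and len(self._sticky) >= self.max_slots:
                # Table full: the least recently used client is discarded and
                # loses its stickiness, which is what Max Slots must be sized to avoid.
                self._sticky.popitem(last=False)
        self._sticky[src_ip] = (server, now)
        self._sticky.move_to_end(src_ip)
        self._recent[server].append(now)
        return server


def simulate():
    """Constructed sequence of client connections (addresses are made up)."""
    slb = ServerLoadBalancer(["srv1", "srv2"], window_time=10.0, max_slots=2, idle_timeout=10.0)
    chosen = [
        slb.dispatch("10.1.1.1", 0.0),  # srv1: both idle, first in list
        slb.dispatch("10.1.1.2", 1.0),  # srv2: srv1 already has one connection
        slb.dispatch("10.1.1.1", 2.0),  # srv1: sticky
        slb.dispatch("10.1.1.3", 3.0),  # srv2: table full, 10.1.1.2 evicted
        slb.dispatch("10.1.1.2", 4.0),  # srv1: stickiness lost, re-balanced
    ]
    slb.set_health("srv1", False)       # health monitor reports srv1 down
    chosen.append(slb.dispatch("10.1.1.2", 5.0))   # srv2: sticky target has failed
    slb.set_health("srv1", True)
    chosen.append(slb.dispatch("10.1.1.3", 20.0))  # srv1: window and sticky entries expired
    return chosen


if __name__ == "__main__":
    print(simulate())
```

    With max_slots raised to 3 the fourth connection would not evict 10.1.1.2 and the fifth would stay on srv2; the model makes that sizing decision visible before it is discovered in production as sessions that silently lose their server.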
  • Page 525: Setting Up Slb_Sat Rules

    10.4.6. Setting Up SLB_SAT Rules. The key component in setting up SLB is IP rules that have SLB_SAT as the action. The steps that should be followed for setting up such rules are: Define an IP address object for each server for which SLB is to be enabled.
  • Page 526 Web Interface. A. Create an Object for each of the webservers: Go to: Objects > Address Book > Add > IP4 Address. Enter a suitable name, for example server1. Enter the IP Address as 192.168.1.10. Click OK. Repeat the above to create an object called server2 for the 192.168.1.11 IP address. B.
  • Page 527 Go to: Rules > IP Rule Sets > main > Add > IP Rule. Enter: • Name: Web_SLB_ALW • Action: Allow • Service: HTTP • Source Interface: any • Source Network: all-nets •...
  • Page 528 10.4.6. Setting Up SLB_SAT Rules...
  • Page 529: High Availability

    This is sometimes known as an active-passive implementation of fault tolerance. Note: HA is only available on some NetDefend models. The HA feature is only available on the D-Link NetDefend DFL-1660, 2560 and 2560G. The Master and Active Units: When reading this section on HA, it should be kept in mind that the master unit in a cluster is not always the same as the active unit in a cluster.
  • Page 530 Load-sharing: D-Link HA clusters do not provide load-sharing, since only one unit will be active while the other is inactive, and only two NetDefend Firewalls, the master and the slave, can exist in a single cluster. The only processing role that the inactive unit plays is to replicate the state of the active unit and to take over all traffic processing if it detects that the active unit is not responding.
  • Page 531: Ha Mechanisms

    Basic Principles: D-Link HA provides a redundant, state-synchronized hardware configuration. The state of the active unit, such as the connection table and other vital information, is continuously copied to the inactive unit via the sync interface. When cluster failover occurs, the inactive unit knows which connections are active, and traffic can continue to flow after the failover with negligible disruption.
  • Page 532 A database update causes the following sequence of events to occur in an HA cluster: The active (master) unit downloads the new database files from the D-Link servers. The download is done via the shared IP address of the cluster.
  • Page 533 to the slave unit. The slave is now the active unit. After reconfiguration of the master is complete, failover occurs again so that the master once again becomes the active unit. Dealing with Sync Failure: An unusual situation that can occur in an HA cluster is if the sync connection between the master and slave fails, with the result that heartbeats and state updates are no longer received by the inactive unit.
  • Page 534: Setting Up Ha

    11.3. Setting Up HA. This section provides a step-by-step guide for setting up an HA Cluster. 11.3.1. HA Hardware Setup: The steps for the setup of hardware in an HA cluster are as follows: Start with two physically similar NetDefend Firewalls.
  • Page 535: Netdefendos Manual Ha Setup

    11.3.2. NetDefendOS Manual HA Setup. Typical HA Cluster Network Connections: The illustration below shows the arrangement of typical HA Cluster connections in a network. All interfaces on the master unit would normally also have corresponding interfaces on the slave unit, and these would be connected to the same networks.
  • Page 536: Verifying The Cluster Functions

    Go to: System > High Availability. Check the Enable High Availability checkbox. Set the Cluster ID. This must be unique for each cluster. Choose the Sync Interface. Select the node type to be Master. Go to: Objects >...
  • Page 537: Unique Shared Mac Addresses

    The lower number on the left in this output is the current number of connections and the higher number on the right is the maximum number of connections allowed by the license. The following points are also relevant to cluster setup: •...
  • Page 538: Ha Issues

    11.4. HA Issues. The following points should be kept in mind when managing and configuring an HA Cluster. All Cluster Interfaces Need IP Addresses: All interfaces on both HA cluster units should have a valid private IP4 address object assigned to them.
  • Page 539 router. If OSPF is to work then there must be another designated router available in the same OSPF area as the cluster. Ideally, there will also be a second, backup designated router to provide OSPF metrics if the main designated router should fail.
  • Page 540: Upgrading An Ha Cluster

    11.5. Upgrading an HA Cluster. The NetDefendOS software versions running on the master and slave in an HA cluster should be the same. When a new NetDefendOS version becomes available and is to be installed on both units, the upgrade is done one unit at a time.
  • Page 541 Now, connect to the active unit (which is still running the old NetDefendOS version) with a CLI console and issue the ha -deactivate command. This will cause the active unit to become inactive, and the inactive unit to become active.
  • Page 542: Link Monitoring And Ha

    11.6. Link Monitoring and HA. Redundant Network Paths: When using an HA configuration, it can be important to use redundant paths to vital resources such as the Internet. The paths through the network from the master device in an HA configuration may fail, in which case it may be desirable to have this failure trigger a failover to the slave unit, which has a different path to the resource.
  • Page 543: Ha Advanced Settings

    11.7. HA Advanced Settings. The following NetDefendOS advanced settings are available for High Availability: Sync Buffer Size: How much sync data, in Kbytes, to buffer while waiting for acknowledgments from the cluster peer. Default: 1024. Sync Packet Max Burst: The maximum number of state sync packets to send in a burst.
  • Page 544 11.7. HA Advanced Settings...
  • Page 545: Zonedefense

    Blocked hosts and networks remain blocked until the system administrator manually unblocks them using the Web or Command Line interface. Note: ZoneDefense is not available on all NetDefend models. The ZoneDefense feature is only available on the D-Link NetDefend DFL-860E, 1660, 2560 and 2560G.
  • Page 546: Zonedefense Switches

    12.2. ZoneDefense Switches. Switch information regarding every switch that is to be controlled by the firewall has to be manually specified in the firewall configuration. The information needed in order to control a switch includes: •...
  • Page 547: Zonedefense Operation

    Managed devices: The managed devices must be SNMP compliant, as D-Link switches are. They store state data in databases known as the Management Information Base (MIB) and provide the information to the manager upon receiving an SNMP query.
  • Page 548: A Simple Zonedefense Scenario

    (in network range 192.168.2.0/24 for example) from accessing the switch completely. A D-Link switch model DES-3226S is used in this case, with a management interface address 192.168.1.250 connecting to the firewall's interface address 192.168.1.1. This firewall interface is added into the exclude list to prevent the firewall from being accidentally locked out from accessing the switch.
  • Page 549: Zonedefense With Anti-Virus Scanning

    12.3.4. ZoneDefense with Anti-Virus Scanning. For Addresses, choose the object name of the firewall's interface address 192.168.1.1 from the Available list and put it into the Selected list. Click OK. Configure an HTTP threshold of 10 connections/second: Go to: Traffic Management >...
  • Page 550 12.3.5. Limitations. actually starts blocking out the traffic matched by the rule. All switch models require a short period of latency time to implement blocking once the rule is triggered. Some models can activate blocking in less than a second, while some models may require a minute or more. A second difference is the maximum number of rules supported by different switches.
  • Page 551 12.3.5. Limitations...
  • Page 552: Advanced Settings

    Chapter 13. Advanced Settings. This chapter describes the additional configurable advanced settings for NetDefendOS that are not already described in the manual. In the Web Interface these settings are found under System > Advanced Settings. The settings are divided up into the following categories: Note: Activating setting changes. After any advanced setting is changed, the new NetDefendOS configuration must be activated in order for the new value to take effect.
  • Page 553 13.1. IP Level Settings. Block 0000 Src: Block 0.0.0.0 as source address. Default: Drop. Block 0 Net: Block 0.* as source addresses. Default: DropLog. Block 127 Net: Block 127.* as source addresses. Default: DropLog. Block Multicast Src: Block multicast source addresses (224.0.0.0 - 255.255.255.255).
  • Page 554 Default: ValidateLogBad. SecuRemoteUDP Compatibility: Allow IP data to contain eight bytes more than the UDP total length field specifies. Checkpoint SecuRemote violates NAT-T drafts. Default: Disabled. IP Option Sizes: Verifies the size of "IP options". These options are small blocks of information that may be added to the end of each IP header.
  • Page 555 IP Reserved Flag: Indicates what NetDefendOS will do if there is data in the "reserved" fields of IP headers. In normal circumstances, these fields should read 0. Used by OS Fingerprinting. Default: DropLog. Strip DontFragment: Strip the Don't Fragment flag for packets equal to or smaller than the size specified by this setting.
  • Page 556: Tcp Level Settings

    13.2. TCP Level Settings. TCP Option Sizes: Verifies the size of TCP options. This function acts in the same way as IPOptionSizes described above. Default: ValidateLogBad. TCP MSS Min: Determines the minimum permissible size of the TCP MSS. Packets containing maximum segment sizes below this limit are handled according to the next setting.
  • Page 557 Default: 7000 bytes. TCP Auto Clamping: Automatically clamp the TCP MSS according to the MTU of the involved interfaces, in addition to TCPMSSMax. Default: Enabled. TCP Zero Unused ACK: Determines whether NetDefendOS should set the ACK sequence number field in TCP packets to zero if it is not used.
  • Page 558 Determines how NetDefendOS will handle alternate checksum request options. These options were initially intended to be used in negotiating the use of better checksums in TCP. However, they are not understood by today's standard systems. As NetDefendOS cannot understand checksum algorithms other than the standard algorithm, these options can never be accepted.
  • Page 559 Default: DropLog. TCP SYN/FIN: The TCP FIN flag together with SYN; normally invalid (strip=strip FIN). Default: DropLog. TCP FIN/URG: Specifies how NetDefendOS will deal with TCP packets with both FIN (Finish, close connection) and URG flags turned on.
  • Page 560 Determines if the sequence number range occupied by a TCP segment will be compared to the receive window announced by the receiving peer before the segment is forwarded. TCP sequence number validation is only possible on connections tracked by the state engine (not on packets forwarded using a FwdFast rule).
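    The IP and TCP level checks from Sections 13.1 and 13.2, plus the port 0 settings from Section 13.9, as an added example that parses raw IPv4/TCP/UDP headers and returns the manual's default action for the first setting that fires. This is not NetDefendOS code: the evaluation order, the setting keys, the helper names and the constructed packets are assumptions, and checksums are neither computed nor verified. It demonstrates why these settings exist: a SYN+FIN probe, a loopback source on the outside and a port 0 packet are each malformed in a way a stateful engine cannot reason about, so they are dropped before rule lookup.

```python
import ipaddress
import struct

# Actions taken from the manual's defaults for the settings modelled here.
DEFAULTS = {
    "Block0000Src": "Drop",
    "Block0Net": "DropLog",
    "Block127Net": "DropLog",
    "BlockMulticastSrc": "DropLog",
    "IPReservedFlag": "DropLog",
    "TCPSynFin": "DropLog",
    "TCPFinUrg": "DropLog",
    "Port0": "DropLog",
    "UDPSourcePort0": "DropLog",
}

TCP_FIN, TCP_SYN, TCP_ACK, TCP_URG = 0x01, 0x02, 0x10, 0x20


def parse_ipv4(pkt):
    """Parse the fixed IPv4 header; returns the fields the checks need."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total, _ident, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("malformed IPv4 header")
    return {
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
        "proto": proto,
        "reserved_flag": bool(flags_frag & 0x8000),  # the 'reserved' bit of the flags field
        "payload": pkt[ihl:],
    }


def check_packet(pkt, settings=DEFAULTS):
    """Return (action, setting) where action is 'Accept', 'Drop' or 'DropLog'.
    The order in which settings are evaluated is an assumption of this model."""
    hdr = parse_ipv4(pkt)
    src = hdr["src"]
    if src == ipaddress.IPv4Address("0.0.0.0"):
        return settings["Block0000Src"], "Block0000Src"
    if src in ipaddress.IPv4Network("0.0.0.0/8"):
        return settings["Block0Net"], "Block0Net"
    if src in ipaddress.IPv4Network("127.0.0.0/8"):
        return settings["Block127Net"], "Block127Net"
    if src >= ipaddress.IPv4Address("224.0.0.0"):  # 224.0.0.0 - 255.255.255.255
        return settings["BlockMulticastSrc"], "BlockMulticastSrc"
    if hdr["reserved_flag"]:
        return settings["IPReservedFlag"], "IPReservedFlag"
    l4 = hdr["payload"]
    if hdr["proto"] == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        flags = l4[13]
        if flags & TCP_SYN and flags & TCP_FIN:
            return settings["TCPSynFin"], "TCPSynFin"
        if flags & TCP_FIN and flags & TCP_URG:
            return settings["TCPFinUrg"], "TCPFinUrg"
        if sport == 0 or dport == 0:
            return settings["Port0"], "Port0"
    elif hdr["proto"] == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        if dport == 0:
            return settings["Port0"], "Port0"
        if sport == 0:
            return settings["UDPSourcePort0"], "UDPSourcePort0"
    return "Accept", ""


# Helpers that build constructed test packets (checksums are left at zero).
def ipv4(src, dst, proto, l4, flags_frag=0):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, flags_frag, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + l4


def tcp(sport, dport, flags):
    # ports, seq, ack, data offset (5 words), flags, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


if __name__ == "__main__":
    for name, pkt in [
        ("spoofed loopback source", ipv4("127.0.0.1", "10.0.0.1", 6, tcp(1234, 80, TCP_SYN))),
        ("SYN+FIN scan probe", ipv4("10.0.0.2", "10.0.0.1", 6, tcp(1234, 80, TCP_SYN | TCP_FIN))),
        ("normal SYN", ipv4("10.0.0.2", "10.0.0.1", 6, tcp(40000, 443, TCP_SYN))),
    ]:
        print(name, check_packet(pkt))
```

    The DropLog defaults are worth keeping: a burst of TCPSynFin or Block127Net log events from a single source is a cheap scanner indicator that needs no IDP signature.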
  • Page 561: Icmp Level Settings

    13.3. ICMP Level Settings. ICMP Sends Per Sec Limit: Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section.
  • Page 562: State Settings

    13.4. State Settings. Connection Replace: Allows new additions to the NetDefendOS connection list to replace the oldest connections if there is no available space. Default: ReplaceLog. Log Open Fails: In some instances where the Rules section determines that a packet should be allowed through, the stateful inspection mechanism may subsequently decide that the packet cannot open a new connection.
  • Page 563 Default: Log. Log Connection Usage: This generates a log message for every packet that passes through a connection that is set up in the NetDefendOS state engine. Traffic whose destination is the NetDefend Firewall itself, for example NetDefendOS management traffic, is not subject to this setting.
  • Page 564: Connection Timeout Settings

    13.5. Connection Timeout Settings. The settings in this section specify how long a connection can remain idle, that is to say with no data being sent through it, before it is automatically closed. Please note that each connection has two timeout values: one for each direction.
  • Page 565 Default: 12. Other Idle Lifetime: Specifies in seconds how long connections using an unknown protocol can remain idle before they are closed. Default: 130...
  • Page 566: Length Limit Settings

    13.6. Length Limit Settings. This section contains information about the size limits imposed on the protocols directly under IP level, such as TCP, UDP and ICMP. The values specified here concern the IP data contained in packets. In the case of Ethernet, a single packet can contain up to 1480 bytes of IP data without fragmentation.
  • Page 567 Specifies in bytes the maximum size of an AH packet. AH, Authentication Header, is used by IPsec where only authentication is applied. This value should be set at the size of the largest packet allowed to pass through the VPN connections, regardless of its original protocol, plus approx...
  • Page 568: Fragmentation Settings

    13.7. Fragmentation Settings. An IP packet can be up to 65535 bytes long. However, most media, such as Ethernet, cannot carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate packets, each one given its own IP header and information that will help the recipient reassemble the original packet correctly.
  • Page 569 Default: Check8 (compare 8 random locations, a total of 32 bytes). Failed Fragment Reassembly: Reassemblies may fail due to one of the following causes: • Some of the fragments did not arrive within the time stipulated by the ReassTimeout or ReassTimeLimit settings.
  • Page 570 • NoLog - No logging is carried out under normal circumstances. • LogSuspect - Logs duplicated fragments if the reassembly procedure has been affected by "suspect" fragments. • LogAll - Always logs duplicated fragments. Default: LogSuspect. Fragmented ICMP: Other than ICMP ECHO (Ping), ICMP messages should not normally be fragmented as they contain...
  • Page 571 Reassembly Illegal Limit: Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving. Default: 60...
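    The reassembly safeguards from Section 13.7, as an added example: a reassembler that enforces a timeout, compares the data of duplicated or overlapping fragments (full comparison, or 8 sampled 4-byte words in the spirit of Check8), and remembers an illegal packet for a configurable number of seconds so that its remaining fragments are dropped on arrival. It is a model written for this page and not NetDefendOS code; the class and parameter names, the reason strings, the seeded random sampling and the constructed fragments are assumptions, and offsets are in bytes rather than the 8-byte units of the real header.

```python
import random


class FragmentReassembler:
    """Reassembles IP fragments with the safeguards the Fragmentation Settings
    describe: a reassembly timeout, a data check on overlapping duplicates and
    a memory of packets already judged illegal."""

    def __init__(self, timeout=65.0, illegal_limit=60.0, dup_check="CheckAll", seed=0):
        self.timeout = timeout              # seconds allowed for a reassembly to complete
        self.illegal_limit = illegal_limit  # seconds an illegal packet is remembered
        self.dup_check = dup_check          # "CheckAll" or "Check8" (8 random 4-byte words)
        self._rng = random.Random(seed)
        self.pending = {}   # key -> {"first": t, "frags": {offset: data}, "total": int|None}
        self.illegal = {}   # key -> time at which the illegal mark expires

    def _same_data(self, a, b):
        """Compare the overlapping bytes of a duplicate with what was stored."""
        if self.dup_check == "CheckAll" or len(a) <= 32:
            return a == b
        words = len(a) // 4
        for w in self._rng.sample(range(words), min(8, words)):
            if a[4 * w:4 * w + 4] != b[4 * w:4 * w + 4]:
                return False
        return True

    def _mark_illegal(self, key, now, reason):
        self.pending.pop(key, None)
        self.illegal[key] = now + self.illegal_limit
        return "drop", reason

    def add(self, key, offset, more, data, now):
        """Feed one fragment; key is (src, dst, ident, proto).
        Returns ('wait', None), ('done', payload) or ('drop', reason)."""
        expiry = self.illegal.get(key)
        if expiry is not None:
            if now < expiry:
                return "drop", "illegal"   # a later fragment of a packet already judged bad
            del self.illegal[key]
        state = self.pending.get(key)
        if state is not None and now - state["first"] >= self.timeout:
            del self.pending[key]          # reassembly timed out; start over
            state = None
        if state is None:
            state = self.pending[key] = {"first": now, "frags": {}, "total": None}
        end = offset + len(data)
        # A duplicate must carry identical bytes wherever it overlaps stored data.
        for off, old in state["frags"].items():
            lo, hi = max(off, offset), min(off + len(old), end)
            if lo < hi and not self._same_data(old[lo - off:hi - off], data[lo - offset:hi - offset]):
                return self._mark_illegal(key, now, "conflicting-fragment")
        total = state["total"]
        if not more:
            if total is not None and total != end:
                return self._mark_illegal(key, now, "conflicting-length")
            total = end
        state["frags"][offset] = data
        state["total"] = total
        if total is None:
            return "wait", None
        if any(o + len(d) > total for o, d in state["frags"].items()):
            return self._mark_illegal(key, now, "fragment-past-end")
        pos = 0
        for off in sorted(state["frags"]):
            if off > pos:
                return "wait", None        # a hole remains to be filled
            pos = max(pos, off + len(state["frags"][off]))
        if pos < total:
            return "wait", None
        payload = bytearray(total)
        for off, d in state["frags"].items():
            payload[off:off + len(d)] = d
        del self.pending[key]
        return "done", bytes(payload)


def demo():
    """Constructed fragments: one clean packet and one whose second fragment
    overwrites already-received bytes with different data."""
    r = FragmentReassembler()
    good = ("10.0.0.1", "10.0.0.2", 0x1234, 17)
    bad = ("10.0.0.1", "10.0.0.2", 0x1235, 17)
    return [
        r.add(good, 0, True, b"A" * 16, 0.0),
        r.add(good, 16, False, b"B" * 8, 0.1),
        r.add(bad, 0, True, b"A" * 16, 1.0),
        r.add(bad, 8, False, b"Z" * 16, 1.1),   # bytes 8..16 now differ from the stored copy
        r.add(bad, 24, False, b"C" * 8, 1.2),   # remembered as illegal for illegal_limit seconds
        r.add(bad, 0, True, b"A" * 16, 62.0),   # accepted again once the mark has expired
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

    The point of the illegal-packet memory is that the attacker controls fragment order: without it, the fragments that arrive after the conflicting one would start a fresh reassembly and consume a new slot each time.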
  • Page 572: Local Fragment Reassembly Settings

    13.8. Local Fragment Reassembly Settings. Max Concurrent: Maximum number of concurrent local reassemblies. Default: 256. Max Size: Maximum size of a locally reassembled packet. Default: 10000. Large Buffers: Number of large (over 2K) local reassembly buffers (of the above size). Default: 32...
  • Page 573: Miscellaneous Settings

    13.9. Miscellaneous Settings. UDP Source Port 0: How to treat UDP packets with source port 0. Default: DropLog. Port 0: How to treat TCP/UDP packets with destination port 0 and TCP packets with source port 0. Default: DropLog. Watchdog Time: Number of non-responsive seconds before the watchdog is triggered (0=disable).
  • Page 574 13.9. Miscellaneous Settings. Default: 512...
  • Page 575 13.9. Miscellaneous Settings...
  • Page 576: Subscribing To Updates

    Dynamic Web Content Filtering module all function using external D-Link databases which contain details of the latest viruses, security threats and URL categorization. These databases are constantly being updated and to get access to the latest updates a D-Link Security Update Subscription should be taken out. This is done by: •...
  • Page 577 To get the status of AV updates: gw-world:/> updatecenter -status Antivirus. Querying Server Status: To get the status of the D-Link network servers use the command: gw-world:/> updatecenter -servers. Deleting Local Databases: Some technical problems in the operation of either the IDP or the Anti-Virus module may be resolved by deleting the database and reloading.
  • Page 578: Idp Signature Groups

    For IDP scanning, the following signature groups are available for selection. These groups are only available for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Policy. For further information see Section 6.5, “Intrusion Detection and Prevention”.
  • Page 579 Appendix B. IDP Signature Groups (Group Name: Intrusion Type). FTP_FORMATSTRING: Format string attack; FTP_GENERAL: FTP protocol and implementation; FTP_LOGIN: Login attacks; FTP_OVERFLOW: FTP buffer overflow; GAME_BOMBERCLONE: Bomberclone game; GAME_GENERAL: Generic game servers/clients; GAME_UNREAL: UnReal Game server; HTTP_APACHE: Apache httpd; HTTP_BADBLUE: Badblue web server; HTTP_CGI: HTTP CGI...
  • Page 580 PBX_GENERAL; POP3_DOS: Denial of Service for POP; POP3_GENERAL: Post Office Protocol v3; POP3_LOGIN-ATTACKS: Password guessing and related login attack; POP3_OVERFLOW: POP3 server overflow; POP3_REQUEST-ERRORS: Request Error; PORTMAPPER_GENERAL: PortMapper; PRINT_GENERAL: LP printing server (LPR, LPD); PRINT_OVERFLOW: Overflow of LPR/LPD protocol/implementation; REMOTEACCESS_GOTOMYPC...
  • Page 581 TFTP_DIR_NAME: Directory Name attack; TFTP_GENERAL: TFTP protocol and implementation; TFTP_OPERATION: Operation Attack; TFTP_OVERFLOW: TFTP buffer overflow attack; TFTP_REPLY: TFTP Reply attack; TFTP_REQUEST: TFTP request attack; TROJAN_GENERAL: Trojan; UDP_GENERAL: General UDP; UDP_POPUP: Pop-up window for MS Windows; UPNP_GENERAL: UPNP...
  • Page 582: Verified Mime Filetypes

    Appendix C. Verified MIME filetypes Some NetDefendOS Application Layer Gateways (ALGs) have the optional ability to verify that the contents of a downloaded file matches the type that the filetype in the filename indicates. The filetypes for which MIME verification can be done are listed in this appendix and the ALGs to which this applies are: •...
  • Page 583 Appendix C. Verified MIME filetypes (Filetype extension: Application; extensions are missing for most entries on this page): Windows Control Panel Extension file; Database file; Graphics Multipage PCX Bitmap file; Debian Linux Package file; djvu: DjVu file; Windows dynamic link library file; DPA archive data; TeX Device Independent Document; EET archive; Allegro datafile; eMacs Lisp Byte-compiled Source Code; ABT EMD Module/Song Format file...
  • Page 584 mpg, mpeg: MPEG 1 System Stream, Video file; MPEG-1 Video file; Microsoft files; Microsoft office files, and other Microsoft files; Atari MSA archive data; niff, nif: Navy Interchange file Format Bitmap; Nancy Video CODEC; NES Sound file; obj, o: Windows object file, Linux object file...
  • Page 585 Macromedia Flash Format file; Tape archive file; TeX font metric data; tiff, tif: Tagged Image Format file; tnef: Transport Neutral Encapsulation Format; torrent: BitTorrent Metainfo file; TrueType Font; Yamaha TX Wave audio files; UFA archive data; Vcard file; VivoActive Player Streaming Video file...
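    What the ALGs' MIME verification checks, as an added example: the file's leading bytes are compared against the signature of the type its extension claims, and a download whose content carries a different known signature (a PE executable renamed to .jpg) is reported as a mismatch. This is not NetDefendOS code and the signature table is this example's own, covering only a subset of the types in the appendix; the function names, the three result strings, the download policy in should_block and the sample files are assumptions. The example also returns what the content does look like, so that a policy can act on an executable behind an extension the ALG could not otherwise verify.

```python
# Magic-byte signatures (offset, bytes) for a subset of the verified filetypes.
# The table is this example's own and is not complete.
SIGNATURES = {
    "pdf": [(0, b"%PDF-")],
    "png": [(0, b"\x89PNG\r\n\x1a\n")],
    "gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    "jpg": [(0, b"\xff\xd8\xff")],
    "jpeg": [(0, b"\xff\xd8\xff")],
    "zip": [(0, b"PK\x03\x04"), (0, b"PK\x05\x06")],
    "exe": [(0, b"MZ")],
    "dll": [(0, b"MZ")],
    "gz": [(0, b"\x1f\x8b")],
    "bz2": [(0, b"BZh")],
    "tar": [(257, b"ustar")],
    "tiff": [(0, b"II*\x00"), (0, b"MM\x00*")],
    "tif": [(0, b"II*\x00"), (0, b"MM\x00*")],
    "mpg": [(0, b"\x00\x00\x01\xba"), (0, b"\x00\x00\x01\xb3")],
    "mpeg": [(0, b"\x00\x00\x01\xba"), (0, b"\x00\x00\x01\xb3")],
    "swf": [(0, b"FWS"), (0, b"CWS")],
}


def _matches(data, sigs):
    return any(data[off:off + len(magic)] == magic for off, magic in sigs)


def detect_types(data):
    """Extensions whose signature the content matches, sorted for stable output."""
    return sorted(ext for ext, sigs in SIGNATURES.items() if _matches(data, sigs))


def verify_filetype(filename, data):
    """Check that a file's content matches the type its extension claims.

    Returns (result, detected) where result is:
      'ok'         the content carries the claimed type's signature
      'mismatch'   the extension is verifiable but the content does not match it
      'unverified' the extension is not in the verified list, so no check is possible
    'detected' lists the verifiable types the content does look like.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = detect_types(data)
    if ext not in SIGNATURES:
        return "unverified", detected
    if _matches(data, SIGNATURES[ext]):
        return "ok", detected
    return "mismatch", detected


def should_block(filename, data, block_unverified_executables=True):
    """Example download policy on top of verify_filetype (the policy is an assumption)."""
    result, detected = verify_filetype(filename, data)
    if result == "mismatch":
        return True
    if result == "unverified" and block_unverified_executables and "exe" in detected:
        return True
    return False


# Constructed sample downloads (byte strings made up for this example).
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,   # PE executable renamed
    "archive.zip": b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 22,
    "notes.txt": b"MZ\x90\x00" + b"\x00" * 60,                      # executable behind .txt
    "backup.tar": b"\x00" * 257 + b"ustar\x00" + b"\x00" * 100,
}


if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, verify_filetype(name, content), "block" if should_block(name, content) else "pass")
```

    Signature checks only establish that the content starts like the claimed type; a polyglot file can satisfy a JPEG signature and still be something else, which is why the manual pairs this verification with anti-virus scanning rather than replacing it.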
  • Page 586: The Osi Framework

    Appendix D. The OSI Framework Overview The Open Systems Interconnection (OSI) model defines a framework for inter-computer communications. It categorizes different protocols for a great variety of network applications into seven smaller, more manageable layers. The model describes how data from an application in one computer can be transferred through a network medium to an application on another computer.
  • Page 587: Alphabetical Index

    SIP, 297; SMTP, 286; TFTP, 285; TLS, 322; all-nets IP object, 93, 138; Allow IP rule, 141; access rules, 269; Allow on error (RADIUS) setting, 71; accounting, 66; Allow TCP Reopen setting, 560; advanced settings, 71; amplification attacks, 363; configuring, 68; anonymizing internet traffic, 374; interim messages, 68...
  • Page 588 with a MAC address, 406; object category, 38; XAuth, 402; object context, 39; Auto Add Multicast Route setting, 237; object type, 36; autonomous system (see OSPF); omitting the object category, 39, 48; Auto Save Interval (DHCP) setting, 264; prompt change, 42; Auto Save Policy (DHCP) setting, 264; reconfiguring NetDefendOS, 43...
  • Page 589 core routes, 176; Critical Level setting, 79; Enable Sensors setting, 77; end of life procedures, 87; date and time, 156; ESMTP extensions, 288; Deactivate Before Reconf (HA) setting, 543; Ethernet interface, 110; dead peer detection, 445; changing IP addresses, 113; Decrement TTL setting, 252; CLI command summary, 114; default access rule, 172, 269...
  • Page 590 hardware; IGMP Query Response Interval setting, 238; monitoring, 77; IGMP React To Own Queries setting, 237; monitoring message frequency, 65, 79; IGMP Robustness Variable setting, 238; heartbeats (see high availability); IGMP Router Version setting, 238; high availability, 529; IGMP Startup Query Count setting, 238; advanced settings, 543; IGMP Startup Query Interval setting, 239...
  • Page 591 roaming clients setup, 422; severity filter, 63; troubleshooting, 483; SNMP traps, 63; tunnel establishment, 444; syslog, 61; tunnels, 444; login authentication, 402; IPsec Before Rules setting, 460; log messages, 60; usage, 444; Log non IPv4/IPv6 setting, 552; IPsec Certificate Cache Max setting, 461; Log Open Fails setting, 562; IPsec Gateway Name Cache Time setting, 461; Logout at shutdown (RADIUS) setting, 70, 71...
  • Page 592 MIME filetype verification; Ping Idle Lif

etime setting, 564; in FTP ALG, 279; Ping poll interval setting, 182; in HTTP ALG, 274; pipe rules, 492; in POP3 ALG, 295; pipes, 492; in SMTP ALG, 286; policies, 137; list of filetypes, 582; Poll Interval setting, 77; Min Broadcast TTL setting, 555; POP3 ALG, 295...
  • Page 593 reverse route lookup, 140, 172, 269; serial console (see console); roaming clients, 446; serial console port, 40; roundrobin RLB algorithm, 193; server load balancing, 520; route failover, 177; connection-rate algorithm, 521; host monitoring, 180; idle timeout setting, 522; route load balancing, 193; max slots setting, 522; algorithms, 193...
  • Page 594 configuring, 473; in zonedefense, 547; custom server connection, 476; time synchronization, 157; installing the client, 475; Time Sync Server Type setting, 161; IP rules for traffic, 477; Time Zone setting, 160; outer interface types, 473; TLS ALG, 322; pinging the inner IP, 473; advantages, 323; proxy ARP, 474...
  • Page 595 with SIP, 297; VoIP (see voice over IP); VPN, 415; encryption, 416; IPsec, 429; key distribution, 417; planning, 417; quick start guide, 419; SSL VPN, 472; troubleshooting, 483; usage, 415; Warning Level setting, 80; Watchdog Time setting, 573; WCF (see web content filtering); webauth, 405; web content filtering, 328...

This manual is also suitable for: DFL-2560, DFL-2560G, DFL-260E, DFL-860E