D-Link DFL-1100 User Manual

Network security firewall
D-Link DFL-1100
Network Security Firewall
October 7, 2004
Building Networks for People

  Summary of Contents for D-Link DFL-1100

  • Page 1 D-Link DFL-1100 Network Security Firewall Manual October 7, 2004 Building Networks for People...
  • Page 2: Table Of Contents

    Introduction to Local Area Networking ... 7 LEDs & Hardware Connections... 8 Package Contents... 9 System Requirements ... 9 Managing D-Link N Administration Settings... 11 Administrative Access ... 11 Add ping access to an interface...12 Add Admin access to an interface ...12 Add Read-only access to an interface ...13...
  • Page 3 Add Administrative User...40 Change Administrative User Access level ...41 Change Administrative User Password ...41 Delete Administrative User...42 Users ... 43 The DFL-1100 RADIUS Support...43 Enable User Authentication via HTTP / HTTPS...44 Enable RADIUS Support...44 Add User ...45 Change User Password ...45 Delete User ...46...
  • Page 4 Services ... 49 Adding TCP, UDP or TCP/UDP Service...49 Adding IP Protocol ...50 Grouping Services ...50 Protocol-independent settings ...51 VPN ... 52 IPSec VPN between two networks ...53 Creating a LAN-to-LAN VPN Tunnel...53 IPSec VPN between client and an internal network ...54 Creating a Roaming Users Tunnel...54 VPN –...
  • Page 5 Backup... 68 Exporting the DFL-1100’s Configuration ...68 Restoring the DFL-1100’s Configuration...68 Restart/Reset ... 69 Restarting the DFL-1100 ...69 Restoring system settings to factory defaults ...69 Upgrade ... 71 Upgrade Firmware ...71 Upgrade IDS Signature-database...71 Status ... 72 System... 72 Interfaces ... 73 HA...
  • Page 6: Introduction

    Introduction The NetDefend DFL-1100 provides four 10/100MB Ethernet network interface ports: Internal/LAN, External/WAN, a DMZ port, and a port that can be configured as a High Availability Sync port or as an ETH4 port. It also provides an easy-to-operate Web interface that allows users to set system parameters or monitor network activity using a Web browser.
  • Page 7: Introduction To Local Area Networking

    Introduction to Local Area Networking Local Area Networking (LAN) is the term used when connecting several computers together over a small area such as a building or group of buildings. LANs can be connected over large areas. A collection of LANs connected over a large area is called a Wide Area Network (WAN).
  • Page 8: Leds & Hardware Connections

    LEDs & Hardware Connections WAN, LAN, DMZ & ETH4/Sync: Ethernet Link port indicators, Green. The Act LED flickers when the ports are sending or receiving data. Power: A solid light indicates a proper connection to the power supply. Status: System status indicators, flashes to indicate an active system. If the LED has a solid light please contact technical support.
  • Page 9: Package Contents

    If any of the above items are missing, please contact your reseller. System Requirements Computer with a Windows, Macintosh, or Unix based operating system with an installed Ethernet adapter Internet Explorer or Netscape Navigator, version 6.0 or above, with JavaScript enabled. DFL-1100 Firewall...
  • Page 10: Netdefend Dfl-1100

    When all changes have been made, click Activate Changes Activate Configuration Changes page. The DFL-1100 will save the configuration, reload it, and the new changes will take effect. For the change to become permanent, the admin needs to login again.
  • Page 11: Administration Settings

    Ping – If enabled, specifies who can ping the interface IP of the NetDefend DFL-1100. The default setting allows anyone to ping the interface IP. Admin – If enabled, allows all users with admin access to connect to the DFL-1100 and change the configuration; the management protocol can be HTTPS only, or HTTP and HTTPS.
  • Page 12: Add Ping Access To An Interface

    SNMP – Specifies if SNMP should be allowed or not on the interface, the DFL-1100 supports read-only access. Add ping access to an interface Follow these steps to add ping access to an interface. Step 1. Click on the interface to which you would like to add ping access.
  • Page 13: Add Read-Only Access To An Interface

    Step 3. Specify which networks are allowed to access the interface, for example for a whole network, or – for a range. Step 4. Specify the protocol used to access the DFL-1100 from the dropdown menu, both HTTP and HTTPS (Secure HTTP), or only HTTPS.
  • Page 14: System

    System Interfaces Click on System in the menu bar, and then click interfaces below it. Change the IP of the LAN, DMZ or ETH4 interface Follow these steps to change the IP of the LAN or DMZ interface. Step 1. Choose which interface to view or change under the Available interfaces list. Step 2.
  • Page 15: Wan Interface Settings - Using Static Ip

    WAN Interface Settings – Using Static IP If you are using Static IP you must fill in the IP address information provided to you by your ISP. All fields are required except the Secondary DNS Server. The numbers displayed in these fields are used only as examples.
  • Page 16: Wan Interface Settings - Using Pppoe

    Service Name – When using PPPoE, some ISPs require you to fill in a Service Name. Primary and Secondary DNS Server – The IP addresses of your DNS servers; these are optional and are often provided by the PPPoE service. DFL-1100 external interface to use...
  • Page 17: Wan Interface Settings - Using Pptp

    Password – The password supplied to you by your ISP. PPTP Server IP – The IP address of the PPTP server that connects to the DFL-1100. Before PPTP can be used to connect to your ISP, the physical (WAN) interface parameters need to be supplied.
  • Page 18: Wan Interface Settings - Using Bigpond

    Note: If the limit is set too high, i.e. higher than your Internet connection, the traffic shaping will not work at all. The password supplied to you by your ISP. DFL-1100. For example, the policy for...
  • Page 19: Mtu Configuration

    Ideally, you want this MTU to be the same as the smallest MTU of all the networks between the DFL-1100 and the Internet. If the packets the DFL-1100 sends are larger, they get broken up or fragmented, which could slow down transmission speeds.
  • Page 20: Vlan

    VLAN Click on System in the menu bar, and then click VLAN below it. This will give a list of all configured VLANs; it will look something like this: Add a new VLAN Follow these steps to add a new VLAN. Step 1.
  • Page 21: Routing

    Click on System in the menu bar, and then click Routing. This will give a list of all configured routes; it will look something like this: The Routing configuration section shows the firewall’s routing table. DFL-1100 has an easy to use interface.
  • Page 22: Add A New Static Route

    Add a new Static Route Follow these steps to add a new route. Step 1. Go to System and Routing. Step 2. Click on Add new in the bottom of the routing table. Step 3. Choose the interface that the route should be sent through from the dropdown menu.
  • Page 23: High Availability

    High Availability D-Link High Availability works by adding a back-up firewall to your existing firewall. The back-up firewall has the same configuration as the primary firewall. It will stay inactive, monitoring the primary firewall, until it deems that the primary firewall is no longer functioning, at which point it will go active and assume the active role in the cluster.
  • Page 24: Ip Addresses Explained

    IP Addresses explained For each cluster interface, there are three IP addresses: Two "real" IP addresses; one for each firewall. These addresses are used to communicate with the firewalls themselves, i.e., for remote control and monitoring. They should not be associated in any way with traffic flowing through the cluster;...
  • Page 25: Cluster Heartbeats

    Cluster heartbeats A firewall detects that its peer is no longer operational when it can no longer hear "cluster heartbeats" from its peer. Currently, a firewall will send five cluster heartbeats per second. When a firewall has "missed" three heartbeats, i.e., after 0.6 seconds, it will be declared inoperative.
  • Page 26: Setting Up A High Availability Cluster

    First of all, the two DFL-1100s need to be setup so that you can manage them over the web interface. In this example the two units are configured as follows, the master DFL-1100 will be configured with on its internal interface, and the slave DFL-1100 with
  • Page 27: Interface Monitoring

    When HA is configured, it is possible to configure Interface Monitoring, which is used to monitor up to 6 IP addresses on each segment (LAN, WAN or DMZ) of the DFL-1100 cluster. If 50% of the listed addresses are unreachable for several seconds, the active node...
  • Page 28: Logging

    DFL-1100 provides several options for logging its activity. The D-Link DFL-1100 logs its activities by sending the log data to one or two log receivers in the network. All logging is done to Syslog recipients. The log format used for syslog logging is suitable for automated processing and searching.
  • Page 29: Enable Logging

    Step 2. Choose the sensitivity level. Step 3. In the SMTP Server field, fill in the SMTP server to which the DFL-1100 should send email. Step 4. Specify up to three valid email addresses to receive the email alerts.
  • Page 30: Time

    Time Click on System in the menu bar, and then click Time. This will give you the option to either set the system time by syncing to an Internet Network Time Server (NTP) or by entering the system time manually.
  • Page 31: Changing The Time Zone

    Changing the time zone Follow these steps to change the time zone. Step 1. Choose the correct time zone in the dropdown menu. Step 2. Specify your daylight time or choose no daylight saving time by checking the correct box. Click Apply to apply the setting, or click Cancel to discard the changes.
  • Page 32: Firewall

    The first step in configuring security policies is to configure the mode for the firewall. The firewall can run in NAT or No NAT (Route) mode. Select NAT mode to use DFL-1100 network address translation to protect private networks from public networks. In NAT mode, you can connect a private network to the internal interface, a DMZ network to the DMZ interface, and a public network, such as the Internet, to the external interface.
  • Page 33: Service Filter

    In response to an attack, the IDS protects the networks behind the DFL-1100 by dropping the traffic. To notify of the attacks, the IDS sends an email to the system administrators, if email alerting has been configured. D-Link updates the attack database periodically.
  • Page 34: Traffic Shaping

    What is commonly referred to as policy based routing, is, simply put, an extension of what fields of the packet we look at to determine the routing decision. In the DFL-1100, each rule in the firewall policy can specify its own routing decision; in essence, we route according to the source and destination IP addresses and ports.
  • Page 35: Add A New Policy

    Add a new policy Follow these steps to add a new outgoing policy. Step 1. Choose the LAN > WAN policy list from the available policy lists. Step 2. Click on the Add new link. Step 3. Fill in the following values: Name: Specifies a symbolic name for the rule.
  • Page 36: Change Order Of Policy

    Change order of policy Follow these steps to change the order of a policy. Step 1. Choose the policy list. Step 2. Click on the Edit link on the rule you want to change. Step 3. Change the number in the Position to the new position. After the apply button is clicked the policy will be moved to the new position.
  • Page 37: Configure Intrusion Prevention

    Configure Intrusion Prevention Follow these steps to configure IDP on a policy. Step 1. Choose the policy. Step 2. Click on Edit. Step 3. Enable the Intrusion Detection / Prevention checkbox. Step 4. Choose Prevention from the mode drop down list. Step 5.
  • Page 38: Port Mapping / Virtual Servers

    Port mapping / Virtual Servers The Port mapping / Virtual Servers configuration section is where you can configure virtual servers, like Web servers. It’s also possible to regulate how bandwidth management, traffic shaping, is applied to traffic flowing through the WAN interface of the firewall. It is also possible to use Intrusion Detection / Prevention and Traffic shaping on Port mapped services.
  • Page 39: Delete Mapping

    Delete mapping Follow these steps to delete a mapping. Step 1. Choose the mapping list (WAN, LAN or DMZ) Step 2. Click on Edit. Step 3. Enable the Delete mapping checkbox. Click Apply to apply the change, or click Cancel to discard the changes.
  • Page 40: Administrative Users

    The first column shows the access levels, Administrator and Read-only. An Administrator user can add, edit and remove rules, change settings of the DFL-1100 and so on. The Read-only user can only look at the configuration. The second column shows the users in each access level.
  • Page 41: Change Administrative User Access Level

    Change Administrative User Access level To change the access level of a user, click on the user name and you will see the following screen. From here you can change the access level by choosing the appropriate level from the drop-down menu. Access levels Administrator –...
  • Page 42: Delete Administrative User

    Delete Administrative User To delete a user, click on the user name, and you will see the following screen. Follow these steps to delete an Administrative User. Step 1. Click on the user. Step 2. Enable the Delete user checkbox. Click Apply to apply the setting, or click Cancel to discard changes.
  • Page 43: Users

    Before any traffic is allowed to pass through any policies configured with username or groups, the users must first be authenticated. The DFL-1100 can either verify the user against a local database, or pass along the user information to an external authentication server. This server will verify the user and the given password, and transmit the results back to the firewall.
  • Page 44: Enable User Authentication Via Http / Https

    Enable User Authentication via HTTP / HTTPS Follow these steps to enable User Authentication. Step 1. Enable the checkbox for User Authentication. Step 2. Specify if HTTP and HTTPS or only HTTPS should be used for the login. Step 3. Specify the idle-timeout, the time a user can be idle before being logged out by the firewall.
  • Page 45: Add User

    Add User Follow these steps to add a new user. Step 1. Click on add after the type of user you would like to add, Admin or Read-only. Step 2. Fill in the User name; make sure you are not trying to add one that already exists.
  • Page 46: Delete User

    Delete User To delete a user click on the user name and you will see the following screen. Follow these steps to delete a user. Step 1. Click on the user. Step 2. Enable the Delete user checkbox. Click Apply to apply the setting, or click Cancel to discard the changes. irreversible;...
  • Page 47: Schedules

    The DFL-1100 can be configured to have a start time and stop time, as well as creating 2 different time periods in a day. For example, an organization may only want the firewall to allow the internal network users to access the Internet during work hours.
  • Page 48: Add New One-Time Schedule

    Add new one-time schedule Follow these steps to add new one-time schedule. Step 1. Go to Firewall>Schedules, and choose Add new. Step 2. Choose the starting and ending date, and the hour when the schedule should be active. Step 3. Use the checkboxes to set the times this schedule should be active inside the specified timeframe.
  • Page 49: Services

    Services A service is basically a definition of a specific IP protocol with corresponding parameters. The service http, for instance, is defined as the use of TCP protocol with a destination port 80. Services are simplistic, in that they cannot carry out any action in the firewall on their own. Thus, a service definition does not include any information whether the service should be allowed through the firewall or not.
  • Page 50: Adding Ip Protocol

    Adding other IP Protocols When the desired type of service is IP Protocol, an IP protocol number may be specified in the text field. To have the service match the GRE protocol, for example, the IP protocol should be specified as 47. A list of some defined IP protocols can be found in the appendix named IP Protocol Numbers.
  • Page 51: Protocol-Independent Settings

    Allowing any inbound ICMP message to have those error messages forwarded is generally not a good idea. To solve this problem, DFL-1100 can be instructed to pass an ICMP error message only if it is related to an existing connection. Check this option to enable this feature for connections using this service.
  • Page 52: Vpn

    IPSec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering Task Force, to provide IP security at the network layer. An IPSec based VPN, such as the DFL-1100 VPN, is made up of two parts: Internet Key Exchange protocol (IKE)
  • Page 53: Ipsec Vpn Between Two Networks

    If you choose PSK make sure both firewalls use exactly the same PSK. Step 5. As Tunnel Type choose LAN-to-LAN tunnel and specify the network behind the other DFL-1100 as Remote Net, also specify the external IP of the other DFL-1100; this can be an IP or a DNS name.
  • Page 54: Ipsec Vpn Between Client And An Internal Network

    Internet. Communication between the client and the internal network takes place in an encrypted VPN tunnel that connects the DFL-1100 and the roaming users across the Internet. The example shows a VPN between a roaming VPN client and the internal...
  • Page 55: Vpn - Advanced Settings

    VPN – Advanced Settings Advanced settings for a VPN tunnel are used when one needs to change some characteristics of the tunnel when, for example, trying to connect to a third party VPN Gateway. The different settings to set per tunnel are the following: Limit MTU With this setting it’s possible to limit the MTU (Max Transferable Unit) of the VPN tunnel.
  • Page 56: Proposal Lists

    Proposal Lists To agree on the VPN connection parameters, a negotiation process is performed. As the result of the negotiations, the IKE and IPSec security associations (SAs) are established. As the name implies, a proposal is the starting point for the negotiation. A proposal defines encryption parameters, for instance encryption algorithm, life times etc, that the VPN gateway supports.
  • Page 57: Certificates

    HTTPS access. Note: The certificate named Admin can only be replaced, not deleted or renamed. This is used for HTTPS access to the DFL-1100. Certificates of remote peers This is a list of all certificates of individual remote peers.
  • Page 58: Identities

    upload the certificate file. This certificate can be selected in the Certificates field on the VPN page. Note: If the uploaded certificate is a CA certificate, it will automatically be placed in the Certificate Authorities list, even if Add New was clicked in the Remote Peers list. Similarly, a non-CA certificate will be placed in the Remote Peers list even if Add New was clicked from the Certificate Authorities list.
  • Page 59: Content Filtering

    Content Filtering DFL-1100 HTTP content filtering can be configured to scan all HTTP content protocol streams for URLs or for Web page content. If a requested URL is on the URL block list, the DFL-1100 will block that Web page.
  • Page 60: Edit The Url Global Blacklist

    Edit the URL Global Blacklist Follow these steps to add or remove a URL. Step 1. Go to Firewall and Content Filtering and choose Edit global URL blacklist Step 2. Add/edit or remove the URL that should be checked with the Content Filtering.
  • Page 61: Active Content Handling

    Active content handling Active content handling can be enabled or disabled by checking the checkbox before each type you would like to strip. For example, to strip ActiveX and Flash, enable the checkbox named Strip ActiveX objects. It’s possible to strip ActiveX, Flash, Java, JavaScript and VBScript.
  • Page 62: Servers

    Note: Leases are remembered over a re-configure or reboot of the firewall. The DFL-1100 also includes a DHCP Relayer. A DHCP relayer is a form of gateway between a DHCP Server and its users. The relayer intercepts DHCP queries from the users and forwards them to a DHCP server, while setting up dynamic routes based on leases.
  • Page 63: Enable Dhcp Server

    Enable DHCP Server To enable the DHCP Server on an interface, click on Servers in the menu bar, and then click DHCP Server below it. Follow these steps to enable the DHCP Server on the LAN interface. Step 1. Choose the LAN interface from the Available interfaces list. Step 2.
  • Page 64: Dns Relayer Settings

    DNS Relayer Settings Click on Servers in the menu bar, and then click DNS Relay below it. The DFL-1100 contains a DNS relayer that can be configured to relay DNS queries from the internal LAN to the DNS servers used by the firewall itself.
  • Page 65: Disable Dns Relayer

    Disable DNS Relayer Follow these steps to disable the DNS Relayer. Step 1. Disable by un-checking the Enable DNS Relayer box. Click the Apply button below to apply the setting or click Cancel to discard changes.
  • Page 66: Tools

    Tools Ping Click on Tools in the menu bar, and then click Ping below it. This tool is used to send a specified number of ICMP Echo Request packets to a given destination. All packets are sent in immediate succession rather than one per second. This behavior is best suited for diagnosing connectivity problems.
  • Page 67: Dynamic Dns

    Dynamic DNS The Dynamic DNS (requires Dynamic DNS Service) allows you to alias a dynamic IP address to a static hostname, allowing your device to be more easily accessed by a specific name. When this function is enabled, the IP address in Dynamic DNS Server will be automatically updated with the new IP address provided by the ISP.
  • Page 68: Backup

    System Administrators can restore the firewall’s configuration file with the one stored on the hard drive. Exporting the DFL-1100’s Configuration Follow these steps to export the configuration. Step 1. Under the Tools menu and the Backup section, click on the Download configuration button.
  • Page 69: Restart/Reset

    Restoring system settings to factory defaults Use the following procedure to restore system settings to the values set at the factory. This procedure may change the DFL-1100 firmware version to a lower version (if it has been upgraded). This procedure deletes all of the changes that you have made to the DFL-1100 configuration...
  • Page 70 Step 2. Click OK in the dialog to reset the unit to factory default, or press Cancel to cancel. You can restore your system settings by uploading a previously downloaded system configuration file to the DFL-1100 if a backup of the device has been done.
  • Page 71: Upgrade

    Upgrade IDS Signature-database To upgrade the signature-database first download the newest IDS signatures from D-Link. After having the newest version of software connect to the firewall’s configuration utility, enter Upgrade on the Tools menu, click Browse in the Upgrade Unit’s signature-database section and choose the file name of the newest version of the IDS signatures, then click Upload signature database.
  • Page 72: Status

    Status In this section, the DFL-1100 displays the status information about the Firewall. The Administrator may use Status to check the System Status, Interface statistics, VPN, connections and DHCP Servers. System Click on Status in the menu bar, and then click System below it. A window will appear...
  • Page 73: Interfaces

    Click on Status in the menu bar, and then click Interfaces below it. A window will appear providing information about the interfaces in the DFL-1100. By default, information about the LAN interface will be shown; to see another one, click on that interface (WAN or DMZ).
  • Page 74 HA below it. A window will appear providing information about the HA Cluster configured in the DFL-1100. Status - Status of the cluster, will show if the unit is active or inactive. Cluster Peer - Status of the other unit in the cluster.
  • Page 75: Vlan

    VLAN Click on Status in the menu bar, and then click VLAN below it. A window will appear providing information about the virtual interfaces configured in the DFL-1100. VLAN Interface – Name of the virtual interface shown. VLAN ID – ID assigned to the VLAN.
  • Page 76: Vpn

    Interfaces below it. A window will appear providing information about the VPN connections in the DFL-1100. By default, information about the first VPN tunnel will be shown. Click on that VPN tunnel’s name to view it.
  • Page 77: Connections

    Connections Click on Status in the menu bar, and then click Connections below it. A window will appear providing information about the content of the state table. Shown are the last 100 connections opened through the firewall. Connections are created when traffic is permitted to pass via the policies.
  • Page 78: Dhcp Server

    DHCP Server Click on Status in the menu bar, and then click DHCP Server below it. A window will appear providing information about the configured DHCP Servers. By default, information about the LAN interface will be shown. To view another one, click on that interface. Interface –...
  • Page 79: How To Read The Logs

    Oct 20 2003 09:45:23 gateway This is followed by the text the sender has chosen to send. All log entries from DFL-1100 are prefaced with "EFW:" and a category, e.g. "DROP:" Oct 20 2003 09:45:23 gateway EFW: DROP: Subsequent text is dependent on the event that has occurred.
  • Page 80 Oct 20 2003 09:47:56 gateway EFW: CONN: prio=1 rule=Rule_8 conn=open connipproto=TCP conndestif=wan conndestip= conndestport=80 In this line, traffic from on the LAN interface is connecting to on port 80 on the WAN side of the firewall (internet). Another event is generated when the connection is closed. The information included in the event is the same as in the event sent when the connection was opened, with the exception that statistics regarding sent and received traffic are also included.
  • Page 81: Appendixes

    Appendixes Appendix A: ICMP Types and Codes The Internet Control Message Protocol (ICMP) has many messages that are identified by a “type” field; many of these ICMP types have a "code" field. Here we list the types with their assigned code fields. Type Name Echo Reply...
  • Page 82 Echo Router Advertisement Router Selection Time Exceeded Parameter Problem Timestamp Timestamp Reply Information Request Information Reply Address Mask Request Address Mask Reply Traceroute Datagram Conversion Error Photuris Source: Redirect Datagram for the Host Redirect Datagram for the Type of Service and Network Redirect Datagram for the Type of Service and Host No Code...
  • Page 83: Appendix B: Common Ip Protocol Numbers

    Appendix B: Common IP Protocol Numbers These are some of the more common IP Protocols, for all follow the link after the table. Decimal Keyword ICMP IGMP IPComp VRRP L2TP Source: Description Internet Control Message Internet Group Management Gateway-to-Gateway IP in IP (encapsulation) Stream Transmission Control...
  • Page 84: Limited Warranty

    D-Link at an Authorized D-Link Service Office. Hardware need not be new or have an identical make, model or part. D-Link may in its sole discretion replace the defective Hardware (or any part thereof) with any reconditioned product that D-Link reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware.
  • Page 85 Mt. Herrmann, Fountain Valley, CA 92708. D-Link will not be held responsible for any packages that are lost in transit to D-Link. The repaired or replaced packages will be shipped to the customer via UPS Ground or any common carrier selected by D-Link, with shipping charges prepaid.
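The syslog line format described under pages 79 and 80 above ("EFW:", a category such as DROP or CONN, then key=value fields) is regular enough to parse and alert on. The following is an added example, not code from the manual or from D-Link: a small parser plus two defender-side checks (drop bursts per source, connections opened but not closed). The sample log is constructed; field names other than those shown on the page (prio, rule, conn, connipproto, conndestif, conndestip, conndestport) and the literal value conn=close are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Syslog prefix as shown on page 79: "Oct 20 2003 09:45:23 gateway EFW: DROP: ..."
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) EFW: (?P<category>[A-Z]+): ?(?P<body>.*)$"
)
# key=value pairs; a value may be empty (e.g. "conndestip=")
_KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample. Source-side names (connsrcif/connsrcip/connsrcport) and the
# DROP field names (recvif, ipproto, srcip, srcport, destip, destport) are assumed.
SAMPLE_LOG = """\
Oct 20 2003 09:47:56 gateway EFW: CONN: prio=1 rule=Rule_8 conn=open connipproto=TCP connsrcif=lan connsrcip=192.0.2.10 connsrcport=3456 conndestif=wan conndestip=198.51.100.20 conndestport=80
Oct 20 2003 09:48:01 gateway EFW: DROP: prio=1 rule=Default_Access_Rule recvif=wan ipproto=TCP srcip=203.0.113.7 srcport=40001 destip=198.51.100.1 destport=22
Oct 20 2003 09:48:02 gateway EFW: DROP: prio=1 rule=Default_Access_Rule recvif=wan ipproto=TCP srcip=203.0.113.7 srcport=40002 destip=198.51.100.1 destport=23
Oct 20 2003 09:48:03 gateway EFW: DROP: prio=1 rule=Default_Access_Rule recvif=wan ipproto=TCP srcip=203.0.113.7 srcport=40003 destip=198.51.100.1 destport=445
Oct 20 2003 09:48:10 gateway -- MARK --
Oct 20 2003 09:48:30 gateway EFW: DROP: prio=1 rule=Default_Access_Rule recvif=wan ipproto=TCP srcip=203.0.113.9 srcport=51000 destip=198.51.100.1 destport=22
Oct 20 2003 09:49:12 gateway EFW: CONN: prio=1 rule=Rule_8 conn=close connipproto=TCP connsrcif=lan connsrcip=192.0.2.10 connsrcport=3456 conndestif=wan conndestip=198.51.100.20 conndestport=80
Oct 20 2003 09:49:30 gateway EFW: CONN: prio=1 rule=Rule_8 conn=open connipproto=TCP connsrcif=lan connsrcip=192.0.2.11 connsrcport=5001 conndestif=wan conndestip=198.51.100.21 conndestport=443
"""


@dataclass
class EfwEvent:
    timestamp: str
    host: str
    category: str
    fields: dict


def parse_efw_line(line):
    """Parse one DFL-1100 'EFW:' syslog line; return None for any other syslog text."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(_KV_RE.findall(m.group("body")))
    return EfwEvent(m.group("ts"), m.group("host"), m.group("category"), fields)


def parse_efw_log(text):
    """Parse a whole syslog capture, silently skipping non-EFW lines."""
    return [ev for ev in map(parse_efw_line, text.splitlines()) if ev is not None]


def drops_per_source(events, threshold, src_key="srcip"):
    """Count DROP events per source address and return sources at or above
    threshold. Many drops from one source in a short window is the pattern an
    operator would want to review (the DROP source field name is assumed)."""
    counts = Counter(ev.fields.get(src_key, "?") for ev in events if ev.category == "DROP")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def unclosed_connections(events):
    """Match CONN open events against later close events (assumed conn=close) and
    return the flows still open, keyed by (proto, src ip, src port, dst ip, dst port)."""
    open_flows = {}
    for ev in events:
        if ev.category != "CONN":
            continue
        key = tuple(ev.fields.get(k, "") for k in
                    ("connipproto", "connsrcip", "connsrcport", "conndestip", "conndestport"))
        if ev.fields.get("conn") == "open":
            open_flows[key] = ev.timestamp
        elif ev.fields.get("conn") == "close":
            open_flows.pop(key, None)
    return open_flows


if __name__ == "__main__":
    evs = parse_efw_log(SAMPLE_LOG)
    print(len(evs), "EFW events")
    print("drop sources over threshold:", drops_per_source(evs, 3))
    print("still open:", unclosed_connections(evs))
```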

This manual is also suitable for:

NetDefend DFL-1100