Download Print this page

D-Link DFL-1600 User Manual

Network security firewall
Hide thumbs

Advertisement

Advertisement

loading

  Also See for D-Link DFL-1600

  Related Manuals for D-Link DFL-1600

  Summary of Contents for D-Link DFL-1600

  • Page 3: Table Of Contents

    Preface Document Version ......xvii Disclaimer ........xvii About this Document .
  • Page 4 Introduction to Certificates ....8.4.2 X.509 Certificates in D-Link Firewall ..D-Link Firewalls User’s Guide...
  • Page 5 ..... . 9.1.2 Ethernet Interfaces in D-Link Firewalls ..9.2 Virtual LAN (VLAN) .
  • Page 6 ....... 112 14.2.3 Address translation in D-Link Firewall ..114 14.3 Scenarios: IP Rules Configuration...
  • Page 7 ....182 19.1.2 Pattern Matching ..... . . 182 D-Link Firewalls User’s Guide...
  • Page 8 ......234 22.3 SSL/TLS (HTTPS) ......243 D-Link Firewalls User’s Guide...
  • Page 9 ......277 26.2 DHCP Relayer ......279 D-Link Firewalls User’s Guide...
  • Page 10 ....... . 283 27.2 Transparent Mode Implementation in D-Link Firewalls .
  • Page 11 ....... . . 334 Shutdown ....... . 334 D-Link Firewalls User’s Guide...
  • Page 12 ........339 B Customer Support D-Link Firewalls User’s Guide...
  • Page 13 2.1 The OSI 7-Layer Model......4.1 WebUI Authentication Window....4.2 WebUI Main Display.
  • Page 14 ..... . . 297 29.1 Example HA Setup......303 D-Link Firewalls User’s Guide...
  • Page 15 Section 10.4: Route Failover Configuration ....Section 10.5: Dynamic Routing Configuration ... . Section 10.6: Static Routing Configuration .
  • Page 19: Document Version

    Document Version Version No.: 1.02 Disclaimer Information in this user’s guide is subject to change without notice. About this Document This User’s Guide is designed to be a handy configuration manual as well as an Internetworking and security knowledge learning tool for network administrators.
  • Page 20: Typographical Conventions

    Typographical Conventions Example: Configuration steps for achieving certain function. WebUI Example steps for WebUI. Note Additional information user should aware Suggestions on configuration that may be taken into consideration. Caution Critical information the user should follow when performing certain action. Warning Critical information the user MUST follow to avoid potential harm.
  • Page 23: Capabilities

    Capabilities Product Highlights The key features of D-Link firewalls can be outlined as: Easy to use start-up wizard Web-based graphical user interface (WebUI) Effective and easy to maintenance Complete control of security policies Advanced application layer gateways (FTP, HTTP, H.323) Advanced monitoring &...
  • Page 24 Chapter 1. Capabilities ZoneDefense High Availability (Some models) Details about how to make these features work can be found in specific chapters in this user’s guide. D-Link Firewalls User’s Guide...
  • Page 27: The Osi Model

    The OSI Model Open System Interconnection (OSI) model defines a primary framework for intercomputer communications, by categorizing different protocols for a great variety of network applications into seven smaller, more manageable layers. The model describes how data from an application in one computer can be transferred through a network medium to an application in another computer.
  • Page 28 – frames the data. Protocols: Ethernet, PPP, etc. Physical Layer – defines hardware supports. D-Link firewalls handle network traffics and perform diverse functions for security guarantee and application support throughout the 7 layers of the OSI model. D-Link Firewalls User’s Guide...
  • Page 29: Firewall Principles

    This allows you to install less secure network services on your protected networks and prevent all outsiders from ever gaining access to these services. Most firewalls, including D-Link firewalls, ensure that network traffic...
  • Page 30: What Does A Firewall Not Protect Against

    firewall is a necessary first step towards securing your network and computers. This section is not specifically devoted to D-Link firewalls; instead it discusses firewalls in general. The problems described here will occur no matter which firewall you choose to install.
  • Page 31: Attacks On Insecure Pre-Installed Components

    Such attacks include: HTML pages containing javascript or Java that attack the network ”from the inside” when the page is viewed in a browser or e-mail program. The only possible protection against this sort of attack, D-Link Firewalls User’s Guide...
  • Page 32 At present, the most common targets for data-driven attacks are: Public servers such as mail servers, DNS servers and web servers. Web servers are clearly over-represented in this category due to their enormous complexity. D-Link Firewalls User’s Guide...
  • Page 33: Internal Attacks

    Some sources put this figure as high at 80%. 3.2.5 Modems and VPN Connection A common misconception is that modems and VPN gateways are as secure as the protected network and can be connected directly to it without protection. D-Link Firewalls User’s Guide...
  • Page 34: Holes Between Dmzs And Internal Networks

    In instances where the firewall features an integrated VPN gateway, it is usually possible to dictate the types of communication permitted. The D-Link Firewall features just such a facility. 3.2.6 Holes between DMZs and Internal Networks Although the advent of extranets and e-commerce has served to drive...
  • Page 35 DMZ and the internal network is made up of a non-routable protocol such as NetBEUI. Again, the problem is not IP packets traversing from insecure networks to the internal network. D-Link Firewalls User’s Guide...
  • Page 36 An insurmountable problem may arise when the web server needs to update the data source. The best way of tackling such a problem is to move the affected data source to a separate network segment, thereby decreasing the potential damage in the case of intrusion. D-Link Firewalls User’s Guide...
  • Page 38: Administration

    This part covers basic aspects of D-Link firewall management and administration, including: Configuration Platform Logging Maintenance Advanced Settings...
  • Page 39: Configuration Platform

    Configuring Via WebUI 4.1.1 Overview The D-Link firewall can be configured using a web interface. A web interface is usually a fast and efficient way to configure a firewall, that does not require the administrator to install any specific programs to configure the firewall.
  • Page 40 Chapter 4. Configuration Platform Figure 4.1: WebUI Authentication Window. Figure 4.2: WebUI Main Display. D-Link Firewalls User’s Guide...
  • Page 41 - Interfaces: Diplays status for interfaces and tunnels. - IPSec: Displays IPSec status information. - Routes: Displays the current routing table. - DHCP Server: Displays usage information for DHCP servers. - IDS: Displays IDS status information. - SLB: Displays SLB status information. D-Link Firewalls User’s Guide...
  • Page 42: Configuration Operations

    When the user has configured the firewall via the WebUI, the configuration will have to be saved and activated before the new configuration will be used by the firewall. This is done via the ”Save and Activate” menu bar option under ”Configuration”. D-Link Firewalls User’s Guide...
  • Page 43: Monitoring Via Cli

    4.2. Monitoring Via CLI Monitoring Via CLI Administrators can also monitor and troubleshoot the D-Link firewall via Command-Line Interface (CLI), by employing the Console port on the firewall. The serial console port is a RS-232 port that enables a connection to a PC or terminal.
  • Page 44 Chapter 4. Configuration Platform D-Link Firewalls User’s Guide...
  • Page 45: Logging

    Logging is a practice to keep track of activities that pertinent to firewall operation and the security policy the firewall is enforcing. The log file generated from logging helps administrators to observe in details of what events have occurred. D-Link firewalls provide a variety of options for logging its activities. 5.1.1 Importance &...
  • Page 46: Events

    5.1.2 Events There are a number of different situations that will cause D-Link firewalls to generate and deliver log data. Each such occasion is referred to as an event.
  • Page 47 – log messages coming from the ARP engine. FRAG – log messages coming from the fragment handling engine. OSPF/DYNROUTING – information for dynamic routing. – route fail over events. PPP/PPPOE/PPTP/L2TP/GRE/IPSEC – events for different tunnels. USERAUTH – events for user authentication. D-Link Firewalls User’s Guide...
  • Page 48: Log Receivers

    5.2.1 Syslog Receiver D-Link Firewall can send log data to syslog recipients. Syslog is a standardized protocol for sending log data to loghosts, although there is no standardized format of these log messages. The format used by D-Link Firewall is well suited for automated processing, filtering and searching.
  • Page 49: Memory Log Receiver

    find the values they are looking for without assuming that a specific piece of data is in a specific location in the log entry. In a D-Link firewall, up to 8 Syslog receivers can be configured, and they can be grouped into one or more receiver groups.
  • Page 50 Chapter 5. Logging D-Link Firewalls User’s Guide...
  • Page 51: Maintenance

    This example describes how to upgrade a D-Link Firewall with a new firmware version. WebUI 1. Check Current Version First of all, check which firmware version is currently running on the D-Link Firewall. Status System: Take note of the ”Firmware Version” number seen under ”System Status”.
  • Page 52: Reset To Factory Defaults

    The firmware upload may take several minutes depending on the speed of your connection to the firewall. Reset To Factory Defaults There are three ways to reset the D-Link Firewall to its default firmware and configuration. 1. Reset To Factory Defaults From the WebUI...
  • Page 53 DFL-210/800 will continue to load and startup in default mode, i.e. with 192.168.1.1 on the LAN interface. The following procedure only applies to the DFL-1600/2500: 3. Reset To Factory Defaults Using the Keypad and Display Reset the firewall.
  • Page 54: Backup Configuration

    Chapter 6. Maintenance Backup Configuration D-Link Firewalls configuration can be backed up to and restored at request. This could for instance be used to recall the ”last known good” configuration when experimenting with different configuration setups. To create a backup of the current running configuration:...
  • Page 55: Advanced Settings

    Advanced Settings Overview Advanced Settings contain various global settings for a firewall in terms of packet size limits, connection timeouts, protocol parameters, the structural integrity tests each packet shall be subjected to, etc. Generally, the default values given in these sections are appropriate for most installations.
  • Page 56 Chapter 7. Advanced Settings D-Link Firewalls User’s Guide...
  • Page 58: Fundamentals

    From both physical and logical perspectives, this part introduces the basic components of D-Link firewalls, which are the building blocks for security policies and advanced functions. Topics in this part includes: Logical Objects Interfaces Routing Date & Time Log Settings...
  • Page 59: Logical Objects

    Logical Objects Logical objects are basic network elements defined in the firewall, referring to the entities needed to be protected and also the untrusted resources and applications that should be monitored by the security policies. Address Book Like the contacts book which records people’s name with one’s phone number and email address, the address book in a Firewall is a list of symbolic names associated with various types of addresses, including IP addresses and ethernet MAC addresses.
  • Page 60 Chapter 8. Logical Objects network to indicate its location. The address book in D-Link firewalls allows administrators to name IP addresses either for a single host, a network, a master/slave pair used in high availability, or a group of computers or interfaces. An address ”0.0.0.0/0”...
  • Page 61: Ethernet Address

    8.1.1 above. Services Services are software programs using protocol definitions to provide various applications to the network users. Most applications rely on protocols located at OSI layer 7 – Application layer – to provide communication from D-Link Firewalls User’s Guide...
  • Page 62: Service Types

    80. Some of the other popular services at this layer include FTP, POP3, SMTP, Telnet, and so on. Beside these officially defined applications, user customized services can also be created in D-Link firewalls. Services are simplistic, in that they cannot carry out any action in the firewall on their own.
  • Page 63 IP packets, and each message is a separate protocol having its own format. Its content changes depending on the Message Type & Code. The ICMP message types that can be configured in D-Link firewalls along with the various codes are listed as follows: Echo Request –...
  • Page 64 Enter a Name for the new ICMP service. ICMP Parameters Select the ICMP type and specify the codes for the service. (If the All ICMP Message Types option is selected, this service will match all 256 possible ICMP Message Types.) Click OK. D-Link Firewalls User’s Guide...
  • Page 65 Adding a service that matches the GRE protocol ( For more information about GRE, please refer to 22.2 PPTP/L2TP WebUI Objects Services IP Protocol Service General Enter the following and then click OK: Name: GRE IP Protocol: 47 D-Link Firewalls User’s Guide...
  • Page 66: Error Report & Connection Protection

    The result is that the ICMP error message will be interpreted by the firewall as a new connection and dropped, if not explicitly allowed by the firewall rule-set. Allowing any inbound ICMP message to be able to have those error messages forwarded is generally not D-Link Firewalls User’s Guide...
  • Page 67 DoS (Denial of Service) in particular. To solve this problem, D-Link firewalls can be configured to pass an ICMP error message only if it is related to an existing connection of a service.
  • Page 68: Schedules

    Start Date: Fill in the start time in a format of ”yyyy-mm-dd hh:mm:ss” or click the calendar icon and choose a date from the pop-up window. End Date: (same as ”Start Date” above) and then click OK. D-Link Firewalls User’s Guide...
  • Page 69: X.509 Certificates

    8.4. X.509 Certificates X.509 Certificates D-Link firewalls support certificates that comply with the ITU-T X.509 international standard. This technology use an X.509 certificate hierarchy with public-key cryptography (See 20.2, Introduction to Cryptography) to accomplish key distribution and entities authentication. 8.4.1 Introduction to Certificates...
  • Page 70 When using certificates, the firewall trusts anyone whose certificate is signed by a given CA. Before a certificate is accepted, the following steps are taken to verify the validity of the certificate: - Construct a certification path up to the trusted root CA. D-Link Firewalls User’s Guide...
  • Page 71: Certificates In D-Link Firewall

    8.4.2 X.509 Certificates in D-Link Firewall X.509 certificates can be uploaded to the D-Link Firewall for use in IKE/IPSec authentication, webauth etc. There are two types of certificates that can be uploaded, self signed certificates and remote certificates belonging to a remote peer or CA server.
  • Page 72 Chapter 8. Logical Objects D-Link Firewalls User’s Guide...
  • Page 73: Interfaces

    An Ethernet interface represents a physical Ethernet adapter used in the firewall. The configuration of an Ethernet interface involves the assignment of an IP address and other parameters, to make the interface accessible to the network layer. When installing a D-Link firewall, all supported Ethernet adapters in the...
  • Page 74: Ethernet Interfaces In D-Link Firewalls

    IP addresses of an interface after the primary installation. 9.1.2 Ethernet Interfaces in D-Link Firewalls Configuration of an Ethernet interface mainly includes specifying the name and the addresses. An IP address is bound to every interface that may be used to ping the firewall, remotely control it, and be set by the firewall as...
  • Page 75 (By checking these options and specifying the metric value, the interface configured here will be added into the Main Routing Table as routes for destination address information. The default metric value is 100.) High Availability: Private IP Address selection. D-Link Firewalls User’s Guide...
  • Page 76: Virtual Lan (Vlan)

    A simple infrastructure of VLAN is shown in Figure 9.1. In this case, a D-Link firewall is configured to have 2 VLAN interfaces. Now, although the clients and servers are still sharing the same physical media, Client A can only communicate with Server D and the firewall since they are configured...
  • Page 77: Q Vlan Standard

    There are 12 bits for VID within each 4-byte tag. With these 12 bits of identifier, there could be up to 4096 VLANs on a physical network. However, all ones are reserved and all zeros indicate no VLAN association. All other identifiers can be used to indicate a particular VLAN. D-Link Firewalls User’s Guide...
  • Page 78: Vlan Implementation

    firewall will be able to recognize the membership and destination of that VLAN communication. VLANs in D-Link firewalls are useful in several different scenarios, for instance, when firewall filtering is needed between different departments in an organization, or when the number of interfaces needs to be expanded.
  • Page 79: Using Virtual Lans To Expand Firewall Interfaces

    Interfaces Virtual LANs are excellent tools for expanding the number of interfaces in D-Link Firewalls. The D-Link Firewalls with gigabit Ethernet interfaces can easily be expanded with 16 new interfaces by using a 16-port Ethernet switch with gigabit uplink port and Virtual LAN support.
  • Page 80: Dhcp

    IP address. D-Link Firewall appliance can act as either a DHCP client, a server, or a relayer through the interfaces.
  • Page 81: Pppoe

    Support security and access-control – username/password authentication is required. The provider can track IP address to a specific user. Automatic IP address allocation for PC users (similar to DHCP 9.3). D-Link Firewalls User’s Guide...
  • Page 82: Ppp

    More about the application and security of PPP can be found in section 22.2 PPTP/L2TP. 9.4.2 PPPoE Client Configuration D-Link firewalls allow users a secure and easy-to-manage connection to the ISP. D-Link Firewalls User’s Guide...
  • Page 83 PPPoE interface. It is possible to configure how the firewall should sense activity on the interface, either on outgoing traffic, incoming traffic or both. Also configurable is the time to wait with no activity before the tunnel is disconnected. D-Link Firewalls User’s Guide...
  • Page 84 It is possible to specify exactly which protocols the PPPoE client should try to authenticate with. We keep the default settings for authentication. Dial-on-demand Enable Dial-on-demand: Disable Advanced If ”Add route for remote network” is enabled, a new route will be added for this interface. Then click OK D-Link Firewalls User’s Guide...
  • Page 85: Interface Groups

    Interfaces: Select the interfaces that should be a part of the group. Then click OK Use the Interface Group An interface group can be used in various object configurations. For example, IP rules and user authentication rules can use interface groups. D-Link Firewalls User’s Guide...
  • Page 86: Arp

    Publishing an IP address using ARP can serve two purposes: To aid nearby network equipment responding to ARP in an incorrect manner. This area of use is less common. To give the impression that an interface of the firewall has more than one IP address. D-Link Firewalls User’s Guide...
  • Page 87 For published IP addresses to work correctly it might be necessary to add a new route. (See Routing) If an additional address is added for an interface, the core interface should probably be specified as the interface when configuring the route. D-Link Firewalls User’s Guide...
  • Page 88 Interface: Select the interface that should have the extra IP address IP Address: Specify the IP address to add to the above interface. MAC: Leave it at 00-00-00-00-00-00 to use the MAC address of the interface. Then click OK D-Link Firewalls User’s Guide...
  • Page 89: Routing

    Routing 10.1 Overview Routing is a major role in the network layer (OSI layer 3), which determines how to transport packets from the initiating host to the desired receiving end. The devices functioning at the network layer, such as routers or firewalls, perform routing to achieve two tasks primarily, the Path Determination and the Packet Switching.
  • Page 90: Routing Hierarchy

    An AS can be, for example, all computer networks owned by a university or a company’s private network. The organization is able to run and administer its network with its own policies and preferable routing algorithm independently, while still being able to connect to the ”outside” D-Link Firewalls User’s Guide...
  • Page 91: Routing Algorithms

    In the case that a route is not properly configured into the routing table, the router looks up in the table to make path determination and no suitable route can be found, it will D-Link Firewalls User’s Guide...
  • Page 92: Dynamic Routing

    As defined in this algorithm, each router broadcasts its attached links and link costs to all the other routers in the network. A router, upon receiving broadcasts from the D-Link Firewalls User’s Guide...
  • Page 93 OSPF demands relatively higher cost, i.e. more CPU power and memory, than RIP, therefore, can be more expensive to implement. D-Link firewalls deploy OSPF as the dynamic routing algorithm. Routing metrics Routing metrics(the costs) are the criterion a routing algorithm uses to compute the ”best”...
  • Page 94: Ospf

    10.3.3 OSPF OSPF is the embedded dynamic routing algorithm in D-Link firewalls. From the previous section, we see the main characteristics of OSPF as a Link state routing algorithm. Now we look at the actual operation of this algorithm.
  • Page 95 DR and BDR are automatically elected by ”Hello” protocol on every OSPF broadcast network. The which is configurable on a per-interface basis is the parameter that controls the election. The router with the highest priority number becomes D-Link Firewalls User’s Guide...
  • Page 96 Due to any change in routing information, a router will save a new copy of link state into its database and send LSA to DR. The DR then flood the update to all participating routers in the area to synchronize the link-state database. Path determination – ”SPF” D-Link Firewalls User’s Guide...
  • Page 97: Route Failover

    Routes can be monitored in two ways. A monitored route can be considered down if link status on the interface is down, or if the default gateway doesn’t answer on ARP requests. It is possible to use both monitoring methods at the same time. D-Link Firewalls User’s Guide...
  • Page 98: Scenario: Route Failover Configuration

    Internet. ISP A is connected to the WAN1 interface of the firewall and ISP B is connected to interface WAN2. In order to configure the D-Link firewall to use ISP A as primary ISP, and ISP B as backup ISP, monitored routes will have to be configured.
  • Page 99 Next step is to add default route for interface WAN2. Routes Main Routing Table Route: Enter the following: General Interface: WAN2 Network: 0.0.0.0/0 Gateway: Default gateway of ISP B. Local IP Address: (None) Metric: 2 Then click OK D-Link Firewalls User’s Guide...
  • Page 100 14.3 IP Rules Configuration for details on how to configure rules. Note The default route for interface WAN2 will not be monitored. The reason for this is that we have no backup route for the route over interface WAN2. D-Link Firewalls User’s Guide...
  • Page 101: Dynamic Routing Implementation

    10.5. Dynamic Routing Implementation 10.5 Dynamic Routing Implementation In D-Link firewalls, the implementation of dynamic routing involves two primary configuration tasks: OSPF process & dynamic routing policy. Note OSPF functionality is only available in the D-Link firewall modules DFL-800/1600/2500. 10.5.1 OSPF Process OSPF process configured in the firewall groups OSPF participating...
  • Page 102: Scenarios: Dynamic Routing Configuration

    Some of the networks will be accessible through both interfaces, so that some redundancy might be achieved if one path becomes unreachable. This is done by placing the two interfaces ”lan1” and ”lan2” into a security equivalent interface group. D-Link Firewalls User’s Guide...
  • Page 103 Select one of the authentication types to be used in the process (none, password, or MD5). Then click OK 2. Area: – specifying an area to the ”ospf-proc1” process. In the ”ospf-proc1” configuration page: Area: General: Name: ”area0” Area ID: 0.0.0.0 Then click OK. D-Link Firewalls User’s Guide...
  • Page 104 Select ”lan1” and ”lan2” from Available list and put them into the Selected list. Then click OK. Note Make sure that the firewall’s IP rules, which allowing traffics going through these interfaces, use this interface group as source interface. D-Link Firewalls User’s Guide...
  • Page 105 It is assumed that a previously configured OSPF process named ”ospf-proc1” has been created. In this scenario, all received routes from ”ospf-proc1” will be added into the main routing table, as this is not done automatically in the D-Link firewall. WebUI 1. Dynamic Routing Rule:...
  • Page 106 Select the main routing table from Available list and put it into Selected list. Destination Network Exactly Matches: all-nets Then click OK. 2. OSPF Actions: In the ”exportDefRoute” configuration page: OSPF Actions Export OSPF: General Export to process: Select ”ospf-proc1” from the dropdown list. Then click OK. D-Link Firewalls User’s Guide...
  • Page 107: Scenario: Static Routing Configuration

    Interface: Select ”lan”. Network: Select the network address object (192.168.2.0/24). Gateway: Select the router’s address object (192.168.1.10). Then click OK. This will allow the firewall to route traffic destined for the 192.168.2.0/24 network through the router at 192.168.1.10. D-Link Firewalls User’s Guide...
  • Page 108: Policy Based Routing(Pbr)

    flow based on various criterion, such as source addresses and service types. Moreover, D-Link firewalls extend the benefits of PBR further by not just looking at the packets one by one, but also at state information, so that the policy can provide control on both forward and return directions.
  • Page 109: Policy-Based Routing Tables

    – All users share a common active backbone, but can use different ISPs, subscribing to different streaming media providers. PBR implementation in D-Link firewalls consists of two elements: One or more named PBR tables in addition to the normal routing table.
  • Page 110 Remove Interface IP Routes: If enabled, the default interface routes are removed, i.e. routes to the core interface, which are routes to the firewall itself. Then click OK D-Link Firewalls User’s Guide...
  • Page 111: Scenario: Pbr Configuration

    2-ISP scenario, with the network 1.2.3.0/24 belonging to ”ISP A” and ”2.3.4.0/24” belonging to ”ISP B”. The ISP gateways are 1.2.3.1 and 2.3.4.1, respectively. All addresses in this scenario are public addresses, for simplicity’s sake. D-Link Firewalls User’s Guide...
  • Page 112 (0.0.0.0/0). Contents of the Policy-based Routing Policy: Source Source Dest. Dest. Service Forward Return Interface Range Interface Range LAN1 2.3.4.0/24 WAN2 0.0.0.0/0 main WAN2 0.0.0.0/0 LAN1 2.3.4.0/24 main D-Link Firewalls User’s Guide...
  • Page 113 We need to add two PBR policies according to the list of policies shown earlier. Routing Policy-based Routing Policy Policy- based Routing Rule: Enter the information found in the list of policies displayed earlier. Repeat this step to add the second rule. D-Link Firewalls User’s Guide...
  • Page 114: Proxy Arp

    firewall always publishes the addresses as belonging to the firewall itself; it is therefore not possible to publish addresses belonging to other hardware addresses. Note It is only possible to Proxy ARP on a Ethernet and VLAN interfaces. D-Link Firewalls User’s Guide...
  • Page 115: Date & Time

    Date & Time Correctly set date and time is of greatest importance for the product to operate properly. For instance, time scheduled policies and auto-update of IDS signatures are two features that require the clock to be correctly set. In addition, log messages are tagged with time stamps in order to point out exactly when a specific event did occur.
  • Page 116: Setting The Date And Time

    To modify the time zone, follow the steps outlined below: WebUI System Date and Time: Time zone and daylight saving time settings Time zone: select the appropriate time zone in the dropdown list. Then click OK. D-Link Firewalls User’s Guide...
  • Page 117: Daylight Saving Time(Dst)

    Check Enable daylight saving time Offset: enter the number of minutes the clock should be advanced during DST. Start Date: select the starting date for DST period in the dropdown list. End Date: select the ending date. Then click OK. D-Link Firewalls User’s Guide...
  • Page 118: Time Synchronization

    Please note that the product always queries all configured timeservers in order to compute an average time based on the responses from all servers. Search engines on the Internet can be used to find updated lists of publicly available timeservers. D-Link Firewalls User’s Guide...
  • Page 119: Maximum Adjustment

    System Date and Time: Automatic time synchronization Check Enable time synchronization. Select the following from the dropdown lists: Time Server Type: SNTP Primary Time Server: dns:ntp1.sp.se Secondary Time Server: dns:ntp2.sp.se Tertiary Time Server: (None) Click OK. D-Link Firewalls User’s Guide...
  • Page 120 Chapter 11. Date & Time Note This example uses domain names instead of IP addresses. Therefore, make sure the DNS client settings of the system are properly configured as described in DNS. D-Link Firewalls User’s Guide...
  • Page 121: Dns

    DNS servers configured in the firewall to all clients that request an IP lease. The example below describes how to configure DNS servers in D-Link firewalls. The configured servers are used by the internal DNS client as well as other subsystems such as the DHCP server.
  • Page 122 Chapter 12. DNS D-Link Firewalls User’s Guide...
  • Page 123: Log Settings

    firewall’s startup and shutdown, logging needs to be enabled manually in specific sections of the firewall’s configuration. To set up logging in D-Link firewalls, the following two steps are required: 1. Define one or several log receivers.
  • Page 124: Enabling Logging

    Syslog facilities ”local0” through ”local7”. Severity is the degree of emergency attached to the logged event message for debug. D-Link firewalls can be set to send messages at different severity levels. Sorted from highest to lowest importance, these levels are : Emergency, Alert, Critical, Error, Warning, Notice, Info, and Debug.
  • Page 125 To check the log file contents stored by the memory log receiver, follow the steps below: WebUI Menu Bar: Status Logging: 100 items of newly generated events can be displayed per page. To see previous events, press next. D-Link Firewalls User’s Guide...
  • Page 126 Chapter 13. Log Settings D-Link Firewalls User’s Guide...
  • Page 128: Security Polices

    Security policies regulate the manner of network applications to protect from abuse and inappropriate use. D-Link firewalls feature for providing various mechanisms to aid the administrators in building security polices for attacks prevention, privacy protection, identification, and access control. Topics in this part includes: IP Rules Access (Anti-spoofing)
  • Page 129: Ip Rules

    Everything is permitted unless specifically denied. In order to provide the highest possible level of security, default deny is the default policy in D-Link firewalls. The default deny is accomplished without a visible rule in the list. However, for logging purposes, rule list commonly has a DropAll rule at the bottom with logging enabled.
  • Page 130: Fields

    firewall. A rule is expressed in a definite form, consisting of two logical parts: the fields and the action. The subsections below explain the parameters of a rule that are available in D-Link firewalls. 14.1.1 Fields Fields are some pre-defined and reusable network objects, such as Addresses...
  • Page 131: Action Types

    NAT or FwdFast rule further down. (See Example) Drop: Tells the firewall to immediately discard the packet. Reject: Acts like Drop, but will return a TCP–RST or ICMP–Unreachable message, telling the sender that the packet was disallowed. D-Link Firewalls User’s Guide...
  • Page 132: Address Translation

    Overview For functionality and security considerations, Network Address translation(NAT) is widely applied for home and office use today. D-Link firewall provides options to support both Dynamic and Static NAT. These two types are represented by the NAT and SAT rule settings respectively.
  • Page 133 NAT-enabled firewalls, for example, D-Link firewalls, handle all the translation and redirection work for passing traffic and can provide ways to restrict access to the Internet at the same time.
  • Page 134: Address Translation In D-Link Firewall

    NAT-enabled firewall with rule settings specified for traffic. 14.2.3 Address translation in D-Link Firewall D-Link firewalls support two types of address translation: dynamic (NAT hide), and static (SAT). Dynamic Network Address Translation The process of dynamic address translation involves the translation of multiple sender addresses into one or more sender addresses, like private IP addresses are mapped to a set of public IP addresses.
  • Page 135 The private IP address of the server is mapped to a public static IP address, which can be seen from the Internet. In D-Link firewalls, SAT is implemented to provide many important functions, for example: - DMZ & Port Forwarding: SAT supports the use of DMZ network to provide pubic services to the Internet, meanwhile protecting the private network from unnecessary disclosure to the outside world.
  • Page 136: Scenarios: Ip Rules Configuration

    firewall. 1. Define an ICMP service object and name it ”ping-inbound”. (Note that the D-Link Firewall is delivered with a ”ping-inbound” service configured as default which can be used) 2. Create a new Rule with name ”Ping to Ext”, and Allow the service from Any interface on all-nets to the firewall’s core interface on ip ext...
  • Page 137 WebUI 1. Create HTTP Service If no http service is defined, we need to create a new service. Objects Services TCP/UDP Service: Name: http Type: TCP Source: 0-65535 Destination: 80 Then click OK D-Link Firewalls User’s Guide...
  • Page 138 Final step is to create the rule that will NAT DNS traffic from inter- nal interfaces out on external interfaces. Rules IP Rules IP Rule: Name: DNS from LAN Action: NAT Service: dns-all Source Interface: LAN Source Network: lan-net Destination Interface: any Destination Network: all-nets Then click OK D-Link Firewalls User’s Guide...
  • Page 139 Thus, we translate port 80 on the firewalls external address to port 80 on the web server: 1. Add a ”HTTP” service object that use TCP port 80. D-Link Firewalls User’s Guide...
  • Page 140 IP Rule: Name: SAT to WebServer Action: SAT Service: http Source Interface: any Source Network: all-nets Destination Interface: core Destination Network: ip ext Translate the: Destination IP Address To New IP Address: ip webserver Then click OK D-Link Firewalls User’s Guide...
  • Page 141 NAT, and this second rule line must be placed below the initiating SAT rule. The initiating SAT rule does nothing to the actual data. If there is a match with the packet received and a SAT rule, the firewall will D-Link Firewalls User’s Guide...
  • Page 142 WAN) on all-nets to the firewalls external public address ip ext. Determining the best course of action and the sequential order of the rules must be done on a case-by-case basis, taking all circumstances into account. D-Link Firewalls User’s Guide...
  • Page 143: Access (Anti-Spoofing)

    Access (Anti-spoofing) 15.1 Overview The primary function of any firewall is to control the access to protected data resources, so that only authorized connections are allowed. Access control is basically addressed in the firewall’s IP rules (introduced in 14. Rules). According to the rules, the firewall considers a range of protected LAN addresses as trusted hosts, and restricts the traffic flow from the untrusted Internet going into the trusted area, and also the other way around.
  • Page 144: Anti-Spoofing

    Anti-spoofing To equip the firewalls with Anti-spoofing capability, an extra filter against the source address verification is in need. D-Link firewalls provide the network administrators choices to do the source based IP filtering by Other features provided by D-Link firewalls, such as User Authentication...
  • Page 145 If the interface matches, the packet is accepted in the same manner as by the Accept action. If the interfaces do not match, the packet is dropped in the same manner as by the Drop action. Logging can be enabled on demand for these Actions. (Refer to Logging) D-Link Firewalls User’s Guide...
  • Page 146: Scenario: Setting Up Access Rule

    The following rule will make sure that no traffic with a source ad- dress not within the lan-net network is received on the LAN interface. Rules Access Access Rule: Name: LAN Access Action: Expect Interface: LAN Network: lan-net Then click OK D-Link Firewalls User’s Guide...
  • Page 147: Dmz & Port Forwarding

    Internet to DMZ computers without direct contact with the inner LAN. Obviously, this approach adds an extra layer of protection to the Intranet–firewall–Internet infrastructure. D-Link firewalls offer supports to DMZ planning and protection through network object Interface and Rules configurations.
  • Page 148 – DMZ. Figure 16.1: A Web Server in DMZ In this example, we have a D-Link firewall connecting a private LAN, a DMZ subnetwork, and the Internet, shown in Figure 16.1. The firewall takes charge of a) all the connections from the Internet to the DMZ; b) necessary connections from the DMZ to the private LAN.
  • Page 149: Dmz Planning

    : The Web server on DMZ net needs to open some ports on Int net to access the Database Server. If the Web Server is taken over by intrusion, the Database Server and other components on Int netmay expose to attacks. D-Link Firewalls User’s Guide...
  • Page 150: Benefits

    Dividing DMZ into different zones helps to restrict security policies upon components that having different functions and levels of security. The scalability of the network architecture is increased by placing components on different subnetworks. D-Link Firewalls User’s Guide...
  • Page 151: User Authentication

    User Authentication 17.1 Authentication Overview Before any user’s service request is authorized according to the firewall’s security policies, the firewall need to verify the identity of the user, to ensure that the corresponsive user is who she or he claims to be. Authentication is the process to address such issue.
  • Page 152: Password Criterion

    User authentication is frequently used in services, such as HTTP, FTP, and VPN. D-Link firewalls use Username/Password as primary authentication method, strengthened by encryption algorithms. The basic concepts of encryption is covered by 20.2 Introduction to...
  • Page 153: User Types

    Layer 2 tunnels, which apply encryption on the basis of user input passwords (See 22.2 PPTP/L2TP). 17.1.3 User Types D-Link firewalls and authentication schemes give support to diverse users. The user types can be: administrators D-Link Firewalls User’s Guide...
  • Page 154: Authentication Components

    – group of users that are subject to same regulation criterion 17.2 Authentication Components D-Link firewalls can either use a locally stored database, or a database on an external server to provide user authentication. 17.2.1 Local User Database(UserDB) The Local User Database is a built-in registry inside D-Link firewalls,...
  • Page 155: Authentication Agents

    CHAP. Originally developed for dial-up remote access, RADIUS is now supported by VPN, wireless access points, and other network access types. A RADIUS client, i.e. D-Link firewall, sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server.
  • Page 156: Authentication Rules

    XAUTH phase. For the same reason, only one XAUTH user authentication rule can be defined. XAUTH is only used to set up IPsec VPN tunnels. D-Link Firewalls User’s Guide...
  • Page 157: Authentication Process

    17.3. Authentication Process 17.3 Authentication Process A D-Link firewall proceeds user authentication as follows: A user connects to the firewall to initiate authentication. The firewall receives user’s request from its interface, and notes in the IP rule set that this traffic is allowed to reach its core authentication agent.
  • Page 158 firewall configuration, while users that belong to the auditors group are only allowed to view the firewall configuration. Press the buttons under the Groups edit box to grant these group memberships to a user. D-Link Firewalls User’s Guide...
  • Page 159 first step. As explained in 14 IP Rules, all the other traffics that are not explicitly allowed by the IP rule, for example, the unauthenticated traffic coming from the interface where authentication is D-Link Firewalls User’s Guide...
  • Page 160 Example: Specifying a TCP service – HTTP) Address Filter Choose the following from the drop down lists: Source Destination Interface: lan core Network: lannet lan ip Comments: Allow HTTP connections to the firewall’s authentication agent. Click OK. D-Link Firewalls User’s Guide...
  • Page 161 Address Filter Source Destination Interface: lan Network: lannet users all-nets (Note here the source network is an address object containing user authen- tication information.) Comments: Allow authenticated ”users” from ”lannet” to Web browsing onto Internet. Click OK. D-Link Firewalls User’s Guide...
  • Page 162 firewall will try to use these timeouts, prior to the timeout values specified above. If no timeouts are received from the authentication server, the timeout values specified above will be used. 4. Another Restrictions configuration is the Multiple Username Logins. Three options are available as explained below: D-Link Firewalls User’s Guide...
  • Page 163 If so, the old user will be removed, and this new user will be logged in. If not, the new login-request will be rejected. The time period for this option can be defined in the edit box. D-Link Firewalls User’s Guide...
  • Page 164 Chapter 17. User Authentication D-Link Firewalls User’s Guide...
  • Page 166: Content Inspection

    In addition to inspect the packets at the network layer (OSI layer 3), D-Link firewalls are capable of examining the content of each packet to give far more powerful and flexible protection on higher layers. Topics in this part includes:...
  • Page 167: Application Layer Gateway (Alg)

    Overview To complement the limitations of packet filtering, which only inspect in the packet headers, such as IP, TCP, UDP, and ICMP headers, D-Link firewalls embed an Application Layer Gateway (ALG) to support higher level protocols that have address information within the payload.
  • Page 168: Ftp

    FTP client on the internal network connects through the firewall to an FTP server on the Internet. The IP rule in the firewall is then configured to allow network traffic from the FTP client to port 21 on the FTP server. D-Link Firewalls User’s Guide...
  • Page 169 This implementation results in that both the FTP client and the FTP server work in their most secure mode. Naturally, the conversion also works the other way around, that is, with the FTP client using active mode and the FTP server using passive mode. D-Link Firewalls User’s Guide...
  • Page 170: Scenarios: Ftp Alg Configuration

    Protecting a FTP Server Figure 18.1: FTP ALG Scenario 1 In this example, a FTP Server is connected to a D-Link firewall on a DMZ with private IP addresses, shown in Figure 18.1. To make it possible to connect to this server from the Internet using the FTP ALG, the FTP ALG and firewall rules should be configured as follows:...
  • Page 171 (assume the external interface has been defined as ”ip-ext”) SAT: Check Translate the Destination IP Address New IP Address: ftp-internal. (Assume this internal IP address of FTP server has been defined in the Address Book object.) New Port: 21. Then click OK. D-Link Firewalls User’s Guide...
  • Page 172 Then click OK. – Allow incoming connections (SAT needs a second Allow rule): Rules IP Rules IP Rule: General: Name: Allow-ftp Action: Allow Service: ftp-inbound Address Filter: Source Destination Interface: any core Network: all-nets ip-ext Then click OK. D-Link Firewalls User’s Guide...
  • Page 173 Protecting FTP Clients Figure 18.2: FTP ALG Scenario 2 In this scenario, shown in Figure 18.2, a D-Link firewall is protecting a workstation that will connect to FTP servers on the internet. To make it possible to connect to these servers from the internal network using the FTP ALG, the FTP ALG and firewall rules should be configured as follows:...
  • Page 174 ”ftp-outbound” as described earlier. – Allow connections to ftp-servers on the outside: Rules IP Rules IP Rule: General: Name: Allow-ftp-outbound Action: Allow Service: ftp-outbound Address Filter: Source Destination Interface: lan Network: lannet all-nets Then click OK. D-Link Firewalls User’s Guide...
  • Page 175: Http

    18.3.1 Components & Security Issues To enable more advanced functions and extensions to HTTP services, some add-on components, known as ”active contents”, are usually accompanied with the HTTP response to the client computer. D-Link Firewalls User’s Guide...
  • Page 176: Solution

    This can also contain confidential information. 18.3.2 Solution D-Link firewalls address the security issues shown in the previous section by Stripping Contents and URL Filtering. Stripping Contents In D-Link HTTP ALG configuration, some or all of the active contents mentioned previously can be stripped away from HTTP traffic upon...
  • Page 177 Example: Configuring HTTP ALG In this example, a HTTP ALG in a D-Link firewall is created. It is configured to strip ActiveX objects, which will block displays such as Macromedia flash and shockwave. An undesired address is added into the blacklist.
  • Page 178: H.323

    H.323 is considered to be the standard for interoperability in audio, video and data transmissions as well as Internet phone and voice-over-IP (VoIP). 18.4.2 H.323 Components The H.323 standard consists of these four main components: Terminals Gateways Gatekeepers D-Link Firewalls User’s Guide...
  • Page 179: Protocols

    The different protocols used in H.323 is shortly described below: H.225 RAS Signaling and Call Control (Setup) Signaling The H.225 protocol is used for call signaling, that means that it’s used to establish a connection between two H.323 endpoints (terminals). This call D-Link Firewalls User’s Guide...
  • Page 180: H.323 Alg Overview

    The H.323 ALG is a flexible application layer gateway that allows H.323 devices such as H.323 phones and applications to make and receive calls between each other while connected to private networks secured by D-Link Firewalls. The H.323 specification was not designed to handle NAT, as IP addresses and ports are sent in the payload of H.323 messages.
  • Page 181: Scenarios: H.323 Alg Configuration

    For each scenario a configuration example of both the ALG and the rules are presented. The three service definitions used in these scenarios are: Gatekeeper (UDP ALL 1719) H323 (H.323 ALG, TCP ALL 1720) H323-Gatekeeper (H.323 ALG, UDP 1719) D-Link Firewalls User’s Guide...
  • Page 182 Figure 18.3: H.323 Scenario 1. Using Public IP Addresses In the first scenario a H.323 phone is connected to a D-Link Firewall on a network (lan-net) with public IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure...
  • Page 183 Then click OK Using Private IP Addresses In this scenario a H.323 phone is connected to a D-Link Firewall on a network with private IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure firewall rules.
  • Page 184 1. Outgoing Rule Rules IP Rules IP Rule: Enter the following: Name: H323Out Action: NAT Service: H323 Source Interface: LAN Destination Interface: any Source Network: lan-net Destination Network: 0.0.0.0/0 (all-nets) Comment: Allow outgoing calls. Then click OK D-Link Firewalls User’s Guide...
  • Page 185 Comment: Allow incoming calls to H.323 phone at ip-phone. Then click OK To place a call to the phone behind the D-Link Firewall, place a call to the external IP address on the firewall. If multiple H.323 phones are placed behind the firewall, one SAT rule has to be configured for each phone.
  • Page 186 Using Public IP Addresses This scenario consists of two H.323 phones, each one connected behind a D-Link Firewall on a network with public IP addresses. In order to place calls on these phones over the Internet, the following rules need to be added to the rule listings in both firewalls.
  • Page 187 Using Private IP Addresses This scenario consists of two H.323 phones, each one connected behind a D-Link Firewall on a network with private IP addresses. In order to place calls on these phones over the Internet, the following rules need to be added to the rule listings in the firewall, make sure there are no rules disallowing...
  • Page 188 Source Network: 0.0.0.0/0 (all-nets) Destination Network: ip-wan (external IP of the firewall) Comment: Allow incoming calls to H.323 phone at ip-phone. Translate Destination IP Address: To New IP Address: ip-phone (IP address of phone) Then click OK D-Link Firewalls User’s Guide...
  • Page 189 Comment: Allow incoming calls to H.323 phone at ip-phone. Then click OK To place a call to the phone behind the D-Link Firewall, place a call to the external IP address on the firewall. If multiple H.323 phones are placed behind the firewall, one SAT rule has to be configured for each phone.
  • Page 190 Destination Network: ip-wan (external IP of the firewall) Comment: SAT rule for incoming communication with the Gatekeeper located at ip-gatekeeper. Translate Destination IP Address: To New IP Address: ip-gatekeeper (IP address of gatekeeper) Then click OK D-Link Firewalls User’s Guide...
  • Page 191 Then click OK Note There is no need to specify a specific rule for outgoing calls. The D-Link Firewall monitors the communication between ”external” phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper.
  • Page 192 H.323 with Gatekeeper and two D-Link Firewalls Figure 18.6: H.323 Scenario 4. This scenario is quite similar to scenario 3, with the difference of a D-Link Firewall protecting the ”external” phones. The D-Link Firewall with the Gatekeeper connected to the DMZ should be configured exactly like in scenario 3 (see 18.4.5).
  • Page 193 Then click OK Note There is no need to specify a specific rule for outgoing calls. The D-Link Firewall monitors the communication between ”external” phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper.
  • Page 194 (ip-gateway) connected to the ordinary telephone network. Head Office Firewall Configuration The head office has placed a H.323 Gatekeeper in the DMZ of the corporate D-Link Firewall. This D-Link Firewall should be configured as follows. D-Link Firewalls User’s Guide...
  • Page 195 Source Interface: LAN Destination Interface: DMZ Source Network: lan-net Destination Network: ip-gateway Comment: Allow H.323 entities on lan-net to call phones connected to the H.323 Gateway on the DMZ. Remember to use the correct service. Then click OK D-Link Firewalls User’s Guide...
  • Page 196 Enter the following: Name: BranchToGW Action: Allow Service: H323-Gatekeeper Source Interface: vpn-branch Destination Interface: DMZ Source Network: branch-net Destination Network: ip-gatekeeper, ip-gateway Comment: Allow communication with the Gatekeeper on DMZ from the Branch network Then click OK D-Link Firewalls User’s Guide...
  • Page 197 Branch and Remote Office Firewall The branch and remote office H.323 phones and applications will be configured to use the H.323 Gatekeeper at the head office. The D-Link Firewalls in the remote and branch offices should be configured as follows.
  • Page 198 Head Office DMZ. Then click OK The branch office D-Link Firewall has a H.323 Gateway connected to it’s DMZ. In order to allow the Gateway to register with the H.323 Gatekeeper at the Head Office, the following rule has to be configured.
  • Page 199 Then click OK Note There is no need to specify a specific rule for outgoing calls. The D-Link Firewall monitors the communication between ”external” phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper.
  • Page 200 Chapter 18. Application Layer Gateway (ALG) D-Link Firewalls User’s Guide...
  • Page 201: Intrusion Detection System (Ids)

    Internet, and can often be easily automatized by an attacker, Intrusion Detection is an important technology to identify and prevent these threats. In order to make an effective and reliable IDS, D-Link IDS goes through three levels of processing and addresses the following questions: What traffic to analyze What to search for (i.e.
  • Page 202: Intrusion Detection Rules

    Chapter 19. Intrusion Detection System (IDS) D-Link IDS uses a combination of , and , in order to answer the three questions mentioned above. 19.1.1 Intrusion Detection Rules An Intrusion Detection Rule defines the kind of traffic – service – that should be analyzed.
  • Page 203: Chain Of Events

    19.2.1 Scenario 1 Traffic is only passed on to the IDS if the firewall’s IP rule set decides that it is valid, shown in Figure 19.1. Figure 19.1: IDS Chain of Events Scenario 1 D-Link Firewalls User’s Guide...
  • Page 204: Scenario 2

    2. The source and destination information of new packet is compared to the Intrusion Detection Rules. If a match is found, it is passed on to the next level of IDS processing - pattern matching. If not, the packet is dropped. D-Link Firewalls User’s Guide...
  • Page 205 19.2. Chain of Events Figure 19.2: IDS Chain of Events Scenario 2 D-Link Firewalls User’s Guide...
  • Page 206: Signature Groups

    A new, updated signature database can be automatically downloaded by the firewall, at a configurable interval. This is done through a HTTP connection to a D-Link server, hosting the latest signature database file. If this signature database file has a newer version than the current, the new signature database will be downloaded, thus replacing the old version.
  • Page 207: Smtp Log Receiver For Ids Events

    This e-mail will contain a summery of IDS events that has occurred in a user-configurable period of time. When an IDS event has occurred, the D-Link firewall will wait for seconds before sending the notification e-mail. However, the e-mail...
  • Page 208 Server Port: 25 (by Internet standard) Fill in alternative e-mail addresses in the edit boxes(up to 3 addresses can be configured). Sender: hostmaster Subject: Log event from D-Link Firewall Minimum Repeat Delay: 600 Hold Time: 120 Log Threshold: 2 Then click OK.
  • Page 209: 19.6. Scenario: Setting Up Ids

    The Destination Interface and Destination Network define where traffic is directed to, in this case the mail server. Destination Network should therefore be set to the object defining the mail server. D-Link Firewalls User’s Guide...
  • Page 210 FROM EXT MAIL SMTP signature group, the connection will be dropped, thus protecting the mail server. If a log receiver has been configured, the intrusion attempt will also be logged. D-Link Firewalls User’s Guide...
  • Page 212: Virtual Private Network (Vpn)

    VPNs, Virtual Private Networks, provide means of establishing secure links to parties. It is extended over public networks via the application of Encryption and Authentication, offering good flexibility, effective protection, and cost efficiency on connections over the Internet. Topics in this part includes: Introduction to VPN Introduction to Cryptography VPN in Firewalls...
  • Page 213: Vpn Basics

    VPN Basics 20.1 Introduction to VPN Long gone is the time when corporate networks were separate isles of local connectivity. Today, most networks are connected to each other by the Internet. Issues of protecting the local networks from Internet-based crime and intrusion are being solved by firewalls, intrusion detection systems, anti-virus software and other security investments.
  • Page 214 - Would any one of them accept that their orders and delivery confirmations travel through the hands of one of their competitors? - Hardly. D-Link Firewalls User’s Guide...
  • Page 215: Introduction To Cryptography

    – decryption, to return to the original plaintext. The algorithms of Encryption can be categorized into three types – symmetric, asymmetric, and hybrid encryption. D-Link Firewalls User’s Guide...
  • Page 216 – A 64-bit block cipher with a 128-bit key, less frequently employed than Blowfish. – A 128-bit block size with key lengths of 128-256 bits, a sound alternative to the ageing DES. D-Link firewall’s VPN implementation supports all the above algorithms. D-Link Firewalls User’s Guide...
  • Page 217 The resulting key is common to both sides, and can be used as a shared secret key for symmetric encryption. In such a way, D-Link Firewalls User’s Guide...
  • Page 218: Authentication & Integrity

    The signature is created using the asymmetric encryption scheme; it cannot be imitated by someone else, and the sender cannot easily repudiate the message that has been signed. The procedure of producing a digital signature works as follows: D-Link Firewalls User’s Guide...
  • Page 219 CA, so that a recipient can verify that the certificate is real. The digital certificates supported by D-Link firewalls conform to X.509 standard. D-Link Firewalls User’s Guide...
  • Page 220: Why Vpn In Firewalls

    Can the firewall protect the security gateway and log attempted attacks on it? Does the configuration support roaming clients? Can the firewall inspect and log traffic passing in and out of the VPN? Does the configuration add points of failure to the Internet connection? D-Link Firewalls User’s Guide...
  • Page 221: Vpn Deployment

    Does it require additional configuration to the firewall or hosts participating in the VPN? In D-Link firewalls, the Security Gateway VPN is integrated in the firewall itself. The reasons for this design can be found in the scenario analysis presented next.
  • Page 222 Support for roaming clients is nearly impossible Between the Firewall and the Internal Network (Figure 20.3) Benefits Supports roaming clients No special routing information needed in the firewall The firewall can protect the Security Gateway Drawbacks D-Link Firewalls User’s Guide...
  • Page 223 The firewall cannot inspect nor log plaintext from the VPN Special routes need to be added to the firewall, or to all internal clients participating in the VPN Support for roaming clients is very hard to achieve D-Link Firewalls User’s Guide...
  • Page 224 Security Gateway in order to reach the VPN clients with moving IPs Incorporated in the Firewall (Figure 20.6) Benefits The firewall can protect the Security Gateway subsystem The firewall can inspect and log plaintext from the VPN Supports roaming clients D-Link Firewalls User’s Guide...
  • Page 225 This solution provides the highest degree of functionality & security and is chosen by D-Link’s design. All normal modes of operation are supported, and all traffic may be inspected and logged by the firewall. D-Link Firewalls User’s Guide...
  • Page 226 Chapter 20. VPN Basics D-Link Firewalls User’s Guide...
  • Page 227: Vpn Planning

    VPN Planning 21.1 VPN Design Considerations ”A chain is never stronger than its weakest link”. An attacker wishing to make use of a VPN connection will typically not attempt to crack the VPN encryption, since this requires enormous amounts of computation and time. Rather, he/she will see VPN traffic as an indication that there is something really soft and chewy on the other end of the connection.
  • Page 228: End Point Security

    In instances where the firewall features an integrated VPN gateway, it is usually possible to dictate the types of communication permitted. The D-Link VPN module features just such a facility. 21.1.1 End Point Security...
  • Page 229 Keep data stored locally on portable computers to a minimum to reduce the impact of theft. This includes e-mail cache folders. Actually, it may be best if mail is read through a web gateway, since that leaves the least amount of files in local storage. D-Link Firewalls User’s Guide...
  • Page 230: Key Distribution

    Should the keys be changed? If so, how often? In cases where keys are shared by multiple users, you may want to consider overlapping schemes, so that the old keys work for a short period of time when new keys have been issued. D-Link Firewalls User’s Guide...
  • Page 231 VPN gateway, how should the key be stored? Should it be on a floppy? As a pass phrase to memorize? On a smart card? If it is a physical token, how should it be handled? D-Link Firewalls User’s Guide...
  • Page 232 Chapter 21. VPN Planning D-Link Firewalls User’s Guide...
  • Page 233: Vpn Protocols & Tunnels

    Before IPsec can begin encrypting and transferring the data stream, some preliminary negotiation is necessary. This is accomplished with the Internet Key Exchange Protocol (IKE). In summary, an IPsec based VPN, such as D-Link VPN, is made up by two parts: Internet Key Exchange protocol (IKE)
  • Page 234: Ipsec Protocols

    AH provides only authentication but not encryption to data packets. AH does not offer confidentiality to the data transfer and is rarely used; it is NOT supported by D-Link firewalls. Whether IPsec protocol modifies the original IP header or not depends on the IPsec modes.
  • Page 235: Ike

    In cases where ESP and AH are used in conjunction, four SAs will be created. IKE Negotiation The process of negotiating connection parameters mainly consists of two phases: IKE Phase-1 – Negotiate how IKE should be protected for further negotiations. D-Link Firewalls User’s Guide...
  • Page 236 When using aggressive mode, some configuration parameters, such as Diffie-Hellman groups, can not be negotiated, resulting in a greater importance of having ”compatible” configurations on both communication ends. D-Link Firewalls User’s Guide...
  • Page 237 The data flow transferred in VPN connections are encrypted using symmetric encryption scheme. As it is described in 20.2.1 Symmetric Encryption, D-Link firewalls support the algorithms listed below: 3DES Blowfish Twofish...
  • Page 238 IKE exchanges the symmetric encryption key using Diffie-Hellman key exchange protocol. The level of security it offers is configurable by specifying the Diffie-Hellman(DH) group. The Diffie-Hellman groups supported by D-Link VPN are: DH group 1 (768-bit) DH group 2 (1024-bit)
  • Page 239: Ike Integrity & Authentication

    D-Link VPNs embed various methods for achieving these critical tasks, i.e., hash functions for message integrity, pre-shared keys and X.509 certificates based on asymmetric encryption algorithms (i.e.
  • Page 240 The shared key is a secret passphrase, normally a string of ASCII characters or a set of random Hexadecimal numbers. In D-Link VPNs, the user can either enter an ASCII password or use the automatic random key generation.
  • Page 241 This means that the firewall is unable to control the access to various parts of the internal networks. The concept of Identification Lists(ID Lists) presents a solution to this problem. An identification list contains one or more configurable D-Link Firewalls User’s Guide...
  • Page 242 With XAuth, IKE can now authenticate the users after the device has been authenticated during phase-1 negotiation. If enabled, a combination of username & password will be requested for the add-on user authentication. D-Link Firewalls User’s Guide...
  • Page 243: Scenarios: Ipsec Configuration

    firewall IP ip head wan. The branch office use the 10.0.2.0/24 network span with external firewall IP ip branch wan. The following configuration will have to be done on both the head office firewall and the branch office firewall. D-Link Firewalls User’s Guide...
  • Page 244 firewall will use ip head wan. Encapsulation Mode: Tunnel Algorithms IKE Algorithms: Medium or High IPsec Algorithms: Medium or High Authentication Pre-Shared Key: Select the pre-shared key created earlier, TestKey in this case. Then click OK D-Link Firewalls User’s Guide...
  • Page 245 This example describes how to configure a IPsec tunnel, used for roaming clients (mobile users) that connect to the head office to gain remote access. The head office network use the 10.0.1.0/24 network span with external firewall IP ip wan. D-Link Firewalls User’s Guide...
  • Page 246 VPN Objects Pre-Shared Keys Pre-Shared Key: Enter the following: Name: Enter a name for the pre-shared key, SecretKey for instance. Passphrase/Shared Secret: Enter a secret passphrase. Passphrase/Confirm Secret: Enter the secret passphrase again. Then click OK D-Link Firewalls User’s Guide...
  • Page 247 Enable Then click OK 3. Configure Rules Finally we need to configure the rules to allow traffic inside the tun- nel. See 14.3 IP Rules Configuration for details on how to configure rules. D-Link Firewalls User’s Guide...
  • Page 248: Pptp/ L2Tp

    PPTP encapsulated packet to form the tunneling data. PPTP uses TCP port 1723 for it’s control connection and GRE (IP protocol 47) for the PPP data. IP Header GRE Header Payload PPP Frame Table 22.1: PPTP Encapsulation. D-Link Firewalls User’s Guide...
  • Page 249 Since PPTP security is password-based, the choice of a good password is an important security consideration. Regardless of the key length chosen (40, 56 or 128-bit), the true strength of the key is governed by the randomness of the password. D-Link Firewalls User’s Guide...
  • Page 250 Local User Databases UserDB User: Enter the following: Username: testuser Password: testpassword Confirm Password: testpassword It is possible to configure a static IP for this user in the Per-user PPTP/L2TP IP Configuration section. Then click OK D-Link Firewalls User’s Guide...
  • Page 251 Add Route Proxy ARP: Leave as default, or specifically select the LAN interface if the IP:s in the IP Pool are a part of the network on the LAN interface. Then click OK D-Link Firewalls User’s Guide...
  • Page 252 Internet for example) a NAT rule has to be configured as well. When the configuration is saved and activated, it should be possible for PPTP clients to connect to the PPTP server on 10.0.0.1 on the WAN interface. D-Link Firewalls User’s Guide...
  • Page 253 PPTP client interface. It is possible to configure how the firewall should sense activity on the interface, and how long time to wait with no activity before the tunnel is disconnected. Then click OK D-Link Firewalls User’s Guide...
  • Page 254: L2Tp

    L2TP encapsulated packet to form the tunneling data. L2TP uses UDP port 1701 for it’s control and data connections. L2TP authentication PPTP and L2TP tunnels use the same authentication mechanisms as PPP connections such as, PAP, CHAP, MS-CHAP v1 and v2. D-Link Firewalls User’s Guide...
  • Page 255 The LAN network is a 192.168.1.0/24 network, and 10.0.0.0/24 is the network on the WAN interface. L2TP clients will connect to the L2TP/IPsec server on 10.0.0.1 on the WAN interface, in order to access resources on the LAN interface. D-Link Firewalls User’s Guide...
  • Page 256 Local User Databases UserDB User: Enter the following: Username: testuser Password: testpassword Confirm Password: testpassword It is possible to configure a static IP for this user in the Per-user PPTP/L2TP IP Configuration section. Then click OK D-Link Firewalls User’s Guide...
  • Page 257 The IPsec tunnel needs to be configured to dynamically add routes to the remote network when the tunnel is established. This is done under the Routing tab. Dynamically add route to the remote network when a tunnel is established: Enable Then click OK D-Link Firewalls User’s Guide...
  • Page 258 Add Route Proxy ARP: Leave as default, or specifically select the LAN interface if the IP:s in the IP Pool are a part of the network on the LAN interface. Then click OK D-Link Firewalls User’s Guide...
  • Page 259 Internet for example) a NAT rule has to be configured as well. When the configuration is saved and activated, it should be possible for L2TP/IPsec clients to connect to the L2TP/IPsec server on 10.0.0.1 on the WAN interface. D-Link Firewalls User’s Guide...
  • Page 260 Name: Enter a name for the pre-shared key, L2TPKey for instance. Passphrase/Shared Secret: Enter the secret passphrase. (Has to be the same as configured on the L2TP/IPsec server) Passphrase/Confirm Secret: Enter the secret passphrase again. Then click OK D-Link Firewalls User’s Guide...
  • Page 261 The IPsec tunnel needs to be configured to notdynamically add routes to the remote network when the tunnel is established. This is done under the Routing tab. Dynamically add route to the remote network when a tunnel is established: Disable Then click OK D-Link Firewalls User’s Guide...
  • Page 262 Local IP Address: (None) Metric: 0 Then click OK When the configuration is saved and activated, the L2TP/IPsec client should connect to the L2TP/IPsec server, and all traffic (except traffic to 10.0.0.1) should be routed over the L2TP/IPsec interface. D-Link Firewalls User’s Guide...
  • Page 263: Ssl/Tls (Https)

    HTTPS, and more and more web sites use the protocol to obtain confidential user information, such as credit card numbers. There are a number of versions of the SSL/TLS protocol. D-Link firewalls fully support SSLv3 and TLSv1. D-Link Firewalls User’s Guide...
  • Page 264 Chapter 22. VPN Protocols & Tunnels D-Link Firewalls User’s Guide...
  • Page 266: Traffic Management

    Traffic management is concerned with controlling and allocating network bandwidth and minimizing possible delay and congestion on networks. It encompasses the measuring of network capacity and traffic modelling to manage network resources efficiently and provide services the bandwidth they need. Topics in this part includes: Traffic Shaping Server Load Balancing (SLB)
  • Page 267: Traffic Shaping

    To address the above problems, D-Link firewalls provide QoS functionality, and apply limits and guarantees for QoS to the network traffic itself, rather than trusting the applications/users to make the choices.
  • Page 268: Functions

    A D-Link firewall has an extensible traffic shaper integrated inside. The traffic shaper works by measuring and queuing IP packets, in transit, with respect to a number of configurable parameters.
  • Page 269: Features

    A closer look into these features are given in the sections next. 23.2 Pipes A Pipe is a central concept in the traffic shaping functionality of D-Link firewalls and is the base for all bandwidth control. Pipes are fairly D-Link Firewalls User’s Guide...
  • Page 270: Precedences And Guarantees

    7 are reserved for network control packets, so the values through 0-5 can be set for priority based on IP networks or applications. Corresponding to these 8 levels, a pipe in a D-Link firewall contains 4 precedences – Low, Medium, High, and Highest – for clarifying the relative importance of the traffic.
  • Page 271 If the pipe limits are set higher than the actual available bandwidth, the pipe will never know that the connection is full, and hence be unable to throttle the lower-precedence traffic. 3. Bandwidth cannot be guaranteed if available bandwidth is not known at all times D-Link Firewalls User’s Guide...
  • Page 272: Grouping Users Of A Pipe

    This mode of operation is likely sufficient for managing simple traffic limits and guarantees. However, D-Link firewalls have the ability to group traffic within each pipe. This means that traffic will be classified and grouped with respect to the source or destination of each packet passing through the pipe.
  • Page 273: Dynamic Bandwidth Balancing

    But what if the bandwidth for the pipe as a whole has a limit, and that limit is exceeded? Such problem is addressed by a feature in D-Link firewalls called Dynamic Balancing. This algorithm ensures that the bandwidth limit of each group is dynamically lowered (or raised) in order to evenly balance the available bandwidth between the groups of the pipe.
  • Page 274 After setting the total limits in the two pipes, two pipe rules need to be specified to assign pipes onto proper directions, interfaces, and networks. Since these two primary rules are applied to all possible services, the fixed precedence ”Low” is defined on them. D-Link Firewalls User’s Guide...
  • Page 275 Rule ”ToInternet” assigning pipes to traffics going through the fire- wall from LAN to WAN for all services(defined by the Services object ”all-services”): Traffic Shaping Pipe Rules Pipe Rule: General Enter the following: Name: ToInternet Service: all-services Address Filter Source Destination Interface: Network: lannet all-nets D-Link Firewalls User’s Guide...
  • Page 276 Forward Chain: Select ”std-in” from Available list and put it into Selected list. Return Chain: Select ”std-out” from Available list and put it into Selected list. Precedence Check Use Fixed Precedence Select Low from the dropdown list and then click OK. D-Link Firewalls User’s Guide...
  • Page 277 Return Chain: Select ”std-in” from Available list and put it into Selected list. Precedence Check Use Fixed Precedence Select Medium from the dropdown list and then click OK. Right click the ”HTTP” rule item and click Move to Top. D-Link Firewalls User’s Guide...
  • Page 278 Check Enable dynamic balancing of groups and then click OK. 2. Editing pipe ”std-out” Traffic Shaping Pipes std-out: Grouping Grouping: Select SourceIP from the dropdown list. Check Enable dynamic balancing of groups and then click OK. D-Link Firewalls User’s Guide...
  • Page 279 2. Revising pipe rule ”HTTP” to create a return pipe chain Traffic Shaping Pipe Rules HTTP Traffic Shaping: Pipe Chains Return Chain: Select ”http-in” from Available list and put it into Selected list and then click OK. D-Link Firewalls User’s Guide...
  • Page 280 Chapter 23. Traffic Shaping Note An appropriate order for pipes in a chain must be set carefully. D-Link Firewalls User’s Guide...
  • Page 281: Server Load Balancing (Slb)

    Figure 24.1 illustrates a logical view of a SLB module. In this module, 3 servers construct a server farm, and a D-Link firewall acts as a sever load balancer. Server farm A collection of computer servers usually maintained by an enterprise to...
  • Page 282: Slb Features

    D-Link firewalls are capable server load balancers, which can be configured to perform load distribution and monitoring functions. 24.1.2...
  • Page 283: Benefits

    Administration of server applications is easier. The sever farm is seen as a single virtual server by the Clients with one public address; no administration is required for real server changes, which are transparent to the external network. D-Link Firewalls User’s Guide...
  • Page 284: Slb Implementation

    To implement the SLB method, the administrator defines a server farm containing multiple real servers, and binds the server farm as a single virtual server to the D-Link firewall (load balancer), using a public IP address. In this environment, clients are configured to connect to the public address of the sever farm.
  • Page 285 24.2. SLB Implementation D-Link firewalls offer the following algorithms to accomplish the load distribution tasks: 1. Round-Robin Algorithm: The algorithm distributes new coming connections to a list of servers on a rotating bases. For the first connection, the algorithm picks a server from the farm randomly, and assigns the connection to it.
  • Page 286: Server Health Checks

    Performing various checks to determine the ”health” condition of servers is one of the most important benefits of the SLB. At different OSI layers, D-Link firewalls can carry out certain network-level checks. When a server fails, the firewall removes it from the active server list, and will not route any packet to this server until it resumes back.
  • Page 287 24.2. SLB Implementation Figure 24.3: Distribution by Stickiness and Round-Robin Algorithm Figure 24.4: Distribution by Stickiness and Connection-Rate Algorithm D-Link Firewalls User’s Guide...
  • Page 288: Packets Flow By Sat

    80 to be down on that server. 24.2.4 Packets Flow by SAT In D-Link firewalls, load-balancing enabled SAT rule is used to translate packets exchanged between a client and real servers. When a new connection is being opened, the SAT rule is triggered; it translates the public server farm IP address to a real server address.
  • Page 289 Figure 24.5: A SLB Scenario This example describes how SLB can be used to load balance SSH connections to two SSH servers behind a D-Link Firewall connected to the Internet with IP address ip ext, as shown in Figure 24.5. The two SSH servers have the private IP addresses 192.168.1.10 and 192.168.1.11.
  • Page 290 Source Interface: any Source Network: all-nets Destination Interface: core Destination Network: ip ext Then click OK Note It is possible to configure settings for monitoring, distribution method and stickiness. But in this example the default values are used. D-Link Firewalls User’s Guide...
  • Page 292: Misc Features

    Besides safety protection to the network, D-Link firewalls can act as intermediary agents for miscellaneous Internet services to ease the use of various protocols on behalf of the clients. Topics in this part includes: Miscellaneous Clients DHCP Server & Relayer...
  • Page 293: Miscellaneous Clients

    Miscellaneous Clients 25.1 Overview D-Link firewalls offer supports to miscellaneous network clients for Dynamic DNS and similar services. Currently, the services providers that are supported by the firewall include: Dyndns.org Dyns.cx Cjb.net Oray.net – Peanut Hull DynDNS Telia BigPond 25.2...
  • Page 294: Automatic Client Login

    Automatic Client Login Some Internet service providers require users to login via a URL each time before any service is delivered. Currently, D-Link firewalls offers automatic client login to the following providers: Telia – A major telecommunication service company in the Nordic and Baltic region.
  • Page 295: Http Poster

    The URL format used in the HTTP Poster various depending on the specific service provider. Basically, a URL contains Username/Password, provider’s domain name, and other parameters. For example, the URL format for DynDNS service provided by Dyndns.org is: http://MYUID:MYPWD@members.dyndns.org/nic/update?hostname= MYDNS.dyndns.org D-Link Firewalls User’s Guide...
  • Page 296 Chapter 25. Miscellaneous Clients D-Link Firewalls User’s Guide...
  • Page 297: Dhcp Server & Relayer

    DHCP Server & Relayer 26.1 DHCP Server The DHCP server implement the task to assign and manage IP addresses from specified address pools to DHCP clients. When a DHCP server receives a request from a DHCP client, it returns the configuration parameters (such as an IP address, a MAC address, a domain name, and a lease for the IP address) to the client in a unicast message.
  • Page 298 Chapter 26. DHCP Server & Relayer Example: Configuring the firewall as a DHCP server This example describes how to configure a DHCP server on the internal interface (LAN)(Refer to 9.1.2, Ethernet Interfaces in D-Link Firewalls). WebUI Configure DHCP Server System...
  • Page 299: Dhcp Relayer

    For information about VLAN configuration, please refer to 9.2.3, VLAN Implementation. In this case, two VLAN interfaces named as ”vlan1” and ”vlan2” are used. The firewall will also install a route for the client when it has finalized the DHCP process and obtained an IP. D-Link Firewalls User’s Guide...
  • Page 300 System DHCP Settings DHCP Relays DHCP Relay: General: General Name: vlan-to-dhcpserver Action: Relay Source Interface: ipgrp-dhcp DHCP Server to relay to: ip-dhcp Add Route: Check Add dynamic routes for this relayed DHCP lease. Then click OK. D-Link Firewalls User’s Guide...
  • Page 303: Transparent Mode

    Transparent Mode The Transparent Mode feature provided by D-Link firewalls aims at simplifying the deployment of firewall appliances into the existing network topology, to strengthen security. It helps to ease the administration work in a way that there is no need to reconfigure all the settings for the nodes within the current network, when a firewall is introduced into the...
  • Page 304: Transparent Mode Implementation In D-Link Firewalls

    Transparent Mode Implementation in D-Link Firewalls As explained above, D-Link firewall allows ARP transactions when it is set to be transparent mode and in that sense it works almost as a Layer 2 switch in the network. The firewall uses the ARP traffic as one source of information when building its switch route table.
  • Page 305 ARP Transaction State. During the ARP transaction, the firewall learns the source address information of both ends from the request and reply. Inside the D-Link firewall, two tables are maintained that are used to store such information, called Content -Addressable Memory(CAM) Table and Layer 3 Cache respectively.
  • Page 306: Scenarios: Enabling Transparent Mode

    The WAN and LAN interfaces of the firewall will have to be configured to operate in Transparent Mode. It is preferred to configure IP addresses on the WAN and LAN interfaces, as this can improve performance during automatic discovering of hosts. D-Link Firewalls User’s Guide...
  • Page 307 Transparent Mode: Enable Then click OK 2. Rules Rules IP Rules IP Rule: Enter the following: Name: HTTPAllow Action: Allow Service: http Source Interface: LAN Destination Interface: any Source Network: 10.0.0.0/24 Destination Network: 0.0.0.0/0 (all-nets) Then click OK D-Link Firewalls User’s Guide...
  • Page 308 Here we allow the hosts on the internal network to communicate with an HTTP server on DMZ. Furthermore, we allow the HTTP server on DMZ to be reached from the internet. Additional rules could be added to allow other traffic. D-Link Firewalls User’s Guide...
  • Page 309 Enter the following: Name: TransparentGroup Security/Transport Equivalent: Disable Interfaces: Select LAN and DMZ Then click OK 3. Routing Routing Main Routing Table Switch Route: Enter the following: Switched Interfaces: TransparentGroup Network: 10.0.0.0/24 Metric: 0 Then click OK D-Link Firewalls User’s Guide...
  • Page 310 New IP Address: 10.1.4.10 Then click OK Rules IP Rules IP Rule: Enter the following: Name: HTTP-WAN-to-DMZ Action: Allow Service: http Source Interface: WAN Destination Interface: DMZ Source Network: all-nets Destination Network: wan-ip Then click OK D-Link Firewalls User’s Guide...
  • Page 312: Zonedefense

    *ZoneDefense functionality described in this part is only available in the D-Link firewall modules DFL-800/1600/2500.
  • Page 313: Zonedefense

    ZoneDefense 28.1 Overview ZoneDefense is a feature in D-Link firewalls, which lets the firewall control locally attached switches. This can be used as a countermeasure to stop a worm-infected computer in the local network from infecting other computers. By setting up threshold rules on the firewall, hosts or networks that are exceeding the defined threshold can be dynamically blocked out.
  • Page 314: Snmp

    Manager A typical manager, such as a D-Link firewall, executes SNMP protocol to monitor and control network devices in the managed environment. The manager can query stored statistics from the...
  • Page 315: Threshold Rules

    28.3. Threshold Rules Managed devices The managed devices are SNMP compliant, such as D-Link switches. They store management data in their databases, known as Management Information Base (MIB), and provide the information to the manager upon queries. 28.3 Threshold Rules As explained previously, a threshold rule will trigger ZoneDefense to block out a specific host or a network if the connection rate limit specified in the...
  • Page 316: Limitations

    ZoneDefense setup. 28.6 : Setting Up ZoneDefense The following simple example illustrates the steps needed to set up ZoneDefense function in D-Link firewalls. We assume that all the interfaces on the firewall have already been properly configured. Example: Configuring ZoneDefense In this simplified scenario, a HTTP threshold of 10 connections/second is...
  • Page 317 28.6. Scenario: Setting Up ZoneDefense Figure 28.1: A ZoneDefense Scenario. A D-Link switch model DES-3226S is used in this case, with a management interface address 192.168.1.250 connecting to the firewall’s interface address 192.168.1.1. This firewall interface is added into the exclude list to prevent the firewall from being accidentally locked out from accessing the switch.
  • Page 318 – configuring a HTTP threshold of 10 connections/second. ZoneDefense Threshold Threshold: General: General: Name: HTTP-Threshold Service: HTTP Address Filter Source Destination Interface: (the firewall’s management interface) any Network: 192.168.2.0/24(or the object name) all-nets Action: Action: ZoneDefense Host-based Threshold: 10 Then click OK. D-Link Firewalls User’s Guide...
  • Page 320: High Availability

    * High Availability functionality described in this part is only available in the D-Link firewall modules DFL-1600/2500.
  • Page 321: High Availability

    What High Availability will NOT do for you Example High Availability setup D-Link High Availability works by adding a back-up firewall to your existing firewall. The back-up firewall has the same configuration as the primary firewall. It will stay inactive, monitoring the primary firewall, until it deems that the primary firewall is no longer functioning, at which point...
  • Page 322: What High Availability Will Not Do For You

    Redundancy for your routers, switches, and your Internet connection are also issues that need to be addressed. D-Link High Availability clusters will not create a load-sharing cluster. One firewall will be active, and the other will be inactive. Multiple back-up firewalls cannot be used in a cluster. Only two firewalls, a ”master”...
  • Page 323: Example High Availability Setup

    29.2 How Rapid Failover is Accomplished This section includes the following topics: The shared IP address and the failover mechanism Cluster heartbeats The synchronization interface D-Link Firewalls User’s Guide...
  • Page 324: The Shared Ip Address And The Failover Mechanism

    Settings section. As the shared IP address always has the same hardware address, there will be no latency time in updating ARP caches of units attached to the same LAN as the cluster when failover occurs. D-Link Firewalls User’s Guide...
  • Page 325: Cluster Heartbeats

    The destination IP is the shared IP address The IP TTL is always 255. If a firewall receives a cluster heartbeat with any other TTL, it is assumed that the packet has traversed a router, and hence cannot be trusted at all. D-Link Firewalls User’s Guide...
  • Page 326: The Synchronization Interface

    A cluster can be created by either installing a pair of new firewalls, or by converting already installed firewalls to cluster members. The firewall with the highest version number of its configuration will always make sure that the configuration is transferred to the other cluster member. D-Link Firewalls User’s Guide...
  • Page 327: Planning The High Availability Cluster

    29.3.1 Planning the High Availability cluster As an example throughout this guide, two D-Link Firewalls are used as cluster members. To simplify this guide, only two of the interfaces on each cluster member are used for network traffic. The following setup is used: The LAN interfaces on the cluster members are both connected to the same switch.
  • Page 328 Private IP Address: lan-priv-ip Then click OK Interfaces Ethernet Edit (WAN): IP Address: 10.4.10.1 Advanced/High Availability Private IP Address: wan-priv-ip Then click OK When the configuration is saved and activated, the firewall will act as a HA cluster member. D-Link Firewalls User’s Guide...
  • Page 329: Things To Keep In Mind

    Normally, the inactive firewall won’t be sending log entries about live traffic, so the output will likely look much the way it did with only one firewall. D-Link Firewalls User’s Guide...
  • Page 330: Configuration Issues

    Using them for anything else: gatewaying, using them as source IPs in dynamically NATed connections or publishing services on them, will inevitably cause problems, as unique IPs will disappear when the firewall it belongs to does. D-Link Firewalls User’s Guide...
  • Page 333 INDEX ABR, DMZ, 14, 119, 150, 200, 204, 207, ACL, ActiveX, DNS, DoS, 47, 123, AES, DSA, ALG, DST, ARP, DynDNS, ARP, ESP, ASBRs, Ethernet, Ethernet address, Backbone area, BDR, Firewall, Blowfish, BOOTP, GRE, 27, 45, Brute force attack, H.225, CA, 49, H.245, CAST,...
  • Page 334 OSI, VPN, 13, 193, OSPF, 73, WWW, PAP, 62, 135, PBR, PFS, PPP, 27, 62, 135, PPPoE, 27, PPTP, 27, Proxy ARP, PSK, 216, QoS, 247, RADIUS, Replay attack, RIP, Route, RouteFailover, Router priority, Routing table, D-Link Firewalls User’s Guide...
  • Page 335: A Console Commands Reference

    Brings up information pertaining to the version of the firewall core in use and a copyright notice. Syntax: about Example: Cmd> about D-Link DFL 2.01.00V Copyright Clavister 1996-2005. All rights reserved SSH IPSEC Express SSHIPM version 5.1.1 library 5.1.1 Copyright 1997-2003 SSH Communications Security Corp. Build : Jun 3 2005...
  • Page 336: Access

    - hashinfo –Display information on hash table health - flush –Flush ARP cache of ALL interfaces - flushif –Flush ARP cache of an iface Example: Cmd> arp wan ARP cache of iface wan Dynamic 194.2.1.1 = 0020:d216:5eec Expire=141 D-Link Firewalls User’s Guide...
  • Page 337: Arpsnoop

    flowing for some inexplicable reason. By analyzing the contents of the buffers, it is possible to determine whether such traffic is making it to the firewall at all. Syntax: -- buffers Brings up a list of most recently freed buffers. Example: D-Link Firewalls User’s Guide...
  • Page 338: Certcache

    Example: Cmd> buff . Decode of buffer number 1059 lan:Enet 0050:dadf:7bbf->0003:325c:cc00, type 0x0800, len 1058 IP 192.168.123.10->193.13.79.1 IHL:20 DataLen:1024 TTL:254 Proto:ICMP ICMP Echo reply ID:6666 Seq:0 Certcache Displays the contents of the certificate cache. Syntax: certcache D-Link Firewalls User’s Guide...
  • Page 339: Cfglog

    - FIN RECV TCP packet with FIN/RST flag received - PING The connection is an ICMP ECHO connection - UDP The connection is a UDP connection - RAWIP The connection uses an IP protocol other than TCP, UDP or ICMP Syntax: connections D-Link Firewalls User’s Guide...
  • Page 340: Cpuid

    0x66: 1st-level data cache: 8-KB, 4-way set associative, sectored cache, 64-byte line size DHCP Syntax: dhcp [options] <interface> Options: - renew – Force interface to renew it’s lease - release – Force interface to release it’s lease D-Link Firewalls User’s Guide...
  • Page 341: Dhcprelay

    Options: - rules – Shows dhcp server rules - leases – Shows dhcp server leases - mappings – Shows dhcp server IP MAC mappings - release – Releases an active or blacklisted IP Example: Cmd> dhcpserver D-Link Firewalls User’s Guide...
  • Page 342: Dynroute

    Accept 23.3.8.4 10.5.3.2 ICMP 1480 60 Shows information about a HA cluster. Syntax: ha Example: Cmd> ha This device is a HA SLAVE This device is currently ACTIVE (will forward traffic) HA cluster peer is ALIVE D-Link Firewalls User’s Guide...
  • Page 343: Httpposter

    HTTPPoster Show the configured httpposter urls and status. Syntax: httpposter [options] Options: - repost – Re-post all URLs now. D-Link Firewalls User’s Guide...
  • Page 344: Ifacegroups

    IfStat Syntax: -- ifstat Shows a list of the interfaces installed in the firewall. Example: Cmd> ifstat Configured interfaces: Interface name IP Address Interface type -------------- ------------ ------------- core 127.0.0.1 Null (sink) 172.16.87.252 ... 192.168.121.1 ... D-Link Firewalls User’s Guide...
  • Page 345: Ikesnoop

    Turn IKE snooping on, if a IP is specified only ike traffic from that IP will be showed. -- ikesnoop verbose [ipaddr] Enable verbose output, if a IP is specified only ike traffic from that IP will be showed. D-Link Firewalls User’s Guide...
  • Page 346: Ipseckeepalive

    IKE proplist: ike-default, IPsec proplist: esp-tn-roamingclients IPSecstats Display connected IPSec VPN gateways and remote clients. Syntax: ipsecstats [options] Options: - ike Displays IKE SAs - ipsec Displays IPsec SAs (default) Displays detailed SA statistic information Displays verbose information D-Link Firewalls User’s Guide...
  • Page 347: Killsa

    firewall with this command, by doing a license remove. Syntax: license [remove] Example: Cmd> lic Contents of the License file ---------------------------- Registration key: Bound to MAC address: ... Model: DFL-... Registration date: Issued date: Last modified: New upgrades until: Ethernet Interfaces: D-Link Firewalls User’s Guide...
  • Page 348: Lockdown

    Syntax: memory Netcon Shows a list of users currently connected to the firewall via the netcon management protocol. Syntax: netcon Example: Cmd> netcon Currently connected NetCon users: Iface IP address port 192.168.123.11 39495 D-Link Firewalls User’s Guide...
  • Page 349: Netobjects

    - snoop [on off], Display troubleshooting messages on the console - ifacedown iface , Takes specified interface offline - ifaceup iface , Takes specified interface online - stop, Stop OSPF process - start, Start OSPF process - restart, Restart OSPF process D-Link Firewalls User’s Guide...
  • Page 350: Ping

    "main". Echo reply from 192.168.12.1 seq=0 time= 10 ms TTL=255 Pipes Shows the list of configured pipes; the contents of the Pipes configuration section, along with basic throughput figures of each pipe. Syntax: pipes [options] name Options: Display overall statistics D-Link Firewalls User’s Guide...
  • Page 351: Proplists

    FWCore.cfg after the bi-directional verification timeout period has expired (typically 30 seconds). Syntax: reconfiure Example: Cmd> reconfigure Shutdown RECONFIGURE. Active in 1 seconds. Shutdown reason: Reconfigure due to console command D-Link Firewalls User’s Guide...
  • Page 352: Remotes

    , Limit display to entries (default: 20) - nonhost, Do not show single-host routes - tables, Display list of named (PBR) routing tables - lookup ip , Lookup the route for the given IP address - v, Verbose D-Link Firewalls User’s Guide...
  • Page 353: Rules

    Source Destination Protocol/Ports -- ----- -------------- -------------- --------------- Allow lan: ... core: ... "HTTP" "HTTP-fw" Use: 0 FWLOG:notice SYSLOG:notice Scrsave Activates the screensaver included with the firewall core. Syntax: scrsave Example: Cmd> scr Activating screen saver... D-Link Firewalls User’s Guide...
  • Page 354: Services

    Sysmsgs Show the contents of the OS sysmsg buffer. Syntax: sysmsgs Example: Cmd> sysmsg Contents of OS sysmsg buffer: Settings Shows the contents of the Settings configuration section. Syntax: -- settings Shows available groups of settings. D-Link Firewalls User’s Guide...
  • Page 355 - Settings regarding the builtin web server HwPerformance - Hardware performance parameters IfaceMon - Interface Monitor RouteFailOver - Route Fail Over Default values - Intrusion Detection / Prevention Settings - PPP (L2TP/PPTP/PPPoE) Settings Misc - Miscellaneous Settings D-Link Firewalls User’s Guide...
  • Page 356: Stats

    Fragbufs allocated : 16 Fragbufs memory : 16 x 10040 = 156 KB Out-of-buffers ARP one-shot cache : Hits : 409979144 Misses : 186865338 Interfaces: Phys:2 VLAN:5 VPN:0 Access entries:18 Rule entries:75 Using configuration file "FWCore.cfg", ver ... D-Link Firewalls User’s Guide...
  • Page 357: Time

    Displays currently logged-on users and other information. Also allows logged-on users to be forcibly logged out. Syntax: userauth [options] Options: - l, displays a list of all authenticated users - p, displays a list of all known privileges (usernames and groups) D-Link Firewalls User’s Guide...
  • Page 358: Userdb

    Options: - num, Displays the specified number of users (default 20) Example: Cmd> userdb Configured user databases: Name users ------------- ------- AdminUsers D-Link Firewalls User’s Guide...
  • Page 359: Vlan

    Shows information about configured VLANs. Syntax: -- vlan List attached VLANs Example: Cmd> vlan VLANs: vlan1 IPAddr: 192.168.123.1 ID: 1 Iface: lan vlan2 IPAddr: 192.168.123.1 ID: 2 Iface: lan vlan3 IPAddr: 192.168.123.1 ID: 3 Iface: lan D-Link Firewalls User’s Guide...
  • Page 360 Iface lan, VLAN ID: 1 Iface : lan IP Address : 192.168.123.1 Hw Address : 0003:474e:25f9 Software Statistics: Soft received : 0 Soft sent: 0 Send failures: 0 Dropped : 0 IP Input Errs : 0 D-Link Firewalls User’s Guide...
  • Page 361: B Customer Support

    Customer Support...
  • Page 362 URL: www.dlink.se FAX: 49-6196-7799300 URL: www.dlink.de Denmark France Naverland 2, DK-2600 Glostrup, No.2 all’ee de la Fresnerie 78330 Fontenay le Fleury Copenhagen France Denmark TEL: 33-1-30238688 TEL: 45-43-969040 FAX: 45-43-424347 FAX: 33-1-30238689 URL: www.dlink.fr URL: www.dlink.dk D-Link Firewalls User’s Guide...
  • Page 363 #03-12 The Synergy Glatt Tower, 2.OG CH-8301 Singapore 609917 Glattzentrum Postfach 2.OG TEL: 65-6774-6233 Switzerland FAX: 65-6774-6322 TEL : +41 (0) 1 832 11 00 URL: www.dlink-intl.com FAX: +41 (0) 1 832 11 01 URL: www.dlink.ch D-Link Firewalls User’s Guide...
  • Page 364 TEL: 61-2-8899-1800 Hertzelia-Pituach 46120 FAX: 61-2-8899-1868 Israel URL: www.dlink.com.au TEL: +972-9-9715700 FAX: +972-9-9715601 India URL: www.dlink.co.il D-Link House, Kurla Bandra Complex Road OffCST Road, LatinAmerica Santacruz (East) Isidora Goyeechea 2934 Mumbai - 400098 Ofcina 702 India Las Condes TEL: 91-022-26526696/56902210...
  • Page 365 TEL: 7-495-744-0099 Chaoyang District, FAX: 7-495-744-0099 #350 Beijing 100025, China URL: www.dlink.ru TEL +86-10-58635800 FAX: +86-10-58635799 URL: www.dlink.com.cn Taiwan No. 289, Sinhu 3rd Rd., Neihu District, Taipei City 114, Taiwan TEL: 886-2-6600-0123 FAX: 886-2-6600-1188 URL: www.dlinktw.com.tw D-Link Firewalls User’s Guide...
  • Page 366 Chapter B. Customer Support D-Link Firewalls User’s Guide...