D-Link DFL-1000 Manual

Network security firewall

Summary of Contents for D-Link DFL-1000

  • Page 1 D-Link DFL-1000 Network Security Firewall Manual. Building Networks for People. DFL-1000 User Manual...
  • Page 2 No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of D-Link Systems, Inc. DFL-1000 User Manual Version 2.27...
  • Page 3: Table Of Contents

    Starting the firewall setup wizard (21); Reconnecting to the web-based manager (21); Using the command line interface (21); Connecting to the CLI (21); Configuring the DFL-1000 to run in NAT/Route mode (22); Connecting to your network (23); Configuring your internal network (23); Completing the configuration (24); Configuring the DMZ interface (24)...
  • Page 4 Starting the setup wizard (27); Reconnecting to the web-based manager (27); Using the command line interface (27); Connecting to the CLI (27); Configuring the DFL-1000 to run in Transparent mode (28); Setting the date and time (29); Connecting to your network (29); Firewall configuration (30); Policy modes (30)...
  • Page 5 Manual key IPSec VPN for remote clients (70); Configuring the VPN tunnel (71); Testing a VPN (71); IPSec pass through (71); IPSec client to network pass through (72); IPSec network to network pass through (74); PPTP and L2TP VPNs (76). DFL-1000 User Manual...
  • Page 6 PPTP pass through (80); PPTP client to network pass through (80); L2TP VPN configuration (82); Configuring the DFL-1000 as an L2TP gateway (82); Configuring a Windows 2000 Client for L2TP (83); Configuring a Windows XP Client for L2TP (84); RADIUS authentication for PPTP and L2TP VPNs (86); Adding RADIUS server addresses (86)...
  • Page 7 Logging and reporting (105); Configuring logging (105); Recording logs on a remote computer (105); Recording logs on a WebTrends server (105); Recording logs on the DFL-1000 hard disk (106); Selecting what to log (107); Log message formats (107); Traffic log message format (107); Event log message format (107); Attack log message format (109)...
  • Page 8 Configuring SNMP (128); Alert email (130); Glossary (132); Troubleshooting FAQs (135); General administration (135); Network configuration (135); Firewall policies (135); Schedules (136); VPN (136); Virus protection * (136); Web content filtering (137); Logging (137); Technical Support (138); Limited Warranty (141); Registration (144). DFL-1000 User Manual...
  • Page 9: Introduction

    (SMTP, POP3, and IMAP protocols) as it passes through the DFL-1000. The content can be contained in normal network traffic that is allowed to pass between DFL-1000 interfaces as well as in IPSec VPN traffic. Antivirus protection can scan HTTP and email files and attachments in MIME (Multipurpose Internet Mail Extensions) and Uuencode format.
  • Page 10: Web Content Filtering

    If a requested URL matches an entry on the URL block list, or if a web page contains a word or phrase from the content block list, the DFL-1000 blocks the web page. The blocked web page is replaced with a message that you can edit using the DFL-1000 web-based manager.
  • Page 11: Transparent Mode

    Transparent Mode is used to provide firewall protection to a pre-existing network with public addresses. All of the DFL-1000 network interfaces must be in the same subnet and the DFL-1000 can be inserted into your network at any point without the need to make any changes to your network.
  • Page 12: Secure Installation, Configuration, And Management

    (CLI) by connecting a management computer serial port to the DFL-1000 RS-232 serial Console connector. You can also use the SSH protocol to create a secure connection to the DFL-1000 CLI from any network connected to the DFL-1000, including the Internet. Connecting to and using the DFL-1000 CLI is described in the DFL-1000 CLI Reference Guide.
  • Page 13: About This Document

    • Troubleshooting FAQs help you find the information you need if you run into problems. For more information: In addition to the DFL-1000 User Manual, you have access to the following DFL-1000 documentation: • DFL-1000 QuickStart Guide • DFL-1000 CLI Reference Guide •...
  • Page 14: Customer Service And Technical Support

    Customer service and technical support: For firmware, attack database, and antivirus database updates, updated product documentation, technical support information, and other resources, please visit your local D-Link website and follow the link to the support page. You can contact D-Link Technical Support at: •...
  • Page 15: Getting Started

    The DFL-1000 can be installed on any stable surface. Make sure the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling. The DFL-1000 can also be mounted on a standard 19-inch rack. It requires 1 U of vertical space in the rack.
  • Page 16: Environmental Specifications

    • Turn on the power switch. The DFL-1000 starts up. The Power and Status lights turn on. The Status light flashes while the DFL-1000 is starting up and remains lit when the system is up and running. Front and back view of the DFL-1000...
  • Page 17: Next Steps

    Flashing Amber: Network activity at this interface. No link established. Next steps: Now that your DFL-1000 is up and running, you can proceed to configure it for operation: • If you are going to run your DFL-1000 in NAT/Route mode, go to NAT/Route mode installation •...
  • Page 18: Nat/Route Mode Installation

    NAT/Route mode installation: This chapter describes how to install your DFL-1000 in NAT/Route mode. If you want to install the DFL-1000 in Transparent mode, see Transparent mode installation. This chapter includes: • Preparing to configure NAT/Route mode • Using the setup wizard •...
  • Page 19: Advanced Nat/Route Mode Settings

    _____._____._____._____ Ending IP: _____._____._____._____ Netmask: _____._____._____._____ DHCP Server Settings: Default Route: _____._____._____._____ DNS IP: _____._____._____._____ The DFL-1000 contains a DHCP server that you can configure to automatically set the addresses of the computers on your internal network. DFL-1000 User Manual...
  • Page 20: Dmz Interface

    DMZ interface (Optional): record the IP address and netmask of the DFL-1000 DMZ interface if you are configuring it during installation. DMZ: IP: _____._____._____._____ Netmask: _____._____._____._____ Using the setup wizard: Use the procedures in this section to connect to the web-based manager and the setup wizard to create the initial configuration of your DFL-1000.
  • Page 21: Starting The Firewall Setup Wizard

    Otherwise, you can reconnect to the web-based manager by browsing to https://192.168.1.99. You have now completed the initial configuration of your DFL-1000, and you can proceed to connect the DFL-1000 to your network using the information in Connecting to your network.
  • Page 22: Configuring The Dfl-1000 To Run In Nat/Route Mode

    Confirm that the addresses are correct. Enter: get system interface The CLI lists the IP address and netmask settings for each of the DFL-1000 interfaces as well as the mode of the external interface (Manual, DHCP, or PPPoE). Configure the NAT/Route mode default gateway •...
  • Page 23: Connecting To Your Network

    DFL-1000 NAT/Route mode connections. Configuring your internal network: If you are running the DFL-1000 in NAT/Route mode, your internal network must be configured to route all internet traffic to the address of the internal interface of the DFL-1000. This means changing the default gateway address of all computers and routers connected directly to the internal network.
  • Page 24: Completing The Configuration

    If you are using the DFL-1000 as the DHCP server for your internal network, configure the computers on your internal network for DHCP. Use the internal address of the DFL-1000 as the DHCP server IP address. Once the DFL-1000 is connected, make sure it is functioning properly by connecting to the Internet from a computer on your internal network.
  • Page 25: Transparent Mode Installation

    Transparent mode installation: This chapter describes how to install your DFL-1000 in Transparent mode. If you want to install the DFL-1000 in NAT/Route mode, see NAT/Route mode installation. This chapter includes: • Preparing to configure Transparent mode • Using the setup wizard •...
  • Page 26: Using The Setup Wizard

    Type admin in the Name field and select Login. (DFL-1000 login page.) Changing to Transparent mode: The first time you connect to the DFL-1000 it is configured to run in NAT/Route mode. To switch to Transparent mode using the web-based manager: •...
  • Page 27: Starting The Setup Wizard

    IP default gateway field. Using the command line interface: As an alternative to the setup wizard, you can configure the DFL-1000 using the Command Line Interface (CLI). To connect to the DFL-1000 command line interface (CLI) you require: •...
  • Page 28: Configuring The Dfl-1000 To Run In Transparent Mode

    Type ? for a list of commands. • Confirm that the DFL-1000 has switched to Transparent mode. Enter: get system status The CLI displays the status of the DFL-1000. The last line shows the current operation mode. For the DFL-1000: Version:DFL-1000 2.26,build041,020617 virus-db:3.1(06/13/2002 15:30) ids-db:1.0(06/05/2002 11:33)
  • Page 29: Setting The Date And Time

    For effective scheduling and logging, the DFL-1000 date and time should be accurate. You can either manually set the time or you can configure the DFL-1000 to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server.
  • Page 30: Firewall Configuration

    (port number). For the packet to be connected through the DFL-1000, you must have added a policy to the interface that receives the packet. The policy must match the packet's source address, destination address, and service.
  • Page 31: Transparent Mode

    Select Transparent Mode to provide firewall protection to a network with public addresses. There are no restrictions on the addresses of the interfaces of the DFL-1000. Therefore, the DFL-1000 can be inserted into your network at any point without the need to make changes to your network. In transparent mode, the DFL-1000 acts like a router.
  • Page 32: Adding Policies

    • Click Apply. Adding policies: Add security policies to control connections and traffic between DFL-1000 interfaces. The first step to adding a policy is to select a policy list. There are 6 policy lists: Int to Ext: Policies for connections from the internal network to the external network (the Internet).
  • Page 33 The policy is added to the selected policy list. You must arrange policies in the policy list so that they have the results that you expect. Arranging policies in a policy list is described in Ordering policies in policy lists. Sample Route mode policy (NAT/Route mode) DFL-1000 User Manual...
  • Page 34: Adding Nat Mode Policies

    Select OK to add the policy. The policy is added to the selected policy list. You must arrange policies in the policy list so that they have the results that you expect. See Ordering policies in policy lists for more information. DFL-1000 User Manual...
  • Page 35: Editing Policies

    POP3 to get email, use FTP to download files through the DFL-1000 and so on. If the default policy is at the top of the Int to Ext policy list, the firewall allows all connections from the internal network to the Internet because all connections match the default policy.
  • Page 36: Adding Addresses

    These addresses must be valid addresses for the network connected to that interface. By default the DFL-1000 includes two addresses that cannot be edited or deleted: •...
  • Page 37: Editing Addresses

    To add an address group using the web-based manager: • Go to Firewall > Address > Group . • Select the interface to which to add the address group. DFL-1000 User Manual...
  • Page 38: Adding Virtual Ips

    IP to the destination address of the Ext to DMZ policy that provides users on the Internet with access to the web server. Adding Virtual IPs: To add a virtual IP: • Go to Firewall > Virtual IP. • Select New to add the virtual IP. DFL-1000 User Manual...
  • Page 39: Services

    Internet, the IP address must be a static IP address obtained from your ISP for your web server and must not be the same as the external address of the DFL-1000. However, your ISP must route this address to the external interface of the DFL-1000.
  • Page 40: Providing Access To Custom Services

    X-WINDOWS, source port 1-65535, destination port 6000: For remote communications between an X-Window server and X-Window clients. Providing access to custom services: Add a custom service if you need to create a policy for a service that is not in the predefined services list. DFL-1000 User Manual...
  • Page 41: Grouping Services

    PC, connections to be accepted by the DFL-1000. Adding this service to an Ext to Int policy would allow a user on the Internet to use pcAnywhere to connect to one or more computers on the internal network.
  • Page 42: Schedules

    To create a one-time schedule using the web-based manager: • Go to Firewall > Schedule > One-time . DFL-1000 User Manual...
  • Page 43: Creating Recurring Schedules

    - and _. Other special characters and spaces are not allowed. • Select the days of the week that are working days. • Set the Start Hour and the End Hour to the start and end of the work day. DFL-1000 User Manual...
  • Page 44: Adding A Schedule To A Policy

    Choose the one-time schedule that you added and set Action to Deny. Then place the policy containing the one-time schedule in the policy list above the policy to be denied. DFL-1000 User Manual...
  • Page 45: Users And Authentication

    Arranging a one-time schedule in the policy list to deny access. Users and authentication: You can configure the DFL-1000 to require users to authenticate (enter a user name and password) to access HTTP, FTP, or Telnet services through the firewall. To configure authentication you need to add user names and passwords to the firewall and then add policies that require authentication.
  • Page 46: Setting Authentication Time Out

    Port forwarding: Port forwarding routes packets that are received by the DFL-1000 external interface according to the packet's destination service port. When the packet is intercepted, the firewall changes the packet's destination address to an address on a network connected to the internal or DMZ interface.
  • Page 47: Port Forwarding Example

    Usually you would select the same service as you selected in the External Service Port list, but you can select a different service port to have the DFL-1000 change the destination port of packets before they are forwarded to the server.
  • Page 48: Ip/Mac Binding

    IP/MAC binding table must have the correct MAC address or it is blocked. You can also configure the DFL-1000 to block all traffic with a source address that is not found in the IP/MAC binding table, and to only allow traffic with a source address in the IP/MAC binding table if the IP address and MAC address pair matches an entry in the table.
  • Page 49: Traffic Shaping

    Traffic Shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the DFL-1000. For example, the policy for the corporate web server might be given higher priority than the policies for most employees' computers. An employee who needs unusually high speed Internet access could have a special outgoing policy set up with higher bandwidth.
  • Page 50: Example Policies

    The following example route mode policy to accept connections from the Internet and forward them to the DMZ is similar to any route mode policy. In this example, the DFL-1000 is running in NAT/Route mode and the mode for connections between the external and DMZ interfaces is set to route mode. You can use route mode policies for connections from the Internet to the DMZ if addresses on the DMZ are routable from the Internet.
  • Page 51: Transparent Mode Policy For Public Access To A Server

    Policies that deny connections from the Internet can control access to policies that accept connections from the Internet. You can deny connections: • From specific Internet addresses • To specific internal or DMZ addresses • To specific services • According to a one-time or recurring schedule DFL-1000 User Manual...
  • Page 52: Using A Schedule To Deny Access

    Internet is similar to any procedure to deny a connection that would otherwise be accepted by the default policy. In this example, the DFL-1000 is running in NAT/Route mode. To deny a connection to the Internet: •...
  • Page 53: Adding Policies That Accept Connections

    The following example procedure to accept connections from the internal network to the Internet is similar to any procedure to accept connections. In this example, the DFL-1000 is running in NAT/Route mode. To accept a connection to the Internet: •...
  • Page 54: Requiring Authentication To Connect To The Internet

    According to a schedule The following example procedure requiring users on the internal network to authenticate to access HTTP servers on the Internet is similar to any procedure requiring authentication. In this example, the DFL-1000 is running in NAT/Route mode.
  • Page 55: Ipsec Vpns

    The DFL-1000 is an excellent choice for providing secure VPN access for small businesses and branch offices. Users of the VPN service could be telecommuters that connect to the main office network for email and other network services. The DFL-1000 can also be used to connect a branch office to a main office VPN.
  • Page 56: Autokey Ipsec Vpn Between Two Networks

    VPN that connects the branch office network to the main office network. You can use any DFL-1000 product configured as an IPSec VPN gateway to protect the branch office or main office depending on the capacity that you require. You can also use the DFL-1000 IPSec VPN to connect to a network protected by a third-party VPN gateway that supports IPSec and Autokey IKE.
  • Page 57: Creating The Vpn Tunnel

    On both gateways the tunnel should have the same authentication key. When the DFL-1000 receives IPSec packets from the IP address of the VPN tunnel remote gateway, it attempts to start a VPN tunnel with the remote gateway using the VPN tunnel configuration that you have created.
  • Page 58 During the second phase (P2) the VPN gateways negotiate to select a common algorithm for data communication. When you select algorithms for the P2 Proposal, you are selecting the algorithms that the DFL-1000 will propose during Phase 2 negotiation. Again, during P2, each VPN gateway must have at least one algorithm in common.
  • Page 59: Adding Source And Destination Addresses

    Source, the IP address of the network behind the local VPN gateway The source address can be an address or address group on your internal or DMZ network. • Destination, the IP address of the network behind the other VPN gateway DFL-1000 User Manual...
  • Page 60 Enter the Address Name and the IP Address and NetMask of the network that can connect to the near end of the VPN. Example internal source address for VPN gateway 1 • Select OK to save the source address. DFL-1000 User Manual...
  • Page 61: Adding An Ipsec Vpn Policy

    Select New to add a new IPSec VPN policy. • Select a Source address. • Select a Destination address. • Select the VPN Tunnel Name. • Select OK to save the VPN policy. Example Main office VPN policy DFL-1000 User Manual...
  • Page 62: Autokey Ipsec Vpn For Remote Clients

    Communication between the remote client and the internal or DMZ network takes place over an encrypted VPN tunnel that connects the remote client to the DFL-1000 VPN gateway across the Internet. Once connected to the VPN, the remote client computer seems to be installed on the internal or DMZ network.
  • Page 63: Adding Source And Destination Addresses

    Select OK to save the Autokey IKE VPN tunnel. Adding source and destination addresses: The next step in configuring the DFL-1000 VPN gateway is to add the source and destination addresses for the VPN policy. For each client VPN tunnel you require two addresses: •...
  • Page 64: Adding An Ipsec Vpn Policy

    2.2.2.2). Netmask 255.255.255.255. Complete the following procedures on the DFL-1000 VPN gateway to add the source and destination addresses. Adding a source address: In this example, the source address is a single internal address. However, you can create a VPN that connects to the DMZ network by adding a DMZ address.
  • Page 65: Configuring The Ipsec Vpn Client

    The VPN client PC must be running industry standard IPSec Autokey IKE VPN client software. D-Link recommends the SafeNet/Soft-PK client from IRE, Inc. Configure the client as required to connect to the DFL-1000 VPN gateway using an IPSec VPN configuration. Make sure the client configuration includes the settings in VPN client configuration.
  • Page 66: Adding A Dial-Up Vpn Tunnel

    P1 Proposal: Select the Encryption algorithms (DES, 3DES) to propose for Phase 1 of the IPSec VPN connection. See About P1 and P2 proposals. Select the Authentication algorithms to propose for Phase 1 of the IPSec VPN connection. DFL-1000 User Manual...
  • Page 67: Configuring Remote Ipsec Vpn Clients

    Configuring remote IPSec VPN gateways: The remote IPSec VPN gateways must be DFL-1000 IPSec VPN gateways or third-party IPSec VPN gateways running industry standard IPSec Autokey IKE VPN software. Configure the VPN gateway as required to connect to the dial-up VPN gateway using an IPSec VPN configuration.
  • Page 68: Viewing Vpn Tunnel Status

    All of the active dial-up tunnels are listed. The following information is included for each tunnel: The Local IP column is always set to 0.0.0.0/0.0.0.0. The Local Gateway column displays the IP address of the DFL-1000 external interface. DFL-1000 User Manual...
  • Page 69: Manual Key Ipsec Vpn Between Two Networks

    Manual key IPSec VPN between two networks: DFL-1000 IPSec VPNs can be configured to use Autokey IKE or manual key exchange. In most cases Autokey key exchange is preferred because it is easier to configure and maintain. However, manual key exchange may be necessary in some cases for compatibility with third party VPN products.
  • Page 70: Manual Key Ipsec Vpn For Remote Clients

    Manual key exchange VPNs do not support VPN clients with dynamic IP addresses. The VPN client PC must have industry standard IPSec VPN client software installed. The DFL-1000 VPN is based on the industry standard IPSec implementation of VPN making it interoperable with other IPSec...
  • Page 71: Configuring The Vpn Tunnel

    The IPSec VPN tunnel starts automatically when the first data packet destined for the VPN is intercepted by the DFL-1000. To confirm that a VPN between a network and one or more clients has been configured correctly, start a VPN client and use the ping command to connect to a computer on the internal network.
  • Page 72: Ipsec Client To Network Pass Through

    Other than enabling IPSec pass through, no special configuration is required for the DFL-1000 that will be passed through. The VPN tunnel configuration of the VPN gateway on the Internet (or remote side) must be changed to accept connections from the IP address of the external interface of the DFL-1000 that will be passed through.
  • Page 73 The administrator of the remote IPSec VPN gateway creates a standard VPN gateway configuration. However, the remote gateway address of the VPN tunnel is set to the external address of the DFL-1000 to be passed through, rather than the IP address of the VPN client. Using the example in...
  • Page 74: Ipsec Network To Network Pass Through

    IPSec pass through allows the DFL-1000 internal IPSec VPN gateway to connect to the DFL-1000 Internet IPSec VPN gateway. You can substitute any suitable DFL-1000 product for the IPSec VPN gateways. One or both of these IPSec VPN gateways could also be a third-party VPN gateway.
  • Page 75 192.168.2.0 with a netmask of 255.255.255.0. The remote gateway address of the VPN tunnel is set to the external address of the DFL-1000 to be passed through, rather than the external IP address of the internal IPSec VPN gateway. Using the...
  • Page 76: Pptp And L2Tp Vpns

    RADIUS authentication for PPTP and L2TP VPNs. PPTP VPN configuration: You configure your DFL-1000 to support PPTP by adding PPTP users and specifying a PPTP address range. You can also require PPTP VPN users to authenticate to your RADIUS server. Finally, to connect to the PPTP VPN, your remote Windows clients must be configured for PPTP.
  • Page 77: Configuring The Dfl-1000 As A Pptp Gateway

    PPTP VPN between a Windows client and the DFL-1000. Configuring the DFL-1000 as a PPTP gateway: Use the following procedure to configure the DFL-1000 to be a PPTP gateway: • Go to VPN > PPTP > PPTP User. •...
  • Page 78: Configuring A Windows 98 Client For Pptp

    Use the following procedure to configure a client machine running Windows 98 so that it can connect to a DFL-1000 PPTP VPN. To configure the Windows 98 client, you must install and configure Windows dial-up networking and virtual private networking support.
  • Page 79: Configuring A Windows 2000 Client For Pptp

    If the Public Network dialog box appears, choose the appropriate initial connection and select Next. • In the VPN Server Selection dialog, enter the external IP address or hostname of the DFL-1000 to connect to and select Next. DFL-1000 User Manual...
  • Page 80: Pptp Pass Through

    VPN is originating from the external interface of your DFL-1000. Turning on PPTP pass through is the only change you have to make to your DFL-1000 configuration. No configuration changes are required for the PPTP VPN client and gateway.
  • Page 81 Configuring a Windows 2000 Client for PPTP • Configuring a Windows XP Client for PPTP • Set the default gateway of the PPTP VPN client computer to the internal interface of the DFL-1000 to be passed through. • Configure the PPTP VPN gateway. See Configuring the DFL-1000 as a PPTP gateway.
  • Page 82: L2Tp Vpn Configuration

    IP address of the external interface of the DFL-1000. The DFL-1000 then forwards the PPTP packets to the PPTP VPN gateway. L2TP VPN configuration: Configuring L2TP is similar to configuring PPTP. You configure the DFL-1000 to support L2TP by adding L2TP users and specifying an L2TP address range.
  • Page 83: Configuring A Windows 2000 Client For L2Tp

    For Network Connection Type, select Connect to a private network through the Internet and select Next. • For Destination Address, enter the external address of the DFL-1000 to connect to and select Next. • Set Connection Availability to Only for myself and select Next.
  • Page 84: Configuring A Windows Xp Client For L2Tp

    This user name and password are not the same as your VPN user name and password. Configuring a Windows XP Client for L2TP: Use the following procedure to configure a client machine running Windows XP so that it can connect to a DFL-1000 L2TP VPN. Configuring an L2TP VPN dial-up connection •...
  • Page 85 • If the Public Network dialog box appears, choose the appropriate initial connection and select Next. • In the VPN Server Selection dialog, enter the external IP address or hostname of the DFL-1000 to connect to and select Next. •...
  • Page 86: Radius Authentication For Pptp And L2Tp Vpns

    PPTP or L2TP user connects to a DFL-1000, the user name and password are checked against the DFL-1000 PPTP or L2TP user name and password list. If a match is not found locally, the DFL-1000 contacts the RADIUS server for authentication.
  • Page 87: Turning On Radius Authentication For Pptp

    Turning on RADIUS authentication for L2TP: RADIUS authentication can be turned on separately for PPTP and L2TP. To turn on RADIUS authentication for L2TP users: • Go to VPN > L2TP > L2TP Range. • Check Enable RADIUS. • Select Apply. DFL-1000 User Manual...
  • Page 88: Network Intrusion Detection System (Nids)

    Network Intrusion detection system (NIDS)*: The DFL-1000 NIDS is a real-time network intrusion detection sensor that can identify a wide variety of suspicious network traffic including direct attacks, and take action as required. The NIDS uses attack signatures, stored in the attack database, to identify common attacks. In response to an attack, the NIDS protects the DFL-1000 and the networks connected to it by: •...
  • Page 89: Exploits

    NIDS can run checksum verifications on IP, TCP, UDP, and ICMP traffic. For maximum protection, you can turn on checksum verification for all types of traffic. However, if the DFL-1000 does not need to do checksum verification, you can turn it off for some or all types of traffic to improve performance.
  • Page 90: Viewing The Attack List

    Email to send alerts in Alert emails. SNMP will be available in a future release. • For Message, select Summary or Full. Summary Record a brief summary message stating the name of the attack and the source and destination addresses. DFL-1000 User Manual...
  • Page 91 NIDS replaces the checked IP addresses of attacks with xxx.xxx.xxx.xxx. • Select Apply to save your changes. NIDS alerts configuration * Note: Antivirus definitions and NIDS updates has been removed in firmware versions starting from v.236. DFL-1000 User Manual...
  • Page 92: Virus Protection

    (SMTP, POP3, and IMAP protocols) as it passes through the DFL-1000. The content can be contained in normal network traffic that is allowed to pass between DFL-1000 interfaces as well as in IPSec VPN traffic. Antivirus protection can scan HTTP and email files and attachments in MIME (Multipurpose Internet Mail Extensions) and Uuencode format.
  • Page 93: Configuring Antivirus Protection

    Configure Ext to DMZ SMTP virus protection if you have an SMTP server on your DMZ that can be accessed from the Internet by other SMTP servers. Configure Ext to DMZ POP3 and IMAP virus protection if you have a POP3 or IMAP server on your DFL-1000 User Manual...
  • Page 94: Configuring Antivirus Protection

    Protection that you are configuring. Settings Select Scan or Block. DFL-1000 antivirus protection extracts the following files from the protocol data stream and scans them for viruses: Executable files (exe, bat, and com) Visual basic files (vbs) Compressed files (zip, gzip, tar, hta, and rar)
  • Page 95: Worm Protection

    Select Protection Status for each of the connection types to turn on worm protection for that connection type. Customize antivirus messages* Use the following procedures to customize the message that appears when DFL-1000 antivirus protection removes a file from a content protocol stream. •...
  • Page 96: Customizing Messages Added To Web Pages

    This database is continuously updated by D-Link as new viruses and worms are encountered and defined. You should keep your antivirus database up to date so that the DFL-1000 can protect your network from new viruses. You can configure the DFL-1000 to update the antivirus database manually. See: •...
  • Page 97: Displaying Virus And Worm Lists

    To display the worm list, go to Anti-Virus > Config > Worm List . • Scroll through the worm list to view the names of all of the worms in the list. * Note: Antivirus definitions and NIDS updates have been removed in firmware versions starting from v.236.
  • Page 98: Web Content Filtering

    Block web pages that contain unwanted content by enabling content blocking and then creating a list of banned words and phrases. The DFL-1000 blocks access to all web content that contains any of the banned words or phrases received at any interface. When the DFL-1000 blocks a web page, the user who requested the blocked page receives a block message and the DFL-1000 writes a message to the Event log.
  • Page 99: Temporarily Disabling The Banned Word List

    • Type a banned word or phrase. If you type a single word (for example, banned ), the DFL-1000 blocks all web pages that contain that word. If you type a phrase (for example, banned phrase ), the DFL-1000 blocks web pages that contain both of the words.
  • Page 100: Clearing The Banned Word List

    When the DFL-1000 blocks a web page, the user who requested the blocked page receives a block message and the DFL-1000 writes a message to the Event log.
  • Page 101: Enabling The Url Block List

    Select Enable URL Block to turn on URL blocking. The DFL-1000 now blocks web pages added to the URL block list. Changing the URL block message To customize the message that users receive when the DFL-1000 blocks web pages. • Go to Web Filter > URL Block .
  • Page 102: Temporarily Disabling The Url Block List

    Uploading a URL block list You can create a URL block list in a text editor and then upload the text file to the DFL-1000. Add one URL to each line of the text file. You can follow the URL with a space and then a 1 to enable or a zero (0) to disable the URL.
  • Page 103: Remove Scripts From Web Pages

    URLs to add to the blacklists. You can upload the squidGuard blacklists to the DFL-1000, as a text file, with only minimal editing to remove comments at the top of each list, and to combine the lists that you want into a single file.
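    An added example (not from the manual, D-Link or squidGuard) that performs the conversion described above: it strips comment lines, lowercases and de-duplicates entries from several squidGuard files, and emits the one-URL-per-line upload format with the trailing 1/0 enable flag. It also reads that format back and applies a matching rule that is an assumption of the example, not the DFL-1000's documented behaviour. The sample lists are constructed.

```python
from urllib.parse import urlsplit

# Constructed squidGuard-style lists: comment headers, mixed case, a trailing slash, a duplicate.
ADULT_DOMAINS = """\
# squidGuard blacklist: adult/domains
# generated for the example, not a real list
example-bad.test
evil.example
"""
ADULT_URLS = """\
# squidGuard blacklist: adult/urls
example.org/ads/
EVIL.example
"""


def convert_squidguard(lists, enabled: bool = True) -> str:
    """Merge squidGuard domain/url files into the DFL-1000 upload format: "<url> 1" or "<url> 0" per line."""
    merged = {}
    for text in lists:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):      # drop blank lines and comments wherever they appear
                continue
            merged.setdefault(line.lower().rstrip("/"), enabled)   # normalise and de-duplicate
    return "".join(f"{url} {int(on)}\n" for url, on in sorted(merged.items()))


def parse_block_list(text: str) -> dict:
    """Read the upload format back; a missing flag means enabled, anything other than 0/1 is rejected."""
    entries = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        flag = parts[1] if len(parts) > 1 else "1"
        if flag not in ("0", "1"):
            raise ValueError(f"bad enable flag in line {raw!r}")
        entries[parts[0].lower()] = flag == "1"
    return entries


def is_blocked(request_url: str, entries: dict) -> bool:
    """Assumed matching rule (not the DFL-1000's documented behaviour): an enabled entry matches
    when the request host equals the entry host or is a subdomain of it, and the request path
    starts with the entry path. Disabled (0) entries never match."""
    parts = urlsplit(request_url if "://" in request_url else "http://" + request_url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    for entry, on in entries.items():
        if not on:
            continue
        e_host, _, e_path = entry.partition("/")
        if (host == e_host or host.endswith("." + e_host)) and (not e_path or path.startswith("/" + e_path)):
            return True
    return False


if __name__ == "__main__":
    upload = convert_squidguard([ADULT_DOMAINS, ADULT_URLS])
    print(upload, end="")
    entries = parse_block_list(upload + "paused.example 0\n")
    for url in ("http://www.evil.example/index.html", "example.org/ads/banner.gif",
                "http://example.org/news", "http://paused.example/"):
        print(url, "->", "blocked" if is_blocked(url, entries) else "allowed")
```

Writing the merged output to a file and uploading it is the only step left; keeping the generated file under version control makes later diffs against new squidGuard releases straightforward.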
  • Page 104 Example script filter settings to block Java Applets and ActiveX
  • Page 105: Logging And Reporting

    • Selecting what to log Recording logs on a remote computer Use the following procedure to configure the DFL-1000 to record logs onto a remote computer. The remote computer must be configured with a syslog server. • Go to Log&Report > Log setting .
  • Page 106: Recording Logs On The Dfl-1000 Hard Disk

    Recording logs on the DFL-1000 hard disk You can record log files on the DFL-1000 hard disk if one is installed on your system. If you do not have a hard disk installed, see Recording logs on a remote computer or Recording logs on a WebTrends server.
  • Page 107: Selecting What To Log

    Select Apply to save your log settings. Log message formats The DFL-1000 Traffic logs, Event logs, and Attack logs all have their own message format. All of these message formats are compatible with the WebTrends Enhanced Log Format (WELF). Use the information in the following sections to interpret DFL-1000 log messages: •...
  • Page 108 NIDS messages NIDS log messages record when the NIDS system detects an attack. NIDS messages have the following format: <date> <time> src=<source IP> dst=<destination IP> msg="type=<Firewall event type> attack=<description of intrusion detected>" Example NIDS messages:
  • Page 109: Attack Log Message Format

    2002 Jun 19 15:35:09 msg="Sync Attack: TCP, src=1.1.1.1 dst=2.2.2.2" Viewing and maintaining logs If your DFL-1000 contains a hard disk for recording logs, you can use the web-based manager to view, search, and maintain traffic, event, and attack logs. This section describes: •...
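    An added example (not the manual's own code) that parses both message formats above: the attack log line is the manual's, while the NIDS lines are constructed to follow the documented template, with invented attack names and addresses. It extracts the timestamp and the WELF key=value pairs, recovers src/dst whether they appear as top-level keys or inside msg, and ranks sources by record count, which is the first thing to check when a syslog server starts receiving these lines.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the first line is the manual's attack log example; the NIDS lines follow the
# template <date> <time> src=<ip> dst=<ip> msg="type=<event type> attack=<description>" with
# invented attack names and addresses, and the last line is deliberate noise.
SAMPLE_LOG = """\
2002 Jun 19 15:35:09 msg="Sync Attack: TCP, src=1.1.1.1 dst=2.2.2.2"
2002 Jun 19 15:35:11 src=1.1.1.1 dst=2.2.2.2 msg="type=nids attack=Port Scan"
2002 Jun 19 15:35:12 src=1.1.1.1 dst=2.2.2.3 msg="type=nids attack=Port Scan"
2002 Jun 19 15:36:40 src=10.0.0.7 dst=2.2.2.2 msg="type=nids attack=Ping of Death"
this line is not a DFL-1000 log message
"""

TS_RE = re.compile(r"^(\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2})\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # WELF key=value, value optionally quoted
IP_RE = re.compile(r"\b(src|dst)=(\d{1,3}(?:\.\d{1,3}){3})")


def parse_welf(line: str):
    """Parse one DFL-1000 WELF-style line into a dict, or return None for non-matching input."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    rec = {"time": datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S")}
    for key, val in KV_RE.findall(m.group(2)):
        rec[key] = val[1:-1].replace('\\"', '"') if val.startswith('"') else val
    msg = rec.get("msg", "")
    if msg.startswith("type="):
        # NIDS message: msg is itself "type=<event type> attack=<description>"; the description
        # may contain spaces, so split on the literal " attack=" marker rather than on whitespace.
        head, _, attack = msg.partition(" attack=")
        rec["type"], rec["attack"] = head[len("type="):], attack
    elif msg:
        # Attack log message: "<attack name>: <proto>, src=<ip> dst=<ip>" carries the
        # addresses inside msg rather than as top-level keys.
        rec["attack"] = msg.split(":", 1)[0]
        for key, ip in IP_RE.findall(msg):
            rec.setdefault(key, ip)
    return rec


def parse_log(text: str) -> list:
    """Parse a whole log, silently skipping lines that are not DFL-1000 messages."""
    return [rec for rec in map(parse_welf, text.splitlines()) if rec]


def top_sources(records, n: int = 3):
    """Sources ranked by number of attack/NIDS records."""
    return Counter(r["src"] for r in records if "src" in r).most_common(n)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["time"], r.get("src"), "->", r.get("dst"), r.get("attack"))
    print(top_sources(recs))
```

Note that src and dst in the attack log format live inside the quoted msg value, so a naive key=value split that stops at the first quote loses them; the parser above reads the quoted value first and then searches it for the addresses.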
  • Page 110: Searching Logs

    • Select one or more of the following search criteria: Keyword To search for any text in a log message. Keyword searching is case-sensitive. Source To search for any source IP address (Traffic and Attack logs only).
  • Page 111: Downloading A Log File To The Management Computer

    For each log, the list shows the date and time at which an entry was last added to the log, the size of the log file, and its name. • To delete a saved log file, select Delete • Select OK to delete the log file.
  • Page 112: Administration

    To connect to the web-based manager: • Make sure the computer from which you are going to connect to the web-based manager is correctly configured on the same network as the DFL-1000 interface to which you are going to connect.
  • Page 113: System Status

    • If the DFL-1000 is running in NAT mode, connect to an interface that is configured for HTTPS management • If the DFL-1000 is running in Transparent Mode, connect to the management interface • Start Internet Explorer and browse to the address https://address where address is the IP address of the interface to which you are connecting.
  • Page 114: Upgrading The Dfl-1000 Firmware

    Use the following procedure to upgrade the DFL-1000 firmware using the CLI. To run this procedure you must install a TFTP server and be able to connect to this server from the DFL-1000 internal interface. The TFTP server should be on the same subnet as the internal interface. TFTP has no authentication or integrity protection, so run the server only for the duration of the upgrade, only on the internal segment, and stop it when the upgrade is complete. You can download a free TFTP server from: http://site.ifrance.com/freewares/P_tftpd32.htm.
  • Page 115 Make sure the internal interface of the DFL-1000 is connected to your internal network. • To confirm that you can connect to the TFTP server from the DFL-1000, start the DFL-1000 CLI and use the following command to ping the computer running the TFTP server. If the TFTP server's IP address is 192.168.1.168:...
  • Page 116: Manual Antivirus Database Updates

    You only have 3 seconds to press any key. If you do not press any key soon enough the DFL-1000 reboots and you must log in and repeat the execute reboot command. • Type the address of the TFTP server and press Enter.
  • Page 117: Displaying The Dfl-1000 Serial Number

    Use the following procedure to restore system settings to the values set at the factory. This procedure does not change the DFL-1000 firmware version or the Antivirus database. This procedure deletes all of the changes that you have made to the DFL-1000 configuration and reverts the system to its original configuration including resetting interface addresses.
  • Page 118: Restarting The Dfl-1000

    System status monitor You can use the system status monitor to view system activity including the number of active connections to the DFL-1000 and information about the connections. The connections list is divided into Route traffic connections and NAT traffic connections.
  • Page 119: Network Configuration

    The destination port of the connection. Expire The time, in seconds, before the connection expires. Network configuration Go to System > Network to make any of the following changes to the DFL-1000 network settings: • Configuring the internal interface •...
  • Page 120: Configuring The External Interface

    • Go to System > Network > Interface. • For the external interface, select Modify • Set Addressing Mode to Manual. • Change the IP address and Netmask as required. • Select OK to save your changes.
  • Page 121 Configuring the external interface for DHCP Use the following procedure to configure the DFL-1000 external interface to use DHCP. This configuration is required if your ISP uses DHCP to assign the IP address of the DFL-1000 external interface. To configure the external interface to use DHCP: •...
  • Page 122 (MTU) of the packets that the DFL-1000 transmits from its external interface. Ideally, you want this MTU to be the same as the smallest MTU of all the networks between the DFL-1000 and the Internet. If the packets the DFL-1000 sends are larger, they get broken up or fragmented, which slows down transmission speeds.
  • Page 123: Configuring The Dmz Interface

    Change the IP and Netmask as required. This must be a valid address for the network from which you will manage the DFL-1000. • Add a default gateway IP address if the DFL-1000 must connect to a default gateway to reach the management computer. •...
  • Page 124: Enabling Rip Server Support

    Select External Interface to enable RIP server support from the external interface. Providing DHCP services to your internal network If it is operating in NAT mode, you can configure the DFL-1000 to be the DHCP server for your internal network: •...
  • Page 125: System Configuration

    Configure the IP network settings of the computers on your network to use DHCP. Use the address of the DFL-1000 internal interface as the DHCP server address. Sample DHCP settings System configuration Go to System > Config to make any of the following changes to the DFL-1000 system configuration: • Setting system date and time •...
  • Page 126: Changing Web-Based Manager Options

    • Select your Time Zone from the list. • Optionally select Set Time and set the DFL-1000 date and time to the correct date and time. • To configure the DFL-1000 to use NTP, select Synchronize with NTP server. By default, the DFL-1000 is configured to connect to an NTP server at IP address 192.5.5.250, which is the IP address of an NTP server maintained by the Internet Software Consortium at Palo Alto, CA, USA.
  • Page 127: Adding And Editing Administrator Accounts

    The options that you have selected take effect. Adding and editing administrator accounts When the DFL-1000 is initially installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You can also control the access level of each of these administrator accounts and, optionally, control the IP address from which the administrator can connect to the DFL-1000.
  • Page 128: Configuring Snmp

    To delete an administrator account, choose the account to delete and select Delete Configuring SNMP Configure SNMP for the DFL-1000 so that the SNMP agent running on the DFL-1000 can report system information and send traps. The DFL-1000 agent supports SNMP v1 and v2c. Both versions authenticate only with a cleartext community string, so change the default community string and expose the agent only towards your management network. System information can be monitored by any SNMP manager configured to get system information from your DFL-1000.
  • Page 129 DFL-1000 traps The DFL-1000 agent can send traps to up to 3 SNMP trap receivers on your network that are configured to receive traps from the DFL-1000. The DFL-1000 agent sends traps in response to the events listed in SNMP traps.
  • Page 130: Alert Email

    • Select Apply. Sample SNMP configuration Alert email You can configure the DFL-1000 to send email alerts to up to three email addresses when the NIDS detects an attack. Configuring alert email • Go to System >Config > Alert Mail .
  • Page 131 Make sure that the DNS server settings are correct for the DFL-1000. See Setting DNS server addresses. Because the DFL-1000 uses the SMTP server name to connect to the mail server, it must be able to look up this name on your DNS server. Example alert email settings Testing email alerts You can test your email alert settings by sending a test email.
  • Page 132: Glossary

    (private) network. Typically, the DMZ contains servers accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (e-mail) servers and DNS servers. DMZ interface : The DFL-1000 interface that is connected to your servers that are separate from your internal network and accessible from the Internet.
  • Page 133 SSH provides strong secure authentication and secure communications over insecure channels. Subnet : A portion of a network that shares a common address component. On TCP/IP networks, subnets are defined as all devices whose IP addresses have the same prefix. For example, all devices
  • Page 134 Worm : A program or algorithm that replicates itself over a computer network, usually through email, and performs malicious actions, such as using up the computer's resources and possibly shutting the system down.
  • Page 135: Troubleshooting Faqs

    Change the administrator password. See Adding and editing administrator accounts. Q: I have the DFL-1000 configured the way I want it. Is there some way to save the configuration before making any more changes? Backing up system settings Restoring system settings.
  • Page 136: Schedules

    When antivirus protection for HTTP or any of the email protocols is set to block, potentially dangerous file types are blocked. Under normal conditions, antivirus protection can safely be set to scan. Block should only be used in extreme circumstances when a new virus has been found.
  • Page 137: Web Content Filtering

    Q: How can I record DFL-1000 logs on a remote computer, such as a management computer? You can send DFL-1000 logs to a WebTrends server or a syslog server. To do this, configure one of these servers and go to Log&Report > Log Setting . Select Log to remote host and enter the IP address of the computer running the syslog server.
  • Page 138: Technical Support

    Le Florilege #2, Allee de la Fresnerie, 78330 Fontenay le Fleury France TEL: 33-1-302-38688 FAX: 33-1-3023-8689 E-MAIL: info@dlink-france.fr URL: www.dlink-france.fr GERMANY D-LINK Central Europe/D-Link Deutschland GmbH Schwalbacher Strasse 74, D-65760 Eschborn, Germany TEL: 49-6196-77990 FAX: 49-6196-7799300 INFO LINE: 00800-7250-0000 (toll free) HELP LINE: 00800-7250-4000 (toll free)
  • Page 141: Limited Warranty

    Spare parts and spare kits Ninety (90) days. D-Link’s sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. Such repair or replacement will be rendered by D-Link at an Authorized D-Link Service Office. The replacement Hardware need not be new or of an identical make, model or part;...
  • Page 142 D-Link Systems Inc., 53 Discovery Drive, Irvine CA 92618. D-Link may reject or return any product that is not packaged and shipped in strict compliance with the foregoing requirements, or for which an RMA number is not visible from the outside of the package. The product owner agrees to pay D-Link’s reasonable handling and return shipping charges for any product...
  • Page 143 Trademarks Copyright® 2001 D-Link Corporation. Contents subject to change without prior notice. D-Link is a registered trademark of D-Link Corporation/D-Link Systems, Inc. All other trademarks belong to their respective proprietors.
  • Page 144: Registration

    Registration Register the D-Link DFL-500 Office Firewall online at http://www.dlink.com/sales/reg
