D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE...
Table of Contents
Preface ..... 12
1. Product Overview ..... 14
1.1. About D-Link NetDefendOS ..... 14
1.2. NetDefendOS Architecture ..... 16
1.2.1. State-based Architecture ..... 16
1.2.2. NetDefendOS Building Blocks ..... 16
1.2.3. Basic Packet Flow ..... 17
1.3. NetDefendOS State Engine Packet Flow ..... 19
2. Management and Maintenance ..... 23
2.1. ...
User Manual
3.4.3. ARP Cache ..... 68
3.4.4. Static and Published ARP Entries ..... 69
3.4.5. Advanced ARP Settings ..... 71
3.5. The IP Rule Set ..... 73
3.5.1. Security Policies ..... 73
3.5.2. IP Rule Evaluation ..... 74
3.5.3. IP Rule Actions ..... 75
3.5.4. Editing IP rule set Entries ..... 76
3.6. ...
6.4.2. Implementation ..... 183
6.4.3. Activating Anti-Virus Scanning ..... 184
6.4.4. The Signature Database ..... 184
6.4.5. Subscribing to the D-Link Anti-Virus Service ..... 184
6.4.6. Anti-Virus Options ..... 184
6.5. Intrusion Detection and Prevention ..... 188
6.5.1. Overview ..... 188
6.5.2. ...
13.19. Miscellaneous Settings ..... 336
A. Subscribing to Security Updates ..... 338
B. IDP Signature Groups ..... 340
C. Checked MIME filetypes ..... 344
D. The OSI Framework ..... 348
E. D-Link worldwide offices ..... 349
Alphabetical Index ..... 351
List of Figures
1.1. Packet Flow Schematic Part I ..... 19
1.2. Packet Flow Schematic Part II ..... 20
1.3. Packet Flow Schematic Part III ..... 20
3.1. An Example GRE Scenario ..... 64
4.1. A Route Failover Scenario for ISP Access ..... 94
4.2. Virtual Links Example 1 ..... 106
4.3. ...
3.24. Manually Triggering a Time Synchronization ..... 84
3.25. Modifying the Maximum Adjustment Value ..... 85
3.26. Forcing Time Synchronization ..... 85
3.27. Enabling the D-Link NTP Server ..... 86
3.28. Configuring DNS Servers ..... 87
4.1. Displaying the Routing Table ..... 92
4.2. Displaying the Core Routes ..... 93
4.3. ...
6.7. Using Private IP Addresses ..... 161
6.8. H.323 with Gatekeeper ..... 162
6.9. H.323 with Gatekeeper and two D-Link Firewalls ..... 164
6.10. Using the H.323 ALG in a Corporate Environment ..... 165
6.11. Configuring remote offices for H.323 ..... 167
6.12. ...
The target audience for this reference guide is Administrators who are responsible for configuring and managing D-Link Firewalls which are running the NetDefendOS operating system. This guide assumes that the reader has some basic knowledge of networks and network security.
Highlighted Content
Special sections of text which the reader should pay special attention to are indicated by icons on the left hand side of the page followed by a short paragraph in italicized text. Such sections are of the following types with the following purposes:
Note
This indicates some piece of information that is an addition to the preceding text.
• NetDefendOS Architecture, page 16
• NetDefendOS State Engine Packet Flow, page 19
1.1. About D-Link NetDefendOS
D-Link NetDefendOS is the firmware, the software engine that drives and controls all D-Link Firewall products. Designed as a network security operating system, NetDefendOS features high throughput performance with high reliability plus super-granular control.
SNMP. For more information, please see Chapter 2, Management and Maintenance. ZoneDefense NetDefendOS can be used to control D-Link switches using the ZoneDefense feature. Reading through this documentation carefully will ensure that you get the most out of your NetDefendOS product.
1.2. NetDefendOS Architecture
1.2.1. State-based Architecture
The NetDefendOS architecture is centered around the concept of state-based connections. Traditional IP routers or switches commonly inspect all packets and then perform forwarding decisions based on information found in the packet headers. With this approach, packets are forwarded without any sense of context, which eliminates any possibility of detecting and analyzing complex protocols and enforcing corresponding security policies.
1.2.3. Basic Packet Flow
This section outlines the basic flow in the state-engine for packets received and forwarded by NetDefendOS. Please note that this description is simplified and might not be fully applicable in all scenarios.
and the event is logged according to the log settings for the rule. If the action is Allow, the packet is allowed through the system. A corresponding state will be added to the connection table for matching subsequent packets belonging to the same connection.
1.3. NetDefendOS State Engine Packet Flow
The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next.
Figure 1.1. Packet Flow Schematic Part I
Figure 1.2. Packet Flow Schematic Part II
The packet flow is continued on the following page.
Figure 1.3. Packet Flow Schematic Part III ...
Serial Console CLI Access
The serial console port is an RS-232 port on the D-Link Firewall that allows access to the CLI through a serial connection to a PC or terminal. To locate the serial console port on your D-Link system, see the D-Link Quickstart Guide.
For security reasons, it can be advisable to disable or anonymize the CLI welcome message. Changing the CLI Prompt The default CLI prompt is Device:/> where Device is the model number of the D-Link Firewall. This can be customized, for example, to gw-world:/>, by using the CLI command:...
To access the web interface, launch a standard web browser and point the browser at the IP address of the firewall. The factory default address for all D-Link Firewalls is 192.168.1.1. When performing this initial connection to NetDefendOS, the administrator MUST use https:// as the URL protocol in the browser (for example: https://192.168.1.1).
Enter your username and password and click the Login button. If the user credentials are correct, you will be transferred to the main web interface page. This page, with its essential parts highlighted, is shown below.
• Home - Navigates to the first page of the web interface.
• Configuration
  • Save and Activate - Saves and activates the configuration.
  • Discard Changes - Discards any changes made to the configuration during the current session.
• User Database: AdminUsers
• Interface: any
• Network: all-nets
Click OK
Caution
The above example is provided for informational purposes only. It is never recommended to expose any management interface to any user on the Internet.
Logging out from the Web Interface
When you have finished working in the web interface, you should always log out to prevent other users with access to your workstation from gaining unauthorized access to the system.
gw-world:/> show Service
A list of all services will be displayed, grouped by their respective type.
Web Interface
Go to Objects > Services
A web page listing all services will be presented. A list contains the following basic elements:
• ...
Example 2.5. Editing a Configuration Object
When you need to modify the behavior of NetDefendOS, you will most likely need to modify one or several configuration objects. This example shows how to edit the Comments property of the telnet service.
gw-world:/>...
Go to Objects > Address Book
Click on the Add button
In the dropdown menu displayed, select IP4 Address
In the Name text box, enter myhost
Enter 192.168.10.10 in the IP Address textbox
Click OK
Verify that the new IP4 address object has been added to the list
Example 2.7.
gw-world:/> show -changes
Type          Object
------------- ------
+ IP4Address    myhost
* ServiceTCPUDP telnet
A "+" character in front of the row indicates that the object has been added. A "*" character indicates that the object has been modified.
Note
The configuration must be committed before changes are saved. All changes to a configuration can be ignored simply by not committing a changed configuration.
2.2. Events and Logging
2.2.1. Overview
The ability to log and analyze system activities is an essential feature of NetDefendOS. Logging enables not only monitoring of system status and health, but also allows auditing of network usage and assists in trouble-shooting.
Memlog
A D-Link Firewall has a built-in logging mechanism known as the Memory Log. This retains all event log messages in memory and allows direct viewing of log messages through the web interface.
The file DFLNNN-TRAP.MIB (where NNN indicates the model number of the firewall) is provided by D-Link and defines the SNMP objects and datatypes that are used to describe an SNMP Trap received from NetDefendOS.
gw-world:/> add LogReceiver EventReceiverSNMP2c my_snmp IPAddress=126.96.36.199
Web Interface
Go to Log & Event Receivers > Add > EventReceiverSNMP2c
Specify a name for the event receiver, e.g. my_snmp
Enter 188.8.131.52 as the IP Address
Enter an SNMP Community String (if needed by the trap receiver)
Click OK
The system will now be sending SNMP traps for all events with a severity greater than or equal to Alert to an...
RADIUS sessions. All statistics are updated for an authenticated user whenever a connection related to an authenticated user is closed. When a new client session is started by a user establishing a new connection through the D-Link Firewall, NetDefendOS sends an AccountingRequest START message to a nominated RADIUS server, to record the start of the new session.
Delay Time - See the above comment about this parameter. • Timestamp - The number of seconds since 1970-01-01. Used to set a timestamp when this packet was sent from the D-Link Firewall. In addition to this, two more attributes are possibly sent: •...
2.3.6. RADIUS Accounting and High Availability In an HA cluster, accounting information is synched between the active and passive D-Link Firewalls. This means that accounting information is automatically updated on both cluster members whenever a connection is closed. Two special accounting events are also used by the active unit to...
This situation should be avoided. In the case that the D-Link Firewall administrator issues a shutdown command while authenticated users are still online, the AccountingRequest STOP packet will potentially never be sent. To avoid this, NetDefendOS has the advanced setting LogOutAccUsersAtShutdown.
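The AccountingRequest START and STOP messages described in this section are RFC 2866 RADIUS Accounting-Request packets. The following is an added example, not code from the manual or from NetDefendOS: it builds such a packet with the Acct-Status-Type, Acct-Delay-Time and Event-Timestamp attributes mentioned above, and shows the check a RADIUS server (or a monitoring tool reading accounting traffic) performs on receipt, recomputing the Request Authenticator with the shared secret so that a packet with the wrong secret or a modified attribute is rejected. The shared secret, user name and session values are constructed placeholders.

```python
# Added example (not from the NetDefendOS manual): RFC 2866 Accounting-Request
# construction and Request Authenticator verification. All values are constructed.
import hashlib
import struct
import time
from typing import Optional

ACCOUNTING_REQUEST = 4        # RADIUS Code for Accounting-Request (RFC 2866)
USER_NAME = 1                 # attribute types used below
ACCT_STATUS_TYPE = 40         # value 1 = Start, 2 = Stop
ACCT_DELAY_TIME = 41          # seconds the packet has been waiting to be sent
ACCT_SESSION_ID = 44
EVENT_TIMESTAMP = 55          # seconds since 1970-01-01 (RFC 2869)
STATUS_START, STATUS_STOP = 1, 2


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_accounting_request(ident: int, secret: bytes, user: str, session_id: str,
                             status: int, delay: int = 0,
                             timestamp: Optional[int] = None) -> bytes:
    """Build an Accounting-Request whose Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero bytes + Attributes + Secret)."""
    ts = int(time.time()) if timestamp is None else timestamp
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(ACCT_SESSION_ID, session_id.encode())
             + _attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + _attr(ACCT_DELAY_TIME, struct.pack("!I", delay))
             + _attr(EVENT_TIMESTAMP, struct.pack("!I", ts)))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: recompute the Request Authenticator with the shared
    secret. A mismatch means a wrong secret or a forged/tampered packet, and
    RFC 2866 says such a request must be silently discarded."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    (length,) = struct.unpack("!H", header[2:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return auth == expected


def parse_attributes(packet: bytes) -> dict:
    """Decode the TLV attributes into {type: raw value bytes}."""
    out, i, data = {}, 0, packet[20:]
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            break                         # malformed attribute: stop parsing
        out[atype] = data[i + 2:i + alen]
        i += alen
    return out


if __name__ == "__main__":
    secret = b"constructed-shared-secret"    # placeholder, not a real secret
    start = build_accounting_request(1, secret, "alice", "0001", STATUS_START,
                                     timestamp=1172578912)
    stop = build_accounting_request(2, secret, "alice", "0001", STATUS_STOP,
                                    delay=5, timestamp=1172579012)
    print(verify_accounting_request(start, secret),
          verify_accounting_request(stop, b"wrong-secret"))
```

The Acct-Delay-Time attribute is what makes the accounting record usable after a retransmission: the server subtracts it from its own receive time to recover when the event actually happened, which is why the manual's Timestamp and Delay Time parameters are both sent.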
2.4. Monitoring
2.4.1. SNMP Monitoring
Overview
Simple Network Management Protocol (SNMP) is a standardized protocol for management of network devices. An SNMP compliant client can connect to a network device which supports the SNMP protocol to query and control it.
SNMP access. Port 161 is usually used for SNMP and NetDefendOS always expects SNMP traffic on that port.
Remote Access Encryption
It should be noted that SNMP Version 1 or 2c access means that the community string will be sent as plain text over a network.
A restore to factory defaults can be applied so that it is possible to return to the original hardware state that existed when the D-Link Firewall was shipped by D-Link. When a restore is applied all data such as the IDP and Anti-Virus databases are lost and must be reloaded.
Select Restore the entire unit to factory defaults then confirm and wait for the restore to complete. Reset alternative for the DFL-210/260/800/860 only To reset the DFL-210/260/800/860 you must hold down the reset button at the rear panel for 10-15 seconds while powering on the unit. After that, release the reset button and the DFL-210/800 will continue to load and startup in default mode, that is to say with 192.168.1.1 on the LAN interface.
Chapter 3. Fundamentals
This chapter describes the fundamental logical objects upon which NetDefendOS is built. These objects include such things as addresses, services and schedules. In addition, the chapter explains how the various supported interfaces work, it outlines how security policies are constructed and how basic system settings are configured.
For example: 192.168.0.0/24
IP Range
A range of IP addresses is represented in the form a.b.c.d - e.f.g.h. Please note that ranges are not limited to netmask boundaries; they may include any span of IP addresses.
Web Interface
Go to Objects > Address Book > Add > IP address
Specify a suitable name for the IP Range, for instance wwwservers.
Enter 192.168.10.16-192.168.10.21 as the IP Address
Click OK
Example 3.4. Deleting an Address Object
To delete an object named wwwsrv1 in the Address Book, do the following:
gw-world:/>...
3.1.4. Address Groups
Address objects can be grouped in order to simplify configuration. Consider a number of public servers that should be accessible from the Internet. The servers have IP addresses that are not in a sequence, and can therefore not be referenced to as a single IP range.
IP rule set can use a Service object as a filter to decide whether or not to allow certain traffic through the D-Link Firewall. For more information on how service objects are used with IP rules, see Section 3.5, “The IP Rule Set”.
To define a TCP or UDP service in the D-Link Firewall, a TCP/UDP Service object is used. This type of object contains, apart from a unique name describing the service, also information on what protocol (TCP, UDP or both) and what source and destination ports are applicable for the service.
For a Service involving, for instance an HTTP ALG, the default value can often be too low if there are large numbers of clients connecting through the D-Link Firewall. It is therefore recommended to consider if a higher value is required for a particular scenario.
When setting up rules that filter by services it is possible to use the service grouping all_services to refer to all protocols. If just referring to the main protocols of TCP, UDP and ICMP then the service group all_tcpudpicmp can be used.
number. Some of the common IP protocols, such as IGMP, are already pre-defined in the NetDefendOS system configuration. Similar to the TCP/UDP port ranges described previously, a range of IP protocol numbers can be used to specify multiple applications for one service.
3.3. Interfaces
3.3.1. Overview
An Interface is one of the most important logical building blocks in NetDefendOS. All network traffic that passes through or gets terminated in the system is done so through one or several interfaces.
NetDefendOS itself that will deal with the traffic. Examples of the use of core would be when the D-Link Firewall acts as a PPTP or L2TP server or is to respond to ICMP "Ping" requests. By specifying the Destination Interface of a route as core, NetDefendOS will then know that it is itself that is the ultimate destination of the traffic.
N represents the number of the interface if your D-Link Firewall has more than one of these interfaces. In most of the examples in this guide lan is used for LAN traffic and wan is used for WAN traffic.
gw-world:/> set Interface Ethernet wan DHCPEnabled=Yes
Web Interface
Go to Interfaces > Ethernet
In the grid, click on the ethernet object of interest
Enable the Enable DHCP client option
Click OK
3.3.3. VLAN
Overview
Virtual LANs (VLANs) are useful in several different scenarios, for instance, when filtering of traffic is needed between different VLANs in an organization, or for any other reason where the administrator would like to expand the number of interfaces.
Assign a VLAN ID that is unique on the physical interface.
Optionally specify an IP address for the VLAN.
Optionally specify an IP broadcast address for the VLAN.
Create the required route(s) for the VLAN in the appropriate routing table.
Create rules in the IP rule set to allow traffic through on the VLAN interface.
Control Protocols (NCPs) can be used to transport traffic for a particular protocol suite, so that multiple protocols can interoperate on the same link, for example, both IP and IPX traffic can share a PPP link. Authentication is an option with PPP.
• Service Name: Service name provided by the service provider
• Username: Username provided by the service provider
• Password: Password provided by the service provider
• Confirm Password: Retype the password
• Under Authentication specify which authentication protocol to use (the default settings will be used if not specified)
• ...
An Example GRE Scenario The diagram below illustrates a typical GRE scenario, where two D-Link Firewalls A and B must communicate with each other through the intervening internal network 172.16.0.0/16. Any traffic passing between A and B is tunneled through the intervening network using a GRE tunnel and since the network is internal and not public there is no need for encryption.
Setup for D-Link Firewall "A"
Assuming that the network 192.168.10.0/24 is lannet on the lan interface, the steps for setting up NetDefendOS on A are:
In the address book set up the following IP objects:
• ...
In the address book set up the following IP objects:
• remote_net_A: 192.168.10.0/24
• remote_gw: 172.16.0.1
• ip_GRE: 192.168.0.2
Create a GRE Tunnel object called GRE_to_A with the following parameters:
• IP Address: ip_GRE
• ...
Click OK
3.4. ARP
3.4.1. Overview
Address Resolution Protocol (ARP) is a protocol which maps a network layer protocol address to a data link layer hardware address; it is used to resolve an IP address into its corresponding Ethernet address.
The default expiration time for dynamic ARP entries is 900 seconds (15 minutes). This can be changed by modifying the Advanced Setting ARPExpire. The setting ARPExpireUnknown specifies how long NetDefendOS is to remember addresses that cannot be reached. This is done to ensure that NetDefendOS does not continuously request such addresses.
3.4.4. Static and Published ARP Entries
NetDefendOS supports defining static ARP entries (static binding of IP addresses to Ethernet addresses) as well as publishing IP addresses with a specific Ethernet address.
Static ARP Entries
Static ARP items may help in situations where a device is reporting an incorrect Ethernet address in response to ARP requests.
There are two publishing modes; Publish and XPublish. The difference between the two is that XPublish "lies" about the sender Ethernet address in the Ethernet header; this is set to be the same as the published Ethernet address rather than the actual Ethernet address of the Ethernet interface.
situations are to be logged.
Sender IP 0.0.0.0
NetDefendOS can be configured on what to do with ARP queries that have a sender IP of 0.0.0.0. Such sender IPs are never valid in responses, but network units that have not yet learned of their IP address sometimes ask ARP questions with an "unspecified"...
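The ARP behaviour discussed in Sections 3.4.3 to 3.4.5 (dynamic entries that expire after ARPExpire seconds, static bindings, a sender Ethernet address in the ARP payload that differs from the one in the Ethernet header, and queries with sender IP 0.0.0.0) can be exercised with a small ARP cache model. The code below is an added example and not NetDefendOS code: it parses an Ethernet/ARP frame, applies those checks and records what an administrator would want logged. The MAC addresses, IP addresses and frames are constructed for the example, and the verdict strings are this example's own names, not NetDefendOS setting values.

```python
# Added example (not from the NetDefendOS manual): an ARP cache applying the
# expiry, static-entry, sender-mismatch and sender-IP-0.0.0.0 checks to frames.
# All addresses and frames below are constructed.
import struct
from dataclasses import dataclass

ARP_EXPIRE = 900          # default dynamic-entry lifetime in seconds (the manual's ARPExpire)
ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2


@dataclass
class ArpFrame:
    eth_src: bytes
    eth_dst: bytes
    op: int
    sender_mac: bytes
    sender_ip: str
    target_mac: bytes
    target_ip: str


def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Decode a 42-byte Ethernet II + ARP (IPv4 over Ethernet) frame."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    smac, sip, tmac, tip = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    to_ip = lambda b: ".".join(str(x) for x in b)
    return ArpFrame(eth_src, eth_dst, op, smac, to_ip(sip), tmac, to_ip(tip))


class ArpCache:
    def __init__(self, expire: int = ARP_EXPIRE):
        self.expire = expire
        self.entries = {}    # ip -> (mac, learned_at); learned_at is None for static entries
        self.log = []

    def add_static(self, ip: str, mac: bytes) -> None:
        self.entries[ip] = (mac, None)

    def lookup(self, ip: str, now: float):
        """Return the MAC for ip, dropping a dynamic entry that has expired."""
        hit = self.entries.get(ip)
        if hit is None:
            return None
        mac, learned = hit
        if learned is not None and now - learned >= self.expire:
            del self.entries[ip]
            return None
        return mac

    def process(self, frame: bytes, now: float) -> str:
        """Apply the checks to one frame and return this example's verdict name."""
        arp = parse_arp_frame(frame)
        if arp.sender_ip == "0.0.0.0":
            # Never valid in a reply; in a request it is a host probing for an address.
            self.log.append(f"arp: sender IP 0.0.0.0 from {arp.eth_src.hex(':')}")
            return "unspecified-sender" if arp.op == OP_REQUEST else "invalid-reply"
        if arp.sender_mac != arp.eth_src:
            # Ethernet source and ARP sender hardware address disagree (seen with
            # Publish mode, proxies, or spoofing); log it for the administrator.
            self.log.append(f"arp: eth src {arp.eth_src.hex(':')} != sender "
                            f"{arp.sender_mac.hex(':')} for {arp.sender_ip}")
        current = self.entries.get(arp.sender_ip)
        if current is not None and current[1] is None:        # static binding
            if current[0] != arp.sender_mac:
                self.log.append(f"arp: refused to overwrite static entry for {arp.sender_ip}")
                return "static-conflict"
            return "static-ok"
        self.entries[arp.sender_ip] = (arp.sender_mac, now)    # dynamic learn/refresh
        return "learned"


def make_arp(eth_src: bytes, op: int, smac: bytes, sip: str, tmac: bytes, tip: str) -> bytes:
    """Construct a broadcast ARP frame for testing."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (b"\xff" * 6 + eth_src + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + smac + ip(sip) + tmac + ip(tip))
```

A static entry is never replaced by what a frame claims, which is the protection the manual describes for a device that answers with an incorrect Ethernet address; the mismatch log line is the information that lets the administrator tell a legitimately published address from a spoofed one.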
Drop IP rule with logging enabled is placed as the last rule in the IP rule set.
3.5.2. IP Rule Evaluation
When a new TCP/IP connection is being established through the D-Link Firewall, the list of IP rules is evaluated from top to bottom until a rule that matches the parameters of the new connection is found.
"stateful engine". FwdFast Let the packet pass through the D-Link Firewall without setting up a state for it in the state table. This means that the stateful inspection process is bypassed and is therefore less secure than Allow or NAT rules. Packet processing time is also slower than Allow rules since every packet is checked against the entire rule set.
Using Reject
In certain situations the Reject action is recommended instead of the Drop action because a polite reply is required from NetDefendOS. An example of such a situation is when responding to the IDENT user identification protocol.
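The objects from Sections 3.1 and 3.2 (single addresses, networks, IP ranges that need not align to netmask boundaries, address groups, TCP/UDP services with port ranges) and the top-to-bottom first-match evaluation of Section 3.5 fit together as follows. This is an added example, not NetDefendOS code: a small rule-set evaluator with a logging Drop-all rule last, a Reject rule for IDENT, and a default-deny when nothing matches (an assumption of this model). Object names, interface names and the sample connections are constructed.

```python
# Added example (not from the NetDefendOS manual): address/service objects and
# first-match IP rule evaluation. Names and sample connections are constructed.
import ipaddress
from dataclasses import dataclass


class AddressObject:
    """Accepts 'a.b.c.d', 'a.b.c.d/n' or 'a.b.c.d - e.f.g.h'; 'all-nets' matches all."""
    def __init__(self, spec: str):
        spec = spec.strip()
        if spec == "all-nets":
            self.lo = ipaddress.IPv4Address("0.0.0.0")
            self.hi = ipaddress.IPv4Address("255.255.255.255")
        elif "-" in spec:                          # range, not limited to netmask boundaries
            a, b = (s.strip() for s in spec.split("-", 1))
            self.lo, self.hi = ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)
            if self.lo > self.hi:
                raise ValueError(f"range start after end: {spec}")
        else:                                      # single address or network
            net = ipaddress.IPv4Network(spec, strict=False)
            self.lo, self.hi = net[0], net[-1]

    def __contains__(self, ip: str) -> bool:
        return self.lo <= ipaddress.IPv4Address(ip) <= self.hi


class AddressGroup:
    """Group of address objects, e.g. public servers with non-contiguous addresses."""
    def __init__(self, *members):
        self.members = members

    def __contains__(self, ip: str) -> bool:
        return any(ip in m for m in self.members)


@dataclass
class Service:
    protocols: frozenset          # {"tcp"}, {"udp"} or both
    dst_ports: tuple              # inclusive (low, high)
    src_ports: tuple = (0, 65535)

    def matches(self, conn) -> bool:
        return (conn.proto in self.protocols
                and self.src_ports[0] <= conn.sport <= self.src_ports[1]
                and self.dst_ports[0] <= conn.dport <= self.dst_ports[1])


@dataclass
class Connection:
    proto: str
    src_iface: str
    src_ip: str
    sport: int
    dst_ip: str
    dport: int


@dataclass
class IPRule:
    name: str
    action: str                   # Allow, NAT, FwdFast, Drop or Reject
    service: Service
    src_iface: str                # interface name or "any"
    src_net: object
    dst_net: object
    log: bool = False


def evaluate(rules, conn, log=None):
    """Top-to-bottom evaluation; the first matching rule decides. No match is
    treated as Drop (default-deny assumed for this model)."""
    for rule in rules:
        if (rule.src_iface in ("any", conn.src_iface)
                and conn.src_ip in rule.src_net and conn.dst_ip in rule.dst_net
                and rule.service.matches(conn)):
            if rule.log and log is not None:
                log.append(f"{rule.name}: {rule.action} {conn.proto} "
                           f"{conn.src_ip}:{conn.sport} -> {conn.dst_ip}:{conn.dport}")
            return rule.action, rule.name
    return "Drop", None


ALL_NETS = AddressObject("all-nets")
LANNET = AddressObject("192.168.10.0/24")
WWWSERVERS = AddressObject("192.168.10.16 - 192.168.10.21")
HTTP = Service(frozenset({"tcp"}), (80, 80))
IDENT = Service(frozenset({"tcp"}), (113, 113))
ALL_TCPUDP = Service(frozenset({"tcp", "udp"}), (0, 65535))

RULESET = [
    IPRule("allow_http_in", "Allow", HTTP, "wan", ALL_NETS, WWWSERVERS),
    IPRule("reject_ident", "Reject", IDENT, "wan", ALL_NETS, ALL_NETS),
    IPRule("lan_to_wan", "NAT", ALL_TCPUDP, "lan", LANNET, ALL_NETS),
    IPRule("drop_all", "Drop", ALL_TCPUDP, "any", ALL_NETS, ALL_NETS, log=True),
]
```

Because evaluation stops at the first match, the order of the rules is the policy: moving drop_all above lan_to_wan would silently cut off the LAN, which is why the manual places the logging Drop rule last.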
3.6. Schedules
In some scenarios, it might be useful to control not only what functionality is enabled, but also when that functionality is being used. For instance, the IT policy of an enterprise might stipulate that web traffic from a certain department is only allowed access outside that department during normal office hours.
3.7. X.509 Certificates
NetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. This involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication.
3.7.1. Overview
An X.509 certificate is a digital proof of identity.
VPN tunnels.
3.7.2. X.509 Certificates in NetDefendOS
X.509 certificates can be uploaded to the D-Link Firewall for use in IKE/IPsec authentication, Webauth, etc. There are two types of certificates that can be uploaded: self-signed certificates, and remote certificates belonging to a remote peer or CA server.
Now select one of the following:
• Upload self-signed X.509 Certificate
• Upload a remote certificate
Click OK and follow the instructions.
Example 3.19. Associating X.509 Certificates with IPsec Tunnels
To associate an imported certificate with an IPsec tunnel.
Web Interface
Go to Interfaces > ...
Example 3.21. Setting the Time Zone
To modify the NetDefendOS time zone to be GMT plus 1 hour, follow the steps outlined below:
gw-world:/> set DateTime Timezone=GMTplus1
Web Interface
Go to System > Date and Time
Select (GMT+01:00) in the Timezone drop-down list
Click OK
Daylight Saving Time ...
Time Synchronization Protocols are standardised methods for retrieving time information from external Time Servers. NetDefendOS supports the following time synchronization protocols:
• SNTP - Defined by RFC 2030, The Simple Network Time Protocol (SNTP) is a lightweight implementation of NTP (RFC 1305).
gw-world:/> time -sync
Attempting to synchronize system time...
Server time: 2007-02-27 12:21:52 (UTC+00:00)
Local time: 2007-02-27 12:24:30 (UTC+00:00) (diff: 158)
Local time successfully changed to server time.
Maximum Time Adjustment
To avoid situations where a faulty Time Server causes the clock to be updated with an extremely inaccurate time, a Maximum Adjustment value (in seconds) can be set.
D-Link Time Servers
Using D-Link's own Time Servers is an option in NetDefendOS and this is the recommended way of synchronizing the firewall clock. These servers communicate with NetDefendOS using the SNTP protocol. When the D-Link Server option is chosen, a pre-defined set of recommended default values for the synchronization are used.
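The time -sync output above and the Maximum Adjustment setting can be illustrated end to end: receive an SNTP (RFC 2030) reply, pull the server's Transmit Timestamp out of it, compare with the local clock, and only apply the change when the difference is within the configured limit, so that a faulty or hostile time server cannot push the clock far off (which would, among other things, invalidate certificate validity checks and scramble log timestamps). This is an added example, not NetDefendOS code; the reply bytes are constructed, and the decision logic (a signed difference checked against max_adjust) is this example's own reading of the manual's description.

```python
# Added example (not from the NetDefendOS manual): SNTP reply parsing and a
# Maximum Adjustment check. The reply packet and timestamps are constructed.
import struct
from datetime import datetime, timezone

NTP_UNIX_DELTA = 2208988800   # seconds between 1900-01-01 (NTP epoch) and 1970-01-01
NTP_PACKET_LEN = 48


def ntp_to_unix(raw: int) -> float:
    """Convert a 64-bit NTP timestamp (32.32 fixed point, 1900 epoch) to Unix seconds."""
    seconds, fraction = raw >> 32, raw & 0xFFFFFFFF
    return seconds - NTP_UNIX_DELTA + fraction / 2 ** 32


def parse_sntp_reply(packet: bytes) -> dict:
    """Return leap indicator, version, mode, stratum and the Transmit Timestamp.
    Replies that are not from a server (mode 4), that carry stratum 0
    (kiss-o'-death) or leap indicator 3 (clock unsynchronized) are rejected."""
    if len(packet) < NTP_PACKET_LEN:
        raise ValueError("short SNTP packet")
    li_vn_mode, stratum = packet[0], packet[1]
    li, vn, mode = li_vn_mode >> 6, (li_vn_mode >> 3) & 7, li_vn_mode & 7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if stratum == 0 or li == 3:
        raise ValueError("server not synchronized; ignore reply")
    (xmt,) = struct.unpack("!Q", packet[40:48])       # Transmit Timestamp field
    return {"li": li, "version": vn, "mode": mode, "stratum": stratum,
            "server_time": ntp_to_unix(xmt)}


def build_sntp_reply(server_unix: float, stratum: int = 2, version: int = 4) -> bytes:
    """Construct a minimal mode-4 server reply carrying one Transmit Timestamp."""
    raw = ((int(server_unix) + NTP_UNIX_DELTA) << 32) | int((server_unix % 1) * 2 ** 32)
    head = struct.pack("!BBBB", (0 << 6) | (version << 3) | 4, stratum, 0, 0)
    return head + bytes(36) + struct.pack("!Q", raw)


def synchronize(local_unix: float, server_unix: float, max_adjust: int) -> dict:
    """Report the server/local difference and apply it only if |diff| does not
    exceed max_adjust seconds; otherwise keep the local clock unchanged."""
    diff = round(server_unix - local_unix)
    if abs(diff) > max_adjust:
        return {"applied": False, "diff": diff, "new_time": local_unix}
    return {"applied": True, "diff": diff, "new_time": server_unix}


if __name__ == "__main__":
    # The two times shown in the manual's time -sync output above.
    local = datetime(2007, 2, 27, 12, 24, 30, tzinfo=timezone.utc).timestamp()
    server = datetime(2007, 2, 27, 12, 21, 52, tzinfo=timezone.utc).timestamp()
    info = parse_sntp_reply(build_sntp_reply(server))
    print(synchronize(local, info["server_time"], max_adjust=600))
```

With the manual's own figures the difference is 158 seconds, so a Maximum Adjustment of 600 accepts the server time while a limit of 60 would leave the local clock alone and, in a real deployment, should raise an alert about the time source.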
3.9. DNS Lookup
A DNS server can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. FQDNs are unambiguous textual domain names which specify a node's unique position in the Internet's DNS tree hierarchy. FQDN resolution allows the actual physical IP address to change while the FQDN can stay the same.
4.2.2. Static Routing
This section describes how routing is implemented in NetDefendOS, and how to configure static routing. NetDefendOS supports multiple routing tables. A default table called main is pre-defined and is always present in NetDefendOS. However, additional and completely separate routing tables can be defined by the administrator to provide alternate routing.
Persistent Routes: None
The corresponding routing table in NetDefendOS is similar to this:
Flags Network            Iface    Gateway        Local IP  Metric
----- ------------------ -------- -------------- --------- ------
      192.168.0.0/24
      10.0.0.0/8
      0.0.0.0/0                   192.168.0.1
The NetDefendOS way of describing the routes is easier to read and understand. Another advantage of this form of notation is that you can specify a gateway for a particular route without having a route that covers the gateway's IP address, or despite the fact that the route which covers the gateway's IP address is normally routed via another interface.
184.108.40.206/24
0.0.0.0/0 220.127.116.11
Web Interface
To see the configured routing table:
Go to Routing > Routing Tables
Select and right-click the main routing table in the grid
Choose Edit in the menu
The main window will list the configured routes
To see the active routing table, select the Routes item in the Status dropdown menu in the menu bar - the main window will list the active routing table
Core Routes...
4.2.3. Route Failover Overview D-Link Firewalls are often deployed in mission-critical locations where availability and connectivity is crucial. A corporation relying heavily on access to the Internet, for instance, could have their operations severely disrupted if an Internet connection fails.
methods must be chosen:
Interface Link Status
NetDefendOS will monitor the link status of the interface specified in the route. As long as the interface is up, the route is diagnosed as healthy. This method is appropriate for monitoring that the interface is physically attached and that the cabling is working as expected.
Ethernet is separated into two parts with a routing device such as an installed D-Link Firewall, in between. In such a case, NetDefendOS itself can respond to ARP requests directed to the network on the other side of the D-Link Firewall using the feature known as Proxy ARP.
The splitting of an Ethernet network into two distinct parts is a common application of D-Link Firewall's Proxy ARP feature, where access between the parts needs to be controlled. In such a scenario NetDefendOS can monitor and regulate all traffic passing between the two parts.
4.3. Policy-based Routing
4.3.1. Overview
Policy-based Routing (PBR) is an extension to the standard routing described previously. It offers administrators significant flexibility in implementing routing decision policies by being able to define rules so alternative routing tables are used. Normal routing forwards packets according to destination IP address information derived from static routes or from a dynamic routing protocol.
A Policy-based Routing rule can be triggered by the type of Service (HTTP for example) in combination with the Source/Destination Interface and Source/Destination Network. When looking up Policy-based Rules, it is the first matching rule found that is triggered.
4.3.4. Policy-based Routing Table Selection
interfaces. The first two options can be regarded as combining the alternate table with the main table and assigning one route if there is a match in both tables.
Important - Ensuring all-nets appears in the main table.
A common mistake with Policy-based routing is the absence of the default route with a destination interface of all-nets in the default main routing table.
This is a "drop-in" design, where there are no explicit routing subnets between the ISP gateways and the D-Link Firewall. In a provider-independent network, clients will likely have a single IP address, belonging to one of the ISPs. In a single-organization scenario, publicly accessible servers will be configured with two separate IP addresses: one from each ISP.
Note
Rules in the above example are added for both inbound and outbound connections.
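Sections 4.2.2 to 4.3.5 describe three mechanisms that interact: longest-prefix lookup in a named routing table, route failover (a monitored route that is diagnosed unhealthy is skipped so that the next candidate, such as a second ISP's default route, is used), and Policy-based Routing rules that select an alternate table according to the Ordering parameter. The following added example, which is not NetDefendOS code, models all three. The Ordering values Default, First and Only are the NetDefendOS names; the semantics implemented here (Default: main table first, alternate table used when main has no match or only its all-nets route matches; First: alternate table first, then main; Only: alternate table alone) are this example's reading of the manual, and the tables, interface names and sample connections are constructed.

```python
# Added example (not from the NetDefendOS manual): route lookup with failover
# and Policy-based Routing table selection. Tables and connections are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL_NETS = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Route:
    network: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None
    metric: int = 0
    up: bool = True          # cleared by route failover monitoring (link status, gateway poll)


def lookup(table, dst: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins.
    Routes marked down by failover monitoring are never selected."""
    ip = ipaddress.IPv4Address(dst)
    live = [r for r in table if r.up and ip in r.network]
    if not live:
        return None
    return min(live, key=lambda r: (-r.network.prefixlen, r.metric))


@dataclass
class PBRRule:
    service: Optional[str]            # e.g. "http"; None matches any service
    src_iface: str                    # interface name or "any"
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    table: str                        # alternate routing table to consult
    ordering: str                     # "Default", "First" or "Only"


@dataclass
class Conn:
    service: str
    src_iface: str
    src_ip: str
    dst_ip: str


def select_route(tables, rules, conn: Conn) -> Optional[Route]:
    """Apply the first matching PBR rule, then resolve the route per its Ordering."""
    main = tables["main"]
    for rule in rules:
        if ((rule.service is None or rule.service == conn.service)
                and rule.src_iface in ("any", conn.src_iface)
                and ipaddress.IPv4Address(conn.src_ip) in rule.src_net
                and ipaddress.IPv4Address(conn.dst_ip) in rule.dst_net):
            alt = tables[rule.table]
            if rule.ordering == "Only":
                return lookup(alt, conn.dst_ip)
            if rule.ordering == "First":
                return lookup(alt, conn.dst_ip) or lookup(main, conn.dst_ip)
            # Default: main first; use the alternate table when main has no match
            # or only its all-nets default route matched.
            m = lookup(main, conn.dst_ip)
            if m is None or m.network == ALL_NETS:
                return lookup(alt, conn.dst_ip) or m
            return m
    return lookup(main, conn.dst_ip)      # no PBR rule matched: plain main-table routing


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(s)


TABLES = {
    "main": [
        Route(net("192.168.0.0/24"), "lan"),
        Route(net("10.0.0.0/8"), "dmz"),
        Route(ALL_NETS, "wan1", "203.0.113.1", metric=10),
        Route(ALL_NETS, "wan2", "198.51.100.1", metric=20),   # failover default route
    ],
    "isp2": [Route(ALL_NETS, "wan2", "198.51.100.1")],
}
RULES = [PBRRule("http", "lan", net("192.168.0.0/24"), ALL_NETS, "isp2", "Default")]
```

The main table keeps an all-nets route, which is the point the manual's "Important" note makes: with Default ordering a connection that matches no specific route in main still has somewhere to go even when the alternate table has no entry for it.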
4.4. Dynamic Routing 4.4.1. Dynamic Routing overview Dynamic routing is different to static routing in that the D-Link Firewall will adapt to changes of network topology or traffic load automatically. NetDefendOS first learns of all the directly connected networks and gets further route information from other routers. Detected routes are sorted and the most suitable routes for destinations are added into the routing table and this information is distributed to other routers.
Routing metrics are the criteria a routing algorithm uses to compute the "best" route to a destination. A routing protocol relies on one or several metrics to evaluate links across a network and to determine the optimal path. The principal metrics used include:
Path length
The sum of the costs associated with each link.
to which they have an interface.
ASBRs
Routers that exchange routing information with routers in other Autonomous Systems are called Autonomous System Boundary Routers (ASBRs). They advertise externally learned routes throughout the Autonomous System.
Backbone Areas
All OSPF networks need to have at least the backbone area, that is the area with ID 0.
in the routing table. This is commonly used to minimize the routing table.
Virtual Links
Virtual links are used for:
• Linking an area that does not have a direct connection to the backbone.
• Linking the backbone in case of a partitioned backbone.
This is done by forcing the router priority to 0. For OSPF HA support to work correctly, the D-Link Firewall needs to have a broadcast interface with at least ONE neighbor for ALL areas that the firewall is attached to. In essence, the inactive part of the cluster needs a neighbor to get the link state database from.
In a dynamic routing environment, it is important for routers to be able to regulate the extent to which they will participate in the routing exchange. It is not feasible to accept or trust all received routing information, and it might be crucial to avoid having parts of the routing database published to other routers.
gw-world:/ImportOSPFRoutes> add DynamicRoutingRuleAddRoute Destination=MainRoutingTable Web Interface Go to Routing > Dynamic Routing Rules Click on the recently created ImportOSPFRoutes Go to OSPF Routing Action > Add > DynamicRoutingRuleAddRoute In Destination, add the main routing table to the Selected list Click OK Example 4.7.
IP rule set in order to perform forwarding to the correct interfaces. This is demonstrated in the examples which follow. Note For multicast to function with an Ethernet interface on any D-Link Firewall, that interface must have multicast handling set to On or Auto. For further details on this see Section 3.3.2, “Ethernet”.
4.5.2. Multicast Forwarding using the SAT Multiplex Rule Chapter 4. Routing The multiplex rule can operate in one of two modes: Use IGMP The traffic flow specified by the multiplex rule must have been requested by hosts using IGMP before any multicast packets are forwarded through the specified interfaces.
Example 4.8. Forwarding of Multicast Traffic using the SAT Multiplex Rule In this example, we will create a multiplex rule in order to forward the multicast groups 18.104.22.168/24:1234 to the interfaces if1, if2 and if3.
This scenario is based on the previous scenario but now we are going to translate the multicast group. When the multicast streams 22.214.171.124/24 are forwarded through the if2 interface, the multicast groups should be translated into 126.96.36.199/24.
A second exception is if a neighbouring router is statically configured to deliver a multicast stream to the D-Link Firewall. In this case also, an IGMP query would not have to be specified. NetDefendOS supports two IGMP modes of operation - Snoop and Proxy.
4.5.3. IGMP Configuration Chapter 4. Routing Figure 4.7. Multicast Proxy In Snoop mode, the router will act transparently between the hosts and another IGMP router. It will not send any IGMP Queries. It will only forward queries and reports between the other router and the hosts.
The D-Link Firewall can operate in two modes: Routing Mode or Transparent Mode. In Routing Mode, the D-Link Firewall performs all the functions of a Layer 3 router; if the firewall is placed into a network for the first time, or if network topology changes, the routing configuration must therefore be thoroughly checked to ensure that the routing table is consistent with the new layout.
For each IP packet that passes through the D-Link Firewall, a route lookup for the destination is done. If the route of the packet matches a Switch Route or a Layer 3 Cache entry in the routing table, NetDefendOS knows that it should handle this packet in a transparent manner.
Destination Network: all-nets (0.0.0.0/0) Click OK Scenario 2 Here the D-Link Firewall in Transparent Mode separates server resources from an internal network by connecting them to a separate interface without the need for different address ranges. Figure 4.9. Transparent mode scenario 2 All hosts connected to LAN and DMZ (the lan and dmz interfaces) share the 10.0.0.0/24 address...
4.6.6. Transparent Mode Scenarios Chapter 4. Routing Switch Route: Similar to the previous example, set up the switch route with the new interface group created earlier. Configure the rules: Go to Rules > New Rule The Rule Properties dialog will be displayed Specify a suitable name for the rule, for instance HTTP-LAN-to-DMZ Enter the following: •...
Go to Interfaces > Ethernet > Edit (lan) Now enter: • IP Address: 10.0.0.1 • Network: 10.0.0.0/24 • Transparent Mode: Disable • Add route for interface network: Disable Click OK Go to Interfaces > Ethernet > Edit (dmz) Now enter: •...
Click OK Go to Rules > IP Rules > Add > IPRule Now enter: • Name: HTTP-WAN-to-DMZ • Action: SAT • Service: http • Source Interface: wan • Destination Interface: dmz • Source Network: all-nets •...
5.2. DHCP Servers NetDefendOS has the ability to act as one or more logical DHCP servers. Filtering of DHCP client requests is based on interface, so each NetDefendOS interface can have, at most, one single logical DHCP server associated with it.
Example 5.2. Checking the status of a DHCP server Web Interface Go to Status > DHCP Server in the menu bar. To see the status of all servers: gw-world:/> dhcpserver To list all configured servers: gw-world:/>...
5.3. Static DHCP Assignment Where the administrator requires a fixed relationship between a client and the assigned IP address, NetDefendOS allows the assignment of a given IP to a specific MAC address. Example 5.3.
5.4. DHCP Relaying With DHCP, clients send requests to locate the DHCP server(s) using broadcast messages. However, broadcasts are normally only propagated across the local network. This means that the DHCP server and client would always need to be in the same physical network area to be able to communicate.
5.5. IP Pools Overview IP pools are used to offer other subsystems access to a cache of DHCP IP addresses. These addresses are gathered into a pool by internally maintaining a series of DHCP clients (one per IP). The DHCP servers used by a pool can either be external or be DHCP servers defined in NetDefendOS itself.
greater than the prefetch parameter. The pool will start releasing (giving back IPs to the DHCP server) when the number of free clients exceeds this value. Maximum clients Optional setting used to specify the maximum number of clients (IPs) allowed in the pool.
6.1.3. Access Rule Settings Chapter 6. Security Mechanisms VPNs provide one means of avoiding spoofing but where a VPN is not an appropriate solution then Access Rules can provide an anti-spoofing capability by providing an extra filter for source address verification.
Example 6.1. Setting up an Access Rule A rule is to be defined that ensures no traffic with a source address not within the lannet network is received on the lan interface. gw-world:/>...
6.2.1. Overview To complement low-level packet filtering, which only inspects packet headers in protocols such as IP, TCP, UDP and ICMP, D-Link Firewalls provide Application Layer Gateways (ALGs) which filter at the higher, application layer of the OSI model. An ALG object acts as a mediator in accessing commonly used Internet applications outside the protected network, for example web access, file transfer and multimedia transfer.
6.2.2. HTTP Chapter 6. Security Mechanisms ALGs and SYN Flood Protection It should be noted that user-defined custom Service objects have the option to enable SYN Flood Protection, a feature which specifically targets TCP SYN flood attacks. If this option is enabled for a Service object then any ALG associated with that Service will not be used: traffic matching that Service passes without the ALG's application-layer filtering.
After granting access, the server will provide the client with a file/directory listing from which it can download/upload files (depending on access rights). The FTP ALG is used to manage FTP connections through the D-Link Firewall.
The conversion also works the other way around, that is, with the FTP client using active mode and the FTP server using passive mode. Example 6.2. Protecting an FTP Server with an ALG As shown, an FTP Server is connected to the D-Link Firewall on a DMZ with private IP addresses, shown below:...
6.2.3. FTP Chapter 6. Security Mechanisms To make it possible to connect to this server from the Internet using the FTP ALG, the FTP ALG and rules should be configured as follows: Web Interface A. Define the ALG: Go to Objects > ALG > Add > FTP ALG Enter Name: ftp-inbound Check Allow client to use active mode Uncheck Allow server to use passive mode...
Now enter: • Name: SAT-ftp-inbound • Action: SAT • Service: ftp-inbound For Address Filter enter: • Source Interface: any • Destination Interface: core • Source Network: all-nets • Destination Network: wan_ip (assuming the external interface has been defined as this) For SAT check Translate the Destination IP Address Enter To: New IP Address: ftp-internal (assume this internal IP address for FTP server has been defined in the Address Book object)
Click OK Example 6.3. Protecting FTP Clients In this scenario shown below the D-Link Firewall is protecting a workstation that will connect to FTP servers on the Internet. To make it possible to connect to these servers from the internal network using the FTP ALG, the FTP ALG and...
6.2.4. TFTP Chapter 6. Security Mechanisms • Destination: 21 (the port the FTP server listens on) • ALG: select the newly created ftp-outbound Click OK Rules (Using Public IPs). The following rule needs to be added to the IP rules if using public IPs; make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules.
Internet. Typically the local SMTP server will be located on a DMZ so that mail sent by remote SMTP servers will traverse the D-Link Firewall to reach the local server (this setup is illustrated later, in the section “DNSBL SPAM Filtering”). Local users will then use email client software to retrieve their email from the local SMTP server.
SMTP functions as a protocol for sending emails between servers. NetDefendOS applies SPAM filtering to emails as they pass through a D-Link Firewall from a remote SMTP server to the local SMTP server (from which local clients will later download the emails). Typically the local SMTP server will be set up on a DMZ and there will usually be only one "hop"...
6.2.5. SMTP Chapter 6. Security Mechanisms When the NetDefendOS SPAM filtering function is configured, the IP address of the email's sending server can be sent to one or more DNSBL servers to find out if any DNSBL servers think it is from a spammer or not (NetDefendOS examines the IP packet headers to do this).
Buy this stock today! And if the tag text is defined to be "*** SPAM ***", then the modified email's Subject field will become: *** SPAM *** Buy this stock today! This is what the email's recipient will see in the summary of their inbox contents. The individual user can then decide to set up their own filters in the local client to deal with such tagged emails, for example sending them to a separate folder.
Logging There are three types of logging done by the SPAM filtering module: • Logging of dropped or SPAM tagged emails - These log messages include the source email address and IP as well as its weighted points score and which DNSBLs caused the event. •...
6.2.6. POP3 Chapter 6. Security Mechanisms gw-world:/> dnsbl DNSBL Contexts: Name Status Spam Drop Accept ------------------------ -------- -------- -------- -------- my_smtp_alg active 34299 alt_smtp_alg inactive The -show option provides a summary of the SPAM filtering operation of a specific ALG. gw-world:/>...
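The weighted DNSBL scoring, Subject tagging and logging described in this section, as an added example that is not NetDefendOS code. The DNSBL zone names, weights, thresholds, sender addresses and the listing data are all constructed for the example; a real check resolves the reversed-octet name against each DNSBL zone instead of consulting a dictionary. The returned dict carries what the log entry for a dropped or tagged email records: the action, the weighted score, the DNSBLs that caused it, and the sender's address and IP.

```python
import ipaddress

# Constructed stand-in for the DNSBL servers: zone name -> set of listed sender IPs.
# A real check reverses the sender's octets and resolves "<reversed-ip>.<zone>".
CONSTRUCTED_DNSBL = {
    "zen.example-dnsbl.org": {"203.0.113.7", "198.51.100.9"},
    "bl.example-dnsbl.net": {"203.0.113.7"},
    "dnsbl.example-third.com": set(),
}

# Hypothetical weights and thresholds; in NetDefendOS they are set per SMTP ALG.
WEIGHTS = {"zen.example-dnsbl.org": 3, "bl.example-dnsbl.net": 2, "dnsbl.example-third.com": 1}
SPAM_THRESHOLD = 3   # score at or above this: tag the Subject (assumed inclusive)
DROP_THRESHOLD = 5   # score at or above this: drop the email (assumed inclusive)
TAG_TEXT = "*** SPAM ***"


def dnsbl_query_name(sender_ip: str, zone: str) -> str:
    """Build the name a resolver would look up: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(sender_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(sender_ip: str, zone: str) -> bool:
    """Stand-in for the DNS A query; answers from the constructed data above."""
    dnsbl_query_name(sender_ip, zone)  # the name a real lookup would send
    return sender_ip in CONSTRUCTED_DNSBL.get(zone, set())


def score_sender(sender_ip: str, weights=WEIGHTS, listed=is_listed):
    """Sum the weight of every DNSBL that lists the sending server's IP.
    Returns (score, list of zones that listed the sender)."""
    score, hits = 0, []
    for zone, weight in weights.items():
        if listed(sender_ip, zone):
            score += weight
            hits.append(zone)
    return score, hits


def filter_mail(sender_ip: str, subject: str, sender: str = "unknown@example.org",
                spam_threshold=SPAM_THRESHOLD, drop_threshold=DROP_THRESHOLD, tag=TAG_TEXT):
    """Classify one email by its sending server's IP (taken from the packet headers).
    The dict holds what the log entry records: action, weighted score, DNSBLs hit."""
    score, hits = score_sender(sender_ip)
    if score >= drop_threshold:
        action = "drop"
    elif score >= spam_threshold:
        action = "tag"
        subject = f"{tag} {subject}"   # what the recipient sees in the inbox summary
    else:
        action = "accept"
    return {"action": action, "score": score, "dnsbls": hits,
            "sender": sender, "sender_ip": sender_ip, "subject": subject}


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "192.0.2.1"):
        print(filter_mail(ip, "Buy this stock today!"))
```

The thresholds are compared inclusively here; check the ALG's own definition of "exceeds" before copying the numbers, and keep the drop threshold above the tag threshold so a single heavily weighted list cannot silently discard mail that a user would have wanted to see tagged instead.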
6.2.7. SIP Chapter 6. Security Mechanisms Hide User This option prevents the POP3 server from revealing that a username does not exist. This prevents users from trying different usernames until they find a valid one. Allow Unknown Commands Non-standard POP3 commands not recognised by the ALG can be allowed or disallowed.
A refinement of the internal to internal scenario is the case where the two peers in a session reside on the same network. In all these three scenarios the proxy server is assumed to be on the unprotected side of the D-Link Firewall.
Maximum Sessions per ID The number of simultaneous sessions that a single peer can be involved with is restricted by this value. The default number is 5. Maximum Registration Time The maximum time for registration with a SIP Registrar. The default value is 3600 seconds.
NATed. • An Allow rule for inbound SIP traffic from the SIP proxy to the IP of the D-Link Firewall. This rule will use core (in other words NetDefendOS itself) as the destination interface. The reason for this is due to the NAT rule above. When an incoming call is received, NetDefendOS will automatically locate the local receiver, perform address translation and forward SIP messages to the receiver.
The H.323 specification was not designed to handle NAT, as IP addresses and ports are sent in the payload of H.323 messages. The H.323 ALG modifies and translates H.323 messages to make sure that H.323 messages will be routed to the correct destination and allowed through the D-Link Firewall.
Example 6.4. Protecting Phones Behind D-Link Firewalls In the first scenario a H.323 phone is connected to the D-Link Firewall on a network (lannet) with public IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules.
6.2.8. H.323 Chapter 6. Security Mechanisms Web Interface Outgoing Rule: Go to Rules > IP Rules > Add > IPRule Now enter: • Name: H323AllowOut • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet •...
Example 6.5. H.323 with private IP addresses In this scenario a H.323 phone is connected to the D-Link Firewall on a network with private IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules.
Comment: Allow incoming calls to H.323 phone at ip-phone Click OK To place a call to the phone behind the D-Link Firewall, place a call to the external IP address on the firewall. If multiple H.323 phones are placed behind the firewall, one SAT rule has to be configured for each phone.
Example 6.7. Using Private IP Addresses This scenario consists of two H.323 phones, each one connected behind the D-Link Firewall on a network with private IP addresses. In order to place calls on these phones over the Internet, the following rules need to be added to the rule set in the firewall. Make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules.
Example 6.8. H.323 with Gatekeeper In this scenario, a H.323 gatekeeper is placed in the DMZ of the D-Link Firewall. A rule is configured in the firewall to allow traffic between the private internal network where the H.323 phones are connected and the Gatekeeper on the DMZ.
Web Interface Incoming Gatekeeper Rules: Go to Rules > IP Rules > Add > IPRule Now enter: • Name: H323In • Action: SAT • Service: H323-Gatekeeper • Source Interface: any • Destination Interface: core •...
The D-Link Firewall with the Gatekeeper connected to the DMZ should be configured exactly as in scenario 3. The other D-Link Firewall should be configured as below. The rules need to be added to the rule listings, and make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules.
IP-ranges on their local networks. All outside calls are done over the existing telephone network using the gateway (ip-gateway) connected to the ordinary telephone network. The head office has placed a H.323 Gatekeeper in the DMZ of the corporate D-Link Firewall. This firewall should be configured as follows: Web Interface Go to Rules >...
• Comment: Allow H.323 entities on lannet to connect to the Gatekeeper Click OK Go to Rules > IP Rules > Add > IPRule Now enter: • Name: LanToGK • Action: Allow • Service: H323 •...
If the branch and remote office H.323 phones and applications are to be configured to use the H.323 Gatekeeper at the head office, the D-Link Firewalls in the remote and branch offices should be configured as follows: (this rule should be in both the Branch and Remote Office firewalls).
• Service: H323-Gatekeeper • Source Interface: dmz • Destination Interface: vpn-hq • Source Network: ip-branchgw • Destination Network: hq-net • Comment: Allow the Gateway to communicate with the Gatekeeper connected to the Head Office Click OK Note There is no need to specify a specific rule for outgoing calls.
6.3. Web Content Filtering 6.3.1. Overview Web traffic is one of the biggest sources for security issues and misuse of the Internet. Inappropriate surfing habits can expose a network to many security threats as well as legal and regulatory liabilities.
6.3.3. Static Content Filtering Chapter 6. Security Mechanisms Example 6.13. Stripping ActiveX and Java applets This example shows how to configure a HTTP Application Layer Gateway to strip ActiveX and Java applets. The example will use the content_filtering ALG object and presumes you have done one of the previous examples. gw-world:/>...
URLs to block or allow. Instead, D-Link maintains a global infrastructure of databases containing massive numbers of current web site URL addresses, grouped into a variety of categories such as shopping, news, sport, adult-oriented and so on.
6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Note New, uncategorized URLs sent to the D-Link network are treated as anonymous submissions and no record of the source of new submissions is kept. Categorizing Pages and Not Sites NetDefendOS dynamic filtering categorizes web pages and not sites. In other words, a web site may contain particular pages that should be blocked without blocking the entire site.
In the Blocked Categories list, select Search Sites and click the >> button. Click OK Then, create a Service object using the new HTTP ALG: Go to Local Objects > Services > Add > TCP/UDP service Specify a suitable name for the Service, eg.
The URL to the requested web site as well as the proposed category will then be sent to D-Link's central data warehouse for manual inspection. That inspection may result in the web site being...
Example 6.17. Reclassifying a blocked site This example shows how a user may propose a reclassification of a web site if he believes it is wrongly classified. This mechanism is enabled on a per-HTTP ALG level basis. First, create an HTTP Application Layer Gateway (ALG) Object: gw-world:/>...
Category 2: News A web site may be classified under the News category if its content includes information articles on recent events pertaining to topics surrounding a locality (for example, town, city or nation) or culture, including weather forecasting information.
• www.buy-alcohol.se Category 7: Entertainment A web site may be classified under the Entertainment category if its content includes any general form of entertainment that is not specifically covered by another category. Some examples of this are music sites, movies, hobbies, special interest, and fan clubs.
• www.loadsofmoney.com.au • www.putsandcalls.com Category 12: E-Banking A web site may be classified under the E-Banking category if its content includes electronic banking information or services. This category does not include Investment related content; refer to the Investment Sites category (11).
Category 17: www-Email Sites A web site may be classified under the www-Email Sites category if its content includes online, web-based email facilities. Examples might be: • www.coldmail.com • mail.yazoo.com Category 18: Violence / Undesirable A web site may be classified under the Violence / Undesirable category if its contents are extremely violent or horrific in nature.
Examples might be: • www.sierra.org • www.walkingclub.org Category 23: Music Downloads A web site may be classified under the Music Downloads category if it provides online music downloading, uploading and sharing facilities as well as high bandwidth audio streaming. Examples might be: •...
A web site may be classified under the Drugs/Alcohol category if its content includes drug and alcohol related information or services. Some URLs categorised under this category may also be categorised under the Health category. Examples might be: •...
6.4.3. Activating Anti-Virus Scanning Chapter 6. Security Mechanisms D-Link Firewall. However, the available free memory can place a limit on the number of concurrent scans that can be initiated. The administrator can increase the default amount of free memory available to Anti-Virus scanning through changing the AVSE_MAXMEMORY advanced setting.
6.4.6. Anti-Virus Options Chapter 6. Security Mechanisms 1. General options Mode This must be one of: A. Enabled which means Anti-Virus is active. B. Audit which means it is active but logging will be the only action. Fail mode behaviour If a virus scan fails for any reason then the transfer can be dropped or allowed, with the event being logged.
This second reconfiguration causes another failover so the passive unit reverts back to being active again. These steps result in both D-Link Firewalls in a cluster having updated databases and with the original active/passive roles. For more information about HA clusters refer to Chapter 11, High Availability.
Go to Objects > ALG > Add > HTTP ALG Specify a suitable name for the ALG, for instance anti_virus Click the Antivirus tab Select Protect in the Mode dropdown list Click OK B.
It operates by monitoring network traffic as it passes through the D-Link Firewall, searching for patterns that indicate an intrusion is being attempted. Once detected, NetDefendOS IDP allows steps to be taken to neutralize both the intrusion attempt as well as its source.
A new, updated signature database is downloaded automatically by NetDefendOS system at a configurable interval. This is done via an HTTP connection to the D-Link server network which delivers the latest signature database updates. If the server's signature database has a newer version than the current local database, the new database will be downloaded, replacing the older version.
This second reconfiguration causes another failover so the passive unit reverts back to being active again. These steps result in both D-Link Firewalls in a cluster having updated databases and with the original active/passive roles. For more information about HA clusters refer to Chapter 11, High Availability.
6.5.4. Insertion/Evasion Attack Chapter 6. Security Mechanisms Prevention The option exists in NetDefendOS IDP to look for intrusions in all traffic, even the packets that are rejected by the IP rule set check for new connections, as well as packets that are not part of an existing connection.
Attackers who build new intrusions often re-use older code. This means their new attacks can appear "in the wild" quickly. To counter this, D-Link IDP uses an approach where the module scans for these reusable components, with pattern matching looking for building blocks rather than the entire complete code patterns.
6.5.6. IDP Signature Groups Chapter 6. Security Mechanisms Using Groups Usually, several lines of attacks exist for a specific protocol, and it is best to search for all of them at the same time when analyzing network traffic. To do this, signatures related to a particular protocol are grouped together.
Section 6.7, “Blacklisting Hosts and Networks”. IDP ZoneDefense The Protect action includes the option that the particular D-Link switch that triggers the IDP Rule can be de-activated through the D-Link ZoneDefense feature. For more details on how ZoneDefense functions see Chapter 12, ZoneDefense.
6.5.8. SMTP Log Receiver for IDP Events Chapter 6. Security Mechanisms triggered. At least one new event occurs within the Hold Time of 120 seconds, thus reaching the log threshold level (at least 2 events have occurred). This results in an email being sent containing a summary of the IDP events.
Create IDP Rule: gw-world:/> add IDPRule Service=smtp SourceInterface=wan SourceNetwork=wannet DestinationInterface=dmz DestinationNetwork=ip_mailserver Name=IDPMailSrvRule Create IDP Action: gw-world:/> cc IDPRule IDPMailSrvRule gw-world:/IDPMailSrvRule> add IDPRuleAction Action=Protect IDPSeverity=All Signatures=IPS_MAIL_SMTP Web Interface Create IDP Rule: This IDP rule will be called IDPMailSrvRule, and applies to the SMTP service.
When this IDP Rule has been created, an action must also be created, specifying what signatures the IDP should use when scanning data matching the IDP Rule, and what NetDefendOS should do in case an intrusion is discovered.
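The hold-time and log-threshold behaviour described for the SMTP log receiver, as an added example that is not NetDefendOS code. The event lines, timestamps and the 120 second / 2 event settings are constructed to replay the scenario above; what happens to a window that expires without reaching the threshold (its events are discarded here) is an assumption of the example, not documented behaviour.

```python
class IdpMailAggregator:
    """Batch IDP events for an SMTP log receiver. The first event opens a hold window of
    hold_time seconds; once at least log_threshold events have arrived inside that window,
    one summary email is produced and the window closes. Events of a window that never
    reaches the threshold are discarded when the window expires (assumed behaviour)."""

    def __init__(self, hold_time=120, log_threshold=2):
        self.hold_time = hold_time
        self.log_threshold = log_threshold
        self.window_start = None
        self.pending = []
        self.sent = []     # every summary email produced so far

    def event(self, t, line):
        """Feed one IDP event (timestamp in seconds, log line). Returns the summary
        email when this event triggers one, otherwise None."""
        if self.window_start is not None and t - self.window_start > self.hold_time:
            self.pending, self.window_start = [], None      # window expired below threshold
        if self.window_start is None:
            self.window_start = t
        self.pending.append((t, line))
        if len(self.pending) < self.log_threshold:
            return None
        mail = {"subject": "IDP: %d events within %ds" % (len(self.pending), self.hold_time),
                "body": "\n".join("%6d  %s" % item for item in self.pending)}
        self.sent.append(mail)
        self.pending, self.window_start = [], None
        return mail


# Constructed event stream (seconds, IDP log line) replaying the scenario in the text:
# two events inside the hold time trigger one mail, a late third event only opens a new window.
SAMPLE_EVENTS = [
    (0, "IDPMailSrvRule matched IPS_MAIL_SMTP from 203.0.113.9 to ip_mailserver"),
    (60, "IDPMailSrvRule matched IPS_MAIL_SMTP from 203.0.113.9 to ip_mailserver"),
    (300, "IDPMailSrvRule matched IPS_MAIL_SMTP from 198.51.100.7 to ip_mailserver"),
]


def replay(events, hold_time=120, log_threshold=2):
    """Run a stream of events through a fresh aggregator; returns (per-event results, aggregator)."""
    agg = IdpMailAggregator(hold_time, log_threshold)
    return [agg.event(t, line) for t, line in events], agg


if __name__ == "__main__":
    results, agg = replay(SAMPLE_EVENTS)
    for mail in agg.sent:
        print(mail["subject"])
        print(mail["body"])
```

A threshold above 1 stops a single noisy signature from generating one email per packet, but it also means an isolated true positive never produces mail; keep the syslog receiver as the complete record and treat the SMTP receiver as an alerting channel only.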
Attacks can appear out of thin air and the consequences can be devastating with crashed servers, jammed Internet connections and business critical systems in overload. This section deals with using the D-Link Firewall to protect organizations against DoS attacks. 6.6.2. DoS Attack Mechanisms A DoS attack can be perpetrated in a number of ways but there are three basic types of attack: •...
6.6.4. Fragmentation overlap attacks: Teardrop, Bonk, Boink and Nestea Chapter 6. Security Mechanisms to run "ping -l 65510 184.108.40.206" on a Windows 95 system, where 184.108.40.206 is the IP address of the intended victim. "Jolt" is simply a purpose-written program for generating such packets on operating systems whose ping commands refuse to generate oversized packets.
6.6.7. Amplification attacks: Smurf, Papasmurf, Fraggle Chapter 6. Security Mechanisms services expected to only serve the local network. • By stripping the URG bit by default from all TCP segments traversing the system (configurable via Advanced Settings > TCP > TCPUrg). WinNuke attacks will usually show up in NetDefendOS logs as normal drops with the name of the rule in your policy that disallowed the connection attempt.
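What stripping the URG bit involves at packet level, as an added example that is not NetDefendOS code: a constructed WinNuke-style segment (PSH|ACK|URG to port 139 carrying one byte of out-of-band data) is parsed, the URG flag and urgent pointer are cleared, and the TCP checksum is recomputed over the IPv4 pseudo-header so the segment remains valid for the receiver. Addresses, ports and payloads are constructed.

```python
import socket
import struct

TCP_URG = 0x20                   # URG bit in the TCP flags byte (header byte 13)
TCP_HEADER_FMT = "!HHIIBBHHH"    # 20-byte header without options


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit big-endian words (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol 6, TCP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum of the pseudo-header plus the segment with its checksum field zeroed."""
    return ones_complement_sum(_pseudo_header(src_ip, dst_ip, segment)
                               + segment[:16] + b"\x00\x00" + segment[18:])


def checksum_valid(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment whose stored checksum is correct sums to zero together with the pseudo-header."""
    return ones_complement_sum(_pseudo_header(src_ip, dst_ip, segment) + segment) == 0


def build_segment(src_ip, dst_ip, sport, dport, flags, urg_ptr, payload):
    """Constructed TCP segment (no options, dummy seq/ack numbers) with a correct checksum."""
    header = struct.pack(TCP_HEADER_FMT, sport, dport, 1, 1, 5 << 4, flags, 8192, 0, urg_ptr)
    segment = header + payload
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]


def strip_urg(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """What the TCPUrg setting does: clear URG, zero the urgent pointer (bytes 18-19) and
    recompute the checksum. Segments without URG pass unchanged. The out-of-band byte
    itself stays in the payload; it is simply no longer flagged as urgent."""
    flags = segment[13]
    if not flags & TCP_URG:
        return segment
    flags &= 0xFF ^ TCP_URG
    fixed = segment[:13] + bytes([flags]) + segment[14:18] + b"\x00\x00" + segment[20:]
    return fixed[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, fixed)) + fixed[18:]


def flags_of(segment: bytes) -> int:
    return segment[13]


def urgent_pointer_of(segment: bytes) -> int:
    return struct.unpack("!H", segment[18:20])[0]


if __name__ == "__main__":
    src, dst = "203.0.113.9", "192.0.2.10"   # constructed attacker and victim
    nuke = build_segment(src, dst, 40000, 139, 0x38, 1, b"!")   # PSH|ACK|URG, one OOB byte
    clean = strip_urg(src, dst, nuke)
    print(hex(flags_of(nuke)), hex(flags_of(clean)), urgent_pointer_of(clean),
          checksum_valid(src, dst, clean))
```

Recomputing the checksum is the part that matters: a device that clears the flag but leaves the old checksum produces segments the receiver silently discards, which looks like a working block until legitimate URG-using traffic (for example FTP ABOR or some telnet implementations) starts failing.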
The Traffic Shaping feature built into NetDefendOS also helps absorb some of the flood before it reaches protected servers. 6.6.8. TCP SYN Flood Attacks The TCP SYN Flood attack works by sending large numbers of TCP SYN packets to a given port and then not responding to the SYN-ACKs sent in response.
To ensure that "good" Internet traffic sources are not blacklisted under any circumstances, a Whitelist is also maintained by NetDefendOS. It is advisable to add the D-Link Firewall itself to the Whitelist as well as the IP addresses of the management workstation.
• NAT Pools, page 207 • Static Address Translation, page 210 The ability of NetDefendOS to change the IP address of packets as they pass through a D-Link Firewall is known as address translation. NetDefendOS supports two types of translation: Dynamic Network Address Translation (NAT) and Static Address Translation (SAT).
In this example, the Use Interface Address option is used, and we will use 18.104.22.168 as the interface address. In addition, the source port is changed to a free port on the D-Link Firewall, usually one above 32768. In this example, we will use port 32789. The packet is then sent to its destination.
7.1. Dynamic Network Address Translation Chapter 7. Address Translation Protocols Handled by NAT Dynamic address translation is able to deal with the TCP, UDP and ICMP protocols with a good level of functionality since the algorithm knows which values can be adjusted to become unique in the three protocols.
NAT Pool object. The state table is not allocated all at once but is incremented in size as needed. One entry in the state table tracks all the connections for a single host behind the D-Link Firewall no matter which external host the connection concerns. If Max States is reached then an existing state with the longest idle time is replaced.
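Dynamic NAT with the Use Interface Address option and the per-host state table as described above, as an added example that is not NetDefendOS code. The interface address, internal hosts, peers, the first allocated port (32769) and the Max States value are constructed; the one-entry-per-internal-host bookkeeping and the longest-idle eviction follow the description above, while the exact idle accounting is an assumption of the example.

```python
class DynamicNAT:
    """Dynamic (many-to-one) NAT with the 'Use Interface Address' option: every outbound
    connection gets the interface address as source and a free port above 32768.
    One state entry tracks all connections of one internal host, whatever the peer;
    when max_states is reached the entry with the longest idle time is evicted."""

    def __init__(self, interface_ip, max_states, first_port=32769):
        self.interface_ip = interface_ip
        self.max_states = max_states
        self.first_port = first_port
        self.states = {}      # internal host -> {"last_used": t, "conns": {conn key: nat port}}
        self.reverse = {}     # (proto, nat port, peer ip, peer port) -> (host, host port)
        self.used_ports = set()

    def _alloc_port(self):
        for port in range(self.first_port, 65536):
            if port not in self.used_ports:
                self.used_ports.add(port)
                return port
        raise RuntimeError("no free NAT port on %s" % self.interface_ip)

    def _evict(self, host):
        """Drop a host's state and release every port and reverse mapping it held."""
        for (proto, host_port, peer_ip, peer_port), nat_port in self.states[host]["conns"].items():
            self.used_ports.discard(nat_port)
            self.reverse.pop((proto, nat_port, peer_ip, peer_port), None)
        del self.states[host]

    def _state_for(self, host, now):
        if host not in self.states:
            if len(self.states) >= self.max_states:
                idle = min(self.states, key=lambda h: self.states[h]["last_used"])
                self._evict(idle)
            self.states[host] = {"last_used": now, "conns": {}}
        self.states[host]["last_used"] = now
        return self.states[host]

    def outbound(self, proto, host, host_port, peer_ip, peer_port, now):
        """Translate an internal host's packet; returns (src ip, src port, dst ip, dst port)
        as the packet leaves the interface."""
        state = self._state_for(host, now)
        key = (proto, host_port, peer_ip, peer_port)
        if key not in state["conns"]:
            nat_port = self._alloc_port()
            state["conns"][key] = nat_port
            self.reverse[(proto, nat_port, peer_ip, peer_port)] = (host, host_port)
        return (self.interface_ip, state["conns"][key], peer_ip, peer_port)

    def inbound(self, proto, peer_ip, peer_port, nat_port, now):
        """Map a reply addressed to interface_ip:nat_port back to the internal host, or
        None when no state exists (an unsolicited packet, which is then dropped)."""
        entry = self.reverse.get((proto, nat_port, peer_ip, peer_port))
        if entry is None:
            return None
        host, host_port = entry
        self.states[host]["last_used"] = now
        return (peer_ip, peer_port, host, host_port)


if __name__ == "__main__":
    nat = DynamicNAT("198.51.100.1", max_states=2)   # constructed interface address
    print(nat.outbound("tcp", "10.0.0.2", 1038, "203.0.113.5", 80, now=1))
    print(nat.inbound("tcp", "203.0.113.5", 80, 32769, now=2))
```

Note what eviction means for the evicted host: all of its mappings disappear at once, so its established sessions break and late replies for them are treated as unsolicited. Size Max States for the number of internal hosts, not the number of connections.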
Pool. See Section 5.5, “IP Pools” for more details on this topic. Proxy ARP Usage Where an external router sends ARP queries to the D-Link Firewall to resolve external IP addresses included in a NAT Pool, NetDefendOS will need to send the correct ARP replies for this resolution to take place through its Proxy ARP mechanism so the external router can correctly build its routing table.
7.2. NAT Pools Chapter 7. Address Translation Specify a suitable name for the IP range, for instance nat_pool_range Enter 10.6.13.10-10.6.13.15 in the IP Address textbox (a network, for example 10.6.13.0/24, could be used here; the .0 and .255 addresses will be automatically removed) Click OK B.
In this example, we will create a SAT policy that will translate and allow connections from the Internet to a web server located in a DMZ. The D-Link Firewall is connected to the Internet using the wan interface with address object wan_ip (defined as 22.214.171.124) as IP address.
These two rules allow us to access the web server via the D-Link Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection.
10.0.0.2:80 => 10.0.0.3:1038 This reply arrives directly at PC1 without passing through the D-Link Firewall. This causes problems. The reason this will not work is that PC1 expects a reply from 126.96.36.199:80, not 10.0.0.2:80. The unexpected reply is discarded and PC1 continues to wait for a response from 126.96.36.199:80, which will never arrive.
In this example, we will create a SAT policy that will translate and allow connections from the Internet to five web servers located in a DMZ. The D-Link Firewall is connected to the Internet using the wan interface, and the public IP addresses to use are in the range of 184.108.40.206 to 220.127.116.11.
7.3.3. All-to-One Mappings (N:1) Chapter 7. Address Translation Click OK Publish the public addresses on the wan interface using ARP publish. One ARP item is needed for every IP address: Go to Interfaces > ARP > Add > ARP Now enter: •...
7.3.4. Port Translation Chapter 7. Address Translation NetDefendOS can be used to translate ranges and/or groups into just one IP address.
Action  Src Iface  Src Net   Dest Iface  Dest Net                                     Service  Parameters
SAT     any        all-nets  core        18.104.22.168-22.214.171.124, 126.96.36.199  http     SETDEST all-to-one 192.168.0.50 80
This rule produces an N:1 translation of all addresses in the group (the range 18.104.22.168-22.214.171.124 plus the single address 126.96.36.199) to the IP 192.168.0.50.
7.3.6. Multiple SAT rule matches Chapter 7. Address Translation configuration. There is no definitive list of which protocols can or cannot be address translated. A general rule is that VPN protocols usually cannot be translated. In addition, protocols that open secondary connections in addition to the initial connection can be difficult to translate.
Return traffic from wwwsrv:80 will match rules 2 and 3. • Internal traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. The sender address will be the D-Link Firewall's internal IP address, guaranteeing that return traffic passes through the D-Link Firewall. •...
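How a SAT rule cooperates with the non-SAT rule that follows it, covering the N:1 group mapping of Section 7.3.3 and the hairpin case above where internal clients reach wwwsrv through wan_ip, as an added example that is not NetDefendOS code. The rule set, addresses and the routing helper are constructed; the evaluator implements the semantics stated in the text: a matching SAT rule records the translation and evaluation continues, the first matching Allow/NAT rule decides, and a SAT match with no later permitting rule is dropped.

```python
import ipaddress


def parse_net(spec: str):
    """'all-nets', a CIDR, an address range 'a-b', or a comma-separated group of those."""
    items = []
    for part in spec.split(","):
        part = part.strip()
        if part == "all-nets":
            items.append(ipaddress.ip_network("0.0.0.0/0"))
        elif "-" in part:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in part.split("-"))
            items.append((lo, hi))
        else:
            items.append(ipaddress.ip_network(part, strict=False))
    return items


def in_net(ip: str, items) -> bool:
    ip = ipaddress.ip_address(ip)
    return any(item[0] <= ip <= item[1] if isinstance(item, tuple) else ip in item
               for item in items)


class Rule:
    def __init__(self, action, src_if, src_net, dst_if, dst_net, service, sat_dest=None):
        self.action, self.src_if, self.dst_if, self.service = action, src_if, dst_if, service
        self.src_net, self.dst_net = parse_net(src_net), parse_net(dst_net)
        self.sat_dest = sat_dest   # (ip, port) of a SAT rule's SETDEST target

    def matches(self, pkt) -> bool:
        return (self.src_if in ("any", pkt["src_if"]) and self.dst_if in ("any", pkt["dst_if"])
                and self.service == pkt["service"]
                and in_net(pkt["src_ip"], self.src_net) and in_net(pkt["dst_ip"], self.dst_net))


def evaluate(rules, pkt, route, fw_ips):
    """Walk the rule set in order. A matching SAT rule only records the translation and
    evaluation continues; the first matching non-SAT rule decides. If no such rule matches,
    the packet is dropped even when a SAT rule matched. Returns (verdict, matched rule
    numbers, packet as it would be forwarded)."""
    pkt, hits, sat = dict(pkt), [], None
    for number, rule in enumerate(rules, 1):
        if not rule.matches(pkt):
            continue
        hits.append(number)
        if rule.action == "SAT":
            sat = sat or rule          # the first matching SAT rule wins
            continue
        if sat is not None:
            pkt["dst_ip"], pkt["dst_port"] = sat.sat_dest
        if rule.action == "NAT":
            # source becomes the firewall's address on the interface the packet leaves by
            pkt["src_ip"] = fw_ips[route(pkt["dst_ip"])]
        return rule.action, hits, pkt
    return "Drop", hits, pkt


# Constructed topology: wan_ip 198.51.100.1, lannet 10.0.0.0/24 with lan_ip 10.0.0.1,
# wwwsrv 10.0.0.2 on the same LAN as the clients (the hairpin case), and a group of
# published public addresses mapped N:1 onto 10.0.0.50.
FW_IPS = {"wan": "198.51.100.1", "lan": "10.0.0.1"}
LANNET = parse_net("10.0.0.0/24")
PUBLIC_GROUP = "198.51.100.5-198.51.100.9, 198.51.100.20"
RULES = [
    Rule("SAT", "any", "all-nets", "core", "198.51.100.1", "http", ("10.0.0.2", 80)),
    Rule("Allow", "wan", "all-nets", "core", "198.51.100.1", "http"),
    Rule("NAT", "lan", "10.0.0.0/24", "core", "198.51.100.1", "http"),
    Rule("NAT", "lan", "10.0.0.0/24", "any", "all-nets", "http"),
    Rule("SAT", "any", "all-nets", "core", PUBLIC_GROUP, "http", ("10.0.0.50", 80)),
    Rule("Allow", "wan", "all-nets", "core", PUBLIC_GROUP, "http"),
]


def route(ip: str) -> str:
    """Constructed routing table: lannet via lan, everything else via wan."""
    return "lan" if in_net(ip, LANNET) else "wan"


def check(pkt):
    return evaluate(RULES, pkt, route, FW_IPS)


if __name__ == "__main__":
    pc1 = {"src_if": "lan", "src_ip": "10.0.0.3", "src_port": 1038,
           "dst_if": "core", "dst_ip": "198.51.100.1", "dst_port": 80, "service": "http"}
    print(check(pc1))   # rule 3 NAT: source rewritten to lan_ip so the reply returns via the firewall
```

Rule order matters in the evaluator exactly as it does in the real rule set: a broad NAT rule placed above a SAT rule for the same traffic takes the decision before the SAT rule is ever seen, which is the "make sure there are no rules allowing the same kind of traffic before these rules" warning repeated throughout this chapter.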
7.3.7. SAT and FwdFast Rules ...
This chapter deals specifically with user authentication through validation of username/password combinations manually entered by a user attempting to gain access to resources. Access to the Internet using the HTTP protocol through a D-Link Firewall is an example of this where a username/password combination is the primary authentication method.
In a larger network topology with a larger administration workload, it is often preferable to have a central authentication database on a dedicated server. When there is more than one D-Link Firewall in the network and thousands of users, maintaining separate authentication databases on each device becomes problematic.
8.2.4. Authentication Rules Chapter 8. User Authentication NetDefendOS acts as a RADIUS client, sending user credentials and connection parameter information as a RADIUS message to a nominated RADIUS server. The server processes the requests and sends back a RADIUS message to accept or deny them. One or more external servers can be defined in NetDefendOS.
The list below describes the processing flow through NetDefendOS for username/password authentication: A user creates a new connection to the D-Link Firewall. NetDefendOS sees the new user connection on an interface and checks the Authentication rule set to see if there is a matching rule for traffic on this interface, coming from this network and data which is one of the following types: •...
The first rule allows the authentication process to take place and assumes the client is trying to access the lan_ip IP address, which is the IP address of the interface on the D-Link Firewall where the local network connects.
8.2.6. HTTP Authentication Action Src Interface Src Network Dest Interface Dest Network Service Allow lannet core lan_ip http-all trusted_users all-nets http-all lannet all-nets dns-all lannet all-nets http-all all-to-one 127.0.0.1 Allow lannet all-nets http-all The SAT rule catches all unauthenticated requests and must be set up with an all-to-one address mapping that directs them to the address 127.0.0.1 which corresponds to core (NetDefendOS itself).
8.2.6. HTTP Authentication Example 8.1. Creating an authentication user group In the example of an authentication address object in the Address Book, a user group "users" is used to enable user authentication on "lannet". This example shows how to configure the user group in the NetDefendOS database.
8.2.6. HTTP Authentication • Source Network: lannet • Destination Interface: core • Destination Network: lan_ip Click OK B. Set up the Authentication Rule Go to User Authentication > User Authentication Rules > Add > User Authentication Rule Now enter: •...
8.2.6. HTTP Authentication Port: 1812 (RADIUS service uses UDP port 1812 by default) Retry Timeout: 2 (NetDefendOS will resend the authentication request to the server if there is no response after the timeout, for example every 2 seconds. This will be retried a maximum of 3 times) Shared Secret: Enter a text string here for basic encryption of the RADIUS messages.
Chapter 9. VPN This chapter describes VPN usage with NetDefendOS. • Overview, page 229 • VPN Quickstart Guide, page 231 • IPsec, page 240 • IPsec Tunnels, page 253 • PPTP/L2TP, page 260 9.1. Overview 9.1.1. The Need for VPNs Most networks are connected to each other through the Internet.
9.1.4. Key Distribution • Protecting mobile and home computers • Restricting access through the VPN to needed services only, since mobile computers are vulnerable • Creating DMZs for services that need to be shared with other companies through VPNs •...
The remote network which lies behind the remote VPN gateway (let's call this object remote_net). • The local network behind the D-Link Firewall which will communicate across the tunnel. Here we will assume that this is the pre-defined address lannet and this network is attached to the NetDefendOS lan interface.
9.2.2. IPsec Roaming Clients with Pre-shared Keys the Destination Interface. The rule's Destination Network is the remote network remote_net. • An Allow rule for inbound traffic that has the previously defined ipsec_tunnel object as the Source Interface. The Source Network is remote_net. Action Src Interface Src Network...
9.2.2. IPsec Roaming Clients with Pre-shared Keys Authentication section of an IP object. If that IP object is then used as the Source Network of a rule in the IP rule set, that rule will only apply to a user if their Group string matches the Group string of the IP object.
Enable the IKE Config Mode option in the IPsec Tunnel object ipsec_tunnel. Configuring the IPsec Client In both cases (A) and (B) above the IPsec client will need to be configured with the URL of the D-Link Firewall as well as the pre-shared key.
9.2.4. L2TP Roaming Clients with Pre-Shared Keys Define a Pre-shared Key for the IPsec tunnel. Define an IPsec Tunnel object (let's call this object ipsec_tunnel) with the following parameters: • Set Local Network to ip_ext (specify all-nets instead if NetDefendOS is behind a NATing device).
A major secondary disadvantage is not being able to NAT PPTP connections through a tunnel so multiple clients can use a single connection to the D-Link Firewall. If NATing is tried then only the first client that tries to connect will succeed.
As described for L2TP, the NAT rule lets the clients access the public Internet via the D-Link Firewall. Set up the client. For Windows XP, the procedure is exactly as described for L2TP above but without entering the pre-shared key.
Use ICMP Ping to confirm that the tunnel is working. With roaming clients this is best done by pinging the internal IP address of the local network interface on the D-Link Firewall from a client (in LAN to LAN setups pinging could be done in either direction). If NetDefendOS is to be able to respond to a Ping then the following rule must exist in the IP rule set.
9.3. IPsec 9.3.1. Overview Internet Protocol Security (IPsec) is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP security at the network layer. An IPsec based VPN is made up of two parts: •...
9.3.2. Internet Key Exchange (IKE) IKE Negotiation The process of negotiating session parameters consists of a number of phases and modes. These are described in detail in the sections below. The flow of events can be summarized as follows: IKE Phase-1 •...
When installing two D-Link Firewalls as VPN endpoints, this process is reduced to comparing fields in two identical dialog boxes. However, it is not quite as easy when equipment from different vendors is involved.
This field can also be set to "none", forcing the D-Link VPN to treat the remote address as the remote gateway. This is particularly useful in cases of roaming access, where the IP addresses of the remote VPN clients are not known beforehand.
9.3.2. Internet Key Exchange (IKE) • Cast128 • 3DES • DES Note: DES is only included to be interoperable with other older VPN implementations. Use of DES should be avoided whenever possible, since it is an old algorithm that is no longer considered secure.
However, this one is used solely for PFS. IPsec Encryption The encryption algorithm to use on the protected traffic. This is not needed when AH is used, or when ESP is used without encryption. The algorithms supported by D-Link Firewall VPNs are: • Blowfish •...
IKE is not used at all; the encryption and authentication keys as well as some other parameters are directly configured on both sides of the VPN tunnel. Note D-Link Firewalls do not support Manual Keying. Manual Keying Advantages Since it is very straightforward it will be quite interoperable. Most interoperability problems encountered today are in IKE.
9.3.4. IPsec Protocols (ESP/AH) roaming clients. Instead, should a client be compromised, the client's certificate can simply be revoked. No need to reconfigure every client. Certificate Disadvantages Added complexity. Certificate-based authentication may be used as part of a larger public key infrastructure, making all VPN clients and firewalls dependent on third parties.
9.3.5. NAT Traversal Both the IKE and IPsec protocols present a problem in the functioning of NAT. Neither protocol was designed to work through NATs and because of this, a technique called "NAT traversal" has evolved.
The ike-roamingclients and esp-tn-roamingclients proposal lists are suitable for VPN tunnels that are used for roaming VPN clients. These proposal lists are compatible with the default proposal lists in the D-Link VPN Client. As the name implies, the ike-lantolan and esp-tn-lantolan are suitable for LAN-to-LAN VPN solutions.
9.3.7. Pre-shared Keys Go to Objects > VPN Objects > IKE Algorithms > Add > IPsec Algorithms Enter a name for the list, e.g. esp-l2tptunnel. Now check the following: • 3DES • SHA1 • Click OK Then, apply the proposal list to the IPsec tunnel: Go to Interfaces >...
Click OK 9.3.8. Identification Lists When X.509 certificates are used as authentication method for IPsec tunnels, the D-Link Firewall will accept all remote firewalls or VPN clients that are capable of presenting a certificate signed by any of the trusted Certificate Authorities. This can be a potential problem, especially when using roaming clients.
• Organizational Unit: Support • Country: Sweden • Email Address: john.doe@D-Link.com Click OK Finally, apply the Identification List to the IPsec tunnel: Go to Interfaces > IPsec In the grid control, click on the IPsec tunnel object of interest Under the Authentication tab, choose X.509 Certificate Select the appropriate certificate in the Root Certificate(s) and Gateway Certificate controls.
Secure communication is achieved through the use of IPsec tunneling, with the tunnel extending from the VPN gateway at one location to the VPN gateway at another location. The D-Link Firewall is therefore the implementor of the VPN, while at the same time applying normal security surveillance of traffic passing through the tunnel.
Dealing with Unknown IP addresses If the IP address of the client is not known beforehand then the D-Link Firewall needs to create a route in its routing table dynamically as each client connects. In the example below this is the case and the IPsec tunnel is configured to dynamically add routes.
Example 9.5. Setting up a Self-signed Certificate based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office D-Link Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip.
Example 9.6. Setting up a CA Server issued Certificate based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office D-Link Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip.
9.4.3. Roaming Clients Click OK Go to Objects > VPN Objects > ID List > Sales > Add > ID Enter the name for the client Select Email as Type In the Email address field, enter the email address selected when you created the certificate on the client Create a new ID for every client that you want to grant access rights according to the instructions above C.
9.4.3. Roaming Clients Currently only one Config Mode object can be defined in NetDefendOS and this is referred to as the Config Mode Pool object. The key parameters associated with it are as follows: Use Pre-defined IP Pool Object The IP Pool object that provides the IP addresses.
An X.509 root certificate usually includes the IP address or hostname of the Certificate Authority to contact when certificates or Certificate Revocation Lists need to be downloaded to the D-Link Firewall. Lightweight Directory Access Protocol (LDAP) is used for these downloads.
A common problem with setting up PPTP is that a router and/or switch in a network is blocking TCP port 1723 and/or IP protocol 47 before the PPTP connection can be made to the D-Link Firewall. Examining the log can indicate if this problem occurred, with a log message of the...
IPsec. The client communicates with a Local Access Concentrator (LAC) and the LAC communicates across the Internet with an L2TP Network Server (LNS). The D-Link Firewall acts as the LNS. The LAC is, in effect, tunneling data, such as a PPP session, using IPsec to the LNS across the Internet.
9.5.2. L2TP Now enter: • Inner IP Address: ip_l2tp • Tunnel Protocol: L2TP • Outer Interface Filter: l2tp_ipsec • Outer Server IP: wan_ip Under the PPP Parameters tab, select L2TP_Pool in the IP Pool control Under the Add Route tab, select all_nets in the Allowed Networks control Click OK Use User Authentication Rules is enabled as default.
9.5.2. L2TP DHCPOverIPsec=Yes AddRouteToRemoteNet=Yes IPsecLifeTimeKilobytes=250000 IPsecLifeTimeSeconds=3600 Web Interface Go to Interfaces > IPsec > Add > IPsec Tunnel Enter a name for the IPsec tunnel, e.g. l2tp_ipsec Now enter: Local Network: wan_ip Remote Network: all-nets Remote Endpoint: none Encapsulation Mode: Transport IKE Proposal List: ike-roamingclients IPsec Proposal List: esp-l2tptunnel...
9.5.2. L2TP In the ProxyARP control, select the lan interface. Click OK In order to authenticate the users using the L2TP tunnel, a user authentication rule needs to be configured. D. Next will be setting up the authentication rules: gw-world:/>...
9.5.2. L2TP Click OK Go to Rules > IP Rules > Add > IPRule Enter a name for the rule, e.g. NATL2TP Now enter: • Action: NAT • Service: all_services • Source Interface: l2tp_tunnel • Source Network: l2tp_pool •...
NetDefendOS provides QoS control by allowing the administrator to apply limits and guarantees to the network traffic passing through a D-Link Firewall. This approach is often referred to as traffic shaping and is well suited to managing bandwidth for LANs as well as to managing the bottlenecks that might be found in larger WANs.
10.1.3. Simple Bandwidth Limiting Chapter 10. Traffic Management Figure 10.1. Pipe rule set to Pipe Packet Flow Where one pipe is specified in a list then that is the pipe whose characteristics will be applied to the traffic. If a series of pipes are specified then these will form a Chain of pipes through which traffic will pass.
10.1.4. Limiting Bandwidth in Both Directions gw-world:/> add PipeRule ReturnChain=std-in SourceInterface=lan SourceNetwork=lannet DestinationInterface=wan DestinationNetwork=all-nets Service=all_services name=Outbound Web Interface Go to Traffic Management > Traffic Shaping > Pipes > Add > Pipe Rule Specify a suitable name for the pipe, for instance outbound. Now enter: •...
10.1.5. Creating Differentiated Limits with Chains gw-world:/> add Pipe std-out LimitKbpsTotal=2000 Web Interface Go to Traffic Management > Traffic Shaping > Pipes > Add > Pipe Specify a name for the pipe, e.g. std-out Enter 2000 in the Total textbox Click OK After creating a pipe for outbound bandwidth control, add it to the forward pipe chain of the rule created in the previous example:...
Setting up pipes in this way only puts limits on the maximum values for certain traffic types. It does not give priorities to different types of competing traffic. 10.1.6. Precedences All packets that pass through NetDefendOS traffic shaping pipes have a precedence. In the examples so far, precedences have not been explicitly set and so all packets have had the same default precedence of 0.
10.1.6. Precedences These limits can be specified in kilobits per second and/or packets per second (if both are specified then the first limit reached will be the limit used). If precedences are used then the total limit for the pipe as a whole must be specified, so that the pipe knows what its capacity is and therefore when it is full and precedences come into play.
for other services such as surfing, DNS or FTP. A means is therefore required to ensure that lower priority traffic gets some portion of bandwidth and this is done with Bandwidth Guarantees. 10.1.7. Guarantees Bandwidth guarantees ensure that there is a minimum amount of bandwidth available for a given precedence.
10.1.9. Groups telnet-in pipes. Notice that we did not set a total limit for the ssh-in and telnet-in pipes. We do not need to since the total limit will be enforced by the std-in pipe at the end of the respective chains. The ssh-in and telnet-in pipes act as a "priority filter": they make sure that no more than the reserved amount, 64 and 32 kbps, respectively, of precedence 2 traffic will reach std-in.
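The precedence and guarantee sections above describe the behaviour in words: higher precedences are served first, a per-precedence limit acts as a guarantee once the pipe is full, and a pipe can only know it is full when a total limit is set. The Python below is an added example, not NetDefendOS code, that models that allocation so the effect of a guarantee can be seen on numbers. The scheduling model is an assumption for this example (the page does not describe the scheduler's internals): traffic above a precedence's limit is demoted to best effort (precedence 0) and shares what remains equally with other best-effort traffic. The bandwidth figures used in the demonstration are constructed.

```python
"""Added example (not NetDefendOS code): how precedences and per-precedence
guarantees share a pipe's total limit, modelled on sections 10.1.6 and 10.1.7.
Assumed scheduling model: higher precedences are served first; a precedence
limit caps what that precedence may take in priority, which is what guarantees
the rest to lower precedences; traffic above the limit is demoted to best
effort (precedence 0) and shares the remainder equally."""


def _fair_share(capacity, wants):
    """Water-filling: split capacity equally among claimants, redistributing
    whatever a small claimant does not use. Returns {claimant: kbps}."""
    alloc = {k: 0.0 for k in wants}
    pending = {k: w for k, w in wants.items() if w > 0}
    while pending and capacity > 1e-9:
        share = capacity / len(pending)
        for k in list(pending):
            take = min(share, pending[k])
            alloc[k] += take
            capacity -= take
            pending[k] -= take
            if pending[k] <= 1e-9:
                del pending[k]
    return alloc


def allocate(total_kbps, limits, demand):
    """Allocate bandwidth per precedence.
    total_kbps: the pipe's total limit; None means no limit, so nothing is
                shaped (a pipe can only know it is full if a limit is set)
    limits:     {precedence: kbps} per-precedence limit, i.e. the guarantee
    demand:     {precedence: kbps offered}; 7 is highest, 0 is best effort"""
    if total_kbps is None:
        return {p: float(v) for p, v in demand.items()}
    alloc = {p: 0.0 for p in set(demand) | {0}}
    remaining = float(total_kbps)
    best_effort = {0: float(demand.get(0, 0))}
    for p in sorted(demand, reverse=True):
        if p == 0:
            continue                                # best effort is served last
        cap = limits.get(p, float("inf"))
        in_priority = min(demand[p], cap)           # what this precedence may take first
        served = min(in_priority, remaining)
        alloc[p] += served
        remaining -= served
        if demand[p] > cap:                         # excess over the guarantee
            best_effort[p] = demand[p] - cap
    for p, v in _fair_share(remaining, best_effort).items():
        alloc[p] += v
    return {p: round(v, 3) for p, v in alloc.items()}


if __name__ == "__main__":
    # Constructed figures: a 100 kbps pipe, precedence 2 offering 200 kbps,
    # best-effort traffic offering 80 kbps.
    print(allocate(100, {}, {2: 200, 0: 80}))       # precedence 2 starves best effort
    print(allocate(100, {2: 64}, {2: 200, 0: 80}))  # a 64 kbps limit leaves room for it
```

Without a limit on precedence 2 the best-effort traffic gets nothing, which is the starvation the Guarantees section warns about; with the 64 kbps limit the excess of precedence 2 competes on equal terms with best effort and both get a share.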
10.1.10. Recommendations Instead of specifying a total group limit, the alternative is to enable the Dynamic Balancing option. This ensures that the available bandwidth is divided equally between all addresses regardless of how many there are and this is done up to the limit of the pipe. If a total group limit of 100 bps is also specified, as before, then no one user may take more than that amount of bandwidth.
Traffic shaping cannot protect against incoming resource exhaustion attacks, such as DoS attacks or other flooding attacks. NetDefendOS will prevent these extraneous packets from reaching the hosts behind the D-Link Firewall, but cannot prevent the connection from becoming overloaded if an attack floods it.
10.1.11. A Summary of Traffic Shaping • A pipe can have a limit which is the maximum amount of traffic allowed. • A pipe can only know when it is full if a limit is specified. •...
Total Connection Limiting allows the administrator to put a limit on the total number of connections opened to the D-Link Firewall. This function is extremely useful when NAT pools are required due to the large number of connections generated by P2P users.
Threshold Rules. 10.2.7. Threshold Rules and ZoneDefense Threshold Rules are used in the D-Link ZoneDefense feature to block the source of excessive connection attempts from internal hosts. For more information on this refer to Chapter 12, ZoneDefense.
(sometimes called a "server farm") to handle many more requests than a single server. The image below illustrates a typical SLB scenario, with Internet access to applications being controlled by a D-Link Firewall.
10.3.2. Identifying the Servers SLB also means that network administrators can perform maintenance tasks on servers or applications without disrupting services. Individual servers can be restarted, upgraded, removed, or replaced, and new servers and applications can be added or moved without affecting the rest of a server farm, or taking down applications.
10 is used so that the number of new connections which were made to each server in the last 10 seconds will be remembered. An example is shown in the figure below. In this example, the D-Link Firewall is responsible for balancing connections from 3 clients with different addresses to 2 servers. Stickiness is set.
SLB will use the default routing table unless the administrator sets a specific routing table location. D-Link Server Load Balancing provides the following monitoring modes: ICMP Ping This works at OSI layer 3. SLB will ping the IP address of each individual server in the server farm.
The table below shows the rules that would be defined for a typical scenario of a set of webservers behind a D-Link Firewall for which the load is being balanced. The ALLOW rule allows external clients to access the webservers.
10.3.6. SLB_SAT Rules Click OK Repeat the above to create an object called server2 for the 192.168.1.11 IP address. B. Create a Group which contains the 2 webserver objects: Go to Objects > Address Book > Add > IP4 Group Enter a suitable name, e.g.
It should be kept in mind that the master unit in a cluster is not always the same as the active unit. The active unit is the D-Link Firewall that is processing all traffic at a given point in time. This could be the slave if a failover has occurred because the master's operation has been impaired.
11.1. Overview Chapter 11. High Availability D-Link HA will only operate between two D-Link Firewalls. As the internal operation of different security gateway manufacturers' software is completely dissimilar, there is no common method available for communicating state information to a dissimilar device.
11.2. High Availability Mechanisms D-Link HA provides a redundant, state-synchronized hardware configuration. The state of the active unit, such as the connection table and other vital information, is continuously copied to the inactive unit via the sync interface. When cluster failover occurs, the inactive unit knows which connections are active, and traffic can continue to flow.
11.2. High Availability Mechanisms packets destined for the shared hardware address.
This section provides a step-by-step guide for setting up an HA Cluster. 11.3.1. Hardware Setup Start with two physically similar D-Link Firewalls. Both may be newly purchased or one may have been purchased to be the back-up unit (in other words, to be the slave unit).
(NetDefendOS will automatically select the appropriate address from the master and slave IP addresses defined for the object). Repeat the above steps for the other D-Link Firewall but select the node type to be Slave. The configuration on both D-Link Firewalls needs to be the same. Configurations between the units are automatically synchronized.
11.3.3. Verifying Cluster Functioning This device is an HA MASTER This device is currently ACTIVE (will forward traffic) HA cluster peer is ALIVE Then use the stat command to verify that both master and slave have about the same number of connections.
11.4. High Availability Issues The following points should be kept in mind when managing and configuring an HA Cluster. SNMP SNMP statistics are not shared between master and slave. SNMP managers have no failover capabilities.
• ZoneDefense Switches, page 299 • ZoneDefense Operation, page 300 12.1. Overview ZoneDefense allows a D-Link Firewall to control locally attached switches. It can be used as a counter-measure to stop a virus-infected computer in a local network from infecting other computers.
The switch model type • The SNMP community string (write access) The ZoneDefense feature currently supports the following switches: • D-Link DES 3226S (minimum firmware: R4.02-B14) • D-Link DES 3250TG (minimum firmware: R3.00-B09) • D-Link DES 3326S (minimum firmware: R4.01-B39) •...
SNMP Managers A typical managing device, such as a D-Link Firewall, uses the SNMP protocol to monitor and control network devices in the managed environment. The manager can query stored statistics from the controlled devices by using the SNMP Community String. This is similar to a userid or password which allows access to the device's state information.
(in network range 192.168.2.0/24 for example) from accessing the switch completely. A D-Link switch model DES-3226S is used in this case, with a management interface address 192.168.1.250 connecting to the firewall's interface address 192.168.1.1. This firewall interface is added into the exclude list to prevent the firewall from being accidentally locked out from accessing the switch.
12.3.4. Limitations Chapter 12. ZoneDefense For Addresses choose the object name of the firewall's interface address 192.168.1.1 from the Available list and put it into the Selected list. Click OK Configure an HTTP threshold of 10 connections/second: Go to Traffic Management > Threshold Rules > Add > Threshold Rule For the Threshold Rule enter: •...
Note After an advanced setting is changed a reconfiguration must be performed in order for the new NetDefendOS configuration to be uploaded to the D-Link Firewall and the new value to take effect. • IP Level Settings, page 304 •...
Chapter 13. Advanced Settings LogNonIP4 Logs occurrences of IP packets that are not version 4. NetDefendOS only accepts version 4 IP packets; everything else is discarded. Default: 256 LogReceivedTTL0 Logs occurrences of IP packets received with the "Time To Live" (TTL) value set to zero. Under no circumstances should any network unit send packets with a TTL of 0.
Verifies that the size information contained in each "layer" (Ethernet, IP, TCP, UDP, ICMP) is consistent with that of other layers. Default: ValidateLogBad IPOptionSizes Verifies the size of "IP options". These options are small blocks of information that may be added to the end of each IP header.
13.2. TCP Level Settings TCPOptionSizes Verifies the size of TCP options. This function acts in the same way as IPOptionSizes described above. Default: ValidateLogBad TCPMSSMin Determines the minimum permissible size of the TCP MSS. Packets containing maximum segment sizes below this limit are handled according to the next setting.
Default: 7000 bytes TCPZeroUnusedACK Determines whether NetDefendOS should set the ACK sequence number field in TCP packets to zero if it is not used. Some operating systems reveal sequence number information this way, which can make it easier for intruders wanting to hijack established connections. Default: Enabled TCPZeroUnusedURG Strips the URG pointers from all packets.
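The IP and TCP level settings above (LogNonIP4, LogReceivedTTL0, IPOptionSizes, TCPOptionSizes, TCPMSSMin and TCPZeroUnusedACK) describe header sanity checks a stateful firewall applies before a packet ever reaches the rule set. The Python below is an added example, not NetDefendOS code, showing what each of those checks looks like on a raw IPv4/TCP packet: the option walker is the same for the IP and TCP option areas, an MSS option below a minimum is reported, and an unused ACK number is zeroed the way TCPZeroUnusedACK describes. The minimum MSS of 100 and the sample packets produced by build_packet are assumptions made for this example; checksums are left at zero because none of these checks depends on them.

```python
"""Added example (not NetDefendOS code): IP/TCP header sanity checks modelled
on the LogNonIP4, LogReceivedTTL0, IPOptionSizes, TCPOptionSizes, TCPMSSMin and
TCPZeroUnusedACK settings. Works on raw packet bytes with the standard library."""
import struct

TCP_MSS_MIN = 100      # assumed minimum MSS; the page does not give the real default
TCP_ACK_FLAG = 0x10


def _parse_options(opts: bytes, layer: str):
    """Parse a TLV option area (IP and TCP options share the layout).
    Returns ({kind: value_bytes}, findings); parsing stops at the first bad length."""
    parsed, findings, i = {}, [], 0
    while i < len(opts):
        kind = opts[i]
        if kind in (0, 1):                      # End-of-options / No-op: one byte, no length
            i += 1
            continue
        if i + 1 >= len(opts):
            findings.append(f"{layer}OptionSizes: option {kind} has no length byte")
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            findings.append(f"{layer}OptionSizes: option {kind} length {length} is inconsistent")
            break
        parsed[kind] = opts[i + 2:i + length]
        i += length
    return parsed, findings


def inspect_packet(pkt: bytes):
    """Apply the checks to one raw packet. Returns (findings, sanitized): findings
    name the setting that would log or drop the packet; sanitized is the packet with
    an unused TCP ACK number zeroed, or None when the packet is discarded outright."""
    version = pkt[0] >> 4
    if version != 4:
        return [f"LogNonIP4: IP version {version} discarded"], None
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    findings = []
    if ttl == 0:
        findings.append("LogReceivedTTL0: packet received with TTL 0")
    _, ip_findings = _parse_options(pkt[20:ihl], "IP")
    findings += ip_findings
    out = bytearray(pkt)
    if proto == 6 and len(pkt) >= ihl + 20:
        tcp = pkt[ihl:]
        data_off = (tcp[12] >> 4) * 4
        flags = tcp[13]
        tcp_opts, tcp_findings = _parse_options(tcp[20:data_off], "TCP")
        findings += tcp_findings
        if 2 in tcp_opts and len(tcp_opts[2]) == 2:        # kind 2 = MSS
            mss = struct.unpack("!H", tcp_opts[2])[0]
            if mss < TCP_MSS_MIN:
                findings.append(f"TCPMSSMin: MSS {mss} below minimum {TCP_MSS_MIN}")
        if not flags & TCP_ACK_FLAG:                       # TCPZeroUnusedACK
            out[ihl + 8:ihl + 12] = b"\x00\x00\x00\x00"
    return findings, bytes(out)


def build_packet(ttl=64, ip_opts=b"", tcp_opts=b"", flags=0x02, ack=0xDEADBEEF):
    """Constructed sample IPv4/TCP packet for the checks above (checksums left 0).
    Option areas are padded to a multiple of 4 bytes as the headers require."""
    ip_opts = ip_opts.ljust(-(-len(ip_opts) // 4) * 4, b"\x00")
    tcp_opts = tcp_opts.ljust(-(-len(tcp_opts) // 4) * 4, b"\x00")
    tcp = struct.pack("!HHIIBBHHH", 1038, 80, 1, ack,
                      (5 + len(tcp_opts) // 4) << 4, flags, 8192, 0, 0) + tcp_opts
    ihl = 5 + len(ip_opts) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 1, 0,
                     ttl, 6, 0, bytes([10, 0, 0, 3]), bytes([10, 0, 0, 2])) + ip_opts
    return ip + tcp


if __name__ == "__main__":
    samples = [("good", build_packet(tcp_opts=b"\x02\x04\x05\xb4")),
               ("ttl0", build_packet(ttl=0)),
               ("bad-tcp-opt", build_packet(tcp_opts=b"\x02\x09\x05\xb4")),
               ("low-mss", build_packet(tcp_opts=b"\x02\x04\x00\x20")),
               ("bad-ip-opt", build_packet(ip_opts=b"\x83\x0a\x04")),
               ("not-ipv4", b"\x60" + b"\x00" * 39)]
    for name, pkt in samples:
        print(name, inspect_packet(pkt)[0])
```

The option walker stops at the first inconsistent length rather than trying to skip past it, which is the conservative choice: once a length runs past the option area, nothing after it can be trusted.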
to transport alternate checksums where permitted by ALTCHKREQ above. Normally never seen on modern networks. Default: StripLog TCPOPT_CC Determines how NetDefendOS will handle connection count options. Default: StripLogBad TCPOPT_OTHER Specifies how NetDefendOS will deal with TCP options not covered by the above settings. These options usually never appear on modern networks.
TCPRF Specifies how NetDefendOS will deal with TCP packets with either the Xmas or Ymas flag turned on. These flags are currently mostly used by OS Fingerprinting. Note: an upcoming standard called Explicit Congestion Notification also makes use of these TCP flags, but as long as there are only a few operating systems supporting this standard, the flags should be stripped.
13.3. ICMP Level Settings ICMPSendPerSecLimit Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section.
13.4. ARP Settings ARPMatchEnetSender Determines if NetDefendOS will require the sender address at Ethernet level to comply with the hardware address reported in the ARP data. Default: DropLog ARPQueryNoSenderIP What to do with ARP queries that have a sender IP of 0.0.0.0. Such sender IPs are never valid in responses, but network units that have not yet learned of their IP address sometimes ask ARP questions with an "unspecified"...
ARPExpire Specifies how long a normal dynamic item in the ARP table is to be retained before it is removed from the table. Default: 900 seconds (15 minutes) ARPExpireUnknown Specifies how long NetDefendOS is to remember addresses that cannot be reached. This is done to ensure that NetDefendOS does not continuously request such addresses.
This generates a log message for every packet that passes through a connection that is set up in the NetDefendOS state-engine. Traffic whose destination is the D-Link Firewall itself, for example NetDefendOS management traffic, is not subject to this setting.
LogConnections • NoLog – Does not log any connections; consequently, it will not matter if logging is enabled for either Allow or NAT rules in the Rules section; they will not be logged. However, FwdFast, Drop and Reject rules will be logged as stipulated by the settings in the Rules section. •...
13.6. Connection Timeouts The settings in this section specify how long a connection can remain idle, i.e. no data being sent through it, before it is automatically closed. Note that each connection has two timeout values: one for each direction.
13.7. Size Limits by Protocol This section contains information about the size limits imposed on the protocols directly under the IP level, i.e. TCP, UDP, ICMP, etc. The values specified here concern the IP data contained in packets. In the case of Ethernet, a single packet can contain up to 1480 bytes of IP data without fragmentation.
MaxSKIPLen Specifies the maximum size of a SKIP packet. Default: 2000 bytes MaxOSPFLen Specifies the maximum size of an OSPF packet. OSPF is a routing protocol mainly used in larger LANs. Default: 1480 MaxIPIPLen Specifies the maximum size of an IP-in-IP packet. IP-in-IP is used by Checkpoint Firewall-1 VPN connections when IPsec is not used.
13.8. Fragmentation Settings IP is able to transport up to 65536 bytes of data. However, most media, such as Ethernet, cannot carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate packets, each one given its own IP header and information that will help the recipient reassemble the original packet correctly.
Default: Check8 – compare 8 random locations, a total of 32 bytes FragReassemblyFail Reassemblies may fail due to one of the following causes: • Some of the fragments did not arrive within the time stipulated by the ReassTimeout or ReassTimeLimit settings.
not match up. Possible settings are as follows: • NoLog - No logging is carried out under normal circumstances. • LogSuspect - Logs duplicated fragments if the reassembly procedure has been affected by "suspect" fragments. •...
ReassIllegalLinger Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in its memory in order to prevent further fragments of that packet from arriving. Default: 60 seconds...
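The fragmentation settings above list the ways a reassembly can fail (fragments missing after the timeout, duplicate fragments whose data does not match, a packet already marked illegal) and describe the Check8 default of comparing a duplicate at 8 sampled locations. The Python below is an added example, not NetDefendOS code, of a small reassembler that applies those rules and reports which condition a fragment triggered. The class name Reassembler, the 65 second timeout, the 60 second linger, the tuple used as the packet key and the sample fragments are all assumptions made for this example.

```python
"""Added example (not NetDefendOS code): fragment reassembly with the failure
causes described under FragReassemblyFail, duplicate comparison at sampled
locations as in the Check8 default, and an illegal-packet linger as in
ReassIllegalLinger. Timeouts and names are assumptions for this example."""
import random

REASS_TIMEOUT = 65       # assumed: seconds a partial packet may wait for fragments
ILLEGAL_LINGER = 60      # assumed: seconds a packet marked illegal is remembered
CHECK_SAMPLES = 8        # Check8: compare 8 sampled 4-byte locations (32 bytes)


class Reassembler:
    def __init__(self, rng=None):
        self.partial = {}          # key -> {"frags": {offset: data}, "first": ts, "total": int|None}
        self.illegal = {}          # key -> time the packet was marked illegal
        self.rng = rng or random.Random(0)

    def _same_at_samples(self, a, b):
        """Compare two copies of a fragment at CHECK_SAMPLES random 4-byte windows;
        short fragments are compared in full since sampling would cover them anyway."""
        if len(a) != len(b):
            return False
        if len(a) <= 4 * CHECK_SAMPLES:
            return a == b
        return all(a[i:i + 4] == b[i:i + 4]
                   for i in (self.rng.randrange(0, len(a) - 4) for _ in range(CHECK_SAMPLES)))

    def _mark_illegal(self, key, now):
        self.partial.pop(key, None)
        self.illegal[key] = now

    def add(self, key, offset, more, data, now):
        """Feed one fragment. Returns ("done", payload), ("pending", why) or
        ("dropped", why); key identifies the packet (e.g. src, dst, IP id)."""
        if key in self.illegal:
            if now - self.illegal[key] < ILLEGAL_LINGER:
                return ("dropped", "fragment of packet marked illegal")
            del self.illegal[key]
        st = self.partial.setdefault(key, {"frags": {}, "first": now, "total": None})
        if now - st["first"] > REASS_TIMEOUT:
            del self.partial[key]               # the next fragment starts a fresh reassembly
            return ("dropped", "FragReassemblyFail: timeout")
        if offset in st["frags"]:
            if self._same_at_samples(st["frags"][offset], data):
                return ("pending", "duplicate fragment ignored")
            self._mark_illegal(key, now)
            return ("dropped", "FragReassemblyFail: duplicate fragment with different data")
        for off, d in st["frags"].items():        # partial overlap is never legitimate
            if offset < off + len(d) and off < offset + len(data):
                self._mark_illegal(key, now)
                return ("dropped", "FragReassemblyFail: overlapping fragments")
        st["frags"][offset] = data
        if not more:
            st["total"] = offset + len(data)
        if st["total"] is not None:
            ordered = sorted(st["frags"].items())
            covered = 0
            for off, d in ordered:
                if off != covered:
                    return ("pending", "waiting for more fragments")
                covered += len(d)
            if covered == st["total"]:
                del self.partial[key]
                return ("done", b"".join(d for _, d in ordered))
        return ("pending", "waiting for more fragments")


if __name__ == "__main__":
    r = Reassembler()
    key = ("10.0.0.3", "10.0.0.2", 0x1234)         # constructed packet identity
    print(r.add(key, 0, True, b"A" * 16, 0.0))
    print(r.add(key, 0, True, b"C" * 16, 0.2))      # same offset, different bytes
    print(r.add(key, 16, False, b"B" * 8, 0.3))     # rejected: packet now lingers as illegal
```

Marking the whole packet illegal and then refusing its later fragments for a while is what keeps a reassembler from being kept busy by a stream of conflicting duplicates; the timeout check runs on arrival of the next fragment, so a stale partial packet is discarded as soon as any further fragment for it shows up.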
13.9. Local Fragment Reassembly Settings LocalReass_MaxConcurrent Maximum number of concurrent local reassemblies. Default: 256 LocalReass_MaxSize Maximum size of a locally reassembled packet. Default: 10000 LocalReass_NumLarge Number of large (over 2K) local reassembly buffers (of the above size). Default: 32...
13.10. DHCP Settings DHCP_MinimumLeaseTime Minimum lease time (seconds) accepted from the DHCP server. Default: 60 DHCP_ValidateBcast Require that the assigned broadcast address is the highest address in the assigned network. Default: Enabled DHCP_AllowGlobalBcast Allow DHCP server to assign 255.255.255.255 as broadcast.
13.11. DHCPRelay Settings DHCPRelay_MaxTransactions Maximum number of transactions at the same time. Default: 32 DHCPRelay_TransactionTimeout How long a DHCP transaction may take. Default: 10 seconds DHCPRelay_MaxPPMPerIface How many DHCP packets a client can send through NetDefendOS to the DHCP server during one minute.
13.12. DHCPServer Settings
DHCPServer_SaveLeasePolicy
The policy used to save the lease database to disk. Possible settings are Disabled, ReconfShut and ReconfShutTimer. Default: ReconfShut
DHCPServer_AutoSaveLeaseInterval
How often the lease database is saved to disk if DHCPServer_SaveLeasePolicy is set to ReconfShutTimer.
13.13. IPsec Settings
IKESendInitialContact
Determines whether or not IKE should send the "Initial Contact" notification message. This message is sent to each remote gateway when a connection is opened to it and there are no previous IPsec SAs using that gateway.
IPsecDeleteSAOnIPValidationFailure
Controls what happens to the SAs if IP validation in Config Mode fails. If Enabled, the security associations (SAs) are deleted on failure. Default: Disabled...
13.14. Logging Settings
LogSendPerSecLimit
This setting limits how many log packets NetDefendOS may send out per second. This value should never be set too low, as this may result in important events not being logged, nor should it be set too high.
13.15. Time Synchronization Settings
TimeSync_SyncInterval
Seconds between each resynchronization. Default: 86400
TimeSync_MaxAdjust
Maximum time drift (seconds) that a server is allowed to adjust. Keeping this bound small limits how far a faulty or spoofed server response can shift the clock in one step. Default: 3600
TimeSync_ServerType
Type of server for time synchronization, UDPTime or SNTP (Simple Network Time Protocol). Default: SNTP
TimeSync_GroupIntervalSize
Interval according to which server responses will be grouped.
DST offset in minutes. Default: 0
TimeSync_DSTStartDate
What month and day DST starts, in the format MM-DD. Default: none
TimeSync_DSTEndDate
What month and day DST ends, in the format MM-DD. Default: none...
13.16. PPP Settings
PPP_L2TPBeforeRules
Pass L2TP traffic sent to the D-Link Firewall directly to the L2TP Server without consulting the rule set. Default: Enabled
PPP_PPTPBeforeRules
Pass PPTP traffic sent to the D-Link Firewall directly to the PPTP Server without consulting the rule set.
Traffic passed this way never reaches the IP rule set; if the L2TP or PPTP server should only be reachable from sources an explicit IP rule allows, disable the corresponding setting and add that rule.
13.17. Hardware Monitor Settings
HWM_PollInterval
Polling interval for the Hardware Monitor, which is the delay in milliseconds between readings of hardware monitor values. Minimum 100, Maximum 10000. Default: 500 ms
HWMMem_Interval
Memory polling interval, which is the delay in minutes between readings of memory values. Minimum 1, Maximum 200.
13.18. Packet Re-assembly Settings
Packet re-assembly collects IP fragments into complete IP datagrams and, for TCP, reorders segments so that they are processed in the correct order. It also keeps track of potential segment overlaps and informs other subsystems of such overlaps.
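The fragment settings in Section 13.8 (the Check8-style duplicate data comparison, FragReassemblyFail, ReassIllegalLinger) and the overlap tracking described here rest on the same byte-range bookkeeping. The following added example (not NetDefendOS code) shows that bookkeeping: a re-assembler that accepts pieces out of order, classifies an overlapping piece as a harmless duplicate when the duplicated bytes match and as illegal when they differ, and refuses to hand back a datagram with holes. The names Reassembly, add(), complete() and sample_mismatch(), the "accepted"/"duplicate"/"illegal" verdicts, and the sample fragments are this example's own. Offsets are byte offsets from the start of the datagram (the IP fragment offset times 8, or a TCP sequence number minus the initial sequence number), so the same class serves both the IP and the TCP case.

```python
"""Fragment/segment re-assembly with overlap accounting.

Added example for Sections 13.8 and 13.18 of this manual; it is not
NetDefendOS code. Names and verdict strings are this example's own.
"""
import random
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def sample_mismatch(new: bytes, old: bytes, locations: int, rng: random.Random) -> bool:
    """Compare two copies of the same byte range.

    Mirrors the Check<N> idea of 13.8: compare N random 4-byte locations
    (Check8 = 8 locations = 32 bytes) rather than the whole overlap.
    A short overlap, or locations == 0, is compared in full.
    """
    assert len(new) == len(old)
    if locations == 0 or len(old) <= 4 * locations:
        return new != old
    starts = rng.sample(range(0, len(old) - 3), locations)
    return any(new[s:s + 4] != old[s:s + 4] for s in starts)


@dataclass
class Reassembly:
    """State for one datagram (or TCP stream window) being rebuilt."""
    chunks: List[Tuple[int, bytes]] = field(default_factory=list)  # accepted (offset, data)
    total_length: Optional[int] = None   # known once the last piece has arrived
    suspect: bool = False                # duplicated data was seen (copies agreed)
    illegal: bool = False                # overlapping data that differed was seen
    check_locations: int = 8             # Check8 behaviour
    rng: random.Random = field(default_factory=random.Random)

    def add(self, offset: int, data: bytes, last: bool = False) -> str:
        """Offer one fragment; returns 'accepted', 'duplicate' or 'illegal'."""
        if self.illegal:
            # ReassIllegalLinger: later fragments of a packet already judged
            # illegal are dropped without starting a new reassembly.
            return "illegal"
        end = offset + len(data)
        # A piece past the known end, or a 'last' piece that ends before data
        # already accepted, cannot belong to a well-formed datagram.
        if self.total_length is not None and end > self.total_length:
            self.illegal = True
            return "illegal"
        if last and any(c_off + len(c_data) > end for c_off, c_data in self.chunks):
            self.illegal = True
            return "illegal"
        verdict = "accepted"
        for c_off, c_data in self.chunks:
            lo, hi = max(offset, c_off), min(end, c_off + len(c_data))
            if lo >= hi:
                continue                         # disjoint ranges
            self.suspect = True                  # duplicated data: log under LogSuspect
            verdict = "duplicate"
            if sample_mismatch(data[lo - offset:hi - offset],
                               c_data[lo - c_off:hi - c_off],
                               self.check_locations, self.rng):
                self.illegal = True              # same range, different bytes
                return "illegal"
        if last:
            self.total_length = end
        self.chunks.append((offset, data))
        return verdict

    def complete(self) -> Optional[bytes]:
        """Return the datagram once every byte up to the last piece is present."""
        if self.illegal or self.total_length is None:
            return None
        buf = bytearray(self.total_length)
        covered = 0                              # bytes [0, covered) are filled
        for off, data in sorted(self.chunks):
            if off > covered:
                return None                      # hole: still waiting (ReassTimeout applies)
            buf[off:off + len(data)] = data
            covered = max(covered, off + len(data))
        return bytes(buf) if covered >= self.total_length else None


if __name__ == "__main__":
    # Constructed fragments of a 24-byte payload, delivered out of order.
    r = Reassembly(rng=random.Random(1))
    for off, data, last in ((16, b"C" * 8, True), (0, b"A" * 8, False), (8, b"B" * 8, False)):
        print(off, r.add(off, data, last), r.complete())
    print("conflicting overlap:", r.add(4, b"X" * 8), r.illegal)
```

The verdict a practitioner cares about is the third one: two copies of the same range that disagree are exactly what the IllegalFrags and DuplicateFragData settings exist to catch, because a scanner that reads the first copy and a host that keeps the second will see different payloads.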
13.19. Miscellaneous Settings
BufFloodRebootTime
As a last resort, NetDefendOS automatically reboots if its buffers have been flooded for a long time. This setting specifies that amount of time. Default: 3600
MaxPipeUsers
The maximum number of pipe users to allocate. As pipe users are only tracked for a 20th of a second, this number usually does not need to be anywhere near the number of actual users, or the number of statefully tracked connections.
On purchase, you will receive a unique activation code to identify you as a user of the service.
• Go to Maintenance > License in the web interface of your D-Link Firewall system and enter this activation code. NetDefendOS will indicate the code is accepted and the update service will be activated.
To get the status of AV updates:
gw-world:/> updatecenter -status Antivirus
Querying Server Status
To get the status of the D-Link network servers use the command:
gw-world:/> updatecenter -servers
Deleting Local Databases
Some technical problems in the operation of either the IDP or the Anti-Virus module may be resolved by deleting the database and reloading it.
For IDP scanning, the following signature groups are available for selection. These groups are available only for the D-Link Advanced IDP Service. Each group exists in a version for each of the three types IDS, IPS and Policy. For further information see Section 6.5, "Intrusion Detection and Prevention".
Appendix B. IDP Signature Groups
Group Name - Intrusion Type
FTP_FORMATSTRING - Format string attack
FTP_GENERAL - FTP protocol and implementation
FTP_LOGIN - Login attacks
FTP_OVERFLOW - FTP buffer overflow
GAME_BOMBERCLONE - Bomberclone game
GAME_GENERAL - Generic game servers/clients
GAME_UNREAL - UnReal Game server
HTTP_APACHE - Apache httpd
HTTP_BADBLUE - Badblue web server
HTTP_CGI - HTTP CGI...
POP3_DOS - Denial of Service for POP
POP3_GENERAL - Post Office Protocol v3
POP3_LOGIN-ATTACKS - Password guessing and related login attack
POP3_OVERFLOW - POP3 server overflow
POP3_REQUEST-ERRORS - Request Error
PORTMAPPER_GENERAL - PortMapper
PRINT_GENERAL - LP printing server: LPR LPD
PRINT_OVERFLOW - Overflow of LPR/LPD protocol/implementation
REMOTEACCESS_GOTOMYPC...
TFTP_OPERATION - Operation Attack
TFTP_OVERFLOW - TFTP buffer overflow attack
TFTP_REPLY - TFTP Reply attack
TFTP_REQUEST - TFTP request attack
TROJAN_GENERAL - Trojan
UDP_GENERAL - General UDP
UDP_POPUP - Pop-up window for MS Windows
UPNP_GENERAL - UPNP
VERSION_CVS
VERSION_SVN - Subversion
VIRUS_GENERAL - Virus...
Appendix C. Checked MIME filetypes
The HTTP Application Layer Gateway can verify that the contents of a file downloaded via HTTP are of the type that the file's extension indicates. This appendix lists the MIME filetypes that NetDefendOS can check to make sure that the content matches the filetype of a download.
Filetype extension - Application
eMacs Lisp Byte-compiled Source Code
ABT EMD Module/Song Format file
ESP archive data
Windows Executable
Free Graphics Format file
flac - Free Lossless Audio Codec file
FLIC Animated Picture
FLIC Animation
Macromedia Flash Video
gdbm - Database file
Graphic Interchange Format file...
CrossePAC archive data
Portable Bitmap Format Image
Portable Bitmap Graphic
Acrobat Portable Document Format
Portable Executable file
PostScript Type 1 Font
Portable Graymap Graphic
SysV R4 PKG Datastreams
PAKLeo archive data
PMarc archive data
Portable (Public) Network Graphic
PBM Portable Pixelmap Graphic
PostScript file...
Lotus 1-2-3 document
Windows Media file
wrl, vrml - Plain Text VRML file
GIMP Image file
Fast Tracker 2 Extended Module, audio file
XML file
xmcd - xmcd database file for kscd
BMC Software Patrol UNIX Icon file
YAC compressed archive
ZIF image
Zip compressed archive file...
Appendix D. The OSI Framework The Open Systems Interconnection Model defines a framework for intercomputer communications. It categorizes different protocols for a great variety of network applications into seven smaller, more manageable layers. The model describes how data from an application in one computer can be transferred through a network medium to an application on another computer.
Appendix E. D-Link worldwide offices Below is a complete list of D-Link worldwide sales offices. Please check your own country area's local website for further details regarding support of D-Link products as well as contact details for local support. Australia 1 Giffnock Avenue, North Ryde, NSW 2113, Australia.
FAX: +972-9-9715601. Website: www.dlink.co.il
Italy Via Nino Bonnet n. 6/b, 20154 – Milano, Italy. TEL: 39-02-2900-0676, FAX: 39-02-2900-1723. Website: www.dlink.it
Latin America Isidora Goyeechea 2934, Oficina 702, Las Condes, Santiago – Chile. TEL: 56-2-232-3185, FAX: 56-2-232-0923. Website: www.dlink.cl...