Download Print this page

Advertisement

Network Security Firewall
DFL-210/ 800/1600/ 2500
DFL-260/ 860
Security
Security
Ver.
1.06
Network Security Solution
http://www.dlink.com

Advertisement

   Also See for D-Link NetDefend DFL-210

   Related Manuals for D-Link NetDefend DFL-210

   Summary of Contents for D-Link NetDefend DFL-210

  • Page 1

    Network Security Firewall User Manual DFL-210/ 800/1600/ 2500 DFL-260/ 860 Security Security Ver. 1.06 Network Security Solution http://www.dlink.com...

  • Page 2: User Manual

    User Manual DFL-210/260/800/860/1600/2500 NetDefendOS version 2.20 D-Link NetDefend Security http://security.dlink.com.tw Published 2007-12-24 Copyright © 2007...

  • Page 3

    D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE...

  • Page 4: Table Of Contents

    Table of Contents Preface .......................12 1. Product Overview .....................14 1.1. About D-Link NetDefendOS ..............14 1.2. NetDefendOS Architecture ..............16 1.2.1. State-based Architecture ...............16 1.2.2. NetDefendOS Building Blocks ............16 1.2.3. Basic Packet Flow ................17 1.3. NetDefendOS State Engine Packet Flow .............19 2. Management and Maintenance ................23 2.1.

  • Page 5: Table Of Contents

    User Manual 3.4.3. ARP Cache .................68 3.4.4. Static and Published ARP Entries ............69 3.4.5. Advanced ARP Settings ..............71 3.5. The IP Rule Set ..................73 3.5.1. Security Policies ................73 3.5.2. IP Rule Evaluation ...............74 3.5.3. IP Rule Actions ................75 3.5.4. Editing IP rule set Entries ..............76 3.6.

  • Page 6: Table Of Contents

    6.4.2. Implementation ................. 183 6.4.3. Activating Anti-Virus Scanning ............ 184 6.4.4. The Signature Database .............. 184 6.4.5. Subscribing to the D-Link Anti-Virus Service ......... 184 6.4.6. Anti-Virus Options ..............184 6.5. Intrusion Detection and Prevention ............188 6.5.1. Overview ................. 188 6.5.2.

  • Page 7: Table Of Contents

    User Manual 9.2.3. IPsec Roaming Clients with Certificates ......... 234 9.2.4. L2TP Roaming Clients with Pre-Shared Keys ......... 234 9.2.5. L2TP Roaming Clients with Certificates ........236 9.2.6. PPTP Roaming Clients ............... 236 9.2.7. VPN Troubleshooting ..............237 9.3. IPsec ....................240 9.3.1.

  • Page 8: Table Of Contents

    13.19. Miscellaneous Settings ............... 336 A. Subscribing to Security Updates ................ 338 B. IDP Signature Groups ..................340 C. Checked MIME filetypes ................. 344 D. The OSI Framework ..................348 E. D-Link worldwide offices ................349 Alphabetical Index ..................... 351...

  • Page 9: Table Of Contents

    List of Figures 1.1. Packet Flow Schematic Part I ................19 1.2. Packet Flow Schematic Part II ................20 1.3. Packet Flow Schematic Part III .................20 3.1. An Example GRE Scenario ................64 4.1. A Route Failover Scenario for ISP Access ............94 4.2. Virtual Links Example 1 ................106 4.3.

  • Page 10: Table Of Contents

    3.24. Manually Triggering a Time Synchronization ............84 3.25. Modifying the Maximum Adjustment Value ............85 3.26. Forcing Time Synchronization ................85 3.27. Enabling the D-Link NTP Server ..............86 3.28. Configuring DNS Servers ................87 4.1. Displaying the Routing Table ................92 4.2. Displaying the Core Routes ................93 4.3.

  • Page 11: Table Of Contents

    6.7. Using Private IP Addresses ................161 6.8. H.323 with Gatekeeper .................. 162 6.9. H.323 with Gatekeeper and two D-Link Firewalls ..........164 6.10. Using the H.323 ALG in a Corporate Environment ........... 165 6.11. Configuring remote offices for H.323 ............. 167 6.12.

  • Page 12: Preface, Example Notation

    The target audience for this reference guide is Administrators who are responsible for configuring and managing D-Link Firewalls which are running the NetDefendOS operating system. This guide assumes that the reader has some basic knowledge of networks and network security.

  • Page 13

    Highlighted Content Preface Highlighted Content Special sections of text which the reader should pay special attention to are indicated by icons on the left hand side of the page followed by a short paragraph in italicized text. Such sections are of the following types with the following purposes: Note This indicates some piece of information that is an addition to the preceding text.

  • Page 14: Product Overview, About D-link Netdefendos

    • NetDefendOS Architecture, page 16 • NetDefendOS State Engine Packet Flow, page 19 1.1. About D-Link NetDefendOS D-Link NetDefendOS is the firmware, the software engine that drives and controls all D-Link Firewall products. Designed as a network security operating system, NetDefendOS features high throughput performance with high reliability plus super-granular control.

  • Page 15

    SNMP. For more information, please see Chapter 2, Management and Maintenance. ZoneDefense NetDefendOS can be used to control D-Link switches using the ZoneDefense feature. Reading through this documentation carefully will ensure that you get the most out of your NetDefendOS product.

  • Page 16: Netdefendos Architecture, State-based Architecture, Netdefendos Building Blocks

    1.2. NetDefendOS Architecture Chapter 1. Product Overview 1.2. NetDefendOS Architecture 1.2.1. State-based Architecture The NetDefendOS architecture is centered around the concept of state-based connections. Traditional IP routers or switches commonly inspect all packets and then perform forwarding decisions based on information found in the packet headers. With this approach, packets are forwarded without any sense of context which eliminates any possibility to detect and analyze complex protocols and enforce corresponding security policies.

  • Page 17: Basic Packet Flow

    1.2.3. Basic Packet Flow Chapter 1. Product Overview 1.2.3. Basic Packet Flow This section outlines the basic flow in the state-engine for packets received and forwarded by NetDefendOS. Please note that this description is simplified and might not be fully applicable in all scenarios.

  • Page 18

    1.2.3. Basic Packet Flow Chapter 1. Product Overview and the event is logged according to the log settings for the rule. If the action is Allow, the packet is allowed through the system. A corresponding state will be added to the connection table for matching subsequent packets belonging to the same connection.

  • Page 19: Netdefendos State Engine Packet Flow, Packet Flow Schematic Part I

    1.3. NetDefendOS State Engine Packet Chapter 1. Product Overview Flow 1.3. NetDefendOS State Engine Packet Flow The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next. Figure 1.1.

  • Page 20: Packet Flow Schematic Part Ii, Packet Flow Schematic Part Iii

    1.3. NetDefendOS State Engine Packet Chapter 1. Product Overview Flow Figure 1.2. Packet Flow Schematic Part II The packet flow is continued on the following page. Figure 1.3. Packet Flow Schematic Part III...

  • Page 21

    1.3. NetDefendOS State Engine Packet Chapter 1. Product Overview Flow...

  • Page 22

    1.3. NetDefendOS State Engine Packet Chapter 1. Product Overview Flow...

  • Page 23: Management And Maintenance, Managing Netdefendos, Overview, Default Administrator Accounts

    Chapter 2. Management and Maintenance This chapter describes the management, operations and maintenance related aspects of NetDefendOS. • Managing NetDefendOS, page 23 • Events and Logging, page 35 • RADIUS Accounting, page 39 • Monitoring, page 43 • Maintenance, page 45 2.1.

  • Page 24: The Cli

    Serial Console CLI Access The serial console port is a RS-232 port on the D-Link Firewall that allows access to the CLI through a serial connection to a PC or terminal. To locate the serial console port on your D-Link system, see the D-Link Quickstart Guide .

  • Page 25: Enabling Ssh Remote Access

    For security reasons, it can be advisable to disable or anonymize the CLI welcome message. Changing the CLI Prompt The default CLI prompt is Device:/> where Device is the model number of the D-Link Firewall. This can be customized, for example, to gw-world:/>, by using the CLI command:...

  • Page 26: The Webui

    To access the web interface, launch a standard web browser and point the browser at the IP address of the firewall. The factory default address for all D-Link Firewalls is 192.168.1.1. When performing this initial connection to NetDefendOS, the administrator MUST use https:// as the URL protocol in the browser (for example: https://192.168.1.1).

  • Page 27

    2.1.4. The WebUI Chapter 2. Management and Maintenance Enter your username and password and click the Login button. If the user credentials are correct, you will be transferred to the main web interface page. This page, with its essential parts highlighted, is shown below.

  • Page 28: Enabling Remote Management Via Https

    2.1.4. The WebUI Chapter 2. Management and Maintenance • Home - Navigates to the first page of the web interface. • Configuration • Save and Activate - Saves and activates the configuration. • Discard Changes - Discards any changes made to the configuration during the current session.

  • Page 29: Working With Configurations, Listing Configuration Objects

    2.1.5. Working with Configurations Chapter 2. Management and Maintenance • User Database: AdminUsers • Interface: any • Network: all-nets Click OK Caution The above example is provided for informational purposes only. It is never recommended to expose any management interface to any user on the Internet. Logging out from the Web Interface When you have finished working in the web interface, you should always logout to prevent other users with access to your workstation to get unauthorized access to the system.

  • Page 30: Displaying A Configuration Object

    2.1.5. Working with Configurations Chapter 2. Management and Maintenance gw-world:/> show Service A list of all services will be displayed, grouped by their respective type. Web Interface Go to Objects > Services A web page listing all services will be presented. A list contains the following basic elements: •...

  • Page 31: Editing A Configuration Object, Adding A Configuration Object

    2.1.5. Working with Configurations Chapter 2. Management and Maintenance Example 2.5. Editing a Configuration Object When you need to modify the behavior of NetDefendOS, you will most likely need to modify one or several configuration objects. This example shows how to edit the Comments property of the telnet service. gw-world:/>...

  • Page 32: Deleting A Configuration Object, Undeleting A Configuration Object, Listing Modified Configuration Objects

    2.1.5. Working with Configurations Chapter 2. Management and Maintenance Go to Objects > Address Book Click on the Add button In the dropdown menu displayed, select IP4 Address In the Name text box, enter myhost Enter 192.168.10.10 in the IP Address textbox Click OK Verify that the new IP4 address object has been added to the list Example 2.7.

  • Page 33: Activating And Committing A Configuration

    2.1.5. Working with Configurations Chapter 2. Management and Maintenance gw-world:/> show -changes Type Object ------------- ------ IP4Address myhost ServiceTCPUDP telnet A "+" character in front of the row indicates that the object has been added. A "*" character indicates that the object has been modified.

  • Page 34

    2.1.5. Working with Configurations Chapter 2. Management and Maintenance Note The configuration must be committed before changes are saved. All changes to a configuration can be ignored simply by not committing a changed configuration.

  • Page 35: Events And Logging, Overview, Event Messages, Event Message Distribution

    2.2. Events and Logging Chapter 2. Management and Maintenance 2.2. Events and Logging 2.2.1. Overview The ability to log and analyze system activities is an essential feature of NetDefendOS. Logging enables not only monitoring of system status and health, but also allows auditing of network usage and assists in trouble-shooting.

  • Page 36: Enable Logging To A Syslog Host

    2.2.3. Event Message Distribution Chapter 2. Management and Maintenance Memlog A D-Link Firewall has a built in logging mechanism known as the Memory Log. This retains all event log messages in memory and allows direct viewing of log messages through the web interface.

  • Page 37: Sending Snmp Traps To An Snmp Trap Receiver

    The file DFLNNN-TRAP.MIB (where NNN indicates the model number of the firewall) is provided by D-Link and defines the SNMP objects and datatypes that are used to describe an SNMP Trap received from NetDefendOS.

  • Page 38

    2.2.3. Event Message Distribution Chapter 2. Management and Maintenance gw-world:/> add LogReceiver EventReceiverSNMP2c my_snmp IPAddress=195.11.22.55 Web Interface Goto Log & Event Receivers > Add > EventReceiverSNMP2c Specify a name for the event receiver, eg. my_snmp Enter 195.11.22.55 as the IP Address Enter an SNMP Community String if needed by the trap receiver) Click OK The system will now be sending SNMP traps for all events with a severity greater than or equal to Alert to an...

  • Page 39: Radius Accounting, Overview, Radius Accounting Messages

    RADIUS sessions. All statistics are updated for an authenticated user whenever a connection related to an authenticated user is closed. When a new client session is started by a user establishing a new connection through the D-Link Firewall, NetDefendOS sends an AccountingRequest START message to a nominated RADIUS server, to record the start of the new session.

  • Page 40

    Delay Time - See the above comment about this parameter. • Timestamp - The number of seconds since 1970-01-01. Used to set a timestamp when this packet was sent from the D-Link Firewall. In addition to this, two more attributes are possibly sent: •...

  • Page 41: Interim Accounting Messages, Activating Radius Accounting, Radius Accounting Security, Radius Accounting And High Availability

    2.3.6. RADIUS Accounting and High Availability In an HA cluster, accounting information is synched between the active and passive D-Link Firewalls. This means that accounting information is automatically updated on both cluster members whenever a connection is closed. Two special accounting events are also used by the active unit to...

  • Page 42: Handling Unresponsive Servers, Accounting And System Shutdowns, Limitations With Nat

    This situation should be avoided. In the case that the D-Link Firewall administrator issues a shutdown command while authenticated users are still online, the AccountingRequest STOP packet will potentially never be sent. To avoid this, NetDefendOS has the advanced setting LogOutAccUsersAtShutdown.

  • Page 43: Monitoring, Snmp Monitoring

    2.4. Monitoring Chapter 2. Management and Maintenance 2.4. Monitoring 2.4.1. SNMP Monitoring Overview Simple Network Management Protocol (SNMP) is a standardized protocol for management of network devices. An SNMP compliant client can connect to a network device which supports the SNMP protocol to query and control it.

  • Page 44: Enabling Snmp Monitoring

    2.4.1. SNMP Monitoring Chapter 2. Management and Maintenance SNMP access. Port 161 is usually used for SNMP and NetDefendOS always expects SNMP traffic on that port. Remote Access Encryption It should be noted that SNMP Version 1 or 2c access means that the community string will be sent as plain text over a network.

  • Page 45: Resetting To Factory Defaults, Maintenance, Auto-update Mechanism, Configuration Backup And Restore

    A restore to factory defaults can be applied so that it is possible to return to the original hardware state that existed when the D-Link Firewall was shipped by D-Link. When a restore is applied all data such as the IDP and Ant-Virus databases are lost and must be reloaded.

  • Page 46: Reset Alternatives, Complete Hardware Reset To Factory Defaults

    Select Restore the entire unit to factory defaults then confirm and wait for the restore to complete. Reset alternative for the DFL-210/260/800/860 only To reset the DFL-210/260/800/860 you must hold down the reset button at the rear panel for 10-15 seconds while powering on the unit. After that, release the reset button and the DFL-210/800 will continue to load and startup in default mode, that is to say with 192.168.1.1 on the LAN interface.

  • Page 47

    2.5.3. Resetting to Factory Defaults Chapter 2. Management and Maintenance...

  • Page 48: Fundamentals, The Address Book, Overview, Ip Addresses

    Chapter 3. Fundamentals This chapter describes the fundamental logical objects upon which NetDefendOS is built. These objects include such things as addresses, services and schedules. In addition, the chapter explains how the various supported interfaces work, it outlines how secuirty policies are constructed and how basic system settings are configured.

  • Page 49: Adding An Ip Host, Adding An Ip Network, Adding An Ip Range

    3.1.2. IP Addresses Chapter 3. Fundamentals For example: 192.168.0.0/24 IP Range A range of IP addresses is represented on the form a.b.c.d - e.f.g.h. Please note that ranges are not limited to netmask boundaries; they may include any span of IP addresses.

  • Page 50: Ethernet Addresses, Deleting An Address Object, Adding An Ethernet Address

    3.1.3. Ethernet Addresses Chapter 3. Fundamentals Web Interface Go to Objects > Address Book > Add > IP address Specify a suitable name for the IP Range, for instance wwwservers. Enter 192.168.10.16-192.168.10.21 as the IP Address Click OK Example 3.4. Deleting an Address Object To delete an object named wwwsrv1 in the Address Book, do the following: gw-world:/>...

  • Page 51: Address Groups, Auto-generated Address Objects

    3.1.4. Address Groups Chapter 3. Fundamentals 3.1.4. Address Groups Address objects can be grouped in order to simplify configuration. Consider a number of public servers that should be accessible from the Internet. The servers have IP addresses that are not in a sequence, and can therefore not be referenced to as a single IP range.

  • Page 52: Services, Overview, Listing The Available Services, Viewing A Specific Service

    IP rule set can use a Service object as a filter to decide whether or not to allow certain traffic through the D-Link Firewall. For more information on how service objects are being used wit IP rules, see Section 3.5, “The IP Rule Set”.

  • Page 53: Tcp And Udp Based Services

    To define a TCP or UDP service in the D-Link Firewall, a TCP/UDP Service object is used. This type of object contains, apart from a unique name describing the service, also information on what protocol (TCP, UDP or both) and what source and destination ports are applicable for the service.

  • Page 54: Adding A Tcp/udp Service

    For a Service involving, for instance an HTTP ALG, the default value can often be too low if there are large numbers of clients connecting through the D-Link Firewall. It is therefore recommended to consider if a higher value is required for a particular scenario.

  • Page 55: Icmp Services, Custom Ip Protocol Services

    3.2.3. ICMP Services Chapter 3. Fundamentals When setting up rules that filter by services it is possible to use the service grouping all_services to refer to all protocols. If just referring to the main protocols of TCP, UDP and ICMP then the service group all_tcpudpicmp can be used.

  • Page 56: Adding An Ip Protocol Service

    3.2.4. Custom IP Protocol Services Chapter 3. Fundamentals number. Some of the common IP protocols, such as IGMP, are already pre-defined in the NetDefendOS system configuration. Similar to the TCP/UDP port ranges described previously, a range of IP protocol numbers can be used to specify multiple applications for one service.

  • Page 57: Interfaces, Overview

    3.3. Interfaces Chapter 3. Fundamentals 3.3. Interfaces 3.3.1. Overview An Interface is one of the most important logical building blocks in NetDefendOS. All network traffic that passes through or gets terminated in the system is done so through one or several interfaces.

  • Page 58: Ethernet

    NetDefendOS itself that will deal with the traffic. Examples of the use of core would be when the D-Link Firewall acts as a PPTP or L2TP server or is to respond to ICMP "Ping" requests. By specifying the Destination Interface of a route as core, NetDefendOS will then know that it is itself that is the ultimate destination of the traffic.

  • Page 59: Enabling Dhcp

    N represents the number of the interface if your D-Link Firewall has more than one of these interfaces. In most of the examples in this guide lan is used for LAN traffic and wan is used for WAN traffic.

  • Page 60: Vlan

    3.3.3. VLAN Chapter 3. Fundamentals gw-world:/> set Interface Ethernet wan DHCPEnabled=Yes Web Interface Go to Interfaces > Ethernet In the grid, click on the ethernet object of interest Enable the Enable DHCP client option Click OK 3.3.3. VLAN Overview Virtual LANs (VLANs) are useful in several different scenarios, for instance, when filtering of traffic is needed between different VLANs in an organization, or for any other reason where the administrator would like to expand the number of interfaces.

  • Page 61: Pppoe, Defining A Vlan

    3.3.4. PPPoE Chapter 3. Fundamentals Assign a VLAN ID that is unique on the physical interface. Optionally specify an IP address for the VLAN. Optionally specify an IP broadcast address for the VLAN. Create the required route(s) for the VLAN in the appropriate routing table. Create rules in the IP rule set to allow traffic through on the VLAN interface.

  • Page 62: Configuring A Pppoe Client On The Wan Interface With Traffic Routed Over Pppoe

    3.3.4. PPPoE Chapter 3. Fundamentals Control Protocols (NCPs) can be used to transport traffic for a particular protocol suite, so that multiple protocols can interoperate on the same link, for example, both IP and IPX traffic can share a PPP link. Authentication is an option with PPP.

  • Page 63: Gre Tunnels

    3.3.5. GRE Tunnels Chapter 3. Fundamentals • Service Name: Service name provided by the service provider • Username: Username provided by the service provider • Password: Password provided by the service provider • Confirm Password: Retype the password • Under Authentication specify which authentication protocol to use (the default settings will be used if not specified) •...

  • Page 64: An Example Gre Scenario

    An Example GRE Scenario The diagram below illustrates a typical GRE scenario, where two D-Link Firewalls A and B must communicate with each other through the intervening internal network 172.16.0.0/16. Any traffic passing between A and B is tunneled through the intervening network using a GRE tunnel and since the network is internal and not public there is no need for encryption.

  • Page 65

    3.3.5. GRE Tunnels Chapter 3. Fundamentals Setup for D-Link Firewall "A" Assuming that the network 192.168.10.0/24 is lannet on the lan interface, the steps for setting up NetDefendOS on A are: In the address book set up the following IP objects: •...

  • Page 66: Interface Groups, Creating An Interface Group

    3.3.6. Interface Groups Chapter 3. Fundamentals In the address book set up the following IP objects: • remote_net_A: 192.168.10.0/24 • remote_gw: 172.16.0.1 • ip_GRE: 192.168.0.2 Create a GRE Tunnel object called GRE_to_A with the following parameters: • IP Address: ip_GRE •...

  • Page 67

    3.3.6. Interface Groups Chapter 3. Fundamentals Click OK...

  • Page 68: Overview, Arp In Netdefendos, Arp Cache

    3.4. ARP Chapter 3. Fundamentals 3.4. ARP 3.4.1. Overview Address Resolution Protocol (ARP) is a protocol, which maps a network layer protocol address to a data link layer hardware address and it is used to resolve an IP address into its corresponding Ethernet address.

  • Page 69: Static And Published Arp Entries, Displaying The Arp Cache, Flushing The Arp Cache

    3.4.4. Static and Published ARP Chapter 3. Fundamentals Entries The default expiration time for dynamic ARP entries is 900 seconds (15 minutes). This can be changed by modifying the Advanced Setting ARPExpire. The setting ARPExpireUnknown specifies how long NetDefendOS is to remember addresses that cannot be reached. This is done to ensure that NetDefendOS does not continously request such addresses.

  • Page 70: Defining A Static Arp Entry

    3.4.4. Static and Published ARP Chapter 3. Fundamentals Entries NetDefendOS supports defining static ARP entries (static binding of IP addresses to Ethernet addresses) as well as publishing IP addresses with a specific Ethernet address. Static ARP Entries Static ARP items may help in situations where a device is reporting incorrect Ethernet address in response to ARP requests.

  • Page 71: Advanced Arp Settings

    3.4.5. Advanced ARP Settings Chapter 3. Fundamentals There are two publishing modes; Publish and XPublish. The difference between the two is that XPublish "lies" about the sender Ethernet address in the Ethernet header; this is set to be the same as the published Ethernet address rather than the actual Ethernet address of the Ethernet interface.

  • Page 72

    3.4.5. Advanced ARP Settings Chapter 3. Fundamentals situations are to be logged. Sender IP 0.0.0.0 NetDefendOS can be configured on what to do with ARP queries that have a sender IP of 0.0.0.0. Such sender IPs are never valid in responses, but network units that have not yet learned of their IP address sometimes ask ARP questions with an "unspecified"...

  • Page 73: The Ip Rule Set, Security Policies

    • The Destination Interface can be specified as core. This means that traffic, such as an ICMP Ping is destined for the D-Link Firewall itself and it is NetDefendOS that will respond to it.

  • Page 74: Ip Rule Evaluation

    Drop IP rule with logging enabled is placed as the last rule in the IP rule set. 3.5.2. IP Rule Evaluation When a new TCP/IP connection is being established through the D-Link Firewall, the list of IP rules are evaluated from top to bottom until a rule that matches the parameters of the new connection is found.

  • Page 75: Ip Rule Actions

    "stateful engine". FwdFast Let the packet pass through the D-Link Firewall without setting up a state for it in the state table. This means that the stateful inspection process is bypassed and is therefore less secure than Allow or NAT rules. Packet processing time is also slower than Allow rules since every packet is checked against the entire rule set.

  • Page 76: Editing Ip Rule Set Entries

    3.5.4. Editing IP rule set Entries Chapter 3. Fundamentals Using Reject In certain situations the Reject action is recommended instead of the Drop action because a polite reply is required from NetDefendOS. An example of such a situation is when responding to the IDENT user identification protocol.

  • Page 77: Schedules, Setting Up A Time-scheduled Policy

    3.6. Schedules Chapter 3. Fundamentals 3.6. Schedules In some scenarios, it might be useful to control not only what functionality is enabled, but also when that functionality is being used. For instance, the IT policy of an enterprise might stipulate that web traffic from a certain department is only allowed access outside that department during normal office hours.

  • Page 78

    3.6. Schedules Chapter 3. Fundamentals • Action: NAT • Service: http • Schedule: OfficeHours • SourceInterface: lan • SourceNetwork lannet • DestinationInterface: any • DestinationNetwork: all-nets Click OK...

  • Page 79: X.509 Certificates, Overview

    3.7. X.509 Certificates Chapter 3. Fundamentals 3.7. X.509 Certificates NetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. This involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication. 3.7.1. Overview An X.509 certificate is a digital proof of identity.

  • Page 80: X.509 Certificates In Netdefendos, Uploading An X.509 Certificate

    VPN tunnels. 3.7.2. X.509 Certificates in NetDefendOS X.509 certificates can be uploaded to the D-Link Firewall for use in IKE/IPsec authentication, Webauth, etc. There are two types of certificates that can be uploaded, self signed certificates and remote certificates belonging to a remote peer or CA server.

  • Page 81: Associating X.509 Certificates With Ipsec Tunnels

    3.7.2. X.509 Certificates in Chapter 3. Fundamentals NetDefendOS Now select one of the following: • Upload self-signed X.509 Certificate • Upload a remote certificate Click OK and follow the instructions. Example 3.19. Associating X.509 Certificates with IPsec Tunnels To associate an imported certificate with an IPsec tunnel. Web Interface Go to Interfaces >...

  • Page 82: Setting Date And Time, General Date And Time Settings, Setting The Current Date And Time

    GMT. The NetDefendOS time zone setting reflects the time zone where the D-Link Firewall is physically located.

  • Page 83: Time Servers, Setting The Time Zone, Enabling Dst

    3.8.2. Time Servers Chapter 3. Fundamentals Example 3.21. Setting the Time Zone To modify the NetDefendOS time zone to be GMT plus 1 hour, follow the steps outlined below: gw-world:/> set DateTime Timezone=GMTplus1 Web Interface Go to System > Date and Time Select (GMT+01:00) in the Timezone drop-down list Click OK Daylight Saving Time...

  • Page 84: Enabling Time Synchronization Using Sntp, Manually Triggering A Time Synchronization

    3.8.2. Time Servers Chapter 3. Fundamentals Time Synchronization Protocols are standardised methods for retrieving time information from external Time Servers. NetDefendOS supports the following time synchronization protocols: • SNTP - Defined by RFC 2030, The Simple Network Time Protocol (SNTP) is a lightweight implementation of NTP (RFC 1305).

  • Page 85: Modifying The Maximum Adjustment Value, Forcing Time Synchronization

    3.8.2. Time Servers Chapter 3. Fundamentals gw-world:/> time -sync Attempting to synchronize system time... Server time: 2007-02-27 12:21:52 (UTC+00:00) Local time: 2007-02-27 12:24:30 (UTC+00:00) (diff: 158) Local time successfully changed to server time. Maximum Time Adjustment To avoid situations where a faulty Time Server causes the clock to be updated with a extremely inaccurate time, a Maximum Adjustment value (in seconds) can be set.

  • Page 86: Enabling The D-link Ntp Server

    3.8.2. Time Servers Chapter 3. Fundamentals D-Link Time Servers Using D-Link's own Time Servers is an option in NetDefendOS and this is the recommended way of synchronizing the firewall clock. These servers communicate with NetDefendOS using the SNTP protocol. When the D-Link Server option is chosen, a pre-defined set of recommended default values for the synchronization are used.

  • Page 87: Dns Lookup, Configuring Dns Servers

    3.9. DNS Lookup Chapter 3. Fundamentals 3.9. DNS Lookup A DNS server can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. FQDNs are unambiguous textual domain names which specify a node's unique position in the Internet's DNS tree hierarchy. FQDN resolution allows the actual physical IP address to change while the FQDN can stay the same.

  • Page 88

    3.9. DNS Lookup Chapter 3. Fundamentals...

  • Page 89: Routing, Overview

    Chapter 4. Routing This chapter describes how to configure IP routing in NetDefendOS. • Overview, page 89 • Static Routing, page 90 • Policy-based Routing, page 98 • Dynamic Routing, page 103 • Multicast Routing, page 110 • Transparent Mode, page 119 4.1.

  • Page 90: Static Routing, Basic Principles Of Routing

    IP address of the next gateway in the path to the destination. The images below illustrates a typical D-Link Firewall deployment and how the associated routing table would look like.

  • Page 91

    4.2.2. Static Routing Chapter 4. Routing 4.2.2. Static Routing This section describes how routing is implemented in NetDefendOS, and how to configure static routing. NetDefendOS supports multiple routing tables. A default table called main is pre-defined and is always present in NetDefendOS. However, additional and completely separate routing tables can be defined by the administrator to provide alternate routing.

  • Page 92: Displaying The Routing Table

    4.2.2. Static Routing Chapter 4. Routing Persistent Routes: None The corresponding routing table in NetDefendOS is similar to this: Flags Network Iface Gateway Local IP Metric ----- ------------------ -------- -------------- --------- ------ 192.168.0.0/24 10.0.0.0/8 0.0.0.0/0 192.168.0.1 The NetDefendOS way of describing the routes is easier to read and understand. Another advantage with this form of notation is that you can specify a gateway for a particular route without having a route that covers the gateways's IP address or despite the fact that the route covers the gateway's IP address is normally routed via another interface.

  • Page 93: Displaying The Core Routes

    4.2.2. Static Routing Chapter 4. Routing 213.124.165.0/24 0.0.0.0/0 213.124.165.1 Web Interface To see the configured routing table: Go to Routing > Routing Tables Select and right-click the main routing table in the grid Choose Edit in the menu The main window will list the configured routes To see the active routing table, select the Routes item in the Status dropdown menu in the menu bar - the main window will list the active routing table Core Routes...

  • Page 94: Route Failover, A Route Failover Scenario For Isp Access

    4.2.3. Route Failover Overview D-Link Firewalls are often deployed in mission-critical locations where availability and connectivity is crucial. A corporation relying heavily on access to the Internet, for instance, could have their operations severely disrupted if an Internet connection fails.

  • Page 95

    4.2.3. Route Failover Chapter 4. Routing methods must be chosen: Interface Link Status NetDefendOS will monitor the link status of the interface specified in the route. As long as the interface is up, the route is diagnosed as healthy. This method is appropriate for monitoring that the interface is physically attached and that the cabling is working as expected.

  • Page 96: Proxy Arp

    Ethernet is separated into two parts with a routing device such as an installed D-Link Firewall, in between. In such a case, NetDefendOS itself can respond to ARP requests directed to the network on the other side of the D-Link Firewall using the feature known as Proxy ARP.

  • Page 97

    The splitting of an Ethernet network into two distinct parts is a common application of D-Link Firewall's Proxy ARP feature, where access between the parts needs to be controlled. In such a scenario NetDefendOS can monitor and regulate all traffic passing between the two parts.

  • Page 98: Policy-based Routing, Overview, Policy-based Routing Tables, Policy-based Routing Rules

    4.3. Policy-based Routing Chapter 4. Routing 4.3. Policy-based Routing 4.3.1. Overview Policy-based Routing (PBR) is an extension to the standard routing described previously. It offers administrators significant flexibility in implementing routing decision policies by being able to define rules so alternative routing tables are used. Normal routing forwards packets according to destination IP address information derived from static routes or from a dynamic routing protocol.

  • Page 99: Policy-based Routing Table Selection, The Ordering Parameter

    4.3.4. Policy-based Routing Table Chapter 4. Routing Selection Policy-based Routing rule can be triggered by the type of Service (HTTP for example) in combination with the Source/Destination Interface and Source/Destination Network. When looking up Policy-based Rules, it is the first matching rule found that is triggered. 4.3.4.

  • Page 100: Creating A Policy-based Routing Table, Creating The Route

    4.3.5. The Ordering parameter Chapter 4. Routing interfaces. The first two options can be regarded as combining the alternate table with the main table and assigning one route if there is a match in both tables. Important - Ensuring all-nets appears in the main table. A common mistake with Policy-based routing is the absence of the default route with a destination interface of all-nets in the default main routing table.

  • Page 101: Policy Based Routing Configuration

    This is a "drop-in" design, where there are no explicit routing subnets between the ISP gateways and the D-Link Firewall. In a provider-independent network, clients will likely have a single IP address, belonging to one of the ISPs. In a single-organization scenario, publicly accessible servers will be configured with two separate IP addresses: one from each ISP.

  • Page 102

    4.3.5. The Ordering parameter Chapter 4. Routing Note Rules in the above example are added for both inbound and outbound connections.

  • Page 103: Dynamic Routing, Dynamic Routing Overview

    4.4. Dynamic Routing 4.4.1. Dynamic Routing overview Dynamic routing is different to static routing in that the D-Link Firewall will adapt to changes of network topology or traffic load automatically. NetDefendOS first learns of all the directly connected networks and gets further route information from other routers. Detected routes are sorted and the most suitable routes for destinations are added into the routing table and this information is distributed to other routers.

  • Page 104: Ospf

    4.4.2. OSPF Chapter 4. Routing Routing metrics are the criteria a routing algorithm uses to compute the "best" route to a destination. A routing protocol relies on one or several metrics to evaluate links across a network and to determine the optimal path. The principal metrics used include: Path length The sum of the costs associated with each link.

  • Page 105

    4.4.2. OSPF Chapter 4. Routing to which they have an interface. ASBRs Routers that exchange routing information with routers in other Autonomous Systems are called Autonomous System Boundary Router (ASBRs). They advertise externally learned routes throughout the Autonomous System. Backbone Areas All OSPF networks need to have at least the backbone area, that is the area with ID 0.

  • Page 106: Virtual Links Example 1

    4.4.2. OSPF Chapter 4. Routing in the routing table. This is commonly used to minimize the routing table. Virtual Links Virtual links are used for: • Linking an area that does not have a direct connection to the backbone. • Linking the backbone in case of a partitioned backbone.

  • Page 107: Dynamic Routing Policy, Virtual Links Example 2

    This is done by forcing the router priority to 0. For OSPF HA support to work correctly, the D-Link Firewall needs to have a broadcast interface with at least ONE neighbor for ALL areas that the firewall is attached to. In essence, the inactive part of the cluster needs a neighbor to get the link state database from.

  • Page 108: Importing Routes From An Ospf As Into The Main Routing Table

    4.4.3. Dynamic Routing Policy Chapter 4. Routing In a dynamic routing environment, it is important for routers to be able to regulate to what extent they will participate in the routing exchange. It is not feasible to accept or trust all received routing information, and it might be crucial to avoid that parts of the routing database gets published to other routers.

  • Page 109: Exporting The Default Route Into An Ospf As

    4.4.3. Dynamic Routing Policy Chapter 4. Routing gw-world:/ImportOSPFRoutes> add DynamicRoutingRuleAddRoute Destination=MainRoutingTable Web Interface Go to Routing > Dynamic Routing Rules Click on the recently created ImportOSPFRoutes Go to OSPF Routing Action > Add > DynamicRountingRuleAddRoute In Destination, add the main routing table to the Selected list Click OK Example 4.7.

  • Page 110: Multicast Routing, Overview, Multicast Forwarding Using The Sat Multiplex Rule

    IP rule set in order to perform forwarding to the correct interfaces. This is demonstrated in the examples which follow. Note For multicast to function with an Ethernet interface on any D-Link Firewall, that interface must have multicast handling set to On or Auto. For further details on this see Section 3.3.2, “Ethernet”.

  • Page 111: Multicast Forwarding - No Address Translation

    4.5.2. Multicast Forwarding using the Chapter 4. Routing SAT Multiplex Rule The multiplex rule can operate in one of two modes: Use IGMP The traffic flow specififed by the multiplex rule must have been requested by hosts using IGMP before any multicast packets are forwarded through the specified interfaces.

  • Page 112: Multicast Forwarding - Address Translation, Forwarding Of Multicast Traffic Using The Sat Multiplex Rule

    4.5.2. Multicast Forwarding using the Chapter 4. Routing SAT Multiplex Rule Example 4.8. Forwarding of Multicast Traffic using the SAT Multiplex Rule In this example, we will create a multiplex rule in order to forward the multicast groups 239.192.10.0/24:1234 to the interfaces if1, if2 and if3.

  • Page 113

    4.5.2. Multicast Forwarding using the Chapter 4. Routing SAT Multiplex Rule This scenario is based on the previous scenario but now we are going to translate the multicast group. When the multicast streams 239.192.10.0/24 are forwarded through the if2 interface, the multicast groups should be translated into 237.192.10.0/24.

  • Page 114: Igmp Configuration, Multicast Snoop

    A second exception is if a neighbouring router is statically configured to deliver a multicast stream to the D-Link Firewall. In this case also, an IGMP query would not have to be specified. NetDefendOS supports two IGMP modes of operation - Snoop and Proxy.

  • Page 115: Multicast Proxy, Igmp - No Address Translation

    4.5.3. IGMP Configuration Chapter 4. Routing Figure 4.7. Multicast Proxy In Snoop mode, the router will act transparently between the hosts and another IGMP router. It will not send any IGMP Queries. It will only forward queries and reports between the other router and the hosts.

  • Page 116: Configuration If1

    4.5.3. IGMP Configuration Chapter 4. Routing • Source Network: if1net, if2net, if3net • Destination Interface: core • Destination Network: auto • Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.0/24 Click OK B. Create the second IGMP Rule: Again go to Routing > IGMP > IGMP Rules > Add > IGMP Rule Under General enter: •...

  • Page 117: Configuration If2 - Group Translation

    4.5.3. IGMP Configuration Chapter 4. Routing • Name: A suitable name for the rule, eg. Reports_if1 • Type: Report • Action: Proxy • Output: wan (this is the relay interface) Under Address Filter enter: • Source Interface: if1 • Source Network: if1net •...

  • Page 118: Advanced Igmp Settings

    4.5.3. IGMP Configuration Chapter 4. Routing • Type: Report • Action: Proxy • Output: wan (this is the relay interface) Under Address Filter enter: • Source Interface: if2 • Source Network: if2net • Destination Interface: core • Destination Network: auto •...

  • Page 119: Transparent Mode, Overview Of Transparent Mode, Comparison With Routing Mode, Transparent Mode Implementation

    The D-Link Firewall can operate in two modes: Routing Mode or Transparent Mode. In Routing Mode, the D-Link Firewall performs all the functions of a Layer 3 router; if the firewall is placed into a network for the first time, or if network topology changes, the routing configuration must therefore be thoroughly checked to ensure that the routing table is consistent with the new layout.

  • Page 120: Enabling Transparent Mode, High Availability With Transparent Mode, Transparent Mode Scenarios

    For each IP packet that passes through the D-Link Firewall, a route lookup for the destination is done. If the route of the packet matches a Switch Route or a Layer 3 Cache entry in the routing table, NetDefendOS knows that it should handle this packet in a transparent manner.

  • Page 121: Transparent Mode Scenario 1, Setting Up Transparent Mode - Scenario 1

    4.6.6. Transparent Mode Scenarios Chapter 4. Routing Figure 4.8. Transparent mode scenario 1 Example 4.13. Setting up Transparent Mode - Scenario 1 Web Interface Configure the interfaces: Go to Interfaces > Ethernet > Edit (wan) Now enter: • IP Address: 10.0.0.1 •...

  • Page 122: Transparent Mode Scenario 2, Setting Up Transparent Mode - Scenario 2

    Destination Network: all-nets (0.0.0.0/0) Click OK Scenario 2 Here the D-Link Firewall in Transparent Mode separates server resources from an internal network by connecting them to a separate interface without the need for different address ranges. Figure 4.9. Transparent mode scenario 2 All hosts connected to LAN and DMZ (the lan and dmz interfaces) share the 10.0.0.0/24 address...

  • Page 123

    4.6.6. Transparent Mode Scenarios Chapter 4. Routing Switch Route: Similar as shown in the previous example. Set up the switch route with the new interface group created earlier. Configure the rules: Go to Rules > New Rule The Rule Properties dialog will be displayed Specify a suitable name for the rule, for instance HTTP-LAN-to-DMZ Enter following: •...

  • Page 124

    4.6.6. Transparent Mode Scenarios Chapter 4. Routing Go to Interfaces > Ethernet > Edit (lan) Now enter: • IP Address: 10.0.0.1 • Network: 10.0.0.0/24 • Transparent Mode: Disable • Add route for interface network: Disable Click OK Go to Interfaces > Ethernet > Edit (dmz) Now enter: •...

  • Page 125

    4.6.6. Transparent Mode Scenarios Chapter 4. Routing Click OK Go to Rules > IP Rules > Add > IPRule Now enter: • Name: HTTP-WAN-to-DMZ • Action: SAT • Service: http • Source Interface: wan • Destination Interface: dmz • Source Network: all-nets •...

  • Page 126

    4.6.6. Transparent Mode Scenarios Chapter 4. Routing...

  • Page 127: Dhcp Services, Overview

    Chapter 5. DHCP Services This chapter describes DHCP services in NetDefendOS. • Overview, page 127 • DHCP Servers, page 128 • Static DHCP Assignment, page 130 • DHCP Relaying, page 131 • IP Pools, page 132 5.1. Overview DHCP (Dynamic Host Configuration Protocol) is a protocol that allows network administrators to automatically assign IP numbers to computers on a network.

  • Page 128: Dhcp Servers, Setting Up A Dhcp Server

    5.2. DHCP Servers Chapter 5. DHCP Services 5.2. DHCP Servers NetDefendOS has the ability to act as one or more logical DHCP servers. Filtering of DHCP client requests is based on interface, so each NetDefendOS interface can have, at most, one single logical DHCP server associated with it.

  • Page 129: Checking The Status Of A Dhcp Server

    5.2. DHCP Servers Chapter 5. DHCP Services Example 5.2. Checking the status of a DHCP server Web Interface Go to Status > DHCP Server in the menu bar. To see the status of all servers: gw-world:/> dhcpserver To list all configured servers: gw-world:/>...

  • Page 130: Static Dhcp Assignment, Setting Up Static Dhcp

    5.3. Static DHCP Assignment Chapter 5. DHCP Services 5.3. Static DHCP Assignment Where the administrator requires a fixed relationship between a client and the assigned IP address, NetDefendOS allows the assignment of a given IP to a specific MAC address. Example 5.3.

  • Page 131: Dhcp Relaying, Setting Up A Dhcp Relayer

    5.4. DHCP Relaying Chapter 5. DHCP Services 5.4. DHCP Relaying With DHCP, clients send requests to locate the DHCP server(s) using broadcast messages. However, broadcasts are normally only propagated across the local network. This means that the DHCP server and client would always need to be in the same physical network area to be able to communicate.

  • Page 132: Ip Pools

    5.5. IP Pools Chapter 5. DHCP Services 5.5. IP Pools Overview IP pools are used to offer other subsystems access to a cache of DHCP IP addresses. These addresses are gathered into a pool by internally maintaining a series of DHCP clients (one per IP). The DHCP servers used by a pool can either be external or be DHCP servers defined in NetDefendOS itself.

  • Page 133: Creating An Ip Pool

    5.5. IP Pools Chapter 5. DHCP Services greater than the prefetch parameter. The pool will start releasing (giving back IPs to the DHCP server) when the number of free clients exceeds this value. Maximum clients Optional setting used to specify the maximum number of clients (IPs) allowed in the pool.

  • Page 134

    5.5. IP Pools Chapter 5. DHCP Services...

  • Page 135: Security Mechanisms, Access Rules, Introduction, Ip Spoofing

    Chapter 6. Security Mechanisms This chapter describes NetDefendOS security features. • Access Rules, page 135 • Application Layer Gateways, page 138 • Web Content Filtering, page 169 • Anti-Virus Scanning, page 183 • Intrusion Detection and Prevention, page 188 • Denial-Of-Service (DoS) Attacks, page 198 •...

  • Page 136: Access Rule Settings

    6.1.3. Access Rule Settings Chapter 6. Security Mechanisms VPNs provide one means of avoiding spoofing but where a VPN is not an appropriate solution then Access Rules can provide an anti-spoofing capability by providing an extra filter for source address verification.

  • Page 137: Setting Up An Access Rule

    6.1.3. Access Rule Settings Chapter 6. Security Mechanisms Example 6.1. Setting up an Access Rule A rule is to be defined that ensures no traffic with a source address not within the lannet network is received on the lan interface. gw-world:/>...

  • Page 138: Application Layer Gateways, Overview

    6.2.1. Overview To complement low-level packet filtering, which only inspects packet headers in protocols such IP, TCP, UDP, and ICMP, D-Link Firewalls provide Application Layer Gateways (ALGs) which provide filtering at the higher application OSI level. An ALG object acts as a mediator in accessing commonly used Internet applications outside the protected network, for example web access, file transfer and multimedia transfer.

  • Page 139: Http

    6.2.2. HTTP Chapter 6. Security Mechanisms ALGs and Syn Flood Protection It should be noted that user-defined custom Service objects have the option to enable Syn Flood Protection, a feature which specifically targets Syn Flood attacks. If this option is enabled for a Service object then any ALG associated with that Service will not be used.

  • Page 140

    After granting access, the server will provide the client with a file/directory listing from which it can download/upload files (depending on access rights). The FTP ALG is used to manage FTP connections through the D-Link Firewall.

  • Page 141: Protecting An Ftp Server With An Alg

    The conversion also works the other way around, that is, with the FTP client using active mode and the FTP server using passive mode. Example 6.2. Protecting an FTP Server with an ALG As shown, an FTP Server is connected to the D-Link Firewall on a DMZ with private IP addresses, shown below:...

  • Page 142

    6.2.3. FTP Chapter 6. Security Mechanisms To make it possible to connect to this server from the Internet using the FTP ALG, the FTP ALG and rules should be configured as follows: Web Interface A. Define the ALG: Go to Objects > ALG > Add > FTP ALG Enter Name: ftp-inbound Check Allow client to use active mode Uncheck Allow server to use passive mode...

  • Page 143

    6.2.3. FTP Chapter 6. Security Mechanisms Now enter: • Name: SAT-ftp-inbound • Action: SAT • Service: ftp-inbound For Address Filter enter: • Source Interface: any • Destination Interface: core • Source Network: all-nets • Destination Network: wan_ip (assuming the external interface has been defined as this) For SAT check Translate the Destination IP Address Enter To: New IP Address: ftp-internal (assume this internal IP address for FTP server has been defined in the Address Book object)

  • Page 144: Protecting Ftp Clients

    Click OK Example 6.3. Protecting FTP Clients In this scenario shown below the D-Link Firewall is protecting a workstation that will connect to FTP servers on the Internet. To make it possible to connect to these servers from the internal network using the FTP ALG, the FTP ALG and...

  • Page 145: Tftp

    6.2.4. TFTP Chapter 6. Security Mechanisms • Destination: 21 (the port the ftp server resides on) • ALG: select the newly created ftp-outbound Click OK Rules (Using Public IPs). The following rule needs to be added to the IP rules if using public IP's; make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules.

  • Page 146: Smtp

    Internet. Typically the local SMTP server will be located on a DMZ so that mail sent by remote SMTP servers will traverse the D-Link Firewall to reach the local server (this setup is illustrated later in Section 6.2.5.1, “DNSBL SPAM Filtering”). Local users will then use email client software to retrieve their email from the local SMTP server.

  • Page 147: Dnsbl Spam Filtering

    SMTP functions as a protocol for sending emails between servers. NetDefendOS applies SPAM filtering to emails as they pass through a D-Link Firewall from a remote SMTP server to the local SMTP server (from which local clients will later download the emails). Typically the local SMTP server will be set up on a DMZ and there will usually be only one "hop"...

  • Page 148

    6.2.5. SMTP Chapter 6. Security Mechanisms When the NetDefendOS SPAM filtering function is configured, the IP address of the email's sending server can be sent to one or more DNSBL servers to find out if any DNSBL servers think it is from a spammer or not (NetDefendOS examines the IP packet headers to do this).

  • Page 149

    6.2.5. SMTP Chapter 6. Security Mechanisms Buy this stock today! And if the tag text is defined to be "*** SPAM ***", then the modified email's Subject field will become: *** SPAM *** Buy this stock today! And this is what the email's recipient will see in the summary of their inbox contents. The individual user could then decide to set up their own filters in the local client to deal with such tagged emails, possibly sending it to a separate folder.

  • Page 150

    6.2.5. SMTP Chapter 6. Security Mechanisms Logging There are three types of logging done by the SPAM filtering module: • Logging of dropped or SPAM tagged emails - These log messages include the source email address and IP as well as its weighted points score and which DNSBLs caused the event. •...

  • Page 151: Pop3

    6.2.6. POP3 Chapter 6. Security Mechanisms gw-world:/> dnsbl DNSBL Contexts: Name Status Spam Drop Accept ------------------------ -------- -------- -------- -------- my_smtp_alg active 34299 alt_smtp_alg inactive The -show option provides a summary of the SPAM filtering operation of a specific ALG. gw-world:/>...

  • Page 152

    6.2.7. SIP Chapter 6. Security Mechanisms Hide User This option prevents the POP3 server from revealing that a username does not exist. This prevents users from trying different usernames until they find a valid one. Allow Unknown Commands Non-standard POP3 commands not recognised by the ALG can be allowed or disallowed.

  • Page 153

    A refinement of the internal to internal scenario is the case where the two peers in a session reside on the same network. In all these three scenarios the proxy server is assumed to be on the unprotected side of the D-Link Firewall.

  • Page 154

    6.2.7. SIP Chapter 6. Security Mechanisms Maximum Sessions per ID The number of simultaneous sessions that a single peer can be involved with is restricted by this value. The default number is 5. Maximum Registration Time The maximum time for registration with a SIP Registrar. The default value is 3600 seconds.

  • Page 155: H.323

    NATed. • An Allow rule for inbound SIP traffic from the SIP proxy to the IP of the D-Link Firewall. This rule will use core (in other words NetDefendOS itself) as the destination interface. The reason for this is due to the NAT rule above. When an incoming call is received, NetDefendOS will automatically locate the local receiver, perform address translation and forward SIP messages to the receiver.

  • Page 156

    The H.323 specification was not designed to handle NAT, as IP addresses and ports are sent in the payload of H.323 messages. The H.323 ALG modifies and translates H.323 messages to make sure that H.323 messages will be routed to the correct destination and allowed through the D-Link Firewall.

  • Page 157: Protecting Phones Behind D-link Firewalls

    Example 6.4. Protecting Phones Behind D-Link Firewalls In the first scenario a H.323 phone is connected to the D-Link Firewall on a network (lannet) with public IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules.

  • Page 158

    6.2.8. H.323 Chapter 6. Security Mechanisms Web Interface Outgoing Rule: Go to Rules > IP Rules > Add > IPRule Now enter: • Name: H323AllowOut • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet •...

  • Page 159: H.323 With Private Ip Addresses

    Example 6.5. H.323 with private IP addresses In this scenario a H.323 phone is connected to the D-Link Firewall on a network with private IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules.

  • Page 160: Two Phones Behind Different D-link Firewalls

    Comment: Allow incoming calls to H.323 phone at ip-phone Click OK To place a call to the phone behind the D-Link Firewall, place a call to the external IP address on the firewall. If multiple H.323 phones are placed behind the firewall, one SAT rule has to be configured for each phone.

  • Page 161: Using Private Ip Addresses

    Example 6.7. Using Private IP Addresses This scenario consists of two H.323 phones, each one connected behind the D-Link Firewall on a network with private IP addresses. In order to place calls on these phones over the Internet, the following rules need to be added to the rule set in the firewall, make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules.

  • Page 162: H.323 With Gatekeeper

    Example 6.8. H.323 with Gatekeeper In this scenario, a H.323 gatekeeper is placed in the DMZ of the D-Link Firewall. A rule is configured in the firewall to allow traffic between the private network where the H.323 phones are connected on the internal network and to the Gatekeeper on the DMZ.

  • Page 163

    6.2.8. H.323 Chapter 6. Security Mechanisms Web Interface Incoming Gatekeeper Rules: Go to Rules > IP Rules > Add > IPRule Now enter: • Name: H323In • Action: SAT • Service: H323-Gatekeeper • Source Interface: any • Destination Interface: core •...

  • Page 164: H.323 With Gatekeeper And Two D-link Firewalls

    The D-Link Firewall with the Gatekeeper connected to the DMZ should be configured exactly as in scenario 3 The other D-Link Firewall should be configured as below. The rules need to be added to the rule listings, and it should be make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules.

  • Page 165: Using The H.323 Alg In A Corporate Environment

    IP-ranges on their local networks. All outside calls are done over the existing telephone network using the gateway (ip-gateway) connected to the ordinary telephone network. The head office has placed a H.323 Gatekeeper in the DMZ of the corporate D-Link Firewall. This firewall should be configured as follows: Web Interface Go to Rules >...

  • Page 166

    6.2.8. H.323 Chapter 6. Security Mechanisms • Comment: Allow H.323 entities on lannet to connect to the Gatekeeper Click OK Go to Rules > IP Rules > Add > IPRule Now enter: • Name: LanToGK • Action: Allow • Service: H323 •...

  • Page 167: Configuring Remote Offices For H.323, Allowing The H.323 Gateway To Register With The Gatekeeper

    If the branch and remote office H.323 phones and applications are to be configured to use the H.323 Gatekeeper at the head office, the D-Link Firewalls in the remote and branch offices should be configured as follows: (this rule should be in both the Branch and Remote Office firewalls).

  • Page 168

    6.2.8. H.323 Chapter 6. Security Mechanisms • Service: H323-Gatekeeper • Source Interface: dmz • Destination Interface: vpn-hq • Source Network: ip-branchgw • Destination Network: hq-net • Comment: Allow the Gateway to communicate with the Gatekeeper connected to the Head Office Click OK Note There is no need to specify a specific rule for outgoing calls.

  • Page 169: Web Content Filtering, Overview, Active Content Handling

    6.3. Web Content Filtering Chapter 6. Security Mechanisms 6.3. Web Content Filtering 6.3.1. Overview Web traffic is one of the biggest sources for security issues and misuse of the Internet. Inappropriate surfing habits can expose a network to many security threats as well as legal and regulatory liabilities.

  • Page 170: Static Content Filtering, Stripping Activex And Java Applets

    6.3.3. Static Content Filtering Chapter 6. Security Mechanisms Example 6.13. Stripping ActiveX and Java applets This example shows how to configure a HTTP Application Layer Gateway to strip ActiveX and Java applets. The example will use the content_filtering ALG object and presumes you have done one of the previous examples. gw-world:/>...

  • Page 171: Setting Up A White And Blacklist

    In this small scenario a general surfing policy prevents users from downloading .exe-files. However, the D-Link website provides secure and necessary program files which should be allowed to download.

  • Page 172: Dynamic Web Content Filtering, Dynamic Content Filtering Flow

    URLs to block or allow. Instead, D-Link maintains a global infrastructure of databases containing massive numbers of current web site URL addresses, grouped into a variety of categories such as shopping, news, sport and adult-oriented on so on.

  • Page 173: Enabling Dynamic Web Content Filtering

    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Note New, uncategorized URLs sent to the D-Link network are treated as anonymous submissions and no record of the source of new submissions is kept. Categorizing Pages and Not Sites NetDefendOS dynamic filtering categorizes web pages and not sites. In other words, a web site may contain particular pages that should be blocked without blocking the entire site.

  • Page 174: Enabling Audit Mode

    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms In the Blocked Categories list, select Search Sites and click the >> button. Click OK Then, create a Service object using the new HTTP ALG: Go to Local Objects > Services > Add > TCP/UDP service Specify a suitable name for the Service, eg.

  • Page 175

    The URL to the requested web site as well as the proposed category will then be sent to D-Link's central data warehouse for manual inspection. That inspection may result in the web site being...

  • Page 176: Reclassifying A Blocked Site

    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Example 6.17. Reclassifying a blocked site This example shows how a user may propose a reclassification of a web site if he believes it is wrongly classified. This mechanism is enabled on a per-HTTP ALG level basis. First, create an HTTP Application Layer Gateway (ALG) Object: gw-world:/>...

  • Page 177

    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Category 2: News A web site may be classified under the News category if its content includes information articles on recent events pertaining to topics surrounding a locality (for example, town, city or nation) or culture, including weather forecasting information.

  • Page 178

    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms • www.buy-alcohol.se Category 7: Entertainment A web site may be classified under the Entertainment category if its content includes any general form of entertainment that is not specifically covered by another category. Some examples of this are music sites, movies, hobbies, special interest, and fan clubs.

  • Page 179

    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms • www.loadsofmoney.com.au • www.putsandcalls.com Category 12: E-Banking A web site may be classified under the E-Banking category if its content includes electronic banking information or services. This category does not include Investment related content; refer to the Investment Sites category (11).

  • Page 180

    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Category 17: www-Email Sites A web site may be classified under the www-Email Sites category if its content includes online, web-based email facilities. Examples might be: • www.coldmail.com • mail.yazoo.com Category 18: Violence / Undesirable A web site may be classified under the Violence / Undesirable category if its contents are extremely violent or horrific in nature.

  • Page 181

    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Examples might be: • www.sierra.org • www.walkingclub.org Category 23: Music Downloads A web site may be classified under the Music Downloads category if it provides online music downloading, uploading and sharing facilities as well as high bandwidth audio streaming. Examples might be: •...

  • Page 182

    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms A web site may be classified under the Drugs/Alcohol category if its content includes drug and alcohol related information or services. Some URLs categorised under this category may also be categorised under the Health category. Examples might be: •...

  • Page 183: Anti-virus Scanning, Overview, Implementation

    D-Link Firewall. Once a virus is recognized in the contents of a file, the download can be terminated before it completes.

  • Page 184: Activating Anti-virus Scanning, The Signature Database, Subscribing To The D-link Anti-virus Service, Anti-virus Options

    6.4.3. Activating Anti-Virus Scanning Chapter 6. Security Mechanisms D-Link Firewall. However, the available free memory can place a limit on the number of concurrent scans that can be initiated. The administrator can increase the default amount of free memory available to Anti-Virus scanning through changing the AVSE_MAXMEMORY advanced setting.

  • Page 185

    6.4.6. Anti-Virus Options Chapter 6. Security Mechanisms 1. General options Mode This must be one of: A. Enabled which means Anti-Virus is active. B. Audit which means it is active but logging will be the only action. Fail mode behaviour If a virus scan fails for any reason then the transfer can be dropped or allowed, with the event being logged.

  • Page 186

    This second reconfiguration causes another failover so the passive unit reverts back to being active again. These steps result in both D-Link Firewalls in a cluster having updated databases and with the original active/passive roles. For more information about HA clusters refer to Chapter 11, High Availability.

  • Page 187

    6.4.6. Anti-Virus Options Chapter 6. Security Mechanisms Go to Objects > ALG > Add > HTTP ALG Specify a suitable name for the ALG, for instance anti_virus Click the Antivirus tab Select Protect in the Mode dropdown list Click OK B.

  • Page 188: Intrusion Detection And Prevention, Overview, Idp Availability In D-link Models

    It operates by monitoring network traffic as it passes through the D-Link Firewall, searching for patterns that indicate an intrusion is being attempted. Once detected, NetDefendOS IDP allows steps to be taken to neutralize both the intrusion attempt as well as its source.

  • Page 189: Idp Database Updating

    A new, updated signature database is downloaded automatically by NetDefendOS system at a configurable interval. This is done via an HTTP connection to the D-Link server network which delivers the latest signature database updates. If the server's signature database has a newer version than the current local database, the new database will be downloaded, replacing the older version.

  • Page 190: Idp Rules

    This second reconfiguration causes another failover so the passive unit reverts back to being active again. These steps result in both D-Link Firewalls in a cluster having updated databases and with the original active/passive roles. For more information about HA clusters refer to Chapter 11, High Availability.

  • Page 191: Insertion/evasion Attack Prevention

    6.5.4. Insertion/Evasion Attack Chapter 6. Security Mechanisms Prevention The option exists in NetDefendOS IDP to look for intrusions in all traffic, even the packets that are rejected by the IP rule set check for new connections, as well as packets that are not part of an existing connection.

  • Page 192: Idp Pattern Matching, Idp Signature Groups

    Attackers who build new intrusions often re-use older code. This means their new attacks can appear "in the wild" quickly. To counter this, D-Link IDP uses an approach where the module scans for these reusable components, with pattern matching looking for building blocks rather than the entire complete code patterns.

  • Page 193

    6.5.6. IDP Signature Groups Chapter 6. Security Mechanisms Using Groups Usually, several lines of attacks exist for a specific protocol, and it is best to search for all of them at the same time when analyzing network traffic. To do this, signatures related to a particular protocol are grouped together.

  • Page 194: Idp Actions, Smtp Log Receiver For Idp Events, Configuring An Smtp Log Receiver

    Section 6.7, “Blacklisting Hosts and Networks”. IDP ZoneDefense The Protect action includes the option that the particular D-Link switch that triggers the IDP Rule can be de-activated through the D-Link ZoneDefense feature. For more details on how ZoneDefense functions see Chapter 12, ZoneDefense.

  • Page 195: Setting Up Idp For A Mail Server

    6.5.8. SMTP Log Receiver for IDP Chapter 6. Security Mechanisms Events triggered. At least one new event occurs within the Hold Time of 120 seconds, thus reaching the log threshold level (at least 2 events have occurred). This results in an email being sent containing a summary of the IDP events.

  • Page 196

    6.5.8. SMTP Log Receiver for IDP Chapter 6. Security Mechanisms Events Create IDP Rule: gw-world:/> add IDPRule Service=smtp SourceInterface=wan SourceNetwork=wannet DestinationInterface=dmz DestinationNetwork=ip_mailserver Name=IDPMailSrvRule Create IDP Action: gw-world:/> cc IDPRule IDPMailSrvRule gw-world:/IDPMailSrvRule> add IDPRuleAction Action=Protect IDPServity=All Signatures=IPS_MAIL_SMTP Web Interface Create IDP Rule: This IDP rule will be called IDPMailSrvRule, and applies to the SMTP service.

  • Page 197

    6.5.8. SMTP Log Receiver for IDP Chapter 6. Security Mechanisms Events When this IDP Rule has been created, an action must also be created, specifying what signatures the IDP should use when scanning data matching the IDP Rule, and what NetDefendOS should do in case an intrusion is discovered.

  • Page 198: Denial-of-service (dos) Attacks, Overview, Dos Attack Mechanisms, Ping Of Death And Jolt Attacks

    Attacks can appear out of thin air and the consequences can be devastating with crashed servers, jammed Internet connections and business critical systems in overload. This section deals with using the D-Link Firewall to protect organizations against DoS attacks. 6.6.2. DoS Attack Mechanisms A DoS attack can be perpetrated in a number of ways but there are three basic types of attack: •...

  • Page 199: Fragmentation Overlap Attacks: Teardrop, Bonk, Boink And Nestea, The Land And Latierra Attacks

    6.6.4. Fragmentation overlap attacks: Chapter 6. Security Mechanisms Teardrop, Bonk, Boink and Nestea to run "ping -l 65510 1.2.3.4" on a Windows 95 system where 1.2.3.4 is the IP address of the intended victim. "Jolt" is simply a purpose-written program for generating such packets on operating systems whose ping commands refuse to generate oversized packets.

  • Page 200: Amplification Attacks: Smurf, Papasmurf, Fraggle

    6.6.7. Amplification attacks: Smurf, Chapter 6. Security Mechanisms Papasmurf, Fraggle services expected to only serve the local network. • By stripping the URG bit by default from all TCP segments traversing the system (configurable via Advanced Settings > TCP > TCPUrg). WinNuke attacks will usually show up in NetDefendOS logs as normal drops with the name of the rule in your policy that disallowed the connection attempt.

  • Page 201: Tcp Syn Flood Attacks, The Jolt2 Attack, Distributed Dos Attacks

    6.6.8. TCP SYN Flood Attacks Chapter 6. Security Mechanisms The Traffic Shaping feature built into NetDefendOS also help absorb some of the flood before it reaches protected servers. 6.6.8. TCP SYN Flood Attacks The TCP SYN Flood attack works by sending large amounts of TCP SYN packets to a given port and then not responding to SYN ACKs sent in response.

  • Page 202: Blacklisting Hosts And Networks

    To ensure that "good" Internet traffic sources are not blacklisted under any circumstances, a Whitelist is also maintained by NetDefendOS. It is advisable to add the D-Link Firewall itself to the Whitelist as well as the IP addresses of the management workstation.

  • Page 203

    6.7. Blacklisting Hosts and Networks Chapter 6. Security Mechanisms...

  • Page 204: Address Translation, Dynamic Network Address Translation

    • NAT Pools, page 207 • Static Address Translation, page 210 The ability of NetDefendOS to change the IP address of packets as they pass through a D-Link Firewall is known as address translation. NetDefendOS supports two types of translation: Dynamic Network Address Translation (NAT) and Static Address Translation (SAT).

  • Page 205: Adding A Nat Rule

    In this example, the Use Interface Address option is used, and we will use 195.11.22.33 as the interface address. In addition, the source port is changed to a free port on the D-Link Firewall, usually one above 32768. In this example, we will use port 32789. The packet is then sent to its destination.

  • Page 206

    7.1. Dynamic Network Address Chapter 7. Address Translation Translation Protocols Handled by NAT Dynamic address translation is able to deal with the TCP, UDP and ICMP protocols with a good level of functionality since the algorithm knows which values can be adjusted to become unique in the three protocols.

  • Page 207: Nat Pools

    NAT Pool object. The state table is not allocated all at once but is incremented in size as needed. One entry in the state table tracks all the connections for a single host behind the D-Link Firewall no matter which external host the connection concerns. If Max States is reached then an existing state with the longest idle time is replaced.

  • Page 208: Using Nat Pools

    Pool. See Section 5.5, “IP Pools” for more details on this topic. Proxy ARP Usage Where an external router sends ARP queries to the D-Link Firewall to resolve external IP addresses included in a NAT Pool, NetDefendOS will need to send the correct ARP replies for this resolution to take place through its Proxy ARP mechanism so the external router can correctly build its routing table.

  • Page 209

    7.2. NAT Pools Chapter 7. Address Translation Specify a suitable name for the IP range nat_pool_range Enter 10.6.13.10-10.16.13.15 in the IP Address textbox (a network eg 10.6.13.0/24 could be used here - the 0 and 255 addresses will be automatically removed) Click OK B.

  • Page 210: Static Address Translation, Translation Of A Single Ip Address (1:1)

    In this example, we will create a SAT policy that will translate and allow connections from the Internet to a web server located in a DMZ. The D-Link Firewall is connected to the Internet using the wan interface with address object wan_ip (defined as 195.55.66.77) as IP address.

  • Page 211

    These two rules allow us to access the web server via the D-Link Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection.

  • Page 212: Enabling Traffic To A Web Server On An Internal Network

    These two rules allow us to access the web server via the D-Link Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection.

  • Page 213: Translation Of Multiple Ip Addresses (m:n)

    10.0.0.2:80 => 10.0.0.3:1038 This reply arrives directly to PC1 without passing through the D-Link Firewall. This causes problems. The reason this will not work is because PC1 expects a reply from 195.55.66.77:80, not 10.0.0.2:80. The unexpected reply is discarded and PC1 continues to wait for a response from 195.55.66.77:80, which will never arrive.

  • Page 214: Translating Traffic To Multiple Protected Web Servers

    In this example, we will create a SAT policy that will translate and allow connections from the Internet to five web servers located in a DMZ. The D-Link Firewall is connected to the Internet using the wan interface, and the public IP addresses to use are in the range of 195.55.66.77 to 195.55.66.81.

  • Page 215: All-to-one Mappings (n:1)

    7.3.3. All-to-One Mappings (N:1) Chapter 7. Address Translation Click OK Publish the public adresses in the wan interface using ARP publish. One ARP item is needed for every IP address: Go to Interfaces > ARP > Add > ARP Now enter: •...

  • Page 216: Port Translation, Protocols Handled By Sat

    7.3.4. Port Translation Chapter 7. Address Translation NetDefendOS can be used to translate ranges and/or groups into just one IP address. Action Src Iface Src Net Dest Iface Dest Net Parameters all-nets core 194.1.2.16-194.1.2.20, http SETDEST all-to-one 194.1.2.30 192.168.0.50 80 This rule produces a N:1 translation of all addresses in the group (the range 194.1.2.16 - 194.1.2.20 and 194.1.2.30) to the IP 192.168.0.50.

  • Page 217: Multiple Sat Rule Matches, Sat And Fwdfast Rules

    7.3.6. Multiple SAT rule matches Chapter 7. Address Translation configuration. There is no definitive list of what protocols that can or cannot be address translated. A general rule is that VPN protocols cannot usually be translated. In addition, protocols that open secondary connections in addition to the initial connection can be difficult to translate.

  • Page 218

    Return traffic from wwwsrv:80 will match rules 2 and 3. • Internal traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. The sender address will be the D-Link Firewall's internal IP address, guaranteeing that return traffic passes through the D-Link Firewall. •...

  • Page 219

    7.3.7. SAT and FwdFast Rules Chapter 7. Address Translation...

  • Page 220: User Authentication, Overview

    This chapter deals specifically with user authentication through validation of username/password combinations manually entered by a user attempting to gain access to resources. Access to the Internet using the HTTP protocol through a D-Link Firewall is an example of this where a username/password combination is the primary authentication method.

  • Page 221: Authentication Setup, Setup Summary, The Local Database, External Authentication Servers

    In a larger network topology with a larger administration workload, it is often preferable to have a central authentication database on a dedicated server. When there is more than one D-Link Firewall in the network and thousands of users, maintaining separate authentication databases on each device becomes problematic.

  • Page 222: Authentication Rules

    8.2.4. Authentication Rules Chapter 8. User Authentication NetDefendOS acts as a RADIUS client, sending user credentials and connection parameter information as a RADIUS message to a nominated RADIUS server. The server processes the requests and sends back a RADIUS message to accept or deny them. One or more external servers can be defined in NetDefendOS.

  • Page 223: Authentication Processing, Http Authentication

    The list below describes the processing flow through NetDefendOS for username/password authentication: A user creates a new connection to the D-Link Firewall. NetDefendOS sees the new user connection on an interface and checks the Authentication rule set to see if their is a matching rule for traffic on this interface, coming from this network and data which is one of the following types: •...

  • Page 224

    The first rule allows the authentication process to take place and assumes the client is trying to access the lan_ip IP address, which is the IP address of the interface on the D-Link Firewall where the local network connects.

  • Page 225

    8.2.6. HTTP Authentication Chapter 8. User Authentication Action Src Interface Src Network Dest Interface Dest Network Service Allow lannet core lan_ip http-all trusted_users all-nets http-all lannet all-nets dns-all lannet all-nets http-all all-to-one 127.0.0.1 Allow lannet all-nets http-all The SAT rule catches all unauthenticated requests and must be set up with an all-to-one address mapping that directs them to the address 127.0.0.1 which corresponds to core (NetDefendOS itself).

  • Page 226: Creating An Authentication User Group, User Authentication Setup For Web Access

    8.2.6. HTTP Authentication Chapter 8. User Authentication Example 8.1. Creating an authentication user group In the example of an authentication address object in the Address Book, a user group "users" is used to enable user authentication on "lannet". This example shows how to configure the user group in the NetDefendOS database.

  • Page 227: Configuring A Radius Server

    8.2.6. HTTP Authentication Chapter 8. User Authentication • Source Network: lannet • Destination Interface core • Destination Network lan_ip Click OK B. Set up the Authentication Rule Go to User Authentication > User Authentication Rules > Add > User Authentication Rule Now enter: •...

  • Page 228

    8.2.6. HTTP Authentication Chapter 8. User Authentication Port: 1812 (RADIUS service uses UDP port 1812 by default) Retry Timeout: 2 (NetDefendOS will resend the authentication request to the sever if there is no response after the timeout, for example every 2 seconds. This will be retried a maximum of 3 times) Shared Secret: Enter a text string here for basic encryption of the RADIUS messages.

  • Page 229: The Need For Vpns, Overview, Vpn Encryption, Vpn Planning

    Chapter 9. VPN This chapter describes VPN usage with NetDefendOS. • Overview, page 229 • VPN Quickstart Guide, page 231 • IPsec, page 240 • IPsec Tunnels, page 253 • PPTP/L2TP, page 260 9.1. Overview 9.1.1. The Need for VPNs Most networks are connected to each other through the Internet.

  • Page 230: Key Distribution

    9.1.4. Key Distribution Chapter 9. VPN • Protecting mobile and home computers • Restricting access through the VPN to needed services only, since mobile computers are vulnerable • Creating DMZs for services that need to be shared with other companies through VPNs •...

  • Page 231: Vpn Quickstart Guide, Ipsec Lan To Lan With Pre-shared Keys

    The remote network which lies behind the remote VPN gateway (let's call this object remote_net). • The local network behind the D-Link Firewall which will communicate across the tunnel. Here we will assume that this is the pre-defined address lannet and this network is attached to the NetDefendOS lan interface.

  • Page 232: Ipsec Roaming Clients With Pre-shared Keys

    9.2.2. IPsec Roaming Clients with Chapter 9. VPN Pre-shared Keys the Destination Interface. The rule's Destination Network is the remote network remote_net. • An Allow rule for inbound traffic that has the previously defined ipsec_tunnel object as the Source Interface. The Source Network is remote_net. Action Src Interface Src Network...

  • Page 233

    9.2.2. IPsec Roaming Clients with Chapter 9. VPN Pre-shared Keys Authentication section of an IP object. If that IP object is then used as the Source Network of a rule in the IP rule set, that rule will only apply to a user if their Group string matches the Group string of the IP object.

  • Page 234: Ipsec Roaming Clients With Certificates, L2tp Roaming Clients With Pre-shared Keys

    Enable the IKE Config Mode option in the IPsec Tunnel object ipsec_tunnel. Configuring the IPsec Client In both cases (A) and (B) above the IPsec client will need to configured with the URL of the D-Link Firewall as well as the pre-shared key.

  • Page 235

    9.2.4. L2TP Roaming Clients with Chapter 9. VPN Pre-Shared Keys Define a Pre-shared Key for the IPsec tunnel. Define an IPsec Tunnel object (let's call this object ipsec_tunnel) with the following parameters: • Set Local Network to ip_ext (specify all-nets instead if NetDefendOS is behind a NATing device).

  • Page 236: L2tp Roaming Clients With Certificates, Pptp Roaming Clients

    A major secondary disadvantage is not being able to NAT PPTP connections through a tunnel so multiple clients can use a single connection to the D-Link Firewall. If NATing is tried then only the first client that tries to connect will succeed.

  • Page 237: Vpn Troubleshooting

    As described for L2TP, the NAT rule lets the clients access the public Internet via the D-Link Firewall. Set up the client. For Windows XP, the procedure is exactly as described for L2TP above but without entering the pre-shared key.

  • Page 238

    Use ICMP Ping to confirm that the tunnel is working. With roaming clients this is best done by Pinging the internal IP address of the local network interface on the D-Link Firewall from a client (in LAN to LAN setups pinging could be done in any direction). If NetDefendOS is to able to respond to a Ping then the following rule must exist in the IP rule set.

  • Page 239: Management Interface Failure With Vpn

    Once this command is issued, an ICMP ping can be then sent to the D-Link Firewall from the other end of the tunnel. This will cause ikesnoop verbose to output details of the tunnel setup.

  • Page 240: Ipsec, Overview, Internet Key Exchange (ike)

    9.3. IPsec Chapter 9. VPN 9.3. IPsec 9.3.1. Overview Internet Protocol Security (IPsec), is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP security at the network layer. An IPsec based VPN is made up by two parts: •...

  • Page 241

    9.3.2. Internet Key Exchange (IKE) Chapter 9. VPN IKE Negotiation The process of negotiating session parameters consists of a number of phases and modes. These are described in detail in the below sections. The flow of events can summarized as follows: IKE Phase-1 •...

  • Page 242

    When installing two D-Link Firewalls as VPN endpoints, this process is reduced to comparing fields in two identical dialog boxes. However, it is not quite as easy when equipment from different vendors is involved.

  • Page 243

    This field can also be set to "none", forcing the D-Link VPN to treat the remote address as the remote gateway. This is particularly useful in cases of roaming access, where the IP addresses of the remote VPN clients are not known beforehand.

  • Page 244

    9.3.2. Internet Key Exchange (IKE) Chapter 9. VPN • Cast128 • 3DES • DES is only included to be interoperable with other older VPN implementations. Use of DES should be avoided whenever possible, since it is an old algorithm that is no longer considered secure.

  • Page 245: Ike Authentication

    However, this one is used solely for PFS. IPsec Encryption The encryption algorithm to use on the protected traffic. This is not needed when AH is used, or when ESP is used without encryption. The algorithms supported by D-Link Firewall VPNs are: • • Blowfish •...

  • Page 246

    IKE is not used at all; the encryption and authentication keys as well as some other parameters are directly configured on both sides of the VPN tunnel. Note D-Link Firewalls do not support Manual Keying. Manual Keying Advantages Since it is very straightforward it will be quite interoperable. Most interoperability problems encountered today are in IKE.

  • Page 247: Ipsec Protocols (esp/ah), The Ah Protocol, The Esp Protocol

    9.3.4. IPsec Protocols (ESP/AH) Chapter 9. VPN roaming clients. Instead, should a client be compromised, the client's certificate can simply be revoked. No need to reconfigure every client. Certificate Disadvantages Added complexity. Certificate-based authentication may be used as part of a larger public key infrastructure, making all VPN clients and firewalls dependent on third parties.

  • Page 248: Nat Traversal

    9.3.5. NAT Traversal Chapter 9. VPN 9.3.5. NAT Traversal Both IKE and IPsec protocols present a problem in the functioning of NAT. Both protocols were not designed to work through NATs and because of this, a technique called "NAT traversal" has evolved.

  • Page 249: Proposal Lists, Using A Proposal List

    The ike-roamingclients and esp-tn-roamingclients proposal lists are suitable for VPN tunnels that are used for roaming VPN clients. These proposal lists are compatible with the default proposal lists in the D-Link VPN Client. As the name implies, the ike-lantolan and esp-tn-lantolan are suitable for LAN-to-LAN VPN solutions.

  • Page 250: Pre-shared Keys, Using A Pre-shared Key

    9.3.7. Pre-shared Keys Chapter 9. VPN Go to Objects > VPN Objects > IKE Algorithms > Add > IPsec Algorithms Enter a name for the list eg. esp-l2tptunnel. Now check the following: • • 3DES • SHA1 • Click OK Then, apply the proposal list to the IPsec tunnel: Go to Interfaces >...

  • Page 251: Identification Lists, Using An Identity List

    Click OK 9.3.8. Identification Lists When X.509 certificates are used as authentication method for IPsec tunnels, the D-Link Firewall will accept all remote firewalls or VPN clients that are capable of presenting a certificate signed by any of the trusted Certificate Authorities. This can be a potential problem, especially when using roaming clients.

  • Page 252

    • Organizational Unit: Support • Country: Sweden • Email Address: john.doe@D-Link.com Click OK Finally, apply the Identification List to the IPsec tunnel: Go to Interfaces > IPsec In the grid control, click on the IPsec tunnel object of interest Under the Authentication tab, choose X.509 Certificate Select the appropriate certificate in the Root Certificate(s) and Gateway Certificate controls.

  • Page 253: Ipsec Tunnels, Overview, Lan To Lan Tunnels With Pre-shared Keys, Roaming Clients

    Secure communication is achieved through the use of IPsec tunneling, with the tunnel extending from the VPN gateway at one location to the VPN gateway at another location. The D-Link Firewall is therefore the implementor of the VPN, while at the same time applying normal security surveillance of traffic passing through the tunnel.

  • Page 254: Setting Up A Psk Based Vpn Tunnel For Roaming Clients

    Dealing with Unknown IP addresses If the IP address of the client is not known before hand then the D-Link Firewall needs to create a route in its routing table dynamically as each client connects. In the example below this is the case and the IPsec tunnel is configured to dynamically add routes.

  • Page 255: Setting Up A Self-signed Certificate Based Vpn Tunnel For Roaming Clients

    Example 9.5. Setting up a Self-signed Certificate based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office D-Link Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip.

  • Page 256: Setting Up A Ca Server Issued Certificate Based Vpn Tunnel For Roaming Clients

    Example 9.6. Setting up a CA Server issued Certificate based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office D-Link Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip.

  • Page 257

    9.4.3. Roaming Clients Chapter 9. VPN Click OK Go to Objects > VPN Objects > ID List > Sales > Add > ID Enter the name for the client Select Email as Type In the Email address field, enter the email address selected when you created the certificate on the client Create a new ID for every client that you want to grant access rights according to the instructions above C.

  • Page 258: Setting Up Config Mode, Using Config Mode With Ipsec Tunnels

    9.4.3. Roaming Clients Chapter 9. VPN Currently only one Config Mode object can be defined in NetDefendOS and this is referred to as the Config Mode Pool object. The key parameters associated with it are as follows: Use Pre-defined IP Pool Object The IP Pool object that provides the IP addresses.

  • Page 259: Fetching Crls From An Alternate Ldap Server, Setting Up An Ldap Server

    An X.509 root certificate usually includes the IP address or hostname of the Certificate Authority to contact when certificates or Certificate Revocation Lists need to be downloaded to the D-Link Firewall. Lightweight Directory Access Protocol (LDAP) is used for these downloads.

  • Page 260: Pptp/l2tp, Pptp, Setting Up A Pptp Server

    A common problem with setting up PPTP is that a router and/or switch in a network is blocking TCP port 1723 and/or IP protocol 47 before the PPTP connection can be made to the D-Link Firewall. Examining the log can indicate if this problem occurred, with a log message of the...

  • Page 261: L2tp, Setting Up An L2tp Server

    IPsec. The client communicates with a Local Access Concentrator (LAC) and the LAC communicates across the Internet with a L2TP Network Server (LNS). The D-Link Firewall acts as the LNS. The LAC is, in effect, tunneling data, such as a PPP session, using IPsec to the LNS across the Internet.

  • Page 262: Setting Up An L2tp Tunnel

    9.5.2. L2TP Chapter 9. VPN Now enter: • Inner IP Address: ip_l2tp • Tunnel Protocol: L2TP • Outer Interface Filter: l2tp_ipsec • Outer Server IP: wan_ip Under the PPP Parameters tab, select L2TP_Pool in the IP Pool control Under the Add Route tab, select all_nets in the Allowed Networks control Click OK Use User Authentication Rules is enabled as default.

  • Page 263

    9.5.2. L2TP Chapter 9. VPN DHCPOverIPsec=Yes AddRouteToRemoteNet=Yes IPsecLifeTimeKilobytes=250000 IPsecLifeTimeSeconds=3600 Web Interface Go to Interfaces > IPsec > Add > IPsec Tunnel Enter a name for the IPsec tunnel, eg. l2tp_ipsec Now enter: Local Network: wan_ip Remote Network: all-nets Remote Endpoint: none Encapsulation Mode: Transport IKE Proposal List: ike-roamingclients IPsec Proposal List: esp-l2tptunnel...

  • Page 264

    9.5.2. L2TP Chapter 9. VPN In the ProxyARP control, select the lan interface. Click OK In order to authenticate the users using the L2TP tunnel, a user authentication rule needs to be configured. D. Next will be setting up the authentication rules: gw-world:/>...

  • Page 265

    9.5.2. L2TP Chapter 9. VPN Click OK Go to Rules > IP Rules > Add > IPRule Enter a name for the rule, eg. NATL2TP Now enter: • Action: NAT • Service: all_services • Source Interface: l2tp_tunnel • Source Network: l2tp_pool •...

  • Page 266

    9.5.2. L2TP Chapter 9. VPN...

  • Page 267: Traffic Management, Traffic Shaping, Introduction

    NetDefendOS provides QoS control by allowing the administrator to apply limits and guarantees to the network traffic passing through a D-Link Firewall. This approach is often referred to as traffic shaping and is well suited to managing bandwidth for LANs as well as to managing the bottlenecks that might be found in larger WANs.

  • Page 268: Traffic Shaping In Netdefendos

    Pipe Rule. These lists are: • The Forward Chain These are the pipes that will be used for outgoing (leaving) traffic from the D-Link Firewall. One, none or a series of pipes may be specified. •...

  • Page 269: Simple Bandwidth Limiting, Pipe Rule Set To Pipe Packet Flow, Applying A Simple Bandwidth Limit

    10.1.3. Simple Bandwidth Limiting Chapter 10. Traffic Management Figure 10.1. Pipe rule set to Pipe Packet Flow Where one pipe is specified in a list then that is the pipe whose characteristics will be applied to the traffic. If a series of pipes are specified then these will form a Chain of pipes through which traffic will pass.

  • Page 270: Limiting Bandwidth In Both Directions

    10.1.4. Limiting Bandwidth in Both Chapter 10. Traffic Management Directions gw-world:/> add PipeRule ReturnChain=std-in SourceInterface=lan SourceNetwork=lannet DestinationInterface=wan DestinationNetwork=all-nets Service=all_services name=Outbound Web Interface Go to Traffic Management > Traffic Shaping > Pipes > Add > Pipe Rule Specify a suitable name for the pipe, for instance outbound. Now enter: •...

  • Page 271: Creating Differentiated Limits With Chains

    10.1.5. Creating Differentiated Limits Chapter 10. Traffic Management with Chains gw-world:/> add Pipe std-out LimitKbpsTotal=2000 Web Interface Go to Traffic Management > Traffic Shaping > Pipes > Add > Pipe Specify a name for the pipe, eg. std-out Enter 2000 in Total textbox Click OK After creating a pipe for outbound bandwidth control, add it to the forward pipe chain of the rule created in the previous example:...

  • Page 272: Precedences, The Eight Pipe Precedences

    10.1.6. Precedences Chapter 10. Traffic Management Setting up pipes in this way only puts limits on the maximum values for certain traffic types. It does not give priorities to different types of competing traffic. 10.1.6. Precedences All packets that pass through NetDefendOS traffic shaping pipes have a precedence. In the examples so far, precedences have not been explicitly set and so all packets have had the same default precedence of 0.

  • Page 273: Minimum And Maximum Pipe Precedence

    10.1.6. Precedences Chapter 10. Traffic Management These limits can be specified in kilobits per second and/or packets per second (if both are specified then the first limit reached will be the limit used). In precedences are used then the total limit for the pipe as a whole must be specified so the pipe knows when what its capacity is and therefore when precedences are used.

  • Page 274: Guarantees, Differentiated Guarantees

    10.1.7. Guarantees Chapter 10. Traffic Management for other services such as surfing, DNS or FTP. A means is therefore required to ensure that lower priority traffic gets some portion of bandwidth and this is done with Bandwidth Guarantees. 10.1.7. Guarantees Bandwidth guarantees ensure that there is a minimum amount of bandwidth available for a given precedence.

  • Page 275: Groups, Traffic Grouped Per Ip Address

    10.1.9. Groups Chapter 10. Traffic Management telnet-in pipes. Notice that we did not set a total limit for the ssh-in and telnet-in pipes. We do not need to since the total limit will be enforced by the std-in pipe at the end of the respective chains. The ssh-in and telnet-in pipes act as a "priority filter": they make sure that no more than the reserved amount, 64 and 32 kbps, respectively, of precedence 2 traffic will reach std-in.

  • Page 276: Recommendations

    10.1.10. Recommendations Chapter 10. Traffic Management Instead of specifying a total group limit, the alternative is to enable the Dynamic Balancing option. This ensures that the available bandwidth is divided equally between all addresses regardless of how many there are and this is done up to the limit of the pipe. If a total group limit of 100 bps is also specified, as before, then no one user may take more than that amount of bandwidth.

  • Page 277: A Summary Of Traffic Shaping

    Traffic shaping cannot protect against incoming resource exhaustion attacks, such as DoS attacks or other flooding attacks. NetDefendOS will prevent these extraneous packets from reaching the hosts behind the D-Link Firewall, but cannot protect the connection becoming overloaded if an attack floods it.

  • Page 278

    10.1.11. A Summary of Traffic Shaping Chapter 10. Traffic Management • A pipe can have a limit which is the maximum amount of traffic allowed. • A pipe can only know when it is full if a limit is specified. •...

  • Page 279: Threshold Rules, Overview, Connection Rate/total Connection Limiting, Grouping, Rule Actions

    Total Connection Limiting allows the administrator to put a limit on the total number of connections opened to the D-Link Firewall. This function is extremely useful when NAT pools are required due to the large number of connections generated by P2P users.

  • Page 280: Multiple Triggered Actions, Exempted Connections, Threshold Rules And Zonedefense, Threshold Rule Blacklisting

    Threshold Rules. 10.2.7. Threshold Rules and ZoneDefense Threshold Rules are used in the D-Link ZoneDefense feature to block the source of excessive connection attmepts from internal hosts. For more information on this refer to Chapter 12, ZoneDefense.

  • Page 281: Server Load Balancing, Overview, A Server Load Balancing Configuration

    (sometimes called a "server farm") to handle many more requests than a single server. The image below illustrates a typical SLB scenario, with Internet access to applications being controlled by a D-Link Firewall.

  • Page 282: Identifying The Servers, The Load Distribution Mode, The Distribution Algorithm

    10.3.2. Identifying the Servers Chapter 10. Traffic Management SLB also means that network administrators can perform maintenance tasks on servers or applications without disrupting services. Individual servers can be restarted, upgraded, removed, or replaced, and new servers and applications can be added or moved without affecting the rest of a server farm, or taking down applications.

  • Page 283: Connections From Three Clients, Stickiness And Round-robin

    10 is used so that the number of new connections which were made to each server in the last 10 seconds will be remembered. An example is shown in the figure below. In this example, the D-Link Firewall is responsible for balancing connections from 3 clients with different addresses to 2 servers. Stickiness is set.

  • Page 284: Server Health Monitoring, Slb_sat Rules, Stickiness And Connection Rate

    SLB will use the default routing table unless the administrator sets a specific routing table location. D-Link Server Load Balancing provides the following monitoring modes: ICMP Ping This works at OSI layer 3. SLB will ping the IP address of each individual server in the server farm.

  • Page 285: Setting Up Slb

    The table below shows the rules that would be defined for a typical scenario of a set of webservers behind a D-Link Firewall for which the load is being balanced. The ALLOW rule allows external clients to access the webservers.

  • Page 286

    10.3.6. SLB_SAT Rules Chapter 10. Traffic Management Click OK Repeat the above to create an object called server2 for the 192.168.1.11 IP address. B. Create a Group which contains the 2 webserver objects: Go to Objects > Address Book > Add > IP4 Group Enter a suitable name, eg.

  • Page 287

    10.3.6. SLB_SAT Rules Chapter 10. Traffic Management • Service: HTTP • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: ip_ext Click OK...

  • Page 288

    10.3.6. SLB_SAT Rules Chapter 10. Traffic Management...

  • Page 289: High Availability, Overview

    It should be kept in mind that the master unit in a cluster is not always the same as the active unit. The active unit is the D-Link Firewall that is processing all traffic at a given point in time. This could be the slave if a failover has occurred because the master's operation has been impaired.

  • Page 290

    11.1. Overview Chapter 11. High Availability D-Link HA will only operate between two D-Link Firewalls. As the internal operation of different security gateway manufacturer's software is completely dissimilar, there is no common method available to communicating state information to a dissimilar device.

  • Page 291: High Availability Mechanisms

    Chapter 11. High Availability 11.2. High Availability Mechanisms D-Link HA provides a redundant, state-synchronized hardware configuration. The state of the active unit, such as the connection table and other vital information, is continuously copied to the inactive unit via the sync interface. When cluster failover occurs, the inactive unit knows which connections are active, and traffic can continue to flow.

  • Page 292

    11.2. High Availability Mechanisms Chapter 11. High Availability packets destined for the shared hardware address.

  • Page 293: High Availability Setup, Hardware Setup

    This section provides a step-by-step guide for setting up an HA Cluster. 11.3.1. Hardware Setup Start with two physically similar D-Link Firewalls. Both may be newly purchased or one may have been purchased to be the back-up unit (in other words, to be the slave unit).

  • Page 294: Netdefendos Setup, Verifying Cluster Functioning

    (NetDefendOS will automatically select the appropriate address from the master and slave IP addresses defined for the object). Repeat the above steps for the other D-Link Firewall but select the node type to be Slave. The configuration on both D-Link Firewalls needs to be the same. Configurations between the units are automatically synchronized.

  • Page 295

    11.3.3. Verifying Cluster Functioning Chapter 11. High Availability This device is an HA MASTER This device is currently ACTIVE (will forward traffic) HA cluster peer is ALIVE Then use the stat command to verify that both master and slave have about the same number of connections.

  • Page 296: High Availability Issues

    11.4. High Availability Issues Chapter 11. High Availability 11.4. High Availability Issues The following points should be kept in mind when managing and configuring an HA Cluster. SNMP SNMP statistics are not shared between master and slave. SNMP managers have no failover capabilities.

  • Page 297

    11.4. High Availability Issues Chapter 11. High Availability...

  • Page 298: Zonedefense, Overview

    • ZoneDefense Switches, page 299 • ZoneDefense Operation, page 300 12.1. Overview ZoneDefense allows a D-Link Firewall to control locally attached switches. It can be used as a counter-measure to stop a virus-infected computer in a local network from infecting other computers.

  • Page 299: Zonedefense Switches

    The switch model type • The SNMP community string (write access) The ZoneDefense feature currently supports the following switches: • D-Link DES 3226S (minimum firmware: R4.02-B14) • D-Link DES 3250TG (minimum firmware: R3.00-B09) • D-Link DES 3326S (minimum firmware: R4.01-B39) •...

  • Page 300: Zonedefense Operation, Snmp, Threshold Rules, Manual Blocking And Exclude Lists

    SNMP Managers A typical managing device, such as a D-Link Firewall, uses the SNMP protocol to monitor and control network devices in the managed environment. The manager can query stored statistics from the controlled devices by using the SNMP Community String. This is similar to a userid or password which allows access to the device's state information.

  • Page 301: A Simple Zonedefense Scenario

    (in network range 192.168.2.0/24 for example) from accessing the switch completely. A D-Link switch model DES-3226S is used in this case, with a management interface address 192.168.1.250 connecting to the firewall's interface address 192.168.1.1. This firewall interface is added into the exclude list to prevent the firewall from being accidentally locked out from accessing the switch.

  • Page 302: Limitations

    12.3.4. Limitations Chapter 12. ZoneDefense For Addresses choose the object name of the firewall's interface address 192.168.1.1 from the Available list and put it into the Selected list. Click OK Configure an HTTP threshold of 10 connections/second: Go to Traffic Management > Threshold Rules > Add > Threshold Rule For the Threshold Rule enter: •...

  • Page 303

    12.3.4. Limitations Chapter 12. ZoneDefense...

  • Page 304: Advanced Settings, Ip Level Settings

    Note After an advanced setting is changed a reconfiguration must be performed in order for the new NetDefendOS configuration to be uploaded to the D-Link Firewall and the new value to take effect. • IP Level Settings, page 304 •...

  • Page 305

    LogReceivedTTL0 Chapter 13. Advanced Settings LogNonIP4 Logs occurrences of IP packets that are not version 4. NetDefendOS only accepts version 4 IP packets; everything else is discarded. Default: 256 LogReceivedTTL0 Logs occurrences of IP packets received with the "Time To Live" (TTL) value set to zero. Under no circumstances should any network unit send packets with a TTL of 0.

  • Page 306

    IPOptionSizes Chapter 13. Advanced Settings Verifies that the size information contained in each "layer" (Ethernet, IP, TCP, UDP, ICMP) is consistent with that of other layers. Default: ValidateLogBad IPOptionSizes Verifies the size of "IP options". These options are small blocks of information that may be added to the end of each IP header.

  • Page 307: Tcp Level Settings

    13.2. TCP Level Settings Chapter 13. Advanced Settings 13.2. TCP Level Settings TCPOptionSizes Verifies the size of TCP options. This function acts in the same way as IPOptionSizes described above. Default: ValidateLogBad TCPMSSMin Determines the minimum permissible size of the TCP MSS. Packets containing maximum segment sizes below this limit are handled according to the next setting.

  • Page 308

    TCPZeroUnusedACK Chapter 13. Advanced Settings Default: 7000 bytes TCPZeroUnusedACK Determines whether NetDefendOS should set the ACK sequence number field in TCP packets to zero if it is not used. Some operating systems reveal sequence number information this way, which can make it easier for intruders wanting to hijack established connections. Default: Enabled TCPZeroUnusedURG Strips the URG pointers from all packets.

  • Page 309

    TCPOPT_CC Chapter 13. Advanced Settings to transport alternate checksums where permitted by ALTCHKREQ above. Normally never seen on modern networks. Default: StripLog TCPOPT_CC Determines how NetDefendOS will handle connection count options. Default: StripLogBad TCPOPT_OTHER Specifies how NetDefendOS will deal with TCP options not covered by the above settings. These options usually never appear on modern networks.

  • Page 310

    TCPRF Chapter 13. Advanced Settings Specifies how NetDefendOS will deal with TCP packets with either the Xmas or Ymas flag turned on. These flags are currently mostly used by OS Fingerprinting. Note: an upcoming standard called Explicit Congestion Notification also makes use of these TCP flags, but as long as there are only a few operating systems supporting this standard, the flags should be stripped.

  • Page 311: Icmp Level Settings

    13.3. ICMP Level Settings Chapter 13. Advanced Settings 13.3. ICMP Level Settings ICMPSendPerSecLimit Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section.

  • Page 312: Arp Settings

    13.4. ARP Settings Chapter 13. Advanced Settings 13.4. ARP Settings ARPMatchEnetSender Determines if NetDefendOS will require the sender address at Ethernet level to comply with the hardware address reported in the ARP data. Default: DropLog ARPQueryNoSenderIP What to do with ARP queries that have a sender IP of 0.0.0.0. Such sender IPs are never valid in responses, but network units that have not yet learned of their IP address sometimes ask ARP questions with an "unspecified"...

  • Page 313

    ARPExpireUnknown Chapter 13. Advanced Settings ARPExpire Specifies how long a normal dynamic item in the ARP table is to be retained before it is removed from the table. Default: 900 seconds (15 minutes) ARPExpireUnknown Specifies how long NetDefendOS is to remember addresses that cannot be reached. This is done to ensure that NetDefendOS does not continuously request such addresses.

  • Page 314: Stateful Inspection Settings

    This generates a log message for every packet that passes through a connection that is set up in the NetDefendOS state-engine. Traffic whose destination is the D-Link Firewall itself, for example NetDefendOS management traffic, is not subject to this setting.

  • Page 315

    LogConnections Chapter 13. Advanced Settings • NoLog – Does not log any connections; consequently, it will not matter if logging is enabled for either Allow or NAT rules in the Rules section; they will not be logged. However, FwdFast, Drop and Reject rules will be logged as stipulated by the settings in the Rules section. •...

  • Page 316: Connection Timeouts

    13.6. Connection Timeouts Chapter 13. Advanced Settings 13.6. Connection Timeouts The settings in this section specify how long a connection can remain idle, ie. no data being sent through it, before it is automatically closed. Please note that each connection has two timeout values: one for each direction.

  • Page 317

    AllowBothSidesToKeepConnAlive_UDP Chapter 13. Advanced Settings Default: False...

  • Page 318: Size Limits By Protocol

    13.7. Size Limits by Protocol Chapter 13. Advanced Settings 13.7. Size Limits by Protocol This section contains information about the size limits imposed on the protocols directly under IP level, ie. TCP, UDP, ICMP, etc. The values specified here concern the IP data contained in packets. In the case of Ethernet, a single packet can contain up to 1480 bytes of IP data without fragmentation.

  • Page 319

    MaxOSPFLen Chapter 13. Advanced Settings MaxSKIPLen Specifies the maximum size of a SKIP packet. Default: 2000 bytes MaxOSPFLen Specifies the maximum size of an OSPF packet. OSPF is a routing protocol mainly used in larger LANs. Default: 1480 MaxIPIPLen Specifies the maximum size of an IP-in-IP packet. IP-in-IP is used by Checkpoint Firewall-1 VPN connections when IPsec is not used.

  • Page 320: Fragmentation Settings

    13.8. Fragmentation Settings Chapter 13. Advanced Settings 13.8. Fragmentation Settings IP is able to transport up to 65536 bytes of data. However, most media, such as Ethernet, cannot carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate packets, each one given their own IP header and information that will help the recipient reassemble the original packet correctly.

  • Page 321

    FragReassemblyFail Chapter 13. Advanced Settings Default: Check8 – compare 8 random locations, a total of 32 bytes FragReassemblyFail Reassemblies may fail due to one of the following causes: • Some of the fragments did not arrive within the time stipulated by the ReassTimeout or ReassTimeLimit settings.

  • Page 322

    FragmentedICMP Chapter 13. Advanced Settings not match up. Possible settings are as follows: • NoLog - No logging is carried out under normal circumstances. • LogSuspect - Logs duplicated fragments if the reassembly procedure has been affected by "suspect" fragments. •...

  • Page 323

    ReassIllegalLinger Chapter 13. Advanced Settings Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in its memory in order to prevent further fragments of that packet from arriving. Default: 60 seconds...

  • Page 324: Local Fragment Reassembly Settings

    13.9. Local Fragment Reassembly Chapter 13. Advanced Settings Settings 13.9. Local Fragment Reassembly Settings LocalReass_MaxConcurrent Maximum number of concurrent local reassemblies. Default: 256 LocalReass_MaxSize Maximum size of a locally reassembled packet. Default: 10000 LocalReass_NumLarge Number of large ( over 2K) local reassembly buffers (of the above size). Default: 32...

  • Page 325: Dhcp Settings

    13.10. DHCP Settings Chapter 13. Advanced Settings 13.10. DHCP Settings DHCP_MinimumLeaseTime Minimum lease time (seconds) accepted from the DHCP server. Default: 60 DHCP_ValidateBcast Require that the assigned broadcast address is the highest address in the assigned network. Default: Enabled DHCP_AllowGlobalBcast Allow DHCP server to assign 255.255.255.255 as broadcast.

  • Page 326: Dhcprelay Settings

    13.11. DHCPRelay Settings Chapter 13. Advanced Settings 13.11. DHCPRelay Settings DHCPRelay_MaxTransactions Maximum number of transactions at the same time. Default: 32 DHCPRelay_TransactionTimeout For how long a dhcp transaction can take place. Default: 10 seconds DHCPRelay_MaxPPMPerIface How many dhcp-packets a client can send to through NetDefendOS to the dhcp-server during one minute.

  • Page 327: Dhcpserver Settings

    13.12. DHCPServer Settings Chapter 13. Advanced Settings 13.12. DHCPServer Settings DHCPServer_SaveLeasePolicy What policy should be used to save the lease database to the disk, possible settings are Disabled, ReconfShut, or ReconfShutTimer. Default: ReconfShut DHCPServer_AutoSaveLeaseInterval How often should the leases database be saved to disk if DHCPServer_SaveLeasePolicy is set to ReconfShutTimer.

  • Page 328: Ipsec Settings

    13.13. IPsec Settings Chapter 13. Advanced Settings 13.13. IPsec Settings IKESendInitialContact Determines whether or not IKE should send the "Initial Contact" notification message. This message is sent to each remote gateway when a connection is opened to it and there are no previous IPsec SA using that gateway.

  • Page 329

    IPsecDeleteSAOnIPValidationFailure Chapter 13. Advanced Settings IPsecDeleteSAOnIPValidationFailure Controls what happens to the SAs if IP validation in Config Mode fails. If Enabled, the security associations (SAs) are deleted on failure. Default: Disabled...

  • Page 330: Logging Settings

    13.14. Logging Settings Chapter 13. Advanced Settings 13.14. Logging Settings LogSendPerSecLimit This setting limits how many log packets NetDefendOS may send out per second. This value should never be set too low, as this may result in important events not being logged, nor should it be set too high.

  • Page 331: Time Synchronization Settings

    13.15. Time Synchronization Settings Chapter 13. Advanced Settings 13.15. Time Synchronization Settings TimeSync_SyncInterval Seconds between each resynchronization. Default: 86400 TimeSync_MaxAdjust Maximum time drift that a server is allowed to adjust. Default: 3600 TimeSync_ServerType Type of server for time synchronization, UDPTime or SNTP (Simple Network Time Protocol). Default: SNTP TimeSync_GroupIntervalSize Interval according to which server responses will be grouped.

  • Page 332

    TimeSync_DSTStartDate Chapter 13. Advanced Settings DST offset in minutes. Default: 0 TimeSync_DSTStartDate What month and day DST starts, in the format MM-DD. Default: none TimeSync_DSTEndDate What month and day DST ends, in the format MM-DD. Default: none...

  • Page 333: Ppp Settings

    13.16. PPP Settings Chapter 13. Advanced Settings 13.16. PPP Settings PPP_L2TPBeforeRules Pass L2TP traffic sent to the D-Link Firewall directly to the L2TP Server without consulting the rule set. Default: Enabled PPP_PPTPBeforeRules Pass PPTP traffic sent to the D-Link Firewall directly to the PPTP Server without consulting the rule set.

  • Page 334: Hardware Monitor Settings

    13.17. Hardware Monitor Settings Chapter 13. Advanced Settings 13.17. Hardware Monitor Settings HWM_PollInterval Polling intervall for Hardware Monitor which is the delay in milliseconds between reading of hardware monitor values. Minimum 100, Maximum 10000. Default: 500 ms HWMMem_Interval Memory polling interval which is the delay in minutes between reading of memory values. Minimum 1, Maximum 200.

  • Page 335: Packet Re-assembly Settings

    13.18. Packet Re-assembly Settings Chapter 13. Advanced Settings 13.18. Packet Re-assembly Settings Packet re-assembly collects IP fragments into complete IP datagrams and, for TCP, reorders segments so that they are processed in the correct order and also to keep track of potential segment overlaps and to inform other subsystems of such overlaps.

  • Page 336: Miscellaneous Settings

    13.19. Miscellaneous Settings Chapter 13. Advanced Settings 13.19. Miscellaneous Settings BufFloodRebootTime As a final way out, NetDefendOS automatically reboots if its buffers have been flooded for a long time. This setting specifies this amount of time. Default: 3600 MaxPipeUsers The maximum number of pipe users to allocate. As pipe users are only tracked for a 20th of a second, this number usually does not need to be anywhere near the number of actual users, or the number of statefully tracked connections.

  • Page 337

    MaxPipeUsers Chapter 13. Advanced Settings...

  • Page 338: A. Subscribing To Security Updates

    On purchase, you will receive a unique activation code to identify you as a user of the service. • Go to Maintenance > License in the web interface of your D-Link Firewall system and enter this activation code. NetDefendOS will indicate the code is accepted and the update service will be activated.

  • Page 339

    To get the status of AV updates: gw-world:/> updatecenter -status Antivirus Querying Server Status To get the status of the D-Link network servers use the command: gw-world:/> updatecenter -servers Deleting Local Databases Some technical problem in the operation of either IDP or the Anti-Virus modules may be resolved by deleting the database and reloading.

  • Page 340: B. Idp Signature Groups

    For IDP scanning, the following signature groups are available for selection. These groups are available only for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Policy. For further information see Section 6.5, “Intrusion Detection and Prevention”.

  • Page 341

    Appendix B. IDP Signature Groups Group Name Intrusion Type FTP_FORMATSTRING Format string attack FTP_GENERAL FTP protocol and implementation FTP_LOGIN Login attacks FTP_OVERFLOW FTP buffer overflow GAME_BOMBERCLONE Bomberclone game GAME_GENERAL Generic game servers/clients GAME_UNREAL UnReal Game server HTTP_APACHE Apache httpd HTTP_BADBLUE Badblue web server HTTP_CGI HTTP CGI...

  • Page 342

    Appendix B. IDP Signature Groups Group Name Intrusion Type POP3_DOS Denial of Service for POP POP3_GENERAL Post Office Protocol v3 POP3_LOGIN-ATTACKS Password guessing and related login attack POP3_OVERFLOW POP3 server overflow POP3_REQUEST-ERRORS Request Error PORTMAPPER_GENERAL PortMapper PRINT_GENERAL LP printing server: LPR LPD PRINT_OVERFLOW Overflow of LPR/LPD protocol/implementation REMOTEACCESS_GOTOMYPC...

  • Page 343

    Appendix B. IDP Signature Groups Group Name Intrusion Type TFTP_OPERATION Operation Attack TFTP_OVERFLOW TFTP buffer overflow attack TFTP_REPLY TFTP Reply attack TFTP_REQUEST TFTP request attack TROJAN_GENERAL Trojan UDP_GENERAL General UDP UDP_POPUP Pop-up window for MS Windows UPNP_GENERAL UPNP VERSION_CVS VERSION_SVN Subversion VIRUS_GENERAL Virus...

  • Page 344: C. Checked Mime Filetypes

    Appendix C. Checked MIME filetypes The HTTP Application Layer Gateway has the ability to verify that the contents of a file downloaded via the HTTP protocol is the type that the filetype in its filename indicates. This appendix lists the MIME filetypes that can be checked by NetDefendOS to make sure that the content matches the filetype of a download.

  • Page 345

    Appendix C. Checked MIME filetypes Filetype extension Application eMacs Lisp Byte-compiled Source Code ABT EMD Module/Song Format file ESP archive data Windows Executable Free Graphics Format file flac Free Lossless Audio Codec file FLIC Animated Picture FLIC Animation Macromedia Flash Video gdbm Database file Graphic Interchange Format file...

  • Page 346

    Appendix C. Checked MIME filetypes Filetype extension Application CrossePAC archive data Portable Bitmap Format Image Portable Bitmap Graphic Acrobat Portable Document Format Portable Executable file PostScript Type 1 Font Portable Graymap Graphic SysV R4 PKG Datastreams PAKLeo archive data PMarc archive data Portable (Public) Network Graphic PBM Portable Pixelmap Graphic PostScript file...

  • Page 347

    Appendix C. Checked MIME filetypes Filetype extension Application Lotus 1-2-3 document Windows Media file wrl, vrml Plain Text VRML file GIMP Image file Fast Tracker 2 Extended Module , audio file XML file xmcd xmcd database file for kscd BMC Software Patrol UNIX Icon file YAC compressed archive ZIF image Zip compressed archive file...

  • Page 348: D. The Osi Framework, D.1. The 7 Layers Of The Osi Model

    Appendix D. The OSI Framework The Open Systems Interconnection Model defines a framework for intercomputer communications. It categorizes different protocols for a great variety of network applications into seven smaller, more manageable layers. The model describes how data from an application in one computer can be transferred through a network medium to an application on another computer.

  • Page 349: E. D-link Worldwide Offices

    Appendix E. D-Link worldwide offices Below is a complete list of D-Link worldwide sales offices. Please check your own country area's local website for further details regarding support of D-Link products as well as contact details for local support. Australia 1 Giffnock Avenue, North Ryde, NSW 2113, Australia.

  • Page 350

    Appendix E. D-Link worldwide offices FAX: +972-9-9715601. Website: www.dlink.co.il Italy Via Nino Bonnet n. 6/b, 20154 – Milano, Italy. TEL: 39-02-2900-0676, FAX: 39-02-2900-1723. Website: www.dlink.it LatinAmerica Isidora Goyeechea 2934, Ofcina 702, Las Condes, Santiago – Chile. TEL: 56-2-232-3185, FAX: 56-2-232-0923. Website: www.dlink.cl...

  • Page 351: Alphabetical Index

    Alphabetical Index bandwidth guarantees, 274 blacklisting hosts and networks, 202 IDP, 194 access rules, 135 threshold rules, 280 accounting, 39 URL, 170 interim messages, 41 wildcarding, 170 limitations with NAT, 42 Block0000Src setting, 305 messages, 39 Block0Net setting, 305 system shutdowns, 42 Block127Net setting, 305 address book, 48 blocking applications with IDP, 188...

  • Page 352

    Alphabetical Index DHCP_UseLinkLocalIP setting, 325 cluster ID, 296 DHCP_ValidateBcast setting, 325 issues, 296 DHCPRelay_AutoSaveRelayInterval setting, 326 mechanisms, 291 DHCPRelay_MaxAutoRoutes setting, 326 setup, 293 DHCPRelay_MaxHops setting, 326 with transparent mode, 120 DHCPRelay_MaxLeaseTime setting, 326 HighBuffers setting DHCPRelay_MaxPPMPerIface setting, 326 with high availability, 295 DHCPRelay_MaxTransactions setting, 326 HTTP DHCPRelay_TransactionTimeout setting, 326...

  • Page 353

    Alphabetical Index L2TP, 261 packet flow quickstart guide, 234 diagram, 19 Lan to Lan tunnels, 253 phishing (see content filtering) LayerSizeConsistency setting, 305 pipe rules, 268, 268 LDAP servers, 259 pipes, 268, 268 link state algorithm, 103 policies, 73 LocalReass_MaxConcurrent setting, 324 policy based routing, 98 LocalReass_MaxSize setting, 324 POP3 ALG, 151...

  • Page 354

    Alphabetical Index TCP and UDP, 53 TimeSync_DSTEnabled setting, 331 SilentlyDropStateICMPErrors setting, 311 TimeSync_DSTEndDate setting, 332 simple network management protocol (see SNMP) TimeSync_DSTOffs setting, 331 TimeSync_DSTStartDate setting, 332 ALG, 152 TimeSync_GroupIntervalSize setting, 331 SMTP TimeSync_MaxAdjust setting, 331 ALG, 146 TimeSync_ServerType setting, 331 header verification, 149 TimeSync_SyncInterval setting, 331 SNMP...

  • Page 355

    Alphabetical Index X.509 certificates, 79 identification lists, 251 with IPsec, 234 zonedefense IDP, 194 zone defense, 298 switches, 299...

Comments to this Manuals

Symbols: 0
Latest comments: