Download Print this page

D-Link DFL-260E User Manual

Network security firewall netdefendos version 2.27.03
Hide thumbs

Advertisement

Network Security Firewall
User Manual
NetDefendOS
Security
Security
Ver.
2.27.03
Network Security Solution
http://www.dlink.com

Advertisement

loading

  Also See for D-Link DFL-260E

  Related Manuals for D-Link DFL-260E

  Summary of Contents for D-Link DFL-260E

  • Page 1 Network Security Firewall User Manual NetDefendOS Security Security Ver. 2.27.03 Network Security Solution http://www.dlink.com...
  • Page 2: User Manual

    User Manual DFL-210/260/260E/800/860/860E DFL-1600/1660/2500/2560/2560G NetDefendOS Version 2.27.03 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2010-11-11 Copyright © 2010...
  • Page 3 D-Link reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such revision or changes.
  • Page 4: Table Of Contents

    Table of Contents Preface .......................14 1. NetDefendOS Overview ..................16 1.1. Features ....................16 1.2. NetDefendOS Architecture ..............19 1.2.1. State-based Architecture ...............19 1.2.2. NetDefendOS Building Blocks ............19 1.2.3. Basic Packet Flow ................20 1.3. NetDefendOS State Engine Packet Flow .............23 2. Management and Maintenance ................28 2.1.
  • Page 5 User Manual 3.2.3. ICMP Services ................89 3.2.4. Custom IP Protocol Services ............91 3.2.5. Service Groups ................91 3.2.6. Custom Service Timeouts ..............92 3.3. Interfaces ....................93 3.3.1. Overview ...................93 3.3.2. Ethernet Interfaces ...............95 3.3.3. VLAN ..................101 3.3.4. PPPoE ..................105 3.3.5. GRE Tunnels ................107 3.3.6.
  • Page 6 6.4.2. Implementation ................. 314 6.4.3. Activating Anti-Virus Scanning ............ 315 6.4.4. The Signature Database .............. 316 6.4.5. Subscribing to the D-Link Anti-Virus Service ......... 316 6.4.6. Anti-Virus Options ..............316 6.5. Intrusion Detection and Prevention ............320 6.5.1. Overview ................. 320 6.5.2.
  • Page 7 User Manual 7. Address Translation ..................340 7.1. Overview .................... 340 7.2. NAT ....................341 7.3. NAT Pools ..................346 7.4. SAT ....................349 7.4.1. Translation of a Single IP Address (1:1) ......... 349 7.4.2. Translation of Multiple IP Addresses (M:N) ........354 7.4.3.
  • Page 8 User Manual 9.7.2. Troubleshooting Certificates ............443 9.7.3. IPsec Troubleshooting Commands ..........444 9.7.4. Management Interface Failure with VPN ........445 9.7.5. Specific Error Messages .............. 445 9.7.6. Specific Symptoms ..............448 10. Traffic Management ..................451 10.1. Traffic Shaping .................. 451 10.1.1.
  • Page 9 User Manual 13.1. IP Level Settings ................511 13.2. TCP Level Settings ................515 13.3. ICMP Level Settings ................520 13.4. State Settings ..................521 13.5. Connection Timeout Settings ..............523 13.6. Length Limit Settings ................525 13.7. Fragmentation Settings ................ 527 13.8.
  • Page 10 List of Figures 1.1. Packet Flow Schematic Part I ................23 1.2. Packet Flow Schematic Part II ................24 1.3. Packet Flow Schematic Part III .................25 1.4. Expanded Apply Rules Logic ................26 3.1. VLAN Connections ..................103 3.2. An ARP Publish Ethernet Frame ..............116 3.3.
  • Page 11 User Manual 10.9. A Server Load Balancing Configuration ............480 10.10. Connections from Three Clients ..............483 10.11. Stickiness and Round-Robin ............... 484 10.12. Stickiness and Connection-rate ..............484 D.1. The 7 Layers of the OSI Model ..............544...
  • Page 12 3.24. Manually Triggering a Time Synchronization ..........140 3.25. Modifying the Maximum Adjustment Value ............ 140 3.26. Forcing Time Synchronization ..............141 3.27. Enabling the D-Link NTP Server ..............141 3.28. Configuring DNS Servers ................144 4.1. Displaying the main Routing Table ..............154 4.2.
  • Page 13 User Manual 4.14. IGMP - No Address Translation ..............206 4.15. if1 Configuration ..................207 4.16. if2 Configuration - Group Translation ............. 208 4.17. Setting up Transparent Mode for Scenario 1 ............ 219 4.18. Setting up Transparent Mode for Scenario 2 ............ 220 5.1.
  • Page 14: Preface

    Preface Intended Audience The target audience for this reference guide is Administrators who are responsible for configuring and managing NetDefend Firewalls which are running the NetDefendOS operating system. This guide assumes that the reader has some basic knowledge of networks and network security. Text Structure and Conventions The text is broken down into chapters and sub-sections.
  • Page 15 Preface items in the tree-view list at the left of the interface or in the menu bar or in a context menu need to be opened followed by information about the data items that need to be entered: Go to Item X > Item Y > Item Z Now enter: •...
  • Page 16: Netdefendos Overview

    • NetDefendOS Architecture, page 19 • NetDefendOS State Engine Packet Flow, page 23 1.1. Features D-Link NetDefendOS is the base software engine that drives and controls the range of NetDefend Firewall hardware products. NetDefendOS as a Network Security Operating System Designed as a network security operating system, NetDefendOS features high throughput performance with high reliability plus super-granular control.
  • Page 17 More information about the IDP capabilities of NetDefendOS can be found in Section 6.5, “Intrusion Detection and Prevention”. Note Full IDP is available on all D-Link NetDefend product models as a subscription service. On some models, a simplified IDP subsystem is provided as standard..
  • Page 18 Chapter 2, Management and Maintenance. ZoneDefense NetDefendOS can be used to control D-Link switches using the ZoneDefense feature. This allows NetDefendOS to isolate portions of a network that contain hosts that are the source of undesirable network traffic.
  • Page 19: Netdefendos Architecture

    1.2. NetDefendOS Architecture Chapter 1. NetDefendOS Overview 1.2. NetDefendOS Architecture 1.2.1. State-based Architecture The NetDefendOS architecture is centered around the concept of state-based connections. Traditional IP routers or switches commonly inspect all packets and then perform forwarding decisions based on information found in the packet headers. With this approach, packets are forwarded without any sense of context which eliminates any possibility to detect and analyze complex protocols and enforce corresponding security policies.
  • Page 20: Basic Packet Flow

    1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview NetDefendOS Rule Sets Finally, rules which are defined by the administrator in the various rule sets are used for actually implementing NetDefendOS security policies. The most fundamental set of rules are the IP Rules, which are used to define the layer 3 IP filtering policy as well as carrying out address translation and server load balancing.
  • Page 21 1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview • Source and destination interfaces • Source and destination network • IP protocol (for example TCP, UDP, ICMP) • TCP/UDP ports • ICMP types • Point in time in reference to a predefined schedule If a match cannot be found, the packet is dropped.
  • Page 22 1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview processing such as encryption or encapsulation might occur. The next section provides a set of diagrams illustrating the flow of packets through NetDefendOS.
  • Page 23: Netdefendos State Engine Packet Flow

    1.3. NetDefendOS State Engine Packet Chapter 1. NetDefendOS Overview Flow 1.3. NetDefendOS State Engine Packet Flow The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next. It is not necessary to understand these diagrams, however, they can be useful as a reference when configuring NetDefendOS in certain situations.
  • Page 24: Packet Flow Schematic Part Ii

    1.3. NetDefendOS State Engine Packet Chapter 1. NetDefendOS Overview Flow Figure 1.2. Packet Flow Schematic Part II The packet flow is continued on the following page.
  • Page 25: Packet Flow Schematic Part Iii

    1.3. NetDefendOS State Engine Packet Chapter 1. NetDefendOS Overview Flow Figure 1.3. Packet Flow Schematic Part III...
  • Page 26: Expanded Apply Rules Logic

    1.3. NetDefendOS State Engine Packet Chapter 1. NetDefendOS Overview Flow Apply Rules The figure below presents the detailed logic of the Apply Rules function in Figure 1.2, “Packet Flow Schematic Part II” above. Figure 1.4. Expanded Apply Rules Logic...
  • Page 27 1.3. NetDefendOS State Engine Packet Chapter 1. NetDefendOS Overview Flow...
  • Page 28: Management And Maintenance

    Chapter 2. Management and Maintenance This chapter describes the management, operations and maintenance related aspects of NetDefendOS. • Managing NetDefendOS, page 28 • Events and Logging, page 57 • RADIUS Accounting, page 62 • Hardware Monitoring, page 67 • SNMP Monitoring, page 69 •...
  • Page 29: The Default Administrator Account

    By default, Web Interface access is enabled for users on the network connected via the LAN interface of the D-Link firewall (on products where more than one LAN interface is available, LAN1 is the default interface). 2.1.2. The Default Administrator Account By default, NetDefendOS has a local user database, AdminUsers, that contains one predefined administrator account.
  • Page 30: The Web Interface

    Assignment of a Default IP Address For a new D-Link NetDefend firewall with factory defaults, a default internal IP address is assigned automatically by NetDefendOS to the hardware's LAN1 interface (or the LAN interface on models wihout multiple LAN interfaces).
  • Page 31 The Web Interface login dialog offers the option to select a language other than English for the interface. Language support is provided by a set of separate resource files. These files can be downloaded from the D-Link website. It may occasionally be the case that a NetDefendOS upgrade can contain features that temporarily lack a complete non-english translation because of time constraints.
  • Page 32 2.1.3. The Web Interface Chapter 2. Management and Maintenance For information about the default user name and password, see Section 2.1.2, “The Default Administrator Account” . Note: Remote management access Access to the Web Interface is regulated by the configured remote management policy. By default, the system will only allow web access from the internal network.
  • Page 33: Enabling Remote Management Via Https

    2.1.3. The Web Interface Chapter 2. Management and Maintenance Update Center - Manually update or schedule updates of the intrusion detection and antivirus signatures. License - View license details or enter activation code. iii. Backup - Make a backup of the configuration to a local computer or restore a previously downloaded backup.
  • Page 34: The Cli

    This section only provides a summary for using the CLI. For a complete reference for all CLI commands, see the separate D-Link CLI Reference Guide. The most often used CLI commands are: •...
  • Page 35 2.1.4. The CLI Chapter 2. Management and Maintenance interface on an IP rule. • show - Displays the current categories or display the values of a particular object. • delete - Deletes a specific object. CLI Command Structure CLI commands usually begin with the structure: <command> <object_type> <object_name>. For example, to display an IP address object called my_address, the command would be: gw-world:/>...
  • Page 36 2.1.4. The CLI Chapter 2. Management and Maintenance been entered. For example, when creating an IP rule for a particular IP rule set, the command line might begin: add IPRule If the tab key is now pressed, the mandatory parameters are displayed by NetDefendOS: A value is required for the following properties: Action DestinationNetwork...
  • Page 37 2.1.4. The CLI Chapter 2. Management and Maintenance add LogReceiverSyslog example Address=example_ip LogSeverity=Emergency However, if the "." character is used instead: add LogReceiverSyslog example Address=example_ip LogSeverity=. (tab) A list of all possible values is given: add LogReceiverSyslog example Address=example_ip LogSeverity=Emergency,Alert,Critical,Error,Warning,Notice,Info This list can then be edited with the back arrow and backspace keys.
  • Page 38 2.1.4. The CLI Chapter 2. Management and Maintenance Specifying Multiple Property Values Sometimes a command property may need multiple values. For example, some commands use the property AccountingServers and more than one value can be specified for this property. When specifying multiple values, they should be separated by a comma ","...
  • Page 39: Enabling Ssh Remote Access

    The serial console port is a local RS-232 port on the NetDefend Firewall that allows direct access to the NetDefendOS CLI through a serial connection to a PC or dumb terminal. To locate the serial console port on D-Link hardware, see the D-Link Quick Start Guide . To use the console port, the following equipment is required: •...
  • Page 40 2.1.4. The CLI Chapter 2. Management and Maintenance • Interface: lan • Network: lannet Click OK Logging on to the CLI When access to the CLI has been established to NetDefendOS through the serial console or an SSH client, the administrator will need to logon to the system before being able to execute any CLI command.
  • Page 41 2.1.4. The CLI Chapter 2. Management and Maintenance gw-world:/> where Device is the model number of the NetDefend Firewall. This can be customized, for example, to my-prompt:/>, by using the CLI command: gw-world:/> set device name="my-prompt" The CLI Reference Guide uses the command prompt gw-world:/> throughout. Tip: The CLI prompt is the WebUI device name When the command line prompt is changed to a new string value, this string also appears as the new device name in the top level node of the WebUI tree-view.
  • Page 42 2.1.4. The CLI Chapter 2. Management and Maintenance address book, starting with the interface IP: gw-world:/> set Address IP4Address if2_ip Address=10.8.1.34 The network IP address for the interface must also be set to the appropriate value: gw-world:/> set Address IP4Address if2_net Address=10.8.1.0/24 In this example, local IP addresses are used for illustration but these could be public IP addresses instead.
  • Page 43: Cli Scripts

    Create a text file with a text editor containing a sequential list of CLI commands, one per line. The D-Link recommended convention is for these files to use the file extension .sgs (Security Gateway Script). The filename, including the extension, should not be more than 16 characters.
  • Page 44 2.1.5. CLI Scripts Chapter 2. Management and Maintenance Note: The symbol $0 is reserved Notice that the name of the first variable is $1. The variable $0 is reserved and is always replaced before execution by the name of the script file itself. For example, a script called my_script.sgs is to be executed with IP address 126.12.11.01 replacing all occurrences of $1 in the script file and the string If1 address replacing all occurrences of $2.
  • Page 45 2.1.5. CLI Scripts Chapter 2. Management and Maintenance To move the example my_script.sgs to non-volatile memory the command would be: gw-world:/> script -store -name=my_script.sgs Alternatively, all scripts can be moved to non-volatile memory with the command: gw-world:/> script -store -all Removing Scripts To remove a saved script.
  • Page 46: Secure Copy

    2.1.6. Secure Copy Chapter 2. Management and Maintenance add IP4Address If1_ip Address=10.6.60.10 add IP4Address If1_net Address=10.6.60.0/24 add IP4Address If1_br Address=10.6.60.255 add IP4Address If1_dns1 Address=141.1.1.1 " " " The file new_script_sgs can then be downloaded with SCP to the local management workstation and then uploaded and executed on the other NetDefend Firewalls.
  • Page 47 2.1.6. Secure Copy Chapter 2. Management and Maintenance format for SCP client software. SCP Command Format SCP command syntax is straightforward for most console based clients. The basic command used here is scp followed by the source and destination for the file transfer. Upload is performed with the command: >...
  • Page 48: The Console Boot Menu

    2.1.7. The Console Boot Menu Chapter 2. Management and Maintenance Apart from the individual files, the objects types listed are: • HTTPALGBanners/ - The banner files for user authentication HTML. Uploading these is described further in Section 6.3.4.4, “Customizing HTML Pages”. •...
  • Page 49 2.1.7. The Console Boot Menu Chapter 2. Management and Maintenance Accessing the Console Boot Menu The boot menu is only accessible through a console device attached directly to the serial console located on the NetDefend Firewall. It can be accessed through the console after the NetDefend Firewall is powered up and before NetDefendOS is fully started.
  • Page 50: Management Advanced Settings

    2.1.8. Management Advanced Settings Chapter 2. Management and Maintenance Initial Options with a Console Password Set If a console password is set then the initial options that appear when NetDefendOS loading is interrupted with a key press are shown below. The 1.
  • Page 51: Working With Configurations

    2.1.9. Working with Configurations Chapter 2. Management and Maintenance Default: 30 WebUI HTTP port Specifies the HTTP port for the Web Interface. Default: 80 WebUI HTTPS port Specifies the HTTP(S) port for the Web Interface. Default: 443 HTTPS Certificate Specifies which certificate to use for HTTPS traffic. Only RSA certificates are supported. Default: HTTPS 2.1.9.
  • Page 52: Displaying A Configuration Object

    2.1.9. Working with Configurations Chapter 2. Management and Maintenance Command-Line Interface gw-world:/> show Service A list of all services will be displayed, grouped by their respective type. Web Interface Go to Objects > Services A web page listing all services will be presented. A list contains the following basic elements: •...
  • Page 53: Editing A Configuration Object

    2.1.9. Working with Configurations Chapter 2. Management and Maintenance Example 2.5. Editing a Configuration Object When the behavior of NetDefendOS is changed, it is most likely necessary to modify one or several configuration objects. This example shows how to edit the Comments property of the telnet service. Command-Line Interface gw-world:/>...
  • Page 54: Deleting A Configuration Object

    2.1.9. Working with Configurations Chapter 2. Management and Maintenance Web Interface Go to Objects > Address Book Click on the Add button In the dropdown menu displayed, select IP Address In the Name text box, enter myhost Enter 192.168.10.10 in the IP Address textbox Click OK Verify that the new IP4 address object has been added to the list Example 2.7.
  • Page 55: Listing Modified Configuration Objects

    2.1.9. Working with Configurations Chapter 2. Management and Maintenance Example 2.9. Listing Modified Configuration Objects This example shows how to list configuration objects that have been modified. Command-Line Interface gw-world:/> show -changes Type Object ------------- ------ IP4Address myhost ServiceTCPUDP telnet A "+"...
  • Page 56 2.1.9. Working with Configurations Chapter 2. Management and Maintenance The web browser will automatically try to connect back to the Web Interface after 10 seconds. If the connection succeeds, this is interpreted by NetDefendOS as confirmation that remote management is still working. The new configuration is then automatically committed.
  • Page 57: Events And Logging

    2.2. Events and Logging Chapter 2. Management and Maintenance 2.2. Events and Logging 2.2.1. Overview The ability to log and analyze system activities is an essential feature of NetDefendOS. Logging enables not only monitoring of system status and health, but also allows auditing of network usage and assists in trouble-shooting.
  • Page 58: Creating Log Receivers

    2.2.3. Creating Log Receivers Chapter 2. Management and Maintenance By default, NetDefendOS sends all messages of level Info and above to configured log servers. The Debug category is intended for troubleshooting only and should only be turned on if required when trying to solve a problem.
  • Page 59: Enable Logging To A Syslog Host

    The Prio and Severity fields The Prio= field in SysLog messages contains the same information as the Severity field for D-Link Logger messages. However, the ordering of the numbering is reversed. Example 2.11. Enable Logging to a Syslog Host To enable logging of all events with a severity greater than or equal to Notice to a Syslog server with IP address 195.11.22.55, follow the steps outlined below:...
  • Page 60: Snmp Traps

    The file DFLNNN-TRAP.MIB (where NNN indicates the model number of the firewall) is provided by D-Link and defines the SNMP objects and data types that are used to describe an SNMP Trap received from NetDefendOS.
  • Page 61: Advanced Log Settings

    2.2.7. Advanced Log Settings Chapter 2. Management and Maintenance Web Interface Go to Log & Event Receivers > Add > SNMP2cEventReceiver Specify a name for the event receiver, for example my_snmp Enter 195.11.22.55 as the IP Address Enter an SNMP Community String if needed by the trap receiver Click OK The system will now be sending SNMP traps for all events with a severity greater than or equal to Alert to an SNMP trap receiver at 195.11.22.55.
  • Page 62: Radius Accounting

    2.3. RADIUS Accounting Chapter 2. Management and Maintenance 2.3. RADIUS Accounting 2.3.1. Overview Within a network environment containing large numbers of users, it is advantageous to have one or a cluster of central servers that maintain user account information and are responsible for authentication and authorization tasks.
  • Page 63 2.3.2. RADIUS Accounting Messages Chapter 2. Management and Maintenance authentication server. • How Authenticated - How the user was authenticated. This is set to either RADIUS if the user was authenticated via RADIUS, or LOCAL if the user was authenticated via a local user database.
  • Page 64: Interim Accounting Messages

    2.3.3. Interim Accounting Messages Chapter 2. Management and Maintenance Tip: The meaning of the asterisk after a list entry The asterisk "*" symbol after an entry in the list above indicates that the sending of the parameter is optional and is configurable. 2.3.3.
  • Page 65: Handling Unresponsive Servers

    2.3.7. Handling Unresponsive Servers Chapter 2. Management and Maintenance Firewalls. This means that accounting information is automatically updated on both cluster members whenever a connection is closed. Two special accounting events are also used by the active unit to keep the passive unit synchronized: •...
  • Page 66: Radius Accounting Server Setup

    2.3.10. RADIUS Advanced Settings Chapter 2. Management and Maintenance continue to be logged in. Disabling the setting will mean that the user will be logged out if the RADIUS accounting server cannot be reached even though the user has been previously authenticated. Default: Enabled Logout at shutdown If there is an orderly shutdown of the NetDefend Firewall by the administrator, then NetDefendOS...
  • Page 67: Hardware Monitoring

    2.4. Hardware Monitoring Availability Certain D-Link hardware models allow the administrator to use the CLI to query the current value of various hardware operational parameters such as the current temperature inside the firewall. This feature is referred to as Hardware Monitoring.
  • Page 68 2.4. Hardware Monitoring Chapter 2. Management and Maintenance The -verbose option displays the current values plus the configured ranges: gw-world:/> hwm -a -v 2 sensors available Poll interval time = 500ms Name [type][number] = low_limit] current_value [high_limit (unit) ----------------------------------------------------------------- SYS Temp [TEMP 0] = 44.000]...
  • Page 69: Snmp Monitoring

    2.5. SNMP Monitoring Chapter 2. Management and Maintenance 2.5. SNMP Monitoring Overview Simple Network Management Protocol (SNMP) is a standardized protocol for management of network devices. An SNMP compliant client can connect to a network device which supports the SNMP protocol to query and control it. NetDefendOS supports SNMP version 1 and version 2.
  • Page 70: Snmp Advanced Settings

    2.5.1. SNMP Advanced Settings Chapter 2. Management and Maintenance SNMP access. Port 161 is usually used for SNMP and NetDefendOS always expects SNMP traffic on that port. Remote Access Encryption It should be noted that SNMP Version 1 or 2c access means that the community string will be sent as plain text over a network.
  • Page 71 2.5.1. SNMP Advanced Settings Chapter 2. Management and Maintenance Default: Enabled SNMP Request Limit Maximum number of SNMP requests that will be processed each second by NetDefendOS. Should SNMP requests exceed this rate then the excess requests will be ignored by NetDefendOS. Default: 100 System Contact The contact person for the managed node.
  • Page 72: The Pcapdump Command

    2.6. The pcapdump Command Chapter 2. Management and Maintenance 2.6. The pcapdump Command A valuable diagnostic tool is the ability to examine the packets that enter and leave the interfaces of a NetDefend Firewall. For this purpose, NetDefendOS provides the CLI command pcapdump which not only allows the examination of packet streams entering and leaving interfaces but also allows the filtering of these streams according to specified criteria.
  • Page 73 2.6. The pcapdump Command Chapter 2. Management and Maintenance It is possible to have multiple pcapdump executions being performed at the same time. The following points describe this feature: All capture from all executions goes to the same memory buffer. The command can be launched multiple times with different interfaces specified.
  • Page 74 2.6. The pcapdump Command Chapter 2. Management and Maintenance The name of the file used for pcapdump output must comply with the following rules: • Excluding the filename extension, the name may not exceed 8 characters in length. • The filename extension cannot exceed 3 characters in length. •...
  • Page 75: Maintenance

    The Intrusion Prevention and Detection system and Anti-Virus modules require access to updated signature databases in order to provide protection against the latest threats. To facilitate the Auto-Update feature D-Link maintains a global infrastructure of servers providing update services for NetDefend Firewalls. To ensure availability and low response times, NetDefendOS employs a mechanism for automatically selecting the most appropriate server to supply updates.
  • Page 76 2.7.2. Backing Up Configurations Chapter 2. Management and Maintenance Since a full system backup includes a NetDefendOS version, compatability is not an issue with these types of backup. With configuration only backups, the following should be noted: • A configuration backup created on a higher NetDefendOS version should never be uploaded to a lower NetDefendOS version.
  • Page 77: Restore To Factory Defaults

    A restore to factory defaults can be applied so that it is possible to return to the original hardware state that existed when the NetDefend Firewall was shipped by D-Link. When a restore is applied all data such as the IDP and Anti-Virus databases are lost and must be reloaded.
  • Page 78 The IP address 192.168.1.1 will be assigned to the LAN interface on the DFL-210, 260, 800 and 860 models. The IP address 192.168.10.1 is assigned to the LAN interface on the DFL-260E and DFL-860E models.
  • Page 79 2.7.3. Restore to Factory Defaults Chapter 2. Management and Maintenance...
  • Page 80: Fundamentals

    Chapter 3. Fundamentals This chapter describes the fundamental logical objects which make up a NetDefendOS configuration. These objects include such items as IP addresses and IP rules. Some exist by default and some must be defined by the administrator. In addition, the chapter explains the different interface types and explains how security policies are constructed the administrator.
  • Page 81: Adding An Ip Host

    3.1.2. IP Addresses Chapter 3. Fundamentals IP Network An IP Network is represented using Classless Inter Domain Routing (CIDR) form. CIDR uses a forward slash and a digit (0-32) to denote the size of the network as a postfix. This is also known as the netmask. /24 corresponds to a class C net with 256 addresses (netmask 255.255.255.0), /27 corresponds to a 32 address net (netmask 255.255.255.224) and so on.
  • Page 82: Ethernet Addresses

    3.1.3. Ethernet Addresses Chapter 3. Fundamentals This example adds a range of IP addresses from 192.168.10.16 to 192.168.10.21 and names the range wwwservers: Command-Line Interface gw-world:/> add Address IP4Address wwwservers Address=192.168.10.16-192.168.10.21 Web Interface Go to Objects > Address Book > Add > IP address Specify a suitable name for the IP Range, for example wwwservers.
  • Page 83: Address Groups

    3.1.4. Address Groups Chapter 3. Fundamentals The following example adds an Ethernet Address object named wwwsrv1_mac with the numerical MAC address 08-a3-67-bc-2e-f2. Command-Line Interface gw-world:/> add Address EthernetAddress wwwsrv1_mac Address=08-a3-67-bc-2e-f2 Web Interface Go to Objects > Address Book > Add > Ethernet Address Specify a suitable name for the Ethernet Address object, for example wwwsrv1_mac Enter 08-a3-67-bc-2e-f2 as the MAC Address Click OK...
  • Page 84: Auto-Generated Address Objects

    3.1.6. Address Book Folders Chapter 3. Fundamentals 3.1.5. Auto-Generated Address Objects To simplify the configuration, a number of address objects in the address book are automatically created by NetDefendOS when the system starts for the first time and these objects are used in various parts of the initial configuration.
  • Page 85: Services

    3.2. Services Chapter 3. Fundamentals 3.2. Services 3.2.1. Overview A Service object is a reference to a specific IP protocol with associated parameters. A service definition is usually based on one of the major transport protocols such as TCP or UDP which is associated with a specific source and/or destination port number(s).
  • Page 86: Creating Custom Services

    3.2.2. Creating Custom Services Chapter 3. Fundamentals Name Comments ------------ -------------------------------------------------- all_icmp All ICMP services " " Web Interface Go to Objects > Services Example 3.7. Viewing a Specific Service To view a specific service in the system: Command-Line Interface gw-world:/>...
  • Page 87 3.2.2. Creating Custom Services Chapter 3. Fundamentals Let us now take a closer look at TCP/UDP services. TCP and UDP Based Services Most applications use TCP and/or UDP as transport protocol for transferring data over IP networks. Transmission Control Protocol (TCP) is a connection-oriented protocol that includes mechanisms for reliable point to point transmission of data.
  • Page 88 3.2.2. Creating Custom Services Chapter 3. Fundamentals Tip: Specifying source ports It is usual with many services that the source ports are left as their default value which is the range 0-65535 (corresponding to all possible source ports). With certain application, it can be useful to also specify the source port if this is always within a limited range of values.
  • Page 89: Icmp Services

    3.2.3. ICMP Services Chapter 3. Fundamentals to refer to all protocols. However, using this is not recommended and specifying a narrower service provides better security. If, for example, the requirement is only to filter using the principal protocols of TCP, UDP and ICMP then the service group all_tcpudpicmp can be used instead.
  • Page 90 3.2.4. Custom IP Protocol Services Chapter 3. Fundamentals ICMP messages are delivered in IP packets, and includes a Message Type that specifies the format of the ICMP message and a Code that is used to further qualify the message. For example, the message type Destination Unreachable uses the Code parameter to specify the exact reason for the error.
  • Page 91: Custom Ip Protocol Services

    3.2.5. Service Groups Chapter 3. Fundamentals 3.2.4. Custom IP Protocol Services Services that run over IP and perform application/transport layer functions can be uniquely identified by IP protocol numbers. IP can carry data for a number of different protocols. These protocols are each identified by a unique IP protocol number specified in a field of the IP header.
  • Page 92: Custom Service Timeouts

    3.2.6. Custom Service Timeouts Chapter 3. Fundamentals configuration and decrease the ability to troubleshoot problems. 3.2.6. Custom Service Timeouts Any service can have its custom timeouts set. These can also be set globally in NetDefendOS but it is more usual to change these values individually in a custom service. The timeout settings that can be customized are as follows: •...
  • Page 93: Interfaces

    3.3. Interfaces Chapter 3. Fundamentals 3.3. Interfaces 3.3.1. Overview An Interface is an important logical building block in NetDefendOS. All network traffic that transits through, originates from or is terminated in the NetDefend Firewall, does so through one or more interfaces.
  • Page 94 3.3.1. Overview Chapter 3. Fundamentals Tunnel interfaces are used when network traffic is being tunneled between the system and another tunnel end-point in the network, before it gets routed to its final destination. VPN tunnels are often used to implement virtual private networks (VPNs) which can secure communication between two firewalls.
  • Page 95: Ethernet Interfaces

    3.3.2. Ethernet Interfaces Chapter 3. Fundamentals Should it be desirable to disable an interface so that no traffic can flow through it, this can be done with the CLI using the command: gw-world:/> set Interface Ethernet <interface-name> -disable Where <interface-name> is the interface to be disabled. To re-enable an interface, the command is: gw-world:/>...
  • Page 96 3.3.2. Ethernet Interfaces Chapter 3. Fundamentals The names of the Ethernet interfaces are predefined by the system, and are mapped to the names of the physical interfaces. The names of the Ethernet interfaces can be changed to better reflect their usage. For example, if an interface named dmz is connected to a wireless LAN, it might be convenient to change the interface name to radio.
  • Page 97 3.3.2. Ethernet Interfaces Chapter 3. Fundamentals All addresses received from the DHCP server are assigned to corresponding IP4Address objects. In this way, dynamically assigned addresses can be used throughout the configuration in the same way as static addresses. By default, the objects in use are the same ones as defined in Section 3.1.5, “Auto-Generated Address Objects”.
  • Page 98 3.3.2. Ethernet Interfaces Chapter 3. Fundamentals Make the interface a member of all routing tables. This option is enabled by default and means that traffic arriving on the interface will be routed according to the main routing table. Routes for the interface IP will be inserted into all routing tables. The alternative to the above is to insert the route for this interface into only a specific routing table.
  • Page 99 3.3.2. Ethernet Interfaces Chapter 3. Fundamentals The difference between logical and physical interfaces can sometimes be confusing. The logical Ethernet interfaces are those which are referred to in a NetDefendOS configuration. When using the Web Interface, only the logical interfaces are visible and can be managed. When using the CLI, both the logical and physical interfaces can be managed.
  • Page 100: Enabling Dhcp

    Some interface settings provide direct management of the Ethernet settings themselves. These are particularly useful if D-Link hardware has been replaced and Ethernet card settings are to be changed, or if configuring the interfaces when running NetDefendOS on non-D-Link hardware.
  • Page 101: Vlan

    3.3.3. VLAN Chapter 3. Fundamentals Those interfaces that physically exist but are not part of the configuration are indicated with a minus "-" symbol at the left. These will be deleted after the configuration is activated. If a deleted interface in the interface list is to be restored, this can be done with the undelete command: gw-world:/>...
  • Page 102 3.3.3. VLAN Chapter 3. Fundamentals interfaces on a NetDefend Firewall need not limit how many totally separated external networks can be connected. Another typical usage of VLANs is to group together clients in an organisation so that the traffic belonging to different groups is kept completely separate in different VLANs. Traffic can then only flow between the different VLANs under the control of NetDefendOS and is filtered using the security policies described by the NetDefendOS rule sets.
  • Page 103: Vlan Connections

    3.3.3. VLAN Chapter 3. Fundamentals Figure 3.1. VLAN Connections With NetDefendOS VLANs, the physical connections are as follows: • One of more VLANs are configured on a physical NetDefend Firewall interface and this is connected directly to a switch. This link acts as a VLAN trunk. The switch used must support port based VLANs.
  • Page 104: Defining A Vlan

    3.3.3. VLAN Chapter 3. Fundamentals License Limitations The number of VLAN interfaces that can be defined for a NetDefendOS installation is limited by the parameters of the license used. Different hardware models have different licenses and different limits on VLANs. Summary of VLAN Setup Below are the key steps for setting up a VLAN interface.
  • Page 105: Pppoe

    3.3.4. PPPoE Chapter 3. Fundamentals • Interface: lan • VLAN ID: 10 • IP Address: vlan10_ip • Network: all-nets Click OK 3.3.4. PPPoE Point-to-Point Protocol over Ethernet (PPPoE) is a tunneling protocol used for connecting multiple users on an Ethernet network to the Internet through a common serial interface, such as a single DSL line, wireless device or cable modem.
  • Page 106 3.3.4. PPPoE Chapter 3. Fundamentals source interface. For outbound traffic, the PPPoE tunnel interface will be the destination interface. As with any interface, one or more routes are defined so NetDefendOS knows what IP addresses it should accept traffic from and which to send traffic to through the PPPoE tunnel. The PPPoE client can be configured to use a service name to distinguish between different servers on the same Ethernet network.
  • Page 107: Gre Tunnels

    3.3.5. GRE Tunnels Chapter 3. Fundamentals PPPoE cannot be used with HA For reasons connected with the way IP addresses are shared in a NetDefendOS high availability cluster, PPPoE will not operate correctly. It should there not be configured with HA. Example 3.11.
  • Page 108 3.3.5. GRE Tunnels Chapter 3. Fundamentals • Tunneling IPv6 traffic across an IPv4 network. • Where a UDP data stream is to be multicast and it is necessary to transit through a network device which does not support multicasting. GRE allows tunneling though the network device. GRE Security and Performance A GRE tunnel does not use any encryption for the communication and is therefore not, in itself, secure.
  • Page 109 3.3.5. GRE Tunnels Chapter 3. Fundamentals • Address to use as source IP - It is possible to specify a particular IP address as the source interface IP for the GRE tunnel. The tunnel setup will appear to be initiated by this IP address instead of the IP address of the interface that actually sets up the tunnel.
  • Page 110 3.3.5. GRE Tunnels Chapter 3. Fundamentals Create a GRE Tunnel object called GRE_to_B with the following parameters: • IP Address: ip_GRE • Remote Network: remote_net_B • Remote Endpoint: remote_gw • Use Session Key: 1 • Additional Encapulation Checksum: Enabled Define a route in the main routing table which routes all traffic to remote_net_B on the GRE_to_B GRE interface.
  • Page 111: Interface Groups

    3.3.6. Interface Groups Chapter 3. Fundamentals IPsec tunnels have a status of being either up or not up. With GRE tunnels in NetDefendOS this does not really apply. The GRE tunnel is up if it exists in the configuration. However, we can check on the what is going on with a GRE tunnel. For example, if the tunnel is called gre_interface then we can use the ifstat CLI command: gw-world:/>...
  • Page 112: Arp

    3.4. ARP Chapter 3. Fundamentals 3.4. ARP 3.4.1. Overview Address Resolution Protocol (ARP) allows the mapping of a network layer protocol (OSI layer 3) address to a data link layer hardware address (OSI layer 2). In data networks it is used to resolve an IP address into its corresponding Ethernet address.
  • Page 113: Displaying The Arp Cache

    3.4.2. The NetDefendOS ARP Cache Chapter 3. Fundamentals valid for. For example, the first entry has an expiry value of 45 which means that this entry will be rendered invalid and removed from the ARP Cache in 45 seconds. If traffic is going to be sent to the 192.168.0.10 IP address after the expiration, NetDefendOS will issue a new ARP request.
  • Page 114: Creating Arp Objects

    3.4.3. Creating ARP Objects Chapter 3. Fundamentals Hash tables are used to rapidly look up entries in the ARP Cache. For maximum efficiency, a hash table should be twice as large as the entries it is indexing, so if the largest directly connected LAN contains 500 IP addresses, the size of the ARP entry hash table should be at least 1000.
  • Page 115 3.4.3. Creating ARP Objects Chapter 3. Fundamentals Select the following from the dropdown lists: • Mode: Static • Interface: lan Enter the following: • IP Address: 192.168.10.15 • MAC: 4b-86-f6-c5-a2-14 Click OK Published ARP Objects NetDefendOS supports publishing IP addresses on a particular interface, optionally along with a specific MAC address instead of the interfaces MAC address.
  • Page 116: Using Arp Advanced Settings

    3.4.4. Using ARP Advanced Settings Chapter 3. Fundamentals Figure 3.2. An ARP Publish Ethernet Frame The Publish option uses the real MAC address of the sending interface for the address (1) in the Ethernet frame. In rare cases, some network equipment will require that both MAC addresses in the response (1 and 2 above) are the same.
  • Page 117: Arp Advanced Settings Summary

    3.4.5. ARP Advanced Settings Chapter 3. Fundamentals Summary It is possible for a host on a connected network to send an ARP reply to NetDefendOS even though a corresponding ARP request was not issued. This is known as an unsolicited ARP reply. According to the ARP specification, the recipient should accept these types of ARP replies.
  • Page 118 3.4.5. ARP Advanced Settings Chapter 3. Fundamentals Summary ARP Query No Sender Handles ARP queries that have a sender IP of 0.0.0.0. Such sender IPs are never valid in responses, but network units that have not yet learned of their IP address sometimes ask ARP questions with an "unspecified"...
  • Page 119 3.4.5. ARP Advanced Settings Chapter 3. Fundamentals Summary requests. Default: Enabled ARP Expire Specifies how long a normal dynamic item in the ARP table is to be retained before it is removed from the table. Default: 900 seconds (15 minutes) ARP Expire Unknown Specifies in seconds how long NetDefendOS is to remember addresses that cannot be reached.
  • Page 120 3.4.5. ARP Advanced Settings Chapter 3. Fundamentals Summary ARP IP Collision Determines the behavior when receiving an ARP request with a sender IP address that collides with one already used on the receive interface. Possible actions: Drop or Notify. Default: Drop...
  • Page 121: Ip Rule Sets

    3.5. IP Rule Sets Chapter 3. Fundamentals 3.5. IP Rule Sets 3.5.1. Security Policies Before examining IP rule sets in detail, we will first look at the generic concept of security polices to which IP rule sets belong. Security Policy Characteristics NetDefendOS security policies are configured by the administrator to regulate the way in which traffic can flow through the NetDefend Firewall.
  • Page 122 3.5.1. Security Policies Chapter 3. Fundamentals These rules determine the routing table to be used by traffic and are described in Section 4.3, “Policy-based Routing”. • Authentication Rules These determine which traffic triggers authentication to take place (source net/interface only) and are described in Chapter 8, User Authentication.
  • Page 123: Simplified Netdefendos Traffic Flow

    3.5.1. Security Policies Chapter 3. Fundamentals Creating a Drop All Rule Traffic that does not match any rule in the IP rule set is, by default, dropped by NetDefendOS. For logging purposes it is nevertheless recommended that an explicit IP rule with an action of Drop for all source/destination networks/interfaces, and with logging enabled, is placed as the last rule in the IP rule set.
  • Page 124: Ip Rule Evaluation

    3.5.2. IP Rule Evaluation Chapter 3. Fundamentals This description of traffic flow is an extremely simplified version of the full flow description found in Section 1.3, “NetDefendOS State Engine Packet Flow”. For example, before the route lookup is done, NetDefendOS first checks that traffic from the source network should, in fact, be arriving on the interface where it was received.
  • Page 125: Ip Rule Actions

    3.5.3. IP Rule Actions Chapter 3. Fundamentals rule. 3.5.3. IP Rule Actions A rule consists of two parts: the filtering parameters and the action to take if there is a match with those parameters. As described above, the parameters of any NetDefendOS rule, including IP rules are: •...
  • Page 126: Editing Ip Rule Set Entries

    3.5.4. Editing IP rule set Entries Chapter 3. Fundamentals Using Reject In certain situations the Reject action is recommended instead of the Drop action because a "polite" reply is required from NetDefendOS. An example of such a situation is when responding to the IDENT user identification protocol.
  • Page 127: Configuration Object Groups

    3.5.6. Configuration Object Groups Chapter 3. Fundamentals Configuration changes must be saved by then issuing an activate followed by a commit command. Web Interface Go to Rules > IP Rules > Add > IPRule Specify a suitable name for the rule, for example LAN_HTTP Now enter: •...
  • Page 128 3.5.6. Configuration Object Groups Chapter 3. Fundamentals A Simple Example As an example, consider the IP rule set main which contains just two rules to allow web surfing from an internal network and a third Drop-all rule to catch any other traffic so that it can be logged: Note The screen images used in this example show just the first few columns of the object properties.
  • Page 129 3.5.6. Configuration Object Groups Chapter 3. Fundamentals A Group editing dialog will be displayed which allows two functions: • Specify the Title The title of the group can be any text that is required and can contain new lines as well as empty lines.
  • Page 130 3.5.6. Configuration Object Groups Chapter 3. Fundamentals If an object precedes a group or is in any position other than immediately following the group, then this is done in a multi-step process: Right click the object and select the Move to option. Enter the index of the position immediately following the target group.
  • Page 131: Schedules

    3.6. Schedules Chapter 3. Fundamentals 3.6. Schedules In some scenarios, it might be useful to control not only what functionality is enabled, but also when that functionality is being used. For instance, the IT policy of an enterprise might stipulate that web traffic from a certain department is only allowed access outside that department during normal office hours.
  • Page 132: Setting Up A Time-Scheduled Policy

    3.6. Schedules Chapter 3. Fundamentals Example 3.17. Setting up a Time-Scheduled Policy This example creates a schedule object for office hours on weekdays, and attaches the object to an IP Rule that allows HTTP traffic. Command-Line Interface gw-world:/> add ScheduleProfile OfficeHours Mon=8-17 Tue=8-17 Wed=8-17 Thu=8-17 Fri=8-17 Now create the IP rule that uses this schedule.
  • Page 133: Certificates

    3.7. Certificates Chapter 3. Fundamentals 3.7. Certificates 3.7.1. Overview X.509 NetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. This involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication. References in this manual to a certificate means a X.509 certificate.
  • Page 134: Certificates In Netdefendos

    3.7.2. Certificates in NetDefendOS Chapter 3. Fundamentals Validity Time A certificate is not valid forever. Each certificate contains the dates between which the certificate is valid. When this validity period expires, the certificate can no longer be used, and a new certificate has to be issued.
  • Page 135: Ca Certificate Requests

    3.7.3. CA Certificate Requests Chapter 3. Fundamentals There are two types of certificates that can be uploaded: self-signed certificates and remote certificates belonging to a remote peer or CA server. Self-signed certificates can be generated by using one of a number of freely available utilities for doing this. Example 3.18.
  • Page 136 3.7.3. CA Certificate Requests Chapter 3. Fundamentals • Take out the relevant parts of the .pem file to form the required .cer and .key files. The detailed steps for the above stages are as follows: Create the gateway certificate on the Windows CA server and export it to a .pfx file on the local NetDefendOS management workstation disk.
  • Page 137: Date And Time

    3.8. Date and Time Chapter 3. Fundamentals 3.8. Date and Time 3.8.1. Overview Correctly setting the date and time is important for NetDefendOS to operate properly. Time scheduled policies, auto-update of the IDP and Anti-Virus databases, and other product features such as digital certificates require that the system clock is accurately set.
  • Page 138: Time Servers

    3.8.3. Time Servers Chapter 3. Fundamentals The world is divided up into a number of time zones with Greenwich Mean Time (GMT) in London at zero longitude being taken as the base time zone. All other time zones going east and west from zero longitude are taken as being GMT plus or minus a given integer number of hours.
  • Page 139: Enabling Time Synchronization Using Sntp

    3.8.3. Time Servers Chapter 3. Fundamentals The hardware clock which NetDefendOS uses can sometimes become fast or slow after a period of operation. This is normal behavior in most network and computer equipment and is solved by utilizing Time Servers. NetDefendOS is able to adjust the clock automatically based on information received from one or more Time Servers which provide a highly accurate time, usually using atomic clocks.
  • Page 140: Manually Triggering A Time Synchronization

    3.8.3. Time Servers Chapter 3. Fundamentals Now enter: • Time Server Type: SNTP • Primary Time Server: dns:ntp1.sp.se • Secondary Time Server: dns:ntp2.sp.se Click OK The time server URLs must have the prefix dns: to specify that they should be resolved with a DNS server. NetDefendOS must therefore also have a DNS server defined so this resolution can be performed.
  • Page 141: Settings Summary For Date And Time

    86,400 seconds (1 day), meaning that the time synchronization process is executed once in a 24 hour period. D-Link Time Servers Using D-Link's own Time Servers is an option in NetDefendOS and this is the recommended way of synchronizing the firewall clock. These servers communicate with NetDefendOS using the SNTP protocol.
  • Page 142 3.8.4. Settings Summary for Date and Chapter 3. Fundamentals Time Time zone offset in minutes. Default: 0 DST Offset Daylight saving time offset in minutes. Default: 0 DST Start Date What month and day DST starts, in the format MM-DD. Default: none DST End Date What month and day DST ends, in the format MM-DD.
  • Page 143 3.8.4. Settings Summary for Date and Chapter 3. Fundamentals Time Maximum time drift in seconds that a server is allowed to adjust. Default: 600 Group interval Interval according to which server responses will be grouped. Default: 10...
  • Page 144: Dns

    3.9. DNS Chapter 3. Fundamentals 3.9. DNS Overview A DNS server can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. FQDNs are unambiguous textual domain names which specify a node's unique position in the Internet's DNS tree hierarchy. FQDN resolution allows the actual physical IP address to change while the FQDN can stay the same.
  • Page 145 3.9. DNS Chapter 3. Fundamentals Dynamic DNS A DNS feature offered by NetDefendOS is the ability to explicitly inform DNS servers when the external IP address of the NetDefend Firewall has changed. This is sometimes referred to as Dynamic DNS and is useful where the NetDefend Firewall has an external IP address that can change.
  • Page 146 3.9. DNS Chapter 3. Fundamentals...
  • Page 147: Routing

    Chapter 4. Routing This chapter describes how to configure IP routing in NetDefendOS. • Overview, page 147 • Static Routing, page 148 • Policy-based Routing, page 165 • Route Load Balancing, page 170 • OSPF, page 176 • Multicast Routing, page 199 •...
  • Page 148: Static Routing

    4.2. Static Routing Chapter 4. Routing 4.2. Static Routing The most basic form of routing is known as Static Routing. The word "static" refers to the fact that entries in the routing table are manually added and are therefore permanent (or static) by nature. Due to this manual approach, static routing is most appropriate to use in smaller network deployments where addresses are fairly fixed and where the amount of connected networks are limited to a few.
  • Page 149: A Typical Routing Scenario

    4.2.1. The Principles of Routing Chapter 4. Routing This parameter usually does not need to be specified. If it is specified, NetDefendOS responds to ARP queries sent to this address. A special section below explains this parameter in more depth. Local IP Address and Gateway are mutually exclusive and either one or the other should be specified.
  • Page 150 4.2.1. The Principles of Routing Chapter 4. Routing Route # Interface Destination Gateway all-nets 195.66.77.4 The above routing table provides the following information: • Route #1 All packets going to hosts on the 192.168.0.0/24 network should be sent out on the lan interface. As no gateway is specified for the route entry, the host is assumed to be located on the network segment directly reachable from the lan interface.
  • Page 151: Using Local Ip Address With An Unbound Network

    4.2.1. The Principles of Routing Chapter 4. Routing communicate with the NetDefend Firewall because ARP won't function between the clients and the interface. To solve this problem we would add a new route to NetDefendOS which would have the following parameters: •...
  • Page 152: Static Routing

    4.2.2. Static Routing Chapter 4. Routing switch which imposes no controls on traffic passing between those networks. Caution should therefore be exercised before using this feature. All Traffic Must have Two Associated Routes Something that is not intuitive when trying to understand routing in NetDefendOS is the fact that all traffic must have two routes associated with it.
  • Page 153 4.2.2. Static Routing Chapter 4. Routing ==================================================================== Interface List 0x1 ......MS TCP Loopback interface 0x10003 ...00 13 d4 51 8d dd ..Intel(R) PRO/1000 CT Network 0x20004 ...00 53 45 00 00 00 ..WAN (PPP/SLIP) Interface =================================================================== =================================================================== Active Routes: Network Destination Netmask...
  • Page 154: Displaying The Main Routing Table

    4.2.2. Static Routing Chapter 4. Routing Displaying Routing Tables It is important to note that routing tables that are initially configured by the administrator can have routes added, deleted and changed automatically during live operation and these changes will appear when the routing table contents are displayed.
  • Page 155: Displaying The Core Routes

    4.2.2. Static Routing Chapter 4. Routing route in the main routing table for each physical interface. These routes are assigned a default IP address object in the address book and these IP objects must have their addresses changed to the appropriate range for traffic to flow.
  • Page 156: Route Failover

    4.2.3. Route Failover Chapter 4. Routing This example illustrates how to display the core routes in the active routing table. Command-Line Interface gw-world:/> routes -all Flags Network Iface Gateway Local IP Metric ----- ------------------ ---------- ------------- -------- ------ 127.0.0.1 core (Shared IP) 192.168.0.1 core...
  • Page 157: A Route Failover Scenario For Isp Access

    4.2.3. Route Failover Chapter 4. Routing Figure 4.3. A Route Failover Scenario for ISP Access Setting Up Route Failover To set up route failover, Route Monitoring must be enabled and this is an option that is enabled on a route by route basis. To enable route failover in a scenario with a preferred and a backup route, the preferred route will have route monitoring enabled, however the backup route does not require this since it will usually have no route to failover to.
  • Page 158 4.2.3. Route Failover Chapter 4. Routing lowest metric value for sending data (if two routes have the same metric, the route found first in the routing table will be chosen). A primary, preferred route should have a lower metric (for example "10"), and a secondary, failover route should have a higher metric value (for example "20").
  • Page 159: Host Monitoring For Route Failover

    4.2.4. Host Monitoring for Route Chapter 4. Routing Failover The routing table consequently contains the following default route: Interface Destination Gateway Metric Monitoring all-nets 195.66.77.1 Now a secondary route is added over a backup DSL connection and Route Monitoring is enabled for this.
  • Page 160 4.2.4. Host Monitoring for Route Chapter 4. Routing Failover As part of Route Properties Host Monitoring can be enabled and a single route can have multiple hosts associated with it for monitoring. Multiple hosts can provide a higher certainty that any network problem resides in the local network rather than because one remote host itself is down.
  • Page 161: Advanced Settings For Route Failover

    4.2.5. Advanced Settings for Route Chapter 4. Routing Failover The Reachability Required option An important option that can be enabled for a host is the Reachability Required option. When this is selected, the host must be determined as accessible in order for that route to be considered to be functioning.
  • Page 162: Proxy Arp

    4.2.6. Proxy ARP Chapter 4. Routing Ping poll interval The time in milliseconds between sending a Ping to hosts. Default: 1000 Grace time The length of time in seconds between startup or reconfigure and monitoring start. Default: 30 Consecutive fails The number of consecutive failures that occurs before a route is marked as being unavailable.
  • Page 163: A Proxy Arp Example

    4.2.6. Proxy ARP Chapter 4. Routing pretending to be the target host. After receiving the reply, Host A then sends data directly to NetDefendOS which forwards the data to host B. In the process NetDefendOS checks the traffic against the configured rule sets. Setting Up Proxy ARP Setting up proxy ARP is done by specifying the option for a route in a routing table.
  • Page 164 4.2.6. Proxy ARP Chapter 4. Routing Proxy ARP and High Availability Clusters In HA clusters, switch routes cannot be used and transparent mode is therefore not an option. However, proxy ARP does function with HA and is consequently the only way to implement transparent mode functionality with a cluster.
  • Page 165: Policy-Based Routing

    4.3. Policy-based Routing Chapter 4. Routing 4.3. Policy-based Routing 4.3.1. Overview Policy-based Routing (PBR) is an extension to the standard routing described previously. It offers administrators significant flexibility in implementing routing decision policies by being able to define rules so alternative routing tables are used. Normal routing forwards packets according to destination IP address information derived from static routes or from a dynamic routing protocol.
  • Page 166: Routing Table Selection

    4.3.4. Routing Table Selection Chapter 4. Routing When looking up Policy-based Rules, it is the first matching rule found that is triggered. 4.3.4. Routing Table Selection When a packet corresponding to a new connection first arrives, the processing steps are as follows to determine which routing table is chosen: The Routing Rules must first be looked up but to do this the packet's destination interface must be determined and this is always done by a lookup in the main routing table.
  • Page 167: Creating A Policy-Based Routing Table

    4.3.5. The Ordering parameter Chapter 4. Routing Important: Ensure all-nets appears in the main table A common mistake with policy-based routing is the absence of the default route with a destination interface of all-nets in the default main routing table. If there is no route that is an exact match then the absence of a default all-nets route will mean that the connection will be dropped.
  • Page 168: Policy-Based Routing Configuration

    4.3.5. The Ordering parameter Chapter 4. Routing Example 4.5. Policy-based Routing Configuration This example illustrates a multiple ISP scenario which is a common use of Policy-based Routing. The following is assumed: • Each ISP will provide an IP network from its network range. A 2 ISP scenario is assumed in this case, with the network 10.10.10.0/24 belonging to ISP A and 20.20.20.0/24 belonging to ISP B.
  • Page 169 4.3.5. The Ordering parameter Chapter 4. Routing Note Rules in the above example are added for both inbound and outbound connections.
  • Page 170: Route Load Balancing

    4.4. Route Load Balancing Chapter 4. Routing 4.4. Route Load Balancing Overview NetDefendOS provides the option to perform Route Load Balancing (RLB). This is the ability to distribute traffic over multiple alternate routes using one of a number of distribution algorithms. The purpose of this feature is to provide the following: •...
  • Page 171: The Rlb Round Robin Algorithm

    4.4. Route Load Balancing Chapter 4. Routing done according to which algorithm is selected in the table's RLB Instance object: • Round Robin Successive routes are chosen from the matching routes in a "round robin" fashion provided that the metric of the routes is the same. This results in route lookups being spread evenly across matching routes with same metric.
  • Page 172: The Rlb Spillover Algorithm

    4.4. Route Load Balancing Chapter 4. Routing Figure 4.6. The RLB Spillover Algorithm Spillover Limits are set separately for ingoing and outgoing traffic with only one of these typically being specified. If both are specified then only one of them needs to be exceeded continuously for Hold Timer seconds for the next matching route to be chosen.
  • Page 173 4.4. Route Load Balancing Chapter 4. Routing When that new route's interface limits are also exceeded then the route with the next highest metric is taken and so on. As soon as any route with a lower metric falls below its interface limit for its Hold Timer number of seconds, then it reverts to being the chosen route.
  • Page 174: A Route Load Balancing Scenario

    4.4. Route Load Balancing Chapter 4. Routing Figure 4.7. A Route Load Balancing Scenario We first need to define two routes to these two ISPs in the main routing table as shown below: Route No. Interface Destination Gateway Metric WAN1 all-nets WAN2 all-nets...
  • Page 175 4.4. Route Load Balancing Chapter 4. Routing In this example, the details of the RLB scenario described above will be implemented. The assumption is made that the various IP address book objects needed have already been defined. The IP objects WAN1 and WAN2 represent the interfaces that connect to the two ISPs and the IP objects GW1 and GW2 represent the IP addresses of the gateway routers at the two ISPs.
  • Page 176: Ospf

    4.5. OSPF Chapter 4. Routing 4.5. OSPF The feature called Dynamic Routing is implemented with NetDefendOS using the OSPF architecture. This section begins by looking generally at what dynamic routing is and how it can be implemented. It then goes on to look at how OSPF can provide dynamic routing followed by a description of how a simple OSPF network can be set up.
  • Page 177: A Simple Ospf Scenario

    NetDefendOS using OSPF. OSPF is not available on all D-Link NetDefend models The OSPF feature is only available on the D-Link NetDefend DFL-800, 860, 860E, 1600, 1660 2500, 2560 and 2560G. OSPF is not available on the DFL-210, 260 and 260E.
  • Page 178: Ospf Providing Route Redundancy

    4.5.1. Dynamic Routing Chapter 4. Routing allows B's routing table information to be automatically shared with A. In the same way, OSPF allows firewall B to automatically become aware that network X is attached to firewall A. Under OSPF, this exchange of routing information is completely automatic. OSPF Provides Route Redundancy If we now take the above scenario and add a third NetDefend Firewall called C then we have a situation where all three firewalls are aware, through OSPF, of what networks are attached to the...
  • Page 179: Ospf Concepts

    The OSPF feature is only available on the NetDefend DFL-800, 860, 860E, 1600, 1660 2500, 2560 and 2560G. OSPF is not available on the DFL-210, DFL-260 and DFL-260E. OSPF functions by routing IP packets based only on the destination IP address found in the IP packet header.
  • Page 180 4.5.2. OSPF Concepts Chapter 4. Routing Authentication. All OSPF protocol exchanges can, if required, be authenticated. This means that only routers with the correct authentication can join an AS. Different authentication schemes can be used and with NetDefendOS the scheme can be either a passphrase or an MD5 digest. It is possible to configure separate authentication methods for each AS.
  • Page 181 4.5.2. OSPF Concepts Chapter 4. Routing the priorities advertised by all the routers. If there is already a DR on the network, the router will accept that one, regardless of its own router priority. With NetDefendOS, the DR and the BDR are automatically assigned. Neighbors Routers that are in the same area become neighbors in that area.
  • Page 182: Virtual Links Connecting Areas

    4.5.2. OSPF Concepts Chapter 4. Routing This virtual link is established between two Area Border Routers (ABRs) that are on one common area, with one of the ABRs connected to the backbone area. In the example below two routers are connected to the same area (Area 1) but just one of them, fw1, is connected physically to the backbone area.
  • Page 183: Virtual Links With Partitioned Backbone

    4.5.2. OSPF Concepts Chapter 4. Routing Figure 4.11. Virtual Links with Partitioned Backbone The virtual link is configured between fw1 and fw2 on Area 1 as it is used as the transit area. In the configuration, only the Router ID has to be configured, as in the example above show fw2 need to have a virtual link to fw1 with the Router ID 192.168.1.1 and vice versa.
  • Page 184: Ospf Components

    4.5.3. OSPF Components Chapter 4. Routing The key aspect of an OSPF setup is that connected NetDefend Firewalls share the information in their routing tables so that traffic entering an interface on one of the firewalls can be automatically routed so that it exits the interface on another gateway which is attached to the correct destination network.
  • Page 185 4.5.3. OSPF Components Chapter 4. Routing not the cluster. Note When running OSPF on a HA Cluster there is a need for a private master and private slave Router ID as well as the shared Router ID. Reference Bandwidth Set the reference bandwidth that is used when calculating the default interface cost for routes.
  • Page 186 4.5.3. OSPF Components Chapter 4. Routing Note: Authentication must be the same on all routers If a passphrase or MD5 authentication is configured for OSPF, the passphrase or authentication key must be the same on all OSPF Routers in that Autonomous System. In other words, the OSPF authentication method must be replicated on all NetDefend Firewalls.
  • Page 187 4.5.3. OSPF Components Chapter 4. Routing There can only be one backbone area and it forms the central portion of an AS. Routing information that is exchanged between different area always transits the backbone area. Is stub area Enable this option if the area is a stub area. Become Default Router It is possible to configure if the firewall should become the default router for the stub area, and with what metric.
  • Page 188 4.5.3. OSPF Components Chapter 4. Routing an OSPF Neighbour object. Using VPN tunnels is discussed further in Section 4.5.5, “Setting Up OSPF”. • Point-to-Multipoint - The Point-to-Multipoint interface type is a collection of Point-to-Point networks, where there is more then one router in a link that does not have OSI Layer 2 broadcast/multicast capabilities.
  • Page 189 4.5.3. OSPF Components Chapter 4. Routing Sometimes there is a need to include networks into the OSPF routing process, without running OSPF on the interface connected to that network. This is done by enabling the option: No OSPF routers connected to this interface ("Passive"). This is an alternative to using a Dynamic Routing Policy to import static routes into the OSPF routing process.
  • Page 190: Dynamic Routing Rules

    4.5.4. Dynamic Routing Rules Chapter 4. Routing Authentication Use Default For AS Use the values configured in the AS properties page. Note: Linking partitioned backbones If the backbone area is partitioned, a virtual link is used to connect the different parts. In most, simple OSPF scenarios, OSPF VLink objects will not be needed.
  • Page 191: Dynamic Routing Rule Objects

    4.5.4. Dynamic Routing Rules Chapter 4. Routing OSPF Requires at Least an Import Rule By default, NetDefendOS will not import or export any routes. For OSPF to function, it is therefore mandatory to define at least one dynamic routing rule which will be an Import rule. This Import rule specifies the local OSPF Router Process object.
  • Page 192 4.5.4. Dynamic Routing Rules Chapter 4. Routing From OSPF AS Specifies the from which OSPF AS (in other words, an OSPF Router Process) the route should be imported from into either a routing table or another AS. From Routing Table Specifies from which routing table a route should be imported into the OSPF AS or copied into another routing table.
  • Page 193: Setting Up Ospf

    4.5.5. Setting Up OSPF Chapter 4. Routing A Routing Action is used to manipulate and export routing changes to one or more local routing tables. Destination Specifies into which routing table the route changes to the OSPF AS should be imported. Offset Metric Increases the metric by this value.
  • Page 194 4.5.5. Setting Up OSPF Chapter 4. Routing • The advanced option No OSPF routers connected to this interface must be enabled if the physical interface does not connect directly to another OSPF Router (in other words, with another NetDefend Firewall that acts as an OSPF router). For example, the interface may only be connected to a network of clients, in which case the option would be enabled.
  • Page 195 4.5.5. Setting Up OSPF Chapter 4. Routing OSPF Routing Information Exchange Begins Automatically As the new configurations are created in the above steps and then deployed, OSPF will automatically start and begin exchanging routing information. Since OSPF is a dynamic and distributed system, it does not matter in which order the configurations of the individual firewalls are deployed.
  • Page 196: An Ospf Example

    4.5.6. An OSPF Example Chapter 4. Routing This network is used just as a convenience with OSPF setup and will never be associated with a real physical network. 3. Define an OSPF Interface for the tunnel Define an NetDefendOS OSPF Interface object which has the IPsec tunnel for the Interface parameter.
  • Page 197: Creating An Ospf Router Process

    4.5.6. An OSPF Example Chapter 4. Routing Example 4.7. Creating an OSPF Router Process On the first firewall involved in the OSPF AS, create an OSPF Router Process. Web Interface Go to Routing > OSPF > Add > OSPF Routing Process Specify a suitable name for the process, for example as_0 Click OK This should be repeated for all the NetDefend Firewalls that will be part of the OSPF AS.
  • Page 198: Exporting The Default Route Into An Ospf As

    4.5.6. An OSPF Example Chapter 4. Routing Web Interface Go to Routing > Dynamic Routing Rules > Add > Dynamic Routing Policy Rule Specify a suitable name for the rule. For example, ImportOSPFRoutes. Select the option From OSPF Process Move as0 from Available to Selected Choose all-nets in the ...Or is within filter option Click OK Now, create a Dynamic Routing Action that will do the actual importing of the routes into a routing table.
  • Page 199: Multicast Routing

    4.6. Multicast Routing Chapter 4. Routing 4.6. Multicast Routing 4.6.1. Overview The Multicast Problem Certain types of Internet interactions, such as conferencing and video broadcasts, require a single client or host to send the same packet to multiple receivers. This could be achieved through the sender duplicating the packet with different receiving IP addresses or by a broadcast of the packet across the Internet.
  • Page 200: Multicast Forwarding With Sat Multiplex Rules

    4.6.2. Multicast Forwarding with SAT Chapter 4. Routing Multiplex Rules 4.6.2. Multicast Forwarding with SAT Multiplex Rules The SAT Multiplex rule is used to achieve duplication and forwarding of packets through more than one interface. This feature implements multicast forwarding in NetDefendOS, where a multicast packet is sent through several interfaces.
  • Page 201: Multicast Forwarding - No Address Translation

    4.6.2. Multicast Forwarding with SAT Chapter 4. Routing Multiplex Rules Figure 4.14. Multicast Forwarding - No Address Translation Note: SAT Multiplex rules must have a matching Allow rule Remember to add an Allow rule that matches the SAT Multiplex rule. The matching rule could also be a NAT rule for source address translation (see below) but cannot be a FwdFast or SAT rule.
  • Page 202 4.6.2. Multicast Forwarding with SAT Chapter 4. Routing Multiplex Rules B. Create an IP rule: Go to Rules > IP Rules > Add > IP Rule Under General enter. • Name: a name for the rule, for example Multicast_Multiplex • Action: Multiplex SAT •...
  • Page 203: Multicast Forwarding - Address Translation

    4.6.2. Multicast Forwarding with SAT Chapter 4. Routing Multiplex Rules Figure 4.15. Multicast Forwarding - Address Translation This scenario is based on the previous scenario but this time the multicast group is translated. When the multicast streams 239.192.10.0/24 are forwarded through the if2 interface, the multicast groups should be translated into 237.192.10.0/24.
  • Page 204: Igmp Configuration

    4.6.3. IGMP Configuration Chapter 4. Routing • Action: Multiplex SAT • Service: multicast_service Under Address Filter enter: • Source Interface: wan • Source Network: 192.168.10.1 • Destination Interface: core • Destination Network: 239.192.10.0/24 Click the Multiplex SAT tab Add interface if1 but leave the IPAddress empty Add interface if2 but this time, enter 237.192.10.0 as the IPAddress Make sure the Forwarded using IGMP checkbox is enabled Click OK...
  • Page 205: Multicast Snoop Mode

    4.6.3. IGMP Configuration Chapter 4. Routing Figure 4.16. Multicast Snoop Mode Figure 4.17. Multicast Proxy Mode In Snoop Mode, the NetDefend Firewall will act transparently between the hosts and another IGMP router. It will not send any IGMP Queries. It will only forward queries and reports between the other router and the hosts.
  • Page 206: Igmp - No Address Translation

    4.6.3. IGMP Configuration Chapter 4. Routing Example 4.14. IGMP - No Address Translation The following example requires a configured interface group IfGrpClients including interfaces if1, if2 and if3. The ip address of the upstream IGMP router is known as UpstreamRouterIP. Two rules are needed.
  • Page 207: If1 Configuration

    4.6.3. IGMP Configuration Chapter 4. Routing 4.6.3.2. IGMP Rules Configuration - Address Translation The following examples illustrates the IGMP rules needed to configure IGMP according to the Address Translation scenario described above in Section 4.6.2.2, “Multicast Forwarding - Address Translation Scenario”. We need two IGMP report rules, one for each client interface. The interface if1 uses no address translation and if2 translates the multicast group to 237.192.10.0/24.
  • Page 208: If2 Configuration - Group Translation

    4.6.3. IGMP Configuration Chapter 4. Routing • Destination Network: auto • Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.0/24 Click OK Example 4.16. if2 Configuration - Group Translation The following steps needs to be executed to create the report and query rule pair for if2 which translates the multicast group.
  • Page 209: Advanced Igmp Settings

    4.6.4. Advanced IGMP Settings Chapter 4. Routing • Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.0/24 Click OK Advanced IGMP Settings There are a number of IGMP advanced settings which are global and apply to all interfaces which do not have IGMP settings explicitly specified for them. 4.6.4.
  • Page 210 4.6.4. Advanced IGMP Settings Chapter 4. Routing group-and-source specific query. Global setting on interfaces without an overriding IGMP Setting. Default: 5,000 IGMP Max Total Requests The maximum global number of IGMP messages to process each second. Default: 1000 IGMP Max Interface Requests The maximum number of requests per interface and second.
  • Page 211 4.6.4. Advanced IGMP Settings Chapter 4. Routing The time in milliseconds between repetitions of an initial membership report. Global setting on interfaces without an overriding IGMP Setting. Default: 1,000...
  • Page 212: Transparent Mode

    4.7. Transparent Mode Chapter 4. Routing 4.7. Transparent Mode 4.7.1. Overview Transparent Mode Usage The NetDefendOS Transparent Mode feature allows a NetDefend Firewall to be placed at a point in a network without any reconfiguration of the network and without hosts being aware of its presence. All NetDefendOS features can then be used to monitor and manage traffic flowing through that point.
  • Page 213 4.7.1. Overview Chapter 4. Routing the OSI model. If the firewall is placed into a network for the first time, or if network topology changes, the routing configuration must therefore be checked and adjusted to ensure that the routing table is consistent with the new layout. Reconfiguration of IP settings may be required for pre-existing routers and protected servers.
  • Page 214 4.7.1. Overview Chapter 4. Routing the network. Discovery is done by NetDefendOS sending out ARP as well as ICMP (ping) requests, acting as the initiating sender of the original IP packet for the destination on the interfaces specified in the Switch Route.
  • Page 215 4.7.1. Overview Chapter 4. Routing routing table will be connected together by NetDefendOS and no matter how interfaces are associated with the switch routes, transparency will exist between them. For example, if the interfaces if1 to if6 appear in a switch routes in routing table A, the resulting interconnections will be as illustrated below.
  • Page 216 4.7.1. Overview Chapter 4. Routing mode. Two VLAN interfaces with the same VLAN ID are defined on the two physical interfaces and they are called vlan5_if1 and vlan5_if2. For the VLAN to operate in transparent mode we create a routing table with the ordering set to only and which contains the following 2 switch routes: Network Interface...
  • Page 217: Enabling Internet Access

    4.7.2. Enabling Internet Access Chapter 4. Routing • Configure DHCP relay to the DHCP server IP address 255.255.255.255. 4.7.2. Enabling Internet Access A common misunderstanding when setting up Transparent Mode is how to correctly set up access to the public Internet. Below is a typical scenario where a number of users on an IP network called lannet access the Internet via an ISP's gateway with IP address gw-ip.
  • Page 218: Transparent Mode Scenarios

    4.7.3. Transparent Mode Scenarios Chapter 4. Routing NetDefendOS May Also Need Internet Access The NetDefend Firewall also needs to find the public Internet if it is to perform NetDefendOS functions such as DNS lookup, Web Content Filtering or Anti-Virus and IDP updating. To allow this, individual "normal"...
  • Page 219: Transparent Mode Scenario 1

    4.7.3. Transparent Mode Scenarios Chapter 4. Routing Figure 4.20. Transparent Mode Scenario 1 Example 4.17. Setting up Transparent Mode for Scenario 1 Web Interface Configure the interfaces: Go to Interfaces > Ethernet > Edit (wan) Now enter: • IP Address: 10.0.0.1 •...
  • Page 220: Transparent Mode Scenario 2

    4.7.3. Transparent Mode Scenarios Chapter 4. Routing • Source Interface: lan • Destination Interface: any • Source Network: 10.0.0.0/24 • Destination Network: all-nets (0.0.0.0/0) Click OK Scenario 2 Here the NetDefend Firewall in Transparent Mode separates server resources from an internal network by connecting them to a separate interface without the need for different address ranges.
  • Page 221 4.7.3. Transparent Mode Scenarios Chapter 4. Routing Go to Interfaces > Ethernet > Edit (lan) Now enter: • IP Address: 10.0.0.1 • Network: 10.0.0.0/24 • Transparent Mode: Disable • Add route for interface network: Disable Click OK Go to Interfaces > Ethernet > Edit (dmz) Now enter: •...
  • Page 222: Spanning Tree Bpdu Support

    4.7.4. Spanning Tree BPDU Support Chapter 4. Routing Click OK Go to Rules > IP Rules > Add > IPRule Now enter: • Name: HTTP-WAN-to-DMZ • Action: SAT • Service: http • Source Interface: wan • Destination Interface: dmz • Source Network: all-nets •...
  • Page 223: Advanced Settings For Transparent Mode

    4.7.5. Advanced Settings for Chapter 4. Routing Transparent Mode Figure 4.22. An Example BPDU Relaying Scenario Implementing BPDU Relaying The NetDefendOS BDPU relaying implementation only carries STP messages. These STP messages can be of three types: • Normal Spanning Tree Protocol (STP) •...
  • Page 224 4.7.5. Advanced Settings for Chapter 4. Routing Transparent Mode Default: Enabled Decrement TTL Enable this if the TTL should be decremented each time a packet traverses the firewall in Transparent Mode. Default: Disabled Dynamic CAM Size This setting can be used to manually configure the size of the CAM table. Normally Dynamic is the preferred value to use.
  • Page 225 4.7.5. Advanced Settings for Chapter 4. Routing Transparent Mode Null Enet Sender Defines what to do when receiving a packet that has the sender hardware (MAC) address in Ethernet header set to null (0000:0000:0000). Options: • Drop - Drop packets •...
  • Page 226 4.7.5. Advanced Settings for Chapter 4. Routing Transparent Mode • Drop - Drop the packets • DropLog - Drop packets log the event Default: Drop Relay MPLS When set to Ignore all incoming MPLS packets are relayed in transparent mode. Options: •...
  • Page 227 4.7.5. Advanced Settings for Chapter 4. Routing Transparent Mode...
  • Page 228: Dhcp Services

    Chapter 5. DHCP Services This chapter describes DHCP services in NetDefendOS. • Overview, page 228 • DHCP Servers, page 229 • DHCP Relaying, page 235 • IP Pools, page 238 5.1. Overview Dynamic Host Configuration Protocol (DHCP) is a protocol that allows network administrators to automatically assign IP numbers to computers on a network.
  • Page 229: Dhcp Servers

    5.2. DHCP Servers Chapter 5. DHCP Services 5.2. DHCP Servers DHCP servers assign and manage the IP addresses taken from a specified address pool. In NetDefendOS, DHCP servers are not limited to serving a single range of IP addresses but can use any IP address range that can be specified by a NetDefendOS IP address object.
  • Page 230: Setting Up A Dhcp Server

    5.2. DHCP Servers Chapter 5. DHCP Services The following options can be configured for a DHCP server: General Parameters Name A symbolic name for the server. Used as an interface reference but also used as a reference in log messages. Interface Filter The source interface on which NetDefendOS will listen for DHCP requests.
  • Page 231: Checking Dhcp Server Status

    5.2. DHCP Servers Chapter 5. DHCP Services This example shows how to set up a DHCP server called DHCPServer1 which assigns and manages IP addresses from an IP address pool called DHCPRange1. This example assumes that an IP range for the DHCP Server has already been created. Command-Line Interface gw-world:/>...
  • Page 232: Static Dhcp Hosts

    5.2.1. Static DHCP Hosts Chapter 5. DHCP Services The asterisk "*" before a MAC address means that the DHCP server does not track the client using the MAC address but instead tracks the client through a client identifier which the client has given to the server.
  • Page 233: Custom Options

    5.2.2. Custom Options Chapter 5. DHCP Services can be specified as this parameter. The option exists to also specify if the identifier will be sent as an ASCII or Hexadecimal value. Example 5.3. Static DHCP Host Assignment This example shows how to assign the IP address 192.168.1.1 to the MAC address 00-90-12-13-14-15. The examples assumes that the DHCP server DHCPServer1 has already been defined.
  • Page 234 5.2.2. Custom Options Chapter 5. DHCP Services Custom Option Parameters The following parameters can be set for a custom option: Code This is the code that describes the type of information being sent to the client. A large list of possible codes exists.
  • Page 235: Dhcp Relaying

    5.3. DHCP Relaying Chapter 5. DHCP Services 5.3. DHCP Relaying The DHCP Problem With DHCP, clients send requests to locate the DHCP server(s) using broadcast messages. However, broadcasts are normally only propagated across the local network. This means that the DHCP server and client always need to be on the same physical network.
  • Page 236: Dhcp Relay Advanced Settings

    5.3.1. DHCP Relay Advanced Settings Chapter 5. DHCP Services • Name: ipgrp-dhcp • Interfaces: select vlan1 and vlan2 from the Available list and put them into the Selected list. Click OK Adding a DHCP relayer called as vlan-to-dhcpserver: Go to System > DHCP > Add > DHCP Relay Now enter: •...
  • Page 237 5.3.1. DHCP Relay Advanced Settings Chapter 5. DHCP Services will be reduced down to this value. Default: 10000 seconds Max Auto Routes How many relays that can be active at the same time. Default: 256 Auto Save Policy What policy should be used to save the relay list to the disk, possible settings are Disabled, ReconfShut, or ReconfShutTimer.
  • Page 238: Ip Pools

    5.4. IP Pools Chapter 5. DHCP Services 5.4. IP Pools Overview An IP pool is used to offer other subsystems access to a cache of DHCP IP addresses. These addresses are gathered into a pool by internally maintaining a series of DHCP clients (one DHCP client per IP address).
  • Page 239 5.4. IP Pools Chapter 5. DHCP Services Receive Interface A "simulated" virtual DHCP server receiving interface. This setting is used to simulate a receiving interface when an IP pool is obtaining IP addresses from internal DHCP servers. This is needed since the filtering criteria of a DHCP server includes a Receive Interface.
  • Page 240: Creating An Ip Pool

    5.4. IP Pools Chapter 5. DHCP Services Other options in the ippool command allow the administrator to change the pool size and to free up IP addresses. The complete list of command options can be found in the CLI Reference Guide. Example 5.5.
  • Page 241 5.4. IP Pools Chapter 5. DHCP Services...
  • Page 242: Security Mechanisms

    Chapter 6. Security Mechanisms This chapter describes NetDefendOS security features. • Access Rules, page 242 • ALGs, page 245 • Web Content Filtering, page 297 • Anti-Virus Scanning, page 314 • Intrusion Detection and Prevention, page 320 • Denial-of-Service Attack Prevention, page 332 •...
  • Page 243: Ip Spoofing

    6.1.3. Access Rule Settings Chapter 6. Security Mechanisms 6.1.2. IP Spoofing Traffic that pretends it comes from a trusted host can be sent by an attacker to try and get past a firewall's security mechanisms. Such an attack is commonly known as Spoofing. IP spoofing is one of the most common spoofing attacks.
  • Page 244: Setting Up An Access Rule

    6.1.3. Access Rule Settings Chapter 6. Security Mechanisms If, for some reason, the Default Access Rule log message is continuously being generated by some source and needs to be turned off, then the way to do this is to specify an Access Rule for that source with an action of Drop.
  • Page 245: Algs

    6.2. ALGs Chapter 6. Security Mechanisms 6.2. ALGs 6.2.1. Overview To complement low-level packet filtering, which only inspects packet headers in protocols such as IP, TCP, UDP, and ICMP, NetDefend Firewalls provide Application Layer Gateways (ALGs) which provide filtering at the higher application OSI level. An ALG object acts as a mediator in accessing commonly used Internet applications outside the protected network, for example web access, file transfer and multimedia transfer.
  • Page 246: The Http Alg

    6.2.2. The HTTP ALG Chapter 6. Security Mechanisms Maximum Connection Sessions The service associated with an ALG has a configurable parameter associated with it called Max Sessions and the default value varies according to the type of ALG. For instance, the default value for the HTTP ALG is 1000.
  • Page 247 6.2.2. The HTTP ALG Chapter 6. Security Mechanisms Anti-Virus scanning, if it is enabled, is always applied to the HTTP traffic even if it is whitelisted. These features are described in depth in Section 6.3.3, “Static Content Filtering”. • Dynamic Content Filtering - Access to specific URLs can be allowed or blocked according to policies for certain types of web content.
  • Page 248: Http Alg Processing Order

    6.2.2. The HTTP ALG Chapter 6. Security Mechanisms Note: Similarities with other NetDefendOS features The Verify MIME type and Allow/Block Selected Types options work in the same way for the FTP, POP3 and SMTP ALGs. • Download File Size Limit - A file size limit can additionally be specified for any single download (this option is only available for HTTP and SMTP ALG downloads).
  • Page 249: The Ftp Alg

    6.2.3. The FTP ALG Chapter 6. Security Mechanisms equivalent to a large number of possible URLs. The wildcard character "*" can be used to represent any sequence of characters. For example, the entry *.some_domain.com will block all pages whose URLs end with some_domain.com.
  • Page 250 6.2.3. The FTP ALG Chapter 6. Security Mechanisms Consider a scenario where an FTP client on the internal network connects through the firewall to an FTP server on the Internet. The IP rule is then configured to allow network traffic from the FTP client to port 21 on the FTP server.
  • Page 251: Ftp Alg Hybrid Mode

    6.2.3. The FTP ALG Chapter 6. Security Mechanisms Figure 6.3. FTP ALG Hybrid Mode Note: Hybrid conversion is automatic Hybrid mode does not need to enabled. The conversion between modes occurs automatically within the FTP ALG. Connection Restriction Options The FTP ALG has two options to restrict which type of mode the FTP client and the FTP server can use: •...
  • Page 252 6.2.3. The FTP ALG Chapter 6. Security Mechanisms • Allow the SITE EXEC command to be sent to an FTP server by a client. • Allow the RESUME command even if content scanning terminated the connection. Note: Some commands are never allowed Some commands, such as encryption instructions, are never allowed.
  • Page 253: Protecting An Ftp Server With An Alg

    6.2.3. The FTP ALG Chapter 6. Security Mechanisms The NetDefendOS Anti-Virus subsystem can be enabled to scan all FTP downloads searching for malicious code. Suspect files can be de dropped or just logged. This feature is common to a number of ALGs and is described fully in Section 6.4, “Anti-Virus Scanning”.
  • Page 254 6.2.3. The FTP ALG Chapter 6. Security Mechanisms In this case, we will set the FTP ALG restrictions as follows. • Enable the Allow client to use active mode FTP ALG option so clients can use both active and passive modes.
  • Page 255 6.2.3. The FTP ALG Chapter 6. Security Mechanisms • ALG: select ftp-inbound created above Click OK C. Define a rule to allow connections to the public IP on port 21 and forward that to the internal FTP server: Go to Rules > IP Rules > Add > IPRule Now enter: •...
  • Page 256: Protecting Ftp Clients

    6.2.3. The FTP ALG Chapter 6. Security Mechanisms • Source Interface: any • Destination Interface: core • Source Network: all-nets • Destination Network: wan_ip Click OK Example 6.3. Protecting FTP Clients In this scenario shown below the NetDefend Firewall is protecting a workstation that will connect to FTP servers on the Internet.
  • Page 257 6.2.3. The FTP ALG Chapter 6. Security Mechanisms Enter Name: ftp-outbound Uncheck Allow client to use active mode Check Allow server to use passive mode Click OK B. Create the Service Go to Objects > Services > Add > TCP/UDP Service Now enter: •...
  • Page 258: The Tftp Alg

    6.2.4. The TFTP ALG Chapter 6. Security Mechanisms • Destination Interface: wan • Source Network: lannet • Destination Network: all-nets Check Use Interface Address Click OK Setting Up FTP Servers with Passive Mode An important point about FTP server setup needs to be made if the FTP ALG is being used along with passive mode.
  • Page 259: The Smtp Alg

    6.2.5. The SMTP ALG Chapter 6. Security Mechanisms TFTP Request Options As long as the Remove Request Option described above is set to false (options are not removed) then the following request option settings can be applied: Maximum Blocksize The maximum blocksize allowed can be specified. The allowed range is 0 to 65,464 bytes.
  • Page 260 6.2.5. The SMTP ALG Chapter 6. Security Mechanisms The administrator should therefore add a reasonable margin above the anticipated email size when setting this limit. Email address blacklisting A blacklist of sender or recipient email addresses can be specified so that mail from/to those addresses is blocked. The blacklist is applied after the whitelist so that if an address matches a whitelist entry it is not then checked against the blacklist.
  • Page 261: Smtp Alg Processing Order

    6.2.5. The SMTP ALG Chapter 6. Security Mechanisms Figure 6.4. SMTP ALG Processing Order Using Wildcards in White and Blacklists Entries made in the white and blacklists can make use of wildcarding to have a single entry cover a large number of potential email addresses. The wildcard character "*" can be used to represent any sequence of characters.
  • Page 262 6.2.5. The SMTP ALG Chapter 6. Security Mechanisms capa=PIPELINING To indicate that the pipelining extension was removed from the SMTP server reply to an EHLO client command. Although ESMTP extensions may be removed by the ALG and related log messages generated, this does not mean that any emails are dropped.
  • Page 263: Anti-Spam Filtering

    6.2.5. The SMTP ALG Chapter 6. Security Mechanisms • Dropping email which has a very high probability of being spam. • Letting through but flagging email that has a moderate probability of being spam. The NetDefendOS Anti-Spam Implementation SMTP functions as a protocol for sending emails between servers. NetDefendOS applies Spam filtering to emails as they pass through the NetDefend Firewall from an external remote SMTP server to a local SMTP server (from which local clients will later download their emails).
  • Page 264 6.2.5. The SMTP ALG Chapter 6. Security Mechanisms servers are queried to assess the likelihood that the email is Spam, based on its origin address. The NetDefendOS administrator assigns a weight greater than zero to each configured server so that a weighted sum can then be calculated based on all responses.
  • Page 265 6.2.5. The SMTP ALG Chapter 6. Security Mechanisms And this is what the email's recipient will see in the summary of their inbox contents. The individual user could then decide to set up their own filters in the local client to deal with such tagged emails, possibly sending it to a separate folder.
  • Page 266 6.2.5. The SMTP ALG Chapter 6. Security Mechanisms Logging There are three types of logging done by the Spam filtering module: • Logging of dropped or Spam tagged emails - These log messages include the source email address and IP as well as its weighted points score and which DNSBLs caused the event. •...
  • Page 267 6.2.5. The SMTP ALG Chapter 6. Security Mechanisms For the DNSBL subsystem overall: • Number of emails checked. • Number of emails Spam tagged. • Number of dropped emails. For each DNSBL server accessed: • Number of positive (is Spam) responses from each configured DNSBL server. •...
  • Page 268: The Pop3 Alg

    6.2.6. The POP3 ALG Chapter 6. Security Mechanisms BlackList: zen.spamhaus.org Status : active Weight value : 25 Number of mails checked : 56 Number of matches in list Number of failed checks (times disabled) To clean out the dnsbl cache for my_smtp_alg and to reset all its statistical counters, the following command option can be used: gw-world:/>...
  • Page 269: The Pptp Alg

    6.2.7. The PPTP ALG Chapter 6. Security Mechanisms can be dropped or just logged. This feature is common to a number of ALGs and is described fully in Section 6.4, “Anti-Virus Scanning”. 6.2.7. The PPTP ALG Why the PPTP ALG is Needed The PPTP ALG is provided to deal with a specific issue when PPTP tunnels are used with NAT.
  • Page 270: The Sip Alg

    6.2.8. The SIP ALG Chapter 6. Security Mechanisms pptp-ctl can be used for this purpose. Alternatively, a new custom service object can be defined, for example called pptp_service. The service must have the following characteristics: Select the Type (the protocol) as TCP. The Source port range can be the default of 0-65535.
  • Page 271 6.2.8. The SIP ALG Chapter 6. Security Mechanisms Note: Traffic shaping will not work with the SIP ALG Any traffic connections that trigger an IP rule with a service object that uses the SIP ALG cannot be also subject to traffic shaping. SIP Components The following components are the logical building blocks for SIP communication: User Agents...
  • Page 272 6.2.8. The SIP ALG Chapter 6. Security Mechanisms Maximum Sessions per ID The number of simultaneous sessions that a single client can be involved with is restricted by this value. The default number is 5. Maximum Registration Time The maximum time for registration with a SIP Registrar. The default value is 3600 seconds.
  • Page 273 6.2.8. The SIP ALG Chapter 6. Security Mechanisms (sometimes described as SIP pinholes) for allowing the media data traffic to flow through the NetDefend Firewall. Make sure there are no preceding rules already in the IP rule set disallowing or allowing the same kind of traffic.
  • Page 274 6.2.8. The SIP ALG Chapter 6. Security Mechanisms The SIP proxy in the above diagram could alternatively be located remotely across the Internet. The proxy should be configured with the Record-Route feature enabled to insure all SIP traffic to and from the office clients will be sent through the SIP Proxy.
  • Page 275 6.2.8. The SIP ALG Chapter 6. Security Mechanisms sends its own IP address as contact information to the SIP proxy. NetDefendOS registers the client's local contact information and uses this to redirect incoming requests to the user. The ALG takes care of the address translations needed. Ensure the clients are correctly configured.
  • Page 276 6.2.8. The SIP ALG Chapter 6. Security Mechanisms This scenario can be implemented in two ways: • Using NAT to hide the network topology. • Without NAT so the network topology is exposed. Solution A - Using NAT Here, the proxy and the local clients are hidden behind the IP address of the NetDefend Firewall. The setup steps are as follows: Define a single SIP ALG object using the options described above.
  • Page 277 6.2.8. The SIP ALG Chapter 6. Security Mechanisms If Record-Route is enabled then the Source Network for outbound traffic from proxy users can be further restricted in the above rules by using "ip_proxy" as indicated. When an incoming call is received, the SIP ALG will follow the SAT rule and forward the SIP request to the proxy server.
  • Page 278 6.2.8. The SIP ALG Chapter 6. Security Mechanisms The exchanges illustrated are as follows: • 1,2 - An initial INVITE is sent to the outbound local proxy server on the DMZ. • 3,4 - The proxy server sends the SIP messages towards the destination on the Internet. •...
  • Page 279 6.2.8. The SIP ALG Chapter 6. Security Mechanisms DMZ interface as the contact address. • An Allow rule for outbound traffic from the proxy behind the DMZ interface to the remote clients on the Internet. • An Allow rule for inbound SIP traffic from the SIP proxy behind the DMZ interface to the IP address of the NetDefend Firewall.
  • Page 280: The H.323 Alg

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms • Destination Port set to 5060 (the default SIP signalling port) • Type set to TCP/UDP Define four rules in the IP rule set: • An Allow rule for outbound traffic from the clients on the internal network to the proxy located on the DMZ interface.
  • Page 281 6.2.9. The H.323 ALG Chapter 6. Security Mechanisms Gateways An H.323 gateway connects two dissimilar networks and translates traffic between them. It provides connectivity between H.323 networks and non-H.323 networks such as public switched telephone networks (PSTN), translating protocols and converting media streams. A gateway is not required for communication between two H.323 terminals.
  • Page 282: Protecting Phones Behind Netdefend Firewalls

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms • The H.323 ALG supports version 5 of the H.323 specification. This specification is built upon H.225.0 v5 and H.245 v10. • In addition to support voice and video calls, the H.323 ALG supports application sharing over the T.120 protocol.
  • Page 283 6.2.9. The H.323 ALG Chapter 6. Security Mechanisms Web Interface Outgoing Rule: Go to Rules > IP Rules > Add > IPRule Now enter: • Name: H323AllowOut • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any •...
  • Page 284: H.323 With Private Ip Addresses

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms Example 6.5. H.323 with private IP addresses In this scenario a H.323 phone is connected to the NetDefend Firewall on a network with private IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules.
  • Page 285: Two Phones Behind Different Netdefend Firewalls

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: Allow incoming calls to H.323 phone at ip-phone Click OK To place a call to the phone behind the NetDefend Firewall, place a call to the external IP address on the firewall.
  • Page 286: Using Private Ip Addresses

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms Incoming Rule: Go to Rules > IP Rules > Add > IPRule Now enter: • Name: H323AllowIn • Action: Allow • Service: H323 • Source Interface: any • Destination Interface: lan • Source Network: 0.0.0.0/0 (all-nets) •...
  • Page 287: H.323 With Gatekeeper

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: Allow incoming calls to H.323 phone at ip-phone For SAT enter Translate Destination IP Address: To New IP Address: ip-phone (IP address of phone) Click OK Go to Rules >...
  • Page 288 6.2.9. The H.323 ALG Chapter 6. Security Mechanisms Web Interface Incoming Gatekeeper Rules: Go to Rules > IP Rules > Add > IPRule Now enter: • Name: H323In • Action: SAT • Service: H323-Gatekeeper • Source Interface: any • Destination Interface: core •...
  • Page 289: H.323 With Gatekeeper And Two Netdefend Firewalls

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms Now enter: • Name: H323In • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gatekeeper (IP address of the gatekeeper) •...
  • Page 290: Using The H.323 Alg In A Corporate Environment

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms Now enter: • Name: H323Out • Action: NAT • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing communication with a gatekeeper Click OK Note: Outgoing calls do not need a specific rule There is no need to specify a specific rule for outgoing calls.
  • Page 291 6.2.9. The H.323 ALG Chapter 6. Security Mechanisms The head office has placed a H.323 Gatekeeper in the DMZ of the corporate NetDefend Firewall. This firewall should be configured as follows: Web Interface Go to Rules > IP Rules > Add > IPRule Now enter: •...
  • Page 292 6.2.9. The H.323 ALG Chapter 6. Security Mechanisms • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gateway • Comment: Allow H.323 entities on lannet to call phones connected to the H.323 Gateway on the DMZ Click OK Go to Rules >...
  • Page 293: Configuring Remote Offices For H.323

    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms Click OK Example 6.11. Configuring remote offices for H.323 If the branch and remote office H.323 phones and applications are to be configured to use the H.323 Gatekeeper at the head office, the NetDefend Firewalls in the remote and branch offices should be configured as follows: (this rule should be in both the Branch and Remote Office firewalls).
  • Page 294: The Tls Alg

    6.2.10. The TLS ALG Chapter 6. Security Mechanisms the communication between "external" phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper. 6.2.10. The TLS ALG Overview Transport Layer Security (TLS) is a protocol that provides secure communications over the public Internet between two end points through the use of cryptography as well as providing endpoint...
  • Page 295: Tls Termination

    6.2.10. The TLS ALG Chapter 6. Security Mechanisms Figure 6.7. TLS Termination Advantages of Using NetDefendOS for TLS Termination TLS can be implemented directly in the server to which clients connect, however, if the servers are protected behind a NetDefend Firewall, then NetDefendOS can take on the role of the TLS endpoint.
  • Page 296 6.2.10. The TLS ALG Chapter 6. Security Mechanisms Associate the TLS ALG object with the newly created service object. Create a NAT or Allow IP rule for the targeted traffic and associate the custom service object with it. Optionally, a SAT rule can be created to change the destination port for the unencrypted traffic. Alternatively an SLB_SAT rule can be used to do load balancing (the destination port can also be changed through a custom service object).
  • Page 297: Web Content Filtering

    6.3. Web Content Filtering Chapter 6. Security Mechanisms 6.3. Web Content Filtering 6.3.1. Overview Web traffic is one of the biggest sources for security issues and misuse of the Internet. Inappropriate surfing habits can expose a network to many security threats as well as legal and regulatory liabilities.
  • Page 298: Static Content Filtering

    6.3.3. Static Content Filtering Chapter 6. Security Mechanisms Removing such legitimate code could, at best, cause the web site to look distorted, at worst, cause it to not work in a browser at all. Active Content Handling should therefore only be used when the consequences are well understood. Example 6.13.
  • Page 299: Setting Up A White And Blacklist

    In this small scenario a general surfing policy prevents users from downloading .exe-files. However, the D-Link website provides secure and necessary program files which should be allowed to download.
  • Page 300: Dynamic Web Content Filtering

    NetDefendOS Dynamic WCF allows web page blocking to be automated so it is not necessary to manually specify beforehand which URLs to block or to allow. Instead, D-Link maintains a global infrastructure of databases containing huge numbers of current web site URL addresses which are already classified and grouped into a variety of categories such as shopping, news, sport, adult-oriented and so on.
  • Page 301: Dynamic Content Filtering Flow

    If the requested web page URL is not present in the databases, then the webpage content at the URL will automatically be downloaded to D-Link's central data warehouse and automatically analyzed using a combination of software techniques. Once categorized, the URL is distributed to the global databases and NetDefendOS receives the category for the URL.
  • Page 302: Enabling Dynamic Web Content Filtering

    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Activation Dynamic Content Filtering is a feature that is enabled by taking out a separate subscription to the service. This is an addition to the normal NetDefendOS license. Once a subscription is taken out, an HTTP Application Layer Gateway (ALG) Object should be defined with Dynamic Content Filtering enabled.
  • Page 303 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Go to Objects > ALG > Add > HTTP ALG Specify a suitable name for the ALG, for example content_filtering Click the Web Content Filtering tab Select Enabled in the Mode list In the Blocked Categories list, select Search Sites and click the >>...
  • Page 304: Enabling Audit Mode

    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms easier to evaluate if the goals of site blocking are being met. Example 6.16. Enabling Audit Mode This example is based on the same scenario as the previous example, but now with audit mode enabled. Command-Line Interface First, create an HTTP Application Layer Gateway (ALG) Object: gw-world:/>...
  • Page 305: Reclassifying A Blocked Site

    The URL to the requested web site as well as the proposed category will then be sent to D-Link's central data warehouse for manual inspection. That inspection may result in the web site being reclassified, either according to the category proposed or to a category which is felt to be correct.
  • Page 306 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms of each category. Category 1: Adult Content A web site may be classified under the Adult Content category if its content includes the description or depiction of erotic or sexual acts or sexually oriented material such as pornography. Exceptions to this are web sites that contain information relating to sexuality and sexual health, which may be classified under the Health Sites Category (21).
  • Page 307 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms • www.flythere.nu • www.reallycheaptix.com.au Category 6: Shopping A web site may be classified under the Shopping category if its content includes any form of advertisement of goods or services to be exchanged for money, and may also include the facilities to perform that transaction online.
  • Page 308 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms computer game related software, or playing or participating in online games. Examples might be: • www.gamesunlimited.com • www.gameplace.com Category 11: Investment Sites A web site may be classified under the Investment Sites category if its content includes information, services or facilities pertaining to personal investment.
  • Page 309 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms • www.political.com Category 16: Sports A web site may be classified under the Sports category if its content includes information or instructions relating to recreational or professional sports, or reviews on sporting events and sports scores.
  • Page 310 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Category 21: Health Sites A web site may be classified under the Health Sites category if its content includes health related information or services, including sexuality and sexual health, as well as support groups, hospital and surgical information and medical journals.
  • Page 311 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms • highschoolessays.org • www.learn-at-home.com Category 27: Advertising A web site may be classified under the Advertising category if its main focus includes providing advertising related information or services. Examples might be: •...
  • Page 312: Editing Content Filtering Http Banner Files

    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Category 32: Non-Managed Unclassified sites and sites that do not fit one of the other categories will be placed in this category. It is unusual to block this category since this could result in most harmless URLs being blocked. 6.3.4.4.
  • Page 313 6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Tip: Saving changes In the above example, more than one HTML file can be edited in a session but the Save button should be pressed to save any edits before beginning editing on another file.
  • Page 314: Anti-Virus Scanning

    The POP3 ALG • The SMTP ALG Note: Anti-Virus is not available on all NetDefend models Anti-Virus scanning is only available on the D-Link NetDefend DFL-260, 260E, 860, 860E, 1660, 2560 and 2560G. 6.4.2. Implementation Streaming As a file transfer is streamed through the NetDefend Firewall, NetDefendOS will scan the data stream for the presence of viruses if the Anti-Virus module is enabled.
  • Page 315: Activating Anti-Virus Scanning

    6.4.3. Activating Anti-Virus Scanning Chapter 6. Security Mechanisms Types of File Downloads Scanned As described above, Anti-Virus scanning is enabled on a per ALG basis and can scan file downloads associated with the HTTP, FTP, SMTP and POP3 ALGs. More specifically: •...
  • Page 316: The Signature Database

    D-Link Anti-Virus subscription. 6.4.5. Subscribing to the D-Link Anti-Virus Service The D-Link Anti-Virus feature is purchased as an additional component to the base D-Link license and is bought in the form of a renewable subscription. An Anti-Virus subscription includes regular updates of the Kaspersky SafeStream database during the subscription period with the signatures of the latest virus threats.
  • Page 317 6.4.6. Anti-Virus Options Chapter 6. Security Mechanisms the excluded list is checked. 3. Compression Ratio Limit When scanning compressed files, NetDefendOS must apply decompression to examine the file's contents. Some types of data can result in very high compression ratios where the compressed file is a small fraction of the original uncompressed file size.
  • Page 318: Activating Anti-Virus Scanning

    6.4.6. Anti-Virus Options Chapter 6. Security Mechanisms This reconfiguration causes a failover so the passive unit becomes the active unit. When the update is completed, the newly active unit also downloads the files for the update and performs a reconfiguration. This second reconfiguration causes another failover so the passive unit reverts back to being active again.
  • Page 319 6.4.6. Anti-Virus Options Chapter 6. Security Mechanisms Web Interface A. First, create an HTTP ALG Object: Go to Objects > ALG > Add > HTTP ALG Specify a suitable name for the ALG, for instance anti_virus Click the Antivirus tab Select Protect in the Mode dropdown list Click OK B.
  • Page 320: Intrusion Detection And Prevention

    If NetDefendOS IDP detects an intrusion then the Action specified for the triggering IDP Rule is taken. IDP Rules, Pattern Matching and IDP Rule Actions are described in the sections which follow. 6.5.2. IDP Availability for D-Link Models Maintenance and Advanced IDP D-Link offers two types of IDP:...
  • Page 321: Idp Database Updating

    The standard subscription is for 12 months and provides automatic IDP signature database updates. This IDP option is available for all D-Link NetDefend models, including those that don't come as standard with Maintenance IDP. Maintenance IDP can be viewed as a restricted subset of Advanced IDP and the following sections describe how the Advanced IDP option functions.
  • Page 322: Idp Rules

    A new, updated signature database is downloaded automatically by NetDefendOS system at a configurable interval. This is done via an HTTP connection to the D-Link server network which delivers the latest signature database updates. If the server's signature database has a newer version than the current local database, the new database will be downloaded, replacing the older version.
  • Page 323: Idp Signature Selection

    6.5.3. IDP Rules Chapter 6. Security Mechanisms IDP Signature Selection When using the Web Interface, all IDP signatures in the local signature database are shown under the heading IDP Signatures. This displays a two level tree of all signatures ordered by group. However, its purpose is for reference only and it is not possible to add signatures through this tree.
  • Page 324: Insertion/Evasion Attack Prevention

    6.5.4. Insertion/Evasion Attack Chapter 6. Security Mechanisms Prevention Initial Packet Processing The initial order of packet processing with IDP is as follows: A packet arrives at the firewall and NetDefendOS performs normal verification. If the packet is part of a new connection then it is checked against the IP rule set before being passed to the IDP module.
  • Page 325: Idp Pattern Matching

    Attackers who build new intrusions often re-use older code. This means their new attacks can appear "in the wild" quickly. To counter this, D-Link IDP uses an approach where the module scans for these reusable components, with pattern matching looking for building blocks rather than the entire complete code patterns.
  • Page 326: Idp Signature Groups

    An advisory is a explanatory textual description of a signature. Reading a signature's advisory will explain to the administrator what the signature will search for. Due to the changing nature of the signature database, advisories are not included in D-Link documentation but instead, are available on the D-Link website at: http://security.dlink.com.tw...
  • Page 327: Idp Actions

    6.5.7. IDP Actions Chapter 6. Security Mechanisms • HTTP 3. Signature Group Sub-Category The third level of naming further specifies the target of the group and often specifies the application, for example MSSQL. The Sub-Category may not be necessary if the Type and Category are sufficient to specify the group, for example APP_ITUNES.
  • Page 328: Smtp Log Receiver For Idp Events

    Section 6.7, “Blacklisting Hosts and Networks”. IDP ZoneDefense The Protect action includes the option that the particular D-Link switch that triggers the IDP Rule can be de-activated through the D-Link ZoneDefense feature. For more details on how ZoneDefense functions see Chapter 12, ZoneDefense.
  • Page 329: Setting Up Idp For A Mail Server

    6.5.8. SMTP Log Receiver for IDP Chapter 6. Security Mechanisms Events • SMTP Server: smtp-server • Server Port: 25 • Specify alternative email addresses (up to 3) • Sender: hostmaster • Subject: Log event from NetDefendOS • Minimum Repeat Delay: 600 •...
  • Page 330 6.5.8. SMTP Log Receiver for IDP Chapter 6. Security Mechanisms Events SourceNetwork=wannet DestinationInterface=dmz DestinationNetwork=ip_mailserver Name=IDPMailSrvRule Specify the Rule Action: gw-world:/> cc IDPRule IDPMailSrvRule gw-world:/IDPMailSrvRule> add IDPRuleAction Action=Protect IDPServity=All Signatures=IPS_MAIL_SMTP Web Interface Create an IDP Rule: This IDP rule is called IDPMailSrvRule, and applies to the SMTP service. Source Interface and Source Network define where traffic is coming from, in this example, the external network.
  • Page 331 6.5.8. SMTP Log Receiver for IDP Chapter 6. Security Mechanisms Events to instead specify indvidual signatures or a list of signatures for an IDP rule. Individual signatures are identified by their unique number ID and multiple signatures is specified as a comma seperated list of these IDs.
  • Page 332: Denial-Of-Service Attack Prevention

    6.6. Denial-of-Service Attack Chapter 6. Security Mechanisms Prevention 6.6. Denial-of-Service Attack Prevention 6.6.1. Overview By embracing the Internet, enterprises experience new business opportunities and growth. The enterprise network and the applications that run over it are business critical. Not only can a company reach a larger number of customers via the Internet, it can serve them faster and more efficiently.
  • Page 333: Fragmentation Overlap Attacks: Teardrop, Bonk, Boink And Nestea

    6.6.4. Fragmentation overlap attacks: Chapter 6. Security Mechanisms Teardrop, Bonk, Boink and Nestea intended victim. "Jolt" is simply a purpose-written program for generating such packets on operating systems whose ping commands refuse to generate oversized packets. The triggering factor is that the last fragment makes the total packet size exceed 65535 bytes, which is the highest number that a 16-bit integer can store.
  • Page 334: Amplification Attacks: Smurf, Papasmurf, Fraggle

    6.6.7. Amplification attacks: Smurf, Chapter 6. Security Mechanisms Papasmurf, Fraggle • By stripping the URG bit by default from all TCP segments traversing the system (configurable via Advanced Settings > TCP > TCPUrg). WinNuke attacks will usually show up in NetDefendOS logs as normal drops with the name of the IP rule that disallowed the connection attempt.
  • Page 335: Tcp Syn Flood Attacks

    6.6.8. TCP SYN Flood Attacks Chapter 6. Security Mechanisms The Traffic Shaping feature built into NetDefendOS also help absorb some of the flood before it reaches protected servers. 6.6.8. TCP SYN Flood Attacks TCP SYN flood attacks work by sending large amounts of TCP SYN packets to a given port and then not responding to SYN ACKs sent in response.
  • Page 336 6.6.10. Distributed DoS Attacks Chapter 6. Security Mechanisms A more sophisticated form of DoS is the Distributed Denial of Service (DoS) attack. DDoS attacks involve breaking into hundreds or thousands of machines all over the Internet to installs DDoS software on them, allowing the hacker to control all these burgled machines to launch coordinated attacks on victim sites.
  • Page 337: Blacklisting Hosts And Networks

    6.7. Blacklisting Hosts and Networks Chapter 6. Security Mechanisms 6.7. Blacklisting Hosts and Networks Overview NetDefendOS implements a Blacklist of host or network IP addresses which can be utilized to protect against traffic coming from specific Internet sources. Certain NetDefendOS subsystems have the ability to optionally blacklist a host or network when certain conditions are encountered.
  • Page 338: Adding A Host To The Whitelist

    6.7. Blacklisting Hosts and Networks Chapter 6. Security Mechanisms blacklisted, it still does not prevent NetDefendOS mechanisms such as threshold rules from dropping or denying connections from that source. What whitelisting does is prevent a source being added to a blacklist if that is the action a rule has specified. For further details on usage see Section 6.5.7, “IDP Actions”, Section 10.3.8, “Threshold Rule Blacklisting”...
  • Page 339 6.7. Blacklisting Hosts and Networks Chapter 6. Security Mechanisms...
  • Page 340: Address Translation

    Chapter 7. Address Translation This chapter describes NetDefendOS address translation capabilities. • Overview, page 340 • NAT, page 341 • NAT Pools, page 346 • SAT, page 349 7.1. Overview The ability of NetDefendOS to change the IP address of packets as they pass through the NetDefend Firewall is known as address translation.
  • Page 341: Nat

    7.2. NAT Chapter 7. Address Translation 7.2. NAT Dynamic Network Address Translation (NAT) provides a mechanism for translating original source IP addresses to a different address. Outgoing packets then appear to come from a different IP address and incoming packets back to that address have their IP address translated back to the original IP address.
  • Page 342 7.2. NAT Chapter 7. Address Translation address on the firewall then this will constitute two, unique IP pairs. The 64,500 figure is therefore not a limitation for the entire NetDefend Firewall. Tip: Use NAT pools to get around the connection limit The connection maximum per unique IP pair is normally adequate for all but the most extreme scenarios.
  • Page 343: A Nat Example

    7.2. NAT Chapter 7. Address Translation 195.55.66.77:80 => 195.11.22.33:32789 NetDefendOS receives the packet and compares it to its list of open connections. Once it finds the connection in question, it restores the original address and forwards the packet. 195.55.66.77:80 => 192.168.1.5:1038 The original sender now receives the response.
  • Page 344 7.2. NAT Chapter 7. Address Translation Web Interface Go to Rules > IP Rules > Add > IPRule Specify a suitable name for the rule, for example NAT_HTTP Now enter: • Action: NAT • Service: http • Source Interface: lan •...
  • Page 345: Anonymizing With Nat

    7.2. NAT Chapter 7. Address Translation anonymize traffic between clients and servers across the public Internet so that the client's public IP address is not present in any server access requests or peer to peer traffic. We shall examine the typical case where the NetDefend Firewall acts as a PPTP server and terminates the PPTP tunnel for PPTP clients.
  • Page 346: Nat Pools

    7.3. NAT Pools Chapter 7. Address Translation 7.3. NAT Pools Overview Network Address Translation (NAT) provides a way to have multiple internal clients and hosts with unique private internal IP addresses communicate to remote hosts through a single external public IP address (this is discussed in depth in Section 7.2, “NAT”).
  • Page 347: Using Nat Pools

    7.3. NAT Pools Chapter 7. Address Translation There is only one state table per NAT Pool so that if a single NAT Pool is re-used in multiple NAT IP rules they share the same state table. Stateless NAT Pools The Stateless option means that no state table is maintained and the external IP address chosen for each new connection is the one that has the least connections already allocated to it.
  • Page 348 7.3. NAT Pools Chapter 7. Address Translation This example creates a NAT pool with the external IP address range 10.6.13.10 to 10.16.13.15 which is then used in a NAT IP rule for HTTP traffic on the wan interface. Web Interface A.
  • Page 349: Sat

    7.4. SAT Chapter 7. Address Translation 7.4. SAT NetDefendOS can translate entire ranges of IP addresses and/or ports. Such translations are transpositions, each address or port is mapped to a corresponding address or port in the new range, rather than translating them all to the same address or port. In NetDefendOS this functionality is known as Static Address Translation (SAT).
  • Page 350: The Role Of The Dmz

    Figure 7.4. The Role of the DMZ Note: The DMZ port could be any port On all models of D-Link NetDefend hardware, there is a specific Ethernet interface which is marked as being for the DMZ network. Although this is the port's intended use it could be used for other purposes and any Ethernet interface could also be used instead for a DMZ.
  • Page 351 7.4.1. Translation of a Single IP Chapter 7. Address Translation Address (1:1) Then create a corresponding Allow rule: gw-world:/main> add IPRule action=Allow Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=core DestinationNetwork=wan_ip Name=Allow_HTTP_To_DMZ Web Interface First create a SAT rule: Go to Rules > IP Rules > Add > IPRule Specify a suitable name for the rule, for example SAT_HTTP_To_DMZ Now enter: •...
  • Page 352: Enabling Traffic To A Web Server On An Internal Network

    7.4.1. Translation of a Single IP Chapter 7. Address Translation Address (1:1) Action Src Iface Src Net Dest Iface Dest Net Parameters lannet all-nets Now, what is wrong with this rule set? If we assume that we want to implement address translation for reasons of security as well as functionality, we discover that this rule set makes our internal addresses visible to machines in the DMZ.
  • Page 353 7.4.1. Translation of a Single IP Chapter 7. Address Translation Address (1:1) Action Src Iface Src Net Dest Iface Dest Net Parameters Allow all-nets core wan_ip http These two rules allow us to access the web server via the NetDefend Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection.
  • Page 354: Translation Of Multiple Ip Addresses (M:n)

    7.4.2. Translation of Multiple IP Chapter 7. Address Translation Addresses (M:N) Another possible solution to this problem is to allow internal clients to speak directly to 10.0.0.2 and this would completely avoid all the problems associated with address translation. However, this is not always practical. 7.4.2.
  • Page 355 7.4.2. Translation of Multiple IP Chapter 7. Address Translation Addresses (M:N) Address=10.10.10.5 Publish the public IP addresses on the wan interface using ARP publish. One ARP item is needed for every IP address: gw-world:/> add ARP Interface=wan IP=195.55.66.77 mode=Publish Repeat this for all the five public IP addresses. Next, change the current category to be the main IP rule set: gw-world:/>...
  • Page 356: All-To-One Mappings (N:1)

    7.4.3. All-to-One Mappings (N:1) Chapter 7. Address Translation Now enter: • Action: SAT • Servce: http • Source Interface:any • Source Network: all-nets • Destination Interface: wan • Destination Network: wwwsrv_pub Switch to the SAT tab Make sure that the Destination IP Address option is selected In the New IP Address dropdown list, select wwwsrv_priv Click OK Finally, create a corresponding Allow rule:...
  • Page 357: Protocols Handled By Sat

    7.4.5. Protocols Handled by SAT Chapter 7. Address Translation Port Translation (PAT) (also known as Port Address Translation) can be used to modify the source or destination port. Action Src Iface Src Net Dest Iface Dest Net Parameters all-nets wwwsrv_pub TCP 80-85 SETDEST 192.168.0.50 1000 This rule produces a 1:1 translation of all ports in the range 80 - 85 to the range 1080 - 1085.
  • Page 358: Sat And Fwdfast Rules

    7.4.7. SAT and FwdFast Rules Chapter 7. Address Translation The two above rules may both be carried out concurrently on the same connection. In this instance, internal sender addresses will be translated to addresses in pubnet in a 1:1 relationship. In addition, if anyone tries to connect to the public address of the web server, the destination address will be changed to its private address.
  • Page 359 7.4.7. SAT and FwdFast Rules Chapter 7. Address Translation What happens now? • External traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. Correct. • Return traffic from wwwsrv:80 will match rules 2 and 3. The replies will therefore be dynamically address translated.
  • Page 360 7.4.7. SAT and FwdFast Rules Chapter 7. Address Translation...
  • Page 361: User Authentication

    Chapter 8. User Authentication This chapter describes how NetDefendOS implements user authentication. • Overview, page 361 • Authentication Setup, page 363 • Customizing HTML Pages, page 379 8.1. Overview In situations where individual users connect to protected resources through the NetDefend Firewall, the administrator will often require that each user goes through a process of authentication before access is allowed.
  • Page 362 8.1. Overview Chapter 8. User Authentication To remain secure, passwords should also: • Not be recorded anywhere in written form. • Never be revealed to anyone else. • Changed on a regular basis such as every three months.
  • Page 363: Authentication Setup

    8.2. Authentication Setup Chapter 8. User Authentication 8.2. Authentication Setup 8.2.1. Setup Summary The following list summarizes the steps for User Authentication setup with NetDefendOS: • Have an authentication source which consists of a database of users, each with a username/password combination.
  • Page 364 8.2.2. The Local Database Chapter 8. User Authentication The purpose of this is to restrict access to certain networks to a particular group by having IP rules which will only apply to members of that group. To gain access to a resource there must be an IP rule that allows it and the client must belong to the same group as the rule's Source Network group.
  • Page 365: External Radius Servers

    8.2.3. External RADIUS Servers Chapter 8. User Authentication When the user connects, there is an automatic checking of the keys used by the client to verify their identity. Once verified, there is no need for the user to input their username and password. To make use of this feature, the relevant SSH Client Key object or objects must first be defined separately in NetDefendOS.
  • Page 366 8.2.4. External LDAP Servers Chapter 8. User Authentication One or more LDAP servers can be associated as a list within a user authentication rule. The ordering of the list determines the order in which server access is attempted. The first server in the list has the highest precedence and will be used first. If authentication fails or the server is unreachable then the second in the list is used and so on.
  • Page 367 8.2.4. External LDAP Servers Chapter 8. User Authentication The following general parameters are used for configuration of each server: • Name The name given to the server object for reference purposes in NetDefendOS. For example, NetDefendOS authentication rules may be defined which reference this name. This value has nothing to do with the Name Attribute described below.
  • Page 368 8.2.4. External LDAP Servers Chapter 8. User Authentication successful authentication. The domain name is the host name of the LDAP server, for example myldapserver. The choices for this parameter are: None - This will not modify the username in any way. For example, testuser. Username Prefix - When authenticating, this will put <domain name>\ in front of the username.
  • Page 369 8.2.4. External LDAP Servers Chapter 8. User Authentication • Domain Name The Domain Name is used when formatting usernames. This is the first part of the full domain name. In our examples above, the Domain Name is myldapserver. The full domain name is a dot separated set of labels, for example, myldapserver.local.eu.com.
  • Page 370 8.2.4. External LDAP Servers Chapter 8. User Authentication If the domain is mydomain.com then the username for myuser might need to be specified as myuser@mydomain.com. With some LDAP servers this might be myuser@domain mydomain.com\myuser or even mydomain\myuser. The format depends entirely on the LDAP server and what it expects.
  • Page 371: Normal Ldap Authentication

    8.2.4. External LDAP Servers Chapter 8. User Authentication Figure 8.1. Normal LDAP Authentication The processing is different if a group membership is being retrieved since a request is sent to the LDAP server to search for memberships and any group memberships are then sent back in the response.
  • Page 372: Authentication Rules

    8.2.5. Authentication Rules Chapter 8. User Authentication Figure 8.2. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 Important: The link to the LDAP server must be protected Since the LDAP server is sending back passwords in plain text to NetDefendOS, the link between the NetDefend Firewall and the server must be protected.
  • Page 373 8.2.5. Authentication Rules Chapter 8. User Authentication This is the IKE authentication method which is used as part of VPN tunnel establishment with IPsec. XAuth is an extension to the normal IKE exchange and provides an addition to normal IPsec security which means that clients accessing a VPN must provide a login username and password.
  • Page 374: Authentication Processing

    8.2.6. Authentication Processing Chapter 8. User Authentication The maximum time that a connection can exist (no value is specified by default). If an authentication server is being used then the option to Use timeouts received from the authentication server can be enabled to have these values set from the server. Multiple Logins An Authentication Rule can specify how multiple logins are handled where more than one user from different source IP addresses try to login with the same username.
  • Page 375: A Group Usage Example

    8.2.7. A Group Usage Example Chapter 8. User Authentication Any packets from an IP address that fails authentication are discarded. 8.2.7. A Group Usage Example To illustrate Authentication Group usage, lets suppose that there are a set of users which will login from a network 192.168.1.0/24 connected to the lan interface.
  • Page 376 8.2.8. HTTP Authentication Chapter 8. User Authentication combination. A Realm String can optionally be specified which will appear in the browser's dialog. FORM is recommended over BASICAUTH because in some cases the browser might hold the login data in its cache. •...
  • Page 377: Creating An Authentication User Group

    8.2.8. HTTP Authentication Chapter 8. User Authentication Example 8.1. Creating an Authentication User Group In the example of an authentication address object in the address book, a user group "users" is used to enable user authentication on "lannet". This example shows how to configure the user group in the NetDefendOS database.
  • Page 378: Configuring A Radius Server

    8.2.8. HTTP Authentication Chapter 8. User Authentication • Destination Network lan_ip Click OK B. Set up the Authentication Rule Go to User Authentication > User Authentication Rules > Add > User Authentication Rule Now enter: • Name: HTTPLogin • Agent: HTTP •...
  • Page 379: Customizing Html

    8.3. Customizing HTML Pages Chapter 8. User Authentication Shared Secret: Enter a text string here for basic encryption of the RADIUS messages Confirm Secret: Retype the string to confirm the one typed above Click OK 8.3. Customizing HTML Pages User Authentication makes use of a set of HTML files to present information to the user during the authentication process.
  • Page 380: Editing Content Filtering Http Banner Files

    8.3. Customizing HTML Pages Chapter 8. User Authentication • %IPADDR% - The IP address which is being browsed from. • %REASON% - The reason that access was denied. • - The web page URL for redirects. The %REDIRURL% Parameter In certain banner web pages, the parameter %REDIRURL% appears. This is a placeholder for the original URL which was requested before the user login screen appeared for an unauthenticated user.
  • Page 381 8.3. Customizing HTML Pages Chapter 8. User Authentication A new Auth Banner Files object must exist which the edited file(s) is uploaded to. If the object is called ua_html, the CLI command to create this object is: gw-world:/> add HTTPAuthBanners ua_html This creates an object which contains a copy of all the Default user auth banner files.
  • Page 382 8.3. Customizing HTML Pages Chapter 8. User Authentication...
  • Page 383: Vpn

    Chapter 9. VPN This chapter describes the Virtual Private Network (VPN) functionality in NetDefendOS. • Overview, page 383 • VPN Quick Start, page 387 • IPsec Components, page 397 • IPsec Tunnels, page 412 • PPTP/L2TP, page 431 • CA Server Access, page 440 •...
  • Page 384: Vpn Encryption

    9.1.2. VPN Encryption Chapter 9. VPN Client to LAN connection - Where many remote clients need to connect to an internal network over the Internet. In this case, the internal network is protected by the NetDefend Firewall to which the client connects and the VPN tunnel is set up between them. 9.1.2.
  • Page 385: Key Distribution

    9.1.4. Key Distribution Chapter 9. VPN • Restricting access through the VPN to needed services only, since mobile computers are vulnerable. • Creating DMZs for services that need to be shared with other companies through VPNs. • Adapting VPN access policies for different groups of users. •...
  • Page 386 9.1.5. The TLS Alternative for VPN Chapter 9. VPN “The TLS ALG”.
  • Page 387: Vpn Quick Start

    9.2. VPN Quick Start Chapter 9. VPN 9.2. VPN Quick Start Overview Later sections in this chapter will explore VPN components in detail. To help put those later sections in context, this section is a quick start summary of the steps needed for VPN setup. It outlines the individual steps in setting up VPNs for the most common scenarios.
  • Page 388: Ipsec Lan To Lan With Pre-Shared Keys

    9.2.1. IPsec LAN to LAN with Chapter 9. VPN Pre-shared Keys 9.2.1. IPsec LAN to LAN with Pre-shared Keys Create a Pre-shared Key object. Optionally create a new IKE Algorithms object and/or an IPsec Algorithms object if the default algorithm proposal lists do not provide a set of algorithms that are acceptable to the tunnel remote end point.
  • Page 389: Ipsec Lan To Lan With Certificates

    9.2.2. IPsec LAN to LAN with Chapter 9. VPN Certificates Action Src Interface Src Network Dest Interface Dest Network Service Allow ipsec_tunnel remote_net lannet The Service used in these rules is All but it could be a predefined service. Define a new NetDefendOS Route which specifies that the VPN Tunnel ipsec_tunnel is the Interface to use for routing packets bound for the remote network at the other end of the tunnel.
  • Page 390: Ipsec Roaming Clients With Pre-Shared Keys

    9.2.3. IPsec Roaming Clients with Chapter 9. VPN Pre-shared Keys considered adequate. Two self-signed certificates are required and the same two are used at either end of the tunnel but their usage is reversed. In other words: one certificate is used as the root certificate at one end, call it Side A, and as the host certificate at the other end, call it Side B.
  • Page 391 9.2.3. IPsec Roaming Clients with Chapter 9. VPN Pre-shared Keys The Group string for a user can be specified if its group's access is to be restricted to certain source networks. Group can be specified (with the same text string) in the Authentication section of an IP object.
  • Page 392: Ipsec Roaming Clients With Certificates

    9.2.4. IPsec Roaming Clients with Chapter 9. VPN Certificates • Create a Config Mode Pool object (there can only be one associated with a NetDefendOS installation) and in it specify the address range. • Enable the IKE Config Mode Pool option in the IPsec Tunnel object ipsec_tunnel. If client IP addresses are to be retrieved through DHCP: •...
  • Page 393: L2Tp Roaming Clients With Pre-Shared Keys

    9.2.5. L2TP Roaming Clients with Chapter 9. VPN Pre-Shared Keys The step to set up user authentication is optional since this is additional security to certificates. Note: The system time and date should be correct The NetDefendOS date and time should be set correctly since certificates have an expiry date and time.
  • Page 394: L2Tp Roaming Clients With Certificates

    9.2.6. L2TP Roaming Clients with Chapter 9. VPN Certificates • Set Inner IP Address to ip_int. • Set Tunnel Protocol to L2TP. • Set Outer Interface Filter to ipsec_tunnel. • Set Outer Server IP to ip_ext. • Select the Microsoft Point-to-Point Encryption allowed. Since IPsec encryption is used this can be set to be None only, otherwise double encryption will degrade throughput.
  • Page 395: Pptp Roaming Clients

    9.2.7. PPTP Roaming Clients Chapter 9. VPN the setup described above are: The NetDefendOS date and time must be set correctly since certificates can expire. Load a Gateway Certificate and Root Certificate into NetDefendOS. When setting up the IPsec Tunnel object, specify the certificates to use under Authentication. This is done by: Enable the X.509 Certificate option.
  • Page 396 9.2.7. PPTP Roaming Clients Chapter 9. VPN • Enable Proxy ARP on the int interface. • As in L2TP, enable the insertion of new routes automatically into the main routing table. Define a User Authentication Rule, this is almost identical to L2TP: Agent Auth Source Src Network...
  • Page 397: Ipsec Components

    9.3. IPsec Components Chapter 9. VPN 9.3. IPsec Components This section looks at the IPsec standards and describes in general terms the various components, techniques and algorithms that are used in IPsec based VPNs. 9.3.1. Overview Internet Protocol Security (IPsec) is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP security at the network layer.
  • Page 398 9.3.2. Internet Key Exchange (IKE) Chapter 9. VPN An SA is unidirectional and relates to traffic flow in one direction only. For the bidirectional traffic that is usually found in a VPN, there is therefore a need for more than one SA per connection. In most cases, where only one of ESP or AH is used, two SAs will be created for each connection, one describing the incoming traffic, and the other the outgoing.
  • Page 399 9.3.2. Internet Key Exchange (IKE) Chapter 9. VPN two VPN firewalls or VPN Clients to each other, by confirming that the remote device has a matching Pre-Shared Key. However, since we do not want to publish to much of the negotiation in plaintext, we first agree upon a way of protecting the rest of the IKE negotiation.
  • Page 400 9.3.2. Internet Key Exchange (IKE) Chapter 9. VPN remote device, which will decrypt/authenticate the data, extract it from its tunnel and pass it on to its final destination. This way, an eavesdropper will only see encrypted traffic going from one of VPN endpoint to another. In transport mode, the traffic will not be tunneled, and is hence not applicable to VPN tunnels.
  • Page 401 9.3.2. Internet Key Exchange (IKE) Chapter 9. VPN Note NetDefendOS does not support AH. IKE Encryption This specifies the encryption algorithm used in the IKE negotiation, and depending on the algorithm, the size of the encryption key used. The algorithms supported by NetDefendOS IPsec are: •...
  • Page 402 9.3.2. Internet Key Exchange (IKE) Chapter 9. VPN phase-1 SA every time a phase-2 negotiation has been finished, making sure no more than one phase-2 negotiation is encrypted using the same key. PFS is generally not needed, since it is very unlikely that any encryption or authentication keys will be compromised.
  • Page 403: Ike Authentication

    9.3.3. IKE Authentication Chapter 9. VPN through a series of plain text exchanges. Even though the exchanges between the parties might be monitored by a third party, Diffie-Hellman makes it extremely difficult for the third party to determine what the agreed shared secret key is and to decrypt data that is encrypted using the key. Diffie-Hellman is used to establish the shared secret keys for IKE, IPsec and PFS.
  • Page 404: Ipsec Protocols (Esp/Ah)

    9.3.4. IPsec Protocols (ESP/AH) Chapter 9. VPN Pre-Shared Keying has a lot of advantages over manual keying. These include endpoint authentication, which is what the PSKs are really for. It also includes all the benefits of using IKE. Instead of using a fixed set of encryption keys, session keys will be used for a limited period of time, where after a new set of session keys are used.
  • Page 405: Nat Traversal

    9.3.5. NAT Traversal Chapter 9. VPN Figure 9.1. The AH protocol AH uses a cryptographic hash function to produce a MAC from the data in the IP packet. This MAC is then transmitted with the packet, allowing the remote endpoint to verify the integrity of the original IP packet, making sure the data has not been tampered with on its way through the Internet.
  • Page 406 9.3.5. NAT Traversal Chapter 9. VPN evolved. NAT traversal is an add-on to the IKE and IPsec protocols that allows them to function when being NATed. NetDefendOS supports the RFC3947 standard for NAT-Traversal with IKE. NAT traversal is divided into two parts: •...
  • Page 407: Algorithm Proposal Lists

    9.3.6. Algorithm Proposal Lists Chapter 9. VPN recommended setting unless the two firewalls have the same external IP address. • IP - An IP address can be manually entered • DNS - A DNS address can be manually entered • Email - An email address can be manually entered 9.3.6.
  • Page 408: Pre-Shared Keys

    9.3.7. Pre-shared Keys Chapter 9. VPN Enter a name for the list, for example esp-l2tptunnel Now check the following: • • 3DES • SHA1 • Click OK Then, apply the algorithm proposal list to the IPsec tunnel: Go to Interfaces > IPsec Select the target IPsec tunnel Select the recently created esp-l2tptunnel in the IPsec Algorithms control Click OK...
  • Page 409: Identification Lists

    9.3.8. Identification Lists Chapter 9. VPN Now apply the Pre-shared Key to the IPsec tunnel: gw-world:/> set Interface IPsecTunnel MyIPsecTunnel PSK=MyPSK Web Interface First create a Pre-shared Key: Go to Objects > Authentication Objects > Add > Pre-shared key Enter a name for the pre-shared key, for example MyPSK Choose Hexadecimal Key and click Generate Random Key to generate a key to the Passphrase textbox Click OK Then, apply the pre-shared key to the IPsec tunnel:...
  • Page 410 Select MyIDList Enter a name for the ID, for example JohnDoe Select Distinguished name in the Type control Now enter: • Common Name: John Doe • Organization Name: D-Link • Organizational Unit: Support • Country: Sweden • Email Address: john.doe@D-Link.com...
  • Page 411 9.3.8. Identification Lists Chapter 9. VPN Select the appropriate certificate in the Root Certificate(s) and Gateway Certificate controls Select MyIDList in the Identification List Click OK...
  • Page 412: Ipsec Tunnels

    9.4. IPsec Tunnels Chapter 9. VPN 9.4. IPsec Tunnels This section looks more closely at IPsec tunnels in NetDefendOS, their definition, options and usage. 9.4.1. Overview An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration capabilities as regular interfaces.
  • Page 413 9.4.1. Overview Chapter 9. VPN performance of the NetDefendOS IPsec engine and explicitly dropping such traffic with an IP rule is an efficient way of preventing it reaching the engine. In other words, IP rules can be used to have complete control over all traffic related to the tunnel.
  • Page 414: Lan To Lan Tunnels With Pre-Shared Keys

    9.4.2. LAN to LAN Tunnels with Chapter 9. VPN Pre-shared Keys • Section 9.2.2, “IPsec LAN to LAN with Certificates”. • Section 9.2.3, “IPsec Roaming Clients with Pre-shared Keys”. • Section 9.2.4, “IPsec Roaming Clients with Certificates”. In addition to the quick start section, more explanation of tunnel setup is given below. 9.4.2.
  • Page 415: Setting Up A Psk Based Vpn Tunnel For Roaming Clients

    9.4.3. Roaming Clients Chapter 9. VPN Example 9.4. Setting up a PSK based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip.
  • Page 416 9.4.3. Roaming Clients Chapter 9. VPN Web Interface A. Create a Self-signed Certificate for IPsec authentication: The step to actually create self-signed certificates is performed outside the WebUI using a suitable software product. The certificate should be in the PEM (Privacy Enhanced Mail) file format. B.
  • Page 417: Setting Up Ca Server Certificate Based Vpn Tunnels For Roaming Clients

    9.4.3. Roaming Clients Chapter 9. VPN Tunnels Based on CA Server Certificates Setting up client tunnels using a CA issued certificate is largely the same as using Self-signed certificates with the exception of a couple of steps. It is the responsibility of the administrator to acquire the appropriate certificate from an issuing authority for client tunnels.
  • Page 418: Setting Up Config Mode

    9.4.3. Roaming Clients Chapter 9. VPN • Choose X.509 Certificates as the authentication method • Root Certificate(s): Select the CA server root certificate imported earlier and add it to the Selected list • Gateway Certificate: Choose the newly created firewall certificate •...
  • Page 419: Fetching Crls From An Alternate Ldap Server

    9.4.4. Fetching CRLs from an alternate Chapter 9. VPN LDAP server Web Interface Go to Objects > VPN Objects > IKE Config Mode Pool The Config Mode Pool object properties web page now appears Select Use a predefined IPPool object Choose the ip_pool1 object from the IP Pool drop-down list Click OK After defining the Config Mode object, the only remaining action is to enable Config Mode to be...
  • Page 420: Troubleshooting With Ikesnoop

    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Web Interface Go to Objects > VPN Objects > LDAP > Add > LDAP Server Now enter: • IP Address: 192.168.101.146 • Username: myusername • Password: mypassword • Confirm Password: mypassword • Port: 389 Click OK 9.4.5.
  • Page 421 9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN negotiation and the server refers to the device which is the responder. Step 1. Client Initiates Exchange by Sending a Supported Algorithm List The verbose option output initially shows the proposed list of algorithms that the client first sends to the server.
  • Page 422 9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Life duration : 43200 Life type : Kilobytes Life duration : 50000 VID (Vendor ID) Payload data length : 16 bytes Vendor ID : 8f 9c c9 4e 01 24 8e cd f1 47 59 4c 28 4b 21 3b Description : SSH Communications Security QuickSec 2.1.0 VID (Vendor ID) Payload data length : 16 bytes...
  • Page 423 9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN SA (Security Association) Payload data length : 52 bytes DOI : 1 (IPsec DOI) Proposal 1/1 Protocol 1/1 Protocol ID : ISAKMP SPI Size Transform 1/1 Transform ID : IKE Encryption algorithm : Rijndael-cbc (aes) Key length : 128 Hash algorithm...
  • Page 424 9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN NAT-D (NAT Detection) Payload data length : 16 bytes Step 4. Server Sends Key Exchange Data The Server now sends key exchange data back to the client. IkeSnoop: Sending IKE packet to 192.168.0.10:500 Exchange type : Identity Protection (main mode) ISAKMP Version : 1.0 Flags Cookies...
  • Page 425 9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Step 6. Server ID Response The server now responds with its own ID. IkeSnoop: Sending IKE packet to 192.168.0.10:500 Exchange type : Identity Protection (main mode) ISAKMP Version : 1.0 Flags : E (encryption) Cookies : 0x6098238b67d97ea6 ->...
  • Page 426 9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Key length : 128 Authentication algorithm : HMAC-MD5 SA life type : Seconds SA life duration : 21600 SA life type : Kilobytes SA life duration : 50000 Encapsulation mode : Tunnel Transform 4/4 Transform ID : Blowfish Key length...
  • Page 427: Ipsec Advanced Settings

    9.4.6. IPsec Advanced Settings Chapter 9. VPN Protocol ID : ESP SPI Size SPI Value : 0xafba2d15 Transform 1/1 Transform ID : Rijndael (aes) Key length : 128 Authentication algorithm : HMAC-MD5 SA life type : Seconds SA life duration : 21600 SA life type : Kilobytes...
  • Page 428 9.4.6. IPsec Advanced Settings Chapter 9. VPN Specifies the total number of IPsec tunnels allowed. This value is initially taken from the maximum tunnels allowed by the license. The setting is used by NetDefendOS to allocate memory for IPsec. If it is desirable to have less memory allocated for IPsec then this setting can be reduced.
  • Page 429 9.4.6. IPsec Advanced Settings Chapter 9. VPN IPsec Cert Cache Max Certs Maximum number of certificates/CRLs that can be held in the internal certificate cache. When the certificate cache is full, entries will be removed according to an LRU (Least Recently Used) algorithm.
  • Page 430 9.4.6. IPsec Advanced Settings Chapter 9. VPN sent. If the other side of the tunnel has not sent a response to any messages then it is considered to be dead (not reachable). The SA will then be placed in the dead cache. This setting is used with IKEv1 only.
  • Page 431: Pptp/L2Tp

    9.5. PPTP/L2TP Chapter 9. VPN 9.5. PPTP/L2TP The access by a client using a modem link over dial-up public switched networks, possibly with an unpredictable IP address, to protected networks via a VPN poses particular problems. Both the PPTP and L2TP protocols provide two different means of achieving VPN access from remote clients.
  • Page 432: L2Tp Servers

    9.5.2. L2TP Servers Chapter 9. VPN TCP port 1723 and/or IP protocol 47 before the PPTP connection can be made to the NetDefend Firewall. Examining the log can indicate if this problem occurred, with a log message of the following form appearing: Error PPP lcp_negotiation_stalled ppp_terminated Example 9.10.
  • Page 433: Setting Up An L2Tp Server

    9.5.2. L2TP Servers Chapter 9. VPN Example 9.11. Setting up an L2TP server This example shows how to setup a L2TP Network Server. The example assumes that you have created some IP address objects. You will have to specify the IP address of the L2TP server interface, an outer IP address (that the L2TP server should listen to) and an IP pool that the L2TP server will use to give out IP addresses to the clients from.
  • Page 434 9.5.2. L2TP Servers Chapter 9. VPN Go to User Authentication > Local User Databases > Add > Local User Database Enter a suitable name for the user database, for example UserDB Go to User Authentication > Local User Databases > UserDB > Add > User Now enter: •...
  • Page 435 9.5.2. L2TP Servers Chapter 9. VPN Command-Line Interface gw-world:/> add Interface L2TPServer l2tp_tunnel IP=lan_ip Interface=l2tp_ipsec ServerIP=wan_ip IPPool=l2tp_pool TunnelProtocol=L2TP AllowedRoutes=all-nets ProxyARPInterfaces=lan Web Interface Go to Interfaces > L2TP Servers > Add > L2TPServer Enter a name for the L2TP tunnel, for example l2tp_tunnel Now enter: •...
  • Page 436: L2Tp/Pptp Server Advanced Settings

    9.5.3. L2TP/PPTP Server advanced Chapter 9. VPN settings Command-Line Interface First, change the current category to be the main IP rule set: gw-world:/> cc IPRuleSet main Now, add the IP rules: gw-world:/main> add IPRule action=Allow Service=all_services SourceInterface=l2tp_tunnel SourceNetwork=l2tp_pool DestinationInterface=any DestinationNetwork=all-nets name=AllowL2TP gw-world:/main>...
  • Page 437: Pptp/L2Tp Clients

    9.5.4. PPTP/L2TP Clients Chapter 9. VPN L2TP Before Rules Pass L2TP traffic sent to the NetDefend Firewall directly to the L2TP Server without consulting the rule set. Default: Enabled PPTP Before Rules Pass PPTP traffic sent to the NetDefend Firewall directly to the PPTP Server without consulting the rule set.
  • Page 438 9.5.4. PPTP/L2TP Clients Chapter 9. VPN Note: The default PPTP/L2TP route A PPTP/L2TP server will not provide information such as gateway or broadcast addresses, as this is not used with PPTP/L2TP tunnels. When using PPTP/L2TP, the default route is normally routed directly across the PPTP/L2TP tunnel without a specified gateway.
  • Page 439: Pptp Client Usage

    9.5.4. PPTP/L2TP Clients Chapter 9. VPN Figure 9.3. PPTP Client Usage...
  • Page 440: Ca Server Access

    9.6. CA Server Access Chapter 9. VPN 9.6. CA Server Access Overview Where certificates are used, the two sides of a VPN tunnel exchange their certificates during the tunnel setup negotiation and either may then try to validate the received certificate by accessing a CA server.
  • Page 441: Certificate Validation Components

    9.6. CA Server Access Chapter 9. VPN The CA server is a commercial server on the public Internet. In this, the simplest case, public DNS servers will resolve the FQDN. The only requirement is that NetDefendOS will need to have at least one public DNS server address configured to resolve the FQDNs in the certificates it receives.
  • Page 442 9.6. CA Server Access Chapter 9. VPN As explained previously, the address of the private CA server must be resolvable through public DNS servers for certificate validation requests coming from the public Internet. If the certificate queries are coming only from the NetDefend Firewall and the CA server is on the internal side of the firewall then the IP address of the internal DNS server must be configured in NetDefendOS so that these requests can be resolved.
  • Page 443: Vpn Troubleshooting

    9.7. VPN Troubleshooting Chapter 9. VPN 9.7. VPN Troubleshooting This section deals with how to troubleshoot the common problems that are found with VPN. 9.7.1. General Troubleshooting In all types of VPNs some basic troubleshooting checks can be made: • Check that all IP addresses have been specified correctly.
  • Page 444: Ipsec Troubleshooting Commands

    9.7.3. IPsec Troubleshooting Chapter 9. VPN Commands If certificates have been used in a VPN solution then the following should be looked at as a source of potential problems: • Check that the correct certificates have been used for the right purposes. •...
  • Page 445: Management Interface Failure With Vpn

    9.7.4. Management Interface Failure Chapter 9. VPN with VPN Another example of what to avoid with many tunnels is: gw-world:/> ipsectunnels -num=all In these circumstances, using the option with a small number, for example -num=10, is recommended. The ikesnoop console command A common problem with setting up IPsec is a list of proposed algorithms that is unacceptable to the device at the other end of the tunnel.
  • Page 446 9.7.5. Specific Error Messages Chapter 9. VPN 1. Could not find acceptable proposal / no proposal chosen This is the most common IPsec related error message. It means that depending on which side initiates tunnel setup, the negotiations in either the IKE or the IPSec phase of setup failed since they were unable to find a matching proposal that both sides could agree on.
  • Page 447 9.7.5. Specific Error Messages Chapter 9. VPN The problem is solved if we reorder the list and move VPN-3 above L2TP. The gateway office3gw will be then matched correctly and VPN-3 will be the tunnel selected by NetDefendOS. 3. Ike_invalid_payload, Ike_invalid_cookie In this case the IPsec engine in NetDefendOS receives an IPsec IKE packet but is unable to match it against an existing IKE.
  • Page 448: Specific Symptoms

    9.7.6. Specific Symptoms Chapter 9. VPN Note: L2TP with Microsoft Vista With L2TP, Microsoft Vista tries by default to contact and download the CRL list, while Microsoft XP does not. This can be turned off in Vista. • If multiple similar or roaming tunnels exist and there is a need to separate them using ID lists, a possible cause can be that none of the ID lists match the certificate properties of the connecting user.
  • Page 449 9.7.6. Specific Symptoms Chapter 9. VPN By using ikesnoop when both sides initiate the tunnel, it should be simple to compare the network that both sides are sending in phase-2. With that information it should be possible to spot the network problem.
  • Page 450 9.7.6. Specific Symptoms Chapter 9. VPN...
  • Page 451: Traffic Management

    Chapter 10. Traffic Management This chapter describes how NetDefendOS can manage network traffic. • Traffic Shaping, page 451 • IDP Traffic Shaping, page 472 • Threshold Rules, page 477 • Server Load Balancing, page 480 10.1. Traffic Shaping 10.1.1. Overview QoS with TCP/IP A weakness of TCP/IP is the lack of true Quality of Service (QoS) functionality.
  • Page 452: Traffic Shaping In Netdefendos

    10.1.2. Traffic Shaping in Chapter 10. Traffic Management NetDefendOS Traffic Shaping Objectives Traffic shaping operates by measuring and queuing IP packets with respect to a number of configurable parameters. The objectives are: • Applying bandwidth limits and queuing packets that exceed configured limits, then sending them later when bandwidth demands are lower.
  • Page 453: Pipe Rules Determine Pipe Usage

    10.1.2. Traffic Shaping in Chapter 10. Traffic Management NetDefendOS Pipe Rules One or more Pipe Rules make up the NetDefendOS Pipe Rule set which determine what traffic will flow through which pipes. Each pipe rule is defined like other NetDefendOS secuirity policies: by specifying the source/destination interface/network as well as the service to which the rule is to apply.
  • Page 454: Simple Bandwidth Limiting

    10.1.3. Simple Bandwidth Limiting Chapter 10. Traffic Management of 8 pipes. Explicitly Excluding Traffic from Shaping If no pipe is specified in a pipe rule list then traffic that triggers the rule will not flow through any pipe. It also means that the triggering traffic will not be subject to any other matching pipe rules that might be found later in the rule set.
  • Page 455: Limiting Bandwidth In Both Directions

    10.1.4. Limiting Bandwidth in Both Chapter 10. Traffic Management Directions Web Interface Go to Traffic Management > Traffic Shaping > Pipes > Add > Pipe Specify a suitable name for the pipe, for instance std-in Enter 2000 in the Total textbox under Pipe Limits Click OK Traffic needs to be passed through the pipe and this is done by using the pipe in a Pipe Rule.
  • Page 456: Creating Differentiated Limits Using Chains

    10.1.5. Creating Differentiated Limits Chapter 10. Traffic Management Using Chains attempting to flow is 4 Mbps. Since the pipe limit is 2 Mbps, the actual flow will be close to 1 Mbps in each direction. Raising the total pipe limit to 4 Mbps will not solve the problem since the single pipe will not know that 2 Mbps of inbound and 2 Mbps of outbound are the intended limits.
  • Page 457: Precedences

    10.1.6. Precedences Chapter 10. Traffic Management requests followed by long inbound responses. A surf-in pipe is therefore first created for inbound traffic with a 125 kbps limit. Next, a new Pipe Rule is set up for surfing that uses the surf-in pipe and it is placed before the rule that directs everything else through the std-in pipe.
  • Page 458: The Eight Pipe Precedences

    10.1.6. Precedences Chapter 10. Traffic Management default precedence which is 0. There are 8 Possible Precedence Levels Eight precedences exist which are numbered from 0 to 7. Precedence 0 is the least important (lowest priority) precedence and 7 is the most important (highest priority) precedence. A precedence can be viewed as a separate traffic queue;...
  • Page 459 10.1.6. Precedences Chapter 10. Traffic Management • Default Precedence: 0 • Maximum Precedence: 7 As described above, the Default Precedence is the precedence taken by a packet if it is not explicitly assigned by a pipe rule. The minimum and maximum precedences define the precedence range that the pipe will handle. If a packet arrives with an already allocated precedence below the minimum then its precedence is changed to the minimum.
  • Page 460: Minimum And Maximum Pipe Precedence

    10.1.6. Precedences Chapter 10. Traffic Management Figure 10.5. Minimum and Maximum Pipe Precedence Lowest Precedence Limits It is usually is not needed to have a limit specified for the lowest (best effort) precedence since this precedence simply uses any spare bandwidth not used by higher precedences. However, a limit could be specified if there is a need to restrict the bandwidth used by the lowest precedence.
  • Page 461 10.1.6. Precedences Chapter 10. Traffic Management The Need for Guarantees A problem can occur however if prioritized traffic is a continuous stream such as real-time audio, resulting in continuous use of all available bandwidth and resulting in unacceptably long queuing times for other services such as surfing, DNS or FTP.
  • Page 462: Pipe Groups

    10.1.7. Pipe Groups Chapter 10. Traffic Management Set the priority assignment for both rules to Use defaults from first pipe; the default precedence of both the ssh-in and telnet-in pipes is 2. Using this approach rather than hard-coding precedence 2 in the rule set, it is easy to change the precedence of all SSH and Telnet traffic by changing the default precedence of the ssh-in and telnet-in pipes.
  • Page 463 10.1.7. Pipe Groups Chapter 10. Traffic Management Specifying Group Limits Once the way the method of grouping is selected, the next step is to specify the Group Limits. These limits can consist of one or both of the following: • Group Limit Total This value specifies a limit for each user within the grouping.
  • Page 464: Traffic Grouped By Ip Address

    10.1.7. Pipe Groups Chapter 10. Traffic Management Figure 10.6. Traffic Grouped By IP Address Another Simple Groups Example Consider another situation where the total bandwidth limit for a pipe is 400 bps. If the aim is to allocate this bandwidth amongst many destination IP addresses so that no single IP address can take more then 100 bps of bandwidth, the following steps are needed.
  • Page 465: Traffic Shaping Recommendations

    10.1.8. Traffic Shaping Chapter 10. Traffic Management Recommendations If a total group limit of 100 bps is also specified with dynamic balancing, then this still means that no single user may take more than that amount of bandwidth. Precedences and Dynamic Balancing As discussed, in addition to specifying a total limit for a grouping, limits can be specified for each precedence within a grouping.
  • Page 466: A Summary Of Traffic Shaping

    10.1.9. A Summary of Traffic Shaping Chapter 10. Traffic Management fixed bandwidth resource. An ISP might use this approach to limit individual user bandwidth by specifying a "Per Destination IP" grouping. Knowing when the pipe is full is not important since the only constraint is on each user.
  • Page 467: More Pipe Examples

    10.1.10. More Pipe Examples Chapter 10. Traffic Management • Select the traffic to manage through Pipe Rules. • Pipe Rules send traffic through Pipes. • A pipe can have a limit which is the maximum amount of traffic allowed. • A pipe can only know when it is full if a total limit for the pipe is specified.
  • Page 468: A Basic Traffic Shaping Scenario

    10.1.10. More Pipe Examples Chapter 10. Traffic Management Figure 10.7. A Basic Traffic Shaping Scenario The reason for using 2 different pipes in this case, is that these are easier to match to the physical link capacity. This is especially true with asynchronous links such as ADSL. First, two pipes called in-pipe and out-pipe need to be created with the following parameters: Pipe Name Min Prec...
  • Page 469 10.1.10. More Pipe Examples Chapter 10. Traffic Management Rule Forward Return Source Source Dest Dest Selected Prece Name Pipes Pipes Interface Network Interface Network Service dence voip out-pipe in-pipe lannet all-nets H323 citrix out-pipe in-pipe lannet all-nets citrix other out-pipe in-pipe lannet all-nets...
  • Page 470 10.1.10. More Pipe Examples Chapter 10. Traffic Management Total: 1700 • vpn-out • Priority 6: VoIP 500 kpbs • Priority 0: Best effort Total: 1700 • in-pipe • Priority 6: VoIP 500 kpbs Total: 2000 • out-pipe • Priority 6: VoIP 500 kpbs Total: 2000 The following pipe rules are then needed to force traffic into the correct pipes and precedence levels:...
  • Page 471 10.1.10. More Pipe Examples Chapter 10. Traffic Management Note: SAT and ARPed IP Addresses If the SAT is from an ARPed IP address, the wan interface needs to be the destination.
  • Page 472: Idp Traffic Shaping

    10.2. IDP Traffic Shaping Chapter 10. Traffic Management 10.2. IDP Traffic Shaping 10.2.1. Overview The IDP Traffic Shaping feature is traffic shaping that is performed based on information coming from the NetDefendOS Intrusion Detection and Prevention (IDP) subsystem (for more information on IDP see Section 6.5, “Intrusion Detection and Prevention”).
  • Page 473: Processing Flow

    10.2.3. Processing Flow Chapter 10. Traffic Management information followed by a number of data transfer connections to other hosts. It is the initial connection that IDP detects and the Time Window specifies the expected period afterwards when other connections will be opened and subject to traffic shaping. Connections opened after the Time Window has expired will no longer be subject to traffic shaping.
  • Page 474: A P2P Scenario

    10.2.5. A P2P Scenario Chapter 10. Traffic Management Excluding Hosts To avoid these unintended consequences, we specify the IP addresses of client A and client B in the Network range but not host X. This tells NetDefendOS that host X is not relevant in making a decision about including new non-IDP-triggering connections in traffic shaping.
  • Page 475: Viewing Traffic Shaping Objects

    10.2.7. Guaranteeing Instead of Chapter 10. Traffic Management Limiting Bandwidth 10.2.6. Viewing Traffic Shaping Objects Viewing Hosts IDP traffic shaping has a special CLI command associated with it called idppipes and this can examine and manipulate the hosts which are currently subject to traffic shaping. To display all hosts being traffic shaped by IDP Traffic Shaping, the command would be: gw-world:/>...
  • Page 476: Guaranteeing Instead Of Limiting Bandwidth

    10.2.8. Logging Chapter 10. Traffic Management 10.2.7. Guaranteeing Instead of Limiting Bandwidth If desired, IDP Traffic Shaping can be used to do the opposite of limiting bandwidth for certain applications. If the administrator wants to guarantee a bandwidth level, say 10 Megabits, for an application then an IDP rule can be set up to trigger for that application with the Pipe action specifying the bandwidth required.
  • Page 477: Threshold Rules

    "connection" in this context refers to all types of connections, such as TCP, UDP or ICMP, tracked by the NetDefendOS state-engine). Note: Threshold Rules are not available on all NetDefend models The Threshold Roles feature is only available on the D-Link NetDefend DFL-800, 860, 860E, 1600, 1660, 2500, 2560 and 2560G. Threshold Policies...
  • Page 478: Grouping

    Rules if they are enabled. 10.3.7. Threshold Rules and ZoneDefense Threshold Rules are used in the D-Link ZoneDefense feature to block the source of excessive connection attmepts from internal hosts. For more information on this refer to Chapter 12, ZoneDefense.
  • Page 479 10.3.8. Threshold Rule Blacklisting Chapter 10. Traffic Management NetDefendOS. The length of time, in seconds, for which the source is blacklisted can also be set. This feature is discussed further in Section 6.7, “Blacklisting Hosts and Networks”.
  • Page 480: Server Load Balancing

    Note: SLB is not available on all D-Link NetDefend models The SLB feature is only available on the D-Link NetDefend DFL-800, 860, 860E, 1600, 1660, 2500, 2560 and 2560G. The illustration below shows a typical SLB scenario, with Internet access to internal server...
  • Page 481: Slb Distribution Algorithms

    10.4.2. SLB Distribution Algorithms Chapter 10. Traffic Management Figure 10.9. A Server Load Balancing Configuration Additional Benefits of SLB Besides improving performance and scalability, SLB provides other benefits: • SLB increases the reliability of network applications by actively monitoring the servers sharing the load.
  • Page 482: Selecting Stickiness

    10.4.3. Selecting Stickiness Chapter 10. Traffic Management receiving over a certain time period. This time period is known as the Window Time. SLB sends the next request to the server that has received the least number of connections during the last Window Time number of seconds.
  • Page 483: Slb Algorithms And Stickiness

    10.4.4. SLB Algorithms and Stickiness Chapter 10. Traffic Management The consequence of a full table can be that stickiness will be lost for any discarded source IP addresses. The administrator should therefore try to ensure that the Max Slots parameter is set to a value that can accommodate the expected number of connections that require stickiness.
  • Page 484: Server Health Monitoring

    Regardless of the algorithms used, if a server is deemed to have failed, SLB will not open any more connections to it until the server is restored to full functionality. D-Link Server Load Balancing provides the following monitoring modes: ICMP Ping This works at OSI layer 3.
  • Page 485: Setting Up Slb_Sat Rules

    10.4.6. Setting Up SLB_SAT Rules Chapter 10. Traffic Management 10.4.6. Setting Up SLB_SAT Rules The key component in setting up SLB are IP rules that have SLB_SAT as the action. The steps that should be followed for setting up such rules are: Define an IP address object for each server for which SLB is to enabled.
  • Page 486 10.4.6. Setting Up SLB_SAT Rules Chapter 10. Traffic Management Web Interface A. Create an Object for each of the webservers: Go to Objects > Address Book > Add > IP Address Enter a suitable name, for example server1 Enter the IP Address as 192.168.1.10 Click OK Repeat the above to create an object called server2 for the 192.168.1.11 IP address B.
  • Page 487 10.4.6. Setting Up SLB_SAT Rules Chapter 10. Traffic Management Go to Rules > IP Rule Sets > main > Add > IP Rule Enter: • Name: Web_SLB_ALW • Action: Allow • Service: HTTP • Source Interface: any • Source Network: all-nets •...
  • Page 488 10.4.6. Setting Up SLB_SAT Rules Chapter 10. Traffic Management...
  • Page 489: High Availability

    Note: High Availability is only available on some NetDefend models The HA feature is only available on the D-Link NetDefend DFL-1600, 1660, 2500, 2560 and 2560G. The Master and Active Units When reading this section on HA, it should be kept in mind that the master unit in a cluster is not always the same as the active unit in a cluster.
  • Page 490 Load-sharing D-Link HA clusters do not provide load-sharing since only one unit will be active while the other is inactive and only two NetDefend Firewalls, the master and the slave, can exist in a single cluster. The only processing role that the inactive unit plays is to replicate the state of the active unit and to take over all traffic processing if it detects the active unit is not responding.
  • Page 491: Ha Mechanisms

    Basic Principles D-Link HA provides a redundant, state-synchronized hardware configuration. The state of the active unit, such as the connection table and other vital information, is continuously copied to the inactive unit via the sync interface. When cluster failover occurs, the inactive unit knows which connections are active, and traffic can continue to flow after the failover with negligible disruption.
  • Page 492 A database update causes the following sequence of events to occur in an HA cluster: The active (master) unit downloads the new database files from the D-Link servers. The download is done via the shared IP address of the cluster.
  • Page 493 11.2. HA Mechanisms Chapter 11. High Availability Should such a failure occur then the consequence is that both units will continue to function but they will lose their synchronization with each other. In other words, the inactive unit will no longer have a correct copy of the state of the active unit.
  • Page 494: Setting Up Ha

    11.3. Setting Up HA Chapter 11. High Availability 11.3. Setting Up HA This section provides a step-by-step guide for setting up an HA Cluster. 11.3.1. HA Hardware Setup The steps for the setup of hardware in an HA cluster are as follows: Start with two physically similar NetDefend Firewalls.
  • Page 495: Netdefendos Manual Ha Setup

    11.3.2. NetDefendOS Manual HA Chapter 11. High Availability Setup The illustration below shows the arrangement of typical HA Cluster connections in a network. All interfaces on the master unit would normally also have corresponding interfaces on the slave unit and these would be connected to the same networks. This is achieved by connecting the same interfaces on both master and slave via a separate switch (or broadcast domain) to other network portions.
  • Page 496: Verifying The Cluster Functions

    11.3.3. Verifying the Cluster Functions Chapter 11. High Availability Set the Cluster ID. This must be unique for each cluster. Choose the Sync Interface. Select the node type to be Master. Go to Objects > Address Book and create an IP4 HA Address object for each interface pair. Each must contain the master and slave interface IP addresses for the pair.
  • Page 497: Unique Shared Mac Addresses

    11.3.4. Unique Shared Mac Addresses Chapter 11. High Availability • If this is not the first cluster in a network then the Cluster ID must be changed for the cluster so that it is unique (the default value is 0). The Cluster ID determines that the MAC address for the cluster is unique.
  • Page 498: Ha Issues

    11.4. HA Issues Chapter 11. High Availability 11.4. HA Issues The following points should be kept in mind when managing and configuring an HA Cluster. All Cluster Interfaces Need IP Addresses All interfaces on both HA cluster units should have a valid private IP4 address object assigned to them.
  • Page 499 11.4. HA Issues Chapter 11. High Availability If OSPF is to work then there must be another designated router available in the same OSPF area as the cluster. Ideally, there will also be a second, backup designated router to provide OSPF metrics if the main designated router should fail.
  • Page 500: Upgrading An Ha Cluster

    11.5. Upgrading an HA Cluster Chapter 11. High Availability 11.5. Upgrading an HA Cluster The NetDefendOS software versions running on the master and slave in an HA cluster should be the same. When a new NetDefendOS version becomes available and is to be installed on both units, the upgrade is done one unit at a time.
  • Page 501 11.5. Upgrading an HA Cluster Chapter 11. High Availability console and issue the ha -deactivate command. This will cause the active unit to become inactive, and the inactive to become active. gw-world:/> ha -deactivate HA Was: ACTIVE HA going INACTIVE... To check that the failover has completed successfully, an ha command can be issued again and the text "INACTIVE"...
  • Page 502: Ha Advanced Settings

    11.6. HA Advanced Settings Chapter 11. High Availability 11.6. HA Advanced Settings The following NetDefendOS advanced settings are available for High Availability: Sync Buffer Size How much sync data, in Kbytes, to buffer while waiting for acknowledgments from the cluster peer. Default: 1024 Sync Packet Max Burst The maximum number of state sync packets to send in a burst.
  • Page 503 11.6. HA Advanced Settings Chapter 11. High Availability...
  • Page 504: Zonedefense

    Web or Command Line interface. Note: ZoneDefense is not available on all NetDefend models The ZoneDefense feature is only available on the D-Link NetDefend DFL-800, 860, 860E, 1600, 1660, 2500, 2560 and 2560G.
  • Page 505: Zonedefense Switches

    12.2. ZoneDefense Switches Chapter 12. ZoneDefense 12.2. ZoneDefense Switches Switch information regarding every switch that is to be controlled by the firewall has to be manually specified in the firewall configuration. The information needed in order to control a switch includes: •...
  • Page 506: Zonedefense Operation

    Managed devices The managed devices must be SNMP compliant, as are D-Link switches. They store state data in databases known as the Management Information Base (MIB) and provide the information to the manager upon receiving an SNMP query.
  • Page 507: A Simple Zonedefense Scenario

    (in network range 192.168.2.0/24 for example) from accessing the switch completely. A D-Link switch model DES-3226S is used in this case, with a management interface address 192.168.1.250 connecting to the firewall's interface address 192.168.1.1. This firewall interface is added into the exclude list to prevent the firewall from being accidentally locked out from accessing the switch.
  • Page 508: Zonedefense With Anti-Virus Scanning

    12.3.4. ZoneDefense with Anti-Virus Chapter 12. ZoneDefense Scanning For Addresses choose the object name of the firewall's interface address 192.168.1.1 from the Available list and put it into the Selected list. Click OK Configure an HTTP threshold of 10 connections/second: Go to Traffic Management >...
  • Page 509 12.3.5. Limitations Chapter 12. ZoneDefense of latency time to implement blocking once the rule is triggered. Some models can activate blocking in less than a second while some models may require a minute or more. A second difference is the maximum number of rules supported by different switches. Some switches support a maximum of 50 rules while others support up to 800 (usually, in order to block a host or network, one rule per switch port is needed).
  • Page 510 12.3.5. Limitations Chapter 12. ZoneDefense...
  • Page 511: Advanced Settings

    Chapter 13. Advanced Settings This chapter describes the additional configurable advanced settings for NetDefendOS that are not already described in the manual. In the Web Interface these settings are found under System > Advanced Settings. The settings are divided up into the following categories: Note: Activating setting changes After any advanced setting is changed, the new NetDefendOS configuration must be activated in order for the new value to take effect.
  • Page 512 13.1. IP Level Settings Chapter 13. Advanced Settings Block 0000 Src Block 0.0.0.0 as source address. Default: Drop Block 0 Net Block 0.* as source addresses. Default: DropLog Block 127 Net Block 127.* as source addresses. Default: DropLog Block Multicast Src Block multicast both source addresses (224.0.0.0 - 255.255.255.255).
  • Page 513 13.1. IP Level Settings Chapter 13. Advanced Settings Default: ValidateLogBad SecuRemoteUDP Compatibility Allow IP data to contain eight bytes more than the UDP total length field specifies. Checkpoint SecuRemote violates NAT-T drafts. Default: Disabled IP Option Sizes Verifies the size of "IP options". These options are small blocks of information that may be added to the end of each IP header.
  • Page 514 13.1. IP Level Settings Chapter 13. Advanced Settings IP Reserved Flag Indicates what NetDefendOS will do if there is data in the "reserved" fields of IP headers. In normal circumstances, these fields should read 0. Used by OS Fingerprinting. Default: DropLog Strip DontFragment Strip the Don't Fragment flag for packets equal to or smaller than the size specified by this setting.
  • Page 515: Tcp Level Settings

    13.2. TCP Level Settings Chapter 13. Advanced Settings 13.2. TCP Level Settings TCP Option Sizes Verifies the size of TCP options. This function acts in the same way as IPOptionSizes described above. Default: ValidateLogBad TCP MSS Min Determines the minimum permissible size of the TCP MSS. Packets containing maximum segment sizes below this limit are handled according to the next setting.
  • Page 516 13.2. TCP Level Settings Chapter 13. Advanced Settings TCP Auto Clamping Automatically clamp TCP MSS according to MTU of involved interfaces, in addition to TCPMSSMax. Default: Enabled TCP Zero Unused ACK Determines whether NetDefendOS should set the ACK sequence number field in TCP packets to zero if it is not used.
  • Page 517 13.2. TCP Level Settings Chapter 13. Advanced Settings initially intended to be used in negotiating for the use of better checksums in TCP. However, these are not understood by any today's standard systems. As NetDefendOS cannot understand checksum algorithms other than the standard algorithm, these options can never be accepted. The ALTCHKREQ option is normally never seen on modern networks.
  • Page 518 13.2. TCP Level Settings Chapter 13. Advanced Settings TCP SYN/FIN The TCP FIN flag together with SYN; normally invalid (strip=strip FIN). Default: DropLog TCP FIN/URG Specifies how NetDefendOS will deal with TCP packets with both FIN (Finish, close connection) and URG flags turned on. This should normally never occur, as it is not usually attempted to close a connection at the same time as sending "important"...
  • Page 519 13.2. TCP Level Settings Chapter 13. Advanced Settings TCP sequence number validation is only possible on connections tracked by the state-engine (not on packets forwarded using a FwdFast rule). Possible values are: Ignore - Do not validate. Means that sequence number validation is completely turned off. ValidateSilent - Validate and pass on.
  • Page 520: Icmp Level Settings

    13.3. ICMP Level Settings Chapter 13. Advanced Settings 13.3. ICMP Level Settings ICMP Sends Per Sec Limit Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section.
  • Page 521: State Settings

    13.4. State Settings Chapter 13. Advanced Settings 13.4. State Settings Connection Replace Allows new additions to the NetDefendOS connection list to replace the oldest connections if there is no available space. Default: ReplaceLog Log Open Fails In some instances where the Rules section determines that a packet should be allowed through, the stateful inspection mechanism may subsequently decide that the packet cannot open a new connection.
  • Page 522 13.4. State Settings Chapter 13. Advanced Settings Default: Log Log Connection Usage This generates a log message for every packet that passes through a connection that is set up in the NetDefendOS state-engine. Traffic whose destination is the NetDefend Firewall itself, for example NetDefendOS management traffic, is not subject to this setting.
  • Page 523: Connection Timeout Settings

    13.5. Connection Timeout Settings Chapter 13. Advanced Settings 13.5. Connection Timeout Settings The settings in this section specify how long a connection can remain idle, that is to say with no data being sent through it, before it is automatically closed. Please note that each connection has two timeout values: one for each direction.
  • Page 524 13.5. Connection Timeout Settings Chapter 13. Advanced Settings Other Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before it is closed. Default: 130...
  • Page 525: Length Limit Settings

    13.6. Length Limit Settings Chapter 13. Advanced Settings 13.6. Length Limit Settings This section contains information about the size limits imposed on the protocols directly under IP level, such as TCP, UDP and ICMP. The values specified here concern the IP data contained in packets. In the case of Ethernet, a single packet can contain up to 1480 bytes of IP data without fragmentation.
  • Page 526 13.6. Length Limit Settings Chapter 13. Advanced Settings Specifies in bytes the maximum size of an AH packet. AH, Authentication Header, is used by IPsec where only authentication is applied. This value should be set at the size of the largest packet allowed to pass through the VPN connections, regardless of its original protocol, plus approx.
  • Page 527: Fragmentation Settings

    13.7. Fragmentation Settings Chapter 13. Advanced Settings 13.7. Fragmentation Settings IP is able to transport up to 65536 bytes of data. However, most media, such as Ethernet, cannot carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate packets, each one given their own IP header and information that will help the recipient reassemble the original packet correctly.
  • Page 528 13.7. Fragmentation Settings Chapter 13. Advanced Settings Default: Check8 – compare 8 random locations, a total of 32 bytes Failed Fragment Reassembly Reassemblies may fail due to one of the following causes: • Some of the fragments did not arrive within the time stipulated by the ReassTimeout or ReassTimeLimit settings.
  • Page 529 13.7. Fragmentation Settings Chapter 13. Advanced Settings • NoLog - No logging is carried out under normal circumstances. • LogSuspect - Logs duplicated fragments if the reassembly procedure has been affected by "suspect" fragments. • LogAll - Always logs duplicated fragments. Default: LogSuspect Fragmented ICMP Other than ICMP ECHO (Ping), ICMP messages should not normally be fragmented as they contain...
  • Page 530 13.7. Fragmentation Settings Chapter 13. Advanced Settings Reassembly Illegal Limit Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving. Default: 60...
  • Page 531: Local Fragment Reassembly Settings

    13.8. Local Fragment Reassembly Chapter 13. Advanced Settings Settings 13.8. Local Fragment Reassembly Settings Max Concurrent Maximum number of concurrent local reassemblies. Default: 256 Max Size Maximum size of a locally reassembled packet. Default: 10000 Large Buffers Number of large ( over 2K) local reassembly buffers (of the above size). Default: 32...
  • Page 532: Miscellaneous Settings

    13.9. Miscellaneous Settings Chapter 13. Advanced Settings 13.9. Miscellaneous Settings UDP Source Port 0 How to treat UDP packets with source port 0. Default: DropLog Port 0 How to treat TCP/UDP packets with destination port 0 and TCP packets with source port 0. Default: DropLog Watchdog Time Number of non-responsive seconds before watchdog is triggered (0=disable).
  • Page 533 13.9. Miscellaneous Settings Chapter 13. Advanced Settings...
  • Page 534: Subscribing To Updates

    Dynamic Web Content Filtering module all function using external D-Link databases which contain details of the latest viruses, security threats and URL categorization. These databases are constantly being updated and to get access to the latest updates a D-Link Security Update Subscription should be taken out. This is done by: •...
  • Page 535 To get the status of AV updates: gw-world:/> updatecenter -status Antivirus Querying Server Status To get the status of the D-Link network servers use the command: gw-world:/> updatecenter -servers Deleting Local Databases Some technical problem in the operation of either IDP or the Anti-Virus modules may be resolved by deleting the database and reloading.
  • Page 536: Idp Signature Groups

    For IDP scanning, the following signature groups are available for selection. These groups are only available for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Policy. For further information see Section 6.5, “Intrusion Detection and Prevention”.
  • Page 537 Appendix B. IDP Signature Groups Group Name Intrusion Type FTP_FORMATSTRING Format string attack FTP_GENERAL FTP protocol and implementation FTP_LOGIN Login attacks FTP_OVERFLOW FTP buffer overflow GAME_BOMBERCLONE Bomberclone game GAME_GENERAL Generic game servers/clients GAME_UNREAL UnReal Game server HTTP_APACHE Apache httpd HTTP_BADBLUE Badblue web server HTTP_CGI HTTP CGI...
  • Page 538 Appendix B. IDP Signature Groups Group Name Intrusion Type POP3_DOS Denial of Service for POP POP3_GENERAL Post Office Protocol v3 POP3_LOGIN-ATTACKS Password guessing and related login attack POP3_OVERFLOW POP3 server overflow POP3_REQUEST-ERRORS Request Error PORTMAPPER_GENERAL PortMapper PRINT_GENERAL LP printing server: LPR LPD PRINT_OVERFLOW Overflow of LPR/LPD protocol/implementation REMOTEACCESS_GOTOMYPC...
  • Page 539 Appendix B. IDP Signature Groups Group Name Intrusion Type TFTP_OPERATION Operation Attack TFTP_OVERFLOW TFTP buffer overflow attack TFTP_REPLY TFTP Reply attack TFTP_REQUEST TFTP request attack TROJAN_GENERAL Trojan UDP_GENERAL General UDP UDP_POPUP Pop-up window for MS Windows UPNP_GENERAL UPNP VERSION_CVS VERSION_SVN Subversion VIRUS_GENERAL Virus...
  • Page 540: Verified Mime Filetypes

    Appendix C. Verified MIME filetypes Some NetDefendOS Application Layer Gateways (ALGs) have the optional ability to verify that the contents of a downloaded file matches the type that the filetype in the filename indicates. The filetypes for which MIME verification can be done are listed in this appendix and the ALGs to which this applies are: •...
  • Page 541 Appendix C. Verified MIME filetypes Filetype extension Application Windows Control Panel Extension file Database file Graphics Multipage PCX Bitmap file Debian Linux Package file djvu DjVu file Windows dynamic link library file DPA archive data TeX Device Independent Document EET archive Allegro datafile eMacs Lisp Byte-compiled Source Code ABT EMD Module/Song Format file...
  • Page 542 Appendix C. Verified MIME filetypes Filetype extension Application MPEG-1 Video file Microsoft files Microsoft office files, and other Microsoft files Atari MSA archive data niff, nif Navy Interchange file Format Bitmap Nancy Video CODEC NES Sound file obj, o Windows object file, linux object file Object Linking and Embedding (OLE) Control Extension Ogg Vorbis Codec compressed WAV file Linux executable...
  • Page 543 Appendix C. Verified MIME filetypes Filetype extension Application TeX font metric data tiff, tif Tagged Image Format file tnef Transport Neutral Encapsulation Format torrent BitTorrent Metainfo file TrueType Font Yamaha TX Wave audio files UFA archive data Vcard file VivoActive Player Streaming Video file Waveform Audio Lotus 1-2-3 document Windows Media file...
  • Page 544: The Osi Framework

    Appendix D. The OSI Framework Overview The Open Systems Interconnection Model defines a framework for inter-computer communications. It categorizes different protocols for a great variety of network applications into seven smaller, more manageable layers. The model describes how data from an application in one computer can be transferred through a network medium to an application on another computer.
  • Page 545: Alphabetical Index

    Allow TCP Reopen setting, 519 amplification attacks, 334 Alphabetical Index anonymizing internet traffic, 344 anti-spam filtering (see spam filtering) anti-virus scanning, 314 activating, 315 access rules, 242 database, 316 accounting, 62 fail mode behaviour, 316 interim messages, 64 in the FTP ALG, 252 limitations with NAT, 65 in the HTTP ALG, 247 messages, 62...
  • Page 546 Alphabetical Index banner files validation, 44 in user authentication, 379 variables, 43 in web content filtering, 312 verbose output, 44 blacklisting cluster (see high availability) hosts and networks, 337 cluster ID (see high availability) threshold rules, 478 command line interface (see CLI) URLs, 298 config mode, 418 wildcarding, 298...
  • Page 547 Alphabetical Index pcapdump, 72 Fragmented ICMP setting, 529 diffie-hellman (see DH Groups) FTP ALG, 249 diffserv, 451 command restrictions, 251 Directed Broadcasts setting, 513 connection restriction options, 251 distance vector algorithms, 176 control channel restrictions, 252 DMZ, 349 filetype checking, 252 DNS, 144 hybrid mode, 250 dynamic lookup, 144...
  • Page 548 Alphabetical Index HTTP URI normalization in IDP, 323 IP Option Sizes setting, 513 IP Options Other setting, 513 IP Option Source/Return setting, 513 IP Options Timestamps setting, 513 ICMP Sends Per Sec Limit setting, 520 IP pools, 238 ICMP Unreachable message, 125 with config mode, 418 IDENT and IP rules, 125 IP Reserved Flag setting, 513...
  • Page 549 Alphabetical Index advanced settings, 61 address translation, 202 memlog, 58 forwarding, 200 SNMP traps, 60 IGMP, 204 syslog, 58 reverse path forwarding, 199 login authentication, 372 Multicast Enet Sender setting, 225 log messages, 57 Multicast Mismatch setting, 514 Log non IP4 setting, 511 Multicast TTL on Low setting, 512 Log Open Fails setting, 521 multiple login authentication, 372...
  • Page 550 Alphabetical Index port forwarding (see SAT) monitoring, 156 port mirroring (see pcapdump) narrowest matching principle, 150 PPP authentication with LDAP, 370 principles, 148 PPPoE, 105 routes added at startup, 154 client configuration, 105 static, 148 unnumbered support, 106 the all-nets route, 155 with HA, 106 PPTP, 431 advanced settings, 436...
  • Page 551 Alphabetical Index log receiver with IDP, 328 TCP Option WSOPT setting, 516 whitelist precedence, 260 TCP Reserved Field setting, 518 SNMP TCP Sequence Numbers setting, 518 advanced settings, 70 TCP SYN/FIN setting, 517 community string, 69 TCP SYN/PSH setting, 517 MIB, 69 TCP SYN/RST setting, 517 monitoring, 69...
  • Page 552 Alphabetical Index Validation Timeout setting, 50 virtual LAN (see VLAN) virtual private networks (see VPN) VLAN, 101 advanced settings, 104 license limitations, 103 port based, 102 trunk, 102 voice over IP with H.323, 280 with SIP, 270 VoIP (see voice over IP) VPN, 383 planning, 384 quick start guide, 387...