Page 1

Network Security Firewall User Manual DFL-210/ 800/1600/ 2500 DFL-260/ 860 curity curity Ver. 1.08 Network Security Solution http://www.dlink.com...
Page 2: User Manual

User Manual DFL-210/260/800/860/1600/2500 NetDefendOS version 2.25.01 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2009-05-26 Copyright © 2009...
Page 3

D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE...
Page 4: Table Of Contents

Table of Contents Preface .......................12 1. NetDefendOS Overview ..................14 1.1. Features ....................14 1.2. NetDefendOS Architecture ..............17 1.2.1. State-based Architecture ...............17 1.2.2. NetDefendOS Building Blocks ............17 1.2.3. Basic Packet Flow ................18 1.3. NetDefendOS State Engine Packet Flow .............20 2. Management and Maintenance ................25 2.1.
Page 5: Table Of Contents

User Manual 3.3.1. Overview ...................80 3.3.2. Ethernet Interfaces ...............81 3.3.3. VLAN ..................85 3.3.4. PPPoE ..................87 3.3.5. GRE Tunnels ................89 3.3.6. Interface Groups ................92 3.4. ARP ....................94 3.4.1. Overview ...................94 3.4.2. ARP in NetDefendOS ..............94 3.4.3. ARP Cache .................94 3.4.4. Static and Published ARP Entries ............96 3.4.5.
Page 6: Table Of Contents

6.4.2. Implementation ................. 259 6.4.3. Activating Anti-Virus Scanning ............ 260 6.4.4. The Signature Database .............. 260 6.4.5. Subscribing to the D-Link Anti-Virus Service ......... 261 6.4.6. Anti-Virus Options ..............261 6.5. Intrusion Detection and Prevention ............265 6.5.1. Overview ................. 265 6.5.2.
Page 7: Table Of Contents

User Manual 7.3.7. SAT and FwdFast Rules .............. 298 8. User Authentication ..................302 8.1. Overview .................... 302 8.2. Authentication Setup ................304 8.2.1. Setup Summary ................. 304 8.2.2. The Local Database ..............304 8.2.3. External RADIUS Servers ............304 8.2.4.
Page 8: Table Of Contents

13.9. Miscellaneous Settings ................ 448 A. Subscribing to Security Updates ................ 450 B. IDP Signature Groups ..................452 C. Verified MIME filetypes ................. 456 D. The OSI Framework ..................460 E. D-Link Worldwide Offices ................461 Alphabetical Index ..................... 463...
Page 9: Table Of Contents

List of Figures 1.1. Packet Flow Schematic Part I ................20 1.2. Packet Flow Schematic Part II ................21 1.3. Packet Flow Schematic Part III .................22 1.4. Expanded Apply Rules Logic ................23 3.1. Simplified NetDefendOS Traffic Flow ............. 102 4.1. Using Local IP Address with an Unbound Network ..........126 4.2.
Page 10: Table Of Contents

3.25. Manually Triggering a Time Synchronization ..........116 3.26. Modifying the Maximum Adjustment Value ............ 116 3.27. Forcing Time Synchronization ..............116 3.28. Enabling the D-Link NTP Server ..............117 3.29. Configuring DNS Servers ................119 4.1. Displaying the Routing Table ................. 128 4.2.
Page 11: Table Of Contents

6.7. Using Private IP Addresses ................232 6.8. H.323 with Gatekeeper .................. 233 6.9. H.323 with Gatekeeper and two D-Link Firewalls ..........235 6.10. Using the H.323 ALG in a Corporate Environment ........... 236 6.11. Configuring remote offices for H.323 ............. 238 6.12.
Page 12: Preface, Example Notation

The target audience for this reference guide is Administrators who are responsible for configuring and managing D-Link Firewalls which are running the NetDefendOS operating system. This guide assumes that the reader has some basic knowledge of networks and network security.
Page 13

Preface items in the tree-view list at the left of the interface or in the menu bar or in a context menu need to be opened followed by information about the data items that need to be entered: Go to Item X > Item Y > Item Z Now enter: •...
Page 14: Netdefendos Overview, Features

• NetDefendOS Architecture, page 17 • NetDefendOS State Engine Packet Flow, page 20 1.1. Features D-Link NetDefendOS is the base software engine that drives and controls an advanced range of D-Link Firewall products. NetDefendOS as a Network Operating System Designed as a network security operating system, NetDefendOS features high throughput performance with high reliability plus super-granular control.
Page 15

“The TLS ALG”. Anti-Virus Scanning NetDefendOS features integrated anti-virus functionality. Traffic passing through the D-Link Firewall can be subjected to in-depth scanning for viruses, and virus sending hosts can be black-listed and blocked. For details of this feature, seeSection 6.4, “Anti-Virus Scanning”.
Page 16

Note High Availability, Anti-Virus, Web Content Filtering, Server Load Balancing, Threshold Rules and ZoneDefense are not available with some D-Link firewall models that run NetDefendOS. The relevant model numbers are specified in the specific chapter that relates to each of those features.
Page 17: Netdefendos Architecture, State-based Architecture, Netdefendos Building Blocks

1.2. NetDefendOS Architecture Chapter 1. NetDefendOS Overview 1.2. NetDefendOS Architecture 1.2.1. State-based Architecture The NetDefendOS architecture is centered around the concept of state-based connections. Traditional IP routers or switches commonly inspect all packets and then perform forwarding decisions based on information found in the packet headers. With this approach, packets are forwarded without any sense of context which eliminates any possibility to detect and analyze complex protocols and enforce corresponding security policies.
Page 18: Basic Packet Flow

1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview NetDefendOS Rule Sets Finally, rules which are defined by the administrator in the various rule sets are used for actually implementing NetDefendOS security policies. The most fundamental set of rules are the IP Rules, which are used to define the layer 3 IP filtering policy as well as carrying out address translation and server load balancing.
Page 19

1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview • TCP/UDP ports • ICMP types • Point in time in reference to a pre-defined schedule If a match cannot be found, the packet is dropped. If a rule is found that matches the new connection, the Action parameter of the rule decides what NetDefendOS should do with the connection.
Page 20: Netdefendos State Engine Packet Flow, Packet Flow Schematic Part I

1.3. NetDefendOS State Engine Packet Chapter 1. NetDefendOS Overview Flow 1.3. NetDefendOS State Engine Packet Flow The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next. Figure 1.1.
Page 21: Packet Flow Schematic Part Ii

1.3. NetDefendOS State Engine Packet Chapter 1. NetDefendOS Overview Flow Figure 1.2. Packet Flow Schematic Part II The packet flow is continued on the following page.
Page 22: Packet Flow Schematic Part Iii

1.3. NetDefendOS State Engine Packet Chapter 1. NetDefendOS Overview Flow Figure 1.3. Packet Flow Schematic Part III...
Page 23: Expanded Apply Rules Logic

1.3. NetDefendOS State Engine Packet Chapter 1. NetDefendOS Overview Flow Apply Rules The figure below presents the detailed logic of the Apply Rules function in Figure 1.2, “Packet Flow Schematic Part II” above. Figure 1.4. Expanded Apply Rules Logic...
Page 24

1.3. NetDefendOS State Engine Packet Chapter 1. NetDefendOS Overview Flow...
Page 25: Management And Maintenance, Managing Netdefendos, Overview

SCP is a complement to CLI usage and provides a secure means of file transfer between the administrator's workstation and the D-Link Firewall. Various files used by NetDefendOS can be both uploaded and downloaded with SCP.
Page 26: The Default Administrator Account, The Web Interface

IPsec tunnel. By default, Web Interface access is enabled for users on the network connected via the LAN interface of the D-Link firewall (on products where more than one LAN interface is available, LAN1 is the default interface).
Page 27

Chapter 2. Management and Maintenance Setting the Workstation IP The assigned D-Link Firewall interface and the workstation interface must be on the same IP network for inital communication between them to succeed so the static IP address of the workstation must be set to the following values: •...
Page 28

2.1.3. The Web Interface Chapter 2. Management and Maintenance It may occasionally be the case that a NetDefendOS upgrade might contain features that temporarily lack a complete non-english translation because of time constraints. In this case the original english will be used as a temporary solution. The Web Browser Interface On the left hand side of the WebUI is a tree which allows navigation to the various NetDefendOS modules.
Page 29: Enabling Remote Management Via Https

2.1.3. The Web Interface Chapter 2. Management and Maintenance • View Changes - List the changes made to the configuration since it was last saved. • Tools - Contains a number of tools that are useful for maintaining the system. •...
Page 30: The Cli

This section only provides a summary for using the CLI. For a complete reference for all CLI commands, see the separate D-Link CLI Reference Guide. The most often used CLI commands are: •...
Page 31

2.1.4. The CLI Chapter 2. Management and Maintenance gw-world:/> show Address IP4Address my_address The second part of the command specifies the object type and is necessary to identify what category of object the object name refers to (consider that the same name might exist in two different categories).
Page 32

2.1.4. The CLI Chapter 2. Management and Maintenance In a similar way, the "<" character before a tab can be used to automatically fill in the default value for a parameter if no value has yet been set. For example: add LogReceiverSyslog example Address=example_ip LogSeverity=<...
Page 33

2.1.4. The CLI Chapter 2. Management and Maintenance gw-world:/> The categories that require an initial cc command before object manipulation have a "/" character following their names when displayed by a show command. For example: RoutingTable/. Specifying Multiple Property Values Sometimes a command property may need multiple values.
Page 34: Enabling Ssh Remote Access

NetDefendOS for hostnames to be translated to IP addresses. Serial Console CLI Access The serial console port is a local RS-232 port on the D-Link Firewall that allows direct access to the NetDefendOS CLI through a serial connection to a PC or dumb terminal. To locate the serial console port on your D-Link hardware, see the D-Link Quick Start Guide .
Page 35

.. Changing the CLI Prompt The default CLI prompt is: gw-world:/> where Device is the model number of the D-Link Firewall. This can be customized, for example, to my-prompt:/>, by using the CLI command: gw-world:/> set device name="my-prompt"...
Page 36: Cli Scripts

To allow the administrator to easily store and execute sets of CLI commands, NetDefendOS provides a feature called CLI scripting. A CLI script is a predefined sequence of CLI commands which can be executed after they are saved to a file and the file is then uploaded to the D-Link Firewall.
Page 37

Executing Scripts As mentioned above, the script -execute command launches a named script file that has been previously uploaded to the D-Link Firewall. For example, to execute the script file my_script.sgs which has already been uploaded, the CLI command would be: gw-world:/>...
Page 38

-execute -name=my_script2.sgs -verbose Saving Scripts When a script file is uploaded to the D-Link Firewall, it is initially kept only in temporary RAM memory. If NetDefendOS restarts then any uploaded scripts will be lost from this volatile memory and must be uploaded again to run.
Page 39: Secure Copy

The file new_script_sgs can then be downloaded with SCP to the local management workstation and then uploaded and executed on the other D-Link Firewalls. The end result is that all units will have the same IP4Address objects in their address book.
Page 40

> scp <local_filename> <destination_gateway> Download is done with the command: > scp <source_gateway> <local_filename> source destination D-Link Firewall form: <user_name>@<gateway_ip_address>:<filepath>. For example: admin@10.62.11.10:config.bak. The <user_name> must be a defined NetDefendOS user in the administrator user group. Note on the password prompt SCP will normally prompt for the user password after the command line but that prompt is not shown in the examples that follow.
Page 41: The Console Boot Menu

(all files do not have a header). If an administrator username is admin1 and the IP address of the D-Link Firewall is 10.5.62.11 then to upload a configuration backup, the SCP command would be: >...
Page 42

The boot menu is only accessible through a console device attached directly to the serial console located on the D-Link Firewall. It can be accessed through the console after the D-Link Firewall is powered up and before NetDefendOS is fully started.
Page 43: Management Advanced Settings

2.1.8. Management Advanced Settings Chapter 2. Management and Maintenance Initial Options with a Console Password Set If a console password is set then the initial options that appear when NetDefendOS loading is interrupted with a key press are shown below. The 1.
Page 44: Working With Configurations, Listing Configuration Objects

2.1.9. Working with Configurations Chapter 2. Management and Maintenance Default: 30 WebUI HTTP port Specifies the HTTP port for the Web Interface. Default: 80 WebUI HTTPS port Specifies the HTTP(S) port for the Web Interface. Default: 443 HTTPS Certificate Specifies which certificate to use for HTTPS traffic. Only RSA certificates are supported. Default: HTTPS 2.1.9.
Page 45: Displaying A Configuration Object, Editing A Configuration Object

2.1.9. Working with Configurations Chapter 2. Management and Maintenance A web page listing all services will be presented. A list contains the following basic elements: • Add Button - Displays a dropdown menu when clicked. The menu will list all types of configuration items that can be added to the list.
Page 46: Adding A Configuration Object

2.1.9. Working with Configurations Chapter 2. Management and Maintenance gw-world:/> set Service ServiceTCPUDP telnet Comments="Modified Comment" Show the object again to verify the new property value: gw-world:/> show Service ServiceTCPUDP telnet Property Value ----------------- ------- Name: telnet DestinationPorts: Type: SourcePorts: 0-65535 SYNRelay: PassICMPReturn:...
Page 47: Deleting A Configuration Object, Undeleting A Configuration Object, Listing Modified Configuration Objects

2.1.9. Working with Configurations Chapter 2. Management and Maintenance Enter 192.168.10.10 in the IP Address textbox Click OK Verify that the new IP4 address object has been added to the list Example 2.7. Deleting a Configuration Object This example shows how to delete the newly added IP4Address object. gw-world:/>...
Page 48: Activating And Committing A Configuration

2.1.9. Working with Configurations Chapter 2. Management and Maintenance ServiceTCPUDP telnet A "+" character in front of the row indicates that the object has been added. A "*" character indicates that the object has been modified. A "-" character indicates that the object has been marked for deletion. Web Interface Go to Configuration >...
Page 49: Events And Logging, Overview, Event Messages, Event Message Distribution

2.2. Events and Logging Chapter 2. Management and Maintenance 2.2. Events and Logging 2.2.1. Overview The ability to log and analyze system activities is an essential feature of NetDefendOS. Logging enables not only monitoring of system status and health, but also allows auditing of network usage and assists in trouble-shooting.
Page 50: Enable Logging To A Syslog Host

2.2.3.1. Logging to Memlog Memlog is an optional NetDefendOS feature that allows logging direct to memory in the D-Link Firewall instead of sending messages to an external server. Memlog messages can be examined through the standard user interfaces.
Page 51: Snmp Traps

The file DFLNNN-TRAP.MIB (where NNN indicates the model number of the firewall) is provided by D-Link and defines the SNMP objects and data types that are used to describe an SNMP Trap received from NetDefendOS.
Page 52: Advanced Log Settings, Sending Snmp Traps To An Snmp Trap Receiver

2.2.4. Advanced Log Settings Chapter 2. Management and Maintenance • Category - What NetDefendOS subsystem is reporting the problem • ID - Unique identification within the category • Description - A short textual description • Action - What action is NetDefendOS taking This information can be cross-referenced to the Log Reference Guide.
Page 53

2.2.4. Advanced Log Settings Chapter 2. Management and Maintenance The delay in seconds between alarms when a continuous alarm is used. Minimum 0, Maximum 10,000. Default: 60 (one minute)
Page 54: Radius Accounting, Overview, Radius Accounting Messages

RADIUS sessions. All statistics are updated for an authenticated user whenever a connection related to an authenticated user is closed. When a new client session is started by a user establishing a new connection through the D-Link Firewall, NetDefendOS sends an AccountingRequest START message to a nominated RADIUS server, to record the start of the new session.
Page 55

User Name - The user name of the authenticated user. • NAS IP Address - The IP address of the D-Link Firewall. • NAS Port - The port on the NAS on which the user was authenticated. (This is a physical port and not a TCP or UDP port).
Page 56: Interim Accounting Messages, Activating Radius Accounting, Radius Accounting Security, Radius Accounting And High Availability

Messages are sent using the UDP protocol and the default port number used is 1813 although this is user configurable. 2.3.6. RADIUS Accounting and High Availability In an HA cluster, accounting information is synchronized between the active and passive D-Link Firewalls. This means that accounting information is automatically updated on both cluster members...
Page 57: Handling Unresponsive Servers, Accounting And System Shutdowns, Limitations With Nat, Radius Advanced Settings

This situation should be avoided. In the case that the D-Link Firewall administrator issues a shutdown command while authenticated users are still online, the AccountingRequest STOP packet will potentially never be sent. To avoid...
Page 58: Radius Accounting Server Setup

Default: Enabled Logout at shutdown If there is an orderly shutdown of the D-Link Firewall by the administrator, then NetDefendOS will delay the shutdown until it has sent RADIUS accounting STOP messages to any configured RADIUS server.
Page 59: Snmp Monitoring

2.4. SNMP Monitoring Chapter 2. Management and Maintenance 2.4. SNMP Monitoring Overview Simple Network Management Protocol (SNMP) is a standardized protocol for management of network devices. An SNMP compliant client can connect to a network device which supports the SNMP protocol to query and control it. NetDefendOS supports SNMP version 1 and version 2.
Page 60: Snmp Advanced Settings, Enabling Snmp Monitoring

2.4.1. SNMP Advanced Settings Chapter 2. Management and Maintenance SNMP access. Port 161 is usually used for SNMP and NetDefendOS always expects SNMP traffic on that port. Remote Access Encryption It should be noted that SNMP Version 1 or 2c access means that the community string will be sent as plain text over a network.
Page 61

2.4.1. SNMP Advanced Settings Chapter 2. Management and Maintenance Default: Enabled SNMP Request Limit Maximum number of SNMP requests that will be processed each second by NetDefendOS. Should SNMP requests exceed this rate then the excess requests will be ignored by NetDefendOS. Default: 100 System Contact The contact person for the managed node.
Page 62: The Pcapdump Command

> pcapdump -cleanup Re-using Capture Files Since the only way to delete files from the D-Link Firewall is through the serial console, the recommendation is to always use the same filename when using the pcapdump -write option. Each new write operation will then overwrite the old file.
Page 63

As shown in one of the examples above, the -write option of pcapdump can save buffered packet information to a file on the D-Link Firewall. These output files are placed into the NetDefendOS root directory and the file name is specified in the pcapdump command line, usually with a filetype of .cap.
Page 64

2.5. The pcapdump Command Chapter 2. Management and Maintenance Combining Filters It is possible to use several of these filter expressions together in order to further refine the packets that are of interest. For example we might want to examine the packets going to a particular destination port at a particular destination IP address.
Page 65: Maintenance, Auto-update Mechanism, Creating Backup Files

NetDefendOS software. This is useful if both the configuration is to be changed and the NetDefendOS version upgraded. Backup files can be created both by downloading the files directly from the D-Link Firewall using SCP (Secure Copy) or alternatively using the WebUI. It cannot be done though the CLI.
Page 66: Configuration Backup And Restore, Backing Up The Entire System

November 21st, 2008. To restore a backup file, the administrator should upload the file to the D-Link Firewall. The name of the file does not need to be changed in any way and can retain the date since NetDefendOS will read a header in the file to determine what it is.
Page 67: Restore To Factory Defaults, Complete Hardware Reset To Factory Defaults

Reset alternative for the DFL-210/260/800/860 only To reset the DFL-210/260/800/860 you must hold down the reset button at the rear panel for 10-15 seconds while powering on the unit. After that, release the reset button and the unit will continue to load and startup in default mode as though it were brand new.
Page 68

The restore to factory defaults option should also be used as part of the end of life procedure when a D-Link Firewall is taken out of operation and will no longer be used. As part of the decommissioning procedure, a restore to factory defaults should always be run in order to remove all sensitive information such as VPN settings.
Page 69

2.6.4. Restore to Factory Defaults Chapter 2. Management and Maintenance...
Page 70: Fundamentals, The Address Book, Overview, Ip Addresses

Chapter 3. Fundamentals This chapter describes the fundamental logical objects upon which NetDefendOS is built. These objects include such items as addresses, services and schedules. In addition, the chapter explains how the various supported interfaces work, it outlines how security policies are constructed and how basic system settings are configured.
Page 71: Adding An Ip Host, Adding An Ip Network, Adding An Ip Range

3.1.2. IP Addresses Chapter 3. Fundamentals The numbers 0-32 correspond to the number of binary ones in the netmask. For example: 192.168.0.0/24. IP Range A range of IP addresses is represented on the form a.b.c.d - e.f.g.h. Note that ranges are not limited to netmask boundaries. They may include any span of IP addresses.
Page 72: Ethernet Addresses, Deleting An Address Object, Adding An Ethernet Address

In other words, it will appear that the object has been successfully deleted but NetDefendOS will not allow the configuration to be saved to the D-Link Firewall. 3.1.3. Ethernet Addresses Ethernet Address objects are used to define symbolic names for Ethernet addresses (also known as MAC addresses).
Page 73: Address Groups, Auto-generated Address Objects

3.1.4. Address Groups Chapter 3. Fundamentals Specify a suitable name for the Ethernet Address object, for example wwwsrv1_mac Enter 08-a3-67-bc-2e-f2 as the MAC Address Click OK 3.1.4. Address Groups Groups Simplify Configuration Address objects can be grouped in order to simplify configuration. Consider a number of public servers that should be accessible from the Internet.
Page 74: Address Book Folders

3.1.6. Address Book Folders Chapter 3. Fundamentals all-nets The all-nets IP address object is initialized to the IP address 0.0.0.0/0, thus representing all possible IP addresses. This object is used extensively throughout the configuration. 3.1.6. Address Book Folders In order to help organise large numbers of entries in the address book, it is possible to create Address Book folders.
Page 75: Services, Overview, Listing The Available Services, Viewing A Specific Service

IP rule set can use a Service object as a filter to decide whether or not to allow certain traffic through the D-Link Firewall. For more information on how service objects are being used with IP rules, see Section 3.5, “The IP Rule Set”.
Page 76: Tcp And Udp Based Services

TCP and UDP Service Definition To define a TCP or UDP service in the D-Link Firewall, a TCP/UDP Service object is used. This type of object contains, apart from a unique name describing the service, also information on what protocol (TCP, UDP or both) and what source and destination ports are applicable for the service.
Page 77: Adding A Tcp/udp Service

Passing ICMP Errors If an attempt to open a TCP connection is made by a user application behind the D-Link Firewall and the remote server is not in operation, an ICMP error message is returned as the response. These ICMP errors can either be ignored or allowed to pass through, back to the requesting application.
Page 78: Icmp Services

For a Service involving, for instance an HTTP ALG, the default value can often be too low if there are large numbers of clients connecting through the D-Link Firewall. It is therefore recommended to consider if a higher value is required for a particular scenario.
Page 79: Custom Ip Protocol Services, Adding An Ip Protocol Service

3.2.4. Custom IP Protocol Services Chapter 3. Fundamentals • Source Quenching: the source is sending data too fast for the receiver, the buffer has filled up. • Time Exceeded: the packet has been discarded as it has taken too long to be delivered. 3.2.4.
Page 80: Interfaces, Overview

3.3. Interfaces Chapter 3. Fundamentals 3.3. Interfaces 3.3.1. Overview An Interface is one of the most important logical building blocks in NetDefendOS. All network traffic that passes through or gets terminated in the system is done so through one or several interfaces.
Page 81: Ethernet Interfaces

NetDefendOS itself that will deal with traffic to and from this interface. Examples of the use of core are when the D-Link Firewall acts as a PPTP or L2TP server or responds to ICMP "Ping" requests. By specifying the Destination Interface of a route as core, NetDefendOS will then know that it is itself that is the ultimate destination of the traffic.
Page 82

N represents the number of the interface if your D-Link Firewall has more than one of these interfaces. In most of the examples in this guide lan is used for LAN traffic and wan is used for WAN traffic.
Page 83: Enabling Dhcp

3.3.2. Ethernet Interfaces Chapter 3. Fundamentals The CLI command to do this would be: gw-world:/> set Address IP4Address ip_lan Address=10.1.1.2 This same operation could also be done through the Web Interface. A summary of CLI commands that can be used with Ethernet interfaces can be found in Section 3.3.2.1, “Useful CLI Commands for Ethernet Interfaces”.
Page 84

3.3.2. Ethernet Interfaces Chapter 3. Fundamentals Ethernet interfaces can also be examined through the Web Interface but for some operations the CLI must be used. To show the current interface assigned to the IP address wan_ip: gw-world:/> show Address IP4Address InterfaceAddresses/wan_ip Property Value ---------------------...
Page 85: Vlan

Some interface settings are accessible only through a related set of CLI commands. These are particularly useful if D-Link hardware has been replaced and Ethernet card settings are to be changed, or if configuring the interfaces when running NetDefendOS on non-D-Link hardware. For example, to display Ethernet port information use the command: gw-world:/>...
Page 86: Defining A Vlan

3.3.3. VLAN Chapter 3. Fundamentals VLAN Operation NetDefendOS follows the IEEE 802.1Q specification for VLAN. On a protocol level, VLAN works by adding a Virtual LAN Identifier (VLAN ID) to Ethernet frame headers. The VLAN ID is a number from 0 up to 4095 which is used to identify the specific Virtual LAN to which the frame belongs.
Page 87: Pppoe

3.3.4. PPPoE Chapter 3. Fundamentals Go to Interfaces > VLAN > Add > VLAN Enter a suitable name for the VLAN, in this case VLAN10 Now enter: • Interface: lan • VLAN ID: 10 Click OK VLAN advanced settings There is a single advanced setting for VLAN: Unknown VLAN Tags What to do with VLAN packets tagged with an unknown ID.
Page 88

3.3.4. PPPoE Chapter 3. Fundamentals Microsoft CHAP (version 1 and 2). If authentication is used, at least one of the peers has to authenticate itself before the network layer protocol parameters can be negotiated using NCP. During the LCP and NCP negotiation, optional parameters such as encryption, can be negotiated. 3.3.4.2.
Page 89: Gre Tunnels, Configuring A Pppoe Client

PPPoE is not forced, will serve as the IP address of the PPPoE client interface. This will be used as the local IP address for traffic leaving the interface when the traffic is originated or NATed by the D-Link Firewall. Example 3.12. Configuring a PPPoE client This example shows how to configure a PPPoE client on the wan interface with traffic routed over PPPoE.
Page 90

3.3.5. GRE Tunnels Chapter 3. Fundamentals network such as the Internet. The two networks being connected together communicate with a common protocol which is tunneled using GRE through the intervening network. Examples of GRE usage are: • Traversing network equipment that blocks a particular protocol. •...
Page 91

Chapter 3. Fundamentals An Example GRE Scenario The diagram above shows a typical GRE scenario, where two D-Link Firewalls A and B must communicate with each other through the intervening internal network 172.16.0.0/16. Any traffic passing between A and B is tunneled through the intervening network using a GRE tunnel and since the network is internal and not public there is no need for encryption.
Page 92: Interface Groups, Creating An Interface Group

GRE_to_B remote_net_B lan lannet Setup for D-Link Firewall "B" Assuming that the network 192.168.11.0/24 is lannet on the lan interface, the steps for setting up NetDefendOS on B are as follows: In the address book set up the following IP objects: •...
Page 93

3.3.6. Interface Groups Chapter 3. Fundamentals Web Interface Go to Interfaces > Interface Groups > Add > InterfaceGroup Enter the following information to define the group: • Name: The name of the group to be used later • Security/Transport Equivalent: If enabled, the interface group can be used as a destination interface in rules where connections might need to be moved between the interfaces - examples of such usage are Route Fail-Over and OSPF •...
Page 94: Overview, Arp In Netdefendos, Arp Cache

3.4. ARP Chapter 3. Fundamentals 3.4. ARP 3.4.1. Overview Address Resolution Protocol (ARP) is a protocol, which maps a network layer protocol address to a data link layer hardware address and it is used to resolve an IP address into its corresponding Ethernet address.
Page 95: Displaying The Arp Cache, Flushing The Arp Cache

3.4.3. ARP Cache Chapter 3. Fundamentals The default expiration time for dynamic ARP entries is 900 seconds (15 minutes). This can be changed by modifying the advanced setting ARP Expire. The setting ARP Expire Unknown specifies how long NetDefendOS will remember addresses that cannot be reached.
Page 96: Static And Published Arp Entries, Defining A Static Arp Entry

3.4.4. Static and Published ARP Chapter 3. Fundamentals Entries hash size for VLAN interfaces only. The default value is 64. 3.4.4. Static and Published ARP Entries NetDefendOS supports defining static ARP entries (static binding of IP addresses to Ethernet addresses) as well as publishing IP addresses with a specific Ethernet address. Static ARP Entries Static ARP items may help in situations where a device is reporting incorrect Ethernet address in response to ARP requests.
Page 97: Using Arp Advanced Settings

3.4.5. Using ARP Advanced Settings Chapter 3. Fundamentals Another use is publishing multiple addresses on an external interface, enabling NetDefendOS to statically address translate communications to these addresses and send it onwards to internal servers with private IP addresses. There are two publishing modes; Publish and XPublish. The difference between the two is that XPublish "lies"...
Page 98: Arp Advanced Settings Summary

3.4.6. ARP Advanced Settings Chapter 3. Fundamentals Summary The advanced setting ARP Changes can be changed to modify this behavior. The default behavior is that NetDefendOS will allow changes to take place, but all such changes will be logged. Another, similar, situation occurs when information in ARP replies or ARP requests could collide with static entries in the ARP cache.
Page 99

3.4.6. ARP Advanced Settings Chapter 3. Fundamentals Summary ARP Requests Determines if NetDefendOS will automatically add the data in ARP requests to its ARP table. The ARP specification states that this should be done, but as this procedure can facilitate hijacking of local connections, it is not normally allowed.
Page 100

3.4.6. ARP Advanced Settings Chapter 3. Fundamentals Summary Default: DropLog ARP cache size How many ARP entries there can be in the cache in total. Default: 4096 ARP Hash Size Hashing is used to rapidly look up entries in a table. For maximum efficiency, the hash size should be twice as large as the table it is indexing.
Page 101: The Ip Rule Set, Security Policies

(networks/interfaces/service), include: • IP Rules These determine which traffic is permitted to pass through the D-Link Firewall as well as determining if the traffic is subject to address translation. They are described below. • Pipe Rules These determine which traffic triggers traffic shaping to take place and are described in Section 10.1, “Traffic Shaping”.
Page 102: Simplified Netdefendos Traffic Flow

NetDefendOS, regulating what is allowed or not allowed to pass through the D-Link Firewall, and if necessary, how address translations like NAT are applied. There are two possible approaches to how traffic traversing the D-Link Firewall could be dealt with: •...
Page 103: Ip Rule Evaluation

3.5.2. IP Rule Evaluation When a new connection, such as a TCP/IP connection, is being established through the D-Link Firewall, the list of IP rules are evaluated from top to bottom until a rule that matches the parameters of the new connection is found.
Page 104: Ip Rule Actions

"stateful engine". FwdFast Let the packet pass through the D-Link Firewall without setting up a state for it in the state table. This means that the stateful inspection process is bypassed and is therefore less secure than Allow or NAT rules. Packet processing time is also slower than Allow rules since every packet is checked against the entire rule set.
Page 105: Editing Ip Rule Set Entries, Ip Rule Set Folders, Adding An Allow Ip Rule

3.5.4. Editing IP rule set Entries Chapter 3. Fundamentals The exception to this bi-directional flow is FwdFast rules. If the FwdFast action is used, the rule will not allow traffic to flow from the destination back to the source. If bi-directional flow is required then two FwdFast rules are needed, one for either direction.
Page 106

3.5.5. IP Rule Set Folders Chapter 3. Fundamentals Return to the top level: gw-world:/main> cc Configuration changes must be saved by then issuing an activate followed by a commit command. Web Interface Go to Rules > IP Rules > Add > IPRule Specify a suitable name for the rule, for example LAN_HTTP Now enter: •...
Page 107: Schedules, Setting Up A Time-scheduled Policy

3.6. Schedules Chapter 3. Fundamentals 3.6. Schedules In some scenarios, it might be useful to control not only what functionality is enabled, but also when that functionality is being used. For instance, the IT policy of an enterprise might stipulate that web traffic from a certain department is only allowed access outside that department during normal office hours.
Page 108

3.6. Schedules Chapter 3. Fundamentals Return to the top level: gw-world:/main> cc Configuration changes must be saved by then issuing an activate followed by a commit command. Web Interface Go to Objects > Schedules > Add > Schedule Enter the following: •...
Page 109: Certificates, Overview

3.7. Certificates Chapter 3. Fundamentals 3.7. Certificates 3.7.1. Overview X.509 NetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. This involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication. References in this manual to a certificate means a X.509 certificate.
Page 110

3.7.2. Certificates in NetDefendOS Chapter 3. Fundamentals Note A CA is sometimes referred to as a "certification authority". Validity Time A certificate is not valid forever. Each certificate contains the dates between which the certificate is valid. When this validity period expires, the certificate can no longer be used, and a new certificate has to be issued.
Page 111: Certificates In Netdefendos, Ca Certificate Requests, Uploading A Certificate, Associating Certificates With Ipsec Tunnels

3.7.3. CA Certificate Requests Chapter 3. Fundamentals 3.7.2. Certificates in NetDefendOS Certificates can be uploaded to NetDefendOS for use in IKE/IPsec authentication, Webauth, etc. There are two types of certificates that can be uploaded: self-signed certificates and remote certificates belonging to a remote peer or CA server. Self-signed certificates can be generated by using one of a number of freely available utilities for doing this.
Page 112

3.7.3. CA Certificate Requests Chapter 3. Fundamentals • Convert the .pfx file into the .pem format. • Take out the relevant parts of the .pem file to form the required .cer and .key files. The detailed steps for the above stages are as follows: Create the gateway certificate on the Windows CA server and export it to a .pfx file on the local NetDefendOS management workstation disk.
Page 113: Date And Time, Overview, Setting Date And Time, Setting The Current Date And Time

3.8. Date and Time Chapter 3. Fundamentals 3.8. Date and Time 3.8.1. Overview Correctly setting the date and time is important for NetDefendOS to operate properly. Time scheduled policies, auto-update of the IDP and Anti-Virus databases, and other product features require that the system clock is accurately set.
Page 114: Time Servers, Setting The Time Zone, Enabling Dst

3.8.3. Time Servers Chapter 3. Fundamentals The NetDefendOS time zone setting reflects the time zone where the D-Link Firewall is physically located. Example 3.22. Setting the Time Zone To modify the NetDefendOS time zone to be GMT plus 1 hour, follow the steps outlined below: gw-world:/>...
Page 115: Enabling Time Synchronization Using Sntp

3.8.3. Time Servers Chapter 3. Fundamentals other network devices. Time Synchronization Protocols Time Synchronization Protocols are standardized methods for retrieving time information from external Time Servers. NetDefendOS supports the following time synchronization protocols: • SNTP - Defined by RFC 2030, The Simple Network Time Protocol (SNTP) is a lightweight implementation of NTP (RFC 1305).
Page 116: Manually Triggering A Time Synchronization, Modifying The Maximum Adjustment Value, Forcing Time Synchronization

3.8.3. Time Servers Chapter 3. Fundamentals Example 3.25. Manually Triggering a Time Synchronization Time synchronization can be triggered from the CLI. The output below shows a typical response. gw-world:/> time -sync Attempting to synchronize system time... Server time: 2008-02-27 12:21:52 (UTC+00:00) Local time: 2008-02-27 12:24:30 (UTC+00:00) (diff: 158) Local time successfully changed to server time.
Page 117: Settings Summary For Date And Time, Enabling The D-link Ntp Server

86,400 seconds (1 day), meaning that the time synchronization process is executed once in a 24 hour period. D-Link Time Servers Using D-Link's own Time Servers is an option in NetDefendOS and this is the recommended way of synchronizing the firewall clock. These servers communicate with NetDefendOS using the SNTP protocol.
Page 118

3.8.4. Settings Summary for Date and Chapter 3. Fundamentals Time DST End Date What month and day DST ends, in the format MM-DD. Default: none Time Sync Server Type Type of server for time synchronization, UDPTime or SNTP (Simple Network Time Protocol). Default: SNTP Primary Time Server DNS hostname or IP Address of Timeserver 1.
Page 119: Configuring Dns Servers

3.9. DNS Chapter 3. Fundamentals 3.9. DNS Overview A DNS server can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. FQDNs are unambiguous textual domain names which specify a node's unique position in the Internet's DNS tree hierarchy. FQDN resolution allows the actual physical IP address to change while the FQDN can stay the same.
Page 120

A DNS feature offered by NetDefendOS is the ability to explicitly inform DNS servers when the external IP address of the D-Link Firewall has changed. This is sometimes referred to as Dynamic DNS and is useful where the D-Link Firewall has an external IP address that can change.
Page 121

3.9. DNS Chapter 3. Fundamentals...
Page 122: Routing, Overview

IP routing is one of the most fundamental functions of NetDefendOS. Any IP packet flowing through a D-Link Firewall will be subjected to at least one routing decision at some point in time, and properly setting up routing is crucial for the system to function as expected.
Page 123: Static Routing, The Principles Of Routing

This is optional. If the destination network is connected directly to the interface, this is not needed. When a router lies between the D-Link Firewall and the destination network, a gateway IP must be specified. For example, if the route is for public Internet access via an ISP then the public IP address of the ISP's gateway router would be specified.
Page 124

Failover”. A Typical Routing Scenario The diagram below illustrates a typical D-Link Firewall scenario: In the above diagram, the LAN interface is connected to the network 192.168.0.0/24 and the DMZ interface is connected to the network 10.4.0.0/16. The WAN interface is connected to the network 195.66.77.0/24 and the address of the ISP gateway to the public Internet is 195.66.77.4.
Page 125

We can say that the network is bound to a physical interface and clients on the connected network can automatically find the D-Link Firewall through ARP queries. ARP works because the clients and the NetDefendOS interface are part of the same network.
Page 126: Using Local Ip Address With An Unbound Network

Default Gateway set to 10.2.2.1 in order to reach the D-Link Firewall. This feature is normally used when an additional network is to be added to an interface but it is not desirable to change the existing IP addresses of the network.
Page 127

4.2.2. Static Routing Chapter 4. Routing routing but instead as a check that the source network should be found on the interface where it arrived. If this check fails, NetDefendOS generates a Default Access Rule error message. Even traffic destined for Core (NetDefendOS itself), such as ICMP ping requests must follow this rule of having two routes associated with it.
Page 128: Displaying The Routing Table

4.2.2. Static Routing Chapter 4. Routing 192.168.0.0 255.255.255.0 192.168.0.10 192.168.0.10 192.168.0.10 255.255.255.255 127.0.0.1 127.0.0.1 192.168.0.255 255.255.255.255 192.168.0.10 192.168.0.10 224.0.0.0 240.0.0.0 10.4.2.143 10.4.2.143 224.0.0.0 240.0.0.0 192.168.0.10 192.168.0.10 255.255.255.255 255.255.255.255 10.4.2.143 10.4.2.143 255.255.255.255 255.255.255.255 192.168.0.10 192.168.0.10 Default Gateway: 192.168.0.1 ==================================================================== Persistent Routes: None The corresponding routing table in NetDefendOS is similar to this: Flags Network...
Page 129

Initial Static Routes When the D-Link Firewall is configured for the first time, the routing table will have one route defined for each interface. The routes will have default IP addresses which must be changed to the appropriate IP address ranges for traffic to flow.
Page 130: Route Failover, Displaying The Core Routes

4.2.3. Route Failover Overview D-Link Firewalls are often deployed in mission-critical locations where availability and connectivity is crucial. A corporation relying heavily on access to the Internet, for instance, could have their operations severely disrupted if an Internet connection fails.
Page 131: A Route Failover Scenario For Isp Access

4.2.3. Route Failover Chapter 4. Routing Figure 4.2. A Route Failover Scenario for ISP Access Setting Up Route Failover Route Monitoring should be enabled on a per-route basis. To enable the Route Failover feature in a scenario with a preferred and a backup route, the preferred route will have Route Monitoring enabled, however the backup route does not require it to be enabled since it will usually have no route to failover to.
Page 132

4.2.3. Route Failover Chapter 4. Routing second failover route. The first two routes would have Route Monitoring enabled in the routing table but the last one (with the highest Metric) would not since it has no route to failover to. Failover Processing Whenever monitoring determines that a route is not available, NetDefendOS will mark the route as disabled and instigate Route Failover for existing and new connections.
Page 133: Host Monitoring For Route Failover

Grace Period This is the period of time after startup or after reconfiguration of the D-Link Firewall which NetDefendOS will wait before starting Route Monitoring. This waiting period allows time for all network links to initialize once the firewall comes online.
Page 134

4.2.4. Host Monitoring for Route Chapter 4. Routing Failover Specifying Hosts For each host specified for host monitoring there are a number of property parameters that should be set: • Method The method by which the host is to be polled. This can be one of: •...
Page 135: Proxy Arp

Ethernet is separated into two parts with a routing device such as an installed D-Link Firewall, in between. In such a case, NetDefendOS itself can respond to ARP requests directed to the network on the other side of the D-Link Firewall using the feature known as Proxy ARP.
Page 136

4.2.5. Proxy ARP Chapter 4. Routing Using switch routes is fully explained in Section 4.7, “Transparent Mode”. In HA clusters, switch routes cannot be used and proxy ARP is the only way to implement transparent mode functionality. Note It is only possible to have Proxy ARP functioning for Ethernet and VLAN interfaces.
Page 137: Policy-based Routing, Overview, Policy-based Routing Tables, Policy-based Routing Rules

4.3. Policy-based Routing Chapter 4. Routing 4.3. Policy-based Routing 4.3.1. Overview Policy-based Routing (PBR) is an extension to the standard routing described previously. It offers administrators significant flexibility in implementing routing decision policies by being able to define rules so alternative routing tables are used. Normal routing forwards packets according to destination IP address information derived from static routes or from a dynamic routing protocol.
Page 138: Pbr Table Selection, The Ordering Parameter

4.3.4. PBR Table Selection Chapter 4. Routing When looking up Policy-based Rules, it is the first matching rule found that is triggered. 4.3.4. PBR Table Selection When a packet corresponding to a new connection first arrives, the processing steps are as follows to determine which routing table is chosen: The PBR Rules must first be looked up but to do this the packet's destination interface must be determined and this is always done by a lookup in the main routing table.
Page 139: Creating A Policy-based Routing Table, Creating The Route, Policy-based Routing Configuration

4.3.5. The Ordering parameter Chapter 4. Routing Important - Ensuring all-nets appears in the main table A common mistake with Policy-based routing is the absence of the default route with a destination interface of all-nets in the default main routing table. If there is no route that is an exact match then the absence of a default all-nets route will mean that the connection will be dropped.
Page 140

This is a "drop-in" design, where there are no explicit routing subnets between the ISP gateways and the D-Link Firewall. In a provider-independent network, clients will likely have a single IP address, belonging to one of the ISPs. In a single-organization scenario, publicly accessible servers will be configured with two separate IP addresses: one from each ISP.
Page 141: Route Load Balancing

4.4. Route Load Balancing Chapter 4. Routing 4.4. Route Load Balancing Overview NetDefendOS provides the option to perform Route Load Balancing (RLB). This is the ability to distribute traffic over multiple alternate routes based on a number of predefined distribution algorithms.
Page 142: The Rlb Round Robin Algorithm, The Rlb Spillover Algorithm

4.4. Route Load Balancing Chapter 4. Routing If more than one matching route is found then RLB is used to choose which one to use. This is done according to which algorithm is selected in the table's RLB Instance object: •...
Page 143

4.4. Route Load Balancing Chapter 4. Routing Spillover Limits are set separately for ingoing and outgoing traffic with only one of these typically being specified. If both are specified then only one of them needs to be exceeded continuously for Hold Timer seconds for the next matching route to be chosen. The units of the limits, such as Mbps, can be selected to simplify specification of the values.
Page 144

An RLB Scenario Below is an illustration which shows a typical scenario where RLB might be used. Here, there is a group of clients on a network connected via the LAN interface of the D-Link Firewall and these will access the internet.
Page 145: A Route Load Balancing Scenario, Setting Up Rlb

4.4. Route Load Balancing Chapter 4. Routing the two ISPs. Figure 4.5. A Route Load Balancing Scenario We first need to define two routes to these two ISPs in the main routing table as shown below: Route No. Interface Destination Gateway Metric WAN1...
Page 146

4.4. Route Load Balancing Chapter 4. Routing gw-world:/> add RouteBalancingInstance main Algorithm=Destination Web Interface Go to Routing > Route Load Balancing > Instances > Add > Route Balancing Instance The route balancing instance dialog will appear. Now select: • Routing Table: main •...
Page 147: Dynamic Routing, Dynamic Routing Overview

4.5. Dynamic Routing 4.5.1. Dynamic Routing overview Dynamic routing is different to static routing in that the D-Link Firewall will adapt to changes of network topology or traffic load automatically. NetDefendOS first learns of all the directly connected networks and gets further route information from other routers. Detected routes are sorted and the most suitable routes for destinations are added into the routing table and this information is distributed to other routers.
Page 148: Ospf

RFC 1583. Note: OSPF is not available on all D-Link models The OSPF feature is only available on the D-Link DFL-800, DFL-860, DFL-1600 and DFL-2500 product models. The way OSPF routing functions is that it routes IP packets based only on the destination IP address found in the IP packet header.
Page 149

4.5.2. OSPF Chapter 4. Routing All OSPF protocol exchanges can be authenticated. This means that only routers with the correct authentication can join the AS. Different authentication schemes can be used, like none, passphrase or MD5 digest. It is possible to configure separate authentication methods for each AS. OSPF Areas OSPF allows sets of networks to be grouped together and this is called an OSPF Area.
Page 150: Virtual Links Example 1

4.5.2. OSPF Chapter 4. Routing Down This is the initial state of the neighbor relationship. Init When a HELLO packet is received from a neighbor, but does NOT include the Router ID of the firewall in it, the neighbor will be placed in Init state. As soon as the neighbor in question receives a HELLO packet it will know the sending routers Router ID and will send a HELLO packet with that included.
Page 151: Virtual Links Example 2

4.5.2. OSPF Chapter 4. Routing In the above example, the Virtual Link is configured between fw1 and fw2 on Area 1, as it is used as the transit area. In this configuration only the Router ID has to be configured. The diagram shows that fw2 needs to have a Virtual Link to fw1 with Router ID 192.168.1.1 and vice versa.
Page 152: Dynamic Routing Policy, Importing Routes From An Ospf As Into The Main Routing Table

This is done by forcing the router priority to 0. For OSPF HA support to work correctly, the D-Link Firewall needs to have a broadcast interface with at least ONE neighbor for ALL areas that the firewall is attached to. In essence, the inactive part of the cluster needs a neighbor to get the link state database from.
Page 153: Exporting The Default Route Into An Ospf As

4.5.3. Dynamic Routing Policy Chapter 4. Routing In this example, the routes received using OSPF will be added into the main routing table. First of all a Dynamic Routing Policy filter needs to be created. The filter needs to have a name, in this example ImportOSPFRoutes is used, as it explains what the filter does.
Page 154

4.5.3. Dynamic Routing Policy Chapter 4. Routing Specify a suitable name for the filter, for example ExportDefRoute For From Routing Table select Main Routing Table Choose wan for Destination Interface Choose all-nets in the ...Exactly Matches list Click OK Next, create an OSPF Action that will export the filtered route to the specified OSPF AS: gw-world:/>...
Page 155: Multicast Routing, Overview, Multicast Forwarding Using The Sat Multiplex Rule

This is demonstrated in the examples which follow. Note For multicast to function with an Ethernet interface on any D-Link Firewall, that interface must have multicast handling set to On or Auto. For further details on this see Section 3.3.2, “Ethernet Interfaces”.
Page 156: Multicast Forwarding - No Address Translation

4.6.2. Multicast Forwarding using the Chapter 4. Routing SAT Multiplex Rule Using IGMP The traffic flow specified by the multiplex rule must have been requested by hosts using IGMP before any multicast packets are forwarded through the specified interfaces. This is the default behavior of NetDefendOS. Not using IGMP The traffic flow will be forwarded according to the specified interfaces directly without any inference from IGMP.
Page 157: Forwarding Of Multicast Traffic Using The Sat Multiplex Rule

4.6.2. Multicast Forwarding using the Chapter 4. Routing SAT Multiplex Rule Example 4.9. Forwarding of Multicast Traffic using the SAT Multiplex Rule In this example, we will create a multiplex rule in order to forward the multicast groups 239.192.10.0/24:1234 to the interfaces if1, if2 and if3.
Page 158: Multicast Forwarding - Address Translation

4.6.2. Multicast Forwarding using the Chapter 4. Routing SAT Multiplex Rule The two values {outif;ip} represent a combination of output interface and, if address translation of a group is needed, an IP address. If, for example, multiplexing of the multicast group 239.192.100.50 is required to the output interfaces if2 and if3, then the command to create the rule would be: add IPRule SourceNetwork=<srcnet>...
Page 159: Igmp Configuration

A second exception is if a neighboring router is statically configured to deliver a multicast stream to the D-Link Firewall. In this case also, an IGMP query would not have to be specified. NetDefendOS supports two IGMP modes of operation - Snoop and Proxy.
Page 160: Multicast Snoop, Multicast Proxy

4.6.3. IGMP Configuration Chapter 4. Routing Figure 4.10. Multicast Snoop Figure 4.11. Multicast Proxy In Snoop mode, the router will act transparently between the hosts and another IGMP router. It will not send any IGMP Queries. It will only forward queries and reports between the other router and the hosts.
Page 161: Igmp - No Address Translation

4.6.3. IGMP Configuration Chapter 4. Routing Example 4.11. IGMP - No Address Translation The following example requires a configured interface group IfGrpClients including interfaces if1, if2 and if3. The ip address of the upstream IGMP router is known as UpstreamRouterIP. Two rules are needed.
Page 162: If1 Configuration

4.6.3. IGMP Configuration Chapter 4. Routing 4.6.3.2. IGMP Rules Configuration - Address Translation The following examples illustrates the IGMP rules needed to configure IGMP according to the Address Translation scenario described above in Section 4.6.2.2, “Multicast Forwarding - Address Translation Scenario”. We need two IGMP report rules, one for each client interface. If1 uses no address translation and if2 translates the multicast group to 237.192.10.0/24.
Page 163: If2 Configuration - Group Translation

4.6.3. IGMP Configuration Chapter 4. Routing • Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.0/24 Click OK Example 4.13. if2 Configuration - Group Translation The following steps needs to be executed to create the report and query rule pair for if2 which translates the multicast group.
Page 164: Advanced Igmp Settings

4.6.4. Advanced IGMP Settings Chapter 4. Routing • Multicast Group: 239.192.10.0/24 Click OK Advanced IGMP Settings There are a number of IGMP advanced settings which are global and apply to all interfaces which do not have IGMP settings explicitly specified for them. 4.6.4.
Page 165

4.6.4. Advanced IGMP Settings Chapter 4. Routing Default: 5,000 IGMP Max Total Requests The maximum global number of IGMP messages to process each second. Default: 1000 IGMP Max Interface Requests The maximum number of requests per interface and second. Global setting on interfaces without an overriding IGMP Setting.
Page 166

4.6.4. Advanced IGMP Settings Chapter 4. Routing interfaces without an overriding IGMP Setting. Default: 1,000...
Page 167: Transparent Mode, Overview

4.7.1. Overview Transparent Mode Usage The NetDefendOS Transparent Mode feature allows a D-Link Firewall to be placed at a point in a network without any reconfiguration of the network and without hosts being aware of its presence. All NetDefendOS features can then be used to monitor and manage traffic flowing through that point.
Page 168

4.7.1. Overview Chapter 4. Routing the D-Link Firewall is placed into a network for the first time, or if network topology changes, the routing configuration must therefore be checked and adjusted to ensure that the routing table is consistent with the new layout. Reconfiguration of IP settings may be required for pre-existing routers and protected servers.
Page 169

4.7.1. Overview Chapter 4. Routing initiating sender of the original IP packet for the destination on the interfaces specified in the Switch Route. If an ARP reply is received, NetDefendOS will update the CAM table and Layer 3 Cache and forward the packet to the destination. If the CAM table or the Layer 3 Cache is full, the tables are partially flushed automatically.
Page 170

4.7.1. Overview Chapter 4. Routing For example, if the interfaces if1 to if6 appear in a switch routes in routing table A, the resulting interconnections will be as illustrated below. Connecting together switch routes in this way only applies, however, if all interfaces are associated with the same routing table.
Page 171: Enabling Internet Access, Non-transparent Mode Internet Access

Now lets suppose the D-Link Firewall is to operate in transparent mode between the users and the ISP. The illustration below shows how, using switch routes, the D-Link Firewall is set up to be transparent between the internal physical Ethernet network (pn2) and the Ethernet network to the ISP's gateway (pn1).
Page 172: Transparent Mode Internet Access

Using NAT NAT should not be enabled for NetDefendOS in Transparent Mode since, as explained previously, the D-Link Firewall is acting like a level 2 switch and address translation is done at the higher IP OSI layer. The other consequence of not using NAT is that IP addresses of users accessing the Internet usually...
Page 173: Transparent Mode Scenarios, Transparent Mode Scenario 1, Setting Up Transparent Mode For Scenario 1

If NATing needs to be performed in the example above to hide individual addresses from the Internet, it would have to be done by a device (possibly another D-Link Firewall) between the 192.168.10.0/24 network and the public Internet. In this case, internal IP addresses could be used by the users on Ethernet network pn2.
Page 174: Transparent Mode Scenario 2

DMZ. The hosts on the internal network are allowed to communicate with an HTTP server on DMZ while the HTTP server on the DMZ can be reached from the Internet. The D-Link Firewall is transparent between the DMZ and LAN but traffic is still controlled by the IP rule set.
Page 175: Setting Up Transparent Mode For Scenario 2

4.7.3. Transparent Mode Scenarios Chapter 4. Routing Example 4.15. Setting up Transparent Mode for Scenario 2 Configure a Switch Route over the LAN and DMZ interfaces for address range 10.0.0.0/24 (assume the WAN interface is already configured). Web Interface Configure the interfaces: Go to Interfaces >...
Page 176

4.7.3. Transparent Mode Scenarios Chapter 4. Routing • Interfaces: Select lan and dmz Click OK Configure the routing: Go to Routing > Main Routing Table > Add > SwitchRoute Now enter: • Switched Interfaces: TransparentGroup • Network: 10.0.0.0/24 • Metric: 0 Click OK Configure the rules: Go to Rules >...
Page 177: Spanning Tree Bpdu Support, Advanced Settings For Transparent Mode, An Example Bpdu Relaying Scenario

The diagram below illustrates a situation where BPDU messages would occur if the administrator enables the switches to run the STP protocol. Two D-Link Firewalls are deployed in transparent mode between the two sides of the network. The switches on either side of the firewall need to communicate and require NetDefendOS to relay switch BPDU messages in order that packets do not loop between the firewalls.
Page 178

4.7.5. Advanced Settings for Chapter 4. Routing Transparent Mode Default: Enabled Decrement TTL Enable this if the TTL should be decremented each time a packet traverses the firewall in Transparent Mode. Default: Disabled Dynamic CAM Size This setting can be used to manually configure the size of the CAM table. Normally Dynamic is the preferred value to use.
Page 179

4.7.5. Advanced Settings for Chapter 4. Routing Transparent Mode Null Enet Sender Defines what to do when receiving a packet that has the sender hardware (MAC) address in ethernet header set to null (0000:0000:0000). Options: • Drop - Drop packets •...
Page 180

4.7.5. Advanced Settings for Chapter 4. Routing Transparent Mode • Drop - Drop the packets • DropLog - Drop packets log the event Default: Drop Relay MPLS When set to Ignore all incoming MPLS packets are relayed in transparent mode. Options: •...
Page 181

4.7.5. Advanced Settings for Chapter 4. Routing Transparent Mode...
Page 182: Dhcp Services, Overview

Chapter 5. DHCP Services This chapter describes DHCP services in NetDefendOS. • Overview, page 182 • DHCP Servers, page 183 • Static DHCP Assignment, page 185 • DHCP Relaying, page 187 • IP Pools, page 190 5.1. Overview Dynamic Host Configuration Protocol (DHCP) is a protocol that allows network administrators to automatically assign IP numbers to computers on a network.
Page 183: Dhcp Servers

5.2. DHCP Servers Chapter 5. DHCP Services 5.2. DHCP Servers DHCP servers assign and manage the IP addresses taken from a specified address pool. In NetDefendOS, DHCP servers are not limited to serving a single range of IP addresses but can use any IP address range that can be specified by a NetDefendOS IP address object.
Page 184: Setting Up A Dhcp Server, Checking The Status Of A Dhcp Server

5.2. DHCP Servers Chapter 5. DHCP Services • WINS Servers - WINS servers the client can use for WINS lookup. • Next Server - the IP address of the next server in the boot process, this is usually a TFTP server. In addition, Custom Options can be specified in order to have the DHCP servers hand out all options supported by the DHCP standard.
Page 185: Static Dhcp Assignment, Dhcp Advanced Settings, Setting Up Static Dhcp

5.3. Static DHCP Assignment Chapter 5. DHCP Services 5.3. Static DHCP Assignment Where the administrator requires a fixed relationship between a client and the assigned IP address, NetDefendOS allows the assignment of a given IP to a specific MAC address. Example 5.3.
Page 186

5.3.1. DHCP Advanced Settings Chapter 5. DHCP Services Auto Save Policy What policy should be used to save the lease database to the disk, possible settings are Disabled, ReconfShut or ReconfShutTimer. Default: ReconfShut Lease Store Interval How often, in seconds, the leases database should be saved to disk if DHCPServer_SaveLeasePolicy is set to ReconfShutTimer.
Page 187: Dhcp Relaying, Setting Up A Dhcp Relayer

This example allows clients on NetDefendOS VLAN interfaces to obtain IP addresses from a DHCP server. It is assumed the D-Link Firewall is configured with VLAN interfaces vlan1 and vlan2 that use DHCP relaying, and the DHCP server IP address is defined in the NetDefendOS address book as ip-dhcp. NetDefendOS will add a route for the client when it has finalized the DHCP process and obtained an IP.
Page 188: Dhcp Relay Advanced Settings

5.4.1. DHCP Relay Advanced Settings Chapter 5. DHCP Services Click OK Adding a DHCP relayer called as vlan-to-dhcpserver: Go to System > DHCP > Add > DHCP Relay Now enter: • Name: vlan-to-dhcpserver • Action: Relay • Source Interface: ipgrp-dhcp •...
Page 189

5.4.1. DHCP Relay Advanced Settings Chapter 5. DHCP Services Max Auto Routes How many relays that can be active at the same time. Default: 256 Auto Save Policy What policy should be used to save the relay list to the disk, possible settings are Disabled, ReconfShut, or ReconfShutTimer.
Page 190: Ip Pools

5.5. IP Pools Chapter 5. DHCP Services 5.5. IP Pools Overview IP pools are used to offer other subsystems access to a cache of DHCP IP addresses. These addresses are gathered into a pool by internally maintaining a series of DHCP clients (one per IP). The DHCP servers used by a pool can either be external or be DHCP servers defined in NetDefendOS itself.
Page 191: Creating An Ip Pool

5.5. IP Pools Chapter 5. DHCP Services Maximum free The maximum number of "free" IPs to be kept. Must be equal to or greater than the prefetch parameter. The pool will start releasing (giving back IPs to the DHCP server) when the number of free clients exceeds this value.
Page 192

5.5. IP Pools Chapter 5. DHCP Services...
Page 193: Security Mechanisms, Access Rules, Introduction, Ip Spoofing

Chapter 6. Security Mechanisms This chapter describes NetDefendOS security features. • Access Rules, page 193 • ALGs, page 196 • Web Content Filtering, page 242 • Anti-Virus Scanning, page 259 • Intrusion Detection and Prevention, page 265 • Denial-of-Service Attack Prevention, page 276 •...
Page 194: Access Rule Settings

6.1.3. Access Rule Settings Chapter 6. Security Mechanisms VPNs provide one means of avoiding spoofing but where a VPN is not an appropriate solution then Access Rules can provide an anti-spoofing capability by providing an extra filter for source address verification.
Page 195: Setting Up An Access Rule

6.1.3. Access Rule Settings Chapter 6. Security Mechanisms working properly. Example 6.1. Setting up an Access Rule A rule is to be defined that ensures no traffic with a source address not within the lannet network is received on the lan interface. gw-world:/>...
Page 196: Algs, Overview, Deploying An Alg

6.2.1. Overview To complement low-level packet filtering, which only inspects packet headers in protocols such as IP, TCP, UDP, and ICMP, D-Link Firewalls provide Application Layer Gateways (ALGs) which provide filtering at the higher application OSI level. An ALG object acts as a mediator in accessing commonly used Internet applications outside the protected network, for example web access, file transfer and multimedia transfer.
Page 197: The Http Alg

Note This default value can often be too low for HTTP if there are large number of clients connecting through the D-Link Firewall and it is therefore recommended to consider using a higher value in such circumstances. ALGs and Syn Flood Protection It should be noted that user-defined custom Service objects have the option to enable Syn Flood Protection, a feature which specifically targets Syn Flood attacks.
Page 198

6.2.2. The HTTP ALG Chapter 6. Security Mechanisms • URL Whitelisting The opposite to blacklisting, this makes sure certain URLs are always allowed. Wildcarding can also be used for these URLs, as described below. It is important to note that whitelisting a URL means that it cannot be blacklisted and it also cannot be dropped by web content filtering (if that is enabled, although it will be logged).
Page 199: Http Alg Processing Order

6.2.2. The HTTP ALG Chapter 6. Security Mechanisms Additional filetypes not included by default can be added to the Allow/Block list however these cannot be subject to content checking meaning that the file extension will be trusted as being correct for the contents of the file. Note The Verify MIME type and Allow/Block Selected Types options work in the same way for the FTP, POP3 and SMTP ALGs.
Page 200: The Ftp Alg

After granting access, the server will provide the client with a file/directory listing from which it can download/upload files (depending on access rights). The FTP ALG is used to manage FTP connections through the D-Link Firewall.
Page 201

The FTP server can be configured to use active mode, which is the safer mode for servers. • When an FTP session is established, the D-Link Firewall will automatically and transparently receive the passive data channel from the FTP client and the active data channel from the server, and tie them together.
Page 202: Protecting An Ftp Server With An Alg

For more information on this topic refer to Chapter 12, ZoneDefense. Example 6.2. Protecting an FTP Server with an ALG As shown, an FTP Server is connected to the D-Link Firewall on a DMZ with private IP addresses, shown below:...
Page 203

6.2.3. The FTP ALG Chapter 6. Security Mechanisms To make it possible to connect to this server from the Internet using the FTP ALG, the FTP ALG and rules should be configured as follows: Web Interface A. Define the ALG: Go to Objects >...
Page 204

6.2.3. The FTP ALG Chapter 6. Security Mechanisms • Action: SAT • Service: ftp-inbound For Address Filter enter: • Source Interface: any • Destination Interface: core • Source Network: all-nets • Destination Network: wan_ip (assuming the external interface has been defined as this) For SAT check Translate the Destination IP Address Enter To: New IP Address: ftp-internal (assume this internal IP address for FTP server has been defined in the Address Book object)
Page 205: Protecting Ftp Clients

Chapter 6. Security Mechanisms Example 6.3. Protecting FTP Clients In this scenario shown below the D-Link Firewall is protecting a workstation that will connect to FTP servers on the Internet. To make it possible to connect to these servers from the internal network using the FTP ALG, the FTP ALG and...
Page 206: The Tftp Alg

6.2.4. The TFTP ALG Chapter 6. Security Mechanisms Rules (Using Public IPs). The following rule needs to be added to the IP rules if using public IP's; make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules. The service in use is the ftp-outbound, which should be using the ALG definition ftp-outbound as described earlier.
Page 207: The Smtp Alg

Internet. Typically the local SMTP server will be located on a DMZ so that mail sent by remote SMTP servers will traverse the D-Link Firewall to reach the local server (this setup is illustrated later in Section 6.2.5.1, “DNSBL SPAM Filtering”). Local users will then use email client software to retrieve their email from the local SMTP server.
Page 208

6.2.5. The SMTP ALG Chapter 6. Security Mechanisms This is a very useful feature to have since it is possible to put in a block against either an infected client or an infected server sending large amounts of malware generated emails. Email Size Limiting A maximum allowable size of email messages can be specified.
Page 209: Smtp Alg Processing Order

6.2.5. The SMTP ALG Chapter 6. Security Mechanisms Anti-virus scanning (if enabled). As described above, if an address is found on the whitelist then it will not be blocked if it also found on the blacklist. SPAM filtering, if it is enabled, is still applied to whitelisted addresses but emails flagged as SPAM will not be tagged nor dropped, only logged.
Page 210: Dnsbl Spam Filtering

Chunking. The ALG therefore removes any unsupported extensions from the supported extension list that is returned to the client by an SMTP server behind the D-Link Firewall. When an extension is removed, a log message is generated with the text:...
Page 211: Dnsbl Spam Filtering

SMTP functions as a protocol for sending emails between servers. NetDefendOS applies SPAM filtering to emails as they pass through the D-Link Firewall from a remote SMTP server to the local SMTP server (from which local clients will later download the emails). Typically the local SMTP server will be set up on a DMZ and there will usually be only one "hop"...
Page 212

6.2.5. The SMTP ALG Chapter 6. Security Mechanisms the following actions based on the sum calculated: Dropped If the sum is greater than or equal to a pre-defined Drop threshold then the email is considered to be definitely SPAM and is discarded or alternatively sent to a single, special mailbox. If it is discarded then the administrator has the option that an error message is sent back to the sending SMTP server (this error message is similar to the one used with blacklisting).
Page 213

6.2.5. The SMTP ALG Chapter 6. Security Mechanisms And this is what the email's recipient will see in the summary of their inbox contents. The individual user could then decide to set up their own filters in the local client to deal with such tagged emails, possibly sending it to a separate folder.
Page 214

6.2.5. The SMTP ALG Chapter 6. Security Mechanisms allowed through if this happens. Setup Summary To set up DNSBL SPAM filtering in the SMTP ALG, the following list summarizes the steps: • Specify which DNSBL servers are to be used. There can be multiple and they can act both as backups to each other as well as confirmation of a sender's status.
Page 215

6.2.6. The POP3 ALG Chapter 6. Security Mechanisms The dnsbl CLI command provides a means to control and monitor the operation of the SPAM filtering module. The dnsbl command on its own without options shows the overall status of all ALGs.
Page 216: The Pop3 Alg, The Sip Alg

6.2.7. The SIP ALG Chapter 6. Security Mechanisms 6.2.6. The POP3 ALG POP3 is a mail transfer protocol that differs from SMTP in that the transfer of mail is directly from a server to a user's client software. POP3 ALG Options Key features of the POP3 ALG are: Block Clear Text Authentication Block connections between client and server that send the...
Page 217

They also implement provider call-routing policies. The proxy is often located on the external, unprotected side of the D-Link Firewall but can have other locations. All of these scenarios are supported by NetDefendOS.
Page 218

The disadvantage of removing proxies from the session is that NetDefendOS IP rules must be set up to allow all SIP messages through the D-Link Firewall, and if the source network of the messages is not known then a large number of potentially dangerous connections must be allowed by the IP rule set.
Page 219

Protecting local clients - Proxy located on the Internet The SIP session is between a client on the local, protected side of the D-Link Firewall and a client which is on the external, unprotected side. The SIP proxy is located on the external, unprotected side of the D-Link Firewall.
Page 220

Neither the clients or the proxies need to be aware that the local users are being NATed. • An Allow rule for inbound SIP traffic from the SIP proxy to the IP of the D-Link Firewall. This rule will use core (in other words, NetDefendOS itself) as the destination interface.
Page 221

6.2.7. The SIP ALG Chapter 6. Security Mechanisms local contact information and uses this to redirect incoming requests to the user. The ALG takes care of the address translations needed. Ensure the clients are correctly configured. The SIP Proxy Server plays a key role in locating the current location of the other client for the session.
Page 222

Without NAT so the network topology is exposed. Solution A - Using NAT Here, the proxy and the local clients are hidden behind the IP address of the D-Link Firewall. The setup steps are as follows: Define a single SIP ALG object using the options described above.
Page 223

6.2.7. The SIP ALG Chapter 6. Security Mechanisms If Record-Route is enabled then the Source Network for outbound traffic from proxy users can be further restricted in the above rules by using "ip_proxy" as indicated. When an incoming call is received, the SIP ALG will follow the SAT rule and forward the SIP request to the proxy server.
Page 224

Solution A - Using NAT The following should be noted about this setup: • The IP address of the SIP proxy must be a globally routable IP address. The D-Link Firewall does not support hiding of the proxy on the DMZ. •...
Page 225

• An Allow rule for inbound SIP traffic from the SIP proxy behind the DMZ interface to the IP address of the D-Link Firewall. This rule will have core (in other words, NetDefendOS itself) as the destination interface. The reason for this is because of the NAT rule above. When an incoming call is received, NetDefendOS automatically locates the local receiver, performs address translation and forwards SIP messages to the receiver.
Page 226: The H.323 Alg

6.2.8. The H.323 ALG Chapter 6. Security Mechanisms • An Allow rule for outbound traffic from the clients on the internal network to the proxy located on the DMZ interface. • An Allow rule for outbound traffic from the proxy behind the DMZ interface to the remote clients on the Internet.
Page 227

The H.323 specification was not designed to handle NAT, as IP addresses and ports are sent in the payload of H.323 messages. The H.323 ALG modifies and translates H.323 messages to make sure that H.323 messages will be routed to the correct destination and allowed through the D-Link Firewall.
Page 228: Protecting Phones Behind D-link Firewalls

Example 6.4. Protecting Phones Behind D-Link Firewalls In the first scenario a H.323 phone is connected to the D-Link Firewall on a network (lannet) with public IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules.
Page 229

6.2.8. The H.323 ALG Chapter 6. Security Mechanisms Web Interface Outgoing Rule: Go to Rules > IP Rules > Add > IPRule Now enter: • Name: H323AllowOut • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any •...
Page 230: H.323 With Private Ip Addresses

Example 6.5. H.323 with private IP addresses In this scenario a H.323 phone is connected to the D-Link Firewall on a network with private IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules.
Page 231: Two Phones Behind Different D-link Firewalls

Comment: Allow incoming calls to H.323 phone at ip-phone Click OK To place a call to the phone behind the D-Link Firewall, place a call to the external IP address on the firewall. If multiple H.323 phones are placed behind the firewall, one SAT rule has to be configured for each phone.
Page 232: Using Private Ip Addresses

Example 6.7. Using Private IP Addresses This scenario consists of two H.323 phones, each one connected behind the D-Link Firewall on a network with private IP addresses. In order to place calls on these phones over the Internet, the following rules need to be added to the rule set in the firewall.
Page 233: H.323 With Gatekeeper

Example 6.8. H.323 with Gatekeeper In this scenario, a H.323 gatekeeper is placed in the DMZ of the D-Link Firewall. A rule is configured in the firewall to allow traffic between the private network where the H.323 phones are connected on the internal network and to the Gatekeeper on the DMZ.
Page 234

6.2.8. The H.323 ALG Chapter 6. Security Mechanisms Incoming Gatekeeper Rules: Go to Rules > IP Rules > Add > IPRule Now enter: • Name: H323In • Action: SAT • Service: H323-Gatekeeper • Source Interface: any • Destination Interface: core •...
Page 235: H.323 With Gatekeeper And Two D-link Firewalls

The D-Link Firewall with the Gatekeeper connected to the DMZ should be configured exactly as in scenario 3. The other D-Link Firewall should be configured as below. The rules need to be added to the rule listings, and it should be make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules.
Page 236: Using The H.323 Alg In A Corporate Environment

IP-ranges on their local networks. All outside calls are done over the existing telephone network using the gateway (ip-gateway) connected to the ordinary telephone network. The head office has placed a H.323 Gatekeeper in the DMZ of the corporate D-Link Firewall. This firewall should be configured as follows: Web Interface Go to Rules >...
Page 237

6.2.8. The H.323 ALG Chapter 6. Security Mechanisms Go to Rules > IP Rules > Add > IPRule Now enter: • Name: LanToGK • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: dmz • Source Network: lannet •...
Page 238: Configuring Remote Offices For H.323, Allowing The H.323 Gateway To Register With The Gatekeeper

If the branch and remote office H.323 phones and applications are to be configured to use the H.323 Gatekeeper at the head office, the D-Link Firewalls in the remote and branch offices should be configured as follows: (this rule should be in both the Branch and Remote Office firewalls).
Page 239: The Tls Alg, Tls Termination

TLS and SSL can be regarded as equivalent. In the context of the TLS ALG, we can say that the D-Link Firewall is providing SSL termination since it is acting as an SSL end-point. Regarding the SSL and TLS standards supported, NetDefendOS provides termination support for SSL 3.0 as well as TLS 1.0, with RFC 2246 defining the TLS 1.0 support (with NetDefendOS...
Page 240

TLS can be implemented directly in the server to which clients connect, however, if the servers are protected behind a D-Link Firewall, then NetDefendOS can take on the role of the TLS endpoint. NetDefendOS then performs TLS authentication, encryption and unencryption of data to/from clients and the transfer of unencrypted data to/from servers.
Page 241

D-Link Firewall. What this means is that if a client connects to a webserver behind the D-Link Firewall using the https:// protocol then any web pages delivered back containing absolute URLs with the http:// protocol (perhaps to refer to other pages on the same site) will not have these URLs converted to https:// by NetDefendOS.
Page 242: Web Content Filtering, Overview, Active Content Handling

6.3. Web Content Filtering Chapter 6. Security Mechanisms 6.3. Web Content Filtering 6.3.1. Overview Web traffic is one of the biggest sources for security issues and misuse of the Internet. Inappropriate surfing habits can expose a network to many security threats as well as legal and regulatory liabilities.
Page 243: Static Content Filtering, Stripping Activex And Java Applets

6.3.3. Static Content Filtering Chapter 6. Security Mechanisms Removing such legitimate code could, at best, cause the web site to look distorted, at worst, cause it to not work in a browser at all. Active Content Handling should therefore only be used when the consequences are well understood. Example 6.13.
Page 244: Setting Up A White And Blacklist

In this small scenario a general surfing policy prevents users from downloading .exe-files. However, the D-Link website provides secure and necessary program files which should be allowed to download.
Page 245: Dynamic Web Content Filtering, Dynamic Content Filtering Flow

NetDefendOS WCF allows web page blocking to be automated so it is not necessary to manually specify which URLs to block or allow. Instead, D-Link maintains a global infrastructure of databases containing massive numbers of current web site URL addresses, grouped into a variety of categories such as shopping, news, sport, adult-oriented and so on.
Page 246

If the requested web page URL is not present in the databases, then the webpage content at the URL will automatically be downloaded to D-Link's central data warehouse and automatically analyzed using a combination of software techniques. Once categorized, the URL is distributed to the global databases and NetDefendOS receives the category for the URL.
Page 247: Enabling Dynamic Web Content Filtering

6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms defined with Dynamic Content Filtering enabled. This object is then associated with a Service object and the Service object is then associated with a rule in the IP rule set to determine which traffic should be subject to the filtering.
Page 248: Enabling Audit Mode

6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Go to Local Objects > Services > Add > TCP/UDP service Specify a suitable name for the Service, for example http_content_filtering Select the TCP in the Type dropdown list Enter 80 in the Destination Port textbox Select the HTTP ALG you just created in the ALG list Click OK Finally, modify the NAT rule to use the new service:...
Page 249

The URL to the requested web site as well as the proposed category will then be sent to D-Link's central data warehouse for manual inspection. That inspection may result in the web site being...
Page 250: Reclassifying A Blocked Site

6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Example 6.17. Reclassifying a blocked site This example shows how a user may propose a reclassification of a web site if he believes it is wrongly classified. This mechanism is enabled on a per-HTTP ALG level basis. First, create an HTTP Application Layer Gateway (ALG) Object: gw-world:/>...
Page 251

6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Category 2: News A web site may be classified under the News category if its content includes information articles on recent events pertaining to topics surrounding a locality (for example, town, city or nation) or culture, including weather forecasting information.
Page 252

6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms • www.buy-alcohol.se Category 7: Entertainment A web site may be classified under the Entertainment category if its content includes any general form of entertainment that is not specifically covered by another category. Some examples of this are music sites, movies, hobbies, special interest, and fan clubs.
Page 253

6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms • www.loadsofmoney.com.au • www.putsandcalls.com Category 12: E-Banking A web site may be classified under the E-Banking category if its content includes electronic banking information or services. This category does not include Investment related content; refer to the Investment Sites category (11).
Page 254

6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Category 17: www-Email Sites A web site may be classified under the www-Email Sites category if its content includes online, web-based email facilities. Examples might be: • www.coldmail.com • mail.yazoo.com Category 18: Violence / Undesirable A web site may be classified under the Violence / Undesirable category if its contents are extremely violent or horrific in nature.
Page 255

6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms information or services of relating to a club or society. This includes team or conference web sites. Examples might be: • www.sierra.org • www.walkingclub.org Category 23: Music Downloads A web site may be classified under the Music Downloads category if it provides online music downloading, uploading and sharing facilities as well as high bandwidth audio streaming.
Page 256

6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Category 28: Drugs/Alcohol A web site may be classified under the Drugs/Alcohol category if its content includes drug and alcohol related information or services. Some URLs categorized under this category may also be categorized under the Health category.
Page 257: Editing Content Filtering Http Banner Files

6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms URLForbidden RestrictedSiteNotice ReclassifyURL To perform customization it is necessary to first create a new, named ALG Banner Files object. This new object automatically contains a copy of all the files in the Default ALG Banner Files object.
Page 258

ALG_HTTP my_http_alg HTTPBanners=mytxt As usual, the activate followed by the commit CLI commands must be used to activate the changes on the D-Link Firewall. HTML Page Parameters The HTML pages contain a number of parameters that can be used as and where it is appropriate.
Page 259: Anti-virus Scanning, Overview, Implementation

D-Link Firewall. Once a virus is recognized in the contents of a file, the download can be terminated before it completes.
Page 260: Activating Anti-virus Scanning, The Signature Database

Simultaneous Scans There is no fixed limit on how many Anti-Virus scans can take place simultaneously in a single D-Link Firewall. However, the available free memory can place a limit on the number of concurrent scans that can be initiated.
Page 261: Subscribing To The D-link Anti-virus Service, Anti-virus Options

D-Link Anti-Virus subscription. 6.4.5. Subscribing to the D-Link Anti-Virus Service The D-Link Anti-Virus feature is purchased as an additional component to the base D-Link license and is bought in the form of a renewable subscription. An Anti-Virus subscription includes regular updates of the Kaspersky SafeStream database during the subscription period with the signatures of the latest virus threats.
Page 262

When the update is completed, the newly active unit also downloads the files for the update and performs a reconfiguration. This second reconfiguration causes another failover so the passive unit reverts back to being active again. These steps result in both D-Link Firewalls in a cluster having updated databases and with the...
Page 263

When the NetDefendOS virus scanning engine has detected a virus, the D-Link Firewall will upload blocking instructions to the local switches and instruct them to block all traffic from the infected host or server.
Page 264

6.4.6. Anti-Virus Options Chapter 6. Security Mechanisms B. Then, create a Service object using the new HTTP ALG: Go to Local Objects > Services > Add > TCP/UDP service Specify a suitable name for the Service, for instance http_anti_virus Select the TCP in the Type dropdown list Enter 80 in the Destination Port textbox Select the HTTP ALG you just created in the ALG dropdown list Click OK...
Page 265: Intrusion Detection And Prevention, Overview, Idp Availability In D-link Models

It operates by monitoring network traffic as it passes through the D-Link Firewall, searching for patterns that indicate an intrusion is being attempted. Once detected, NetDefendOS IDP allows steps to be taken to neutralize both the intrusion attempt as well as its source.
Page 266: Idp Database Updating

A new, updated signature database is downloaded automatically by NetDefendOS system at a configurable interval. This is done via an HTTP connection to the D-Link server network which delivers the latest signature database updates. If the server's signature database has a newer version than the current local database, the new database will be downloaded, replacing the older version.
Page 267: Idp Rules

This second reconfiguration causes another failover so the passive unit reverts back to being active again. These steps result in both D-Link Firewalls in a cluster having updated databases and with the original active/passive roles. For more information about HA clusters refer to Chapter 11, High Availability.
Page 268: Insertion/evasion Attack Prevention

6.5.4. Insertion/Evasion Attack Chapter 6. Security Mechanisms Prevention something which is not a valid hexadecimal value. • Double encoding This looks for any hex sequence which itself is encoded using other hex escape sequences. An example would be the original sequence %2526 where %25 is then might be decoded by the HTTP server to '%' and results in the sequence '%26'.
Page 269: Idp Pattern Matching

6.5.5. IDP Pattern Matching Chapter 6. Security Mechanisms and believes it has the full data stream. The attacker now sends two further packets, p2 and p3, which will be accepted by the application which can now complete reassembly but resulting in a different data stream to that seen by the IDP subsystem.
Page 270: Idp Signature Groups

Attackers who build new intrusions often re-use older code. This means their new attacks can appear "in the wild" quickly. To counter this, D-Link IDP uses an approach where the module scans for these reusable components, with pattern matching looking for building blocks rather than the entire complete code patterns.
Page 271: Idp Actions

6.5.7. IDP Actions Chapter 6. Security Mechanisms 2. Signature Group Category This second level of naming describes the type of application or protocol. Examples are: • BACKUP • • • • HTTP 3. Signature Group Sub-Category The third level of naming further specifies the target of the group and often specifies the application, for example MSSQL.
Page 272: Smtp Log Receiver For Idp Events, Configuring An Smtp Log Receiver

Section 6.7, “Blacklisting Hosts and Networks”. IDP ZoneDefense The Protect action includes the option that the particular D-Link switch that triggers the IDP Rule can be de-activated through the D-Link ZoneDefense feature. For more details on how ZoneDefense functions see Chapter 12, ZoneDefense.
Page 273: Setting Up Idp For A Mail Server

6.5.8. SMTP Log Receiver for IDP Chapter 6. Security Mechanisms Events gw-world:/examplerule> set IDPRuleAction 1 LogEnabled=Yes Web Interface Adding an SMTP log receiver: Go to System > Log and Event Receivers > Add > SMTP Event Receiver Now enter: • Name: smtp4IDP •...
Page 274

6.5.8. SMTP Log Receiver for IDP Chapter 6. Security Mechanisms Events An IDP rule called IDPMailSrvRule will be created, and the Service to use is the SMTP service. Source Interface and Source Network defines where traffic is coming from, in this example the external network. The Destination Interface and Destination Network define where traffic is directed to, in this case the mail server.
Page 275

6.5.8. SMTP Log Receiver for IDP Chapter 6. Security Mechanisms Events If logging of intrusion attempts is desired, this can be configured in the Log Settings tab. Create IDP Action: When this IDP Rule has been created, an action must also be created, specifying what signatures the IDP should use when scanning data matching the IDP Rule, and what NetDefendOS should do in case an intrusion is discovered.
Page 276: Denial-of-service Attack Prevention, Overview, Dos Attack Mechanisms, Ping Of Death And Jolt Attacks

Attacks can appear out of thin air and the consequences can be devastating with crashed servers, jammed Internet connections and business critical systems in overload. This section deals with using D-Link Firewalls to protect organizations against these attacks. 6.6.2. DoS Attack Mechanisms A DoS attack can be perpetrated in a number of ways but there are three basic types of attack: •...
Page 277: Fragmentation Overlap Attacks: Teardrop, Bonk, Boink And Nestea, The Land And Latierra Attacks

6.6.4. Fragmentation overlap attacks: Chapter 6. Security Mechanisms Teardrop, Bonk, Boink and Nestea intended victim. "Jolt" is simply a purpose-written program for generating such packets on operating systems whose ping commands refuse to generate oversized packets. The triggering factor is that the last fragment makes the total packet size exceed 65535 bytes, which is the highest number that a 16-bit integer can store.
Page 278: Amplification Attacks: Smurf, Papasmurf, Fraggle

6.6.7. Amplification attacks: Smurf, Chapter 6. Security Mechanisms Papasmurf, Fraggle • By stripping the URG bit by default from all TCP segments traversing the system (configurable via Advanced Settings > TCP > TCPUrg). WinNuke attacks will usually show up in NetDefendOS logs as normal drops with the name of the rule in your policy that disallowed the connection attempt.
Page 279: Tcp Syn Flood Attacks, The Jolt2 Attack, Distributed Dos Attacks

6.6.9. The Jolt2 Attack Chapter 6. Security Mechanisms 6.6.8. TCP SYN Flood Attacks The TCP SYN Flood attack works by sending large amounts of TCP SYN packets to a given port and then not responding to SYN ACKs sent in response. This will tie up local TCP stack resources on the victim machine until it is unable to respond to more SYN packets until the existing half-open connections have timed out.
Page 280: Blacklisting Hosts And Networks

Tip: Important IP addresses should be whitelisted It is recommended to add the D-Link Firewall itself to the whitelist as well as the IP address or network of the management workstation since blacklisting of either could have serious consequences for network operations.
Page 281: Adding A Host To The Whitelist

6.7. Blacklisting Hosts and Networks Chapter 6. Security Mechanisms For further details on usage see Section 6.5.7, “IDP Actions”, Section 10.3.8, “Threshold Rule Blacklisting” and Section 10.3, “Threshold Rules”. Note: The content filtering blacklist is separate Content filtering blacklisting is a separate subject and uses a separate logical list (see Section 6.3, “Web Content Filtering”).
Page 282

6.7. Blacklisting Hosts and Networks Chapter 6. Security Mechanisms...
Page 283: Address Translation

• NAT Pools, page 288 • SAT, page 291 The ability of NetDefendOS to change the IP address of packets as they pass through the D-Link Firewall is known as address translation. The ability to transform one IP address to another can have many benefits. Two of the most important are: •...
Page 284: Nat Ip Address Translation

ARP Publish entry configured for the outbound interface. Otherwise, the return traffic will not be received by the D-Link Firewall. This technique might be used when the source IP is to differ based on the source of the traffic. For example, an ISP that is using NAT, might use different IP addresses for different customers.
Page 285: Adding A Nat Rule

In this example, the Use Interface Address option is used, and we will use 195.11.22.33 as the interface address. In addition, the source port is changed to a free port on the D-Link Firewall, usually one above 32768. In this example, we will use port 32789. The packet is then sent to its destination.
Page 286

We shall examine the typical case where the D-Link Firewall acts as a PPTP server and terminates the PPTP tunnel for PPTP clients. Clients that wish to be anonymous, communicate with their local...
Page 287: Anonymizing With Nat

7.1. NAT Chapter 7. Address Translation ISP using PPTP. The traffic is directed to the anonymizing service provider where a D-Link Firewall is installed to act as the PPTP server for the client, terminating the PPTP tunnel. This arrangement is illustrated in the diagram below.
Page 288: Nat Pools

NAT Pool object. The state table is not allocated all at once but is incremented in size as needed. One entry in the state table tracks all the connections for a single host behind the D-Link Firewall no matter which external host the connection concerns. If Max States is reached then an existing state with the longest idle time is replaced.
Page 289: Using Nat Pools

Pool. See Section 5.5, “IP Pools” for more details on this topic. Proxy ARP Usage Where an external router sends ARP queries to the D-Link Firewall to resolve external IP addresses included in a NAT Pool, NetDefendOS will need to send the correct ARP replies for this resolution to take place through its Proxy ARP mechanism so the external router can correctly build its routing table.
Page 290

7.2. NAT Pools Chapter 7. Address Translation Web Interface A. First create an object in the address book for the address range: Go to Objects > Address Book > Add > IP address Specify a suitable name for the IP range nat_pool_range Enter 10.6.13.10-10.16.13.15 in the IP Address textbox (a network such as 10.6.13.0/24 could be used here - the 0 and 255 addresses will be automatically removed)
Page 291: Translation Of A Single Ip Address (1:1)

In this example, we will create a SAT policy that will translate and allow connections from the Internet to a web server located in a DMZ. The D-Link Firewall is connected to the Internet using the wan interface with address object wan_ip (defined as 195.55.66.77) as IP address.
Page 292

These two rules allow us to access the web server via the D-Link Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection.
Page 293: Enabling Traffic To A Web Server On An Internal Network

These two rules allow us to access the web server via the D-Link Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection.
Page 294: Translation Of Multiple Ip Addresses (m:n)

10.0.0.2:80 => 10.0.0.3:1038 This reply arrives directly to PC1 without passing through the D-Link Firewall. This causes problems. The reason this will not work is because PC1 expects a reply from 195.55.66.77:80, not 10.0.0.2:80. The unexpected reply is discarded and PC1 continues to wait for a response from 195.55.66.77:80, which will never arrive.
Page 295: Translating Traffic To Multiple Protected Web Servers

In this example, we will create a SAT policy that will translate and allow connections from the Internet to five web servers located in a DMZ. The D-Link Firewall is connected to the Internet using the wan interface, and the public IP addresses to use are in the range of 195.55.66.77 to 195.55.66.81.
Page 296

7.3.2. Translation of Multiple IP Chapter 7. Address Translation Addresses (M:N) Create an address object for the public IP address: Go to Objects > Address Book > Add > IP address Specify a suitable name for the object, for example wwwsrv_pub Enter 195.55.66.77 - 195.55.66.77.81 as the IP Address Click OK Now, create another address object for the base of the web server IP addresses:...
Page 297: All-to-one Mappings (n:1), Port Translation, Protocols Handled By Sat

7.3.3. All-to-One Mappings (N:1) Chapter 7. Address Translation • Source Interface:any • Source Network: all-nets • Destination Interface: wan • Destination Network: wwwsrv_pub Click OK 7.3.3. All-to-One Mappings (N:1) NetDefendOS can be used to translate ranges and/or groups into just one IP address. Action Src Iface Src Net Dest Iface...
Page 298: Multiple Sat Rule Matches, Sat And Fwdfast Rules

7.3.6. Multiple SAT rule matches Chapter 7. Address Translation Protocols that are impossible to translate using SAT are most likely also impossible to translate using NAT. Reasons for this include: • The protocol cryptographically requires that the addresses are unaltered; this applies to many VPN protocols.
Page 299

Return traffic from wwwsrv:80 will match rules 2 and 3. • Internal traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. The sender address will be the D-Link Firewall's internal IP address, guaranteeing that return traffic passes through the D-Link Firewall. •...
Page 300

7.3.7. SAT and FwdFast Rules Chapter 7. Address Translation mechanism.
Page 301

7.3.7. SAT and FwdFast Rules Chapter 7. Address Translation...
Page 302: User Authentication, Overview

This chapter deals specifically with user authentication through validation of username/password combinations manually entered by a user attempting to gain access to resources. Access to the Internet using the HTTP protocol through the D-Link Firewall is an example of this, where a username/password combination is the primary authentication method.
Page 303

8.1. Overview Chapter 8. User Authentication • Changed on a regular basis such as every three months.
Page 304: Authentication Setup, Setup Summary, The Local Database, External Radius Servers

In a larger network topology with a larger administration workload, it is often preferable to have a central authentication database on a dedicated server. When there is more than one D-Link Firewall in the network and thousands of users, maintaining separate authentication databases on each device becomes problematic.
Page 305: External Ldap Servers

Lightweight Directory Access Protocol (LDAP) servers can also be used with NetDefendOS as an authentication source. This is implemented by the D-Link Firewall acting as a client to one or more LDAP servers. Multiple servers can be configured to provide redundancy if any servers become unreachable.
Page 306

8.2.4. External LDAP Servers Chapter 8. User Authentication unreachable. The default value for this setting is 5. • Name Attribute The name of the field in the LDAP server containing the username. The default value is uid. This should be set to samaccountname if using Active Directory. •...
Page 307

8.2.4. External LDAP Servers Chapter 8. User Authentication LDAP server authentication is automatically configured to work using LDAP Bind Request Authentication. This means that authentication succeeds if successful connection is made to the LDAP server. Individual clients are not distinguished from one another. LDAP server referrals should not occur with bind request authentication but if they do, the server sending the referral will be regarded as not having responded.
Page 308: Normal Ldap Authentication

A successful digest match then results in successful authentication. The essential difference with the normal event sequence in A above is that it is the D-Link Firewall itself which is performing the authentication.
Page 309: Authentication Rules, Ldap For Ppp With Chap, Ms-chapv1 Or Ms-chapv2

An Authentication Rule should be defined when the user establishing a connection through the D-Link Firewall is to be prompted for a username/password login sequence. Authentication Rules are set up in a way that is similar to other NetDefendOS security policies, by specifying which traffic is to be subject to the rule.
Page 310: Authentication Processing

8.2.6. Authentication Processing Chapter 8. User Authentication A further option, Disallow, can be used so that a negative rule can be created which says "never authenticate given these conditions". This option might be used, for instance, to never authenticate connections coming in on a particular interface. These Disallow rules are usually best located at the end of the authentication rule set.
Page 311: Http Authentication

Chapter 8. User Authentication authentication: A user creates a new connection to the D-Link Firewall. NetDefendOS sees the new user connection on an interface and checks the Authentication rule set to see if there is a matching rule for traffic on this interface, coming from this network and data which is one of the following types: •...
Page 312

The first rule allows the authentication process to take place and assumes the client is trying to access the lan_ip IP address, which is the IP address of the interface on the D-Link Firewall where the local network connects.
Page 313: Creating An Authentication User Group, User Authentication Setup For Web Access

8.2.7. HTTP Authentication Chapter 8. User Authentication Example 8.1. Creating an Authentication User Group In the example of an authentication address object in the Address Book, a user group "users" is used to enable user authentication on "lannet". This example shows how to configure the user group in the NetDefendOS database.
Page 314: Configuring A Radius Server

8.2.7. HTTP Authentication Chapter 8. User Authentication Click OK B. Set up the Authentication Rule Go to User Authentication > User Authentication Rules > Add > User Authentication Rule Now enter: • Name: HTTPLogin • Agent: HTTP • Authentication Source: Local •...
Page 315: Customizing Html

8.3. Customizing HTML Pages Chapter 8. User Authentication Click OK 8.3. Customizing HTML Pages User Authentication makes use of a set of HTML files to present information to the user during the authentication process. The options available for HTTP authentication processing are as follows: •...
Page 316

8.3. Customizing HTML Pages Chapter 8. User Authentication • - The web page URL for redirects. The %REDIRURL% Parameter In certain banner web pages, the parameter %REDIRURL% appears. This is a placeholder for the original URL which was requested before the user login screen appeared for an unauthenticated user.
Page 317

Using the CLI, the relevant user authentication rule should now be set to use the ua_html. If the rule us called my_auth_rule, the command would be: set UserAuthRule my_auth_rule HTTPBanners=ua_html As usual, use the activate followed by the commit CLI commands to activate the changes on the D-Link Firewall.
Page 318

8.3. Customizing HTML Pages Chapter 8. User Authentication...
Page 319: Vpn Usage, Overview

There are two common scenarios where VPN is used: LAN to LAN connection - Where two internal networks need to be connected together over the Internet. In this case, each network is protected by an individual D-Link Firewall and the VPN tunnel is set up between them.
Page 320: Vpn Encryption, Vpn Planning

Client to LAN connection - Where many remote clients need to connect to an internal network over the Internet. In this case, the internal network is protected by the D-Link Firewall to which the client connects and the VPN tunnel is set up between them.
Page 321: Key Distribution, The Tls Alternative For Vpn

If secure access by clients to web servers using HTTP is the scenario under consideration, then using a D-Link Firewall for TLS termination can offer an alternative "lightweight" VPN approach that is quickly and easily implemented. This topic is described further in Section 6.2.9, “The TLS...
Page 322

9.1.5. The TLS Alternative for VPN Chapter 9. VPN ALG”.
Page 323: Vpn Quick Start, Ipsec Lan To Lan With Pre-shared Keys

The remote network which lies behind the remote VPN gateway (let's call this object remote_net). • The local network behind the D-Link Firewall which will communicate across the tunnel. Here we will assume that this is the pre-defined address lannet and this network is attached to the NetDefendOS lan interface.
Page 324: Ipsec Lan To Lan With Certificates

The certificate setup steps are: The NetDefendOS date and time must be set correctly since certificates can expire. Open the WebUI management interface for the D-Link Firewall at one end of the tunnel. Under Authentication Objects, add the Root Certificate and Host Certificate into...
Page 325: Ipsec Roaming Clients With Pre-shared Keys

Add the Root Certificate to use. Select the Gateway Certificate. Open the WebUI management interface for the D-Link Firewall at the other side of the tunnel and repeat the above steps but reversing the certificate usage. What was the root certificate is now added as the gateway certificate, and its private key file is not used.
Page 326

9.2.3. IPsec Roaming Clients with Chapter 9. VPN Pre-shared Keys • An external authentication server. An internal user database is easier to set up and is assumed here. Changing this to an external server is simple to do later. To implement user authentication with an internal database: •...
Page 327: Ipsec Roaming Clients With Certificates

In both cases (A) and (B) above, the IPsec client will need to be correctly configured. The client configuration will require the following: with as well as the pre-shared key. • Define the URL or IP address of the D-Link Firewall. The client needs to locate the tunnel endpoint. •...
Page 328: L2tp Roaming Clients With Pre-shared Keys

9.2.5. L2TP Roaming Clients with Chapter 9. VPN Pre-Shared Keys Add the Root Certificate to use. The IPsec client software will need to be appropriately configured with the certificates and remote IP addresses. As already mentioned above, many third party IPsec client products are available and this manual will not focus on any one of these clients.
Page 329: L2tp Roaming Clients With Certificates

The second rule would be included to allow clients to surf the Internet via the ext interface on the D-Link Firewall. The client will be allocated a private internal IP address which must be NATed if connections are then made out to the public Internet via the D-Link Firewall.
Page 330: Pptp Roaming Clients

A major secondary disadvantage is not being able to NAT PPTP connections through a tunnel so multiple clients can use a single connection to the D-Link Firewall. If NATing is tried then only the first client that tries to connect will succeed.
Page 331

As described for L2TP, the NAT rule lets the clients access the public Internet via the D-Link Firewall. Set up the client. For Windows XP, the procedure is exactly as described for L2TP above but without entering the pre-shared key.
Page 332: Ipsec Components, Overview, Internet Key Exchange (ike)

9.3. IPsec Components Chapter 9. VPN 9.3. IPsec Components 9.3.1. Overview Internet Protocol Security (IPsec) is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP security at the network layer. An IPsec based VPN is made up of two parts: •...
Page 333

9.3.2. Internet Key Exchange (IKE) Chapter 9. VPN describing the incoming traffic, and the other the outgoing. In cases where ESP and AH are used in conjunction, four SAs will be created. IKE Negotiation The process of negotiating session parameters consists of a number of phases and modes. These are described in detail in the below sections.
Page 334

When installing two D-Link Firewalls as VPN endpoints, this process is reduced to comparing fields in two identical dialog boxes. However, it is not quite as easy when equipment from different vendors is involved.
Page 335

9.3.2. Internet Key Exchange (IKE) Chapter 9. VPN In transport mode, the traffic will not be tunneled, and is hence not applicable to VPN tunnels. It can be used to secure a connection from a VPN client directly to the D-Link Firewall, example IPsec...
Page 336

9.3.2. Internet Key Exchange (IKE) Chapter 9. VPN The algorithms supported by NetDefendOS IPsec are: • • Blowfish • Twofish • Cast128 • 3DES • DES is only included to be interoperable with other older VPN implementations. The use of DES should be avoided whenever possible, since it is an older algorithm that is no longer considered to be sufficiently secure.
Page 337

IPsec Encryption The encryption algorithm that will be used on the protected IPsec traffic. This is not needed when AH is used, or when ESP is used without encryption. The algorithms supported by D-Link Firewall VPNs are: • • Blowfish •...
Page 338: Ike Authentication

IKE is not used at all; the encryption and authentication keys as well as some other parameters are directly configured on both sides of the VPN tunnel. Note D-Link Firewalls do not support Manual Keying. Manual Keying Advantages Since it is very straightforward it will be quite interoperable. Most interoperability problems encountered today are in IKE.
Page 339: Ipsec Protocols (esp/ah), The Ah Protocol

9.3.4. IPsec Protocols (ESP/AH) Chapter 9. VPN Certificates Each VPN firewall has its own certificate, and one or more trusted root certificates. The authentication is based on several things: • That each endpoint has the private key corresponding to the public key found in its certificate, and that nobody else has access to the private key.
Page 340: Nat Traversal, The Esp Protocol

9.3.5. NAT Traversal Chapter 9. VPN Apart from the IP packet data, AH also authenticates parts of the IP header. The AH protocol inserts an AH header after the original IP header. In tunnel mode, the AH header is inserted after the outer header, but before the original, inner IP header. ESP (Encapsulating Security Payload) The ESP protocol inserts an ESP header after the original IP header, in tunnel mode, the ESP header is inserted after the outer header, but before the original, inner IP header.
Page 341: Algorithm Proposal Lists

9.3.6. Algorithm Proposal Lists Chapter 9. VPN To achieve NAT detection both IPsec peers send hashes of their own IP addresses along with the source UDP port used in the IKE negotiations. This information is used to see whether the IP address and source port each peer uses is the same as what the other peer sees.
Page 342: Pre-shared Keys, Using An Algorithm Proposal List

9.3.7. Pre-shared Keys Chapter 9. VPN Several algorithm proposal lists are already defined by default in NetDefendOS for different VPN scenarios and user defined lists can be added. Two IKE algorithm lists and two IPsec lists are already defined by default: •...
Page 343: Using A Pre-shared Key

9.3.8. Identification Lists Chapter 9. VPN Pre-Shared Keys are used to authenticate VPN tunnels. The keys are secrets that are shared by the communicating parties before communication takes place. To communicate, both parties prove that they know the secret. The security of a shared secret depends on how "good" a passphrase is. Passphrases that are common words are extremely vulnerable to dictionary attacks.
Page 344: Identification Lists, Using An Identity List

Chapter 9. VPN 9.3.8. Identification Lists When certificates are used as authentication method for IPsec tunnels, the D-Link Firewall will accept all remote devices or VPN clients that are capable of presenting a certificate signed by any of the trusted Certificate Authorities. This can be a potential problem, especially when using roaming clients.
Page 345

Chapter 9. VPN Enter a name for the ID, for example JohnDoe Select Distinguished name in the Type control Now enter: • Common Name: John Doe • Organization Name: D-Link • Organizational Unit: Support • Country: Sweden • Email Address: john.doe@D-Link.com...
Page 346: Ipsec Tunnels, Overview, Lan To Lan Tunnels With Pre-shared Keys

Secure communication is achieved through the use of IPsec tunneling, with the tunnel extending from the VPN gateway at one location to the VPN gateway at another location. The D-Link Firewall is therefore the implementer of the VPN, while at the same time applying normal security surveillance of traffic passing through the tunnel.
Page 347: Roaming Clients, Setting Up A Psk Based Vpn Tunnel For Roaming Clients

Dealing with Unknown IP addresses If the IP address of the client is not known before hand then the D-Link Firewall needs to create a route in its routing table dynamically as each client connects. In the example below this is the case and the IPsec tunnel is configured to dynamically add routes.
Page 348: Setting Up A Self-signed Certificate Based Vpn Tunnel For Roaming Clients

Example 9.5. Setting up a Self-signed Certificate based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office D-Link Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip.
Page 349: Setting Up A Ca Server Issued Certificate Based Vpn Tunnel For Roaming Clients

Example 9.6. Setting up a CA Server issued Certificate based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office D-Link Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip.
Page 350

9.4.3. Roaming Clients Chapter 9. VPN Select the X.509 Certificate option Click OK B. Create Identification Lists: Go to Objects > VPN Objects > ID List > Add > ID List Enter a descriptive name, for example sales Click OK Go to Objects >...
Page 351: Setting Up Config Mode, Using Config Mode With Ipsec Tunnels

9.4.3. Roaming Clients Chapter 9. VPN An IP pool is a cache of IP addresses collected from DHCP servers and leases on these addresses are automatically renewed when the lease time is about to expire. IP Pools also manage additional information such as DNS and WINS/NBNS, just as an ordinary DHCP server would.
Page 352: Fetching Crls From An Alternate Ldap Server, Troubleshooting With Ikesnoop, Setting Up An Ldap Server

9.4.4. Fetching CRLs from an alternate LDAP server A Root Certificate usually includes the IP address or hostname of the Certificate Authority to contact when certificates or CRLs need to be downloaded to the D-Link Firewall. Lightweight Directory Access Protocol (LDAP) is used for these downloads.
Page 353

9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN The ikesnoop command can be entered via a CLI console or directly via the RS232 Console. To begin monitoring the full command is: gw-world:/> ikesnoop -on -verbose This means that ikesnoop output will be sent to the console for every VPN tunnel IKE negotiation. The output can be overwhelming so to limit the output to a single IP address, for example the IP address 10.1.1.10, the command would be: gw-world:/>...
Page 354

9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Authentication method : Pre-Shared Key Group description : MODP 1024 Life type : Seconds Life duration : 43200 Life type : Kilobytes Life duration : 50000 Transform 2/4 Transform ID : IKE Encryption algorithm : Rijndael-cbc (aes) Key length : 128...
Page 355

9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Explanation of Values Exchange type: Main mode or aggressive mode Cookies: A random number to identify the negotiation Encryption algorithm: Cipher Key length: Cipher key length Hash algorithm: Hash Authentication method: Pre-shared key or certificate Group description: Diffie Hellman (DH) group Life type: Seconds or kilobytes Life duration: No of seconds or kilobytes...
Page 356

9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Payload data length : 16 bytes Vendor ID : cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 Description : draft-ietf-ipsec-nat-t-ike-02 VID (Vendor ID) Payload data length : 16 bytes Vendor ID : 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f Description : draft-ietf-ipsec-nat-t-ike-02...
Page 357

9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Step 5. Client Sends Identification The initiator sends the identification which is normally an IP address or the Subject Alternative Name if certificates are used. IkeSnoop: Received IKE packet from 192.168.0.10:500 Exchange type : Identity Protection (main mode) ISAKMP Version : 1.0 Flags : E (encryption)
Page 358

9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Quick mode ISAKMP Version : 1.0 Flags : E (encryption) Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a Message ID : 0xaa71428f Packet length : 264 bytes # payloads Payloads: HASH (Hash) Payload data length : 16 bytes SA (Security Association) Payload data length : 164 bytes DOI : 1 (IPsec DOI)
Page 359

9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Authentication algorithm: HMAC (Hash) Group description: PFS and PFS group SA life type: Seconds or Kilobytes SA life duration: Number seconds or kilobytes Encapsulation mode: Could be transport, tunnel or UDP tunnel (NAT-T) ID: ipv4(any:0,[0..3]=10.4.2.6) Here the first ID is the local network of the tunnel from the client's point of view and the second ID is the remote network.
Page 360: Ipsec Advanced Settings

9.4.6. IPsec Advanced Settings Chapter 9. VPN Flags : E (encryption) Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a Message ID : 0xaa71428f Packet length : 48 bytes # payloads Payloads: HASH (Hash) Payload data length : 16 bytes 9.4.6. IPsec Advanced Settings The following NetDefendOS advanced settings are available for configuring IPsec tunnels.
Page 361

9.4.6. IPsec Advanced Settings Chapter 9. VPN IPsec Before Rules Pass IKE and IPsec (ESP/AH) traffic sent to NetDefendOS directly to the IPsec engine without consulting the rule set. Default: Enabled IKE CRL Validity Time A CRL contains a "next update" field that dictates the time and date when a new CRL will be available for download from the CA.
Page 362

9.4.6. IPsec Advanced Settings Chapter 9. VPN In other words, the amount of time in tens of seconds that a tunnel is without traffic or any other sign of life before the peer is considered dead. If DPD is due to be triggered but other evidence of life is seen (such as IKE packets from the other side of the tunnel) within the time frame, no DPD-R-U-THERE messages will be sent.
Page 363: Pptp/l2tp, Pptp Servers

- IP protocol 47). The client first establishes a connection to an ISP in the normal way using the PPP protocol and then establishes a TCP/IP connection across the Internet to the D-Link Firewall, which acts as the PPTP server (TCP port 1723 is used). The ISP is not aware of the VPN since the tunnel extends from the PPTP server to the client.
Page 364: L2tp Servers, Setting Up A Pptp Server, Setting Up An L2tp Server

9.5.2. L2TP Servers Chapter 9. VPN TCP port 1723 and/or IP protocol 47 before the PPTP connection can be made to the D-Link Firewall. Examining the log can indicate if this problem occurred, with a log message of the following form appearing: Error PPP lcp_negotiation_stalled ppp_terminated Example 9.10.
Page 365: Setting Up An L2tp Tunnel Over Ipsec

9.5.2. L2TP Servers Chapter 9. VPN This example shows how to setup a L2TP Network Server. The example assumes that you have created some address objects in the Address Book. You will have to specify the IP address of the L2TP server interface, an outer IP address (that the L2TP server should listen to) and an IP pool that the L2TP server will use to give out IP addresses to the clients from.
Page 366

9.5.2. L2TP Servers Chapter 9. VPN • Password: mypassword • Confirm Password: mypassword Click OK Now we will setup the IPsec Tunnel, which will later be used in the L2TP section. As we are going to use L2TP, the Local Network is the same IP as the IP that the L2TP tunnel will connect to, wan_ip. Furthermore, the IPsec tunnel needs to be configured to dynamically add routes to the remote network when the tunnel is established.
Page 367

9.5.2. L2TP Servers Chapter 9. VPN Enter a name for the L2TP tunnel, for example l2tp_tunnel Now enter: • Inner IP Address: lan_ip • Tunnel Protocol: L2TP • Outer Interface Filter: l2tp_ipsec • Server IP: wan_ip Under the PPP Parameters tab, check the Use User Authentication Rules control Select l2tp_pool in the IP Pool control Under the Add Route tab, select all-nets in the Allowed Networks control In the ProxyARP control, select the lan interface...
Page 368: L2tp/pptp Server Advanced Settings

9.5.3. L2TP/PPTP Server advanced settings The following L2TP/PPTP server advanced settings are available to the administrator: L2TP Before Rules Pass L2TP traffic sent to the D-Link Firewall directly to the L2TP Server without consulting the rule set. Default: Enabled PPTP Before Rules Pass PPTP traffic sent to the D-Link Firewall directly to the PPTP Server without consulting the rule set.
Page 369: Pptp/l2tp Clients

PPTP or L2TP server, NetDefendOS also offers the ability to act as a PPTP or L2TP clients. This can be useful if PPTP or L2TP is preferred as the VPN protocol instead of IPsec. One D-Link Firewall can act as a client and connect to another unit which acts as the server.
Page 370: Pptp Client Usage

Here a number of clients are being NATed through NetDefendOS before being connected to a PPTP server on the other side of the D-Link Firewall. If more that one of the clients is acting as a PPTP client which is trying to connect to the PPTP server then this will not work because of the NATing.
Page 371: Ca Server Access

IP address. The following scenarios are possible: The CA server is a private server behind the D-Link Firewall and the tunnels are set up over the public Internet but to clients that will not try to validate the certificate sent by NetDefendOS.
Page 372: Certificate Validation Components

It must be also possible for an HTTP PUT request to pass from the validation request source (either the D-Link Firewall or a client) to the CA server and an HTTP reply to be received. If the request is going to pass through the D-Link Firewall, the appropriate rules in the NetDefendOS IP rule set need to be defined to allow this traffic through.
Page 373

DNS servers for certificate validation requests coming from the public Internet. If the certificate queries are coming only from the D-Link Firewall and the CA server is on the internal side of the firewall then the IP address of the internal DNS server must be configured in NetDefendOS so that these requests can be resolved.
Page 374: Vpn Troubleshooting

Use ICMP Ping to confirm that the tunnel is working. With roaming clients this is best done by Pinging the internal IP address of the local network interface on the D-Link Firewall from a client (in LAN to LAN setups pinging could be done in any direction). If NetDefendOS is to...
Page 375

The basic form of this command is: ikesnoop -on -verbose Once issued, an ICMP ping can then be sent to the D-Link Firewall from the remote end of the tunnel. This will cause ikesnoop to output details of the tunnel setup negotiation to the console and any algorithm proposal list incompatibilities can be seen.
Page 376: Management Interface Failure With Vpn

VPN tunnel. If the management interface is not reached by the VPN tunnel then the administrator needs to create a specific route that routes management interface traffic leaving the D-Link Firewall back to the management subnet. When any VPN tunnel is defined, an all-nets route is automatically defined in the routing table so the administrator should always set up a specific route for the management interface to be correctly routed.
Page 377

Management Interface Failure with Chapter 9. VPN...
Page 378: Traffic Management, Traffic Shaping, Introduction

NetDefendOS provides QoS control by allowing the administrator to apply limits and guarantees to the network traffic passing through the D-Link Firewall. This approach is often referred to as traffic shaping and is well suited to managing bandwidth for local area networks as well as to managing the bottlenecks that might be found in larger wide area networks.
Page 379: Traffic Shaping In Netdefendos

NetDefendOS offers extensive traffic shaping capabilities for the packets passing through the D-Link Firewall. Different rate limits and traffic guarantees can be created as policies based on the traffic's source, destination and protocol, similar to the way in which IP rule set policies are created.
Page 380: Packet Flow Of Pipe Rule Set To Pipe, Fwdfast Rules Bypass Traffic Shaping

Pipe Rule. These lists are: • The Forward Chain These are the pipes that will be used for outgoing (leaving) traffic from the D-Link Firewall. One, none or a series of pipes may be specified. •...
Page 381: Simple Bandwidth Limiting, Applying A Simple Bandwidth Limit

10.1.3. Simple Bandwidth Limiting Chapter 10. Traffic Management 10.1.3. Simple Bandwidth Limiting The simplest use of pipes is for bandwidth limiting. This is also a scenario that does not require much planning. The example that follows applies a bandwidth limit to inbound traffic only. This is the direction most likely to cause problems for Internet connections.
Page 382: Limiting Bandwidth In Both Directions

10.1.4. Limiting Bandwidth in Both Chapter 10. Traffic Management Directions Now enter: • Service: all_services • Source Interface: lan • Source Network: lannet • Destination Interface: wan • Destination Network: all-nets Under the Traffic Shaping tab, make std-in selected in the Return Chain control Click OK This setup limits all traffic from the outside (the Internet) to 2 megabits per second.
Page 383: Creating Differentiated Limits With Chains, Precedences

10.1.5. Creating Differentiated Limits Chapter 10. Traffic Management with Chains Specify a name for the pipe, for example std-out Enter 2000 in Total textbox Click OK After creating a pipe for outbound bandwidth control, add it to the forward pipe chain of the rule created in the previous example: gw-world:/>...
Page 384: The Eight Pipe Precedences

10.1.6. Precedences Chapter 10. Traffic Management default precedence of 0. Eight precedences exist, numbered from 0 to 7. Precedence 0 is the least important and 7 is the most important. A precedence can be viewed as a separate traffic queue; traffic in precedence 2 will be forwarded before traffic in precedence 0, precedence 4 forwarded before 2.
Page 385: Guarantees, Minimum And Maximum Pipe Precedence

10.1.7. Guarantees Chapter 10. Traffic Management The precedence defined as the minimum pipe precedence has a special meaning: it acts as the Best Effort Precedence. All packets arriving at this precedence will always be processed on a "first come, first forwarded" basis and cannot be sent to another precedence. Packets with a higher precedence and that exceed the limits of that precedence will automatically be transferred down into this Best Effort precedence and they will no longer be treated differently from packets with lower priorities.
Page 386: Differentiated Guarantees

10.1.8. Differentiated Guarantees Chapter 10. Traffic Management Bandwidth guarantees ensure that there is a minimum amount of bandwidth available for a given precedence. This is done by specifying a maximum limit for the precedence in a pipe. This will be the maximum amount of bandwidth that the precedence will accept and will send ahead of lower precedences.
Page 387: Groups, Traffic Grouped Per Ip Address

10.1.9. Groups Chapter 10. Traffic Management reserved amount, 64 and 32 kbps, respectively, of precedence 2 traffic will reach std-in. SSH and Telnet traffic exceeding their guarantees will reach std-in as precedence 0, the best-effort precedence of the std-in and ssh-in pipes. Note Here, the ordering of the pipes in the return chain is important.
Page 388: Recommendations

10.1.10. Recommendations Chapter 10. Traffic Management Group Limits and Guarantees In addition to specifying a total limit for group users, limits can be specified for each preference. If we specify a group user limit of 30 bps for precedence 2 then this means that users assigned a precedence of 2 by a Pipe Rule will be guaranteed 30 bps no matter how many users are using the pipe.
Page 389: A Summary Of Traffic Shaping

Traffic shaping cannot protect against incoming resource exhaustion attacks, such as DoS attacks or other flooding attacks. NetDefendOS will prevent these extraneous packets from reaching the hosts behind the D-Link Firewall, but cannot protect the connection becoming overloaded if an attack floods it.
Page 390: More Pipe Examples, A Basic Traffic Shaping Scenario

10.1.12. More Pipe Examples Chapter 10. Traffic Management • Pipe Rules send traffic through Pipes. • A pipe can have a limit which is the maximum amount of traffic allowed. • A pipe can only know when it is full if a limit is specified. •...
Page 391

10.1.12. More Pipe Examples Chapter 10. Traffic Management The reason for using 2 different pipes in this case, is that these are easier to match to the physical link capacity. This is especially true with asynchronous links such as ADSL. First, two pipes called in-pipe and out-pipe need to be created with the following parameters: Pipe Name Min Prec...
Page 392

VoIP, Citrix and Web-surfing traffic. A VPN Scenario In the cases discussed so far, all traffic shaping is occurring inside a single D-Link Firewall. VPN is typically used for communication between a headquarters and branch offices in which case pipes can control traffic flow in both directions.
Page 393

10.1.12. More Pipe Examples Chapter 10. Traffic Management • Priority 0: Best effort Total: 1700 • in-pipe • Priority 6: VoIP 500 kpbs Total: 2000 • out-pipe • Priority 6: VoIP 500 kpbs Total: 2000 The following pipe rules are then needed to force traffic into the correct pipes and precedence levels: Rule Forward...
Page 394: Idp Traffic Shaping, Overview, Setup

10.2. IDP Traffic Shaping Chapter 10. Traffic Management 10.2. IDP Traffic Shaping 10.2.1. Overview The IDP Traffic Shaping feature is traffic shaping that is performed based on information coming from the NetDefendOS Intrusion Detection and Prevention (IDP) subsystem (for more information on IDP see Section 6.5, “Intrusion Detection and Prevention”).
Page 395: Processing Flow, The Importance Of Specifying A Network

To better understand how IDP Traffic Shaping is applied, the following are the processing steps that occur: A new connection is opened by one host to another through the D-Link Firewall and traffic begins to flow. The source and destination IP address of the connection is noted by NetDefendOS.
Page 396: A P2p Scenario, Viewing Traffic Shaping Objects, Idp Traffic Shaping P2p Scenario

10.2.5. A P2P Scenario Chapter 10. Traffic Management Network range but not host X. This tells NetDefendOS that host X is not relevant in making a decision about including new non-IDP-triggering connections in traffic shaping. It may seem counter-intuitive that client B is also included in the Network range but this is done on the assumption that client B is a user whose traffic might also have to be traffic shaped if they become involved in a P2P transfer.
Page 397: Guaranteeing Instead Of Limiting Bandwidth

10.2.7. Guaranteeing Instead of Chapter 10. Traffic Management Limiting Bandwidth IDP traffic shaping has a special CLI command associated with it called idppipes and this can examine and manipulate the hosts which are currently subject to traffic shaping. To display all hosts being traffic shaped by IDP Traffic Shaping, the command would be: gw-world:/>...
Page 398: Logging

10.2.8. Logging Chapter 10. Traffic Management If the administrator wants to guarantee a bandwidth level, say 10 Megabits, for an application then an IDP rule can be set up to trigger for that application with the Pipe action specifying the bandwidth required.
Page 399: Threshold Rules, Overview, Limiting The Connection Rate/total Connections, Grouping, Rule Actions

Total Connection Limiting allows the administrator to put a limit on the total number of connections opened to the D-Link Firewall. This function is extremely useful when NAT pools are required due to the large number of connections generated by P2P users.
Page 400: Multiple Triggered Actions, Exempted Connections, Threshold Rules And Zonedefense, Threshold Rule Blacklisting

Rules if they are enabled. 10.3.7. Threshold Rules and ZoneDefense Threshold Rules are used in the D-Link ZoneDefense feature to block the source of excessive connection attmepts from internal hosts. For more information on this refer to Chapter 12, ZoneDefense.
Page 401: Server Load Balancing, Overview, A Server Load Balancing Configuration

D-Link Firewall. Note: SLB is not available on all D-Link models The SLB feature is only available on the D-Link DFL-800, DFL-860, DFL-1600 and DFL-2500 product models. Figure 10.8. A Server Load Balancing Configuration...
Page 402: Identifying The Servers, The Load Distribution Mode

10.4.2. Identifying the Servers Chapter 10. Traffic Management The Additional Benefits of SLB Besides from improving performance and scalability, SLB provides a number of other benefits: • SLB increases the reliability of network applications by actively monitoring the servers sharing the load.
Page 403: The Distribution Algorithm, Connections From Three Clients

10 seconds will be remembered. An Example Connection Scenario An example scenario is illustrated in the figure below. In this example, the D-Link Firewall is responsible for balancing connections from 3 clients with different addresses to 2 servers. Stickiness is enabled.
Page 404: Stickiness And Round-robin, Stickiness And Connection Rate

10.4.5. Server Health Monitoring Chapter 10. Traffic Management When the Round Robin algorithm is used, the first arriving requests R1 and R2 from Client 1 are both assigned to one sever, say Server 1, according to stickiness. The next request R3 from Client 2 is then routed to Server 2.
Page 405: Server Health Monitoring, Slb_sat Rules

The table below shows the rules that would be defined for a typical scenario of a set of webservers behind the D-Link Firewall for which the load is being balanced. The Allow rule allows external clients to access the webservers.
Page 406: Setting Up Slb

In this example server load balancing is to be done between 2 HTTP webservers which are situated behind the D-Link Firewall. The 2 webservers have the private IP addresses 192.168.1.10 and 192.168.1.11 respectively. The default SLB values for monitoring, distribution method and stickiness are used.
Page 407

10.4.6. SLB_SAT Rules Chapter 10. Traffic Management • Source Network: lannet • Destination Interface: core • Destination Network: ip_ext Click OK E. Specify an Allow IP rule for the external clients: Go to Rules > IP Rule Sets > main > Add > IP Rule Enter: •...
Page 408

10.4.6. SLB_SAT Rules Chapter 10. Traffic Management...
Page 409: High Availability, Overview

The active unit is the D-Link Firewall that is actually processing all traffic at a given point in time. This could be the slave unit if a failover has occurred because the master is no longer operational.
Page 410

Load-sharing D-Link HA clusters do not provide load-sharing since only one unit will be active while the other is inactive and only two D-Link Firewalls, the master and the slave, can exist in a single cluster. The only processing role that the inactive unit plays is to replicate the state of the active unit and to take over all traffic processing if it detects the active unit is not responding.
Page 411: Ha Mechanisms

11.2. HA Mechanisms Basic Principles D-Link HA provides a redundant, state-synchronized hardware configuration. The state of the active unit, such as the connection table and other vital information, is continuously copied to the inactive unit via the sync interface. When cluster failover occurs, the inactive unit knows which connections are active, and traffic can continue to flow.
Page 412

A database update causes the following sequence of events to occur in an HA cluster: The active (master) unit downloads the new database files from the D-Link servers. The download is done via the shared IP address of the cluster.
Page 413: Ha Setup, Hardware Setup, High Availability Setup

This section provides a step-by-step guide for setting up an HA Cluster. 11.3.1. Hardware Setup Start with two physically similar D-Link Firewalls. Both may be newly purchased or one may have been purchased to be the back-up unit (in other words, to be the slave unit).
Page 414: Netdefendos Manual Ha Setup

Note The shared IP address cannot be used for remote management or monitoring purposes. When using, for example, SSH for remote management of the D-Link Firewalls in an HA Cluster, the individual IP addresses of the firewall's interfaces must be used and these are specified in IP4 HA Address objects as discussed above.
Page 415: Verifying The Cluster Is Functioning

IP4 HA Address object may be public if management access across the public Internet is required. Save and activate the new configuration. 10. Repeat the above steps for the other D-Link Firewall but this time select the node type to be Slave. Making Cluster Configuration Changes The configuration on both D-Link Firewalls needs to be the same.
Page 416: Using Unique Shared Mac Addresses

11.3.4. Using Unique Shared Mac Chapter 11. High Availability Addresses • Make sure that the advanced setting High Buffers is set to be automatic for both units in the cluster. This setting determines how memory is allocated by NetDefendOS for handling increasing numbers of connections.
Page 417: Ha Issues

11.4. HA Issues Chapter 11. High Availability 11.4. HA Issues The following points should be kept in mind when managing and configuring an HA Cluster. SNMP SNMP statistics are not shared between master and slave. SNMP managers have no failover capabilities.
Page 418: Ha Advanced Settings

11.5. HA Advanced Settings Chapter 11. High Availability 11.5. HA Advanced Settings The following NetDefendOS advanced settings are available for High Availability: Sync Buffer Size How much sync data, in Kbytes, to buffer while waiting for acknowledgments from the cluster peer. Default: 1024 Sync Packet Max Burst The maximum number of state sync packets to send in a burst.
Page 419

11.5. HA Advanced Settings Chapter 11. High Availability...
Page 420: Zonedefense, Overview

• ZoneDefense Operation, page 422 12.1. Overview ZoneDefense Controls Switches ZoneDefense allows a D-Link Firewall to control locally attached switches. It can be used as a counter-measure to stop a virus-infected computer in a local network from infecting other computers.
Page 421: Zonedefense Switches

12.2. ZoneDefense Switches Chapter 12. ZoneDefense 12.2. ZoneDefense Switches Switch information regarding every switch that is to be controlled by the firewall has to be manually specified in the firewall configuration. The information needed in order to control a switch includes: •...
Page 422: Zonedefense Operation, Snmp, Threshold Rules, Manual Blocking And Exclude Lists

SNMP Managers A typical managing device, such as a D-Link Firewall, uses the SNMP protocol to monitor and control network devices in the managed environment. The manager can query stored statistics from the controlled devices by using the SNMP Community String. This is similar to a userid or password which allows access to the device's state information.
Page 423: A Simple Zonedefense Scenario

(in network range 192.168.2.0/24 for example) from accessing the switch completely. A D-Link switch model DES-3226S is used in this case, with a management interface address 192.168.1.250 connecting to the firewall's interface address 192.168.1.1. This firewall interface is added into the exclude list to prevent the firewall from being accidentally locked out from accessing the switch.
Page 424: Zonedefense With Anti-virus Scanning, Limitations

12.3.4. ZoneDefense with Anti-Virus Chapter 12. ZoneDefense Scanning and put it into the Selected list. Click OK Configure an HTTP threshold of 10 connections/second: Go to Traffic Management > Threshold Rules > Add > Threshold Rule For the Threshold Rule enter: •...
Page 425

12.3.5. Limitations Chapter 12. ZoneDefense in less than a second while some models may require a minute or more. A second difference is the maximum number of rules supported by different switches. Some switches support a maximum of 50 rules while others support up to 800 (usually, in order to block a host or network, one rule per switch port is needed).
Page 426

12.3.5. Limitations Chapter 12. ZoneDefense...
Page 427: Advanced Settings, Ip Level Settings

Chapter 13. Advanced Settings This chapter describes the configurable advanced settings for NetDefendOS. The settings are divided up into the following categories: Note: Activate after changes After an advanced setting is changed an activate operation must be performed in order for the new NetDefendOS configuration to take effect.
Page 428

13.1. IP Level Settings Chapter 13. Advanced Settings Block 0.0.0.0 as source address. Default: Drop Block 0 Net Block 0.* as source addresses. Default: DropLog Block 127 Net Block 127.* as source addresses. Default: DropLog Block Multicast Src Block multicast both source addresses (224.0.0.0 - 255.255.255.255). Default: DropLog TTL Min The minimum TTL value accepted on receipt.
Page 429

13.1. IP Level Settings Chapter 13. Advanced Settings SecuRemoteUDP Compatibility Allow IP data to contain eight bytes more than the UDP total length field specifies. Checkpoint SecuRemote violates NAT-T drafts. Default: Disabled IP Option Sizes Verifies the size of "IP options". These options are small blocks of information that may be added to the end of each IP header.
Page 430

13.1. IP Level Settings Chapter 13. Advanced Settings IP Reserved Flag Indicates what NetDefendOS will do if there is data in the "reserved" fields of IP headers. In normal circumstances, these fields should read 0. Used by OS Fingerprinting. Default: DropLog Strip DontFragment Strip the Don’t Fragment flag for packets equal to or smaller than the size specified by this setting.
Page 431: Tcp Level Settings

13.2. TCP Level Settings Chapter 13. Advanced Settings 13.2. TCP Level Settings TCP Option Sizes Verifies the size of TCP options. This function acts in the same way as IPOptionSizes described above. Default: ValidateLogBad TCP MSS Min Determines the minimum permissible size of the TCP MSS. Packets containing maximum segment sizes below this limit are handled according to the next setting.
Page 432

13.2. TCP Level Settings Chapter 13. Advanced Settings TCP Auto Clamping Automatically clamp TCP MSS according to MTU of involved interfaces, in addition to TCPMSSMax. Default: Enabled TCP Zero Unused ACK Determines whether NetDefendOS should set the ACK sequence number field in TCP packets to zero if it is not used.
Page 433

13.2. TCP Level Settings Chapter 13. Advanced Settings are not understood by any today's standard systems. As NetDefendOS cannot understand checksum algorithms other than the standard algorithm, these options can never be accepted. The ALTCHKREQ option is normally never seen on modern networks. Default: StripLog TCP Option ALTCHKDATA Determines how NetDefendOS will handle alternate checksum data options.
Page 434

13.2. TCP Level Settings Chapter 13. Advanced Settings The TCP FIN flag together with SYN; normally invalid (strip=strip FIN). Default: DropLog TCP FIN/URG Specifies how NetDefendOS will deal with TCP packets with both FIN (Finish, close connection) and URG flags turned on. This should normally never occur, as you do not usually attempt to close a connection at the same time as sending "important"...
Page 435

13.2. TCP Level Settings Chapter 13. Advanced Settings Possible values are: Ignore - Do not validate. Means that sequence number validation is completely turned off. ValidateSilent - Validate and pass on. ValidateLogBad - Validate and pass on, log if bad. ValidateReopen - Validate reopen attempt like normal traffic;...
Page 436: Icmp Level Settings

13.3. ICMP Level Settings Chapter 13. Advanced Settings 13.3. ICMP Level Settings ICMP Sends Per Sec Limit Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section.
Page 437: State Settings

13.4. State Settings Chapter 13. Advanced Settings 13.4. State Settings Connection Replace Allows new additions to the NetDefendOS connection list to replace the oldest connections if there is no available space. Default: ReplaceLog Log Open Fails In some instances where the Rules section determines that a packet should be allowed through, the stateful inspection mechanism may subsequently decide that the packet cannot open a new connection.
Page 438

This generates a log message for every packet that passes through a connection that is set up in the NetDefendOS state-engine. Traffic whose destination is the D-Link Firewall itself, for example NetDefendOS management traffic, is not subject to this setting.
Page 439: Connection Timeout Settings

13.5. Connection Timeout Settings Chapter 13. Advanced Settings 13.5. Connection Timeout Settings The settings in this section specify how long a connection can remain idle, that is to say with no data being sent through it, before it is automatically closed. Please note that each connection has two timeout values: one for each direction.
Page 440

13.5. Connection Timeout Settings Chapter 13. Advanced Settings Other Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before it is closed. Default: 130...
Page 441: Length Limit Settings

13.6. Length Limit Settings Chapter 13. Advanced Settings 13.6. Length Limit Settings This section contains information about the size limits imposed on the protocols directly under IP level, such as TCP, UDP and ICMP. The values specified here concern the IP data contained in packets. In the case of Ethernet, a single packet can contain up to 1480 bytes of IP data without fragmentation.
Page 442

13.6. Length Limit Settings Chapter 13. Advanced Settings Specifies in bytes the maximum size of an AH packet. AH, Authentication Header, is used by IPsec where only authentication is applied. This value should be set at the size of the largest packet allowed to pass through the VPN connections, regardless of its original protocol, plus approx.
Page 443: Fragmentation Settings

13.7. Fragmentation Settings Chapter 13. Advanced Settings 13.7. Fragmentation Settings IP is able to transport up to 65536 bytes of data. However, most media, such as Ethernet, cannot carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate packets, each one given their own IP header and information that will help the recipient reassemble the original packet correctly.
Page 444

13.7. Fragmentation Settings Chapter 13. Advanced Settings Default: Check8 – compare 8 random locations, a total of 32 bytes Failed Fragment Reassembly Reassemblies may fail due to one of the following causes: • Some of the fragments did not arrive within the time stipulated by the ReassTimeout or ReassTimeLimit settings.
Page 445

13.7. Fragmentation Settings Chapter 13. Advanced Settings • NoLog - No logging is carried out under normal circumstances. • LogSuspect - Logs duplicated fragments if the reassembly procedure has been affected by "suspect" fragments. • LogAll - Always logs duplicated fragments. Default: LogSuspect Fragmented ICMP Other than ICMP ECHO (Ping), ICMP messages should not normally be fragmented as they contain...
Page 446

13.7. Fragmentation Settings Chapter 13. Advanced Settings Reassembly Illegal Limit Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving. Default: 60...
Page 447: Local Fragment Reassembly Settings

13.8. Local Fragment Reassembly Chapter 13. Advanced Settings Settings 13.8. Local Fragment Reassembly Settings Max Concurrent Maximum number of concurrent local reassemblies. Default: 256 Max Size Maximum size of a locally reassembled packet. Default: 10000 Large Buffers Number of large ( over 2K) local reassembly buffers (of the above size). Default: 32...
Page 448: Miscellaneous Settings

13.9. Miscellaneous Settings Chapter 13. Advanced Settings 13.9. Miscellaneous Settings UDP Source Port 0 How to treat UDP packets with source port 0. Default: DropLog Port 0 How to treat TCP/UDP packets with destination port 0 and TCP packets with source port 0. Default: DropLog Watchdog Time Number of non-responsive seconds before watchdog is triggered (0=disable).
Page 449

13.9. Miscellaneous Settings Chapter 13. Advanced Settings...
Page 450: A. Subscribing To Security Updates

On purchase, you will receive a unique activation code to identify you as a user of the service. • Go to Maintenance > License in the Web Interface of your D-Link Firewall system and enter this activation code. NetDefendOS will indicate the code is accepted and the update service will be activated.
Page 451

To get the status of AV updates: gw-world:/> updatecenter -status Antivirus Querying Server Status To get the status of the D-Link network servers use the command: gw-world:/> updatecenter -servers Deleting Local Databases Some technical problem in the operation of either IDP or the Anti-Virus modules may be resolved by deleting the database and reloading.
Page 452: B. Idp Signature Groups

For IDP scanning, the following signature groups are available for selection. These groups are available only for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Policy. For further information see Section 6.5, “Intrusion Detection and Prevention”.
Page 453

Appendix B. IDP Signature Groups Group Name Intrusion Type FTP_FORMATSTRING Format string attack FTP_GENERAL FTP protocol and implementation FTP_LOGIN Login attacks FTP_OVERFLOW FTP buffer overflow GAME_BOMBERCLONE Bomberclone game GAME_GENERAL Generic game servers/clients GAME_UNREAL UnReal Game server HTTP_APACHE Apache httpd HTTP_BADBLUE Badblue web server HTTP_CGI HTTP CGI...
Page 454

Appendix B. IDP Signature Groups Group Name Intrusion Type POP3_DOS Denial of Service for POP POP3_GENERAL Post Office Protocol v3 POP3_LOGIN-ATTACKS Password guessing and related login attack POP3_OVERFLOW POP3 server overflow POP3_REQUEST-ERRORS Request Error PORTMAPPER_GENERAL PortMapper PRINT_GENERAL LP printing server: LPR LPD PRINT_OVERFLOW Overflow of LPR/LPD protocol/implementation REMOTEACCESS_GOTOMYPC...
Page 455

Appendix B. IDP Signature Groups Group Name Intrusion Type TFTP_OPERATION Operation Attack TFTP_OVERFLOW TFTP buffer overflow attack TFTP_REPLY TFTP Reply attack TFTP_REQUEST TFTP request attack TROJAN_GENERAL Trojan UDP_GENERAL General UDP UDP_POPUP Pop-up window for MS Windows UPNP_GENERAL UPNP VERSION_CVS VERSION_SVN Subversion VIRUS_GENERAL Virus...
Page 456: C. Verified Mime Filetypes

Appendix C. Verified MIME filetypes Some NetDefendOS Application Layer Gateways (ALGs) have the optional ability to verify that the contents of a downloaded file matches the type that the filetype in the filename indicates. The filetypes for which MIME verification can be done are listed in this appendix and the ALGs to which this applies are: •...
Page 457

Appendix C. Verified MIME filetypes Filetype extension Application Windows Control Panel Extension file Database file Graphics Multipage PCX Bitmap file Debian Linux Package file djvu DjVu file Windows dynamic link library file DPA archive data TeX Device Independent Document EET archive Allegro datafile eMacs Lisp Byte-compiled Source Code ABT EMD Module/Song Format file...
Page 458

Appendix C. Verified MIME filetypes Filetype extension Application MPEG-1 Video file Microsoft files Microsoft office files, and other Microsoft files Atari MSA archive data niff, nif Navy Interchange file Format Bitmap Nancy Video CODEC NES Sound file obj, o Windows object file, linux object file Object Linking and Embedding (OLE) Control Extension Ogg Vorbis Codec compressed WAV file Linux executable...
Page 459

Appendix C. Verified MIME filetypes Filetype extension Application TeX font metric data tiff, tif Tagged Image Format file tnef Transport Neutral Encapsulation Format torrent BitTorrent Metainfo file TrueType Font Yamaha TX Wave audio files UFA archive data Vcard file VivoActive Player Streaming Video file Waveform Audio Lotus 1-2-3 document Windows Media file...
Page 460: D. The Osi Framework, D.1. The 7 Layers Of The Osi Model

Appendix D. The OSI Framework Overview The Open Systems Interconnection Model defines a framework for inter-computer communications. It categorizes different protocols for a great variety of network applications into seven smaller, more manageable layers. The model describes how data from an application in one computer can be transferred through a network medium to an application on another computer.
Page 461: E. D-link Worldwide Offices

Appendix E. D-Link Worldwide Offices Below is a complete list of D-Link worldwide sales offices. Please check your own country area's local website for further details regarding support of D-Link products as well as contact details for local support. Australia 1 Giffnock Avenue, North Ryde, NSW 2113, Australia.
Page 462

Appendix E. D-Link Worldwide Offices Italy Via Nino Bonnet n. 6/b, 20154 – Milano, Italy. TEL: 39-02-2900-0676, FAX: 39-02-2900-1723. Website: www.dlink.it LatinAmerica Isidora Goyeechea 2934, Ofcina 702, Las Condes, Santiago – Chile. TEL: 56-2-232-3185, FAX: 56-2-232-0923. Website: www.dlink.cl Luxemburg Rue des Colonies 11, B-1000 Brussels, Belgium TEL: +32 (0)2 517 7111, FAX: +32 (0)2 517 6500.
Page 463: Alphabetical Index

fail mode behaviour, 261 in the FTP ALG, 201 Alphabetical Index in the HTTP ALG, 198 in the POP3 ALG, 216 in the SMTP ALG, 207 memory requirements, 259 access rules, 193 relationship with IDP, 260 accounting, 54 simultaneous scans, 259 interim messages, 56 with zonedefense, 263 limitations with NAT, 57...
Page 464

Alphabetical Index BOOTP, 187 phishing, 254 BPDU relaying, 177 setup, 246 Broadcast Enet Sender setting, 179 site reclassification, 249 spam, 256 static, 243 content filtering HTML CAM Size setting, 178 customizing, 256 CAM To L3 Cache Dest Learning setting, 177 core interface, 81 CA servers core routes, 129...
Page 465

Alphabetical Index ALG, 197 authentication, 311 whitelist precedence, 199 end of life procedures, 67 HTTP poster, 119 ESMTP extensions, 209 HTTPS Certificate setting, 44 ethernet interface, 81 HTTP URI normalization in IDP, 267 changing IP addresses, 82 CLI command summary, 83 default gateway, 83 IP address, 82 ICMP Sends Per Sec Limit setting, 436...
Page 466

Alphabetical Index IP Option Source/Return setting, 429 Logout at shutdown (RADIUS) setting, 57, 58 IP Options Timestamps setting, 429 logout from CLI, 36 IP pools, 190 Log Oversized Packets setting, 442 with config mode, 350 Log Received TTL 0 setting, 427 IP Reserved Flag setting, 429 Log Reverse Opens setting, 437 IP router alert option setting, 429...
Page 467

Alphabetical Index creating with CLI, 157 QoS (see quality of service) NAT, 283 quality of service, 378 anonymizing with, 286 IP rules, 104 pools, 288 RADIUS stateful pools, 288 accounting, 54 traversal, 340 advanced settings, 57 network address translation (see NAT) authentication, 304 NTP (see time synchronization) Reassembly Done Limit setting, 445...
Page 468

Alphabetical Index max sessions, 78 TCP MSS Log Level setting, 431 specifying port number, 76 TCP MSS Max setting, 431 SYN flood protection, 77 TCP MSS Min setting, 431 TCP and UDP, 76 TCP MSS On High setting, 431 sgs file extension, 36 TCP MSS on Low setting, 431 Silently Drop State ICMPErrors setting, 436 TCP MSS VPN Max setting, 431...
Page 469

Alphabetical Index UDP Bidirectional Keep-alive setting, 439 with anti-virus, 263 UDP Idle Lifetime setting, 439 with FTP ALG, 202 UDP Source Port 0 setting, 448 with IDP, 272 Unknown VLAN Tags setting, 87 with SMTP ALG, 210 unnumbered PPPoE, 88 Unsolicited ARP Replies setting, 98 uploading files with SCP, 39 user authentication (see authentication)

This manual also for:

Dfl- 800 Dfl-1600 Dfl- 2500 Netdefend dfl-260 Dfl- 860 Netdefend dfl-800... Show all