OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE PRODUCT.
13.24. Miscellaneous Settings ... 279
A. Subscribing to Security Updates ... 281
B. IDP Signature Groups ... 283
C. Anti-Virus MIME filetypes ... 287
D. The OSI Framework ... 291
E. D-Link worldwide offices ... 292
Alphabetical Index ... 294
List of Figures
1.1. Packet Flow Schematic Part I ... 6
1.2. Packet Flow Schematic Part II ... 7
1.3. Packet Flow Schematic Part III ... 8
4.1. A Route Failover Scenario for ISP Access ... 71
4.2. Virtual Links Example 1 ... 83
4.3.
5.3. Setting up Static DHCP ... 99
5.4. Setting up a DHCP relayer ... 100
6.1. Setting up an Access Rule ... 104
6.2. Protecting an FTP Server with ALG ... 106
6.3. Protecting FTP Clients ... 109
6.4. Protecting Phones Behind D-Link Firewalls ... 113
...
6.7. Using Private IP Addresses ... 116
6.8. H.323 with Gatekeeper ... 118
6.9. H.323 with Gatekeeper and two D-Link Firewalls ... 119
6.10. Using the H.323 ALG in a Corporate Environment ... 120
6.11. Configuring remote offices for H.323 ... 123
6.12.
The target audience for this reference guide is Administrators who are responsible for configuring and managing D-Link Firewalls which are running the NetDefendOS operating system. This guide assumes that the reader has some basic knowledge of networks and network security.
Preface
Notes to the main text
Special sections of text which the reader should pay special attention to are indicated by icons on the left hand side of the page followed by a short paragraph in italicized text. Such sections have the following types and purposes:
Note
This indicates some piece of information that is an addition to the preceding text.
• NetDefendOS Architecture, page 3
• NetDefendOS Packet Flow, page 6
1.1. About D-Link NetDefendOS
D-Link NetDefendOS is the firmware, the software engine that drives and controls all D-Link Firewall products. Designed as a network security operating system, NetDefendOS features high throughput performance with high reliability plus super-granular control.
Chapter 2, Operations and Maintenance.
ZoneDefense
NetDefendOS can be used to control D-Link switches using the ZoneDefense feature.
Reading through this documentation carefully will ensure that you get the most out of your NetDefendOS product. In addition to this document, the reader should also be aware of the companion volumes:
• ...
Chapter 1. Product Overview
1.2. NetDefendOS Architecture
1.2.1. State-based Architecture
The NetDefendOS architecture is centered around the concept of state-based connections. Traditional IP routers or switches commonly inspect all packets and then perform forwarding decisions based on information found in the packet headers.
1.2.3. Basic Packet Flow
• If the Ethernet frame contains a PPP payload, the system checks for a matching PPPoE interface. If one is found, that interface becomes the source interface for the packet. If no matching interface is found, the packet is dropped and the event is logged.
connection.
10. The Traffic Shaping and the Threshold Limit Rule-sets are now searched. If a match is found, the corresponding information is recorded with the state. This will enable proper traffic management on the connection.
1.3. NetDefendOS Packet Flow
The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next.
Figure 1.1. Packet Flow Schematic Part I
The packet flow is continued on the following page.
Chapter 2. Operations and Maintenance
This chapter describes the operations and maintenance related aspects of NetDefendOS.
• Configuring NetDefendOS, page 10
• Events and Logging, page 21
• RADIUS Accounting, page 24
• Maintenance, page 28
2.1. Configuring NetDefendOS
2.1.1. Overview
NetDefendOS is designed to give both high performance and high reliability.
The serial console port is an RS-232 port that enables access to the CLI through a serial connection to a PC or terminal. To locate the serial console port on your D-Link system, please see the D-Link quickstart guide.
SSH (Secure Shell)
The SSH (Secure Shell) protocol can be used to access the CLI over the network from a remote host. SSH is a protocol primarily used for secure communication over insecure networks, providing strong authentication and data integrity.
To access the web interface, launch a standard web browser and point the browser at the IP address of the firewall. The factory default address for all D-Link Firewalls is 192.168.1.1. You MUST use https:// as the protocol of the URL in the browser, e.g. https://192.168.1.1 (https will protect the username and password with encryption when they are sent to NetDefendOS).
2.1.4. Web Interface
Note
Access to the web interface is regulated by the remote management policy. By default, the system will only allow web access from the internal network.
2.1.4.2. Interface Layout
The main web interface page is divided into three major sections:
Menu bar
The menu bar located at the top of the web interface contains a number of buttons and drop-down menus that are used to perform configuration tasks as well as ...
gw-world:/> add RemoteManagement RemoteMgmtHTTP https Network=all-nets Interface=any LocalUserDatabase=AdminUsers HTTPS=Yes
Web Interface
Go to System > Remote Management > Add > HTTP/HTTPS Management
Enter a Name for the HTTP/HTTPS remote management policy, e.g. https.
Check the HTTPS checkbox.
2.1.5. Working with Configurations
Example 2.3. Listing Configuration Objects
This example shows how to list all service objects.
gw-world:/> show Service
A list of all services will be displayed, grouped by their respective type.
Web Interface
Go to Objects > ...
Note
When accessing objects via the CLI you can omit the category name and just use the type name. The CLI command in the above example, for instance, could be simplified to:
gw-world:/> ...
dress Book.
gw-world:/> add Address IP4Address myhost Address=192.168.10.10
Show the new object:
gw-world:/> show Address IP4Address myhost
Property              Value
--------------------- -------------
Name:                 myhost
Address:              192.168.10.10
UserAuthGroups:       (none)
NoDefinedCredentials:
Comments:             (none)
Web Interface
Go to Objects > ...
gw-world:/> undelete Address IP4Address myhost
Web Interface
Go to Objects > Address Book
Right-click on the row containing the myhost object. In the dropdown menu displayed, select Undo Delete.
Listing Modified Objects
After modifying several configuration objects, you might want to see a list of the objects that were changed, added and removed since the last commit.
Example 2.10. Activating and Committing a Configuration
This example shows how to activate and commit a new configuration.
gw-world:/> activate
The system will validate and start using the new configuration. When the command prompt is shown again:
gw-world:/> ...
NetDefendOS can distribute event messages using the following standards and protocols:
Memlog
A D-Link Firewall has a built in logging mechanism known as the Memory Log. This retains all event log messages in memory and allows direct viewing of log messages through the web interface.
2.2.3. Event Message Distribution
2.2.3.1. Logging to Syslog Hosts
Syslog is a standardized protocol for sending log data to loghosts, although there is no standardized format of these log messages. The format used by NetDefendOS is well suited for automated processing, filtering and searching.
RADIUS sessions. All statistics are updated for an authenticated user whenever a connection related to an authenticated user is closed. When a new client session is started by a user establishing a new connection through the D-Link Firewall, NetDefendOS sends an AccountingRequest START message to a nominated RADIUS server, to record the start of the new session.
Delay Time - See the above comment about this parameter.
• Timestamp - The number of seconds since 1970-01-01. Used to set a timestamp when this packet was sent from the D-Link Firewall.
In addition to this, two more attributes are possibly sent:
• ...
Note
The (*) symbol in the above list indicates that the sending of the parameter is user configurable.
2.3.3. Interim Accounting Messages
In addition to START and STOP messages, NetDefendOS can optionally periodically send Interim Accounting Messages to update the accounting server with the current status of an authenticated user.
In an HA cluster, accounting information is synched between the active and passive D-Link Firewalls. This means that accounting information is automatically updated on both cluster members whenever a connection is closed. Two special accounting events are also used by the active unit to keep the passive unit synchronized:
• ...
Reset alternative for the DFL-210/260/800/860 only To reset the DFL-210/260/800/860 you must hold down the reset button at the rear panel for 10-15 seconds while powering on the unit. After that, release the reset button and the DFL-210/800 will continue to load and startup in default mode, i.e.
To facilitate the Auto-Update feature D-Link maintains a global infrastructure of servers providing update services for D-Link Firewalls. To ensure availability and low response times, NetDefendOS employs a mechanism for automatically selecting the most appropriate server to supply updates.
Chapter 3. Fundamentals
This chapter describes the fundamental logical objects upon which NetDefendOS is built. These logical objects include such things as addresses, services and schedules. In addition, this chapter explains how the various supported interfaces work, it outlines how policies are constructed and how basic system settings are configured.
For example: 192.168.0.0/24
IP Range
A range of IP addresses is represented in the form a.b.c.d - e.f.g.h. Please note that ranges are not limited to netmask boundaries; they may include any span of IP addresses.
Go to Objects > Address Book > Add > IP address
Specify a suitable name for the IP Range, for instance wwwservers.
Enter 192.168.10.16-192.168.10.21 in the IP Address textbox.
Click OK.
Example 3.4. Deleting an Address Object
To delete an object named wwwsrv1 in the Address Book, do the following:
gw-world:/> ...
3.1.4. Address Groups
Address objects can be grouped in order to simplify configuration. Consider a number of public servers that should be accessible from the Internet. The servers have IP addresses that are not in a sequence, and can therefore not be referenced as a single IP range.
3.2. Services
3.2.1. Overview
A Service object is a reference to a specific IP protocol with associated parameters. A Service definition is usually based on one of the major transport protocols such as TCP or UDP, with the associated port number(s).
To define a TCP or UDP service in the D-Link Firewall, a TCP/UDP Service object is used. This type of object contains, apart from a unique name describing the service, also information on what protocol (TCP, UDP or both) and what source and destination ports are applicable for the service.
Passing ICMP Errors
If an attempt to open a TCP connection is made by a user application behind the D-Link Firewall and the remote server is not in operation, an ICMP error message is returned as the response. These ICMP errors can either be ignored or allowed to pass through, back to the requesting application.
The ICMP message types that can be configured in NetDefendOS are listed as follows:
• Echo Request: sent by PING to a destination in order to check connectivity.
• Destination Unreachable: the source is told that a problem has occurred when delivering a packet.
3.2.4. Custom IP Protocol Services
Example 3.9. Adding an IP Protocol Service
This example shows how to add an IP Protocol Service, with the Virtual Router Redundancy Protocol.
gw-world:/> add Service ServiceIPProto VRRP IPProto=112
Web Interface
Go to Objects > Services > Add > IP protocol service
Specify a suitable name for the service, for instance VRRP.
3.3. Interfaces
3.3.1. Overview
An Interface is one of the most important logical building blocks in NetDefendOS. All network traffic that passes through or gets terminated in the system does so through one or several interfaces.
NetDefendOS itself that will deal with the traffic. Examples of the use of core would be when the D-Link Firewall acts as a PPTP or L2TP server or is to respond to ICMP "Ping" requests. By specifying the Destination Interface of a route as core, NetDefendOS will then know that it is itself that is the ultimate destination of the traffic.
N represents the number of the interface if your D-Link Firewall has more than one of these interfaces. In most of the examples in this guide lan is used for LAN traffic and wan is used for WAN traffic.
Check the Enable DHCP client control.
Click OK.
3.3.3. Virtual LAN
NetDefendOS is fully compliant with the IEEE 802.1Q specification for Virtual LANs. On a protocol level, Virtual LANs work by adding a Virtual LAN identifier (VLAN ID) to the Ethernet frame header.
3.3.4. PPPoE
DSL line, wireless device or cable modem. All the users on the Ethernet share a common connection, while access control can be done on a per-user basis. Internet service providers (ISPs) often require customers to connect through PPPoE to their broadband service.
If dial-on-demand is enabled, the PPPoE connection will only be up when there is traffic on the PPPoE interface. It is possible to configure how the firewall should sense activity on the interface, either on outgoing traffic, incoming traffic or both. Also configurable is the time to wait with no activity before the tunnel is disconnected.
3.3.5. Interface Groups
Web Interface
Go to Interfaces > Interface Groups > Add > InterfaceGroup
Enter the following information to define the group:
• Name: The name of the group to be used later
• Security/Transport Equivalent: If enabled, the interface group can be used as a destination interface in rules where connections might need to be moved between the interfaces.
3.4. ARP
3.4.1. Overview
Address Resolution Protocol (ARP) is a protocol which maps a network layer protocol address to a data link layer hardware address; it is used to resolve an IP address into its corresponding Ethernet address.
cifies how long NetDefendOS is to remember addresses that cannot be reached. This is done to ensure that NetDefendOS does not continuously request such addresses. The default value for this setting is 3 seconds.
3.4.4. Static and Published ARP Entries
dresses) as well as publishing IP addresses with a specific Ethernet address.
Static ARP Entries
Static ARP items may help in situations where a device is reporting an incorrect Ethernet address in response to ARP requests.
XPublish "lies" about the sender Ethernet address in the Ethernet header; this is set to be the same as the published Ethernet address rather than the actual Ethernet address of the Ethernet interface. If a published Ethernet address is the same as the Ethernet address of the interface, it will make no difference if you select Publish or XPublish, the result will be the same.
3.4.5. Advanced ARP Settings
Sender IP 0.0.0.0
NetDefendOS can be configured on what to do with ARP queries that have a sender IP of 0.0.0.0. Such sender IPs are never valid in responses, but network units that have not yet learned of their IP address sometimes ask ARP questions with an "unspecified" ...
3.5.2. Rule Evaluation
When a new TCP/IP connection is being established through the D-Link Firewall, the list of IP rules is evaluated from top to bottom until a rule that matches the parameters of that new connection is found.
3.5.3. IP Rule components
A rule consists of two logical parts: the connection parameters and the action to take if there is a match with those parameters. Rule parameters are pre-defined and reusable network objects such as Addresses and Services, which can be used in any rule to specify the criteria for a match.
3.5.4. Editing IP Rule-set Entries
After adding various rules to the rule-set, editing any line can be achieved in the Web-UI by right clicking on that line. A context menu will appear with the following options:
Edit
This allows the contents of the rule to be changed.
3.6. Schedules
In some scenarios, it might be useful to control not only what functionality is enabled, but also when that functionality is being used. For instance, the IT policy of an enterprise might stipulate that web traffic from a certain department is only allowed access outside that department during normal office hours.
• Action: NAT
• Service: http
• Schedule: OfficeHours
• SourceInterface: lan
• SourceNetwork: lannet
• DestinationInterface: any
• DestinationNetwork: all-nets
Click OK.
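The top-to-bottom, first-match evaluation described in Section 3.5.2, applied to a rule-set containing the schedule-bound NAT rule above, as an added example written for this guide rather than taken from NetDefendOS. The address book entries, the service definitions, the OfficeHours hours (assumed Mon-Fri 08:00-17:00) and the default-drop fallback for unmatched connections are constructed assumptions.

```python
"""First-match evaluation of a NetDefendOS-style IP rule-set (added example,
not D-Link's code).  Address book, services, the OfficeHours definition and
the default-drop fallback are constructed assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed address book: name -> list of networks ("all-nets" = 0.0.0.0/0).
ADDRESS_BOOK = {
    "lannet": [ip_network("192.168.1.0/24")],
    "all-nets": [ip_network("0.0.0.0/0")],
}
# Constructed service objects: name -> (protocol, set of destination ports).
SERVICES = {
    "http": ("tcp", {80}),
    "dns": ("udp", {53}),
    "all_services": (None, None),       # matches any protocol and port
}
# Constructed schedule: (weekdays with Mon=0, start hour, end hour exclusive).
SCHEDULES = {
    "OfficeHours": (range(0, 5), 8, 17),   # assumed definition of office hours
}

@dataclass
class Rule:
    name: str
    action: str              # Allow, NAT, SAT, Drop, Reject
    service: str
    src_if: str              # "any" is a wildcard
    src_net: str
    dst_if: str
    dst_net: str
    schedule: Optional[str] = None   # None = rule is always active

@dataclass
class Packet:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto: str
    dst_port: int

def _net_match(name: str, ip: str) -> bool:
    return any(ip_address(ip) in net for net in ADDRESS_BOOK[name])

def _service_match(name: str, proto: str, port: int) -> bool:
    s_proto, s_ports = SERVICES[name]
    return s_proto is None or (proto == s_proto and port in s_ports)

def _schedule_active(name: Optional[str], now: datetime) -> bool:
    if name is None:
        return True
    days, start, end = SCHEDULES[name]
    return now.weekday() in days and start <= now.hour < end

def evaluate(rules, pkt: Packet, now: datetime) -> Tuple[Optional[str], str]:
    """Walk the rule-set top to bottom; the first rule whose parameters all
    match decides the action.  Returns (rule name, action)."""
    for r in rules:
        if (r.src_if in ("any", pkt.src_if) and r.dst_if in ("any", pkt.dst_if)
                and _net_match(r.src_net, pkt.src_ip)
                and _net_match(r.dst_net, pkt.dst_ip)
                and _service_match(r.service, pkt.proto, pkt.dst_port)
                and _schedule_active(r.schedule, now)):
            return r.name, r.action
    return None, "Drop"   # assumed fallback: an unmatched connection is dropped

# The Example 3.x rule from the text, followed by a DNS rule and a catch-all.
RULES = [
    Rule("lan_http_officehours", "NAT", "http", "lan", "lannet", "any", "all-nets", "OfficeHours"),
    Rule("lan_dns", "Allow", "dns", "lan", "lannet", "any", "all-nets"),
    Rule("drop_rest", "Drop", "all_services", "any", "all-nets", "any", "all-nets"),
]

def demo():
    """The same HTTP connection inside and outside OfficeHours, a DNS lookup,
    and a lannet source address arriving on the wan interface."""
    web = Packet("lan", "192.168.1.25", "wan", "203.0.113.10", "tcp", 80)
    dns = Packet("lan", "192.168.1.25", "wan", "203.0.113.53", "udp", 53)
    wrong_if = Packet("wan", "192.168.1.25", "lan", "192.168.1.10", "tcp", 80)
    monday_10 = datetime(2024, 1, 8, 10, 0)   # Monday, inside OfficeHours
    monday_22 = datetime(2024, 1, 8, 22, 0)   # Monday, outside OfficeHours
    return {
        "web_office": evaluate(RULES, web, monday_10),
        "web_night": evaluate(RULES, web, monday_22),
        "dns": evaluate(RULES, dns, monday_22),
        "wrong_iface": evaluate(RULES, wrong_if, monday_10),
    }

if __name__ == "__main__":
    for case, (rule, action) in demo().items():
        print(f"{case:12s} -> {action} (rule: {rule})")
```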
3.7. X.509 Certificates
NetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. This involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication.
3.7.1.
VPN tunnel, provided the certificate validation procedure described above succeeded.
3.7.7. X.509 Certificates in NetDefendOS
X.509 certificates can be uploaded to the D-Link Firewall for use in IKE/IPsec authentication, Webauth etc. There are two types of certificates that can be uploaded, self signed certificates and remote certificates belonging to a remote peer or CA server.
Example 3.20. Setting the Time Zone
To modify the NetDefendOS time zone to be GMT plus 1 hour, follow the steps outlined below:
gw-world:/> set DateTime Timezone=GMTplus1
Web Interface
Go to System > Date and Time
Select (GMT+01:00) in the Timezone drop-down list.
3.8.2. Time Servers
3.8.2.1. Time Synchronization Protocols
Time Synchronization Protocols are standardised methods for retrieving time information from external Time Servers. NetDefendOS supports the following time synchronization protocols:
• SNTP - Defined by RFC 2030, the Simple Network Time Protocol (SNTP) is a lightweight implementation of NTP (RFC 1305).
Example 3.23. Manually Triggering a Time Synchronization
Time synchronization can be triggered from the CLI. The output below shows a typical response.
gw-world:/> time -sync
Attempting to synchronize system time...
Server time: 2007-02-27 12:21:52 (UTC+00:00)
Local time: 2007-02-27 12:24:30 (UTC+00:00) (diff: 158)
Local time successfully changed to server time.
86,400 seconds (1 day), meaning that the time synchronization process is executed once in a 24 hour period.
3.8.2.5. D-Link Time Servers
Using D-Link's own Time Servers is an option in NetDefendOS and this is the recommended way of synchronizing the firewall clock. These servers communicate with NetDefendOS using the SNTP protocol.
3.9. DNS Lookup
A DNS server resolves a textual URL address into a numeric IP address. This allows the actual physical IP address to change while the URL can stay the same. URLs can be used in various areas of a NetDefendOS configuration where IP addresses are unknown, or where it makes more sense to make use of DNS resolution instead of using static IP addresses.
Chapter 4. Routing
This chapter describes how to configure IP routing in NetDefendOS.
• Overview, page 66
• Static Routing, page 67
• Policy-based Routing, page 76
• Dynamic Routing, page 80
• Transparent Mode, page 88
4.1. Overview
IP routing capabilities belong to the most fundamental functionalities of NetDefendOS: any IP packet flowing through the system will be subjected to at least one routing decision at some point in time, and proper setup of routing is crucial for a NetDefendOS system to function as expected.
IP address of the next gateway in the path to the destination. The images below illustrate a typical D-Link Firewall deployment and what the associated routing table would look like.
4.2.1. Static Routing in NetDefendOS
This section describes how routing is implemented in NetDefendOS, and how to configure static routing. NetDefendOS supports multiple routing tables. A default table called main is pre-defined and is always present in NetDefendOS.
Persistent Routes: None
The corresponding routing table in NetDefendOS is similar to this:
Flags Network            Iface    Gateway        Local IP  Metric
----- ------------------ -------- -------------- --------- ------
      192.168.0.0/24
      10.0.0.0/8
      0.0.0.0/0                   192.168.0.1
The NetDefendOS way of describing the routes is easier to read and understand. Another advantage of this form of notation is that you can specify a gateway for a particular route without having a route that covers the gateway's IP address, or even when the gateway's IP address is normally routed via another interface.
      213.124.165.0/24
      0.0.0.0/0                   213.124.165.1
Web Interface
To see the configured routing table:
Go to Routing > Routing Tables
Select and right-click the main routing table in the grid. Choose Edit in the menu.
The main window will list the configured routes.
4.2.2. Route Failover
Overview
D-Link Firewalls are often deployed in mission-critical locations where availability and connectivity is crucial. A corporation relying heavily on access to the Internet, for instance, could have their operations severely disrupted if an Internet connection fails.
Host Monitoring
The first two options check the accessibility of components local to the D-Link Firewall. An alternative is to monitor the accessibility of one or more nominated remote hosts. These hosts might have known high availability and polling them can indicate if traffic from the local D-Link Firewall is reaching them.
in the route that has the lowest Metric being chosen. If the primary WAN router should then fail, this will be detected by NetDefendOS, and the first route will be disabled. As a consequence, a new route lookup will be performed and the second route will be selected with the first one being marked as disabled.
Grace Period
This is the period of time after startup or after reconfiguration of the D-Link Firewall which NetDefendOS will wait before starting Route Monitoring. This waiting period allows time for all network links to initialize once the firewall comes online.
Ethernet is separated into two parts with a routing device such as an installed D-Link Firewall, in between. In such a case, NetDefendOS itself can respond to ARP requests directed to the network on the other side of the D-Link Firewall using the feature known as Proxy ARP.
4.3. Policy-based Routing
4.3.1. Overview
Policy-based Routing is an extension to the standard approach to routing described previously. It offers administrators significant flexibility in implementing routing decision policies by being able to define Policy-based Routing Rules. Normal routing forwards packets according to destination IP address information derived from static routes or from a dynamic routing protocol.
based Routing rule can be triggered by the type of Service (e.g. HTTP) in combination with the Source/Destination Interface and Source/Destination Network. When looking up Policy-based Rules, it is the first matching rule found that is triggered.
4.3.4. Policy-based Routing Table Selection
4.3.5. The Ordering parameter
Example 4.3. Creating a Policy-Based Routing table
In this example we create a Policy-based Routing table named "TestPBRTable".
Web Interface
Go to Routing > Routing Tables > Add > RoutingTable
Now enter:
• Name: TestPBRTable
• ...
• This is a "drop-in" design, where there are no explicit routing subnets between the ISP gateways and the D-Link Firewall. In a provider-independent metropolitan area network, clients will likely have a single IP address, belonging to one of the ISPs.
4.4. Dynamic Routing
4.4.1. Dynamic Routing overview
Dynamic routing is different to static routing in that the D-Link Firewall will adapt to changes of network topology or traffic load automatically. NetDefendOS first learns of all the directly connected networks and gets further route information from other routers. Detected routes are sorted and the most suitable routes for destinations are added into the routing table and this information is distributed to other routers.
4.4.2. OSPF
Path length
The sum of the costs associated with each link. A commonly used value for this metric is called "hop count" which is the number of routing devices a packet must pass through when it travels from source to destination.
Bandwidth
The traffic capacity of a path, rated by "Mbps".
advertise externally learned routes throughout the Autonomous System.
Backbone Areas
All OSPF networks need to have at least the backbone area, that is the area with ID 0. This is the area that all other areas should be connected to, and the backbone makes sure to distribute routing information between the connected areas.
Virtual links are used for:
• Linking an area that does not have a direct connection to the backbone.
• Linking the backbone in case of a partitioned backbone.
Area without direct connection to the backbone
The backbone always needs to be the center of all other areas.
Figure 4.3. Virtual Links Example 2
The Virtual Link is configured between fw1 and fw2 on Area 1, as it is used as the transit area. In the configuration only the Router ID has to be configured; as the example above shows, fw2 needs to have a Virtual Link to fw1 with the Router ID 192.168.1.1 and vice versa.
4.4.3. Dynamic Routing Policy
In a dynamic routing environment, it is important for routers to be able to regulate to what extent they will participate in the routing exchange. It is not feasible to accept or trust all received routing information, and it might be crucial to prevent parts of the routing database from being published to other routers.
ble. Specify the destination routing table that the routes should be added to, in this case main.
gw-world:/> cc DynamicRoutingRule ImportOSPFRoutes
gw-world:/ImportOSPFRoutes> add DynamicRoutingRuleAddRoute Destination=MainRoutingTable
Web Interface
Go to Routing > Dynamic Routing Rules
Click on the recently created ImportOSPFRoutes
Go to OSPF Routing Action > ...
Click on the recently created ExportDefRoute.
Go to OSPF Action > Add > DynamicRoutingRuleExportOSPF.
In the Export to process control, choose as0.
Click OK.
The D-Link Firewall can operate in two modes: Routing Mode or Transparent Mode. In Routing Mode, the D-Link Firewall performs all the functions of a Layer 3 router; if the firewall is placed into a network for the first time, or if network topology changes, the routing configuration must therefore be thoroughly checked to ensure that the routing table is consistent with the new layout.
When beginning communication, a host will locate the target host's physical address by broadcasting an ARP request. This request is intercepted by NetDefendOS and it sets up an internal ARP Transaction State entry and broadcasts the ARP request to all the other switch-route interfaces except the interface the ARP request was received on.
4.5.5. Transparent Mode example scenarios
Example 4.8. Setting up Transparent Mode - Scenario 1
Web Interface
Configure the interfaces:
Go to Interfaces > Ethernet > Edit (wan)
Now enter:
• IP Address: 10.0.0.1
• Network: 10.0.0.0/24
• Default Gateway: 10.0.0.1
• ...
Scenario 2
Figure 4.5. Transparent mode scenario 2
Here the D-Link Firewall in Transparent Mode separates server resources from an internal network by connecting them to a separate interface without the need for different address ranges. All hosts connected to LAN and DMZ (the lan and dmz interfaces) share the 10.0.0.0/24 address space. As...
Specify a suitable name for the rule, for instance HTTP-LAN-to-DMZ.
Enter the following:
• Action: Allow
• Source Interface: lan
• Destination Interface: dmz
• Source Network: all-nets
• Destination Network: 10.1.4.10
Under the Service tab, choose http in the Pre-defined control.
Click OK.
• Transparent Mode: Disable
• Add route for interface network: Disable
Click OK.
Go to Interfaces > Ethernet > Edit (dmz)
Now enter:
• IP Address: 10.0.0.2
• Network: 10.0.0.0/24
• Transparent Mode: Disable
• ...
• Action: SAT
• Service: http
• Source Interface: wan
• Destination Interface: dmz
• Source Network: all-nets
• Destination Network: wan_ip
• Translate: Select Destination IP
• New IP Address: 10.1.4.10
Click OK.
5.2. DHCP Servers
NetDefendOS has the ability to act as one or more logical DHCP servers. Filtering of DHCP client requests is based on interface, so each NetDefendOS interface can have, at most, one single logical DHCP server associated with it.
Example 5.2. Checking the status of a DHCP server
Web Interface
Select DHCP Server in the Status dropdown menu in the menu bar.
DHCP leases are remembered by the system between system restarts.
5.3. Static DHCP Assignment
Where the administrator requires a fixed relationship between a client and the assigned IP address, NetDefendOS allows the assignment of a given IP to a specific MAC address.
Example 5.3.
5.4. DHCP Relaying
With DHCP, clients send requests to locate the DHCP server(s) using broadcast messages. However, broadcasts are normally only propagated across the local network. This means that the DHCP server and client would always need to be in the same physical network area to be able to communicate.
6.1.3. Access Rule Settings
Access Rules can provide an anti-spoofing capability by providing an extra filter for source address verification. An Access Rule can verify that packets arriving at a given interface do not have a source address which is associated with a network of another interface.
of this. It is always advisable to check Access Rules when troubleshooting puzzling problems in case a rule is preventing some other function, such as VPN tunnel establishment, from working properly.
Example 6.1. Setting up an Access Rule
A rule is to be defined that ensures no traffic with a source address not within the lannet network is received on the lan interface.
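As an added illustration of the anti-spoofing check described above (example code, not part of the manual or of NetDefendOS), the following Python models Example 6.1 as an ordered list of access rules plus a fallback check that a source address arriving on one interface does not belong to another interface's network. The interface names, networks and sample packets are constructed values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed interface table (assumption, not from the manual): each
# interface is paired with the network it is expected to carry.
INTERFACE_NETWORKS = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),  # lannet (constructed)
    "dmz": ipaddress.ip_network("10.1.4.0/24"),     # dmznet (constructed)
}
ALL_NETS = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class AccessRule:
    name: str
    interface: str                   # receiving interface the rule applies to
    network: ipaddress.IPv4Network   # source network the rule matches
    action: str                      # "accept" or "drop"


# Simplified rendering of Example 6.1: only lannet sources are accepted on
# lan; any other source arriving on lan is dropped. First match wins.
EXAMPLE_6_1_RULES = [
    AccessRule("lan_from_lannet", "lan", INTERFACE_NETWORKS["lan"], "accept"),
    AccessRule("lan_deny_rest", "lan", ALL_NETS, "drop"),
]


def check_source(iface, src_ip, interfaces=INTERFACE_NETWORKS):
    """Fallback anti-spoofing check used when no access rule matches.

    A source inside the receiving interface's own network is accepted; a
    source that belongs to another interface's network is treated as
    spoofed and dropped; anything else (for example Internet addresses
    arriving on wan) is accepted here, since no rule restricts it.
    """
    addr = ipaddress.ip_address(src_ip)
    own = interfaces.get(iface)
    if own is not None and addr in own:
        return "accept", f"{src_ip} is within {iface}'s network {own}"
    for other, net in interfaces.items():
        if other != iface and addr in net:
            return "drop", f"{src_ip} belongs to {other}'s network {net} but arrived on {iface}"
    return "accept", f"{src_ip} does not belong to any other interface's network"


def evaluate(iface, src_ip, rules=EXAMPLE_6_1_RULES, interfaces=INTERFACE_NETWORKS):
    """Apply the ordered access rules, then the fallback check."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.interface == iface and addr in rule.network:
            return rule.action, f"matched rule {rule.name}"
    return check_source(iface, src_ip, interfaces)


# Constructed sample of arriving packets: (receiving interface, source IP).
SAMPLE_PACKETS = [
    ("lan", "192.168.1.10"),   # legitimate LAN host
    ("lan", "10.1.4.10"),      # DMZ address seen on lan: spoofed
    ("lan", "203.0.113.5"),    # Internet address seen on lan: spoofed
    ("wan", "192.168.1.10"),   # internal address arriving from the outside
    ("wan", "203.0.113.5"),    # ordinary Internet source
]


def evaluate_all(packets=SAMPLE_PACKETS):
    """Verdict for every sample packet as (interface, source, action)."""
    return [(iface, src, evaluate(iface, src)[0]) for iface, src in packets]


if __name__ == "__main__":
    for iface, src, verdict in evaluate_all():
        print(f"{iface:<4} {src:<16} {verdict}")
```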
After granting access, the server will provide the client with a file/directory listing from which it can download/upload files (depending on access rights). The FTP ALG is used to manage FTP connections through the D-Link Firewall.
The conversion also works the other way around, that is, with the FTP client using active mode and the FTP server using passive mode. Example 6.2. Protecting an FTP Server with ALG As shown, an FTP Server is connected to the D-Link Firewall on a DMZ with private IP addresses, shown below:...
6.2.3. File Transfer Protocol
To make it possible to connect to this server from the Internet using the FTP ALG, the FTP ALG and rules should be configured as follows:
Web Interface
Define the ALG: Go to Objects > ALG > Add > FTP ALG
Enter Name: ftp-inbound
Check Allow client to use active mode
Uncheck Allow server to use passive mode...
• Name: SAT-ftp-inbound
• Action: SAT
• Service: ftp-inbound
For Address Filter enter:
• Source Interface: any
• Destination Interface: core
• Source Network: all-nets
• Destination Network: wan_ip (assuming the external interface has been defined as this)
For SAT check Translate the Destination IP Address.
Example 6.3. Protecting FTP Clients
In the scenario shown below, the D-Link Firewall is protecting a workstation that will connect to FTP servers on the Internet. To make it possible to connect to these servers from the internal network using the FTP ALG, the FTP ALG and...
are no rules disallowing or allowing the same kind of ports/traffic before these rules. The service in use is "ftp-outbound", which should use the ALG definition "ftp-outbound" described earlier.
Allow connections to FTP servers on the outside: Go to Rules >...
• MIME Checking - Mail attachment file content can be checked against its filetype. A list of all filetypes checked can be found in Appendix C, Anti-Virus MIME filetypes.
• Anti-Virus Scanning - The NetDefendOS Anti-Virus module can scan email attachments searching for malicious code.
The H.323 specification was not designed to handle NAT, as IP addresses and ports are sent in the payload of H.323 messages. The H.323 ALG modifies and translates H.323 messages to make sure that H.323 messages will be routed to the correct destination and allowed through the D-Link Firewall.
Example 6.4. Protecting Phones Behind D-Link Firewalls
In the first scenario an H.323 phone is connected to the D-Link Firewall on a network (lannet) with public IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules.
Example 6.5. H.323 with private IP addresses
In this scenario an H.323 phone is connected to the D-Link Firewall on a network with private IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules.
Click OK
To place a call to the phone behind the D-Link Firewall, place a call to the external IP address on the firewall. If multiple H.323 phones are placed behind the firewall, one SAT rule has to be configured for each phone.
6.2.5. H.323
Web Interface
Outgoing Rule: Go to Rules > IP Rules > Add > IPRule
Now enter:
• Name: H323AllowOut
• Action: Allow
• Service: H323
• Source Interface: lan
• Destination Interface: any
• Source Network: lannet
•...
This scenario consists of two H.323 phones, each one connected behind the D-Link Firewall on a network with private IP addresses. In order to place calls on these phones over the Internet, the following rules need to be added to the rule-set in the firewall; make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules.
Example 6.8. H.323 with Gatekeeper
In this scenario, an H.323 gatekeeper is placed in the DMZ of the D-Link Firewall. A rule is configured in the firewall to allow traffic between the private internal network where the H.323 phones are connected and the Gatekeeper on the DMZ.
The D-Link Firewall with the Gatekeeper connected to the DMZ should be configured exactly as in scenario 3. The other D-Link Firewall should be configured as below. The rules need to be added to the rule listings, and make sure there are no rules disallowing or allowing the same kind of ports/traffic before these...
Web Interface
Go to Rules > IP Rules > Add > IPRule
Now enter:
• Name: H323Out
• Action: NAT
• Service: H323-Gatekeeper
• Source Interface: lan
• Destination Interface: any
• Source Network: lannet
•...
The head office has placed an H.323 Gatekeeper in the DMZ of the corporate D-Link Firewall. This firewall should be configured as follows:
Web Interface
Go to Rules > IP Rules > Add > IPRule
Now enter:
•...
• Source Interface: lan
• Destination Interface: dmz
• Source Network: lannet
• Destination Network: ip-gateway
• Comment: Allow H.323 entities on lannet to call phones connected to the H.323 Gateway on the DMZ.
Click OK.
Example 6.12. Allowing the H.323 Gateway to register with the Gatekeeper
The branch office D-Link Firewall has an H.323 Gateway connected to its DMZ. In order to allow the Gateway to register with the H.323 Gatekeeper at the Head Office, the following rule has to be configured:
Web Interface
Go to Rules >...
Note
There is no need to specify a specific rule for outgoing calls. NetDefendOS monitors the communication between "external" phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper.
It operates by monitoring network traffic as it passes through the D-Link Firewall, searching for patterns that indicate an intrusion is being attempted. Once an intrusion is detected, NetDefendOS IDP allows steps to be taken to neutralize both the intrusion attempt and its source.
A new, updated signature database is downloaded automatically by NetDefendOS at a configurable interval. This is done via an HTTP connection to the D-Link server network, which delivers the latest signature database updates. If the server's signature database has a newer version than the current local database, the new database will be downloaded, replacing the older version.
Rule Components
An IDP Rule defines what kind of traffic, or service, should be analyzed. An IDP Rule is similar in makeup to an IP Rule. An IDP Rule specifies a given combination of source/destination interfaces and addresses, and is associated with a Service object which defines which protocols to scan.
believes it has the full data stream. The attacker now sends two further packets, p2 and p3, which will be accepted by the application, which can now complete reassembly, resulting in a data stream different from the one seen by the IDP subsystem.
Attackers who build new intrusions often re-use older code. This means their new attacks can appear "in the wild" quickly. To counter this, D-Link IDP uses an approach where the module scans for these reusable components, with pattern matching looking for building blocks rather than the complete code patterns.
The group type is one of the values IDS, IPS or Policy. These types are explained above.
2. Signature Group Category
This second level of naming describes the type of application or protocol. Examples are:
•...
Section 6.7, “Blacklisting Hosts and Networks”. IDP ZoneDefense The Protect action includes the option that the particular D-Link switch that triggers the IDP Rule can be de-activated through the D-Link ZoneDefense feature. For more details on how ZoneDefense functions see Chapter 12, ZoneDefense.
6.3.8. SMTP Log Receiver for IDP Events
gw-world:/examplerule> set IDPRuleAction 1 LogEnabled=Yes
Web Interface
Adding an SMTP log receiver: Go to System > Log and Event Receivers > Add > SMTP Event Receiver
Now enter:
• Name: smtp4IDP
•...
Create IDP Rule:
gw-world:/> add IDPRule Service=smtp SourceInterface=wan SourceNetwork=wannet DestinationInterface=dmz DestinationNetwork=ip_mailserver Name=IDPMailSrvRule
Create IDP Action:
gw-world:/> cc IDPRule IDPMailSrvRule
gw-world:/IDPMailSrvRule> add IDPRuleAction Action=Protect IDPServity=All Signatures=IPS_MAIL_SMTP
Web Interface
Create IDP Rule: This IDP rule will be called IDPMailSrvRule, and applies to the SMTP service.
When this IDP Rule has been created, an action must also be created, specifying what signatures the IDP should use when scanning data matching the IDP Rule, and what NetDefendOS should do in case an intrusion is discovered.
D-Link Anti-Virus subscription.
6.4.5. Subscribing to the D-Link Anti-Virus Service
The D-Link Anti-Virus feature is purchased as an additional component to the base D-Link license and is bought in the form of a renewable subscription. An Anti-Virus subscription includes regular updates of the Kaspersky SafeStream database during the subscription period with the signatures of the latest virus threats.
6.4.6. Anti-Virus Options
When configuring Anti-Virus scanning in an ALG, the following parameters can be set:
1. General options
Mode: When Enabled, Anti-Virus is active.
Verify MIME type: The MIME type identifies a file's type. For instance a file might be identified as being of type .gif and therefore should contain image data of that type.
To prevent this situation, the administrator should specify a Compression Ratio limit. If the ratio limit is set to 10, then when the uncompressed file is 10 times larger than the compressed file, the specified Action is taken.
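As an added example of the compression-ratio limit just described (example code, not the manual's or NetDefendOS's own implementation), the following Python inflates a zlib-compressed attachment while checking bytes-out against bytes-in after every input chunk, so an attachment that expands past the limit is rejected early instead of after it has already consumed memory. The two sample attachments are constructed inline; the Action is modelled as allow versus drop.

```python
import zlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class ScanResult:
    allowed: bool            # False means the configured Action (here: drop) applies
    ratio: float             # uncompressed bytes per compressed byte at decision time
    data: Optional[bytes]    # decompressed content when allowed, else None


def inflate_with_ratio_limit(compressed: bytes, max_ratio: int = 10,
                             chunk: int = 512) -> ScanResult:
    """Decompress zlib data while enforcing a compression-ratio limit.

    Input is fed to the decompressor in small pieces and the ratio
    (bytes out / bytes in) is checked after every piece, so a file that
    expands far beyond max_ratio is rejected long before it has been
    fully inflated, rather than after memory has already been consumed.
    """
    decompressor = zlib.decompressobj()
    out = bytearray()
    consumed = 0
    for offset in range(0, len(compressed), chunk):
        piece = compressed[offset:offset + chunk]
        consumed += len(piece)
        out += decompressor.decompress(piece)
        ratio = len(out) / consumed
        if ratio >= max_ratio:
            return ScanResult(False, ratio, None)   # limit reached: take the Action
    out += decompressor.flush()
    ratio = len(out) / consumed if consumed else 0.0
    if ratio >= max_ratio:
        return ScanResult(False, ratio, None)
    return ScanResult(True, ratio, bytes(out))


# Constructed sample attachments (not real files): a modestly compressible
# payload, and a highly repetitive one that inflates roughly 1000:1.
BENIGN_PAYLOAD = bytes(range(256)) * 4
BENIGN_ATTACHMENT = zlib.compress(BENIGN_PAYLOAD)
BOMB_ATTACHMENT = zlib.compress(b"\x00" * 1_000_000)


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_ATTACHMENT), ("bomb", BOMB_ATTACHMENT)):
        result = inflate_with_ratio_limit(blob)
        verdict = "allow" if result.allowed else "drop"
        print(f"{name}: {len(blob)} bytes compressed, ratio {result.ratio:.1f}, {verdict}")
```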
Click the Service tab
Select your new service, http_anti_virus, in the pre-defined Service dropdown list
Click OK
Anti-Virus scanning is now activated for all web traffic from lannet to all-nets.
6.5. Web Content Filtering
6.5.1. Overview
Web traffic is one of the biggest sources for security issues and misuse of the Internet. Inappropriate surfing habits can expose a network to many security threats as well as legal and regulatory liabilities.
6.5.3. Static Content Filtering
Example 6.16. Stripping ActiveX and Java applets
This example shows how to configure an HTTP Application Layer Gateway to strip ActiveX and Java applets. The example will use the content_filtering ALG object and presumes you have done one of the previous examples.
gw-world:/>...
In this small scenario a general surfing policy prevents users from downloading .exe files. However, the D-Link website provides secure and necessary program files which should be allowed to be downloaded.
Dynamic Web Content Filtering
Availability on D-Link Models
Dynamic Content Filtering is available on the D-Link DFL-260 and DFL-860 only.
URL Processing Flow
When a user requests access to a web site, NetDefendOS sends a query to these databases to retrieve the category of the requested site.
URL. Dynamic Content Filtering therefore requires a minimum of administration effort.
Note
New, uncategorized URLs sent to the D-Link network are treated as anonymous submissions and no record of the source of new submissions is kept.
Categorizing Pages and Not Sites
NetDefendOS dynamic filtering categorizes web pages and not sites.
Click the Web Content Filtering tab.
Select Enabled in the Mode dropdown list.
In the Blocked Categories list, select Search Sites and click the >> button.
Click OK.
Then, create a Service object using the new HTTP ALG: Go to Local Objects >...
The URL to the requested web site as well as the proposed category will then be sent to D-Link's central data warehouse for manual inspection. That inspection may result in the web site being re-...
Example 6.20. Reclassifying a blocked site
This example shows how a user may propose a reclassification of a web site if he believes it is wrongly classified. This mechanism is enabled on a per-HTTP ALG basis.
First, create an HTTP Application Layer Gateway (ALG) Object:
gw-world:/>...
• www.fullonxxx.com
Category 2: News
A web site may be classified under the News category if its content includes information articles on recent events pertaining to topics surrounding a locality (eg. a town, city or nation) or culture, including weather forecasting information.
isement of goods or services to be exchanged for money, and may also include the facilities to perform that transaction online. Included in this category are market promotions, catalogue selling and merchandising services.
Category 11: Investment Sites
A web site may be classified under the Investment Sites category if its content includes information, services or facilities pertaining to personal investment. URLs in this category include contents such as brokerage services, online portfolio setup, money management forums or stock quotes.
Category 16: Sports
A web site may be classified under the Sports category if its content includes information or instructions relating to recreational or professional sports, or reviews on sporting events and sports scores. Examples might be:
•...
Category 21: Health Sites
A web site may be classified under the Health Sites category if its content includes health related information or services, including sexuality and sexual health, as well as support groups, hospital and surgical information and medical journals.
that relates to educational services or has been deemed of educational value, or to be an educational resource, by educational organisations. This category is populated by request or submission from various educational organisations. Examples might be:
•...
• kaqsovdij.gjibhgk.info
• www.pleaseupdateyourdetails.com
Category 32: Non-Managed
Unclassified sites and sites that don't fit one of the other categories will be placed in this category. It is unusual to block this category since this could result in most harmless URLs being blocked.
Attacks can appear out of thin air and the consequences can be devastating with crashed servers, jammed Internet connections and business critical systems in overload. This section deals with using the D-Link Firewall to protect organizations against DoS attacks. 6.6.2. DoS Attack Mechanisms A DoS attack can be perpetrated in a number of ways but there are three basic types of attack: •...
to run "ping -l 65510 1.2.3.4" on a Windows 95 system where 1.2.3.4 is the IP address of the intended victim. "Jolt" is simply a purpose-written program for generating such packets on operating systems whose ping commands refuse to generate oversized packets.
vices expected to only serve the local network.
• By stripping the URG bit by default from all TCP segments traversing the system (configurable via Advanced Settings > TCP > TCPUrg).
WinNuke attacks will usually show up in NetDefendOS logs as normal drops with the name of the rule in your policy that disallowed the connection attempt.
The Traffic Shaping feature built into NetDefendOS also helps absorb some of the flood before it reaches protected servers.
6.6.8. TCP SYN Flood Attacks
The TCP SYN Flood attack works by sending large numbers of TCP SYN packets to a given port and then not responding to the SYN ACKs sent in response.
To ensure that "good" internet traffic sources are not blacklisted under any circumstances, a Whitelist is also maintained by NetDefendOS. It can be advisable to add the D-Link Firewall itself to the Whitelist as well as the IP addresses of all management workstations.
IP addresses on one of your internal networks, and would like the outbound connections to appear as if they are originating from the D-Link Firewall itself.
NAT is a many-to-one translation, meaning that each NAT rule will translate several source IP addresses into a single source IP address.
In this example, the Use Interface Address option is used, and we will use 195.11.22.33 as the interface address. In addition, the source port is changed to a free port on the D-Link Firewall, usually one above 32768. In this example, we will use port 32789. The packet is then sent to its destination.
7.1.1. Which Protocols can NAT handle?
dresses, destination addresses and protocol numbers. This means that:
• An internal machine can communicate with several external servers using the same IP protocol.
• An internal machine can communicate with several external servers using different IP protocols.
•...
In this example, we will create a SAT policy that will translate and allow connections from the Internet to a web server located in a DMZ. The D-Link Firewall is connected to the Internet using the wan interface with address object wan_ip (defined as 195.55.66.77) as IP address.
These two rules allow us to access the web server via the D-Link Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection.
This reply arrives directly to PC1 without passing through the D-Link Firewall. This causes problems. This will not work because PC1 expects a reply from 195.55.66.77:80, not 10.0.0.2:80. The unexpected reply is discarded and PC1 continues to wait for a response from 195.55.66.77:80, which will never arrive.
In this example, we will create a SAT policy that will translate and allow connections from the Internet to five web servers located in a DMZ. The D-Link Firewall is connected to the Internet using the wan interface, and the public IP addresses to use are in the range of 195.55.66.77 to 195.55.66.81.
Go to Interfaces > ARP > Add > ARP
Now enter:
• Mode: Publish
• Interface: wan
• IP Address: 195.55.66.77
Click OK and repeat for all five public IP addresses.
Create a SAT rule for the translation: Go to Rules >...
and 194.1.2.30) to the IP 192.168.0.50.
• Attempts to communicate with 194.1.2.16, port 80, will result in a connection to 192.168.0.50
• Attempts to communicate with 194.1.2.30, port 80, will result in a connection to 192.168.0.50
Note
When 0.0.0.0/0 is the destination, All-to-One mapping is always done.
designed to read and/or alter application data. These are commonly referred to as Application Layer Gateways or Application Layer Filters. NetDefendOS supports a number of such Application Layer Gateways and for more information please see Section 6.2, “Application Layer Gateways”.
Return traffic from wwwsrv:80 will match rules 2 and 3. Correct.
• Internal traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. The sender address will be the D-Link Firewall's internal IP address, guaranteeing that return traffic passes through the firewall.
•...
Chapter 8. User Authentication
This chapter describes how NetDefendOS implements user authentication.
• Overview, page 174
• Authentication Components, page 176
• Authentication Process, page 178
8.1. Overview
Before any user service request is authorized by the firewall's security policies, NetDefendOS needs to verify the identity of that user through a process of authentication.
• Changed on a regular basis
Good passwords help secure networks, including Layer 2 tunnels, which use passwords for encryption.
8.1.3. User Types
NetDefendOS has authentication schemes which support diverse user types. These can be:
•...
When there is more than one D-Link Firewall in the network and thousands of users, the administrator then doesn't have to maintain separate authentication databases on each firewall. Instead, the external authentication server can validate usernames and passwords against its central database by responding to requests from each D-Link Firewall.
8.2.4. Authentication Rules
A user authentication rule specifies:
• From where (i.e. receiving interface, source network) users are allowed to authenticate themselves at the firewall.
• Which agent will be used by NetDefendOS to prompt users for authentication.
•...
8.3. Authentication Process
NetDefendOS performs user authentication in the following series of steps:
• A user creates a new connection to the firewall.
• NetDefendOS sees the new user connection on an interface, and checks the IP Rule-set to see if there is an authentication policy set for traffic on this interface and coming from this network.
• Groups: One user can be placed in more than one group. Enter the group names here separated by commas, e.g. "users" for this example.
Click OK.
Repeat Step B to add all the "lannet" users that are members of the "users" group to the lannet_auth_users folder.
Chapter 9. Virtual Private Networks
This chapter describes VPN usage with NetDefendOS.
• VPN overview, page 181
• IPsec, page 183
• IPsec Tunnels, page 196
• PPTP/L2TP, page 202
9.1. VPN overview
9.1.1. The need for VPNs
Most networks today are connected to each other by the Internet. Business increasingly utilizes the Internet since it offers efficient and inexpensive communication.
9.1.3. Planning a VPN
• Protecting mobile and home computers
• Restricting access through the VPN to needed services only, since mobile computers are vulnerable
• Creating DMZs for services that need to be shared with other companies through VPNs
•...
9.2. IPsec
9.2.1. IPsec Basics
9.2.1.1. Introduction to IPsec
IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering Task Force, to provide IP security at the network layer. An IPsec-based VPN is made up of two parts:
•...
IKE Negotiation
The process of negotiating session parameters consists of a number of phases and modes. These are described in detail in the sections below. The flow of events can be summarized as follows:
IKE Phase-1
•...
When installing two D-Link Firewalls as VPN endpoints, this process is reduced to comparing fields in two identical dialog boxes. However, it is not quite as easy when equipment from different vendors is involved.
IP header claims it is from. More on AH in AH (Authentication Header).
Note
D-Link Firewalls do not support AH.
IKE Encryption
This specifies the encryption algorithm used in the IKE negotiation, and depending on the algorithm, the size of the encryption key used.
• SHA1
IKE DH (Diffie-Hellman) Group
This specifies the Diffie-Hellman group to use when doing key exchanges in IKE. The Diffie-Hellman groups supported by D-Link Firewall VPNs are:
• DH group 1 (768-bit)
• DH group 2 (1024-bit)
•...
without encryption. The algorithms supported by D-Link Firewall VPNs are:
•
• Blowfish
• Twofish
• Cast128
• 3DES
IPsec Authentication
This specifies the authentication algorithm used on the protected traffic.
cryption/authentication key always, no anti-replay services, and it is not very flexible. There is also no way of assuring that the remote host/firewall really is the one it says it is. This type of connection is also vulnerable to what is called a "replay attack", meaning that a malicious entity which has access to the encrypted traffic can record some packets, store them, and send them to their destination at a later time.
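As an added example of the anti-replay service that the text says manual keying lacks (example code, not from the manual or NetDefendOS; it follows the sliding-window check described for ESP in RFC 4303), this Python class tracks per-SA sequence numbers so that a recorded packet sent again is rejected while modest reordering is still tolerated. The sequence-number stream is constructed.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check for one IPsec security association.

    Every ESP packet carries a monotonically increasing sequence number.
    The receiver keeps the highest number accepted so far plus a bitmap
    of which of the previous `size` numbers have already been seen.
    A packet is rejected if its number is a duplicate or too old.
    """

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("window must cover at least 32 sequence numbers")
        self.size = size
        self.last = 0        # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0      # bit i set => sequence number (last - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and within the window."""
        if seq <= 0:
            return False                       # ESP never sends sequence number 0
        if seq > self.last:
            # Newer than anything seen so far: slide the window forward.
            shift = seq - self.last
            if shift >= self.size:
                self.bitmap = 1                # every older number falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:
            return False                       # older than the window: reject
        if (self.bitmap >> diff) & 1:
            return False                       # already seen: this is a replay
        self.bitmap |= 1 << diff               # late but legitimate reordering
        return True


def process_sequence(seqs, size=64):
    """Feed a stream of sequence numbers through one window; return the verdicts."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


# Constructed capture: packets 1..3 arrive, a recorded copy of packet 2 is
# replayed, packets 5 and 4 arrive out of order, then packet 4 is replayed.
REPLAYED_STREAM = [1, 2, 3, 2, 5, 4, 4]

if __name__ == "__main__":
    for seq, ok in zip(REPLAYED_STREAM, process_sequence(REPLAYED_STREAM)):
        print(f"seq {seq}: {'accepted' if ok else 'rejected (replay or too old)'}")
```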
There are two protocols associated with IPsec, AH and ESP. These are covered in the sections below.
AH (Authentication Header)
AH is a protocol used for authenticating a data stream. It uses a cryptographic hash function to produce a MAC from the data in the IP packet.
9.2.1.5. NAT Traversal
Both the IKE and IPsec protocols present a problem for NAT. Neither protocol was designed to work through NATs and because of this, a technique called "NAT traversal" has evolved.
The ike-roamingclients and esp-tn-roamingclients proposal lists are suitable for VPN tunnels that are used for roaming VPN clients. These proposal lists are compatible with the default proposal lists in the D-Link VPN Client. As the name implies, the ike-lantolan and esp-tn-lantolan are suitable for LAN-to-LAN VPN solutions.
Click OK
9.2.4. Identification Lists
When X.509 certificates are used as the authentication method for IPsec tunnels, the D-Link Firewall will accept all remote firewalls or VPN clients that are capable of presenting a certificate signed by any of the trusted Certificate Authorities. This can be a potential problem, especially when using...
First create an Identification List:
gw-world:/> add IDList MyIDList
Then, create an ID:
gw-world:/> cc IDList MyIDList
gw-world:/MyIDList> add ID JohnDoe Type=DistinguishedName CommonName="John Doe" OrganizationName=D-Link OrganizationalUnit=Support Country=Sweden EmailAddress=john.doe@D-Link.com
gw-world:/MyIDList> cc
Finally, apply the Identification List to the IPsec tunnel:
gw-world:/> set Interface IPsecTunnel MyIPsecTunnel AuthMethod=Certificate...
• Organizational Unit: Support
• Country: Sweden
• Email Address: john.doe@D-Link.com
Click OK.
Finally, apply the Identification List to the IPsec tunnel:
Go to Interfaces > IPsec
In the grid control, click on the IPsec tunnel object of interest.
Under the Authentication tab, choose X.509 Certificate
Select the appropriate certificate in the Root Certificate(s) and Gateway Certificate controls.
When another D-Link Firewall or D-Link VPN Client (or any IPsec compliant product) tries to establish an IPsec VPN tunnel to the D-Link Firewall, the configured IPsec Tunnels are evaluated. If a matching IPsec Tunnel definition is found, the IKE and IPsec negotiations then take place, resulting in an IPsec VPN tunnel being established.
Dealing with unknown IP addresses
If the IP address of the client is not known beforehand then the D-Link Firewall needs to create a route in its routing table dynamically as each client connects. In the example below this is the case and the IPsec tunnel is configured to dynamically add routes.
Example 9.5. Setting up a Self-signed Certificate based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office D-Link Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip.
Example 9.6. Setting up a CA Server issued Certificate based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office D-Link Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip.
An X.509 root certificate usually includes the IP address or hostname of the Certificate Authority to contact when certificates or Certificate Revocation Lists need to be downloaded to the D-Link Firewall. Lightweight Directory Access Protocol (LDAP) is used for these downloads.
9.3.4. Fetching CRLs from an alternate LDAP server
gw-world:/> add LDAPServer Host=192.168.101.146 Username=myusername Password=mypassword Port=389
Web Interface
Go to Objects > VPN Objects > LDAP > Add > LDAP Server
Now enter:
• IP Address: 192.168.101.146
•...
A common problem with setting up PPTP is that a router and/or switch in a network is blocking TCP port 1723 and/or IP protocol 47 before the PPTP connection can be made to the D-Link Firewall. Examining the log can indicate if this problem occurred, with a log message of the following...
IPsec. The client communicates with a Local Access Concentrator (LAC) and the LAC communicates across the internet with an L2TP Network Server (LNS). The D-Link Firewall acts as the LNS. The LAC is, in effect, tunneling data, such as a PPP session, using IPsec to the LNS across the internet.
9.4.2. L2TP
Enter a suitable name for the L2TP Server, for instance MyL2TPServer. Now enter:
• Inner IP Address: ip_l2tp
• Tunnel Protocol: L2TP
• Outer Interface Filter: l2tp_ipsec
• Outer Server IP: wan_ip
Under the PPP Parameters tab, select L2TP_Pool in the IP Pool control.
Under the Add Route tab, select all_nets in the Allowed Networks control.
IPsecAlgorithms=esp-l2tptunnel PSK=MyPSK EncapsulationMode=Transport DHCPOverIPsec=Yes AddRouteToRemoteNet=Yes IPsecLifeTimeKilobytes=250000 IPsecLifeTimeSeconds=3600
Web Interface
Go to Interfaces > IPsec > Add > IPsec Tunnel
Enter a name for the IPsec tunnel, e.g. l2tp_ipsec. Now enter:
Local Network: wan_ip
Remote Network: all-nets
Remote Endpoint: none
Encapsulation Mode: Transport...
In the ProxyARP control, select the lan interface. Click OK.
In order to authenticate the users using the L2TP tunnel, a user authentication rule needs to be configured.
4. Next will be setting up the authentication rules:
gw-world:/>...
Go to Rules > IP Rules > Add > IPRule
Enter a name for the rule, e.g. NATL2TP. Now enter:
• Action: NAT
• Service: all_services
• Source Interface: l2tp_tunnel
• Source Network: l2tp_pool
•...
Chapter 10. Traffic Management
This chapter describes how NetDefendOS can manage network traffic.
• Traffic Shaping, page 209
• Threshold Rules, page 221
• Server Load Balancing, page 223
10.1. Traffic Shaping
10.1.1. Introduction
A weakness of the TCP/IP protocol is the lack of true Quality of Service (QoS) functionality. QoS in networks is the ability to guarantee and limit bandwidth for certain services and users.
10.1.3. Traffic Shaping in NetDefendOS
NetDefendOS offers extensive traffic shaping capabilities. Since any D-Link Firewall is a central and vital part of a network, there are many benefits to having it handle traffic control.
10.1.4. Pipes Basics
10.1.4.1. Definition of a Pipe
A Pipe is a central concept in the traffic shaping functionality of NetDefendOS and is the basis for all bandwidth control. Pipes are configured in the Pipes section of the firewall configuration. Pipes are fairly simplistic, in that they do not know much about the types of traffic that pass through them, and they know nothing about direction.
Go to Traffic Management > Traffic Shaping > Pipes > Add > Pipe
Specify a suitable name for the pipe, for instance std-in.
Enter 2000 in the Total textbox.
Click OK.
However, simply creating the pipe will not accomplish much; traffic actually needs to be passed through the pipe. This is done by assigning the pipe to an IP rule.
However, you cannot just raise the total limit to 4 Mbps and hope for the best. Why? Again, pipes are simple things. This single pipe will not know that you mean 2 Mbps inbound and 2 Mbps outbound.
Now that we have the pipe defined, what do we do with it? Well, first we will need to set up a rule that covers surfing and place it before the rule that covers "everything else". This way we can get surfing traffic to go through the specific pipes that we want it to, but still let everything else be handled by the "default"...
Note
The respective precedences are not "special" in any way. Their meaning is only defined by the limits and guarantees that you configure. The difference is only in relative importance: traffic in precedence 2 will be passed on before traffic in precedence 0, traffic in precedence 4 before 2 and 0, and so on.
10.1.5.2. Applying Simple Priorities
Now, how can we use precedences to make some types of traffic more important than others? Let's continue work on our previous example by giving SSH and Telnet traffic a higher priority than everything else passing through our pipes.
"which traffic is more important?" problem. The solution here is to create two new pipes: one for telnet traffic, and one for SSH traffic, much like the "surf" pipe that we created earlier on. First, remove the 96 kbps limit from the std-in pipe, then create two new pipes: "ssh-in"...
Measuring and shaping at the entrance of a choke point
If you are protecting the "entrance" to a network bottleneck, i.e. outbound data in your firewall, you can probably set the total limit very close to the bandwidth of your connection.
Measuring and shaping at the exit of a choke point
If you're protecting the "exit"...
10.1.6. Grouping Users of a Pipe
10.1.6.1. Overview
If pipes were restricted to the functionality described so far, traffic would be limited without respect to source or destination. This mode of operation is likely sufficient for managing simple traffic limits and guarantees.
each inside user gets for inbound SSH traffic. This keeps one single user from using up all available high-priority bandwidth. First, we will have to figure out how to group the users of the ssh-in pipe. What we want to do is apply our limits to each user on the internal network.
Total Connection Limiting allows the administrator to put a limit on the total number of connections opened to the D-Link Firewall. This function is extremely useful when NAT pools are required due to the large number of connections generated by P2P users.
Threshold Rules.
10.2.7. Threshold Rules and ZoneDefense
Threshold Rules are used in the D-Link ZoneDefense feature to block the source of excessive connection attempts from internal hosts. For more information on this refer to Chapter 12, ZoneDefense.
(sometimes called a "server farm") to handle many more requests than a single server. The image below illustrates a typical SLB scenario, with internet access to applications being controlled by a D-Link Firewall.
10.3.2. Identifying the Servers
SLB also means that network administrators can perform maintenance tasks on servers or applications without disrupting services. Individual servers can be restarted, upgraded, removed, or replaced, and new servers and applications can be added or moved without affecting the rest of a server farm, or taking down applications.
10 is used so that the number of new connections which were made to each server in the last 10 seconds will be remembered. An example is shown in the figure below. In this example, the D-Link Firewall is responsible for balancing connections from 3 clients with different addresses to 2 servers. Stickiness is set.
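The connection-rate idea described above (remember how many new connections each server received in the last 10 seconds, and with stickiness send a returning client back to the server it was first given) can be illustrated with a small balancer. This is an added example written for this page, not NetDefendOS code; the class name, the tie-breaking rule (the earlier server in the list wins) and the choice to expire a sticky entry after the same window as the connection counts are assumptions made here.

```python
from collections import deque


class ConnectionRateBalancer:
    """Toy server load balancer (added illustration, not NetDefendOS code).

    Every new connection goes to the server that received the fewest new
    connections inside the last `window` seconds.  With `sticky=True` a client
    that connected recently is sent back to the server it got the first time,
    so a session made of several connections is not split across servers.
    """

    def __init__(self, servers, window=10.0, sticky=True):
        self.servers = list(servers)
        self.window = window
        self.sticky = sticky
        # per server: timestamps of new connections still inside the window
        self._recent = {s: deque() for s in self.servers}
        # client address -> (server, time of last connection); assumption made
        # here: the sticky entry expires after the same window as the counts
        self._sticky = {}

    def _prune(self, now):
        """Forget connections and sticky entries older than the window."""
        for q in self._recent.values():
            while q and now - q[0] > self.window:
                q.popleft()
        for client in [c for c, (_, t) in self._sticky.items() if now - t > self.window]:
            del self._sticky[client]

    def rate(self, server, now):
        """Number of new connections the server received in the last window seconds."""
        self._prune(now)
        return len(self._recent[server])

    def pick(self, client, now):
        """Choose the server for a new connection from `client` arriving at time `now`."""
        self._prune(now)
        if self.sticky and client in self._sticky:
            server = self._sticky[client][0]
        else:
            # fewest recent connections wins; ties go to the earlier server in the list
            server = min(self.servers,
                         key=lambda s: (len(self._recent[s]), self.servers.index(s)))
        self._recent[server].append(now)
        if self.sticky:
            self._sticky[client] = (server, now)
        return server


def demo(sticky=True):
    """Three constructed clients hitting two servers; returns the assignment trace."""
    lb = ConnectionRateBalancer(["srv-a", "srv-b"], window=10.0, sticky=sticky)
    events = [("10.0.0.1", 0.0), ("10.0.0.2", 1.0), ("10.0.0.3", 2.0),
              ("10.0.0.1", 3.0), ("10.0.0.2", 4.0), ("10.0.0.1", 15.0)]
    return [(client, now, lb.pick(client, now)) for client, now in events]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running `demo()` with stickiness keeps 10.0.0.1 on srv-a at t=3 even though srv-a already has more recent connections; with `sticky=False` the same connection goes to srv-b. At t=15 everything older than the 10-second window has been forgotten, so the counts start again from zero.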
SLB will use the default routing table unless the administrator sets a specific routing table location. D-Link Server Load Balancing provides the following monitoring modes:
ICMP Ping
This works at OSI layer 3. SLB will ping the IP address of each individual server in the server farm.
The table below shows the rules that would be defined for a typical scenario of a set of webservers behind a D-Link Firewall for which the load is being balanced. The ALLOW rule allows external clients to access the webservers.
• High Availability Issues, page 233
11.1. Overview
High Availability (HA) is a fault-tolerant capability that is available on certain models of D-Link Firewalls. Currently the firewalls that offer this feature are the DFL-1600 and DFL-2500 models. D-Link offers an active-passive HA implementation.
Chapter 11. High Availability
High Availability Setup Example
Broken interfaces will not be detected by the current implementation of D-Link High Availability, unless they are broken to the point where the firewall cannot continue to run. This means that failover will not occur if the active firewall can communicate "being alive"...
The shared IP address should not be used for remote management or monitoring purposes. When using, for example, SNMP for remote management of the D-Link Firewalls in an HA configuration, the individual IP addresses of the firewalls should be used.
11.2.3. The synchronization interface
When three heartbeats are missed, i.e. after 0.6 seconds, the peer will be deemed inoperative. So, why not make it even faster? Maybe send a hundred heartbeats per second and declare a firewall inoperative after missing only two of them? This would after all result in a 0.02-second failover time.
11.3. High Availability Issues
Even though a high availability cluster will behave like a single firewall in most respects, there are some things which should be kept in mind when managing and configuring it.
11.3.1. High Availability Configuration
...
• ZoneDefense Switches, page 236
• ZoneDefense Operation, page 237
12.1. Overview
ZoneDefense allows a D-Link Firewall to control locally attached switches. It can be used as a counter-measure to stop a virus-infected computer in a local network from infecting other computers.
• The switch model type
• The SNMP community string (write access)
The ZoneDefense feature currently supports the following switches:
• D-Link DES 3226S (minimum firmware: R4.02-B14)
• D-Link DES 3250TG (minimum firmware: R3.00-B09)
• D-Link DES 3326S (minimum firmware: R4.01-B39)
•...
SNMP Managers
A typical managing device, such as a D-Link Firewall, uses the SNMP protocol to monitor and control network devices in the managed environment. The manager can query stored statistics from the controlled devices by using the SNMP Community String. This is similar to a user ID or password which allows access to the device's state information.
(in network range 192.168.2.0/24 for example) from accessing the switch completely. A D-Link switch model DES-3226S is used in this case, with a management interface address 192.168.1.250 connecting to the firewall's interface address 192.168.1.1. This firewall interface is added into the exclude list to prevent the firewall from being accidentally locked out from accessing the switch.
Chapter 12. ZoneDefense
12.3.4. Limitations
Go to Zone Defense > Exclude list
For Addresses choose the object name of the firewall's interface address 192.168.1.1 from the Available list and put it into the Selected list.
Click OK.
Configure an HTTP threshold of 10 connections/second:
Go to Traffic Management >...
Chapter 13. Advanced Settings
This chapter describes the configurable advanced settings for NetDefendOS. The settings are divided up into the following categories:
• IP Level Settings, page 241
• TCP Level Settings, page 245
• ICMP Level Settings, page 249
•...
based on illegal checksums.
Default: Enabled
LogNonIP4
Logs occurrences of IP packets that are not version 4. NetDefendOS only accepts version 4 IP packets; everything else is discarded.
Default: 256
LogReceivedTTL0
Logs occurrences of IP packets received with the "Time To Live" (TTL) value set to zero. Under no circumstances should any network unit send packets with a TTL of 0.
Default: 255
LayerSizeConsistency
Verifies that the size information contained in each "layer" (Ethernet, IP, TCP, UDP, ICMP) is consistent with that of other layers.
Default: ValidateLogBad
IPOptionSizes
Verifies the size of "IP options". These options are small blocks of information that may be added to the end of each IP header.
StripDFOnSmall
Strip the Don't Fragment flag for packets equal to or smaller than the size specified by this setting.
Default: 65535 bytes...
13.2. TCP Level Settings
TCPOptionSizes
Verifies the size of TCP options. This function acts in the same way as IPOptionSizes described above.
Default: ValidateLogBad
TCPMSSMin
Determines the minimum permissible size of the TCP MSS. Packets containing maximum segment sizes below this limit are handled according to the next setting.
Default: 7000 bytes
TCPZeroUnusedACK
Determines whether NetDefendOS should set the ACK sequence number field in TCP packets to zero if it is not used. Some operating systems reveal sequence number information this way, which can make it easier for intruders wanting to hijack established connections.
Default: Enabled
TCPZeroUnusedURG
Strips the URG pointers from all packets.
to transport alternate checksums where permitted by ALTCHKREQ above. Normally never seen on modern networks.
Default: StripLog
TCPOPT_CC
Determines how NetDefendOS will handle connection count options.
Default: StripLogBad
TCPOPT_OTHER
Specifies how NetDefendOS will deal with TCP options not covered by the above settings. These options usually never appear on modern networks.
TCPRF
Specifies how NetDefendOS will deal with TCP packets with either the Xmas or Ymas flag turned on. These flags are currently mostly used by OS fingerprinting.
Note: an upcoming standard called Explicit Congestion Notification also makes use of these TCP flags, but as long as there are only a few operating systems supporting this standard, the flags should be stripped.
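The TCP option settings above (TCPOptionSizes, TCPOPT_CC, TCPOPT_OTHER) describe a per-option policy applied while walking the option list of a TCP header. The following is an added example written for this page, not NetDefendOS code, showing what such a walk looks like: malformed length bytes cause the packet to be dropped and logged, connection-count options are stripped, and unknown options are stripped and logged. The function and policy-key names, the choice to overwrite stripped options with NOP bytes, and the sample option bytes are all constructed here.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# TCP option kinds (RFC 793, RFC 7323, RFC 2018, RFC 1644)
EOL, NOP, MSS, WSOPT, SACKPERM, SACK, TSOPT = 0, 1, 2, 3, 4, 5, 8
CC, CCNEW, CCECHO = 11, 12, 13           # the "connection count" options covered by TCPOPT_CC

# Total length (kind + length byte + data) that each fixed-size option must carry.
FIXED_LEN = {MSS: 4, WSOPT: 3, SACKPERM: 2, TSOPT: 10, CC: 6, CCNEW: 6, CCECHO: 6}
STANDARD = {MSS, WSOPT, SACKPERM, SACK, TSOPT}

# Policy values modelled on the manual's setting values; the defaults here are the
# ones quoted on this page.  Hypothetical dictionary, not a NetDefendOS structure.
POLICY = {"TCPOptionSizes": "ValidateLogBad", "TCPOPT_CC": "StripLogBad", "TCPOPT_OTHER": "StripLog"}


@dataclass
class Result:
    options: Optional[bytes]              # rewritten option bytes, or None when the packet is dropped
    log: List[str] = field(default_factory=list)


def _bad_size(kind, length, remaining):
    """True when the option's length byte cannot be right for this kind."""
    if length < 2 or length > remaining:
        return True
    if kind in FIXED_LEN and FIXED_LEN[kind] != length:
        return True
    if kind == SACK and (length - 2) % 8 != 0:   # SACK data is a list of 8-byte blocks
        return True
    return False


def filter_tcp_options(raw, policy=POLICY):
    """Walk the option bytes of one TCP header and apply the policy.

    A malformed size drops the whole packet (Validate*); stripped options are
    overwritten with NOPs so the data offset and the positions of the other
    options stay valid.  A real implementation would recompute the checksum.
    """
    out = bytearray()
    log = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:                   # end of option list; keep the padding as-is
            out.extend(raw[i:])
            break
        if kind == NOP:
            out.append(NOP)
            i += 1
            continue
        length = raw[i + 1] if i + 1 < len(raw) else None
        if length is None or _bad_size(kind, length, len(raw) - i):
            if policy["TCPOptionSizes"].endswith("LogBad"):
                log.append(f"TCPOptionSizes: option kind {kind} with length {length} is malformed, packet dropped")
            return Result(None, log)
        if kind in (CC, CCNEW, CCECHO):
            action = policy["TCPOPT_CC"]
        elif kind in STANDARD:
            action = "Validate"           # well-known and well-formed: pass through
        else:
            action = policy["TCPOPT_OTHER"]
        if action.startswith("Strip"):
            out.extend(bytes([NOP]) * length)
            if action == "StripLog":      # StripLogBad strips well-formed options silently
                log.append(f"TCPOPT_OTHER: stripped option kind {kind} ({length} bytes)")
        else:
            out.extend(raw[i:i + length])
        i += length
    return Result(bytes(out), log)


# Constructed sample, not a capture: MSS 1460, SACK-permitted, timestamps, NOP,
# window scale 7, a CC option, an unknown kind 30, then EOL.
SAMPLE_OPTIONS = bytes(
    [MSS, 4, 0x05, 0xB4, SACKPERM, 2, TSOPT, 10] + [0] * 8
    + [NOP, WSOPT, 3, 7, CC, 6, 0, 0, 0, 1, 30, 4, 0, 0, EOL]
)

if __name__ == "__main__":
    result = filter_tcp_options(SAMPLE_OPTIONS)
    print(result.options.hex(), result.log)
```

On the sample the standard options survive untouched, the 6-byte CC option and the 4-byte unknown option are replaced by NOPs, and only the unknown option produces a log line, matching the StripLog versus StripLogBad distinction. Feeding an MSS option with a length byte of 5 returns `options=None` with a TCPOptionSizes log entry.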
13.3. ICMP Level Settings
ICMPSendPerSecLimit
Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section.
13.4. ARP Settings
ARPMatchEnetSender
Determines if NetDefendOS will require the sender address at Ethernet level to comply with the hardware address reported in the ARP data.
Default: DropLog
ARPQueryNoSenderIP
What to do with ARP queries that have a sender IP of 0.0.0.0. Such sender IPs are never valid in responses, but network units that have not yet learned of their IP address sometimes ask ARP questions with an "unspecified"...
ARPExpire
Specifies how long a normal dynamic item in the ARP table is to be retained before it is removed from the table.
Default: 900 seconds (15 minutes)
ARPExpireUnknown
Specifies how long NetDefendOS is to remember addresses that cannot be reached. This is done to ensure that NetDefendOS does not continuously request such addresses.
This generates a log message for every packet that passes through a connection that is set up in the NetDefendOS state engine. Traffic whose destination is the D-Link Firewall itself, e.g. NetDefendOS management traffic, is not subject to this setting.
LogConnections
• NoLog – Does not log any connections; consequently, it will not matter if logging is enabled for either Allow or NAT rules in the Rules section; they will not be logged. However, FwdFast, Drop and Reject rules will be logged as stipulated by the settings in the Rules section.
•...
13.6. Connection Timeouts
The settings in this section specify how long a connection can remain idle, i.e. no data being sent through it, before it is automatically closed. Please note that each connection has two timeout values: one for each direction.
13.7. Size Limits by Protocol
This section contains information about the size limits imposed on the protocols directly under IP level, i.e. TCP, UDP, ICMP, etc. The values specified here concern the IP data contained in packets. In the case of Ethernet, a single packet can contain up to 1480 bytes of IP data without fragmentation.
Specifies the maximum size of an OSPF packet. OSPF is a routing protocol mainly used in larger LANs.
Default: 1480
MaxIPIPLen
Specifies the maximum size of an IP-in-IP packet. IP-in-IP is used by Checkpoint Firewall-1 VPN connections when IPsec is not used.
13.8. Fragmentation Settings
IP is able to transport up to 65536 bytes of data. However, most media, such as Ethernet, cannot carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate packets, each one given its own IP header and information that will help the recipient reassemble the original packet correctly.
Default: Check8 – compare 8 random locations, a total of 32 bytes
FragReassemblyFail
Reassemblies may fail due to one of the following causes:
• Some of the fragments did not arrive within the time stipulated by the ReassTimeout or ReassTimeLimit settings.
up. Possible settings are as follows:
• NoLog - No logging is carried out under normal circumstances.
• LogSuspect - Logs duplicated fragments if the reassembly procedure has been affected by "suspect" fragments.
• LogAll - Always logs duplicated fragments.
ReassIllegalLinger
order to prevent further fragments of that packet from arriving.
Default: 60 seconds...
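The fragmentation settings in this section revolve around three situations a reassembler has to handle: a duplicated fragment that is harmless because its content matches, a "suspect" fragment whose bytes differ from data already held for the same offsets, and fragments that never complete before a timeout. The following is an added example written for this page, not NetDefendOS code. It compares the whole overlapping range rather than the 8 sampled locations of the Check8 setting, which is the stricter check; the class and method names, the byte-based offsets (the real header counts 8-byte units) and the sample fragments are all constructed here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    """One IP fragment.  Offsets are in bytes here for readability."""
    ident: int      # IP Identification field, shared by all fragments of one datagram
    offset: int
    more: bool      # More Fragments (MF) flag
    data: bytes


def fragment(ident, payload, size):
    """Split `payload` into fragments of `size` bytes (a multiple of 8, as IP requires)."""
    assert size % 8 == 0
    pieces = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [Fragment(ident, i * size, i < len(pieces) - 1, p) for i, p in enumerate(pieces)]


class FragmentReassembler:
    """Reassembles datagrams; conflicting overlaps and timeouts fail the reassembly."""

    def __init__(self, timeout=60.0):
        self.timeout = timeout
        self._pending: Dict[int, dict] = {}     # ident -> {"frags": {offset: data}, "total", "first"}
        self.log: List[str] = []

    def pending_ids(self):
        return sorted(self._pending)

    def receive(self, frag: Fragment, now: float) -> Tuple[str, Optional[bytes]]:
        """Returns ('pending', None), ('duplicate', None), ('failed', None) or ('complete', data)."""
        entry = self._pending.setdefault(frag.ident, {"frags": {}, "total": None, "first": now})
        start, end = frag.offset, frag.offset + len(frag.data)
        for off, data in entry["frags"].items():
            lo, hi = max(start, off), min(end, off + len(data))
            if lo >= hi:
                continue                                   # no overlap with this held fragment
            if frag.data[lo - start:hi - start] != data[lo - off:hi - off]:
                # Same offsets, different bytes: a suspect fragment, abandon the datagram.
                self.log.append(f"id={frag.ident}: fragment {start}-{end} overlaps held data "
                                f"with different bytes; reassembly failed")
                del self._pending[frag.ident]
                return "failed", None
            if off <= start and off + len(data) >= end:
                # Fully covered by identical data: a harmless duplicate.
                self.log.append(f"id={frag.ident}: duplicate fragment at offset {start}")
                return "duplicate", None
        entry["frags"][start] = frag.data
        if not frag.more:
            entry["total"] = end                           # the last fragment fixes the datagram size
        return self._try_complete(frag.ident, entry)

    def _try_complete(self, ident, entry):
        total = entry["total"]
        if total is None:
            return "pending", None
        covered = 0
        for off in sorted(entry["frags"]):
            if off > covered:
                return "pending", None                     # a gap remains; wait for more
            covered = max(covered, off + len(entry["frags"][off]))
        if covered > total:
            self.log.append(f"id={ident}: data beyond the last fragment; reassembly failed")
            del self._pending[ident]
            return "failed", None
        buf = bytearray(total)
        for off, data in entry["frags"].items():
            buf[off:off + len(data)] = data
        del self._pending[ident]
        return "complete", bytes(buf)

    def expire(self, now):
        """Drop reassemblies older than the timeout and report their identifiers."""
        stale = [i for i, e in self._pending.items() if now - e["first"] > self.timeout]
        for i in stale:
            self.log.append(f"id={i}: reassembly timed out after {self.timeout} s")
            del self._pending[i]
        return stale


if __name__ == "__main__":
    r = FragmentReassembler(timeout=60.0)
    for f in reversed(fragment(7, bytes(range(20)), 8)):   # constructed, out of order
        print(r.receive(f, 0.0))
```

The main-block run delivers a three-fragment datagram in reverse order and prints two pending results followed by the complete 20-byte payload. A fragment whose bytes disagree with data already held for the same range produces a "failed" result and a log line, which is the situation the LogSuspect value of the duplicate-fragment logging setting is about.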
13.9. Local Fragment Reassembly Settings
LocalReass_MaxConcurrent
Maximum number of concurrent local reassemblies.
Default: 256
LocalReass_MaxSize
Maximum size of a locally reassembled packet.
Default: 10000
LocalReass_NumLarge
Number of large (over 2K) local reassembly buffers (of the above size).
Default: 32...
13.10. DHCP Settings
DHCP_MinimumLeaseTime
Minimum lease time (seconds) accepted from the DHCP server.
Default: 60
DHCP_ValidateBcast
Require that the assigned broadcast address is the highest address in the assigned network.
Default: Enabled
DHCP_AllowGlobalBcast
Allow the DHCP server to assign 255.255.255.255 as broadcast.
13.11. DHCPRelay Settings
DHCPRelay_MaxTransactions
Maximum number of transactions at the same time.
Default: 32
DHCPRelay_TransactionTimeout
For how long a DHCP transaction can take place.
Default: 10 seconds
DHCPRelay_MaxPPMPerIface
How many DHCP packets a client can send through NetDefendOS to the DHCP server during one minute.
13.12. DHCPServer Settings
DHCPServer_SaveLeasePolicy
What policy should be used to save the lease database to the disk; possible settings are Disabled, ReconfShut, or ReconfShutTimer.
Default: ReconfShut
DHCPServer_AutoSaveLeaseInterval
How often the lease database should be saved to disk if DHCPServer_SaveLeasePolicy is set to ReconfShutTimer.
13.13. IPsec Settings
IKESendInitialContact
Determines whether or not IKE should send the "Initial Contact" notification message. This message is sent to each remote gateway when a connection is opened to it and there are no previous IPsec SAs using that gateway.
IPsecDeleteSAOnIPValidationFailure
Controls what happens to the SAs if IP validation in Config Mode fails. If Enabled, the SAs are dropped on failure.
Default: Disabled...
13.14. Transparent Mode Settings
Transp_CAMToL3CDestLearning
Enable this if the firewall should be able to learn the destination for hosts by combining destination address information and information found in the CAM table.
Default: Enabled
Transp_DecrementTTL
Enable this if the TTL should be decremented each time a packet traverses the firewall in Transparent Mode.
Default: DropLog
MulticastEnetSender
Defines what to do when receiving a packet that has the sender hardware (MAC) address in the Ethernet header set to a multicast Ethernet address. Options:
• Accept - Accept packet
• AcceptLog - Accept packet and log
•...
13.15. Logging Settings
LogSendPerSecLimit
This setting limits how many log packets NetDefendOS may send out per second. This value should never be set too low, as this may result in important events not being logged, nor should it be set too high.
13.16. High Availability Settings
ClusterID
A (locally) unique cluster ID to use in identifying this group of HA D-Link Firewalls.
Default: 0
HASyncBufSize
How much sync data, in KB, to buffer while waiting for acknowledgments from the cluster peer.
13.17. Time Synchronization Settings
TimeSync_SyncInterval
Seconds between each resynchronization.
Default: 86400
TimeSync_MaxAdjust
Maximum time drift that a server is allowed to adjust.
Default: 3600
TimeSync_ServerType
Type of server for time synchronization, UDPTime or SNTP (Simple Network Time Protocol).
Default: SNTP
TimeSync_GroupIntervalSize
Interval according to which server responses will be grouped.
DST offset in minutes.
Default: 0
TimeSync_DSTStartDate
What month and day DST starts, in the format MM-DD.
Default: none
TimeSync_DSTEndDate
What month and day DST ends, in the format MM-DD.
Default: none...
13.19. HTTP Poster Settings
HTTPPoster_URL1, HTTPPoster_URL2, HTTPPoster_URL3
The URLs specified here will be posted in order when NetDefendOS is loaded.
HTTPPoster_RepDelay
Delay in seconds until all URLs are refetched.
Default: 604800...
13.20. PPP Settings
PPP_L2TPBeforeRules
Pass L2TP traffic sent to the D-Link Firewall directly to the L2TP Server without consulting the rule-set.
Default: Enabled
PPP_PPTPBeforeRules
Pass PPTP traffic sent to the D-Link Firewall directly to the PPTP Server without consulting the rule-set.
13.21. IDP
IDP_UpdateInterval
The number of seconds between automatic IDP signature updates. A value of 0 stops automatic updates.
Default: 43200 (=12 hours)
13.22. Hardware Monitor Settings
HWM_PollInterval
Polling interval for the Hardware Monitor, which is the delay in milliseconds between readings of hardware monitor values. Minimum 100, Maximum 10000.
Default: 500 ms
HWMMem_Interval
Memory polling interval, which is the delay in minutes between readings of memory values. Minimum 1, Maximum 200.
13.23. Packet Re-assembly Settings
Packet re-assembly collects IP fragments into complete IP datagrams and, for TCP, reorders segments so that they are processed in the correct order; it also keeps track of potential segment overlaps and informs other sub-systems of such overlaps.
13.24. Miscellaneous Settings
BufFloodRebootTime
As a final way out, NetDefendOS automatically reboots if its buffers have been flooded for a long time. This setting specifies this amount of time.
Default: 3600
HighBuffers
The number of buffers to allocate in RAM above the 1 MB limit.
Default: 3% of total RAM, with a lower limit of 1024+lowbuffers
MaxPipeUsers
The maximum number of pipe users to allocate.
Dynamic Web Content Filtering module all function using external D-Link databases which contain details of the latest viruses, security threats and URL categorization. These databases are constantly being updated and to get access to the latest updates a D-Link Security Update Subscription should be taken out. This is done by:
•...
To get the status of AV updates:
gw-world:/> updatecenter -status Antivirus
Querying Server Status
To get the status of the D-Link network servers use the command:
gw-world:/> updatecenter -servers
Deleting Local Databases
Some technical problem in the operation of either the IDP or the Anti-Virus modules may be resolved by deleting the database and reloading.
For IDP scanning, the following signature groups are available for selection. These groups are available only for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Policy. For further information see Section 6.3, “Intrusion Detection and Prevention”.
Appendix B. IDP Signature Groups
Group Name                Intrusion Type
FTP_FORMATSTRING          Format string attack
FTP_GENERAL               FTP protocol and implementation
FTP_LOGIN                 Login attacks
FTP_OVERFLOW              FTP buffer overflow
GAME_BOMBERCLONE          Bomberclone game
GAME_GENERAL              Generic game servers/clients
GAME_UNREAL               UnReal Game server
HTTP_APACHE               Apache httpd
HTTP_BADBLUE              Badblue web server
HTTP_CGI                  HTTP CGI...
POP3_DOS                  Denial of Service for POP
POP3_GENERAL              Post Office Protocol v3
POP3_LOGIN-ATTACKS        Password guessing and related login attack
POP3_OVERFLOW             POP3 server overflow
POP3_REQUEST-ERRORS       Request Error
PORTMAPPER_GENERAL        PortMapper
PRINT_GENERAL             LP printing server: LPR LPD
PRINT_OVERFLOW            Overflow of LPR/LPD protocol/implementation
REMOTEACCESS_GOTOMYPC...
TFTP_OPERATION            Operation Attack
TFTP_OVERFLOW             TFTP buffer overflow attack
TFTP_REPLY                TFTP Reply attack
TFTP_REQUEST              TFTP request attack
TROJAN_GENERAL            Trojan
UDP_GENERAL               General UDP
UDP_POPUP                 Pop-up window for MS Windows
UPNP_GENERAL              UPNP
VERSION_CVS
VERSION_SVN               Subversion
VIRUS_GENERAL             Virus...
Appendix C. Anti-Virus MIME filetypes
For Anti-virus scanning, the following MIME filetypes can be checked to make sure that the content matches the filetype of a file download. Checking is done only if the option is enabled as described in Section 6.4.6, “Anti-Virus Options”.
Filetype extension        Application
3d Studio files...
Windows Executable
Free Graphics Format file
flac  Free Lossless Audio Codec file
FLIC Animated Picture
FLIC Animation
Macromedia Flash Video
gdbm  Database file
Graphic Interchange Format file
gzip, gz, tgz  Gzip compressed archive
HAP archive data
HPack compressed file archive
Macintosh BinHex 4 compressed archive...
Acrobat Portable Document Format
Portable Executable file
PostScript Type 1 Font
Portable Graymap Graphic
SysV R4 PKG Datastreams
PAKLeo archive data
PMarc archive data
Portable (Public) Network Graphic
PBM Portable Pixelmap Graphic
PostScript file
PSA archive data
Photoshop Format file...
GIMP Image file
Fast Tracker 2 Extended Module, audio file
XML file
xmcd  xmcd database file for kscd
BMC Software Patrol UNIX Icon file
YAC compressed archive
ZIF image
Zip compressed archive file
ZOO compressed archive file
ZPack archive data
Unix compressed file...
Appendix D. The OSI Framework
The Open Systems Interconnection Model defines a framework for intercomputer communications. It categorizes different protocols for a great variety of network applications into seven smaller, more manageable layers. The model describes how data from an application in one computer can be transferred through a network medium to an application on another computer.
Appendix E. D-Link worldwide offices Below is a complete list of D-Link worldwide sales offices. Please check your own country area's local website for further details regarding support of D-Link products as well as contact details for local support. Australia 1 Giffnock Avenue, North Ryde, NSW 2113, Australia.
FAX: +972-9-9715601. Website: www.dlink.co.il
Italy
Via Nino Bonnet n. 6/b, 20154 – Milano, Italy. TEL: 39-02-2900-0676, FAX: 39-02-2900-1723. Website: www.dlink.it
LatinAmerica
Isidora Goyeechea 2934, Oficina 702, Las Condes, Santiago – Chile. TEL: 56-2-232-3185, FAX: 56-2-232-0923. Website: www.dlink.cl...