OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LI- ABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE PRODUCT.
13.24. Miscellaneous Settings ............... 279 A. Subscribing to Security Updates ................ 281 B. IDP Signature Groups ..................283 C. Anti-Virus MIME filetypes ................287 D. The OSI Framework ..................291 E. D-Link worldwide offices ................292 Alphabetical Index ..................... 294 viii...
List of Figures 1.1. Packet Flow Schematic Part I ................6 1.2. Packet Flow Schematic Part II ................7 1.3. Packet Flow Schematic Part III ................8 4.1. A Route Failover Scenario for ISP Access ............71 4.2. Virtual Links Example 1 ..................83 4.3.
5.3. Setting up Static DHCP ...................99 5.4. Setting up a DHCP relayer ................100 6.1. Setting up an Access Rule ................104 6.2. Protecting an FTP Server with ALG ..............106 6.3. Protecting FTP Clients .................. 109 6.4. Protecting Phones Behind D-Link Firewalls ............113...
6.7. Using Private IP Addresses ................116 6.8. H.323 with Gatekeeper .................. 118 6.9. H.323 with Gatekeeper and two D-Link Firewalls ..........119 6.10. Using the H.323 ALG in a Corporate Environment ........... 120 6.11. Configuring remote offices for H.323 ............. 123 6.12.
The target audience for this reference guide is Administrators who are responsible for configuring and managing D-Link Firewalls which are running the NetDefendOS operating system. This guide assumes that the reader has some basic knowledge of networks and network security.
Notes to the main text Preface Notes to the main text Special sections of text which the reader should pay special attention to are indicated by icons on the the left hand side of the page followed by a short paragraph in italicized text. Such sections have the following types and purposes: Note This indicates some piece of information that is an addition to the preceding text.
• NetDefendOS Architecture, page 3 • NetDefendOS Packet Flow, page 6 1.1. About D-Link NetDefendOS D-Link NetDefendOS is the firmware, the software engine that drives and controls all D-Link Fire- wall products. Designed as a network security operating system, NetDefendOS features high throughput perform- ance with high reliability plus super-granular control.
Chapter 2, Operations and Maintenance. ZoneDefense NetDefendOS can be used to control D-Link switches using the ZoneDefense feature. Reading through this documentation carefully will ensure that you get the most out of your NetDe- fendOS product. In addition to this document, the reader should also be aware of the companion volumes: •...
1.2. NetDefendOS Architecture Chapter 1. Product Overview 1.2. NetDefendOS Architecture 1.2.1. State-based Architecture The NetDefendOS architecture is centered around the concept of state-based connections. Tradition- al IP routers or switches commonly inspect all packets and then perform forwarding decisions based on information found in the packet headers.
1.2.3. Basic Packet Flow Chapter 1. Product Overview • If the Ethernet frame contains a PPP payload, the system checks for a matching PPPoE in- terface. If one is found, that interface becomes the source interface for the packet. If no matching interface is found, the packet is dropped and the event is logged.
1.2.3. Basic Packet Flow Chapter 1. Product Overview connection. 10. The Traffic Shaping and the Threshold Limit Rule-sets are now searched. If a match is found, the corresponding information is recorded with the state. This will enable proper traffic man- agement on the connection.
1.3. NetDefendOS Packet Flow Chapter 1. Product Overview 1.3. NetDefendOS Packet Flow The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next. Figure 1.1. Packet Flow Schematic Part I The packet flow is continued on the following page.
Chapter 2. Operations and Maintenance This chapter describes the operations and maintenance related aspects of NetDefendOS. • Configuring NetDefendOS, page 10 • Events and Logging, page 21 • RADIUS Accounting, page 24 • Maintenance, page 28 2.1. Configuring NetDefendOS 2.1.1. Overview NetDefendOS is designed to give both high performance and high reliability.
The serial console port is a RS-232 port that enables access to the CLI through a serial connection to a PC or terminal. To locate the serial console port on your D-Link system, please see the D-Link quickstart guide .
2.1.4. Web Interface Chapter 2. Operations and Maintenance SSH (Secure Shell) The SSH (Secure Shell) protocol can be used to access the CLI over the network from a remote host. SSH is a protocol primarily used for secure communication over insecure networks, providing strong authentication and data integrity.
To access the web interface, launch a standard web browser and point the browser at the IP address of the firewall. The factory default address for all D-Link Firewalls is 192.168.1.1. You MUST use https:// as the protocol of the URL in the browser eg: https://192.168.1.1 (https will protect the username and password with encryption when they are sent to NetDefendOS).
2.1.4. Web Interface Chapter 2. Operations and Maintenance Note Access to the web interface is regulated by the remote management policy. By default, the system will only allow web access from the internal network. 188.8.131.52. Interface Layout The main web interface page is divided into three major sections: Menu bar The menu bar located at the top of the web interface contains a number of but- tons and drop-down menus that are used to perform configuration tasks as well as...
2.1.5. Working with Configurations Chapter 2. Operations and Maintenance gw-world:/> add RemoteManagement RemoteMgmtHTTP https Network=all-nets Interface=any LocalUserDatabase=AdminUsers HTTPS=Yes Web Interface Go to System > Remote Management > Add > HTTP/HTTPS Management Enter a Name for the HTTP/HTTPS remote management policy, e.g. https. Check the HTTPS checkbox.
2.1.5. Working with Configurations Chapter 2. Operations and Maintenance Example 2.3. Listing Configuration Objects This example shows how to list all service objects. gw-world:/> show Service A list of all services will be displayed, grouped by their respective type. Web Interface Go to Objects >...
2.1.5. Working with Configurations Chapter 2. Operations and Maintenance Note When accessing object via the CLI you can omit the category name and just use the type name. The CLI command in the above example, for instance, could be simplified gw-world:/>...
2.1.5. Working with Configurations Chapter 2. Operations and Maintenance dress Book. gw-world:/> add Address IP4Address myhost Address=192.168.10.10 Show the new object: gw-world:/> show Address IP4Address myhost Property Value --------------------- ------------- Name: myhost Address: 192.168.10.10 UserAuthGroups: (none) NoDefinedCredentials: Comments: (none) Web Interface Go to Objects >...
2.1.5. Working with Configurations Chapter 2. Operations and Maintenance gw-world:/> undelete Address IP4Address myhost Web Interface Go to Objects > Address Book Right-click on the row containing the myhost object. In the dropdown menu displayed, select Undo Delete. Listing Modified Objects After modifying several configuration objects, you might want to see a list of the objects that were changed, added and removed since the last commit.
2.1.5. Working with Configurations Chapter 2. Operations and Maintenance Example 2.10. Activating and Committing a Configuration This example shows how to activate and commit a new configuration. gw-world:/> activate The system will validate and start using the new configuration. When the command prompt is shown again: gw-world:/>...
NetDefendOS can distribute event messages using the following standards and protocols: Memlog A D-Link Firewall has a built in logging mechanism known as the Memory Log. This re- tains all event log messages in memory and allows direct viewing of log messages through the web interface.
2.2.3. Event Message Distribution Chapter 2. Operations and Maintenance 184.108.40.206. Logging to Syslog Hosts Syslog is a standardized protocol for sending log data to loghosts, although there is no standardized format of these log messages. The format used by NetDefendOS is well suited for automated pro- cessing, filtering and searching.
2.2.3. Event Message Distribution Chapter 2. Operations and Maintenance...
RADIUS sessions. All statistics are updated for an authenticated user whenever a connection related to an authenticated user is closed. When a new client session is started by a user establishing a new connection through the D-Link Firewall, NetDefendOS sends an AccountingRequest START message to a nominated RADIUS server, to record the start of the new session.
Delay Time - See the above comment about this parameter. • Timestamp - The number of seconds since 1970-01-01. Used to set a timestamp when this packet was sent from the D-Link Firewall. In addition to this, two more attributes are possibly sent: •...
2.3.3. Interim Accounting Messages Chapter 2. Operations and Maintenance Note The (*) symbol in the above list indicates that the sending of the parameter is user configurable. 2.3.3. Interim Accounting Messages In addition to START and STOP messages NetDefendOS can optionally periodically send Interim Accounting Messages to update the accounting server with the current status of an authenticated user.
2.3.7. Handling Unresponsive Servers Chapter 2. Operations and Maintenance In an HA cluster, accounting information is synched between the active and passive D-Link Fire- walls. This means that accounting information is automatically updated on both cluster members whenever a connection is closed. Two special accounting events are also used by the active unit to keep the passive unit synchronized: •...
Reset alternative for the DFL-210/260/800/860 only To reset the DFL-210/260/800/860 you must hold down the reset button at the rear panel for 10-15 seconds while powering on the unit. After that, release the reset button and the DFL-210/800 will continue to load and startup in default mode, i.e.
To facilitate the Auto-Update feature D-Link maintains a global infrastructure of servers providing update services for D-Link Firewalls. To ensure availability and low response times, NetDefendOS employs a mechanism for automatically selecting the most appropriate server to supply updates.
2.4.3. Auto-Update Mechanism Chapter 2. Operations and Maintenance...
Chapter 3. Fundamentals This chapter describes the fundamental logical objects upon which NetDefendOS is built. These lo- gical objects include such things as addresses, services and schedules. In addition, this chapter ex- plains how the various supported interfaces work, it outlines how policies are constructed and how basic system settings are configured.
3.1.2. IP Addresses Chapter 3. Fundamentals For example: 192.168.0.0/24 IP Range A range of IP addresses is represented on the form a.b.c.d - e.f.g.h. Please note that ranges are not limited to netmask boundaries; they may include any span of IP ad- dresses.
3.1.3. Ethernet Addresses Chapter 3. Fundamentals Go to Objects > Address Book > Add > IP address Specify a suitable name for the IP Range, for instance wwwservers. Enter 192.168.10.16-192.168.10.21 in the IP Address textbox. Click OK. Example 3.4. Deleting an Address Object To delete an object named wwwsrv1 in the Address Book, do the following: gw-world:/>...
3.1.5. Auto-Generated Address Ob- Chapter 3. Fundamentals jects 3.1.4. Address Groups Address objects can be grouped in order to simplify configuration. Consider a number of public servers that should be accessible from the Internet. The servers have IP addresses that are not in a sequence, and can therefore not be referenced to as a single IP range.
3.2. Services Chapter 3. Fundamentals 3.2. Services 3.2.1. Overview A Service object is a reference to a specific IP protocol with associated parameters. A Service defin- ition is usually based on one of the major transport protocols such as TCP or UDP, with the associ- ated port number(s).
To define a TCP or UDP service in the D-Link Firewall, a TCP/UDP Service object is used. This type of object contains, apart from a unique name describing the service, also information on what protocol (TCP, UDP or both) and what source and destination ports are applicable for the service.
Passing ICMP Errors If an attempt to open a TCP connection is made by a user ap- plication behind the D-Link Firewall and the remote server is not in operation, an ICMP error message is returned as the re- sponse. These ICMP errors can either be ignored or allowed to pass through, back to the requesting application.
3.2.4. Custom IP Protocol Services Chapter 3. Fundamentals The ICMP message types that can be configured in NetDefendOS are listed as follows: • Echo Request: sent by PING to a destination in order to check connectivity. • Destination Unreachable: the source is told that a problem has occurred when delivering a pack- et.
3.2.4. Custom IP Protocol Services Chapter 3. Fundamentals Example 3.9. Adding a IP Protocol Service This example shows how to add an IP Protocol Service, with the Virtual Router Redundancy Protocol. gw-world:/> add Service ServiceIPProto VRRP IPProto=112 Web Interface Go to Objects > Services > Add > IP protocol service Specify a suitable name for the service, for instance VRRP.
3.3. Interfaces Chapter 3. Fundamentals 3.3. Interfaces 3.3.1. Overview An Interface is one of the most important logical building blocks in NetDefendOS. All network traffic that passes through or gets terminated in the system is done so through one or several inter- faces.
NetDefendOS itself that will deal with the traffic. Examples of the use of core would be when the D-Link Firewall acts as a PPTP or L2TP server or is to respond to ICMP "Ping" requests. By specifying the Destination Interface of a route as core, NetDefen- dOS will then know that it is itself that is the ultimate destination of the traffic.
N represents the number of the interface if your D-Link Firewall has more than one of these interfaces. In most of the examples in this guide lan is used for LAN traffic and wan is used for WAN traffic.
3.3.3. Virtual LAN Chapter 3. Fundamentals Check the Enable DHCP client control. Click OK. 3.3.3. Virtual LAN NetDefendOS is fully compliant with the IEEE 802.1Q specification for Virtual LANs. On a pro- tocol level, Virtual LANs work by adding a Virtual LAN identifier (VLAN ID) to the Ethernet frame header.
3.3.4. PPPoE Chapter 3. Fundamentals DSL line, wireless device or cable modem. All the users on the Ethernet share a common connec- tion, while access control can be done on a per-user basis. Internet server providers (ISPs) often require customers to connect through PPPoE to their broad- band service.
3.3.5. Interface Groups Chapter 3. Fundamentals If dial-on-demand is enabled, the PPPoE connection will only be up when there is traffic on the PPPoE interface. It is possible to configure how the firewall should sense activity on the interface, either on outgoing traffic, incoming traffic or both. Also configurable is the time to wait with no activity before the tunnel is disconnected.
3.3.5. Interface Groups Chapter 3. Fundamentals Web Interface Go to Interfaces > Interface Groups > Add > InterfaceGroup Enter the following information to define the group: • Name: The name of the group to be used later • Security/Transport Equivalent: If enabled, the interface group can be used as a destination interface in rules where connections might need to be moved between the interfaces.
3.4. ARP Chapter 3. Fundamentals 3.4. ARP 3.4.1. Overview Address Resolution Protocol (ARP) is a protocol, which maps a network layer protocol address to a data link layer hardware address and it is used to resolve an IP address into its corresponding Ether- net address.
3.4.4. Static and Published ARP Chapter 3. Fundamentals Entries cifies how long NetDefendOS is to remember addresses that cannot be reached. This is done to en- sure that NetDefendOS does not continously request such addresses. The default value for this set- ting is 3 seconds.
3.4.4. Static and Published ARP Chapter 3. Fundamentals Entries dresses) as well as publishing IP addresses with a specific Ethernet address. Static ARP Entries Static ARP items may help in situations where a device is reporting incorrect Ethernet address in re- sponse to ARP requests.
3.4.5. Advanced ARP Settings Chapter 3. Fundamentals XPublish "lies" about the sender Ethernet address in the Ethernet header; this is set to be the same as the published Ethernet address rather than the actual Ethernet address of the Ethernet interface. If a published Ethernet address is the same as the Ethernet address of the interface, it will make no dif- ference if you select Publish or XPublish, the result will be the same.
3.4.5. Advanced ARP Settings Chapter 3. Fundamentals Sender IP 0.0.0.0 NetDefendOS can be configured on what to do with ARP queries that have a sender IP of 0.0.0.0. Such sender IPs are never valid in responses, but network units that have not yet learned of their IP address sometimes ask ARP questions with an "unspecified"...
3.5.2. Rule Evaluation When a new TCP/IP connection is being established through the D-Link Firewall, the list of IP rules are evaluated from top to bottom until a rule that matches the parameters of that new connection is found.
3.5.4. Editing IP Rule-set Entries Chapter 3. Fundamentals 3.5.3. IP Rule components A rule consists of two logical parts: the connection parameters and the action to take if there is a match with those parameters. Rule parameters are pre-defined and reusable network objects such as Addresses and Services, which can be used in any rule to specify the criteria for a match.
3.5.4. Editing IP Rule-set Entries Chapter 3. Fundamentals 3.5.4. Editing IP Rule-set Entries After adding various rules to the rule-set editing any line can be achieved in the Web-UI by right clicking on that line. A context menu will appear with the following options: Edit This allows the contents of the rule to be changed.
3.6. Schedules Chapter 3. Fundamentals 3.6. Schedules In some scenarios, it might be useful to control not only what functionality is enabled, but also when that functionality is being used. For instance, the IT policy of an enterprise might stipulate that web traffic from a certain department is only allowed access outside that department during normal office hours.
3.6. Schedules Chapter 3. Fundamentals • Action: NAT • Service: http • Schedule: OfficeHours • SourceInterface: lan • SourceNetwork lannet • DestinationInterface: any • DestinationNetwork: all-nets Click OK.
3.7. X.509 Certificates Chapter 3. Fundamentals 3.7. X.509 Certificates NetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. This in- volves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication. 3.7.1.
VPN tunnel, provided the certificate validation procedure described above succeeded. 3.7.7. X.509 Certificates in NetDefendOS X.509 certificates can be uploaded to the D-Link Firewall for use in IKE/IPsec authentication, Webauth etc. There are two types of certificates that can be uploaded, self signed certificates and re- mote certificates belonging to a remote peer or CA server.
3.8.2. Time Servers Chapter 3. Fundamentals Example 3.20. Setting the Time Zone To modify the NetDefendOS time zone to be GMT plus 1 hour, follow the steps outlined below: gw-world:/> set DateTime Timezone=GMTplus1 Web Interface Go to System > Date and Time Select (GMT+01:00) in the Timezone drop-down list.
3.8.2. Time Servers Chapter 3. Fundamentals 220.127.116.11. Time Synchronization Protocols Time Synchronization Protocols are standardised methods for retrieving time information from ex- ternal Time Servers. NetDefendOS supports the following time synchronization protocols: • SNTP - Defined by RFC 2030, The Simple Network Time Protocol (SNTP) is a lightweight im- plementation of NTP (RFC 1305).
3.8.2. Time Servers Chapter 3. Fundamentals Example 3.23. Manually Triggering a Time Synchronization Time synchronization can be triggered from the CLI. The output below shows a typical response. gw-world:/> time -sync Attempting to synchronize system time... Server time: 2007-02-27 12:21:52 (UTC+00:00) Local time: 2007-02-27 12:24:30 (UTC+00:00) (diff: 158) Local time successfully changed to server time.
86,400 seconds (1 day), meaning that the time synchronization process is executed once in a 24 hour period. 18.104.22.168. D-Link Time Servers Using D-Link's own Time Servers is an option in NetDefendOS and this is the recommended way of synchronizing the firewall clock. These servers communicate with NetDefendOS using the SNTP protocol.
3.9. DNS Lookup Chapter 3. Fundamentals 3.9. DNS Lookup A DNS server resolves a textual URL address into a numeric IP address. This allows the actual physical IP address to change while the URL can stay the same. URLs can be used in various areas of a NetDefendOS configuration where IP addresses are un- known, or where it makes more sense to make use of DNS resolution instead of using static IP ad- dresses.
3.9. DNS Lookup Chapter 3. Fundamentals...
Chapter 4. Routing This chapter describes how to configure IP routing in NetDefendOS. • Overview, page 66 • Static Routing, page 67 • Policy-based Routing, page 76 • Dynamic Routing, page 80 • Transparent Mode, page 88 4.1. Overview IP routing capabilities belong to the most fundamental functionalities of NetDefendOS: any IP pack- et flowing through the system will be subjected to at least one routing decision at some point in time, and proper setup of routing is crucial for a NetDefendOS system to function as expected.
4.2.1. Static Routing in NetDefendOS Chapter 4. Routing 4.2.1. Static Routing in NetDefendOS This section describes how routing is implemented in NetDefendOS, and how to configure static routing. NetDefendOS supports multiple routing tables. A default table called main is pre-defined and is al- ways present in NetDefendOS.
4.2.1. Static Routing in NetDefendOS Chapter 4. Routing Persistent Routes: None The corresponding routing table in NetDefendOS is similar to this: Flags Network Iface Gateway Local IP Metric ----- ------------------ -------- -------------- --------- ------ 192.168.0.0/24 10.0.0.0/8 0.0.0.0/0 192.168.0.1 The NetDefendOS way of describing the routes is easier to read and understand. Another advantage with this form of notation is that you can specify a gateway for a particular route without having a route that covers the gateways's IP address or despite the fact that the route covers the gateway's IP address is normally routed via another interface.
4.2.1. Static Routing in NetDefendOS Chapter 4. Routing 22.214.171.124/24 0.0.0.0/0 126.96.36.199 Web Interface To see the configured routing table: Go to Routing > Routing Tables Select and right-click the main routing table in the grid. Choose Edit in the menu. The main window will list the configured routes.
4.2.2. Route Failover Overview D-Link Firewalls are often deployed in mission-critical locations where availability and connectivity is crucial. A corporation relying heavily on access to the Internet, for instance, could have their op- erations severely disrupted if an Internet connection fails.
Host Monitoring The first two options check the accessibility of components local to the D-Link Firewall. An alternative is to monitor the accessibil- ity of one or more nominated remote hosts. These hosts might have known high availability and polling them can indicate if traffic from the local D-Link Firewall is reaching them.
4.2.2. Route Failover Chapter 4. Routing in the route that has the lowest Metric being chosen. If the primary WAN router should then fail, this will be detected by NetDefendOS, and the first route will be disabled. As a consequence, a new route lookup will be performed and the second route will be selected with the first one being marked as disabled.
Grace Period This is the period of time after startup or after reconfiguration of the D-Link Firewall which NetDefendOS will wait before starting Route Monitoring. This waiting period allows time for all network links to initialize once the firewall comes on- line.
Ethernet is separated into two parts with a routing device such as an in- stalled D-Link Firewall, in between. In such a case, NetDefendOS itself can respond to ARP re- quests directed to the network on the other side of the D-Link Firewall using the feature known as Proxy ARP.
4.3. Policy-based Routing Chapter 4. Routing 4.3. Policy-based Routing 4.3.1. Overview Policy-based Routing is an extension to the standard approach to routing described previously. It of- fers administrators significant flexibility in implementing routing decision policies by be able to define Policy-based Routing Rules. Normal routing forwards packets according to destination IP address information derived from static routes or from a dynamic routing protocol.
4.3.4. Policy-based Routing Table Se- Chapter 4. Routing lection based Routing rule can be triggered by the type of Service (eg. HTTP) in combination with the Source/Destination Interface and Source/Destination Network. When looking up Policy-based Rules, it is the first matching rule found that is triggered. 4.3.4.
4.3.5. The Ordering parameter Chapter 4. Routing Example 4.3. Creating a Policy-Based Routing table In this example we create a Policy-based Routing table named "TestPBRTable". Web Interface Go to Routing > Routing Tables > Add > RoutingTable Now enter: • Name: TestPBRTable •...
4.3.5. The Ordering parameter Chapter 4. Routing • This is a "drop-in" design, where there are no explicit routing subnets between the ISP gateways and the D- Link Firewall. In a provider-independent metropolitan area network, clients will likely have a single IP address, belonging to one of the ISPs.
4.4. Dynamic Routing 4.4.1. Dynamic Routing overview Dynamic routing is different to static routing in that the D-Link Firewall will adapt to changes of network topology or traffic load automatically. NetDefendOS first learns of all the directly connec- ted networks and gets further route information from other routers. Detected routes are sorted and the most suitable routes for destinations are added into the routing table and this information is dis- tributed to other routers.
4.4.2. OSPF Chapter 4. Routing Path length The sum of the costs associated with each link. A commonly used value for this metric is called "hop count" which is the number of routing devices a packet must pass through when it travels from source to destination. Item Bandwidth The traffic capacity of a path, rated by "Mbps".
4.4.2. OSPF Chapter 4. Routing advertise externally learned routes throughout the Autonomous System. Backbone Areas All OSPF networks need to have at least the backbone area, that is the area with ID 0. This is the area that all other areas should be connected to, and the backbone make sure to distribute routing information between the connected areas.
4.4.2. OSPF Chapter 4. Routing Virtual links are used for: • Linking an area that does not have a direct connection to the backbone. • Linking the backbone in case of a partitioned backbone. Area without direct connection to the backbone The backbone always need to be the center of all other areas.
4.4.3. Dynamic Routing Policy Chapter 4. Routing Figure 4.3. Virtual Links Example 2 The Virtual Link is configured between fw1 and fw2 on Area 1, as it is used as the transit area. In the configuration only the Router ID have to be configured, as in the example above show fw2 need to have a Virtual Link to fw1 with the Router ID 192.168.1.1 and vice versa.
4.4.3. Dynamic Routing Policy Chapter 4. Routing In a dynamic routing environment, it is important for routers to be able to regulate to what extent they will participate in the routing exchange. It is not feasible to accept or trust all received routing information, and it might be crucial to avoid that parts of the routing database gets published to oth- er routers.
4.4.3. Dynamic Routing Policy Chapter 4. Routing ble. Specify the destination routing table that the routes should be added to, in this case main. gw-world:/> cc DynamicRoutingRule ImportOSPFRoutes gw-world:/ImportOSPFRoutes> add DynamicRoutingRuleAddRoute Destination=MainRoutingTable Web Interface Go to Routing > Dynamic Routing Rules Click on the recently created ImportOSPFRoutes Go to OSPF Routing Action >...
4.4.3. Dynamic Routing Policy Chapter 4. Routing Click on the recently created ExportDefRoute. Go to OSPF Action > Add > DynamicRoutingRuleExportOSPF. In the Export to process control, choose as0. Click OK.
The D-Link Firewall can operate in two modes: Routing Mode or Transparent Mode. In Routing Mode, the D-Link Firewall performs all the functions of a Layer 3 router; if the firewall is placed in- to a network for the first time, or if network topology changes, the routing configuration must there- fore be thoroughly checked to ensure that the routing table is consistent with the new layout.
4.5.4. Enabling Transparent Mode Chapter 4. Routing When beginning communication, a host will locate the target host's physical address by broadcast- ing an ARP request. This request is intercepted by NetDefendOS and it sets up an internal ARP Transaction State entry and broadcasts the ARP request to all the other switch-route interfaces ex- cept the interface the ARP request was received on.
4.5.5. Transparent Mode example Chapter 4. Routing scenarios Example 4.8. Setting up Transparent Mode - Scenario 1 Web Interface Configure the interfaces: Go to Interfaces > Ethernet > Edit (wan) Now enter: • IP Address: 10.0.0.1 • Network: 10.0.0.0/24 • Default Gateway: 10.0.0.1 •...
Scenario 2 Figure 4.5. Transparent mode scenario 2 Here the D-Link Firewall in Transparent Mode separates server resources from an internal network by connecting them to a separate interface without the need for different address ranges. All hosts connected to LAN and DMZ (the lan and dmz interfaces) share the 10.0.0.0/24 address space. As...
4.5.5. Transparent Mode example Chapter 4. Routing scenarios Specify a suitable name for the rule, for instance HTTP-LAN-to-DMZ. Enter following: • Action: Allow • Source Interface: lan • Destination Interface: dmz • Source Network: all-nets • Destination Network: 10.1.4.10 Under the Service tab, choose http in the Pre-defined control Click the OK.
4.5.5. Transparent Mode example Chapter 4. Routing scenarios • Transparent Mode: Disable • Add route for interface network: Disable Click OK. Go to Interfaces > Ethernet > Edit (dmz) Now enter: • IP Address: 10.0.0.2 • Network: 10.0.0.0/24 • Transparent Mode: Disable •...
4.5.5. Transparent Mode example Chapter 4. Routing scenarios • Action: SAT • Service: http • Source Interface: wan • Destination Interface: dmz • Source Network: all-nets • Destination Network: wan_ip • Translate: Select Destination IP • New IP Address: 10.1.4.10 Click OK.
4.5.5. Transparent Mode example Chapter 4. Routing scenarios...
5.2. DHCP Servers Chapter 5. DHCP Services 5.2. DHCP Servers NetDefendOS has the ability to act as one or more logical DHCP servers. Filtering of DHCP client requests is based on interface, so each NetDefendOS interface can have, at most, one single logical DHCP server associated with it.
5.2. DHCP Servers Chapter 5. DHCP Services Example 5.2. Checking the status of a DHCP server Web Interface Select DHCP Server in the Status dropdown menu in the menu bar. DHCP leases are remembered by the system between system restarts.
5.3. Static DHCP Assignment Chapter 5. DHCP Services 5.3. Static DHCP Assignment Where the administrator requires a fixed relationship between a client and the assigned IP address, NetDefendOS allows the assignment of a given IP to a specific MAC address. Example 5.3.
5.4. DHCP Relaying Chapter 5. DHCP Services 5.4. DHCP Relaying With DHCP, clients send requests to locate the DHCP server(s) using broadcast messages. However, broadcasts are normally only propagated across the local network. This means that the DHCP server and client would always need to be in the same physical network area to be able to communicate.
6.1.3. Access Rule Settings Chapter 6. Security Mechanisms Access Rules can provide an anti-spoofing capability by providing an extra filter for source address verification. An Access Rule can verify that packets arriving at a given interface do not have a source address which is associated with a network of another interface.
6.1.3. Access Rule Settings Chapter 6. Security Mechanisms of this. It is always advisable to check Access Rules when troubleshooting puzzling problems in case a rule is preventing some other function, such as VPN tunnel astablishment, from working properly. Example 6.1. Setting up an Access Rule A rule is to be defined that ensures no traffic with a source address not within the lannet network is received on the lan interface.
After granting access, the server will provide the client with a file/directory listing from which it can download/upload files (depending on access rights). The FTP ALG is used to manage FTP connections through the D-Link Firewall.
The conversion also works the other way around, that is, with the FTP client using active mode and the FTP server using passive mode. Example 6.2. Protecting an FTP Server with ALG As shown, an FTP Server is connected to the D-Link Firewall on a DMZ with private IP addresses, shown below:...
6.2.3. File Transfer Protocol Chapter 6. Security Mechanisms To make it possible to connect to this server from the Internet using the FTP ALG, the FTP ALG and rules should be configured as follows: Web Interface Define the ALG: Go to Objects > ALG > Add > FTP ALG Enter Name: ftp-inbound Check Allow client to use active mode Uncheck Allow server to use passive mode...
6.2.3. File Transfer Protocol Chapter 6. Security Mechanisms • Name: SAT-ftp-inbound • Action: SAT • Service: ftp-inbound For Address Filter enter: • Source Interface: any • Destination Interface: core • Source Network: all-nets • Destination Network: wan_ip (assuming the external interface has been defined as this) For SAT check Translate the Destination IP Address.
Chapter 6. Security Mechanisms Example 6.3. Protecting FTP Clients In this scenario shown below the D-Link Firewall is protecting a workstation that will connect to FTP servers on the internet. To make it possible to connect to these servers from the internal network using the FTP ALG, the FTP ALG and...
6.2.4. Simple Mail Transfer Protocol Chapter 6. Security Mechanisms are no rules disallowing or allowing the same kind of ports/traffic before these rules. The service in use is the "ftp- outbound", which should be using the ALG definition "ftp-outbound" as described earlier. Allow connections to ftp-servers on the outside: Go to Rules >...
6.2.5. H.323 Chapter 6. Security Mechanisms • MIME Checking - Mail attachment file content can be checked against its filetype. A list of all filetypes checked can be found in Appendix C, Anti-Virus MIME filetypes. • Anti-Virus Scanning - The NetDefendOS Anti-Virus module can scan email attachments searching for malicious code.
The H.323 specification was not designed to handle NAT, as IP addresses and ports are sent in the payload of H.323 messages. The H.323 ALG modifies and translates H.323 messages to make sure that H.323 messages will be routed to the correct destination and allowed through the D-Link Fire- wall.
Example 6.4. Protecting Phones Behind D-Link Firewalls In the first scenario a H.323 phone is connected to the D-Link Firewall on a network (lannet) with public IP ad- dresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules.
Example 6.5. H.323 with private IP addresses In this scenario a H.323 phone is connected to the D-Link Firewall on a network with private IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules.
Click OK To place a call to the phone behind the D-Link Firewall, place a call to the external IP address on the firewall. If multiple H.323 phones are placed behind the firewall, one SAT rule has to be con- figured for each phone.
6.2.5. H.323 Chapter 6. Security Mechanisms Web Interface Outgoing Rule: Go to Rules > IP Rules > Add > IPRule Now enter: • Name: H323AllowOut • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet •...
Chapter 6. Security Mechanisms This scenario consists of two H.323 phones, each one connected behind the D-Link Firewall on a network with private IP addresses. In order to place calls on these phones over the Internet, the following rules need to be ad- ded to the rule-set in the firewall, make sure there are no rules disallowing or allowing the same kind of ports/ traffic before these rules.
Example 6.8. H.323 with Gatekeeper In this scenario, a H.323 gatekeeper is placed in the DMZ of the D-Link Firewall. A rule is configured in the firewall to allow traffic between the private network where the H.323 phones are connected on the internal network and to the Gatekeeper on the DMZ.
The D-Link Firewall with the Gatekeeper connected to the DMZ should be configured exactly as in scen- ario 3 The other D-Link Firewall should be configured as below. The rules need to be added to the rule listings, and it should be make sure there are no rules disallowing or allowing the same kind of ports/traffic before these...
6.2.5. H.323 Chapter 6. Security Mechanisms Web Interface Go to Rules > IP Rules > Add > IPRule Now enter: • Name: H323Out • Action: NAT • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: any • Source Network: lannet •...
6.2.5. H.323 Chapter 6. Security Mechanisms The head office has placed a H.323 Gatekeeper in the DMZ of the corporate D-Link Firewall. This firewall should be configured as follows: Web Interface Go to Rules > IP Rules > Add > IPRule Now enter: •...
6.2.5. H.323 Chapter 6. Security Mechanisms • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gateway • Comment: Allow H.323 entities on lannet to call phones connected to the H.323 Gateway on the DMZ. Click OK.
Example 6.12. Allowing the H.323 Gateway to register with the Gatekeeper The branch office D-Link Firewall has a H.323 Gateway connected to its DMZ. In order to allow the Gateway to re- gister with the H.323 Gatekeeper at the Head Office, the following rule has to be configured: Web Interface Go to Rules >...
6.2.5. H.323 Chapter 6. Security Mechanisms Note There is no need to specify a specific rule for outgoing calls. NetDefendOS monitors the communication between "external" phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper.
It operates by monitoring network traffic as it passes through the D-Link Firewall, searching for patterns that indicate an intrusion is being attempted. Once detected, NetDefendOS IDP allows steps to be taken to neutralize both the intrusion attempt as well as its source.
A new, updated signature database is downloaded automatically by NetDefendOS system at a con- figurable interval. This is done via an HTTP connection to the D-Link server network which deliv- ers the latest signature database updates. If the server's signature database has a newer version than the current local database, the new database will be downloaded, replacing the older version.
6.3.4. Insertion/Evasion Attack Pre- Chapter 6. Security Mechanisms vention Rule Components An IDP Rule defines what kind of traffic, or service, should be analyzed. An IDP Rule is similar in makeup to an IP Rule. An IDP Rule specifies a given combination source/destination interfaces/ad- dresses as well as being associated with a Service object which defines which protocols to scan.
6.3.5. IDP Pattern Matching Chapter 6. Security Mechanisms believes it has the full data stream. The attacker now sends two futher packets, p2 and p3, which will be accepted by the application which can now complete reassembly but resulting in a different data stream to that seen by the IDP subsystem.
Attackers who build new intrusions often re-use older code. This means their new attacks can appear "in the wild" quickly. To counter this, D-Link IDP uses an approach where the module scans for these reusable components, with pattern matching looking for building blocks rather than the entire complete code patterns.
6.3.7. IDP Actions Chapter 6. Security Mechanisms The group type is one of the values IDS, IPS or Policy. These types are explained above. 2. Signature Group Category This second level of naming describes the type of application or protocol. Examples are: •...
Section 6.7, “Blacklisting Hosts and Networks”. IDP ZoneDefense The Protect action includes the option that the particular D-Link switch that triggers the IDP Rule can be de-activated through the D-Link ZoneDefense feature. For more details on how ZoneDefense functions see Chapter 12, ZoneDefense.
6.3.8. SMTP Log Receiver for IDP Chapter 6. Security Mechanisms Events gw-world:/examplerule> set IDPRuleAction 1 LogEnabled=Yes Web Interface Adding an SMTP log receiver: Go to System > Log and Event Receivers > Add > SMTP Event Receiver Now enter: • Name: smtp4IDP •...
6.3.8. SMTP Log Receiver for IDP Chapter 6. Security Mechanisms Events Create IDP Rule: gw-world:/> add IDPRule Service=smtp SourceInterface=wan SourceNetwork=wannet DestinationInterface=dmz DestinationNetwork=ip_mailserver Name=IDPMailSrvRule Create IDP Action: gw-world:/> cc IDPRule IDPMailSrvRule gw-world:/IDPMailSrvRule> add IDPRuleAction Action=Protect IDPServity=All Signatures=IPS_MAIL_SMTP Web Interface Create IDP Rule: This IDP rule will be called IDPMailSrvRule, and applies to the SMTP service.
6.3.8. SMTP Log Receiver for IDP Chapter 6. Security Mechanisms Events When this IDP Rule has been created, an action must also be created, specifying what signatures the IDP should use when scanning data matching the IDP Rule, and what NetDefendOS should do in case an intrusion is dis- covered.
D-Link Anti-Virus subscription. 6.4.5. Subscribing to the D-Link Anti-Virus Service The D-Link Anti-Virus feature is purchased as an additional component to the base D-Link license and is bought in the form of a renewable subscription. An Anti-Virus subscription includes regular updates of the Kaspersky SafeStream database during the subscription period with the signatures of the latest virus threats.
6.4.6. Anti-Virus Options Chapter 6. Security Mechanisms 6.4.6. Anti-Virus Options When configuring Anti-Virus scanning in an ALG, the following parameters can be set: 1. General options Mode When Enabled Anti-Virus is active Verify MIME type The MIME type identifies a file's type. For instance a file might be identified as being of type .gif and therefore should contain image data of that type.
6.4.6. Anti-Virus Options Chapter 6. Security Mechanisms To prevent this situation, the adminstrator should specify a Compression Ratio limit. If the limit of the ration is specified as 10 then this will mean that if the uncompressed file is 10 times larger than the compressed file, the specified Action should be taken.
6.4.6. Anti-Virus Options Chapter 6. Security Mechanisms Click the Service tab Select your new service, http_anti_virus, in the pre-defined Service dropdown list Click OK Anti-Virus scanning is now activated for all web traffic from lannet to all-nets.
6.5. Web Content Filtering Chapter 6. Security Mechanisms 6.5. Web Content Filtering 6.5.1. Overview Web traffic is one of the biggest sources for security issues and misuse of the Internet. Inappropriate surfing habits can expose a network to many security threats as well as legal and regulatory liabilit- ies.
6.5.3. Static Content Filtering Chapter 6. Security Mechanisms Example 6.16. Stripping ActiveX and Java applets This example shows how to configure a HTTP Application Layer Gateway to strip ActiveX and Java applets. The example will use the content_filtering ALG object and presumes you have done one of the previous examples. gw-world:/>...
Dynamic Web Content Filtering Availability on D-Link Models Dynamic Content Filtering is available on the D-Link DFL-260 and DFL-860 only. URL Processing Flow When a user requests access to a web site, NetDefendOS sends a query to these databases to retrieve the category of the requested site.
URL. Dynamic Content Filtering therefore requires a minimum of administration effort. Note New, uncategorized URLs sent to the D-Link network are treated as anonymous sub- missions and no record of the source of new submissions is kept. Categorizing Pages and Not Sites NetDefendOS dynamic filtering categorizes web pages and not sites.
6.5.4. Dynamic Content Filtering Chapter 6. Security Mechanisms Click the Web Content Filtering tab. Select Enabled in the Mode dropdown list. In the Blocked Categories list, select Search Sites and click the >> button. Click OK. Then, create a Service object using the new HTTP ALG: Go to Local Objects >...
The URL to the requested web site as well as the proposed category will then be sent to D-Link's central data warehouse for manual inspection. That inspection may result in the web site being re-...
6.5.4. Dynamic Content Filtering Chapter 6. Security Mechanisms Example 6.20. Reclassifying a blocked site This example shows how a user may propose a reclassification of a web site if he believes it is wrongly classified. This mechanism is enabled on a per-HTTP ALG level basis. First, create an HTTP Application Layer Gateway (ALG) Object: gw-world:/>...
6.5.4. Dynamic Content Filtering Chapter 6. Security Mechanisms • www.fullonxxx.com Category 2: News A web site may be classified under the News category if its content includes information articles on recent events pertaining to topics surrounding a locality (eg. a town, city or nation) or culture, in- cluding weather forecasting information.
6.5.4. Dynamic Content Filtering Chapter 6. Security Mechanisms isement of goods or services to be exchanged for money, and may also include the facilities to per- form that transaction online. Included in this category are market promotions, catalogue selling and merchandising services.
6.5.4. Dynamic Content Filtering Chapter 6. Security Mechanisms Category 11: Investment Sites A web site may be classified under the Investment Sites category if its content includes information, services or facilities pertaining to personal investment. URLs in this category include contents such as brokerage services, online portfolio setup, money management forums or stock quotes.
6.5.4. Dynamic Content Filtering Chapter 6. Security Mechanisms Category 16: Sports A web site may be classified under the Sports category if its content includes information or instruc- tions relating to recreational or professional sports, or reviews on sporting events and sports scores. Examples might be: •...
6.5.4. Dynamic Content Filtering Chapter 6. Security Mechanisms Category 21: Health Sites A web site may be classified under the Health Sites category if its content includes health related in- formation or services, including sexuality and sexual health, as well as support groups, hospital and surgical information and medical journals.
6.5.4. Dynamic Content Filtering Chapter 6. Security Mechanisms that relates to educational services or has been deemed of educational value, or to be an educational resource, by educational organisations. This category is populated by request or submission from various educational organisations. Examples might be: •...
6.5.4. Dynamic Content Filtering Chapter 6. Security Mechanisms • kaqsovdij.gjibhgk.info • www.pleaseupdateyourdetails.com Category 32: Non-Managed Unclassified sites and sites that don't fit one of the other categories will be placed in this category. It is unusual to block this category since this could result in most harmless URLs being blocked.
Attacks can appear out of thin air and the consequences can be devastating with crashed servers, jammed Internet connections and business critical systems in overload. This section deals with using the D-Link Firewall to protect organizations against DoS attacks. 6.6.2. DoS Attack Mechanisms A DoS attack can be perpetrated in a number of ways but there are three basic types of attack: •...
6.6.4. Fragmentation overlap attacks: Chapter 6. Security Mechanisms Teardrop, Bonk, Boink and Nestea to run "ping -l 65510 188.8.131.52" on a Windows 95 system where 184.108.40.206 is the IP address of the inten- ded victim. "Jolt" is simply a purpose-written program for generating such packets on operating sys- tems whose ping commands refuse to generate oversized packets.
6.6.7. Amplification attacks: Smurf, Chapter 6. Security Mechanisms Papasmurf, Fraggle vices expected to only serve the local network. • By stripping the URG bit by default from all TCP segments traversing the system (configurable via Advanced Settings > TCP > TCPUrg). WinNuke attacks will usually show up in NetDefendOS logs as normal drops with the name of the rule in your policy that disallowed the connection attempt.
6.6.8. TCP SYN Flood Attacks Chapter 6. Security Mechanisms The Traffic Shaping feature built into NetDefendOS also help absorb some of the flood before it reaches protected servers. 6.6.8. TCP SYN Flood Attacks The TCP SYN Flood attack works by sending large amounts of TCP SYN packets to a given port and then not responding to SYN ACKs sent in response.
To ensure that "good" internet traffic sources are not blacklisted under any circumstances, a Whitel- ist is also maintained by NetDefendOS. It can be advisable to add the D-Link Firewall itself to the Whitelist as well as the IP addresses of all management workstations.
IP addresses on one of your internal networks, and would like the outbound connec- tions to appear as they are originating from the D-Link Firewall itself. NAT is a many-to-one translation, meaning that each NAT rule will translate several source IP ad- dresses into a single source IP address.
In this example, the Use Interface Address option is used, and we will use 220.127.116.11 as the interface address. In addition, the source port is changed to a free port on the D-Link Firewall, usually one above 32768. In this example, we will use port 32789. The packet is then sent to its destination.
7.1.1. Which Protocols can NAT Chapter 7. Address Translation handle? dresses, destination addresses and protocol numbers. This means that: • An internal machine can communicate with several external servers using the same IP protocol. • An internal machine can communicate with several external servers using different IP protocols. •...
In this example, we will create a SAT policy that will translate and allow connections from the Internet to a web server located in a DMZ. The D-Link Firewall is connected to the Internet using the wan interface with address ob- ject wan_ip (defined as 18.104.22.168) as IP address.
These two rules allow us to access the web server via the D-Link Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection.
These two rules allow us to access the web server via the D-Link Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection.
Chapter 7. Address Translation dresses (M:N) This reply arrives directly to PC1 without passing through the D-Link Firewall. This causes problems. The reason this will not work is because PC1 expects a reply from 22.214.171.124:80, not 10.0.0.2:80. The unexpected reply is discarded and PC1 continues to wait for a response from 126.96.36.199:80, which will never arrive.
In this example, we will create a SAT policy that will translate and allow connections from the Internet to five web servers located in a DMZ. The D-Link Firewall is connected to the Internet using the wan interface, and the public IP addresses to use are in the range of 188.8.131.52 to 184.108.40.206.
7.2.3. All-to-One Mappings (N:1) Chapter 7. Address Translation Go to Interfaces > ARP > Add > ARP Now enter: • Mode: Publish • Interface: wan • IP Address: 220.127.116.11 Click OK and repeat for all the five public IP addresses. Create a SAT rule for the translation: Go to Rules >...
7.2.4. Port Translation Chapter 7. Address Translation and 18.104.22.168) to the IP 192.168.0.50. • Attempts to communicate with 22.214.171.124, port 80, will result in a connection to 192.168.0.50 • Attempts to communicate with 126.96.36.199, port 80, will result in a connection to 192.168.0.50 Note When 0.0.0.0/0 is the destination, All-to-One mapping is always done.
7.2.6. Which SAT Rule is executed if Chapter 7. Address Translation several are matching? designed to read and/or alter application data. These are commonly referred to as Application Layer Gateways or Application Layer Filters. NetDefendOS supports a number of such Application Layer Gateways and for more information please see Section 6.2, “Application Layer Gateways”.
Return traffic from wwwsrv:80 will match rules 2 and 3. Correct. • Internal traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. The sender address will be the D-Link Firewall's internal IP address, guaranteeing that return traffic passes through the firewall. •...
7.2.7. SAT and FwdFast Rules Chapter 7. Address Translation...
Chapter 8. User Authentication This chapter describes how NetDefendOS implements user authentication. • Overview, page 174 • Authentication Components, page 176 • Authentication Process, page 178 8.1. Overview Before any user service request is authorized by firewall's security policies, NetDefendOS needs to verify the identity of that user through a process of authentication.
8.1.3. User Types Chapter 8. User Authentication • Changed on a regular basis Good passwords help secure networks, including Layer 2 tunnels, which use passwords for encryp- tion. 8.1.3. User Types NetDefendOS has authentication schemes which support diverse user types. These can be: •...
When there is more than one D-Link Firewall in the network and thousands of users, the ad- ministrator then doesn't have to maintain separate authentication databases on each firewall. Instead, the external authentication server can validate usernames and passwords against its central database by responding to requests from each D-Link Firewall.
8.2.4. Authentication Rules Chapter 8. User Authentication 8.2.4. Authentication Rules A user authentication rule specifies: • From where (i.e. receiving interface, source network) users are allowed to authenticate them- selves at the firewall. • Which agent will be used by NetDefendOS to prompt users for authentication. •...
8.3. Authentication Process Chapter 8. User Authentication 8.3. Authentication Process NetDefendOS performs user authentication in the following series of steps: • A user creates a new connection to the firewall. • NetDefendOS sees the new user connection on an interface, and checks the IP Rule-set to see if their is an authentication policy set for traffic on this interface and coming from this network.
8.3. Authentication Process Chapter 8. User Authentication • Groups: One user can be specified into more than one group. Enter the group names here separated by comma, e.g. "users" for this example. Click OK. Repeat Step B. to add all the "lannet" users having the membership of "users" group into the lan- net_auth_users folder.
8.3. Authentication Process Chapter 8. User Authentication...
Chapter 9. Virtual Private Networks This chapter describes VPN usage with NetDefendOS. • VPN overview, page 181 • IPsec, page 183 • IPsec Tunnels, page 196 • PPTP/L2TP, page 202 9.1. VPN overview 9.1.1. The need for VPNs Most networks today are connected to each other by the Internet. Business increasingly utilizes the Internet since it offers efficient and inexpensive communication.
9.1.3. Planning a VPN Chapter 9. Virtual Private Networks • Protecting mobile and home computers • Restricting access through the VPN to needed services only, since mobile computers are vulner- able • Creating DMZs for services that need to be shared with other companies through VPNs •...
9.2. IPsec Chapter 9. Virtual Private Networks 9.2. IPsec 9.2.1. IPsec Basics 188.8.131.52. Introduction to IPsec IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering Task Force, to provide IP security at the network layer. An IPsec based VPN is made up by two parts: •...
9.2.1. IPsec Basics Chapter 9. Virtual Private Networks IKE Negotiation The process of negotiating session parameters consists of a number of phases and modes. These are described in detail in the below sections. The flow of events can summarized as follows: IKE Phase-1 •...
When installing two D-Link Firewalls as VPN endpoints, this process is reduced to comparing fields in two identical dialog boxes. However, it is not quite as easy when equipment from different vendors is involved.
IP header claims it is from. More on AH in AH (Authentication Header). Note D-Link Firewalls do not support AH. IKE Encryption This specifies the encryption algorithm used in the IKE nego- tiation, and depending on the algorithm, the size of the en- cryption key used.
• SHA1 • IKE DH (Diffie-Hellman) Group This specifies the Diffie-Hellman group to use when doing key exchanges in IKE. The Diffie-Hellman groups supported by D-Link Firewall VPNs are: • DH group 1 (768-bit) • DH group 2 (1024-bit) •...
9.2.1. IPsec Basics Chapter 9. Virtual Private Networks without encryption. The algorithms supported by D-Link Firewall VPNs are: • • Blowfish • Twofish • Cast128 • 3DES • IPsec Authentication This specifies the authentication algorithm used on the pro- tected traffic.
9.2.1. IPsec Basics Chapter 9. Virtual Private Networks cryption/authentication key always, no anti-replay services, and it is not very flexible. There is also no way of assuring that the remote host/firewall really is the one it says it is. This type of connection is also vulnerable for something called "replay attacks", meaning a mali- cious entity which has access to the encrypted traffic can record some packets, store them, and send them to its destination at a later time.
9.2.1. IPsec Basics Chapter 9. Virtual Private Networks There are two protocols associated with IPsec, AH and ESP. These are covered in the sections be- low. AH (Authentication Header) AH is a protocol used for authenticating a data stream. It uses a cryptographic hash function to pro- duce a MAC from the data in the IP packet.
9.2.1. IPsec Basics Chapter 9. Virtual Private Networks 184.108.40.206. NAT Traversal Both IKE and IPsec protocols present a problem in the functioning of NAT. Both protocols were not designed to work through NATs and because of this, a technique called "NAT traversal" has evolved.
The ike-roamingclients and esp-tn-roamingclients proposal lists are suitable for VPN tunnels that are used for roaming VPN clients. These proposal lists are compatible with the default proposal lists in the D-Link VPN Client. As the name implies, the ike-lantolan and esp-tn-lantolan are suitable for LAN-to-LAN VPN solu- tions.
Click OK 9.2.4. Identification Lists When X.509 certificates are used as authentication method for IPsec tunnels, the D-Link Firewall will accept all remote firewalls or VPN clients that are capable of presenting a certificate signed by any of the trusted Certificate Authorities. This can be a potential problem, especially when using...
First create an Identification List: gw-world:/> add IDList MyIDList Then, create an ID: gw-world:/> cc IDList MyIDList gw-world:/MyIDList> add ID JohnDoe Type=DistinguishedName CommonName="John Doe" OrganizationName=D-Link OrganizationalUnit=Support Country=Sweden EmailAddress=john.doe@D-Link.com gw-world:/MyIDList> cc Finally, apply the Identification List to the IPsec tunnel: gw-world:/> set Interface IPsecTunnel MyIPsecTunnel AuthMethod=Certificate...
• Organizational Unit: Support • Country: Sweden • Email Address: john.doe@D-Link.com Click OK. Finally, apply the Identification List to the IPsec tunnel: Go to Interfaces > IPsec In the grid control, click on the IPsec tunnel object of interest. Under the Authentication tab, choose X.509 Certificate Select the appropriate certificate in the Root Certificate(s) and Gateway Certificate controls.
When another D-Link Firewall or D-Link VPN Client (or any IPsec compliant product) tries to es- tablish a IPsec VPN tunnel to the D-Link Firewall, the configured IPsec Tunnels are evaluated. If a matching IPsec Tunnel definition is found, the IKE and IPsec negotiations then take place, resulting in a IPsec VPN tunnel being established.
Dealing with unknown IP addresses If the IP address of the client is not known before hand then the D-Link Firewall needs to create a route in its routing table dynamically as each client connects. In the example below this is the case and the IPsec tunnel is configured to dynamically add routes.
Example 9.5. Setting up a Self-signed Certificate based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office D-Link Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip.
Example 9.6. Setting up a CA Server issued Certificate based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office D-Link Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip.
An X.509 root certificate usually includes the IP address or hostname of the Certificate Authority to contact when certificates or Certificate Revocation Lists need to be downloaded to the D-Link Fire- wall. Lightweight Directory Access Protocol (LDAP) is used for these downloads.
9.3.4. Fetching CRLs from an alternate Chapter 9. Virtual Private Networks LDAP server gw-world:/> add LDAPServer Host=192.168.101.146 Username=myusername Password=mypassword Port=389 Web Interface Go to Objects > VPN Objects > LDAP > Add > LDAP Server Now enter: • IP Address: 192.168.101.146 •...
A common problem with setting up PPTP is that a router and/or switch in a network is blocking TCP port 1723 and/or IP protocol 47 before the PPTP connection can be made to the D-Link Fire- wall. Examining the log can indicate if this problem occurred, with a log message of the following...
IPsec. The client communicates with a Local Access Concentrator (LAC) and the LAC commu- nicates across the internet with a L2TP Network Server (LNS). The D-Link Firewall acts as the LNS. The LAC is, in effect, tunneling data, such as a PPP session, using IPsec to the LNS across the internet.
9.4.2. L2TP Chapter 9. Virtual Private Networks Enter a suitable name for the L2TP Server, for instance MyL2TPServer. Now enter: • Inner IP Address: ip_l2tp • Tunnel Protocol: L2TP • Outer Interface Filter: l2tp_ipsec • Outer Server IP: wan_ip Under the PPP Parameters tab, select L2TP_Pool in the IP Pool control. Under the Add Route tab, select all_nets in the Allowed Networks control.
9.4.2. L2TP Chapter 9. Virtual Private Networks IPsecAlgorithms=esp-l2tptunnel PSK=MyPSK EncapsulationMode=Transport DHCPOverIPsec=Yes AddRouteToRemoteNet=Yes IPsecLifeTimeKilobytes=250000 IPsecLifeTimeSeconds=3600 Web Interface Go to Interfaces > IPsec > Add > IPsec Tunnel Enter a name for the IPsec tunnel e.g. l2tp_ipsec. Now enter: Local Network: wan_ip Remote Network: all-nets Remote Endpoint: none Encapsulation Mode: Transport...
9.4.2. L2TP Chapter 9. Virtual Private Networks In the ProxyARP control, select the lan interface. Click OK In order to authenticate the users using the L2TP tunnel, a user authentication rule needs to be configured. 4. Next will be setting up the authentication rules: gw-world:/>...
9.4.2. L2TP Chapter 9. Virtual Private Networks Go to Rules > IP Rules > Add > IPRule Enter a name for the rule e.g. NATL2TP Now enter: • Action: NAT • Service: all_services • Source Interface: l2tp_tunnel • Source Network: l2tp_pool •...
Chapter 10. Traffic Management This chapter describes how NetDefendOS can manage network traffic. • Traffic Shaping, page 209 • Threshold Rules, page 221 • Server Load Balancing, page 223 10.1. Traffic Shaping 10.1.1. Introduction A weakness of the TCP/IP protocol is the lack of true Quality of Service (QoS) functionality. QoS in networks is the ability to be able to guarantee and limit bandwidth for certain services and users.
10.1.3. Traffic Shaping in NetDefendOS NetDefendOS offers extensive traffic shaping capailities. Since any D-Link Firewall is a central and vital part of a network, there are many benefits of having it handle traffic control.
10.1.4. Pipes Basics Chapter 10. Traffic Management 10.1.4. Pipes Basics 10.1.4.1. Definition of a Pipe A Pipe is a central concept in the traffic shaping functionality of NetDefendOS and is the basis for all bandwidth control. Pipes are configured in the Pipes section of the firewall configuration. Pipes are fairly simplistic, in that they do not know much about the types of traffic that pass through them, and they know nothing about direction.
10.1.4. Pipes Basics Chapter 10. Traffic Management Go to Traffic Management > Traffic Shaping > Pipes > Add > Pipe Specify a suitable name for the pipe, for instance std-in. Enter 2000 in Total textbox. Click OK. However, simply creating the pipe will not accomplish much; traffic actually needs to be passed through the pipe. This is done by assigning the pipe to an IP rule.
10.1.4. Pipes Basics Chapter 10. Traffic Management However, you cannot just raise the total limit to 4 Mbps and hope for the best. Why? Again, pipes are simple things. This single pipe will not know that you mean 2 Mbps inbound and 2 Mbps out- bound.
10.1.5. Priorities and Guarantees Chapter 10. Traffic Management Now that we have the pipe defined, what do we do with it? Well, first we will need to set up a rule that covers surfing and place it before the rule that covers "everything else". This way we can get surfing traffic to go through the specific pipes that we want it to, but still let everything else be handled by the "default"...
10.1.5. Priorities and Guarantees Chapter 10. Traffic Management Note The respective precedences are not "special" in any way. Their meaning is only defined by the limits and guarantees that you configure. The difference is only in relat- ive importance: traffic in precedence 2 will be passed on before traffic in precedence 0, traffic in precedence 4 before 2 and 0, and so on.
10.1.5. Priorities and Guarantees Chapter 10. Traffic Management 10.1.5.2. Applying Simple Priorities Now, how can we use precedences to make some types of traffic more important than others? Let's continue work on our previous example, by giving SSH and Telnet traffic a higher priority than everything else passing through our pipes.
10.1.5. Priorities and Guarantees Chapter 10. Traffic Management "which traffic is more important?" problem. The solution here is to create two new pipes: one for telnet traffic, and one for SSH traffic, much like the "surf" pipe that we created earlier on. First, remove the 96 kbps limit from the std-in pipe, then create two new pipes: "ssh-in"...
10.1.6. Grouping Users of a Pipe Chapter 10. Traffic Management Measuring and shaping at the entrance of a choke point If you are protecting the "entrance" to a network bottleneck, i.e. outbound data in your firewall, you can probably set the total limit very close to the bandwidth of your connection. Measuring and shaping at the exit of a choke point If you're protecting the "exit"...
10.1.6. Grouping Users of a Pipe Chapter 10. Traffic Management 10.1.6. Grouping Users of a Pipe 10.1.6.1. Overview If pipes were restricted to the functionality described so far, traffic would be limited without respect to source or destination. This mode of operation is likely sufficient for managing simple traffic lim- its and guarantees.
10.1.6. Grouping Users of a Pipe Chapter 10. Traffic Management each inside user gets for inbound SSH traffic. This keeps one single user from using up all available high-priority bandwidth. First, we will have to figure out how to group the users of the ssh-in pipe. What we want to do is ap- ply our limits to each user on the internal network.
Total Connection Limiting allows the administrator to put a limit on the total number of connections opened to the D-Link Firewall. This function is extremely useful when NAT pools are required due to the large number of connections generated by P2P users.
Threshold Rules. 10.2.7. Threshold Rules and ZoneDefense Threshold Rules are used in the D-Link ZoneDefense feature to block the source of excessive con- nection attmepts from internal hosts. For more information on this refer to Chapter 12, ZoneDefense.
(sometimes called a "server farm") to handle many more requests than a single server. The image below illus- trates a typical SLB scenario, with internet access to applications being controlled by a D-Link Fire- wall.
10.3.2. Identifying the Servers Chapter 10. Traffic Management SLB also means that network administrators can perform maintenance tasks on servers or applica- tions without disrupting services. Individual servers can be restarted, upgraded, removed, or re- placed, and new servers and applications can be added or moved without affecting the rest of a serv- er farm, or taking down applications.
10 is used so that the number of new connections which were made to each server in the last 10 seconds will be remembered. An example is shown in the figure below. In this example, the D-Link Firewall is responsible for balancing connections from 3 clients with different addresses to 2 servers. Stickiness is set.
SLB will use the default routing table unless the administrator sets a specific routing table location. D-Link Server Load Balancing provides the following monitoring modes: ICMP Ping This works at OSI layer 3. SLB will ping the IP address of each individual server in the server farm.
The table below shows the rules that would be defined for a typical scenario of a set of webservers behind a D-Link Firewall for which the load is being balanced. The ALLOW rule allows external clients to access the webservers.
• High Availability Issues, page 233 11.1. Overview High Availability (HA) is a fault-tolerant capability that is available on certain models of D-Link Firewalls. Currently the firewalls that offer this feature are the DFL-1600 and DFL-2500 models. D- Link offers an active-passive HA implementation.
High Availability Setup Example Chapter 11. High Availability Broken interfaces will not be detected by the current implementation of D-Link High Availability, unless they are broken to the point where the firewall cannot continue to run. This means that fail- over will not occur if the active firewall can communicate "being alive"...
The shared IP address should not be used for remote management or monitoring pur- poses. When using, for example, SNMP for remote management of the D-Link Fire- walls in an HA configuration, the individual IP addresses of the firewalls should be used.
11.2.3. The synchronization interface Chapter 11. High Availability When three heartbeats are missed, i.e. after 0.6 seconds, the peer will be deemed inoperative. So, why not make it even faster? Maybe send a hundred heartbeats per second and declare a firewall inoperative after missing only two of them? This would after all result in a 0.02-second failover time.
11.3. High Availability Issues Chapter 11. High Availability 11.3. High Availability Issues Even though a high availability cluster will behave like a single firewall in most respects, there are some things which should be kept in mind when managing and configuring it. 11.3.1.
11.3.1. High Availability Configuration Chapter 11. High Availability...
• ZoneDefense Switches, page 236 • ZoneDefense Operation, page 237 12.1. Overview ZoneDefense allows a D-Link Firewall to control locally attached switches. It can be used as a counter-measure to stop a virus-infected computer in a local network from infecting other com- puters.
The switch model type • The SNMP community string (write access) The ZoneDefense feature currently supports the following switches: • D-Link DES 3226S (minimum firmware: R4.02-B14) • D-Link DES 3250TG (minimum firmware: R3.00-B09) • D-Link DES 3326S (minimum firmware: R4.01-B39) •...
SNMP Managers A typical managing device, such as a D-Link Firewall, uses the SNMP protocol to monitor and con- trol network devices in the managed environment. The manager can query stored statistics from the controlled devices by using the SNMP Community String. This is similar to a userid or password which allows access to the device's state information.
(in network range 192.168.2.0/24 for example) from accessing the switch completely. A D-Link switch model DES-3226S is used in this case, with a management interface address 192.168.1.250 con- necting to the firewall's interface address 192.168.1.1. This firewall interface is added into the exclude list to pre- vent the firewall from being accidentally locked out from accessing the switch.
12.3.4. Limitations Chapter 12. ZoneDefense Go to Zone Defense > Exclude list For Addresses choose the object name of the firewall's interface address 192.168.1.1 from the Available list and put it into the Selected list. Click OK. Configure an HTTP threshold of 10 connections/second: Go to Traffic Management >...
Chapter 13. Advanced Settings This chapter describes the configurable advanced setings for NetDefendOS. The settings are divided up into the following categories: • IP Level Settings, page 241 • TCP Level Settings, page 245 • ICMP Level Settings, page 249 •...
LogNonIP4 Chapter 13. Advanced Settings based on illegal checksums. Default: Enabled LogNonIP4 Logs occurrences of IP packets that are not version 4. NetDefendOS only accepts version 4 IP pack- ets; everything else is discarded. Default: 256 LogReceivedTTL0 Logs occurrences of IP packets received with the "Time To Live" (TTL) value set to zero. Under no circumstances should any network unit send packets with a TTL of 0.
LayerSizeConsistency Chapter 13. Advanced Settings Default: 255 LayerSizeConsistency Verifies that the size information contained in each "layer" (Ethernet, IP, TCP, UDP, ICMP) is con- sistent with that of other layers. Default: ValidateLogBad IPOptionSizes Verifies the size of "IP options". These options are small blocks of information that may be added to the end of each IP header.
StripDFOnSmall Chapter 13. Advanced Settings Strip the Don’t Fragment flag for packets equal to or smaller than the size specified by this setting. Default: 65535 bytes...
13.2. TCP Level Settings Chapter 13. Advanced Settings 13.2. TCP Level Settings TCPOptionSizes Verifies the size of TCP options. This function acts in the same way as IPOptionSizes described above. Default: ValidateLogBad TCPMSSMin Determines the minimum permissible size of the TCP MSS. Packets containing maximum segment sizes below this limit are handled according to the next setting.
TCPZeroUnusedACK Chapter 13. Advanced Settings Default: 7000 bytes TCPZeroUnusedACK Determines whether NetDefendOS should set the ACK sequence number field in TCP packets to zero if it is not used. Some operating systems reveal sequence number information this way, which can make it easier for intruders wanting to hijack established connections. Default: Enabled TCPZeroUnusedURG Strips the URG pointers from all packets.
TCPOPT_CC Chapter 13. Advanced Settings to transport alternate checksums where permitted by ALTCHKREQ above. Normally never seen on modern networks. Default: StripLog TCPOPT_CC Determines how NetDefendOS will handle connection count options. Default: StripLogBad TCPOPT_OTHER Specifies how NetDefendOS will deal with TCP options not covered by the above settings. These options usually never appear on modern networks.
TCPRF Chapter 13. Advanced Settings Specifies how NetDefendOS will deal with TCP packets with either the Xmas or Ymas flag turned on. These flags are currently mostly used by OS Fingerprinting. Note: an upcoming standard called Explicit Congestion Notification also makes use of these TCP flags, but as long as there are only a few operating systems supporting this standard, the flags should be stripped.
13.3. ICMP Level Settings Chapter 13. Advanced Settings 13.3. ICMP Level Settings ICMPSendPerSecLimit Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This in- cludes ping replies, destination unreachable messages and also TCP RST packets. In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section.
13.4. ARP Settings Chapter 13. Advanced Settings 13.4. ARP Settings ARPMatchEnetSender Determines if NetDefendOS will require the sender address at Ethernet level to comply with the hardware address reported in the ARP data. Default: DropLog ARPQueryNoSenderIP What to do with ARP queries that have a sender IP of 0.0.0.0. Such sender IPs are never valid in re- sponses, but network units that have not yet learned of their IP address sometimes ask ARP ques- tions with an "unspecified"...
ARPExpireUnknown Chapter 13. Advanced Settings ARPExpire Specifies how long a normal dynamic item in the ARP table is to be retained before it is removed from the table. Default: 900 seconds (15 minutes) ARPExpireUnknown Specifies how long NetDefendOS is to remember addresses that cannot be reached. This is done to ensure that NetDefendOS does not continuously request such addresses.
This generates a log message for every packet that passes through a connection that is set up in the NetDefendOS state engine. Traffic whose destination is the D-Link Firewall itself eg. NetDefendOS management traffic, is not subject to this setting.
LogConnections Chapter 13. Advanced Settings • NoLog – Does not log any connections; consequently, it will not matter if logging is enabled for either Allow or NAT rules in the Rules section; they will not be logged. However, FwdFast, Drop and Reject rules will be logged as stipulated by the settings in the Rules section. •...
13.6. Connection Timeouts Chapter 13. Advanced Settings 13.6. Connection Timeouts The settings in this section specify how long a connection can remain idle, i.e. no data being sent through it, before it is automatically closed. Please note that each connection has two timeout val- ues: one for each direction.
13.7. Size Limits by Protocol Chapter 13. Advanced Settings 13.7. Size Limits by Protocol This section contains information about the size limits imposed on the protocols directly under IP level, i.e. TCP, UDP, ICMP, etc The values specified here concern the IP data contained in packets. In the case of Ethernet, a single packet can contain up to 1480 bytes of IP data without fragmentation.
MaxIPIPLen Chapter 13. Advanced Settings Specifies the maximum size of an OSPF packet. OSPF is a routing protocol mainly used in larger LANs. Default: 1480 MaxIPIPLen Specifies the maximum size of an IP-in-IP packet. IP-in-IP is used by Checkpoint Firewall-1 VPN connections when IPsec is not used.
13.8. Fragmentation Settings Chapter 13. Advanced Settings 13.8. Fragmentation Settings IP is able to transport up to 65536 bytes of data. However, most media, such as Ethernet, cannot carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate packets, each one given their own IP header and information that will help the recipient reassemble the original packet correctly.
FragReassemblyFail Chapter 13. Advanced Settings Default: Check8 – compare 8 random locations, a total of 32 bytes FragReassemblyFail Reassemblies may fail due to one of the following causes: • Some of the fragments did not arrive within the time stipulated by the ReassTimeout or Reas- sTimeLimit settings.
FragmentedICMP Chapter 13. Advanced Settings up. Possible settings are as follows: • NoLog - No logging is carried out under normal circumstances. • LogSuspect - Logs duplicated fragments if the reassembly procedure has been affected by "sus- pect" fragments. • LogAll - Always logs duplicated fragments.
ReassIllegalLinger Chapter 13. Advanced Settings order to prevent further fragments of that packet from arriving. Default: 60 seconds...
13.9. Local Fragment Reassembly Set- Chapter 13. Advanced Settings tings 13.9. Local Fragment Reassembly Settings LocalReass_MaxConcurrent Maximum number of concurrent local reassemblies. Default: 256 LocalReass_MaxSize Maximum size of a locally reassembled packet. Default: 10000 LocalReass_NumLarge Number of large ( over 2K) local reassembly buffers (of the above size). Default: 32...
13.10. DHCP Settings Chapter 13. Advanced Settings 13.10. DHCP Settings DHCP_MinimumLeaseTime Minimum lease time (seconds) accepted from the DHCP server. Default: 60 DHCP_ValidateBcast Require that the assigned broadcast address is the highest address in the assigned network. Default: Enabled DHCP_AllowGlobalBcast Allow DHCP server to assign 255.255.255.255 as broadcast.
13.11. DHCPRelay Settings Chapter 13. Advanced Settings 13.11. DHCPRelay Settings DHCPRelay_MaxTransactions Maximum number of transactions at the same time. Default: 32 DHCPRelay_TransactionTimeout For how long a dhcp transaction can take place. Default: 10 seconds DHCPRelay_MaxPPMPerIface How many dhcp-packets a client can send to through NetDefendOS to the dhcp-server during one minute.
13.12. DHCPServer Settings Chapter 13. Advanced Settings 13.12. DHCPServer Settings DHCPServer_SaveLeasePolicy What policy should be used to save the lease database to the disk, possible settings are Disabled, Re- confShut, or ReconfShutTimer. Default: ReconfShut DHCPServer_AutoSaveLeaseInterval How often should the leases database be saved to disk if DHCPServer_SaveLeasePolicy is set to ReconfShutTimer.
13.13. IPsec Settings Chapter 13. Advanced Settings 13.13. IPsec Settings IKESendInitialContact Determines whether or not IKE should send the "Initial Contact" notification message. This message is sent to each remote gateway when a connection is opened to it and there are no previous IPsec SA using that gateway.
IPsecDeleteSAOnIPValidationFailure Chapter 13. Advanced Settings IPsecDeleteSAOnIPValidationFailure Controls what happens to the SAs if IP validation in Config Mode fails. If Enabled, the SAs are dropped on failure. Default: Disabled...
13.14. Transparent Mode Settings Chapter 13. Advanced Settings 13.14. Transparent Mode Settings Transp_CAMToL3CDestLearning Enable this if the firewall should be able to learn the destination for hosts by combining destination address information and information found in the CAM table. Default: Enabled Transp_DecrementTTL Enable this if the TTL should be decremented each time a packet traverses the firewall in Transpar- ent Mode.
MulticastEnetSender Chapter 13. Advanced Settings Default: DropLog MulticastEnetSender Defines what to do when receiving a packet that has the sender hardware (MAC) address in ethernet header set to a multicast ethernet address. Options: • Accept - Accept packet • AcceptLog - Accept packet and log •...
13.15. Logging Settings Chapter 13. Advanced Settings 13.15. Logging Settings LogSendPerSecLimit This setting limits how many log packets NetDefendOS may send out per second. This value should never be set too low, as this may result in important events not being logged, nor should it be set too high.
Chapter 13. Advanced Settings 13.16. High Availability Settings ClusterID A (locally) unique cluster ID to use in identifying this group of HA D-Link Firewalls. Default: 0 HASyncBufSize How much sync data, in KB, to buffer while waiting for acknowledgments from the cluster peer.
13.17. Time Synchronization Settings Chapter 13. Advanced Settings 13.17. Time Synchronization Settings TimeSync_SyncInterval Seconds between each resynchronization. Default: 86400 TimeSync_MaxAdjust Maximum time drift that a server is allowed to adjust. Default: 3600 TimeSync_ServerType Type of server for time synchronization, UDPTime or SNTP (Simple Network Time Protocol). Default: SNTP TimeSync_GroupIntervalSize Interval according to which server responses will be grouped.
TimeSync_DSTStartDate Chapter 13. Advanced Settings DST offset in minutes. Default: 0 TimeSync_DSTStartDate What month and day DST starts, in the format MM-DD. Default: none TimeSync_DSTEndDate What month and day DST ends, in the format MM-DD. Default: none...
13.19. HTTP Poster Settings Chapter 13. Advanced Settings 13.19. HTTP Poster Settings HTTPPoster_URL1, HTTPPoster_URL2, HTTPPoster_URL3 The URLs specified here will be posted in order when NetDefendOS is loaded. HTTPPoster_RepDelay Delays in seconds until all URLs are refetcd. Default: 604800...
13.20. PPP Settings Chapter 13. Advanced Settings 13.20. PPP Settings PPP_L2TPBeforeRules Pass L2TP traffic sent to the D-Link Firewall directly to the L2TP Server without consulting the rule-set. Default: Enabled PPP_PPTPBeforeRules Pass PPTP traffic sent to the D-Link Firewall directly to the PPTP Server without consulting the rule-set.
13.22. Hardware Monitor Settings Chapter 13. Advanced Settings 13.22. Hardware Monitor Settings HWM_PollInterval Polling intervall for Hardware Monitor which is the delay in milliseconds between reading of hard- ware monitor values. Minimum 100, Maximum 10000. Default: 500 ms HWMMem_Interval Memory polling interval which is the delay in minutes between reading of memory values. Minim- um 1, Maximum 200.
13.23. Packet Re-assembly Settings Chapter 13. Advanced Settings 13.23. Packet Re-assembly Settings Packet re-assembly collects IP fragments into complete IP datagrams and, for TCP, reorders seg- ments so that they are processed in the correct order and also to keep track of potential segment overlaps and to inform other sub-systems of such overlaps.
13.24. Miscellaneous Settings Chapter 13. Advanced Settings 13.24. Miscellaneous Settings BufFloodRebootTime As a final way out, NetDefendOS automatically reboots if it’s buffers have been flooded for a long time. This setting specifies this amount of time. Default: 3600 HighBuffers The number of buffers to allocate in RAM above the 1 MB limit. Default: 3% of total RAM, with a lower limit of 1024+lowbuffers MaxPipeUsers The maximum number of pipe users to allocate.
Dynamic Web Content Filtering module all function using external D-Link databases which contain details of the latest viruses, security threats and URL categorization. These databases are constantly being updated and to get access to the latest updates a D-Link Security Update Subscrip- tion should be taken out. This is done by: •...
To get the status of AV updates: gw-world:/> updatecenter -status Antivirus Querying Server Status To get the status of the D-Link network servers use the command: gw-world:/> updatecenter -servers Deleting Local Databases Some technical problem in the operation of either IDP or the Anti-Virus modules may be resolved by deleting the database and reloading.
For IDP scanning, the following signature groups are available for selection. These groups are avail- able only for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Policy. For further information see Section 6.3, “Intrusion Detection and Prevention”.
Appendix B. IDP Signature Groups Group Name Intrusion Type FTP_FORMATSTRING Format string attack FTP_GENERAL FTP protocol and implementation FTP_LOGIN Login attacks FTP_OVERFLOW FTP buffer overflow GAME_BOMBERCLONE Bomberclone game GAME_GENERAL Generic game servers/clients GAME_UNREAL UnReal Game server HTTP_APACHE Apache httpd HTTP_BADBLUE Badblue web server HTTP_CGI HTTP CGI...
Appendix B. IDP Signature Groups Group Name Intrusion Type POP3_DOS Denial of Service for POP POP3_GENERAL Post Office Protocol v3 POP3_LOGIN-ATTACKS Password guessing and related login attack POP3_OVERFLOW POP3 server overflow POP3_REQUEST-ERRORS Request Error PORTMAPPER_GENERAL PortMapper PRINT_GENERAL LP printing server: LPR LPD PRINT_OVERFLOW Overflow of LPR/LPD protocol/implementation REMOTEACCESS_GOTOMYPC...
Appendix B. IDP Signature Groups Group Name Intrusion Type TFTP_OPERATION Operation Attack TFTP_OVERFLOW TFTP buffer overflow attack TFTP_REPLY TFTP Reply attack TFTP_REQUEST TFTP request attack TROJAN_GENERAL Trojan UDP_GENERAL General UDP UDP_POPUP Pop-up window for MS Windows UPNP_GENERAL UPNP VERSION_CVS VERSION_SVN Subversion VIRUS_GENERAL Virus...
Appendix C. Anti-Virus MIME filetypes For Anti-virus scanning, the following MIME filetypes can be checked to make sure that the content matches the filetype of a file download. Checking is done only if the option is enabled as described in Section 6.4.6, “Anti-Virus Options”. Filetype extension Application 3d Studio files...
Appendix C. Anti-Virus MIME filetypes Filetype extension Application Windows Executable Free Graphics Format file flac Free Lossless Audio Codec file FLIC Animated Picture FLIC Animation Macromedia Flash Video gdbm Database file Graphic Interchange Format file gzip, gz, tgz Gzip compressed archive HAP archive data HPack compressed file archive Macintosh BinHex 4 compressed archive...
Appendix C. Anti-Virus MIME filetypes Filetype extension Application Acrobat Portable Document Format Portable Executable file PostScript Type 1 Font Portable Graymap Graphic SysV R4 PKG Datastreams PAKLeo archive data PMarc archive data Portable (Public) Network Graphic PBM Portable Pixelmap Graphic PostScript file PSA archive data Photoshop Format file...
Appendix C. Anti-Virus MIME filetypes Filetype extension Application GIMP Image file Fast Tracker 2 Extended Module , audio file XML file xmcd xmcd database file for kscd BMC Software Patrol UNIX Icon file YAC compressed archive ZIF image Zip compressed archive file ZOO compressed archive file ZPack archive data Unix compressed file...
Appendix D. The OSI Framework The Open Systems Interconnection Model defines a framework for intercomputer communications. It categorizes different protocols for a great variety of network applications into seven smaller, more manageable layers. The model describes how data from an application in one computer can be trans- ferred through a network medium to an application on another computer.
Appendix E. D-Link worldwide offices Below is a complete list of D-Link worldwide sales offices. Please check your own country area's local website for further details regarding support of D-Link products as well as contact details for local support. Australia 1 Giffnock Avenue, North Ryde, NSW 2113, Australia.
Appendix E. D-Link worldwide offices FAX: +972-9-9715601. Website: www.dlink.co.il Italy Via Nino Bonnet n. 6/b, 20154 – Milano, Italy. TEL: 39-02-2900-0676, FAX: 39-02-2900-1723. Website: www.dlink.it LatinAmerica Isidora Goyeechea 2934, Ofcina 702, Las Condes, Santiago – Chile. TEL: 56-2-232-3185, FAX: 56-2-232-0923. Website: www.dlink.cl...