
Network Security Solution http://www.dlink.com
DFL-210/800/1600/2500, DFL-260/860
Ver. 1.07
Network Security Firewall User Manual
interfaces. The first two options can be regarded as combining the alternate table with the main table and assigning one route if there is a match in bo
Example 4.5. Policy Based Routing Configuration
This example illustrates a multiple ISP scenario which is a common use of Policy-based Routing. The fol
Note
Rules in the above example are added for both inbound and outbound connections.
4.4. Dynamic Routing
4.4.1. Dynamic Routing overview
Dynamic routing is different to static routing in that the D-Link Firewall will adapt to changes of
Routing metrics are the criteria a routing algorithm uses to compute the "best" route to a destination. A routing protocol relies on one or s
to which they have an interface.
ASBRs
Routers that exchange routing information with routers in other Autonomous Systems are called Autonomous System Bo
in the routing table. This is commonly used to minimize the routing table.
Virtual Links
Virtual links are used for:
• Linking an area that does not have
common area in between.
Figure 4.3. Virtual Links Example 2
The Virtual Link is configured between fw1 and fw2 on Area 1, as it is used as the transit a
In a dynamic routing environment, it is important for routers to be able to regulate to what extent they will participate in the routing exchange. It i
gw-world:/ImportOSPFRoutes> add DynamicRoutingRuleAddRoute Destination=MainRoutingTable
Web Interface
1. Go to Routing > Dynamic Routing Rules
2. Cl
4.5. Multicast Routing
4.5.1. Overview
Certain types of Internet interactions, such as conferencing and video broadcasts, require a single client or host
The multiplex rule can operate in one of two modes:
Use IGMP
The traffic flow specified by the multiplex rule must have been requested by hosts using IG
Example 4.8. Forwarding of Multicast Traffic using the SAT Multiplex Rule
In this example, we will create a multiplex rule in order to forward the mult
This scenario is based on the previous scenario but now we are going to translate the multicast group. When the multicast streams 239.192.10.0/24 are f
• Destination Interface: core
• Destination Network: 239.192.10.0/24
4. Click the Address Translation tab
5. Add interface if1 but leave the IPAddress em
Figure 4.7. Multicast Proxy
In Snoop mode, the router will act transparently between the hosts and another IGMP router. It will not send any IGMP Querie
• Source Network: if1net, if2net, if3net
• Destination Interface: core
• Destination Network: auto
• Multicast Source: 192.168.10.1
• Multicast Group: 239
• Name: A suitable name for the rule, eg. Reports_if1
• Type: Report
• Action: Proxy
• Output: wan (this is the relay interface)
3. Under Address Filter e
• Type: Report
• Action: Proxy
• Output: wan (this is the relay interface)
3. Under Address Filter enter:
• Source Interface: if2
• Source Network: if2net
•
4.6. Transparent Mode
4.6.1. Overview of Transparent Mode
Deploying D-Link Firewalls operating in Transparent Mode into an existing network topology can
Preface
Intended Audience
The target audience for this reference guide is Administrators who are responsible for configuring and managing D-Link Firewall
When beginning communication, a host will locate the target host's physical address by broadcasting an ARP request. This request is intercepted by
Figure 4.8. Transparent mode scenario 1
Example 4.13. Setting up Transparent Mode - Scenario 1
Web Interface
Configure the interfaces:
1. Go to Interfaces
• Destination Interface: any
• Source Network: 10.0.0.0/24
• Destination Network: all-nets (0.0.0.0/0)
3. Click OK
Scenario 2
Here the D-Link Firewall in T
Switch Route:
Similar to that shown in the previous example. Set up the switch route with the new interface group created earlier.
Configure the rules:
1. Go
1. Go to Interfaces > Ethernet > Edit (lan)
2. Now enter:
• IP Address: 10.0.0.1
• Network: 10.0.0.0/24
• Transparent Mode: Disable
• Add route for i
3. Click OK
4. Go to Rules > IP Rules > Add > IPRule
5. Now enter:
• Name: HTTP-WAN-to-DMZ
• Action: SAT
• Service: http
• Source Interface: wan
• D
Chapter 5. DHCP Services
This chapter describes DHCP services in NetDefendOS.
• Overview, page 127
• DHCP Servers, page 128
• Static DHCP Assignment, page
5.2. DHCP Servers
NetDefendOS has the ability to act as one or more logical DHCP servers. Filtering of DHCP client requests is based on interface, so ea
Example 5.2. Checking the status of a DHCP server
Web Interface
Go to Status > DHCP Server in the menu bar.
CLI
To see the status of all servers:
gw-wor
Highlighted Content
Special sections of text which the reader should pay special attention to are indicated by icons on the left hand side of the page f
5.3. Static DHCP Assignment
Where the administrator requires a fixed relationship between a client and the assigned IP address, NetDefendOS allows the a
5.4. DHCP Relaying
With DHCP, clients send requests to locate the DHCP server(s) using broadcast messages. However, broadcasts are normally only propaga
5.5. IP Pools
Overview
IP pools are used to offer other subsystems access to a cache of DHCP IP addresses. These addresses are gathered into a pool by in
greater than the prefetch parameter. The pool will start releasing (giving back IPs to the DHCP server) when the number of free clients exceeds this val
Chapter 6. Security Mechanisms
This chapter describes NetDefendOS security features.
• Access Rules, page 135
• Application Layer Gateways, page 138
• Web
VPNs provide one means of avoiding spoofing but where a VPN is not an appropriate solution then Access Rules can provide an anti-spoofing capability by
Example 6.1. Setting up an Access Rule
A rule is to be defined that ensures no traffic with a source address not within the lannet network is received
6.2. Application Layer Gateways
6.2.1. Overview
To complement low-level packet filtering, which only inspects packet headers in protocols such as IP, TCP, U
ALGs and Syn Flood Protection
It should be noted that user-defined custom Service objects have the option to enable Syn Flood Protection, a feature whic
Chapter 1. Product Overview
This chapter outlines the key features of NetDefendOS.
• About D-Link NetDefendOS, page 14
• NetDefendOS Architecture, page 1
• Block Selected means that those filetypes marked will be automatically blocked as downloads. A file's contents will be analyzed to identify the
client on the internal network connects through the firewall to an FTP server on the Internet. The IP rule is then configured to allow network traffic
To make it possible to connect to this server from the Internet using the FTP ALG, the FTP ALG and rules should be configured as follows:
Web Interface
A
2. Now enter:
• Name: SAT-ftp-inbound
• Action: SAT
• Service: ftp-inbound
3. For Address Filter enter:
• Source Interface: any
• Destination Interface: cor
4. Click OK
Example 6.3. Protecting FTP Clients
In this scenario shown below the D-Link Firewall is protecting a workstation that will connect to FTP se
• Destination: 21 (the port the ftp server resides on)
• ALG: select the newly created ftp-outbound
3. Click OK
Rules (Using Public IPs). The following r
TFTP is widely used in enterprise environments for updating software and backing up configurations on network devices. TFTP is recognised as being an i
Email Rate Limiting
A maximum allowable rate of email messages can be specified.
Email Size Limiting
A maximum allowable size of email messages can be spec
When the NetDefendOS SPAM filtering function is configured, the IP address of the email's sending server can be sent to one or more DNSBL servers
Buy this stock today!
And if the tag text is defined to be "*** SPAM ***", then the modified email's Subject field will become:
*** SPAM *
hosts. For more information about the IDP capabilities of NetDefendOS, please see Section 6.5, “Intrusion Detection and Prevention”.
Anti-Virus
NetDefendO
Logging
There are three types of logging done by the SPAM filtering module:
• Logging of dropped or SPAM tagged emails - These log messages include the
gw-world:/> dnsbl
DNSBL Contexts:
Name                     Status   Spam     Drop     Accept
------------------------ -------- -------- -------- --------
my_smtp_alg              active   156      65       3
Hide User
This option prevents the POP3 server from revealing that a username does not exist. This prevents users from trying different usernames until t
VOIP see also Section 6.2.8, “H.323”.)
SIP Components
The following components are the logical building blocks for SIP communication:
User Agents
These ar
Maximum Sessions per ID
The number of simultaneous sessions that a single peer can be involved with is restricted by this value. The default number is 5.
• A NAT rule for outbound traffic from user agents on the internal network to the SIP Proxy Server located externally. The SIP ALG will take care of al
Gateways
An H.323 gateway connects two dissimilar networks and translates traffic between them. It provides connectivity between H.323 networks and non-H
• The H.323 ALG supports version 5 of the H.323 specification. This specification is built upon H.225.0 v5 and H.245 v10.
• In addition to supporting voice
Web Interface
Outgoing Rule:
1. Go to Rules > IP Rules > Add > IPRule
2. Now enter:
• Name: H323AllowOut
• Action: Allow
• Service: H323
• Source In
Example 6.5. H.323 with private IP addresses
In this scenario an H.323 phone is connected to the D-Link Firewall on a network with private IP addresses.
1.2. NetDefendOS Architecture
1.2.1. State-based Architecture
The NetDefendOS architecture is centered around the concept of state-based connections. Tra
• Destination Interface: core
• Source Network: 0.0.0.0/0 (all-nets)
• Destination Network: wan_ip (external IP of the firewall)
• Comment: Allow incomin
1. Go to Rules > IP Rules > Add > IPRule
2. Now enter:
• Name: H323AllowIn
• Action: Allow
• Service: H323
• Source Interface: any
• Destination In
• Destination Interface: core
• Source Network: 0.0.0.0/0 (all-nets)
• Destination Network: wan_ip (external IP of the firewall)
• Comment: Allow incomin
Web Interface
Incoming Gatekeeper Rules:
1. Go to Rules > IP Rules > Add > IPRule
2. Now enter:
• Name: H323In
• Action: SAT
• Service: H323-Gateke
Note
There is no need to specify a specific rule for outgoing calls. NetDefendOS monitors the communication between "external" phones and the
is possible for internal phones to call the external phones that are registered with the gatekeeper.
Example 6.10. Using the H.323 ALG in a Corporate En
• Comment: Allow H.323 entities on lannet to connect to the Gatekeeper
3. Click OK
1. Go to Rules > IP Rules > Add > IPRule
2. Now enter:
• Name:
1. Go to Rules > IP Rules > Add > IPRule
2. Now enter:
• Name: BranchToGW
• Action: Allow
• Service: H323-Gatekeeper
• Source Interface: vpn-remot
• Service: H323-Gatekeeper
• Source Interface: dmz
• Destination Interface: vpn-hq
• Source Network: ip-branchgw
• Destination Network: hq-net
• Comment: A
6.3. Web Content Filtering
6.3.1. Overview
Web traffic is one of the biggest sources for security issues and misuse of the Internet. Inappropriate surfin
1.2.3. Basic Packet Flow
This section outlines the basic flow in the state-engine for packets received and forwarded by NetDefendOS. Please note that th
Example 6.13. Stripping ActiveX and Java applets
This example shows how to configure an HTTP Application Layer Gateway to strip ActiveX and Java applets
Note
Web content filtering URL blacklisting is a separate concept from Section 6.7, “Blacklisting Hosts and Networks”.
Example 6.14. Setting up a white a
6.3.4. Dynamic Web Content Filtering
Overview
NetDefendOS supports Dynamic Web Content Filtering (WCF) of web traffic, which enables an administrator to
Note
New, uncategorized URLs sent to the D-Link network are treated as anonymous submissions and no record of the source of new submissions is kept.
Cate
5. In the Blocked Categories list, select Search Sites and click the >> button.
6. Click OK
Then, create a Service object using the new HTTP ALG:
1
FilteringCategories=SEARCH_SITES
Web Interface
First, create an HTTP Application Layer Gateway (ALG) Object:
1. Go to Objects > ALG > Add > HTTP
Example 6.17. Reclassifying a blocked site
This example shows how a user may propose a reclassification of a web site if he believes it is wrongly clas
Category 2: News
A web site may be classified under the News category if its content includes information articles on recent events pertaining to topics
• www.buy-alcohol.se
Category 7: Entertainment
A web site may be classified under the Entertainment category if its content includes any general form of
• www.loadsofmoney.com.au
• www.putsandcalls.com
Category 12: E-Banking
A web site may be classified under the E-Banking category if its content includes
and the event is logged according to the log settings for the rule. If the action is Allow, the packet is allowed through the system. A corresponding s
Category 17: www-Email Sites
A web site may be classified under the www-Email Sites category if its content includes online, web-based email facilities.
Examples might be:
• www.sierra.org
• www.walkingclub.org
Category 23: Music Downloads
A web site may be classified under the Music Downloads category if
A web site may be classified under the Drugs/Alcohol category if its content includes drug and alcohol related information or services. Some URLs categ
6.4. Anti-Virus Scanning
6.4.1. Overview
The NetDefendOS Anti-Virus module protects against malicious code carried in file downloads. Files may be downlo
D-Link Firewall. However, the available free memory can place a limit on the number of concurrent scans that can be initiated. The administrator can in
1. General options
Mode
This must be one of:
A. Enabled which means Anti-Virus is active.
B. Audit which means it is active but logging will be the only a
Enabling of this function is recommended to make sure this form of attack cannot allow a virus to get through. The possible MIME types that can be chec
1. Go to Objects > ALG > Add > HTTP ALG
2. Specify a suitable name for the ALG, for instance anti_virus
3. Click the Antivirus tab
4. Select Pro
6.5. Intrusion Detection and Prevention
6.5.1. Overview
Intrusion Definition
Computer servers can sometimes have vulnerabilities which leave them exposed
DFL-210/800/1600/2500 firewalls. This is a simplified IDP that gives basic protection against attacks. It is upgradeable to the professional level Advan
1.3. NetDefendOS State Engine Packet Flow
The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. Th
The console command
> updatecenter -status
will show the current status of the auto-update feature. This can also be done through the WebUI.
Updating
The option exists in NetDefendOS IDP to look for intrusions in all traffic, even the packets that are rejected by the IP rule set check for new connect
• Increasing throughput - Where the highest throughput possible is desirable, then turning the option off can provide a slight increase in processing
Using Groups
Usually, several lines of attacks exist for a specific protocol, and it is best to search for all of them at the same time when analyzing n
group name.
Caution against using too many IDP signatures
Do not use the entire signature database and avoid using signatures and signature groups uneces
triggered. At least one new event occurs within the Hold Time of 120 seconds, thus reaching the log threshold level (at least 2 events have occurred).
CLI
Create IDP Rule:
gw-world:/> add IDPRule Service=smtp SourceInterface=wan SourceNetwork=wannet DestinationInterface=dmz DestinationNetwork=ip_mail
When this IDP Rule has been created, an action must also be created, specifying what signatures the IDP should use when scanning data matching the IDP
6.6. Denial-Of-Service (DoS) Attacks
6.6.1. Overview
By embracing the Internet, enterprises experience new business opportunities and growth. The enterpr
to run "ping -l 65510 1.2.3.4" on a Windows 95 system where 1.2.3.4 is the IP address of the intended victim. "Jolt" is simply a pu
User Manual
DFL-210/260/800/860/1600/2500
NetDefendOS version 2.20
D-Link NetDefend Security http://security.dlink.com.tw
Published 2008
Figure 1.2. Packet Flow Schematic Part II
The packet flow is continued on the following page.
Figure 1.3. Packet Flow Schematic Part III
services expected to only serve the local network.
• By stripping the URG bit by default from all TCP segments traversing the system (configurable via A
The Traffic Shaping feature built into NetDefendOS also helps absorb some of the flood before it reaches protected servers.
6.6.8. TCP SYN Flood Attacks
T
6.7. Blacklisting Hosts and Networks
NetDefendOS implements a Blacklist of host or network IP addresses which can be utilized to protect against traffic
Chapter 7. Address Translation
This chapter describes NetDefendOS address translation capabilities.
• Dynamic Network Address Translation, page 204
• NAT
Publish entry configured for the egress interface. Otherwise, the return traffic will not be received by the D-Link Firewall.
The following example illu
Protocols Handled by NAT
Dynamic address translation is able to deal with the TCP, UDP and ICMP protocols with a good level of functionality since the a
7.2. NAT Pools
Overview
As discussed in Section 7.1, “Dynamic Network Address Translation”, NAT provides a way to have multiple internal clients and host
Stateless NAT Pools
The Stateless option means that no state table is maintained and the external IP address chosen for each new connection is the one t
2. Specify a suitable name for the IP range nat_pool_range
3. Enter 10.6.13.10-10.16.13.15 in the IP Address textbox (a network eg 10.6.13.0/24 could be
7.3. Static Address Translation
NetDefendOS can translate entire ranges of IP addresses and/or ports. Such translations are transpositions, that is, eac
Then create a corresponding Allow rule:
1. Go to Rules > IP Rules > Add > IPRule
2. Specify a suitable name for the rule, eg. Allow_HTTP_To_DMZ
# Action Src Iface Src Net Dest Iface Dest Net Parameters
3 Allow ext2 ext2net core wan_ip http
4 NAT lan lannet any all-nets All
This increases the numb
• NetDefendOS translates the address in accordance with rule 1 and forwards the packet in accordance with rule 2:
10.0.0.3:1038 => 10.0.0.2:80
• wwwsr
An example of when this is useful is when having several protected servers in a DMZ, and where each server should be accessible using a unique public I
4. Click OK
Publish the public addresses in the wan interface using ARP publish. One ARP item is needed for every IP address:
1. Go to Interfaces > ARP
NetDefendOS can be used to translate ranges and/or groups into just one IP address.
# Action Src Iface Src Net Dest Iface Dest Net Parameters
1 SAT any
configuration.
There is no definitive list of which protocols can or cannot be address translated. A general rule is that VPN protocols cannot usual
# Action Src Iface Src Net Dest Iface Dest Net Parameters
5 NAT lan lannet any all-nets All
What happens now?
• External traffic to wan_ip:80 will match
Chapter 8. User Authentication
This chapter describes how NetDefendOS implements user authentication.
• Overview, page 220
• Authentication Setup, page 2
8.2. Authentication Setup
8.2.1. Setup Summary
The following list summarizes the steps for User Authentication setup with NetDefendOS:
• Set up a databas
NetDefendOS acts as a RADIUS client, sending user credentials and connection parameter information as a RADIUS message to a nominated RADIUS server. Th
combination.
• Allow only one login per username.
• Allow one login per username and logout an existing user with the same name if they have been idle fo
Changing the Management WebUI Port
HTTP authentication will collide with the WebUI's remote management service which also uses TCP port 80. To avoi
Action Src Interface Src Network Dest Interface Dest Network Service
1 Allow lan lannet core lan_ip http-all
2 NAT lan trusted_users wan all-nets http-a
Example 8.1. Creating an authentication user group
In the example of an authentication address object in the Address Book, a user group "users"
• Source Network: lannet
• Destination Interface: core
• Destination Network: lan_ip
3. Click OK
B. Set up the Authentication Rule
1. Go to User Authenticati
d. Port: 1812 (RADIUS service uses UDP port 1812 by default)
e. Retry Timeout: 2 (NetDefendOS will resend the authentication request to the server if th
Chapter 9. VPN
This chapter describes VPN usage with NetDefendOS.
• Overview, page 229
• VPN Quickstart Guide, page 231
• IPsec, page 240
• IPsec Tunnels,
Chapter 2. Management and Maintenance
This chapter describes the management, operations and maintenance related aspects of NetDefendOS.
• Managing NetDef
• Protecting mobile and home computers
• Restricting access through the VPN to needed services only, since mobile computers are vulnerable
• Creating DMZ
9.2. VPN Quickstart Guide
Later sections in this chapter will explore VPN components in detail. To help put those later sections in context, this sectio
the Destination Interface. The rule's Destination Network is the remote network remote_net.
• An Allow rule for inbound traffic that has the previo
Authentication section of an IP object. If that IP object is then used as the Source Network of a rule in the IP rule set, that rule will only apply to
• Create a Config Mode Pool object (there can only be one associated with a NetDefendOS installation) and associate with it the IP Pool object defined
3. Define a Pre-shared Key for the IPsec tunnel.
4. Define an IPsec Tunnel object (let's call this object ipsec_tunnel) with the following paramete
Action Src Interface Src Network Dest Interface Dest Network Service
Allow l2tp_tunnel l2tp_pool any int_net All
NAT ipsec_tunnel l2tp_pool ext all-nets
• An int_net object which is the internal network from which the addresses come.
• An ip_int object which is the internal IP address of the interface c
• If certificates have been used, check that the correct certificates have been used and that they haven't expired.
• Use ICMP Ping to confirm that
IPsec Tunnel Local Net      Remote Net    Remote GW
------------ -------------- ------------- -------------
L2TP_IPSec   214.237.225.43 84.13.193.179 84.13.193.179
By default, NetDefendOS has a local user database, AdminUsers, with one user account pre-defined:
• Username admin with password admin.
This account has
9.3. IPsec
9.3.1. Overview
Internet Protocol Security (IPsec) is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP
IKE Negotiation
The process of negotiating session parameters consists of a number of phases and modes. These are described in detail in the below secti
Authentication can be accomplished through Pre-Shared Keys, certificates or public key encryption. Pre-Shared Keys are the most common authentication me
configurations.
Remote Gateway
The remote gateway will be doing the decryption/authentication and pass the data on to its final destination. This field ca
• Cast128
• 3DES
• DES
DES is only included to be interoperable with other older VPN implementations. Use of DES should be avoided whenever possible, since
PFS Group
This specifies the PFS group to use with PFS. The PFS groups supported by NetDefendOS are:
• 1 modp 768-bit
• 2 modp 1024-bit
• 5 modp 1536-bit
Se
method where IKE is not used at all; the encryption and authentication keys as well as some other parameters are directly configured on both sides of t
roaming clients. Instead, should a client be compromised, the client's certificate can simply be revoked. No need to reconfigure every client.
Cert
9.3.5. NAT Traversal
Both IKE and IPsec protocols present a problem in the functioning of NAT. Both protocols were not designed to work through NATs and
configuration is needed. However, for responding firewalls two points should be noted:
• On responding firewalls, the Remote Gateway field is used as a
SSH (Secure Shell) CLI Access
The SSH (Secure Shell) protocol can be used to access the CLI over the network from a remote host. SSH is a protocol prima
1. Go to Objects > VPN Objects > IKE Algorithms > Add > IPsec Algorithms
2. Enter a name for the list eg. esp-l2tptunnel.
3. Now check the f
1. Go to Objects > Authentication Objects > Add > Pre-shared key
2. Enter a name for the pre-shared key eg. MyPSK
3. Choose Hexadecimal Key and
gw-world:/MyIDList> cc
Finally, apply the Identification List to the IPsec tunnel:
gw-world:/> set Interface IPsecTunnel MyIPsecTunnel AuthMethod=
9.4. IPsec Tunnels
9.4.1. Overview
An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a logical interface by
computer from different locations is a typical example of a roaming client. Apart from the need for secure VPN access, the other major issue with roami
5. Under the Routing tab:
• Enable the option: Dynamically add route to the remote network when a tunnel is established.
6. Click OK
C. Finally configure
3. For Algorithms enter:
• IKE Algorithms: Medium or High
• IPsec Algorithms: Medium or High
4. For Authentication enter:
• Choose X.509 Certificate as au
3. Click OK
4. Go to Objects > VPN Objects > ID List > Sales > Add > ID
5. Enter the name for the client
6. Select Email as Type
7. In the
Currently only one Config Mode object can be defined in NetDefendOS and this is referred to as the Config Mode Pool object. The key parameters associat
message includes the two IP addresses as well as the client identity. Optionally, the affected SA can be automatically deleted if validation fails by e
Device:/> set device name="gw-world"
The CLI Reference Guide uses the command prompt gw-world:/> throughout.
Note
When the command line p
9.5. PPTP/L2TP
The access by a client using a modem link over dial-up public switched networks, possibly with an unpredictable IP address, to protected
gw-world:/> add Interface L2TPServer MyPPTPServer ServerIP=lan_ip Interface=any IP=wan_ip IPPool=pp2p_Pool TunnelProtocol=PPTP AllowedRoutes=all-net
3. Now enter:
• Inner IP Address: ip_l2tp
• Tunnel Protocol: L2TP
• Outer Interface Filter: l2tp_ipsec
• Outer Server IP: wan_ip
4. Under the PPP Parameter
DHCPOverIPsec=Yes AddRouteToRemoteNet=Yes IPsecLifeTimeKilobytes=250000 IPsecLifeTimeSeconds=3600
Web Interface
1. Go to Interfaces > IPsec > Add >
7. In the ProxyARP control, select the lan interface.
8. Click OK
In order to authenticate the users using the L2TP tunnel, a user authentication rule n
4. Click OK
5. Go to Rules > IP Rules > Add > IPRule
6. Enter a name for the rule, eg. NATL2TP
7. Now enter:
• Action: NAT
• Service: all_services
Chapter 10. Traffic Management
This chapter describes how NetDefendOS can manage network traffic.
• Traffic Shaping, page 267
• Threshold Rules, page 279
• Providing bandwidth guarantees. This is typically accomplished by treating a certain amount of traffic (the guaranteed amount) as high priority. Traf
Figure 10.1. Pipe rule set to Pipe Packet Flow
Where one pipe is specified in a list then that is the pipe whose characteristics will be applied to the
Enter your username and password and click the Login button. If the user credentials are correct, you will be transferred to the main web interface pag
CLI
gw-world:/> add PipeRule ReturnChain=std-in SourceInterface=lan SourceNetwork=lannet DestinationInterface=wan DestinationNetwork=all-nets Service=
gw-world:/> add Pipe std-out LimitKbpsTotal=2000
Web Interface
1. Go to Traffic Management > Traffic Shaping > Pipes > Add > Pipe
2. Speci
Setting up pipes in this way only puts limits on the maximum values for certain traffic types. It does not give priorities to different types of compet
These limits can be specified in kilobits per second and/or packets per second (if both are specified then the first limit reached will be the limit us
for other services such as surfing, DNS or FTP. A means is therefore required to ensure that lower priority traffic gets some portion of bandwidth and
telnet-in pipes.
Notice that we did not set a total limit for the ssh-in and telnet-in pipes. We do not need to since the total limit will be enforced b
Instead of specifying a total group limit, the alternative is to enable the Dynamic Balancing option. This ensures that the available bandwidth is divi
specifying a "Per DestinationIP" grouping. Knowing when the pipe is full is not important since the only constraint is on each user. If prece
• A pipe can have a limit which is the maximum amount of traffic allowed.
• A pipe can only know when it is full if a limit is specified.
• A single pip
10.2. Threshold Rules
10.2.1. Overview
The objective of a Threshold Rule is to have a means of detecting abnormal connection activity as well as reacting
• Home - Navigates to the first page of the web interface.
• Configuration
• Save and Activate - Saves and activates the configuration.
• Discard Changes
10.2.5. Multiple Triggered Actions
When a rule is triggered then NetDefendOS will perform the associated rule Actions that match the condition that has
10.3. Server Load Balancing
10.3.1. Overview
The Server Load Balancing (SLB) feature in NetDefendOS is a powerful tool that can improve the following asp
SLB also means that network administrators can perform maintenance tasks on servers or applications without disrupting services. Individual servers can
algorithm cycles through the server list and redirects the load to servers in order. Regardless of each server's capability and other aspects, for
If Connection Rate is applied instead, R1 and R2 will be sent to the same server because of stickiness, but the subsequent requests R3 and R4 will be r
The key component in setting up SLB is the SLB_SAT rule in the IP rule set. The steps that should be followed are:
1. Define an Object for each server f
4. Click OK
5. Repeat the above to create an object called server2 for the 192.168.1.11 IP address.
B. Create a Group which contains the 2 webserver obj
• Service: HTTP
• Source Interface: any
• Source Network: all-nets
• Destination Interface: core
• Destination Network: ip_ext
3. Click OK
10.3.6. SLB_SAT R
Chapter 11. High Availability
This chapter describes the high availability fault-tolerance feature in D-Link Firewalls.
• Overview, page 289
• High Avail
• User Database: AdminUsers
• Interface: any
• Network: all-nets
5. Click OK
Caution
The above example is provided for informational purposes only. It is n
D-Link HA will only operate between two D-Link Firewalls. As the internal operation of different security gateway manufacturer's software is compl
11.2. High Availability Mechanisms
D-Link HA provides a redundant, state-synchronized hardware configuration. The state of the active unit, such as the
packets destined for the shared hardware address.
11.3. High Availability Setup
This section provides a step-by-step guide for setting up an HA Cluster.
11.3.1. Hardware Setup
1. Start with two physicall
3. Decide on a shared IP address for each interface in the cluster. Some interfaces could have shared addresses only with others having unique individu
This device is an HA MASTER
This device is currently ACTIVE (will forward traffic)
HA cluster peer is ALIVE
Then use the stat command to verify that both
11.4. High Availability Issues
The following points should be kept in mind when managing and configuring an HA Cluster.
SNMP
SNMP statistics are not shar
Chapter 12. ZoneDefense
This chapter describes the D-Link ZoneDefense feature.
• Overview, page 298
• ZoneDefense Switches, page 299
• ZoneDefense Operati
12.2. ZoneDefense Switches
Switch information regarding every switch that is to be controlled by the firewall has to be manually specified in the firewa
User Manual
DFL-210/260/800/860/1600/2500
NetDefendOS version 2.20
Published 2008-08-05
Copyright © 2008
Copyright Notice
This publication, including all ph
gw-world:/> show Service
A list of all services will be displayed, grouped by their respective type.
Web Interface
1. Go to Objects > Services
2. A
12.3. ZoneDefense Operation
12.3.1. SNMP
Simple Network Management Protocol (SNMP) is an application layer protocol for complex network management. SNMP
As a complement to threshold rules, it is also possible to manually define hosts and networks that are to be statically blocked or excluded. Manually b
2. For Addresses choose the object name of the firewall's interface address 192.168.1.1 from the Available list and put it into the Selected list.
Chapter 13. Advanced SettingsThis chapter describes the configurable advanced setings for NetDefendOS. The settings are dividedup into the following c
LogNonIP4Logs occurrences of IP packets that are not version 4. NetDefendOS only accepts version 4 IPpackets; everything else is discarded.Default: 25
Verifies that the size information contained in each "layer" (Ethernet, IP, TCP, UDP, ICMP) isconsistent with that of other layers.Default:
13.2. TCP Level SettingsTCPOptionSizesVerifies the size of TCP options. This function acts in the same way as IPOptionSizes describedabove.Default: Va
Default: 7000 bytesTCPZeroUnusedACKDetermines whether NetDefendOS should set the ACK sequence number field in TCP packets tozero if it is not used. So
to transport alternate checksums where permitted by ALTCHKREQ above. Normally never seen onmodern networks.Default: StripLogTCPOPT_CCDetermines how Ne
Example 2.5. Editing a Configuration ObjectWhen you need to modify the behavior of NetDefendOS, you will most likely need to modify one or severalconf
Specifies how NetDefendOS will deal with TCP packets with either the Xmas or Ymas flag turnedon. These flags are currently mostly used by OS Fingerpri
13.3. ICMP Level SettingsICMPSendPerSecLimitSpecifies the maximum number of ICMP messages NetDefendOS may generate per second. Thisincludes ping repli
13.4. ARP SettingsARPMatchEnetSenderDetermines if NetDefendOS will require the sender address at Ethernet level to comply with thehardware address rep
ARPExpireSpecifies how long a normal dynamic item in the ARP table is to be retained before it is removedfrom the table.Default: 900 seconds (15 minut
13.5. Stateful Inspection SettingsLogConnectionUsageThis generates a log message for every packet that passes through a connection that is set up in t
• NoLog – Does not log any connections; consequently, it will not matter if logging is enabled foreither Allow or NAT rules in the Rules section; they
13.6. Connection TimeoutsThe settings in this section specify how long a connection can remain idle, ie. no data being sentthrough it, before it is au
Default: False
13.7. Size Limits by ProtocolThis section contains information about the size limits imposed on the protocols directly under IPlevel, ie. TCP, UDP, IC
MaxSKIPLenSpecifies the maximum size of a SKIP packet.Default: 2000 bytesMaxOSPFLenSpecifies the maximum size of an OSPF packet. OSPF is a routing pro
1. Go to Objects > Address Book2. Click on the Add button3. In the dropdown menu displayed, select IP4 Address4. In the Name text box, enter myhost
13.8. Fragmentation SettingsIP is able to transport up to 65536 bytes of data. However, most media, such as Ethernet, cannotcarry such huge packets. T
Default: Check8 – compare 8 random locations, a total of 32 bytesFragReassemblyFailReassemblies may fail due to one of the following causes:• Some of
not match up. Possible settings are as follows:• NoLog - No logging is carried out under normal circumstances.• LogSuspect - Logs duplicated fragments
Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in its memory inorder to prevent further fragments of that packet f
13.9. Local Fragment Reassembly SettingsLocalReass_MaxConcurrentMaximum number of concurrent local reassemblies.Default: 256LocalReass_MaxSizeMaximum
13.10. DHCP SettingsDHCP_MinimumLeaseTimeMinimum lease time (seconds) accepted from the DHCP server.Default: 60DHCP_ValidateBcastRequire that the assi
13.11. DHCPRelay SettingsDHCPRelay_MaxTransactionsMaximum number of transactions at the same time.Default: 32DHCPRelay_TransactionTimeoutFor how long
13.12. DHCPServer SettingsDHCPServer_SaveLeasePolicyWhat policy should be used to save the lease database to the disk, possible settings are Disabled,
13.13. IPsec SettingsIKESendInitialContactDetermines whether or not IKE should send the "Initial Contact" notification message. This message
IPsecDeleteSAOnIPValidationFailureControls what happens to the SAs if IP validation in Config Mode fails. If Enabled, the securityassociations (SAs) a
CLIgw-world:/> show -changesType Object------------- ------- IP4Address myhost* ServiceTCPUDP telnetA "+" character in front of the row i
13.14. Logging SettingsLogSendPerSecLimitThis setting limits how many log packets NetDefendOS may send out per second. This value shouldnever be set t
13.15. Time Synchronization SettingsTimeSync_SyncIntervalSeconds between each resynchronization.Default: 86400TimeSync_MaxAdjustMaximum time drift tha
DST offset in minutes.Default: 0TimeSync_DSTStartDateWhat month and day DST starts, in the format MM-DD.Default: noneTimeSync_DSTEndDateWhat month and
13.16. PPP SettingsPPP_L2TPBeforeRulesPass L2TP traffic sent to the D-Link Firewall directly to the L2TP Server without consulting therule set.Default
13.17. Hardware Monitor SettingsHWM_PollIntervalPolling intervall for Hardware Monitor which is the delay in milliseconds between reading ofhardware m
13.18. Packet Re-assembly SettingsPacket re-assembly collects IP fragments into complete IP datagrams and, for TCP, reorderssegments so that they are
13.19. Miscellaneous SettingsBufFloodRebootTimeAs a final way out, NetDefendOS automatically reboots if its buffers have been flooded for a longtime.
Appendix A. Subscribing to SecurityUpdatesIntroductionThe NetDefendOS Anti-Virus (AV) module, the Intrusion Detection and Prevention (IDP) moduleand t
Querying Update StatusTo get the status of IDP updates use the command:gw-world:/> updatecenter -status IDPTo get the status of AV updates:gw-world
NoteThe configuration must be committed before changes are saved. All changes to aconfiguration can be ignored simply by not committing a changed conf
Appendix B. IDP Signature GroupsFor IDP scanning, the following signature groups are available for selection. These groups areavailable only for the D
Group Name Intrusion TypeFTP_FORMATSTRING Format string attackFTP_GENERAL FTP protocol and implementationFTP_LOGIN Login attacksFTP_OVERFLOW FTP buffe
Group Name Intrusion TypePOP3_DOS Denial of Service for POPPOP3_GENERAL Post Office Protocol v3POP3_LOGIN-ATTACKS Password guessing and related login
Group Name Intrusion TypeTFTP_OPERATION Operation AttackTFTP_OVERFLOW TFTP buffer overflow attackTFTP_REPLY TFTP Reply attackTFTP_REQUEST TFTP request
Appendix C. Checked MIME filetypesThe HTTP Application Layer Gateway has the ability to verify that the contents of a filedownloaded via the HTTP prot
Filetype extension Applicationelc eMacs Lisp Byte-compiled Source Codeemd ABT EMD Module/Song Format fileesp ESP archive dataexe Windows Executablefgf
Filetype extension Applicationpac CrossePAC archive datapbf Portable Bitmap Format Imagepbm Portable Bitmap Graphicpdf Acrobat Portable Document Forma
Filetype extension Applicationwk Lotus 1-2-3 documentwmv Windows Media filewrl, vrml Plain Text VRML filexcf GIMP Image filexm Fast Tracker 2 Extended
Appendix D. The OSI FrameworkThe Open Systems Interconnection Model defines a framework for intercomputer communications.It categorizes different prot
Appendix E. D-Link worldwide officesBelow is a complete list of D-Link worldwide sales offices. Please check your own country area'slocal website
2.2. Events and Logging2.2.1. OverviewThe ability to log and analyze system activities is an essential feature of NetDefendOS. Loggingenables not only
FAX: +972-9-9715601. Website: www.dlink.co.ilItalyVia Nino Bonnet n. 6/b, 20154 – Milano, Italy. TEL:39-02-2900-0676, FAX: 39-02-2900-1723. Website: w
MemlogA D-Link Firewall has a built in logging mechanism known as the Memory Log. Thisretains all event log messages in memory and allows direct viewi
NoteThe syslog server may have to be configured to receive log messages fromNetDefendOS. Please see the documentation for your specific Syslog server
CLIgw-world:/> add LogReceiver EventReceiverSNMP2c my_snmp IPAddress=195.11.22.55Web Interface1. Goto Log & Event Receivers > Add > Event
2.3. RADIUS Accounting2.3.1. OverviewWithin a network environment containing large numbers of users, it is advantageous to have one ora cluster of cen
database.• Delay Time - The time delay (in seconds) since the AccountingRequest packet was sent and theauthentication acknowledgement was received. Th
2.3.3. Interim Accounting MessagesIn addition to START and STOP messages NetDefendOS can optionally periodically send InterimAccounting Messages to up
• An AccountingStart event is sent to the inactive member in an HA setup whenever a responsehas been received from the accounting server. This specifi
2.4. Monitoring2.4.1. SNMP MonitoringOverviewSimple Network Management Protocol (SNMP) is a standardized protocol for management ofnetwork devices. An
SNMP access. Port 161 is usually used for SNMP and NetDefendOS always expects SNMP trafficon that port.Remote Access EncryptionIt should be noted that
2.5. Maintenance2.5.1. Auto-Update MechanismA number of the NetDefendOS security features rely on external servers for automatic updates andcontent fi
Example 2.15. Complete Hardware Reset to Factory DefaultsCLIgw-world:/> reset -unitWeb Interface1. Go to Maintenance > Reset2. Select Restore th
Chapter 3. FundamentalsThis chapter describes the fundamental logical objects upon which NetDefendOS is built. Theseobjects include such things as add
For example: 192.168.0.0/24IP RangeA range of IP addresses is represented on the form a.b.c.d - e.f.g.h. Please note thatranges are not limited to net
Web Interface1. Go to Objects > Address Book > Add > IP address2. Specify a suitable name for the IP Range, for instance wwwservers.3. Enter
3.1.4. Address GroupsAddress objects can be grouped in order to simplify configuration. Consider a number of publicservers that should be accessible f
3.2. Services3.2.1. OverviewA Service object is a reference to a specific IP protocol with associated parameters. A Servicedefinition is usually based
----------------- ----------------Name: echoDestinationPorts: 7Type: TCPUDP (TCP/UDP)SourcePorts: 0-65535PassICMPReturn: NoALG: (none)MaxSessions: 100
TipThe above methods of specifying port numbers are used not just for destination ports.Source port definitions can follow the same conventions, altho
When setting up rules that filter by services it is possible to use the service grouping all_services torefer to all protocols. If just referring to t
number. Some of the common IP protocols, such as IGMP, are already pre-defined in theNetDefendOS system configuration.Similar to the TCP/UDP port rang
3.3. Interfaces3.3.1. OverviewAn Interface is one of the most important logical building blocks in NetDefendOS. All networktraffic that passes through
L2TP tunnels. For more information about PPTP/L2TP,please see Section 9.5, “PPTP/L2TP”.• GRE interfaces are used to establish GRE tunnels. For moreinf
The names of the Ethernet interfaces are pre-defined by the system, and are mapped to the names ofthe physical ports; a system with a wan port will ha
gw-world:/> set Interface Ethernet wan DHCPEnabled=YesWeb Interface1. Go to Interfaces > Ethernet2. In the grid, click on the ethernet object of
3. Assign a VLAN ID that is unique on the physical interface.4. Optionally specify an IP address for the VLAN.5. Optionally specify an IP broadcast ad
Control Protocols (NCPs) can be used to transport traffic for a particular protocol suite, so thatmultiple protocols can interoperate on the same link
• Service Name: Service name provided by the service provider• Username: Username provided by the service provider• Password: Password provided by the
• IP Address - This is the IP address of the sending interface. This is optional and can be leftblank. If it is left blank then the sending IP address
Setup for D-Link Firewall "A"Assuming that the network 192.168.10.0/24 is lannet on the lan interface, the steps for setting upNetDefendOS o
1. In the address book set up the following IP objects:• remote_net_A: 192.168.10.0/24• remote_gw: 172.16.0.1• ip_GRE: 192.168.0.22. Create a GRE Tunn
3. Click OK
3.4. ARP3.4.1. OverviewAddress Resolution Protocol (ARP) is a protocol, which maps a network layer protocol address to adata link layer hardware addre
The default expiration time for dynamic ARP entries is 900 seconds (15 minutes). This can bechanged by modifying the Advanced Setting ARPExpire. The s
NetDefendOS supports defining static ARP entries (static binding of IP addresses to Ethernetaddresses) as well as publishing IP addresses with a speci
There are two publishing modes; Publish and XPublish. The difference between the two is thatXPublish "lies" about the sender Ethernet addres
situations are to be logged.Sender IP 0.0.0.0NetDefendOS can be configured on what to do with ARP queries that have a sender IP of 0.0.0.0.Such sender
3.5. The IP Rule Set3.5.1. Security PoliciesPolicy CharacteristicsNetDefendOS Security Policies designed by the administrator, regulate the way in whi
IP RulesThe IP rule set is the most important of these security policy rule sets. It determines the criticalpacket filtering function of NetDefendOS,
3.5.3. IP Rule ActionsA rule consists of two parts: the filtering parameters and the action to take if there is a match withthose parameters. As descr
Using RejectIn certain situations the Reject action is recommended instead of the Drop action because a politereply is required from NetDefendOS. An e
3.6. SchedulesIn some scenarios, it might be useful to control not only what functionality is enabled, but also whenthat functionality is being used.F
• Action: NAT• Service: http• Schedule: OfficeHours• SourceInterface: lan• SourceNetwork lannet• DestinationInterface: any• DestinationNetwork: all-ne
3.7. X.509 CertificatesNetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. Thisinvolves the use of an X.509 certifica
has to be issued.Certificate Revocation ListsA Certificate Revocation List (CRL) contains a list of all certificates that have been cancelled beforeth
3. Now select one of the following:• Upload self-signed X.509 Certificate• Upload a remote certificate4. Click OK and follow the instructions.Example
3.8. Setting Date and TimeCorrectly setting the date and time is important for NetDefendOS to operate properly. Timescheduled policies, auto-update of
Example 3.21. Setting the Time ZoneTo modify the NetDefendOS time zone to be GMT plus 1 hour, follow the steps outlined below:CLIgw-world:/> set Da
Time Synchronization Protocols are standardised methods for retrieving time information fromexternal Time Servers. NetDefendOS supports the following
CLIgw-world:/> time -syncAttempting to synchronize system time...Server time: 2007-02-27 12:21:52 (UTC+00:00)Local time: 2007-02-27 12:24:30 (UTC+0
D-Link Time ServersUsing D-Link's own Time Servers is an option in NetDefendOS and this is the recommended way ofsynchronizing the firewall clock
3.9. DNS LookupA DNS server can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numericIP address. FQDNs are unambiguous textual d
Chapter 4. RoutingThis chapter describes how to configure IP routing in NetDefendOS.• Overview, page 89• Static Routing, page 90• Policy-based Routing
4.2. Static RoutingThe most basic form of routing is known as Static Routing. The term static refers to the fact thatentries in the routing table are
4.2.2. Static RoutingThis section describes how routing is implemented in NetDefendOS, and how to configure staticrouting.NetDefendOS supports multipl
Persistent Routes:NoneThe corresponding routing table in NetDefendOS is similar to this:Flags Network Iface Gateway Local IP Metric----- -------------
213.124.165.0/24 wan 00.0.0.0/0 wan 213.124.165.1 0Web InterfaceTo see the configured routing table:1. Go to Routing > Routing Tables2. Select and
Web Interface1. Select the Routes item in the Status dropdown menu in the menu bar2. Check the Show all routes checkbox and click the Apply button3. T
methods must be chosen:Interface Link StatusNetDefendOS will monitor the link status of the interfacespecified in the route. As long as the interface
automatically be transferred back to it.Route Interface GroupingWhen using route monitoring, it is important to check if a failover to another route w
IP address of host B on another separate network. The proxy ARP feature means that NetDefendOSresponds to this ARP request instead of host B. The NetD
4.3. Policy-based Routing4.3.1. OverviewPolicy-based Routing (PBR) is an extension to the standard routing described previously. It offersadministrato
Policy-based Routing rule can be triggered by the type of Service (HTTP for example) incombination with the Source/Destination Interface and Source/De