D-Link DFL-260 manuel d'utilisation

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355

Aller à la page of

Un bon manuel d’utilisation

Les règles imposent au revendeur l'obligation de fournir à l'acheteur, avec des marchandises, le manuel d’utilisation D-Link DFL-260. Le manque du manuel d’utilisation ou les informations incorrectes fournies au consommateur sont à la base d'une plainte pour non-conformité du dispositif avec le contrat. Conformément à la loi, l’inclusion du manuel d’utilisation sous une forme autre que le papier est autorisée, ce qui est souvent utilisé récemment, en incluant la forme graphique ou électronique du manuel D-Link DFL-260 ou les vidéos d'instruction pour les utilisateurs. La condition est son caractère lisible et compréhensible.

Qu'est ce que le manuel d’utilisation?

Le mot vient du latin "Instructio", à savoir organiser. Ainsi, le manuel d’utilisation D-Link DFL-260 décrit les étapes de la procédure. Le but du manuel d’utilisation est d’instruire, de faciliter le démarrage, l'utilisation de l'équipement ou l'exécution des actions spécifiques. Le manuel d’utilisation est une collection d'informations sur l'objet/service, une indice.

Malheureusement, peu d'utilisateurs prennent le temps de lire le manuel d’utilisation, et un bon manuel permet non seulement d’apprendre à connaître un certain nombre de fonctionnalités supplémentaires du dispositif acheté, mais aussi éviter la majorité des défaillances.

Donc, ce qui devrait contenir le manuel parfait?

Tout d'abord, le manuel d’utilisation D-Link DFL-260 devrait contenir:
- informations sur les caractéristiques techniques du dispositif D-Link DFL-260
- nom du fabricant et année de fabrication D-Link DFL-260
- instructions d'utilisation, de réglage et d’entretien de l'équipement D-Link DFL-260
- signes de sécurité et attestations confirmant la conformité avec les normes pertinentes

Pourquoi nous ne lisons pas les manuels d’utilisation?

Habituellement, cela est dû au manque de temps et de certitude quant à la fonctionnalité spécifique de l'équipement acheté. Malheureusement, la connexion et le démarrage D-Link DFL-260 ne suffisent pas. Le manuel d’utilisation contient un certain nombre de lignes directrices concernant les fonctionnalités spécifiques, la sécurité, les méthodes d'entretien (même les moyens qui doivent être utilisés), les défauts possibles D-Link DFL-260 et les moyens de résoudre des problèmes communs lors de l'utilisation. Enfin, le manuel contient les coordonnées du service D-Link en l'absence de l'efficacité des solutions proposées. Actuellement, les manuels d’utilisation sous la forme d'animations intéressantes et de vidéos pédagogiques qui sont meilleurs que la brochure, sont très populaires. Ce type de manuel permet à l'utilisateur de voir toute la vidéo d'instruction sans sauter les spécifications et les descriptions techniques compliquées D-Link DFL-260, comme c’est le cas pour la version papier.

Pourquoi lire le manuel d’utilisation?

Tout d'abord, il contient la réponse sur la structure, les possibilités du dispositif D-Link DFL-260, l'utilisation de divers accessoires et une gamme d'informations pour profiter pleinement de toutes les fonctionnalités et commodités.

Après un achat réussi de l’équipement/dispositif, prenez un moment pour vous familiariser avec toutes les parties du manuel d'utilisation D-Link DFL-260. À l'heure actuelle, ils sont soigneusement préparés et traduits pour qu'ils soient non seulement compréhensibles pour les utilisateurs, mais pour qu’ils remplissent leur fonction de base de l'information et d’aide.

Table des matières du manuel d’utilisation

  • Page 1

    N e t w o r k S e c u r i t y S o l u t i o n h t t p : / / w w w .d l i n k . c o m S e c u r i t y S e c u r i t y D F L - 2 1 0 / 8 0 0 / 1 6 0 0 / 2 5 0 0 D F L - 2 6 0 / 8 6 0 V e r . 1 . 0 7 N e t w o r k S e c u r i t y F i r e w a l l U s e r M a n u a l[...]

  • Page 2

    User Manual DFL-210/260/800/ 860/1600/2500 NetDefendOS version 2.20 D-Link NetDefend Securit y http://security.dlink.com.tw Published 200 8 - 08 - 05 Copyright © 200 8[...]

  • Page 3

    User Manual DFL-210/260/800/860/1600/2500 NetDefendOS version 2.20 Published 200 8 - 08 - 05 Copyright © 200 8 Copyright Notice This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manual, nor any of the material contained herein, may be rep[...]

  • Page 4

    Table of Contents Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 1. Product Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 5

    3.4.3. ARP Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 3.4.4. Static and Published ARP Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 3.4.5. Advanced ARP S[...]

  • Page 6

    6.2.8. H.323 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 6.3. Web Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Page 7

    9.2.3. IPsec Roaming Clients with Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 9.2.4. L2TP Roaming Clients with Pre-Shared Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 9.2.5. L2TP Roaming Clients with Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Page 8

    12.3.1. SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300 12.3.2. Threshold Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 9

    List of Figures 1.1. Packet Flow Schematic Part I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 1.2. Packet Flow Schematic Part II . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Page 10

    List of Examples 1. Example Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.1. Enabling SSH Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Page 11

    5.1. Setting up a DHCP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 5.2. Checking the status of a DHCP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Page 12

    Preface Intended Audience The target audience for this reference guide is Administrators who are responsible for configuring and managing D-Link Firewalls which are running the NetDefendOS operating system. This guide assumes that the reader has some basic knowledge of networks and network security. Text Structure and Conventions The text is broken[...]

  • Page 13

    Highlighted Content Special sections of text which the reader should pay special attention to are indicated by icons on the left hand side of the page followed by a short paragraph in italicized text. Such sections are of the following types with the following purposes: Note This indicates some piece of information that is an addition to the preced[...]

  • Page 14

    Chapter 1. Product Overview This chapter outlines the key features of NetDefendOS. • About D-Link NetDefendOS, page 14 • NetDefendOS Architecture, page 16 • NetDefendOS State Engine Packet Flow, page 19 1.1. About D-Link NetDefendOS D-Link NetDefendOS is the firmware, the software engine that drives and controls all D-Link Firewall products. [...]

  • Page 15

    hosts. For more information about the IDP capabilities of NetDefendOS, please see Section 6.5, “Intrusion Detection and Prevention”. Anti-Virus NetDefendOS features integrated gateway anti-virus functionality. Traffic passing through the gateway can be subjected to in-depth scanning for viruses, and attacking hosts can be blocked and black-list[...]

  • Page 16

    1.2. NetDefendOS Architecture 1.2.1. State-based Architecture The NetDefendOS architecture is centered around the concept of state-based connections. Traditional IP routers or switches commonly inspect all packets and then perform forwarding decisions based on information found in the packet headers. With this approach, packets are forwarded withou[...]

  • Page 17

    1.2.3. Basic Packet Flow This section outlines the basic flow in the state-engine for packets received and forwarded by NetDefendOS. Please note that this description is simplified and might not be fully applicable in all scenarios. The basic principle, however, is still valid in all applications. 1. An Ethernet frame is received on one of the Ethe[...]

  • Page 18

    and the event is logged according to the log settings for the rule. If the action is Allow, the packet is allowed through the system. A corresponding state will be added to the connection table for matching subsequent packets belonging to the same connection. In addition, the Service object which matched the IP protocol and ports might have contain[...]

  • Page 19

    1.3. NetDefendOS State Engine Packet Flow The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next. Figure 1.1. Packet Flow Schematic Part I The packet flow is continued on the following page. 1.3. NetDefendOS State Engine Packet Flow Chapter 1. [...]

  • Page 20

    Figure 1.2. Packet Flow Schematic Part II The packet flow is continued on the following page. Figure 1.3. Packet Flow Schematic Part III 1.3. NetDefendOS State Engine Packet Flow Chapter 1. Product Overview 20[...]

  • Page 21

    1.3. NetDefendOS State Engine Packet Flow Chapter 1. Product Overview 21[...]

  • Page 22

    1.3. NetDefendOS State Engine Packet Flow Chapter 1. Product Overview 22[...]

  • Page 23

    Chapter 2. Management and Maintenance This chapter describes the management, operations and maintenance related aspects of NetDefendOS. • Managing NetDefendOS, page 23 • Events and Logging, page 35 • RADIUS Accounting, page 39 • Monitoring, page 43 • Maintenance, page 45 2.1. Managing NetDefendOS 2.1.1. Overview NetDefendOS is designed to[...]

  • Page 24

    By default, NetDefendOS has a local user database, AdminUsers , with one user account pre-defined: • Username admin with password admin . This account has full administrative read/write privileges. Important For security reasons, it is recommended to change the default password of the default account as soon as possible after connecting with the [...]

  • Page 25

    SSH (Secure Shell) CLI Access The SSH (Secure Shell) protocol can be used to access the CLI over the network from a remote host. SSH is a protocol primarily used for secure communication over insecure networks, providing strong authentication and data integrity. Many SSH clients are feely available for almost all hardware platforms. NetDefendOS sup[...]

  • Page 26

    Device:/> set device name="gw-world" The CLI Reference Guide uses the command prompt gw-world:/> throughout. Note When the command line prompt is changed to a new string value, this string also appears as the new device name in the top level node of the WebUI tree-view. Activate and Committing Changes If any changes are made to the [...]

  • Page 27

    Enter your username and password and click the Login button. If the user credentials are correct, you will be transferred to the main web interface page. This page, with its essential parts highlighted, is shown below. Multi-language Support The WebUI login dialog offers the option to select a language other than english for the interface. Language[...]

  • Page 28

    • Home - Navigates to the first page of the web interface. • Configuration • Save and Activate - Saves and activates the configuration. • Discard Changes - Discards any changes made to the configuration during the current session. • View Changes - List the changes made to the configuration since it was last saved. • Tools - Contains a n[...]

  • Page 29

    • User Database: AdminUsers • Interface: any • Network: all-nets 5. Click OK Caution The above example is provided for informational purposes only. It is never recommended to expose any management interface to any user on the Internet. Logging out from the Web Interface When you have finished working in the web interface, you should always lo[...]

  • Page 30

    gw-world:/> show Service A list of all services will be displayed, grouped by their respective type. Web Interface 1. Go to Objects > Services 2. A web page listing all services will be presented. A list contains the following basic elements: • Add Button - Displays a dropdown menu when clicked. The menu will list all types of configuration[...]

  • Page 31

    Example 2.5. Editing a Configuration Object When you need to modify the behavior of NetDefendOS, you will most likely need to modify one or several configuration objects. This example shows how to edit the Comments property of the telnet service. CLI gw-world:/> set Service ServiceTCPUDP telnet Comments="Modified Comment" Show the obje[...]

  • Page 32

    1. Go to Objects > Address Book 2. Click on the Add button 3. In the dropdown menu displayed, select IP4 Address 4. In the Name text box, enter myhost 5. Enter 192.168.10.10 in the IP Address textbox 6. Click OK 7. Verify that the new IP4 address object has been added to the list Example 2.7. Deleting a Configuration Object This example shows ho[...]

  • Page 33

    CLI gw-world:/> show -changes Type Object ------------- ------ - IP4Address myhost * ServiceTCPUDP telnet A "+" character in front of the row indicates that the object has been added. A "*" character indicates that the object has been modified. A "-" character indicates that the object has been marked for deletion. [...]

  • Page 34

    Note The configuration must be committed before changes are saved. All changes to a configuration can be ignored simply by not committing a changed configuration. 2.1.5. Working with Configurations Chapter 2. Management and Maintenance 34[...]

  • Page 35

    2.2. Events and Logging 2.2.1. Overview The ability to log and analyze system activities is an essential feature of NetDefendOS. Logging enables not only monitoring of system status and health, but also allows auditing of network usage and assists in trouble-shooting. NetDefendOS defines a number of event messages , which are generated as a result [...]

  • Page 36

    Memlog A D-Link Firewall has a built in logging mechanism known as the Memory Log. This retains all event log messages in memory and allows direct viewing of log messages through the web interface. Syslog The de-facto standard for logging events from network devices. If other network devices are already logging to Syslog servers, using syslog with [...]

  • Page 37

    Note The syslog server may have to be configured to receive log messages from NetDefendOS. Please see the documentation for your specific Syslog server software in order to correctly configure it. 2.2.3.2. SNMP Traps The SNMP protocol Simple Network Management Protocol (SNMP) is a means for communicating between a Network Management System (NMS) an[...]

  • Page 38

    CLI gw-world:/> add LogReceiver EventReceiverSNMP2c my_snmp IPAddress=195.11.22.55 Web Interface 1. Goto Log & Event Receivers > Add > EventReceiverSNMP2c 2. Specify a name for the event receiver, eg. my_snmp 3. Enter 195.11.22.55 as the IP Address 4. Enter an SNMP Community String if needed by the trap receiver) 5. Click OK The system[...]

  • Page 39

    2.3. RADIUS Accounting 2.3.1. Overview Within a network environment containing large numbers of users, it is advantageous to have one or a cluster of central servers that maintain user account information and are responsible for authentication and authorization tasks. The central database residing on the dedicated server(s) contains all user creden[...]

  • Page 40

    database. • Delay Time - The time delay (in seconds) since the AccountingRequest packet was sent and the authentication acknowledgement was received. This can be subtracted from the time of arrival on the server to find the approximate time of the event generating this AccountingRequest. Note that this does not reflect network delays. The first a[...]

  • Page 41

    2.3.3. Interim Accounting Messages In addition to START and STOP messages NetDefendOS can optionally periodically send Interim Accounting Messages to update the accounting server with the current status of an authenticated user. An Interim Accounting Message can be seen as a snapshot of the network resources that an authenticated user has used up u[...]

  • Page 42

    • An AccountingStart event is sent to the inactive member in an HA setup whenever a response has been received from the accounting server. This specifies that accounting information should be stored for a specific authenticated user. • A problem with accounting information synchronization could occur if an active unit has an authenticated user [...]

  • Page 43

    2.4. Monitoring 2.4.1. SNMP Monitoring Overview Simple Network Management Protocol (SNMP) is a standardized protocol for management of network devices. An SNMP compliant client can connect to a network device which supports the SNMP protocol to query and control it. NetDefendOS supports SNMP version 1 and version 2. Connection can be made by any SN[...]

  • Page 44

    SNMP access. Port 161 is usually used for SNMP and NetDefendOS always expects SNMP traffic on that port. Remote Access Encryption It should be noted that SNMP Version 1 or 2c access means that the community string will be sent as plain text over a network. This is clearly insecure if a remote client is communicating over the public Internet. It is [...]

  • Page 45

    2.5. Maintenance 2.5.1. Auto-Update Mechanism A number of the NetDefendOS security features rely on external servers for automatic updates and content filtering. The Intrusion Prevention and Detection system and Anti-Virus modules require access to updated signature databases in order to provide protection against the latest threats. To facilitate [...]

  • Page 46

    Example 2.15. Complete Hardware Reset to Factory Defaults CLI gw-world:/> reset -unit Web Interface 1. Go to Maintenance > Reset 2. Select Restore the entire unit to factory defaults then confirm and wait for the restore to complete. Reset alternative for the DFL-210/260/800/860 only To reset the DFL-210/260/800/860 you must hold down the res[...]

  • Page 47

    2.5.3. Resetting to Factory Defaults Chapter 2. Management and Maintenance 47[...]

  • Page 48

    Chapter 3. Fundamentals This chapter describes the fundamental logical objects upon which NetDefendOS is built. These objects include such things as addresses, services and schedules. In addition, the chapter explains how the various supported interfaces work, it outlines how secuirty policies are constructed and how basic system settings are confi[...]

  • Page 49

    For example: 192.168.0.0/24 IP Range A range of IP addresses is represented on the form a.b.c.d - e.f.g.h . Please note that ranges are not limited to netmask boundaries; they may include any span of IP addresses. For example: 192.168.0.10-192.168.0.15 represents six hosts in consecutive order. Example 3.1. Adding an IP Host This example adds the I[...]

  • Page 50

    Web Interface 1. Go to Objects > Address Book > Add > IP address 2. Specify a suitable name for the IP Range, for instance wwwservers. 3. Enter 192.168.10.16-192.168.10.21 as the IP Address 4. Click OK Example 3.4. Deleting an Address Object To delete an object named wwwsrv1 in the Address Book, do the following: CLI gw-world:/> delete [...]

  • Page 51

    3.1.4. Address Groups Address objects can be grouped in order to simplify configuration. Consider a number of public servers that should be accessible from the Internet. The servers have IP addresses that are not in a sequence, and can therefore not be referenced to as a single IP range. Consequently, individual IP Address objects have to be create[...]

  • Page 52

    3.2. Services 3.2.1. Overview A Service object is a reference to a specific IP protocol with associated parameters. A Service definition is usually based on one of the major transport protocols such as TCP or UDP, with the associated port number(s). The HTTP service, for instance, is defined as using the TCP protocol with associated port 80. Howeve[...]

  • Page 53

    ----------------- ---------------- Name: echo DestinationPorts: 7 Type: TCPUDP (TCP/UDP) SourcePorts: 0-65535 PassICMPReturn: No ALG: (none) MaxSessions: 1000 Comments: Echo service Web Interface 1. Go to Objects > Services 2. Select the specific service object in the grid control. 3. A grid listing all services will be presented. 3.2.2. TCP and[...]

  • Page 54

    Tip The above methods of specifying port numbers are used not just for destination ports. Source port definitions can follow the same conventions, although it is most usual that the source ports are left as the default value which is 0-65535 and this corresponds to all possible source ports. Example 3.8. Adding a TCP/UDP Service This example shows [...]

  • Page 55

    When setting up rules that filter by services it is possible to use the service grouping all_services to refer to all protocols. If just referring to the main protocols of TCP, UDP and ICMP then the service group all_tcpudpicmp can be used. 3.2.3. ICMP Services Internet Control Message Protocol (ICMP), is a protocol integrated with IP for error rep[...]

  • Page 56

    number. Some of the common IP protocols, such as IGMP, are already pre-defined in the NetDefendOS system configuration. Similar to the TCP/UDP port ranges described previously, a range of IP protocol numbers can be used to specify multiple applications for one service. Note The currently assigned IP protocol numbers and references are published by [...]

  • Page 57

    3.3. Interfaces 3.3.1. Overview An Interface is one of the most important logical building blocks in NetDefendOS. All network traffic that passes through or gets terminated in the system is done so through one or several interfaces. An interface can be seen as a doorway for network traffic to or from the system. Thus, when traffic enters the system[...]

  • Page 58

    L2TP tunnels. For more information about PPTP/L2TP, please see Section 9.5, “PPTP/L2TP”. • GRE interfaces are used to establish GRE tunnels. For more information about GRE, please see Section 3.3.5, “GRE Tunnels”. Even though the various types of interfaces are very different in the way they are implemented and how they work, NetDefendOS [...]

  • Page 59

    The names of the Ethernet interfaces are pre-defined by the system, and are mapped to the names of the physical ports; a system with a wan port will have an Ethernet interface named wan and so on. The names of the Ethernet interfaces can be changed to better reflect their usage. For instance, if an interface named dmz is connected to a wireless LAN[...]

  • Page 60

    gw-world:/> set Interface Ethernet wan DHCPEnabled=Yes Web Interface 1. Go to Interfaces > Ethernet 2. In the grid, click on the ethernet object of interest 3. Enable the Enable DHCP client option 4. Click OK 3.3.3. VLAN Overview Virtual LANs (VLANs) are useful in several different scenarios, for instance, when filtering of traffic is needed [...]

  • Page 61

    3. Assign a VLAN ID that is unique on the physical interface. 4. Optionally specify an IP address for the VLAN. 5. Optionally specify an IP broadcast address for the VLAN. 6. Create the required route(s) for the VLAN in the appropriate routing table. 7. Create rules in the IP rule set to allow traffic through on the VLAN interface. Example 3.11. De[...]

  • Page 62

    Control Protocols (NCPs) can be used to transport traffic for a particular protocol suite, so that multiple protocols can interoperate on the same link, for example, both IP and IPX traffic can share a PPP link. Authentication is an option with PPP. Authentication protocols supported are Password Authentication Protocol (PAP), Challenge Handshake A[...]

  • Page 63

    • Service Name: Service name provided by the service provider • Username: Username provided by the service provider • Password: Password provided by the service provider • Confirm Password: Retype the password • Under Authentication specify which authentication protocol to use (the default settings will be used if not specified) • Disab[...]

  • Page 64

    • IP Address - This is the IP address of the sending interface. This is optional and can be left blank. If it is left blank then the sending IP address will default to the local host address of 127.0.0.1 . • Remote Network - The remote network which the GRE tunnel will connect with. • Remote Endpoint - This is the IP address of the remote dev[...]

  • Page 65

    Setup for D-Link Firewall "A" Assuming that the network 192.168.10.0/24 is lannet on the lan interface, the steps for setting up NetDefendOS on A are: 1. In the address book set up the following IP objects: • remote_net_B: 192.168.11.0/24 • remote_gw: 172.16.1.1 • ip_GRE: 192.168.0.1 2. Create a GRE Tunnel object called GRE_to_B wit[...]

  • Page 66

    1. In the address book set up the following IP objects: • remote_net_A: 192.168.10.0/24 • remote_gw: 172.16.0.1 • ip_GRE: 192.168.0.2 2. Create a GRE Tunnel object called GRE_to_A with the following parameters: • IP Address: ip_GRE • Remote Network: remote_net_A • Remote Endpoint: remote_gw • Use Session Key: 1 • Additional Encapula[...]

  • Page 67

    3. Click OK 3.3.6. Interface Groups Chapter 3. Fundamentals 67[...]

  • Page 68

    3.4. ARP 3.4.1. Overview Address Resolution Protocol (ARP) is a protocol, which maps a network layer protocol address to a data link layer hardware address and it is used to resolve an IP address into its corresponding Ethernet address. It works at the OSI Data Link Layer (Layer 2 - see Appendix D, The OSI Framework ) and is encapsulated by Etherne[...]

  • Page 69

    The default expiration time for dynamic ARP entries is 900 seconds (15 minutes). This can be changed by modifying the Advanced Setting ARPExpire . The setting ARPExpireUnknown specifies how long NetDefendOS is to remember addresses that cannot be reached. This is done to ensure that NetDefendOS does not continously request such addresses. The defau[...]

  • Page 70

    NetDefendOS supports defining static ARP entries (static binding of IP addresses to Ethernet addresses) as well as publishing IP addresses with a specific Ethernet address. Static ARP Entries Static ARP items may help in situations where a device is reporting incorrect Ethernet address in response to ARP requests. Some workstation bridges, such as [...]

  • Page 71

    There are two publishing modes; Publish and XPublish. The difference between the two is that XPublish "lies" about the sender Ethernet address in the Ethernet header; this is set to be the same as the published Ethernet address rather than the actual Ethernet address of the Ethernet interface. If a published Ethernet address is the same a[...]

  • Page 72

    situations are to be logged. Sender IP 0.0.0.0 NetDefendOS can be configured on what to do with ARP queries that have a sender IP of 0.0.0.0. Such sender IPs are never valid in responses, but network units that have not yet learned of their IP address sometimes ask ARP questions with an "unspecified" sender IP. Normally, these ARP replies[...]

  • Page 73

    3.5. The IP Rule Set 3.5.1. Security Policies Policy Characteristics NetDefendOS Security Policies designed by the administrator, regulate the way in which traffic can flow through a D-Link Firewall. Policies in NetDefendOS are defined by different NetDefendOS rule sets . These rule sets share a common means of specifying filtering criteria which d[...]

  • Page 74

    IP Rules The IP rule set is the most important of these security policy rule sets. It determines the critical packet filtering function of NetDefendOS, regulating what is allowed or not allowed to pass through the D-Link Firewall, and if necessary, how address translations like NAT are applied. There are two possible approaches to how traffic trave[...]

  • Page 75

    3.5.3. IP Rule Actions A rule consists of two parts: the filtering parameters and the action to take if there is a match with those parameters. As described above, the parameters of any NetDefendOS rule, including IP rules are: • Source Interface • Source Network • Destination Interface • Destination Network • Service The Service in an IP[...]

  • Page 76

    Using Reject In certain situations the Reject action is recommended instead of the Drop action because a polite reply is required from NetDefendOS. An example of such a situation is when responding to the IDENT user identification protocol. 3.5.4. Editing IP rule set Entries After adding various rules to the rule set editing any line can be achieve[...]

  • Page 77

    3.6. Schedules In some scenarios, it might be useful to control not only what functionality is enabled, but also when that functionality is being used. For instance, the IT policy of an enterprise might stipulate that web traffic from a certain department is only allowed access outside that department during normal office hours. Another example mig[...]

  • Page 78

    • Action: NAT • Service: http • Schedule: OfficeHours • SourceInterface: lan • SourceNetwork lannet • DestinationInterface: any • DestinationNetwork: all-nets 4. Click OK 3.6. Schedules Chapter 3. Fundamentals 78[...]

  • Page 79

    3.7. X.509 Certificates NetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. This involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication. 3.7.1. Overview An X.509 certificate is a digital proof of identity. It links an identity to a pub[...]

  • Page 80

    has to be issued. Certificate Revocation Lists A Certificate Revocation List (CRL) contains a list of all certificates that have been cancelled before their expiration date. This can happen for several reasons. One reason could be that the keys of the certificate have been compromised in some way, or perhaps that the owner of the certificate has lo[...]

  • Page 81

    3. Now select one of the following: • Upload self-signed X.509 Certificate • Upload a remote certificate 4. Click OK and follow the instructions. Example 3.19. Associating X.509 Certificates with IPsec Tunnels To associate an imported certificate with an IPsec tunnel. Web Interface 1. Go to Interfaces > IPsec 2. Display the properties the IP[...]

  • Page 82

    3.8. Setting Date and Time Correctly setting the date and time is important for NetDefendOS to operate properly. Time scheduled policies, auto-update of the IDP and Anti-Virus databases, and other product features require that the system clock is accurately set. In addition, log messages are tagged with time-stamps in order to indicate when a speci[...]

  • Page 83

    Example 3.21. Setting the Time Zone To modify the NetDefendOS time zone to be GMT plus 1 hour, follow the steps outlined below: CLI gw-world:/> set DateTime Timezone=GMTplus1 Web Interface 1. Go to System > Date and Time 2. Select (GMT+01:00) in the Timezone drop-down list 3. Click OK Daylight Saving Time Many regions follow Daylight Saving T[...]

  • Page 84

    Time Synchronization Protocols are standardised methods for retrieving time information from external Time Servers. NetDefendOS supports the following time synchronization protocols: • SNTP - Defined by RFC 2030, The Simple Network Time Protocol (SNTP) is a lightweight implementation of NTP (RFC 1305). This is used by NetDefendOS to query NTP ser[...]

  • Page 85

    CLI gw-world:/> time -sync Attempting to synchronize system time... Server time: 2007-02-27 12:21:52 (UTC+00:00) Local time: 2007-02-27 12:24:30 (UTC+00:00) (diff: 158) Local time successfully changed to server time. Maximum Time Adjustment To avoid situations where a faulty Time Server causes the clock to be updated with a extremely inaccurate [...]

  • Page 86

    D-Link Time Servers Using D-Link's own Time Servers is an option in NetDefendOS and this is the recommended way of synchronizing the firewall clock. These servers communicate with NetDefendOS using the SNTP protocol. When the D-Link Server option is chosen, a pre-defined set of recommended default values for the synchronization are used. Examp[...]

  • Page 87

    3.9. DNS Lookup A DNS server can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. FQDNs are unambiguous textual domain names which specify a node's unique position in the Internet's DNS tree hierarchy. FQDN resolution allows the actual physical IP address to change while the FQDN can stay the same. A[...]

  • Page 88

    3.9. DNS Lookup Chapter 3. Fundamentals 88[...]

  • Page 89

    Chapter 4. Routing This chapter describes how to configure IP routing in NetDefendOS. • Overview, page 89 • Static Routing, page 90 • Policy-based Routing, page 98 • Dynamic Routing, page 103 • Multicast Routing, page 110 • Transparent Mode, page 119 4.1. Overview IP routing capabilities belong to the most fundamental functionalities of[...]

  • Page 90

    4.2. Static Routing The most basic form of routing is known as Static Routing . The term static refers to the fact that entries in the routing table are manually added and are therefore permanent (or static) by nature. Due to this manual approach, static routing is most appropriate to use in smaller network deployments where addresses are fairly fi[...]

  • Page 91

    4.2.2. Static Routing This section describes how routing is implemented in NetDefendOS, and how to configure static routing. NetDefendOS supports multiple routing tables. A default table called main is pre-defined and is always present in NetDefendOS. However, additional and completely separate routing tables can be defined by the administrator to [...]

  • Page 92

    Persistent Routes: None The corresponding routing table in NetDefendOS is similar to this: Flags Network Iface Gateway Local IP Metric ----- ------------------ -------- -------------- --------- ------ 192.168.0.0/24 lan 20 10.0.0.0/8 wan 1 0.0.0.0/0 wan 192.168.0.1 20 The NetDefendOS way of describing the routes is easier to read and understand. An[...]

  • Page 93

    213.124.165.0/24 wan 0 0.0.0.0/0 wan 213.124.165.1 0 Web Interface To see the configured routing table: 1. Go to Routing > Routing Tables 2. Select and right-click the main routing table in the grid 3. Choose Edit in the menu The main window will list the configured routes To see the active routing table, select the Routes item in the Status dro[...]

  • Page 94

    Web Interface 1. Select the Routes item in the Status dropdown menu in the menu bar 2. Check the Show all routes checkbox and click the Apply button 3. The main window will list the active routing table, including the core routes Tip For detailed information about the output of the CLI routes command. Please see the CLI Reference Guide. 4.2.3. Rout[...]

  • Page 95

    methods must be chosen: Interface Link Status NetDefendOS will monitor the link status of the interface specified in the route. As long as the interface is up, the route is diagnosed as healthy. This method is appropriate for monitoring that the interface is physically attached and that the cabling is working as expected. As any changes to the link[...]

  • Page 96

    automatically be transferred back to it. Route Interface Grouping When using route monitoring, it is important to check if a failover to another route will cause the routing interface to be changed. If this could happen, it is necessary to take some precautionary steps to ensure that policies and existing connections will be maintained. To illustra[...]

  • Page 97

    IP address of host B on another separate network. The proxy ARP feature means that NetDefendOS responds to this ARP request instead of host B. The NetDefendOS sends its own MAC address instead in reply, essentially pretending to be the target host. After receiving the reply, Host A then sends data directly to NetDefendOS which, acting as a proxy, f[...]

  • Page 98

    4.3. Policy-based Routing 4.3.1. Overview Policy-based Routing (PBR) is an extension to the standard routing described previously. It offers administrators significant flexibility in implementing routing decision policies by being able to define rules so alternative routing tables are used. Normal routing forwards packets according to destination I[...]

  • Page 99

    Policy-based Routing rule can be triggered by the type of Service (HTTP for example) in combination with the Source/Destination Interface and Source/Destination Network. When looking up Policy-based Rules, it is the first matching rule found that is triggered. 4.3.4. Policy-based Routing Table Selection When a packet corresponding to a new connecti[...]

  • Page 100

    interfaces. The first two options can be regarded as combining the alternate table with the main table and assigning one route if there is a match in both tables. Important - Ensuring all-nets appears in the main table. A common mistake with Policy-based routing is the absence of the default route with a destination interface of all-nets in the def[...]

  • Page 101

    Example 4.5. Policy Based Routing Configuration This example illustrates a multiple ISP scenario which is a common use of Policy-based Routing. The following is assumed: • Each ISP will give you an IP network from its network range. We will assume a 2-ISP scenario, with the network 10.10.10.0/24 belonging to "ISP A" and "20.20.20.0[...]

  • Page 102

    Note Rules in the above example are added for both inbound and outbound connections. 4.3.5. The Ordering parameter Chapter 4. Routing 102[...]

  • Page 103

    4.4. Dynamic Routing 4.4.1. Dynamic Routing overview Dynamic routing is different to static routing in that the D-Link Firewall will adapt to changes of network topology or traffic load automatically. NetDefendOS first learns of all the directly connected networks and gets further route information from other routers. Detected routes are sorted and[...]

  • Page 104

    Routing metrics are the criteria a routing algorithm uses to compute the "best" route to a destination. A routing protocol relies on one or several metrics to evaluate links across a network and to determine the optimal path. The principal metrics used include: Path length The sum of the costs associated with each link. A commonly used va[...]

  • Page 105

    to which they have an interface. ASBRs Routers that exchange routing information with routers in other Autonomous Systems are called Autonomous System Boundary Router (ASBRs). They advertise externally learned routes throughout the Autonomous System. Backbone Areas All OSPF networks need to have at least the backbone area, that is the area with ID [...]

  • Page 106

    in the routing table. This is commonly used to minimize the routing table. Virtual Links Virtual links are used for: • Linking an area that does not have a direct connection to the backbone. • Linking the backbone in case of a partitioned backbone. Areas without direct connection to the backbone The backbone always need to be the center of all [...]

  • Page 107

    common area in between. Figure 4.3. Virtual Links Example 2 The Virtual Link is configured between fw1 and fw2 on Area 1, as it is used as the transit area. In the configuration only the Router ID have to be configured, as in the example above show fw2 need to have a Virtual Link to fw1 with the Router ID 192.168.1.1 and vice versa. These VLinks ne[...]

  • Page 108

    In a dynamic routing environment, it is important for routers to be able to regulate to what extent they will participate in the routing exchange. It is not feasible to accept or trust all received routing information, and it might be crucial to avoid that parts of the routing database gets published to other routers. For this reason, NetDefendOS p[...]

  • Page 109

    gw-world:/ImportOSPFRoutes> add DynamicRoutingRuleAddRoute Destination=MainRoutingTable Web Interface 1. Go to Routing > Dynamic Routing Rules 2. Click on the recently created ImportOSPFRoutes 3. Go to OSPF Routing Action > Add > DynamicRountingRuleAddRoute 4. In Destination , add the main routing table to the Selected list 5. Click OK [...]

  • Page 110

    4.5. Multicast Routing 4.5.1. Overview Certain types of Internet interactions, such as conferencing and video broadcasts, require a single client or host to send the same packet to multiple receivers. This could be achieved through the sender duplicating the packet with different receiving IP addresses or by a broadcast of the packet across the Int[...]

  • Page 111

    The multiplex rule can operate in one of two modes: Use IGMP The traffic flow specififed by the multiplex rule must have been requested by hosts using IGMP before any multicast packets are forwarded through the specified interfaces. This is the default behaviour of NetDefendOS. Not using IGMP The traffic flow will be forwarded according to the spec[...]

  • Page 112

    Example 4.8. Forwarding of Multicast Traffic using the SAT Multiplex Rule In this example, we will create a multiplex rule in order to forward the multicast groups 239.192.10.0/24:1234 to the interfaces if1, if2 and if3. All groups have the same sender 192.168.10.1 which is located somwhere behind the wan interface. The multicast groups should only[...]

  • Page 113

    This scenario is based on the previous scenario but now we are going to translate the multicast group. When the multicast streams 239.192.10.0/24 are forwarded through the if2 interface, the multicast groups should be translated into 237.192.10.0/24 . No address translation should be made when forwarding through interface if1. The configuration of [...]

  • Page 114

    • Destination Interface: core • Destination Network: 239.192.10.0/24 4. Click the Address Translation tab 5. Add interface if1 but leave the IPAddress empty 6. Add interface if2 but this time, enter 237.192.10.0 as the IPAddress 7. Make sure the forwarded using IGMP checkbox is set 8. Click OK Note If address translation of the source address i[...]

  • Page 115

    Figure 4.7. Multicast Proxy In Snoop mode, the router will act transparently between the hosts and another IGMP router. It will not send any IGMP Queries. It will only forward queries and reports between the other router and the hosts. In Proxy mode, the router will act as an IGMP router towards the clients and actively send queries. Towards the up[...]

  • Page 116

    • Source Network: if1net, if2net, if3net • Destination Interface: core • Destination Network: auto • Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.0/24 4. Click OK B. Create the second IGMP Rule: 1. Again go to Routing > IGMP > IGMP Rules > Add > IGMP Rule 2. Under General enter: • Name: A suitable name for th[...]

  • Page 117

    • Name: A suitable name for the rule, eg. Reports_if1 • Type: Report • Action: Proxy • Output: wan (this is the relay interface) 3. Under Address Filter enter: • Source Interface: if1 • Source Network: if1net • Destination Interface: core • Destination Network: auto • Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.[...]

  • Page 118

    • Type: Report • Action: Proxy • Output: wan (this is the relay interface) 3. Under Address Filter enter: • Source Interface: if2 • Source Network: if2net • Destination Interface: core • Destination Network: auto • Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.0/24 4. Click OK B. Create the second IGMP Rule: 1. Agai[...]

  • Page 119

    4.6. Transparent Mode 4.6.1. Overview of Transparent Mode Deploying D-Link Firewalls operating in Transparent Mode into an existing network topology can significantly strengthen security. It is simple to do and doesn't require reconfiguration of existing nodes. Once deployed, NetDefendOS can then allow or deny access to different types of serv[...]

  • Page 120

    When beginning communication, a host will locate the target host's physical address by broadcasting an ARP request. This request is intercepted by NetDefendOS and it sets up an internal ARP Transaction State entry and broadcasts the ARP request to all the other switch-route interfaces except the interface the ARP request was received on. If Ne[...]

  • Page 121

    Figure 4.8. Transparent mode scenario 1 Example 4.13. Setting up Transparent Mode - Scenario 1 Web Interface Configure the interfaces: 1. Go to Interfaces > Ethernet > Edit (wan) 2. Now enter: • IP Address: 10.0.0.1 • Network: 10.0.0.0/24 • Default Gateway: 10.0.0.1 • Transparent Mode: Enable 3. Click OK 4. Go to Interfaces > Ether[...]

  • Page 122

    • Destination Interface: any • Source Network: 10.0.0.0/24 • Destination Network: all-nets (0.0.0.0/0) 3. Click OK Scenario 2 Here the D-Link Firewall in Transparent Mode separates server resources from an internal network by connecting them to a separate interface without the need for different address ranges. Figure 4.9. Transparent mode sc[...]

  • Page 123

    Switch Route: Similar as shown in the previous example. Set up the switch route with the new interface group created earlier. Configure the rules: 1. Go to Rules > New Rule 2. The Rule Properties dialog will be displayed 3. Specify a suitable name for the rule, for instance HTTP-LAN-to-DMZ 4. Enter following: • Action: Allow • Source Interfa[...]

  • Page 124

    1. Go to Interfaces > Ethernet > Edit (lan) 2. Now enter: • IP Address: 10.0.0.1 • Network: 10.0.0.0/24 • Transparent Mode: Disable • Add route for interface network: Disable 3. Click OK 4. Go to Interfaces > Ethernet > Edit (dmz) 5. Now enter: • IP Address: 10.0.0.2 • Network: 10.0.0.0/24 • Transparent Mode: Disable • A[...]

  • Page 125

    3. Click OK 4. Go to Rules > IP Rules > Add > IPRule 5. Now enter: • Name: HTTP-WAN-to-DMZ • Action: SAT • Service: http • Source Interface: wan • Destination Interface: dmz • Source Network: all-nets • Destination Network: wan_ip • Translate: Select Destination IP • New IP Address: 10.1.4.10 6. Click OK 7. Go to Rules &g[...]

  • Page 126

    4.6.6. Transparent Mode Scenarios Chapter 4. Routing 126[...]

  • Page 127

    Chapter 5. DHCP Services This chapter describes DHCP services in NetDefendOS. • Overview, page 127 • DHCP Servers, page 128 • Static DHCP Assignment, page 130 • DHCP Relaying, page 131 • IP Pools, page 132 5.1. Overview DHCP (Dynamic Host Configuration Protocol) is a protocol that allows network administrators to automatically assign IP n[...]

  • Page 128

    5.2. DHCP Servers NetDefendOS has the ability to act as one or more logical DHCP servers. Filtering of DHCP client requests is based on interface, so each NetDefendOS interface can have, at most, one single logical DHCP server associated with it. In other words, NetDefendOS can provision DHCP clients using different address ranges depending on what[...]

  • Page 129

    Example 5.2. Checking the status of a DHCP server Web Interface Go to Status > DHCP Server in the menu bar. CLI To see the status of all servers: gw-world:/> dhcpserver To list all configured servers: gw-world:/> show dhcpserver Tip DHCP leases are remembered by the system between system restarts. 5.2. DHCP Servers Chapter 5. DHCP Services[...]

  • Page 130

    5.3. Static DHCP Assignment Where the administrator requires a fixed relationship between a client and the assigned IP address, NetDefendOS allows the assignment of a given IP to a specific MAC address. Example 5.3. Setting up Static DHCP This example shows how to assign the IP address 192.168.1.1 to the MAC address 00-90-12-13-14-15 . The examples[...]

  • Page 131

    5.4. DHCP Relaying With DHCP, clients send requests to locate the DHCP server(s) using broadcast messages. However, broadcasts are normally only propagated across the local network. This means that the DHCP server and client would always need to be in the same physical network area to be able to communicate. In a large Internet-like environment, th[...]

  • Page 132

    5.5. IP Pools Overview IP pools are used to offer other subsystems access to a cache of DHCP IP addresses. These addresses are gathered into a pool by internally maintaining a series of DHCP clients (one per IP). The DHCP servers used by a pool can either be external or be DHCP servers defined in NetDefendOS itself. External DHCP servers can be spe[...]

  • Page 133

    greater than the prefetch parameter. The pool will start releasing (giving back IPs to the DHCP server) when the number of free clients exceeds this value. Maximum clients Optional setting used to specify the maximum number of clients (IPs) allowed in the pool. Using Prefetched Leases As mentioned in the previous section, the Prefetched Leases opti[...]

  • Page 134

    5.5. IP Pools Chapter 5. DHCP Services 134[...]

  • Page 135

    Chapter 6. Security Mechanisms This chapter describes NetDefendOS security features. • Access Rules, page 135 • Application Layer Gateways, page 138 • Web Content Filtering, page 169 • Anti-Virus Scanning, page 183 • Intrusion Detection and Prevention, page 188 • Denial-Of-Service (DoS) Attacks, page 198 • Blacklisting Hosts and Netwo[...]

  • Page 136

    VPNs provide one means of avoiding spoofing but where a VPN is not an appropriate solution then Access Rules can provide an anti-spoofing capability by providing an extra filter for source address verification. An Access Rule can verify that packets arriving at a given interface do not have a source address which is associated with a network of ano[...]

  • Page 137

    Example 6.1. Setting up an Access Rule A rule is to be defined that ensures no traffic with a source address not within the lannet network is received on the lan interface. CLI gw-world:/> add Access Name=lan_Access Interface=lan Network=lannet Action=Except Web Interface 1. Go to Rules > Access 2. Select Access Rule in the Add menu . 3. Now [...]

  • Page 138

    6.2. Application Layer Gateways 6.2.1. Overview To complement low-level packet filtering, which only inspects packet headers in protocols such IP, TCP, UDP, and ICMP, D-Link Firewalls provide Application Layer Gateways (ALGs) which provide filtering at the higher application OSI level. An ALG object acts as a mediator in accessing commonly used Int[...]

  • Page 139

    ALGs and Syn Flood Protection It should be noted that user-defined custom Service objects have the option to enable Syn Flood Protection , a feature which specifically targets Syn Flood attacks. If this option is enabled for a Service object then any ALG associated with that Service will not be used. 6.2.2. HTTP Hyper Text Transfer Protocol (HTTP) [...]

  • Page 140

    • Block Selected means that those filetypes marked will be automatically blocked as downloads. A file's contents will be analyzed to identify the correct filetype. If, for example, a file is found to contain .exe data but the the filetype is not .exe then the file will be blocked if .exe files are blocked. Blocking is the default action take[...]

  • Page 141

    client on the internal network connects through the firewall to an FTP server on the Internet. The IP rule is then configured to allow network traffic from the FTP client to port 21 on the FTP server. When active mode is used, NetDefendOS is not aware that the FTP server will establish a new connection back to the FTP client. Therefore, the incomin[...]

  • Page 142

    To make it possible to connect to this server from the Internet using the FTP ALG, the FTP ALG and rules should be configured as follows: Web Interface A. Define the ALG: 1. Go to Objects > ALG > Add > FTP ALG 2. Enter Name: ftp-inbound 3. Check Allow client to use active mode 4. Uncheck Allow server to use passive mode 5. Click OK B. Defi[...]

  • Page 143

    2. Now enter: • Name: SAT-ftp-inbound • Action: SAT • Service: ftp-inbound 3. For Address Filter enter: • Source Interface: any • Destination Interface: core • Source Network: all-nets • Destination Network: wan_ip (assuming the external interface has been defined as this) 4. For SAT check Translate the Destination IP Address 5. Enter[...]

  • Page 144

    4. Click OK Example 6.3. Protecting FTP Clients In this scenario shown below the D-Link Firewall is protecting a workstation that will connect to FTP servers on the Internet. To make it possible to connect to these servers from the internal network using the FTP ALG, the FTP ALG and rules should be configured as follows: Web Interface A. Create the[...]

  • Page 145

    • Destination: 21 (the port the ftp server resides on) • ALG: select the newly created ftp-outbound 3. Click OK Rules (Using Public IPs). The following rule needs to be added to the IP rules if using public IP's; make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules. The service in use is th[...]

  • Page 146

    TFTP is widely used in enterprise environments for updating software and backing up configurations on network devices. TFTP is recognised as being an inherently insecure protocol and its usage is often confined to internal networks. The NetDefendOS ALG provides an extra layer of security to TFTP in being able to put restrictions on its use. General[...]

  • Page 147

    Email Rate Limiting A maximum allowable rate of email messages can be specified. Email Size Limiting A maximum allowable size of email messages can be specified. This feature counts the total amount of bytes sent for a single email which is the header size plus body size plus the size of any email attachments after they are encoded. It should be ke[...]

  • Page 148

    When the NetDefendOS SPAM filtering function is configured, the IP address of the email's sending server can be sent to one or more DNSBL servers to find out if any DNSBL servers think it is from a spammer or not (NetDefendOS examines the IP packet headers to do this). The reply sent back by a server is either a not listed response or a listed[...]

  • Page 149

    Buy this stock today! And if the tag text is defined to be " *** SPAM *** ", then the modified email's Subject field will become: *** SPAM *** Buy this stock today! And this is what the email's recipient will see in the summary of their inbox contents. The individual user could then decide to set up their own filters in the loca[...]

  • Page 150

    Logging There are three types of logging done by the SPAM filtering module: • Logging of dropped or SPAM tagged emails - These log messages include the source email address and IP as well as its weighted points score and which DNSBLs caused the event. • DNSBLs not responding - DNSBL query timeouts are logged. • All defined DNBSLs stop respond[...]

  • Page 151

    gw-world:/> dnsbl DNSBL Contexts: Name Status Spam Drop Accept ------------------------ -------- -------- -------- -------- my_smtp_alg active 156 65 34299 alt_smtp_alg inactive 0 0 0 The -show option provides a summary of the SPAM filtering operation of a specific ALG. gw-world:/> dnsbl my_smtp_alg -show DNSBL used by ALG my_smtp_alg Drop Th[...]

  • Page 152

    Hide User This option prevents the POP3 server from revealing that a username does not exist. This prevents users from trying different usernames until they find a valid one. Allow Unknown Commands Non-standard POP3 commands not recognised by the ALG can be allowed or disallowed. Fail Mode When content scanning find bad file integrity then the file[...]

  • Page 153

    VOIP see also Section 6.2.8, “H.323”.) SIP Components The following components are the logical building blocks for SIP communication: User Agents These are the end points or "peers" that are involved in the peer-to-peer communication. These would typically be the workstation or device used in an IP telephony conversation. The word pee[...]

  • Page 154

    Maximum Sessions per ID The number of simultaneous sessions that a single peer can be involved with is restricted by this value. The default number is 5 . Maximum Registration Time The maximum time for registration with a SIP Registrar. The default value is 3600 seconds. SIP Request-Response Timeout The maximum time allowed for responses to SIP req[...]

  • Page 155

    • A NAT rule for outbound traffic from user agents on the internal network to the SIP Proxy Server located externally. The SIP ALG will take care of all address translation needed by the NAT rule. This translation will occur both on the IP level and the application level. Neither the user agents or the proxies need to be aware that the local user[...]

  • Page 156

    Gateways An H.323 gateway connects two dissimilar networks and translates traffic between them. It provides connectivity between H.323 networks and non-H.323 networks such as public switched telephone networks (PSTN), translating protocols and converting media them. A gateway is not required for communication between two H.323 terminals. Gatekeeper[...]

  • Page 157

    • The H.323 ALG supports version 5 of the H.323 specification. This specification is built upon H.225.0 v5 and H.245 v10. • In addition to support voice and video calls, the H.323 ALG supports application sharing over the T.120 protocol. T.120 uses TCP to transport data while voice and video is transported over UDP. • To support gatekeepers, [...]

  • Page 158

    Web Interface Outgoing Rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323AllowOut • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing calls 3. Click OK Incoming Rule: 1. Go t[...]

  • Page 159

    Example 6.5. H.323 with private IP addresses In this scenario a H.323 phone is connected to the D-Link Firewall on a network with private IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules. The following ru[...]

  • Page 160

    • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: Allow incoming calls to H.323 phone at ip-phone 3. Click OK To place a call to the phone behind the D-Link Firewall, place a call to the external IP address on the firewall. If multiple H.323 phones are[...]

  • Page 161

    1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323AllowIn • Action: Allow • Service: H323 • Source Interface: any • Destination Interface: lan • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: lannet • Comment: Allow incoming calls 3. Click OK Example 6.7. Using Private IP Addresses This scenari[...]

  • Page 162

    • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: Allow incoming calls to H.323 phone at ip-phone 3. For SAT enter Translate Destination IP Address: To New IP Address: ip-phone (IP address of phone) 4. Click OK 1. Go to Rules > IP Rules > Add >[...]

  • Page 163

    Web Interface Incoming Gatekeeper Rules: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323In • Action: SAT • Service: H323-Gatekeeper • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: SAT rule [...]

  • Page 164

    Note There is no need to specify a specific rule for outgoing calls. NetDefendOS monitors the communication between "external" phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper. Example 6.9. H.323 with Gatekeeper and two D-Link Firewalls This [...]

  • Page 165

    is possible for internal phones to call the external phones that are registered with the gatekeeper. Example 6.10. Using the H.323 ALG in a Corporate Environment This scenario is an example of a more complex network that shows how the H.323 ALG can be deployed in a corporate environment. At the head office DMZ a H.323 Gatekeeper is placed that can [...]

  • Page 166

    • Comment: Allow H.323 entities on lannet to connect to the Gatekeeper 3. Click OK 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: LanToGK • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gateway • Comment: Allow H.323 en[...]

  • Page 167

    1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: BranchToGW • Action: Allow • Service: H323-Gatekeeper • Source Interface: vpn-remote • Destination Interface: dmz • Source Network: remote-net • Destination Network: ip-gatekeeper • Comment: Allow communication with the Gatekeeper on DMZ from the Remote network [...]

  • Page 168

    • Service: H323-Gatekeeper • Source Interface: dmz • Destination Interface: vpn-hq • Source Network: ip-branchgw • Destination Network: hq-net • Comment: Allow the Gateway to communicate with the Gatekeeper connected to the Head Office 3. Click OK Note There is no need to specify a specific rule for outgoing calls. NetDefendOS monitors [...]

  • Page 169

    6.3. Web Content Filtering 6.3.1. Overview Web traffic is one of the biggest sources for security issues and misuse of the Internet. Inappropriate surfing habits can expose a network to many security threats as well as legal and regulatory liabilities. Productivity and Internet bandwidth can also be impaired. NetDefendOS provides three mechanisms f[...]

  • Page 170

    Example 6.13. Stripping ActiveX and Java applets This example shows how to configure a HTTP Application Layer Gateway to strip ActiveX and Java applets. The example will use the content_filtering ALG object and presumes you have done one of the previous examples. CLI gw-world:/> set ALG ALG_HTTP content_filtering RemoveActiveX=Yes RemoveApplets=[...]

  • Page 171

    Note Web content filtering URL blacklisting is a separate concept from Section 6.7, “Blacklisting Hosts and Networks”. Example 6.14. Setting up a white and blacklist This example shows the use of static content filtering where NetDefendOS can block or permit certain web pages based on blacklists and whitelists. As the usability of static conten[...]

  • Page 172

    6.3.4. Dynamic Web Content Filtering Overview NetDefendOS supports Dynamic Web Content Filtering (WCF) of web traffic, which enables an administrator to permit or block access to web pages based on the content of those web pages. This functionality is automated and it is not necessary to manually specify which URLs to block or allow. Instead, D-Lin[...]

  • Page 173

    Note New, uncategorized URLs sent to the D-Link network are treated as anonymous submissions and no record of the source of new submissions is kept. Categorizing Pages and Not Sites NetDefendOS dynamic filtering categorizes web pages and not sites. In other words, a web site may contain particular pages that should be blocked without blocking the e[...]

  • Page 174

    5. In the Blocked Categories list, select Search Sites and click the >> button. 6. Click OK Then, create a Service object using the new HTTP ALG: 1. Go to Local Objects > Services > Add > TCP/UDP service 2. Specify a suitable name for the Service, eg. http_content_filtering 3. Select the TCP in the Type dropdown list 4. Enter 80 in t[...]

  • Page 175

    FilteringCategories=SEARCH_SITES Web Interface First, create an HTTP Application Layer Gateway (ALG) Object: 1. Go to Objects > ALG > Add > HTTP ALG 2. Specify a suitable name for the ALG, eg. content_filtering 3. Click the Web Content Filtering tab 4. Select Audit in the Mode list 5. In the Blocked Categories list, select Search Sites and[...]

  • Page 176

    Example 6.17. Reclassifying a blocked site This example shows how a user may propose a reclassification of a web site if he believes it is wrongly classified. This mechanism is enabled on a per-HTTP ALG level basis. CLI First, create an HTTP Application Layer Gateway (ALG) Object: gw-world:/> add ALG ALG_HTTP content_filtering WebContentFilterin[...]

  • Page 177

    Category 2: News A web site may be classified under the News category if its content includes information articles on recent events pertaining to topics surrounding a locality (for example, town, city or nation) or culture, including weather forecasting information. Typically this would include most real-time online news publications and technology[...]

  • Page 178

    • www.buy-alcohol.se Category 7: Entertainment A web site may be classified under the Entertainment category if its content includes any general form of entertainment that is not specifically covered by another category. Some examples of this are music sites, movies, hobbies, special interest, and fan clubs. This category also includes personal w[...]

  • Page 179

    • www.loadsofmoney.com.au • www.putsandcalls.com Category 12: E-Banking A web site may be classified under the E-Banking category if its content includes electronic banking information or services. This category does not include Investment related content; refer to the Investment Sites category (11). Examples might be: • www.nateast.co.uk •[...]

  • Page 180

    Category 17: www-Email Sites A web site may be classified under the www-Email Sites category if its content includes online, web-based email facilities. Examples might be: • www.coldmail.com • mail.yazoo.com Category 18: Violence / Undesirable A web site may be classified under the Violence / Undesirable category if its contents are extremely v[...]

  • Page 181

    Examples might be: • www.sierra.org • www.walkingclub.org Category 23: Music Downloads A web site may be classified under the Music Downloads category if it provides online music downloading, uploading and sharing facilities as well as high bandwidth audio streaming. Examples might be: • www.onlymp3s.com • www.mp3space.com Category 24: Busi[...]

  • Page 182

    A web site may be classified under the Drugs/Alcohol category if its content includes drug and alcohol related information or services. Some URLs categorised under this category may also be categorised under the Health category. Examples might be: • www.the-cocktail-guide.com • www.stiffdrinks.com Category 29: Computing/IT A web site may be cla[...]

  • Page 183

    6.4. Anti-Virus Scanning 6.4.1. Overview The NetDefendOS Anti-Virus module protects against malicious code carried in file downloads. Files may be downloaded as part of a web-page in an HTTP transfer, in an FTP download, or perhaps as an attachment to an email delivered through SMTP. Malicious code in such downloads can have different intents rangi[...]

  • Page 184

    D-Link Firewall. However, the available free memory can place a limit on the number of concurrent scans that can be initiated. The administrator can increase the default amount of free memory available to Anti-Virus scanning through changing the AVSE_MAXMEMORY advanced setting. This setting specifies what percentage of total memory is to be used fo[...]

  • Page 185

    1. General options Mode This must be one of: A. Enabled which means Anti-Virus is active. B. Audit which means it is active but logging will be the only action. Fail mode behaviour If a virus scan fails for any reason then the transfer can be dropped or allowed, with the event being logged. 2. File Type Blocking/Allowing Action When a particular do[...]

  • Page 186

    Enabling of this function is recommended to make sure this form of attack cannot allow a virus to get through. The possible MIME types that can be checked are listed in Appendix C, Checked MIME filetypes . Setting the Correct System Time It is important that a NetDefendOS has the correct system time set if the auto-update feature in the Anti-Virus [...]

  • Page 187

    1. Go to Objects > ALG > Add > HTTP ALG 2. Specify a suitable name for the ALG, for instance anti_virus 3. Click the Antivirus tab 4. Select Protect in the Mode dropdown list 5. Click OK B. Then, create a Service object using the new HTTP ALG: 1. Go to Local Objects > Services > Add > TCP/UDP service 2. Specify a suitable name for[...]

  • Page 188

    6.5. Intrusion Detection and Prevention 6.5.1. Overview Intrusion Definition Computer servers can sometimes have vulnerabilites which leave them exposed to attacks carried by network traffic. Worms, trojans and backdoor exploits are examples of such attacks which, if successful, can potentially compromise or take control of a server. A generic term[...]

  • Page 189

    DFL-210/800/1600/2500 firewalls. This is a simplfied IDP that gives basic protection against attacks. It is upgradeable to the professional level Advanced IDP . • Advanced IDP is a subscription based IDP system with a much broader range of database signatures for professional installations. It is available on all D-Link firewalls. Maintenance IDP[...]

  • Page 190

    The console command > updatecenter -status will show the current status of the auto-update feature. This can also be done through the WebUI. Updating in High Availability Clusters Updating the IDP databases for both the D-Link Firewalls in an HA Cluster is performed automatically by NetDefendOS. In a cluster there is always an active unit and an[...]

  • Page 191

    The option exists in NetDefendOS IDP to look for intrusions in all traffic, even the packets that are rejected by the IP rule set check for new connections, as well as packets that are not part of an existing connection. This provides the firewall administrator with a way to detect any traffic that appears to be an intrusion. With this option the o[...]

  • Page 192

    • Increasing throughput - Where the highest throughout possible is desirable, then turning the option off, can provide a slight increase in processing speed. • Excessive False Positives - If there is evidence of an unusually high level of Insertion/Evasion false positives then disabling the option may be prudent while the false positive causes [...]

  • Page 193

    Using Groups Usually, several lines of attacks exist for a specific protocol, and it is best to search for all of them at the same time when analyzing network traffic. To do this, signatures related to a particular protocol are grouped together. For example, all signatures that refer to the FTP protocol form a group. It is best to specify a group t[...]

  • Page 194

    group name. Caution against using too many IDP signatures Do not use the entire signature database and avoid using signatures and signature groups unecessarily. Instead, use only those signatures or groups applicable to the type of traffic you are trying to protect. For instance, using IDS_WEB*, IPS_WEB*, IDS_HTTP* and IPS_HTTP* IDP groups would be[...]

  • Page 195

    triggered. At least one new event occurs within the Hold Time of 120 seconds, thus reaching the log threshold level (at least 2 events have occurred). This results in an email being sent containing a summary of the IDP events. Several more IDP events may occur after this, but to prevent flooding the mail server, NetDefendOS will wait 600 seconds (e[...]

  • Page 196

    CLI Create IDP Rule: gw-world:/> add IDPRule Service=smtp SourceInterface=wan SourceNetwork=wannet DestinationInterface=dmz DestinationNetwork=ip_mailserver Name=IDPMailSrvRule Create IDP Action: gw-world:/> cc IDPRule IDPMailSrvRule gw-world:/IDPMailSrvRule> add IDPRuleAction Action=Protect IDPServity=All Signatures=IPS_MAIL_SMTP Web Inte[...]

  • Page 197

    When this IDP Rule has been created, an action must also be created, specifying what signatures the IDP should use when scanning data matching the IDP Rule, and what NetDefendOS should do in case an intrusion is discovered. Intrusion attempts should cause the connection to be dropped, so Action is set to Protect . Severity is set to Attack , in ord[...]

  • Page 198

    6.6. Denial-Of-Service (DoS) Attacks 6.6.1. Overview By embracing the Internet, enterprises experience new business opportunities and growth. The enterprise network and the applications that run over it are business critical. Not only can a company reach a larger number of customers via the Internet, it can serve them faster and more efficiently. A[...]

  • Page 199

    to run "ping -l 65510 1.2.3.4" on a Windows 95 system where 1.2.3.4 is the IP address of the intended victim. "Jolt" is simply a purpose-written program for generating such packets on operating systems whose ping commands refuse to generate oversized packets. The triggering factor is that the last fragment makes the total packet[...]

  • Page 200

    services expected to only serve the local network. • By stripping the URG bit by default from all TCP segments traversing the system (configurable via Advanced Settings > TCP > TCPUrg ). WinNuke attacks will usually show up in NetDefendOS logs as normal drops with the name of the rule in your policy that disallowed the connection attempt. F[...]

  • Page 201

    The Traffic Shaping feature built into NetDefendOS also help absorb some of the flood before it reaches protected servers. 6.6.8. TCP SYN Flood Attacks The TCP SYN Flood attack works by sending large amounts of TCP SYN packets to a given port and then not responding to SYN ACKs sent in response. This will tie up local TCP stack resources on the vic[...]

  • Page 202

    6.7. Blacklisting Hosts and Networks NetDefendOS implements a Blacklist of host or network IP addresses which can be utilized to protect against traffic coming from specific Internet sources. Certain NetDefendOS modules, specifically the Intrusion Detection and Prevention (IDP) module, as well as Threshold Rules, can make use of the Blacklist when [...]

  • Page 203

    6.7. Blacklisting Hosts and Networks Chapter 6. Security Mechanisms 203[...]

  • Page 204

    Chapter 7. Address Translation This chapter describes NetDefendOS address translation capabilities. • Dynamic Network Address Translation, page 204 • NAT Pools, page 207 • Static Address Translation, page 210 The ability of NetDefendOS to change the IP address of packets as they pass through a D-Link Firewall is known as address translation .[...]

  • Page 205

    Publish entry configured for the egress interface. Otherwise, the return traffic will not be received by the D-Link Firewall. The following example illustrates how NAT is applied in practice on a new connection: 1. The sender, for example 192.168.1.5, sends a packet from a dynamically assigned port, for instance, port 1038, to a server, for example[...]

  • Page 206

    Protocols Handled by NAT Dynamic address translation is able to deal with the TCP, UDP and ICMP protocols with a good level of functionality since the algorithm knows which values can be adjusted to become unique in the three protocols. For other IP level protocols, unique connections are identified by their sender addresses, destination addresses [...]

  • Page 207

    7.2. NAT Pools Overview As discussed in Section 7.1, “Dynamic Network Address Translation”, NAT provides a way to have multiple internal clients and hosts with unique private internal IP addresses communicate to remote hosts through a single external public IP address. When multiple public external IP addresses are available then a NAT Pool obj[...]

  • Page 208

    Stateless NAT Pools The Stateless option means that no state table is maintained and the external IP address chosen for each new connection is the one that has the least connections already allocated to it. This means two connections between one internal host to the same external host may use two different external IP addresses. The advantage of a [...]

  • Page 209

    2. Specify a suitable name for the IP range nat_pool_range 3. Enter 10.6.13.10-10.16.13.15 in the IP Address textbox (a network eg 10.6.13.0/24 could be used here - the 0 and 255 addresses will be automatically removed) 4. Click OK B. Next create a Stateful NAT Pool object called stateful_natpool : 1. Go to Objects > NAT Pools > Add > NAT [...]

  • Page 210

    7.3. Static Address Translation NetDefendOS can translate entire ranges of IP addresses and/or ports. Such translations are transpositions, that is, each address or port is mapped to a corresponding address or port in the new range, rather than translating them all to the same address or port. This functionality is known as Static Address Translati[...]

  • Page 211

    Then create a corresponding Allow rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Specify a suitable name for the rule, eg. Allow_HTTP_To_DMZ 3. Now enter: • Action: Allow • Service: http • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: wan_ip 4. Under the Service tab, se[...]

  • Page 212

    # Action Src Iface Src Net Dest Iface Dest Net Parameters 3 Allow ext2 ext2net core wan_ip http 4 NAT lan lannet any all-nets All This increases the number of rules for each interface allowed to communicate with the web server. However, the rule ordering is unimportant, which may help avoid errors. If option 2 was selected, the rule set must be adj[...]

  • Page 213

    • NetDefendOS translates the address in accordance with rule 1 and forwards the packet in accordance with rule 2: 10.0.0.3:1038 => 10.0.0.2:80 • wwwsrv processes the packet and replies: 10.0.0.2:80 => 10.0.0.3:1038 This reply arrives directly to PC1 without passing through the D-Link Firewall. This causes problems. The reason this will no[...]

  • Page 214

    An example of when this is useful is when having several protected servers in a DMZ, and where each server should be accessible using a unique public IP address. Example 7.5. Translating Traffic to Multiple Protected Web Servers In this example, we will create a SAT policy that will translate and allow connections from the Internet to five web serv[...]

  • Page 215

    4. Click OK Publish the public adresses in the wan interface using ARP publish. One ARP item is needed for every IP address: 1. Go to Interfaces > ARP > Add > ARP 2. Now enter: • Mode: Publish • Interface: wan • IP Address: 195.55.66.77 3. Click OK and repeat for all 5 public IP addresses Create a SAT rule for the translation: 1. Go [...]

  • Page 216

    NetDefendOS can be used to translate ranges and/or groups into just one IP address. # Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any all-nets core 194.1.2.16-194.1.2.20, 194.1.2.30 http SETDEST all-to-one 192.168.0.50 80 This rule produces a N:1 translation of all addresses in the group (the range 194.1.2.16 - 194.1.2.20 and 194.[...]

  • Page 217

    configuration. There is no definitive list of what protocols that can or cannot be address translated. A general rule is that VPN protocols cannot usually be translated. In addition, protocols that open secondary connections in addition to the initial connection can be difficult to translate. Some protocols that are difficult to address translate m[...]

  • Page 218

    # Action Src Iface Src Net Dest Iface Dest Net Parameters 5 NAT lan lannet any all-nets All What happens now? • External traffic to wan_ip:80 will match rules 1 and 3, and will be sent to wwwsrv. Correct. • Return traffic from wwwsrv:80 will match rules 2 and 4, and will appear to be sent from wan_ip:80. Correct. • Internal traffic to wan_ip:[...]

  • Page 219

    7.3.7. SAT and FwdFast Rules Chapter 7. Address Translation 219[...]

  • Page 220

    Chapter 8. User Authentication This chapter describes how NetDefendOS implements user authentication. • Overview, page 220 • Authentication Setup, page 221 8.1. Overview In situations where individual users connect to protected resources through a D-Link Firewall, the administrator will often require that each user goes through a process of aut[...]

  • Page 221

    8.2. Authentication Setup 8.2.1. Setup Summary The following list summarizes the steps for User Authentication setup with NetDefendOS: • Set up a database of users, each with a username/password combination. This can exist locally in a NetDefendOS User DB object, or remotely on a RADIUS server and will be designated as the Authentication Source .[...]

  • Page 222

    NetDefendOS acts as a RADIUS client, sending user credentials and connection parameter information as a RADIUS message to a nominated RADIUS server. The server processes the requests and sends back a RADIUS message to accept or deny them. One or more external servers can be defined in NetDefendOS. RADIUS Security To provide security, a common share[...]

  • Page 223

    combination. • Allow only one login per username. • Allow one login per username and logout an existing user with the same name if they have been idle for a specific length of time when the new login occurs. 8.2.5. Authentication Processing The list below describes the processing flow through NetDefendOS for username/password authentication: 1.[...]

  • Page 224

    Changing the Management WebUI Port HTTP authentication will collide with the WebUI's remote management service which also uses TCP port 80. To avoid this, the WebUI port number should be changed before configuring authentication. Do this by going to Remote Management > Advanced Settings in the WebUI and changing the setting WebUI HTTP Port [...]

  • Page 225

    Action Src Interface Src Network Dest Interface Dest Network Service 1 Allow lan lannet core lan_ip http-all 2 NAT lan trusted_users wan all-nets http-all 3 NAT lan lannet wan all-nets dns-all 4 SAT lan lannet wan all-nets all-to-one 127.0.0.1 http-all 5 Allow lan lannet wan all-nets http-all The SAT rule catches all unauthenticated requests and mu[...]

  • Page 226

    Example 8.1. Creating an authentication user group In the example of an authentication address object in the Address Book, a user group "users" is used to enable user authentication on "lannet". This example shows how to configure the user group in the NetDefendOS database. Web Interface Step A 1. Go to User Authentication > [...]

  • Page 227

    • Source Network: lannet • Destination Interface core • Destination Network lan_ip 3. Click OK B. Set up the Authentication Rule 1. Go to User Authentication > User Authentication Rules > Add > User Authentication Rule 2. Now enter: • Name: HTTPLogin • Agent: HTTP • Authentication Source: Local • Interface: lan • Originator[...]

  • Page 228

    d. Port: 1812 (RADIUS service uses UDP port 1812 by default) e. Retry Timeout: 2 (NetDefendOS will resend the authentication request to the sever if there is no response after the timeout, for example every 2 seconds. This will be retried a maximum of 3 times) f. Shared Secret: Enter a text string here for basic encryption of the RADIUS messages. g[...]

  • Page 229

    Chapter 9. VPN This chapter describes VPN usage with NetDefendOS. • Overview, page 229 • VPN Quickstart Guide, page 231 • IPsec, page 240 • IPsec Tunnels, page 253 • PPTP/L2TP, page 260 9.1. Overview 9.1.1. The Need for VPNs Most networks are connected to each other through the Internet. Business increasingly utilizes the Internet since i[...]

  • Page 230

    • Protecting mobile and home computers • Restricting access through the VPN to needed services only, since mobile computers are vulnerable • Creating DMZs for services that need to be shared with other companies through VPNs • Adapting VPN access policies for different groups of users • Creating key distribution policies A common misconce[...]

  • Page 231

    9.2. VPN Quickstart Guide Later sections in this chapter will explore VPN components in detail. To help put those later sections in context, this section is a quickstart summary of the key steps in VPN setup. It outlines the individual steps in setting up VPNs for the most common VPN scenarios. These are: • IPsec LAN to LAN with Pre-shared Keys ?[...]

  • Page 232

    the Destination Interface . The rule's Destination Network is the remote network remote_net . • An Allow rule for inbound traffic that has the previously defined ipsec_tunnel object as the Source Interface . The Source Network is remote_net . Action Src Interface Src Network Dest Interface Dest Network Service Allow lan lannet ipsec_tunnel r[...]

  • Page 233

    Authentication section of an IP object. If that IP object is then used as the Source Network of a rule in the IP rule set, that rule will only apply to a user if their Group string matches the Group string of the IP object. (note: Group has no meaning in Authentication Rule s). • Create a new User Authentication Rule with the Authentication Sourc[...]

  • Page 234

    • Create a Config Mode Pool object (there can only be one associated with a NetDefendOS installation) and associate with it the IP Pool object defined in the previous step. • Enable the IKE Config Mode option in the IPsec Tunnel object ipsec_tunnel . Configuring the IPsec Client In both cases (A) and (B) above the IPsec client will need to conf[...]

  • Page 235

    3. Define a Pre-shared Key for the IPsec tunnel. 4. Define an IPsec Tunnel object (let's call this object ipsec_tunnel ) with the following parameters: • Set Local Network to ip_ext (specify all-nets instead if NetDefendOS is behind a NATing device). • Set Remote Network to all-nets • Set Remote Gateway to none • For Authentication sel[...]

  • Page 236

    Action Src Interface Src Network Dest Interface Dest Network Service Allow l2tp_tunnel l2tp_pool any int_net All NAT ipsec_tunnel l2tp_pool ext all-nets All The second rule would be included to allow clients to surf the Internet via the ext interface on the D-Link Firewall. The client will be allocated a private internal IP address which must be NA[...]

  • Page 237

    • An int_net object which is the internal network from which the addresses come. • An ip_int object which is the internal IP address of the interface connected to the internal network. let's assume this interface is int . • An ip_ext object which is the external public address which clients will connect to (let's assume this is on t[...]

  • Page 238

    • If certificates have been used, check that the correct certificates have been used and that they haven't expired. • Use ICMP Ping to confirm that the tunnel is working. With roaming clients this is best done by Pinging the internal IP address of the local network interface on the D-Link Firewall from a client (in LAN to LAN setups pingin[...]

  • Page 239

    IPsec Tunnel Local Net Remote Net Remote GW ------------ -------------- ------------ ------------- L2TP_IPSec 214.237.225.43 84.13.193.179 84.13.193.179 IPsec_Tun1 192.168.0.0/24 172.16.1.0/24 82.242.91.203 To examine the first IKE negotiation phase of tunnel setup use: > ipsecstat -ike To get complete details of tunnel setup use: > ipsecstat[...]

  • Page 240

    9.3. IPsec 9.3.1. Overview Internet Protocol Security (IPsec), is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP security at the network layer. An IPsec based VPN is made up by two parts: • Internet Key Exchange protocol (IKE) • IPsec protocols (AH/ESP/both) The first part, IKE, is the initial negotiation[...]

  • Page 241

    IKE Negotiation The process of negotiating session parameters consists of a number of phases and modes. These are described in detail in the below sections. The flow of events can summarized as follows: IKE Phase-1 • Negotiate how IKE should be protected IKE Phase-2 • Negotiate how IPsec should be protected • Derive some fresh keying material[...]

  • Page 242

    Authentication can be accomplished through Pre-Shared Keys, certificates or public key encryption. Pre-Shared Keys is the most common authentication method today. PSK and certificates are supported by the NetDefendOS VPN module. IKE Phase-2 - IPsec Security Negotiation In phase two, another negotiation is performed, detailing the parameters for the[...]

  • Page 243

    configurations. Remote Gateway The remote gateway will be doing the decryption/authentication and pass the data on to its final destination. This field can also be set to "none", forcing the D-Link VPN to treat the remote address as the remote gateway. This is particularly useful in cases of roaming access, where the IP addresses of the r[...]

  • Page 244

    • Cast128 • 3DES • DES DES is only included to be interoperable with other older VPN implementations. Use of DES should be avoided whenever possible, since it is an old algorithm that is no longer considered secure. IKE Authentication This specifies the authentication algorithms used in the IKE negotiation phase. The algorithms supported by N[...]

  • Page 245

    PFS Group This specifies the PFS group to use with PFS. The PFS groups supported by NetDefendOS are: • 1 modp 768-bit • 2 modp 1024-bit • 5 modp 1536-bit Security increases as the PFS group bits grow larger, as does the time taken for the exchanges. IPsec DH Group This is a Diffie-Hellman group much like the one for IKE. However, this one is [...]

  • Page 246

    method where IKE is not used at all; the encryption and authentication keys as well as some other parameters are directly configured on both sides of the VPN tunnel. Note D-Link Firewalls do not support Manual Keying. Manual Keying Advantages Since it is very straightforward it will be quite interoperable. Most interoperability problems encountered[...]

  • Page 247

    roaming clients. Instead, should a client be compromised, the client's certificate can simply be revoked. No need to reconfigure every client. Certificate Disadvantages Added complexity. Certificate-based authentication may be used as part of a larger public key infrastructure, making all VPN clients and firewalls dependent on third parties. I[...]

  • Page 248

    9.3.5. NAT Traversal Both IKE and IPsec protocols present a problem in the functioning of NAT. Both protocols were not designed to work through NATs and because of this, a technique called "NAT traversal" has evolved. NAT traversal is an add-on to the IKE and IPsec protocols that allows them to function when being NATed. NetDefendOS suppo[...]

  • Page 249

    configuration is needed. However, for responding firewalls two points should be noted: • On responding firewalls, the Remote Gateway field is used as a filter on the source IP of received IKE packets. This should be set to allow the NATed IP address of the initiator. • When individual pre-shared keys are used with multiple tunnels connecting to[...]

  • Page 250

    1. Go to Objects > VPN Objects > IKE Algorithms > Add > IPsec Algorithms 2. Enter a name for the list eg. esp-l2tptunnel. 3. Now check the following: • DES • 3DES • SHA1 • MD5 4. Click OK Then, apply the proposal list to the IPsec tunnel: 1. Go to Interfaces > IPsec 2. In the grid control, click the target IPsec tunnel 3. Sel[...]

  • Page 251

    1. Go to Objects > Authentication Objects > Add > Pre-shared key 2. Enter a name for the pre-shared key eg. MyPSK 3. Choose Hexadecimal Key and click Generate Random Key to generate a key to the Passphrase textbox. 4. Click OK Then, apply the pre-shared key to the IPsec tunnel: 1. Go to Interfaces > IPsec 2. In the grid control, click t[...]

  • Page 252

    gw-world:/MyIDList> cc Finally, apply the Identification List to the IPsec tunnel: gw-world:/> set Interface IPsecTunnel MyIPsecTunnel AuthMethod=Certificate IDList=MyIDList RootCertificates=AdminCert GatewayCertificate=AdminCert Web Interface First create an Identification List: 1. Go to Objects > VPN Objects > ID List > Add > ID[...]

  • Page 253

    9.4. IPsec Tunnels 9.4.1. Overview An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration capabilities as regular interfaces. When another D-Link Firewall or D-Link VPN Client (or any IPsec compliant product) tries[...]

  • Page 254

    computer from different locations is a typical example of a roaming client. Apart from the need for secure VPN access, the other major issue with roaming clients is that the mobile user's IP address is often not known beforehand. To handle the unknown IP address the NetDefendOS can dynamically add routes to the routing table as tunnels are est[...]

  • Page 255

    5. Under the Routing tab: • Enable the option: Dynamically add route to the remote network when a tunnel is established. 6. Click OK C. Finally configure the IP rule set to allow traffic inside the tunnel. 9.4.3.2. Self-signed Certificate based client tunnels Example 9.5. Setting up a Self-signed Certificate based VPN tunnel for roaming clients T[...]

  • Page 256

    3. For Algorithms enter: • IKE Algorithms: Medium or High • IPsec Algorithms: Medium or High 4. For Authentication enter: • Choose X.509 Certificate as authentication method • Root Certificate(s): Select all your client certificates and add them to the Selected list • Gateway Certificate: Choose your newly created firewall certificate •[...]

  • Page 257

    3. Click OK 4. Go to Objects > VPN Objects > ID List > Sales > Add > ID 5. Enter the name for the client 6. Select Email as Type 7. In the Email address field, enter the email address selected when you created the certificate on the client 8. Create a new ID for every client that you want to grant access rights according to the instr[...]

  • Page 258

    Currently only one Config Mode object can be defined in NetDefendOS and this is referred to as the Config Mode Pool object. The key parameters associated with it are as follows: Use Pre-defined IP Pool Object The IP Pool object that provides the IP addresses. Use a Static Pool As an alternative to using an IP Pool, a static set of IP addresses can [...]

  • Page 259

    message includes the two IP addresses as well as the client identity. Optionally, the affected SA can be automatically deleted if validation fails by enabling the advanced setting IPsecDeleteSAOnIPValidationFailure . The default value for this setting is Disabled . 9.4.4. Fetching CRLs from an alternate LDAP server An X.509 root certificate usually[...]

  • Page 260

    9.5. PPTP/L2TP The access by a client using a modem link over dial-up public switched networks, possibly with an unpredictable IP address, to protected networks via a VPN poses particular problems. Both the PPTP and L2TP protocols provide two different means of achieving VPN access from remote clients. 9.5.1. PPTP Overview Point to Point Tunneling [...]

  • Page 261

    gw-world:/> add Interface L2TPServer MyPPTPServer ServerIP=lan_ip Interface=any IP=wan_ip IPPool=pp2p_Pool TunnelProtocol=PPTP AllowedRoutes=all-nets Web Interface 1. Go to Interfaces > L2TP Servers > Add > L2TPServer 2. Enter a name for the PPTP Server eg. MyPPTPServer. 3. Now enter: • Inner IP Address: lan_ip • Tunnel Protocol: PP[...]

  • Page 262

    3. Now enter: • Inner IP Address: ip_l2tp • Tunnel Protocol: L2TP • Outer Interface Filter: l2tp_ipsec • Outer Server IP: wan_ip 4. Under the PPP Parameters tab, select L2TP_Pool in the IP Pool control 5. Under the Add Route tab, select all_nets in the Allowed Networks control 6. Click OK Use User Authentication Rules is enabled as default.[...]

  • Page 263

    DHCPOverIPsec=Yes AddRouteToRemoteNet=Yes IPsecLifeTimeKilobytes=250000 IPsecLifeTimeSeconds=3600 Web Interface 1. Go to Interfaces > IPsec > Add > IPsec Tunnel 2. Enter a name for the IPsec tunnel, eg. l2tp_ipsec 3. Now enter: a. Local Network: wan_ip b. Remote Network: all-nets c. Remote Endpoint: none d. Encapsulation Mode: Transport e.[...]

  • Page 264

    7. In the ProxyARP control, select the lan interface. 8. Click OK In order to authenticate the users using the L2TP tunnel, a user authentication rule needs to be configured. D. Next will be setting up the authentication rules: CLI gw-world:/> add UserAuthRule AuthSource=Local Interface=l2tp_tunnel OriginatorIP=all-nets LocalUserDB=UserDB agent=[...]

  • Page 265

    4. Click OK 5. Go to Rules > IP Rules > Add > IPRule 6. Enter a name for the rule, eg. NATL2TP 7. Now enter: • Action: NAT • Service: all_services • Source Interface: l2tp_tunnel • Source Network: l2tp_pool • Destination Interface: any • Destination Network: all-nets 8. Click OK 9.5.2. L2TP Chapter 9. VPN 265[...]

  • Page 266

    9.5.2. L2TP Chapter 9. VPN 266[...]

  • Page 267

    Chapter 10. Traffic Management This chapter describes how NetDefendOS can manage network traffic. • Traffic Shaping, page 267 • Threshold Rules, page 279 • Server Load Balancing, page 281 10.1. Traffic Shaping 10.1.1. Introduction QoS with TCP/IP A weakness of TCP/IP is the lack of true Quality of Service (QoS) functionality. QoS is the abili[...]

  • Page 268

    • Providing bandwidth guarantees. This is typically accomplished by treating a certain amount of traffic (the guaranteed amount) as high priority. Traffic exceeding the guarantee then has the same priority as "any other traffic", and competes with the rest of the non-prioritized traffic. Traffic shaping doesn't typically work by qu[...]

  • Page 269

    Figure 10.1. Pipe rule set to Pipe Packet Flow Where one pipe is specified in a list then that is the pipe whose characteristics will be applied to the traffic. If a series of pipes are specified then these will form a Chain of pipes through which traffic will pass. A chain can be made up of at most 8 pipes. If no pipe is specified in a list then t[...]

  • Page 270

    CLI gw-world:/> add PipeRule ReturnChain=std-in SourceInterface=lan SourceNetwork=lannet DestinationInterface=wan DestinationNetwork=all-nets Service=all_services name=Outbound Web Interface 1. Go to Traffic Management > Traffic Shaping > Pipes > Add > Pipe Rule 2. Specify a suitable name for the pipe, for instance outbound . 3. Now [...]

  • Page 271

    gw-world:/> add Pipe std-out LimitKbpsTotal=2000 Web Interface 1. Go to Traffic Management > Traffic Shaping > Pipes > Add > Pipe 2. Specify a name for the pipe, eg. std-out 3. Enter 2000 in Total textbox 4. Click OK After creating a pipe for outbound bandwidth control, add it to the forward pipe chain of the rule created in the prev[...]

  • Page 272

    Setting up pipes in this way only puts limits on the maximum values for certain traffic types. It does not give priorities to different types of competing traffic. 10.1.6. Precedences All packets that pass through NetDefendOS traffic shaping pipes have a precedence. In the examples so far, precedences have not been explicitly set and so all packets[...]

  • Page 273

    These limits can be specified in kilobits per second and/or packets per second (if both are specified then the first limit reached will be the limit used). In precedences are used then the total limit for the pipe as a whole must be specified so the pipe knows when what its capacity is and therefore when precedences are used. The Best Effort Preced[...]

  • Page 274

    for other services such as surfing, DNS or FTP. A means is therefore required to ensure that lower priority traffic gets some portion of bandwidth and this is done with Bandwidth Guarantees . 10.1.7. Guarantees Bandwidth guarantees ensure that there is a minimum amount of bandwidth available for a given precedence. This is done by specifying a maxi[...]

  • Page 275

    telnet-in pipes. Notice that we did not set a total limit for the ssh-in and telnet-in pipes. We do not need to since the total limit will be enforced by the std-in pipe at the end of the respective chains. The ssh-in and telnet-in pipes act as a "priority filter": they make sure that no more than the reserved amount, 64 and 32 kbps, resp[...]

  • Page 276

    Instead of specifying a total group limit, the alternative is to enable the Dynamic Balancing option. This ensures that the available bandwidth is divided equally between all addresses regardless of how many there are and this is done up to the limit of the pipe. If a total group limit of 100 bps is also specified, as before, then no one user may t[...]

  • Page 277

    specifying a "Per DestinationIP" grouping. Knowing when the pipe is full is not important since the only constraint is on each user. If precedences were used the pipe maximum would have to be used. Limits shouldn't be higher than the available bandwidth If pipe limits are set higher than the available bandwidth, the pipe will not kno[...]

  • Page 278

    • A pipe can have a limit which is the maximum amount of traffic allowed. • A pipe can only know when it is full if a limit is specified. • A single pipe should handle traffic in only one direction (although 2 way pipes are allowed). • Pipes can be chained so that one pipe's traffic feeds into another pipe. • Specific traffic types c[...]

  • Page 279

    10.2. Threshold Rules 10.2.1. Overview The objective of a Threshold Rule is to have a means of detecting abnormal connection activity as well as reacting to it. An example of a cause for such abnormal activity might be an internal host becoming infected with a virus that is making repeated connections to external IP addresses. It might alternativel[...]

  • Page 280

    10.2.5. Multiple Triggered Actions When a rule is triggered then NetDefendOS will perform the associated rule Actions that match the condition that has occured. If more than one Action matches the condition then those matching Actions are applied in the order they appear in the user interface. If several Actions that have the same combination of Ty[...]

  • Page 281

    10.3. Server Load Balancing 10.3.1. Overview The Server Load Balancing (SLB) feature in NetDefendOS is a powerful tool that can improve the following aspects of network applications: • Performance • Scalability • Reliability • Ease of administration SLB allows network service demands to be shared among multiple servers. This improves both t[...]

  • Page 282

    SLB also means that network administrators can perform maintenance tasks on servers or applications without disrupting services. Individual servers can be restarted, upgraded, removed, or replaced, and new servers and applications can be added or moved without affecting the rest of a server farm, or taking down applications. The combination of netw[...]

  • Page 283

    algorithm cycles through the server list and redirects the load to servers in order. Regardless of each server's capability and other aspects, for instance, the number of existing connections on a server or its response time, all the available servers take turns in being assigned the next connection. This algorithm ensures that all servers rec[...]

  • Page 284

    If Connection Rate is applied instead, R1 and R2 will be sent to the same server because of stickiness, but the subsequent requests R3 and R4 will be routed to another server since the number of new connections on each server within the Window Time span is counted in for the distribution. Figure 10.8. Stickiness and Connection Rate Regardless which[...]

  • Page 285

    The key component in setting up SLB is the SLB_SAT rule in the IP rule set. The steps that should be followed are: 1. Define an Object for each server for which SLB is to be done. 2. Define a Group which included all these objects 3. Define an SLB_SAT Rule in the IP rule set which refers to this Group and where all other SLB parameters are defined.[...]

  • Page 286

    4. Click OK 5. Repeat the above to create an object called server2 for the 192.168.1.11 IP address. B. Create a Group which contains the 2 webserver objects: 1. Go to Objects > Address Book > Add > IP4 Group 2. Enter a suitable name, eg. server_group 3. Add server1 and server2 to the group 4. Click OK C. Specify the SLB_SAT IP rule: 1. Go [...]

  • Page 287

    • Service: HTTP • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: ip_ext 3. Click OK 10.3.6. SLB_SAT Rules Chapter 10. Traffic Management 287[...]

  • Page 288

    10.3.6. SLB_SAT Rules Chapter 10. Traffic Management 288[...]

  • Page 289

    Chapter 11. High Availability This chapter describes the high availability fault-tolerance feature in D-Link Firewalls. • Overview, page 289 • High Availability Mechanisms, page 291 • High Availability Setup , page 293 • High Availability Issues, page 296 11.1. Overview High Availability is a fault-tolerant capability that is available on c[...]

  • Page 290

    D-Link HA will only operate between two D-Link Firewalls. As the internal operation of different security gateway manufacturer's software is completely dissimilar, there is no common method available to communicating state information to a dissimilar device. It is also strongly recommended that the D-Link Firewalls used in cluster have identic[...]

  • Page 291

    11.2. High Availability Mechanisms D-Link HA provides a redundant, state-synchronized hardware configuration. The state of the active unit, such as the connection table and other vital information, is continuously copied to the inactive unit via the sync interface. When cluster failover occurs, the inactive unit knows which connections are active, [...]

  • Page 292

    packets destined for the shared hardware address. 11.2. High Availability Mechanisms Chapter 11. High Availability 292[...]

  • Page 293

    11.3. High Availability Setup This section provides a step-by-step guide for setting up an HA Cluster. 11.3.1. Hardware Setup 1. Start with two physically similar D-Link Firewalls. Both may be newly purchased or one may have been purchased to be the back-up unit (in other words, to be the slave unit). 2. Make the physical connections: • Connect t[...]

  • Page 294

    3. Decide on a shared IP address for each interface in the cluster. Some interfaces could have shared addresses only with others having unique individual addresses as well. The shared and unique addresses are used as follows: • The unique, non-shared IP addresses are used to communicate with the D-Link Firewalls themselves for functions such as r[...]

  • Page 295

    This device is an HA MASTER This device is currently ACTIVE (will forward traffic) HA cluster peer is ALIVE Then use the stat command to verify that both master and slave have about the same number of connections. The output should contain a line similar to this: Connections 2726 out of 128000 where the lower number is the current number of connect[...]

  • Page 296

    11.4. High Availability Issues The following points should be kept in mind when managing and configuring an HA Cluster. SNMP SNMP statistics are not shared between master and slave. SNMP managers have no failover capabilities. Therefore both firewalls in a cluster need to be polled separately. Using Individual IPs The unique individual IP addresses[...]

  • Page 297

    11.4. High Availability Issues Chapter 11. High Availability 297[...]

  • Page 298

    Chapter 12. ZoneDefense This chapter describes the D-Link ZoneDefense feature. • Overview, page 298 • ZoneDefense Switches, page 299 • ZoneDefense Operation, page 300 12.1. Overview ZoneDefense allows a D-Link Firewall to control locally attached switches. It can be used as a counter-measure to stop a virus-infected computer in a local networ[...]

  • Page 299

    12.2. ZoneDefense Switches Switch information regarding every switch that is to be controlled by the firewall has to be manually specified in the firewall configuration. The information needed in order to control a switch includes: • The IP address of the management interface of the switch • The switch model type • The SNMP community string ([...]

  • Page 300

    12.3. ZoneDefense Operation 12.3.1. SNMP Simple Network Management Protocol (SNMP) is an application layer protocol for complex network management. SNMP allows the managers and managed devices in a network to communicate with each other. SNMP Managers A typical managing device, such as a D-Link Firewall, uses the SNMP protocol to monitor and contro[...]

  • Page 301

    As a complement to threshold rules, it is also possible to manually define hosts and networks that are to be statically blocked or excluded. Manually blocked hosts and networks can be blocked by default or based on a schedule. It is also possible to specify which protocols and protocol port numbers are to be blocked. Exclude Lists can be created an[...]

  • Page 302

    2. For Addresses choose the object name of the firewall's interface address 192.168.1.1 from the Available list and put it into the Selected list. 3. Click OK Configure an HTTP threshold of 10 connections/second: 1. Go to Traffic Management > Threshold Rules > Add > Threshold Rule 2. For the Threshold Rule enter: • Name: HTTP-Thresh[...]

  • Page 303

    12.3.4. Limitations Chapter 12. ZoneDefense 303[...]

  • Page 304

    Chapter 13. Advanced Settings This chapter describes the configurable advanced setings for NetDefendOS. The settings are divided up into the following categories: Note After an advanced setting is changed a reconfiguration must be performed in order for the new NetDefendOS configuration to be uploaded to the D-Link Firewall and the new value to tak[...]

  • Page 305

    LogNonIP4 Logs occurrences of IP packets that are not version 4. NetDefendOS only accepts version 4 IP packets; everything else is discarded. Default: 256 LogReceivedTTL0 Logs occurrences of IP packets received with the "Time To Live" (TTL) value set to zero. Under no circumstances should any network unit send packets with a TTL of 0. Def[...]

  • Page 306

    Verifies that the size information contained in each "layer" (Ethernet, IP, TCP, UDP, ICMP) is consistent with that of other layers. Default: ValidateLogBad IPOptionSizes Verifies the size of "IP options". These options are small blocks of information that may be added to the end of each IP header. This function checks the size [...]

  • Page 307

    13.2. TCP Level Settings TCPOptionSizes Verifies the size of TCP options. This function acts in the same way as IPOptionSizes described above. Default: ValidateLogBad TCPMSSMin Determines the minimum permissible size of the TCP MSS. Packets containing maximum segment sizes below this limit are handled according to the next setting. Default: 100 byt[...]

  • Page 308

    Default: 7000 bytes TCPZeroUnusedACK Determines whether NetDefendOS should set the ACK sequence number field in TCP packets to zero if it is not used. Some operating systems reveal sequence number information this way, which can make it easier for intruders wanting to hijack established connections. Default: Enabled TCPZeroUnusedURG Strips the URG [...]

  • Page 309

    to transport alternate checksums where permitted by ALTCHKREQ above. Normally never seen on modern networks. Default: StripLog TCPOPT_CC Determines how NetDefendOS will handle connection count options. Default: StripLogBad TCPOPT_OTHER Specifies how NetDefendOS will deal with TCP options not covered by the above settings. These options usually neve[...]

  • Page 310

    Specifies how NetDefendOS will deal with TCP packets with either the Xmas or Ymas flag turned on. These flags are currently mostly used by OS Fingerprinting. Note: an upcoming standard called Explicit Congestion Notification also makes use of these TCP flags, but as long as there are only a few operating systems supporting this standard, the flags [...]

  • Page 311

    13.3. ICMP Level Settings ICMPSendPerSecLimit Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section. Default: 20[...]

  • Page 312

    13.4. ARP Settings ARPMatchEnetSender Determines if NetDefendOS will require the sender address at Ethernet level to comply with the hardware address reported in the ARP data. Default: DropLog ARPQueryNoSenderIP What to do with ARP queries that have a sender IP of 0.0.0.0. Such sender IPs are never valid in responses, but network units that have no[...]

  • Page 313

    ARPExpire Specifies how long a normal dynamic item in the ARP table is to be retained before it is removed from the table. Default: 900 seconds (15 minutes) ARPExpireUnknown Specifies how long NetDefendOS is to remember addresses that cannot be reached. This is done to ensure that NetDefendOS does not continuously request such addresses. Default: 3[...]

  • Page 314

    13.5. Stateful Inspection Settings LogConnectionUsage This generates a log message for every packet that passes through a connection that is set up in the NetDefendOS state-engine. Traffic whose destination is the D-Link Firewall itself, for example NetDefendOS management traffic, is not subject to this setting. The log message includes port, servi[...]

  • Page 315

    • NoLog – Does not log any connections; consequently, it will not matter if logging is enabled for either Allow or NAT rules in the Rules section; they will not be logged. However, FwdFast, Drop and Reject rules will be logged as stipulated by the settings in the Rules section. • Log – Logs connections in short form; gives a short descripti[...]

  • Page 316

    13.6. Connection Timeouts The settings in this section specify how long a connection can remain idle, ie. no data being sent through it, before it is automatically closed. Please note that each connection has two timeout values: one for each direction. A connection is closed if either of the two values reaches 0. ConnLife_TCP_SYN Specifies how long[...]

  • Page 317

    Default: False AllowBothSidesToKeepConnAlive_UDP Chapter 13. Advanced Settings 317[...]

  • Page 318

    13.7. Size Limits by Protocol This section contains information about the size limits imposed on the protocols directly under IP level, ie. TCP, UDP, ICMP, etc. The values specified here concern the IP data contained in packets. In the case of Ethernet, a single packet can contain up to 1480 bytes of IP data without fragmentation. In addition to th[...]

  • Page 319

    MaxSKIPLen Specifies the maximum size of a SKIP packet. Default: 2000 bytes MaxOSPFLen Specifies the maximum size of an OSPF packet. OSPF is a routing protocol mainly used in larger LANs. Default: 1480 MaxIPIPLen Specifies the maximum size of an IP-in-IP packet. IP-in-IP is used by Checkpoint Firewall-1 VPN connections when IPsec is not used. This [...]

  • Page 320

    13.8. Fragmentation Settings IP is able to transport up to 65536 bytes of data. However, most media, such as Ethernet, cannot carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate packets, each one given their own IP header and information that will help the recipient reassemble the original packet correct[...]

  • Page 321

    Default: Check8 – compare 8 random locations, a total of 32 bytes FragReassemblyFail Reassemblies may fail due to one of the following causes: • Some of the fragments did not arrive within the time stipulated by the ReassTimeout or ReassTimeLimit settings. This may mean that one or more fragments were lost on their way across the Internet, whic[...]

  • Page 322

    not match up. Possible settings are as follows: • NoLog - No logging is carried out under normal circumstances. • LogSuspect - Logs duplicated fragments if the reassembly procedure has been affected by "suspect" fragments. • LogAll - Always logs duplicated fragments. Default: LogSuspect FragmentedICMP Other than ICMP ECHO (Ping), IC[...]

  • Page 323

    Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in its memory in order to prevent further fragments of that packet from arriving. Default: 60 seconds ReassIllegalLinger Chapter 13. Advanced Settings 323[...]

  • Page 324

    13.9. Local Fragment Reassembly Settings LocalReass_MaxConcurrent Maximum number of concurrent local reassemblies. Default: 256 LocalReass_MaxSize Maximum size of a locally reassembled packet. Default: 10000 LocalReass_NumLarge Number of large ( over 2K) local reassembly buffers (of the above size). Default: 32 13.9. Local Fragment Reassembly Setti[...]

  • Page 325

    13.10. DHCP Settings DHCP_MinimumLeaseTime Minimum lease time (seconds) accepted from the DHCP server. Default: 60 DHCP_ValidateBcast Require that the assigned broadcast address is the highest address in the assigned network. Default: Enabled DHCP_AllowGlobalBcast Allow DHCP server to assign 255.255.255.255 as broadcast. (Non-standard.) Default: Di[...]

  • Page 326

    13.11. DHCPRelay Settings DHCPRelay_MaxTransactions Maximum number of transactions at the same time. Default: 32 DHCPRelay_TransactionTimeout For how long a dhcp transaction can take place. Default: 10 seconds DHCPRelay_MaxPPMPerIface How many dhcp-packets a client can send to through NetDefendOS to the dhcp-server during one minute. Default: 500 p[...]

  • Page 327

    13.12. DHCPServer Settings DHCPServer_SaveLeasePolicy What policy should be used to save the lease database to the disk, possible settings are Disabled, ReconfShut, or ReconfShutTimer. Default: ReconfShut DHCPServer_AutoSaveLeaseInterval How often should the leases database be saved to disk if DHCPServer_SaveLeasePolicy is set to ReconfShutTimer. D[...]

  • Page 328

    13.13. IPsec Settings IKESendInitialContact Determines whether or not IKE should send the "Initial Contact" notification message. This message is sent to each remote gateway when a connection is opened to it and there are no previous IPsec SA using that gateway. Default: Enabled IKESendCRLs Dictates whether or not CRLs (Certificate Revoca[...]

  • Page 329

    IPsecDeleteSAOnIPValidationFailure Controls what happens to the SAs if IP validation in Config Mode fails. If Enabled, the security associations (SAs) are deleted on failure. Default: Disabled IPsecDeleteSAOnIPValidationFailure Chapter 13. Advanced Settings 329[...]

  • Page 330

    13.14. Logging Settings LogSendPerSecLimit This setting limits how many log packets NetDefendOS may send out per second. This value should never be set too low, as this may result in important events not being logged, nor should it be set too high. One situation where setting too high a value may cause damage is when NetDefendOS sends a log message[...]

  • Page 331

    13.15. Time Synchronization Settings TimeSync_SyncInterval Seconds between each resynchronization. Default: 86400 TimeSync_MaxAdjust Maximum time drift that a server is allowed to adjust. Default: 3600 TimeSync_ServerType Type of server for time synchronization, UDPTime or SNTP (Simple Network Time Protocol). Default: SNTP TimeSync_GroupIntervalSiz[...]

  • Page 332

    DST offset in minutes. Default: 0 TimeSync_DSTStartDate What month and day DST starts, in the format MM-DD. Default: none TimeSync_DSTEndDate What month and day DST ends, in the format MM-DD. Default: none TimeSync_DSTStartDate Chapter 13. Advanced Settings 332[...]

  • Page 333

    13.16. PPP Settings PPP_L2TPBeforeRules Pass L2TP traffic sent to the D-Link Firewall directly to the L2TP Server without consulting the rule set. Default: Enabled PPP_PPTPBeforeRules Pass PPTP traffic sent to the D-Link Firewall directly to the PPTP Server without consulting the rule set. Default: Enabled 13.16. PPP Settings Chapter 13. Advanced S[...]

  • Page 334

    13.17. Hardware Monitor Settings HWM_PollInterval Polling intervall for Hardware Monitor which is the delay in milliseconds between reading of hardware monitor values. Minimum 100, Maximum 10000. Default: 500 ms HWMMem_Interval Memory polling interval which is the delay in minutes between reading of memory values. Minimum 1, Maximum 200. Default: 1[...]

  • Page 335

    13.18. Packet Re-assembly Settings Packet re-assembly collects IP fragments into complete IP datagrams and, for TCP, reorders segments so that they are processed in the correct order and also to keep track of potential segment overlaps and to inform other subsystems of such overlaps. The associated settings limit memory used by the re-assembly subs[...]

  • Page 336

    13.19. Miscellaneous Settings BufFloodRebootTime As a final way out, NetDefendOS automatically reboots if its buffers have been flooded for a long time. This setting specifies this amount of time. Default: 3600 MaxPipeUsers The maximum number of pipe users to allocate. As pipe users are only tracked for a 20th of a second, this number usually does [...]

  • Page 337

    MaxPipeUsers Chapter 13. Advanced Settings 337[...]

  • Page 338

    Appendix A. Subscribing to Security Updates Introduction The NetDefendOS Anti-Virus (AV) module, the Intrusion Detection and Prevention (IDP) module and the Dynamic Web Content Filtering module all function using external D-Link databases which contain details of the latest viruses, security threats and URL categorization. These databases are const[...]

  • Page 339

    Querying Update Status To get the status of IDP updates use the command: gw-world:/> updatecenter -status IDP To get the status of AV updates: gw-world:/> updatecenter -status Antivirus Querying Server Status To get the status of the D-Link network servers use the command: gw-world:/> updatecenter -servers Deleting Local Databases Some tec[...]

  • Page 340

    Appendix B. IDP Signature Groups For IDP scanning, the following signature groups are available for selection. These groups are available only for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS , IPS and Policy . For further information see Section 6.5, “Intrusion Detection and Prevention”. Group [...]

  • Page 341

    Group Name Intrusion Type FTP_FORMATSTRING Format string attack FTP_GENERAL FTP protocol and implementation FTP_LOGIN Login attacks FTP_OVERFLOW FTP buffer overflow GAME_BOMBERCLONE Bomberclone game GAME_GENERAL Generic game servers/clients GAME_UNREAL UnReal Game server HTTP_APACHE Apache httpd HTTP_BADBLUE Badblue web server HTTP_CGI HTTP CGI HTT[...]

  • Page 342

    Group Name Intrusion Type POP3_DOS Denial of Service for POP POP3_GENERAL Post Office Protocol v3 POP3_LOGIN-ATTACKS Password guessing and related login attack POP3_OVERFLOW POP3 server overflow POP3_REQUEST-ERRORS Request Error PORTMAPPER_GENERAL PortMapper PRINT_GENERAL LP printing server: LPR LPD PRINT_OVERFLOW Overflow of LPR/LPD protocol/imple[...]

  • Page 343

    Group Name Intrusion Type TFTP_OPERATION Operation Attack TFTP_OVERFLOW TFTP buffer overflow attack TFTP_REPLY TFTP Reply attack TFTP_REQUEST TFTP request attack TROJAN_GENERAL Trojan UDP_GENERAL General UDP UDP_POPUP Pop-up window for MS Windows UPNP_GENERAL UPNP VERSION_CVS CVS VERSION_SVN Subversion VIRUS_GENERAL Virus VOIP_GENERAL VoIP protocol[...]

  • Page 344

    Appendix C. Checked MIME filetypes The HTTP Application Layer Gateway has the ability to verify that the contents of a file downloaded via the HTTP protocol is the type that the filetype in its filename indicates. This appendix lists the MIME filetypes that can be checked by NetDefendOS to make sure that the content matches the filetype of a downlo[...]

  • Page 345

    Filetype extension Application elc eMacs Lisp Byte-compiled Source Code emd ABT EMD Module/Song Format file esp ESP archive data exe Windows Executable fgf Free Graphics Format file flac Free Lossless Audio Codec file flc FLIC Animated Picture fli FLIC Animation flv Macromedia Flash Video gdbm Database file gif Graphic Interchange Format file gzip,[...]

  • Page 346

    Filetype extension Application pac CrossePAC archive data pbf Portable Bitmap Format Image pbm Portable Bitmap Graphic pdf Acrobat Portable Document Format pe Portable Executable file pfb PostScript Type 1 Font pgm Portable Graymap Graphic pkg SysV R4 PKG Datastreams pll PAKLeo archive data pma PMarc archive data png Portable (Public) Network Graph[...]

  • Page 347

    Filetype extension Application wk Lotus 1-2-3 document wmv Windows Media file wrl, vrml Plain Text VRML file xcf GIMP Image file xm Fast Tracker 2 Extended Module , audio file xml XML file xmcd xmcd database file for kscd xpm BMC Software Patrol UNIX Icon file yc YAC compressed archive zif ZIF image zip Zip compressed archive file zoo ZOO compresse[...]

  • Page 348

    Appendix D. The OSI Framework The Open Systems Interconnection Model defines a framework for intercomputer communications. It categorizes different protocols for a great variety of network applications into seven smaller, more manageable layers. The model describes how data from an application in one computer can be transferred through a network me[...]

  • Page 349

    Appendix E. D-Link worldwide offices Below is a complete list of D-Link worldwide sales offices. Please check your own country area's local website for further details regarding support of D-Link products as well as contact details for local support. Australia 1 Giffnock Avenue, North Ryde, NSW 2113, Australia. TEL: 61-2-8899-1800, FAX: 61-2-8[...]

  • Page 350

    FAX: +972-9-9715601. Website: www.dlink.co.il Italy Via Nino Bonnet n. 6/b, 20154 – Milano, Italy. TEL: 39-02-2900-0676, FAX: 39-02-2900-1723. Website: www.dlink.it LatinAmerica Isidora Goyeechea 2934, Ofcina 702, Las Condes, Santiago – Chile. TEL: 56-2-232-3185, FAX: 56-2-232-0923. Website: www.dlink.cl Luxemburg Rue des Colonies 11, B-1000 Br[...]

  • Page 351

    Alphabetical Index A access rules, 135 accounting, 39 interim messages, 41 limitations with NAT, 42 messages, 39 system shutdowns, 42 address book, 48 ethernet addresses in, 50 IP addresses in, 48 address groups, 51 address translation, 204 administration accounts, 23 ALG (see application layer gateway) all-nets IP object, 51 AllowBothSidesToKeepCo[...]

  • Page 352

    DHCP_UseLinkLocalIP setting, 325 DHCP_ValidateBcast setting, 325 DHCPRelay_AutoSaveRelayInterval setting, 326 DHCPRelay_MaxAutoRoutes setting, 326 DHCPRelay_MaxHops setting, 326 DHCPRelay_MaxLeaseTime setting, 326 DHCPRelay_MaxPPMPerIface setting, 326 DHCPRelay_MaxTransactions setting, 326 DHCPRelay_TransactionTimeout setting, 326 DHCPServer_AutoSa[...]

  • Page 353

    L L2TP, 261 quickstart guide, 234 Lan to Lan tunnels, 253 LayerSizeConsistency setting, 305 LDAP servers, 259 link state algorithm, 103 LocalReass_MaxConcurrent setting, 324 LocalReass_MaxSize setting, 324 LocalReass_NumLarge setting, 324 LogChecksumErrors setting, 304 LogConnections setting, 314 LogConnectionUsage setting, 314 logging, 35 login au[...]

  • Page 354

    TCP and UDP, 53 SilentlyDropStateICMPErrors setting, 311 simple network management protocol (see SNMP) SIP ALG, 152 SMTP ALG, 146 header verification, 149 SNMP community string, 43 MIB, 43 monitoring, 43 traps, 37 with IP rules, 43 source based routing, spam (see content filtering) SPAM filtering, 147 caching, 150 logging, 149 tagging, 148 spoofing[...]

  • Page 355

    X.509 certificates, 79 identification lists, 251 with IPsec, 234 Z zonedefense IDP, 194 zone defense, 298 switches, 299 Alphabetical Index 355[...]