User manual / product maintenance for the DFL-260 from the manufacturer D-Link
Network Security Solution http://www.dlink.com Security DFL-210/800/1600/2500 DFL-260/860 Ver.
User Manual DFL-210/260/800/860/1600/2500 NetDefendOS version 2.20 D-Link NetDefend Security http://security.dlink.com.tw Published 2008-08-05 Copyright © 2008.
Copyright Notice This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved.
Table of Contents Preface 12 1.
3.4.3. ARP Cache 68 3.4.4. Static and Published ARP Entries
6.2.8. H.323 155 6.3. Web Content Filtering
9.2.3. IPsec Roaming Clients with Certificates 234 9.2.4. L2TP Roaming Clients with Pre-Shared Keys 234 9.
12.3.1. SNMP 300 12.3.2. Threshold Rules
List of Figures 1.1. Packet Flow Schematic Part I 19 1.2. Packet Flow Schematic Part II
List of Examples 1. Example Notation 12 2.1. Enabling SSH Remote Access
5.1. Setting up a DHCP server 128 5.2. Checking the status of a DHCP server
Preface Intended Audience The target audience for this reference guide is Administrators who are responsible for configuring and managing D-Link Firewalls which are running the NetDefendOS operating system. This guide assumes that the reader has some basic knowledge of networks and network security.
Highlighted Content Special sections of text which the reader should pay special attention to are indicated by icons on the left hand side of the page followed by a short paragraph in italicized text.
Chapter 1. Product Overview This chapter outlines the key features of NetDefendOS.
• About D-Link NetDefendOS, page 14
• NetDefendOS Architecture, page 16
• NetDefendOS State Engine Packet Flow, page 19
1.1. About D-Link NetDefendOS D-Link NetDefendOS is the firmware, the software engine that drives and controls all D-Link Firewall products.
hosts. For more information about the IDP capabilities of NetDefendOS, please see Section 6.5, “Intrusion Detection and Prevention”. Anti-Virus NetDefendOS features integrated gateway anti-virus functionality.
1.2. NetDefendOS Architecture 1.2.1. State-based Architecture The NetDefendOS architecture is centered around the concept of state-based connections. Traditional IP routers or switches commonly inspect all packets and then perform forwarding decisions based on information found in the packet headers.
1.2.3. Basic Packet Flow This section outlines the basic flow in the state-engine for packets received and forwarded by NetDefendOS. Please note that this description is simplified and might not be fully applicable in all scenarios. The basic principle, however, is still valid in all applications.
and the event is logged according to the log settings for the rule. If the action is Allow, the packet is allowed through the system. A corresponding state will be added to the connection table for matching subsequent packets belonging to the same connection.
1.3. NetDefendOS State Engine Packet Flow The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next. Figure 1.1. Packet Flow Schematic Part I The packet flow is continued on the following page.
Figure 1.2. Packet Flow Schematic Part II The packet flow is continued on the following page. Figure 1.3. Packet Flow Schematic Part III
Chapter 2. Management and Maintenance This chapter describes the management, operations and maintenance related aspects of NetDefendOS.
• Managing NetDefendOS, page 23
• Events and Logging, page 35
• RADIUS Accounting, page 39
• Monitoring, page 43
• Maintenance, page 45
2.
By default, NetDefendOS has a local user database, AdminUsers , with one user account pre-defined: • Username admin with password admin . This account has full administrative read/write privileges.
SSH (Secure Shell) CLI Access The SSH (Secure Shell) protocol can be used to access the CLI over the network from a remote host. SSH is a protocol primarily used for secure communication over insecure networks, providing strong authentication and data integrity.
Device:/> set device name="gw-world" The CLI Reference Guide uses the command prompt gw-world:/> throughout. Note When the command line prompt is changed to a new string value, this string also appears as the new device name in the top level node of the WebUI tree-view.
Enter your username and password and click the Login button. If the user credentials are correct, you will be transferred to the main web interface page. This page, with its essential parts highlighted, is shown below. Multi-language Support The WebUI login dialog offers the option to select a language other than English for the interface.
• Home - Navigates to the first page of the web interface.
• Configuration
• Save and Activate - Saves and activates the configuration.
• Discard Changes - Discards any changes made to the configuration during the current session.
• View Changes - Lists the changes made to the configuration since it was last saved.
• User Database: AdminUsers • Interface: any • Network: all-nets 5. Click OK Caution The above example is provided for informational purposes only.
gw-world:/> show Service A list of all services will be displayed, grouped by their respective type. Web Interface 1. Go to Objects > Services 2. A web page listing all services will be presented. A list contains the following basic elements: • Add Button - Displays a dropdown menu when clicked.
Example 2.5. Editing a Configuration Object When you need to modify the behavior of NetDefendOS, you will most likely need to modify one or several configuration objects.
1. Go to Objects > Address Book 2. Click on the Add button 3. In the dropdown menu displayed, select IP4 Address 4. In the Name text box, enter myhost 5. Enter 192.168.10.10 in the IP Address textbox 6. Click OK 7. Verify that the new IP4 address object has been added to the list Example 2.
CLI
gw-world:/> show -changes
Type            Object
-------------   ------
- IP4Address    myhost
* ServiceTCPUDP telnet
A "+" character in front of the row indicates that the object has been added. A "*" character indicates that the object has been modified.
Note The configuration must be committed before changes are saved. All changes to a configuration can be ignored simply by not committing a changed configuration.
2.2. Events and Logging 2.2.1. Overview The ability to log and analyze system activities is an essential feature of NetDefendOS. Logging enables not only monitoring of system status and health, but also allows auditing of network usage and assists in trouble-shooting.
Memlog A D-Link Firewall has a built in logging mechanism known as the Memory Log. This retains all event log messages in memory and allows direct viewing of log messages through the web interface. Syslog The de-facto standard for logging events from network devices.
Note The syslog server may have to be configured to receive log messages from NetDefendOS. Please see the documentation for your specific Syslog server software in order to correctly configure it.
CLI gw-world:/> add LogReceiver EventReceiverSNMP2c my_snmp IPAddress=195.11.22.55 Web Interface 1. Go to Log & Event Receivers > Add > EventReceiverSNMP2c 2. Specify a name for the event receiver, e.g. my_snmp 3. Enter 195.11.22.55 as the IP Address 4.
2.3. RADIUS Accounting 2.3.1. Overview Within a network environment containing large numbers of users, it is advantageous to have one or a cluster of central servers that maintain user account information and are responsible for authentication and authorization tasks.
database. • Delay Time - The time delay (in seconds) between the moment the AccountingRequest packet was sent and the moment the authentication acknowledgement was received. This can be subtracted from the time of arrival on the server to find the approximate time of the event generating this AccountingRequest.
2.3.3. Interim Accounting Messages In addition to START and STOP messages NetDefendOS can optionally periodically send Interim Accounting Messages to update the accounting server with the current status of an authenticated user.
• An AccountingStart event is sent to the inactive member in an HA setup whenever a response has been received from the accounting server. This specifies that accounting information should be stored for a specific authenticated user.
2.4. Monitoring 2.4.1. SNMP Monitoring Overview Simple Network Management Protocol (SNMP) is a standardized protocol for management of network devices. An SNMP compliant client can connect to a network device which supports the SNMP protocol to query and control it.
SNMP access. Port 161 is usually used for SNMP and NetDefendOS always expects SNMP traffic on that port. Remote Access Encryption It should be noted that SNMP Version 1 or 2c access means that the community string will be sent as plain text over a network.
2.5. Maintenance 2.5.1. Auto-Update Mechanism A number of the NetDefendOS security features rely on external servers for automatic updates and content filtering. The Intrusion Prevention and Detection system and Anti-Virus modules require access to updated signature databases in order to provide protection against the latest threats.
Example 2.15. Complete Hardware Reset to Factory Defaults CLI gw-world:/> reset -unit Web Interface 1. Go to Maintenance > Reset 2. Select Restore the entire unit to factory defaults then confirm and wait for the restore to complete.
Chapter 3. Fundamentals This chapter describes the fundamental logical objects upon which NetDefendOS is built. These objects include such things as addresses, services and schedules.
For example: 192.168.0.0/24 IP Range A range of IP addresses is represented on the form a.b.c.d - e.f.g.h . Please note that ranges are not limited to netmask boundaries; they may include any span of IP addresses. For example: 192.168.0.10-192.168.0.15 represents six hosts in consecutive order.
Web Interface 1. Go to Objects > Address Book > Add > IP address 2. Specify a suitable name for the IP Range, for instance wwwservers. 3. Enter 192.
3.1.4. Address Groups Address objects can be grouped in order to simplify configuration. Consider a number of public servers that should be accessible from the Internet. The servers have IP addresses that are not in a sequence, and can therefore not be referenced to as a single IP range.
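The three address object forms described above (single IP4 Address, IP network in a.b.c.d/n form, and an IP Range that need not fall on a netmask boundary), plus Address Groups built from them, as an added example that is not code from the D-Link manual. The object names (lannet, wwwservers, ftpserver, public_servers) and their values are constructed sample data; all-nets is modelled as the pre-defined 0.0.0.0/0 object.

```python
import ipaddress
from typing import Dict, List, Tuple

Interval = Tuple[int, int]  # inclusive first/last address as integers


def parse_address_spec(spec: str) -> Interval:
    """Parse one specification in the three forms the Address Book accepts."""
    spec = spec.strip()
    if "-" in spec:
        # IP Range "a.b.c.d - e.f.g.h": any span, not limited to netmask boundaries.
        lo_s, hi_s = (p.strip() for p in spec.split("-", 1))
        lo, hi = int(ipaddress.IPv4Address(lo_s)), int(ipaddress.IPv4Address(hi_s))
        if lo > hi:
            raise ValueError(f"range start is after range end: {spec!r}")
        return lo, hi
    if "/" in spec:
        # IP Network "a.b.c.d/n": strict=True rejects host bits set inside the prefix.
        net = ipaddress.IPv4Network(spec, strict=True)
        return int(net.network_address), int(net.broadcast_address)
    addr = int(ipaddress.IPv4Address(spec))  # single IP4 Address
    return addr, addr


class AddressBook:
    """Named address objects; a group is the union of its members' intervals."""

    def __init__(self) -> None:
        self._objects: Dict[str, List[Interval]] = {}
        # Pre-defined object covering every address (constructed to mirror all-nets).
        self.add_ip4("all-nets", "0.0.0.0/0")

    def add_ip4(self, name: str, spec: str) -> None:
        self._objects[name] = [parse_address_spec(spec)]

    def add_group(self, name: str, members: List[str]) -> None:
        intervals: List[Interval] = []
        for member in members:
            if member not in self._objects:
                raise KeyError(f"unknown address object {member!r} in group {name!r}")
            intervals.extend(self._objects[member])
        self._objects[name] = intervals

    def contains(self, name: str, ip: str) -> bool:
        value = int(ipaddress.IPv4Address(ip))
        return any(lo <= value <= hi for lo, hi in self._objects[name])

    def host_count(self, name: str) -> int:
        """Number of distinct addresses covered; overlapping members count once."""
        total, end = 0, -1
        for lo, hi in sorted(self._objects[name]):
            lo = max(lo, end + 1)          # skip the part already counted
            if hi >= lo:
                total += hi - lo + 1
            end = max(end, hi)
        return total


def build_demo_book() -> AddressBook:
    """Constructed sample data modelled on the examples in this section."""
    book = AddressBook()
    book.add_ip4("lannet", "192.168.0.0/24")
    book.add_ip4("myhost", "192.168.10.10")
    book.add_ip4("wwwservers", "192.168.0.10-192.168.0.15")   # six consecutive hosts
    book.add_ip4("ftpserver", "192.168.0.40")
    # Servers with non-sequential addresses cannot be one range, so group them.
    book.add_group("public_servers", ["wwwservers", "ftpserver"])
    return book


if __name__ == "__main__":
    book = build_demo_book()
    for name in ("wwwservers", "lannet", "public_servers"):
        print(f"{name}: {book.host_count(name)} address(es)")
    print("192.168.0.12 in public_servers:", book.contains("public_servers", "192.168.0.12"))
```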
3.2. Services 3.2.1. Overview A Service object is a reference to a specific IP protocol with associated parameters. A Service definition is usually based on one of the major transport protocols such as TCP or UDP, with the associated port number(s). The HTTP service, for instance, is defined as using the TCP protocol with associated port 80.
Property: Value
-----------------  ----------------
Name:              echo
DestinationPorts:  7
Type:              TCPUDP (TCP/UDP)
SourcePorts:       0-65535
PassICMPReturn:    No
ALG:               (none)
MaxSessions:       1000
Comments:          Echo service
Web Interface 1. Go to Objects > Services 2. Select the specific service object in the grid control.
Tip The above methods of specifying port numbers are used not just for destination ports. Source port definitions can follow the same conventions, although it is most usual that the source ports are left as the default value which is 0-65535 and this corresponds to all possible source ports.
When setting up rules that filter by services it is possible to use the service grouping all_services to refer to all protocols. If just referring to the main protocols of TCP, UDP and ICMP then the service group all_tcpudpicmp can be used.
number. Some of the common IP protocols, such as IGMP, are already pre-defined in the NetDefendOS system configuration. Similar to the TCP/UDP port ranges described previously, a range of IP protocol numbers can be used to specify multiple applications for one service.
3.3. Interfaces 3.3.1. Overview An Interface is one of the most important logical building blocks in NetDefendOS. All network traffic that passes through or gets terminated in the system is done so through one or several interfaces. An interface can be seen as a doorway for network traffic to or from the system.
L2TP tunnels. For more information about PPTP/L2TP, please see Section 9.5, “PPTP/L2TP”. • GRE interfaces are used to establish GRE tunnels. For more information about GRE, please see Section 3.
The names of the Ethernet interfaces are pre-defined by the system, and are mapped to the names of the physical ports; a system with a wan port will have an Ethernet interface named wan and so on. The names of the Ethernet interfaces can be changed to better reflect their usage.
gw-world:/> set Interface Ethernet wan DHCPEnabled=Yes Web Interface 1. Go to Interfaces > Ethernet 2. In the grid, click on the ethernet object of interest 3.
3. Assign a VLAN ID that is unique on the physical interface. 4. Optionally specify an IP address for the VLAN. 5. Optionally specify an IP broadcast address for the VLAN. 6. Create the required route(s) for the VLAN in the appropriate routing table. 7.
Control Protocols (NCPs) can be used to transport traffic for a particular protocol suite, so that multiple protocols can interoperate on the same link, for example, both IP and IPX traffic can share a PPP link.
• Service Name: Service name provided by the service provider • Username: Username provided by the service provider • Password: Password provided by the service provider • Confirm Password: Re.
• IP Address - This is the IP address of the sending interface. This is optional and can be left blank. If it is left blank then the sending IP address will default to the local host address of 127.0.0.1 . • Remote Network - The remote network which the GRE tunnel will connect with.
Setup for D-Link Firewall "A" Assuming that the network 192.168.10.0/24 is lannet on the lan interface, the steps for setting up NetDefendOS on A are: 1. In the address book set up the following IP objects: • remote_net_B: 192.168.11.0/24 • remote_gw: 172.
1. In the address book set up the following IP objects: • remote_net_A: 192.168.10.0/24 • remote_gw: 172.16.0.1 • ip_GRE: 192.168.0.2 2. Create a GRE Tunnel object called GRE_to_A with the follo.
3. Click OK
3.4. ARP 3.4.1. Overview Address Resolution Protocol (ARP) is a protocol which maps a network layer protocol address to a data link layer hardware address; it is used to resolve an IP address into its corresponding Ethernet address.
The default expiration time for dynamic ARP entries is 900 seconds (15 minutes). This can be changed by modifying the Advanced Setting ARPExpire . The setting ARPExpireUnknown specifies how long NetDefendOS is to remember addresses that cannot be reached.
NetDefendOS supports defining static ARP entries (static binding of IP addresses to Ethernet addresses) as well as publishing IP addresses with a specific Ethernet address. Static ARP Entries Static ARP items may help in situations where a device is reporting an incorrect Ethernet address in response to ARP requests.
There are two publishing modes; Publish and XPublish. The difference between the two is that XPublish "lies" about the sender Ethernet address in the Ethernet header; this is set to be the same as the published Ethernet address rather than the actual Ethernet address of the Ethernet interface.
situations are to be logged. Sender IP 0.0.0.0 NetDefendOS can be configured on what to do with ARP queries that have a sender IP of 0.0.0.0. Such sender IPs are never valid in responses, but network units that have not yet learned of their IP address sometimes ask ARP questions with an "unspecified" sender IP.
3.5. The IP Rule Set 3.5.1. Security Policies Policy Characteristics NetDefendOS Security Policies designed by the administrator, regulate the way in which traffic can flow through a D-Link Firewall. Policies in NetDefendOS are defined by different NetDefendOS rule sets .
IP Rules The IP rule set is the most important of these security policy rule sets. It determines the critical packet filtering function of NetDefendOS, regulating what is allowed or not allowed to pass through the D-Link Firewall, and if necessary, how address translations like NAT are applied.
3.5.3. IP Rule Actions A rule consists of two parts: the filtering parameters and the action to take if there is a match with those parameters. As described above, the parameters of any NetDefendOS ru.
Using Reject In certain situations the Reject action is recommended instead of the Drop action because a polite reply is required from NetDefendOS. An example of such a situation is when responding to the IDENT user identification protocol.
3.6. Schedules In some scenarios, it might be useful to control not only what functionality is enabled, but also when that functionality is being used. For instance, the IT policy of an enterprise might stipulate that web traffic from a certain department is only allowed access outside that department during normal office hours.
• Action: NAT • Service: http • Schedule: OfficeHours • SourceInterface: lan • SourceNetwork lannet • DestinationInterface: any • DestinationNetwork: all-nets 4.
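The rule set evaluation described in Sections 3.5 and 3.6 (first matching IP rule wins; Allow, NAT, Drop and Reject actions; a Schedule such as OfficeHours restricting when a rule applies; the service groups all_services and all_tcpudpicmp), as an added example that is not code from the D-Link manual. The networks, the definition of OfficeHours (Monday to Friday, 08:00 to 17:00), the wan_ip value and the rule names are constructed assumptions; dropping a connection that matches no rule is assumed as the default.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

# Address objects as CIDR networks; all-nets is the pre-defined 0.0.0.0/0.
NETWORKS: Dict[str, str] = {
    "lannet": "192.168.1.0/24",
    "wan_ip": "203.0.113.10/32",   # constructed public address of the wan interface
    "all-nets": "0.0.0.0/0",
}

# Services: IP protocol plus destination-port ranges (source ports stay 0-65535).
# A protocol of None stands for the all_services group, i.e. every protocol.
SERVICES: Dict[str, Tuple[Optional[str], List[Tuple[int, int]]]] = {
    "http": ("tcp", [(80, 80)]),
    "dns": ("udp", [(53, 53)]),
    "ident": ("tcp", [(113, 113)]),
    "ping": ("icmp", []),
    "all_services": (None, []),
}


def office_hours(when: datetime) -> bool:
    """Assumed definition of the OfficeHours schedule: Monday-Friday, 08:00-17:00."""
    return when.weekday() < 5 and 8 <= when.hour < 17


SCHEDULES: Dict[str, Callable[[datetime], bool]] = {
    "Always": lambda when: True,
    "OfficeHours": office_hours,
}


@dataclass(frozen=True)
class IPRule:
    name: str
    action: str          # Allow, NAT, Drop or Reject
    service: str
    src_iface: str
    src_net: str
    dst_iface: str
    dst_net: str
    schedule: str = "Always"


@dataclass(frozen=True)
class Connection:
    src_iface: str
    src_ip: str
    dst_iface: str
    dst_ip: str
    proto: str
    dport: int
    when: datetime


def service_matches(service: str, proto: str, dport: int) -> bool:
    if service == "all_tcpudpicmp":          # group of the three main protocols
        return proto in ("tcp", "udp", "icmp")
    sproto, ranges = SERVICES[service]
    if sproto is None:                        # all_services
        return True
    if sproto != proto:
        return False
    return not ranges or any(lo <= dport <= hi for lo, hi in ranges)


def in_network(name: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(NETWORKS[name])


def rule_matches(rule: IPRule, conn: Connection) -> bool:
    """Every filtering parameter must match; 'any' matches every interface."""
    return (
        rule.src_iface in ("any", conn.src_iface)
        and rule.dst_iface in ("any", conn.dst_iface)
        and in_network(rule.src_net, conn.src_ip)
        and in_network(rule.dst_net, conn.dst_ip)
        and service_matches(rule.service, conn.proto, conn.dport)
        and SCHEDULES[rule.schedule](conn.when)
    )


def evaluate(rules: List[IPRule], conn: Connection) -> Tuple[str, str]:
    """First matching rule wins; a connection matching no rule is dropped (assumed)."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.name, rule.action
    return "(no match)", "Drop"


# Constructed rule set: polite Reject for IDENT aimed at the firewall itself (core),
# web access only during OfficeHours, DNS at any time, main protocols lan -> core.
RULES: List[IPRule] = [
    IPRule("ident_reject", "Reject", "ident", "wan", "all-nets", "core", "wan_ip"),
    IPRule("web_office", "NAT", "http", "lan", "lannet", "any", "all-nets", "OfficeHours"),
    IPRule("dns_out", "NAT", "dns", "lan", "lannet", "any", "all-nets"),
    IPRule("lan_to_core", "Allow", "all_tcpudpicmp", "lan", "lannet", "core", "all-nets"),
]

if __name__ == "__main__":
    tue_10 = datetime(2008, 8, 5, 10, 0)   # a Tuesday morning
    tue_20 = datetime(2008, 8, 5, 20, 0)   # the same day, after office hours
    web = Connection("lan", "192.168.1.20", "wan", "198.51.100.5", "tcp", 80, tue_10)
    print(evaluate(RULES, web))                                  # web_office / NAT
    print(evaluate(RULES, Connection(*web.__dict__.values())))  # same again
    late = Connection("lan", "192.168.1.20", "wan", "198.51.100.5", "tcp", 80, tue_20)
    print(evaluate(RULES, late))                                 # (no match) / Drop
```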
3.7. X.509 Certificates NetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. This involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication.
has to be issued. Certificate Revocation Lists A Certificate Revocation List (CRL) contains a list of all certificates that have been cancelled before their expiration date.
3. Now select one of the following: • Upload self-signed X.509 Certificate • Upload a remote certificate 4. Click OK and follow the instructions. Example 3.19. Associating X.509 Certificates with IPsec Tunnels To associate an imported certificate with an IPsec tunnel.
3.8. Setting Date and Time Correctly setting the date and time is important for NetDefendOS to operate properly. Time scheduled policies, auto-update of the IDP and Anti-Virus databases, and other product features require that the system clock is accurately set.
Example 3.21. Setting the Time Zone To modify the NetDefendOS time zone to be GMT plus 1 hour, follow the steps outlined below: CLI gw-world:/> set DateTime Timezone=GMTplus1 Web Interface 1. Go to System > Date and Time 2. Select (GMT+01:00) in the Timezone drop-down list 3.
Time Synchronization Protocols are standardised methods for retrieving time information from external Time Servers. NetDefendOS supports the following time synchronization protocols: • SNTP - Defined by RFC 2030, The Simple Network Time Protocol (SNTP) is a lightweight implementation of NTP (RFC 1305).
CLI
gw-world:/> time -sync
Attempting to synchronize system time...
Server time: 2007-02-27 12:21:52 (UTC+00:00)
Local time: 2007-02-27 12:24:30 (UTC+00:00) (diff: 158)
Local time successfully changed to server time.
D-Link Time Servers Using D-Link's own Time Servers is an option in NetDefendOS and this is the recommended way of synchronizing the firewall clock. These servers communicate with NetDefendOS using the SNTP protocol. When the D-Link Server option is chosen, a pre-defined set of recommended default values for the synchronization are used.
3.9. DNS Lookup A DNS server can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. FQDNs are unambiguous textual domain names which specify a node's unique position in the Internet's DNS tree hierarchy. FQDN resolution allows the actual physical IP address to change while the FQDN can stay the same.
Chapter 4. Routing This chapter describes how to configure IP routing in NetDefendOS.
• Overview, page 89
• Static Routing, page 90
• Policy-based Routing, page 98
• Dynamic Routing, page 103
• Multicast Routing, page 110
• Transparent Mode, page 119
4.
4.2. Static Routing The most basic form of routing is known as Static Routing . The term static refers to the fact that entries in the routing table are manually added and are therefore permanent (or static) by nature.
4.2.2. Static Routing This section describes how routing is implemented in NetDefendOS, and how to configure static routing. NetDefendOS supports multiple routing tables. A default table called main is pre-defined and is always present in NetDefendOS.
Persistent Routes: None The corresponding routing table in NetDefendOS is similar to this:
Flags Network            Iface    Gateway        Local IP  Metric
----- ------------------ -------- -------------- --------- ------
      192.168.0.0/24     lan                               20
      10.0.0.0/8         wan                               1
      0.0.0.0/0          wan      192.
      213.124.165.0/24   wan                               0
      0.0.0.0/0          wan      213.124.165.1            0
Web Interface To see the configured routing table: 1. Go to Routing > Routing Tables 2. Select and right-click the main routing table in the grid 3.
Web Interface 1. Select the Routes item in the Status dropdown menu in the menu bar 2. Check the Show all routes checkbox and click the Apply button 3. The main window will list the active routing table, including the core routes Tip For detailed information about the output of the CLI routes command.
methods must be chosen: Interface Link Status NetDefendOS will monitor the link status of the interface specified in the route. As long as the interface is up, the route is diagnosed as healthy. This method is appropriate for monitoring that the interface is physically attached and that the cabling is working as expected.
automatically be transferred back to it. Route Interface Grouping When using route monitoring, it is important to check if a failover to another route will cause the routing interface to be changed. If this could happen, it is necessary to take some precautionary steps to ensure that policies and existing connections will be maintained.
IP address of host B on another separate network. The proxy ARP feature means that NetDefendOS responds to this ARP request instead of host B. NetDefendOS sends its own MAC address in the reply, essentially pretending to be the target host.
4.3. Policy-based Routing 4.3.1. Overview Policy-based Routing (PBR) is an extension to the standard routing described previously. It offers administrators significant flexibility in implementing routing decision policies by being able to define rules so alternative routing tables are used.
Policy-based Routing rule can be triggered by the type of Service (HTTP for example) in combination with the Source/Destination Interface and Source/Destination Network. When looking up Policy-based Rules, it is the first matching rule found that is triggered.
interfaces. The first two options can be regarded as combining the alternate table with the main table and assigning one route if there is a match in both tables.
Example 4.5. Policy Based Routing Configuration This example illustrates a multiple ISP scenario which is a common use of Policy-based Routing. The following is assumed: • Each ISP will give you an IP network from its network range. We will assume a 2-ISP scenario, with the network 10.
Note Rules in the above example are added for both inbound and outbound connections. 4.3.5. The Ordering parameter
4.4. Dynamic Routing 4.4.1. Dynamic Routing overview Dynamic routing is different to static routing in that the D-Link Firewall will adapt to changes of network topology or traffic load automatically. NetDefendOS first learns of all the directly connected networks and gets further route information from other routers.
Routing metrics are the criteria a routing algorithm uses to compute the "best" route to a destination. A routing protocol relies on one or several metrics to evaluate links across a network and to determine the optimal path. The principal metrics used include: Path length The sum of the costs associated with each link.
to which they have an interface. ASBRs Routers that exchange routing information with routers in other Autonomous Systems are called Autonomous System Boundary Router (ASBRs).
in the routing table. This is commonly used to minimize the routing table. Virtual Links Virtual links are used for: • Linking an area that does not have a direct connection to the backbone. • Linking the backbone in case of a partitioned backbone.
common area in between. Figure 4.3. Virtual Links Example 2 The Virtual Link is configured between fw1 and fw2 on Area 1, as it is used as the transit area. In the configuration only the Router ID has to be configured; as the example above shows, fw2 needs to have a Virtual Link to fw1 with the Router ID 192.
In a dynamic routing environment, it is important for routers to be able to regulate to what extent they will participate in the routing exchange. It is not feasible to accept or trust all received routing information, and it might be crucial to avoid that parts of the routing database gets published to other routers.
gw-world:/ImportOSPFRoutes> add DynamicRoutingRuleAddRoute Destination=MainRoutingTable Web Interface 1. Go to Routing > Dynamic Routing Rules 2. Click on the recently created ImportOSPFRoutes 3. Go to OSPF Routing Action > Add > DynamicRoutingRuleAddRoute 4.
4.5. Multicast Routing 4.5.1. Overview Certain types of Internet interactions, such as conferencing and video broadcasts, require a single client or host to send the same packet to multiple receivers.
The multiplex rule can operate in one of two modes: Use IGMP The traffic flow specified by the multiplex rule must have been requested by hosts using IGMP before any multicast packets are forwarded through the specified interfaces. This is the default behaviour of NetDefendOS.
Example 4.8. Forwarding of Multicast Traffic using the SAT Multiplex Rule In this example, we will create a multiplex rule in order to forward the multicast groups 239.192.10.0/24:1234 to the interfaces if1, if2 and if3. All groups have the same sender 192.
This scenario is based on the previous scenario but now we are going to translate the multicast group. When the multicast streams 239.192.10.0/24 are forwarded through the if2 interface, the multicast groups should be translated into 237.192.10.0/24 .
• Destination Interface: core • Destination Network: 239.192.10.0/24 4. Click the Address Translation tab 5. Add interface if1 but leave the IPAddress empty 6. Add interface if2 but this time, enter 237.192.10.0 as the IPAddress 7. Make sure the forwarded using IGMP checkbox is set 8.
Figure 4.7. Multicast Proxy In Snoop mode, the router will act transparently between the hosts and another IGMP router. It will not send any IGMP Queries. It will only forward queries and reports between the other router and the hosts. In Proxy mode, the router will act as an IGMP router towards the clients and actively send queries.
• Source Network: if1net, if2net, if3net • Destination Interface: core • Destination Network: auto • Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.0/24 4. Click OK B. Create the second IGMP Rule: 1. Again go to Routing > IGMP > IGMP Rules > Add > IGMP Rule 2.
• Name: A suitable name for the rule, e.g. Reports_if1 • Type: Report • Action: Proxy • Output: wan (this is the relay interface) 3. Under Address Filter enter: • Source Interface: if1 • Source Network: if1net • Destination Interface: core • Destination Network: auto • Multicast Source: 192.
• Type: Report • Action: Proxy • Output: wan (this is the relay interface) 3. Under Address Filter enter: • Source Interface: if2 • Source Network: if2net • Destination Interface: core • Destination Network: auto • Multicast Source: 192.
4.6. Transparent Mode 4.6.1. Overview of Transparent Mode Deploying D-Link Firewalls operating in Transparent Mode into an existing network topology can significantly strengthen security. It is simple to do and doesn't require reconfiguration of existing nodes.
When beginning communication, a host will locate the target host's physical address by broadcasting an ARP request. This request is intercepted by NetDefendOS and it sets up an internal ARP Transaction State entry and broadcasts the ARP request to all the other switch-route interfaces except the interface the ARP request was received on.
Figure 4.8. Transparent mode scenario 1 Example 4.13. Setting up Transparent Mode - Scenario 1 Web Interface Configure the interfaces: 1. Go to Interfaces > Ethernet > Edit (wan) 2. Now enter: • IP Address: 10.0.0.1 • Network: 10.0.0.0/24 • Default Gateway: 10.
• Destination Interface: any • Source Network: 10.0.0.0/24 • Destination Network: all-nets (0.0.0.0/0) 3. Click OK Scenario 2 Here the D-Link Firewall in Transparent Mode separates server resources from an internal network by connecting them to a separate interface without the need for different address ranges.
Switch Route: Similar as shown in the previous example. Set up the switch route with the new interface group created earlier. Configure the rules: 1. Go to Rules > New Rule 2. The Rule Properties dialog will be displayed 3. Specify a suitable name for the rule, for instance HTTP-LAN-to-DMZ 4.
1. Go to Interfaces > Ethernet > Edit (lan) 2. Now enter: • IP Address: 10.0.0.1 • Network: 10.0.0.0/24 • Transparent Mode: Disable • Add route for interface network: Disable 3. Click OK 4. Go to Interfaces > Ethernet > Edit (dmz) 5.
3. Click OK 4. Go to Rules > IP Rules > Add > IPRule 5. Now enter: • Name: HTTP-WAN-to-DMZ • Action: SAT • Service: http • Source Interface: wan • Destination Interface: dmz • Source Network: all-nets • Destination Network: wan_ip • Translate: Select Destination IP • New IP Address: 10.
Chapter 5. DHCP Services This chapter describes DHCP services in NetDefendOS.
• Overview, page 127
• DHCP Servers, page 128
• Static DHCP Assignment, page 130
• DHCP Relaying, page 131
• IP Pools, page 132
5.
5.2. DHCP Servers NetDefendOS has the ability to act as one or more logical DHCP servers. Filtering of DHCP client requests is based on interface, so each NetDefendOS interface can have, at most, one single logical DHCP server associated with it.
Example 5.2. Checking the status of a DHCP server Web Interface Go to Status > DHCP Server in the menu bar. CLI To see the status of all servers: gw-world:/> dhcpserver To list all configured servers: gw-world:/> show dhcpserver Tip DHCP leases are remembered by the system between system restarts.
5.3. Static DHCP Assignment Where the administrator requires a fixed relationship between a client and the assigned IP address, NetDefendOS allows the assignment of a given IP to a specific MAC address. Example 5.3. Setting up Static DHCP This example shows how to assign the IP address 192.
5.4. DHCP Relaying With DHCP, clients send requests to locate the DHCP server(s) using broadcast messages. However, broadcasts are normally only propagated across the local network. This means that the DHCP server and client would always need to be in the same physical network area to be able to communicate.
5.5. IP Pools Overview IP pools are used to offer other subsystems access to a cache of DHCP IP addresses. These addresses are gathered into a pool by internally maintaining a series of DHCP clients (one per IP). The DHCP servers used by a pool can either be external or be DHCP servers defined in NetDefendOS itself.
greater than the prefetch parameter. The pool will start releasing (giving back IPs to the DHCP server) when the number of free clients exceeds this value. Maximum clients Optional setting used to specify the maximum number of clients (IPs) allowed in the pool.
Chapter 6. Security Mechanisms This chapter describes NetDefendOS security features. • Access Rules, page 135 • Application Layer Gateways, page 138 • Web Content Filtering, page 169 • Anti-Vi.
VPNs provide one means of avoiding spoofing but where a VPN is not an appropriate solution then Access Rules can provide an anti-spoofing capability by providing an extra filter for source address verification.
Example 6.1. Setting up an Access Rule A rule is to be defined that ensures no traffic with a source address not within the lannet network is received on the lan interface. CLI gw-world:/> add Access Name=lan_Access Interface=lan Network=lannet Action=Except Web Interface 1.
6.2. Application Layer Gateways 6.2.1. Overview To complement low-level packet filtering, which only inspects packet headers in protocols such as IP, TCP, UDP, and ICMP, D-Link Firewalls provide Application Layer Gateways (ALGs) which provide filtering at the higher application OSI level.
ALGs and Syn Flood Protection It should be noted that user-defined custom Service objects have the option to enable Syn Flood Protection, a feature which specifically targets Syn Flood attacks. If this option is enabled for a Service object then any ALG associated with that Service will not be used.
• Block Selected means that those filetypes marked will be automatically blocked as downloads. A file's contents will be analyzed to identify the correct filetype. If, for example, a file is found to contain .exe data but the filetype is not .
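The content-based filetype identification that Block Selected depends on, as an added example (not NetDefendOS code): the leading bytes of a download are matched against known signatures and compared with the type the file name claims. The signature table, the blocked set and the sample files are constructed assumptions.

```python
"""Added example (not NetDefendOS code): identify a download's real filetype from
its leading bytes and compare it with the type its name claims. The signature
table, blocked set and sample files are constructed assumptions."""

# A small table of well-known leading byte sequences (assumption: not exhaustive).
MAGIC_SIGNATURES = {
    b"MZ": "exe",                      # DOS/Windows PE executable stub
    b"PK\x03\x04": "zip",              # ZIP local file header
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",            # JPEG start-of-image marker
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Extensions that name the same type as a signature label (assumption).
EXTENSION_ALIASES = {"jpeg": "jpg", "dll": "exe"}


def detect_filetype(data: bytes) -> str:
    """Return the type implied by the file's leading bytes, or 'unknown'."""
    # Longest signatures first so a long magic is not shadowed by a shorter prefix.
    for magic in sorted(MAGIC_SIGNATURES, key=len, reverse=True):
        if data.startswith(magic):
            return MAGIC_SIGNATURES[magic]
    return "unknown"


def declared_filetype(filename: str) -> str:
    """Return the type the file name claims, normalised through the alias table."""
    if "." not in filename:
        return ""
    ext = filename.rsplit(".", 1)[1].lower()
    return EXTENSION_ALIASES.get(ext, ext)


def check_download(filename: str, data: bytes, blocked: set[str]) -> tuple[str, str]:
    """Decide whether a download is blocked.

    The content-derived type is checked first, so an executable renamed to
    .pdf is still caught; the declared extension is checked second so files
    whose content is unrecognised are still blocked by name. A mismatch that
    does not involve a blocked type is reported but allowed (assumption).
    """
    claimed = declared_filetype(filename)
    actual = detect_filetype(data)
    if actual in blocked:
        return "block", f"content is {actual} but file is named .{claimed or '?'}"
    if claimed in blocked:
        return "block", f"extension .{claimed} is blocked"
    if actual != "unknown" and claimed and actual != claimed:
        return "allow", f"type mismatch: named .{claimed}, content is {actual}"
    return "allow", "ok"


if __name__ == "__main__":
    # Constructed sample downloads.
    samples = [
        ("report.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),   # exe renamed to .pdf
        ("photo.jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("archive.pdf", b"PK\x03\x04\x14\x00"),          # zip named .pdf
        ("setup.exe", b"\x00\x00\x00\x00"),              # unrecognised content
    ]
    for name, content in samples:
        print(name, check_download(name, content, {"exe"}))
```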
client on the internal network connects through the firewall to an FTP server on the Internet. The IP rule is then configured to allow network traffic from the FTP client to port 21 on the FTP server. When active mode is used, NetDefendOS is not aware that the FTP server will establish a new connection back to the FTP client.
To make it possible to connect to this server from the Internet using the FTP ALG, the FTP ALG and rules should be configured as follows: Web Interface A. Define the ALG: 1. Go to Objects > ALG > Add > FTP ALG 2. Enter Name: ftp-inbound 3. Check Allow client to use active mode 4.
2. Now enter: • Name: SAT-ftp-inbound • Action: SAT • Service: ftp-inbound 3. For Address Filter enter: • Source Interface: any • Destination Interface: core • Source Network: all-nets • Destination Network: wan_ip (assuming the external interface has been defined as this) 4.
4. Click OK Example 6.3. Protecting FTP Clients In this scenario shown below the D-Link Firewall is protecting a workstation that will connect to FTP servers on the Internet. To make it possible to connect to these servers from the internal network using the FTP ALG, the FTP ALG and rules should be configured as follows: Web Interface A.
• Destination: 21 (the port the ftp server resides on) • ALG: select the newly created ftp-outbound 3. Click OK Rules (Using Public IPs). The following rule needs to be added to the IP rules if using public IPs; make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules.
TFTP is widely used in enterprise environments for updating software and backing up configurations on network devices. TFTP is recognised as being an inherently insecure protocol and its usage is often confined to internal networks. The NetDefendOS ALG provides an extra layer of security to TFTP in being able to put restrictions on its use.
Email Rate Limiting A maximum allowable rate of email messages can be specified. Email Size Limiting A maximum allowable size of email messages can be specified. This feature counts the total amount of bytes sent for a single email which is the header size plus body size plus the size of any email attachments after they are encoded.
When the NetDefendOS SPAM filtering function is configured, the IP address of the email's sending server can be sent to one or more DNSBL servers to find out if any DNSBL servers think it is from a spammer or not (NetDefendOS examines the IP packet headers to do this).
Buy this stock today! And if the tag text is defined to be " *** SPAM *** ", then the modified email's Subject field will become: *** SPAM *** Buy this stock today! And this is what the email's recipient will see in the summary of their inbox contents.
Logging There are three types of logging done by the SPAM filtering module: • Logging of dropped or SPAM tagged emails - These log messages include the source email address and IP as well as its weighted points score and which DNSBLs caused the event.
gw-world:/> dnsbl

DNSBL Contexts:

Name                     Status   Spam     Drop     Accept
------------------------ -------- -------- -------- --------
my_smtp_alg              active   156      65       34299
alt_smtp_alg             inactive 0        0        0

The -show option provides a summary of the SPAM filtering operation of a specific ALG.
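The SPAM filtering flow described above (DNSBL lookups on the sending server's IP, a weighted points score, drop/tag/accept, Subject tagging, per-ALG counters and the log fields), as an added example that is not NetDefendOS code. The DNSBL names, weights, thresholds and lookup results are constructed assumptions.

```python
"""Added example (not NetDefendOS code) of the SPAM filtering flow: each DNSBL
that lists the sending server's IP adds its weight to a points score, the score
selects drop / tag / accept, a tagged message gets the tag text prepended to
its Subject, and Spam/Drop/Accept counters are kept per ALG. DNSBL names,
weights, thresholds and lookup results are constructed assumptions."""

from dataclasses import dataclass


@dataclass
class SpamFilterConfig:
    weights: dict[str, int]          # DNSBL name -> weight added when it lists the IP
    drop_threshold: int              # score at or above this: drop the message
    spam_threshold: int              # score at or above this (below drop): tag it
    tag_text: str = "*** SPAM ***"


@dataclass
class AlgCounters:
    """Mirrors the Spam / Drop / Accept columns of the dnsbl command output."""
    spam: int = 0
    drop: int = 0
    accept: int = 0


# Constructed stand-in for live DNSBL queries: which list names which sender IP.
CONSTRUCTED_LISTINGS = {
    "dnsbl-a.example": {"203.0.113.10", "203.0.113.11"},
    "dnsbl-b.example": {"203.0.113.10"},
    "dnsbl-c.example": {"203.0.113.11"},
}


def dnsbl_score(sender_ip: str, cfg: SpamFilterConfig) -> tuple[int, list[str]]:
    """Sum the weights of every configured DNSBL that lists sender_ip."""
    hits = [name for name in cfg.weights
            if sender_ip in CONSTRUCTED_LISTINGS.get(name, set())]
    return sum(cfg.weights[name] for name in hits), hits


def verdict_for(score: int, cfg: SpamFilterConfig) -> str:
    """Compare the weighted score against the drop and spam thresholds."""
    if score >= cfg.drop_threshold:
        return "drop"
    if score >= cfg.spam_threshold:
        return "spam"
    return "accept"


def tag_subject(headers: dict[str, str], tag_text: str) -> dict[str, str]:
    """Return a copy of the headers with the tag text prepended to Subject."""
    tagged = dict(headers)
    tagged["Subject"] = f"{tag_text} {headers.get('Subject', '')}".rstrip()
    return tagged


def filter_message(sender_ip: str, headers: dict[str, str],
                   cfg: SpamFilterConfig, counters: AlgCounters):
    """Classify one message: returns (verdict, delivered headers or None, log line).

    The log line carries the sender address and IP, the weighted score and the
    DNSBLs that caused the event, the fields the logging description lists."""
    score, hits = dnsbl_score(sender_ip, cfg)
    verdict = verdict_for(score, cfg)
    log_line = (f"verdict={verdict} from={headers.get('From', '?')} ip={sender_ip} "
                f"score={score} dnsbls={','.join(hits) or '-'}")
    if verdict == "drop":
        counters.drop += 1
        return verdict, None, log_line
    if verdict == "spam":
        counters.spam += 1
        return verdict, tag_subject(headers, cfg.tag_text), log_line
    counters.accept += 1
    return verdict, dict(headers), log_line


if __name__ == "__main__":
    cfg = SpamFilterConfig(weights={"dnsbl-a.example": 2, "dnsbl-b.example": 3,
                                    "dnsbl-c.example": 1},
                           drop_threshold=5, spam_threshold=3)
    counters = AlgCounters()
    subject = "Buy this stock today!"
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.5"):   # constructed senders
        verdict, delivered, log = filter_message(ip, {"From": "x@example.com",
                                                      "Subject": subject}, cfg, counters)
        print(log, "->", delivered and delivered["Subject"])
    print(counters)
```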
Hide User This option prevents the POP3 server from revealing that a username does not exist. This prevents users from trying different usernames until they find a valid one. Allow Unknown Commands Non-standard POP3 commands not recognised by the ALG can be allowed or disallowed.
VOIP see also Section 6.2.8, “H.323”.) SIP Components The following components are the logical building blocks for SIP communication: User Agents These are the end points or "peers" that are involved in the peer-to-peer communication. These would typically be the workstation or device used in an IP telephony conversation.
Maximum Sessions per ID The number of simultaneous sessions that a single peer can be involved with is restricted by this value. The default number is 5. Maximum Registration Time The maximum time for registration with a SIP Registrar. The default value is 3600 seconds.
• A NAT rule for outbound traffic from user agents on the internal network to the SIP Proxy Server located externally. The SIP ALG will take care of all address translation needed by the NAT rule. This translation will occur both on the IP level and the application level.
Gateways An H.323 gateway connects two dissimilar networks and translates traffic between them. It provides connectivity between H.323 networks and non-H.323 networks such as public switched telephone networks (PSTN), translating protocols and converting media between them.
• The H.323 ALG supports version 5 of the H.323 specification. This specification is built upon H.225.0 v5 and H.245 v10. • In addition to supporting voice and video calls, the H.323 ALG supports application sharing over the T.120 protocol. T.120 uses TCP to transport data while voice and video are transported over UDP.
Web Interface Outgoing Rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323AllowOut • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.
Example 6.5. H.323 with private IP addresses In this scenario a H.323 phone is connected to the D-Link Firewall on a network with private IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.
• Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: Allow incoming calls to H.323 phone at ip-phone 3. Click OK To place a call to the phone behind the D-Link Firewall, place a call to the external IP address on the firewall.
1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323AllowIn • Action: Allow • Service: H323 • Source Interface: any • Destination Interface: lan • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: lannet • Comment: Allow incoming calls 3.
• Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: Allow incoming calls to H.323 phone at ip-phone 3. For SAT enter Translate Destination IP Address: To New IP Address: ip-phone (IP address of phone) 4.
Web Interface Incoming Gatekeeper Rules: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323In • Action: SAT • Service: H323-Gatekeeper • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.
Note There is no need to specify a specific rule for outgoing calls. NetDefendOS monitors the communication between "external" phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper.
Example 6.10. Using the H.323 ALG in a Corporate Environment This scenario is an example of a more complex network that shows how the H.323 ALG can be deployed in a corporate environment.
• Comment: Allow H.323 entities on lannet to connect to the Gatekeeper 3. Click OK 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: LanToGK • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gateway • Comment: Allow H.
1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: BranchToGW • Action: Allow • Service: H323-Gatekeeper • Source Interface: vpn-remote • Destination Interface: dmz • .
• Service: H323-Gatekeeper • Source Interface: dmz • Destination Interface: vpn-hq • Source Network: ip-branchgw • Destination Network: hq-net • Comment: Allow the Gateway to communicate with the Gatekeeper connected to the Head Office 3. Click OK Note There is no need to specify a specific rule for outgoing calls.
6.3. Web Content Filtering 6.3.1. Overview Web traffic is one of the biggest sources for security issues and misuse of the Internet. Inappropriate surfing habits can expose a network to many security threats as well as legal and regulatory liabilities.
Example 6.13. Stripping ActiveX and Java applets This example shows how to configure an HTTP Application Layer Gateway to strip ActiveX and Java applets. The example will use the content_filtering ALG object and presumes you have done one of the previous examples.
Note Web content filtering URL blacklisting is a separate concept from Section 6.7, “Blacklisting Hosts and Networks”. Example 6.14. Setting up a white and blacklist This example shows the use of static content filtering where NetDefendOS can block or permit certain web pages based on blacklists and whitelists.
6.3.4. Dynamic Web Content Filtering Overview NetDefendOS supports Dynamic Web Content Filtering (WCF) of web traffic, which enables an administrator to permit or block access to web pages based on the content of those web pages. This functionality is automated and it is not necessary to manually specify which URLs to block or allow.
Note New, uncategorized URLs sent to the D-Link network are treated as anonymous submissions and no record of the source of new submissions is kept. Categorizing Pages and Not Sites NetDefendOS dynamic filtering categorizes web pages and not sites.
5. In the Blocked Categories list, select Search Sites and click the >> button. 6. Click OK Then, create a Service object using the new HTTP ALG: 1. Go to Local Objects > Services > Add > TCP/UDP service 2. Specify a suitable name for the Service, eg.
FilteringCategories=SEARCH_SITES Web Interface First, create an HTTP Application Layer Gateway (ALG) Object: 1. Go to Objects > ALG > Add > HTTP ALG 2. Specify a suitable name for the ALG, eg. content_filtering 3. Click the Web Content Filtering tab 4.
Example 6.17. Reclassifying a blocked site This example shows how a user may propose a reclassification of a web site if he believes it is wrongly classified.
Category 2: News A web site may be classified under the News category if its content includes information articles on recent events pertaining to topics surrounding a locality (for example, town, city or nation) or culture, including weather forecasting information.
• www.buy-alcohol.se Category 7: Entertainment A web site may be classified under the Entertainment category if its content includes any general form of entertainment that is not specifically covered by another category. Some examples of this are music sites, movies, hobbies, special interest, and fan clubs.
• www.loadsofmoney.com.au • www.putsandcalls.com Category 12: E-Banking A web site may be classified under the E-Banking category if its content includes electronic banking information or services. This category does not include Investment related content; refer to the Investment Sites category (11).
Category 17: www-Email Sites A web site may be classified under the www-Email Sites category if its content includes online, web-based email facilities.
Examples might be: • www.sierra.org • www.walkingclub.org Category 23: Music Downloads A web site may be classified under the Music Downloads category if it provides online music downloading, uploading and sharing facilities as well as high bandwidth audio streaming.
A web site may be classified under the Drugs/Alcohol category if its content includes drug and alcohol related information or services. Some URLs categorised under this category may also be categorised under the Health category. Examples might be: • www.
6.4. Anti-Virus Scanning 6.4.1. Overview The NetDefendOS Anti-Virus module protects against malicious code carried in file downloads. Files may be downloaded as part of a web-page in an HTTP transfer, in an FTP download, or perhaps as an attachment to an email delivered through SMTP.
D-Link Firewall. However, the available free memory can place a limit on the number of concurrent scans that can be initiated. The administrator can increase the default amount of free memory available to Anti-Virus scanning through changing the AVSE_MAXMEMORY advanced setting.
1. General options Mode This must be one of: A. Enabled which means Anti-Virus is active. B. Audit which means it is active but logging will be the only action. Fail mode behaviour If a virus scan fails for any reason then the transfer can be dropped or allowed, with the event being logged.
Enabling of this function is recommended to make sure this form of attack cannot allow a virus to get through. The possible MIME types that can be checked are listed in Appendix C, Checked MIME filetypes.
1. Go to Objects > ALG > Add > HTTP ALG 2. Specify a suitable name for the ALG, for instance anti_virus 3. Click the Antivirus tab 4. Select Protect in the Mode dropdown list 5. Click OK B. Then, create a Service object using the new HTTP ALG: 1.
6.5. Intrusion Detection and Prevention 6.5.1. Overview Intrusion Definition Computer servers can sometimes have vulnerabilities which leave them exposed to attacks carried by network traffic. Worms, trojans and backdoor exploits are examples of such attacks which, if successful, can potentially compromise or take control of a server.
DFL-210/800/1600/2500 firewalls. This is a simplified IDP that gives basic protection against attacks. It is upgradeable to the professional level Advanced IDP. • Advanced IDP is a subscription based IDP system with a much broader range of database signatures for professional installations.
The console command > updatecenter -status will show the current status of the auto-update feature. This can also be done through the WebUI. Updating in High Availability Clusters Updating the IDP databases for both the D-Link Firewalls in an HA Cluster is performed automatically by NetDefendOS.
The option exists in NetDefendOS IDP to look for intrusions in all traffic, even the packets that are rejected by the IP rule set check for new connections, as well as packets that are not part of an existing connection. This provides the firewall administrator with a way to detect any traffic that appears to be an intrusion.
• Increasing throughput - Where the highest throughput possible is desirable, turning the option off can provide a slight increase in processing speed.
Using Groups Usually, several lines of attacks exist for a specific protocol, and it is best to search for all of them at the same time when analyzing network traffic. To do this, signatures related to a particular protocol are grouped together. For example, all signatures that refer to the FTP protocol form a group.
group name. Caution against using too many IDP signatures Do not use the entire signature database and avoid using signatures and signature groups unnecessarily. Instead, use only those signatures or groups applicable to the type of traffic you are trying to protect.
triggered. At least one new event occurs within the Hold Time of 120 seconds, thus reaching the log threshold level (at least 2 events have occurred). This results in an email being sent containing a summary of the IDP events.
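The log threshold and hold time behaviour described above, as an added example that is not NetDefendOS code: events are buffered from the first one, and when the 120 second hold time elapses a summary (standing in for the email) is produced only if at least 2 events arrived within that window. Sending the summary at hold-time expiry, and the event fields and signature names, are assumptions.

```python
"""Added example (not NetDefendOS code) of log threshold / hold time handling
for IDP events. The first event opens a window; when hold_time has elapsed a
summary is produced only if log_threshold events arrived inside the window,
otherwise the buffered events are discarded. Emitting at expiry, the event
fields and the signature names are assumptions."""

from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IdpEvent:
    time: float        # seconds since an arbitrary epoch
    signature: str     # IDP signature name (constructed sample values below)
    src_ip: str
    action: str        # "Protect" (connection dropped) or "Audit"


class IdpLogAggregator:
    def __init__(self, hold_time: float = 120.0, log_threshold: int = 2):
        self.hold_time = hold_time
        self.log_threshold = log_threshold
        self._window_start: Optional[float] = None
        self._buffer: list[IdpEvent] = []
        self.summaries: list[dict] = []   # each entry stands in for one summary email

    def add_event(self, event: IdpEvent) -> None:
        """Record an event, first closing a window whose hold time has expired."""
        self.tick(event.time)
        if self._window_start is None:
            self._window_start = event.time   # the first event starts the hold time
        self._buffer.append(event)

    def tick(self, now: float) -> None:
        """Advance the clock; close the window once the hold time has elapsed."""
        if self._window_start is not None and now - self._window_start >= self.hold_time:
            self._close_window()

    def _close_window(self) -> None:
        if len(self._buffer) >= self.log_threshold:
            self.summaries.append(self._summarise(self._buffer))
        # Below the threshold the events are dropped without a summary.
        self._buffer = []
        self._window_start = None

    def _summarise(self, events: list[IdpEvent]) -> dict:
        return {
            "window_start": self._window_start,
            "window_end": events[-1].time,
            "count": len(events),
            "by_signature": dict(Counter(e.signature for e in events)),
            "sources": sorted({e.src_ip for e in events}),
            "dropped_connections": sum(e.action == "Protect" for e in events),
        }


if __name__ == "__main__":
    agg = IdpLogAggregator(hold_time=120, log_threshold=2)
    # Constructed events: two within one hold time, then a lone event later.
    agg.add_event(IdpEvent(0.0, "example_smtp_signature", "198.51.100.7", "Protect"))
    agg.add_event(IdpEvent(60.0, "example_smtp_signature", "198.51.100.7", "Protect"))
    agg.tick(120.0)      # hold time expires: 2 events >= threshold -> summary
    agg.add_event(IdpEvent(1000.0, "example_ftp_signature", "203.0.113.9", "Audit"))
    agg.tick(1200.0)     # only 1 event in this window -> no summary
    for s in agg.summaries:
        print(s)
```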
CLI Create IDP Rule: gw-world:/> add IDPRule Service=smtp SourceInterface=wan SourceNetwork=wannet DestinationInterface=dmz DestinationNetwork=ip_mailserver Name=IDPMailSrvRule Create IDP Action: g.
When this IDP Rule has been created, an action must also be created, specifying what signatures the IDP should use when scanning data matching the IDP Rule, and what NetDefendOS should do in case an intrusion is discovered. Intrusion attempts should cause the connection to be dropped, so Action is set to Protect.
6.6. Denial-Of-Service (DoS) Attacks 6.6.1. Overview By embracing the Internet, enterprises experience new business opportunities and growth. The enterprise network and the applications that run over it are business critical. Not only can a company reach a larger number of customers via the Internet, it can serve them faster and more efficiently.
to run "ping -l 65510 1.2.3.4" on a Windows 95 system where 1.2.3.4 is the IP address of the intended victim. "Jolt" is simply a purpose-written program for generating such packets on operating systems whose ping commands refuse to generate oversized packets.
services expected to only serve the local network. • By stripping the URG bit by default from all TCP segments traversing the system (configurable via Advanced Settings > TCP > TCPUrg). WinNuke attacks will usually show up in NetDefendOS logs as normal drops with the name of the rule in your policy that disallowed the connection attempt.
The Traffic Shaping feature built into NetDefendOS also helps absorb some of the flood before it reaches protected servers. 6.6.8. TCP SYN Flood Attacks The TCP SYN Flood attack works by sending large amounts of TCP SYN packets to a given port and then not responding to SYN ACKs sent in response.
6.7. Blacklisting Hosts and Networks NetDefendOS implements a Blacklist of host or network IP addresses which can be utilized to protect against traffic coming from specific Internet sources.
Chapter 7. Address Translation This chapter describes NetDefendOS address translation capabilities. • Dynamic Network Address Translation, page 204 • NAT Pools, page 207 • Static Address Translation, page 210 The ability of NetDefendOS to change the IP address of packets as they pass through a D-Link Firewall is known as address translation.
Publish entry configured for the egress interface. Otherwise, the return traffic will not be received by the D-Link Firewall. The following example illustrates how NAT is applied in practice on a new connection: 1.
Protocols Handled by NAT Dynamic address translation is able to deal with the TCP, UDP and ICMP protocols with a good level of functionality since the algorithm knows which values can be adjusted to become unique in the three protocols.
7.2. NAT Pools Overview As discussed in Section 7.1, “Dynamic Network Address Translation”, NAT provides a way to have multiple internal clients and hosts with unique private internal IP addresses communicate to remote hosts through a single external public IP address.
Stateless NAT Pools The Stateless option means that no state table is maintained and the external IP address chosen for each new connection is the one that has the least connections already allocated to it. This means two connections from one internal host to the same external host may use two different external IP addresses.
2. Specify a suitable name for the IP range nat_pool_range 3. Enter 10.6.13.10-10.16.13.15 in the IP Address textbox (a network eg 10.6.13.0/24 could be used here - the 0 and 255 addresses will be automatically removed) 4. Click OK B. Next create a Stateful NAT Pool object called stateful_natpool: 1.
7.3. Static Address Translation NetDefendOS can translate entire ranges of IP addresses and/or ports. Such translations are transpositions, that is, each address or port is mapped to a corresponding address or port in the new range, rather than translating them all to the same address or port.
Then create a corresponding Allow rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Specify a suitable name for the rule, eg. Allow_HTTP_To_DMZ 3. Now enter: • Action: Allow • Service: http • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: wan_ip 4.
#  Action  Src Iface  Src Net  Dest Iface  Dest Net  Parameters
3  Allow   ext2       ext2net  core        wan_ip    http
4  NAT     lan        lannet   any         all-nets  All

This increases the number of rules for each interface allowed to communicate with the web server. However, the rule ordering is unimportant, which may help avoid errors.
• NetDefendOS translates the address in accordance with rule 1 and forwards the packet in accordance with rule 2: 10.0.0.3:1038 => 10.0.0.2:80 • wwwsrv processes the packet and replies: 10.0.0.2:80 => 10.0.0.3:1038 This reply arrives directly to PC1 without passing through the D-Link Firewall.
An example of when this is useful is when having several protected servers in a DMZ, and where each server should be accessible using a unique public IP address.
4. Click OK Publish the public addresses in the wan interface using ARP publish. One ARP item is needed for every IP address: 1. Go to Interfaces > ARP > Add > ARP 2. Now enter: • Mode: Publish • Interface: wan • IP Address: 195.55.66.77 3.
NetDefendOS can be used to translate ranges and/or groups into just one IP address.

#  Action  Src Iface  Src Net   Dest Iface  Dest Net                           Parameters
1  SAT     any        all-nets  core        194.1.2.16-194.1.2.20, 194.1.2.30  http SETDEST all-to-one 192.168.0.50 80

This rule produces an N:1 translation of all addresses in the group (the range 194.
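The two SAT translation shapes on this page, transposition (Section 7.3: each address or port maps to its counterpart in a new range) and all-to-one (the rule above), as an added example that is not NetDefendOS code. The group syntax follows the page; pairing group members by position in transposition mode is an assumption.

```python
"""Added example (not NetDefendOS code) of the two SAT translation shapes
discussed on this page: transposition, where each address or port in a range
maps to its counterpart in a new range, and all-to-one, where every address in
a group maps to one address and port. The group syntax follows the page
("194.1.2.16-194.1.2.20, 194.1.2.30"); pairing group members by position in
transposition mode is an assumption."""

from ipaddress import IPv4Address
from typing import Optional


def parse_group(spec: str) -> list[IPv4Address]:
    """Expand a comma-separated list of addresses and a-b ranges, in order."""
    addresses: list[IPv4Address] = []
    for part in (p.strip() for p in spec.split(",") if p.strip()):
        if "-" in part:
            first, last = (IPv4Address(x.strip()) for x in part.split("-", 1))
            if last < first:
                raise ValueError(f"range {part!r} runs backwards")
            addresses.extend(IPv4Address(n) for n in range(int(first), int(last) + 1))
        else:
            addresses.append(IPv4Address(part))
    return addresses


def sat_transpose(dest_ip: IPv4Address, dest_port: int, group: list[IPv4Address],
                  new_base: IPv4Address, port_range: Optional[tuple[int, int]] = None,
                  new_port_base: Optional[int] = None) -> Optional[tuple[IPv4Address, int]]:
    """1:1 translation: the i-th group address becomes new_base + i.

    If port_range is given, a port inside it is shifted by the same offset onto
    new_port_base; ports outside the range do not match the rule at all."""
    if dest_ip not in group:
        return None
    new_ip = IPv4Address(int(new_base) + group.index(dest_ip))
    if port_range is None:
        return new_ip, dest_port
    low, high = port_range
    if not low <= dest_port <= high:
        return None
    return new_ip, new_port_base + (dest_port - low)


def sat_all_to_one(dest_ip: IPv4Address, dest_port: int, group: list[IPv4Address],
                   new_ip: IPv4Address, new_port: int) -> Optional[tuple[IPv4Address, int]]:
    """N:1 translation: every address in the group is sent to new_ip:new_port."""
    if dest_ip not in group:
        return None
    return new_ip, new_port


if __name__ == "__main__":
    group = parse_group("194.1.2.16-194.1.2.20, 194.1.2.30")
    target = IPv4Address("192.168.0.50")
    for ip in ("194.1.2.16", "194.1.2.18", "194.1.2.30", "194.1.2.21"):   # last one is outside the group
        dest = IPv4Address(ip)
        print(ip, "all-to-one ->", sat_all_to_one(dest, 80, group, target, 80),
              "| transposed ->", sat_transpose(dest, 80, group, target))
```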
configuration. There is no definitive list of which protocols can or cannot be address translated. A general rule is that VPN protocols cannot usually be translated. In addition, protocols that open secondary connections in addition to the initial connection can be difficult to translate.
#  Action  Src Iface  Src Net  Dest Iface  Dest Net  Parameters
5  NAT     lan        lannet   any         all-nets  All

What happens now? • External traffic to wan_ip:80 will match rules 1 and 3, and will be sent to wwwsrv. Correct. • Return traffic from wwwsrv:80 will match rules 2 and 4, and will appear to be sent from wan_ip:80.
Chapter 8. User Authentication This chapter describes how NetDefendOS implements user authentication. • Overview, page 220 • Authentication Setup, page 221 8.
8.2. Authentication Setup 8.2.1. Setup Summary The following list summarizes the steps for User Authentication setup with NetDefendOS: • Set up a database of users, each with a username/password combination. This can exist locally in a NetDefendOS User DB object, or remotely on a RADIUS server and will be designated as the Authentication Source.
NetDefendOS acts as a RADIUS client, sending user credentials and connection parameter information as a RADIUS message to a nominated RADIUS server. The server processes the requests and sends back a RADIUS message to accept or deny them. One or more external servers can be defined in NetDefendOS.
combination. • Allow only one login per username. • Allow one login per username and logout an existing user with the same name if they have been idle for a specific length of time when the new login occurs. 8.2.5. Authentication Processing The list below describes the processing flow through NetDefendOS for username/password authentication: 1.
Changing the Management WebUI Port HTTP authentication will collide with the WebUI's remote management service which also uses TCP port 80. To avoid this, the WebUI port number should be changed before configuring authentication.
#  Action  Src Interface  Src Network    Dest Interface  Dest Network  Service
1  Allow   lan            lannet         core            lan_ip        http-all
2  NAT     lan            trusted_users  wan             all-nets      http-all
3  NAT     lan            lannet         wan             all-nets      dns-all
4  SAT     lan            lannet         wan             all-nets      all-to-one 127.
Example 8.1. Creating an authentication user group In the example of an authentication address object in the Address Book, a user group "users" is used to enable user authentication on "lannet". This example shows how to configure the user group in the NetDefendOS database.
• Source Network: lannet • Destination Interface core • Destination Network lan_ip 3. Click OK B. Set up the Authentication Rule 1. Go to User Authentication > User Authentication Rules > Add > User Authentication Rule 2.
d. Port: 1812 (RADIUS service uses UDP port 1812 by default) e. Retry Timeout: 2 (NetDefendOS will resend the authentication request to the server if there is no response after the timeout, for example every 2 seconds. This will be retried a maximum of 3 times) f.
Chapter 9. VPN This chapter describes VPN usage with NetDefendOS. • Overview, page 229 • VPN Quickstart Guide, page 231 • IPsec, page 240 • IPsec Tunnels, page 253 • PPTP/L2TP, page 260 9.1. Overview 9.1.1. The Need for VPNs Most networks are connected to each other through the Internet.
• Protecting mobile and home computers • Restricting access through the VPN to needed services only, since mobile computers are vulnerable • Creating DMZs for services that need to be shared wit.
9.2. VPN Quickstart Guide Later sections in this chapter will explore VPN components in detail. To help put those later sections in context, this section is a quickstart summary of the key steps in VPN setup. It outlines the individual steps in setting up VPNs for the most common VPN scenarios.
the Destination Interface. The rule's Destination Network is the remote network remote_net. • An Allow rule for inbound traffic that has the previously defined ipsec_tunnel object as the Source Interface.
Authentication section of an IP object. If that IP object is then used as the Source Network of a rule in the IP rule set, that rule will only apply to a user if their Group string matches the Group string of the IP object. (Note: Group has no meaning in Authentication Rules.)
• Create a Config Mode Pool object (there can only be one associated with a NetDefendOS installation) and associate with it the IP Pool object defined in the previous step. • Enable the IKE Config Mode option in the IPsec Tunnel object ipsec_tunnel.
3. Define a Pre-shared Key for the IPsec tunnel. 4. Define an IPsec Tunnel object (let's call this object ipsec_tunnel) with the following parameters: • Set Local Network to ip_ext (specify all-nets instead if NetDefendOS is behind a NATing device).
Action  Src Interface  Src Network  Dest Interface  Dest Network  Service
Allow   l2tp_tunnel    l2tp_pool    any             int_net       All
NAT     ipsec_tunnel   l2tp_pool    ext             all-nets      All

The second rule would be included to allow clients to surf the Internet via the ext interface on the D-Link Firewall.
• An int_net object which is the internal network from which the addresses come. • An ip_int object which is the internal IP address of the interface connected to the internal network.
• If certificates have been used, check that the correct certificates have been used and that they haven't expired. • Use ICMP Ping to confirm that the tunnel is working.
IPsec Tunnel   Local Net        Remote Net      Remote GW
------------   --------------   ------------    -------------
L2TP_IPSec     214.237.225.43   84.13.193.179   84.13.193.179
IPsec_Tun1     192.
9.3. IPsec 9.3.1. Overview Internet Protocol Security (IPsec) is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP security at the network layer.
IKE Negotiation The process of negotiating session parameters consists of a number of phases and modes. These are described in detail in the below sections.
Authentication can be accomplished through Pre-Shared Keys, certificates or public key encryption. Pre-Shared Keys are the most common authentication method today.
configurations. Remote Gateway The remote gateway will be doing the decryption/authentication and pass the data on to its final destination. This field can also be set to "none", forcing the D-Link VPN to treat the remote address as the remote gateway.
• Cast128 • 3DES • DES DES is only included to be interoperable with other older VPN implementations. Use of DES should be avoided whenever possible, since it is an old algorithm that is no longer considered secure. IKE Authentication This specifies the authentication algorithms used in the IKE negotiation phase.
PFS Group This specifies the PFS group to use with PFS. The PFS groups supported by NetDefendOS are: • 1 modp 768-bit • 2 modp 1024-bit • 5 modp 1536-bit Security increases as the PFS group bits grow larger, as does the time taken for the exchanges.
method where IKE is not used at all; the encryption and authentication keys as well as some other parameters are directly configured on both sides of the VPN tunnel. Note D-Link Firewalls do not support Manual Keying. Manual Keying Advantages Since it is very straightforward it will be quite interoperable.
roaming clients. Instead, should a client be compromised, the client's certificate can simply be revoked. No need to reconfigure every client. Certificate Disadvantages Added complexity. Certificate-based authentication may be used as part of a larger public key infrastructure, making all VPN clients and firewalls dependent on third parties.
9.3.5. NAT Traversal Both the IKE and IPsec protocols present a problem in the functioning of NAT. Neither protocol was designed to work through NATs and because of this, a technique called "NAT traversal" has evolved. NAT traversal is an add-on to the IKE and IPsec protocols that allows them to function when being NATed.
configuration is needed. However, for responding firewalls two points should be noted: • On responding firewalls, the Remote Gateway field is used as a filter on the source IP of received IKE packets. This should be set to allow the NATed IP address of the initiator.
1. Go to Objects > VPN Objects > IKE Algorithms > Add > IPsec Algorithms 2. Enter a name for the list eg. esp-l2tptunnel. 3. Now check the following: • DES • 3DES • SHA1 • MD5 4. Click OK Then, apply the proposal list to the IPsec tunnel: 1.
1. Go to Objects > Authentication Objects > Add > Pre-shared key 2. Enter a name for the pre-shared key eg. MyPSK 3. Choose Hexadecimal Key and click Generate Random Key to generate a key into the Passphrase textbox. 4. Click OK Then, apply the pre-shared key to the IPsec tunnel: 1.
gw-world:/MyIDList> cc Finally, apply the Identification List to the IPsec tunnel: gw-world:/> set Interface IPsecTunnel MyIPsecTunnel AuthMethod=Certificate IDList=MyIDList RootCertificates=AdminCert GatewayCertificate=AdminCert Web Interface First create an Identification List: 1.
9.4. IPsec Tunnels 9.4.1. Overview An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration capabilities as regular interfaces.
computer from different locations is a typical example of a roaming client. Apart from the need for secure VPN access, the other major issue with roaming clients is that the mobile user's IP address is often not known beforehand.
5. Under the Routing tab: • Enable the option: Dynamically add route to the remote network when a tunnel is established. 6. Click OK C. Finally configure the IP rule set to allow traffic inside the tunnel. 9.4.3.2. Self-signed Certificate based client tunnels Example 9.
3. For Algorithms enter: • IKE Algorithms: Medium or High • IPsec Algorithms: Medium or High 4. For Authentication enter: • Choose X.509 Certificate as authentication method • Root Certificate.
3. Click OK 4. Go to Objects > VPN Objects > ID List > Sales > Add > ID 5. Enter the name for the client 6. Select Email as Type 7. In the Email address field, enter the email address selected when you created the certificate on the client 8.
Currently only one Config Mode object can be defined in NetDefendOS and this is referred to as the Config Mode Pool object. The key parameters associated with it are as follows: Use Pre-defined IP Pool Object The IP Pool object that provides the IP addresses.
message includes the two IP addresses as well as the client identity. Optionally, the affected SA can be automatically deleted if validation fails by enabling the advanced setting IPsecDeleteSAOnIPValidationFailure . The default value for this setting is Disabled .
9.5. PPTP/L2TP The access by a client using a modem link over dial-up public switched networks, possibly with an unpredictable IP address, to protected networks via a VPN poses particular problems. PPTP and L2TP are two different means of achieving VPN access from remote clients. Note that PPTP's own authentication and encryption (MS-CHAPv2 with MPPE) are no longer considered secure; where a choice exists, L2TP inside an IPsec tunnel should be preferred.
gw-world:/> add Interface L2TPServer MyPPTPServer ServerIP=lan_ip Interface=any IP=wan_ip IPPool=pp2p_Pool TunnelProtocol=PPTP AllowedRoutes=all-nets Web Interface 1. Go to Interfaces > L2TP Servers > Add > L2TPServer 2. Enter a name for the PPTP Server eg.
3. Now enter: • Inner IP Address: ip_l2tp • Tunnel Protocol: L2TP • Outer Interface Filter: l2tp_ipsec • Outer Server IP: wan_ip 4. Under the PPP Parameters tab, select L2TP_Pool in the IP Pool control 5. Under the Add Route tab, select all_nets in the Allowed Networks control 6.
DHCPOverIPsec=Yes AddRouteToRemoteNet=Yes IPsecLifeTimeKilobytes=250000 IPsecLifeTimeSeconds=3600 Web Interface 1. Go to Interfaces > IPsec > Add > IPsec Tunnel 2. Enter a name for the IPsec tunnel, eg. l2tp_ipsec 3. Now enter: a. Local Network: wan_ip b.
7. In the ProxyARP control, select the lan interface. 8. Click OK In order to authenticate the users using the L2TP tunnel, a user authentication rule needs to be configured.
4. Click OK 5. Go to Rules > IP Rules > Add > IPRule 6. Enter a name for the rule, eg. NATL2TP 7. Now enter: • Action: NAT • Service: all_services • Source Interface: l2tp_tunnel • Source Network: l2tp_pool • Destination Interface: any • Destination Network: all-nets 8.
Chapter 10. Traffic Management This chapter describes how NetDefendOS can manage network traffic. • Traffic Shaping, page 267 • Threshold Rules, page 279 • Server Load Balancing, page 281 10.1. Traffic Shaping 10.1.1. Introduction QoS with TCP/IP A weakness of TCP/IP is the lack of true Quality of Service (QoS) functionality.
• Providing bandwidth guarantees. This is typically accomplished by treating a certain amount of traffic (the guaranteed amount) as high priority. Traffic exceeding the guarantee then has the same priority as "any other traffic", and competes with the rest of the non-prioritized traffic.
Figure 10.1. Pipe rule set to Pipe Packet Flow Where one pipe is specified in a list then that is the pipe whose characteristics will be applied to the traffic. If a series of pipes are specified then these will form a Chain of pipes through which traffic will pass.
CLI gw-world:/> add PipeRule ReturnChain=std-in SourceInterface=lan SourceNetwork=lannet DestinationInterface=wan DestinationNetwork=all-nets Service=all_services name=Outbound Web Interface 1. Go to Traffic Management > Traffic Shaping > Pipes > Add > Pipe Rule 2.
gw-world:/> add Pipe std-out LimitKbpsTotal=2000 Web Interface 1. Go to Traffic Management > Traffic Shaping > Pipes > Add > Pipe 2. Specify a name for the pipe, eg.
Setting up pipes in this way only puts limits on the maximum values for certain traffic types. It does not give priorities to different types of competing traffic. 10.1.6. Precedences All packets that pass through NetDefendOS traffic shaping pipes have a precedence.
These limits can be specified in kilobits per second and/or packets per second (if both are specified then the first limit reached will be the limit used). If precedences are used then the total limit for the pipe as a whole must be specified, so that the pipe knows what its capacity is and therefore when it is full and the precedences take effect.
for other services such as surfing, DNS or FTP. A means is therefore required to ensure that lower priority traffic gets some portion of bandwidth and this is done with Bandwidth Guarantees . 10.1.7. Guarantees Bandwidth guarantees ensure that there is a minimum amount of bandwidth available for a given precedence.
telnet-in pipes. Notice that we did not set a total limit for the ssh-in and telnet-in pipes. We do not need to since the total limit will be enforced by the std-in pipe at the end of the respective chains.
Instead of specifying a total group limit, the alternative is to enable the Dynamic Balancing option. This ensures that the available bandwidth is divided equally between all addresses regardless of how many there are and this is done up to the limit of the pipe.
specifying a "Per DestinationIP" grouping. Knowing when the pipe is full is not important since the only constraint is on each user. If precedences were used the pipe maximum would have to be used.
• A pipe can have a limit which is the maximum amount of traffic allowed. • A pipe can only know when it is full if a limit is specified. • A single pipe should handle traffic in only one direction (although 2 way pipes are allowed). • Pipes can be chained so that one pipe's traffic feeds into another pipe.
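The following is an added example, not code from the NetDefendOS manual or from D-Link: a small Python model of how a pipe with a total limit, per-precedence limits acting as guarantees, and best-effort demotion of excess traffic divides bandwidth in one scheduling interval, and how a chain of pipes feeds one pipe's output into the next. The pipe names, the kbps figures and the proportional sharing of leftover capacity are assumptions made for illustration.

```python
"""Added example: a model of a NetDefendOS-style traffic-shaping pipe with a
total limit, per-precedence limits used as bandwidth guarantees, demotion of
excess traffic to best effort, and pipe chaining.  Not NetDefendOS code;
all names and the kbps figures are assumptions."""
from typing import Dict, List, Optional

Demand = Dict[int, int]   # precedence -> kbps offered in this scheduling interval


class Pipe:
    def __init__(self, total_kbps: Optional[int], prec_limits: Optional[Dict[int, int]] = None):
        self.total_kbps = total_kbps            # None = no limit: the pipe never knows it is full
        self.prec_limits = prec_limits or {}    # precedence -> guaranteed kbps

    def schedule(self, demand: Demand) -> Demand:
        """Return kbps admitted per precedence.

        Pass 1 serves precedences highest first, each up to its own limit
        (the guarantee).  Pass 2 lets everything left over, i.e. traffic above
        a guarantee and traffic at precedences without one, compete for the
        remaining capacity at the lowest precedence, shared in proportion."""
        if self.total_kbps is None:
            return dict(demand)      # no total limit: nothing can be prioritised
        remaining = self.total_kbps
        admitted = {p: 0 for p in demand}
        excess: Demand = {}
        for p in sorted(demand, reverse=True):
            guaranteed = min(demand[p], self.prec_limits.get(p, 0), remaining)
            admitted[p] = guaranteed
            remaining -= guaranteed
            excess[p] = demand[p] - guaranteed
        total_excess = sum(excess.values())
        if total_excess and remaining:
            share = min(remaining, total_excess)
            for p, x in excess.items():
                admitted[p] += share * x // total_excess   # integer kbps; remainder is dropped
        return admitted


def run_chain(pipes: List[Pipe], demand: Demand) -> Demand:
    """Traffic passes through each pipe in turn; what one admits is the next pipe's demand."""
    for pipe in pipes:
        demand = pipe.schedule(demand)
    return demand


if __name__ == "__main__":
    ssh_in = Pipe(None)                       # per-service pipe without a total limit (as in 10.1.7)
    std_in = Pipe(2000, {2: 500})             # 2 Mbps total, 500 kbps guaranteed at precedence 2
    print(run_chain([ssh_in, std_in], {2: 800, 0: 3000}))
```

With 800 kbps offered at precedence 2 and 3000 kbps at precedence 0 into a 2000 kbps pipe guaranteeing 500 kbps at precedence 2, the first 500 kbps of the high-precedence traffic is always admitted, and its remaining 300 kbps competes with the 3000 kbps of best-effort traffic for the other 1500 kbps. A pipe created without a total limit passes everything through unchanged, which is why the text insists that a pipe can only enforce precedences when its total is specified.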
10.2. Threshold Rules 10.2.1. Overview The objective of a Threshold Rule is to have a means of detecting abnormal connection activity as well as reacting to it. An example of a cause for such abnormal activity might be an internal host becoming infected with a virus that is making repeated connections to external IP addresses.
10.2.5. Multiple Triggered Actions When a rule is triggered then NetDefendOS will perform the associated rule Actions that match the condition that has occurred. If more than one Action matches the condition then those matching Actions are applied in the order they appear in the user interface.
10.3. Server Load Balancing 10.3.1. Overview The Server Load Balancing (SLB) feature in NetDefendOS is a powerful tool that can improve the following aspects of network applications: • Performance • Scalability • Reliability • Ease of administration SLB allows network service demands to be shared among multiple servers.
SLB also means that network administrators can perform maintenance tasks on servers or applications without disrupting services. Individual servers can be restarted, upgraded, removed, or replaced, and new servers and applications can be added or moved without affecting the rest of a server farm, or taking down applications.
algorithm cycles through the server list and redirects the load to servers in order. Regardless of each server's capability and other aspects, for instance, the number of existing connections on a server or its response time, all the available servers take turns in being assigned the next connection.
If Connection Rate is applied instead, R1 and R2 will be sent to the same server because of stickiness, but the subsequent requests R3 and R4 will be routed to another server since the number of new connections on each server within the Window Time span is counted in for the distribution.
The key component in setting up SLB is the SLB_SAT rule in the IP rule set. The steps that should be followed are: 1. Define an Object for each server for which SLB is to be done. 2. Define a Group which includes all these objects. 3. Define an SLB_SAT Rule in the IP rule set which refers to this Group and where all other SLB parameters are defined.
4. Click OK 5. Repeat the above to create an object called server2 for the 192.168.1.11 IP address. B. Create a Group which contains the 2 webserver objects: 1. Go to Objects > Address Book > Add > IP4 Group 2. Enter a suitable name, eg. server_group 3.
• Service: HTTP • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: ip_ext 3. Click OK 10.
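As an added example (not NetDefendOS code and not part of the manual), the Python below simulates the two distribution algorithms described above, Round Robin and Connection Rate, together with per-source stickiness, and replays the R1 to R4 sequence from the text: R1 and R2 come from one client, R3 and R4 from two further clients. The server names, client addresses, Window Time and idle timeout are assumptions; the point is to make visible why stickiness sends R2 to the same server as R1, and why Connection Rate then steers R3 and R4 away from a server that already carries two recent connections.

```python
"""Added example: Round Robin vs Connection Rate distribution with source
stickiness, in the spirit of NetDefendOS SLB (10.3).  Not NetDefendOS code;
server names, addresses and timing constants are assumptions."""
from collections import deque
from typing import Deque, Dict, Iterable, List, Tuple


class Balancer:
    def __init__(self, servers: List[str], algorithm: str = "round_robin",
                 window_time: float = 10.0, idle_timeout: float = 30.0):
        assert algorithm in ("round_robin", "connection_rate")
        self.servers = servers
        self.algorithm = algorithm
        self.window_time = window_time      # Window Time used by Connection Rate
        self.idle_timeout = idle_timeout    # how long a source stays stuck to its server
        self._rr = 0
        self._recent: Dict[str, Deque[float]] = {s: deque() for s in servers}
        self._sticky: Dict[str, Tuple[str, float]] = {}   # source ip -> (server, last seen)

    def _expire(self, now: float) -> None:
        # Forget new-connection timestamps outside the window and idle sticky entries.
        for q in self._recent.values():
            while q and now - q[0] > self.window_time:
                q.popleft()
        self._sticky = {ip: (srv, t) for ip, (srv, t) in self._sticky.items()
                        if now - t <= self.idle_timeout}

    def pick(self, src_ip: str, now: float) -> str:
        """Choose the server for a new connection from src_ip at time now."""
        self._expire(now)
        if src_ip in self._sticky:                 # stickiness wins over the algorithm
            server = self._sticky[src_ip][0]
        elif self.algorithm == "round_robin":      # next server in turn, regardless of load
            server = self.servers[self._rr % len(self.servers)]
            self._rr += 1
        else:                                      # fewest new connections inside Window Time
            server = min(self.servers, key=lambda s: len(self._recent[s]))
        self._recent[server].append(now)
        self._sticky[src_ip] = (server, now)
        return server


def distribute(algorithm: str, requests: Iterable[Tuple[str, float]]) -> List[str]:
    """Replay (source ip, timestamp) requests against two servers; return the chosen server per request."""
    lb = Balancer(["server1", "server2"], algorithm)
    return [lb.pick(ip, t) for ip, t in requests]


# Constructed request sequence: R1 and R2 from the same client, R3 and R4 from two other clients.
REQUESTS = [("10.0.0.1", 0.0), ("10.0.0.1", 1.0), ("10.0.0.2", 2.0), ("10.0.0.3", 3.0)]

if __name__ == "__main__":
    print("round robin     :", distribute("round_robin", REQUESTS))
    print("connection rate :", distribute("connection_rate", REQUESTS))
```

Round Robin places R4 back on server1 because it only cycles through the list, whereas Connection Rate counts the two recent connections already on server1 and sends both R3 and R4 to server2, which is the behaviour the text describes.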
Chapter 11. High Availability This chapter describes the high availability fault-tolerance feature in D-Link Firewalls. • Overview, page 289 • High Availability Mechanisms, page 291 • High Availability Setup , page 293 • High Availability Issues, page 296 11.
D-Link HA will only operate between two D-Link Firewalls. As the internal operation of different security gateway manufacturers' software is completely dissimilar, there is no common method available for communicating state information to a dissimilar device.
11.2. High Availability Mechanisms D-Link HA provides a redundant, state-synchronized hardware configuration. The state of the active unit, such as the connection table and other vital information, is continuously copied to the inactive unit via the sync interface.
packets destined for the shared hardware address.
11.3. High Availability Setup This section provides a step-by-step guide for setting up an HA Cluster. 11.3.1. Hardware Setup 1. Start with two physically similar D-Link Firewalls. Both may be newly purchased or one may have been purchased to be the back-up unit (in other words, to be the slave unit).
3. Decide on a shared IP address for each interface in the cluster. Some interfaces could have shared addresses only with others having unique individual addresses as well.
This device is an HA MASTER This device is currently ACTIVE (will forward traffic) HA cluster peer is ALIVE Then use the stat command to verify that both master and slave have about the same number of connections.
11.4. High Availability Issues The following points should be kept in mind when managing and configuring an HA Cluster. SNMP SNMP statistics are not shared between master and slave. SNMP managers have no failover capabilities. Therefore both firewalls in a cluster need to be polled separately.
Chapter 12. ZoneDefense This chapter describes the D-Link ZoneDefense feature. • Overview, page 298 • ZoneDefense Switches, page 299 • ZoneDefense Operation, page 300 12.1. Overview ZoneDefense allows a D-Link Firewall to control locally attached switches.
12.2. ZoneDefense Switches Switch information regarding every switch that is to be controlled by the firewall has to be manually specified in the firewall configuration.
12.3. ZoneDefense Operation 12.3.1. SNMP Simple Network Management Protocol (SNMP) is an application layer protocol for complex network management. SNMP allows the managers and managed devices in a network to communicate with each other.
As a complement to threshold rules, it is also possible to manually define hosts and networks that are to be statically blocked or excluded. Manually blocked hosts and networks can be blocked by default or based on a schedule. It is also possible to specify which protocols and protocol port numbers are to be blocked.
2. For Addresses choose the object name of the firewall's interface address 192.168.1.1 from the Available list and put it into the Selected list. 3. Click OK Configure an HTTP threshold of 10 connections/second: 1. Go to Traffic Management > Threshold Rules > Add > Threshold Rule 2.
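The following is an added example and not NetDefendOS code: a sliding-window connection-rate detector of the kind the Threshold Rules overview (10.2) and the ZoneDefense procedure above describe, run over a constructed connection log in which one internal host opens HTTP connections far faster than 10 per second while a second host stays well below the limit. The log format, the rule fields (service port, per-second limit, "Audit" versus "Protect" action) and the addresses are assumptions made for illustration.

```python
"""Added example: a per-host connection-rate threshold in the spirit of
NetDefendOS Threshold Rules and the ZoneDefense HTTP example (10 conn/s).
Not NetDefendOS code; log format, rule fields and addresses are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass
class ThresholdRule:
    service_port: int          # e.g. 80 for HTTP
    limit_per_second: int      # new connections per second that trigger the rule
    action: str = "Protect"    # "Audit" only logs; "Protect" also blocks the source


class ThresholdMonitor:
    def __init__(self, rule: ThresholdRule):
        self.rule = rule
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)   # src -> timestamps in last second
        self.blocked: set = set()
        self.events: List[Tuple[float, str, str]] = []

    def new_connection(self, ts: float, src: str, dport: int) -> str:
        """Feed one new connection; return 'allow', 'audit' or 'block'."""
        if dport != self.rule.service_port:
            return "allow"                   # rule only covers one service
        if src in self.blocked:
            return "block"                   # source already blocked by an earlier trigger
        q = self._recent[src]
        q.append(ts)
        while q and ts - q[0] >= 1.0:        # keep only the last whole second
            q.popleft()
        if len(q) > self.rule.limit_per_second:
            self.events.append((ts, src, self.rule.action))
            if self.rule.action == "Protect":
                self.blocked.add(src)
                return "block"
            return "audit"
        return "allow"


def make_sample_log() -> List[str]:
    """Constructed log lines: 'ts src_ip dst_ip dport', one per new connection."""
    lines = ["%.2f 192.168.1.50 10.0.0.5 80" % (0.03 * i) for i in range(15)]   # burst: 15 conn in 0.42 s
    lines += ["%.2f 192.168.1.51 10.0.0.5 80" % (0.4 * i) for i in range(5)]    # normal: 5 conn in 1.6 s
    lines += ["0.10 192.168.1.50 10.0.0.53 53"]                                 # DNS, not matched by the rule
    return sorted(lines, key=lambda line: float(line.split()[0]))


def run(lines: List[str], rule: ThresholdRule) -> Tuple[Dict[str, int], ThresholdMonitor]:
    """Replay the log through the monitor; return verdict counts and the monitor state."""
    mon = ThresholdMonitor(rule)
    verdicts: Dict[str, int] = defaultdict(int)
    for line in lines:
        ts, src, _dst, dport = line.split()
        verdicts[mon.new_connection(float(ts), src, int(dport))] += 1
    return dict(verdicts), mon


if __name__ == "__main__":
    counts, monitor = run(make_sample_log(), ThresholdRule(80, 10, "Protect"))
    print(counts, sorted(monitor.blocked))
```

The eleventh HTTP connection from 192.168.1.50 inside one second exceeds the limit of 10; with the "Protect" action that source is blocked and its remaining connections are dropped, while the DNS connection from the same host and the slow HTTP client are unaffected. With "Audit" the same connections are only logged.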
Chapter 13. Advanced Settings This chapter describes the configurable advanced settings for NetDefendOS. The settings are divided up into the following categories: Note After an advanced setting is cha.
LogNonIP4 Logs occurrences of IP packets that are not version 4. NetDefendOS only accepts version 4 IP packets; everything else is discarded. Default: 256 LogReceivedTTL0 Logs occurrences of IP packets received with the "Time To Live" (TTL) value set to zero.
Verifies that the size information contained in each "layer" (Ethernet, IP, TCP, UDP, ICMP) is consistent with that of other layers. Default: ValidateLogBad IPOptionSizes Verifies the size of "IP options". These options are small blocks of information that may be added to the end of each IP header.
13.2. TCP Level Settings TCPOptionSizes Verifies the size of TCP options. This function acts in the same way as IPOptionSizes described above. Default: ValidateLogBad TCPMSSMin Determines the minimum permissible size of the TCP MSS. Packets containing maximum segment sizes below this limit are handled according to the next setting.
Default: 7000 bytes TCPZeroUnusedACK Determines whether NetDefendOS should set the ACK sequence number field in TCP packets to zero if it is not used. Some operating systems reveal sequence number information this way, which can make it easier for intruders wanting to hijack established connections.
to transport alternate checksums where permitted by ALTCHKREQ above. Normally never seen on modern networks. Default: StripLog TCPOPT_CC Determines how NetDefendOS will handle connection count options. Default: StripLogBad TCPOPT_OTHER Specifies how NetDefendOS will deal with TCP options not covered by the above settings.
Specifies how NetDefendOS will deal with TCP packets with either the Xmas or Ymas flag turned on. These flags are currently mostly used by OS Fingerprinting.
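The following is an added example, not NetDefendOS code and not taken from the manual: a Python inspector for a raw TCP segment that performs the kinds of checks the LayerSizeConsistency, TCPOptionSizes, TCPMSSMin and TCPOPT_OTHER settings describe, and reports segments with the reserved ("Xmas/Ymas") bits set. It refuses option lengths of 0 or 1 (which would otherwise stall a naive option walker), lengths that run past the header, and fixed-length options with the wrong length; unknown option kinds are overwritten with NOPs so the header length stays consistent, mirroring a "StripLog" disposition. The option-kind table, the minimum MSS value and the constructed test segments are assumptions.

```python
"""Added example: TCP header and option validation in the spirit of the
LayerSizeConsistency, TCPOptionSizes, TCPMSSMin and TCPOPT_OTHER settings.
Not NetDefendOS code; option table, TCP_MSS_MIN and sample segments are assumptions."""
import struct
from typing import Dict, List, Tuple

# Option kinds with fixed lengths (MSS, window scale, SACK-permitted, timestamps);
# SACK blocks (kind 5) are the only variable-length option accepted here.
FIXED_LEN = {2: 4, 3: 3, 4: 2, 8: 10}
VARIABLE_KINDS = {5}
TCP_MSS_MIN = 100   # assumed value for the TCPMSSMin check in this example


class DropLog(Exception):
    """Raised where the firewall would drop the segment and log the reason."""


def parse_options(raw: bytes) -> Tuple[Dict[int, bytes], List[int], bytes]:
    """Walk the option area; return (known options, stripped kinds, sanitised option bytes)."""
    known: Dict[int, bytes] = {}
    stripped: List[int] = []
    kept = bytearray()
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                  # End of option list: the rest is padding
            kept += raw[i:]
            break
        if kind == 1:                  # NOP has no length byte
            kept.append(1)
            i += 1
            continue
        if i + 1 >= len(raw):
            raise DropLog("option kind %d without a length byte" % kind)
        length = raw[i + 1]
        # A length of 0 or 1 never advances the cursor (classic parser hang);
        # a length past the header end is a truncated/overrunning option.
        if length < 2 or i + length > len(raw):
            raise DropLog("option kind %d has bad length %d" % (kind, length))
        if kind in FIXED_LEN and length != FIXED_LEN[kind]:
            raise DropLog("option kind %d length %d, expected %d" % (kind, length, FIXED_LEN[kind]))
        if kind in FIXED_LEN or kind in VARIABLE_KINDS:
            known[kind] = raw[i + 2:i + length]
            kept += raw[i:i + length]
        else:
            stripped.append(kind)      # TCPOPT_OTHER = StripLog
            kept += b"\x01" * length   # replace with NOPs so the data offset stays valid
        i += length
    return known, stripped, bytes(kept)


def inspect_tcp(segment: bytes) -> dict:
    """Validate one TCP segment (header plus payload) and return its sanitised form."""
    if len(segment) < 20:
        raise DropLog("segment shorter than the 20-byte TCP header")
    _sport, _dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):     # LayerSizeConsistency
        raise DropLog("data offset %d inconsistent with segment length %d" % (data_offset, len(segment)))
    known, stripped, kept = parse_options(segment[20:data_offset])
    mss = struct.unpack("!H", known[2])[0] if 2 in known else None
    if mss is not None and mss < TCP_MSS_MIN:                # TCPMSSMin
        raise DropLog("MSS %d below minimum %d" % (mss, TCP_MSS_MIN))
    return {
        "reserved_bits": (off_flags >> 9) & 0x7,   # non-zero: Xmas/Ymas-style fingerprinting probe
        "flags": off_flags & 0x1FF,
        "mss": mss,
        "stripped_kinds": stripped,
        "sanitised": segment[:20] + kept + segment[data_offset:],
    }


def build_tcp(options: bytes = b"", reserved: int = 0, payload: bytes = b"") -> bytes:
    """Constructed SYN segment for testing: pads options to 4 bytes and sets the data offset."""
    options += b"\x00" * (-len(options) % 4)
    off_flags = ((20 + len(options)) // 4) << 12 | (reserved & 0x7) << 9 | 0x002
    header = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, off_flags, 65535, 0, 0)
    return header + options + payload
```

Calling inspect_tcp on build_tcp(b"\x02\x04\x05\xb4") yields an MSS of 1460 with nothing stripped; a segment carrying an option with length 0, or whose data offset claims 60 bytes of header in a 24-byte segment, raises DropLog instead of being forwarded.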
13.3. ICMP Level Settings ICMPSendPerSecLimit Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section.
13.4. ARP Settings ARPMatchEnetSender Determines if NetDefendOS will require the sender address at Ethernet level to comply with the hardware address reported in the ARP data. Default: DropLog ARPQueryNoSenderIP What to do with ARP queries that have a sender IP of 0.
ARPExpire Specifies how long a normal dynamic item in the ARP table is to be retained before it is removed from the table. Default: 900 seconds (15 minutes) ARPExpireUnknown Specifies how long NetDefendOS is to remember addresses that cannot be reached.
13.5. Stateful Inspection Settings LogConnectionUsage This generates a log message for every packet that passes through a connection that is set up in the NetDefendOS state-engine. Traffic whose destination is the D-Link Firewall itself, for example NetDefendOS management traffic, is not subject to this setting.
• NoLog – Does not log any connections; consequently, it will not matter if logging is enabled for either Allow or NAT rules in the Rules section; they will not be logged. However, FwdFast, Drop and Reject rules will be logged as stipulated by the settings in the Rules section.
13.6. Connection Timeouts The settings in this section specify how long a connection can remain idle, ie. no data being sent through it, before it is automatically closed. Please note that each connection has two timeout values: one for each direction.
Default: False AllowBothSidesToKeepConnAlive_UDP
13.7. Size Limits by Protocol This section contains information about the size limits imposed on the protocols directly under IP level, ie. TCP, UDP, ICMP, etc. The values specified here concern the IP data contained in packets. In the case of Ethernet, a single packet can contain up to 1480 bytes of IP data without fragmentation.
MaxSKIPLen Specifies the maximum size of a SKIP packet. Default: 2000 bytes MaxOSPFLen Specifies the maximum size of an OSPF packet. OSPF is a routing protocol mainly used in larger LANs. Default: 1480 MaxIPIPLen Specifies the maximum size of an IP-in-IP packet.
13.8. Fragmentation Settings IP is able to transport up to 65535 bytes of data in one datagram. However, most media, such as Ethernet, cannot carry such huge packets. To compensate, the IP stack fragments the data to.
Default: Check8 – compare 8 random locations, a total of 32 bytes FragReassemblyFail Reassemblies may fail due to one of the following causes: • Some of the fragments did not arrive within the time stipulated by the ReassTimeout or ReassTimeLimit settings.
not match up. Possible settings are as follows: • NoLog - No logging is carried out under normal circumstances. • LogSuspect - Logs duplicated fragments if the reassembly procedure has been affected by "suspect" fragments. • LogAll - Always logs duplicated fragments.
Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in its memory in order to prevent further fragments of that packet from arriving.
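As an added example (not NetDefendOS code), the Python below implements a small IP fragment reassembler with the failure handling this section describes: overlapping fragments whose contents disagree cause a reassembly failure, a fragment set that does not complete within the timeout is discarded, and once a datagram has been marked illegal its identifier is remembered so that late fragments are dropped rather than starting a new reassembly. Where the text says the appliance compares 8 random locations in duplicated fragments, this model compares the whole overlap. The timeout value, the identifiers and the fragment contents are assumptions.

```python
"""Added example: IP fragment reassembly with overlap checking, timeout and
memory of illegal datagrams, modelling 13.8 (FragReassemblyFail, duplicate
fragment checks).  Not NetDefendOS code; REASS_TIMEOUT and data are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

REASS_TIMEOUT = 65.0   # assumed seconds; stands in for the ReassTimeout setting


@dataclass
class Fragment:
    ident: int           # IP identification field (src/dst/protocol omitted for brevity)
    offset: int          # byte offset into the datagram (fragment offset * 8)
    more: bool           # More Fragments flag
    data: bytes


@dataclass
class Pending:
    first_seen: float
    pieces: List[Tuple[int, bytes]] = field(default_factory=list)
    total_len: Optional[int] = None       # known once the last fragment (MF=0) arrives


class Reassembler:
    def __init__(self) -> None:
        self.pending: Dict[int, Pending] = {}
        self.illegal: Set[int] = set()    # datagrams already judged illegal
        self.log: List[str] = []

    def feed(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Accept one fragment; return the complete datagram when reassembly finishes."""
        if frag.ident in self.illegal:
            self.log.append("drop id=%d: datagram already marked illegal" % frag.ident)
            return None
        p = self.pending.setdefault(frag.ident, Pending(now))
        if now - p.first_seen > REASS_TIMEOUT:
            self._fail(frag.ident, "timeout")
            return None
        # Duplicate/overlap check: every byte overlapping an earlier fragment must match.
        for off, data in p.pieces:
            lo = max(off, frag.offset)
            hi = min(off + len(data), frag.offset + len(frag.data))
            if lo < hi and data[lo - off:hi - off] != frag.data[lo - frag.offset:hi - frag.offset]:
                self._fail(frag.ident, "overlapping fragments with different contents")
                return None
        p.pieces.append((frag.offset, frag.data))
        if not frag.more:
            p.total_len = frag.offset + len(frag.data)
        return self._try_complete(frag.ident, p)

    def _try_complete(self, ident: int, p: Pending) -> Optional[bytes]:
        if p.total_len is None:
            return None                   # last fragment not seen yet
        buf = bytearray(p.total_len)
        covered = bytearray(p.total_len)
        for off, data in p.pieces:
            if off + len(data) > p.total_len:
                self._fail(ident, "fragment extends past the last fragment")
                return None
            buf[off:off + len(data)] = data
            covered[off:off + len(data)] = b"\x01" * len(data)
        if not all(covered):
            return None                   # holes remain; keep waiting
        del self.pending[ident]
        return bytes(buf)

    def _fail(self, ident: int, reason: str) -> None:
        self.log.append("FragReassemblyFail id=%d: %s" % (ident, reason))
        self.pending.pop(ident, None)
        self.illegal.add(ident)           # remember, so further fragments are dropped
```

Feeding the fragments of one datagram out of order still yields the complete datagram once the last piece arrives, whereas a second fragment that rewrites bytes already received with different contents marks that datagram illegal, and any further fragment with the same identifier is dropped on arrival.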
13.9. Local Fragment Reassembly Settings LocalReass_MaxConcurrent Maximum number of concurrent local reassemblies. Default: 256 LocalReass_MaxSize Maximum size of a locally reassembled packet. Default: 10000 LocalReass_NumLarge Number of large ( over 2K) local reassembly buffers (of the above size).
13.10. DHCP Settings DHCP_MinimumLeaseTime Minimum lease time (seconds) accepted from the DHCP server. Default: 60 DHCP_ValidateBcast Require that the assigned broadcast address is the highest address in the assigned network. Default: Enabled DHCP_AllowGlobalBcast Allow DHCP server to assign 255.
13.11. DHCPRelay Settings DHCPRelay_MaxTransactions Maximum number of transactions at the same time. Default: 32 DHCPRelay_TransactionTimeout For how long a DHCP transaction can take place. Default: 10 seconds DHCPRelay_MaxPPMPerIface How many DHCP packets a client can send through NetDefendOS to the DHCP server during one minute.
13.12. DHCPServer Settings DHCPServer_SaveLeasePolicy What policy should be used to save the lease database to the disk, possible settings are Disabled, ReconfShut, or ReconfShutTimer. Default: ReconfShut DHCPServer_AutoSaveLeaseInterval How often should the leases database be saved to disk if DHCPServer_SaveLeasePolicy is set to ReconfShutTimer.
13.13. IPsec Settings IKESendInitialContact Determines whether or not IKE should send the "Initial Contact" notification message. This message is sent to each remote gateway when a connection is opened to it and there are no previous IPsec SA using that gateway.
IPsecDeleteSAOnIPValidationFailure Controls what happens to the SAs if IP validation in Config Mode fails. If Enabled, the security associations (SAs) are deleted on failure.
13.14. Logging Settings LogSendPerSecLimit This setting limits how many log packets NetDefendOS may send out per second. This value should never be set too low, as this may result in important events not being logged, nor should it be set too high.
13.15. Time Synchronization Settings TimeSync_SyncInterval Seconds between each resynchronization. Default: 86400 TimeSync_MaxAdjust Maximum time drift that a server is allowed to adjust. Default: 3600 TimeSync_ServerType Type of server for time synchronization, UDPTime or SNTP (Simple Network Time Protocol).
DST offset in minutes. Default: 0 TimeSync_DSTStartDate What month and day DST starts, in the format MM-DD. Default: none TimeSync_DSTEndDate What month and day DST ends, in the format MM-DD.
13.16. PPP Settings PPP_L2TPBeforeRules Pass L2TP traffic sent to the D-Link Firewall directly to the L2TP Server without consulting the rule set. Default: Enabled PPP_PPTPBeforeRules Pass PPTP traffic sent to the D-Link Firewall directly to the PPTP Server without consulting the rule set.
13.17. Hardware Monitor Settings HWM_PollInterval Polling interval for the Hardware Monitor, which is the delay in milliseconds between readings of hardware monitor values. Minimum 100, Maximum 10000. Default: 500 ms HWMMem_Interval Memory polling interval, which is the delay in minutes between readings of memory values.
13.18. Packet Re-assembly Settings Packet re-assembly collects IP fragments into complete IP datagrams and, for TCP, reorders segments so that they are processed in the correct order and also to keep track of potential segment overlaps and to inform other subsystems of such overlaps.
13.19. Miscellaneous Settings BufFloodRebootTime As a final way out, NetDefendOS automatically reboots if its buffers have been flooded for a long time. This setting specifies this amount of time. Default: 3600 MaxPipeUsers The maximum number of pipe users to allocate.
Appendix A. Subscribing to Security Updates Introduction The NetDefendOS Anti-Virus (AV) module, the Intrusion Detection and Prevention (IDP) module and the Dynamic Web Content Filtering module all function using external D-Link databases which contain details of the latest viruses, security threats and URL categorization.
Querying Update Status To get the status of IDP updates use the command: gw-world:/> updatecenter -status IDP To get the status of AV updates: gw-world:/> updatecenter -status Antivirus Querying.
Appendix B. IDP Signature Groups For IDP scanning, the following signature groups are available for selection. These groups are available only for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS , IPS and Policy .
Group Name Intrusion Type FTP_FORMATSTRING Format string attack FTP_GENERAL FTP protocol and implementation FTP_LOGIN Login attacks FTP_OVERFLOW FTP buffer overflow GAME_BOMBERCLONE Bomberclone game G.
Group Name Intrusion Type POP3_DOS Denial of Service for POP POP3_GENERAL Post Office Protocol v3 POP3_LOGIN-ATTACKS Password guessing and related login attack POP3_OVERFLOW POP3 server overflow POP3_.
Group Name Intrusion Type TFTP_OPERATION Operation Attack TFTP_OVERFLOW TFTP buffer overflow attack TFTP_REPLY TFTP Reply attack TFTP_REQUEST TFTP request attack TROJAN_GENERAL Trojan UDP_GENERAL Gene.
Appendix C. Checked MIME filetypes The HTTP Application Layer Gateway has the ability to verify that the contents of a file downloaded via the HTTP protocol is the type that the filetype in its filename indicates.
Filetype extension Application elc eMacs Lisp Byte-compiled Source Code emd ABT EMD Module/Song Format file esp ESP archive data exe Windows Executable fgf Free Graphics Format file flac Free Lossless.
Filetype extension Application pac CrossePAC archive data pbf Portable Bitmap Format Image pbm Portable Bitmap Graphic pdf Acrobat Portable Document Format pe Portable Executable file pfb PostScript T.
Filetype extension Application wk Lotus 1-2-3 document wmv Windows Media file wrl, vrml Plain Text VRML file xcf GIMP Image file xm Fast Tracker 2 Extended Module , audio file xml XML file xmcd xmcd d.
Appendix D. The OSI Framework The Open Systems Interconnection Model defines a framework for intercomputer communications. It categorizes different protocols for a great variety of network applications into seven smaller, more manageable layers.
Appendix E. D-Link worldwide offices Below is a complete list of D-Link worldwide sales offices. Please check your own country area's local website for further details regarding support of D-Link products as well as contact details for local support.
FAX: +972-9-9715601. Website: www.dlink.co.il Italy Via Nino Bonnet n. 6/b, 20154 – Milano, Italy. TEL: 39-02-2900-0676, FAX: 39-02-2900-1723. Website: www.dlink.it LatinAmerica Isidora Goyeechea 2934, Ofcina 702, Las Condes, Santiago – Chile. TEL: 56-2-232-3185, FAX: 56-2-232-0923.
Alphabetical Index A access rules, 135 accounting, 39 interim messages, 41 limitations with NAT, 42 messages, 39 system shutdowns, 42 address book, 48 ethernet addresses in, 50 IP addresses in, 48 add.
DHCP_UseLinkLocalIP setting, 325 DHCP_ValidateBcast setting, 325 DHCPRelay_AutoSaveRelayInterval setting, 326 DHCPRelay_MaxAutoRoutes setting, 326 DHCPRelay_MaxHops setting, 326 DHCPRelay_MaxLeaseTime.
L L2TP, 261 quickstart guide, 234 Lan to Lan tunnels, 253 LayerSizeConsistency setting, 305 LDAP servers, 259 link state algorithm, 103 LocalReass_MaxConcurrent setting, 324 LocalReass_MaxSize setting.
TCP and UDP, 53 SilentlyDropStateICMPErrors setting, 311 simple network management protocol (see SNMP) SIP ALG, 152 SMTP ALG, 146 header verification, 149 SNMP community string, 43 MIB, 43 monitoring,.
X.509 certificates, 79 identification lists, 251 with IPsec, 234 Z zonedefense IDP, 194 zone defense, 298 switches, 299