Ir a la página of
manuales de instrucciones parecidos
-
Network Router
D-Link DWM-152
36 páginas 4.21 mb -
Network Router
D-Link DIR-865L
160 páginas 12 mb -
Network Router
D-Link version 1.0
104 páginas 9.95 mb -
Network Router
D-Link D EBR-2310 EBR-2310
2 páginas 0.23 mb -
Network Router
D-Link Dir 457
108 páginas 4.46 mb -
Network Router
D-Link DI-804
59 páginas 1.81 mb -
Network Router
D-Link EBR-2310
2 páginas 0.22 mb -
Network Router
D-Link DIR-120
77 páginas 4.86 mb
Buen manual de instrucciones
Las leyes obligan al vendedor a entregarle al comprador, junto con el producto, el manual de instrucciones D-Link 2560G. La falta del manual o facilitar información incorrecta al consumidor constituyen una base de reclamación por no estar de acuerdo el producto con el contrato. Según la ley, está permitido adjuntar un manual de otra forma que no sea en papel, lo cual últimamente es bastante común y los fabricantes nos facilitan un manual gráfico, su versión electrónica D-Link 2560G o vídeos de instrucciones para usuarios. La condición es que tenga una forma legible y entendible.
¿Qué es un manual de instrucciones?
El nombre proviene de la palabra latina “instructio”, es decir, ordenar. Por lo tanto, en un manual D-Link 2560G se puede encontrar la descripción de las etapas de actuación. El propósito de un manual es enseñar, facilitar el encendido o el uso de un dispositivo o la realización de acciones concretas. Un manual de instrucciones también es una fuente de información acerca de un objeto o un servicio, es una pista.
Desafortunadamente pocos usuarios destinan su tiempo a leer manuales D-Link 2560G, sin embargo, un buen manual nos permite, no solo conocer una cantidad de funcionalidades adicionales del dispositivo comprado, sino también evitar la mayoría de fallos.
Entonces, ¿qué debe contener el manual de instrucciones perfecto?
Sobre todo, un manual de instrucciones D-Link 2560G debe contener:
- información acerca de las especificaciones técnicas del dispositivo D-Link 2560G
- nombre de fabricante y año de fabricación del dispositivo D-Link 2560G
- condiciones de uso, configuración y mantenimiento del dispositivo D-Link 2560G
- marcas de seguridad y certificados que confirmen su concordancia con determinadas normativas
¿Por qué no leemos los manuales de instrucciones?
Normalmente es por la falta de tiempo y seguridad acerca de las funcionalidades determinadas de los dispositivos comprados. Desafortunadamente la conexión y el encendido de D-Link 2560G no es suficiente. El manual de instrucciones siempre contiene una serie de indicaciones acerca de determinadas funcionalidades, normas de seguridad, consejos de mantenimiento (incluso qué productos usar), fallos eventuales de D-Link 2560G y maneras de solucionar los problemas que puedan ocurrir durante su uso. Al final, en un manual se pueden encontrar los detalles de servicio técnico D-Link en caso de que las soluciones propuestas no hayan funcionado. Actualmente gozan de éxito manuales de instrucciones en forma de animaciones interesantes o vídeo manuales que llegan al usuario mucho mejor que en forma de un folleto. Este tipo de manual ayuda a que el usuario vea el vídeo entero sin saltarse las especificaciones y las descripciones técnicas complicadas de D-Link 2560G, como se suele hacer teniendo una versión en papel.
¿Por qué vale la pena leer los manuales de instrucciones?
Sobre todo es en ellos donde encontraremos las respuestas acerca de la construcción, las posibilidades del dispositivo D-Link 2560G, el uso de determinados accesorios y una serie de informaciones que permiten aprovechar completamente sus funciones y comodidades.
Tras una compra exitosa de un equipo o un dispositivo, vale la pena dedicar un momento para familiarizarse con cada parte del manual D-Link 2560G. Actualmente se preparan y traducen con dedicación, para que no solo sean comprensibles para los usuarios, sino que también cumplan su función básica de información y ayuda.
Índice de manuales de instrucciones
-
Página 1
Network Security Sol ution http://www .dlink.com Security Security DFL-210/ 800/1600/ 2500 DFL-260/ 860/1660/ 2560(G) V er 2.27.01 Network Security F irewall User Manu al[...]
-
Página 2
User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2010-06-22 Copyright © 2010[...]
-
Página 3
User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 Published 2010-06-22 Copyright © 2010 Copyright Notice This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manual, nor any of the material contained herei[...]
-
Página 4
Table of Contents P r e f a c e ...............................................................................................................1 4 1 . N e t D e f e n d O S O v e r v i e w ....................................................................................1 6 1 . 1 . F e a t u r e s .................................................[...]
-
Página 5
3 . 2 . 3 . I C M P S e r v i c e s ............................................................................ 8 6 3 . 2 . 4 . C u s t o m I P P r o t o c o l S e r v i c e s .......................................................... 8 8 3 . 2 . 5 . S e r v i c e G r o u p s ........................................................................[...]
-
Página 6
4 . 7 . T r a n s p a r e n t M o d e ................................................................................ 2 0 7 4 . 7 . 1 . O v e r v i e w ................................................................................. 2 0 7 4 . 7 . 2 . E n a b l i n g I n t e r n e t A c c e s s .....................................................[...]
-
Página 7
7 . A d d r e s s T r a n s l a t i o n ........................................................................................ 3 3 4 7 . 1 . O v e r v i e w ............................................................................................ 3 3 4 7 . 2 . N A T ..............................................................................[...]
-
Página 8
9 . 7 . 2 . T r o u b l e s h o o t i n g C e r t i f i c a t e s ........................................................ 4 3 7 9 . 7 . 3 . I P s e c T r o u b l e s h o o t i n g C o m m a n d s ................................................ 4 3 8 9.7.4. Management Interface Failure with VPN . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Página 9
1 3 . 1 . I P L e v e l S e t t i n g s ................................................................................ 5 0 4 1 3 . 2 . T C P L e v e l S e t t i n g s ............................................................................. 5 0 8 1 3 . 3 . I C M P L e v e l S e t t i n g s .....................................................[...]
-
Página 10
List of Figures 1 . 1 . P a c k e t F l o w S c h e m a t i c P a r t I ........................................................................... 2 3 1 . 2 . P a c k e t F l o w S c h e m a t i c P a r t I I ..........................................................................2 4 1 . 3 . P a c k e t F l o w S c h e m a t i c P a r t I I I ..[...]
-
Página 11
1 0 . 1 0 . C o n n e c t i o n s f r o m T h r e e C l i e n t s ................................................................... 4 7 6 1 0 . 1 1 . S t i c k i n e s s a n d R o u n d - R o b i n ....................................................................... 4 7 7 1 0 . 1 2 . S t i c k i n e s s a n d C o n n e c t i o n - r a t e ....[...]
-
Página 12
List of Examples 1 . E x a m p l e N o t a t i o n ............................................................................................. 1 4 2 . 1 . E n a b l i n g r e m o t e m a n a g e m e n t v i a H T T P S ...........................................................3 3 2 . 2 . E n a b l i n g S S H R e m o t e A c c e s s ............[...]
-
Página 13
4 . 1 4 . I G M P - N o A d d r e s s T r a n s l a t i o n .................................................................... 2 0 1 4.15. if1 C o n f i g u r a t i o n ........................................................................................ 2 0 2 4.16. if2 C o n f i g u r a t i o n - G r o u p T r a n s l a t i o n ..............[...]
-
Página 14
Preface Intended Audience The target audience for this reference guide is Administrators who are responsible for configuring and managing NetDefend Firewalls which are running the NetDefendOS operating system. This guide assumes that the reader has some basic knowledge of networks and network security. Text Structure and Conventions The text is bro[...]
-
Página 15
items in the tree-view list at the left of the interface or in the menu bar or in a context menu need to be opened followed by information about the data items that need to be entered: 1. Go to Item X > Item Y > Item Z 2. Now enter: • DataItem1: datavalue1 • DataItem2: datavalue2 Highlighted Content Special sections of text which the read[...]
-
Página 16
Chapter 1. NetDefendOS Overview This chapter outlines the key features of NetDefendOS. • Features, page 16 • NetDefendOS Architecture, page 19 • NetDefendOS State Engine Packet Flow, page 23 1.1. Features D-Link NetDefendOS is the base software engine that drives and controls the range of NetDefend Firewall hardware products. NetDefendOS as a[...]
-
Página 17
VPN NetDefendOS supports a range of Virtual Private Network (VPN) solutions. NetDefendOS supports IPsec, L2TP and PPTP based VPNs concurrently, can act as either server or client for all of the VPN types, and can provide individual security policies for each VPN tunnel. The details for this can be found in Chapter 9, VPN which includes a summary of[...]
-
Página 18
enables a device running NetDefendOS to distribute network load to multiple hosts. These features are discussed in detail in Chapter 10, Traffic Management . Note Threshold Rules are only available on certain D-Link NetDefend product models. Operations and Maintenance Administrator management of NetDefendOS is possible through either a Web-based Us[...]
-
Página 19
1.2. NetDefendOS Architecture 1.2.1. State-based Architecture The NetDefendOS architecture is centered around the concept of state-based connections. Traditional IP routers or switches commonly inspect all packets and then perform forwarding decisions based on information found in the packet headers. With this approach, packets are forwarded withou[...]
-
Página 20
NetDefendOS Rule Sets Finally, rules which are defined by the administrator in the various rule sets are used for actually implementing NetDefendOS security policies. The most fundamental set of rules are the IP Rules , which are used to define the layer 3 IP filtering policy as well as carrying out address translation and server load balancing. Th[...]
-
Página 21
• Source and destination interfaces • Source and destination network • IP protocol (for example TCP, UDP, ICMP) • TCP/UDP ports • ICMP types • Point in time in reference to a predefined schedule If a match cannot be found, the packet is dropped. If a rule is found that matches the new connection, the Action parameter of the rule decides[...]
-
Página 22
processing such as encryption or encapsulation might occur. The next section provides a set of diagrams illustrating the flow of packets through NetDefendOS. 1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview 22[...]
-
Página 23
1.3. NetDefendOS State Engine Packet Flow The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next. It is not necessary to understand these diagrams, however, they can be useful as a reference when configuring NetDefendOS in certain situations. F[...]
-
Página 24
Figure 1.2. Packet Flow Schematic Part II The packet flow is continued on the following page. 1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 24[...]
-
Página 25
Figure 1.3. Packet Flow Schematic Part III 1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 25[...]
-
Página 26
Apply Rules The figure below presents the detailed logic of the Apply Rules function in Figure 1.2, “Packet Flow Schematic Part II” above. Figure 1.4. Expanded Apply Rules Logic 1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 26[...]
-
Página 27
1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 27[...]
-
Página 28
Chapter 2. Management and Maintenance This chapter describes the management, operations and maintenance related aspects of NetDefendOS. • Managing NetDefendOS, page 28 • Events and Logging, page 55 • RADIUS Accounting, page 60 • Hardware Monitoring, page 65 • SNMP Monitoring, page 67 • The pcapdump Command, page 70 • Maintenance, page[...]
-
Página 29
This feature is fully described in Section 2.1.6, “Secure Copy” . Console Boot Menu Before NetDefendOS starts running, a console connected directly to the NetDefend Firewall's RS232 port can be used to do basic configuration through the boot menu . This menu can be entered by pressing any console key between power-up and NetDefendOS starti[...]
-
Página 30
NetDefendOS provides an intuitive Web Interface (WebUI) for management of the system via an Ethernet interface using a standard web browser. This allows the administrator to perform remote management from anywhere on a private network or the public Internet using a standard computer without having to install client software. Assignment of a Default[...]
-
Página 31
password is admin and admin . If the user credentials are correct, you will be transferred to the main Web Interface page. First Time Web Interface Logon and the Setup Wizard When logging on for the first time, the default username is always admin and the password is admin . After successful login, the WebUI user interface will be presented in the [...]
-
Página 32
For information about the default user name and password, see Section 2.1.2, “The Default Administrator Account” . Note: Remote management access Access to the Web Interface is regulated by the configured remote management policy. By default, the system will only allow web access from the internal network. Interface Layout The main Web Interfac[...]
-
Página 33
Controlling Access to the Web Interface By default, the Web Interface is accessible only from the internal network. If you need to enable access from other parts of the network, you can do so by modifying the remote management policy. Example 2.1. Enabling remote management via HTTPS Command-Line Interface gw-world:/> add RemoteManagement Remote[...]
-
Página 34
is described below), or remotely via an Ethernet interface using the Secure Shell (SSH) protocol from an SSH client. The CLI provides a comprehensive set of commands that allow the display and modification of configuration data as well as allowing runtime data to be displayed and allowing system maintenance tasks to be performed. This section only [...]
-
Página 35
a command appears it can be re-executed in it's original form or changed first before execution. Tab Completion Remembering all the commands and their options can be difficult. NetDefendOS provides a feature called tab completion which means that pressing the tab key will cause automatically completion of the current part of the command. If co[...]
-
Página 36
Not all object types belong in a category. The object type UserAuthRule is a type without a category and will appear in the category list after pressing tab at the beginning of a command. The category is sometimes also referred to as a context . Selecting Object Categories With some categories, it is necessary to first choose a member of that categ[...]
-
Página 37
can be done either by referring to it by its index, that is to say its list position, or by alternatively using the name assigned to it. The CLI Reference Guide lists the parameter options available for each NetDefendOS object, including the Name= and Index= options. Using Unique Names For convenience and clarity, it is recommended that a name is a[...]
-
Página 38
4. Press the enter key on the terminal. The NetDefendOS login prompt should appear on the terminal screen. SSH (Secure Shell) CLI Access The SSH (Secure Shell) protocol can be used to access the CLI over the network from a remote host. SSH is a protocol primarily used for secure communication over insecure networks, providing strong authentication [...]
-
Página 39
else as soon as possible after initial startup. User passwords can be any combination of characters and cannot be greater than 256 characters in length. It is recommended to use only printable characters. To change the password to, for example, my-password the following CLI commands are used. First we must change the current category to be the Loca[...]
-
Página 40
automatically undone and the old configuration restored. Checking Configuration Integrity After changing a NetDefendOS configuration and before issuing the activate and commit commands, it is possible to explicitly check for any problems in a configuration using the command: gw-world:/> show -errors This will cause NetDefendOS to scan the config[...]
-
Página 41
• Secure Copy (SCP) sessions. • Web Interface sessions connected by HTTP or HTTPS. The command without any options gives a summary of currently open sessions: gw-world:/> sessionmanager Session Manager status ---------------------- Active connections : 3 Maximum allowed connections : 64 Local idle session timeout : 900 NetCon idle session ti[...]
-
Página 42
delete cc If any other command appears in a script file, it is ignored during execution and a warning message is output. For example, the ping command will be ignored. Executing Scripts As mentioned above, the script -execute command launches a named script file that has been previously uploaded to the NetDefend Firewall. For example, to execute th[...]
-
Página 43
If an executing CLI script file encounters an error condition, the default behavior is for the script to terminate. This behavior can be overridden by using the -force option. To run a script file called my_script2.sgs in this way, the CLI command is: gw-world:/> script -execute -name=my_script2.sgs -force If -force is used, the script will cont[...]
-
Página 44
gw-world:/> script -show -name=my_script.sgs Creating Scripts Automatically When the same configuration objects needs to be copied between multiple NetDefend Firewalls, then one way to do this with the CLI is to create a script file that creates the required objects and then upload to and run the same script on each device. If we already have a [...]
-
Página 45
Any line in a script file that begins with the # character is treated as a comment. For example: # The following line defines the If1 IP address add IP4Address If1_ip Address=10.6.60.10 Scripts Running Other Scripts It is possible for one script to run another script. For example, the script my_script.sgs could contain the line: " " scrip[...]
-
Página 46
File type Upload possible Download possible Firmware upgrades Yes No Certificates Yes No SSH public keys Yes No Web auth banner files Yes Yes Web content filter banner files Yes Yes NetDefendOS File organization NetDefendOS maintains a simple 2 level directory structure which consists of the top level root and a number of sub-directories. However, [...]
-
Página 47
To upload a file to an object type under the root, the command is slightly different. If we have a local CLI script file called my_script.sgs then the upload command would be: > scp my_script.sgs admin1@10.5.62.11:script/ If we have the same CLI script file called my_scripts.sgs stored on the NetDefend Firewall then the download command would be[...]
-
Página 48
The options available in the boot menu are: 1. Start firewall This initiates the complete startup of the NetDefendOS software on the NetDefend Firewall. 2. Reset unit to factory defaults This option will restore the hardware to its initial factory state. The operations performed if this option is selected are the following: • Remove console secur[...]
-
Página 49
SSH Before Rules Enable SSH traffic to the firewall regardless of configured IP Rules. Default: Enabled WebUI Before Rules Enable HTTP(S) traffic to the firewall regardless of configured IP Rules. Default: Enabled Local Console Timeout Number of seconds of inactivity until the local console user is automatically logged out. Default: 900 Validation [...]
-
Página 50
A configuration object has a well-defined type. The type defines the properties that are available for the configuration object, as well as the constraints for those properties. For instance, the IP4Address type is used for all configuration objects representing a named IPv4 address. Object Organization In the Web Interface the configuration object[...]
-
Página 51
Type: TCP SourcePorts: 0-65535 SYNRelay: No PassICMPReturn: No ALG: (none) MaxSessions: 1000 Comments: Telnet The Property column lists the names of all properties in the ServiceTCPUDP class and the Value column lists the corresponding property values. Web Interface 1. Go to Objects > Services 2. Click on the telnet hyperlink in the list 3. A we[...]
-
Página 52
Important: Configuration changes must be activated Changes to a configuration object will not be applied to a running system until the new NetDefendOS configuration is activated. Example 2.6. Adding a Configuration Object This example shows how to add a new IP4Address object, here creating the IP address 192.168.10.10 , to the address book. Command[...]
-
Página 53
Example 2.8. Undeleting a Configuration Object A deleted object can always be restored until the configuration has been activated and committed. This example shows how to restore the deleted IP4Address object shown in the previous example. Command-Line Interface gw-world:/> undelete Address IP4Address myhost Web Interface 1. Go to Objects > A[...]
-
Página 54
default) during which a connection to the administrator must be re-established. As described previously, if the configuration was activated via the CLI with the activate command then a commit command must be issued within that period. If a lost connection could not be re-established or if the commit command was not issued, then NetDefendOS will rev[...]
-
Página 55
2.2. Events and Logging 2.2.1. Overview The ability to log and analyze system activities is an essential feature of NetDefendOS. Logging enables not only monitoring of system status and health, but also allows auditing of network usage and assists in trouble-shooting. Log Message Generation NetDefendOS defines a large number of different log event [...]
-
Página 56
By default, NetDefendOS sends all messages of level Info and above to configured log servers. The Debug category is intended for troubleshooting only and should only be turned on if required when trying to solve a problem. All log messages of all severity levels are found listed in the NetDefendOS Log Reference Guide . 2.2.3. Creating Log Receivers[...]
-
Página 57
Syslog is a standardized protocol for sending log data although there is no standardized format for the log messages themselves. The format used by NetDefendOS is well suited to automated processing, filtering and searching. Although the exact format of each log entry depends on how a Syslog receiver works, most are very much alike. The way in whic[...]
-
Página 58
2.2.6. SNMP Traps The SNMP protocol Simple Network Management Protocol (SNMP) is a means for communicating between a Network Management System (NMS) and a managed device. SNMP defines 3 types of messages: a Read command for an NMS to examine a managed device, a Write command to alter the state of a managed device and a Trap which is used by managed[...]
-
Página 59
Web Interface 1. Go to Log & Event Receivers > Add > SNMP2cEventReceiver 2. Specify a name for the event receiver, for example my_snmp 3. Enter 195.11.22.55 as the IP Address 4. Enter an SNMP Community String if needed by the trap receiver 5. Click OK The system will now be sending SNMP traps for all events with a severity greater than or[...]
-
Página 60
2.3. RADIUS Accounting 2.3.1. Overview Within a network environment containing large numbers of users, it is advantageous to have one or a cluster of central servers that maintain user account information and are responsible for authentication and authorization tasks. The central database residing on the dedicated server(s) contains all user creden[...]
-
Página 61
authentication server. • How Authenticated - How the user was authenticated. This is set to either RADIUS if the user was authenticated via RADIUS, or LOCAL if the user was authenticated via a local user database. • Delay Time - The time delay (in seconds) since the AccountingRequest packet was sent and the authentication acknowledgement was re[...]
-
Página 62
Tip: The meaning of the asterisk after a list entry The asterisk "*" symbol after an entry in the list above indicates that the sending of the parameter is optional and is configurable. 2.3.3. Interim Accounting Messages In addition to START and STOP messages NetDefendOS can optionally periodically send Interim Accounting Messages to upda[...]
-
Página 63
Firewalls. This means that accounting information is automatically updated on both cluster members whenever a connection is closed. Two special accounting events are also used by the active unit to keep the passive unit synchronized: • An AccountingStart event is sent to the inactive member in an HA setup whenever a response has been received fro[...]
-
Página 64
continue to be logged in. Disabling the setting will mean that the user will be logged out if the RADIUS accounting server cannot be reached even though the user has been previously authenticated. Default: Enabled Logout at shutdown If there is an orderly shutdown of the NetDefend Firewall by the administrator, then NetDefendOS will delay the shutd[...]
-
Página 65
2.4. Hardware Monitoring Availability Certain D-Link hardware models allow the administrator to use the CLI to query the current value of various hardware operational parameters such as the current temperature inside the firewall. This feature is referred to as Hardware Monitoring . The D-Link NetDefend models that currently support hardware monito[...]
-
Página 66
The -verbose option displays the current values plus the configured ranges: gw-world:/> hwm -a -v 2 sensors available Poll interval time = 500ms Name [type][number] = low_limit] current_value [high_limit (unit) ----------------------------------------------------------------- SYS Temp [TEMP ][ 0] = 44.000] 45.000 [ 0.000 (C) CPU Temp [TEMP ][ 1][...]
-
Página 67
2.5. SNMP Monitoring Overview Simple Network Management Protocol (SNMP) is a standardized protocol for management of network devices. An SNMP compliant client can connect to a network device which supports the SNMP protocol to query and control it. NetDefendOS supports SNMP version 1 and version 2. Connection can be made by any SNMP compliant clien[...]
-
Página 68
SNMP access. Port 161 is usually used for SNMP and NetDefendOS always expects SNMP traffic on that port. Remote Access Encryption It should be noted that SNMP Version 1 or 2c access means that the community string will be sent as plain text over a network. This is clearly insecure if a remote client is communicating over the public Internet. It is [...]
-
Página 69
Default: Enabled SNMP Request Limit Maximum number of SNMP requests that will be processed each second by NetDefendOS. Should SNMP requests exceed this rate then the excess requests will be ignored by NetDefendOS. Default: 100 System Contact The contact person for the managed node. Default: N/A System Name The name for the managed node. Default: N/[...]
-
Página 70
2.6. The pcapdump Command A valuable diagnostic tool is the ability to examine the packets that enter and leave the interfaces of a NetDefend Firewall. For this purpose, NetDefendOS provides the CLI command pcapdump which not only allows the examination of packet streams entering and leaving interfaces but also allows the filtering of these streams[...]
-
Página 71
It is possible to have multiple pcapdump executions being performed at the same time. The following points describe this feature: 1. All capture from all executions goes to the same memory buffer. The command can be launched multiple times with different interfaces specified. In this case the packet flow for the different executions will be grouped[...]
-
Página 72
The name of the file used for pcapdump output must comply with the following rules: • Excluding the filename extension, the name may not exceed 8 characters in length. • The filename extension cannot exceed 3 characters in length. • The filename and extension can only contain the characters A-Z, 0-9, "-" and "_". Combining[...]
-
Página 73
2.7. Maintenance 2.7.1. Auto-Update Mechanism A number of the NetDefendOS security features rely on external servers for automatic updates and content filtering. The Intrusion Prevention and Detection system and Anti-Virus modules require access to updated signature databases in order to provide protection against the latest threats. To facilitate [...]
-
Página 74
be altered to include the date. For example, full.bak might become full-20081121.bak to show it is a snapshot of the state on November 21st, 2008. To restore a backup file, the administrator should upload the file to the NetDefend Firewall. The name of the file does not need to be changed in any way and can retain the date since NetDefendOS will re[...]
-
Página 75
Important: Any upgrades will be lost after a factory reset It should be understood that a reset to factory defaults is exactly that. Any NetDefendOS upgrades performed since the unit left the factory will be lost. Reset Procedure for the NetDefend DFL-210, 260, 800 and 860 To reset the NetDefend DFL-210/260/800/860 models, hold down the reset butto[...]
-
Página 76
2.7.3. Restore to Factory Defaults Chapter 2. Management and Maintenance 76[...]
-
Página 77
Chapter 3. Fundamentals This chapter describes the fundamental logical objects which make up a NetDefendOS configuration. These objects include such items as IP addresses and IP rules. Some exist by default and some must be defined by the administrator. In addition, the chapter explains the different interface types and explains how security polici[...]
-
Página 78
IP Network An IP Network is represented using Classless Inter Domain Routing (CIDR) form. CIDR uses a forward slash and a digit (0-32) to denote the size of the network as a postfix. This is also known as the netmask . /24 corresponds to a class C net with 256 addresses (netmask 255.255.255.0 ), /27 corresponds to a 32 address net (netmask 255.255.[...]
-
Página 79
This example adds a range of IP addresses from 192.168.10.16 to 192.168.10.21 and names the range wwwservers : Command-Line Interface gw-world:/> add Address IP4Address wwwservers Address=192.168.10.16-192.168.10.21 Web Interface 1. Go to Objects > Address Book > Add > IP address 2. Specify a suitable name for the IP Range, for example [...]
-
Página 80
The following example adds an Ethernet Address object named wwwsrv1_mac with the numerical MAC address 08-a3-67-bc-2e-f2 . Command-Line Interface gw-world:/> add Address EthernetAddress wwwsrv1_mac Address=08-a3-67-bc-2e-f2 Web Interface 1. Go to Objects > Address Book > Add > Ethernet Address 2. Specify a suitable name for the Ethernet[...]
-
Página 81
3.1.5. Auto-Generated Address Objects To simplify the configuration, a number of address objects in the address book are automatically created by NetDefendOS when the system starts for the first time and these objects are used in various parts of the initial configuration. The following address objects are auto-generated: Interface Addresses For ea[...]
-
Página 82
3.2. Services 3.2.1. Overview A Service object is a reference to a specific IP protocol with associated parameters. A service definition is usually based on one of the major transport protocols such as TCP or UDP which is associated with a specific source and/or destination port number(s). For example, the HTTP service is defined as using the TCP p[...]
-
Página 83
Name Comments ------------ -------------------------------------------------- all_icmp All ICMP services " " Web Interface 1. Go to Objects > Services Example 3.7. Viewing a Specific Service To view a specific service in the system: Command-Line Interface gw-world:/> show Service ServiceTCPUDP echo The output will look similar to th[...]
-
Página 84
Let us now take a closer look at TCP/UDP services. TCP and UDP Based Services Most applications use TCP and/or UDP as transport protocol for transferring data over IP networks. Transmission Control Protocol (TCP) is a connection-oriented protocol that includes mechanisms for reliable point to point transmission of data. TCP is used by many common a[...]
-
Página 85
Tip: Specifying source ports It is usual with many services that the source ports are left as their default value which is the range 0-65535 (corresponding to all possible source ports). With certain application, it can be useful to also specify the source port if this is always within a limited range of values. Making the service definition as nar[...]
-
Página 86
to refer to all protocols. However, using this is not recommended and specifying a narrower service provides better security. If, for example, the requirement is only to filter using the principal protocols of TCP, UDP and ICMP then the service group all_tcpudpicmp can be used instead. Tip: The http-all service does not include DNS A common mistake[...]
-
Página 87
ICMP messages are delivered in IP packets, and includes a Message Type that specifies the format of the ICMP message and a Code that is used to further qualify the message. For example, the message type Destination Unreachable uses the Code parameter to specify the exact reason for the error. Either all ICMP message types can be accepted by a servi[...]
-
Página 88
3.2.4. Custom IP Protocol Services Services that run over IP and perform application/transport layer functions can be uniquely identified by IP protocol numbers . IP can carry data for a number of different protocols. These protocols are each identified by a unique IP protocol number specified in a field of the IP header. For example, ICMP, IGMP an[...]
-
Página 89
configuration and decrease the ability to troubleshoot problems. 3.2.6. Custom Service Timeouts Any service can have its custom timeouts set. These can also be set globally in NetDefendOS but it is more usual to change these values individually in a custom service. The timeout settings that can be customized are as follows: • Initial Timeout This[...]
-
Página 90
3.3. Interfaces 3.3.1. Overview An Interface is an important logical building block in NetDefendOS. All network traffic that transits through, originates from or is terminated in the NetDefend Firewall, does so through one or more interfaces. Source and Destination Interfaces An interface can be viewed as a doorway through which network traffic pas[...]
-
Página 91
Tunnel interfaces are used when network traffic is being tunneled between the system and another tunnel end-point in the network, before it gets routed to its final destination. VPN tunnels are often used to implement virtual private networks (VPNs) which can secure communication between two firewalls. To accomplish tunneling, additional headers ar[...]
-
Página 92
Should it be desirable to disable an interface so that no traffic can flow through it, this can be done with the CLI using the command: gw-world:/> set Interface Ethernet <interface-name> -disable Where <interface-name> is the interface to be disabled. To re-enable an interface, the command is: gw-world:/> set Interface Ethernet &[...]
-
Página 93
interface will be given a name of the form lanN , wanN and dmz , where N represents the number of the interface if your NetDefend Firewall has more than one of these interfaces. In most of the examples in this guide lan is used for LAN traffic and wan is used for WAN traffic. If your NetDefend Firewall does not have these interfaces, please substit[...]
-
Página 94
allocated to NetDefendOS address objects with the names <interface-name>_dns1 and <interface-name>_dns2 . Note: A gateway IP cannot be deleted with DHCP enabled If DHCP is enabled for a given Ethernet interface then any gateway IP address that is defined for that interface cannot be deleted. To remove the gateway address, the DHCP optio[...]
-
Página 95
Routes can be automatically added for the interface. This addition can be of the following types: i. Add a route for this interface for the given network. This is enabled by default. ii. Add a default route for this interface using the given default gateway. This is enabled by default. • MTU This determines the maximum size of packets in bytes th[...]
-
Página 96
Property Value --------------------- --------------------------- Name: wan_ip Address: 0.0.0.0 UserAuthGroups: <empty> NoDefinedCredentials: No Comments: IP address of interface wan To show the current interface assigned to the network wan_net : gw-world:/> show Address IP4Address InterfaceAddresses/wan_net Property Value -----------------[...]
-
Página 97
Modified Ethernet wan. Some interface settings are accessible only through a related set of CLI commands. These are particularly useful if D-Link hardware has been replaced and Ethernet card settings are to be changed, or if configuring the interfaces when running NetDefendOS on non-D-Link hardware. For example, to display Ethernet port information[...]
-
Página 98
As explained in more detail below, VLAN configuration with NetDefendOS involves a combination of VLAN trunks from the NetDefend Firewall to switches and these switches are configured with port based VLANs on their interfaces. Any physical firewall interface can, at the same time, carry both non-VLAN traffic as well VLAN trunk traffic for one or mul[...]
-
Página 99
Figure 3.1. VLAN Connections With NetDefendOS VLANs, the physical connections are as follows: • One of more VLANs are configured on a physical NetDefend Firewall interface and this is connected directly to a switch. This link acts as a VLAN trunk . The switch used must support port based VLANs . This means that each port on the switch can be conf[...]
-
Página 100
License Limitations The number of VLAN interfaces that can be defined for a NetDefendOS installation is limited by the parameters of the license used. Different hardware models have different licenses and different limits on VLANs. Summary of VLAN Setup Below are the key steps for setting up a VLAN interface. 1. Assign a name to the VLAN interface.[...]
-
Página 101
• Interface: lan • VLAN ID: 10 • IP Address: vlan10_ip • Network: all-nets 3. Click OK 3.3.4. PPPoE Point-to-Point Protocol over Ethernet (PPPoE) is a tunneling protocol used for connecting multiple users on an Ethernet network to the Internet through a common serial interface, such as a single DSL line, wireless device or cable modem. All [...]
-
Página 102
source interface. For outbound traffic, the PPPoE tunnel interface will be the destination interface. As with any interface, one or more routes are defined so NetDefendOS knows what IP addresses it should accept traffic from and which to send traffic to through the PPPoE tunnel. The PPPoE client can be configured to use a service name to distinguis[...]
-
Página 103
PPPoE cannot be used with HA For reasons connected with the way IP addresses are shared in a NetDefendOS high availability cluster, PPPoE will not operate correctly. It should there not be configured with HA. Example 3.11. Configuring a PPPoE Client This example shows how to configure a PPPoE client on the wan interface with traffic routed over PPP[...]
-
Página 104
• Tunneling IPv6 traffic across an IPv4 network. • Where a UDP data stream is to be multicast and it is necessary to transit through a network device which does not support multicasting. GRE allows tunneling though the network device. GRE Security and Performance A GRE tunnel does not use any encryption for the communication and is therefore no[...]
-
Página 105
• Address to use as source IP - It is possible to specify a particular IP address as the source interface IP for the GRE tunnel. The tunnel setup will appear to be initiated by this IP address instead of the IP address of the interface that actually sets up the tunnel. This might be done if, for example, you are using ARP publishing and want the [...]
-
Página 106
2. Create a GRE Tunnel object called GRE_to_B with the following parameters: • IP Address: ip_GRE • Remote Network: remote_net_B • Remote Endpoint: remote_gw • Use Session Key: 1 • Additional Encapulation Checksum: Enabled 3. Define a route in the main routing table which routes all traffic to remote_net_B on the GRE_to_B GRE interface. T[...]
-
Página 107
IPsec tunnels have a status of being either up or not up. With GRE tunnels in NetDefendOS this doesn't really apply. The GRE tunnel is up if it exists in the configuration. However, we can check on the what is going on with a GRE tunnel. For example, if the tunnel is called gre_interface then we can use the ifstat CLI command: gw-world:/> i[...]
-
Página 108
3.4. ARP 3.4.1. Overview Address Resolution Protocol (ARP) allows the mapping of a network layer protocol (OSI layer 3) address to a data link layer hardware address (OSI layer 2). In data networks it is used to resolve an IP address into its corresponding Ethernet address. ARP operates at the OSI layer 2, data link layer, and is encapsulated by Et[...]
-
Página 109
valid for. For example, the first entry has an expiry value of 45 which means that this entry will be rendered invalid and removed from the ARP Cache in 45 seconds. If traffic is going to be sent to the 192.168.0.10 IP address after the expiration, NetDefendOS will issue a new ARP request. The default expiration time for dynamic ARP entries is 900 [...]
-
Página 110
Hash tables are used to rapidly look up entries in the ARP Cache. For maximum efficiency, a hash table should be twice as large as the entries it is indexing, so if the largest directly connected LAN contains 500 IP addresses, the size of the ARP entry hash table should be at least 1000. The administrator can modify the ARP advanced setting ARP Has[...]
-
Página 111
2. Select the following from the dropdown lists: • Mode: Static • Interface: lan 3. Enter the following: • IP Address: 192.168.10.15 • MAC: 4b-86-f6-c5-a2-14 4. Click OK Published ARP Objects NetDefendOS supports publishing IP addresses on a particular interface, optionally along with a specific MAC address instead of the interfaces MAC add[...]
-
Página 112
Figure 3.2. An ARP Publish Ethernet Frame The Publish option uses the real MAC address of the sending interface for the address ( 1 ) in the Ethernet frame. In rare cases, some network equipment will require that both MAC addresses in the response ( 1 and 2 above) are the same. In this case XPublish is used since it changes both MAC addresses in th[...]
-
Página 113
It is possible for a host on a connected network to send an ARP reply to NetDefendOS even though a corresponding ARP request was not issued. This is known as an unsolicited ARP reply . According to the ARP specification, the recipient should accept these types of ARP replies. However, because this could be a malicious attempt to hijack a connection[...]
-
Página 114
ARP Query No Sender Handles ARP queries that have a sender IP of 0.0.0.0 . Such sender IPs are never valid in responses, but network units that have not yet learned of their IP address sometimes ask ARP questions with an "unspecified" sender IP. Default: DropLog ARP Sender IP Determines if the IP sender address must comply with the rules [...]
-
Página 115
Default: 900 seconds (15 minutes) ARP Expire Unknown Specifies in seconds how long NetDefendOS is to remember addresses that cannot be reached. This is done to ensure that NetDefendOS does not continuously request such addresses. Default: 3 ARP Multicast Determines how NetDefendOS is to deal with ARP requests and ARP replies that state that they ar[...]
-
Página 116
3.5. IP Rule Sets 3.5.1. Security Policies Before examining IP rule sets in detail, we will first look at the generic concept of security polices to which IP rule sets belong. Security Policy Characteristics NetDefendOS security policies are configured by the administrator to regulate the way in which traffic can flow through the NetDefend Firewall[...]
-
Página 117
These rules determine the routing table to be used by traffic and are described in Section 4.3, “Policy-based Routing” . • Authentication Rules These determine which traffic triggers authentication to take place (source net/interface only) and are described in Chapter 8, User Authentication . IP Rules and the Default main IP Rule Set IP rule [...]
-
Página 118
all source/destination networks/interfaces, and with logging enabled, is placed as the last rule in the IP rule set. This is often referred to as a drop all rule. Traffic Flow Needs an IP Rule and a Route As stated above, when NetDefendOS is started for the first time, the default IP rules drop all traffic so at least one IP rule must be added to a[...]
-
Página 119
Firewall, the list of IP rules are evaluated from top to bottom until a rule that matches the parameters of the new connection is found. The first matching rule's Action is then performed. If the action allows it then the establishment of the new connection will go ahead. A new entry or state representing the new connection will then be added [...]
-
Página 120
• Destination Network • Service When an IP rule is triggered by a match then one of the following Actions can occur: Allow The packet is allowed to pass. As the rule is applied to only the opening of a connection, an entry in the "state table" is made to record that a connection is open. The remaining packets related to this connectio[...]
-
Página 121
A context menu will appear with the following options: Edit This allows the contents of the rule to be changed. Delete This will remove the rule permanently from the rule set. Disable/Enable This allows the rule to be disabled but left in the rule set. While disabled the rule set line will not affect traffic flow and will appear grayed out in the u[...]
-
Página 122
• Source Interface: lan • Source Network: lannet • Destination Interface: wan • Destination Network: all-nets 4. Click OK 3.5.6. Configuration Object Groups The concept of folders can be used to organise groups of NetDefendOS objects into related collections. These work much like the folders concept found in a computer's file system. F[...]
-
Página 123
Note The screen images used in this example show just the first few columns of the object properties. We would like to create an object group for the two IP rules for web surfing. This is done with the following steps: • Select the first object to be in the new group by right clicking it. • Select the New Group option from the context menu. •[...]
-
Página 124
Any color can be chosen for the group. The color can be selected from the 16 predefined color boxes or entered as a hexadecimal RGB value. In addition, when the hexadecimal value box is selected, a full spectrum color palette appears which allows selection by clicking any color in the box with the mouse. In this example, we might change the name of[...]
-
Página 125
Moving Groups Groups can be moved in the same way as individual objects. By right clicking the group title line, the context menu includes options to move the entire group. For example, the Move to Top option moves the entire group to the top of the table. Leaving a Group If an object in a group is right clicked then the context menu contains the o[...]
-
Página 126
3.6. Schedules In some scenarios, it might be useful to control not only what functionality is enabled, but also when that functionality is being used. For instance, the IT policy of an enterprise might stipulate that web traffic from a certain department is only allowed access outside that department during normal office hours. Another example mig[...]
-
Página 127
Example 3.17. Setting up a Time-Scheduled Policy This example creates a schedule object for office hours on weekdays, and attaches the object to an IP Rule that allows HTTP traffic. Command-Line Interface gw-world:/> add ScheduleProfile OfficeHours Mon=8-17 Tue=8-17 Wed=8-17 Thu=8-17 Fri=8-17 Now create the IP rule that uses this schedule. First[...]
-
Página 128
3.7. Certificates 3.7.1. Overview X.509 NetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. This involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication. References in this manual to a certificate means a X.509 certificate . A certifica[...]
-
Página 129
Validity Time A certificate is not valid forever. Each certificate contains the dates between which the certificate is valid. When this validity period expires, the certificate can no longer be used, and a new certificate has to be issued. Important Make sure the NetDefendOS date and time are set correctly when using certificates. Certificate Revoc[...]
-
Página 130
There are two types of certificates that can be uploaded: self-signed certificates and remote certificates belonging to a remote peer or CA server. Self-signed certificates can be generated by using one of a number of freely available utilities for doing this. Example 3.18. Uploading a Certificate The certificate may either be self-signed or belong[...]
-
Página 131
• Take out the relevant parts of the .pem file to form the required .cer and .key files. The detailed steps for the above stages are as follows: 1. Create the gateway certificate on the Windows CA server and export it to a .pfx file on the local NetDefendOS management workstation disk. 2. Now convert the local .pfx file to a .pem file. This can b[...]
-
Página 132
3.8. Date and Time 3.8.1. Overview Correctly setting the date and time is important for NetDefendOS to operate properly. Time scheduled policies, auto-update of the IDP and Anti-Virus databases, and other product features such as digital certificates require that the system clock is accurately set. In addition, log messages are tagged with time-sta[...]
-
Página 133
The world is divided up into a number of time zones with Greenwich Mean Time (GMT) in London at zero longitude being taken as the base time zone. All other time zones going east and west from zero longitude are taken as being GMT plus or minus a given integer number of hours. All locations counted as being inside a given time zone will then have th[...]
-
Página 134
The hardware clock which NetDefendOS uses can sometimes become fast or slow after a period of operation. This is normal behavior in most network and computer equipment and is solved by utilizing Time Servers . NetDefendOS is able to adjust the clock automatically based on information received from one or more Time Servers which provide a highly acc[...]
-
Página 135
3. Now enter: • Time Server Type: SNTP • Primary Time Server: dns:ntp1.sp.se • Secondary Time Server: dns:ntp2.sp.se 4. Click OK The time server URLs must have the prefix dns: to specify that they should be resolved with a DNS server. NetDefendOS must therefore also have a DNS server defined so this resolution can be performed. Note If the Ti[...]
-
Página 136
Sometimes it might be necessary to override the maximum adjustment. For example, if time synchronization has just been enabled and the initial time difference is greater than the maximum adjust value. It is then possible to manually force a synchronization and disregard the maximum adjustment parameter. Example 3.26. Forcing Time Synchronization Th[...]
-
Página 137
Time zone offset in minutes. Default: 0 DST Offset Daylight saving time offset in minutes. Default: 0 DST Start Date What month and day DST starts, in the format MM-DD. Default: none DST End Date What month and day DST ends, in the format MM-DD. Default: none Time Sync Server Type Type of server for time synchronization, UDPTime or SNTP (Simple Net[...]
-
Página 138
Maximum time drift in seconds that a server is allowed to adjust. Default: 600 Group interval Interval according to which server responses will be grouped. Default: 10 3.8.4. Settings Summary for Date and Time Chapter 3. Fundamentals 138[...]
-
Página 139
3.9. DNS Overview A DNS server can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. FQDNs are unambiguous textual domain names which specify a node's unique position in the Internet's DNS tree hierarchy. FQDN resolution allows the actual physical IP address to change while the FQDN can stay the same.[...]
-
Página 140
Dynamic DNS A DNS feature offered by NetDefendOS is the ability to explicitly inform DNS servers when the external IP address of the NetDefend Firewall has changed. This is sometimes referred to as Dynamic DNS and is useful where the NetDefend Firewall has an external IP address that can change. Dynamic DNS can also be useful in VPN scenarios where[...]
-
Página 141
3.9. DNS Chapter 3. Fundamentals 141[...]
-
Página 142
Chapter 4. Routing This chapter describes how to configure IP routing in NetDefendOS. • Overview, page 142 • Static Routing, page 143 • Policy-based Routing, page 160 • Route Load Balancing, page 165 • OSPF, page 171 • Multicast Routing, page 194 • Transparent Mode, page 207 4.1. Overview IP routing is one of the most fundamental func[...]
-
Página 143
4.2. Static Routing The most basic form of routing is known as Static Routing . The word " static " refers to the fact that entries in the routing table are manually added and are therefore permanent (or static) by nature. Due to this manual approach, static routing is most appropriate to use in smaller network deployments where addresses[...]
-
Página 144
This parameter usually doesn't need to be specified. If it is specified, NetDefendOS responds to ARP queries sent to this address. A special section below explains this parameter in more depth. Local IP Address and Gateway are mutually exclusive and either one or the other should be specified. • Metric This is a metric value assigned to the [...]
-
Página 145
Route # Interface Destination Gateway 4 wan all-nets 195.66.77.4 The above routing table provides the following information: • Route #1 All packets going to hosts on the 192.168.0.0/24 network should be sent out on the lan interface. As no gateway is specified for the route entry, the host is assumed to be located on the network segment directly [...]
-
Página 146
• Interface: The interface on which the second network is found. • Network: The IP address range of the second network. • Local IP Address: An address within the second network's IP range. When the Default Gateway of the second network's clients is now set to the same value as the Local IP Address of the above route, the clients wil[...]
-
Página 147
Something that is not intuitive when trying to understand routing in NetDefendOS is the fact that all traffic must have two routes associated with it. Not only must a route be defined for the destination network of a connection but also for the source network. The route that defines the source network simply says that the source network is found on[...]
-
Página 148
=================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.10 20 10.0.0.0 255.0.0.0 10.4.2.143 10.4.2.143 1 10.4.2.143 255.255.255.255 127.0.0.1 127.0.0.1 50 10.255.255.255 255.255.255.255 10.4.2.143 10.4.2.143 50 85.11.194.33 255.255.[...]
-
Página 149
when the routing table contents are displayed. These routing table changes can take place for different reasons. For example, if dynamic routing with OSPF has been enabled then routing tables will become populated with new routes learned from communicating with other OSPF routers in an OSPF network. Other events such as route fail-over can also cau[...]
-
Página 150
Note: The metric for default routes is 100 The metric assigned to the default routes automatically created for the physical interfaces is always 100 . These automatically added routes cannot be removed manually by deleting them one at a time from a routing table. Instead, the properties of the interface must be selected and the advanced option Auto[...]
-
Página 151
gw-world:/> routes -all Flags Network Iface Gateway Local IP Metric ----- ------------------ ---------- ------------- -------- ------ 127.0.0.1 core (Shared IP) 0 192.168.0.1 core (Iface IP) 0 213.124.165.181 core (Iface IP) 0 127.0.3.1 core (Iface IP) 0 127.0.4.1 core (Iface IP) 0 192.168.0.0/24 lan 0 213.124.165.0/24 wan 0 224.0.0.0/4 core (If[...]
-
Página 152
Figure 4.3. A Route Failover Scenario for ISP Access Setting Up Route Failover To set up route failover, Route Monitoring must be enabled and this is an option that is enabled on a route by route basis. To enable route failover in a scenario with a preferred and a backup route, the preferred route will have route monitoring enabled, however the bac[...]
-
Página 153
lowest metric value for sending data (if two routes have the same metric, the route found first in the routing table will be chosen). A primary, preferred route should have a lower metric (for example "10"), and a secondary, failover route should have a higher metric value (for example "20"). Multiple Failover Routes It is possi[...]
-
Página 154
The routing table consequently contains the following default route: Interface Destination Gateway Metric Monitoring wan all-nets 195.66.77.1 10 Off Now a secondary route is added over a backup DSL connection and Route Monitoring is enabled for this. The updated routing table will look like this: Route # Interface Destination Gateway Metric Monitor[...]
-
Página 155
As part of Route Properties Host Monitoring can be enabled and a single route can have multiple hosts associated with it for monitoring. Multiple hosts can provide a higher certainty that any network problem resides in the local network rather than because one remote host itself is down. In association with Host Monitoring there are two numerical p[...]
-
Página 156
The Reachability Required option An important option that can be enabled for a host is the Reachability Required option. When this is selected, the host must be determined as accessible in order for that route to be considered to be functioning. Even if other hosts are accessible, this option says that the accessibility of a host with this option s[...]
-
Página 157
Ping poll interval The time in milliseconds between sending a Ping to hosts. Default: 1000 Grace time The length of time in seconds between startup or reconfigure and monitoring start. Default: 30 Consecutive fails The number of consecutive failures that occurs before a route is marked as being unavailable. Default: 5 Consecutive success The number[...]
-
Página 158
pretending to be the target host. After receiving the reply, Host A then sends data directly to NetDefendOS which forwards the data to host B . In the process NetDefendOS checks the traffic against the configured rule sets. Setting Up Proxy ARP Setting up proxy ARP is done by specifying the option for a route in a routing table. Let us suppose we h[...]
-
Página 159
Proxy ARP and High Availability Clusters In HA clusters, switch routes cannot be used and transparent mode is therefore not an option. However, proxy ARP does function with HA and is consequently the only way to implement transparent mode functionality with a cluster. Not all interfaces can make use of Proxy ARP It is only possible to have Proxy AR[...]
-
Página 160
4.3. Policy-based Routing 4.3.1. Overview Policy-based Routing (PBR) is an extension to the standard routing described previously. It offers administrators significant flexibility in implementing routing decision policies by being able to define rules so alternative routing tables are used. Normal routing forwards packets according to destination I[...]
-
Página 161
When looking up Policy-based Rules, it is the first matching rule found that is triggered. 4.3.4. Routing Table Selection When a packet corresponding to a new connection first arrives, the processing steps are as follows to determine which routing table is chosen: 1. The Routing Rules must first be looked up but to do this the packet's destina[...]
-
Página 162
Important: Ensure all-nets appears in the main table A common mistake with policy-based routing is the absence of the default route with a destination interface of all-nets in the default main routing table. If there is no route that is an exact match then the absence of a default all-nets route will mean that the connection will be dropped. Exampl[...]
-
Página 163
Example 4.5. Policy-based Routing Configuration This example illustrates a multiple ISP scenario which is a common use of Policy-based Routing. The following is assumed: • Each ISP will give you an IP network from its network range. We will assume a 2-ISP scenario, with the network 10.10.10.0/24 belonging to ISP A and 20.20.20.0/24 belonging to I[...]
-
Página 164
Note Rules in the above example are added for both inbound and outbound connections. 4.3.5. The Ordering parameter Chapter 4. Routing 164[...]
-
Página 165
4.4. Route Load Balancing Overview NetDefendOS provides the option to perform Route Load Balancing (RLB). This is the ability to distribute traffic over multiple alternate routes using one of a number of distribution algorithms. The purpose of this feature is to provide the following: • Balancing of traffic between interfaces in a policy driven f[...]
-
Página 166
done according to which algorithm is selected in the table's RLB Instance object: • Round Robin Successive routes are chosen from the matching routes in a "round robin" fashion provided that the metric of the routes is the same. This results in route lookups being spread evenly across matching routes with same metric. If the matchi[...]
-
Página 167
Figure 4.6. The RLB Spillover Algorithm Spillover Limits are set separately for ingoing and outgoing traffic with only one of these typically being specified. If both are specified then only one of them needs to be exceeded continuously for Hold Timer seconds for the next matching route to be chosen. The units of the limits, such as Mbps, can be se[...]
-
Página 168
When that new route's interface limits are also exceeded then the route with the next highest metric is taken and so on. As soon as any route with a lower metric falls below its interface limit for its Hold Timer number of seconds, then it reverts to being the chosen route. • If there is no alternative route, the route does not change. If th[...]
-
Página 169
Figure 4.7. A Route Load Balancing Scenario We first need to define two routes to these two ISPs in the main routing table as shown below: Route No. Interface Destination Gateway Metric 1 WAN1 all-nets GW1 100 2 WAN2 all-nets GW2 100 We will not use the spillover algorithm in this example so the routing metric for both routes should be the same, in[...]
-
Página 170
In this example, the details of the RLB scenario described above will be implemented. The assumption is made that the various IP address book objects needed have already been defined. The IP objects WAN1 and WAN2 represent the interfaces that connect to the two ISPs and the IP objects GW1 and GW2 represent the IP addresses of the gateway routers at[...]
-
Página 171
4.5. OSPF The feature called Dynamic Routing is implemented with NetDefendOS using the OSPF architecture. This section begins by looking generally at what dynamic routing is and how it can be implemented. It then goes on to look at how OSPF can provide dynamic routing followed by a description of how a simple OSPF network can be set up. 4.5.1. Dyna[...]
-
Página 172
Each router broadcasts its attached links and link costs to all other routers in the network. When a router receives these broadcasts it runs the LS algorithm and calculates its own set of least-cost paths. Any change of the link state will be sent everywhere in the network, so that all routers keep the same routing table information and have a con[...]
-
Página 173
allows B 's routing table information to be automatically shared with A . In the same way, OSPF allows firewall B to automatically become aware that network X is attached to firewall A . Under OSPF, this exchange of routing information is completely automatic. OSPF Provides Route Redundancy If we now take the above scenario and add a third Net[...]
-
Página 174
Routing metrics are the criteria that a routing algorithm will use to compute the "best" route to a destination. A routing protocol relies on one or several metrics to evaluate links across a network and to determine the optimal path. The principal metrics used include: Path length The sum of the costs associated with each link. A commonl[...]
-
Página 175
Authentication. All OSPF protocol exchanges can, if required, be authenticated. This means that only routers with the correct authentication can join an AS. Different authentication schemes can be used and with NetDefendOS the scheme can be either a passphrase or an MD5 digest. It is possible to configure separate authentication methods for each AS[...]
-
Página 176
the priorities advertised by all the routers. If there is already a DR on the network, the router will accept that one, regardless of its own router priority. With NetDefendOS, the DR and the BDR are automatically assigned. Neighbors Routers that are in the same area become neighbors in that area. Neighbors are elected by the use of Hello messages.[...]
-
Página 177
This virtual link is established between two Area Border Routers (ABRs) that are on one common area, with one of the ABRs connected to the backbone area. In the example below two routers are connected to the same area (Area 1) but just one of them, fw1 , is connected physically to the backbone area. Figure 4.10. Virtual Links Connecting Areas In th[...]
-
Página 178
Figure 4.11. Virtual Links with Partitioned Backbone The virtual link is configured between fw1 and fw2 on Area 1 as it is used as the transit area. In the configuration, only the Router ID has to be configured, as in the example above show fw2 need to have a virtual link to fw1 with the Router ID 192.168.1.1 and vice versa. These virtual links nee[...]
-
Página 179
The key aspect of an OSPF setup is that connected NetDefend Firewalls share the information in their routing tables so that traffic entering an interface on one of the firewalls can be automatically routed so that it exits the interface on another gateway which is attached to the correct destination network. Another important aspect is that the fir[...]
-
Página 180
not the cluster. Note When running OSPF on a HA Cluster there is a need for a private master and private slave Router ID as well as the shared Router ID. Reference Bandwidth Set the reference bandwidth that is used when calculating the default interface cost for routes. If bandwidth is used instead of specifying a metric on an OSPF Interface, the c[...]
-
Página 181
Note: Authentication must be the same on all routers If a passphrase or MD5 authentication is configured for OSPF, the passphrase or authentication key must be the same on all OSPF Routers in that Autonomous System. In other words, the OSPF authentication method must be replicated on all NetDefend Firewalls. Advanced Time Settings SPF Hold Time Spe[...]
-
Página 182
There can only be one backbone area and it forms the central portion of an AS. Routing information that is exchanged between different area always transits the backbone area. Is stub area Enable this option if the area is a stub area. Become Default Router It is possible to configure if the firewall should become the default router for the stub are[...]
-
Página 183
an OSPF Neighbour object. Using VPN tunnels is discussed further in Section 4.5.5, “Setting Up OSPF” . • Point-to-Multipoint - The Point-to-Multipoint interface type is a collection of Point-to-Point networks, where there is more then one router in a link that does not have OSI Layer 2 broadcast/multicast capabilities. Metric Specifies the me[...]
-
Página 184
Sometimes there is a need to include networks into the OSPF routing process, without running OSPF on the interface connected to that network. This is done by enabling the option: No OSPF routers connected to this interface ("Passive") . This is an alternative to using a Dynamic Routing Policy to import static routes into the OSPF routing [...]
-
Página 185
Authentication Use Default For AS Use the values configured in the AS properties page. Note: Linking partitioned backbones If the backbone area is partitioned, a virtual link is used to connect the different parts. In most, simple OSPF scenarios, OSPF VLink objects will not be needed. 4.5.4. Dynamic Routing Rules This section looks at Dynamic Routi[...]
-
Página 186
OSPF Requires at Least an Import Rule By default, NetDefendOS will not import or export any routes. For OSPF to function, it is therefore mandatory to define at least one dynamic routing rule which will be an Import rule. This Import rule specifies the local OSPF Router Process object. This enables the external routes made available in the OSPF AS [...]
-
Página 187
From OSPF AS Specifies the from which OSPF AS (in other words, an OSPF Router Process) the route should be imported from into either a routing table or another AS. From Routing Table Specifies from which routing table a route should be imported into the OSPF AS or copied into another routing table. Destination Interface Specifies if the rule has to[...]
-
Página 188
A Routing Action is used to manipulate and export routing changes to one or more local routing tables. Destination Specifies into which routing table the route changes to the OSPF AS should be imported. Offset Metric Increases the metric by this value. Offset Metric Type 2 Increases the Type 2 router's metric by this value. Limit Metric To Lim[...]
-
Página 189
• The advanced option No OSPF routers connected to this interface must be enabled if the physical interface doesn't connect directly to another OSPF Router (in other words, with another NetDefend Firewall that acts as an OSPF router). For example, the interface may only be connected to a network of clients, in which case the option would be [...]
-
Página 190
OSPF Routing Information Exchange Begins Automatically As the new configurations are created in the above steps and then deployed, OSPF will automatically start and begin exchanging routing information. Since OSPF is a dynamic and distributed system, it does not matter in which order the configurations of the individual firewalls are deployed. When[...]
-
Página 191
This network is used just as a convenience with OSPF setup and will never be associated with a real physical network. 3. Define an OSPF Interface for the tunnel Define an NetDefendOS OSPF Interface object which has the IPsec tunnel for the Interface parameter. Specify the Type parameter to be point-to-point and the Network parameter to be the netwo[...]
-
Página 192
Example 4.7. Creating an OSPF Router Process On the first firewall involved in the OSPF AS, create an OSPF Router Process . Web Interface 1. Go to Routing > OSPF > Add > OSPF Routing Process 2. Specify a suitable name for the process, for example as_0 3. Click OK This should be repeated for all the NetDefend Firewalls that will be part of [...]
-
Página 193
Web Interface 1. Go to Routing > Dynamic Routing Rules > Add > Dynamic Routing Policy Rule 2. Specify a suitable name for the rule. For example, ImportOSPFRoutes . 3. Select the option From OSPF Process 4. Move as0 from Available to Selected 5. Choose all-nets in the ...Or is within filter option 6. Click OK Now, create a Dynamic Routing A[...]
-
Página 194
4.6. Multicast Routing 4.6.1. Overview The Multicast Problem Certain types of Internet interactions, such as conferencing and video broadcasts, require a single client or host to send the same packet to multiple receivers. This could be achieved through the sender duplicating the packet with different receiving IP addresses or by a broadcast of the[...]
-
Página 195
4.6.2. Multicast Forwarding with SAT Multiplex Rules The SAT Multiplex rule is used to achieve duplication and forwarding of packets through more than one interface. This feature implements multicast forwarding in NetDefendOS, where a multicast packet is sent through several interfaces. Note that since this rule overrides the normal routing tables,[...]
-
Página 196
Figure 4.14. Multicast Forwarding - No Address Translation Note: SAT Multiplex rules must have a matching Allow rule Remember to add an Allow rule that matches the SAT Multiplex rule. The matching rule could also be a NAT rule for source address translation (see below) but cannot be a FwdFast or SAT rule. Example 4.12. Forwarding of Multicast Traff[...]
-
Página 197
B. Create an IP rule: 1. Go to Rules > IP Rules > Add > IP Rule 2. Under General enter. • Name: a name for the rule, for example Multicast_Multiplex • Action: Multiplex SAT • Service: multicast_service 3. Under Address Filter enter: • Source Interface: wan • Source Network: 192.168.10.1 • Destination Interface: core • Destina[...]
-
Página 198
Figure 4.15. Multicast Forwarding - Address Translation This scenario is based on the previous scenario but this time the multicast group is translated. When the multicast streams 239.192.10.0/24 are forwarded through the if2 interface, the multicast groups should be translated into 237.192.10.0/24 . No address translation should be made when forwa[...]
-
Página 199
• Action: Multiplex SAT • Service: multicast_service 3. Under Address Filter enter: • Source Interface: wan • Source Network: 192.168.10.1 • Destination Interface: core • Destination Network: 239.192.10.0/24 4. Click the Multiplex SAT tab 5. Add interface if1 but leave the IPAddress empty 6. Add interface if2 but this time, enter 237.19[...]
-
Página 200
Figure 4.16. Multicast Snoop Mode Figure 4.17. Multicast Proxy Mode In Snoop Mode , the NetDefend Firewall will act transparently between the hosts and another IGMP router. It will not send any IGMP Queries. It will only forward queries and reports between the other router and the hosts. In Proxy Mode , the firewall will act as an IGMP router towar[...]
-
Página 201
Example 4.14. IGMP - No Address Translation The following example requires a configured interface group IfGrpClients including interfaces if1 , if2 and if3 . The ip address of the upstream IGMP router is known as UpstreamRouterIP. Two rules are needed. The first one is a report rule that allows the clients behind interfaces if1, if2 and if3 to subs[...]
-
Página 202
4.6.3.2. IGMP Rules Configuration - Address Translation The following examples illustrates the IGMP rules needed to configure IGMP according to the Address Translation scenario described above in Section 4.6.2.2, “Multicast Forwarding - Address Translation Scenario” . We need two IGMP report rules, one for each client interface. The interface i[...]
-
Página 203
• Destination Network: auto • Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.0/24 4. Click OK Example 4.16. if2 Configuration - Group Translation The following steps needs to be executed to create the report and query rule pair for if2 which translates the multicast group. Note that the group translated therefore the IGMP report[...]
-
Página 204
• Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.0/24 4. Click OK Advanced IGMP Settings There are a number of IGMP advanced settings which are global and apply to all interfaces which do not have IGMP settings explicitly specified for them. 4.6.4. Advanced IGMP Settings Auto Add Multicast Core Route This setting will automaticall[...]
-
Página 205
group-and-source specific query. Global setting on interfaces without an overriding IGMP Setting. Default: 5,000 IGMP Max Total Requests The maximum global number of IGMP messages to process each second. Default: 1000 IGMP Max Interface Requests The maximum number of requests per interface and second. Global setting on interfaces without an overrid[...]
-
Página 206
The time in milliseconds between repetitions of an initial membership report. Global setting on interfaces without an overriding IGMP Setting. Default: 1,000 4.6.4. Advanced IGMP Settings Chapter 4. Routing 206[...]
-
Página 207
4.7. Transparent Mode 4.7.1. Overview Transparent Mode Usage The NetDefendOS Transparent Mode feature allows a NetDefend Firewall to be placed at a point in a network without any reconfiguration of the network and without hosts being aware of its presence. All NetDefendOS features can then be used to monitor and manage traffic flowing through that [...]
-
Página 208
the OSI model. If the firewall is placed into a network for the first time, or if network topology changes, the routing configuration must therefore be checked and adjusted to ensure that the routing table is consistent with the new layout. Reconfiguration of IP settings may be required for pre-existing routers and protected servers. This works wel[...]
-
Página 209
the network. Discovery is done by NetDefendOS sending out ARP as well as ICMP (ping) requests, acting as the initiating sender of the original IP packet for the destination on the interfaces specified in the Switch Route . If an ARP reply is received, NetDefendOS will update the CAM table and Layer 3 Cache and forward the packet to the destination.[...]
-
Página 210
routing table will be connected together by NetDefendOS and no matter how interfaces are associated with the switch routes, transparency will exist between them. For example, if the interfaces if1 to if6 appear in a switch routes in routing table A , the resulting interconnections will be as illustrated below. Connecting together switch routes in t[...]
-
Página 211
mode. Two VLAN interfaces with the same VLAN ID are defined on the two physical interfaces and they are called vlan5_if1 and vlan5_if2 . For the VLAN to operate in transparent mode we create a routing table with the ordering set to only and which contains the following 2 switch routes: Network Interface all-nets vlan5_if1 all-nets vlan5_if2 Instead[...]
-
Página 212
Figure 4.18. Non-transparent Mode Internet Access The non-switch route usually needed to allow Internet access would be: Route type Interface Destination Gateway Non-switch if1 all-nets gw-ip Now lets suppose the NetDefend Firewall is to operate in transparent mode between the users and the ISP. The illustration below shows how, using switch routes[...]
-
Página 213
If the IP addresses that need to be reached by NetDefendOS are 85.12.184.39 and 194.142.215.15 then the complete routing table for the above example would be: Route type Interface Destination Gateway Switch if1 all-nets Switch if2 all-nets Non-switch if1 85.12.184.39 gw-ip Non-switch if1 194.142.215.15 gw-ip The appropriate IP rules will also need [...]
-
Página 214
Figure 4.20. Transparent Mode Scenario 1 Example 4.17. Setting up Transparent Mode for Scenario 1 Web Interface Configure the interfaces: 1. Go to Interfaces > Ethernet > Edit (wan) 2. Now enter: • IP Address: 10.0.0.1 • Network: 10.0.0.0/24 • Default Gateway: 10.0.0.1 • Transparent Mode: Enable 3. Click OK 4. Go to Interfaces > Et[...]
-
Página 215
• Source Interface: lan • Destination Interface: any • Source Network: 10.0.0.0/24 • Destination Network: all-nets (0.0.0.0/0) 3. Click OK Scenario 2 Here the NetDefend Firewall in Transparent Mode separates server resources from an internal network by connecting them to a separate interface without the need for different address ranges. Al[...]
-
Página 216
1. Go to Interfaces > Ethernet > Edit (lan) 2. Now enter: • IP Address: 10.0.0.1 • Network: 10.0.0.0/24 • Transparent Mode: Disable • Add route for interface network: Disable 3. Click OK 4. Go to Interfaces > Ethernet > Edit (dmz) 5. Now enter: • IP Address: 10.0.0.2 • Network: 10.0.0.0/24 • Transparent Mode: Disable • A[...]
-
Página 217
3. Click OK 4. Go to Rules > IP Rules > Add > IPRule 5. Now enter: • Name: HTTP-WAN-to-DMZ • Action: SAT • Service: http • Source Interface: wan • Destination Interface: dmz • Source Network: all-nets • Destination Network: wan_ip • Translate: Select Destination IP • New IP Address: 10.1.4.10 6. Click OK 7. Go to Rules &g[...]
-
Página 218
Figure 4.22. An Example BPDU Relaying Scenario Implementing BPDU Relaying The NetDefendOS BDPU relaying implementation only carries STP messages. These STP messages can be of three types: • Normal Spanning Tree Protocol (STP) • Rapid Spanning Tree Protocol (RSTP) • Multiple Spanning Tree Protocol (MSTP) • Cisco proprietary PVST+ Protocol (P[...]
-
Página 219
Default: Enabled Decrement TTL Enable this if the TTL should be decremented each time a packet traverses the firewall in Transparent Mode. Default: Disabled Dynamic CAM Size This setting can be used to manually configure the size of the CAM table. Normally Dynamic is the preferred value to use. Default: Dynamic CAM Size If the Dynamic CAM Size sett[...]
-
Página 220
Null Enet Sender Defines what to do when receiving a packet that has the sender hardware (MAC) address in Ethernet header set to null (0000:0000:0000). Options: • Drop - Drop packets • DropLog - Drop and log packets Default: DropLog Broadcast Enet Sender Defines what to do when receiving a packet that has the sender hardware (MAC) address in Et[...]
-
Página 221
• Drop - Drop the packets • DropLog - Drop packets log the event Default: Drop Relay MPLS When set to Ignore all incoming MPLS packets are relayed in transparent mode. Options: • Ignore - Let the packets pass but do not log • Log - Let the packets pass and log the event • Drop - Drop the packets • DropLog - Drop packets log the event De[...]
-
Página 222
4.7.5. Advanced Settings for Transparent Mode Chapter 4. Routing 222[...]
-
Página 223
Chapter 5. DHCP Services This chapter describes DHCP services in NetDefendOS. • Overview, page 223 • DHCP Servers, page 224 • DHCP Relaying, page 230 • IP Pools, page 233 5.1. Overview Dynamic Host Configuration Protocol (DHCP) is a protocol that allows network administrators to automatically assign IP numbers to computers on a network. IP [...]
-
Página 224
5.2. DHCP Servers DHCP servers assign and manage the IP addresses taken from a specified address pool. In NetDefendOS, DHCP servers are not limited to serving a single range of IP addresses but can use any IP address range that can be specified by a NetDefendOS IP address object. Multiple DHCP Servers The administrator has the ability to set up one[...]
-
Página 225
The following options can be configured for a DHCP server: General Parameters Name A symbolic name for the server. Used as an interface reference but also used as a reference in log messages. Interface Filter The source interface on which NetDefendOS will listen for DHCP requests. This can be a single interface or a group of interfaces. IP Address [...]
-
Página 226
This example shows how to set up a DHCP server called DHCPServer1 which assigns and manages IP addresses from an IP address pool called DHCPRange1 . This example assumes that an IP range for the DHCP Server has already been created. Command-Line Interface gw-world:/> add DHCPServer DHCPServer1 Interface=lan IPAddressPool=DHCPRange1 Netmask=255.2[...]
-
Página 227
The asterisk " * " before a MAC address means that the DHCP server does not track the client using the MAC address but instead tracks the client through a client identifier which the client has given to the server. Tip: Lease database saving DHCP leases are, by default, remembered by NetDefendOS between system restarts. The DHCP advanced [...]
-
Página 228
can be specified as this parameter. The option exists to also specify if the identifier will be sent as an ASCII or Hexadecimal value. Example 5.3. Static DHCP Host Assignment This example shows how to assign the IP address 192.168.1.1 to the MAC address 00-90-12-13-14-15 . The examples assumes that the DHCP server DHCPServer1 has already been defi[...]
-
Página 229
Custom Option Parameters The following parameters can be set for a custom option: Code This is the code that describes the type of information being sent to the client. A large list of possible codes exists. Type This describes the type of data which will be sent. For example, if the type is String then the data is a character string. Data This is [...]
-
Página 230
5.3. DHCP Relaying The DHCP Problem With DHCP, clients send requests to locate the DHCP server(s) using broadcast messages. However, broadcasts are normally only propagated across the local network. This means that the DHCP server and client always need to be on the same physical network. In a large Internet-like network topology, this means there [...]
-
Página 231
• Name: ipgrp-dhcp • Interfaces : select vlan1 and vlan2 from the Available list and put them into the Selected list. 3. Click OK Adding a DHCP relayer called as vlan-to-dhcpserver : 1. Go to System > DHCP > Add > DHCP Relay 2. Now enter: • Name: vlan-to-dhcpserver • Action: Relay • Source Interface: ipgrp-dhcp • DHCP Server to[...]
-
Página 232
will be reduced down to this value. Default: 10000 seconds Max Auto Routes How many relays that can be active at the same time. Default: 256 Auto Save Policy What policy should be used to save the relay list to the disk, possible settings are Disabled , ReconfShut ,o r ReconfShutTimer . Default: ReconfShut Auto Save Interval How often, in seconds, [...]
-
Página 233
5.4. IP Pools Overview An IP pool is used to offer other subsystems access to a cache of DHCP IP addresses. These addresses are gathered into a pool by internally maintaining a series of DHCP clients (one DHCP client per IP address). More than one DHCP server can be used by a pool and can either be external or be local DHCP servers defined in NetDe[...]
-
Página 234
Receive Interface A "simulated" virtual DHCP server receiving interface. This setting is used to simulate a receiving interface when an IP pool is obtaining IP addresses from internal DHCP servers. This is needed since the filtering criteria of a DHCP server includes a Receive Interface . An internal DHCP server cannot receive requests fr[...]
-
Página 235
Other options in the ippool command allow the administrator to change the pool size and to free up IP addresses. The complete list of command options can be found in the CLI Reference Guide. Example 5.5. Creating an IP Pool This example shows the creation of an IP Pool object that will use the DHCP server on IP address 28.10.14.1 with 10 prefetched[...]
-
Página 236
5.4. IP Pools Chapter 5. DHCP Services 236[...]
-
Página 237
Chapter 6. Security Mechanisms This chapter describes NetDefendOS security features. • Access Rules, page 237 • ALGs, page 240 • Web Content Filtering, page 292 • Anti-Virus Scanning, page 309 • Intrusion Detection and Prevention, page 315 • Denial-of-Service Attack Prevention, page 326 • Blacklisting Hosts and Networks, page 331 6.1.[...]
-
Página 238
6.1.2. IP Spoofing Traffic that pretends it comes from a trusted host can be sent by an attacker to try and get past a firewall's security mechanisms. Such an attack is commonly known as Spoofing . IP spoofing is one of the most common spoofing attacks. Trusted IP addresses are used to bypass filtering. The header of an IP packet indicating th[...]
-
Página 239
If, for some reason, the Default Access Rule log message is continuously being generated by some source and needs to be turned off, then the way to do this is to specify an Access Rule for that source with an action of Drop . Troubleshooting Access Rule Related Problems It should be noted that Access Rules are a first filter of traffic before any o[...]
-
Página 240
6.2. ALGs 6.2.1. Overview To complement low-level packet filtering, which only inspects packet headers in protocols such as IP, TCP, UDP, and ICMP, NetDefend Firewalls provide Application Layer Gateways (ALGs) which provide filtering at the higher application OSI level. An ALG object acts as a mediator in accessing commonly used Internet applicatio[...]
-
Página 241
Maximum Connection Sessions The service associated with an ALG has a configurable parameter associated with it called Max Sessions and the default value varies according to the type of ALG. For instance, the default value for the HTTP ALG is 1000 . This means that a 1000 connections are allowed in total for the HTTP service across all interfaces. T[...]
-
Página 242
Anti-Virus scanning, if it is enabled, is always applied to the HTTP traffic even if it is whitelisted. These features are described in depth in Section 6.3.3, “Static Content Filtering” . • Dynamic Content Filtering - Access to specific URLs can be allowed or blocked according to policies for certain types of web content. Access to news site[...]
-
Página 243
Note: Similarities with other NetDefendOS features The Verify MIME type and Allow/Block Selected Types options work in the same way for the FTP, POP3 and SMTP ALGs. • Download File Size Limit - A file size limit can additionally be specified for any single download (this option is available only for HTTP and SMTP ALG downloads). The Ordering for [...]
-
Página 244
equivalent to a large number of possible URLs. The wildcard character " * " can be used to represent any sequence of characters. For example, the entry *.some_domain.com will block all pages whose URLs end with some_domain.com . If we want to now explicitly allow one particular page then this can be done with an entry in the whitelist of [...]
-
Página 245
Consider a scenario where an FTP client on the internal network connects through the firewall to an FTP server on the Internet. The IP rule is then configured to allow network traffic from the FTP client to port 21 on the FTP server. When active mode is used, NetDefendOS doesn't know that the FTP server will establish a new connection back to [...]
-
Página 246
Figure 6.3. FTP ALG Hybrid Mode Note: Hybrid conversion is automatic Hybrid mode does not need to enabled. The conversion between modes occurs automatically within the FTP ALG. Connection Restriction Options The FTP ALG has two options to restrict which type of mode the FTP client and the FTP server can use: • Allow the client to use active mode.[...]
-
Página 247
• Allow the SITE EXEC command to be sent to an FTP server by a client. • Allow the RESUME command even if content scanning terminated the connection. Note: Some commands are never allowed Some commands, such as encryption instructions, are never allowed. Encryption would mean that the FTP command channel could not be examined by the ALG and the[...]
-
Página 248
The NetDefendOS Anti-Virus subsystem can be enabled to scan all FTP downloads searching for malicious code. Suspect files can be de dropped or just logged. This feature is common to a number of ALGs and is described fully in Section 6.4, “Anti-Virus Scanning” . FTP ALG with ZoneDefense Used together with the FTP ALG, ZoneDefense can be configur[...]
-
Página 249
In this case, we will set the FTP ALG restrictions as follows. • Enable the Allow client to use active mode FTP ALG option so clients can use both active and passive modes. • Disable the Allow server to use passive mode FTP ALG option. This is more secure for the server as it will never receive passive mode data. The FTP ALG will handle all con[...]
-
Página 250
• ALG: select ftp-inbound created above 3. Click OK C. Define a rule to allow connections to the public IP on port 21 and forward that to the internal FTP server: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: SAT-ftp-inbound • Action: SAT • Service: ftp-inbound-service 3. For Address Filter enter: • Source Interf[...]
-
Página 251
• Source Interface: any • Destination Interface: core • Source Network: all-nets • Destination Network: wan_ip 4. Click OK Example 6.3. Protecting FTP Clients In this scenario shown below the NetDefend Firewall is protecting a workstation that will connect to FTP servers on the Internet. In this case, we will set the FTP ALG restrictions as[...]
-
Página 252
2. Enter Name: ftp-outbound 3. Uncheck Allow client to use active mode 4. Check Allow server to use passive mode 5. Click OK B. Create the Service 1. Go to Objects > Services > Add > TCP/UDP Service 2. Now enter: • Name: ftp-outbound-service • Type: select TCP from the dropdown list • Destination: 21 (the port the ftp server resides [...]
-
Página 253
• Destination Interface: wan • Source Network: lannet • Destination Network: all-nets 4. Check Use Interface Address 5. Click OK Setting Up FTP Servers with Passive Mode An important point about FTP server setup needs to be made if the FTP ALG is being used along with passive mode. Usually, the FTP server will be protected behind the NetDefen[...]
-
Página 254
TFTP Request Options As long as the Remove Request Option described above is set to false (options are not removed) then the following request option settings can be applied: Maximum Blocksize The maximum blocksize allowed can be specified. The allowed range is 0 to 65,464 bytes. The default value is 65,464 bytes. Maximum File Size The maximum size[...]
-
Página 255
The administrator should therefore add a reasonable margin above the anticipated email size when setting this limit. Email address blacklisting A blacklist of sender or recipient email addresses can be specified so that mail from/to those addresses is blocked. The blacklist is applied after the whitelist so that if an address matches a whitelist en[...]
-
Página 256
Figure 6.4. SMTP ALG Processing Order Using Wildcards in White and Blacklists Entries made in the white and blacklists can make use of wildcarding to have a single entry cover a large number of potential email addresses. The wildcard character " * " can be used to represent any sequence of characters. For instance, the address entry *@som[...]
-
Página 257
capa=PIPELINING To indicate that the pipelining extension was removed from the SMTP server reply to an EHLO client command. Although ESMTP extensions may be removed by the ALG and related log messages generated, this does not mean that any emails are dropped . Email transfers will take place as usual but without making use of unsupported extensions[...]
-
Página 258
• Dropping email which has a very high probability of being spam. • Letting through but flagging email that has a moderate probability of being spam. The NetDefendOS Anti-Spam Implementation SMTP functions as a protocol for sending emails between servers. NetDefendOS applies Spam filtering to emails as they pass through the NetDefend Firewall f[...]
-
Página 259
servers are queried to assess the likelihood that the email is Spam, based on its origin address. The NetDefendOS administrator assigns a weight greater than zero to each configured server so that a weighted sum can then be calculated based on all responses. The administrator can configure one of the following actions based on the weighted sum calc[...]
-
Página 260
And this is what the email's recipient will see in the summary of their inbox contents. The individual user could then decide to set up their own filters in the local client to deal with such tagged emails, possibly sending it to a separate folder. Adding X-Spam Information If an email is determined to be Spam and a forwarding address is confi[...]
-
Página 261
Logging There are three types of logging done by the Spam filtering module: • Logging of dropped or Spam tagged emails - These log messages include the source email address and IP as well as its weighted points score and which DNSBLs caused the event. • DNSBLs not responding - DNSBL query timeouts are logged. • All defined DNBSLs stop respond[...]
-
Página 262
For the DNSBL subsystem overall: • Number of emails checked. • Number of emails Spam tagged. • Number of dropped emails. For each DNSBL server accessed: • Number of positive (is Spam) responses from each configured DNSBL server. • Number of queries sent to each configured DNSBL server. • Number of failed queries (without replies) for ea[...]
-
Página 263
BlackList: zen.spamhaus.org Status : active Weight value : 25 Number of mails checked : 56 Number of matches in list : 3 Number of failed checks (times disabled) : 0 To clean out the dnsbl cache for my_smtp_alg and to reset all its statistical counters, the following command option can be used: gw-world:/> dnsbl my_smtp_alg -clean Tip: DNSBL ser[...]
-
Página 264
can be dropped or just logged. This feature is common to a number of ALGs and is described fully in Section 6.4, “Anti-Virus Scanning” . 6.2.7. The PPTP ALG Why the PPTP ALG is Needed The PPTP ALG is provided to deal with a specific issue when PPTP tunnels are used with NAT. Let us suppose we have two clients A and B on a protected inner networ[...]
-
Página 265
pptp-ctl can be used for this purpose. Alternatively, a new custom service object can be defined, for example called pptp_service . The service must have the following characteristics: i. Select the Type (the protocol) as TCP . ii. The Source port range can be the default of 0-65535 . iii. Set the Destination port to be 1723 . iv. Select the ALG to[...]
-
Página 266
Note: Traffic shaping will not work with the SIP ALG Any traffic connections that trigger an IP rule with a service object that uses the SIP ALG cannot be also subject to traffic shaping. SIP Components The following components are the logical building blocks for SIP communication: User Agents These are the end points or clients that are involved i[...]
-
Página 267
Maximum Sessions per ID The number of simultaneous sessions that a single client can be involved with is restricted by this value. The default number is 5 . Maximum Registration Time The maximum time for registration with a SIP Registrar. The default value is 3600 seconds. SIP Signal Timeout The maximum time allowed for SIP sessions. The default va[...]
-
Página 268
(sometimes described as SIP pinholes ) for allowing the media data traffic to flow through the NetDefend Firewall. Tip Make sure there are no preceding rules already in the IP rule set disallowing or allowing the same kind of traffic. SIP Usage Scenarios NetDefendOS supports a variety of SIP usage scenarios. The following three scenarios cover near[...]
-
Página 269
The SIP proxy in the above diagram could alternatively be located remotely across the Internet. The proxy should be configured with the Record-Route feature enabled to insure all SIP traffic to and from the office clients will be sent through the SIP Proxy. This is recommended since the attack surface is minimized by allowing only SIP signalling fr[...]
-
Página 270
sends its own IP address as contact information to the SIP proxy. NetDefendOS registers the client's local contact information and uses this to redirect incoming requests to the user. The ALG takes care of the address translations needed. 4. Ensure the clients are correctly configured. The SIP Proxy Server plays a key role in locating the curr[...]
-
Página 271
This scenario can be implemented in two ways: • Using NAT to hide the network topology. • Without NAT so the network topology is exposed. Solution A - Using NAT Here, the proxy and the local clients are hidden behind the IP address of the NetDefend Firewall. The setup steps are as follows: 1. Define a single SIP ALG object using the options des[...]
-
Página 272
If Record-Route is enabled then the Source Network for outbound traffic from proxy users can be further restricted in the above rules by using " ip_proxy " as indicated. When an incoming call is received, the SIP ALG will follow the SAT rule and forward the SIP request to the proxy server. The proxy will in turn, forward the request to it[...]
-
Página 273
The exchanges illustrated are as follows: • 1,2 - An initial INVITE is sent to the outbound local proxy server on the DMZ. • 3,4 - The proxy server sends the SIP messages towards the destination on the Internet. • 5,6 - A remote client or proxy server replies to the local proxy server. • 7,8 - The local proxy forwards the reply to the local[...]
-
Página 274
DMZ interface as the contact address. • An Allow rule for outbound traffic from the proxy behind the DMZ interface to the remote clients on the Internet. • An Allow rule for inbound SIP traffic from the SIP proxy behind the DMZ interface to the IP address of the NetDefend Firewall. This rule will have core (in other words, NetDefendOS itself) a[...]
-
Página 275
• Destination Port set to 5060 (the default SIP signalling port) • Type set to TCP/UDP 3. Define four rules in the IP rule set: • An Allow rule for outbound traffic from the clients on the internal network to the proxy located on the DMZ interface. • An Allow rule for outbound traffic from the proxy behind the DMZ interface to the remote cl[...]
-
Página 276
Gateways An H.323 gateway connects two dissimilar networks and translates traffic between them. It provides connectivity between H.323 networks and non-H.323 networks such as public switched telephone networks (PSTN), translating protocols and converting media streams. A gateway is not required for communication between two H.323 terminals. Gatekee[...]
-
Página 277
• The H.323 ALG supports version 5 of the H.323 specification. This specification is built upon H.225.0 v5 and H.245 v10. • In addition to support voice and video calls, the H.323 ALG supports application sharing over the T.120 protocol. T.120 uses TCP to transport data while voice and video is transported over UDP. • To support gatekeepers, [...]
-
Página 278
Web Interface Outgoing Rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323AllowOut • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing calls 3. Click OK Incoming Rule: 1. Go t[...]
-
Página 279
Example 6.5. H.323 with private IP addresses In this scenario a H.323 phone is connected to the NetDefend Firewall on a network with private IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules. The following[...]
-
Página 280
• Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: Allow incoming calls to H.323 phone at ip-phone 3. Click OK To place a call to the phone behind the NetDefend Firewall, place a call to the external IP address on the firewall. If multiple H.323 phones [...]
-
Página 281
Incoming Rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323AllowIn • Action: Allow • Service: H323 • Source Interface: any • Destination Interface: lan • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: lannet • Comment: Allow incoming calls 3. Click OK Example 6.7. Using Private IP Address[...]
-
Página 282
• Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: Allow incoming calls to H.323 phone at ip-phone 3. For SAT enter Translate Destination IP Address: To New IP Address: ip-phone (IP address of phone) 4. Click OK 1. Go to Rules [...]
-
Página 283
Web Interface Incoming Gatekeeper Rules: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323In • Action: SAT • Service: H323-Gatekeeper • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: SAT rule [...]
-
Página 284
2. Now enter: • Name: H323In • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gatekeeper (IP address of the gatekeeper) • Comment: Allow incoming communication with the Gatekeeper 3. Click OK Note: Outgoing calls do not need a specific [...]
-
Página 285
2. Now enter: • Name: H323Out • Action: NAT • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing communication with a gatekeeper 3. Click OK Note: Outgoing calls do not need a specific rule There is no need to sp[...]
-
Página 286
The head office has placed a H.323 Gatekeeper in the DMZ of the corporate NetDefend Firewall. This firewall should be configured as follows: Web Interface 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: LanToGK • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: dmz • Sourc[...]
-
Página 287
• Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gateway • Comment: Allow H.323 entities on lannet to call phones connected to the H.323 Gateway on the DMZ 3. Click OK 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: GWToLan • Action: Allow • Service: H323[...]
-
Página 288
3. Click OK Example 6.11. Configuring remote offices for H.323 If the branch and remote office H.323 phones and applications are to be configured to use the H.323 Gatekeeper at the head office, the NetDefend Firewalls in the remote and branch offices should be configured as follows: (this rule should be in both the Branch and Remote Office firewall[...]
-
Página 289
the communication between "external" phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper. 6.2.10. The TLS ALG Overview Transport Layer Security (TLS) is a protocol that provides secure communications over the public Internet between two end poin[...]
-
Página 290
Figure 6.7. TLS Termination Advantages of Using NetDefendOS for TLS Termination TLS can be implemented directly in the server to which clients connect, however, if the servers are protected behind a NetDefend Firewall, then NetDefendOS can take on the role of the TLS endpoint. NetDefendOS then performs TLS authentication, encryption and unencryptio[...]
-
Página 291
4. Associate the TLS ALG object with the newly created service object. 5. Create a NAT or Allow IP rule for the targeted traffic and associate the custom service object with it. 6. Optionally, a SAT rule can be created to change the destination port for the unencrypted traffic. Alternatively an SLB_SAT rule can be used to do load balancing (the des[...]
-
Página 292
6.3. Web Content Filtering 6.3.1. Overview Web traffic is one of the biggest sources for security issues and misuse of the Internet. Inappropriate surfing habits can expose a network to many security threats as well as legal and regulatory liabilities. Productivity and Internet bandwidth can also be impaired. Filtering Mechanisms Through the HTTP A[...]
-
Página 293
Removing such legitimate code could, at best, cause the web site to look distorted, at worst, cause it to not work in a browser at all. Active Content Handling should therefore only be used when the consequences are well understood. Example 6.13. Stripping ActiveX and Java applets This example shows how to configure a HTTP Application Layer Gateway[...]
-
Página 294
*/*.gif Good. This will block all files with .gif as the file name extension. www.example.com Bad. This will only block the first request to the web site. Surfing to www.example.com/index.html , for example, will not be blocked. *example.com/* Bad. This will also cause www.myexample.com to be blocked since it blocks all sites ending with example.co[...]
-
Página 295
6. Enter */*.exe in the URL textbox 7. Click OK Finally, make an exception from the blacklist by creating a whitelist: 1. Go to Objects > ALG 2. In the table, click on the recently created HTTP ALG to view its properties 3. Click the HTTP URL tab 4. Now click Add and select HTTP ALG URL from the menu 5. Select Whitelist as the Action 6. In the U[...]
-
Página 296
community, such as a group of university students, often surfs to a limited range of websites. Figure 6.8. Dynamic Content Filtering Flow If the requested web page URL is not present in the databases, then the webpage content at the URL will automatically be downloaded to D-Link's central data warehouse and automatically analyzed using a combi[...]
-
Página 297
Activation Dynamic Content Filtering is a feature that is enabled by taking out a separate subscription to the service. This is an addition to the normal NetDefendOS license. Once a subscription is taken out, an HTTP Application Layer Gateway (ALG) Object should be defined with Dynamic Content Filtering enabled. This object is then associated with [...]
-
Página 298
1. Go to Objects > ALG > Add > HTTP ALG 2. Specify a suitable name for the ALG, for example content_filtering 3. Click the Web Content Filtering tab 4. Select Enabled in the Mode list 5. In the Blocked Categories list, select Search Sites and click the >> button. 6. Click OK Then, create a service object using the new HTTP ALG: 1. Go[...]
-
Página 299
easier to evaluate if the goals of site blocking are being met. Example 6.16. Enabling Audit Mode This example is based on the same scenario as the previous example, but now with audit mode enabled. Command-Line Interface First, create an HTTP Application Layer Gateway (ALG) Object: gw-world:/> add ALG ALG_HTTP content_filtering WebContentFilter[...]
-
Página 300
manually propose a new classification of sites. This mechanism can be enabled on a per-HTTP ALG level, which means that you can choose to enable this functionality for regular users or for a selected user group only. If reclassification is enabled and a user requests a web site which is disallowed, the block web page will include a dropdown list co[...]
-
Página 301
of each category. Category 1: Adult Content A web site may be classified under the Adult Content category if its content includes the description or depiction of erotic or sexual acts or sexually oriented material such as pornography. Exceptions to this are web sites that contain information relating to sexuality and sexual health, which may be cla[...]
-
Página 302
• www.flythere.nu • www.reallycheaptix.com.au Category 6: Shopping A web site may be classified under the Shopping category if its content includes any form of advertisement of goods or services to be exchanged for money, and may also include the facilities to perform that transaction online. Included in this category are market promotions, cat[...]
-
Página 303
computer game related software, or playing or participating in online games. Examples might be: • www.gamesunlimited.com • www.gameplace.com Category 11: Investment Sites A web site may be classified under the Investment Sites category if its content includes information, services or facilities pertaining to personal investment. URLs in this ca[...]
-
Página 304
• www.political.com Category 16: Sports A web site may be classified under the Sports category if its content includes information or instructions relating to recreational or professional sports, or reviews on sporting events and sports scores. Examples might be: • www.sportstoday.com • www.soccerball.com Category 17: www-Email Sites A web si[...]
-
Página 305
Category 21: Health Sites A web site may be classified under the Health Sites category if its content includes health related information or services, including sexuality and sexual health, as well as support groups, hospital and surgical information and medical journals. Examples might be: • www.thehealthzone.com • www.safedrugs.com Category 2[...]
-
Página 306
• highschoolessays.org • www.learn-at-home.com Category 27: Advertising A web site may be classified under the Advertising category if its main focus includes providing advertising related information or services. Examples might be: • www.admessages.com • www.tripleclick.com Category 28: Drugs/Alcohol A web site may be classified under the [...]
-
Página 307
Category 32: Non-Managed Unclassified sites and sites that do not fit one of the other categories will be placed in this category. It is unusual to block this category since this could result in most harmless URLs being blocked. 6.3.4.4. Customizing HTML Pages Dynamic Web Content filtering make use of a set of HTML files to present information to t[...]
-
Página 308
Tip: Saving changes In the above example, more than one HTML file can be edited in a session but the Save button should be pressed to save any edits before beginning editing on another file. Uploading with SCP It is possible to upload new HTTP Banner files using SCP. The steps to do this are: 1. Since SCP cannot be used to download the original def[...]
-
Página 309
6.4. Anti-Virus Scanning 6.4.1. Overview The NetDefendOS Anti-Virus module protects against malicious code carried in file downloads. Files may be downloaded as part of a web-page in an HTTP transfer, in an FTP download, or perhaps as an attachment to an email delivered through SMTP. Malicious code in such downloads can have different intents rangi[...]
-
Página 310
Types of File Downloads Scanned As described above, Anti-Virus scanning is enabled on a per ALG basis and can scan file downloads associated with the HTTP, FTP, SMTP and POP3 ALGs. More specifically: • Any uncompressed file type transferred through these ALGs can be scanned. • If the download has been compressed, ZIP and GZIP file downloads can[...]
-
Página 311
6.4.4. The Signature Database SafeStream NetDefendOS Anti-Virus scanning is implemented by D-Link using the "SafeStream" virus signature database. The SafeStream database is created and maintained by Kaspersky, a company which is a world leader in the field of virus detection. The database provides protection against virtually all known v[...]
-
Página 312
the excluded list is checked. 3. Compression Ratio Limit When scanning compressed files, NetDefendOS must apply decompression to examine the file's contents. Some types of data can result in very high compression ratios where the compressed file is a small fraction of the original uncompressed file size. This can mean that a comparatively smal[...]
-
Página 313
3. This reconfiguration causes a failover so the passive unit becomes the active unit. 4. When the update is completed, the newly active unit also downloads the files for the update and performs a reconfiguration. 5. This second reconfiguration causes another failover so the passive unit reverts back to being active again. These steps result in bot[...]
-
Página 314
Web Interface A. First, create an HTTP ALG Object: 1. Go to Objects > ALG > Add > HTTP ALG 2. Specify a suitable name for the ALG, for instance anti_virus 3. Click the Antivirus tab 4. Select Protect in the Mode dropdown list 5. Click OK B. Then, create a Service object using the new HTTP ALG: 1. Go to Local Objects > Services > Add [...]
-
Página 315
6.5. Intrusion Detection and Prevention 6.5.1. Overview Intrusion Definition Computer servers can sometimes have vulnerabilities which leave them exposed to attacks carried by network traffic. Worms, trojans and backdoor exploits are examples of such attacks which, if successful, can potentially compromise or take control of a server. A generic ter[...]
-
Página 316
• Maintenance IDP Maintenance IDP is the base IDP system included as standard with the NetDefend DFL 210, 800, 1600 and 2500. Maintenance IDP is a simplified IDP that gives basic protection against IDP attacks. It is upgradeable to the higher level and more comprehensive Advanced IDP which is discussed next. IDP does not come as standard with the[...]
-
Página 317
A new, updated signature database is downloaded automatically by NetDefendOS system at a configurable interval. This is done via an HTTP connection to the D-Link server network which delivers the latest signature database updates. If the server's signature database has a newer version than the current local database, the new database will be d[...]
-
Página 318
HTTP Normalization Each IDP rule has a section of settings for HTTP normalization . This allows the administrator to choose the actions that should be taken when IDP finds inconsistencies in the URIs embedded in incoming HTTP requests. Some server attacks are based on creating URIs with sequences that can exploit weaknesses in some HTTP server prod[...]
-
Página 319
aimed at evading IDP mechanisms. It exploits the fact that in a TCP/IP data transfer, the data stream must often be reassembled from smaller pieces of data because the individual pieces either arrive in the wrong order or are fragmented in some way. Insertions or Evasions are designed to exploit this reassembly process. Insertion Attacks An Inserti[...]
-
Página 320
Signatures In order for IDP to correctly identify an attack, it uses a profile of indicators, or pattern , associated with different types of attack. These predefined patterns, also known as signatures , are stored in a local NetDefendOS database and are used by the IDP module to analyze traffic for attack patterns. Each IDP signature is designated[...]
-
Página 321
least possible number of signatures. Specifying Signature Groups IDP Signature Groups fall into a three level hierarchical structure. The top level of this hierarchy is the signature Type , the second level the Category and the third level the Sub-Category . The signature group called POLICY_DB_MSSQL illustrates this principle where Policy is the T[...]
-
Página 322
IDS_HTTP* and IPS_HTTP* IDP groups would be appropriate for protecting an HTTP server. IDP traffic scanning creates an additional load on the hardware that in most cases should not noticeably degrade performance. Using too many signatures during scanning can make the load on the firewall hardware unnecessarily high, adversely affecting throughput. [...]
-
Página 323
Example 6.20. Configuring an SMTP Log Receiver In this example, an IDP Rule is configured with an SMTP Log Receiver. Once an IDP event occurs, the Rule is triggered. At least one new event occurs within the Hold Time of 120 seconds, thus reaching the log threshold level (at least 2 events have occurred). This results in an email being sent containi[...]
-
Página 324
the firewall on the WAN interface as illustrated below. An IDP rule called IDPMailSrvRule will be created, and the Service to use is the SMTP service. Source Interface and Source Network defines where traffic is coming from, in this example the external network. The Destination Interface and Destination Network define where traffic is directed to, [...]
-
Página 325
• Destination Network: ip_mailserver • Click OK Specify the Action: An action is now defined, specifying what signatures the IDP should use when scanning data matching the rule, and what NetDefendOS should do when a possible intrusion is detected. In this example, intrusion attempts will cause the connection to be dropped, so Action is set to P[...]
-
Página 326
6.6. Denial-of-Service Attack Prevention 6.6.1. Overview By embracing the Internet, enterprises experience new business opportunities and growth. The enterprise network and the applications that run over it are business critical. Not only can a company reach a larger number of customers via the Internet, it can serve them faster and more efficientl[...]
-
Página 327
intended victim. "Jolt" is simply a purpose-written program for generating such packets on operating systems whose ping commands refuse to generate oversized packets. The triggering factor is that the last fragment makes the total packet size exceed 65535 bytes, which is the highest number that a 16-bit integer can store. When the value o[...]
-
Página 328
• By stripping the URG bit by default from all TCP segments traversing the system (configurable via Advanced Settings > TCP > TCPUrg ). WinNuke attacks will usually show up in NetDefendOS logs as normal drops with the name of the rule in your policy that disallowed the connection attempt. For connections allowed through the system, "TC[...]
-
Página 329
6.6.8. TCP SYN Flood Attacks TCP SYN flood attacks work by sending large amounts of TCP SYN packets to a given port and then not responding to SYN ACKs sent in response. This will tie up local TCP stack resources on the victim's web server so that it is unable to respond to more SYN packets until the existing half-open connections have timed o[...]
-
Página 330
attacks on victim sites. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims. Although recent DDoS attacks have been launched from both private corporate and public institutional systems, hackers tend to often prefer university or institutional networks beca[...]
-
Página 331
6.7. Blacklisting Hosts and Networks Overview NetDefendOS implements a Blacklist of host or network IP addresses which can be utilized to protect against traffic coming from specific Internet sources. Certain NetDefendOS subsystems have the ability to optionally blacklist a host or network when certain conditions are encountered. These subsystems a[...]
-
Página 332
blacklisted, it still does not prevent NetDefendOS mechanisms such as threshold rules from dropping or denying connections from that source. What whitelisting does is prevent a source being added to a blacklist if that is the action a rule has specified. For further details on usage see Section 6.5.7, “IDP Actions” , Section 10.3.8, “Threshol[...]
-
Página 333
6.7. Blacklisting Hosts and Networks Chapter 6. Security Mechanisms 333[...]
-
Página 334
Chapter 7. Address Translation This chapter describes NetDefendOS address translation capabilities. • Overview, page 334 • NAT, page 335 • NAT Pools, page 340 • SAT, page 343 7.1. Overview The ability of NetDefendOS to change the IP address of packets as they pass through the NetDefend Firewall is known as address translation . The ability [...]
-
Página 335
7.2. NAT Dynamic Network Address Translation (NAT) provides a mechanism for translating original source IP addresses to a different address. Outgoing packets then appear to come from a different IP address and incoming packets back to that address have their IP address translated back to the original IP address. NAT can have two important benefits:[...]
-
Página 336
address on the firewall then this will constitute two, unique IP pairs. The 64,500 figure is therefore not a limitation for the entire NetDefend Firewall. Tip: Use NAT pools to get around the connection limit The connection maximum per unique IP pair is normally adequate for all but the most extreme scenarios. However, to increase the number of NAT[...]
-
Página 337
195.55.66.77:80 => 195.11.22.33:32789 4. NetDefendOS receives the packet and compares it to its list of open connections. Once it finds the connection in question, it restores the original address and forwards the packet. 195.55.66.77:80 => 192.168.1.5:1038 5. The original sender now receives the response. The sequence of these events is illu[...]
-
Página 338
Web Interface 1. Go to Rules > IP Rules > Add > IPRule 2. Specify a suitable name for the rule, for example NAT_HTTP 3. Now enter: • Action: NAT • Service: http • Source Interface: lan • Source Network: lannet • Destination Interface: any • Destination Network: all-nets 4. Under the NAT tab, make sure that the Use Interface Add[...]
-
Página 339
anonymize traffic between clients and servers across the public Internet so that the client's public IP address is not present in any server access requests or peer to peer traffic. We shall examine the typical case where the NetDefend Firewall acts as a PPTP server and terminates the PPTP tunnel for PPTP clients. Clients that wish to be anony[...]
-
Página 340
7.3. NAT Pools Overview Network Address Translation (NAT) provides a way to have multiple internal clients and hosts with unique private internal IP addresses communicate to remote hosts through a single external public IP address (this is discussed in depth in Section 7.2, “NAT” ). When multiple public external IP addresses are available then [...]
-
Página 341
There is only one state table per NAT Pool so that if a single NAT Pool is re-used in multiple NAT IP rules they share the same state table. Stateless NAT Pools The Stateless option means that no state table is maintained and the external IP address chosen for each new connection is the one that has the least connections already allocated to it. Th[...]
-
Página 342
This example creates a NAT pool with the external IP address range 10.6.13.10 to 10.16.13.15 which is then used in a NAT IP rule for HTTP traffic on the wan interface. Web Interface A. First create an object in the address book for the address range: 1. Go to Objects > Address Book > Add > IP address 2. Specify a suitable name for the IP r[...]
-
Página 343
7.4. SAT NetDefendOS can translate entire ranges of IP addresses and/or ports. Such translations are transpositions, each address or port is mapped to a corresponding address or port in the new range, rather than translating them all to the same address or port. In NetDefendOS this functionality is known as Static Address Translation (SAT). Note: P[...]
-
Página 344
The illustration below shows a typical network arrangement with the NetDefend Firewall mediating communications between the public Internet and servers in the DMZ, and between the DMZ and local clients on a network called LAN . Figure 7.4. The Role of the DMZ Note: The DMZ port could be any port On all models of D-Link NetDefend hardware, there is [...]
-
Página 345
Then create a corresponding Allow rule: gw-world:/main> add IPRule action=Allow Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=core DestinationNetwork=wan_ip Name=Allow_HTTP_To_DMZ Web Interface First create a SAT rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Specify a suitable name for the rule, for ex[...]
-
Página 346
# Action Src Iface Src Net Dest Iface Dest Net Parameters 3 NAT lan lannet any all-nets All Now, what is wrong with this rule set? If we assume that we want to implement address translation for reasons of security as well as functionality, we discover that this rule set makes our internal addresses visible to machines in the DMZ. When internal mach[...]
-
Página 347
# Action Src Iface Src Net Dest Iface Dest Net Parameters 2 Allow any all-nets core wan_ip http These two rules allow us to access the web server via the NetDefend Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection. Of course, we also nee[...]
-
Página 348
Another possible solution to this problem is to allow internal clients to speak directly to 10.0.0.2 and this would completely avoid all the problems associated with address translation. However, this is not always practical. 7.4.2. Translation of Multiple IP Addresses (M:N) A single SAT rule can be used to translate an entire range of IP addresses[...]
-
Página 349
Address=10.10.10.5 Publish the public IP addresses on the wan interface using ARP publish. One ARP item is needed for every IP address: gw-world:/> add ARP Interface=wan IP=195.55.66.77 mode=Publish Repeat this for all the five public IP addresses. Next, change the current category to be the main IP rule set: gw-world:/> cc IPRuleSet main Nex[...]
-
Página 350
3. Now enter: • Action: SAT • Servce: http • Source Interface: any • Source Network: all-nets • Destination Interface: wan • Destination Network: wwwsrv_pub 4. Switch to the SAT tab 5. Make sure that the Destination IP Address option is selected 6. In the New IP Address dropdown list, select wwwsrv_priv 7. Click OK Finally, create a cor[...]
-
Página 351
Port Translation (PAT) (also known as Port Address Translation ) can be used to modify the source or destination port. # Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any all-nets wan wwwsrv_pub TCP 80-85 SETDEST 192.168.0.50 1000 This rule produces a 1:1 translation of all ports in the range 80 - 85 to the range 1080 - 1085. • At[...]
-
Página 352
The two above rules may both be carried out concurrently on the same connection. In this instance, internal sender addresses will be translated to addresses in pubnet in a 1:1 relationship. In addition, if anyone tries to connect to the public address of the web server, the destination address will be changed to its private address. # Action Src If[...]
-
Página 353
What happens now? • External traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv . Correct. • Return traffic from wwwsrv:80 will match rules 2 and 3. The replies will therefore be dynamically address translated. This changes the source port to a completely different port, which will not work. The problem can be solved usin[...]
-
Página 354
7.4.7. SAT and FwdFast Rules Chapter 7. Address Translation 354[...]
-
Página 355
Chapter 8. User Authentication This chapter describes how NetDefendOS implements user authentication. • Overview, page 355 • Authentication Setup, page 357 • Customizing HTML Pages, page 373 8.1. Overview In situations where individual users connect to protected resources through the NetDefend Firewall, the administrator will often require th[...]
-
Página 356
To remain secure, passwords should also: • Not be recorded anywhere in written form. • Never be revealed to anyone else. • Changed on a regular basis such as every three months. 8.1. Overview Chapter 8. User Authentication 356[...]
-
Página 357
8.2. Authentication Setup 8.2.1. Setup Summary The following list summarizes the steps for User Authentication setup with NetDefendOS: • Have an authentication source which consists of a database of users, each with a username/password combination. Any of the following can be an authentication source: i. The local user database internal to NetDef[...]
-
Página 358
The purpose of this is to restrict access to certain networks to a particular group by having IP rules which will only apply to members of that group. To gain access to a resource there must be an IP rule that allows it and the client must belong to the same group as the rule's Source Network group. Granting Administration Privileges When a us[...]
-
Página 359
When the user connects, there is an automatic checking of the keys used by the client to verify their identity. Once verified, there is no need for the user to input their username and password. To make use of this feature, the relevant SSH Client Key object or objects must first be defined separately in NetDefendOS. Client keys are found as an obj[...]
-
Página 360
One or more LDAP servers can be associated as a list within a user authentication rule. The ordering of the list determines the order in which server access is attempted. The first server in the list has the highest precedence and will be used first. If authentication fails or the server is unreachable then the second in the list is used and so on.[...]
-
Página 361
The following general parameters are used for configuration of each server: • Name The name given to the server object for reference purposes in NetDefendOS. For example, NetDefendOS authentication rules may be defined which reference this name. This value has nothing to do with the Name Attribute described below. It is only for use by NetDefendO[...]
-
Página 362
successful authentication. The domain name is the host name of the LDAP server, for example myldapserver . The choices for this parameter are: i. None - This will not modify the username in any way. For example, testuser . ii. Username Prefix - When authenticating, this will put <domain name> in front of the username. For example, myldapserv[...]
-
Página 363
• Domain Name The Domain Name is used when formatting usernames. This is the first part of the full domain name. In our examples above, the Domain Name is myldapserver . The full domain name is a dot separated set of labels, for example, myldapserver.local.eu.com . This option is only available if the Server Type is NOT set to Other . This option[...]
-
Página 364
If the domain is mydomain.com then the username for myuser might need to be specified as myuser@mydomain.com . With some LDAP servers this might be myuser@domain mydomain.commyuser or even mydomainmyuser . The format depends entirely on the LDAP server and what it expects. Real-time Monitoring Statistics The following statistics are available for[...]
-
Página 365
Figure 8.1. Normal LDAP Authentication The processing is different if a group membership is being retrieved since a request is sent to the LDAP server to search for memberships and any group memberships are then sent back in the response. B. PPP Authentication with CHAP, MS-CHAPv1 or MS-CHAPv2 Encryption If PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 is [...]
-
Página 366
Figure 8.2. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 Important: The link to the LDAP server must be protected Since the LDAP server is sending back passwords in plain text to NetDefendOS, the link between the NetDefend Firewall and the server must be protected. A VPN link should be used if the link between the two is not local. Access to the [...]
-
Página 367
This is the IKE authentication method which is used as part of VPN tunnel establishment with IPsec. XAuth is an extension to the normal IKE exchange and provides an addition to normal IPsec security which means that clients accessing a VPN must provide a login username and password. It should be noted that an interface value is not entered with an [...]
-
Página 368
The maximum time that a connection can exist (no value is specified by default). If an authentication server is being used then the option to Use timeouts received from the authentication server can be enabled to have these values set from the server. Multiple Logins An Authentication Rule can specify how multiple logins are handled where more than[...]
-
Página 369
Any packets from an IP address that fails authentication are discarded. 8.2.7. A Group Usage Example To illustrate Authentication Group usage, lets suppose that there are a set of users which will login from a network 192.168.1.0/24 connected to the lan interface. The requirement is to restrict access to a network called important_net on the int in[...]
-
Página 370
combination. A Realm String can optionally be specified which will appear in the browser's dialog. FORM is recommended over BASICAUTH because in some cases the browser might hold the login data in its cache. • If the Agent is set to HTTPS then the Host Certificate and Root Certificate have to be chosen from a list of certificates already loa[...]
-
Página 371
Example 8.1. Creating an Authentication User Group In the example of an authentication address object in the address book, a user group "users" is used to enable user authentication on "lannet". This example shows how to configure the user group in the NetDefendOS database. Web Interface Step A 1. Go to User Authentication > [...]
-
Página 372
• Destination Network lan_ip 3. Click OK B. Set up the Authentication Rule 1. Go to User Authentication > User Authentication Rules > Add > User Authentication Rule 2. Now enter: • Name: HTTPLogin • Agent: HTTP • Authentication Source: Local • Interface: lan • Originator IP: lannet 3. For Local User DB choose lannet_auth_users [...]
-
Página 373
f. Shared Secret: Enter a text string here for basic encryption of the RADIUS messages g. Confirm Secret: Retype the string to confirm the one typed above 3. Click OK 8.3. Customizing HTML Pages User Authentication makes use of a set of HTML files to present information to the user during the authentication process. The options available for HTTP a[...]
-
Página 374
• %IPADDR% - The IP address which is being browsed from. • %REASON% - The reason that access was denied. • - The web page URL for redirects. The %REDIRURL% Parameter In certain banner web pages, the parameter %REDIRURL% appears. This is a placeholder for the original URL which was requested before the user login screen appeared for an unauthe[...]
-
Página 375
2. A new Auth Banner Files object must exist which the edited file(s) is uploaded to. If the object is called ua_html , the CLI command to create this object is: gw-world:/> add HTTPAuthBanners ua_html This creates an object which contains a copy of all the Default user auth banner files. 3. The modified file is then uploaded using SCP. It is up[...]
-
Página 376
8.3. Customizing HTML Pages Chapter 8. User Authentication 376[...]
-
Página 377
Chapter 9. VPN This chapter describes the Virtual Private Network (VPN) functionality in NetDefendOS. • Overview, page 377 • VPN Quick Start, page 381 • IPsec Components, page 391 • IPsec Tunnels, page 406 • PPTP/L2TP, page 425 • CA Server Access, page 434 • VPN Troubleshooting, page 437 9.1. Overview 9.1.1. VPN Usage The Internet is [...]
-
Página 378
2. Client to LAN connection - Where many remote clients need to connect to an internal network over the Internet. In this case, the internal network is protected by the NetDefend Firewall to which the client connects and the VPN tunnel is set up between them. 9.1.2. VPN Encryption Encryption of VPN traffic is done using the science of cryptography [...]
-
Página 379
• Restricting access through the VPN to needed services only, since mobile computers are vulnerable. • Creating DMZs for services that need to be shared with other companies through VPNs. • Adapting VPN access policies for different groups of users. • Creating key distribution policies. Endpoint Security A common misconception is that VPN-c[...]
-
Página 380
“The TLS ALG” . 9.1.5. The TLS Alternative for VPN Chapter 9. VPN 380[...]
-
Página 381
9.2. VPN Quick Start Overview Later sections in this chapter will explore VPN components in detail. To help put those later sections in context, this section is a quick start summary of the steps needed for VPN setup. It outlines the individual steps in setting up VPNs for the most common scenarios. These are: • IPsec LAN to LAN with Pre-shared K[...]
-
Página 382
9.2.1. IPsec LAN to LAN with Pre-shared Keys 1. Create a Pre-shared Key object. 2. Optionally create a new IKE Algorithms object and/or an IPsec Algorithms object if the default algorithm proposal lists do not provide a set of algorithms that are acceptable to the tunnel remote end point. This will depend on the capabilities of the device at the ot[...]
-
Página 383
Action Src Interface Src Network Dest Interface Dest Network Service Allow ipsec_tunnel remote_net lan lannet All The Service used in these rules is All but it could be a predefined service. 6. Define a new NetDefendOS Route which specifies that the VPN Tunnel ipsec_tunnel is the Interface to use for routing packets bound for the remote network at [...]
-
Página 384
considered adequate. Two self-signed certificates are required and the same two are used at either end of the tunnel but their usage is reversed. In other words: one certificate is used as the root certificate at one end, call it Side A , and as the host certificate at the other end, call it Side B . The second certificate is used in the opposite w[...]
-
Página 385
The Group string for a user can be specified if its group's access is to be restricted to certain source networks. Group can be specified (with the same text string) in the Authentication section of an IP object. If that IP object is then used as the Source Network of a rule in the IP rule set, that rule will only apply to a user if their Grou[...]
-
Página 386
• Create a Config Mode Pool object (there can only be one associated with a NetDefendOS installation) and in it specify the address range. • Enable the IKE Config Mode option in the IPsec Tunnel object ipsec_tunnel . 2. If client IP addresses are to be retrieved through DHCP: • Create an IP Pool object and in it specify the DHCP server to use[...]
-
Página 387
Note: The system time and date should be correct The NetDefendOS date and time should be set correctly since certificates have an expiry date and time. Also review Section 9.6, “CA Server Access” , which describes important considerations for certificate validation. 9.2.5. L2TP Roaming Clients with Pre-Shared Keys Due to the inbuilt L2TP client[...]
-
Página 388
• Set Tunnel Protocol to L2TP . • Set Outer Interface Filter to ipsec_tunnel . • Set Outer Server IP to ip_ext . • Select the Microsoft Point-to-Point Encryption allowed. Since IPsec encryption is used this can be set to be None only, otherwise double encryption will degrade throughput. • Set IP Pool to l2tp_pool . • Enable Proxy ARP on[...]
-
Página 389
1. The NetDefendOS date and time must be set correctly since certificates can expire. 2. Load a Gateway Certificate and Root Certificate into NetDefendOS. 3. When setting up the IPsec Tunnel object, specify the certificates to use under Authentication . This is done by: a. Enable the X.509 Certificate option. b. Select the Gateway Certificate. c. A[...]
-
Página 390
• As in L2TP, enable the insertion of new routes automatically into the main routing table. 3. Define a User Authentication Rule, this is almost identical to L2TP: Agent Auth Source Src Network Interface Client Source IP PPP Local all-nets pptp_tunnel all-nets (0.0.0.0/0) 4. Now set up the IP rules in the IP rule set: Action Src Interface Src Net[...]
-
Página 391
9.3. IPsec Components This section looks at the IPsec standards and describes in general terms the various components, techniques and algorithms that are used in IPsec based VPNs. 9.3.1. Overview Internet Protocol Security (IPsec) is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP security at the network layer[...]
-
Página 392
An SA is unidirectional and relates to traffic flow in one direction only. For the bidirectional traffic that is usually found in a VPN, there is therefore a need for more than one SA per connection. In most cases, where only one of ESP or AH is used, two SAs will be created for each connection, one describing the incoming traffic, and the other th[...]
-
Página 393
two VPN firewalls or VPN Clients to each other, by confirming that the remote device has a matching Pre-Shared Key. However, since we do not want to publish to much of the negotiation in plaintext, we first agree upon a way of protecting the rest of the IKE negotiation. This is done, as described in the previous section, by the initiator sending a [...]
-
Página 394
remote device, which will decrypt/authenticate the data, extract it from its tunnel and pass it on to its final destination. This way, an eavesdropper will only see encrypted traffic going from one of VPN endpoint to another. In transport mode, the traffic will not be tunneled, and is hence not applicable to VPN tunnels. It can be used to secure a [...]
-
Página 395
Note NetDefendOS does not support AH. IKE Encryption This specifies the encryption algorithm used in the IKE negotiation, and depending on the algorithm, the size of the encryption key used. The algorithms supported by NetDefendOS IPsec are: • AES • Blowfish • Twofish • Cast128 • 3DES • DES DES is only included to be interoperable with [...]
-
Página 396
phase-1 SA every time a phase-2 negotiation has been finished, making sure no more than one phase-2 negotiation is encrypted using the same key. PFS is generally not needed, since it is very unlikely that any encryption or authentication keys will be compromised. PFS DH Group This specifies the Diffie-Hellman group to use with PFS. The available DH[...]
-
Página 397
through a series of plain text exchanges. Even though the exchanges between the parties might be monitored by a third party, Diffie-Hellman makes it extremely difficult for the third party to determine what the agreed shared secret key is and to decrypt data that is encrypted using the key. Diffie-Hellman is used to establish the shared secret keys[...]
-
Página 398
Pre-Shared Keying has a lot of advantages over manual keying. These include endpoint authentication, which is what the PSKs are really for. It also includes all the benefits of using IKE. Instead of using a fixed set of encryption keys, session keys will be used for a limited period of time, where after a new set of session keys are used. PSK Disad[...]
-
Página 399
Figure 9.1. The AH protocol AH uses a cryptographic hash function to produce a MAC from the data in the IP packet. This MAC is then transmitted with the packet, allowing the remote endpoint to verify the integrity of the original IP packet, making sure the data has not been tampered with on its way through the Internet. Apart from the IP packet dat[...]
-
Página 400
evolved. NAT traversal is an add-on to the IKE and IPsec protocols that allows them to function when being NATed. NetDefendOS supports the RFC3947 standard for NAT-Traversal with IKE. NAT traversal is divided into two parts: • Additions to IKE that lets IPsec peers tell each other that they support NAT traversal, and the specific versions support[...]
-
Página 401
recommended setting unless, in an unlikely event, the two firewalls have the same external IP address. • IP - An IP address can be manually entered • DNS - A DNS address can be manually entered • Email - An email address can be manually entered 9.3.6. Algorithm Proposal Lists To agree on the VPN connection parameters, a negotiation process is[...]
-
Página 402
1. Go to Objects > VPN Objects > IPsec Algorithms > Add > IPsec Algorithms 2. Enter a name for the list, for example esp-l2tptunnel 3. Now check the following: • DES • 3DES • SHA1 • MD5 4. Click OK Then, apply the algorithm proposal list to the IPsec tunnel: 1. Go to Interfaces > IPsec 2. Select the target IPsec tunnel 3. Sel[...]
-
Página 403
gw-world:/> add PSK MyPSK Type=HEX PSKHex=<enter the key here> Now apply the Pre-shared Key to the IPsec tunnel: gw-world:/> set Interface IPsecTunnel MyIPsecTunnel PSK=MyPSK Web Interface First create a Pre-shared Key: 1. Go to Objects > Authentication Objects > Add > Pre-shared key 2. Enter a name for the pre-shared key, for [...]
-
Página 404
Example 9.3. Using an Identity List This example shows how to create and use an Identification List for use in the VPN tunnel. This Identification List will contain one ID with the type DN, distinguished name, as the primary identifier. Note that this example does not illustrate how to add the specific IPsec tunnel object. Command-Line Interface Fi[...]
-
Página 405
2. Select the IPsec tunnel object of interest 3. Under the Authentication tab, choose X.509 Certificate 4. Select the appropriate certificate in the Root Certificate(s) and Gateway Certificate controls 5. Select MyIDList in the Identification List 6. Click OK 9.3.8. Identification Lists Chapter 9. VPN 405[...]
-
Página 406
9.4. IPsec Tunnels This section looks more closely at IPsec tunnels in NetDefendOS, their definition, options and usage. 9.4.1. Overview An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration capabilities as regula[...]
-
Página 407
performance of the NetDefendOS IPsec engine and explicitly dropping such traffic with an IP rule is an efficient way of preventing it reaching the engine. In other words, IP rules can be used to have complete control over all traffic related to the tunnel. Dead Peer Detection Dead Peer Detection (DPD) can optionally be enabled for an IPsec tunnel. [...]
-
Página 408
• Section 9.2.2, “IPsec LAN to LAN with Certificates” . • Section 9.2.3, “IPsec Roaming Clients with Pre-shared Keys” . • Section 9.2.4, “IPsec Roaming Clients with Certificates” . In addition to the quick start section, more explanation of tunnel setup is given below. 9.4.2. LAN to LAN Tunnels with Pre-shared Keys A VPN can allow[...]
-
Página 409
Example 9.4. Setting up a PSK based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip. Web Interface A. Create a p[...]
-
Página 410
Web Interface A. Create a Self-signed Certificate for IPsec authentication: The step to actually create self-signed certificates is performed outside the WebUI using a suitable software product. The certificate should be in the PEM (Privacy Enhanced Mail) file format. B. Upload all the client self-signed certificates: 1. Go to Objects > Authenti[...]
-
Página 411
Tunnels Based on CA Server Certificates Setting up client tunnels using a CA issued certificate is largely the same as using Self-signed certificates with the exception of a couple of steps. It is the responsibility of the administrator to acquire the appropriate certificate from an issuing authority for client tunnels. With some systems, such as W[...]
-
Página 412
• Choose X.509 Certificates as the authentication method • Root Certificate(s): Select your CA server root certificate imported earlier and add it to the Selected list • Gateway Certificate: Choose your newly created firewall certificate • Identification List: Select your ID List that you want to associate with your VPN Tunnel. In our case [...]
-
Página 413
Web Interface 1. Go to Objects > VPN Objects > IKE Config Mode Pool 2. The Config Mode Pool object properties web page now appears 3. Select Use a predefined IPPool object 4. Choose the ip_pool1 object from the IP Pool drop-down list 5. Click OK After defining the Config Mode object, the only remaining action is to enable Config Mode to be us[...]
-
Página 414
Web Interface 1. Go to Objects > VPN Objects > LDAP > Add > LDAP Server 2. Now enter: • IP Address: 192.168.101.146 • Username: myusername • Password: mypassword • Confirm Password: mypassword • Port: 389 3. Click OK 9.4.5. Troubleshooting with ikesnoop VPN Tunnel Negotiation When setting up IPsec tunnels, problems can arise b[...]
-
Página 415
negotiation and the server refers to the device which is the responder . Step 1. Client Initiates Exchange by Sending a Supported Algorithm List The verbose option output initially shows the proposed list of algorithms that the client first sends to the server. This list details the protocols and encryption methods it can support. The purpose of th[...]
-
Página 416
Life duration : 43200 Life type : Kilobytes Life duration : 50000 VID (Vendor ID) Payload data length : 16 bytes Vendor ID : 8f 9c c9 4e 01 24 8e cd f1 47 59 4c 28 4b 21 3b Description : SSH Communications Security QuickSec 2.1.0 VID (Vendor ID) Payload data length : 16 bytes Vendor ID : 27 ba b5 dc 01 ea 07 60 ea 4e 31 90 ac 27 c0 d0 Description :[...]
-
Página 417
SA (Security Association) Payload data length : 52 bytes DOI : 1 (IPsec DOI) Proposal 1/1 Protocol 1/1 Protocol ID : ISAKMP SPI Size : 0 Transform 1/1 Transform ID : IKE Encryption algorithm : Rijndael-cbc (aes) Key length : 128 Hash algorithm : MD5 Authentication method : Pre-Shared Key Group description : MODP 1024 Life type : Seconds Life durati[...]
-
Página 418
NAT-D (NAT Detection) Payload data length : 16 bytes Step 4. Server Sends Key Exchange Data The Server now sends key exchange data back to the client. IkeSnoop: Sending IKE packet to 192.168.0.10:500 Exchange type : Identity Protection (main mode) ISAKMP Version : 1.0 Flags : Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a Message ID : 0x0000000[...]
-
Página 419
Step 6. Server ID Response The server now responds with its own ID. IkeSnoop: Sending IKE packet to 192.168.0.10:500 Exchange type : Identity Protection (main mode) ISAKMP Version : 1.0 Flags : E (encryption) Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a Message ID : 0x00000000 Packet length : 60 bytes # payloads : 2 Payloads: ID (Identificati[...]
-
Página 420
Key length : 128 Authentication algorithm : HMAC-MD5 SA life type : Seconds SA life duration : 21600 SA life type : Kilobytes SA life duration : 50000 Encapsulation mode : Tunnel Transform 4/4 Transform ID : Blowfish Key length : 128 Authentication algorithm : HMAC-SHA-1 SA life type : Seconds SA life duration : 21600 SA life type : Kilobytes SA li[...]
-
Página 421
Protocol ID : ESP SPI Size : 4 SPI Value : 0xafba2d15 Transform 1/1 Transform ID : Rijndael (aes) Key length : 128 Authentication algorithm : HMAC-MD5 SA life type : Seconds SA life duration : 21600 SA life type : Kilobytes SA life duration : 50000 Encapsulation mode : Tunnel NONCE (Nonce) Payload data length : 16 bytes ID (Identification) Payload [...]
-
Página 422
Specifies the total number of IPsec tunnels allowed. This value is initially taken from the maximum tunnels allowed by the license. The setting is used by NetDefendOS to allocate memory for IPsec. If it is desirable to have less memory allocated for IPsec then this setting can be reduced. Increasing the setting cannot override the license limit. A [...]
-
Página 423
IPsec Cert Cache Max Certs Maximum number of certificates/CRLs that can be held in the internal certificate cache. When the certificate cache is full, entries will be removed according to an LRU (Least Recently Used) algorithm. Default: 1024 IPsec Gateway Name Cache Time Maximum number of certificates/CRLs that can be held in the internal certifica[...]
-
Página 424
In other words, this is the length of time in seconds for which DPD-R-U-THERE messages will be sent. If the other side of the tunnel has not sent a response to any messages then it is considered to be dead (not reachable). The SA will then be placed in the dead cache. This setting is used with IKEv1 only. Default: 15 seconds 9.4.6. IPsec Advanced S[...]
-
Página 425
9.5. PPTP/L2TP The access by a client using a modem link over dial-up public switched networks, possibly with an unpredictable IP address, to protected networks via a VPN poses particular problems. Both the PPTP and L2TP protocols provide two different means of achieving VPN access from remote clients. The most commonly used feature that is relevan[...]
-
Página 426
TCP port 1723 and/or IP protocol 47 before the PPTP connection can be made to the NetDefend Firewall. Examining the log can indicate if this problem occurred, with a log message of the following form appearing: Error PPP lcp_negotiation_stalled ppp_terminated Example 9.10. Setting up a PPTP server This example shows how to setup a PPTP Network Serv[...]
-
Página 427
Example 9.11. Setting up an L2TP server This example shows how to setup a L2TP Network Server. The example assumes that you have created some IP address objects. You will have to specify the IP address of the L2TP server interface, an outer IP address (that the L2TP server should listen to) and an IP pool that the L2TP server will use to give out I[...]
-
Página 428
2. Enter a suitable name for the user database, for example UserDB 3. Go to User Authentication > Local User Databases > UserDB > Add > User 4. Now enter: • Username: testuser • Password: mypassword • Confirm Password: mypassword 5. Click OK Now we will setup the IPsec Tunnel, which will later be used in the L2TP section. As we ar[...]
-
Página 429
gw-world:/> add Interface L2TPServer l2tp_tunnel IP=lan_ip Interface=l2tp_ipsec ServerIP=wan_ip IPPool=l2tp_pool TunnelProtocol=L2TP AllowedRoutes=all-nets ProxyARPInterfaces=lan Web Interface 1. Go to Interfaces > L2TP Servers > Add > L2TPServer 2. Enter a name for the L2TP tunnel, for example l2tp_tunnel 3. Now enter: • Inner IP Add[...]
-
Página 430
First, change the current category to be the main IP rule set: gw-world:/> cc IPRuleSet main Now, add the IP rules: gw-world:/main> add IPRule action=Allow Service=all_services SourceInterface=l2tp_tunnel SourceNetwork=l2tp_pool DestinationInterface=any DestinationNetwork=all-nets name=AllowL2TP gw-world:/main> add IPRule action=NAT Servic[...]
-
Página 431
Pass L2TP traffic sent to the NetDefend Firewall directly to the L2TP Server without consulting the rule set. Default: Enabled PPTP Before Rules Pass PPTP traffic sent to the NetDefend Firewall directly to the PPTP Server without consulting the rule set. Default: Enabled Max PPP Resends The maximum number of PPP layer resends. Default: 10 9.5.4. PP[...]
-
Página 432
specified gateway. Authentication • Username - Specifies the username to use for this PPTP/L2TP interface. • Password - Specifies the password for the interface. • Authentication - Specifies which authentication protocol to use. • MPPE - Specifies if Microsoft Point-to-Point Encryption is used and which level to use. If Dial On Demand is en[...]
-
Página 433
Figure 9.3. PPTP Client Usage 9.5.4. PPTP/L2TP Clients Chapter 9. VPN 433[...]
-
Página 434
9.6. CA Server Access Overview Where certificates are used, the two sides of a VPN tunnel exchange their certificates during the tunnel setup negotiation and either may then try to validate the received certificate by accessing a CA server . A certificate contains a URL (the CRL Distribution Point ) which specifies the validating CA server and serv[...]
-
Página 435
3. The CA server is a commercial server on the public Internet. In this, the simplest case, public DNS servers will resolve the FQDN. The only requirement is that NetDefendOS will need to have at least one public DNS server address configured to resolve the FQDNs in the certificates it receives. • It must be also possible for an HTTP PUT request [...]
-
Página 436
As explained previously, the address of the private CA server must be resolvable through public DNS servers for certificate validation requests coming from the public Internet. If the certificate queries are coming only from the NetDefend Firewall and the CA server is on the internal side of the firewall then the IP address of the internal DNS serv[...]
-
Página 437
9.7. VPN Troubleshooting This section deals with how to troubleshoot the common problems that are found with VPN. 9.7.1. General Troubleshooting In all types of VPNs some basic troubleshooting checks can be made: • Check that all IP addresses have been specified correctly. • Check that all pre-shared keys and usernames/passwords are correctly e[...]
-
Página 438
If certificates have been used in a VPN solution then the following should be looked at as a source of potential problems: • Check that the correct certificates have been used for the right purposes. • Check that the certificate .cer and .key files have the same filename. For example, my_cert.key and my_cert.cer . • Check that the certificate[...]
-
Página 439
Another example of what to avoid with many tunnels is: gw-world:/> ipsectunnels -num=all In these circumstances, using the option with a small number, for example -num=10 , is recommended. The ikesnoop console command A common problem with setting up IPsec is a list of proposed algorithms that is unacceptable to the device at the other end of th[...]
-
Página 440
1. Could not find acceptable proposal / no proposal chosen This is the most common IPsec related error message. It means that depending on which side initiates tunnel setup, the negotiations in either the IKE or the IPSec phase of setup failed since they were unable to find a matching proposal that both sides could agree on. Troubleshooting this er[...]
-
Página 441
tunnels use different pre-shared keys, you will receive an " Incorrect pre-shared key " error message. The problem is solved if we reorder the list and move VPN-3 above L2TP . The gateway office3gw will be then matched correctly and VPN-3 will be the tunnel selected by NetDefendOS. 3. Ike_invalid_payload, Ike_invalid_cookie In this case t[...]
-
Página 442
• If multiple similar or roaming tunnels exist and you want to separate them using ID lists, a possible cause can be that none of the ID lists match the certificate properties of the connecting user. Either the user is non-authorized or the certificate properties are wrong on the client or the ID list needs to be updated with this user/informatio[...]
-
Página 443
9.7.6. Specific Symptoms Chapter 9. VPN 443[...]
-
Página 444
Chapter 10. Traffic Management This chapter describes how NetDefendOS can manage network traffic. • Traffic Shaping, page 444 • IDP Traffic Shaping, page 465 • Threshold Rules, page 470 • Server Load Balancing, page 473 10.1. Traffic Shaping 10.1.1. Overview QoS with TCP/IP A weakness of TCP/IP is the lack of true Quality of Service (QoS) f[...]
-
Página 445
Traffic Shaping Objectives Traffic shaping operates by measuring and queuing IP packets with respect to a number of configurable parameters. The objectives are: • Applying bandwidth limits and queuing packets that exceed configured limits, then sending them later when bandwidth demands are lower. • Dropping packets if packet buffers are full. T[...]
-
Página 446
Pipe Rules One or more Pipe Rules make up the NetDefendOS Pipe Rule set which determine what traffic will flow through which pipes. Each pipe rule is defined like other NetDefendOS secuirity policies: by specifying the source/destination interface/network as well as the service to which the rule is to apply. Once a new connection is permitted by th[...]
-
Página 447
of 8 pipes. Explicitly Excluding Traffic from Shaping If no pipe is specified in a pipe rule list then traffic that triggers the rule will not flow through any pipe. It also means that the triggering traffic will not be subject to any other matching pipe rules that might be found later in the rule set. This provides a means to explicitly exclude pa[...]
-
Página 448
Web Interface 1. Go to Traffic Management > Traffic Shaping > Pipes > Add > Pipe 2. Specify a suitable name for the pipe, for instance std-in 3. Enter 2000 in the Total textbox under Pipe Limits 4. Click OK Traffic needs to be passed through the pipe and this is done by using the pipe in a Pipe Rule. We will use the above pipe to limit [...]
-
Página 449
attempting to flow is 4 Mbps. Since the pipe limit is 2 Mbps, the actual flow will be close to 1 Mbps in each direction. Raising the total pipe limit to 4 Mbps will not solve the problem since the single pipe will not know that 2 Mbps of inbound and 2 Mbps of outbound are the intended limits. The result might be 3 Mbps outbound and 1 Mbps inbound s[...]
-
Página 450
requests followed by long inbound responses. A surf-in pipe is therefore first created for inbound traffic with a 125 kbps limit. Next, a new Pipe Rule is set up for surfing that uses the surf-in pipe and it is placed before the rule that directs everything else through the std-in pipe. That way web surfing traffic goes through the surf-in pipe and[...]
-
Página 451
default precedence which is 0. There are 8 Possible Precedence Levels Eight precedences exist which are numbered from 0 to 7. Precedence 0 is the least important (lowest priority) precedence and 7 is the most important (highest priority) precedence. A precedence can be viewed as a separate traffic queue; traffic in precedence 2 will be forwarded be[...]
-
Página 452
• Default Precedence: 0 • Maximum Precedence: 7 As described above, the Default Precedence is the precedence taken by a packet if it is not explicitly assigned by a pipe rule. The minimum and maximum precedences define the precedence range that the pipe will handle. If a packet arrives with an already allocated precedence below the minimum then[...]
-
Página 453
Figure 10.5. Minimum and Maximum Pipe Precedence Lowest Precedence Limits It is usually is not needed to have a limit specified for the lowest (best effort) precedence since this precedence simply uses any spare bandwidth not used by higher precedences. However, a limit could be specified if there is a need to restrict the bandwidth used by the low[...]
-
Página 454
The Need for Guarantees A problem can occur however if prioritized traffic is a continuous stream such as real-time audio, resulting in continuous use of all available bandwidth and resulting in unacceptably long queuing times for other services such as surfing, DNS or FTP. A means is required to ensure that lower priority traffic gets some portion[...]
-
Página 455
Set the priority assignment for both rules to Use defaults from first pipe ; the default precedence of both the ssh-in and telnet-in pipes is 2. Using this approach rather than hard-coding precedence 2 in the rule set, you can easily change the precedence of all SSH and Telnet traffic by changing the default precedence of the ssh-in and telnet-in p[...]
-
Página 456
Specifying Group Limits Once the way the method of grouping is selected, the next step is to specify the Group Limits . These limits can consist of one or both of the following: • Group Limit Total This value specifies a limit for each user within the grouping. For example, if the grouping is by source IP address and the total specified is 100 Kb[...]
-
Página 457
Figure 10.6. Traffic Grouped By IP Address Another Simple Groups Example Consider another situation where the total bandwidth limit for a pipe is 400 bps. If the aim is to allocate this bandwidth amongst many destination IP addresses so that no single IP address can take more then 100 bps of bandwidth, the following steps are needed. • Set the pi[...]
-
Página 458
If a total group limit of 100 bps is also specified with dynamic balancing, then this still means that no single user may take more than that amount of bandwidth. Precedences and Dynamic Balancing As discussed, in addition to specifying a total limit for a grouping, limits can be specified for each precedence within a grouping. If we specify a prec[...]
-
Página 459
fixed bandwidth resource. An ISP might use this approach to limit individual user bandwidth by specifying a "Per Destination IP" grouping. Knowing when the pipe is full is not important since the only constraint is on each user. If precedences were used the pipe maximum would have to be used. Limits should not be more than the Available B[...]
-
Página 460
• Select the traffic to manage through Pipe Rules . • Pipe Rules send traffic through Pipes . • A pipe can have a limit which is the maximum amount of traffic allowed. • A pipe can only know when it is full if a total limit for the pipe is specified. • A single pipe should handle traffic in only one direction (although 2 way pipes are all[...]
-
Página 461
Figure 10.7. A Basic Traffic Shaping Scenario The reason for using 2 different pipes in this case, is that these are easier to match to the physical link capacity. This is especially true with asynchronous links such as ADSL. First, two pipes called in-pipe and out-pipe need to be created with the following parameters: Pipe Name Min Prec Def Prec M[...]
-
Página 462
Rule Name Forward Pipes Return Pipes Source Interface Source Network Dest Interface Dest Network Selected Service Prece dence voip out-pipe in-pipe lan lannet wan all-nets H323 6 citrix out-pipe in-pipe lan lannet wan all-nets citrix 4 other out-pipe in-pipe lan lannet wan all-nets All 2 These rules are processed from top to bottom and force differ[...]
-
Página 463
Total: 1700 • vpn-out • Priority 6: VoIP 500 kpbs • Priority 0: Best effort Total: 1700 • in-pipe • Priority 6: VoIP 500 kpbs Total: 2000 • out-pipe • Priority 6: VoIP 500 kpbs Total: 2000 The following pipe rules are then needed to force traffic into the correct pipes and precedence levels: Rule Name Forward Pipes Return Pipes Src In[...]
-
Página 464
Note: SAT and ARPed IP Addresses If the SAT is from an ARPed IP address, the wan interface needs to be the destination. 10.1.10. More Pipe Examples Chapter 10. Traffic Management 464[...]
-
Página 465
10.2. IDP Traffic Shaping 10.2.1. Overview The IDP Traffic Shaping feature is traffic shaping that is performed based on information coming from the NetDefendOS Intrusion Detection and Prevention (IDP) subsystem (for more information on IDP see Section 6.5, “Intrusion Detection and Prevention” ). Application Related Bandwidth Usage A typical pr[...]
-
Página 466
information followed by a number of data transfer connections to other hosts. It is the initial connection that IDP detects and the Time Window specifies the expected period afterwards when other connections will be opened and subject to traffic shaping. Connections opened after the Time Window has expired will no longer be subject to traffic shapi[...]
-
Página 467
Excluding Hosts To avoid these unintended consequences, we specify the IP addresses of client A and client B in the Network range but not host X . This tells NetDefendOS that host X is not relevant in making a decision about including new non-IDP-triggering connections in traffic shaping. It may seem counter-intuitive that client B is also included[...]
-
Página 468
10.2.6. Viewing Traffic Shaping Objects Viewing Hosts IDP traffic shaping has a special CLI command associated with it called idppipes and this can examine and manipulate the hosts which are currently subject to traffic shaping. To display all hosts being traffic shaped by IDP Traffic Shaping, the command would be: gw-world:/> idppipes -show Hos[...]
-
Página 469
10.2.7. Guaranteeing Instead of Limiting Bandwidth If desired, IDP Traffic Shaping can be used to do the opposite of limiting bandwidth for certain applications. If the administrator wants to guarantee a bandwidth level, say 10 Megabits, for an application then an IDP rule can be set up to trigger for that application with the Pipe action specifyin[...]
-
Página 470
10.3. Threshold Rules 10.3.1. Overview The objective of a Threshold Rule is to have a means of detecting abnormal connection activity as well as reacting to it. An example of a cause for such abnormal activity might be an internal host becoming infected with a virus that is making repeated connections to external IP addresses. It might alternativel[...]
-
Página 471
This function is extremely useful when NAT pools are required due to the large number of connections generated by P2P users. 10.3.3. Grouping The two groupings are as follows: • Host Based - The threshold is applied separately to connections from different IP addresses. • Network Based - The threshold is applied to all connections matching the [...]
-
Página 472
NetDefendOS. The length of time, in seconds, for which the source is blacklisted can also be set. This feature is discussed further in Section 6.7, “Blacklisting Hosts and Networks” . 10.3.8. Threshold Rule Blacklisting Chapter 10. Traffic Management 472[...]
-
Página 473
10.4. Server Load Balancing 10.4.1. Overview The Server Load Balancing (SLB) feature allows the administrator to spread client application requests over a number of servers through the use of IP rules with an Action of SLB_SAT . SLB is a powerful tool that can improve the following aspects of network applications: • Performance • Scalability ?[...]
-
Página 474
Figure 10.9. A Server Load Balancing Configuration Additional Benefits of SLB Besides improving performance and scalability, SLB provides other benefits: • SLB increases the reliability of network applications by actively monitoring the servers sharing the load. NetDefendOS SLB can detect when a server fails or becomes congested and will not dire[...]
-
Página 475
receiving over a certain time period. This time period is known as the Window Time . SLB sends the next request to the server that has received the least number of connections during the last Window Time number of seconds. The Window Time is a setting that the administrator can change. The default value is 10 seconds. 10.4.3. Selecting Stickiness I[...]
-
Página 476
The consequence of a full table can be that stickiness will be lost for any discarded source IP addresses. The administrator should therefore try to ensure that the Max Slots parameter is set to a value that can accommodate the expected number of connections that require stickiness. The default value for this setting is 2048 slots in the table. •[...]
-
Página 477
Figure 10.11. Stickiness and Round-Robin If the connection-rate algorithm is applied instead, R1 and R2 will be sent to the same server because of stickiness, but the subsequent requests R3 and R4 will be routed to another server since the number of new connections on each server within the Window Time span is counted in for the distribution. Figur[...]
-
Página 478
10.4.6. Setting Up SLB_SAT Rules The key component in setting up SLB are IP rules that have SLB_SAT as the action. The steps that should be followed for setting up such rules are: 1. Define an IP address object for each server for which SLB is to enabled. 2. Define an IP address group object which includes all these individual objects. 3. Define an[...]
-
Página 479
Web Interface A. Create an Object for each of the webservers: 1. Go to Objects > Address Book > Add > IP Address 2. Enter a suitable name, for example server1 3. Enter the IP Address as 192.168.1.10 4. Click OK 5. Repeat the above to create an object called server2 for the 192.168.1.11 IP address B. Create a Group which contains the 2 webs[...]
-
Página 480
1. Go to Rules > IP Rule Sets > main > Add > IP Rule 2. Enter: • Name: Web_SLB_ALW • Action: Allow • Service: HTTP • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: ip_ext 3. Click OK 10.4.6. Setting Up SLB_SAT Rules Chapter 10. Traffic Management 480[...]
-
Página 481
10.4.6. Setting Up SLB_SAT Rules Chapter 10. Traffic Management 481[...]
-
Página 482
Chapter 11. High Availability This chapter describes the high availability fault-tolerance feature in NetDefend Firewalls. • Overview, page 482 • HA Mechanisms, page 484 • Setting Up HA, page 487 • HA Issues, page 491 • Upgrading an HA Cluster, page 493 • HA Advanced Settings, page 495 11.1. Overview HA Clusters NetDefendOS High Availab[...]
-
Página 483
interface and all other interfaces from one unit to the other. These packets allow the health of both units to be monitored. Heartbeat packets are sent in both directions so that the passive unit knows about the health of the active unit and the active unit knows about the health of the passive. The heartbeat mechanism is discussed below with more [...]
-
Página 484
11.2. HA Mechanisms This section discusses in more depth the mechanisms NetDefendOS uses to implement the high availability feature. Basic Principles D-Link HA provides a redundant, state-synchronized hardware configuration. The state of the active unit, such as the connection table and other vital information, is continuously copied to the inactiv[...]
-
Página 485
Failover Time The time for failover is typically about one second which means that clients may experience a failover as a slight burst of packet loss. In the case of TCP, the failover time is well within the range of normal retransmit timeouts so TCP will retransmit the lost packets within a very short space of time, and continue communication. UDP[...]
-
Página 486
Should such a failure occur then the consequence is that both units will continue to function but they will lose their synchronization with each other. In other words, the inactive unit will no longer have a correct copy of the state of the active unit. A failover will not occur in this situation since the inactive unit will realize that synchroniz[...]
-
Página 487
11.3. Setting Up HA This section provides a step-by-step guide for setting up an HA Cluster. 11.3.1. HA Hardware Setup The steps for the setup of hardware in an HA cluster are as follows: 1. Start with two physically similar NetDefend Firewalls. Both may be newly purchased or an existing unit may have a new unit added to it. The master hardware doe[...]
-
Página 488
The illustration below shows the arrangement of typical HA Cluster connections in a network. All interfaces on the master unit would normally also have corresponding interfaces on the slave unit and these would be connected to the same networks. This is achieved by connecting the same interfaces on both master and slave via a separate switch (or br[...]
-
Página 489
4. Set the Cluster ID . This must be unique for each cluster. 5. Choose the Sync Interface . 6. Select the node type to be Master . 7. Go to Objects > Address Book and create an IP4 HA Address object for each interface pair. Each must contain the master and slave interface IP addresses for the pair. Creating an object is mandatory for an interfa[...]
-
Página 490
• If this is not the first cluster in a network then the Cluster ID must be changed for the cluster so that it is unique (the default value is 0 ). The Cluster ID determines that the MAC address for the cluster is unique. • Enabling the advanced setting Use Unique Share MAC is recommended so that each interface has its own MAC address. If this [...]
-
Página 491
11.4. HA Issues The following points should be kept in mind when managing and configuring an HA Cluster. All Cluster Interfaces Need IP Addresses All interfaces on both HA cluster units should have a valid private IP4 address object assigned to them. The predefined IP object local host could be assigned for this purpose. The need to assign an addre[...]
-
Página 492
If OSPF is to work then there must be another designated router available in the same OSPF area as the cluster. Ideally, there will also be a second, backup designated router to provide OSPF metrics if the main designated router should fail. PPPoE Tunnels and DHCP Clients For reasons connected with the shared IP addresses of an HA cluster, PPPoE tu[...]
-
Página 493
11.5. Upgrading an HA Cluster The NetDefendOS software versions running on the master and slave in an HA cluster should be the same. When a new NetDefendOS version becomes available and is to be installed on both units, the upgrade is done one unit at a time. The central principal in the upgrade process for a cluster is that upgrading the inactive [...]
-
Página 494
console and issue the ha -deactivate command. This will cause the active unit to become inactive, and the inactive to become active. gw-world:/> ha -deactivate HA Was: ACTIVE HA going INACTIVE... To check that the failover has completed successfully, an ha command can be issued again and the text " INACTIVE " and " is ALIVE "[...]
-
Página 495
11.6. HA Advanced Settings The following NetDefendOS advanced settings are available for High Availability: Sync Buffer Size How much sync data, in Kbytes, to buffer while waiting for acknowledgments from the cluster peer. Default: 1024 Sync Packet Max Burst The maximum number of state sync packets to send in a burst. Default: 20 Initial Silence Th[...]
-
Página 496
11.6. HA Advanced Settings Chapter 11. High Availability 496[...]
-
Página 497
Chapter 12. ZoneDefense This chapter describes the D-Link ZoneDefense feature. • Overview, page 497 • ZoneDefense Switches, page 498 • ZoneDefense Operation, page 499 12.1. Overview ZoneDefense Controls Switches ZoneDefense allows a NetDefend Firewall to control locally attached switches. It can be used as a counter-measure to stop a virus-in[...]
-
Página 498
12.2. ZoneDefense Switches Switch information regarding every switch that is to be controlled by the firewall has to be manually specified in the firewall configuration. The information needed in order to control a switch includes: • The IP address of the management interface of the switch • The switch model type • The SNMP community string ([...]
-
Página 499
12.3. ZoneDefense Operation 12.3.1. SNMP Simple Network Management Protocol (SNMP) is an application layer protocol for complex network management. SNMP allows the managers and managed devices in a network to communicate with each other. SNMP Managers A typical managing device, such as a NetDefend Firewall, uses the SNMP protocol to monitor and con[...]
-
Página 500
As a complement to threshold rules, it is also possible to manually define hosts and networks that are to be statically blocked or excluded. Manually blocked hosts and networks can be blocked by default or based on a schedule. It is also possible to specify which protocols and protocol port numbers are to be blocked. Exclude Lists can be created an[...]
-
Página 501
2. For Addresses choose the object name of the firewall's interface address 192.168.1.1 from the Available list and put it into the Selected list. 3. Click OK Configure an HTTP threshold of 10 connections/second: 1. Go to Traffic Management > Threshold Rules > Add > Threshold Rule 2. For the Threshold Rule enter: • Name: HTTP-Thresh[...]
-
Página 502
of latency time to implement blocking once the rule is triggered. Some models can activate blocking in less than a second while some models may require a minute or more. A second difference is the maximum number of rules supported by different switches. Some switches support a maximum of 50 rules while others support up to 800 (usually, in order to[...]
-
Página 503
12.3.5. Limitations Chapter 12. ZoneDefense 503[...]
-
Página 504
Chapter 13. Advanced Settings This chapter describes the additional configurable advanced settings for NetDefendOS that are not already described in the manual. In the Web Interface these settings are found under System > Advanced Settings . The settings are divided up into the following categories: Note: Activating setting changes After any adv[...]
-
Página 505
Block 0000 Src Block 0.0.0.0 as source address. Default: Drop Block 0 Net Block 0.* as source addresses. Default: DropLog Block 127 Net Block 127.* as source addresses. Default: DropLog Block Multicast Src Block multicast both source addresses (224.0.0.0 - 255.255.255.255). Default: DropLog TTL Min The minimum TTL value accepted on receipt. Default[...]
-
Página 506
Default: ValidateLogBad SecuRemoteUDP Compatibility Allow IP data to contain eight bytes more than the UDP total length field specifies. Checkpoint SecuRemote violates NAT-T drafts. Default: Disabled IP Option Sizes Verifies the size of "IP options". These options are small blocks of information that may be added to the end of each IP hea[...]
-
Página 507
IP Reserved Flag Indicates what NetDefendOS will do if there is data in the "reserved" fields of IP headers. In normal circumstances, these fields should read 0. Used by OS Fingerprinting. Default: DropLog Strip DontFragment Strip the Don't Fragment flag for packets equal to or smaller than the size specified by this setting. Default[...]
-
Página 508
13.2. TCP Level Settings TCP Option Sizes Verifies the size of TCP options. This function acts in the same way as IPOptionSizes described above. Default: ValidateLogBad TCP MSS Min Determines the minimum permissible size of the TCP MSS. Packets containing maximum segment sizes below this limit are handled according to the next setting. Default: 100[...]
-
Página 509
TCP Auto Clamping Automatically clamp TCP MSS according to MTU of involved interfaces, in addition to TCPMSSMax. Default: Enabled TCP Zero Unused ACK Determines whether NetDefendOS should set the ACK sequence number field in TCP packets to zero if it is not used. Some operating systems reveal sequence number information this way, which can make it [...]
-
Página 510
initially intended to be used in negotiating for the use of better checksums in TCP. However, these are not understood by any today's standard systems. As NetDefendOS cannot understand checksum algorithms other than the standard algorithm, these options can never be accepted. The ALTCHKREQ option is normally never seen on modern networks. Defa[...]
-
Página 511
TCP SYN/FIN The TCP FIN flag together with SYN; normally invalid (strip=strip FIN). Default: DropLog TCP FIN/URG Specifies how NetDefendOS will deal with TCP packets with both FIN (Finish, close connection) and URG flags turned on. This should normally never occur, as you do not usually attempt to close a connection at the same time as sending &quo[...]
-
Página 512
TCP sequence number validation is only possible on connections tracked by the state-engine (not on packets forwarded using a FwdFast rule). Possible values are: Ignore - Do not validate. Means that sequence number validation is completely turned off. ValidateSilent - Validate and pass on. ValidateLogBad - Validate and pass on, log if bad. ValidateR[...]
-
Página 513
13.3. ICMP Level Settings ICMP Sends Per Sec Limit Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section. Defaul[...]
-
Página 514
13.4. State Settings Connection Replace Allows new additions to the NetDefendOS connection list to replace the oldest connections if there is no available space. Default: ReplaceLog Log Open Fails In some instances where the Rules section determines that a packet should be allowed through, the stateful inspection mechanism may subsequently decide t[...]
-
Página 515
Default: Log Log Connection Usage This generates a log message for every packet that passes through a connection that is set up in the NetDefendOS state-engine. Traffic whose destination is the NetDefend Firewall itself, for example NetDefendOS management traffic, is not subject to this setting. The log message includes port, service, source/destin[...]
-
Página 516
13.5. Connection Timeout Settings The settings in this section specify how long a connection can remain idle, that is to say with no data being sent through it, before it is automatically closed. Please note that each connection has two timeout values: one for each direction. A connection is closed if either of the two values reaches 0. TCP SYN Idl[...]
-
Página 517
Other Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before it is closed. Default: 130 13.5. Connection Timeout Settings Chapter 13. Advanced Settings 517[...]
-
Página 518
13.6. Length Limit Settings This section contains information about the size limits imposed on the protocols directly under IP level, such as TCP, UDP and ICMP. The values specified here concern the IP data contained in packets. In the case of Ethernet, a single packet can contain up to 1480 bytes of IP data without fragmentation. In addition to th[...]
-
Página 519
Specifies in bytes the maximum size of an AH packet. AH, Authentication Header, is used by IPsec where only authentication is applied. This value should be set at the size of the largest packet allowed to pass through the VPN connections, regardless of its original protocol, plus approx. 50 bytes. Default: 2000 Max SKIP Length Specifies in bytes th[...]
-
Página 520
13.7. Fragmentation Settings IP is able to transport up to 65536 bytes of data. However, most media, such as Ethernet, cannot carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate packets, each one given their own IP header and information that will help the recipient reassemble the original packet correct[...]
-
Página 521
Default: Check8 – compare 8 random locations, a total of 32 bytes Failed Fragment Reassembly Reassemblies may fail due to one of the following causes: • Some of the fragments did not arrive within the time stipulated by the ReassTimeout or ReassTimeLimit settings. This may mean that one or more fragments were lost on their way across the Intern[...]
-
Página 522
• NoLog - No logging is carried out under normal circumstances. • LogSuspect - Logs duplicated fragments if the reassembly procedure has been affected by "suspect" fragments. • LogAll - Always logs duplicated fragments. Default: LogSuspect Fragmented ICMP Other than ICMP ECHO (Ping), ICMP messages should not normally be fragmented a[...]
-
Página 523
Reassembly Illegal Limit Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving. Default: 60 13.7. Fragmentation Settings Chapter 13. Advanced Settings 523[...]
-
Página 524
13.8. Local Fragment Reassembly Settings Max Concurrent Maximum number of concurrent local reassemblies. Default: 256 Max Size Maximum size of a locally reassembled packet. Default: 10000 Large Buffers Number of large ( over 2K) local reassembly buffers (of the above size). Default: 32 13.8. Local Fragment Reassembly Settings Chapter 13. Advanced S[...]
-
Página 525
13.9. Miscellaneous Settings UDP Source Port 0 How to treat UDP packets with source port 0. Default: DropLog Port 0 How to treat TCP/UDP packets with destination port 0 and TCP packets with source port 0. Default: DropLog Watchdog Time Number of non-responsive seconds before watchdog is triggered (0=disable). Default: 180 Flood Reboot Time As a fin[...]
-
Página 526
13.9. Miscellaneous Settings Chapter 13. Advanced Settings 526[...]
-
Página 527
Appendix A. Subscribing to Updates Overview The NetDefendOS Anti-Virus (AV) module, the Intrusion Detection and Prevention (IDP) module and the Dynamic Web Content Filtering module all function using external D-Link databases which contain details of the latest viruses, security threats and URL categorization. These databases are constantly being u[...]
-
Página 528
gw-world:/> updatecenter -update Antivirus Querying Update Status To get the status of IDP updates use the command: gw-world:/> updatecenter -status IDP To get the status of AV updates: gw-world:/> updatecenter -status Antivirus Querying Server Status To get the status of the D-Link network servers use the command: gw-world:/> updatecen[...]
-
Página 529
Appendix B. IDP Signature Groups For IDP scanning, the following signature groups are available for selection. These groups are available only for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS , IPS and Policy . For further information see Section 6.5, “Intrusion Detection and Prevention” . Group[...]
-
Página 530
Group Name Intrusion Type FTP_FORMATSTRING Format string attack FTP_GENERAL FTP protocol and implementation FTP_LOGIN Login attacks FTP_OVERFLOW FTP buffer overflow GAME_BOMBERCLONE Bomberclone game GAME_GENERAL Generic game servers/clients GAME_UNREAL UnReal Game server HTTP_APACHE Apache httpd HTTP_BADBLUE Badblue web server HTTP_CGI HTTP CGI HTT[...]
-
Página 531
Group Name Intrusion Type POP3_DOS Denial of Service for POP POP3_GENERAL Post Office Protocol v3 POP3_LOGIN-ATTACKS Password guessing and related login attack POP3_OVERFLOW POP3 server overflow POP3_REQUEST-ERRORS Request Error PORTMAPPER_GENERAL PortMapper PRINT_GENERAL LP printing server: LPR LPD PRINT_OVERFLOW Overflow of LPR/LPD protocol/imple[...]
-
Página 532
Group Name Intrusion Type TFTP_OPERATION Operation Attack TFTP_OVERFLOW TFTP buffer overflow attack TFTP_REPLY TFTP Reply attack TFTP_REQUEST TFTP request attack TROJAN_GENERAL Trojan UDP_GENERAL General UDP UDP_POPUP Pop-up window for MS Windows UPNP_GENERAL UPNP VERSION_CVS CVS VERSION_SVN Subversion VIRUS_GENERAL Virus VOIP_GENERAL VoIP protocol[...]
-
Página 533
Appendix C. Verified MIME filetypes Some NetDefendOS Application Layer Gateways (ALGs) have the optional ability to verify that the contents of a downloaded file matches the type that the filetype in the filename indicates. The filetypes for which MIME verification can be done are listed in this appendix and the ALGs to which this applies are: • [...]
-
Página 534
Filetype extension Application cpl Windows Control Panel Extension file dbm Database file dcx Graphics Multipage PCX Bitmap file deb Debian Linux Package file djvu DjVu file dll Windows dynamic link library file dpa DPA archive data dvi TeX Device Independent Document eet EET archive egg Allegro datafile elc eMacs Lisp Byte-compiled Source Code emd[...]
-
Página 535
Filetype extension Application mpv MPEG-1 Video file Microsoft files Microsoft office files, and other Microsoft files msa Atari MSA archive data niff, nif Navy Interchange file Format Bitmap noa Nancy Video CODEC nsf NES Sound file obj, o Windows object file, linux object file ocx Object Linking and Embedding (OLE) Control Extension ogg Ogg Vorbis[...]
-
Página 536
Filetype extension Application tfm TeX font metric data tiff, tif Tagged Image Format file tnef Transport Neutral Encapsulation Format torrent BitTorrent Metainfo file ttf TrueType Font txw Yamaha TX Wave audio files ufa UFA archive data vcf Vcard file viv VivoActive Player Streaming Video file wav Waveform Audio wk Lotus 1-2-3 document wmv Windows[...]
-
Página 537
Appendix D. The OSI Framework Overview The Open Systems Interconnection Model defines a framework for inter-computer communications. It categorizes different protocols for a great variety of network applications into seven smaller, more manageable layers. The model describes how data from an application in one computer can be transferred through a [...]
-
Página 538
Alphabetical Index A access rules, 237 accounting, 60 interim messages, 62 limitations with NAT, 63 messages, 60 system shutdowns, 63 address book, 77 ethernet addresses in, 79 folders, 81 IP addresses in, 77 address groups, 80 excluding addresses, 80 address translation, 334 admin account, 29 changing password for, 38 multiple logins, 29 advanced [...]
-
Página 539
banner files in user authentication, 373 in web content filtering, 307 blacklisting hosts and networks, 331 threshold rules, 471 URLs, 293 wildcarding, 293 with IDP, 322 Block 0000 Src setting, 504 Block 0 Net setting, 505 Block 127 Net setting, 505 blocking applications with IDP, 315 Block Multicast Src setting, 505 boot menu (see console boot men[...]
-
Página 540
Directed Broadcasts setting, 506 distance vector algorithms, 171 DMZ, 343 DNS, 139 dynamic lookup, 139 DNS black lists for Spam filtering, 258 documentation, 18 DoS attack (see denial of service) downloading files with SCP, 45 DPD Expire Time (IPsec) setting, 423 DPD Keep Time (IPsec) setting, 423 DPD Metric (IPsec) setting, 423 drop all IP rule, 1[...]
-
Página 541
IDENT and IP rules, 119 identification lists, 403 IDP, 315 HTTP URI normalization, 317 signature groups, 320 signatures, 319 signature wildcarding, 321 SMTP log receivers, 322 traffic shaping, 465 Iface poll interval setting, 156 IGMP, 194 advanced settings, 204 configuration, 199 rules configuration, 202 IGMP Before Rules setting, 204 IGMP Idle Li[...]
-
Página 542
logout from CLI, 40 Log Oversized Packets setting, 519 Log Received TTL 0 setting, 504 Log Reverse Opens setting, 514 Log State Violations setting, 514 loopback interfaces, 90, 91 Low Broadcast TTL Action setting, 507 M MAC addresses, 108 management interfaces, 28 advanced settings, 48 configuring remote access, 40 managing NetDefendOS, 28 Max AH L[...]
-
Página 543
ALG, 264 client, 431 problem with NAT, 432 quick start guide, 389 server, 425 PPTP Before Rules setting, 431 precedences in pipes, 450 pre-shared keys, 382, 402 non-ascii character problem, 402 Primary Time Server setting, 137 product overview, 16 proposal lists, 401 proxy ARP, 157 setting up, 158 Pseudo Reass Max Concurrent setting, 520 Q QoS (see[...]
-
Página 544
SNMP Request Limit setting, 68, 69 source based routing, 160 spam filtering, 257 caching, 261 logging, 260 tagging, 259 spam WCF category, 306 spanning tree relaying, 217 spillover RLB algorithm, 165 spoofing, 238 SSH, 38 SSH Before Rules setting, 48 SSH client keys, 358 SSL acceleration, 290 state-engine, 19 packet flow, 23 stateful inspection (se[...]
-
Página 545
with SIP, 265 VoIP (see voice over IP) VPN, 377 planning, 378 quick start guide, 381 troubleshooting, 437 W Watchdog Time setting, 525 WCF (see web content filtering) webauth, 369 web content filtering, 295 fail mode, 297 whitelisting, 296 web interface, 28, 29 default connection interface, 30 setting workstation IP, 30 WebUI (see web interface) We[...]