D-Link DFL-1660-NB user manual

A good user manual

The rules impose on the reseller the obligation to provide the buyer, together with the goods, the D-Link DFL-1660-NB user manual. The lack of a user manual, or incorrect information provided to the consumer, forms the basis of a complaint of non-conformity of the device with the contract. In accordance with the law, including the user manual in a form other than paper is permitted, which is often done nowadays, by including the D-Link DFL-1660-NB manual in graphic or electronic form or as instructional videos for users. The condition is that it be legible and understandable.

What is a user manual?

The word comes from the Latin "Instructio", meaning to organise. Thus, the D-Link DFL-1660-NB user manual describes the steps of a procedure. The purpose of the user manual is to instruct, to facilitate starting up and using the equipment, or carrying out specific actions. The user manual is a collection of information about the object/service, a guide.

Unfortunately, few users take the time to read the user manual, and a good manual not only lets you learn about a number of additional features of the purchased device, but also helps avoid most failures.

So, what should the perfect manual contain?

First of all, the D-Link DFL-1660-NB user manual should contain:
- information on the technical characteristics of the D-Link DFL-1660-NB device
- the manufacturer's name and year of manufacture of the D-Link DFL-1660-NB
- instructions for use, adjustment and maintenance of the D-Link DFL-1660-NB equipment
- safety signs and certifications confirming compliance with the relevant standards

Why don't we read user manuals?

Usually this is due to a lack of time and uncertainty about the specific functionality of the purchased equipment. Unfortunately, connecting and starting up the D-Link DFL-1660-NB is not enough. The user manual contains a number of guidelines on specific features, safety, maintenance methods (even the products that should be used), possible D-Link DFL-1660-NB faults, and ways of solving common problems during use. Finally, the manual contains the D-Link service contact details should the proposed solutions prove ineffective. Nowadays, user manuals in the form of engaging animations and instructional videos, which are better than a brochure, are very popular. This type of manual lets the user watch the entire instructional video without skipping the complicated D-Link DFL-1660-NB specifications and technical descriptions, as happens with the paper version.

Why read the user manual?

First of all, it contains answers about the structure and capabilities of the D-Link DFL-1660-NB device, the use of various accessories, and a range of information for taking full advantage of all its features and conveniences.

After a successful purchase of the equipment/device, take a moment to familiarise yourself with every part of the D-Link DFL-1660-NB user manual. Nowadays they are carefully prepared and translated so that they are not only understandable to users but also fulfil their basic function of informing and helping.

User manual table of contents

  • Page 1

    Network Security Solution http://www.dlink.com NetDefendOS Ver. 2.40.00 Network Security Firewall User Manual Security Security[...]

  • Page 2

    User Manual DFL-260E/860E/1660/2560/2560G NetDefendOS Version 2.40.00 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2011-09-06 Copyright © 2011[...]

  • Page 3

    User Manual DFL-260E/860E/1660/2560/2560G NetDefendOS Version 2.40.00 Published 2011-09-06 Copyright © 2011 Copyright Notice This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manual, nor any of the material contained herein, may be reprod[...]

  • Page 4

    Table of Contents Preface 15 1. NetDefendOS Overview [...]

  • Page 5

    3.2. IPv6 Support 93 3.3. Services [...]

  • Page 6

    4.7. Transparent Mode 233 4.7.1. Overview [...]

  • Page 7

    6.7. Blacklisting Hosts and Networks 360 7. Address Translation [...]

  • Page 8

    9.6.1. Overview 466 9.6.2. Configuring SSL VPN in NetDefendOS 467 9.6.3. Installing the SSL VPN Client [...]

  • Page 9

    13. Advanced Settings 546 13.1. IP Level Settings [...]

  • Page 10

    List of Figures 1.1. Packet Flow Schematic Part I 24 1.2. Packet Flow Schematic Part II [...]

  • Page 11

    10.6. Traffic Grouped By IP Address 498 10.7. A Basic Traffic Shaping Scenario 5[...]

  • Page 12

    List of Examples 1. Example Notation 15 2.1. Enabling remote management via HTTPS [...]

  • Page 13

    4.10. Add an OSPF Area 217 4.11. Add OSPF Interface Objects [...]

  • Page 14

    10.3. Setting up SLB 519 12.1. A simple ZoneDefense scenario [...]

  • Page 15

    Preface Intended Audience The target audience for this reference guide is Administrators who are responsible for configuring and managing NetDefend Firewalls which are running the NetDefendOS operating system. This guide assumes that the reader has some basic knowledge of networks and network security. Text Structure and Conventions The text is bro[...]

  • Page 16

    The Web Interface actions for the example are shown here. They are also typically a numbered list showing what items in the tree-view list at the left of the interface or in the menu bar or in a context menu need to be opened followed by information about the data items that need to be entered: 1. Go to: Item X > Item Y > Item Z 2. Now enter:[...]

  • Page 17

    Chapter 1. NetDefendOS Overview This chapter outlines the key features of NetDefendOS. • Features, page 17 • NetDefendOS Architecture, page 20 • NetDefendOS State Engine Packet Flow, page 24 1.1. Features D-Link NetDefendOS is the base software engine that drives and controls the range of NetDefend Firewall hardware products. NetDefendOS as a[...]

  • Page 18

    VPN NetDefendOS supports a range of Virtual Private Network (VPN) solutions. Support exists for IPsec, L2TP and PPTP as well as SSL VPN with security policies definable for individual VPN connections. This topic is covered in Chapter 9, VPN . TLS Termination NetDefendOS supports TLS termination so that the NetDefend Firewall can act as the end poin[...]

  • Page 19

    provides detailed event and logging capabilities plus support for monitoring through SNMP. More detailed information about this topic can be found in Chapter 2, Management and Maintenance . ZoneDefense NetDefendOS can be used to control D-Link switches using the ZoneDefense feature. This allows NetDefendOS to isolate portions of a network that cont[...]

  • Page 20

    1.2. NetDefendOS Architecture 1.2.1. State-based Architecture The NetDefendOS architecture is centered around the concept of state-based connections. Traditional IP routers or switches commonly inspect all packets and then perform forwarding decisions based on information found in the packet headers. With this approach, packets are forwarded withou[...]

  • Page 21

    NetDefendOS Rule Sets Finally, rules which are defined by the administrator in the various rule sets are used for actually implementing NetDefendOS security policies. The most fundamental set of rules are the IP Rules , which are used to define the layer 3 IP filtering policy as well as carrying out address translation and server load balancing. Th[...]

  • Page 22

    • Source and destination interfaces • Source and destination network • IP protocol (for example TCP, UDP, ICMP) • TCP/UDP ports • ICMP types • Point in time in reference to a predefined schedule If a match cannot be found, the packet is dropped. If a rule is found that matches the new connection, the Action parameter of the rule decides[...]

  • Page 23

    If the destination interface is a tunnel interface or a physical sub-interface, additional processing such as encryption or encapsulation might occur. The next section provides a set of diagrams illustrating the flow of packets through NetDefendOS. 1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview 23[...]

  • Page 24

    1.3. NetDefendOS State Engine Packet Flow The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next. It is not necessary to understand these diagrams, however, they can be useful as a reference when configuring NetDefendOS in certain situations. F[...]

  • Page 25

    Figure 1.2. Packet Flow Schematic Part II The packet flow is continued on the following page. 1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 25[...]

  • Page 26

    Figure 1.3. Packet Flow Schematic Part III 1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 26[...]

  • Page 27

    Apply Rules The figure below presents the detailed logic of the Apply Rules function in Figure 1.2, “Packet Flow Schematic Part II” above. Figure 1.4. Expanded Apply Rules Logic 1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 27[...]

  • Page 28

    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 28[...]

  • Page 29

    Chapter 2. Management and Maintenance This chapter describes the management, operations and maintenance related aspects of NetDefendOS. • Managing NetDefendOS, page 29 • Events and Logging, page 59 • RADIUS Accounting, page 65 • Monitoring, page 71 • The pcapdump Command, page 80 • Maintenance, page 83 2.1. Managing NetDefendOS 2.1.1. O[...]

  • Page 30

    Firewall. Various files used by NetDefendOS can be both uploaded and downloaded with SCP. This feature is fully described in Section 2.1.6, “Secure Copy” . Console Boot Menu Before NetDefendOS starts running, a console connected directly to the NetDefend Firewall's RS232 port can be used to do basic configuration through the boot menu . Th[...]

  • Page 31

    Ethernet interface using a standard web browser. This allows the administrator to perform remote management from anywhere on a private network or the public Internet using a standard computer without having to install client software. Note: Recommended web browsers The recommended browsers to use with the Web Interface are as follows: • Microsoft[...]

  • Page 32

    Enter the username and password and click the Login button. The factory default username and password is admin and admin . If the user credentials are correct, you will be transferred to the main Web Interface page. First Time Web Interface Logon and the Setup Wizard When logging on for the first time, the default username is always admin and the p[...]

  • Page 33

    For information about the default user name and password, see Section 2.1.2, “The Default Administrator Account” . Note: Remote management access Access to the Web Interface is regulated by the configured remote management policy. By default, the system will only allow web access from the internal network. Interface Layout The main Web Interfac[...]

  • Page 34

    • Maintenance i. Update Center - Manually update or schedule updates of the intrusion detection and antivirus signatures. ii. License - View license details or enter activation code. iii. Backup - Make a backup of the configuration to a local computer or restore a previously downloaded backup. iv. Reset - Restart the firewall or reset to factory [...]

  • Page 35

    Controlling Access to the Web Interface By default, the Web Interface is accessible only from the internal network. If it is required to have access from other parts of the network, this can be done by modifying the remote management policy. Example 2.1. Enabling remote management via HTTPS Command-Line Interface gw-world:/> add RemoteManagement[...]

  • Page 36

    Tip: Correctly routing management traffic If there is a problem with the management interface when communicating alongside VPN tunnels, check the main routing table and look for an all-nets route to the VPN tunnel. Management traffic may be using this route. If no specific route is set up for the management interface then all management traffic com[...]

  • Page 37

    The object type can be optionally preceded by the object category . A category groups together a set of types and mainly used with tab completion which is described below. Tip: Getting help about help Typing the CLI command: gw-world:/> help help will give information about the help command itself. The CLI Command History Just like the console i[...]

  • Page 38

    mandatory parameters have already been entered. Note: Rule names are recommended Even when it is optional, it is recommended that a Name value is assigned to a rule. This makes examining and understanding the configuration easier. Specifying the Default Value The period " . " character before a tab can be used to automatically fill in the[...]

  • Page 39

    with routes. There can be more than one routing table, so when adding or manipulating a route we first have to use the cc command to identify which routing table we are interested in. Suppose a route is to be added to the routing table main . The first command would be: gw-world:/> cc RoutingTable main gw-world:/main> Notice that the command [...]

  • Page 40

    For more on scripts see Section 2.1.5, “CLI Scripts” . The CLI will enforce unique naming within an object type. For reasons of backward compatibility to earlier NetDefendOS releases, an exception exists with IP rules which can have duplicate names, however it is strongly recommended to avoid this. If a duplicate IP rule name is used in two IP [...]

  • Page 41

    platforms. NetDefendOS supports version 1, 1.5 and 2 of the SSH protocol. SSH access is regulated by the remote management policy in NetDefendOS, and is disabled by default. Example 2.2. Enabling SSH Remote Access This example shows how to enable remote SSH access from the lannet network through the lan interface by adding a rule to the remote mana[...]

  • Page 42

    gw-world:/> cc LocalUserDatabase AdminUsers We are now in AdminUsers and can change the password of the admin user: gw-world:/AdminUsers> set User admin Password="my-password" Finally, we return the current category to the top level: gw-world:/AdminUsers> cc Note: The console password is separate The password that can be set to p[...]

  • Page 43

    gw-world:/> shutdown This is sufficient for most situations that require a system restart. To shutdown and restart both NetDefendOS and completely reinitialize the hardware, including the NetDefendOS loader (equivalent to switching the hardware off then on) use the command: gw-world:/> shutdown -reboot A possible side effect of committing cha[...]

  • Page 44

    address 10.8.1.34 is now possible using a web browser. If SSH management access is required then a RemoteMgmtSSH object should be added. The assumption made with the above commands is that an all-nets route exists to the ISP's gateway. In other words, Internet access has been enabled for the NetDefend Firewall. Managing Management Sessions wit[...]

  • Page 45

    in a directory under the root called /scripts . SCP uploading is discussed in detail in Section 2.1.6, “Secure Copy” . 3. Use the CLI command script -execute to run the script file. The CLI script command is the tool used for script management and execution. The complete syntax of the command is described in the CLI Reference Guide and specific[...]

  • Page 46

    When the script file runs, the variable replacement would mean that the file becomes: add IP4Address If1_ip Address=126.12.11.01 Comments="If1 address" Script Validation and Command Ordering CLI scripts are not, by default, validated. This means that the written ordering of the script does not matter. There can be a reference to a configu[...]

  • Page 47

    gw-world:/> script -remove -name=my_script.sgs Listing Scripts The script command on its own, without any parameters, lists all the scripts currently available and indicates the size of each script as well as the type of memory where it resides (residence in non-volatile memory is indicated by the word " Disk " in the Memory column). g[...]

  • Page 48

    Tip: Listing commands at the console To list the created CLI commands on the console instead of saving them to a file, leave out the option -name= in the script -create command. Certain aspects of a configuration which are hardware dependent cannot have a script file entry created when using the -create option. This is true when the CLI node type i[...]

  • Page 49

    Download is done with the command: > scp <source_firewall> <local_filename> The source or destination NetDefend Firewall is of the form: <user_name>@<firewall_ip_address>:<filepath> . For example: admin@10.62.11.10:config.bak . The <user_name> must be a defined NetDefendOS user in the administrator user group.[...]

  • Page 50

    • script/ - The object type for all CLI scripts. Scripts are described further in Section 2.1.5, “CLI Scripts” . • sshclientkey/ - The SSH client key object type. Examples of Uploading and Downloading In some cases, a file is located in the NetDefendOS root. The license file ( license.lic ) falls into this category, as well as backup files [...]

  • Page 51

    below: If any console key is pressed during these 3 seconds then NetDefendOS startup pauses and the console boot menu is displayed. Initial Boot Menu Options without a Password Set When NetDefendOS is started for the first time with no console password set for console access then the full set of boot menu options are displayed as shown below: The o[...]

  • Page 52

    The 1. Start firewall option re-continues the interrupted NetDefendOS startup process. If the 2. Login option is chosen, the console password must be entered and the full boot menu described above is entered. Removing the Console Password Once the console password is set it can be removed by selecting the Set console password option in the boot men[...]

  • Page 53

    Specifies the HTTP port for the Web Interface. Default: 80 WebUI HTTPS port Specifies the HTTP(S) port for the Web Interface. Default: 443 HTTPS Certificate Specifies which certificate to use for HTTPS traffic. Only RSA certificates are supported. Default: HTTPS 2.1.9. Working with Configurations Configuration Objects The system configuration is bu[...]

  • Page 54

    Web Interface 1. Go to: Objects > Services 2. A web page listing all services will be presented. A list contains the following basic elements: • Add Button - Displays a dropdown menu when clicked. The menu will list all types of configuration items that can be added to the list. • Header - The header row displays the titles of the columns in[...]

  • Page 55

    Example 2.5. Editing a Configuration Object When the behavior of NetDefendOS is changed, it is most likely necessary to modify one or several configuration objects. This example shows how to edit the Comments property of the telnet service. Command-Line Interface gw-world:/> set Service ServiceTCPUDP telnet Comments="Modified Comment" [...]

  • Page 56

    Web Interface 1. Go to: Objects > Address Book 2. Click on the Add button 3. In the dropdown menu displayed, select IP Address 4. In the Name text box, enter myhost 5. Enter 192.168.10.10 in the IP Address textbox 6. Click OK 7. Verify that the new IP4 address object has been added to the list Example 2.7. Deleting a Configuration Object This ex[...]

  • Page 57

    Example 2.9. Listing Modified Configuration Objects This example shows how to list configuration objects that have been modified. Command-Line Interface gw-world:/> show -changes Type Object ------------- ------ - IP4Address myhost * ServiceTCPUDP telnet A "+" character in front of the row indicates that the object has been added. A &q[...]

  • Page 58

    2. Click OK to confirm The web browser will automatically try to connect back to the Web Interface after 10 seconds. If the connection succeeds, this is interpreted by NetDefendOS as confirmation that remote management is still working. The new configuration is then automatically committed. Note: Changes must be committed The configuration must be [...]

  • Page 59

    2.2. Events and Logging 2.2.1. Overview The ability to log and analyze system activities is an essential feature of NetDefendOS. Logging enables not only monitoring of system status and health, but also allows auditing of network usage and assists in trouble-shooting. Log Message Generation NetDefendOS defines a large number of different log event [...]

  • Page 60

    • Debug By default, NetDefendOS sends all messages of level Info and above to any configured log servers but the level for sending can be changed by the administrator. The Debug severity is intended for system troubleshooting only and should only be used if required. All log event messages of all severity levels are listed in the separate NetDefe[...]

  • Page 61

    Overview Syslog is a standardized protocol for sending log data although there is no standardized format for the log messages themselves. The format used by NetDefendOS is well suited to automated processing, filtering and searching. Although the exact format of each log entry depends on how a Syslog receiver works, most are very much alike. The wa[...]

  • Page 62

    Note: Syslog server configuration The syslog server may have to be configured to receive log messages from NetDefendOS. Please see the documentation for specific Syslog servers in order to correctly configure it. 2.2.6. Severity Filter and Message Exceptions For each log receiver it is possible to impose rules on what log message categories and sev[...]

  • Page 63

    NetDefendOS takes the concept of an SNMP Trap one step further by allowing any event message to be sent as an SNMP trap. This means that the administrator can set up SNMP Trap notification of events that are considered significant in the operation of a network. The file DFLNNN-TRAP.MIB (where NNN indicates the model number of the firewall) is provi[...]

  • Page 64

    2.2.8. Advanced Log Settings The following advanced settings for NetDefendOS event logging are available to the administrator: Send Limit This setting specifies the maximum log messages that NetDefendOS will send per second. This value should never be set too low as this may result in important events not being logged, nor should it be set too high[...]

  • Page 65

    2.3. RADIUS Accounting 2.3.1. Overview The Central Database Approach Within a network environment containing large numbers of users, it is advantageous to have one or a cluster of central servers that maintain user account information and are responsible for authentication and authorization tasks. The central database residing on such dedicated ser[...]

  • Page 66

    • ID - A unique identifier to enable matching of an AccountingRequest with Acct-Status-Type set to STOP. • User Name - The user name of the authenticated user. • NAS IP Address - The IP address of the NetDefend Firewall. • NAS Port - The port of the NAS on which the user was authenticated (this is a physical interface and not a TCP or UDP p[...]

  • Page 67

    • Timestamp - The number of seconds since 1970-01-01. Used to set a timestamp when this packet was sent from the NetDefend Firewall. In addition, two more attributes may be sent: • Input Gigawords - Indicates how many times the Input Bytes counter has wrapped. This is only sent if Input Bytes has wrapped, and if the Input Bytes attribute is sen[...]

  • Page 68

    Some important points should be noted about activation: • RADIUS Accounting will not function where a connection is subject to a FwdFast rule in the IP rule set. • The same RADIUS server does not need to handle both authentication and accounting; one server can be responsible for authentication while another is responsible for accounting tasks.[...]

  • Page 69

    Allow on error to determine how this situation is handled. If the Allow on error setting is enabled, an already authenticated user's session will be unaffected. If it is not enabled, any affected user will automatically be logged out even if they have already been authenticated. 2.3.8. Accounting and System Shutdowns In the case that the clien[...]

  • Page 70

    Maximum Radius Contexts The maximum number of contexts allowed with RADIUS. This applies to RADIUS use with both accounting and authentication. Default: 1024 Example 2.13. RADIUS Accounting Server Setup This example shows the configuration of a local RADIUS server known as radius-accounting with IP address 123.04.03.01 using port 1813 . Web Interface 1. [...]

  • Page 71

    2.4. Monitoring The real-time performance of NetDefendOS can be monitored in a number of ways. They are: • The NetDefendOS link monitor. • Monitoring through an SNMP client. • Hardware monitoring for specific hardware models. 2.4.1. The Link Monitor Overview The Link Monitor is a NetDefendOS feature that allows monitoring of the connectivity [...]

  • Page 72

    period and all interface links to external devices are renegotiated. • In an HA cluster setup, the link from the master to the external Internet (or other part of a network) can be continually monitored so that should the link fail, the slave will take over (assuming that the slave has a different physical connection to the monitored address). Th[...]

  • Page 73

    Maximum Loss A single host is considered unreachable if this number of consecutive ping responses to that host are not replied to. Grace Period Do not allow the link monitor to trigger an action for this number of seconds after the last reconfiguration. This avoids false positives during initial link negotiation. The default value is 45 seconds. Se[...]

  • Page 74

    Security for SNMP Versions 1 and 2c is handled by the Community String which is the same as a password for SNMP access. The Community String should be difficult to guess and should therefore be constructed in the same way as any other password, using combinations of upper and lower case letters along with digits. Enabling an IP Rule for SNMP The ad[...]

  • Page 75

    4. Click OK Should it be necessary to change the SNMP Before Rules setting (it is enabled by default), it can be found in System > Remote Management > Advanced Settings . SNMP Advanced Settings The following SNMP advanced settings can be found under the Remote Management section in the Web Interface. They can also be set through the CLI. [...]

  • Page 76

    Default: Hardware 2.4.3. Hardware Monitoring Feature Availability Certain D-Link hardware models allow the administrator to use the CLI to query the current value of various hardware operational parameters such as the current temperature inside the firewall. This feature is referred to as Hardware Monitoring . Note: Hardware monitoring is not avail[...]

  • Page 77

    CPU Temp = 41.500 (C) (x) The SYS temperature is for the overall temperature inside the hardware unit. The CPU temperature relates specifically to the unit's central processor which can be lower than the overall temperature due to the method of cooling. Note: The meaning of "(x)" The "(x)" at the side of each the sensor lin[...]

  • Page 78

    displayed next to the sensor in the output from the hwm command. Controlling the Event Sending Frequency The maximum frequency of log event generation when hardware monitoring values fall outside their preset range can be limited using the AlarmRepeatInterval setting in the LogSettings object. This setting is used because the monitored values are c[...]

  • Page 79

    Generate a Critical log message if free memory is below this number of bytes. Disable by setting to 0. Maximum value is 10,000. Default: 0 Warning Level Generate a Warning log message if free memory is below this number of bytes. Disable by setting to 0. Maximum value 10,000. Default: 0 2.4.4. Memory Monitoring Settings Chapter 2. Management and Ma[...]

  • Page 80

    2.5. The pcapdump Command A valuable diagnostic tool is the ability to examine the packets that enter and leave the interfaces of a NetDefend Firewall. For this purpose, NetDefendOS provides the CLI command pcapdump which not only allows the examination of packet streams entering and leaving interfaces but also allows the filtering of these streams[...]

  • Page 81

    It is possible to have multiple pcapdump executions being performed at the same time. The following points describe this feature: 1. All capture from all executions goes to the same memory buffer. The command can be launched multiple times with different interfaces specified. In this case the packet flow for the different executions will be grouped[...]

  • Page 82

    Output File Naming Restrictions The name of the file used for pcapdump output must comply with the following rules: • Excluding the filename extension, the name may not exceed 8 characters in length. • The filename extension cannot exceed 3 characters in length. • The filename and extension can only contain the characters A-Z, 0-9, "-"[...]

  • Page 83

    2.6. Maintenance 2.6.1. Auto-Update Mechanism A number of the NetDefendOS security features rely on external servers for automatic updates and content filtering. The Intrusion Prevention and Detection system and Anti-Virus modules require access to updated signature databases in order to provide protection against the latest threats. To facilitate [...]

  • Page 84

    Version Compatibility Since a full system backup includes a NetDefendOS version, compatibility is not an issue with these types of backup. With configuration only backups, the following should be noted: • A configuration backup created on a higher NetDefendOS version should never be uploaded to a lower NetDefendOS version. For example, a backup c[...]

  • Page 85

    name of the file does not need to be changed in any way and can retain the date since NetDefendOS will read a header in the file to determine what it is. Backup and Restore using the WebUI As an alternative to using SCP, the administrator can initiate a backup or restore of the configuration or complete system directly through the WebUI. The exampl[...]

  • Page 86

    Reset Procedure for the NetDefend DFL-210, 260, 260E, 800, 860 and 860E To reset the NetDefend DFL-210, 260, 260E, 800, 860 and 860E models, hold down the reset button located at the rear of the unit for 10-15 seconds while powering on the unit. After that, release the reset button and the unit will continue to load and startup with its default fac[...]

  • Page 87

    2.6.3. Restore to Factory Defaults[...]

  • Page 88

    Chapter 3. Fundamentals This chapter describes the fundamental logical objects which make up a NetDefendOS configuration. These objects include such items as IP addresses and IP rules. Some exist by default and some must be defined by the administrator. In addition, the chapter explains the different interface types and explains how security polici[...]

  • Page 89

    Host A single host is represented simply by its IP address. For example, 192.168.0.14 . IP Network An IP Network is represented using Classless Inter Domain Routing (CIDR) form. CIDR uses a forward slash followed by a number from 0 to 32 as a postfix to denote the size of the network. This is also known as the netmask . /24 corresponds to a class C net with 256 a[...]

  • Page 90

    Example 3.3. Adding an IP Range This example adds a range of IPv4 addresses from 192.168.10.16 to 192.168.10.21 and names the range wwwservers : Command-Line Interface gw-world:/> add Address IP4Address wwwservers Address=192.168.10.16-192.168.10.21 Web Interface 1. Go to: Objects > Address Book > Add > IP4 Address 2. Specify a suitable[...]

  • Page 91

    Example 3.5. Adding an Ethernet Address The following example adds an Ethernet Address object named wwwsrv1_mac with the numerical MAC address 08-a3-67-bc-2e-f2 . Command-Line Interface gw-world:/> add Address EthernetAddress wwwsrv1_mac Address=08-a3-67-bc-2e-f2 Web Interface 1. Go to: Objects > Address Book > Add > Ethernet Address 2.[...]

  • Page 92

    The result of combining these two will be a single address range containing 192.168.0.10 - 192.168.0.19 . 3.1.5. Auto-Generated Address Objects To simplify the configuration, a number of address objects in the address book are automatically created by NetDefendOS when the system starts for the first time and these objects are used in various parts [...]

  • Page 93

    3.2. IPv6 Support All the IP addresses discussed so far are of the IPv4 type. The IP address standard IPv6 is designed as a successor to IPv4 with the principal advantage of providing a much larger 128 bit address space. Among many advantages, the large number of available global IPv6 addresses means that NAT is no longer required to share a limite[...]

  • Page 94

    4. Click OK Note: The prefix 2001:DB8::/32 is reserved for documentation As described in RFC3849, the IPv6 prefix 2001:DB8::/32 is specifically reserved for documentation purposes. All IPv6 examples in this manual therefore use this network or addresses from it. IPv6 Must be Enabled Globally and on an Interface IPv6 must be explicitly enabled in Ne[...]

  • Page 95

    This example enables IPv6 on the wan Ethernet interface using the address objects created previously. Command-Line Interface gw-world:/> set Interface Ethernet wan EnableIPv6=Yes IPv6IP=wan_ip6 IPv6Network=wan_net6 Web Interface 1. Go to: Interfaces > Ethernet > wan 2. Enable the option: Enable IPv6 3. Now enter: • IP Address: wan_ip6 ?[...]

  • Page 96

    IPv4 and IPv6 Cannot Share an Address Group Object IPv6 address objects are created and managed in a similar way to IPv4 objects. They are called an IP6 Address and can be used in NetDefendOS rules and other objects in the same way as an IPv4 address. However, it is not possible to combine the two in one configuration object . For example, it is not[...]
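The address-book forms described above (single host, CIDR network, explicit range, and the way an address group collapses adjacent objects into one range such as 192.168.0.10-192.168.0.19) can be exercised outside the firewall. The following Python is an added example written for this page, not code from NetDefendOS or D-Link; the object names and the sample ranges are constructed, and the standard library `ipaddress` module does the address arithmetic. It also enforces the rule just stated: IPv4 and IPv6 objects cannot be mixed in one group.

```python
import ipaddress
from typing import List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Range = Tuple[IPAddr, IPAddr]


def parse_address(text: str) -> Range:
    """Parse one address-book value into an inclusive (first, last) pair.

    Accepted forms mirror the manual's address objects: a single host
    ("192.168.0.14"), a CIDR network ("192.168.0.0/24", "2001:DB8::/32")
    or an explicit range ("192.168.10.16-192.168.10.21").
    """
    text = text.strip()
    if "-" in text:                       # range form; IPv6 literals never contain '-'
        lo_s, hi_s = (p.strip() for p in text.split("-", 1))
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {text}")
        return lo, hi
    net = ipaddress.ip_network(text, strict=False)   # a bare host becomes a /32 or /128
    return net[0], net[-1]


def address_count(text: str) -> int:
    """Number of addresses an object covers, e.g. 256 for a /24."""
    lo, hi = parse_address(text)
    return int(hi) - int(lo) + 1


def merge_ranges(entries: List[str]) -> List[Range]:
    """Combine several address objects the way an address group does.

    Adjacent or overlapping ranges collapse into one. Mixing IPv4 and IPv6
    objects in a single group is rejected, as NetDefendOS does.
    """
    ranges = [parse_address(e) for e in entries]
    if len({lo.version for lo, _ in ranges}) > 1:
        raise ValueError("IPv4 and IPv6 objects cannot share one group object")
    ranges.sort(key=lambda r: int(r[0]))
    merged: List[Range] = []
    for lo, hi in ranges:
        if merged and int(lo) <= int(merged[-1][1]) + 1:   # touches or overlaps the previous one
            if hi > merged[-1][1]:
                merged[-1] = (merged[-1][0], hi)
        else:
            merged.append((lo, hi))
    return merged


def group_is_valid(entries: List[str]) -> bool:
    """False when the group would mix address families or contains a malformed object."""
    try:
        merge_ranges(entries)
        return True
    except ValueError:
        return False


def format_range(r: Range) -> str:
    lo, hi = r
    return str(lo) if lo == hi else f"{lo}-{hi}"


def group_contains(entries: List[str], addr: str) -> bool:
    """True if addr falls inside the merged group; a version mismatch is simply False."""
    a = ipaddress.ip_address(addr)
    return any(lo <= a <= hi for lo, hi in merge_ranges(entries) if lo.version == a.version)


if __name__ == "__main__":
    group = ["192.168.0.10-192.168.0.15", "192.168.0.16-192.168.0.19"]   # constructed sample group
    print([format_range(r) for r in merge_ranges(group)])
```

Running the file prints the single merged range; `group_contains` is the check an IP rule effectively performs when an address group is used as its source or destination network.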

  • Page 97

    IPv6 and High Availability NetDefendOS High Availability (HA) does not fully support IPv6. Any IPv6 configuration objects will be mirrored on both the HA master and slave units. However, if a failover occurs, state information will be lost when one unit takes over processing from the other and IPv6 connections will be lost. In an HA configuration w[...]

  • Page 98

    3.3. Services 3.3.1. Overview A Service object is a reference to a specific IP protocol with associated parameters. A service definition is usually based on one of the major transport protocols such as TCP or UDP which is associated with a specific source and/or destination port number(s). For example, the HTTP service is defined as using the TCP p[...]

  • Page 99

    Name Comments ------------ -------------------------------------------------- all_icmp All ICMP services " " Web Interface 1. Go to: Objects > Services Example 3.11. Viewing a Specific Service To view a specific service in the system: Command-Line Interface gw-world:/> show Service ServiceTCPUDP echo The output will look similar to [...]

  • Page 100

    Let us now take a closer look at TCP/UDP services. TCP and UDP Based Services Most applications use TCP and/or UDP as transport protocol for transferring data over IP networks. Transmission Control Protocol (TCP) is a connection-oriented protocol that includes mechanisms for reliable point to point transmission of data. TCP is used by many common a[...]

  • Page 101

    Tip: Specifying source ports It is usual with many services that the source ports are left as their default value which is the range 0-65535 (corresponding to all possible source ports). With certain applications, it can be useful to also specify the source port if this is always within a limited range of values. Making the service definition as nar[...]

  • Page 102

    to refer to all protocols. However, using this is not recommended and specifying a narrower service provides better security. If, for example, the requirement is only to filter using the principal protocols of TCP, UDP and ICMP then the service group all_tcpudpicmp can be used instead. Tip: The http-all service does not include DNS A common mistake[...]

  • Page 103

    ICMP Types and Codes ICMP messages are delivered in IP packets and include a Message Type that specifies the format of the ICMP message and a Code that is used to further qualify the message. For example, the message type Destination Unreachable uses the Code parameter to specify the exact reason for the error. Either all ICMP message types can b[...]

  • Page 104

    has filled up. Time Exceeded The packet has been discarded as it has taken too long to be delivered. 3.3.4. Custom IP Protocol Services Services that run over IP and perform application/transport layer functions can be uniquely identified by IP protocol numbers . IP can carry data for a number of different protocols. These protocols are each identi[...]

  • Page 105

    service to allow all email related traffic to flow. Groups Can Contain Other Groups When a group is defined then it can contain individual services and/or service groups. This ability to have groups within groups should be used with caution since it can increase the complexity of a configuration and decrease the ability to troubleshoot problems. 3.[...]
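The service types covered in this section (TCP/UDP services with destination and optional source port ranges, ICMP services narrowed by type and code, custom IP protocol services, and service groups that may contain other groups) can be modelled as matchers and tested against sample connections. The Python below is an added example for this page, not NetDefendOS code; the service book at the bottom is constructed and only borrows the names the manual uses (http-all, all_icmp). It also demonstrates the tip above: a connection on UDP port 53 does not match http-all.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE = 1, 6, 17, 47
ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Turn a port specification such as "80", "80,443" or "0-65535" into inclusive ranges."""
    ranges = []
    for part in spec.split(","):
        lo_s, _, hi_s = part.strip().partition("-")
        lo, hi = int(lo_s), int(hi_s or lo_s)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port specification: {spec!r}")
        ranges.append((lo, hi))
    return ranges


def in_ranges(value: int, ranges: List[Tuple[int, int]]) -> bool:
    return any(lo <= value <= hi for lo, hi in ranges)


@dataclass(frozen=True)
class Packet:
    """The fields of a new connection that a service definition is checked against."""
    proto: int
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


class Service:
    name: str

    def matches(self, pkt: Packet) -> bool:
        raise NotImplementedError


@dataclass
class ServiceTCPUDP(Service):
    name: str
    protocols: Set[int]                 # {PROTO_TCP}, {PROTO_UDP} or both
    dest_ports: str
    source_ports: str = "0-65535"       # the usual default: any source port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto in self.protocols
                and in_ranges(pkt.dst_port, parse_ports(self.dest_ports))
                and in_ranges(pkt.src_port, parse_ports(self.source_ports)))


@dataclass
class ServiceICMP(Service):
    name: str
    types: Optional[Set[int]] = None    # None means every ICMP type
    codes: Optional[Set[int]] = None    # None means every code of the selected types

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == PROTO_ICMP
                and (self.types is None or pkt.icmp_type in self.types)
                and (self.codes is None or pkt.icmp_code in self.codes))


@dataclass
class ServiceIPProto(Service):
    name: str
    protocols: Set[int]                 # raw IP protocol numbers, e.g. 47 for GRE

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto in self.protocols


@dataclass
class ServiceGroup(Service):
    name: str
    members: List[Service]              # may itself contain groups

    def matches(self, pkt: Packet) -> bool:
        return any(m.matches(pkt) for m in self.members)

    def nesting_depth(self) -> int:
        """How many levels of groups-within-groups this group has (1 = flat)."""
        inner = [m.nesting_depth() for m in self.members if isinstance(m, ServiceGroup)]
        return 1 + max(inner, default=0)


def first_match(services: List[Service], pkt: Packet) -> Optional[str]:
    """Name of the first service in the list that the packet fits, or None."""
    for svc in services:
        if svc.matches(pkt):
            return svc.name
    return None


# Constructed sample service book, named after objects the manual mentions.
http = ServiceTCPUDP("http", {PROTO_TCP}, "80")
https = ServiceTCPUDP("https", {PROTO_TCP}, "443")
dns_all = ServiceTCPUDP("dns-all", {PROTO_TCP, PROTO_UDP}, "53")
http_all = ServiceGroup("http-all", [http, https])                  # note: no DNS in here
web_browsing = ServiceGroup("web-browsing", [http_all, dns_all])    # a group inside a group
icmp_dest_unreach = ServiceICMP("icmp-dest-unreach", types={ICMP_DEST_UNREACH})
all_icmp = ServiceICMP("all_icmp")
gre = ServiceIPProto("gre", {PROTO_GRE})
```

`nesting_depth` is the kind of check worth running over a real configuration before it grows: the manual warns that groups within groups make rule sets harder to troubleshoot, and a depth above two is a reasonable point at which to flatten them.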

  • Page 106

    3.4. Interfaces 3.4.1. Overview An Interface is an important logical building block in NetDefendOS. All network traffic that transits through, originates from or is terminated in the NetDefend Firewall, does so through one or more interfaces. Source and Destination Interfaces An interface can be viewed as a doorway through which network traffic pas[...]

  • Page 107

    Tunnel interfaces are used when network traffic is being tunneled between the system and another tunnel end-point in the network, before it gets routed to its final destination. Such tunnels are often used to implement virtual private networks (VPNs), which can secure communication between two firewalls. To accomplish tunneling, additional headers ar[...]

  • Page 108

    Disabling an Interface Should it be desirable to disable an interface so that no traffic can flow through it, this can be done with the CLI using the command: gw-world:/> set Interface Ethernet <interface-name> -disable Where <interface-name> is the interface to be disabled. To re-enable an interface, the command is: gw-world:/> s[...]

  • Page 109

    Ethernet Interface Parameters The following are the various parameters that can be set for an Ethernet interface: • Interface Name The names of the Ethernet interfaces are predefined by the system, and are mapped to the names of the physical interfaces. The names of the Ethernet interfaces can be changed to better reflect their usage. For example[...]

  • Page 110

    • Enable DHCP Client NetDefendOS includes a DHCP client feature for dynamic assignment of address information by a connected DHCP server. This feature is often used for receiving external IP address information from an ISP's DHCP server for public Internet connection. The information that can be set using DHCP includes the IP address of the [...]

  • Page 111

    ii. The MAC address can be set if it needs to be different to the MAC address inbuilt into the hardware. Some ISP connections might require this. • Virtual Routing To implement virtual routing where the routes related to different interfaces are kept in separate routing table, there are a number of options: i. Make the interface a member of all r[...]

  • Page 112

    This same operation could also be done through the Web Interface. A summary of CLI commands that can be used with Ethernet interfaces can be found in Section 3.4.2.1, “Useful CLI Commands for Ethernet Interfaces” . The Difference Between Logical and Physical Ethernet Interfaces The difference between logical and physical interfaces can sometime[...]

  • Page 113

    UserAuthGroups: <empty> NoDefinedCredentials: No Comments: Network on interface wan To show the current interface assigned to the gateway wan_gw : gw-world:/> show Address IP4Address InterfaceAddresses/wan_gw Property Value --------------------- --------------------------------- Name: wan_gw Address: 0.0.0.0 UserAuthGroups: <empty> N[...]

  • Page 114

    Ethernet Device Commands Some interface settings provide direct management of the Ethernet settings themselves. These are particularly useful if D-Link hardware has been replaced and Ethernet card settings are to be changed, or if configuring the interfaces when running NetDefendOS on non-D-Link hardware. For example, to display all Ethernet interf[...]

  • Page 115

    physical interface to a logical interface in the configuration, the logical interface is mapped to the physical interface. However, this mapping must be done before the configuration is activated. For a complete list of all CLI options see the CLI Reference Guide . 3.4.3. VLAN Overview Virtual LAN (VLAN) support in NetDefendOS allows the definition [...]

  • Page 116

    Physical VLAN Connection with VLAN The illustration below shows the connections for a typical NetDefendOS VLAN scenario. Figure 3.1. VLAN Connections With NetDefendOS VLANs, the physical connections are as follows: • One or more VLANs are configured on a physical NetDefend Firewall interface and this is connected directly to a switch. This link a[...]

  • Page 117

    Note: 802.1ad is not supported NetDefendOS does not support the IEEE 802.1ad (provider bridges) standard which allows VLANs to be run inside other VLANs. License Limitations The number of VLAN interfaces that can be defined for a NetDefendOS installation is limited by the parameters of the license used. Different hardware models have different lice[...]

  • Page 118

    Network=all-nets VLANID=10 Web Interface 1. Go to: Interfaces > VLAN > Add > VLAN 2. Now enter: • Name: Enter a name, for example VLAN10 • Interface: lan • VLAN ID: 10 • IP Address: vlan10_ip • Network: all-nets 3. Click OK 3.4.4. PPPoE Point-to-Point Protocol over Ethernet (PPPoE) is a tunneling protocol used for connecting mult[...]

  • Page 119

    PPPoE Client Configuration Since the PPPoE protocol allows PPP to operate over Ethernet, the firewall needs to use one of the normal physical Ethernet interfaces to run PPPoE over. Each PPPoE tunnel is interpreted as a logical interface by NetDefendOS, with the same routing and configuration capabilities as regular interfaces and with IP rules bein[...]

  • Page 120

    or NATed by the NetDefend Firewall. Note: PPPoE has a discovery protocol To provide a point-to-point connection over Ethernet, each PPP session must learn the Ethernet address of the remote peer, as well as establish a unique session identifier. PPPoE includes a discovery protocol that provides this. PPPoE cannot be used with HA For reasons connect[...]

  • Page 121

    GRE does not provide any security features but this means that its use has extremely low overhead. Using GRE GRE is typically used to provide a method of connecting two networks together across a third network such as the Internet. The two networks being connected together communicate with a common protocol which is tunneled using GRE through the i[...]

  • Page 122

    between them. • Additional Encapsulation Checksum The GRE protocol allows for an additional checksum over and above the IPv4 checksum. This provides an extra check of data integrity. The Advanced settings for a GRE interface are: • Automatically add route for remote network - This option would normally be checked in order that the routing table[...]
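The GRE header and its optional encapsulation checksum are simple enough to build and verify by hand, which makes the point above concrete: GRE adds only four bytes (eight with the checksum) and provides integrity checking but no confidentiality or authentication. The Python below is an added example for this page, not NetDefendOS code. It follows RFC 2784 (basic GRE with the C bit) and deliberately rejects the key and sequence-number options of RFC 2890, which it does not implement; the inner IPv4 packet is constructed and uses the lannet and remote_net_B addresses from the tunnel setup that follows.

```python
import socket
import struct

GRE_PROTO_IPV4 = 0x0800
GRE_FLAG_CHECKSUM = 0x8000      # the C bit; K (0x2000) and S (0x1000) are not handled here
GRE_MASK_OTHER = 0x7FFF         # everything but C: reserved bits, key/sequence flags, version


def ones_complement_checksum(data: bytes) -> int:
    """Standard Internet checksum (RFC 1071), as used for the GRE checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, data: bytes) -> bytes:
    """Minimal IPv4 header without options, used only to fabricate an inner packet."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0x1234, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]
    return hdr + data


def gre_encapsulate(payload: bytes, protocol: int = GRE_PROTO_IPV4, checksum: bool = False) -> bytes:
    """Prepend a GRE header; with checksum=True the optional checksum field is added and filled."""
    if not checksum:
        return struct.pack("!HH", 0, protocol) + payload
    header = struct.pack("!HHHH", GRE_FLAG_CHECKSUM, protocol, 0, 0)   # checksum zero while computing
    csum = ones_complement_checksum(header + payload)
    return struct.pack("!HHHH", GRE_FLAG_CHECKSUM, protocol, csum, 0) + payload


def gre_decapsulate(packet: bytes):
    """Return (protocol, inner payload). Corrupt or unsupported packets raise ValueError."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack("!HH", packet[:4])
    if flags & GRE_MASK_OTHER:
        raise ValueError("GRE version/key/sequence bits set; only the checksum option is handled")
    header_len = 4
    if flags & GRE_FLAG_CHECKSUM:
        if len(packet) < 8:
            raise ValueError("truncated GRE checksum field")
        # Summing header + payload including the transmitted checksum must give zero.
        if ones_complement_checksum(packet) != 0:
            raise ValueError("GRE checksum mismatch")
        header_len = 8
    return protocol, packet[header_len:]


def inner_endpoints(inner: bytes):
    """Source and destination of the tunnelled IPv4 packet: the addresses IP rules on the GRE interface see."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])


if __name__ == "__main__":
    inner = build_ipv4("192.168.10.5", "192.168.11.7", 17, b"hello")   # constructed lannet -> remote_net_B
    outer = gre_encapsulate(inner, checksum=True)                       # what the outer IP packet to remote_gw carries
    print(len(outer) - len(inner), inner_endpoints(gre_decapsulate(outer)[1]))
```

Note what the checksum does and does not buy: flipping any byte of the tunnelled packet makes `gre_decapsulate` raise, but an attacker who can modify the packet can recompute the checksum just as easily, so the check guards against corruption, not tampering. That is the reason the manual contrasts GRE with IPsec.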

  • Page 123

    Setup for NetDefend Firewall "A" Assuming that the network 192.168.10.0/24 is lannet on the lan interface, the steps for setting up NetDefendOS on A are: 1. In the address book set up the following IP objects: • remote_net_B: 192.168.11.0/24 • remote_gw: 172.16.1.1 • ip_GRE: 192.168.0.1 2. Create a GRE Tunnel object called GRE_to_B [...]

  • Page 124

    3. Define a route in the main routing table which routes all traffic to remote_net_A on the GRE_to_A GRE interface. This is not necessary if the option Add route for remote network is enabled in the Advanced tab, since this will add the route automatically. 4. Create the following rules in the IP rule set that allow traffic to pass through the tunn[...]

  • Page 125

    gw-world:/> add Interface InterfaceGroup examplegroup Members=exampleif1,exampleif2 Web Interface 1. Go to: Interfaces > Interface Groups > Add > InterfaceGroup 2. Enter the following information to define the group: • Name: The name of the group to be used later • Security/Transport Equivalent: If enabled, the interface group can b[...]

  • Page 126

    3.5. ARP 3.5.1. Overview Address Resolution Protocol (ARP) allows the mapping of a network layer protocol (OSI layer 3) address to a data link layer hardware address (OSI layer 2). In data networks it is used to resolve an IP address into its corresponding Ethernet address. ARP operates at the OSI layer 2, data link layer, and is encapsulated by Et[...]

  • Page 127

    The third column in the table, Expires , is used to indicate how much longer the ARP entry will be valid for. For example, the first entry has an expiry value of 45 which means that this entry will be rendered invalid and removed from the ARP Cache in 45 seconds. If traffic is going to be sent to the 192.168.0.10 IP address after the expiration, Ne[...]

  • Page 128

    connected to the firewall, it may be necessary to adjust this value upwards. This can be done by modifying the ARP advanced setting ARP Cache Size . Hash tables are used to rapidly look up entries in the ARP Cache. For maximum efficiency, a hash table should be twice as large as the entries it is indexing, so if the largest directly connected LAN c[...]

  • Page 129

    Web Interface 1. Go to: Interfaces > ARP > Add > ARP 2. Select the following from the dropdown lists: • Mode: Static • Interface: lan 3. Enter the following: • IP Address: 192.168.10.15 • MAC: 4b-86-f6-c5-a2-14 4. Click OK ARP Publish NetDefendOS supports publishing IP addresses on a particular interface, optionally along with a sp[...]

  • Page 130

    These are shown in the illustration below of an Ethernet frame containing an ARP response: Figure 3.2. An ARP Publish Ethernet Frame The Publish option uses the real MAC address of the sending interface for the address ( 1 ) in the Ethernet frame. In rare cases, some network equipment will require that both MAC addresses in the response ( 1 and 2 a[...]

  • Page 131

    Unsolicited ARP Replies It is possible for a host on a connected network to send an ARP reply to NetDefendOS even though a corresponding ARP request was not issued. This is known as an unsolicited ARP reply . According to the ARP specification, the recipient should accept these types of ARP replies. However, because this could be a malicious attemp[...]

  • Page 132

    Determines if NetDefendOS will require the sender address at Ethernet level to comply with the hardware address reported in the ARP data. Default: DropLog ARP Query No Sender Handles ARP queries that have a sender IP of 0.0.0.0 . Such sender IPs are never valid in responses, but network units that have not yet learned of their IP address sometimes [...]
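The ARP handling described across the last few pages (cache entries that expire, a bounded cache size, unsolicited replies treated with suspicion, the Ethernet sender having to match the hardware address inside the ARP data, sender IP 0.0.0.0 being valid only in queries, and a sender IP colliding with the firewall's own address) can be put together as one frame parser plus a cache that applies the checks in order. The Python below is an added example for this page, not NetDefendOS code. The page names the settings and gives DropLog for ARP Match Ethernet Sender and Drop for ARP IP Collision; the expiry value, cache size and the default for unsolicited replies used here are assumptions of the example, and all frames are constructed.

```python
import socket
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ETH_TYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST = b"\xff" * 6
ETH_HDR = struct.Struct("!6s6sH")
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02x}" for b in raw)


@dataclass
class ArpFrame:
    eth_src: bytes
    oper: int
    sha: bytes
    spa: str
    tha: bytes
    tpa: str


def build_arp(eth_src: bytes, oper: int, sha: bytes, spa: str, tha: bytes, tpa: str,
              eth_dst: bytes = BROADCAST) -> bytes:
    """Ethernet frame carrying an Ethernet/IPv4 ARP packet (used to construct test input)."""
    return (ETH_HDR.pack(eth_dst, eth_src, ETH_TYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, oper, sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa)))


def parse_arp(frame: bytes) -> ArpFrame:
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("truncated ARP frame")
    _, eth_src, eth_type = ETH_HDR.unpack_from(frame, 0)
    if eth_type != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return ArpFrame(eth_src, oper, sha, socket.inet_ntoa(spa), tha, socket.inet_ntoa(tpa))


@dataclass
class ArpCache:
    """ARP cache applying the validity checks the manual's ARP advanced settings describe."""
    own_ips: Set[str]
    expire: float = 900.0                    # seconds an entry stays valid (assumed value)
    max_entries: int = 4096                  # ARP Cache Size (assumed value)
    match_ethernet_sender: str = "DropLog"   # Ethernet source must equal ARP sender hardware address
    unsolicited_replies: str = "DropLog"     # replies nobody asked for (assumed default)
    entries: Dict[str, Tuple[bytes, float]] = field(default_factory=dict)   # ip -> (mac, expiry time)
    pending: Set[str] = field(default_factory=set)                           # ips we have asked about
    log: List[str] = field(default_factory=list)

    def request(self, ip: str) -> None:
        """Record that the firewall sent a request, so the matching reply counts as solicited."""
        self.pending.add(ip)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if entry[1] <= now:                  # the Expires column has reached zero
            del self.entries[ip]
            return None
        return mac_str(entry[0])

    def receive(self, frame: bytes, now: float) -> Tuple[str, str]:
        """Apply the checks in order and learn the mapping. Returns (verdict, reason)."""
        a = parse_arp(frame)
        if a.sha != a.eth_src and self.match_ethernet_sender != "Allow":
            return self._drop("ethernet sender does not match ARP sender hardware address", a)
        if a.spa == "0.0.0.0":
            if a.oper == ARP_REPLY:
                return self._drop("sender IP 0.0.0.0 is never valid in a reply", a)
            return "Allow", "query with no sender IP (address probe); nothing cached"
        if a.spa in self.own_ips:
            return self._drop("sender IP collides with an address on the receive interface", a)
        if a.oper == ARP_REPLY and a.spa not in self.pending and self.unsolicited_replies != "Allow":
            return self._drop("unsolicited ARP reply", a)
        if a.spa not in self.entries and len(self.entries) >= self.max_entries:
            self.entries = {ip: e for ip, e in self.entries.items() if e[1] > now}   # purge expired
            if len(self.entries) >= self.max_entries:
                return self._drop("ARP cache full", a)
        self.entries[a.spa] = (a.sha, now + self.expire)
        self.pending.discard(a.spa)
        return "Allow", f"learned {a.spa} -> {mac_str(a.sha)}"

    def _drop(self, reason: str, a: ArpFrame) -> Tuple[str, str]:
        self.log.append(f"drop arp oper={a.oper} spa={a.spa} sha={mac_str(a.sha)}: {reason}")
        return "Drop", reason
```

The order of the checks matters: the sender-MAC comparison runs first because a frame that fails it is malformed or forged regardless of what it claims, and the unsolicited-reply check is what stops a host on the LAN from poisoning the firewall's cache with a gratuitous reply for a neighbour's address.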

  • Page 133

    This determines whether NetDefendOS will log failed ARP resolve requests or not. Logging can be used for monitoring purposes and can be helpful for troubleshooting network related problems. However, disabling logging can prevent attempts to "spam" log receivers with failed resolve requests. Default: Enabled ARP Expire Specifies how long a[...]

  • Page 134

    Default: 64 ARP IP Collision Determines the behavior when receiving an ARP request with a sender IP address that collides with one already used on the receive interface. Possible actions: Drop or Notify. Default: Drop 3.5.5. ARP Advanced Settings Summary Chapter 3. Fundamentals 134[...]

  • Page 135

    3.6. IP Rules 3.6.1. Security Policies Before examining IP rule sets in detail, we will first look at the generic concept of security policies to which IP rule sets belong. Security Policy Characteristics NetDefendOS security policies are configured by the administrator to regulate the way in which traffic can flow through the NetDefend Firewall. Su[...]

  • Page 136

    • Policy-based Routing Rules These rules determine the routing table to be used by traffic and are described in Section 4.3, “Policy-based Routing” . The network filter for these rules can be IPv4 or IPv6 addresses (but not both in a single rule). • Authentication Rules These determine which traffic triggers authentication to take place (so[...]

  • Page 137

    features as IDP. • The Service can be specified as all_services which includes all possible protocols. Creating a Drop All Rule Traffic that does not match any rule in the IP rule set is, by default, dropped by NetDefendOS. In order to be able to log the dropped connections, it is recommended that an explicit IP rule with an action of Drop for al[...]

  • Page 138

    Figure 3.3. Simplified NetDefendOS Traffic Flow This description of traffic flow is an extremely simplified version of the full flow description found in Section 1.3, “NetDefendOS State Engine Packet Flow” . For example, before the route lookup is done, NetDefendOS first checks that traffic from the source network should, in fact, be arriving o[...]

  • Page 139

    This approach is known as stateful inspection and is applied not only to stateful protocols such as TCP but also by means of "pseudo-connections" to stateless protocols such as UDP and ICMP. This approach means that evaluation against the IP rule set is only done in the initial opening phase of a connection. The size of the IP rule set co[...]

  • Page 140

    version of Reject in that no reply is sent back to the sender. It is often preferable since it gives a potential attacker no clues about what happened to their packets. Reject This acts like Drop but will return a TCP RST or ICMP Unreachable message, informing the sending computer that the packet was dropped. This is a "polite" version of[...]

  • Page 141

    3.6.5. IP Rule Set Folders In order to help organise large numbers of entries in IP rule sets, it is possible to create IP rule set folders . These folders are just like a folder in a computer's file system. They are created with a given name and can then be used to contain all the IP rules that are related together as a group. Using folders i[...]

  • Page 142

    3.6.6. Configuration Object Groups The concept of folders can be used to organise groups of NetDefendOS objects into related collections. These work much like the folders concept found in a computer's file system. Folders are described in relation to the address book in Section 3.1.6, “Address Book Folders” and can also be used when organi[...]

  • Page 143

    • A group is now created with a title line and the IP rule as its only member. The default title of " (new Group) " is used. The entire group is also assigned a default color and the group member is also indented. The object inside the group retains the same index number to indicate its position in the whole table. The index is not affe[...]

  • Page 144

    Adding Additional Objects A new group will always contain just one object. Now, we must add more objects to the group. By right clicking the object that immediately follows the group, we can select the Join Preceding option to add it to the preceding group. Once we do this for the second IP rule in our example then the result will be the following:[...]

  • Page 145

    If an object in a group is right clicked then the context menu contains the option Leave Group . Selecting this removes the object from the group AND moves it down to a position immediately following the group. Removing a Group By right clicking on a group title, the displayed context menu includes the Ungroup option. This removes the group, howeve[...]

  • Page 146

    3.7. Schedules In some scenarios, it might be useful to control not only what functionality is enabled, but also when that functionality is being used. For instance, the IT policy of an enterprise might stipulate that web traffic from a certain department is only allowed access outside that department during normal office hours. Another example mig[...]

  • Page 147

    Example 3.21. Setting up a Time-Scheduled Security Policy This example creates a schedule object for office hours on weekdays, and attaches the object to an IP Rule that allows HTTP traffic. Command-Line Interface gw-world:/> add ScheduleProfile OfficeHours Mon=8-17 Tue=8-17 Wed=8-17 Thu=8-17 Fri=8-17 Now create the IP rule that uses this schedu[...]
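The behaviour described in Section 3.6 and used by Example 3.21 (rules evaluated top to bottom with the first match winning, an implicit unlogged drop when nothing matches, an explicit logged drop-all rule at the end, Drop versus Reject, stateful inspection so that later packets of an open connection never revisit the rule set, and a schedule attached to a rule) can be reproduced in a small simulator. The Python below is an added example for this page, not NetDefendOS code; the rule set and the addresses are constructed, and the OfficeHours schedule mirrors the one created in Example 3.21.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Schedule:
    """Weekday -> (start hour, end hour) windows, like ScheduleProfile OfficeHours Mon=8-17 ..."""
    name: str
    windows: Dict[int, Tuple[int, int]]          # weekday() 0=Mon .. 6=Sun; end hour exclusive

    def active(self, at: datetime) -> bool:
        span = self.windows.get(at.weekday())
        return span is not None and span[0] <= at.hour < span[1]


OFFICE_HOURS = Schedule("OfficeHours", {day: (8, 17) for day in range(5)})


def ts(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Convenience for building evaluation times."""
    return datetime(year, month, day, hour)


@dataclass(frozen=True)
class Packet:
    src_if: str
    dst_if: str
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    src_port: int
    dst_port: int


@dataclass
class IPRule:
    name: str
    action: str                      # "Allow", "Drop" or "Reject"
    src_if: str                      # interface name or "any"
    src_net: str                     # CIDR or "all-nets"
    dst_if: str
    dst_net: str
    service: Tuple[str, int, int]    # (proto or "any", lowest dst port, highest dst port)
    schedule: Optional[Schedule] = None
    log: bool = False

    @staticmethod
    def _net_ok(net: str, ip: str) -> bool:
        return net == "all-nets" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

    def matches(self, pkt: Packet, at: datetime) -> bool:
        proto, lo, hi = self.service
        return (self.src_if in ("any", pkt.src_if) and self.dst_if in ("any", pkt.dst_if)
                and self._net_ok(self.src_net, pkt.src) and self._net_ok(self.dst_net, pkt.dst)
                and proto in ("any", pkt.proto) and lo <= pkt.dst_port <= hi
                and (self.schedule is None or self.schedule.active(at)))


@dataclass
class StatefulFirewall:
    rules: List[IPRule]
    connections: Dict[tuple, str] = field(default_factory=dict)   # 5-tuple -> rule that opened it
    log: List[str] = field(default_factory=list)

    def handle(self, pkt: Packet, at: datetime) -> str:
        fwd = (pkt.proto, pkt.src, pkt.src_port, pkt.dst, pkt.dst_port)
        rev = (pkt.proto, pkt.dst, pkt.dst_port, pkt.src, pkt.src_port)
        # Stateful inspection: packets of an open (pseudo-)connection never revisit the rule set.
        if fwd in self.connections or rev in self.connections:
            return "Allow (state table)"
        for rule in self.rules:                       # first match wins
            if not rule.matches(pkt, at):
                continue
            if rule.log:
                self.log.append(f"{rule.name} {rule.action} {pkt.proto} "
                                f"{pkt.src}:{pkt.src_port} -> {pkt.dst}:{pkt.dst_port}")
            if rule.action == "Allow":
                self.connections[fwd] = rule.name     # UDP and ICMP get a pseudo-connection too
                return "Allow"
            if rule.action == "Reject":               # unlike Drop, the sender is told
                return "Reject (TCP RST)" if pkt.proto == "tcp" else "Reject (ICMP unreachable)"
            return "Drop"
        return "Drop (no rule matched, not logged)"   # the implicit default


# Constructed rule set: scheduled web access, a rejected service, and the recommended logged drop-all.
RULES = [
    IPRule("allow_http", "Allow", "lan", "192.168.1.0/24", "wan", "all-nets", ("tcp", 80, 80),
           schedule=OFFICE_HOURS, log=True),
    IPRule("reject_telnet", "Reject", "lan", "192.168.1.0/24", "wan", "all-nets", ("tcp", 23, 23)),
    IPRule("drop_all", "Drop", "any", "all-nets", "any", "all-nets", ("any", 0, 65535), log=True),
]
```

Two things to observe when running it: the reply packet from the web server is allowed by the state table without any rule permitting wan-to-lan traffic, which is exactly why no such rule should be written; and without the final drop_all rule the Saturday request is still dropped, but leaves no trace in the log.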

  • Page 148

    3.8. Certificates 3.8.1. Overview The X.509 Standard NetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. This involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication. References in this document to certificates mean X.509 certificates .[...]

  • Page 149

    A CA can also issue certificates to other CAs. This leads to a chain-like certificate hierarchy. The highest certificate is called the Root Certificate and it is signed by the Root CA . Each certificate in the chain is signed by the CA of the certificate directly above it in the chain. However, the root certificate is signed by itself (it is "[...]

  • Page 150

    CA is configured. Typically, this is somewhere between an hour to several days. Trusting Certificates When using certificates, NetDefendOS trusts anyone whose certificate is signed by a given CA. Before a certificate is accepted, the following steps are taken to verify the validity of the certificate: • Construct a certification path up to the tr[...]

  • Page 151

    Web Interface 1. Go to: Objects > Authentication Objects > Add > Certificate 2. Specify a suitable name for the certificate 3. Now select one of the following: • Upload self-signed X.509 Certificate • Upload a remote certificate 4. Click OK and follow the instructions Example 3.23. Associating Certificates with IPsec Tunnels To associa[...]

  • Page 152

    2. Now convert the local .pfx file to a .pem file. This can be done with the OpenSSL utility using the console command line: > openssl pkcs12 -in gateway.pfx -out gateway.pem -nodes In this command line example, the file exported from the CA server is assumed to be called gateway.pfx and it is assumed to be in the same local directory as the Ope[...]

  • Page 153

    3.9. Date and Time 3.9.1. Overview Correctly setting the date and time is important for NetDefendOS to operate properly. Time scheduled policies, auto-update of the IDP and Anti-Virus databases, and other product features such as digital certificates require that the system clock is accurately set. In addition, log messages are tagged with time-sta[...]

  • Page 154

    The world is divided up into a number of time zones with Greenwich Mean Time (GMT) in London at zero longitude being taken as the base time zone. All other time zones going east and west from zero longitude are taken as being GMT plus or minus a given integer number of hours. All locations counted as being inside a given time zone will then have th[...]

  • Page 155

    The hardware clock which NetDefendOS uses can sometimes become fast or slow after a period of operation. This is normal behavior in most network and computer equipment and is solved by utilizing Time Servers . NetDefendOS is able to adjust the clock automatically based on information received from one or more Time Servers which provide a highly acc[...]

  • Page 156

    3. Now enter: • Time Server Type: SNTP • Primary Time Server: dns:ntp1.sp.se • Secondary Time Server: dns:ntp2.sp.se 4. Click OK The time server URLs must have the prefix dns: to specify that they should be resolved with a DNS server. NetDefendOS must therefore also have a DNS server defined so this resolution can be performed. Note If the Ti[...]

  • Page 157

    Sometimes it might be necessary to override the maximum adjustment. For example, if time synchronization has just been enabled and the initial time difference is greater than the maximum adjust value. It is then possible to manually force a synchronization and disregard the maximum adjustment parameter. Example 3.30. Forcing Time Synchronization Th[...]

  • Page 158

    Time zone offset in minutes. Default: 0 DST Offset Daylight saving time offset in minutes. Default: 0 DST Start Date What month and day DST starts, in the format MM-DD. Default: none DST End Date What month and day DST ends, in the format MM-DD. Default: none Time Sync Server Type Type of server for time synchronization, UDPTime or SNTP (Simple Net[...]

  • Page 159

    Maximum time drift in seconds that a server is allowed to adjust. Default: 600 Group interval Interval according to which server responses will be grouped. Default: 10 3.9.4. Settings Summary for Date and Time[...]

  • Page 160

    3.10. DNS Overview A DNS server can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. FQDNs are unambiguous textual domain names which specify a node's unique position in the Internet's DNS tree hierarchy. FQDN resolution allows the actual physical IP address to change while the FQDN can stay the same[...]

  • Page 161

    DNS Lookup and IP Rules In the case of DNS server request being generated by NetDefendOS itself, no IP rules need to be defined for the connection to succeed. This is because connections initiated by NetDefendOS are considered to be trusted. For example, this would be the case if NetDefendOS is accessing a CA server to establish the validity of a c[...]

  • Page 162

    Note: A high rate of server queries can cause problems Dynamic DNS services are often sensitive to repeated logon attempts over short periods of time and may blacklist source IP addresses that are sending excessive requests. It is therefore not advisable to query these servers too often, otherwise they may cease to respond. A repost for an individu[...]

  • Page 163

    3.10. DNS[...]

  • Page 164

    Chapter 4. Routing
    This chapter describes how to configure IP routing in NetDefendOS.
    • Overview, page 164
    • Static Routing, page 165
    • Policy-based Routing, page 183
    • Route Load Balancing, page 190
    • OSPF, page 196
    • Multicast Routing, page 220
    • Transparent Mode, page 233
    4.1. Overview
    IP routing is one of the most fundamental func[...]

  • Page 165

    4.2. Static Routing The most basic form of routing is known as Static Routing. The word "static" refers to the fact that entries in the routing table are manually added and are therefore permanent (or static) by nature. Due to this manual approach, static routing is most appropriate to use in smaller network deployments where addresses[...]

  • Page 166

    This parameter usually does not need to be specified. If it is specified, NetDefendOS responds to ARP queries sent to this address. A special section below explains this parameter in more depth. Local IP Address and Gateway are mutually exclusive and either one or the other should be specified. • Metric This is a metric value assigned to the rout[...]

  • Page 167

    Route #   Interface   Destination      Gateway
    3         wan         195.66.77.0/24
    4         wan         all-nets         195.66.77.4
    The above routing table provides the following information:
    • Route #1
    All packets going to hosts on the 192.168.0.0/24 network should be sent out on the lan interface. As no gateway is specified for the route entry, the host is assumed to be located on the netw[...]

  • Page 168

    network range that does not include the physical interface's IP address. This network is said to be not bound to the physical interface. Clients on this second network won't then be able to communicate with the NetDefend Firewall because ARP won't function between the clients and the interface. To solve this problem, a new route is a[...]

  • Page 169

    This feature is normally used when an additional network is to be added to an interface but it is not desirable to change the existing IP addresses of the network. From a security standpoint, doing this can present significant risks since different networks will typically be joined together through a switch which imposes no controls on traffic pass[...]

  • Page 170

    this way is easier to understand, making errors less likely. Many other products do not use the specific interface in the routing table, but specify the IP address of the interface instead. The routing table below is from a Microsoft Windows XP workstation: ==================================================================== Interface List 0x1 ....[...]

  • Page 171

    For example, it is perfectly legal to define one route for the destination IP address range 192.168.0.5 to 192.168.0.17 and another route for IP addresses 192.168.0.18 to 192.168.0.254. This is a feature that makes NetDefendOS well suited to routing in highly complex network topologies. Displaying Routing Tables It is important to note that r[...]

  • Page 172

    Default Static Routes are Added Automatically for Each Interface When the NetDefend Firewall is started for the first time, NetDefendOS will automatically add a route in the main routing table for each physical interface. These routes are assigned a default IP address object in the address book and these IP objects must have their addresses changed[...]

  • Page 173

    • Network: all-nets
    • Gateway: isp_gw_ip
    3. Click OK
    Routes can Contain IPv4 or IPv6 Addresses
    A single route can contain either an IPv4 or IPv6 address but not both. Routes that use IPv4 and IPv6 addresses can be mixed in the same routing table. This topic is described further in Section 3.2, “IPv6 Support”. Routes to the Core Interface N[...]

  • Page 174

    Web Interface
    1. Select the Routes item in the Status dropdown menu in the menu bar
    2. Check the Show all routes checkbox and click the Apply button
    3. The main window will list the active routing table, including the core routes
    Tip: Understanding output from the routes command
    For detailed information about the output of the CLI routes command. P[...]

  • Page 175

    route-by-route basis. To enable route failover in a scenario with a preferred and a backup route, the preferred route will have route monitoring enabled; the backup route does not require this since it will usually have no route to fail over to. When route monitoring is enabled for a route, one of the following monitoring methods must be cho[...]

  • Page 176

    enabled. Route monitoring for the second, alternate route is not meaningful since it has no failover route.
    Route #   Interface   Destination   Gateway       Metric   Monitoring
    1         wan         all-nets      195.66.77.1   10       On
    2         wan         all-nets      193.54.68.1   20       Off
    When a new connection is about to be established to a host on the Internet, a route lookup will result in the route tha[...]

  • Page 177

    change in the destination interface. Clearly, this is undesirable. To overcome this issue, potential destination interfaces should be grouped together into an Interface Group and the Security/Transport Equivalent flag should be enabled for the Group. The Interface Group is then used as the Destination Interface when setting policies. For more infor[...]

  • Page 178

    The method by which the host is to be polled. This can be one of:
    • ICMP - ICMP "Ping" polling. An IP address must be specified for this.
    • TCP - A TCP connection is established to and then disconnected from the host. An IP address must be specified for this.
    • HTTP - A normal HTTP server request using a URL. A URL must be specified[...]

  • Page 179

    • Expected Response The text that is expected back from querying the URL. Testing for a specific response text provides the possibility of testing if an application is offline. If, for example, a web page response from a server can indicate if a specific database is operational with text such as "Database OK", then the absence of that[...]

  • Page 180

    Consecutive success
    The number of consecutive successes that must occur before a route is marked as being available. Default: 5
    Gratuitous ARP on fail
    Send a gratuitous ARP on HA failover to alert hosts of the changes in interface Ethernet and IP addresses. Default: Enabled
    4.2.6. Proxy ARP
    Overview
    As discussed previously in Section 3.5, “ARP”[...]

  • Page 181

    and ARP proxy publishing.
    Route #   Network   Interface   Proxy ARP Published
    1         net_1     if1         if2
    2         net_2     if2         if1
    In this way there is complete separation of the sub-networks but the hosts are unaware of this. The routes are a pair which are a mirror image of each other but there is no requirement that proxy ARP is used in a pairing like this. Keep in mind t[...]

  • Page 182

    NetDefendOS creates at initial startup for physical interfaces are automatically added routes. The reason Proxy ARP cannot be enabled for these routes is that automatically created routes have a special status in the NetDefendOS configuration and are treated differently. If Proxy ARP is required on an automatically created route, the route s[...]

  • Page 183

    4.3. Policy-based Routing Overview Policy-based Routing (PBR) is an extension to the standard routing described previously. It offers administrators significant flexibility in implementing routing decision policies by being able to use different routing tables according to specified criteria. Normal routing forwards packets according to destination[...]

  • Page 184

    NetDefendOS, as standard, has one default routing table called main. In addition to the main table, it is possible to define one or more additional routing tables for policy-based routing (these will sometimes be referred to as alternate routing tables). Alternate routing tables contain the same information for describing routes as main, excep[...]

  • Page 185

    1. Go to: Routing > Routing Tables > MyPBRTable > Add > Route
    2. Now enter:
    • Interface: lan
    • Network: my_network
    • Gateway: The gateway router, if there is one
    • Local IP Address: The IP address specified here will be automatically published on the corresponding interface. This address will also be used as the sender address in[...]

  • Page 186

    the core interface (which are routes to NetDefendOS itself).
    4. Click OK
    Routing Rules can use IPv4 or IPv6 Addresses
    Routing rules support either IPv4 or IPv6 addresses as the source and destination network for a rule's filtering properties. However, the source and destination network must both be IPv4 or both be IPv6. It is not permissible to [...]

  • Page 187

    exists which can catch anything not explicitly matched. 2. A search is now made for a routing rule that matches the packet's source/destination interface/network as well as service. If a matching rule is found then this determines the routing table to use. If no routing rule is found then the main table will be used. 3. Once the correct routin[...]

  • Page 188

    Important: Ensure all-nets appears in the main table A common mistake when setting up policy-based routing is the absence of a default route with a destination interface of all-nets in the default main routing table. If there is no route that is an exact match then the absence of a default all-nets route will mean that the connection will be droppe[...]

  • Page 189

    2. Create a routing table called "r2" and make sure the ordering is set to "Default".
    3. Add the route found in the list of routes in the routing table "r2", as shown earlier.
    4. Add two VR policies according to the list of policies shown earlier.
    • Go to: Routing > Routing Rules > Add > Routing Rule
    • Ent[...]

  • Page 190

    4.4. Route Load Balancing Overview NetDefendOS provides the option to perform Route Load Balancing (RLB). This is the ability to distribute traffic over multiple alternate routes using one of a number of distribution algorithms. The purpose of this feature is to provide the following: • Balancing of traffic between interfaces in a policy driven f[...]

  • Page 191

    done according to which algorithm is selected in the table's RLB Instance object:
    • Round Robin
    Successive routes are chosen from the matching routes in a "round robin" fashion provided that the metric of the routes is the same. This results in route lookups being spread evenly across matching routes with the same metric. If the matchi[...]

  • Page 192

    Figure 4.6. The RLB Spillover Algorithm Spillover Limits are set separately for ingoing and outgoing traffic with only one of these typically being specified. If both are specified then only one of them needs to be exceeded continuously for Hold Timer seconds for the next matching route to be chosen. The units of the limits, such as Mbps, can be se[...]

  • Page 193

    When that new route's interface limits are also exceeded then the route with the next highest metric is taken and so on. As soon as any route with a lower metric falls below its interface limit for its Hold Timer number of seconds, then it reverts to being the chosen route. • If there is no alternative route, the route does not change. If th[...]

  • Page 194

    Figure 4.7. A Route Load Balancing Scenario
    We first need to define two routes to these two ISPs in the main routing table as shown below:
    Route No.   Interface   Destination   Gateway   Metric
    1           WAN1        all-nets      GW1       100
    2           WAN2        all-nets      GW2       100
    We will not use the spillover algorithm in this example so the routing metric for both routes should be the same, in[...]

  • Page 195

    In this example, the details of the RLB scenario described above will be implemented. The assumption is made that the various IP address book objects needed have already been defined. The IP objects WAN1 and WAN2 represent the interfaces that connect to the two ISPs and the IP objects GW1 and GW2 represent the IP addresses of the gateway routers at[...]

  • Page 196

    4.5. OSPF The feature called Dynamic Routing is implemented with NetDefendOS using the OSPF architecture. This section begins by looking generally at what dynamic routing is and how it can be implemented. It then goes on to look at how OSPF can provide dynamic routing followed by a description of how a simple OSPF network can be set up. 4.5.1. Dyna[...]

  • Page 197

    Each router broadcasts its attached links and link costs to all other routers in the network. When a router receives these broadcasts it runs the LS algorithm and calculates its own set of least-cost paths. Any change of the link state will be sent everywhere in the network, so that all routers keep the same routing table information and have a con[...]

  • Page 198

    Instead of having to manually insert this routing information into the routing tables of A, OSPF allows B's routing table information to be automatically shared with A. In the same way, OSPF allows firewall B to automatically become aware that network X is attached to firewall A. Under OSPF, this exchange of routing information is complete[...]

  • Page 199

    and a brief explanation is given here. Routing metrics are the criteria that a routing algorithm will use to compute the "best" route to a destination. A routing protocol relies on one or several metrics to evaluate links across a network and to determine the optimal path. The principal metrics used include: Path length The sum of the cos[...]

  • Page 200

    Authentication. All OSPF protocol exchanges can, if required, be authenticated. This means that only routers with the correct authentication can join an AS. Different authentication schemes can be used and with NetDefendOS the scheme can be either a passphrase or an MD5 digest. It is possible to configure separate authentication methods for each AS[...]

  • Page 201

    Router. The routers use OSPF Hello messages to elect the DR and BDR for the network based on the priorities advertised by all the routers. If there is already a DR on the network, the router will accept that one, regardless of its own router priority. With NetDefendOS, the DR and the BDR are automatically assigned. Neighbors Routers that are in th[...]

  • Page 202

    links can provide an area with a logical path to the backbone area. This virtual link is established between two Area Border Routers (ABRs) that are on one common area, with one of the ABRs connected to the backbone area. In the example below two routers are connected to the same area (Area 1) but just one of them, fw1 , is connected physically to [...]

  • Page 203

    Figure 4.11. Virtual Links with Partitioned Backbone The virtual link is configured between fw1 and fw2 on Area 1 as it is used as the transit area. In the configuration, only the Router ID has to be configured; as the example above shows, fw2 needs to have a virtual link to fw1 with the Router ID 192.168.1.1 and vice versa. These virtual links nee[...]

  • Page 204

    routing tables for the destination. The key aspect of an OSPF setup is that connected NetDefend Firewalls share the information in their routing tables so that traffic entering an interface on one of the firewalls can be automatically routed so that it exits the interface on another gateway which is attached to the correct destination network. Anot[...]

  • Page 205

    Private Router ID
    This is used in an HA cluster and is the ID for this firewall and not the cluster.
    Note
    When running OSPF on an HA Cluster there is a need for a private master and private slave Router ID as well as the shared Router ID.
    Reference Bandwidth
    Set the reference bandwidth that is used when calculating the default interface cost for rou[...]

  • Page 206

    Section 4.5.5, “Setting Up OSPF” . Note: Authentication must be the same on all routers If a passphrase or MD5 authentication is configured for OSPF, the passphrase or authentication key must be the same on all OSPF Routers in that Autonomous System. In other words, the OSPF authentication method must be replicated on all NetDefend Firewalls. A[...]

  • Page 207

    ID
    Specifies the area id. If 0.0.0.0 is specified then this is the backbone area. There can only be one backbone area and it forms the central portion of an AS. Routing information that is exchanged between different areas always transits the backbone area.
    Is stub area
    Enable this option if the area is a stub area.
    Become Default Router
    It is possi[...]

  • Page 208

    only two routers (in other words, two firewalls). A typical example of this is a VPN tunnel which is used to transfer OSPF traffic between two firewalls. The neighbor address of such a link is configured by defining an OSPF Neighbour object. Using VPN tunnels is discussed further in Section 4.5.5, “Setting Up OSPF” . • Point-to-Multipoint - T[...]

  • Page 209

    Note An HA cluster will always have 0 as router priority, and can never be used as a DR or BDR. Sometimes there is a need to include networks into the OSPF routing process, without running OSPF on the interface connected to that network. This is done by enabling the option: No OSPF routers connected to this interface ("Passive") . This is[...]

  • Page 210

    NetDefendOS OSPF VLink objects are created within an OSPF Area and each object has the following parameters:
    General Parameters
    Name
    Symbolic name of the virtual link.
    Neighbor Router ID
    The Router ID of the router on the other side of the virtual link.
    Authentication
    Use Default For AS
    Use the values configured in the AS properties page.
    Note: Lin[...]

  • Page 211

    • Allowing the export of routes from a local routing table to the OSPF AS.
    • Allowing the export of routes from one OSPF AS to another OSPF AS.
    Note
    The last usage of joining autonomous systems together is rarely encountered except in very large networks.
    OSPF Requires at Least an Import Rule
    By default, NetDefendOS will not import or export[...]

  • Page 212

    4.5.4.2. Dynamic Routing Rule
    This object defines a dynamic routing rule.
    General Parameters
    Name
    Specifies a symbolic name for the rule.
    From OSPF AS
    Specifies from which OSPF AS (in other words, an OSPF Router Process) the route should be imported into either a routing table or another AS.
    From Routing Table
    Specifies from which routing [...]

  • Page 213

    regard external routes as type 1 OSPF routes. Type 2 is the most significant cost of a route.
    OffsetMetric
    Increases the metric of an imported route by this value.
    Limit Metric To
    Limits the metrics for these routes to a minimum and maximum value. If a route has a higher or lower value than specified then it will be set to the specified value.
    4.5[...]

  • Page 214

    interface that will be part of the area. The OSPF Interface object needs the following parameters specified in its properties: • Interface - the physical interface which will be part of the OSPF area. • Network - the network on the interface that will be part of the area. This does not need to be specified and if it is not, the network assigned[...]

  • Page 215

    AS. 6. Repeat these steps on the other firewall Now repeat steps 1 to 5 for the other NetDefend Firewall that will be part of the OSPF AS and area. The OSPF Router and OSPF Area objects will be identical on each. The OSPF Interface objects will be different depending on which interfaces and networks will be included in the OSPF system. If more than[...]

  • Page 216

    1. Set up an IPsec tunnel First set up an IPsec tunnel in the normal way between the two firewalls A and B. The IPsec setup options are explained in Section 9.2, “VPN Quick Start”. This IPsec tunnel is now treated like any other interface when configuring OSPF in NetDefendOS. 2. Choose a random internal IP network For each firewall, we need t[...]

  • Page 217

    Tip: Non-OSPF traffic can also use the tunnel A VPN tunnel can carry both OSPF traffic as well as other types of traffic. There is no requirement to dedicate a tunnel to OSPF traffic. 4.5.6. An OSPF Example This section shows the actual interface commands to implement the simple scenario described above in Section 4.5.5, “Setting Up OSPF” . The[...]

  • Page 218

    3. Select the Interface . For example, lan 4. Click OK Just selecting the Interface means that the Network defaults to the network bound to that interface. In this case lannet . This should be repeated for all the interfaces on this NetDefend Firewall that will be part of the OSPF area and then repeated for all the other firewalls. Example 4.12. Im[...]

  • Page 219

    Next, create an OSPF Action that will export the filtered route to the specified OSPF AS:
    Web Interface
    1. Go to: Routing > Dynamic Routing Rules
    2. Click on the newly created ExportAllNets
    3. Go to: OSPF Actions > Add > DynamicRoutingRuleExportOSPF
    4. For Export to process choose as0
    5. Click OK[...]

  • Page 220

    4.6. Multicast Routing 4.6.1. Overview The Multicast Problem Certain types of Internet interactions, such as conferencing and video broadcasts, require a single client or host to send the same packet to multiple receivers. This could be achieved through the sender duplicating the packet with different receiving IP addresses or by a broadcast of the[...]

  • Page 221

    see Section 3.4.2, “Ethernet Interfaces”. 4.6.2. Multicast Forwarding with SAT Multiplex Rules The SAT Multiplex rule is used to achieve duplication and forwarding of packets through more than one interface. This feature implements multicast forwarding in NetDefendOS, where a multicast packet is sent through several interfaces. Note that since [...]

  • Page 222

    Figure 4.14. Multicast Forwarding - No Address Translation Note: SAT Multiplex rules must have a matching Allow rule Remember to add an Allow rule that matches the SAT Multiplex rule. The matching rule could also be a NAT rule for source address translation (see below) but cannot be a FwdFast or SAT rule. Example 4.14. Forwarding of Multicast Traff[...]

  • Page 223

    • Destination: 1234
    B. Create an IP rule:
    1. Go to: Rules > IP Rules > Add > IP Rule
    2. Under General enter:
    • Name: a name for the rule, for example Multicast_Multiplex
    • Action: Multiplex SAT
    • Service: multicast_service
    3. Under Address Filter enter:
    • Source Interface: wan
    • Source Network: 192.168.10.1
    • Destination Inte[...]

  • Page 224

    MultiplexArgument={if2;},{if3;} The destination interface is core since 239.192.100.50 is a multicast group. No address translation of 239.192.100.50 was added but if it is required for, say, if2 then the final argument would be: MultiplexArgument={if2;<new_ip_address>},{if3;} 4.6.2.2. Multicast Forwarding - Address Translation Scenario Figur[...]

  • Page 225

    • Type: UDP
    • Destination: 1234
    B. Create an IP rule:
    1. Go to: Rules > IP Rules > Add > IP Rule
    2. Under General enter:
    • Name: a name for the rule, for example Multicast_Multiplex
    • Action: Multiplex SAT
    • Service: multicast_service
    3. Under Address Filter enter:
    • Source Interface: wan
    • Source Network: 192.168.10.1
    • De[...]

  • Page 226

    NetDefendOS supports two IGMP modes of operation:
    • Snoop Mode
    • Proxy Mode
    The operation of these two modes is shown in the following illustrations:
    Figure 4.16. Multicast Snoop Mode
    Figure 4.17. Multicast Proxy Mode
    In Snoop Mode, the NetDefend Firewall will act transparently between the hosts and another IGMP router. It will not send any I[...]

  • Page 227

    In Proxy Mode , the firewall will act as an IGMP router towards the clients and actively send queries. Towards the upstream router, the firewall will be acting as a normal host, subscribing to multicast groups on behalf of its clients. 4.6.3.1. IGMP Rules Configuration - No Address Translation This example describes the IGMP rules needed for config[...]

  • Page 228

    • Source Network: UpstreamRouterIp
    • Destination Interface: core
    • Destination Network: auto
    • Multicast Source: 192.168.10.1
    • Multicast Group: 239.192.10.0/24
    4. Click OK
    4.6.3.2. IGMP Rules Configuration - Address Translation
    The following example illustrates the IGMP rules needed to configure IGMP according to the Address Translation[...]

  • Page 229

    1. Again go to Routing > IGMP > IGMP Rules > Add > IGMP Rule
    2. Under General enter:
    • Name: A suitable name for the rule, for example Queries_if1
    • Type: Query
    • Action: Proxy
    • Output: if1 (this is the relay interface)
    3. Under Address Filter enter:
    • Source Interface: wan
    • Source Network: UpstreamRouterIp
    • Destination[...]

  • Page 230

    2. Under General enter:
    • Name: A suitable name for the rule, for example Queries_if2
    • Type: Query
    • Action: Proxy
    • Output: if2 (this is the relay interface)
    3. Under Address Filter enter:
    • Source Interface: wan
    • Source Network: UpstreamRouterIp
    • Destination Interface: core
    • Destination Network: auto
    • Multicast Source: 192.[...]

  • Page 231

    Default: IGMPv1
    IGMP Router Version
    The IGMP protocol version that will be globally used on interfaces without a configured IGMP Setting. Multiple querying IGMP routers on the same network must use the same IGMP version. Global setting on interfaces without an overriding IGMP Setting. Default: IGMPv3
    IGMP Last Member Query Interval
    The maximum time[...]

  • Page 232

    IGMPStartupQueryInterval at startup. Global setting on interfaces without an overriding IGMP Setting. Default: 2
    IGMP Startup Query Interval
    The interval of General Queries in milliseconds used during the startup phase. Global setting on interfaces without an overriding IGMP Setting. Default: 30,000
    IGMP Unsolicited Report Interval
    The time in mill[...]

  • Page 233

    4.7. Transparent Mode 4.7.1. Overview Transparent Mode Usage The NetDefendOS Transparent Mode feature allows a NetDefend Firewall to be placed at a point in a network without any reconfiguration of the network and without hosts being aware of its presence. All NetDefendOS features can then be used to monitor and manage traffic flowing through that [...]

  • Page 234

    With non-switch routes, the NetDefend Firewall acts as a router and routing operates at layer 3 of the OSI model. If the firewall is placed into a network for the first time, or if network topology changes, the routing configuration must therefore be checked and adjusted to ensure that the routing table is consistent with the new layout. Reconfigur[...]

  • Page 235

    forward the packet to the destination. If the route was a Switch Route , no specific information about the destination is available and the firewall will have to discover where the destination is located in the network. Discovery is done by NetDefendOS sending out ARP as well as ICMP (ping) requests, acting as the initiating sender of the original [...]

  • Page 236

    An alternative to one switch route is to not use an interface group but instead use an individual switch route for each interface. The end result is the same. All the switch routes defined in a single routing table will be connected together by NetDefendOS and no matter how interfaces are associated with the switch routes, transparency will exist b[...]

  • Page 237

    To better explain this, let us consider a VLAN vlan5 which is defined on two physical interfaces called if1 and if2 . Both physical interfaces have switch routes defined so they operate in transparent mode. Two VLAN interfaces with the same VLAN ID are defined on the two physical interfaces and they are called vlan5_if1 and vlan5_if2 . For the VLAN[...]

  • Page 238

    • Define a static ARP table entry which maps the MAC address FF-FF-FF-FF-FF-FF to the IPv4 address 255.255.255.255.
    • Configure DHCP relay to the DHCP server IP address 255.255.255.255.
    4.7.2. Enabling Internet Access
    A common misunderstanding when setting up Transparent Mode is how to correctly set up access to the public Internet. Below is [...]

  • Page 239

    gateway address. In non-transparent mode the user's gateway IP would be the NetDefend Firewall's IP address but in transparent mode the ISP's gateway is on the same logical IP network as the users and will therefore be gw-ip . NetDefendOS May Also Need Internet Access The NetDefend Firewall also needs to find the public Internet if i[...]

  • Page 240

    Figure 4.20. Transparent Mode Scenario 1
    Example 4.19. Setting up Transparent Mode for Scenario 1
    Web Interface
    Configure the interfaces:
    1. Go to: Interfaces > Ethernet > Edit (wan)
    2. Now enter:
    • IP Address: 10.0.0.1
    • Network: 10.0.0.0/24
    • Default Gateway: 10.0.0.1
    • Transparent Mode: Enable
    3. Click OK
    4. Go to: Interfaces > [...]

  • Page 241

    • Source Interface: lan
    • Destination Interface: any
    • Source Network: 10.0.0.0/24
    • Destination Network: all-nets (0.0.0.0/0)
    3. Click OK
    Scenario 2
    Here the NetDefend Firewall in Transparent Mode separates server resources from an internal network by connecting them to a separate interface without the need for different address ranges. Al[...]

  • Page 242

    1. Go to: Interfaces > Ethernet > Edit (lan)
    2. Now enter:
    • IP Address: 10.0.0.1
    • Network: 10.0.0.0/24
    • Transparent Mode: Disable
    • Add route for interface network: Disable
    3. Click OK
    4. Go to: Interfaces > Ethernet > Edit (dmz)
    5. Now enter:
    • IP Address: 10.0.0.2
    • Network: 10.0.0.0/24
    • Transparent Mode: Disable
    •[...]

  • Page 243

    3. Click OK
    4. Go to: Rules > IP Rules > Add > IPRule
    5. Now enter:
    • Name: HTTP-WAN-to-DMZ
    • Action: SAT
    • Service: http
    • Source Interface: wan
    • Destination Interface: dmz
    • Source Network: all-nets
    • Destination Network: wan_ip
    • Translate: Select Destination IP
    • New IP Address: 10.1.4.10
    6. Click OK
    7. Go to: Rules [...]

  • Page 244

    Figure 4.22. An Example BPDU Relaying Scenario
    Implementing BPDU Relaying
    The NetDefendOS BPDU relaying implementation only carries STP messages. These STP messages can be of three types:
    • Normal Spanning Tree Protocol (STP)
    • Rapid Spanning Tree Protocol (RSTP)
    • Multiple Spanning Tree Protocol (MSTP)
    • Cisco proprietary PVST+ Protocol (P[...]

  • Page 245

    Default: Enabled
    Decrement TTL
    Enable this if the TTL should be decremented each time a packet traverses the firewall in Transparent Mode. Default: Disabled
    Dynamic CAM Size
    This setting can be used to manually configure the size of the CAM table. Normally Dynamic is the preferred value to use. Default: Dynamic
    CAM Size
    If the Dynamic CAM Size sett[...]

  • Page 246

    Null Enet Sender
    Defines what to do when receiving a packet that has the sender hardware (MAC) address in the Ethernet header set to null (0000:0000:0000).
    Options:
    • Drop - Drop packets
    • DropLog - Drop and log packets
    Default: DropLog
    Broadcast Enet Sender
    Defines what to do when receiving a packet that has the sender hardware (MAC) address in Et[...]

  • Page 247

    • Log - Let the packets pass and log the event
    • Drop - Drop the packets
    • DropLog - Drop the packets and log the event
    Default: Drop
    Relay MPLS
    When set to Ignore, all incoming MPLS packets are relayed in transparent mode.
    Options:
    • Ignore - Let the packets pass but do not log
    • Log - Let the packets pass and log the event
    • Drop - Drop the pa[...]

  • Page 248

    4.7.5. Advanced Settings for Transparent Mode[...]

  • Page 249

    Chapter 5. DHCP Services
    This chapter describes DHCP services in NetDefendOS.
    • Overview, page 249
    • DHCP Servers, page 250
    • DHCP Relaying, page 256
    • IP Pools, page 259
    5.1. Overview
    Dynamic Host Configuration Protocol (DHCP) is a protocol that allows network administrators to automatically assign IP numbers to computers on a network. IP [...]

  • Page 250

    5.2. DHCP Servers DHCP servers assign and manage the IP addresses taken from a specified address pool. In NetDefendOS, DHCP servers are not limited to serving a single range of IP addresses but can use any IP address range that can be specified by a NetDefendOS IP address object. Multiple DHCP Servers The administrator has the ability to set up one[...]

  • Page 251

    The following options can be configured for a DHCP server:
    General Parameters
    Name
    A symbolic name for the server. Used as an interface reference but also used as a reference in log messages.
    Interface Filter
    The source interface on which NetDefendOS will listen for DHCP requests. This can be a single interface or a group of interfaces.
    IP Address [...]

  • Page 252

    This example shows how to set up a DHCP server called DHCPServer1 which assigns and manages IP addresses from an IPv4 address pool called DHCPRange1. This example assumes that an IP range for the DHCP Server has already been created. Command-Line Interface gw-world:/> add DHCPServer DHCPServer1 Interface=lan IPAddressPool=DHCPRange1 Netmask=255[...]

  • Page 253

    Tip: Lease database saving between restarts DHCP leases are, by default, remembered by NetDefendOS between system restarts. The DHCP advanced settings can be adjusted to control how often the lease database is saved. The DHCP Server Blacklist Sometimes, an IP address offered in a lease is rejected by the client. This may be because the client detects [...]

  • Page 254

    parameters: Host This is the IP address that will be handed out to the client. MAC Address This is the MAC address of the client. Either the MAC address can be used or the alternative Client Identifier parameter can be used. Client Identifier If the MAC address is not used for identifying the client then the client can send an identifier in its DHC[...]

  • Page 255

    5.2.2. Custom Options Adding a Custom Option to the DHCP server definition allows the administrator to send specific pieces of information to DHCP clients in the DHCP leases that are sent out. An example of this is certain switches that require the IP address of a TFTP server from which they can get certain extra information. Custom Option Paramete[...]

  • Page 256

    5.3. DHCP Relaying The DHCP Problem With DHCP, clients send requests to locate the DHCP server(s) using broadcast messages. However, broadcasts are normally only propagated across the local network. This means that the DHCP server and client always need to be on the same physical network. In a large Internet-like network topology, this means there [...]

  • Page 257

    • Name: ipgrp-dhcp • Interfaces: select vlan1 and vlan2 from the Available list and put them into the Selected list. 3. Click OK Adding a DHCP relayer called vlan-to-dhcpserver: 1. Go to: System > DHCP > Add > DHCP Relay 2. Now enter: • Name: vlan-to-dhcpserver • Action: Relay • Source Interface: ipgrp-dhcp • DHCP Server t[...]

  • Page 258

    The maximum lease time allowed by NetDefendOS. If the DHCP server has a higher lease time, it will be reduced down to this value. Default: 10000 seconds Max Auto Routes How many relays can be active at the same time. Default: 256 Auto Save Policy What policy should be used to save the relay list to the disk; possible settings are Disabled, Re[...]

  • Page 259

    5.4. IP Pools Overview An IP pool is used to offer other subsystems access to a cache of DHCP IP addresses. These addresses are gathered into a pool by internally maintaining a series of DHCP clients (one DHCP client per IP address). More than one DHCP server can be used by a pool and can either be external or be local DHCP servers defined in NetDe[...]

  • Page 260

    Receive Interface A "simulated" virtual DHCP server receiving interface. This setting is used to simulate a receiving interface when an IP pool is obtaining IP addresses from internal DHCP servers. This is needed since the filtering criteria of a DHCP server includes a Receive Interface. An internal DHCP server cannot receive requests fr[...]

  • Page 261

    Other options in the ippool command allow the administrator to change the pool size and to free up IP addresses. The complete list of command options can be found in the CLI Reference Guide. Example 5.4. Creating an IP Pool This example shows the creation of an IP Pool object that will use the DHCP server on IP address 28.10.14.1 with 10 prefetched[...]

  • Page 263

    Chapter 6. Security Mechanisms This chapter describes NetDefendOS security features. • Access Rules, page 263 • ALGs, page 266 • Web Content Filtering, page 319 • Anti-Virus Scanning, page 337 • Intrusion Detection and Prevention, page 343 • Denial-of-Service Attack Prevention, page 355 • Blacklisting Hosts and Networks, page 360 6.1.[...]

  • Page 264

    add them if there is a requirement for stricter checking on new connections. 6.1.2. IP Spoofing Traffic that pretends it comes from a trusted host can be sent by an attacker to try to get past a firewall's security mechanisms. Such an attack is commonly known as Spoofing. IP spoofing is one of the most common spoofing attacks. Trusted IP add[...]

  • Page 265

    Turning Off Default Access Rule Messages If, for some reason, the Default Access Rule log message is continuously being generated by some source and needs to be turned off, then the way to do this is to specify an Access Rule for that source with an action of Drop. Troubleshooting Access Rule Related Problems It should be noted that Access Rules a[...]

  • Page 266

    6.2. ALGs 6.2.1. Overview To complement low-level packet filtering, which only inspects packet headers in protocols such as IP, TCP, UDP, and ICMP, NetDefend Firewalls provide Application Layer Gateways (ALGs) which provide filtering at the higher application OSI level. An ALG object acts as a mediator in accessing commonly used Internet applicatio[...]

  • Page 267

    Maximum Connection Sessions The service associated with an ALG has a configurable parameter associated with it called Max Sessions and the default value varies according to the type of ALG. For instance, the default value for the HTTP ALG is 1000. This means that 1000 connections are allowed in total for the HTTP service across all interfaces. T[...]

  • Page 268

    cannot be dropped by web content filtering (if that is enabled, although it will be logged). Anti-Virus scanning, if it is enabled, is always applied to the HTTP traffic even if it is whitelisted. These features are described in depth in Section 6.3.3, “Static Content Filtering”. • Dynamic Content Filtering - Access to specific URLs can be a[...]

  • Page 269

    Note: Similarities with other NetDefendOS features The Verify MIME type and Allow/Block Selected Types options work in the same way for the FTP, POP3 and SMTP ALGs. • Download File Size Limit - A file size limit can additionally be specified for any single download (this option is only available for HTTP and SMTP ALG downloads). The Ordering for [...]

  • Page 270

    Entries made in the white and blacklists can make use of wildcarding to have a single entry be equivalent to a large number of possible URLs. The wildcard character "*" can be used to represent any sequence of characters. For example, the entry *.some_domain.com will block all pages whose URLs end with some_domain.com. If we want to no[...]

  • Page 271

    Both active and passive modes of FTP operation present problems for NetDefend Firewalls. Consider a scenario where an FTP client on the internal network connects through the firewall to an FTP server on the Internet. The IP rule is then configured to allow network traffic from the FTP client to port 21 on the FTP server. When active mode is used, N[...]

  • Page 272

    Figure 6.3. FTP ALG Hybrid Mode Note: Hybrid conversion is automatic Hybrid mode does not need to be enabled. The conversion between modes occurs automatically within the FTP ALG. Connection Restriction Options The FTP ALG has two options to restrict which type of mode the FTP client and the FTP server can use: • Allow the client to use active mode.[...]

  • Page 273

    standard set. • Allow the SITE EXEC command to be sent to an FTP server by a client. • Allow the RESUME command even if content scanning terminated the connection. Note: Some commands are never allowed Some commands, such as encryption instructions, are never allowed. Encryption would mean that the FTP command channel could not be examined by t[...]

  • Page 274

    Anti-Virus Scanning The NetDefendOS Anti-Virus subsystem can be enabled to scan all FTP downloads searching for malicious code. Suspect files can be dropped or just logged. This feature is common to a number of ALGs and is described fully in Section 6.4, “Anti-Virus Scanning”. FTP ALG with ZoneDefense Used together with the FTP ALG, ZoneDef[...]

  • Page 275

    In this case, we will set the FTP ALG restrictions as follows. • Enable the Allow client to use active mode FTP ALG option so clients can use both active and passive modes. • Disable the Allow server to use passive mode FTP ALG option. This is more secure for the server as it will never receive passive mode data. The FTP ALG will handle all con[...]

  • Page 276

    • Destination: 21 (the port the FTP server resides on) • ALG: select ftp-inbound created above 3. Click OK C. Define a rule to allow connections to the public IP on port 21 and forward that to the internal FTP server: 1. Go to: Rules > IP Rules > Add > IPRule 2. Now enter: • Name: SAT-ftp-inbound • Action: SAT • Service: ftp-inbo[...]

  • Page 277

    3. For Address Filter enter: • Source Interface: any • Destination Interface: core • Source Network: all-nets • Destination Network: wan_ip 4. Click OK Example 6.3. Protecting FTP Clients In the scenario shown below, the NetDefend Firewall is protecting a workstation that will connect to FTP servers on the Internet. In this case, we will se[...]

  • Page 278

    1. Go to: Objects > ALG > Add > FTP ALG 2. Enter Name: ftp-outbound 3. Uncheck Allow client to use active mode 4. Check Allow server to use passive mode 5. Click OK B. Create the Service 1. Go to: Objects > Services > Add > TCP/UDP Service 2. Now enter: • Name: ftp-outbound-service • Type: select TCP from the dropdown list •[...]

  • Page 279

    • Source Interface: lan • Destination Interface: wan • Source Network: lannet • Destination Network: all-nets 4. Check Use Interface Address 5. Click OK Setting Up FTP Servers with Passive Mode An important point about FTP server setup needs to be made if the FTP ALG is being used along with passive mode. Usually, the FTP server will be pro[...]

  • Page 280

    TFTP Request Options As long as the Remove Request Option described above is set to false (options are not removed) then the following request option settings can be applied: Maximum Blocksize The maximum blocksize allowed can be specified. The allowed range is 0 to 65,464 bytes. The default value is 65,464 bytes. Maximum File Size The maximum size[...]

  • Page 281

    The administrator should therefore add a reasonable margin above the anticipated email size when setting this limit. Email address blacklisting A blacklist of sender or recipient email addresses can be specified so that mail from/to those addresses is blocked. The blacklist is applied after the whitelist so that if an address matches a whitelist en[...]

  • Page 282

    Figure 6.4. SMTP ALG Processing Order Using Wildcards in White and Blacklists Entries made in the white and blacklists can make use of wildcarding to have a single entry cover a large number of potential email addresses. The wildcard character "*" can be used to represent any sequence of characters. For instance, the address entry *@som[...]

  • Page 283

    server response. For example, this parameter may appear in the log message as: capa=PIPELINING to indicate that the pipelining extension was removed from the SMTP server reply to an EHLO client command. Although ESMTP extensions may be removed by the ALG and related log messages generated, this does not mean that any emails are dropped. Email tran[...]

  • Page 284

    • Dropping email which has a very high probability of being spam. • Letting through but flagging email that has a moderate probability of being spam. The NetDefendOS Anti-Spam Implementation SMTP functions as a protocol for sending emails between servers. NetDefendOS applies Spam filtering to emails as they pass through the NetDefend Firewall f[...]

  • Page 285

    servers are queried to assess the likelihood that the email is Spam, based on its origin address. The NetDefendOS administrator assigns a weight greater than zero to each configured server so that a weighted sum can then be calculated based on all responses. The administrator can configure one of the following actions based on the weighted sum calc[...]

  • Page 286

    *** SPAM *** Buy this stock today! And this is what the email's recipient will see in the summary of their inbox contents. The individual user could then decide to set up their own filters in the local client to deal with such tagged emails, possibly sending it to a separate folder. Adding X-Spam Information If an email is determined to be Spa[...]

  • Page 287

    When sender address verification is enabled, there is an additional option to only compare the domain names in the "From" addresses. Logging There are three types of logging done by the Spam filtering module: • Logging of dropped or Spam tagged emails - These log messages include the source email address and IP as well as its weighted p[...]

  • Page 288

    The default value is 600 seconds. The Anti-Spam address cache is emptied at startup or reconfiguration. For the DNSBL subsystem overall: • Number of emails checked. • Number of emails Spam tagged. • Number of dropped emails. For each DNSBL server accessed: • Number of positive (is Spam) responses from each configured DNSBL server. • Numbe[...]

  • Page 289

    asdf.egrhb.net active 5 0 0 0 To examine the statistics for a particular DNSBL server, the following command can be used. gw-world:/> dnsbl smtp_test zen.spamhaus.org -show BlackList: zen.spamhaus.org Status : active Weight value : 25 Number of mails checked : 56 Number of matches in list : 3 Number of failed checks (times disabled) : 0 To clean[...]

  • Page 290

    allowed as mail attachments and new filetypes can be added to the list. This same option is also available in the HTTP ALG and a fuller description of how it works can be found in Section 6.2.2, “The HTTP ALG”. Anti-Virus Scanning The NetDefendOS Anti-Virus subsystem can optionally scan email attachments searching for malicious code. Suspect f[...]

  • Page 291

    Setting up the PPTP ALG is similar to the setup of other ALG types. The ALG object must be associated with the relevant service and the service is then associated with an IP rule. The full sequence of steps for setup is as follows: • Define a new PPTP ALG object with an appropriate name, for example pptp_alg. The full list of options for the AL[...]

  • Page 292

    SIP Sets Up Sessions SIP does not know about the details of a session's content and is only responsible for initiating, terminating and modifying sessions. Sessions set up by SIP are typically used for the streaming of audio and video over the Internet using the RTP/RTCP protocol (which is based on UDP) but they might also involve traffic base[...]

  • Page 293

    The following components are the logical building blocks for SIP communication: User Agents These are the end points or clients that are involved in the client-to-client communication. These would typically be the workstation or device used in an IP telephony conversation. The term client will be used throughout this section to describe a user agen[...]

  • Page 294

    value is 43200 seconds. Data Channel Timeout The maximum time allowed for periods with no traffic in a SIP session. A timeout condition occurs if this value is exceeded. The default value is 120 seconds. Allow Media Bypass If this option is enabled then data, such as RTP/RTCP communication, may take place directly between two clients without invo[...]

  • Page 295

    SIP Usage Scenarios NetDefendOS supports a variety of SIP usage scenarios. The following three scenarios cover nearly all possible types of usage: • Scenario 1 Protecting local clients - Proxy located on the Internet The SIP session is between a client on the local, protected side of the NetDefend Firewall and a client which is on the external, u[...]

  • Page 296

    The SIP proxy in the above diagram could alternatively be located remotely across the Internet. The proxy should be configured with the Record-Route feature enabled to ensure all SIP traffic to and from the office clients will be sent through the SIP Proxy. This is recommended since the attack surface is minimized by allowing only SIP signalling fr[...]

  • Page 297

    traversal issues with NAT in a SIP setup. The IP rules with the Record-Route option enabled would be as shown below; the changes that apply when NAT is used are shown in parentheses "(..)". Action Src Interface Src Network Dest Interface Dest Network Allow (or NAT) lan lannet wan ip_proxy Allow wan ip_proxy lan (or core) lannet (or wan_[...]

  • Page 298

    • Without NAT so the network topology is exposed. Solution A - Using NAT Here, the proxy and the local clients are hidden behind the IP address of the NetDefend Firewall. The setup steps are as follows: 1. Define a single SIP ALG object using the options described above. 2. Define a Service object which is associated with the SIP ALG object. The [...]

  • Page 299

    Action Src Interface Src Network Dest Interface Dest Network Proxy&Clients (ip_proxy) InboundTo Proxy&Clients Allow wan all-nets lan lannet (ip_proxy) If Record-Route is enabled then the networks in the above rules can be further restricted by using "(ip_proxy)" as indicated. Scenario 3 Protecting proxy and local clients - Proxy[...]

  • Page 300

    The exchanges illustrated are as follows: • 1,2 - An initial INVITE is sent to the outbound local proxy server on the DMZ. • 3,4 - The proxy server sends the SIP messages towards the destination on the Internet. • 5,6 - A remote client or proxy server replies to the local proxy server. • 7,8 - The local proxy forwards the reply to the local[...]

  • Page 301

    DMZ interface as the contact address. • An Allow rule for outbound traffic from the proxy behind the DMZ interface to the remote clients on the Internet. • An Allow rule for inbound SIP traffic from the SIP proxy behind the DMZ interface to the IP address of the NetDefend Firewall. This rule will have core (in other words, NetDefendOS itself) a[...]

  • Page 302

    • Destination Port set to 5060 (the default SIP signalling port) • Type set to TCP/UDP 3. Define four rules in the IP rule set: • An Allow rule for outbound traffic from the clients on the internal network to the proxy located on the DMZ interface. • An Allow rule for outbound traffic from the proxy behind the DMZ interface to the remote cl[...]

  • Page 303

    "software phones" such as the product "NetMeeting". Gateways An H.323 gateway connects two dissimilar networks and translates traffic between them. It provides connectivity between H.323 networks and non-H.323 networks such as public switched telephone networks (PSTN), translating protocols and converting media streams. A gatewa[...]

  • Page 304

    The H.323 ALG has the following features: • The H.323 ALG supports version 5 of the H.323 specification. This specification is built upon H.225.0 v5 and H.245 v10. • In addition to supporting voice and video calls, the H.323 ALG supports application sharing over the T.120 protocol. T.120 uses TCP to transport data while voice and video is transpor[...]

  • Page 305

    Example 6.4. Protecting Phones Behind NetDefend Firewalls In the first scenario an H.323 phone is connected to the NetDefend Firewall on a network (lannet) with public IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to conf[...]

  • Page 306

    • Destination Interface: lan • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: lannet • Comment: Allow incoming calls 3. Click OK Example 6.5. H.323 with Private IPv4 Addresses In this scenario an H.323 phone is connected to the NetDefend Firewall on a network with private IPv4 addresses. To make it possible to place a call from [...]

  • Page 307

    4. Click OK 1. Go to: Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323In • Action: Allow • Service: H323 • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: Allow incoming calls to H.323 phone at ip-phon[...]

  • Page 308

    • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing calls 3. Click OK Incoming Rule: 1. Go to: Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323AllowIn • Action: Allow • Service: H323 [...]

  • Page 309

    • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing calls 3. Click OK Incoming Rules: 1. Go to: Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323In • Action: SAT • Service: H323 • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wa[...]

  • Page 310

    Web Interface Incoming Gatekeeper Rules: 1. Go to: Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323In • Action: SAT • Service: H323-Gatekeeper • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: SAT rule[...]

  • Page 311

    1. Go to: Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323In • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gatekeeper (IP address of the gatekeeper) • Comment: Allow incoming communication with the Gatekeeper 3. Cl[...]

  • Page 312

    1. Go to: Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323Out • Action: NAT • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing communication with a gatekeeper 3. Click OK Note: Outgoing calls[...]

  • Page 313

    The head office has placed an H.323 Gatekeeper in the DMZ of the corporate NetDefend Firewall. This firewall should be configured as follows: Web Interface 1. Go to: Rules > IP Rules > Add > IPRule 2. Now enter: • Name: LanToGK • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: dmz • Sour[...]

  • Page 314

    • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gateway • Comment: Allow H.323 entities on lannet to call phones connected to the H.323 Gateway on the DMZ 3. Click OK 1. Go to: Rules > IP Rules > Add > IPRule 2. Now enter: • Name: GWToLan • Action: Allow • Service: H32[...]

  • Page 315

    • Comment: Allow communication with the Gatekeeper on DMZ from the Remote network 3. Click OK Example 6.11. Configuring remote offices for H.323 If the branch and remote office H.323 phones and applications are to be configured to use the H.323 Gatekeeper at the head office, the NetDefend Firewalls in the remote and branch offices should be confi[...]

  • Page 316

    Note: Outgoing calls do not need a specific rule There is no need to specify a specific rule for outgoing calls. NetDefendOS monitors the communication between "external" phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper. 6.2.10. The TLS ALG O[...]

  • Page 317

    Figure 6.7. TLS Termination Advantages of Using NetDefendOS for TLS Termination TLS can be implemented directly in the server to which clients connect, however, if the servers are protected behind a NetDefend Firewall, then NetDefendOS can take on the role of the TLS endpoint. NetDefendOS then performs TLS authentication, encryption and unencryptio[...]

  • Page 318

    4. Associate the TLS ALG object with the newly created service object. 5. Create a NAT or Allow IP rule for the targeted traffic and associate the custom service object with it. 6. Optionally, a SAT rule can be created to change the destination port for the unencrypted traffic. Alternatively an SLB_SAT rule can be used to do load balancing (the des[...]

  • Page 319

    6.3. Web Content Filtering 6.3.1. Overview Web traffic is one of the biggest sources of security issues and misuse of the Internet. Inappropriate surfing habits can expose a network to many security threats as well as legal and regulatory liabilities. Productivity and Internet bandwidth can also be impaired. Filtering Mechanisms Through the HTTP A[...]

  • Page 320

    Removing such legitimate code could, at best, cause the web site to look distorted, at worst, cause it to not work in a browser at all. Active Content Handling should therefore only be used when the consequences are well understood. Example 6.13. Stripping ActiveX and Java applets This example shows how to configure an HTTP Application Layer Gateway[...]

  • Page 321

    served by that site. */*.gif Good. This will block all files with .gif as the file name extension. www.example.com Bad. This will only block the first request to the web site. Surfing to www.example.com/index.html , for example, will not be blocked. *example.com/* Bad. This will also cause www.myexample.com to be blocked since it blocks all sites e[...]

  • Page 322

    4. Now click Add and select HTTP ALG URL from the menu 5. Select Blacklist as the Action 6. Enter */*.exe in the URL textbox 7. Click OK Finally, make an exception from the blacklist by creating a whitelist: 1. Go to: Objects > ALG 2. In the table, click on the recently created HTTP ALG to view its properties 3. Click the HTTP URL tab 4. Now cli[...]

  • Page 323

    Figure 6.8. Dynamic Content Filtering Flow If the requested web page URL is not present in the databases, then the webpage content at the URL will automatically be downloaded to D-Link's central data warehouse and automatically analyzed using a combination of software techniques. Once categorized, the URL is distributed to the global databases[...]

  • Page 324

    Dynamic Content Filtering is a feature that is enabled by taking out a separate subscription to the service. This is an addition to the normal NetDefendOS license. Once a subscription is taken out, an HTTP Application Layer Gateway (ALG) Object should be defined with Dynamic Content Filtering enabled. This object is then associated with a service o[...]

  • Page 325

    4. Select Enabled in the Mode list 5. In the Blocked Categories list, select Search Sites and click the >> button. 6. Click OK Then, create a service object using the new HTTP ALG: 1. Go to: Local Objects > Services > Add > TCP/UDP service 2. Specify a suitable name for the Service, for example http_content_filtering 3. Select the TC[...]

  • Page 326

    Example 6.16. Enabling Audit Mode This example is based on the same scenario as the previous example, but now with audit mode enabled. Command-Line Interface First, create an HTTP Application Layer Gateway (ALG) Object: gw-world:/> add ALG ALG_HTTP content_filtering WebContentFilteringMode=Audit FilteringCategories=SEARCH_SITES Web Interface Fir[...]

  • Page 327

    This mechanism can be enabled on a per-HTTP ALG level, which means that the administrator can choose to enable this functionality for regular users or for a selected user group only. If reclassification is enabled and a user requests a web site which is disallowed, the block web page will include a dropdown list containing all available categories.[...]

  • Page 328

    Category 1: Adult Content A web site may be classified under the Adult Content category if its content includes the description or depiction of erotic or sexual acts or sexually oriented material such as pornography. Exceptions to this are web sites that contain information relating to sexuality and sexual health, which may be classified under the [...]

  • Page 329

    • www.reallycheaptix.com.au Category 6: Shopping A web site may be classified under the Shopping category if its content includes any form of advertisement of goods or services to be exchanged for money, and may also include the facilities to perform that transaction online. Included in this category are market promotions, catalogue selling and m[...]

  • Page 330

    • www.gamesunlimited.com • www.gameplace.com Category 11: Investment Sites A web site may be classified under the Investment Sites category if its content includes information, services or facilities pertaining to personal investment. URLs in this category include contents such as brokerage services, online portfolio setup, money management for[...]

  • Page 331

    • www.political.com Category 16: Sports A web site may be classified under the Sports category if its content includes information or instructions relating to recreational or professional sports, or reviews on sporting events and sports scores. Examples might be: • www.sportstoday.com • www.soccerball.com Category 17: www-Email Sites A web si[...]

  • Page 332

    Category 21: Health Sites A web site may be classified under the Health Sites category if its content includes health related information or services, including sexuality and sexual health, as well as support groups, hospital and surgical information and medical journals. Examples might be: • www.thehealthzone.com • www.safedrugs.com Category 2[...]

  • Page 333

    various educational organizations. Examples might be: • highschoolessays.org • www.learn-at-home.com Category 27: Advertising A web site may be classified under the Advertising category if its main focus includes providing advertising related information or services. Examples might be: • www.admessages.com • www.tripleclick.com Category 28:[...]

  • Page 334

    Category 32: Non-Managed Unclassified sites and sites that do not fit one of the other categories will be placed in this category. It is unusual to block this category since this could result in most harmless URLs being blocked. 6.3.4.4. Customizing WCF HTML Pages The Web Content Filtering (WCF) feature of the HTTP ALG makes use of a set of HTML fil[...]

  • Page 335

    1. Go to: Objects > HTTP Banner files > Add > ALG Banner Files 2. Enter a name such as new_forbidden and press OK 3. The dialog for the new set of ALG banner files will appear 4. Click the Edit & Preview tab 5. Select URLForbidden from the Page list 6. Now edit the HTML source that appears in the text box for the Forbidden URL page 7. [...]

  • Page 336

    set ALG_HTTP my_http_alg HTTPBanners=mytxt 5. As usual, the activate followed by the commit CLI commands must be used to activate the changes on the NetDefend Firewall. [...]

  • Page 337

    6.4. Anti-Virus Scanning 6.4.1. Overview The NetDefendOS Anti-Virus module protects against malicious code carried in file downloads. Files may be downloaded as part of a web-page in an HTTP transfer, in an FTP download, or perhaps as an attachment to an email delivered through SMTP. Malicious code in such downloads can have different intents rangi[...]

  • Page 338

    • Any uncompressed file type transferred through these ALGs can be scanned. • If the download has been compressed, ZIP and GZIP file downloads can be scanned. The administrator has the option to always drop specific files as well as the option to specify a size limit on scanned files. If no size limit is specified then there is no default upper[...]

  • Page 339

    NetDefendOS Anti-Virus scanning is implemented by D-Link using the "SafeStream" virus signature database. The SafeStream database is created and maintained by Kaspersky, a company which is a world leader in the field of virus detection. The database provides protection against virtually all known virus threats including trojans, worms, ba[...]

  • Page 340

    When scanning compressed files, NetDefendOS must apply decompression to examine the file's contents. Some types of data can result in very high compression ratios where the compressed file is a small fraction of the original uncompressed file size. This can mean that a comparatively small compressed file attachment might need to be uncompresse[...]

  • Page 341

    5. This second reconfiguration causes another failover so the passive unit reverts back to being active again. These steps result in both NetDefend Firewalls in a cluster having updated databases and with the original active/passive roles. For more information about HA clusters refer to Chapter 11, High Availability . Anti-Virus with ZoneDefense An[...]

  • Page 342

    2. Specify a suitable name for the ALG, for instance anti_virus 3. Click the Antivirus tab 4. Select Protect in the Mode dropdown list 5. Click OK B. Then, create a Service object using the new HTTP ALG: 1. Go to: Local Objects > Services > Add > TCP/UDP service 2. Specify a suitable name for the Service, for instance http_anti_virus 3. Se[...]

  • Page 343

    6.5. Intrusion Detection and Prevention 6.5.1. Overview Intrusion Definition Computer servers can sometimes have vulnerabilities which leave them exposed to attacks carried by network traffic. Worms, trojans and backdoor exploits are examples of such attacks which, if successful, can potentially compromise or take control of a server. A generic ter[...]

  • Page 344

    D-Link offers two types of IDP: • Maintenance IDP Maintenance IDP is the base IDP system included as standard with the NetDefend DFL 210, 800, 1600 and 2500. Maintenance IDP is a simplified IDP that gives basic protection against IDP attacks. It is upgradeable to the higher level and more comprehensive Advanced IDP which is discussed next. IDP do[...]

  • Page 345

A new, updated signature database is downloaded automatically by the NetDefendOS system at a configurable interval. This is done via an HTTP connection to the D-Link server network which delivers the latest signature database updates. If the server's signature database has a newer version than the current local database, the new database will be d[...]

  • Page 346

    IDP Signature Selection When using the Web Interface, all IDP signatures in the local signature database are shown under the heading IDP Signatures . This displays a two level tree of all signatures ordered by group. However, its purpose is for reference only and it is not possible to add signatures through this tree. In the Web Interface, associat[...]

  • Page 347

    Initial Packet Processing The initial order of packet processing with IDP is as follows: 1. A packet arrives at the firewall and NetDefendOS performs normal verification. If the packet is part of a new connection then it is checked against the IP rule set before being passed to the IDP module. If the packet is part of an existing connection it is p[...]

  • Page 348

    it is achieved in the reverse way. It consists of sending data packets that are rejected by the IDP subsystem but are acceptable to the target application. Detection Action If an Insertion/Evasion Attack is detected with the Insertion/Evasion Protect option enabled, NetDefendOS automatically corrects the data stream by removing the extraneous data [...]

  • Page 349

Signature Advisories An advisory is an explanatory textual description of a signature. Reading a signature's advisory will explain to the administrator what the signature will search for. Due to the changing nature of the signature database, advisories are not included in D-Link documentation but instead are available on the D-Link website at:[...]

  • Page 350

    This second level of naming describes the type of application or protocol. Examples are: • BACKUP • DB • DNS • FTP • HTTP 3. Signature Group Sub-Category The third level of naming further specifies the target of the group and often specifies the application, for example MSSQL . The Sub-Category may not be necessary if the Type and Categor[...]

  • Page 351

    After pattern matching recognizes an intrusion in traffic subject to an IDP Rule, the Action associated with that Rule is taken. The administrator can associate one of three Action options with an IDP Rule: • Ignore - Do nothing if an intrusion is detected and allow the connection to stay open. • Audit - Allow the connection to stay open but lo[...]

  • Page 352

    gw-world:/> cc IDPRule examplerule gw-world:/examplerule> set IDPRuleAction 1 LogEnabled=Yes Web Interface Adding an SMTP log receiver: 1. Go to: System > Log and Event Receivers > Add > SMTP Event Receiver 2. Now enter: • Name: smtp4IDP • SMTP Server: smtp-server • Server Port: 25 • Specify alternative email addresses (up to[...]

  • Page 353

    An IDP rule called IDPMailSrvRule will be created, and the Service to use is the SMTP service. Source Interface and Source Network defines where traffic is coming from, in this example the external network. The Destination Interface and Destination Network define where traffic is directed to, in this case the mail server. Destination Network should[...]

  • Page 354

    • Destination Network: ip_mailserver • Click OK Specify the Action: An action is now defined, specifying what signatures the IDP should use when scanning data matching the rule, and what NetDefendOS should do when a possible intrusion is detected. In this example, intrusion attempts will cause the connection to be dropped, so Action is set to P[...]

  • Page 355

    6.6. Denial-of-Service Attack Prevention 6.6.1. Overview By embracing the Internet, enterprises experience new business opportunities and growth. The enterprise network and the applications that run over it are business critical. Not only can a company reach a larger number of customers via the Internet, it can serve them faster and more efficientl[...]

  • Page 356

    intended victim. "Jolt" is simply a purpose-written program for generating such packets on operating systems whose ping commands refuse to generate oversized packets. The triggering factor is that the last fragment makes the total packet size exceed 65535 bytes, which is the highest number that a 16-bit integer can store. When the value o[...]

  • Page 357

    • By stripping the URG bit by default from all TCP segments traversing the system (configurable via Advanced Settings > TCP > TCPUrg ). WinNuke attacks will usually show up in NetDefendOS logs as normal drops with the name of the IP rule that disallowed the connection attempt. For connections allowed through the system, "TCP" or &[...]

  • Page 358

The Traffic Shaping feature built into NetDefendOS also helps absorb some of the flood before it reaches protected servers. 6.6.8. TCP SYN Flood Attacks TCP SYN flood attacks work by sending large amounts of TCP SYN packets to a given port and then not responding to SYN ACKs sent in response. This will tie up local TCP stack resources on the victim&[...]

  • Page 359

A more sophisticated form of DoS is the Distributed Denial of Service (DDoS) attack. DDoS attacks involve breaking into hundreds or thousands of machines all over the Internet to install DDoS software on them, allowing the hacker to control all these burgled machines to launch coordinated attacks on victim sites. These attacks typically exhaust ban[...]

  • Page 360

    6.7. Blacklisting Hosts and Networks Overview NetDefendOS implements a Blacklist of host or network IP addresses which can be utilized to protect against traffic coming from specific Internet sources. Certain NetDefendOS subsystems have the ability to optionally blacklist a host or network when certain conditions are encountered. These subsystems a[...]

  • Page 361

    It is also important to understand that although whitelisting prevents a particular source from being blacklisted, it still does not prevent NetDefendOS mechanisms such as threshold rules from dropping or denying connections from that source. What whitelisting does is prevent a source being added to a blacklist if that is the action a rule has spec[...]

  • Page 362

    6.7. Blacklisting Hosts and Networks Chapter 6. Security Mechanisms 362[...]

  • Page 363

    Chapter 7. Address Translation This chapter describes NetDefendOS address translation capabilities. • Overview, page 363 • NAT, page 364 • NAT Pools, page 369 • SAT, page 372 7.1. Overview The ability of NetDefendOS to change the IP address of packets as they pass through the NetDefend Firewall is known as address translation . The ability [...]

  • Page 364

    7.2. NAT Dynamic Network Address Translation (NAT) provides a mechanism for translating original source IP addresses to a different address. Outgoing packets then appear to come from a different IP address and incoming packets back to that address have their IP address translated back to the original IP address. NAT can have two important benefits:[...]

  • Page 365

    However, since there is a possible range of 64,500 source ports and the same number for destination ports, it is theoretically possible to have over 4 billion connections between two IP addresses if all ports are used. Using NAT Pools Can Increase the Connections To increase the number of NAT connections that can exist between the NetDefend Firewal[...]

  • Page 366

    3. The recipient server then processes the packet and sends its response. 195.55.66.77:80 => 195.11.22.33:32789 4. NetDefendOS receives the packet and compares it to its list of open connections. Once it finds the connection in question, it restores the original address and forwards the packet. 195.55.66.77:80 => 192.168.1.5:1038 5. The origi[...]

  • Page 367

    gw-world:/main> cc The NATAction option could be left out since the default value is to use the interface address. The alternative is to specify UseSenderAddress and use the NATSenderAddress option to specify the IP address to use. The sender address will also need to be explicitly ARP published on the interface. Web Interface 1. Go to: Rules &g[...]

  • Page 368

    Some protocols, regardless of the method of transportation used, can cause problems during address translation. Anonymizing Internet Traffic with NAT A useful application of the NAT feature in NetDefendOS is for anonymizing service providers to anonymize traffic between clients and servers across the public Internet so that the client's public[...]

  • Page 369

    7.3. NAT Pools Overview Network Address Translation (NAT) provides a way to have multiple internal clients and hosts with unique private, internal IP addresses communicate to remote hosts through a single external public IPv4 address (this is discussed in depth in Section 7.2, “NAT” ). When multiple public external IP addresses are available th[...]

  • Page 370

    There is only one state table per NAT Pool so that if a single NAT Pool is re-used in multiple NAT IP rules they share the same state table. Stateless NAT Pools The Stateless option means that no state table is maintained and the external IP address chosen for each new connection is the one that has the least connections already allocated to it. Th[...]

  • Page 371

    This example creates a NAT pool with the external IP address range 10.6.13.10 to 10.16.13.15 which is then used in a NAT IP rule for HTTP traffic on the wan interface. Web Interface A. First create an object in the address book for the address range: 1. Go to: Objects > Address Book > Add > IP4 Address 2. Specify a suitable name for the IP[...]

  • Page 372

    7.4. SAT NetDefendOS can translate entire ranges of IP addresses and/or port numbers. Such translations are transpositions where each address or port is mapped to a corresponding address or port in a new range, rather than translating them all to the same address or port. This functionality is known as Static Address Translation (SAT). Note: Port f[...]

  • Page 373

    The illustration below shows a typical network arrangement with a NetDefend Firewall mediating communications between the public Internet and servers in the DMZ and between the DMZ and local clients on a network called LAN . Figure 7.4. The Role of the DMZ Note: The DMZ port could be any port On all models of D-Link NetDefend hardware, there is a s[...]

  • Page 374

    SATTranslateToIP=10.10.10.5 Name=SAT_HTTP_To_DMZ Then create a corresponding Allow rule: gw-world:/main> add IPRule action=Allow Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=core DestinationNetwork=wan_ip Name=Allow_HTTP_To_DMZ Web Interface First create a SAT rule: 1. Go to: Rules > IP Rules > Add > IPRu[...]

  • Page 375

    address translation can take place if the connection has been permitted, and rule 2 permits the connection. The SAT rule destination interface must be core because interface IPs are always routed on core . A NAT rule may also be needed to allow internal computers access to the public Internet: # Action Src Iface Src Net Dest Iface Dest Net Paramete[...]

  • Page 376

    # Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any all-nets core wan_ip http SETDEST wwwsrv 80 2 Allow any all-nets core wan_ip http These two rules allow us to access the web server via the firewall's external IP address. Rule 1 states that address translation will take place if the connection is permitted, and rule 2 permits[...]

  • Page 377

    • The reply arrives and both address translations are restored: 195.55.66.77:80 => 10.0.0.3:1038 In this way, the reply arrives at PC1 from the expected address. Another possible solution to this problem is to allow internal clients to speak directly to 10.0.0.2 and this would completely avoid all the problems associated with address translati[...]

  • Page 378

    Command-Line Interface Create an address object for the public IPv4 addresses: gw-world:/> add Address IP4Address wwwsrv_pub Address=195.55.66.77-195.55.66.81 Now, create another object for the base of the web server IP addresses: gw-world:/> add Address IP4Address wwwsrv_priv_base Address=10.10.10.5 Publish the public IPv4 addresses on the w[...]

  • Page 379

• Interface: wan • IP Address: 195.55.66.77 3. Click OK and repeat for all 5 public IPv4 addresses Create a SAT rule for the translation: 1. Go to: Rules > IP Rules > Add > IPRule 2. Specify a suitable name for the rule, for example SAT_HTTP_To_DMZ 3. Now enter: • Action: SAT • Service: http • Source Interface: any • Source Netw[...]

  • Page 380

    • Attempts to communicate with 194.1.2.16 - port 80, will result in a connection to 192.168.0.50 . • Attempts to communicate with 194.1.2.30 - port 80, will result in a connection to 192.168.0.50 . Note When all-nets is the destination, All-to-One mapping is always done. Example 7.6. Translating Traffic to a Single Protected Web Server (N:1) Th[...]

  • Page 381

    DestinationNetwork=wwwsrv_pub Return to the default CLI context with the command: gw-world:/IPRuleSet/main> cc 7.4.4. Port Translation Port Translation (PAT) (also known as Port Address Translation ) can be used to modify the source or destination port. # Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any all-nets wan wwwsrv_pub T[...]

  • Page 382

    matching rule does NetDefendOS execute the static address translation. Despite this, the first matching SAT rule found for each address is the one that will be carried out. The phrase " each address " above means that two SAT rules can be in effect at the same time on the same connection, provided that one is translating the sender addres[...]

  • Page 383

    themselves. This will not work, as the packets will be interpreted as coming from the wrong address. We will now try moving the NAT rule between the SAT and FwdFast rules: # Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any all-nets core wan_ip http SETDEST wwwsrv 80 2 SAT lan wwwsrv any all-nets 80 -> All SETSRC wan_ip 80 3 NAT [...]

  • Page 385

    Chapter 8. User Authentication This chapter describes how NetDefendOS implements user authentication. • Overview, page 385 • Authentication Setup, page 387 • Customizing Authentication HTML Pages, page 404 8.1. Overview In situations where individual users connect to protected resources through the NetDefend Firewall, the administrator will o[...]

  • Page 386

To remain secure, passwords should also: • Not be recorded anywhere in written form. • Never be revealed to anyone else. • Be changed on a regular basis, such as every three months.[...]

  • Page 387

    8.2. Authentication Setup 8.2.1. Setup Summary The following list summarizes the steps for User Authentication setup with NetDefendOS: • Have an authentication source which consists of a database of users, each with a username/password combination. Any of the following can be an authentication source: i. The local user database internal to NetDef[...]

  • Page 388

    The purpose of this is to restrict access to certain networks to a particular group by having IP rules which will only apply to members of that group. To gain access to a resource there must be an IP rule that allows it and the client must belong to the same group as the rule's Source Network group. Granting Administration Privileges When a us[...]

  • Page 389

    NetDefendOS SSH Client Key object. When the user connects, there is an automatic checking of the keys used by the client to verify their identity. Once verified, there is no need for the user to input their username and password. To make use of this feature, the relevant SSH Client Key object or objects must first be defined separately in NetDefend[...]

  • Page 390

    Setting Up LDAP Authentication There are two steps for setting up user authentication with LDAP servers: • Define one or more user authentication LDAP server objects in NetDefendOS. • Specify one or a list of these LDAP server objects in a user authentication rule. One or more LDAP servers can be associated as a list within a user authenticatio[...]

  • Page 391

    tuple for a username attribute that has an ID of username and a value of Smith . These attributes can be used in different ways and their meaning to the LDAP server is usually defined by the server's database schema . The database schema can usually be changed by the server administrator to alter the attributes. General Settings The following [...]

  • Page 392

    The Membership Attribute defines which groups a user is a member of. This is similar to the way a user belongs to either the admin or audit database group in NetDefendOS. This is another tuple defined by the server's database schema and the default ID is MemberOf . In Microsoft Active Directory, the groups a user belongs to can be found by loo[...]

  • Page 393

• Administrator Account The LDAP server will require that the user establishing a connection to perform a search has administrator privileges. The Administration Account specifies the administrator username. This username may be requested by the server in a special format in the same way as described previously with Use Domain Name . • Password/Conf[...]

  • Page 394

    • The server does not respond within the Timeout period specified for the server. If only one server is specified then authentication will be considered to have failed. If there are alternate servers defined for the user authentication rule then these are queried next. Usernames may need the Domain With certain LDAP servers, the domain name may n[...]

  • Page 395

    server which then performs the authentication and sends back a bind response with the result. Figure 8.1. Normal LDAP Authentication The processing is different if a group membership is being retrieved since a request is sent to the LDAP server to search for memberships and any group memberships are then sent back in the response. B. PPP Authentica[...]

  • Page 396

    Figure 8.2. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 Important: The link to the LDAP server must be protected Since the LDAP server is sending back passwords in plain text to NetDefendOS, the link between the NetDefend Firewall and the server must be protected. A VPN link should be used if the link between the two is not local. Access to the [...]

  • Page 397

    the detailed HTTP explanation below). An IP rule allowing client access to core is also required with this agent type. iii. XAUTH This is the IKE authentication method which is used as part of VPN tunnel establishment with IPsec. XAuth is an extension to the normal IKE exchange and provides an addition to normal IPsec security which means that clie[...]

  • Page 398

    Connection Timeouts An Authentication Rule can specify the following timeouts related to a user session: • Idle Timeout How long a connection is idle before being automatically terminated (1800 seconds by default). • Session Timeout The maximum time that a connection can exist (no value is specified by default). If an authentication server is b[...]

  • Page 399

    authentication rule. This will be either a local NetDefendOS database, an external RADIUS database server or an external LDAP server. 6. NetDefendOS then allows further traffic through this connection as long as authentication was successful and the service requested is allowed by a rule in the IP rule set. That rule's Source Network object ha[...]

  • Page 400

setting WebUI HTTP Port . Port number 81 could instead be used for this setting. The same is true for HTTPS authentication: the default HTTPS management port number of 443 must also be changed. HTTP(s) Agent Options For HTTP and HTTPS authentication there is a set of options in an authentication rule called Agent Options . These are: • Login [...]

  • Page 401

    six hexadecimal two character lower-case values separated by a hyphen ("-") character. For example: 00-0c-19-f9-14-6f IP Rules are Needed HTTP authentication cannot operate unless a rule is added to the IP rule set to explicitly allow authentication to take place. This is also true with HTTPS. If we consider the example of a number of cli[...]

  • Page 402

    Example 8.1. Creating an Authentication User Group In the example of an authentication address object in the address book, a user group "users" is used to enable user authentication on "lannet". This example shows how to configure the user group in the NetDefendOS database. Web Interface Step A 1. Go to: User Authentication >[...]

  • Page 403

    • Destination Interface core • Destination Network lan_ip 3. Click OK B. Set up an Authentication Rule 1. Go to: User Authentication > User Authentication Rules > Add > User Authentication Rule 2. Now enter: • Name: HTTPLogin • Agent: HTTP • Authentication Source: Local • Interface: lan • Originator IP: lannet 3. For Local Us[...]

  • Page 404

e. Retry Timeout: 2 (NetDefendOS will resend the authentication request to the server if there is no response after the timeout, for example every 2 seconds. This will be retried a maximum of 3 times) f. Shared Secret: Enter a text string here for basic encryption of the RADIUS messages g. Confirm Secret: Retype the string to confirm the one typed a[...]

  • Page 405

    To perform customization it is necessary to first create a new Auth Banner Files object with a new name. This new object automatically contains a copy of all the files in the Default Auth Banner Files object. These new files can then be edited and uploaded back to NetDefendOS. The original Default object cannot be edited. The example given below go[...]

  • Page 406

    This example shows how to modify the contents of the URL forbidden HTML page. Web Interface 1. Go to: Objects > HTTP Banner files > Add > Auth Banner Files 2. Enter a name such as new_forbidden and press OK 3. The dialog for the new set of ALG banner files will appear 4. Click the Edit & Preview tab 5. Select FormLogin from the Page li[...]

  • Page 407

set UserAuthRule my_auth_rule HTTPBanners=ua_html 5. As usual, use the activate followed by the commit CLI commands to activate the changes on the NetDefend Firewall.[...]

  • Page 409

    Chapter 9. VPN This chapter describes the Virtual Private Network (VPN) functionality in NetDefendOS. • Overview, page 409 • VPN Quick Start, page 413 • IPsec Components, page 423 • IPsec Tunnels, page 438 • PPTP/L2TP, page 457 • SSL VPN, page 466 • CA Server Access, page 474 • VPN Troubleshooting, page 477 9.1. Overview 9.1.1. VPN [...]

  • Page 410

    2. Client to LAN connection - Where many remote clients need to connect to an internal network over the Internet. In this case, the internal network is protected by the NetDefend Firewall to which the client connects and the VPN tunnel is set up between them. 9.1.2. VPN Encryption Encryption of VPN traffic is done using the science of cryptography [...]

  • Page 411

    side-effect of authentication. VPNs are normally only concerned with confidentiality and authentication. Non-repudiation is normally not handled at the network level but rather is usually done at a higher, transaction level. 9.1.3. VPN Planning An attacker targeting a VPN connection will typically not attempt to crack the VPN encryption since this [...]

  • Page 412

It is probably better to use more keys than are necessary today, since it will be easier to adjust access per user (group) in the future. • Should the keys be changed? If they are changed, how often? In cases where keys are shared by multiple users, consider using overlapping schemes, so that the old keys work for a short period of time when new key[...]

  • Page 413

    9.2. VPN Quick Start Overview Later sections in this chapter will explore VPN components in detail. To help put those later sections in context, this section is a quick start summary of the steps needed for VPN setup. It outlines the individual steps in setting up VPNs for the most common scenarios. These are: • IPsec LAN to LAN with Pre-shared K[...]

  • Page 414

    9.2.1. IPsec LAN to LAN with Pre-shared Keys The objective is to create a secure means of joining two networks: a Local Network which is on the protected side of a local firewall; and a Remote Network which is on the other side of some remote device, located across an insecure network. The steps for setup are as follows: 1. Create a Pre-shared Key [...]

  • Page 415

    remote_net . • An Allow rule for inbound traffic that has the previously defined ipsec_tunnel object as the Source Interface . The Source Network is remote_net . Action Src Interface Src Network Dest Interface Dest Network Service Allow lan lannet ipsec_tunnel remote_net all_services Allow ipsec_tunnel remote_net lan lannet all_services The Servi[...]

  • Page 416

    Also review Section 9.7, “CA Server Access” below, which describes important considerations for certificate validation. Self-signed certificates instead of CA signed can be used for LAN to LAN tunnels but the Web Interface and other interfaces do not have a feature to generate them. Instead, they must be generated by another utility and importe[...]

  • Page 417

    • An external authentication server. An internal user database is easier to set up and is assumed here. Changing this to an external server is simple to do later. To implement user authentication with an internal database: • Define a Local User DB object (let's call this object TrustedUsers ). • Add individual users to TrustedUsers . Thi[...]

  • Page 418

    Once an Allow rule permits the connection to be set up, bidirectional traffic flow is allowed which is why only one rule is used here. Instead of all-nets being used in the above, a more secure defined IP object could be used which specifies the exact range of the pre-allocated IP addresses. B. IP addresses handed out by NetDefendOS If the client I[...]

  • Page 419

    This is done by doing the following: a. Enable the X.509 Certificate option. b. Select the Gateway Certificate . c. Add the Root Certificate to use. 3. The IPsec client software will need to be appropriately configured with the certificates and remote IP addresses. As already mentioned above, many third party IPsec client products are available and[...]

  • Page 420

    • Set Encapsulation Mode to Transport . • Select the IKE and IPsec algorithm proposal lists to be used. • Enable the IPsec tunnel routing option Dynamically add route to the remote network when tunnel established . • When all-nets is the destination network, as is the case here, the advanced setting option Add route for remote network must [...]

  • Page 421

    Connections should be selected to start the New Connection Wizard . The key information to enter in this wizard is: the resolvable URL of the NetDefend Firewall or alternatively its ip_ext IP address. Then choose Network > Properties . In the dialog that opens choose the L2TP Tunnel and select Properties . In the new dialog that opens select the[...]

  • Page 422

    2. Define a PPTP/L2TP object (let's call it pptp_tunnel ) with the following parameters: • Set Inner IP Address to ip_net . • Set Tunnel Protocol to PPTP . • Set Outer Interface Filter to ext . • Set Outer server IP to ip_ext . • For Microsoft Point-to-Point Encryption it is recommended to disable all options except 128 bit encryptio[...]

  • Page 423

    9.3. IPsec Components This section looks at the IPsec standards and describes in general terms the various components, techniques and algorithms that are used in IPsec based VPNs. 9.3.1. Overview Internet Protocol Security (IPsec) is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP security at the network layer[...]

  • Page 424

    An SA is unidirectional and relates to traffic flow in one direction only. For the bidirectional traffic that is usually found in a VPN, there is therefore a need for more than one SA per connection. In most cases, where only one of ESP or AH is used, two SAs will be created for each connection, one describing the incoming traffic, and the other th[...]

  • Page 425

An IKE negotiation is performed in two phases. The first phase, phase 1, is used to authenticate the two VPN firewalls or VPN Clients to each other, by confirming that the remote device has a matching Pre-Shared Key. However, since we do not want to publish too much of the negotiation in plaintext, we first agree upon a way of protecting the rest of[...]

  • Page 426

Tunnel mode indicates that the traffic will be tunneled to a remote device, which will decrypt/authenticate the data, extract it from its tunnel and pass it on to its final destination. This way, an eavesdropper will only see encrypted traffic going from one VPN endpoint to another. In transport mode, the traffic will not be tunneled, and is hen[...]

  • Page 427

    Note NetDefendOS does not support AH. IKE Encryption This specifies the encryption algorithm used in the IKE negotiation, and depending on the algorithm, the size of the encryption key used. The algorithms supported by NetDefendOS IPsec are: • AES • Blowfish • Twofish • Cast128 • 3DES • DES DES is only included to be interoperable with [...]

  • Page 428

    where the identities are also protected, by deleting the phase-1 SA every time a phase-2 negotiation has been finished, making sure no more than one phase-2 negotiation is encrypted using the same key. PFS is generally not needed, since it is very unlikely that any encryption or authentication keys will be compromised. PFS DH Group This specifies t[...]

  • Page 429

    Diffie-Hellman (DH) is a cryptographic protocol that allows two parties that have no prior knowledge of each other to establish a shared secret key over an insecure communications channel through a series of plain text exchanges. Even though the exchanges between the parties might be monitored by a third party, Diffie-Hellman makes it extremely dif[...]

  • Page 430

    PSK Advantages Pre-Shared Keying has a lot of advantages over manual keying. These include endpoint authentication, which is what the PSKs are really for. It also includes all the benefits of using IKE. Instead of using a fixed set of encryption keys, session keys will be used for a limited period of time, after which a new set of session keys are [...]

  • Page 431

    Figure 9.1. The AH protocol AH uses a cryptographic hash function to produce a MAC from the data in the IP packet. This MAC is then transmitted with the packet, allowing the remote endpoint to verify the integrity of the original IP packet, making sure the data has not been tampered with on its way through the Internet. Apart from the IP packet dat[...]

  • Page 432

    evolved. NAT traversal is an add-on to the IKE and IPsec protocols that allows them to function when being NATed. NetDefendOS supports the RFC3947 standard for NAT-Traversal with IKE. NAT traversal is divided into two parts: • Additions to IKE that let IPsec peers tell each other that they support NAT traversal, and the specific versions support[...]

  • Page 433

    recommended setting unless the two firewalls have the same external IP address. • IP - An IP address can be manually entered • DNS - A DNS address can be manually entered • Email - An email address can be manually entered 9.3.6. Algorithm Proposal Lists To agree on the VPN connection parameters, a negotiation process is performed. As a result[...]

  • Page 434

    1. Go to: Objects > VPN Objects > IPsec Algorithms > Add > IPsec Algorithms 2. Enter a name for the list, for example esp-l2tptunnel 3. Now check the following: • DES • 3DES • SHA1 • MD5 4. Click OK Then, apply the algorithm proposal list to the IPsec tunnel: 1. Go to: Interfaces > IPsec 2. Select the target IPsec tunnel 3. S[...]

  • Page 435

    gw-world:/> add PSK MyPSK Type=HEX PSKHex=<enter the key here> Now apply the Pre-shared Key to the IPsec tunnel: gw-world:/> set Interface IPsecTunnel MyIPsecTunnel PSK=MyPSK Web Interface First create a Pre-shared Key: 1. Go to: Objects > Authentication Objects > Add > Pre-shared key 2. Enter a name for the pre-shared key, for[...]

  • Page 436

    Example 9.3. Using an Identity List This example shows how to create and use an Identification List for use in the VPN tunnel. This Identification List will contain one ID with the type DN, distinguished name, as the primary identifier. Note that this example does not illustrate how to add the specific IPsec tunnel object. Command-Line Interface Fi[...]

  • Page 437

    Finally, apply the Identification List to the IPsec tunnel: 1. Go to: Interfaces > IPsec 2. Select the IPsec tunnel object of interest 3. Under the Authentication tab, choose X.509 Certificate 4. Select the appropriate certificate in the Root Certificate(s) and Gateway Certificate controls 5. Select MyIDList in the Identification List 6. Click O[...]

  • Page 438

    9.4. IPsec Tunnels This section looks more closely at IPsec tunnels in NetDefendOS, their definition, options and usage. 9.4.1. Overview An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration capabilities as regula[...]

  • Page 439

    connection attempts coming from a particular IP address or group of addresses. This can degrade the performance of the NetDefendOS IPsec engine and explicitly dropping such traffic with an IP rule is an efficient way of preventing it reaching the engine. In other words, IP rules can be used for complete control over all traffic related to the tunne[...]

  • Page 440

    • Section 9.2.1, “IPsec LAN to LAN with Pre-shared Keys” . • Section 9.2.2, “IPsec LAN to LAN with Certificates” . • Section 9.2.3, “IPsec Roaming Clients with Pre-shared Keys” . • Section 9.2.4, “IPsec Roaming Clients with Certificates” . In addition to the quick start section, more explanation of tunnel setup is given belo[...]

  • Page 441

    Example 9.4. Setting up a PSK based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming clients that connect to the office to gain remote access. The head office network uses the 10.0.1.0/24 network span with external firewall IP wan_ip. Web Interface A. Create a p[...]

  • Page 442

    span with external firewall IP wan_ip. Web Interface A. Create a Self-signed Certificate for IPsec authentication: The step to actually create self-signed certificates is performed outside the WebUI using a suitable software product. The certificate should be in the PEM (Privacy Enhanced Mail) file format. B. Upload all the client self-signed certi[...]

  • Page 443

    E. Finally configure the IP rule set to allow traffic inside the tunnel. Tunnels Based on CA Server Certificates Setting up client tunnels using a CA issued certificate is largely the same as using Self-signed certificates with the exception of a couple of steps. It is the responsibility of the administrator to acquire the appropriate certificate f[...]

  • Page 444

    • IKE Algorithms: Medium or High • IPsec Algorithms: Medium or High 4. For Authentication enter: • Choose X.509 Certificates as the authentication method • Root Certificate(s): Select the CA server root certificate imported earlier and add it to the Selected list • Gateway Certificate: Choose the newly created firewall certificate • Ide[...]

  • Page 445

    Example 9.7. Setting Up Config Mode In this example, the Config Mode Pool object is enabled by associating with it an already configured IP Pool object called ip_pool1. Web Interface 1. Go to: Objects > VPN Objects > IKE Config Mode Pool 2. The Config Mode Pool object properties web page now appears 3. Select Use a predefined IPPool object 4.[...]

  • Page 446

    Example 9.9. Setting up an LDAP server This example shows how to manually set up and specify an LDAP server. Command-Line Interface gw-world:/> add LDAPServer Host=192.168.101.146 Username=myusername Password=mypassword Port=389 Web Interface 1. Go to: Objects > VPN Objects > LDAP > Add > LDAP Server 2. Now enter: • IP Address: 192.[...]

  • Page 447

    The output from the verbose option can be troublesome to interpret by an administrator seeing it for the first time. Presented below is some typical ikesnoop output with annotations to explain it. The tunnel negotiation considered is based on Pre-shared Keys. A negotiation based on certificates is not discussed here but the principles are similar. Comp[...]

  • Page 448

    Encryption algorithm : 3DES-cbc Hash algorithm : MD5 Authentication method : Pre-Shared Key Group description : MODP 1024 Life type : Seconds Life duration : 43200 Life type : Kilobytes Life duration : 50000 Transform 4/4 Transform ID : IKE Encryption algorithm : 3DES-cbc Hash algorithm : SHA Authentication method : Pre-Shared Key Group description[...]

  • Page 449

    A typical response from the server is shown below. This must contain a proposal that is identical to one of the choices from the client list above. If no match was found by the server then a "No proposal chosen" message will be seen, tunnel setup will fail and the ikesnoop command output will stop at this point. IkeSnoop: Sending IKE pack[...]

  • Page 450

    IkeSnoop: Received IKE packet from 192.168.0.10:500 Exchange type : Identity Protection (main mode) ISAKMP Version : 1.0 Flags : Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a Message ID : 0x00000000 Packet length : 220 bytes # payloads : 4 Payloads: KE (Key Exchange) Payload data length : 128 bytes NONCE (Nonce) Payload data length : 16 bytes [...]

  • Page 451

    Payload data length : 8 bytes Protocol ID : ISAKMP Notification : Initial contact Explanation of Above Values Flags: E means encryption (it is the only flag used). ID: Identification of the client The Notification field is given as Initial Contact to indicate this is not a re-key. Step 6. Server ID Response The server now responds with its own ID. [...]

  • Page 452

    SA life type : Seconds SA life duration : 21600 SA life type : Kilobytes SA life duration : 50000 Encapsulation mode : Tunnel Transform 2/4 Transform ID : Rijndael (aes) Key length : 128 Authentication algorithm : HMAC-SHA-1 SA life type : Seconds SA life duration : 21600 SA life type : Kilobytes SA life duration : 50000 Encapsulation mode : Tunnel[...]

  • Page 453

    IkeSnoop: Sending IKE packet to 192.168.0.10:500 Exchange type : Quick mode ISAKMP Version : 1.0 Flags : E (encryption) Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a Message ID : 0xaa71428f Packet length : 156 bytes # payloads : 5 Payloads: HASH (Hash) Payload data length : 16 bytes SA (Security Association) Payload data length : 56 bytes DOI [...]

  • Page 454

    This specifies the total number of IP rules that can be connected to IPsec tunnels. By default this is initially approximately 4 times the licensed IPsecMaxTunnels and system memory for this is allocated at startup. By reducing the number of rules, memory requirements can be reduced but making this change is not recommended. IPsec Max Rules will al[...]

  • Page 455

    Default: 86400 seconds IKE Max CA Path When the signature of a user certificate is verified, NetDefendOS looks at the issuer name field in the user certificate to find the CA certificate the certificate was signed by. The CA certificate may in turn be signed by another CA, which may be signed by another CA, and so on. Each certificate will be verif[...]

  • Page 456

    of the tunnel has not responded to DPD-R-U-THERE messages for DPD Expire Time x 10 seconds and there is no other evidence of life. When the SA is placed in the dead cache, NetDefendOS will not try to re-negotiate the tunnel. If traffic that is associated with the SA that is in the dead cache is received, the SA will be removed from the dead cache. [...]

  • Page 457

    9.5. PPTP/L2TP The access by a client using a modem link over dial-up public switched networks, possibly with an unpredictable IP address, to protected networks via a VPN poses particular problems. Both the PPTP and L2TP protocols provide two different means of achieving VPN access from remote clients. The most commonly used feature that is relevan[...]

  • Page 458

    A common problem with setting up PPTP is that a router and/or switch in a network is blocking TCP port 1723 and/or IP protocol 47 before the PPTP connection can be made to the NetDefend Firewall. Examining the log can indicate if this problem occurred, with a log message of the following form appearing: Error PPP lcp_negotiation_stalled ppp_termina[...]

  • Page 459

    arguably offers better security than PPTP. Unlike PPTP, it is possible to set up multiple virtual networks across a single tunnel. Because it is IPsec based, L2TP requires NAT traversal (NAT-T) to be implemented on the LNS side of the tunnel. Example 9.11. Setting up an L2TP server This example shows how to set up an L2TP Network Server. The example [...]

  • Page 460

    gw-world:/UserDB> add User testuser Password=mypassword Web Interface 1. Go to: User Authentication > Local User Databases > Add > Local User Database 2. Enter a suitable name for the user database, for example UserDB 3. Go to: User Authentication > Local User Databases > UserDB > Add > User 4. Now enter: • Username: testu[...]

  • Page 461

    • Dynamically add route to the remote network when a tunnel is established 9. Click OK Now it is time to set up the L2TP Server. The inner IP address should be a part of the network which the clients are assigned IP addresses from, in this case lan_ip. The outer interface filter is the interface that the L2TP server will accept connections on, this wil[...]

  • Page 462

    • Authentication Source: Local • Interface: l2tp_tunnel • Originator IP: all-nets • Terminator IP: wan_ip 4. Under the Authentication Options tab enter UserDB as the Local User DB 5. Click OK When the other parts are done, all that is left is the rules. To let traffic through from the tunnel, two IP rules should be added. E. Finally, set up[...]

  • Page 463

    • Service: all_services • Source Interface: l2tp_tunnel • Source Network: l2tp_pool • Destination Interface: any • Destination Network: all-nets 8. Click OK 9.5.3. L2TP/PPTP Server advanced settings The following L2TP/PPTP server advanced settings are available to the administrator: L2TP Before Rules Pass L2TP traffic sent to the NetDefen[...]

  • Page 464

    Names of Assigned Addresses Both PPTP and L2TP utilize dynamic IP configuration using the PPP LCP protocol. When NetDefendOS receives this information, it is stored in symbolic host/network names. The settings for this are: • Inner IP Address - The host name that is used for storing the assigned IP address. If this network object exists and has [...]

  • Page 465

    Figure 9.3. PPTP Client Usage 9.5.4. PPTP/L2TP Clients Chapter 9. VPN 465[...]

  • Page 466

    9.6. SSL VPN 9.6.1. Overview NetDefendOS provides an additional type of VPN connection called SSL VPN. This makes use of the Secure Sockets Layer (SSL) protocol to provide a secure tunnel between a remote client computer and a NetDefend Firewall. Any application on the client can then communicate securely with servers located on the protected side[...]

  • Page 467

    The option exists with NetDefendOS SSL VPN to automatically ARP publish all client IPs on all firewall interfaces but this is not recommended because of the security issues that are raised. vi. Routes for clients do not need to be defined in the routing tables as these are added automatically by NetDefendOS when SSL VPN tunnels are established. •[...]

  • Page 468

    Ethernet interface but it could also be another logical interface. For example, a PPPoE interface could be used. Note In the current NetDefendOS version, the outer interface cannot be a VLAN interface. • Server IP The IP address on the listening interface on which to listen for SSL VPN connection attempts by clients. This will typically be a publ[...]

  • Page 469

    it will be necessary to choose at least one interface on which to publish the client network. 9.6.3. Installing the SSL VPN Client For the SSL VPN to function, a proprietary D-Link SSL VPN client application must be installed on the client computer. This is done with the following steps: 1. A web browser must be opened and the protocol https:// nee[...]

  • Page 470

    Figure 9.5. The SSL VPN Client Login The difference between the two approaches above is that when the SSL VPN client software is started by browsing to the SSL VPN interface, the correct settings for the tunnel are downloaded to the SSL VPN client software and stored as the client's configuration file. As long as these settings have not chang[...]

  • Page 471

    Figure 9.6. The SSL VPN Client Statistics SSL VPN Client Operation Whenever the SSL VPN client application runs, the following happens: • A route is added to the Windows routing table. This route is equivalent to a NetDefendOS default all-nets route. • The added default route directs all traffic from the Windows client through the SSL tunnel. W[...]

  • Page 472

    have been removed. To remedy this problem, the D-Link SSL VPN client software should be started by selecting it in the Windows Start menu and then stopped. 9.6.4. Setup Example Example 9.13. Setting Up an SSL VPN Interface This example shows how to set up a new SSL VPN interface called my_sslvpn. Assume that the physical interface If2 will be used[...]

  • Page 473

    Web Interface 1. Go to: User Authentication > User Authentication Rules > Add > User Authentication Rule 2. Now enter: • Name: ssl_login • Agent: L2TP/PPTP/SSL VPN • Authentication Source: Local • Interface: my_sslvpn_if • Originator IP: all-nets (a more specific range is more secure) • Terminator IP: sslvpn_server_ip 3. For Lo[...]

  • Page 474

    9.7. CA Server Access Overview Certificate validation can be done by accessing a separate Certification Server (CA) server. For example, the two sides of an IPsec tunnel exchange their certificates during the tunnel setup negotiation and either may then try to validate the received certificate. A certificate contains a URL (the CRL Distribution P[...]

  • Page 475

    The same steps should be followed if the other side of the tunnel is another firewall instead of being many clients. 3. The CA server is a commercial server on the public Internet. In this, the simplest case, public DNS servers will resolve the FQDN. The only requirement is that NetDefendOS will need to have at least one public DNS server address c[...]

  • Page 476

    Placement of Private CA Servers The easiest solution for placement of a private CA server is to have it on the unprotected side of the NetDefend Firewall. This however, is not recommended from a security viewpoint. It is better to place it on the inside (or preferably in the DMZ if available) and to have NetDefendOS control access to it. As explain[...]

  • Page 477

    9.8. VPN Troubleshooting This section deals with how to troubleshoot the common problems that are found with VPN. 9.8.1. General Troubleshooting In all types of VPNs some basic troubleshooting checks can be made: • Check that all IP addresses have been specified correctly. • Check that all pre-shared keys and usernames/passwords are correctly e[...]

  • Page 478

    9.8.2. Troubleshooting Certificates If certificates have been used in a VPN solution then the following should be looked at as a source of potential problems: • Check that the correct certificates have been used for the right purposes. • Check that the certificate .cer and .key files have the same filename. For example, my_cert.key and my_cert.[...]

  • Page 479

    gw-world:/> ipsecstat -num=all Another example of what to avoid with many tunnels is: gw-world:/> ipsectunnels -num=all In these circumstances, using the option with a small number, for example -num=10, is recommended. The ikesnoop console command A common problem with setting up IPsec is a list of proposed algorithms that is unacceptable to[...]

  • Page 480

    2. Incorrect pre-shared key. 3. Ike_invalid_payload, Ike_invalid_cookie. 4. Payload_Malformed. 5. No public key found. 1. Could not find acceptable proposal / no proposal chosen This is the most common IPsec related error message. It means that depending on which side initiates tunnel setup, the negotiations in either the IKE or the IPSec phase of [...]

  • Page 481

    Since the tunnel L2TP in the above table is above the tunnel VPN-3, a match will trigger before VPN-3 because of the all-nets remote gateway (all-nets will match any network). Since these two tunnels use different pre-shared keys, NetDefendOS will generate an "Incorrect pre-shared key" error message. The problem is solved if we reorde[...]

  • Page 482

    Also make sure that there is a DNS client configured for NetDefendOS in order to be able to correctly resolve the path to the CRL on the CA server. Note: L2TP with Microsoft Vista With L2TP, Microsoft Vista tries by default to contact and download the CRL list, while Microsoft XP does not. This can be turned off in Vista. • If multiple similar or[...]

  • Page 483

    when there is something that fails in terms of network size on either local network or remote network. Since NetDefendOS has determined that it is a type of network size problem, it will try one last attempt to get the correct network by sending a config mode request. By using ikesnoop when both sides initiate the tunnel, it should be simple to com[...]

  • Page 484

    9.8.6. Specific Symptoms[...]

  • Page 485

    Chapter 10. Traffic Management This chapter describes how NetDefendOS can manage network traffic. • Traffic Shaping, page 485 • IDP Traffic Shaping, page 506 • Threshold Rules, page 511 • Server Load Balancing, page 514 10.1. Traffic Shaping 10.1.1. Overview QoS with TCP/IP A weakness of TCP/IP is the lack of true Quality of Service (QoS) f[...]

  • Page 486

    Traffic Shaping Objectives Traffic shaping operates by measuring and queuing IP packets with respect to a number of configurable parameters. The objectives are: • Applying bandwidth limits and queuing packets that exceed configured limits, then sending them later when bandwidth demands are lower. • Dropping packets if packet buffers are full. T[...]

  • Page 487

    Pipe Rules One or more Pipe Rules make up the NetDefendOS Pipe Rule set which determines what traffic will flow through which pipes. Each pipe rule is defined like other NetDefendOS security policies: by specifying the source/destination interface/network as well as the service to which the rule is to apply. Once a new connection is permitted by th[...]

  • Page 488

    will form a Chain of pipes through which traffic will pass. A chain can be made up of a maximum of 8 pipes. Explicitly Excluding Traffic from Shaping If no pipe is specified in a pipe rule list then traffic that triggers the rule will not flow through any pipe. It also means that the triggering traffic will not be subject to any other matching pipe[...]

  • Page 489

    Web Interface 1. Go to: Traffic Management > Traffic Shaping > Pipes > Add > Pipe 2. Specify a suitable name for the pipe, for instance std-in 3. Enter 2000 in the Total textbox under Pipe Limits 4. Click OK Traffic needs to be passed through the pipe and this is done by using the pipe in a Pipe Rule. We will use the above pipe to limit[...]

  • Page 490

    Just inserting std-in in the forward chain will not work since we probably want the 2 Mbps limit for outbound traffic to be separate from the 2 Mbps limit for inbound traffic. If 2 Mbps of outbound traffic attempts to flow through the pipe in addition to 2 Mbps of inbound traffic, the total attempting to flow is 4 Mbps. Since the pipe limit is 2 Mb[...]

  • Page 491

    The Incorrect Solution Two "surfing" pipes for inbound and outbound traffic could be set up. However, it is not usually required to limit outbound traffic since most web surfing usually consists of short outbound server requests followed by long inbound responses. A surf-in pipe is therefore first created for inbound traffic with a 125 kb[...]

  • Page 492

    10.1.6. Precedences The Default Precedence is Zero All packets that pass through NetDefendOS traffic shaping pipes have a Precedence. In the examples so far, precedences have not been explicitly set and so all packets have had the same default precedence which is 0. There are 8 Possible Precedence Levels Eight precedences exist which are numbered [...]

  • Page 493

    Specifying Precedences Within Pipes When a pipe is configured, a Default Precedence, a Minimum Precedence and a Maximum Precedence can be specified. The default precedences are: • Minimum Precedence: 0 • Default Precedence: 0 • Maximum Precedence: 7 As described above, the Default Precedence is the precedence taken by a packet if it is not e[...]

  • Page 494

    Figure 10.5. Minimum and Maximum Pipe Precedence Lowest Precedence Limits It is usually not needed to have a limit specified for the lowest (best effort) precedence since this precedence simply uses any spare bandwidth not used by higher precedences. However, a limit could be specified if there is a need to restrict the bandwidth used by the low[...]

  • Page 495

    The Need for Guarantees A problem can occur however if prioritized traffic is a continuous stream such as real-time audio, resulting in continuous use of all available bandwidth and resulting in unacceptably long queuing times for other services such as surfing, DNS or FTP. A means is required to ensure that lower priority traffic gets some portion[...]

  • Page 496

    Set the return chain of the port 23 rule to telnet-in followed by std-in. Set the priority assignment for both rules to Use defaults from first pipe; the default precedence of both the ssh-in and telnet-in pipes is 2. Using this approach rather than hard-coding precedence 2 in the rule set, it is easy to change the precedence of all SSH and Telne[...]

  • Page 497

    other words the netmask for the network must be specified for NetDefendOS. Specifying Group Limits Once the method of grouping is selected, the next step is to specify the Group Limits. These limits can consist of one or both of the following: • Group Limit Total This value specifies a limit for each user within the grouping. For example[...]

  • Page 498

    Figure 10.6. Traffic Grouped By IP Address Another Simple Groups Example Consider another situation where the total bandwidth limit for a pipe is 400 bps. If the aim is to allocate this bandwidth amongst many destination IP addresses so that no single IP address can take more than 100 bps of bandwidth, the following steps are needed. • Set the pi[...]

  • Page 499

    of how many there are. This is done up to the limit of the pipe. If a total group limit of 100 bps is also specified with dynamic balancing, then this still means that no single user may take more than that amount of bandwidth. Precedences and Dynamic Balancing As discussed, in addition to specifying a total limit for a grouping, limits can be spec[...]

  • Page 500

    A special case when a total pipe limit is not specified is when a group limit is used instead. The bandwidth limit is then placed on, for example, each user of a network where the users must share a fixed bandwidth resource. An ISP might use this approach to limit individual user bandwidth by specifying a "Per Destination IP" grouping. Kn[...]

  • Page 501

    NetDefendOS traffic shaping provides a sophisticated set of mechanisms for controlling and prioritising network packets. The following points summarize its use: • Select the traffic to manage through Pipe Rules. • Pipe Rules send traffic through Pipes. • A pipe can have a limit which is the maximum amount of traffic allowed. • A pipe can [...]

  • Page 502

    Figure 10.7. A Basic Traffic Shaping Scenario The reason for using 2 different pipes in this case, is that these are easier to match to the physical link capacity. This is especially true with asynchronous links such as ADSL. First, two pipes called in-pipe and out-pipe need to be created with the following parameters: Pipe Name Min Prec Def Prec M[...]

  • Page 503

    • Priority 4 - Citrix (250 kbps) • Priority 2 - Other traffic (1000 kbps) • Priority 0 - Web plus remaining from other levels To implement this scheme, we can use the in-pipe and out-pipe. We first enter the Pipe Limits for each pipe. These limits correspond to the list above and are: • Priority 6 - 500 • Priority 4 - 250 • Priority 2 [...]

  • Page 504

    reasonable for a VPN tunnel where the underlying physical connection capacity is 2 Mbps. It is also important to remember to insert into the pipe all non-VPN traffic using the same physical link. The pipe chaining can be used as a solution to the problem of VPN overhead. A limit which allows for this overhead is placed on the VPN tunnel traffic and[...]

  • Page 505

    VoIP to the remote site is guaranteed 500 kbps of capacity before it is forced to best effort. SAT with Pipes If SAT is being used, for example with a web server or ftp server, that traffic also needs to be forced into pipes or it will escape traffic shaping and ruin the planned quality of service. In addition, server traffic is initiated from the [...]

  • Page 506

    10.2. IDP Traffic Shaping 10.2.1. Overview The IDP Traffic Shaping feature is traffic shaping that is performed based on information coming from the NetDefendOS Intrusion Detection and Prevention (IDP) subsystem (for more information on IDP see Section 6.5, “Intrusion Detection and Prevention” ). Application Related Bandwidth Usage A typical pr[...]

  • Page 507

    Typically, a P2P transfer starts with an initial connection to allow transfer of control information followed by a number of data transfer connections to other hosts. It is the initial connection that IDP detects and the Time Window specifies the expected period afterwards when other connections will be opened and subject to traffic shaping. Connec[...]

  • Page 508

    connection just because host X is involved. Excluding Hosts To avoid these unintended consequences, we specify the IPv4 addresses of client A and client B in the Network range but not host X. This tells NetDefendOS that host X is not relevant in making a decision about including new non-IDP-triggering connections in traffic shaping. It may seem co[...]

  • Page 509

    10.2.6. Viewing Traffic Shaping Objects Viewing Hosts IDP traffic shaping has a special CLI command associated with it called idppipes and this can examine and manipulate the hosts which are currently subject to traffic shaping. To display all hosts being traffic shaped by IDP Traffic Shaping, the command would be: gw-world:/> idppipes -show Hos[...]

  • Page 510

    using the "Per Destination IP" feature. 10.2.7. Guaranteeing Instead of Limiting Bandwidth If desired, IDP Traffic Shaping can be used to do the opposite of limiting bandwidth for certain applications. If the administrator wants to guarantee a bandwidth level, say 10 Megabits, for an application then an IDP rule can be set up to trigger f[...]

  • Page 511

    10.3. Threshold Rules Overview The objective of a Threshold Rule is to have a means of detecting abnormal connection activity as well as reacting to it. An example of a cause for such abnormal activity might be an internal host becoming infected with a virus that is making repeated connections to external IP addresses. It might alternatively be som[...]

  • Page 512

    The Group By Setting The two groupings allowed are as follows: • Host Based The threshold is applied separately to connections from different IP addresses. • Network Based The threshold is applied to all connections matching the rules as a group. Rule Actions When a Threshold Rule is triggered one of two responses is possible: • Audit Leave [...]

  • Page 513

    rule, is added automatically to a Blacklist of IP addresses or networks. If several Protect actions with blacklisting enabled are triggered at the same time, only the first triggered blacklisting action will be executed by NetDefendOS. A host based action with blacklisting enabled will blacklist a single host when triggered. A network based action [...]

  • Page 514

    10.4. Server Load Balancing 10.4.1. Overview The Server Load Balancing (SLB) feature allows the administrator to spread client application requests over a number of servers through the use of IP rules with an Action of SLB_SAT. SLB is a powerful tool that can improve the following aspects of network applications: • Performance • Scalability[...]

  • Page 515

    Figure 10.9. A Server Load Balancing Configuration Additional Benefits of SLB Besides improving performance and scalability, SLB provides other benefits: • SLB increases the reliability of network applications by actively monitoring the servers sharing the load. NetDefendOS SLB can detect when a server fails or becomes congested and will not dire[...]

  • Page 516

    receiving over a certain time period. This time period is known as the Window Time. SLB sends the next request to the server that has received the least number of connections during the last Window Time number of seconds. The Window Time is a setting that the administrator can change. The default value is 10 seconds. 10.4.3. Selecting Stickiness I[...]

  • Page 517

    (the Idle Timeout has not been exceeded). The consequence of a full table can be that stickiness will be lost for any discarded source IP addresses. The administrator should therefore try to ensure that the Max Slots parameter is set to a value that can accommodate the expected number of connections that require stickiness. The default value for th[...]

  • Page 518

    Figure 10.11. Stickiness and Round-Robin

    If the connection-rate algorithm is applied instead, R1 and R2 will be sent to the same server because of stickiness, but the subsequent requests R3 and R4 will be routed to another server, since the distribution counts the number of new connections each server has received within the Window Time.

    Figur[...]
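    The Python model below is an added example, not code from the manual or from NetDefendOS, of the distribution behaviour discussed in 10.4.2 through 10.4.5: round-robin and connection-rate selection with a Window Time, plus a stickiness table limited by Max Slots and Idle Timeout. The class and method names, the tie-breaking rule (first server in the list wins) and the request sequence are assumptions.

```python
from collections import deque


class ServerLoadBalancer:
    """Model of SLB distribution with source-IP stickiness (not NetDefendOS code).

    algorithm: "round_robin" or "connection_rate" (the server with the fewest
    new connections during the last window_time seconds gets the request).
    The stickiness table holds at most max_slots source IPs; an entry expires
    after idle_timeout seconds without a new connection, and when the table is
    full the entry idle longest is discarded and that source loses stickiness.
    """

    def __init__(self, servers, algorithm="connection_rate", window_time=10,
                 max_slots=2048, idle_timeout=10):
        if algorithm not in ("round_robin", "connection_rate"):
            raise ValueError("unknown algorithm")
        self.servers = list(servers)
        self.algorithm = algorithm
        self.window_time = window_time
        self.max_slots = max_slots
        self.idle_timeout = idle_timeout
        self._next_rr = 0
        self._conns = {s: deque() for s in self.servers}   # server -> timestamps
        self._sticky = {}                                   # src -> (server, last_seen)

    def is_sticky(self, src):
        return src in self._sticky

    def _expire(self, now):
        for q in self._conns.values():
            while q and now - q[0] >= self.window_time:
                q.popleft()
        for src in [s for s, (_, seen) in self._sticky.items()
                    if now - seen >= self.idle_timeout]:
            del self._sticky[src]

    def _choose(self):
        if self.algorithm == "round_robin":
            server = self.servers[self._next_rr % len(self.servers)]
            self._next_rr += 1
            return server
        # connection-rate: fewest connections inside the window; a tie goes to
        # the server listed first (assumption of this model)
        return min(self.servers, key=lambda s: len(self._conns[s]))

    def route(self, src, now):
        """Return the server that receives a new connection from src."""
        self._expire(now)
        if src in self._sticky:
            server = self._sticky[src][0]
        else:
            if len(self._sticky) >= self.max_slots:
                # table full: discard the entry idle longest (stickiness lost)
                oldest = min(self._sticky, key=lambda s: self._sticky[s][1])
                del self._sticky[oldest]
            server = self._choose()
        self._sticky[src] = (server, now)
        self._conns[server].append(now)
        return server


def figure_10_11():
    """Requests R1, R2 from client A and R3, R4 from clients B and C
    (constructed), routed under both algorithms."""
    requests = [("A", 0), ("A", 1), ("B", 2), ("C", 3)]
    out = {}
    for alg in ("round_robin", "connection_rate"):
        lb = ServerLoadBalancer(["S1", "S2"], algorithm=alg)
        out[alg] = [lb.route(src, t) for src, t in requests]
    return out


if __name__ == "__main__":
    for alg, servers in figure_10_11().items():
        print(alg, servers)
```

    With round-robin, R2 follows R1 to S1 through stickiness and R4 lands on S1 again; with connection-rate, both R3 and R4 go to S2 because S1 already counts two connections inside the window.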

  • Page 519

    10.4.6. Setting Up SLB_SAT Rules

    The key component in setting up SLB is IP rules that have SLB_SAT as the action. The steps that should be followed for setting up such rules are:

    1. Define an IP address object for each server for which SLB is to be enabled.
    2. Define an IP address group object which includes all these individual objects.
    3. Define an[...]

  • Page 520

    Web Interface

    A. Create an Object for each of the webservers:

    1. Go to: Objects > Address Book > Add > IP4 Address
    2. Enter a suitable name, for example server1
    3. Enter the IP Address as 192.168.1.10
    4. Click OK
    5. Repeat the above to create an object called server2 for the 192.168.1.11 IP address

    B. Create a Group which contains the 2 we[...]

  • Page 521

    1. Go to: Rules > IP Rule Sets > main > Add > IP Rule
    2. Enter:
       • Name: Web_SLB_ALW
       • Action: Allow
       • Service: HTTP
       • Source Interface: any
       • Source Network: all-nets
       • Destination Interface: core
       • Destination Network: ip_ext
    3. Click OK


  • Page 523

    Chapter 11. High Availability

    This chapter describes the high availability fault-tolerance feature in NetDefend Firewalls.

    • Overview, page 523
    • HA Mechanisms, page 525
    • Setting Up HA, page 528
    • HA Issues, page 532
    • Upgrading an HA Cluster, page 534
    • Link Monitoring and HA, page 536
    • HA Advanced Settings, page 537

    11.1. Overview[...]

  • Page 524

    Special packets, known as heartbeats , are continually sent by NetDefendOS across the sync interface and all other interfaces from one unit to the other. These packets allow the health of both units to be monitored. Heartbeat packets are sent in both directions so that the passive unit knows about the health of the active unit and the active unit k[...]

  • Page 525

    11.2. HA Mechanisms

    This section discusses in more depth the mechanisms NetDefendOS uses to implement the high availability feature.

    Basic Principles

    D-Link HA provides a redundant, state-synchronized hardware configuration. The state of the active unit, such as the connection table and other vital information, is continuously copied to the inactiv[...]

  • Page 526

    10-00-00-00-nn-mm, where nn is a bit mask made up of the interface bus, slot and port on the master and mm represents the cluster ID. Link-level multicasts are used instead of normal unicast packets for security: using unicast packets would mean that a local attacker could fool switches into forwarding heartbeats somewhere else, so that the inactive system never recei[...]

  • Page 527

    to the slave unit. The slave is now the active unit. 5. After reconfiguration of the master is complete, failover occurs again so that the master once again becomes the active unit. Dealing with Sync Failure An unusual situation that can occur in an HA cluster is if the sync connection between the master and slave experiences a failure with the res[...]

  • Page 528

    11.3. Setting Up HA

    This section provides a step-by-step guide for setting up an HA Cluster.

    11.3.1. HA Hardware Setup

    The steps for the setup of hardware in an HA cluster are as follows:

    1. Start with two physically similar NetDefend Firewalls. Both may be newly purchased or an existing unit may have a new unit added to it. The master hardware doe[...]

  • Page 529

    The illustration below shows the arrangement of typical HA Cluster connections in a network. All interfaces on the master unit would normally also have corresponding interfaces on the slave unit and these would be connected to the same networks. This is achieved by connecting the same interfaces on both master and slave via a separate switch (or br[...]

  • Page 530

    4. Set the Cluster ID. This must be unique for each cluster.
    5. Choose the Sync Interface.
    6. Select the node type to be Master.
    7. Go to: Objects > Address Book and create an IP4 HA Address object for each interface pair. Each must contain the master and slave interface IP addresses for the pair. Creating an object is mandatory for an interf[...]

  • Page 531

    • If this is not the first cluster in a network then the Cluster ID must be changed for the cluster so that it is unique (the default value is 0). The Cluster ID ensures that the MAC address for the cluster is unique.
    • Enabling the advanced setting Use Unique Share MAC is recommended so that each interface has its own MAC address. If this [...]

  • Page 532

    11.4. HA Issues

    The following points should be kept in mind when managing and configuring an HA Cluster.

    All Cluster Interfaces Need IP Addresses

    All interfaces on both HA cluster units should have a valid private IP4 address object assigned to them. The predefined IP object local host could be assigned for this purpose. The need to assign an addre[...]

  • Page 533

    router. If OSPF is to work then there must be another designated router available in the same OSPF area as the cluster. Ideally, there will also be a second, backup designated router to provide OSPF metrics if the main designated router should fail.

    PPPoE Tunnels and DHCP Clients

    For reasons connected with the shared IP addresses of an HA cluster,[...]

  • Page 534

    11.5. Upgrading an HA Cluster

    The NetDefendOS software versions running on the master and slave in an HA cluster should be the same. When a new NetDefendOS version becomes available and is to be installed on both units, the upgrade is done one unit at a time. The central principle of the upgrade process for a cluster is that upgrading the inactive [...]

  • Page 535

    Now, connect to the active unit (which is still running the old NetDefendOS version) with a CLI console and issue the ha -deactivate command. This will cause the active unit to become inactive, and the inactive unit to become active.

        gw-world:/> ha -deactivate
        HA Was: ACTIVE
        HA going INACTIVE...

    To check that the failover has completed successfully, [...]

  • Page 536

    11.6. Link Monitoring and HA

    Redundant Network Paths

    When using an HA configuration, it can be important to use redundant paths to vital resources such as the Internet. The paths through the network from the master device in an HA configuration may fail, in which case it may be desirable to have this failure trigger a failover to the slave unit whic[...]

  • Page 537

    11.7. HA Advanced Settings

    The following NetDefendOS advanced settings are available for High Availability:

    Sync Buffer Size
    How much sync data, in Kbytes, to buffer while waiting for acknowledgments from the cluster peer.
    Default: 1024

    Sync Packet Max Burst
    The maximum number of state sync packets to send in a burst.
    Default: 20

    Initial Silence
    Th[...]


  • Page 539

    Chapter 12. ZoneDefense

    This chapter describes the D-Link ZoneDefense feature.

    • Overview, page 539
    • ZoneDefense Switches, page 540
    • ZoneDefense Operation, page 541

    12.1. Overview

    ZoneDefense Controls Switches

    ZoneDefense allows a NetDefend Firewall to control locally attached switches. It can be used as a counter-measure to stop a virus-in[...]

  • Page 540

    12.2. ZoneDefense Switches

    Switch information regarding every switch that is to be controlled by the firewall has to be manually specified in the firewall configuration. The information needed in order to control a switch includes:

    • The IP address of the management interface of the switch
    • The switch model type
    • The SNMP community string ([...]

  • Page 541

    12.3. ZoneDefense Operation

    12.3.1. SNMP

    Simple Network Management Protocol (SNMP) is an application layer protocol for complex network management. SNMP allows the managers and managed devices in a network to communicate with each other.

    SNMP Managers

    A typical managing device, such as a NetDefend Firewall, uses the SNMP protocol to monitor and con[...]

  • Page 542

    As a complement to threshold rules, it is also possible to manually define hosts and networks that are to be statically blocked or excluded. Manually blocked hosts and networks can be blocked by default or based on a schedule. It is also possible to specify which protocols and protocol port numbers are to be blocked. Exclude Lists can be created an[...]

  • Page 543

    2. For Addresses choose the object name of the firewall's interface address 192.168.1.1 from the Available list and put it into the Selected list.
    3. Click OK

    Configure an HTTP threshold of 10 connections/second:

    1. Go to: Traffic Management > Threshold Rules > Add > Threshold Rule
    2. For the Threshold Rule enter:
       • Name: HTTP-Thres[...]

  • Page 544

    actually starts blocking out the traffic matched by the rule. All switch models require a short period of latency time to implement blocking once the rule is triggered. Some models can activate blocking in less than a second while some models may require a minute or more. A second difference is the maximum number of rules supported by different swi[...]


  • Page 546

    Chapter 13. Advanced Settings

    This chapter describes the additional configurable advanced settings for NetDefendOS that are not already described in the manual. In the Web Interface these settings are found under System > Advanced Settings. The settings are divided up into the following categories:

    Note: Activating setting changes

    After any adv[...]

  • Page 547

    Block 0000 Src
    Block 0.0.0.0 as a source address.
    Default: Drop

    Block 0 Net
    Block 0.* as source addresses.
    Default: DropLog

    Block 127 Net
    Block 127.* as source addresses.
    Default: DropLog

    Block Multicast Src
    Block multicast addresses (224.0.0.0 - 255.255.255.255) as source addresses.
    Default: DropLog

    TTL Min
    The minimum TTL value accepted on receipt.
    Default[...]

  • Page 548

    Default: ValidateLogBad

    SecuRemoteUDP Compatibility
    Allow IP data to contain eight bytes more than the UDP total length field specifies. Check Point SecuRemote violates the NAT-T drafts.
    Default: Disabled

    IP Option Sizes
    Verifies the size of "IP options". These options are small blocks of information that may be added to the end of each IP hea[...]

  • Page 549

    IP Reserved Flag
    Indicates what NetDefendOS will do if there is data in the "reserved" fields of IP headers. In normal circumstances, these fields should read 0. Used by OS Fingerprinting.
    Default: DropLog

    Strip DontFragment
    Strip the Don't Fragment flag for packets equal to or smaller than the size specified by this setting.
    Default[...]
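    As an added example of what the source-address and header settings in this section check, the Python below parses a raw IPv4 header and applies Block 0000 Src, Block 0 Net, Block 127 Net, Block Multicast Src, TTL Min and IP Reserved Flag with the default actions listed above. It is not NetDefendOS code; the build_ipv4 helper, the IPValidator class, the ttl_min value of 3 and the droplog verdict for TTL Min (whose default is not shown in the text above) are assumptions.

```python
import struct
from ipaddress import IPv4Address

IPV4_HEADER = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, id,
                                 # flags+fragment offset, TTL, proto, csum, src, dst


def build_ipv4(src, dst, ttl=64, reserved_flag=False, payload=b""):
    """Construct a minimal 20-byte IPv4 header (checksum left at zero) plus
    payload. Only used here to make test packets for the validator."""
    flags_frag = 0x8000 if reserved_flag else 0
    header = struct.pack(IPV4_HEADER, 0x45, 0, 20 + len(payload), 0, flags_frag,
                         ttl, 17, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


class IPValidator:
    """Source-address and header checks modelled on this section's settings.

    check() returns (verdict, setting): verdict is "accept", "drop" (silent)
    or "droplog". ttl_min and the droplog verdict for TTL Min are assumptions.
    """

    def __init__(self, ttl_min=3):
        self.ttl_min = ttl_min

    def check(self, packet):
        if len(packet) < 20:
            return "droplog", "truncated header"
        (ver_ihl, _tos, _total, _ident, flags_frag, ttl, _proto, _csum,
         src, _dst) = struct.unpack(IPV4_HEADER, packet[:20])
        if ver_ihl >> 4 != 4:
            return "droplog", "not IPv4"
        first_octet = src[0]
        if src == b"\x00\x00\x00\x00":
            return "drop", "Block 0000 Src"            # Default: Drop
        if first_octet == 0:
            return "droplog", "Block 0 Net"            # Default: DropLog
        if first_octet == 127:
            return "droplog", "Block 127 Net"          # Default: DropLog
        if first_octet >= 224:                         # 224.0.0.0 - 255.255.255.255
            return "droplog", "Block Multicast Src"    # Default: DropLog
        if ttl < self.ttl_min:
            return "droplog", "TTL Min"                # verdict assumed
        if flags_frag & 0x8000:                        # the reserved (first) flag bit
            return "droplog", "IP Reserved Flag"       # Default: DropLog
        return "accept", ""


if __name__ == "__main__":
    v = IPValidator()
    for src in ("0.0.0.0", "0.1.2.3", "127.0.0.1", "239.1.1.1", "10.0.0.2"):
        print(src, v.check(build_ipv4(src, "10.0.0.1")))
```

    Note that the exact 0.0.0.0 check has to run before the 0.* check: the manual gives the two settings different default actions (Drop versus DropLog), and whichever matches first decides whether the event is logged.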

  • Page 550

    13.2. TCP Level Settings

    TCP Option Sizes
    Verifies the size of TCP options. This function acts in the same way as IPOptionSizes described above.
    Default: ValidateLogBad

    TCP MSS Min
    Determines the minimum permissible size of the TCP MSS. Packets containing maximum segment sizes below this limit are handled according to the next setting.
    Default: 100[...]

  • Page 551

    Default: 7000 bytes

    TCP Auto Clamping
    Automatically clamp the TCP MSS according to the MTU of the involved interfaces, in addition to TCPMSSMax.
    Default: Enabled

    TCP Zero Unused ACK
    Determines whether NetDefendOS should set the ACK sequence number field in TCP packets to zero if it is not used. Some operating systems reveal sequence number information this way[...]

  • Page 552

    Determines how NetDefendOS will handle alternate checksum request options. These options were initially intended to be used in negotiating the use of better checksums in TCP. However, they are not understood by any of today's standard systems. As NetDefendOS cannot understand checksum algorithms other than the standard algorithm, these optio[...]

  • Page 553

    Default: DropLog

    TCP SYN/FIN
    The TCP FIN flag together with SYN; normally invalid (strip=strip FIN).
    Default: DropLog

    TCP FIN/URG
    Specifies how NetDefendOS will deal with TCP packets with both FIN (Finish, close connection) and URG flags turned on. This should normally never occur, as it is not usually attempted to close a connection at the same ti[...]

  • Page 554

    Determines if the sequence number range occupied by a TCP segment will be compared to the receive window announced by the receiving peer before the segment is forwarded. TCP sequence number validation is only possible on connections tracked by the state-engine (not on packets forwarded using a FwdFast rule). Possible values are:

    • Ignore - Do not[...]
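    The Python below is an added example, not NetDefendOS code, of the TCP-level checks described in this section: the SYN/FIN and FIN/URG flag combinations, the port 0 checks from section 13.9, and the comparison of a segment's sequence range against the receiver's announced window, including 32-bit sequence wraparound. The build_tcp helper, the TCPValidator class, the mode names "ignore"/"validate", and the DropLog verdict for FIN/URG (its default is cut off in the text above) are assumptions.

```python
import struct

TCP_HEADER = "!HHIIBBHHH"   # sport, dport, seq, ack, offset/reserved, flags, window, csum, urg
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MOD32 = 1 << 32


def build_tcp(sport, dport, seq, ack, flags, window=65535, payload=b""):
    """Constructed 20-byte TCP header (no options, checksum zero) plus payload."""
    return struct.pack(TCP_HEADER, sport, dport, seq, ack, 5 << 4, flags,
                       window, 0, 0) + payload


def in_receive_window(seq, seg_len, rcv_nxt, rcv_wnd):
    """Segment acceptability test of RFC 793 section 3.3, with wraparound."""
    def inside(x):
        return (x - rcv_nxt) % MOD32 < rcv_wnd
    if seg_len == 0:
        return seq == rcv_nxt if rcv_wnd == 0 else inside(seq)
    if rcv_wnd == 0:
        return False                       # no room announced, data not acceptable
    return inside(seq) or inside((seq + seg_len - 1) % MOD32)


class TCPValidator:
    """Flag-combination, port 0 and sequence-number checks (model).

    check() returns (verdict, setting) with verdict "accept" or "droplog".
    seq_check is "ignore" or "validate" (names assumed, not the manual's).
    """

    def __init__(self, seq_check="validate"):
        self.seq_check = seq_check

    def check(self, segment, rcv_nxt=None, rcv_wnd=None):
        """rcv_nxt / rcv_wnd: the receiving peer's next expected sequence number
        and announced window, as recorded in the firewall's state entry."""
        if len(segment) < 20:
            return "droplog", "truncated header"
        (sport, dport, seq, _ack, off_res, flags, _win, _csum,
         _urg) = struct.unpack(TCP_HEADER, segment[:20])
        if sport == 0 or dport == 0:
            return "droplog", "Port 0"                 # Default: DropLog (13.9)
        if flags & SYN and flags & FIN:
            return "droplog", "TCP SYN/FIN"            # Default: DropLog
        if flags & FIN and flags & URG:
            return "droplog", "TCP FIN/URG"            # default assumed
        if self.seq_check == "validate" and rcv_nxt is not None:
            data_len = len(segment) - (off_res >> 4) * 4
            seg_len = data_len + bool(flags & SYN) + bool(flags & FIN)
            if not in_receive_window(seq, seg_len, rcv_nxt, rcv_wnd):
                return "droplog", "TCP Sequence Numbers"
        return "accept", ""


if __name__ == "__main__":
    v = TCPValidator()
    seg = build_tcp(40000, 80, 1000, 1, ACK | PSH, payload=b"GET / HTTP/1.0\r\n\r\n")
    print(v.check(seg, rcv_nxt=1000, rcv_wnd=8192))
    print(v.check(build_tcp(40000, 80, 1, 0, SYN | FIN)))
```

    A segment whose sequence range lies entirely outside the peer's window (for example an injected RST or data with a stale sequence number) is dropped and logged in "validate" mode but forwarded in "ignore" mode, which is the difference the setting controls.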

  • Page 555

    13.3. ICMP Level Settings

    ICMP Sends Per Sec Limit
    Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section.
    Defaul[...]

  • Page 556

    13.4. State Settings

    Connection Replace
    Allows new additions to the NetDefendOS connection list to replace the oldest connections if there is no available space.
    Default: ReplaceLog

    Log Open Fails
    In some instances where the Rules section determines that a packet should be allowed through, the stateful inspection mechanism may subsequently decide t[...]

  • Page 557

    Default: Log

    Log Connection Usage
    This generates a log message for every packet that passes through a connection that is set up in the NetDefendOS state-engine. Traffic whose destination is the NetDefend Firewall itself, for example NetDefendOS management traffic, is not subject to this setting. The log message includes port, service, source/destin[...]

  • Page 558

    13.5. Connection Timeout Settings

    The settings in this section specify how long a connection can remain idle, that is to say with no data being sent through it, before it is automatically closed. Please note that each connection has two timeout values: one for each direction. A connection is closed if either of the two values reaches 0.

    TCP SYN Idl[...]

  • Page 559

    Default: 12

    Other Idle Lifetime
    Specifies in seconds how long connections using an unknown protocol can remain idle before they are closed.
    Default: 130

  • Page 560

    13.6. Length Limit Settings

    This section contains information about the size limits imposed on the protocols directly under IP level, such as TCP, UDP and ICMP. The values specified here concern the IP data contained in packets. In the case of Ethernet, a single packet can contain up to 1480 bytes of IP data without fragmentation (a 1500-byte MTU minus a 20-byte IP header). In addition to th[...]

  • Page 561

    Specifies in bytes the maximum size of an AH packet. AH, Authentication Header, is used by IPsec where only authentication is applied. This value should be set at the size of the largest packet allowed to pass through the VPN connections, regardless of its original protocol, plus approx. 50 bytes.
    Default: 2000

    Max SKIP Length
    Specifies in bytes th[...]

  • Page 562

    13.7. Fragmentation Settings

    An IP datagram can be up to 65,535 bytes long, including its header. However, most media, such as Ethernet, cannot carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate packets, each one given its own IP header and information that will help the recipient reassemble the original packet correct[...]

  • Page 563

    Default: Check8 – compare 8 random locations, a total of 32 bytes

    Failed Fragment Reassembly
    Reassemblies may fail due to one of the following causes:

    • Some of the fragments did not arrive within the time stipulated by the ReassTimeout or ReassTimeLimit settings. This may mean that one or more fragments were lost on their way across the Intern[...]

  • Page 564

    • NoLog - No logging is carried out under normal circumstances.
    • LogSuspect - Logs duplicated fragments if the reassembly procedure has been affected by "suspect" fragments.
    • LogAll - Always logs duplicated fragments.

    Default: LogSuspect

    Fragmented ICMP
    Other than ICMP ECHO (Ping), ICMP messages should not normally be fragmented a[...]

  • Page 565

    Reassembly Illegal Limit
    Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in memory for this number of seconds so that further fragments of that packet can be dropped on arrival.
    Default: 60
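    The following Python is an added model, not NetDefendOS code, of the reassembly behaviour this section describes: fragments are collected per packet, overlapping fragments that carry different data mark the packet illegal, the packet id is then remembered for Reassembly Illegal Limit seconds so later fragments are dropped, and reassemblies that stall past ReassTimeout or ReassTimeLimit are recorded as failed. Offsets are in bytes rather than IP's 8-byte units, overlaps are compared over every shared byte rather than the Check8 sampling, and the timeout defaults (65 and 90 seconds) are assumptions since the text shown does not include them.

```python
class FragmentReassembler:
    """Model of IP fragment reassembly with this section's checks (not
    NetDefendOS code). Offsets are bytes here; IP encodes them in 8-byte
    units. reass_timeout (seconds between fragments) and reass_time_limit
    (seconds for the whole reassembly) have assumed defaults. Overlapping
    fragments are compared over every shared byte, which is stricter than
    the Check8 default of eight 4-byte samples. Illegal packet ids are
    remembered for illegal_limit seconds (Reassembly Illegal Limit, 60)."""

    def __init__(self, reass_timeout=65, reass_time_limit=90, illegal_limit=60):
        self.reass_timeout = reass_timeout
        self.reass_time_limit = reass_time_limit
        self.illegal_limit = illegal_limit
        self.pending = {}   # key -> {"first", "last", "frags", "total"}
        self.illegal = {}   # key -> time the packet was marked illegal
        self.failed = []    # (key, reason) log of failed reassemblies

    def _purge(self, now):
        for key, e in list(self.pending.items()):
            if (now - e["last"] >= self.reass_timeout
                    or now - e["first"] >= self.reass_time_limit):
                self.failed.append((key, "timeout"))
                del self.pending[key]
        for key, t in list(self.illegal.items()):
            if now - t >= self.illegal_limit:
                del self.illegal[key]

    def _mark_illegal(self, key, now, reason):
        self.failed.append((key, reason))
        self.illegal[key] = now
        self.pending.pop(key, None)
        return "illegal", None

    def add(self, key, offset, more_fragments, data, now):
        """Feed one fragment of packet `key` (e.g. (src, dst, id)). Returns
        (status, packet) with status 'pending', 'complete', 'illegal' or
        'drop' (fragment of a packet already marked illegal)."""
        self._purge(now)
        if key in self.illegal:
            return "drop", None
        e = self.pending.setdefault(
            key, {"first": now, "last": now, "frags": [], "total": None})
        e["last"] = now
        for off, d in e["frags"]:
            lo, hi = max(off, offset), min(off + len(d), offset + len(data))
            if lo < hi and d[lo - off:hi - off] != data[lo - offset:hi - offset]:
                return self._mark_illegal(key, now, "duplicate fragment data differs")
        e["frags"].append((offset, data))
        if not more_fragments:
            e["total"] = offset + len(data)     # last fragment fixes the length
        if e["total"] is None:
            return "pending", None
        buf, covered = bytearray(e["total"]), 0
        for off, d in sorted(e["frags"]):
            if off + len(d) > e["total"]:
                return self._mark_illegal(key, now, "fragment beyond packet end")
            if off > covered:
                return "pending", None           # gap before this fragment
            buf[off:off + len(d)] = d
            covered = max(covered, off + len(d))
        if covered < e["total"]:
            return "pending", None
        del self.pending[key]
        return "complete", bytes(buf)


if __name__ == "__main__":
    r = FragmentReassembler()
    pkt = ("10.0.0.1", "10.0.0.2", 1)       # constructed packet key
    print(r.add(pkt, 0, True, b"A" * 16, now=0))
    print(r.add(pkt, 8, False, b"C" * 8, now=1))   # overlaps with different data
    print(r.add(pkt, 8, False, b"A" * 8, now=2))   # dropped: packet is illegal
```

    The second fragment in the usage above overlaps the first with different bytes, the pattern used by fragment-overlap evasion, so the packet is marked illegal and its later fragments are dropped until the illegal entry expires.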

  • Page 566

    13.8. Local Fragment Reassembly Settings

    Max Concurrent
    Maximum number of concurrent local reassemblies.
    Default: 256

    Max Size
    Maximum size of a locally reassembled packet.
    Default: 10000

    Large Buffers
    Number of large (over 2K) local reassembly buffers (of the above size).
    Default: 32

  • Page 567

    13.9. Miscellaneous Settings

    UDP Source Port 0
    How to treat UDP packets with source port 0.
    Default: DropLog

    Port 0
    How to treat TCP/UDP packets with destination port 0 and TCP packets with source port 0.
    Default: DropLog

    Watchdog Time
    Number of non-responsive seconds before the watchdog is triggered (0=disable).
    Default: 180

    Flood Reboot Time
    As a fin[...]

  • Page 568

    Default: 512


  • Page 570

    Appendix A. Subscribing to Updates

    Overview

    The NetDefendOS Anti-Virus (AV) module, the Intrusion Detection and Prevention (IDP) module and the Dynamic Web Content Filtering module all function using external D-Link databases which contain details of the latest viruses, security threats and URL categorization. These databases are constantly being u[...]

  • Page 571

    An Anti-Virus update can similarly be initiated with the command:

        gw-world:/> updatecenter -update Antivirus

    Querying Update Status

    To get the status of IDP updates use the command:

        gw-world:/> updatecenter -status IDP

    To get the status of AV updates:

        gw-world:/> updatecenter -status Antivirus

    Querying Server Status

    To get the status of th[...]

  • Page 572

    Appendix B. IDP Signature Groups

    For IDP scanning, the following signature groups are available for selection. These groups are only available for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Policy. For further information see Section 6.5, "Intrusion Detection and Prevention".

    Group[...]

  • Page 573

    Group Name            Intrusion Type
    FTP_FORMATSTRING      Format string attack
    FTP_GENERAL           FTP protocol and implementation
    FTP_LOGIN             Login attacks
    FTP_OVERFLOW          FTP buffer overflow
    GAME_BOMBERCLONE      Bomberclone game
    GAME_GENERAL          Generic game servers/clients
    GAME_UNREAL           UnReal Game server
    HTTP_APACHE           Apache httpd
    HTTP_BADBLUE          Badblue web server
    HTTP_CGI              HTTP CGI
    HTT[...]

  • Page 574

    Group Name            Intrusion Type
    PBX_GENERAL           PBX
    POP3_DOS              Denial of Service for POP
    POP3_GENERAL          Post Office Protocol v3
    POP3_LOGIN-ATTACKS    Password guessing and related login attack
    POP3_OVERFLOW         POP3 server overflow
    POP3_REQUEST-ERRORS   Request Error
    PORTMAPPER_GENERAL    PortMapper
    PRINT_GENERAL         LP printing server: LPR LPD
    PRINT_OVERFLOW        Overflow of LPR/LP[...]

  • Page 575

    Group Name            Intrusion Type
    TFTP_DIR_NAME         Directory Name attack
    TFTP_GENERAL          TFTP protocol and implementation
    TFTP_OPERATION        Operation Attack
    TFTP_OVERFLOW         TFTP buffer overflow attack
    TFTP_REPLY            TFTP Reply attack
    TFTP_REQUEST          TFTP request attack
    TROJAN_GENERAL        Trojan
    UDP_GENERAL           General UDP
    UDP_POPUP             Pop-up window for MS Windows
    UPNP_GENERAL          UPNP
    VER[...]

  • Page 576

    Appendix C. Verified MIME filetypes

    Some NetDefendOS Application Layer Gateways (ALGs) have the optional ability to verify that the contents of a downloaded file matches the type that the filetype in the filename indicates. The filetypes for which MIME verification can be done are listed in this appendix and the ALGs to which this applies are:

    • [...]

  • Page 577

    Filetype extension    Application
    cpl                   Windows Control Panel Extension file
    dbm                   Database file
    dcx                   Graphics Multipage PCX Bitmap file
    deb                   Debian Linux Package file
    djvu                  DjVu file
    dll                   Windows dynamic link library file
    dpa                   DPA archive data
    dvi                   TeX Device Independent Document
    eet                   EET archive
    egg                   Allegro datafile
    elc                   Emacs Lisp Byte-compiled Source Code
    emd[...]

  • Page 578

    Filetype extension    Application
    mpg, mpeg             MPEG 1 System Stream, Video file
    mpv                   MPEG-1 Video file
    Microsoft files       Microsoft Office files, and other Microsoft files
    msa                   Atari MSA archive data
    niff, nif             Navy Interchange File Format Bitmap
    noa                   Nancy Video CODEC
    nsf                   NES Sound file
    obj, o                Windows object file, Linux object file
    ocx                   Object Linking and Embed[...]

  • Page 579

    Filetype extension    Application
    swf                   Macromedia Flash Format file
    tar                   Tape archive file
    tfm                   TeX font metric data
    tiff, tif             Tagged Image Format file
    tnef                  Transport Neutral Encapsulation Format
    torrent               BitTorrent Metainfo file
    ttf                   TrueType Font
    txw                   Yamaha TX Wave audio files
    ufa                   UFA archive data
    vcf                   vCard file
    viv                   VivoActive Player Streaming Video file[...]
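    As an added example of the kind of check the MIME verification described in this appendix performs, the Python below compares a filename's extension with the magic bytes at the start (or, for tar, at offset 257) of the content, for a subset of the filetypes listed. It is not NetDefendOS code: the manual lists the filetypes but not the signatures the ALGs use, so the SIGNATURES table, the function names and the sample files are assumptions; the magic numbers themselves are the publicly documented ones for those formats.

```python
# (offset, magic bytes) per extension. Publicly documented magic numbers for
# a subset of the filetypes in this appendix; the signatures the ALGs use are
# not published, so this table is an assumption of the example.
SIGNATURES = {
    "tar":  [(257, b"ustar")],
    "tiff": [(0, b"II*\x00"), (0, b"MM\x00*")],
    "tif":  [(0, b"II*\x00"), (0, b"MM\x00*")],
    "swf":  [(0, b"FWS"), (0, b"CWS"), (0, b"ZWS")],
    "deb":  [(0, b"!<arch>\n")],
    "dll":  [(0, b"MZ")],
    "ttf":  [(0, b"\x00\x01\x00\x00")],
    "mpg":  [(0, b"\x00\x00\x01\xba"), (0, b"\x00\x00\x01\xb3")],
    "mpeg": [(0, b"\x00\x00\x01\xba"), (0, b"\x00\x00\x01\xb3")],
    "djvu": [(0, b"AT&TFORM")],
    "dvi":  [(0, b"\xf7\x02")],
    "elc":  [(0, b";ELC")],
}


def _matches(content, sigs):
    return any(content[off:off + len(magic)] == magic for off, magic in sigs)


def sniff(content):
    """Extensions whose signature matches the content, whatever its name."""
    return sorted(ext for ext, sigs in SIGNATURES.items() if _matches(content, sigs))


def verify_filetype(filename, content):
    """Compare the filename's extension with the content's magic bytes.

    Returns ("match", ext), ("mismatch", what_the_content_looks_like) or
    ("unverified", ext) when the extension is not in the table, which is
    the case an ALG cannot decide on and would pass through unchecked."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in SIGNATURES:
        return "unverified", ext
    if _matches(content, SIGNATURES[ext]):
        return "match", ext
    return "mismatch", ",".join(sniff(content)) or "unknown"


# Constructed sample contents: a minimal tar header, a PE/DLL stub and a
# compressed SWF header.
TAR_SAMPLE = b"backup.txt".ljust(100, b"\x00") + b"\x00" * 157 + b"ustar\x00" + b"\x00" * 100
PE_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
SWF_SAMPLE = b"CWS\x0a\x00\x10\x00\x00" + b"\x78\x9c"

if __name__ == "__main__":
    for name, content in [("backup.tar", TAR_SAMPLE), ("holiday.tiff", PE_SAMPLE),
                          ("intro.swf", SWF_SAMPLE), ("readme.txt", b"hello")]:
        print(name, verify_filetype(name, content))
```

    The second sample is the interesting one: an executable renamed to .tiff fails verification and sniff() reports what the bytes actually look like, which is the situation an ALG with MIME verification enabled would block rather than deliver.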

  • Page 580

    Appendix D. The OSI Framework

    Overview

    The Open Systems Interconnection (OSI) model defines a framework for inter-computer communications. It categorizes different protocols for a great variety of network applications into seven smaller, more manageable layers. The model describes how data from an application in one computer can be transferred thro[...]

  • Page 581

    Alphabetical Index A access rules, 263 accounting, 65 interim messages, 67 limitations with NAT, 69 messages, 65 system shutdowns, 69 accounting and high availability, 68 address book, 88 Ethernet MAC addresses, 90 folders, 92 IP addresses in, 88 address groups, 91 excluding addresses, 91 address translation, 363 admin account, 30 changing password [...]

  • Page 582

    Auto Add Multicast Route setting, 230 autonomous system (see OSPF) Auto Save Interval (DHCP) setting, 258 Auto Save Policy (DHCP) setting, 258 auto-update, 83 B backing up configurations, 83 bandwidth guarantees, 495 banner files customizing, 334, 404 for web authentication, 404 for web content filtering, 334 parameters, 334, 405 blacklisting hosts[...]

  • Page 583

    Decrement TTL setting, 245 default access rule, 169, 263 Default TTL setting, 547 demilitarized zone (see DMZ) denial of service, 355 destination RLB algorithm, 190 DHCP, 249 displaying server info, 252 leases, 249 multiple servers, 250 over Ethernet, 109 relay advanced settings, 257 relaying, 256 server advanced settings, 251 server blacklist, 253[...]

  • Page 584

    heartbeats, 525 issues, 532 link monitor usage, 536 making OSPF work, 532 mechanisms, 525 physical interconnection, 523 resynchronizing units, 527 setting up, 528 sync failure, 527 unique shared MAC, 531 upgrading NetDefendOS, 534 with IDP and anti-virus, 526 with IPv6, 97 with transparent mode, 237 host monitoring for route failover, 177 HTML page[...]

  • Page 585

    IPsec Max Tunnels setting, 454 IPv6, 93 adding an address, 93 all-nets6 address object, 96 and management access, 96 enabling globally, 94 enabling on an interface, 94 enabling router advertisement, 95 grouping with IPv4, 96 in IP rules, 137 in routing rules, 186 with high availability, 97 with the ping command, 96 ip validation with config mode, 4[...]

  • Page 586

    Multicast TTL on Low setting, 547 multiple login authentication, 396 multiplex rules, 221 creating with CLI, 223 N NAT, 364 anonymizing with, 368 IP rules, 139 pools, 369 stateful pools, 369 traversal, 431 network address translation (see NAT) NTP (see time synchronization) Null Enet Sender setting, 245 O open shortest path first (see OSPF) OSPF, 1[...]

  • Page 587

    metrics, 165, 198 monitoring, 174 narrowest matching principle, 167 notation, 169 ordering parameter, 187 policy-based, 183 principles, 165 routes added at startup, 171 rules, 185 service-based, 183 source-based, 183 static, 165, 169 tables, 183 the all-nets route, 172 user-based, 183 S SA (see security association) SafeStream, 338 SAT, 372 all-to-[...]

  • Page 588

    syslog, 60 system backup/restore, 83 System Contact (SNMP) setting, 75 System Location (SNMP) setting, 75 System Name (SNMP) setting, 75 T tab completion (see CLI) TCP Auto Clamping setting, 551 TCP ECN setting, 553 TCP FIN/URG setting, 553 TCP FIN Idle Lifetime setting, 558 TCP Idle Lifetime setting, 558 TCP MSS Log Level setting, 550 TCP MSS Max s[...]

  • Page 589

    recommended browsers, 31 setting workstation IP, 31 WebUI (see web interface) WebUI Before Rules setting, 52 WebUI HTTP port setting, 52 WebUI HTTPS port setting, 53 whitelisting hosts and networks, 360 URLs, 320 wildcarding, 320 wildcarding in blacklists and whitelists, 282, 320 in IDP rules, 350 in static content filtering, 269 Windows CA certifi[...]