A good user manual
The rules should oblige the seller to give the purchaser an operating instruction for the D-Link DFL-1660 along with the item. The lack of an instruction, or false information given to the customer, constitutes grounds for a complaint because of nonconformity of the goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instruction be unambiguous and legible.
What is an instruction?
The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction for the D-Link DFL-1660 one can find a process description. An instruction's purpose is to teach, and to ease the start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a guide.
Unfortunately, only a few customers devote their time to reading the instruction for the D-Link DFL-1660. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid most defects.
What should a perfect user manual contain?
First and foremost, a user manual for the D-Link DFL-1660 should contain:
- information concerning the technical data of the D-Link DFL-1660
- name of the manufacturer and a year of construction of the D-Link DFL-1660 item
- rules of operation, control and maintenance of the D-Link DFL-1660 item
- safety signs and mark certificates which confirm compatibility with appropriate standards
Why don't we read the manuals?
Usually it results from a lack of time and from overconfidence about the functionalities of purchased items. Unfortunately, merely connecting and starting up the D-Link DFL-1660 is not enough. An instruction contains a number of hints concerning the respective functionalities, safety rules, maintenance methods (which means should be used), possible defects of the D-Link DFL-1660, and methods of problem resolution. Finally, when one still cannot find the answer to a problem, one will be directed to the D-Link service. Lately animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material, and will not skip the complicated, technical information about the D-Link DFL-1660.
Why should one read the manuals?
It is mostly in the manuals that we will find the details concerning the construction and capabilities of the D-Link DFL-1660 item, its use with the respective accessories, and information concerning all of its functions and facilities.
After a successful purchase of an item one should find a moment to get to know every part of the instruction. Currently the manuals are carefully prepared and translated, so that they can be fully understood by their users. The manuals will serve as an informational aid.
Table of contents for the manual
-
Page 1
Network Security Solution http://www.dlink.com DFL-210/800/1600/2500 DFL-260/860 Ver. 1.08 Network Security Firewall User Manual[...]
-
Page 2
User Manual DFL-210/260/800/860/1600/2500 NetDefendOS version 2.25.01 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2009-05-26 Copyright © 2009[...]
-
Page 3
User Manual DFL-210/260/800/860/1600/2500 NetDefendOS version 2.25.01 Published 2009-05-26 Copyright © 2009 Copyright Notice This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manual, nor any of the material contained herein, may be reprod[...]
-
Page 4
Table of Contents: Preface, 12; 1. NetDefendOS Overview[...]
-
Page 5
3.3.1. Overview, 80; 3.3.2. Ethernet Interfaces[...]
-
Page 6
5.3. Static DHCP Assignment, 185; 5.3.1. DHCP Advanced Settings, 185; 5.4. DHCP Relaying[...]
-
Page 7
7.3.7. SAT and FwdFast Rules, 298; 8. User Authentication[...]
-
Page 8
10.1.12. More Pipe Examples, 390; 10.2. IDP Traffic Shaping, 394; 10.2.1. Ov[...]
-
Page 9
List of Figures: 1.1. Packet Flow Schematic Part I, 20; 1.2. Packet Flow Schematic Part II[...]
-
Page 10
List of Examples: 1. Example Notation, 12; 2.1. Enabling remote management via HTTPS[...]
-
Page 11
4.12. if1 Configuration, 162; 4.13. if2 Configuration - Group Translation[...]
-
Page 12
Preface Intended Audience The target audience for this reference guide is Administrators who are responsible for configuring and managing D-Link Firewalls which are running the NetDefendOS operating system. This guide assumes that the reader has some basic knowledge of networks and network security. Text Structure and Conventions The text is broken[...]
-
Page 13
items in the tree-view list at the left of the interface or in the menu bar or in a context menu need to be opened followed by information about the data items that need to be entered: 1. Go to Item X > Item Y > Item Z 2. Now enter: • DataItem1: datavalue1 • DataItem2: datavalue2 Highlighted Content Special sections of text which the read[...]
-
Page 14
Chapter 1. NetDefendOS Overview This chapter outlines the key features of NetDefendOS. • Features, page 14 • NetDefendOS Architecture, page 17 • NetDefendOS State Engine Packet Flow, page 20 1.1. Features D-Link NetDefendOS is the base software engine that drives and controls an advanced range of D-Link Firewall products. NetDefendOS as a Net[...]
-
Page 15
Address Translation . VPN NetDefendOS supports a range of Virtual Private Network (VPN) solutions. NetDefendOS supports IPsec, L2TP and PPTP based VPNs concurrently, can act as either server or client for all of the VPN types, and can provide individual security policies for each VPN tunnel. The details for this can be found in Chapter 9, VPN which[...]
-
Page 16
hosts. These features are discussed in detail in Chapter 10, Traffic Management . Note Threshold Rules are only available on certain D-Link NetDefendOS models. Operations and Maintenance Administrator management of NetDefendOS is possible through either a Web-based User Interface (the WebUI) or via a Command Line Interface (the CLI). NetDefendOS als[...]
-
Page 17
1.2. NetDefendOS Architecture 1.2.1. State-based Architecture The NetDefendOS architecture is centered around the concept of state-based connections. Traditional IP routers or switches commonly inspect all packets and then perform forwarding decisions based on information found in the packet headers. With this approach, packets are forwarded withou[...]
-
Page 18
NetDefendOS Rule Sets Finally, rules which are defined by the administrator in the various rule sets are used for actually implementing NetDefendOS security policies. The most fundamental set of rules are the IP Rules , which are used to define the layer 3 IP filtering policy as well as carrying out address translation and server load balancing. Th[...]
-
Page 19
• TCP/UDP ports • ICMP types • Point in time in reference to a pre-defined schedule If a match cannot be found, the packet is dropped. If a rule is found that matches the new connection, the Action parameter of the rule decides what NetDefendOS should do with the connection. If the action is Drop, the packet is dropped and the event is logged[...]
-
Page 20
1.3. NetDefendOS State Engine Packet Flow The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next. Figure 1.1. Packet Flow Schematic Part I The packet flow is continued on the following page. 1.3. NetDefendOS State Engine Packet Flow Chapter 1. [...]
-
Page 21
Figure 1.2. Packet Flow Schematic Part II The packet flow is continued on the following page. 1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 21[...]
-
Page 22
Figure 1.3. Packet Flow Schematic Part III 1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 22[...]
-
Page 23
Apply Rules The figure below presents the detailed logic of the Apply Rules function in Figure 1.2, “Packet Flow Schematic Part II” above. Figure 1.4. Expanded Apply Rules Logic 1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 23[...]
-
Page 24
1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 24[...]
-
Page 25
Chapter 2. Management and Maintenance This chapter describes the management, operations and maintenance related aspects of NetDefendOS. • Managing NetDefendOS, page 25 • Events and Logging, page 49 • RADIUS Accounting, page 54 • SNMP Monitoring, page 59 • The pcapdump Command, page 62 • Maintenance, page 65 2.1. Managing NetDefendOS 2.1[...]
-
Page 26
Console Boot Menu Before NetDefendOS starts running, a console connected directly to the D-Link Firewall's RS232 port can be used to do basic configuration through the boot menu . This menu can be entered by pressing any console key between power-up and NetDefendOS starting. It is the D-Link firmware loader that is being accessed with the boot[...]
-
Page 27
Setting the Workstation IP The assigned D-Link Firewall interface and the workstation interface must be on the same IP network for initial communication between them to succeed, so the static IP address of the workstation must be set to the following values: • IP address: 192.168.1.30 • Subnet mask: 255.255.255.0 • Default gateway: 192.168.1.1 [...]
-
Page 28
It may occasionally be the case that a NetDefendOS upgrade might contain features that temporarily lack a complete non-English translation because of time constraints. In this case the original English will be used as a temporary solution. The Web Browser Interface On the left hand side of the WebUI is a tree which allows navigation to the various [...]
-
Page 29
• View Changes - List the changes made to the configuration since it was last saved. • Tools - Contains a number of tools that are useful for maintaining the system. • Status - Provides various status pages that can be used for system diagnostics. • Maintenance • Update Center - Manually update or schedule updates of the intrusion detecti[...]
-
Page 30
• Interface: any • Network: all-nets 5. Click OK Caution The above example is provided for informational purposes only. It is never recommended to expose any management interface to any user on the Internet. Logging out from the Web Interface When you have finished working in the Web Interface, you should always logout to prevent other users wi[...]
-
Page 31
gw-world:/> show Address IP4Address my_address The second part of the command specifies the object type and is necessary to identify what category of object the object name refers to (consider that the same name might exist in two different categories). Note The term category is sometimes referred to as the context of an object. A command like a[...]
-
Page 32
In a similar way, the " < " character before a tab can be used to automatically fill in the default value for a parameter if no value has yet been set. For example: add LogReceiverSyslog example Address=example_ip LogSeverity=< (tab) Will fill in the default value for LogSeverity : add LogReceiverSyslog example Address=example_ip Lo[...]
-
Page 33
gw-world:/> The categories that require an initial cc command before object manipulation have a "/" character following their names when displayed by a show command. For example: RoutingTable/ . Specifying Multiple Property Values Sometimes a command property may need multiple values. For example, some commands use the property Account[...]
-
Page 34
• The Remote Endpoint for IPsec, L2TP and PPTP tunnels. • The Host for LDAP servers. When DNS lookup needs to be done, at least one public DNS server must be configured in NetDefendOS for hostnames to be translated to IP addresses. Serial Console CLI Access The serial console port is a local RS-232 port on the D-Link Firewall that allows direct[...]
-
Page 35
2. Enter a Name for the SSH remote management policy, for example ssh_policy 3. Select the following from the dropdown lists: • User Database: AdminUsers • Interface: lan • Network: lannet 4. Click OK Logging on to the CLI When access to the CLI has been established to NetDefendOS through the serial console or an SSH client, the administrator[...]
-
Page 36
The CLI Reference Guide uses the command prompt gw-world:/> throughout. Note When the command line prompt is changed to a new string value, this string also appears as the new device name in the top level node of the WebUI tree-view. Activating and Committing Changes If any changes are made to the current configuration through the CLI, those cha[...]
-
Page 37
syntax of the command is described in the CLI Reference Guide and specific examples of usage are detailed in the following sections. See also Section 2.1.4, “The CLI” in this manual. Executing Scripts As mentioned above, the script -execute command launches a named script file that has been previously uploaded to the D-Link Firewall. For exampl[...]
-
Page 38
completing, the -verbose option should be used: gw-world:/> script -execute -name=my_script2.sgs -verbose Saving Scripts When a script file is uploaded to the D-Link Firewall, it is initially kept only in temporary RAM memory. If NetDefendOS restarts then any uploaded scripts will be lost from this volatile memory and must be uploaded again to r[...]
-
Page 39
create all IP4Address address objects in that unit's configuration. The created file's contents might, for example, be: add IP4Address If1_ip Address=10.6.60.10 add IP4Address If1_net Address=10.6.60.0/24 add IP4Address If1_br Address=10.6.60.255 add IP4Address If1_dns1 Address=141.1.1.1 " " " The file new_script_sgs can th[...]
-
Page 40
platforms. The command line examples below are based on the most common command format for SCP client software. SCP Command Format SCP command syntax is straightforward for most console based clients. The basic command used here is scp followed by the source and destination for the file transfer. Upload is done with the command: > scp <local_[...]
-
Page 41
Apart from the individual files, the objects types listed are: • HTTPALGBanners/ - The banner files for user authentication HTML. Uploading these is described further in Section 6.3.4.4, “Customizing HTML Pages” . • HTTPAuthBanner/ - The banner files for HTML ALG dynamic content filtering. Uploading these is described further in Section 6.3[...]
-
Page 42
Accessing the Console Boot Menu The boot menu is only accessible through a console device attached directly to the serial console located on the D-Link Firewall. It can be accessed through the console after the D-Link Firewall is powered up and before NetDefendOS is fully started. After powering up the D-Link Firewall, there is a 3 second interval [...]
-
Page 43
Initial Options with a Console Password Set If a console password is set then the initial options that appear when NetDefendOS loading is interrupted with a key press are shown below. The 1. Start firewall option re-continues the interrupted NetDefendOS startup process. If the 2. Login option is chosen, the console password must be entered and the [...]
-
Page 44
Default: 30 WebUI HTTP port Specifies the HTTP port for the Web Interface. Default: 80 WebUI HTTPS port Specifies the HTTP(S) port for the Web Interface. Default: 443 HTTPS Certificate Specifies which certificate to use for HTTPS traffic. Only RSA certificates are supported. Default: HTTPS 2.1.9. Working with Configurations The system configuration[...]
-
Page 45
2. A web page listing all services will be presented. A list contains the following basic elements: • Add Button - Displays a dropdown menu when clicked. The menu will list all types of configuration items that can be added to the list. • Header - The header row displays the titles of the columns in the list. The tiny arrow images next to each [...]
-
Page 46
CLI gw-world:/> set Service ServiceTCPUDP telnet Comments="Modified Comment" Show the object again to verify the new property value: gw-world:/> show Service ServiceTCPUDP telnet Property Value ----------------- ------- Name: telnet DestinationPorts: 23 Type: TCP SourcePorts: 0-65535 SYNRelay: No PassICMPReturn: No ALG: (none) MaxSe[...]
-
Page 47
5. Enter 192.168.10.10 in the IP Address textbox 6. Click OK 7. Verify that the new IP4 address object has been added to the list Example 2.7. Deleting a Configuration Object This example shows how to delete the newly added IP4Address object. CLI gw-world:/> delete Address IP4Address myhost Web Interface 1. Go to Objects > Address Book 2. Rig[...]
-
Page 48
* ServiceTCPUDP telnet A "+" character in front of the row indicates that the object has been added. A "*" character indicates that the object has been modified. A "-" character indicates that the object has been marked for deletion. Web Interface 1. Go to Configuration > View Changes in the menu bar A list of chang[...]
-
Page 49
2.2. Events and Logging 2.2.1. Overview The ability to log and analyze system activities is an essential feature of NetDefendOS. Logging enables not only monitoring of system status and health, but also allows auditing of network usage and assists in trouble-shooting. NetDefendOS defines a number of event messages , which are generated as a result [...]
-
Page 50
Web Interface. Syslog The de-facto standard for logging events from network devices. If other network devices are already logging to Syslog servers, using syslog with NetDefendOS messages can simplify overall administration. 2.2.3.1. Logging to Memlog Memlog is an optional NetDefendOS feature that allows logging direct to memory in the D-Link Firew[...]
-
Page 51
To enable logging of all events with a severity greater than or equal to Notice to a Syslog server with IP address 195.11.22.55, follow the steps outlined below: CLI gw-world:/> add LogReceiverSyslog my_syslog IPAddress=195.11.22.55 Web Interface 1. Go to System > Log and Event Receivers > Add > Syslog Receiver 2. Specify a suitable nam[...]
-
Page 52
• Category - What NetDefendOS subsystem is reporting the problem • ID - Unique identification within the category • Description - A short textual description • Action - What action is NetDefendOS taking This information can be cross-referenced to the Log Reference Guide . Note NetDefendOS sends SNMP Traps which are based on the SNMPv2c stan[...]
-
Page 53
The delay in seconds between alarms when a continuous alarm is used. Minimum 0, Maximum 10,000. Default: 60 (one minute) 2.2.4. Advanced Log Settings Chapter 2. Management and Maintenance 53[...]
-
Page 54
2.3. RADIUS Accounting 2.3.1. Overview Within a network environment containing large numbers of users, it is advantageous to have one or a cluster of central servers that maintain user account information and are responsible for authentication and authorization tasks. The central database residing on the dedicated server(s) contains all user creden[...]
-
Page 55
authentication server. • How Authenticated - How the user was authenticated. This is set to either RADIUS if the user was authenticated via RADIUS, or LOCAL if the user was authenticated via a local user database. • Delay Time - The time delay (in seconds) since the AccountingRequest packet was sent and the authentication acknowledgement was re[...]
-
Page 56
Note The (*) symbol in the above list indicates that the sending of the parameter is user configurable. 2.3.3. Interim Accounting Messages In addition to START and STOP messages NetDefendOS can optionally periodically send Interim Accounting Messages to update the accounting server with the current status of an authenticated user. An Interim Accoun[...]
-
Page 57
whenever a connection is closed. Two special accounting events are also used by the active unit to keep the passive unit synchronized: • An AccountingStart event is sent to the inactive member in an HA setup whenever a response has been received from the accounting server. This specifies that accounting information should be stored for a specific[...]
-
Page 58
Disabling the setting will mean that the user will be logged out if the RADIUS accounting server cannot be reached even though the user has been previously authenticated. Default: Enabled Logout at shutdown If there is an orderly shutdown of the D-Link Firewall by the administrator, then NetDefendOS will delay the shutdown until it has sent RADIUS [...]
-
Page 59
2.4. SNMP Monitoring Overview Simple Network Management Protocol (SNMP) is a standardized protocol for management of network devices. An SNMP compliant client can connect to a network device which supports the SNMP protocol to query and control it. NetDefendOS supports SNMP version 1 and version 2. Connection can be made by any SNMP compliant clien[...]
-
Page 60
SNMP access. Port 161 is usually used for SNMP and NetDefendOS always expects SNMP traffic on that port. Remote Access Encryption It should be noted that SNMP Version 1 or 2c access means that the community string will be sent as plain text over a network. This is clearly insecure if a remote client is communicating over the public Internet. It is [...]
-
Page 61
Default: Enabled SNMP Request Limit Maximum number of SNMP requests that will be processed each second by NetDefendOS. Should SNMP requests exceed this rate then the excess requests will be ignored by NetDefendOS. Default: 100 System Contact The contact person for the managed node. Default: N/A System Name The name for the managed node. Default: N/[...]
-
Page 62
2.5. The pcapdump Command A valuable diagnostic tool is the ability to examine the packets that enter and leave the interfaces of a D-Link Firewall. For this purpose, NetDefendOS provides the CLI command pcapdump which not only allows the examination of packet streams entering and leaving interfaces but also allows the filtering of these streams ac[...]
-
Page 63
It is possible to have multiple pcapdump executions being performed at the same time. The following points describe this feature: 1. All capture from all executions goes to the same memory buffer. The command can be launched multiple times with different interfaces specified. In this case the packet flow for the different executions will be grouped[...]
-
Page 64
Combining Filters It is possible to use several of these filter expressions together in order to further refine the packets that are of interest. For example we might want to examine the packets going to a particular destination port at a particular destination IP address. Compatibility with Wireshark The open source tool Wireshark (formerly called[...]
-
Page 65
2.6. Maintenance 2.6.1. Auto-Update Mechanism A number of the NetDefendOS security features rely on external servers for automatic updates and content filtering. The Intrusion Prevention and Detection system and Anti-Virus modules require access to updated signature databases in order to provide protection against the latest threats. To facilitate [...]
-
Page 66
snapshot of the state on November 21st, 2008. To restore a backup file, the administrator should upload the file to the D-Link Firewall. The name of the file does not need to be changed in any way and can retain the date since NetDefendOS will read a header in the file to determine what it is. Backup and Restore using the WebUI As an alternative to[...]
-
Page 67
1. Go to Tools > Backup 2. In Restore unit's configuration browse and locate the desired backup file 3. Click Upload configuration and then choose to activate that configuration This feature could, for example, be used to recall the "last known good" configuration when experimenting with different configuration setups. Note: Dynam[...]
-
Page 68
End of Life Procedures The restore to factory defaults option should also be used as part of the end of life procedure when a D-Link Firewall is taken out of operation and will no longer be used. As part of the decommissioning procedure, a restore to factory defaults should always be run in order to remove all sensitive information such as VPN sett[...]
-
Page 69
2.6.4. Restore to Factory Defaults Chapter 2. Management and Maintenance 69[...]
-
Page 70
Chapter 3. Fundamentals This chapter describes the fundamental logical objects upon which NetDefendOS is built. These objects include such items as addresses, services and schedules. In addition, the chapter explains how the various supported interfaces work, it outlines how security policies are constructed and how basic system settings are config[...]
-
Page 71
The numbers 0-32 correspond to the number of binary ones in the netmask. For example: 192.168.0.0/24 . IP Range A range of IP addresses is represented on the form a.b.c.d - e.f.g.h . Note that ranges are not limited to netmask boundaries. They may include any span of IP addresses. For example, 192.168.0.10-192.168.0.15 represents six hosts in conse[...]
-
Page 72
1. Go to Objects > Address Book > Add > IP address 2. Specify a suitable name for the IP Range, for example wwwservers . 3. Enter 192.168.10.16-192.168.10.21 as the IP Address 4. Click OK Example 3.4. Deleting an Address Object To delete an object named wwwsrv1 in the Address Book, do the following: CLI gw-world:/> delete Address IP4Add[...]
-
Page 73
2. Specify a suitable name for the Ethernet Address object, for example wwwsrv1_mac 3. Enter 08-a3-67-bc-2e-f2 as the MAC Address 4. Click OK 3.1.4. Address Groups Groups Simplify Configuration Address objects can be grouped in order to simplify configuration. Consider a number of public servers that should be accessible from the Internet. The serv[...]
-
Page 74
all-nets The all-nets IP address object is initialized to the IP address 0.0.0.0/0 , thus representing all possible IP addresses. This object is used extensively throughout the configuration. 3.1.6. Address Book Folders In order to help organise large numbers of entries in the address book, it is possible to create Address Book folders . These fold[...]
-
Page 75
3.2. Services 3.2.1. Overview A Service object is a reference to a specific IP protocol with associated parameters. A Service definition is usually based on one of the major transport protocols such as TCP or UDP, with the associated port number(s). The HTTP service, for instance, is defined as using the TCP protocol with associated port 80. Howeve[...]
-
Page 76
To view a specific service in the system: CLI gw-world:/> show Service ServiceTCPUDP echo The output will look similar to the following listing: Property Value ----------------- ---------------- Name: echo DestinationPorts: 7 Type: TCPUDP (TCP/UDP) SourcePorts: 0-65535 PassICMPReturn: No ALG: (none) MaxSessions: 1000 Comments: Echo service Web I[...]
-
Page 77
Port Ranges Some services use a range of destination ports. As an example, the NetBIOS protocol used by Microsoft Windows uses destination ports 137 to 139. To define a range of ports in a TCP/UDP Service object, the format mmm-nnn is used. A port range is inclusive, meaning that a range specified as 137-139 covers ports 137, 138 and 139. Multiple [...]
-
Page 78
Max Sessions An important parameter associated with a Service is Max Sessions . This parameter is allocated a default value when the Service is associated with an ALG. The default value varies according to the ALG it is associated with. If the default is, for example 100 , this would mean that only 100 connections are allowed in total for this Serv[...]
-
Page 79
• Source Quenching: the source is sending data too fast for the receiver, the buffer has filled up. • Time Exceeded: the packet has been discarded as it has taken too long to be delivered. 3.2.4. Custom IP Protocol Services Services that run over IP and perform application/transport layer functions can be uniquely identified by IP protocol numb[...]
-
Page 80
3.3. Interfaces 3.3.1. Overview An Interface is one of the most important logical building blocks in NetDefendOS. All network traffic that passes through or gets terminated in the system is done so through one or several interfaces. An interface can be seen as a doorway for network traffic to or from the system. Thus, when traffic enters the system[...]
-
Page 81
found in Section 9.5, “PPTP/L2TP” . • GRE interfaces are used to establish GRE tunnels. More information about this topic can be found in Section 3.3.5, “GRE Tunnels” . Even though the various types of interfaces are very different in the way they are implemented and how they work, NetDefendOS treats all interfaces as logical IP interface[...]
-
Page 82
progressively smaller as the transmission rates get faster from normal Ethernet to Fast Ethernet and then Gigabit Ethernet. Each NetDefendOS Ethernet interface corresponds to a physical Ethernet port in the system. The number of ports, their link speed and the way the ports are realized, is dependent on the hardware model. Note: Additional switch p[...]
-
Page 83
The CLI command to do this would be: gw-world:/> set Address IP4Address ip_lan Address=10.1.1.2 This same operation could also be done through the Web Interface. A summary of CLI commands that can be used with Ethernet interfaces can be found in Section 3.3.2.1, “Useful CLI Commands for Ethernet Interfaces” . Network Addresses In addition to[...]
-
Page 84
Ethernet interfaces can also be examined through the Web Interface but for some operations the CLI must be used. To show the current interface assigned to the IP address wan_ip:

gw-world:/> show Address IP4Address InterfaceAddresses/wan_ip

Property              Value
--------------------- ---------------------------
Name:                 wan_ip
Address:              0.0.0.0
UserAuthGro[...]
Page 85
gw-world:/> set Address IP4Address InterfaceAddresses/wan_ip Address=172.16.5.1
Modified IP4Address InterfaceAddresses/wan_ip.

The CLI can be used to enable DHCP on the interface:

gw-world:/> set Interface Ethernet wan DHCPEnabled=yes
Modified Ethernet wan.

Some interface settings are accessible only through a related set of CLI commands. The[...]
Page 86
VLAN Operation

NetDefendOS follows the IEEE 802.1Q specification for VLAN. On a protocol level, VLAN works by adding a Virtual LAN Identifier (VLAN ID) to Ethernet frame headers. The VLAN ID is a number from 0 up to 4095 which is used to identify the specific Virtual LAN to which the frame belongs. In this way, Ethernet frames can belong to differe[...]
Page 87
1. Go to Interfaces > VLAN > Add > VLAN
2. Enter a suitable name for the VLAN, in this case VLAN10
3. Now enter:
   • Interface: lan
   • VLAN ID: 10
4. Click OK

VLAN advanced settings

There is a single advanced setting for VLAN:

Unknown VLAN Tags
What to do with VLAN packets tagged with an unknown ID.
Default: DropLog

3.3.4. PPPoE

3.3.4.1. [...]
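The 802.1Q tagging described in "VLAN Operation" and the "Unknown VLAN Tags" setting above, modelled as an added example (not NetDefendOS code): it decodes the VLAN ID from a frame header and drops and logs frames whose ID has no VLAN interface defined. The MAC addresses, frame bytes and the {10: "VLAN10"} interface table are constructed sample data.

```python
"""Decode the 802.1Q tag of an Ethernet frame and apply an "Unknown VLAN Tags" policy.

Added example, not NetDefendOS code. It models what the section describes: the
VLAN ID (0..4095) lives in the frame header, and a frame tagged with an ID for
which no VLAN interface exists is handled by the "Unknown VLAN Tags" setting,
whose default is DropLog. Frame bytes, MAC addresses and the VLAN interface
table are constructed here.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ETHERTYPE_8021Q = 0x8100  # TPID announcing an 802.1Q tag


@dataclass
class Frame:
    dst_mac: bytes
    src_mac: bytes
    vlan_id: Optional[int]  # None when the frame carries no 802.1Q tag
    priority: int           # 3-bit PCP field, 0 when untagged
    ethertype: int          # EtherType of the encapsulated payload
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header and, if present, the 4-byte 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    offset, vlan_id, priority = 14, None, 0
    if ethertype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI = 3 bits PCP | 1 bit DEI | 12 bits VLAN ID; then the real EtherType
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        priority, vlan_id, offset = tci >> 13, tci & 0x0FFF, 18
    return Frame(dst, src, vlan_id, priority, ethertype, raw[offset:])


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, priority: int = 0) -> bytes:
    """Inverse of parse_frame, used here only to construct sample input."""
    header = struct.pack("!6s6s", dst_mac, src_mac)
    if vlan_id is None:
        return header + struct.pack("!H", ethertype) + payload
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must be 0..4095")
    tci = (priority << 13) | vlan_id
    return header + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def classify(frame: Frame, vlan_interfaces: Dict[int, str], base_interface: str = "lan",
             unknown_vlan_tags: str = "DropLog") -> Tuple[Optional[str], str, Optional[str]]:
    """Return (interface, action, log_line) for a frame arriving on base_interface.

    vlan_interfaces maps VLAN IDs to the VLAN interfaces defined on top of
    base_interface, e.g. {10: "VLAN10"} from the example above. Untagged frames
    belong to the base interface itself; tagged frames with an unknown ID are
    dropped, and logged as well when the setting is DropLog.
    """
    if frame.vlan_id is None:
        return base_interface, "Accept", None
    if frame.vlan_id in vlan_interfaces:
        return vlan_interfaces[frame.vlan_id], "Accept", None
    log = None
    if unknown_vlan_tags == "DropLog":
        log = f"unknown VLAN tag {frame.vlan_id} from {frame.src_mac.hex(':')} on {base_interface}"
    return None, "Drop", log


# Constructed sample data: the VLAN10 interface on lan from the example above,
# one frame for it, one frame tagged with an undefined ID, and one untagged ARP frame.
VLAN_INTERFACES = {10: "VLAN10"}
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
IPV4_PAYLOAD = b"\x45" + b"\x00" * 19
FRAME_VLAN10 = build_frame(DST_MAC, SRC_MAC, 0x0800, IPV4_PAYLOAD, vlan_id=10, priority=5)
FRAME_VLAN20 = build_frame(DST_MAC, SRC_MAC, 0x0800, IPV4_PAYLOAD, vlan_id=20)
FRAME_UNTAGGED = build_frame(DST_MAC, SRC_MAC, 0x0806, b"\x00" * 28)

if __name__ == "__main__":
    for raw in (FRAME_VLAN10, FRAME_VLAN20, FRAME_UNTAGGED):
        frame = parse_frame(raw)
        print(frame.vlan_id, frame.priority, hex(frame.ethertype), classify(frame, VLAN_INTERFACES))
```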
Page 88
Microsoft CHAP (version 1 and 2). If authentication is used, at least one of the peers has to authenticate itself before the network layer protocol parameters can be negotiated using NCP. During the LCP and NCP negotiation, optional parameters such as encryption can be negotiated.

3.3.4.2. PPPoE Client Configuration

The PPPoE interface

Since the P[...]
Page 89
• The IP address specified, or possibly the address assigned by the PPPoE server when unnumbered PPPoE is not forced, will serve as the IP address of the PPPoE client interface. This will be used as the local IP address for traffic leaving the interface when the traffic is originated or NATed by the D-Link Firewall.

Example 3.12. Configuring a PP[...]
Page 90
network such as the Internet. The two networks being connected together communicate with a common protocol which is tunneled using GRE through the intervening network.

Examples of GRE usage are:
• Traversing network equipment that blocks a particular protocol.
• Tunneling IPv6 traffic across an IPv4 network.
• Where a UDP data stream is to be[...]
Page 91
An Example GRE Scenario

The diagram above shows a typical GRE scenario, where two D-Link Firewalls A and B must communicate with each other through the intervening internal network 172.16.0.0/16. Any traffic passing between A and B is tunneled through the intervening network using a GRE tunnel and since the network is internal and not public there[...]
Page 92
Name    Action  Src Interface  Src Network   Dest Interface  Dest Network  Service
To_B    Allow   lan            lannet        GRE_to_B        remote_net_B  All
From_B  Allow   GRE_to_B       remote_net_B  lan             lannet        All

Setup for D-Link Firewall "B"

Assuming that the network 192.168.11.0/24 is lannet on the lan interface, the steps for setting up NetDefendOS on B are as follows:
1. In [...]
Page 93
Web Interface
1. Go to Interfaces > Interface Groups > Add > InterfaceGroup
2. Enter the following information to define the group:
   • Name: The name of the group to be used later
   • Security/Transport Equivalent: If enabled, the interface group can be used as a destination interface in rules where connections might need to be moved betw[...]
Page 94
3.4. ARP

3.4.1. Overview

Address Resolution Protocol (ARP) maps a network layer protocol address to a data link layer hardware address; it is used to resolve an IP address into its corresponding Ethernet address. ARP operates at the OSI Data Link Layer (Layer 2 - see Appendix D, The OSI Framework) and is encapsulated by Eth[...]
Page 95
The default expiration time for dynamic ARP entries is 900 seconds (15 minutes). This can be changed by modifying the advanced setting ARP Expire.

The setting ARP Expire Unknown specifies how long NetDefendOS will remember addresses that cannot be reached. This is done to ensure that NetDefendOS does not continuously request such addresses. The de[...]
Page 96
hash size for VLAN interfaces only. The default value is 64.

3.4.4. Static and Published ARP Entries

NetDefendOS supports defining static ARP entries (static binding of IP addresses to Ethernet addresses) as well as publishing IP addresses with a specific Ethernet address.

Static ARP Entries

Static ARP items may help in situations where a device i[...]
Page 97
Another use is publishing multiple addresses on an external interface, enabling NetDefendOS to statically address translate communications to these addresses and send them onwards to internal servers with private IP addresses.

There are two publishing modes: Publish and XPublish. The difference between the two is that XPublish "lies" about [...]
Page 98
The advanced setting ARP Changes can be changed to modify this behavior. The default behavior is that NetDefendOS will allow changes to take place, but all such changes will be logged.

Another, similar situation occurs when information in ARP replies or ARP requests could collide with static entries in the ARP cache. Naturally, this should never b[...]
Page 99
ARP Requests
Determines if NetDefendOS will automatically add the data in ARP requests to its ARP table. The ARP specification states that this should be done, but as this procedure can facilitate hijacking of local connections, it is not normally allowed. Even if ARPRequests is set to "Drop", meaning that the packet is discarded without [...]
Page 100
Default: DropLog

ARP cache size
How many ARP entries there can be in the cache in total.
Default: 4096

ARP Hash Size
Hashing is used to rapidly look up entries in a table. For maximum efficiency, the hash size should be twice as large as the table it is indexing. If the largest directly-connected LAN contains 500 IP addresses then the size of the A[...]
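The ARP cache rules laid out in Section 3.4 (900 second ARP Expire, static entries, logged ARP Changes, ARP Requests not learned, the 4096 entry cache size) pulled together in one model, as an added example and not NetDefendOS code. Addresses, MACs and timestamps are constructed; how NetDefendOS itself resolves a collision with a static entry is cut off on the page, so treating it as a logged collision that leaves the static entry untouched is this example's assumption.

```python
"""ARP cache model following the ARP settings described in this section.

Added example, not NetDefendOS code. It implements the behaviour the manual
states: dynamic entries expire after ARP Expire seconds (default 900), static
entries are never overwritten by received ARP data (a mismatch is treated as a
collision and logged, an assumption), a changed hardware address for a dynamic
entry is accepted but logged (the ARP Changes default), sender data in ARP
requests is not learned (the ARP Requests default), and the cache holds at most
ARP cache size entries (default 4096). Addresses and timestamps are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ArpEntry:
    mac: str
    static: bool
    updated_at: float  # seconds; only meaningful for dynamic entries


@dataclass
class ArpCache:
    arp_expire: int = 900              # lifetime of a dynamic entry, seconds
    cache_size: int = 4096             # maximum number of entries in total
    allow_changes: bool = True         # ARP Changes default: allow, but log
    learn_from_requests: bool = False  # ARP Requests default: do not learn
    entries: Dict[str, ArpEntry] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def add_static(self, ip: str, mac: str) -> None:
        """Static binding of an IP address to an Ethernet address."""
        self.entries[ip] = ArpEntry(mac, static=True, updated_at=0.0)

    def expire(self, now: float) -> List[str]:
        """Drop dynamic entries older than arp_expire; return the IPs removed."""
        stale = [ip for ip, e in self.entries.items()
                 if not e.static and now - e.updated_at > self.arp_expire]
        for ip in stale:
            del self.entries[ip]
        return stale

    def observe(self, op: str, sender_ip: str, sender_mac: str, now: float) -> str:
        """Process the sender fields of a received ARP packet (op: request/reply).

        Returns one of: ignored, learned, refreshed, changed, static, collision,
        rejected, full.
        """
        self.expire(now)
        if op == "request" and not self.learn_from_requests:
            return "ignored"  # learning from requests would ease local hijacking
        current = self.entries.get(sender_ip)
        if current is None:
            if len(self.entries) >= self.cache_size:
                self.log.append(f"{now}: ARP cache full, not learning {sender_ip}")
                return "full"
            self.entries[sender_ip] = ArpEntry(sender_mac, static=False, updated_at=now)
            return "learned"
        if current.static:
            if current.mac != sender_mac:
                self.log.append(f"{now}: ARP {op} for {sender_ip} claims {sender_mac}, "
                                f"static entry says {current.mac}")
                return "collision"
            return "static"
        if current.mac != sender_mac:
            self.log.append(f"{now}: ARP {op} changes {sender_ip} from "
                            f"{current.mac} to {sender_mac}")
            if not self.allow_changes:
                return "rejected"
            current.mac = sender_mac
            current.updated_at = now
            return "changed"
        current.updated_at = now
        return "refreshed"

    def lookup(self, ip: str, now: float) -> Optional[str]:
        self.expire(now)
        entry = self.entries.get(ip)
        return entry.mac if entry else None


def demo() -> ArpCache:
    """Constructed traffic: a protected server, a workstation and a spoofed reply."""
    cache = ArpCache()
    cache.add_static("10.1.1.1", "00:11:22:33:44:01")                  # protected server
    cache.observe("reply", "10.1.1.50", "00:11:22:33:44:50", now=0)    # learned
    cache.observe("request", "10.1.1.60", "00:11:22:33:44:60", now=1)  # ignored
    cache.observe("reply", "10.1.1.1", "de:ad:be:ef:00:01", now=2)     # collision, logged
    cache.observe("reply", "10.1.1.50", "00:11:22:33:44:51", now=100)  # changed, logged
    return cache


if __name__ == "__main__":
    c = demo()
    print(c.lookup("10.1.1.50", now=500), c.lookup("10.1.1.50", now=1001))
    print("\n".join(c.log))
```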
Page 101
3.5. The IP Rule Set

3.5.1. Security Policies

Common Policy Characteristics

NetDefendOS Security Policies, designed by the administrator, regulate the way in which traffic can flow through the D-Link Firewall. Policies in NetDefendOS are defined by different NetDefendOS rule sets. These rule sets share a common means of specifying filtering criteri[...]
Page 102
When specifying the filtering criteria in any of the rule sets specified above there are three useful pre-defined options that can be used:
• For a Source or Destination Network, the all-nets option is equivalent to the IP address 0.0.0.0/0 which will mean that any IP address is acceptable.
• For Source or Destination Interface, the any option [...]
Page 103
This description of traffic flow is an extremely simplified version of the full flow description found in Section 1.3, “NetDefendOS State Engine Packet Flow”. For example, before the route lookup is done, NetDefendOS actually first checks that the source network for the traffic should, in fact, be arriving on the interface where it was receive[...]
Page 104
second rule. See Section 7.3, “SAT” for more information on this topic.

Non-matching Traffic

Incoming packets that do not match any rule in the rule set and that do not have an already opened matching connection in the state table will automatically be subject to a Drop action. For explicitness there should be a rule called DropAll as the fina[...]
Page 105
The exception to this bi-directional flow is FwdFast rules. If the FwdFast action is used, the rule will not allow traffic to flow from the destination back to the source. If bi-directional flow is required then two FwdFast rules are needed, one for each direction. This is also the case if a FwdFast rule is used with a SAT rule.

Using Reject

In c[...]
Page 106
Return to the top level:

gw-world:/main> cc

Configuration changes must be saved by then issuing an activate followed by a commit command.

Web Interface
1. Go to Rules > IP Rules > Add > IPRule
2. Specify a suitable name for the rule, for example LAN_HTTP
3. Now enter:
   • Name: A suitable name for the rule. For example lan_http
   • Acti[...]
Page 107
3.6. Schedules

In some scenarios, it might be useful to control not only what functionality is enabled, but also when that functionality is being used. For instance, the IT policy of an enterprise might stipulate that web traffic from a certain department is only allowed access outside that department during normal office hours. Another example mig[...]
Page 108
Return to the top level:

gw-world:/main> cc

Configuration changes must be saved by then issuing an activate followed by a commit command.

Web Interface
1. Go to Objects > Schedules > Add > Schedule
2. Enter the following:
   • Name: OfficeHours
3. Select 08-17, Monday to Friday in the grid
4. Click OK

1. Go to Rules > IP Rules > Ad[...]
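The rule-set semantics of Section 3.5 (first match wins, all-nets and any as wildcards, implicit Drop with an explicit DropAll) combined with the OfficeHours schedule of Section 3.6, as an added example that is not NetDefendOS code. The rule names, the 192.168.1.0/24 lannet, the dns service and the timestamps are constructed; SAT, NAT and FwdFast are deliberately not modelled.

```python
"""First-match evaluation of an IP rule set, with a schedule bound to one rule.

Added example, not NetDefendOS code. It models what Sections 3.5 and 3.6 state:
rules are tried top-down and the first match decides; all-nets stands for
0.0.0.0/0 and any for every interface; a rule with a schedule only matches
while the schedule is active (OfficeHours, 08-17 Monday to Friday, as in the
example above); and a packet matching no rule is dropped, which an explicit
DropAll rule makes visible. Networks, services and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Schedule:
    name: str
    start_hour: int              # inclusive, e.g. 8
    end_hour: int                # exclusive, e.g. 17
    weekdays: Tuple[int, ...]    # Monday = 0 ... Sunday = 6

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start_hour <= when.hour < self.end_hour


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # Allow, Drop or Reject (SAT, NAT and FwdFast are not modelled here)
    src_iface: str       # interface name or "any"
    src_net: str         # CIDR network or "all-nets"
    dst_iface: str
    dst_net: str
    service: str         # service name or "all_services"
    schedule: Optional[Schedule] = None


@dataclass(frozen=True)
class Packet:
    src_iface: str
    src_ip: str
    dst_iface: str
    dst_ip: str
    service: str


def net_matches(rule_net: str, ip: str) -> bool:
    if rule_net == "all-nets":                 # equivalent to 0.0.0.0/0
        return True
    return ip_address(ip) in ip_network(rule_net, strict=False)


def iface_matches(rule_iface: str, iface: str) -> bool:
    return rule_iface == "any" or rule_iface == iface


def rule_matches(rule: Rule, pkt: Packet, when: datetime) -> bool:
    if rule.schedule is not None and not rule.schedule.active(when):
        return False                           # outside the schedule the rule is skipped
    return (iface_matches(rule.src_iface, pkt.src_iface)
            and iface_matches(rule.dst_iface, pkt.dst_iface)
            and net_matches(rule.src_net, pkt.src_ip)
            and net_matches(rule.dst_net, pkt.dst_ip)
            and rule.service in (pkt.service, "all_services"))


def evaluate(rules: List[Rule], pkt: Packet, when: datetime) -> Tuple[str, Optional[str]]:
    """Return (action, rule name); the first matching rule wins.

    Traffic matching no rule is dropped silently, which is why the manual
    recommends a final, explicit DropAll rule: it turns the implicit drop into
    a named, loggable decision.
    """
    for rule in rules:
        if rule_matches(rule, pkt, when):
            return rule.action, rule.name
    return "Drop", None


# Constructed rule set: scheduled web access from lannet, always-on DNS, explicit DropAll.
OFFICE_HOURS = Schedule("OfficeHours", 8, 17, (0, 1, 2, 3, 4))
RULES = [
    Rule("lan_http", "Allow", "lan", "192.168.1.0/24", "any", "all-nets", "http", OFFICE_HOURS),
    Rule("lan_dns", "Allow", "lan", "192.168.1.0/24", "any", "all-nets", "dns"),
    Rule("DropAll", "Drop", "any", "all-nets", "any", "all-nets", "all_services"),
]
WEB_FROM_LAN = Packet("lan", "192.168.1.10", "wan", "203.0.113.5", "http")

if __name__ == "__main__":
    for when in (datetime(2008, 2, 26, 10, 0), datetime(2008, 2, 26, 20, 0), datetime(2008, 3, 1, 10, 0)):
        print(when, evaluate(RULES, WEB_FROM_LAN, when))
```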
Page 109
3.7. Certificates

3.7.1. Overview

X.509

NetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. This involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication. References in this manual to a certificate mean an X.509 certificate. A certifica[...]
Page 110
Note: A CA is sometimes referred to as a "certification authority".

Validity Time

A certificate is not valid forever. Each certificate contains the dates between which the certificate is valid. When this validity period expires, the certificate can no longer be used, and a new certificate has to be issued.

Important: Make sure the NetDefend[...]
Page 111
3.7.2. Certificates in NetDefendOS

Certificates can be uploaded to NetDefendOS for use in IKE/IPsec authentication, Webauth, etc. There are two types of certificates that can be uploaded: self-signed certificates and remote certificates belonging to a remote peer or CA server. Self-signed certificates can be generated by using one of a number of fr[...]
Page 112
• Convert the .pfx file into the .pem format.
• Take out the relevant parts of the .pem file to form the required .cer and .key files.

The detailed steps for the above stages are as follows:
1. Create the gateway certificate on the Windows CA server and export it to a .pfx file on the local NetDefendOS management workstation disk.
2. Now conver[...]
Page 113
3.8. Date and Time

3.8.1. Overview

Correctly setting the date and time is important for NetDefendOS to operate properly. Time scheduled policies, auto-update of the IDP and Anti-Virus databases, and other product features require that the system clock is accurately set. In addition, log messages are tagged with time-stamps in order to indicate when[...]
Page 114
The NetDefendOS time zone setting reflects the time zone where the D-Link Firewall is physically located.

Example 3.22. Setting the Time Zone

To modify the NetDefendOS time zone to be GMT plus 1 hour, follow the steps outlined below:

CLI
gw-world:/> set DateTime Timezone=GMTplus1

Web Interface
1. Go to System > Date and Time
2. Select (GMT+01[...]
Page 115
other network devices.

Time Synchronization Protocols

Time Synchronization Protocols are standardized methods for retrieving time information from external Time Servers. NetDefendOS supports the following time synchronization protocols:
• SNTP - Defined by RFC 2030, the Simple Network Time Protocol (SNTP) is a lightweight implementation of NTP (R[...]
Page 116
Example 3.25. Manually Triggering a Time Synchronization

Time synchronization can be triggered from the CLI. The output below shows a typical response.

CLI
gw-world:/> time -sync
Attempting to synchronize system time...
Server time: 2008-02-27 12:21:52 (UTC+00:00)
Local time: 2008-02-27 12:24:30 (UTC+00:00) (diff: 158)
Local time successfully ch[...]
Page 117
Synchronization Intervals

The interval between each synchronization attempt can be adjusted if needed. By default, this value is 86,400 seconds (1 day), meaning that the time synchronization process is executed once in a 24 hour period.

D-Link Time Servers

Using D-Link's own Time Servers is an option in NetDefendOS and this is the recommended [...]
Page 118
DST End Date
What month and day DST ends, in the format MM-DD.
Default: none

Time Sync Server Type
Type of server for time synchronization, UDPTime or SNTP (Simple Network Time Protocol).
Default: SNTP

Primary Time Server
DNS hostname or IP Address of Timeserver 1.
Default: None

Secondary Time Server
DNS hostname or IP Address of Timeserver 2.
Defa[...]
Page 119
3.9. DNS

Overview

A DNS server can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. FQDNs are unambiguous textual domain names which specify a node's unique position in the Internet's DNS tree hierarchy. FQDN resolution allows the actual physical IP address to change while the FQDN can stay the same.[...]
Page 120
Dynamic DNS

A DNS feature offered by NetDefendOS is the ability to explicitly inform DNS servers when the external IP address of the D-Link Firewall has changed. This is sometimes referred to as Dynamic DNS and is useful where the D-Link Firewall has an external IP address that can change. Dynamic DNS can also be useful in VPN scenarios where both [...]
Page 121
3.9. DNS Chapter 3. Fundamentals 121[...]
Page 122
Chapter 4. Routing

This chapter describes how to configure IP routing in NetDefendOS.
• Overview, page 122
• Static Routing, page 123
• Policy-based Routing, page 137
• Route Load Balancing, page 141
• Dynamic Routing, page 147
• Multicast Routing, page 155
• Transparent Mode, page 167

4.1. Overview

IP routing is one of the most funda[...]
Page 123
4.2. Static Routing

The most basic form of routing is known as Static Routing. The term static refers to the fact that entries in the routing table are manually added and are therefore permanent (or static) by nature. Due to this manual approach, static routing is most appropriate to use in smaller network deployments where addresses are fairly fi[...]
Page 124
ARP queries sent to this address. A special section below explains this parameter in more depth. Local IP Address and Gateway are mutually exclusive and either one or the other should be specified.
• Metric
This is a metric value assigned to the route and is used as a weight when performing comparisons between alternate routes. If two routes are [...]
Page 125
• Route #1
All packets going to hosts on the 192.168.0.0/24 network should be sent out on the lan interface. As no gateway is specified for the route entry, the host is assumed to be located on the network segment directly reachable from the lan interface.
• Route #2
All packets going to hosts on the 10.4.0.0/16 network are to be sent out on th[...]
Page 126
IP Address of the above route, the clients will be able to communicate successfully with the interface. The IP address chosen in the second network is not significant, as long as it is the same value for the Default Gateway of the clients and the Local IP Address. The effect of adding the route with the Local IP Address is that the NetDefendOS[...]
Page 127
routing but instead as a check that the source network should be found on the interface where it arrived. If this check fails, NetDefendOS generates a Default Access Rule error message. Even traffic destined for Core (NetDefendOS itself), such as ICMP ping requests, must follow this rule of having two routes associated with it. In this case, the int[...]
Page 128
192.168.0.0      255.255.255.0    192.168.0.10  192.168.0.10  20
192.168.0.10     255.255.255.255  127.0.0.1     127.0.0.1     20
192.168.0.255    255.255.255.255  192.168.0.10  192.168.0.10  20
224.0.0.0        240.0.0.0        10.4.2.143    10.4.2.143    50
224.0.0.0        240.0.0.0        192.168.0.10  192.168.0.10  20
255.255.255.255  255.255.255.255  10.4.2.143    10.4.2.143    1
255.255.255.255  255.255.255.255  19[...]
Page 129
3 wan wannet (none) (none)

To see the active routing table enter:

gw-world:/> routes

Flags Network            Iface          Gateway         Local IP        Metric
----- ------------------ -------------- --------------- --------------- ------
      192.168.0.0/24     lan                                            0
      213.124.165.0/24   wan                                            0
      0.0.0.0/0          wan            213.124.165.1                   0

Web Interface
To see the configured routing table:
1. Go to Routi[...]
Page 130
There is also a core route added for all multicast addresses:

Route #  Interface  Destination  Gateway
1        core       224.0.0.0/4

To include the core routes when you display the active routing table, you have to specify an option to the routing command.

Example 4.2. Displaying the Core Routes

This example illustrates how to display the core routes in the acti[...]
Page 131
Figure 4.2. A Route Failover Scenario for ISP Access

Setting Up Route Failover

Route Monitoring should be enabled on a per-route basis. To enable the Route Failover feature in a scenario with a preferred and a backup route, the preferred route will have Route Monitoring enabled; however, the backup route does not require it to be enabled since it wi[...]
Page 132
second failover route. The first two routes would have Route Monitoring enabled in the routing table but the last one (with the highest Metric) would not since it has no route to fail over to.

Failover Processing

Whenever monitoring determines that a route is not available, NetDefendOS will mark the route as disabled and instigate Route Failover for[...]
Page 133
As long as the preferred wan route is healthy, everything will work as expected. Route Monitoring will also be functioning, so the secondary route will be enabled if the wan route should fail. There are, however, some problems with this setup: if a route failover occurs, the default route will then use the dsl interface. When a new HTTP connection [...]
Page 134
Specifying Hosts

For each host specified for host monitoring there are a number of property parameters that should be set:
• Method
The method by which the host is to be polled. This can be one of:
   • ICMP - ICMP "Ping" polling. An IP address must be specified for this.
   • TCP - A TCP connection is established to and then disconnected[...]
Page 135
HTTP Parameters

If the HTTP polling method is selected then two further parameters can be entered:
• Request URL
The URL which is to be requested.
• Expected Response
The text that is expected back from querying the URL.

Testing for a specific response text provides the possibility of testing if an application is offline. If, for example, a web[...]
Page 136
Using switch routes is fully explained in Section 4.7, “Transparent Mode”. In HA clusters, switch routes cannot be used and proxy ARP is the only way to implement transparent mode functionality.

Note: It is only possible to have Proxy ARP functioning for Ethernet and VLAN interfaces.[...]
Page 137
4.3. Policy-based Routing

4.3.1. Overview

Policy-based Routing (PBR) is an extension to the standard routing described previously. It offers administrators significant flexibility in implementing routing decision policies by being able to define rules so alternative routing tables are used. Normal routing forwards packets according to destination I[...]
Page 138
When looking up Policy-based Rules, it is the first matching rule found that is triggered.

4.3.4. PBR Table Selection

When a packet corresponding to a new connection first arrives, the processing steps are as follows to determine which routing table is chosen:
1. The PBR Rules must first be looked up but to do this the packet's destination int[...]
Page 139
Important - Ensuring all-nets appears in the main table

A common mistake with Policy-based routing is the absence of the default route with a destination interface of all-nets in the default main routing table. If there is no route that is an exact match then the absence of a default all-nets route will mean that the connection will be dropped.

Exa[...]
Page 140
assumed:
• Each ISP will give you an IP network from its network range. We will assume a 2-ISP scenario, with the network 10.10.10.0/24 belonging to ISP A and 20.20.20.0/24 belonging to ISP B. The ISP gateways are 10.10.10.1 and 20.20.20.1 respectively.
• All addresses in this scenario are public addresses for the sake of simplicity.
• This i[...]
Page 141
4.4. Route Load Balancing

Overview

NetDefendOS provides the option to perform Route Load Balancing (RLB). This is the ability to distribute traffic over multiple alternate routes based on a number of predefined distribution algorithms. The purpose of this feature is to provide the following:
• Balancing of traffic between interfaces in a policy d[...]
Page 142
3. If more than one matching route is found then RLB is used to choose which one to use. This is done according to which algorithm is selected in the table's RLB Instance object:
• Round Robin
Successive routes are chosen from the matching routes in a "round robin" fashion provided that the metric of the routes is the same. This re[...]
Page 143
Spillover Limits are set separately for ingoing and outgoing traffic with only one of these typically being specified. If both are specified then only one of them needs to be exceeded continuously for Hold Timer seconds for the next matching route to be chosen. The units of the limits, such as Mbps, can be selected to simplify specification of the [...]
Page 144
different metric. The route with the lowest metric is chosen first and when that route's interface limits are exceeded, the route with the next highest metric is then chosen. When that new route's interface limits are also exceeded then the route with the next highest metric is taken and so on. As soon as any route with a lower metric fal[...]
Page 145
the two ISPs.

Figure 4.5. A Route Load Balancing Scenario

We first need to define two routes to these two ISPs in the main routing table as shown below:

Route No.  Interface  Destination  Gateway  Metric
1          WAN1       all-nets     GW1      100
2          WAN2       all-nets     GW2      100

We will not use the spillover algorithm in this example so the routing metric for both routes should b[...]
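The Round Robin, Destination and Spillover selection rules described in this section, simulated over the two WAN1/GW1 and WAN2/GW2 routes of the scenario above, as an added example that is not NetDefendOS code. Assumptions: the Destination algorithm is modelled as a hash of the destination address, Spillover is tracked for outgoing load only, and the Mbps figures, the 10 second Hold Timer and the metric 200 used for the spillover variant are constructed.

```python
"""Route selection under the Round Robin, Destination and Spillover RLB algorithms.

Added example, not NetDefendOS code. It simulates the three algorithms described
above for the two all-nets routes of the scenario (WAN1 via GW1 and WAN2 via
GW2). Assumptions: the Destination algorithm is modelled as a hash of the
destination address so that one destination keeps using one route; Spillover
tracks outgoing load only, with constructed Mbps figures and a constructed
Hold Timer; routes with the lowest metric take part first.
"""
import hashlib
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List


@dataclass(frozen=True)
class Route:
    iface: str
    gateway: str
    metric: int


def lowest_metric_routes(routes: List[Route]) -> List[Route]:
    """Matching routes compete only when their metric equals the lowest one."""
    best = min(r.metric for r in routes)
    return [r for r in routes if r.metric == best]


@dataclass
class RoundRobin:
    routes: List[Route]
    _next: int = 0

    def choose(self, dst_ip: str) -> Route:
        candidates = lowest_metric_routes(self.routes)
        route = candidates[self._next % len(candidates)]
        self._next += 1
        return route


@dataclass
class Destination:
    routes: List[Route]

    def choose(self, dst_ip: str) -> Route:
        # Same destination -> same route, so a session's packets stay on one path.
        candidates = lowest_metric_routes(self.routes)
        digest = hashlib.sha256(ip_address(dst_ip).packed).digest()
        return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]


@dataclass
class Spillover:
    routes: List[Route]                 # must carry different metrics
    limit_out_mbps: Dict[str, float]    # per-interface Spillover Limit, outgoing
    hold_timer: int                     # seconds a limit must stay exceeded
    _over_since: Dict[str, float] = field(default_factory=dict)

    def report_load(self, iface: str, mbps: float, now: float) -> None:
        """Feed the current outgoing load of an interface."""
        if mbps > self.limit_out_mbps[iface]:
            self._over_since.setdefault(iface, now)
        else:
            self._over_since.pop(iface, None)   # back under the limit: restart the clock

    def saturated(self, iface: str, now: float) -> bool:
        since = self._over_since.get(iface)
        return since is not None and now - since >= self.hold_timer

    def choose(self, now: float) -> Route:
        # Lowest metric first; spill over to the next metric only while the
        # current route has been over its limit for Hold Timer seconds.
        for route in sorted(self.routes, key=lambda r: r.metric):
            if not self.saturated(route.iface, now):
                return route
        return max(self.routes, key=lambda r: r.metric)   # all saturated: last route stays in use


# Constructed data mirroring the scenario above (equal metrics for non-spillover use).
WAN1 = Route("WAN1", "GW1", 100)
WAN2 = Route("WAN2", "GW2", 100)
EQUAL_METRIC = [WAN1, WAN2]
SPILLOVER_ROUTES = [WAN1, Route("WAN2", "GW2", 200)]

if __name__ == "__main__":
    rr = RoundRobin(EQUAL_METRIC)
    print([rr.choose("203.0.113.9").iface for _ in range(4)])
    so = Spillover(SPILLOVER_ROUTES, {"WAN1": 10.0, "WAN2": 10.0}, hold_timer=10)
    so.report_load("WAN1", 15.0, now=0)
    print(so.choose(now=5).iface, so.choose(now=10).iface)
```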
Page 146
CLI
gw-world:/> add RouteBalancingInstance main Algorithm=Destination

Web Interface
1. Go to Routing > Route Load Balancing > Instances > Add > Route Balancing Instance
2. The route balancing instance dialog will appear. Now select:
   • Routing Table: main
   • Algorithm: Destination
   • Click OK

RLB with VPN

When using RLB with VPN, [...]
Page 147
4.5. Dynamic Routing

4.5.1. Dynamic Routing overview

Dynamic routing differs from static routing in that the D-Link Firewall will adapt to changes of network topology or traffic load automatically. NetDefendOS first learns of all the directly connected networks and gets further route information from other routers. Detected routes are sorted and[...]
Page 148
Comparing Dynamic Routing Algorithms

Because the global link state information is maintained everywhere in a network, LS algorithms offer a high degree of configuration control and scalability. Changes result in broadcasts of just the updated information to other routers which means faster convergence and less possibility of routing lo[...]
Page 149
All OSPF protocol exchanges can be authenticated. This means that only routers with the correct authentication can join the AS. Different authentication schemes can be used, such as none, passphrase or MD5 digest. It is possible to configure separate authentication methods for each AS.

OSPF Areas

OSPF allows sets of networks to be grouped together and[...]
Page 150
Down
This is the initial state of the neighbor relationship.

Init
When a HELLO packet is received from a neighbor, but does NOT include the Router ID of the firewall in it, the neighbor will be placed in Init state. As soon as the neighbor in question receives a HELLO packet it will know the sending router's Router ID and will send a HELLO packet wi[...]
Page 151
In the above example, the Virtual Link is configured between fw1 and fw2 on Area 1, as it is used as the transit area. In this configuration only the Router ID has to be configured. The diagram shows that fw2 needs to have a Virtual Link to fw1 with Router ID 192.168.1.1 and vice versa. These Virtual Links need to be configured in Area 1.

A Partiti[...]
Page 152
The Virtual Link is configured between fw1 and fw2 on Area 1, as it is used as the transit area. In the configuration only the Router ID has to be configured; as the example above shows, fw2 needs to have a Virtual Link to fw1 with the Router ID 192.168.1.1 and vice versa. These VLinks need to be configured in Area 1.

OSPF High Availability Suppor[...]
Page 153
In this example, the routes received using OSPF will be added into the main routing table. First of all a Dynamic Routing Policy filter needs to be created. The filter needs to have a name, in this example ImportOSPFRoutes is used, as it explains what the filter does. The filter must also specify from what OSPF AS the routes should be imported. In [...]
Page 154
2. Specify a suitable name for the filter, for example ExportDefRoute
3. For From Routing Table select Main Routing Table
4. Choose wan for Destination Interface
5. Choose all-nets in the ...Exactly Matches list
6. Click OK

Next, create an OSPF Action that will export the filtered route to the specified OSPF AS:

CLI
gw-world:/> cc DynamicRouting[...]
Page 155
4.6. Multicast Routing

4.6.1. Overview

Certain types of Internet interactions, such as conferencing and video broadcasts, require a single client or host to send the same packet to multiple receivers. This could be achieved through the sender duplicating the packet with different receiving IP addresses or by a broadcast of the packet across the Int[...]
Page 156
Using IGMP
The traffic flow specified by the multiplex rule must have been requested by hosts using IGMP before any multicast packets are forwarded through the specified interfaces. This is the default behavior of NetDefendOS.

Not using IGMP
The traffic flow will be forwarded according to the specified interfaces directly without any inference from[...]
Page 157
Example 4.9. Forwarding of Multicast Traffic using the SAT Multiplex Rule

In this example, we will create a multiplex rule in order to forward the multicast groups 239.192.10.0/24:1234 to the interfaces if1, if2 and if3. All groups have the same sender 192.168.10.1 which is located somewhere behind the wan interface. The multicast groups should onl[...]
Page 158
The two values {outif;ip} represent a combination of output interface and, if address translation of a group is needed, an IP address. If, for example, multiplexing of the multicast group 239.192.100.50 is required to the output interfaces if2 and if3, then the command to create the rule would be:

add IPRule SourceNetwork=<srcnet> SourceInte[...]
Page 159
1. Go to Objects > Services > Add > TCP/UDP
2. Now enter:
   • Name: multicast_service
   • Type: UDP
   • Destination: 1234

B. Create an IP rule:
1. Go to Rules > IP Rules > Add > IP Rule
2. Under General enter:
   • Name: a name for the rule, for example Multicast_Multiplex
   • Action: Multiplex SAT
   • Service: multicast_service
3.[...]
Page 160
Figure 4.10. Multicast Snoop

Figure 4.11. Multicast Proxy

In Snoop mode, the router will act transparently between the hosts and another IGMP router. It will not send any IGMP Queries. It will only forward queries and reports between the other router and the hosts. In Proxy mode, the router will act as an IGMP router towards the clients and activel[...]
Page 161
Example 4.11. IGMP - No Address Translation

The following example requires a configured interface group IfGrpClients including interfaces if1, if2 and if3. The IP address of the upstream IGMP router is known as UpstreamRouterIP. Two rules are needed. The first one is a report rule that allows the clients behind interfaces if1, if2 and if3 to subscr[...]
Page 162
4.6.3.2. IGMP Rules Configuration - Address Translation

The following example illustrates the IGMP rules needed to configure IGMP according to the Address Translation scenario described above in Section 4.6.2.2, “Multicast Forwarding - Address Translation Scenario”. We need two IGMP report rules, one for each client interface. If1 uses no add[...]
Page 163
   • Multicast Source: 192.168.10.1
   • Multicast Group: 239.192.10.0/24
4. Click OK

Example 4.13. if2 Configuration - Group Translation

The following steps need to be executed to create the report and query rule pair for if2 which translates the multicast group. Note that the group is translated and therefore the IGMP reports include the translated IP ad[...]
Page 164
   • Multicast Group: 239.192.10.0/24
4. Click OK

Advanced IGMP Settings

There are a number of IGMP advanced settings which are global and apply to all interfaces which do not have IGMP settings explicitly specified for them.

4.6.4. Advanced IGMP Settings

Auto Add Multicast Core Route
This setting will automatically add core routes in all routing ta[...]
Page 165
Default: 5,000

IGMP Max Total Requests
The maximum global number of IGMP messages to process each second.
Default: 1000

IGMP Max Interface Requests
The maximum number of requests per interface and second. Global setting on interfaces without an overriding IGMP Setting.
Default: 100

IGMP Query Interval
The interval in milliseconds between General Qu[...]
Page 166
interfaces without an overriding IGMP Setting.
Default: 1,000[...]
Page 167
4.7. Transparent Mode

4.7.1. Overview

Transparent Mode Usage

The NetDefendOS Transparent Mode feature allows a D-Link Firewall to be placed at a point in a network without any reconfiguration of the network and without hosts being aware of its presence. All NetDefendOS features can then be used to monitor and manage traffic flowing through that poi[...]
Page 168
the D-Link Firewall is placed into a network for the first time, or if network topology changes, the routing configuration must therefore be checked and adjusted to ensure that the routing table is consistent with the new layout. Reconfiguration of IP settings may be required for pre-existing routers and protected servers. This works well when comp[...]
Page 169
initiating sender of the original IP packet for the destination on the interfaces specified in the Switch Route. If an ARP reply is received, NetDefendOS will update the CAM table and Layer 3 Cache and forward the packet to the destination. If the CAM table or the Layer 3 Cache is full, the tables are partially flushed automatically. Using the dis[...]
Page 170
For example, if the interfaces if1 to if6 appear in switch routes in routing table A, the resulting interconnections will be as illustrated below. Connecting together switch routes in this way only applies, however, if all interfaces are associated with the same routing table. The situation where they are not is described next.

Creating Separat[...]
Page 171
alternative method is to enable transparent mode directly on an interface (a check box for this is provided in the graphical user interfaces). When enabled in this way, default switch routes are automatically added to the routing table for the interface and any corresponding non-switch routes are automatically removed. This method is used in the de[...]
Page 172
Figure 4.13. Transparent Mode Internet Access

In this situation, any "normal" non-switch all-nets routes in the routing table should be removed and replaced with an all-nets switch route (not doing this is a common mistake during setup). This switch route will allow traffic from the local users on Ethernet network pn2 to find the ISP gate[...]
Page 173
need to be public IP addresses. If NATing needs to be performed in the example above to hide individual addresses from the Internet, it would have to be done by a device (possibly another D-Link Firewall) between the 192.168.10.0/24 network and the public Internet. In this case, internal IP addresses could be used by the users on Ethernet network p[...]
Page 174
   • IP Address: 10.0.0.2
   • Network: 10.0.0.0/24
   • Transparent Mode: Enable
6. Click OK

Configure the rules:
1. Go to Rules > IP Rules > Add > IPRule
2. Now enter:
   • Name: HTTPAllow
   • Action: Allow
   • Service: http
   • Source Interface: lan
   • Destination Interface: any
   • Source Network: 10.0.0.0/24
   • Destination Network: all-[...]
Page 175
Example 4.15. Setting up Transparent Mode for Scenario 2 Configure a Switch Route over the LAN and DMZ interfaces for address range 10.0.0.0/24 (assume the WAN interface is already configured). Web Interface Configure the interfaces: 1. Go to Interfaces > Ethernet > Edit (lan) 2. Now enter: • IP Address: 10.0.0.1 • Network: 10.0.0.0/24 ?[...]
-
Page 176
• Interfaces: Select lan and dmz 3. Click OK Configure the routing: 1. Go to Routing > Main Routing Table > Add > SwitchRoute 2. Now enter: • Switched Interfaces: TransparentGroup • Network: 10.0.0.0/24 • Metric: 0 3. Click OK Configure the rules: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: HTTP-LAN-to[...]
-
Page 177
• Destination Interface: dmz • Source Network: all-nets • Destination Network: wan_ip 9. Click OK 4.7.4. Spanning Tree BPDU Support NetDefendOS includes support for relaying the Bridge Protocol Data Units (BPDUs) across the D-Link Firewall. BPDU frames carry Spanning Tree Protocol (STP) messages between layer 2 switches in a network. STP allo[...]
-
Page 178
Default: Enabled Decrement TTL Enable this if the TTL should be decremented each time a packet traverses the firewall in Transparent Mode. Default: Disabled Dynamic CAM Size This setting can be used to manually configure the size of the CAM table. Normally Dynamic is the preferred value to use. Default: Dynamic CAM Size If the Dynamic CAM Size sett[...]
-
Page 179
Null Enet Sender Defines what to do when receiving a packet that has the sender hardware (MAC) address in the Ethernet header set to null (0000:0000:0000). Options: • Drop - Drop packets • DropLog - Drop and log packets Default: DropLog Broadcast Enet Sender Defines what to do when receiving a packet that has the sender hardware (MAC) address in et[...]
-
Page 180
• Drop - Drop the packets • DropLog - Drop packets and log the event Default: Drop Relay MPLS When set to Ignore, all incoming MPLS packets are relayed in transparent mode. Options: • Ignore - Let the packets pass but do not log • Log - Let the packets pass and log the event • Drop - Drop the packets • DropLog - Drop packets and log the event De[...]
-
Page 181
4.7.5. Advanced Settings for Transparent Mode Chapter 4. Routing 181[...]
-
Page 182
Chapter 5. DHCP Services This chapter describes DHCP services in NetDefendOS. • Overview, page 182 • DHCP Servers, page 183 • Static DHCP Assignment, page 185 • DHCP Relaying, page 187 • IP Pools, page 190 5.1. Overview Dynamic Host Configuration Protocol (DHCP) is a protocol that allows network administrators to automatically assign IP n[...]
-
Page 183
5.2. DHCP Servers DHCP servers assign and manage the IP addresses taken from a specified address pool. In NetDefendOS, DHCP servers are not limited to serving a single range of IP addresses but can use any IP address range that can be specified by a NetDefendOS IP address object. Multiple DHCP Servers The administrator has the ability to set up one[...]
-
Page 184
• WINS Servers - WINS servers the client can use for WINS lookup. • Next Server - the IP address of the next server in the boot process, this is usually a TFTP server. In addition, Custom Options can be specified in order to have the DHCP servers hand out all options supported by the DHCP standard. Example 5.1. Setting up a DHCP server This exa[...]
-
Page 185
5.3. Static DHCP Assignment Where the administrator requires a fixed relationship between a client and the assigned IP address, NetDefendOS allows the assignment of a given IP to a specific MAC address. Example 5.3. Setting up Static DHCP This example shows how to assign the IP address 192.168.1.1 to the MAC address 00-90-12-13-14-15 . The examples[...]
-
Page 186
Auto Save Policy What policy should be used to save the lease database to the disk, possible settings are Disabled , ReconfShut or ReconfShutTimer . Default: ReconfShut Lease Store Interval How often, in seconds, the leases database should be saved to disk if DHCPServer_SaveLeasePolicy is set to ReconfShutTimer . Default: 86400 5.3.1. DHCP Advanced[...]
-
Page 187
5.4. DHCP Relaying The DHCP Problem With DHCP, clients send requests to locate the DHCP server(s) using broadcast messages. However, broadcasts are normally only propagated across the local network. This means that the DHCP server and client always need to be on the same physical network. In a large Internet-like network topology, this means there [...]
-
Page 188
3. Click OK Adding a DHCP relayer called as vlan-to-dhcpserver : 1. Go to System > DHCP > Add > DHCP Relay 2. Now enter: • Name: vlan-to-dhcpserver • Action: Relay • Source Interface: ipgrp-dhcp • DHCP Server to relay to: ip-dhcp • Allowed IP offers from server: all-nets 3. Under the Add Route tab, check Add dynamic routes for th[...]
-
Page 189
Max Auto Routes How many relays can be active at the same time. Default: 256 Auto Save Policy What policy should be used to save the relay list to the disk, possible settings are Disabled , ReconfShut , or ReconfShutTimer . Default: ReconfShut Auto Save Interval How often, in seconds, should the relay list be saved to disk if DHCPServer_SaveRe[...]
-
Page 190
5.5. IP Pools Overview IP pools are used to offer other subsystems access to a cache of DHCP IP addresses. These addresses are gathered into a pool by internally maintaining a series of DHCP clients (one per IP). The DHCP servers used by a pool can either be external or be DHCP servers defined in NetDefendOS itself. External DHCP servers can be spe[...]
-
Page 191
Maximum free The maximum number of "free" IPs to be kept. Must be equal to or greater than the prefetch parameter. The pool will start releasing (giving back IPs to the DHCP server) when the number of free clients exceeds this value. Maximum clients Optional setting used to specify the maximum number of clients (IPs) allowed in the pool. [...]
-
Page 192
5.5. IP Pools Chapter 5. DHCP Services 192[...]
-
Page 193
Chapter 6. Security Mechanisms This chapter describes NetDefendOS security features. • Access Rules, page 193 • ALGs, page 196 • Web Content Filtering, page 242 • Anti-Virus Scanning, page 259 • Intrusion Detection and Prevention, page 265 • Denial-of-Service Attack Prevention, page 276 • Blacklisting Hosts and Networks, page 280 6.1.[...]
-
Page 194
VPNs provide one means of avoiding spoofing but where a VPN is not an appropriate solution then Access Rules can provide an anti-spoofing capability by providing an extra filter for source address verification. An Access Rule can verify that packets arriving at a given interface do not have a source address which is associated with a network of ano[...]
-
Page 195
working properly. Example 6.1. Setting up an Access Rule A rule is to be defined that ensures no traffic with a source address not within the lannet network is received on the lan interface. CLI gw-world:/> add Access Name=lan_Access Interface=lan Network=lannet Action=Expect Web Interface 1. Go to Rules > Access 2. Select Access Rule in the [...]
-
Page 196
6.2. ALGs 6.2.1. Overview To complement low-level packet filtering, which only inspects packet headers in protocols such as IP, TCP, UDP, and ICMP, D-Link Firewalls provide Application Layer Gateways (ALGs) which provide filtering at the higher application OSI level. An ALG object acts as a mediator in accessing commonly used Internet applications [...]
-
Page 197
Maximum Connection Sessions The Service associated with an ALG has a configurable parameter associated with it called Max Sessions and the default value varies according to the type of ALG. For instance, the default value for the HTTP ALG is 1000 . This means that 1000 connections are allowed in total for the HTTP Service across all interfaces. T[...]
-
Page 198
• URL Whitelisting The opposite to blacklisting, this makes sure certain URLs are always allowed. Wildcarding can also be used for these URLs, as described below. It is important to note that whitelisting a URL means that it cannot be blacklisted and it also cannot be dropped by web content filtering (if that is enabled, although it will be logge[...]
-
Page 199
Additional file types not included by default can be added to the Allow/Block list; however, these cannot be subject to content checking, meaning that the file extension will be trusted as being correct for the contents of the file. Note The Verify MIME type and Allow/Block Selected Types options work in the same way for the FTP, POP3 and SMTP ALGs. ?[...]
-
Page 200
Entries made in the white and blacklists can make use of wildcarding to have a single entry be equivalent to a large number of possible URLs. The wildcard character " * " can be used to represent any sequence of characters. For example, the entry *.some_domain.com will block all pages whose URLs end with some_domain.com . If we want to no[...]
-
Page 201
When active mode is used, NetDefendOS doesn't know that the FTP server will establish a new connection back to the FTP client. Therefore, the incoming connection for the data channel will be dropped. As the port number used for the data channel is dynamic, the only way to solve this is to allow traffic from all ports on the FTP server to all p[...]
-
Page 202
malicious code. Suspect files can be dropped or just logged. This feature is common to a number of ALGs and is described fully in Section 6.4, “Anti-Virus Scanning” . FTP ALG with ZoneDefense Used together with the FTP ALG, ZoneDefense can be configured to protect an internal network from virus spreading servers and hosts. This is relevant t[...]
-
Page 203
To make it possible to connect to this server from the Internet using the FTP ALG, the FTP ALG and rules should be configured as follows: Web Interface A. Define the ALG: 1. Go to Objects > ALG > Add > FTP ALG 2. Enter Name: ftp-inbound 3. Check Allow client to use active mode 4. Uncheck Allow server to use passive mode 5. Click OK B. Defi[...]
-
Page 204
• Action: SAT • Service: ftp-inbound 3. For Address Filter enter: • Source Interface: any • Destination Interface: core • Source Network: all-nets • Destination Network: wan_ip (assuming the external interface has been defined as this) 4. For SAT check Translate the Destination IP Address 5. Enter To: New IP Address: ftp-internal (assum[...]
-
Page 205
Example 6.3. Protecting FTP Clients In this scenario shown below the D-Link Firewall is protecting a workstation that will connect to FTP servers on the Internet. To make it possible to connect to these servers from the internal network using the FTP ALG, the FTP ALG and rules should be configured as follows: Web Interface A. Create the FTP ALG: 1.[...]
-
Page 206
Rules (Using Public IPs). The following rule needs to be added to the IP rules if using public IPs; make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules. The service in use is ftp-outbound , which should be using the ALG definition ftp-outbound as described earlier. C. Allow connections to[...]
-
Page 207
Allow/Disallow Read The TFTP GET function can be disabled so that files cannot be retrieved by a TFTP client. The default value is Allow . Allow/Disallow Write The TFTP PUT function can be disabled so that files cannot be written by a TFTP client. The default value is Allow. Remove Request Option Specifies if options should be removed from requests.[...]
-
Page 208
This is a very useful feature to have since it is possible to put in a block against either an infected client or an infected server sending large amounts of malware generated emails. Email Size Limiting A maximum allowable size of email messages can be specified. This feature counts the total number of bytes sent for a single email, which is the he[...]
-
Page 209
4. Anti-virus scanning (if enabled). As described above, if an address is found on the whitelist then it will not be blocked if it is also found on the blacklist. SPAM filtering, if it is enabled, is still applied to whitelisted addresses, but emails flagged as SPAM will not be tagged nor dropped, only logged. Anti-virus scanning, if it is enabled, is [...]
-
Page 210
The NetDefendOS SMTP ALG does not support all ESMTP extensions, including Pipelining and Chunking . The ALG therefore removes any unsupported extensions from the supported extension list that is returned to the client by an SMTP server behind the D-Link Firewall. When an extension is removed, a log message is generated with the text: unsupported_ext[...]
-
Page 211
known as spammers , can waste resources, transport malware as well as try to direct the reader to webpages which might exploit browser vulnerabilities. Integral to the NetDefendOS SMTP ALG is a SPAM module that provides the ability to apply spam filtering to incoming email based on its origin. This can significantly reduce the burden of such email [...]
-
Page 212
the following actions based on the sum calculated: 1. Dropped If the sum is greater than or equal to a pre-defined Drop threshold then the email is considered to be definitely SPAM and is discarded or, alternatively, sent to a single, special mailbox. If it is discarded then the administrator has the option of having an error message sent back to the s[...]
-
Page 213
And this is what the email's recipient will see in the summary of their inbox contents. The individual user could then decide to set up their own filters in the local client to deal with such tagged emails, possibly sending them to a separate folder. Adding X-SPAM Information If an email is determined to be SPAM and a forwarding address is confi[...]
-
Page 214
allowed through if this happens. Setup Summary To set up DNSBL SPAM filtering in the SMTP ALG, the following list summarizes the steps: • Specify which DNSBL servers are to be used. There can be multiple and they can act both as backups to each other as well as confirmation of a sender's status. • Specify a weight for each server which wil[...]
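The weighted-sum decision described on the preceding pages (each DNSBL server carries an administrator-assigned weight, the weights of the servers that list the sender are summed, and the sum is compared against a Drop threshold) can be modelled in a few lines. The following is an added example and not NetDefendOS code: the server names and weights are constructed, the lower tagging threshold is assumed from the manual's mention of tagged emails, an unreachable server is assumed to contribute nothing to the sum, and whitelisted senders follow the "logged only, never tagged or dropped" behaviour the manual states.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class DnsblServer:
    name: str
    weight: int  # weight the administrator assigns to this server's verdict


# Constructed sample configuration (hypothetical names and weights).
SERVERS = (
    DnsblServer("dnsbl-a.example", 3),
    DnsblServer("dnsbl-b.example", 2),
    DnsblServer("dnsbl-c.example", 1),
)
DROP_THRESHOLD = 5  # sum >= 5: definitely SPAM, discard
SPAM_THRESHOLD = 3  # sum >= 3: tag as SPAM (assumed second threshold)


def spam_score(servers: Sequence[DnsblServer],
               results: Dict[str, Optional[bool]]) -> int:
    """Sum the weights of the servers that list the sender.

    results maps server name -> True (listed), False (not listed) or
    None (no answer). Assumption: a server that does not answer adds 0,
    so a single dead DNSBL cannot push mail over a threshold on its own.
    """
    return sum(s.weight for s in servers if results.get(s.name) is True)


def classify_email(servers: Sequence[DnsblServer],
                   results: Dict[str, Optional[bool]],
                   drop_threshold: int,
                   spam_threshold: int,
                   sender_whitelisted: bool = False) -> Tuple[str, int]:
    """Return (action, score) where action is drop, tag, allow or log."""
    score = spam_score(servers, results)
    if score >= drop_threshold:
        action = "drop"
    elif score >= spam_threshold:
        action = "tag"
    else:
        action = "allow"
    # Whitelisted senders are still scored but only logged, as the manual states.
    if sender_whitelisted and action != "allow":
        action = "log"
    return action, score


if __name__ == "__main__":
    # Constructed lookup results for three different senders.
    listed_twice = {"dnsbl-a.example": True, "dnsbl-b.example": True, "dnsbl-c.example": False}
    one_dead = {"dnsbl-a.example": True, "dnsbl-b.example": None, "dnsbl-c.example": False}
    low_weight = {"dnsbl-a.example": False, "dnsbl-b.example": False, "dnsbl-c.example": True}
    for label, res in [("listed twice", listed_twice), ("one dead", one_dead), ("low weight", low_weight)]:
        print(label, classify_email(SERVERS, res, DROP_THRESHOLD, SPAM_THRESHOLD))
```

The point a practitioner should take from this is that the weights decide how many servers must agree before mail is dropped: with the constructed weights above, two of the three servers must concur to reach the Drop threshold, so one misbehaving list cannot discard mail by itself.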
-
Page 215
The dnsbl CLI command provides a means to control and monitor the operation of the SPAM filtering module. The dnsbl command on its own without options shows the overall status of all ALGs. If the name of the SMTP ALG object on which DNSBL SPAM filtering is enabled is my_smtp_alg then the output would be: gw-world:/> dnsbl DNSBL Contexts: Name St[...]
-
Page 216
6.2.6. The POP3 ALG POP3 is a mail transfer protocol that differs from SMTP in that the transfer of mail is directly from a server to a user's client software. POP3 ALG Options Key features of the POP3 ALG are: Block Clear Text Authentication Block connections between client and server that send the username/password combination as clear text [...]
-
Page 217
SIP Components The following components are the logical building blocks for SIP communication: User Agents These are the end points or clients that are involved in the client-to-client communication. These would typically be the workstation or device used in an IP telephony conversation. The term client will be used throughout this section to descr[...]
-
Page 218
default value is 3600 seconds. SIP Signal Timeout The maximum time allowed for SIP sessions. The default value is 43200 seconds . Data Channel Timeout The maximum time allowed for periods with no traffic in a SIP session. A timeout condition occurs if this value is exceeded. The default value is 120 seconds . Allow Media Bypass If this option is en[...]
-
Page 219
Tip Make sure there are no preceding rules already in the IP rule set disallowing or allowing the same kind of traffic. SIP Usage Scenarios NetDefendOS supports a variety of SIP usage scenarios. The following three scenarios cover nearly all possible types of usage: • Scenario 1 Protecting local clients - Proxy located on the Internet The SIP ses[...]
-
Page 220
The SIP proxy in the above diagram could alternatively be located remotely across the Internet. The proxy should be configured with the Record-Route feature enabled to ensure that all SIP traffic to and from the office clients will be sent through the SIP Proxy. This is recommended since the attack surface is minimized by allowing only SIP signalling fr[...]
-
Page 221
local contact information and uses this to redirect incoming requests to the user. The ALG takes care of the address translations needed. 4. Ensure the clients are correctly configured. The SIP Proxy Server plays a key role in locating the current location of the other client for the session. The proxy's IP address is not specified directly in[...]
-
Page 222
This scenario can be implemented in two ways: • Using NAT to hide the network topology. • Without NAT so the network topology is exposed. Solution A - Using NAT Here, the proxy and the local clients are hidden behind the IP address of the D-Link Firewall. The setup steps are as follows: 1. Define a single SIP ALG object using the options descri[...]
-
Page 223
If Record-Route is enabled then the Source Network for outbound traffic from proxy users can be further restricted in the above rules by using " ip_proxy " as indicated. When an incoming call is received, the SIP ALG will follow the SAT rule and forward the SIP request to the proxy server. The proxy will, in turn, forward the request to it[...]
-
Page 224
The exchanges illustrated are as follows: • 1,2 - An initial INVITE is sent to the outbound local proxy server on the DMZ. • 3,4 - The proxy server sends the SIP messages towards the destination on the Internet. • 5,6 - A remote client or proxy server replies to the local proxy server. • 7,8 - The local proxy forwards the reply to the local[...]
-
Page 225
• An Allow rule for outbound traffic from the proxy behind the DMZ interface to the remote clients on the Internet. • An Allow rule for inbound SIP traffic from the SIP proxy behind the DMZ interface to the IP address of the D-Link Firewall. This rule will have core (in other words, NetDefendOS itself) as the destination interface. The reason f[...]
-
Page 226
• An Allow rule for outbound traffic from the clients on the internal network to the proxy located on the DMZ interface. • An Allow rule for outbound traffic from the proxy behind the DMZ interface to the remote clients on the Internet. • An Allow rule for inbound SIP traffic from the SIP proxy behind the DMZ interface to the clients located [...]
-
Page 227
required for communication between two H.323 terminals. Gatekeepers The Gatekeeper is a component in the H.323 system which is used for addressing, authorization and authentication of terminals and gateways. It can also take care of bandwidth management, accounting, billing and charging. The gatekeeper may allow calls to be placed directly between [...]
-
Page 228
UDP. • To support gatekeepers, the ALG monitors RAS traffic between H.323 endpoints and the gatekeeper, in order to correctly configure the D-Link Firewall to let calls through. • NAT and SAT rules are supported, allowing clients and gatekeepers to use private IP addresses on a network behind the D-Link Firewall. H.323 ALG Configuration The con[...]
-
Page 229
Web Interface Outgoing Rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323AllowOut • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing calls 3. Click OK Incoming Rule: 1. Go t[...]
-
Page 230
Example 6.5. H.323 with private IP addresses In this scenario an H.323 phone is connected to the D-Link Firewall on a network with private IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this phone, we need to configure rules. The following ru[...]
-
Page 231
• Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: Allow incoming calls to H.323 phone at ip-phone 3. Click OK To place a call to the phone behind the D-Link Firewall, place a call to the external IP address on the firewall. If multiple H.323 phones are placed behind the firewall, one[...]
-
Page 232
1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323AllowIn • Action: Allow • Service: H323 • Source Interface: any • Destination Interface: lan • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: lannet • Comment: Allow incoming calls 3. Click OK Example 6.7. Using Private IP Addresses This scenari[...]
-
Page 233
• Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: Allow incoming calls to H.323 phone at ip-phone 3. For SAT enter Translate Destination IP Address: To New IP Address: ip-phone (IP address of phone) 4. Click OK 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name:[...]
-
Page 234
Incoming Gatekeeper Rules: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323In • Action: SAT • Service: H323-Gatekeeper • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: SAT rule for incoming c[...]
-
Page 235
is possible for internal phones to call the external phones that are registered with the gatekeeper. Example 6.9. H.323 with Gatekeeper and two D-Link Firewalls This scenario is quite similar to scenario 3, with the difference that the D-Link Firewall is protecting the "external" phones. The D-Link Firewall with the Gatekeeper connected t[...]
-
Page 236
Example 6.10. Using the H.323 ALG in a Corporate Environment This scenario is an example of a more complex network that shows how the H.323 ALG can be deployed in a corporate environment. At the head office DMZ an H.323 Gatekeeper is placed that can handle all H.323 clients in the head, branch and remote offices. This will allow the whole corporat[...]
-
Page 237
1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: LanToGK • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gateway • Comment: Allow H.323 entities on lannet to call phones connected to the H.323 Gateway on the DMZ [...]
-
Page 238
• Source Interface: vpn-remote • Destination Interface: dmz • Source Network: remote-net • Destination Network: ip-gatekeeper • Comment: Allow communication with the Gatekeeper on DMZ from the Remote network 3. Click OK Example 6.11. Configuring remote offices for H.323 If the branch and remote office H.323 phones and applications are to [...]
-
Page 239
• Comment: Allow the Gateway to communicate with the Gatekeeper connected to the Head Office 3. Click OK Note There is no need to specify a specific rule for outgoing calls. NetDefendOS monitors the communication between "external" phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones[...]
-
Page 240
Advantages of Using NetDefendOS for TLS Termination TLS can be implemented directly in the server to which clients connect, however, if the servers are protected behind a D-Link Firewall, then NetDefendOS can take on the role of the TLS endpoint. NetDefendOS then performs TLS authentication, encryption and decryption of data to/from clients and t[...]
-
Page 241
6. Optionally, a SAT rule can be created to change the destination port for the unencrypted traffic. Alternatively an SLB_SAT rule can be used to do load balancing (the destination port can also be changed through a custom service object). URLs Delivered by Servers It should be noted that using NetDefendOS for TLS termination will not change URLs i[...]
-
Page 242
6.3. Web Content Filtering 6.3.1. Overview Web traffic is one of the biggest sources for security issues and misuse of the Internet. Inappropriate surfing habits can expose a network to many security threats as well as legal and regulatory liabilities. Productivity and Internet bandwidth can also be impaired. Filtering Mechanisms Through the HTTP A[...]
-
Page 243
Removing such legitimate code could, at best, cause the web site to look distorted, at worst, cause it to not work in a browser at all. Active Content Handling should therefore only be used when the consequences are well understood. Example 6.13. Stripping ActiveX and Java applets This example shows how to configure an HTTP Application Layer Gateway[...]
-
Page 244
www.example.com Bad. This will only block the first request to the web site. Surfing to www.example.com/index.html , for example, will not be blocked. *example.com/* Bad. This will also cause www.myexample.com to be blocked since it blocks all sites ending with example.com . Note: The hosts and networks blacklist is separate Web content filtering U[...]
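Both the wildcard description on page 200 and the good/bad entries on this page follow from one rule: an entry must match the whole requested URL (host plus path), with " * " standing for any sequence of characters, and a whitelist match takes precedence over any blacklist match. The matcher below is an added example written to illustrate that rule, not the NetDefendOS implementation; it assumes the URL seen by the filter has no scheme prefix, and the sample requests are constructed.

```python
import re
from typing import Dict, List


def entry_to_regex(entry: str) -> "re.Pattern[str]":
    """Translate a white/blacklist entry into an anchored regex.

    Only "*" is special and stands for any run of characters, including "/".
    Everything else is literal, so the entry must cover the WHOLE URL.
    """
    parts = [re.escape(p) for p in entry.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def strip_scheme(url: str) -> str:
    # Assumption for this example: the filter compares "host/path", not "http://host/path".
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)


def classify(url: str, whitelist: List[str], blacklist: List[str]) -> str:
    """Return 'whitelist', 'blacklist' or 'none' for one requested URL.

    The whitelist is consulted first: a whitelisted URL can never be
    blacklisted, which is the precedence the manual describes.
    """
    target = strip_scheme(url)
    if any(entry_to_regex(e).match(target) for e in whitelist):
        return "whitelist"
    if any(entry_to_regex(e).match(target) for e in blacklist):
        return "blacklist"
    return "none"


def review_blacklist(entries: List[str], sample_urls: List[str]) -> Dict[str, List[str]]:
    """Map each blacklist entry to the sample URLs it would catch.

    Running a candidate list against representative requests before deployment
    makes an over-broad entry such as "*example.com/*" visible.
    """
    return {e: [u for u in sample_urls if entry_to_regex(e).match(strip_scheme(u))]
            for e in entries}


if __name__ == "__main__":
    samples = [  # constructed sample requests
        "www.example.com",
        "www.example.com/index.html",
        "www.myexample.com/index.html",
        "www.some_domain.com",
    ]
    candidates = ["www.example.com", "*example.com/*", "*.some_domain.com"]
    for entry, hits in review_blacklist(candidates, samples).items():
        print(f"{entry:20} -> {hits}")
```

Running the block reproduces both "Bad" cases from the page: the bare host entry catches only the root request and misses www.example.com/index.html, while *example.com/* also catches www.myexample.com/index.html.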
-
Page 245
1. Go to Objects > ALG 2. In the table, click on the recently created HTTP ALG to view its properties 3. Click the HTTP URL tab 4. Now click Add and select HTTP ALG URL from the menu 5. Select Whitelist as the Action 6. In the URL textbox, enter www.D-Link.com/*.exe 7. Click OK Simply continue adding specific blacklists and whitelists until the [...]
-
Page 246
If the requested web page URL is not present in the databases, then the webpage content at the URL will automatically be downloaded to D-Link's central data warehouse and automatically analyzed using a combination of software techniques. Once categorized, the URL is distributed to the global databases and NetDefendOS receives the category for [...]
-
Page 247
defined with Dynamic Content Filtering enabled. This object is then associated with a Service object and the Service object is then associated with a rule in the IP rule set to determine which traffic should be subject to the filtering. This makes possible the setting up of a detailed filtering policy based on the filtering parameters that are used[...]
-
Page 248
1. Go to Local Objects > Services > Add > TCP/UDP service 2. Specify a suitable name for the Service, for example http_content_filtering 3. Select TCP in the Type dropdown list 4. Enter 80 in the Destination Port textbox 5. Select the HTTP ALG you just created in the ALG list 6. Click OK Finally, modify the NAT rule to use the new serv[...]
-
Page 249
FilteringCategories=SEARCH_SITES Web Interface First, create an HTTP Application Layer Gateway (ALG) Object: 1. Go to Objects > ALG > Add > HTTP ALG 2. Specify a suitable name for the ALG, for example content_filtering 3. Click the Web Content Filtering tab 4. Select Audit in the Mode list 5. In the Blocked Categories list, select Search S[...]
-
Page 250
Example 6.17. Reclassifying a blocked site This example shows how a user may propose a reclassification of a web site if he believes it is wrongly classified. This mechanism is enabled on a per-HTTP ALG level basis. CLI First, create an HTTP Application Layer Gateway (ALG) Object: gw-world:/> add ALG ALG_HTTP content_filtering WebContentFilterin[...]
-
Page 251
Category 2: News A web site may be classified under the News category if its content includes information articles on recent events pertaining to topics surrounding a locality (for example, town, city or nation) or culture, including weather forecasting information. Typically this would include most real-time online news publications and technology[...]
-
Page 252
• www.buy-alcohol.se Category 7: Entertainment A web site may be classified under the Entertainment category if its content includes any general form of entertainment that is not specifically covered by another category. Some examples of this are music sites, movies, hobbies, special interest, and fan clubs. This category also includes personal w[...]
-
Page 253
• www.loadsofmoney.com.au • www.putsandcalls.com Category 12: E-Banking A web site may be classified under the E-Banking category if its content includes electronic banking information or services. This category does not include Investment related content; refer to the Investment Sites category (11). Examples might be: • www.nateast.co.uk •[...]
-
Page 254
Category 17: www-Email Sites A web site may be classified under the www-Email Sites category if its content includes online, web-based email facilities. Examples might be: • www.coldmail.com • mail.yazoo.com Category 18: Violence / Undesirable A web site may be classified under the Violence / Undesirable category if its contents are extremely v[...]
-
Page 255
information or services of relating to a club or society. This includes team or conference web sites. Examples might be: • www.sierra.org • www.walkingclub.org Category 23: Music Downloads A web site may be classified under the Music Downloads category if it provides online music downloading, uploading and sharing facilities as well as high ban[...]
-
Page 256
Category 28: Drugs/Alcohol A web site may be classified under the Drugs/Alcohol category if its content includes drug and alcohol related information or services. Some URLs categorized under this category may also be categorized under the Health category. Examples might be: • www.the-cocktail-guide.com • www.stiffdrinks.com Category 29: Computi[...]
-
Page 257
URLForbidden RestrictedSiteNotice ReclassifyURL To perform customization it is necessary to first create a new, named ALG Banner Files object. This new object automatically contains a copy of all the files in the Default ALG Banner Files object. These new files can then be edited and uploaded back to NetDefendOS. The original Default object cannot [...]
-
Page 258
This creates an object which contains a copy of all the Default content filtering banner files. 3. The modified file is then uploaded using SCP. It is uploaded to the object type HTTPALGBanner and the object mytxt with the property name URLForbidden . If the edited URLForbidden local file is called my.html then using the Open SSH SCP client, the up[...]
-
Page 259
6.4. Anti-Virus Scanning 6.4.1. Overview The NetDefendOS Anti-Virus module protects against malicious code carried in file downloads. Files may be downloaded as part of a web-page in an HTTP transfer, in an FTP download, or perhaps as an attachment to an email delivered through SMTP. Malicious code in such downloads can have different intents rangi[...]
-
Page 260
As described above, Anti-Virus scanning is enabled on a per ALG basis and can scan file downloads associated with the HTTP, FTP, SMTP and POP3 ALGs. More specifically: • Any uncompressed file type transferred through these ALGs can be scanned. • If the download has been compressed, ZIP and GZIP file downloads can be scanned. The administrator h[...]
-
Page 261
NetDefendOS Anti-Virus scanning is implemented by D-Link using the "SafeStream" virus signature database. The SafeStream database is created and maintained by Kaspersky, a company which is a world leader in the field of virus detection. The database provides protection against virtually all known virus threats including trojans, worms, ba[...]
-
Page 262
compressed file attachment might need to be uncompressed into a much larger file, which can place an excessive load on NetDefendOS resources and noticeably slow down throughput. To prevent this situation, the administrator should specify a Compression Ratio limit. If the limit of the ratio is specified as 10 then this will mean that if the uncompres[...]
-
Page 263
original active/passive roles. For more information about HA clusters refer to Chapter 11, High Availability . Anti-Virus with ZoneDefense Anti-Virus triggered ZoneDefense is a feature for isolating virus infected hosts and servers on a local network. While the virus scanning firewall takes care of blocking inbound infected files from reaching the [...]
-
Page 264
B. Then, create a Service object using the new HTTP ALG: 1. Go to Local Objects > Services > Add > TCP/UDP service 2. Specify a suitable name for the Service, for instance http_anti_virus 3. Select TCP in the Type dropdown list 4. Enter 80 in the Destination Port textbox 5. Select the HTTP ALG you just created in the ALG dropdown list [...]
-
Page 265
6.5. Intrusion Detection and Prevention 6.5.1. Overview Intrusion Definition Computer servers can sometimes have vulnerabilities which leave them exposed to attacks carried by network traffic. Worms, trojans and backdoor exploits are examples of such attacks which, if successful, can potentially compromise or take control of a server. A generic ter[...]
-
Page 266
• Maintenance IDP is a basic IDP system included as standard with the D-Link DFL-210/800/1600/2500 firewalls. This is a simplified IDP that gives basic protection against attacks. It is upgradeable to the professional level Advanced IDP . • Advanced IDP is a subscription based IDP system with a much broader range of database signatures for profe[...]
-
Page 267
The console command > updatecenter -status will show the current status of the auto-update feature. This can also be done through the WebUI. Updating in High Availability Clusters Updating the IDP databases for both the D-Link Firewalls in an HA Cluster is performed automatically by NetDefendOS. In a cluster there is always an active unit and an[...]
-
Page 268
something which is not a valid hexadecimal value. • Double encoding This looks for any hex escape sequence which is itself encoded using other hex escape sequences. An example would be the original sequence %2526: the HTTP server first decodes %25 to ' % ', which yields the sequence ' %26 '. This is then finally d[...]
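The two HTTP normalization checks described above (invalid hex escapes and double encoding) can be reproduced in a few lines. The following is an added example written for this page, not code from NetDefendOS or D-Link; it decodes a request URI one layer at a time and reports when a second decode round is needed, which is exactly the %2526 -> %26 -> & case, and when a '%' is not followed by two hex digits. The round limit and the message texts are this example's own choices.

```python
def decode_once(s):
    """Decode one layer of %XX escapes.

    Returns (decoded, findings). A '%' that is not followed by exactly two
    hex digits is left as-is and reported: this is the "invalid hex" check.
    """
    out, findings, i = [], [], 0
    hexdigits = "0123456789abcdefABCDEF"
    while i < len(s):
        if s[i] == "%":
            hx = s[i + 1:i + 3]
            if len(hx) == 2 and hx[0] in hexdigits and hx[1] in hexdigits:
                out.append(chr(int(hx, 16)))
                i += 3
                continue
            findings.append("invalid hex escape at offset %d: %r" % (i, s[i:i + 3]))
        out.append(s[i])
        i += 1
    return "".join(out), findings


def normalize_uri(uri, max_rounds=3):
    """Decode until the string stops changing.

    Returns (normalized, rounds, findings). Needing more than one round means
    the request was double (or deeper) encoded, e.g. %2526 -> %26 -> &.
    Invalid-escape findings are only taken from the first round: a lone '%'
    produced by decoding %25 is legitimate output, not malformed input.
    """
    decoded, findings = decode_once(uri)
    rounds = 0 if decoded == uri else 1
    current = decoded
    for _ in range(max_rounds - 1):
        nxt, _ignored = decode_once(current)
        if nxt == current:
            break
        rounds += 1
        current = nxt
    if rounds > 1:
        findings.append("double encoding: %d decode rounds needed" % rounds)
    return current, rounds, findings
```

A sensor that compares signatures against the fully normalized form, and alerts on the findings list, cannot be bypassed by encoding the same bytes one more time; the round limit keeps a deeply nested encoding from turning into a CPU sink.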
-
Page 269
and believes it has the full data stream. The attacker now sends two further packets, p2 and p3, which will be accepted by the application which can now complete reassembly but resulting in a different data stream to that seen by the IDP subsystem. Evasion Attacks An evasion attack has a similar end-result to the Insertion Attack in that it also ge[...]
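The insertion attack just described is easiest to see with a small reassembly model. The following is an added example for this page, not NetDefendOS code: a constructed stream of TCP segments is reassembled from two vantage points, a sensor a few hops from the attacker and the server further away. The "packet the host rejects" is modelled by a short IP TTL, and overlapping segments are resolved by keeping the bytes received first; both rules, the hop counts, the payloads and the signature string ATTACK are assumptions of the example. Evasion is the mirror image (the sensor misses a segment the host accepts) and follows the same mechanics.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int      # TCP sequence number of the first payload byte
    data: bytes
    ttl: int      # IP TTL as the attacker sets it


def reassemble(segments, hops):
    """Rebuild the byte stream as seen by a vantage point `hops` routers away
    from the attacker. Model assumptions (constructed for this example):
      * a segment whose TTL is not larger than `hops` expires before arriving,
        so that vantage point never sees it;
      * where segments overlap, the bytes received first are kept.
    Reassembly stops at the first gap, as a real stream reassembler would.
    """
    seen = {}
    for seg in segments:                      # arrival order matters
        if seg.ttl <= hops:
            continue
        for i, b in enumerate(seg.data):
            seen.setdefault(seg.seq + i, b)   # first data wins on overlap
    out, pos = bytearray(), 0
    while pos in seen:
        out.append(seen[pos])
        pos += 1
    return bytes(out)


# Constructed insertion attack: the sensor is 3 hops away, the server 6.
IDP_HOPS, SERVER_HOPS = 3, 6
ATTACK = [
    Segment(0, b"GET /", 64),
    Segment(5, b"benign.html ", 4),     # p1: reaches the sensor, dies before the server
    Segment(5, b"ATTACK.html ", 64),    # p2: same sequence range, the real content
    Segment(17, b"HTTP/1.0", 64),       # p3: completes the request at both ends
]

SIGNATURE = b"ATTACK"


def idp_view():
    """Stream as the sensor reassembles it."""
    return reassemble(ATTACK, IDP_HOPS)


def server_view():
    """Stream as the application on the server reassembles it."""
    return reassemble(ATTACK, SERVER_HOPS)


def idp_alerts():
    """What pattern matching on the sensor's stream would conclude."""
    return SIGNATURE in idp_view()
```

The sensor sees a harmless request for benign.html, the server executes a request for ATTACK.html, and no signature fires. The defence is for the sensor to refuse ambiguity rather than guess: drop or alert on overlapping segments with differing content, and on segments whose TTL cannot reach the protected host.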
-
Page 270
Recognizing Unknown Threats Attackers who build new intrusions often re-use older code. This means their new attacks can appear "in the wild" quickly. To counter this, D-Link IDP uses an approach where the module scans for these reusable components, with pattern matching looking for building blocks rather than the entire complete code pat[...]
-
Page 271
2. Signature Group Category This second level of naming describes the type of application or protocol. Examples are: • BACKUP • DB • DNS • FTP • HTTP 3. Signature Group Sub-Category The third level of naming further specifies the target of the group and often specifies the application, for example MSSQL . The Sub-Category may not be neces[...]
-
Page 272
After pattern matching recognizes an intrusion in traffic subject to an IDP Rule, the Action associated with that Rule is taken. The administrator can associate one of three Action options with an IDP Rule: • Ignore - Do nothing if an intrusion is detected and allow the connection to stay open. • Audit - Allow the connection to stay open but lo[...]
-
Page 273
gw-world:/examplerule> set IDPRuleAction 1 LogEnabled=Yes Web Interface Adding an SMTP log receiver: 1. Go to System > Log and Event Receivers > Add > SMTP Event Receiver 2. Now enter: • Name: smtp4IDP • SMTP Server: smtp-server • Server Port: 25 • Specify alternative email addresses (up to 3) • Sender: hostmaster • Subject:[...]
-
Page 274
An IDP rule called IDPMailSrvRule will be created, and the Service to use is the SMTP service. Source Interface and Source Network defines where traffic is coming from, in this example the external network. The Destination Interface and Destination Network define where traffic is directed to, in this case the mail server. Destination Network should[...]
-
Page 275
If logging of intrusion attempts is desired, this can be configured in the Log Settings tab. Create IDP Action: When this IDP Rule has been created, an action must also be created, specifying what signatures the IDP should use when scanning data matching the IDP Rule, and what NetDefendOS should do in case an intrusion is discovered. Intrusion atte[...]
-
Page 276
6.6. Denial-of-Service Attack Prevention 6.6.1. Overview By embracing the Internet, enterprises experience new business opportunities and growth. The enterprise network and the applications that run over it are business critical. Not only can a company reach a larger number of customers via the Internet, it can serve them faster and more efficientl[...]
-
Page 277
intended victim. "Jolt" is simply a purpose-written program for generating such packets on operating systems whose ping commands refuse to generate oversized packets. The triggering factor is that the last fragment makes the total packet size exceed 65535 bytes, which is the highest number that a 16-bit integer can store. When the value o[...]
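The size check that defeats Ping of Death and Jolt is a per-fragment arithmetic check on the fragment offset (carried in 8-byte units) and the fragment length, performed before any reassembly buffer is sized. The following is an added example for this page, not NetDefendOS code; the constructed fragment list models an ICMP echo carrying 65510 data bytes split at a 1500-byte MTU, and the 20-byte header assumption (IHL 5) is the example's own.

```python
IP_MAX_LEN = 65535          # largest value the 16-bit IP total length field can hold


def fragment_end(frag_offset, total_length, ihl=5):
    """Byte offset just past this fragment's payload inside the reassembled
    datagram. frag_offset is the header field value (units of 8 bytes);
    ihl is the header length in 32-bit words."""
    payload = total_length - ihl * 4
    return frag_offset * 8 + payload


def reassembled_size(frag_offset, total_length, ihl=5):
    """Size the reassembled datagram would have if this were the last fragment:
    one IP header plus all payload up to this fragment's end."""
    return ihl * 4 + fragment_end(frag_offset, total_length, ihl)


def is_oversized(frag_offset, total_length, ihl=5):
    """True when accepting this fragment would push the datagram past 65535
    bytes, the Ping of Death / Jolt condition. Because the test is done per
    fragment, the offending fragment is dropped before any buffer is sized
    for the whole datagram."""
    return reassembled_size(frag_offset, total_length, ihl) > IP_MAX_LEN


def first_oversized(fragments):
    """Scan (frag_offset, total_length) pairs in arrival order and return
    the first fragment that trips the check, or None."""
    for frag in fragments:
        if is_oversized(*frag):
            return frag
    return None


# Constructed example: an ICMP echo with 65510 data bytes (65518 bytes of ICMP),
# fragmented for a 1500-byte MTU: 44 fragments of 1480 payload bytes, then a
# last fragment of 398 bytes at offset 44 * 1480 = 65120 bytes (8140 units).
PING_OF_DEATH = [(i * 185, 1500) for i in range(44)] + [(44 * 185, 20 + 398)]
```

Only the final fragment is oversized (20 + 65120 + 398 = 65538 bytes); every earlier fragment looks perfectly ordinary, which is why a reassembler that checks the total only after collecting all pieces is the one that overflows.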
-
Page 278
• By stripping the URG bit by default from all TCP segments traversing the system (configurable via Advanced Settings > TCP > TCPUrg ). WinNuke attacks will usually show up in NetDefendOS logs as normal drops with the name of the rule in your policy that disallowed the connection attempt. For connections allowed through the system, "TC[...]
-
Page 279
6.6.8. TCP SYN Flood Attacks The TCP SYN Flood attack works by sending large amounts of TCP SYN packets to a given port and then not responding to SYN ACKs sent in response. This will tie up local TCP stack resources on the victim machine until it is unable to respond to more SYN packets until the existing half-open connections have timed out. NetD[...]
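The passage above is cut off before it describes the NetDefendOS mechanism, so the following added example shows a different, standard defence against the same problem rather than the product's own: SYN cookies. Instead of keeping a half-open connection entry per SYN, the server encodes everything it needs into its SYN-ACK sequence number (a time counter, an MSS index and a keyed hash over the four-tuple) and recovers it from the client's final ACK. The code is this page's example, not D-Link's; the secret, the MSS table, the addresses and the bit layout are the example's own assumptions.

```python
import hashlib
import hmac

MSS_TABLE = (536, 1220, 1440, 1460)        # MSS values encodable in the 3-bit index


def _mac24(key, client, server, t):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time counter."""
    msg = "%s:%d|%s:%d|%d" % (client[0], client[1], server[0], server[1], t)
    digest = hmac.new(key, msg.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(key, client, server, t, mss_idx):
    """Server ISN for the SYN-ACK: 5 bits of time counter, 3 bits of MSS index,
    24 bits of MAC. Nothing about the half-open connection is stored, so a
    flood of SYNs consumes no table space on the server."""
    return ((t & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | _mac24(key, client, server, t)


def check_cookie(key, client, server, now, ack):
    """Validate the third packet of the handshake. Returns the MSS to use for
    the connection, or None if the ACK does not carry a valid cookie.
    The client acknowledges ISN+1, so the cookie is ack-1. Cookies minted in
    the current or the previous counter tick are accepted."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t_bits = cookie >> 27
    for t in (now, now - 1):
        if (t & 0x1F) == t_bits and (cookie & 0xFFFFFF) == _mac24(key, client, server, t):
            return MSS_TABLE[(cookie >> 24) & 0x7]
    return None
```

The trade-off a practitioner should know: with cookies active the server cannot remember TCP options other than the MSS it encoded, and a forged ACK has a 1 in 2^24 chance per guess of being accepted for a given time window, which is why the counter is short-lived and the key is rotated.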
-
Page 280
6.7. Blacklisting Hosts and Networks Overview NetDefendOS implements a Blacklist of host or network IP addresses which can be utilized to protect against traffic coming from specific Internet sources. Certain NetDefendOS subsystems have the ability to optionally blacklist a host or network when certain conditions are encountered. These subsystems a[...]
-
Page 281
For further details on usage see Section 6.5.7, “IDP Actions” , Section 10.3.8, “Threshold Rule Blacklisting” and Section 10.3, “Threshold Rules” . Note: The content filtering blacklist is separate Content filtering blacklisting is a separate subject and uses a separate logical list (see Section 6.3, “Web Content Filtering”). The CL[...]
-
Page 283
Chapter 7. Address Translation This chapter describes NetDefendOS address translation capabilities. • NAT, page 283 • NAT Pools, page 288 • SAT, page 291 The ability of NetDefendOS to change the IP address of packets as they pass through the D-Link Firewall is known as address translation . The ability to transform one IP address to another c[...]
-
Page 284
NAT provides many-to-one translation . This means that each NAT rule in the IP rule set will translate between several source IP addresses and a single source IP address. To maintain session state information, each connection from dynamically translated addresses uses a unique port number and IP address combination as its sender. NetDefendOS perfor[...]
-
Page 285
many NAT pools and a single pool can be used in more than one NAT rule. This topic is discussed further in Section 7.2, “NAT Pools” . Applying NAT Translation The following illustrates how NAT is applied in practice on a new connection: 1. The sender, for example 192.168.1.5, sends a packet from a dynamically assigned port, for instance, port 1[...]
-
Page 286
2. Specify a suitable name for the rule, for example NAT_HTTP 3. Now enter: • Action: NAT • Service: http • Source Interface: lan • Source Network: lannet • Destination Interface: any • Destination Network: all-nets 4. Under the NAT tab, make sure that the Use Interface Address option is selected 5. Click OK Protocols Handled by NAT Dyn[...]
-
Page 287
ISP using PPTP. The traffic is directed to the anonymizing service provider where a D-Link Firewall is installed to act as the PPTP server for the client, terminating the PPTP tunnel. This arrangement is illustrated in the diagram below. Figure 7.2. Anonymizing with NAT NetDefendOS is set up with NAT rules in the IP rule set so it takes communicati[...]
-
Page 288
7.2. NAT Pools Overview As discussed in Section 7.1, “NAT” , NAT provides a way to have multiple internal clients and hosts with unique private internal IP addresses communicate to remote hosts through a single external public IP address. When multiple public external IP addresses are available then a NAT Pool object can be used to allocate new[...]
-
Page 289
Stateless NAT Pools The Stateless option means that no state table is maintained and the external IP address chosen for each new connection is the one that has the least connections already allocated to it. This means two connections between one internal host to the same external host may use two different external IP addresses. The advantage of a [...]
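The two mechanisms described in Section 7.1 and here, dynamic many-to-one NAT keyed on a unique external address and port pair, and a stateless NAT pool that hands each new connection to the external address with the fewest connections, can be modelled together. The following is an added example for this page, not NetDefendOS code; the port range, the address values and the tie-break rule for equally loaded pool addresses are the example's own assumptions.

```python
from collections import Counter


class DynamicNat:
    """Dynamic (many-to-one) NAT with an optional pool of external addresses.

    Translation state is keyed on the (external IP, external port) pair, which
    is unique per connection; the stored (internal IP, port, destination) is
    what lets return traffic find its way back to the right host.
    """

    def __init__(self, external_ips, port_min=32768, port_max=60999):
        self.external_ips = list(external_ips)
        self.port_min, self.port_max = port_min, port_max
        self.next_port = port_min
        self.by_external = {}   # (ext_ip, ext_port) -> (int_ip, int_port, dst)
        self.by_internal = {}   # (int_ip, int_port, dst) -> (ext_ip, ext_port)

    def _pick_external_ip(self):
        """Stateless-pool policy from the manual: the address with the fewest
        connections currently allocated to it (ties: first in the pool)."""
        load = Counter(ip for ip, _port in self.by_external)
        return min(self.external_ips,
                   key=lambda ip: (load[ip], self.external_ips.index(ip)))

    def outbound(self, src_ip, src_port, dst):
        """Translate a new (or already known) outbound connection; returns the
        (ext_ip, ext_port) sender that the remote host will see."""
        key = (src_ip, src_port, dst)
        if key in self.by_internal:
            return self.by_internal[key]
        ext_ip = self._pick_external_ip()
        for _ in range(self.port_max - self.port_min + 1):
            port = self.next_port
            self.next_port = self.port_min if port == self.port_max else port + 1
            if (ext_ip, port) not in self.by_external:
                self.by_external[(ext_ip, port)] = key
                self.by_internal[key] = (ext_ip, port)
                return ext_ip, port
        raise RuntimeError("NAT port space exhausted for %s" % ext_ip)

    def inbound(self, ext_ip, ext_port, sender):
        """Translate a reply. Only packets that hit an existing translation and
        come from the host the internal client contacted are let back in;
        anything else is dropped (None), which is why plain NAT blocks
        unsolicited inbound connections."""
        entry = self.by_external.get((ext_ip, ext_port))
        if entry is None or entry[2] != sender:
            return None
        return entry[0], entry[1]

    def close(self, ext_ip, ext_port):
        """Release the translation when the connection ends."""
        key = self.by_external.pop((ext_ip, ext_port), None)
        if key is not None:
            del self.by_internal[key]
```

With a two-address pool, two connections from the same internal host to the same server land on different external addresses, which is the behaviour the text warns about: a remote service that ties a session to the client's source address may see it change mid-session.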
-
Page 290
Web Interface A. First create an object in the address book for the address range: 1. Go to Objects > Address Book > Add > IP address 2. Specify a suitable name for the IP range nat_pool_range 3. Enter 10.6.13.10-10.6.13.15 in the IP Address textbox (a network such as 10.6.13.0/24 could be used here - the 0 and 255 addresses will be autom[...]
-
Page 291
7.3. SAT NetDefendOS can translate entire ranges of IP addresses and/or ports. Such translations are transpositions, that is, each address or port is mapped to a corresponding address or port in the new range, rather than translating them all to the same address or port. This functionality is known as Static Address Translation (SAT). Some other ve[...]
-
Page 292
• Source Network: all-nets • Destination Interface: core • Destination Network: wan_ip 4. Under the SAT tab, make sure that the Destination IP Address option is selected 5. In the New IP Address textbox, enter 10.10.10.5 6. Click OK Then create a corresponding Allow rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Specify a suitable[...]
-
Page 293
However, suppose that we use another interface, ext2, in the D-Link Firewall and connect it to another network, perhaps to that of a neighboring company so that they can communicate much faster with our servers. If option 1 was selected, the rule set must be adjusted thus: # Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any all-nets[...]
-
Page 294
• lan_ip (10.0.0.1): the D-Link Firewall's private internal IP address • wwwsrv (10.0.0.2): the web servers private IP address • PC1 (10.0.0.3): a machine with a private IP address The order of events is as follows: • PC1 sends a packet to wan_ip to reach "www.ourcompany.com": 10.0.0.3:1038 => 195.55.66.77:80 • NetDefend[...]
-
Page 295
Original Address Translated Address 194.1.2.22 192.168.0.56 194.1.2.23 192.168.0.57 In other words: • Attempts to communicate with 194.1.2.16 will result in a connection to 192.168.0.50 . • Attempts to communicate with 194.1.2.22 will result in a connection to 192.168.0.56 . An example of when this is useful is when having several protected ser[...]
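The 1:1 mapping in the table above is a transposition: the offset of an address within the public range selects the address at the same offset in the private range, and the reply is translated back by the inverse calculation. The following is an added example for this page, not NetDefendOS code, covering both the 1:1 case and the N:1 (all-to-one) case introduced in Section 7.3.3; the class and method names are the example's own, loosely mirroring the SETDEST/SETSRC parameters in the rule tables.

```python
import ipaddress


class SatRule:
    """Static Address Translation of a destination range.

    one_to_one=True  : transposition, the i-th address of the original range
                       maps to the i-th address starting at `translated` (1:1).
    one_to_one=False : every address of the range maps to `translated` (N:1).
    """

    def __init__(self, original, translated, one_to_one=True):
        lo, hi = (ipaddress.ip_address(x.strip()) for x in original.split("-"))
        self.lo, self.hi = lo, hi
        self.translated = ipaddress.ip_address(translated)
        self.one_to_one = one_to_one

    def matches(self, addr):
        return self.lo <= ipaddress.ip_address(addr) <= self.hi

    def setdest(self, dst):
        """Rewrite the destination of a packet arriving for the public range."""
        a = ipaddress.ip_address(dst)
        if not (self.lo <= a <= self.hi):
            return None
        if not self.one_to_one:
            return str(self.translated)
        return str(self.translated + (int(a) - int(self.lo)))

    def setsrc_for_reply(self, src):
        """Reverse translation for the reply: the private source becomes the
        public address the client originally talked to. For N:1 the reverse
        mapping is ambiguous, so a real engine relies on the connection state
        recorded when the first packet was translated (None here)."""
        if not self.one_to_one:
            return None
        a = ipaddress.ip_address(src)
        offset = int(a) - int(self.translated)
        if not 0 <= offset <= int(self.hi) - int(self.lo):
            return None
        return str(self.lo + offset)
```

Note that a SAT rule only rewrites addresses: the matching Allow, NAT or FwdFast rule still decides whether the translated packet is forwarded, exactly as in the rule tables of this section.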
-
Page 296
Create an address object for the public IP address: 1. Go to Objects > Address Book > Add > IP address 2. Specify a suitable name for the object, for example wwwsrv_pub 3. Enter 195.55.66.77 - 195.55.66.81 as the IP Address 4. Click OK Now, create another address object for the base of the web server IP addresses: 1. Go to Objects > [...]
-
Page 297
• Source Interface: any • Source Network: all-nets • Destination Interface: wan • Destination Network: wwwsrv_pub 4. Click OK 7.3.3. All-to-One Mappings (N:1) NetDefendOS can be used to translate ranges and/or groups into just one IP address. # Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any all-nets wan 194.1.2.16-194.1.2[...]
-
Page 298
Protocols that are impossible to translate using SAT are most likely also impossible to translate using NAT. Reasons for this include: • The protocol cryptographically requires that the addresses are unaltered; this applies to many VPN protocols. • The protocol embeds its IP addresses inside the TCP or UDP level data, and subsequently requires [...]
-
Page 299
# Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any all-nets core wan_ip http SETDEST wwwsrv 80 2 SAT lan wwwsrv any all-nets 80 -> All SETSRC wan_ip 80 3 FwdFast any all-nets core wan_ip http 4 FwdFast lan wwwsrv any all-nets 80 -> All We now add a NAT rule to allow connections from the internal network to the Internet: # Act[...]
-
Page 302
Chapter 8. User Authentication This chapter describes how NetDefendOS implements user authentication. • Overview, page 302 • Authentication Setup, page 304 • Customizing HTML Pages, page 315 8.1. Overview In situations where individual users connect to protected resources through the D-Link Firewall, the administrator will often require that [...]
-
Page 303
• Changed on a regular basis such as every three months. 8.1. Overview Chapter 8. User Authentication 303[...]
-
Page 304
8.2. Authentication Setup 8.2.1. Setup Summary The following list summarizes the steps for User Authentication setup with NetDefendOS: • Set up a database of users, each with a username/password combination. This can exist locally in a NetDefendOS User DB object, or remotely on a RADIUS server and will be designated as the Authentication Source .[...]
-
Page 305
RADIUS with NetDefendOS NetDefendOS acts as a RADIUS client, sending user credentials and connection parameter information as a RADIUS message to a nominated RADIUS server. The server processes the requests and sends back a RADIUS message to accept or deny them. One or more external servers can be defined in NetDefendOS. RADIUS Security To provide [...]
-
Page 306
unreachable. The default value for this setting is 5 . • Name Attribute The name of the field in the LDAP server containing the username. The default value is uid . This should be set to samaccountname if using Active Directory. • Retrieve Group Membership If this option is enabled, group memberships will be received from the database. The Memb[...]
-
Page 307
LDAP server authentication is automatically configured to work using LDAP Bind Request Authentication . This means that authentication succeeds if a successful bind is made to the LDAP server. Individual clients are not distinguished from one another. LDAP server referrals should not occur with bind request authentication but if they do, the se[...]
-
Page 308
gw-world:/> show LDAPDatabase LDAP Authentication and PPP When using a PPP based client for PPTP or L2TP access, special consideration has to be taken if LDAP authentication is to succeed with CHAP, MS-CHAPv1 or MS-CHAPv2. A. Normal LDAP Authentication Normal LDAP authentication for Webauth, XAuth, or PPP with PAP security is illustrated in the [...]
-
Page 309
Figure 8.2. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 When setting up this scenario, the administrator needs to take note of the following issues: 1. User passwords will be stored in two places so changing one means a separate change to the other. 2. Users will not be able to change their passwords unless both passwords can somehow be changed [...]
-
Page 310
A further option, Disallow , can be used so that a negative rule can be created which says "never authenticate given these conditions". This option might be used, for instance, to never authenticate connections coming in on a particular interface. These Disallow rules are usually best located at the end of the authentication rule set. •[...]
-
Page 311
authentication: 1. A user creates a new connection to the D-Link Firewall. 2. NetDefendOS sees the new user connection on an interface and checks the Authentication rule set to see if there is a matching rule for traffic on this interface, coming from this network and data which is one of the following types: • HTTP traffic • HTTPS traffic • [...]
-
Page 312
• FORM - The user is presented with an HTML page for authentication which is filled in and the data sent back to NetDefendOS with a POST. • BASICAUTH - This sends a 401 (Unauthorized) response with a WWW-Authenticate header back to the browser which will cause it to use its own inbuilt dialog to ask the user for a username/password combination. A Realm String can o[...]
-
Page 313
Example 8.1. Creating an Authentication User Group In the example of an authentication address object in the Address Book, a user group "users" is used to enable user authentication on "lannet". This example shows how to configure the user group in the NetDefendOS database. Web Interface Step A 1. Go to User Authentication > [...]
-
Page 314
3. Click OK B. Set up the Authentication Rule 1. Go to User Authentication > User Authentication Rules > Add > User Authentication Rule 2. Now enter: • Name: HTTPLogin • Agent: HTTP • Authentication Source: Local • Interface: lan • Originator IP: lannet 3. For Local User DB choose lannet_auth_users 4. For Login Type choose HTMLFo[...]
-
Page 315
3. Click OK 8.3. Customizing HTML Pages User Authentication makes use of a set of HTML files to present information to the user during the authentication process. The options available for HTTP authentication processing are as follows: • When a user attempts to use a browser to open a web page they are directed to a login page (the FormLogin page[...]
-
Page 316
• - The web page URL for redirects. The %REDIRURL% Parameter In certain banner web pages, the parameter %REDIRURL% appears. This is a placeholder for the original URL which was requested before the user login screen appeared for an unauthenticated user. Since that URL originates in the unauthenticated client's own request, a customized page should not emit it unescaped. Following successful authentication, the user becomes redirected to the URL held by this param[...]
-
Page 317
This creates an object which contains a copy of all the Default user auth banner files. 3. The modified file is then uploaded using SCP. It is uploaded to the object type HTTPAuthBanner and the object ua_html with property name FormLogin . If the edited FormLogin local file is called my.html then using the OpenSSH scp client, the upload command wo[...]
-
Page 319
Chapter 9. VPN This chapter describes the Virtual Private Network (VPN) functionality in NetDefendOS. • Overview, page 319 • VPN Quick Start, page 323 • IPsec Components, page 332 • IPsec Tunnels, page 346 • PPTP/L2TP, page 363 • CA Server Access, page 371 • VPN Troubleshooting, page 374 9.1. Overview 9.1.1. VPN Usage The Internet is [...]
-
Page 320
2. Client to LAN connection - Where many remote clients need to connect to an internal network over the Internet. In this case, the internal network is protected by the D-Link Firewall to which the client connects and the VPN tunnel is set up between them. 9.1.2. VPN Encryption Encryption of VPN traffic is done using the science of cryptography . C[...]
-
Page 321
• Restricting access through the VPN to needed services only, since mobile computers are vulnerable. • Creating DMZs for services that need to be shared with other companies through VPNs. • Adapting VPN access policies for different groups of users. • Creating key distribution policies. Endpoint Security A common misconception is that VPN-c[...]
-
Page 323
9.2. VPN Quick Start Later sections in this chapter will explore VPN components in detail. To help put those later sections in context, this section is a quick start summary of the key steps in VPN setup. It outlines the individual steps in setting up VPNs for the most common VPN scenarios. These are: • IPsec LAN to LAN with Pre-shared Keys • I[...]
-
Page 324
• Set Remote Endpoint to remote_gw . • Set Encapsulation mode to Tunnel . • Choose the IKE and IPsec algorithm proposal lists to be used. • For Authentication select the Pre-shared Key object defined in step (1) above. The IPsec Tunnel object can be treated exactly like any NetDefendOS Interface object in later steps. 5. Set up two IP rules[...]
-
Page 325
key file. The gateway certificate needs just the certificate file added. 4. Set up the IPsec Tunnel object as for pre-shared keys, but specify the certificates to use under Authentication . Do this with the following steps: a. Enable the X.509 Certificate option. b. Add the Root Certificate to use. c. Select the Gateway Certificate . 5. Open the We[...]
-
Page 326
• An external authentication server. An internal user database is easier to set up and is assumed here. Changing this to an external server is simple to do later. To implement user authentication with an internal database: • Define a Local User DB object (let's call this object TrustedUsers ). • Add individual users to TrustedUsers . Thi[...]
-
Page 327
object could be used which specifies the exact range of the pre-allocated IP addresses. B. IP addresses handed out by NetDefendOS If the client IP addresses are not known then they must be handed out by NetDefendOS. To do this the above must be modified with the following: 1. If a specific IP address range is to be used as a pool of available addre[...]
-
Page 328
c. Add the Root Certificate to use. 4. The IPsec client software will need to be appropriately configured with the certificates and remote IP addresses. As already mentioned above, many third party IPsec client products are available and this manual will not focus on any one of these clients. The step to set up user authentication is optional since[...]
-
Page 329
• Set Inner IP Address to ip_int . • Set Tunnel Protocol to L2TP . • Set Outer Interface Filter to ipsec_tunnel . • Set Outer Server IP to ip_ext . • Select the Microsoft Point-to-Point Encryption levels allowed. Since the L2TP traffic is already protected by IPsec, this can be set to None only; otherwise the traffic is encrypted twice, which degrades throughput. • Set IP Pool t[...]
-
Page 330
the setup described above are: 1. The NetDefendOS date and time must be set correctly since certificates can expire. 2. Load a Gateway Certificate and Root Certificate into NetDefendOS. 3. When setting up the IPsec Tunnel object, specify the certificates to use under Authentication . This is done by: a. Enable the X.509 Certificate option. b. Selec[...]
-
Page 331
• Enable Proxy ARP on the int interface. • As in L2TP, enable the insertion of new routes automatically into the main routing table. 3. Define a User Authentication Rule, this is almost identical to L2TP: Agent Auth Source Src Network Interface Client Source IP PPP Local all-nets pptp_tunnel all-nets (0.0.0.0/0) 4. Now set up the IP rules in th[...]
-
Page 332
9.3. IPsec Components 9.3.1. Overview Internet Protocol Security (IPsec) is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP security at the network layer. An IPsec based VPN is made up of two parts: • Internet Key Exchange protocol (IKE) • IPsec protocols (AH/ESP/both) The first part, IKE, is the initial n[...]
-
Page 333
describing the incoming traffic, and the other the outgoing. In cases where ESP and AH are used in conjunction, four SAs will be created. IKE Negotiation The process of negotiating session parameters consists of a number of phases and modes. These are described in detail in the below sections. The flow of events can be summarized as follows: IKE Ph[...]
-
Page 334
However, since we do not want to publish too much of the negotiation in plaintext, we first agree upon a way of protecting the rest of the IKE negotiation. This is done, as described in the previous section, by the initiator sending a proposal-list to the responder. When this has been done, and the responder accepted one of the proposals, we try to [...]
-
Page 335
In transport mode, the traffic will not be tunneled, and is hence not applicable to VPN tunnels. It can be used to secure a connection from a VPN client directly to the D-Link Firewall, for example for IPsec protected remote configuration. This setting will typically be set to "tunnel" in most configurations. Remote Endpoint The remote en[...]
-
Page 336
The algorithms supported by NetDefendOS IPsec are: • AES • Blowfish • Twofish • Cast128 • 3DES • DES DES is only included to be interoperable with other older VPN implementations. The use of DES should be avoided whenever possible, since it is an older algorithm that is no longer considered to be sufficiently secure. 3DES, Blowfish and Cast128 all use a 64-bit block and are also now regarded as legacy ciphers; prefer AES wherever both peers support it. IKE Authentication [...]
-
Page 337
IPsec DH Group This specifies the Diffie-Hellman group to use for IPsec communication. The available DH groups are discussed below in the section titled Diffie-Hellman Groups . IPsec Encryption The encryption algorithm that will be used on the protected IPsec traffic. This is not needed when AH is used, or when ESP is used without encryption. The a[...]
-
Page 338
• DH group 2 (1024-bit) • DH group 5 (1536-bit) All these DH groups are available for use with IKE, IPsec and PFS. 9.3.3. IKE Authentication Manual Keying The "simplest" way of configuring a VPN is by using a method called "manual keying". This is a method where IKE is not used at all; the encryption and authentication keys [...]
-
Page 339
Certificates Each VPN firewall has its own certificate, and one or more trusted root certificates. The authentication is based on several things: • That each endpoint has the private key corresponding to the public key found in its certificate, and that nobody else has access to the private key. • That the certificate has been signed by someone[...]
-
Page 340
Apart from the IP packet data, AH also authenticates parts of the IP header. The AH protocol inserts an AH header after the original IP header. In tunnel mode, the AH header is inserted after the outer header, but before the original, inner IP header. ESP (Encapsulating Security Payload) The ESP protocol inserts an ESP header after the original IP [...]
-
Page 341
To achieve NAT detection both IPsec peers send hashes of their own IP addresses along with the source UDP port used in the IKE negotiations. This information is used to see whether the IP address and source port each peer uses is the same as what the other peer sees. If the source address and port have not changed, then the traffic has not been NAT[...]
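The NAT detection exchange described above can be reproduced exactly, because the hash construction is the one IKEv1 NAT traversal (RFC 3947) specifies: HASH(CKY-I | CKY-R | IP | Port), sent once for the address the peer is talking to and once for each address it believes it is sending from. The following is an added example for this page, not NetDefendOS code; the scenario (an initiator behind a NAT that rewrites 192.168.0.10 to 203.0.113.7, a responder directly on the Internet), the responder cookie and the fixed SHA-1 choice are constructed for the example, and the initiator cookie is the one shown in the ikesnoop trace later in this chapter.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port). IP is the packed
    address, Port is a 16-bit big-endian integer, HASH is the negotiated hash."""
    h = hashlib.new(algo)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)
    h.update(struct.pack("!H", port))
    return h.digest()


def nat_d_payloads(cky_i, cky_r, own, peer):
    """What a peer puts on the wire: first the hash of the address it is sending
    to, then the hash of its own address as it knows it."""
    return [nat_d_hash(cky_i, cky_r, *peer), nat_d_hash(cky_i, cky_r, *own)]


def detect_nat(cky_i, cky_r, received, my_addr, observed_peer):
    """Compare the received hashes against the addresses actually seen in the
    packet. Returns (nat_in_front_of_me, nat_in_front_of_peer)."""
    dst_hash, *src_hashes = received
    nat_before_me = dst_hash != nat_d_hash(cky_i, cky_r, *my_addr)
    nat_before_peer = nat_d_hash(cky_i, cky_r, *observed_peer) not in src_hashes
    return nat_before_me, nat_before_peer


# Constructed scenario and cookies (the responder cookie is a test value).
CKY_I = bytes.fromhex("6098238b67d97ea6")
CKY_R = bytes.fromhex("0011223344556677")
INITIATOR_PRIVATE = ("192.168.0.10", 500)   # address the initiator believes it has
INITIATOR_AS_SEEN = ("203.0.113.7", 500)    # source address after the NAT
RESPONDER = ("198.51.100.1", 500)


def responder_result():
    """The responder receives the initiator's NAT-D payloads and checks them
    against what the packet actually carried."""
    sent = nat_d_payloads(CKY_I, CKY_R, own=INITIATOR_PRIVATE, peer=RESPONDER)
    return detect_nat(CKY_I, CKY_R, sent, RESPONDER, INITIATOR_AS_SEEN)


def initiator_result():
    """The initiator receives the responder's payloads, which were computed
    with the post-NAT address, and sees that its own address was rewritten."""
    sent = nat_d_payloads(CKY_I, CKY_R, own=RESPONDER, peer=INITIATOR_AS_SEEN)
    return detect_nat(CKY_I, CKY_R, sent, INITIATOR_PRIVATE, RESPONDER)
```

Both sides reach a consistent conclusion (NAT in front of the initiator only) without either revealing its private address in clear, and only then do they switch to UDP encapsulation.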
-
Page 342
Several algorithm proposal lists are already defined by default in NetDefendOS for different VPN scenarios and user defined lists can be added. Two IKE algorithm lists and two IPsec lists are already defined by default: • High This consists of a more restricted set of algorithms to give higher security. The complete list is 3DES, AES, Blowfish, M[...]
-
Page 343
Pre-Shared Keys are used to authenticate VPN tunnels. The keys are secrets that are shared by the communicating parties before communication takes place. To communicate, both parties prove that they know the secret. The security of a shared secret depends on how "good" a passphrase is. Passphrases that are common words are extremely vulne[...]
-
Page 344
9.3.8. Identification Lists When certificates are used as authentication method for IPsec tunnels, the D-Link Firewall will accept all remote devices or VPN clients that are capable of presenting a certificate signed by any of the trusted Certificate Authorities. This can be a potential problem, especially when using roaming clients. Consider the s[...]
-
Page 345
3. Enter a name for the ID, for example JohnDoe 4. Select Distinguished name in the Type control 5. Now enter: • Common Name: John Doe • Organization Name: D-Link • Organizational Unit: Support • Country: Sweden • Email Address: john.doe@D-Link.com 6. Click OK Finally, apply the Identification List to the IPsec tunnel: 1. Go to Interfaces[...]
-
Page 346
9.4. IPsec Tunnels 9.4.1. Overview An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration capabilities as regular interfaces. When another D-Link Firewall or any IPsec compliant product tries to establish an IPsec [...]
-
Page 347
• Set up the VPN tunnel properties and include the Pre-Shared key. • Set up the VPN tunnel properties . • Set up the Route in the main routing table (or another table if an alternate is being used). • Set up the Rules (a 2-way tunnel requires 2 rules). 9.4.3. Roaming Clients An employee who is on the move who needs to access a central corpo[...]
-
Page 348
• Remote Network: all-nets • Remote Endpoint: (None) • Encapsulation Mode: Tunnel 3. For Algorithms enter: • IKE Algorithms: Medium or High • IPsec Algorithms: Medium or High 4. For Authentication enter: • Pre-Shared Key: Select the pre-shared key created earlier 5. Under the Routing tab: • Enable the option: Dynamically add route to [...]
-
Page 349
1. Go to Interfaces > IPsec > Add > IPsec Tunnel 2. Now enter: • Name: RoamingIPsecTunnel • Local Network: 10.0.1.0/24 (This is the local network that the roaming users will connect to) • Remote Network: all-nets • Remote Endpoint: (None) • Encapsulation Mode: Tunnel 3. For Algorithms enter: • IKE Algorithms: Medium or High •[...]
-
Page 350
3. Select the X.509 Certificate option 4. Click OK B. Create Identification Lists: 1. Go to Objects > VPN Objects > ID List > Add > ID List 2. Enter a descriptive name , for example sales 3. Click OK 4. Go to Objects > VPN Objects > ID List > Sales > Add > ID 5. Enter the name for the client 6. Select Email as Type 7. In [...]
-
Page 351
An IP pool is a cache of IP addresses collected from DHCP servers and leases on these addresses are automatically renewed when the lease time is about to expire. IP Pools also manage additional information such as DNS and WINS/NBNS, just as an ordinary DHCP server would. (For detailed information on pools see Section 5.5, “IP Pools” .) Defining[...]
-
Page 352
IP Validation NetDefendOS always checks if the source IP address of each packet inside an IPsec tunnel is the same as the IP address assigned to the IPsec client with IKE Config Mode. If a mismatch is detected the packet is always dropped and a log message generated with a severity level of Warning . This message includes the two IP addresses as we[...]
-
Page 353
The ikesnoop command can be entered via a CLI console or directly via the RS232 Console. To begin monitoring the full command is: gw-world:/> ikesnoop -on -verbose This means that ikesnoop output will be sent to the console for every VPN tunnel IKE negotiation. The output can be overwhelming so to limit the output to a single IP address, for exa[...]
-
Page 354
Authentication method : Pre-Shared Key Group description : MODP 1024 Life type : Seconds Life duration : 43200 Life type : Kilobytes Life duration : 50000 Transform 2/4 Transform ID : IKE Encryption algorithm : Rijndael-cbc (aes) Key length : 128 Hash algorithm : SHA Authentication method : Pre-Shared Key Group description : MODP 1024 Life type : S[...]
-
Page 355
Explanation of Values Exchange type: Main mode or aggressive mode Cookies: A random number to identify the negotiation Encryption algorithm: Cipher Key length: Cipher key length Hash algorithm: Hash Authentication method: Pre-shared key or certificate Group description: Diffie Hellman (DH) group Life type: Seconds or kilobytes Life duration: No of [...]
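Reading the proposal lists in an ikesnoop trace by eye is error-prone, and the values to look for are the ones this section explains: cipher, hash, DH group and key length per transform. The following is an added example for this page, not a NetDefendOS tool; it parses the "key : value" layout shown in the trace above and flags transforms a peer should not accept. The sample trace is constructed in that layout (it is not a real capture), and the thresholds (plain DES and MD5 as weak, MODP 768 as weak, MODP 1024 as legacy, keys under 128 bits as weak) are the example's own policy.

```python
import re

WEAK_GROUPS = {"MODP 768"}
LEGACY_GROUPS = {"MODP 1024"}

# Constructed trace in the ikesnoop layout shown on this page (not a real capture).
SAMPLE = """\
Transform 1/2
 Transform ID : IKE
 Encryption algorithm : Rijndael-cbc (aes)
 Key length : 128
 Hash algorithm : SHA
 Authentication method : Pre-Shared Key
 Group description : MODP 1024
 Life type : Seconds
 Life duration : 43200
Transform 2/2
 Transform ID : IKE
 Encryption algorithm : DES-cbc
 Hash algorithm : MD5
 Authentication method : Pre-Shared Key
 Group description : MODP 768
 Life type : Seconds
 Life duration : 43200
"""


def parse_transforms(text):
    """Split an ikesnoop proposal dump into one dict per 'Transform n/m' block."""
    transforms, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Transform (\d+)/(\d+)$", line)
        if m:
            current = {"index": int(m.group(1))}
            transforms.append(current)
            continue
        if current is not None and " : " in line:
            key, value = (part.strip() for part in line.split(" : ", 1))
            current.setdefault(key, value)   # keep the first 'Life type'/'Life duration'
    return transforms


def audit(transforms):
    """Return (transform, severity, reason) triples for proposals to reject or review."""
    findings = []
    for t in transforms:
        tag = "transform %d" % t["index"]
        enc = t.get("Encryption algorithm", "").lower()
        if enc.split("-")[0] == "des":            # plain DES only, not 3DES
            findings.append((tag, "weak", "DES encryption"))
        if t.get("Hash algorithm", "").lower() == "md5":
            findings.append((tag, "weak", "MD5 hash"))
        group = t.get("Group description", "")
        if group in WEAK_GROUPS:
            findings.append((tag, "weak", "%s DH group" % group))
        elif group in LEGACY_GROUPS:
            findings.append((tag, "legacy", "%s DH group, prefer 2048-bit or larger" % group))
        if int(t.get("Key length", "128")) < 128:
            findings.append((tag, "weak", "%s-bit key" % t["Key length"]))
    return findings


def weak_transforms(text):
    """Indices of transforms carrying at least one 'weak' finding."""
    return sorted({int(tag.split()[1])
                   for tag, severity, _reason in audit(parse_transforms(text))
                   if severity == "weak"})
```

Because the responder picks the first proposal it is willing to accept, a weak transform anywhere in a client's list is only harmless if the firewall's own proposal list excludes it; running the check on both sides' lists shows where a downgrade could be negotiated.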
-
Page 356
Payload data length : 16 bytes Vendor ID : cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 Description : draft-ietf-ipsec-nat-t-ike-02 VID (Vendor ID) Payload data length : 16 bytes Vendor ID : 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f Description : draft-ietf-ipsec-nat-t-ike-02 VID (Vendor ID) Payload data length : 16 bytes Vendor ID : 7d 94[...]
-
Page 357
Step 5. Client Sends Identification The initiator sends the identification which is normally an IP address or the Subject Alternative Name if certificates are used. IkeSnoop: Received IKE packet from 192.168.0.10:500 Exchange type : Identity Protection (main mode) ISAKMP Version : 1.0 Flags : E (encryption) Cookies : 0x6098238b67d97ea6 -> 0x5e34[...]
-
Page 358
Quick mode ISAKMP Version : 1.0 Flags : E (encryption) Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a Message ID : 0xaa71428f Packet length : 264 bytes # payloads : 5 Payloads: HASH (Hash) Payload data length : 16 bytes SA (Security Association) Payload data length : 164 bytes DOI : 1 (IPsec DOI) Proposal 1/1 Protocol 1/1 Protocol ID : ESP SPI [...]
-
Page 359
Authentication algorithm: HMAC (Hash) Group description: PFS and PFS group SA life type: Seconds or Kilobytes SA life duration: Number seconds or kilobytes Encapsulation mode: Could be transport, tunnel or UDP tunnel (NAT-T) ID: ipv4(any:0,[0..3]=10.4.2.6) Here the first ID is the local network of the tunnel from the client's point of view and[...]
-
Page 360
Flags : E (encryption) Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a Message ID : 0xaa71428f Packet length : 48 bytes # payloads : 1 Payloads: HASH (Hash) Payload data length : 16 bytes 9.4.6. IPsec Advanced Settings The following NetDefendOS advanced settings are available for configuring IPsec tunnels. IPsec Max Rules This specifies the tota[...]
-
Page 361
IPsec Before Rules Pass IKE and IPsec (ESP/AH) traffic sent to NetDefendOS directly to the IPsec engine without consulting the rule set. Default: Enabled IKE CRL Validity Time A CRL contains a "next update" field that dictates the time and date when a new CRL will be available for download from the CA. The time between CRL updates can be [...]
-
Page 362
In other words, the amount of time in tens of seconds that a tunnel is without traffic or any other sign of life before the peer is considered dead. If DPD is due to be triggered but other evidence of life is seen (such as IKE packets from the other side of the tunnel) within the time frame, no DPD-R-U-THERE messages will be sent. For example, if t[...]
-
Page 363
9.5. PPTP/L2TP The access by a client using a modem link over dial-up public switched networks, possibly with an unpredictable IP address, to protected networks via a VPN poses particular problems. Both the PPTP and L2TP protocols provide two different means of achieving VPN access from remote clients. The most commonly used feature that is relevan[...]
-
Page 364
TCP port 1723 and/or IP protocol 47 before the PPTP connection can be made to the D-Link Firewall. Examining the log can indicate if this problem occurred, with a log message of the following form appearing: Error PPP lcp_negotiation_stalled ppp_terminated Example 9.10. Setting up a PPTP server This example shows how to set up a PPTP Network Server.[...]
-
Page 365
This example shows how to set up an L2TP Network Server. The example assumes that you have created some address objects in the Address Book. You will have to specify the IP address of the L2TP server interface, an outer IP address (that the L2TP server should listen on) and an IP pool that the L2TP server will use to give out IP addresses to the clie[...]
-
Page 366
• Password: mypassword • Confirm Password: mypassword 5. Click OK Now we will set up the IPsec Tunnel, which will later be used in the L2TP section. As we are going to use L2TP, the Local Network is the same IP as the IP that the L2TP tunnel will connect to, wan_ip. Furthermore, the IPsec tunnel needs to be configured to dynamically add routes t[...]
-
Page 367
2. Enter a name for the L2TP tunnel, for example l2tp_tunnel 3. Now enter: • Inner IP Address: lan_ip • Tunnel Protocol: L2TP • Outer Interface Filter: l2tp_ipsec • Server IP: wan_ip 4. Under the PPP Parameters tab, check the Use User Authentication Rules control 5. Select l2tp_pool in the IP Pool control 6. Under the Add Route tab, select [...]
-
Page 368
DestinationInterface=any DestinationNetwork=all-nets name=NATL2TP Web Interface 1. Go to Rules > IP Rules > Add > IPRule 2. Enter a name for the rule, for example AllowL2TP 3. Now enter: • Action: Allow • Service: all_services • Source Interface: l2tp_tunnel • Source Network: l2tp_pool • Destination Interface: any • Destination[...]
-
Page 369
Default: 10 9.5.4. PPTP/L2TP Clients The PPTP and L2TP protocols are described in the previous section. In addition to being able to act as a PPTP or L2TP server, NetDefendOS also offers the ability to act as a PPTP or L2TP client. This can be useful if PPTP or L2TP is preferred as the VPN protocol instead of IPsec. One D-Link Firewall can act as [...]
-
Page 370
• Idle Timeout - The time of inactivity in seconds to wait before disconnection. Using the PPTP Client Feature One usage of the PPTP client feature is shown in the scenario depicted below. Here a number of clients are being NATed through NetDefendOS before being connected to a PPTP server on the other side of the D-Link Firewall. If more than one[...]
-
Page 371
9.6. CA Server Access Overview Where certificates are used, the two sides of a VPN tunnel exchange their certificates during the tunnel setup negotiation and either may then try to validate the received certificate by accessing a CA server. A certificate contains a URL (the CRL Distribution Point) which specifies the validating CA server and serv[...]
-
Page 372
3. The CA server is a commercial server on the public Internet. In this, the simplest case, public DNS servers will resolve the FQDN. The only requirement is that NetDefendOS will need to have at least one public DNS server address configured to resolve the FQDNs in the certificates it receives. • It must also be possible for an HTTP PUT request [...]
-
Page 373
As explained previously, the address of the private CA server must be resolvable through public DNS servers for certificate validation requests coming from the public Internet. If the certificate queries are coming only from the D-Link Firewall and the CA server is on the internal side of the firewall then the IP address of the internal DNS server [...]
-
Page 374
9.7. VPN Troubleshooting General Troubleshooting In all types of VPNs some basic troubleshooting checks can be made: • Check that all IP addresses have been specified correctly. • Check that all pre-shared keys and usernames/passwords are correctly entered. • Use ICMP Ping to confirm that the tunnel is working. With roaming clients this is be[...]
-
Page 375
• Check that the correct certificates have been used. • Check that the certificate .cer and .key files have the same filename. For example, my_cert.key and my_cert.cer. • Check that the certificates have not expired. • Check that the NetDefendOS date and time are set correctly and consider time-zone issues with newly generated certificates [...]
-
Page 376
single tunnel by specifying the IP address of the tunnel's endpoint (this is either the IP of the remote endpoint or a client's IP address). The command takes the form: ikesnoop -on <ip-address> -verbose Ikesnoop can be turned off with the command: ikesnoop -off For a more detailed discussion of this topic, see Section 9.4.5, “Tro[...]
-
Page 377
Management Interface Failure with VPN Chapter 9. VPN 377[...]
-
Page 378
Chapter 10. Traffic Management This chapter describes how NetDefendOS can manage network traffic. • Traffic Shaping, page 378 • IDP Traffic Shaping, page 394 • Threshold Rules, page 399 • Server Load Balancing, page 401 10.1. Traffic Shaping 10.1.1. Introduction QoS with TCP/IP A weakness of TCP/IP is the lack of true Quality of Service (Qo[...]
-
Page 379
• Applying bandwidth limits and queuing packets that exceed configured limits, then sending them later when bandwidth demands are lower. • Dropping packets if packet buffers are full. The packets to be dropped should be chosen from those that are responsible for the "jam". • Prioritizing traffic according to administrator decisions.[...]
-
Page 380
least one rule must be created for traffic shaping to begin to function. When a Pipe Rule is defined, the pipes to be used with that rule are also specified and they are placed into one of two lists in the Pipe Rule. These lists are: • The Forward Chain These are the pipes that will be used for outgoing (leaving) traffic from the D-Link Firewall.[...]
-
Page 381
10.1.3. Simple Bandwidth Limiting The simplest use of pipes is for bandwidth limiting. This is also a scenario that does not require much planning. The example that follows applies a bandwidth limit to inbound traffic only. This is the direction most likely to cause problems for Internet connections. Example 10.1. Applying a Simple Bandwidth Limit [...]
-
Page 382
3. Now enter: • Service: all_services • Source Interface: lan • Source Network: lannet • Destination Interface: wan • Destination Network: all-nets 4. Under the Traffic Shaping tab, select std-in in the Return Chain control 5. Click OK This setup limits all traffic from the outside (the Internet) to 2 megabits per second. No priori[...]
-
Page 383
2. Specify a name for the pipe, for example std-out 3. Enter 2000 in Total textbox 4. Click OK After creating a pipe for outbound bandwidth control, add it to the forward pipe chain of the rule created in the previous example: CLI gw-world:/> set PipeRule Outbound ForwardChain=std-out Web Interface 1. Go to Traffic Management > Traffic Shapin[...]
-
Page 384
default precedence of 0. Eight precedences exist, numbered from 0 to 7. Precedence 0 is the least important and 7 is the most important. A precedence can be viewed as a separate traffic queue; traffic in precedence 2 will be forwarded before traffic in precedence 0, precedence 4 forwarded before 2. The meaning of a precedence comes from the fact th[...]
-
Page 385
The precedence defined as the minimum pipe precedence has a special meaning: it acts as the Best Effort Precedence . All packets arriving at this precedence will always be processed on a "first come, first forwarded" basis and cannot be sent to another precedence. Packets with a higher precedence and that exceed the limits of that precede[...]
-
Page 386
Bandwidth guarantees ensure that there is a minimum amount of bandwidth available for a given precedence. This is done by specifying a maximum limit for the precedence in a pipe. This will be the maximum amount of bandwidth that the precedence will accept and will send ahead of lower precedences. Excess traffic above this limit will be sent at the [...]
-
Page 387
reserved amount, 64 and 32 kbps, respectively, of precedence 2 traffic will reach std-in. SSH and Telnet traffic exceeding their guarantees will reach std-in as precedence 0, the best-effort precedence of the std-in and ssh-in pipes. Note Here, the ordering of the pipes in the return chain is important. Should std-in appear before ssh-in and telne[...]
-
Page 388
Group Limits and Guarantees In addition to specifying a total limit for group users, limits can be specified for each precedence. If we specify a group user limit of 30 bps for precedence 2 then this means that users assigned a precedence of 2 by a Pipe Rule will be guaranteed 30 bps no matter how many users are using the pipe. Just as with normal [...]
-
Page 389
Limits should not be higher than the available bandwidth If pipe limits are set higher than the available bandwidth, the pipe will not know when the physical connection has reached its capacity. If the connection is 500 kbps but the total pipe limit is set to 600 kbps, the pipe will believe that it is not full and it will not throttle lower precede[...]
-
Page 390
• Pipe Rules send traffic through Pipes. • A pipe can have a limit which is the maximum amount of traffic allowed. • A pipe can only know when it is full if a limit is specified. • A single pipe should handle traffic in only one direction (although 2 way pipes are allowed). • Pipes can be chained so that one pipe's traffic feeds int[...]
-
Page 391
The reason for using 2 different pipes in this case is that they are easier to match to the physical link capacity. This is especially true with asymmetric links such as ADSL. First, two pipes called in-pipe and out-pipe need to be created with the following parameters: Pipe Name Min Prec Def Prec Max Prec Grouping Net size Pipe limit in-pipe 0[...]
-
Page 392
These rules are processed from top to bottom and force different kinds of traffic into precedences based on the Service. Customized service objects may need to be created first in order to identify particular types of traffic. The all service at the end catches anything that falls through from earlier rules since it is important that no traffic b[...]
-
Page 393
• Priority 0: Best effort Total: 1700 • in-pipe • Priority 6: VoIP 500 kbps Total: 2000 • out-pipe • Priority 6: VoIP 500 kbps Total: 2000 The following pipe rules are then needed to force traffic into the correct pipes and precedence levels: Rule Name Forward Pipes Return Pipes Src Int Source Network Dest Int Destination Network Service [...]
-
Page 394
10.2. IDP Traffic Shaping 10.2.1. Overview The IDP Traffic Shaping feature is traffic shaping that is performed based on information coming from the NetDefendOS Intrusion Detection and Prevention (IDP) subsystem (for more information on IDP see Section 6.5, “Intrusion Detection and Prevention” ). The Problem of Bandwidth Usage A prime use of ID[...]
-
Page 395
afterwards when other connections will be opened and subject to traffic shaping. Connections opened after the Time Window has expired will no longer be subject to traffic shaping. A Time Window of 0 means that only traffic flowing over the initial triggering connection will be subject to traffic shaping. Any associated connections that do not trigg[...]
-
Page 396
Network range but not host X. This tells NetDefendOS that host X is not relevant in making a decision about including new non-IDP-triggering connections in traffic shaping. It may seem counter-intuitive that client B is also included in the Network range but this is done on the assumption that client B is a user whose traffic might also have to be[...]
-
Page 397
IDP traffic shaping has a special CLI command associated with it called idppipes and this can examine and manipulate the hosts which are currently subject to traffic shaping. To display all hosts being traffic shaped by IDP Traffic Shaping, the command would be: gw-world:/> idppipes -show Host kbps Tmout ----------- ---- ---- 192.168.1.1 100 58 [...]
-
Page 398
If the administrator wants to guarantee a bandwidth level, say 10 Megabits, for an application then an IDP rule can be set up to trigger for that application with the Pipe action specifying the bandwidth required. The traffic shaping pipes that are then automatically created get the highest priority by default and are therefore guaranteed that band[...]
-
Page 399
10.3. Threshold Rules 10.3.1. Overview The objective of a Threshold Rule is to have a means of detecting abnormal connection activity as well as reacting to it. An example of a cause for such abnormal activity might be an internal host becoming infected with a virus that is making repeated connections to external IP addresses. It might alternativel[...]
-
Page 400
• Protect - Drop the triggering connection. Logging would be the preferred option if the appropriate triggering value cannot be determined beforehand. Multiple Actions for a given rule might consist of Audit for a given threshold while the action might become Protect for a higher threshold. 10.3.5. Multiple Triggered Actions When a rule is trigge[...]
-
Page 401
10.4. Server Load Balancing 10.4.1. Overview The Server Load Balancing (SLB) feature in NetDefendOS is a powerful tool that can improve the following aspects of network applications: • Performance • Scalability • Reliability • Ease of administration The primary benefit of SLB is to allow the network service load to be shared across multiple[...]
-
Page 402
The Additional Benefits of SLB Besides improving performance and scalability, SLB provides a number of other benefits: • SLB increases the reliability of network applications by actively monitoring the servers sharing the load. SLB can detect when a server fails or becomes congested and will not direct any further requests to that server unt[...]
-
Page 403
to the same host. Network Stickiness This mode is similar to IP stickiness except that by using a subnet mask, a range of hosts in a subnet can be specified. 10.4.4. The Distribution Algorithm There are several ways to determine how a load is shared across a server farm. NetDefendOS SLB supports the following algorithms: Round Robin The algorithm d[...]
-
Page 404
When the Round Robin algorithm is used, the first arriving requests R1 and R2 from Client 1 are both assigned to one server, say Server 1, according to stickiness. The next request R3 from Client 2 is then routed to Server 2. When R4 from Client 3 arrives, Server 1 gets its turn again and will be assigned R4. Figure 10.10. Stickiness an[...]
-
Page 405
10.4.5. Server Health Monitoring SLB uses Server Health Monitoring to continuously check the condition of the servers in an SLB configuration. SLB can monitor different OSI layers to check the condition of each server. Regardless of the algorithms used, if a server is deemed to have failed, SLB will not open any more connections to it until the ser[...]
-
Page 406
webservers would see only the IP address of the D-Link Firewall. Example 10.3. Setting up SLB In this example server load balancing is to be done between 2 HTTP webservers which are situated behind the D-Link Firewall. The 2 webservers have the private IP addresses 192.168.1.10 and 192.168.1.11 respectively. The default SLB values for monitoring, d[...]
-
Page 407
• Source Network: lannet • Destination Interface: core • Destination Network: ip_ext 3. Click OK E. Specify an Allow IP rule for the external clients: 1. Go to Rules > IP Rule Sets > main > Add > IP Rule 2. Enter: • Name: Web_SLB_ALW • Action: Allow • Service: HTTP • Source Interface: any • Source Network: all-nets • D[...]
-
Page 408
10.4.6. SLB_SAT Rules Chapter 10. Traffic Management 408[...]
-
Page 409
Chapter 11. High Availability This chapter describes the high availability fault-tolerance feature in D-Link Firewalls. • Overview, page 409 • HA Mechanisms, page 411 • HA Setup, page 413 • HA Issues, page 417 • HA Advanced Settings, page 418 11.1. Overview High Availability is a fault-tolerant capability that is available on certain mode[...]
-
Page 410
operations such as changing rules in the IP rule set are carried out as normal with the changes automatically being made to the configurations of both the master and the slave. Load-sharing D-Link HA clusters do not provide load-sharing since only one unit will be active while the other is inactive and only two D-Link Firewalls, the master and the [...]
-
Page 411
11.2. HA Mechanisms Basic Principles D-Link HA provides a redundant, state-synchronized hardware configuration. The state of the active unit, such as the connection table and other vital information, is continuously copied to the inactive unit via the sync interface. When cluster failover occurs, the inactive unit knows which connections are active[...]
-
Page 412
bus/slot/port of the interface. The Cluster ID must be unique for each cluster in a network. As the shared IP address always has the same hardware address, there will be no latency time in updating ARP caches of units attached to the same LAN as the cluster when failover occurs. When a cluster member discovers that its peer is not operational, it b[...]
-
Page 413
11.3. HA Setup This section provides a step-by-step guide for setting up an HA Cluster. 11.3.1. Hardware Setup 1. Start with two physically similar D-Link Firewalls. Both may be newly purchased or one may have been purchased to be the back-up unit (in other words, to be the slave unit). 2. The units should have the appropriate licenses for a cluste[...]
-
Page 414
The lan interface on the master and the lan interface on the slave would be connected to the same switch which then connects to an internal network. Similarly the wan interface on the master and the wan interface on the slave would connect to a switch which in turn connects to the external Internet. The hardware of the slave does not need to exactly match the m[...]
-
Page 415
Creating an object is mandatory for an interface pair used for remote management, but optional for other interfaces (in which case the default address localhost must be used which is an IP from the 127.0.0.0/8 subnet). 8. Go to Interfaces > Ethernet and go through each interface in the list, entering the shared IP address for that interface in t[...]
-
Page 416
• Make sure that the advanced setting High Buffers is set to be automatic for both units in the cluster. This setting determines how memory is allocated by NetDefendOS for handling increasing numbers of connections. A hardware restart is required for a change in this setting to take effect. Where a cluster has a very high number (for example, ten[...]
-
Page 417
11.4. HA Issues The following points should be kept in mind when managing and configuring an HA Cluster. SNMP SNMP statistics are not shared between master and slave. SNMP managers have no failover capabilities. Therefore both firewalls in a cluster need to be polled separately. Using Individual IP Addresses The unique individual IP addresses of th[...]
-
Page 418
11.5. HA Advanced Settings The following NetDefendOS advanced settings are available for High Availability: Sync Buffer Size How much sync data, in Kbytes, to buffer while waiting for acknowledgments from the cluster peer. Default: 1024 Sync Packet Max Burst The maximum number of state sync packets to send in a burst. Default: 20 Initial Silence Th[...]
-
Page 419
11.5. HA Advanced Settings Chapter 11. High Availability 419[...]
-
Page 420
Chapter 12. ZoneDefense This chapter describes the D-Link ZoneDefense feature. • Overview, page 420 • ZoneDefense Switches, page 421 • ZoneDefense Operation, page 422 12.1. Overview ZoneDefense Controls Switches ZoneDefense allows a D-Link Firewall to control locally attached switches. It can be used as a counter-measure to stop a virus-infec[...]
-
Page 421
12.2. ZoneDefense Switches Switch information regarding every switch that is to be controlled by the firewall has to be manually specified in the firewall configuration. The information needed in order to control a switch includes: • The IP address of the management interface of the switch • The switch model type • The SNMP community string ([...]
-
Page 422
12.3. ZoneDefense Operation 12.3.1. SNMP Simple Network Management Protocol (SNMP) is an application layer protocol for complex network management. SNMP allows the managers and managed devices in a network to communicate with each other. SNMP Managers A typical managing device, such as a D-Link Firewall, uses the SNMP protocol to monitor and contro[...]
-
Page 423
As a complement to threshold rules, it is also possible to manually define hosts and networks that are to be statically blocked or excluded. Manually blocked hosts and networks can be blocked by default or based on a schedule. It is also possible to specify which protocols and protocol port numbers are to be blocked. Exclude Lists can be created an[...]
-
Page 424
and put it into the Selected list. 3. Click OK Configure an HTTP threshold of 10 connections/second: 1. Go to Traffic Management > Threshold Rules > Add > Threshold Rule 2. For the Threshold Rule enter: • Name: HTTP-Threshold • Service: http 3. For Address Filter enter: • Source Interface: The firewall's management interface •[...]
-
Page 425
in less than a second while some models may require a minute or more. A second difference is the maximum number of rules supported by different switches. Some switches support a maximum of 50 rules while others support up to 800 (usually, in order to block a host or network, one rule per switch port is needed). When this limit has been reached no m[...]
-
Page 426
12.3.5. Limitations Chapter 12. ZoneDefense 426[...]
-
Page 427
Chapter 13. Advanced Settings This chapter describes the configurable advanced settings for NetDefendOS. The settings are divided up into the following categories: Note: Activate after changes After an advanced setting is changed an activate operation must be performed in order for the new NetDefendOS configuration to take effect. • IP Level Sett[...]
-
Page 428
Block 0.0.0.0 as source address. Default: Drop Block 0 Net Block 0.* as source addresses. Default: DropLog Block 127 Net Block 127.* as source addresses. Default: DropLog Block Multicast Src Block multicast source addresses (224.0.0.0 - 255.255.255.255). Default: DropLog TTL Min The minimum TTL value accepted on receipt. Default: 3 TTL on Low [...]
-
Page 429
SecuRemoteUDP Compatibility Allow IP data to contain eight bytes more than the UDP total length field specifies. Checkpoint SecuRemote violates NAT-T drafts. Default: Disabled IP Option Sizes Verifies the size of "IP options". These options are small blocks of information that may be added to the end of each IP header. This function check[...]
-
Page 430
IP Reserved Flag Indicates what NetDefendOS will do if there is data in the "reserved" fields of IP headers. In normal circumstances, these fields should read 0. Used by OS Fingerprinting. Default: DropLog Strip DontFragment Strip the Don’t Fragment flag for packets equal to or smaller than the size specified by this setting. Default: 6[...]
-
Page 431
13.2. TCP Level Settings TCP Option Sizes Verifies the size of TCP options. This function acts in the same way as IPOptionSizes described above. Default: ValidateLogBad TCP MSS Min Determines the minimum permissible size of the TCP MSS. Packets containing maximum segment sizes below this limit are handled according to the next setting. Default: 100[...]
-
Page 432
TCP Auto Clamping Automatically clamp TCP MSS according to MTU of involved interfaces, in addition to TCPMSSMax. Default: Enabled TCP Zero Unused ACK Determines whether NetDefendOS should set the ACK sequence number field in TCP packets to zero if it is not used. Some operating systems reveal sequence number information this way, which can make it [...]
-
Page 433
are not understood by any of today's standard systems. As NetDefendOS cannot understand checksum algorithms other than the standard algorithm, these options can never be accepted. The ALTCHKREQ option is normally never seen on modern networks. Default: StripLog TCP Option ALTCHKDATA Determines how NetDefendOS will handle alternate checksum data o[...]
-
Page 434
The TCP FIN flag together with SYN; normally invalid (strip=strip FIN). Default: DropLog TCP FIN/URG Specifies how NetDefendOS will deal with TCP packets with both FIN (Finish, close connection) and URG flags turned on. This should normally never occur, as you do not usually attempt to close a connection at the same time as sending "important&[...]
-
Page 435
Possible values are: Ignore - Do not validate. Means that sequence number validation is completely turned off. ValidateSilent - Validate and pass on. ValidateLogBad - Validate and pass on, log if bad. ValidateReopen - Validate reopen attempt like normal traffic; validate and pass on. ValidateReopenLog - Validate reopen attempts like normal traffic;[...]
-
Page 436
13.3. ICMP Level Settings ICMP Sends Per Sec Limit Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section. Defaul[...]
-
Page 437
13.4. State Settings Connection Replace Allows new additions to the NetDefendOS connection list to replace the oldest connections if there is no available space. Default: ReplaceLog Log Open Fails In some instances where the Rules section determines that a packet should be allowed through, the stateful inspection mechanism may subsequently decide t[...]
-
Page 438
Default: Log Log Connection Usage This generates a log message for every packet that passes through a connection that is set up in the NetDefendOS state-engine. Traffic whose destination is the D-Link Firewall itself, for example NetDefendOS management traffic, is not subject to this setting. The log message includes port, service, source/destinati[...]
-
Page 439
13.5. Connection Timeout Settings The settings in this section specify how long a connection can remain idle, that is to say with no data being sent through it, before it is automatically closed. Please note that each connection has two timeout values: one for each direction. A connection is closed if either of the two values reaches 0. TCP SYN Idl[...]
-
Page 440
Other Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before they are closed. Default: 130 13.5. Connection Timeout Settings Chapter 13. Advanced Settings 440[...]
-
Page 441
13.6. Length Limit Settings This section contains information about the size limits imposed on the protocols directly under IP level, such as TCP, UDP and ICMP. The values specified here concern the IP data contained in packets. In the case of Ethernet, a single packet can contain up to 1480 bytes of IP data without fragmentation. In addition to th[...]
-
Page 442
Specifies in bytes the maximum size of an AH packet. AH, Authentication Header, is used by IPsec where only authentication is applied. This value should be set at the size of the largest packet allowed to pass through the VPN connections, regardless of its original protocol, plus approx. 50 bytes. Default: 2000 Max SKIP Length Specifies in bytes th[...]
-
Page 443
13.7. Fragmentation Settings IP is able to transport up to 65536 bytes of data. However, most media, such as Ethernet, cannot carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate packets, each one given their own IP header and information that will help the recipient reassemble the original packet correct[...]
-
Page 444
Default: Check8 – compare 8 random locations, a total of 32 bytes Failed Fragment Reassembly Reassemblies may fail due to one of the following causes: • Some of the fragments did not arrive within the time stipulated by the ReassTimeout or ReassTimeLimit settings. This may mean that one or more fragments were lost on their way across the Intern[...]
-
Page 445
• NoLog - No logging is carried out under normal circumstances. • LogSuspect - Logs duplicated fragments if the reassembly procedure has been affected by "suspect" fragments. • LogAll - Always logs duplicated fragments. Default: LogSuspect Fragmented ICMP Other than ICMP ECHO (Ping), ICMP messages should not normally be fragmented a[...]
-
Page 446
Reassembly Illegal Limit Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving. Default: 60 13.7. Fragmentation Settings Chapter 13. Advanced Settings 446[...]
-
Page 447
13.8. Local Fragment Reassembly Settings Max Concurrent Maximum number of concurrent local reassemblies. Default: 256 Max Size Maximum size of a locally reassembled packet. Default: 10000 Large Buffers Number of large (over 2K) local reassembly buffers (of the above size). Default: 32 13.8. Local Fragment Reassembly Settings Chapter 13. Advanced S[...]
-
Page 448
13.9. Miscellaneous Settings UDP Source Port 0 How to treat UDP packets with source port 0. Default: DropLog Port 0 How to treat TCP/UDP packets with destination port 0 and TCP packets with source port 0. Default: DropLog Watchdog Time Number of non-responsive seconds before watchdog is triggered (0=disable). Default: 180 Flood Reboot Time As a fin[...]
-
Page 449
13.9. Miscellaneous Settings Chapter 13. Advanced Settings 449[...]
-
Page 450
Appendix A. Subscribing to Security Updates Introduction The NetDefendOS Anti-Virus (AV) module, the Intrusion Detection and Prevention (IDP) module and the Dynamic Web Content Filtering module all function using external D-Link databases which contain details of the latest viruses, security threats and URL categorization. These databases are const[...]
-
Page 451
Querying Update Status To get the status of IDP updates use the command: gw-world:/> updatecenter -status IDP To get the status of AV updates: gw-world:/> updatecenter -status Antivirus Querying Server Status To get the status of the D-Link network servers use the command: gw-world:/> updatecenter -servers Deleting Local Databases Some tec[...]
-
Page 452
Appendix B. IDP Signature Groups For IDP scanning, the following signature groups are available for selection. These groups are available only for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Policy. For further information see Section 6.5, “Intrusion Detection and Prevention”. Group[...]
Page 453
Group Name Intrusion Type FTP_FORMATSTRING Format string attack FTP_GENERAL FTP protocol and implementation FTP_LOGIN Login attacks FTP_OVERFLOW FTP buffer overflow GAME_BOMBERCLONE Bomberclone game GAME_GENERAL Generic game servers/clients GAME_UNREAL UnReal Game server HTTP_APACHE Apache httpd HTTP_BADBLUE Badblue web server HTTP_CGI HTTP CGI HTT[...]
Page 454
Group Name Intrusion Type POP3_DOS Denial of Service for POP POP3_GENERAL Post Office Protocol v3 POP3_LOGIN-ATTACKS Password guessing and related login attack POP3_OVERFLOW POP3 server overflow POP3_REQUEST-ERRORS Request Error PORTMAPPER_GENERAL PortMapper PRINT_GENERAL LP printing server: LPR LPD PRINT_OVERFLOW Overflow of LPR/LPD protocol/imple[...]
Page 455
Group Name Intrusion Type TFTP_OPERATION Operation Attack TFTP_OVERFLOW TFTP buffer overflow attack TFTP_REPLY TFTP Reply attack TFTP_REQUEST TFTP request attack TROJAN_GENERAL Trojan UDP_GENERAL General UDP UDP_POPUP Pop-up window for MS Windows UPNP_GENERAL UPNP VERSION_CVS CVS VERSION_SVN Subversion VIRUS_GENERAL Virus VOIP_GENERAL VoIP protocol[...]
Page 456
Appendix C. Verified MIME filetypes Some NetDefendOS Application Layer Gateways (ALGs) have the optional ability to verify that the contents of a downloaded file matches the type that the filetype in the filename indicates. The filetypes for which MIME verification can be done are listed in this appendix and the ALGs to which this applies are: • [...]
Page 457
Filetype extension Application cpl Windows Control Panel Extension file dbm Database file dcx Graphics Multipage PCX Bitmap file deb Debian Linux Package file djvu DjVu file dll Windows dynamic link library file dpa DPA archive data dvi TeX Device Independent Document eet EET archive egg Allegro datafile elc Emacs Lisp Byte-compiled Source Code emd[...]
Page 458
Filetype extension Application mpv MPEG-1 Video file Microsoft files Microsoft Office files, and other Microsoft files msa Atari MSA archive data niff, nif Navy Interchange File Format Bitmap noa Nancy Video CODEC nsf NES Sound file obj, o Windows object file, Linux object file ocx Object Linking and Embedding (OLE) Control Extension ogg Ogg Vorbis[...]
Page 459
Filetype extension Application tfm TeX font metric data tiff, tif Tagged Image Format file tnef Transport Neutral Encapsulation Format torrent BitTorrent Metainfo file ttf TrueType Font txw Yamaha TX Wave audio files ufa UFA archive data vcf Vcard file viv VivoActive Player Streaming Video file wav Waveform Audio wk Lotus 1-2-3 document wmv Windows[...]
Page 460
Appendix D. The OSI Framework Overview The Open Systems Interconnection Model defines a framework for inter-computer communications. It categorizes different protocols for a great variety of network applications into seven smaller, more manageable layers. The model describes how data from an application in one computer can be transferred through a [...]
Page 461
Appendix E. D-Link Worldwide Offices Below is a complete list of D-Link worldwide sales offices. Please check your own country area's local website for further details regarding support of D-Link products as well as contact details for local support. Australia 1 Giffnock Avenue, North Ryde, NSW 2113, Australia. TEL: 61-2-8899-1800, FAX: 61-2-8[...]
Page 462
Italy Via Nino Bonnet n. 6/b, 20154 – Milano, Italy. TEL: 39-02-2900-0676, FAX: 39-02-2900-1723. Website: www.dlink.it Latin America Isidora Goyenechea 2934, Oficina 702, Las Condes, Santiago – Chile. TEL: 56-2-232-3185, FAX: 56-2-232-0923. Website: www.dlink.cl Luxemburg Rue des Colonies 11, B-1000 Brussels, Belgium TEL: +32 (0)2 517 7111, FAX: +[...]
Page 463
Alphabetical Index A access rules, 193 accounting, 54 interim messages, 56 limitations with NAT, 57 messages, 54 system shutdowns, 57 address book, 70 ethernet addresses in, 72 folders, 74 IP addresses in, 70 address groups, 73 address translation, 283 admin account, 26 changing password for, 35 advanced settings ARP, 98 connection timeout, 439 DHC[...]
Page 464
BOOTP, 187 BPDU relaying, 177 Broadcast Enet Sender setting, 179 C CAM Size setting, 178 CAM To L3 Cache Dest Learning setting, 177 CA servers access, 371 client access, 372 FQDN resolution, 373 certificates, 109 CA authority, 109 certificate requests, 111 identification lists, 344 revocation list, 110 self-signed, 111, 324, 348 validity, 110 with [...]
Page 465
E end of life procedures, 67 ESMTP extensions, 209 ethernet interface, 81 changing IP addresses, 82 CLI command summary, 83 default gateway, 83 IP address, 82 with DHCP, 83 evasion attack prevention, 268 events, 49 distribution, 49 messages, 49 F Failed Fragment Reassembly setting, 444 filetype download block/allow in FTP ALG, 201 in HTTP ALG, 198 [...]
Page 466
IP Option Source/Return setting, 429 IP Options Timestamps setting, 429 IP pools, 190 with config mode, 350 IP Reserved Flag setting, 429 IP router alert option setting, 429 IP rules, 101 bi-directional connections, 104 IP rule set, 101 duplicate naming, 33 evaluation order, 103 folders, 105 IPsec, 332 advanced settings, 360 algorithm proposal list[...]
Page 467
creating with CLI, 157 N NAT, 283 anonymizing with, 286 IP rules, 104 pools, 288 stateful pools, 288 traversal, 340 network address translation (see NAT) NTP (see time synchronization) Null Enet Sender setting, 178 O open shortest path first (see OSPF) OSPF, 148 aggregates, 150 areas, 149 autonomous system, 148 Other Idle Lifetimes setting, 439 ove[...]
Page 468
max sessions, 78 specifying port number, 76 SYN flood protection, 77 TCP and UDP, 76 sgs file extension, 36 Silently Drop State ICMPErrors setting, 436 simple network management protocol (see SNMP) SIP ALG, 216 record-route, 218 SLB (see server load balancing) SMTP ALG, 207 ESMTP extensions, 209 header verification, 213 log receiver with IDP, 272 w[...]