manualshive.com logo in svg

D-Link 800 - DFL 800 - Security Appliance, User Manual, Page: 267 / 469

Share
Download
D-Link 800 - DFL 800 - Security Appliance User Manual Download Page 267

The console command

> updatecenter -status

will show the current status of the auto-update feature. This can also be done through the WebUI.

Updating in High Availability Clusters

Updating the IDP databases for both the D-Link Firewalls in an HA Cluster is performed
automatically by NetDefendOS. In a cluster there is always an active unit and an inactive unit. Only
the active unit in the cluster will perform regular checking for new database updates. If a new
database update becomes available the sequence of events will be as follows:

1.

The active unit determines there is a new update and downloads the required files for the
update.

2.

The active unit performs an automatic reconfiguration to update its database.

3.

This reconfiguration causes a failover so the passive unit becomes the active unit.

4.

When the update is completed, the newly active unit also downloads the files for the update
and performs a reconfiguration.

5.

This second reconfiguration causes another failover so the passive unit reverts back to being
active again.

These steps result in both D-Link Firewalls in a cluster having updated databases and with the
original active/passive roles. For more information about HA clusters refer to Chapter 11, High
Availability.

6.5.3. IDP Rules

Rule Components

An IDP Rule defines what kind of traffic, or service, should be analyzed. An IDP Rule is similar in
makeup to an IP Rule. IDP Rules are constructed like other security policies in NetDefendOS such
as IP Rules. An IDP Rule specifies a given combination source/destination interfaces/addresses as
well as being associated with a Service object which defines which protocols to scan. A time
schedule can also be associated with an IDP Rule. Most importantly, an IDP Rule specifies the
Action to take on detecting an intrusion in the traffic targeted by the rule.

HTTP Normalization

Each IDP rule has a section of settings for HTTP normalization. This allows the administrator to
choose the actions that should be taken when IDP finds inconsistencies in the URIs embedded in
incoming HTTP requests. Some server attacks are based on creating URIs with sequences that can
exploit weaknesses in some HTTP server products.

The URI conditions which IDP can detect are:

Invalid UTF8

This looks for any invalid UTF8 characters in a URI.

Invalid hex encoding

A valid hex sequence is where a percentage sign is followed by two hexadecimal values to
represent a single byte of data. An invalid hex sequence would be percentage sign followed by

6.5.3. IDP Rules

Chapter 6. Security Mechanisms

267

Summary of Contents for 800 - DFL 800 - Security Appliance

Page 1: ...ution http www dlink com curity curity cu u u u u u u u u u u u u u u u u ur r r r r r r r r r r r r r r rity S S S S S S S S S S S S ity ity DFL 210 800 1600 2500 DFL 260 860 Ver 1 08 Network Security Firewall User Manual ...

Page 2: ...r Manual DFL 210 260 800 860 1600 2500 NetDefendOS version 2 25 01 D Link Corporation No 289 Sinhu 3rd Rd Neihu District Taipei City 114 Taiwan R O C http www DLink com Published 2009 05 26 Copyright 2009 ...

Page 3: ...cular purpose The manufacturer reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of the manufacturer to notify any person of such revision or changes Limitations of Liability UNDER NO CIRCUMSTANCES SHALL D LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER E G DAMAGES FOR LOSS OF PROFIT SOFTWARE RESTORATION WORK S...

Page 4: ...2 3 2 RADIUS Accounting Messages 54 2 3 3 Interim Accounting Messages 56 2 3 4 Activating RADIUS Accounting 56 2 3 5 RADIUS Accounting Security 56 2 3 6 RADIUS Accounting and High Availability 56 2 3 7 Handling Unresponsive Servers 57 2 3 8 Accounting and System Shutdowns 57 2 3 9 Limitations with NAT 57 2 3 10 RADIUS Advanced Settings 57 2 4 SNMP Monitoring 59 2 4 1 SNMP Advanced Settings 60 2 5 ...

Page 5: ... 119 4 Routing 122 4 1 Overview 122 4 2 Static Routing 123 4 2 1 The Principles of Routing 123 4 2 2 Static Routing 127 4 2 3 Route Failover 130 4 2 4 Host Monitoring for Route Failover 133 4 2 5 Proxy ARP 135 4 3 Policy based Routing 137 4 3 1 Overview 137 4 3 2 Policy based Routing Tables 137 4 3 3 Policy based Routing Rules 137 4 3 4 PBR Table Selection 138 4 3 5 The Ordering parameter 138 4 4 ...

Page 6: ...ntrusion Detection and Prevention 265 6 5 1 Overview 265 6 5 2 IDP Availability in D Link Models 265 6 5 3 IDP Rules 267 6 5 4 Insertion Evasion Attack Prevention 268 6 5 5 IDP Pattern Matching 269 6 5 6 IDP Signature Groups 270 6 5 7 IDP Actions 271 6 5 8 SMTP Log Receiver for IDP Events 272 6 6 Denial of Service Attack Prevention 276 6 6 1 Overview 276 6 6 2 DoS Attack Mechanisms 276 6 6 3 Ping ...

Page 7: ...rview 332 9 3 2 Internet Key Exchange IKE 332 9 3 3 IKE Authentication 338 9 3 4 IPsec Protocols ESP AH 339 9 3 5 NAT Traversal 340 9 3 6 Algorithm Proposal Lists 341 9 3 7 Pre shared Keys 342 9 3 8 Identification Lists 344 9 4 IPsec Tunnels 346 9 4 1 Overview 346 9 4 2 LAN to LAN Tunnels with Pre shared Keys 346 9 4 3 Roaming Clients 347 9 4 4 Fetching CRLs from an alternate LDAP server 352 9 4 5...

Page 8: ... High Availability 409 11 1 Overview 409 11 2 HA Mechanisms 411 11 3 HA Setup 413 11 3 1 Hardware Setup 413 11 3 2 NetDefendOS Manual HA Setup 414 11 3 3 Verifying the Cluster is Functioning 415 11 3 4 Using Unique Shared Mac Addresses 416 11 4 HA Issues 417 11 5 HA Advanced Settings 418 12 ZoneDefense 420 12 1 Overview 420 12 2 ZoneDefense Switches 421 12 3 ZoneDefense Operation 422 12 3 1 SNMP 4...

Page 9: ...Scenario 177 6 1 Deploying an ALG 196 6 2 HTTP ALG Processing Order 199 6 3 SMTP ALG Processing Order 209 6 4 DNSBL SPAM Filtering 211 6 5 TLS Termination 239 6 6 Dynamic Content Filtering Flow 245 6 7 IDP Database Updating 266 7 1 NAT IP Address Translation 284 7 2 Anonymizing with NAT 287 8 1 Normal LDAP Authentication 308 8 2 LDAP for PPP with CHAP MS CHAPv1 or MS CHAPv2 309 9 1 The AH protocol...

Page 10: ... 3 10 Enabling DHCP 83 3 11 Defining a VLAN 86 3 12 Configuring a PPPoE client 89 3 13 Creating an Interface Group 92 3 14 Displaying the ARP Cache 95 3 15 Flushing the ARP Cache 95 3 16 Defining a Static ARP Entry 96 3 17 Adding an Allow IP Rule 105 3 18 Setting up a Time Scheduled Policy 107 3 19 Uploading a Certificate 111 3 20 Associating Certificates with IPsec Tunnels 111 3 21 Setting the Cu...

Page 11: ... Banner Files 257 6 19 Activating Anti Virus Scanning 263 6 20 Configuring an SMTP Log Receiver 272 6 21 Setting up IDP for a Mail Server 273 6 22 Adding a Host to the Whitelist 281 7 1 Adding a NAT Rule 285 7 2 Using NAT Pools 289 7 3 Enabling Traffic to a Protected Web Server in a DMZ 291 7 4 Enabling Traffic to a Web Server on an Internal Network 293 7 5 Translating Traffic to Multiple Protecte...

Page 12: ...fied URL in a browser in a new window some systems may not allow this For example http www dlink com Screenshots This guide contains a minimum of screenshots This is deliberate and is done because the manual deals specifically with NetDefendOS and administrators have a choice of management user interfaces It was decided that the manual would be less cluttered and easier to read if it concentrated ...

Page 13: ...rposes Note This indicates some piece of information that is an addition to the preceding text It may concern something that is being emphasized or something that is not obvious or explicitly stated in the preceding text Tip This indicates a piece of non critical information that is useful to know in certain situations but is not essential reading Caution This indicates where the reader should be ...

Page 14: ...ranular control allows the administrator to meet the requirements of the most demanding network security scenario Key Features NetDefendOS is an extensive and feature rich network operating system The list below presents the key features of the product IP Routing NetDefendOS provides a variety of options for IP routing including static routing dynamic routing as well as multicast routing capabilit...

Page 15: ...endOS provides a powerful Intrusion Detection and Prevention IDP engine The IDP engine is policy based and is able to perform high performance scanning and detection of attacks and can perform blocking and optional black listing of attacking hosts More information about the IDP capabilities of NetDefendOS can be found in Section 6 5 Intrusion Detection and Prevention Note IDP is only available on ...

Page 16: ...able network traffic Note ZoneDefense is only available on certain D Link NetDefendOS models NetDefendOS Documentation Reading through the available documentation carefully will ensure that you get the most out of your NetDefendOS product In addition to this document the reader should also be aware of the companion reference guides The emphasis CLI Reference Guide emphasis which details all NetDef...

Page 17: ...ion as the NetDefendOS state engine 1 2 2 NetDefendOS Building Blocks The basic building blocks in NetDefendOS are interfaces logical objects and various types of rules or rule sets Interfaces Interfaces are the doorways through which network traffic enters or leaves the hardware Without interfaces a NetDefendOS system has no means for receiving or sending traffic The following types of interface ...

Page 18: ... the packet is dropped and the event is logged If none the above is true the receiving Ethernet interface becomes the source interface for the packet 3 The IP datagram within the packet is passed on to the NetDefendOS Consistency Checker The consistency checker performs a number of sanity checks on the packet including validation of checksums protocol flags packet length and so on If the consisten...

Page 19: ...ucted on all packets belonging to this connection 9 The Traffic Shaping and the Threshold Limit rule sets are now searched If a match is found the corresponding information is recorded with the state This will enable proper traffic management on the connection 10 From the information in the state NetDefendOS now knows what to do with the incoming packet If ALG information is present or if IDP scan...

Page 20: ...mmary of the flow of packets through the NetDefendOS state engine There are three diagrams each flowing into the next Figure 1 1 Packet Flow Schematic Part I The packet flow is continued on the following page 1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 20 ...

Page 21: ...Figure 1 2 Packet Flow Schematic Part II The packet flow is continued on the following page 1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 21 ...

Page 22: ...Figure 1 3 Packet Flow Schematic Part III 1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 22 ...

Page 23: ...below presents the detailed logic of the Apply Rules function in Figure 1 2 Packet Flow Schematic Part II above Figure 1 4 Expanded Apply Rules Logic 1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 23 ...

Page 24: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 24 ...

Page 25: ...e or WebUI is built into NetDefendOS and provides a user friendly and intuitive graphical management interface accessible from a standard web browser Microsoft Internet Explorer or Firefox is recommended The browser connects to one of the hardware s Ethernet interfaces using HTTP or HTTPS and the NetDefendOS responds like a web server allowing web pages to be used as the management interface This ...

Page 26: ...s available LAN1 is the default interface 2 1 2 The Default Administrator Account By default NetDefendOS has a local user database AdminUsers that contains one pre defined administrator account This account has the username admin with password admin This account has full administrative read write privileges for NetDefendOS Important For security reasons it is recommended to change the default pass...

Page 27: ...lar to the one shown below will then be shown in the browser window Enter your username and password and click the Login button The factory default username and password is admin and admin If the user credentials are correct you will be transferred to the main Web Interface page First Time Web Interface Logon and the Setup Wizard When logging on for the first time the default username is admin and...

Page 28: ...2 1 2 The Default Administrator Account Note Access to the Web Interface is regulated by the remote management policy By default the system will only allow web access from the internal network Interface Layout The main Web Interface page is divided into three major sections Menu bar The menu bar located at the top of the Web Interface contains a number of buttons and drop down menus that are used ...

Page 29: ...or located on the left hand side of the Web Interface contains a tree representation of the system configuration The tree is divided into a number of sections corresponding to the major building blocks of the configuration The tree can be expanded to expose additional sections Main Window The main window contains configuration or status details corresponding to the section selected in the navigato...

Page 30: ... or require a command line approach to administration or who need more granular control of system configuration The CLI is available either locally through the serial console port connection to this is described below or remotely via an Ethernet interface using the Secure Shell SSH protocol from an SSH client The CLI provides a comprehensive set of commands that allow the display and modification ...

Page 31: ...pt After a command appears it can be re executed in it s original form or changed first before execution Tab Completion Remembering all the commands and their options can be difficult NetDefendOS provides a feature called tab completion which means that pressing the tab key will cause automatically completion of the current part of the command If completion is not possible then pressing the tab ke...

Page 32: ...ng tab again all the object types for that category is displayed Using categories means that the user has a simple way to specify what kind of object they are trying to specify and a manageable number of options are displayed after pressing tab Not all object types belong in a category The object type UserAuthRule is a type without a category and will appear in the category list after pressing tab...

Page 33: ...ocated a name as well Subsequent manipulation of such a rule can be done either by referring to it by its index that is to say its list position or by alternatively using the name assigned to it The CLI Reference Guide lists the parameter options available for each NetDefendOS object including the Name and Index options Using Unique Names For convenience and clarity it is recommended that a name i...

Page 34: ...iously 2 Connect one of the connectors of the RS 232 cable directly to the console port on your system hardware 3 Connect the other end of the cable to the terminal or the serial connector of the computer running the communications software 4 Press the enter key on the terminal The NetDefendOS login prompt should appear on the terminal screen SSH Secure Shell CLI Access The SSH Secure Shell protoc...

Page 35: ...ll be displayed directly after the logon For security reasons it is advisable to disable or anonymize the CLI welcome message Changing the admin User Password It is recommended to change the default password of the admin account from admin to something else as soon as possible after initial startup To change it to for example my password the following CLI commands are used First we must change the...

Page 36: ... the Address Book that does not exist in a restored configuration backup Logging off from the CLI After finishing working with the CLI it is recommended to logout in order to avoid letting anyone getting unauthorized access to the system Log off by using the exit or the logout command 2 1 5 CLI Scripts To allow the administrator to easily store and execute sets of CLI commands NetDefendOS provides...

Page 37: ...my_script sgs is to be executed with IP address 126 12 11 01 replacing all occurrences of 1 in the script file and the string If1 address replacing all occurrences of 2 The file my_script sgs contains the single CLI command line add IP4Address If1_ip Address 1 Comments 2 To run this script file after uploading the CLI command would be script execute name my_script sgs 126 12 11 01 If1 address When...

Page 38: ... To list the content of a specific uploaded script file for example my_script sgs the command would be gw world script show name my_script sgs Creating Scripts Automatically When the same configuration objects needs to be copied between multiple D Link Firewalls then one way to do this with the CLI is to create a script file that creates the required objects and then upload to and run the same scr...

Page 39: ...ware dependent cannot have a script created using the create option This is true when the CLI node type in the script create command is one of COMPortDevice Ethernet EthernetDevice Device If one of these node types is used then the error message script file empty is returned by NetDefendOS Commenting Script Files Any line in a script file that begins with the character is treated as a comment For ...

Page 40: ...t follow The following table summarizes the operations that can be performed between an SCP client and NetDefendOS File type Upload possible Download possible Configuration Backup config bak Yes also with WebUI Yes also with WebUI System Backup full bak Yes also with WebUI Yes also with WebUI Firmware upgrades Yes No Certificates Yes No SSH public keys Yes No Web auth banner files Yes Yes Web cont...

Page 41: ...mand would be scp config bak admin1 10 5 62 11 To download a configuration backup to the current local directory the command would be scp admin1 10 5 62 11 config bak To upload a file to an object type under the root the command is slightly different If we have a local CLI script file called my_script sgs then the upload command would be scp my_script sgs admin1 10 5 62 11 script If we have the sa...

Page 42: ...ons available in the boot menu are 1 Start firewall This initiates the complete startup of the NetDefendOS software on the D Link Firewall 2 Reset unit to factory defaults This option will restore the hardware to its initial factory state The operations performed if this option is selected are the following Remove console security so there is no console password Restore default NetDefendOS executa...

Page 43: ...nsole The password set for the console is not connected to the management passwords used for administrator access through a web browser It is valid only for console access 2 1 8 Management Advanced Settings Under the Remote Management section of the WebUI a number of advanced settings can be found These are SSH Before Rules Enable SSH traffic to the firewall regardless of configured IP Rules Defau...

Page 44: ...the configuration objects are organized into a tree like structure based on the type of the object In the CLI similar configuration object types are grouped together in a category These categories are different from the structure used in the Web Interface to allow quick access to the configuration objects in the CLI The IP4Address IP4Group and EthernetAddress types are for instance grouped in a ca...

Page 45: ...o show its contents in other words the values of the object properties This example shows how to display the contents of a configuration object representing the telnet service CLI gw world show Service ServiceTCPUDP telnet Property Value Name telnet DestinationPorts 23 Type TCP SourcePorts 0 65535 SYNRelay No PassICMPReturn No ALG none MaxSessions 1000 Comments Telnet The Property column lists the...

Page 46: ...t Changes to a configuration object will not be applied to a running system until you activate and commit the changes Example 2 6 Adding a Configuration Object This example shows how to add a new IP4Address object here creating the IP address 192 168 10 10 to the Address Book CLI gw world add Address IP4Address myhost Address 192 168 10 10 Show the new object gw world show Address IP4Address myhos...

Page 47: ... always be restored until the configuration has been activated and committed This example shows how to restore the deleted IP4Address object shown in the previous example CLI gw world undelete Address IP4Address myhost Web Interface 1 Go to Objects Address Book 2 Right click on the row containing the myhost object 3 In the dropdown menu displayed select Undo Delete Listing Modified Objects After m...

Page 48: ...ously if the configuration was activated via the CLI with the activate command then a commit command must be issued within that period If a lost connection could not be re established or if the commit command was not issued then NetDefendOS will revert to using the previous configuration This is a fail safe mechanism and amongst others things can help prevent a remote administrator from locking th...

Page 49: ...event which generates a mandatory event message as soon as the system starts up All event messages have a common format with attributes that include category severity and recommended actions These attributes enable easy filtering of messages either within NetDefendOS prior to sending to an event receiver or as part of the analysis after logging and storing messages on an external log server A list...

Page 50: ...dardized format for the log messages themselves The format used by NetDefendOS is well suited to automated processing filtering and searching Although the exact format of each log entry depends on how a Syslog receiver works most are very much alike The way in which logs are read is also dependent on how the syslog receiver works Syslog daemons on UNIX servers usually log to text files line by lin...

Page 51: ...gement System NMS and a managed device SNMP defines 3 types of messages a Read command for an NMS to examine a managed device a Write command to alter the state of a managed device and a Trap which is used by managed devices to send messages asynchronously to an NMS about a change of state SNMP Traps in NetDefendOS NetDefendOS takes the concept of an SNMP Trap one step further by allowing any even...

Page 52: ...g if needed by the trap receiver 5 Click OK The system will now be sending SNMP traps for all events with a severity greater than or equal to Alert to an SNMP trap receiver at 195 11 22 55 2 2 4 Advanced Log Settings The following advanced settings for logging are available to the administrator Send Limit This setting limits how many log packets NetDefendOS may send out per second This value shoul...

Page 53: ...The delay in seconds between alarms when a continuous alarm is used Minimum 0 Maximum 10 000 Default 60 one minute 2 2 4 Advanced Log Settings Chapter 2 Management and Maintenance 53 ...

Page 54: ...ting Messages Statistics such as number of bytes sent and received and number of packets sent and received are updated and stored throughout RADIUS sessions All statistics are updated for an authenticated user whenever a connection related to an authenticated user is closed When a new client session is started by a user establishing a new connection through the D Link Firewall NetDefendOS sends an...

Page 55: ...authenticated This is a physical port and not a TCP or UDP port User IP Address The IP address of the authenticated user This is sent only if specified on the authentication server Input Bytes The number of bytes received by the user Output Bytes The number of bytes sent by the user Input Packets The number of packets received by the user Output Packets The number of packets sent by the user Sessi...

Page 56: ...ecified A user authentication object must have a rule associated with it where a RADIUS server is specified Some important points should be noted about activation RADIUS Accounting will not function where a connection is subject to a FwdFast rule in the IP rule set The same RADIUS server does not need to handle both authentication and accounting one server can be responsible for authentication whi...

Page 57: ...n the case that the client for some reason fails to send a RADIUS AccountingRequest STOP packet the accounting server will never be able to update its user statistics but will most likely believe that the session is still active This situation should be avoided In the case that the D Link Firewall administrator issues a shutdown command while authenticated users are still online the AccountingRequ...

Page 58: ... that the RADIUS server will assume users are still logged in even though their sessions have been terminated Default Enabled Maximum Radius Contexts The maximum number of contexts allowed with RADIUS This applies to RADIUS use with both accounting and authentication Default 1024 Example 2 13 RADIUS Accounting Server Setup This example shows configuring of a local RADIUS server known as radius acc...

Page 59: ...he client software When the client runs the MIB file is accessed to inform the client of the values that can be queried on a NetDefendOS device Defining SNMP Access SNMP access is defined through the definition of a NetDefendOS Remote object with a Mode value of SNMP The Remote object requires the entry of Interface The NetDefendOS interface on which SNMP requests will arrive Network The IP addres...

Page 60: ...e management client is on the internal network it is not required to implement a VPN tunnel for it CLI gw world add RemoteManagement RemoteMgmtSNMP my_snmp Interface lan Network mgmt net SNMPGetCommunity Mg1RQqR Should it be necessary to enable SNMPBeforeRules which is enabled by default then the command is gw world set Settings RemoteMgmtSettings SNMPBeforeRules Yes Web Interface 1 Goto System Re...

Page 61: ...stem Contact The contact person for the managed node Default N A System Name The name for the managed node Default N A System Location The physical location of the node Default N A Interface Description SNMP What to display in the SNMP MIB II ifDescr variables Default Name Interface Alias What to display in the SNMP ifMIB ifAlias variables Default Hardware 2 4 1 SNMP Advanced Settings Chapter 2 Ma...

Page 62: ...filename cap_int cap pcapdump cleanup Going through this line by line we have 1 Recording is started for the int interface using a buffer size of 1024 Kbytes pcapdump size 1024 start int 2 The recording is stopped for the int interface pcapdump stop int 3 The dump output is displayed on the console in a summarized form pcapdump show 4 The same information is written in its complete form to a file ...

Page 63: ...addr Filter on source IP address ipdest ipaddr Filter on destination IP address port portnum Filter on source or destination port number srcport portnum Filter on source port number destport portnum Filter on destination port number proto id Filter on protocol where id is the decimal protocol id protocolname Instead of the protocol number the protocol name alone can be specified and can be one of ...

Page 64: ...ular destination IP address Compatibility with Wireshark The open source tool Wireshark formerly called Ethereal is an extremely useful analysis tool for examining logs of captured packets The industry standard pcap file format used by pcapdump with its write option means that it is compatible with Wireshark For more complete information on this topic see http www wireshark org 2 5 The pcapdump Co...

Page 65: ...he configuration and the installed NetDefendOS software This is useful if both the configuration is to be changed and the NetDefendOS version upgraded Backup files can be created both by downloading the files directly from the D Link Firewall using SCP Secure Copy or alternatively using the WebUI It cannot be done though the CLI Operation Interruption Backups can be created at any time without dis...

Page 66: ...HCP server lease database or Anti Virus IDP databases will not be backed up 2 6 3 Configuration Backup and Restore The NetDefendOS configuration of a D Link Firewall at any given point of time can be backed up or restored on demand Configurations are downloaded through the WebUI to a single file which is saved on the local management workstation This file can then be uploaded at any time restore t...

Page 67: ... Maintenance Reset 2 Select Restore the entire unit to factory defaults then confirm and wait for the restore to complete Important Any upgrades will be lost after a factory reset It should be understood that a reset to factory defaults is exactly that Any NetDefendOS upgrades performed since the unit left the factory will be lost Reset alternative for the DFL 210 260 800 860 only To reset the DFL...

Page 68: ...ioning procedure a restore to factory defaults should always be run in order to remove all sensitive information such as VPN settings As a further precaution at the end of the product s life it also recommended that the memory media in a D Link Firewall is destroyed and certified as destroyed by a suitable provider of computer disposal services 2 6 4 Restore to Factory Defaults Chapter 2 Managemen...

Page 69: ...2 6 4 Restore to Factory Defaults Chapter 2 Management and Maintenance 69 ...

Page 70: ...ly need to make changes in a single location rather than in each configuration section where the address appears 3 1 2 IP Addresses IP Address objects are used to define symbolic names for various types of IP addresses Depending on how the address is specified an IP Address object can represent either a host a single IP address a network or a range of IP addresses In addition IP Address objects ca...

Page 71: ...IP address 2 Specify a suitable name for the IP host in this case wwww_srv1 3 Enter 192 168 10 16 for the IP Address 4 Click OK Example 3 2 Adding an IP Network This example adds an IP network named wwwsrvnet with address 192 168 10 0 24 to the Address Book CLI gw world add Address IP4Address wwwsrvnet Address 192 168 10 0 24 Web Interface 1 Go to Objects Address Book Add IP address 2 Specify a su...

Page 72: ...n successfully deleted but NetDefendOS will not allow the configuration to be saved to the D Link Firewall 3 1 3 Ethernet Addresses Ethernet Address objects are used to define symbolic names for Ethernet addresses also known as MAC addresses This is useful for example when populating the ARP table with static ARP entries or for other parts of the configuration where symbolic names are preferred ov...

Page 73: ... 14 192 168 0 19 will result in a single IP range with addresses 192 168 0 10 192 168 0 19 Keep in mind however that for obvious reasons IP address objects cannot be combined with Ethernet MAC addresses 3 1 5 Auto Generated Address Objects To simplify the configuration a number of address objects in the Address Book are automatically created by NetDefendOS when the system starts for the first time...

Page 74: ...tem They are created with a given name and can then be used to contain all the IP address objects that are related together as a group Using folders is simply a way for the administrator to conveniently divide up Address Book entries and no special properties are given to entries in different folders NetDefendOS continues to see all entries as though they were in large table of IP address objects ...

Page 75: ...information on how service objects are being used with IP rules see Section 3 5 The IP Rule Set Pre defined Services A large number of Service objects come pre defined with NetDefendOS These include common services such as HTTP FTP Telnet and SSH Pre defined Services can be used and also modified just like user defined Services However it is recommended NOT to make any changes to pre defined servi...

Page 76: ...reat importance such as streaming audio and video services UDP User Datagram Protocol is the preferred protocol UDP is connection less provides very few error recovery services and give thereby much lower overhead traffic than when using TCP For this reason UDP is used for non streaming services as well and it is common in those cases that the applications themselves provide the error recovery mec...

Page 77: ...e shows how to add a TCP UDP Service using destination port 3306 which is used by MySQL CLI gw world add Service ServiceTCPUDP MySQL DestinationPorts 3306 Type TCP Web Interface 1 Go to Objects Services Add TCP UDP service 2 Specify a suitable name for the service for example MySQL 3 Now enter Type TCP Source 0 65535 Destination 3306 4 Click OK Apart from protocol and port information TCP UDP Serv...

Page 78: ...rnet connectivity ICMP messages are delivered in IP packets and includes a Message Type that specifies the type that is the format of the ICMP message and a Code that is used to further qualify the message For example the message type Destination Unreachable uses the Code parameter to specify the exact reason for the error The ICMP message types that can be configured in NetDefendOS are listed as ...

Page 79: ... number Some of the common IP protocols such as IGMP are already pre defined in the NetDefendOS system configuration Similar to the TCP UDP port ranges described previously a range of IP protocol numbers can be used to specify multiple applications for one service Note The currently assigned IP protocol numbers and references are published by the Internet Assigned Numbers Authority IANA and can be...

Page 80: ...ical interface in order to transfer data This group of interfaces is called Physical Sub Interfaces NetDefendOS has support for two types of physical sub interfaces Virtual LAN VLAN interfaces as specified by IEEE 802 1Q When routing IP packets over a Virtual LAN interface they will be encapsulated in VLAN tagged Ethernet frames For more information about Virtual LAN interfaces please see Section ...

Page 81: ...nd from this interface Examples of the use of core are when the D Link Firewall acts as a PPTP or L2TP server or responds to ICMP Ping requests By specifying the Destination Interface of a route as core NetDefendOS will then know that it is itself that is the ultimate destination of the traffic Disabling an Interface Should it be desirable to disable an interface so that no traffic can flow throug...

Page 82: ...amples in this guide lan is used for LAN traffic and wan is used for WAN traffic If your D Link Firewall does not have these interfaces please substitute the references with the name of your chosen interface Ethernet IP Addresses Each Ethernet interface is required to have an Interface IP Address which can be either a static address or an address provided by DHCP The interface IP address is used a...

Page 83: ... gateway to the Internet Normally only one default all nets route to the default gateway needs to exist in the routing table Using DHCP on Ethernet Interfaces NetDefendOS includes a DHCP client for dynamic assignment of address information The information that can be set using DHCP includes the IP address of the interface the local network that the interface is attached to and the default gateway ...

Page 84: ...DefinedCredentials No Comments Default gateway for interface wan By using the tab key at the end of a line tab completion can be used to complete the command gw world show Address IP4Address InterfaceAddresses wan_ tab Category Type Identifier InterfaceAddresses wan_br InterfaceAddresses wan_gw InterfaceAddresses wan_dns1 InterfaceAddresses wan_ip InterfaceAddresses wan_dns2 InterfaceAddresses wan...

Page 85: ...ow Ethernet Interface The set command can be used to control an Ethernet interface For example to enable an interface lan we can use the command gw world set EthernetDevice lan enable To set the driver on an Ethernet interface card the command is gw world set EthernetDevice lan EthernetDriver driver PCIBus X PCISlot Y PCIPort Z For example if the driver name is IXP4NPEEthernetDriver for the bus sl...

Page 86: ...ndOS installation is limited by the parameters of the license used Different hardware models have different licenses and different limits on VLANs Summary of VLAN Setup It is important to understand that the administrator should treat a VLAN interface just like a physical interface in that they require at least IP rules and routes to be defined in order to function If for instance no Allow rule is...

Page 87: ...ion Trace IP addresses to a specific user Allocate IP address automatically for PC users similar to DHCP IP address provisioning can be per user group The PPP Protocol Point to Point Protocol PPP is a protocol for communication between two computers using a serial interface such as the case of a personal computer connected through a switched telephone line to an ISP In terms of the OSI model PPP p...

Page 88: ...e User authentication If user authentication is required by the ISP the username and password can be setup in NetDefendOS for automatic sending to the PPPoE server Dial on demand If dial on demand is enabled the PPPoE connection will only be up when there is traffic on the PPPoE interface It is possible to configure how the firewall should sense activity on the interface either on outgoing traffic...

Page 89: ...e provider Password Password provided by the service provider Confirm Password Retype the password Under Authentication specify which authentication protocol to use the default settings will be used if not specified Disable the option Enable dial on demand Under Advanced if Add route for remote network is enabled then a new route will be added for the interface 3 Click OK Note To provide a point t...

Page 90: ... the local host address of 127 0 0 1 Remote Network The remote network which the GRE tunnel will connect with Remote Endpoint This is the IP address of the remote device which the tunnel will connect with Use Session Key A unique number can optionally be specified for the tunnel This allows more than one GRE tunnel to run between the same two endpoints The Session Key value is used to distinguish ...

Page 91: ... 1 In the address book set up the following IP objects remote_net_B 192 168 11 0 24 remote_gw 172 16 1 1 ip_GRE 192 168 0 1 2 Create a GRE Tunnel object called GRE_to_B with the following parameters IP Address ip_GRE Remote Network remote_net_B Remote Endpoint remote_gw Use Session Key 1 Additional Encapulation Checksum Enabled 3 Define a route in the main routing table which routes all traffic to...

Page 92: ...oute for remote network is enabled in the Advanced tab since this will add the route automatically 4 Create the following rules in the IP rule set that allow traffic to pass through the tunnel Name Action Src Interface Src Network Dest Interface Dest Network Service To_A Allow lan lannet GRE_to_A remote_net_A All From_A Allow GRE_to_A remote_net_A lan lannet All 3 3 6 Interface Groups Multiple Net...

Page 93: ...o be used later Security Transport Equivalent If enabled the interface group can be used as a destination interface in rules where connections might need to be moved between the interfaces examples of such usage are Route Fail Over and OSPF Interfaces Select the interfaces to be in the group 3 Click OK 3 3 6 Interface Groups Chapter 3 Fundamentals 93 ...

Page 94: ...king NetDefendOS supports both Dynamic ARP as well as Static ARP and the latter is available in two modes Publish and XPublish Dynamic ARP is the main mode of operation for ARP where NetDefendOS sends out ARP requests whenever it needs to resolve an IP address to an Ethernet address The ARP replies are stored in the ARP cache of the system Static ARP is used for manually lock an IP address to a sp...

Page 95: ...e necessary to manually force a re query This is easiest achieved by flushing the ARP cache an operation which will delete all dynamic ARP entries from the cache thereby forcing NetDefendOS to issue new ARP queries Example 3 15 Flushing the ARP Cache This example shows how to flush the ARP Cache from within the CLI CLI gw world arp flush ARP cache of all interfaces flushed Size of the ARP Cache By...

Page 96: ... Ethernet address 4b 86 f6 c5 a2 14 on the lan interface CLI gw world add ARP Interface lan IP 192 168 10 15 Mode Static MACAddress 4b 86 f6 c5 a2 14 Web Interface 1 Go to Interfaces ARP Add ARP 2 Select the following from the dropdown lists Mode Static Interface lan 3 Enter the following IP Address 192 168 10 15 MAC 4b 86 f6 c5 a2 14 4 Click OK Published ARP Entries NetDefendOS supports publishin...

Page 97: ...of NetDefendOS is to drop and log such ARP requests and ARP replies This can however be changed by modifying the advanced settings ARP Multicast and ARP Broadcast Unsolicited ARP Replies It is fully possible for a host on the LAN to send an ARP reply to NetDefendOS even though a corresponding ARP request has not been issued According to the ARP specification the recipient should accept these types...

Page 98: ...vel should comply with the Ethernet address reported in the ARP data If this is not the case the reply will be dropped and logged The behavior can be changed by modifying the setting ARP Match Ethernet Sender 3 4 6 ARP Advanced Settings Summary The following advanced settings are available with ARP ARP Match Ethernet Sender Determines if NetDefendOS will require the sender address at Ethernet leve...

Page 99: ...ons where a received ARP reply or ARP request would alter a static item in the ARP table Of course this is never allowed to happen However this setting does allow you to specify whether or not such situations are to be logged Default DropLog ARP Expire Specifies how long a normal dynamic item in the ARP table is to be retained before it is removed from the table Default 900 seconds 15 minutes ARP ...

Page 100: ...ries Default 512 ARP Hash Size VLAN Hashing is used to rapidly look up entries in a table For maximum efficiency the hash size should be twice as large as the table it is indexing so if the largest directly connected VLAN contains 500 IP addresses the size of the ARP entry hash should be at least 1000 entries Default 64 ARP IP Collision Determines the behavior when receiving an ARP request with a ...

Page 101: ... object which could define a single IP address or range of addresses Service The protocol type to which the packet belongs Service objects define a protocol port type Examples might be HTTP or ICMP Custom services can also be defined See Section 3 2 Services for more information on this topic The NetDefendOS Security Policy Rulesets The principle NetDefendOS rule sets that define NetDefendOS secur...

Page 102: ...ing NetDefendOS responding to ICMP Ping requests new IP rules must be defined by the administrator Traffic that does not match any rule in the IP rule set is by default dropped by NetDefendOS For logging purposes it is nevertheless recommended that an explicit IP rule with an action of Drop for all source destination networks interfaces and with logging enabled is placed as the last rule in the IP...

Page 103: ...S internal state table which allows monitoring of opened and active connections passing through the D Link Firewall If the action is Drop or Reject then the new connection is refused Stateful Inspection After initial rule evaluation of the opening connection subsequent packets belonging to that connection will not need to be evaluated individually against the rule set Instead a highly efficient al...

Page 104: ...llow or NAT rules Packet processing time is also slower than Allow rules since every packet is checked against the entire rule set NAT This functions like an Allow rule but with dynamic address translation NAT enabled see Section 7 1 NAT in Chapter 7 Address Translation for a detailed description SAT This tells NetDefendOS to perform static address translation A SAT rule always requires a matching...

Page 105: ...be moved to a different position in the rule set and therefore have a different precedence 3 5 5 IP Rule Set Folders In order to help organise large numbers of entries in IP rule sets it is possible to create IP rule set folders These folders are just like a folder in a computer s file system They are created with a given name and can then be used to contain all the IP rules that are related toget...

Page 106: ... 1 Go to Rules IP Rules Add IPRule 2 Specify a suitable name for the rule for example LAN_HTTP 3 Now enter Name A suitable name for the rule For example lan_http Action Allow Service http Source Interface lan Source Network lannet Destination Interface wan Destination Network all nets 4 Click OK 3 5 5 IP Rule Set Folders Chapter 3 Fundamentals 106 ...

Page 107: ...r multiple time ranges for each day of the week Furthermore a start and a stop date can be specified that will impose additional constraints on the schedule For instance a schedule can be defined as Mondays and Tuesdays 08 30 10 40 and 11 30 14 00 Fridays 14 30 17 00 Important Set the system date and time As schedules depend on an accurate system date and time it is very important that the system ...

Page 108: ... the following Name OfficeHours 3 Select 08 17 Monday to Friday in the grid 4 Click OK 1 Go to Rules IP Rules Add IPRule 2 Enter the following Name AllowHTTP 3 Select the following from the dropdown lists Action NAT Service http Schedule OfficeHours SourceInterface lan SourceNetwork lannet DestinationInterface any DestinationNetwork all nets 4 Click OK 3 6 Schedules Chapter 3 Fundamentals 108 ...

Page 109: ...r a certificate is a public key with identification attached coupled with a stamp of approval by a trusted party Certifice Authorities A certificate authority CA is a trusted entity that issues certificates to other entities The CA digitally signs all certificates it issues A valid CA signature in a certificate verifies the identity of the certificate holder and guarantees that the certificate has...

Page 110: ...ften contain a CRL Distribution Point CDP field which specifies the location from where the CRL can be downloaded In some cases certificates do not contain this field In those cases the location of the CRL has to be configured manually A CA usually updates its CRL at a given interval The length of this interval depends on how the CA is configured Typically this is somewhere between an hour to seve...

Page 111: ... To associate an imported certificate with an IPsec tunnel Web Interface 1 Go to Interfaces IPsec 2 Display the properties of the IPsec tunnel 3 Select the Authentication tab 4 Select the X509 Certificate option 5 Select the correct Gateway and Root certificates 6 Click OK 3 7 3 CA Certificate Requests To request certificates from a CA server or CA company the best method is to send a CA Certifica...

Page 112: ... in format which can be cut and pasted with a text editor Note OpenSSL is being used here as a conversion utility and not in its normal role as a communication utility 3 Create two blank text files with a text editor such as Windows Notepad Give the files the same filename but use the extension cer for one and key for the other For example gateway cer and gateway key might be the names 4 Start a t...

Page 113: ...dOS installation is started for the first time Example 3 21 Setting the Current Date and Time To adjust the current date and time follow the steps outlined below CLI gw world time set YYYY mm DD HH MM SS Where YYYY mm DD HH MM SS is the new date and time Note that the date order is year then month and then day For example to set the date and time to 9 25 in the morning on April 27th 2008 the comma...

Page 114: ...s to be used There are two parameters governing daylight saving time the DST period and the DST offset The DST period specifies on what dates daylight saving time starts and ends The DST offset indicates the number of minutes to advance the clock during the daylight saving time period Example 3 23 Enabling DST To enable DST follow the steps outlined below CLI gw world set DateTime DSTEnabled Yes W...

Page 115: ... prevented NetDefendOS always queries all configured Time Servers and then computes an average time based on all responses Internet search engines can be used to list publicly available Time Servers Important Make sure an external DNS server is configured so that Time Server URLs can be resolved see Section 3 9 DNS This is not needed if using server IP addresses Example 3 24 Enabling Time Synchron...

Page 116: ...endOS time is 16 42 35 If a Time Server responds with a time of 16 43 38 then the difference is 63 seconds This is greater than the Maximum Adjustment value so no update occurs for this response Example 3 26 Modifying the Maximum Adjustment Value CLI gw world set DateTime TimeSyncMaxAdjust 40000 Web Interface 1 Go to System Date and Time 2 For the setting Maximum time drift that a server is allowe...

Page 117: ...re used Example 3 28 Enabling the D Link NTP Server To enable the use of the D Link NTP server CLI gw world set DateTime TimeSynchronization D Link Web Interface 1 Go to System Date and Time 2 Select the D Link TimeSync Server radio button 3 Click OK As mentioned above it is important to have an external DNS server configured so that the D Link Time Server URLs can be resolved during the access pr...

Page 118: ...ry Time Server DNS hostname or IP Address of Timeserver 2 Default None teriary Time Server DNS hostname or IP Address of Timeserver 3 Default None Interval between synchronization Seconds between each resynchronization Default 86400 Max time drift Maximum time drift in seconds that a server is allowed to adjust Default 600 Group interval Interval according to which server responses will be grouped...

Page 119: ... to make use of up to three DNS servers The are called the Primary Server the Secondary Server and the Tertiary Server For DNS to function at least the primary must be defined It is recommended to have at least a primary and secondary defined so that there is a backup should the primary be unavailable Features Requiring DNS Resolution Having at least one DNS server defined is vital for functioning...

Page 120: ...fetch delay The difference between HTTP Poster and the named DNS servers in the WebUI is that HTTP Poster can be used to send any URL The named services are a convenience that make it easy to correctly format the URL needed for that service For example the http URL for the dyndns org service might be myuid mypwd members dyndns org nic update hostname mydns dyndns org This could be sent as shown ab...

Page 121: ...3 9 DNS Chapter 3 Fundamentals 121 ...

Page 122: ...ting is one of the most fundamental functions of NetDefendOS Any IP packet flowing through a D Link Firewall will be subjected to at least one routing decision at some point in time and properly setting up routing is crucial for the system to function as expected NetDefendOS offers support for the following types of routing mechanisms Static routing Dynamic routing NetDefendOS additionally support...

Page 123: ... it can reach its destination The components of a single route are discussed next The Components of a Route When a route is defined it consists of the following parameters Interface The interface to forward the packet on in order to reach the destination network In other words the interface to which the destination IP range is connected either directly or through a router The interface might be a ...

Page 124: ... see Section 4 4 Route Load Balancing and Section 4 2 3 Route Failover A Typical Routing Scenario The diagram below illustrates a typical D Link Firewall scenario In the above diagram the LAN interface is connected to the network 192 168 0 0 24 and the DMZ interface is connected to the network 10 4 0 0 16 The WAN interface is connected to the network 195 66 77 0 24 and the address of the ISP gatew...

Page 125: ...e a packet with a destination IP address of 192 168 0 4 will theoretically match both the first route and the last one However the first route entry is a narrower more specific match so the evaluation will end there and the packet will be routed according to that entry The Local IP Address Parameter The correct usage of the Local IP Address parameter can be difficult to understand so additional ex...

Page 126: ...the 10 2 2 0 24 network The clients in this second network must also have their Default Gateway set to 10 2 2 1 in order to reach the D Link Firewall This feature is normally used when an additional network is to be added to an interface but it is not desirable to change the existing IP addresses of the network From a security standpoint doing this can present significant risks since different net...

Page 127: ...the interfaces the connection table is consulted to see if there is an already open connection for which the received packet belongs If an existing connection is found the connection table entry includes information on where to route the packet so there is no need for lookups in the routing table This is far more efficient than traditional routing table lookups and is one reason for the high forwa...

Page 128: ... words it is perfectly legal to specify one route for the destination address range 192 168 0 5 to 192 168 0 17 and another route for addresses 192 168 0 18 to 192 168 0 254 This is a feature that makes NetDefendOS highly suitable for routing in highly complex network topologies Displaying the Routing Table It is important to distinguish between the routing table that is active in the system and t...

Page 129: ...sses which must be changed to the appropriate IP address ranges for traffic to flow The most important route that must be defined is the route to all nets which should correspond with the ISP and public Internet access If using the NetDefendOS setup wizard this route is added automatically The option exists on any interface to indicate that it is the interface for connection to the Internet When t...

Page 130: ...tes Tip For detailed information about the output of the CLI routes command Please see the CLI Reference Guide 4 2 3 Route Failover Overview D Link Firewalls are often deployed in mission critical locations where availability and connectivity is crucial A corporation relying heavily on access to the Internet for instance could have their operations severely disrupted if an Internet connection fail...

Page 131: ... hop for a route accessibility to that gateway can be monitored by sending periodic ARP requests As long as the gateway responds to these requests the route is considered to be functioning correctly Setting the Route Metric When specifying routes the administrator should manually set a route s Metric The Metric is a positive integer that indicates how preferred the route is as a means to reach its...

Page 132: ... route will be disabled As a consequence a new route lookup will be performed and the second route will be selected with the first one being marked as disabled Re enabling Routes Even if a route has been disabled NetDefendOS will continue to check the status of that route Should the route become available again it will be re enabled and existing connections will automatically be transferred back t...

Page 133: ... way to monitor the integrity of routes NetDefendOS provides the additional capability to perform Host Monitoring This feature means that one or more external host systems can be routinely polled to check that a particular route is available The advantages of Host Monitoring are twofold In a complex network topology it is more reliable to check accessibility to external hosts Just monitoring a lin...

Page 134: ...ncy This value cannot be less than 1 Maximum Failed Poll Attempts The maximum permissible number of polling attempts that fail If this number is exceeded then the host is considered unreachable Max Average Latency The maximum number of milliseconds allowable between a poll request and the response If this threshold is exceeded then the host is considered unreachable Average Latency is calculated b...

Page 135: ...ess of a node on an Ethernet network However situations may exist where a network running Ethernet is separated into two parts with a routing device such as an installed D Link Firewall in between In such a case NetDefendOS itself can respond to ARP requests directed to the network on the other side of the D Link Firewall using the feature known as Proxy ARP The splitting of an Ethernet network in...

Page 136: ...ansparent Mode In HA clusters switch routes cannot be used and proxy ARP is the only way to implement transparent mode functionality Note It is only possible to have Proxy ARP functioning for Ethernet and VLAN interfaces 4 2 5 Proxy ARP Chapter 4 Routing 136 ...

Page 137: ...sed Routing A different routing table might need to be chosen based on the user identity or the group to which the user belongs This is particularly useful in provider independent metropolitan area networks where all users share a common active backbone but each can use different ISPs subscribing to different providers Policy based Routing implementation in NetDefendOS is based on two building blo...

Page 138: ...is encountered address translation will be performed The decision of which routing table to use is made before carrying out address translation but the actual route lookup is performed on the altered address Note that the original route lookup to find the destination interface used for all rule look ups was done with the original untranslated address 6 If allowed by the IP rule set the new connect...

Page 139: ...y the named routing table is the only one consulted If this lookup fails the lookup will not continue in the main routing table 3 If Remove Interface IP Routes is enabled the default interface routes are removed that is to say routes to the core interface which are routes to NetDefendOS itself 4 Click OK Example 4 4 Creating the Route After defining the routing table TestPBRTable we add routes int...

Page 140: ...s the default gateway of ISP B Interface Network Gateway ProxyARP lan1 10 10 10 0 24 wan1 lan1 20 20 20 0 24 wan2 wan1 10 10 10 1 32 lan1 wan2 20 20 20 1 32 lan1 wan1 all nets 10 10 10 1 Contents of the named Policy based Routing table r2 Interface Network Gateway wan2 all nets 20 20 20 1 The table r2 has its Ordering parameter set to Default which means that it will only be consulted if the main ...

Page 141: ...ollowing list can be specified in an RLB Instance object Round Robin Matching routes are used equally often by successively going to the next matching route Destination This is an algorithm that is similar to Round Robin but provides destination IP stickiness so that the same destination IP address gets the same route Spillover This uses the next route when specified interface traffic limits are e...

Page 142: ...e same route from a lookup The importance of this is that it means that a particular destination application can see all traffic coming from the same source IP address Spillover Spillover is not similar to the previous algorithms With spillover the first matching route s interface is repeatedly used until the Spillover Limits of that route s interface are continuously exceeded for the Hold Timer n...

Page 143: ... setting a low metric on the route to the favoured ISP A relatively higher metric is then set on the route to the other ISP The all nets metric must be higher that interface routes The metric value used for the all nets route should always be higher than the metric specified for any other route This is true regardless if RLB is being used or not The metric should the highest so that it is examined...

Page 144: ... will select the route that has the narrowest range that matches the destination IP address used in the lookup In the above example 10 4 16 0 24 may be chosen over 10 4 16 0 16 because the range is narrower for an IP address it contains RLB Resets There are two occasions when all RLB algorithms will reset to their initial state After NetDefendOS reconfiguration After a high availability failover I...

Page 145: ...AT was being used for the client communication the IP address seen by the server would be WAN1 or WAN2 Example 4 6 Setting Up RLB In this example the details of the RLB scenario described above will be implemented The assumption is made that the various IP address book objects needed have already been defined The IP objects WAN1 and WAN2 represent the interfaces that connect to the two ISPs and th...

Page 146: ...ther tunnel connecting through the other ISP RLB can then be applied as normal with the two tunnels In order to get the second tunnel to function in this case you need to add a single host route in the main routing table that points to the secondary ISPs interface and with the secondary ISPs gateway This solution has the advantage of providing redundancy should one ISP link fail Use VPN with one t...

Page 147: ...termination is based on the length of the path which is the number of intermediate routers also known as hops After updating its own routing table the router immediately begins transmitting its entire routing table to neighboring routers to inform them of changes Link State Algorithms In contrast to DV algorithms Link State LS algorithms enable routers to keep routing tables that reflect the topol...

Page 148: ...ad and the length of the path 4 5 2 OSPF Overview Open Shortest Path First OSPF is a routing protocol developed for IP networks by the Internet Engineering Task Force IETF The NetDefendOS OSPF implementation is based upon RFC 2328 with compatibility to RFC 1583 Note OSPF is not available on all D Link models The OSPF feature is only available on the D Link DFL 800 DFL 860 DFL 1600 and DFL 2500 pro...

Page 149: ...ary Router ASBRs They advertise externally learned routes throughout the Autonomous System Backbone Areas All OSPF networks need to have at least the backbone area which is the area with ID 0 This is the area that all other areas should be connected to and the backbone make sure to distribute routing information between the connected areas When an area is not directly connected to the backbone it ...

Page 150: ...ll This is the normal state of an adjacency between a router and the DR BDR Aggregates OSPF Aggregation is used to combine groups of routes with common addresses into a single entry in the routing table This is commonly used to minimize the routing table Virtual Links Virtual links are used for Linking an area that does not have a direct connection to the backbone Linking the backbone in case of a...

Page 151: ...have a Virtual Link to fw1 with Router ID 192 168 1 1 and vice versa These Virtual Links need to be configured in Area 1 A Partitioned Backbone OSPF allows for linking a partitioned backbone using a virtual link The virtual link should be configured between two separate ABRs that touch the backbone from each side and have a common area in between Figure 4 7 Virtual Links Example 2 4 5 2 OSPF Chapt...

Page 152: ...are must also be taken when setting up a virtual link to an firewall in an HA cluster The endpoint setting up a link to the HA firewall must setup 3 separate links one to the shared one to the master and one to the slave router id of the firewall 4 5 3 Dynamic Routing Policy Overview In a dynamic routing environment it is important for routers to be able to regulate to what extent they will partic...

Page 153: ... all nets in the Exactly Matches dropdown control 5 Click OK The next step is to create a Dynamic Routing Action that will do the actual importing of the routes into a routing table Specify the destination routing table that the routes should be added to in this case main CLI gw world cc DynamicRoutingRule ImportOSPFRoutes gw world ImportOSPFRoutes add DynamicRoutingRuleAddRoute Destination MainRo...

Page 154: ...tion that will export the filtered route to the specified OSPF AS CLI gw world cc DynamicRoutingRule ExportDefRoute gw world ExportDefRoute add DynamicRoutingRuleExportOSPF ExportToProcess as0 Web Interface 1 Go to Routing Dynamic Routing Rules 2 Click on the newly created ExportDefRoute 3 Go to OSPF Action Add DynamicRoutingRuleExportOSPF 4 For Export to process choose as0 5 Click OK 4 5 3 Dynami...

Page 155: ...ess is Reverse Path Forwarding For unicast traffic a router is concerned only with a packet s destination With multicast the router is also concerned with a packets source since it forwards the packet on paths which are known to be downstream away from the packet s source This approach is adopted to avoid loops in the distribution tree By default multicast packets are routed by NetDefendOS to the ...

Page 156: ... 168 10 1 and generates the multicast streams 239 192 10 0 24 1234 These multicast streams should be forwarded from interface wan through the interfaces if1 if2 and if3 The streams should only be forwarded if some host has requested the streams using the IGMP protocol The example below only covers the multicast forwarding part of the configuration The IGMP configuration can be found below in Secti...

Page 157: ... a name for the rule for example Multicast_Multiplex Action Multiplex SAT Service multicast_service 3 Under Address Filter enter Source Interface wan Source Network 192 168 10 1 Destination Interface core Destination Network 239 192 10 0 24 4 Click the Multiplex SAT tab and add the output interfaces if1 if2 and if3 one at a time For each interface leave the IPAddress field blank since no destinati...

Page 158: ...ddress Translation Scenario Figure 4 9 Multicast Forwarding Address Translation This scenario is based on the previous scenario but now we are going to translate the multicast group When the multicast streams 239 192 10 0 24 are forwarded through the if2 interface the multicast groups should be translated into 237 192 10 0 24 No address translation should be made when forwarding through interface ...

Page 159: ...AT Multiplex rule should be replaced with a NAT rule 4 6 3 IGMP Configuration IGMP signalling between hosts and routers can be divided into two categories IGMP Reports Reports are sent from hosts towards the router when a host wants to subscribe to new multicast groups or change current multicast subscriptions IGMP Queries Queries are IGMP messages sent from the router towards the hosts in order t...

Page 160: ...owards the clients and actively send queries Towards the upstream router it will be acting as a normal host subscribing to multicast groups on behalf of its clients 4 6 3 1 IGMP Rules Configuration No Address Translation This example describes the IGMP rules needed for configuring IGMP according to the No Address Translation scenario described above We want our router to act as a host towards the ...

Page 161: ...s Add IGMP Rule 2 Under General enter Name A suitable name for the rule for example Reports Type Report Action Proxy Output wan this is the relay interface 3 Under Address Filter enter Source Interface lfGrpClients Source Network if1net if2net if3net Destination Interface core Destination Network auto Multicast Source 192 168 10 1 Multicast Group 239 192 10 0 24 4 Click OK B Create the second IGMP...

Page 162: ...ted to create the report and query rule pair for if1 which uses no address translation Web Interface A Create the first IGMP Rule 1 Go to Routing IGMP IGMP Rules Add IGMP Rule 2 Under General enter Name A suitable name for the rule for example Reports_if1 Type Report Action Proxy Output wan this is the relay interface 3 Under Address Filter enter Source Interface if1 Source Network if1net Destinat...

Page 163: ...for the rule for example Reports_if2 Type Report Action Proxy Output wan this is the relay interface 3 Under Address Filter enter Source Interface if2 Source Network if2net Destination Interface core Destination Network auto Multicast Source 192 168 10 1 Multicast Group 239 192 10 0 24 4 Click OK B Create the second IGMP Rule 1 Again go to Routing IGMP IGMP Rules Add IGMP Rule 2 Under General ente...

Page 164: ...respond with IGMP Membership Reports even to queries orginating from itself Global setting on interfaces without an overriding IGMP Setting Default Disabled IGMP Lowest Compatible Version IGMP messages with a version lower than this will be logged and ignored Global setting on interfaces without an overriding IGMP Setting Default IGMPv1 IGMP Router Version The IGMP protocol version that will be gl...

Page 165: ...interfaces without an overriding IGMP Setting Default 10 000 IGMP Robustness Variable IGMP is robust to IGMP Robustness Variable 1 packet losses Global setting on interfaces without an overriding IGMP Setting Default 2 IGMP Startup Query Count The firewall will send IGMP Startup Query Count general queries with an interval of IGMPStartupQueryInterval at startup Global setting on interfaces without...

Page 166: ...interfaces without an overriding IGMP Setting Default 1 000 4 6 4 Advanced IGMP Settings Chapter 4 Routing 166 ...

Page 167: ... specified instead of all nets This is usually when a network is split between two interfaces but the administrator does not know exactly which users are on which interface Usage Scenarios Two examples of Transparent Mode s usage are Implementing Security Between Users In a corporate environment there may be a need to protect the computing resources of different departments from one another The fi...

Page 168: ...ermines from this ARP traffic the relationship between IP addresses physical addresses and interfaces NetDefendOS remembers this address information in order to relay IP packets to the correct receiver During the ARP transactions neither of the endpoints will be aware of the D Link Firewall When beginning communication a host will locate the target host s physical address by broadcasting an ARP re...

Page 169: ... added but more restrictive IP rules are recommended Action Src Interface Src Network Dest Interface Dest Network Service Allow any all nets any all nets all Restricting the Network Parameter As NetDefendOS listens to ARP traffic it continuously adds single host routes to the routing table as it discovers on which interface IP addresses are located As the name suggests single hosts routes give a r...

Page 170: ...ce is decided by the PBR Membership parameter for each interface PBR is short for Policy Based Routing which is the NetDefendOS term used for multiple routing tables To implement separate Transparent Mode networks interfaces must have their PBR Membership reset By default all interfaces have PBR membership set to be all routing tables By default one main routing table always exists and once an add...

Page 171: ...an route their traffic correctly after determining their whereabouts and IP address through ARP exchanges However a DHCP server could be used to allocate user IP addresses in a Transparent Mode setup if desired With Internet connections it may be the ISP s own DHCP server which will hand out public IP addresses to users In this case NetDefendOS MUST be correctly configured as a DHCP Relayer to for...

Page 172: ... address specifying the interface which leads to the ISP and the ISPs gateway IP address If the IP addresses that need to be reached by NetDefendOS are 85 12 184 39 and 194 142 215 15 then the complete routing table for the above example would be Route type Interface Destination Gateway Switch if1 all nets Switch if2 all nets Non switch if1 85 12 184 39 gw ip Non switch if1 194 142 215 15 gw ip Th...

Page 173: ... and the internal network The router is used to share the Internet connection with a single public IP address The internal NATed network behind the firewall is in the 10 0 0 0 24 address space Clients on the internal network are allowed to access the Internet via the HTTP protocol Figure 4 14 Transparent Mode Scenario 1 Example 4 14 Setting up Transparent Mode for Scenario 1 Web Interface Configur...

Page 174: ...nt address ranges All hosts connected to LAN and DMZ the lan and dmz interfaces share the 10 0 0 0 24 address space As this is configured using Transparent Mode any IP address can be used for the servers and there is no need for the hosts on the internal network to know if a resource is on the same network or placed on the DMZ The hosts on the internal network are allowed to communicate with an HT...

Page 175: ...ess 10 0 0 1 Network 10 0 0 0 24 Transparent Mode Disable Add route for interface network Disable 3 Click OK 4 Go to Interfaces Ethernet Edit dmz 5 Now enter IP Address 10 0 0 2 Network 10 0 0 0 24 Transparent Mode Disable Add route for interface network Disable 6 Click OK Configure the interface groups 1 Go to Interfaces Interface Groups Add InterfaceGroup 2 Now enter Name TransparentGroup Securi...

Page 176: ...rface lan Destination Interface dmz Source Network 10 0 0 0 24 Destination Network 10 1 4 10 3 Click OK 4 Go to Rules IP Rules Add IPRule 5 Now enter Name HTTP WAN to DMZ Action SAT Service http Source Interface wan Destination Interface dmz Source Network all nets Destination Network wan_ip Translate Select Destination IP New IP Address 10 1 4 10 6 Click OK 7 Go to Rules IP Rules Add IPRule 8 Now...

Page 177: ... Implementing BPDU Relaying The NetDefendOS BDPU relaying implementation only carries STP messages These STP messages can be of three types Normal Spanning Tree Protocol STP Rapid Spanning Tree Protocol RSTP Multiple Spanning Tree Protocol MSTP Cisco proprietary PVST Protocol Per VLAN Spanning Tree Plus NetDefendOS checks the contents of BDPU messages to make sure the content type is supported If ...

Page 178: ...value dynamically Default Enabled L3 Cache Size This setting is used to manually configure the size of the Layer 3 Cache Enabling Dynamic L3C Size is normally preferred Default Dynamic Transparency ATS Expire Defines the lifetime of an unanswered ARP Transaction State ATS entry in seconds Valid values are 1 60 seconds Default 3 seconds Transparency ATS Size Defines the maximum total number of ARP ...

Page 179: ...ts DropLog Drop and log packets Default DropLog Multicast Enet Sender Defines what to do when receiving a packet that has the sender hardware MAC address in ethernet header set to a multicast ethernet address Options Accept Accept packet AcceptLog Accept packet and log Rewrite Rewrite to the MAC of the forwarding interface RewriteLog Rewrite to the MAC of the forwarding interface and log Drop Drop...

Page 180: ...Ignore all incoming MPLS packets are relayed in transparent mode Options Ignore Let the packets pass but do not log Log Let the packets pass and log the event Drop Drop the packets DropLog Drop packets log the event Default Drop 4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 180 ...

Page 181: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 181 ...

Page 182: ...uch as an IP address a MAC address a domain name and a lease for the IP address to the client in a unicast message DHCP Leases Compared to static assignment where the client owns the address dynamic addressing by a DHCP server leases the address to each client for a pre defined period of time During the lifetime of a lease the client has permission to keep the assigned address and is guaranteed to...

Page 183: ...interface and relayer IP filter value If there is no match in the list then the request is ignored Using Relayer IP Address Filtering As explained above a DHCP server is selected based on a match of both interface and relayer IP filter Each DNS server must have a relayer IP filter value specified and the possible values are as follows The default value is all nets 0 0 0 0 0 This means all DHCP req...

Page 184: ...e created an IP range for the DHCP Server CLI gw world add DHCPServer DHCPServer1 Interface lan IPAddressPool DHCPRange1 Netmask 255 255 255 0 Web Interface 1 Go to System DHCP DHCP Servers Add DHCPServer 2 Now enter Name DHCPServer1 Interface Filter lan IP Address Pool DHCPRange1 Netmask 255 255 255 0 3 Click OK Example 5 2 Checking the status of a DHCP server CLI To see the status of all servers...

Page 185: ... 90 12 13 14 15 3 All static assignments can then be listed and each is listed with an index number gw world show Comments 1 none 4 An individual static assignment can be shown using its index number gw world show DHCPServerPoolStaticHost 1 Property Value Index 1 Host 192 168 1 1 MACAddress 00 90 12 13 14 15 Comments none 5 The assignment could be changed later to IP address 192 168 1 12 with the ...

Page 186: ...ible settings are Disabled ReconfShut or ReconfShutTimer Default ReconfShut Lease Store Interval How often in seconds the leases database should be saved to disk if DHCPServer_SaveLeasePolicy is set to ReconfShutTimer Default 86400 5 3 1 DHCP Advanced Settings Chapter 5 DHCP Services 186 ...

Page 187: ...ed request Although all NetDefendOS interfaces are core routed that is to say a route exists by default that routes interface IP addresses to Core for relayed DHCP requests this core routing does not apply Instead the interface is the source interface and not core Example 5 4 Setting up a DHCP Relayer This example allows clients on NetDefendOS VLAN interfaces to obtain IP addresses from a DHCP ser...

Page 188: ...P relaying Max Transactions Maximum number of transactions at the same time Default 32 Transaction Timeout For how long a dhcp transaction can take place Default 10 seconds Max PPM How many dhcp packets a client can send to through NetDefendOS to the dhcp server during one minute Default 500 packets Max Hops How many hops the dhcp request can take between the client and the dhcp server Default 5 M...

Page 189: ...to save the relay list to the disk possible settings are Disabled ReconfShut or ReconfShutTimer Default ReconfShut Auto Save Interval How often in seconds should the relay list be saved to disk if DHCPServer_SaveRelayPolicy is set to ReconfShutTimer Default 86400 5 4 1 DHCP Relay Advanced Settings Chapter 5 DHCP Services 189 ...

Page 190: ...ck address 127 0 0 1 indicates that the DHCP server is NetDefendOS itself Client IP filter Optional setting used to specify which offered IPs are valid to use In most cases this will be set to the default of all nets Alternatively a set of IP ranges might be specified The filter ensures that only certain IP addresses from DHCP servers are acceptable and is used in the situation where there might b...

Page 191: ... number is too large then this can degrade initial performance As leases in the prefetch cache are allocated requests are made to DHCP servers so that the cache is always full The administrator therefore has to make a judgement as to the optimal initial size of the prefetch cache Example 5 5 Creating an IP Pool This example shows the creation of an IP Pool object that will use the DHCP server on I...

Page 192: ...5 5 IP Pools Chapter 5 DHCP Services 192 ...

Page 193: ...ming a reverse lookup in the routing tables This lookup validates that the incoming traffic is coming from a source that the routing tables indicate is accessible via the interface on which the traffic arrived If this reverse lookup fails then the connection is dropped and a Default Access Rule log message will be generated For most configurations the Default Access Rule is sufficient and the admi...

Page 194: ...r address should belong to Access Rule Actions The Access Rule actions that can be specified are Drop Discard the packets that match the defined fields Accept Accept the packets that match the defined fields for further inspection in the rule set Expect If the sender address of the packet matches the Network specified by this rule the receiving interface is compared to the specified interface If t...

Page 195: ...nnet network is received on the lan interface CLI gw world add Access Name lan_Access Interface lan Network lannet Action Expect Web Interface 1 Go to Rules Access 2 Select Access Rule in the Add menu 3 Now enter Name lan_Access Action Except Interface lan Network lannet 4 Click OK 6 1 3 Access Rule Settings Chapter 6 Security Mechanisms 195 ...

Page 196: ...ransfer and multimedia transfer ALGs provide higher security than packet filtering since they are capable of scrutinizing all traffic for a specific protocol and perform checks at the higher levels of the TCP IP stack ALGs exist for the following protocols in NetDefendOS HTTP FTP TFTP SMTP POP3 SIP H 323 TLS Deploying an ALG Once a new ALG object is defined by the administrator it is brought into ...

Page 197: ... associated with that Service will not be used 6 2 2 The HTTP ALG Hyper Text Transfer Protocol HTTP is the primary protocol used to access the World Wide Web WWW It is a connectionless stateless application layer protocol based on a request response architecture A client such as a Web browser sends a request by establishing a TCP IP connection to a known port usually port 80 on a remote server The...

Page 198: ...the file the term filetype here is also known as the filename extension All filetypes that are checked in this way by NetDefendOS are listed in Appendix C Verified MIME filetypes When enabled any file download that fails MIME verification in other words its filetype does not match its contents is dropped by NetDefendOS on the assumption that it can be a security threat 2 Allow Block Selected Types...

Page 199: ...iltering obeys the following processing order and is similar to the order followed by the SMTP ALG 1 Whitelist 2 Blacklist 3 Web content filtering if enabled 4 Anti virus scanning if enabled As described above if a URL is found on the whitelist then it will not be blocked if it also found on the blacklist If it is enabled Anti virus scanning is always applied even though a URL is whitelisted If it...

Page 200: ...itself by providing a predefined login and password After granting access the server will provide the client with a file directory listing from which it can download upload files depending on access rights The FTP ALG is used to manage FTP connections through the D Link Firewall FTP Connections FTP uses two communication channels one for control commands and one for the actual files being transfer...

Page 201: ...TP client can be configured to use passive mode which is the recommended mode for clients The FTP server can be configured to use active mode which is the safer mode for servers When an FTP session is established the D Link Firewall will automatically and transparently receive the passive data channel from the FTP client and the active data channel from the server and tie them together This implem...

Page 202: ...ot be blocked by ZoneDefense since it is outside of the configured network range The virus is however still blocked by the D Link Firewall B Blocking infected servers Depending on the company policy an administrator might want to take an infected FTP server off line to prevent local hosts and servers from being infected In this scenario the administrator configures the address of the server to be ...

Page 203: ...passive mode 5 Click OK B Define the Service 1 Go to Objects Services Add TCP UDP Service 2 Enter the following Name ftp inbound Type select TCP from the list Destination 21 the port the FTP server resides on ALG select the ftp inbound that has been created 3 Click OK C Define a rule to allow connections to the public IP on port 21 and forward that to the internal FTP server 1 Go to Rules IP Rules...

Page 204: ...internal interface needs to be NATed 1 Go to Rules IP Rules Add IPRule 2 Now enter Name NAT ftp Action NAT Service ftp inbound 3 For Address Filter enter Source Interface dmz Destination Interface core Source Network dmznet Destination Network wan_ip 4 For NAT check Use Interface Address 5 Click OK E Allow incoming connections SAT requires a second Allow rule 1 Go to Rules IP Rules Add IPRule 2 No...

Page 205: ...ured as follows Web Interface A Create the FTP ALG 1 Go to Objects ALG Add FTP ALG 2 Enter Name ftp outbound 3 Uncheck Allow client to use active mode 4 Check Allow server to use passive mode 5 Click OK B Create the Service 1 Go to Objects Services Add TCP UDP Service 2 Now enter Name ftp outbound Type select TCP from the dropdown list Destination 21 the port the ftp server resides on ALG select t...

Page 206: ...utbound Action NAT Service ftp outbound 3 For Address Filter enter Source Interface lan Destination Interface wan Source Network lannet Destination Network all nets 4 Check Use Interface Address 5 Click OK 6 2 4 The TFTP ALG Trivial File Transfer Protocol TFTP is a much simpler version of FTP with more limited capabilities Its purpose is to allow a client to upload files to or download files from ...

Page 207: ...he use of filenames containing consecutive periods Allowing Request Timeouts The NetDefendOS TFTP ALG blocks the repetition of an TFTP request coming from the same source IP address and port within a fixed period of time The reason for this is that some TFTP clients might issue requests from the same source port without allowing an appropriate timeout period 6 2 5 The SMTP ALG Simple Mail Transfer...

Page 208: ...s is allowed to pass through the ALG regardless if the address is on the blacklist or that the mail has been flagged as SPAM Verify MIME type The content of an attached file can be checked to see if it agrees with its stated filetype A list of all filetypes that are verified in this way can be found in Appendix C Verified MIME filetypes This same option is also available in the HTTP ALG and a full...

Page 209: ...ddress entry some_domain com can be used to specify all possible email addresses for some_domain com If for example wildcarding is used in the blacklist to block all addresses for a certain company called my_company then the blacklist address entry required could be my_company com If we want to now explicitly allow mails for just one department called my_department in my_company then this could be...

Page 210: ... emails from the blocked email server For example if a remote user is sending an infected email using a well known free email company blocking the sending server using ZoneDefense would block all future emails from that same company to any local receiver Using ZoneDefense together with the SMTP ALG should therefore be used principally for blocking local email clients To implement blocking the admi...

Page 211: ...these can be queried over the public Internet These lists are known as DNS Black List DNSBL databases and the information is accessible using a standardized query method supported by NetDefendOS The image below illustrates all the components involved When the NetDefendOS SPAM filtering function is configured the IP address of the email s sending server can be sent to one or more DNSBL servers to f...

Page 212: ...2 2 7 Alternative Actions for Dropped SPAM If the calculated sum is greater than or equal to the Drop threshold value then the email is not forwarded to the intended recipient Instead the administrator can choose one of two alternatives for dropped email A special email address can be configured to receive all dropped email If this is done then any TXT messages sent by the DNSBL servers described ...

Page 213: ...at server will be automatically subtracted from both the SPAM and Drop thresholds for the scoring calculation done for that email If enough DNSBL servers do not respond then this subtraction could mean that the threshold values become negative Since the scoring calculation will always produce a value of zero or greater servers cannot have negative weights then all email will be allowed through if ...

Page 214: ...h dropped email will be sent as an alternative to simply discarding it Optionally specify that the TXT messages sent by the DNSBL servers that failed are inserted into the header of these emails Caching Addresses for Performance To speed processing NetDefendOS maintains a cache of the most recently looked up sender addresses in local memory If the cache becomes full then the oldest entry is writte...

Page 215: ...ckLists 4 Disabled BlackLists 0 Current Sessions 0 Statistics Total number of mails checked 0 Number of mails dropped 0 Number of mails spam tagged 0 Number of mails accepted 0 BlackList Status Value Total Matches Failed zen spamhaus org active 25 0 0 0 cbl abuseat org active 20 0 0 0 dnsbl sorbs net active 5 0 0 0 asdf egrhb net active 5 0 0 0 To examine the statistics for a particular DNSBL serv...

Page 216: ...ALG and a fuller description of how it works can be found in Section 6 2 2 The HTTP ALG Anti Virus Scanning The NetDefendOS Anti Virus subsystem can optionally scan email attachments searching for malicious code Suspect files can be dropped or just logged This feature is common to a number of ALGs and is described fully in Section 6 4 Anti Virus Scanning 6 2 7 The SIP ALG Session Initiation Protoc...

Page 217: ... and Proxy Server are logical entities and may in fact reside on the same physical server SIP Media related Protocols A SIP session makes use of a number of protocols These are SDP Session Description Protocol RFC4566 is used for media session initialization RTP Real time Transport Protocol RFC3550 is used as the underlying packet format for delivering audio and video streaming via IP using the UD...

Page 218: ...ages can bypass the proxies This facilitates scaling since proxies are used only for the initial SIP message exchange The disadvantage of removing proxies from the session is that NetDefendOS IP rules must be set up to allow all SIP messages through the D Link Firewall and if the source network of the messages is not known then a large number of potentially dangerous connections must be allowed by...

Page 219: ...otected side The SIP proxy is located on the local protected side of the D Link Firewall and can handle registrations from both clients located on the same local network as well as clients on the external unprotected side Communication can take place across the public Internet or between clients on the local network Scenario 3 Protecting proxy and local clients Proxy on a DMZ interface The SIP ses...

Page 220: ...Type set to TCP UDP 3 Define two rules in the IP rule set A NAT rule for outbound traffic from clients on the internal network to the SIP Proxy Server located externally The SIP ALG will take care of all address translation needed by the NAT rule This translation will occur both on the IP level and the application level Neither the clients or the proxies need to be aware that the local users are b...

Page 221: ...Dest Interface Dest Network Allow or NAT lan lannet wan ip_proxy Allow wan ip_proxy lan or core lannet or wan_ip Without the Record Route option enabled the IP rules would be as shown below the changes that apply when NAT is used are again shown in parentheses Action Src Interface Src Network Dest Interface Dest Network Allow or NAT lan lannet wan All possible IPs Allow wan All possible IPs lan or...

Page 222: ...T rule This translation will occur both on the IP level and the application level Neither the clients or the proxies need to be aware that the local clients are being NATed If Record Route is enabled on the SIP proxy the source network of the NAT rule can include only the SIP proxy and not the local clients A SAT rule for redirecting inbound SIP traffic to the private IP address of the NATed local...

Page 223: ...y Clients Allow lan lannet ip_proxy wan all nets InboundTo Proxy Clients Allow wan all nets lan lannet ip_proxy If Record Route is enabled then the networks in the above rules can be further restricted by using ip_proxy as indicated Scenario 3 Protecting proxy and local clients Proxy on the DMZ interface This scenario is similar to the previous but the major difference is the location of the local...

Page 224: ... the DMZ interface must be a globally routable IP address This address can be the same address as the one used on the external interface The setup steps are as follows 1 Define a single SIP ALG object using the options described above 2 Define a Service object which is associated with the SIP ALG object The Service should have Destination Port set to 5060 the default SIP signalling port Type set t...

Page 225: ...IP address of the DMZ interface The reason for this is because local clients will be NATed using the IP address of the DMZ interface when they register with the proxy located on the DMZ This rule has core as the destination interface in other words NetDefendOS itself When an incoming call is received NetDefendOS uses the registration information of the local receiver to automatically locate this r...

Page 226: ...net InboundFromProxy Allow dmz ip_proxy core dmz_ip InboundToProxy Allow wan all nets dmz ip_proxy With Record Route disabled the following IP rules must be added to those above Action Src Interface Src Network Dest Interface Dest Network OutboundBypassProxy Allow lan lannet wan all nets InboundBypassProxy Allow wan all nets lan lannet 6 2 8 The H 323 ALG H 323 is a standard approved by the Intern...

Page 227: ...d H 245 Media Control and Transport Provides control of multimedia sessions established between two H 323 endpoints Its most important task is to negotiate opening and closing of logical channels A logical channel could be for example an audio channel used for voice communication Video and T 120 channels are also called logical channels during negotiation T 120 A suite of communication and applica...

Page 228: ...ses and the administrator needs to be sure about IP addresses and routes used in a particular scenario Gatekeeper Registration Lifetime The gatekeeper registration lifetime can be controlled in order to force re registration by clients within a certain time A shorter time forces more frequent registration by clients with the gatekeeper and less probability of a problem if the network becomes unava...

Page 229: ...et Destination Network 0 0 0 0 0 all nets Comment Allow outgoing calls 3 Click OK Incoming Rule 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323AllowIn Action Allow Service H323 Source Interface any Destination Interface lan Source Network 0 0 0 0 0 all nets Destination Network lannet Comment Allow incoming calls 3 Click OK 6 2 8 The H 323 ALG Chapter 6 Security Mechanisms 229 ...

Page 230: ...3 phone Web Interface Outgoing Rule 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323Out Action NAT Service H323 Source Interface lan Destination Interface any Source Network lannet Destination Network 0 0 0 0 0 all nets Comment Allow outgoing calls 3 Click OK Incoming Rules 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323In Action SAT Service H323 Source Interface any Destination Int...

Page 231: ...address Example 6 6 Two Phones Behind Different D Link Firewalls This scenario consists of two H 323 phones each one connected behind the D Link Firewall on a network with public IP addresses In order to place calls on these phones over the Internet the following rules need to be added to the rule listings in both firewalls Make sure there are no rules disallowing or allowing the same kind of port...

Page 232: ...there are no rules disallowing or allowing the same kind of ports traffic before these rules As we are using private IPs on the phones incoming traffic need to be SATed as in the example below The object ip phone below should be the internal IP of the H 323 phone behind each firewall Web Interface Outgoing Rule 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323Out Action NAT Service H323 Sour...

Page 233: ... multiple H 323 phones are placed behind the firewall one SAT rule has to be configured for each phone This means that multiple external addresses have to be used However it is preferable to use an H 323 gatekeeper as this only requires one external address Example 6 8 H 323 with Gatekeeper In this scenario a H 323 gatekeeper is placed in the DMZ of the D Link Firewall A rule is configured in the ...

Page 234: ... H323 Gatekeeper Source Interface any Destination Interface core Source Network 0 0 0 0 0 all nets Destination Network wan_ip external IP of the firewall Comment Allow incoming communication with the Gatekeeper 3 Click OK 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323In Action Allow Service H323 Gatekeeper Source Interface lan Destination Interface dmz Source Network lannet Destination Ne...

Page 235: ...e make sure there are no rules disallowing or allowing the same kind of ports traffic before these rules Web Interface 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323Out Action NAT Service H323 Gatekeeper Source Interface lan Destination Interface any Source Network lannet Destination Network 0 0 0 0 0 all nets Comment Allow outgoing communication with a gatekeeper 3 Click OK Note There is...

Page 236: ...nd that all offices use private IP ranges on their local networks All outside calls are done over the existing telephone network using the gateway ip gateway connected to the ordinary telephone network The head office has placed a H 323 Gatekeeper in the DMZ of the corporate D Link Firewall This firewall should be configured as follows Web Interface 1 Go to Rules IP Rules Add IPRule 2 Now enter Na...

Page 237: ...tination Interface lan Source Network ip gateway Destination Network lannet Comment Allow communication from the Gateway to H 323 phones on lannet 3 Click OK 1 Go to Rules IP Rules Add IPRule 2 Now enter Name BranchToGW Action Allow Service H323 Gatekeeper Source Interface vpn branch Destination Interface dmz Source Network branch net Destination Network ip gatekeeper ip gateway Comment Allow comm...

Page 238: ... Now enter Name ToGK Action Allow Service H323 Gatekeeper Source Interface lan Destination Interface vpn hq Source Network lannet Destination Network hq net Comment Allow communication with the Gatekeeper connected to the Head Office DMZ 3 Click OK Example 6 12 Allowing the H 323 Gateway to register with the Gatekeeper The branch office D Link Firewall has a H 323 Gateway connected to its DMZ In o...

Page 239: ... therefore easily have secure server access without requiring additional software The Relationship with SSL TLS is a successor to the Secure Sockets Layer SSL but the differences are slight Therefore for most purposes TLS and SSL can be regarded as equivalent In the context of the TLS ALG we can say that the D Link Firewall is providing SSL termination since it is acting as an SSL end point Regard...

Page 240: ...rocessing advantages that can be achieved can however vary and will depend on the comparative processing capabilities of the servers and the D Link Firewall Decrypted TLS traffic can be subject to other NetDefendOS features such as traffic shaping or looking for server threats with IDP scanning TLS can be combined with NetDefendOS server load balancing to provide a means to spread traffic across s...

Page 241: ...ipher Suites Supported by NetDefendOS TLS NetDefendOS TLS supports the following cipher suites 1 TLS_RSA_WITH_3DES_EDE_CBC_SHA 2 TLS_RSA_WITH_RC4_128_SHA 3 TLS_RSA_WITH_RC4_128_MD5 4 TLS_RSA_EXPORT_WITH_RC4_56_SHA certificate key size up to 1024 bits 5 TLS_RSA_EXPORT_WITH_RC4_40_MD5 certificate key size up to 1024 bits 6 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 certificate key size up to 1024 bits 7 TLS...

Page 242: ... filtering requires a minimum of administration effort and has very high accuracy Note All Web Content Filtering is enabled via the HTTP ALG which is described in Section 6 2 2 The HTTP ALG 6 3 2 Active Content Handling Some web content can contain malicious code designed to harm the workstation or the network from where the user is surfing Typically such code is embedded into various types of obj...

Page 243: ...sion as to whether they should be blocked or allowed Static and Dynamic Filter Ordering Additionally Static Content Filtering takes place before Dynamic Content Filtering described below which allows the possibility of manually making exceptions from the automatic dynamic classification process In a scenario where goods have to be purchased from a particular on line store Dynamic Content Filtering...

Page 244: ... necessary program files which should be allowed to download CLI Start by adding an HTTP ALG in order to filter HTTP traffic gw world add ALG ALG_HTTP content_filtering Then create a HTTP ALG URL to set up a blacklist gw world cc ALG ALG_HTTP content_filtering gw world content_filtering add ALG_HTTP_URL URL exe Action Blacklist Finally make an exception from the blacklist by creating a specific wh...

Page 245: ...n The WCF URL databases are updated almost hourly with new categorized URLs while at the same time older invalid URLs are dropped The scope of the URLs in the databases is global covering websites in many different languages and hosted on servers located in many different countries Dynamic Web Content Filtering Availability on D Link Models Dynamic Content Filtering is available on the D Link DFL ...

Page 246: ...sites In other words a web site may contain particular pages that should be blocked without blocking the entire site NetDefendOS provides blocking down to the page level so that users may still access parts of websites that are not blocked by the filtering policy WCF and Whitelisting If a particular URL is whitelisted then it will bypass the WCF subsystem No classification will be done on the URL ...

Page 247: ... external WCF database is not accessible URLs are allowed even though they might be disallowed if the WCF databases were accessible Example 6 15 Enabling Dynamic Web Content Filtering This example shows how to setup a dynamic content filtering policy for HTTP traffic from intnet to all nets The policy will be configured to block all search sites and this example assumes that the system is using a ...

Page 248: ...sites will still be accessible to the users This means the content filtering feature of NetDefendOS can then be used as an analysis tool to analysis what categories of websites are being accessed by a user community and how often After running in Audit Mode for some period of time it is easier to then have a better understanding of the surfing behavior of different user groups and also to better u...

Page 249: ...ppropriate sites will normally do so Other will avoid those sites due to the obvious risk of exposing their surfing habits Caution If a user overrides the restricted site notice page they are allowed to surf to all pages without any new restricted site message appearing again The user is however still being logged When the user has become inactive for 5 minutes the restricted site page will reappe...

Page 250: ...ntent filtering is now activated for all web traffic from lannet to all nets and the user is able to propose reclassification of blocked sites Validate the functionality by following these steps 1 On a workstation on the lannet network launch a standard web browser 2 Try to browse to a search site for example www google com 3 If everything is configured correctly your web browser will present a bl...

Page 251: ...sified under the Gambling category if its content includes advertisement or encouragement of or facilities allowing for the partaking of any form of gambling For money or otherwise This includes online gaming bookmaker odds and lottery web sites This does not include traditional or computer based games refer to the Games Sites category 10 Examples might be www blackjackspot com www pickapony net C...

Page 252: ...Category 9 Dating Sites A web site may be classified under the Dating Sites category if its content includes facilities to submit and review personal advertisements arrange romantic meetings with other people mail order bride foreign spouse introductions and escort services Examples might be adultmatefinder com www marriagenow com Category 10 Game Sites A web site may be classified under the Game ...

Page 253: ... be classified under the Personal Beliefs Cults category if its content includes the description or depiction of or instruction in systems of religious beliefs and practice Examples might be www paganfed demon co uk www cultdeadcrow com Category 15 Politics A web site may be classified under the Politics category if its content includes information or opinions of a political nature electoral infor...

Page 254: ...width This category also includes Phishing URLs which designed to capture secret user authentication details by pretending to be a legitimate organization Examples might be hastalavista baby nu Category 20 Search Sites A web site may be classified under the Search Sites category if its main focus is providing online Internet search facilities Refer to the section on unique categories at the start ...

Page 255: ...locking List This category is populated by URLs specified by a government agency and contains URLs that are deemed unsuitable for viewing by the general public by way of their very extreme nature Examples might be www verynastystuff com www unpleasantvids com Category 26 Educational A web site classified under the Educational category may belong to other categories but has content that relates to ...

Page 256: ...tspictured cnn com features 2002 swimsuit Category 31 Spam A web site may be classified under the Spam category if it is found to be contained in bulk or spam emails Examples might be kaqsovdij gjibhgk info www pleaseupdateyourdetails com Category 32 Non Managed Unclassified sites and sites that do not fit one of the other categories will be placed in this category It is unusual to block this cate...

Page 257: ...red 8 Press Save to save the changes 9 Click OK to exit editing 10 Go to User Authentication User Authentication Rules 11 Select the relevant HTML ALG and click the Agent Options tab 12 Set the HTTP Banners option to be new_forbidden 13 Click OK 14 Go to Configuration Save Activate to activate the new file 15 Press Save and then click OK The new file will be uploaded to NetDefendOS Note In the abo...

Page 258: ...her in Section 2 1 6 Secure Copy 4 Using the CLI the relevant HTTP ALG should now be set to use the mytxt banner files If the ALG us called my_http_alg the command would be set ALG_HTTP my_http_alg HTTPBanners mytxt 5 As usual the activate followed by the commit CLI commands must be used to activate the changes on the D Link Firewall HTML Page Parameters The HTML pages contain a number of paramete...

Page 259: ...ction Most importantly it can act as a backup for when local client antivirus scanning is not available Enabling Through ALGs NetDefendOS Anti Virus is enabled on a per ALG basis It is available for file downloads associated with the following ALGs and is enabled in the ALGs themselves The HTTP ALG The FTP ALG The POP3 ALG The SMTP ALG Anti Virus Availability on D Link Models Anti Virus scanning i...

Page 260: ...he two scanning processes can occur simultaneously and operate at different protocol levels If IDP is enabled it scans all packets designated by a defined IDP rule and does not take notice of the higher level protocol such as HTTP that generate the packet streams Anti virus is however aware of the higher level protocol and only looks at the data involved in file transfers Anti virus scanning is a ...

Page 261: ...ning is active but logging is the only action C Protect Anti Virus is active Suspect files are dropped and logged Fail mode behavior If a virus scan fails for any reason then the transfer can be dropped or allowed with the event being logged If this option is set to Allow then a condition such as the virus database not being available or the current license not being valid will not cause files to ...

Page 262: ...pes that can be checked are listed in Appendix C Verified MIME filetypes Setting the Correct System Time It is important that a NetDefendOS has the correct system time set if the auto update feature in the Anti Virus module can function correctly An incorrect time can mean the auto updating is disabled The console command updatecenter status will show the current status of the auto update feature ...

Page 263: ...virus Blocking the server s IP address would only consume blocking entries in the switches For NetDefendOS to know which hosts and servers to block the administrator has the ability to specify a network range that should be affected by a ZoneDefense block All hosts and servers that are within this range will be blocked The feature is controlled through the Anti Virus configuration in the ALGs Depe...

Page 264: ...eated in the ALG dropdown list 6 Click OK C Finally modify the NAT rule called NATHttp in this example to use the new service 1 Go to Rules IP Rules 2 In the grid control click the NAT rule handling the traffic between lannet and all nets 3 Click the Service tab 4 Select your new service http_anti_virus in the pre defined Service dropdown list 5 Click OK Anti Virus scanning is now activated for al...

Page 265: ...It operates by monitoring network traffic as it passes through the D Link Firewall searching for patterns that indicate an intrusion is being attempted Once detected NetDefendOS IDP allows steps to be taken to neutralize both the intrusion attempt as well as its source IDP Issues In order to have an effective and reliable IDP system the following issues have to be addressed 1 What kinds of traffic...

Page 266: ...o a NetDefendOS installation and also that the database is regularly updated with the latest intrusion threats Figure 6 7 IDP Database Updating A new updated signature database is downloaded automatically by NetDefendOS system at a configurable interval This is done via an HTTP connection to the D Link server network which delivers the latest signature database updates If the server s signature da...

Page 267: ...information about HA clusters refer to Chapter 11 High Availability 6 5 3 IDP Rules Rule Components An IDP Rule defines what kind of traffic or service should be analyzed An IDP Rule is similar in makeup to an IP Rule IDP Rules are constructed like other security policies in NetDefendOS such as IP Rules An IDP Rule specifies a given combination source destination interfaces addresses as well as be...

Page 268: ...xisting connection This provides the firewall administrator with a way to detect any traffic that appears to be an intrusion With this option the only possible IDP Rule Action is logging Caution should of course be exercised with this option since the processing load can be much higher when all data packets are checked 6 5 4 Insertion Evasion Attack Prevention Overview When defining an IDP Rule th...

Page 269: ...patterns of data in the stream Recommended Configuration By default Insertion Evasion protection is enabled for all IDP rules and this is the recommended setting for most configurations There are two motivations for disabling the option Increasing throughput Where the highest throughout possible is desirable then turning the option off can provide a slight increase in processing speed Excessive Fa...

Page 270: ...detect events that may be intrusions They have lower accuracy than IPS and may give some false positives so that s recommended that the Audit action is initially used before deciding to use Protect Policy Signatures These detect different types of application traffic They can be used to block certain applications such as file sharing applications and instant messaging 6 5 6 IDP Signature Groups Us...

Page 271: ...fashion with matching for the signatures for the first action specified being done first IDP Signature Wildcarding When selecting IDP signature groups it is possible to use wildcarding to select more than one group The character can be used to wildcard for a single character in a group name Alternatively the character can be used to wildcard for any set of characters of any length in a group name ...

Page 272: ...ummary of IDP events that have occurred in a user configurable period of time When an IDP event occurrs the NetDefendOS will wait for Hold Time seconds before sending the notification email However the email will only be sent if the number of events occurred in this period of time is equal to or bigger than the Log Threshold When this email has been sent NetDefendOS will wait for Minimum Repeat Ti...

Page 273: ...les 1 Go to IDP IDP Rules 2 Select a rule in the grid right click and choose Edit 3 Select the action you wish to log and choose Edit 4 Check the Enable logging checkbox in the Log Settings tab 5 Click OK Example 6 21 Setting up IDP for a Mail Server The following example details the steps needed to set up IDP for a simple scenario where a mail server is exposed to the Internet on the DMZ network ...

Page 274: ...IL_SMTP Web Interface Create IDP Rule This IDP rule is called IDPMailSrvRule and applies to the SMTP service Source Interface and Source Network define where traffic is coming from in this example the external network The Destination Interface and Destination Network define where traffic is directed to in this case the mail server Destination Network should therefore be set to the object defining ...

Page 275: ...k in order to match all SMTP attacks Signatures is set to IPS_MAIL_SMTP in order to use signatures that describe attacks from the external network dealing with the SMTP protocol 1 Go to IDP IDP Rules IDPMailSrvRule Add IDP Rule Action 2 Now enter Action Protect Severity All Signatures IPS_MAIL_SMTP Click OK In summary the following will occur If traffic from the external network to the mail server...

Page 276: ...mmed Internet connections and business critical systems in overload This section deals with using D Link Firewalls to protect organizations against these attacks 6 6 2 DoS Attack Mechanisms A DoS attack can be perpetrated in a number of ways but there are three basic types of attack Consumption of computational resources such as bandwidth disk space or CPU time Disruption of configuration informat...

Page 277: ...ch in turn generates yet another response to itself etc This will either bog the victim s machine down or make it crash The attack is accomplished by using the victim s IP address in the source field of an IP packet as well as in the destination field NetDefendOS protects against this attack by applying IP spoofing protection to all packets In its default configuration it will simply compare arriv...

Page 278: ... addresses will be those of the amplifier networks used Fraggle attacks will show up in NetDefendOS logs as masses of dropped or allowed depending on policy packets The source IP addresses will be those of the amplifier networks used Avoiding Becoming an Amplifier Even though the brunt of the bandwidth stream is at the ultimate victim s side being selected as an amplifier network can also consume ...

Page 279: ...object has an ALG associated with it then the ALG will be disabled 6 6 9 The Jolt2 Attack The Jolt2 attack works by sending a steady stream of identical fragments at the victim machine A few hundred packets per second will freeze vulnerable machines completely until the stream is ended NetDefendOS will protect completely against this attack The first fragment will be queued waiting for earlier fra...

Page 280: ...m Blacklisting If there are established connections that have the same source as this new Blacklist entry then they will not be dropped if this option is set IP addresses or networks are added to the list then the traffic from these sources is then blocked for the period of time specified Note Restarts do not effect the blacklist The contents of the blacklist is not lost if the D Link Firewall shu...

Page 281: ...viewed with the command gw world blacklist show black This blacklist command can be used to remove a host from the blacklist using the unblock option Example 6 22 Adding a Host to the Whitelist In this example we will add an IP address object called white_ip to the whitelist This will mean this IP address can never be blacklisted CLI gw world add BlacklistWhiteHost Addresses white_ip Service all_t...

Page 282: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 282 ...

Page 283: ...ation NAT Static Address Translation SAT Both types of translation are policy based in NetDefendOS which means that they can be applied to specific traffic based on the source destination network interface as well as based on the type of protocol Two types of NetDefendOS IP rules NAT rules and SAT rules are used to configure address translation This section describes and provides examples of confi...

Page 284: ...f 32 768 simultaneous NAT connections that can use the same translated source IP address This is normally adequate for all but the most extreme scenarios The Source IP Address Used for Translation There are three options for how NetDefendOS determines the source IP address that will be used for NAT Use the IP Address of the Interface When a new connection is established the routing table is consul...

Page 285: ...t server then processes the packet and sends its response 195 55 66 77 80 195 11 22 33 32789 4 NetDefendOS receives the packet and compares it to its list of open connections Once it finds the connection in question it restores the original address and forwards the packet 195 55 66 77 80 192 168 1 5 1038 5 The original sender now receives the response Example 7 1 Adding a NAT Rule To add a NAT rul...

Page 286: ... the same server using different IP protocols Several internal machines can not communicate with the same external server using the same IP protocol Note These restrictions apply only to IP level protocols other than TCP UDP and ICMP such as OSPF L2TP etc They do not apply to the protocols transported by TCP UDP and ICMP such as telnet FTP HTTP and SMTP NetDefendOS can alter port number informatio...

Page 287: ...they are coming from the anonymizing service provider s external IP address and not the client s IP The application therefore sends its responses back to the firewall which relays the traffic back to the client through the PPTP tunnel The original IP address of the client is not revealed in traffic as it is relayed beyond the termination of the PPTP tunnel at the NetDefendOS Typically all traffic ...

Page 288: ...ss The advantage of the stateful approach is that it can balance connections across several external ISP links while ensuring that an external host will always communicate back to the same IP address which will be essential with protocols such as HTTP when cookies are involved The disadvantage is the extra memory required by NetDefendOS to track the usage in its state table and the small processin...

Page 289: ... IP Pool Usage When allocating external IP addresses to a NAT Pool it is not necessary to explicitly state these Instead a NetDefendOS IP Pool object can be selected IP Pools gather collections of IP addresses automatically through DHCP and can therefore supply external IP addresses automatically to a NAT Pool See Section 5 5 IP Pools for more details on this topic Proxy ARP Usage Where an externa...

Page 290: ...s NAT Pools Add NAT Pool 2 Now enter Name stateful_natpool Pool type stateful IP Range nat_pool_range 3 Select the Proxy ARP tab and add the WAN interface 4 Click OK C Now define the NAT rule in the IP rule set 1 Go to Rules IP Rules Add IP Rule 2 Under General enter Name Enter a suitable name such as nat_pool_rule Action NAT 3 Under Address filter enter Source Interface int Source Network int net...

Page 291: ...tual Server in some other manufacturer s products Example 7 3 Enabling Traffic to a Protected Web Server in a DMZ In this example we will create a SAT policy that will translate and allow connections from the Internet to a web server located in a DMZ The D Link Firewall is connected to the Internet using the wan interface with address object wan_ip defined as 195 55 66 77 as IP address The web ser...

Page 292: ...internal machines to be dynamically address translated to the Internet In this example we use a rule that permits everything from the internal network to access the Internet via NAT hide Action Src Iface Src Net Dest Iface Dest Net Parameters 3 NAT lan lannet any all nets All Now what is wrong with this rule set If we assume that we want to implement address translation for reasons of security as ...

Page 293: ...4 Enabling Traffic to a Web Server on an Internal Network The example we have decided to use is that of a web server with a private address located on an internal network From a security standpoint this approach is wrong as web servers are very vulnerable to attack and should therefore be located in a DMZ However due to its simplicity we have chosen to use this model in our example In order for ex...

Page 294: ...cket to wan_ip to reach www ourcompany com 10 0 0 3 1038 195 55 66 77 80 NetDefendOS address translates this statically in accordance with rule 1 and dynamically in accordance with rule 2 10 0 0 1 32789 10 0 0 2 80 wwwsrv processes the packet and replies 10 0 0 2 80 10 0 0 1 32789 The reply arrives and both address translations are restored 195 55 66 77 80 10 0 0 3 1038 In this way the reply arriv...

Page 295: ...h the public IP addresses on the wan interface using the ARP publish mechanism Create a SAT rule that will perform the translation Create an Allow rule that will permit the incoming HTTP connections CLI Create an address object for the public IP addresses gw world add Address IP4Address wwwsrv_pub Address 195 55 66 77 195 55 66 81 Now create another object for the base of the web server IP address...

Page 296: ...2 Now enter Mode Publish Interface wan IP Address 195 55 66 77 3 Click OK and repeat for all 5 public IP addresses Create a SAT rule for the translation 1 Go to Rules IP Rules Add IPRule 2 Specify a suitable name for the rule for example SAT_HTTP_To_DMZ 3 Now enter Action SAT Servce http Source Interface any Source Network all nets Destination Interface wan Destination Network wwwsrv_pub 4 Switch ...

Page 297: ...Port Address Translation PAT can be used to modify the source or destination port Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any all nets wan wwwsrv_pub TCP 80 85 SETDEST 192 168 0 50 1080 This rule produces a 1 1 translation of all ports in the range 80 85 to the range 1080 1085 Attempts to communicate with the web servers public address port 80 will result in a connection to t...

Page 298: ...slating the sender address whilst the other is translating the destination address Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any all nets core wwwsrv_pub TCP 80 85 SETDEST 192 168 0 50 1080 2 SAT lan lannet all nets Standard SETSRC pubnet The two above rules may both be carried out concurrently on the same connection In this instance internal sender addresses will be translated...

Page 299: ...SETDEST wwwsrv 80 2 SAT lan wwwsrv any all nets 80 All SETSRC wan_ip 80 3 NAT lan lannet any all nets All 4 FwdFast any all nets core wan_ip http 5 FwdFast lan wwwsrv any all nets 80 All What happens now External traffic to wan_ip 80 will match rules 1 and 4 and will be sent to wwwsrv Correct Return traffic from wwwsrv 80 will match rules 2 and 3 The replies will therefore be dynamically address t...

Page 300: ...mechanism 7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 300 ...

Page 301: ...7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 301 ...

Page 302: ...lem is that the feature often cannot be replaced if it is lost Methods B and C are therefore the most common in network security However these have drawbacks keys might be intercepted passcards might be stolen passwords might be guessable or people may simply be bad at keeping a secret Methods B and C are sometimes combined for example in a passcard that requires a password or pincode for use Usin...

Page 303: ... Changed on a regular basis such as every three months 8 1 Overview Chapter 8 User Authentication 303 ...

Page 304: ...DefendOS A RADIUS server which is external to the D Link Firewall An LDAP Server which is also external to the D Link Firewall 8 2 2 The Local Database The Local User Database is a built in registry inside NetDefendOS which contains the profiles of authorized users and user groups Usernames and passwords can be entered into this database and users with the same privileges can be collected together...

Page 305: ...ink Firewall acting as a client to one or more LDAP servers Multiple servers can be configured to provide redundancy if any servers become unreachable Setting Up LDAP Authentication There are two steps to setting up user authentication with LDAP servers A Define one or more user authentication LDAP server objects in NetDefendOS B Specify a list of these LDAP server objects in a user authentication...

Page 306: ...name Username Postfix When authenticating this will add domain name after the username If the choice is other than None the Domain Name parameter option described below should be specified Routing Table The NetDefendOS routing table where route lookup will be done of the server s IP address The optional parameters are as follows Base Object Defines where in the LDAP server tree search for user acc...

Page 307: ... user is authenticated 2 The server replies with a negative response and the user is not authenticated 3 The server does not respond within the Timeout period specified for the server If only one server is specified then authentication will be considered to have failed If there are alternate servers defined for the user authentication rule then these are queried next Real time Monitoring Statistic...

Page 308: ...OS would theoretically need to retrieve the password or password digest from the LDAP server However LDAP doesn t support either To solve the password authentication problem an optional Password Attribute field needs to be configured when configuring the LDAP server in NetDefendOS This field must be different from the default password attribute this is userPassword in most LDAP databases This may ...

Page 309: ...the D Link Firewall is to be prompted for a username password login sequence Authentication Rules are set up in a way that is similar to other NetDefendOS security policies by specifying which traffic is to be subject to the rule They differ from other policies in that the destination network interface is not of interest but only the source network interface An Authentication Rule has the followin...

Page 310: ...ch is that a single authentication database must be used for all IPsec tunnels Connection Timeouts An Authentication Rule can specify the following timeouts related to a user session Idle Timeout How long a connection is idle before being automatically terminated 1800 seconds by default Session Timeout The maximum time that a connection can exist no value is specified by default If an authenticati...

Page 311: ...n the IP rule set That rule s Source Network object has either the No Defined Credentials option enabled or alternatively it is associated with a group and the user is also a member of that group 8 If a timeout restriction is specified in the authentication rule then the authenticated user will be automatically logged out after that length of time without activity Any packets from an IP address th...

Page 312: ...n_ip IP address which is the IP address of the interface on the D Link Firewall where the local network connects The second rule allows normal surfing activity but we cannot just use lannet as the source network since the rule would trigger for any unauthenticated client from that network Instead the source network is an administrator defined IP object called trusted_users which is the same networ...

Page 313: ...roup names here separated by a comma users for this example 3 Click OK 4 Repeat Step B to add all the lannet users having the membership of users group into the lannet_auth_users folder Example 8 2 User Authentication Setup for Web Access The configurations below shows how to enable HTTP user authentication for the user group users on lannet Only users that belong to the group users can get Web br...

Page 314: ... following steps illustrate how a RADIUS server is typically configured Web Interface 1 User Authentication External User Databases Add External User Database 2 Now enter a Name Enter a name for the server for example ex users b Type Select RADIUS c IP Address Enter the IP address of the server or enter the symbolic name if the server has been defined in the Address Book d Port 1812 RADIUS service...

Page 315: ... available for editing have the following names FormLogin LoginSuccess LoginFailure LoginAlreadyDone LoginChallenge LoginChallengeTimeout LoginSuccess LoginSuccessBasicAuth LoginFailure FileNotFound Editing the Banner Files The WebUI provides a simple way to download and edit the files and then upload the edited HTML back to NetDefendOS The description of doing this that is given next and mirrors ...

Page 316: ...the HTML source that appears in the text box for the Forbidden URL page 7 Use Preview to check the layout if required 8 Press Save to save the changes 9 Click OK to exit editing 10 Go to Objects ALG and select the relevant HTML ALG 11 Select new_forbidden as the HTML Banner 12 Click OK 13 Go to Configuration Save Activate to activate the new file Note In the above example more than one HTML file c...

Page 317: ...pload command would be pscp my html admin 10 5 62 11 HTTPAuthBanners ua_html FormLogin The usage of SCP clients is explained further in Section 2 1 6 Secure Copy 4 Using the CLI the relevant user authentication rule should now be set to use the ua_html If the rule us called my_auth_rule the command would be set UserAuthRule my_auth_rule HTTPBanners ua_html 5 As usual use the activate followed by t...

Page 318: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 318 ...

Page 319: ...ually important that the recipient can verify that no one is falsifying data in other words pretending to be someone else Virtual Private Networks VPNs meet this need providing a highly cost effective means of establishing secure links between two co operating computers so that data can be exchanged in a secure manner VPN allows the setting up of a tunnel between two devices known as tunnel endpoi...

Page 320: ...eyed hashes Non repudiation Proof that the sender actually sent the data the sender cannot later deny having sent it Non repudiation is usually a side effect of authentication VPNs are normally only concerned with confidentiality and authentication Non repudiation is normally not handled at the network level but rather on a transaction document by document basis 9 1 3 VPN Planning An attacker targ...

Page 321: ...re it is usually possible to dictate the types of communication permitted and NetDefendOS VPN has this feature 9 1 4 Key Distribution Key distribution schemes are best planned in advance Issues that need to be addressed include How will keys be distributed Email is not a good solution Phone conversations might be secure enough How many different keys should be used One key per user One per group o...

Page 322: ...ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 322 ...

Page 323: ...object if the default algorithm proposal lists do not provide a set of algorithms that are acceptable to the tunnel remote end point This will depend on the capabilities of the device at the other end of the VPN tunnel 3 In the Address Book create IP objects for The remote VPN gateway which is the IP address of the network device at the other end of the tunnel let s call this object remote_gw The ...

Page 324: ...d keys but sometimes it may be desirable to use X 509 certificates instead If this is the case Certificate Authority CA signed certificates may be used and these come from an internal CA server or from a commercial supplier of certificates Alternatively self signed certificates can be used and these can be generated from a number of utilities downloadable from the Internet Creating a LAN to LAN tu...

Page 325: ...erations for certificate validation 9 2 3 IPsec Roaming Clients with Pre shared Keys This section details the setup with roaming clients connecting through an IPsec tunnel with pre shared keys There are two types of roaming clients A The IP addresses of the clients are already allocated B The IP addresses of clients are not known beforehand and must be handed out by NetDefendOS as the clients conn...

Page 326: ...nets 0 0 0 0 0 2 The IPsec Tunnel object ipsec_tunnel should have the following parameters Set Local Network to lannet Set Remote Network to all nets Set Remote Endpoint to all nets Set Encapsulation mode to Tunnel Set the IKE and IPsec algorithm proposal lists to match the capabilities of the clients No routes can be predefined so the option Dynamically add route to the remote network when tunnel...

Page 327: ...ipsec_tunnel Configuring IPsec Clients In both cases A and B above the IPsec client will need to be correctly configured The client configuration will require the following with as well as the pre shared key Define the URL or IP address of the D Link Firewall The client needs to locate the tunnel endpoint Define the pre shared key that is used for IPsec security Define the IPsec algorithms that wi...

Page 328: ...that an IP address might be accidentally used on the internal network and handed out to a client Use a new address range that is totally different to any internal network This prevents any chance of an address in the range also being used on the internal network 2 Define two other IP objects ip_ext which is the external public IP address through which clients connect let s assume this is on the ex...

Page 329: ...rules should be defined in the IP rule set Action Src Interface Src Network Dest Interface Dest Network Service Allow l2tp_tunnel l2tp_pool any int_net All NAT ipsec_tunnel l2tp_pool ext all nets All The second rule would be included to allow clients to surf the Internet via the ext interface on the D Link Firewall The client will be allocated a private internal IP address which must be NATed if c...

Page 330: ...not being able to NAT PPTP connections through a tunnel so multiple clients can use a single connection to the D Link Firewall If NATing is tried then only the first client that tries to connect will succeed The steps for PPTP setup are as follows 1 In the Address Book define the following IP objects A pptp_pool IP object which is the range of internal IP addresses that will be handed out from an ...

Page 331: ...ets 0 0 0 0 0 4 Now set up the IP rules in the IP rule set Action Src Interface Src Network Dest Interface Dest Network Service Allow pptp_tunnel pptp_pool any int_net All NAT pptp_tunnel pptp_pool ext all nets All As described for L2TP the NAT rule lets the clients access the public Internet via the D Link Firewall 5 Set up the client For Windows XP the procedure is exactly as described for L2TP ...

Page 332: ...n detail 9 3 2 Internet Key Exchange IKE This section describes IKE the Internet Key Exchange protocol and the parameters that are used with it Encrypting and authenticating data is fairly straightforward the only things needed are encryption and authentication algorithms and the keys used with them The Internet Key Exchange IKE protocol IKE is used as a method of distributing these session keys a...

Page 333: ... of how to protect IPsec data flows The VPN device initiating an IPsec connection will send a list of the algorithms combinations it supports for protecting the connection and it is then up to the device at the other end of the connection to say which proposal is acceptable The responding VPN device upon receiving the list of supported algorithms will choose the algorithm combination that best mat...

Page 334: ...o subsequent keys can be derived Once the phase 2 negotiation is finished the VPN connection is established and ready for use IKE Parameters There are a number of parameters used in the negotiation process Below is a summary of the configuration parameters needed to establish a VPN connection Understanding what these parameters do before attempting to configure the VPN endpoints is strongly recomm...

Page 335: ...mode Main Aggressive Mode The IKE negotiation has two modes of operation main mode and aggressive mode The difference between these two is that aggressive mode will pass more information in fewer packets with the benefit of slightly faster connection establishment at the cost of transmitting the identities of the security firewalls in the clear When using aggressive mode some configuration paramet...

Page 336: ...in This value must be set greater than the IPsec SA lifetime PFS With Perfect Forwarding Secrecy PFS disabled initial keying material is created during the key exchange in phase 1 of the IKE negotiation In phase 2 of the IKE negotiation encryption and authentication session keys will be extracted from this initial keying material By using PFS completely new keying material will always be created u...

Page 337: ...cryption and authentication session keys If the VPN connection has not been used during the last re key period the connection will be terminated and re opened from scratch when the connection is needed again This value must be set lower than the IKE lifetime Diffie Hellman Groups Diffie Hellman DH is a cryptographic protocol that allows two parties that have no prior knowledge of each other to est...

Page 338: ...ulnerable for something called replay attacks meaning a malicious entity which has access to the encrypted traffic can record some packets store them and send them to its destination at a later time The destination VPN endpoint will have no way of telling if this packet is a replayed packet or not Using IKE eliminates this vulnerability PSK Using a Pre shared Key PSK is a method where the endpoint...

Page 339: ... the added complexity Certificate based authentication may be used as part of a larger public key infrastructure making all VPN clients and firewalls dependent on third parties In other words there are more aspects that have to be configured and there is more that can go wrong 9 3 4 IPsec Protocols ESP AH The IPsec protocols are the protocols used to protect the actual traffic being passed through...

Page 340: ...raversal Both IKE and IPsec protocols present a problem in the functioning of NAT Both protocols were not designed to work through NATs and because of this a technique called NAT traversal has evolved NAT traversal is an add on to the IKE and IPsec protocols that allows them to function when being NATed NetDefendOS supports the RFC3947 standard for NAT Traversal with IKE NAT traversal is divided i...

Page 341: ...traversal functionality is completely automatic and in the initiating firewall no special configuration is needed However for responding firewalls two points should be noted On responding firewalls the Remote Gateway field is used as a filter on the source IP of received IKE packets This should be set to allow the NATed IP address of the initiator When individual pre shared keys are used with mult...

Page 342: ...ed while being transmitted Note that this example does not illustrate how to add the specific IPsec tunnel object It will also be used in a later example CLI First create a list of IPsec Algorithms gw world add IPsecAlgorithms esp l2tptunnel DESEnabled Yes DES3Enabled Yes SHA1Enabled Yes MD5Enabled Yes Then apply the algorithm proposal list to the IPsec tunnel gw world set Interface IPsecTunnel My...

Page 343: ... Shared key This example shows how to create a Pre shared Key and apply it to a VPN tunnel Since regular words and phrases are vulnerable to dictionary attacks they should not be used as secrets Here the pre shared key is a randomly generated hexadecimal key Note that this example does not illustrate how to add the specific IPsec tunnel object CLI First create a Pre shared Key To generate the key ...

Page 344: ...ist contains one or more identities IDs where each identity corresponds to the subject field in a certificate Identification lists can thus be used to regulate what certificates that are given access to what IPsec tunnels Example 9 3 Using an Identity List This example shows how to create and use an Identification List for use in the VPN tunnel This Identification List will contain one ID with the...

Page 345: ...Link com 6 Click OK Finally apply the Identification List to the IPsec tunnel 1 Go to Interfaces IPsec 2 In the grid control click on the IPsec tunnel object of interest 3 Under the Authentication tab choose X 509 Certificate 4 Select the appropriate certificate in the Root Certificate s and Gateway Certificate controls 5 Select MyIDList in the Identification List 6 Click OK 9 3 8 Identification L...

Page 346: ...the remote firewall specified by the matching IPsec Tunnel definition Note IKE and ESP AH traffic are sent to the IPsec engine before the rule set is consulted Encrypted traffic to the firewall therefore does not need to be allowed in the rule set This behavior can be changed in the IPsec advanced settings section IPsec Tunnel Quick Start This section covers IPsec tunnels in some detail A quick st...

Page 347: ...in from everywhere irrespective of their IP address then the Remote Network needs to be set to all nets IP address 0 0 0 0 0 which will allow all existing IPv4 addresses to connect through the tunnel When configuring VPN tunnels for roaming clients it is usually not necessary to add to or modify the algorithm proposal lists that are pre configured in NetDefendOS 9 4 3 1 PSK based client tunnels Ex...

Page 348: ...l firewall IP wan_ip Web Interface A Create a Self signed Certificate for IPsec authentication The step to actually create self signed certificates is performed outside the WebUI using a suitable software product The certificate should be in the PEM Privacy Enhanced Mail file format B Upload all the client self signed certificates 1 Go to Objects Authentication Objects Add Certificate 2 Enter a su...

Page 349: ...of steps Most importantly it is the responsibility of the administrator to acquire the appropriate certificate from an issuing authority With some systems such as Windows 2000 Server there is built in access to a CA server in Windows 2000 Server this is found in Certificate Services For more information on CA server issued certificates see Section 3 7 Certificates It is the responsibility of the a...

Page 350: ...9 Certificates as the authentication method Root Certificate s Select your CA server root certificate imported earlier and add it to the Selected list Gateway Certificate Choose your newly created firewall certificate Identification List Select your ID List that you want to associate with your VPN Tunnel In our case that will be sales 5 Under the Routing tab Enable the option Dynamically add route...

Page 351: ...NBNS WINS resolution already provided by an IP Pool DHCP Instructs the host to send any internal DHCP requests to this address Subnets A list of the subnets that the client can access Example 9 7 Setting Up Config Mode In this example the Config Mode Pool object is enabled by associating with it an already configured IP Pool object called ip_pool1 Web Interface 1 Go to Objects VPN Objects IKE Conf...

Page 352: ...s this information is missing or the administrator wishes to use another LDAP server The LDAP configuration section can then be used to manually specify alternate LDAP servers Example 9 9 Setting up an LDAP server This example shows how to manually setup and specify an LDAP server CLI gw world add LDAPServer Host 192 168 101 146 Username myusername Password mypassword Port 389 Web Interface 1 Go t...

Page 353: ...re referred to in this section as the client and server In this context the word client is used to refer to the device which is the initiator of the negotiation and the server refers to the device which is the responder Step 1 Client Initiates Exchange by Sending a Supported Algorithm List The verbose option output initially shows the proposed list of algorithms that the client first sends to the ...

Page 354: ...ata length 16 bytes Vendor ID 8f 9c c9 4e 01 24 8e cd f1 47 59 4c 28 4b 21 3b Description SSH Communications Security QuickSec 2 1 0 VID Vendor ID Payload data length 16 bytes Vendor ID 27 ba b5 dc 01 ea 07 60 ea 4e 31 90 ac 27 c0 d0 Description draft stenberg ipsec nat traversal 01 VID Vendor ID Payload data length 16 bytes Vendor ID 61 05 c4 22 e7 68 47 e4 3f 96 84 80 12 92 ae cd Description dra...

Page 355: ...kies 0x6098238b67d97ea6 0x5e347cb76e95a Message ID 0x00000000 Packet length 224 bytes payloads 8 Payloads SA Security Association Payload data length 52 bytes DOI 1 IPsec DOI Proposal 1 1 Protocol 1 1 Protocol ID ISAKMP SPI Size 0 Transform 1 1 Transform ID IKE Encryption algorithm Rijndael cbc aes Key length 128 Hash algorithm MD5 Authentication method Pre Shared Key Group description MODP 1024 L...

Page 356: ...ction main mode ISAKMP Version 1 0 Flags Cookies 0x6098238b67d97ea6 0x5e347cb76e95a Message ID 0x00000000 Packet length 220 bytes payloads 4 Payloads KE Key Exchange Payload data length 128 bytes NONCE Nonce Payload data length 16 bytes NAT D NAT Detection Payload data length 16 bytes NAT D NAT Detection Payload data length 16 bytes Step 4 Server Sends Key Exchange Data The Server now sends key ex...

Page 357: ...ly flag used ID Identification of the client The Notification field is given as Initial Contact to indicate this is not a re key Step 6 Server ID Response The server now responds with its own ID IkeSnoop Sending IKE packet to 192 168 0 10 500 Exchange type Identity Protection main mode ISAKMP Version 1 0 Flags E encryption Cookies 0x6098238b67d97ea6 0x5e347cb76e95a Message ID 0x00000000 Packet len...

Page 358: ...fe type Seconds SA life duration 21600 SA life type Kilobytes SA life duration 50000 Encapsulation mode Tunnel Transform 3 4 Transform ID Blowfish Key length 128 Authentication algorithm HMAC MD5 SA life type Seconds SA life duration 21600 SA life type Kilobytes SA life duration 50000 Encapsulation mode Tunnel Transform 4 4 Transform ID Blowfish Key length 128 Authentication algorithm HMAC SHA 1 S...

Page 359: ...Version 1 0 Flags E encryption Cookies 0x6098238b67d97ea6 0x5e347cb76e95a Message ID 0xaa71428f Packet length 156 bytes payloads 5 Payloads HASH Hash Payload data length 16 bytes SA Security Association Payload data length 56 bytes DOI 1 IPsec DOI Proposal 1 1 Protocol 1 1 Protocol ID ESP SPI Size 4 SPI Value 0xafba2d15 Transform 1 1 Transform ID Rijndael aes Key length 128 Authentication algorith...

Page 360: ...ules Default 4 times the license limit of IPsec Max Tunnels IPsec Max Tunnels Specifies the total number of tunnels allowed by NetDefendOS This value is usually taken from the license but in situations where it is desirable to have less than the license value it can be reduced System memory for the tunnels is allocated at startup and reducing this value can therefore reduce memory requirements A w...

Page 361: ...ficate may in turn be signed by another CA which may be signed by another CA and so on Each certificate will be verified until one that has been marked as trusted is found or until it is determined that none of the certificates are trusted If there are more certificates in this path than what this setting specifies the user certificate will be considered invalid Default 15 IPsec Cert Cache Max Cer...

Page 362: ...n for this setting is that it is the amount of time in tens of seconds that an SA will remain in the dead cache after a delete An SA is put in the dead cache when the other side of the tunnel has not responded to DPD R U THERE messages for DPD Expire Time x 10 seconds and there is no other evidence of life When the SA is placed in the dead cache NetDefendOS will not try to re negotiate the tunnel ...

Page 363: ...plementation PPTP can be used in the VPN context to tunnel different protocols across the Internet Tunneling is achieved by encapsulating PPP packets in IP datagrams using Generic Routing Encapsulation GRE IP protocol 47 The client first establishes a connection to an ISP in the normal way using the PPP protocol and then establishes a TCP IP connection across the Internet to the D Link Firewall wh...

Page 364: ...om Allowed Networks 6 Click OK Use User Authentication Rules is enabled as default To be able to authenticate the users using the PPTP tunnel you also need to configure authentication rules which will not be covered in this example 9 5 2 L2TP Servers Layer 2 Tunneling Protocol L2TP is an IETF open standard that overcomes many of the problems of PPTP Its design is a combination of Layer 2 Forwardin...

Page 365: ...ed Networks control 6 Click OK Use User Authentication Rules is enabled as default To be able to authenticate the users using the PPTP tunnel you also need to configure authentication rules which is not covered in this example Example 9 12 Setting up an L2TP Tunnel Over IPsec This example shows how to setup a fully working L2TP Tunnel based on IPsec encryption and will cover many parts of basic VP...

Page 366: ...Transport e IKE Algorithms High f IPsec Algorithms esp l2tptunnel 4 Enter 3600 in the IPsec Life Time seconds control 5 Enter 250000 in the IPsec Life Time kilobytes control 6 Under the Authentication tab select Pre shared Key 7 Select MyPSK in the Pre shared Key control 8 Under the Routing tab check the following controls Allow DHCP over IPsec from single host clients Dynamically add route to the...

Page 367: ... Web Interface 1 Go to User Authentication User Authentication Rules Add UserAuthRule 2 Enter a suitable name for the rule for example L2TP_Auth 3 Now enter Agent PPP Authentication Source Local Interface l2tp_tunnel Originator IP all nets Terminator IP wan_ip 4 Under the Authentication Options tab enter UserDB as the Local User DB 5 Click OK When the other parts are done all that is left is the r...

Page 368: ...services Source Interface l2tp_tunnel Source Network l2tp_pool Destination Interface any Destination Network all nets 8 Click OK 9 5 3 L2TP PPTP Server advanced settings The following L2TP PPTP server advanced settings are available to the administrator L2TP Before Rules Pass L2TP traffic sent to the D Link Firewall directly to the L2TP Server without consulting the rule set Default Enabled PPTP B...

Page 369: ...dress If this network object exists and has a value which is not 0 0 0 0 then the PPTP L2TP client will try to get that one from the PPTP L2TP server as the preferred IP Automatically pick name If this option is enabled then NetDefendOS will create a host name based on the name of the PPTP L2TP interface for example ip_PPTPTunnel1 Primary Secondary DNS Name This defines the DNS servers from a list...

Page 370: ...cting as a PPTP client which is trying to connect to the PPTP server then this will not work because of the NATing The only way of achieving multiple PPTP clients being NATed like this is for the D Link Firewall to act as a PPTP client when it connects to the PPTP server To summarize the setup A PPTP tunnel is defined between NetDefendOS and the server A route is added to the routing table in NetD...

Page 371: ... The following scenarios are possible 1 The CA server is a private server behind the D Link Firewall and the tunnels are set up over the public Internet but to clients that will not try to validate the certificate sent by NetDefendOS In this case the IP address of the private server needs only be registered on a private DNS server so the FQDN can be resolved This private DNS server will also have ...

Page 372: ...tion Components CA Server Access by Clients In a VPN tunnel with roaming clients connecting to the D Link Firewall the VPN client software may need to access the CA server Not all VPN client software will need this access In the Microsoft clients prior to Vista CA server requests are not sent at all With Microsoft Vista validation became the default with the option to disable it Other non Microsof...

Page 373: ...r must be configured in NetDefendOS so that these requests can be resolved Turning Off FQDN Resolution As explained in the troubleshooting section below identifying problems with CA server access can be done by turning off the requirement to validate certificates Attempts to access CA servers by NetDefendOS can be disabled with the Disable CRLs option for certificate objects This means that checki...

Page 374: ... IP also belongs to the network behind the D Link Firewall accessible through a tunnel then Windows will still continue to assume that the IP address is to be found on the client s local network Windows therefore will not correctly route packets bound for the remote network through the tunnel but instead route them to the local network The solution to this problem of local remote IP address duplic...

Page 375: ...214 237 225 43 84 13 193 179 84 13 193 179 IPsec_Tun1 192 168 0 0 24 172 16 1 0 24 82 242 91 203 To examine the first IKE negotiation phase of tunnel setup use ipsecstat ike To get complete details of tunnel setup use ipsecstat u v The ikesnoop console command A common problem with setting up IPsec is a list of proposed algorithms that is unacceptable to the device at the other end of the tunnel T...

Page 376: ...h the management traffic being routed back through the VPN tunnel instead of the correct interface This happens when a route is established in the main routing table which routes any traffic for all nets through the VPN tunnel If the management interface is not reached by the VPN tunnel then the administrator needs to create a specific route that routes management interface traffic leaving the D L...

Page 377: ...Management Interface Failure with VPN Chapter 9 VPN 377 ...

Page 378: ...later in this chapter DSCP bits can be used by the NetDefendOS traffic shaping subsystem as a basis for prioritizing traffic passing through the D Link Firewall The Traffic Shaping Solution Architectures like Diffserv however fall short if applications themselves supply the network with QoS information In most networks it is rarely appropriate to let the applications the users of the network decid...

Page 379: ...S are Pipes Pipe Rules Pipes A Pipe is the fundamental object for traffic shaping and is a conceptual channel through which packets of data can flow It has various characteristics that define how traffic passing through it is handled As many pipes as are required can be defined by the administrator None are defined by default Pipes are simplistic in that they do not care about the types of traffic...

Page 380: ...orm a Chain of pipes through which traffic will pass A chain can be made up of at most 8 pipes If no pipe is specified in a list then traffic that matches the rule will not flow through any pipe but it will also mean that the traffic will not be subject to any other pipe rules found later in the rule set Pipes Will Not Work With FwdFast Rules It is important to understand that traffic shaping will...

Page 381: ...be passed through the pipe and this is done by using the pipe in a Pipe Rule We will use the above pipe to limit inbound traffic This limit will apply to the actual data packets and not the connections In traffic shaping we re interested in the direction that data is being shuffled not which computer initiated the connection Create a simple rule that allows everything from the inside going out We ...

Page 382: ... forward chain will not work since you probably want 2 Mbps limit for outbound traffic to be separate from the 2 Mbps limit for inbound traffic If we try to pass 2 Mbps of outbound traffic through the pipe in addition to 2 Mbps of inbound traffic it adds up to 4 Mbps Since the pipe limit is 2 Mbps you would get something close to 1 Mbps in each direction Raising the total pipe limit to 4 Mbps will...

Page 383: ... created earlier Unfortunately this will not achieve the desired effect which is allocating a maximum of 125 kbps to inbound surfing traffic as part of the 250 kbps total Inbound traffic will pass through one of two pipes one that allows 250 kbps and one that allows 125 kbps giving a possible total of 375 kbps of inbound traffic To solve this we create a chain of the surf in pipe followed by the s...

Page 384: ... of the Diffserv architecture where the Type of Service ToS bits are included in the IP packet header Pipe Precedences When a pipe is configured a Default Precedence a Minimum Precedence and a Maximum Precedence can be specified The Default Precedence is the precedence taken by a packet if it is not explicitly assigned by a Pipe Rule as described in the preceding paragraph The minimum and maximum ...

Page 385: ...e a higher priority than all other traffic To do this we add a Pipe Rule specifically for SSH and Telnet and set the priority in the rule to be a higher priority say 2 We specify the same pipes in this new rule as are used for other traffic The effect of doing this is that the SSH and Telnet rule sets the higher priority on packets related to these services and these packets are sent through the s...

Page 386: ...oes not pose much of a problem here but it becomes more pronounced as your traffic shaping scenario becomes more complex The number of precedences is limited This may not be sufficient in all cases even barring the which traffic is more important problem The solution here is to create two new pipes one for telnet traffic and one for SSH traffic much like the surf pipe that we created earlier on Fi...

Page 387: ...ess so that port 1024 of computer A is not the same as port 1024 of computer B and individual connections are identifiable If grouping by network is chosen the network size should also be specified this has the same meaning as the netmask A Simple Groups Scenario If the total bandwidth limit for a pipe is 400 bps and we want to allocate this bandwidth amongst many destination IP addresses so no si...

Page 388: ...mit per user to about 13 kbps 64 kbps divided by 5 users Dynamic Balancing takes place within each precedence of a pipe individually This means that if users are allotted a certain small amount of high priority traffic and a larger chunk of best effort traffic all users will get their share of the high precedence traffic as well as their fair share of the best effort traffic 10 1 10 Recommendation...

Page 389: ...eded for NetDefendOS to adapt to changing conditions Attacks on Bandwidth Traffic shaping cannot protect against incoming resource exhaustion attacks such as DoS attacks or other flooding attacks NetDefendOS will prevent these extraneous packets from reaching the hosts behind the D Link Firewall but cannot protect the connection becoming overloaded if an attack floods it Watching for Leaks When se...

Page 390: ...orwarded basis Within a pipe traffic can also be separated on a Group basis For example by source IP address Each user in a group for example each source IP address can be given a maximum limit and precedences within a group can be given a limit guarantee A pipe limit need not be specified if group members have a maximum limit Dynamic Balancing can be used to specify that all users in a group get ...

Page 391: ...namic Balancing enabled on the pipes means that all users will be allocated a fair share of this capacity Using Several Precedences We now extend the above example by allocating priorities to different kinds of traffic accessing the Internet from a headquarters office Lets assume we have a symmetric 2 2 Mbps link to the Internet We will allocate descending priorities and traffic requirements to th...

Page 392: ...ffic shaping is occurring inside a single D Link Firewall VPN is typically used for communication between a headquarters and branch offices in which case pipes can control traffic flow in both directions With VPN it is the tunnel which is the source and destination interface for the pipe rules An important consideration which has been discussed previously is allowance in the Pipe Total values for ...

Page 393: ...e site is guaranteed 500 kbps of capacity before it is forced to best effort SAT with Pipes If SAT is being used for example with a web server or ftp server that traffic also needs to be forced into pipes or it will escape traffic shaping and ruin the planned quality of service In addition server traffic is initiated from the outside so the order of pipes needs to be reversed the forward pipe is t...

Page 394: ...g is a combination of these two features where traffic flows identified by the IDP subsystem automatically trigger the setting up of traffic shaping pipes to control those flows 10 2 2 Setup The steps for IDP Traffic Shaping setup are as follows 1 Define an IDP rule that triggers on targeted traffic The IDP signature chosen determines which traffic is to be targeted and the signature usually has t...

Page 395: ...as a source or destination IP that is the same as the connection that did trigger a rule If the source or destination is also a member of the IP range specified as the Network then the connection s traffic is included in the pipe performing traffic shaping for the original triggering connection If no Network is specified then this new connection is also included in the triggering connection s pipe...

Page 396: ...ransfer The sequence of events is The client with IP address 192 168 1 15 initiates a P2P file transfer through a connection 1 to the tracking server at 81 150 0 10 This connection triggers an IDP rule in NetDefendOS which is set up with an IDP signature that targets the P2P application The Pipe action in the rule sets up a traffic shaping pipe with a specified capacity and the connection is added...

Page 397: ...distinctive naming convention which is explained next Pipe Naming NetDefendOS names the pipes it automatically creates in IDP Traffic Shaping using the pattern IDPPipe_ bandwidth for pipes with upstream forward flowing traffic and IDPPipe_ bandwidth R for pipes with downstream return flowing traffic A number suffix is appended if name duplication occurs For example the first pipes created with a l...

Page 398: ...affic Shaping generates log messages on the following events When an IDP rule with the Pipe option has triggered and either host or client is present in the Network range When the subsystem adds a host that will have future connections blocked When a timer for piping news connections expires a log message is generated indicating that new connections to or from the host are no longer piped There ar...

Page 399: ...conditions A Threshold has the following parameters Action The response to exceeding the limit either Audit or Protect Group By Either Host or Network based Threshold The numerical limit which must be exceeded to trigger a response Threshold Type Limiting connections per second or limiting total number of concurrent connections These parameters are described below 10 3 2 Limiting the Connection Ra...

Page 400: ... 10 3 7 Threshold Rules and ZoneDefense Threshold Rules are used in the D Link ZoneDefense feature to block the source of excessive connection attmepts from internal hosts For more information on this refer to Chapter 12 ZoneDefense 10 3 8 Threshold Rule Blacklisting If the Protect option is used Threshold Rules can be configured so that the source that triggered the rule is added automatically to...

Page 401: ...ormance of applications but also scalability by allowing a cluster of multiple servers sometimes referred to as a server farm to handle many more requests than a single server The illustration below shows a typical SLB scenario with Internet access to internal server applications being managed by a D Link Firewall Note SLB is not available on all D Link models The SLB feature is only available on ...

Page 402: ...re are following issues should be considered when deploying SLB The servers across which the load is to be balanced The load distribution mode The SLB algorithm used The monitoring method Each of these topics is discussed further in the sections that follow 10 4 2 Identifying the Servers The first step is to identify the servers across which the load is to be balanced This might be a server farm w...

Page 403: ...ut stickiness it will behave as a Round Robin algorithm that allocates new connections to servers in an orderly fashion It will also behave like the Round Robin algorithm if there are always clients with a new IP address that make one connection The real benefit of using the Connection Rate algorithm together with stickiness is when clients make multiple connections Connection Rate will then ensur...

Page 404: ...tead R1 and R2 will be sent to the same server because of stickiness but the subsequent requests R3 and R4 will be routed to another server since the number of new connections on each server within the Window Time span is counted in for the distribution Figure 10 11 Stickiness and Connection Rate Regardless which algorithm is chosen if a server goes down traffic will be sent to other servers And w...

Page 405: ...oup which included all these objects 3 Define an SLB_SAT Rule in the IP rule set which refers to this Group and where all other SLB parameters are defined 4 Define a further rule that duplicates the source destination interface network of the SLB_SAT rule that allows traffic through This could be one rule or a combination of ForwardFast Allow NAT The table below shows the rules that would be defin...

Page 406: ...name for example server1 3 Enter the IP Address as 192 168 1 10 4 Click OK 5 Repeat the above to create an object called server2 for the 192 168 1 11 IP address B Create a Group which contains the 2 webserver objects 1 Go to Objects Address Book Add IP4 Group 2 Enter a suitable name for example server_group 3 Add server1 and server2 to the group 4 Click OK C Specify the SLB_SAT IP rule 1 Go to Rul...

Page 407: ...n Allow IP rule for the external clients 1 Go to Rules IP Rule Sets main Add IP Rule 2 Enter Name Web_SLB_ALW Action Allow Service HTTP Source Interface any Source Network all nets Destination Interface core Destination Network ip_ext 3 Click OK 10 4 6 SLB_SAT Rules Chapter 10 Traffic Management 407 ...

Page 408: ...10 4 6 SLB_SAT Rules Chapter 10 Traffic Management 408 ...

Page 409: ...is sometimes known as an active passive HA implementation The Master and Active Units When reading this section on HA it should be kept in mind that the master unit in a cluster is not always the same as the active unit in a cluster The active unit is the D Link Firewall that is actually processing all traffic at a given point in time This could be the slave unit if a failover has occurred because...

Page 410: ...erate between two D Link Firewalls As the internal operation of different firewall manufacturer s software is completely dissimilar there is no common method available to communicating state information to a dissimilar device It is also strongly recommended that the D Link Firewalls used in cluster have identical configurations They must also have identical licenses which allow identical capabilit...

Page 411: ...he sending firewall The destination IP is the broadcast address on the sending interface The IP TTL is always 255 If NetDefendOS receives a cluster heartbeat with any other TTL it is assumed that the packet has traversed a router and therefore cannot be trusted It is a UDP packet sent from port 999 to port 999 The destination MAC address is the ethernet multicast address corresponding to the share...

Page 412: ...endOS cluster has the Anti Virus or IDP subsystems enabled then updates to the Anti Virus signature database or IDP pattern database will routinely occur These updates involve downloads from the external D Link databases and they require NetDefendOS reconfiguration to occur for the new database contents to become active A database update causes the following sequence of events to occur in an HA cl...

Page 413: ...e on the master and slave which is to be used by the units for monitoring each other and connect them together with an Ethernet crossover cable This will be the NetDefendOS sync interface It is recommended that the same interface is used on both master and slave assuming they are similar systems Figure 11 1 High Availability Setup The illustration above shows the typical HA Cluster connections All...

Page 414: ...red If an interface is not assigned an individual address through an IP4 HA Address object then it must be assigned the default address localhost which is an IP address from the subnet 127 0 0 0 8 ARP queries for the individual IP addresses specified in IP4 HA Address objects are answered by the firewall that owns the address using the normal hardware address just as with normal IP units One singl...

Page 415: ...r configuration log on to either the master or the slave make the change then save and activate The change is automatically made to both units 11 3 3 Verifying the Cluster is Functioning To verify that the cluster is performing correctly first use the ha command on each unit The output will look similar to the following for the master gw world ha This device is an HA MASTER This device is currentl...

Page 416: ... Use Unique Shared MAC Address By default this is enabled and in most configurations it should not need to be disabled The effect of enabling this setting is that a single unique MAC address will be used for each pair of matching hardware interfaces so that for example the lan1 interface on the master unit will appear to have the same MAC address as the lan1 interface on the slave unit An HA clust...

Page 417: ...Cluster ID Changing the cluster ID in a live environment is not recommended for two reasons Firstly this will change the hardware address of the shared IPs and will cause problems for all units attached to the local LAN as they will keep the old hardware address in their ARP caches until it times out Such units would have to have their ARP caches flushed Secondly this breaks the connection between...

Page 418: ... explanation of this setting see Section 11 3 4 Using Unique Shared Mac Addresses Default Enabled Deactivate Before Reconf If enabled this setting will make an active node failover to the inactive node before a reconfigure takes place instead of relying on the inactive node detecting that the active node is not operating normally and then taking over on its own initiative Enabling this setting sho...

Page 419: ...11 5 HA Advanced Settings Chapter 11 High Availability 419 ...

Page 420: ...hold can be dynamically blocked using the ZoneDefense feature Thresholds are based on either the number of new connections made per second or on the total number of connections being made These connections may be made by either a single host or all hosts within a specified CIDR network range an IP address range specified by a combination of an IP address and its associated network mask ACL Upload ...

Page 421: ...R3 02 B12 or later DES 3526 R3 x Version R3 06 B20 only DES 3526 R4 x Version R4 01 B19 or later DES 3550 R3 x Version R3 05 B38 only DES 3550 R4 x Version R4 01 B19 or later DES 3800 Series Version R2 00 B13 or later DGS 3200 Series Version R1 10 B06 or later DGS 3324SR SRi Version R4 30 B11 or later DGS 3400 Series R1 x Version R1 00 B35 only DGS 3400 Series R2 x Version R2 00 B52 or later DGS 3...

Page 422: ...ceeded The limit can be one of two types Connection Rate Limit This can be triggered if the rate of new connections per second to the firewall exceeds a specified threshold Total Connections Limit This can be triggered if the total number of connections to the firewall exceeds a specified threshold Threshold rules have parameters which are similar to those for IP Rules These parameters specify wha...

Page 423: ...eds this limitation the firewall will block the specific host in network range 192 168 2 0 24 for example from accessing the switch completely A D Link switch model DES 3226S is used in this case with a management interface address 192 168 1 250 connecting to the firewall s interface address 192 168 1 1 This firewall interface is added into the exclude list to prevent the firewall from being accid...

Page 424: ...ng feature NetDefendOS can first identify a virus source through antivirus scanning and then block the source by communicating with switches configured to work with ZoneDefense This feature is activated through the following ALGs HTTP ZoneDefense can block an HTTP server that is a virus source FTP ZoneDefense can block a local FTP client that is uploading viruses SMTP ZoneDefense can block a local...

Page 425: ... or network one rule per switch port is needed When this limit has been reached no more hosts or networks will be blocked out Important ZoneDefense uses a range of the ACL rule set on the switch To avoid potential conflicts in these rules and guarantee the firewall s access control it is strongly recommended that the administrator clear the entire ACL rule set on the switch before executing the Zo...

Page 426: ...12 3 5 Limitations Chapter 12 ZoneDefense 426 ...

Page 427: ...447 Miscellaneous Settings page 448 13 1 IP Level Settings Log Checksum Errors Logs occurrences of IP packets containing erroneous checksums Normally this is the result of the packet being damaged during network transport All network units both routers and workstations drop IP packets that contain checksum errors However it is highly unlikely for an attack to be based on illegal checksums Default ...

Page 428: ...the action taken on packets whose TTL falls below the stipulated TTLMin value Default DropLog Multicast TTL on Low What action to take on too low multicast TTL values Default DropLog Default TTL Indicates which TTL NetDefendOS is to use when originating a packet These values are usually between 64 and 255 Default 255 Layer Size Consistency Verifies that the size information contained in each layer...

Page 429: ...og IP Options Timestamps Time stamp options instruct each router and firewall on the packet s route to indicate at what time the packet was forwarded along the route These options do not occur in normal traffic Time stamps may also be used to record the route a packet has taken from sender to final destination NetDefendOS never enters information into these options regardless of this setting Defau...

Page 430: ...ets equal to or smaller than the size specified by this setting Default 65535 bytes Multicast Mismatch option What action to take when ethernet and IP multicast addresses does not match Default DropLog Min Broadcast TTL option The shortest IP broadcast Time To Live value accepted on receipt Default 1 Low Broadcast TTL Action option What action to take on too low broadcast TTL values Default DropLo...

Page 431: ...ccording to the next setting Default 1460 bytes TCP MSS VPN Max As is the case with TCPMSSMax this is the highest Maximum Segment Size allowed However this setting only controls MSS in VPN connections This way NetDefendOS can reduce the effective segment size used by TCP in all VPN connections This reduces TCP fragmentation in the VPN connection even if hosts do not know how to perform MTU discove...

Page 432: ... ACK individual packets instead of entire series which can increase the performance of connections experiencing extensive packet loss They are also used by OS Fingerprinting SACK is a common occurrence in modern networks Default ValidateLogBad TCP Option TSOPT Determines how NetDefendOS will handle time stamp options As stipulated by the PAWS Protect Against Wrapped Sequence numbers method TSOPT i...

Page 433: ... that a new connection is in the process of being opened and an URG flag means that the packet contains data requiring urgent attention These two flags should not be turned on in a single packet as they are used exclusively to crash computers with poorly implemented TCP stacks Default DropLog TCP SYN PSH Specifies how NetDefendOS will deal with TCP packets with SYN and PSH Push flags both turned o...

Page 434: ...Fingerprinting Note an upcoming standard called Explicit Congestion Notification also makes use of these TCP flags but as long as there are only a few operating systems supporting this standard the flags should be stripped Default StripLog TCP Reserved Field Specifies how NetDefendOS will deal with information present in the reserved field in the TCP header which should normally be 0 This field is...

Page 435: ...he most significant impact of this will be that common web surfing traffic short but complete transactions requested from a relatively small set of clients randomly occurring with an interval of a few seconds will slow down considerably while most normal TCP traffic will continue to work as usual Using either ValidateReopen or ValidateReopenLog is however not recommended since the same effect can ...

Page 436: ...ing limits how many Rejects per second may be generated by the Reject rules in the Rules section Default 500 Silently Drop State ICMPErrors Specifies if NetDefendOS should silently drop ICMP errors pertaining to statefully tracked open connections If these errors are not dropped by this setting they are passed to the rule set for evaluation just like any other packet Default Enabled 13 3 ICMP Leve...

Page 437: ...determining whether the remote peer is attempting to open a new connection Default Enabled Log State Violations Determines if NetDefendOS logs packets that violate the expected state switching diagram of a connection for example getting TCP FIN packets in response to TCP SYN packets Default Enabled Log Connections Specifies how NetDefendOS will log connections NoLog Does not log any connections co...

Page 438: ...gnostic and testing purposes since it generates unwieldy volumes of log messages and can also significantly impair throughput performance Default Disabled Dynamic Max Connections Allocate the Max Connection value dynamically Default Enabled Max Connections This setting applies if Dynamic Max Connections above is disabled Specifies how many connections NetDefendOS may keep open at any one time Each...

Page 439: ... may idle before finally being closed Connections reach this state when a packet with its FIN flag on has passed in any direction Default 80 UDP Idle Lifetime Specifies in seconds how long UDP connections may idle before being closed This timeout value is usually low as UDP has no way of signalling when the connection is about to close Default 130 UDP Bidirectional Keep alive This allows both side...

Page 440: ...Other Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before it is closed Default 130 13 5 Connection Timeout Settings Chapter 13 Advanced Settings 440 ...

Page 441: ...many real time applications use large fragmented UDP packets If no such protocols are used the size limit imposed on UDP packets can probably be lowered to 1480 bytes Default 60000 Max ICMP Length Specifies in bytes the maximum size of an ICMP packet ICMP error messages should never exceed 600 bytes although Ping packets can be larger if so requested This value may be lowered to 1000 bytes if you ...

Page 442: ...ze of an IP in IP packet IP in IP is used by Checkpoint Firewall 1 VPN connections when IPsec is not used This value should be set at the size of the largest packet allowed to pass through the VPN connections regardless of its original protocol plus approx 50 bytes Default 2000 Max IPsec IPComp Length Specifies in bytes the maximum size of an IPComp packet Default 2000 Max L2TP Length Specifies in...

Page 443: ... track DropPacket Discards the illegal fragment and all previously stored fragments Will not allow further fragments of this packet to pass through during ReassIllegalLinger seconds DropLogPacket As DropPacket but also logs the event DropLogAll As DropLogPacket but also logs further fragments belonging to this packet that arrive during ReassIllegalLinger seconds The choice of whether to discard in...

Page 444: ...nts have been involved LogSuspectSubseq As LogSuspect but also logs subsequent fragments of the packet as and when they arrive LogAll Logs all failed reassembly attempts LogAllSubseq As LogAll but also logs subsequent fragments of the packet as and when they arrive Default LogSuspectSubseq Dropped Fragments If a packet is denied entry to the system as the result of the settings in the Rules sectio...

Page 445: ...y send 1480 byte fragments and a router or VPN tunnel on the route to the recipient subsequently reduce the effective MTU to 1440 bytes This would result in the creation of a number of 1440 byte fragments and an equal number of 40 byte fragments Because of potential problems this can cause the default settings in NetDefendOS has been designed to allow the smallest possible fragments 8 bytes to pas...

Page 446: ...cket has been marked as illegal NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving Default 60 13 7 Fragmentation Settings Chapter 13 Advanced Settings 446 ...

Page 447: ...concurrent local reassemblies Default 256 Max Size Maximum size of a locally reassembled packet Default 10000 Large Buffers Number of large over 2K local reassembly buffers of the above size Default 32 13 8 Local Fragment Reassembly Settings Chapter 13 Advanced Settings 447 ...

Page 448: ...associated settings limit memory used by the re assembly subsystem This setting specifies how many connections can use the re assembly system at the same time It is expressed as a percentage of the total number of allowed connections Minimum 1 Maximum 100 Default 80 Max Memory This setting specifies how much memory that the re assembly system can allocate to process packets It is expressed as a pe...

Page 449: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 449 ...

Page 450: ...p Registration manual which explains registration and update service procedures in more detail is available for download from the D Link website Subscription renewal In the Web interface go to Maintenance License to check which update services are activated and when your subscription is ends Caution Renew your subscription in good time before your current subscription ends Monitoring database upda...

Page 451: ...edb IDP To remove the Anti Virus database use the command gw world removedb Antivirus Once removed the entire system should be rebooted and a database update initiated Removing the database is also recommended if either IDP or Anti Virus is not used for longer periods of time Note Anti Virus database updates require a couple of seconds to be optimized once an update is downloaded This will cause t...

Page 452: ...RITAS Backup solutions BOT_GENERAL Activities related to bots including those controlled by IRC channels BROWSER_FIREFOX Mozilla Firefox BROWSER_GENERAL General attacks targeting web browsers clients BROWSER_IE Microsoft IE BROWSER_MOZILLA Mozilla Browser COMPONENT_ENCODER Encoders as part of an attack COMPONENT_INFECTION Infection as part of an attack COMPONENT_SHELLCODE Shell code as part of the...

Page 453: ...ion IP_OVERFLOW Overflow of IP protocol implementation IRC_GENERAL Internet Relay Chat LDAP_GENERAL General LDAP clients servers LDAP_OPENLDAP Open LDAP LICENSE_CA LICENSE License management for CA software LICENSE_GENERAL General License Manager MALWARE_GENERAL Malware attack METASPLOIT_FRAME Metasploit frame attack METASPLOIT_GENERAL Metasploit general attack MISC_GENERAL General attack MSDTC_GE...

Page 454: ... RSYNC_GENERAL Rsync SCANNER_GENERAL Generic scanners SCANNER_NESSUS Nessus Scanner SECURITY_GENERAL Anti virus solutions SECURITY_ISS Internet Security Systems software SECURITY_MCAFEE McAfee SECURITY_NAV Symantec AV solution SMB_ERROR SMB Error SMB_EXPLOIT SMB Exploit SMB_GENERAL SMB attacks SMB_NETBIOS NetBIOS attacks SMB_WORMS SMB worms SMTP_COMMAND ATTACK SMTP command attack SMTP_DOS Denial o...

Page 455: ...GENERAL Virus VOIP_GENERAL VoIP protocol and implementation VOIP_SIP SIP protocol and implementation WEB_CF FILE INCLUSION Coldfusion file inclusion WEB_FILE INCLUSION File inclusion WEB_GENERAL Web application attacks WEB_JSP FILE INCLUSION JSP file inclusion WEB_PACKAGES Popular web application packages WEB_PHP XML RPC PHP XML RPC WEB_SQL INJECTION SQL Injection WEB_XSS Cross Site Scripting WINS...

Page 456: ...iletype extension Application 3ds 3d Studio files 3gp 3GPP multimedia file aac MPEG 2 Advanced Audio Coding File ab Applix Builder ace ACE archive ad3 Dec systems compressed Voice File ag Applix Graphic file aiff aif Audio Interchange file am Applix SHELF Macro arc Archive file alz ALZip compressed file avi Audio Video Interleave file arj Compressed archive ark QuArk compressed file archive arq Co...

Page 457: ...BinHex 4 compressed archive icc Kodak Color Management System ICC Profile icm Microsoft ICM Color Profile file ico Windows Icon file imf Imago Orpheus module sound data Inf Sidplay info file it Impulse Tracker Music Module java Java source code jar Java JAR archive jng JNG Video Format jpg jpeg jpe jff jfif jif JPEG file jrc Jrchive compressed archive jsw Just System Word Processor Ichitaro kdelnk...

Page 458: ... Network Graphic ppm PBM Portable Pixelmap Graphic ps PostScript file psa PSA archive data psd Photoshop Format file qt mov moov QuickTime Movie file qxd QuarkXpress Document ra ram RealMedia Streaming Media rar WinRAR compressed archive rbs ReBirth Song file riff rif Microsoft Audio file rm RealMedia Streaming Media rpm RedHat Package Manager rtf wri Rich Text Format file sar Streamline compresse...

Page 459: ...ve Player Streaming Video file wav Waveform Audio wk Lotus 1 2 3 document wmv Windows Media file wrl vrml Plain Text VRML file xcf GIMP Image file xm Fast Tracker 2 Extended Module audio file xml XML file xmcd xmcd database file for kscd xpm BMC Software Patrol UNIX Icon file yc YAC compressed archive zif ZIF image zip Zip compressed archive file zoo ZOO compressed archive file zpk ZPack archive d...

Page 460: ... 7 Layers of the OSI Model Layer number Layer purpose Layer 7 Application Layer 6 Presentation Layer 5 Session Layer 4 Transport Layer 3 Network Layer 2 Data Link Layer 1 Physical Layer Functions The different layers perform the following functions Layer 7 Application Layer Defines the user interface that supports applications directly Protocols HTTP FTP TFTP DNS SMTP Telnet SNMP and similar The A...

Page 461: ...K 2600 Glostrup Copenhagen Denmark TEL 45 43 969040 FAX 45 43 424347 Website www dlink dk Egypt 47 El Merghany street Heliopolis Cairo Egypt TEL 202 2919035 202 2919047 FAX 202 2919051 Website www dlink me com Europe UK 4th Floor Merit House Edgware Road Colindale London NW9 5AB UK TEL 44 20 8731 5555 FAX 44 20 8731 5511 Website www dlink co uk Finland Latokartanontie 7A FIN 00700 HELSINKI Finland...

Page 462: ... 6 Moscow 129626 Russia TEL 7 495 744 0099 FAX 7 495 744 0099 350 Website www dlink ru Singapore 1 International Business Park 03 12 The Synergy Singapore 609917 TEL 65 6774 6233 FAX 65 6774 6322 Website www dlink intl com South Africa Einstein Park II Block B 102 106 Witch Hazel Avenue Highveld Technopark Centurion Gauteng Republic of South Africa TEL 27 12 665 2165 FAX 27 12 665 2186 Website www...

Page 463: ...ALG 216 in the SMTP ALG 207 memory requirements 259 relationship with IDP 260 simultaneous scans 259 with zonedefense 263 application layer gateway see ALG ARP 94 advanced settings 97 98 cache 94 gratuitous 130 proxy 135 static 96 ARP Broadcast setting 99 ARP Cache Size setting 100 ARP Changes setting 99 ARP Expire setting 99 ARP Expire Unknown setting 95 99 ARP Hash Size setting 95 100 ARP Hash S...

Page 464: ...48 categories 250 dynamic WCF 245 override 249 phishing 254 setup 246 site reclassification 249 spam 256 static 243 content filtering HTML customizing 256 core interface 81 core routes 129 customer web transparent mode access 172 D date and time 113 Deactivate Before Reconf HA setting 418 Decrement TTL setting 178 default access rule 126 193 Default TTL setting 428 denial of service 276 destinatio...

Page 465: ...identification lists 344 IDP 265 HTTP URI normalization 267 signature groups 270 signature wildcarding 271 SMTP log receivers 272 traffic shaping 394 IGMP advanced settings 164 configuration 159 rules configuration 162 IGMP Before Rules setting 164 IGMP Idle Lifetime setting 439 IGMP Last Member Query Interval setting 164 IGMP Lowest Compatible Version setting 164 IGMP Max Interface Requests setti...

Page 466: ...tting 57 58 logout from CLI 36 Log Oversized Packets setting 442 Log Received TTL 0 setting 427 Log Reverse Opens setting 437 Log State Violations setting 437 loopback interfaces 80 Low Broadcast TTL Action setting 430 M MAC addresses 94 management interfaces 25 advanced settings 43 managing NetDefendOS 25 Max AH Length setting 441 Max Auto Routes DHCP setting 188 Max Concurrent reassembly setting...

Page 467: ...rview 14 proposal lists 341 proxy ARP 135 Pseudo Reass Max Concurrent setting 443 Q QoS see quality of service quality of service 378 R RADIUS accounting 54 advanced settings 57 authentication 304 Reassembly Done Limit setting 445 Reassembly Illegal Limit setting 445 Reassembly Timeout setting 445 Reconf Failover Time HA setting 418 Reject IP rule 104 Relay MPLS setting 180 Relay Spanning tree BPD...

Page 468: ...e Lifetime setting 439 TCP MSS Log Level setting 431 TCP MSS Max setting 431 TCP MSS Min setting 431 TCP MSS On High setting 431 TCP MSS on Low setting 431 TCP MSS VPN Max setting 431 TCP NULL setting 434 TCP Option ALTCHKDATA setting 433 TCP Option ALTCHKREQ setting 432 TCP Option Con Timeout setting 433 TCP Option Other setting 433 TCP Option SACK setting 432 TCP Option Sizes setting 431 TCP Opt...

Page 469: ...ice over IP VPN 319 planning 320 quick start guide 323 troubleshooting 374 W Watchdog Time setting 448 WCF see web content filtering webauth 311 web content filtering 245 fail mode 247 whitelisting 246 web interface 25 26 default connection interface 26 setting workstation IP 26 WebUI see web interface WebUI Before Rules setting 43 WebUI HTTP port setting 44 WebUI HTTPS port setting 44 whitelistin...

Reviews:

No comments