
Multicast Source: 192.168.10.1

Multicast Group: 239.192.10.0/24

4. Click OK

Advanced IGMP Settings

There are a number of IGMP advanced settings which are global and apply to all
interfaces which do not have IGMP settings explicitly specified for them.

4.6.4. Advanced IGMP Settings

Auto Add Multicast Core Route

This setting will automatically add core routes in all routing tables for the multicast IP address range
224.0.0.0/4. If the setting is disabled, multicast packets might be forwarded according to the default
route.

Default: Enabled

IGMP Before Rules

For IGMP traffic, bypass the normal IP rule set and consult the IGMP rule set instead.

Default: Enabled

IGMP React To Own Queries

The firewall should always respond with IGMP Membership Reports, even to queries originating
from itself. Global setting on interfaces without an overriding IGMP Setting.

Default: Disabled

IGMP Lowest Compatible Version

IGMP messages with a version lower than this will be logged and ignored. Global setting on
interfaces without an overriding IGMP Setting.

Default: IGMPv1
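The version check behind this setting depends on how an IGMP message's version is derived from its wire format: the type field alone is not enough, because queries of all three versions share type 0x11 and are told apart by length and the Max Resp Code field (RFC 3376, section 7.1). The following Python is an added illustration, not code from the manual or from NetDefendOS: it classifies a message, verifies the IGMP checksum, and applies a lowest-compatible-version policy in which anything below the threshold is dropped with a reason suitable for a log line. The sample messages are constructed inline and are not captured traffic.

```python
"""Classify IGMP messages by version and apply a lowest-compatible-version
policy. Added example; the message types and query rules come from RFC 1112,
RFC 2236 and RFC 3376, the policy mirrors the setting described above."""
import socket
import struct

# IGMP message types.
TYPE_QUERY = 0x11       # Membership Query, all versions
TYPE_V1_REPORT = 0x12   # IGMPv1 Membership Report
TYPE_V2_REPORT = 0x16   # IGMPv2 Membership Report
TYPE_V2_LEAVE = 0x17    # IGMPv2 Leave Group
TYPE_V3_REPORT = 0x22   # IGMPv3 Membership Report


def igmp_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words over the whole IGMP message.
    Over a message whose checksum field is already filled in, a valid
    checksum makes this return 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def igmp_version(msg: bytes) -> int:
    """Return 1, 2 or 3 for a well-formed message; raise ValueError otherwise.
    Queries: 8 bytes with Max Resp Code 0 is v1, 8 bytes with a non-zero
    Max Resp Code is v2, 12 bytes or more is v3 (RFC 3376 section 7.1)."""
    if len(msg) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    if igmp_checksum(msg) != 0:
        raise ValueError("IGMP checksum mismatch")
    mtype, max_resp = msg[0], msg[1]
    if mtype == TYPE_QUERY:
        if len(msg) >= 12:
            return 3
        return 1 if max_resp == 0 else 2
    if mtype == TYPE_V1_REPORT:
        return 1
    if mtype in (TYPE_V2_REPORT, TYPE_V2_LEAVE):
        return 2
    if mtype == TYPE_V3_REPORT:
        return 3
    raise ValueError("unknown IGMP type 0x%02x" % mtype)


def apply_lowest_compatible(msg: bytes, lowest: int):
    """Return ("accept", version) or ("drop", reason). The reason string is
    what an implementation would log before ignoring the message."""
    try:
        version = igmp_version(msg)
    except ValueError as exc:
        return ("drop", "malformed: %s" % exc)
    if version < lowest:
        return ("drop", "IGMPv%d below lowest compatible IGMPv%d" % (version, lowest))
    return ("accept", version)


def build_igmp(mtype: int, max_resp: int, addr: str, tail: bytes = b"") -> bytes:
    """Construct a sample message with a valid checksum (test data only).
    Bytes 4-7 are the Group Address for v1/v2 messages; for the v3 report
    they carry Reserved and Number of Group Records, so 0.0.0.0 is passed."""
    body = struct.pack("!BBH", mtype, max_resp, 0) + socket.inet_aton(addr) + tail
    csum = igmp_checksum(body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


# Constructed samples, not captured traffic.
SAMPLES = {
    "v1_query": build_igmp(TYPE_QUERY, 0, "0.0.0.0"),
    "v2_query": build_igmp(TYPE_QUERY, 100, "239.192.10.1"),
    # v3 general query: Resv/S/QRV=2, QQIC=125, Number of Sources=0
    "v3_query": build_igmp(TYPE_QUERY, 100, "0.0.0.0", struct.pack("!BBH", 2, 125, 0)),
    "v2_report": build_igmp(TYPE_V2_REPORT, 0, "239.192.10.1"),
    "v2_leave": build_igmp(TYPE_V2_LEAVE, 0, "239.192.10.1"),
    # v3 report with zero group records
    "v3_report": build_igmp(TYPE_V3_REPORT, 0, "0.0.0.0"),
}

if __name__ == "__main__":
    # Policy equivalent to setting the lowest compatible version to IGMPv2.
    for name, msg in SAMPLES.items():
        print(name, apply_lowest_compatible(msg, 2))
```

Run with the threshold set to 2 and only the IGMPv1 query is dropped; with the page's default of IGMPv1 every sample is accepted. Note that the checksum check runs before the version check, so a corrupted message is dropped as malformed rather than being misclassified.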

IGMP Router Version

The IGMP protocol version that will be globally used on interfaces without a configured IGMP
Setting. Multiple querying IGMP routers on the same network must use the same IGMP version.
Global setting on interfaces without an overriding IGMP Setting.

Default: IGMPv3

IGMP Last Member Query Interval

The maximum time in milliseconds until a host has to send an answer to a group or



Page 85: ...the most important usage of service objects and it is also how ALGs become associated with IP rules since an ALG is associated with a service and not directly with an IP rule For more information on how service objects are used with IP rules see Section 3 5 IP Rule Sets Predefined Services A large number of service objects are predefined in NetDefendOS These include common services such as HTTP FT...

Page 86: ...jects does not meet the requirements for certain traffic then a new service can be created Reading this section will explain not only how new services are created but also provides an understanding of the properties of predefined services The Type of service created can be one of the following TCP UDP Service A service based on the UDP or TCP protocol or both This type of service is discussed furt...

Page 87: ...estination ports are applicable for the service Specifying Port Numbers Port numbers are specified with all types of services and it is useful to understand how these can be entered in user interfaces They can be specified for both the Source Port and or the Destination Port of a service in the following ways Single Port For many services a single destination port is sufficient For example HTTP us...
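The port syntax just described, as a parser and matcher. This is an added example in Python, not code from the manual or from NetDefendOS: it assumes the notation the manual uses for services, a single port ("80"), a hyphenated range ("137-139") and a comma-separated list of ports and ranges ("137-139,445"), plus 0-65535 as the source-port wildcard. The two sample services are constructed here. Counting the ports a specification opens is included because it is the quickest way to see how much wider a multi-range service is than it looks.

```python
"""Parse service port specifications and match a packet's ports against them.

Added example, not code from the NetDefendOS manual. It assumes the port syntax
the manual uses for services: a single port ("80"), a hyphenated range
("137-139") and a comma-separated list of ports and ranges ("137-139,445").
The sample services below are constructed for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class PortSpec:
    ranges: Tuple[Tuple[int, int], ...]  # inclusive (low, high) pairs

    def matches(self, port: int) -> bool:
        return any(lo <= port <= hi for lo, hi in self.ranges)

    def count(self) -> int:
        """How many distinct ports the spec allows (overlapping ranges counted once)."""
        return len({p for lo, hi in self.ranges for p in range(lo, hi + 1)})


def parse_ports(spec: str) -> PortSpec:
    """Turn "80", "137-139" or "137-139,445" into a PortSpec.

    Malformed or out-of-range input raises ValueError so that a bad entry is
    rejected instead of silently widening the service.
    """
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty element in port spec {spec!r}")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ranges.append((lo, hi))
    return PortSpec(tuple(ranges))


@dataclass(frozen=True)
class Service:
    name: str
    protocols: FrozenSet[str]  # {"tcp"}, {"udp"} or both
    src_ports: PortSpec
    dst_ports: PortSpec


def service_matches(svc: Service, proto: str, sport: int, dport: int) -> bool:
    """True when protocol, source port and destination port all fit the service."""
    return (proto in svc.protocols
            and svc.src_ports.matches(sport)
            and svc.dst_ports.matches(dport))


ANY_PORT = parse_ports("0-65535")
# Constructed sample services: a narrow HTTP service and a multi-range NetBIOS/SMB one.
HTTP = Service("http", frozenset({"tcp"}), ANY_PORT, parse_ports("80"))
NETBIOS_SMB = Service("netbios-smb", frozenset({"tcp", "udp"}), ANY_PORT,
                      parse_ports("137-139,445"))

if __name__ == "__main__":
    print(service_matches(HTTP, "tcp", 51234, 80), service_matches(NETBIOS_SMB, "udp", 1024, 138))
    print("ports opened by 137-139,445:", NETBIOS_SMB.dst_ports.count())
```

parse_ports raises on a malformed entry rather than guessing; in a policy tool that is the right failure mode, because a silently widened service is an allow rule nobody reviewed.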

Page 88: ...ack to the requesting application. In some cases it is useful that the ICMP messages are not dropped, for example if an ICMP quench message is sent to reduce the rate of traffic flow. On the other hand, dropping ICMP messages increases security by preventing them being used as a means of attack. ALG: A TCP/UDP service can be linked to an Application Layer Gateway (ALG) to enable deeper inspection of certa...

Page 89: ...uld provide. The best approach is to narrow the service filter in a security policy so it allows only the protocols that are absolutely necessary. The all_tcpudpicmp service object is often a first choice for general traffic, but even this may allow many more protocols than are normally necessary, and the administrator can often narrow the range of allowed protocols further. Example 3.8. Creating a Cust...

Page 90: ...be selected are as follows: Echo Request: Sent by PING to a destination in order to check connectivity. Destination Unreachable: The source is told that a problem has occurred when delivering a packet. There are codes from 0 to 5 for this type: Code 0, Net Unreachable; Code 1, Host Unreachable; Code 2, Protocol Unreachable; Code 3, Port Unreachable; Code 4, Cannot Fragment; Code 5, Source Route Failed. Redirect: The...

Page 91: ...col service. 2. Specify a suitable name for the service, for example VRRP. 3. Enter 112 in the IP Protocol control. 4. Optionally, enter Virtual Router Redundancy Protocol in the Comments control. 5. Click OK. 3.2.5. Service Groups: A Service Group is, exactly as the name suggests, a NetDefendOS object that consists of a collection of services. Although the group concept is simple, it can be very useful when const...

Page 92: ...on to be open. Establish Idle Timeout: If there is no activity on a connection for this amount of time, then it is considered to be closed and is removed from the NetDefendOS state table. The default setting for this time with TCP/UDP connections is 3 days. Closing Timeout: This is the time allowed for the connection to be closed. The administrator must make a judgement as to what the acceptable values shoul...

Page 93: ...S itself is the source or destination for traffic. Interface Types: NetDefendOS supports a number of interface types, which can be divided into the following four major groups: Ethernet Interfaces: Each Ethernet interface represents a physical Ethernet interface on a NetDefendOS-based product. All network traffic that originates from or enters a NetDefend Firewall will pass through one of the physical i...

Page 94: ...f interfaces can be used almost interchangeably in the various NetDefendOS rule sets and other configuration objects. This results in a high degree of flexibility in how traffic can be examined, controlled and routed. Interfaces have Unique Names: Each interface in NetDefendOS is given a unique name to be able to identify and select it for use with other NetDefendOS objects in a configuration. Some int...

Page 95: ...equence of bits which specify the originating device plus the destination device plus the data payload, along with error-checking bits. A pause between the broadcasting of individual frames allows devices time to process each frame before the next arrives, and this pause is progressively smaller with the faster data transmission speeds found in normal Ethernet, then Fast Ethernet and finally Gigabit E...

Page 96: ...ally auto-generated by the system. For more information please see Section 3.1.5, Auto-Generated Address Objects. Tip: Specifying multiple IP addresses on an interface. Multiple IP addresses can be specified for an Ethernet interface by using the ARP Publish feature. For more information see Section 3.4, ARP. Network: In addition to the interface IP address, a Network address is also specified for an Ethern...

Page 97: ...an be sent from the DHCP server. iv. Do not allow IP address collisions with static routes. v. Do not allow network collisions with static routes. vi. Specify an allowed IP address for the DHCP lease. vii. Specify an address range for DHCP servers from which leases will be accepted. DHCP Hostname: In some infrequent cases a DHCP server may require a hostname to be sent by the DHCP client. Enable Transparent...

Page 98: ...this interface. 2. An additional option is to disable the sending of HA cluster heartbeats from this interface. Quality of Service: The option exists to copy the IP DSCP precedence to the VLAN priority field for any VLAN packets. This is disabled by default. Changing the IP Address of an Ethernet Interface: To change the IP address on an interface, we can use one of two methods: Change the IP address dire...

Page 99: ...rnet card, including the bus, slot and port number of the card as well as the Ethernet driver being used. These details are not relevant to the logical interface object associated with the physical interface. 3.3.2.1. Useful CLI Commands for Ethernet Interfaces: This section summarizes the CLI commands most commonly used for examining and manipulating NetDefendOS Ethernet interfaces. Ethernet interfaces...

Page 100: ...ddresses/lan_ip, InterfaceAddresses/wan_net, InterfaceAddresses/lan_net, Server. Setting Interface Addresses: The CLI can be used to set the address of the interface: gw-world:/> set Address IP4Address InterfaceAddresses/wan_ip Address=172.16.5.1 (output: Modified IP4Address InterfaceAddresses/wan_ip). Enabling DHCP: The CLI can be used to enable DHCP on the interface: gw-world:/> set Interface Ethernet wan DHCPEnabled=ye...

Page 101: ...r for the bus/slot/port combination 0/0/2 on the wan interface, the set command would be: gw-world:/> set EthernetDevice lan EthernetDriver=IXP4NPEEthernetDriver PCIBus=0 PCISlot=0 PCIPort=2. This command is useful when a restored configuration contains interface names that do not match the interface names of new hardware. By assigning the values for bus, slot, port and driver of a physical interface to a...

Page 102: ...n belong to different Virtual LANs but can still share the same physical Ethernet link. The following principles underlie the NetDefendOS processing of VLAN-tagged Ethernet frames at a physical interface: Ethernet frames received on a physical interface by NetDefendOS are examined for a VLAN ID. If a VLAN ID is found and a matching VLAN interface has been defined for that interface, NetDefendOS will u...

Page 103: ...r ports on the switch that connect to VLAN clients are configured with individual VLAN IDs. Any device connected to one of these ports will then automatically become part of the VLAN configured for that port. In Cisco switches this is called configuring a Static-access VLAN. On Switch1 in the illustration above, one interface is configured to be dedicated to VLAN1 and two others are dedicated to VLAN2...

Page 104: ...d treat a VLAN interface just like a physical interface, in that they require both appropriate IP rules and routes to exist in the NetDefendOS configuration for traffic to flow through them. For example, if no IP rule with a particular VLAN interface as the source interface is defined allowing traffic to flow, then packets arriving on that interface will be dropped. VLAN advanced settings: There is a si...

Page 105: ...IP networks. PPP uses Link Control Protocol (LCP) for link establishment, configuration and testing. Once the LCP is initialized, one or several Network Control Protocols (NCPs) can be used to transport traffic for a particular protocol suite, so that multiple protocols can interoperate on the same link; for example, both IP and IPX traffic can share a PPP link. PPP Authentication: PPP authentication is option...

Page 106: ...ered PPPoE to be used in PPPoE sessions. Unnumbered PPPoE is typically used when ISPs want to allocate one or more preassigned IP addresses to users. These IP addresses are then manually entered into client computers. The ISP does not assign an IP address to the PPPoE client at the time it connects. A further option with the unnumbered PPPoE feature in NetDefendOS is to allow the specification of a si...

Page 107: ...irm Password: Retype the password. Under Authentication, specify which authentication protocol to use (the default settings will be used if not specified). Disable the option Enable dial-on-demand. Under Advanced, if Add route for remote network is enabled, then a new route will be added for the interface. 3. Click OK. 3.3.5. GRE Tunnels. Overview: The Generic Router Encapsulation (GRE) protocol is a simple encaps...

Page 108: ...t be given a value. The specified IP address is then used for the following: i. An ICMP Ping can be sent to this tunnel endpoint. ii. Log messages related to the tunnel will be generated with this IP address as the source. iii. If NAT is being used, then it will not be necessary to set the source IP on the IP rule that performs NAT on traffic going through the tunnel. This IP address will be used as the so...

Page 109: ...associated GRE Tunnel. The same is true for traffic in the opposite direction, that is, going into a GRE tunnel. Furthermore, a Route has to be defined so NetDefendOS knows what IP addresses should be accepted and sent through the tunnel. An Example GRE Scenario: The diagram above shows a typical GRE scenario where two NetDefend Firewalls, A and B, must communicate with each other through the intervening...

Page 110: ...annet on the lan interface, the steps for setting up NetDefendOS on B are as follows: 1. In the address book, set up the following IP objects: remote_net_A = 192.168.10.0/24; remote_gw = 172.16.0.1; ip_GRE = 192.168.0.2. 2. Create a GRE Tunnel object called GRE_to_A with the following parameters: IP Address: ip_GRE; Remote Network: remote_net_A; Remote Endpoint: remote_gw; Use Session Key: 1; Additional Encapsulation Chec...

Page 111: ...rt Equivalent can be enabled (it is disabled by default). Enabling the option means that the group can be used as the destination interface in NetDefendOS rules where connections might need to be moved between two interfaces. For example, the interface might change with route failover or OSPF. If a connection is moved from one interface to another within a group and Security/Transport Equivalent is enab...

Page 112: ...destination IP address sends an ARP reply packet to the originating host with its MAC address. 3.4.2. The NetDefendOS ARP Cache: The ARP cache in network equipment such as switches and firewalls is an important component in the implementation of ARP. It consists of a dynamic table that stores the mappings between IP addresses and Ethernet MAC addresses. NetDefendOS uses an ARP cache in exactly the sam...

Page 113: ...a new MAC address. If NetDefendOS has an old ARP entry for the host in its ARP cache, then that entry will become invalid because of the changed MAC address, and this will cause data to be sent to the host over Ethernet which will never reach its destination. After the ARP entry expiration time, NetDefendOS will learn the new MAC address of the host, but sometimes it may be necessary to manually force t...

Page 114: ...ponse. Interface: The local physical interface for the ARP object. IP Address: The IP address for the MAC/IP mapping. MAC Address: The MAC address for the MAC/IP mapping. The three ARP modes of Static, Publish and XPublish are discussed next. Static Mode ARP Objects: A Static ARP object inserts a particular MAC/IP address mapping into the NetDefendOS ARP cache. The most frequent use of static ARP objects is...

Page 115: ...ss-translate traffic to these addresses and send it onwards to internal servers with private IP addresses. A less common purpose is to aid nearby network equipment responding to ARP in an incorrect manner. Publishing Modes: There are two publishing modes available when publishing a MAC/IP address pair: Publish and XPublish. In both cases an IP address and an associated MAC address are specified. If the MAC...

Page 116: ...r the administrator can use the alternative Proxy ARP feature in NetDefendOS to handle publishing of entire networks (see Section 4.2.6, Proxy ARP). 3.4.4. Using ARP Advanced Settings: This section presents some of the advanced settings related to ARP. In most cases these settings need not be changed, but in some deployments modifications might be needed. A summary of all ARP advanced settings can be fo...

Page 117: ...until the previous ARP cache entry has timed out. The advanced setting Static ARP Changes can modify this behavior. The default behavior is that NetDefendOS will allow changes to take place, but all such changes will be logged. A similar issue occurs when information in ARP replies or ARP requests could collide with static entries in the ARP cache. This should not be allowed to happen, and changing the...

Page 118: ...tDefendOS will, provided that other rules approve the request, reply to it. Default: Drop. ARP Changes: Determines how NetDefendOS will deal with situations where a received ARP reply or ARP request would alter an existing item in the ARP table. Allowing this to take place may facilitate hijacking of local connections. However, not allowing this may cause problems if, for example, a network adapter is replac...

Page 119: ...nes how NetDefendOS deals with ARP requests and ARP replies that state that they are broadcast addresses. Such claims are usually never correct. Default: DropLog. ARP Cache Size: How many ARP entries there can be in the cache in total. Default: 4096. ARP Hash Size: Hashing is used to rapidly look up entries in a table. For maximum efficiency, the hash size should be twice as large as the table it is indexing...

Page 120: ...behavior when receiving an ARP request with a sender IP address that collides with one already used on the receive interface. Possible actions: Drop or Notify. Default: Drop. 3.4.5. ARP Advanced Settings Summary. Chapter 3. Fundamentals. 120...
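How the ARP settings summarized on pages 117 to 120 (ARP Changes, Static ARP Changes, broadcast-address claims, sender IP collisions and ARP Cache Size) combine into one policy, as an added example in Python that is not NetDefendOS code. The defaults the excerpts state (broadcast claims DropLog, sender IP collision Drop, cache size 4096) are used as given; the accept-and-log default for ARP Changes is taken from the page 117 description, while DropLog for Static ARP Changes and the meaning given to Notify are assumptions. The packets, addresses and interface names are constructed.

```python
"""Apply the ARP cache protections described in the settings above to observed ARP traffic.

Added example, not NetDefendOS code. Setting names follow the text. Stated
defaults are used as-is (broadcast-address claims: DropLog; sender IP
collision: Drop; ARP Cache Size: 4096). The ARP Changes default of "allow but
log" and the Static ARP Changes default of DropLog are assumptions, as is the
reading of Notify. The packets fed in at the bottom are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ArpPacket:
    iface: str        # receive interface
    sender_ip: str
    sender_mac: str
    is_reply: bool


@dataclass
class ArpSettings:
    arp_changes: str = "AcceptLog"         # Accept | AcceptLog | Drop | DropLog (default assumed)
    static_arp_changes: str = "DropLog"    # assumed default: traffic never overrides a static entry
    arp_broadcast: str = "DropLog"         # stated default
    arp_sender_ip_collision: str = "Drop"  # Drop | Notify; stated default
    arp_cache_size: int = 4096             # stated default


@dataclass
class ArpCache:
    settings: ArpSettings
    own_ips: Dict[str, str]                                # iface -> the firewall's own IP there
    static: Dict[str, str] = field(default_factory=dict)   # ip -> mac from Static ARP objects
    dynamic: Dict[str, str] = field(default_factory=dict)  # ip -> mac learned from traffic
    log: List[str] = field(default_factory=list)

    def _decide(self, setting: str, event: str) -> bool:
        """Log when the setting asks for it; return True if the change is accepted."""
        if setting in ("AcceptLog", "DropLog", "Notify"):
            self.log.append(event)
        return setting in ("Accept", "AcceptLog")

    def observe(self, pkt: ArpPacket) -> str:
        """Process one ARP request or reply; returns learned, kept, updated or dropped."""
        s = self.settings
        kind = "reply" if pkt.is_reply else "request"
        # A MAC claiming to be the broadcast address is never legitimate.
        if pkt.sender_mac == BROADCAST_MAC:
            self._decide(s.arp_broadcast, f"{kind} claims broadcast MAC for {pkt.sender_ip} on {pkt.iface}")
            return "dropped"
        # Sender IP equal to our own address on the receive interface: a collision.
        # Notify is taken to mean "log, but still do not learn the entry" (assumption).
        if self.own_ips.get(pkt.iface) == pkt.sender_ip:
            self._decide(s.arp_sender_ip_collision, f"{kind} sender IP {pkt.sender_ip} collides with {pkt.iface}")
            return "dropped"
        # Static entries win; a packet that contradicts one is a potential hijack.
        if pkt.sender_ip in self.static:
            if self.static[pkt.sender_ip] == pkt.sender_mac:
                return "kept"
            self._decide(s.static_arp_changes, f"{kind} for static {pkt.sender_ip} from {pkt.sender_mac}")
            return "dropped"
        old = self.dynamic.get(pkt.sender_ip)
        if old is None:
            if len(self.dynamic) >= s.arp_cache_size:
                self.log.append(f"ARP cache full, not learning {pkt.sender_ip}")
                return "dropped"
            self.dynamic[pkt.sender_ip] = pkt.sender_mac
            return "learned"
        if old == pkt.sender_mac:
            return "kept"
        # An existing entry would change: the case the ARP Changes setting governs.
        if not self._decide(s.arp_changes, f"{pkt.sender_ip} moved {old} -> {pkt.sender_mac} on {pkt.iface}"):
            return "dropped"
        self.dynamic[pkt.sender_ip] = pkt.sender_mac
        return "updated"


def run_scenario(settings: ArpSettings) -> ArpCache:
    """Feed a constructed sequence (a host, then an impostor) through the cache."""
    cache = ArpCache(settings, own_ips={"lan": "192.168.0.1"},
                     static={"192.168.0.2": "00:11:22:33:44:55"})
    cache.observe(ArpPacket("lan", "192.168.0.10", "aa:aa:aa:aa:aa:aa", False))  # legitimate host
    cache.observe(ArpPacket("lan", "192.168.0.10", "bb:bb:bb:bb:bb:bb", True))   # impostor claims it
    cache.observe(ArpPacket("lan", "192.168.0.2", "cc:cc:cc:cc:cc:cc", True))    # attacks static entry
    cache.observe(ArpPacket("lan", "192.168.0.1", "dd:dd:dd:dd:dd:dd", False))   # uses our own IP
    cache.observe(ArpPacket("lan", "192.168.0.11", BROADCAST_MAC, False))        # broadcast claim
    return cache


if __name__ == "__main__":
    for name, st in (("default", ArpSettings()), ("strict", ArpSettings(arp_changes="DropLog"))):
        c = run_scenario(st)
        print(name, c.dynamic, *c.log, sep="\n  ")
```

With the default settings the impostor's reply is accepted and only logged, which is the trade-off the page 118 text describes: a replaced adapter keeps working, but so does a hijack until someone reads the log. Setting ARP Changes to DropLog keeps the original mapping, and the static entry for the gateway-style host survives either way.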

Page 121: ...tunnel. Destination Network: The network to which the destination IP address of the packet belongs. This might be a NetDefendOS IP object which could define a single IP address or range of addresses. Service: The protocol type to which the packet belongs. Service objects define a protocol/port type; examples are HTTP and ICMP. Service objects also define any ALG which is to be applied to the traffic. NetD...

Page 122: ...me IP rules must be defined by the administrator. Each IP rule that is added by the administrator will define the following basic filtering criteria: from what interface to what interface traffic flows; from what network to what network the traffic flows; what kind of protocol is affected (the service); what action the rule will take when a match on the filter triggers. Specifying Any Interface or Network...

Page 123: ...at least one IP rule must be added to allow traffic to flow. In fact, two NetDefendOS components need to be present: A route must exist in a NetDefendOS routing table which specifies on which interface packets should leave in order to reach their destination. A second route must also exist that indicates the source of the traffic is found on the interface where the packets enter. An IP rule in a NetDef...

Page 124: ...r rule above it is not being triggered first. Stateful Inspection: After initial rule evaluation of the opening connection, subsequent packets belonging to that connection will not need to be evaluated individually against the rule set. Instead, a highly efficient algorithm searches the state table for each packet to determine if it belongs to an established connection. This approach is known as statefu...

Page 125: ...tailed description. Drop: This tells NetDefendOS to immediately discard the packet. This is an impolite version of Reject, in that no reply is sent back to the sender. It is often preferable since it gives a potential attacker no clues about what happened to their packets. Reject: This acts like Drop but will return a TCP RST or ICMP Unreachable message, informing the sending computer that the packet was...

Page 126: ...se large numbers of entries in IP rule sets, it is possible to create IP rule set folders. These folders are just like a folder in a computer's file system. They are created with a given name and can then be used to contain all the IP rules that are related together as a group. Using folders is simply a way for the administrator to conveniently divide up IP rule set entries, and no special properties a...

Page 127: ...r the individual objects to become visible. Instead, all objects are already visible and they are displayed in a way that indicates how they are grouped together. Groups can be used in most cases where NetDefendOS objects are displayed as tables, where each line in the table is an instance of an object. The most common usage will be for the NetDefendOS Address Book, to arrange IP addresses, and in partic...

Page 128: ...t. Select the New Group option from the context menu. A group is now created with a title line and the IP rule as its only member. The default title of new Group is used. The entire group is also assigned a default color, and the group member is also indented. The object inside the group retains the same index number to indicate its position in the whole table. The index is not affected by group membersh...

Page 129: ...or in the box with the mouse. In this example we might change the name of the group to be Web surfing and also change the group color to green. The resulting group display is shown below. Adding Additional Objects: A new group will always contain just one object. Now we must add more objects to the group. By right-clicking the object that immediately follows the group, we can select the Join Preceding op...

Page 130: ...in a group is right-clicked, then the context menu contains the option Leave Group. Selecting this removes the object from the group AND moves it down to a position immediately following the group. Removing a Group: By right-clicking on a group title, the context menu includes the Ungroup option. This removes the group; however, the group's member objects remain. The group title line disappears and the in...

Page 131: ...other objects. Scheduled Times: These are the times during each week when the schedule is applied. Times are specified as being to the nearest hour. A schedule is either active or inactive during each hour of each day of a week. Start Date: If this option is used, it is the date after which this schedule object becomes active. End Date: If this option is used, it is the date after which this schedule object...

Page 132: ...face=lan SourceNetwork=lannet DestinationInterface=any DestinationNetwork=all-nets Schedule=OfficeHours name=AllowHTTP. Return to the top level: gw-world:/main> cc. Configuration changes must be saved by then issuing an activate followed by a commit command. Web Interface: 1. Go to Objects > Schedules > Add > Schedule. 2. Enter the following: Name: OfficeHours. 3. Select 08-17, Monday to Friday in the grid. 4. Click OK...

Page 133: ...a certificate is a public key with identification attached, coupled with a stamp of approval by a trusted party. Certificate Authorities: A certificate authority (CA) is a trusted entity that issues certificates to other entities. The CA digitally signs all certificates it issues. A valid CA signature in a certificate verifies the identity of the certificate holder and guarantees that the certificate ha...

Page 134: ...can be downloaded. In some cases certificates do not contain this field; in those cases the location of the CRL has to be configured manually. A CA usually updates its CRL at a given interval. The length of this interval depends on how the CA is configured. Typically, this is somewhere between an hour and several days. Trusting Certificates: When using certificates, NetDefendOS trusts anyone whose certific...

Page 135: ...terfaces > IPsec. 2. Display the properties of the IPsec tunnel. 3. Select the Authentication tab. 4. Select the X509 Certificate option. 5. Select the correct Gateway and Root certificates. 6. Click OK. 3.7.3. CA Certificate Requests: To request certificates from a CA server or CA company, the best method is to send a CA Certificate Request, which is a file that contains a request for a certificate in a well-know...

Page 136: ...be cut and pasted with a text editor. Note: OpenSSL is being used here as a conversion utility and not in its normal role as a communication utility. 3. Create two blank text files with a text editor such as Windows Notepad. Give the files the same filename but use the extension .cer for one and .key for the other. For example, gateway.cer and gateway.key might be the names. 4. Start a text editor and open t...

Page 137: ...own as Time Servers. 3.8.2. Setting Date and Time. Current Date and Time: The administrator can set the date and time manually, and this is recommended when a new NetDefendOS installation is started for the first time. Example 3.20. Setting the Current Date and Time: To adjust the current date and time, follow the steps outlined below. Command-Line Interface: gw-world:/> time -set YYYY-mm-DD HH:MM:SS, where YYYY...

Page 138: ...ving Time: Many regions follow Daylight Saving Time (DST), or Summer-time as it is called in some countries, and this means clocks are advanced for the summer period. Unfortunately, the principles regulating DST vary from country to country, and in some cases there can be variations within the same country. For this reason, NetDefendOS does not automatically know when to adjust for DST. Instead, this informat...

Page 139: ...January first, 1900. Most public Time Servers run the NTP protocol and are accessible using SNTP. Configuring Time Servers: Up to three Time Servers can be configured to query for time information. By using more than a single server, situations where an unreachable server causes the time synchronization process to fail can be prevented. NetDefendOS always queries all configured Time Servers and then com...

Page 140: ...lty Time Server causes the clock to be updated with an extremely inaccurate time, a Maximum Adjustment value (in seconds) can be set. If the difference between the current NetDefendOS time and the time received from a Time Server is greater than this Maximum Adjustment value, then the Time Server response will be discarded. For example, assume that the maximum adjustment value is set to 60 seconds and the...
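The Maximum Adjustment check described on page 140, combined with the Group interval setting (default 10) listed in the settings summary on page 143, as an added example in Python that is not NetDefendOS code. Only the discard rule is taken from the text: a response whose difference from the current clock exceeds Maximum Adjustment is thrown away. Clustering the surviving responses within the group interval, keeping the largest cluster and averaging it are assumptions made to show why a single wrong or hostile time server cannot drag the clock; the server names and times are constructed.

```python
"""Choose a new clock value from several time server responses.

Added example, not NetDefendOS code. The discard rule is the one the text
states: a response whose difference from the current time exceeds Maximum
Adjustment is ignored. Grouping the survivors within the Group interval,
keeping the largest group and averaging it are assumptions. The responses
in the demonstration at the bottom are constructed.
"""
from typing import Dict, List, Optional, Tuple


def select_time(current: float, responses: Dict[str, float],
                max_adjustment: float = 600.0, group_interval: float = 10.0
                ) -> Tuple[Optional[float], List[str], Dict[str, str]]:
    """Return (new_time or None, servers used, {server: reason it was discarded}).

    Times are seconds since an epoch. The defaults 600 and 10 are the values
    listed for the two settings in the manual's settings summary.
    """
    discarded: Dict[str, str] = {}
    kept: List[Tuple[str, float]] = []
    for name, t in responses.items():
        if abs(t - current) > max_adjustment:
            discarded[name] = f"offset {t - current:+.1f}s exceeds max adjustment {max_adjustment}s"
        else:
            kept.append((name, t))
    if not kept:
        return None, [], discarded
    # Cluster responses whose times lie within group_interval of the previous one.
    kept.sort(key=lambda nt: nt[1])
    groups: List[List[Tuple[str, float]]] = [[kept[0]]]
    for name, t in kept[1:]:
        if t - groups[-1][-1][1] <= group_interval:
            groups[-1].append((name, t))
        else:
            groups.append([(name, t)])
    best = max(groups, key=len)  # largest agreeing group; ties go to the earliest (assumption)
    for g in groups:
        if g is not best:
            for name, _ in g:
                discarded[name] = "disagrees with the majority group"
    new_time = sum(t for _, t in best) / len(best)
    return new_time, [n for n, _ in best], discarded


if __name__ == "__main__":
    now = 1_000_000.0
    # Constructed responses: two honest servers and one that is five hours off.
    print(select_time(now, {"ntp1": now + 3, "ntp2": now + 5, "rogue": now + 18000},
                      max_adjustment=60))
```

The limit cuts both ways: if the firewall's own clock is badly wrong after a cold start, every honest server will be discarded too, which is why the page 137 text recommends setting the time manually on a fresh installation before relying on synchronization.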

Page 141: ...ink Time Servers: Using D-Link's own Time Servers is an option in NetDefendOS, and this is the recommended way of synchronizing the firewall clock. These servers communicate with NetDefendOS using the SNTP protocol. When the D-Link Server option is chosen, a predefined set of recommended default values for the synchronization are used. Example 3.27. Enabling the D-Link NTP Server: To enable the use of the...

Page 142: ...ver for time synchronization: UDPTime or SNTP (Simple Network Time Protocol). Default: SNTP. Primary Time Server: DNS hostname or IP address of Timeserver 1. Default: None. Secondary Time Server: DNS hostname or IP address of Timeserver 2. Default: None. Tertiary Time Server: DNS hostname or IP address of Timeserver 3. Default: None. Interval between synchronization: Seconds between each resynchronization. Default: 864...

Page 143: ...ift in seconds that a server is allowed to adjust. Default: 600. Group interval: Interval according to which server responses will be grouped. Default: 10. 3.8.4. Settings Summary for Date and Time. Chapter 3. Fundamentals. 143...

Page 144: ...of up to three DNS servers. These are called the Primary Server, the Secondary Server and the Tertiary Server. For DNS to function, at least the primary server must be configured. It is recommended to have both a primary and secondary defined so that there is a backup should the primary be unavailable. Features Requiring DNS Resolution: Having at least one DNS server defined is vital for functioning of th...

Page 145: ...ng a new local IP address on the interface that connects to the DNS server. The difference between HTTP Poster and the named DNS servers in the WebUI is that HTTP Poster can be used to send any URL. The named services are a convenience that make it easy to correctly format the URL needed for that service. For example, the HTTP URL for the dyndns.org service might be myuid:mypwd@members.dyndns.org/nic...

Page 146: ...3.9. DNS. Chapter 3. Fundamentals. 146...

Page 147: ...one of the most fundamental functions of NetDefendOS. Any IP packet flowing through a NetDefend Firewall will be subjected to at least one routing decision at some point in time, and properly setting up routing is crucial for the system to function as expected. NetDefendOS offers support for the following types of routing mechanisms: Static routing; Dynamic routing. NetDefendOS additionally supports ro...

Page 148: ...nd these are consulted to find out where to send a packet so it can reach its destination. The components of a single route are discussed next. The Components of a Route: When a route is defined, it consists of the following parameters: Interface: The interface to forward the packet on in order to reach the destination network; in other words, the interface to which the destination IP range is connected, e...

Page 149: ...sed by Route Failover and Route Load Balancing. For more information, see Section 4.4, Route Load Balancing and Section 4.2.3, Route Failover. A Typical Routing Scenario: The diagram below illustrates a typical NetDefend Firewall usage scenario. Figure 4.1. A Typical Routing Scenario. In the above diagram, the LAN interface is connected to the network 192.168.0.0/24 and the DMZ interface is connected to the...

Page 150: ...cific route is used. In other words, if two routes have destination networks that overlap, the narrower network definition will be taken before the wider one. This behavior is in contrast to IP rules, where the first matching rule is used. In the above example, a packet with a destination IP address of 192.168.0.4 will theoretically match both the first route and the last one. However, the first route entr...

Page 151: ...t ARP queries as though the interface had that IP address. The diagram below illustrates a scenario where this feature could be used. The network 10.1.1.0/24 is bound to a physical interface that has an IP address within the network of 10.1.1.1. If we now attach a second network 10.2.2.0/24 to the interface via the switch, it is unbound, since the interface's IP address does not belong to it. Figure 4.2...

Page 152: ...ables will handle certain types of traffic (see Section 4.3, Policy-based Routing). The Route Lookup Mechanism: The NetDefendOS route lookup mechanism has some slight differences to how some other router products work. In many routers, where the IP packets are forwarded without context (in other words, the forwarding is stateless), the routing table is scanned for each and every IP packet received by the rou...

Page 153: ...following (columns Flags, Network, Iface, Gateway, Local IP, Metric): 192.168.0.0/24, lan, metric 20; 10.0.0.0/8, wan, metric 1; 0.0.0.0/0, wan, gateway 192.168.0.1, metric 20. NetDefendOS Route Definition Advantages: The NetDefendOS method of defining routes makes the reading and understanding of routing information easier. A further advantage with the NetDefendOS approach is that the administrator can directly specify a gateway for a particular route...

Page 154: ...(columns #, Interface, Network, Gateway, Local IP): 1, wan, all-nets, 213.124.165.1, none; 2, lan, lannet, none, none; 3, wan, wannet, none, none. To see the active routing table, enter: gw-world:/> routes. The output (columns Flags, Network, Iface, Gateway, Local IP, Metric) is: 192.168.0.0/24, lan, metric 0; 213.124.165.0/24, wan, metric 0; 0.0.0.0/0, wan, gateway 213.124.165.1, metric 0. Web Interface: To see the configured routing table: 1. Go to Routing > Routing Tables. 2. Select the main routing table. The main window will list the configured...

Page 155: ...rnet. In the Web Interface this is an advanced setting in the Ethernet interface properties called Automatically add a default route for this interface using the given default gateway. When this option is selected, the appropriate all-nets route is automatically added to the main routing table for the interface. Core Routes: NetDefendOS automatically populates the active routing table with Core Routes...

Page 156: ...4.2.3. Route Failover. Overview: NetDefend Firewalls are often deployed in mission-critical locations where availability and connectivity are crucial. For example, an enterprise relying heavily on access to the Internet could have operations severely disrupted if a single connection to the external Internet via a single Internet Service Provider (ISP) fails. It is therefore not unusual to have backup Inter...

Page 157: ...e next hop for a route, accessibility to that gateway can be monitored by sending periodic ARP requests. As long as the gateway responds to these requests, the route is considered to be functioning correctly. Automatically Added Routes Need Redefining: It is important to note that route monitoring cannot be enabled on automatically added routes. For example, the routes that NetDefendOS creates at ini...

Page 158: ...gateways. The first, primary route has the lowest metric and also has route monitoring enabled. Route monitoring for the second, alternate route is not meaningful, since it has no failover route. The two routes (columns Route, Interface, Destination, Gateway, Metric, Monitoring): 1, wan, all-nets, 195.66.77.1, 10, On; 2, wan, all-nets, 193.54.68.1, 20, Off. When a new connection is about to be established to a host on the Internet, a route looku...
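The two failover routes above, together with the longest-prefix rule from page 150, the requirement on page 123 that both a destination route and a source route exist, the first-match rule ordering warned about on page 124 and the OfficeHours schedule from pages 131 and 132, as one runnable model. This is an added example in Python, not NetDefendOS code: apart from the two gateway addresses, the interface names, networks, rule names and the order in which the checks run are assumptions, and the connections evaluated are constructed.

```python
"""Route lookup, source route check, first-match IP rules and schedules in one model.

Added example, not NetDefendOS code. From the text: the narrower route wins
between overlapping routes; IP rules match first from the top; a monitored
route whose gateway stops answering ARP is skipped so the higher-metric
alternate is used; a packet needs a route to its destination and a route
placing its source on the receive interface; a schedule is a weekday-by-hour
grid with optional start and end dates. Check order, names and every address
except the two gateways are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date, datetime
from typing import Callable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Route:
    iface: str
    network: ipaddress.IPv4Network
    gateway: Optional[str] = None
    metric: int = 0
    monitored: bool = False


def route(iface, network, gateway=None, metric=0, monitored=False) -> Route:
    return Route(iface, ipaddress.IPv4Network(network), gateway, metric, monitored)


@dataclass
class Schedule:
    slots: Set[Tuple[int, int]]   # (weekday 0=Mon..6=Sun, hour 0..23) when active
    start: Optional[date] = None  # active only after this date
    end: Optional[date] = None    # inactive after this date

    def active_at(self, when: datetime) -> bool:
        d = when.date()
        if (self.start is not None and d <= self.start) or (self.end is not None and d > self.end):
            return False
        return (when.weekday(), when.hour) in self.slots


def office_hours() -> Schedule:
    """08-17 Monday to Friday: the hour slots from 08:00 up to, not including, 17:00."""
    return Schedule({(wd, h) for wd in range(5) for h in range(8, 17)})


@dataclass
class Rule:
    name: str
    action: str                  # Allow, Drop, Reject, NAT, ...
    src_if: str                  # interface name or "any"
    src_net: ipaddress.IPv4Network
    dst_if: str
    dst_net: ipaddress.IPv4Network
    service: str                 # service name; "all" matches any service
    schedule: Optional[Schedule] = None


def rule(name, action, src_if, src_net, dst_if, dst_net, service, schedule=None) -> Rule:
    return Rule(name, action, src_if, ipaddress.IPv4Network(src_net),
                dst_if, ipaddress.IPv4Network(dst_net), service, schedule)


def route_lookup(table: List[Route], ip: str, gateway_up: Callable[[str], bool]) -> Optional[Route]:
    """Longest prefix first; among equal prefixes, the lowest metric whose gateway answers."""
    addr = ipaddress.IPv4Address(ip)
    hits = [r for r in table if addr in r.network]
    if not hits:
        return None
    longest = max(r.network.prefixlen for r in hits)
    usable = [r for r in hits if r.network.prefixlen == longest
              and (not r.monitored or gateway_up(r.gateway))]
    return min(usable, key=lambda r: r.metric) if usable else None


def evaluate(rules: List[Rule], routes: List[Route], gateway_up: Callable[[str], bool],
             in_if: str, src: str, dst: str, service: str, when: datetime) -> Tuple[str, str, Optional[str]]:
    """Decide a connection's opening packet: (action, rule name or reason, egress interface)."""
    src_route = route_lookup(routes, src, gateway_up)
    if src_route is None or src_route.iface != in_if:
        return "Drop", "source address not routed via the receive interface", None
    dst_route = route_lookup(routes, dst, gateway_up)
    if dst_route is None:
        return "Drop", "no route to destination", None
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:  # first match wins, so a wide rule above a narrow one shadows it
        if r.src_if not in (in_if, "any") or r.dst_if not in (dst_route.iface, "any"):
            continue
        if s not in r.src_net or d not in r.dst_net or r.service not in (service, "all"):
            continue
        if r.schedule is not None and not r.schedule.active_at(when):
            continue
        return r.action, r.name, dst_route.iface
    return "Drop", "no matching rule (default drop)", dst_route.iface


# Constructed configuration: the failover pair from the text, a LAN route and two rules.
ROUTES = [route("lan", "192.168.0.0/24"),
          route("wan", "0.0.0.0/0", gateway="195.66.77.1", metric=10, monitored=True),
          route("wan", "0.0.0.0/0", gateway="193.54.68.1", metric=20)]
ALLOW_HTTP = rule("AllowHTTP", "Allow", "lan", "192.168.0.0/24", "any", "0.0.0.0/0", "http", office_hours())
DROP_ALL = rule("DropAll", "Drop", "lan", "192.168.0.0/24", "any", "0.0.0.0/0", "all")


def at(y: int, m: int, d: int, h: int) -> datetime:
    return datetime(y, m, d, h)


if __name__ == "__main__":
    for rules in ([ALLOW_HTTP, DROP_ALL], [DROP_ALL, ALLOW_HTTP]):
        print([r.name for r in rules], evaluate(rules, ROUTES, lambda gw: True, "lan",
                                               "192.168.0.4", "203.0.113.10", "http", at(2010, 11, 9, 10)))
```

Swapping ALLOW_HTTP and DROP_ALL reproduces the shadowing the page 124 text warns about: the Drop rule above matches first and AllowHTTP never triggers. The source route check is what stops a packet arriving on wan with a lannet source address from matching a lan-sourced rule, and marking only the primary route as monitored is what lets the second, higher-metric route take over when the first gateway stops answering ARP.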

Page 159: ...al destination interfaces should be grouped together into an Interface Group and the Security Transport Equivalent flag should be enabled for the Group The Interface Group is then used as the Destination Interface when setting policies For more information on groups see Section 3 3 6 Interface Groups Gratuitous ARP Generation By default NetDefendOS generates a gratuitous ARP request when a route f...

Page 160: ...ion is established to and then disconnected from the host An IP address must be specified for this HTTP A normal HTTP server request using a URL A URL must be specified for this as well as a text string which is the beginning or complete text of a valid response If no text is specified any response from the server will be valid IP Address The IP address of the host when using the ICMP or TCP optio...

Page 161: ... from a server can indicate if a specific database is operational with text such as Database OK then the absence of that response can indicate that the server is operational but the application is offline A Known Issue When No External Route is Specified With connections to an Internet ISP an external network route should always be specified This external route specifies on which interface the net...

Page 162: ...unning Ethernet is separated into two parts with a routing device such as a NetDefend Firewall in between In such a case NetDefendOS itself can respond to ARP requests directed to the network on the other side of the NetDefend Firewall using the feature known as Proxy ARP The splitting of an Ethernet network into distinct parts so that traffic between them can be controlled is a common usage of th...

Page 163: ... traffic to net_1. In the same way, net_2 could be published on the interface if1 so that there is a mirroring of routes and ARP proxy publishing. Route Network Interface Proxy-ARP-Published: 1 net_1 if1 if2; 2 net_2 if2 if1. In this way there is complete separation of the sub-networks, but the hosts are unaware of this. The routes are a pair which are a mirror image of each other, but there is no requirem...

Page 164: ...S interfaces since ARP is not involved Automatically Added Routes Proxy ARP cannot be enabled for automatically added routes For example the routes that NetDefendOS creates at initial startup for physical interfaces are automatically added routes The reason why Proxy ARP cannot be enabled for these routes is because automatically created routes have a special status in the NetDefendOS configuratio...

Page 165: ...sed Routing A different routing table might need to be chosen based on the user identity or the group to which the user belongs This is particularly useful in provider independent metropolitan area networks where all users share a common active backbone but each can use different ISPs subscribing to different providers Policy based Routing implementation in NetDefendOS is based on two building blo...

Page 166: ...ule is encountered address translation will be performed The decision of which routing table to use is made before carrying out address translation but the actual route lookup is performed on the altered address Note that the original route lookup to find the destination interface used for all rule look ups was done with the original untranslated address 6 If allowed by the IP rule set the new con...

Page 167: ...amed routing table fails the lookup as a whole is considered to have failed Only the named routing table is the only one consulted If this lookup fails the lookup will not continue in the main routing table 3 If Remove Interface IP Routes is enabled the default interface routes are removed that is to say routes to the core interface which are routes to NetDefendOS itself 4 Click OK Example 4 4 Cre...

Page 168: ...Routing becomes a necessity. We will set up the main routing table to use ISP A and add a named routing table called r2 that uses the default gateway of ISP B. Interface Network Gateway ProxyARP: lan1 10.10.10.0/24, no gateway, ProxyARP wan1; lan1 20.20.20.0/24, no gateway, ProxyARP wan2; wan1 10.10.10.1/32, no gateway, ProxyARP lan1; wan2 20.20.20.1/32, no gateway, ProxyARP lan1; wan1 all-nets, gateway 10.10.10.1. Contents of the named Policy-based Routing table r2: Interface Network Gateway: wan2 all...

Page 169: ...Note: Rules in the above example are added for both inbound and outbound connections. ...

Page 170: ...bject Round Robin Matching routes are used equally often by successively going to the next matching route Destination This is an algorithm that is similar to Round Robin but provides destination IP stickiness so that the same destination IP address gets the same route Spillover This uses the next route when specified interface traffic limits are exceeded continuously for a given time Disabling RLB...

Page 171: ...he importance of this is that it means that a particular destination application can see all traffic coming from the same source IP address Spillover Spillover is not similar to the previous algorithms With spillover the first matching route s interface is repeatedly used until the Spillover Limits of that route s interface are continuously exceeded for the Hold Timer number of seconds Once this h...

Page 172: ...sses through one of the ISPs then this can be achieved by enabling RLB and setting a low metric on the route to the favoured ISP A relatively higher metric is then set on the route to the other ISP Using Route Metrics with Spillover When using the Spillover algorithm a number of points should be noted regarding metrics and the way alternative routes are chosen Route metrics should always be set Wi...

Page 173: ...ookup In the above example 10 4 16 0 24 may be chosen over 10 4 16 0 16 because the range is narrower with 10 4 16 0 24 for an IP address they both contain RLB Resets There are two occasions when all RLB algorithms will reset to their initial state After NetDefendOS reconfiguration After a high availability failover In both these cases the chosen route will revert to the one selected when the algo...

Page 174: ...source IP address If NAT was being used for the client communication the IP address seen by the server would be WAN1 or WAN2 In order to flow any traffic requires both a route and an allowing IP rule The following rules will allow traffic to flow to either ISP and will NAT the traffic using the external IP addresses of interfaces WAN1 and WAN2 Rule No Action Src Interface Src Network Dest Interace...

Page 175: ...is are not included here but the created rules would follow the pattern described above RLB with VPN When using RLB with VPN a number of issues need to be overcome If we were to try and use RLB to balance traffic between two IPsec tunnels the problem that arises is that the Remote Endpoint for any two IPsec tunnels in NetDefendOS must be different The solutions to this issue are as follows Use two...

Page 176: ... certain problems such as routing loops One of two types of algorithms are generally used to implement the dynamic routing mechanism A Distance Vector DV algorithm A Link State LS algorithm How a router decides the optimal or best route and shares updated information with other routers depends on the type of algorithm used The two algorithm types will be discussed next Distance Vector Algorithms A...

Page 177: ...0 and 2560G OSPF is not available on the DFL 210 260 and 260E An OSPF enabled router first identifies the routers and sub networks that are directly connected to it and then broadcasts the information to all the other routers Each router uses the information it receives to add the OSPF learned routes to its routing table With this larger picture each OSPF router can identify the networks and route...

Page 178: ...etween them via firewall B For instance traffic from network X which is destined for network Z will be routed automatically through firewall B From the administrators point of view only the routes for directly connected networks need to be configured on each firewall OSPF automatically provides the required routing information to find networks connected to other firewalls even if traffic needs to ...

Page 179: ...ckets based only on the destination IP address found in the IP packet header IP packets are routed as is in other words they are not encapsulated in any further protocol headers as they transit the Autonomous System AS The Autonomous System The term Autonomous System refers to a single network or group of networks with a single clearly defined routing policy controlled by a common administrator It...

Page 180: ...5 3 2 OSPF Area OSPF Area Components A summary of OSPF components related to an area is given below ABRs Area Border Routers are routers that have interfaces connected to more than one area These maintain a separate topological database for each area to which they have an interface ASBRs Routers that exchange routing information with routers in other Autonomous Systems are called Autonomous System...

Page 181: ... bi directional On Point to Point and Point to Multipoint OSPF interfaces the state will be changed to Full On Broadcast interfaces only the DR BDR will advance to the Full state with their neighbors all the remaining neighbors will remain in the 2 Way state ExStart Preparing to build adjacency Exchange Routers are exchanging Data Descriptors Loading Routers are exchanging LSAs Full This is the no...

Page 182: ... configured between fw1 and fw2 on Area 1 as it is used as the transit area In this configuration only the Router ID has to be configured The diagram shows that fw2 needs to have a Virtual Link to fw1 with Router ID 192 168 1 1 and vice versa These virtual links need to be configured in Area 1 B Linking a Partitioned Backbone OSPF allows for linking a partitioned backbone using a virtual link The ...

Page 183: ...ewall needs to have a broadcast interface with at least ONE neighbor for ALL areas that the firewall is attached to In essence the inactive part of the cluster needs a neighbor to get the link state database from It should also be noted that is not possible to put an HA cluster on the same broadcast network without any other neighbors they will not form adjacency with each other because of the rou...

Page 184: ...F routing Defining these objects creates the OSPF network The objects should be defined on each NetDefend Firewall that is part of the OSPF network and should describe the same network An illustration of the relationship between NetDefendOS OSPF objects is shown below Figure 4 12 NetDefendOS OSPF Objects 4 5 3 1 OSPF Router Process This object defines the autonomous system AS which is the top leve...

Page 185: ...ctions that Low logs but with more detail High Logs everything with most detail Note When using the High setting the firewall will log a lot of information even when just connected to a small AS Changing the advanced setting Log Send Per Sec Limit may be required Authentication OSPF supports the following authentication options No null authentication No authentication is used for OSPF protocol exc...

Page 186: ...efreshed It is more optimal to group many LSAs and process them at the same time instead of running them one and one Routes Hold Time This specifies the time in seconds that the routing table will be kept unchanged after a reconfiguration of OSPF entries or a HA failover Memory Settings Memory Max Usage Maximum amount in Kilobytes of RAM that the OSPF AS process are allowed to use if no value is s...

Page 187: ...be used with OSPF interfaces Note that an OSPF Interface does not always correspond to a physical interface although this is the most common usage Other types of interfaces such as a VLAN could instead be associated with an OSPF Interface General Parameters Interface Specifies which interface on the firewall will be used for this OSPF interface Network Specifies the network address for this OSPF i...

Page 188: ...hen the following options are available No authentication Passphrase MD5 Digest Advanced Hello Interval Specifies the number of seconds between Hello packets sent on the interface Router Dead Interval If not Hello packets are received from a neighbor within this interval then that neighbor router will be considered to be out of operation RXMT Interval Specifies the number of seconds between retran...

Page 189: ...e neighbor This is the IP Address of the neighbors OSPF interface connecting to this router For VPN tunnels this will be the IP address of the tunnel s remote end Metric Specifies the metric to this neighbor 4 5 3 5 OSPF Aggregates OSPF Aggregation is used to combine groups of routes with common addresses into a single entry in the routing table If advertised this will decreases the size of the ro...

Page 190: ...uting Rules In a dynamic routing environment it is important for routers to be able to regulate to what extent they will participate in the routing exchange It is not feasible to accept or trust all received routing information and it might be crucial to avoid parts of the routing database getting published to other routers For this reason Dynamic Routing Rules are used to regulate the flow of rou...

Page 191: ...e OSPF AS the opposite is not true The export of routes to networks that are part of OSPF Interface objects are automatic The one exception is for routes on interfaces that have a gateway defined for them In other words where the destination is not directly connected to the physical interface and instead there is a hop to another router on the way to the destination network The all nets route defi...

Page 192: ...fies if the rule should filter on Router ID OSPF Route Type Specifies if the rule should filter on the OSPF Router Type OSPF Tag Specifies an interval that the tag of the routers needs to be in between 4 5 4 3 OSPF Action This object defines an OSPF action General Parameters Export to Process Specifies into which OSPF AS the route change should be imported Forward If needed specifies the IP to rou...

Page 193: ...rther explanation Beginning with just one of these firewalls the NetDefendOS setup steps are as follows 1 Create an OSPF Router object Create a NetDefendOS OSPF Router Process object This will represent an OSPF Autonomous Area AS which is the highest level in the OSPF hierarchy Give the object an appropriate name The Router ID can be left blank since this will be assigned automatically by NetDefen...

Page 194: ... is no need to have a Dynamic Routing Policy Rule which exports the local routing table into the AS since this is done automatically for OSPF Interface objects The exception to this is if a route involves a gateway in other words a router hop In this case the route MUST be explicitly exported The most frequent case when this is necessary is for the all nets route to the external public Internet wh...

Page 195: ...teway in this case is of course the NetDefend Firewall to which the traffic should be sent That firewall may or may not be attached to the destination network but OSPF has determined that that is the optimum route to reach it The CLI command ospf can also be used to indicate OSPF status The options for this command are fully described in the CLI Reference Guide Sending OSPF Traffic Through a VPN T...

Page 196: ...cal IP of the tunnel endpoint To finish the setup for firewall A there needs to be two changes made to the IPsec tunnel setup on firewall B These are i In the IPsec tunnel properties the Local Network for the tunnel needs to be set to all nets This setting acts as a filter for what traffic is allowed into the tunnel and all nets will allow all traffic into the tunnel ii In the routing section of t...

Page 197: ...ble name For example area_0 Specify the Area ID as 0 0 0 0 5 Click OK This should be repeated for all the NetDefend Firewalls that will be part of the OSPF area Example 4 9 Add OSPF Interface Objects Now add OSPF Interface objects for each physical interface that is to be part of the OSPF area area_0 Web Interface 1 Go to Routing OSPF as_0 area_0 OSPF Interfaces 2 Select Add OSPF Interface 3 Selec...

Page 198: ... Example 4 11 Exporting the Default Route into an OSPF AS In this example the default all nets route from the main routing table will be exported into an OSPF AS named as_0 This must be done explicitly because all nets routes are not exported automatically First add a new Dynamic Routing Policy Rule Web Interface 1 Go to Routing Dynamic Routing Rules Add Dynamic routing policy rule 2 Specify a nam...

Page 199: ...s Multicast routing functions on the principle that an interested receiver joins a group for a multicast by using the IGMP protocol PIM routers can then duplicate and forward packets to all members of such a multicast group thus creating a distribution tree for packet flow Rather than acquiring new network information PIM uses the routing information from existing protocols such as OSPF to decide ...

Page 200: ...w specified by the multiplex rule must have been requested by hosts using IGMP before any multicast packets are forwarded through the specified interfaces This is the default behavior of NetDefendOS Not using IGMP The traffic flow will be forwarded according to the specified interfaces directly without any inference from IGMP Note An Allow or NAT rule is also needed Since the Multiplex rule is a S...

Page 201: ...10 0 24 1234 to the interfaces if1 if2 and if3 All groups have the same sender 192 168 10 1 which is located somewhere behind the wan interface The multicast groups should only be forwarded to the out interfaces if clients behind those interfaces have requested the groups using IGMP The following steps need to be performed to configure the actual forwarding of the multicast traffic IGMP has to be ...

Page 202: ...hen `gw-world:/main> add IPRule SourceNetwork=<srcnet> SourceInterface=<srcif> DestinationInterface=<srcif> DestinationNetwork=<destnet> Action=MultiplexSAT Service=<service> MultiplexArgument={outif1;ip1},{outif2;ip2},{outif3;ip3}`. The two values outif and ip represent a combination of output interface and, if address translation of a group is needed, an IP address. If, for example, multiplexing of the multicast group 239.19...

Page 203: ...GMP Rules Configuration Address Translation Tip As previously noted remember to add an Allow rule matching the SAT Multiplex rule Example 4 13 Multicast Forwarding Address Translation The following SAT Multiplex rule needs to be configured to match the scenario described above Web Interface A Create a custom service for multicast called multicast_service 1 Go to Objects Services Add TCP UDP 2 Now ...

Page 204: ...categories IGMP Reports Reports are sent from hosts towards the router when a host wants to subscribe to new multicast groups or change current multicast subscriptions IGMP Queries Queries are IGMP messages sent from the router towards the hosts in order to make sure that it will not close any stream that some host still wants to receive Normally both types of rule have to be specified for IGMP to...

Page 205: ... towards the clients and actively send queries Towards the upstream router the firewall will be acting as a normal host subscribing to multicast groups on behalf of its clients 4 6 3 1 IGMP Rules Configuration No Address Translation This example describes the IGMP rules needed for configuring IGMP according to the No Address Translation scenario described above The router is required to act as a h...

Page 206: ...dd IGMP Rule 2 Under General enter Name A suitable name for the rule for example Reports Type Report Action Proxy Output wan this is the relay interface 3 Under Address Filter enter Source Interface lfGrpClients Source Network if1net if2net if3net Destination Interface core Destination Network auto Multicast Source 192 168 10 1 Multicast Destination 239 192 10 0 24 4 Click OK B Create the second I...

Page 207: ...s needs to be executed to create the report and query rule pair for if1 which uses no address translation Web Interface A Create the first IGMP Rule 1 Go to Routing IGMP IGMP Rules Add IGMP Rule 2 Under General enter Name A suitable name for the rule for example Reports_if1 Type Report Action Proxy Output wan this is the relay interface 3 Under Address Filter enter Source Interface if1 Source Netw...

Page 208: ...enter Name A suitable name for the rule for example Reports_if2 Type Report Action Proxy Output wan this is the relay interface 3 Under Address Filter enter Source Interface if2 Source Network if2net Destination Interface core Destination Network auto Multicast Source 192 168 10 1 Multicast Group 239 192 10 0 24 4 Click OK B Create the second IGMP Rule 1 Again go to Routing IGMP IGMP Rules Add IGM...

Page 209: ...bled IGMP React To Own Queries The firewall should always respond with IGMP Membership Reports even to queries originating from itself Global setting on interfaces without an overriding IGMP Setting Default Disabled IGMP Lowest Compatible Version IGMP messages with a version lower than this will be logged and ignored Global setting on interfaces without an overriding IGMP Setting Default IGMPv1 IG...

Page 210: ...The maximum time in milliseconds until a host has to send a reply to a query Global setting on interfaces without an overriding IGMP Setting Default 10 000 IGMP Robustness Variable IGMP is robust to IGMP Robustness Variable 1 packet losses Global setting on interfaces without an overriding IGMP Setting Default 2 IGMP Startup Query Count The firewall will send IGMP Startup Query Count general queri...

Page 211: ...e time in milliseconds between repetitions of an initial membership report. Global setting on interfaces without an overriding IGMP Setting. Default: 1,000. ...

Page 212: ...nge specified instead of all nets This is usually when a network is split between two interfaces but the administrator does not know exactly which users are on which interface Usage Scenarios Two examples of Transparent Mode usage are Implementing Security Between Users In a corporate environment there may be a need to protect the computing resources of different departments from one another The f...

Page 213: ...ws ARP transactions to pass through the NetDefend Firewall and determines from this ARP traffic the relationship between IP addresses physical addresses and interfaces NetDefendOS remembers this address information in order to relay IP packets to the correct receiver During the ARP transactions neither of the endpoints will be aware of the NetDefend Firewall When beginning communication a host wil...

Page 214: ... Mode If no restriction at all is to be initially placed on traffic flowing in transparent mode the following single IP rule could be added but more restrictive IP rules are recommended Action Src Interface Src Network Dest Interface Dest Network Service Allow any all nets any all nets all Restricting the Network Parameter As NetDefendOS listens to ARP traffic it continuously adds single host rout...

Page 215: ...eate two separate transparent mode networks The routing table used for an interface is decided by the Routing Table Membership parameter for each interface To implement separate Transparent Mode networks interfaces must have their Routing Table Membership reset By default all interfaces have Routing Table Membership set to be all routing tables By default one main routing table always exists and o...

Page 216: ...ch Routes the solution in a High Availability setup is to use Proxy ARP to separate two networks This is described further in Section 4 2 6 Proxy ARP The key disadvantage with this approach is that firstly clients will not be able to roam between NetDefendOS interfaces retaining the same IP address Secondly and more importantly their network routes will need to be manually configured for proxy ARP...

Page 217: ...etween the internal physical Ethernet network pn2 and the Ethernet network to the ISP s gateway pn1 The two Ethernet networks are treated as a single logical IP network in Transparent Mode with a common address range in this example 192 168 10 0 24 Figure 4 19 Transparent Mode Internet Access In this situation any normal non switch all nets routes in the routing table should be removed and replace...

Page 218: ...e In the above example 85 12 184 39 and 194 142 215 15 could be grouped into a single object in this way Using NAT NAT should not be enabled for NetDefendOS in Transparent Mode since as explained previously the NetDefend Firewall is acting like a level 2 switch and address translation is done at the higher IP OSI layer The other consequence of not using NAT is that IP addresses of users accessing ...

Page 219: ...IP Address: 10.0.0.1; Network: 10.0.0.0/24; Default Gateway: 10.0.0.1; Transparent Mode: Enable. 3. Click OK. 4. Go to Interfaces > Ethernet > Edit (lan). 5. Now enter IP Address: 10.0.0.2; Network: 10.0.0.0/24; Transparent Mode: Enable. 6. Click OK. Configure the rules: 1. Go to Rules > IP Rules > Add > IPRule. 2. Now enter Name: HTTPAllow; Action: Allow; Service: http. ...

Page 220: ...nd there is no need for the hosts on the internal network to know if a resource is on the same network or placed on the DMZ The hosts on the internal network are allowed to communicate with an HTTP server on DMZ while the HTTP server on the DMZ can be reached from the Internet The NetDefend Firewall is transparent between the DMZ and LAN but traffic is still controlled by the IP rule set Figure 4 ...

Page 221: ...Interface Groups Add InterfaceGroup 2 Now enter Name TransparentGroup Security Transport Equivalent Disable Interfaces Select lan and dmz 3 Click OK Configure the routing 1 Go to Routing Main Routing Table Add SwitchRoute 2 Now enter Switched Interfaces TransparentGroup Network 10 0 0 0 24 Metric 0 3 Click OK Configure the rules 1 Go to Rules IP Rules Add IPRule 2 Now enter Name HTTP LAN to DMZ Ac...

Page 222: ...g the Bridge Protocol Data Units BPDUs across the NetDefend Firewall BPDU frames carry Spanning Tree Protocol STP messages between layer 2 switches in a network STP allows the switches to understand the network topology and avoid the occurrences of loops in the switching of packets The diagram below illustrates a situation where BPDU messages would occur if the administrator enables the switches t...

Page 223: ... Enabling Disabling BPDU Relaying BPDU relaying is disabled by default and can be controlled through the advanced setting Relay Spanning tree BPDUs Logging of BPDU messages can also be controlled through this setting When enabled all incoming STP RSTP and MSTP BPDU messages are relayed to all transparent interfaces in the same routing table except the incoming interface 4 7 5 Advanced Settings for...

Page 224: ...ically Default Enabled L3 Cache Size This setting is used to manually configure the size of the Layer 3 Cache Enabling Dynamic L3C Size is normally preferred Default Dynamic Transparency ATS Expire Defines the lifetime of an unanswered ARP Transaction State ATS entry in seconds Valid values are 1 60 seconds Default 3 seconds Transparency ATS Size Defines the maximum total number of ARP Transaction...

Page 225: ...ts DropLog Drop and log packets Default DropLog Multicast Enet Sender Defines what to do when receiving a packet that has the sender hardware MAC address in Ethernet header set to a multicast Ethernet address Options Accept Accept packet AcceptLog Accept packet and log Rewrite Rewrite to the MAC of the forwarding interface RewriteLog Rewrite to the MAC of the forwarding interface and log Drop Drop...

Page 226: ...Ignore; all incoming MPLS packets are relayed in transparent mode. Options: Ignore: let the packets pass but do not log; Log: let the packets pass and log the event; Drop: drop the packets; DropLog: drop the packets and log the event. Default: Drop. ...


Page 228: ...ress a MAC address a domain name and a lease for the IP address to the client in a unicast message DHCP Leases Compared to static assignment where the client owns the address dynamic addressing by a DHCP server leases the address to each client for a predefined period of time During the lifetime of a lease the client has permission to keep the assigned address and is guaranteed to have no address ...

Page 229: ... they are defined the last defined being at the top of the list When NetDefendOS searches for a DHCP server to service a request it goes through the list from top to bottom and chooses the first server with a matching combination of interface and relayer IP filter value If there is no match in the list then the request is ignored The DHCP server ordering in the list can of course be changed throug...

Page 230: ...lease Primary Secondary DNS The IP of the primary and secondary DNS servers Primary Secondary NBNS WINS IP of the Windows Internet Name Service WINS servers that are used in Microsoft environments which uses the NetBIOS Name Servers NBNS to assign IP addresses to NetBIOS names Next Server Specifies the IP address of the next server in the boot process This is usually a TFTP server DHCP Server Adva...

Page 231: ...ers: `gw-world:/> dhcpserver`. To list all current leases: `gw-world:/> dhcpserver -show`. Displaying IP to MAC Address Mappings: To display the mappings of IP addresses to MAC addresses that result from allocated DHCP leases, the following command can be used. It is shown with some typical output: `gw-world:/> dhcpserver -show -mappings` DHCP server mappings: Client IP Client MAC Mode: 10.4.13.240 00-1e-0b-a0-c6-5f ACTIVE S...

Page 232: ...ing sections discuss these two DHCP server options 5 2 1 Static DHCP Hosts Where the administrator requires a fixed relationship between a client and the assigned IP address NetDefendOS allows the assignment of a given IP to a specific MAC address In other words the creation of a static host Static Host Parameters Many such assignments can be created for a single DHCP server and each object has th...

Page 233: ... individual static assignment can be shown using its index number: `gw-world:/> show DHCPServerPoolStaticHost 1` Property Value: Index 1; Host 192.168.1.1; MACAddress 00-90-12-13-14-15; Comments none. 5. The assignment could be changed later to IP address 192.168.1.12 with the following command: `gw-world:/> set DHCPServerPoolStaticHost 1 Host=192.168.1.12 MACAddress=00-90-12-13-14-15`. Web Interface: 1. Go to System ...

Page 234: ...ue or a comma separated list The meaning of the data is determined by the Code and Type For example if the code is set to 66 TFTP server name then the Type could be String and the Data would then be a site name such as tftp mycompany com There is a large number of custom options which can be associated with a single DHCP server and these are described in RFC 2132 DHCP Options and BOOTP Vendor Exte...

Page 235: ... interface on which it sends out the forwarded request Although all NetDefendOS interfaces are core routed that is to say a route exists by default that routes interface IP addresses to Core for relayed DHCP requests this core routing does not apply Instead the interface is the source interface and not core Example 5 4 Setting up a DHCP Relayer This example allows clients on NetDefendOS VLAN inter...

Page 236: ... DHCP Relay Advanced Settings The following advanced settings are available with DHCP relaying Max Transactions Maximum number of transactions at the same time Default 32 Transaction Timeout For how long a dhcp transaction can take place Default 10 seconds Max PPM How many dhcp packets a client can send to through NetDefendOS to the dhcp server during one minute Default 500 packets Max Hops How ma...

Page 237: ... What policy should be used to save the relay list to the disk. Possible settings are Disabled, ReconfShut or ReconfShutTimer. Default: ReconfShut. Auto Save Interval: How often, in seconds, the relay list should be saved to disk if DHCPServer_SaveRelayPolicy is set to ReconfShutTimer. Default: 86400. ...

Page 238: ... should use the DHCP server(s) residing on the specified interface. Specify DHCP Server Address: Specify DHCP server IP(s), in preferred ascending order, to be used. This option is used instead of the "behind interface" option. Using the IP loopback address 127.0.0.1 indicates that the DHCP server is NetDefendOS itself. Server filter: Optional setting used to specify which servers to use. If unspecified, any DH...

Page 239: ... this value. Maximum clients: Optional setting used to specify the maximum number of clients (IPs) allowed in the pool. Sender IP: This is the source IP to use when communicating with the DHCP server. Memory Allocation for Prefetched Leases. As mentioned in the previous section, the Prefetched Leases option specifies the size of the cache of leases which is maintained by NetDefendOS. This cache provides fas...

Page 240: ... 10.14.1 with 10 prefetched leases. It is assumed that this IP address is already defined in the address book as an IP object called ippool_dhcp. Command Line Interface: gw-world:/> add IPPool ip_pool_1 DHCPServerType=ServerIP ServerIP=ippool_dhcp PrefetchLeases=10. Web Interface: 1. Go to Objects > IP Pools > Add > IP Pool. 2. Now enter Name: ip_pool_1. 3. Select Specify DHCP Server Address. 4. Add ippool_dhcp to the ...

Page 242: ...which is known as the Default Access Rule. This default rule is not really a true rule but operates by checking the validity of incoming traffic by performing a reverse lookup in the NetDefendOS routing tables. This lookup validates that the incoming traffic is coming from a source that the routing tables indicate is accessible via the interface on which the traffic arrived. If this reverse lookup fa...

Page 243: ...t is NOT allowed. Any outgoing traffic with a source IP address belonging to an outside untrusted network is NOT allowed. The first point prevents an outsider from using a local host's address as its source address. The second point prevents any local host from launching the spoof. 6.1.3. Access Rule Settings. The configuration of an access rule is similar to other types of rules. It contains: Filtering F...

Page 244: ...is always advisable to check Access Rules when troubleshooting puzzling problems, in case a rule is preventing some other function, such as VPN tunnel establishment, from working properly. Example 6.1. Setting up an Access Rule. A rule is to be defined that ensures no traffic with a source address not within the lannet network is received on the lan interface. Command Line Interface: gw-world:/> add Access N...

Page 245: ...transfer and multimedia transfer. ALGs provide higher security than packet filtering since they are capable of scrutinizing all traffic for a specific protocol and perform checks at the higher levels of the TCP/IP stack. ALGs exist for the following protocols in NetDefendOS: HTTP, FTP, TFTP, SMTP, POP3, SIP, H.323, TLS. Deploying an ALG. Once a new ALG object is defined by the administrator, it is brought into...

Page 246: ...b browser sends a request by establishing a TCP/IP connection to a known port (usually port 80) on a remote server. The server answers with a response string followed by a message of its own. That message might be, for example, an HTML file to be shown in the Web browser, or an ActiveX component to be executed on the client, or perhaps an error message. The HTTP protocol has particular issues associated wi...

Page 247: ...contents is dropped by NetDefendOS on the assumption that it can be a security threat. 2. Allow/Block Selected Types. This option operates independently of the MIME verification option described above but is based on the predefined filetypes listed in Appendix C, Verified MIME filetypes. When enabled, the feature operates in either a Block Selected or an Allow Selected mode. These two modes function as f...

Page 248: ...ltering (if enabled). 4. Anti-virus scanning (if enabled). As described above, if a URL is found on the whitelist then it will not be blocked even if it is also found on the blacklist. If it is enabled, Anti-virus scanning is always applied even though a URL is whitelisted. If it is enabled, Web content filtering is still applied to whitelisted URLs but, instead of being blocked, flagged URLs are only logged. If it is ena...

Page 249: ... Normally, the client needs to authenticate itself by providing a predefined login and password. After granting access, the server will provide the client with a file/directory listing from which it can download/upload files (depending on access rights). The FTP ALG is used to manage FTP connections through the NetDefend Firewall. FTP Connections. FTP uses two communication channels, one for control comman...

Page 250: ... of the FTP command channel and examining its contents. By doing this, the NetDefendOS knows what port to open for the data channel. Furthermore, the FTP ALG also provides functionality to filter out certain control commands and provide buffer overrun protection. Hybrid Mode. An important feature of the NetDefendOS FTP ALG is its automatic ability to perform on-the-fly conversion between active and pass...

Page 251: ...specified with this option. The client will be allowed to connect to any of these if the server is using passive mode. The default range is 1024-65535. These options can determine if hybrid mode is required to complete the connection. For example, if the client connects with passive mode but this is not allowed to the server, then hybrid mode is automatically used and the FTP ALG performs the conversion...

Page 252: ...e frequency of commands can be useful. The default limit is 20 commands per second. Allow 8-bit strings in control channel: The option determines if 8-bit characters are allowed in the control channel. Allowing 8-bit characters enables support for filenames containing international characters, for example accented or umlauted characters. Filetype Checking. The FTP ALG offers the same filetype verificatio...

Page 253: ...from a remote FTP server on the Internet, the server will not be blocked by ZoneDefense since it is outside of the configured network range. The virus is, however, still blocked by the NetDefend Firewall. B. Blocking infected servers. Depending on the company policy, an administrator might want to take an infected FTP server off-line to prevent local hosts and servers from being infected. In this scenario ...

Page 254: ... configuration is performed as follows. Web Interface. A. Define the ALG: The ALG ftp-inbound is already predefined by NetDefendOS, but in this example we will show how it can be created from scratch. 1. Go to Objects > ALG > Add > FTP ALG. 2. Enter Name: ftp-inbound. 3. Check Allow client to use active mode. 4. Uncheck Allow server to use passive mode. 5. Click OK. B. Define the Service: 1. Go to Objects > Services > Add > TCP ...

Page 255: ...nternal (assume this internal IP address for the FTP server has been defined in the address book object). 6. New Port: 21. 7. Click OK. D. Traffic from the internal interface needs to be NATed through a single public IP address. 1. Go to Rules > IP Rules > Add > IPRule. 2. Now enter: Name: NAT-ftp; Action: NAT; Service: ftp-inbound-service. 3. For Address Filter enter: Source Interface: dmz; Destination Interface: core; Source Netwo...

Page 256: ... use active mode FTP ALG option, so clients can only use passive mode. This is much safer for the client. Enable the Allow server to use passive mode FTP ALG option. This allows clients on the inside to connect to FTP servers that support active and passive mode across the Internet. The configuration is performed as follows. Web Interface. A. Create the FTP ALG: The ALG ftp-outbound is already predefined b...

Page 257: ...lowing the same kind of ports/traffic before these rules. The service used here is the ftp-outbound-service, which should be using the predefined ALG definition ftp-outbound, which is described earlier. 1. Go to Rules > IP Rules > Add > IPRule. 2. Now enter: Name: Allow-ftp-outbound; Action: Allow; Service: ftp-outbound-service. 3. For Address Filter enter: Source Interface: lan; Destination Interface: wan; Source Network ...

Page 258: ...impler version of FTP with more limited capabilities. Its purpose is to allow a client to upload files to or download files from a host system. TFTP data transport is based on the UDP protocol and therefore it supplies its own transport and session control protocols which are layered onto UDP. TFTP is widely used in enterprise environments for updating software and backing up configurations on networ...

Page 259: ...al server (this setup is illustrated later in Section 6.2.5.1, Anti-Spam Filtering). Local users will then use email client software to retrieve their email from the local SMTP server. SMTP is also used when clients are sending email and the SMTP ALG can be used to monitor SMTP traffic originating from both clients and servers. SMTP ALG Options. Key features of the SMTP ALG are: Email rate limiting: A maxi...

Page 260: ... This same option is also available in the HTTP ALG and a fuller description of how it works can be found in Section 6.2.2, The HTTP ALG. Anti-Virus scanning: The NetDefendOS Anti-Virus subsystem can scan email attachments searching for malicious code. Suspect files ca...

Page 261: ...ined in RFC 1869 and allows a number of extensions to the standard SMTP protocol. When an SMTP client opens a session with an SMTP server using ESMTP, the client first sends an EHLO command. If the server supports ESMTP, it will respond with a list of the extensions that it supports. These extensions are defined by various separate RFCs. For example, RFC 2920 defines the SMTP Pipelining extension. Another co...

Page 262: ...lly configured. It is possible to manually configure certain hosts and servers to be excluded from being blocked by adding them to the ZoneDefense Exclude List. When a client tries to send an email infected with a virus, the virus is blocked and ZoneDefense isolates the host from the rest of the network. The steps to setting up ZoneDefense with the SMTP ALG are: Configure the ZoneDefense switches to be...

Page 263: ...ack List (DNSBL) databases and the information is accessible using a standardized query method supported by NetDefendOS. The image below illustrates all the components involved. DNSBL Server Queries. When the NetDefendOS Anti-Spam filtering function is configured, the IP address of the email's sending server is sent to one or more DNSBL servers to find out if any DNSBL servers think the email is from a ...

Page 264: ...hold in this example is set at 7, then all three DNSBL servers would have to respond in order for the calculated sum to cause the email to be dropped (3+2+2=7). Alternative Actions for Dropped Spam. If the calculated sum is greater than or equal to the Drop threshold value then the email is not forwarded to the intended recipient. Instead, the administrator can choose one of two alternatives for dropped ...

Page 265: ... out, then NetDefendOS will consider that the query has failed and the weight given to that server will be automatically subtracted from both the Spam and Drop thresholds for the scoring calculation done for that email. If enough DNSBL servers do not respond then this subtraction could mean that the threshold values become negative. Since the scoring calculation will always produce a value of zero or...

Page 266: ...or dropping mail. The Spam Threshold should be less than the Drop Threshold. If the two are equal then only the Drop Threshold applies. Specify a textual tag to prefix to the Subject field of email designated as Spam. Optionally specify an email address to which dropped email will be sent as an alternative to simply discarding it. Optionally specify that the TXT messages sent by the DNSBL servers that ...

Page 267: ...t my_smtp_alg active 156 65 34299; alt_smtp_alg inactive 0 0 0. The show option provides a summary of the Spam filtering operation of a specific ALG. It is used below to examine activity for my_smtp_alg, although in this case the ALG object has not yet processed any emails: gw-world:/> dnsbl my_smtp_alg show. Drop Threshold: 20; Spam Threshold: 10; Use TXT records: yes; IP Cache: disabled; Configured BlackLists: 4 ...

Page 268: ...username does not exist. This prevents users from trying different usernames until they find a valid one. Allow Unknown Commands: Non-standard POP3 commands not recognized by the ALG can be allowed or disallowed. Fail Mode: When content scanning finds bad file integrity then the file can be allowed or disallowed. Verify MIME type: The content of an attached file can be checked to see if it agrees with its...

Page 269: ...dress on the firewall. This first connection will be successful, but when the second client B also tries to connect to the same server C at the same endpoint IP address, the first connection for A will be lost. The reason is that both clients are trying to establish a PPTP tunnel from the same external IP address to the same endpoint. Figure 6.6. PPTP ALG Usage. The PPTP ALG solves this problem. By using ...

Page 270: ...escriptive name for the ALG. Echo timeout: Idle timeout for Echo messages in the PPTP tunnel. Idle timeout: Idle timeout for user traffic messages in the PPTP tunnel. In most cases only the name needs to be defined and the other settings can be left at their defaults. 6.2.8. The SIP ALG. Session Initiation Protocol (SIP) is an ASCII (UTF-8) text based signalling protocol used to establish sessions between cli...

Page 271: ... by NetDefendOS. Registrars: A server that handles SIP REGISTER requests is given the special name of Registrar. The Registrar server has the task of locating the host where the other client is reachable. The Registrar and Proxy Server are logical entities and may in fact reside on the same physical server. SIP Media-related Protocols. A SIP session makes use of a number of protocols. These are: SDP (Sessi...

Page 272: ...ays the INVITE message to the called client. Once the two clients have learnt of each other's IP addresses, they can communicate directly with each other and remaining SIP messages can bypass the proxies. This facilitates scaling since proxies are used only for the initial SIP message exchange. The disadvantage of removing proxies from the session is that NetDefendOS IP rules must be set up to allow a...

Page 273: ...efend Firewall and a client which is on the external, unprotected side. The SIP proxy is located on the local, protected side of the NetDefend Firewall and can handle registrations from both clients located on the same local network as well as clients on the external, unprotected side. Communication can take place across the public Internet or between clients on the local network. Scenario 3: Protecting ...

Page 274: ...d have Destination Port set to 5060 (the default SIP signalling port), Type set to TCP/UDP. 3. Define two rules in the IP rule set: A NAT rule for outbound traffic from clients on the internal network to the SIP Proxy Server located externally. The SIP ALG will take care of all address translation needed by the NAT rule. This translation will occur both on the IP level and the application level. Neither th...

Page 275: ...NAT is used are shown in parentheses. Action | Src Interface | Src Network | Dest Interface | Dest Network: Allow (or NAT) | lan | lannet | wan | ip_proxy; Allow | wan | ip_proxy | lan (or core) | lannet (or wan_ip). Without the Record Route option enabled, the IP rules would be as shown below (the changes that apply when NAT is used are again shown in parentheses). Action | Src Interface | Src Network | Dest Interface | Dest Network: Allow (or...

Page 276: ...AT rule. This translation will occur both on the IP level and the application level. Neither the clients nor the proxies need to be aware that the local clients are being NATed. If Record Route is enabled on the SIP proxy, the source network of the NAT rule can include only the SIP proxy and not the local clients. A SAT rule for redirecting inbound SIP traffic to the private IP address of the NATed loca...

Page 277: ...y Clients | Allow | lan | lannet (ip_proxy) | wan | all-nets; InboundTo Proxy Clients | Allow | wan | all-nets | lan | lannet (ip_proxy). If Record Route is enabled then the networks in the above rules can be further restricted by using ip_proxy as indicated. Scenario 3: Protecting proxy and local clients (Proxy on the DMZ interface). This scenario is similar to the previous, but the major difference is the location of the local...

Page 278: ...MZ. The IP address of the DMZ interface must be a globally routable IP address. This address can be the same address as the one used on the external interface. The setup steps are as follows: 1. Define a single SIP ALG object using the options described above. 2. Define a Service object which is associated with the SIP ALG object. The service should have Destination Port set to 5060 (the default SIP signal...

Page 279: ...vel. An Allow rule for inbound SIP traffic from, for example, the Internet to the IP address of the DMZ interface. The reason for this is because local clients will be NATed using the IP address of the DMZ interface when they register with the proxy located on the DMZ. This rule has core as the destination interface, in other words NetDefendOS itself. When an incoming call is received, NetDefendOS uses th...

Page 280: ...etwork. The IP rules with Record Route enabled are: Action | Src Interface | Src Network | Dest Interface | Dest Network: OutboundToProxy | Allow | lan | lannet | dmz | ip_proxy; OutboundFromProxy | Allow | dmz | ip_proxy | lan | lannet; InboundFromProxy | Allow | dmz | ip_proxy | core | dmz_ip; InboundToProxy | Allow | wan | all-nets | dmz | ip_proxy. With Record Route disabled, the following IP rules must be added to those above: Action | Src Interface ...

Page 281: ...ablish a connection between two H.323 endpoints. This call signal channel is opened between two H.323 endpoints or between a H.323 endpoint and a gatekeeper. For communication between two H.323 endpoints, TCP 1720 is used. When connecting to a gatekeeper, UDP port 1719 (H.225 RAS messages) is used. H.245 Media Control and Transport: Provides control of multimedia sessions established between two H.323 end...

Page 282: ...p. Translate Logical Channel Addresses: This would normally always be set. If not enabled then no address translation will be done on logical channel addresses and the administrator needs to be sure about IP addresses and routes used in a particular scenario. Gatekeeper Registration Lifetime: The gatekeeper registration lifetime can be controlled in order to force re-registration by clients within a ce...

Page 283: ...et; Destination Network: 0.0.0.0/0 (all-nets); Comment: Allow outgoing calls. 3. Click OK. Incoming Rule: 1. Go to Rules > IP Rules > Add > IPRule. 2. Now enter: Name: H323AllowIn; Action: Allow; Service: H323; Source Interface: any; Destination Interface: lan; Source Network: 0.0.0.0/0 (all-nets); Destination Network: lannet; Comment: Allow incoming calls. 3. Click OK. ...

Page 284: ... IP of the H.323 phone. Web Interface. Outgoing Rule: 1. Go to Rules > IP Rules > Add > IPRule. 2. Now enter: Name: H323Out; Action: NAT; Service: H323; Source Interface: lan; Destination Interface: any; Source Network: lannet; Destination Network: 0.0.0.0/0 (all-nets); Comment: Allow outgoing calls. 3. Click OK. Incoming Rules: 1. Go to Rules > IP Rules > Add > IPRule. 2. Now enter: Name: H323In; Action: SAT; Service: H323; Source Interface: any ...

Page 285: ...uires one external address. Example 6.6. Two Phones Behind Different NetDefend Firewalls. This scenario consists of two H.323 phones, each one connected behind the NetDefend Firewall on a network with public IP addresses. In order to place calls on these phones over the Internet, the following rules need to be added to the rule listings in both firewalls. Make sure there are no rules disallowing or allow...

Page 286: ...le set in the firewall. Make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules. As we are using private IPs on the phones, incoming traffic needs to be SATed as in the example below. The object ip-phone below should be the internal IP of the H.323 phone behind each firewall. Web Interface. Outgoing Rule: 1. Go to Rules > IP Rules > Add > IPRule. 2. Now enter: Name: H32...

Page 287: ...l IP address on the firewall. If multiple H.323 phones are placed behind the firewall, one SAT rule has to be configured for each phone. This means that multiple external addresses have to be used. However, it is preferable to use an H.323 gatekeeper as this only requires one external address. Example 6.8. H.323 with Gatekeeper. In this scenario a H.323 gatekeeper is placed in the DMZ of the NetDefend Fir...

Page 288: ...er located at ip-gatekeeper. 3. For SAT enter: Translate Destination IP Address; To New IP Address: ip-gatekeeper (IP address of gatekeeper). 4. Click OK. 1. Go to Rules > IP Rules > Add > IPRule. 2. Now enter: Name: H323In; Action: Allow; Service: H323-Gatekeeper; Source Interface: any; Destination Interface: core; Source Network: 0.0.0.0/0 (all-nets); Destination Network: wan_ip (external IP of the firewall); Comment: Allow incoming ...

Page 289: ...phones to call the external phones that are registered with the gatekeeper. Example 6.9. H.323 with Gatekeeper and two NetDefend Firewalls. This scenario is quite similar to scenario 3, with the difference that the NetDefend Firewall is protecting the external phones. The NetDefend Firewall with the Gatekeeper connected to the DMZ should be configured exactly as in scenario 3. The other NetDefend Firewa...

Page 290: ...keeper. Example 6.10. Using the H.323 ALG in a Corporate Environment. This scenario is an example of a more complex network that shows how the H.323 ALG can be deployed in a corporate environment. At the head office DMZ a H.323 Gatekeeper is placed that can handle all H.323 clients in the head, branch and remote offices. This will allow the whole corporation to use the network for both voice communicati...

Page 291: ...Now enter: Name: LanToGK; Action: Allow; Service: H323-Gatekeeper; Source Interface: lan; Destination Interface: dmz; Source Network: lannet; Destination Network: ip-gatekeeper; Comment: Allow H.323 entities on lannet to connect to the Gatekeeper. 3. Click OK. 1. Go to Rules > IP Rules > Add > IPRule. 2. Now enter: Name: LanToGK; Action: Allow; Service: H323-Gatekeeper. ...

Page 292: ...et. 3. Click OK. 1. Go to Rules > IP Rules > Add > IPRule. 2. Now enter: Name: BranchToGW; Action: Allow; Service: H323-Gatekeeper; Source Interface: vpn-branch; Destination Interface: dmz; Source Network: branch-net; Destination Network: ip-gatekeeper, ip-gateway; Comment: Allow communication with the Gatekeeper on DMZ from the Branch network. 3. Click OK. 1. Go to Rules > IP Rules > Add > IPRule. 2. Now enter: Name: BranchToGW; Action: All...

Page 293: ... to the Head Office DMZ. 3. Click OK. Example 6.12. Allowing the H.323 Gateway to register with the Gatekeeper. The branch office NetDefend Firewall has a H.323 Gateway connected to its DMZ. In order to allow the Gateway to register with the H.323 Gatekeeper at the Head Office, the following rule has to be configured. Web Interface: 1. Go to Rules > IP Rules > Add > IPRule. 2. Now enter: Name: GWToGK; Action: Allow; Ser...

Page 294: ...he Relationship with SSL. TLS is a successor to the Secure Sockets Layer (SSL) but the differences are slight. Therefore, for most purposes, TLS and SSL can be regarded as equivalent. In the context of the TLS ALG, we can say that the NetDefend Firewall is providing SSL termination since it is acting as an SSL end-point. Regarding the SSL and TLS standards supported, NetDefendOS provides termination support...

Page 295: ...TLS can be offloaded to the NetDefend Firewall. This is sometimes referred to as SSL acceleration. Any processing advantages that can be achieved can, however, vary and will depend on the comparative processing capabilities of the servers and the NetDefend Firewall. Decrypted TLS traffic can be subject to other NetDefendOS features such as traffic shaping or looking for server threats with IDP scann...

Page 296: ...olution to this issue is for the servers to use relative URLs instead of absolute ones. Cipher Suites Supported by NetDefendOS TLS. NetDefendOS TLS supports the following cipher suites: 1. TLS_RSA_WITH_3DES_EDE_CBC_SHA; 2. TLS_RSA_WITH_RC4_128_SHA; 3. TLS_RSA_WITH_RC4_128_MD5; 4. TLS_RSA_EXPORT_WITH_RC4_56_SHA (certificate key size up to 1024 bits); 5. TLS_RSA_EXPORT_WITH_RC4_40_MD5 (certificate key size up to 1...

Page 297: ...ration effort and has very high accuracy. Note: Enabling WCF. All Web Content Filtering is enabled via the HTTP ALG, which is described in Section 6.2.2, The HTTP ALG. 6.3.2. Active Content Handling. Some web content can contain malicious code designed to harm the workstation or the network from where the user is surfing. Typically, such code is embedded into various types of objects or files which are embe...

Page 298: ...o target specific web sites and make the decision as to whether they should be blocked or allowed. Static and Dynamic Filter Ordering. Additionally, Static Content Filtering takes place before Dynamic Content Filtering (described below), which allows the possibility of manually making exceptions from the automatic dynamic classification process. In a scenario where goods have to be purchased from a parti...

Page 299: ...ts users from downloading .exe files. However, the D-Link website provides secure and necessary program files which should be allowed to download. Command Line Interface: Start by adding an HTTP ALG in order to filter HTTP traffic: gw-world:/> add ALG ALG_HTTP content_filtering. Then create a HTTP ALG URL to set up a blacklist: gw-world:/> cc ALG ALG_HTTP content_filtering; gw-world:/content_filtering> add ALG_HTT...

Page 300: ...are already classified and grouped into a variety of categories such as shopping, news, sport, adult-oriented and so on. The Dynamic WCF URL databases are updated almost hourly with new categorized URLs while, at the same time, older invalid URLs are dropped. The scope of the URLs in the databases is global, covering websites in many different languages and hosted on servers located in many different coun...

Page 301: ...work are treated as anonymous submissions and no record of the source of new submissions is kept. Categorizing Pages and Not Sites. NetDefendOS dynamic filtering categorizes web pages and not sites. In other words, a web site may contain particular pages that should be blocked without blocking the entire site. NetDefendOS provides blocking down to the page level so that users may still access parts of ...

Page 302: ...d typically this is because NetDefendOS is unable to reach the external databases to perform URL lookup. Fail mode can have one of two settings: Deny: If WCF is unable to function then URLs are denied if external database access to verify them is not possible. The user will see an "Access denied" web page. Allow: If the external WCF database is not accessible, URLs are allowed even though they might be dis...

Page 303: ...earch site, for example www.google.com. 3. If everything is configured correctly, the web browser will present a web page that informs the user that the requested site is blocked. Audit Mode. In Audit Mode, the system will classify and log all surfing according to the content filtering policy, but restricted web sites will still be accessible to the users. This means the content filtering feature of ...

Page 304: ... gambling web sites, he will not be able to do his job. For this reason, NetDefendOS supports a feature called Allow Override. With this feature enabled, the content filtering component will present a warning to the user that he is about to enter a web site that is restricted according to the corporate policy, and that his visit to the web site will be logged. This page is known as the restricted site no...

Page 305: ...ategories=SEARCH_SITES AllowReclassification=Yes. Then continue setting up the service object and modifying the NAT rule as we have done in the previous examples. Web Interface. First create an HTTP Application Layer Gateway (ALG) Object: 1. Go to Objects > ALG > Add > HTTP ALG. 2. Specify a suitable name for the ALG, for example content_filtering. 3. Click the Web Content Filtering tab. 4. Select Enabled in the Mode...

Page 306: ...ight be www.newsunlimited.com, www.dailyscoop.com. Category 3: Job Search. A web site may be classified under the Job Search category if its content includes facilities to search for or submit online employment applications. This also includes resume writing and posting and interviews, as well as staff recruitment and training services. Examples might be www.allthejobs.com, www.yourcareer.com. Category 4: G...

Page 307: ...4), Chatrooms (8), Game Sites (10), Sports (16), Clubs and Societies (22) and Music Downloads (23). Examples might be www.celebnews.com, www.hollywoodlatest.com. Category 8: Chatrooms. A web site may be classified under the Chatrooms category if its content focuses on or includes real-time on-line interactive discussion groups. This also includes bulletin boards, message boards, online forums, discussion groups, as well a...

Page 308: ...e Investment related content refer to the Investment Sites category (11). Examples might be www.nateast.co.uk, www.borganfanley.com. Category 13: Crime/Terrorism. A web site may be classified under the Crime/Terrorism category if its content includes the description, promotion or instruction in criminal or terrorist activities, cultures or opinions. Examples might be www.beatthecrook.com. Category 14: Persona...

Page 309: ...iction of violent acts, as well as web sites that have undesirable content and may not be classified elsewhere. Examples might be www.itstinks.com, www.ratemywaste.com. Category 19: Malicious. A web site may be classified under the Malicious category if its content is capable of causing damage to a computer or computer environment, including malicious consumption of network bandwidth. This category also i...

Page 310: ... com. Category 24: Business Oriented. A web site may be classified under the Business Oriented category if its content is relevant to general day-to-day business or proper functioning of the Internet, for example Web browser updates. Access to web sites in this category would in most cases not be considered unproductive or inappropriate. Category 25: Government Blocking List. This category is populated by...

Page 311: ...nks.com. Category 29: Computing/IT. A web site may be classified under the Computing/IT category if its content includes computing related information or services. Examples might be www.purplehat.com, www.gnu.org. Category 30: Swimsuit/Lingerie Models. A web site may be categorized under the Swimsuit/Lingerie Models category if its content includes information pertaining to, or images of, swimsuit/lingerie ...

Page 312: ...iles object. These new files can then be edited and uploaded back to NetDefendOS. The original Default object cannot be edited. The following example goes through the necessary steps. Example 6.18. Editing Content Filtering HTTP Banner Files. This example shows how to modify the contents of the URL forbidden HTML page. Web Interface: 1. Go to Objects > HTTP Banner files > Add > ALG Banner Files. 2. Enter a name su...

Page 313: ...ing SCP. It is uploaded to the object type HTTPALGBanner and the object mytxt with the property name URLForbidden. If the edited URLForbidden local file is called my.html then, using the OpenSSH SCP client, the upload command would be: scp my.html admin@10.5.62.11:HTTPAuthBanners/mytxt/URLForbidden. The usage of SCP clients is explained further in Section 2.1.6, Secure Copy. 4. Using the CLI, the relevant H...

Page 314: ...importantly, it can act as a backup for when local client antivirus scanning is not available. Enabling Through ALGs. NetDefendOS Anti-Virus is enabled on a per-ALG basis. It is available for file downloads associated with the following ALGs and is enabled in the ALGs themselves: The HTTP ALG; The FTP ALG; The POP3 ALG; The SMTP ALG. Note: Anti-Virus is not available on all NetDefend models. Anti-Virus scann...

Page 315: ...ept of ordering is not relevant since the two scanning processes can occur simultaneously and operate at different protocol levels. If IDP is enabled, it scans all packets designated by a defined IDP rule and does not take notice of higher level protocols, such as HTTP, that generate the packet streams. However, Anti-virus is aware of the higher level protocol and only looks at the data involved in file...

Page 316: ...Virus Options When configuring Anti Virus scanning in an ALG the following parameters can be set 1 General options Mode This must be one of i Disabled Anti Virus is switched off ii Audit Scanning is active but logging is the only action iii Protect Anti Virus is active Suspect files are dropped and logged Fail mode behavior If a virus scan fails for any reason then the transfer can be dropped or a...

Page 317: ... contain image data of that type Some viruses can try to hide inside files by using a misleading file type A file might pretend to be a gif file but the file s data will not match that type s data pattern because it is infected with a virus Enabling of this function is recommended to make sure this form of attack cannot allow a virus to get through The possible MIME types that can be checked are l...

Page 318: ...m a remote FTP server over the Internet NetDefendOS detects this and stops the file transfer At this point NetDefendOS has blocked the infected file from reaching the internal network Hence there would be no use in blocking the remote FTP server at the local switches since NetDefendOS has already stopped the virus Blocking the server s IP address would only consume blocking entries in the switches...

Page 319: ...irus 3 Select the TCP in the Type dropdown list 4 Enter 80 in the Destination Port textbox 5 Select the HTTP ALG just created in the ALG dropdown list 6 Click OK C Finally modify the NAT rule called NATHttp in this example to use the new service 1 Go to Rules IP Rules 2 Select the NAT rule handling the traffic between lannet and all nets 3 Click the Service tab 4 Select the new service http_anti_v...

Page 320: ...It operates by monitoring network traffic as it passes through the NetDefend Firewall, searching for patterns that indicate an intrusion is being attempted. Once detected, NetDefendOS IDP allows steps to be taken to neutralize both the intrusion attempt as well as its source. IDP Issues. In order to have an effective and reliable IDP system, the following issues have to be addressed: 1. What kinds of traf...

Page 321: ...ard subscription is for 12 months and provides automatic IDP signature database updates. This IDP option is available for all D-Link NetDefend models, including those that don't come as standard with Maintenance IDP. Maintenance IDP can be viewed as a restricted subset of Advanced IDP and the following sections describe how the Advanced IDP option functions. Subscribing to the D-Link Advanced IDP Serv...

Page 322: ...ew database updates. If a new database update becomes available, the sequence of events will be as follows: 1. The active unit determines there is a new update and downloads the required files for the update. 2. The active unit performs an automatic reconfiguration to update its database. 3. This reconfiguration causes a failover so the passive unit becomes the active unit. 4. When the update is completed t...

Page 323: ...in the upper text box is equivalent to the way signatures are specified when using the CLI to define an IDP rule. HTTP Normalization. Each IDP rule has a section of settings for HTTP normalization. This allows the administrator to choose the actions that should be taken when IDP finds inconsistencies in the URIs embedded in incoming HTTP requests. Some server attacks are based on creating URIs with se...

Page 324: ...e the option Protect against Insertion/Evasion attack. An Insertion/Evasion Attack is a form of attack which is specifically aimed at evading IDP mechanisms. It exploits the fact that in a TCP/IP data transfer, the data stream must often be reassembled from smaller pieces of data because the individual pieces either arrive in the wrong order or are fragmented in some way. Insertions or Evasions are de...

Page 325: ...e prudent while the false positive causes are investigated. 6.5.5. IDP Pattern Matching. Signatures. In order for IDP to correctly identify an attack, it uses a profile of indicators, or pattern, associated with different types of attack. These predefined patterns, also known as signatures, are stored in a local NetDefendOS database and are used by the IDP module to analyze traffic for attack patterns. Each ...

Page 326: ...h as file sharing applications and instant messaging. 6.5.6. IDP Signature Groups. Using Groups. Usually several lines of attacks exist for a specific protocol and it is best to search for all of them at the same time when analyzing network traffic. To do this, signatures related to a particular protocol are grouped together. For example, all signatures that refer to the FTP protocol form a group. It is be...

Page 327: ...an be used to wildcard for any set of characters of any length in a group name. Caution: Use the minimum IDP signatures necessary. Do not use the entire signature database and avoid using signatures and signature groups unnecessarily. Instead, use only those signatures or groups applicable to the type of traffic being protected. For example, using only the IDP groups IDS_WEB, IPS_WEB, IDS_HTTP and IPS_HTTP...

Page 328: ...ndOS will wait for Minimum Repeat Time seconds before sending a new email. The IP Address of SMTP Log Receivers is Required. When specifying an SMTP log receiver, the IP address of the receiver must be specified. A domain name such as dns:smtp.domain.com cannot be used. Example 6.20. Configuring an SMTP Log Receiver. In this example, an IDP Rule is configured with an SMTP Log Receiver. Once an IDP event oc...

Page 329: ...is exposed to the Internet on the DMZ network with a public IP address. The public Internet can be reached through the firewall on the WAN interface, as illustrated below. An IDP rule called IDPMailSrvRule will be created and the Service to use is the SMTP service. Source Interface and Source Network define where traffic is coming from, in this example the external network. The Destination Interface an...

Page 330: ...ation Network: ip_mailserver. Click OK. Specify the Action. An action is now defined, specifying what signatures the IDP should use when scanning data matching the rule and what NetDefendOS should do when a possible intrusion is detected. In this example, intrusion attempts will cause the connection to be dropped, so Action is set to Protect. The Signatures option is set to IPS_MAIL_SMTP in order to use si...

Page 331: ...he ID 68343, the CLI in the above example would become: gw-world:/IDPMailSrvRule> add IDPRuleAction Action=Protect IDPServity=All Signatures=68343. To specify a list which also includes signatures 68345 and 68349: gw-world:/IDPMailSrvRule> add IDPRuleAction Action=Protect IDPServity=All Signatures=68343,68345,68349. Individual signatures are entered in a similar way when using the Web Interface. 6.5.8. SMTP ...

Page 332: ...jammed Internet connections and business critical systems in overload. This section deals with using NetDefend Firewalls to protect organizations against these attacks. 6.6.2. DoS Attack Mechanisms. A DoS attack can be perpetrated in a number of ways but there are three basic types of attack: Consumption of computational resources, such as bandwidth, disk space or CPU time. Disruption of configuration inf...

Page 333: ... turn generates yet another response to itself, etc. This will either bog the victim's machine down or make it crash. The attack is accomplished by using the victim's IP address in the source field of an IP packet as well as in the destination field. NetDefendOS protects against this attack by applying IP spoofing protection to all packets. In its default configuration it will simply compare arriving p...

Page 334: ...as masses of dropped ICMP Echo Reply packets. The source IP addresses will be those of the amplifier networks used. Fraggle attacks will show up in NetDefendOS logs as masses of dropped or allowed (depending on policy) packets. The source IP addresses will be those of the amplifier networks used. Avoiding Becoming an Amplifier. Even though the brunt of the bandwidth stream is at the ultimate victim's sid...

Page 335: ...appens. When the state table fills up, old outstanding SYN connections will be the first to be dropped to make room for new connections. Spotting SYN Floods. TCP SYN flood attacks will show up in NetDefendOS logs as excessive amounts of new connections (or drops, if the attack is targeted at a closed port). The sender IP address is almost invariably spoofed. ALGs Automatically Provide Flood Protection. It s...

Page 336: ...ese attacks typically exhaust bandwidth, router processing capacity or network stack resources, breaking network connectivity to the victims. Although recent DDoS attacks have been launched from both private corporate and public institutional systems, hackers tend to often prefer university or institutional networks because of their open, distributed nature. Tools used to launch DDoS attacks include Tri...

Page 337: ...only this Service. By default, Blacklisting blocks all services for the triggering host. Exempt already established connections from Blacklisting: If there are established connections that have the same source as this new Blacklist entry then they will not be dropped if this option is set. IP addresses or networks are added to the list, then the traffic from these sources is then blocked for the period ...

Page 338: ... look at, as well as manipulate, the current contents of the blacklist and the whitelist. The current blacklist can be viewed with the command: gw-world:/> blacklist -show -black. This blacklist command can be used to remove a host from the blacklist using the -unblock option. Example 6.22. Adding a Host to the Whitelist. In this example we will add an IP address object called white_ip to the whitelist. This wil...

Page 339: ...6.7. Blacklisting Hosts and Networks. Chapter 6. Security Mechanisms. 339 ...

Page 340: ...the public Internet. Security is increased by making it more difficult for intruders to understand the topology of the protected network. Address translation hides internal IP addresses, which means that an attack coming from the outside is much more difficult. Types of Translation. NetDefendOS supports two types of translation: Dynamic Network Address Translation (NAT); Static Address Translation (SAT). Appl...

Page 341: ...ess combination as its sender. NetDefendOS performs automatic translation of the source port number as well as the IP address. In other words, the source IP addresses for connections are all translated to the same IP address and the connections are distinguished from one another by the allocation of a unique port number to each connection. The diagram below illustrates the concept of NAT. Figure 7.1. NA...

Page 342: ...o have a matching ARP Publish entry configured for the outbound interface. Otherwise, the return traffic will not be received by the NetDefend Firewall. This technique might be used when the source IP is to differ based on the source of the traffic. For example, an ISP that is using NAT might use different IP addresses for different customers. Use an IP Address from a NAT Pool. A NAT Pool, which is a set ...

Page 343: ...Example. Example 7.1. Adding a NAT Rule. To add a NAT rule that will perform address translation for all HTTP traffic originating from the internal network, follow the steps outlined below. Command Line Interface. First, change the current category to be the main IP rule set: gw-world:/> cc IPRuleSet main. Now create the IP rule: gw-world:/main> add IPRule Action=NAT Service=http SourceInterface=lan SourceNetwor...

Page 344: ...nal servers using different IP protocols. Several internal machines can communicate with different external servers using the same IP protocol. Several internal machines can communicate with the same server using different IP protocols. Several internal machines can not communicate with the same external server using the same IP protocol. Note: Restrictions only apply to IP level protocols. These restri...

Page 345: ...fic is relayed between the firewall and the Internet, it is no longer encapsulated by PPTP. When an application such as a web server now receives requests from the client, it appears as though they are coming from the anonymizing service provider's external IP address and not the client's IP. The application therefore sends its responses back to the firewall, which relays the traffic back to the client...

Page 346: ...ns. Subsequent connections involving the same internal client host will then use the same external IP address. The advantage of the stateful approach is that it can balance connections across several external ISP links while ensuring that an external host will always communicate back to the same IP address, which will be essential with protocols such as HTTP when cookies are involved. The disadvantage...

Page 347: ...alancing is not part of this option, there should be spreading of the load across the external connections due to the random nature of the allocating algorithm. IP Pool Usage. When allocating external IP addresses to a NAT Pool, it is not necessary to explicitly state these. Instead, a NetDefendOS IP Pool object can be selected. IP Pools gather collections of IP addresses automatically through DHCP and c...

Page 348: ... OK. B. Next, create a stateful NAT Pool object called stateful_natpool: 1. Go to Objects > NAT Pools > Add > NAT Pool. 2. Now enter: Name: stateful_natpool; Pool type: stateful; IP Range: nat_pool_range. 3. Select the Proxy ARP tab and add the WAN interface. 4. Click OK. C. Now define the NAT rule in the IP rule set: 1. Go to Rules > IP Rules > Add > IP Rule. 2. Under General enter: Name: Enter a suitable name such as nat_pool_rule ...

Page 349: ...ers on the translated address given by the SAT rule. For example, if a SAT rule translates the destination from 1.1.1.1 to 2.2.2.2 then the second associated rule should allow traffic to pass to the destination 1.1.1.1 and not 2.2.2.2. Only after the second rule triggers to allow the traffic is the route lookup then done by NetDefendOS on the translated address to work out which interface the packets...

Page 350: ...er in a DMZ. In this example we will create a SAT policy that will translate and allow connections from the Internet to a web server located in a DMZ. The NetDefend Firewall is connected to the Internet using the wan interface, with address object wan_ip defined as 195.55.66.77 as IP address. The web server has the IP address 10.10.10.5 and is reachable through the dmz interface. Command Line Interface...

Page 351: ..._DMZ. 3. Now enter: Action: Allow; Service: http; Source Interface: any; Source Network: all-nets; Destination Interface: core; Destination Network: wan_ip. 4. Under the Service tab, select http in the Predefined list. 5. Click OK. The example results in the following two rules in the rule set: Action / Src Iface / Src Net / Dest Iface / Dest Net / Parameters: 1. SAT any all-nets core wan_ip http SETDEST 10.10.10.5:80; 2. Allow any...

Page 352: ...s the number of rules for each interface allowed to communicate with the web server. However, the rule ordering is unimportant, which may help avoid errors. If option 2 was selected, the rule set must be adjusted like this: Action / Src Iface / Src Net / Dest Iface / Dest Net / Parameters: 1. SAT any all-nets core wan_ip http SETDEST 10.10.10.5:80; 2. NAT lan lannet core wan_ip All; 3. Allow any all-nets core wan_ip ht...

Page 353: ... address in accordance with rule 1 and forwards the packet in accordance with rule 2: 10.0.0.3:1038 -> 10.0.0.2:80. wwwsrv processes the packet and replies: 10.0.0.2:80 -> 10.0.0.3:1038. This reply arrives directly to PC1 without passing through the NetDefend Firewall. This causes problems. The reason this will not work is because PC1 expects a reply from 195.55.66.77:80 and not 10.0.0.2:80. The unexpected rep...

Page 354: ...everal protected servers in a DMZ and where each server should be accessible using a unique public IP address. Example 7.5. Translating Traffic to Multiple Protected Web Servers. In this example we will create a SAT policy that will translate and allow connections from the Internet to five web servers located in a DMZ. The NetDefend Firewall is connected to the Internet using the wan interface and the...

Page 355: ...srv_pub. Web Interface. Create an address object for the public IP address: 1. Go to Objects > Address Book > Add > IP address. 2. Specify a suitable name for the object, for example wwwsrv_pub. 3. Enter 195.55.66.77-195.55.66.81 as the IP Address. 4. Click OK. Now create another address object for the base of the web server IP addresses: 1. Go to Objects > Address Book > Add > IP address. 2. Specify a suitable name for t...

Page 356: ...wwwsrv_pub. 4. Click OK. 7.4.3. All-to-One Mappings (N:1). NetDefendOS can be used to translate ranges and/or groups into just one IP address. Action / Src Iface / Src Net / Dest Iface / Dest Net / Parameters: 1. SAT any all-nets wan 194.1.2.16-194.1.2.20, 194.1.2.30 http SETDEST all-to-one 192.168.0.50:80. This rule produces a N:1 translation of all addresses in the group (the range 194.1.2.16-194.1.2.20 plus 194.1.2.3...

Page 357: ...e TCP or UDP level data and subsequently requires that, in some way or another, the addresses visible on IP level are the same as those embedded in the data. Examples of this include FTP and logons to NT domains via NetBIOS. Either party is attempting to open new dynamic connections to the addresses visible to that party. In some cases this can be resolved by modifying the application or the firewall c...

Page 358: ...tic address translation using FwdFast rules to a web server located on an internal network. Action / Src Iface / Src Net / Dest Iface / Dest Net / Parameters: 1. SAT any all-nets core wan_ip http SETDEST wwwsrv:80; 2. SAT lan wwwsrv any all-nets 80 -> All SETSRC wan_ip:80; 3. FwdFast any all-nets core wan_ip http; 4. FwdFast lan wwwsrv any all-nets 80 -> All. We now add a NAT rule to allow connections from the internal net...

Page 359: ...srv any all-nets 80 -> All SETSRC wan_ip:80; 3. FwdFast lan wwwsrv any all-nets 80 -> All; 4. NAT lan lannet any all-nets All; 5. FwdFast lan wwwsrv any all-nets 80 -> All. External traffic to wan_ip:80 will match rules 1 and 5 and will be sent to wwwsrv. Return traffic from wwwsrv:80 will match rules 2 and 3. Internal traffic to wan_ip:80 will match rules 1 and 4 and will be sent to wwwsrv. The sender address will ...

Page 360: ...7.4.7. SAT and FwdFast Rules. Chapter 7. Address Translation. 360 ...

Page 361: ...t such as a biometric reader. Another problem with A is that the special attribute often cannot be replaced if it is lost. Methods B and C are therefore the most common means of identification in network security. However, these have drawbacks: keys might be intercepted, passcards might be stolen, passwords might be guessable, or people may simply be bad at keeping a secret. Methods B and C are therefore s...

Page 362: ...ain secure, passwords should also: Not be recorded anywhere in written form. Never be revealed to anyone else. Be changed on a regular basis, such as every three months. 8.1. Overview. Chapter 8. User Authentication. 362 ...

Page 363: ...etail. These are: Section 8.2.2, The Local Database; Section 8.2.3, External RADIUS Servers; Section 8.2.4, External LDAP Servers; Section 8.2.5, Authentication Rules. 8.2.2. The Local Database. The Local User Database is a built-in registry inside NetDefendOS which contains the profiles of authorized users and user groups. Usernames and passwords can be entered into this database through the Web Interface or ...

Page 364: ...r users with fixed IP addresses. Network behind user: If a network is specified for this user then, when the user connects, a route is automatically added to the NetDefendOS main routing table. The existence of this added route means that any traffic destined for the specified network will be correctly routed through the user's PPTP/L2TP tunnel. When the connection to the user ends, the route is automat...

Page 365: ...ocesses the requests and sends back a RADIUS message to accept or deny them. One or more external servers can be defined in NetDefendOS. RADIUS Security. To provide security, a common shared secret is configured on both the RADIUS client and the server. This secret enables encryption of the messages sent from the RADIUS client to the server and is commonly configured as a relatively long text string. Th...

Page 366: ...cial consideration with Active Directory and that is the Name Attribute. This should be set to SAMAccountName. Defining an LDAP Server. One or more named LDAP server objects can be defined in NetDefendOS. These objects tell NetDefendOS which LDAP servers are available and how to access them. Defining an LDAP server to NetDefendOS is sometimes not straightforward because some LDAP server software may no...

Page 367: ...countName, which is NOT case sensitive. When looking at the details of a user in Active Directory, the value for the user logon name is defined in the SAMAccountName field under the Account tab. Note: The LDAP server database determines the correct value. This is an attribute tuple and the LDAP server's database schema definitions determine the correct ID to use. Retrieve Group Membership: This option sp...

Page 368: ...structure. The Base Object specifies where in this tree the relevant users are located. Specifying the Base Object has the effect of speeding up the search of the LDAP tree since only users under the Base Object will be examined. Important: The Base Object must be specified correctly. If the Base Object is specified incorrectly then this can mean that a user will not be found and authenticated if they ...

Page 369: ...s automatically configured to work using LDAP Bind Request Authentication. This means that authentication succeeds if a successful connection is made to the LDAP server. Individual clients are not distinguished from one another. LDAP server referrals should not occur with bind request authentication but, if they do, the server sending the referral will be regarded as not having responded. LDAP Server Resp...

Page 370: ...ects. LDAP servers used for certificate lookup are known as LDAPServer objects in the CLI. A specific LDAP server that is defined in NetDefendOS for authentication can be shown with the command: gw-world:/> show LDAPDatabase object_name. The entire contents of the database can be displayed with the command: gw-world:/> show LDAPDatabase. LDAP Authentication and PPP. When using a PPP based client for PPTP or L2...

Page 371: ...t will contain the password when it is sent back. This ID must be different from the default password attribute, which is usually userPassword for most LDAP servers. A suggestion is to use the description field in the LDAP database. In order for the server to return the password in the database field with the ID specified, the LDAP administrator must make sure that the plain text password is found ther...

Page 372: ...sword login sequence. Authentication Rules are set up in a way that is similar to other NetDefendOS security policies, by specifying which traffic is to be subject to the rule. They differ from other policies in that the connection's destination network/interface is not of interest, but only the source network/interface. Authentication Rule Parameters. An Authentication Rule has the following parameters...

Page 373: ...all connections that trigger this rule. Such connections will never be authenticated. Any Disallow rules are best located at the end of the authentication rule set. iv. Local: The local database defined within NetDefendOS is used for user lookup. v. Allow: This option allows all connections that trigger this rule. With this option, all connections that trigger this rule will be authenticated. No authenticati...

Page 374: ...ork and data which is one of the following types: HTTP traffic; HTTPS traffic; IPsec tunnel traffic; L2TP tunnel traffic; PPTP tunnel traffic. 3. If no rule matches, the connection is allowed, provided the IP rule set permits it, and nothing further happens in the authentication process. 4. Based on the settings of the first matching authentication rule, NetDefendOS prompts the user with an authentication requ...

Page 375: ...roup users to also be able to access the regular network, we could add a third rule to permit this: Action / Src Interface / Src Network / Dest Interface / Dest Network / Service: 1. Allow lan trusted_net int important_net All; 2. Allow lan trusted_net dmz regular_net All; 3. Allow int untrusted_net dmz regular_net All. 8.2.8. HTTP Authentication. Where users are communicating through a web browser using the HTTP prot...

Page 376: ... activity but we cannot just use lannet as the source network since the rule would trigger for any unauthenticated client from that network. Instead, the source network is an administrator defined IP object called trusted_users which is the same network as lannet but additionally has either the Authentication option No Defined Credentials enabled, or has an Authentication Group assigned to it which i...

Page 377: ...up, enter the group names here separated by a comma (users for this example). 3. Click OK. 4. Repeat Step B to add all the lannet users having the membership of the users group into the lannet_auth_users folder. Example 8.2. User Authentication Setup for Web Access. The configuration below shows how to enable HTTP user authentication for the user group users on lannet. Only users that belong to the group users ...

Page 378: ...ce: any; Destination Network: all-nets. 3. Click OK. Example 8.3. Configuring a RADIUS Server. The following steps illustrate how a RADIUS server is typically configured. Web Interface: 1. User Authentication > External User Databases > Add > External User Database. 2. Now enter: a. Name: Enter a name for the server, for example ex-users. b. Type: Select RADIUS. c. IP Address: Enter the IP address of the server, or enter the s...

Page 379: ...eeds either through direct editing in the Web Interface or by downloading and re-uploading through an SCP client. The files available for editing have the following names: FormLogin, LoginSuccess, LoginFailure, LoginAlreadyDone, LoginChallenge, LoginChallengeTimeout, LoginSuccess, LoginSuccessBasicAuth, LoginFailure, FileNotFound. Editing the Banner Files. The WebUI provides a simple way to download and edit th...

Page 380: ...or the new set of ALG banner files will appear. 4. Click the Edit & Preview tab. 5. Select FormLogin from the Page list. 6. Now edit the HTML source that appears in the text box for the Forbidden URL page. 7. Use Preview to check the layout if required. 8. Press Save to save the changes. 9. Click OK to exit editing. 10. Go to Objects > ALG and select the relevant HTML ALG. 11. Select new_forbidden as the HTML Banner ...

Page 381: ...n. If the edited Formlogon local file is called my.html then, using the Open SSH SCP client, the upload command would be: pscp my.html admin@10.5.62.11:HTTPAuthBanners/ua_html/FormLogin. The usage of SCP clients is explained further in Section 2.1.6, Secure Copy. 4. Using the CLI, the relevant user authentication rule should now be set to use the ua_html. If the rule is called my_auth_rule, the command would...

Page 382: ...8.3. Customizing HTML Pages. Chapter 8. User Authentication. 382 ...

Page 383: ...ally important that the recipient can verify that no one is falsifying data, in other words pretending to be someone else. Virtual Private Networks (VPNs) meet this need, providing a highly cost effective means of establishing secure links between two co-operating computers so that data can be exchanged in a secure manner. VPN allows the setting up of a tunnel between two devices known as tunnel endpoin...

Page 384: ...ryptographic keyed hashing. Non-repudiation: Proof that the sender actually sent the data; the sender cannot later deny having sent it. Non-repudiation is usually a side effect of authentication. VPNs are normally only concerned with confidentiality and authentication. Non-repudiation is normally not handled at the network level but rather is usually done at a higher, transaction level. 9.1.3. VPN Planning...

Page 385: ...N feature, it is usually possible to dictate the types of communication permitted, and NetDefendOS VPN has this feature. 9.1.4. Key Distribution. Key distribution schemes are best planned in advance. Issues that need to be addressed include: How will keys be distributed? Email is not a good solution. Phone conversations might be secure enough. How many different keys should be used? One key per user? One per ...

Page 386: ... The TLS ALG. 9.1.5. The TLS Alternative for VPN. Chapter 9. VPN. 386 ...

Page 387: ...an flow into the tunnel, a route must be defined in a NetDefendOS routing table. This route tells NetDefendOS which network can be found at the other end of the tunnel so it knows which traffic to send into the tunnel. In most cases this route is created automatically when the tunnel is defined and this can be checked by examining the routing tables. If a route is defined manually, the tunnel is treate...

Page 388: ...which has the IP address lan_ip. 4. Create an IPsec Tunnel object; let's call this object ipsec_tunnel. Specify the following tunnel parameters: Set Local Network to lannet. Set Remote Network to remote_net. Set Remote Endpoint to remote_gw. Set Encapsulation mode to Tunnel. Choose the IKE and IPsec algorithm proposal lists to be used. For Authentication, select the Pre-shared Key object defined in step 1 ab...

Page 389: ...tunnel. 2. Under Authentication Objects, add the Root Certificate and Host Certificate into NetDefendOS. The root certificate needs to have 2 parts added: a certificate file and a private key file. The gateway certificate needs just the certificate file added. 3. Set up the IPsec Tunnel object as for pre-shared keys but specify the certificates to use under Authentication. Do this with the following steps: ...

Page 390: ...rehand and must be handed out by NetDefendOS as the clients connect. A. IP addresses already allocated. The IP addresses may be known beforehand and have been pre-allocated to the roaming clients before they connect. The client's IP address will be manually input into the VPN client software. 1. Set up user authentication. XAuth user authentication is not required with IPsec roaming clients but is recomm...

Page 391: ...e remote network when tunnel established should be enabled for the tunnel object. If all-nets is the destination network, the option Add route for remote network should be disabled. Note: The option to dynamically add routes should not be enabled in LAN-to-LAN tunnel scenarios. Enable the option Require IKE XAuth user authentication for inbound IPsec tunnels. This will enable a search for the first matc...

Page 392: ...urity. Define the IPsec algorithms that will be used and which are supported by NetDefendOS. Specify if the client will use config mode. There are a variety of IPsec client software products available from a number of suppliers and this manual will not focus on any specific one. The network administrator should use the client that is best suited to their budget and needs. 9.2.4. IPsec Roaming Clients wi...

Page 393: ... range that is totally different to any internal network This prevents any chance of an address in the range also being used on the internal network 2 Define two other IP objects ip_ext which is the external public IP address through which clients connect let s assume this is on the ext interface ip_int which is the internal IP address of the interface to which the internal network is connected le...

Page 394: ...s should be defined in the IP rule set Action Src Interface Src Network Dest Interface Dest Network Service Allow l2tp_tunnel l2tp_pool any int_net All NAT ipsec_tunnel l2tp_pool ext all nets All The second rule would be included to allow clients to surf the Internet via the ext interface on the NetDefend Firewall The client will be allocated a private internal IP address which must be NATed if co...

Page 395: ...ot being able to NAT PPTP connections through a tunnel so multiple clients can use a single connection to the NetDefend Firewall If NATing is tried then only the first client that tries to connect will succeed The steps for PPTP setup are as follows 1 In the Address Book define the following IP objects A pptp_pool IP object which is the range of internal IP addresses that will be handed out from a...

Page 396: ...ts 0 0 0 0 0 4 Now set up the IP rules in the IP rule set Action Src Interface Src Network Dest Interface Dest Network Service Allow pptp_tunnel pptp_pool any int_net All NAT pptp_tunnel pptp_pool ext all nets All As described for L2TP the NAT rule lets the clients access the public Internet via the NetDefend Firewall 5 Set up the client For Windows XP the procedure is exactly as described for L2T...

Page 397: ...flow of events can be briefly described as follows IKE negotiates how IKE should be protected IKE negotiates how IPsec should be protected IPsec moves data in the VPN The following sections will describe each of these stages in detail 9 3 2 Internet Key Exchange IKE This section describes IKE the Internet Key Exchange protocol and the parameters that are used with it Encrypting and authenticating ...

Page 398: ...imply by performing another phase 2 negotiation There is no need to do another phase 1 negotiation until the IKE lifetime has expired IKE Algorithm Proposals An IKE algorithm proposal list is a suggestion of how to protect IPsec data flows The VPN device initiating an IPsec connection will send a list of the algorithms combinations it supports for protecting the connection and it is then up to the...

Page 399: ... from the same initial keying material This is to make sure that in the unlikely event that some key was compromised no subsequent keys can be derived Once the phase 2 negotiation is finished the VPN connection is established and ready for traffic to pass through it IKE Parameters There are a number of parameters used in the negotiation process Below is a summary of the configuration parameters ne...

Page 400: ...ecified as a URL string such as vpn.company.com. If this is done, the prefix dns: must be used. The string above should therefore be specified as dns:vpn.company.com. The remote endpoint is not used in transport mode. Main/Aggressive Mode. The IKE negotiation has two modes of operation: main mode and aggressive mode. The difference between these two is that aggressive mode will pass more information in few...

Page 401: ...cified in time (seconds) as well as data amount (kilobytes). Whenever one of these expires, a new phase 1 exchange will be performed. If no data was transmitted in the last incarnation of the IKE connection, no new connection will be made until someone wants to use the VPN connection again. This value must be set greater than the IPsec SA lifetime. PFS. With Perfect Forwarding Secrecy (PFS) disabled, initial ke...

Page 402: ...sec Authentication. This specifies the authentication algorithm used on the protected traffic. This is not used when ESP is used without authentication, although it is not recommended to use ESP without authentication. The algorithms supported by NetDefend Firewall VPNs are SHA1 and MD5. IPsec Lifetime. This is the lifetime of the VPN connection. It is specified in both time (seconds) and data amount (kilobytes)...

Page 403: ...ng Advantages. Since it is very straightforward, it will be quite interoperable. Most interoperability problems encountered today are in IKE. Manual keying completely bypasses IKE and sets up its own set of IPsec SAs. Manual Keying Disadvantages. It is an old method which was used before IKE came into use and is thus lacking all the functionality of IKE. This method therefore has a number of limitations ...

Page 404: ...someone that the remote endpoint trusts. Advantages of Certificates. A principal advantage of certificates is added flexibility. Many VPN clients, for instance, can be managed without having the same pre-shared key configured on all of them, which is often the case when using pre-shared keys and roaming clients. Instead, should a client be compromised, the client's certificate can simply be revoked. No need...

Page 405: ...ter the original IP header; in tunnel mode the ESP header is inserted after the outer header but before the original, inner IP header. All data after the ESP header is encrypted and/or authenticated. The difference from AH is that ESP also provides encryption of the IP packet. The authentication phase also differs in that ESP only authenticates the data after the ESP header; thus the outer IP header is ...

Page 406: ... negotiation is moved away from UDP port 500 to port 4500. This is necessary since certain NAT devices treat UDP packets on port 500 differently from other UDP packets in an effort to work around the NAT problems with IKE. The problem is that this special handling of IKE packets may in fact break the IKE negotiations, which is why the UDP port used by IKE has changed. UDP Encapsulation. Another problem ...

Page 407: ... for different VPN scenarios, and user-defined lists can be added. Two IKE algorithm lists and two IPsec lists are already defined by default. High: this consists of a more restricted set of algorithms to give higher security. The complete list is 3DES, AES, Blowfish, MD5, SHA1. Medium: this consists of a longer set of algorithms. The complete list is 3DES, AES, Blowfish, Twofish, CAST128, MD5, SHA1. Example 9.1. Usi...

Page 408: ...rase and not a hexadecimal value, the different encodings on different platforms can cause a problem with non-ASCII characters. Windows, for example, encodes pre-shared keys containing non-ASCII characters in UTF-16, while NetDefendOS uses UTF-8. Even though they can seem the same at either end of the tunnel, there will be a mismatch, and this can sometimes cause problems when setting up a Windows L2TP cl...

Page 409: ...al corporate networks using VPN clients. The organization administers their own Certificate Authority and certificates have been issued to the employees. Different groups of employees are likely to have access to different parts of the internal networks. For example, members of the sales force need access to servers running the order system, while technical engineers need access to technical databases ...

Page 410: ...uthMethod=Certificate IDList=MyIDList RootCertificates=AdminCert GatewayCertificate=AdminCert. Web Interface. First create an Identification List: 1. Go to Objects > VPN Objects > ID List > Add > ID List. 2. Enter a name for the list, for example MyIDList. 3. Click OK. Then create an ID: 1. Go to Objects > VPN Objects > IKE ID List > Add > ID List. 2. Select MyIDList. 3. Enter a name for the ID, for example JohnDoe. 4. Select Disti...

Page 411: ...4. Select the appropriate certificate in the Root Certificate(s) and Gateway Certificate controls. 5. Select MyIDList in the Identification List. 6. Click OK. 9.3.8. Identification Lists. Chapter 9. VPN. 411 ...

Page 412: ...c that has been decrypted will be checked against the IP rule set. When doing this IP rule set check, the source interface of the traffic will be the associated IPsec tunnel, since tunnels are treated like interfaces in NetDefendOS. In addition, a Route or an Access rule may have to be defined for roaming clients in order for NetDefendOS to accept specific source IP addresses from the IPsec tunnel. Retu...

Page 413: ...o be broken and an attempt is automatically made to re-establish the tunnel. This feature is only useful for LAN-to-LAN tunnels. Optionally, a specific source IP address and/or a destination IP address for the pings can be specified. It is recommended to specify a destination IP of a host which is known to be able to reliably respond to ICMP messages. If a destination IP is not specified, NetDefendOS...

Page 414: ...n routing table, or another table if an alternate is being used. Set up the Rules: a 2-way tunnel requires 2 rules. 9.4.3. Roaming Clients. An employee who is on the move, who needs to access a central corporate server from a notebook computer from different locations, is a typical example of a roaming client. Apart from the need for secure VPN access, the other major issue with roaming clients is that the ...

Page 415: ...t the roaming users will connect to. Remote Network: all-nets. Remote Endpoint: None. Encapsulation Mode: Tunnel. 3. For Algorithms enter: IKE Algorithms: Medium or High; IPsec Algorithms: Medium or High. 4. For Authentication enter: Pre-Shared Key: select the pre-shared key created earlier. 5. Under the Routing tab, enable the option "Dynamically add route to the remote network when a tunnel is established". 6. Click O...

Page 416: ...w ID for every client that is to be granted access rights, according to the instructions above. D. Configure the IPsec tunnel. 1. Go to Interfaces > IPsec > Add > IPsec Tunnel. 2. Now enter: Name: RoamingIPsecTunnel. Local Network: 10.0.1.0/24 (this is the local network that the roaming users will connect to). Remote Network: all-nets. Remote Endpoint: None. Encapsulation Mode: Tunnel. 3. For Algorithms enter: IKE Algorithms...

Page 417: ..._ip. Web Interface. A. Upload all the client certificates: 1. Go to Objects > Authentication Objects > Add > Certificate. 2. Enter a suitable name for the Certificate object. 3. Select the X.509 Certificate option. 4. Click OK. B. Create Identification Lists: 1. Go to Objects > VPN Objects > ID List > Add > ID List. 2. Enter a descriptive name, for example sales. 3. Click OK. 4. Go to Objects > VPN Objects > ID List > Sales > Add > ID. 5. Enter...

Page 418: ... an IP Pool object. An IP pool is a cache of IP addresses collected from DHCP servers, and leases on these addresses are automatically renewed when the lease time is about to expire. IP Pools also manage additional information such as DNS and WINS/NBNS, just as an ordinary DHCP server would. For detailed information on pools, see Section 5.4, IP Pools. Defining the Config Mode Object. Currently only one Co...

Page 419: ... log message generated with a severity level of Warning. This message includes the two IP addresses as well as the client identity. Optionally, the affected SA can be automatically deleted if validation fails by enabling the advanced setting IPsecDeleteSAOnIPValidationFailure. The default value for this setting is Disabled. 9.4.4. Fetching CRLs from an alternate LDAP server. A Root Certificate usually in...

Page 420: ...l IKE negotiation. The output can be overwhelming, so to limit the output to a single IP address, for example the IP address 10.1.1.10, the command would be: gw-world:/> ikesnoop -on 10.1.1.10 -verbose. The IP address used is the IP address of the VPN tunnel's remote endpoint (either the IP of the remote endpoint or the client IP). To turn off monitoring, the command is: gw-world:/> ikesnoop -off. The output from verb...

Page 421: ...s: 8. Payloads: SA (Security Association): Payload data length: 152 bytes; DOI: 1 (IPsec DOI); Proposal 1/1: Protocol 1/1: Protocol ID: ISAKMP; SPI Size: 0; Transform 1/4: Transform ID: IKE; Encryption algorithm: Rijndael-cbc (aes); Key length: 128; Hash algorithm: MD5; Authentication method: Pre-Shared Key; Group description: MODP 1024; Life type: Seconds; Life duration: 43200; Life type: Kilobytes; Life duration: 50000; Transform 2/4: T...

Page 422: ...6 bytes; Vendor ID: 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56; Description: draft-ietf-ipsec-nat-t-ike-03. Explanation of Values: Exchange type: Main mode or aggressive mode (IKEv1.0 only). Cookies: A random number to identify the negotiation. Encryption algorithm: Cipher. Key length: Cipher key length. Hash algorithm: Hash. Authentication method: Pre-shared key or certificate. Group description: Diffie-Hellman ...

Page 423: ... Description: draft-ietf-ipsec-nat-t-ike-00. VID (Vendor ID): Payload data length: 16 bytes; Vendor ID: cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48; Description: draft-ietf-ipsec-nat-t-ike-02. VID (Vendor ID): Payload data length: 16 bytes; Vendor ID: 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f; Description: draft-ietf-ipsec-nat-t-ike-02. VID (Vendor ID): Payload data length: 16 bytes; Vendor ID: 7d 94 19 a6 53 10 ...

Page 424: ...ends the identification, which is normally an IP address or the Subject Alternative Name if certificates are used. IkeSnoop: Received IKE packet from 192.168.0.10:500. Exchange type: Identity Protection (main mode). ISAKMP Version: 1.0. Flags: E (encryption). Cookies: 0x6098238b67d97ea6 / 0x5e347cb76e95a. Message ID: 0x00000000. Packet length: 72 bytes. # payloads: 3. Payloads: ID (Identification): Payload data length: 8 bytes ...

Page 425: ...168.0.10:500. Exchange type: Quick mode. ISAKMP Version: 1.0. Flags: E (encryption). Cookies: 0x6098238b67d97ea6 / 0x5e347cb76e95a. Message ID: 0xaa71428f. Packet length: 264 bytes. # payloads: 5. Payloads: HASH (Hash): Payload data length: 16 bytes. SA (Security Association): Payload data length: 164 bytes; DOI: 1 (IPsec DOI); Proposal 1/1: Protocol 1/1: Protocol ID: ESP; SPI Size: 4; SPI Value: 0x4c83cad2; Transform 1/4: Transform ID: Rijn...

Page 426: ...mode: could be transport, tunnel or UDP tunnel (NAT-T). ID: ipv4(any:0,[0..3]=10.4.2.6). Here the first ID is the local network of the tunnel from the client's point of view, and the second ID is the remote network. If it contains any netmask it is usually SA per net, and otherwise it is SA per host. Step 8: Client Sends a List of Supported Algorithms. The server now responds with a matching IPsec proposal from th...

Page 427: ...76e95a. Message ID: 0xaa71428f. Packet length: 48 bytes. # payloads: 1. Payloads: HASH (Hash): Payload data length: 16 bytes. 9.4.6. IPsec Advanced Settings. The following NetDefendOS advanced settings are available for configuring IPsec tunnels. IPsec Max Rules: this specifies the total number of IP rules that can be connected to IPsec tunnels. By default this is initially approximately 4 times the licensed IPsecMax...

Page 428: ...without consulting the rule set. Default: Enabled. IKE CRL Validity Time: a CRL contains a "next update" field that dictates the time and date when a new CRL will be available for download from the CA. The time between CRL updates can be anything from a few hours and upwards, depending on how the CA is configured. Most CA software allows the CA administrator to issue new CRLs at any time, so even if the next...

Page 429: ...DPD-R-U-THERE messages to the other side. Default: 3 (in other words, 3 x 10 = 30 seconds). DPD Keep Time: the amount of time, in tens of seconds, that a peer is assumed to be dead after NetDefendOS has detected it to be so. While the peer is considered dead, NetDefendOS will not try to re-negotiate the tunnel or send DPD messages to the peer. However, the peer will not be considered dead any more as soon as a p...

Page 430: ...l has not sent a response to any messages, then it is considered to be dead (not reachable). The SA will then be placed in the dead cache. This setting is used with IKEv1 only. Default: 15 seconds. 9.4.6. IPsec Advanced Settings. Chapter 9. VPN. 430 ...

Page 431: ...lementation. PPTP can be used in the VPN context to tunnel different protocols across the Internet. Tunneling is achieved by encapsulating PPP packets in IP datagrams using Generic Routing Encapsulation (GRE, IP protocol 47). The client first establishes a connection to an ISP in the normal way using the PPP protocol, and then establishes a TCP/IP connection across the Internet to the NetDefend Firewall ...

Page 432: ...Under the Add Route tab, select all_nets from Allowed Networks. 6. Click OK. Use User Authentication Rules is enabled as default. To be able to authenticate the users using the PPTP tunnel, it is required to configure NetDefendOS Authentication Rules, but that will not be covered in this example. 9.5.2. L2TP Servers. Layer 2 Tunneling Protocol (L2TP) is an IETF open standard that overcomes many of the problem...

Page 433: ...der the Add Route tab, select all_nets in the Allowed Networks control. 6. Click OK. Use User Authentication Rules is enabled as default. To be able to authenticate users using the PPTP tunnel, it is necessary to configure NetDefendOS Authentication Rules, but that is not covered in this example. Example 9.12. Setting up an L2TP Tunnel Over IPsec. This example shows how to set up a fully working L2TP Tunnel ...

Page 434: ...0 IPsecLifeTimeSeconds=3600. Web Interface. 1. Go to Interfaces > IPsec > Add > IPsec Tunnel. 2. Enter a name for the IPsec tunnel, for example l2tp_ipsec. 3. Now enter: a. Local Network: wan_ip; b. Remote Network: all-nets; c. Remote Endpoint: none; d. Encapsulation Mode: Transport; e. IKE Algorithms: High; f. IPsec Algorithms: esp-l2tptunnel. 4. Enter 3600 in the IPsec Life Time (seconds) control. 5. Enter 250000 in the IPsec Life T...

Page 435: ...Click OK. In order to authenticate the users using the L2TP tunnel, a user authentication rule needs to be configured. D. Next will be setting up the authentication rules. Command Line Interface: gw-world:/> add UserAuthRule AuthSource=Local Interface=l2tp_tunnel OriginatorIP=all-nets LocalUserDB=UserDB agent=PPP TerminatorIP=wan_ip name=L2TP_Auth. Web Interface. 1. Go to User Authentication > User Authenticati...

Page 436: ... Interface. 1. Go to Rules > IP Rules > Add > IPRule. 2. Enter a name for the rule, for example AllowL2TP. 3. Now enter: Action: Allow; Service: all_services; Source Interface: l2tp_tunnel; Source Network: l2tp_pool; Destination Interface: any; Destination Network: all-nets. 4. Click OK. 5. Go to Rules > IP Rules > Add > IPRule. 6. Enter a name for the rule, for example NATL2TP. 7. Now enter: Action: NAT; Service: all_services; Source Interf...

Page 437: ...volves the following settings. General Parameters. Name: a symbolic name for the client. Interface Type: specifies if it is a PPTP or L2TP client. Remote Endpoint: the IP address of the remote endpoint. Where this is specified as a URL, the prefix dns: must precede it. Names of Assigned Addresses. Both PPTP and L2TP utilize dynamic IP configuration using the PPP LCP protocol. When NetDefendOS receives this...

Page 438: ...n demand should trigger on Send or Recv or both. Idle Timeout: the time of inactivity in seconds to wait before disconnection. Using the PPTP Client Feature. One usage of the PPTP client feature is shown in the scenario depicted below. Here a number of clients are being NATed through NetDefendOS before being connected to a PPTP server on the other side of the NetDefend Firewall. If more than one of the ...

Page 439: ...Figure 9.3. PPTP Client Usage. 9.5.4. PPTP/L2TP Clients. Chapter 9. VPN. 439 ...

Page 440: ... following scenarios are possible: 1. The CA server is a private server behind the NetDefend Firewall and the tunnels are set up over the public Internet, but to clients that will not try to validate the certificate sent by NetDefendOS. In this case the IP address of the private server needs only be registered on a private DNS server so the FQDN can be resolved. This private DNS server will also have t...

Page 441: ...tion Components. CA Server Access by Clients. In a VPN tunnel with roaming clients connecting to the NetDefend Firewall, the VPN client software may need to access the CA server. Not all VPN client software will need this access. In the Microsoft clients prior to Vista, CA server requests are not sent at all. With Microsoft Vista, validation became the default, with the option to disable it. Other non-Micro...

Page 442: ...ver must be configured in NetDefendOS so that these requests can be resolved. Turning Off FQDN Resolution. As explained in the troubleshooting section below, identifying problems with CA server access can be done by turning off the requirement to validate certificates. Attempts to access CA servers by NetDefendOS can be disabled with the Disable CRLs option for certificate objects. This means that chec...

Page 443: ...n airport, the client will get an IP address from the Wi-Fi network's DHCP server. If that IP also belongs to the network behind the NetDefend Firewall accessible through a tunnel, then Windows will still continue to assume that the IP address is to be found on the client's local network. Windows therefore will not correctly route packets bound for the remote network through the tunnel, but instead rou...

Page 444: ...e if CA server access could be the problem. CA Server issues are discussed further in Section 9.6, CA Server Access. 9.7.3. IPsec Troubleshooting Commands. A number of commands can be used to diagnose IPsec tunnels. The ipsecstat console command: ipsecstat can be used to show that IPsec tunnels have correctly established. A representative example of output is: gw-world:/> ipsecstat. IPsec SAs: Displaying one li...

Page 445: ...snoop -on <ip-address> -verbose. Ikesnoop can be turned off with the command: gw-world:/> ikesnoop -off. For a more detailed discussion of this topic, see Section 9.4.5, Troubleshooting with ikesnoop. 9.7.4. Management Interface Failure with VPN. If any VPN tunnel is set up and then the management interface no longer operates, then it is likely to be a problem with the management traffic being routed back through ...

Page 446: ... multiple IPsec SAs, one SA per network or host if that option is used. The defined network size is also important in that it must be exactly the same size on both sides, as will be mentioned again later in the symptoms section. There are also some settings on the IPsec tunnel's IKE tab that can be involved in a "no proposal chosen" issue, for example PFS for the IPsec phase or DH Group for the IKE phase 2 ...

Page 447: ... likely the error message that will be generated. 5. No public key found. This is a very common error message when dealing with tunnels that use certificates for authentication. Troubleshooting this error message can be very difficult, as the possible cause of the problem can be quite extensive. Also, it is very important to keep in mind that when dealing with certificates there may be a need to combine ...

Page 448: ...essary to examine the settings for the local network, remote network, IKE proposal list and IPsec proposal list on both sides to try to identify a mismatch. For example, suppose the following IPsec settings are at either end of a tunnel. Side A: Local Network 192.168.10.0/24, Remote Network 10.10.10.0/24. Side B: Local Network 10.10.10.0/24, Remote Network 192.168.10.0/16. In this scenario it can be seen t...

Page 449: ...simple to compare the network that both sides are sending in phase 2. With that information it should be possible to spot the network problem. It can be the case that it is a network size mismatch, or that it does not match at all. 9.7.6. Specific Symptoms. Chapter 9. VPN. 449 ...

Page 450: ...9.7.6. Specific Symptoms. Chapter 9. VPN. 450 ...

Page 451: ...is for prioritizing traffic passing through the NetDefend Firewall. It is important to understand that NetDefendOS traffic shaping does not add new Diffserv information as packets traverse a NetDefend Firewall. The NetDefendOS traffic shaping priorities described later in this chapter are for traffic shaping within NetDefendOS only and are not translated into Diffserv information that is then added ...

Page 452: ...ice object that uses the SIP ALG cannot also be subject to traffic shaping. 10.1.2. Traffic Shaping in NetDefendOS. NetDefendOS offers extensive traffic shaping capabilities for the packets passing through the NetDefend Firewall. Different rate limits and traffic guarantees can be created as policies based on the traffic's source, destination and protocol, similar to the way in which security policies a...

Page 453: ...e rules is initially empty, with no rules being defined by default. At least one rule must be created for traffic shaping to begin to function. Pipe Rule Chains. When a pipe rule is defined, the pipes to be used with that rule are also specified, and they are placed into one of two lists in the pipe rule. These lists are: The Forward Chain: these are the pipe or pipes that will be used for outgoing (leaving...

Page 454: ... is implemented by using the NetDefendOS state engine, which is the subsystem that deals with the tracking of connections. FwdFast IP rules do not set up a connection in the state engine. Instead, packets are considered not to be part of a connection and are forwarded individually to their destination, bypassing the state engine. Figure 10.2. FwdFast Rules Bypass Traffic Shaping. 10.1.3. Simple Bandwidth L...

Page 455: ...bound. 3. Now enter: Service: all_services; Source Interface: lan; Source Network: lannet; Destination Interface: wan; Destination Network: all-nets. 4. Under the Traffic Shaping tab, make std-in selected in the Return Chain control. 5. Click OK. This setup limits all traffic from the outside (the Internet) to 2 megabits per second. No priorities are applied, nor any dynamic balancing. 10.1.4. Limiting Bandwidth in Both ...

Page 456: ...er 2000 in the Total textbox. 4. Click OK. After creating a pipe for outbound bandwidth control, add it to the forward pipe chain of the rule created in the previous example. Command Line Interface: gw-world:/> set PipeRule Outbound ForwardChain=std-out. Web Interface. 1. Go to Traffic Management > Traffic Shaping > Pipe Rules. 2. Right-click on the pipe rule that was created in the previous example and choose Edit. 3. U...

Page 457: ...n it will pass through the std-in pipe along with other inbound traffic, which will apply the 250 kbps total limit. Figure 10.3. Differentiated Limits Using Chains. If surfing uses the full limit of 125 kbps, those 125 kbps will occupy half of the std-in pipe, leaving 125 kbps for the rest of the traffic. If no surfing is taking place, then all of the 250 kbps allowed through std-in will be available for ...

Page 458: ...nces 4 and 6 instead of 0 and 3 will make no difference to the end result. Allocating Precedence to Traffic. The way precedence is assigned to traffic is specified in the triggering pipe rule and can be done in one of three ways. Use the precedence of the first pipe: each pipe has a Default Precedence, and packets take the default precedence of the first pipe they pass through. Use a fixed precedence: t...

Page 459: ...prefix "Mega" means one million in a traffic bandwidth context. Precedence Limits are also Guarantees. A precedence limit is both a limit and a guarantee. The bandwidth specified for a precedence also guarantees that the bandwidth will be available, at the expense of lower precedences. If the specified bandwidth is exceeded, the excess traffic falls to the lowest precedence. The lowest precedence has a speci...

Page 460: ...xhausted, then they are dropped. If a total limit for a pipe is not specified, it is the same as saying that the pipe has unlimited bandwidth, and consequently it can never become full, so precedences have no meaning. Applying Precedences. Continuing to use the previous traffic shaping example, let us add the requirement that SSH and Telnet traffic is to have a higher priority than all other traffic. To do...

Page 461: ... lower precedences has no meaning and will be ignored by NetDefendOS. Differentiated Guarantees. A problem arises if the aim is to give a specific 32 kbps guarantee to Telnet traffic and a specific 64 kbps guarantee to SSH traffic. A 32 kbps limit could be set for precedence 2, a 64 kbps limit set for precedence 4, and then pass the different types of traffic through each precedence. However, there are t...

Page 462: ...able bandwidth with other traffic. 10.1.7. Pipe Groups. NetDefendOS provides a further level of control within pipes through the ability to split pipe bandwidth into individual resource users within a group, and to apply a limit and guarantee to each user. Individual users can be distinguished according to one of the following: Source IP; Destination IP; Source Network; Destination Network; Source Port (incl...

Page 463: ...will be guaranteed 50 Kbps at the expense of lower precedences. The precedences for each user must be allocated by different pipe rules that trigger on particular users. For example, if grouping is by source IP, then different pipe rules will trigger on different IPs and send the traffic into the same pipe with the appropriate precedence. The potential sum of the precedence values could clearly become ...

Page 464: ...dence Values. Let us suppose that grouping is enabled by one of the options, such as source IP, and some values for precedences have been specified under Group Limits. How do these combine with values specified for the corresponding precedences in Pipe Limits? In this case the Group Limits precedence value is a guarantee, and the Pipe Limits value for the same precedence is a limit. For example, if traf...

Page 465: ...r 16 kbps, some will not. Dynamic balancing can be enabled to improve this situation by making sure all of the 5 users get the same amount of limited bandwidth. When the 5th user begins to generate SSH traffic, balancing lowers the limit per user to about 13 kbps (64 kbps divided by 5 users). Dynamic Balancing takes place within each precedence of a pipe individually. This means that if users are allotted...

Page 466: ...by the traffic shaping subsystem, and it is therefore more important to set pipe limits slightly below the real connection limit to account for the time needed for NetDefendOS to adapt to changing conditions. Attacks on Bandwidth. Traffic shaping cannot protect against incoming resource exhaustion attacks, such as DoS attacks or other flooding attacks. NetDefendOS will prevent these extraneous packets ...

Page 467: ...ecedence, all packets are treated on a "first come, first forwarded" basis. Within a pipe, traffic can also be separated on a Group basis, for example by source IP address. Each user in a group (for example, each source IP address) can be given a maximum limit, and precedences within a group can be given a limit/guarantee. A pipe limit need not be specified if group members have a maximum limit. Dynamic Balanci...

Page 468: ...affic to the default precedence level, and the pipes will limit total traffic to their 1 Mbps limit. Having Dynamic Balancing enabled on the pipes means that all users will be allocated a fair share of this capacity. Using Several Precedences. We now extend the above example by allocating priorities to different kinds of traffic accessing the Internet from a headquarters office. Let's assume we have a s...

Page 469: ...affic immediately before it enters the in-pipe and out-pipe and competes with VoIP, Citrix and Web surfing traffic. A VPN Scenario. In the cases discussed so far, all traffic shaping is occurring inside a single NetDefend Firewall. VPN is typically used for communication between a headquarters and branch offices, in which case pipes can control traffic flow in both directions. With VPN it is the tunnel w...

Page 470: ...1700 kbps, the total traffic is limited to 2000 kbps, and VoIP to the remote site is guaranteed 500 kbps of capacity before it is forced to best effort. SAT with Pipes. If SAT is being used, for example with a web server or ftp server, that traffic also needs to be forced into pipes or it will escape traffic shaping and ruin the planned quality of service. In addition, server traffic is initiated from the...

Page 471: ...Note: SAT and ARPed IP Addresses. If the SAT is from an ARPed IP address, the wan interface needs to be the destination. 10.1.10. More Pipe Examples. Chapter 10. Traffic Management. 471 ...

Page 472: ...lity to apply throttling through the NetDefendOS traffic shaping subsystem when the targeted traffic is recognized IDP Traffic Shaping is a combination of these two features where traffic flows identified by the IDP subsystem automatically trigger the setting up of traffic shaping pipes to control those flows 10 2 2 Setting Up IDP Traffic Shaping The steps for IDP Traffic Shaping setup are as foll...

Page 473: ...w subject to the pipe traffic shaping bandwidth specified in the IDP rule 3 A new connection is then established that does not trigger an IDP rule but has a source or destination IP that is the same as the connection that did trigger a rule If the source or destination is also a member of the IP range specified as the Network then the connection s traffic is included in the pipe performing traffic...

Page 474: ...P2P Scenario The schematic below illustrates a typical scenario involving P2P data transfer The sequence of events is The client with IP address 192 168 1 15 initiates a P2P file transfer through a connection 1 to the tracking server at 81 150 0 10 This connection triggers an IDP rule in NetDefendOS which is set up with an IDP signature that targets the P2P application The Pipe action in the rule ...

Page 475: ...ned pipes the CLI command is gw world pipes show The IDP Traffic Shaping pipes can be recognized by their distinctive naming convention which is explained next Pipe Naming NetDefendOS names the pipes it automatically creates in IDP Traffic Shaping using the pattern IDPPipe_ bandwidth for pipes with upstream forward flowing traffic and IDPPipe_ bandwidth R for pipes with downstream return flowing t...

Page 476: ...ty by default and are therefore guaranteed that bandwidth 10 2 8 Logging IDP Traffic Shaping generates log messages on the following events When an IDP rule with the Pipe option has triggered and either host or client is present in the Network range When the subsystem adds a host that will have future connections blocked When a timer for piping news connections expires a log message is generated i...

Page 477: ...ce such as HTTP can be associated with it. Each rule can have associated with it one or more Actions which specify how to handle different threshold conditions. A Threshold Rule has the following parameters associated with it: Action: This is the response of the rule when the limit is exceeded. Either the option Audit or Protect can be selected. Group By: The rule can be either Host or Network based. Thre...

Page 478: ...gged. 10.3.6. Exempted Connections. It should be noted that some advanced settings known as Before Rules settings can exempt certain types of connections for remote management from examination by the NetDefendOS IP rule set if they are enabled. These Before Rules settings will also exempt the connections from Threshold Rules if they are enabled. 10.3.7. Threshold Rules and ZoneDefense. Threshold Rules ar...

Page 479: ...h of time in seconds for which the source is blacklisted can also be set. This feature is discussed further in Section 6.7, Blacklisting Hosts and Networks. 10.3.8. Threshold Rule Blacklisting. Chapter 10, Traffic Management, page 479 ...

Page 480: ...iple servers can improve not just the performance of applications but also scalability, by facilitating the implementation of a cluster of servers (sometimes referred to as a server farm) that can handle many more requests than a single server. Note: SLB is not available on all D-Link NetDefend models. The SLB feature is only available on the D-Link NetDefend DFL-800, 860, 860E, 1600, 1660, 2500, 2560 and 256...

Page 481: ...ers. An important first step in SLB deployment is to identify the servers across which the load is to be balanced. This might be a server farm, which is a cluster of servers set up to work as a single virtual server. The servers that are to be treated as a single virtual server by SLB must be specified. 10.4.2. SLB Distribution Algorithms. There are several ways to determine how a load is shared across a...

Page 482: ...ices such as HTTPS which require a repeated connection to the same host. Network Stickiness: This mode is similar to IP stickiness except that the stickiness can be associated with a network instead of a single IP address. The network is specified by stating its size as a parameter. For example, if the network size is specified as 24 (the default) then an IP address 10.01.01.02 will be assumed to belong...

Page 483: ...compares if the source IP address belongs to the same network as a previous connection already in the table. If they belong to the same network then stickiness to the same server will result. The default value for this setting is a network size of 24. 10.4.4. SLB Algorithms and Stickiness. This section discusses further how stickiness functions with the different SLB algorithms. An example scenario is...

Page 484: ...configuration, SLB can monitor different OSI layers to check the condition of each server. Regardless of the algorithms used, if a server is deemed to have failed, SLB will not open any more connections to it until the server is restored to full functionality. D-Link Server Load Balancing provides the following monitoring modes: ICMP Ping: This works at OSI layer 3. SLB will ping the IP address of each in...
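The stickiness table on pages 482 and 483 (IP stickiness keyed on the client address, network stickiness keyed on the client's /24 by default) and the failed-server rule on page 484 (no new connections to a server deemed failed) can be modelled in a few lines. The following is an added example written for this page, not NetDefendOS code; the server names, the round-robin fallback for clients with no sticky entry, and the mark_failed/mark_restored calls standing in for the ICMP or TCP monitor are assumptions.

```python
import ipaddress
import itertools


class StickyBalancer:
    """Sticky server selection: 'ip' mode keys on the client address,
    'network' mode keys on the client's /network_size network (24 by default,
    as on page 483). Clients without an entry are spread round-robin."""

    def __init__(self, servers, mode="ip", network_size=24):
        if mode not in ("ip", "network"):
            raise ValueError("mode must be 'ip' or 'network'")
        self.servers = list(servers)
        self.failed = set()              # servers the monitor has declared down
        self.mode = mode
        self.network_size = network_size
        self.table = {}                  # stickiness key -> server
        self._rr = itertools.cycle(self.servers)

    def key_for(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        if self.mode == "ip":
            return str(addr)
        # Network stickiness: 10.1.1.2 and 10.1.1.200 share the key 10.1.1.0/24.
        net = ipaddress.ip_network(f"{addr}/{self.network_size}", strict=False)
        return str(net)

    def _next_healthy(self):
        for _ in range(len(self.servers)):
            server = next(self._rr)
            if server not in self.failed:
                return server
        raise RuntimeError("no healthy servers left")

    def choose(self, client_ip):
        key = self.key_for(client_ip)
        server = self.table.get(key)
        # A sticky entry pointing at a failed server is re-assigned: page 484
        # says no new connections go to a server until it is restored.
        if server is None or server in self.failed:
            server = self._next_healthy()
            self.table[key] = server
        return server

    def mark_failed(self, server):
        self.failed.add(server)

    def mark_restored(self, server):
        self.failed.discard(server)
```

Because the key is the network, a large NAT'd site behind one /24 ends up pinned to a single backend; that is the trade-off the page hints at when it mentions the network size parameter.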

Page 485: ...Interface, Src Network, Dest Interface, Dest Network. WEB_SLB: SLB_SAT, any, all-nets, core, ip_ext. WEB_SLB_ALW: Allow, any, all-nets, core, ip_ext. If there are clients on the same network as the webservers that also need access to those webservers, then a NAT rule would also be used. Rule Name, Rule Type, Src Interface, Src Network, Dest Interface, Dest Network. WEB_SLB: SLB_SAT, any, all-nets, core, ip_ext. WEB_SLB_NAT: NA...

Page 486: ...K. C. Specify the SLB_SAT IP rule: 1. Go to Rules > IP Rule Sets > main > Add > IP Rule. 2. Enter: Name: Web_SLB; Action: SLB_SAT; Service: HTTP; Source Interface: any; Source Network: all-nets; Destination Interface: core; Destination Network: ip_ext. 3. Select tab SAT SLB. 4. Under Server Addresses add server_group to Selected. 5. Click OK. D. Specify a matching NAT IP rule for internal clients: 1. Go to Rules > IP Rule Sets > main > Add...

Page 487: ...d IP Rule. 2. Enter: Name: Web_SLB_ALW; Action: Allow; Service: HTTP; Source Interface: any; Source Network: all-nets; Destination Interface: core; Destination Network: ip_ext. 3. Click OK. 10.4.6. Setting Up SLB_SAT Rules. ...


Page 489: ...e will continue to be active, but the master will now monitor the slave, with failover only taking place if the slave fails. This is sometimes known as an active-passive implementation of fault tolerance. Note: High Availability is only available on some NetDefend models. The HA feature is only available on the D-Link NetDefend DFL-1600, 1660, 2500, 2560 and 2560G. The Master and Active Units: When reading t...

Page 490: ...exist in a single cluster. The only processing role that the inactive unit plays is to replicate the state of the active unit and to take over all traffic processing if it detects the active unit is not responding. Hardware Duplication: D-Link HA will only operate between two NetDefend Firewalls. As the internal operation of different firewall manufacturers' software is completely dissimilar, there is...

Page 491: ...ong enough to cause the inactive system to go active even though the other is still active. Disabling Heartbeat Sending on Interfaces: The administrator can manually disable heartbeat sending on any interface if that is desired. This is not recommended, since the fewer interfaces that send heartbeats, the higher the risk that not enough heartbeats are received to correctly indicate system health. The ex...

Page 492: ...he sender address. This allows switches to re-learn within milliseconds where to send packets destined for the shared address. The only delay in failover, therefore, is detecting that the active unit is down. ARP queries are also broadcast periodically to ensure that switches do not forget where to send packets destined for the shared hardware address. HA with Anti-Virus and IDP: If a NetDefendOS cluster...

Page 493: ...statistics would indicate a failure to synchronize. If the sync interface is functioning correctly there may still be some small differences in the statistics from each cluster unit, but these will be minor compared with the differences seen in the case of failure. Once the broken sync interface is fixed (perhaps by replacing the connecting cable), synchronization between active and inactive units will...

Page 494: ...ess object allow remote management through that interface. These addresses can also be pinged using ICMP, provided that IP rules are defined to permit this (by default, ICMP queries are dropped by the rule set). If either unit is inoperative, its individual IP addresses will also be unreachable. These IP addresses are usually private but must be public if management access across the public Internet is re...

Page 495: ...same switch which then connects to an internal network. Similarly, the wan interface on the master and the wan interface on the slave would connect to a switch which in turn connects to the external Internet. Note: The illustration shows a crossover cable sync connection. The illustration above shows a direct crossover cable connection between the sync interfaces of each unit. This connection could instead be via a...

Page 496: ...the public Internet is required. 9. Save and activate the new configuration. 10. Repeat the above steps for the other NetDefend Firewall, but this time select the node type to be Slave. Making Cluster Configuration Changes: The configuration on both NetDefend Firewalls needs to be the same. The configurations of the two units will be automatically synchronized. To change something in a cluster configurati...

Page 497: ...mbers of connections, but can have the disadvantage of increasing throughput latency. 11.3.4. Unique Shared MAC Addresses. For HA setup, NetDefendOS provides the advanced option Use Unique Shared MAC Address. By default this is enabled and in most configurations it should not need to be disabled. Enabling a Unique Shared MAC Address: The effect of enabling this setting is that a single unique MAC address...

Page 498: ...Lockdown Mode. Failed Interfaces: Failed interfaces will not be detected unless they fail to the point where NetDefendOS cannot continue to function. This means that failover will not occur if the active unit can still send "I am alive" heartbeats to the inactive unit through any of its interfaces, even though one or more interfaces may be inoperative. Changing the Cluster ID: Changing the cluster ID in...

Page 499: ...l also be a second, backup designated router to provide OSPF metrics if the main designated router should fail. PPPoE Tunnels and DHCP Clients: For reasons connected with the shared IP addresses of an HA cluster, PPPoE tunnels and DHCP clients should not be configured in an HA cluster. 11.4. HA Issues. ...

Page 500: ...one of the cluster units and issue the ha command. The typical output if the unit is active is shown below: gw-world:/> ha. This device is a HA SLAVE. This device is currently ACTIVE (will forward traffic). This device has been active: 430697 sec. HA cluster peer is ALIVE. This unit (the slave) is the currently active unit, so the other one (the master) is the inactive unit. B. Upgrade the inactive unit: Once the inac...

Page 501: ...failover is complete, upgrade the newly inactive unit with the new NetDefendOS version. Just like step B, this is done in the normal way, as though the unit were not part of a cluster. E. Wait for resynchronization: Once the second software upgrade is complete, the two units will automatically resynchronize and the cluster will continue operation. The roles of active and inactive unit will have been reversed. I...

Page 502: ...apsed, the synchronization traffic is then only sent after repeated periods of silence. The length of this silence is this setting. Default: 5. Use Unique Shared Mac: Use a unique shared MAC address for each interface. For further explanation of this setting see Section 11.3.4, Unique Shared Mac Addresses. Default: Enabled. Deactivate Before Reconf: If enabled, this setting will make an active node failover to...


Page 504: ...ld can be dynamically blocked using the ZoneDefense feature. Thresholds are based on either the number of new connections made per second or on the total number of connections being made. These connections may be made by either a single host or all hosts within a specified CIDR network range (an IP address range specified by a combination of an IP address and its associated network mask). ACL Upload: Wh...

Page 505: ...3526 R3.x: Version R3.06-B20 only. DES-3526 R4.x: Version R4.01-B19 or later. DES-3550 R3.x: Version R3.05-B38 only. DES-3550 R4.x: Version R4.01-B19 or later. DES-3800 Series: Version R2.00-B13 or later. DGS-3200 Series: Version R1.10-B06 or later. DGS-3324SR/SRi: Version R4.30-B11 or later. DGS-3400 Series R1.x: Version R1.00-B35 only. DGS-3400 Series R2.x: Version R2.00-B52 or later. DGS-3600 Series: Version R2.2...

Page 506: ...exceeded. The limit can be one of two types: Connection Rate Limit: This can be triggered if the rate of new connections per second to the firewall exceeds a specified threshold. Total Connections Limit: This can be triggered if the total number of connections to the firewall exceeds a specified threshold. Threshold rules have parameters which are similar to those for IP Rules. These parameters specify w...

Page 507: ...onnections/second is applied. If the connection rate exceeds this limitation, the firewall will block the specific host (in network range 192.168.2.0/24, for example) from accessing the switch completely. A D-Link switch model DES-3226S is used in this case with a management interface address 192.168.1.250 connecting to the firewall's interface address 192.168.1.1. This firewall interface is added into t...
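The threshold rule parameters on pages 477, 504, 506 and 507 (Group By Host or Network, a Connection Rate Limit counted per second, a Total Connections Limit, and the Audit versus Protect actions) reduce to a small piece of counting logic. What follows is an added example written for this page, not NetDefendOS code: the connection events are constructed, the one-second sliding window is my reading of "new connections per second", and a Protect verdict is modelled as simply refusing the connection rather than pushing an ACL to a switch as ZoneDefense would.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed connection log: (timestamp in seconds, source IP). Not real data.
SAMPLE_CONNECTIONS = [
    (0.0, "192.168.2.10"), (0.2, "192.168.2.10"), (0.4, "192.168.2.11"),
    (0.6, "192.168.2.10"), (0.8, "192.168.2.11"), (2.5, "192.168.2.10"),
]


class ThresholdRule:
    """Counts new and open connections per host or per network and returns
    'allow', 'audit' (log only) or 'block' (Protect) for each new connection."""

    def __init__(self, group_by="host", network_size=24, rate_limit=None,
                 total_limit=None, action="Protect", window=1.0):
        if group_by not in ("host", "network"):
            raise ValueError("group_by must be 'host' or 'network'")
        if action not in ("Audit", "Protect"):
            raise ValueError("action must be 'Audit' or 'Protect'")
        self.group_by, self.network_size = group_by, network_size
        self.rate_limit, self.total_limit = rate_limit, total_limit
        self.action, self.window = action, window
        self.recent = defaultdict(deque)   # key -> timestamps inside the window
        self.open = defaultdict(int)       # key -> currently open connections

    def key_for(self, ip):
        if self.group_by == "host":
            return ip
        net = ipaddress.ip_network(f"{ip}/{self.network_size}", strict=False)
        return str(net)                    # all hosts in the CIDR range share it

    def new_connection(self, ts, src_ip):
        key = self.key_for(src_ip)
        window = self.recent[key]
        while window and ts - window[0] >= self.window:
            window.popleft()               # forget connections older than 1 s
        window.append(ts)
        self.open[key] += 1
        exceeded = []
        if self.rate_limit is not None and len(window) > self.rate_limit:
            exceeded.append("rate")
        if self.total_limit is not None and self.open[key] > self.total_limit:
            exceeded.append("total")
        if not exceeded:
            return ("allow", key, exceeded)
        if self.action == "Audit":
            return ("audit", key, exceeded)
        self.open[key] -= 1                # Protect: the connection is refused
        return ("block", key, exceeded)

    def close_connection(self, src_ip):
        key = self.key_for(src_ip)
        self.open[key] = max(0, self.open[key] - 1)


def run(rule, events=SAMPLE_CONNECTIONS):
    """Applies the rule to each event in order and returns the verdicts."""
    return [rule.new_connection(ts, ip)[0] for ts, ip in events]
```

Grouping by network is the option to reach for when a scanner rotates through addresses inside one subnet: per-host counters never trip, while the /24 counter does.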

Page 508: ...nse with Anti-Virus Scanning. ZoneDefense can be used in conjunction with the NetDefendOS Anti-Virus scanning feature. NetDefendOS can first identify a virus source through antivirus scanning and then block the source by communicating with switches configured to work with ZoneDefense. This feature is activated through the following ALGs: HTTP: ZoneDefense can block an HTTP server that is a virus source...

Page 509: ...ally, in order to block a host or network, one rule per switch port is needed. When this limit has been reached, no more hosts or networks will be blocked out. Important: Clearing the ACL rule set on the switch. ZoneDefense uses a range in the ACL rule set on the switch. To avoid potential conflicts in these rules and guarantee the firewall's access control, it is strongly recommended that the administrato...


Page 511: ...Fragmentation Settings (page 527), Local Fragment Reassembly Settings (page 531), Miscellaneous Settings (page 532). 13.1. IP Level Settings. Log Checksum Errors: Logs occurrences of IP packets containing erroneous checksums. Normally this is the result of the packet being damaged during network transport. All network units, both routers and workstations, drop IP packets that contain checksum errors. However, it...

Page 512: ...on Low: Determines the action taken on packets whose TTL falls below the stipulated TTLMin value. Default: DropLog. Multicast TTL on Low: What action to take on too low multicast TTL values. Default: DropLog. Default TTL: Indicates which TTL NetDefendOS is to use when originating a packet. These values are usually between 64 and 255. Default: 255. Layer Size Consistency: Verifies that the size information cont...

Page 513: ...fault: DropLog. IP Options Timestamps: Time stamp options instruct each router and firewall on the packet's route to indicate at what time the packet was forwarded along the route. These options do not occur in normal traffic. Time stamps may also be used to record the route a packet has taken from sender to final destination. NetDefendOS never enters information into these options, regardless of this se...

Page 514: ...ets equal to or smaller than the size specified by this setting. Default: 65535 bytes. Multicast Mismatch option: What action to take when Ethernet and IP multicast addresses do not match. Default: DropLog. Min Broadcast TTL option: The shortest IP broadcast Time To Live value accepted on receipt. Default: 1. Low Broadcast TTL Action option: What action to take on too low broadcast TTL values. Default: DropLo...
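The Multicast Mismatch setting above compares the Ethernet destination with the IPv4 destination of a multicast packet. The comparison it implies is the RFC 1112 mapping (01:00:5e followed by the low 23 bits of the group address). The example below is added for this page and is not NetDefendOS code; the frames are constructed, and applying the check only to multicast IP destinations is my reading of the setting's description.

```python
import ipaddress

# Constructed frames: (destination MAC, destination IP). Not captured traffic.
SAMPLE_FRAMES = [
    ("01:00:5e:40:0a:05", "239.192.10.5"),   # consistent mapping
    ("01:00:5e:00:00:01", "239.192.10.5"),   # MAC belongs to another group
    ("00:11:22:33:44:55", "239.192.10.5"),   # unicast MAC, multicast IP
    ("00:11:22:33:44:55", "192.168.10.7"),   # unicast IP: not subject to the check
]


def ipv4_multicast_mac(ip):
    """RFC 1112: 01:00:5e + the low 23 bits of the IPv4 group address."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:{:02x}:{:02x}:{:02x}".format(
        low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def check_multicast_frame(dst_mac, dst_ip, action="DropLog"):
    """Returns 'Accept' when the frame is consistent, else the configured
    action (the page's default is DropLog)."""
    if not ipaddress.IPv4Address(dst_ip).is_multicast:
        return "Accept"
    if dst_mac.lower() == ipv4_multicast_mac(dst_ip):
        return "Accept"
    return action


def run_check(frames=SAMPLE_FRAMES, action="DropLog"):
    return [check_multicast_frame(mac, ip, action) for mac, ip in frames]
```

Note that the mapping discards the top 5 bits of the group address, so 32 groups (224.1.1.1 and 225.1.1.1, for instance) share one MAC. The check therefore rejects frames that are malformed or spoofed carelessly, but it cannot tell those 32 groups apart; that is a consistency check, not authentication.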

Page 515: ...ccording to the next setting. Default: 1460 bytes. TCP MSS VPN Max: As is the case with TCPMSSMax, this is the highest Maximum Segment Size allowed. However, this setting only controls MSS in VPN connections. This way, NetDefendOS can reduce the effective segment size used by TCP in all VPN connections. This reduces TCP fragmentation in the VPN connection even if hosts do not know how to perform MTU discove...

Page 516: ...acknowledgement options. These options are used to ACK individual packets instead of entire series, which can increase the performance of connections experiencing extensive packet loss. They are also used by OS Fingerprinting. SACK is a common occurrence in modern networks. Default: ValidateLogBad. TCP Option TSOPT: Determines how NetDefendOS will handle time stamp options. As stipulated by the PAWS (Protec...

Page 517: ...turned on. The presence of a SYN flag indicates that a new connection is in the process of being opened, and an URG flag means that the packet contains data requiring urgent attention. These two flags should not be turned on in a single packet, as they are used exclusively to crash computers with poorly implemented TCP stacks. Default: DropLog. TCP SYN PSH: Specifies how NetDefendOS will deal with TCP pac...

Page 518: ...Ymas flag turned on. These flags are currently mostly used by OS Fingerprinting. It should be noted that a developing standard called Explicit Congestion Notification also makes use of these TCP flags, but as long as there are only a few operating systems supporting this standard, the flags should be stripped. Default: StripLog. TCP Reserved Field: Specifies how NetDefendOS will deal with information pre...
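The TCP flag settings on pages 517 and 518 share one shape: a flag combination that no legitimate stack sends, and an action named Drop or Strip with or without Log. The example below, added for this page and not NetDefendOS code, parses a fixed TCP header and applies such a table. Only two entries come from the page (TCP SYN URG: DropLog; TCP ECN, the Xmas/Ymas bits: StripLog); the SYN FIN, SYN RST, SYN PSH and reserved-field entries are assumed values for illustration, not documented defaults, and the test headers are constructed.

```python
import struct

# TCP flag bits in the flags byte (RFC 793 plus the two ECN bits).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

# (setting name, flags that must all be set, flag bits the rule acts on, action).
# TCP SYN URG and TCP ECN are the page's defaults; the rest are assumptions.
POLICY = [
    ("TCP SYN URG", SYN | URG, URG, "DropLog"),
    ("TCP SYN FIN", SYN | FIN, FIN, "DropLog"),      # assumed
    ("TCP SYN RST", SYN | RST, RST, "DropLog"),      # assumed
    ("TCP SYN PSH", SYN | PSH, PSH, "StripSilent"),  # assumed
    ("TCP ECN", 0, ECE | CWR, "StripLog"),
]
RESERVED_ACTION = "StripLog"   # assumed handling of a non-zero reserved field

TCP_HDR = struct.Struct("!HHIIBBHHH")   # the fixed 20-byte TCP header


def build_tcp_header(flags, reserved=0, sport=40000, dport=80):
    """Constructs a minimal TCP header for testing (no options, checksum 0)."""
    return TCP_HDR.pack(sport, dport, 1, 0, (5 << 4) | (reserved & 0xF),
                        flags, 65535, 0, 0)


def parse_tcp_header(data):
    if len(data) < TCP_HDR.size:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_res, flags, _win, _csum, _urg = \
        TCP_HDR.unpack_from(data)
    return {"sport": sport, "dport": dport, "data_offset": off_res >> 4,
            "reserved": off_res & 0xF, "flags": flags}


def inspect_tcp(data):
    """Returns (verdict, flags after stripping, log lines).

    A Drop* action ends inspection; Strip* actions clear the offending bits
    and continue, mirroring the Drop/Strip and Log/Silent names on the page.
    """
    hdr = parse_tcp_header(data)
    flags, logs = hdr["flags"], []
    for name, required, bits, action in POLICY:
        if (flags & required) == required and (flags & bits):
            if action.startswith("Drop"):
                if action.endswith("Log"):
                    logs.append(f"{name}: dropped")
                return "Drop", flags, logs
            flags &= ~bits
            if action.endswith("Log"):
                logs.append(f"{name}: stripped")
    if hdr["reserved"] and RESERVED_ACTION.endswith("Log"):
        logs.append("TCP Reserved Field: cleared")
    # A device that rewrites flags must also recompute the TCP checksum.
    return "Accept", flags, logs
```

Stripping rather than dropping is the gentler choice for bits that a future standard (ECN here) may legitimise: the connection survives, only the negotiation is lost.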

Page 519: ...gBad, ValidateSilent, and will block some valid TCP re-open attempts. The most significant impact of this will be that common web surfing traffic (short but complete transactions requested from a relatively small set of clients, randomly occurring with an interval of a few seconds) will slow down considerably, while most normal TCP traffic will continue to work as usual. Using either ValidateReopen or Val...

Page 520: ...ing limits how many Rejects per second may be generated by the Reject rules in the Rules section. Default: 500. Silently Drop State ICMPErrors: Specifies if NetDefendOS should silently drop ICMP errors pertaining to statefully tracked open connections. If these errors are not dropped by this setting, they are passed to the rule set for evaluation just like any other packet. Default: Enabled. 13.3. ICMP Leve...

Page 521: ...determining whether the remote peer is attempting to open a new connection. Default: Enabled. Log State Violations: Determines if NetDefendOS logs packets that violate the expected state switching diagram of a connection, for example getting TCP FIN packets in response to TCP SYN packets. Default: Enabled. Log Connections: Specifies how NetDefendOS will log connections. NoLog: Does not log any connections; c...

Page 522: ...agnostic and testing purposes, since it generates unwieldy volumes of log messages and can also significantly impair throughput performance. Default: Disabled. Dynamic Max Connections: Allocate the Max Connection value dynamically. Default: Enabled. Max Connections: This setting applies if Dynamic Max Connections above is disabled. Specifies how many connections NetDefendOS may keep open at any one time. Eac...

Page 523: ...may idle before finally being closed. Connections reach this state when a packet with its FIN flag on has passed in any direction. Default: 80. UDP Idle Lifetime: Specifies in seconds how long UDP connections may idle before being closed. This timeout value is usually low, as UDP has no way of signalling when the connection is about to close. Default: 130. UDP Bidirectional Keep-alive: This allows both side...

Page 524: ...Other Idle Lifetime: Specifies in seconds how long connections using an unknown protocol can remain idle before being closed. Default: 130. 13.5. Connection Timeout Settings. ...

Page 525: ...many real-time applications use large fragmented UDP packets. If no such protocols are used, the size limit imposed on UDP packets can probably be lowered to 1480 bytes. Default: 60000. Max ICMP Length: Specifies in bytes the maximum size of an ICMP packet. ICMP error messages should never exceed 600 bytes, although Ping packets can be larger if so requested. This value may be lowered to 1000 bytes if usin...

Page 526: ...ze of an IP-in-IP packet. IP-in-IP is used by Checkpoint Firewall-1 VPN connections when IPsec is not used. This value should be set at the size of the largest packet allowed to pass through the VPN connections, regardless of its original protocol, plus approx. 50 bytes. Default: 2000. Max IPsec IPComp Length: Specifies in bytes the maximum size of an IPComp packet. Default: 2000. Max L2TP Length: Specifies in...

Page 527: ...track. DropPacket: Discards the illegal fragment and all previously stored fragments. Will not allow further fragments of this packet to pass through during ReassIllegalLinger seconds. DropLogPacket: As DropPacket, but also logs the event. DropLogAll: As DropLogPacket, but also logs further fragments belonging to this packet that arrive during ReassIllegalLinger seconds. The choice of whether to discard ind...

Page 528: ...ents have been involved. LogSuspectSubseq: As LogSuspect, but also logs subsequent fragments of the packet as and when they arrive. LogAll: Logs all failed reassembly attempts. LogAllSubseq: As LogAll, but also logs subsequent fragments of the packet as and when they arrive. Default: LogSuspectSubseq. Dropped Fragments: If a packet is denied entry to the system as the result of the settings in the Rules secti...

Page 529: ...y send 1480-byte fragments, and a router or VPN tunnel on the route to the recipient subsequently reduces the effective MTU to 1440 bytes. This would result in the creation of a number of 1440-byte fragments and an equal number of 40-byte fragments. Because of potential problems this can cause, the default settings in NetDefendOS have been designed to allow the smallest possible fragments (8 bytes) to pas...

Page 530: ...cket has been marked as illegal, NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving. Default: 60. 13.7. Fragmentation Settings. ...
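The fragmentation settings on pages 527 to 530 describe a reassembler that stores fragments per datagram, declares a fragment illegal, discards everything stored for that datagram, and then refuses further fragments of it for ReassIllegalLinger seconds (default 60), while allowing fragments as small as 8 bytes. The example below is added for this page and is not NetDefendOS code. The illegality tests (a fragment running past 65535 bytes, a non-final fragment shorter than 8 bytes or not a multiple of 8, an overlap whose bytes disagree with what is already stored, and data beyond the final fragment) are my choice of the classic cases, the illegal_action default of DropLogPacket is an assumption, and the fragments are constructed.

```python
from dataclasses import dataclass

MIN_FRAGMENT_LENGTH = 8       # page 529: the smallest fragment allowed (default)
ILLEGAL_LINGER_SECONDS = 60   # page 530: ReassIllegalLinger default
MAX_DATAGRAM = 65535


@dataclass(frozen=True)
class Fragment:
    key: tuple      # (src_ip, dst_ip, ip_id, protocol) identifies the datagram
    offset: int     # payload offset in bytes (the IP offset field times 8)
    more: bool      # the MF flag
    data: bytes


class Reassembler:
    def __init__(self, illegal_action="DropLogPacket", linger=ILLEGAL_LINGER_SECONDS):
        if illegal_action not in ("DropPacket", "DropLogPacket", "DropLogAll"):
            raise ValueError(illegal_action)
        self.illegal_action = illegal_action
        self.linger = linger
        self.pending = {}         # key -> {"frags": [Fragment], "total": int|None}
        self.illegal_until = {}   # key -> time after which fragments are accepted again
        self.logs = []

    def _illegal_reason(self, frag, state):
        end = frag.offset + len(frag.data)
        if end > MAX_DATAGRAM:
            return "fragment extends past 65535 bytes"
        if frag.more and (len(frag.data) < MIN_FRAGMENT_LENGTH or len(frag.data) % 8):
            return "non-final fragment shorter than the minimum or not a multiple of 8"
        if state["total"] is not None and end > state["total"]:
            return "fragment extends past the final fragment"
        if not frag.more and any(s.offset + len(s.data) > end for s in state["frags"]):
            return "final fragment ends before previously stored data"
        for stored in state["frags"]:
            lo = max(stored.offset, frag.offset)
            hi = min(stored.offset + len(stored.data), end)
            if lo < hi and (stored.data[lo - stored.offset:hi - stored.offset]
                            != frag.data[lo - frag.offset:hi - frag.offset]):
                return "overlapping fragment carries different data"
        return None   # identical overlaps (retransmissions) are tolerated

    def receive(self, frag, now):
        """Returns ('drop'|'illegal'|'stored'|'complete', payload_or_None)."""
        until = self.illegal_until.get(frag.key)
        if until is not None:
            if now < until:
                if self.illegal_action == "DropLogAll":
                    self.logs.append(f"{frag.key}: fragment dropped during linger")
                return "drop", None
            del self.illegal_until[frag.key]
        state = self.pending.setdefault(frag.key, {"frags": [], "total": None})
        reason = self._illegal_reason(frag, state)
        if reason:
            del self.pending[frag.key]             # discard all stored fragments
            self.illegal_until[frag.key] = now + self.linger
            if self.illegal_action != "DropPacket":
                self.logs.append(f"{frag.key}: illegal fragment, {reason}")
            return "illegal", None
        state["frags"].append(frag)
        if not frag.more:
            state["total"] = frag.offset + len(frag.data)
        if state["total"] is None or not self._complete(state):
            return "stored", None
        del self.pending[frag.key]
        return "complete", self._assemble(state)

    @staticmethod
    def _complete(state):
        pos = 0
        for f in sorted(state["frags"], key=lambda f: f.offset):
            if f.offset > pos:
                return False                       # a hole remains
            pos = max(pos, f.offset + len(f.data))
        return pos == state["total"]

    @staticmethod
    def _assemble(state):
        buf = bytearray(state["total"])
        for f in state["frags"]:
            buf[f.offset:f.offset + len(f.data)] = f.data
        return bytes(buf)
```

The conflicting-overlap test is the one that matters for evasion: a sender whose second fragment rewrites bytes of the first is relying on the firewall and the end host to pick different copies, and refusing the whole datagram (plus the linger) removes that choice.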

Page 531: ...concurrent local reassemblies. Default: 256. Max Size: Maximum size of a locally reassembled packet. Default: 10000. Large Buffers: Number of large (over 2K) local reassembly buffers of the above size. Default: 32. 13.8. Local Fragment Reassembly Settings. ...

Page 532: ...associated settings limit memory used by the re-assembly subsystem. This setting specifies how many connections can use the re-assembly system at the same time. It is expressed as a percentage of the total number of allowed connections. Minimum: 1. Maximum: 100. Default: 80. Max Memory: This setting specifies how much memory the re-assembly system can allocate to process packets. It is expressed as a pe...


Page 534: ...ide can be downloaded. A step-by-step Registration manual, which explains registration and update service procedures in more detail, is available for download from the D-Link website. Subscription renewal: In the Web interface, go to Maintenance > License to check which update services are activated and when your subscription ends. Important: Renew in good time. Renew your subscription well before your cu...

Page 535: ...with the command: gw-world:/> removedb -IDP. To remove the Anti-Virus database use the command: gw-world:/> removedb -Antivirus. Once removed, the entire system should be rebooted and a database update initiated. Removing the database is also recommended if either IDP or Anti-Virus is not used for longer periods of time. Note: Updating the database causes a pause in processing. Anti-Virus database updates require...

Page 536: ...RITAS Backup solutions. BOT_GENERAL: Activities related to bots, including those controlled by IRC channels. BROWSER_FIREFOX: Mozilla Firefox. BROWSER_GENERAL: General attacks targeting web browsers (clients). BROWSER_IE: Microsoft IE. BROWSER_MOZILLA: Mozilla Browser. COMPONENT_ENCODER: Encoders as part of an attack. COMPONENT_INFECTION: Infection as part of an attack. COMPONENT_SHELLCODE: Shell code as part of the...

Page 537: ...ion. IP_OVERFLOW: Overflow of IP protocol implementation. IRC_GENERAL: Internet Relay Chat. LDAP_GENERAL: General LDAP clients/servers. LDAP_OPENLDAP: Open LDAP. LICENSE_CA-LICENSE: License management for CA software. LICENSE_GENERAL: General License Manager. MALWARE_GENERAL: Malware attack. METASPLOIT_FRAME: Metasploit frame attack. METASPLOIT_GENERAL: Metasploit general attack. MISC_GENERAL: General attack. MSDTC_GE...

Page 538: ...RSYNC_GENERAL: Rsync. SCANNER_GENERAL: Generic scanners. SCANNER_NESSUS: Nessus Scanner. SECURITY_GENERAL: Anti-virus solutions. SECURITY_ISS: Internet Security Systems software. SECURITY_MCAFEE: McAfee. SECURITY_NAV: Symantec AV solution. SMB_ERROR: SMB Error. SMB_EXPLOIT: SMB Exploit. SMB_GENERAL: SMB attacks. SMB_NETBIOS: NetBIOS attacks. SMB_WORMS: SMB worms. SMTP_COMMAND-ATTACK: SMTP command attack. SMTP_DOS: Denial o...

Page 539: ...GENERAL: Virus. VOIP_GENERAL: VoIP protocol and implementation. VOIP_SIP: SIP protocol and implementation. WEB_CF-FILE-INCLUSION: Coldfusion file inclusion. WEB_FILE-INCLUSION: File inclusion. WEB_GENERAL: Web application attacks. WEB_JSP-FILE-INCLUSION: JSP file inclusion. WEB_PACKAGES: Popular web application packages. WEB_PHP-XML-RPC: PHP XML-RPC. WEB_SQL-INJECTION: SQL Injection. WEB_XSS: Cross Site Scripting. WINS...

Page 540: ...iletype extension: Application. 3ds: 3d Studio files. 3gp: 3GPP multimedia file. aac: MPEG-2 Advanced Audio Coding File. ab: Applix Builder. ace: ACE archive. ad3: Dec systems compressed Voice File. ag: Applix Graphic file. aiff, aif: Audio Interchange file. am: Applix SHELF Macro. arc: Archive file. alz: ALZip compressed file. avi: Audio Video Interleave file. arj: Compressed archive. ark: QuArk compressed file archive. arq: Co...

Page 541: ...BinHex 4 compressed archive. icc: Kodak Color Management System ICC Profile. icm: Microsoft ICM Color Profile file. ico: Windows Icon file. imf: Imago Orpheus module sound data. Inf: Sidplay info file. it: Impulse Tracker Music Module. java: Java source code. jar: Java JAR archive. jng: JNG Video Format. jpg, jpeg, jpe, jff, jfif, jif: JPEG file. jrc: Jrchive compressed archive. jsw: Just System Word Processor Ichitaro. kdelnk...

Page 542: ...Network Graphic. ppm: PBM Portable Pixelmap Graphic. ps: PostScript file. psa: PSA archive data. psd: Photoshop Format file. qt, mov, moov: QuickTime Movie file. qxd: QuarkXpress Document. ra, ram: RealMedia Streaming Media. rar: WinRAR compressed archive. rbs: ReBirth Song file. riff, rif: Microsoft Audio file. rm: RealMedia Streaming Media. rpm: RedHat Package Manager. rtf, wri: Rich Text Format file. sar: Streamline compresse...

Page 543: ...ve Player Streaming Video file. wav: Waveform Audio. wk: Lotus 1-2-3 document. wmv: Windows Media file. wrl, vrml: Plain Text VRML file. xcf: GIMP Image file. xm: Fast Tracker 2 Extended Module audio file. xml: XML file. xmcd: xmcd database file for kscd. xpm: BMC Software Patrol UNIX Icon file. yc: YAC compressed archive. zif: ZIF image. zip: Zip compressed archive file. zoo: ZOO compressed archive file. zpk: ZPack archive d...

Page 544: ...ayer purpose. Layer 7: Application. Layer 6: Presentation. Layer 5: Session. Layer 4: Transport. Layer 3: Network. Layer 2: Data Link. Layer 1: Physical. Figure D.1. The 7 Layers of the OSI Model. Layer Functions: The different layers perform the following functions. Layer 7, Application Layer: Defines the user interface that supports applications directly. Protocols: HTTP, FTP, TFTP, DNS, SMTP, Telnet, SNMP and similar. The A...

Page 545: ...ee spam filtering. anti-virus scanning 314: activating 315; database 316; fail mode behaviour 316; in the FTP ALG 252; in the HTTP ALG 247; in the POP3 ALG 268; in the SMTP ALG 259; memory requirements 314; relationship with IDP 315; simultaneous scans 314; with zonedefense 318. application layer gateway, see ALG. ARP 112: advanced settings 116, 117; cache 112; gratuitous 156; proxy 162; publish 115; static 114; xpublis...

Page 546: ...ity gateway script (sgs) 43: uploading with SCP 48; validation 44; variables 43; verbose output 44. cluster, see high availability. cluster ID, see high availability. command line interface, see CLI. config mode 418. configuration object groups 127: and folders 130; and the CLI 127; editing properties of 128. configurations 51: backup/restore 75; backup compatibility 75; checking integrity 41. connection limiting, see t...

Page 547: ...allow: in FTP ALG 252; in HTTP ALG 247. Flood Reboot Time setting 532. folders: with IP rules 126; with the address book 84. Fragmented ICMP setting 529. FTP ALG 249: command restrictions 251; connection restriction options 251; control channel restrictions 252; filetype checking 252; hybrid mode 250; server IP setup for passive 258; virus scanning 252. FwdFast IP rule 125: exclusion from traffic shaping 454; with...

Page 548: ...l 93. internet key exchange, see IKE. Interval between synchronization setting 142. intrusion detection and prevention, see IDP. intrusion detection rule 322. invalid checksum in cluster heartbeats 498. IP address objects 84. IP Option Sizes setting 513. IP Options Other setting 513. IP Option Source/Return setting 513. IP Options Timestamps setting 513. IP pools 238: with config mode 418. IP Reserved Flag setti...

Page 549: ...e drift setting 142. Max Transactions DHCP setting 236. Max UDP Length setting 525. memlog 58. MIME filetype verification: in FTP ALG 252; in HTTP ALG 247; in POP3 ALG 268; in SMTP ALG 259; list of filetypes 540. Min Broadcast TTL setting 514. Minimum Fragment Length setting 529. multicast 199: address translation 202; forwarding 200; IGMP 204; reverse path forwarding 199. Multicast Enet Sender setting 225. Multica...

Page 550: ...155; dynamic 176; local IP address 150; metric for default routes 155; metrics 148, 178; monitoring 156; narrowest matching principle 150; principles 148; routes added at startup 154; static 148; the all-nets route 155. S. SA, see security association. SafeStream 316. SAT 349: all-to-1 mapping 356; IP rules 125; multiple address translation 354; multiplex rule 200; port forwarding 349; second rule destination 349. sched...

Page 551: ...tting 517. TCP Option SACK setting 516. TCP Option Sizes setting 515. TCP Option TSOPT setting 516. TCP Option WSOPT setting 516. TCP Reserved Field setting 518. TCP Sequence Numbers setting 518. TCP SYN FIN setting 517. TCP SYN PSH setting 517. TCP SYN RST setting 517. TCP SYN URG setting 517. TCP SYN Idle Lifetime setting 523. TCP URG setting 518. TCP Zero Unused ACK setting 516. TCP Zero Unused URG setting 5...

Page 552: ...302; whitelisting 301. web interface 28, 30: default connection interface 30; setting workstation IP 30. WebUI, see web interface. WebUI Before Rules setting 50. WebUI HTTP port setting 51. WebUI HTTPS port setting 51. whitelisting: hosts and networks 337; URLs 298. wildcarding 298. wildcarding: in blacklists and whitelists 261, 298; in IDP rules 327; in static content filtering 248. Windows CA certificate requests 1...
