D-Link DFL-210 - NetDefend - Security Appliance User Manual Download | Manualshive

Page: 332 / 469

background image

9.3. IPsec Components

9.3.1. Overview

Internet Protocol Security (IPsec) is a set of protocols defined by the Internet Engineering Task
Force (IETF) to provide IP security at the network layer. An IPsec based VPN is made up of two
parts:

•

Internet Key Exchange protocol (IKE)

•

IPsec protocols (AH/ESP/both)

The first part, IKE, is the initial negotiation phase, where the two VPN endpoints agree on which
methods will be used to provide security for the underlying IP traffic. Furthermore, IKE is used to
manage connections, by defining a set of Security Associations, SAs, for each connection. SAs are
unidirectional, so there are usually at least two for each IPsec connection.

The second part is the actual IP data being transferred, using the encryption and authentication
methods agreed upon in the IKE negotiation. This can be accomplished in a number of ways; by
using IPsec protocols ESP, AH, or a combination of both.

The flow of events can be briefly described as follows:

•

IKE negotiates how IKE should be protected

•

IKE negotiates how IPsec should be protected

•

IPsec moves data in the VPN

The following sections will describe each of these stages in detail.

9.3.2. Internet Key Exchange (IKE)

This section describes IKE, the Internet Key Exchange protocol, and the parameters that are used
with it.

Encrypting and authenticating data is fairly straightforward, the only things needed are encryption
and authentication algorithms, and the keys used with them. The Internet Key Exchange (IKE)
protocol, IKE, is used as a method of distributing these "session keys", as well as providing a way
for the VPN endpoints to agree on how the data should be protected.

IKE has three main tasks:

•

Provide a means for the endpoints to authenticate each other

•

Establish new IPsec connections (create SA pairs)

•

Manage existing connections

Security Associations (SAs)

IKE keeps track of connections by assigning a set of Security Associations, SAs, to each connection.
An SA describes all parameters associated with a particular connection, such as the IPsec protocol
used (ESP/AH/both) as well as the session keys used to encrypt/decrypt and/or authenticate/verify
the transmitted data.

An SA is unidirectional and relates to traffic flow in one direction only. For the bidirectional traffic
that is usually found in a VPN, there is therefore a need for more than one SA per connection. In
most cases, where only one of ESP or AH is used, two SAs will be created for each connection, one

9.3. IPsec Components

Chapter 9. VPN

332

«
...
330
331
332
333
334
...
»

Summary of Contents for DFL-210 - NetDefend - Security Appliance

Page 1: ...tion http www dlink com curity curity cu u u u u u u u u u u u u u u u u ur r r r r r r r r r r r r r r rity S S S S S S S S S S S S ity ity DFL 210 800 1600 2500 DFL 260 860 Ver 1 08 Network Security...

Page 2: ...Manual DFL 210 260 800 860 1600 2500 NetDefendOS version 2 25 01 D Link Corporation No 289 Sinhu 3rd Rd Neihu District Taipei City 114 Taiwan R O C http www DLink com Published 2009 05 26 Copyright 2...

Page 3: ...ular purpose The manufacturer reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of the manufacturer to notify any person of s...

Page 4: ...3 2 RADIUS Accounting Messages 54 2 3 3 Interim Accounting Messages 56 2 3 4 Activating RADIUS Accounting 56 2 3 5 RADIUS Accounting Security 56 2 3 6 RADIUS Accounting and High Availability 56 2 3 7...

Page 5: ...119 4 Routing 122 4 1 Overview 122 4 2 Static Routing 123 4 2 1 The Principles of Routing 123 4 2 2 Static Routing 127 4 2 3 Route Failover 130 4 2 4 Host Monitoring for Route Failover 133 4 2 5 Proxy...

Page 6: ...trusion Detection and Prevention 265 6 5 1 Overview 265 6 5 2 IDP Availability in D Link Models 265 6 5 3 IDP Rules 267 6 5 4 Insertion Evasion Attack Prevention 268 6 5 5 IDP Pattern Matching 269 6 5...

Page 7: ...view 332 9 3 2 Internet Key Exchange IKE 332 9 3 3 IKE Authentication 338 9 3 4 IPsec Protocols ESP AH 339 9 3 5 NAT Traversal 340 9 3 6 Algorithm Proposal Lists 341 9 3 7 Pre shared Keys 342 9 3 8 Id...

Page 8: ...High Availability 409 11 1 Overview 409 11 2 HA Mechanisms 411 11 3 HA Setup 413 11 3 1 Hardware Setup 413 11 3 2 NetDefendOS Manual HA Setup 414 11 3 3 Verifying the Cluster is Functioning 415 11 3 4...

Page 9: ...cenario 177 6 1 Deploying an ALG 196 6 2 HTTP ALG Processing Order 199 6 3 SMTP ALG Processing Order 209 6 4 DNSBL SPAM Filtering 211 6 5 TLS Termination 239 6 6 Dynamic Content Filtering Flow 245 6 7...

Page 10: ...3 10 Enabling DHCP 83 3 11 Defining a VLAN 86 3 12 Configuring a PPPoE client 89 3 13 Creating an Interface Group 92 3 14 Displaying the ARP Cache 95 3 15 Flushing the ARP Cache 95 3 16 Defining a Sta...

Page 11: ...Banner Files 257 6 19 Activating Anti Virus Scanning 263 6 20 Configuring an SMTP Log Receiver 272 6 21 Setting up IDP for a Mail Server 273 6 22 Adding a Host to the Whitelist 281 7 1 Adding a NAT Ru...

Page 12: ...ied URL in a browser in a new window some systems may not allow this For example http www dlink com Screenshots This guide contains a minimum of screenshots This is deliberate and is done because the...

Page 13: ...poses Note This indicates some piece of information that is an addition to the preceding text It may concern something that is being emphasized or something that is not obvious or explicitly stated in...

Page 14: ...anular control allows the administrator to meet the requirements of the most demanding network security scenario Key Features NetDefendOS is an extensive and feature rich network operating system The...

Page 15: ...ndOS provides a powerful Intrusion Detection and Prevention IDP engine The IDP engine is policy based and is able to perform high performance scanning and detection of attacks and can perform blocking...

Page 16: ...ble network traffic Note ZoneDefense is only available on certain D Link NetDefendOS models NetDefendOS Documentation Reading through the available documentation carefully will ensure that you get the...

Page 17: ...on as the NetDefendOS state engine 1 2 2 NetDefendOS Building Blocks The basic building blocks in NetDefendOS are interfaces logical objects and various types of rules or rule sets Interfaces Interfac...

Page 18: ...the packet is dropped and the event is logged If none the above is true the receiving Ethernet interface becomes the source interface for the packet 3 The IP datagram within the packet is passed on to...

Page 19: ...cted on all packets belonging to this connection 9 The Traffic Shaping and the Threshold Limit rule sets are now searched If a match is found the corresponding information is recorded with the state T...

Page 20: ...mary of the flow of packets through the NetDefendOS state engine There are three diagrams each flowing into the next Figure 1 1 Packet Flow Schematic Part I The packet flow is continued on the followi...

Page 21: ...Figure 1 2 Packet Flow Schematic Part II The packet flow is continued on the following page 1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 21...

Page 22: ...Figure 1 3 Packet Flow Schematic Part III 1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 22...

Page 23: ...elow presents the detailed logic of the Apply Rules function in Figure 1 2 Packet Flow Schematic Part II above Figure 1 4 Expanded Apply Rules Logic 1 3 NetDefendOS State Engine Packet Flow Chapter 1...

Page 24: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 24...

Page 25: ...or WebUI is built into NetDefendOS and provides a user friendly and intuitive graphical management interface accessible from a standard web browser Microsoft Internet Explorer or Firefox is recommend...

Page 26: ...available LAN1 is the default interface 2 1 2 The Default Administrator Account By default NetDefendOS has a local user database AdminUsers that contains one pre defined administrator account This ac...

Page 27: ...ar to the one shown below will then be shown in the browser window Enter your username and password and click the Login button The factory default username and password is admin and admin If the user...

Page 28: ...1 2 The Default Administrator Account Note Access to the Web Interface is regulated by the remote management policy By default the system will only allow web access from the internal network Interfac...

Page 29: ...r located on the left hand side of the Web Interface contains a tree representation of the system configuration The tree is divided into a number of sections corresponding to the major building blocks...

Page 30: ...or require a command line approach to administration or who need more granular control of system configuration The CLI is available either locally through the serial console port connection to this is...

Page 31: ...t After a command appears it can be re executed in it s original form or changed first before execution Tab Completion Remembering all the commands and their options can be difficult NetDefendOS provi...

Page 32: ...g tab again all the object types for that category is displayed Using categories means that the user has a simple way to specify what kind of object they are trying to specify and a manageable number...

Page 33: ...cated a name as well Subsequent manipulation of such a rule can be done either by referring to it by its index that is to say its list position or by alternatively using the name assigned to it The CL...

Page 34: ...ously 2 Connect one of the connectors of the RS 232 cable directly to the console port on your system hardware 3 Connect the other end of the cable to the terminal or the serial connector of the compu...

Page 35: ...l be displayed directly after the logon For security reasons it is advisable to disable or anonymize the CLI welcome message Changing the admin User Password It is recommended to change the default pa...

Page 36: ...the Address Book that does not exist in a restored configuration backup Logging off from the CLI After finishing working with the CLI it is recommended to logout in order to avoid letting anyone getti...

Page 37: ...y_script sgs is to be executed with IP address 126 12 11 01 replacing all occurrences of 1 in the script file and the string If1 address replacing all occurrences of 2 The file my_script sgs contains...

Page 38: ...To list the content of a specific uploaded script file for example my_script sgs the command would be gw world script show name my_script sgs Creating Scripts Automatically When the same configuration...

Page 39: ...are dependent cannot have a script created using the create option This is true when the CLI node type in the script create command is one of COMPortDevice Ethernet EthernetDevice Device If one of the...

Page 40: ...follow The following table summarizes the operations that can be performed between an SCP client and NetDefendOS File type Upload possible Download possible Configuration Backup config bak Yes also w...

Page 41: ...and would be scp config bak admin1 10 5 62 11 To download a configuration backup to the current local directory the command would be scp admin1 10 5 62 11 config bak To upload a file to an object type...

Page 42: ...ns available in the boot menu are 1 Start firewall This initiates the complete startup of the NetDefendOS software on the D Link Firewall 2 Reset unit to factory defaults This option will restore the...

Page 43: ...sole The password set for the console is not connected to the management passwords used for administrator access through a web browser It is valid only for console access 2 1 8 Management Advanced Set...

Page 44: ...he configuration objects are organized into a tree like structure based on the type of the object In the CLI similar configuration object types are grouped together in a category These categories are...

Page 45: ...show its contents in other words the values of the object properties This example shows how to display the contents of a configuration object representing the telnet service CLI gw world show Service...

Page 46: ...Changes to a configuration object will not be applied to a running system until you activate and commit the changes Example 2 6 Adding a Configuration Object This example shows how to add a new IP4Ad...

Page 47: ...always be restored until the configuration has been activated and committed This example shows how to restore the deleted IP4Address object shown in the previous example CLI gw world undelete Address...

Page 48: ...usly if the configuration was activated via the CLI with the activate command then a commit command must be issued within that period If a lost connection could not be re established or if the commit...

Page 49: ...vent which generates a mandatory event message as soon as the system starts up All event messages have a common format with attributes that include category severity and recommended actions These attr...

Page 50: ...ardized format for the log messages themselves The format used by NetDefendOS is well suited to automated processing filtering and searching Although the exact format of each log entry depends on how...

Page 51: ...ement System NMS and a managed device SNMP defines 3 types of messages a Read command for an NMS to examine a managed device a Write command to alter the state of a managed device and a Trap which is...

Page 52: ...if needed by the trap receiver 5 Click OK The system will now be sending SNMP traps for all events with a severity greater than or equal to Alert to an SNMP trap receiver at 195 11 22 55 2 2 4 Advanc...

Page 53: ...The delay in seconds between alarms when a continuous alarm is used Minimum 0 Maximum 10 000 Default 60 one minute 2 2 4 Advanced Log Settings Chapter 2 Management and Maintenance 53...

Page 54: ...ing Messages Statistics such as number of bytes sent and received and number of packets sent and received are updated and stored throughout RADIUS sessions All statistics are updated for an authentica...

Page 55: ...uthenticated This is a physical port and not a TCP or UDP port User IP Address The IP address of the authenticated user This is sent only if specified on the authentication server Input Bytes The numb...

Page 56: ...cified A user authentication object must have a rule associated with it where a RADIUS server is specified Some important points should be noted about activation RADIUS Accounting will not function wh...

Page 57: ...the case that the client for some reason fails to send a RADIUS AccountingRequest STOP packet the accounting server will never be able to update its user statistics but will most likely believe that...

Page 58: ...that the RADIUS server will assume users are still logged in even though their sessions have been terminated Default Enabled Maximum Radius Contexts The maximum number of contexts allowed with RADIUS...

Page 59: ...e client software When the client runs the MIB file is accessed to inform the client of the values that can be queried on a NetDefendOS device Defining SNMP Access SNMP access is defined through the d...

Page 60: ...management client is on the internal network it is not required to implement a VPN tunnel for it CLI gw world add RemoteManagement RemoteMgmtSNMP my_snmp Interface lan Network mgmt net SNMPGetCommuni...

Page 61: ...tem Contact The contact person for the managed node Default N A System Name The name for the managed node Default N A System Location The physical location of the node Default N A Interface Descriptio...

Page 62: ...ilename cap_int cap pcapdump cleanup Going through this line by line we have 1 Recording is started for the int interface using a buffer size of 1024 Kbytes pcapdump size 1024 start int 2 The recordin...

Page 63: ...ddr Filter on source IP address ipdest ipaddr Filter on destination IP address port portnum Filter on source or destination port number srcport portnum Filter on source port number destport portnum Fi...

Page 64: ...lar destination IP address Compatibility with Wireshark The open source tool Wireshark formerly called Ethereal is an extremely useful analysis tool for examining logs of captured packets The industry...

Page 65: ...e configuration and the installed NetDefendOS software This is useful if both the configuration is to be changed and the NetDefendOS version upgraded Backup files can be created both by downloading th...

Page 66: ...CP server lease database or Anti Virus IDP databases will not be backed up 2 6 3 Configuration Backup and Restore The NetDefendOS configuration of a D Link Firewall at any given point of time can be b...

Page 67: ...Maintenance Reset 2 Select Restore the entire unit to factory defaults then confirm and wait for the restore to complete Important Any upgrades will be lost after a factory reset It should be understo...

Page 68: ...oning procedure a restore to factory defaults should always be run in order to remove all sensitive information such as VPN settings As a further precaution at the end of the product s life it also re...

Page 69: ...2 6 4 Restore to Factory Defaults Chapter 2 Management and Maintenance 69...

Page 70: ...y need to make changes in a single location rather than in each configuration section where the address appears 3 1 2 IP Addresses IP Address objects are used to define symbolic names for various type...

Page 71: ...P address 2 Specify a suitable name for the IP host in this case wwww_srv1 3 Enter 192 168 10 16 for the IP Address 4 Click OK Example 3 2 Adding an IP Network This example adds an IP network named ww...

Page 72: ...successfully deleted but NetDefendOS will not allow the configuration to be saved to the D Link Firewall 3 1 3 Ethernet Addresses Ethernet Address objects are used to define symbolic names for Ethern...

Page 73: ...14 192 168 0 19 will result in a single IP range with addresses 192 168 0 10 192 168 0 19 Keep in mind however that for obvious reasons IP address objects cannot be combined with Ethernet MAC addresse...

Page 74: ...em They are created with a given name and can then be used to contain all the IP address objects that are related together as a group Using folders is simply a way for the administrator to convenientl...

Page 75: ...nformation on how service objects are being used with IP rules see Section 3 5 The IP Rule Set Pre defined Services A large number of Service objects come pre defined with NetDefendOS These include co...

Page 76: ...eat importance such as streaming audio and video services UDP User Datagram Protocol is the preferred protocol UDP is connection less provides very few error recovery services and give thereby much lo...

Page 77: ...shows how to add a TCP UDP Service using destination port 3306 which is used by MySQL CLI gw world add Service ServiceTCPUDP MySQL DestinationPorts 3306 Type TCP Web Interface 1 Go to Objects Service...

Page 78: ...net connectivity ICMP messages are delivered in IP packets and includes a Message Type that specifies the type that is the format of the ICMP message and a Code that is used to further qualify the mes...

Page 79: ...number Some of the common IP protocols such as IGMP are already pre defined in the NetDefendOS system configuration Similar to the TCP UDP port ranges described previously a range of IP protocol numbe...

Page 80: ...cal interface in order to transfer data This group of interfaces is called Physical Sub Interfaces NetDefendOS has support for two types of physical sub interfaces Virtual LAN VLAN interfaces as speci...

Page 81: ...d from this interface Examples of the use of core are when the D Link Firewall acts as a PPTP or L2TP server or responds to ICMP Ping requests By specifying the Destination Interface of a route as cor...

Page 82: ...mples in this guide lan is used for LAN traffic and wan is used for WAN traffic If your D Link Firewall does not have these interfaces please substitute the references with the name of your chosen int...

Page 83: ...gateway to the Internet Normally only one default all nets route to the default gateway needs to exist in the routing table Using DHCP on Ethernet Interfaces NetDefendOS includes a DHCP client for dyn...

Page 84: ...efinedCredentials No Comments Default gateway for interface wan By using the tab key at the end of a line tab completion can be used to complete the command gw world show Address IP4Address InterfaceA...

Page 85: ...w Ethernet Interface The set command can be used to control an Ethernet interface For example to enable an interface lan we can use the command gw world set EthernetDevice lan enable To set the driver...

Page 86: ...dOS installation is limited by the parameters of the license used Different hardware models have different licenses and different limits on VLANs Summary of VLAN Setup It is important to understand th...

Page 87: ...on Trace IP addresses to a specific user Allocate IP address automatically for PC users similar to DHCP IP address provisioning can be per user group The PPP Protocol Point to Point Protocol PPP is a...

Page 88: ...User authentication If user authentication is required by the ISP the username and password can be setup in NetDefendOS for automatic sending to the PPPoE server Dial on demand If dial on demand is e...

Page 89: ...provider Password Password provided by the service provider Confirm Password Retype the password Under Authentication specify which authentication protocol to use the default settings will be used if...

Page 90: ...the local host address of 127 0 0 1 Remote Network The remote network which the GRE tunnel will connect with Remote Endpoint This is the IP address of the remote device which the tunnel will connect w...

Page 91: ...1 In the address book set up the following IP objects remote_net_B 192 168 11 0 24 remote_gw 172 16 1 1 ip_GRE 192 168 0 1 2 Create a GRE Tunnel object called GRE_to_B with the following parameters IP...

Page 92: ...ute for remote network is enabled in the Advanced tab since this will add the route automatically 4 Create the following rules in the IP rule set that allow traffic to pass through the tunnel Name Act...

Page 93: ...be used later Security Transport Equivalent If enabled the interface group can be used as a destination interface in rules where connections might need to be moved between the interfaces examples of...

Page 94: ...ing NetDefendOS supports both Dynamic ARP as well as Static ARP and the latter is available in two modes Publish and XPublish Dynamic ARP is the main mode of operation for ARP where NetDefendOS sends...

Page 95: ...necessary to manually force a re query This is easiest achieved by flushing the ARP cache an operation which will delete all dynamic ARP entries from the cache thereby forcing NetDefendOS to issue ne...

Page 96: ...Ethernet address 4b 86 f6 c5 a2 14 on the lan interface CLI gw world add ARP Interface lan IP 192 168 10 15 Mode Static MACAddress 4b 86 f6 c5 a2 14 Web Interface 1 Go to Interfaces ARP Add ARP 2 Sele...

Page 97: ...f NetDefendOS is to drop and log such ARP requests and ARP replies This can however be changed by modifying the advanced settings ARP Multicast and ARP Broadcast Unsolicited ARP Replies It is fully po...

Page 98: ...el should comply with the Ethernet address reported in the ARP data If this is not the case the reply will be dropped and logged The behavior can be changed by modifying the setting ARP Match Ethernet...

Page 99: ...ns where a received ARP reply or ARP request would alter a static item in the ARP table Of course this is never allowed to happen However this setting does allow you to specify whether or not such sit...

Page 100: ...ies Default 512 ARP Hash Size VLAN Hashing is used to rapidly look up entries in a table For maximum efficiency the hash size should be twice as large as the table it is indexing so if the largest dir...

Page 101: ...object which could define a single IP address or range of addresses Service The protocol type to which the packet belongs Service objects define a protocol port type Examples might be HTTP or ICMP Cus...

Page 102: ...ng NetDefendOS responding to ICMP Ping requests new IP rules must be defined by the administrator Traffic that does not match any rule in the IP rule set is by default dropped by NetDefendOS For loggi...

Page 103: ...internal state table which allows monitoring of opened and active connections passing through the D Link Firewall If the action is Drop or Reject then the new connection is refused Stateful Inspectio...

Page 104: ...low or NAT rules Packet processing time is also slower than Allow rules since every packet is checked against the entire rule set NAT This functions like an Allow rule but with dynamic address transla...

Page 105: ...e moved to a different position in the rule set and therefore have a different precedence 3 5 5 IP Rule Set Folders In order to help organise large numbers of entries in IP rule sets it is possible to...

Page 106: ...1 Go to Rules IP Rules Add IPRule 2 Specify a suitable name for the rule for example LAN_HTTP 3 Now enter Name A suitable name for the rule For example lan_http Action Allow Service http Source Interf...

Page 107: ...multiple time ranges for each day of the week Furthermore a start and a stop date can be specified that will impose additional constraints on the schedule For instance a schedule can be defined as Mo...

Page 108: ...the following Name OfficeHours 3 Select 08 17 Monday to Friday in the grid 4 Click OK 1 Go to Rules IP Rules Add IPRule 2 Enter the following Name AllowHTTP 3 Select the following from the dropdown li...

Page 109: ...a certificate is a public key with identification attached coupled with a stamp of approval by a trusted party Certifice Authorities A certificate authority CA is a trusted entity that issues certifi...

Page 110: ...ten contain a CRL Distribution Point CDP field which specifies the location from where the CRL can be downloaded In some cases certificates do not contain this field In those cases the location of the...

Page 111: ...To associate an imported certificate with an IPsec tunnel Web Interface 1 Go to Interfaces IPsec 2 Display the properties of the IPsec tunnel 3 Select the Authentication tab 4 Select the X509 Certific...

Page 112: ...in format which can be cut and pasted with a text editor Note OpenSSL is being used here as a conversion utility and not in its normal role as a communication utility 3 Create two blank text files wit...

Page 113: ...OS installation is started for the first time Example 3 21 Setting the Current Date and Time To adjust the current date and time follow the steps outlined below CLI gw world time set YYYY mm DD HH MM...

Page 114: ...to be used There are two parameters governing daylight saving time the DST period and the DST offset The DST period specifies on what dates daylight saving time starts and ends The DST offset indicat...

Page 115: ...prevented NetDefendOS always queries all configured Time Servers and then computes an average time based on all responses Internet search engines can be used to list publicly available Time Servers Im...

Page 116: ...ndOS time is 16 42 35 If a Time Server responds with a time of 16 43 38 then the difference is 63 seconds This is greater than the Maximum Adjustment value so no update occurs for this response Exampl...

Page 117: ...e used Example 3 28 Enabling the D Link NTP Server To enable the use of the D Link NTP server CLI gw world set DateTime TimeSynchronization D Link Web Interface 1 Go to System Date and Time 2 Select t...

Page 118: ...y Time Server DNS hostname or IP Address of Timeserver 2 Default None teriary Time Server DNS hostname or IP Address of Timeserver 3 Default None Interval between synchronization Seconds between each...

Page 119: ...to make use of up to three DNS servers The are called the Primary Server the Secondary Server and the Tertiary Server For DNS to function at least the primary must be defined It is recommended to have...

Page 120: ...etch delay The difference between HTTP Poster and the named DNS servers in the WebUI is that HTTP Poster can be used to send any URL The named services are a convenience that make it easy to correctly...

Page 121: ...3 9 DNS Chapter 3 Fundamentals 121...

Page 122: ...ing is one of the most fundamental functions of NetDefendOS Any IP packet flowing through a D Link Firewall will be subjected to at least one routing decision at some point in time and properly settin...

Page 123: ...it can reach its destination The components of a single route are discussed next The Components of a Route When a route is defined it consists of the following parameters Interface The interface to fo...

Page 124: ...see Section 4 4 Route Load Balancing and Section 4 2 3 Route Failover A Typical Routing Scenario The diagram below illustrates a typical D Link Firewall scenario In the above diagram the LAN interface...

Page 125: ...a packet with a destination IP address of 192 168 0 4 will theoretically match both the first route and the last one However the first route entry is a narrower more specific match so the evaluation...

Page 126: ...he 10 2 2 0 24 network The clients in this second network must also have their Default Gateway set to 10 2 2 1 in order to reach the D Link Firewall This feature is normally used when an additional ne...

Page 127: ...he interfaces the connection table is consulted to see if there is an already open connection for which the received packet belongs If an existing connection is found the connection table entry includ...

Page 128: ...words it is perfectly legal to specify one route for the destination address range 192 168 0 5 to 192 168 0 17 and another route for addresses 192 168 0 18 to 192 168 0 254 This is a feature that make...

Page 129: ...ses which must be changed to the appropriate IP address ranges for traffic to flow The most important route that must be defined is the route to all nets which should correspond with the ISP and publi...

Page 130: ...es Tip For detailed information about the output of the CLI routes command Please see the CLI Reference Guide 4 2 3 Route Failover Overview D Link Firewalls are often deployed in mission critical loca...

Page 131: ...hop for a route accessibility to that gateway can be monitored by sending periodic ARP requests As long as the gateway responds to these requests the route is considered to be functioning correctly Se...

Page 132: ...route will be disabled As a consequence a new route lookup will be performed and the second route will be selected with the first one being marked as disabled Re enabling Routes Even if a route has be...

Page 133: ...way to monitor the integrity of routes NetDefendOS provides the additional capability to perform Host Monitoring This feature means that one or more external host systems can be routinely polled to ch...

Page 134: ...cy This value cannot be less than 1 Maximum Failed Poll Attempts The maximum permissible number of polling attempts that fail If this number is exceeded then the host is considered unreachable Max Ave...

Page 135: ...ss of a node on an Ethernet network However situations may exist where a network running Ethernet is separated into two parts with a routing device such as an installed D Link Firewall in between In s...

Page 136: ...nsparent Mode In HA clusters switch routes cannot be used and proxy ARP is the only way to implement transparent mode functionality Note It is only possible to have Proxy ARP functioning for Ethernet...

Page 137: ...ed Routing A different routing table might need to be chosen based on the user identity or the group to which the user belongs This is particularly useful in provider independent metropolitan area net...

Page 138: ...s encountered address translation will be performed The decision of which routing table to use is made before carrying out address translation but the actual route lookup is performed on the altered a...

Page 139: ...the named routing table is the only one consulted If this lookup fails the lookup will not continue in the main routing table 3 If Remove Interface IP Routes is enabled the default interface routes a...

Page 140: ...the default gateway of ISP B Interface Network Gateway ProxyARP lan1 10 10 10 0 24 wan1 lan1 20 20 20 0 24 wan2 wan1 10 10 10 1 32 lan1 wan2 20 20 20 1 32 lan1 wan1 all nets 10 10 10 1 Contents of th...

Page 141: ...llowing list can be specified in an RLB Instance object Round Robin Matching routes are used equally often by successively going to the next matching route Destination This is an algorithm that is sim...

Page 142: ...same route from a lookup The importance of this is that it means that a particular destination application can see all traffic coming from the same source IP address Spillover Spillover is not simila...

Page 143: ...setting a low metric on the route to the favoured ISP A relatively higher metric is then set on the route to the other ISP The all nets metric must be higher that interface routes The metric value use...

Page 144: ...will select the route that has the narrowest range that matches the destination IP address used in the lookup In the above example 10 4 16 0 24 may be chosen over 10 4 16 0 16 because the range is nar...

Page 145: ...T was being used for the client communication the IP address seen by the server would be WAN1 or WAN2 Example 4 6 Setting Up RLB In this example the details of the RLB scenario described above will be...

Page 146: ...her tunnel connecting through the other ISP RLB can then be applied as normal with the two tunnels In order to get the second tunnel to function in this case you need to add a single host route in the...

Page 147: ...ermination is based on the length of the path which is the number of intermediate routers also known as hops After updating its own routing table the router immediately begins transmitting its entire...

Page 148: ...d and the length of the path 4 5 2 OSPF Overview Open Shortest Path First OSPF is a routing protocol developed for IP networks by the Internet Engineering Task Force IETF The NetDefendOS OSPF implemen...

Page 149: ...ry Router ASBRs They advertise externally learned routes throughout the Autonomous System Backbone Areas All OSPF networks need to have at least the backbone area which is the area with ID 0 This is t...

Page 150: ...l This is the normal state of an adjacency between a router and the DR BDR Aggregates OSPF Aggregation is used to combine groups of routes with common addresses into a single entry in the routing tabl...

Page 151: ...ave a Virtual Link to fw1 with Router ID 192 168 1 1 and vice versa These Virtual Links need to be configured in Area 1 A Partitioned Backbone OSPF allows for linking a partitioned backbone using a vi...

Page 152: ...re must also be taken when setting up a virtual link to an firewall in an HA cluster The endpoint setting up a link to the HA firewall must setup 3 separate links one to the shared one to the master a...

Page 153: ...all nets in the Exactly Matches dropdown control 5 Click OK The next step is to create a Dynamic Routing Action that will do the actual importing of the routes into a routing table Specify the destina...

Page 154: ...ion that will export the filtered route to the specified OSPF AS CLI gw world cc DynamicRoutingRule ExportDefRoute gw world ExportDefRoute add DynamicRoutingRuleExportOSPF ExportToProcess as0 Web Inte...

Page 155: ...ss is Reverse Path Forwarding For unicast traffic a router is concerned only with a packet s destination With multicast the router is also concerned with a packets source since it forwards the packet...

Page 156: ...168 10 1 and generates the multicast streams 239 192 10 0 24 1234 These multicast streams should be forwarded from interface wan through the interfaces if1 if2 and if3 The streams should only be forwa...

Page 157: ...a name for the rule for example Multicast_Multiplex Action Multiplex SAT Service multicast_service 3 Under Address Filter enter Source Interface wan Source Network 192 168 10 1 Destination Interface c...

Page 158: ...dress Translation Scenario Figure 4 9 Multicast Forwarding Address Translation This scenario is based on the previous scenario but now we are going to translate the multicast group When the multicast...

Page 159: ...T Multiplex rule should be replaced with a NAT rule 4 6 3 IGMP Configuration IGMP signalling between hosts and routers can be divided into two categories IGMP Reports Reports are sent from hosts towar...

Page 160: ...wards the clients and actively send queries Towards the upstream router it will be acting as a normal host subscribing to multicast groups on behalf of its clients 4 6 3 1 IGMP Rules Configuration No...

Page 161: ...Add IGMP Rule 2 Under General enter Name A suitable name for the rule for example Reports Type Report Action Proxy Output wan this is the relay interface 3 Under Address Filter enter Source Interface...

Page 162: ...ed to create the report and query rule pair for if1 which uses no address translation Web Interface A Create the first IGMP Rule 1 Go to Routing IGMP IGMP Rules Add IGMP Rule 2 Under General enter Nam...

Page 163: ...or the rule for example Reports_if2 Type Report Action Proxy Output wan this is the relay interface 3 Under Address Filter enter Source Interface if2 Source Network if2net Destination Interface core D...

Page 164: ...espond with IGMP Membership Reports even to queries orginating from itself Global setting on interfaces without an overriding IGMP Setting Default Disabled IGMP Lowest Compatible Version IGMP messages...

Page 165: ...nterfaces without an overriding IGMP Setting Default 10 000 IGMP Robustness Variable IGMP is robust to IGMP Robustness Variable 1 packet losses Global setting on interfaces without an overriding IGMP...

Page 166: ...interfaces without an overriding IGMP Setting Default 1 000 4 6 4 Advanced IGMP Settings Chapter 4 Routing 166...

Page 167: ...specified instead of all nets This is usually when a network is split between two interfaces but the administrator does not know exactly which users are on which interface Usage Scenarios Two examples...

Page 168: ...rmines from this ARP traffic the relationship between IP addresses physical addresses and interfaces NetDefendOS remembers this address information in order to relay IP packets to the correct receiver...

Page 169: ...added but more restrictive IP rules are recommended Action Src Interface Src Network Dest Interface Dest Network Service Allow any all nets any all nets all Restricting the Network Parameter As NetDef...

Page 170: ...e is decided by the PBR Membership parameter for each interface PBR is short for Policy Based Routing which is the NetDefendOS term used for multiple routing tables To implement separate Transparent M...

Page 171: ...n route their traffic correctly after determining their whereabouts and IP address through ARP exchanges However a DHCP server could be used to allocate user IP addresses in a Transparent Mode setup i...

Page 172: ...address specifying the interface which leads to the ISP and the ISPs gateway IP address If the IP addresses that need to be reached by NetDefendOS are 85 12 184 39 and 194 142 215 15 then the complete...

Page 173: ...and the internal network The router is used to share the Internet connection with a single public IP address The internal NATed network behind the firewall is in the 10 0 0 0 24 address space Clients...

Page 174: ...t address ranges All hosts connected to LAN and DMZ the lan and dmz interfaces share the 10 0 0 0 24 address space As this is configured using Transparent Mode any IP address can be used for the serve...

Page 175: ...ss 10 0 0 1 Network 10 0 0 0 24 Transparent Mode Disable Add route for interface network Disable 3 Click OK 4 Go to Interfaces Ethernet Edit dmz 5 Now enter IP Address 10 0 0 2 Network 10 0 0 0 24 Tra...

Page 176: ...face lan Destination Interface dmz Source Network 10 0 0 0 24 Destination Network 10 1 4 10 3 Click OK 4 Go to Rules IP Rules Add IPRule 5 Now enter Name HTTP WAN to DMZ Action SAT Service http Source...

Page 177: ...Implementing BPDU Relaying The NetDefendOS BDPU relaying implementation only carries STP messages These STP messages can be of three types Normal Spanning Tree Protocol STP Rapid Spanning Tree Protoco...

Page 178: ...alue dynamically Default Enabled L3 Cache Size This setting is used to manually configure the size of the Layer 3 Cache Enabling Dynamic L3C Size is normally preferred Default Dynamic Transparency ATS...

Page 179: ...s DropLog Drop and log packets Default DropLog Multicast Enet Sender Defines what to do when receiving a packet that has the sender hardware MAC address in ethernet header set to a multicast ethernet...

Page 180: ...gnore all incoming MPLS packets are relayed in transparent mode Options Ignore Let the packets pass but do not log Log Let the packets pass and log the event Drop Drop the packets DropLog Drop packets...

Page 181: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 181...

Page 182: ...ch as an IP address a MAC address a domain name and a lease for the IP address to the client in a unicast message DHCP Leases Compared to static assignment where the client owns the address dynamic ad...

Page 183: ...nterface and relayer IP filter value If there is no match in the list then the request is ignored Using Relayer IP Address Filtering As explained above a DHCP server is selected based on a match of bo...

Page 184: ...created an IP range for the DHCP Server CLI gw world add DHCPServer DHCPServer1 Interface lan IPAddressPool DHCPRange1 Netmask 255 255 255 0 Web Interface 1 Go to System DHCP DHCP Servers Add DHCPSer...

Page 185: ...90 12 13 14 15 3 All static assignments can then be listed and each is listed with an index number gw world show Comments 1 none 4 An individual static assignment can be shown using its index number g...

Page 186: ...ble settings are Disabled ReconfShut or ReconfShutTimer Default ReconfShut Lease Store Interval How often in seconds the leases database should be saved to disk if DHCPServer_SaveLeasePolicy is set to...

Page 187: ...d request Although all NetDefendOS interfaces are core routed that is to say a route exists by default that routes interface IP addresses to Core for relayed DHCP requests this core routing does not a...

Page 188: ...relaying Max Transactions Maximum number of transactions at the same time Default 32 Transaction Timeout For how long a dhcp transaction can take place Default 10 seconds Max PPM How many dhcp packet...

Page 189: ...o save the relay list to the disk possible settings are Disabled ReconfShut or ReconfShutTimer Default ReconfShut Auto Save Interval How often in seconds should the relay list be saved to disk if DHCP...

Page 190: ...k address 127 0 0 1 indicates that the DHCP server is NetDefendOS itself Client IP filter Optional setting used to specify which offered IPs are valid to use In most cases this will be set to the defa...

Page 191: ...number is too large then this can degrade initial performance As leases in the prefetch cache are allocated requests are made to DHCP servers so that the cache is always full The administrator therefo...

Page 192: ...5 5 IP Pools Chapter 5 DHCP Services 192...

Page 193: ...ing a reverse lookup in the routing tables This lookup validates that the incoming traffic is coming from a source that the routing tables indicate is accessible via the interface on which the traffic...

Page 194: ...address should belong to Access Rule Actions The Access Rule actions that can be specified are Drop Discard the packets that match the defined fields Accept Accept the packets that match the defined...

Page 195: ...net network is received on the lan interface CLI gw world add Access Name lan_Access Interface lan Network lannet Action Expect Web Interface 1 Go to Rules Access 2 Select Access Rule in the Add menu...

Page 196: ...ansfer and multimedia transfer ALGs provide higher security than packet filtering since they are capable of scrutinizing all traffic for a specific protocol and perform checks at the higher levels of...

Page 197: ...associated with that Service will not be used 6 2 2 The HTTP ALG Hyper Text Transfer Protocol HTTP is the primary protocol used to access the World Wide Web WWW It is a connectionless stateless applic...

Page 198: ...he file the term filetype here is also known as the filename extension All filetypes that are checked in this way by NetDefendOS are listed in Appendix C Verified MIME filetypes When enabled any file...

Page 199: ...ltering obeys the following processing order and is similar to the order followed by the SMTP ALG 1 Whitelist 2 Blacklist 3 Web content filtering if enabled 4 Anti virus scanning if enabled As describ...

Page 200: ...tself by providing a predefined login and password After granting access the server will provide the client with a file directory listing from which it can download upload files depending on access ri...

Page 201: ...P client can be configured to use passive mode which is the recommended mode for clients The FTP server can be configured to use active mode which is the safer mode for servers When an FTP session is...

Page 202: ...t be blocked by ZoneDefense since it is outside of the configured network range The virus is however still blocked by the D Link Firewall B Blocking infected servers Depending on the company policy an...

Page 203: ...assive mode 5 Click OK B Define the Service 1 Go to Objects Services Add TCP UDP Service 2 Enter the following Name ftp inbound Type select TCP from the list Destination 21 the port the FTP server res...

Page 204: ...nternal interface needs to be NATed 1 Go to Rules IP Rules Add IPRule 2 Now enter Name NAT ftp Action NAT Service ftp inbound 3 For Address Filter enter Source Interface dmz Destination Interface core...

Page 205: ...red as follows Web Interface A Create the FTP ALG 1 Go to Objects ALG Add FTP ALG 2 Enter Name ftp outbound 3 Uncheck Allow client to use active mode 4 Check Allow server to use passive mode 5 Click O...

Page 206: ...tbound Action NAT Service ftp outbound 3 For Address Filter enter Source Interface lan Destination Interface wan Source Network lannet Destination Network all nets 4 Check Use Interface Address 5 Clic...

Page 207: ...e use of filenames containing consecutive periods Allowing Request Timeouts The NetDefendOS TFTP ALG blocks the repetition of an TFTP request coming from the same source IP address and port within a f...

Page 208: ...is allowed to pass through the ALG regardless if the address is on the blacklist or that the mail has been flagged as SPAM Verify MIME type The content of an attached file can be checked to see if it...

Page 209: ...dress entry some_domain com can be used to specify all possible email addresses for some_domain com If for example wildcarding is used in the blacklist to block all addresses for a certain company cal...

Page 210: ...emails from the blocked email server For example if a remote user is sending an infected email using a well known free email company blocking the sending server using ZoneDefense would block all futur...

Page 211: ...hese can be queried over the public Internet These lists are known as DNS Black List DNSBL databases and the information is accessible using a standardized query method supported by NetDefendOS The im...

Page 212: ...2 7 Alternative Actions for Dropped SPAM If the calculated sum is greater than or equal to the Drop threshold value then the email is not forwarded to the intended recipient Instead the administrator...

Page 213: ...t server will be automatically subtracted from both the SPAM and Drop thresholds for the scoring calculation done for that email If enough DNSBL servers do not respond then this subtraction could mean...

Page 214: ...dropped email will be sent as an alternative to simply discarding it Optionally specify that the TXT messages sent by the DNSBL servers that failed are inserted into the header of these emails Cachin...

Page 215: ...kLists 4 Disabled BlackLists 0 Current Sessions 0 Statistics Total number of mails checked 0 Number of mails dropped 0 Number of mails spam tagged 0 Number of mails accepted 0 BlackList Status Value T...

Page 216: ...LG and a fuller description of how it works can be found in Section 6 2 2 The HTTP ALG Anti Virus Scanning The NetDefendOS Anti Virus subsystem can optionally scan email attachments searching for mali...

Page 217: ...and Proxy Server are logical entities and may in fact reside on the same physical server SIP Media related Protocols A SIP session makes use of a number of protocols These are SDP Session Description...

Page 218: ...ges can bypass the proxies This facilitates scaling since proxies are used only for the initial SIP message exchange The disadvantage of removing proxies from the session is that NetDefendOS IP rules...

Page 219: ...tected side The SIP proxy is located on the local protected side of the D Link Firewall and can handle registrations from both clients located on the same local network as well as clients on the exter...

Page 220: ...ype set to TCP UDP 3 Define two rules in the IP rule set A NAT rule for outbound traffic from clients on the internal network to the SIP Proxy Server located externally The SIP ALG will take care of a...

Page 221: ...est Interface Dest Network Allow or NAT lan lannet wan ip_proxy Allow wan ip_proxy lan or core lannet or wan_ip Without the Record Route option enabled the IP rules would be as shown below the changes...

Page 222: ...rule This translation will occur both on the IP level and the application level Neither the clients or the proxies need to be aware that the local clients are being NATed If Record Route is enabled o...

Page 223: ...Clients Allow lan lannet ip_proxy wan all nets InboundTo Proxy Clients Allow wan all nets lan lannet ip_proxy If Record Route is enabled then the networks in the above rules can be further restricted...

Page 224: ...the DMZ interface must be a globally routable IP address This address can be the same address as the one used on the external interface The setup steps are as follows 1 Define a single SIP ALG object...

Page 225: ...P address of the DMZ interface The reason for this is because local clients will be NATed using the IP address of the DMZ interface when they register with the proxy located on the DMZ This rule has c...

Page 226: ...et InboundFromProxy Allow dmz ip_proxy core dmz_ip InboundToProxy Allow wan all nets dmz ip_proxy With Record Route disabled the following IP rules must be added to those above Action Src Interface Sr...

Page 227: ...H 245 Media Control and Transport Provides control of multimedia sessions established between two H 323 endpoints Its most important task is to negotiate opening and closing of logical channels A log...

Page 228: ...es and the administrator needs to be sure about IP addresses and routes used in a particular scenario Gatekeeper Registration Lifetime The gatekeeper registration lifetime can be controlled in order t...

Page 229: ...t Destination Network 0 0 0 0 0 all nets Comment Allow outgoing calls 3 Click OK Incoming Rule 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323AllowIn Action Allow Service H323 Source Interface...

Page 230: ...phone Web Interface Outgoing Rule 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323Out Action NAT Service H323 Source Interface lan Destination Interface any Source Network lannet Destination N...

Page 231: ...ddress Example 6 6 Two Phones Behind Different D Link Firewalls This scenario consists of two H 323 phones each one connected behind the D Link Firewall on a network with public IP addresses In order...

Page 232: ...here are no rules disallowing or allowing the same kind of ports traffic before these rules As we are using private IPs on the phones incoming traffic need to be SATed as in the example below The obje...

Page 233: ...multiple H 323 phones are placed behind the firewall one SAT rule has to be configured for each phone This means that multiple external addresses have to be used However it is preferable to use an H 3...

Page 234: ...H323 Gatekeeper Source Interface any Destination Interface core Source Network 0 0 0 0 0 all nets Destination Network wan_ip external IP of the firewall Comment Allow incoming communication with the G...

Page 235: ...make sure there are no rules disallowing or allowing the same kind of ports traffic before these rules Web Interface 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323Out Action NAT Service H323...

Page 236: ...d that all offices use private IP ranges on their local networks All outside calls are done over the existing telephone network using the gateway ip gateway connected to the ordinary telephone network...

Page 237: ...ination Interface lan Source Network ip gateway Destination Network lannet Comment Allow communication from the Gateway to H 323 phones on lannet 3 Click OK 1 Go to Rules IP Rules Add IPRule 2 Now ent...

Page 238: ...Now enter Name ToGK Action Allow Service H323 Gatekeeper Source Interface lan Destination Interface vpn hq Source Network lannet Destination Network hq net Comment Allow communication with the Gatekee...

Page 239: ...therefore easily have secure server access without requiring additional software The Relationship with SSL TLS is a successor to the Secure Sockets Layer SSL but the differences are slight Therefore f...

Page 240: ...ocessing advantages that can be achieved can however vary and will depend on the comparative processing capabilities of the servers and the D Link Firewall Decrypted TLS traffic can be subject to othe...

Page 241: ...pher Suites Supported by NetDefendOS TLS NetDefendOS TLS supports the following cipher suites 1 TLS_RSA_WITH_3DES_EDE_CBC_SHA 2 TLS_RSA_WITH_RC4_128_SHA 3 TLS_RSA_WITH_RC4_128_MD5 4 TLS_RSA_EXPORT_WIT...

Page 242: ...filtering requires a minimum of administration effort and has very high accuracy Note All Web Content Filtering is enabled via the HTTP ALG which is described in Section 6 2 2 The HTTP ALG 6 3 2 Activ...

Page 243: ...ion as to whether they should be blocked or allowed Static and Dynamic Filter Ordering Additionally Static Content Filtering takes place before Dynamic Content Filtering described below which allows t...

Page 244: ...necessary program files which should be allowed to download CLI Start by adding an HTTP ALG in order to filter HTTP traffic gw world add ALG ALG_HTTP content_filtering Then create a HTTP ALG URL to se...

Page 245: ...The WCF URL databases are updated almost hourly with new categorized URLs while at the same time older invalid URLs are dropped The scope of the URLs in the databases is global covering websites in m...

Page 246: ...ites In other words a web site may contain particular pages that should be blocked without blocking the entire site NetDefendOS provides blocking down to the page level so that users may still access...

Page 247: ...external WCF database is not accessible URLs are allowed even though they might be disallowed if the WCF databases were accessible Example 6 15 Enabling Dynamic Web Content Filtering This example show...

Page 248: ...ites will still be accessible to the users This means the content filtering feature of NetDefendOS can then be used as an analysis tool to analysis what categories of websites are being accessed by a...

Page 249: ...propriate sites will normally do so Other will avoid those sites due to the obvious risk of exposing their surfing habits Caution If a user overrides the restricted site notice page they are allowed t...

Page 250: ...tent filtering is now activated for all web traffic from lannet to all nets and the user is able to propose reclassification of blocked sites Validate the functionality by following these steps 1 On a...

Page 251: ...ified under the Gambling category if its content includes advertisement or encouragement of or facilities allowing for the partaking of any form of gambling For money or otherwise This includes online...

Page 252: ...ategory 9 Dating Sites A web site may be classified under the Dating Sites category if its content includes facilities to submit and review personal advertisements arrange romantic meetings with other...

Page 253: ...be classified under the Personal Beliefs Cults category if its content includes the description or depiction of or instruction in systems of religious beliefs and practice Examples might be www paganf...

Page 254: ...idth This category also includes Phishing URLs which designed to capture secret user authentication details by pretending to be a legitimate organization Examples might be hastalavista baby nu Categor...

Page 255: ...ocking List This category is populated by URLs specified by a government agency and contains URLs that are deemed unsuitable for viewing by the general public by way of their very extreme nature Examp...

Page 256: ...spictured cnn com features 2002 swimsuit Category 31 Spam A web site may be classified under the Spam category if it is found to be contained in bulk or spam emails Examples might be kaqsovdij gjibhgk...

Page 257: ...ed 8 Press Save to save the changes 9 Click OK to exit editing 10 Go to User Authentication User Authentication Rules 11 Select the relevant HTML ALG and click the Agent Options tab 12 Set the HTTP Ba...

Page 258: ...er in Section 2 1 6 Secure Copy 4 Using the CLI the relevant HTTP ALG should now be set to use the mytxt banner files If the ALG us called my_http_alg the command would be set ALG_HTTP my_http_alg HTT...

Page 259: ...tion Most importantly it can act as a backup for when local client antivirus scanning is not available Enabling Through ALGs NetDefendOS Anti Virus is enabled on a per ALG basis It is available for fi...

Page 260: ...e two scanning processes can occur simultaneously and operate at different protocol levels If IDP is enabled it scans all packets designated by a defined IDP rule and does not take notice of the highe...

Page 261: ...ing is active but logging is the only action C Protect Anti Virus is active Suspect files are dropped and logged Fail mode behavior If a virus scan fails for any reason then the transfer can be droppe...

Page 262: ...es that can be checked are listed in Appendix C Verified MIME filetypes Setting the Correct System Time It is important that a NetDefendOS has the correct system time set if the auto update feature in...

Page 263: ...irus Blocking the server s IP address would only consume blocking entries in the switches For NetDefendOS to know which hosts and servers to block the administrator has the ability to specify a networ...

Page 264: ...ated in the ALG dropdown list 6 Click OK C Finally modify the NAT rule called NATHttp in this example to use the new service 1 Go to Rules IP Rules 2 In the grid control click the NAT rule handling th...

Page 265: ...t operates by monitoring network traffic as it passes through the D Link Firewall searching for patterns that indicate an intrusion is being attempted Once detected NetDefendOS IDP allows steps to be...

Page 266: ...a NetDefendOS installation and also that the database is regularly updated with the latest intrusion threats Figure 6 7 IDP Database Updating A new updated signature database is downloaded automatica...

Page 267: ...nformation about HA clusters refer to Chapter 11 High Availability 6 5 3 IDP Rules Rule Components An IDP Rule defines what kind of traffic or service should be analyzed An IDP Rule is similar in make...

Page 268: ...isting connection This provides the firewall administrator with a way to detect any traffic that appears to be an intrusion With this option the only possible IDP Rule Action is logging Caution should...

Page 269: ...atterns of data in the stream Recommended Configuration By default Insertion Evasion protection is enabled for all IDP rules and this is the recommended setting for most configurations There are two m...

Page 270: ...etect events that may be intrusions They have lower accuracy than IPS and may give some false positives so that s recommended that the Audit action is initially used before deciding to use Protect Pol...

Page 271: ...ashion with matching for the signatures for the first action specified being done first IDP Signature Wildcarding When selecting IDP signature groups it is possible to use wildcarding to select more t...

Page 272: ...mmary of IDP events that have occurred in a user configurable period of time When an IDP event occurrs the NetDefendOS will wait for Hold Time seconds before sending the notification email However the...

Page 273: ...es 1 Go to IDP IDP Rules 2 Select a rule in the grid right click and choose Edit 3 Select the action you wish to log and choose Edit 4 Check the Enable logging checkbox in the Log Settings tab 5 Click...

Page 274: ...L_SMTP Web Interface Create IDP Rule This IDP rule is called IDPMailSrvRule and applies to the SMTP service Source Interface and Source Network define where traffic is coming from in this example the...

Page 275: ...in order to match all SMTP attacks Signatures is set to IPS_MAIL_SMTP in order to use signatures that describe attacks from the external network dealing with the SMTP protocol 1 Go to IDP IDP Rules I...

Page 276: ...med Internet connections and business critical systems in overload This section deals with using D Link Firewalls to protect organizations against these attacks 6 6 2 DoS Attack Mechanisms A DoS attac...

Page 277: ...h in turn generates yet another response to itself etc This will either bog the victim s machine down or make it crash The attack is accomplished by using the victim s IP address in the source field o...

Page 278: ...addresses will be those of the amplifier networks used Fraggle attacks will show up in NetDefendOS logs as masses of dropped or allowed depending on policy packets The source IP addresses will be thos...

Page 279: ...bject has an ALG associated with it then the ALG will be disabled 6 6 9 The Jolt2 Attack The Jolt2 attack works by sending a steady stream of identical fragments at the victim machine A few hundred pa...

Page 280: ...Blacklisting If there are established connections that have the same source as this new Blacklist entry then they will not be dropped if this option is set IP addresses or networks are added to the l...

Page 281: ...iewed with the command gw world blacklist show black This blacklist command can be used to remove a host from the blacklist using the unblock option Example 6 22 Adding a Host to the Whitelist In this...

Page 282: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 282...

Page 283: ...tion NAT Static Address Translation SAT Both types of translation are policy based in NetDefendOS which means that they can be applied to specific traffic based on the source destination network inter...

Page 284: ...32 768 simultaneous NAT connections that can use the same translated source IP address This is normally adequate for all but the most extreme scenarios The Source IP Address Used for Translation Ther...

Page 285: ...server then processes the packet and sends its response 195 55 66 77 80 195 11 22 33 32789 4 NetDefendOS receives the packet and compares it to its list of open connections Once it finds the connecti...

Page 286: ...the same server using different IP protocols Several internal machines can not communicate with the same external server using the same IP protocol Note These restrictions apply only to IP level proto...

Page 287: ...hey are coming from the anonymizing service provider s external IP address and not the client s IP The application therefore sends its responses back to the firewall which relays the traffic back to t...

Page 288: ...s The advantage of the stateful approach is that it can balance connections across several external ISP links while ensuring that an external host will always communicate back to the same IP address w...

Page 289: ...IP Pool Usage When allocating external IP addresses to a NAT Pool it is not necessary to explicitly state these Instead a NetDefendOS IP Pool object can be selected IP Pools gather collections of IP a...

Page 290: ...NAT Pools Add NAT Pool 2 Now enter Name stateful_natpool Pool type stateful IP Range nat_pool_range 3 Select the Proxy ARP tab and add the WAN interface 4 Click OK C Now define the NAT rule in the IP...

Page 291: ...ual Server in some other manufacturer s products Example 7 3 Enabling Traffic to a Protected Web Server in a DMZ In this example we will create a SAT policy that will translate and allow connections f...

Page 292: ...nternal machines to be dynamically address translated to the Internet In this example we use a rule that permits everything from the internal network to access the Internet via NAT hide Action Src Ifa...

Page 293: ...Enabling Traffic to a Web Server on an Internal Network The example we have decided to use is that of a web server with a private address located on an internal network From a security standpoint thi...

Page 294: ...ket to wan_ip to reach www ourcompany com 10 0 0 3 1038 195 55 66 77 80 NetDefendOS address translates this statically in accordance with rule 1 and dynamically in accordance with rule 2 10 0 0 1 3278...

Page 295: ...the public IP addresses on the wan interface using the ARP publish mechanism Create a SAT rule that will perform the translation Create an Allow rule that will permit the incoming HTTP connections CL...

Page 296: ...Now enter Mode Publish Interface wan IP Address 195 55 66 77 3 Click OK and repeat for all 5 public IP addresses Create a SAT rule for the translation 1 Go to Rules IP Rules Add IPRule 2 Specify a su...

Page 297: ...ort Address Translation PAT can be used to modify the source or destination port Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any all nets wan wwwsrv_pub TCP 80 85 SETDEST 192 168 0 5...

Page 298: ...lating the sender address whilst the other is translating the destination address Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any all nets core wwwsrv_pub TCP 80 85 SETDEST 192 168 0...

Page 299: ...ETDEST wwwsrv 80 2 SAT lan wwwsrv any all nets 80 All SETSRC wan_ip 80 3 NAT lan lannet any all nets All 4 FwdFast any all nets core wan_ip http 5 FwdFast lan wwwsrv any all nets 80 All What happens n...

Page 300: ...mechanism 7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 300...

Page 301: ...7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 301...

Page 302: ...em is that the feature often cannot be replaced if it is lost Methods B and C are therefore the most common in network security However these have drawbacks keys might be intercepted passcards might b...

Page 303: ...Changed on a regular basis such as every three months 8 1 Overview Chapter 8 User Authentication 303...

Page 304: ...efendOS A RADIUS server which is external to the D Link Firewall An LDAP Server which is also external to the D Link Firewall 8 2 2 The Local Database The Local User Database is a built in registry in...

Page 305: ...nk Firewall acting as a client to one or more LDAP servers Multiple servers can be configured to provide redundancy if any servers become unreachable Setting Up LDAP Authentication There are two steps...

Page 306: ...ame Username Postfix When authenticating this will add domain name after the username If the choice is other than None the Domain Name parameter option described below should be specified Routing Tabl...

Page 307: ...user is authenticated 2 The server replies with a negative response and the user is not authenticated 3 The server does not respond within the Timeout period specified for the server If only one serve...

Page 308: ...S would theoretically need to retrieve the password or password digest from the LDAP server However LDAP doesn t support either To solve the password authentication problem an optional Password Attrib...

Page 309: ...he D Link Firewall is to be prompted for a username password login sequence Authentication Rules are set up in a way that is similar to other NetDefendOS security policies by specifying which traffic...

Page 310: ...h is that a single authentication database must be used for all IPsec tunnels Connection Timeouts An Authentication Rule can specify the following timeouts related to a user session Idle Timeout How l...

Page 311: ...the IP rule set That rule s Source Network object has either the No Defined Credentials option enabled or alternatively it is associated with a group and the user is also a member of that group 8 If...

Page 312: ..._ip IP address which is the IP address of the interface on the D Link Firewall where the local network connects The second rule allows normal surfing activity but we cannot just use lannet as the sour...

Page 313: ...oup names here separated by a comma users for this example 3 Click OK 4 Repeat Step B to add all the lannet users having the membership of users group into the lannet_auth_users folder Example 8 2 Use...

Page 314: ...following steps illustrate how a RADIUS server is typically configured Web Interface 1 User Authentication External User Databases Add External User Database 2 Now enter a Name Enter a name for the se...

Page 315: ...available for editing have the following names FormLogin LoginSuccess LoginFailure LoginAlreadyDone LoginChallenge LoginChallengeTimeout LoginSuccess LoginSuccessBasicAuth LoginFailure FileNotFound Ed...

Page 316: ...he HTML source that appears in the text box for the Forbidden URL page 7 Use Preview to check the layout if required 8 Press Save to save the changes 9 Click OK to exit editing 10 Go to Objects ALG an...

Page 317: ...load command would be pscp my html admin 10 5 62 11 HTTPAuthBanners ua_html FormLogin The usage of SCP clients is explained further in Section 2 1 6 Secure Copy 4 Using the CLI the relevant user authe...

Page 318: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 318...

Page 319: ...ally important that the recipient can verify that no one is falsifying data in other words pretending to be someone else Virtual Private Networks VPNs meet this need providing a highly cost effective...

Page 320: ...yed hashes Non repudiation Proof that the sender actually sent the data the sender cannot later deny having sent it Non repudiation is usually a side effect of authentication VPNs are normally only co...

Page 321: ...e it is usually possible to dictate the types of communication permitted and NetDefendOS VPN has this feature 9 1 4 Key Distribution Key distribution schemes are best planned in advance Issues that ne...

Page 322: ...ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 322...

Page 323: ...bject if the default algorithm proposal lists do not provide a set of algorithms that are acceptable to the tunnel remote end point This will depend on the capabilities of the device at the other end...

Page 324: ...keys but sometimes it may be desirable to use X 509 certificates instead If this is the case Certificate Authority CA signed certificates may be used and these come from an internal CA server or from...

Page 325: ...rations for certificate validation 9 2 3 IPsec Roaming Clients with Pre shared Keys This section details the setup with roaming clients connecting through an IPsec tunnel with pre shared keys There ar...

Page 326: ...ets 0 0 0 0 0 2 The IPsec Tunnel object ipsec_tunnel should have the following parameters Set Local Network to lannet Set Remote Network to all nets Set Remote Endpoint to all nets Set Encapsulation m...

Page 327: ...psec_tunnel Configuring IPsec Clients In both cases A and B above the IPsec client will need to be correctly configured The client configuration will require the following with as well as the pre shar...

Page 328: ...hat an IP address might be accidentally used on the internal network and handed out to a client Use a new address range that is totally different to any internal network This prevents any chance of an...

Page 329: ...ules should be defined in the IP rule set Action Src Interface Src Network Dest Interface Dest Network Service Allow l2tp_tunnel l2tp_pool any int_net All NAT ipsec_tunnel l2tp_pool ext all nets All T...

Page 330: ...ot being able to NAT PPTP connections through a tunnel so multiple clients can use a single connection to the D Link Firewall If NATing is tried then only the first client that tries to connect will s...

Page 331: ...ts 0 0 0 0 0 4 Now set up the IP rules in the IP rule set Action Src Interface Src Network Dest Interface Dest Network Service Allow pptp_tunnel pptp_pool any int_net All NAT pptp_tunnel pptp_pool ext...

Page 332: ...detail 9 3 2 Internet Key Exchange IKE This section describes IKE the Internet Key Exchange protocol and the parameters that are used with it Encrypting and authenticating data is fairly straightforw...

Page 333: ...of how to protect IPsec data flows The VPN device initiating an IPsec connection will send a list of the algorithms combinations it supports for protecting the connection and it is then up to the devi...

Page 334: ...subsequent keys can be derived Once the phase 2 negotiation is finished the VPN connection is established and ready for use IKE Parameters There are a number of parameters used in the negotiation pro...

Page 335: ...ode Main Aggressive Mode The IKE negotiation has two modes of operation main mode and aggressive mode The difference between these two is that aggressive mode will pass more information in fewer packe...

Page 336: ...n This value must be set greater than the IPsec SA lifetime PFS With Perfect Forwarding Secrecy PFS disabled initial keying material is created during the key exchange in phase 1 of the IKE negotiatio...

Page 337: ...ryption and authentication session keys If the VPN connection has not been used during the last re key period the connection will be terminated and re opened from scratch when the connection is needed...

Page 338: ...lnerable for something called replay attacks meaning a malicious entity which has access to the encrypted traffic can record some packets store them and send them to its destination at a later time Th...

Page 339: ...the added complexity Certificate based authentication may be used as part of a larger public key infrastructure making all VPN clients and firewalls dependent on third parties In other words there are...

Page 340: ...aversal Both IKE and IPsec protocols present a problem in the functioning of NAT Both protocols were not designed to work through NATs and because of this a technique called NAT traversal has evolved...

Page 341: ...raversal functionality is completely automatic and in the initiating firewall no special configuration is needed However for responding firewalls two points should be noted On responding firewalls the...

Page 342: ...d while being transmitted Note that this example does not illustrate how to add the specific IPsec tunnel object It will also be used in a later example CLI First create a list of IPsec Algorithms gw...

Page 343: ...Shared key This example shows how to create a Pre shared Key and apply it to a VPN tunnel Since regular words and phrases are vulnerable to dictionary attacks they should not be used as secrets Here t...

Page 344: ...st contains one or more identities IDs where each identity corresponds to the subject field in a certificate Identification lists can thus be used to regulate what certificates that are given access t...

Page 345: ...ink com 6 Click OK Finally apply the Identification List to the IPsec tunnel 1 Go to Interfaces IPsec 2 In the grid control click on the IPsec tunnel object of interest 3 Under the Authentication tab...

Page 346: ...he remote firewall specified by the matching IPsec Tunnel definition Note IKE and ESP AH traffic are sent to the IPsec engine before the rule set is consulted Encrypted traffic to the firewall therefo...

Page 347: ...n from everywhere irrespective of their IP address then the Remote Network needs to be set to all nets IP address 0 0 0 0 0 which will allow all existing IPv4 addresses to connect through the tunnel W...

Page 348: ...firewall IP wan_ip Web Interface A Create a Self signed Certificate for IPsec authentication The step to actually create self signed certificates is performed outside the WebUI using a suitable softw...

Page 349: ...f steps Most importantly it is the responsibility of the administrator to acquire the appropriate certificate from an issuing authority With some systems such as Windows 2000 Server there is built in...

Page 350: ...Certificates as the authentication method Root Certificate s Select your CA server root certificate imported earlier and add it to the Selected list Gateway Certificate Choose your newly created fire...

Page 351: ...BNS WINS resolution already provided by an IP Pool DHCP Instructs the host to send any internal DHCP requests to this address Subnets A list of the subnets that the client can access Example 9 7 Setti...

Page 352: ...this information is missing or the administrator wishes to use another LDAP server The LDAP configuration section can then be used to manually specify alternate LDAP servers Example 9 9 Setting up an...

Page 353: ...e referred to in this section as the client and server In this context the word client is used to refer to the device which is the initiator of the negotiation and the server refers to the device whic...

Page 354: ...ta length 16 bytes Vendor ID 8f 9c c9 4e 01 24 8e cd f1 47 59 4c 28 4b 21 3b Description SSH Communications Security QuickSec 2 1 0 VID Vendor ID Payload data length 16 bytes Vendor ID 27 ba b5 dc 01...

Page 355: ...ies 0x6098238b67d97ea6 0x5e347cb76e95a Message ID 0x00000000 Packet length 224 bytes payloads 8 Payloads SA Security Association Payload data length 52 bytes DOI 1 IPsec DOI Proposal 1 1 Protocol 1 1...

Page 356: ...tion main mode ISAKMP Version 1 0 Flags Cookies 0x6098238b67d97ea6 0x5e347cb76e95a Message ID 0x00000000 Packet length 220 bytes payloads 4 Payloads KE Key Exchange Payload data length 128 bytes NONCE...

Page 357: ...y flag used ID Identification of the client The Notification field is given as Initial Contact to indicate this is not a re key Step 6 Server ID Response The server now responds with its own ID IkeSno...

Page 358: ...e type Seconds SA life duration 21600 SA life type Kilobytes SA life duration 50000 Encapsulation mode Tunnel Transform 3 4 Transform ID Blowfish Key length 128 Authentication algorithm HMAC MD5 SA li...

Page 359: ...ersion 1 0 Flags E encryption Cookies 0x6098238b67d97ea6 0x5e347cb76e95a Message ID 0xaa71428f Packet length 156 bytes payloads 5 Payloads HASH Hash Payload data length 16 bytes SA Security Associatio...

Page 360: ...les Default 4 times the license limit of IPsec Max Tunnels IPsec Max Tunnels Specifies the total number of tunnels allowed by NetDefendOS This value is usually taken from the license but in situations...

Page 361: ...icate may in turn be signed by another CA which may be signed by another CA and so on Each certificate will be verified until one that has been marked as trusted is found or until it is determined tha...

Page 362: ...for this setting is that it is the amount of time in tens of seconds that an SA will remain in the dead cache after a delete An SA is put in the dead cache when the other side of the tunnel has not r...

Page 363: ...lementation PPTP can be used in the VPN context to tunnel different protocols across the Internet Tunneling is achieved by encapsulating PPP packets in IP datagrams using Generic Routing Encapsulation...

Page 364: ...m Allowed Networks 6 Click OK Use User Authentication Rules is enabled as default To be able to authenticate the users using the PPTP tunnel you also need to configure authentication rules which will...

Page 365: ...d Networks control 6 Click OK Use User Authentication Rules is enabled as default To be able to authenticate the users using the PPTP tunnel you also need to configure authentication rules which is no...

Page 366: ...ransport e IKE Algorithms High f IPsec Algorithms esp l2tptunnel 4 Enter 3600 in the IPsec Life Time seconds control 5 Enter 250000 in the IPsec Life Time kilobytes control 6 Under the Authentication...

Page 367: ...Web Interface 1 Go to User Authentication User Authentication Rules Add UserAuthRule 2 Enter a suitable name for the rule for example L2TP_Auth 3 Now enter Agent PPP Authentication Source Local Interf...

Page 368: ...ervices Source Interface l2tp_tunnel Source Network l2tp_pool Destination Interface any Destination Network all nets 8 Click OK 9 5 3 L2TP PPTP Server advanced settings The following L2TP PPTP server...

Page 369: ...ress If this network object exists and has a value which is not 0 0 0 0 then the PPTP L2TP client will try to get that one from the PPTP L2TP server as the preferred IP Automatically pick name If this...

Page 370: ...ting as a PPTP client which is trying to connect to the PPTP server then this will not work because of the NATing The only way of achieving multiple PPTP clients being NATed like this is for the D Lin...

Page 371: ...The following scenarios are possible 1 The CA server is a private server behind the D Link Firewall and the tunnels are set up over the public Internet but to clients that will not try to validate the...

Page 372: ...ion Components CA Server Access by Clients In a VPN tunnel with roaming clients connecting to the D Link Firewall the VPN client software may need to access the CA server Not all VPN client software w...

Page 373: ...must be configured in NetDefendOS so that these requests can be resolved Turning Off FQDN Resolution As explained in the troubleshooting section below identifying problems with CA server access can b...

Page 374: ...IP also belongs to the network behind the D Link Firewall accessible through a tunnel then Windows will still continue to assume that the IP address is to be found on the client s local network Window...

Page 375: ...14 237 225 43 84 13 193 179 84 13 193 179 IPsec_Tun1 192 168 0 0 24 172 16 1 0 24 82 242 91 203 To examine the first IKE negotiation phase of tunnel setup use ipsecstat ike To get complete details of...

Page 376: ...the management traffic being routed back through the VPN tunnel instead of the correct interface This happens when a route is established in the main routing table which routes any traffic for all ne...

Page 377: ...Management Interface Failure with VPN Chapter 9 VPN 377...

Page 378: ...ater in this chapter DSCP bits can be used by the NetDefendOS traffic shaping subsystem as a basis for prioritizing traffic passing through the D Link Firewall The Traffic Shaping Solution Architectur...

Page 379: ...are Pipes Pipe Rules Pipes A Pipe is the fundamental object for traffic shaping and is a conceptual channel through which packets of data can flow It has various characteristics that define how traff...

Page 380: ...rm a Chain of pipes through which traffic will pass A chain can be made up of at most 8 pipes If no pipe is specified in a list then traffic that matches the rule will not flow through any pipe but it...

Page 381: ...e passed through the pipe and this is done by using the pipe in a Pipe Rule We will use the above pipe to limit inbound traffic This limit will apply to the actual data packets and not the connections...

Page 382: ...forward chain will not work since you probably want 2 Mbps limit for outbound traffic to be separate from the 2 Mbps limit for inbound traffic If we try to pass 2 Mbps of outbound traffic through the...

Page 383: ...created earlier Unfortunately this will not achieve the desired effect which is allocating a maximum of 125 kbps to inbound surfing traffic as part of the 250 kbps total Inbound traffic will pass thro...

Page 384: ...of the Diffserv architecture where the Type of Service ToS bits are included in the IP packet header Pipe Precedences When a pipe is configured a Default Precedence a Minimum Precedence and a Maximum...

Page 385: ...a higher priority than all other traffic To do this we add a Pipe Rule specifically for SSH and Telnet and set the priority in the rule to be a higher priority say 2 We specify the same pipes in this...

Page 386: ...es not pose much of a problem here but it becomes more pronounced as your traffic shaping scenario becomes more complex The number of precedences is limited This may not be sufficient in all cases eve...

Page 387: ...ss so that port 1024 of computer A is not the same as port 1024 of computer B and individual connections are identifiable If grouping by network is chosen the network size should also be specified thi...

Page 388: ...it per user to about 13 kbps 64 kbps divided by 5 users Dynamic Balancing takes place within each precedence of a pipe individually This means that if users are allotted a certain small amount of high...

Page 389: ...ded for NetDefendOS to adapt to changing conditions Attacks on Bandwidth Traffic shaping cannot protect against incoming resource exhaustion attacks such as DoS attacks or other flooding attacks NetDe...

Page 390: ...rwarded basis Within a pipe traffic can also be separated on a Group basis For example by source IP address Each user in a group for example each source IP address can be given a maximum limit and pre...

Page 391: ...amic Balancing enabled on the pipes means that all users will be allocated a fair share of this capacity Using Several Precedences We now extend the above example by allocating priorities to different...

Page 392: ...fic shaping is occurring inside a single D Link Firewall VPN is typically used for communication between a headquarters and branch offices in which case pipes can control traffic flow in both directio...

Page 393: ...site is guaranteed 500 kbps of capacity before it is forced to best effort SAT with Pipes If SAT is being used for example with a web server or ftp server that traffic also needs to be forced into pi...

Page 394: ...is a combination of these two features where traffic flows identified by the IDP subsystem automatically trigger the setting up of traffic shaping pipes to control those flows 10 2 2 Setup The steps...

Page 395: ...s a source or destination IP that is the same as the connection that did trigger a rule If the source or destination is also a member of the IP range specified as the Network then the connection s tra...

Page 396: ...ansfer The sequence of events is The client with IP address 192 168 1 15 initiates a P2P file transfer through a connection 1 to the tracking server at 81 150 0 10 This connection triggers an IDP rule...

Page 397: ...istinctive naming convention which is explained next Pipe Naming NetDefendOS names the pipes it automatically creates in IDP Traffic Shaping using the pattern IDPPipe_ bandwidth for pipes with upstrea...

Page 398: ...ffic Shaping generates log messages on the following events When an IDP rule with the Pipe option has triggered and either host or client is present in the Network range When the subsystem adds a host...

Page 399: ...onditions A Threshold has the following parameters Action The response to exceeding the limit either Audit or Protect Group By Either Host or Network based Threshold The numerical limit which must be...

Page 400: ...10 3 7 Threshold Rules and ZoneDefense Threshold Rules are used in the D Link ZoneDefense feature to block the source of excessive connection attmepts from internal hosts For more information on this...

Page 401: ...rmance of applications but also scalability by allowing a cluster of multiple servers sometimes referred to as a server farm to handle many more requests than a single server The illustration below sh...

Page 402: ...e are following issues should be considered when deploying SLB The servers across which the load is to be balanced The load distribution mode The SLB algorithm used The monitoring method Each of these...

Page 403: ...t stickiness it will behave as a Round Robin algorithm that allocates new connections to servers in an orderly fashion It will also behave like the Round Robin algorithm if there are always clients wi...

Page 404: ...ead R1 and R2 will be sent to the same server because of stickiness but the subsequent requests R3 and R4 will be routed to another server since the number of new connections on each server within the...

Page 405: ...up which included all these objects 3 Define an SLB_SAT Rule in the IP rule set which refers to this Group and where all other SLB parameters are defined 4 Define a further rule that duplicates the so...

Page 406: ...ame for example server1 3 Enter the IP Address as 192 168 1 10 4 Click OK 5 Repeat the above to create an object called server2 for the 192 168 1 11 IP address B Create a Group which contains the 2 we...

Page 407: ...Allow IP rule for the external clients 1 Go to Rules IP Rule Sets main Add IP Rule 2 Enter Name Web_SLB_ALW Action Allow Service HTTP Source Interface any Source Network all nets Destination Interfac...

Page 408: ...10 4 6 SLB_SAT Rules Chapter 10 Traffic Management 408...

Page 409: ...s sometimes known as an active passive HA implementation The Master and Active Units When reading this section on HA it should be kept in mind that the master unit in a cluster is not always the same...

Page 410: ...rate between two D Link Firewalls As the internal operation of different firewall manufacturer s software is completely dissimilar there is no common method available to communicating state informatio...

Page 411: ...e sending firewall The destination IP is the broadcast address on the sending interface The IP TTL is always 255 If NetDefendOS receives a cluster heartbeat with any other TTL it is assumed that the p...

Page 412: ...ndOS cluster has the Anti Virus or IDP subsystems enabled then updates to the Anti Virus signature database or IDP pattern database will routinely occur These updates involve downloads from the extern...

Page 413: ...on the master and slave which is to be used by the units for monitoring each other and connect them together with an Ethernet crossover cable This will be the NetDefendOS sync interface It is recomme...

Page 414: ...ed If an interface is not assigned an individual address through an IP4 HA Address object then it must be assigned the default address localhost which is an IP address from the subnet 127 0 0 0 8 ARP...

Page 415: ...configuration log on to either the master or the slave make the change then save and activate The change is automatically made to both units 11 3 3 Verifying the Cluster is Functioning To verify that...

Page 416: ...Use Unique Shared MAC Address By default this is enabled and in most configurations it should not need to be disabled The effect of enabling this setting is that a single unique MAC address will be us...

Page 417: ...luster ID Changing the cluster ID in a live environment is not recommended for two reasons Firstly this will change the hardware address of the shared IPs and will cause problems for all units attache...

Page 418: ...explanation of this setting see Section 11 3 4 Using Unique Shared Mac Addresses Default Enabled Deactivate Before Reconf If enabled this setting will make an active node failover to the inactive node...

Page 419: ...11 5 HA Advanced Settings Chapter 11 High Availability 419...

Page 420: ...old can be dynamically blocked using the ZoneDefense feature Thresholds are based on either the number of new connections made per second or on the total number of connections being made These connect...

Page 421: ...3 02 B12 or later DES 3526 R3 x Version R3 06 B20 only DES 3526 R4 x Version R4 01 B19 or later DES 3550 R3 x Version R3 05 B38 only DES 3550 R4 x Version R4 01 B19 or later DES 3800 Series Version R2...

Page 422: ...eeded The limit can be one of two types Connection Rate Limit This can be triggered if the rate of new connections per second to the firewall exceeds a specified threshold Total Connections Limit This...

Page 423: ...ds this limitation the firewall will block the specific host in network range 192 168 2 0 24 for example from accessing the switch completely A D Link switch model DES 3226S is used in this case with...

Page 424: ...g feature NetDefendOS can first identify a virus source through antivirus scanning and then block the source by communicating with switches configured to work with ZoneDefense This feature is activate...

Page 425: ...or network one rule per switch port is needed When this limit has been reached no more hosts or networks will be blocked out Important ZoneDefense uses a range of the ACL rule set on the switch To avo...

Page 426: ...12 3 5 Limitations Chapter 12 ZoneDefense 426...

Page 427: ...47 Miscellaneous Settings page 448 13 1 IP Level Settings Log Checksum Errors Logs occurrences of IP packets containing erroneous checksums Normally this is the result of the packet being damaged duri...

Page 428: ...he action taken on packets whose TTL falls below the stipulated TTLMin value Default DropLog Multicast TTL on Low What action to take on too low multicast TTL values Default DropLog Default TTL Indica...

Page 429: ...g IP Options Timestamps Time stamp options instruct each router and firewall on the packet s route to indicate at what time the packet was forwarded along the route These options do not occur in norma...

Page 430: ...ts equal to or smaller than the size specified by this setting Default 65535 bytes Multicast Mismatch option What action to take when ethernet and IP multicast addresses does not match Default DropLog...

Page 431: ...cording to the next setting Default 1460 bytes TCP MSS VPN Max As is the case with TCPMSSMax this is the highest Maximum Segment Size allowed However this setting only controls MSS in VPN connections...

Page 432: ...ACK individual packets instead of entire series which can increase the performance of connections experiencing extensive packet loss They are also used by OS Fingerprinting SACK is a common occurrence...

Page 433: ...that a new connection is in the process of being opened and an URG flag means that the packet contains data requiring urgent attention These two flags should not be turned on in a single packet as the...

Page 434: ...ingerprinting Note an upcoming standard called Explicit Congestion Notification also makes use of these TCP flags but as long as there are only a few operating systems supporting this standard the fla...

Page 435: ...e most significant impact of this will be that common web surfing traffic short but complete transactions requested from a relatively small set of clients randomly occurring with an interval of a few...

Page 436: ...ng limits how many Rejects per second may be generated by the Reject rules in the Rules section Default 500 Silently Drop State ICMPErrors Specifies if NetDefendOS should silently drop ICMP errors per...

Page 437: ...etermining whether the remote peer is attempting to open a new connection Default Enabled Log State Violations Determines if NetDefendOS logs packets that violate the expected state switching diagram...

Page 438: ...nostic and testing purposes since it generates unwieldy volumes of log messages and can also significantly impair throughput performance Default Disabled Dynamic Max Connections Allocate the Max Conne...

Page 439: ...may idle before finally being closed Connections reach this state when a packet with its FIN flag on has passed in any direction Default 80 UDP Idle Lifetime Specifies in seconds how long UDP connecti...

Page 440: ...ther Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before it is closed Default 130 13 5 Connection Timeout Settings Chapter 13 Advanced Settings 440...

Page 441: ...any real time applications use large fragmented UDP packets If no such protocols are used the size limit imposed on UDP packets can probably be lowered to 1480 bytes Default 60000 Max ICMP Length Spec...

Page 442: ...e of an IP in IP packet IP in IP is used by Checkpoint Firewall 1 VPN connections when IPsec is not used This value should be set at the size of the largest packet allowed to pass through the VPN conn...

Page 443: ...track DropPacket Discards the illegal fragment and all previously stored fragments Will not allow further fragments of this packet to pass through during ReassIllegalLinger seconds DropLogPacket As Dr...

Page 444: ...ts have been involved LogSuspectSubseq As LogSuspect but also logs subsequent fragments of the packet as and when they arrive LogAll Logs all failed reassembly attempts LogAllSubseq As LogAll but also...

Page 445: ...send 1480 byte fragments and a router or VPN tunnel on the route to the recipient subsequently reduce the effective MTU to 1440 bytes This would result in the creation of a number of 1440 byte fragme...

Page 446: ...ket has been marked as illegal NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving Default 60 13 7 Fragmentation...

Page 447: ...oncurrent local reassemblies Default 256 Max Size Maximum size of a locally reassembled packet Default 10000 Large Buffers Number of large over 2K local reassembly buffers of the above size Default 32...

Page 448: ...ssociated settings limit memory used by the re assembly subsystem This setting specifies how many connections can use the re assembly system at the same time It is expressed as a percentage of the tot...

Page 449: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 449...

Page 450: ...Registration manual which explains registration and update service procedures in more detail is available for download from the D Link website Subscription renewal In the Web interface go to Maintena...

Page 451: ...db IDP To remove the Anti Virus database use the command gw world removedb Antivirus Once removed the entire system should be rebooted and a database update initiated Removing the database is also rec...

Page 452: ...ITAS Backup solutions BOT_GENERAL Activities related to bots including those controlled by IRC channels BROWSER_FIREFOX Mozilla Firefox BROWSER_GENERAL General attacks targeting web browsers clients B...

Page 453: ...on IP_OVERFLOW Overflow of IP protocol implementation IRC_GENERAL Internet Relay Chat LDAP_GENERAL General LDAP clients servers LDAP_OPENLDAP Open LDAP LICENSE_CA LICENSE License management for CA sof...

Page 454: ...RSYNC_GENERAL Rsync SCANNER_GENERAL Generic scanners SCANNER_NESSUS Nessus Scanner SECURITY_GENERAL Anti virus solutions SECURITY_ISS Internet Security Systems software SECURITY_MCAFEE McAfee SECURITY...

Page 455: ...ENERAL Virus VOIP_GENERAL VoIP protocol and implementation VOIP_SIP SIP protocol and implementation WEB_CF FILE INCLUSION Coldfusion file inclusion WEB_FILE INCLUSION File inclusion WEB_GENERAL Web ap...

Page 456: ...letype extension Application 3ds 3d Studio files 3gp 3GPP multimedia file aac MPEG 2 Advanced Audio Coding File ab Applix Builder ace ACE archive ad3 Dec systems compressed Voice File ag Applix Graphi...

Page 457: ...inHex 4 compressed archive icc Kodak Color Management System ICC Profile icm Microsoft ICM Color Profile file ico Windows Icon file imf Imago Orpheus module sound data Inf Sidplay info file it Impulse...

Page 458: ...Network Graphic ppm PBM Portable Pixelmap Graphic ps PostScript file psa PSA archive data psd Photoshop Format file qt mov moov QuickTime Movie file qxd QuarkXpress Document ra ram RealMedia Streaming...

Page 459: ...e Player Streaming Video file wav Waveform Audio wk Lotus 1 2 3 document wmv Windows Media file wrl vrml Plain Text VRML file xcf GIMP Image file xm Fast Tracker 2 Extended Module audio file xml XML f...

Page 460: ...7 Layers of the OSI Model Layer number Layer purpose Layer 7 Application Layer 6 Presentation Layer 5 Session Layer 4 Transport Layer 3 Network Layer 2 Data Link Layer 1 Physical Layer Functions The d...

Page 461: ...2600 Glostrup Copenhagen Denmark TEL 45 43 969040 FAX 45 43 424347 Website www dlink dk Egypt 47 El Merghany street Heliopolis Cairo Egypt TEL 202 2919035 202 2919047 FAX 202 2919051 Website www dlin...

Page 462: ...6 Moscow 129626 Russia TEL 7 495 744 0099 FAX 7 495 744 0099 350 Website www dlink ru Singapore 1 International Business Park 03 12 The Synergy Singapore 609917 TEL 65 6774 6233 FAX 65 6774 6322 Websi...

Page 463: ...LG 216 in the SMTP ALG 207 memory requirements 259 relationship with IDP 260 simultaneous scans 259 with zonedefense 263 application layer gateway see ALG ARP 94 advanced settings 97 98 cache 94 gratu...

Page 464: ...8 categories 250 dynamic WCF 245 override 249 phishing 254 setup 246 site reclassification 249 spam 256 static 243 content filtering HTML customizing 256 core interface 81 core routes 129 customer web...

Page 465: ...dentification lists 344 IDP 265 HTTP URI normalization 267 signature groups 270 signature wildcarding 271 SMTP log receivers 272 traffic shaping 394 IGMP advanced settings 164 configuration 159 rules...

Page 466: ...ting 57 58 logout from CLI 36 Log Oversized Packets setting 442 Log Received TTL 0 setting 427 Log Reverse Opens setting 437 Log State Violations setting 437 loopback interfaces 80 Low Broadcast TTL A...

Page 467: ...view 14 proposal lists 341 proxy ARP 135 Pseudo Reass Max Concurrent setting 443 Q QoS see quality of service quality of service 378 R RADIUS accounting 54 advanced settings 57 authentication 304 Reas...

Page 468: ...Lifetime setting 439 TCP MSS Log Level setting 431 TCP MSS Max setting 431 TCP MSS Min setting 431 TCP MSS On High setting 431 TCP MSS on Low setting 431 TCP MSS VPN Max setting 431 TCP NULL setting...

Page 469: ...ce over IP VPN 319 planning 320 quick start guide 323 troubleshooting 374 W Watchdog Time setting 448 WCF see web content filtering webauth 311 web content filtering 245 fail mode 247 whitelisting 246...

Reviews:

No comments

Related manuals for DFL-210 - NetDefend - Security Appliance

Brand: Watchguard Pages: 20

SecPath F5000-AK Series

Brand: H3C Pages: 39

Dual WAN Firewall VPN 1400/2

Brand: HotBrick Pages: 76

Brand: Lanner Pages: 19

Enterprise Filter Authentication R3000

Brand: 8e6 Technologies Pages: 594

Brand: ADTRAN Pages: 38

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands