
· Select the Security tab.
· Make sure Require data encryption is checked.
· Select the Networking tab.
· Set VPN server type to Layer-2 Tunneling Protocol (L2TP).
· Save your changes and continue with the following procedure.

Disabling IPsec 

· Select the Networking tab.
· Select Internet Protocol (TCP/IP) properties.
· Double-click the Advanced tab.
· Go to the Options tab and select IP security properties.
· Make sure Do not use IPSEC is checked.
· Select OK and close the connection properties window.

The default Windows 2000 L2TP traffic policy does not allow L2TP traffic without IPSec encryption. You can disable this default behavior by editing the Windows 2000 Registry as described in the following steps. Refer to the Microsoft documentation for instructions on editing the Windows Registry.

· Use the registry editor (regedit) to locate the following key in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

· Add the following registry value to this key:

Value Name: ProhibitIpSec
Data Type: REG_DWORD
Value: 1

· Save your changes and restart the computer for the changes to take effect.

You must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and IPSec traffic from being created. When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses CA authentication. Instead, it checks for a local or Active Directory IPSec policy.
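As an added example that is not part of the D-Link manual (whose own instructions are the regedit steps above), the following PowerShell script audits a Windows host for the ProhibitIpSec override and, on request, removes it so that the default policy requiring IPsec for L2TP applies again. The key path and value name are the ones the manual gives; the function names are my own, and the script assumes a Windows host with PowerShell and rights to read and write HKLM.

```powershell
# Added example, not from the DFL-500 manual. Audits and optionally reverts the
# ProhibitIpSec override described in the manual's registry procedure.
# Key path and value name are taken from the manual; function names are assumed.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters'
$ValueName = 'ProhibitIpSec'

function Get-L2TPIpSecPolicyState {
    # Reports whether this host permits L2TP without the IPsec layer.
    # Absent value or 0: Windows keeps creating its automatic L2TP/IPsec filter.
    # Value 1: the automatic filter is not created (the manual's setting).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { $null } else { [int]$item.$ValueName }
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        ProhibitIpSec = $value
        IpSecRequired = ($value -ne 1)
    }
}

function Restore-L2TPIpSecRequirement {
    # Removes the override; the default L2TP-over-IPsec policy returns after a restart.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $present = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $present) {
        Write-Output 'ProhibitIpSec is not set; the default L2TP/IPsec policy already applies.'
        return
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Remove registry value')) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName
        Write-Output 'ProhibitIpSec removed; restart the computer for the change to take effect.'
    }
}

# Usage: audit first, then preview the rollback with -WhatIf before running it for real.
Get-L2TPIpSecPolicyState | Format-List
# Restore-L2TPIpSecRequirement -WhatIf
```

On a host where ProhibitIpSec is 1, the L2TP tunnel runs without the IPsec layer, so the Require data encryption setting from the connection's Security tab is the only encryption left on that link; the audit output is meant to surface those hosts so the override can be reviewed and, where no longer needed, reverted.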

Connecting to the L2TP VPN

· Start the dial-up connection that you configured in the previous procedure.
· Enter your L2TP VPN User Name and Password.
· Select Connect.
· In the connect window, enter the User Name and Password you use to connect to your dial-up network connection. This user name and password are not the same as your VPN user name and password.

Configuring a Windows XP Client for L2TP 

Use the following procedure to configure a client machine running Windows XP so that it can connect to a 
DFL-500 L2TP VPN. 

Configuring an L2TP VPN dial-up connection

· Go to Start > Settings.
· Select Network and Internet Connections.

DFL-500 User Manual 83

Summary of Contents for DFL-500

Page 1: ...DFL 500 V2 27 User Manual D Link Systems Inc DFL 500 User Manual 1 ...

Page 2: ...n any form or by any means electronic mechanical manual optical or otherwise for any purpose without prior written permission of D Link Systems Inc DFL 500 User Manual Version 2 27 31 July 2002 Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders Regulatory Compliance FCC Class A Part 15 CSA CUS DFL 500 User Manual 2 ...

Page 3: ... 17 NAT Route mode installation 18 Preparing to configure NAT Route mode 18 Customize NAT Route mode settings 18 Advanced NAT Route mode settings 19 Using the setup wizard 20 Connecting to the web based manager 20 Starting the firewall setup wizard 20 Reconnecting to the web based manager 21 Using the command line interface 21 Connecting to the CLI 21 Configuring the DFL 500 to run in NAT Route mo...

Page 4: ... between interfaces 30 Adding policies 31 Adding route mode policies 31 Adding NAT mode policies 32 Editing policies 34 Ordering policies in policy lists 34 Adding addresses 35 Adding addresses 35 Editing addresses 36 Deleting addresses 36 Adding virtual IPs 36 Adding Virtual IPs 36 Services 37 Pre defined services 37 Providing access to custom services 38 Grouping services 39 Schedules 40 Creatin...

Page 5: ...tination addresses 57 Adding an IPSec VPN policy 58 Autokey IPSec VPN for remote clients 59 Configuring the network end of the VPN tunnel 60 Adding source and destination addresses 61 Adding an IPSec VPN policy 62 Configuring the IPSec VPN client 63 Dial up VPN 63 Adding a dial up VPN tunnel 64 Configuring remote IPSec VPN clients 65 Configuring remote IPSec VPN gateways 65 Viewing VPN tunnel stat...

Page 6: ...DS detection 88 Viewing the attack list 89 Configuring NIDS responses 89 General NIDS responses 89 NIDS Alerts 89 Virus protection 91 Configuring antivirus protection 91 Antivirus connection types 92 Configuring antivirus protection 92 Worm protection 93 Customize antivirus messages 94 Customizing messages added to email 94 Customizing messages added to web pages 94 Updating your antivirus databas...

Page 7: ... log message format 106 Administration 107 Logging into the web based manager 107 System status 108 Upgrading the DFL 500 firmware 108 Manual antivirus database updates 111 Manual attack database updates 111 Displaying the DFL 500 serial number 112 Backing up system settings 112 Restoring system settings 112 Restoring system settings to factory defaults 113 Restarting the DFL 500 113 Shutting down...

Page 8: ...122 Configuring SNMP 124 Alert email 126 Glossary 128 Troubleshooting FAQs 131 General administration 131 Network configuration 131 Firewall policies 131 Schedules 132 VPN 132 Virus protection 132 Web content filtering 133 Logging 133 Technical Support 134 Limited Warranty 137 Registration 140 DFL 500 User Manual 8 ...

Page 9: ...d home office SOHO applications The DFL 500 installation wizard guides users through a simple process that enables most installations to be up and running in minutes Antivirus protection DFL 500 antivirus protection screens the information found in web HTTP protocol and email content SMTP POP3 and IMAP protocols as it passes through the DFL 500 The content can be contained in normal network traffi...

Page 10: ...ewall is configured to allow users on the protected network to access the Internet while blocking Internet access to internal networks Using the web based manager you can modify this firewall configuration to place controls on access to the Internet from the protected network and to allow controlled access to internal networks DFL 500 security policies include a complete range of options that Cont...

Page 11: ...ckets from the location of the attack Blocking network ports protocols or services being used by an attack To notify system administrators of the attack the NIDS records the attack and any suspicious traffic to the attack log The attack database functions in a similar manner to an antivirus database D Link updates the attack database periodically You can download and install attack database update...

Page 12: ...gured for secure administration from the external network Internet Configuration changes made with the web based manager are effective immediately without the need to reset the firewall or interrupt service Once a satisfactory configuration has been established it can be downloaded and saved The saved configuration can be restored at any time The DFL 500 web based manager and setup wizard Command ...

Page 13: ...ome example firewall policies IPSec VPNs describes how to create an IPSec VPN between two internal protected networks and between an internal network and a client PPTP and L2TP VPNs describes how to configure PPTP and L2TP VPNs between the DFL 500 and a windows client Network Intrusion detection system NIDS describes how to configure the DFL 500 to detect and prevent common network attacks Virus p...

Page 14: ...the support page The D Link automatic update center at update D Link com is also available for automatically updating your antivirus and attack databases You can contact D Link Technical Support at See Technical Support To help us provide the support you require please provide the following information Name Company Name Location Email address Telephone Number Software Version Serial Number Detaile...

Page 15: ...g Powering on Next steps Package contents The DFL 500 package contains the following items The DFL 500 One orange cross over ethernet cable One gray regular ethernet cable One null modem cable The DFL 500 QuickStart Guide A CD containing this DFL 500 User Manual and the DFL 500 CLI Reference Guide One AC adapter Registration Card DFL 500 package contents Mounting The DFL 500 can be installed on an...

Page 16: ...the DFL 500 is starting up and remains lit when the system is up and running DFL 500 LED indicators LED State Description Green The DFL 500 is powered on Power Off The DFL 500 is powered off Flashing Green The DFL 500 is starting up Green The DFL 500 is running normally Status Off The DFL 500 is powered off Green The correct cable is in use and the connected equipment has power Flashing Green Netw...

Page 17: ... is up and running you can proceed to configure it for operation If you are going to run your DFL 500 in NAT Route mode go to NAT Route mode installation If you are going to run your DFL 500 in Transparent mode go to Transparent mode installation DFL 500 User Manual 17 ...

Page 18: ...n listed in DFL 500 initial power on settings DFL 500 initial power on settings Operating Mode NAT Route User name admin Administrator Account Password none IP 192 168 1 99 Internal Interface Netmask 255 255 255 0 IP 192 168 100 99 Netmask 255 255 255 0 Default Gateway none Manual External Interface Primary DNS Server 207 194 200 1 Secondary DNS Server 207 194 200 129 Customize NAT Route mode sett...

Page 19: ...ttings to gather the information you need to customize advanced DFL 500 NAT Route mode settings Advanced DFL 500 NAT Route mode settings DHCP If your ISP supplies you with an IP address using DHCP no further information is required User name PPPoE Password External Interface If your ISP supplies you with an IP address using PPPoE record your PPPoE user name and password Starting IP _____ _____ ___...

Page 20: ...sk of 255 255 255 0 Using the crossover cable or the ethernet hub and cables connect the Internal interface of the DFL 500 to the computer ethernet connection Start Internet Explorer and browse to the address https 192 168 1 99 The DFL 500 login page appears Type admin in the Name field and select Login DFL 500 login page Starting the firewall setup wizard To start the firewall setup wizard Select...

Page 21: ...ial connector see Front and back view of the DFL 500 Terminal emulation software such as HyperTerminal for Windows Note The following procedure describes how to connect to the DFL 500 CLI using Windows HyperTerminal software You can use any terminal emulation program Connecting to the CLI Connect the null modem cable to the DFL 500 Console connector and to the available communications port on your...

Page 22: ...ists the IP address and netmask settings for each of the DFL 500 interfaces as well as the mode of the external interface Manual DHCP or PPPoE Configure the NAT Route mode default gateway Login to the CLI if you are not already logged in Set the default route to the Default Gateway IP Address that you recorded in NAT Route mode settings Enter set system route add 0 0 0 0 0 0 0 0 gw IP Address dev ...

Page 23: ...he DFL 500 as the DHCP server IP address Once the DFL 500 is connected make sure it is functioning properly by connecting to the Internet from a computer on your internal network You should be able to connect to any Internet address Completing the configuration Use the information in this section to complete the initial configuration of the DFL 500 Setting the date and time For effective schedulin...

Page 24: ... name admin Administrator Account Password none IP 192 168 1 99 Netmask 255 255 255 0 Management Interface Internal interface Default Gateway none Customizing Transparent mode settings Use Transparent mode settings to gather the information you need to customize Transparent mode settings Transparent mode settings Administrator Password IP _____ _____ _____ _____ Netmask _____ _____ _____ _____ Def...

Page 25: ...the ethernet hub and cables connect the Internal interface of the DFL 500 to the computer ethernet connection Start Internet Explorer and browse to the address https 192 168 1 99 The DFL 500 login page appears Type admin in the Name field and select Login DFL 500 login page Changing to Transparent mode The first time you connect to the DFL 500 it is configured to run in NAT Route mode To switch to...

Page 26: ...to the setup wizard you can configure the DFL 500 using the Command Line Interface CLI To connect to the DFL 500 command line interface CLI you require A computer with an available communications port A null modem cable with a 9 pin connector to connect to the DFL 500 Console connection RS 232 serial connector see Front and back view of the DFL 500 Terminal emulation software such as HyperTerminal...

Page 27: ...rial Number FGT 502801021075 Operation mode Transparent Configuring the Transparent mode management IP address Login to the CLI if you are not already logged in Set the IP address and netmask of the Management IP to the IP address and netmask that you recorded in Transparent mode settings Enter set system manageip ip IP Address Netmask Example set system manageip ip 10 10 10 2 255 255 255 0 Confir...

Page 28: ...s Connecting to your network Once you have completed the initial configuration you can connect the DFL 500 between your internal network and the Internet There are two 10 100 BaseTX connectors on the DFL 500 Internal for connecting to your internal network External for connecting to your public switch or router and the Internet To connect the DFL 500 Connect the Internal interface to the hub or sw...

Page 29: ...the packet The action can be to allow the connection deny the connection or to require authentication before the connection is allowed You can also add schedules to security policies so that the firewall can process connections differently depending on the time of day or the day of the week month or year To configure security policies Policy modes Adding policies Adding addresses Adding virtual IP...

Page 30: ...nt mode deletes NAT Route mode firewall policies and addresses and IPSec VPN policies Using the web based manager Go to Firewall Mode Select Transparent Select Apply Select OK To reconnect to the web based manager Connect to the internal interface and browse to https followed by the transparent mode management IP address The default transparent mode Management IP address is 192 168 1 99 Changing t...

Page 31: ...e mode policies When the firewall is running in Transparent mode all policies are route mode policies When the firewall is running in NAT Route mode policies are route mode policies when the policy mode between two interfaces is set to route mode To add a route mode policy Go to Firewall Policy Select a policy list tab Click New to add a new policy You can also select Insert Policy before on a pol...

Page 32: ...olicies in policy lists Sample Route mode policy NAT Route mode Adding NAT mode policies NAT mode policies provide network address translation between interfaces By default when the firewall is running in NAT Route mode it is configured for NAT mode policies between the external and internal interfaces NAT mode policies hide IP addresses on the internal network from the Internet NAT mode policies ...

Page 33: ...e is valid the policy is available to be matched with connections See Schedules Service A service that matches the service or port number of the packet You can select from a wide range of predefined services or add custom services and service groups See Services Action Select how the firewall should respond when the policy matches a connection attempt You can configure the policy to accept the con...

Page 34: ...n attempt was received The first policy that matches is applied to the connection attempt If no policy matches the connection is dropped The default policy accepts all connection attempts from the internal network to the Internet From the internal network users can browse the web use POP3 to get email use FTP to download files through the DFL 500 and so on If the default policy is at the top of th...

Page 35: ...o add an address using the web based manager Go to Firewall Address Select the interface to which to add the address The list of addresses added to that interface is displayed Select New to add a new address to the selected interface Enter an Address Name to identify the address The name can contain numbers 0 9 and upper and lower case letters A Z a z and the special characters and _ Spaces and ot...

Page 36: ...tion address in the less secure network and an actual address in the more secure network This association is called a virtual IP By default virtual IPs are required for Ext to Int NAT mode policies Example virtual IP Your web server has an IP address on the Internet but the computer hosting your web server is located on your internal network with a private IP address To get packets from the Intern...

Page 37: ...0 pre defined services to a policy You can also create your own custom services and add services to service groups This section describes Pre defined services Providing access to custom services Grouping services Pre defined services The DFL 500 pre defined firewall services are listed in DFL 500 pre defined services You can add these services to any policy DFL 500 pre defined services Service nam...

Page 38: ...dp 1 65535 7070 RLOGIN Rlogin service for remotely logging into a server tcp 1 65535 513 SMTP For sending mail between email servers on the Internet tcp 1 65535 25 tcp 1 65535 161 162 SNMP For communicating system status information udp 1 65535 161 162 tcp 1 65535 22 SSH SSH service for secure connections to computers for remote management udp 1 65535 22 TELNET Telnet service for connecting to a r...

Page 39: ...r on the Internet to use pcAnywhere to connect to one or more computers on the internal network The pcAnywhere server program uses TCP port 5631 and UDP port 5632 for communication If you have security concerns about adding a policy for a custom service such as pcAnywhere you can configure the policy to restrict the source and destination addresses of the connection This will restrict the users th...

Page 40: ...week This section describes Creating one time schedules Creating recurring schedules Adding a schedule to a policy Creating one time schedules You can create a one time schedule that activates or deactivates a policy for a specified period of time For instance your firewall may be configured with the default Internal to External policy that allows access to all services on the Internet at all time...

Page 41: ...rs before the start time the schedule will start at the start time and finish at the stop time on the next day You can use this technique to create recurring schedules that run from one day to the next You can also create a recurring schedule that runs for 24 hours by setting the start and stop times to the same time To add a recurring schedule Go to Firewall Schedule Recurring Select New to creat...

Page 42: ...Arrange the policy in the policy list to have the effect that you expect For example to use a one time schedule to deny access to a policy add a policy that matches the policy to be denied in every way Choose the one time schedule that you added and set Action to Deny Then place the policy containing the one time schedule in the policy list above the policy to be denied Arranging a one time schedu...

Page 43: ...ntain numbers 0 9 and upper and lower case letters A Z a z and the special characters and _ Other special characters and spaces are not allowed Select OK Setting authentication time out To set authentication time out Go to System Config Options Set Auth Timeout to control how long authenticated connections can remain idle before users have to authenticate again to get access through the firewall T...

Page 44: ...izard for internal server settings you are configuring port forwarding for the services that you select Firewall policies take precedence over port forwarding If you have configured port forwarding for a service you can add a policy to deny access to this service Note Port Forwarding is not supported in Transparent mode Port forwarding example Configure port forwarding for the external interface s...

Page 45: ...on When a packet arrives from a trusted IP address it is checked to determine whether the MAC address that the packet originated from matches the MAC address in the table The DFL 500 checks all packets received by the DFL 500 external interface This includes packets addressed to the external interface and packets passing through the firewall Note IP MAC binding is not supported in Transparent mode...

Page 46: ...s of data are moving through the DFL 500 For example the policy for the corporate web server might be given higher priority than the policies for most employees computers An employee who needs unusually high speed Internet access could have a special outgoing policy set up with higher bandwidth You can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a po...

Page 47: ...ort e commerce traffic should be assigned a high traffic priority Less important services should be assigned a low priority The firewall provides bandwidth to low priority connections only when bandwidth is not needed for high priority connections Select OK to save your changes to the policy DFL 500 User Manual 47 ...

Page 48: ...licy Source External_All Destination The virtual IP added in Step Add a virtual IP that maps the public IP address of the server to the actual address of the server Schedule Always Service Select a service to match the Internet server For a web server select HTTP Action ACCEPT Reverse NAT Select Reverse NAT Select OK to save the policy Route mode policy for public access to a server The following ...

Page 49: ...en the external interface and the internal interface Add an address for the server to the internal interface address list See Adding addresses Go to Firewall Policy Ext to Int Select New to add a new policy Configure the policy Source External_All Destination The address added in step 1 Schedule Always Service Select a service to match the Internet server For a web server select HTTP Action Select...

Page 50: ...y You must add the deny policy above the accept policy in the policy list For more information see Policy matching in detail and Ordering policies in policy lists Example policy to use a schedule to deny access Denying connections to the Internet Policies that deny connections to the Internet from the internal network restrict the full access to the Internet granted by the default policy You can d...

Page 51: ...onnections that they are exceptions to As a replacement for the default policy to accept only the connections that you want the firewall to accept You can limit access to the Internet to that allowed in the policies that you create You must delete the default policy If the default policy remains in the policy list all connections that do not match a policy will be accepted by the default policy Th...

Page 52: ...s According to a schedule The following example procedure requiring users on the internal network to authenticate to access HTTP servers on the Internet is similar to any procedure requiring authentication In this example the DFL 500 is running in NAT Route mode To require authentication Add user names and passwords to the firewall See Users and authentication Go to Firewall Policy Int to Ext Sele...

Page 53: ...ernet security standard for VPN and is supported by most VPN products DFL 500 IPSec VPNs can be configured to use Autokey Internet Key Exchange IKE or manual key exchange Autokey key exchange is easier to configure and maintain than manual key exchange However manual key exchange is available for compatibility with third party VPN products that require it IPSec VPN is not supported in Transparent ...

Page 54: ... 500 IPSec VPN gateways across the Internet Users on the internal networks are not aware that when they connect to a computer on the other network that the connection runs across the Internet As shown in Example VPN between two internal networks the DFL 500 is designed to connect a telecommuter or small branch office network to the Internet You can use DFL 500 IPSec virtual private networking to c...

Page 55: ...s the amount of time in seconds before the phase 1 encryption key expires When the key expires a new key is generated without interrupting service 600 600 Select the encryption and authentication algorithms to propose for Phase 2 of the IPSec VPN connection See About P1 and P2 proposals Select Enable replay detection to prevent IPSec replay attacks See About replay detection Select Select Select E...

Page 56: ... with packets The attacker could also change and then replay intercepted packets to attempt to gain entry to a trusted network Enable replay detection to check the sequence number of every IPSec packet to see if it has been received before If packets arrive out of sequence the DFL 500 discards them About perfect forward secrecy PFS Perfect Forward Secrecy PFS improves the security of a VPN tunnel ...

Page 57: ...ple VPN between two internal networks In the example both IP addresses are for internal networks IPSec Autokey VPN addresses Description Main office VPN gateway 1 Branch office VPN gateway 2 Source Address Address Name The name to assign to the source address to be connected using the VPN The name can contain numbers 0 9 and upper and lower case letters A Z a z and the special characters and _ Oth...

Page 58: ...ess and NetMask of the network behind the other VPN gateway at the far end of the VPN tunnel Select OK to save the external address Adding an IPSec VPN policy Add a VPN policy to associate the source and destination addresses with the VPN tunnel Example IPSec Autokey VPN policy configuration shows the VPN policy configuration for the VPN in Example VPN between two internal networks Example IPSec A...

Page 59: ...ures to configure a VPN that allows remote VPN clients with static IP addresses to connect to users and computers on a main office internal network See Example VPN between an internal network and a remote client A remote VPN client can be any computer connected to the Internet with a static IP address and running VPN client software that uses IPSec and Autokey IKE Communication between the remote ...

Page 60: ...his VPN tunnel can accept IPSec connections from any Internet address You must create complementary VPN tunnels on the VPN gateway and the clients On both the tunnel must have the same name keylife and authentication key Example VPN Tunnel configuration shows the information required to configure the VPN tunnel for the VPN in Example VPN between an internal network and remote clients Example VPN T...

Page 61: ... characters The VPN gateway and clients must have the same key and it should only be known by network administrators ddcHH01887d Incoming NAT Select Incoming NAT if you require Network address translation for VPN packets Select Complete the following procedure on the DFL 500 VPN gateway Go to VPN IPSEC Autokey IKE Select New to add a new Autokey IKE VPN tunnel Enter the VPN Tunnel Name Remote Gate...

Page 62: ... Go to Firewall Address External Select New to add the address of the client Enter an Address Name the static IP Address and the Netmask of the client Select OK to save the destination address Adding an IPSec VPN policy The VPN policy associates the source and destination address with the VPN tunnel The VPN gateway then starts up the VPN tunnel whenever it receives packets from the VPN client Exam...

Page 63: ...ess A dial up VPN configuration is most often used to allow clients with dynamic IP addresses to connect to the VPN gateway Clients with dynamic IP addresses can be home or travelling users who dial into the Internet and are dynamically assigned an IP address by their ISP using PPPoE DHCP or a similar protocol To configure a dial up VPN gateway add a dial up VPN tunnel A dial up VPN tunnel is an I...

Page 64: ...lowed Dial up_VPN Remote Gateway To accept connections from any Internet address 0 0 0 0 Select the Encryption algorithms to propose for Phase 1 of the IPSec VPN connection See About P1 and P2 proposals DES and 3DES Select the Authentication algorithms to propose for Phase 1 of the IPSec VPN connection MD5 P1 Proposal Specify the Keylife for Phase 1 The keylife is the amount of time in seconds bef...

Page 65: ...roposal and the P2 Proposal algorithms Select OK to save the Autokey IKE VPN tunnel Configuring remote IPSec VPN clients The remote VPN clients must be running industry standard IPSec Autokey IKE VPN client software D Link recommends the SafeNet Soft PK client from IRE Inc Configure the client as required to connect to the dial up VPN gateway using an IPSec VPN configuration Make sure the client c...

Page 66: ... calculated by subtracting the time elapsed since the last key exchange from the keylife Autokey IKE tunnel status Dial up monitor The IPSec VPN dial up monitor displays all of the active dial up tunnels A dial up tunnel is an IPSec VPN tunnel created when a remote IPSec VPN gateway or client connects to the Autokey IKE VPN Tunnel with the IP address 0 0 0 0 This VPN tunnel accepts VPN connections...

Page 67: ...d If you are configuring a VPN between two DFL 500 gateways it is recommended that you use the same tunnel name on both sides of the VPN Local SPI Secure Parameter Index Enter a hexadecimal number of up to eight digits digits can be 0 to 9 a to f This number must be added to the Remote SPI at the opposite end of the tunnel Remote SPI Enter a hexadecimal number of up to eight digits This number mus...

Page 68: ...y that associates the source and destination addresses with the VPN tunnel Manual key IPSec VPN for remote clients Use the following procedures to configure a VPN that allows remote VPN clients to connect to computers on a Main office internal network See Example VPN between an internal network and remote clients Manual key exchange VPNs do not support VPN clients with dynamic IP addresses The VPN...

Page 69: ... the source and destination addresses of the VPN client with the VPN tunnel Testing a VPN To confirm that a VPN between two networks has been configured correctly use the ping command from one internal network to connect to a computer on the other internal network The IPSec VPN tunnel starts automatically when the first data packet destined for the VPN is intercepted by the DFL 500 To confirm that...

Page 70: ...h configurations IPSec client to network pass through IPSec network to network pass through IPSec client to network pass through In the configuration shown in IPSec client connecting to a VPN on the Internet using VPN pass through the PC on your internal network runs IPSec VPN client software and connects to a VPN gateway on the Internet The DFL 500 is configured to pass through IPSec traffic and ...

Page 71: ...he administrator of the remote IPSec VPN gateway creates a standard VPN gateway configuration However the remote gateway address of the VPN tunnel is set to the external address of the DFL 500 to be passed through rather than the IP address of the VPN client Using the example in IPSec client connecting to a VPN on the Internet using VPN pass through the IP address of the remote gateway would be se...

Page 72: ...r both of these IPSec VPN gateways could also be a third party VPN gateway Use the following procedures to configure the internal IPSec VPN gateway the Internet IPSec VPN gateway and the DFL 500 that will be passed through Configure the internal IPSec VPN gateway Create the following configuration on the internal IPSec VPN gateway Configure the internal IPSec VPN gateway to connect to the Internet...

Page 73: ...to 192 168 2 0 with a netmask of 255 255 255 0 The remote gateway address of the VPN tunnel is set to the external address of the DFL 500 to be passed through rather than the external IP address of the internal IPSec VPN gateway Using the example in IPSec network to network VPN pass through the IP address of the remote gateway would be set to 100 100 100 1 with a netmask of 255 255 255 255 Configu...

Page 74: ... network behind the Internet IPSec VPN gateway. The DFL-500 accepts IPSec VPN connections from the internal network and performs network address translation on them. The VPN packets are forwarded to the destination IPSec VPN gateway with a source address of the external interface of the DFL-500. DFL-500 User Manual 74 ...

Page 75: ...damaged or altered in transit. Once connected to the VPN tunnel, it seems to the user that the client computer is directly connected to the internal network. PPTP and L2TP VPNs are only supported in NAT mode. This chapter describes: PPTP VPN configuration; PPTP pass through; L2TP VPN configuration; RADIUS authentication for PPTP and L2TP VPNs. PPTP VPN configuration: You configure your DFL-500 to support PP...

Page 76: ...ed. A client can connect to the PPTP VPN with this user name and password. Repeat the steps from "Go to VPN > PPTP > PPTP User" to "Enter a user name and password" to add more PPTP user names and passwords as required. Go to VPN > PPTP > PPTP Range. Select Enable PPTP. Type in the Starting IP and the Ending IP for the PPTP address range. The PPTP address range is the range of addresses on your internal network that must be ...

Page 77: ...rer. Select Microsoft Virtual Private Networking Adapter. Select OK twice. Insert diskettes or CDs as required. Restart the computer. Configuring a PPTP dial-up connection: Go to My Computer > Dial-Up Networking. Double-click Make New Connection. Name the connection and select Next. Enter the external IP address or hostname of the DFL-500 to connect to and select Next. Select Finish. An icon for the new connec...

Page 78: ...operties in the Connect window. Select the Security tab. Uncheck Require data encryption. Select OK. Connecting to the PPTP VPN: Start the dial-up connection that you configured in the previous procedure. Enter your PPTP VPN User Name and Password. Select Connect. In the connect window, enter the User Name and Password you use to connect to your dial-up network connection. This user name and password is not...

Page 79: ... connection that you configured in the previous procedure. Enter your PPTP VPN User Name and Password. Select Connect. In the connect window, enter the User Name and Password you use to connect to your dial-up network connection. This user name and password is not the same as your VPN user name and password. PPTP pass through: You can configure PPTP pass through so that a PPTP VPN client on your internal...

Page 80: ... PPTP client connecting to a VPN on the Internet using PPTP pass through. Configure the PPTP VPN client to connect to the destination PPTP VPN gateway as if the client computer is connected directly to the Internet. See the following client configuration sections: Configuring a Windows 98 client for PPTP; Configuring a Windows 2000 Client for PPTP; Configuring a Windows XP Client for PPTP. Set the defau...

Page 81: ...ers to authenticate to your RADIUS server. Finally, to connect to the L2TP VPN, your remote Windows clients must be configured for L2TP. Make sure that your ISP supports L2TP connections. This section describes: Configuring the DFL-500 as an L2TP gateway; Configuring a Windows 2000 Client for L2TP; Configuring a Windows XP Client for L2TP. L2TP VPN between a Windows client and the DFL-500. Configuring the D...

Page 82: ...range cannot overlap the PPTP address range. If you are planning on using RADIUS for authentication, select Enable RADIUS. To turn on RADIUS support, see "RADIUS authentication for PPTP and L2TP VPNs". Select Apply to enable L2TP VPNs through the DFL-500. Sample L2TP range configuration. Configuring a Windows 2000 Client for L2TP: Use the following procedure to configure a client machine running Windows 200...

Page 83: ...hibitIpSec, Data Type: REG_DWORD, Value: 1. Save your changes and restart the computer for the changes to take effect. You must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and IPSec traffic from being created. When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does...

Page 84: ...S Packet Scheduler. Make sure the following options are not selected: File and Printer Sharing for Microsoft Networks; Client for Microsoft Networks. Disabling IPsec: Select the Networking tab. Select Internet Protocol (TCP/IP) properties. Double-click the Advanced tab. Go to the Options tab and select IP security properties. Make sure Do not use IPSEC is checked. Select OK and close the connection properties...

Page 85: ...es of your RADIUS servers to the DFL-500 VPN configuration and then turn on RADIUS support for PPTP and L2TP. If you have added PPTP and L2TP user names and passwords and configured RADIUS support, when a PPTP or L2TP user connects to a DFL-500 the user name and password is checked against the DFL-500 PPTP or L2TP user name and password list. If a match is not found locally, the DFL-500 contacts the R...

Page 86: ...turn on RADIUS authentication for PPTP users: Go to VPN > PPTP > PPTP Range. Check Enable RADIUS. Select Apply. Turning on RADIUS authentication for L2TP: RADIUS authentication can be turned on separately for PPTP and L2TP. To turn on RADIUS authentication for L2TP users: Go to VPN > L2TP > L2TP Range. Check Enable RADIUS. Select Apply. ...

Page 87: ...atabase updates. This chapter describes: NIDS features; Configuring NIDS detection; Viewing the attack list; Configuring NIDS responses. NIDS features: The NIDS protects the DFL-500 and the networks connected to it from the attacks described below: Denial of Service (DoS) attacks; Reconnaissance; Exploits; NIDS evasion. Denial of Service (DoS) attacks: Denial of service attacks attempt to deny access to a service ...

Page 88: ...g NIDS evasion techniques: Signature spoofing; Signature encoding; IP fragmentation; TCP/UDP disassembly. Configuring NIDS detection: To select the interface for which the NIDS monitors network traffic and to set whether or not the NIDS verifies checksums: Go to NIDS > Detection > General. For Monitored Interface, select the interface the NIDS monitors for network attacks. You can select only one interface. Sele...

Page 89: ... Set the assurance mode for alerts. All: The NIDS sends alerts for all attacks found in traffic received at the monitored interface. TCP Session: The NIDS sends alerts only for attacks found in connections accepted by a firewall policy at the monitored interface. Select TCP Session to reduce the number of alerts generated by the NIDS. Select Apply to save your changes. NIDS Alerts: To configure how the NI...

Page 90: ...d message about the attack with details about the attack and the NIDS response. For Address Obfuscation, check source address, destination address, or both. When sending an alert message, the NIDS replaces the checked IP addresses of attacks with xxx.xxx.xxx.xxx. Select Apply to save your changes. NIDS alerts configuration. ...

Page 91: ...owever, it is available for extremely high-risk situations where there is no other way to prevent viruses from entering your network. Scan all target files for viruses: The antivirus scanning engine performs signature and macro virus scanning on all target files. If a virus is found in a file, the virus scanner deletes the file and replaces it with an alert message that is forwarded to the user. If a vi...

Page 92: ... Int HTTP virus protection if you have a web server on your internal network that can be accessed from the Internet, to prevent this web server from distributing viruses to users on the Internet. Configure Ext to Int SMTP virus protection if you have an SMTP server on your internal network that can be accessed from the Internet by other SMTP servers. Configure Ext to Int POP3 and IMAP virus protectio...

Page 93: ...quests by scanning their originating web page for known worm patterns. For example, Code Red attempts to gain entry to MS IIS servers by trying to exploit a known buffer overflow bug in these servers. To scan SMTP, POP3, and IMAP email attachments for worms, the virus scanning engine looks for filenames known to be used by worms. For example, the Nimda worm uses files named readme.exe and sample.exe. To co...

Page 94: ...he message that appears when antivirus scanning detects a virus in a file contained in an email and deletes the file from the email message. You can change the message as required. The messages can be in plain text or include HTML coding. Include FILE in the message to include the name of the file that was deleted. Include VIRUS in the message to include the name of the virus that was found to be infe...

Page 95: ...his database is continuously updated by D-Link as new viruses and worms are encountered and defined. You should keep your antivirus database up to date so that the DFL-500 can protect your network from new viruses. You can configure the DFL-500 to update the antivirus database automatically, or you can update your antivirus database manually. See "Automatic antivirus and attack database updates". Manual ...

Page 96: ...ned word list; Temporarily disabling individual words in the banned word list; Clearing the banned word list; Backing up the banned word list; Restoring the banned word list. Enabling the banned word list: To turn on content blocking by enabling the banned word list: Go to Web Filter > Content Block. Select Enable Banned Word to turn on content blocking. The DFL-500 is now configured to block web pages conta...

Page 97: ...ed word, the DFL-500 blocks all web pages where the words are found together as a phrase. Content filtering is not case sensitive. You cannot include special characters in banned words. Select OK. The word or phrase is added to the banned word list. Check the box beside the new entry in the banned word list so that the DFL-500 blocks web pages containing this word or phrase. You can enter multiple banned...

Page 98: ... path and filename of your banned word list text file, or select Browse and locate the file. Select OK to upload the backed-up banned word list text file. Select Return to display the restored list of banned words. Block access to Internet sites: To block access to internet sites, enable URL blocking and then create a list of URLs to be blocked. The URLs in the list must include the complete domain name ...

Page 99: ... URL block list. To add URLs to the URL block list: Go to Web Filter > URL Block. Select New to add an entry to the URL block list. Type the URL to block. Enter a complete URL, including path, to block access to a page on a web site. For example, www.badsite.com/index.html blocks access to the main page of this example website. You can also add IP addresses; for example, 182.33.44.34/index.html blocks access to...

Page 100: ...ct Uncheck All to uncheck all of the items in the URL block list. All unchecked items in the URL block list are not blocked by the DFL-500. Clearing the URL block list: To remove all of the URLs from the URL block list: Go to Web Filter > URL Block. Select Delete to remove all of the URLs from the URL block list. Downloading the URL block list: If you make changes to the URL block list using the web-based ...

Page 101: ...e lost when you upload a new list. However, you can download your current URL list, add more URLs to it using a text editor, and then upload the edited list to the DFL-500. In a text editor, create the list of URLs to block. Using the web-based manager, go to Web Filter > URL Block. Select Upload URL Block list. Enter the path and filename of your URL block list text file, or select Browse and locate the file. ...

Page 103: ...lowing procedure to configure the DFL-500 to record logs onto a remote computer. The remote computer must be configured with a syslog server. Go to Log & Report > Log setting. Select Log to Remote Host to send the logs to a syslog server. Add the IP address of the computer running syslog server software. Select Apply to save your log settings. Recording logs on a WebTrends server: Use the following procedure...

Page 104: ...n message format. All of these message formats are compatible with the WebTrends Enhanced Log Format (WELF). Use the information in the following sections to interpret DFL-500 log messages: Traffic log message format; Event log message format; Attack log message format. Traffic log message format: When you select the Log Traffic policy option, traffic logs record sessions that match firewall policies. Each t...

Page 105: ... successful at 192.168.100.111 by admin. 2002 Jun 22 15:35:09 type vpn mgmt msg VPN ipsec_auto auto add successful at 192.168.100.111 by admin. Antivirus messages: Antivirus event log messages record when the antivirus scanner blocks a file or detects a virus or worm in a file. Antivirus event log messages have the following format: date time src <source IP> dst <destination IP> proto <protocol> msg <type Fir...

Page 106: ...ood. If the policy mode for connections in which attacks are detected is NAT, NIDS log messages contain reverse NAT IP addresses. VPN tunnel monitor messages: VPN tunnel monitor log messages record when a VPN tunnel is started and stopped, and also when keys are renegotiated. VPN tunnel monitor messages have the following format: date time type vpn msg <description of the VPN tunnel status event>. Example V...

Page 107: ...the management interface; Transparent mode; Setting DNS server addresses; Configuring routing; Enabling RIP server support; Providing DHCP services to your internal network. System configuration: Setting system date and time; Changing web-based manager options; Adding and editing administrator accounts; Configuring SNMP; Alert email. Logging into the web-based manager: You require: A computer with an ethernet c...

Page 108: ...l attack database updates; Backing up system settings; Restoring system settings; Restoring system settings to factory defaults; Restarting the DFL-500; Shutting down the DFL-500. If you log onto the web-based manager with any other administrator account, you can go to System > Status to view the system settings, including: Displaying the DFL-500 serial number. All administrative users can also go to System > S...

Page 109: ...esses. To keep your current settings before installing new firmware, download your configuration file (see "Backing up system settings") and your web content and URL filtering lists (see "Downloading the banned word list" and "Downloading the URL block list"). Installing new firmware using the CLI replaces your current antivirus database and attack database with the versions of these databases included with th...

Page 110: ...68: execute ping 192.168.1.168. Copy the new firmware image file to the root directory of your TFTP server. Enter the following command to restart the DFL-500: execute reboot. As the DFL-500 reboots, messages similar to the following appear: BIOS Version 2.2; Serial number FGT 502801021075; SDRAM Initialization; Scanning PCI Bus Done; Total RAM 256M; Enabling Cache Done; Allocating PCI Resources Done; Zeroing I...

Page 111: ...most recent antivirus and attack databases, see "Automatic antivirus and attack database updates". Manual antivirus database updates: Use the following procedure to update your antivirus database manually. To configure the DFL-500 for automatic antivirus database updates, see "Automatic antivirus and attack database updates". You can also manually update your antivirus database by going to System > Update and...

Page 112: ...tem settings. This procedure does not back up the Web content and URL filtering lists. To back up these lists, see "Downloading the banned word list" and "Downloading the URL block list". You can back up system settings by downloading them to a text file on the management computer. Go to System > Status. Select System Settings Download. Select Download System Settings. Type in a name and location for the file. T...

Page 113: ...xt file to the DFL-500. Restarting the DFL-500: Use the following procedure to restart the DFL-500 using the web-based manager. Go to System > Status. Select Restart. The DFL-500 restarts. Shutting down the DFL-500: Use the following procedure to shut down the DFL-500 using the web-based manager. Go to System > Status. Select Shutdown. The DFL-500 shuts down and all traffic flow stops. The DFL-500 can only be res...

Page 114: ...ck the D-Link update center at update.Dlink.com to see if a new version of the antivirus database and a new version of the attack database are available. If it finds new versions, the DFL-500 automatically downloads and installs the updated databases. You can specify the IP addresses of two update centers and configure the DFL-500 to check and download updated databases once a day or once a week. You ...

Page 115: ...d select Update Now to check for and update your antivirus and attack databases. Configuring automatic antivirus and attack database updates. Network configuration: Go to System > Network to make any of the following changes to the DFL-500 network settings: Configuring the internal interface; Configuring the external interface; Setting DNS server addresses; Configuring routing; Enabling RIP server support; P...

Page 116: ...internal interface, you must reconnect to the web-based manager using the new internal interface IP address. Configuring the internal interface. Configuring the external interface: Use the following procedures to configure the external interface: Configuring the external interface with static IP addresses; Configuring the external interface for DHCP; Configuring the external interface for PPPoE; Controlli...

Page 117: ...lored grey to indicate that the addresses have not been assigned manually. Configuring the external interface. Configuring the external interface for PPPoE: Use the following procedure to configure the DFL-500 external interface to use PPPoE. This configuration is required if your ISP uses PPPoE to assign the IP address of the external interface. To configure the external interface to use PPPoE: Go to S...

Page 118: ... DFL-500 from the Internet. Select OK. You can control the IP addresses from which administrators can access the web-based manager. See "Adding and editing administrator accounts". Changing external interface MTU size to improve network performance: To improve the performance of your internet connection, you can adjust the maximum transmission unit (MTU) of the packets that the DFL-500 transmits from its ex...

Page 119: ...it passes through the DFL-500. You can also use static routing to allow different IP domain users to access the Internet through the DFL-500. Use DFL-500 Routing to add, edit, and delete static routes. Go to System > Network > Routing. Select New to add a new route. Type the Destination IP address and Netmask for the route. Select the Interface for the route. Specify the default Gateway for the route. Select OK...

Page 120: ...hat the DFL-500 can assign. Netmask: Enter the Netmask that the DFL-500 assigns to the DHCP clients. Lease Duration: Optionally, type in the interval in seconds after which a DHCP client must ask the DHCP server for a new address. Domain: Optionally, type in the domain that the DHCP server assigns to the client. DNS IP: Optionally, type in the IP addresses of up to 3 DNS servers that the DHCP clients can use...

Page 121: ...ork Time Protocol (NTP) server. For more information on NTP and to find the IP address of an NTP server that you can use, see http://www.ntp.org. To set the date and time using the web-based manager: Go to System > Config > Time. Select Refresh to display the current DFL-500 date and time. Select your Time Zone from the list. Optionally, select Set Time and set the DFL-500 date and time to the correct date and ti...

Page 122: ... minutes (8 hours). Set the firewall user authentication time out. For more information, see "Users and authentication". The default Auth time out is 15 minutes. The maximum Auth time out is 480 minutes (8 hours). Choose the character set and language that the web-based manager uses. When the web-based manager language is set to use Simplified Chinese, you can change to English by selecting the English button t...

Page 123: ...pecial characters and _. Other special characters and spaces are not allowed. Optionally, type in a trusted host IP address and netmask for the location from which the administrator can log into the web-based manager. Set the permission level for the administrator. Read Only: The administrator can access the web-based manager and the CLI to view the configuration but cannot change settings. Read & Write: Th...

Page 124: ...500 so that the SNMP agent running on the DFL-500 can report system information and send traps. The DFL-500 agent supports SNMP v1 and v2c. System information can be monitored by any SNMP manager configured to get system information from your DFL-500. Your SNMP manager can use GET (GET-NEXT) SNMP operations to communicate with the DFL-500 agent. DFL-500 MIBs: The DFL-500 agent supports the standard Inter...

Page 125: ...quest with an invalid community string. System Shutdown: The DFL-500 shuts down. Agent Disabled: An administrator has disabled the SNMP agent from the web-based manager. The agent is also automatically disabled before a system shutdown, and a trap is sent when this occurs. Agent Enabled: An administrator has enabled the SNMP agent from the web-based manager. The agent is also automatically enabled when the...

Page 126: ...ault get community string is public. Change the default get community string to keep intruders from using get requests to retrieve information about your network configuration. The get community string must be used in your SNMP manager to enable it to access DFL-500 SNMP information. The get community string can be up to 31 characters long and can contain spaces, numbers (0-9), upper and lower case lette...

Page 127: ...ields. These are the email addresses that the DFL-500 sends email alerts to. Select Apply to save the email alert settings. Make sure that the DNS server settings are correct for the DFL-500. See "Setting DNS server addresses". Because the DFL-500 uses the SMTP server name to connect to the mail server, it must be able to look up this name on your DNS server. Example alert email settings. Testing email aler...

Page 128: ... exchanging authentication and encryption keys between two secure servers. IMAP (Internet Message Access Protocol): An Internet email protocol that allows access to your email from any IMAP-compatible browser. With IMAP, your mail resides on the server. IP (Internet Protocol): The component of TCP/IP that handles routing. IP Address: An identifier for a computer or device on a TCP/IP network. An IP address is ...

Page 129: ...s information is passed to a RADIUS server, which checks that the information is correct and then authorizes access to the ISP system. Router: A device that connects LANs into an internal network and routes traffic between them. Routing: The process of determining a path to use to send data to its destination. Routing table: A list of valid paths through which data can be transmitted. Server: An applicatio...

Page 130: ...cannot be intercepted. Virus: A computer program that attaches itself to other programs, spreading itself through computers or networks by this mechanism, usually with harmful intent. Worm: A program or algorithm that replicates itself over a computer network, usually through email, and performs malicious actions such as using up the computer's resources and possibly shutting the system down. ...

Page 131: ...ring system settings. Q: How can I get a warning when someone is attacking my network? See "Network Intrusion detection system (NIDS)" and "Alert email". Network configuration. Q: I am trying to set up the network connections but I can't seem to ping the firewall. Configure the interface to respond to pings. See "Configuring the internal interface". Firewall policies. Q: When I set policies, all the computers on the ...

Page 132: ...rt is allowed through. If you are using a non-standard port setting, individual services will not work. ANY allows traffic to go to all ports. Schedules. Q: I need a schedule that will allow access to the Internet overnight from 9:00 pm to 9:00 am. How can I do this? Create a recurring schedule with a start time of 9:00 pm and a stop time of 9:00 am. If the stop time is set earlier than the start time, the ...

Page 133: ... from web pages. Logging. Q: Can I identify the attackers from the log? The attack log does contain the IP address that the violating packets originated from, but since most Internet users do not have static IP addresses, these may not provide all of the information that you need. Q: How can I find out which company employees are spending time on the Internet? Select Log Traffic for all From Internal To Ex...

Page 134: ... REPAIR LINE 00800 7250 8000, E-MAIL info@dlink.de, URL www.dlink.de. IBERIA: D-LINK IBERIA, Gran Via de Carlos III 84 3, Edificio Trade, 08028 BARCELONA, TEL 34 93 4090770, FAX 34 93 4910795, E-MAIL info@dlinkiberia.es, URL www.dlinkiberia.es. INDIA: D-LINK INDIA, Plot No 5, Kurla Bandra Complex Road, Off Cst Road, Santacruz E, Bombay 400 098, India, TEL 91 22 652 6696, FAX 91 22 652 8914, E-MAIL service dlink india c...

Page 135: ...marily be used? o Home, o Office, o Travel, o Company Business, o Home Business, o Personal Use. 2. How many employees work at installation site? o 1 employee, o 2-9, o 10-49, o 50-99, o 100-499, o 500-999, o 1000 or more. 3. What network protocol(s) does your organization use? o XNS/IPX, o TCP/IP, o DECnet, o Others _____________________________. 4. What network operating system(s) does your organization use? o D-Link LANsmart, o Novell NetWa...

Page 137: ...ware or part thereof that is replaced by D-Link or for which the purchase price is refunded shall become the property of D-Link upon replacement or refund. Limited Software Warranty: D-Link warrants that the software portion of the product ("Software") will substantially conform to D-Link's then current functional specifications for the Software, as set forth in the applicable documentation, from the date...

Page 138: ...epair or service in any way that is not contemplated in the documentation for the product, or if the model or serial number has been altered, tampered with, defaced or removed; Initial installation, installation and removal of the product for repair, and shipping costs; Operational adjustments covered in the operating manual for the product, and normal maintenance; Damage that occurs in shipment, due to act...

Page 139: ...sformation or adaptation without permission from D-Link Corporation / D-Link Systems Inc., as stipulated by the United States Copyright Act of 1976. FCC Warning: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is o...

Page 140: ...Registration: Register the D-Link DFL-500 Office Firewall online at http://www.dlink.com/sales/reg. ...
