
actually starts blocking the traffic matched by the rule. Every switch model needs a short latency
period before a triggered rule takes effect. Some models activate blocking in under a second, while
others may need a minute or more.

A second difference is the maximum number of rules a switch supports. Some switches support at most
50 rules while others support up to 800 (usually one rule per switch port is needed to block a single
host or network, so the number of hosts that can be blocked is considerably smaller than the rule
limit). Once this limit is reached, no further hosts or networks will be blocked.

Important: Clearing the ACL rule set on the switch

ZoneDefense uses a range in the ACL rule set on the switch. To avoid potential
conflicts in these rules and guarantee the firewall's access control, it is strongly
recommended that the administrator clear the entire ACL rule set on the switch before
executing the ZoneDefense setup.
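An added example, not from the D-Link manual, that models the two limits described above (activation latency and the per-switch ACL rule budget, with one rule per port per blocked host) together with the pre-existing rules that the Important note says should be cleared before setup, so an administrator can tell in advance when a switch will stop accepting ZoneDefense blocks. Switch names, rule limits, port counts and delays are constructed values.

```python
# Capacity and latency model for ZoneDefense switch blocking (added example,
# not the manual's or D-Link's code). All switch parameters are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Switch:
    """One managed switch; limits are assumed values chosen for illustration."""
    name: str
    max_rules: int              # model-dependent ACL limit (manual: roughly 50 to 800)
    ports: int                  # one rule per switch port is needed per blocked host/network
    activation_delay_s: float   # model-dependent latency before a rule takes effect
    rules_in_use: int = 0       # rules already present in the ZoneDefense range
    blocked: List[str] = field(default_factory=list)


@dataclass
class BlockResult:
    host: str
    switch: str
    applied: bool
    effective_at: Optional[float]   # time the block actually starts; None if not applied
    reason: str


class ZoneDefensePlanner:
    def __init__(self, switches: List[Switch]) -> None:
        self.switches: Dict[str, Switch] = {s.name: s for s in switches}

    def rules_needed(self, sw: Switch) -> int:
        # The manual states that blocking one host or network usually costs
        # one rule per switch port.
        return sw.ports

    def remaining_hosts(self, sw: Switch) -> int:
        # Whole hosts that still fit into the switch's free rule slots.
        free = sw.max_rules - sw.rules_in_use
        return max(0, free // self.rules_needed(sw))

    def clear_rule_range(self, name: str) -> None:
        # Models the recommended step of clearing the switch ACL rule set
        # before ZoneDefense setup, so stale rules do not eat the budget.
        sw = self.switches[name]
        sw.rules_in_use = 0
        sw.blocked.clear()

    def block_host(self, host: str, now: float) -> List[BlockResult]:
        """Try to block `host` on every switch; report per-switch outcome."""
        results: List[BlockResult] = []
        for sw in self.switches.values():
            if host in sw.blocked:
                results.append(BlockResult(host, sw.name, True, now, "already blocked"))
                continue
            need = self.rules_needed(sw)
            if sw.rules_in_use + need > sw.max_rules:
                # This is the silent failure mode the manual warns about:
                # the limit is reached and the host simply is not blocked.
                results.append(BlockResult(
                    host, sw.name, False, None,
                    f"ACL limit {sw.max_rules} reached "
                    f"({sw.rules_in_use} in use, {need} needed)"))
                continue
            sw.rules_in_use += need
            sw.blocked.append(host)
            results.append(BlockResult(
                host, sw.name, True, now + sw.activation_delay_s, "rule installed"))
        return results

    def capacity_warnings(self, threshold: int = 1) -> List[str]:
        """Switches that can block at most `threshold` more hosts."""
        return [
            f"{sw.name}: only {self.remaining_hosts(sw)} more host(s) can be blocked"
            for sw in self.switches.values()
            if self.remaining_hosts(sw) <= threshold
        ]


if __name__ == "__main__":
    # Constructed sample: a small edge switch and a larger core switch.
    planner = ZoneDefensePlanner([
        Switch("edge-a", max_rules=50, ports=24, activation_delay_s=0.5),
        Switch("core-b", max_rules=800, ports=48, activation_delay_s=60.0),
    ])
    for i, host in enumerate(["10.0.0.5", "10.0.0.6", "10.0.0.7"]):
        for r in planner.block_host(host, now=100.0 + i):
            print(r)
    print(planner.capacity_warnings())
```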

12.3.5. Limitations

Chapter 12. ZoneDefense

550

Source document: NetDefendOS Version 2.40.03 Network Security Firewall User Manual (DFL-260E/860E/1660/2560/2560G), D-Link Corporation, Taipei, Taiwan, published 2013-02-20, http://www.dlink.com.

Page 3: ...ticular purpose D Link reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such revision or changes Limitations of Liability UNDER NO CIRCUMSTANCES SHALL D LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER E G DAMAGES FOR LOSS OF PROFIT SOFTWARE RESTORATION WORK STOPPAGE LOSS ...

Page 4: ...Message Exceptions 63 2 2 7 SNMP Traps 63 2 2 8 Advanced Log Settings 65 2 3 RADIUS Accounting 66 2 3 1 Overview 66 2 3 2 RADIUS Accounting Messages 66 2 3 3 Interim Accounting Messages 68 2 3 4 Configuring RADIUS Accounting 68 2 3 5 RADIUS Accounting Security 69 2 3 6 RADIUS Accounting and High Availability 69 2 3 7 Handling Unresponsive RADIUS Servers 70 2 3 8 Accounting and System Shutdowns 70 ...

Page 5: ...ules 148 3 8 Certificates 150 3 8 1 Overview 150 3 8 2 Certificates in NetDefendOS 152 3 8 3 CA Certificate Requests 154 3 9 Date and Time 156 3 9 1 Overview 156 3 9 2 Setting Date and Time 156 3 9 3 Time Servers 157 3 9 4 Settings Summary for Date and Time 160 3 10 DNS 163 4 Routing 167 4 1 Overview 167 4 2 Static Routing 168 4 2 1 The Principles of Routing 168 4 2 2 Static Routing 172 4 2 3 Rout...

Page 6: ...Active Content Handling 325 6 3 3 Static Content Filtering 326 6 3 4 Dynamic Web Content Filtering 328 6 4 Anti Virus Scanning 343 6 4 1 Overview 343 6 4 2 Implementation 343 6 4 3 Activating Anti Virus Scanning 344 6 4 4 The Signature Database 344 6 4 5 Subscribing to the D Link Anti Virus Service 345 6 4 6 Anti Virus Options 345 6 5 Intrusion Detection and Prevention 349 6 5 1 Overview 349 6 5 2...

Page 7: ...ing 417 9 1 4 Key Distribution 417 9 1 5 The TLS Alternative for VPN 418 9 2 VPN Quick Start 419 9 2 1 IPsec LAN to LAN with Pre shared Keys 420 9 2 2 IPsec LAN to LAN with Certificates 421 9 2 3 IPsec Roaming Clients with Pre shared Keys 422 9 2 4 IPsec Roaming Clients with Certificates 424 9 2 5 L2TP Roaming Clients with Pre Shared Keys 425 9 2 6 L2TP Roaming Clients with Certificates 427 9 2 7 ...

Page 8: ...IDP Traffic Shaping 512 10 2 3 Processing Flow 513 10 2 4 The Importance of Specifying a Network 513 10 2 5 A P2P Scenario 514 10 2 6 Viewing Traffic Shaping Objects 515 10 2 7 Guaranteeing Instead of Limiting Bandwidth 516 10 2 8 Logging 516 10 3 Threshold Rules 517 10 4 Server Load Balancing 520 10 4 1 Overview 520 10 4 2 SLB Distribution Algorithms 521 10 4 3 Selecting Stickiness 522 10 4 4 SLB...

Page 9: ...tate Settings 562 13 5 Connection Timeout Settings 564 13 6 Length Limit Settings 566 13 7 Fragmentation Settings 568 13 8 Local Fragment Reassembly Settings 572 13 9 Miscellaneous Settings 573 A Subscribing to Updates 576 B IDP Signature Groups 578 C Verified MIME filetypes 582 D The OSI Framework 586 Alphabetical Index 587 User Manual 9 ...

Page 10: ...st Proxy Mode 233 4 19 Non transparent Mode Internet Access 245 4 20 Transparent Mode Internet Access 245 4 21 Transparent Mode Scenario 1 247 4 22 Transparent Mode Scenario 2 248 4 23 An Example BPDU Relaying Scenario 251 5 1 DHCP Server Objects 259 6 1 Deploying an ALG 272 6 2 HTTP ALG Processing Order 275 6 3 FTP ALG Hybrid Mode 277 6 4 SMTP ALG Processing Order 288 6 5 Anti Spam Filtering 290 ...

Page 11: ...asic Traffic Shaping Scenario 508 10 8 IDP Traffic Shaping P2P Scenario 514 10 9 A Server Load Balancing Configuration 520 10 10 Connections from Three Clients 523 10 11 Stickiness and Round Robin 524 10 12 Stickiness and Connection rate 524 D 1 The 7 Layers of the OSI Model 586 User Manual 11 ...

Page 12: ... and Enabling Proxy ND 97 3 11 Listing the Available Services 100 3 12 Viewing a Specific Service 101 3 13 Creating a Custom TCP UDP Service 104 3 14 Adding an IP Protocol Service 106 3 15 Defining a VLAN 119 3 16 Configuring a PPPoE Client 122 3 17 Creating an Interface Group 126 3 18 Displaying the ARP Cache 129 3 19 Flushing the ARP Cache 129 3 20 Defining an ARP Neighbor Discovery Object 132 3...

Page 13: ...iveX and Java applets 326 6 14 Setting up a white and blacklist 327 6 15 Enabling Dynamic Web Content Filtering 330 6 16 Enabling Audit Mode 332 6 17 Reclassifying a blocked site 333 6 18 Editing Content Filtering HTTP Banner Files 341 6 19 Activating Anti Virus Scanning 347 6 20 Configuring an SMTP Log Receiver 357 6 21 Setting up IDP for a Mail Server 358 6 22 Adding a Host to the Whitelist 367 ...

Page 14: ...10 1 Applying a Simple Bandwidth Limit 494 10 2 Limiting Bandwidth in Both Directions 496 10 3 Setting up SLB 525 12 1 A simple ZoneDefense scenario 548 User Manual 14 ...

Page 15: ...wn in the text clicking it will open the specified URL in a browser in a new window some systems may not allow this For example http www dlink com Screenshots This guide contains a minimum of screenshots This is deliberate and is done because the manual deals specifically with NetDefendOS and administrators have a choice of management user interfaces It was decided that the manual would be less cl...

Page 16: ...the preceding text It may concern something that is being emphasized or something that is not obvious or explicitly stated in the preceding text Tip This indicates a piece of non critical information that is useful to know in certain situations but is not essential reading Caution This indicates where the reader should be careful with their actions as an undesirable situation may result if care is...

Page 17: ...rent ways This granular control allows the administrator to meet the requirements of the most demanding network security scenarios Key Features NetDefendOS has an extensive feature set The list below presents the key features of the product IP Routing NetDefendOS provides a variety of options for IP routing including static routing dynamic routing as well as multicast routing capabilities In addit...

Page 18: ... Section 6 5 Intrusion Detection and Prevention Note Full IDP is available on all D Link NetDefend product models as a subscription service On some models a simplified IDP subsystem is provided as standard Web Content Filtering NetDefendOS provides various mechanisms for filtering web content that is deemed inappropriate according to a web usage policy With Web Content Filtering WCF web content ca...

Page 19: ...ed on interfaces and within rulesets This feature is not enabled by default and must be explicitly enables on an Ethernet interface More information about this topic can be found in Section 3 2 IPv6 Support NetDefendOS Documentation Reading through the available documentation carefully will ensure getting the most out of the NetDefendOS product In addition to this document the reader should also b...

Page 20: ...tation as the NetDefendOS state engine 1 2 2 NetDefendOS Building Blocks The basic building blocks in NetDefendOS are interfaces logical objects and various types of rules or rule sets Interfaces Interfaces are the doorways through which network traffic enters or leaves the NetDefend Firewall Without interfaces a NetDefendOS system has no means for receiving or sending traffic The following types ...

Page 21: ...s logged If none the above is true the receiving Ethernet interface becomes the source interface for the packet 3 The IP datagram within the packet is passed on to the NetDefendOS Consistency Checker The consistency checker performs a number of sanity checks on the packet including validation of checksums protocol flags packet length and so on If the consistency checks fail the packet gets dropped...

Page 22: ...now evaluated in a similar way to the IP rules If a match is found the IDP data is recorded with the state By doing this NetDefendOS will know that IDP scanning is supposed to be conducted on all packets belonging to this connection 9 The Traffic Shaping and the Threshold Limit rule sets are now searched If a match is found the corresponding information is recorded with the state This will enable ...

Page 23: ...or a physical sub interface additional processing such as encryption or encapsulation might occur The next section provides a set of diagrams illustrating the flow of packets through NetDefendOS 1 2 3 Basic Packet Flow Chapter 1 NetDefendOS Overview 23 ...

Page 24: ... are three diagrams each flowing into the next It is not necessary to understand these diagrams however they can be useful as a reference when configuring NetDefendOS in certain situations Figure 1 1 Packet Flow Schematic Part I The packet flow is continued on the following page 1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 24 ...

Page 25: ...Figure 1 2 Packet Flow Schematic Part II The packet flow is continued on the following page 1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 25 ...

Page 26: ...Figure 1 3 Packet Flow Schematic Part III 1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 26 ...

Page 27: ...below presents the detailed logic of the Apply Rules function in Figure 1 2 Packet Flow Schematic Part II above Figure 1 4 Expanded Apply Rules Logic 1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27 ...

Page 28: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 28 ...

Page 29: ...wing management interfaces The Web Interface The Web Interface also known as the Web User Interface or WebUI is built into NetDefendOS and provides a user friendly and intuitive graphical management interface accessible from a standard web browser The browser connects to one of the hardware s Ethernet interfaces using HTTP or HTTPS and the NetDefendOS responds like a web server allowing web pages ...

Page 30: ...interface is available LAN1 is the default interface 2 1 2 The Default Administrator Account By default NetDefendOS has a local user database AdminUsers that contains one predefined administrator account This account has the username admin with password admin This account has full administrative read write privileges for NetDefendOS Important For security reasons it is recommended to change the de...

Page 31: ...lt management Ethernet interface of the firewall and the external workstation computer s Ethernet interface must be members of the same logical IP network for communication between them to succeed Therefore the connecting Ethernet interface of the workstation must be manually assigned the following static IP values DFL 210 260 800 860 1600 2500 DFL 260E 860E 1660 2560 2560G IP Address 192 168 1 30...

Page 32: ...endOS setup and establishing public Internet access Important Switch off popup blocking Popup blocking must be disabled in the web browser to allow the NetDefendOS Setup Wizard to run since this appears in a popup window Multi language Support The Web Interface login dialog offers the option to select a language other than English for the interface Language support is provided by a set of separate...

Page 33: ...ber of buttons and drop down menus that are used to perform configuration tasks as well as for navigation to various tools and status pages Home Navigates to the first page of the Web Interface Configuration i Save and Activate Saves and activates the configuration ii Discard Changes Discards any changes made to the configuration during the current session iii View Changes List the changes made to...

Page 34: ...of the Web Interface contains a tree representation of the system configuration The tree is divided into a number of sections corresponding to the major building blocks of the configuration The tree can be expanded to expose additional sections and the selected set of objects are displayed in the Web Interface s central main window C Main Window The main window contains configuration or status det...

Page 35: ... management policy for example https 3 Check the HTTPS checkbox 4 Select the following from the dropdown lists User Database AdminUsers Interface any Network all nets 5 Click OK Caution Do not expose the management interface to the Internet The above example is provided for informational purposes only It is never recommended to expose any management interface to any user on the Internet Logging ou...

Page 36: ...ormed This section only provides a summary for using the CLI For a complete reference for all CLI commands see the separate D Link CLI Reference Guide The most often used CLI commands are add Adds an object such as an IP address or a rule to a NetDefendOS configuration set Sets some property of an object to a value For example this might be used to set the source interface on an IP rule show Displ...

Page 37: ...nt CLI prompt After a command appears it can be re executed in its original form or changed first before execution Tab Completion Remembering all the commands and their options can be difficult NetDefendOS provides a feature called tab completion which means that pressing the tab key will cause automatically completion of the current part of the command If completion is not possible then pressing ...

Page 38: ...y tab Will fill in the default value for LogSeverity add LogReceiverSyslog example Address example_ip LogSeverity Emergency Alert Critical Error Warning Notice Info This severity list can then be edited with the back arrow and backspace keys A default value is not always available For example the Action of an IP rule has no default Appending Property Values Another usage of the period character be...

Page 39: ...sary to first choose a member of that category with the cc change category command before individual objects can be manipulated This is the case for example with routes There can be more than one routing table so when adding or manipulating a route we first have to use the cc command to identify which routing table we are interested in Suppose a route is to be added to the routing table main The f...

Page 40: ...es however it is strongly recommended to avoid this If a duplicate IP rule name is used in two IP rules then only the Index value can uniquely identify each IP rule in subsequent CLI commands Referencing an IP rule with a duplicated name will fail and result in an error message Using Hostnames in the CLI For certain CLI commands IP addresses can optionally be specified as a textual hostname instea...

Page 41: ...S supports version 1 1 5 and 2 of the SSH protocol SSH access is regulated by the remote management policy in NetDefendOS and is disabled by default Example 2 2 Enabling SSH Remote Access This example shows how to enable remote SSH access from the lannet network through the lan interface by adding a rule to the remote management policy Command Line Interface gw world add RemoteManagement RemoteMgm...

Page 42: ...LocalUserDatabase called AdminUsers which exists by default gw world cc LocalUserDatabase AdminUsers We are now in AdminUsers and can change the password of the admin user gw world AdminUsers set User admin Password my password Finally we return the current category to the top level gw world AdminUsers cc Note The console password is separate The password that can be set to protect direct serial c...

Page 43: ...n includes a reloading of the configuration in other words reconfiguration To shutdown and restart both NetDefendOS and completely reinitialize the hardware including the NetDefendOS loader equivalent to switching the hardware off then on use the command gw world shutdown reboot The reboot option is rarely needed in normal circumstances and because it requires more time for the restart it is best ...

Page 44: ... values for the IPv4 address objects for if2 which already exist in the NetDefendOS address book starting with the interface IP gw world set Address IP4Address if2_ip Address 10 8 1 34 The network IP address for the interface must also be set to the appropriate value gw world set Address IP4Address if2_net Address 10 8 1 0 24 In this example local IP addresses are used for illustration but these c...

Page 45: ...mmands NetDefendOS provides a feature called CLI scripting A CLI script is a predefined sequence of CLI commands which can be executed after they are saved to a file and the file is then uploaded to the NetDefend Firewall The steps for creating a CLI script are as follows 1 Create a text file with a text editor containing a sequential list of CLI commands one per line The D Link recommended conven...

Page 46: ...variable names are specified as a list at the end of the script execute command line The number n in the variable name indicates the variable value s position in this list 1 comes first 2 comes second and so on Note The symbol 0 is reserved Notice that the name of the first variable is 1 The variable 0 is reserved and is always replaced before execution by the name of the script file itself For ex...

Page 47: ... errors are returned by a command in the script file Script Output Any output from script execution will appear at the CLI console Normally this output only consists of any error messages that occur during execution To see the confirmation of each command completing the verbose option should be used gw world script execute name my_script2 sgs verbose Saving Scripts When a script file is uploaded t...

Page 48: ...e local management workstation and then uploaded to and executed on other NetDefend Firewalls to duplicate the objects For example suppose the requirement is to create the same set of IP4Address objects on several NetDefend Firewalls that already exist on a single unit The administrator would connect to the single unit with the CLI and issue the command gw world script create Address IP4Address na...

Page 49: ...vice These node types are skipped when the script file is created and NetDefendOS gives the message No objects of selected category or type Tip Listing commands at the console To list the created CLI commands on the console instead of saving them to a file leave out the option name in the script create command Commenting Script Files Any line in a script file that begins with the character is trea...

Page 50: ...not shown in the examples given here The following table summarizes the operations that can be performed between an SCP client and NetDefendOS File type Upload possible Download possible Configuration Backup config bak Yes also with WebUI Yes also with WebUI System Backup full bak Yes also with WebUI Yes also with WebUI Firmware upgrades Yes No Certificates Yes No SSH public keys Yes No Web auth b...

Page 51: ...r username is admin1 and the IPv4 address of the NetDefend Firewall is 10 5 62 11 then to upload a configuration backup the SCP command would be scp config bak admin1 10 5 62 11 To download a configuration backup to the current local directory the command would be scp admin1 10 5 62 11 config bak To upload a file to an object type under the root the command is slightly different If we have a local...

Page 52: ...rd Set When NetDefendOS is started for the first time with no console password set for console access then the full set of boot menu options are displayed as shown below The options available in the boot menu are 1 Start firewall This initiates the complete startup of the NetDefendOS software on the NetDefend Firewall 2 Reset unit to factory defaults This option will restore the hardware to its in...

Page 53: ...g nothing as the password and just pressing the Enter key to the prompt The Console Password is Only for the Console The password set for the console is not connected to the management username password combinations used for administrator access through a web browser It is valid only for console access 2 1 8 Management Advanced Settings Under the Remote Management section of the Web Interface a nu...

Page 54: ...he properties that are available for the configuration object as well as the constraints for those properties For instance the IP4Address type is used for all configuration objects representing a named IPv4 address Object Organization In the Web Interface the configuration objects are organized into a tree like structure based on the type of the object In the CLI similar configuration object types...

Page 55: ...le row in the list can be selected by clicking on the row on a spot where there is no hyperlink The background color of the row will turn dark blue Right clicking the row will display a menu which gives the option to edit or delete the object as well as modify the order of the objects Example 2 4 Displaying a Configuration Object The simplest operation on a configuration object is to show its cont...

Page 56: ... Value Name telnet DestinationPorts 23 Type TCP SourcePorts 0 65535 SYNRelay No PassICMPReturn No ALG none MaxSessions 1000 Comments Modified Comment Web Interface 1 Go to Objects Services 2 Click on the telnet hyperlink in the list 3 In the Comments textbox a suitable comment 4 Click OK Verify that the new comment has been updated in the list Important Configuration changes must be activated Chan...

Page 57: ...e Interface gw world delete Address IP4Address myhost Web Interface 1 Go to Objects Address Book 2 Right click on the row containing the myhost object 3 In the dropdown menu displayed select Delete The row will be rendered with a strike through line indicating that the object is marked for deletion Example 2 8 Undeleting a Configuration Object A deleted object can always be restored until the conf...

Page 58: ...nfiguration is validated and NetDefendOS will attempt to initialize affected subsystems with the new configuration data Important Committing IPsec Changes The administrator should be aware that if any changes that affect the configurations of live IPsec tunnels are committed then those live tunnels connections will be terminated and must be re established If the new configuration is validated NetD...

Page 59: ...ically try to connect back to the Web Interface after 10 seconds If the connection succeeds this is interpreted by NetDefendOS as confirmation that remote management is still working The new configuration is then automatically committed Note Changes must be committed The configuration must be committed before changes are saved All changes to a configuration can be ignored simply by not committing ...

Page 60: ... low level and mandatory system events The conn_open event for example is a typical high level event that generates an event message whenever a new connection is established given that the matching security policy rule has defined that event messages should be generated for that connection An example of a low level event would be the startup_normal event which generates a mandatory event message a...

Page 61: ...ady logging to Syslog servers using syslog with NetDefendOS messages can simplify overall administration This receiver type is discussed further below in Section 2 2 5 Logging to Syslog Hosts 2 2 4 Logging to MemoryLogReceiver The MemoryLogReceiver also known as Memlog is an optional NetDefendOS feature that allows logging direct to memory in the NetDefend Firewall instead of sending messages to a...

Page 62: ...the format name value This enables automatic filters to easily find the values they are looking for without assuming that a specific piece of data is in a specific location in the log entry Note The Prio and Severity fields The Prio field in SysLog messages contains the same information as the Severity field for D Link Logger messages However the ordering of the numbering is reversed Example 2 11 ...

Page 63: ...f the ID number of the log message is not specified then all log messages for the specified category will be included The ID of specific log messages can be found in the Log Reference Guide Type This can be one the following i Exclude This will exclude the specified log message s even if they are allowed by the severity filter ii Include This will include the specified log message s even if they a...

Page 64: ...ique identification within the category Description A short textual description Action What action is NetDefendOS taking This information can be cross referenced to the Log Reference Guide Note SNMP Trap standards NetDefendOS sends SNMP Traps which are based on the SNMPv2c standard as defined by RFC1901 RFC1905 and RFC1906 Example 2 12 Sending SNMP Traps to an SNMP Trap Receiver To enable generati...

Page 65: ...rator must make a case by case judgement about the message load that log servers can deal with This can often depend on the server hardware platform being used and if the resources of the platform are being shared with other tasks Default 2000 Alarm Repeat Interval The delay in seconds between alarms when a continuous alarm is used As discussed in Section 2 4 3 Hardware Monitoring the log event me...

Page 66: ...er accounting In this way all the benefits of centralized servers are thus extended to user connection accounting The usage of RADIUS for NetDefendOS authentication is discussed in Section 8 2 Authentication Setup 2 3 2 RADIUS Accounting Messages Message Generation Statistics such as number of bytes sent and received and number of packets sent and received are updated and stored throughout RADIUS ...

Page 67: ...mestamp when this packet was sent from NetDefendOS STOP Message Parameters Parameters included in STOP messages sent by NetDefendOS are Type Marks this accounting request as signalling the end of a session STOP ID An identifier matching a previously sent AccountingRequest packet with Acct Status Type set to START User Name The user name of the authenticated user NAS IP Address The IP address of th...

Page 68: ... feature the RADIUS server can track how many bytes and packets an authenticated user has sent and received up until the point when the last message was sent An Interim Accounting Message contains the current values of the statistics for an authenticated user It contains more or less the same parameters as found in an accounting request STOP message except that the Acct Terminate Cause is not incl...

Page 69: ...ort 1813 RetryTimeout 2 RoutingTable main Web Interface 1 Go to User Authentication Accounting Servers Add Radius Server 2 Now enter Name my accounting IP Address 192 168 03 01 Port 1813 Retry Timeout 2 Shared Secret 231562514098273 Confirm Secret 231562514098273 Routing Table main 3 Click OK 2 3 5 RADIUS Accounting Security Communication between NetDefendOS and any RADIUS accounting server is pro...

Page 70: ... conclude that the accounting server is unreachable The administrator can use the NetDefendOS advanced setting Allow on error to determine how this situation is handled If the Allow on error setting is enabled an already authenticated user s session will be unaffected If it is not enabled any affected user will automatically be logged out even if they have already been authenticated 2 3 8 Accounti...

Page 71: ...ccounting server cannot be reached even though the user has been previously authenticated Default Enabled Logout at shutdown If there is an orderly shutdown of the NetDefend Firewall by the administrator then NetDefendOS will delay the shutdown until it has sent RADIUS accounting STOP messages to any configured RADIUS server If this option is not enabled NetDefendOS will shutdown even though there...

Page 72: ...en initiate one of 3 configurable actions A NetDefendOS reconfigure A High Availability HA cluster failover An HA cluster failover followed by a NetDefendOS reconfigure The Link Monitor Reconfigure is Different The reconfigure that can be triggered by the link monitor has one special aspect to it The link monitor reconfigure has the additional action of restarting all interfaces This means that if...

Page 73: ...gering of a reconfiguration by the link monitor will then cause the slave to failover back to the master which will then failover back to the slave again and so on If it is important to not allow a failover during reconfiguration of the active unit in an HA cluster then the advanced setting Reconf Failover Time should be set to a value which is neither too low or too high Reconf Failover Time cont...

Page 74: ...nt The GET REQUEST operation The GET NEXT REQUEST operation The GET BULK REQUEST operation SNMP Version 2c only The NetDefendOS MIB The Management Information Base MIB is a database usually in the form of a text file which defines the parameters on a network device that an SNMP client can query or change The MIB file for a device running NetDefendOS is distributed with the standard NetDefendOS dis...

Page 75: ...a remote client is communicating over the public Internet It is therefore advisable to have remote access take place over an encrypted VPN tunnel or similarly secure means of communication Preventing SNMP Overload The advanced setting SNMP Request Limit restricts the number of SNMP requests allowed per second This can help prevent attacks through SNMP overload Example 2 14 Enabling SNMP Monitoring...

Page 76: ...Default Enabled SNMP Request Limit Maximum number of SNMP requests that will be processed each second by NetDefendOS Should SNMP requests exceed this rate then the excess requests will be ignored by NetDefendOS Default 100 System Contact The contact person for the managed node Default N A System Name The name for the managed node Default N A System Location The physical location of the node Defaul...

Page 77: ... System Hardware Monitoring section of the Web Interface provides the administrator with the following settings for enabling hardware monitoring when it is available Enable Sensors Enable disable all hardware monitoring functionality Default Disabled Poll Interval Polling interval for the Hardware Monitor which is the delay in milliseconds between readings of hardware monitor values Minimum value ...

Page 78: ...red log servers Note Different hardware has different sensors and ranges Each hardware model may have a different set of sensors and a different operating range The above output and its values are for illustration only Setting the Minimum and Maximum Range The minimum and maximum values shown in the output from the hwm command are set through the Web Interface by going to System Hardware Monitorin...

Page 79: ...ce provides the administrator with a number of settings related to the monitoring of available memory These are Memory Poll Interval Memory polling interval which is the delay in minutes between readings of memory values Minimum 1 Maximum 200 Default 15 minutes Memory Use Percentage True if the memory monitor uses a percentage as the unit for monitoring False if megabytes are used Applies to Alert...

Page 80: ...s Disable by setting to 0 Maximum value is 10 000 Default 0 Warning Level Generate a Warning log message if free memory is below this number of bytes Disable by setting to 0 Maximum value 10 000 Default 0 2 4 4 Memory Monitoring Settings Chapter 2 Management and Maintenance 80 ...

Page 81: ...ap gw world pcapdump cleanup Going through this line by line we have 1 Recording is started for the int interface using a buffer size of 1024 Kbytes gw world pcapdump size 1024 start int 2 The recording is stopped for the int interface gw world pcapdump stop int 3 The dump output is displayed on the console in a summarized form gw world pcapdump show 4 The same information is written in its comple...

Page 82: ...ss ipsrc ipaddr Filter on source IP address ipdest ipaddr Filter on destination IP address port portnum Filter on source or destination port number srcport portnum Filter on source port number destport portnum Filter on destination port number proto id Filter on protocol where id is the decimal protocol id protocolname Instead of the protocol number the protocol name alone can be specified and can...

Page 83: ...her in order to further refine the packets that are of interest For example we might want to examine the packets going to a particular destination port at a particular destination IP address Compatibility with Wireshark The open source tool Wireshark formerly called Ethereal is an extremely useful analysis tool for examining logs of captured packets The industry standard pcap file format used by p...

Page 84: ...create, at the minimum, a configuration backup on a regular basis so that a configuration can be easily recreated in the event of hardware replacement. The alternative is to recreate a configuration by manually adding its contents piece by piece. A System Backup: This is a complete backup of both the configuration and the installed NetDefendOS software, saved into a single file. This is useful if restoring ...

Page 85: ...NetDefend Firewall using SCP Secure Copy or alternatively using the Web Interface Backup cannot be done using CLI commands Similarly restoring a backup is done in the reverse fashion Either by uploading the backup file using SCP or alternatively through the Web Interface A restore cannot be done with CLI commands Operation Interruption Backups can be created at any time without disturbing NetDefen...

Page 86: ...ring a previously created backup Note Backups do not contain everything Backups include only static information from the NetDefendOS configuration Dynamic information such as the DHCP server lease database or Anti Virus IDP databases will not be backed up 2 6 3 Restore to Factory Defaults A restore to factory defaults can be applied so that it is possible to return to the original hardware state t...

Page 87: ...ssigned to the default management interface LAN1 on the DFL 1600 and DFL 2500 models The management interface IP address for the DFL 1660 DFL 2560 and DFL 2560G models will default to 192 168 10 1 The default IP address factory setting for the default management interface is discussed further in Section 2 1 3 The Web Interface Warning Do NOT abort a reset to defaults If the process of resetting to...

Page 88: ...2 6 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 88 ...

Page 89: ...P addresses Using address book objects has a number of important benefits It increases understanding of the configuration by using meaningful symbolic names Using address object names instead of entering numerical addresses reduces errors By defining an IP address object just once in the address book changing the definition automatically also changes all references to it 3 1 2 IP Addresses IP Addr...

Page 90: ...For example 192 168 0 10 192 168 0 15 represents six hosts in consecutive order Example 3 1 Adding an IP Host Address This example adds the IPv4 host www_srv1 with IP address 192 168 10 16 to the address book Command Line Interface gw world add Address IP4Address www_srv1 Address 192 168 10 16 Web Interface 1 Go to Objects Address Book Add IP4 Address 2 Specify a suitable name for the IP host in t...

Page 91: ...t wwwsrv1 3 Choose Delete from the menu 4 Click OK Deleting In use IP Objects If an IP object is deleted that is in use by another object then NetDefendOS will not allow the configuration to be deployed and will generate a warning message In other words it will appear that the object has been successfully deleted but NetDefendOS will not allow the configuration to be saved to the NetDefend Firewal...

Page 92: ...Address Group named for example web servers could be created with the web server hosts as group members Now a single policy can be used with this group thereby greatly reducing the administrative workload IP Addresses Can Be Excluded When groups are created with the Web Interface it is possible to not only add address objects to a group but also to explicitly exclude addresses from the group Howev...

Page 93: ...eway to the Internet This address is used primarily by the routing table but is also used by the DHCP client subsystem to store gateway address information acquired through DHCP If a default gateway address has been provided during the setup phase the default gateway object will contain that address Otherwise the object will be left as 0 0 0 0 0 all nets The all nets IP address object is initializ...

Page 94: ...his means that the IPv6 address and network objects associated with an interface must first be created Example 3 6 Adding IPv6 Host Addresses Assume that an IPv6 address and network have to be associated with the wan interface This example adds two new IPv6 address objects to the address book consisting of the network wan_net6 the IPv6 prefix 2001 DB8 32 and the single IP address wan_ip6 2001 DB8 ...

Page 95: ... Enabling IPv6 Globally This example enables all IPv6 features across the whole of NetDefendOS If an IPv6 feature is used and this setting is not enabled a warning will be generated when the configuration is activated Command Line Interface gw world set Settings IPSettings EnableIPv6 Yes Web Interface 1 Go to System Advanced Settings IP Settings 2 Enable the setting Enable IPv6 3 Click OK B Enable...

Page 96: ... enabled by default Enabling IPv6 Router Advertisement An additional option for an Ethernet interface is to enable IPv6 router advertisement This means that any external client connected to the interface can solicit and receive IPv6 messages to allow it to perform Stateless Address Auto Configuration SLAAC The SLAAC process allows the client to create its own unique global IPv6 address based on th...

Page 97: ...et interface, NetDefendOS will respond to any IPv6 Neighbor Solicitations (NS) sent to that interface with IPv6 Neighbor Advertisements (NA) for the IPv6 address configured for that interface. NetDefendOS will also respond with neighbor advertisements for any networks configured using Proxy Neighbor Discovery. Proxy Neighbor Discovery: The IPv6 feature of Proxy Neighbor Discovery (Proxy ND) in NetDefendOS fun...

Page 98: ...and responding Outgoing ICMP messages from the firewall do not require an IP rule which allows them since the gateway is trusted However if the firewall is to be pinged by an external host then an IP rule must be set up to allow this Such an IP rule would use the predefined Service object called ping6 inbound The service object called all_icmpv6 covers all IPv6 ICMP messages except mobile ICMP mes...

Page 99: ...enabled and IPv6 addresses assigned there is no private and shared IPv6 IP for each pair of interfaces Each interface pair will have the same IPv6 IP address on both master and slave A private IPv6 interface address for each interface in a pair is not possible IPv6 and Transparent Mode Transparent Mode in NetDefendOS does not directly support IPv6 since Switched Routes cannot be defined for IPv6 n...

Page 100: ... the most important usage of service objects and it is also how ALGs become associated with IP rules since an ALG is associated with a service and not directly with an IP rule For more information on how service objects are used with IP rules see Section 3 6 IP Rules Predefined Services A large number of service objects are predefined in NetDefendOS These include common services such as HTTP FTP T...

Page 101: ...jects does not meet the requirements for certain traffic then a new service can be created Reading this section will explain not only how new services are created but also provides an understanding of the properties of predefined services The Type of service created can be one of the following TCP UDP Service A service based on the UDP or TCP protocol or both This type of service is discussed furt...

Page 102: ...estination ports are applicable for the service Specifying Port Numbers Port numbers are specified with all types of services and it is useful to understand how these can be entered in user interfaces They can be specified for both the Source Port and or the Destination Port of a service in the following ways Single Port For many services a single destination port is sufficient For example HTTP us...

Page 103: ... back to the requesting application In some cases it is useful that the ICMP messages are not dropped For example if an ICMP quench message is sent to reduce the rate of traffic flow On the other hand dropping ICMP messages increases security by preventing them being used as a means of attack ALG A TCP UDP service can be linked to an Application Layer Gateway ALG to enable deeper inspection of cer...

Page 104: ... object could provide The best approach is to narrow the service filter in a security policy so it allows only the protocols that are absolutely necessary The all_tcpudpicmp service object is often a first choice for general traffic but even this may allow many more protocols than are normally necessary and the administrator can often narrow the range of allowed protocols further Example 3 13 Crea...

Page 105: ...hat type is assumed ICMP Message Types The message types that can be selected are as follows Echo Request Sent by PING to a destination in order to check connectivity Destination Unreachable The source is told that a problem has occurred when delivering a packet There are codes from 0 to 5 for this type Code 0 Net Unreachable Code 1 Host Unreachable Code 2 Protocol Unreachable Code 3 Port Unreacha...

Page 106: ...col service with the Virtual Router Redundancy Protocol Command Line Interface gw world add Service ServiceIPProto VRRP IPProto 112 Web Interface 1 Go to Objects Services Add IP protocol service 2 Specify a suitable name for the service for example VRRP 3 Enter 112 in the IP Protocol control 4 Optionally enter Virtual Router Redundancy Protocol in the Comments control 5 Click OK 3 3 5 Service Grou...

Page 107: ...y in a custom service The timeout settings that can be customized are as follows Initial Timeout This is the time allowed for a new connection to be open Establish Idle Timeout If there is no activity on a connection for this amount of time then it is considered to be closed and is removed from the NetDefendOS state table The default setting for this time with TCP UDP connections is 3 days Closing...

Page 108: ... itself is the source or destination for traffic Interface Types NetDefendOS supports a number of interface types which can be divided into the following four major groups Ethernet Interfaces Each Ethernet interface represents a physical Ethernet interface on a NetDefendOS based product All network traffic that originates from or enters a NetDefend Firewall will pass through one of the physical in...

Page 109: ...all types of interfaces can be used almost interchangeably in the various NetDefendOS rule sets and other configuration objects This results in a high degree of flexibility in how traffic can be examined controlled and routed Interfaces have Unique Names Each interface in NetDefendOS is given a unique name to be able to identify and select it for use with other NetDefendOS objects in a configurati...

Page 110: ...her devices listen to determine if they are the intended destination for any of these frames A frame is a sequence of bits which specify the originating device plus the destination device plus the data payload along with error checking bits A pause between the broadcasting of individual frames allows devices time to process each frame before the next arrives and this pause is progressively smaller...

Page 111: ...address provided by DHCP The interface IP address is used as the primary address for communicating with the system through the specific Ethernet interface NetDefendOS IP4 Address objects are usually used to define the IPv4 addresses of Ethernet interfaces Those objects are normally auto generated by the system For more information please see Section 3 1 5 Auto Generated Address Objects Tip Specify...

Page 112: ...for a given Ethernet interface then any gateway IP address that is defined for that interface cannot be deleted To remove the gateway address the DHCP option must be first disabled If DHCP is enabled then there is a set of interface specific advanced settings i A preferred IP address can be requested ii A preferred lease time can be requested iii Static routes can be sent from the DHCP server iv D...

Page 113: ...TU This determines the maximum size of packets in bytes that can be sent on this interface By default the interface uses the maximum size supported High Availability There are two options which are specific to high availability clusters 1 A private IPv4 address can be specified for this interface 2 An additional option is to disable the sending of HA cluster heartbeats from this interface Quality ...

Page 114: ...e is represented by the object EthernetInterface To display all the characteristics of an interface for example for interface if1 the CLI command is gw world show EthernetDevice if1 The output from this command shows details about the physical Ethernet card including the bus slot and port number of the card as well as the Ethernet driver being used These details are not relevant to the logical int...

Page 115: ...tab completion is used again at the end of the command line gw world set Address IP4Address tab Category Type Identifier dnsserver1_ip InterfaceAddresses wan_br timesyncsrv1_ip InterfaceAddresses aux_ip InterfaceAddresses wan_dns1 InterfaceAddresses aux_net InterfaceAddresses wan_dns2 InterfaceAddresses dmz_ip InterfaceAddresses wan_gw InterfaceAddresses dmz_net InterfaceAddresses wan_ip Interface...

Page 116: ...face Individual interface details can be displayed for example for the interface if1 with the command gw world show EthernetDevice if1 Property Value Name if1 EthernetDriver E1000EthernetPCIDriver PCIBus 0 PCISlot 17 PCIPort 0 The set command can be used to control an Ethernet interface For example to disable an interface lan the following command can be used gw world set EthernetDevice lan disabl...

Page 117: ... time carry both non-VLAN traffic as well as VLAN trunk traffic for one or multiple VLANs. VLAN Processing: NetDefendOS follows the IEEE 802.1Q specification. This specifies how VLANs function by adding a Virtual LAN Identifier (VLAN ID) to the Ethernet frame headers which are part of a VLAN's traffic. The VLAN ID is a number between 0 and 4095 which is used to identify the specific Virtual LAN to which each fr...

Page 118: ...k In the illustration above the connections between the interfaces if1 and if2 to the switches Switch1 and Switch2 are VLAN trunks Other ports on the switch that connect to VLAN clients are configured with individual VLAN IDs Any device connected to one of these ports will then automatically become part of the VLAN configured for that port In Cisco switches this is called configuring a Static acce...

Page 119: ...Create rules in the IP rule set to allow traffic through on the VLAN interface It is important to understand that the administrator should treat a VLAN interface just like a physical interface in that they require both appropriate IP rules and routes to exist in the NetDefendOS configuration for traffic to flow through them For example if no IP rule with a particular VLAN interface as the source i...

Page 120: ...a protocol for communication between two computers using a serial interface such as the case of a personal computer connected through a switched telephone line to an ISP In terms of the layered OSI model PPP provides a layer 2 encapsulation mechanism to allow packets of any protocol to travel through IP networks PPP uses Link Control Protocol LCP for link establishment configuration and testing On...

Page 121: ...rface It is possible to configure how the firewall should sense activity on the interface either on outgoing traffic incoming traffic or both Also configurable is the time to wait with no activity before the tunnel is disconnected Unnumbered PPPoE When NetDefendOS acts as a PPPoE client support for unnumbered PPPoE is provided by default The additional option also exists to force unnumbered PPPoE ...

Page 122: ...ame exampleuser Password examplepw Web Interface 1 Go to Interfaces PPPoE Add PPPoE Tunnel 2 Then enter Name PPPoEClient Physical Interface wan Remote Network all nets as we will route all traffic into the tunnel Service Name Service name provided by the service provider Username Username provided by the service provider Password Password provided by the service provider Confirm Password Retype th...

Page 123: ... if the tunneling is done across an internal network that is not public Setting Up GRE Like other tunnels in NetDefendOS such as an IPsec tunnel a GRE Tunnel is treated as a logical interface by NetDefendOS with the same filtering traffic shaping and configuration capabilities as a standard interface The GRE options are IP Address This is the IPv4 address of the inside of the tunnel on the local s...

Page 124: ...hed IP address GRE and the IP Rule Set An established GRE tunnel does not automatically mean that all traffic coming from or to that GRE tunnel is trusted On the contrary network traffic coming from the GRE tunnel will be transferred to the NetDefendOS IP rule set for evaluation The source interface of the network traffic will be the name of the associated GRE Tunnel The same is true for traffic i...

Page 125: ...led in the Advanced tab since this will add the route automatically 4 Create the following rules in the IP rule set that allow traffic to pass through the tunnel Name Action Src Int Src Net Dest Int Dest Net Service To_B Allow lan lannet GRE_to_B remote_net_B all_services From_B Allow GRE_to_B remote_net_B lan lannet all_services Setup for NetDefend Firewall B Assuming that the network 192 168 11 ...

Page 126: ... for example as the source interface in an IP rule any of the interfaces in the group could provide a match for the rule A group can consist of ordinary Ethernet interfaces or it could consist of other types such as VLAN interfaces or VPN Tunnels Also the members of a group do not need to be of the same type A group might consist for example of a combination of two Ethernet interfaces and four VLA...

Page 127: ...owing information to define the group Name The name of the group to be used later Security Transport Equivalent If enabled the interface group can be used as a destination interface in rules where connections might need to be moved between the interfaces Interfaces Select the interfaces to be in the group 3 Click OK 3 4 6 Interface Groups Chapter 3 Fundamentals 127 ...

Page 128: ...network receives this packet The host with the specified destination address sends an ARP reply packet to the originating host with its MAC address 3 5 2 The ARP Cache The ARP Cache in network equipment such as switches and firewalls is an important component in the implementation of ARP It consists of a dynamic table that stores the mappings between IP addresses and Ethernet MAC addresses NetDefe...

Page 129: ...he ARP Cache If a host in a network is replaced with new hardware and retains the same IP address then it will probably have a new MAC address If NetDefendOS has an old ARP entry for the host in its ARP cache then that entry will become invalid because of the changed MAC address and this will cause data to be sent to the host over Ethernet which will never reach its destination After the ARP entry...

Page 130: ...g may be done for a number of reasons To give the impression that an interface in NetDefendOS has more than one IP address This is useful if there are several separate IP spans on a single LAN The hosts on each IP span may then use a gateway in their own span when these gateway addresses are published on the corresponding NetDefendOS interface Another use is publishing multiple addresses on an ext...

Page 131: ...nd can determine that it can be reached at a specific MAC address on a specific interface The most frequent use of static ARP objects is in situations where some external network device is not responding to ARP requests correctly and is reporting an incorrect MAC address Some network devices such as wireless modems can have these problems It may also be used to lock an IP address to a specific MAC...

Page 132: ...erface it will make no difference if Publish or XPublish is selected the result will be the same ARP and Neighbor Discovery Neighbor Discovery with IPv6 is the equivalent of ARP with IPv4 For this reason ARP and neighbor discovery are combined in The graphical interface to NetDefendOS uses the same dialog to add either one Neighbor Discovery is discussed further in Section 3 2 IPv6 Support Example...

Page 133: ...e ARP specification the recipient should accept these types of ARP replies However because this could be a malicious attempt to hijack a connection NetDefendOS will by default drop and log unsolicited ARP replies This behavior can be changed by modifying the advanced setting Unsolicited ARP Replies ARP Requests The ARP specification states that a host should update its ARP Cache with data from ARP...

Page 134: ... with the Ethernet address reported in the ARP data If this is not the case the reply will be dropped and logged The behavior can be changed by modifying the setting ARP Match Ethernet Sender 3 5 5 ARP Advanced Settings Summary The following advanced settings are available with ARP ARP Match Ethernet Sender Determines if NetDefendOS will require the sender address at Ethernet level to comply with ...

Page 135: ... request would alter a static item in the ARP table Of course this is never allowed to happen However this setting does allow the administrator to specify whether or not such situations are to be logged Default DropLog Log ARP Resolve Failure This determines whether NetDefendOS will log failed ARP resolve requests or not Logging can be used for monitoring purposes and can be helpful for troublesho...

Page 136: ...exing If the largest directly connected LAN contains 500 IP addresses then the size of the ARP entry hash should be at least 1000 entries Default 512 ARP Hash Size VLAN Hashing is used to rapidly look up entries in a table For maximum efficiency the hash size should be twice as large as the table it is indexing so if the largest directly connected VLAN contains 500 IP addresses the size of the ARP...

Page 137: ...ch the destination IP address of the packet belongs This might be a NetDefendOS IP object which could define a single IP address or range of addresses Service The protocol type to which the packet belongs Service objects define a protocol port type Examples are HTTP and ICMP Service objects also define any ALG which is to be applied to the traffic NetDefendOS provides a large number of predefined ...

Page 138: ... traffic to traverse the NetDefend Firewall as well as allowing NetDefendOS to respond to ICMP Ping requests some IP rules must be defined by the administrator Each IP rule that is added by the administrator will define the following basic filtering criteria From what interface to what interface traffic flows From what network to what network the traffic flows What kind of protocol is affected the...

Page 139: ... IPv6 as shown below Name Action Source Iface Source Net Dest Iface Dest Net Service DropAll Drop any all nets any all nets all_services DropAll6 Drop any all nets6 any all nets6 all_services For further discussion of this topic see Section 3 2 IPv6 Support Traffic Flow Needs an IP Rule and a Route As stated above when NetDefendOS is started for the first time the default IP rules drop all traffic...

Page 140: ...the parameters of the new connection is found The first matching rule s Action is then performed If the action allows it then the establishment of the new connection will go ahead A new entry or state representing the new connection will then be added to the NetDefendOS internal state table which allows monitoring of opened and active connections passing through the NetDefend Firewall If the actio...

Page 141: ...hat matches no IP rule 3 6 3 IP Rule Actions A rule consists of two parts the filtering parameters and the action to take if there is a match with those parameters As described above the parameters of any NetDefendOS rule including IP rules are Source Interface Source Network Destination Interface Destination Network Service When an IP rule is triggered by a match then one of the following Actions...

Page 142: ...ource of the initial connection request If a connection is permitted and then becomes established traffic can flow in either direction over it The exception to this bi directional flow is FwdFast rules If the FwdFast action is used the rule will not allow traffic to flow from the destination back to the source If bi directional flow is required then two FwdFast rules are needed one for either dire...

Page 143: ...is example shows how to create a simple Allow rule that will allow HTTP connections to be opened from the lannet network on the lan interface to any network all nets on the wan interface Command Line Interface First change the current category to be the main IP rule set gw world cc IPRuleSet main Now create the IP rule gw world main add IPRule Action Allow Service http SourceInterface lan SourceNe...

Page 144: ...es in IP rule sets Tip Object groups help to document configurations Object groups are a recommended way to document the contents of NetDefendOS configurations This can be very useful for someone seeing a configuration for the first time In an IP rule set that contains hundreds of rules object groups provide a means to quickly identify those rules associated with a specific aspect of NetDefendOS o...

Page 145: ...log will be displayed which allows two functions Specify the Title The title of the group can be any text that is required and can contain new lines as well as empty lines There is also no requirement that the group name is unique since it is used purely as a label Change the Display Color Any color can be chosen for the group The color can be selected from the 16 predefined color boxes or entered...

Page 146: ...ti step process i Right click the object and select the Move to option ii Enter the index of the position immediately following the target group iii After the object has been moved to the new position right click the object again and select the Join Preceding option Moving Group Objects Once an object such as an IP rule is within a group the context of move operations becomes the group For example...

Page 147: ...also removed if there are no members left. If there is only one member of a group, when this leaves the group the group will no longer exist and the title line will disappear. Groups and Folders: It is important to distinguish between collecting objects together using a folder and collecting them together using groups. Either can be used to group objects, but a folder is similar to the concept of a folder...

Page 148: ...other objects Scheduled Times These are the times during each week when the schedule is applied Times are specified as being to the nearest hour A schedule is either active or inactive during each hour of each day of a week Start Date If this option is used it is the date after which this schedule object becomes active End Date If this option is used it is the date after which this schedule object...

Page 149: ...nterface lan SourceNetwork lannet DestinationInterface any DestinationNetwork all nets Schedule OfficeHours name AllowHTTP Return to the top level gw world main cc Configuration changes must be saved by then issuing an activate followed by a commit command Web Interface 1 Go to Objects Schedules Add Schedule 2 Enter the following Name OfficeHours 3 Select 08 17 Monday to Friday in the grid 4 Click...

Page 150: ...etween the ends of a tunnel is to use Pre shared Keys PSKs As a VPN network grows so does the complexity of using PSKs Certificates provide a means to better manage security in much larger networks Certificate Components A certificate consists of the following A public key The identity of the user such as name and user ID Digital signatures that verify that the information enclosed in the certific...

Page 151: ... for example in VPN tunnel establishment can be due to an incorrect system date or time The NetDefendOS Certificate Cache NetDefendOS maintains a Certificate Cache in local memory which provides processing speed enhancement when certificates are being repeatedly accessed This cache is only completely cleared and initialized when NetDefendOS is restarted For this reason it is important to restart N...

Page 152: ...f other factors should be kept in mind when using certificates If Certificate Revocation Lists CRLs are used then the CRL distribution point is defined as an FQDN for example caserver somecompany com which must be resolved to an IP address using a public DNS server At least one DNS server that can resolve this FQDN should therefore be defined in NetDefendOS Do not get the Host Certificate files an...

Page 153: ...eer or CA server Web Interface 1 Go to Objects Authentication Objects Add Certificate 2 Specify a suitable name for the certificate 3 Now select one of the following Upload self signed X 509 Certificate Upload a remote certificate 4 Click OK and follow the instructions Using Uploaded Certificates Once certificates are uploaded they are stored in non volatile NetDefendOS memory To be used they must...

Page 154: ...fx file to a pem file This can be done with the OpenSSL utility using the console command line openssl pkcs12 in gateway pfx out gateway pem nodes In this command line example the file exported from the CA server is assumed to be called gateway pfx and it is assumed to be in the same local directory as the OpenSSL executable The original gateway pfx file contained 3 certificates CA root certificat...

Page 155: ...nto the system clipboard that line and everything under it up to and including END CERTIFICATE 8 Now paste this copied text into the cer file and save it The saved key and cer files are now ready for upload into NetDefendOS 3 8 3 CA Certificate Requests Chapter 3 Fundamentals 155 ...

Page 156: ...own as Time Servers 3 9 2 Setting Date and Time Current Date and Time The administrator can set the date and time manually and this is recommended when a new NetDefendOS installation is started for the first time Example 3 25 Setting the Current Date and Time To adjust the current date and time follow the steps outlined below Command Line Interface gw world time set YYYY mm DD HH MM SS Where YYYY ...

Page 157: ...ving Time Many regions follow Daylight Saving Time DST or Summer time as it is called in some countries and this means clocks are advanced for the summer period Unfortunately the principles regulating DST vary from country to country and in some cases there can be variations within the same country For this reason NetDefendOS does not automatically know when to adjust for DST Instead this informat...

Page 158: ... January first 1900 Most public Time Servers run the NTP protocol and are accessible using SNTP Configuring Time Servers Up to three Time Servers can be configured to query for time information By using more than a single server situations where an unreachable server causes the time synchronization process to fail can be prevented NetDefendOS always queries all configured Time Servers and then com...

Page 159: ...lty Time Server causes the clock to be updated with an extremely inaccurate time a Maximum Adjustment value in seconds can be set If the difference between the current NetDefendOS time and the time received from a Time Server is greater than this Maximum Adjustment value then the Time Server response will be discarded For example assume that the maximum adjustment value is set to 60 seconds and the...

Page 160: ...ink Time Servers Using D Link s own Time Servers is an option in NetDefendOS and this is the recommended way of synchronizing the firewall clock These servers communicate with NetDefendOS using the SNTP protocol When the D Link Server option is chosen a predefined set of recommended default values for the synchronization are used Example 3 32 Enabling the D Link NTP Server To enable the use of the...

Page 161: ...ver for time synchronization UDPTime or SNTP Simple Network Time Protocol Default SNTP Primary Time Server DNS hostname or IP Address of Timeserver 1 Default None Secondary Time Server DNS hostname or IP Address of Timeserver 2 Default None Tertiary Time Server DNS hostname or IP Address of Timeserver 3 Default None Interval between synchronization Seconds between each resynchronization Default 864...

Page 162: ...ift in seconds that a server is allowed to adjust Default 600 Group interval Interval according to which server responses will be grouped Default 10 3 9 4 Settings Summary for Date and Time Chapter 3 Fundamentals 162 ...

Page 163: ...of up to three DNS servers They are called the Primary Server the Secondary Server and the Tertiary Server For DNS to function at least the primary server must be configured It is recommended to have both a primary and secondary defined so that there is a backup should the primary be unavailable Features Requiring DNS Resolution Having at least one DNS server defined is vital for functioning of the...

Page 164: ...this the option HTTP Post the Values should be enabled This is usually needed when authentication parameters are being sent in the URL By default HTTP Poster does not automatically send the server request after NetDefendOS reconfiguration This behaviour can be changed by enabling the option Repost on each reconfiguration There is one exception to the default behaviour and that is after a reconfigu...

Page 165: ...cease to respond A repost for an individual server can be forced with the command gw world httpposter repost index Where index is the position of the object in the list of posters For example to force a report of the second in the list gw world httpposter repost 2 HTTP Poster Has Other Uses HTTP Poster may be used for other purposes than dynamic DNS Any requirement for NetDefendOS to send an HTTP ...

Page 166: ...3 10 DNS Chapter 3 Fundamentals 166 ...

Page 167: ... one of the most fundamental functions of NetDefendOS Any IP packet flowing through a NetDefend Firewall will be subjected to at least one routing decision at some point in time and properly setting up routing is crucial for the system to function as expected NetDefendOS offers support for the following types of routing mechanisms Static routing Dynamic routing Additionally NetDefendOS supports ro...

Page 168: ...g tables contain a list of routes and these are consulted to find out where to send a packet so it can reach its destination The components of a single route are discussed next The Components of a Route When a route is defined it consists of the following parameters Interface The interface to forward the packet on in order to reach the destination network In other words the interface to which the ...

Page 169: ...en The metric value is also used by Route Failover and Route Load Balancing For more information see Section 4 4 Route Load Balancing and Section 4 2 3 Route Failover A Typical Routing Scenario The diagram below illustrates a typical NetDefend Firewall usage scenario Figure 4 1 A Typical Routing Scenario In the above diagram the LAN interface is connected to the network 192 168 0 0 24 and the DMZ ...

Page 170: ...elected When a routing table is evaluated the ordering of the routes is not important Instead all routes in the relevant routing table are evaluated and the most specific route is used In other words if two routes have destination networks that overlap the narrower network definition will be taken before the wider one This behavior is in contrast to IP rules where the first matching rule is used I...

Page 171: ...etwork is not significant as long as it is the same value for the Default Gateway of the clients and the Local IP Address The effect of adding the route with the Local IP Address is that the NetDefendOS will act as a gateway with the Local IP Address and respond to as well as send out ARP queries as though the interface had that IP address The diagram below illustrates a scenario where this featur...

Page 172: ... separate routing tables can be defined by the administrator to provide alternate routing These user defined extra routing tables can be used to implement Policy Based Routing which means the administrator can set up rules in the IP rule set that decide which of the routing tables will handle certain types of traffic see Section 4 3 Policy based Routing The Route Lookup Mechanism The NetDefendOS ...

Page 173: ...0 0 0 192 168 0 10 192 168 0 10 20 255 255 255 255 255 255 255 255 10 4 2 143 10 4 2 143 1 255 255 255 255 255 255 255 255 192 168 0 10 192 168 0 10 1 Default Gateway 192 168 0 1 Persistent Routes None The corresponding routing table in NetDefendOS will be similar to the following Flags Network Iface Gateway Local IP Metric 192 168 0 0 24 lan 20 10 0 0 0 8 wan 1 0 0 0 0 0 wan 192 168 0 1 20 NetDef...

Page 174: ... over time Example 4 1 Displaying the main Routing Table This example illustrates how to display the contents of the default main routing table Command Line Interface To see the routing table contents gw world cc RoutingTable main gw world main show Route Interface Network Gateway Local IP 1 wan all nets 213 124 165 1 none 2 lan lannet none none 3 wan wannet none none To return the default CLI con...

Page 175: ...o other purpose but to delete the automatically added routes The all nets Route The most important route that should be defined is the route to all nets which usually corresponds to an ISP that provides public Internet access If using the NetDefendOS setup wizard this route is also added automatically However the option also exists for any physical interface to indicate that it should be used for ...

Page 176: ...3 55 66 77 this will result in the following routes existing Route Interface Destination Gateway 1 core 192 168 0 10 2 core 193 55 66 77 When the system receives an IP packet whose destination address is one of the interface IPs the packet will be routed to the core interface In other words it is processed by NetDefendOS itself There is also a core route added for all multicast addresses Route Int...

Page 177: ...le an enterprise relying heavily on access to the Internet could have operations severely disrupted if a single connection to the external Internet via a single Internet Service Provider ISP fails It is therefore not unusual to have backup Internet connectivity using a secondary ISP The connections to the two service providers often use different routes to avoid a single point of failure To allow ...

Page 178: ...es is because automatically created routes have a special status in a NetDefendOS configuration and are treated differently If route monitoring is required on an automatically created route the route should first be deleted and then recreated manually as a new route Monitoring can then be enabled on the new route Setting the Route Metric When specifying routes the administrator should manually se...

Page 179: ...existing connections will automatically be transferred back to it Route Interface Grouping When using route monitoring it is important to check if a failover to another route will cause the routing interface to be changed If this could happen it is necessary to take some precautionary steps to ensure that policies and existing connections will be maintained To illustrate the problem consider the f...

Page 180: ...rnal host systems can be routinely polled to check that a particular route is available The advantages of Host Monitoring are twofold In a complex network topology it is more reliable to check accessibility to external hosts Just monitoring a link to a local switch may not indicate a problem in another part of the internal network Host monitoring can be used to help in setting the acceptable Quali...

Page 181: ...Attempts The maximum permissible number of polling attempts that fail If this number is exceeded then the host is considered unreachable Max Average Latency The maximum number of milliseconds allowable between a poll request and the response If this threshold is exceeded then the host is considered unreachable Average Latency is calculated by averaging the response times from the host If a polling...

Page 182: ...oute is specified to the ISP s gateway route failover may depending on the connected equipment not function as expected This issue rarely occurs but the reason why it occurs is that ARP queries arriving on a disabled route will be ignored 4 2 5 Advanced Settings for Route Failover The following NetDefendOS advanced settings are available for route failover Iface poll interval The time in milliseco...

Page 183: ...with a NetDefend Firewall between the two Host A on one sub network might send an ARP request to find out the MAC address for the IP address of host B on the other sub network With the proxy ARP feature configured NetDefendOS responds to this ARP request instead of host B NetDefendOS sends its own MAC address in reply pretending to be the target host After receiving the reply Host A then sends dat...

Page 184: ...ay of splitting Ethernet networks Setup is simpler than using proxy ARP since only the appropriate switch routes need to be defined Using switch routes is fully explained in Section 4 7 Transparent Mode Proxy ARP depends on static routing where the location of networks on interfaces are known and usually fixed Transparent mode is more suited to networks whose interface location can change Proxy AR...

Page 185: ... why Proxy ARP cannot be enabled for these routes is because automatically created routes have a special status in the NetDefendOS configuration and are treated differently If Proxy ARP is required on an automatically created route the route should first be deleted and then manually recreated as a new route Proxy ARP can then be enabled on the new route 4 2 6 Proxy ARP Chapter 4 Routing 185 ...

Page 186: ...dress range might be routed through one ISP whilst traffic from another address range might be through a second ISP Service based Routing A different routing table might need to be chosen based on the service Policy based routing can route a given protocol such as HTTP through proxies such as Web caches Specific services might also be routed to a specific ISP so that one ISP handles all HTTP traff...

Page 187: ... one of First the named routing table is consulted first of all If this lookup fails the lookup will continue in the main routing table Default the main routing table will be consulted first If the only match is the default route in other words the all nets route the named routing table will be consulted If the lookup in the named routing table fails the lookup as a whole is considered to have fai...

Page 188: ...erface and Source Destination Network When looking up routing rules it is the first matching rule found that is triggered Example 4 6 Creating a Routing Rule In this example a routing rule called my_routing_rule is created This will select the routing table MyPBRTable for any http traffic destined for the network my_network Command Line Interface gw world add RoutingRule Service http SourceInterfa...

Page 189: ...e isp2 routing table Index Interface Destination Gateway 1 wan2 all_nets isp2_ip If traffic coming through wan2 is to have access to lannet then a routing rule needs to be constructed as follows Source Interface Source Network Destination Interface Destination Network Forward Routing Table Return Routing Table wan2 all nets any lannet main isp2 This rule allows the forward traffic through the wan2 ta...

Page 190: ...nation interface used for all rule look ups was done with the original untranslated address 6 If allowed by the IP rule set the new connection is opened in the NetDefendOS state table and the packet forwarded through this connection The Ordering parameter Once the routing table for a new connection is chosen and that table is an alternate routing table the Ordering parameter associated with the ta...

Page 191: ...addresses one from each ISP However this difference does not matter for the policy routing setup itself Note that for a single organization Internet connectivity through multiple ISPs is normally best done with the BGP protocol which means not worrying about different IP spans or about policy routing Unfortunately this is not always possible and this is where Policy Based Routing becomes a necessi...

Page 192: ...r 4 Add two VR policies according to the list of policies shown earlier Go to Routing Routing Rules Add Routing Rule Enter the information found in the list of policies displayed earlier Repeat the above to add the second rule Note Routing rules in the above example are added for both inbound and outbound connections 4 3 Policy based Routing Chapter 4 Routing 192 ...

Page 193: ...bject Round Robin Matching routes are used equally often by successively going to the next matching route Destination This is an algorithm that is similar to Round Robin but provides destination IP stickiness so that the same destination IP address gets the same route Spillover This uses the next route when specified interface traffic limits are exceeded continuously for a given time Disabling RLB...

Page 194: ...he importance of this is that it means that a particular destination application can see all traffic coming from the same source IP address Spillover Spillover is not similar to the previous algorithms With spillover the first matching route s interface is repeatedly used until the Spillover Limits of that route s interface are continuously exceeded for the Hold Timer number of seconds Once this h...

Page 195: ...sses through one of the ISPs then this can be achieved by enabling RLB and setting a low metric on the route to the favoured ISP A relatively higher metric is then set on the route to the other ISP Using Route Metrics with Spillover When using the Spillover algorithm a number of points should be noted regarding metrics and the way alternative routes are chosen Route metrics should always be set Wi...

Page 196: ...ookup In the above example 10 4 16 0 24 may be chosen over 10 4 16 0 16 because the range is narrower with 10 4 16 0 24 for an IP address they both contain RLB Resets There are two occasions when all RLB algorithms will reset to their initial state After NetDefendOS reconfiguration After a high availability failover In both these cases the chosen route will revert to the one selected when the algo...

Page 197: ... address If NAT was being used for the client communication the IP address seen by the server would be WAN1 or WAN2 In order to flow any traffic requires both a route and an allowing IP rule The following rules will allow traffic to flow to either ISP and will NAT the traffic using the external IP addresses of interfaces WAN1 and WAN2 Rule No Action Src Interface Src Network Dest Interface Dest Net...

Page 198: ...is are not included here but the created rules would follow the pattern described above RLB with VPN When using RLB with VPN a number of issues need to be overcome If we were to try and use RLB to balance traffic between two IPsec tunnels the problem that arises is that the Remote Endpoint for any two IPsec tunnels in NetDefendOS must be different The solutions to this issue are as follows Use two...

Page 199: ...sceptible to certain problems such as routing loops One of two types of algorithms are generally used to implement the dynamic routing mechanism A Distance Vector DV algorithm A Link State LS algorithm How a router decides the optimal or best route and shares updated information with other routers depends on the type of algorithm used The two algorithm types will be discussed next Distance Vector ...

Page 200: ... the D Link NetDefend DFL 860E 1660 2560 and 2560G OSPF is not available on the DFL 210 260 and 260E An OSPF enabled router first identifies the routers and sub networks that are directly connected to it and then broadcasts the information to all the other routers Each router uses the information it receives to add the OSPF learned routes to its routing table With this larger picture each OSPF rou...

Page 201: ...th firewalls to know immediately that there is an alternate route between them via firewall B For instance traffic from network X which is destined for network Z will be routed automatically through firewall B From the administrator's point of view only the routes for directly connected networks need to be configured on each firewall OSPF automatically provides the required routing information to f...

Page 202: ... the destination IP address found in the IP packet header IP packets are routed as is in other words they are not encapsulated in any further protocol headers as they transit the Autonomous System AS The Autonomous System The term Autonomous System refers to a single network or group of networks with a single clearly defined routing policy controlled by a common administrator It forms the top leve...

Page 203: ...ndOS object is described further in Section 4 5 3 2 OSPF Area OSPF Area Components A summary of OSPF components related to an area is given below ABRs Area Border Routers are routers that have interfaces connected to more than one area These maintain a separate topological database for each area to which they have an interface ASBRs Routers that exchange routing information with routers in other A...

Page 204: ...te 2 Way In this state the communication between the router and the neighbor is bi directional On Point to Point and Point to Multipoint OSPF interfaces the state will be changed to Full On Broadcast interfaces only the DR BDR will advance to the Full state with their neighbors all the remaining neighbors will remain in the 2 Way state ExStart Preparing to build adjacency Exchange Routers are exch...

Page 205: ...e above example a Virtual Link is configured between fw1 and fw2 on Area 1 as it is used as the transit area In this configuration only the Router ID has to be configured The diagram shows that fw2 needs to have a Virtual Link to fw1 with Router ID 192 168 1 1 and vice versa These virtual links need to be configured in Area 1 B Linking a Partitioned Backbone OSPF allows for linking a partitioned b...

Page 206: ... the NetDefend Firewall needs to have a broadcast interface with at least ONE neighbor for ALL areas that the firewall is attached to In essence the inactive part of the cluster needs a neighbor to get the link state database from It should also be noted that it is not possible to put an HA cluster on the same broadcast network without any other neighbors they will not form adjacency with each other ...

Page 207: ...t the NetDefendOS objects that need to be configured for OSPF routing Defining these objects creates the OSPF network The objects should be defined on each NetDefend Firewall that is part of the OSPF network and should describe the same network An illustration of the relationship between NetDefendOS OSPF objects is shown below Figure 4 12 NetDefendOS OSPF Objects 4 5 3 1 OSPF Router Process This o...

Page 208: ... sure that the correct OSPF router processes are talking to each other and it is therefore mostly used when there are multiple OSPF AS OSPF supports the following authentication options No null authentication No authentication is used for OSPF protocol exchanges Passphrase A simple password is used to authenticate all the OSPF protocol exchanges MD5 Digest MD5 authentication consists of a key ID and 128...

Page 209: ...OSPF AS process are allowed to use if no value is specified the default is 1 of installed RAM Specifying 0 indicates that the OSPF AS process is allowed to use all available RAM in the firewall 4 5 3 2 OSPF Area The Autonomous System AS is divided into smaller parts called an Area this section explains how to configure areas An area collects together OSPF interfaces neighbors aggregates and virtua...

Page 210: ...to the network assigned to the underlying NetDefendOS interface This network is automatically exported to the OSPF AS and does not require a Dynamic Routing Rule Interface Type This can be one of the following Auto Tries to automatically detect interface type This can be used for physical interfaces Broadcast The Broadcast interface type is an interface that has native Layer 2 broadcast multicast ...

Page 211: ...cifies the number of seconds between Hello packets sent on the interface Router Dead Interval If no Hello packets are received from a neighbor within this interval then that neighbor router will be considered to be out of operation RXMT Interval Specifies the number of seconds between retransmissions of LSAs to neighbors on this interface InfTrans Delay Specifies the estimated transmit delay for ...

Page 212: ...PN tunnels this will be the IP address of the tunnel s remote end Metric Specifies the metric to this neighbor 4 5 3 5 OSPF Aggregates OSPF Aggregation is used to combine groups of routes with common addresses into a single entry in the routing table If advertised this will decrease the size of the routing table in the firewall if not advertised this will hide the networks NetDefendOS OSPF Aggreg...

Page 213: ...g Rules In a dynamic routing environment it is important for routers to be able to regulate to what extent they will participate in the routing exchange It is not feasible to accept or trust all received routing information and it might be crucial to avoid parts of the routing database getting published to other routers For this reason Dynamic Routing Rules are used to regulate the flow of routing...

Page 214: ...ter is applied When to Use Export Rules Although an Import rule is needed to import routes from the OSPF AS the opposite is not true The export of routes to networks that are part of OSPF Interface objects is automatic A dynamic routing export rule must be created to explicitly export the route to the OSPF AS Dynamic Routing Rule Objects The diagram below shows the relationship between the NetDef...

Page 215: ...ecifies an interval that the tag of the routers needs to be in between 4 5 4 3 OSPF Action This object defines an OSPF action General Parameters Export to Process Specifies into which OSPF AS the route change should be imported Forward If needed specifies the IP to route via Tag Specifies a tag for this route This tag can be used in other routers for filtering Route Type Specifies what the kind of...

Page 216: ...ate a NetDefendOS OSPF Router Process object This will represent an OSPF Autonomous Area AS which is the highest level in the OSPF hierarchy Give the object an appropriate name The Router ID can be left blank since this will be assigned automatically by NetDefendOS 2 Add an OSPF Area to the OSPF Router Within the OSPF Router Process created in the previous step add a new OSPF Area object Assign an...

Page 217: ...ly for OSPF Interface objects The exception to this is if a route involves an ISP gateway in other words a router hop In this case the route MUST be explicitly exported The most frequent case when this is necessary is for the all nets route to the external public Internet where the gateway is the ISP s router Doing this is discussed in the next step 5 Add a Dynamic Routing Rule for all nets Option...

Page 218: ...tion network but OSPF has determined that that is the optimum route to reach it The CLI command ospf can also be used to indicate OSPF status The options for this command are fully described in the CLI Reference Guide Sending OSPF Traffic Through a VPN Tunnel In some cases the link between two NetDefend Firewalls which are configured with OSPF Router Process objects may be insecure For example ove...

Page 219: ...e setup for firewall A there needs to be two changes made to the IPsec tunnel setup on firewall B These are i In the IPsec tunnel properties the Local Network for the tunnel needs to be set to all nets This setting acts as a filter for what traffic is allowed into the tunnel and all nets will allow all traffic into the tunnel ii In the routing section of the IPsec properties the Specify address ma...

Page 220: ...ween the 10 4 0 0 16 network and the 192 168 0 0 24 network The IP rules that are needed to allow such traffic to flow are not included in this example Example 4 9 Creating an OSPF Router Process First the Autonomous System AS must be defined on both firewalls On firewall A create an OSPF Router Process object Assume the object name will be as_0 Command Line Interface gw world add OSPFProcess as_0...

Page 221: ...F Area 4 For the area properties Enter the area name in this case area_0 Specify the Area ID as 0 0 0 0 5 Click OK Now repeat this for firewall B using the same OSPF Area object name of area_0 Example 4 11 Add OSPF Interface Objects For firewall A add OSPF Interface objects for each physical interface that is to be part of the OSPF area called area_0 Command Line Interface Assume the context is st...

Page 222: ... be imported In this example the OSPF AS configured above with the name as_0 is used Depending on the routing topology it may be preferable to just import certain routes using the Destination Interface Destination Network filters but in this scenario all routes that are within the all nets network object are allowed The steps are first performed for firewall A Command Line Interface gw world add ...

Page 223: ...all A First add a new Dynamic Routing Policy Rule Command Line Interface gw world add DynamicRoutingRule OSPFProcess as_0 Name ExportDefRoute DestinationNetworkIn all nets DestinationInterface If3 From RTable RoutingTable main Web Interface 1 Go to Routing Dynamic Routing Rules Add Dynamic Routing Policy Rule 2 Specify a name for the rule In this case ExportAllNets 3 Select the option From Routing...

Page 224: ...fendOS is called my_ospf_proc normal log generation would be enabled with the CLI command gw world set OSPFProcess my_ospf_proc LogEnabled Yes This is the default setting so the command is only for illustration The following properties can be enabled to provide additional OSPF log messages for troubleshooting and or monitoring purposes DebugPacket Log general packet parsing events DebugHello Log H...

Page 225: ...rovides various options for examining the behaviour of OSPF in real time on a particular In order to see general OSPF activity on a CLI console the snoop option can be used gw world ospf snoop on Usually there is only one OSPFProcess defined for a firewall and there is therefore no need to specify this explicitly in the command The snooping process is turned off with gw world ospf snoop off A sn...

Page 226: ...cess object defined in the configuration the CLI command to halt it is gw world ospf execute stop To start the stopped OSPFRouteProcess gw world ospf execute start To stop and then start in a single command gw world ospf execute restart The ospf command options are fully described in the separate NetDefendOS CLI Reference Guide 4 5 7 OSPF Troubleshooting Chapter 4 Routing 226 ...

Page 227: ...Underlying Principles Multicast routing functions on the principle that an interested receiver joins a group for a multicast by using the IGMP protocol PIM routers can then duplicate and forward packets to all members of such a multicast group thus creating a distribution tree for packet flow Rather than acquiring new network information PIM uses the routing information from existing protocols suc...

Page 228: ...GMP The traffic flow specified by the multiplex rule must have been requested by hosts using IGMP before any multicast packets are forwarded through the specified interfaces This is the default behavior of NetDefendOS Not using IGMP The traffic flow will be forwarded according to the specified interfaces directly without any inference from IGMP Note An Allow or NAT rule is also needed Since the Mu...

Page 229: ...239 192 10 0 24 1234 to the interfaces if1 if2 and if3 All groups have the same sender 192 168 10 1 which is located somewhere behind the wan interface The multicast groups should only be forwarded to the out interfaces if clients behind those interfaces have requested the groups using IGMP The following steps need to be performed to configure the actual forwarding of the multicast traffic IGMP ha...

Page 230: ...te the multiplex rule is then gw world add IPRule SourceNetwork srcnet SourceInterface srcif DestinationInterface srcif DestinationNetwork destnet Action MultiplexSAT Service service MultiplexArgument outif1 ip1 outif2 ip2 outif3 ip3 The two values outif ip represent a combination of output interface and if address translation of a group is needed an IP address If for example multiplexing of the m...

Page 231: ...ding through interface if1 The configuration of the corresponding IGMP rules can be found below in Section 4 6 3 2 IGMP Rules Configuration Address Translation Tip As previously noted remember to add an Allow rule matching the SAT Multiplex rule Example 4 16 Multicast Forwarding Address Translation The following SAT Multiplex rule needs to be configured to match the scenario described above Web In...

Page 232: ...should be replaced with a NAT rule 4 6 3 IGMP Configuration IGMP signalling between hosts and routers can be divided into two categories IGMP Reports Reports are sent from hosts towards the router when a host wants to subscribe to new multicast groups or change current multicast subscriptions IGMP Queries Queries are IGMP messages sent from the router towards the hosts in order to make sure that i...

Page 233: ...he hosts and another IGMP router It will not send any IGMP Queries It will only forward queries and reports between the other router and the hosts In Proxy Mode the firewall will act as an IGMP router towards the clients and actively send queries Towards the upstream router the firewall will be acting as a normal host subscribing to multicast groups on behalf of its clients 4 6 3 IGMP Configuratio...

Page 234: ...ry us for the multicast groups that the clients have requested The following steps need to be executed to create the two rules Web Interface A Create the first IGMP Rule 1 Go to Network Routing IGMP Rules Add IGMP Rule 2 Under General enter Name A suitable name for the rule for example Reports Type Report Action Proxy Output wan this is the relay interface 3 Under Address Filter enter Source Inter...

Page 235: ...s are provided one for each pair of report and query rule The upstream multicast router uses IP UpstreamRouterIP Example 4 18 if1 Configuration The following steps need to be executed to create the report and query rule pair for if1 which uses no address translation Web Interface A Create the first IGMP Rule 1 Go to Network Routing IGMP Rules Add IGMP Rule 2 Under General enter Name A suitable na...

Page 236: ...group translated therefore the IGMP reports include the translated IP addresses and the queries will contain the original IP addresses Web Interface A Create the first IGMP Rule 1 Go to Network Routing IGMP Rules Add IGMP Rule 2 Under General enter Name A suitable name for the rule for example Reports_if2 Type Report Action Proxy Output wan this is the relay interface 3 Under Address Filter enter ...

Page 237: ...gs for IGMP can be found in the Web Interface by going to Network Routing Advanced Multicast Settings Auto Add Multicast Core Route This setting will automatically add core routes in all routing tables for the multicast IP address range 224 0 0 0 4 If the setting is disabled multicast packets might be forwarded according to the default route Default Enabled IGMP Before Rules For IGMP traffic by pa...

Page 238: ...otal Requests The maximum global number of IGMP messages to process each second Default 1000 IGMP Max Interface Requests The maximum number of requests per interface and second Global setting on interfaces without an overriding IGMP Setting Default 100 IGMP Query Interval The interval in milliseconds between General Queries sent by the device to refresh its IGMP state Global setting on interfaces ...

Page 239: ...ery Interval The interval of General Queries in milliseconds used during the startup phase Global setting on interfaces without an overriding IGMP Setting Default 30 000 IGMP Unsolicitated Report Interval The time in milliseconds between repetitions of an initial membership report Global setting on interfaces without an overriding IGMP Setting Default 1 000 4 6 4 Advanced IGMP Settings Chapter 4 R...

Page 240: ...ircumstances switch routes can have a network range specified instead of all nets This is usually when a network is split between two interfaces but the administrator does not know exactly which users are on which interface Usage Scenarios Two examples of Transparent Mode usage are Implementing Security Between Users In a corporate environment there may be a need to protect the computing resources...

Page 241: ...create a hybrid case by applying address translation on otherwise transparent traffic How Transparent Mode Functions In Transparent Mode NetDefendOS allows ARP transactions to pass through the NetDefend Firewall and determines from this ARP traffic the relationship between IP addresses physical addresses and interfaces NetDefendOS remembers this address information in order to relay IP packets to ...

Page 242: ...he interfaces this latter option is discussed further below 3 Create the appropriate IP rules in the IP rule set to allow the desired traffic to flow between the interfaces operating in Transparent Mode If no restriction at all is to be initially placed on traffic flowing in transparent mode the following single IP rule could be added but more restrictive IP rules are recommended Action Src Interf...

Page 243: ...ow switch route interconnections for one routing table are completely separate from the switch route interconnections for another routing table By using different routing tables in this way we can create two separate transparent mode networks The routing table used for an interface is decided by the Routing Table Membership parameter for each interface To implement separate Transparent Mode networ...

Page 244: ...ot be used with High Availability and therefore true transparent mode cannot be implemented with a NetDefendOS High Availability Cluster Instead of Switch Routes the solution in a High Availability setup is to use Proxy ARP to separate two networks This is described further in Section 4 2 6 Proxy ARP The key disadvantage with this approach is that firstly clients will not be able to roam between N...

Page 245: ...s to operate in transparent mode between the users and the ISP The illustration below shows how using switch routes the NetDefend Firewall is set up to be transparent between the internal physical Ethernet network pn2 and the Ethernet network to the ISP s gateway pn1 The two Ethernet networks are treated as a single logical IP network in Transparent Mode with a common address range in this example...

Page 246: ...to group all the addresses into a single group IP object and then use that object in a single defined route In the above example 85 12 184 39 and 194 142 215 15 could be grouped into a single object in this way Using NAT NAT should not be enabled for NetDefendOS in Transparent Mode since as explained previously the NetDefend Firewall is acting like a level 2 switch and address translation is done ...

Page 247: ...IP Address 10 0 0 1 Network 10 0 0 0 24 Default Gateway 10 0 0 1 Transparent Mode Enable 3 Click OK 4 Go to Interfaces Ethernet Edit lan 5 Now enter IP Address 10 0 0 2 Network 10 0 0 0 24 Transparent Mode Enable 6 Click OK Configure the rules 1 Go to Rules IP Rules Add IPRule 2 Now enter Name HTTPAllow Action Allow Service http 4 7 3 Transparent Mode Scenarios Chapter 4 Routing 247 ...

Page 248: ...nd there is no need for the hosts on the internal network to know if a resource is on the same network or placed on the DMZ The hosts on the internal network are allowed to communicate with an HTTP server on DMZ while the HTTP server on the DMZ can be reached from the Internet The NetDefend Firewall is transparent between the DMZ and LAN but traffic is still controlled by the IP rule set Figure 4 ...

Page 249: ...Interface Groups Add InterfaceGroup 2 Now enter Name TransparentGroup Security Transport Equivalent Disable Interfaces Select lan and dmz 3 Click OK Configure the routing 1 Go to Routing Main Routing Table Add SwitchRoute 2 Now enter Switched Interfaces TransparentGroup Network 10 0 0 0 24 Metric 0 3 Click OK Configure the rules 1 Go to Rules IP Rules Add IPRule 2 Now enter Name HTTP LAN to DMZ Ac...

Page 250: ...g the Bridge Protocol Data Units BPDUs across the NetDefend Firewall BPDU frames carry Spanning Tree Protocol STP messages between layer 2 switches in a network STP allows the switches to understand the network topology and avoid the occurrences of loops in the switching of packets The diagram below illustrates a situation where BPDU messages would occur if the administrator enables the switches t...

Page 251: ... Enabling Disabling BPDU Relaying BPDU relaying is disabled by default and can be controlled through the advanced setting Relay Spanning tree BPDUs Logging of BPDU messages can also be controlled through this setting When enabled all incoming STP RSTP and MSTP BPDU messages are relayed to all transparent interfaces in the same routing table except the incoming interface 4 7 5 Advanced Settings for...

Page 252: ...e dynamically Default Enabled L3 Cache Size This setting is used to manually configure the size of the Layer 3 Cache Enabling Dynamic L3C Size is normally preferred Default Dynamic Relay Spanning tree BPDUs When set to Ignore all incoming STP RSTP and MSTP BPDUs are relayed to all transparent interfaces in the same routing table except the incoming interface Options Ignore Let the packets pass but...

Page 253: ... the packets pass but do not log Log Let the packets pass and log the event Drop Drop the packets DropLog Drop packets log the event Default Drop 4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 253 ...

Page 254: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 254 ...

Page 255: ...ress a MAC address a domain name and a lease for the IP address to the client in a unicast message DHCP Leases Compared to static assignment where the client owns the address dynamic addressing by a DHCP server leases the address to each client for a predefined period of time During the lifetime of a lease the client has permission to keep the assigned address and is guaranteed to have no address ...

Page 256: ... they are defined the last defined being at the top of the list When NetDefendOS searches for a DHCP server to service a request it goes through the list from top to bottom and chooses the first server with a matching combination of interface and relayer IP filter value If there is no match in the list then the request is ignored The DHCP server ordering in the list can of course be changed throug...

Page 257: ...lease Primary Secondary DNS The IP of the primary and secondary DNS servers Primary Secondary NBNS WINS IP of the Windows Internet Name Service WINS servers that are used in Microsoft environments which uses the NetBIOS Name Servers NBNS to assign IP addresses to NetBIOS names Next Server Specifies the IP address of the next server in the boot process This is usually a TFTP server DHCP Server Adva...

Page 258: ... 4 13 240 00 1e 0b a0 c6 5f ACTIVE STATIC 10 4 13 241 00 0c 29 04 f8 3c ACTIVE STATIC 10 4 13 242 00 1e 0b aa ae 11 ACTIVE STATIC 10 4 13 243 00 1c c4 36 6c c4 INACTIVE STATIC 10 4 13 244 00 00 00 00 02 14 INACTIVE STATIC 10 4 13 254 00 00 00 00 02 54 INACTIVE STATIC 10 4 13 1 00 12 79 3b dd 45 ACTIVE 10 4 13 2 00 12 79 c4 06 e7 ACTIVE 10 4 13 3 00 a0 f8 23 45 a3 ACTIVE 10 4 13 4 00 0e 7f 4b e2 29...

Page 259: ...he command gw world dhcpserver release blacklist Additional Server Settings A NetDefendOS DHCP server can have two other sets of objects associated with it Static Hosts Custom Options The illustration below shows the relationship between these objects Figure 5 1 DHCP Server Objects The following sections discuss these two DHCP server options 5 2 1 Static DHCP Hosts Where the administrator requires...

Page 260: ...efined Command Line Interface 1 First change the category to the DHCPServer1 context gw world cc DHCPServer DHCPServer1 2 Add the static DHCP assignment gw world add DHCPServerPoolStaticHost Host 192 168 1 1 MACAddress 00 90 12 13 14 15 3 All static assignments can then be listed and each is listed with an index number gw world show Comments 1 none 4 An individual static assignment can be shown us...

Page 261: ... sent For example if the type is String then the data is a character string Data This is the actual information that will be sent in the lease This can be one value or a comma separated list The meaning of the data is determined by the Code and Type For example if the code is set to 66 TFTP server name then the Type could be String and the Data would then be a site name such as tftp mycompany com ...

Page 262: ... interface on which it sends out the forwarded request Although all NetDefendOS interfaces are core routed that is to say a route exists by default that routes interface IP addresses to Core for relayed DHCP requests this core routing does not apply Instead the interface is the source interface and not core Example 5 3 Setting up a DHCP Relayer This example allows clients on NetDefendOS VLAN inter...

Page 263: ...s for this relayed DHCP lease 4 Click OK 5 3 1 DHCP Relay Advanced Settings The following advanced settings are available with DHCP relaying Max Transactions Maximum number of transactions at the same time Default 32 Transaction Timeout For how long a dhcp transaction can take place Default 10 seconds Max PPM How many dhcp packets a client can send to through NetDefendOS to the dhcp server during ...

Page 264: ... at the same time Default 256 Auto Save Policy What policy should be used to save the relay list to the disk possible settings are Disabled ReconfShut or ReconfShutTimer Default ReconfShut Auto Save Interval How often in seconds should the relay list be saved to disk if DHCPServer_SaveRelayPolicy is set to ReconfShutTimer Default 86400 5 3 1 DHCP Relay Advanced Settings Chapter 5 DHCP Services 264...

Page 265: ... should use the DHCP server s residing on the specified interface Specify DHCP Server Address Specify DHCP server IP s in preferred ascending order to be used This option is used instead of the behind interface option Using the IP loopback address 127 0 0 1 indicates that the DHCP server is NetDefendOS itself Server filter Optional setting used to specify which servers to use If unspecified any DH...

Page 266: ... this value Maximum clients Optional setting used to specify the maximum number of clients IPs allowed in the pool Sender IP This is the source IP to use when communicating with the DHCP server Memory Allocation for Prefetched Leases As mentioned in the previous section the Prefetched Leases option specifies the size of the cache of leases which is maintained by NetDefendOS This cache provides fas...

Page 267: ... 10 14 1 with 10 prefetched leases It is assumed that this IP address is already defined in the address book as an IP object called ippool_dhcp Command Line Interface gw world add IPPool ip_pool_1 DHCPServerType ServerIP ServerIP ippool_dhcp PrefetchLeases 10 Web Interface 1 Go to Objects IP Pools Add IP Pool 2 Now enter Name ip_pool_1 3 Select Specify DHCP Server Address 4 Add ippool_dhcp to the ...

Page 268: ...5 4 IP Pools Chapter 5 DHCP Services 268 ...

Page 269: ...ules an access rule is always in place which is known as the Default Access Rule This default rule is not really a true rule but operates by checking the validity of incoming traffic by performing a reverse lookup in the NetDefendOS routing tables This lookup validates that the incoming traffic is coming from a source that the routing tables indicate is accessible via the interface on which the tr...

Page 270: ...affic with a source IP address belonging to a local trusted host is NOT allowed Any outgoing traffic with a source IP address belonging to an outside untrusted network is NOT allowed The first point prevents an outsider from using a local host s address as its source address The second point prevents any local host from launching the spoof 6 1 3 Access Rule Settings The configuration of an access ...

Page 271: ...y because of this It is always advisable to check Access Rules when troubleshooting puzzling problems in case a rule is preventing some other function such as VPN tunnel establishment from working properly Example 6 1 Setting up an Access Rule A rule is to be defined that ensures no traffic with a source address not within the lannet network is received on the lan interface Command Line Interface ...

Page 272: ...transfer and multimedia transfer ALGs provide higher security than packet filtering since they are capable of scrutinizing all traffic for a specific protocol and perform checks at the higher levels of the TCP IP stack ALGs exist for the following protocols in NetDefendOS HTTP FTP TFTP SMTP POP3 SIP H 323 TLS Deploying an ALG Once a new ALG object is defined by the administrator it is brought into...

Page 273: ...t response architecture A client such as a Web browser sends a request by establishing a TCP IP connection to a known port usually port 80 on a remote server The server answers with a response string followed by a message of its own That message might be for example an HTML file to be shown in the Web browser or an ActiveX component to be executed on the client or perhaps an error message The HTTP...

Page 274: ... other words its filetype does not match its contents is dropped by NetDefendOS on the assumption that it can be a security threat 2 Allow Block Selected Types This option operates independently of the MIME verification option described above but is based on the predefined filetypes listed in Appendix C Verified MIME filetypes When enabled the feature operates in either a Block Selected or an Allo...

Page 275: ...TP ALG 1 Whitelist 2 Blacklist 3 Web content filtering if enabled 4 Anti virus scanning if enabled As described above if a URL is found on the whitelist then it will not be blocked if it also found on the blacklist If it is enabled Anti virus scanning is always applied even though a URL is whitelisted If it is enabled Web content filtering is still applied to whitelisted URLs but if instead of blo...

Page 276: ...n a client and a server The client initiates the connection by connecting to the FTP server Normally the client needs to authenticate itself by providing a predefined login and password After granting access the server will provide the client with a file directory listing from which it can download upload files depending on access rights The FTP ALG is used to manage FTP connections through the Ne...

Page 277: ... issues by fully reassembling the TCP stream of the FTP command channel and examining its contents By doing this the NetDefendOS knows what port to open for the data channel Furthermore the FTP ALG also provides functionality to filter out certain control commands and provide buffer overrun protection Hybrid Mode An important feature of the NetDefendOS FTP ALG is its automatic ability to perform o...

Page 278: ...ts is specified with this option The client will be allowed to connect to any of these if the server is using passive mode The default range is 1024 65535 These options can determine if hybrid mode is required to complete the connection For example if the client connects with passive mode but this is not allowed to the server then hybrid mode is automatically used and the FTP ALG performs the conv...

Page 279: ...r restricting the frequency of commands can be useful The default limit is 20 commands per second Allow 8 bit strings in control channel The option determines if 8 bit characters are allowed in the control channel Allowing 8 bit characters enables support for filenames containing international characters For example accented or umlauted characters Filetype Checking The FTP ALG offers the same file...

Page 280: ...ted file from a remote FTP server on the Internet the server will not be blocked by ZoneDefense since it is outside of the configured network range The virus is however still blocked by the NetDefend Firewall B Blocking infected servers Depending on the company policy an administrator might want to take an infected FTP server off line to prevent local hosts and servers from being infected In this ...

Page 281: ...ts using passive mode The configuration is performed as follows Web Interface A Define the ALG The ALG ftp inbound is already predefined by NetDefendOS but in this example we will show how it can be created from scratch 1 Go to Objects ALG Add FTP ALG 2 Enter Name ftp inbound 3 Check Allow client to use active mode 4 Uncheck Allow server to use passive mode 5 Click OK B Define the Service 1 Go to ...

Page 282: ...dress 5 Enter To New IP Address ftp internal assume this internal IP address for FTP server has been defined in the address book object 6 New Port 21 7 Click OK D Traffic from the internal interface needs to be NATed through a single public IPv4 address 1 Go to Rules IP Rules Add IPRule 2 Now enter Name NAT ftp Action NAT Service ftp inbound service 3 For Address Filter enter Source Interface dmz ...

Page 283: ...s Disable the Allow client to use active mode FTP ALG option so clients can only use passive mode This is much safer for the client Enable the Allow server to use passive mode FTP ALG option This allows clients on the inside to connect to FTP servers that support active and passive mode across the Internet The configuration is performed as follows Web Interface A Create the FTP ALG The ALG ftp out...

Page 284: ...e no rules disallowing or allowing the same kind of ports traffic before these rules The service used here is the ftp outbound service which should be using the predefined ALG definition ftp outbound which is described earlier 1 Go to Rules IP Rules Add IPRule 2 Now enter Name Allow ftp outbound Action Allow Service ftp outbound service 3 For Address Filter enter Source Interface lan Destination I...

Page 285: ...s a much simpler version of FTP with more limited capabilities Its purpose is to allow a client to upload files to or download files from a host system TFTP data transport is based on the UDP protocol and therefore it supplies its own transport and session control protocols which are layered onto UDP TFTP is widely used in enterprise environments for updating software and backing up configurations...

Page 286: ...al server this setup is illustrated later in Section 6 2 5 1 Anti Spam Filtering Local users will then use email client software to retrieve their email from the local SMTP server SMTP is also used when clients are sending email and the SMTP ALG can be used to monitor SMTP traffic originating from both clients and servers SMTP ALG Options Key features of the SMTP ALG are Email rate limiting A maxi...

Page 287: ... This same option is also available in the HTTP ALG and a fuller description of how it works can be found in Section 6 2 2 The HTTP ALG This same option is also available in the HTTP ALG and a fuller description of how it works can be found in Section 6 2 2 The HTTP ALG Anti Virus scanning The NetDefendOS Anti Virus subsystem can scan email attachments searching for malicious code Suspect files ca...

Page 288: ... Extensions Enhanced SMTP ESMTP is defined in RFC 1869 and allows a number extensions to the standard SMTP protocol When an SMTP client opens a session with an SMTP server using ESMTP the client first sends an EHLO command If the server supports ESMTP it will respond with a list of the extensions that it supports These extensions are defined by various separate RFCs For example RFC 2920 defines th...

Page 289: ... this range Tip Exclusion can be manually configured It is possible to manually configure certain hosts and servers to be excluded from being blocked by adding them to the ZoneDefense Exclude List When a client tries to send an email infected with a virus the virus is blocked and ZoneDefense isolates the host from the rest of the network The steps to setting up ZoneDefense with the SMTP ALG are Co...

Page 290: ...ack List DNSBL databases and the information is accessible using a standardized query method supported by NetDefendOS The image below illustrates all the components involved DNSBL Server Queries When the NetDefendOS Anto Spam filtering function is configured the IP address of the email s sending server is sent to one or more DNSBL servers to find out if any DNSBL servers think the email is from a ...

Page 291: ...he Drop threshold in this example is set at 7 then all three DNSBL servers would have to respond in order for the calculated sum to cause the email to be dropped 3 2 2 7 Alternative Actions for Dropped Spam If the calculated sum is greater than or equal to the Drop threshold value then the email is not forwarded to the intended recipient Instead the administrator can choose one of two alternatives...

Page 292: ... software Allowing for Failed DNSBL Servers If a query to a DNSBL server times out then NetDefendOS will consider that the query has failed and the weight given to that server will be automatically subtracted from both the Spam and Drop thresholds for the scoring calculation done for that email If enough DNSBL servers do not respond then this subtraction could mean that the threshold values become...

Page 293: ...o thresholds are specified i Spam Threshold The threshold for tagging mail as spam ii Drop Threshold The threshold for dropping mail The Spam Threshold should be less than the Drop Threshold If the two are equal then only the Drop Threshold applies Specify a textual tag to prefix to the Subject field of email designated as Spam Optionally specify an email address to which dropped email will be sen...

Page 294: ...hich DNSBL Spam filtering is enabled is my_smtp_alg then the output would be gw world dnsbl DNSBL Contexts Name Status Spam Drop Accept my_smtp_alg active 156 65 34299 alt_smtp_alg inactive 0 0 0 The show option provides a summary of the Spam filtering operation of a specific ALG It is used below to examine activity for my_smtp_alg although in this case the ALG object has not yet processed any ema...

Page 295: ...mmand Block connections between client and server that send the username password combination as clear text which can be easily read some servers may not support other methods than this Hide User This option prevents the POP3 server from revealing that a username does not exist This prevents users from trying different usernames until they find a valid one Allow Unknown Commands Non standard POP3 ...

Page 296: ...fic from the clients to flow to the Internet Both clients will therefore appear to have from the same IP address as they make connections to servers across the Internet One client A now establishes a PPTP tunnel to an external host C across the Internet The tunnel endpoints are the client and the external server Because of the NAT IP rule the tunnel connection will appear to be coming from the ext...

Page 297: ...le below shows how the custom service object called pptp_service is associated with a typical NAT rule The clients which are the local end point of the PPTP tunnels are located behind the firewall on the network lannet which is connected to the lan interface The Internet is found on the wan interface which is the destination interface with all nets as the destination network Action Src Interface S...

Page 298: ...may use techniques that lie outside RFC 3261 and it may not be possible to configure the equipment to disable these For this reason such equipment may not be able to operate successfully with the NetDefendOS SIP ALG For example analog to digital converters that do not work with the SIP ALG may come pre configured by service providers with restricted configuration possibilities NAT traversal techni...

Page 299: ...side on the same physical server SIP Media related Protocols A SIP session makes use of a number of protocols These are SDP Session Description Protocol RFC4566 is used for media session initialization RTP Real time Transport Protocol RFC3550 is used as the underlying packet format for delivering audio and video streaming via IP using the UDP protocol RTCP Real time Control Protocol RFC3550 is use...

Page 300: ...hange The disadvantage of removing proxies from the session is that NetDefendOS IP rules must be set up to allow all SIP messages through the NetDefend Firewall and if the source network of the messages is not known then a large number of potentially dangerous connections must be allowed by the IP rule set This problem does not occur if the local proxy is set up with the Record Route option enable...

Page 301: ...ed side of the NetDefend Firewall and can handle registrations from both clients located on the same local network as well as clients on the external unprotected side Communication can take place across the public Internet or between clients on the local network Scenario 3 Protecting proxy and local clients Proxy on a DMZ interface The SIP session is between a client on the local protected side of...

Page 302: ...e being NATed An Allow rule for inbound SIP traffic from the SIP proxy to the IP of the NetDefend Firewall This rule will use core in other words NetDefendOS itself as the destination interface The reason for this is due to the NAT rule above When an incoming call is received NetDefendOS will automatically locate the local receiver perform address translation and forward SIP messages to the receiv...

Page 303: ...of using Record Route is clear since now the destination network for outgoing traffic and the source network for incoming traffic have to include all IP addresses that are possible The Service object for IP rules In this section tables which list IP rules like those above will omit the Service object associated with the rule The same custom Service object is used for all SIP scenarios Scenario 2 P...

Page 304: ...DefendOS itself since inbound traffic will be sent to the private IPv4 address of the SIP proxy An Allow rule which matches the same type of traffic as the SAT rule defined in the previous step Action Src Interface Src Network Dest Interface Dest Network OutboundFrom ProxyUsers NAT lan lannet ip_proxy wan all nets InboundTo ProxyAndClients SAT SETDEST ip_proxy wan all nets core wan_ip InboundTo Pr...

Page 305: ...xy server The server is placed on a separate interface and network to the local clients This setup adds an extra layer of security since the initial SIP traffic is never exchanged directly between a remote endpoint and the local protected clients The complexity is increased in this scenario since SIP messages flow across three interfaces the receiving interface from the call initiator the DMZ inte...

Page 306: ...MZ The IP address of the DMZ interface must be a globally routable IP address This address can be the same address as the one used on the external interface The setup steps are as follows 1 Define a single SIP ALG object using the options described above 2 Define a Service object which is associated with the SIP ALG object The service should have Destination Port set to 5060 the default SIP signal...

Page 307: ...vel An Allow rule for inbound SIP traffic from for example the Internet to the IP address of the DMZ interface The reason for this is because local clients will be NATed using the IP address of the DMZ interface when they register with the proxy located on the DMZ This rule has core as the destination interface in other words NetDefendOS itself When an incoming call is received NetDefendOS uses th...

Page 308: ...o clients on the local network The IP rules with Record Route enabled are Action Src Interface Src Network Dest Interface Dest Network OutboundToProxy Allow lan lannet dmz ip_proxy OutboundFromProxy Allow dmz ip_proxy lan lannet InboundFromProxy Allow dmz ip_proxy core dmz_ip InboundToProxy Allow wan all nets dmz ip_proxy With Record Route disabled the following IP rules must be added to those abo...

Page 309: ...g Used for call signalling It is used to establish a connection between two H 323 endpoints This call signal channel is opened between two H 323 endpoints or between a H 323 endpoint and a gatekeeper For communication between two H 323 endpoints TCP 1720 is used When connecting to a gatekeeper UDP port 1719 H 225 RAS messages are used H 245 Media Control and Transport Provides control of multimedi...

Page 310: ...nslation For NATed traffic the Network can be specified which is what is allowed to be translated The External IP for the Network is specified which is the IPv4 address to NAT with If the External IP is set as Auto then the external IP is found automatically through route lookup Translate Logical Channel Addresses This would normally always be set If not enabled then no address translation will be...

Page 311: ...eed to be added to the rule set make sure there are no rules disallowing or allowing the same kind of ports traffic before these rules Web Interface Outgoing Rule 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323AllowOut Action Allow Service H323 Source Interface lan Destination Interface any Source Network lannet Destination Network 0 0 0 0 0 all nets Comment Allow outgoing calls 3 Click OK...

Page 312: ...te IPs on the phone, incoming traffic needs to be SATed as in the example below. The object ip_phone should be the internal IP of the H.323 phone. Web Interface. Outgoing Rule: 1. Go to Rules > IP Rules > Add > IPRule. 2. Now enter: Name: H323Out, Action: NAT, Service: H323, Source Interface: lan, Destination Interface: any, Source Network: lannet, Destination Network: 0.0.0.0/0 (all-nets), Comment: Allow outgoing calls. 3. Click ...

Page 313: ... external addresses have to be used. However, it is preferred to use an H.323 gatekeeper, as in the H.323 with Gatekeeper scenario, as this only requires one external address. Example 6.6. Two Phones Behind Different NetDefend Firewalls. This scenario consists of two H.323 phones, each one connected behind the NetDefend Firewall on a network with public IPv4 addresses. In order to place calls on these phone...

Page 314: ...cted behind the NetDefend Firewall on a network with private IPv4 addresses. In order to place calls on these phones over the Internet, the following rules need to be added to the rule set in the firewall. Make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules. As we are using private IPs on the phones, incoming traffic needs to be SATed as in the example ...

Page 315: ...K. To place a call to the phone behind the NetDefend Firewall, place a call to the external IP address on the firewall. If multiple H.323 phones are placed behind the firewall, one SAT rule has to be configured for each phone. This means that multiple external addresses have to be used. However, it is preferable to use an H.323 gatekeeper as this only requires one external address. Example 6.8. H.323 with ...

Page 316: ...with the Gatekeeper located at ip_gatekeeper. 3. For SAT enter: Translate: Destination IP Address, To: New IP Address, ip_gatekeeper (IP address of gatekeeper). 4. Click OK. 1. Go to Rules > IP Rules > Add > IPRule. 2. Now enter: Name: H323In, Action: Allow, Service: H323-Gatekeeper, Source Interface: any, Destination Interface: core, Source Network: 0.0.0.0/0 (all-nets), Destination Network: wan_ip (external IP of the firewall), Commen...

Page 317: ... that it is possible for internal phones to call the external phones that are registered with the gatekeeper. Example 6.9. H.323 with Gatekeeper and two NetDefend Firewalls. This scenario is quite similar to scenario 3, with the difference that the NetDefend Firewall is protecting the external phones. The NetDefend Firewall with the Gatekeeper connected to the DMZ should be configured exactly as in sce...

Page 318: ...red with the gatekeeper. Example 6.10. Using the H.323 ALG in a Corporate Environment. This scenario is an example of a more complex network that shows how the H.323 ALG can be deployed in a corporate environment. At the head office DMZ, an H.323 Gatekeeper is placed that can handle all H.323 clients in the head, branch and remote offices. This will allow the whole corporation to use the network for both ...

Page 319: ...Now enter: Name: LanToGK, Action: Allow, Service: H323-Gatekeeper, Source Interface: lan, Destination Interface: dmz, Source Network: lannet, Destination Network: ip_gatekeeper, Comment: Allow H.323 entities on lannet to connect to the Gatekeeper. 3. Click OK. 1. Go to Rules > IP Rules > Add > IPRule. 2. Now enter: Name: LanToGK, Action: Allow, Service: H323-Gatekeeper. 6.2.9. The H.323 ALG. Chapter 6. Security Mechanisms. 319 ...

Page 320: ...from the Gateway to H.323 phones on lannet. 3. Click OK. 1. Go to Rules > IP Rules > Add > IPRule. 2. Now enter: Name: BranchToGW, Action: Allow, Service: H323-Gatekeeper, Source Interface: vpn-branch, Destination Interface: dmz, Source Network: branch-net, Destination Network: ip_gatekeeper, ip_gateway, Comment: Allow communication with the Gatekeeper on DMZ from the Branch network. 3. Click OK. 1. Go to Rules > IP Rules > Add > IPRul...

Page 321: ...Source Network: lannet, Destination Network: hq-net, Comment: Allow communication with the Gatekeeper connected to the Head Office DMZ. 3. Click OK. Example 6.12. Allowing the H.323 Gateway to register with the Gatekeeper. The branch office NetDefend Firewall has an H.323 Gateway connected to its DMZ. In order to allow the Gateway to register with the H.323 Gatekeeper at the Head Office, the following rule has...

Page 322: ...iring additional software. The Relationship with SSL. TLS is a successor to the Secure Sockets Layer (SSL), but the differences are slight. Therefore, for most purposes, TLS and SSL can be regarded as equivalent. In the context of the TLS ALG, we can say that the NetDefend Firewall is providing SSL termination, since it is acting as an SSL end point. Supported Standards. With SSL and TLS, NetDefendOS provides t...

Page 323: ...TLS can be offloaded to the NetDefend Firewall. This is sometimes referred to as SSL acceleration. Any processing advantages that can be achieved can, however, vary and will depend on the comparative processing capabilities of the servers and the NetDefend Firewall. Decrypted TLS traffic can be subject to other NetDefendOS features, such as traffic shaping or looking for server threats with IDP scanning...

Page 324: ... to this issue is for the servers to use relative URLs instead of absolute ones. Cryptographic Suites Supported by NetDefendOS TLS. NetDefendOS TLS supports the following cryptographic suites: 1. TLS_RSA_WITH_3DES_EDE_CBC_SHA. 2. TLS_RSA_WITH_RC4_128_SHA. 3. TLS_RSA_WITH_RC4_128_MD5. 4. TLS_RSA_EXPORT_WITH_RC4_56_SHA (certificate key size up to 1024 bits). 5. TLS_RSA_EXPORT_WITH_RC4_40_MD5 (certificate key size ...

Page 325: ...ort and has very high accuracy. Note: WCF is enabled through the HTTP ALG. All Web Content Filtering is enabled via the HTTP ALG, which is described in Section 6.2.2, The HTTP ALG. 6.3.2. Active Content Handling. Some web content can contain malicious code designed to harm the workstation or the network from where the user is surfing. Typically, such code is embedded into various types of objects or files w...

Page 326: ...ent tool to target specific web sites and make the decision as to whether they should be blocked or allowed. Static and Dynamic Filter Ordering. Additionally, Static Content Filtering takes place before Dynamic Content Filtering (described below), which allows the possibility of manually making exceptions from the automatic dynamic classification process. In a scenario where goods have to be purchased fr...

Page 327: ...n this small scenario, a general surfing policy prevents users from downloading .exe files. However, the D-Link website provides secure and necessary program files which should be allowed to download. Command Line Interface. Start by adding an HTTP ALG in order to filter HTTP traffic: gw-world:/> add ALG ALG_HTTP content_filtering. Then create an HTTP ALG URL to set up a blacklist: gw-world:/> cc ALG ALG_HTTP con...

Page 328: ...y beforehand which URLs to block or to allow. Instead, D-Link maintains a global infrastructure of databases containing huge numbers of current web site URL addresses which are already classified and grouped into a variety of categories, such as shopping, news, sport, adult-oriented and so on. The Dynamic WCF URL databases are updated almost hourly with new, categorized URLs, while at the same time older i...

Page 329: ...s not present in the databases, then the webpage content at the URL will automatically be downloaded to D-Link's central data warehouse and automatically analyzed using a combination of software techniques. Once categorized, the URL is distributed to the global databases and NetDefendOS receives the category for the URL. Dynamic WCF therefore requires a minimum of administration effort. Note: New URL su...

Page 330: ...edules. Setting Fail Mode. The option exists to set the HTTP ALG fail mode in the same way that it can be set for some other ALGs, and it applies to WCF just as it does to functions such as Anti-Virus scanning. The fail mode setting determines what happens when dynamic content filtering cannot function, and typically this is because NetDefendOS is unable to reach the external databases to perform URL l...

Page 331: ...rule to use the new service. 1. Go to Rules > IP Rules. 2. Select the NAT rule handling the HTTP traffic. 3. Select the Service tab. 4. Select the new service, http_content_filtering, in the predefined Service list. 5. Click OK. Dynamic content filtering is now activated for all web traffic from lannet to all-nets. We can validate the functionality with the following steps: 1. On a workstation on the lannet network...

Page 332: ...e content_filtering. 3. Click the Web Content Filtering tab. 4. Select Audit in the Mode list. 5. In the Blocked Categories list, select Search Sites and click the button. 6. Click OK. The steps to then create a service object using the new HTTP ALG and to modify the NAT rule to use the new service are described in the previous example. Allowing Override. On some occasions, Active Content Filtering may prevent...

Page 333: ... for manual inspection. That inspection may result in the web site being reclassified, either according to the category proposed or to a category which is felt to be correct. Example 6.17. Reclassifying a blocked site. This example shows how a user may propose a reclassification of a web site if he believes it is wrongly classified. This mechanism is enabled on a per-HTTP-ALG basis. Command Line In...

Page 334: ...ry 2: News. A web site may be classified under the News category if its content includes information articles on recent events pertaining to topics surrounding a locality (for example, town, city or nation) or culture, including weather forecasting information. Typically this would include most real-time online news publications and technology or trade journals. This does not include financial quotes (refer...

Page 335: ...e www.megamall.com, www.buy-alcohol.se. Category 7: Entertainment. A web site may be classified under the Entertainment category if its content includes any general form of entertainment that is not specifically covered by another category. Some examples of this are music sites, movies, hobbies, special interest and fan clubs. This category also includes personal web pages such as those provided by ISPs. Th...

Page 336: ...tion, services or facilities pertaining to personal investment. URLs in this category include contents such as brokerage services, online portfolio setup, money management forums or stock quotes. This category does not include electronic banking facilities (refer to the E-Banking category, 12). Examples might be www.loadsofmoney.com.au, www.putsandcalls.com. Category 12: E-Banking. A web site may be classified...

Page 337: ...rtstoday.com, www.soccerball.com. Category 17: www-Email Sites. A web site may be classified under the www-Email Sites category if its content includes online web-based email facilities. Examples might be www.coldmail.com, mail.yazoo.com. Category 18: Violence/Undesirable. A web site may be classified under the Violence/Undesirable category if its contents are extremely violent or horrific in nature. This i...

Page 338: ... web site may be classified under the Clubs and Societies category if its content includes information or services relating to a club or society. This includes team or conference web sites. Examples might be www.sierra.org, www.walkingclub.org. Category 23: Music Downloads. A web site may be classified under the Music Downloads category if it provides online music downloading, uploading and sharing fa...

Page 339: ...main focus includes providing advertising-related information or services. Examples might be www.admessages.com, www.tripleclick.com. Category 28: Drugs/Alcohol. A web site may be classified under the Drugs/Alcohol category if its content includes drug- and alcohol-related information or services. Some URLs categorized under this category may also be categorized under the Health category. Examples might b...

Page 340: ...ored as files in NetDefendOS, and these files are known as HTTP Banner Files. The administrator can customize the appearance of the HTML in these files to suit a particular installation's needs. The NetDefendOS management interface provides a simple way to download, edit and re-upload the edited files. Note: The banner files related to authentication rules and web authentication are a separate subject a...

Page 341: ...ed. 8. Press Save to save the changes. 9. Click OK to exit editing. 10. Go to User Authentication > User Authentication Rules. 11. Select the relevant HTML ALG and click the Agent Options tab. 12. Set the HTTP Banners option to be new_forbidden. 13. Click OK. 14. Go to Configuration > Save and Activate to activate the new file. 15. Press Save and then click OK. The new file will be uploaded to NetDefendOS. Tip: Saving chang...

Page 342: ... SSH SCP client, the upload command would be: scp myhtml admin@10.5.62.11:HTTPAuthBanners/mytxt/URLForbidden. The usage of SCP clients is explained further in Section 2.1.6, Secure Copy. 4. Using the CLI, the relevant HTTP ALG should now be set to use the mytxt banner files. If the ALG is called my_http_alg, the command would be: set ALG_HTTP my_http_alg HTTPBanners=mytxt. 5. As usual, the activate followed by...

Page 343: ... backup for when local client antivirus scanning is not available. Enabling Through ALGs. NetDefendOS Anti-Virus is enabled for different types of traffic by enabling it in the related ALG object. It is available for file downloads associated with the following ALGs: The HTTP ALG. The FTP ALG. The POP3 ALG. The SMTP ALG. 6.4.2. Implementation. Streaming. As a file transfer is streamed through the NetDefe...

Page 344: ...otocol levels. If IDP is enabled, it scans all packets designated by a defined IDP rule and does not take notice of higher level protocols, such as HTTP, that generate the packet streams. However, Anti-Virus is aware of the higher level protocol and only looks at the data involved in file transfers. Anti-Virus scanning is a function that therefore logically belongs in an ALG, whereas IDP does not belong t...

Page 345: ...ng in an ALG, the following parameters can be set: 1. General options. Mode: This must be one of: i. Disabled: Anti-Virus is switched off. ii. Audit: Scanning is active but logging is the only action. iii. Protect: Anti-Virus is active. Suspect files are dropped and logged. Fail mode behavior: If a virus scan fails for any reason, then the transfer can be dropped or allowed, with the event being logged. If this optio...

Page 346: ....gif file, but the file's data will not match that type's data pattern because it is infected with a virus. Enabling this function is recommended to make sure this form of attack cannot allow a virus to get through. The possible MIME types that can be checked are listed in Appendix C, Verified MIME filetypes. Setting the Correct System Time. It is important that NetDefendOS has the correct system ti...

Page 347: ...ile from reaching the internal network. Hence, there would be no use in blocking the remote FTP server at the local switches, since NetDefendOS has already stopped the virus. Blocking the server's IP address would only consume blocking entries in the switches. For NetDefendOS to know which hosts and servers to block, the administrator has the ability to specify a network range that should be affected by...

Page 348: ...wn list. 4. Enter 80 in the Destination Port textbox. 5. Select the HTTP ALG just created in the ALG dropdown list. 6. Click OK. C. Finally, modify the NAT rule (called NATHttp in this example) to use the new service: 1. Go to Rules > IP Rules. 2. Select the NAT rule handling the traffic between lannet and all-nets. 3. Click the Service tab. 4. Select the new service, http_anti_virus, in the predefined Service dropdown ...

Page 349: ...ntrusion attempts. It operates by monitoring network traffic as it passes through the NetDefend Firewall, searching for patterns that indicate an intrusion is being attempted. Once detected, NetDefendOS IDP allows steps to be taken to neutralize both the intrusion attempt as well as its source. IDP Issues. In order to have an effective and reliable IDP system, the following issues have to be addressed: Wh...

Page 350: ...tions. The standard subscription is for 12 months and provides automatic IDP signature database updates. This IDP option is available for all D-Link NetDefend models, including those that don't come as standard with Maintenance IDP. Maintenance IDP can be viewed as a restricted subset of Advanced IDP, and the following sections describe how the Advanced IDP option functions. Subscribing to the D-Link Ad...

Page 351: ...t in the cluster will perform regular checking for new database updates. If a new database update becomes available, the sequence of events will be as follows: 1. The active unit determines there is a new update and downloads the required files for the update. 2. The active unit performs an automatic reconfiguration to update its database. 3. This reconfiguration causes a failover, so the passive unit beco...

Page 352: ...an only be entered in the text box. What appears in the upper text box is equivalent to the way signatures are specified when using the CLI to define an IDP rule. HTTP Normalization. Each IDP rule has a section of settings for HTTP normalization. This allows the administrator to choose the actions that should be taken when IDP finds inconsistencies in the URIs embedded in incoming HTTP requests. Some s...

Page 353: ...n IDP Rule, the administrator can enable or disable the option Protect against Insertion/Evasion attack. An Insertion/Evasion Attack is a form of attack which is specifically aimed at evading IDP mechanisms. It exploits the fact that in a TCP/IP data transfer, the data stream must often be reassembled from smaller pieces of data because the individual pieces either arrive in the wrong order or are fra...

Page 354: ...tion/Evasion false positives, then disabling the option may be prudent while the false positive causes are investigated. 6.5.5. IDP Pattern Matching. Signatures. In order for IDP to correctly identify an attack, it uses a profile of indicators, or pattern, associated with different types of attack. These predefined patterns, also known as signatures, are stored in a local NetDefendOS database and are used by...

Page 355: ...tion traffic. They can be used to block certain applications, such as file sharing applications and instant messaging. 6.5.6. IDP Signature Groups. Using Groups. Usually, several lines of attacks exist for a specific protocol, and it is best to search for all of them at the same time when analyzing network traffic. To do this, signatures related to a particular protocol are grouped together. For example, all ...

Page 356: ...with matching for the signatures for the first action specified being done first. IDP Signature Wildcarding. When selecting IDP signature groups, it is possible to use wildcarding to select more than one group. The ? character can be used to wildcard for a single character in a group name. Alternatively, the * character can be used to wildcard for any set of characters of any length in a group name. Caution: ...

Page 357: ...in a summary of IDP events that have occurred in a user-configurable period of time. When an IDP event occurs, NetDefendOS will wait for Hold Time seconds before sending the notification email. However, the email will only be sent if the number of events that occurred in this period of time is equal to or greater than the Log Threshold. When this email has been sent, NetDefendOS will wait for Minimum Rep...

Page 358: ...Threshold. 2. Click OK. IDP Rules: 1. Go to IDP > IDP Rules. 2. Select a rule and choose Edit. 3. Select the action you wish to log and choose Edit. 4. Check the Enable logging checkbox in the Log Settings tab. 5. Click OK. Example 6.21. Setting up IDP for a Mail Server. The following example details the steps needed to set up IDP for a simple scenario where a mail server is exposed to the Internet on the DMZ netwo...

Page 359: ...rvity: All. Signatures: IPS_MAIL_SMTP. Web Interface. Create an IDP Rule. This IDP rule is called IDPMailSrvRule and applies to the SMTP service. Source Interface and Source Network define where traffic is coming from, in this example the external network. The Destination Interface and Destination Network define where traffic is directed to, in this case the mail server. Destination Network should therefore ...

Page 360: ...er. Using Individual Signatures. The preceding example uses an entire IDP group name when enabling IDP. However, it is possible to instead specify individual signatures or a list of signatures for an IDP rule. Individual signatures are identified by their unique number (ID), and multiple signatures are specified as a comma-separated list of these IDs. For example, to specify signatures with the ID 68343, the C...

Page 361: ...jammed Internet connections and business-critical systems in overload. This section deals with using NetDefend Firewalls to protect organizations against these attacks. 6.6.2. DoS Attack Mechanisms. A DoS attack can be perpetrated in a number of ways, but there are three basic types of attack: Consumption of computational resources, such as bandwidth, disk space or CPU time. Disruption of configuration inf...

Page 362: ... turn generates yet another response to itself, etc. This will either bog the victim's machine down or make it crash. The attack is accomplished by using the victim's IP address in the source field of an IP packet as well as in the destination field. NetDefendOS protects against this attack by applying IP spoofing protection to all packets. In its default configuration, it will simply compare arriving p...

Page 363: ...as masses of dropped ICMP Echo Reply packets. The source IP addresses will be those of the amplifier networks used. Fraggle attacks will show up in NetDefendOS logs as masses of dropped (or allowed, depending on policy) packets. The source IP addresses will be those of the amplifier networks used. Avoiding Becoming an Amplifier. Even though the brunt of the bandwidth stream is at the ultimate victim's sid...

Page 364: ...appens. When the state table fills up, old outstanding SYN connections will be the first to be dropped to make room for new connections. Spotting SYN Floods. TCP SYN flood attacks will show up in NetDefendOS logs as excessive amounts of new connections (or drops, if the attack is targeted at a closed port). The sender IP address is almost invariably spoofed. ALGs Automatically Provide Flood Protection. It's...

Page 365: ...ese attacks typically exhaust bandwidth, router processing capacity or network stack resources, breaking network connectivity to the victims. Although recent DDoS attacks have been launched from both private (corporate) and public (institutional) systems, hackers tend to prefer university or institutional networks because of their open, distributed nature. Tools used to launch DDoS attacks include Tri...

Page 366: ...ll value; in other words, it is not cumulative. Block only this Service: By default, blacklisting blocks all services for the triggering host. Exempt already established connections from Blacklisting: If there are established connections that have the same source as this new Blacklist entry, then they will not be dropped if this option is set. IP addresses or networks are added to the list, then the traffic...

Page 367: ...cklist command can be used to look at, as well as manipulate, the current contents of the blacklist and the whitelist. The current blacklist can be viewed with the command: gw-world:/> blacklist -show -black. This blacklist command can be used to remove a host from the blacklist using the -unblock option. Example 6.22. Adding a Host to the Whitelist. In this example we will add an IP address object called white...

Page 369: ...from the public Internet. Security is increased by making it more difficult for intruders to understand the topology of the protected network. Address translation hides internal IP addresses, which means that an attack coming from the outside is more difficult. Types of Translation. NetDefendOS supports two types of translation: Dynamic Network Address Translation (NAT). Static Address Translation (SAT). Appl...

Page 370: ...nnection from dynamically translated addresses uses a unique port number and IP address combination as its sender. NetDefendOS performs automatic translation of the source port number as well as the IP address. In other words, the source IP addresses for connections are all translated to the same IP address, and the connections are distinguished from one another by the allocation of a unique port numb...

Page 371: ...A specific IP address can be specified as the new source IP address. The specified IP address needs to have a matching ARP Publish entry configured for the outbound interface. Otherwise, the return traffic will not be received by the NetDefend Firewall. This technique might be used when the source IP is to differ based on the source of the traffic. For example, an ISP that is using NAT might use differe...

Page 372: ...ing a NAT Rule. The following will add a NAT rule that will perform address translation for all HTTP traffic originating from the internal network lan as it flows out to the public Internet on the wan interface. The IP address of the wan interface will be used as the NATing address for all connections. Command Line Interface. First, change the current category to be the main IP rule set: gw-world:/> cc IPRu...

Page 373: ...ecome unique in the three protocols. For other IP level protocols, unique connections are identified by their sender addresses, destination addresses and protocol numbers. This means that: An internal machine can communicate with several external servers using the same IP protocol. An internal machine can communicate with several external servers using different IP protocols. Several internal machines ca...

Page 374: ... with the client is with the PPTP protocol, but the PPTP tunnel from the client terminates at the firewall. When this traffic is relayed between the firewall and the Internet, it is no longer encapsulated by PPTP. When an application such as a web server now receives requests from the client, it appears as though they are coming from the anonymizing service provider's external IP address and not the cl...

Page 375: ...ions. Subsequent connections involving the same internal client host will then use the same external IP address. The advantage of the stateful approach is that it can balance connections across several external ISP links while ensuring that an external host will always communicate back to the same IP address, which will be essential with protocols such as HTTP when cookies are involved. The disadvanta...

Page 376: ...alancing is not part of this option, there should be spreading of the load across the external connections due to the random nature of the allocating algorithm. IP Pool Usage. When allocating external IP addresses to a NAT Pool, it is not necessary to explicitly state these. Instead, a NetDefendOS IP Pool object can be selected. IP Pools gather collections of IP addresses automatically through DHCP and c...

Page 377: ...k OK. B. Next, create a stateful NAT Pool object called stateful_natpool: 1. Go to Objects > NAT Pools > Add > NAT Pool. 2. Now enter: Name: stateful_natpool, Pool type: stateful, IP Range: nat_pool_range. 3. Select the Proxy ARP tab and add the WAN interface. 4. Click OK. C. Now define the NAT rule in the IP rule set: 1. Go to Rules > IP Rules > Add > IP Rule. 2. Under General enter: Name: Enter a suitable name, such as nat_pool_rule...

Page 378: ... by the SAT rule. For example, if a SAT rule translates the destination from 1.1.1.1 to 2.2.2.2, then the second associated rule should allow traffic to pass to the destination 1.1.1.1 and not 2.2.2.2. Only after the second rule triggers to allow the traffic is the route lookup then done by NetDefendOS on the translated address, to work out which interface the packets should be sent from. 7.4.1. Translat...

Page 379: ...to a Protected Web Server in a DMZ. In this example we will create a SAT policy that will translate and allow connections from the Internet to a web server located in a DMZ. The NetDefend Firewall is connected to the Internet using the wan interface, with address object wan_ip (defined as 195.55.66.77) as IP address. The web server has the IPv4 address 10.10.10.5 and is reachable through the dmz interfa...

Page 380: ...ted. 5. In the New IP Address textbox, enter 10.10.10.5. 6. Click OK. Then create a corresponding Allow rule: 1. Go to Rules > IP Rules > Add > IPRule. 2. Specify a suitable name for the rule, for example Allow_HTTP_To_DMZ. 3. Now enter: Action: Allow, Service: http, Source Interface: any, Source Network: all-nets, Destination Interface: core, Destination Network: wan_ip. 4. Under the Service tab, select http in the Predefined lis...

Page 381: ...an all-nets core wan_ip http; 3. Allow ext2 ext2net core wan_ip http; 4. NAT lan lannet any all-nets all_services. This increases the number of rules for each interface allowed to communicate with the web server. However, the rule ordering is unimportant, which may help avoid errors. If option 2 was selected, the rule set must be adjusted like this (columns: Action, Src Iface, Src Net, Dest Iface, Dest Net, Parameters): 1. S...

Page 382: ...ds a packet to wan_ip to reach www.ourcompany.com: 10.0.0.3:1038 => 195.55.66.77:80. NetDefendOS translates the address in accordance with rule 1 and forwards the packet in accordance with rule 2: 10.0.0.3:1038 => 10.0.0.2:80. wwwsrv processes the packet and replies: 10.0.0.2:80 => 10.0.0.3:1038. This reply arrives directly at PC1 without passing through the NetDefend Firewall. This causes problems. The reason thi...

Page 383: ...n a connection to 192.168.0.50. Attempts to communicate with 194.1.2.22 will result in a connection to 192.168.0.56. An example of when this is useful is when having several protected servers in a DMZ, where each server should be accessible using a unique public IPv4 address. Example 7.5. Translating Traffic to Multiple Protected Web Servers. In this example a SAT IP rule will translate from five pu...

Page 384: ...wsrv_pub SATTranslateToIP=wwwsrv_priv_base SATTranslate=DestinationIP. Finally, create an associated Allow Rule: gw-world:/main> add IPRule Action=Allow Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=wan DestinationNetwork=wwwsrv_pub. Web Interface. Create an address object for the public IPv4 address: 1. Go to Objects > Address Book > Add > IP4 Address. 2. Specify a suitable name for...

Page 385: ...orresponding Allow rule: 1. Go to Rules > IP Rules > Add > IPRule. 2. Specify a suitable name for the rule, for example Allow_HTTP_To_DMZ. 3. Now enter: Action: Allow, Service: http, Source Interface: any, Source Network: all-nets, Destination Interface: wan, Destination Network: wwwsrv_pub. 4. Click OK. 7.4.3. All-to-One Mappings (N:1). NetDefendOS can be used to translate ranges and/or groups into just one IP address. Action, Sr...

Page 386: ...RP publish mechanism. Create a SAT rule that will perform the translation. Create an Allow rule that will permit the incoming HTTP flows. Command Line Interface. Create an address object for the public IPv4 addresses: gw-world:/> add Address IPAddress wwwsrv_pub Address=195.55.66.77-195.55.66.81. Now create another object for the base of the web server IP addresses: gw-world:/> add Address IPAddress wwwsrv_pri...

Page 387: ... cases, and other protocols that simply cannot be translated at all. Protocols that are impossible to translate using SAT are most likely also impossible to translate using NAT. Reasons for this include: The protocol cryptographically requires that the addresses are unaltered; this applies to many VPN protocols. The protocol embeds its IP addresses inside the TCP or UDP level data and subsequently requi...

Page 388: ...other attempt is made to communicate with the web server's public address, it will be redirected to the private address of the publicly accessible web server. Again, note that the above rules require a matching Allow rule at a later point in the rule set in order to work. 7.4.7. SAT and FwdFast Rules. It is possible to employ static address translation in conjunction with FwdFast rules, although return t...

Page 389: ...ompletely different port, which will not work. The problem can be solved using the following rule set (columns: Action, Src Iface, Src Net, Dest Iface, Dest Net, Parameters): 1. SAT any all-nets core wan_ip http SETDEST wwwsrv 80; 2. SAT lan wwwsrv any all-nets 80 All SETSRC wan_ip 80; 3. FwdFast lan wwwsrv any all-nets 80 All; 4. NAT lan lannet any all-nets all_services; 5. FwdFast lan wwwsrv any all-nets 80 All. External tr...

Page 391: ...quipment such as a biometric reader Another problem with A is that the special attribute often cannot be replaced if it is lost Methods B and C are therefore the most common means of identification in network security However these have drawbacks keys might be intercepted passcards might be stolen passwords might be guessable or people may simply be bad at keeping a secret Methods B and C are ther...

Page 392: ...ain secure passwords should also Not be recorded anywhere in written form Never be revealed to anyone else Changed on a regular basis such as every three months 8 1 Overview Chapter 8 User Authentication 392 ...

Page 393: ...etail These are Section 8 2 2 The Local Database Section 8 2 3 External RADIUS Servers Section 8 2 4 External LDAP Servers Section 8 2 5 Authentication Rules 8 2 2 The Local Database The Local User Database is a built in registry inside NetDefendOS which contains the profiles of authorized users and user groups Usernames and passwords can be entered into this database through the Web Interface or ...

Page 394: ...extra security for users with fixed IP addresses Network behind user If a network is specified for this user then when the user connects a route is automatically added to the NetDefendOS main routing table This existence of this added route means that any traffic destined for the specified network will be correctly routed through the user s PPTP L2TP tunnel When the connection to the user ends the...

Page 395: ... message to a designated RADIUS server The server processes the requests and sends back a RADIUS message to accept or deny them One or more external servers can be defined in NetDefendOS RADIUS Security To provide security a common shared secret is configured on both the RADIUS client and the server This secret enables encryption of the messages sent from the RADIUS client to the server and is com...

Page 396: ... clients may require some administrative changes to the LDAP server and this is discussed later Microsoft Active Directory as the LDAP Server A Microsoft Active Directory can be configured in NetDefendOS as an LDAP server There is one option in the NetDefendOS LDAP server setup which has special consideration with Active Directory and that is the Name Attribute This should be set to SAMAccountName...

Page 397: ...equest is received from the server after this time then the server will be considered to be unreachable The default timeout setting is 5 seconds Name Attribute The Name Attribute is the ID of the data field on the LDAP server that contains the username The NetDefendOS default value for this is uid which is correct for most UNIX based servers If using Microsoft Active Directory this should be set t...

Page 398: ...cked Most versions of Windows Active Directory require the Postfix option to be used Routing Table The NetDefendOS routing table where route lookup will be done to resolve the server s IP address into a route The default is the main routing table Database Settings The Database Settings are as follows Base Object Defines where in the LDAP server tree search for user accounts shall begin The users d...

Page 399: ...s the LDAP server is being used to authenticate users connecting via PPP with CHAP MS CHAPv1 or MS CHAPv2 When it is used it determines the ID of the data field in the LDAP server database which contains the user password in plain text The LDAP server administrator must make sure that this field actually does contain the password This is explained in greater detail later Bind Request Authenticatio...

Page 400: ...hentication requests Total number of failed authentication requests Total number of invalid usernames Total number of invalid passwords LDAP Authentication CLI Commands The CLI objects that correspond to LDAP servers used for authentication are called LDAPDatabase objects LDAP servers used for certificate lookup are known as LDAPServer objects in the CLI A specific LDAP server that is defined in Ne...

Page 401: ...l be the ID of the field on the LDAP server that will contain the password when it is sent back This ID must be different from the default password attribute which is usually userPassword for most LDAP servers A suggestion is to use the description field in the LDAP database In order for the server to return the password in the database field with the ID specified the LDAP administrator must make ...

Page 402: ...les are set up in a similar way to other NetDefendOS security policies and that is by specifying which traffic is to be subject to the rule They differ from other policies in that the connection s destination network interface is not of interest but only the source network interface of the client being authenticated Authentication Rule Properties An Authentication Rule has the following parameters...

Page 403: ... Authentication Source This specifies that authentication is to be performed using one of the following i LDAP Users are looked up in an external LDAP server database ii RADIUS An external RADIUS server is used for lookup iii Disallow This option explicitly disallows all connections that trigger this rule Such connections will never be authenticated Any Disallow rules are best located at the end o...

Page 404: ...have been idle for a specific length of time when the new login occurs 8 2 6 Authentication Processing The list below describes the processing flow through NetDefendOS for username password authentication 1 A user creates a new connection to the NetDefend Firewall 2 NetDefendOS sees the new user connection on an interface and checks the Authentication rule set to see if there is a matching rule fo...

Page 405: ...p with the name untrusted We now define two IP objects for the same network 192 168 1 0 24 One IP object is called untrusted_net and has its Group parameter set to the string untrusted The other IP object is called trusted_net and its Group parameter is set to the string trusted The final step is to set up the rules in the IP rule set as shown below Action Src Interface Src Network Dest Interface ...

Page 406: ...possible to authenticate an HTTP or HTTPS client automatically using the MAC address of the connecting client s Ethernet interface This means that authentication is based only on the identity of the client hardware This is useful if the administrator wants to ensure that access is simple for a particular device and the user is not going to be required to type in their credentials The following poin...

Page 407: ...ated client from that network Instead the source network is an administrator defined IP object called trusted_users which is the same network as lannet but has additionally either the Authentication option No Defined Credentials enabled or has an Authentication Group assigned to it which is the same group as that assigned to the users The third rule allows DNS lookup of URLs Forcing Users to a Log...

Page 408: ...an one group enter the group names here separated by a comma users for this example 3 Click OK 4 Repeat Step B to add all the lannet users having the membership of users group into the lannet_auth_users folder Example 8 2 User Authentication Setup for Web Access The configuration below shows how to enable HTTP user authentication for the user group users on lannet Only users that belong to the gr...

Page 409: ...e Allow_http_auth Action NAT Service HTTP Source Interface lan Source Network lannet_users Destination Interface any Destination Network all nets 3 Click OK Example 8 3 Configuring a RADIUS Server The following steps illustrate how a RADIUS server is typically configured Web Interface 1 User Authentication External User Databases Add External User Database 2 Now enter a Name Enter a name for the s...

Page 410: ...ginSuccess page before being automatically redirected to the originally requested page HTTP Banner Files The web page files also referred to as HTTP banner files are stored within NetDefendOS and already exist by default at initial NetDefendOS startup These files can be customized to suit a particular installation s needs either by direct editing in Web Interface or by downloading and re uploading...

Page 411: ...ith MAC Authentication If authentication fails with MAC authentication the USER parameter will contain the MAC address of the requesting client or the MAC address of the intervening router nearest the firewall A typical parameter set of values for the LoginFailure page when MAC address authentication is used might be USER 00 0c 19 f9 14 6f REDIRHOST 10 234 56 71 REDIRURL testing user user pass pas...

Page 412: ...files using SCP The steps to do this are 1 Since SCP cannot be used to download the original default HTML the source code must be first copied from the Web Interface and pasted into a local text file which is then edited using an appropriate editor 2 A new Auth Banner Files object must exist which the edited file s is uploaded to If the object is called ua_html the CLI command to create this objec...

Page 413: ..._auth_rule HTTPBanners ua_html 5 As usual use the activate followed by the commit CLI commands to activate the changes on the NetDefend Firewall 8 3 Customizing Authentication HTML Pages Chapter 8 User Authentication 413 ...


Page 415: ...t is equally important that the recipient can verify that no one is falsifying data in other words pretending to be someone else Virtual Private Networks VPNs meet this need providing a highly cost effective means of establishing secure links between two co operating computers so that data can be exchanged in a secure manner VPN allows the setting up of a tunnel between two devices known as tunnel...

Page 416: ...benefits Confidentiality No one but the intended recipients is able to receive and understand the communication Confidentiality is accomplished by encryption Authentication and Integrity Proof for the recipient that the communication was actually sent by the expected sender and that the data has not been modified in transit This is accomplished by authentication and is often implemented through th...

Page 417: ...with no further precautions It is important to remember that although the VPN connection itself may be secure the total level of security is only as high as the security of the tunnel endpoints It is becoming increasingly common for users on the move to connect directly to their company s network via VPN from their laptops However the laptop itself is often not protected In other words an intruder...

Page 418: ...e using the same key it should be changed In cases where the key is not directly programmed into a network unit such as a VPN firewall how should the key be stored On a floppy As a pass phrase to memorize On a smart card If it is a physical token how should it be handled 9 1 5 The TLS Alternative for VPN If secure access by clients to web servers using HTTP is the scenario under consideration then...

Page 419: ...an flow into the tunnel a route must be defined in a NetDefendOS routing table This route tells NetDefendOS which network can be found at the other end of the tunnel so it knows which traffic to send into the tunnel In most cases this route is created automatically when the tunnel is defined and this can be checked by examining the routing tables If a route is defined manually the tunnel is treate...

Page 420: ...twork which lies behind the remote VPN gateway let s call this object remote_net The local network behind the NetDefend Firewall which will communicate across the tunnel Here we will assume that this is the predefined address lannet and this network is attached to the NetDefendOS lan interface which has the IPv4 address lan_ip 4 Create an IPsec Tunnel object let s call this object ipsec_tunnel Spe...

Page 421: ...revious section where a pre shared key was used The difference is that certificates now replace pre shared keys for authentication Two unique sets of two CA signed certificates two for either end a root certificate and a gateway certificate are required for a LAN to LAN tunnel authentication The setup steps are as follows 1 Open the management Web Interface for the NetDefend Firewall at one end of...

Page 422: ...te at Side A and the root certificate at Side B No CA server considerations are needed with self signed certificates since CRL lookup does not occur 9 2 3 IPsec Roaming Clients with Pre shared Keys This section details the setup with roaming clients connecting through an IPsec tunnel using pre shared keys to a protected Local Network which is located behind a NetDefend Firewall There are two types...

Page 423: ... rule are Agent Auth Source Src Network Interface Client Source IP XAUTH Local all nets any all nets 0 0 0 0 0 2 The IPsec Tunnel object ipsec_tunnel should have the following parameters Set Local Network to lannet Set Remote Network to all nets Set Remote Endpoint to all nets Set Encapsulation mode to Tunnel Set the IKE and IPsec algorithm proposal lists to match the capabilities of the clients N...

Page 424: ...the IP Pool object defined in the previous step Enable the IKE Config Mode Pool option in the IPsec Tunnel object ipsec_tunnel so the created pool is selected Configuring IPsec Clients In both cases A and B above the IPsec client will need to be correctly configured The client configuration will require the following Define the URL or IP address of the NetDefend Firewall The client needs to locate...

Page 425: ... l2tp_pool which defines the range of IP addresses which can be handed out to clients The range chosen could be of two types A range taken from the internal network to which clients will connect If the internal network is 192 168 0 0 24 then we might use the address range 192 168 0 10 to 192 168 0 20 The danger here is that an IP address might be accidentally used on the internal network and hande...

Page 426: ...ally the main table is selected 6 For user authentication Define a Local User DB object let s call this object TrustedUsers Add individual users to TrustedUsers This should consist of at least a username and password combination The Group string for a user can also be specified This is explained in the same step in the IPsec Roaming Clients section above Define a User Authentication Rule Agent Aut...

Page 427: ...rtificates need to be imported into Windows before setting up the connection with the New Connection Wizard The step to set up user authentication is optional since this is additional security to certificates Also review Section 9 7 CA Server Access which describes important considerations for certificate validation 9 2 7 PPTP Roaming Clients PPTP is simpler to set up than L2TP since IPsec is not ...

Page 428: ...efine a User Authentication Rule this is almost identical to L2TP Agent Auth Source Src Network Interface Client Source IP PPP Local all nets pptp_tunnel all nets 0 0 0 0 0 4 Now set up the IP rules in the IP rule set Action Src Interface Src Network Dest Interface Dest Network Service Allow pptp_tunnel pptp_pool any int_net all_services NAT pptp_tunnel pptp_pool ext all nets all_services As descr...

Page 429: ...flow of events can be briefly described as follows IKE negotiates how IKE should be protected IKE negotiates how IPsec should be protected IPsec moves data in the VPN The following sections will describe each of these stages in detail 9 3 2 Internet Key Exchange IKE This section describes IKE the Internet Key Exchange protocol and the parameters that are used with it Encrypting and authenticating ...

Page 430: ... allows for the IPsec connection to be re keyed simply by performing another phase 2 negotiation There is no need to do another phase 1 negotiation until the IKE lifetime has expired IKE Algorithm Proposals An IKE algorithm proposal list is a suggestion of how to protect IPsec data flows The VPN device initiating an IPsec connection will send a list of the algorithms combinations it supports for p...

Page 431: ...t no keys are dependent on any other previously used keys no keys are extracted from the same initial keying material This is to make sure that in the unlikely event that some key was compromised no subsequent keys can be derived Once the phase 2 negotiation is finished the VPN connection is established and ready for traffic to pass through it IKE Parameters There are a number of parameters used i...

Page 432: ...y The remote endpoint can be specified as a URL string such as vpn company com If this is done the prefix dns must be used The string above should therefore be specified as dns vpn company com The remote endpoint is not used in transport mode Main Aggressive Mode The IKE negotiation has two modes of operation main mode and aggressive mode The difference between these two is that aggressive mode wi...

Page 433: ...the IKE connection It is specified in time seconds as well as data amount kilobytes Whenever one of these expires a new phase 1 exchange will be performed If no data was transmitted in the last incarnation of the IKE connection no new connection will be made until someone wants to use the VPN connection again This value must be set greater than the IPsec SA lifetime PFS With Perfect Forwarding Sec...

Page 434: ... used without encryption The algorithms supported by NetDefend Firewall VPNs are AES Blowfish Twofish Cast128 3DES DES IPsec Authentication This specifies the authentication algorithm used on the protected traffic This is not used when ESP is used without authentication although it is not recommended to use ESP without authentication The algorithms supported by NetDefend Firewall VPNs are SHA1 MD5...

Page 435: ...nfigured on both sides of the VPN tunnel Note NetDefendOS does not support manual keying Manual Keying Advantages Since it is very straightforward it will be quite interoperable Most interoperability problems encountered today are in IKE Manual keying completely bypasses IKE and sets up its own set of IPsec SAs Manual Keying Disadvantages It is an old method which was used before IKE came into use...

Page 436: ...ned by someone that the remote endpoint trusts Advantages of Certificates A principal advantage of certificates is added flexibility Many VPN clients for instance can be managed without having the same pre shared key configured on all of them which is often the case when using pre shared keys and roaming clients Instead should a client be compromised the client s certificate can simply be revoked ...

Page 437: ...ter the original IP header in tunnel mode the ESP header is inserted after the outer header but before the original inner IP header All data after the ESP header is encrypted and or authenticated The difference from AH is that ESP also provides encryption of the IP packet The authentication phase also differs in that ESP only authenticates the data after the ESP header thus the outer IP header is ...

Page 438: ... negotiation is moved away from UDP port 500 to port 4500 This is necessary since certain NAT devices treat UDP packets on port 500 differently from other UDP packets in an effort to work around the NAT problems with IKE The problem is that this special handling of IKE packets may in fact break the IKE negotiations which is why the UDP port used by IKE has changed UDP Encapsulation Another problem ...

Page 439: ...defined by default in NetDefendOS for different VPN scenarios and user defined lists can be added Two IKE algorithm lists and two IPsec lists are already defined by default High This consists of a more restricted set of algorithms to give higher security The complete list is 3DES AES Blowfish MD5 SHA1 Medium This consists of a longer set of algorithms The complete list is 3DES AES Blowfish Twofish...

Page 440: ... in a PSK on Different Platforms If a PSK is specified as a passphrase and not a hexadecimal value the different encodings on different platforms can cause a problem with non ASCII characters Windows for example encodes pre shared keys containing non ASCII characters in UTF 16 while NetDefendOS uses UTF 8 Even though they can seem the same at either end of the tunnel there will be a mismatch and t...

Page 441: ...lients A Typical Scenario Consider the scenario of travelling employees being given access to the internal corporate networks using VPN clients The organization administers their own Certificate Authority and certificates have been issued to the employees Different groups of employees are likely to have access to different parts of the internal networks For example members of the sales force need ...

Page 442: ...n EmailAddress john doe D Link com gw world MyIDList cc Finally apply the Identification List to the IPsec tunnel gw world set Interface IPsecTunnel MyIPsecTunnel AuthMethod Certificate IDList MyIDList RootCertificates AdminCert GatewayCertificate AdminCert Web Interface First create an Identification List 1 Go to Objects VPN Objects IKE ID Lists Add ID List 2 Enter a name for the list for example...

Page 443: ...ct the IPsec tunnel object of interest 3 Under the Authentication tab choose X 509 Certificate 4 Select the appropriate certificate in the Root Certificate s and Gateway Certificate controls 5 Select MyIDList in the Identification List 6 Click OK 9 3 8 Identification Lists Chapter 9 VPN 443 ...

Page 444: ... tunnel is trusted On the contrary network traffic that has been decrypted will be checked against the IP rule set When doing this IP rule set check the source interface of the traffic will be the associated IPsec tunnel since tunnels are treated like interfaces in NetDefendOS In addition a Route or an Access rule may have to be defined for roaming clients in order for NetDefendOS to accept specif...

Page 445: ...to the ping messages are not received then the tunnel link is assumed to be broken and an attempt is automatically made to re establish the tunnel This feature is only useful for LAN to LAN tunnels Optionally a specific source IP address and or a destination IP address for the pings can be specified It is recommended to specify a destination IP of a host which is known to be able to reliably re...

Page 446: ...et up the Route in the main routing table or another table if an alternate is being used Set up the Rules a 2 way tunnel requires 2 rules 9 4 3 Roaming Clients An employee who is on the move who needs to access a central corporate server from a notebook computer from different locations is a typical example of a roaming client Apart from the need for secure VPN access the other major issue with ro...

Page 447: ...e local network that the roaming users will connect to Remote Network all nets Remote Endpoint None Encapsulation Mode Tunnel 3 For Algorithms enter IKE Algorithms Medium or High IPsec Algorithms Medium or High 4 For Authentication enter Pre Shared Key Select the pre shared key created earlier 5 Under the Routing tab Enable the option Dynamically add route to the remote network when a tunnel is es...

Page 448: ...hen the certificate was created on the client 8 Create a new ID for every client that is to be granted access rights according to the instructions above D Configure the IPsec tunnel 1 Go to Interfaces IPsec Add IPsec Tunnel 2 Now enter Name RoamingIPsecTunnel Local Network 10 0 1 0 24 This is the local network that the roaming users will connect to Remote Network all nets Remote Endpoint None Enca...

Page 449: ...d office network uses the 10 0 1 0 24 network span with external firewall IP wan_ip Web Interface A Upload all the client certificates 1 Go to Objects Authentication Objects Add Certificate 2 Enter a suitable name for the Certificate object 3 Select the X 509 Certificate option 4 Click OK B Create Identification Lists 1 Go to Objects VPN Objects ID List Add ID List 2 Enter a descriptive name for e...

Page 450: ...r be based on a range of predefined static IP addresses defined for Config Mode or it can come from DHCP servers associated with an IP Pool object An IP pool is a cache of IP addresses collected from DHCP servers and leases on these addresses are automatically renewed when the lease time is about to expire IP Pools also manage additional information such as DNS and WINS NBNS just as an ordinary DH...

Page 451: ...urce IP address of each packet inside an IPsec tunnel is the same as the IP address assigned to the IPsec client with IKE config mode If a mismatch is detected the packet is always dropped and a log message generated with a severity level of Warning This message includes the two IP addresses as well as the client identity Optionally the affected SA can be automatically deleted if validation fails ...

Page 452: ...hods will be used The ikesnoop console command with the verbose option is a tool that can be used to identify the source of such problems by showing the details of this negotiation Using ikesnoop The ikesnoop command can be entered via a CLI console or directly via the RS232 Console To begin monitoring the full command is gw world ikesnoop on verbose This means that ikesnoop output will be sent to...

Page 453: ... the client is trying to find a matching set of protocols methods supported by the server The server examines the list and attempts to find a combination of the protocols methods sent by the client which it can support This matching process is one of the key purposes of the IKE exchange IkeSnoop Received IKE packet from 192 168 0 10 500 Exchange type Identity Protection main mode ISAKMP Version 1 ...

Page 454: ...ad data length 16 bytes Vendor ID 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc Description draft ietf ipsec nat t ike 00 VID Vendor ID Payload data length 16 bytes Vendor ID cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 Description draft ietf ipsec nat t ike 02 VID Vendor ID Payload data length 16 bytes Vendor ID 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f Description draft ietf ipsec nat...

Page 455: ...tion SSH Communications Security QuickSec 2 1 0 VID Vendor ID Payload data length 16 bytes Vendor ID 27 ba b5 dc 01 ea 07 60 ea 4e 31 90 ac 27 c0 d0 Description draft stenberg ipsec nat traversal 01 VID Vendor ID Payload data length 16 bytes Vendor ID 61 05 c4 22 e7 68 47 e4 3f 96 84 80 12 92 ae cd Description draft stenberg ipsec nat traversal 02 VID Vendor ID Payload data length 16 bytes Vendor ...

Page 456: ...0x5e347cb76e95a Message ID 0x00000000 Packet length 220 bytes payloads 4 Payloads KE Key Exchange Payload data length 128 bytes NONCE Nonce Payload data length 16 bytes NAT D NAT Detection Payload data length 16 bytes NAT D NAT Detection Payload data length 16 bytes Step 5 Client Sends Identification The initiator sends the identification which is normally an IP address or the Subject Alternative ...

Page 457: ...pv4 any 0 0 3 192 168 10 20 HASH Hash Payload data length 16 bytes Step 7 Client Sends a List of Supported IPsec Algorithms Now the client sends the list of supported IPsec algorithms to the server It will also contain the proposed host networks that are allowed in the tunnel IkeSnoop Received IKE packet from 192 168 0 10 500 Exchange type Quick mode ISAKMP Version 1 0 Flags E encryption Cookies 0...

Page 458: ...ytes ID ipv4 any 0 0 3 10 4 2 6 ID Identification Payload data length 12 bytes ID ipv4_subnet any 0 0 7 10 4 0 0 16 Explanation of Above Values Transform ID Cipher Key length Cipher key length Authentication algorithm HMAC Hash Group description PFS and PFS group SA life type Seconds or Kilobytes SA life duration Number seconds or kilobytes Encapsulation mode Could be transport tunnel or UDP tunne...

Page 459: ...NCE Nonce Payload data length 16 bytes ID Identification Payload data length 8 bytes ID ipv4 any 0 0 3 10 4 2 6 ID Identification Payload data length 12 bytes ID ipv4_subnet any 0 0 7 10 4 0 0 16 Step 9 Client Confirms Tunnel Setup This last message is a message from the client saying that the tunnel is up and running All client server exchanges have been successful IkeSnoop Received IKE packet fr...

Page 460: ...IKE Send Initial Contact Determines whether or not IKE should send the Initial Contact notification message This message is sent to each remote endpoint when a connection is opened to it and there are no previous IPsec SA using that gateway Default Enabled IKE Send CRLs Dictates whether or not CRLs Certificate Revocation Lists should be sent as part of the IKE exchange Should typically be set to E...

Page 461: ...checking aliveness of the peer will be sent during this time even though no packets from the peer have been received during this time In other words the amount of time in tens of seconds that a tunnel is without traffic or any other sign of life before the peer is considered dead If DPD is due to be triggered but other evidence of life is seen such as IKE packets from the other side of the tunnel ...

Page 462: ... is used with IKEv1 only Default 2 in other words 2 x 10 20 seconds DPD Expire Time The length of time in seconds for which DPD messages will be sent to the peer If the peer has not responded to messages during this time it is considered to be dead In other words this is the length of time in seconds for which DPD R U THERE messages will be sent If the other side of the tunnel has not sent a respo...

Page 463: ...a dial up networks and is still widely used Implementation PPTP can be used in the VPN context to tunnel different protocols across the Internet Tunneling is achieved by encapsulating PPP packets in IP datagrams using Generic Routing Encapsulation GRE IP protocol 47 The client first establishes a connection to an ISP in the normal way using the PPP protocol and then establishes a TCP IP connection...

Page 464: ...er IP Address lan_ip Tunnel Protocol PPTP Outer Interface Filter any Outer Server IP wan_ip 4 Under the PPP Parameters tab select pptp_Pool in the IP Pool control 5 Under the Add Route tab select all_nets from Allowed Networks 6 Click OK Use User Authentication Rules is enabled as default To be able to authenticate the users using the PPTP tunnel it is required to configure NetDefendOS Authenticat...

Page 465: ...ol L2TP_Pool TunnelProtocol L2TP AllowedRoutes all nets Web Interface 1 Go to Interfaces L2TP Servers Add L2TPServer 2 Enter a suitable name for the L2TP Server for example MyL2TPServer 3 Now enter Inner IP Address ip_l2tp Tunnel Protocol L2TP Outer Interface Filter any Outer Server IP wan_ip 4 Under the PPP Parameters tab select L2TP_Pool in the IP Pool control 5 Under the Add Route tab select al...

Page 466: ...unnel will connect to wan_ip Furthermore the IPsec tunnel needs to be configured to dynamically add routes to the remote network when the tunnel is established B Continue setting up the IPsec Tunnel Command Line Interface gw world add Interface IPsecTunnel l2tp_ipsec LocalNetwork wan_ip RemoteNetwork all nets IKEAlgorithms Medium IPsecAlgorithms esp l2tptunnel PSK MyPSK EncapsulationMode Transport...

Page 467: ... IP lan_ip Interface l2tp_ipsec ServerIP wan_ip IPPool l2tp_pool TunnelProtocol L2TP AllowedRoutes all nets ProxyARPInterfaces lan Web Interface 1 Go to Interfaces L2TP Servers Add L2TPServer 2 Enter a name for the L2TP tunnel for example l2tp_tunnel 3 Now enter Inner IP Address lan_ip Tunnel Protocol L2TP Outer Interface Filter l2tp_ipsec Server IP wan_ip 4 Under the PPP Parameters tab check the ...

Page 468: ...main IP rule set gw world cc IPRuleSet main Now add the IP rules gw world main add IPRule action Allow Service all_services SourceInterface l2tp_tunnel SourceNetwork l2tp_pool DestinationInterface any DestinationNetwork all nets name AllowL2TP gw world main add IPRule action NAT Service all_services SourceInterface l2tp_tunnel SourceNetwork l2tp_pool DestinationInterface any DestinationNetwork all...

Page 469: ...tly to the PPTP Server without consulting the rule set Default Enabled Max PPP Resends The maximum number of PPP layer resends Default 10 9 5 4 PPTP L2TP Clients The PPTP and L2TP protocols are described in the previous section In addition to being able to act as a PPTP or L2TP server NetDefendOS also offers the ability to act as a PPTP or L2TP client This can be useful if PPTP or L2TP is preferre...

Page 470: ...oute is normally routed directly across the PPTP L2TP tunnel without a specified gateway Authentication Username Specifies the username to use for this PPTP L2TP interface Password Specifies the password for the interface Authentication Specifies which authentication protocol to use MPPE Specifies if Microsoft Point to Point Encryption is used and which level to use If Dial On Demand is enabled th...

Page 471: ...NetDefendOS and the server A route is added to the routing table in NetDefendOS which specifies that traffic for the server should be routed through the PPTP tunnel Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 471 ...

Page 472: ...of SSL VPN Setup Steps SSL VPN setup requires the following steps On the NetDefend Firewall side i An SSL VPN Interface object needs to be created which configures a particular Ethernet interface to accept SSL VPN connections ii An Authentication Rule needs to be defined for incoming SSL VPN clients and the rule must have the Interface property set to be the name of the SSL VPN object created abov...

Page 473: ...SL VPN tunnel so that the Outer Interface property of the SSL VPN tunnel object is specified to be a PPPoE configuration object instead of a physical Ethernet interface Setting up a PPPoE interface object is described in Section 3 4 4 PPPoE 9 6 2 Configuring SSL VPN in NetDefendOS To configure the SSL VPN in NetDefendOS an SSL VPN Interface object must be defined for each interface on which connect...

Page 474: ...e FQDN instead For example the FQDN might be specified as server some domain com When a client connects to the SSL VPN interface this FQDN is handed out to the client which then resolves the FQDN using DNS to a specific IP address This allows the server address to change dynamically with only the DNS entry being changed If this option is specified the Server IP in General Options above is ignored ...

Page 475: ...layed which offers two choices: i. Download the D-Link SSL VPN client software. If this option has not been chosen before, it must be selected first to install the proprietary D-Link SSL VPN client application. ii. Connect the SSL VPN client. If the client software is already installed, selecting this option starts the client running and an SSL VPN tunnel is established to the firewall. This is discussed n...

Page 476: ... intercept communications between the firewall and the client. Custom Server Connection. When the SSL VPN client software is started, it is possible to connect to an SSL VPN interface on a NetDefend Firewall that has not been connected to before. This is done by enabling the option Specify Custom Server and explicitly specifying the IP address, port and login credentials for the server. With the Specify...

Page 477: ...ace. Traffic can now flow between the client and the firewall, subject to NetDefendOS IP rules. Specifying IP Rules for Traffic Flow. No IP rules need to be specified for the setup of an SSL VPN tunnel itself, provided that the advanced setting SSLVPNBeforeRules is enabled. However, appropriate IP rules need to be specified by the administrator to allow traffic to flow through the tunnel. Since SSL VPN co...

Page 478: ... 0.1 and this is the inner IP of the NetDefendOS end of the tunnel. 1. Create an SSL VPN Object. Command-Line Interface: gw-world:/> add Interface SSLVPNInterface my_sslvpn InnerIP=sslvpn_inner_ip IPAddressPool=sslvpn_pool OuterInterface=If2 ServerIP=sslvpn_server_ip ProxyARPInterfaces=If3. Note: If multiple Proxy ARP interfaces are needed, they are specified as a comma-separated list. For example: If3,If4,If...

Page 479: ...fic range is more secure. Terminator IP: sslvpn_server_ip. 3. For Local User DB choose lannet_auth_users. 4. For Login Type choose HTMLForm. 5. Click OK. The new NetDefendOS configuration should now be deployed. For external client connection, a web browser should be directed to the IP address my_sslvpn_if. This is done either by typing the actual IP address or by using a URL that can resolve to the IP address. 9...

Page 480: ...he FQDN of the certificate's CA server must first be resolved into an IP address. The following scenarios are possible: 1. The CA server is a private server behind the NetDefend Firewall and the tunnels are set up over the public Internet, but to clients that will not try to validate the certificate sent by NetDefendOS. In this case, the IP address of the private server needs only be registered on a pri...

Page 481: ...the NetDefendOS IP rule set need to be defined to allow this traffic through. IP rules are not required if it is NetDefendOS itself that is issuing the request to the CA server. Actions taken by NetDefendOS are trusted by default. This is a general rule that also applies to DNS resolution requests issued by NetDefendOS. Figure 9.7. Certificate Validation Components. CA Server Access by Clients. In a VPN tun...

Page 482: ...the certificate queries are coming only from the NetDefend Firewall and the CA server is on the internal side of the firewall, then the IP address of the internal DNS server must be configured in NetDefendOS so that these requests can be resolved. Turning Off Validation. As explained in the troubleshooting section below, identifying problems with CA server access can be done by turning off the require...

Page 483: ...i-Fi network at an airport, the client will get an IP address from the Wi-Fi network's DHCP server. If that IP also belongs to the network behind the NetDefend Firewall accessible through a tunnel, then Windows will still continue to assume that the IP address is to be found on the client's local network. Windows therefore will not correctly route packets bound for the remote network through the tunne...

Page 484: ... revocation list checking to see if CA server access could be the problem. CA Server issues are discussed further in Section 9.7, CA Server Access. 9.8.3. IPsec Troubleshooting Commands. A number of commands can be used to diagnose IPsec tunnels. The ipsecstat console command: ipsecstat can be used to show that IPsec tunnels have correctly established. A representative example of output is: gw-world:/> ipsecs...

Page 485: ...int or a client's IP address. The command takes the form: gw-world:/> ikesnoop -on <ip-address> -verbose. Ikesnoop can be turned off with the command: gw-world:/> ikesnoop -off. For a more detailed discussion of this topic, see Section 9.4.5, Troubleshooting with ikesnoop. 9.8.4. Management Interface Failure with VPN. If any VPN tunnel is set up and then the management interface no longer operates, then it is likely to...

Page 486: ...st seem to match, the problem may be with mismatching networks. The local network(s) on one side need to be the remote network on the other side, and vice versa. Remember that multiple networks will generate multiple IPsec SAs, one SA per network (or host, if that option is used). The defined network size is also important, in that it must be exactly the same size on both sides, as will be mentioned again la...

Page 487: ...ason is that the PSK is of the wrong TYPE on either side (Passphrase or Hex key). Verify that the same type is being used on both sides of the IPsec tunnel. If one side is using Hex and the other Passphrase, then this is most likely the error message that will be generated. 5. No public key found. This is a very common error message when dealing with tunnels that use certificates for authentication. Troubl...

Page 488: ...can only be initiated from one side. This is a common problem and is due to a mismatch of the size in local or remote network and/or the lifetime settings on the proposal list(s). To troubleshoot this, it is necessary to examine the settings for the local network, remote network, IKE proposal list and IPsec proposal list on both sides to try to identify a mismatch. For example, suppose the following IPs...

Page 489: ...tempt to get the correct network by sending a config mode request. By using ikesnoop when both sides initiate the tunnel, it should be simple to compare the network that both sides are sending in phase 2. With that information it should be possible to spot the network problem. It can be the case that it is a network size mismatch or that it does not match at all. 9.8.6. Specific Symptoms. Chapter 9. VPN. 4...

Page 490: ...9.8.6. Specific Symptoms. Chapter 9. VPN. 490 ...

Page 491: ...is for prioritizing traffic passing through the NetDefend Firewall. It is important to understand that NetDefendOS traffic shaping does not add new Diffserv information as packets traverse a NetDefend Firewall. The NetDefendOS traffic shaping priorities described later in this chapter are for traffic shaping within NetDefendOS only and are not translated into Diffserv information that is then added ...

Page 492: ...ice object that uses the SIP ALG cannot also be subject to traffic shaping. 10.1.2. Traffic Shaping in NetDefendOS. NetDefendOS offers extensive traffic shaping capabilities for the packets passing through the NetDefend Firewall. Different rate limits and traffic guarantees can be created as policies based on the traffic's source, destination and protocol, similar to the way in which security policies a...

Page 493: ...ules are defined by default. The rule set for pipe rules is initially empty, with no rules being defined by default. At least one rule must be created for traffic shaping to begin to function. Pipe Rule Chains. When a pipe rule is defined, the pipes to be used with that rule are also specified, and they are placed into one of two lists in the pipe rule. These lists are: The Forward Chain: These are the pipe...

Page 494: ...ets. The reason for this is that traffic shaping is implemented by using the NetDefendOS state engine, which is the subsystem that deals with the tracking of connections. FwdFast IP rules do not set up a connection in the state engine. Instead, packets are considered not to be part of a connection and are forwarded individually to their destination, bypassing the state engine. Figure 10.2. FwdFast Rules B...

Page 495: ...ices. Name: Outbound. Web Interface: 1. Go to Traffic Management > Traffic Shaping > Add > Pipe Rule. 2. Specify a suitable name for the pipe, for instance outbound. 3. Now enter: Service: all_services. Source Interface: lan. Source Network: lannet. Destination Interface: wan. Destination Network: all-nets. 4. Under the Traffic Shaping tab, make std-in selected in the Return Chain control. 5. Click OK. This setup limits all traf...

Page 496: ...oth Directions. Create a second pipe for outbound traffic. Command-Line Interface: gw-world:/> add Pipe std-out LimitKbpsTotal=2000. Web Interface: 1. Go to Traffic Management > Traffic Shaping > Pipes > Add > Pipe. 2. Specify a name for the pipe, for example std-out. 3. Enter 2000 in the Total textbox. 4. Click OK. After creating a pipe for outbound bandwidth control, add it to the forward pipe chain of the rule created in th...

Page 497: ... provide the solution, create a chain of the surf-in pipe followed by the std-in pipe in the pipe rule for surfing traffic. Inbound surfing traffic will now first pass through surf-in and be limited to a maximum of 125 kbps. Then it will pass through the std-in pipe along with other inbound traffic, which will apply the 250 kbps total limit. Figure 10.3. Differentiated Limits Using Chains. If surfing use...

Page 498: ...ty of a precedence comes from the fact that it is either higher or lower than another precedence, and not from the number itself. For example, if two precedences are used in a traffic shaping scenario, choosing precedences 4 and 6 instead of 0 and 3 will make no difference to the end result. Allocating Precedence to Traffic. The way precedence is assigned to traffic is specified in the triggering pipe ...

Page 499: ... prefix Kilo means 1000 and NOT 1024. For example, 3 Kbps means 3000 bits per second. Similarly, the prefix Mega means one million in a traffic bandwidth context. Precedence Limits are also Guarantees. A precedence limit is both a limit and a guarantee. The bandwidth specified for a precedence also guarantees that the bandwidth will be available, at the expense of lower precedences. If the specified bandwidt...

Page 500: ...xhausted then they are dropped. If a total limit for a pipe is not specified, it is the same as saying that the pipe has unlimited bandwidth, and consequently it can never become full, so precedences have no meaning. Applying Precedences. Continuing to use the previous traffic shaping example, let us add the requirement that SSH and Telnet traffic is to have a higher priority than all other traffic. To do...

Page 501: ...lowest (best effort) precedence or any lower precedences has no meaning and will be ignored by NetDefendOS. Differentiated Guarantees. A problem arises if the aim is to give a specific 32 kbps guarantee to Telnet traffic and a specific 64 kbps guarantee to SSH traffic. A 32 kbps limit could be set for precedence 2, a 64 kbps limit set for precedence 4, and then pass the different types of traffic through...

Page 502: ... at the lowest precedence only and hence compete for the 250 kbps of available bandwidth with other traffic. 10.1.7. Pipe Groups. NetDefendOS provides a further level of control within pipes through the ability to split pipe bandwidth into individual resource users within a group and to apply a limit and guarantee to each user. Individual users can be distinguished according to one of the following: So...

Page 503: ...lected grouping with that precedence will be guaranteed 50 Kbps at the expense of lower precedences. The precedences for each user must be allocated by different pipe rules that trigger on particular users. For example, if grouping is by source IP, then different pipe rules will trigger on different IPs and send the traffic into the same pipe with the appropriate precedence. The potential sum of the pr...

Page 504: ...ining Pipe and Group Limit Precedence Values. Let us suppose that grouping is enabled by one of the options, such as source IP, and some values for precedences have been specified under Group Limits. How do these combine with values specified for the corresponding precedences in Pipe Limits? In this case, the Group Limits precedence value is a guarantee and the Pipe Limits value for the same precedenc...

Page 505: ...ilable precedence 2 bandwidth the same way they have to compete for the lowest precedence bandwidth. Some users will still get their 16 kbps, some will not. Dynamic balancing can be enabled to improve this situation by making sure all of the 5 users get the same amount of limited bandwidth. When the 5th user begins to generate SSH traffic, balancing lowers the limit per user to about 13 kbps (64 kbps di...

Page 506: ...deciding to send packets and the packets actually being dispatched from buffers. For inbound connections, there is less control over what is arriving and what has to be processed by the traffic shaping subsystem, and it is therefore more important to set pipe limits slightly below the real connection limit to account for the time needed for NetDefendOS to adapt to changing conditions. Attacks on Bandw...

Page 507: ...recedence, which is also called the Best Effort precedence. At the best effort precedence, all packets are treated on a first come, first forwarded basis. Within a pipe, traffic can also be separated on a Group basis, for example by source IP address. Each user in a group (for example, each source IP address) can be given a maximum limit, and precedences within a group can be given a limit/guarantee. A pipe li...

Page 508: ...e which will force traffic to flow through the pipes. Rule Name: all_1mbps. Forward Pipes: out-pipe. Return Pipes: in-pipe. Source Interface: lan. Source Network: lannet. Destination Interface: wan. Destination Network: all-nets. Selected Service: all. The rule will force all traffic to the default precedence level and the pipes will limit total traffic to their 1 Mbps limit. Having Dynamic Balancing enabled on the...

Page 509: ...equirement now is to limit the precedence 2 capacity (other traffic) to 1000 kbps so that it does not spill over into precedence 0. This is done with pipe chaining, where we create new pipes called in-other and out-other, both with a Pipe Limit of 1000. The other pipe rule is then modified to use these: Rule Name, Forward Pipes, Return Pipes, Source Interface, Source Network, Dest Interface, Dest Network, Selec...

Page 510: ... 500 kbps. Priority 0 (Best effort). Total: 1700. vpn-out: Priority 6 (VoIP): 500 kbps. Priority 0 (Best effort). Total: 1700. in-pipe: Priority 6 (VoIP): 500 kbps. Total: 2000. out-pipe: Priority 6 (VoIP): 500 kbps. Total: 2000. The following pipe rules are then needed to force traffic into the correct pipes and precedence levels: Rule Name, Forward Pipes, Return Pipes, Src Int, Source Network, Dest Int, Destination Network, Selected...

Page 511: ...out-pipe. A simple solution is to put a catch-all inbound rule at the bottom of the pipe rule. However, the external interface wan should be the source interface, to avoid putting into pipes traffic that is coming from the inside and going to the external IP address. This last rule will therefore be: Rule Name, Forward Pipes, Return Pipes, Source Interface, Source Network, Dest Interface, Dest Network, Selecte...

Page 512: ...on to this, NetDefendOS also provides the ability to apply throttling through the NetDefendOS traffic shaping subsystem when the targeted traffic is recognized. IDP Traffic Shaping is a combination of these two features, where traffic flows identified by the IDP subsystem automatically trigger the setting up of traffic shaping pipes to control those flows. 10.2.2. Setting Up IDP Traffic Shaping. The ste...

Page 513: ...DP rule has Pipe as action, so the traffic on the connection is now subject to the pipe traffic shaping bandwidth specified in the IDP rule. 3. A new connection is then established that does not trigger an IDP rule but has a source or destination IP that is the same as the connection that did trigger a rule. If the source or destination is also a member of the IP range specified as the Network, then th...

Page 514: ...ot desirable. 10.2.5. A P2P Scenario. The schematic below illustrates a typical scenario involving P2P data transfer. The sequence of events is: The client with IP address 192.168.1.15 initiates a P2P file transfer through a connection (1) to the tracking server at 81.150.0.10. This connection triggers an IDP rule in NetDefendOS which is set up with an IDP signature that targets the P2P application. The Pi...

Page 515: ... show all currently defined pipes, the CLI command is: gw-world:/> pipes -show. The IDP Traffic Shaping pipes can be recognized by their distinctive naming convention, which is explained next. Pipe Naming. NetDefendOS names the pipes it automatically creates in IDP Traffic Shaping using the pattern IDPPipe_<bandwidth> for pipes with upstream (forward) flowing traffic and IDPPipe_<bandwidth>R for pipes with dow...

Page 516: ...ity by default and are therefore guaranteed that bandwidth. 10.2.8. Logging. IDP Traffic Shaping generates log messages on the following events: When an IDP rule with the Pipe option has triggered and either host or client is present in the Network range. When the subsystem adds a host that will have future connections blocked. When a timer for piping new connections expires, a log message is generated ...

Page 517: ... Actions associated with it, and these specify how to handle different threshold conditions. A Threshold Rule has the following parameters associated with it: Action: This is the response of the rule when the limit is exceeded. Either the option Audit or Protect can be selected. These options are explained in more detail below. Group By: The rule can be either Host or Network based. These options are expla...

Page 518: ...ition, then those matching actions are applied in the order they appear in the user interface. If several actions that have the same combination of Type and Grouping (see above for the definition of these terms) are triggered at the same time, only the action with the highest threshold value will be logged. Exempted Connections. It should be noted that some advanced settings, known as Before Rules settings...

Page 519: ...ill blacklist the source network associated with the rule. If the Threshold Rule is linked to a service, then it is possible to block only that service. When blacklisting is selected, the administrator can choose to leave pre-existing connections from the triggering source unaffected, or can alternatively choose to have the connections dropped by NetDefendOS. The length of time in seconds for which the ...

Page 520: ...ross multiple servers can improve not just the performance of applications but also scalability, by facilitating the implementation of a cluster of servers (sometimes referred to as a server farm) that can handle many more requests than a single server. Note: SLB is not available on all D-Link NetDefend models. The SLB feature is only available on the D-Link NetDefend DFL-860E, 1660, 2560 and 2560G. The il...

Page 521: ...ers. An important first step in SLB deployment is to identify the servers across which the load is to be balanced. This might be a server farm, which is a cluster of servers set up to work as a single virtual server. The servers that are to be treated as a single virtual server by SLB must be specified. 10.4.2. SLB Distribution Algorithms. There are several ways to determine how a load is shared across a...

Page 522: ...LS or SSL based services such as HTTPS, which require a repeated connection to the same host. Network Stickiness. This mode is similar to IP stickiness except that the stickiness can be associated with a network instead of a single IP address. The network is specified by stating its size as a parameter. For example, if the network size is specified as 24 (the default), then an IP address 10.01.01.02 will b...

Page 523: ...ddresses but instead compares if the source IP address belongs to the same network as a previous connection already in the table. If they belong to the same network, then stickiness to the same server will result. The default value for this setting is a network size of 24. 10.4.4. SLB Algorithms and Stickiness. This section discusses further how stickiness functions with the different SLB algorithms. An ...

Page 524: ...configuration, SLB can monitor different OSI layers to check the condition of each server. Regardless of the algorithms used, if a server is deemed to have failed, SLB will not open any more connections to it until the server is restored to full functionality. D-Link Server Load Balancing provides the following monitoring modes: ICMP Ping: This works at OSI layer 3. SLB will ping the IP address of each in...

Page 525: ...nterface, Src Network, Dest Interface, Dest Network. WEB_SLB: SLB_SAT, any, all-nets, core, ip_ext. WEB_SLB_ALW: Allow, any, all-nets, core, ip_ext. If there are clients on the same network as the webservers that also need access to those webservers, then a NAT rule would also be used: Rule Name, Rule Type, Src Interface, Src Network, Dest Interface, Dest Network. WEB_SLB: SLB_SAT, any, all-nets, core, ip_ext. WEB_SLB_NAT: NAT...

Page 526: ...K. C. Specify the SLB_SAT IP rule. 1. Go to Rules > IP Rule Sets > main > Add > IP Rule. 2. Enter: Name: Web_SLB. Action: SLB_SAT. Service: HTTP. Source Interface: any. Source Network: all-nets. Destination Interface: core. Destination Network: ip_ext. 3. Select tab SAT SLB. 4. Under Server Addresses, add server_group to Selected. 5. Click OK. D. Specify a matching NAT IP rule for internal clients. 1. Go to Rules > IP Rule Sets > main > Add ...

Page 527: ...d IP Rule. 2. Enter: Name: Web_SLB_ALW. Action: Allow. Service: HTTP. Source Interface: any. Source Network: all-nets. Destination Interface: core. Destination Network: ip_ext. 3. Click OK. 10.4.6. Setting Up SLB_SAT Rules. Chapter 10. Traffic Management. 527 ...

Page 528: ...10.4.6. Setting Up SLB_SAT Rules. Chapter 10. Traffic Management. 528 ...

Page 529: ...lity for all traffic. If the master later becomes operative again, the slave will continue to be active, but the master will now monitor the slave, with failover only taking place if the slave fails. This is sometimes known as an active-passive implementation of fault tolerance. Note: HA is only available on some NetDefend models. The HA feature is only available on the D-Link NetDefend DFL-1660, 2560 and ...

Page 530: ...ot responding. Hardware Duplication. D-Link HA will only operate between two NetDefend Firewalls. As the internal operation of different firewall manufacturers' software is completely dissimilar, there is no common method available to communicate state information to a dissimilar device. It is also strongly recommended that the NetDefend Firewalls used in a cluster have identical configurations. They mu...

Page 531: ...because such delays may occur during normal operation. An operation (for example, opening a file) could result in delays long enough to cause the inactive system to go active even though the other is still active. Disabling Heartbeat Sending on Interfaces. The administrator can manually disable heartbeat sending on any interface if that is desired. This is not recommended, since the fewer interfaces that ...

Page 532: ...etDefendOS cluster in a network. As the shared IP address always has the same hardware address, there will be no latency time in updating ARP caches of units attached to the same LAN as the cluster when failover occurs. When a cluster member discovers that its peer is not operational, it broadcasts gratuitous ARP queries on all interfaces using the shared hardware address as the sender address. This al...

Page 533: ...IPsec tunnels are heavily used, the ipsecglobalstat -verbose command could be used instead, and significant differences in the numbers of IPsec SAs, IKE SAs, active users and IP pool statistics would indicate a failure to synchronize. If the sync interface is functioning correctly, there may still be some small differences in the statistics from each cluster unit, but these will be minor compared with the...

Page 534: ...at interface. These addresses can also be pinged using ICMP, provided that IP rules are defined to permit this (by default, ICMP queries are dropped by the rule set). If either unit is inoperative, its individual IP addresses will also be unreachable. These IP addresses are usually private but must be public if management access across the public Internet is required. If an interface is not assigned an ind...

Page 535: ...e lan interface on the slave would be connected to the same switch, which then connects to an internal network. Similarly, the wan interface on the master and the wan interface would connect to a switch, which in turn connects to the external Internet. Note: The illustration shows a crossover cable sync connection. The illustration above shows a direct crossover cable connection between the sync interfac...

Page 536: ... addresses. The term private IPv4 address is not strictly correct when used here. Either address used in an IP4 HA Address object may be public if management access across the public Internet is required. 9. Save and activate the new configuration. 10. Repeat the above steps for the other NetDefend Firewall, but this time select the node type to be Slave. Making Cluster Configuration Changes. The configura...

Page 537: ...then it may be necessary to set a high value for this instead of using automatic. A very high value for High Buffers can suit situations with large numbers of connections, but can have the disadvantage of increasing throughput latency. 11.3.4. Unique Shared Mac Addresses. For HA setup, NetDefendOS provides the advanced option Use Unique Shared MAC Address. By default this is enabled, and in most configura...

Page 538: ...enter Lockdown Mode. Failed Interfaces. Failed interfaces will not be detected unless they fail to the point where NetDefendOS cannot continue to function. This means that failover will not occur if the active unit can still send "I am alive" heartbeats to the inactive unit through any of its interfaces, even though one or more interfaces may be inoperative. Changing the Cluster ID. Changing the cluster I...

Page 539: ...router to provide OSPF metrics if the main designated router should fail. PPPoE Tunnels and DHCP Clients. For reasons connected with the shared IP addresses of an HA cluster, PPPoE tunnels and DHCP clients should not be configured in an HA cluster. IPv6 Support. Support for IPv6 addresses is discussed in Section 3.2, IPv6 Support. 11.4. HA Issues. Chapter 11. High Availability. 539 ...

Page 540: ... this. To do this, connect with a CLI console to one of the cluster units and issue the ha command. The typical output if the unit is active is shown below: gw-world:/> ha. This device is a HA SLAVE. This device is currently ACTIVE (will forward traffic). This device has been active: 430697 sec. HA cluster peer is ALIVE. This unit (the slave) is the currently active unit, so the other one (the master) is the inactive...

Page 541: ...put. D. Upgrade the newly inactive unit. When the failover is complete, upgrade the newly inactive unit with the new NetDefendOS version. Just like step B, this is done in the normal way, as though the unit were not part of a cluster. E. Wait for resynchronization. Once the second software upgrade is complete, the two units will automatically resynchronize and the cluster will continue operation. The roles of act...

Page 542: ... monitored using ICMP Ping requests, and therefore link status. If these hosts become unreachable, then the link is considered failed and a failover to a slave can be initiated. Provided that the slave is using a different network link and also monitoring the reachability of different hosts, traffic can continue to flow. Using the Shared IP Address. When using the Link Monitor in a High Availability clus...

Page 543: ...apsed, the synchronization traffic is then only sent after repeated periods of silence. The length of this silence is this setting. Default: 5. Use Unique Shared Mac: Use a unique shared MAC address for each interface. For further explanation of this setting, see Section 11.3.4, Unique Shared Mac Addresses. Default: Enabled. Deactivate Before Reconf: If enabled, this setting will make an active node failover to...

Page 544: ...11.7. HA Advanced Settings. Chapter 11. High Availability. 544 ...

Page 545: ...n threshold can be dynamically blocked using the ZoneDefense feature. Thresholds are based on either the number of new connections made per second or on the total number of connections being made. These connections may be made by either a single host or all hosts within a specified CIDR network range (an IP address range specified by a combination of an IP address and its associated network mask). ACL ...

Page 546: ...3526 R3.x: Version R3.06-B20 only. DES-3526 R4.x: Version R4.01-B19 or later. DES-3550 R3.x: Version R3.05-B38 only. DES-3550 R4.x: Version R4.01-B19 or later. DES-3800 Series: Version R2.00-B13 or later. DGS-3200 Series: Version R1.10-B06 or later. DGS-3324SR/SRi: Version R4.30-B11 or later. DGS-3400 Series R1.x: Version R1.00-B35 only. DGS-3400 Series R2.x: Version R2.00-B52 or later. DGS-3600 Series: Version R2.2...

Page 547: ...exceeded. The limit can be one of two types: Connection Rate Limit: This can be triggered if the rate of new connections per second to the firewall exceeds a specified threshold. Total Connections Limit: This can be triggered if the total number of connections to the firewall exceeds a specified threshold. Threshold rules have parameters which are similar to those for IP Rules. These parameters specify w...

Page 548: ...onnections/second is applied. If the connection rate exceeds this limitation, the firewall will block the specific host (in network range 192.168.2.0/24, for example) from accessing the switch completely. A D-Link switch model DES-3226S is used in this case, with a management interface address 192.168.1.250 connecting to the firewall's interface address 192.168.1.1. This firewall interface is added into t...

Page 549: ...e Use ZoneDefense checkbox. Click OK. 12.3.4. ZoneDefense with Anti-Virus Scanning. ZoneDefense can be used in conjunction with the NetDefendOS Anti-Virus scanning feature. NetDefendOS can first identify a virus source through antivirus scanning and then block the source by communicating with switches configured to work with ZoneDefense. This feature is activated through the following ALGs: HTTP: ZoneDefen...

Page 550: ...imum of 50 rules while others support up to 800 (usually, in order to block a host or network, one rule per switch port is needed). When this limit has been reached, no more hosts or networks will be blocked out. Important: Clearing the ACL rule set on the switch. ZoneDefense uses a range in the ACL rule set on the switch. To avoid potential conflicts in these rules and guarantee the firewall's access contr...

Page 551: ...12.3.5. Limitations. Chapter 12. ZoneDefense. 551 ...

Page 552: ...4. Length Limit Settings, page 566. Fragmentation Settings, page 568. Local Fragment Reassembly Settings, page 572. Miscellaneous Settings, page 573. 13.1. IP Level Settings. Log Checksum Errors: Logs occurrences of IP packets containing erroneous checksums. Normally this is the result of the packet being damaged during network transport. All network units, both routers and workstations, drop IP packets that cont...

Page 553: ... on Low: Determines the action taken on packets whose TTL falls below the stipulated TTLMin value. Default: DropLog. Multicast TTL on Low: What action to take on too low multicast TTL values. Default: DropLog. Default TTL: Indicates which TTL NetDefendOS is to use when originating a packet. These values are usually between 64 and 255. Default: 255. Layer Size Consistency: Verifies that the size information cont...

Page 554: ...fault: DropLog. IP Options Timestamps: Time stamp options instruct each router and firewall on the packet's route to indicate at what time the packet was forwarded along the route. These options do not occur in normal traffic. Time stamps may also be used to record the route a packet has taken from sender to final destination. NetDefendOS never enters information into these options, regardless of this se...

Page 555: ...ets equal to or smaller than the size specified by this setting. Default: 65535 bytes. Multicast Mismatch option: What action to take when Ethernet and IP multicast addresses do not match. Default: DropLog. Min Broadcast TTL option: The shortest IP broadcast Time-To-Live value accepted on receipt. Default: 1. Low Broadcast TTL Action option: What action to take on too low broadcast TTL values. Default: DropLo...

Page 556: ...case with TCPMSSMax, this is the highest Maximum Segment Size allowed. However, this setting only controls MSS in VPN connections. This way NetDefendOS can reduce the effective segment size used by TCP in all VPN connections. This reduces TCP fragmentation in the VPN connection even if hosts do not know how to perform MTU discovery. This setting must be less than the maximum IPsec MTU size and the maxi...

Page 557: ...n SACK: Determines how NetDefendOS will handle selective acknowledgement options. These options are used to ACK individual packets instead of entire series, which can increase the performance of connections experiencing extensive packet loss. They are also used by OS Fingerprinting. SACK is a common occurrence in modern networks. Default: ValidateLogBad. TCP Option TSOPT: Determines how NetDefendOS will ha...

Page 558: ...SYN (synchronize) flags and URG (urgent data) flags both turned on. The presence of a SYN flag indicates that a new connection is in the process of being opened, and an URG flag means that the packet contains data requiring urgent attention. These two flags should not be turned on in a single packet as they are used exclusively to crash computers with poorly implemented TCP stacks. Default: DropLog. TCP SY...

Page 559: ...ripLog. TCPE ECN: Specifies how NetDefendOS will deal with TCP packets with either the Xmas or Ymas flag turned on. These flags are currently mostly used by OS Fingerprinting. It should be noted that a developing standard called Explicit Congestion Notification also makes use of these TCP flags, but as long as there are only a few operating systems supporting this standard, the flags should be stripped...

Page 560: ...rent or last used TCP window will be allowed. This is more restrictive than ValidateLogBad/ValidateSilent and will block some valid TCP re-open attempts. The most significant impact of this will be that common web surfing traffic (short but complete transactions requested from a relatively small set of clients, randomly occurring with an interval of a few seconds) will slow down considerably, while most...

Page 561: ...ing limits how many Rejects per second may be generated by the Reject rules in the Rules section. Default: 500. Silently Drop State ICMPErrors: Specifies if NetDefendOS should silently drop ICMP errors pertaining to statefully tracked open connections. If these errors are not dropped by this setting, they are passed to the rule set for evaluation just like any other packet. Default: Enabled. 13.3. ICMP Leve...

Page 562: ...determining whether the remote peer is attempting to open a new connection. Default: Enabled. Log State Violations: Determines if NetDefendOS logs packets that violate the expected state switching diagram of a connection, for example getting TCP FIN packets in response to TCP SYN packets. Default: Enabled. Log Connections: Specifies how NetDefendOS will log connections. NoLog: Does not log any connections; c...

Page 563: ...agnostic and testing purposes, since it generates unwieldy volumes of log messages and can also significantly impair throughput performance. Default: Disabled. Dynamic Max Connections: Allocate the Max Connection value dynamically. Default: Enabled. Max Connections: This setting applies if Dynamic Max Connections above is disabled. Specifies how many connections NetDefendOS may keep open at any one time. Eac...

Page 564: ...close may idle before finally being closed. Connections reach this state when a packet with its FIN flag on has passed in any direction. Default: 80. UDP Idle Lifetime: Specifies in seconds how long UDP connections may idle before being closed. This timeout value is usually low, as UDP has no way of signalling when the connection is about to close. Default: 130. UDP Bidirectional Keep-alive: This allows bot...

Page 565: ...lt: 12. Other Idle Lifetime: Specifies in seconds how long connections using an unknown protocol can remain idle before it is closed. Default: 130. 13.5. Connection Timeout Settings. Chapter 13. Advanced Settings. 565 ...

Page 566: ...many real-time applications use large fragmented UDP packets. If no such protocols are used, the size limit imposed on UDP packets can probably be lowered to 1480 bytes. Default: 60000. Max ICMP Length: Specifies in bytes the maximum size of an ICMP packet. ICMP error messages should never exceed 600 bytes, although Ping packets can be larger if so requested. This value may be lowered to 1000 bytes if usin...

Page 567: ...ze of an IP-in-IP packet. IP-in-IP is used by Checkpoint Firewall-1 VPN connections when IPsec is not used. This value should be set at the size of the largest packet allowed to pass through the VPN connections regardless of its original protocol, plus approx. 50 bytes. Default: 2000. Max IPsec IPComp Length: Specifies in bytes the maximum size of an IPComp packet. Default: 2000. Max L2TP Length: Specifies in...

Page 568: ...track. DropPacket: Discards the illegal fragment and all previously stored fragments. Will not allow further fragments of this packet to pass through during ReassIllegalLinger seconds. DropLogPacket: As DropPacket, but also logs the event. DropLogAll: As DropLogPacket, but also logs further fragments belonging to this packet that arrive during ReassIllegalLinger seconds. The choice of whether to discard ind...

Page 569: ...ents have been involved. LogSuspectSubseq: As LogSuspect, but also logs subsequent fragments of the packet as and when they arrive. LogAll: Logs all failed reassembly attempts. LogAllSubseq: As LogAll, but also logs subsequent fragments of the packet as and when they arrive. Default: LogSuspectSubseq. Dropped Fragments: If a packet is denied entry to the system as the result of the settings in the Rules secti...

Page 570: ...y send 1480-byte fragments and a router or VPN tunnel on the route to the recipient subsequently reduce the effective MTU to 1440 bytes. This would result in the creation of a number of 1440-byte fragments and an equal number of 40-byte fragments. Because of potential problems this can cause, the default settings in NetDefendOS have been designed to allow the smallest possible fragments (8 bytes) to pas...

Page 571: ...cket has been marked as illegal, NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving. Default: 60. 13.7. Fragmentation Settings. Chapter 13. Advanced Settings. 571 ...

Page 572: ...concurrent local reassemblies. Default: 256. Max Size: Maximum size of a locally reassembled packet. Default: 10000. Large Buffers: Number of large (over 2K) local reassembly buffers of the above size. Default: 32. 13.8. Local Fragment Reassembly Settings. Chapter 13. Advanced Settings. 572 ...

Page 573: ...s. The associated settings limit memory used by the re-assembly subsystem. This setting specifies how many connections can use the re-assembly system at the same time. It is expressed as a percentage of the total number of allowed connections. Minimum: 1. Maximum: 100. Default: 80. Max Memory: This setting specifies how much memory the re-assembly system can allocate to process packets. It is expressed a...

Page 574: ...Default: 512. 13.9. Miscellaneous Settings. Chapter 13. Advanced Settings. 574 ...

Page 575: ...13.9. Miscellaneous Settings. Chapter 13. Advanced Settings. 575 ...

Page 576: ...ide can be downloaded. A step-by-step Registration manual, which explains registration and update service procedures in more detail, is available for download from the D-Link website. Subscription renewal: In the Web interface, go to Maintenance > License to check which update services are activated and when your subscription ends. Important: Renew in good time. Renew your subscription well before your cu...

Page 577: ...with the command: gw-world:/> removedb IDP. To remove the Anti-Virus database, use the command: gw-world:/> removedb Antivirus. Once removed, the entire system should be rebooted and a database update initiated. Removing the database is also recommended if either IDP or Anti-Virus is not used for longer periods of time. Note: Updating the database causes a pause in processing. Anti-Virus database updates require...

Page 578: ...RITAS Backup solutions. BOT_GENERAL: Activities related to bots, including those controlled by IRC channels. BROWSER_FIREFOX: Mozilla Firefox. BROWSER_GENERAL: General attacks targeting web browsers (clients). BROWSER_IE: Microsoft IE. BROWSER_MOZILLA: Mozilla Browser. COMPONENT_ENCODER: Encoders as part of an attack. COMPONENT_INFECTION: Infection as part of an attack. COMPONENT_SHELLCODE: Shell code as part of the...

Page 579: ...lementation. IP_OVERFLOW: Overflow of IP protocol implementation. IRC_GENERAL: Internet Relay Chat. LDAP_GENERAL: General LDAP clients/servers. LDAP_OPENLDAP: Open LDAP. LICENSE_CA-LICENSE: License management for CA software. LICENSE_GENERAL: General License Manager. MALWARE_GENERAL: Malware attack. METASPLOIT_FRAME: Metasploit frame attack. METASPLOIT_GENERAL: Metasploit general attack. MISC_GENERAL: General attack...

Page 580: ...protocol and implementation. RPC_JAVA-RMI: Java RMI. RSYNC_GENERAL: Rsync. SCANNER_GENERAL: Generic scanners. SCANNER_NESSUS: Nessus Scanner. SECURITY_GENERAL: Anti-virus solutions. SECURITY_ISS: Internet Security Systems software. SECURITY_MCAFEE: McAfee. SECURITY_NAV: Symantec AV solution. SMB_ERROR: SMB Error. SMB_EXPLOIT: SMB Exploit. SMB_GENERAL: SMB attacks. SMB_NETBIOS: NetBIOS attacks. SMB_WORMS: SMB worms. SMTP_COM...

Page 581: ...ION_CVS: CVS. VERSION_SVN: Subversion. VIRUS_GENERAL: Virus. VOIP_GENERAL: VoIP protocol and implementation. VOIP_SIP: SIP protocol and implementation. WEB_CF-FILE-INCLUSION: Coldfusion file inclusion. WEB_FILE-INCLUSION: File inclusion. WEB_GENERAL: Web application attacks. WEB_JSP-FILE-INCLUSION: JSP file inclusion. WEB_PACKAGES: Popular web application packages. WEB_PHP-XML-RPC: PHP XML-RPC. WEB_SQL-INJECTION: SQL In...

Page 582: ...iletype extension / Application: 3ds: 3d Studio files. 3gp: 3GPP multimedia file. aac: MPEG-2 Advanced Audio Coding File. ab: Applix Builder. ace: ACE archive. ad3: Dec systems compressed Voice File. ag: Applix Graphic file. aiff, aif: Audio Interchange file. am: Applix SHELF Macro. arc: Archive file. alz: ALZip compressed file. avi: Audio Video Interleave file. arj: Compressed archive. ark: QuArk compressed file archive. arq: Co...

Page 583: ...rchive. hqx: Macintosh BinHex 4 compressed archive. icc: Kodak Color Management System ICC Profile. icm: Microsoft ICM Color Profile file. ico: Windows Icon file. imf: Imago Orpheus module sound data. Inf: Sidplay info file. it: Impulse Tracker Music Module. java: Java source code. jar: Java JAR archive. jng: JNG Video Format. jpg, jpeg, jpe, jff, jfif, jif: JPEG file. jrc: Jrchive compressed archive. jsw: Just System Word Proc...

Page 584: ...data. pma: PMarc archive data. png: Portable (Public) Network Graphic. ppm: PBM Portable Pixelmap Graphic. ps: PostScript file. psa: PSA archive data. psd: Photoshop Format file. qt, mov, moov: QuickTime Movie file. qxd: QuarkXpress Document. ra, ram: RealMedia Streaming Media. rar: WinRAR compressed archive. rbs: ReBirth Song file. riff, rif: Microsoft Audio file. rm: RealMedia Streaming Media. rpm: RedHat Package Manager. rtf, wr...

Page 585: ...vcf: Vcard file. viv: VivoActive Player Streaming Video file. wav: Waveform Audio. wk: Lotus 1-2-3 document. wmv: Windows Media file. wrl, vrml: Plain Text VRML file. xcf: GIMP Image file. xm: Fast Tracker 2 Extended Module audio file. xml: XML file. xmcd: xmcd database file for kscd. xpm: BMC Software Patrol UNIX Icon file. yc: YAC compressed archive. zif: ZIF image. zip: Zip compressed archive file. zoo: ZOO compressed arch...

Page 586: ...Layer purpose. Layer 7: Application. Layer 6: Presentation. Layer 5: Session. Layer 4: Transport. Layer 3: Network. Layer 2: Data Link. Layer 1: Physical. Figure D.1. The 7 Layers of the OSI Model. Layer Functions: The different layers perform the following functions. Layer 7, Application Layer: Defines the user interface that supports applications directly. Protocols: HTTP, FTP, TFTP, DNS, SMTP, Telnet, SNMP and similar. The...

Page 587: ...TCP Reopen setting, 560; amplification attacks, 363; anonymizing internet traffic, 374; anti-spam filtering, see spam filtering; anti-virus scanning, 343: activating, 344; database, 344; fail mode behaviour, 345; in the FTP ALG, 279; in the HTTP ALG, 274; in the POP3 ALG, 295; in the SMTP ALG, 286; memory requirements, 343; relationship with IDP, 344; simultaneous scans, 343; with zonedefense, 347; application layer gateway, see...

Page 588: ...ry, 37; command structure, 36; indexing, 39; multiple property values, 39; name references, 40; object category, 38; object context, 39; object type, 36; omitting the object category, 39, 48; prompt change, 42; reconfiguring NetDefendOS, 43; restarting NetDefendOS, 43; secure shell, 41; tab completion, 37; tab completion of data, 38; using hostnames, 40; CLI scripts, 45: automatic creation, 48; command ordering, 47; commenting, 49; error...

Page 589: ...namic CAM Size setting, 252; dynamic DNS, 164; Dynamic L3C Size setting, 252; Dynamic Max Connections setting, 563; dynamic routing rules, 213, 214: OSPF action, 215; routing action, 215; DynDNS service, 164. E: Enable Sensors setting, 77; end of life procedures, 87; ESMTP extensions, 288; Ethernet interface, 110: changing IP addresses, 113; CLI command summary, 114; default gateway, 111; disabling, 116; enabling, 116; IP address, 11...

Page 590: ...ing, 238; IGMP Query Response Interval setting, 238; IGMP React To Own Queries setting, 237; IGMP Robustness Variable setting, 238; IGMP Router Version setting, 238; IGMP Startup Query Count setting, 238; IGMP Startup Query Interval setting, 239; IGMP Unsolicitated Report Interval setting, 239; IKE, 429: algorithm proposals, 430; lifetimes, 430; negotiation, 430; parameters, 431; IKE CRL Validity Time setting, 460; IKE Max C...

Page 591: ...er, 63; SNMP traps, 63; syslog, 61; login authentication, 402; log messages, 60; Log non IPv4/IPv6 setting, 552; Log Open Fails setting, 562; Logout at shutdown RADIUS setting, 70, 71; logout from CLI, 44; Log Oversized Packets setting, 567; Log Received TTL 0 setting, 552; Log Reverse Opens setting, 562; Log State Violations setting, 562; loopback interfaces, 108, 109; Low Broadcast TTL Action setting, 555. M: MAC address, 128; au...

Page 592: ...hing, see content filtering; Ping Idle Lifetime setting, 564; Ping poll interval setting, 182; pipe rules, 492; pipes, 492; policies, 137; Poll Interval setting, 77; POP3 ALG, 295; Port 0 setting, 573; port address translation, see SAT; port forwarding, see SAT; port mirroring, see pcapdump; PPP authentication with LDAP, 400; PPPoE, 120: client configuration, 120; unnumbered support, 121; with HA, 122; with SSL VPN, 473; PPTP, 463: ad...

Page 593: ...port enabled option, 126; security association, 429; Send Limit setting, 65; serial console, see console; serial console port, 40; server load balancing, 520: connection rate algorithm, 521; idle timeout setting, 522; max slots setting, 522; net size setting, 522; round robin algorithm, 521; with FwdFast rules, 525; services, 100: and ALGs, 103; creating custom, 101; custom IP protocol, 106; custom timeouts, 107; group, 106; ICMP, 10...

Page 594: ...CP SYN PSH setting, 558; TCP SYN RST setting, 558; TCP SYN URG setting, 558; TCP SYN Idle Lifetime setting, 564; TCP URG setting, 559; TCP Zero Unused ACK setting, 557; TCP Zero Unused URG setting, 557; Tertiary Time Server setting, 161; TFTP ALG, 285; threshold rules, 517, 547: in zonedefense, 547; time synchronization, 157; Time Sync Server Type setting, 161; Time Zone setting, 160; TLS ALG, 322: advantages, 323; cryptographic s...

Page 595: ...31; object cloning, 34; password caching prevention, 32; recommended browsers, 31; setting workstation IP, 31; WebUI, see web interface; WebUI Before Rules setting, 53; WebUI HTTP port setting, 54; WebUI HTTPS port setting, 54; whitelisting: hosts and networks, 366; URLs, 326; wildcarding, 326; wildcarding in blacklists and whitelists, 288, 326; in IDP rules, 356; in static content filtering, 275; Windows CA certificate request...
