background image

Network Security Solution

 

http://www.dlink.com 

NetDefendOS

Ver.

 

2.27.03

Network Security Firewall

User Manual

Security 

Security 

Summary of Contents for NetDefend DFL-260E

Page 1: ...Network Security Solution http www dlink com NetDefendOS Ver 2 27 03 Network Security Firewall User Manual Security Security...

Page 2: ...260 260E 800 860 860E DFL 1600 1660 2500 2560 2560G NetDefendOS Version 2 27 03 D Link Corporation No 289 Sinhu 3rd Rd Neihu District Taipei City 114 Taiwan R O C http www DLink com Published 2010 11...

Page 3: ...ness for a particular purpose D Link reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of...

Page 4: ...NMP Traps 60 2 2 7 Advanced Log Settings 61 2 3 RADIUS Accounting 62 2 3 1 Overview 62 2 3 2 RADIUS Accounting Messages 62 2 3 3 Interim Accounting Messages 64 2 3 4 Activating RADIUS Accounting 64 2...

Page 5: ...5 3 8 Date and Time 137 3 8 1 Overview 137 3 8 2 Setting Date and Time 137 3 8 3 Time Servers 138 3 8 4 Settings Summary for Date and Time 141 3 9 DNS 144 4 Routing 147 4 1 Overview 147 4 2 Static Rou...

Page 6: ...ing 298 6 3 4 Dynamic Web Content Filtering 300 6 4 Anti Virus Scanning 314 6 4 1 Overview 314 6 4 2 Implementation 314 6 4 3 Activating Anti Virus Scanning 315 6 4 4 The Signature Database 316 6 4 5...

Page 7: ...art 387 9 2 1 IPsec LAN to LAN with Pre shared Keys 388 9 2 2 IPsec LAN to LAN with Certificates 389 9 2 3 IPsec Roaming Clients with Pre shared Keys 390 9 2 4 IPsec Roaming Clients with Certificates...

Page 8: ...es 477 10 3 1 Overview 477 10 3 2 Limiting the Connection Rate Total Connections 477 10 3 3 Grouping 478 10 3 4 Rule Actions 478 10 3 5 Multiple Triggered Actions 478 10 3 6 Exempted Connections 478 1...

Page 9: ...nnection Timeout Settings 523 13 6 Length Limit Settings 525 13 7 Fragmentation Settings 527 13 8 Local Fragment Reassembly Settings 531 13 9 Miscellaneous Settings 532 A Subscribing to Updates 534 B...

Page 10: ...ode Internet Access 217 4 19 Transparent Mode Internet Access 217 4 20 Transparent Mode Scenario 1 219 4 21 Transparent Mode Scenario 2 220 4 22 An Example BPDU Relaying Scenario 223 5 1 DHCP Server O...

Page 11: ...rver Load Balancing Configuration 480 10 10 Connections from Three Clients 483 10 11 Stickiness and Round Robin 484 10 12 Stickiness and Connection rate 484 D 1 The 7 Layers of the OSI Model 544 User...

Page 12: ...ing a PPPoE Client 107 3 12 Creating an Interface Group 111 3 13 Displaying the ARP Cache 113 3 14 Flushing the ARP Cache 113 3 15 Defining a Static ARP Entry 114 3 16 Adding an Allow IP Rule 126 3 17...

Page 13: ...g Content Filtering HTTP Banner Files 312 6 19 Activating Anti Virus Scanning 318 6 20 Configuring an SMTP Log Receiver 328 6 21 Setting up IDP for a Mail Server 329 6 22 Adding a Host to the Whitelis...

Page 14: ...n a browser in a new window some systems may not allow this For example http www dlink com Screenshots This guide contains a minimum of screenshots This is deliberate and is done because the manual de...

Page 15: ...g emphasized or something that is not obvious or explicitly stated in the preceding text Tip This indicates a piece of non critical information that is useful to know in certain situations but is not...

Page 16: ...t ways This granular control allows the administrator to meet the requirements of the most demanding network security scenarios Key Features NetDefendOS has an extensive feature set The list below pre...

Page 17: ...rusion Detection and Prevention IDP engine The IDP engine is policy based and is able to perform high performance scanning and detection of attacks and can perform blocking and optional black listing...

Page 18: ...e NetDefendOS can be used to control D Link switches using the ZoneDefense feature This allows NetDefendOS to isolate portions of a network that contain hosts that are the source of undesirable networ...

Page 19: ...ation as the NetDefendOS state engine 1 2 2 NetDefendOS Building Blocks The basic building blocks in NetDefendOS are interfaces logical objects and various types of rules or rule sets Interfaces Inter...

Page 20: ...none the above is true the receiving Ethernet interface becomes the source interface for the packet 3 The IP datagram within the packet is passed on to the NetDefendOS Consistency Checker The consist...

Page 21: ...If a match is found the IDP data is recorded with the state By doing this NetDefendOS will know that IDP scanning is supposed to be conducted on all packets belonging to this connection 9 The Traffic...

Page 22: ...ing such as encryption or encapsulation might occur The next section provides a set of diagrams illustrating the flow of packets through NetDefendOS 1 2 3 Basic Packet Flow Chapter 1 NetDefendOS Overv...

Page 23: ...are three diagrams each flowing into the next It is not necessary to understand these diagrams however they can be useful as a reference when configuring NetDefendOS in certain situations Figure 1 1 P...

Page 24: ...Figure 1 2 Packet Flow Schematic Part II The packet flow is continued on the following page 1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 24...

Page 25: ...Figure 1 3 Packet Flow Schematic Part III 1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 25...

Page 26: ...elow presents the detailed logic of the Apply Rules function in Figure 1 2 Packet Flow Schematic Part II above Figure 1 4 Expanded Apply Rules Logic 1 3 NetDefendOS State Engine Packet Flow Chapter 1...

Page 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27...

Page 28: ...dOS provides the following management interfaces The Web Interface The Web Interface also known as the Web User Interface or WebUI is built into NetDefendOS and provides a user friendly and intuitive...

Page 29: ...can be permitted for administrative users on a certain network while at the same time allowing CLI access for a remote administrator connecting through a specific IPsec tunnel By default Web Interface...

Page 30: ...kstation IP The default management Ethernet interface of the firewall and the external workstation computer s Ethernet interface must be members of the same logical IP network for communication betwee...

Page 31: ...browser to allow the NetDefendOS Setup Wizard to run since this appears in a popup window Multi language Support The Web Interface login dialog offers the option to select a language other than Engli...

Page 32: ...buttons and drop down menus that are used to perform configuration tasks as well as for navigation to various tools and status pages Home Navigates to the first page of the Web Interface Configuration...

Page 33: ...tree is divided into a number of sections corresponding to the major building blocks of the configuration The tree can be expanded to expose additional sections and the selected set of objects are dis...

Page 34: ...then all management traffic coming from NetDefendOS will automatically be routed into the VPN tunnel If this is the case then a route should be added by the administrator to route management traffic...

Page 35: ...t of types and mainly used with tab completion which is described below Tip Getting help about help Typing the CLI command gw world help help will give information about the help command itself The CL...

Page 36: ...names are recommended Even though it is optional it is still recommended that a Name value is entered for rules in order to make examining the configuration easier Tab Completion of Parameter Values...

Page 37: ...fter pressing tab Not all object types belong in a category The object type UserAuthRule is a type without a category and will appear in the category list after pressing tab at the beginning of a comm...

Page 38: ...LI Reference Guide lists the parameter options available for each NetDefendOS object including the Name and Index options Using Unique Names For convenience and clarity it is recommended that a name i...

Page 39: ...nal or the serial connector of the computer running the communications software 4 Press the enter key on the terminal The NetDefendOS login prompt should appear on the terminal screen SSH Secure Shell...

Page 40: ...he default password of the admin account from admin to something else as soon as possible after initial startup User passwords can be any combination of characters and cannot be greater than 256 chara...

Page 41: ...in at the time of the commit will require that the user logs in again This is because the Web Interface view of the configuration may no longer be valid Checking Configuration Integrity After changing...

Page 42: ...to the ISP s gateway In other words Internet access has been enabled for the NetDefend Firewall Managing Management Sessions with sessionmanager The CLI provides a command called sessionmanager for ma...

Page 43: ...script command is the tool used for script management and execution The complete syntax of the command is described in the CLI Reference Guide and specific examples of usage are detailed in the follow...

Page 44: ...before it is referred to then this can result in a confused and disjointed script file and in large script files it is often preferable to group together CLI commands which are similar Error Handling...

Page 45: ...cts needs to be copied between multiple NetDefend Firewalls then one way to do this with the CLI is to create a script file that creates the required objects and then upload to and run the same script...

Page 46: ...en the CLI node type in the script create command is one of COMPortDevice Ethernet EthernetDevice Device If one of these node types is used then the error message script file empty is returned by NetD...

Page 47: ...able summarizes the operations that can be performed between an SCP client and NetDefendOS File type Upload possible Download possible Configuration Backup config bak Yes also with WebUI Yes also with...

Page 48: ...and would be scp config bak admin1 10 5 62 11 To download a configuration backup to the current local directory the command would be scp admin1 10 5 62 11 config bak To upload a file to an object type...

Page 49: ...tions available in the boot menu are 1 Start firewall This initiates the complete startup of the NetDefendOS software on the NetDefend Firewall 2 Reset unit to factory defaults This option will restor...

Page 50: ...ord set for the console is not connected to the management username password combinations used for administrator access through a web browser It is valid only for console access 2 1 8 Management Advan...

Page 51: ...onfiguration objects representing a named IPv4 address Object Organization In the Web Interface the configuration objects are organized into a tree like structure based on the type of the object In th...

Page 52: ...ch gives the option to edit or delete the object as well as modify the order of the objects Example 2 4 Displaying a Configuration Object The simplest operation on a configuration object is to show it...

Page 53: ...es 2 Click on the telnet hyperlink in the list 3 In the Comments textbox a suitable comment 4 Click OK Verify that the new comment has been updated in the list Important Configuration changes must be...

Page 54: ...The row will be rendered with a strike through line indicating that the object is marked for deletion Example 2 8 Undeleting a Configuration Object A deleted object can always be restored until the c...

Page 55: ...IPsec tunnels are committed then those live tunnels connections will be terminated and must be re established If the new configuration is validated NetDefendOS will wait for a short period 30 seconds...

Page 56: ...rmation that remote management is still working The new configuration is then automatically committed Note Changes must be committed The configuration must be committed before changes are saved All ch...

Page 57: ...nts down to low level and mandatory system events The conn_open event for example is a typical high level event that generates an event message whenever a new connection is established given that the...

Page 58: ...rs using syslog with NetDefendOS messages can simplify overall administration This receiver type is discussed further below in Section 2 2 5 Logging to Syslog Hosts 2 2 4 Logging to MemoryLogReceiver...

Page 59: ...r without assuming that a specific piece of data is in a specific location in the log entry The Prio and Severity fields The Prio field in SysLog messages contains the same information as the Severity...

Page 60: ...e for each model of NetDefend Firewall Make sure that the correct file is used For each NetDefend Firewall model there is one generic trap object called DLNNNosGenericTrap that is used for all traps w...

Page 61: ...fies the maximum log messages that NetDefendOS will send per second This value should never be set too low as this may result in important events not being logged nor should it be set too high When th...

Page 62: ...ng Messages Statistics such as number of bytes sent and received and number of packets sent and received are updated and stored throughout RADIUS sessions All statistics are updated for an authenticat...

Page 63: ...enticated This is a physical interface and not a TCP or UDP port User IP Address The IP address of the authenticated user This is sent only if specified on the authentication server Input Bytes The nu...

Page 64: ...S accounting a number of steps must be followed The RADIUS accounting server must be specified A user authentication object must have a rule associated with it where a RADIUS server is specified Some...

Page 65: ...eady been authenticated 2 3 8 Accounting and System Shutdowns In the case that the client for some reason fails to send a RADIUS AccountingRequest STOP packet the accounting server will never be able...

Page 66: ...the situation that the RADIUS server will assume users are still logged in even though their sessions have been terminated Default Enabled Maximum Radius Contexts The maximum number of contexts allowe...

Page 67: ...g settings for enabling hardware monitoring when it is available Enable Sensors Enable disable all hardware monitoring functionality Default Disabled Poll Interval Polling interval for the Hardware Mo...

Page 68: ...tration only Setting the Minimum and Maximum Range The minimum and maximum values shown in the output from the hwm command are set through the Web Interface by going to System Hardware Monitoring Add...

Page 69: ...client software When the client runs the MIB file is accessed to inform the client of the values that can be queried on a NetDefendOS device Defining SNMP Access SNMP access is defined through the de...

Page 70: ...nt client is on the internal network it is not required to implement a VPN tunnel for it Command Line Interface gw world add RemoteManagement RemoteMgmtSNMP my_snmp Interface lan Network mgmt net SNMP...

Page 71: ...tem Contact The contact person for the managed node Default N A System Name The name for the managed node Default N A System Location The physical location of the node Default N A Interface Descriptio...

Page 72: ...p gw world pcapdump cleanup Going through this line by line we have 1 Recording is started for the int interface using a buffer size of 1024 Kbytes gw world pcapdump size 1024 start int 2 The recordin...

Page 73: ...ilter on source IP address ipdest ipaddr Filter on destination IP address port portnum Filter on source or destination port number srcport portnum Filter on source port number destport portnum Filter...

Page 74: ...urther refine the packets that are of interest For example we might want to examine the packets going to a particular destination port at a particular destination IP address Compatibility with Wiresha...

Page 75: ...e minimum a configuration backup on a regular basis so that a configuration can be easily recreated in the event of hardware replacement The alternative is to recreate a configuration by manually addi...

Page 76: ...toring a backup is done in the reverse fashion Either by uploading the backup file using SCP or alternatively through the WebUI A restore cannot be done with CLI commands Operation Interruption Backup...

Page 77: ...such as the DHCP server lease database or Anti Virus IDP databases will not be backed up 2 7 3 Restore to Factory Defaults A restore to factory defaults can be applied so that it is possible to return...

Page 78: ...rface LAN1 on the DFL 1600 and DFL 2500 models The management interface IP address for the DFL 1660 DFL 2560 and DFL 2560G models will default to 192 168 10 1 The default IP address factory setting fo...

Page 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79...

Page 80: ...s It increases understanding of the configuration by using meaningful symbolic names Using address object names instead of entering numerical addresses reduces errors By defining an IP address object...

Page 81: ...hosts in consecutive order Example 3 1 Adding an IP Host This example adds the IP host www_srv1 with IP address 192 168 10 16 to the address book Command Line Interface gw world add Address IP4Address...

Page 82: ...leting In use IP Objects If an IP object is deleted that is in use by another object then NetDefendOS will not allow the configuration to be deployed and will produce a warning message In other words...

Page 83: ...web server hosts as group members Now a single policy can be used with this group thereby greatly reducing the administrative workload IP Addresses Can Be Excluded When groups are created with the Web...

Page 84: ...ily by the routing table but is also used by the DHCP client subsystem to store gateway address information acquired through DHCP If a default gateway address has been provided during the setup phase...

Page 85: ...he most important usage of service objects and it is also how ALGs become associated with IP rules since an ALG is associated with a service and not directly with an IP rule For more information on ho...

Page 86: ...ects does not meet the requirements for certain traffic then a new service can be created Reading this section will explain not only how new services are created but also provides an understanding of...

Page 87: ...stination ports are applicable for the service Specifying Port Numbers Port numbers are specified with all types of services and it is useful to understand how these can be entered in user interfaces...

Page 88: ...ck to the requesting application In some cases it is useful that the ICMP messages are not dropped For example if an ICMP quench message is sent to reduce the rate of traffic flow On the other hand dr...

Page 89: ...ld provide The best approach is to narrow the service filter in a security policy so it allows only the protocols that are absolutely necessary The all_tcpudpicmp service object is often a first choic...

Page 90: ...e selected are as follows Echo Request Sent by PING to a destination in order to check connectivity Destination Unreachable The source is told that a problem has occurred when delivering a packet Ther...

Page 91: ...ol service 2 Specify a suitable name for the service for example VRRP 3 Enter 112 in the IP Protocol control 4 Optionally enter Virtual Router Redundancy Protocol in the Comments control 5 Click OK 3...

Page 92: ...n to be open Establish Idle Timeout If there is no activity on a connection for this amount of time then it is considered to be closed and is removed from the NetDefendOS state table The default setti...

Page 93: ...itself is the source or destination for traffic Interface Types NetDefendOS supports a number of interface types which can be divided into the following four major groups Ethernet Interfaces Each Eth...

Page 94: ...interfaces can be used almost interchangeably in the various NetDefendOS rule sets and other configuration objects This results in a high degree of flexibility in how traffic can be examined controll...

Page 95: ...quence of bits which specify the originating device plus the destination device plus the data payload along with error checking bits A pause between the broadcasting of individual frames allows device...

Page 96: ...lly auto generated by the system For more information please see Section 3 1 5 Auto Generated Address Objects Tip Specifying multiple IP addresses on an interface Multiple IP addresses can be specifie...

Page 97: ...n be sent from the DHCP server iv Do not allow IP address collisions with static routes v Do not allow network collisions with static routes vi Specify an allowed IP address for the DHCP lease vii Spe...

Page 98: ...this interface 2 An additional option is to disable the sending of HA cluster heartbeats from this interface Quality Of Service The option exists to copy the IP DSCP precedence to the VLAN priority fi...

Page 99: ...net card including the bus slot and port number of the card as well as the Ethernet driver being used These details are not relevant to the logical interface object associated with the physical interf...

Page 100: ...dresses lan_ip InterfaceAddresses wan_net InterfaceAddresses lan_net Server Setting Interface Addresses The CLI can be used to set the address of the interface gw world set Address IP4Address Interfac...

Page 101: ...for the bus slot port combination 0 0 2 on the wan interface the set command would be gw world set EthernetDevice lan EthernetDriver IXP4NPEEthernetDriver PCIBus 0 PCISlot 0 PCIPort 2 This command is...

Page 102: ...belong to different Virtual LANs but can still share the same physical Ethernet link The following principles underlie the NetDefendOS processing of VLAN tagged Ethernet frames at a physical interfac...

Page 103: ...ports on the switch that connect to VLAN clients are configured with individual VLAN IDs Any device connected to one of these ports will then automatically become part of the VLAN configured for that...

Page 104: ...treat a VLAN interface just like a physical interface in that they require both appropriate IP rules and routes to exist in the NetDefendOS configuration for traffic to flow through them For example...

Page 105: ...P networks PPP uses Link Control Protocol LCP for link establishment configuration and testing Once the LCP is initialized one or several Network Control Protocols NCPs can be used to transport traffi...

Page 106: ...red PPPoE to be used in PPPoE sessions Unnumbered PPPoE is typically used when ISPs want to allocate one or more preassigned IP addresses to users These IP addresses are then manually entered into cli...

Page 107: ...rm Password Retype the password Under Authentication specify which authentication protocol to use the default settings will be used if not specified Disable the option Enable dial on demand Under Adva...

Page 108: ...be given a value The specified IP address is then used for the following i An ICMP Ping can be sent to this tunnel endpoint ii Log messages related to the tunnel will be generated with this IP addres...

Page 109: ...associated GRE Tunnel The same is true for traffic in the opposite direction that is going into a GRE tunnel Furthermore a Route has to be defined so NetDefendOS knows what IP addresses should be acce...

Page 110: ...nnet on the lan interface the steps for setting up NetDefendOS on B are as follows 1 In the address book set up the following IP objects remote_net_A 192 168 10 0 24 remote_gw 172 16 0 1 ip_GRE 192 16...

Page 111: ...t Equivalent can be enabled it is disabled by default Enabling the option means that the group can be used as the destination interface in NetDefendOS rules where connections might need to be moved be...

Page 112: ...destination IP address sends an ARP reply packet to the originating host with its MAC address 3 4 2 The NetDefendOS ARP Cache The ARP Cache in network equipment such as switches and firewalls is an im...

Page 113: ...new MAC address If NetDefendOS has an old ARP entry for the host in its ARP cache then that entry will become invalid because of the changed MAC address and this will cause data to be sent to the hos...

Page 114: ...onse Interface The local physical interface for the ARP object IP Address The IP address for the MAC IP mapping MAC Address The MAC address for the MAC IP mapping The three ARP modes of Static Publish...

Page 115: ...s translate traffic to these addresses and send it onwards to internal servers with private IP addresses A less common purpose is to aid nearby network equipment responding to ARP in an incorrect mann...

Page 116: ...the administrator can use the alternative Proxy ARP feature in NetDefendOS to handle publishing of entire networks see Section 4 2 6 Proxy ARP 3 4 4 Using ARP Advanced Settings This section presents...

Page 117: ...ntil the previous ARP cache entry has timed out The advanced setting Static ARP Changes can modify this behavior The default behavior is that NetDefendOS will allow changes to take place but all such...

Page 118: ...DefendOS will provided that other rules approve the request reply to it Default Drop ARP Changes Determines how NetDefendOS will deal with situations where a received ARP reply or ARP request would al...

Page 119: ...es how NetDefendOS deals with ARP requests and ARP replies that state that they are broadcast addresses Such claims are usually never correct Default DropLog ARP cache size How many ARP entries there...

Page 120: ...behavior when receiving an ARP request with a sender IP address that collides with one already used on the receive interface Possible actions Drop or Notify Default Drop 3 4 5 ARP Advanced Settings Su...

Page 121: ...tunnel Destination Network The network to which the destination IP address of the packet belongs This might be a NetDefendOS IP object which could define a single IP address or range of addresses Serv...

Page 122: ...e IP rules must be defined by the administrator Each IP rule that is added by the administrator will define the following basic filtering criteria From what interface to what interface traffic flows F...

Page 123: ...t least one IP rule must be added to allow traffic to flow In fact two NetDefendOS components need to be present A route must exist in a NetDefendOS routing table which specifies on which interface pa...

Page 124: ...rule above it is not being triggered first Stateful Inspection After initial rule evaluation of the opening connection subsequent packets belonging to that connection will not need to be evaluated in...

Page 125: ...ailed description Drop This tells NetDefendOS to immediately discard the packet This is an impolite version of Reject in that no reply is sent back to the sender It is often preferable since it gives...

Page 126: ...e large numbers of entries in IP rule sets it is possible to create IP rule set folders These folders are just like a folder in a computer s file system They are created with a given name and can then...

Page 127: ...the individual objects to become visible Instead all objects are already visible and they are displayed in a way that indicates how they are grouped together Groups can be used in most cases where Ne...

Page 128: ...Select the New Group option from the context menu A group is now created with a title line and the IP rule as its only member The default title of new Group is used The entire group is also assigned...

Page 129: ...r in the box with the mouse In this example we might change the name of the group to be Web surfing and also change the group color to green The resulting group display is shown below Adding Additiona...

Page 130: ...in a group is right clicked then the context menu contains the option Leave Group Selecting this removes the object from the group AND moves it down to a position immediately following the group Remov...

Page 131: ...ther objects Scheduled Times These are the times during each week when the schedule is applied Times are specified as being to the nearest hour A schedule is either active or inactive during each hour...

Page 132: ...ace lan SourceNetwork lannet DestinationInterface any DestinationNetwork all nets Schedule OfficeHours name AllowHTTP Return to the top level gw world main cc Configuration changes must be saved by th...

Page 133: ...a certificate is a public key with identification attached coupled with a stamp of approval by a trusted party Certificate Authorities A certificate authority CA is a trusted entity that issues certif...

Page 134: ...can be downloaded In some cases certificates do not contain this field In those cases the location of the CRL has to be configured manually A CA usually updates its CRL at a given interval The length...

Page 135: ...erfaces IPsec 2 Display the properties of the IPsec tunnel 3 Select the Authentication tab 4 Select the X509 Certificate option 5 Select the correct Gateway and Root certificates 6 Click OK 3 7 3 CA C...

Page 136: ...e cut and pasted with a text editor Note OpenSSL is being used here as a conversion utility and not in its normal role as a communication utility 3 Create two blank text files with a text editor such...

Page 137: ...wn as Time Servers 3 8 2 Setting Date and Time Current Date and Time The administrator can set the date and time manually and this is recommended when a new NetDefendOS installation is started for the...

Page 138: ...ing Time Many regions follow Daylight Saving Time DST or Summer time as it is called in some countries and this means clocks are advanced for the summer period Unfortunately the principles regulating...

Page 139: ...January first 1900 Most public Time Servers run the NTP protocol and are accessible using SNTP Configuring Time Servers Up to three Time Servers can be configured to query for time information By usin...

Page 140: ...ty Time Server causes the clock to be updated with a extremely inaccurate time a Maximum Adjustment value in seconds can be set If the difference between the current NetDefendOS time and the time rece...

Page 141: ...nk Time Servers Using D Link s own Time Servers is an option in NetDefendOS and this is the recommended way of synchronizing the firewall clock These servers communicate with NetDefendOS using the SNT...

Page 142: ...er for time synchronization UDPTime or SNTP Simple Network Time Protocol Default SNTP Primary Time Server DNS hostname or IP Address of Timeserver 1 Default None Secondary Time Server DNS hostname or...

Page 143: ...ft in seconds that a server is allowed to adjust Default 600 Group interval Interval according to which server responses will be grouped Default 10 3 8 4 Settings Summary for Date and Time Chapter 3 F...

Page 144: ...of up to three DNS servers The are called the Primary Server the Secondary Server and the Tertiary Server For DNS to function at least the primary server must be configured It is recommended to have b...

Page 145: ...g a new local IP address on the interface that connects to the DNS server The difference between HTTP Poster and the named DNS servers in the WebUI is that HTTP Poster can be used to send any URL The...

Page 146: ...3 9 DNS Chapter 3 Fundamentals 146...

Page 147: ...one of the most fundamental functions of NetDefendOS Any IP packet flowing through a NetDefend Firewall will be subjected to at least one routing decision at some point in time and properly setting up...

Page 148: ...d these are consulted to find out where to send a packet so it can reach its destination The components of a single route are discussed next The Components of a Route When a route is defined it consis...

Page 149: ...ed by Route Failover and Route Load Balancing For more information see Section 4 4 Route Load Balancing and Section 4 2 3 Route Failover A Typical Routing Scenario The diagram below illustrates a typi...

Page 150: ...ific route is used In other words if two routes have destination networks that overlap the narrower network definition will be taken before the wider one This behavior is in contrast to IP rules where...

Page 151: ...ARP queries as though the interface had that IP address The diagram below illustrates a scenario where this feature could be used The network 10 1 1 0 24 is bound to a physical interface that has an...

Page 152: ...bles will handle certain types of traffic see Section 4 3 Policy based Routing The Route Lookup Mechanism The NetDefendOS route lookup mechanism has some slight differences to how some other router pr...

Page 153: ...following Flags Network Iface Gateway Local IP Metric 192 168 0 0 24 lan 20 10 0 0 0 8 wan 1 0 0 0 0 0 wan 192 168 0 1 20 NetDefendOS Route Definition Advantages The NetDefendOS method of defining rou...

Page 154: ...all nets 213 124 165 1 none 2 lan lannet none none 3 wan wannet none none To see the active routing table enter gw world routes Flags Network Iface Gateway Local IP Metric 192 168 0 0 24 lan 0 213 124...

Page 155: ...net In the Web Interface this is an advanced setting in the Ethernet interface properties called Automatically add a default route for this interface using the given default gateway When this option i...

Page 156: ...2 3 Route Failover Overview NetDefend Firewalls are often deployed in mission critical locations where availability and connectivity is crucial For example an enterprise relying heavily on access to...

Page 157: ...next hop for a route accessibility to that gateway can be monitored by sending periodic ARP requests As long as the gateway responds to these requests the route is considered to be functioning correc...

Page 158: ...gateways The first primary route has the lowest metric and also has route monitoring enabled Route monitoring for the second alternate route is not meaningful since it has no failover route Route Inte...

Page 159: ...l destination interfaces should be grouped together into an Interface Group and the Security Transport Equivalent flag should be enabled for the Group The Interface Group is then used as the Destinati...

Page 160: ...on is established to and then disconnected from the host An IP address must be specified for this HTTP A normal HTTP server request using a URL A URL must be specified for this as well as a text strin...

Page 161: ...from a server can indicate if a specific database is operational with text such as Database OK then the absence of that response can indicate that the server is operational but the application is offl...

Page 162: ...nning Ethernet is separated into two parts with a routing device such as a NetDefend Firewall in between In such a case NetDefendOS itself can respond to ARP requests directed to the network on the ot...

Page 163: ...traffic to net_1 In the same way net_2 could be published on the interface if1 so that there is a mirroring of routes and ARP proxy publishing Route Network Interface Proxy ARP Published 1 net_1 if1 i...

Page 164: ...interfaces since ARP is not involved Automatically Added Routes Proxy ARP cannot be enabled for automatically added routes For example the routes that NetDefendOS creates at initial startup for physi...

Page 165: ...ed Routing A different routing table might need to be chosen based on the user identity or the group to which the user belongs This is particularly useful in provider independent metropolitan area net...

Page 166: ...le is encountered address translation will be performed The decision of which routing table to use is made before carrying out address translation but the actual route lookup is performed on the alter...

Page 167: ...med routing table fails the lookup as a whole is considered to have failed Only the named routing table is the only one consulted If this lookup fails the lookup will not continue in the main routing...

Page 168: ...outing becomes a necessity We will set up the main routing table to use ISP A and add a named routing table called r2 that uses the default gateway of ISP B Interface Network Gateway ProxyARP lan1 10...

Page 169: ...Note Rules in the above example are added for both inbound and outbound connections 4 3 5 The Ordering parameter Chapter 4 Routing 169...

Page 170: ...ject Round Robin Matching routes are used equally often by successively going to the next matching route Destination This is an algorithm that is similar to Round Robin but provides destination IP sti...

Page 171: ...e importance of this is that it means that a particular destination application can see all traffic coming from the same source IP address Spillover Spillover is not similar to the previous algorithms...

Page 172: ...ses through one of the ISPs then this can be achieved by enabling RLB and setting a low metric on the route to the favoured ISP A relatively higher metric is then set on the route to the other ISP Usi...

Page 173: ...okup In the above example 10 4 16 0 24 may be chosen over 10 4 16 0 16 because the range is narrower with 10 4 16 0 24 for an IP address they both contain RLB Resets There are two occasions when all R...

Page 174: ...ource IP address If NAT was being used for the client communication the IP address seen by the server would be WAN1 or WAN2 In order to flow any traffic requires both a route and an allowing IP rule T...

Page 175: ...s are not included here but the created rules would follow the pattern described above RLB with VPN When using RLB with VPN a number of issues need to be overcome If we were to try and use RLB to bala...

Page 176: ...certain problems such as routing loops One of two types of algorithms are generally used to implement the dynamic routing mechanism A Distance Vector DV algorithm A Link State LS algorithm How a route...

Page 177: ...and 2560G OSPF is not available on the DFL 210 260 and 260E An OSPF enabled router first identifies the routers and sub networks that are directly connected to it and then broadcasts the information...

Page 178: ...tween them via firewall B For instance traffic from network X which is destined for network Z will be routed automatically through firewall B From the administrators point of view only the routes for...

Page 179: ...kets based only on the destination IP address found in the IP packet header IP packets are routed as is in other words they are not encapsulated in any further protocol headers as they transit the Aut...

Page 180: ...3 2 OSPF Area OSPF Area Components A summary of OSPF components related to an area is given below ABRs Area Border Routers are routers that have interfaces connected to more than one area These maint...

Page 181: ...bi directional On Point to Point and Point to Multipoint OSPF interfaces the state will be changed to Full On Broadcast interfaces only the DR BDR will advance to the Full state with their neighbors a...

Page 182: ...configured between fw1 and fw2 on Area 1 as it is used as the transit area In this configuration only the Router ID has to be configured The diagram shows that fw2 needs to have a Virtual Link to fw1...

Page 183: ...wall needs to have a broadcast interface with at least ONE neighbor for ALL areas that the firewall is attached to In essence the inactive part of the cluster needs a neighbor to get the link state da...

Page 184: ...routing Defining these objects creates the OSPF network The objects should be defined on each NetDefend Firewall that is part of the OSPF network and should describe the same network An illustration...

Page 185: ...tions that Low logs but with more detail High Logs everything with most detail Note When using the High setting the firewall will log a lot of information even when just connected to a small AS Changi...

Page 186: ...freshed It is more optimal to group many LSAs and process them at the same time instead of running them one and one Routes Hold Time This specifies the time in seconds that the routing table will be k...

Page 187: ...e used with OSPF interfaces Note that an OSPF Interface does not always correspond to a physical interface although this is the most common usage Other types of interfaces such as a VLAN could instead...

Page 188: ...en the following options are available No authentication Passphrase MD5 Digest Advanced Hello Interval Specifies the number of seconds between Hello packets sent on the interface Router Dead Interval...

Page 189: ...neighbor This is the IP Address of the neighbors OSPF interface connecting to this router For VPN tunnels this will be the IP address of the tunnel s remote end Metric Specifies the metric to this ne...

Page 190: ...ting Rules In a dynamic routing environment it is important for routers to be able to regulate to what extent they will participate in the routing exchange It is not feasible to accept or trust all re...

Page 191: ...OSPF AS the opposite is not true The export of routes to networks that are part of OSPF Interface objects are automatic The one exception is for routes on interfaces that have a gateway defined for t...

Page 192: ...ies if the rule should filter on Router ID OSPF Route Type Specifies if the rule should filter on the OSPF Router Type OSPF Tag Specifies an interval that the tag of the routers needs to be in between...

Page 193: ...ther explanation Beginning with just one of these firewalls the NetDefendOS setup steps are as follows 1 Create an OSPF Router object Create a NetDefendOS OSPF Router Process object This will represen...

Page 194: ...is no need to have a Dynamic Routing Policy Rule which exports the local routing table into the AS since this is done automatically for OSPF Interface objects The exception to this is if a route invol...

Page 195: ...eway in this case is of course the NetDefend Firewall to which the traffic should be sent That firewall may or may not be attached to the destination network but OSPF has determined that that is the o...

Page 196: ...al IP of the tunnel endpoint To finish the setup for firewall A there needs to be two changes made to the IPsec tunnel setup on firewall B These are i In the IPsec tunnel properties the Local Network...

Page 197: ...le name For example area_0 Specify the Area ID as 0 0 0 0 5 Click OK This should be repeated for all the NetDefend Firewalls that will be part of the OSPF area Example 4 9 Add OSPF Interface Objects N...

Page 198: ...Example 4 11 Exporting the Default Route into an OSPF AS In this example the default all nets route from the main routing table will be exported into an OSPF AS named as_0 This must be done explicitly...

Page 199: ...Multicast routing functions on the principle that an interested receiver joins a group for a multicast by using the IGMP protocol PIM routers can then duplicate and forward packets to all members of...

Page 200: ...specified by the multiplex rule must have been requested by hosts using IGMP before any multicast packets are forwarded through the specified interfaces This is the default behavior of NetDefendOS No...

Page 201: ...0 0 24 1234 to the interfaces if1 if2 and if3 All groups have the same sender 192 168 10 1 which is located somewhere behind the wan interface The multicast groups should only be forwarded to the out...

Page 202: ...en gw world main add IPRule SourceNetwork srcnet SourceInterface srcif DestinationInterface srcif DestinationNetwork destnet Action MultiplexSAT Service service MultiplexArgument outif1 ip1 outif2 ip2...

Page 203: ...MP Rules Configuration Address Translation Tip As previously noted remember to add an Allow rule matching the SAT Multiplex rule Example 4 13 Multicast Forwarding Address Translation The following SAT...

Page 204: ...ategories IGMP Reports Reports are sent from hosts towards the router when a host wants to subscribe to new multicast groups or change current multicast subscriptions IGMP Queries Queries are IGMP mes...

Page 205: ...towards the clients and actively send queries Towards the upstream router the firewall will be acting as a normal host subscribing to multicast groups on behalf of its clients 4 6 3 1 IGMP Rules Confi...

Page 206: ...d IGMP Rule 2 Under General enter Name A suitable name for the rule for example Reports Type Report Action Proxy Output wan this is the relay interface 3 Under Address Filter enter Source Interface lf...

Page 207: ...needs to be executed to create the report and query rule pair for if1 which uses no address translation Web Interface A Create the first IGMP Rule 1 Go to Routing IGMP IGMP Rules Add IGMP Rule 2 Unde...

Page 208: ...nter Name A suitable name for the rule for example Reports_if2 Type Report Action Proxy Output wan this is the relay interface 3 Under Address Filter enter Source Interface if2 Source Network if2net D...

Page 209: ...led IGMP React To Own Queries The firewall should always respond with IGMP Membership Reports even to queries originating from itself Global setting on interfaces without an overriding IGMP Setting De...

Page 210: ...he maximum time in milliseconds until a host has to send a reply to a query Global setting on interfaces without an overriding IGMP Setting Default 10 000 IGMP Robustness Variable IGMP is robust to IG...

Page 211: ...time in milliseconds between repetitions of an initial membership report Global setting on interfaces without an overriding IGMP Setting Default 1 000 4 6 4 Advanced IGMP Settings Chapter 4 Routing 2...

Page 212: ...ge specified instead of all nets This is usually when a network is split between two interfaces but the administrator does not know exactly which users are on which interface Usage Scenarios Two examp...

Page 213: ...s ARP transactions to pass through the NetDefend Firewall and determines from this ARP traffic the relationship between IP addresses physical addresses and interfaces NetDefendOS remembers this addres...

Page 214: ...Mode If no restriction at all is to be initially placed on traffic flowing in transparent mode the following single IP rule could be added but more restrictive IP rules are recommended Action Src Inte...

Page 215: ...ate two separate transparent mode networks The routing table used for an interface is decided by the Routing Table Membership parameter for each interface To implement separate Transparent Mode networ...

Page 216: ...h Routes the solution in a High Availability setup is to use Proxy ARP to separate two networks This is described further in Section 4 2 6 Proxy ARP The key disadvantage with this approach is that fir...

Page 217: ...tween the internal physical Ethernet network pn2 and the Ethernet network to the ISP s gateway pn1 The two Ethernet networks are treated as a single logical IP network in Transparent Mode with a commo...

Page 218: ...In the above example 85 12 184 39 and 194 142 215 15 could be grouped into a single object in this way Using NAT NAT should not be enabled for NetDefendOS in Transparent Mode since as explained previ...

Page 219: ...P Address 10 0 0 1 Network 10 0 0 0 24 Default Gateway 10 0 0 1 Transparent Mode Enable 3 Click OK 4 Go to Interfaces Ethernet Edit lan 5 Now enter IP Address 10 0 0 2 Network 10 0 0 0 24 Transparent...

Page 220: ...d there is no need for the hosts on the internal network to know if a resource is on the same network or placed on the DMZ The hosts on the internal network are allowed to communicate with an HTTP ser...

Page 221: ...nterface Groups Add InterfaceGroup 2 Now enter Name TransparentGroup Security Transport Equivalent Disable Interfaces Select lan and dmz 3 Click OK Configure the routing 1 Go to Routing Main Routing T...

Page 222: ...the Bridge Protocol Data Units BPDUs across the NetDefend Firewall BPDU frames carry Spanning Tree Protocol STP messages between layer 2 switches in a network STP allows the switches to understand th...

Page 223: ...Enabling Disabling BPDU Relaying BPDU relaying is disabled by default and can be controlled through the advanced setting Relay Spanning tree BPDUs Logging of BPDU messages can also be controlled throu...

Page 224: ...cally Default Enabled L3 Cache Size This setting is used to manually configure the size of the Layer 3 Cache Enabling Dynamic L3C Size is normally preferred Default Dynamic Transparency ATS Expire Def...

Page 225: ...s DropLog Drop and log packets Default DropLog Multicast Enet Sender Defines what to do when receiving a packet that has the sender hardware MAC address in Ethernet header set to a multicast Ethernet...

Page 226: ...gnore all incoming MPLS packets are relayed in transparent mode Options Ignore Let the packets pass but do not log Log Let the packets pass and log the event Drop Drop the packets DropLog Drop packets...

Page 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227...

Page 228: ...ess a MAC address a domain name and a lease for the IP address to the client in a unicast message DHCP Leases Compared to static assignment where the client owns the address dynamic addressing by a DH...

Page 229: ...they are defined the last defined being at the top of the list When NetDefendOS searches for a DHCP server to service a request it goes through the list from top to bottom and chooses the first server...

Page 230: ...ease Primary Secondary DNS The IP of the primary and secondary DNS servers Primary Secondary NBNS WINS IP of the Windows Internet Name Service WINS servers that are used in Microsoft environments whic...

Page 231: ...rs gw world dhcpserver To list all current leases gw world dhcpserver show Displaying IP to MAC Address Mappings To display the mappings of IP addresses to MAC addresses that result from allocated DHC...

Page 232: ...ng sections discuss these two DHCP server options 5 2 1 Static DHCP Hosts Where the administrator requires a fixed relationship between a client and the assigned IP address NetDefendOS allows the assi...

Page 233: ...individual static assignment can be shown using its index number gw world show DHCPServerPoolStaticHost 1 Property Value Index 1 Host 192 168 1 1 MACAddress 00 90 12 13 14 15 Comments none 5 The assig...

Page 234: ...e or a comma separated list The meaning of the data is determined by the Code and Type For example if the code is set to 66 TFTP server name then the Type could be String and the Data would then be a...

Page 235: ...interface on which it sends out the forwarded request Although all NetDefendOS interfaces are core routed that is to say a route exists by default that routes interface IP addresses to Core for relaye...

Page 236: ...DHCP Relay Advanced Settings The following advanced settings are available with DHCP relaying Max Transactions Maximum number of transactions at the same time Default 32 Transaction Timeout For how lo...

Page 237: ...What policy should be used to save the relay list to the disk possible settings are Disabled ReconfShut or ReconfShutTimer Default ReconfShut Auto Save Interval How often in seconds should the relay l...

Page 238: ...should use the DHCP server s residing on the specified interface Specify DHCP Server Address Specify DHCP server IP s in preferred ascending order to be used This option is used instead of the behind...

Page 239: ...this value Maximum clients Optional setting used to specify the maximum number of clients IPs allowed in the pool Sender IP This is the source IP to use when communicating with the DHCP server Memory...

Page 240: ...10 14 1 with 10 prefetched leases It is assumed that this IP address is already defined in the address book as an IP object called ippool_dhcp Command Line Interface gw world add IPPool ip_pool_1 DHCP...

Page 241: ...5 4 IP Pools Chapter 5 DHCP Services 241...

Page 242: ...hich is known as the Default Access Rule This default rule is not really a true rule but operates by checking the validity of incoming traffic by performing a reverse lookup in the NetDefendOS routing...

Page 243: ...is NOT allowed Any outgoing traffic with a source IP address belonging to an outside untrusted network is NOT allowed The first point prevents an outsider from using a local host s address as its sou...

Page 244: ...s always advisable to check Access Rules when troubleshooting puzzling problems in case a rule is preventing some other function such as VPN tunnel establishment from working properly Example 6 1 Sett...

Page 245: ...ransfer and multimedia transfer ALGs provide higher security than packet filtering since they are capable of scrutinizing all traffic for a specific protocol and perform checks at the higher levels of...

Page 246: ...browser sends a request by establishing a TCP IP connection to a known port usually port 80 on a remote server The server answers with a response string followed by a message of its own That message...

Page 247: ...ontents is dropped by NetDefendOS on the assumption that it can be a security threat 2 Allow Block Selected Types This option operates independently of the MIME verification option described above but...

Page 248: ...tering if enabled 4 Anti virus scanning if enabled As described above if a URL is found on the whitelist then it will not be blocked if it also found on the blacklist If it is enabled Anti virus scann...

Page 249: ...Normally the client needs to authenticate itself by providing a predefined login and password After granting access the server will provide the client with a file directory listing from which it can d...

Page 250: ...of the FTP command channel and examining its contents By doing this the NetDefendOS knows what port to open for the data channel Furthermore the FTP ALG also provides functionality to filter out certa...

Page 251: ...pecified with this option The client will be allowed to connect to any of these if the server is using passive mode The default range is 1024 65535 These options can determine if hybrid mode is requir...

Page 252: ...frequency of commands can be useful The default limit is 20 commands per second Allow 8 bit strings in control channel The option determines if 8 bit characters are allowed in the control channel All...

Page 253: ...rom a remote FTP server on the Internet the server will not be blocked by ZoneDefense since it is outside of the configured network range The virus is however still blocked by the NetDefend Firewall B...

Page 254: ...configuration is performed as follows Web Interface A Define the ALG The ALG ftp inbound is already predefined by NetDefendOS but in this example we will show how it can be created from scratch 1 Go t...

Page 255: ...ternal assume this internal IP address for FTP server has been defined in the address book object 6 New Port 21 7 Click OK D Traffic from the internal interface needs to be NATed through a single publ...

Page 256: ...use active mode FTP ALG option so clients can only use passive mode This is much safer for the client Enable the Allow server to use passive mode FTP ALG option This allows clients on the inside to co...

Page 257: ...owing the same kind of ports traffic before these rules The service used here is the ftp outbound service which should be using the predefined ALG definition ftp outbound which is described earlier 1...

Page 258: ...mpler version of FTP with more limited capabilities Its purpose is to allow a client to upload files to or download files from a host system TFTP data transport is based on the UDP protocol and theref...

Page 259: ...l server this setup is illustrated later in Section 6 2 5 1 Anti Spam Filtering Local users will then use email client software to retrieve their email from the local SMTP server SMTP is also used whe...

Page 260: ...This same option is also available in the HTTP ALG and a fuller description of how it works can be found in Section 6 2 2 The HTTP ALG This same option is also available in the HTTP ALG and a fuller d...

Page 261: ...ned in RFC 1869 and allows a number extensions to the standard SMTP protocol When an SMTP client opens a session with an SMTP server using ESMTP the client first sends an EHLO command If the server su...

Page 262: ...ly configured It is possible to manually configure certain hosts and servers to be excluded from being blocked by adding them to the ZoneDefense Exclude List When a client tries to send an email infec...

Page 263: ...ck List DNSBL databases and the information is accessible using a standardized query method supported by NetDefendOS The image below illustrates all the components involved DNSBL Server Queries When t...

Page 264: ...old in this example is set at 7 then all three DNSBL servers would have to respond in order for the calculated sum to cause the email to be dropped 3 2 2 7 Alternative Actions for Dropped Spam If the...

Page 265: ...out then NetDefendOS will consider that the query has failed and the weight given to that server will be automatically subtracted from both the Spam and Drop thresholds for the scoring calculation don...

Page 266: ...r dropping mail The Spam Threshold should be less than the Drop Threshold If the two are equal then only the Drop Threshold applies Specify a textual tag to prefix to the Subject field of email design...

Page 267: ...my_smtp_alg active 156 65 34299 alt_smtp_alg inactive 0 0 0 The show option provides a summary of the Spam filtering operation of a specific ALG It is used below to examine activity for my_smtp_alg a...

Page 268: ...sername does not exist This prevents users from trying different usernames until they find a valid one Allow Unknown Commands Non standard POP3 commands not recognized by the ALG can be allowed or dis...

Page 269: ...ress on the firewall This first connection will be successful but when the second client B also tries to connect to the same server C at the same endpoint IP address the first connection for A will be...

Page 270: ...scriptive name for the ALG Echo timeout Idle timeout for Echo messages in the PPTP tunnel Idle timeout Idle timeout for user traffic messages in the PPTP tunnel In most cases only the name needs to be...

Page 271: ...by NetDefendOS Registrars A server that handles SIP REGISTER requests is given the special name of Registrar The Registrar server has the task of locating the host where the other client is reachable...

Page 272: ...ys the INVITE message to the called client Once the two clients have learnt of each other s IP addresses they can communicate directly with each other and remaining SIP messages can bypass the proxies...

Page 273: ...fend Firewall and a client which is on the external unprotected side The SIP proxy is located on the local protected side of the NetDefend Firewall and can handle registrations from both clients locat...

Page 274: ...have Destination Port set to 5060 the default SIP signalling port Type set to TCP UDP 3 Define two rules in the IP rule set A NAT rule for outbound traffic from clients on the internal network to the...

Page 275: ...AT is used are shown in parentheses Action Src Interface Src Network Dest Interface Dest Network Allow or NAT lan lannet wan ip_proxy Allow wan ip_proxy lan or core lannet or wan_ip Without the Record...

Page 276: ...T rule This translation will occur both on the IP level and the application level Neither the clients or the proxies need to be aware that the local clients are being NATed If Record Route is enabled...

Page 277: ...Clients Allow lan lannet ip_proxy wan all nets InboundTo Proxy Clients Allow wan all nets lan lannet ip_proxy If Record Route is enabled then the networks in the above rules can be further restricted...

Page 278: ...Z The IP address of the DMZ interface must be a globally routable IP address This address can be the same address as the one used on the external interface The setup steps are as follows 1 Define a si...

Page 279: ...el An Allow rule for inbound SIP traffic from for example the Internet to the IP address of the DMZ interface The reason for this is because local clients will be NATed using the IP address of the DMZ...

Page 280: ...twork The IP rules with Record Route enabled are Action Src Interface Src Network Dest Interface Dest Network OutboundToProxy Allow lan lannet dmz ip_proxy OutboundFromProxy Allow dmz ip_proxy lan lan...

Page 281: ...blish a connection between two H 323 endpoints This call signal channel is opened between two H 323 endpoints or between a H 323 endpoint and a gatekeeper For communication between two H 323 endpoints...

Page 282: ...Translate Logical Channel Addresses This would normally always be set If not enabled then no address translation will be done on logical channel addresses and the administrator needs to be sure about...

Page 283: ...t Destination Network 0 0 0 0 0 all nets Comment Allow outgoing calls 3 Click OK Incoming Rule 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323AllowIn Action Allow Service H323 Source Interface...

Page 284: ...IP of the H 323 phone Web Interface Outgoing Rule 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323Out Action NAT Service H323 Source Interface lan Destination Interface any Source Network lanne...

Page 285: ...ires one external address Example 6 6 Two Phones Behind Different NetDefend Firewalls This scenario consists of two H 323 phones each one connected behind the NetDefend Firewall on a network with publ...

Page 286: ...e set in the firewall Make sure there are no rules disallowing or allowing the same kind of ports traffic before these rules As we are using private IPs on the phones incoming traffic need to be SATed...

Page 287: ...IP address on the firewall If multiple H 323 phones are placed behind the firewall one SAT rule has to be configured for each phone This means that multiple external addresses have to be used However...

Page 288: ...r located at ip gatekeeper 3 For SAT enter Translate Destination IP Address To New IP Address ip gatekeeper IP address of gatekeeper 4 Click OK 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323I...

Page 289: ...hones to call the external phones that are registered with the gatekeeper Example 6 9 H 323 with Gatekeeper and two NetDefend Firewalls This scenario is quite similar to scenario 3 with the difference...

Page 290: ...eeper Example 6 10 Using the H 323 ALG in a Corporate Environment This scenario is an example of a more complex network that shows how the H 323 ALG can be deployed in a corporate environment At the h...

Page 291: ...ow enter Name LanToGK Action Allow Service H323 Gatekeeper Source Interface lan Destination Interface dmz Source Network lannet Destination Network ip gatekeeper Comment Allow H 323 entities on lannet...

Page 292: ...t 3 Click OK 1 Go to Rules IP Rules Add IPRule 2 Now enter Name BranchToGW Action Allow Service H323 Gatekeeper Source Interface vpn branch Destination Interface dmz Source Network branch net Destinat...

Page 293: ...to the Head Office DMZ 3 Click OK Example 6 12 Allowing the H 323 Gateway to register with the Gatekeeper The branch office NetDefend Firewall has a H 323 Gateway connected to its DMZ In order to allo...

Page 294: ...e Relationship with SSL TLS is a successor to the Secure Sockets Layer SSL but the differences are slight Therefore for most purposes TLS and SSL can be regarded as equivalent In the context of the TL...

Page 295: ...LS can be offloaded to the NetDefend Firewall This is be sometimes referred to as SSL acceleration Any processing advantages that can be achieved can however vary and will depend on the comparative pr...

Page 296: ...lution to this issue is for the servers to use relative URLs instead of absolute ones Cipher Suites Supported by NetDefendOS TLS NetDefendOS TLS supports the following cipher suites 1 TLS_RSA_WITH_3DE...

Page 297: ...ation effort and has very high accuracy Note Enabling WCF All Web Content Filtering is enabled via the HTTP ALG which is described in Section 6 2 2 The HTTP ALG 6 3 2 Active Content Handling Some web...

Page 298: ...target specific web sites and make the decision as to whether they should be blocked or allowed Static and Dynamic Filter Ordering Additionally Static Content Filtering takes place before Dynamic Con...

Page 299: ...s users from downloading exe files However the D Link website provides secure and necessary program files which should be allowed to download Command Line Interface Start by adding an HTTP ALG in orde...

Page 300: ...re already classified and grouped into a variety of categories such as shopping news sport adult oriented and so on The Dynamic WCF URL databases are updated almost hourly with new categorized URLs wh...

Page 301: ...ork are treated as anonymous submissions and no record of the source of new submissions is kept Categorizing Pages and Not Sites NetDefendOS dynamic filtering categorizes web pages and not sites In ot...

Page 302: ...typically this is because NetDefendOS is unable to reach the external databases to perform URL lookup Fail mode can have one of two settings Deny If WCF is unable to function then URLs are denied if...

Page 303: ...arch site For example www google com 3 If everything is configured correctly the web browser will present a web page that informs the user about that the requested site is blocked Audit Mode In Audit...

Page 304: ...gambling web sites he will not be able to do his job For this reason NetDefendOS supports a feature called Allow Override With this feature enabled the content filtering component will present a warni...

Page 305: ...tegories SEARCH_SITES AllowReclassification Yes Then continue setting up the service object and modifying the NAT rule as we have done in the previous examples Web Interface First create an HTTP Appli...

Page 306: ...ght be www newsunlimited com www dailyscoop com Category 3 Job Search A web site may be classified under the Job Search category if its content includes facilities to search for or submit online emplo...

Page 307: ...Chatrooms 8 Game Sites 10 Sports 16 Clubs and Societies 22 and Music Downloads 23 Examples might be www celebnews com www hollywoodlatest com Category 8 Chatrooms A web site may be classified under t...

Page 308: ...Investment related content refer to the Investment Sites category 11 Examples might be www nateast co uk www borganfanley com Category 13 Crime Terrorism A web site may be classified under the Crime...

Page 309: ...ction of violent acts as well as web sites that have undesirable content and may not be classified elsewhere Examples might be www itstinks com www ratemywaste com Category 19 Malicious A web site may...

Page 310: ...com Category 24 Business Oriented A web site may be classified under the Business Oriented category if its content is relevant to general day to day business or proper functioning of the Internet for...

Page 311: ...ks com Category 29 Computing IT A web site may be classified under the Computing IT category if its content includes computing related information or services Examples might be www purplehat com www g...

Page 312: ...les object These new files can then be edited and uploaded back to NetDefendOS The original Default object cannot be edited The following example goes through the necessary steps Example 6 18 Editing...

Page 313: ...ng SCP It is uploaded to the object type HTTPALGBanner and the object mytxt with the property name URLForbidden If the edited URLForbidden local file is called my html then using the Open SSH SCP clie...

Page 314: ...mportantly it can act as a backup for when local client antivirus scanning is not available Enabling Through ALGs NetDefendOS Anti Virus is enabled on a per ALG basis It is available for file download...

Page 315: ...pt of ordering is not relevant since the two scanning processes can occur simultaneously and operate at different protocol levels If IDP is enabled it scans all packets designated by a defined IDP rul...

Page 316: ...irus Options When configuring Anti Virus scanning in an ALG the following parameters can be set 1 General options Mode This must be one of i Disabled Anti Virus is switched off ii Audit Scanning is ac...

Page 317: ...contain image data of that type Some viruses can try to hide inside files by using a misleading file type A file might pretend to be a gif file but the file s data will not match that type s data patt...

Page 318: ...a remote FTP server over the Internet NetDefendOS detects this and stops the file transfer At this point NetDefendOS has blocked the infected file from reaching the internal network Hence there would...

Page 319: ...rus 3 Select the TCP in the Type dropdown list 4 Enter 80 in the Destination Port textbox 5 Select the HTTP ALG just created in the ALG dropdown list 6 Click OK C Finally modify the NAT rule called NA...

Page 320: ...t operates by monitoring network traffic as it passes through the NetDefend Firewall searching for patterns that indicate an intrusion is being attempted Once detected NetDefendOS IDP allows steps to...

Page 321: ...rd subscription is for 12 months and provides automatic IDP signature database updates This IDP option is available for all D Link NetDefend models including those that don t come as standard with Mai...

Page 322: ...w database updates If a new database update becomes available the sequence of events will be as follows 1 The active unit determines there is a new update and downloads the required files for the upda...

Page 323: ...n the upper text box is equivalent to the way signatures are specified when using the CLI to define an IDP rule HTTP Normalization Each IDP rule has a section of settings for HTTP normalization This a...

Page 324: ...the option Protect against Insertion Evasion attack An Insertion Evasion Attack is a form of attack which is specifically aimed at evading IDP mechanisms It exploits the fact that in a TCP IP data tr...

Page 325: ...prudent while the false positive causes are investigated 6 5 5 IDP Pattern Matching Signatures In order for IDP to correctly identify an attack it uses a profile of indicators or pattern associated w...

Page 326: ...as file sharing applications and instant messaging 6 5 6 IDP Signature Groups Using Groups Usually several lines of attacks exist for a specific protocol and it is best to search for all of them at t...

Page 327: ...n be used to wildcard for any set of characters of any length in a group name Caution Use the minimum IDP signatures necessary Do not use the entire signature database and avoid using signatures and s...

Page 328: ...dOS will wait for Minimum Repeat Time seconds before sending a new email The IP Address of SMTP Log Receivers is Required When specifying an SMTP log receiver the IP address of the receiver must be sp...

Page 329: ...s exposed to the Internet on the DMZ network with a public IP address The public Internet can be reached through the firewall on the WAN interface as illustrated below An IDP rule called IDPMailSrvRul...

Page 330: ...tion Network ip_mailserver Click OK Specify the Action An action is now defined specifying what signatures the IDP should use when scanning data matching the rule and what NetDefendOS should do when a...

Page 331: ...e ID 68343 the CLI in the above example would become gw world IDPMailSrvRule add IDPRuleAction Action Protect IDPServity All Signatures 68343 To specify a list which also includes signatures 68345 and...

Page 332: ...ammed Internet connections and business critical systems in overload This section deals with using NetDefend Firewalls to protect organizations against these attacks 6 6 2 DoS Attack Mechanisms A DoS...

Page 333: ...turn generates yet another response to itself etc This will either bog the victim s machine down or make it crash The attack is accomplished by using the victim s IP address in the source field of an...

Page 334: ...s masses of dropped ICMP Echo Reply packets The source IP addresses will be those of the amplifier networks used Fraggle attacks will show up in NetDefendOS logs as masses of dropped or allowed depend...

Page 335: ...ppens When the state table fills up old outstanding SYN connections will be the first to be dropped to make room for new connections Spotting SYN Floods TCP SYN flood attacks will show up in NetDefend...

Page 336: ...se attacks typically exhaust bandwidth router processing capacity or network stack resources breaking network connectivity to the victims Although recent DDoS attacks have been launched from both priv...

Page 337: ...nly this Service By default Blacklisting blocks all services for the triggering host Exempt already established connections from Blacklisting If there are established connections that have the same so...

Page 338: ...look at as well as manipulate the current contents of the blacklist and the whitelist The current blacklist can be viewed with the command gw world blacklist show black This blacklist command can be u...

Page 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339...

Page 340: ...he public Internet Security is increased by making it more difficult for intruders to understand the topology of the protected network Address translation hides internal IP addresses which means that...

Page 341: ...ss combination as its sender NetDefendOS performs automatic translation of the source port number as well as the IP address In other words the source IP addresses for connections are all translated to...

Page 342: ...have a matching ARP Publish entry configured for the outbound interface Otherwise the return traffic will not be received by the NetDefend Firewall This technique might be used when the source IP is...

Page 343: ...xample Example 7 1 Adding a NAT Rule To add a NAT rule that will perform address translation for all HTTP traffic originating from the internal network follow the steps outlined below Command Line Int...

Page 344: ...al servers using different IP protocols Several internal machines can communicate with different external servers using the same IP protocol Several internal machines can communicate with the same ser...

Page 345: ...ic is relayed between the firewall and the Internet it is no longer encapsulated by PPTP When an application such as a web server now receives requests from the client it appears as though they are co...

Page 346: ...s Subsequent connections involving the same internal client host will then use the same external IP address The advantage of the stateful approach is that it can balance connections across several ext...

Page 347: ...lancing is not part of this option there should be spreading of the load across the external connections due to the random nature of the allocating algorithm IP Pool Usage When allocating external IP...

Page 348: ...OK B Next create a stateful NAT Pool object called stateful_natpool 1 Go to Objects NAT Pools Add NAT Pool 2 Now enter Name stateful_natpool Pool type stateful IP Range nat_pool_range 3 Select the Pro...

Page 349: ...rs on the translated address given by the SAT rule For example if a SAT rule translates the destination from 1 1 1 1 to 2 2 2 2 then the second associated rule should allow traffic to pass to the dest...

Page 350: ...r in a DMZ In this example we will create a SAT policy that will translate and allow connections from the Internet to a web server located in a DMZ The NetDefend Firewall is connected to the Internet...

Page 351: ...DMZ 3 Now enter Action Allow Service http Source Interface any Source Network all nets Destination Interface core Destination Network wan_ip 4 Under the Service tab select http in the Predefined list...

Page 352: ...the number of rules for each interface allowed to communicate with the web server However the rule ordering is unimportant which may help avoid errors If option 2 was selected the rule set must be ad...

Page 353: ...address in accordance with rule 1 and forwards the packet in accordance with rule 2 10 0 0 3 1038 10 0 0 2 80 wwwsrv processes the packet and replies 10 0 0 2 80 10 0 0 3 1038 This reply arrives direc...

Page 354: ...veral protected servers in a DMZ and where each server should be accessible using a unique public IP address Example 7 5 Translating Traffic to Multiple Protected Web Servers In this example we will c...

Page 355: ...rv_pub Web Interface Create an address object for the public IP address 1 Go to Objects Address Book Add IP address 2 Specify a suitable name for the object for example wwwsrv_pub 3 Enter 195 55 66 77...

Page 356: ...wwsrv_pub 4 Click OK 7 4 3 All to One Mappings N 1 NetDefendOS can be used to translate ranges and or groups into just one IP address Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any...

Page 357: ...TCP or UDP level data and subsequently requires that in some way or another the addresses visible on IP level are the same as those embedded in the data Examples of this include FTP and logons to NT...

Page 358: ...ic address translation using FwdFast rules to a web server located on an internal network Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any all nets core wan_ip http SETDEST wwwsrv 80...

Page 359: ...rv any all nets 80 All SETSRC wan_ip 80 3 FwdFast lan wwwsrv any all nets 80 All 4 NAT lan lannet any all nets All 5 FwdFast lan wwwsrv any all nets 80 All External traffic to wan_ip 80 will match rul...

Page 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360...

Page 361: ...such as a biometric reader Another problem with A is that the special attribute often cannot be replaced if it is lost Methods B and C are therefore the most common means of identification in network...

Page 362: ...in secure passwords should also Not be recorded anywhere in written form Never be revealed to anyone else Changed on a regular basis such as every three months 8 1 Overview Chapter 8 User Authenticati...

Page 363: ...tail These are Section 8 2 2 The Local Database Section 8 2 3 External RADIUS Servers Section 8 2 4 External LDAP Servers Section 8 2 5 Authentication Rules 8 2 2 The Local Database The Local User Dat...

Page 364: ...users with fixed IP addresses Network behind user If a network is specified for this user then when the user connects a route is automatically added to the NetDefendOS main routing table This existen...

Page 365: ...cesses the requests and sends back a RADIUS message to accept or deny them One or more external servers can be defined in NetDefendOS RADIUS Security To provide security a common shared secret is conf...

Page 366: ...ial consideration with Active Directory and that is the Name Attribute This should be set to SAMAccountName Defining an LDAP Server One or more named LDAP server objects can be defined in NetDefendOS...

Page 367: ...ountName which is NOT case sensitive When looking at the details of a user in Active Directory the value for the user logon name is defined in the SAMAccountName field under the Account tab Note The L...

Page 368: ...tructure The Base Object specifies where in this tree the relevant users are located Specifying the Base Object has the effect of speeding up the search of the LDAP tree since only users under the Bas...

Page 369: ...automatically configured to work using LDAP Bind Request Authentication This means that authentication succeeds if successful connection is made to the LDAP server Individual clients are not distingu...

Page 370: ...cts LDAP servers used for certificate lookup are known as LDAPServer objects in the CLI A specific LDAP server that is defined in NetDefendOS for authentication can be shown with the command gw world...

Page 371: ...will contain the password when it is sent back This ID must be different from the default password attribute which is usually userPassword for most LDAP servers A suggestion is to use the description...

Page 372: ...word login sequence Authentication Rules are set up in a way that is similar to other NetDefendOS security policies by specifying which traffic is to be subject to the rule They differ from other poli...

Page 373: ...ll connections that trigger this rule Such connections will never be authenticated Any Disallow rules are best located at the end of the authentication rule set iv Local The local database defined wit...

Page 374: ...rk and data which is one of the following types HTTP traffic HTTPS traffic IPsec tunnel traffic L2TP tunnel traffic PPTP tunnel traffic 3 If no rule matches the connection is allowed provided the IP r...

Page 375: ...oup users to also be able to access the regular network we could add a third rule to permit this Action Src Interface Src Network Dest Interface Dest Network Service 1 Allow lan trusted_net int import...

Page 376: ...activity but we cannot just use lannet as the source network since the rule would trigger for any unauthenticated client from that network Instead the source network is an administrator defined IP obj...

Page 377: ...p enter the group names here separated by a comma users for this example 3 Click OK 4 Repeat Step B to add all the lannet users having the membership of users group into the lannet_auth_users folder E...

Page 378: ...e any Destination Network all nets 3 Click OK Example 8 3 Configuring a RADIUS Server The following steps illustrate how a RADIUS server is typically configured Web Interface 1 User Authentication Ext...

Page 379: ...eds either through by direct editing in Web Interface or by downloading and re uploading through an SCP client The files available for editing have the following names FormLogin LoginSuccess LoginFail...

Page 380: ...r the new set of ALG banner files will appear 4 Click the Edit Preview tab 5 Select FormLogin from the Page list 6 Now edit the HTML source that appears in the text box for the Forbidden URL page 7 Us...

Page 381: ...If the edited Formlogon local file is called my html then using the Open SSH SCP client the upload command would be pscp my html admin 10 5 62 11 HTTPAuthBanners ua_html FormLogin The usage of SCP cl...

Page 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382...

Page 383: ...lly important that the recipient can verify that no one is falsifying data in other words pretending to be someone else Virtual Private Networks VPNs meet this need providing a highly cost effective m...

Page 384: ...yptographic keyed hashing Non repudiation Proof that the sender actually sent the data the sender cannot later deny having sent it Non repudiation is usually a side effect of authentication VPNs are n...

Page 385: ...feature it is usually possible to dictate the types of communication permitted and NetDefendOS VPN has this feature 9 1 4 Key Distribution Key distribution schemes are best planned in advance Issues...

Page 386: ...The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386...

Page 387: ...n flow into the tunnel a route must be defined in a NetDefendOS routing table This route tells NetDefendOS which network can be found at the other end of the tunnel so it knows which traffic to send i...

Page 388: ...hich has the IP address lan_ip 4 Create an IPsec Tunnel object let s call this object ipsec_tunnel Specify the following tunnel parameters Set Local Network to lannet Set Remote Network to remote_net...

Page 389: ...unnel 2 Under Authentication Objects add the Root Certificate and Host Certificate into NetDefendOS The root certificate needs to have 2 parts added a certificate file and a private key file The gatew...

Page 390: ...ehand and must be handed out by NetDefendOS as the clients connect A IP addresses already allocated The IP addresses may be known beforehand and have been pre allocated to the roaming clients before t...

Page 391: ...remote network when tunnel established should be enabled for the tunnel object If all nets is the destination network the option Add route for remote network should be disabled Note The option to dyn...

Page 392: ...rity Define the IPsec algorithms that will be used and which are supported by NetDefendOS Specify if the client will use config mode There are a variety of IPsec client software products available fro...

Page 393: ...range that is totally different to any internal network This prevents any chance of an address in the range also being used on the internal network 2 Define two other IP objects ip_ext which is the ex...

Page 394: ...should be defined in the IP rule set Action Src Interface Src Network Dest Interface Dest Network Service Allow l2tp_tunnel l2tp_pool any int_net All NAT ipsec_tunnel l2tp_pool ext all nets All The s...

Page 395: ...t being able to NAT PPTP connections through a tunnel so multiple clients can use a single connection to the NetDefend Firewall If NATing is tried then only the first client that tries to connect will...

Page 396: ...s 0 0 0 0 0 4 Now set up the IP rules in the IP rule set Action Src Interface Src Network Dest Interface Dest Network Service Allow pptp_tunnel pptp_pool any int_net All NAT pptp_tunnel pptp_pool ext...

Page 397: ...low of events can be briefly described as follows IKE negotiates how IKE should be protected IKE negotiates how IPsec should be protected IPsec moves data in the VPN The following sections will descri...

Page 398: ...mply by performing another phase 2 negotiation There is no need to do another phase 1 negotiation until the IKE lifetime has expired IKE Algorithm Proposals An IKE algorithm proposal list is a suggest...

Page 399: ...from the same initial keying material This is to make sure that in the unlikely event that some key was compromised no subsequent keys can be derived Once the phase 2 negotiation is finished the VPN c...

Page 400: ...cified as a URL string such as vpn company com If this is done the prefix dns must be used The string above should therefore be specified as dns vpn company com The remote endpoint is not used in tran...

Page 401: ...ified in time seconds as well as data amount kilobytes Whenever one of these expires a new phase 1 exchange will be performed If no data was transmitted in the last incarnation of the IKE connection n...

Page 402: ...ec Authentication This specifies the authentication algorithm used on the protected traffic This is not used when ESP is used without authentication although it is not recommended to use ESP without a...

Page 403: ...g Advantages Since it is very straightforward it will be quite interoperable Most interoperability problems encountered today are in IKE Manual keying completely bypasses IKE and sets up its own set o...

Page 404: ...omeone that the remote endpoint trusts Advantages of Certificates A principal advantage of certificates is added flexibility Many VPN clients for instance can be managed without having the same pre sh...

Page 405: ...er the original IP header in tunnel mode the ESP header is inserted after the outer header but before the original inner IP header All data after the ESP header is encrypted and or authenticated The d...

Page 406: ...negotiation is moved away from UDP port 500 to port 4500 This is necessary since certain NAT devices treat UDP packet on port 500 differently from other UDP packets in an effort to work around the NAT...

Page 407: ...for different VPN scenarios and user defined lists can be added Two IKE algorithm lists and two IPsec lists are already defined by default High This consists of a more restricted set of algorithms to...

Page 408: ...ase and not a hexadecimal value the different encodings on different platforms can cause a problem with non ASCII characters Windows for example encodes pre shared keys containing non ASCII characters...

Page 409: ...l corporate networks using VPN clients The organization administers their own Certificate Authority and certificates have been issued to the employees Different groups of employees are likely to have...

Page 410: ...thMethod Certificate IDList MyIDList RootCertificates AdminCert GatewayCertificate AdminCert Web Interface First create an Identification List 1 Go to Objects VPN Objects ID List Add ID List 2 Enter a...

Page 411: ...4 Select the appropriate certificate in the Root Certificate s and Gateway Certificate controls 5 Select MyIDList in the Identification List 6 Click OK 9 3 8 Identification Lists Chapter 9 VPN 411...

Page 412: ...that has been decrypted will be checked against the IP rule set When doing this IP rule set check the source interface of the traffic will be the associated IPsec tunnel since tunnels are treated lik...

Page 413: ...be broken and an attempt is automatically made to re establish the tunnel This feature is only useful for LAN to LAN tunnels Optionally a specific source IP address and or a destination IP address fo...

Page 414: ...routing table or another table if an alternate is being used Set up the Rules a 2 way tunnel requires 2 rules 9 4 3 Roaming Clients An employee who is on the move who needs to access a central corpor...

Page 415: ...the roaming users will connect to Remote Network all nets Remote Endpoint None Encapsulation Mode Tunnel 3 For Algorithms enter IKE Algorithms Medium or High IPsec Algorithms Medium or High 4 For Aut...

Page 416: ...ID for every client that is to be granted access rights according to the instructions above D Configure the IPsec tunnel 1 Go to Interfaces IPsec Add IPsec Tunnel 2 Now enter Name RoamingIPsecTunnel...

Page 417: ...ip Web Interface A Upload all the client certificates 1 Go to Objects Authentication Objects Add Certificate 2 Enter a suitable name for the Certificate object 3 Select the X 509 Certificate option 4...

Page 418: ...an IP Pool object An IP pool is a cache of IP addresses collected from DHCP servers and leases on these addresses are automatically renewed when the lease time is about to expire IP Pools also manage...

Page 419: ...log message generated with a severity level of Warning This message includes the two IP addresses as well as the client identity Optionally the affected SA can be automatically deleted if validation f...

Page 420: ...IKE negotiation The output can be overwhelming so to limit the output to a single IP address for example the IP address 10 1 1 10 the command would be gw world ikesnoop on 10 1 1 10 verbose The IP ad...

Page 421: ...8 Payloads SA Security Association Payload data length 152 bytes DOI 1 IPsec DOI Proposal 1 1 Protocol 1 1 Protocol ID ISAKMP SPI Size 0 Transform 1 4 Transform ID IKE Encryption algorithm Rijndael c...

Page 422: ...bytes Vendor ID 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 Description draft ietf ipsec nat t ike 03 Explanation of Values Exchange type Main mode or aggressive mode IKEv1 0 only Cookies A rando...

Page 423: ...Description draft ietf ipsec nat t ike 00 VID Vendor ID Payload data length 16 bytes Vendor ID cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 Description draft ietf ipsec nat t ike 02 VID Vendor ID P...

Page 424: ...nds the identification which is normally an IP address or the Subject Alternative Name if certificates are used IkeSnoop Received IKE packet from 192 168 0 10 500 Exchange type Identity Protection mai...

Page 425: ...168 0 10 500 Exchange type Quick mode ISAKMP Version 1 0 Flags E encryption Cookies 0x6098238b67d97ea6 0x5e347cb76e95a Message ID 0xaa71428f Packet length 264 bytes payloads 5 Payloads HASH Hash Paylo...

Page 426: ...ode Could be transport tunnel or UDP tunnel NAT T ID ipv4 any 0 0 3 10 4 2 6 Here the first ID is the local network of the tunnel from the client s point of view and the second ID is the remote networ...

Page 427: ...6e95a Message ID 0xaa71428f Packet length 48 bytes payloads 1 Payloads HASH Hash Payload data length 16 bytes 9 4 6 IPsec Advanced Settings The following NetDefendOS advanced settings are available fo...

Page 428: ...ithout consulting the rule set Default Enabled IKE CRL Validity Time A CRL contains a next update field that dictates the time and date when a new CRL will be available for download from the CA The ti...

Page 429: ...PD R U THERE messages to the other side Default 3 in other words 3 x 10 30 seconds DPD Keep Time The amount of time in tens of seconds that a peer is assumed to be dead after NetDefendOS has detected...

Page 430: ...has not sent a response to any messages then it is considered to be dead not reachable The SA will then be placed in the dead cache This setting is used with IKEv1 only Default 15 seconds 9 4 6 IPsec...

Page 431: ...ementation PPTP can be used in the VPN context to tunnel different protocols across the Internet Tunneling is achieved by encapsulating PPP packets in IP datagrams using Generic Routing Encapsulation...

Page 432: ...nder the Add Route tab select all_nets from Allowed Networks 6 Click OK Use User Authentication Rules is enabled as default To be able to authenticate the users using the PPTP tunnel it is required to...

Page 433: ...er the Add Route tab select all_nets in the Allowed Networks control 6 Click OK Use User Authentication Rules is enabled as default To be able to authenticate users using the PPTP tunnel it is necessa...

Page 434: ...IPsecLifeTimeSeconds 3600 Web Interface 1 Go to Interfaces IPsec Add IPsec Tunnel 2 Enter a name for the IPsec tunnel for example l2tp_ipsec 3 Now enter a Local Network wan_ip b Remote Network all ne...

Page 435: ...lick OK In order to authenticate the users using the L2TP tunnel a user authentication rule needs to be configured D Next will be setting up the authentication rules Command Line Interface gw world ad...

Page 436: ...Interface 1 Go to Rules IP Rules Add IPRule 2 Enter a name for the rule for example AllowL2TP 3 Now enter Action Allow Service all_services Source Interface l2tp_tunnel Source Network l2tp_pool Destin...

Page 437: ...olves the following settings General Parameters Name A symbolic name for the client Interface Type Specifies if it is a PPTP or L2TP client Remote Endpoint The IP address of the remote endpoint Where...

Page 438: ...demand should trigger on Send or Recv or both Idle Timeout The time of inactivity in seconds to wait before disconnection Using the PPTP Client Feature One usage of the PPTP client feature is shown i...

Page 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439...

Page 440: ...following scenarios are possible 1 The CA server is a private server behind the NetDefend Firewall and the tunnels are set up over the public Internet but to clients that will not try to validate the...

Page 441: ...ion Components CA Server Access by Clients In a VPN tunnel with roaming clients connecting to the NetDefend Firewall the VPN client software may need to access the CA server Not all VPN client softwar...

Page 442: ...er must be configured in NetDefendOS so that these requests can be resolved Turning Off FQDN Resolution As explained in the troubleshooting section below identifying problems with CA server access can...

Page 443: ...airport the client will get an IP address from the Wi Fi network s DHCP server If that IP also belongs to the network behind the NetDefend Firewall accessible through a tunnel then Windows will still...

Page 444: ...if CA server access could be the problem CA Server issues are discussed further in Section 9 6 CA Server Access 9 7 3 IPsec Troubleshooting Commands A number of commands can be used to diagnose IPsec...

Page 445: ...noop on ip address verbose Ikesnoop can be turned off with the command gw world ikesnoop off For a more detailed discussion of this topic see Section 9 4 5 Troubleshooting with ikesnoop 9 7 4 Manageme...

Page 446: ...multiple IPsec SA s one SA per network or host if that option is used The defined network size is also important in that it must be exactly the same size on both sides as will be mentioned again later...

Page 447: ...likely the error message that will be generated 5 No public key found This is a very common error message when dealing with tunnels that use certificates for authentication Troubleshooting this error...

Page 448: ...ssary to examine the settings for the local network remote network IKE proposal list and IPsec proposal list on both sides to try to identify a miss match For example suppose the following IPsec setti...

Page 449: ...imple to compare the network that both sides are sending in phase 2 With that information it should be possible to spot the network problem It can be the case that it is a network size mismatch or tha...

Page 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450...

Page 451: ...s for prioritizing traffic passing through the NetDefend Firewall It is important to understand that NetDefendOS traffic shaping does not add new Diffserv information as packets traverse a NetDefend F...

Page 452: ...ce object that uses the SIP ALG cannot be also subject to traffic shaping 10 1 2 Traffic Shaping in NetDefendOS NetDefendOS offers extensive traffic shaping capabilities for the packets passing throug...

Page 453: ...rules is initially empty with no rules being defined by default At least one rule must be created for traffic shaping to begin to function Pipe Rule Chains When a pipe rule is defined the pipes to be...

Page 454: ...is implemented by using the NetDefendOS state engine which is the subsystem that deals with the tracking of connections FwdFast IP rules do not set up a connection in the state engine Instead packets...

Page 455: ...ound 3 Now enter Service all_services Source Interface lan Source Network lannet Destination Interface wan Destination Network all nets 4 Under the Traffic Shaping tab make std in selected in the Retu...

Page 456: ...r 2000 in Total textbox 4 Click OK After creating a pipe for outbound bandwidth control add it to the forward pipe chain of the rule created in the previous example Command Line Interface gw world set...

Page 457: ...it will pass through the std in pipe along with other inbound traffic which will apply the 250 kbps total limit Figure 10 3 Differentiated Limits Using Chains If surfing uses the full limit of 125 kb...

Page 458: ...ces 4 and 6 instead of 0 and 3 will makes no difference to the end result Allocating Precedence to Traffic The way precedence is assigned to traffic is specified in the triggering pipe rule and can be...

Page 459: ...refix Mega means one million in a traffic bandwidth context Precedence Limits are also Guarantees A precedence limit is both a limit and a guarantee The bandwidth specified for precedence also guarant...

Page 460: ...hausted then they are dropped If a total limit for a pipe is not specified it is the same as saying that the pipe has unlimited bandwidth and consequently it can never become full so precedences have...

Page 461: ...lower precedences has no meaning and will be ignored by NetDefendOS Differentiated Guarantees A problem arises if the aim is to give a specific 32 kbps guarantee to Telnet traffic and a specific 64 kb...

Page 462: ...ble bandwidth with other traffic 10 1 7 Pipe Groups NetDefendOS provides a further level of control within pipes through the ability to split pipe bandwidth into individual resource users within a gro...

Page 463: ...ill be guaranteed 50 Kbps at the expense of lower precedences The precedences for each user must be allocated by different pipe rules that trigger on particular users For example if grouping is by sou...

Page 464: ...ence Values Let us suppose that grouping is enabled by one of the options such as source IP and some values for precedences have been specified under Group Limits How does these combine with values sp...

Page 465: ...16 kbps some will not Dynamic balancing can be enabled to improve this situation by making sure all of the 5 users get the same amount of limited bandwidth When the 5th user begins to generate SSH tr...

Page 466: ...y the traffic shaping subsystem and it is therefore more important to set pipe limits slightly below the real connection limit to account for the time needed for NetDefendOS to adapt to changing condi...

Page 467: ...cedence all packets are treated on a first come first forwarded basis Within a pipe traffic can also be separated on a Group basis For example by source IP address Each user in a group for example eac...

Page 468: ...ffic to the default precedence level and the pipes will limit total traffic to their 1 Mbps limit Having Dynamic Balancing enabled on the pipes means that all users will be allocated a fair share of t...

Page 469: ...ffic immediately before it enters the in pipe and out pipe and competes with VoIP Citrix and Web surfing traffic A VPN Scenario In the cases discussed so far all traffic shaping is occurring inside a...

Page 470: ...700 kbps the total traffic is limited to 2000 kbps and VoIP to the remote site is guaranteed 500 kbps of capacity before it is forced to best effort SAT with Pipes If SAT is being used for example wit...

Page 471: ...Note SAT and ARPed IP Addresses If the SAT is from an ARPed IP address the wan interface needs to be the destination 10 1 10 More Pipe Examples Chapter 10 Traffic Management 471...

Page 472: ...ity to apply throttling through the NetDefendOS traffic shaping subsystem when the targeted traffic is recognized IDP Traffic Shaping is a combination of these two features where traffic flows identif...

Page 473: ...subject to the pipe traffic shaping bandwidth specified in the IDP rule 3 A new connection is then established that does not trigger an IDP rule but has a source or destination IP that is the same as...

Page 474: ...2P Scenario The schematic below illustrates a typical scenario involving P2P data transfer The sequence of events is The client with IP address 192 168 1 15 initiates a P2P file transfer through a con...

Page 475: ...ed pipes the CLI command is gw world pipes show The IDP Traffic Shaping pipes can be recognized by their distinctive naming convention which is explained next Pipe Naming NetDefendOS names the pipes i...

Page 476: ...y by default and are therefore guaranteed that bandwidth 10 2 8 Logging IDP Traffic Shaping generates log messages on the following events When an IDP rule with the Pipe option has triggered and eithe...

Page 477: ...e such as HTTP can be associated with it Each rule can have associated with it one or more Actions which specify how to handle different threshold conditions A Threshold Rule has the following paramet...

Page 478: ...ged 10 3 6 Exempted Connections It should be noted that some advanced settings known as Before Rules settings can exempt certain types of connections for remote management from examination by the NetD...

Page 479: ...of time in seconds for which the source is blacklisted can also be set This feature is discussed further in Section 6 7 Blacklisting Hosts and Networks 10 3 8 Threshold Rule Blacklisting Chapter 10 T...

Page 480: ...ple servers can improve not just the performance of applications but also scalability by facilitating the implementation of a cluster of servers sometimes referred to as a server farm that can handle...

Page 481: ...rs An important first step in SLB deployment is to identify the servers across which the load is to be balanced This might be a server farm which is a cluster of servers set up to work as a single vir...

Page 482: ...ces such as HTTPS which require a repeated connection to the same host Network Stickiness This mode is similar to IP stickiness except that the stickiness can be associated with a network instead of a...

Page 483: ...compares if the source IP address belongs to the same network as a previous connection already in the table If they belong to the same network then stickiness to the same server will result The defaul...

Page 484: ...onfiguration SLB can monitor different OSI layers to check the condition of each server Regardless of the algorithms used if a server is deemed to have failed SLB will not open any more connections to...

Page 485: ...nterface Src Network Dest Interface Dest Network WEB_SLB SLB_SAT any all nets core ip_ext WEB_SLB_ALW Allow any all nets core ip_ext If there are clients on the same network as the webservers that als...

Page 486: ...C Specify the SLB_SAT IP rule 1 Go to Rules IP Rule Sets main Add IP Rule 2 Enter Name Web_SLB Action SLB_SAT Service HTTP Source Interface any Source Network all nets Destination Interface core Dest...

Page 487: ...IP Rule 2 Enter Name Web_SLB_ALW Action Allow Service HTTP Source Interface any Source Network all nets Destination Interface core Destination Network ip_ext 3 Click OK 10 4 6 Setting Up SLB_SAT Rule...

Page 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488...

Page 489: ...will continue to be active but the master will now monitor the slave with failover only taking place if the slave fails This is sometimes known as an active passive implementation of fault tolerance...

Page 490: ...exist in a single cluster The only processing role that the inactive unit plays is to replicate the state of the active unit and to take over all traffic processing if it detects the active unit is no...

Page 491: ...ng enough to cause the inactive system to go active even though the other is still active Disabling Heartbeat Sending on Interfaces The administrator can manually disable heartbeat sending on any inte...

Page 492: ...e sender address This allows switches to re learn within milliseconds where to send packets destined for the shared address The only delay in failover therefore is detecting that the active unit is do...

Page 493: ...statistics would indicate a failure to synchronize If the sync interface is functioning correctly there may still be some small differences in the statistics from each cluster unit but these will be m...

Page 494: ...ss object allow remote management through that interface These addresses can also be pinged using ICMP provided that IP rules are defined to permit this by default ICMP queries are dropped by the rule...

Page 495: ...ame switch which then connects to an internal network Similarly the wan interface on the master and the wan interface would connect to a switch which in turn connects to the external Internet Note The...

Page 496: ...the public Internet is required 9 Save and activate the new configuration 10 Repeat the above steps for the other NetDefend Firewall but this time select the node type to be Slave Making Cluster Confi...

Page 497: ...bers of connections but can have the disadvantage of increasing throughput latency 11 3 4 Unique Shared Mac Addresses For HA setup NetDefendOS provides the advanced option Use Unique Shared MAC Addres...

Page 498: ...Lockdown Mode Failed Interfaces Failed interfaces will not be detected unless they fail to the point where NetDefendOS cannot continue to function This means that failover will not occur if the active...

Page 499: ...also be a second backup designated router to provide OSPF metrics if the main designated router should fail PPPoE Tunnels and DHCP Clients For reasons connected with the shared IP addresses of an HA...

Page 500: ...ne of the cluster units and issue the ha command The typical output if the unit is active is shown below gw world ha This device is a HA SLAVE This device is currently ACTIVE will forward traffic This...

Page 501: ...ailover is complete upgrade the newly inactive unit with the new NetDefendOS version Just like step B this is done in the normal way as though the unit were not part of a cluster E Wait for resynchron...

Page 502: ...psed the synchronization traffic is then only sent after repeated periods of silence The length of this silence is this setting Default 5 Use Unique Shared Mac Use a unique shared MAC address for each...

Page 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503...

Page 504: ...d can be dynamically blocked using the ZoneDefense feature Thresholds are based on either the number of new connections made per second or on the total number of connections being made These connectio...

Page 505: ...526 R3 x Version R3 06 B20 only DES 3526 R4 x Version R4 01 B19 or later DES 3550 R3 x Version R3 05 B38 only DES 3550 R4 x Version R4 01 B19 or later DES 3800 Series Version R2 00 B13 or later DGS 32...

Page 506: ...xceeded The limit can be one of two types Connection Rate Limit This can be triggered if the rate of new connections per second to the firewall exceeds a specified threshold Total Connections Limit Th...

Page 507: ...nnections second is applied If the connection rate exceeds this limitation the firewall will block the specific host in network range 192 168 2 0 24 for example from accessing the switch completely A...

Page 508: ...se with Anti Virus Scanning ZoneDefense can be used in conjuction with the NetDefendOS Anti Virus scanning feature NetDefendOS can first identify a virus source through antivirus scanning and then blo...

Page 509: ...lly in order to block a host or network one rule per switch port is needed When this limit has been reached no more hosts or networks will be blocked out Important Clearing the ACL rule set on the swi...

Page 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510...

Page 511: ...ragmentation Settings page 527 Local Fragment Reassembly Settings page 531 Miscellaneous Settings page 532 13 1 IP Level Settings Log Checksum Errors Logs occurrences of IP packets containing erroneou...

Page 512: ...on Low Determines the action taken on packets whose TTL falls below the stipulated TTLMin value Default DropLog Multicast TTL on Low What action to take on too low multicast TTL values Default DropLog...

Page 513: ...ault DropLog IP Options Timestamps Time stamp options instruct each router and firewall on the packet s route to indicate at what time the packet was forwarded along the route These options do not occ...

Page 514: ...ts equal to or smaller than the size specified by this setting Default 65535 bytes Multicast Mismatch option What action to take when Ethernet and IP multicast addresses does not match Default DropLog...

Page 515: ...cording to the next setting Default 1460 bytes TCP MSS VPN Max As is the case with TCPMSSMax this is the highest Maximum Segment Size allowed However this setting only controls MSS in VPN connections...

Page 516: ...cknowledgement options These options are used to ACK individual packets instead of entire series which can increase the performance of connections experiencing extensive packet loss They are also used...

Page 517: ...urned on The presence of a SYN flag indicates that a new connection is in the process of being opened and an URG flag means that the packet contains data requiring urgent attention These two flags sho...

Page 518: ...Ymas flag turned on These flags are currently mostly used by OS Fingerprinting It should be noted that a developing standard called Explicit Congestion Notification also makes use of these TCP flags b...

Page 519: ...Bad ValidateSilent and will block some valid TCP re open attempts The most significant impact of this will be that common web surfing traffic short but complete transactions requested from a relativel...

Page 520: ...ng limits how many Rejects per second may be generated by the Reject rules in the Rules section Default 500 Silently Drop State ICMPErrors Specifies if NetDefendOS should silently drop ICMP errors per...

Page 521: ...determining whether the remote peer is attempting to open a new connection Default Enabled Log State Violations Determines if NetDefendOS logs packets that violate the expected state switching diagram...

Page 522: ...gnostic and testing purposes since it generates unwieldy volumes of log messages and can also significantly impair throughput performance Default Disabled Dynamic Max Connections Allocate the Max Conn...

Page 523: ...may idle before finally being closed Connections reach this state when a packet with its FIN flag on has passed in any direction Default 80 UDP Idle Lifetime Specifies in seconds how long UDP connecti...

Page 524: ...ther Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before it is closed Default 130 13 5 Connection Timeout Settings Chapter 13 Advanced Settings 524...

Page 525: ...any real time applications use large fragmented UDP packets If no such protocols are used the size limit imposed on UDP packets can probably be lowered to 1480 bytes Default 60000 Max ICMP Length Spec...

Page 526: ...e of an IP in IP packet IP in IP is used by Checkpoint Firewall 1 VPN connections when IPsec is not used This value should be set at the size of the largest packet allowed to pass through the VPN conn...

Page 527: ...rack DropPacket Discards the illegal fragment and all previously stored fragments Will not allow further fragments of this packet to pass through during ReassIllegalLinger seconds DropLogPacket As Dro...

Page 528: ...nts have been involved LogSuspectSubseq As LogSuspect but also logs subsequent fragments of the packet as and when they arrive LogAll Logs all failed reassembly attempts LogAllSubseq As LogAll but als...

Page 529: ...send 1480 byte fragments and a router or VPN tunnel on the route to the recipient subsequently reduce the effective MTU to 1440 bytes This would result in the creation of a number of 1440 byte fragme...

Page 530: ...ket has been marked as illegal NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving Default 60 13 7 Fragmentation...

Page 531: ...oncurrent local reassemblies Default 256 Max Size Maximum size of a locally reassembled packet Default 10000 Large Buffers Number of large over 2K local reassembly buffers of the above size Default 32...

Page 532: ...ssociated settings limit memory used by the re assembly subsystem This setting specifies how many connections can use the re assembly system at the same time It is expressed as a percentage of the tot...

Page 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533...

Page 534: ...de can be downloaded A step by step Registration manual which explains registration and update service procedures in more detail is available for download from the D Link website Subscription renewal...

Page 535: ...ith the command gw world removedb IDP To remove the Anti Virus database use the command gw world removedb Antivirus Once removed the entire system should be rebooted and a database update initiated Re...

Page 536: ...ITAS Backup solutions BOT_GENERAL Activities related to bots including those controlled by IRC channels BROWSER_FIREFOX Mozilla Firefox BROWSER_GENERAL General attacks targeting web browsers clients B...

Page 537: ...on IP_OVERFLOW Overflow of IP protocol implementation IRC_GENERAL Internet Relay Chat LDAP_GENERAL General LDAP clients servers LDAP_OPENLDAP Open LDAP LICENSE_CA LICENSE License management for CA sof...

Page 538: ...RSYNC_GENERAL Rsync SCANNER_GENERAL Generic scanners SCANNER_NESSUS Nessus Scanner SECURITY_GENERAL Anti virus solutions SECURITY_ISS Internet Security Systems software SECURITY_MCAFEE McAfee SECURITY...

Page 539: ...ENERAL Virus VOIP_GENERAL VoIP protocol and implementation VOIP_SIP SIP protocol and implementation WEB_CF FILE INCLUSION Coldfusion file inclusion WEB_FILE INCLUSION File inclusion WEB_GENERAL Web ap...

Page 540: ...letype extension Application 3ds 3d Studio files 3gp 3GPP multimedia file aac MPEG 2 Advanced Audio Coding File ab Applix Builder ace ACE archive ad3 Dec systems compressed Voice File ag Applix Graphi...

Page 541: ...inHex 4 compressed archive icc Kodak Color Management System ICC Profile icm Microsoft ICM Color Profile file ico Windows Icon file imf Imago Orpheus module sound data Inf Sidplay info file it Impulse...

Page 542: ...Network Graphic ppm PBM Portable Pixelmap Graphic ps PostScript file psa PSA archive data psd Photoshop Format file qt mov moov QuickTime Movie file qxd QuarkXpress Document ra ram RealMedia Streaming...

Page 543: ...e Player Streaming Video file wav Waveform Audio wk Lotus 1 2 3 document wmv Windows Media file wrl vrml Plain Text VRML file xcf GIMP Image file xm Fast Tracker 2 Extended Module audio file xml XML f...

Page 544: ...yer purpose Layer 7 Application Layer 6 Presentation Layer 5 Session Layer 4 Transport Layer 3 Network Layer 2 Data Link Layer 1 Physical Figure D 1 The 7 Layers of the OSI Model Layer Functions The d...

Page 545: ...e spam filtering anti virus scanning 314 activating 315 database 316 fail mode behaviour 316 in the FTP ALG 252 in the HTTP ALG 247 in the POP3 ALG 268 in the SMTP ALG 259 memory requirements 314 rela...

Page 546: ...ty gateway script sgs 43 uploading with SCP 48 validation 44 variables 43 verbose output 44 cluster see high availability cluster ID see high availability command line interface see CLI config mode 41...

Page 547: ...llow in FTP ALG 252 in HTTP ALG 247 Flood Reboot Time setting 532 folders with IP rules 126 with the address book 84 Fragmented ICMP setting 529 FTP ALG 249 command restrictions 251 connection restric...

Page 548: ...93 internet key exchange see IKE Interval between synchronization setting 142 intrusion detection and prevention see IDP intrusion detection rule 322 invalid checksum in cluster heartbeats 498 IP add...

Page 549: ...drift setting 142 Max Transactions DHCP setting 236 Max UDP Length setting 525 memlog 58 MIME filetype verification in FTP ALG 252 in HTTP ALG 247 in POP3 ALG 268 in SMTP ALG 259 list of filetypes 54...

Page 550: ...55 dynamic 176 local IP address 150 metric for default routes 155 metrics 148 178 monitoring 156 narrowest matching principle 150 principles 148 routes added at startup 154 static 148 the all nets rou...

Page 551: ...ting 517 TCP Option SACK setting 516 TCP Option Sizes setting 515 TCP Option TSOPT setting 516 TCP Option WSOPT setting 516 TCP Reserved Field setting 518 TCP Sequence Numbers setting 518 TCP SYN FIN...

Page 552: ...02 whitelisting 301 web interface 28 30 default connection interface 30 setting workstation IP 30 WebUI see web interface WebUI Before Rules setting 50 WebUI HTTP port setting 51 WebUI HTTPS port sett...

Reviews: