manualshive.com logo in svg

D-Link NetDefend SOHO DFL-160, User Manual

Share
Download
D-Link NetDefend SOHO DFL-160 User Manual Download Page 50

and password must be specified.

Note: Fully qualified domain names

If fully qualified DNS names (FQDN) are used, for example vpn.example.com, then
the prefix dns: must be used when these are entered. For this example:
dns:vpn.example.com (a DNS server must also be configured either manually or
automatically for resolution to an IP address to succeed).

LAN-to-LAN tunnel establishment can also optionally require a username and password pair for
authentication using XAuth. This can be optionally specified.

Advanced

The advanced options provide a way to customize some of the parameters used by IPsec. This may
be necessary in certain scenarios where the DFL-160 must communicate with an IPsec peer that
expects certain conventions to be used.

The advanced options are as follows:

A. Lifetimes

B. IKE Settings

C. Perfect Forward Secrecy

D. Dead Peer Detection

E. Keep-Alive

A. Lifetimes

Both the IKE and the IPsec connections have limited lifetimes and are described both in terms of
time (seconds). These lifetimes prevent a connection from being used too long, which is desirable
from a crypto-analysis perspective.

The IPsec lifetime must be shorter than the IKE lifetime. The difference between the two must be a
minimum of 5 minutes. This allows for the IPsec connection to be re-keyed simply by performing

4.4.1. IPsec

Chapter 4. The Firewall Menu

50

Summary of Contents for NetDefend SOHO DFL-160

Page 1: ...User Manual DFL 160 Ver 2 27 00 Network Security Solution http www dlink com tw Security Security SOHO UTM Firewall...

Page 2: ...ser Manual D Link DFL 160 Firewall NetDefendOS Version 2 27 00 D Link Corporation No 289 Sinhu 3rd Rd Neihu District Taipei City 114 Taiwan R O C http www DLink com Published 2010 05 24 Copyright 2009...

Page 3: ...r purpose The manufacturer reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of the manufacturer to notify any person of such...

Page 4: ...sec 48 4 4 2 L2TP PPTP Client 52 4 4 3 L2TP PPTP Server 53 4 5 VPN Users 55 4 6 Web Content Filtering 56 4 6 1 Options 56 4 6 2 The Content Categories 58 4 7 Anti Virus 65 4 8 IDP Options 68 4 9 Traff...

Page 5: ...B Windows XP IP Setup 121 C Windows Vista IP Setup 123 D Windows 7 IP Setup 125 E Apple Mac IP Setup 127 Alphabetical Index 129 User Manual 5...

Page 6: ...em is also found in D Link DFL firewall products designed for larger enterprises The NetDefendOS Management Interface The principle management interface for the DFL 160 is through a web browser runnin...

Page 7: ...the Internet Extensive Firewalling Capabilities NetDefendOS can block traffic which does not comply with security policies defined by the user These policies can target traffic according to which prot...

Page 8: ...ces at the back of the hardware unit Interface Network Connections The illustration below shows the typical usage of network connections to the DFL 160 interfaces Intended Interface Usage The interfac...

Page 9: ...from and send data to the public internet An example might be a mail server The intent with the DMZ interface is to provide a stage of security between the well protected internal LAN networks and th...

Page 10: ...Ports On the right hand side of the front of the DFL 160 there is a line of LED lights that show the status of the different Ethernet interfaces by showing a flashing or solid light in orange or gree...

Page 11: ...1 3 The LED Indicators Chapter 1 Product Overview 11...

Page 12: ...Quick Installation Guide A plug in 12 Volt 1 2 Amp power supply with connecting cable One Category 5e Ethernet cable One RS232 cable for connecting a console to the DFL 160 serial COM port A CD ROM c...

Page 13: ...d with the DFL 160 to connect it to the power source Ensure that the DFL 160 does not overload the power circuits wiring and over current protection To determine the possibility of overloading the sup...

Page 14: ...L 160 LAN interface because they are on the same IP network If DHCP is enabled on the workstation and this is usually the default or DHCP is enabled on the device such as a router via which the connec...

Page 15: ...instead enter https 192 168 10 1 in the browser When responding to an https request NetDefendOS sends a self signed certificate which will not be initially recognized so it will be necessary to tell t...

Page 16: ...erent menus shown in the top menu bar to a get a feel where different options are located This menu structure is duplicated in the layout of later chapters that describe the options During initial set...

Page 17: ...Traffic Options By default everything is allowed for outbound connections on the LAN interface but it is recommended to restrict this to the minimum necessary For instance allowing the HTTP and HTTPS...

Page 18: ...tions and exploring the individual options available with each The later part of this manual has a structure which reflects the naming and order of these menu options In most instances the web interfa...

Page 19: ...blem further connect a console to the RS232 port on the DFL 160 after NetDefendOS starts The details of making this connection are described below in Section 2 4 Console Port Connection When you press...

Page 20: ...n included RS232 null modem cable is used to connect the console to the console port This port is marked COM as shown in the image above The connected console must have the following communication set...

Page 21: ...60 USB Port Next to the RS232 port is a USB port This port is not used with the current version of NetDefendOS The port is intended for use with features planned for future NetDefendOS versions and is...

Page 22: ...2 4 Console Port Connection Chapter 2 Initial Setup 22...

Page 23: ...hat follow describe the options in this menu in the order they appear 3 1 Administration The options on this page deal with administrator access to the DFL 160 through one of the Ethernet interfaces T...

Page 24: ...efore not recommended to expose the DFL 160s public IP address to this probing For troubleshooting purposes however it may be desirable to temporarily enable ping responses on the WAN interface B Admi...

Page 25: ...ne if there is a clash of port numbers after enabling inbound traffic Management Through the Serial Console Some administration tasks can be carried out through a console device attached directly to t...

Page 26: ...sses will automatically be retrieved and no further configuration is normally required for this option The only option is the MTU value that will be used for this connection but this normally doesn t...

Page 27: ...the ISP then this should be selected otherwise Static should be selected and the static IP addresses supplied by the ISP should be entered If the Dial on Demand option is enabled the PPTP connection w...

Page 28: ...Transparent mode does not require an IP address to be allocated instead the LAN interface automatically gets the same IP address as the WAN interface The presentation of the LAN interface options in...

Page 29: ...e exposed through the WAN interface In some scenarios the WAN interface may be connected to another internal network and in this case NAT usage may also not be appropriate because there is no need to...

Page 30: ...pears in the web interface Combinations of IP address and MAC address can be added to the list The red icon on the right of each entry can be clicked to delete the entry This feature allows the same I...

Page 31: ...re URL resolution is required will also need to find a DNS server These DNS servers should be manually configured if this hasn t already been done automatically through DHCP when connecting to an ISP...

Page 32: ...affic itself which networks can be found on the interfaces and creates the necessary entries in its routing table If both the LAN and DMZ interfaces have transparent mode enabled traffic will flow tra...

Page 33: ...dress as the WAN interface If DHCP is enabled on the WAN interface and the IP address on WAN cannot be refreshed within its DHCP lease time then it will receive the IP address 0 0 0 0 and the DMZ inte...

Page 34: ...ning of severity levels and the various attributes available The severity of each event is predefined and it can be in order of severity one of 1 Emergency the most severe 2 Alert 3 Critical 4 Error 5...

Page 35: ...0 seconds Hold Time 120 Log Threshold 2 Medium Min Repeat Delay 600 seconds Hold Time 120 Log Threshold 3 Low Min Repeat Delay 1800 seconds Hold Time 120 Log Threshold 5 Very Low Min Repeat Delay 3600...

Page 36: ...d applicable daylight saving time settings can be set in this part of the web page C Automatic time synchronization A number of publicly available time servers exist on the Internet which any host can...

Page 37: ...ll poll them on a regular basis and then adjust the DFL 160 system clock with the exact time If the time server and the current time differ by more than one hour 60 minutes then the time server is ign...

Page 38: ...DNS lookup All CLI commands are documented in Appendix A CLI Reference Usage in VPN Scenarios Dynamic DNS can also be useful in VPN scenarios where both ends of the tunnel have dynamic IP addresses I...

Page 39: ...3 7 Dynamic DNS Settings Chapter 3 The System Menu 39...

Page 40: ...t provides a protective barrier against a range of potential threats that can be transported by the public Internet towards sensitive internal networks Using the DFL 160 as a Firewall The firewalling...

Page 41: ...ork Allowing Services A Service refers to a higher level protocol such as the HTTP protocol used for web surfing and is a convenient way of identifying different types of data traffic The presentation...

Page 42: ...hedule A named Schedule can be defined through the Firewall Schedules menu option and this can then be used with any individual protocol allowed for outgoing traffic from the LAN interface Schedules s...

Page 43: ...ocked It is recommended however to try and impose restrictions that match the expected needs of the clients and hosts on the DMZ network Connections from the DMZ to the LAN Connections initiated from...

Page 44: ...interface Schedules specify a period of time when a particular selection is valid For example the administrator might decide to not allow web surfing during working hours The HTTP and HTTPS protocols...

Page 45: ...public IP address if it is not If there are two IP addresses for a particular service for instance 2 web servers then the inbound traffic to one could be allowed by ticking the box here and the inbou...

Page 46: ...on a specified port As explained above the custom rule must have a destination IP address specified which either an internal IP address if NAT is being used of a public IP if NAT is not being used Th...

Page 47: ...l is then secure The mechanism that provides tunnel security is encryption There are two common scenarios where VPNs are used 1 LAN to LAN connection Where two internal networks need to be connected t...

Page 48: ...options are grouped together into the same pages This is because of their similarity L2TP is a protocol that has superseded PPTP but PPTP is still used in some scenarios 4 4 1 IPsec This section expla...

Page 49: ...the tunnel The key should be the same for both end points of the tunnel for communication to succeed A PSK can be any alphanumeric character string Security using digital certificates is not possible...

Page 50: ...parameters used by IPsec This may be necessary in certain scenarios where the DFL 160 must communicate with an IPsec peer that expects certain conventions to be used The advanced options are as follo...

Page 51: ...to work out the key The DH group value selects the strength of the DH algorithm being used The options are 1 2 and 5 C Perfect Forward Secrecy Perfect Forward Secrecy PFS ensures that the session key...

Page 52: ...tunnels can be listed and their usage examined through the IPsec option in the Status menu see Section 6 8 IPsec Status 4 4 2 L2TP PPTP Client This option allows a tunnel to be set up where the DFL 16...

Page 53: ...re the DFL 160 acts as a L2TP or PPTP server receiving connection requests from external clients Such clients are sometimes called roaming clients since they might not have a fixed IP address and migh...

Page 54: ...least one DNS server defined C Authentication This section specifies how authentication is done with connecting clients D MPPE Microsoft Point to Point Encryption MPPE is an optional encryption method...

Page 55: ...ssible For a description of how to set up VPN connections with the DFL 160 see Section 4 4 VPN Options VPN Types That Use VPN Authentication The exact types of VPN actions that rely on this user datab...

Page 56: ...itted or denied for web surfing A company s internal surfing policy might be for example to only allow access to news and e banking sites but not to any other type of site The sections of the WCF page...

Page 57: ...fied URLs Allow Override With this option a web page is displayed to the user to indicate that they are trying to access a URL which has been flagged by the WCF database There is a link on the page ho...

Page 58: ...cribed in Section 6 4 Web Content Filtering Status A graphical summary of WCF activity shown below can be found in the initial display screen which is described in Section 6 1 System Status 4 6 2 The...

Page 59: ...odds and lottery web sites This does not include traditional or computer based games refer to the Games Sites category 10 Examples might be www blackjackspot com www pickapony net Category 5 Travel To...

Page 60: ...ncludes facilities to submit and review personal advertisements arrange romantic meetings with other people mail order bride foreign spouse introductions and escort services Examples might be adultmat...

Page 61: ...systems of religious beliefs and practice Examples might be www paganfed demon co uk www cultdeadcrow com Category 15 Politics A web site may be classified under the Politics category if its content...

Page 62: ...baby nu Category 20 Search Sites A web site may be classified under the Search Sites category if its main focus is providing online Internet search facilities Refer to the section on unique categories...

Page 63: ...easantvids com Category 26 Educational A web site classified under the Educational category may belong to other categories but has content that relates to educational services or has been deemed of ed...

Page 64: ...r general fashion models Examples might be www vickys secret com sportspictured cnn com features 2002 swimsuit Category 31 Spam A web site may be classified under the Spam category if it is found to b...

Page 65: ...imal effect on overall throughput The inspection process is based on pattern matching against a database of known virus patterns and can determine with a high degree of certainty if a virus is in the...

Page 66: ...the web interface for Anti Virus scanning is divided into 3 sections A Anti Virus Database B Anti Virus Scanning C Scan Exclusion Control A Anti Virus Database This section of the user interface shows...

Page 67: ...ion NetDefendOS always performs MIME checking where it looks inside the file to determine what the true filetype of the data is Only if the filetype determined by MIME checking is on the exclude list...

Page 68: ...sions by isolating any server infection away from the most sensitive inside network which is usually connected to the LAN interface However it is much better to take steps to prevent these infections...

Page 69: ...It is recommended to scan the minimum number of protocols required For example if there is only an SMTP server in the DMZ network then enabling the SMTP checkbox only is recommended IDP scanning can c...

Page 70: ...ol With both Worms and Malware and Scanners it is important to use them with caution since they will use more processing resources by increasing the scanning load Both can be particularly useful when...

Page 71: ...help to resolve competing guarantees Setting Up traffic Shaping After selecting the Traffic Shaping menu option in the Firewall menu we must first click the box that enables the option Specifying WAN...

Page 72: ...Tip Specifying all services It is not possible to explcitly specify all services However it is possible to specify a custom service with a port range that is zero to a very large number A port range c...

Page 73: ...shaping rule can apply to a specific local network on LAN or DMZ and or a specific remote network on the Internet If specified the source and or destination networks provide an alternate condition fo...

Page 74: ...owed and this is described further in Section 4 1 Outbound LAN Traffic Options Section 4 2 Outbound DMZ Traffic Options Section 4 3 Inbound Traffic Options Predefined Schedules By default a number of...

Page 75: ...comments field allows some text explanation to be added to the schedule It serves only as a reminder to the administrator what the schedule was intended for 4 10 Schedules Chapter 4 The Firewall Menu...

Page 76: ...4 10 Schedules Chapter 4 The Firewall Menu 76...

Page 77: ...face provides a simple way to issue a ping command to any IP address and also to repeat the ping request a certain number of times with a certain size of packet The image below shows the ping dialog w...

Page 78: ...5 1 Ping Chapter 5 The Tools Menu 78...

Page 79: ...output could consist of a large number of lines of output the web interface provides the ability to impose a filter on the output so only those lines that are of interest are displayed Where a large...

Page 80: ...60 system and how its resources are being used B UTM Statistics Unified Threat Management UTM consists of the 3 components Anti Virus IDP and Web Content Filtering If any of these features are enabled...

Page 81: ...take you to the Logging option in the System menu for a more complete list of recent events and the filters to analyze them The details of NetDefendOS logging can be found in Section 3 5 Logging 6 1...

Page 82: ...the NetDefendOS MemLog Along with these 500 the last 500 from each of the Anti Virus Web Content Filtering and IDP subsystems are also kept in memory and these can be viewed separately The MemLog Dis...

Page 83: ...escribed in Section 6 2 Logging Status Log messages are visible in 100 message blocks on the page and tools are also provided for filtering out messages of interest based on various criteria These mes...

Page 84: ...Section 6 2 Logging Status Log messages are visible in 100 message blocks on the page and tools are also provided for filtering out messages of interest based on various criteria These messages can p...

Page 85: ...tatus menu described in Section 6 2 Logging Status Log messages are visible in 100 message blocks on the page and tools are also provided for filtering out messages of interest based on various criter...

Page 86: ...e currently established connections The list shows the protocol TCP or UDP the source IP address and the destination IP address of the connection A example of the information displayed is shown below...

Page 87: ...cs A Interface Status The general information for the chosen interface is displayed The example below is for the DMZ interface B Driver Information Hardware Statistics This section of the display show...

Page 88: ...dly the statistics for received incoming traffic are shown over the last 24 hours An example is shown below the image is also truncated on the right side 6 7 Interfaces Status Chapter 6 The Status Men...

Page 89: ...e encryption methods and other parameters that will be used for data flowing from one end of an IPsec tunnel to the other SAs are set up after the two ends of a VPN tunnel use the Internet Exchange Pr...

Page 90: ...el An example of the user authentication display is shown below The Forcibly Logout Option For each user the administrator has the option to force a logout of a user with this option This can be usefu...

Page 91: ...utes in the NetDefendOS routing table are created automatically without intervention from the administrator The image below shows a typical example of the status display for the NetDefendOS routing ta...

Page 92: ...fined IP range to any users or hosts that require them This option in the Status menu allows the administrator to see which DHCP servers are configured and the status of these servers Each line is the...

Page 93: ...6 11 DHCP Server Status Chapter 6 The Status Menu 93...

Page 94: ...and IDP databases This portion of the web interface is divided into 3 tabs A General B Update Interval C History A General This section of the user interface allows the administrator to enable or dis...

Page 95: ...the latest releases It is not often that the databases are updated more than once in a day C History This tab shows the history of recent database updates and can also indicate if there were problems...

Page 96: ...s received which can then be entered into the license page to activate the service License Properties Each DFL 160 comes pre installed with a standard NetDefendOS license This page of the web interfac...

Page 97: ...ber of PPP tunnels which terminate at the WAN interface that can be created To expand the capabilities of the standard product license consult with your local D Link representative 7 2 Licenses Chapte...

Page 98: ...really matter since NetDefendOS will read a header in the file to determine what it is Backups Do Not Contain Everything Backups include only static information from the NetDefendOS configuration Dyna...

Page 99: ...en could be used to hold the reset button in Warning Do not abort a reset to factory defaults DO NOT STOP THE RESET TO FACTORY DEFAULTS PROCESS PREMATURELY If the factory default reset process is inte...

Page 100: ...s are available as a single file which can be uploaded to the DFL 160 through this page in the web interface NetDefendOS upgrades can be downloaded for free from your local D Link site or from the D L...

Page 101: ...el After clicking on the button Download support file a file is automatically generated by the NetDefendOS and downloaded to the web interface and can be saved to the local disk The techsupport CLI Co...

Page 102: ...7 6 Technical Support Chapter 7 The Maintenance Menu 102...

Page 103: ...ey is pressed during these 3 seconds then NetDefendOS startup pauses and the console boot menu is displayed Initial Boot Menu Options without a Password Set When NetDefendOS is started for the first t...

Page 104: ...w The Start firewall option re continues the interrupted NetDefendOS startup process If the Login option is chosen the console password must be entered and the full boot menu described above is entere...

Page 105: ...llowing Showing diagnose entries since 2008 05 22 2008 06 21 11 54 58 Start 2 27 00 0 131 2008 06 21 11 56 16 Stop RECONFIGURE 2008 06 21 11 56 21 Start 2 27 00 0 131 2008 06 21 11 57 29 Stop RECONFIG...

Page 106: ...tional frozen state then system restart can offer a simple way to clear all error conditions This can take a few minutes and while restart occurs no traffic can flow through the unit All connections w...

Page 107: ...tly running on the DFL 160 Syntax about ARP Displays ARP entries for the specified interface s Published static as well as dynamic items are shown Syntax arp options interface pattern Options ip patte...

Page 108: ...an 419 142 UDP 192 168 123 137 192 168 3 183 wan 543 322 UDP 194 2 1 50 192 168 123 182 lan 962 60 UDP 192 168 123 182 194 2 1 50 lan 687 60 ARP 0080 ad87 e592 ffff ffff ffff wan 268 88 UDP 192 168 3...

Page 109: ...c permitted to pass under FwdFast is not included in this list Each connection has two timeout values one in each direction These are updated when the firewall receives packets from each end of the co...

Page 110: ...r options Options rules Shows dhcp server rules leases Shows dhcp server leases mappings Shows dhcp server IP MAC mappings release Releases an active or blacklisted IP Example DFL 160 dhcpserver Conte...

Page 111: ...ongoing and completed attempts Syntax frags Example DFL 160 frags RecvIf Num State Source Destination Proto Next Timeout lan 2 Done 10 5 3 2 26 23 5 4 ICMP 2000 58 wan 8 Accept 23 3 8 4 10 5 3 2 ICMP...

Page 112: ...ce lan Builtin e1000 Intel R PRO 1000 T Server Adapter Slot 2 1 IRQ 5 Media 1000BaseTx Speed 1000 Mbps Full Duplex MTU 1500 Link Partner 10BASE T 10BASE T FD 100BASE TX 100BASE TX FD 1000BASE TX F Bus...

Page 113: ...n IKE snooping on if an IP is specified then only IKE traffic from that IP will be shown Syntax ikesnoop verbose ipaddr Enable verbose output if an IP is specified then only IKE traffic from that IP w...

Page 114: ...re memory consumption Also displays detailed memory use of some components and lists Syntax memory Ping Sends a specified number of ICMP Echo Request packets to a given destination All packets are sen...

Page 115: ...single host routes Note that core routes for interface IP addresses are not normally shown use the all switch to show core routes also In the Flags field of the routing tables the following letters ar...

Page 116: ...ttings TCP TCP Transmission Control Protocol Settings ICMP ICMP Internet Control Message Protocol Settings ARP ARP Address Resolution Protocol Settings State Stateful Inspection Settings ConnTimeouts...

Page 117: ...Shutdown NORMAL Active in 5 seconds Shutdown reason Shutdown due to console command Stats Shows various vital stats and counters Syntax stats Example DFL 160 stats Uptime 10 days 23 11 59 Last shutdow...

Page 118: ...x time options Options set arg Set system local time YYYY MM DD HH MM SS sync Synchronize time with timeserver s specified in settings force Force synchronization regardless of the MaxAdjust setting U...

Page 119: ...ay to explicitly disconnect Userauth Display information about authenticated users known privileges Syntax userauth options Options l Displays a list of all authenticated users p Displays a list of al...

Page 120: ...ntents of user database LocalUsers Username Groups Static IP Remote Networks bob sales alice tech DFL 160 userdb LocalUsers bob Information for bob in database LocalUsers Username bob Groups sales Net...

Page 121: ...ic must be able to flow between the designated PC Ethernet interface and the DFL 160 LAN interface so they must be on the same IP network This means the PC s interface should be assigned the following...

Page 122: ...e assigned IP address 192 168 10 30 could in fact be another address from the 192 168 10 0 24 network However 192 168 10 30 is normally used by D Link as a convention Appendix B Windows XP IP Setup 12...

Page 123: ...DHCP cannot be used the workstation IP address should be configured manually The steps to do this with Windows Vista are as follows 1 Press the Windows Start button 2 Select the Control Panel from th...

Page 124: ...e following IP address and enter the following values IP Address 192 168 10 30 Subnet mask 255 255 255 0 Default gateway 192 168 10 1 DNS addresses can be entered later once Internet access is establi...

Page 125: ...nnot be used the workstation IP address should be configured manually The steps to do this with Windows 7 are as follows 1 Press the Windows Start button 2 Select the Control Panel from the start menu...

Page 126: ...the following IP address and enter the following values IP Address 192 168 10 30 Subnet mask 255 255 255 0 Default gateway 192 168 10 1 DNS addresses can be entered later once Internet access is estab...

Page 127: ...e should not be needed since the DFL 160 automatically assigns the address using DHCP If DHCP cannot be used the workstation IP address should be configured manually The steps to do this with MacOS X...

Page 128: ...ask 255 255 255 0 Router 192 168 10 1 6 Click Apply to complete the static IP setup Note Different MacOS versions Some versions of MacOS may differ slightly from the screenshots shown above but the se...

Page 129: ...ommand 110 dynamic DNS settings 38 E end of life procedures 99 environmental parameters 13 Ethernet port LEDs 10 F FireFox usage 15 firewall menu 17 40 frags CLI command 111 H heat flow considerations...

Page 130: ...tatic URL filters 57 stats CLI command 117 status LED 10 14 status menu 79 sysmsgs CLI command 117 system menu 23 system status 80 T technical support 101 techsupport CLI command 118 time CLI command...

Reviews:

No comments

Brands by name

Popular brands

Load more brands