D-Link DFL-1100
Network Security Firewall
Manual

Building Networks for People™
(04/19/2005)

Summary of Contents for DFL-1100 - Security Appliance

Page 1: ...D-Link DFL-1100 Network Security Firewall Manual. Building Networks for People™ (04/19/2005) ...

Page 2: ...em 15; Interfaces 15; Change IP of the LAN, DMZ or ETH4 interface 15; WAN Interface Settings Using Static IP 16; WAN Interface Settings Using DHCP 16; WAN Interface Settings Using PPPoE 17; WAN Interface Settings Using PPTP 18; WAN Interface Settings Using L2TP 19; WAN Interface Settings Using BigPond 20; Traffic Shaping 20; MTU Configuration 21; VLAN 22; Add a new VLAN 22; Remove a VLAN 22; Routing 23; Add a new...

Page 3: ...36; Policy Routing 36; Add a new policy 37; Change order of policy 38; Delete policy 38; Configure Intrusion Detection 38; Configure Intrusion Prevention 39; Add a new mapping 40; Delete mapping 41; Administrative users 42; Add Administrative User 42; Change Administrative User Access level 43; Change Administrative User Password 43; Delete Administrative User 44; Users 45; The DFL-1100 RADIUS Support 45; Enable ...

Page 4: ...an L2TP/PPTP VPN Client 61; Adding an L2TP/PPTP VPN Server 61; VPN Advanced Settings 62; Limit MTU 62; IKE Mode 62; IKE DH Group 62; PFS (Perfect Forward Secrecy) 62; NAT Traversal 62; Keepalives 62; Proposal Lists 63; IKE Proposal List 63; IPSec Proposal List 63; Certificates 64; Trusting Certificates 64; Local identities 64; Certificates of remote peers 64; Certificate Authorities 64; Identities 65; Content Filteri...

Page 5: ...em 77; Interfaces 78; VPN 79; Connections 80; DHCP Server 81; Users 81; How to read the logs 82; USAGE events 82; DROP events 82; CONN events 83; Step by Step Guides 84; LAN-to-LAN VPN using IPSec 85; Settings for Main office 87; LAN-to-LAN VPN using PPTP 89; Settings for Main office 91; LAN-to-LAN VPN using L2TP 95; Settings for Branch office 95; Settings for Main office 98; A more secure LAN-to-LAN VPN solution 1...

Page 6: ...the Windows XP client 116; Settings for Main office 118; Intrusion Detection and Prevention 120; Appendixes 123; Appendix A: ICMP Types and Codes 123; Appendix B: Common IP Protocol Numbers 125; Appendix C: Multiple Public IP addresses 126; Appendix D: HTTP Content Filtering 134; Warranty 141 ...

Page 7: ...nly User. Introduction to Firewalls: A firewall is a device that sits between your computer and the Internet and prevents unauthorized access to or from your network. A firewall can be a computer using firewall software or a special piece of hardware built specifically to act as a firewall. In most circumstances a firewall is used to prevent unauthorized Internet users from accessing private networks...

Page 8: ...have a Network Interface Card (NIC), which communicates the data between computers. A NIC is usually a 10Mbps network card, a 10/100Mbps network card, or a wireless network card. Most networks use hardware devices such as hubs or switches that each cable can be connected to in order to continue the connection between computers. A hub simply takes any data arriving through each port and forwards the data ...

Page 9: ...with a Serial COM port: 9600 baud, 8 data bits, No Parity, 1 Stop bit, No Flow Control. WAN Port: Use this port to connect to an external network such as a WAN or a modem provided by an ISP. LAN Port: Use this port to connect to a Fast Ethernet Switch to service more than 1 client PC on the internal office network. DMZ Port: Use this port to service an additional physically segmented Private or Transparent ...

Page 10: ...232 Null Modem Cable. If any of the above items are missing, please contact your reseller. System Requirements: Computer running Microsoft Windows, Macintosh OS, or a UNIX-based operating system with an installed Ethernet adapter configured to communicate using TCP/IP; Internet Explorer or Netscape Navigator version 6.0 or above with JavaScript enabled. ...

Page 11: ...configurable timeout has been reached; otherwise the DFL-1100 will revert to the previous configuration. The timeout can be set on the Activate Configuration Changes page by choosing the time from the dropdown menu. Resetting the DFL-1100: To reset the DFL-1100 to factory default settings you must do so through the Web UI or the Console Interface. Refer to the section on resetting the DFL-1100 to facto...

Page 12: ...e IP interface of the DFL-1100. Enabling Default allows anyone to ping the interface IP. Admin: If enabled, it allows all users with admin access to connect to the DFL-1100 and change the configuration; this can be HTTPS, or HTTP and HTTPS. Read-Only: If enabled, it allows all users with read-only access to connect to the DFL-1100 and look at the configuration; this can be HTTPS, or HTTP and HTTPS. In the case wh...

Page 13: ...ancel to discard changes. Example: Add Admin access to an interface. To add admin access, click on the interface you would like to add it to. Only users with administrative rights can log in on interfaces where only admin access is enabled. Follow these steps to add admin access to an interface: Step 1. Click on the interface you would like to add it to. Step 2. Enable the Admin checkbox. Step 3. Specify...

Page 14: ...range of IP addresses. Step 4. Specify the protocol to be used to access the DFL-1100 via the dropdown menu: select HTTP and HTTPS (Secure HTTP), or HTTPS only. Click the Apply button below to apply the settings or click Cancel to discard changes. Example: Enable SNMP access to an interface. Follow these steps to add read-only SNMP access to an interface: Step 1. Click on the interface you would like to add it t...

Page 15: ...ts. Step 3. Choose the correct Subnet mask of this interface from the drop-down menu. This configuration will determine the IP addresses that can communicate with this interface. Click the Apply button below to apply the settings or click Cancel to discard changes. Please keep in mind that the DHCP scope will also need to be changed to correspond with the new LAN, DMZ or ETH4 IP. If the computer through ...

Page 16: ...address of the WAN interface. This is the address that may be used to ping the firewall, to remotely control it, and as the source address for dynamically translated connections. Subnet Mask: Size of the external network. Gateway IP: Specifies the IP address of the default gateway used to access the Internet. Primary and Secondary DNS Server: The IP addresses of your DNS servers; only the Primary DNS i...

Page 17: ...address of the external interface. You will have to fill in the username and password provided to you by your ISP. Username: The login or username supplied to you by your ISP. Password: The password supplied to you by your ISP. Service Name: When using PPPoE, some ISPs require you to fill in a Service Name. Primary and Secondary DNS Server: The IP addresses of your DNS servers; these are optional and are oft...

Page 18: ...plied to you by your ISP. PPTP Server IP: The IP of the PPTP server that the DFL-1100 will connect to. Before PPTP can be used to connect to your ISP, the physical WAN interface parameters must be input. You can use either DHCP or Static IP depending on the type of ISP used. Your ISP should supply this information. If using static IP, this information needs to be filled in: IP Address: The IP address of the...

Page 19: ...IP: The IP of the L2TP server that the DFL-1100 will connect to. Before L2TP can be used to connect to your ISP, the physical WAN interface parameters must be input. You can use either DHCP or Static IP depending on the type of ISP used. Your ISP should supply this information. If using static IP, this information needs to be filled in: IP Address: The IP address of the WAN interface. This IP is used to con...

Page 20: ...DFL-1100. For example, the policy for the web server might be given higher priority than the policies for most employees' computers. You can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth to make sure that there is enough bandwidth available for a high-priority service. You can also use traffic shaping to limit the amount of band...

Page 21: ...wn transmission speeds. Trial and error is the only sure way of finding the optimal MTU, but there are some guidelines that can help. For example, the MTU of many PPP connections is 576, so if you connect to the Internet via PPPoE you may want to set the MTU size to this value. DSL modems may also have small MTU sizes. Most Ethernet networks have an MTU of 1500. Note: If you connect to your ISP using DHCP ...

Page 22: ...tep 5. Fill in the IP address of the VLAN interface. This is the address that will be used to ping the firewall, to remotely control it, and as the gateway for hosts on that VLAN. Step 6. Choose the correct Subnet mask of this interface from the drop-down menu. Click the Apply button below to apply the setting or click Cancel to discard changes. Remove a VLAN: Follow these steps to remove a VLAN: Step 1...

Page 23: ...terface; no gateway address is specified. Additional IP Address: The IP address specified here will be automatically published on the corresponding interface. This address will also be used as the sender address in ARP queries. If no address is specified, the interface IP address of the firewall will be used. Proxy ARP: Specifies that the firewall shall publish this route via Proxy ARP. One advantage with ...

Page 24: ...work is behind a remote gateway, enable the checkbox Network is behind remote gateway and specify the IP of that gateway. Click the Apply button below to apply the settings or click Cancel to discard changes. Remove a Static Route: Follow these steps to remove a route: Step 1. Go to System and Routing. Step 2. Click the Edit corresponding to the route you would like to remove. Step 3. Check the checkbox nam...

Page 25: ...the firewall will merely experience the failover procedure as a slight burst of packet loss and, as TCP always does in such situations, retransmit the lost packets within a second or two and go on communicating. What High Availability will NOT do for you: Adding redundancy to your firewall setup will eliminate one of the single points of failure in your communication path. However, it is not a panacea ...

Page 26: ...ver mechanism. Both firewalls in the cluster know about the shared IP address. ARP queries for the shared IP address, or any other IP address published via the ARP configuration section or through Proxy ARP, will be answered by the active firewall. The hardware address of the shared IP address (and of other published addresses, for that matter) is not related to the hardware addresses of the firewall interfa...

Page 27: ...evel multicasts were chosen over normal unicast packets for security reasons: using unicast packets would have meant that a local attacker could fool switches into routing the heartbeats somewhere else, causing the peer firewall to never hear the heartbeats. The synchronization interface: Both firewalls are connected to each other by a separate synchronization connection; the fourth port is dedicated solel...

Page 28: ...e fourth interfaces on each unit; this interface (ETH4) can no longer be used as an extra DMZ or LAN interface when running HA. Log in to the master firewall, click on System in the menu bar and then click HA below it. In this screen, click on Configure additional HA parameters. This will show the screen below; here you fill in each unit's own IP and the shared IP on each interf...

Page 29: ...Apply, the unit should transfer the configuration from the first unit and your HA cluster should be operating. Interface Monitoring: When HA is configured, it is possible to configure something called Interface Monitoring; this is used to monitor up to 6 IP addresses on each segment (LAN, WAN or DMZ) of the DFL-1100 cluster. If 50% of the listed addresses are unreachable for several seconds, the active node w...

Page 30: ...vital part of all network security products. The D-Link DFL-1100 provides several options for logging activity. The D-Link DFL-1100 logs activity by sending the log data to one or two log receivers in the network. All logging is done to SYSLog recipients. The log format used for SYSLog logging is suitable for automated processing and searching. ...

Page 31: ...the Apply button below to apply the settings or click Cancel to discard changes. Enable Audit Logging: To start auditing all traffic through the firewall, follow the steps below. This is required when running third-party log analyzers on the logs, or to see how much traffic specific connections account for. Follow these steps to enable auditing: Step 1. Enable SYSLog by checking the Enable Audit Logging ...

Page 32: ...k on System in the menu bar and then click Time below it. This will give you the option to either set the system time by synchronizing with an Internet Network Time Server (NTP) or by entering the system time manually. ...

Page 33: ...e steps to sync to an Internet Time Server: Step 1. Enable synchronization by checking the Enable NTP box. Step 2. Enter the Server IP Address or Server name with which you want to synchronize. Click the Apply button below to apply the settings or click Cancel to discard changes. Setting time and date manually: Follow these steps to manually set the system time: Step 1. Check the Set the system time box. St...

Page 34: ...Z network to the DMZ interface, and a public network such as the Internet to the external interface. Then you can create NAT mode policies to accept or deny connections between these networks. NAT mode policies hide the addresses of the internal and DMZ networks from users on the Internet. In No NAT (Route) mode you can also create routed policies between interfaces. Route mode policies accept or deny co...

Page 35: ...g custom services exist: All: Matches all protocols. TCP+UDP+ICMP: This service matches all ports on either the TCP or the UDP protocol, including ICMP. Custom TCP: This service is based on the TCP protocol. Custom UDP: This service is based on the UDP protocol. Custom TCP/UDP: This service uses both the TCP and UDP protocols. The following is used when making a custom service: Custom source/destination ports: ...

Page 36: ...s based on source, destination and protocol parameters can be created much the same way firewall policies are implemented. There are three different priorities when configuring traffic shaping: Normal, High and Critical. Limit works by limiting the inbound and outbound traffic to the specified speed. This is the maximum bandwidth that can be used by traffic using this policy. Note, however, that if you...

Page 37: ...span of IP addresses to be compared to the received packet. Leave this blank to match everything. Source Users/Groups: Specifies if an authenticated username is needed for this policy to match. Either make a list of usernames separated by commas or write Any for any authenticated user. If it is left blank, there is no need for authentication for the policy. Destination Nets: Specifies the span of IP add...

Page 38: ...ete a policy: Step 1. From the available policy lists, choose the policy list from which you would like to delete the policy. Step 2. Click on the Edit link corresponding to the rule you want to delete. Step 3. Enable the Delete policy checkbox. Click the Apply button below to apply the changes or click Cancel to discard changes. Configure Intrusion Detection: Follow these steps to configure IDS on a pol...

Page 39: ...Step 2. Click on the Edit link corresponding to the rule you want to configure. Step 3. Enable the Intrusion Detection/Prevention checkbox. Step 4. Choose Prevention from the mode drop-down list. Step 5. Enable the alerting checkbox for e-mail alerting. Click the Apply button below to apply the changes or click Cancel to discard changes. ...

Page 40: ...e in log data and for easy reference in the policy list. Source Nets: Specify the source networks; leave blank for everyone (0.0.0.0/0). Source Users/Groups: Specifies if an authenticated username is needed for this mapping to match. Either make a list of usernames separated by commas or write Any for any authenticated user. If it is left blank, there is no need for authentication for the policy. Destinatio...

Page 41: ...mapping list (WAN, LAN or DMZ) you would like to delete the mapping from. Step 2. Click on the Edit link corresponding to the rule you want to delete. Step 3. Enable the Delete mapping checkbox. Click the Apply button below to apply the changes or click Cancel to discard changes. ...

Page 42: ...e users in each access level. Add Administrative User: Follow these steps to add a new administrative user: Step 1. Click on add after the type of user you would like to add, Admin or Read-only. Step 2. Fill in the User name; make sure you are not trying to add one that already exists. Step 3. Specify the password for the new user. Click the Apply button below to apply the setting or click Cancel to discard chan...

Page 43: ...change the level of. Step 2. Choose the appropriate level by entering it into the Group Membership field. Click the Apply button below to apply the setting or click Cancel to discard changes. Change Administrative User Password: To change the password of a user, click on the user name and you will see the following screen. Follow these steps to change an Administrative User password: Step 1. Click on the user you w...

Page 44: ...Follow these steps to delete an Administrative User: Step 1. Click on the user you would like to delete. Step 2. Enable the Delete user checkbox. Click the Apply button below to apply the setting or click Cancel to discard changes. Note: Deleting a user is irreversible; once the user is deleted, it cannot be undeleted. ...

Page 45: ...t end to other authentication services. The DFL-1100 RADIUS Support: The DFL-1100 can use RADIUS to verify users against, for example, Active Directory or a Unix password file. It is possible to configure up to two servers; if the first one is down, it will try the second IP instead. The DFL-1100 can use CHAP or PAP when communicating with the RADIUS server. CHAP (Challenge Handshake Authentication Protocol) d...

Page 46: ...d management GUI to listen on, since enabling user authentication requires the default ports (80 and 443) for user login purposes. Click the Apply button below to apply the settings or click Cancel to discard changes. Enable RADIUS Support: Follow these steps to enable RADIUS support: Step 1. Enable the checkbox for RADIUS Support. Step 2. Enter information for up to two RADIUS servers. Step 3. Specify which ...

Page 47: ...and password can contain numbers (0-9) and upper and lower case letters (A-Z, a-z). Special characters and spaces are not allowed. Change User Password: To change the password of a user, click on the user name and you will see the following screen. Follow these steps to change a user password: Step 1. Click on the user for which you would like to change the password. Step 2. Enable the Change password checkbox. ...

Page 48: ...Follow these steps to delete a user: Step 1. Click on the user you would like to delete. Step 2. Enable the Delete user checkbox. Click the Apply button below to apply the settings or click Cancel to discard changes. Note: Deleting a user is irreversible; once the user is deleted, it cannot be undeleted. ...

Page 49: ...or example, an organization may only want the firewall to allow the internal network users to access the Internet during work hours. Therefore one may create a schedule that allows the firewall to pass traffic Monday-Friday, 8AM-5PM only. During non-work hours the firewall will not allow Internet access. Add new recurring schedule: Follow these steps to add a new recurring schedule: Step 1. Go to Firewa...

Page 50: ...l and Schedules and choose Add new. Step 2. Choose the starting and ending date and hour when the schedule should be active. Step 3. Use the checkboxes to set the times this schedule should be active inside the specified timeframe. Click the Apply button below to apply the changes or click Cancel to discard changes. ...

Page 51: ...g source ports 1024-65535 and destination ports 80-82, 90-92 and 95. In this case a TCP or UDP packet with the destination port being one of 80, 81, 82, 90, 91, 92 or 95 and the source port being in the range 1024-65535 will match this service. Follow these steps to add a TCP, UDP or TCP/UDP service: Step 1. Go to Firewall and Service and choose add new. Step 2. Enter a Name for the service in the name field. T...

Page 52: ...cial characters and spaces are allowed. Step 3. Select IP Protocol. Step 4. Specify a comma-separated list of IP protocols. Click the Apply button below to apply the changes or click Cancel to discard changes. Grouping Services: Services can be grouped in order to simplify configuration. Consider a Web server using standard http as well as SSL-encrypted http (https). Instead of having to create two separate ...

Page 53: ...existing connection. Check this option to enable this feature for connections using this service. ALG: Similar to the way most stateful inspection firewalls behave, the DFL-1100 filters only information found in packet headers, such as IP, TCP, UDP or ICMP headers. In some situations, though, filtering only header data is not sufficient. The FTP protocol, for instance, includes IP address and port information ...

Page 54: ...IKE negotiation. This can be accomplished in a number of ways by using the IPSec protocol ESP. To set up an IPSec Virtual Private Network (VPN) you do not need to configure an Access Policy to enable encryption. Just fill in the following settings: VPN Name, Source Subnet (Local Net), Destination Gateway (if LAN-to-LAN), Destination Subnet (if LAN-to-LAN) and Authentication Method (Pre-shared key or Certificate). T...

Page 55: ...is used to encapsulate IP packets for transport between two peers. PPP consists of these three components: Link Control Protocols (LCP) to negotiate parameters, test and establish the link; Network Control Protocol (NCP) to establish and negotiate different network layer protocols (the DFL-1100 only supports IP); Data encapsulation to encapsulate datagrams over the link. To establish a PPP tunnel both sides sen...

Page 56: ...o be stored in a reversibly encrypted form. MS-CHAP v1: MS-CHAP v1 (Microsoft Challenge Handshake Authentication Protocol version 1) is similar to CHAP; the main difference is that with MS-CHAP v1 the password only needs to be stored as an MD4 hash instead of in a reversibly encrypted form. Another difference is that MS-CHAP v1 uses MD4 hashing as opposed to the MD5 used in CHAP. MS-CHAP v2: MS-CHAP v2 (Microsoft ...

Page 57: ...demand: If enabled, the tunnel will only be initiated when needed. If disabled, the tunnel will be persistent (always on). Authentication protocol: Specify which authentication protocol to use, if any. Refer to the Authentication Protocols section for more information about each type. MPPE encryption: If MPPE encryption is to be used, select the desired level of encryption key. MPPE is used with PPTP. A selecti...

Page 58: ...lay function, be sure to enable the check box to ensure proper DNS info. Primary/Secondary WINS: IP of the Windows Internet Name Service (WINS) servers that are used in Microsoft environments, which use the NetBIOS Name Servers (NBNS) to assign IP addresses to NetBIOS names. Authentication protocol: Specify which authentication protocol to use, if any (not necessary). Refer to the Authentication Protocols sect...

Page 59: ...two remote DMZ networks. The networks at the ends of the VPN tunnel are selected when you configure the VPN policy. Creating a LAN-to-LAN IPSec VPN Tunnel: Follow these steps to add a LAN-to-LAN Tunnel: Step 1. Go to Firewall > VPN and choose Add new under IPSec. Step 2. Enter a Name for the new tunnel in the name field. The name can contain numbers (0-9) and upper and lower case letters (A-Z, a-z) and the spec...

Page 60: ...e steps to add a roaming user tunnel: Step 1. Go to Firewall and VPN and choose Add new under IPSec. Step 2. Enter a Name for the new tunnel in the name field. The name can contain numbers (0-9) and upper and lower case letters (A-Z, a-z) and the special characters - and _. No other special characters and spaces are allowed. Step 3. Specify your local network, or your side of the tunnel, for example 192.168.1.0/25...

Page 61: ...PTP Client, choose the appropriate authentication type, either PSK (Pre-shared Key) or Certificate based. Click the Apply button below to apply the change or click Cancel to discard changes. Adding an L2TP/PPTP VPN Server: Follow these steps to add an L2TP or PPTP VPN Server configuration that listens on the WAN IP: Step 1. Go to Firewall and VPN and choose Add new PPTP server or Add new L2TP server in the...

Page 62: ...exchange is performed for each phase 2 negotiation. While this is slower, it makes sure that no keys are dependent on any other previously used keys; no keys are extracted from the same initial keying material. PFS is used to ensure that in the unlikely event an encryption key is compromised, no subsequent keys could be derived from that compromised key. NAT Traversal: Here it is possible to configure h...

Page 63: ...PN gateway one after another until a matching proposal is found. IKE Proposal List: Cipher: Specifies the encryption algorithm used in this IKE proposal. Supported algorithms are AES, 3DES, DES, Blowfish, Twofish and CAST128. Hash: Specifies the hash function used to calculate a checksum that reveals if the data packet is altered while being transmitted. MD5 and SHA1 are the supported algorithms. Life Times: Spec...

Page 64: ...This is a list of all the local identity certificates that can be used in VPN tunnels. A local identity certificate is used by the firewall to prove its identity to the remote VPN peer. To add a new local identity certificate, click Add new. The following pages will allow you to specify a name for the local identity and upload the certificate and private key files. This certificate can be selected in t...

Page 65: ...established if the certificate of the remote peer is present in the Certificates field in the VPN section, or if the remote peer's certificate is signed by a CA whose certificate is present in the Certificates field in the VPN section. However, in some cases it might be necessary to limit those who can establish a VPN tunnel even among peers signed by the same CA. The Identity list can be selected in ...

Page 66: ...ld be excluded from all Content Filtering. URLs in this list will not be stripped of ActiveX, Java, Flash or cookies. Note: For HTTP URL filtering to work, all HTTP traffic needs to go through a policy using a service with the HTTP ALG. Content Filtering rules will not apply to HTTPS streams. A pre-defined HTTP outbound service (TCP, All → 80, ALG http-cf, max 100) is provided to simplify the configuration of HT...

Page 67: ...ation of HTTP Content Filtering. Refer to Appendix D for more detailed information on the configuration of HTTP Content Filtering. Active content handling: Active content handling can be enabled or disabled by checking the checkbox before each type you would like to strip. For example, to strip ActiveX and Flash, enable the checkbox named Strip ActiveX objects. It is possible to strip ActiveX, Flash, Java, Java...

Page 68: ...r assigns and manages IP addresses from specified address pools within the firewall to the DHCP clients. Note: Leases are remembered over a re-configure or reboot of the firewall. The DFL-1100 also includes a DHCP Relay function. A DHCP Relay allows the DFL-1100 to receive DHCP requests and forward those requests to a specified DHCP server. The relay function allows the use of existing DHCP servers in ...

Page 69: ...o apply the settings or click Cancel to discard changes. Enable DHCP Relay: To enable the DHCP Relay on an interface, click on Servers in the menu bar and then click DHCP Server below it. Follow these steps to enable the DHCP Relay on the LAN interface: Step 1. Choose the LAN interface from the Available interfaces list. Step 2. Enable by checking the Relay DHCP Requests to other DHCP server box. Step 3. Fi...

Page 70: ...e Enable DNS Relayer box. Step 2. Enter the IP numbers that the DFL-1100 should listen for DNS queries on. Note: If Use address of LAN interface is checked, you do not have to enter an IP in IP Address 1, as the firewall will know what address to use. Click the Apply button below to apply the settings or click Cancel to discard changes. Disable DNS Relayer: Follow these steps to disable the DNS Relayer: Ste...

Page 71: ...Requests to. Number of packets: Number of ICMP Echo Request packets to send, up to 10. Packet size: Size of the packet to send, between 32 and 1500 bytes. Ping Example: In this example the IP Address is 192.168.10.1 and the Number of packets is five. After clicking on Apply, the firewall will start to send the ICMP Echo Requests to the specified IP. After a few seconds the result will be displayed. In this exampl...

Page 72: ...Tools menu to enter the Dynamic DNS configuration. The firewall provides a list of a few predefined DynDNS service providers. Users must register with one of these providers before trying to use this function. Add Dynamic DNS Settings: Follow these steps to enable Dynamic DNS: Step 1. Go to Tools and DynDNS. Step 2. Choose what Dynamic DNS service you would like to use and fill in the required information (use...

Page 73: ...Exporting the DFL-1100's Configuration: Follow these steps to export the configuration: Step 1. Under the Tools menu and the Backup section, click on the Download configuration button. Step 2. When the File Download pop-up window appears, choose the destination in which to save the exported file. The Administrator may choose to rename the file if preferred. Restoring the DFL-1100's Configuration: Fol...

Page 74: ...Restart/Reset: Restarting the DFL-1100: Follow these steps to restart the DFL-1100: Step 1. Choose if you want to do a quick or full restart. Step 2. Click Restart Unit and the unit will restart. ...

Page 75: ...t at the rear of the device. Step 1. Connect a PC with a Serial COM port to the COM port on the front of the DFL-1100 using the provided Null Modem cable. Configure a Terminal Emulation program to use the following settings: 9600 Baud, 8 Data Bits, No Parity, 1 Stop Bit, No Flow Control. Step 2. Power Cycle the Firewall by either using the power switch on the rear of the device or through the webUI. In the T...

Page 76: ...ware and restart the device. The updating process will not overwrite the system configuration. Though it is not necessary, it is a good idea to back up the system configuration before upgrading the software. Upgrade IDS Signature database: To upgrade the signature database, first download the newest IDS signatures from D-Link. After downloading the newest version of the software, connect to the firewall's ...

Page 77: ...the last reboot or start. Time: The current time and date. Configuration: Shows when the last administrative configuration change was activated as well as the originating IP. Firmware version: The firmware version running on the firewall. Last restart: The reason for the last restart. IDS Signatures: The IDS signature database versions. Resources: Displays CPU load, RAM usage, Connections, VPN Tunnels and Rules...

Page 78: ...the respective link. Interface: Name of the interface shown (LAN, WAN or DMZ). Link status: Displays what link the current interface has. The speed can be 10 or 100 Mbps and the duplex can be Half or Full. MAC Address: MAC address of the interface. Send rate: Current amount of traffic sent through the interface. Receive rate: Current amount of traffic received through the interface. There are also two graphs dis...

Page 79: ...n about the first VPN tunnel will be displayed. To see another one, click on that VPN tunnel's name. The two graphs display the send and receive rate through the selected VPN tunnel during the last 24 hours. In this example a tunnel named RoamVPN is selected. This is a tunnel that allows roaming users, so under the IPSec SA listing each roaming user connected to this tunnel is shown. ...

Page 80: ...wall receives packets from each end of the connection. The value shown in the Timeout column is the lower of the two values. Possible values in the State column include TCP_CLOSE, TCP_OPEN, SYN_RECV, FIN_RECV and so on. The Proto column can have: TCP: The connection is a TCP connection. PING: The connection is an ICMP ECHO connection. UDP: The connection is a UDP connection. RAWIP: The connection uses an IP pro...

Page 81: ...o that IP. Inactive leases are leases that are not currently in use but have been used by a computer before. That computer will get the lease the next time it is on the network. If there is no free IP in the pool, these IPs will be used for new computers. Users: Click on Status in the menu bar and then click Users below it. A window will appear providing user information. Currently authenticated users: us...

Page 82: ...istical information regarding connections and amount of traffic. Example: Oct 20 2003 09:45:23 gateway EFW: USAGE: conns=1174 if0=core ip0=127.0.0.1 tp0=0.00 if1=wan ip1=192.168.10.2 tp1=11.93 if2=lan ip2=192.168.0.1 tp2=13.27 if3=dmz ip3=192.168.1.1 tp3=0.99. The value after conns is the number of open connections through the firewall when the usage log was sent. The value after tp is the throughput th...

Page 83: ...nndestport=80. In this line, traffic from 192.168.0.10 on the LAN interface is connecting to 64.7.210.132 on port 80 on the WAN side of the firewall (internet). Another event is generated when the connection is closed. The information included in the event is the same as in the event sent when the connection was opened, with the exception that statistics regarding sent and received traffic is also includ...

Page 84: ...s are not recommended for real life use. Strong passwords and keys should be chosen, making use of symbols, letters and numbers to decrease the likelihood of a brute force / dictionary attack success. In these guides, for example, Firewall > Users will mean that the Firewall tab should first be selected from the menu at the top of the screen, followed by the Users button to the left of the screen should be s...

Page 85: ...ces. System > Interfaces: WAN IP: 194.0.2.10. LAN IP: 192.168.4.1. Subnet mask: 255.255.255.0. 2. Setup IPSec tunnel. Firewall > VPN: Under IPSec tunnels, click Add new. Name the tunnel ToMainOffice. Local net: 192.168.4.0/24. PSK: 1234567890 (Do not use this as your PSK). Retype PSK: 1234567890. ...

Page 86: ...2.20. Enable Automatically add a route for the remote network. Click Apply. 3. Setup policies for the new tunnel. Firewall > Policy: Click Global policy parameters. Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN. Click Apply. 4. Click Activate and wait for the firewall to restart. ...

Page 87: ...l. Firewall > VPN: Under IPSec tunnels, click Add new. Name the tunnel ToBranchOffice. Local net: 192.168.1.0/24. PSK: 1234567890 (Note: You should use a key that is hard to guess). Retype PSK: 1234567890. Select Tunnel type: LAN-to-LAN tunnel. Remote Net: 192.168.4.0/24. Remote Gateway: 194.0.2.10. Enable Automatically add a route for the remote network. Click Apply. ...

Page 88: ...le Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN. Click Apply. 4. Click Activate and wait for the firewall to restart. This example will allow all traffic between the two offices. To get a more secure solution, read the "A more secure LAN-to-LAN VPN solution" section of this user guide. ...

Page 89: ...ngs for Branch office. 1. Setup interfaces. System > Interfaces: WAN IP: 194.0.2.10. LAN IP: 192.168.4.1. Subnet mask: 255.255.255.0. 2. Setup PPTP client. Firewall > VPN: Under PPTP/L2TP clients, click Add new PPTP client. Name the tunnel toMainOffice. ...

Page 90: ...te: You should use a password that is hard to guess. Retype password: 1234567890. Interface IP: leave blank. Remote gateway: 194.0.2.20. Remote net: 192.168.1.0/24. Dial on demand: leave unchecked. Under authentication, MSCHAPv2 should be the only checked option. ...

Page 91: ...ies for the new tunnel. Firewall > Policy: Click Global policy parameters. Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN. Click Apply. 4. Click Activate and wait for the firewall to restart. Settings for Main office. 1. Setup interfaces. System > Interfaces: WAN IP: 194.0.2.20. LAN IP: 192.168.1.1. Subnet mask: 255.255.255.0. ...

Page 92: ...Server, click Add new PPTP server. Name the server pptpServer. Leave Outer IP and Inner IP blank. Set client IP pool to 192.168.1.100 - 192.168.1.199. Check Proxy ARP dynamically added routes. Check Use unit's own DNS relayer addresses. Leave WINS settings blank. ...

Page 93: ...r MPPE encryption, 128 bit should be the only checked option. Leave Use IPsec encryption unchecked. Click Apply. 3. Setup policies for the new tunnel. Firewall > Policy: Click Global policy parameters. Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN. Click Apply. ...

Page 94: ...90. Retype password: 1234567890. Leave static client IP empty (could also be set to 192.168.1.200). If no IP is set here, the IP pool from the PPTP server settings is used. Set Networks behind user to 192.168.4.0/24. Click Apply. 6. Click Activate and wait for the firewall to restart. This example will allow all traffic between the two offices. To get a more secure solution, read the "A more secure LAN-to-LAN V...

Page 95: ...ngs for Branch office. 1. Setup interfaces. System > Interfaces: WAN IP: 194.0.2.10. LAN IP: 192.168.4.1. Subnet mask: 255.255.255.0. 2. Setup L2TP client. Firewall > VPN: Under L2TP/PPTP client, click Add new L2TP client. Name the server toMainOffice. ...

Page 96: ...90. Note: You should use a password that is hard to guess. Retype password: 1234567890. Interface IP: leave blank. Remote gateway: 194.0.2.20. Remote net: 192.168.1.0/24. Dial on demand: leave unchecked. Under authentication, only MSCHAPv2 should be checked. ...

Page 97: ... Note: You should use a key that is hard to guess. Retype key: 1234567890. Click Apply. 3. Setup policies for the new tunnel. Firewall > Policy: Click Global policy parameters. Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN. Click Apply. 4. Click Activate and wait for the firewall to restart. ...

Page 98: ...255.255.255.0. 2. Setup L2TP server. Firewall > VPN: Under L2TP/PPTP Server, click Add new L2TP server. Name the server l2tpServer. Leave Outer IP and Inner IP blank. Set client IP pool to 192.168.1.100 - 192.168.1.199. Check Proxy ARP dynamically added routes. Check Use unit's own DNS relayer addresses. Leave WINS settings blank. ...

Page 99: ...n, MSCHAPv2 should be the only checked option. Under MPPE encryption, None should be the only checked option. Check Use IPSec encryption. Enter key: 1234567890 (Note: You should not use this key). Retype key: 1234567890. Click Apply. ...

Page 100: ...or the new tunnel. Firewall > Policy: Click Global policy parameters. Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN. Click Apply. 4. Set up authentication source. Firewall > Users: Select Local database. Click Apply. ...

Page 101: ...empty (could also be set to e.g. 192.168.1.200). If no IP is set here, the IP pool from the L2TP server settings is used. Set Networks behind user to 192.168.4.0/24. Click Apply. 6. Click Activate and wait for the firewall to restart. This example will allow all traffic between the two offices. To get a more secure solution, read the "A more secure LAN-to-LAN VPN solution" section in this chapter. ...

Page 102: ... tunnel. In this example we have a mail server, an FTP server and a web server (intranet) in the main office that we want to access from the branch office. Settings for Branch office. 1. Setup policies for the new tunnel. Firewall > Policy: Click Global policy parameters. Disable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN. Click Apply. 2. Now it is possible to create policies for the VPN interfaces...

Page 103: ...4. Setup the new rule. Name the new rule allow_pop3. Select action: Allow. Select service: pop3. Select schedule: Always. We don't want any Intrusion detection for now, so leave this option unchecked. Click Apply. ...

Page 104: ... create services named allow_imap, allow_ftp and allow_http. The services for these policies should be imap, ftp_passthrough and http respectively. The policy list for LAN -> toMainOffice should now look like this: 6. Click Activate and wait for the firewall to restart. ...

Page 105: ...ternal->VPN, VPN->internal and VPN->VPN. Click Apply. 2. Now it is possible to create policies for the VPN interfaces. Select from toBranchOffice to LAN and click Show. 3. Create the same 4 policy rules that were created on the branch office firewall: allow_pop3, allow_imap, allow_ftp and allow_http. 4. Click Activate and wait for the firewall to restart. ...

Page 106: ...using the Category view, click on the Network and Internet Connections icon. Then click Create a connection to the network on your workplace and continue to step 6. If you are using the Classic view, click on the Network Connections icon. 3. Under Network task, click Create a new connection. 4. The New connection wizard window opens up. Click Next. ...

Page 107: ...5. Select Connect to the network at my workplace and click Next. ...

Page 108: ...6. Select Virtual Private Network connection and click Next. ...

Page 109: ...7. Name the connection MainOffice and click Next. ...

Page 110: ...8. Select Do not dial the initial connection and click Next. ...

Page 111: ...9. Type the IP address of the server, 194.0.2.20, and click Next. 10. Click Finish. ...

Page 112: ...11. Type user name HomeUser and password 1234567890. Note: You should use a password that is hard to guess. 12. Click Properties. ...

Page 113: ... for the XP client are now complete. Once we have configured the server on the firewall, you should be able to click Connect to establish the connection to the Main office. Settings for Main office. 1. Setup interfaces. System > Interfaces: WAN IP: 194.0.2.20. LAN IP: 192.168.1.1. Subnet mask: 255.255.255.0. ...

Page 114: ...se IPSec encryption unchecked. Click Apply. 3. Setup policies for the new tunnel. Firewall > Policy: Click Global policy parameters. Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN. Click Apply. 4. Set up authentication source. Firewall > Users: Select Local database. Click Apply. 5. Add a new user. Firewall > Users: Under Users in local database, click Add new. Name the new user HomeUser. Enter passwor...

Page 115: ...his example will allow all traffic from the client to the main office network. To get a more secure solution, read the "Settings for the Main office" part of the "A more secure LAN-to-LAN VPN solution" section. ...

Page 116: ...ilar to the PPTP setup above. Settings for the Windows XP client: To set up an L2TP connection from Windows XP to the Main office firewall, please follow the steps in the PPTP guide above for the client side. The only changes to the PPTP guide are: 1. In step 13, change the Type of VPN to L2TP IPSec VPN. ...

Page 117: ...2. Select the Security tab and click IPSec Settings. 3. Check Use pre-shared key for authentication, type the key and click OK. ...

Page 118: ... routes. Check Use unit's own DNS relayer addresses. Leave WINS settings blank. Under authentication, MSCHAPv2 should be the only checked option. Under MPPE encryption, None should be the only checked option. Check the Use IPSec encryption box. Enter the pre-shared key 1234567890 and retype the same pre-shared key. Click Apply. 3. Setup policies for the new tunnel. Firewall > Policy: Click Global policy parameters. E...

Page 119: ...ty (could also be set to e.g. 192.168.1.200). If no IP is set here, the IP pool from the PPTP server settings is used. Click Apply. 6. Click Activate and wait for the firewall to restart. This example will allow all traffic from the client to the main office network. To get a more secure solution, read the "Settings for the Main office" part of the "A more secure LAN-to-LAN VPN solution" section. ...

Page 120: ...The policy setup is quite similar. In this example a mail server with IP 192.168.2.4 and a web server with IP 192.168.2.5 are connected to the DMZ interface on the firewall. To set up intrusion detection and prevention for a web server on the DMZ net, follow these steps: 1. Create a Port mapping for the web server. Firewall > Port Mapping: Under Configured mappings, click Add new. ...

Page 121: ...ng. Name the rule map_www. Select service http in all. Enter pass to IP 192.168.2.5 (the IP of the web server). Check the Intrusion detection/prevention option. Select mode: Prevention. Enable email alerting by checking the Alerting box. Click Apply. ...

Page 122: ...nter E-mail address 2: steve@examplecompany.com. Click Apply. 4. Click Activate and wait for the firewall to restart. When attacks are stopped by the firewall, they will be listed in the logs. Since we enabled email alerting in this example, emails will also be sent to the users webmaster and steve. In this example we used the prevention mode. This means that the firewall will block all attacks. In Inspection onl...

Page 123: ...d Don't Fragment was Set (RFC792); 5 Source Route Failed (RFC792); 6 Destination Network Unknown (RFC792); 7 Destination Host Unknown (RFC792); 8 Source Host Isolated (RFC792); 9 Communication with Destination Network is Administratively Prohibited (RFC792); 10 Communication with Destination Host is Administratively Prohibited (RFC792); 11 Destination Network Unreachable for Type of Service (RFC792); 12 Destination Host ...

Page 124: ...2 Parameter Problem: 0 Pointer indicates the error (RFC792); 1 Missing a Required Option (RFC1108); 2 Bad Length (RFC792). 13 Timestamp: 0 No Code (RFC792). 14 Timestamp Reply: 0 No Code (RFC792). 15 Information Request: 0 No Code (RFC792). 16 Information Reply: 0 No Code (RFC792). 17 Address Mask Request: 0 No Code (RFC950). 18 Address Mask Reply: 0 No Code (RFC950). 30 Traceroute (RFC1393). 31 Datagram Conversion Error (RFC1475). 40 P...

Page 125: ...eway (RFC823); 4 IP: IP in IP encapsulation (RFC2003); 5 ST: Stream (RFC1190, RFC1819); 6 TCP: Transmission Control (RFC793); 8 EGP: Exterior Gateway Protocol (RFC888); 17 UDP: User Datagram (RFC768); 47 GRE: General Routing Encapsulation; 50 ESP: Encapsulation Security Payload (RFC2406); 51 AH: Authentication Header (RFC2402); 108 IPComp: IP Payload Compression Protocol (RFC2393); 112 VRRP: Virtual Router Redundancy Protocol; 115 L2T...

Page 126: ...s recommended. This will ensure that if one of those servers happens to become compromised through vulnerabilities related to software, an attacker would not be able to directly access the private internal Network. The DFL-1100 provides a physical DMZ network interface specifically for this purpose. This can be accomplished with NAT disabled or enabled on the DMZ interface. Example Scenario using NAT: T...

Page 127: ...LAN. Navigate to the SYSTEM tab, then the ROUTING page of the Web-based configuration. Select the Add New link to create the first static route. Select the Interface that the Internal Server is connected to (LAN or DMZ). Specify the Public IP to be forwarded in the Network field. The Subnet Mask should be set to 255.255.255.255 (1 host). Enable the Proxy ARP feature. The above static route configuration expli...

Page 128: ...ted to (LAN or DMZ). Specify the Public IP to be forwarded in the Network field. The Subnet Mask should be set to 255.255.255.255 (1 host). Enable the Proxy ARP feature. The above static route configuration explicitly defines the interface that the additional Public IP address should be forwarded to. NOTE: Be sure to enable Proxy ARP for both routes or the Firewall will not forward traffic destined for the ...

Page 129: ...w link to create a new Port Mapping. Input the Public IP address to be forwarded in the Destination IP field. Select the Service to be forwarded to the Internal Server (pre-defined or custom). Enter the Private IP of the Server in the Pass To field. Configure Scheduling, IDS/IDP and/or Bandwidth Management if desired. Click Apply to save the configuration. Configure Port Mapping / Virtual Server Rules for DM...

Page 130: ...l Server (pre-defined or custom). Enter the Private IP of the Server in the Pass To field. Configure Scheduling, IDS/IDP or Bandwidth Management if desired. Click Apply to save the configuration. Click Activate Changes to apply changes and restart. Similar steps can be taken to configure other services to be mapped to Internal Servers for access from Public Hosts. Keep in mind that this configuration uses ...

Page 131: ...the Static Routes. A new route must be added to inform the firewall on which interface the Public IP will reside. Navigate to SYSTEM > ROUTING in the web-based configuration of the DFL-1100. Click on Add New to create a new static route. Select DMZ as the Interface. Enter the IP Address (WAN Network) you wish to forward to a server on the DMZ interface in the Network field. Select a 32-bit subnet mask from ...

Page 132: ...cannot be deleted or modified other than to enable the Proxy ARP feature. From the SYSTEM > ROUTING page, select WAN to edit the default route of the WAN interface. Enable the Proxy ARP feature by checking the checkbox. After making configuration changes, be sure to click Apply to save those changes to RAM. ...

Page 133: ...es on DMZ network radio button. After making configuration changes, click on the Apply button to save those changes. To allow services on the DMZ interface to be accessible from the WAN, incoming policies must be defined to allow those services. This can be done through the WAN->DMZ section in the Firewall > Policy configuration section. Once all changes are final, those changes must be activated. Click on t...

Page 134: ...Basic, Java Scripts and/or block cookies. In addition, a Whitelist is configurable to define URLs that will always be allowed. Conversely, a Blacklist is provided to allow customizable filtering of websites, domains and even file types based on file extension. All of the aforementioned filters function simultaneously if enabled/configured when HTTP content filtering is enabled. In order for HTTP content f...

Page 135: ...ing is enabled. This section should only be used to allow essential domains and servers, such as Microsoft.com and DLink.com, to ensure the ability to locate and download critical updates or firmware is not hindered. Domains or websites entered in the Whitelist will not be subject to any of the content filtering functions. ...

Page 136: ... domains in dlink.com. Once finished editing the Whitelist, click Apply to save changes or Cancel to clear. The Blacklist: Blacklist configuration is not limited to domain names. File extensions may be specified to block the download of said file types. Be sure to evaluate the type of files that may be traversing the firewall out of necessity on a regular basis, to ensure no loss in productivity due to i...

Page 137: ...com: Blocks access to all sub-domains under casino.com. To block specific file types from download through HTTP, use the following syntax: *.exe: Blocks executable downloads. Once finished editing the Blacklist, click Apply to save changes or Cancel to clear. Additional Content Filters: The Firewall can also filter Java Applets, Java/VB Script, ActiveX objects and/or cookies from reaching the PCs behind the Ne...

Page 138: ... this filtering should be applied to, utilizing the HTTP ALG. This will require a rework of the default outbound policy to eliminate the chance of unfiltered HTTP traffic passing through the Firewall. The idea is to remove the most general allow rule and configure rules to allow essential services, such as DNS as well as HTTP, to pass the Firewall. To disable the default general allow-all rule: Navigate ...

Page 139: ...the appropriate policy based on desired effect (LAN->WAN or DMZ->WAN). Click Add New at the bottom of the list. Give the rule a friendly name, such as dns_out. Position does not matter; leave blank or choose a position. Choose Allow as the Action. For service, choose dns_all. Select a schedule and enable IDS/IDP if desired. Click Apply to save the changes or click Cancel to disregard. ...

Page 140: ...save the changes or click Cancel to disregard. After clicking Apply, click the Activate button on the left-hand menu. Select Activate Changes Now to save the configuration to flash and restart. When the firewall has finished restarting, the HTTP Content Filtering Function will be enabled and active. Keep in mind that, depending on the type of activities your LAN participates in, more services may need to ...

Page 141: ...hase price is refunded, shall become the property of D-Link upon replacement or refund. Limited Software Warranty: D-Link warrants that the software portion of the product (Software) will substantially conform to D-Link's then current functional specifications for the Software, as set forth in the applicable documentation, from the date of original retail purchase of the Software for a period of ninety (9...

Page 142: ...strict compliance with the foregoing requirements, or for which an RMA number is not visible from the outside of the package. The product owner agrees to pay D-Link's reasonable handling and return shipping charges for any product that is not packaged and shipped in accordance with the foregoing requirements, or that is determined by D-Link not to be defective or non-conforming. What Is Not Covered: Th...

Page 143: ...This limited warranty provides specific legal rights, and the product owner may also have other rights which vary from state to state. Trademarks: D-Link is a registered trademark of D-Link Systems, Inc. Other trademarks or registered trademarks are the property of their respective manufacturers or owners. Copyright Statement: No part of this publication or documentation accompanying this Product may be ...

Page 144: ...ipment and receiver. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. For detailed warranty outside the United States, please contact the corresponding local D-Link office. ...
