background image

  

 
 

D-Link DFL-200

 

 

Network Security Firewall 

 

 

 

 

Manual

 

 
 

 

 

 

 

 

 

 

 

Building Networks for People

 

Ver.1.02 

(20050419) 

 

Содержание DFL-200 - Security Appliance

Страница 1: ...D Link DFL 200 Network Security Firewall Manual Building Networks for People Ver 1 02 20050419 ...

Страница 2: ...o an interface 14 Enable SNMP access to an interface 14 System 15 Interfaces 15 Change IP of the LAN or DMZ interface 15 WAN Interface Settings Using Static IP 16 WAN Interface Settings Using DHCP 16 WAN Interface Settings Using PPPoE 17 WAN Interface Settings Using PPTP 18 WAN Interface Settings Using BigPond 19 MTU Configuration 19 Routing 20 Add a new Static Route 21 Remove a Static Route 21 Lo...

Страница 3: ... HTTPS 35 Enable RADIUS Support 35 Add User 36 Change User Password 36 Delete User 37 Schedules 38 Add new recurring schedule 38 Services 39 Adding TCP UDP or TCP UDP Service 39 Adding IP Protocol 40 Grouping Services 40 Protocol independent settings 41 VPN 42 Introduction to IPSec 42 Introduction to PPTP 43 Introduction to L2TP 43 Point to Point Protocol 43 Authentication Protocols 44 PAP 44 CHAP...

Страница 4: ...s 53 Certificates of remote peers 53 Certificate Authorities 53 Identities 54 Content Filtering 55 Active content handling 55 Edit the URL Global Whitelist 56 Edit the URL Global Blacklist 57 Active content handling 58 Servers 59 DHCP Server Settings 59 Enable DHCP Server 60 Enable DHCP Relay 60 Disable DHCP Server Relayer 60 DNS Relayer Settings 61 Enable DNS Relayer 61 Disable DNS Relayer 62 Too...

Страница 5: ...h office 79 Settings for Main office 81 LAN to LAN VPN using PPTP 83 Settings for Branch office 83 Settings for Main office 86 LAN to LAN VPN using L2TP 90 Settings for Branch office 90 Settings for Main office 93 A more secure LAN to LAN VPN solution 97 Settings for Branch office 97 Settings for Main office 100 Windows XP client and PPTP server 101 Settings for the Windows XP client 101 Settings ...

Страница 6: ...6 Intrusion detection and prevention 119 Appendixes 122 Appendix A ICMP Types and Codes 122 Appendix B Common IP Protocol Numbers 124 LIMITED WARRANTY 125 ...

Страница 7: ... can be a computer using firewall software or a special piece of hardware built specifically to act as a firewall In most circumstances a firewall is used to prevent unauthorized Internet users from accessing private networks or corporate LAN s and Intranets A firewall watches all of the information moving to and from your network and analyzes each piece of data Each piece of data is checked again...

Страница 8: ... have a Network Interface Card NIC which communicates the data between computers A NIC is usually a 10Mbps network card a 10 100Mbps network card or a wireless network card Most networks use hardware devices such as hubs or switches that each cable can be connected to in order to continue the connection between computers A hub simply takes any data arriving through each port and forwards the data ...

Страница 9: ...le Serial access to the firewall software 9600 8bit None Parity 1Stop bit Internal Ports LAN Use these ports to connect the internal computers f the office DMZ Port Use this port to connect to the company s server s which needs direct connection to the Internet FTP SNMP HTTP and DNS External Port WAN Use this port to connect to the external router DSL modem or Cable modem Reset Reset the DFL 200 t...

Страница 10: ...ating than the one included with the DFL 200 will cause damage and void the warranty for this product If any of the above items are missing please contact your reseller System Requirements Computer with a Windows Macintosh or Unix based operating system with an installed Ethernet adapter Internet Explorer or Netscape Navigator version 6 0 or above with JavaScript enabled ...

Страница 11: ...eed to login again This have to be done before a configurable timeout has been reached this can be set on the Activate Configuration Changes page by choosing the time from the dropdown menu Resetting the DFL 200 To reset the DFL 200 to factory default settings you must hold the reset button down for at least 15 seconds after powering on the unit You will first hear one beep which will indicate tha...

Страница 12: ...e DFL 200 and change configuration can be HTTPS or HTTP and HTTPS Read Only If enabled allows all users with read only access to connect to the DFL 200 and look at the configuration can be HTTPS or HTTP and HTTPS If there is no Admin access specified on an interface and only read only admin users can still connect but will be in read only mode SNMP Specifies if SNMP should be allowed or not on the...

Страница 13: ... to an interface To add admin access click on the interface you would like to add it to Only users with the administrator rights can login on an interfaces where there is only admin access enabled Follow these steps to add admin access to an interface Step 1 Click on the interface you would like to add it to Step 2 Enable the Admin checkbox Step 3 Specify what networks are allowed to ping the inte...

Страница 14: ...0 for a range Step 4 Specify protocol used to access the DFL 200 from the dropdown menu either HTTP and HTTPS Secure HTTP or only HTTPS Click the Apply button below to apply the setting or click Cancel to discard changes Example Enable SNMP access to an interface Follow these steps to add read only SNMP access to an interface Step 1 Click on the interface you would like to add it to Step 2 Enable ...

Страница 15: ...ce to view or change under the Available interfaces list Step 2 Fill in the IP address of the LAN or DMZ interface These are the address that will be used to ping the firewall remotely control it and use as gateway for the internal hosts or DMZ hosts Step 3 Choose the correct Subnet mask of this interface from the drop down menu Click the Apply button below to apply the setting or click Cancel to ...

Страница 16: ...address of the WAN interface This is the address that may be used to ping the firewall remotely control it and be used as source address for dynamically translated connections Subnet Mask Size of the external network Gateway IP Specifies the IP address of the default gateway used to reach for the Internet Primary and Secondary DNS Server The IP addresses of your DNS servers only the Primary DNS is...

Страница 17: ... address of the external interface You will have to fill the username and password provided to you by your ISP Username The login or username supplied to you by your ISP Password The password supplied to you by your ISP Service Name When using PPPoE some ISPs require you to fill in a Service Name Primary and Secondary DNS Server The IP addresses of your DNS servers these are optional and are often...

Страница 18: ...ur ISP PPTP Server IP The IP of the PPTP server that the DFL 200 should connect to Before PPTP can be used to connect to you ISP the physical WAN interface parameters need to be supplied it s possible to use either DHCP or Static IP this depends on the type of ISP used and this information should be supplied by them If using static IP this information need to be filled in IP Address The IP address...

Страница 19: ...200 and the Internet If the packets the DFL 200 sends are larger they get broken up or fragmented which could slow down transmission speeds Trial and error is the only sure way of finding the optimal MTU but there are some guidelines that can help For example the MTU of many PPP connections is 576 so if you connect to the Internet via PPPoE you might want to set the MTU size to 576 DSL modems may ...

Страница 20: ...ed to the firewall interface no gateway address is specified Local IP Address The IP address specified here will be automatically published on the corresponding interface This address will also be used as the sender address in ARP queries If no address is specified the firewalls own interface IP address will be used Proxy ARP Specifies that the firewall shall publish this route via Proxy ARP One a...

Страница 21: ... network is behind a remote gateway enable the checkbox Network is behind remote gateway and specify the IP of that gateway Click the Apply button below to apply the setting or click Cancel to discard changes Remove a Static Route Follow these steps to add a remove a route Step 1 Go to System and Routing Step 2 Take Edit after the route you would like to remove Step 3 Check the checkbox named Dele...

Страница 22: ...l part in all network security products The D Link DFL 200 provides several options for logging its activity The D Link DFL 200 logs its activities by sending the log data to one or two log receivers in the network All logging is done to Syslog recipients The log format used for syslog logging is suitable for automated processing and searching ...

Страница 23: ...ton below to apply the setting or click Cancel to discard changes Enable Audit Logging To start auditing all traffic trough the firewall follow the sets below and the firewall will start logging all traffic trough the firewall this is needed for running third party log analyzers on the logs and to see how much traffic different connections use Follow these steps to enable auditing Step 1 Enable sy...

Страница 24: ...ogged in the usual logs if IDS is enabled for any of the rules For more information about how to enable intrusion detection and prevention on a policy or port mapping read more under Policies and Port Mappings in the Firewall section below ...

Страница 25: ...lick on System in the menu bar and then click Time below it This will give you the option to either set the system time by syncing to an Internet Network Time Server NTP or by entering the system time by hand ...

Страница 26: ... sync to an Internet Time Server Step 1 Enable synchronization by checking the Enable NTP box Step 2 Enter the Server IP Address or Server name with which you want to synchronize Click the Apply button below to apply the setting or click Cancel to discard changes Setting time and date manually Follow these steps to set the system time by hand Step 1 Checking the Set the system time box Step 2 Choo...

Страница 27: ...to the external interface Then you can create NAT mode policies to accept or deny connections between these networks NAT mode policies hide the addresses of the internal and DMZ networks from users on the Internet In No NAT Route mode you can also create routed policies between interfaces Route mode policies accept or deny connections between networks without performing address translation To use ...

Страница 28: ...ols TCP UDP ICMP This service matches all ports on either the TCP or the UDP protocol including ICMP Custom TCP This service is based on the TCP protocol Custom UDP This service is based on the UDP protocol Custom TCP UDP This service is based on either the TCP or the UDP protocol The following is used when making a custom service Custom source destination ports For many services a single destinat...

Страница 29: ...ese steps to add a new outgoing policy Step 1 Choose the LAN WAN policy list from the available policy lists Step 2 Click on the Add new link Step 3 Fill in the following values Name Specifies a symbolic name for the rule This name is used mainly as a rule reference in log data and for easy reference in the policy list Action Select Allow to allow this type of traffic Source Nets Specifies the sen...

Страница 30: ... policy Step 1 Choose the policy list you would like do delete the policy in from the available policy lists Step 2 Click on the Edit link on the rule you want to delete Step 3 Enable the Delete policy checkbox Click the Apply button below to apply the change or click Cancel to discard changes Configure Intrusion Detection Follow these steps to configure IDS on a policy Step 1 Choose the policy yo...

Страница 31: ...ave IDP on Step 2 Click on the Edit link on the rule you want to delete Step 3 Enable the Intrusion Detection Prevention checkbox Step 4 Choose Prevention from the mode drop down list Step 5 Enable the alerting checkbox for email alerting Click the Apply button below to apply the change or click Cancel to discard changes ...

Страница 32: ... for the rule This name is used mainly as a rule reference in log data and for easy reference in the policy list Source Nets Specify the source networks leave blank for everyone 0 0 0 0 0 Source Users Groups Specifies if an authenticated username is needed for this mapping to match Either make a list of usernames separated by or write Any for any authenticated user If it s left blank there is no n...

Страница 33: ...oose the mapping list WAN LAN or DMZ you would like do delete the mapping from Step 2 Click on the Edit link on the rule you want to delete Step 3 Enable the Delete mapping checkbox Click the Apply button below to apply the change or click Cancel to discard changes ...

Страница 34: ...ront end to other authentication services The DFL 200 RADIUS Support The DFL 200 can use RADIUS to verify users against for example Active Directory or Unix password file It is possible to configure up to two servers if the first one is down it will try the second IP instead The DFL 200 can use CHAP or PAP when communicating with the RADIUS server CHAP Challenge Handshake Authentication Protocol d...

Страница 35: ...for the management WebUI to listen on as the user authentication will use the same ports as the management WebUI is using Click the Apply button below to apply the setting or click Cancel to discard changes Enable RADIUS Support Follow these steps to enable RADIUS support Step 1 Enable the checkbox for RADIUS Support Step 2 Fill in up to two RADIUS servers Step 3 Specified which mode to use PAP or...

Страница 36: ...me and password can contain numbers 0 9 and upper and lower case letters A Z a z Special characters and spaces are not allowed Change User Password To change the password of a user click on the user name and you will see the following screen Follow these steps to change a users password Step 1 Click on the user you would like to change level of Step 2 Enable the Change password checkbox Step 3 Ent...

Страница 37: ... these steps to delete a user Step 1 Click on the user you would like to change level of Step 2 Enable the Delete user checkbox Click the Apply button below to apply the setting or click Cancel to discard changes Note Deleting a user is irreversible once the user is deleted it cannot be undeleted ...

Страница 38: ...s to access the Internet during work hours Therefore one may create a schedule to allow the firewall to allow traffic Monday Friday 8AM 5PM only During the non work hours the firewall will not allow Internet access Add new recurring schedule Follow these steps to add new recurring schedule Step 1 Go to Firewall and Schedules and choose Add new Step 2 Choose the starting and ending date and hour wh...

Страница 39: ...ng source ports 1024 65535 and destination ports 80 82 90 92 95 In this case a TCP or UDP packet with the destination port being one of 80 81 82 90 91 92 or 95 and the source port being in the range 1024 65535 will match this service Follow these steps to add a TCP UDP or TCP UDP service Step 1 Go to Firewall and Service and choose Add new Step 2 Enter a Name for the service in the name field This...

Страница 40: ...ecial characters and spaces are allowed Step 3 Select IP Protocol Step 4 Specify a comma separated list of IP protocols Click the Apply button below to apply the change or click Cancel to discard changes Grouping Services Services can be grouped in order to simplify configuration Consider a web server using standard http as well as SSL encrypted http https Instead of having to create two separate ...

Страница 41: ...xisting connection Check this option to enable this feature for connections using this service ALG Like other stateful inspection based firewalls DFL 200 filters on information found in packet headers for instance in IP TCP UDP and ICMP headers In some situations though filtering on header data only is not sufficient The FTP protocol for instance includes IP address and port information in the pro...

Страница 42: ... connections by defining a set of Security Associations SAs for each connection SAs are unidirectional so there will be at least two SAs per IPSec connection The other part is the actual IP data being transferred using the encryption and authentication methods agreed upon in the IKE negotiation This can be accomplished in a number of ways by using the IPSec protocol ESP To set up a Virtual Private...

Страница 43: ...is is often encapsulated in IPSec for encryption instead of using MPPE Point to Point Protocol PPP Point to Point Protocol is a standard for transporting datagram s over point to point links It is used to encapsulate IP packets for transport between two peers PPP consists of these three components Link Control Protocols LCP to negotiate parameters test and establish the link Network Control Protoc...

Страница 44: ...e password is used to create the one way MD5 hash That means that CHAP requires passwords to be stored in a reversibly encrypted form MS CHAP v1 MS CHAP v1 Microsoft Challenge Handshake Authentication Protocol version 1 is similar to CHAP the main difference is that with MS CHAP v1 the password only needs to be stored as a MD4 hash instead of a reversibly encrypted form Another difference is that ...

Страница 45: ...PPTP L2TP Server To connect to Dial on demand is used when the tunnel should only be used when needed if diabled the tunnel will always try to be up Authentication protocol Specify if and what authentication protocol to use read more about the different authentication protocols in the Authentication Protocol Introduction chapter MPPE encryption If MPPE encryption is going to be used this is where ...

Страница 46: ...Server will use as IP address pool to give out IP addresses to the clients from Primary Secondary DNS IP of the primary and secondary DNS servers Primary Secondary WINS IP of the Windows Internet Name Service WINS servers that are used in Microsoft environments which uses the NetBIOS Name Servers NBNS to assign IP addresses to NetBIOS names Authentication protocol Specify if and what authenticatio...

Страница 47: ...If MPPE encryption is going to be used this is where the encryption level is configured If L2TP or PPTP over IPSec is going to be used it has to be enabled and configured to either use a Pre Shared Key or a Certificate ...

Страница 48: ...wo DMZ networks The networks at the ends of the VPN tunnel are selected when you configure the VPN policy Creating a LAN to LAN IPSec VPN Tunnel Follow these steps to add LAN to LAN Tunnel Step 1 Go to Firewall and VPN and choose Add new in the IPSec tunnels section Step 2 Enter a Name for the new tunnel in the name field The name can contain numbers 0 9 and upper and lower case letters A Z a z an...

Страница 49: ... steps to add a roaming users tunnel Step 1 Go to Firewall and VPN and choose Add new in the IPSec tunnels section Step 2 Enter a Name for the new tunnel in the name field The name can contain numbers 0 9 and upper and lower case letters A Z a z and the special characters and _ No other special characters and spaces are allowed Step 3 Specify your local network or your side of the tunnel for examp...

Страница 50: ...TP Client choose authentication type either PSK Pre shared Key or Certificate based Click the Apply button below to apply the change or click Cancel to discard changes Adding a L2TP PPTP VPN Server Follow these steps to add a L2TP or PPTP VPN Server configuration that listens on the WAN IP Step 1 Go to Firewall and VPN and choose Add new PPTP server or Add new L2TP server in the L2TP PPTP Server s...

Страница 51: ...crecy is enabled a new Diffie Hellman exchange is performed for each phase 2 negotiation While this is slower it makes sure that no keys are dependent on any other previously used keys no keys are extracted from the same initial keying material This is to make sure that in the unlikely event that some key was compromised no subsequent keys can be derived NAT Traversal Here it s possible to configu...

Страница 52: ... VPN gateway one after another until a matching proposal is found IKE Proposal List Cipher Specifies the encryption algorithm used in this IKE proposal Supported algorithms are AES 3DES DES Blowfish Twofish and CAST128 Hash Specifies the hash function used to calculate a check sum that reveals if the data packet is altered while being transmitted MD5 and SHA1 are supported algorithms Life Times Sp...

Страница 53: ...cal identities This is a list of all the local identity certificates that can be used in VPN tunnels A local identity certificate is used by the firewall to prove its identity to the remote VPN peer To add a new local identity certificate click Add new The following pages will allow you to specify a name for the local identity and upload the certificate and private key files This certificate can b...

Страница 54: ...nnel is established if the certificate of the remote peer is present in the Certificates field in the VPN section or if the remote peer s certificate is signed by a CA whose certificate is present in the Certificates field in the VPN section However in some cases it might be necessary to limit who can establish a VPN tunnel even among peers signed by the same CA The Identity list can be selected i...

Страница 55: ...ample com and example com to catch the domain name by itself as well as variants with prefixed host names www without having the filter trigger on domains ending with the same text Note For HTTP URL filtering to work all HTTP traffic needs to go trough a policy using a service with the HTTP ALG which is the case for the http outbound service by default Also note that the HTTP content filter cannot...

Страница 56: ...move a url Step 1 Go to Firewall and Content Filtering and choose Edit global URL whitelist Step 2 Add edit or remove the URL that should never be checked with the Content Filtering Click the Apply button below to apply the change or click Cancel to discard changes ...

Страница 57: ...nd choose Edit global URL blacklist Step 2 Add edit or remove the URL that should be checked with the Content Filtering Click the Apply button below to apply the change or click Cancel to discard changes Note For HTTP URL filtering to work all HTTP traffic needs to go trough a policy using a service with the HTTP ALG ...

Страница 58: ... would like to strip For example to strip ActiveX and Flash enable the checkbox named Strip ActiveX objects It s possible to strip ActiveX Flash Java JavaScript and VBScript it s also possible to block cookies Note For HTTP URL filtering to work all HTTP traffic needs to go trough a policy using a service with the HTTP ALG ...

Страница 59: ...y address DNS Servers WINS Servers Domain name The DFL 200 DHCP Server assigns and manages IP addresses from specified address pools within the firewall to the DHCP clients Note Leases are remembered over a re configure or reboot of the firewall The DFL 200 also includes a DHCP Relayer A DHCP relayer is a form of gateway between a DHCP Server and its users The relayer intercepts DHCP queries from ...

Страница 60: ...or click Cancel to discard changes Enable DHCP Relay To enable the DHCP Relay on an interface click on Servers in the menu bar and then click DHCP Server below it Follow these steps to enable the DHCP Relayer on the LAN interface Step 1 Choose the LAN interface from the Available interfaces list Step 2 Enable by checking the Relay DHCP Requests to other DHCP server box Step 3 Fill in the IP of the...

Страница 61: ...all itself Enable DNS Relayer Follow these steps to enable the DNS Relayer Step 1 Enable by checking the Enable DNS Relayer box Step 2 Enter the IP numbers that the DFL 200 should listen for DNS queries on Note If Use address of LAN interface is checked you don t have to enter an IP in IP Address 1 as the firewall will know what address to use Click the Apply button below to apply the setting or c...

Страница 62: ...isable DNS Relayer Follow these steps to disable the DNS Relayer Step 1 Disable by un checking the Enable DNS Relayer box Click the Apply button below to apply the setting or click Cancel to discard changes ...

Страница 63: ...iven destination All packets are sent in immediate succession rather than one per second This behavior is the best one suited for diagnosing connectivity problems IP Address Target IP to send the ICMP Echo Requests to Number of packets Number of ICMP Echo Request packets to send up to 10 Packet size Size of the packet to send between 32 and 1500 bytes ...

Страница 64: ... be more easily accessed by specific name When this function is enabled the IP address in Dynamic DNS Server will be automatically updated with the new IP address provided by ISP Click DynDNS in the Tools menu to enter Dynamic DNS configuration The firewall provides a list of a few predefined DynDNS service providers users have to register with one of these providers before trying to use this func...

Страница 65: ...ng the DFL 200 s Configuration Follow these steps to export the configuration Step 1 Under the Tools menu and the Backup section click on the Download configuration button Step 2 When the File Download pop up window appears choose the destination place in which to save the exported file The Administrator may choose to rename the file if preferred Restoring the DFL 200 s Configuration Follow these ...

Страница 66: ...66 Restart Reset Restarting the DFL 200 Follow these steps restart the DFL 200 Step 1 Choose if you want to do a quick or full restart Step 2 Click Restart Unit and the unit will restart ...

Страница 67: ...lues set at the factory This procedure will possibly change the DFL 200 firmware version to lower version if it has been upgraded This procedure deletes all of the changes that you have made to the DFL 200 configuration and reverts the system to its original configuration including resetting interface addresses ...

Страница 68: ...section click on the Reset to Factory Defaults button Step 2 Click OK in the dialog to reset the unit to factory default or press Cancel to cancel You can restore your system settings by uploading a previously downloaded system configurations file to the DFL 200 if a backup of the device has been done ...

Страница 69: ...he file name of the newest version of the firmware then click Upload firmware image The updating process won t overwrite the system configuration so it is not necessary but still a good idea to backup it before upgrading the software Upgrade IDS Signature database To upgrade the signature database first download the newest IDS signatures from D Link After having the newest version of software conn...

Страница 70: ...ormation about the DFL 200 Uptime The time the firewall have been running since the last reboot or start CPU Load Percentage of cpu used Connections Number of current connections trough the firewall Firmware version The firmware version running on the firewall Last restart The reason for the last restart IDS Signatures The IDS signature versions There are also two graphs on this page one showing t...

Страница 71: ...or DMZ Interface Name of the interface shown LAN WAN or DMZ Link status Displays what link the current interface has the speed can be 10 or 100 Mbps and the duplex can be Half or Full MAC Address MAC address of the interface Send rate Current amount of traffic sent trough the interface Receive rate Current amount of traffic received trough the interface There are also two graphs displaying the sen...

Страница 72: ...ation about the first VPN tunnel will be show to see another one click on that VPN tunnels name The two graphs display the send and receive rate trough the selected VPN tunnel during the last 24 hours On this example a tunnel named RoamingUsers is selected this is a tunnel that allows roaming users So under the IPSec SA listing each roaming user connected to this tunnel is shown ...

Страница 73: ...ceives packets from each end of the connection The value shown in the Timeout column is the lower of the two values Possible values in the State column include TPC_CLOSE TCP_OPEN SYN_RECV FIN_RECV and so on The Proto column can have TCP The connection is a TCP connection PING The connection is an ICMP ECHO connection UDP The connection is a UDP connection RAWIP The connection uses an IP protocol o...

Страница 74: ...splays the configured ranges of IP s that are given out as DHCP leases Usage Display how much of the IP range is give out to DHCP clients Active leases are the current computers using this DHCP server It is also possible to end a computers lease from here by clicking on End lease after that IP Inactive leases are leases that are not currently in use but have been used by a computer before that com...

Страница 75: ...ation Currently authenticated users users logged in using HTTP HTTPS authentication users logged in on PPTP and L2TP servers will be listed here Users can be forced to log out by clicking logout Currently recognized privileges all users and groups that are used in policies are listed here These users and groups will be able to use HTTP and HTTPS authentication Interfaces where authentication are a...

Страница 76: ... if1 wan ip1 192 168 10 2 tp1 11 93 if2 lan ip2 192 168 0 1 tp2 13 27 if3 dmz ip3 192 168 1 1 tp3 0 99 The value after conns is the number of open connections trough the firewall when the usage log was sent The value after tp is the throughput through the firewall at the time the usage log was logged DROP events These events may be generated by a number of different functions in the firewall The m...

Страница 77: ...ernet Another event is generated when the connection is closed The information included in the event is the same as in the event sent when the connection was opened with the exception that statistics regarding sent and received traffic is also included Close Example Oct 20 2003 09 48 05 gateway EFW CONN prio 1 rule Rule_8 conn close connipproto TCP connrecvif lan connsrcip 192 168 0 10 connsrcport...

Страница 78: ...sswords used in these examples are not recommended for real life use Passwords and keys should be chosen so that they are impossible to guess or find out by eg a dictionary attack In these guides for example Firewall Users will mean that Firewall first should be selected from the menu at the top of the screen and than the Users button to the left of the screen ...

Страница 79: ...or Branch office 1 Setup interfaces System Interfaces WAN IP 193 0 2 10 LAN IP 192 168 4 1 Subnet mask 255 255 255 0 2 Setup IPsec tunnel Firewall VPN Under IPsec tunnels click Add new Name the tunnel ToMainOffice Local net 192 168 4 0 24 ...

Страница 80: ...type LAN to LAN tunnel Remote Net 192 168 1 0 24 Remote Gateway 194 0 2 20 Enable Automatically add a route for the remote network Click Apply 3 Setup policies for the new tunnel Firewall Policy Click Global policy parameters Enable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply ...

Страница 81: ...aces System Interfaces WAN IP 193 0 2 20 LAN IP 192 168 1 1 Subnet mask 255 255 255 0 2 Setup IPsec tunnel Firewall VPN Under IPsec tunnels click add new Name the tunnel ToBranchOffice Local net 192 168 1 0 24 PSK 1234567890 Note You should use a key that is hard to guess Retype PSK 1234567890 ...

Страница 82: ...etup policies for the new tunnel Firewall Policy Click Global policy parameters Enable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply 4 Click Activate and wait for the firewall to restart This example will allow all traffic between the two offices To get a more secure solution read the A more secure LAN to LAN VPN solution in this chapter ...

Страница 83: ...ngs for Branch office 1 Setup interfaces System Interfaces WAN IP 193 0 2 10 LAN IP 192 168 4 1 Subnet mask 255 255 255 0 2 Setup PPTP client Firewall VPN Under PPTP L2TP clients click Add new PPTP client Name the tunnel toMainOffice ...

Страница 84: ...te You should use a password that is hard to guess Retype password 1234567890 Interface IP leave blank Remote gateway 192 0 2 20 Remote net 192 168 1 0 24 Dial on demand leave unchecked Under authentication MSCHAPv2 should be the only checked option ...

Страница 85: ... Leave Use IPsec encryption unchecked Click Apply 3 Setup policies for the new tunnel Firewall Policy Click Global policy parameters Enable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply 4 Click Activate and wait for the firewall to restart ...

Страница 86: ...255 255 255 0 2 Setup PPTP server Firewall VPN Under L2TP PPTP Server click Add new PPTP server Name the server pptpServer Leave Outer IP and Inner IP blank Set client IP pool to 192 168 1 100 192 168 1 199 Check Proxy ARP dynamically added routes Check Use unit s own DNS relayer addresses Leave WINS settings blank ...

Страница 87: ...r MPPE encryption 128 bit should be the only checked option Leave Use IPsec encryption unchecked Click Apply 3 Setup policies for the new tunnel Firewall Policy Click Global policy parameters Enable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply ...

Страница 88: ...ers Under Users in local database click Add new Name the new user BranchOffice Enter password 1234567890 Retype password 1234567890 Leave static client IP empty could also be set to eg 192 168 1 200 If no IP is set here the IP pool from the PPTP server settings are used Set Networks behind user to 192 168 4 0 24 ...

Страница 89: ...6 Click Activate and wait for the firewall to restart This example will allow all traffic between the two offices To get a more secure solution read the A more secure LAN to LAN VPN solution section in this chapter ...

Страница 90: ...tings for Branch office 1 Setup interfaces System Interfaces WAN IP 193 0 2 10 LAN IP 192 168 4 1 Subnet mask 255 255 255 0 2 Setup L2TP client Firewall VPN Under L2TP PPTP client click Add new L2TP client Name the server toMainOffice ...

Страница 91: ...0 Note You should use a password that is hard to guess Retype password 1234567890 Interface IP leave blank Remote gateway 192 0 2 20 Remote net 192 168 1 0 24 Dial on demand leave unchecked Under authentication only MSCHAPv2 should be checked ...

Страница 92: ...cryption Enter key 1234567890 Note You should use a key that is hard to guess Retype key 1234567890 Click Apply 3 Setup policies for the new tunnel Firewall Policy Click Global policy parameters Enable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply ...

Страница 93: ...0 2 20 LAN IP 192 168 1 1 Subnet mask 255 255 255 0 2 Setup L2TP server Firewall VPN Under L2TP PPTP Server click Add new L2TP server Name the server l2tpServer Leave Outer IP and Inner IP blank Set client IP pool to 192 168 1 100 192 168 1 199 Check Proxy ARP dynamically added routes Check Use unit s own DNS relayer addresses ...

Страница 94: ...tication MSCHAPv2 should be the only checked option Under MPPE encryption None should be the only checked option Check Use IPsec encryption Enter key 1234567890 Note You should use a key that is hard to guess Retype key 1234567890 Click Apply ...

Страница 95: ... the new tunnel Firewall Policy Click Global policy parameters Enable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply 4 Set up authentication source Firewall Users Select Local database Click Apply ...

Страница 96: ... empty could also be set to eg 192 168 1 200 If no IP is set here the IP pool from the L2TP server settings are used Set Networks behind user to 192 168 4 0 24 Click Apply 6 Click Activate and wait for the firewall to restart This example will allow all traffic between the two offices To get a more secure solution read the A more secure LAN to LAN VPN solution section in this chapter ...

Страница 97: ...server ftp server and a web server intranet in the main office that we want to access from the branch office Settings for Branch office 1 Setup policies for the new tunnel Firewall Policy Click Global policy parameters Disable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply 2 Now is it possible to create policies for the VPN interfaces Select from LAN to toMainOffice and cl...

Страница 98: ...8 4 Setup the new rule Name the new rule allow_pop3 Select action Allow Select service pop3 Select schedule Always We don t want any Intrusion detection for now so leave this option unchecked Click Apply ...

Страница 99: ... 4 to create services named allow_imap allow_ftp and allow_http The services for these policies should be imap ftp_passthrough and http The policy list for LAN toMainOffice should now look like this 6 Click Activate and wait for the firewall to restart ...

Страница 100: ...fic internal VPN VPN internal and VPN VPN Click Apply 2 Now is it possible to create policies for the VPN interfaces Select from toBranchOffice to LAN and click Show 3 Create same 4 policy rules as was created on the branch office firewall allow_pop3 allow_imap allow_ftp and allow_http 4 Click Activate and wait for the firewall to restart ...

Страница 101: ...ing the Category view click on the Network and Internet Connections icon Then click Create a connection to the network on your workplace and continue to step 6 If you are using the Classic view click on the Network Connections icon 3 Under Network task click Create a new connection 4 The New connection wizard window opens up Click next ...

Страница 102: ...102 5 Select Connect to the network at my workplace and click Next ...

Страница 103: ...6 Select Virtual Private Network connection and click Next ...

Страница 104: ...104 7 Name the connection MainOffice and click Next ...

Страница 105: ...8 Select Do not dial the initial connection and click Next ...

Страница 106: ...106 9 Type the IP address to the server 194 0 2 20 and click Next 10 Click Finish ...

Страница 107: ...11 Type user name HomeUser and password 1234567890 Note You should use a password that is hard to guess 12 Click Properties ...

Страница 108: ...tworking tab and change Type of VPN to PPTP VPN Click OK All settings needed for the XP client is now done When we have set up the server on the firewall you can click Connect to establish the connection to the Main office ...

Страница 109: ...s Leave WINS settings blank Under authentication MSCHAPv2 should be the only checked option Under MPPE encryption 128 bit should be the only checked option Leave Use IPsec encryption unchecked Click Apply 3 Setup policies for the new tunnel Firewall Policy Click Global policy parameters Enable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply 4 Set up authentication source Fi...

Страница 110: ... PPTP server settings are used Click Apply 6 Click Activate and wait for the firewall to restart This example will allow all traffic from the client to the main office network To get a more secure solution read the Settings for the Main office part of A more secure LAN to LAN VPN solution section in this chapter ...

Страница 111: ...lar to the PPTP setup above Settings for the Windows XP client To setup a L2TP connection from Windows XP to the Main office firewall you can follow the steps in the PPTP guide above for the client side The only changes from that guide is 1 In step 13 change the Type of VPN to L2TP IPsec VPN ...

Страница 112: ...112 2 Select the Security tab and click IPsec Settings 3 Check Use pre shared key for authentication type the key and click OK ...

Страница 113: ...er authentication MSCHAPv2 should be the only checked option Under MPPE encryption None should be the only checked option Check the Use IPsec encryption box Enter the pre shared key 1234567890 and retype same pre shared key Click Apply 3 Setup policies for the new tunnel Firewall Policy Click Global policy parameters Enable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply 4 ...

Страница 114: ... PPTP server settings are used Click Apply 6 Click Activate and wait for the firewall to restart This example will allow all traffic from the client to the main office network To get a more secure solution read the Settings for the Main office part of A more secure LAN to LAN VPN solution section in this chapter ...

Страница 115: ... or trusted can be added to the whitelist by clicking Edit global URL whitelist To enable all subdomains of eg google com eg gmail google com and all possible pages on that site enter google com in this list This will allow for example www google com about html and gmail google com In the same way servers can be blocked by adding them to the blacklist Click Edit global URL blacklist and add the si...

Страница 116: ...re is no service with that name you will have to create one by clicking Add new at the bottom of the list TCP UDP Service should be selected and protocol should be set to TCP Set destination port to 80 Select HTTP HTML Content Filtering in the ALG dropdown Click Apply 3 Now add a policy rule that uses this service Firewall Policy Click LAN WAN Click Add new ...

Страница 117: ...4 Edit the new policy we just created Name the rule allow_http Enter position 2 Select action Allow Select service http outbound Select schedule Always Click Apply ...

Страница 118: ...18 The new policy should now be added to position two in the list if not it can be moved to the right position by clicking on the up and down arrows 5 Click Activate and wait for the firewall to restart ...

Страница 119: ...e policy setup is quite similar In this example a mail server with IP 192 168 2 4 and a web server with IP 192 168 2 5 is connected to the DMZ interface on the firewall To set up intrusion detection and prevention to a web server on the DMZ net follow these steps 1 Create a Port mapping for the web server Firewall Port Mapping Under Configured mappings click Add new ...

Страница 120: ...ping Name the rule map_www Select service http in all Enter pass to IP 192 168 2 5 the IP of the web server Check the Intrusion detection prevention option Select mode Prevention Enable email alerting by checking the Alerting box Click Apply ...

Страница 121: ...er E mail address 2 steve examplecompany com Click Apply 4 Click Activate and wait for the firewall to restart When attacks are stopped by the firewall it will listed in the logs Since we enabled email alerting in this example emails will also be sent to the users webmaster and steve In this example we used the prevention mode This means that the firewall will block all attacks In Inspection only ...

Страница 122: ...e RFC792 4 Fragmentation Needed and Don t Fragment was Set RFC792 5 Source Route Failed RFC792 6 Destination Network Unknown RFC792 7 Destination Host Unknown RFC792 8 Source Host Isolated RFC792 9 Communication with Destination Network is Administratively Prohibited RFC792 10 Communication with Destination Host is Administratively Prohibited RFC792 11 Destination Network Unreachable for Type of S...

Страница 123: ...ssembly Time Exceeded RFC792 12 Parameter Problem 0 Pointer indicates the error RFC792 1 Missing a Required Option RFC1108 2 Bad Length RFC792 13 Timestamp 0 No Code RFC792 14 Timestamp Reply 0 No Code RFC792 15 Information Request 0 No Code RFC792 16 Information Reply 0 No Code RFC792 17 Address Mask Request 0 No Code RFC950 18 Address Mask Reply 0 No Code RFC950 30 Traceroute RFC1393 31 Datagram...

Страница 124: ...823 4 IP IP in IP encapsulation RFC2003 5 ST Stream RFC1190 RFC1819 6 TCP Transmission Control RFC793 8 EGP Exterior Gateway Protocol RFC888 17 UDP User Datagram RFC768 47 GRE General Routing Encapsulation 50 ESP Encapsulation Security Payload RFC2406 51 AH Authentication Header RFC2402 108 IPComp I IP Payload Compression Protocol RFC2393 112 VRRP Virtual Router Redundancy Protocol 115 L2TP Layer ...

Страница 125: ...fective Hardware the price paid by the original purchaser for the defective Hardware will be refunded by D Link upon return to D Link of the defective Hardware All Hardware or part thereof that is replaced by D Link or for which the purchase price is refunded shall become the property of D Link upon replacement or refund Limited Software Warranty D Link warrants that the software portion of the pr...

Страница 126: ...forming What Is Not Covered This limited warranty provided by D Link does not cover Products that have been subjected to abuse accident alteration modification tampering negligence misuse faulty installation lack of reasonable care repair or service in any way that is not contemplated in the documentation for the product or if the model or serial number has been altered tampered with defaced or re...

Страница 127: ...ie Netzanschlußsteckdose muß aus Gründen der elektrischen Sicherheit einen Schutzleiterkontakt haben 10 Verlegen Sie die Netzanschlußleitung so daß niemand darüber fallen kann Es sollete auch nichts auf der Leitung abgestellt werden 11 Alle Hinweise und Warnungen die sich am Geräten befinden sind zu beachten 12 Wird das Gerät über einen längeren Zeitraum nicht benutzt sollten Sie es vom Stromnetz ...

Страница 128: ...roduit pourrait causer des interférences radio auquel cas l utilisateur devrait prendre les mesures adéquates Attenzione Il presente prodotto appartiene alla classe B Se utilizzato in ambiente domestico il prodotto può causare interferenze radio nel cui caso è possibile che l utente debba assumere provvedimenti adeguati FCC Warning This equipment has been tested and found to comply with the limits...

Страница 129: ...VCCI Warning ...

Страница 130: ...Thlli ja Pakkahuone Katajanokanlaituri 5 FIN 00160 Helsinki Finland TEL 358 9 622 91660 FAX 358 9 622 91661 E MAIL info dlink fi com URL www dlink fi com FRANCE D LINK FRANCE Le Florilege 2 Allee de la Fresnerie 78330 Fontenay le Fleury France TEL 33 1 302 38688 FAX 33 1 3023 8689 E MAIL info dlink france fr URL www dlink france fr GERMANY D LINK Central Europe D Link Deutschland GmbH Schwalbacher...

Страница 131: ...67 15 Bromma Sweden TEL 46 0 8564 61900 FAX 46 0 8564 61901 E MAIL info dlink se URL www dlink se TAIWAN D LINK TAIWAN 2F No 119 Pao Chung Road Hsin Tien Taipei Taiwan TEL 886 2 2910 2626 FAX 886 2 2910 1515 E MAIL dssqa tsc dlinktw com tw URL www dlinktw com tw U K D LINK EUROPE 4th Floor Merit House Edgware Road Colindale London NW9 5AB U K TEL 44 20 8731 5555 FAX 44 20 8731 5511 E MAIL info dli...

Страница 132: ...132 ...

Страница 133: ......

Отзывы: