manualshive.com logo in svg

D-Link DFL-210 - NetDefend - Security Appliance, Руководство пользователя

Поделиться
Скачать
D-Link DFL-210 - NetDefend - Security Appliance Скачать руководство пользователя страница 276

6.6. Denial-of-Service Attack Prevention

6.6.1. Overview

By embracing the Internet, enterprises experience new business opportunities and growth. The
enterprise network and the applications that run over it are business critical. Not only can a company
reach a larger number of customers via the Internet, it can serve them faster and more efficiently. At
the same time, using a public IP network enables companies to reduce infrastructure related costs.

Unfortunately, the same advantages that the Internet brings to business also benefit the hackers who
use the same public infrastructure to mount attacks. Attack tools are readily available on the Internet
and development work on these tools is often split across groups of novice hackers — known as
"script kiddies" or "larval hackers" — scattered across the globe, providing around-the-clock
progression of automated attack methods. Many of the new attack methods utilize the distributed
nature of the Internet to launch Denial of Service (DoS) attacks against organizations in which
servers are rendered incapable of responding to legitimate requests.

To be on the receiving end of a DoS attack is probably the last thing any network administrator
wants to experience. Attacks can appear out of thin air and the consequences can be devastating
with crashed servers, jammed Internet connections and business critical systems in overload.

This section deals with using D-Link Firewalls to protect organizations against these attacks.

6.6.2. DoS Attack Mechanisms

A DoS attack can be perpetrated in a number of ways but there are three basic types of attack:

Consumption of computational resources, such as bandwidth, disk space, or CPU time.

Disruption of configuration information, such as routing information.

Disruption of physical network components.

One of the most commonly used method is the consumption of computational resources which
means that the DoS attack floods the network and ties up critical resources used to run business
critical applications. In some cases, vulnerabilities in the Unix and Windows operating systems are
exploited to intentionally crash the system, while in other cases large amounts of apparently valid
traffic are directed at sites until they become overloaded and crash.

Some of the most commonly used DoS attacks have been:

The Ping of Death / Jolt attacks

Fragmentation overlap attacks: Teardrop / Bonk / Boink / Nestea

The Land and LaTierra attacks

The WinNuke attack

Amplification attacks: Smurf, Papasmurf, Fraggle

TCP SYN Flood attack

The Jolt2 attack

6.6.3. Ping of Death and Jolt Attacks

The "ping of death" is one of the earliest layer 3/4 attacks. One of the simplest ways to execute it is
to run "ping -l 65510 1.2.3.4" on a Windows 95 system where 1.2.3.4 is the IP address of the

6.6. Denial-of-Service Attack
Prevention

Chapter 6. Security Mechanisms

276

Содержание DFL-210 - NetDefend - Security Appliance

Страница 1: ...tion http www dlink com curity curity cu u u u u u u u u u u u u u u u u ur r r r r r r r r r r r r r r rity S S S S S S S S S S S S ity ity DFL 210 800 1600 2500 DFL 260 860 Ver 1 08 Network Security...

Страница 2: ...Manual DFL 210 260 800 860 1600 2500 NetDefendOS version 2 25 01 D Link Corporation No 289 Sinhu 3rd Rd Neihu District Taipei City 114 Taiwan R O C http www DLink com Published 2009 05 26 Copyright 2...

Страница 3: ...ular purpose The manufacturer reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of the manufacturer to notify any person of s...

Страница 4: ...3 2 RADIUS Accounting Messages 54 2 3 3 Interim Accounting Messages 56 2 3 4 Activating RADIUS Accounting 56 2 3 5 RADIUS Accounting Security 56 2 3 6 RADIUS Accounting and High Availability 56 2 3 7...

Страница 5: ...119 4 Routing 122 4 1 Overview 122 4 2 Static Routing 123 4 2 1 The Principles of Routing 123 4 2 2 Static Routing 127 4 2 3 Route Failover 130 4 2 4 Host Monitoring for Route Failover 133 4 2 5 Proxy...

Страница 6: ...trusion Detection and Prevention 265 6 5 1 Overview 265 6 5 2 IDP Availability in D Link Models 265 6 5 3 IDP Rules 267 6 5 4 Insertion Evasion Attack Prevention 268 6 5 5 IDP Pattern Matching 269 6 5...

Страница 7: ...view 332 9 3 2 Internet Key Exchange IKE 332 9 3 3 IKE Authentication 338 9 3 4 IPsec Protocols ESP AH 339 9 3 5 NAT Traversal 340 9 3 6 Algorithm Proposal Lists 341 9 3 7 Pre shared Keys 342 9 3 8 Id...

Страница 8: ...High Availability 409 11 1 Overview 409 11 2 HA Mechanisms 411 11 3 HA Setup 413 11 3 1 Hardware Setup 413 11 3 2 NetDefendOS Manual HA Setup 414 11 3 3 Verifying the Cluster is Functioning 415 11 3 4...

Страница 9: ...cenario 177 6 1 Deploying an ALG 196 6 2 HTTP ALG Processing Order 199 6 3 SMTP ALG Processing Order 209 6 4 DNSBL SPAM Filtering 211 6 5 TLS Termination 239 6 6 Dynamic Content Filtering Flow 245 6 7...

Страница 10: ...3 10 Enabling DHCP 83 3 11 Defining a VLAN 86 3 12 Configuring a PPPoE client 89 3 13 Creating an Interface Group 92 3 14 Displaying the ARP Cache 95 3 15 Flushing the ARP Cache 95 3 16 Defining a Sta...

Страница 11: ...Banner Files 257 6 19 Activating Anti Virus Scanning 263 6 20 Configuring an SMTP Log Receiver 272 6 21 Setting up IDP for a Mail Server 273 6 22 Adding a Host to the Whitelist 281 7 1 Adding a NAT Ru...

Страница 12: ...ied URL in a browser in a new window some systems may not allow this For example http www dlink com Screenshots This guide contains a minimum of screenshots This is deliberate and is done because the...

Страница 13: ...poses Note This indicates some piece of information that is an addition to the preceding text It may concern something that is being emphasized or something that is not obvious or explicitly stated in...

Страница 14: ...anular control allows the administrator to meet the requirements of the most demanding network security scenario Key Features NetDefendOS is an extensive and feature rich network operating system The...

Страница 15: ...ndOS provides a powerful Intrusion Detection and Prevention IDP engine The IDP engine is policy based and is able to perform high performance scanning and detection of attacks and can perform blocking...

Страница 16: ...ble network traffic Note ZoneDefense is only available on certain D Link NetDefendOS models NetDefendOS Documentation Reading through the available documentation carefully will ensure that you get the...

Страница 17: ...on as the NetDefendOS state engine 1 2 2 NetDefendOS Building Blocks The basic building blocks in NetDefendOS are interfaces logical objects and various types of rules or rule sets Interfaces Interfac...

Страница 18: ...the packet is dropped and the event is logged If none the above is true the receiving Ethernet interface becomes the source interface for the packet 3 The IP datagram within the packet is passed on to...

Страница 19: ...cted on all packets belonging to this connection 9 The Traffic Shaping and the Threshold Limit rule sets are now searched If a match is found the corresponding information is recorded with the state T...

Страница 20: ...mary of the flow of packets through the NetDefendOS state engine There are three diagrams each flowing into the next Figure 1 1 Packet Flow Schematic Part I The packet flow is continued on the followi...

Страница 21: ...Figure 1 2 Packet Flow Schematic Part II The packet flow is continued on the following page 1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 21...

Страница 22: ...Figure 1 3 Packet Flow Schematic Part III 1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 22...

Страница 23: ...elow presents the detailed logic of the Apply Rules function in Figure 1 2 Packet Flow Schematic Part II above Figure 1 4 Expanded Apply Rules Logic 1 3 NetDefendOS State Engine Packet Flow Chapter 1...

Страница 24: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 24...

Страница 25: ...or WebUI is built into NetDefendOS and provides a user friendly and intuitive graphical management interface accessible from a standard web browser Microsoft Internet Explorer or Firefox is recommend...

Страница 26: ...available LAN1 is the default interface 2 1 2 The Default Administrator Account By default NetDefendOS has a local user database AdminUsers that contains one pre defined administrator account This ac...

Страница 27: ...ar to the one shown below will then be shown in the browser window Enter your username and password and click the Login button The factory default username and password is admin and admin If the user...

Страница 28: ...1 2 The Default Administrator Account Note Access to the Web Interface is regulated by the remote management policy By default the system will only allow web access from the internal network Interfac...

Страница 29: ...r located on the left hand side of the Web Interface contains a tree representation of the system configuration The tree is divided into a number of sections corresponding to the major building blocks...

Страница 30: ...or require a command line approach to administration or who need more granular control of system configuration The CLI is available either locally through the serial console port connection to this is...

Страница 31: ...t After a command appears it can be re executed in it s original form or changed first before execution Tab Completion Remembering all the commands and their options can be difficult NetDefendOS provi...

Страница 32: ...g tab again all the object types for that category is displayed Using categories means that the user has a simple way to specify what kind of object they are trying to specify and a manageable number...

Страница 33: ...cated a name as well Subsequent manipulation of such a rule can be done either by referring to it by its index that is to say its list position or by alternatively using the name assigned to it The CL...

Страница 34: ...ously 2 Connect one of the connectors of the RS 232 cable directly to the console port on your system hardware 3 Connect the other end of the cable to the terminal or the serial connector of the compu...

Страница 35: ...l be displayed directly after the logon For security reasons it is advisable to disable or anonymize the CLI welcome message Changing the admin User Password It is recommended to change the default pa...

Страница 36: ...the Address Book that does not exist in a restored configuration backup Logging off from the CLI After finishing working with the CLI it is recommended to logout in order to avoid letting anyone getti...

Страница 37: ...y_script sgs is to be executed with IP address 126 12 11 01 replacing all occurrences of 1 in the script file and the string If1 address replacing all occurrences of 2 The file my_script sgs contains...

Страница 38: ...To list the content of a specific uploaded script file for example my_script sgs the command would be gw world script show name my_script sgs Creating Scripts Automatically When the same configuration...

Страница 39: ...are dependent cannot have a script created using the create option This is true when the CLI node type in the script create command is one of COMPortDevice Ethernet EthernetDevice Device If one of the...

Страница 40: ...follow The following table summarizes the operations that can be performed between an SCP client and NetDefendOS File type Upload possible Download possible Configuration Backup config bak Yes also w...

Страница 41: ...and would be scp config bak admin1 10 5 62 11 To download a configuration backup to the current local directory the command would be scp admin1 10 5 62 11 config bak To upload a file to an object type...

Страница 42: ...ns available in the boot menu are 1 Start firewall This initiates the complete startup of the NetDefendOS software on the D Link Firewall 2 Reset unit to factory defaults This option will restore the...

Страница 43: ...sole The password set for the console is not connected to the management passwords used for administrator access through a web browser It is valid only for console access 2 1 8 Management Advanced Set...

Страница 44: ...he configuration objects are organized into a tree like structure based on the type of the object In the CLI similar configuration object types are grouped together in a category These categories are...

Страница 45: ...show its contents in other words the values of the object properties This example shows how to display the contents of a configuration object representing the telnet service CLI gw world show Service...

Страница 46: ...Changes to a configuration object will not be applied to a running system until you activate and commit the changes Example 2 6 Adding a Configuration Object This example shows how to add a new IP4Ad...

Страница 47: ...always be restored until the configuration has been activated and committed This example shows how to restore the deleted IP4Address object shown in the previous example CLI gw world undelete Address...

Страница 48: ...usly if the configuration was activated via the CLI with the activate command then a commit command must be issued within that period If a lost connection could not be re established or if the commit...

Страница 49: ...vent which generates a mandatory event message as soon as the system starts up All event messages have a common format with attributes that include category severity and recommended actions These attr...

Страница 50: ...ardized format for the log messages themselves The format used by NetDefendOS is well suited to automated processing filtering and searching Although the exact format of each log entry depends on how...

Страница 51: ...ement System NMS and a managed device SNMP defines 3 types of messages a Read command for an NMS to examine a managed device a Write command to alter the state of a managed device and a Trap which is...

Страница 52: ...if needed by the trap receiver 5 Click OK The system will now be sending SNMP traps for all events with a severity greater than or equal to Alert to an SNMP trap receiver at 195 11 22 55 2 2 4 Advanc...

Страница 53: ...The delay in seconds between alarms when a continuous alarm is used Minimum 0 Maximum 10 000 Default 60 one minute 2 2 4 Advanced Log Settings Chapter 2 Management and Maintenance 53...

Страница 54: ...ing Messages Statistics such as number of bytes sent and received and number of packets sent and received are updated and stored throughout RADIUS sessions All statistics are updated for an authentica...

Страница 55: ...uthenticated This is a physical port and not a TCP or UDP port User IP Address The IP address of the authenticated user This is sent only if specified on the authentication server Input Bytes The numb...

Страница 56: ...cified A user authentication object must have a rule associated with it where a RADIUS server is specified Some important points should be noted about activation RADIUS Accounting will not function wh...

Страница 57: ...the case that the client for some reason fails to send a RADIUS AccountingRequest STOP packet the accounting server will never be able to update its user statistics but will most likely believe that...

Страница 58: ...that the RADIUS server will assume users are still logged in even though their sessions have been terminated Default Enabled Maximum Radius Contexts The maximum number of contexts allowed with RADIUS...

Страница 59: ...e client software When the client runs the MIB file is accessed to inform the client of the values that can be queried on a NetDefendOS device Defining SNMP Access SNMP access is defined through the d...

Страница 60: ...management client is on the internal network it is not required to implement a VPN tunnel for it CLI gw world add RemoteManagement RemoteMgmtSNMP my_snmp Interface lan Network mgmt net SNMPGetCommuni...

Страница 61: ...tem Contact The contact person for the managed node Default N A System Name The name for the managed node Default N A System Location The physical location of the node Default N A Interface Descriptio...

Страница 62: ...ilename cap_int cap pcapdump cleanup Going through this line by line we have 1 Recording is started for the int interface using a buffer size of 1024 Kbytes pcapdump size 1024 start int 2 The recordin...

Страница 63: ...ddr Filter on source IP address ipdest ipaddr Filter on destination IP address port portnum Filter on source or destination port number srcport portnum Filter on source port number destport portnum Fi...

Страница 64: ...lar destination IP address Compatibility with Wireshark The open source tool Wireshark formerly called Ethereal is an extremely useful analysis tool for examining logs of captured packets The industry...

Страница 65: ...e configuration and the installed NetDefendOS software This is useful if both the configuration is to be changed and the NetDefendOS version upgraded Backup files can be created both by downloading th...

Страница 66: ...CP server lease database or Anti Virus IDP databases will not be backed up 2 6 3 Configuration Backup and Restore The NetDefendOS configuration of a D Link Firewall at any given point of time can be b...

Страница 67: ...Maintenance Reset 2 Select Restore the entire unit to factory defaults then confirm and wait for the restore to complete Important Any upgrades will be lost after a factory reset It should be understo...

Страница 68: ...oning procedure a restore to factory defaults should always be run in order to remove all sensitive information such as VPN settings As a further precaution at the end of the product s life it also re...

Страница 69: ...2 6 4 Restore to Factory Defaults Chapter 2 Management and Maintenance 69...

Страница 70: ...y need to make changes in a single location rather than in each configuration section where the address appears 3 1 2 IP Addresses IP Address objects are used to define symbolic names for various type...

Страница 71: ...P address 2 Specify a suitable name for the IP host in this case wwww_srv1 3 Enter 192 168 10 16 for the IP Address 4 Click OK Example 3 2 Adding an IP Network This example adds an IP network named ww...

Страница 72: ...successfully deleted but NetDefendOS will not allow the configuration to be saved to the D Link Firewall 3 1 3 Ethernet Addresses Ethernet Address objects are used to define symbolic names for Ethern...

Страница 73: ...14 192 168 0 19 will result in a single IP range with addresses 192 168 0 10 192 168 0 19 Keep in mind however that for obvious reasons IP address objects cannot be combined with Ethernet MAC addresse...

Страница 74: ...em They are created with a given name and can then be used to contain all the IP address objects that are related together as a group Using folders is simply a way for the administrator to convenientl...

Страница 75: ...nformation on how service objects are being used with IP rules see Section 3 5 The IP Rule Set Pre defined Services A large number of Service objects come pre defined with NetDefendOS These include co...

Страница 76: ...eat importance such as streaming audio and video services UDP User Datagram Protocol is the preferred protocol UDP is connection less provides very few error recovery services and give thereby much lo...

Страница 77: ...shows how to add a TCP UDP Service using destination port 3306 which is used by MySQL CLI gw world add Service ServiceTCPUDP MySQL DestinationPorts 3306 Type TCP Web Interface 1 Go to Objects Service...

Страница 78: ...net connectivity ICMP messages are delivered in IP packets and includes a Message Type that specifies the type that is the format of the ICMP message and a Code that is used to further qualify the mes...

Страница 79: ...number Some of the common IP protocols such as IGMP are already pre defined in the NetDefendOS system configuration Similar to the TCP UDP port ranges described previously a range of IP protocol numbe...

Страница 80: ...cal interface in order to transfer data This group of interfaces is called Physical Sub Interfaces NetDefendOS has support for two types of physical sub interfaces Virtual LAN VLAN interfaces as speci...

Страница 81: ...d from this interface Examples of the use of core are when the D Link Firewall acts as a PPTP or L2TP server or responds to ICMP Ping requests By specifying the Destination Interface of a route as cor...

Страница 82: ...mples in this guide lan is used for LAN traffic and wan is used for WAN traffic If your D Link Firewall does not have these interfaces please substitute the references with the name of your chosen int...

Страница 83: ...gateway to the Internet Normally only one default all nets route to the default gateway needs to exist in the routing table Using DHCP on Ethernet Interfaces NetDefendOS includes a DHCP client for dyn...

Страница 84: ...efinedCredentials No Comments Default gateway for interface wan By using the tab key at the end of a line tab completion can be used to complete the command gw world show Address IP4Address InterfaceA...

Страница 85: ...w Ethernet Interface The set command can be used to control an Ethernet interface For example to enable an interface lan we can use the command gw world set EthernetDevice lan enable To set the driver...

Страница 86: ...dOS installation is limited by the parameters of the license used Different hardware models have different licenses and different limits on VLANs Summary of VLAN Setup It is important to understand th...

Страница 87: ...on Trace IP addresses to a specific user Allocate IP address automatically for PC users similar to DHCP IP address provisioning can be per user group The PPP Protocol Point to Point Protocol PPP is a...

Страница 88: ...User authentication If user authentication is required by the ISP the username and password can be setup in NetDefendOS for automatic sending to the PPPoE server Dial on demand If dial on demand is e...

Страница 89: ...provider Password Password provided by the service provider Confirm Password Retype the password Under Authentication specify which authentication protocol to use the default settings will be used if...

Страница 90: ...the local host address of 127 0 0 1 Remote Network The remote network which the GRE tunnel will connect with Remote Endpoint This is the IP address of the remote device which the tunnel will connect w...

Страница 91: ...1 In the address book set up the following IP objects remote_net_B 192 168 11 0 24 remote_gw 172 16 1 1 ip_GRE 192 168 0 1 2 Create a GRE Tunnel object called GRE_to_B with the following parameters IP...

Страница 92: ...ute for remote network is enabled in the Advanced tab since this will add the route automatically 4 Create the following rules in the IP rule set that allow traffic to pass through the tunnel Name Act...

Страница 93: ...be used later Security Transport Equivalent If enabled the interface group can be used as a destination interface in rules where connections might need to be moved between the interfaces examples of...

Страница 94: ...ing NetDefendOS supports both Dynamic ARP as well as Static ARP and the latter is available in two modes Publish and XPublish Dynamic ARP is the main mode of operation for ARP where NetDefendOS sends...

Страница 95: ...necessary to manually force a re query This is easiest achieved by flushing the ARP cache an operation which will delete all dynamic ARP entries from the cache thereby forcing NetDefendOS to issue ne...

Страница 96: ...Ethernet address 4b 86 f6 c5 a2 14 on the lan interface CLI gw world add ARP Interface lan IP 192 168 10 15 Mode Static MACAddress 4b 86 f6 c5 a2 14 Web Interface 1 Go to Interfaces ARP Add ARP 2 Sele...

Страница 97: ...f NetDefendOS is to drop and log such ARP requests and ARP replies This can however be changed by modifying the advanced settings ARP Multicast and ARP Broadcast Unsolicited ARP Replies It is fully po...

Страница 98: ...el should comply with the Ethernet address reported in the ARP data If this is not the case the reply will be dropped and logged The behavior can be changed by modifying the setting ARP Match Ethernet...

Страница 99: ...ns where a received ARP reply or ARP request would alter a static item in the ARP table Of course this is never allowed to happen However this setting does allow you to specify whether or not such sit...

Страница 100: ...ies Default 512 ARP Hash Size VLAN Hashing is used to rapidly look up entries in a table For maximum efficiency the hash size should be twice as large as the table it is indexing so if the largest dir...

Страница 101: ...object which could define a single IP address or range of addresses Service The protocol type to which the packet belongs Service objects define a protocol port type Examples might be HTTP or ICMP Cus...

Страница 102: ...ng NetDefendOS responding to ICMP Ping requests new IP rules must be defined by the administrator Traffic that does not match any rule in the IP rule set is by default dropped by NetDefendOS For loggi...

Страница 103: ...internal state table which allows monitoring of opened and active connections passing through the D Link Firewall If the action is Drop or Reject then the new connection is refused Stateful Inspectio...

Страница 104: ...low or NAT rules Packet processing time is also slower than Allow rules since every packet is checked against the entire rule set NAT This functions like an Allow rule but with dynamic address transla...

Страница 105: ...e moved to a different position in the rule set and therefore have a different precedence 3 5 5 IP Rule Set Folders In order to help organise large numbers of entries in IP rule sets it is possible to...

Страница 106: ...1 Go to Rules IP Rules Add IPRule 2 Specify a suitable name for the rule for example LAN_HTTP 3 Now enter Name A suitable name for the rule For example lan_http Action Allow Service http Source Interf...

Страница 107: ...multiple time ranges for each day of the week Furthermore a start and a stop date can be specified that will impose additional constraints on the schedule For instance a schedule can be defined as Mo...

Страница 108: ...the following Name OfficeHours 3 Select 08 17 Monday to Friday in the grid 4 Click OK 1 Go to Rules IP Rules Add IPRule 2 Enter the following Name AllowHTTP 3 Select the following from the dropdown li...

Страница 109: ...a certificate is a public key with identification attached coupled with a stamp of approval by a trusted party Certifice Authorities A certificate authority CA is a trusted entity that issues certifi...

Страница 110: ...ten contain a CRL Distribution Point CDP field which specifies the location from where the CRL can be downloaded In some cases certificates do not contain this field In those cases the location of the...

Страница 111: ...To associate an imported certificate with an IPsec tunnel Web Interface 1 Go to Interfaces IPsec 2 Display the properties of the IPsec tunnel 3 Select the Authentication tab 4 Select the X509 Certific...

Страница 112: ...in format which can be cut and pasted with a text editor Note OpenSSL is being used here as a conversion utility and not in its normal role as a communication utility 3 Create two blank text files wit...

Страница 113: ...OS installation is started for the first time Example 3 21 Setting the Current Date and Time To adjust the current date and time follow the steps outlined below CLI gw world time set YYYY mm DD HH MM...

Страница 114: ...to be used There are two parameters governing daylight saving time the DST period and the DST offset The DST period specifies on what dates daylight saving time starts and ends The DST offset indicat...

Страница 115: ...prevented NetDefendOS always queries all configured Time Servers and then computes an average time based on all responses Internet search engines can be used to list publicly available Time Servers Im...

Страница 116: ...ndOS time is 16 42 35 If a Time Server responds with a time of 16 43 38 then the difference is 63 seconds This is greater than the Maximum Adjustment value so no update occurs for this response Exampl...

Страница 117: ...e used Example 3 28 Enabling the D Link NTP Server To enable the use of the D Link NTP server CLI gw world set DateTime TimeSynchronization D Link Web Interface 1 Go to System Date and Time 2 Select t...

Страница 118: ...y Time Server DNS hostname or IP Address of Timeserver 2 Default None teriary Time Server DNS hostname or IP Address of Timeserver 3 Default None Interval between synchronization Seconds between each...

Страница 119: ...to make use of up to three DNS servers The are called the Primary Server the Secondary Server and the Tertiary Server For DNS to function at least the primary must be defined It is recommended to have...

Страница 120: ...etch delay The difference between HTTP Poster and the named DNS servers in the WebUI is that HTTP Poster can be used to send any URL The named services are a convenience that make it easy to correctly...

Страница 121: ...3 9 DNS Chapter 3 Fundamentals 121...

Страница 122: ...ing is one of the most fundamental functions of NetDefendOS Any IP packet flowing through a D Link Firewall will be subjected to at least one routing decision at some point in time and properly settin...

Страница 123: ...it can reach its destination The components of a single route are discussed next The Components of a Route When a route is defined it consists of the following parameters Interface The interface to fo...

Страница 124: ...see Section 4 4 Route Load Balancing and Section 4 2 3 Route Failover A Typical Routing Scenario The diagram below illustrates a typical D Link Firewall scenario In the above diagram the LAN interface...

Страница 125: ...a packet with a destination IP address of 192 168 0 4 will theoretically match both the first route and the last one However the first route entry is a narrower more specific match so the evaluation...

Страница 126: ...he 10 2 2 0 24 network The clients in this second network must also have their Default Gateway set to 10 2 2 1 in order to reach the D Link Firewall This feature is normally used when an additional ne...

Страница 127: ...he interfaces the connection table is consulted to see if there is an already open connection for which the received packet belongs If an existing connection is found the connection table entry includ...

Страница 128: ...words it is perfectly legal to specify one route for the destination address range 192 168 0 5 to 192 168 0 17 and another route for addresses 192 168 0 18 to 192 168 0 254 This is a feature that make...

Страница 129: ...ses which must be changed to the appropriate IP address ranges for traffic to flow The most important route that must be defined is the route to all nets which should correspond with the ISP and publi...

Страница 130: ...es Tip For detailed information about the output of the CLI routes command Please see the CLI Reference Guide 4 2 3 Route Failover Overview D Link Firewalls are often deployed in mission critical loca...

Страница 131: ...hop for a route accessibility to that gateway can be monitored by sending periodic ARP requests As long as the gateway responds to these requests the route is considered to be functioning correctly Se...

Страница 132: ...route will be disabled As a consequence a new route lookup will be performed and the second route will be selected with the first one being marked as disabled Re enabling Routes Even if a route has be...

Страница 133: ...way to monitor the integrity of routes NetDefendOS provides the additional capability to perform Host Monitoring This feature means that one or more external host systems can be routinely polled to ch...

Страница 134: ...cy This value cannot be less than 1 Maximum Failed Poll Attempts The maximum permissible number of polling attempts that fail If this number is exceeded then the host is considered unreachable Max Ave...

Страница 135: ...ss of a node on an Ethernet network However situations may exist where a network running Ethernet is separated into two parts with a routing device such as an installed D Link Firewall in between In s...

Страница 136: ...nsparent Mode In HA clusters switch routes cannot be used and proxy ARP is the only way to implement transparent mode functionality Note It is only possible to have Proxy ARP functioning for Ethernet...

Страница 137: ...ed Routing A different routing table might need to be chosen based on the user identity or the group to which the user belongs This is particularly useful in provider independent metropolitan area net...

Страница 138: ...s encountered address translation will be performed The decision of which routing table to use is made before carrying out address translation but the actual route lookup is performed on the altered a...

Страница 139: ...the named routing table is the only one consulted If this lookup fails the lookup will not continue in the main routing table 3 If Remove Interface IP Routes is enabled the default interface routes a...

Страница 140: ...the default gateway of ISP B Interface Network Gateway ProxyARP lan1 10 10 10 0 24 wan1 lan1 20 20 20 0 24 wan2 wan1 10 10 10 1 32 lan1 wan2 20 20 20 1 32 lan1 wan1 all nets 10 10 10 1 Contents of th...

Страница 141: ...llowing list can be specified in an RLB Instance object Round Robin Matching routes are used equally often by successively going to the next matching route Destination This is an algorithm that is sim...

Страница 142: ...same route from a lookup The importance of this is that it means that a particular destination application can see all traffic coming from the same source IP address Spillover Spillover is not simila...

Страница 143: ...setting a low metric on the route to the favoured ISP A relatively higher metric is then set on the route to the other ISP The all nets metric must be higher that interface routes The metric value use...

Страница 144: ...will select the route that has the narrowest range that matches the destination IP address used in the lookup In the above example 10 4 16 0 24 may be chosen over 10 4 16 0 16 because the range is nar...

Страница 145: ...T was being used for the client communication the IP address seen by the server would be WAN1 or WAN2 Example 4 6 Setting Up RLB In this example the details of the RLB scenario described above will be...

Страница 146: ...her tunnel connecting through the other ISP RLB can then be applied as normal with the two tunnels In order to get the second tunnel to function in this case you need to add a single host route in the...

Страница 147: ...ermination is based on the length of the path which is the number of intermediate routers also known as hops After updating its own routing table the router immediately begins transmitting its entire...

Страница 148: ...d and the length of the path 4 5 2 OSPF Overview Open Shortest Path First OSPF is a routing protocol developed for IP networks by the Internet Engineering Task Force IETF The NetDefendOS OSPF implemen...

Страница 149: ...ry Router ASBRs They advertise externally learned routes throughout the Autonomous System Backbone Areas All OSPF networks need to have at least the backbone area which is the area with ID 0 This is t...

Страница 150: ...l This is the normal state of an adjacency between a router and the DR BDR Aggregates OSPF Aggregation is used to combine groups of routes with common addresses into a single entry in the routing tabl...

Страница 151: ...ave a Virtual Link to fw1 with Router ID 192 168 1 1 and vice versa These Virtual Links need to be configured in Area 1 A Partitioned Backbone OSPF allows for linking a partitioned backbone using a vi...

Страница 152: ...re must also be taken when setting up a virtual link to an firewall in an HA cluster The endpoint setting up a link to the HA firewall must setup 3 separate links one to the shared one to the master a...

Страница 153: ...all nets in the Exactly Matches dropdown control 5 Click OK The next step is to create a Dynamic Routing Action that will do the actual importing of the routes into a routing table Specify the destina...

Страница 154: ...ion that will export the filtered route to the specified OSPF AS CLI gw world cc DynamicRoutingRule ExportDefRoute gw world ExportDefRoute add DynamicRoutingRuleExportOSPF ExportToProcess as0 Web Inte...

Страница 155: ...ss is Reverse Path Forwarding For unicast traffic a router is concerned only with a packet s destination With multicast the router is also concerned with a packets source since it forwards the packet...

Страница 156: ...168 10 1 and generates the multicast streams 239 192 10 0 24 1234 These multicast streams should be forwarded from interface wan through the interfaces if1 if2 and if3 The streams should only be forwa...

Страница 157: ...a name for the rule for example Multicast_Multiplex Action Multiplex SAT Service multicast_service 3 Under Address Filter enter Source Interface wan Source Network 192 168 10 1 Destination Interface c...

Страница 158: ...dress Translation Scenario Figure 4 9 Multicast Forwarding Address Translation This scenario is based on the previous scenario but now we are going to translate the multicast group When the multicast...

Страница 159: ...T Multiplex rule should be replaced with a NAT rule 4 6 3 IGMP Configuration IGMP signalling between hosts and routers can be divided into two categories IGMP Reports Reports are sent from hosts towar...

Страница 160: ...wards the clients and actively send queries Towards the upstream router it will be acting as a normal host subscribing to multicast groups on behalf of its clients 4 6 3 1 IGMP Rules Configuration No...

Страница 161: ...Add IGMP Rule 2 Under General enter Name A suitable name for the rule for example Reports Type Report Action Proxy Output wan this is the relay interface 3 Under Address Filter enter Source Interface...

Страница 162: ...ed to create the report and query rule pair for if1 which uses no address translation Web Interface A Create the first IGMP Rule 1 Go to Routing IGMP IGMP Rules Add IGMP Rule 2 Under General enter Nam...

Страница 163: ...or the rule for example Reports_if2 Type Report Action Proxy Output wan this is the relay interface 3 Under Address Filter enter Source Interface if2 Source Network if2net Destination Interface core D...

Страница 164: ...espond with IGMP Membership Reports even to queries orginating from itself Global setting on interfaces without an overriding IGMP Setting Default Disabled IGMP Lowest Compatible Version IGMP messages...

Страница 165: ...nterfaces without an overriding IGMP Setting Default 10 000 IGMP Robustness Variable IGMP is robust to IGMP Robustness Variable 1 packet losses Global setting on interfaces without an overriding IGMP...

Страница 166: ...interfaces without an overriding IGMP Setting Default 1 000 4 6 4 Advanced IGMP Settings Chapter 4 Routing 166...

Страница 167: ...specified instead of all nets This is usually when a network is split between two interfaces but the administrator does not know exactly which users are on which interface Usage Scenarios Two examples...

Страница 168: ...rmines from this ARP traffic the relationship between IP addresses physical addresses and interfaces NetDefendOS remembers this address information in order to relay IP packets to the correct receiver...

Страница 169: ...added but more restrictive IP rules are recommended Action Src Interface Src Network Dest Interface Dest Network Service Allow any all nets any all nets all Restricting the Network Parameter As NetDef...

Страница 170: ...e is decided by the PBR Membership parameter for each interface PBR is short for Policy Based Routing which is the NetDefendOS term used for multiple routing tables To implement separate Transparent M...

Страница 171: ...n route their traffic correctly after determining their whereabouts and IP address through ARP exchanges However a DHCP server could be used to allocate user IP addresses in a Transparent Mode setup i...

Страница 172: ...address specifying the interface which leads to the ISP and the ISPs gateway IP address If the IP addresses that need to be reached by NetDefendOS are 85 12 184 39 and 194 142 215 15 then the complete...

Страница 173: ...and the internal network The router is used to share the Internet connection with a single public IP address The internal NATed network behind the firewall is in the 10 0 0 0 24 address space Clients...

Страница 174: ...t address ranges All hosts connected to LAN and DMZ the lan and dmz interfaces share the 10 0 0 0 24 address space As this is configured using Transparent Mode any IP address can be used for the serve...

Страница 175: ...ss 10 0 0 1 Network 10 0 0 0 24 Transparent Mode Disable Add route for interface network Disable 3 Click OK 4 Go to Interfaces Ethernet Edit dmz 5 Now enter IP Address 10 0 0 2 Network 10 0 0 0 24 Tra...

Страница 176: ...face lan Destination Interface dmz Source Network 10 0 0 0 24 Destination Network 10 1 4 10 3 Click OK 4 Go to Rules IP Rules Add IPRule 5 Now enter Name HTTP WAN to DMZ Action SAT Service http Source...

Страница 177: ...Implementing BPDU Relaying The NetDefendOS BDPU relaying implementation only carries STP messages These STP messages can be of three types Normal Spanning Tree Protocol STP Rapid Spanning Tree Protoco...

Страница 178: ...alue dynamically Default Enabled L3 Cache Size This setting is used to manually configure the size of the Layer 3 Cache Enabling Dynamic L3C Size is normally preferred Default Dynamic Transparency ATS...

Страница 179: ...s DropLog Drop and log packets Default DropLog Multicast Enet Sender Defines what to do when receiving a packet that has the sender hardware MAC address in ethernet header set to a multicast ethernet...

Страница 180: ...gnore all incoming MPLS packets are relayed in transparent mode Options Ignore Let the packets pass but do not log Log Let the packets pass and log the event Drop Drop the packets DropLog Drop packets...

Страница 181: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 181...

Страница 182: ...ch as an IP address a MAC address a domain name and a lease for the IP address to the client in a unicast message DHCP Leases Compared to static assignment where the client owns the address dynamic ad...

Страница 183: ...nterface and relayer IP filter value If there is no match in the list then the request is ignored Using Relayer IP Address Filtering As explained above a DHCP server is selected based on a match of bo...

Страница 184: ...created an IP range for the DHCP Server CLI gw world add DHCPServer DHCPServer1 Interface lan IPAddressPool DHCPRange1 Netmask 255 255 255 0 Web Interface 1 Go to System DHCP DHCP Servers Add DHCPSer...

Страница 185: ...90 12 13 14 15 3 All static assignments can then be listed and each is listed with an index number gw world show Comments 1 none 4 An individual static assignment can be shown using its index number g...

Страница 186: ...ble settings are Disabled ReconfShut or ReconfShutTimer Default ReconfShut Lease Store Interval How often in seconds the leases database should be saved to disk if DHCPServer_SaveLeasePolicy is set to...

Страница 187: ...d request Although all NetDefendOS interfaces are core routed that is to say a route exists by default that routes interface IP addresses to Core for relayed DHCP requests this core routing does not a...

Страница 188: ...relaying Max Transactions Maximum number of transactions at the same time Default 32 Transaction Timeout For how long a dhcp transaction can take place Default 10 seconds Max PPM How many dhcp packet...

Страница 189: ...o save the relay list to the disk possible settings are Disabled ReconfShut or ReconfShutTimer Default ReconfShut Auto Save Interval How often in seconds should the relay list be saved to disk if DHCP...

Страница 190: ...k address 127 0 0 1 indicates that the DHCP server is NetDefendOS itself Client IP filter Optional setting used to specify which offered IPs are valid to use In most cases this will be set to the defa...

Страница 191: ...number is too large then this can degrade initial performance As leases in the prefetch cache are allocated requests are made to DHCP servers so that the cache is always full The administrator therefo...

Страница 192: ...5 5 IP Pools Chapter 5 DHCP Services 192...

Страница 193: ...ing a reverse lookup in the routing tables This lookup validates that the incoming traffic is coming from a source that the routing tables indicate is accessible via the interface on which the traffic...

Страница 194: ...address should belong to Access Rule Actions The Access Rule actions that can be specified are Drop Discard the packets that match the defined fields Accept Accept the packets that match the defined...

Страница 195: ...net network is received on the lan interface CLI gw world add Access Name lan_Access Interface lan Network lannet Action Expect Web Interface 1 Go to Rules Access 2 Select Access Rule in the Add menu...

Страница 196: ...ansfer and multimedia transfer ALGs provide higher security than packet filtering since they are capable of scrutinizing all traffic for a specific protocol and perform checks at the higher levels of...

Страница 197: ...associated with that Service will not be used 6 2 2 The HTTP ALG Hyper Text Transfer Protocol HTTP is the primary protocol used to access the World Wide Web WWW It is a connectionless stateless applic...

Страница 198: ...he file the term filetype here is also known as the filename extension All filetypes that are checked in this way by NetDefendOS are listed in Appendix C Verified MIME filetypes When enabled any file...

Страница 199: ...ltering obeys the following processing order and is similar to the order followed by the SMTP ALG 1 Whitelist 2 Blacklist 3 Web content filtering if enabled 4 Anti virus scanning if enabled As describ...

Страница 200: ...tself by providing a predefined login and password After granting access the server will provide the client with a file directory listing from which it can download upload files depending on access ri...

Страница 201: ...P client can be configured to use passive mode which is the recommended mode for clients The FTP server can be configured to use active mode which is the safer mode for servers When an FTP session is...

Страница 202: ...t be blocked by ZoneDefense since it is outside of the configured network range The virus is however still blocked by the D Link Firewall B Blocking infected servers Depending on the company policy an...

Страница 203: ...assive mode 5 Click OK B Define the Service 1 Go to Objects Services Add TCP UDP Service 2 Enter the following Name ftp inbound Type select TCP from the list Destination 21 the port the FTP server res...

Страница 204: ...nternal interface needs to be NATed 1 Go to Rules IP Rules Add IPRule 2 Now enter Name NAT ftp Action NAT Service ftp inbound 3 For Address Filter enter Source Interface dmz Destination Interface core...

Страница 205: ...red as follows Web Interface A Create the FTP ALG 1 Go to Objects ALG Add FTP ALG 2 Enter Name ftp outbound 3 Uncheck Allow client to use active mode 4 Check Allow server to use passive mode 5 Click O...

Страница 206: ...tbound Action NAT Service ftp outbound 3 For Address Filter enter Source Interface lan Destination Interface wan Source Network lannet Destination Network all nets 4 Check Use Interface Address 5 Clic...

Страница 207: ...e use of filenames containing consecutive periods Allowing Request Timeouts The NetDefendOS TFTP ALG blocks the repetition of an TFTP request coming from the same source IP address and port within a f...

Страница 208: ...is allowed to pass through the ALG regardless if the address is on the blacklist or that the mail has been flagged as SPAM Verify MIME type The content of an attached file can be checked to see if it...

Страница 209: ...dress entry some_domain com can be used to specify all possible email addresses for some_domain com If for example wildcarding is used in the blacklist to block all addresses for a certain company cal...

Страница 210: ...emails from the blocked email server For example if a remote user is sending an infected email using a well known free email company blocking the sending server using ZoneDefense would block all futur...

Страница 211: ...hese can be queried over the public Internet These lists are known as DNS Black List DNSBL databases and the information is accessible using a standardized query method supported by NetDefendOS The im...

Страница 212: ...2 7 Alternative Actions for Dropped SPAM If the calculated sum is greater than or equal to the Drop threshold value then the email is not forwarded to the intended recipient Instead the administrator...

Страница 213: ...t server will be automatically subtracted from both the SPAM and Drop thresholds for the scoring calculation done for that email If enough DNSBL servers do not respond then this subtraction could mean...

Страница 214: ...dropped email will be sent as an alternative to simply discarding it Optionally specify that the TXT messages sent by the DNSBL servers that failed are inserted into the header of these emails Cachin...

Страница 215: ...kLists 4 Disabled BlackLists 0 Current Sessions 0 Statistics Total number of mails checked 0 Number of mails dropped 0 Number of mails spam tagged 0 Number of mails accepted 0 BlackList Status Value T...

Страница 216: ...LG and a fuller description of how it works can be found in Section 6 2 2 The HTTP ALG Anti Virus Scanning The NetDefendOS Anti Virus subsystem can optionally scan email attachments searching for mali...

Страница 217: ...and Proxy Server are logical entities and may in fact reside on the same physical server SIP Media related Protocols A SIP session makes use of a number of protocols These are SDP Session Description...

Страница 218: ...ges can bypass the proxies This facilitates scaling since proxies are used only for the initial SIP message exchange The disadvantage of removing proxies from the session is that NetDefendOS IP rules...

Страница 219: ...tected side The SIP proxy is located on the local protected side of the D Link Firewall and can handle registrations from both clients located on the same local network as well as clients on the exter...

Страница 220: ...ype set to TCP UDP 3 Define two rules in the IP rule set A NAT rule for outbound traffic from clients on the internal network to the SIP Proxy Server located externally The SIP ALG will take care of a...

Страница 221: ...est Interface Dest Network Allow or NAT lan lannet wan ip_proxy Allow wan ip_proxy lan or core lannet or wan_ip Without the Record Route option enabled the IP rules would be as shown below the changes...

Страница 222: ...rule This translation will occur both on the IP level and the application level Neither the clients or the proxies need to be aware that the local clients are being NATed If Record Route is enabled o...

Страница 223: ...Clients Allow lan lannet ip_proxy wan all nets InboundTo Proxy Clients Allow wan all nets lan lannet ip_proxy If Record Route is enabled then the networks in the above rules can be further restricted...

Страница 224: ...the DMZ interface must be a globally routable IP address This address can be the same address as the one used on the external interface The setup steps are as follows 1 Define a single SIP ALG object...

Страница 225: ...P address of the DMZ interface The reason for this is because local clients will be NATed using the IP address of the DMZ interface when they register with the proxy located on the DMZ This rule has c...

Страница 226: ...et InboundFromProxy Allow dmz ip_proxy core dmz_ip InboundToProxy Allow wan all nets dmz ip_proxy With Record Route disabled the following IP rules must be added to those above Action Src Interface Sr...

Страница 227: ...H 245 Media Control and Transport Provides control of multimedia sessions established between two H 323 endpoints Its most important task is to negotiate opening and closing of logical channels A log...

Страница 228: ...es and the administrator needs to be sure about IP addresses and routes used in a particular scenario Gatekeeper Registration Lifetime The gatekeeper registration lifetime can be controlled in order t...

Страница 229: ...t Destination Network 0 0 0 0 0 all nets Comment Allow outgoing calls 3 Click OK Incoming Rule 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323AllowIn Action Allow Service H323 Source Interface...

Страница 230: ...phone Web Interface Outgoing Rule 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323Out Action NAT Service H323 Source Interface lan Destination Interface any Source Network lannet Destination N...

Страница 231: ...ddress Example 6 6 Two Phones Behind Different D Link Firewalls This scenario consists of two H 323 phones each one connected behind the D Link Firewall on a network with public IP addresses In order...

Страница 232: ...here are no rules disallowing or allowing the same kind of ports traffic before these rules As we are using private IPs on the phones incoming traffic need to be SATed as in the example below The obje...

Страница 233: ...multiple H 323 phones are placed behind the firewall one SAT rule has to be configured for each phone This means that multiple external addresses have to be used However it is preferable to use an H 3...

Страница 234: ...H323 Gatekeeper Source Interface any Destination Interface core Source Network 0 0 0 0 0 all nets Destination Network wan_ip external IP of the firewall Comment Allow incoming communication with the G...

Страница 235: ...make sure there are no rules disallowing or allowing the same kind of ports traffic before these rules Web Interface 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323Out Action NAT Service H323...

Страница 236: ...d that all offices use private IP ranges on their local networks All outside calls are done over the existing telephone network using the gateway ip gateway connected to the ordinary telephone network...

Страница 237: ...ination Interface lan Source Network ip gateway Destination Network lannet Comment Allow communication from the Gateway to H 323 phones on lannet 3 Click OK 1 Go to Rules IP Rules Add IPRule 2 Now ent...

Страница 238: ...Now enter Name ToGK Action Allow Service H323 Gatekeeper Source Interface lan Destination Interface vpn hq Source Network lannet Destination Network hq net Comment Allow communication with the Gatekee...

Страница 239: ...therefore easily have secure server access without requiring additional software The Relationship with SSL TLS is a successor to the Secure Sockets Layer SSL but the differences are slight Therefore f...

Страница 240: ...ocessing advantages that can be achieved can however vary and will depend on the comparative processing capabilities of the servers and the D Link Firewall Decrypted TLS traffic can be subject to othe...

Страница 241: ...pher Suites Supported by NetDefendOS TLS NetDefendOS TLS supports the following cipher suites 1 TLS_RSA_WITH_3DES_EDE_CBC_SHA 2 TLS_RSA_WITH_RC4_128_SHA 3 TLS_RSA_WITH_RC4_128_MD5 4 TLS_RSA_EXPORT_WIT...

Страница 242: ...filtering requires a minimum of administration effort and has very high accuracy Note All Web Content Filtering is enabled via the HTTP ALG which is described in Section 6 2 2 The HTTP ALG 6 3 2 Activ...

Страница 243: ...ion as to whether they should be blocked or allowed Static and Dynamic Filter Ordering Additionally Static Content Filtering takes place before Dynamic Content Filtering described below which allows t...

Страница 244: ...necessary program files which should be allowed to download CLI Start by adding an HTTP ALG in order to filter HTTP traffic gw world add ALG ALG_HTTP content_filtering Then create a HTTP ALG URL to se...

Страница 245: ...The WCF URL databases are updated almost hourly with new categorized URLs while at the same time older invalid URLs are dropped The scope of the URLs in the databases is global covering websites in m...

Страница 246: ...ites In other words a web site may contain particular pages that should be blocked without blocking the entire site NetDefendOS provides blocking down to the page level so that users may still access...

Страница 247: ...external WCF database is not accessible URLs are allowed even though they might be disallowed if the WCF databases were accessible Example 6 15 Enabling Dynamic Web Content Filtering This example show...

Страница 248: ...ites will still be accessible to the users This means the content filtering feature of NetDefendOS can then be used as an analysis tool to analysis what categories of websites are being accessed by a...

Страница 249: ...propriate sites will normally do so Other will avoid those sites due to the obvious risk of exposing their surfing habits Caution If a user overrides the restricted site notice page they are allowed t...

Страница 250: ...tent filtering is now activated for all web traffic from lannet to all nets and the user is able to propose reclassification of blocked sites Validate the functionality by following these steps 1 On a...

Страница 251: ...ified under the Gambling category if its content includes advertisement or encouragement of or facilities allowing for the partaking of any form of gambling For money or otherwise This includes online...

Страница 252: ...ategory 9 Dating Sites A web site may be classified under the Dating Sites category if its content includes facilities to submit and review personal advertisements arrange romantic meetings with other...

Страница 253: ...be classified under the Personal Beliefs Cults category if its content includes the description or depiction of or instruction in systems of religious beliefs and practice Examples might be www paganf...

Страница 254: ...idth This category also includes Phishing URLs which designed to capture secret user authentication details by pretending to be a legitimate organization Examples might be hastalavista baby nu Categor...

Страница 255: ...ocking List This category is populated by URLs specified by a government agency and contains URLs that are deemed unsuitable for viewing by the general public by way of their very extreme nature Examp...

Страница 256: ...spictured cnn com features 2002 swimsuit Category 31 Spam A web site may be classified under the Spam category if it is found to be contained in bulk or spam emails Examples might be kaqsovdij gjibhgk...

Страница 257: ...ed 8 Press Save to save the changes 9 Click OK to exit editing 10 Go to User Authentication User Authentication Rules 11 Select the relevant HTML ALG and click the Agent Options tab 12 Set the HTTP Ba...

Страница 258: ...er in Section 2 1 6 Secure Copy 4 Using the CLI the relevant HTTP ALG should now be set to use the mytxt banner files If the ALG us called my_http_alg the command would be set ALG_HTTP my_http_alg HTT...

Страница 259: ...tion Most importantly it can act as a backup for when local client antivirus scanning is not available Enabling Through ALGs NetDefendOS Anti Virus is enabled on a per ALG basis It is available for fi...

Страница 260: ...e two scanning processes can occur simultaneously and operate at different protocol levels If IDP is enabled it scans all packets designated by a defined IDP rule and does not take notice of the highe...

Страница 261: ...ing is active but logging is the only action C Protect Anti Virus is active Suspect files are dropped and logged Fail mode behavior If a virus scan fails for any reason then the transfer can be droppe...

Страница 262: ...es that can be checked are listed in Appendix C Verified MIME filetypes Setting the Correct System Time It is important that a NetDefendOS has the correct system time set if the auto update feature in...

Страница 263: ...irus Blocking the server s IP address would only consume blocking entries in the switches For NetDefendOS to know which hosts and servers to block the administrator has the ability to specify a networ...

Страница 264: ...ated in the ALG dropdown list 6 Click OK C Finally modify the NAT rule called NATHttp in this example to use the new service 1 Go to Rules IP Rules 2 In the grid control click the NAT rule handling th...

Страница 265: ...t operates by monitoring network traffic as it passes through the D Link Firewall searching for patterns that indicate an intrusion is being attempted Once detected NetDefendOS IDP allows steps to be...

Страница 266: ...a NetDefendOS installation and also that the database is regularly updated with the latest intrusion threats Figure 6 7 IDP Database Updating A new updated signature database is downloaded automatica...

Страница 267: ...nformation about HA clusters refer to Chapter 11 High Availability 6 5 3 IDP Rules Rule Components An IDP Rule defines what kind of traffic or service should be analyzed An IDP Rule is similar in make...

Страница 268: ...isting connection This provides the firewall administrator with a way to detect any traffic that appears to be an intrusion With this option the only possible IDP Rule Action is logging Caution should...

Страница 269: ...atterns of data in the stream Recommended Configuration By default Insertion Evasion protection is enabled for all IDP rules and this is the recommended setting for most configurations There are two m...

Страница 270: ...etect events that may be intrusions They have lower accuracy than IPS and may give some false positives so that s recommended that the Audit action is initially used before deciding to use Protect Pol...

Страница 271: ...ashion with matching for the signatures for the first action specified being done first IDP Signature Wildcarding When selecting IDP signature groups it is possible to use wildcarding to select more t...

Страница 272: ...mmary of IDP events that have occurred in a user configurable period of time When an IDP event occurrs the NetDefendOS will wait for Hold Time seconds before sending the notification email However the...

Страница 273: ...es 1 Go to IDP IDP Rules 2 Select a rule in the grid right click and choose Edit 3 Select the action you wish to log and choose Edit 4 Check the Enable logging checkbox in the Log Settings tab 5 Click...

Страница 274: ...L_SMTP Web Interface Create IDP Rule This IDP rule is called IDPMailSrvRule and applies to the SMTP service Source Interface and Source Network define where traffic is coming from in this example the...

Страница 275: ...in order to match all SMTP attacks Signatures is set to IPS_MAIL_SMTP in order to use signatures that describe attacks from the external network dealing with the SMTP protocol 1 Go to IDP IDP Rules I...

Страница 276: ...med Internet connections and business critical systems in overload This section deals with using D Link Firewalls to protect organizations against these attacks 6 6 2 DoS Attack Mechanisms A DoS attac...

Страница 277: ...h in turn generates yet another response to itself etc This will either bog the victim s machine down or make it crash The attack is accomplished by using the victim s IP address in the source field o...

Страница 278: ...addresses will be those of the amplifier networks used Fraggle attacks will show up in NetDefendOS logs as masses of dropped or allowed depending on policy packets The source IP addresses will be thos...

Страница 279: ...bject has an ALG associated with it then the ALG will be disabled 6 6 9 The Jolt2 Attack The Jolt2 attack works by sending a steady stream of identical fragments at the victim machine A few hundred pa...

Страница 280: ...Blacklisting If there are established connections that have the same source as this new Blacklist entry then they will not be dropped if this option is set IP addresses or networks are added to the l...

Страница 281: ...iewed with the command gw world blacklist show black This blacklist command can be used to remove a host from the blacklist using the unblock option Example 6 22 Adding a Host to the Whitelist In this...

Страница 282: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 282...

Страница 283: ...tion NAT Static Address Translation SAT Both types of translation are policy based in NetDefendOS which means that they can be applied to specific traffic based on the source destination network inter...

Страница 284: ...32 768 simultaneous NAT connections that can use the same translated source IP address This is normally adequate for all but the most extreme scenarios The Source IP Address Used for Translation Ther...

Страница 285: ...server then processes the packet and sends its response 195 55 66 77 80 195 11 22 33 32789 4 NetDefendOS receives the packet and compares it to its list of open connections Once it finds the connecti...

Страница 286: ...the same server using different IP protocols Several internal machines can not communicate with the same external server using the same IP protocol Note These restrictions apply only to IP level proto...

Страница 287: ...hey are coming from the anonymizing service provider s external IP address and not the client s IP The application therefore sends its responses back to the firewall which relays the traffic back to t...

Страница 288: ...s The advantage of the stateful approach is that it can balance connections across several external ISP links while ensuring that an external host will always communicate back to the same IP address w...

Страница 289: ...IP Pool Usage When allocating external IP addresses to a NAT Pool it is not necessary to explicitly state these Instead a NetDefendOS IP Pool object can be selected IP Pools gather collections of IP a...

Страница 290: ...NAT Pools Add NAT Pool 2 Now enter Name stateful_natpool Pool type stateful IP Range nat_pool_range 3 Select the Proxy ARP tab and add the WAN interface 4 Click OK C Now define the NAT rule in the IP...

Страница 291: ...ual Server in some other manufacturer s products Example 7 3 Enabling Traffic to a Protected Web Server in a DMZ In this example we will create a SAT policy that will translate and allow connections f...

Страница 292: ...nternal machines to be dynamically address translated to the Internet In this example we use a rule that permits everything from the internal network to access the Internet via NAT hide Action Src Ifa...

Страница 293: ...Enabling Traffic to a Web Server on an Internal Network The example we have decided to use is that of a web server with a private address located on an internal network From a security standpoint thi...

Страница 294: ...ket to wan_ip to reach www ourcompany com 10 0 0 3 1038 195 55 66 77 80 NetDefendOS address translates this statically in accordance with rule 1 and dynamically in accordance with rule 2 10 0 0 1 3278...

Страница 295: ...the public IP addresses on the wan interface using the ARP publish mechanism Create a SAT rule that will perform the translation Create an Allow rule that will permit the incoming HTTP connections CL...

Страница 296: ...Now enter Mode Publish Interface wan IP Address 195 55 66 77 3 Click OK and repeat for all 5 public IP addresses Create a SAT rule for the translation 1 Go to Rules IP Rules Add IPRule 2 Specify a su...

Страница 297: ...ort Address Translation PAT can be used to modify the source or destination port Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any all nets wan wwwsrv_pub TCP 80 85 SETDEST 192 168 0 5...

Страница 298: ...lating the sender address whilst the other is translating the destination address Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any all nets core wwwsrv_pub TCP 80 85 SETDEST 192 168 0...

Страница 299: ...ETDEST wwwsrv 80 2 SAT lan wwwsrv any all nets 80 All SETSRC wan_ip 80 3 NAT lan lannet any all nets All 4 FwdFast any all nets core wan_ip http 5 FwdFast lan wwwsrv any all nets 80 All What happens n...

Страница 300: ...mechanism 7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 300...

Страница 301: ...7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 301...

Страница 302: ...em is that the feature often cannot be replaced if it is lost Methods B and C are therefore the most common in network security However these have drawbacks keys might be intercepted passcards might b...

Страница 303: ...Changed on a regular basis such as every three months 8 1 Overview Chapter 8 User Authentication 303...

Страница 304: ...efendOS A RADIUS server which is external to the D Link Firewall An LDAP Server which is also external to the D Link Firewall 8 2 2 The Local Database The Local User Database is a built in registry in...

Страница 305: ...nk Firewall acting as a client to one or more LDAP servers Multiple servers can be configured to provide redundancy if any servers become unreachable Setting Up LDAP Authentication There are two steps...

Страница 306: ...ame Username Postfix When authenticating this will add domain name after the username If the choice is other than None the Domain Name parameter option described below should be specified Routing Tabl...

Страница 307: ...user is authenticated 2 The server replies with a negative response and the user is not authenticated 3 The server does not respond within the Timeout period specified for the server If only one serve...

Страница 308: ...S would theoretically need to retrieve the password or password digest from the LDAP server However LDAP doesn t support either To solve the password authentication problem an optional Password Attrib...

Страница 309: ...he D Link Firewall is to be prompted for a username password login sequence Authentication Rules are set up in a way that is similar to other NetDefendOS security policies by specifying which traffic...

Страница 310: ...h is that a single authentication database must be used for all IPsec tunnels Connection Timeouts An Authentication Rule can specify the following timeouts related to a user session Idle Timeout How l...

Страница 311: ...the IP rule set That rule s Source Network object has either the No Defined Credentials option enabled or alternatively it is associated with a group and the user is also a member of that group 8 If...

Страница 312: ..._ip IP address which is the IP address of the interface on the D Link Firewall where the local network connects The second rule allows normal surfing activity but we cannot just use lannet as the sour...

Страница 313: ...oup names here separated by a comma users for this example 3 Click OK 4 Repeat Step B to add all the lannet users having the membership of users group into the lannet_auth_users folder Example 8 2 Use...

Страница 314: ...following steps illustrate how a RADIUS server is typically configured Web Interface 1 User Authentication External User Databases Add External User Database 2 Now enter a Name Enter a name for the se...

Страница 315: ...available for editing have the following names FormLogin LoginSuccess LoginFailure LoginAlreadyDone LoginChallenge LoginChallengeTimeout LoginSuccess LoginSuccessBasicAuth LoginFailure FileNotFound Ed...

Страница 316: ...he HTML source that appears in the text box for the Forbidden URL page 7 Use Preview to check the layout if required 8 Press Save to save the changes 9 Click OK to exit editing 10 Go to Objects ALG an...

Страница 317: ...load command would be pscp my html admin 10 5 62 11 HTTPAuthBanners ua_html FormLogin The usage of SCP clients is explained further in Section 2 1 6 Secure Copy 4 Using the CLI the relevant user authe...

Страница 318: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 318...

Страница 319: ...ally important that the recipient can verify that no one is falsifying data in other words pretending to be someone else Virtual Private Networks VPNs meet this need providing a highly cost effective...

Страница 320: ...yed hashes Non repudiation Proof that the sender actually sent the data the sender cannot later deny having sent it Non repudiation is usually a side effect of authentication VPNs are normally only co...

Страница 321: ...e it is usually possible to dictate the types of communication permitted and NetDefendOS VPN has this feature 9 1 4 Key Distribution Key distribution schemes are best planned in advance Issues that ne...

Страница 322: ...ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 322...

Страница 323: ...bject if the default algorithm proposal lists do not provide a set of algorithms that are acceptable to the tunnel remote end point This will depend on the capabilities of the device at the other end...

Страница 324: ...keys but sometimes it may be desirable to use X 509 certificates instead If this is the case Certificate Authority CA signed certificates may be used and these come from an internal CA server or from...

Страница 325: ...rations for certificate validation 9 2 3 IPsec Roaming Clients with Pre shared Keys This section details the setup with roaming clients connecting through an IPsec tunnel with pre shared keys There ar...

Страница 326: ...ets 0 0 0 0 0 2 The IPsec Tunnel object ipsec_tunnel should have the following parameters Set Local Network to lannet Set Remote Network to all nets Set Remote Endpoint to all nets Set Encapsulation m...

Страница 327: ...psec_tunnel Configuring IPsec Clients In both cases A and B above the IPsec client will need to be correctly configured The client configuration will require the following with as well as the pre shar...

Страница 328: ...hat an IP address might be accidentally used on the internal network and handed out to a client Use a new address range that is totally different to any internal network This prevents any chance of an...

Страница 329: ...ules should be defined in the IP rule set Action Src Interface Src Network Dest Interface Dest Network Service Allow l2tp_tunnel l2tp_pool any int_net All NAT ipsec_tunnel l2tp_pool ext all nets All T...

Страница 330: ...ot being able to NAT PPTP connections through a tunnel so multiple clients can use a single connection to the D Link Firewall If NATing is tried then only the first client that tries to connect will s...

Страница 331: ...ts 0 0 0 0 0 4 Now set up the IP rules in the IP rule set Action Src Interface Src Network Dest Interface Dest Network Service Allow pptp_tunnel pptp_pool any int_net All NAT pptp_tunnel pptp_pool ext...

Страница 332: ...detail 9 3 2 Internet Key Exchange IKE This section describes IKE the Internet Key Exchange protocol and the parameters that are used with it Encrypting and authenticating data is fairly straightforw...

Страница 333: ...of how to protect IPsec data flows The VPN device initiating an IPsec connection will send a list of the algorithms combinations it supports for protecting the connection and it is then up to the devi...

Страница 334: ...subsequent keys can be derived Once the phase 2 negotiation is finished the VPN connection is established and ready for use IKE Parameters There are a number of parameters used in the negotiation pro...

Страница 335: ...ode Main Aggressive Mode The IKE negotiation has two modes of operation main mode and aggressive mode The difference between these two is that aggressive mode will pass more information in fewer packe...

Страница 336: ...n This value must be set greater than the IPsec SA lifetime PFS With Perfect Forwarding Secrecy PFS disabled initial keying material is created during the key exchange in phase 1 of the IKE negotiatio...

Страница 337: ...ryption and authentication session keys If the VPN connection has not been used during the last re key period the connection will be terminated and re opened from scratch when the connection is needed...

Страница 338: ...lnerable for something called replay attacks meaning a malicious entity which has access to the encrypted traffic can record some packets store them and send them to its destination at a later time Th...

Страница 339: ...the added complexity Certificate based authentication may be used as part of a larger public key infrastructure making all VPN clients and firewalls dependent on third parties In other words there are...

Страница 340: ...aversal Both IKE and IPsec protocols present a problem in the functioning of NAT Both protocols were not designed to work through NATs and because of this a technique called NAT traversal has evolved...

Страница 341: ...raversal functionality is completely automatic and in the initiating firewall no special configuration is needed However for responding firewalls two points should be noted On responding firewalls the...

Страница 342: ...d while being transmitted Note that this example does not illustrate how to add the specific IPsec tunnel object It will also be used in a later example CLI First create a list of IPsec Algorithms gw...

Страница 343: ...Shared key This example shows how to create a Pre shared Key and apply it to a VPN tunnel Since regular words and phrases are vulnerable to dictionary attacks they should not be used as secrets Here t...

Страница 344: ...st contains one or more identities IDs where each identity corresponds to the subject field in a certificate Identification lists can thus be used to regulate what certificates that are given access t...

Страница 345: ...ink com 6 Click OK Finally apply the Identification List to the IPsec tunnel 1 Go to Interfaces IPsec 2 In the grid control click on the IPsec tunnel object of interest 3 Under the Authentication tab...

Страница 346: ...he remote firewall specified by the matching IPsec Tunnel definition Note IKE and ESP AH traffic are sent to the IPsec engine before the rule set is consulted Encrypted traffic to the firewall therefo...

Страница 347: ...n from everywhere irrespective of their IP address then the Remote Network needs to be set to all nets IP address 0 0 0 0 0 which will allow all existing IPv4 addresses to connect through the tunnel W...

Страница 348: ...firewall IP wan_ip Web Interface A Create a Self signed Certificate for IPsec authentication The step to actually create self signed certificates is performed outside the WebUI using a suitable softw...

Страница 349: ...f steps Most importantly it is the responsibility of the administrator to acquire the appropriate certificate from an issuing authority With some systems such as Windows 2000 Server there is built in...

Страница 350: ...Certificates as the authentication method Root Certificate s Select your CA server root certificate imported earlier and add it to the Selected list Gateway Certificate Choose your newly created fire...

Страница 351: ...BNS WINS resolution already provided by an IP Pool DHCP Instructs the host to send any internal DHCP requests to this address Subnets A list of the subnets that the client can access Example 9 7 Setti...

Страница 352: ...this information is missing or the administrator wishes to use another LDAP server The LDAP configuration section can then be used to manually specify alternate LDAP servers Example 9 9 Setting up an...

Страница 353: ...e referred to in this section as the client and server In this context the word client is used to refer to the device which is the initiator of the negotiation and the server refers to the device whic...

Страница 354: ...ta length 16 bytes Vendor ID 8f 9c c9 4e 01 24 8e cd f1 47 59 4c 28 4b 21 3b Description SSH Communications Security QuickSec 2 1 0 VID Vendor ID Payload data length 16 bytes Vendor ID 27 ba b5 dc 01...

Страница 355: ...ies 0x6098238b67d97ea6 0x5e347cb76e95a Message ID 0x00000000 Packet length 224 bytes payloads 8 Payloads SA Security Association Payload data length 52 bytes DOI 1 IPsec DOI Proposal 1 1 Protocol 1 1...

Страница 356: ...tion main mode ISAKMP Version 1 0 Flags Cookies 0x6098238b67d97ea6 0x5e347cb76e95a Message ID 0x00000000 Packet length 220 bytes payloads 4 Payloads KE Key Exchange Payload data length 128 bytes NONCE...

Страница 357: ...y flag used ID Identification of the client The Notification field is given as Initial Contact to indicate this is not a re key Step 6 Server ID Response The server now responds with its own ID IkeSno...

Страница 358: ...e type Seconds SA life duration 21600 SA life type Kilobytes SA life duration 50000 Encapsulation mode Tunnel Transform 3 4 Transform ID Blowfish Key length 128 Authentication algorithm HMAC MD5 SA li...

Страница 359: ...ersion 1 0 Flags E encryption Cookies 0x6098238b67d97ea6 0x5e347cb76e95a Message ID 0xaa71428f Packet length 156 bytes payloads 5 Payloads HASH Hash Payload data length 16 bytes SA Security Associatio...

Страница 360: ...les Default 4 times the license limit of IPsec Max Tunnels IPsec Max Tunnels Specifies the total number of tunnels allowed by NetDefendOS This value is usually taken from the license but in situations...

Страница 361: ...icate may in turn be signed by another CA which may be signed by another CA and so on Each certificate will be verified until one that has been marked as trusted is found or until it is determined tha...

Страница 362: ...for this setting is that it is the amount of time in tens of seconds that an SA will remain in the dead cache after a delete An SA is put in the dead cache when the other side of the tunnel has not r...

Страница 363: ...lementation PPTP can be used in the VPN context to tunnel different protocols across the Internet Tunneling is achieved by encapsulating PPP packets in IP datagrams using Generic Routing Encapsulation...

Страница 364: ...m Allowed Networks 6 Click OK Use User Authentication Rules is enabled as default To be able to authenticate the users using the PPTP tunnel you also need to configure authentication rules which will...

Страница 365: ...d Networks control 6 Click OK Use User Authentication Rules is enabled as default To be able to authenticate the users using the PPTP tunnel you also need to configure authentication rules which is no...

Страница 366: ...ransport e IKE Algorithms High f IPsec Algorithms esp l2tptunnel 4 Enter 3600 in the IPsec Life Time seconds control 5 Enter 250000 in the IPsec Life Time kilobytes control 6 Under the Authentication...

Страница 367: ...Web Interface 1 Go to User Authentication User Authentication Rules Add UserAuthRule 2 Enter a suitable name for the rule for example L2TP_Auth 3 Now enter Agent PPP Authentication Source Local Interf...

Страница 368: ...ervices Source Interface l2tp_tunnel Source Network l2tp_pool Destination Interface any Destination Network all nets 8 Click OK 9 5 3 L2TP PPTP Server advanced settings The following L2TP PPTP server...

Страница 369: ...ress If this network object exists and has a value which is not 0 0 0 0 then the PPTP L2TP client will try to get that one from the PPTP L2TP server as the preferred IP Automatically pick name If this...

Страница 370: ...ting as a PPTP client which is trying to connect to the PPTP server then this will not work because of the NATing The only way of achieving multiple PPTP clients being NATed like this is for the D Lin...

Страница 371: ...The following scenarios are possible 1 The CA server is a private server behind the D Link Firewall and the tunnels are set up over the public Internet but to clients that will not try to validate the...

Страница 372: ...ion Components CA Server Access by Clients In a VPN tunnel with roaming clients connecting to the D Link Firewall the VPN client software may need to access the CA server Not all VPN client software w...

Страница 373: ...must be configured in NetDefendOS so that these requests can be resolved Turning Off FQDN Resolution As explained in the troubleshooting section below identifying problems with CA server access can b...

Страница 374: ...IP also belongs to the network behind the D Link Firewall accessible through a tunnel then Windows will still continue to assume that the IP address is to be found on the client s local network Window...

Страница 375: ...14 237 225 43 84 13 193 179 84 13 193 179 IPsec_Tun1 192 168 0 0 24 172 16 1 0 24 82 242 91 203 To examine the first IKE negotiation phase of tunnel setup use ipsecstat ike To get complete details of...

Страница 376: ...the management traffic being routed back through the VPN tunnel instead of the correct interface This happens when a route is established in the main routing table which routes any traffic for all ne...

Страница 377: ...Management Interface Failure with VPN Chapter 9 VPN 377...

Страница 378: ...ater in this chapter DSCP bits can be used by the NetDefendOS traffic shaping subsystem as a basis for prioritizing traffic passing through the D Link Firewall The Traffic Shaping Solution Architectur...

Страница 379: ...are Pipes Pipe Rules Pipes A Pipe is the fundamental object for traffic shaping and is a conceptual channel through which packets of data can flow It has various characteristics that define how traff...

Страница 380: ...rm a Chain of pipes through which traffic will pass A chain can be made up of at most 8 pipes If no pipe is specified in a list then traffic that matches the rule will not flow through any pipe but it...

Страница 381: ...e passed through the pipe and this is done by using the pipe in a Pipe Rule We will use the above pipe to limit inbound traffic This limit will apply to the actual data packets and not the connections...

Страница 382: ...forward chain will not work since you probably want 2 Mbps limit for outbound traffic to be separate from the 2 Mbps limit for inbound traffic If we try to pass 2 Mbps of outbound traffic through the...

Страница 383: ...created earlier Unfortunately this will not achieve the desired effect which is allocating a maximum of 125 kbps to inbound surfing traffic as part of the 250 kbps total Inbound traffic will pass thro...

Страница 384: ...of the Diffserv architecture where the Type of Service ToS bits are included in the IP packet header Pipe Precedences When a pipe is configured a Default Precedence a Minimum Precedence and a Maximum...

Страница 385: ...a higher priority than all other traffic To do this we add a Pipe Rule specifically for SSH and Telnet and set the priority in the rule to be a higher priority say 2 We specify the same pipes in this...

Страница 386: ...es not pose much of a problem here but it becomes more pronounced as your traffic shaping scenario becomes more complex The number of precedences is limited This may not be sufficient in all cases eve...

Страница 387: ...ss so that port 1024 of computer A is not the same as port 1024 of computer B and individual connections are identifiable If grouping by network is chosen the network size should also be specified thi...

Страница 388: ...it per user to about 13 kbps 64 kbps divided by 5 users Dynamic Balancing takes place within each precedence of a pipe individually This means that if users are allotted a certain small amount of high...

Страница 389: ...ded for NetDefendOS to adapt to changing conditions Attacks on Bandwidth Traffic shaping cannot protect against incoming resource exhaustion attacks such as DoS attacks or other flooding attacks NetDe...

Страница 390: ...rwarded basis Within a pipe traffic can also be separated on a Group basis For example by source IP address Each user in a group for example each source IP address can be given a maximum limit and pre...

Страница 391: ...amic Balancing enabled on the pipes means that all users will be allocated a fair share of this capacity Using Several Precedences We now extend the above example by allocating priorities to different...

Страница 392: ...fic shaping is occurring inside a single D Link Firewall VPN is typically used for communication between a headquarters and branch offices in which case pipes can control traffic flow in both directio...

Страница 393: ...site is guaranteed 500 kbps of capacity before it is forced to best effort SAT with Pipes If SAT is being used for example with a web server or ftp server that traffic also needs to be forced into pi...

Страница 394: ...is a combination of these two features where traffic flows identified by the IDP subsystem automatically trigger the setting up of traffic shaping pipes to control those flows 10 2 2 Setup The steps...

Страница 395: ...s a source or destination IP that is the same as the connection that did trigger a rule If the source or destination is also a member of the IP range specified as the Network then the connection s tra...

Страница 396: ...ansfer The sequence of events is The client with IP address 192 168 1 15 initiates a P2P file transfer through a connection 1 to the tracking server at 81 150 0 10 This connection triggers an IDP rule...

Страница 397: ...istinctive naming convention which is explained next Pipe Naming NetDefendOS names the pipes it automatically creates in IDP Traffic Shaping using the pattern IDPPipe_ bandwidth for pipes with upstrea...

Страница 398: ...ffic Shaping generates log messages on the following events When an IDP rule with the Pipe option has triggered and either host or client is present in the Network range When the subsystem adds a host...

Страница 399: ...onditions A Threshold has the following parameters Action The response to exceeding the limit either Audit or Protect Group By Either Host or Network based Threshold The numerical limit which must be...

Страница 400: ...10 3 7 Threshold Rules and ZoneDefense Threshold Rules are used in the D Link ZoneDefense feature to block the source of excessive connection attmepts from internal hosts For more information on this...

Страница 401: ...rmance of applications but also scalability by allowing a cluster of multiple servers sometimes referred to as a server farm to handle many more requests than a single server The illustration below sh...

Страница 402: ...e are following issues should be considered when deploying SLB The servers across which the load is to be balanced The load distribution mode The SLB algorithm used The monitoring method Each of these...

Страница 403: ...t stickiness it will behave as a Round Robin algorithm that allocates new connections to servers in an orderly fashion It will also behave like the Round Robin algorithm if there are always clients wi...

Страница 404: ...ead R1 and R2 will be sent to the same server because of stickiness but the subsequent requests R3 and R4 will be routed to another server since the number of new connections on each server within the...

Страница 405: ...up which included all these objects 3 Define an SLB_SAT Rule in the IP rule set which refers to this Group and where all other SLB parameters are defined 4 Define a further rule that duplicates the so...

Страница 406: ...ame for example server1 3 Enter the IP Address as 192 168 1 10 4 Click OK 5 Repeat the above to create an object called server2 for the 192 168 1 11 IP address B Create a Group which contains the 2 we...

Страница 407: ...Allow IP rule for the external clients 1 Go to Rules IP Rule Sets main Add IP Rule 2 Enter Name Web_SLB_ALW Action Allow Service HTTP Source Interface any Source Network all nets Destination Interfac...

Страница 408: ...10 4 6 SLB_SAT Rules Chapter 10 Traffic Management 408...

Страница 409: ...s sometimes known as an active passive HA implementation The Master and Active Units When reading this section on HA it should be kept in mind that the master unit in a cluster is not always the same...

Страница 410: ...rate between two D Link Firewalls As the internal operation of different firewall manufacturer s software is completely dissimilar there is no common method available to communicating state informatio...

Страница 411: ...e sending firewall The destination IP is the broadcast address on the sending interface The IP TTL is always 255 If NetDefendOS receives a cluster heartbeat with any other TTL it is assumed that the p...

Страница 412: ...ndOS cluster has the Anti Virus or IDP subsystems enabled then updates to the Anti Virus signature database or IDP pattern database will routinely occur These updates involve downloads from the extern...

Страница 413: ...on the master and slave which is to be used by the units for monitoring each other and connect them together with an Ethernet crossover cable This will be the NetDefendOS sync interface It is recomme...

Страница 414: ...ed If an interface is not assigned an individual address through an IP4 HA Address object then it must be assigned the default address localhost which is an IP address from the subnet 127 0 0 0 8 ARP...

Страница 415: ...configuration log on to either the master or the slave make the change then save and activate The change is automatically made to both units 11 3 3 Verifying the Cluster is Functioning To verify that...

Страница 416: ...Use Unique Shared MAC Address By default this is enabled and in most configurations it should not need to be disabled The effect of enabling this setting is that a single unique MAC address will be us...

Страница 417: ...luster ID Changing the cluster ID in a live environment is not recommended for two reasons Firstly this will change the hardware address of the shared IPs and will cause problems for all units attache...

Страница 418: ...explanation of this setting see Section 11 3 4 Using Unique Shared Mac Addresses Default Enabled Deactivate Before Reconf If enabled this setting will make an active node failover to the inactive node...

Страница 419: ...11 5 HA Advanced Settings Chapter 11 High Availability 419...

Страница 420: ...old can be dynamically blocked using the ZoneDefense feature Thresholds are based on either the number of new connections made per second or on the total number of connections being made These connect...

Страница 421: ...3 02 B12 or later DES 3526 R3 x Version R3 06 B20 only DES 3526 R4 x Version R4 01 B19 or later DES 3550 R3 x Version R3 05 B38 only DES 3550 R4 x Version R4 01 B19 or later DES 3800 Series Version R2...

Страница 422: ...eeded The limit can be one of two types Connection Rate Limit This can be triggered if the rate of new connections per second to the firewall exceeds a specified threshold Total Connections Limit This...

Страница 423: ...ds this limitation the firewall will block the specific host in network range 192 168 2 0 24 for example from accessing the switch completely A D Link switch model DES 3226S is used in this case with...

Страница 424: ...g feature NetDefendOS can first identify a virus source through antivirus scanning and then block the source by communicating with switches configured to work with ZoneDefense This feature is activate...

Страница 425: ...or network one rule per switch port is needed When this limit has been reached no more hosts or networks will be blocked out Important ZoneDefense uses a range of the ACL rule set on the switch To avo...

Страница 426: ...12 3 5 Limitations Chapter 12 ZoneDefense 426...

Страница 427: ...47 Miscellaneous Settings page 448 13 1 IP Level Settings Log Checksum Errors Logs occurrences of IP packets containing erroneous checksums Normally this is the result of the packet being damaged duri...

Страница 428: ...he action taken on packets whose TTL falls below the stipulated TTLMin value Default DropLog Multicast TTL on Low What action to take on too low multicast TTL values Default DropLog Default TTL Indica...

Страница 429: ...g IP Options Timestamps Time stamp options instruct each router and firewall on the packet s route to indicate at what time the packet was forwarded along the route These options do not occur in norma...

Страница 430: ...ts equal to or smaller than the size specified by this setting Default 65535 bytes Multicast Mismatch option What action to take when ethernet and IP multicast addresses does not match Default DropLog...

Страница 431: ...cording to the next setting Default 1460 bytes TCP MSS VPN Max As is the case with TCPMSSMax this is the highest Maximum Segment Size allowed However this setting only controls MSS in VPN connections...

Страница 432: ...ACK individual packets instead of entire series which can increase the performance of connections experiencing extensive packet loss They are also used by OS Fingerprinting SACK is a common occurrence...

Страница 433: ...that a new connection is in the process of being opened and an URG flag means that the packet contains data requiring urgent attention These two flags should not be turned on in a single packet as the...

Страница 434: ...ingerprinting Note an upcoming standard called Explicit Congestion Notification also makes use of these TCP flags but as long as there are only a few operating systems supporting this standard the fla...

Страница 435: ...e most significant impact of this will be that common web surfing traffic short but complete transactions requested from a relatively small set of clients randomly occurring with an interval of a few...

Страница 436: ...ng limits how many Rejects per second may be generated by the Reject rules in the Rules section Default 500 Silently Drop State ICMPErrors Specifies if NetDefendOS should silently drop ICMP errors per...

Страница 437: ...etermining whether the remote peer is attempting to open a new connection Default Enabled Log State Violations Determines if NetDefendOS logs packets that violate the expected state switching diagram...

Страница 438: ...nostic and testing purposes since it generates unwieldy volumes of log messages and can also significantly impair throughput performance Default Disabled Dynamic Max Connections Allocate the Max Conne...

Страница 439: ...may idle before finally being closed Connections reach this state when a packet with its FIN flag on has passed in any direction Default 80 UDP Idle Lifetime Specifies in seconds how long UDP connecti...

Страница 440: ...ther Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before it is closed Default 130 13 5 Connection Timeout Settings Chapter 13 Advanced Settings 440...

Страница 441: ...any real time applications use large fragmented UDP packets If no such protocols are used the size limit imposed on UDP packets can probably be lowered to 1480 bytes Default 60000 Max ICMP Length Spec...

Страница 442: ...e of an IP in IP packet IP in IP is used by Checkpoint Firewall 1 VPN connections when IPsec is not used This value should be set at the size of the largest packet allowed to pass through the VPN conn...

Страница 443: ...track DropPacket Discards the illegal fragment and all previously stored fragments Will not allow further fragments of this packet to pass through during ReassIllegalLinger seconds DropLogPacket As Dr...

Страница 444: ...ts have been involved LogSuspectSubseq As LogSuspect but also logs subsequent fragments of the packet as and when they arrive LogAll Logs all failed reassembly attempts LogAllSubseq As LogAll but also...

Страница 445: ...send 1480 byte fragments and a router or VPN tunnel on the route to the recipient subsequently reduce the effective MTU to 1440 bytes This would result in the creation of a number of 1440 byte fragme...

Страница 446: ...ket has been marked as illegal NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving Default 60 13 7 Fragmentation...

Страница 447: ...oncurrent local reassemblies Default 256 Max Size Maximum size of a locally reassembled packet Default 10000 Large Buffers Number of large over 2K local reassembly buffers of the above size Default 32...

Страница 448: ...ssociated settings limit memory used by the re assembly subsystem This setting specifies how many connections can use the re assembly system at the same time It is expressed as a percentage of the tot...

Страница 449: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 449...

Страница 450: ...Registration manual which explains registration and update service procedures in more detail is available for download from the D Link website Subscription renewal In the Web interface go to Maintena...

Страница 451: ...db IDP To remove the Anti Virus database use the command gw world removedb Antivirus Once removed the entire system should be rebooted and a database update initiated Removing the database is also rec...

Страница 452: ...ITAS Backup solutions BOT_GENERAL Activities related to bots including those controlled by IRC channels BROWSER_FIREFOX Mozilla Firefox BROWSER_GENERAL General attacks targeting web browsers clients B...

Страница 453: ...on IP_OVERFLOW Overflow of IP protocol implementation IRC_GENERAL Internet Relay Chat LDAP_GENERAL General LDAP clients servers LDAP_OPENLDAP Open LDAP LICENSE_CA LICENSE License management for CA sof...

Страница 454: ...RSYNC_GENERAL Rsync SCANNER_GENERAL Generic scanners SCANNER_NESSUS Nessus Scanner SECURITY_GENERAL Anti virus solutions SECURITY_ISS Internet Security Systems software SECURITY_MCAFEE McAfee SECURITY...

Страница 455: ...ENERAL Virus VOIP_GENERAL VoIP protocol and implementation VOIP_SIP SIP protocol and implementation WEB_CF FILE INCLUSION Coldfusion file inclusion WEB_FILE INCLUSION File inclusion WEB_GENERAL Web ap...

Страница 456: ...letype extension Application 3ds 3d Studio files 3gp 3GPP multimedia file aac MPEG 2 Advanced Audio Coding File ab Applix Builder ace ACE archive ad3 Dec systems compressed Voice File ag Applix Graphi...

Страница 457: ...inHex 4 compressed archive icc Kodak Color Management System ICC Profile icm Microsoft ICM Color Profile file ico Windows Icon file imf Imago Orpheus module sound data Inf Sidplay info file it Impulse...

Страница 458: ...Network Graphic ppm PBM Portable Pixelmap Graphic ps PostScript file psa PSA archive data psd Photoshop Format file qt mov moov QuickTime Movie file qxd QuarkXpress Document ra ram RealMedia Streaming...

Страница 459: ...e Player Streaming Video file wav Waveform Audio wk Lotus 1 2 3 document wmv Windows Media file wrl vrml Plain Text VRML file xcf GIMP Image file xm Fast Tracker 2 Extended Module audio file xml XML f...

Страница 460: ...7 Layers of the OSI Model Layer number Layer purpose Layer 7 Application Layer 6 Presentation Layer 5 Session Layer 4 Transport Layer 3 Network Layer 2 Data Link Layer 1 Physical Layer Functions The d...

Страница 461: ...2600 Glostrup Copenhagen Denmark TEL 45 43 969040 FAX 45 43 424347 Website www dlink dk Egypt 47 El Merghany street Heliopolis Cairo Egypt TEL 202 2919035 202 2919047 FAX 202 2919051 Website www dlin...

Страница 462: ...6 Moscow 129626 Russia TEL 7 495 744 0099 FAX 7 495 744 0099 350 Website www dlink ru Singapore 1 International Business Park 03 12 The Synergy Singapore 609917 TEL 65 6774 6233 FAX 65 6774 6322 Websi...

Страница 463: ...LG 216 in the SMTP ALG 207 memory requirements 259 relationship with IDP 260 simultaneous scans 259 with zonedefense 263 application layer gateway see ALG ARP 94 advanced settings 97 98 cache 94 gratu...

Страница 464: ...8 categories 250 dynamic WCF 245 override 249 phishing 254 setup 246 site reclassification 249 spam 256 static 243 content filtering HTML customizing 256 core interface 81 core routes 129 customer web...

Страница 465: ...dentification lists 344 IDP 265 HTTP URI normalization 267 signature groups 270 signature wildcarding 271 SMTP log receivers 272 traffic shaping 394 IGMP advanced settings 164 configuration 159 rules...

Страница 466: ...ting 57 58 logout from CLI 36 Log Oversized Packets setting 442 Log Received TTL 0 setting 427 Log Reverse Opens setting 437 Log State Violations setting 437 loopback interfaces 80 Low Broadcast TTL A...

Страница 467: ...view 14 proposal lists 341 proxy ARP 135 Pseudo Reass Max Concurrent setting 443 Q QoS see quality of service quality of service 378 R RADIUS accounting 54 advanced settings 57 authentication 304 Reas...

Страница 468: ...Lifetime setting 439 TCP MSS Log Level setting 431 TCP MSS Max setting 431 TCP MSS Min setting 431 TCP MSS On High setting 431 TCP MSS on Low setting 431 TCP MSS VPN Max setting 431 TCP NULL setting...

Страница 469: ...ce over IP VPN 319 planning 320 quick start guide 323 troubleshooting 374 W Watchdog Time setting 448 WCF see web content filtering webauth 311 web content filtering 245 fail mode 247 whitelisting 246...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды