manualshive.com logo in svg

D-Link NetDefend DFL-260E, Руководство пользователя

D-Link NetDefend DFL-260E - мощный межсетевой экран с обширным функционалом. Пользователи могут загрузить Руководство по журналу регистрации событий с сайта manualshive.com бесплатно. Этот надежный мануал поможет вам использовать все возможности этого продукта для обеспечения безопасности вашей сети.

Поделиться
Скачать
background image

9.4. IPsec Tunnels

This section looks more closely at IPsec tunnels in NetDefendOS, their definition, options and
usage.

9.4.1. Overview

An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a
logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration
capabilities as regular interfaces.

Remote Initiation of Tunnel Establishment

When another NetDefend Firewall or another IPsec compliant networking product (also known as
the remote endpoint) tries to establish an IPsec VPN tunnel to a local NetDefend Firewall, the list of
currently defined IPsec tunnels in the NetDefendOS configuration is examined. If a matching tunnel
definition is found, that tunnel is opened. The associated IKE and IPsec negotiations then take place,
resulting in the tunnel becoming established to the remote endpoint.

Local Initiation of Tunnel Establishment

Alternatively, a user on a protected local network might try and access a resource which is located at
the end of an IPsec tunnel. In this case, NetDefendOS sees that the route for the IP address of the
resource is through a defined IPsec tunnel and establishment of the tunnel is then initiated from the
local NetDefend Firewall.

IP Rules Control Decrypted Traffic

Note that an established IPsec tunnel does not automatically mean that all the traffic flowing from
the tunnel is trusted. On the contrary, network traffic that has been decrypted will be checked
against the IP rule set. When doing this IP rule set check, the source interface of the traffic will be
the associated IPsec tunnel since tunnels are treated like interfaces in NetDefendOS.

In addition, a Route or an Access rule may have to be defined for roaming clients in order for
NetDefendOS to accept specific source IP addresses from the IPsec tunnel.

Returning Traffic

For network traffic going in the opposite direction, back into an IPsec tunnel, a reverse process takes
place. First, the unencrypted traffic is evaluated by the rule set. If a rule and route matches,
NetDefendOS tries to find an established IPsec tunnel that matches the criteria. If not found,
NetDefendOS will try to establish a new tunnel to the remote endpoint specified by a matching
IPsec tunnel definition.

No IP Rules Are Needed for the Enclosing IPsec Traffic

With IPsec tunnels, the administrator usually sets up IPsec rules that allow unencrypted traffic to
flow into the tunnel (the tunnel being treated as an NetDefendOS interface). However, it is normally
not necessary to set up IP rules that explicitly allow the packets that implement IPsec itself.

IKE and ESP packets are by default dealt with by the NetDefendOS's internal IPsec engine and the
IP rule set is not consulted.

This behavior can be changed in the IPsec advanced settings section with the IPsec Before Rules
setting. An example of why this might be done is if there are a high number of IPsec tunnel
connection attempts coming from a particular IP address or group of addresses. This can degrade the

9.4. IPsec Tunnels

Chapter 9. VPN

412

Содержание NetDefend DFL-260E

Страница 1: ...Network Security Solution http www dlink com NetDefendOS Ver 2 27 03 Network Security Firewall User Manual Security Security...

Страница 2: ...260 260E 800 860 860E DFL 1600 1660 2500 2560 2560G NetDefendOS Version 2 27 03 D Link Corporation No 289 Sinhu 3rd Rd Neihu District Taipei City 114 Taiwan R O C http www DLink com Published 2010 11...

Страница 3: ...ness for a particular purpose D Link reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of...

Страница 4: ...NMP Traps 60 2 2 7 Advanced Log Settings 61 2 3 RADIUS Accounting 62 2 3 1 Overview 62 2 3 2 RADIUS Accounting Messages 62 2 3 3 Interim Accounting Messages 64 2 3 4 Activating RADIUS Accounting 64 2...

Страница 5: ...5 3 8 Date and Time 137 3 8 1 Overview 137 3 8 2 Setting Date and Time 137 3 8 3 Time Servers 138 3 8 4 Settings Summary for Date and Time 141 3 9 DNS 144 4 Routing 147 4 1 Overview 147 4 2 Static Rou...

Страница 6: ...ing 298 6 3 4 Dynamic Web Content Filtering 300 6 4 Anti Virus Scanning 314 6 4 1 Overview 314 6 4 2 Implementation 314 6 4 3 Activating Anti Virus Scanning 315 6 4 4 The Signature Database 316 6 4 5...

Страница 7: ...art 387 9 2 1 IPsec LAN to LAN with Pre shared Keys 388 9 2 2 IPsec LAN to LAN with Certificates 389 9 2 3 IPsec Roaming Clients with Pre shared Keys 390 9 2 4 IPsec Roaming Clients with Certificates...

Страница 8: ...es 477 10 3 1 Overview 477 10 3 2 Limiting the Connection Rate Total Connections 477 10 3 3 Grouping 478 10 3 4 Rule Actions 478 10 3 5 Multiple Triggered Actions 478 10 3 6 Exempted Connections 478 1...

Страница 9: ...nnection Timeout Settings 523 13 6 Length Limit Settings 525 13 7 Fragmentation Settings 527 13 8 Local Fragment Reassembly Settings 531 13 9 Miscellaneous Settings 532 A Subscribing to Updates 534 B...

Страница 10: ...ode Internet Access 217 4 19 Transparent Mode Internet Access 217 4 20 Transparent Mode Scenario 1 219 4 21 Transparent Mode Scenario 2 220 4 22 An Example BPDU Relaying Scenario 223 5 1 DHCP Server O...

Страница 11: ...rver Load Balancing Configuration 480 10 10 Connections from Three Clients 483 10 11 Stickiness and Round Robin 484 10 12 Stickiness and Connection rate 484 D 1 The 7 Layers of the OSI Model 544 User...

Страница 12: ...ing a PPPoE Client 107 3 12 Creating an Interface Group 111 3 13 Displaying the ARP Cache 113 3 14 Flushing the ARP Cache 113 3 15 Defining a Static ARP Entry 114 3 16 Adding an Allow IP Rule 126 3 17...

Страница 13: ...g Content Filtering HTTP Banner Files 312 6 19 Activating Anti Virus Scanning 318 6 20 Configuring an SMTP Log Receiver 328 6 21 Setting up IDP for a Mail Server 329 6 22 Adding a Host to the Whitelis...

Страница 14: ...n a browser in a new window some systems may not allow this For example http www dlink com Screenshots This guide contains a minimum of screenshots This is deliberate and is done because the manual de...

Страница 15: ...g emphasized or something that is not obvious or explicitly stated in the preceding text Tip This indicates a piece of non critical information that is useful to know in certain situations but is not...

Страница 16: ...t ways This granular control allows the administrator to meet the requirements of the most demanding network security scenarios Key Features NetDefendOS has an extensive feature set The list below pre...

Страница 17: ...rusion Detection and Prevention IDP engine The IDP engine is policy based and is able to perform high performance scanning and detection of attacks and can perform blocking and optional black listing...

Страница 18: ...e NetDefendOS can be used to control D Link switches using the ZoneDefense feature This allows NetDefendOS to isolate portions of a network that contain hosts that are the source of undesirable networ...

Страница 19: ...ation as the NetDefendOS state engine 1 2 2 NetDefendOS Building Blocks The basic building blocks in NetDefendOS are interfaces logical objects and various types of rules or rule sets Interfaces Inter...

Страница 20: ...none the above is true the receiving Ethernet interface becomes the source interface for the packet 3 The IP datagram within the packet is passed on to the NetDefendOS Consistency Checker The consist...

Страница 21: ...If a match is found the IDP data is recorded with the state By doing this NetDefendOS will know that IDP scanning is supposed to be conducted on all packets belonging to this connection 9 The Traffic...

Страница 22: ...ing such as encryption or encapsulation might occur The next section provides a set of diagrams illustrating the flow of packets through NetDefendOS 1 2 3 Basic Packet Flow Chapter 1 NetDefendOS Overv...

Страница 23: ...are three diagrams each flowing into the next It is not necessary to understand these diagrams however they can be useful as a reference when configuring NetDefendOS in certain situations Figure 1 1 P...

Страница 24: ...Figure 1 2 Packet Flow Schematic Part II The packet flow is continued on the following page 1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 24...

Страница 25: ...Figure 1 3 Packet Flow Schematic Part III 1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 25...

Страница 26: ...elow presents the detailed logic of the Apply Rules function in Figure 1 2 Packet Flow Schematic Part II above Figure 1 4 Expanded Apply Rules Logic 1 3 NetDefendOS State Engine Packet Flow Chapter 1...

Страница 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27...

Страница 28: ...dOS provides the following management interfaces The Web Interface The Web Interface also known as the Web User Interface or WebUI is built into NetDefendOS and provides a user friendly and intuitive...

Страница 29: ...can be permitted for administrative users on a certain network while at the same time allowing CLI access for a remote administrator connecting through a specific IPsec tunnel By default Web Interface...

Страница 30: ...kstation IP The default management Ethernet interface of the firewall and the external workstation computer s Ethernet interface must be members of the same logical IP network for communication betwee...

Страница 31: ...browser to allow the NetDefendOS Setup Wizard to run since this appears in a popup window Multi language Support The Web Interface login dialog offers the option to select a language other than Engli...

Страница 32: ...buttons and drop down menus that are used to perform configuration tasks as well as for navigation to various tools and status pages Home Navigates to the first page of the Web Interface Configuration...

Страница 33: ...tree is divided into a number of sections corresponding to the major building blocks of the configuration The tree can be expanded to expose additional sections and the selected set of objects are dis...

Страница 34: ...then all management traffic coming from NetDefendOS will automatically be routed into the VPN tunnel If this is the case then a route should be added by the administrator to route management traffic...

Страница 35: ...t of types and mainly used with tab completion which is described below Tip Getting help about help Typing the CLI command gw world help help will give information about the help command itself The CL...

Страница 36: ...names are recommended Even though it is optional it is still recommended that a Name value is entered for rules in order to make examining the configuration easier Tab Completion of Parameter Values...

Страница 37: ...fter pressing tab Not all object types belong in a category The object type UserAuthRule is a type without a category and will appear in the category list after pressing tab at the beginning of a comm...

Страница 38: ...LI Reference Guide lists the parameter options available for each NetDefendOS object including the Name and Index options Using Unique Names For convenience and clarity it is recommended that a name i...

Страница 39: ...nal or the serial connector of the computer running the communications software 4 Press the enter key on the terminal The NetDefendOS login prompt should appear on the terminal screen SSH Secure Shell...

Страница 40: ...he default password of the admin account from admin to something else as soon as possible after initial startup User passwords can be any combination of characters and cannot be greater than 256 chara...

Страница 41: ...in at the time of the commit will require that the user logs in again This is because the Web Interface view of the configuration may no longer be valid Checking Configuration Integrity After changing...

Страница 42: ...to the ISP s gateway In other words Internet access has been enabled for the NetDefend Firewall Managing Management Sessions with sessionmanager The CLI provides a command called sessionmanager for ma...

Страница 43: ...script command is the tool used for script management and execution The complete syntax of the command is described in the CLI Reference Guide and specific examples of usage are detailed in the follow...

Страница 44: ...before it is referred to then this can result in a confused and disjointed script file and in large script files it is often preferable to group together CLI commands which are similar Error Handling...

Страница 45: ...cts needs to be copied between multiple NetDefend Firewalls then one way to do this with the CLI is to create a script file that creates the required objects and then upload to and run the same script...

Страница 46: ...en the CLI node type in the script create command is one of COMPortDevice Ethernet EthernetDevice Device If one of these node types is used then the error message script file empty is returned by NetD...

Страница 47: ...able summarizes the operations that can be performed between an SCP client and NetDefendOS File type Upload possible Download possible Configuration Backup config bak Yes also with WebUI Yes also with...

Страница 48: ...and would be scp config bak admin1 10 5 62 11 To download a configuration backup to the current local directory the command would be scp admin1 10 5 62 11 config bak To upload a file to an object type...

Страница 49: ...tions available in the boot menu are 1 Start firewall This initiates the complete startup of the NetDefendOS software on the NetDefend Firewall 2 Reset unit to factory defaults This option will restor...

Страница 50: ...ord set for the console is not connected to the management username password combinations used for administrator access through a web browser It is valid only for console access 2 1 8 Management Advan...

Страница 51: ...onfiguration objects representing a named IPv4 address Object Organization In the Web Interface the configuration objects are organized into a tree like structure based on the type of the object In th...

Страница 52: ...ch gives the option to edit or delete the object as well as modify the order of the objects Example 2 4 Displaying a Configuration Object The simplest operation on a configuration object is to show it...

Страница 53: ...es 2 Click on the telnet hyperlink in the list 3 In the Comments textbox a suitable comment 4 Click OK Verify that the new comment has been updated in the list Important Configuration changes must be...

Страница 54: ...The row will be rendered with a strike through line indicating that the object is marked for deletion Example 2 8 Undeleting a Configuration Object A deleted object can always be restored until the c...

Страница 55: ...IPsec tunnels are committed then those live tunnels connections will be terminated and must be re established If the new configuration is validated NetDefendOS will wait for a short period 30 seconds...

Страница 56: ...rmation that remote management is still working The new configuration is then automatically committed Note Changes must be committed The configuration must be committed before changes are saved All ch...

Страница 57: ...nts down to low level and mandatory system events The conn_open event for example is a typical high level event that generates an event message whenever a new connection is established given that the...

Страница 58: ...rs using syslog with NetDefendOS messages can simplify overall administration This receiver type is discussed further below in Section 2 2 5 Logging to Syslog Hosts 2 2 4 Logging to MemoryLogReceiver...

Страница 59: ...r without assuming that a specific piece of data is in a specific location in the log entry The Prio and Severity fields The Prio field in SysLog messages contains the same information as the Severity...

Страница 60: ...e for each model of NetDefend Firewall Make sure that the correct file is used For each NetDefend Firewall model there is one generic trap object called DLNNNosGenericTrap that is used for all traps w...

Страница 61: ...fies the maximum log messages that NetDefendOS will send per second This value should never be set too low as this may result in important events not being logged nor should it be set too high When th...

Страница 62: ...ng Messages Statistics such as number of bytes sent and received and number of packets sent and received are updated and stored throughout RADIUS sessions All statistics are updated for an authenticat...

Страница 63: ...enticated This is a physical interface and not a TCP or UDP port User IP Address The IP address of the authenticated user This is sent only if specified on the authentication server Input Bytes The nu...

Страница 64: ...S accounting a number of steps must be followed The RADIUS accounting server must be specified A user authentication object must have a rule associated with it where a RADIUS server is specified Some...

Страница 65: ...eady been authenticated 2 3 8 Accounting and System Shutdowns In the case that the client for some reason fails to send a RADIUS AccountingRequest STOP packet the accounting server will never be able...

Страница 66: ...the situation that the RADIUS server will assume users are still logged in even though their sessions have been terminated Default Enabled Maximum Radius Contexts The maximum number of contexts allowe...

Страница 67: ...g settings for enabling hardware monitoring when it is available Enable Sensors Enable disable all hardware monitoring functionality Default Disabled Poll Interval Polling interval for the Hardware Mo...

Страница 68: ...tration only Setting the Minimum and Maximum Range The minimum and maximum values shown in the output from the hwm command are set through the Web Interface by going to System Hardware Monitoring Add...

Страница 69: ...client software When the client runs the MIB file is accessed to inform the client of the values that can be queried on a NetDefendOS device Defining SNMP Access SNMP access is defined through the de...

Страница 70: ...nt client is on the internal network it is not required to implement a VPN tunnel for it Command Line Interface gw world add RemoteManagement RemoteMgmtSNMP my_snmp Interface lan Network mgmt net SNMP...

Страница 71: ...tem Contact The contact person for the managed node Default N A System Name The name for the managed node Default N A System Location The physical location of the node Default N A Interface Descriptio...

Страница 72: ...p gw world pcapdump cleanup Going through this line by line we have 1 Recording is started for the int interface using a buffer size of 1024 Kbytes gw world pcapdump size 1024 start int 2 The recordin...

Страница 73: ...ilter on source IP address ipdest ipaddr Filter on destination IP address port portnum Filter on source or destination port number srcport portnum Filter on source port number destport portnum Filter...

Страница 74: ...urther refine the packets that are of interest For example we might want to examine the packets going to a particular destination port at a particular destination IP address Compatibility with Wiresha...

Страница 75: ...e minimum a configuration backup on a regular basis so that a configuration can be easily recreated in the event of hardware replacement The alternative is to recreate a configuration by manually addi...

Страница 76: ...toring a backup is done in the reverse fashion Either by uploading the backup file using SCP or alternatively through the WebUI A restore cannot be done with CLI commands Operation Interruption Backup...

Страница 77: ...such as the DHCP server lease database or Anti Virus IDP databases will not be backed up 2 7 3 Restore to Factory Defaults A restore to factory defaults can be applied so that it is possible to return...

Страница 78: ...rface LAN1 on the DFL 1600 and DFL 2500 models The management interface IP address for the DFL 1660 DFL 2560 and DFL 2560G models will default to 192 168 10 1 The default IP address factory setting fo...

Страница 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79...

Страница 80: ...s It increases understanding of the configuration by using meaningful symbolic names Using address object names instead of entering numerical addresses reduces errors By defining an IP address object...

Страница 81: ...hosts in consecutive order Example 3 1 Adding an IP Host This example adds the IP host www_srv1 with IP address 192 168 10 16 to the address book Command Line Interface gw world add Address IP4Address...

Страница 82: ...leting In use IP Objects If an IP object is deleted that is in use by another object then NetDefendOS will not allow the configuration to be deployed and will produce a warning message In other words...

Страница 83: ...web server hosts as group members Now a single policy can be used with this group thereby greatly reducing the administrative workload IP Addresses Can Be Excluded When groups are created with the Web...

Страница 84: ...ily by the routing table but is also used by the DHCP client subsystem to store gateway address information acquired through DHCP If a default gateway address has been provided during the setup phase...

Страница 85: ...he most important usage of service objects and it is also how ALGs become associated with IP rules since an ALG is associated with a service and not directly with an IP rule For more information on ho...

Страница 86: ...ects does not meet the requirements for certain traffic then a new service can be created Reading this section will explain not only how new services are created but also provides an understanding of...

Страница 87: ...stination ports are applicable for the service Specifying Port Numbers Port numbers are specified with all types of services and it is useful to understand how these can be entered in user interfaces...

Страница 88: ...ck to the requesting application In some cases it is useful that the ICMP messages are not dropped For example if an ICMP quench message is sent to reduce the rate of traffic flow On the other hand dr...

Страница 89: ...ld provide The best approach is to narrow the service filter in a security policy so it allows only the protocols that are absolutely necessary The all_tcpudpicmp service object is often a first choic...

Страница 90: ...e selected are as follows Echo Request Sent by PING to a destination in order to check connectivity Destination Unreachable The source is told that a problem has occurred when delivering a packet Ther...

Страница 91: ...ol service 2 Specify a suitable name for the service for example VRRP 3 Enter 112 in the IP Protocol control 4 Optionally enter Virtual Router Redundancy Protocol in the Comments control 5 Click OK 3...

Страница 92: ...n to be open Establish Idle Timeout If there is no activity on a connection for this amount of time then it is considered to be closed and is removed from the NetDefendOS state table The default setti...

Страница 93: ...itself is the source or destination for traffic Interface Types NetDefendOS supports a number of interface types which can be divided into the following four major groups Ethernet Interfaces Each Eth...

Страница 94: ...interfaces can be used almost interchangeably in the various NetDefendOS rule sets and other configuration objects This results in a high degree of flexibility in how traffic can be examined controll...

Страница 95: ...quence of bits which specify the originating device plus the destination device plus the data payload along with error checking bits A pause between the broadcasting of individual frames allows device...

Страница 96: ...lly auto generated by the system For more information please see Section 3 1 5 Auto Generated Address Objects Tip Specifying multiple IP addresses on an interface Multiple IP addresses can be specifie...

Страница 97: ...n be sent from the DHCP server iv Do not allow IP address collisions with static routes v Do not allow network collisions with static routes vi Specify an allowed IP address for the DHCP lease vii Spe...

Страница 98: ...this interface 2 An additional option is to disable the sending of HA cluster heartbeats from this interface Quality Of Service The option exists to copy the IP DSCP precedence to the VLAN priority fi...

Страница 99: ...net card including the bus slot and port number of the card as well as the Ethernet driver being used These details are not relevant to the logical interface object associated with the physical interf...

Страница 100: ...dresses lan_ip InterfaceAddresses wan_net InterfaceAddresses lan_net Server Setting Interface Addresses The CLI can be used to set the address of the interface gw world set Address IP4Address Interfac...

Страница 101: ...for the bus slot port combination 0 0 2 on the wan interface the set command would be gw world set EthernetDevice lan EthernetDriver IXP4NPEEthernetDriver PCIBus 0 PCISlot 0 PCIPort 2 This command is...

Страница 102: ...belong to different Virtual LANs but can still share the same physical Ethernet link The following principles underlie the NetDefendOS processing of VLAN tagged Ethernet frames at a physical interfac...

Страница 103: ...ports on the switch that connect to VLAN clients are configured with individual VLAN IDs Any device connected to one of these ports will then automatically become part of the VLAN configured for that...

Страница 104: ...treat a VLAN interface just like a physical interface in that they require both appropriate IP rules and routes to exist in the NetDefendOS configuration for traffic to flow through them For example...

Страница 105: ...P networks PPP uses Link Control Protocol LCP for link establishment configuration and testing Once the LCP is initialized one or several Network Control Protocols NCPs can be used to transport traffi...

Страница 106: ...red PPPoE to be used in PPPoE sessions Unnumbered PPPoE is typically used when ISPs want to allocate one or more preassigned IP addresses to users These IP addresses are then manually entered into cli...

Страница 107: ...rm Password Retype the password Under Authentication specify which authentication protocol to use the default settings will be used if not specified Disable the option Enable dial on demand Under Adva...

Страница 108: ...be given a value The specified IP address is then used for the following i An ICMP Ping can be sent to this tunnel endpoint ii Log messages related to the tunnel will be generated with this IP addres...

Страница 109: ...associated GRE Tunnel The same is true for traffic in the opposite direction that is going into a GRE tunnel Furthermore a Route has to be defined so NetDefendOS knows what IP addresses should be acce...

Страница 110: ...nnet on the lan interface the steps for setting up NetDefendOS on B are as follows 1 In the address book set up the following IP objects remote_net_A 192 168 10 0 24 remote_gw 172 16 0 1 ip_GRE 192 16...

Страница 111: ...t Equivalent can be enabled it is disabled by default Enabling the option means that the group can be used as the destination interface in NetDefendOS rules where connections might need to be moved be...

Страница 112: ...destination IP address sends an ARP reply packet to the originating host with its MAC address 3 4 2 The NetDefendOS ARP Cache The ARP Cache in network equipment such as switches and firewalls is an im...

Страница 113: ...new MAC address If NetDefendOS has an old ARP entry for the host in its ARP cache then that entry will become invalid because of the changed MAC address and this will cause data to be sent to the hos...

Страница 114: ...onse Interface The local physical interface for the ARP object IP Address The IP address for the MAC IP mapping MAC Address The MAC address for the MAC IP mapping The three ARP modes of Static Publish...

Страница 115: ...s translate traffic to these addresses and send it onwards to internal servers with private IP addresses A less common purpose is to aid nearby network equipment responding to ARP in an incorrect mann...

Страница 116: ...the administrator can use the alternative Proxy ARP feature in NetDefendOS to handle publishing of entire networks see Section 4 2 6 Proxy ARP 3 4 4 Using ARP Advanced Settings This section presents...

Страница 117: ...ntil the previous ARP cache entry has timed out The advanced setting Static ARP Changes can modify this behavior The default behavior is that NetDefendOS will allow changes to take place but all such...

Страница 118: ...DefendOS will provided that other rules approve the request reply to it Default Drop ARP Changes Determines how NetDefendOS will deal with situations where a received ARP reply or ARP request would al...

Страница 119: ...es how NetDefendOS deals with ARP requests and ARP replies that state that they are broadcast addresses Such claims are usually never correct Default DropLog ARP cache size How many ARP entries there...

Страница 120: ...behavior when receiving an ARP request with a sender IP address that collides with one already used on the receive interface Possible actions Drop or Notify Default Drop 3 4 5 ARP Advanced Settings Su...

Страница 121: ...tunnel Destination Network The network to which the destination IP address of the packet belongs This might be a NetDefendOS IP object which could define a single IP address or range of addresses Serv...

Страница 122: ...e IP rules must be defined by the administrator Each IP rule that is added by the administrator will define the following basic filtering criteria From what interface to what interface traffic flows F...

Страница 123: ...t least one IP rule must be added to allow traffic to flow In fact two NetDefendOS components need to be present A route must exist in a NetDefendOS routing table which specifies on which interface pa...

Страница 124: ...rule above it is not being triggered first Stateful Inspection After initial rule evaluation of the opening connection subsequent packets belonging to that connection will not need to be evaluated in...

Страница 125: ...ailed description Drop This tells NetDefendOS to immediately discard the packet This is an impolite version of Reject in that no reply is sent back to the sender It is often preferable since it gives...

Страница 126: ...e large numbers of entries in IP rule sets it is possible to create IP rule set folders These folders are just like a folder in a computer s file system They are created with a given name and can then...

Страница 127: ...the individual objects to become visible Instead all objects are already visible and they are displayed in a way that indicates how they are grouped together Groups can be used in most cases where Ne...

Страница 128: ...Select the New Group option from the context menu A group is now created with a title line and the IP rule as its only member The default title of new Group is used The entire group is also assigned...

Страница 129: ...r in the box with the mouse In this example we might change the name of the group to be Web surfing and also change the group color to green The resulting group display is shown below Adding Additiona...

Страница 130: ...in a group is right clicked then the context menu contains the option Leave Group Selecting this removes the object from the group AND moves it down to a position immediately following the group Remov...

Страница 131: ...ther objects Scheduled Times These are the times during each week when the schedule is applied Times are specified as being to the nearest hour A schedule is either active or inactive during each hour...

Страница 132: ...ace lan SourceNetwork lannet DestinationInterface any DestinationNetwork all nets Schedule OfficeHours name AllowHTTP Return to the top level gw world main cc Configuration changes must be saved by th...

Страница 133: ...a certificate is a public key with identification attached coupled with a stamp of approval by a trusted party Certificate Authorities A certificate authority CA is a trusted entity that issues certif...

Страница 134: ...can be downloaded In some cases certificates do not contain this field In those cases the location of the CRL has to be configured manually A CA usually updates its CRL at a given interval The length...

Страница 135: ...erfaces IPsec 2 Display the properties of the IPsec tunnel 3 Select the Authentication tab 4 Select the X509 Certificate option 5 Select the correct Gateway and Root certificates 6 Click OK 3 7 3 CA C...

Страница 136: ...e cut and pasted with a text editor Note OpenSSL is being used here as a conversion utility and not in its normal role as a communication utility 3 Create two blank text files with a text editor such...

Страница 137: ...wn as Time Servers 3 8 2 Setting Date and Time Current Date and Time The administrator can set the date and time manually and this is recommended when a new NetDefendOS installation is started for the...

Страница 138: ...ing Time Many regions follow Daylight Saving Time DST or Summer time as it is called in some countries and this means clocks are advanced for the summer period Unfortunately the principles regulating...

Страница 139: ...January first 1900 Most public Time Servers run the NTP protocol and are accessible using SNTP Configuring Time Servers Up to three Time Servers can be configured to query for time information By usin...

Страница 140: ...ty Time Server causes the clock to be updated with a extremely inaccurate time a Maximum Adjustment value in seconds can be set If the difference between the current NetDefendOS time and the time rece...

Страница 141: ...nk Time Servers Using D Link s own Time Servers is an option in NetDefendOS and this is the recommended way of synchronizing the firewall clock These servers communicate with NetDefendOS using the SNT...

Страница 142: ...er for time synchronization UDPTime or SNTP Simple Network Time Protocol Default SNTP Primary Time Server DNS hostname or IP Address of Timeserver 1 Default None Secondary Time Server DNS hostname or...

Страница 143: ...ft in seconds that a server is allowed to adjust Default 600 Group interval Interval according to which server responses will be grouped Default 10 3 8 4 Settings Summary for Date and Time Chapter 3 F...

Страница 144: ...of up to three DNS servers The are called the Primary Server the Secondary Server and the Tertiary Server For DNS to function at least the primary server must be configured It is recommended to have b...

Страница 145: ...g a new local IP address on the interface that connects to the DNS server The difference between HTTP Poster and the named DNS servers in the WebUI is that HTTP Poster can be used to send any URL The...

Страница 146: ...3 9 DNS Chapter 3 Fundamentals 146...

Страница 147: ...one of the most fundamental functions of NetDefendOS Any IP packet flowing through a NetDefend Firewall will be subjected to at least one routing decision at some point in time and properly setting up...

Страница 148: ...d these are consulted to find out where to send a packet so it can reach its destination The components of a single route are discussed next The Components of a Route When a route is defined it consis...

Страница 149: ...ed by Route Failover and Route Load Balancing For more information see Section 4 4 Route Load Balancing and Section 4 2 3 Route Failover A Typical Routing Scenario The diagram below illustrates a typi...

Страница 150: ...ific route is used In other words if two routes have destination networks that overlap the narrower network definition will be taken before the wider one This behavior is in contrast to IP rules where...

Страница 151: ...ARP queries as though the interface had that IP address The diagram below illustrates a scenario where this feature could be used The network 10 1 1 0 24 is bound to a physical interface that has an...

Страница 152: ...bles will handle certain types of traffic see Section 4 3 Policy based Routing The Route Lookup Mechanism The NetDefendOS route lookup mechanism has some slight differences to how some other router pr...

Страница 153: ...following Flags Network Iface Gateway Local IP Metric 192 168 0 0 24 lan 20 10 0 0 0 8 wan 1 0 0 0 0 0 wan 192 168 0 1 20 NetDefendOS Route Definition Advantages The NetDefendOS method of defining rou...

Страница 154: ...all nets 213 124 165 1 none 2 lan lannet none none 3 wan wannet none none To see the active routing table enter gw world routes Flags Network Iface Gateway Local IP Metric 192 168 0 0 24 lan 0 213 124...

Страница 155: ...net In the Web Interface this is an advanced setting in the Ethernet interface properties called Automatically add a default route for this interface using the given default gateway When this option i...

Страница 156: ...2 3 Route Failover Overview NetDefend Firewalls are often deployed in mission critical locations where availability and connectivity is crucial For example an enterprise relying heavily on access to...

Страница 157: ...next hop for a route accessibility to that gateway can be monitored by sending periodic ARP requests As long as the gateway responds to these requests the route is considered to be functioning correc...

Страница 158: ...gateways The first primary route has the lowest metric and also has route monitoring enabled Route monitoring for the second alternate route is not meaningful since it has no failover route Route Inte...

Страница 159: ...l destination interfaces should be grouped together into an Interface Group and the Security Transport Equivalent flag should be enabled for the Group The Interface Group is then used as the Destinati...

Страница 160: ...on is established to and then disconnected from the host An IP address must be specified for this HTTP A normal HTTP server request using a URL A URL must be specified for this as well as a text strin...

Страница 161: ...from a server can indicate if a specific database is operational with text such as Database OK then the absence of that response can indicate that the server is operational but the application is offl...

Страница 162: ...nning Ethernet is separated into two parts with a routing device such as a NetDefend Firewall in between In such a case NetDefendOS itself can respond to ARP requests directed to the network on the ot...

Страница 163: ...traffic to net_1 In the same way net_2 could be published on the interface if1 so that there is a mirroring of routes and ARP proxy publishing Route Network Interface Proxy ARP Published 1 net_1 if1 i...

Страница 164: ...interfaces since ARP is not involved Automatically Added Routes Proxy ARP cannot be enabled for automatically added routes For example the routes that NetDefendOS creates at initial startup for physi...

Страница 165: ...ed Routing A different routing table might need to be chosen based on the user identity or the group to which the user belongs This is particularly useful in provider independent metropolitan area net...

Страница 166: ...le is encountered address translation will be performed The decision of which routing table to use is made before carrying out address translation but the actual route lookup is performed on the alter...

Страница 167: ...med routing table fails the lookup as a whole is considered to have failed Only the named routing table is the only one consulted If this lookup fails the lookup will not continue in the main routing...

Страница 168: ...outing becomes a necessity We will set up the main routing table to use ISP A and add a named routing table called r2 that uses the default gateway of ISP B Interface Network Gateway ProxyARP lan1 10...

Страница 169: ...Note Rules in the above example are added for both inbound and outbound connections 4 3 5 The Ordering parameter Chapter 4 Routing 169...

Страница 170: ...ject Round Robin Matching routes are used equally often by successively going to the next matching route Destination This is an algorithm that is similar to Round Robin but provides destination IP sti...

Страница 171: ...e importance of this is that it means that a particular destination application can see all traffic coming from the same source IP address Spillover Spillover is not similar to the previous algorithms...

Страница 172: ...ses through one of the ISPs then this can be achieved by enabling RLB and setting a low metric on the route to the favoured ISP A relatively higher metric is then set on the route to the other ISP Usi...

Страница 173: ...okup In the above example 10 4 16 0 24 may be chosen over 10 4 16 0 16 because the range is narrower with 10 4 16 0 24 for an IP address they both contain RLB Resets There are two occasions when all R...

Страница 174: ...ource IP address If NAT was being used for the client communication the IP address seen by the server would be WAN1 or WAN2 In order to flow any traffic requires both a route and an allowing IP rule T...

Страница 175: ...s are not included here but the created rules would follow the pattern described above RLB with VPN When using RLB with VPN a number of issues need to be overcome If we were to try and use RLB to bala...

Страница 176: ...certain problems such as routing loops One of two types of algorithms are generally used to implement the dynamic routing mechanism A Distance Vector DV algorithm A Link State LS algorithm How a route...

Страница 177: ...and 2560G OSPF is not available on the DFL 210 260 and 260E An OSPF enabled router first identifies the routers and sub networks that are directly connected to it and then broadcasts the information...

Страница 178: ...tween them via firewall B For instance traffic from network X which is destined for network Z will be routed automatically through firewall B From the administrators point of view only the routes for...

Страница 179: ...kets based only on the destination IP address found in the IP packet header IP packets are routed as is in other words they are not encapsulated in any further protocol headers as they transit the Aut...

Страница 180: ...3 2 OSPF Area OSPF Area Components A summary of OSPF components related to an area is given below ABRs Area Border Routers are routers that have interfaces connected to more than one area These maint...

Страница 181: ...bi directional On Point to Point and Point to Multipoint OSPF interfaces the state will be changed to Full On Broadcast interfaces only the DR BDR will advance to the Full state with their neighbors a...

Страница 182: ...configured between fw1 and fw2 on Area 1 as it is used as the transit area In this configuration only the Router ID has to be configured The diagram shows that fw2 needs to have a Virtual Link to fw1...

Страница 183: ...wall needs to have a broadcast interface with at least ONE neighbor for ALL areas that the firewall is attached to In essence the inactive part of the cluster needs a neighbor to get the link state da...

Страница 184: ...routing Defining these objects creates the OSPF network The objects should be defined on each NetDefend Firewall that is part of the OSPF network and should describe the same network An illustration...

Страница 185: ...tions that Low logs but with more detail High Logs everything with most detail Note When using the High setting the firewall will log a lot of information even when just connected to a small AS Changi...

Страница 186: ...freshed It is more optimal to group many LSAs and process them at the same time instead of running them one and one Routes Hold Time This specifies the time in seconds that the routing table will be k...

Страница 187: ...e used with OSPF interfaces Note that an OSPF Interface does not always correspond to a physical interface although this is the most common usage Other types of interfaces such as a VLAN could instead...

Страница 188: ...en the following options are available No authentication Passphrase MD5 Digest Advanced Hello Interval Specifies the number of seconds between Hello packets sent on the interface Router Dead Interval...

Страница 189: ...neighbor This is the IP Address of the neighbors OSPF interface connecting to this router For VPN tunnels this will be the IP address of the tunnel s remote end Metric Specifies the metric to this ne...

Страница 190: ...ting Rules In a dynamic routing environment it is important for routers to be able to regulate to what extent they will participate in the routing exchange It is not feasible to accept or trust all re...

Страница 191: ...OSPF AS the opposite is not true The export of routes to networks that are part of OSPF Interface objects are automatic The one exception is for routes on interfaces that have a gateway defined for t...

Страница 192: ...ies if the rule should filter on Router ID OSPF Route Type Specifies if the rule should filter on the OSPF Router Type OSPF Tag Specifies an interval that the tag of the routers needs to be in between...

Страница 193: ...ther explanation Beginning with just one of these firewalls the NetDefendOS setup steps are as follows 1 Create an OSPF Router object Create a NetDefendOS OSPF Router Process object This will represen...

Страница 194: ...is no need to have a Dynamic Routing Policy Rule which exports the local routing table into the AS since this is done automatically for OSPF Interface objects The exception to this is if a route invol...

Страница 195: ...eway in this case is of course the NetDefend Firewall to which the traffic should be sent That firewall may or may not be attached to the destination network but OSPF has determined that that is the o...

Страница 196: ...al IP of the tunnel endpoint To finish the setup for firewall A there needs to be two changes made to the IPsec tunnel setup on firewall B These are i In the IPsec tunnel properties the Local Network...

Страница 197: ...le name For example area_0 Specify the Area ID as 0 0 0 0 5 Click OK This should be repeated for all the NetDefend Firewalls that will be part of the OSPF area Example 4 9 Add OSPF Interface Objects N...

Страница 198: ...Example 4 11 Exporting the Default Route into an OSPF AS In this example the default all nets route from the main routing table will be exported into an OSPF AS named as_0 This must be done explicitly...

Страница 199: ...Multicast routing functions on the principle that an interested receiver joins a group for a multicast by using the IGMP protocol PIM routers can then duplicate and forward packets to all members of...

Страница 200: ...specified by the multiplex rule must have been requested by hosts using IGMP before any multicast packets are forwarded through the specified interfaces This is the default behavior of NetDefendOS No...

Страница 201: ...0 0 24 1234 to the interfaces if1 if2 and if3 All groups have the same sender 192 168 10 1 which is located somewhere behind the wan interface The multicast groups should only be forwarded to the out...

Страница 202: ...en gw world main add IPRule SourceNetwork srcnet SourceInterface srcif DestinationInterface srcif DestinationNetwork destnet Action MultiplexSAT Service service MultiplexArgument outif1 ip1 outif2 ip2...

Страница 203: ...MP Rules Configuration Address Translation Tip As previously noted remember to add an Allow rule matching the SAT Multiplex rule Example 4 13 Multicast Forwarding Address Translation The following SAT...

Страница 204: ...ategories IGMP Reports Reports are sent from hosts towards the router when a host wants to subscribe to new multicast groups or change current multicast subscriptions IGMP Queries Queries are IGMP mes...

Страница 205: ...towards the clients and actively send queries Towards the upstream router the firewall will be acting as a normal host subscribing to multicast groups on behalf of its clients 4 6 3 1 IGMP Rules Confi...

Страница 206: ...d IGMP Rule 2 Under General enter Name A suitable name for the rule for example Reports Type Report Action Proxy Output wan this is the relay interface 3 Under Address Filter enter Source Interface lf...

Страница 207: ...needs to be executed to create the report and query rule pair for if1 which uses no address translation Web Interface A Create the first IGMP Rule 1 Go to Routing IGMP IGMP Rules Add IGMP Rule 2 Unde...

Страница 208: ...nter Name A suitable name for the rule for example Reports_if2 Type Report Action Proxy Output wan this is the relay interface 3 Under Address Filter enter Source Interface if2 Source Network if2net D...

Страница 209: ...led IGMP React To Own Queries The firewall should always respond with IGMP Membership Reports even to queries originating from itself Global setting on interfaces without an overriding IGMP Setting De...

Страница 210: ...he maximum time in milliseconds until a host has to send a reply to a query Global setting on interfaces without an overriding IGMP Setting Default 10 000 IGMP Robustness Variable IGMP is robust to IG...

Страница 211: ...time in milliseconds between repetitions of an initial membership report Global setting on interfaces without an overriding IGMP Setting Default 1 000 4 6 4 Advanced IGMP Settings Chapter 4 Routing 2...

Страница 212: ...ge specified instead of all nets This is usually when a network is split between two interfaces but the administrator does not know exactly which users are on which interface Usage Scenarios Two examp...

Страница 213: ...s ARP transactions to pass through the NetDefend Firewall and determines from this ARP traffic the relationship between IP addresses physical addresses and interfaces NetDefendOS remembers this addres...

Страница 214: ...Mode If no restriction at all is to be initially placed on traffic flowing in transparent mode the following single IP rule could be added but more restrictive IP rules are recommended Action Src Inte...

Страница 215: ...ate two separate transparent mode networks The routing table used for an interface is decided by the Routing Table Membership parameter for each interface To implement separate Transparent Mode networ...

Страница 216: ...h Routes the solution in a High Availability setup is to use Proxy ARP to separate two networks This is described further in Section 4 2 6 Proxy ARP The key disadvantage with this approach is that fir...

Страница 217: ...tween the internal physical Ethernet network pn2 and the Ethernet network to the ISP s gateway pn1 The two Ethernet networks are treated as a single logical IP network in Transparent Mode with a commo...

Страница 218: ...In the above example 85 12 184 39 and 194 142 215 15 could be grouped into a single object in this way Using NAT NAT should not be enabled for NetDefendOS in Transparent Mode since as explained previ...

Страница 219: ...P Address 10 0 0 1 Network 10 0 0 0 24 Default Gateway 10 0 0 1 Transparent Mode Enable 3 Click OK 4 Go to Interfaces Ethernet Edit lan 5 Now enter IP Address 10 0 0 2 Network 10 0 0 0 24 Transparent...

Страница 220: ...d there is no need for the hosts on the internal network to know if a resource is on the same network or placed on the DMZ The hosts on the internal network are allowed to communicate with an HTTP ser...

Страница 221: ...nterface Groups Add InterfaceGroup 2 Now enter Name TransparentGroup Security Transport Equivalent Disable Interfaces Select lan and dmz 3 Click OK Configure the routing 1 Go to Routing Main Routing T...

Страница 222: ...the Bridge Protocol Data Units BPDUs across the NetDefend Firewall BPDU frames carry Spanning Tree Protocol STP messages between layer 2 switches in a network STP allows the switches to understand th...

Страница 223: ...Enabling Disabling BPDU Relaying BPDU relaying is disabled by default and can be controlled through the advanced setting Relay Spanning tree BPDUs Logging of BPDU messages can also be controlled throu...

Страница 224: ...cally Default Enabled L3 Cache Size This setting is used to manually configure the size of the Layer 3 Cache Enabling Dynamic L3C Size is normally preferred Default Dynamic Transparency ATS Expire Def...

Страница 225: ...s DropLog Drop and log packets Default DropLog Multicast Enet Sender Defines what to do when receiving a packet that has the sender hardware MAC address in Ethernet header set to a multicast Ethernet...

Страница 226: ...gnore all incoming MPLS packets are relayed in transparent mode Options Ignore Let the packets pass but do not log Log Let the packets pass and log the event Drop Drop the packets DropLog Drop packets...

Страница 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227...

Страница 228: ...ess a MAC address a domain name and a lease for the IP address to the client in a unicast message DHCP Leases Compared to static assignment where the client owns the address dynamic addressing by a DH...

Страница 229: ...they are defined the last defined being at the top of the list When NetDefendOS searches for a DHCP server to service a request it goes through the list from top to bottom and chooses the first server...

Страница 230: ...ease Primary Secondary DNS The IP of the primary and secondary DNS servers Primary Secondary NBNS WINS IP of the Windows Internet Name Service WINS servers that are used in Microsoft environments whic...

Страница 231: ...rs gw world dhcpserver To list all current leases gw world dhcpserver show Displaying IP to MAC Address Mappings To display the mappings of IP addresses to MAC addresses that result from allocated DHC...

Страница 232: ...ng sections discuss these two DHCP server options 5 2 1 Static DHCP Hosts Where the administrator requires a fixed relationship between a client and the assigned IP address NetDefendOS allows the assi...

Страница 233: ...individual static assignment can be shown using its index number gw world show DHCPServerPoolStaticHost 1 Property Value Index 1 Host 192 168 1 1 MACAddress 00 90 12 13 14 15 Comments none 5 The assig...

Страница 234: ...e or a comma separated list The meaning of the data is determined by the Code and Type For example if the code is set to 66 TFTP server name then the Type could be String and the Data would then be a...

Страница 235: ...interface on which it sends out the forwarded request Although all NetDefendOS interfaces are core routed that is to say a route exists by default that routes interface IP addresses to Core for relaye...

Страница 236: ...DHCP Relay Advanced Settings The following advanced settings are available with DHCP relaying Max Transactions Maximum number of transactions at the same time Default 32 Transaction Timeout For how lo...

Страница 237: ...What policy should be used to save the relay list to the disk possible settings are Disabled ReconfShut or ReconfShutTimer Default ReconfShut Auto Save Interval How often in seconds should the relay l...

Страница 238: ...should use the DHCP server s residing on the specified interface Specify DHCP Server Address Specify DHCP server IP s in preferred ascending order to be used This option is used instead of the behind...

Страница 239: ...this value Maximum clients Optional setting used to specify the maximum number of clients IPs allowed in the pool Sender IP This is the source IP to use when communicating with the DHCP server Memory...

Страница 240: ...10 14 1 with 10 prefetched leases It is assumed that this IP address is already defined in the address book as an IP object called ippool_dhcp Command Line Interface gw world add IPPool ip_pool_1 DHCP...

Страница 241: ...5 4 IP Pools Chapter 5 DHCP Services 241...

Страница 242: ...hich is known as the Default Access Rule This default rule is not really a true rule but operates by checking the validity of incoming traffic by performing a reverse lookup in the NetDefendOS routing...

Страница 243: ...is NOT allowed Any outgoing traffic with a source IP address belonging to an outside untrusted network is NOT allowed The first point prevents an outsider from using a local host s address as its sou...

Страница 244: ...s always advisable to check Access Rules when troubleshooting puzzling problems in case a rule is preventing some other function such as VPN tunnel establishment from working properly Example 6 1 Sett...

Страница 245: ...ransfer and multimedia transfer ALGs provide higher security than packet filtering since they are capable of scrutinizing all traffic for a specific protocol and perform checks at the higher levels of...

Страница 246: ...browser sends a request by establishing a TCP IP connection to a known port usually port 80 on a remote server The server answers with a response string followed by a message of its own That message...

Страница 247: ...ontents is dropped by NetDefendOS on the assumption that it can be a security threat 2 Allow Block Selected Types This option operates independently of the MIME verification option described above but...

Страница 248: ...tering if enabled 4 Anti virus scanning if enabled As described above if a URL is found on the whitelist then it will not be blocked if it also found on the blacklist If it is enabled Anti virus scann...

Страница 249: ...Normally the client needs to authenticate itself by providing a predefined login and password After granting access the server will provide the client with a file directory listing from which it can d...

Страница 250: ...of the FTP command channel and examining its contents By doing this the NetDefendOS knows what port to open for the data channel Furthermore the FTP ALG also provides functionality to filter out certa...

Страница 251: ...pecified with this option The client will be allowed to connect to any of these if the server is using passive mode The default range is 1024 65535 These options can determine if hybrid mode is requir...

Страница 252: ...frequency of commands can be useful The default limit is 20 commands per second Allow 8 bit strings in control channel The option determines if 8 bit characters are allowed in the control channel All...

Страница 253: ...rom a remote FTP server on the Internet the server will not be blocked by ZoneDefense since it is outside of the configured network range The virus is however still blocked by the NetDefend Firewall B...

Страница 254: ...configuration is performed as follows Web Interface A Define the ALG The ALG ftp inbound is already predefined by NetDefendOS but in this example we will show how it can be created from scratch 1 Go t...

Страница 255: ...ternal assume this internal IP address for FTP server has been defined in the address book object 6 New Port 21 7 Click OK D Traffic from the internal interface needs to be NATed through a single publ...

Страница 256: ...use active mode FTP ALG option so clients can only use passive mode This is much safer for the client Enable the Allow server to use passive mode FTP ALG option This allows clients on the inside to co...

Страница 257: ...owing the same kind of ports traffic before these rules The service used here is the ftp outbound service which should be using the predefined ALG definition ftp outbound which is described earlier 1...

Страница 258: ...mpler version of FTP with more limited capabilities Its purpose is to allow a client to upload files to or download files from a host system TFTP data transport is based on the UDP protocol and theref...

Страница 259: ...l server this setup is illustrated later in Section 6 2 5 1 Anti Spam Filtering Local users will then use email client software to retrieve their email from the local SMTP server SMTP is also used whe...

Страница 260: ...This same option is also available in the HTTP ALG and a fuller description of how it works can be found in Section 6 2 2 The HTTP ALG This same option is also available in the HTTP ALG and a fuller d...

Страница 261: ...ned in RFC 1869 and allows a number extensions to the standard SMTP protocol When an SMTP client opens a session with an SMTP server using ESMTP the client first sends an EHLO command If the server su...

Страница 262: ...ly configured It is possible to manually configure certain hosts and servers to be excluded from being blocked by adding them to the ZoneDefense Exclude List When a client tries to send an email infec...

Страница 263: ...ck List DNSBL databases and the information is accessible using a standardized query method supported by NetDefendOS The image below illustrates all the components involved DNSBL Server Queries When t...

Страница 264: ...old in this example is set at 7 then all three DNSBL servers would have to respond in order for the calculated sum to cause the email to be dropped 3 2 2 7 Alternative Actions for Dropped Spam If the...

Страница 265: ...out then NetDefendOS will consider that the query has failed and the weight given to that server will be automatically subtracted from both the Spam and Drop thresholds for the scoring calculation don...

Страница 266: ...r dropping mail The Spam Threshold should be less than the Drop Threshold If the two are equal then only the Drop Threshold applies Specify a textual tag to prefix to the Subject field of email design...

Страница 267: ...my_smtp_alg active 156 65 34299 alt_smtp_alg inactive 0 0 0 The show option provides a summary of the Spam filtering operation of a specific ALG It is used below to examine activity for my_smtp_alg a...

Страница 268: ...sername does not exist This prevents users from trying different usernames until they find a valid one Allow Unknown Commands Non standard POP3 commands not recognized by the ALG can be allowed or dis...

Страница 269: ...ress on the firewall This first connection will be successful but when the second client B also tries to connect to the same server C at the same endpoint IP address the first connection for A will be...

Страница 270: ...scriptive name for the ALG Echo timeout Idle timeout for Echo messages in the PPTP tunnel Idle timeout Idle timeout for user traffic messages in the PPTP tunnel In most cases only the name needs to be...

Страница 271: ...by NetDefendOS Registrars A server that handles SIP REGISTER requests is given the special name of Registrar The Registrar server has the task of locating the host where the other client is reachable...

Страница 272: ...ys the INVITE message to the called client Once the two clients have learnt of each other s IP addresses they can communicate directly with each other and remaining SIP messages can bypass the proxies...

Страница 273: ...fend Firewall and a client which is on the external unprotected side The SIP proxy is located on the local protected side of the NetDefend Firewall and can handle registrations from both clients locat...

Страница 274: ...have Destination Port set to 5060 the default SIP signalling port Type set to TCP UDP 3 Define two rules in the IP rule set A NAT rule for outbound traffic from clients on the internal network to the...

Страница 275: ...AT is used are shown in parentheses Action Src Interface Src Network Dest Interface Dest Network Allow or NAT lan lannet wan ip_proxy Allow wan ip_proxy lan or core lannet or wan_ip Without the Record...

Страница 276: ...T rule This translation will occur both on the IP level and the application level Neither the clients or the proxies need to be aware that the local clients are being NATed If Record Route is enabled...

Страница 277: ...Clients Allow lan lannet ip_proxy wan all nets InboundTo Proxy Clients Allow wan all nets lan lannet ip_proxy If Record Route is enabled then the networks in the above rules can be further restricted...

Страница 278: ...Z The IP address of the DMZ interface must be a globally routable IP address This address can be the same address as the one used on the external interface The setup steps are as follows 1 Define a si...

Страница 279: ...el An Allow rule for inbound SIP traffic from for example the Internet to the IP address of the DMZ interface The reason for this is because local clients will be NATed using the IP address of the DMZ...

Страница 280: ...twork The IP rules with Record Route enabled are Action Src Interface Src Network Dest Interface Dest Network OutboundToProxy Allow lan lannet dmz ip_proxy OutboundFromProxy Allow dmz ip_proxy lan lan...

Страница 281: ...blish a connection between two H 323 endpoints This call signal channel is opened between two H 323 endpoints or between a H 323 endpoint and a gatekeeper For communication between two H 323 endpoints...

Страница 282: ...Translate Logical Channel Addresses This would normally always be set If not enabled then no address translation will be done on logical channel addresses and the administrator needs to be sure about...

Страница 283: ...t Destination Network 0 0 0 0 0 all nets Comment Allow outgoing calls 3 Click OK Incoming Rule 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323AllowIn Action Allow Service H323 Source Interface...

Страница 284: ...IP of the H 323 phone Web Interface Outgoing Rule 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323Out Action NAT Service H323 Source Interface lan Destination Interface any Source Network lanne...

Страница 285: ...ires one external address Example 6 6 Two Phones Behind Different NetDefend Firewalls This scenario consists of two H 323 phones each one connected behind the NetDefend Firewall on a network with publ...

Страница 286: ...e set in the firewall Make sure there are no rules disallowing or allowing the same kind of ports traffic before these rules As we are using private IPs on the phones incoming traffic need to be SATed...

Страница 287: ...IP address on the firewall If multiple H 323 phones are placed behind the firewall one SAT rule has to be configured for each phone This means that multiple external addresses have to be used However...

Страница 288: ...r located at ip gatekeeper 3 For SAT enter Translate Destination IP Address To New IP Address ip gatekeeper IP address of gatekeeper 4 Click OK 1 Go to Rules IP Rules Add IPRule 2 Now enter Name H323I...

Страница 289: ...hones to call the external phones that are registered with the gatekeeper Example 6 9 H 323 with Gatekeeper and two NetDefend Firewalls This scenario is quite similar to scenario 3 with the difference...

Страница 290: ...eeper Example 6 10 Using the H 323 ALG in a Corporate Environment This scenario is an example of a more complex network that shows how the H 323 ALG can be deployed in a corporate environment At the h...

Страница 291: ...ow enter Name LanToGK Action Allow Service H323 Gatekeeper Source Interface lan Destination Interface dmz Source Network lannet Destination Network ip gatekeeper Comment Allow H 323 entities on lannet...

Страница 292: ...t 3 Click OK 1 Go to Rules IP Rules Add IPRule 2 Now enter Name BranchToGW Action Allow Service H323 Gatekeeper Source Interface vpn branch Destination Interface dmz Source Network branch net Destinat...

Страница 293: ...to the Head Office DMZ 3 Click OK Example 6 12 Allowing the H 323 Gateway to register with the Gatekeeper The branch office NetDefend Firewall has a H 323 Gateway connected to its DMZ In order to allo...

Страница 294: ...e Relationship with SSL TLS is a successor to the Secure Sockets Layer SSL but the differences are slight Therefore for most purposes TLS and SSL can be regarded as equivalent In the context of the TL...

Страница 295: ...LS can be offloaded to the NetDefend Firewall This is be sometimes referred to as SSL acceleration Any processing advantages that can be achieved can however vary and will depend on the comparative pr...

Страница 296: ...lution to this issue is for the servers to use relative URLs instead of absolute ones Cipher Suites Supported by NetDefendOS TLS NetDefendOS TLS supports the following cipher suites 1 TLS_RSA_WITH_3DE...

Страница 297: ...ation effort and has very high accuracy Note Enabling WCF All Web Content Filtering is enabled via the HTTP ALG which is described in Section 6 2 2 The HTTP ALG 6 3 2 Active Content Handling Some web...

Страница 298: ...target specific web sites and make the decision as to whether they should be blocked or allowed Static and Dynamic Filter Ordering Additionally Static Content Filtering takes place before Dynamic Con...

Страница 299: ...s users from downloading exe files However the D Link website provides secure and necessary program files which should be allowed to download Command Line Interface Start by adding an HTTP ALG in orde...

Страница 300: ...re already classified and grouped into a variety of categories such as shopping news sport adult oriented and so on The Dynamic WCF URL databases are updated almost hourly with new categorized URLs wh...

Страница 301: ...ork are treated as anonymous submissions and no record of the source of new submissions is kept Categorizing Pages and Not Sites NetDefendOS dynamic filtering categorizes web pages and not sites In ot...

Страница 302: ...typically this is because NetDefendOS is unable to reach the external databases to perform URL lookup Fail mode can have one of two settings Deny If WCF is unable to function then URLs are denied if...

Страница 303: ...arch site For example www google com 3 If everything is configured correctly the web browser will present a web page that informs the user about that the requested site is blocked Audit Mode In Audit...

Страница 304: ...gambling web sites he will not be able to do his job For this reason NetDefendOS supports a feature called Allow Override With this feature enabled the content filtering component will present a warni...

Страница 305: ...tegories SEARCH_SITES AllowReclassification Yes Then continue setting up the service object and modifying the NAT rule as we have done in the previous examples Web Interface First create an HTTP Appli...

Страница 306: ...ght be www newsunlimited com www dailyscoop com Category 3 Job Search A web site may be classified under the Job Search category if its content includes facilities to search for or submit online emplo...

Страница 307: ...Chatrooms 8 Game Sites 10 Sports 16 Clubs and Societies 22 and Music Downloads 23 Examples might be www celebnews com www hollywoodlatest com Category 8 Chatrooms A web site may be classified under t...

Страница 308: ...Investment related content refer to the Investment Sites category 11 Examples might be www nateast co uk www borganfanley com Category 13 Crime Terrorism A web site may be classified under the Crime...

Страница 309: ...ction of violent acts as well as web sites that have undesirable content and may not be classified elsewhere Examples might be www itstinks com www ratemywaste com Category 19 Malicious A web site may...

Страница 310: ...com Category 24 Business Oriented A web site may be classified under the Business Oriented category if its content is relevant to general day to day business or proper functioning of the Internet for...

Страница 311: ...ks com Category 29 Computing IT A web site may be classified under the Computing IT category if its content includes computing related information or services Examples might be www purplehat com www g...

Страница 312: ...les object These new files can then be edited and uploaded back to NetDefendOS The original Default object cannot be edited The following example goes through the necessary steps Example 6 18 Editing...

Страница 313: ...ng SCP It is uploaded to the object type HTTPALGBanner and the object mytxt with the property name URLForbidden If the edited URLForbidden local file is called my html then using the Open SSH SCP clie...

Страница 314: ...mportantly it can act as a backup for when local client antivirus scanning is not available Enabling Through ALGs NetDefendOS Anti Virus is enabled on a per ALG basis It is available for file download...

Страница 315: ...pt of ordering is not relevant since the two scanning processes can occur simultaneously and operate at different protocol levels If IDP is enabled it scans all packets designated by a defined IDP rul...

Страница 316: ...irus Options When configuring Anti Virus scanning in an ALG the following parameters can be set 1 General options Mode This must be one of i Disabled Anti Virus is switched off ii Audit Scanning is ac...

Страница 317: ...contain image data of that type Some viruses can try to hide inside files by using a misleading file type A file might pretend to be a gif file but the file s data will not match that type s data patt...

Страница 318: ...a remote FTP server over the Internet NetDefendOS detects this and stops the file transfer At this point NetDefendOS has blocked the infected file from reaching the internal network Hence there would...

Страница 319: ...rus 3 Select the TCP in the Type dropdown list 4 Enter 80 in the Destination Port textbox 5 Select the HTTP ALG just created in the ALG dropdown list 6 Click OK C Finally modify the NAT rule called NA...

Страница 320: ...t operates by monitoring network traffic as it passes through the NetDefend Firewall searching for patterns that indicate an intrusion is being attempted Once detected NetDefendOS IDP allows steps to...

Страница 321: ...rd subscription is for 12 months and provides automatic IDP signature database updates This IDP option is available for all D Link NetDefend models including those that don t come as standard with Mai...

Страница 322: ...w database updates If a new database update becomes available the sequence of events will be as follows 1 The active unit determines there is a new update and downloads the required files for the upda...

Страница 323: ...n the upper text box is equivalent to the way signatures are specified when using the CLI to define an IDP rule HTTP Normalization Each IDP rule has a section of settings for HTTP normalization This a...

Страница 324: ...the option Protect against Insertion Evasion attack An Insertion Evasion Attack is a form of attack which is specifically aimed at evading IDP mechanisms It exploits the fact that in a TCP IP data tr...

Страница 325: ...prudent while the false positive causes are investigated 6 5 5 IDP Pattern Matching Signatures In order for IDP to correctly identify an attack it uses a profile of indicators or pattern associated w...

Страница 326: ...as file sharing applications and instant messaging 6 5 6 IDP Signature Groups Using Groups Usually several lines of attacks exist for a specific protocol and it is best to search for all of them at t...

Страница 327: ...n be used to wildcard for any set of characters of any length in a group name Caution Use the minimum IDP signatures necessary Do not use the entire signature database and avoid using signatures and s...

Страница 328: ...dOS will wait for Minimum Repeat Time seconds before sending a new email The IP Address of SMTP Log Receivers is Required When specifying an SMTP log receiver the IP address of the receiver must be sp...

Страница 329: ...s exposed to the Internet on the DMZ network with a public IP address The public Internet can be reached through the firewall on the WAN interface as illustrated below An IDP rule called IDPMailSrvRul...

Страница 330: ...tion Network ip_mailserver Click OK Specify the Action An action is now defined specifying what signatures the IDP should use when scanning data matching the rule and what NetDefendOS should do when a...

Страница 331: ...e ID 68343 the CLI in the above example would become gw world IDPMailSrvRule add IDPRuleAction Action Protect IDPServity All Signatures 68343 To specify a list which also includes signatures 68345 and...

Страница 332: ...ammed Internet connections and business critical systems in overload This section deals with using NetDefend Firewalls to protect organizations against these attacks 6 6 2 DoS Attack Mechanisms A DoS...

Страница 333: ...turn generates yet another response to itself etc This will either bog the victim s machine down or make it crash The attack is accomplished by using the victim s IP address in the source field of an...

Страница 334: ...s masses of dropped ICMP Echo Reply packets The source IP addresses will be those of the amplifier networks used Fraggle attacks will show up in NetDefendOS logs as masses of dropped or allowed depend...

Страница 335: ...ppens When the state table fills up old outstanding SYN connections will be the first to be dropped to make room for new connections Spotting SYN Floods TCP SYN flood attacks will show up in NetDefend...

Страница 336: ...se attacks typically exhaust bandwidth router processing capacity or network stack resources breaking network connectivity to the victims Although recent DDoS attacks have been launched from both priv...

Страница 337: ...nly this Service By default Blacklisting blocks all services for the triggering host Exempt already established connections from Blacklisting If there are established connections that have the same so...

Страница 338: ...look at as well as manipulate the current contents of the blacklist and the whitelist The current blacklist can be viewed with the command gw world blacklist show black This blacklist command can be u...

Страница 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339...

Страница 340: ...he public Internet Security is increased by making it more difficult for intruders to understand the topology of the protected network Address translation hides internal IP addresses which means that...

Страница 341: ...ss combination as its sender NetDefendOS performs automatic translation of the source port number as well as the IP address In other words the source IP addresses for connections are all translated to...

Страница 342: ...have a matching ARP Publish entry configured for the outbound interface Otherwise the return traffic will not be received by the NetDefend Firewall This technique might be used when the source IP is...

Страница 343: ...xample Example 7 1 Adding a NAT Rule To add a NAT rule that will perform address translation for all HTTP traffic originating from the internal network follow the steps outlined below Command Line Int...

Страница 344: ...al servers using different IP protocols Several internal machines can communicate with different external servers using the same IP protocol Several internal machines can communicate with the same ser...

Страница 345: ...ic is relayed between the firewall and the Internet it is no longer encapsulated by PPTP When an application such as a web server now receives requests from the client it appears as though they are co...

Страница 346: ...s Subsequent connections involving the same internal client host will then use the same external IP address The advantage of the stateful approach is that it can balance connections across several ext...

Страница 347: ...lancing is not part of this option there should be spreading of the load across the external connections due to the random nature of the allocating algorithm IP Pool Usage When allocating external IP...

Страница 348: ...OK B Next create a stateful NAT Pool object called stateful_natpool 1 Go to Objects NAT Pools Add NAT Pool 2 Now enter Name stateful_natpool Pool type stateful IP Range nat_pool_range 3 Select the Pro...

Страница 349: ...rs on the translated address given by the SAT rule For example if a SAT rule translates the destination from 1 1 1 1 to 2 2 2 2 then the second associated rule should allow traffic to pass to the dest...

Страница 350: ...r in a DMZ In this example we will create a SAT policy that will translate and allow connections from the Internet to a web server located in a DMZ The NetDefend Firewall is connected to the Internet...

Страница 351: ...DMZ 3 Now enter Action Allow Service http Source Interface any Source Network all nets Destination Interface core Destination Network wan_ip 4 Under the Service tab select http in the Predefined list...

Страница 352: ...the number of rules for each interface allowed to communicate with the web server However the rule ordering is unimportant which may help avoid errors If option 2 was selected the rule set must be ad...

Страница 353: ...address in accordance with rule 1 and forwards the packet in accordance with rule 2 10 0 0 3 1038 10 0 0 2 80 wwwsrv processes the packet and replies 10 0 0 2 80 10 0 0 3 1038 This reply arrives direc...

Страница 354: ...veral protected servers in a DMZ and where each server should be accessible using a unique public IP address Example 7 5 Translating Traffic to Multiple Protected Web Servers In this example we will c...

Страница 355: ...rv_pub Web Interface Create an address object for the public IP address 1 Go to Objects Address Book Add IP address 2 Specify a suitable name for the object for example wwwsrv_pub 3 Enter 195 55 66 77...

Страница 356: ...wwsrv_pub 4 Click OK 7 4 3 All to One Mappings N 1 NetDefendOS can be used to translate ranges and or groups into just one IP address Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any...

Страница 357: ...TCP or UDP level data and subsequently requires that in some way or another the addresses visible on IP level are the same as those embedded in the data Examples of this include FTP and logons to NT...

Страница 358: ...ic address translation using FwdFast rules to a web server located on an internal network Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any all nets core wan_ip http SETDEST wwwsrv 80...

Страница 359: ...rv any all nets 80 All SETSRC wan_ip 80 3 FwdFast lan wwwsrv any all nets 80 All 4 NAT lan lannet any all nets All 5 FwdFast lan wwwsrv any all nets 80 All External traffic to wan_ip 80 will match rul...

Страница 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360...

Страница 361: ...such as a biometric reader Another problem with A is that the special attribute often cannot be replaced if it is lost Methods B and C are therefore the most common means of identification in network...

Страница 362: ...in secure passwords should also Not be recorded anywhere in written form Never be revealed to anyone else Changed on a regular basis such as every three months 8 1 Overview Chapter 8 User Authenticati...

Страница 363: ...tail These are Section 8 2 2 The Local Database Section 8 2 3 External RADIUS Servers Section 8 2 4 External LDAP Servers Section 8 2 5 Authentication Rules 8 2 2 The Local Database The Local User Dat...

Страница 364: ...users with fixed IP addresses Network behind user If a network is specified for this user then when the user connects a route is automatically added to the NetDefendOS main routing table This existen...

Страница 365: ...cesses the requests and sends back a RADIUS message to accept or deny them One or more external servers can be defined in NetDefendOS RADIUS Security To provide security a common shared secret is conf...

Страница 366: ...ial consideration with Active Directory and that is the Name Attribute This should be set to SAMAccountName Defining an LDAP Server One or more named LDAP server objects can be defined in NetDefendOS...

Страница 367: ...ountName which is NOT case sensitive When looking at the details of a user in Active Directory the value for the user logon name is defined in the SAMAccountName field under the Account tab Note The L...

Страница 368: ...tructure The Base Object specifies where in this tree the relevant users are located Specifying the Base Object has the effect of speeding up the search of the LDAP tree since only users under the Bas...

Страница 369: ...automatically configured to work using LDAP Bind Request Authentication This means that authentication succeeds if successful connection is made to the LDAP server Individual clients are not distingu...

Страница 370: ...cts LDAP servers used for certificate lookup are known as LDAPServer objects in the CLI A specific LDAP server that is defined in NetDefendOS for authentication can be shown with the command gw world...

Страница 371: ...will contain the password when it is sent back This ID must be different from the default password attribute which is usually userPassword for most LDAP servers A suggestion is to use the description...

Страница 372: ...word login sequence Authentication Rules are set up in a way that is similar to other NetDefendOS security policies by specifying which traffic is to be subject to the rule They differ from other poli...

Страница 373: ...ll connections that trigger this rule Such connections will never be authenticated Any Disallow rules are best located at the end of the authentication rule set iv Local The local database defined wit...

Страница 374: ...rk and data which is one of the following types HTTP traffic HTTPS traffic IPsec tunnel traffic L2TP tunnel traffic PPTP tunnel traffic 3 If no rule matches the connection is allowed provided the IP r...

Страница 375: ...oup users to also be able to access the regular network we could add a third rule to permit this Action Src Interface Src Network Dest Interface Dest Network Service 1 Allow lan trusted_net int import...

Страница 376: ...activity but we cannot just use lannet as the source network since the rule would trigger for any unauthenticated client from that network Instead the source network is an administrator defined IP obj...

Страница 377: ...p enter the group names here separated by a comma users for this example 3 Click OK 4 Repeat Step B to add all the lannet users having the membership of users group into the lannet_auth_users folder E...

Страница 378: ...e any Destination Network all nets 3 Click OK Example 8 3 Configuring a RADIUS Server The following steps illustrate how a RADIUS server is typically configured Web Interface 1 User Authentication Ext...

Страница 379: ...eds either through by direct editing in Web Interface or by downloading and re uploading through an SCP client The files available for editing have the following names FormLogin LoginSuccess LoginFail...

Страница 380: ...r the new set of ALG banner files will appear 4 Click the Edit Preview tab 5 Select FormLogin from the Page list 6 Now edit the HTML source that appears in the text box for the Forbidden URL page 7 Us...

Страница 381: ...If the edited Formlogon local file is called my html then using the Open SSH SCP client the upload command would be pscp my html admin 10 5 62 11 HTTPAuthBanners ua_html FormLogin The usage of SCP cl...

Страница 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382...

Страница 383: ...lly important that the recipient can verify that no one is falsifying data in other words pretending to be someone else Virtual Private Networks VPNs meet this need providing a highly cost effective m...

Страница 384: ...yptographic keyed hashing Non repudiation Proof that the sender actually sent the data the sender cannot later deny having sent it Non repudiation is usually a side effect of authentication VPNs are n...

Страница 385: ...feature it is usually possible to dictate the types of communication permitted and NetDefendOS VPN has this feature 9 1 4 Key Distribution Key distribution schemes are best planned in advance Issues...

Страница 386: ...The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386...

Страница 387: ...n flow into the tunnel a route must be defined in a NetDefendOS routing table This route tells NetDefendOS which network can be found at the other end of the tunnel so it knows which traffic to send i...

Страница 388: ...hich has the IP address lan_ip 4 Create an IPsec Tunnel object let s call this object ipsec_tunnel Specify the following tunnel parameters Set Local Network to lannet Set Remote Network to remote_net...

Страница 389: ...unnel 2 Under Authentication Objects add the Root Certificate and Host Certificate into NetDefendOS The root certificate needs to have 2 parts added a certificate file and a private key file The gatew...

Страница 390: ...ehand and must be handed out by NetDefendOS as the clients connect A IP addresses already allocated The IP addresses may be known beforehand and have been pre allocated to the roaming clients before t...

Страница 391: ...remote network when tunnel established should be enabled for the tunnel object If all nets is the destination network the option Add route for remote network should be disabled Note The option to dyn...

Страница 392: ...rity Define the IPsec algorithms that will be used and which are supported by NetDefendOS Specify if the client will use config mode There are a variety of IPsec client software products available fro...

Страница 393: ...range that is totally different to any internal network This prevents any chance of an address in the range also being used on the internal network 2 Define two other IP objects ip_ext which is the ex...

Страница 394: ...should be defined in the IP rule set Action Src Interface Src Network Dest Interface Dest Network Service Allow l2tp_tunnel l2tp_pool any int_net All NAT ipsec_tunnel l2tp_pool ext all nets All The s...

Страница 395: ...t being able to NAT PPTP connections through a tunnel so multiple clients can use a single connection to the NetDefend Firewall If NATing is tried then only the first client that tries to connect will...

Страница 396: ...s 0 0 0 0 0 4 Now set up the IP rules in the IP rule set Action Src Interface Src Network Dest Interface Dest Network Service Allow pptp_tunnel pptp_pool any int_net All NAT pptp_tunnel pptp_pool ext...

Страница 397: ...low of events can be briefly described as follows IKE negotiates how IKE should be protected IKE negotiates how IPsec should be protected IPsec moves data in the VPN The following sections will descri...

Страница 398: ...mply by performing another phase 2 negotiation There is no need to do another phase 1 negotiation until the IKE lifetime has expired IKE Algorithm Proposals An IKE algorithm proposal list is a suggest...

Страница 399: ...from the same initial keying material This is to make sure that in the unlikely event that some key was compromised no subsequent keys can be derived Once the phase 2 negotiation is finished the VPN c...

Страница 400: ...cified as a URL string such as vpn company com If this is done the prefix dns must be used The string above should therefore be specified as dns vpn company com The remote endpoint is not used in tran...

Страница 401: ...ified in time seconds as well as data amount kilobytes Whenever one of these expires a new phase 1 exchange will be performed If no data was transmitted in the last incarnation of the IKE connection n...

Страница 402: ...ec Authentication This specifies the authentication algorithm used on the protected traffic This is not used when ESP is used without authentication although it is not recommended to use ESP without a...

Страница 403: ...g Advantages Since it is very straightforward it will be quite interoperable Most interoperability problems encountered today are in IKE Manual keying completely bypasses IKE and sets up its own set o...

Страница 404: ...omeone that the remote endpoint trusts Advantages of Certificates A principal advantage of certificates is added flexibility Many VPN clients for instance can be managed without having the same pre sh...

Страница 405: ...er the original IP header in tunnel mode the ESP header is inserted after the outer header but before the original inner IP header All data after the ESP header is encrypted and or authenticated The d...

Страница 406: ...negotiation is moved away from UDP port 500 to port 4500 This is necessary since certain NAT devices treat UDP packet on port 500 differently from other UDP packets in an effort to work around the NAT...

Страница 407: ...for different VPN scenarios and user defined lists can be added Two IKE algorithm lists and two IPsec lists are already defined by default High This consists of a more restricted set of algorithms to...

Страница 408: ...ase and not a hexadecimal value the different encodings on different platforms can cause a problem with non ASCII characters Windows for example encodes pre shared keys containing non ASCII characters...

Страница 409: ...l corporate networks using VPN clients The organization administers their own Certificate Authority and certificates have been issued to the employees Different groups of employees are likely to have...

Страница 410: ...thMethod Certificate IDList MyIDList RootCertificates AdminCert GatewayCertificate AdminCert Web Interface First create an Identification List 1 Go to Objects VPN Objects ID List Add ID List 2 Enter a...

Страница 411: ...4 Select the appropriate certificate in the Root Certificate s and Gateway Certificate controls 5 Select MyIDList in the Identification List 6 Click OK 9 3 8 Identification Lists Chapter 9 VPN 411...

Страница 412: ...that has been decrypted will be checked against the IP rule set When doing this IP rule set check the source interface of the traffic will be the associated IPsec tunnel since tunnels are treated lik...

Страница 413: ...be broken and an attempt is automatically made to re establish the tunnel This feature is only useful for LAN to LAN tunnels Optionally a specific source IP address and or a destination IP address fo...

Страница 414: ...routing table or another table if an alternate is being used Set up the Rules a 2 way tunnel requires 2 rules 9 4 3 Roaming Clients An employee who is on the move who needs to access a central corpor...

Страница 415: ...the roaming users will connect to Remote Network all nets Remote Endpoint None Encapsulation Mode Tunnel 3 For Algorithms enter IKE Algorithms Medium or High IPsec Algorithms Medium or High 4 For Aut...

Страница 416: ...ID for every client that is to be granted access rights according to the instructions above D Configure the IPsec tunnel 1 Go to Interfaces IPsec Add IPsec Tunnel 2 Now enter Name RoamingIPsecTunnel...

Страница 417: ...ip Web Interface A Upload all the client certificates 1 Go to Objects Authentication Objects Add Certificate 2 Enter a suitable name for the Certificate object 3 Select the X 509 Certificate option 4...

Страница 418: ...an IP Pool object An IP pool is a cache of IP addresses collected from DHCP servers and leases on these addresses are automatically renewed when the lease time is about to expire IP Pools also manage...

Страница 419: ...log message generated with a severity level of Warning This message includes the two IP addresses as well as the client identity Optionally the affected SA can be automatically deleted if validation f...

Страница 420: ...IKE negotiation The output can be overwhelming so to limit the output to a single IP address for example the IP address 10 1 1 10 the command would be gw world ikesnoop on 10 1 1 10 verbose The IP ad...

Страница 421: ...8 Payloads SA Security Association Payload data length 152 bytes DOI 1 IPsec DOI Proposal 1 1 Protocol 1 1 Protocol ID ISAKMP SPI Size 0 Transform 1 4 Transform ID IKE Encryption algorithm Rijndael c...

Страница 422: ...bytes Vendor ID 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 Description draft ietf ipsec nat t ike 03 Explanation of Values Exchange type Main mode or aggressive mode IKEv1 0 only Cookies A rando...

Страница 423: ...Description draft ietf ipsec nat t ike 00 VID Vendor ID Payload data length 16 bytes Vendor ID cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 Description draft ietf ipsec nat t ike 02 VID Vendor ID P...

Страница 424: ...nds the identification which is normally an IP address or the Subject Alternative Name if certificates are used IkeSnoop Received IKE packet from 192 168 0 10 500 Exchange type Identity Protection mai...

Страница 425: ...168 0 10 500 Exchange type Quick mode ISAKMP Version 1 0 Flags E encryption Cookies 0x6098238b67d97ea6 0x5e347cb76e95a Message ID 0xaa71428f Packet length 264 bytes payloads 5 Payloads HASH Hash Paylo...

Страница 426: ...ode Could be transport tunnel or UDP tunnel NAT T ID ipv4 any 0 0 3 10 4 2 6 Here the first ID is the local network of the tunnel from the client s point of view and the second ID is the remote networ...

Страница 427: ...6e95a Message ID 0xaa71428f Packet length 48 bytes payloads 1 Payloads HASH Hash Payload data length 16 bytes 9 4 6 IPsec Advanced Settings The following NetDefendOS advanced settings are available fo...

Страница 428: ...ithout consulting the rule set Default Enabled IKE CRL Validity Time A CRL contains a next update field that dictates the time and date when a new CRL will be available for download from the CA The ti...

Страница 429: ...PD R U THERE messages to the other side Default 3 in other words 3 x 10 30 seconds DPD Keep Time The amount of time in tens of seconds that a peer is assumed to be dead after NetDefendOS has detected...

Страница 430: ...has not sent a response to any messages then it is considered to be dead not reachable The SA will then be placed in the dead cache This setting is used with IKEv1 only Default 15 seconds 9 4 6 IPsec...

Страница 431: ...ementation PPTP can be used in the VPN context to tunnel different protocols across the Internet Tunneling is achieved by encapsulating PPP packets in IP datagrams using Generic Routing Encapsulation...

Страница 432: ...nder the Add Route tab select all_nets from Allowed Networks 6 Click OK Use User Authentication Rules is enabled as default To be able to authenticate the users using the PPTP tunnel it is required to...

Страница 433: ...er the Add Route tab select all_nets in the Allowed Networks control 6 Click OK Use User Authentication Rules is enabled as default To be able to authenticate users using the PPTP tunnel it is necessa...

Страница 434: ...IPsecLifeTimeSeconds 3600 Web Interface 1 Go to Interfaces IPsec Add IPsec Tunnel 2 Enter a name for the IPsec tunnel for example l2tp_ipsec 3 Now enter a Local Network wan_ip b Remote Network all ne...

Страница 435: ...lick OK In order to authenticate the users using the L2TP tunnel a user authentication rule needs to be configured D Next will be setting up the authentication rules Command Line Interface gw world ad...

Страница 436: ...Interface 1 Go to Rules IP Rules Add IPRule 2 Enter a name for the rule for example AllowL2TP 3 Now enter Action Allow Service all_services Source Interface l2tp_tunnel Source Network l2tp_pool Destin...

Страница 437: ...olves the following settings General Parameters Name A symbolic name for the client Interface Type Specifies if it is a PPTP or L2TP client Remote Endpoint The IP address of the remote endpoint Where...

Страница 438: ...demand should trigger on Send or Recv or both Idle Timeout The time of inactivity in seconds to wait before disconnection Using the PPTP Client Feature One usage of the PPTP client feature is shown i...

Страница 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439...

Страница 440: ...following scenarios are possible 1 The CA server is a private server behind the NetDefend Firewall and the tunnels are set up over the public Internet but to clients that will not try to validate the...

Страница 441: ...ion Components CA Server Access by Clients In a VPN tunnel with roaming clients connecting to the NetDefend Firewall the VPN client software may need to access the CA server Not all VPN client softwar...

Страница 442: ...er must be configured in NetDefendOS so that these requests can be resolved Turning Off FQDN Resolution As explained in the troubleshooting section below identifying problems with CA server access can...

Страница 443: ...airport the client will get an IP address from the Wi Fi network s DHCP server If that IP also belongs to the network behind the NetDefend Firewall accessible through a tunnel then Windows will still...

Страница 444: ...if CA server access could be the problem CA Server issues are discussed further in Section 9 6 CA Server Access 9 7 3 IPsec Troubleshooting Commands A number of commands can be used to diagnose IPsec...

Страница 445: ...noop on ip address verbose Ikesnoop can be turned off with the command gw world ikesnoop off For a more detailed discussion of this topic see Section 9 4 5 Troubleshooting with ikesnoop 9 7 4 Manageme...

Страница 446: ...multiple IPsec SA s one SA per network or host if that option is used The defined network size is also important in that it must be exactly the same size on both sides as will be mentioned again later...

Страница 447: ...likely the error message that will be generated 5 No public key found This is a very common error message when dealing with tunnels that use certificates for authentication Troubleshooting this error...

Страница 448: ...ssary to examine the settings for the local network remote network IKE proposal list and IPsec proposal list on both sides to try to identify a miss match For example suppose the following IPsec setti...

Страница 449: ...imple to compare the network that both sides are sending in phase 2 With that information it should be possible to spot the network problem It can be the case that it is a network size mismatch or tha...

Страница 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450...

Страница 451: ...s for prioritizing traffic passing through the NetDefend Firewall It is important to understand that NetDefendOS traffic shaping does not add new Diffserv information as packets traverse a NetDefend F...

Страница 452: ...ce object that uses the SIP ALG cannot be also subject to traffic shaping 10 1 2 Traffic Shaping in NetDefendOS NetDefendOS offers extensive traffic shaping capabilities for the packets passing throug...

Страница 453: ...rules is initially empty with no rules being defined by default At least one rule must be created for traffic shaping to begin to function Pipe Rule Chains When a pipe rule is defined the pipes to be...

Страница 454: ...is implemented by using the NetDefendOS state engine which is the subsystem that deals with the tracking of connections FwdFast IP rules do not set up a connection in the state engine Instead packets...

Страница 455: ...ound 3 Now enter Service all_services Source Interface lan Source Network lannet Destination Interface wan Destination Network all nets 4 Under the Traffic Shaping tab make std in selected in the Retu...

Страница 456: ...r 2000 in Total textbox 4 Click OK After creating a pipe for outbound bandwidth control add it to the forward pipe chain of the rule created in the previous example Command Line Interface gw world set...

Страница 457: ...it will pass through the std in pipe along with other inbound traffic which will apply the 250 kbps total limit Figure 10 3 Differentiated Limits Using Chains If surfing uses the full limit of 125 kb...

Страница 458: ...ces 4 and 6 instead of 0 and 3 will makes no difference to the end result Allocating Precedence to Traffic The way precedence is assigned to traffic is specified in the triggering pipe rule and can be...

Страница 459: ...refix Mega means one million in a traffic bandwidth context Precedence Limits are also Guarantees A precedence limit is both a limit and a guarantee The bandwidth specified for precedence also guarant...

Страница 460: ...hausted then they are dropped If a total limit for a pipe is not specified it is the same as saying that the pipe has unlimited bandwidth and consequently it can never become full so precedences have...

Страница 461: ...lower precedences has no meaning and will be ignored by NetDefendOS Differentiated Guarantees A problem arises if the aim is to give a specific 32 kbps guarantee to Telnet traffic and a specific 64 kb...

Страница 462: ...ble bandwidth with other traffic 10 1 7 Pipe Groups NetDefendOS provides a further level of control within pipes through the ability to split pipe bandwidth into individual resource users within a gro...

Страница 463: ...ill be guaranteed 50 Kbps at the expense of lower precedences The precedences for each user must be allocated by different pipe rules that trigger on particular users For example if grouping is by sou...

Страница 464: ...ence Values Let us suppose that grouping is enabled by one of the options such as source IP and some values for precedences have been specified under Group Limits How does these combine with values sp...

Страница 465: ...16 kbps some will not Dynamic balancing can be enabled to improve this situation by making sure all of the 5 users get the same amount of limited bandwidth When the 5th user begins to generate SSH tr...

Страница 466: ...y the traffic shaping subsystem and it is therefore more important to set pipe limits slightly below the real connection limit to account for the time needed for NetDefendOS to adapt to changing condi...

Страница 467: ...cedence all packets are treated on a first come first forwarded basis Within a pipe traffic can also be separated on a Group basis For example by source IP address Each user in a group for example eac...

Страница 468: ...ffic to the default precedence level and the pipes will limit total traffic to their 1 Mbps limit Having Dynamic Balancing enabled on the pipes means that all users will be allocated a fair share of t...

Страница 469: ...ffic immediately before it enters the in pipe and out pipe and competes with VoIP Citrix and Web surfing traffic A VPN Scenario In the cases discussed so far all traffic shaping is occurring inside a...

Страница 470: ...700 kbps the total traffic is limited to 2000 kbps and VoIP to the remote site is guaranteed 500 kbps of capacity before it is forced to best effort SAT with Pipes If SAT is being used for example wit...

Страница 471: ...Note SAT and ARPed IP Addresses If the SAT is from an ARPed IP address the wan interface needs to be the destination 10 1 10 More Pipe Examples Chapter 10 Traffic Management 471...

Страница 472: ...ity to apply throttling through the NetDefendOS traffic shaping subsystem when the targeted traffic is recognized IDP Traffic Shaping is a combination of these two features where traffic flows identif...

Страница 473: ...subject to the pipe traffic shaping bandwidth specified in the IDP rule 3 A new connection is then established that does not trigger an IDP rule but has a source or destination IP that is the same as...

Страница 474: ...2P Scenario The schematic below illustrates a typical scenario involving P2P data transfer The sequence of events is The client with IP address 192 168 1 15 initiates a P2P file transfer through a con...

Страница 475: ...ed pipes the CLI command is gw world pipes show The IDP Traffic Shaping pipes can be recognized by their distinctive naming convention which is explained next Pipe Naming NetDefendOS names the pipes i...

Страница 476: ...y by default and are therefore guaranteed that bandwidth 10 2 8 Logging IDP Traffic Shaping generates log messages on the following events When an IDP rule with the Pipe option has triggered and eithe...

Страница 477: ...e such as HTTP can be associated with it Each rule can have associated with it one or more Actions which specify how to handle different threshold conditions A Threshold Rule has the following paramet...

Страница 478: ...ged 10 3 6 Exempted Connections It should be noted that some advanced settings known as Before Rules settings can exempt certain types of connections for remote management from examination by the NetD...

Страница 479: ...of time in seconds for which the source is blacklisted can also be set This feature is discussed further in Section 6 7 Blacklisting Hosts and Networks 10 3 8 Threshold Rule Blacklisting Chapter 10 T...

Страница 480: ...ple servers can improve not just the performance of applications but also scalability by facilitating the implementation of a cluster of servers sometimes referred to as a server farm that can handle...

Страница 481: ...rs An important first step in SLB deployment is to identify the servers across which the load is to be balanced This might be a server farm which is a cluster of servers set up to work as a single vir...

Страница 482: ...ces such as HTTPS which require a repeated connection to the same host Network Stickiness This mode is similar to IP stickiness except that the stickiness can be associated with a network instead of a...

Страница 483: ...compares if the source IP address belongs to the same network as a previous connection already in the table If they belong to the same network then stickiness to the same server will result The defaul...

Страница 484: ...onfiguration SLB can monitor different OSI layers to check the condition of each server Regardless of the algorithms used if a server is deemed to have failed SLB will not open any more connections to...

Страница 485: ...nterface Src Network Dest Interface Dest Network WEB_SLB SLB_SAT any all nets core ip_ext WEB_SLB_ALW Allow any all nets core ip_ext If there are clients on the same network as the webservers that als...

Страница 486: ...C Specify the SLB_SAT IP rule 1 Go to Rules IP Rule Sets main Add IP Rule 2 Enter Name Web_SLB Action SLB_SAT Service HTTP Source Interface any Source Network all nets Destination Interface core Dest...

Страница 487: ...IP Rule 2 Enter Name Web_SLB_ALW Action Allow Service HTTP Source Interface any Source Network all nets Destination Interface core Destination Network ip_ext 3 Click OK 10 4 6 Setting Up SLB_SAT Rule...

Страница 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488...

Страница 489: ...will continue to be active but the master will now monitor the slave with failover only taking place if the slave fails This is sometimes known as an active passive implementation of fault tolerance...

Страница 490: ...exist in a single cluster The only processing role that the inactive unit plays is to replicate the state of the active unit and to take over all traffic processing if it detects the active unit is no...

Страница 491: ...ng enough to cause the inactive system to go active even though the other is still active Disabling Heartbeat Sending on Interfaces The administrator can manually disable heartbeat sending on any inte...

Страница 492: ...e sender address This allows switches to re learn within milliseconds where to send packets destined for the shared address The only delay in failover therefore is detecting that the active unit is do...

Страница 493: ...statistics would indicate a failure to synchronize If the sync interface is functioning correctly there may still be some small differences in the statistics from each cluster unit but these will be m...

Страница 494: ...ss object allow remote management through that interface These addresses can also be pinged using ICMP provided that IP rules are defined to permit this by default ICMP queries are dropped by the rule...

Страница 495: ...ame switch which then connects to an internal network Similarly the wan interface on the master and the wan interface would connect to a switch which in turn connects to the external Internet Note The...

Страница 496: ...the public Internet is required 9 Save and activate the new configuration 10 Repeat the above steps for the other NetDefend Firewall but this time select the node type to be Slave Making Cluster Confi...

Страница 497: ...bers of connections but can have the disadvantage of increasing throughput latency 11 3 4 Unique Shared Mac Addresses For HA setup NetDefendOS provides the advanced option Use Unique Shared MAC Addres...

Страница 498: ...Lockdown Mode Failed Interfaces Failed interfaces will not be detected unless they fail to the point where NetDefendOS cannot continue to function This means that failover will not occur if the active...

Страница 499: ...also be a second backup designated router to provide OSPF metrics if the main designated router should fail PPPoE Tunnels and DHCP Clients For reasons connected with the shared IP addresses of an HA...

Страница 500: ...ne of the cluster units and issue the ha command The typical output if the unit is active is shown below gw world ha This device is a HA SLAVE This device is currently ACTIVE will forward traffic This...

Страница 501: ...ailover is complete upgrade the newly inactive unit with the new NetDefendOS version Just like step B this is done in the normal way as though the unit were not part of a cluster E Wait for resynchron...

Страница 502: ...psed the synchronization traffic is then only sent after repeated periods of silence The length of this silence is this setting Default 5 Use Unique Shared Mac Use a unique shared MAC address for each...

Страница 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503...

Страница 504: ...d can be dynamically blocked using the ZoneDefense feature Thresholds are based on either the number of new connections made per second or on the total number of connections being made These connectio...

Страница 505: ...526 R3 x Version R3 06 B20 only DES 3526 R4 x Version R4 01 B19 or later DES 3550 R3 x Version R3 05 B38 only DES 3550 R4 x Version R4 01 B19 or later DES 3800 Series Version R2 00 B13 or later DGS 32...

Страница 506: ...xceeded The limit can be one of two types Connection Rate Limit This can be triggered if the rate of new connections per second to the firewall exceeds a specified threshold Total Connections Limit Th...

Страница 507: ...nnections second is applied If the connection rate exceeds this limitation the firewall will block the specific host in network range 192 168 2 0 24 for example from accessing the switch completely A...

Страница 508: ...se with Anti Virus Scanning ZoneDefense can be used in conjuction with the NetDefendOS Anti Virus scanning feature NetDefendOS can first identify a virus source through antivirus scanning and then blo...

Страница 509: ...lly in order to block a host or network one rule per switch port is needed When this limit has been reached no more hosts or networks will be blocked out Important Clearing the ACL rule set on the swi...

Страница 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510...

Страница 511: ...ragmentation Settings page 527 Local Fragment Reassembly Settings page 531 Miscellaneous Settings page 532 13 1 IP Level Settings Log Checksum Errors Logs occurrences of IP packets containing erroneou...

Страница 512: ...on Low Determines the action taken on packets whose TTL falls below the stipulated TTLMin value Default DropLog Multicast TTL on Low What action to take on too low multicast TTL values Default DropLog...

Страница 513: ...ault DropLog IP Options Timestamps Time stamp options instruct each router and firewall on the packet s route to indicate at what time the packet was forwarded along the route These options do not occ...

Страница 514: ...ts equal to or smaller than the size specified by this setting Default 65535 bytes Multicast Mismatch option What action to take when Ethernet and IP multicast addresses does not match Default DropLog...

Страница 515: ...cording to the next setting Default 1460 bytes TCP MSS VPN Max As is the case with TCPMSSMax this is the highest Maximum Segment Size allowed However this setting only controls MSS in VPN connections...

Страница 516: ...cknowledgement options These options are used to ACK individual packets instead of entire series which can increase the performance of connections experiencing extensive packet loss They are also used...

Страница 517: ...urned on The presence of a SYN flag indicates that a new connection is in the process of being opened and an URG flag means that the packet contains data requiring urgent attention These two flags sho...

Страница 518: ...Ymas flag turned on These flags are currently mostly used by OS Fingerprinting It should be noted that a developing standard called Explicit Congestion Notification also makes use of these TCP flags b...

Страница 519: ...Bad ValidateSilent and will block some valid TCP re open attempts The most significant impact of this will be that common web surfing traffic short but complete transactions requested from a relativel...

Страница 520: ...ng limits how many Rejects per second may be generated by the Reject rules in the Rules section Default 500 Silently Drop State ICMPErrors Specifies if NetDefendOS should silently drop ICMP errors per...

Страница 521: ...determining whether the remote peer is attempting to open a new connection Default Enabled Log State Violations Determines if NetDefendOS logs packets that violate the expected state switching diagram...

Страница 522: ...gnostic and testing purposes since it generates unwieldy volumes of log messages and can also significantly impair throughput performance Default Disabled Dynamic Max Connections Allocate the Max Conn...

Страница 523: ...may idle before finally being closed Connections reach this state when a packet with its FIN flag on has passed in any direction Default 80 UDP Idle Lifetime Specifies in seconds how long UDP connecti...

Страница 524: ...ther Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before it is closed Default 130 13 5 Connection Timeout Settings Chapter 13 Advanced Settings 524...

Страница 525: ...any real time applications use large fragmented UDP packets If no such protocols are used the size limit imposed on UDP packets can probably be lowered to 1480 bytes Default 60000 Max ICMP Length Spec...

Страница 526: ...e of an IP in IP packet IP in IP is used by Checkpoint Firewall 1 VPN connections when IPsec is not used This value should be set at the size of the largest packet allowed to pass through the VPN conn...

Страница 527: ...rack DropPacket Discards the illegal fragment and all previously stored fragments Will not allow further fragments of this packet to pass through during ReassIllegalLinger seconds DropLogPacket As Dro...

Страница 528: ...nts have been involved LogSuspectSubseq As LogSuspect but also logs subsequent fragments of the packet as and when they arrive LogAll Logs all failed reassembly attempts LogAllSubseq As LogAll but als...

Страница 529: ...send 1480 byte fragments and a router or VPN tunnel on the route to the recipient subsequently reduce the effective MTU to 1440 bytes This would result in the creation of a number of 1440 byte fragme...

Страница 530: ...ket has been marked as illegal NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving Default 60 13 7 Fragmentation...

Страница 531: ...oncurrent local reassemblies Default 256 Max Size Maximum size of a locally reassembled packet Default 10000 Large Buffers Number of large over 2K local reassembly buffers of the above size Default 32...

Страница 532: ...ssociated settings limit memory used by the re assembly subsystem This setting specifies how many connections can use the re assembly system at the same time It is expressed as a percentage of the tot...

Страница 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533...

Страница 534: ...de can be downloaded A step by step Registration manual which explains registration and update service procedures in more detail is available for download from the D Link website Subscription renewal...

Страница 535: ...ith the command gw world removedb IDP To remove the Anti Virus database use the command gw world removedb Antivirus Once removed the entire system should be rebooted and a database update initiated Re...

Страница 536: ...ITAS Backup solutions BOT_GENERAL Activities related to bots including those controlled by IRC channels BROWSER_FIREFOX Mozilla Firefox BROWSER_GENERAL General attacks targeting web browsers clients B...

Страница 537: ...on IP_OVERFLOW Overflow of IP protocol implementation IRC_GENERAL Internet Relay Chat LDAP_GENERAL General LDAP clients servers LDAP_OPENLDAP Open LDAP LICENSE_CA LICENSE License management for CA sof...

Страница 538: ...RSYNC_GENERAL Rsync SCANNER_GENERAL Generic scanners SCANNER_NESSUS Nessus Scanner SECURITY_GENERAL Anti virus solutions SECURITY_ISS Internet Security Systems software SECURITY_MCAFEE McAfee SECURITY...

Страница 539: ...ENERAL Virus VOIP_GENERAL VoIP protocol and implementation VOIP_SIP SIP protocol and implementation WEB_CF FILE INCLUSION Coldfusion file inclusion WEB_FILE INCLUSION File inclusion WEB_GENERAL Web ap...

Страница 540: ...letype extension Application 3ds 3d Studio files 3gp 3GPP multimedia file aac MPEG 2 Advanced Audio Coding File ab Applix Builder ace ACE archive ad3 Dec systems compressed Voice File ag Applix Graphi...

Страница 541: ...inHex 4 compressed archive icc Kodak Color Management System ICC Profile icm Microsoft ICM Color Profile file ico Windows Icon file imf Imago Orpheus module sound data Inf Sidplay info file it Impulse...

Страница 542: ...Network Graphic ppm PBM Portable Pixelmap Graphic ps PostScript file psa PSA archive data psd Photoshop Format file qt mov moov QuickTime Movie file qxd QuarkXpress Document ra ram RealMedia Streaming...

Страница 543: ...e Player Streaming Video file wav Waveform Audio wk Lotus 1 2 3 document wmv Windows Media file wrl vrml Plain Text VRML file xcf GIMP Image file xm Fast Tracker 2 Extended Module audio file xml XML f...

Страница 544: ...yer purpose Layer 7 Application Layer 6 Presentation Layer 5 Session Layer 4 Transport Layer 3 Network Layer 2 Data Link Layer 1 Physical Figure D 1 The 7 Layers of the OSI Model Layer Functions The d...

Страница 545: ...e spam filtering anti virus scanning 314 activating 315 database 316 fail mode behaviour 316 in the FTP ALG 252 in the HTTP ALG 247 in the POP3 ALG 268 in the SMTP ALG 259 memory requirements 314 rela...

Страница 546: ...ty gateway script sgs 43 uploading with SCP 48 validation 44 variables 43 verbose output 44 cluster see high availability cluster ID see high availability command line interface see CLI config mode 41...

Страница 547: ...llow in FTP ALG 252 in HTTP ALG 247 Flood Reboot Time setting 532 folders with IP rules 126 with the address book 84 Fragmented ICMP setting 529 FTP ALG 249 command restrictions 251 connection restric...

Страница 548: ...93 internet key exchange see IKE Interval between synchronization setting 142 intrusion detection and prevention see IDP intrusion detection rule 322 invalid checksum in cluster heartbeats 498 IP add...

Страница 549: ...drift setting 142 Max Transactions DHCP setting 236 Max UDP Length setting 525 memlog 58 MIME filetype verification in FTP ALG 252 in HTTP ALG 247 in POP3 ALG 268 in SMTP ALG 259 list of filetypes 54...

Страница 550: ...55 dynamic 176 local IP address 150 metric for default routes 155 metrics 148 178 monitoring 156 narrowest matching principle 150 principles 148 routes added at startup 154 static 148 the all nets rou...

Страница 551: ...ting 517 TCP Option SACK setting 516 TCP Option Sizes setting 515 TCP Option TSOPT setting 516 TCP Option WSOPT setting 516 TCP Reserved Field setting 518 TCP Sequence Numbers setting 518 TCP SYN FIN...

Страница 552: ...02 whitelisting 301 web interface 28 30 default connection interface 30 setting workstation IP 30 WebUI see web interface WebUI Before Rules setting 50 WebUI HTTP port setting 51 WebUI HTTPS port sett...

Отзывы:

Нет отзывов

Похожие инструкции для NetDefend DFL-260E

Kerio Tech Control Box 1000 Serie Quick Manual preview
Control Box 1000 Serie
Бренд: Kerio Tech Страницы: 24
H3C SecPath NS-HTIM-GMG2A Manual preview
SecPath NS-HTIM-GMG2A
Бренд: H3C Страницы: 17
Fortinet FortiBridge 1000 Installation Manual preview
FortiBridge 1000
Бренд: Fortinet Страницы: 56
Source fire Sourcefire 3D System Installation Manual preview
Sourcefire 3D System
Бренд: Source fire Страницы: 280
Lanner FW-7551SE User Manual preview
FW-7551SE
Бренд: Lanner Страницы: 59
Trend Micro Deep Edge Quick Start Manual preview
Deep Edge
Бренд: Trend Micro Страницы: 2

Бренды по названию

Популярные бренды

Загрузить еще бренды