D-Link DFL-1600 - Security Appliance User Manual

Manual is about: NetDefendOS Network Security Firewall

Summary of DFL-1600 - Security Appliance

  • Page 1

    Network security solution http://www.Dlink.Com security security dfl-210/ 800/1600/ 2500 dfl-260/ 860 ver. 1.06 network security firewall user manual.

  • Page 2: User Manual

    User manual dfl-210/260/800/860/1600/2500 netdefendos version 2.20 d-link netdefend security http://security.Dlink.Com.Tw published 2007-12-24 copyright © 2007.

  • Page 3

    User manual dfl-210/260/800/860/1600/2500 netdefendos version 2.20 published 2007-12-24 copyright © 2007 copyright notice this publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manual, nor any o...

  • Page 4: Table Of Contents

    Table of contents preface ...............................................................................................................12 1. Product overview .............................................................................................14 1.1. About d-link netdefendos .................

  • Page 5

    3.4.3. Arp cache .................................................................................68 3.4.4. Static and published arp entries ....................................................69 3.4.5. Advanced arp settings ................................................................71 3.5. The...

  • Page 6

    6.2.8. H.323 ...................................................................................... 155 6.3. Web content filtering ........................................................................... 169 6.3.1. Overview ............................................................................

  • Page 7

    9.2.3. Ipsec roaming clients with certificates ......................................... 234 9.2.4. L2tp roaming clients with pre-shared keys ................................. 234 9.2.5. L2tp roaming clients with certificates ........................................ 236 9.2.6. Pptp roaming clients ....

  • Page 8

    12.3.1. Snmp .................................................................................... 300 12.3.2. Threshold rules ....................................................................... 300 12.3.3. Manual blocking and exclude lists ............................................. 300 12.3.4...

  • Page 9: List Of Figures

    List of figures 1.1. Packet flow schematic part i ...........................................................................19 1.2. Packet flow schematic part ii ..........................................................................20 1.3. Packet flow schematic part iii ...........................

  • Page 10: List Of Examples

    List of examples 1. Example notation .............................................................................................12 2.1. Enabling ssh remote access ..........................................................................25 2.2. Enabling remote management via https. ..................

  • Page 11

    5.1. Setting up a dhcp server .............................................................................. 128 5.2. Checking the status of a dhcp server .............................................................. 129 5.3. Setting up static dhcp .....................................................

  • Page 12: Preface

    Preface intended audience the target audience for this reference guide is administrators who are responsible for configuring and managing d-link firewalls which are running the netdefendos operating system. This guide assumes that the reader has some basic knowledge of networks and network security....

  • Page 13: Highlighted Content

    Highlighted content special sections of text which the reader should pay special attention to are indicated by icons on the left hand side of the page followed by a short paragraph in italicized text. Such sections are of the following types with the following purposes: note this indicates some piec...

  • Page 14

    Chapter 1. Product overview this chapter outlines the key features of netdefendos. • about d-link netdefendos, page 14 • netdefendos architecture, page 16 • netdefendos state engine packet flow, page 19 1.1. About d-link netdefendos d-link netdefendos is the firmware, the software engine that drives...

  • Page 15

    Hosts. For more information about the idp capabilities of netdefendos, please see section 6.5, “intrusion detection and prevention”. Anti-virus netdefendos features integrated gateway anti-virus functionality. Traffic passing through the gateway can be subjected to in-depth scanning for viruses, and...

  • Page 16

    1.2. Netdefendos architecture 1.2.1. State-based architecture the netdefendos architecture is centered around the concept of state-based connections. Traditional ip routers or switches commonly inspect all packets and then perform forwarding decisions based on information found in the packet headers...

  • Page 17: 1.2.3. Basic Packet Flow

    1.2.3. Basic packet flow this section outlines the basic flow in the state-engine for packets received and forwarded by netdefendos. Please note that this description is simplified and might not be fully applicable in all scenarios. The basic principle, however, is still valid in all applications. 1...

  • Page 18

    And the event is logged according to the log settings for the rule. If the action is allow, the packet is allowed through the system. A corresponding state will be added to the connection table for matching subsequent packets belonging to the same connection. In addition, the service object which ma...

  • Page 19

    1.3. Netdefendos state engine packet flow the diagrams in this section provide a summary of the flow of packets through the netdefendos state-engine. There are three diagrams, each flowing into the next. Figure 1.1. Packet flow schematic part i the packet flow is continued on the following page. 1.3...

  • Page 20

    Figure 1.2. Packet flow schematic part ii the packet flow is continued on the following page. Figure 1.3. Packet flow schematic part iii 1.3. Netdefendos state engine packet flow chapter 1. Product overview 20

  • Page 21

    1.3. Netdefendos state engine packet flow chapter 1. Product overview 21.

  • Page 22

    1.3. Netdefendos state engine packet flow chapter 1. Product overview 22.

  • Page 23: 2.1. Managing Netdefendos

    Chapter 2. Management and maintenance this chapter describes the management, operations and maintenance related aspects of netdefendos. • managing netdefendos, page 23 • events and logging, page 35 • radius accounting, page 39 • monitoring, page 43 • maintenance, page 45 2.1. Managing netdefendos 2....

  • Page 24: 2.1.3. The Cli

    By default, netdefendos has a local user database, adminusers, with one user account pre-defined: • username admin with password admin. This account has full administrative read/write privileges. Important for security reasons, it is recommended to change the default password of the default account ...

  • Page 25

    Ssh (secure shell) cli access the ssh (secure shell) protocol can be used to access the cli over the network from a remote host. Ssh is a protocol primarily used for secure communication over insecure networks, providing strong authentication and data integrity. Many ssh clients are freely available ...

  • Page 26: 2.1.4. The Webui

    Device:/> set device name="gw-world" the cli reference guide uses the command prompt gw-world:/> throughout. Note when the command line prompt is changed to a new string value, this string also appears as the new device name in the top level node of the webui tree-view. Activate and committing chang...

  • Page 27

    Enter your username and password and click the login button. If the user credentials are correct, you will be transferred to the main web interface page. This page, with its essential parts highlighted, is shown below. Multi-language support the webui login dialog offers the option to select a langu...

  • Page 28

    • home - navigates to the first page of the web interface. • configuration • save and activate - saves and activates the configuration. • discard changes - discards any changes made to the configuration during the current session. • view changes - list the changes made to the configuration since it ...

  • Page 29

    • user database: adminusers • interface: any • network: all-nets 5. Click ok caution the above example is provided for informational purposes only. It is never recommended to expose any management interface to any user on the internet. Logging out from the web interface when you have finished workin...

  • Page 30

    Gw-world:/> show service a list of all services will be displayed, grouped by their respective type. Web interface 1. Go to objects > services 2. A web page listing all services will be presented. A list contains the following basic elements: • add button - displays a dropdown menu when clicked. The...

  • Page 31

    Example 2.5. Editing a configuration object when you need to modify the behavior of netdefendos, you will most likely need to modify one or several configuration objects. This example shows how to edit the comments property of the telnet service. Cli gw-world:/> set service servicetcpudp telnet comm...

  • Page 32

    1. Go to objects > address book 2. Click on the add button 3. In the dropdown menu displayed, select ip4 address 4. In the name text box, enter myhost 5. Enter 192.168.10.10 in the ip address textbox 6. Click ok 7. Verify that the new ip4 address object has been added to the list example 2.7. Deleti...

  • Page 33

    Cli gw-world:/> show -changes type object ------------- ------ - ip4address myhost * servicetcpudp telnet a "+" character in front of the row indicates that the object has been added. A "*" character indicates that the object has been modified. A "-" character indicates that the object has been mark...

  • Page 34

    Note the configuration must be committed before changes are saved. All changes to a configuration can be ignored simply by not committing a changed configuration. 2.1.5. Working with configurations chapter 2. Management and maintenance 34.

  • Page 35: 2.2. Events And Logging

    2.2. Events and logging 2.2.1. Overview the ability to log and analyze system activities is an essential feature of netdefendos. Logging enables not only monitoring of system status and health, but also allows auditing of network usage and assists in trouble-shooting. Netdefendos defines a number of...

  • Page 36

    Memlog a d-link firewall has a built in logging mechanism known as the memory log. This retains all event log messages in memory and allows direct viewing of log messages through the web interface. Syslog the de-facto standard for logging events from network devices. If other network devices are alr...

  • Page 37

    Note the syslog server may have to be configured to receive log messages from netdefendos. Please see the documentation for your specific syslog server software in order to correctly configure it. 2.2.3.2. Snmp traps the snmp protocol simple network management protocol (snmp) is a means for communic...

  • Page 38

    Cli gw-world:/> add logreceiver eventreceiversnmp2c my_snmp ipaddress=195.11.22.55 web interface 1. Go to log & event receivers > add > eventreceiversnmp2c 2. Specify a name for the event receiver, e.g. My_snmp 3. Enter 195.11.22.55 as the ip address 4. Enter an snmp community string if needed by the ...

  • Page 39: 2.3. Radius Accounting

    2.3. Radius accounting 2.3.1. Overview within a network environment containing large numbers of users, it is advantageous to have one or a cluster of central servers that maintain user account information and are responsible for authentication and authorization tasks. The central database residing o...

  • Page 40

    Database. • delay time - the time delay (in seconds) since the accountingrequest packet was sent and the authentication acknowledgement was received. This can be subtracted from the time of arrival on the server to find the approximate time of the event generating this accountingrequest. Note that t...

  • Page 41

    2.3.3. Interim accounting messages in addition to start and stop messages netdefendos can optionally periodically send interim accounting messages to update the accounting server with the current status of an authenticated user. An interim accounting message can be seen as a snapshot of the network ...

  • Page 42

    • an accountingstart event is sent to the inactive member in an ha setup whenever a response has been received from the accounting server. This specifies that accounting information should be stored for a specific authenticated user. • a problem with accounting information synchronization could occu...

  • Page 43: 2.4. Monitoring

    2.4. Monitoring 2.4.1. Snmp monitoring overview simple network management protocol (snmp) is a standardized protocol for management of network devices. An snmp compliant client can connect to a network device which supports the snmp protocol to query and control it. Netdefendos supports snmp version...

  • Page 44

    Snmp access. Port 161 is usually used for snmp and netdefendos always expects snmp traffic on that port. Remote access encryption it should be noted that snmp version 1 or 2c access means that the community string will be sent as plain text over a network. This is clearly insecure if a remote client...

  • Page 45: 2.5. Maintenance

    2.5. Maintenance 2.5.1. Auto-update mechanism a number of the netdefendos security features rely on external servers for automatic updates and content filtering. The intrusion prevention and detection system and anti-virus modules require access to updated signature databases in order to provide pro...

  • Page 46

    Example 2.15. Complete hardware reset to factory defaults cli gw-world:/> reset -unit web interface 1. Go to maintenance > reset 2. Select restore the entire unit to factory defaults then confirm and wait for the restore to complete. Reset alternative for the dfl-210/260/800/860 only to reset the df...

  • Page 47

    2.5.3. Resetting to factory defaults chapter 2. Management and maintenance 47.

  • Page 48: Chapter 3. Fundamentals

    Chapter 3. Fundamentals this chapter describes the fundamental logical objects upon which netdefendos is built. These objects include such things as addresses, services and schedules. In addition, the chapter explains how the various supported interfaces work, it outlines how security policies are c...

  • Page 49

    For example: 192.168.0.0/24 ip range a range of ip addresses is represented on the form a.B.C.D - e.F.G.H. Please note that ranges are not limited to netmask boundaries; they may include any span of ip addresses. For example: 192.168.0.10-192.168.0.15 represents six hosts in consecutive order. Examp...

  • Page 50: 3.1.3. Ethernet Addresses

    Web interface 1. Go to objects > address book > add > ip address 2. Specify a suitable name for the ip range, for instance wwwservers. 3. Enter 192.168.10.16-192.168.10.21 as the ip address 4. Click ok example 3.4. Deleting an address object to delete an object named wwwsrv1 in the address book, do ...

  • Page 51: 3.1.4. Address Groups

    3.1.4. Address groups address objects can be grouped in order to simplify configuration. Consider a number of public servers that should be accessible from the internet. The servers have ip addresses that are not in a sequence, and can therefore not be referenced to as a single ip range. Consequentl...

  • Page 52: 3.2. Services

    3.2. Services 3.2.1. Overview a service object is a reference to a specific ip protocol with associated parameters. A service definition is usually based on one of the major transport protocols such as tcp or udp, with the associated port number(s). The http service, for instance, is defined as usin...

  • Page 53

    ----------------- ---------------- name: echo destinationports: 7 type: tcpudp (tcp/udp) sourceports: 0-65535 passicmpreturn: no alg: (none) maxsessions: 1000 comments: echo service web interface 1. Go to objects > services 2. Select the specific service object in the grid control. 3. A grid listing...

  • Page 54

    Tip the above methods of specifying port numbers are used not just for destination ports. Source port definitions can follow the same conventions, although it is most usual that the source ports are left as the default value which is 0-65535 and this corresponds to all possible source ports. Example...

  • Page 55: 3.2.3. Icmp Services

    When setting up rules that filter by services it is possible to use the service grouping all_services to refer to all protocols. If just referring to the main protocols of tcp, udp and icmp then the service group all_tcpudpicmp can be used. 3.2.3. Icmp services internet control message protocol (icm...

  • Page 56

    Number. Some of the common ip protocols, such as igmp, are already pre-defined in the netdefendos system configuration. Similar to the tcp/udp port ranges described previously, a range of ip protocol numbers can be used to specify multiple applications for one service. Note the currently assigned ip...

  • Page 57: 3.3. Interfaces

    3.3. Interfaces 3.3.1. Overview an interface is one of the most important logical building blocks in netdefendos. All network traffic that passes through or gets terminated in the system is done so through one or several interfaces. An interface can be seen as a doorway for network traffic to or fro...

  • Page 58: 3.3.2. Ethernet

    L2tp tunnels. For more information about pptp/l2tp, please see section 9.5, “pptp/l2tp”. • gre interfaces are used to establish gre tunnels. For more information about gre, please see section 3.3.5, “gre tunnels”. Even though the various types of interfaces are very different in the way they are imp...

  • Page 59

    The names of the ethernet interfaces are pre-defined by the system, and are mapped to the names of the physical ports; a system with a wan port will have an ethernet interface named wan and so on. The names of the ethernet interfaces can be changed to better reflect their usage. For instance, if an ...

  • Page 60: 3.3.3. Vlan

    Gw-world:/> set interface ethernet wan dhcpenabled=yes web interface 1. Go to interfaces > ethernet 2. In the grid, click on the ethernet object of interest 3. Enable the enable dhcp client option 4. Click ok 3.3.3. Vlan overview virtual lans (vlans) are useful in several different scenarios, for in...

  • Page 61: 3.3.4. Pppoe

    3. Assign a vlan id that is unique on the physical interface. 4. Optionally specify an ip address for the vlan. 5. Optionally specify an ip broadcast address for the vlan. 6. Create the required route(s) for the vlan in the appropriate routing table. 7. Create rules in the ip rule set to allow traff...

  • Page 62

    Control protocols (ncps) can be used to transport traffic for a particular protocol suite, so that multiple protocols can interoperate on the same link, for example, both ip and ipx traffic can share a ppp link. Authentication is an option with ppp. Authentication protocols supported are password au...

  • Page 63: 3.3.5. Gre Tunnels

    • service name: service name provided by the service provider • username: username provided by the service provider • password: password provided by the service provider • confirm password: retype the password • under authentication specify which authentication protocol to use (the default settings ...

  • Page 64

    • ip address - this is the ip address of the sending interface. This is optional and can be left blank. If it is left blank then the sending ip address will default to the local host address of 127.0.0.1. • remote network - the remote network which the gre tunnel will connect with. • remote endpoint...

  • Page 65

    Setup for d-link firewall "a" assuming that the network 192.168.10.0/24 is lannet on the lan interface, the steps for setting up netdefendos on a are: 1. In the address book set up the following ip objects: • remote_net_b: 192.168.11.0/24 • remote_gw: 172.16.1.1 • ip_gre: 192.168.0.1 2. Create a gre...

  • Page 66: 3.3.6. Interface Groups

    1. In the address book set up the following ip objects: • remote_net_a: 192.168.10.0/24 • remote_gw: 172.16.0.1 • ip_gre: 192.168.0.2 2. Create a gre tunnel object called gre_to_a with the following parameters: • ip address: ip_gre • remote network: remote_net_a • remote endpoint: remote_gw • use se...

  • Page 67

    3. Click ok 3.3.6. Interface groups chapter 3. Fundamentals 67.

  • Page 68: 3.4. Arp

    3.4. Arp 3.4.1. Overview address resolution protocol (arp) is a protocol, which maps a network layer protocol address to a data link layer hardware address and it is used to resolve an ip address into its corresponding ethernet address. It works at the osi data link layer (layer 2 - see appendix d, ...

  • Page 69

    The default expiration time for dynamic arp entries is 900 seconds (15 minutes). This can be changed by modifying the advanced setting arpexpire. The setting arpexpireunknown specifies how long netdefendos is to remember addresses that cannot be reached. This is done to ensure that netdefendos does ...

  • Page 70

    Netdefendos supports defining static arp entries (static binding of ip addresses to ethernet addresses) as well as publishing ip addresses with a specific ethernet address. Static arp entries static arp items may help in situations where a device is reporting incorrect ethernet address in response t...

  • Page 71

    There are two publishing modes; publish and xpublish. The difference between the two is that xpublish "lies" about the sender ethernet address in the ethernet header; this is set to be the same as the published ethernet address rather than the actual ethernet address of the ethernet interface. If a ...

  • Page 72

    Situations are to be logged. Sender ip 0.0.0.0 netdefendos can be configured on what to do with arp queries that have a sender ip of 0.0.0.0. Such sender ips are never valid in responses, but network units that have not yet learned of their ip address sometimes ask arp questions with an "unspecified...

  • Page 73: 3.5. The Ip Rule Set

    3.5. The ip rule set 3.5.1. Security policies policy characteristics netdefendos security policies designed by the administrator, regulate the way in which traffic can flow through a d-link firewall. Policies in netdefendos are defined by different netdefendos rule sets. These rule sets share a comm...

  • Page 74: 3.5.2. Ip Rule Evaluation

    Ip rules the ip rule set is the most important of these security policy rule sets. It determines the critical packet filtering function of netdefendos, regulating what is allowed or not allowed to pass through the d-link firewall, and if necessary, how address translations like nat are applied. Ther...

  • Page 75: 3.5.3. Ip Rule Actions

    3.5.3. Ip rule actions a rule consists of two parts: the filtering parameters and the action to take if there is a match with those parameters. As described above, the parameters of any netdefendos rule, including ip rules are: • source interface • source network • destination interface • destinatio...

  • Page 76

    Using reject in certain situations the reject action is recommended instead of the drop action because a polite reply is required from netdefendos. An example of such a situation is when responding to the ident user identification protocol. 3.5.4. Editing ip rule set entries after adding various rul...

  • Page 77: 3.6. Schedules

    3.6. Schedules in some scenarios, it might be useful to control not only what functionality is enabled, but also when that functionality is being used. For instance, the it policy of an enterprise might stipulate that web traffic from a certain department is only allowed access outside that departme...

  • Page 78

    • action: nat • service: http • schedule: officehours • sourceinterface: lan • sourcenetwork lannet • destinationinterface: any • destinationnetwork: all-nets 4. Click ok 3.6. Schedules chapter 3. Fundamentals 78.

  • Page 79: 3.7. X.509 Certificates

    3.7. X.509 certificates netdefendos supports digital certificates that comply with the itu-t x.509 standard. This involves the use of an x.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication. 3.7.1. Overview an x.509 certificate is a digita...

  • Page 80

    Has to be issued. Certificate revocation lists a certificate revocation list (crl) contains a list of all certificates that have been cancelled before their expiration date. This can happen for several reasons. One reason could be that the keys of the certificate have been compromised in some way, o...

  • Page 81

    3. Now select one of the following: • upload self-signed x.509 certificate • upload a remote certificate 4. Click ok and follow the instructions. Example 3.19. Associating x.509 certificates with ipsec tunnels to associate an imported certificate with an ipsec tunnel. Web interface 1. Go to interfac...

  • Page 82

    3.8. Setting date and time correctly setting the date and time is important for netdefendos to operate properly. Time scheduled policies, auto-update of the idp and anti-virus databases, and other product features require that the system clock is accurately set. In addition, log messages are tagged ...

  • Page 83: 3.8.2. Time Servers

    Example 3.21. Setting the time zone to modify the netdefendos time zone to be gmt plus 1 hour, follow the steps outlined below: cli gw-world:/> set datetime timezone=gmtplus1 web interface 1. Go to system > date and time 2. Select (gmt+01:00) in the timezone drop-down list 3. Click ok daylight savin...

  • Page 84

    Time synchronization protocols are standardised methods for retrieving time information from external time servers. Netdefendos supports the following time synchronization protocols: • sntp - defined by rfc 2030, the simple network time protocol (sntp) is a lightweight implementation of ntp (rfc 130...

  • Page 85

    Cli gw-world:/> time -sync attempting to synchronize system time... Server time: 2007-02-27 12:21:52 (utc+00:00) local time: 2007-02-27 12:24:30 (utc+00:00) (diff: 158) local time successfully changed to server time. Maximum time adjustment to avoid situations where a faulty time server causes the c...

  • Page 86

    D-link time servers using d-link's own time servers is an option in netdefendos and this is the recommended way of synchronizing the firewall clock. These servers communicate with netdefendos using the sntp protocol. When the d-link server option is chosen, a pre-defined set of recommended default v...

  • Page 87: 3.9. Dns Lookup

    3.9. Dns lookup a dns server can resolve a fully qualified domain name (fqdn) into the corresponding numeric ip address. Fqdns are unambiguous textual domain names which specify a node's unique position in the internet's dns tree hierarchy. Fqdn resolution allows the actual physical ip address to ch...

  • Page 88

    3.9. Dns lookup chapter 3. Fundamentals 88.

  • Page 89: Chapter 4. Routing

    Chapter 4. Routing this chapter describes how to configure ip routing in netdefendos. • overview, page 89 • static routing, page 90 • policy-based routing, page 98 • dynamic routing, page 103 • multicast routing, page 110 • transparent mode, page 119 4.1. Overview ip routing capabilities belong to t...

  • Page 90: 4.2. Static Routing

    4.2. Static routing the most basic form of routing is known as static routing. The term static refers to the fact that entries in the routing table are manually added and are therefore permanent (or static) by nature. Due to this manual approach, static routing is most appropriate to use in smaller ...

  • Page 91: 4.2.2. Static Routing

    4.2.2. Static routing this section describes how routing is implemented in netdefendos, and how to configure static routing. Netdefendos supports multiple routing tables. A default table called main is pre-defined and is always present in netdefendos. However, additional and completely separate rout...

  • Page 92

    Persistent routes: none the corresponding routing table in netdefendos is similar to this: flags network iface gateway local ip metric ----- ------------------ -------- -------------- --------- ------ 192.168.0.0/24 lan 20 10.0.0.0/8 wan 1 0.0.0.0/0 wan 192.168.0.1 20 the netdefendos way of describi...

  • Page 93

    213.124.165.0/24 wan 0 0.0.0.0/0 wan 213.124.165.1 0 web interface to see the configured routing table: 1. Go to routing > routing tables 2. Select and right-click the main routing table in the grid 3. Choose edit in the menu the main window will list the configured routes to see the active routing ...

  • Page 94: 4.2.3. Route Failover

    Web interface 1. Select the routes item in the status dropdown menu in the menu bar 2. Check the show all routes checkbox and click the apply button 3. The main window will list the active routing table, including the core routes tip for detailed information about the output of the cli routes comman...

  • Page 95

    Methods must be chosen: interface link status netdefendos will monitor the link status of the interface specified in the route. As long as the interface is up, the route is diagnosed as healthy. This method is appropriate for monitoring that the interface is physically attached and that the cabling ...

  • Page 96: 4.2.4. Proxy Arp

    Automatically be transferred back to it. Route interface grouping when using route monitoring, it is important to check if a failover to another route will cause the routing interface to be changed. If this could happen, it is necessary to take some precautionary steps to ensure that policies and ex...

  • Page 97

    Ip address of host b on another separate network. The proxy arp feature means that netdefendos responds to this arp request instead of host b. The netdefendos sends its own mac address instead in reply, essentially pretending to be the target host. After receiving the reply, host a then sends data d...

  • Page 98: 4.3. Policy-Based Routing

    4.3. Policy-based routing 4.3.1. Overview policy-based routing (pbr) is an extension to the standard routing described previously. It offers administrators significant flexibility in implementing routing decision policies by being able to define rules so alternative routing tables are used. Normal r...

  • Page 99

    Policy-based routing rule can be triggered by the type of service (http for example) in combination with the source/destination interface and source/destination network. When looking up policy-based rules, it is the first matching rule found that is triggered. 4.3.4. Policy-based routing table selec...

  • Page 100

    Interfaces. The first two options can be regarded as combining the alternate table with the main table and assigning one route if there is a match in both tables. Important - ensuring all-nets appears in the main table. A common mistake with policy-based routing is the absence of the default route w...

  • Page 101

    Example 4.5. Policy based routing configuration this example illustrates a multiple isp scenario which is a common use of policy-based routing. The following is assumed: • each isp will give you an ip network from its network range. We will assume a 2-isp scenario, with the network 10.10.10.0/24 bel...

  • Page 102

    Note rules in the above example are added for both inbound and outbound connections. 4.3.5. The ordering parameter chapter 4. Routing 102.

  • Page 103: 4.4. Dynamic Routing

    4.4. Dynamic routing 4.4.1. Dynamic routing overview dynamic routing is different to static routing in that the d-link firewall will adapt to changes of network topology or traffic load automatically. Netdefendos first learns of all the directly connected networks and gets further route information ...

  • Page 104: 4.4.2. Ospf

    Routing metrics are the criteria a routing algorithm uses to compute the "best" route to a destination. A routing protocol relies on one or several metrics to evaluate links across a network and to determine the optimal path. The principal metrics used include: Path length: the sum of the costs assoc...

  • Page 105

    to which they have an interface. ASBRs: routers that exchange routing information with routers in other autonomous systems are called autonomous system boundary routers (ASBRs). They advertise externally learned routes throughout the autonomous system. Backbone areas: all OSPF networks need to have at ...

  • Page 106

    in the routing table. This is commonly used to minimize the routing table. Virtual links: virtual links are used for: • linking an area that does not have a direct connection to the backbone. • linking the backbone in case of a partitioned backbone. Areas without direct connection to the backbone: the...

  • Page 107

    common area in between. Figure 4.3. Virtual links example 2. The virtual link is configured between fw1 and fw2 on area 1, as it is used as the transit area. In the configuration only the router ID has to be configured; as the example above shows, fw2 needs to have a virtual link to fw1 with the rou...

  • Page 108

    In a dynamic routing environment, it is important for routers to be able to regulate to what extent they will participate in the routing exchange. It is not feasible to accept or trust all received routing information, and it might be crucial to prevent parts of the routing database from being publishe...

  • Page 109

    gw-world:/importospfroutes> add dynamicroutingruleaddroute destination=mainroutingtable Web interface: 1. Go to routing > dynamic routing rules 2. Click on the recently created importospfroutes 3. Go to OSPF routing action > add > dynamicroutingruleaddroute 4. In destination, add the main routing ta...

  • Page 110: 4.5. Multicast Routing

    4.5. Multicast routing 4.5.1. Overview Certain types of Internet interactions, such as conferencing and video broadcasts, require a single client or host to send the same packet to multiple receivers. This could be achieved through the sender duplicating the packet with different receiving IP addres...

  • Page 111

    The multiplex rule can operate in one of two modes: Use IGMP: the traffic flow specified by the multiplex rule must have been requested by hosts using IGMP before any multicast packets are forwarded through the specified interfaces. This is the default behaviour of NetDefendOS. Not using IGMP: the tr...

  • Page 112

    Example 4.8. Forwarding of multicast traffic using the SAT multiplex rule. In this example, we will create a multiplex rule in order to forward the multicast groups 239.192.10.0/24:1234 to the interfaces if1, if2 and if3. All groups have the same sender 192.168.10.1, which is located somewhere behind t...

  • Page 113

    This scenario is based on the previous scenario but now we are going to translate the multicast group. When the multicast streams 239.192.10.0/24 are forwarded through the if2 interface, the multicast groups should be translated into 237.192.10.0/24. No address translation should be made when forwar...

  • Page 114: 4.5.3. Igmp Configuration

    • destination interface: core • destination network: 239.192.10.0/24 4. Click the address translation tab 5. Add interface if1 but leave the ipaddress empty 6. Add interface if2 but this time, enter 237.192.10.0 as the ipaddress 7. Make sure the forwarded using IGMP checkbox is set 8. Click OK Note ...

  • Page 115

    Figure 4.7. Multicast proxy. In snoop mode, the router will act transparently between the hosts and another IGMP router. It will not send any IGMP queries. It will only forward queries and reports between the other router and the hosts. In proxy mode, the router will act as an IGMP router towards the...

  • Page 116

    • source network: if1net, if2net, if3net • destination interface: core • destination network: auto • multicast source: 192.168.10.1 • multicast group: 239.192.10.0/24 4. Click OK b. Create the second IGMP rule: 1. Again go to routing > IGMP > IGMP rules > add > IGMP rule 2. Under general enter: • na...

  • Page 117

    • name: a suitable name for the rule, e.g. reports_if1 • type: report • action: proxy • output: wan (this is the relay interface) 3. Under address filter enter: • source interface: if1 • source network: if1net • destination interface: core • destination network: auto • multicast source: 192.168.10.1 ...

  • Page 118

    • type: report • action: proxy • output: wan (this is the relay interface) 3. Under address filter enter: • source interface: if2 • source network: if2net • destination interface: core • destination network: auto • multicast source: 192.168.10.1 • multicast group: 239.192.10.0/24 4. Click OK b. Crea...

  • Page 119: 4.6. Transparent Mode

    4.6. Transparent mode 4.6.1. Overview of transparent mode Deploying D-Link firewalls operating in transparent mode into an existing network topology can significantly strengthen security. It is simple to do and does not require reconfiguration of existing nodes. Once deployed, NetDefendOS can then al...

  • Page 120

    When beginning communication, a host will locate the target host's physical address by broadcasting an ARP request. This request is intercepted by NetDefendOS, which sets up an internal ARP transaction state entry and broadcasts the ARP request to all the other switch-route interfaces except the int...

  • Page 121

    Figure 4.8. Transparent mode scenario 1. Example 4.13. Setting up transparent mode - scenario 1. Web interface: configure the interfaces: 1. Go to interfaces > ethernet > edit (wan) 2. Now enter: • IP address: 10.0.0.1 • network: 10.0.0.0/24 • default gateway: 10.0.0.1 • transparent mode: enable 3. Cli...

  • Page 122

    • destination interface: any • source network: 10.0.0.0/24 • destination network: all-nets (0.0.0.0/0) 3. Click OK Scenario 2: here the D-Link firewall in transparent mode separates server resources from an internal network by connecting them to a separate interface without the need for different add...

  • Page 123

    Switch route: similar to that shown in the previous example. Set up the switch route with the new interface group created earlier. Configure the rules: 1. Go to rules > new rule 2. The rule properties dialog will be displayed 3. Specify a suitable name for the rule, for instance http-lan-to-dmz 4. Enter ...

  • Page 124

    1. Go to interfaces > ethernet > edit (lan) 2. Now enter: • IP address: 10.0.0.1 • network: 10.0.0.0/24 • transparent mode: disable • add route for interface network: disable 3. Click OK 4. Go to interfaces > ethernet > edit (dmz) 5. Now enter: • IP address: 10.0.0.2 • network: 10.0.0.0/24 • transpa...

  • Page 125

    3. Click OK 4. Go to rules > IP rules > add > IPRule 5. Now enter: • name: http-wan-to-dmz • action: SAT • service: http • source interface: wan • destination interface: dmz • source network: all-nets • destination network: wan_ip • translate: select destination IP • new IP address: 10.1.4.10 6. Cli...


  • Page 127: Chapter 5. Dhcp Services

    Chapter 5. DHCP services. This chapter describes DHCP services in NetDefendOS. • Overview, page 127 • DHCP servers, page 128 • Static DHCP assignment, page 130 • DHCP relaying, page 131 • IP pools, page 132 5.1. Overview DHCP (Dynamic Host Configuration Protocol) is a protocol that allows network adm...

  • Page 128: 5.2. Dhcp Servers

    5.2. DHCP servers NetDefendOS has the ability to act as one or more logical DHCP servers. Filtering of DHCP client requests is based on interface, so each NetDefendOS interface can have, at most, one single logical DHCP server associated with it. In other words, NetDefendOS can provision DHCP client...

  • Page 129

    Example 5.2. Checking the status of a DHCP server. Web interface: go to status > DHCP server in the menu bar. CLI: to see the status of all servers: gw-world:/> dhcpserver To list all configured servers: gw-world:/> show dhcpserver Tip: DHCP leases are remembered by the system between system restarts. 5...

  • Page 130

    5.3. Static DHCP assignment Where the administrator requires a fixed relationship between a client and the assigned IP address, NetDefendOS allows the assignment of a given IP to a specific MAC address. Example 5.3. Setting up static DHCP. This example shows how to assign the IP address 192.168.1.1 t...

  • Page 131: 5.4. Dhcp Relaying

    5.4. DHCP relaying With DHCP, clients send requests to locate the DHCP server(s) using broadcast messages. However, broadcasts are normally only propagated across the local network. This means that the DHCP server and client would always need to be in the same physical network area to be able to com...

  • Page 132: 5.5. Ip Pools

    5.5. IP pools Overview IP pools are used to offer other subsystems access to a cache of DHCP IP addresses. These addresses are gathered into a pool by internally maintaining a series of DHCP clients (one per IP). The DHCP servers used by a pool can either be external or be DHCP servers defined in Ne...

  • Page 133

    greater than the prefetch parameter. The pool will start releasing (giving IPs back to the DHCP server) when the number of free clients exceeds this value. Maximum clients: optional setting used to specify the maximum number of clients (IPs) allowed in the pool. Using prefetched leases: as mentioned i...


  • Page 135: 6.1. Access Rules

    Chapter 6. Security mechanisms. This chapter describes NetDefendOS security features. • Access rules, page 135 • Application layer gateways, page 138 • Web content filtering, page 169 • Anti-virus scanning, page 183 • Intrusion detection and prevention, page 188 • Denial-of-service (DoS) attacks, pag...

  • Page 136

    VPNs provide one means of avoiding spoofing, but where a VPN is not an appropriate solution, access rules can provide an anti-spoofing capability by adding an extra filter for source address verification. An access rule can verify that packets arriving at a given interface do not have a source...

  • Page 137

    Example 6.1. Setting up an access rule. A rule is to be defined that ensures no traffic with a source address not within the lannet network is received on the lan interface. CLI: gw-world:/> add access name=lan_access interface=lan network=lannet action=expect Web interface: 1. Go to rules > access 2. ...
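How such a rule is evaluated, as an added example (not NetDefendOS code and not from the manual): an Expect rule says which interface a source network is allowed to arrive on, so a packet claiming a lannet source that shows up on wan is dropped as spoofed. The assumption that a packet matching no access rule falls back to a reverse route lookup (the route for its source must point at the arrival interface), plus the rule names, networks and routing table, are constructed for the example.

```python
"""Access-rule evaluation, added as an illustration (not NetDefendOS code).
An Expect rule states which interface a given source network may arrive on,
Accept and Drop decide directly, and a packet matching no rule is assumed here
to fall back to a reverse route lookup. Rule names, networks and the routing
table are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccessRule:
    name: str
    interface: str
    network: ipaddress.IPv4Network
    action: str  # "Expect", "Accept" or "Drop"


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str


def reverse_route_interface(routes: List[Route], src: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match for the source address; the interface its route points at."""
    matches = [r for r in routes if src in r.network]
    best = max(matches, key=lambda r: r.network.prefixlen, default=None)
    return best.interface if best else None


def check_access(rules: List[AccessRule], routes: List[Route],
                 in_iface: str, src_ip: str) -> Tuple[str, str]:
    """Return ("accept"|"drop", reason) for a packet from src_ip arriving on in_iface."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:  # first matching rule decides
        if src not in rule.network:
            continue
        if rule.action == "Expect":
            # The source belongs to this network, so it is only legitimate on this interface.
            if rule.interface == in_iface:
                return "accept", rule.name
            return "drop", f"{rule.name}: {src} expected on {rule.interface}, seen on {in_iface}"
        if rule.interface in ("any", in_iface):
            return ("accept" if rule.action == "Accept" else "drop"), rule.name
    # No rule matched: assumed default check, the route back to src must use in_iface.
    via = reverse_route_interface(routes, src)
    if via == in_iface:
        return "accept", "default reverse route check"
    return "drop", f"default reverse route check: {src} routes via {via}, seen on {in_iface}"


# Constructed configuration: lannet behind "lan", everything else reached via "wan".
RULES = [AccessRule("lan_access", "lan", ipaddress.ip_network("192.168.1.0/24"), "Expect")]
ROUTES = [Route(ipaddress.ip_network("192.168.1.0/24"), "lan"),
          Route(ipaddress.ip_network("0.0.0.0/0"), "wan")]


def verdict(in_iface: str, src_ip: str) -> str:
    return check_access(RULES, ROUTES, in_iface, src_ip)[0]


if __name__ == "__main__":
    for iface, ip in [("lan", "192.168.1.10"), ("wan", "192.168.1.10"),
                      ("lan", "203.0.113.7"), ("wan", "203.0.113.7")]:
        print(iface, ip, check_access(RULES, ROUTES, iface, ip))
```

A lannet address arriving on lan is accepted, the same address arriving on wan is dropped by the Expect rule, and an Internet address arriving on lan fails the reverse route check because its route points at wan.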

  • Page 138: 6.2.1. Overview

    6.2. Application layer gateways 6.2.1. Overview To complement low-level packet filtering, which only inspects packet headers in protocols such as IP, TCP, UDP and ICMP, D-Link firewalls provide application layer gateways (ALGs), which filter at the higher application OSI layer. An ALG object...

  • Page 139: 6.2.2. Http

    ALGs and SYN flood protection: it should be noted that user-defined custom service objects have the option to enable SYN flood protection, a feature which specifically targets SYN flood attacks. If this option is enabled for a service object then any ALG associated with that service will not be used....

  • Page 140: 6.2.3. Ftp

    • Block selected means that those filetypes marked will be automatically blocked as downloads. A file's contents will be analyzed to identify the correct filetype. If, for example, a file is found to contain .exe data but the filetype is not .exe, then the file will be blocked if .exe files are b...

  • Page 141

    client on the internal network connects through the firewall to an FTP server on the Internet. The IP rule is then configured to allow network traffic from the FTP client to port 21 on the FTP server. When active mode is used, NetDefendOS is not aware that the FTP server will establish a new connect...

  • Page 142

    To make it possible to connect to this server from the Internet using the FTP ALG, the FTP ALG and rules should be configured as follows: Web interface: a. Define the ALG: 1. Go to objects > ALG > add > FTP ALG 2. Enter name: ftp-inbound 3. Check allow client to use active mode 4. Uncheck allow serve...

  • Page 143

    2. Now enter: • name: sat-ftp-inbound • action: SAT • service: ftp-inbound 3. For address filter enter: • source interface: any • destination interface: core • source network: all-nets • destination network: wan_ip (assuming the external interface has been defined as this) 4. For SAT check translate...

  • Page 144

    4. Click OK Example 6.3. Protecting FTP clients. In the scenario shown below the D-Link firewall is protecting a workstation that will connect to FTP servers on the Internet. To make it possible to connect to these servers from the internal network using the FTP ALG, the FTP ALG and rules should be ...

  • Page 145: 6.2.4. Tftp

    • destination: 21 (the port the FTP server resides on) • ALG: select the newly created ftp-outbound 3. Click OK Rules (using public IPs): the following rule needs to be added to the IP rules if using public IPs; make sure there are no rules disallowing or allowing the same kind of ports/traffic bef...

  • Page 146: 6.2.5. Smtp

    TFTP is widely used in enterprise environments for updating software and backing up configurations on network devices. TFTP is recognised as being an inherently insecure protocol and its usage is often confined to internal networks. The NetDefendOS ALG provides an extra layer of security to TFTP in ...

  • Page 147

    Email rate limiting: a maximum allowable rate of email messages can be specified. Email size limiting: a maximum allowable size of email messages can be specified. This feature counts the total number of bytes sent for a single email, which is the header size plus body size plus the size of any email a...

  • Page 148

    When the NetDefendOS spam filtering function is configured, the IP address of the email's sending server can be sent to one or more DNSBL servers to find out whether any DNSBL server considers it a spam source (NetDefendOS examines the IP packet headers to do this). The reply sent back by a serve...

  • Page 149

    Buy this stock today! and if the tag text is defined to be "*** SPAM ***", then the modified email's subject field will become: *** SPAM *** Buy this stock today! This is what the email's recipient will see in the summary of their inbox contents. The individual user could then decide to set up t...

  • Page 150

    Logging: there are three types of logging done by the spam filtering module: • Logging of dropped or spam-tagged emails - these log messages include the source email address and IP as well as its weighted points score and which DNSBLs caused the event. • DNSBLs not responding - DNSBL query timeouts a...

  • Page 151: 6.2.6. Pop3

    gw-world:/> dnsbl
    DNSBL contexts:
    name          status    spam    drop    accept
    my_smtp_alg   active    156     65      34299
    alt_smtp_alg  inactive  0       0       0
    The -show option provides a summary of the spam filtering operation of a specific ALG.
    gw-world:/> dnsbl my_smtp_alg...
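The scoring, tagging and logging described on the preceding pages, as an added example (not NetDefendOS code and not from the manual): the sending server's address is looked up in each configured DNSBL using the reversed-octet query name, each listing adds that list's weight, the total is compared with a tag threshold and a drop threshold, tagged mail gets the tag text prepended to its Subject, and both verdicts and DNSBL timeouts are logged. The zones, weights, thresholds, sender addresses and message are constructed, and the resolver is a stand-in dictionary so the example runs offline; a real deployment would query DNS instead.

```python
"""DNSBL-based spam scoring and subject tagging, added as an illustration
(not NetDefendOS code). The DNSBL zones, weights, thresholds, sender addresses
and the message are constructed; the resolver is a stand-in dictionary so the
example runs offline.
"""
import email
import ipaddress
from email.message import Message
from typing import Callable, Dict, List, Tuple

# Constructed DNSBLs: (zone, weight). In real use these would be public lists.
DNSBLS = [("bl-a.example", 3), ("bl-b.example", 2), ("bl-slow.example", 2)]
SPAM_THRESHOLD = 3   # tag mail at or above this score (assumed value)
DROP_THRESHOLD = 5   # drop mail at or above this score (assumed value)
TAG_TEXT = "*** SPAM ***"

# Stand-in for DNS: query name -> A records; an empty list means "not listed".
FAKE_DNS: Dict[str, List[str]] = {
    "10.2.0.192.bl-a.example": ["127.0.0.2"],
    "10.2.0.192.bl-b.example": ["127.0.0.2"],
    "7.100.51.198.bl-a.example": ["127.0.0.2"],
}


def fake_resolve(name: str) -> List[str]:
    if name.endswith("bl-slow.example"):
        raise TimeoutError(name)          # simulates a DNSBL that does not respond
    return FAKE_DNS.get(name, [])


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: reverse the octets and append the zone, 192.0.2.10 -> 10.2.0.192.zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def score_sender(ip: str, resolve: Callable[[str], List[str]] = fake_resolve):
    """Return (weighted score, zones that listed the IP, zones that timed out)."""
    score, listed, timed_out = 0, [], []
    for zone, weight in DNSBLS:
        try:
            answers = resolve(dnsbl_query_name(ip, zone))
        except TimeoutError:
            timed_out.append(zone)
            continue
        if answers:
            score += weight
            listed.append(zone)
    return score, listed, timed_out


def filter_message(raw: str, sender_ip: str) -> Tuple[str, Message, List[str]]:
    """Return (verdict, possibly modified message, log lines); verdict is accept, tag or drop."""
    msg = email.message_from_string(raw)
    score, listed, timed_out = score_sender(sender_ip)
    log = [f"dnsbl_timeout zone={z}" for z in timed_out]
    if score >= DROP_THRESHOLD:
        verdict = "drop"
    elif score >= SPAM_THRESHOLD:
        verdict = "tag"
        subject = msg["Subject"] or ""
        del msg["Subject"]
        msg["Subject"] = f"{TAG_TEXT} {subject}"   # what the recipient sees in the inbox summary
    else:
        verdict = "accept"
    if verdict != "accept":
        log.append(f"spam_{verdict} from={msg['From']} ip={sender_ip} score={score} "
                   f"dnsbls={','.join(listed)}")
    return verdict, msg, log


# Constructed sample message.
SAMPLE = ("From: seller@example.net\r\nTo: you@example.org\r\n"
          "Subject: Buy this stock today!\r\n\r\nbody\r\n")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        verdict, msg, log = filter_message(SAMPLE, ip)
        print(ip, verdict, repr(msg["Subject"]), log)
```

The first sender is listed by both responding lists (score 5) and is dropped, the second is listed by one list (score 3) and is tagged, the third is accepted; every run also logs the timeout of the unresponsive list.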

  • Page 152: 6.2.7. Sip

    Hide user: this option prevents the POP3 server from revealing that a username does not exist. This prevents users from trying different usernames until they find a valid one. Allow unknown commands: non-standard POP3 commands not recognised by the ALG can be allowed or disallowed. Fail mode: when cont...

  • Page 153

    VoIP; see also section 6.2.8, "H.323".) SIP components: the following components are the logical building blocks for SIP communication: User agents: these are the end points or "peers" that are involved in the peer-to-peer communication. These would typically be the workstation or device used in an IP ...

  • Page 154

    Maximum sessions per ID: the number of simultaneous sessions that a single peer can be involved with is restricted by this value. The default number is 5. Maximum registration time: the maximum time for registration with a SIP registrar. The default value is 3600 seconds. SIP request-response timeout ...

  • Page 155: 6.2.8. H.323

    • A NAT rule for outbound traffic from user agents on the internal network to the SIP proxy server located externally. The SIP ALG will take care of all address translation needed by the NAT rule. This translation will occur both at the IP level and at the application level. Neither the user agents nor ...

  • Page 156

    Gateways: an H.323 gateway connects two dissimilar networks and translates traffic between them. It provides connectivity between H.323 networks and non-H.323 networks such as public switched telephone networks (PSTN), translating protocols and converting media between them. A gateway is not required for com...

  • Page 157

    • The H.323 ALG supports version 5 of the H.323 specification. This specification is built upon H.225.0 v5 and H.245 v10. • In addition to supporting voice and video calls, the H.323 ALG supports application sharing over the T.120 protocol. T.120 uses TCP to transport data while voice and video are tran...

  • Page 158

    Web interface, outgoing rule: 1. Go to rules > IP rules > add > IPRule 2. Now enter: • name: h323allowout • action: allow • service: h323 • source interface: lan • destination interface: any • source network: lannet • destination network: 0.0.0.0/0 (all-nets) • comment: allow outgoing calls 3. Click ...

  • Page 159

    Example 6.5. H.323 with private IP addresses. In this scenario an H.323 phone is connected to the D-Link firewall on a network with private IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet, and to allow H.323 phones on the Internet to call this p...

  • Page 160

    • destination interface: core • source network: 0.0.0.0/0 (all-nets) • destination network: wan_ip (external IP of the firewall) • comment: allow incoming calls to H.323 phone at ip-phone 3. Click OK To place a call to the phone behind the D-Link firewall, place a call to the external IP address on ...

  • Page 161

    1. Go to rules > IP rules > add > IPRule 2. Now enter: • name: h323allowin • action: allow • service: h323 • source interface: any • destination interface: lan • source network: 0.0.0.0/0 (all-nets) • destination network: lannet • comment: allow incoming calls 3. Click OK Example 6.7. Using private ...

  • Page 162

    • destination interface: core • source network: 0.0.0.0/0 (all-nets) • destination network: wan_ip (external IP of the firewall) • comment: allow incoming calls to H.323 phone at ip-phone 3. For SAT enter translate destination IP address: to new IP address: ip-phone (IP address of phone) 4. Click OK...

  • Page 163

    Web interface, incoming gatekeeper rules: 1. Go to rules > IP rules > add > IPRule 2. Now enter: • name: h323in • action: SAT • service: h323-gatekeeper • source interface: any • destination interface: core • source network: 0.0.0.0/0 (all-nets) • destination network: wan_ip (external IP of the firew...

  • Page 164

    Note: there is no need to specify a specific rule for outgoing calls. NetDefendOS monitors the communication between "external" phones and the gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper. Example 6.9. H.323 with g...

  • Page 165

    is possible for internal phones to call the external phones that are registered with the gatekeeper. Example 6.10. Using the H.323 ALG in a corporate environment. This scenario is an example of a more complex network that shows how the H.323 ALG can be deployed in a corporate environment. At the head...

  • Page 166

    • comment: allow H.323 entities on lannet to connect to the gatekeeper 3. Click OK 1. Go to rules > IP rules > add > IPRule 2. Now enter: • name: lantogk • action: allow • service: h323 • source interface: lan • destination interface: dmz • source network: lannet • destination network: ip-gateway • ...

  • Page 167

    1. Go to rules > IP rules > add > IPRule 2. Now enter: • name: branchtogw • action: allow • service: h323-gatekeeper • source interface: vpn-remote • destination interface: dmz • source network: remote-net • destination network: ip-gatekeeper • comment: allow communication with the gatekeeper on dmz...

  • Page 168

    • service: h323-gatekeeper • source interface: dmz • destination interface: vpn-hq • source network: ip-branchgw • destination network: hq-net • comment: allow the gateway to communicate with the gatekeeper connected to the head office 3. Click OK Note: there is no need to specify a specific rule for...

  • Page 169: 6.3.1. Overview

    6.3. Web content filtering 6.3.1. Overview Web traffic is one of the biggest sources of security issues and misuse of the Internet. Inappropriate surfing habits can expose a network to many security threats as well as legal and regulatory liabilities. Productivity and Internet bandwidth can also be...

  • Page 170

    Example 6.13. Stripping ActiveX and Java applets. This example shows how to configure an HTTP application layer gateway to strip ActiveX and Java applets. The example will use the content_filtering ALG object and presumes you have done one of the previous examples. CLI: gw-world:/> set alg alg_http con...

  • Page 171

    Note: web content filtering URL blacklisting is a separate concept from section 6.7, "Blacklisting hosts and networks". Example 6.14. Setting up a whitelist and blacklist. This example shows the use of static content filtering, where NetDefendOS can block or permit certain web pages based on blacklists and...

  • Page 172

    6.3.4. Dynamic web content filtering Overview NetDefendOS supports dynamic web content filtering (WCF) of web traffic, which enables an administrator to permit or block access to web pages based on the content of those web pages. This functionality is automated, and it is not necessary to manually sp...

  • Page 173

    Note: new, uncategorized URLs sent to the D-Link network are treated as anonymous submissions and no record of the source of new submissions is kept. Categorizing pages and not sites: NetDefendOS dynamic filtering categorizes web pages and not sites. In other words, a web site may contain particular p...

  • Page 174

    5. In the blocked categories list, select search sites and click the >> button. 6. Click OK Then, create a service object using the new HTTP ALG: 1. Go to local objects > services > add > TCP/UDP service 2. Specify a suitable name for the service, e.g. http_content_filtering 3. Select tcp in the ...

  • Page 175

    filteringcategories=search_sites Web interface: first, create an HTTP application layer gateway (ALG) object: 1. Go to objects > ALG > add > HTTP ALG 2. Specify a suitable name for the ALG, e.g. content_filtering 3. Click the web content filtering tab 4. Select audit in the mode list 5. In the blocked...

  • Page 176

    Example 6.17. Reclassifying a blocked site. This example shows how a user may propose a reclassification of a web site if they believe it is wrongly classified. This mechanism is enabled on a per-HTTP ALG basis. CLI: first, create an HTTP application layer gateway (ALG) object: gw-world:/> add al...

  • Page 177

    Category 2: News. A web site may be classified under the News category if its content includes information articles on recent events pertaining to topics surrounding a locality (for example, town, city or nation) or culture, including weather forecasting information. Typically this would include most...

  • Page 178

    • www.buy-alcohol.se Category 7: Entertainment. A web site may be classified under the Entertainment category if its content includes any general form of entertainment that is not specifically covered by another category. Some examples of this are music sites, movies, hobbies, special interest, and f...

  • Page 179

    • www.loadsofmoney.com.au • www.putsandcalls.com Category 12: E-banking. A web site may be classified under the E-banking category if its content includes electronic banking information or services. This category does not include investment-related content; refer to the Investment sites category (11)...

  • Page 180

    Category 17: WWW-email sites. A web site may be classified under the WWW-email sites category if its content includes online, web-based email facilities. Examples might be: • www.coldmail.com • mail.yazoo.com Category 18: Violence / undesirable. A web site may be classified under the Violence / undesi...

  • Page 181

    Examples might be: • www.sierra.org • www.walkingclub.org Category 23: Music downloads. A web site may be classified under the Music downloads category if it provides online music downloading, uploading and sharing facilities as well as high-bandwidth audio streaming. Examples might be: • www.onlymp3...

  • Page 182

    A web site may be classified under the Drugs/alcohol category if its content includes drug- and alcohol-related information or services. Some URLs categorised under this category may also be categorised under the Health category. Examples might be: • www.the-cocktail-guide.com • www.stiffdrinks.com c...

  • Page 183: 6.4. Anti-Virus Scanning

    6.4. Anti-virus scanning 6.4.1. Overview The NetDefendOS anti-virus module protects against malicious code carried in file downloads. Files may be downloaded as part of a web page in an HTTP transfer, in an FTP download, or perhaps as an attachment to an email delivered through SMTP. Malicious code ...

  • Page 184: 6.4.6. Anti-Virus Options

    D-Link firewall. However, the available free memory can limit the number of concurrent scans that can be initiated. The administrator can increase the default amount of free memory available to anti-virus scanning by changing the avse_maxmemory advanced setting. This setting specifie...

  • Page 185

    1. General options. Mode: this must be one of: a. Enabled, which means anti-virus is active. b. Audit, which means it is active but logging will be the only action. Fail mode behaviour: if a virus scan fails for any reason then the transfer can be dropped or allowed, with the event being logged. 2. File ...

  • Page 186

    Enabling this function is recommended to make sure this form of attack cannot allow a virus to get through. The possible MIME types that can be checked are listed in Appendix C, Checked MIME filetypes. Setting the correct system time: it is important that NetDefendOS has the correct system time ...

  • Page 187

    1. Go to objects > ALG > add > HTTP ALG 2. Specify a suitable name for the ALG, for instance anti_virus 3. Click the antivirus tab 4. Select protect in the mode dropdown list 5. Click OK b. Then, create a service object using the new HTTP ALG: 1. Go to local objects > services > add > TCP/UDP servic...

  • Page 188: 6.5.1. Overview

    6.5. Intrusion detection and prevention 6.5.1. Overview Intrusion definition: computer servers can sometimes have vulnerabilities which leave them exposed to attacks carried by network traffic. Worms, trojans and backdoor exploits are examples of such attacks which, if successful, can potentially comp...

  • Page 189

    DFL-210/800/1600/2500 firewalls. This is a simplified IDP that gives basic protection against attacks. It is upgradeable to the professional-level Advanced IDP. • Advanced IDP is a subscription-based IDP system with a much broader range of database signatures for professional installations. It is ava...

  • Page 190: 6.5.3. Idp Rules

    The console command > updatecenter -status will show the current status of the auto-update feature. This can also be done through the WebUI. Updating in high availability clusters: updating the IDP databases for both the D-Link firewalls in an HA cluster is performed automatically by NetDefendOS. In ...

  • Page 191

    The option exists in NetDefendOS IDP to look for intrusions in all traffic, even packets that are rejected by the IP rule set check for new connections, as well as packets that are not part of an existing connection. This provides the firewall administrator with a way to detect any traffic that ...

  • Page 192

    • Increasing throughput - where the highest possible throughput is desirable, turning the option off can provide a slight increase in processing speed. • Excessive false positives - if there is evidence of an unusually high level of insertion/evasion false positives then disabling the option m...

  • Page 193

    Using groups: usually, several lines of attack exist for a specific protocol, and it is best to search for all of them at the same time when analyzing network traffic. To do this, signatures related to a particular protocol are grouped together. For example, all signatures that refer to the FTP prot...

  • Page 194: 6.5.7. Idp Actions

    group name. Caution against using too many IDP signatures: do not use the entire signature database and avoid using signatures and signature groups unnecessarily. Instead, use only those signatures or groups applicable to the type of traffic you are trying to protect. For instance, using ids_web*, ips...

  • Page 195

    triggered. At least one new event occurs within the hold time of 120 seconds, thus reaching the log threshold level (at least 2 events have occurred). This results in an email being sent containing a summary of the IDP events. Several more IDP events may occur after this, but to prevent flooding the...

  • Page 196

    CLI: create IDP rule: gw-world:/> add idprule service=smtp sourceinterface=wan sourcenetwork=wannet destinationinterface=dmz destinationnetwork=ip_mailserver name=idpmailsrvrule Create IDP action: gw-world:/> cc idprule idpmailsrvrule gw-world:/idpmailsrvrule> add idpruleaction action=protect idpserv...

  • Page 197

    When this IDP rule has been created, an action must also be created, specifying what signatures the IDP should use when scanning data matching the IDP rule, and what NetDefendOS should do in case an intrusion is discovered. Intrusion attempts should cause the connection to be dropped, so action is s...

  • Page 198: 6.6.1. Overview

    6.6. Denial-of-service (DoS) attacks 6.6.1. Overview By embracing the Internet, enterprises experience new business opportunities and growth. The enterprise network and the applications that run over it are business-critical. Not only can a company reach a larger number of customers via the Internet...

  • Page 199: Boink And Nestea

    to run "ping -l 65510 1.2.3.4" on a Windows 95 system, where 1.2.3.4 is the IP address of the intended victim. "Jolt" is simply a purpose-written program for generating such packets on operating systems whose ping commands refuse to generate oversized packets. The triggering factor is that the last f...
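The fragment conditions behind these attacks, as an added example (not NetDefendOS code and not from the manual): the IP total length field is 16 bits, so a datagram whose last fragment's offset plus length would exceed 65535 bytes (the Ping of Death / Jolt case; "ping -l 65510" gives 8 bytes of ICMP header plus 65510 bytes of data, which fragments into a final piece ending past the limit) is oversized, and a fragment whose offset lands inside data an earlier fragment already covered is the overlapping-fragment pattern of the Teardrop family, to which Boink and Nestea belong. The MTU, fragment sizes and the sample fragment sets are assumptions made for the example.

```python
"""IP fragment sanity checks, added as an illustration (not NetDefendOS code).
Flags an oversized reassembled datagram (Ping of Death / Jolt) and overlapping
fragments (Teardrop-style, which includes Boink and Nestea). The MTU and the
constructed fragment sets are assumptions.
"""
from dataclasses import dataclass
from typing import List

IP_HEADER_LEN = 20
MAX_DATAGRAM = 65535                         # IP total length field is 16 bits
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER_LEN   # 65515 bytes of data after the header


@dataclass(frozen=True)
class Fragment:
    offset_units: int      # fragment offset field, in 8-byte units
    more_fragments: bool   # MF flag
    payload_len: int       # bytes of data carried after the IP header

    @property
    def start(self) -> int:
        return self.offset_units * 8

    @property
    def end(self) -> int:
        return self.start + self.payload_len


def fragment_datagram(payload_len: int, mtu: int = 1500) -> List[Fragment]:
    """Split a datagram payload the way a sender would (offsets in 8-byte units)."""
    per_frag = (mtu - IP_HEADER_LEN) // 8 * 8   # 1480 for a 1500-byte MTU
    frags, offset = [], 0
    while offset < payload_len:
        size = min(per_frag, payload_len - offset)
        frags.append(Fragment(offset // 8, offset + size < payload_len, size))
        offset += size
    return frags


def check_fragments(frags: List[Fragment]) -> List[str]:
    """Return the problems found in one datagram's fragment set (empty list = looks sane)."""
    problems = []
    covered_to = 0
    for f in sorted(frags, key=lambda f: f.offset_units):
        if f.end > MAX_PAYLOAD:
            problems.append(f"oversized: fragment at {f.start} ends at {f.end} > {MAX_PAYLOAD}")
        if f.more_fragments and f.payload_len % 8:
            problems.append(f"bad length: non-final fragment at {f.start} is not a multiple of 8")
        if f.start < covered_to:
            problems.append(f"overlap: fragment at {f.start} overlaps data already covered to {covered_to}")
        covered_to = max(covered_to, f.end)
    return problems


def ping_of_death_fragments() -> List[Fragment]:
    # "ping -l 65510": 8-byte ICMP echo header plus 65510 bytes of data.
    return fragment_datagram(8 + 65510)


def teardrop_fragments() -> List[Fragment]:
    # Constructed overlapping pair: the second fragment claims to start inside the first.
    return [Fragment(0, True, 1480), Fragment(100, False, 200)]


if __name__ == "__main__":
    print(check_fragments(ping_of_death_fragments()))
    print(check_fragments(teardrop_fragments()))
    print(check_fragments(fragment_datagram(8 + 1000)))
```

The oversized case is only visible on the final fragment, which is why a filter has to track offset plus length rather than the size of any single packet; a normal 1000-byte echo produces no findings.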

  • Page 200

    services expected to only serve the local network. • By stripping the URG bit by default from all TCP segments traversing the system (configurable via advanced settings > TCP > tcpurg). WinNuke attacks will usually show up in NetDefendOS logs as normal drops with the name of the rule in your policy ...

  • Page 201: 6.6.9. The Jolt2 Attack

    The traffic shaping feature built into NetDefendOS also helps absorb some of the flood before it reaches protected servers. 6.6.8. TCP SYN flood attacks The TCP SYN flood attack works by sending large numbers of TCP SYN packets to a given port and then not responding to the SYN-ACKs sent in response. Thi...

  • Page 202

    6.7. Blacklisting hosts and networks NetDefendOS implements a blacklist of host or network IP addresses which can be utilized to protect against traffic coming from specific Internet sources. Certain NetDefendOS modules, specifically the intrusion detection and prevention (IDP) module, as well as th...


  • Page 204

    Chapter 7. Address translation this chapter describes netdefendos address translation capabilities. • dynamic network address translation, page 204 • nat pools, page 207 • static address translation, page 210 the ability of netdefendos to change the ip address of packets as they pass through a d-lin...

  • Page 205

    Publish entry configured for the egress interface. Otherwise, the return traffic will not be received by the d-link firewall. The following example illustrates how nat is applied in practice on a new connection: 1. The sender, for example 192.168.1.5, sends a packet from a dynamically assigned port,...

  • Page 206

    Protocols handled by nat dynamic address translation is able to deal with the tcp, udp and icmp protocols with a good level of functionality since the algorithm knows which values can be adjusted to become unique in the three protocols. For other ip level protocols, unique connections are identified...

  • Page 207: 7.2. Nat Pools

    7.2. Nat pools overview as discussed in section 7.1, “dynamic network address translation”, nat provides a way to have multiple internal clients and hosts with unique private internal ip addresses communicate to remote hosts through a single external public ip address. When multiple public external ...

  • Page 208

    Stateless nat pools the stateless option means that no state table is maintained and the external ip address chosen for each new connection is the one that has the least connections already allocated to it. This means two connections between one internal host to the same external host may use two di...

  • Page 209

    2. Specify a suitable name for the ip range nat_pool_range 3. Enter 10.6.13.10-10.6.13.15 in the ip address textbox (a network eg 10.6.13.0/24 could be used here - the 0 and 255 addresses will be automatically removed) 4. Click ok b. Next create a stateful nat pool object called stateful_natpool : ...
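
Pages 205 to 209 describe dynamic NAT (the sender's address and port are rewritten and a table entry is kept so replies can be mapped back) and the two kinds of NAT pool. The following is an added model of that behaviour, not NetDefendOS code. The pool range 10.6.13.10-10.6.13.15 and the sender 192.168.1.5 are taken from the page; the external host 203.0.113.10, the high-port allocation starting at 32768, and the reading of "stateful" as a per-internal-host binding to one external address are assumptions made for the example.

```python
"""Model of dynamic NAT with a NAT pool, after the description above.
Constructed example, not NetDefendOS code."""
import ipaddress
from itertools import count


def expand_range(spec):
    """'10.6.13.10-10.6.13.15' -> the six addresses; a '/24' network drops
    its .0 and .255 addresses, as the manual says the GUI does."""
    if "-" in spec:
        lo, hi = (int(ipaddress.IPv4Address(x)) for x in spec.split("-"))
        return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
    return [str(h) for h in ipaddress.IPv4Network(spec).hosts()]


class NatPool:
    """Stateless: every new connection takes the least-loaded address, so two
    connections from one host may leave with two different addresses.
    Stateful (assumption about the state table): an internal host keeps the
    external address it was first given, so all its connections share it."""

    def __init__(self, addresses, stateful):
        self.addresses = list(addresses)
        self.stateful = stateful
        self.load = {a: 0 for a in self.addresses}
        self.binding = {}                      # internal host -> external IP

    def pick(self, internal_host):
        ext = self.binding.get(internal_host) if self.stateful else None
        if ext is None:
            ext = min(self.addresses, key=lambda a: self.load[a])
            if self.stateful:
                self.binding[internal_host] = ext
        self.load[ext] += 1
        return ext


class DynamicNat:
    """Outbound connections are rewritten to (ext_ip, ext_port); replies are
    mapped back from the translation table, which is the 'state' of NAT."""

    PORT_PROTOCOLS = ("tcp", "udp", "icmp")   # port or ICMP identifier can be rewritten

    def __init__(self, pool):
        self.pool = pool
        self.out = {}       # (proto, src, sport, dst, dport) -> (ext_ip, ext_port)
        self.back = {}      # (proto, ext_ip, ext_port, dst, dport) -> (src, sport)
        self.ports = count(32768)   # assumption: the firewall hands out free high ports

    def outbound(self, proto, src, sport, dst, dport):
        key = (proto, src, sport, dst, dport)
        if key in self.out:
            return self.out[key]
        ext_ip = self.pool.pick(src)
        if proto in self.PORT_PROTOCOLS:
            ext_port = next(self.ports)
        else:
            # no port to rewrite: the connection is identified by addresses
            # and protocol alone, so one (ext_ip, dst) pair can carry only
            # one such connection at a time
            ext_port = None
            if (proto, ext_ip, None, dst, dport) in self.back:
                raise RuntimeError("%s to %s already in use via %s" % (proto, dst, ext_ip))
        self.out[key] = (ext_ip, ext_port)
        self.back[(proto, ext_ip, ext_port, dst, dport)] = (src, sport)
        return ext_ip, ext_port

    def inbound(self, proto, ext_ip, ext_port, remote, rport):
        """Reply from remote:rport to ext_ip:ext_port -> original (src, sport),
        or None when there is no state, in which case the packet is dropped."""
        return self.back.get((proto, ext_ip, ext_port, remote, rport))
```

The external addresses in the pool still need to be reachable: as page 205 notes, each must have an ARP publish entry on the egress interface or the return traffic never reaches the firewall in the first place.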

  • Page 210

    7.3. Static address translation netdefendos can translate entire ranges of ip addresses and/or ports. Such translations are transpositions, that is, each address or port is mapped to a corresponding address or port in the new range, rather than translating them all to the same address or port. This ...

  • Page 211

    Then create a corresponding allow rule: 1. Go to rules > ip rules > add > iprule 2. Specify a suitable name for the rule, eg. Allow_http_to_dmz 3. Now enter: • action: allow • service: http • source interface: any • source network: all-nets • destination interface: core • destination network: wan_ip...

  • Page 212

    # action src iface src net dest iface dest net parameters 3 allow ext2 ext2net core wan_ip http 4 nat lan lannet any all-nets all this increases the number of rules for each interface allowed to communicate with the web server. However, the rule ordering is unimportant, which may help avoid errors. ...

  • Page 213

    • netdefendos translates the address in accordance with rule 1 and forwards the packet in accordance with rule 2: 10.0.0.3:1038 => 10.0.0.2:80 • wwwsrv processes the packet and replies: 10.0.0.2:80 => 10.0.0.3:1038 this reply arrives directly to pc1 without passing through the d-link firewall. This ...

  • Page 214

    An example of when this is useful is when having several protected servers in a dmz, and where each server should be accessible using a unique public ip address. Example 7.5. Translating traffic to multiple protected web servers in this example, we will create a sat policy that will translate and al...

  • Page 215

    4. Click ok publish the public addresses in the wan interface using arp publish. One arp item is needed for every ip address: 1. Go to interfaces > arp > add > arp 2. Now enter: • mode: publish • interface: wan • ip address: 195.55.66.77 3. Click ok and repeat for all 5 public ip addresses create a s...

  • Page 216: 7.3.4. Port Translation

    Netdefendos can be used to translate ranges and/or groups into just one ip address. # action src iface src net dest iface dest net parameters 1 sat any all-nets core 194.1.2.16-194.1.2.20, 194.1.2.30 http setdest all-to-one 192.168.0.50 80 this rule produces a n:1 translation of all addresses in the...

  • Page 217

    Configuration. There is no definitive list of which protocols can or cannot be address translated. A general rule is that vpn protocols cannot usually be translated. In addition, protocols that open secondary connections in addition to the initial connection can be difficult to translate. Some p...

  • Page 218

    # action src iface src net dest iface dest net parameters 5 nat lan lannet any all-nets all what happens now? • external traffic to wan_ip:80 will match rules 1 and 3, and will be sent to wwwsrv. Correct. • return traffic from wwwsrv:80 will match rules 2 and 4, and will appear to be sent from wan_i...
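
Pages 210 to 218 explain the SAT rule-set walk: the first matching SAT rule only records the translation, the next matching non-SAT rule decides what happens to the packet, and both are matched against the packet as it arrived. They also show the two translation modes (transposition of a range, and all-to-one) and the trap on page 213 where a server's reply bypasses the firewall. The following is an added illustration of that logic and is not NetDefendOS code; wan_ip, wwwsrv, pc1, lan_ip, lannet and the 194.1.2.x ranges are the page's names, the concrete lannet prefix 10.0.0.0/24, the external client 203.0.113.5 and the choice of lan_ip as the NAT address are assumptions.

```python
"""Rule-set walk for SAT, after the examples above. Constructed example,
not NetDefendOS code; the matching is a simplification of the firewall's."""
import ipaddress

ADDRESS_BOOK = {                     # assumed address book for the example
    "all-nets": "0.0.0.0/0",
    "lannet": "10.0.0.0/24",
    "lan_ip": "10.0.0.1",
    "wwwsrv": "10.0.0.2",
    "pc1": "10.0.0.3",
    "wan_ip": "195.55.66.77",
    "pub_range": "194.1.2.16-194.1.2.20, 194.1.2.30",
}


def ranges(name):
    """Address-book entry -> list of (low, high) integer address ranges.
    Accepts a single address, a CIDR network, 'a-b' ranges and commas."""
    out = []
    for part in ADDRESS_BOOK.get(name, name).split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            out.append((int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))))
        else:
            n = ipaddress.IPv4Network(part, strict=False)
            out.append((int(n.network_address), int(n.broadcast_address)))
    return out


def in_net(ip, name):
    v = int(ipaddress.IPv4Address(ip))
    return any(lo <= v <= hi for lo, hi in ranges(name))


def translate(ip, matched_net, target, all_to_one):
    """SAT address rewrite. all-to-one sends everything to the single target;
    otherwise it is a transposition: the n-th address of the matched range
    becomes the n-th address counted from the target."""
    base = int(ipaddress.IPv4Address(ADDRESS_BOOK.get(target, target)))
    if all_to_one:
        return str(ipaddress.IPv4Address(base))
    v, offset = int(ipaddress.IPv4Address(ip)), 0
    for lo, hi in ranges(matched_net):
        if lo <= v <= hi:
            return str(ipaddress.IPv4Address(base + offset + v - lo))
        offset += hi - lo + 1
    raise ValueError("%s not in %s" % (ip, matched_net))


class Rule:
    def __init__(self, action, src_if, src_net, dst_if, dst_net, service, **params):
        self.action, self.src_if, self.src_net = action, src_if, src_net
        self.dst_if, self.dst_net, self.service = dst_if, dst_net, service
        self.params = params

    def matches(self, p):
        return (self.src_if in ("any", p["src_if"]) and in_net(p["src"], self.src_net)
                and self.dst_if in ("any", p["dst_if"]) and in_net(p["dst"], self.dst_net)
                and self.service in ("all", p["service"]))


def process(rules, pkt):
    """First matching SAT rule records the translation, the next matching
    non-SAT rule gives the verdict; both match on the untranslated packet."""
    p, sat = dict(pkt), None
    for r in rules:
        if not r.matches(pkt):
            continue
        if r.action == "sat":
            sat = sat or r
            continue
        if sat is not None:
            p["dst"] = translate(pkt["dst"], sat.dst_net, sat.params["setdest"],
                                 sat.params.get("all_to_one", False))
            if "port" in sat.params:
                p["dport"] = sat.params["port"]
        if r.action == "nat":
            p["src"] = ADDRESS_BOOK[r.params.get("nat_ip", "lan_ip")]   # assumption: NAT to lan_ip
        if r.action in ("allow", "nat", "fwdfast"):
            return r.action, p
        return "drop", p
    return "drop", p


def reply_passes_firewall(verdict):
    """After SAT, does the server's reply come back through the firewall?
    Not when the source and the translated destination share lannet: the
    server then answers the client directly, which is the page-213 problem."""
    _, p = verdict
    if p["src"] == ADDRESS_BOOK["lan_ip"]:
        return True                      # NATed to the firewall itself
    return not (in_net(p["src"], "lannet") and in_net(p["dst"], "lannet"))
```

With only SAT plus allow, pc1's packet to wan_ip:80 is delivered to wwwsrv but the reply goes straight back across lannet with wwwsrv's own address as source, which pc1 never sent to; adding the NAT rule from page 218 makes the reply return via lan_ip and so through the firewall.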

  • Page 220: 8.1. Overview

    Chapter 8. User authentication this chapter describes how netdefendos implements user authentication. • overview, page 220 • authentication setup, page 221 8.1. Overview in situations where individual users connect to protected resources through a d-link firewall, the administrator will often requir...

  • Page 221: 8.2. Authentication Setup

    8.2. Authentication setup 8.2.1. Setup summary the following list summarizes the steps for user authentication setup with netdefendos: • set up a database of users, each with a username/password combination. This can exist locally in a netdefendos user db object, or remotely on a radius server and w...

  • Page 222

    Netdefendos acts as a radius client, sending user credentials and connection parameter information as a radius message to a nominated radius server. The server processes the requests and sends back a radius message to accept or deny them. One or more external servers can be defined in netdefendos. R...

  • Page 223: 8.2.6. Http Authentication

    Combination. • allow only one login per username. • allow one login per username and logout an existing user with the same name if they have been idle for a specific length of time when the new login occurs. 8.2.5. Authentication processing the list below describes the processing flow through netdef...

  • Page 224

    Changing the management webui port http authentication will collide with the webui's remote management service which also uses tcp port 80. To avoid this, the webui port number should be changed before configuring authentication. Do this by going to remote management > advanced settings in the webui...

  • Page 225

    Action src interface src network dest interface dest network service 1 allow lan lannet core lan_ip http-all 2 nat lan trusted_users wan all-nets http-all 3 nat lan lannet wan all-nets dns-all 4 sat lan lannet wan all-nets all-to-one 127.0.0.1 http-all 5 allow lan lannet wan all-nets http-all the sa...

  • Page 226

    Example 8.1. Creating an authentication user group in the example of an authentication address object in the address book, a user group "users" is used to enable user authentication on "lannet". This example shows how to configure the user group in the netdefendos database. Web interface step a 1. G...

  • Page 227

    • source network: lannet • destination interface core • destination network lan_ip 3. Click ok b. Set up the authentication rule 1. Go to user authentication > user authentication rules > add > user authentication rule 2. Now enter: • name: httplogin • agent: http • authentication source: local • in...

  • Page 228

    D. Port: 1812 (radius service uses udp port 1812 by default) e. Retry timeout: 2 (netdefendos will resend the authentication request to the server if there is no response after the timeout, for example every 2 seconds. This will be retried a maximum of 3 times) f. Shared secret: enter a text string h...
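
Pages 222 and 228 describe the firewall acting as a RADIUS client: credentials go to the server on UDP port 1812 in a RADIUS message protected by the shared secret, the server answers accept or reject, and the request is resent if nothing comes back within the retry timeout. The following is an added illustration of that exchange built from the RFC 2865 packet format; it is not NetDefendOS code, and the user name, password, secret and NAS address are made up. The reading of "retried a maximum of 3 times" as three attempts in total is an assumption.

```python
"""RADIUS client exchange as the firewall performs it: RFC 2865 framing,
User-Password hiding with the shared secret, response-authenticator check
and resend on timeout. Constructed example, not NetDefendOS code."""
import hashlib
import hmac
import os
import struct

RADIUS_PORT = 1812
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block), the first block using the
    Request Authenticator. Reversible by anyone holding the secret."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def attribute(kind, value):          # type, length (including header), value
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attributes(blob):
    attrs, i = {}, 0
    while i < len(blob):
        kind, length = blob[i], blob[i + 1]
        attrs[kind] = blob[i + 2:i + length]
        i += length
    return attrs


def access_request(ident, username, password, secret, nas_ip, authenticator=None):
    ra = authenticator or os.urandom(16)     # fresh random Request Authenticator
    body = (attribute(USER_NAME, username.encode())
            + attribute(USER_PASSWORD, hide_password(password.encode(), secret, ra))
            + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def response_authenticator(code, ident, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): proves the
    reply was produced by someone holding the shared secret."""
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()


def reply(code, ident, request_auth, secret, body=b""):
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + response_authenticator(code, ident, request_auth, body, secret) + body


def verify_reply(packet, ident, request_auth, secret):
    """Return the reply code, or None if the ID does not match our request
    or the authenticator is wrong (forged reply or wrong secret)."""
    code, rid, length = struct.unpack("!BBH", packet[:4])
    body = packet[20:length]
    expected = response_authenticator(code, rid, request_auth, body, secret)
    if rid != ident or not hmac.compare_digest(packet[4:20], expected):
        return None
    return code


def toy_server(packet, secret, users):
    """Stand-in for the RADIUS server: recovers the password and checks it."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    ra, attrs = packet[4:20], parse_attributes(packet[20:length])
    ok = users.get(attrs[USER_NAME].decode()) == reveal_password(attrs[USER_PASSWORD], secret, ra)
    return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, ra, secret)


def authenticate(send, username, password, secret, nas_ip, retry_timeout=2.0, attempts=3):
    """send(packet, timeout) returns the reply bytes or None on timeout. The
    same request is resent every retry_timeout seconds, `attempts` times in
    all (assumption about how 'retried a maximum of 3 times' counts)."""
    ident = os.urandom(1)[0]
    packet = access_request(ident, username, password, secret, nas_ip)
    for _ in range(attempts):
        answer = send(packet, retry_timeout)
        if answer is not None:
            code = verify_reply(answer, ident, packet[4:20], secret)
            if code is not None:
                return code == ACCESS_ACCEPT
    return None    # no valid answer: the user is not authenticated
```

Two points worth noticing: the password hiding is only as strong as the shared secret and MD5, which is why the manual's advice to keep the secret a long, non-guessable string matters, and a reply whose ID or authenticator does not check out is ignored rather than treated as a reject, so an attacker on the path cannot turn a timeout into an accept.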

  • Page 229: Chapter 9. Vpn

    Chapter 9. Vpn this chapter describes vpn usage with netdefendos. • overview, page 229 • vpn quickstart guide, page 231 • ipsec, page 240 • ipsec tunnels, page 253 • pptp/l2tp, page 260 9.1. Overview 9.1.1. The need for vpns most networks are connected to each other through the internet. Business in...

  • Page 230: 9.1.4. Key Distribution

    • protecting mobile and home computers • restricting access through the vpn to needed services only, since mobile computers are vulnerable • creating dmzs for services that need to be shared with other companies through vpns • adapting vpn access policies for different groups of users • creating key...

  • Page 231: 9.2. Vpn Quickstart Guide

    9.2. Vpn quickstart guide later sections in this chapter will explore vpn components in detail. To help put those later sections in context, this section is a quickstart summary of the key steps in vpn setup. It outlines the individual steps in setting up vpns for the most common vpn scenarios. Thes...

  • Page 232

    The destination interface. The rule's destination network is the remote network remote_net. • an allow rule for inbound traffic that has the previously defined ipsec_tunnel object as the source interface. The source network is remote_net. Action src interface src network dest interface dest network ...

  • Page 233

    Authentication section of an ip object. If that ip object is then used as the source network of a rule in the ip rule set, that rule will only apply to a user if their group string matches the group string of the ip object. (note: group has no meaning in authentication rules). • create a new user au...

  • Page 234

    • create a config mode pool object (there can only be one associated with a netdefendos installation) and associate with it the ip pool object defined in the previous step. • enable the ike config mode option in the ipsec tunnel object ipsec_tunnel. Configuring the ipsec client in both cases (a) and...

  • Page 235

    3. Define a pre-shared key for the ipsec tunnel. 4. Define an ipsec tunnel object (let's call this object ipsec_tunnel) with the following parameters: • set local network to ip_ext (specify all-nets instead if netdefendos is behind a nating device). • set remote network to all-nets • set remote gate...

  • Page 236

    Action src interface src network dest interface dest network service allow l2tp_tunnel l2tp_pool any int_net all nat ipsec_tunnel l2tp_pool ext all-nets all the second rule would be included to allow clients to surf the internet via the ext interface on the d-link firewall. The client will be alloca...

  • Page 237: 9.2.7. Vpn Troubleshooting

    • an int_net object which is the internal network from which the addresses come. • an ip_int object which is the internal ip address of the interface connected to the internal network. Let's assume this interface is int. • an ip_ext object which is the external public address which clients will conn...

  • Page 238

    • if certificates have been used, check that the correct certificates have been used and that they haven't expired. • use icmp ping to confirm that the tunnel is working. With roaming clients this is best done by pinging the internal ip address of the local network interface on the d-link firewall f...

  • Page 239

    Ipsec tunnel   local net          remote net       remote gw
    ------------   --------------     ------------     -------------
    l2tp_ipsec     214.237.225.43     84.13.193.179    84.13.193.179
    ipsec_tun1     192.168.0.0/24     172.16.1.0/24    82.242.91.203

    To examine the first ike negotiation phase of tunnel setup use: > ipsecstat -ike to get compl...

  • Page 240: 9.3. Ipsec

    9.3. Ipsec 9.3.1. Overview internet protocol security (ipsec) is a set of protocols defined by the internet engineering task force (ietf) to provide ip security at the network layer. An ipsec based vpn is made up of two parts: • internet key exchange protocol (ike) • ipsec protocols (ah/esp/both) t...

  • Page 241

    Ike negotiation the process of negotiating session parameters consists of a number of phases and modes. These are described in detail in the sections below. The flow of events can be summarized as follows: ike phase-1 • negotiate how ike should be protected ike phase-2 • negotiate how ipsec should be p...

  • Page 242

    Authentication can be accomplished through pre-shared keys, certificates or public key encryption. Pre-shared keys are the most common authentication method today. Psk and certificates are supported by the netdefendos vpn module. Ike phase-2 - ipsec security negotiation in phase two, another negotiat...

  • Page 243

    Configurations. Remote gateway the remote gateway will be doing the decryption/authentication and pass the data on to its final destination. This field can also be set to "none", forcing the d-link vpn to treat the remote address as the remote gateway. This is particularly useful in cases of roaming...

  • Page 244

    • cast128 • 3des • des des is only included to be interoperable with other older vpn implementations. Use of des should be avoided whenever possible, since it is an old algorithm that is no longer considered secure. Ike authentication this specifies the authentication algorithms used in the ike nego...

  • Page 245: 9.3.3. Ike Authentication

    Pfs group this specifies the pfs group to use with pfs. The pfs groups supported by netdefendos are: • 1 modp 768-bit • 2 modp 1024-bit • 5 modp 1536-bit security increases as the pfs group bits grow larger, as does the time taken for the exchanges. Ipsec dh group this is a diffie-hellman group much...

  • Page 246

    Method where ike is not used at all; the encryption and authentication keys as well as some other parameters are directly configured on both sides of the vpn tunnel. Note d-link firewalls do not support manual keying. Manual keying advantages since it is very straightforward it will be quite interop...

  • Page 247

    Roaming clients. Instead, should a client be compromised, the client's certificate can simply be revoked. No need to reconfigure every client. Certificate disadvantages added complexity. Certificate-based authentication may be used as part of a larger public key infrastructure, making all vpn client...

  • Page 248: 9.3.5. Nat Traversal

    9.3.5. Nat traversal both ike and ipsec protocols present a problem in the functioning of nat. Neither protocol was designed to work through nats and because of this, a technique called "nat traversal" has evolved. Nat traversal is an add-on to the ike and ipsec protocols that allows them to func...

  • Page 249: 9.3.6. Proposal Lists

    Configuration is needed. However, for responding firewalls two points should be noted: • on responding firewalls, the remote gateway field is used as a filter on the source ip of received ike packets. This should be set to allow the nated ip address of the initiator. • when individual pre-shared key...

  • Page 250: 9.3.7. Pre-Shared Keys

    1. Go to objects > vpn objects > ike algorithms > add > ipsec algorithms 2. Enter a name for the list eg. Esp-l2tptunnel. 3. Now check the following: • des • 3des • sha1 • md5 4. Click ok then, apply the proposal list to the ipsec tunnel: 1. Go to interfaces > ipsec 2. In the grid control, click the...
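
Pages 244 to 250 cover what a responder decides before and during IKE: which source addresses may start a negotiation (the remote gateway field, which after NAT must name the NAT device's address, page 249), which algorithm combination is agreed from the proposal lists, that DES is kept only for old peers, and that an SA is renegotiated when its lifetime in seconds or kilobytes runs out (page 263 gives 3600 s and 250000 KB). The following is an added illustration of those decisions and is not NetDefendOS code; the gateway addresses are the ones in the ipsecstat output on page 239, the policy values and the reading of a proposal list as "every combination, in the order given" are assumptions.

```python
"""Responder-side IKE decisions as described above. Constructed example,
not NetDefendOS code."""
import secrets

DEPRECATED_CIPHERS = {"des"}      # page: DES only for interoperating with old peers


def ike_admitted(tunnel, src_ip):
    """Remote gateway 'none' admits roaming clients from anywhere. Otherwise
    the configured address must equal the source IP of the IKE packet, which
    for a NATed initiator is the NAT device's address, not the client's own."""
    gw = tunnel["remote_gateway"]
    return gw == "none" or gw == src_ip


def expand(proposal_list):
    """A proposal list here is (ciphers, integrity algorithms, DH groups);
    every combination is offered, in the order the lists give them."""
    ciphers, hashes, groups = proposal_list
    return [(c, h, g) for c in ciphers for h in hashes for g in groups]


def negotiate(initiator, responder, allow_deprecated=False):
    """The responder answers with the first combination in the initiator's
    order that it also supports, refusing DES unless explicitly allowed.
    None means the peers share nothing and the tunnel does not come up."""
    acceptable = set(expand(responder))
    for cand in expand(initiator):
        if cand in acceptable and (allow_deprecated or cand[0] not in DEPRECATED_CIPHERS):
            return cand
    return None


def sa_expired(established_at, now, kilobytes_sent, lifetime_s=3600, lifetime_kb=250000):
    """An IPsec SA is renegotiated when either configured limit is reached,
    whichever comes first."""
    return now - established_at >= lifetime_s or kilobytes_sent >= lifetime_kb


def new_hex_psk(bits=256):
    """The 'generate random key' button of page 251: a hexadecimal
    pre-shared key from the OS CSPRNG, never from a passphrase."""
    return secrets.token_hex(bits // 8)
```

The admission check is the one that bites with NAT traversal: a tunnel whose remote gateway is the client's real address silently ignores IKE packets that arrive from the NAT's address, so for a NATed peer the field must hold the NATed address (or "none" for roaming clients, with identification done through certificates or per-client pre-shared keys instead).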

  • Page 251

    1. Go to objects > authentication objects > add > pre-shared key 2. Enter a name for the pre-shared key eg. Mypsk 3. Choose hexadecimal key and click generate random key to generate a key to the passphrase textbox. 4. Click ok then, apply the pre-shared key to the ipsec tunnel: 1. Go to interfaces >...

  • Page 252

    Gw-world:/myidlist> cc finally, apply the identification list to the ipsec tunnel: gw-world:/> set interface ipsectunnel myipsectunnel authmethod=certificate idlist=myidlist rootcertificates=admincert gatewaycertificate=admincert web interface first create an identification list: 1. Go to objects > ...

  • Page 253: 9.4. Ipsec Tunnels

    9.4. Ipsec tunnels 9.4.1. Overview an ipsec tunnel defines an endpoint of an encrypted tunnel. Each ipsec tunnel is interpreted as a logical interface by netdefendos, with the same filtering, traffic shaping and configuration capabilities as regular interfaces. When another d-link firewall or d-link...

  • Page 254

    Computer from different locations is a typical example of a roaming client. Apart from the need for secure vpn access, the other major issue with roaming clients is that the mobile user's ip address is often not known beforehand. To handle the unknown ip address netdefendos can dynamically add r...

  • Page 255

    5. Under the routing tab: • enable the option: dynamically add route to the remote network when a tunnel is established. 6. Click ok c. Finally configure the ip rule set to allow traffic inside the tunnel. 9.4.3.2. Self-signed certificate based client tunnels example 9.5. Setting up a self-signed ce...

  • Page 256

    3. For algorithms enter: • ike algorithms: medium or high • ipsec algorithms: medium or high 4. For authentication enter: • choose x.509 certificate as authentication method • root certificate(s): select all your client certificates and add them to the selected list • gateway certificate: choose you...

  • Page 257

    3. Click ok 4. Go to objects > vpn objects > id list > sales > add > id 5. Enter the name for the client 6. Select email as type 7. In the email address field, enter the email address selected when you created the certificate on the client 8. Create a new id for every client that you want to grant a...

  • Page 258

    Currently only one config mode object can be defined in netdefendos and this is referred to as the config mode pool object. The key parameters associated with it are as follows: use pre-defined ip pool object the ip pool object that provides the ip addresses. Use a static pool as an alternative to u...

  • Page 259

    Message includes the two ip addresses as well as the client identity. Optionally, the affected sa can be automatically deleted if validation fails by enabling the advanced setting ipsecdeletesaonipvalidationfailure. The default value for this setting is disabled. 9.4.4. Fetching crls from an alterna...

  • Page 260: 9.5. Pptp/l2Tp

    9.5. Pptp/l2tp the access by a client using a modem link over dial-up public switched networks, possibly with an unpredictable ip address, to protected networks via a vpn poses particular problems. Both the pptp and l2tp protocols provide two different means of achieving vpn access from remote clien...

  • Page 261: 9.5.2. L2Tp

    Gw-world:/> add interface l2tpserver mypptpserver serverip=lan_ip interface=any ip=wan_ip ippool=pp2p_pool tunnelprotocol=pptp allowedroutes=all-nets web interface 1. Go to interfaces > l2tp servers > add > l2tpserver 2. Enter a name for the pptp server eg. Mypptpserver. 3. Now enter: • inner ip add...

  • Page 262

    3. Now enter: • inner ip address: ip_l2tp • tunnel protocol: l2tp • outer interface filter: l2tp_ipsec • outer server ip: wan_ip 4. Under the ppp parameters tab, select l2tp_pool in the ip pool control 5. Under the add route tab, select all_nets in the allowed networks control 6. Click ok use user a...

  • Page 263

    Dhcpoveripsec=yes addroutetoremotenet=yes ipseclifetimekilobytes=250000 ipseclifetimeseconds=3600 web interface 1. Go to interfaces > ipsec > add > ipsec tunnel 2. Enter a name for the ipsec tunnel, eg. L2tp_ipsec 3. Now enter: a. Local network: wan_ip b. Remote network: all-nets c. Remote endpoint:...

  • Page 264

    7. In the proxyarp control, select the lan interface. 8. Click ok in order to authenticate the users using the l2tp tunnel, a user authentication rule needs to be configured. D. Next will be setting up the authentication rules: cli gw-world:/> add userauthrule authsource=local interface=l2tp_tunnel ...

  • Page 265

    4. Click ok 5. Go to rules > ip rules > add > iprule 6. Enter a name for the rule, eg. Natl2tp 7. Now enter: • action: nat • service: all_services • source interface: l2tp_tunnel • source network: l2tp_pool • destination interface: any • destination network: all-nets 8. Click ok 9.5.2. L2tp chapter ...

  • Page 267: 10.1. Traffic Shaping

    Chapter 10. Traffic management this chapter describes how netdefendos can manage network traffic. • traffic shaping, page 267 • threshold rules, page 279 • server load balancing, page 281 10.1. Traffic shaping 10.1.1. Introduction qos with tcp/ip a weakness of tcp/ip is the lack of true quality of s...

  • Page 268

    • providing bandwidth guarantees. This is typically accomplished by treating a certain amount of traffic (the guaranteed amount) as high priority. Traffic exceeding the guarantee then has the same priority as "any other traffic", and competes with the rest of the non-prioritized traffic. Traffic sha...

  • Page 269

    Figure 10.1. Pipe rule set to pipe packet flow where one pipe is specified in a list then that is the pipe whose characteristics will be applied to the traffic. If a series of pipes are specified then these will form a chain of pipes through which traffic will pass. A chain can be made up of at most...

  • Page 270

    Cli gw-world:/> add piperule returnchain=std-in sourceinterface=lan sourcenetwork=lannet destinationinterface=wan destinationnetwork=all-nets service=all_services name=outbound web interface 1. Go to traffic management > traffic shaping > pipes > add > pipe rule 2. Specify a suitable name for the pi...

  • Page 271

    Gw-world:/> add pipe std-out limitkbpstotal=2000 web interface 1. Go to traffic management > traffic shaping > pipes > add > pipe 2. Specify a name for the pipe, eg. Std-out 3. Enter 2000 in total textbox 4. Click ok after creating a pipe for outbound bandwidth control, add it to the forward pipe ch...

  • Page 272: 10.1.6. Precedences

    Setting up pipes in this way only puts limits on the maximum values for certain traffic types. It does not give priorities to different types of competing traffic. 10.1.6. Precedences all packets that pass through netdefendos traffic shaping pipes have a precedence. In the examples so far, precedenc...

  • Page 273

    These limits can be specified in kilobits per second and/or packets per second (if both are specified then the first limit reached will be the limit used). If precedences are used then the total limit for the pipe as a whole must be specified so the pipe knows what its capacity is and therefore...

  • Page 274: 10.1.7. Guarantees

    For other services such as surfing, dns or ftp. A means is therefore required to ensure that lower priority traffic gets some portion of bandwidth and this is done with bandwidth guarantees. 10.1.7. Guarantees bandwidth guarantees ensure that there is a minimum amount of bandwidth available for a gi...

  • Page 275: 10.1.9. Groups

    Telnet-in pipes. Notice that we did not set a total limit for the ssh-in and telnet-in pipes. We do not need to since the total limit will be enforced by the std-in pipe at the end of the respective chains. The ssh-in and telnet-in pipes act as a "priority filter": they make sure that no more than t...

  • Page 276: 10.1.10. Recommendations

    Instead of specifying a total group limit, the alternative is to enable the dynamic balancing option. This ensures that the available bandwidth is divided equally between all addresses regardless of how many there are and this is done up to the limit of the pipe. If a total group limit of 100 bps is...

  • Page 277

    Specifying a "per destinationip" grouping. Knowing when the pipe is full is not important since the only constraint is on each user. If precedences were used the pipe maximum would have to be used. Limits shouldn't be higher than the available bandwidth: if pipe limits are set higher than the availab...

  • Page 278

    • a pipe can have a limit which is the maximum amount of traffic allowed. • a pipe can only know when it is full if a limit is specified. • a single pipe should handle traffic in only one direction (although 2 way pipes are allowed). • pipes can be chained so that one pipe's traffic feeds into anoth...
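
Pages 269 to 278 describe pipes, precedences, chaining and grouping: traffic above a precedence limit is demoted to best effort, a pipe can only know it is full when it has a total limit, the ssh-in and telnet-in pipes act as a "priority filter" in front of std-in, and dynamic balancing shares a group's bandwidth equally among the addresses currently active. The following is an added one-second model of those rules and is not NetDefendOS code; the pipe names come from the page, the numbers are made up, and the max-min allocation used for dynamic balancing is an assumption about how "divided equally" is implemented.

```python
"""One-second model of pipes, precedences, chains and dynamic balancing as
described above. Constructed example, not NetDefendOS code."""

BEST_EFFORT = 0          # lowest precedence; traffic over a precedence limit falls here


class Pipe:
    def __init__(self, name, total_kbps=None, prec_limits=None):
        self.name = name
        self.total = total_kbps
        self.prec_limits = prec_limits or {}

    def shape(self, demand):
        """demand: {precedence: kbps offered} -> {precedence: kbps let through}.
        Per-precedence limits are applied first (the excess is demoted to
        best effort), then the total is filled from the highest precedence
        down, so a pipe without a total never refuses anything."""
        by_prec = {BEST_EFFORT: demand.get(BEST_EFFORT, 0)}
        for prec, kbps in demand.items():
            if prec == BEST_EFFORT:
                continue
            lim = self.prec_limits.get(prec)
            if lim is not None and kbps > lim:
                by_prec[prec] = lim
                by_prec[BEST_EFFORT] += kbps - lim
            else:
                by_prec[prec] = by_prec.get(prec, 0) + kbps
        remaining = float("inf") if self.total is None else self.total
        out = {}
        for prec in sorted(by_prec, reverse=True):
            out[prec] = min(by_prec[prec], remaining)
            remaining -= out[prec]
        return out


def chain(pipes, demand):
    """Pipes in a chain are traversed in order; what leaves one is what is
    offered to the next, so the last pipe's total caps the whole chain."""
    for p in pipes:
        demand = p.shape(demand)
    return demand


def dynamic_balance(total_kbps, demand_by_ip):
    """Grouping with dynamic balancing: the pipe is shared equally between
    the addresses currently active; an address wanting less than its share
    leaves the rest to the others (max-min fair allocation, an assumption)."""
    alloc, remaining = {}, total_kbps
    pending = sorted(demand_by_ip.items(), key=lambda kv: kv[1])
    while pending:
        share = remaining / len(pending)
        ip, want = pending.pop(0)
        alloc[ip] = min(want, share)
        remaining -= alloc[ip]
    return alloc
```

With ssh-in limiting precedence 2 to 100 kbps and std-in capped at 1000 kbps, 300 kbps of SSH at precedence 2 leaves ssh-in as 100 kbps at precedence 2 plus 200 kbps demoted to best effort, and that demoted share then competes on equal terms with web traffic inside std-in, which is exactly the "guarantee" behaviour the page describes.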

  • Page 279: 10.2. Threshold Rules

    10.2. Threshold rules 10.2.1. Overview the objective of a threshold rule is to have a means of detecting abnormal connection activity as well as reacting to it. An example of a cause for such abnormal activity might be an internal host becoming infected with a virus that is making repeated connectio...

  • Page 280

    10.2.5. Multiple triggered actions when a rule is triggered then netdefendos will perform the associated rule actions that match the condition that has occurred. If more than one action matches the condition then those matching actions are applied in the order they appear in the user interface. If se...

  • Page 281: 10.3.1. Overview

    10.3. Server load balancing 10.3.1. Overview the server load balancing (slb) feature in netdefendos is a powerful tool that can improve the following aspects of network applications: • performance • scalability • reliability • ease of administration slb allows network service demands to be shared am...

  • Page 282

    Slb also means that network administrators can perform maintenance tasks on servers or applications without disrupting services. Individual servers can be restarted, upgraded, removed, or replaced, and new servers and applications can be added or moved without affecting the rest of a server farm, or...

  • Page 283

    Algorithm cycles through the server list and redirects the load to servers in order. Regardless of each server's capability and other aspects, for instance, the number of existing connections on a server or its response time, all the available servers take turns in being assigned the next connection...

  • Page 284: 10.3.6. Slb_Sat Rules

    If connection rate is applied instead, r1 and r2 will be sent to the same server because of stickiness, but the subsequent requests r3 and r4 will be routed to another server since the number of new connections on each server within the window time span is counted in for the distribution. Figure 10....
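
Pages 283 and 284 contrast the two distribution algorithms (round-robin, which hands out servers in turn regardless of their state, and connection-rate, which counts new connections per server within a window) and stickiness, which keeps a client on the server it was first given. The following is an added model of that behaviour and is not NetDefendOS code; the servers are the page's server1/server2 (192.168.1.10 and .11), while the idle timeout that ends a sticky binding and the tie-breaking by list order are assumptions, since the figure that explains why r3 and r4 move to another server is not reproduced on this page.

```python
"""Server load balancing as described above: round-robin or connection-rate
distribution with stickiness per client address. Constructed example,
not NetDefendOS code."""
from collections import deque


class ServerLoadBalancer:
    def __init__(self, servers, algorithm="round-robin", window_s=10.0, sticky_idle_s=10.0):
        self.servers = list(servers)
        self.algorithm = algorithm
        self.window_s = window_s
        self.sticky_idle_s = sticky_idle_s          # assumption: bindings expire when idle
        self.next_rr = 0
        self.recent = {s: deque() for s in self.servers}   # new-connection times per server
        self.sticky = {}                                    # client IP -> (server, last seen)

    def _round_robin(self):
        """Next server in turn, whatever its load or response time."""
        s = self.servers[self.next_rr % len(self.servers)]
        self.next_rr += 1
        return s

    def _connection_rate(self, now):
        """Fewest new connections inside the window wins; ties keep list order."""
        for q in self.recent.values():
            while q and now - q[0] > self.window_s:
                q.popleft()
        return min(self.servers, key=lambda s: len(self.recent[s]))

    def pick(self, now, client_ip):
        """Choose the server for a new connection from client_ip at time now."""
        bound = self.sticky.get(client_ip)
        if bound and now - bound[1] <= self.sticky_idle_s:
            server = bound[0]                  # stickiness beats the algorithm
        elif self.algorithm == "round-robin":
            server = self._round_robin()
        else:
            server = self._connection_rate(now)
        self.sticky[client_ip] = (server, now)
        self.recent[server].append(now)
        return server
```

Stickiness matters for anything that keeps per-session state on the server (a login, a shopping basket), so it overrides the distribution algorithm while the binding is fresh; once it lapses, connection-rate sends the client to whichever server has taken the fewest new connections in the window.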

  • Page 285

    The key component in setting up slb is the slb_sat rule in the ip rule set. The steps that should be followed are: 1. Define an object for each server for which slb is to be done. 2. Define a group which includes all these objects 3. Define an slb_sat rule in the ip rule set which refers to this gro...

  • Page 286

    4. Click ok 5. Repeat the above to create an object called server2 for the 192.168.1.11 ip address. B. Create a group which contains the 2 webserver objects: 1. Go to objects > address book > add > ip4 group 2. Enter a suitable name, eg. Server_group 3. Add server1 and server2 to the group 4. Click ...

  • Page 287

    • service: http • source interface: any • source network: all-nets • destination interface: core • destination network: ip_ext 3. Click ok

  • Page 289: 11.1. Overview

    Chapter 11. High availability this chapter describes the high availability fault-tolerance feature in d-link firewalls. • overview, page 289 • high availability mechanisms, page 291 • high availability setup , page 293 • high availability issues, page 296 11.1. Overview high availability is a fault-...

  • Page 290

    D-link ha will only operate between two d-link firewalls. As the internal operation of different security gateway manufacturers' software is completely dissimilar, there is no common method available for communicating state information to a dissimilar device. It is also strongly recommended that the ...

  • Page 291

    11.2. High availability mechanisms d-link ha provides a redundant, state-synchronized hardware configuration. The state of the active unit, such as the connection table and other vital information, is continuously copied to the inactive unit via the sync interface. When cluster failover occurs, the ...

  • Page 292

    Packets destined for the shared hardware address.

  • Page 293: 11.3.1. Hardware Setup

    11.3. High availability setup this section provides a step-by-step guide for setting up an ha cluster. 11.3.1. Hardware setup 1. Start with two physically similar d-link firewalls. Both may be newly purchased or one may have been purchased to be the back-up unit (in other words, to be the slave unit...

  • Page 294: 11.3.2. Netdefendos Setup

    3. Decide on a shared ip address for each interface in the cluster. Some interfaces could have shared addresses only with others having unique individual addresses as well. The shared and unique addresses are used as follows: • the unique, non-shared ip addresses are used to communicate with the d-l...

  • Page 295

    This device is an ha master this device is currently active (will forward traffic) ha cluster peer is alive then use the stat command to verify that both master and slave have about the same number of connections. The output should contain a line similar to this: connections 2726 out of 128000 where...

  • Page 296

    11.4. High availability issues the following points should be kept in mind when managing and configuring an ha cluster. Snmp snmp statistics are not shared between master and slave. Snmp managers have no failover capabilities. Therefore both firewalls in a cluster need to be polled separately. Using...

  • Page 298: Chapter 12. Zonedefense

    Chapter 12. Zonedefense this chapter describes the d-link zonedefense feature. • overview, page 298 • zonedefense switches, page 299 • zonedefense operation, page 300 12.1. Overview zonedefense allows a d-link firewall to control locally attached switches. It can be used as a counter-measure to stop...

  • Page 299: 12.2. Zonedefense Switches

    12.2. Zonedefense switches switch information regarding every switch that is to be controlled by the firewall has to be manually specified in the firewall configuration. The information needed in order to control a switch includes: • the ip address of the management interface of the switch • the swi...

  • Page 300: 12.3.1. Snmp

    12.3. Zonedefense operation 12.3.1. Snmp simple network management protocol (snmp) is an application layer protocol for complex network management. Snmp allows the managers and managed devices in a network to communicate with each other. Snmp managers a typical managing device, such as a d-link fire...

  • Page 301

    As a complement to threshold rules, it is also possible to manually define hosts and networks that are to be statically blocked or excluded. Manually blocked hosts and networks can be blocked by default or based on a schedule. It is also possible to specify which protocols and protocol port numbers ...

  • Page 302: 12.3.4. Limitations

    2. For addresses choose the object name of the firewall's interface address 192.168.1.1 from the available list and put it into the selected list. 3. Click ok configure an http threshold of 10 connections/second: 1. Go to traffic management > threshold rules > add > threshold rule 2. For the thresho...
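
Pages 279 to 280 and 301 to 302 describe the same mechanism from two ends: a threshold rule counts connections per host (or in total) within a window and takes an audit or protect action when the limit is exceeded, and ZoneDefense turns that into a block on the attached switch, with an exclude list so that the firewall's own interface address 192.168.1.1 is never blocked. The following is an added illustration of that flow and is not NetDefendOS code; the connection log is made up, and the switch is represented by a callback because the SNMP objects used to block a host differ per switch model and are not given on this page.

```python
"""Threshold rule evaluation and the ZoneDefense decision that follows it,
after the HTTP example above. Constructed example, not NetDefendOS code."""
from collections import defaultdict, deque


class ThresholdRule:
    """Host-based connection-rate rule: trigger when one source opens more
    than `limit` connections to `dport` within `window_s` seconds."""

    def __init__(self, dport, limit, window_s=1.0, action="protect"):
        self.dport, self.limit, self.window_s, self.action = dport, limit, window_s, action
        self.seen = defaultdict(deque)     # source IP -> timestamps of recent connections

    def new_connection(self, now, src, dport):
        """Return the action to take ('audit' logs only, 'protect' drops and
        may hand the host to ZoneDefense) or None while under the limit."""
        if dport != self.dport:
            return None
        q = self.seen[src]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        return self.action if len(q) > self.limit else None


class ZoneDefense:
    """Blocks offending hosts on the attached switches, never the firewall's
    own interface addresses or anything else on the exclude list."""

    def __init__(self, switches, exclude, block_callback):
        self.switches = switches          # management IPs of controlled switches
        self.exclude = set(exclude)
        self.block = block_callback       # called as block(switch_ip, host); SNMP in reality
        self.blocked = set()

    def block_host(self, host):
        """Return True if a new block was issued, False if excluded or already done."""
        if host in self.exclude or host in self.blocked:
            return False
        for sw in self.switches:
            self.block(sw, host)
        self.blocked.add(host)
        return True


def run(events, rule, zd):
    """events: iterable of (time, src, dport) for new connections; a rule
    with the protect action and ZoneDefense enabled blocks the offender."""
    for now, src, dport in events:
        if rule.new_connection(now, src, dport) == "protect":
            zd.block_host(src)
    return zd.blocked
```

In the constructed run a host opening twelve HTTP connections in half a second trips the 10 connections/second rule and is blocked once; the firewall's own address doing the same is on the exclude list and is left alone; a host making the same twelve connections spread over more than a second never exceeds the window count.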

  • Page 304: 13.1. Ip Level Settings

    Chapter 13. Advanced settings this chapter describes the configurable advanced settings for netdefendos. The settings are divided up into the following categories: note after an advanced setting is changed a reconfiguration must be performed in order for the new netdefendos configuration to be upload...

  • Page 305: Lognonip4

    Lognonip4 logs occurrences of ip packets that are not version 4. Netdefendos only accepts version 4 ip packets; everything else is discarded. Default: 256 logreceivedttl0 logs occurrences of ip packets received with the "time to live" (ttl) value set to zero. Under no circumstances should any networ...

  • Page 306: IPOptionSizes

    Verifies that the size information contained in each "layer" (Ethernet, IP, TCP, UDP, ICMP) is consistent with that of the other layers. Default: ValidateLogBad. IPOptionSizes: verifies the size of "IP options". These options are small blocks of information that may be added to the end of each IP header. ...

  • Page 307: 13.2. TCP Level Settings

    13.2. TCP level settings. TCPOptionSizes: verifies the size of TCP options. This function acts in the same way as IPOptionSizes described above. Default: ValidateLogBad. TCPMSSMin: determines the minimum permissible size of the TCP MSS. Packets containing maximum segment sizes below this limit are handl...

  • Page 308: TCPZeroUnusedACK

    Default: 7000 bytes. TCPZeroUnusedACK: determines whether NetDefendOS should set the ACK sequence number field in TCP packets to zero if it is not used. Some operating systems reveal sequence number information this way, which can make it easier for intruders wanting to hijack established connections. ...
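    The header checks described on the last few pages (LogNonIP4, LogReceivedTTL0, LayerSizeConsistency, IPOptionSizes, TCPOptionSizes, TCPMSSMin) and the TCPZeroUnusedACK normalization can be seen working together in the following Python. It is an added illustration written for this page, not NetDefendOS code: the packet builder, the function and constant names and the 100-byte MSS floor are this example's own assumptions, and checksums are left at zero because they are not what these checks look at.

```python
import struct

# Policy values standing in for the settings discussed above; the names are this
# example's own, not NetDefendOS identifiers.
TCP_MSS_MIN = 100        # TCPMSSMin-style floor for the advertised MSS (assumed value)
TCP_FLAG_ACK = 0x10
TCP_OPT_MSS = 2


def build_ipv4_tcp(ip_opts=b"", tcp_opts=b"", flags=0x02, ack=0, ttl=64, version=4, total_len=None):
    """Constructed IPv4/TCP packet for the checks below (checksums left zero; not what is tested)."""
    assert len(ip_opts) % 4 == 0 and len(tcp_opts) % 4 == 0
    ihl, doff = 5 + len(ip_opts) // 4, 5 + len(tcp_opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, ack, doff << 4, flags, 8192, 0, 0) + tcp_opts
    if total_len is None:
        total_len = ihl * 4 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl, 0, total_len, 1, 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_opts
    return ip + tcp


def walk_options(buf):
    """Walk an IP or TCP option list (kind, length, data). Yields (kind, data) and raises
    ValueError when a length byte is below 2 or runs past the end of the option area."""
    i = 0
    while i < len(buf):
        kind = buf[i]
        if kind == 0:                      # End of Option List
            return
        if kind == 1:                      # No-Operation: a single byte without a length
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("option kind %d has no length byte" % kind)
        length = buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("option kind %d length %d overruns" % (kind, length))
        yield kind, buf[i + 2:i + length]
        i += length


def check_packet(pkt):
    """Return the list of checks the packet fails; an empty list means it would be forwarded."""
    findings = []
    if len(pkt) < 20:
        return ["truncated IP header"]
    version = pkt[0] >> 4
    if version != 4:                                   # LogNonIP4: only IPv4 is accepted
        return ["non-IPv4 packet (version %d)" % version]
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ttl, proto = pkt[8], pkt[9]
    if ttl == 0:                                       # LogReceivedTTL0
        findings.append("TTL is zero")
    # LayerSizeConsistency: header length, total length and the bytes received must agree
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        findings.append("IP length fields inconsistent with frame")
        return findings
    try:                                               # IPOptionSizes
        list(walk_options(pkt[20:ihl]))
    except ValueError as exc:
        findings.append("bad IP option: %s" % exc)
    if proto == 6:
        tcp = pkt[ihl:total_len]
        if len(tcp) < 20:
            findings.append("TCP header truncated")
            return findings
        doff = (tcp[12] >> 4) * 4
        if doff < 20 or doff > len(tcp):
            findings.append("TCP data offset inconsistent with IP length")
            return findings
        try:                                           # TCPOptionSizes and TCPMSSMin
            for kind, data in walk_options(tcp[20:doff]):
                if kind == TCP_OPT_MSS:
                    if len(data) != 2:
                        findings.append("MSS option with wrong length")
                    elif struct.unpack("!H", data)[0] < TCP_MSS_MIN:
                        findings.append("MSS below minimum")
        except ValueError as exc:
            findings.append("bad TCP option: %s" % exc)
    return findings


def zero_unused_ack(pkt):
    """TCPZeroUnusedACK: return a copy with the acknowledgement number cleared when the ACK
    flag is not set, so a stack that leaks sequence state there shows nothing to an observer.
    A real firewall must recompute the TCP checksum afterwards; these test packets carry none."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20 or pkt[ihl + 13] & TCP_FLAG_ACK:
        return pkt
    out = bytearray(pkt)
    out[ihl + 8:ihl + 12] = b"\x00\x00\x00\x00"
    return bytes(out)
```

    Each finding corresponds to one of the settings on these pages; an engine with the defaults above would log the packet and, for ValidateLogBad, drop it.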

  • Page 309: TCPOPT_CC

    To transport alternate checksums where permitted by AltChkReq above. Normally never seen on modern networks. Default: StripLog. TCPOPT_CC: determines how NetDefendOS will handle connection count options. Default: StripLogBad. TCPOPT_OTHER: specifies how NetDefendOS will deal with TCP options not covered...

  • Page 310: TCPRF

    Specifies how NetDefendOS will deal with TCP packets with either the Xmas or Ymas flag turned on. These flags are currently mostly used by OS fingerprinting. Note: an upcoming standard called Explicit Congestion Notification also makes use of these TCP flags, but as long as there are only a few oper... ECN has since been standardized as RFC 3168 and is widely deployed, so a policy that strips these bits or drops packets carrying them will break ECN negotiation; check what your hosts rely on before keeping a restrictive value.

  • Page 311: 13.3. ICMP Level Settings

    13.3. ICMP level settings. ICMPSendPerSecLimit: specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this setting limits how many rejects per second may be generated by ...

  • Page 312: 13.4. ARP Settings

    13.4. ARP settings. ARPMatchEnetSender: determines if NetDefendOS will require the sender address at Ethernet level to comply with the hardware address reported in the ARP data. Default: DropLog. ARPQueryNoSenderIP: what to do with ARP queries that have a sender IP of 0.0.0.0. Such sender IPs are never ...

  • Page 313: ARPExpire

    ARPExpire: specifies how long a normal dynamic item in the ARP table is to be retained before it is removed from the table. Default: 900 seconds (15 minutes). ARPExpireUnknown: specifies how long NetDefendOS is to remember addresses that cannot be reached. This is done to ensure that NetDefendOS does n...
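    As an added example (not NetDefendOS code), the following Python shows the ARPMatchEnetSender comparison between the Ethernet source and the ARP sender hardware address, a policy hook for queries with a 0.0.0.0 sender in the spirit of ARPQueryNoSenderIP, and a small ARP cache with the two lifetimes described under ARPExpire and ARPExpireUnknown. The frame builder, the verdict strings and the 3-second lifetime for negative entries are this example's own assumptions; only the 900-second lifetime for learned entries is taken from the text.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
UNSPECIFIED = IPv4Address("0.0.0.0")


def build_arp(eth_src, sender_mac, sender_ip, target_ip, opcode=1,
              eth_dst=b"\xff" * 6, target_mac=b"\x00" * 6):
    """Constructed test frame: 14-byte Ethernet header followed by a 28-byte ARP body."""
    eth = eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + sender_mac +
           IPv4Address(sender_ip).packed + target_mac + IPv4Address(target_ip).packed)
    return eth + arp


def check_arp(frame, query_no_sender_ip="DropLog"):
    """Validate one ARP frame. Returns (action, reason) with action "Accept", "Drop" or "DropLog".
    query_no_sender_ip is this example's stand-in for the ARPQueryNoSenderIP policy."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return ("DropLog", "not an Ethernet/ARP frame")
    eth_src = frame[6:12]
    hw_type, proto_type, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto_type, hlen, plen) != (1, 0x0800, 6, 4):
        return ("DropLog", "not Ethernet/IPv4 ARP")
    sender_mac, sender_ip = frame[22:28], IPv4Address(frame[28:32])
    # ARPMatchEnetSender: the Ethernet source must equal the ARP sender hardware address.
    # A mismatch is the usual signature of a spoofed or cache-poisoning frame.
    if sender_mac != eth_src:
        return ("DropLog", "ARP sender %s differs from Ethernet source %s"
                % (sender_mac.hex(":"), eth_src.hex(":")))
    if sender_ip == UNSPECIFIED:
        if opcode == 1:                      # query from a host that has no address yet
            return (query_no_sender_ip, "ARP query with sender IP 0.0.0.0")
        return ("DropLog", "ARP reply with sender IP 0.0.0.0")
    return ("Accept", "")


class ArpCache:
    """Dynamic ARP table with one lifetime for learned entries (ARPExpire) and a shorter one
    for negative entries about addresses that did not answer (ARPExpireUnknown)."""

    def __init__(self, expire=900, expire_unknown=3):   # 3 s is this example's assumption
        self.expire, self.expire_unknown = expire, expire_unknown
        self.table = {}                                  # IPv4Address -> (mac or None, expiry)

    def learn_from(self, frame, now):
        """Validate a frame and, if accepted, record its sender; returns the verdict."""
        action, reason = check_arp(frame)
        if action == "Accept":
            self.table[IPv4Address(frame[28:32])] = (frame[22:28], now + self.expire)
        return action, reason

    def mark_unreachable(self, ip, now):
        """Negative entry: stop re-querying an address that gave no answer, for a short while."""
        self.table[IPv4Address(ip)] = (None, now + self.expire_unknown)

    def lookup(self, ip, now):
        """('hit', mac), ('unknown', None) while a negative entry is fresh, or ('miss', None)."""
        ip = IPv4Address(ip)
        entry = self.table.get(ip)
        if entry is None or entry[1] <= now:
            self.table.pop(ip, None)
            return ("miss", None)
        return ("hit", entry[0]) if entry[0] is not None else ("unknown", None)
```

    The verdict for a 0.0.0.0 sender is deliberately a parameter: whatever the administrator chooses for ARPQueryNoSenderIP, a reply with an unspecified sender is never accepted here.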

  • Page 314: LogConnectionUsage

    13.5. Stateful inspection settings. LogConnectionUsage: this generates a log message for every packet that passes through a connection that is set up in the NetDefendOS state engine. Traffic whose destination is the D-Link firewall itself, for example NetDefendOS management traffic, is not subject to ...

  • Page 315

    • NoLog – does not log any connections; consequently, it will not matter if logging is enabled for either Allow or NAT rules in the rules section; they will not be logged. However, FwdFast, Drop and Reject rules will be logged as stipulated by the settings in the rules section.
    • Log – logs connecti...

  • Page 316: 13.6. Connection Timeouts

    13.6. Connection timeouts. The settings in this section specify how long a connection can remain idle, i.e. no data being sent through it, before it is automatically closed. Please note that each connection has two timeout values: one for each direction. A connection is closed if either of the two val...

  • Page 317

    Default: false. AllowBothSidesToKeepConnAlive_UDP (Chapter 13. Advanced settings, page 317)

  • Page 318: MaxTCPLen

    13.7. Size limits by protocol. This section contains information about the size limits imposed on the protocols directly under IP level, i.e. TCP, UDP, ICMP, etc. The values specified here concern the IP data contained in packets. In the case of Ethernet, a single packet can contain up to 1480 bytes o...

  • Page 319: MaxSKIPLen

    MaxSKIPLen: specifies the maximum size of a SKIP packet. Default: 2000 bytes. MaxOSPFLen: specifies the maximum size of an OSPF packet. OSPF is a routing protocol mainly used in larger LANs. Default: 1480. MaxIPIPLen: specifies the maximum size of an IP-in-IP packet. IP-in-IP is used by Checkpoint firewa...

  • Page 320: PseudoReass_MaxConcurrent

    13.8. Fragmentation settings. IP is able to transport up to 65535 bytes in one datagram (the limit of the 16-bit total length field, header included). However, most media, such as Ethernet, cannot carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate packets, each one given its own IP header and information that will help th...

  • Page 321: FragReassemblyFail

    Default: Check8 – compare 8 random locations, a total of 32 bytes. FragReassemblyFail: reassemblies may fail due to one of the following causes:
    • some of the fragments did not arrive within the time stipulated by the ReassTimeout or ReassTimeLimit settings. This may mean that one or more fragments we...

  • Page 322: FragmentedICMP

    Not match up. Possible settings are as follows:
    • NoLog - no logging is carried out under normal circumstances.
    • LogSuspect - logs duplicated fragments if the reassembly procedure has been affected by "suspect" fragments.
    • LogAll - always logs duplicated fragments.
    Default: LogSuspect. FragmentedIC...

  • Page 323

    ReassIllegalLinger: once a whole packet has been marked as illegal, NetDefendOS is able to retain this in its memory in order to prevent further fragments of that packet from arriving. Default: 60 seconds.
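    The fragmentation settings of section 13.8 (the cap on concurrent reassemblies, the reassembly timeout, the Check8 duplicate comparison, logging of duplicate fragments, and the linger period for datagrams marked illegal) fit together as in this added Python example, which is not NetDefendOS code. It collects fragments per (source, destination, protocol, identification), treats any overlap whose bytes disagree as illegal for the whole datagram, remembers that verdict for the linger time, and samples random windows when comparing exact duplicates. The fragment builder, the method and event names, the 65-second timeout and the 1024-reassembly cap are assumptions of the example; the 60-second linger and the 8-sample compare follow the text.

```python
import random
import struct

IP_MF = 0x2000           # "more fragments" flag in the IPv4 flags/offset field
IP_OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units


def build_fragment(ident, offset, more, data, proto=17):
    """Constructed IPv4 fragment (checksum left zero); offset is in bytes, a multiple of 8."""
    flags_frag = (IP_MF if more else 0) | ((offset // 8) & IP_OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), ident, flags_frag, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + data


def fragment(ident, payload, chunk=16):
    """Split a payload into in-order fragments of `chunk` bytes (chunk is a multiple of 8)."""
    return [build_fragment(ident, off, off + chunk < len(payload), payload[off:off + chunk])
            for off in range(0, len(payload), chunk)]


class Reassembler:
    def __init__(self, max_concurrent=1024, timeout=65, illegal_linger=60, samples=8, seed=0):
        self.max_concurrent, self.timeout = max_concurrent, timeout
        self.illegal_linger, self.samples = illegal_linger, samples
        self.rng = random.Random(seed)  # fixed seed so the sampled compare is reproducible
        self.pending = {}               # key -> {"chunks": {offset: data}, "total": int|None, "seen": t}
        self.illegal = {}               # key -> time at which the "illegal" mark expires
        self.log = []                   # (event, key, detail); a real engine would emit log lines

    def _sampled_equal(self, a, b):
        """Check8-style duplicate test: compare `samples` random 4-byte windows, not every byte."""
        if len(a) != len(b):
            return False
        if len(a) <= 4 * self.samples:
            return a == b
        return all(a[i:i + 4] == b[i:i + 4]
                   for i in (self.rng.randrange(len(a) - 3) for _ in range(self.samples)))

    def _mark_illegal(self, key, now, reason):
        self.log.append(("IllegalFrags", key, reason))
        self.pending.pop(key, None)
        self.illegal[key] = now + self.illegal_linger  # ReassIllegalLinger-style memory

    def _expire(self, now):
        for key in [k for k, e in self.pending.items() if now - e["seen"] > self.timeout]:
            self.log.append(("ReassemblyFail", key, "timeout"))   # ReassTimeout exceeded
            del self.pending[key]
        for key in [k for k, t in self.illegal.items() if t <= now]:
            del self.illegal[key]

    def add(self, pkt, now):
        """Feed one fragment; return the reassembled datagram when complete, else None."""
        self._expire(now)
        ihl = (pkt[0] & 0x0F) * 4
        total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
        key = (pkt[12:16], pkt[16:20], pkt[9], ident)
        offset, more = (flags_frag & IP_OFFSET_MASK) * 8, bool(flags_frag & IP_MF)
        data = pkt[ihl:total_len]
        if key in self.illegal:
            self.log.append(("IllegalFrags", key, "fragment of a datagram already marked illegal"))
            return None
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.max_concurrent:  # PseudoReass_MaxConcurrent-style cap
                self.log.append(("ReassemblyFail", key, "too many concurrent reassemblies"))
                return None
            entry = self.pending[key] = {"chunks": {}, "total": None, "seen": now}
        entry["seen"] = now
        for off, old in entry["chunks"].items():
            lo, hi = max(off, offset), min(off + len(old), offset + len(data))
            if lo >= hi:
                continue                                        # disjoint, nothing to compare
            exact = (off, len(old)) == (offset, len(data))
            same = (self._sampled_equal(old, data) if exact
                    else old[lo - off:hi - off] == data[lo - offset:hi - offset])
            if not same:                                        # an overlap that rewrites bytes
                self._mark_illegal(key, now, "overlap at %d..%d with differing data" % (lo, hi))
                return None
            self.log.append(("DuplicateFragments", key,
                             ("duplicate" if exact else "suspect overlap") + " at %d..%d" % (lo, hi)))
            if exact:
                return None                                     # identical copy carries nothing new
        entry["chunks"][offset] = data
        if not more:
            entry["total"] = offset + len(data)
        total = entry["total"]
        if total is None:
            return None
        if any(o + len(d) > total for o, d in entry["chunks"].items()):
            self._mark_illegal(key, now, "fragment extends past the end of the datagram")
            return None
        buf, covered = bytearray(total), bytearray(total)
        for o, d in entry["chunks"].items():
            buf[o:o + len(d)], covered[o:o + len(d)] = d, b"\x01" * len(d)
        if not all(covered):
            return None                                         # holes remain
        del self.pending[key]
        return bytes(buf)
```

    The overlap test is the security-relevant part: a fragment that rewrites bytes already received is the classic way to present one payload to the firewall and another to the host, so the whole datagram is discarded and later fragments with the same identification are refused until the linger period ends.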

  • Page 324: LocalReass_MaxConcurrent

    13.9. Local fragment reassembly settings. LocalReass_MaxConcurrent: maximum number of concurrent local reassemblies. Default: 256. LocalReass_MaxSize: maximum size of a locally reassembled packet. Default: 10000. LocalReass_NumLarge: number of large (over 2 KB) local reassembly buffers (of the above size). ...

  • Page 325: 13.10. DHCP Settings

    13.10. DHCP settings. DHCP_MinimumLeaseTime: minimum lease time (seconds) accepted from the DHCP server. Default: 60. DHCP_ValidateBcast: require that the assigned broadcast address is the highest address in the assigned network. Default: Enabled. DHCP_AllowGlobalBcast: allow the DHCP server to assign 255.255...

  • Page 326: 13.11. DHCPRelay Settings

    13.11. DHCPRelay settings. DHCPRelay_MaxTransactions: maximum number of transactions at the same time. Default: 32. DHCPRelay_TransactionTimeout: for how long a DHCP transaction can take place. Default: 10 seconds. DHCPRelay_MaxPPMPerIface: how many DHCP packets a client can send through NetDefendOS to...

  • Page 327: 13.12. DH CPServer Settings

    13.12. DHCPServer settings. DHCPServer_SaveLeasePolicy: what policy should be used to save the lease database to the disk; possible settings are Disabled, ReconfShut, or ReconfShutTimer. Default: ReconfShut. DHCPServer_AutoSaveLeaseInterval: how often should the leases database be saved to disk if DHCPS...

  • Page 328: 13.13. IPsec Settings

    13.13. IPsec settings. IKESendInitialContact: determines whether or not IKE should send the "initial contact" notification message. This message is sent to each remote gateway when a connection is opened to it and there are no previous IPsec SAs using that gateway. Default: Enabled. IKESendCRLs: dictates...

  • Page 329

    IPsecDeleteSAOnIPValidationFailure: controls what happens to the SAs if IP validation in config mode fails. If enabled, the security associations (SAs) are deleted on failure. Default: Disabled.

  • Page 330: 13.14. Logging Settings

    13.14. Logging settings. LogSendPerSecLimit: this setting limits how many log packets NetDefendOS may send out per second. This value should never be set too low, as this may result in important events not being logged, nor should it be set too high. One situation where setting too high a value may ca...
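    Both ICMPSendPerSecLimit (section 13.3) and LogSendPerSecLimit above are per-second budgets, and the warning in the text is that a budget set too low silently loses important events. The following Python, an added example rather than NetDefendOS code, implements such a fixed-window limiter and, as one way to keep the loss visible, reports how many messages were suppressed once the next window has room. The class name, the event strings and the constructed scan burst are this example's assumptions.

```python
class PerSecondLimiter:
    """Fixed one-second window: at most `limit` messages per wall-clock second. Excess is
    dropped and counted, and the count is reported in the next window that has room, so a
    burst that hit the limit does not vanish without trace."""

    def __init__(self, limit):
        self.limit = limit
        self.window = None          # integer second currently being accounted
        self.used = 0               # messages sent in this window
        self.dropped_window = 0     # messages dropped in this window
        self.dropped_total = 0
        self.pending_summary = 0    # drops from earlier windows not yet reported

    def _roll(self, now):
        second = int(now)
        if second != self.window:
            self.pending_summary += self.dropped_window
            self.window, self.used, self.dropped_window = second, 0, 0

    def allow(self, now):
        """True if one message may go out at time `now` (seconds); False means it was dropped."""
        self._roll(now)
        if self.used < self.limit:
            self.used += 1
            return True
        self.dropped_window += 1
        self.dropped_total += 1
        return False

    def take_summary(self, now):
        """Number of messages lost in earlier windows, if a slot is free to report it now."""
        self._roll(now)
        if self.pending_summary and self.used < self.limit:
            lost, self.pending_summary = self.pending_summary, 0
            self.used += 1
            return lost
        return 0


def emit(limiter, events):
    """Push (time, text) events through the limiter; return the lines that actually go out."""
    out = []
    for t, text in events:
        lost = limiter.take_summary(t)
        if lost:
            out.append((t, "%d messages suppressed by rate limit" % lost))
        if limiter.allow(t):
            out.append((t, text))
    return out


# Constructed input: a port scan provokes 30 TCP RST rejects within 300 ms, then it is quiet.
SCAN_BURST = [(0.01 * i, "reject tcp 203.0.113.7:%d" % (1000 + i)) for i in range(30)]
QUIET = [(1.0, "ping reply to 192.0.2.9"), (1.5, "unreachable to 192.0.2.9")]


def demo(limit=10):
    """Run the constructed stream through a limiter of the given size."""
    return emit(PerSecondLimiter(limit), SCAN_BURST + QUIET)
```

    With a limit of 10 the scan gets ten rejects and the remaining twenty are dropped; the first event of the next second is preceded by a single line saying so, which is the trace a reviewer needs when reading the logs later.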

  • Page 331: TimeSync_SyncInterval

    13.15. Time synchronization settings. TimeSync_SyncInterval: seconds between each resynchronization. Default: 86400. TimeSync_MaxAdjust: maximum time drift that a server is allowed to adjust. Default: 3600. TimeSync_ServerType: type of server for time synchronization, UDPTime or SNTP (Simple Network Time ...

  • Page 332: Timesync_Dststartdate

    DST offset in minutes. Default: 0. TimeSync_DSTStartDate: what month and day DST starts, in the format mm-dd. Default: none. TimeSync_DSTEndDate: what month and day DST ends, in the format mm-dd. Default: none.

  • Page 333: 13.16. PPP Settings

    13.16. PPP settings. PPP_L2TPBeforeRules: pass L2TP traffic sent to the D-Link firewall directly to the L2TP server without consulting the rule set. Default: Enabled. PPP_PPTPBeforeRules: pass PPTP traffic sent to the D-Link firewall directly to the PPTP server without consulting the rule set. Default: ...

  • Page 334: HWM_PollInterval

    13.17. Hardware monitor settings. HWM_PollInterval: polling interval for the hardware monitor, which is the delay in milliseconds between readings of hardware monitor values. Minimum 100, maximum 10000. Default: 500 ms. HWMMem_Interval: memory polling interval, which is the delay in minutes between readings of...

  • Page 335: Reassembly_MaxConnections

    13.18. Packet re-assembly settings. Packet re-assembly collects IP fragments into complete IP datagrams and, for TCP, reorders segments so that they are processed in the correct order and also to keep track of potential segment overlaps and to inform other subsystems of such overlaps. The associated ...

  • Page 336: BufFloodRebootTime

    13.19. Miscellaneous settings. BufFloodRebootTime: as a final way out, NetDefendOS automatically reboots if its buffers have been flooded for a long time. This setting specifies this amount of time. Default: 3600. MaxPipeUsers: the maximum number of pipe users to allocate. As pipe users are only tracked...

  • Page 337

    MaxPipeUsers.

  • Page 338: Updates

    Appendix A. Subscribing to security updates. Introduction. The NetDefendOS Anti-Virus (AV) module, the Intrusion Detection and Prevention (IDP) module and the dynamic web content filtering module all function using external D-Link databases which contain details of the latest viruses, security threats...

  • Page 339

    Querying update status. To get the status of IDP updates use the command:
      gw-world:/> updatecenter -status idp
    To get the status of AV updates:
      gw-world:/> updatecenter -status antivirus
    Querying server status. To get the status of the D-Link network servers use the command:
      gw-world:/> updatecenter -...

  • Page 340

    Appendix B. IDP signature groups. For IDP scanning, the following signature groups are available for selection. These groups are available only for the D-Link Advanced IDP service. There is a version of each group under the three types of IDS, IPS and Policy. For further information see section 6.5, ...

  • Page 341

    Group name               Intrusion type
    ftp_formatstring         format string attack
    ftp_general              FTP protocol and implementation
    ftp_login                login attacks
    ftp_overflow             FTP buffer overflow
    game_bomberclone         BomberClone game
    game_general             generic game servers/clients
    game_unreal              Unreal game server
    http_apache              Apache httpd htt...

  • Page 342

    Group name               Intrusion type
    pop3_dos                 denial of service for POP
    pop3_general             Post Office Protocol v3
    pop3_login-attacks       password guessing and related login attack
    pop3_overflow            POP3 server overflow
    pop3_request-errors      request error
    portmapper_general       portmapper
    print_general            LP printing server: lpr lpd...

  • Page 343

    Group name               Intrusion type
    tftp_operation           operation attack
    tftp_overflow            TFTP buffer overflow attack
    tftp_reply               TFTP reply attack
    tftp_request             TFTP request attack
    trojan_general           trojan
    udp_general              general UDP
    udp_popup                pop-up window for MS Windows
    upnp_general             UPnP
    version_cvs              CVS
    version_svn              Subvers...

  • Page 344

    Appendix C. Checked MIME filetypes. The HTTP Application Layer Gateway has the ability to verify that the contents of a file downloaded via the HTTP protocol are of the type that the file extension in its filename indicates. This appendix lists the MIME filetypes that can be checked by NetDefendOS to make sure...

  • Page 345

    Filetype extension       Application
    elc                      Emacs Lisp byte-compiled source code
    emd                      ABT EMD module/song format file
    esp                      ESP archive data
    exe                      Windows executable
    fgf                      Free Graphics Format file
    flac                     Free Lossless Audio Codec file
    flc                      FLIC animated picture
    fli                      FLIC animation
    flv                      Macromedia Flash video
    gdbm                     datab...

  • Page 346

    Filetype extension       Application
    pac                      CrossePAC archive data
    pbf                      Portable Bitmap Format image
    pbm                      portable bitmap graphic
    pdf                      Acrobat Portable Document Format
    pe                       Portable Executable file
    pfb                      PostScript Type 1 font
    pgm                      portable graymap graphic
    pkg                      SysV R4 PKG datastreams
    pll                      PAKLeo archive data
    pma                      PMar...

  • Page 347

    Filetype extension       Application
    wk                       Lotus 1-2-3 document
    wmv                      Windows Media file
    wrl, vrml                plain text VRML file
    xcf                      GIMP image file
    xm                       Fast Tracker 2 extended module, audio file
    xml                      XML file
    xmcd                     xmcd database file for kscd
    xpm                      BMC Software Patrol UNIX icon file
    yc                       YAC compressed archive
    zif                      ZIF image...

  • Page 348

    Appendix D. The OSI framework. The Open Systems Interconnection model defines a framework for intercomputer communications. It categorizes different protocols for a great variety of network applications into seven smaller, more manageable layers. The model describes how data from an application in on...

  • Page 349

    Appendix E. D-Link worldwide offices. Below is a complete list of D-Link worldwide sales offices. Please check your own country area's local website for further details regarding support of D-Link products as well as contact details for local support. Australia: 1 Giffnock Avenue, North Ryde, NSW 2113...

  • Page 350

    Fax: +972-9-9715601. Website: www.Dlink.Co.Il. Italy: Via Nino Bonnet n. 6/b, 20154 – Milano, Italy. Tel: 39-02-2900-0676, fax: 39-02-2900-1723. Website: www.Dlink.It. Latin America: Isidora Goyeechea 2934, Oficina 702, Las Condes, Santiago – Chile. Tel: 56-2-232-3185, fax: 56-2-232-0923. Website: www.Dli...

  • Page 351: Alphabetical Index

    Alphabetical index. A: access rules, 135; accounting, 39; interim messages, 41; limitations with NAT, 42; messages, 39; system shutdowns, 42; address book, 48; Ethernet addresses in, 50; IP addresses in, 48; address groups, 51; address translation, 204; administration accounts, 23; ALG (see application layer gate...

  • Page 352

    DHCP_UseLinkLocalIP setting, 325; DHCP_ValidateBcast setting, 325; DHCPRelay_AutoSaveRelayInterval setting, 326; DHCPRelay_MaxAutoRoutes setting, 326; DHCPRelay_MaxHops setting, 326; DHCPRelay_MaxLeaseTime setting, 326; DHCPRelay_MaxPPMPerIface setting, 326; DHCPRelay_MaxTransactions setting, 326; DHCPRelay...

  • Page 353

    L: L2TP, 261; quickstart guide, 234; LAN to LAN tunnels, 253; LayerSizeConsistency setting, 305; LDAP servers, 259; link state algorithm, 103; LocalReass_MaxConcurrent setting, 324; LocalReass_MaxSize setting, 324; LocalReass_NumLarge setting, 324; LogChecksumErrors setting, 304; LogConnections setting, 314; lo...

  • Page 354

    TCP and UDP, 53; SilentlyDropStateICMPErrors setting, 311; Simple Network Management Protocol (see SNMP); SIP ALG, 152; SMTP ALG, 146; header verification, 149; SNMP: community string, 43; MIB, 43; monitoring, 43; traps, 37; with IP rules, 43; source based routing; spam (see content filtering); spam filtering, 1...

  • Page 355

    X.509 certificates, 79; identification lists, 251; with IPsec, 234. Z: ZoneDefense IDP, 194; zone defense, 298; switches, 299.