D-Link DFL-200 - Security Appliance User Manual - System

Manual is about: Network Security Firewall

Summary of DFL-200 - Security Appliance

  • Page 1

    D-Link DFL-200™ Network Security Firewall Manual. Building Networks for People (10/28/2004).

  • Page 2: Contents

    Contents: Introduction 6; Features and Benefits 6; Introduction to Firewalls ...

  • Page 3

    Firewall 25; Policy 25; Policy Modes ...

  • Page 4

    IKE Proposal List 47; IPsec Proposal List 47; Certificates ...

  • Page 5

    Usage Events 68; Drop Events 68; Conn Events ...

  • Page 6: Introduction

    Introduction. The DFL-200 provides six 10/100 Mbps auto MDI/MDIX Ethernet network interface ports, which are (4) internal/LAN, (1) external/WAN, and (1) DMZ port. In addition the DFL-200 also provides a user-friendly web UI that allows users to set system parameters or monitor network activities usi...

  • Page 7

    Introduction to Local Area Networking. Local area networking (LAN) is the term used when connecting several computers together over a small area such as a building or group of buildings. LANs can be connected over large areas. A collection of LANs connected over a large area is called a wide area net...

  • Page 8

    LEDs. Power: a solid light indicates a proper connection to the power supply. Status: a system status indicator that flashes occasionally to indicate a functional, active system. Solid illumination of the Status LED indicates a hardware/software critical failure. WAN, 4 x LAN, & DMZ: bright green ill...

  • Page 9

    Package Contents. Contents of package: • D-Link DFL-200 Firewall • Manual and CD • Quick Installation Guide • 5V/3A AC power adapter • straight-through CAT-5 cable. Note: using a power supply with a different voltage rating than the one included with the DFL-200 will cause irreparable electrical damag...

  • Page 10: Managing D-Link Dfl-200

    Managing D-Link DFL-200. When a change is made to the configuration, a new icon named Activate Changes will appear. When all changes made by the administrator are complete, those changes need to be saved and activated to take effect by clicking on the Activate Changes button on the Activate Configura...

  • Page 11: Administration Settings

    Administration Settings. Administrative Access. Management UI ports – the ports for the DFL-200’s web server management UI (HTTP and HTTPS) can be customized if so desired. These values must change if user authentication is enabled (user authentication uses 80 and 443 to accomplish user login). Ping –...

  • Page 12

    Add Ping Access to an Interface. To add ping access, click on the interface you would like to add it to. Follow these steps to add ping access to an interface. Step 1. Click on the interface you would like to add it to. Step 2. Enable the Ping checkbox. Step 3. Specify which network addresses should b...

  • Page 13

    Add Read-Only Access to an Interface. To add read-only access, click on the interface you would like to add it to. Note that if you only have read-only access enabled on an interface, all users will only have read-only access, even if they are administrators. Follow these steps to add read-only acces...

  • Page 14: System

    System. Interfaces: click on System in the menu bar, and then click Interfaces below it. Change IP of the LAN or DMZ Interface. Follow these steps to change the IP of the LAN or DMZ interface. Step 1. Choose which interface to view or change under the Available Interfaces list. Step 2. Fill in the IP a...

  • Page 15

    WAN Interface Settings – Using Static IP. If you are using static IP, you have to fill in the IP address information provided to you by your ISP. All fields are required except the secondary DNS server. Note: do not use the numbers displayed in these fields, they are only used as an example. • IP ad...

  • Page 16

    WAN Interface Settings – Using PPPoE. Use the following procedure to configure the DFL-200 external interface to use PPPoE (Point-to-Point Protocol over Ethernet). This configuration is required if your ISP uses PPPoE to assign the IP address of the external interface. You will have to fill in the us...

  • Page 17

    WAN Interface Settings – Using PPTP. PPTP over Ethernet connections are used in some DSL and cable modem networks. You need to enter your account details, and possibly also IP configuration parameters of the actual physical interface that the PPTP tunnel runs over. Your ISP should supply this informa...

  • Page 18

    WAN Interface Settings – Using BigPond. The ISP Telstra BigPond uses BigPond for authentication; the IP is assigned with DHCP. • Username – the login or username supplied to you by your ISP. • Password – the password supplied to you by your ISP. MTU Configuration. To improve the performance of your...

  • Page 19

    Routing. Click on System in the menu bar, and then click Routing below it; this will provide a list of all configured routes, and it will look something like this: the Routes configuration section describes the firewall’s routing table. The DFL-200 uses a slightly different method of describing route...

  • Page 20

    Add a New Static Route. Follow these steps to add a new route. Step 1. Go to System and Routing. Step 2. Click on Add New at the bottom of the routing table. Step 3. Choose the interface that the route should be sent through from the dropdown menu. Step 4. Specify the network and subnet mask. Step...

  • Page 21

    Logging. Click on System in the menu bar, and then click Logging below it. Logging, the ability to audit decisions made by the firewall, is a vital part of all network security products. The D-Link DFL-200 provides several options for logging activity. The D-Link DFL-200 logs activity by sending the...

  • Page 22

    Enable Logging. Follow these steps to enable logging. Step 1. Enable syslog by checking the Syslog box. Step 2. Fill in your first syslog server as Syslog Server 1. If you have two syslog servers, you have to fill in the second one as Syslog Server 2. You must fill in at least one syslog server f...

  • Page 23

    Time. Click on System in the menu bar, and then click Time below it. This will give you the option to either set the system time by syncing to an Internet network time server (NTP) or by entering the system time manually.

  • Page 24

    Changing Time Zone. Follow these steps to change the time zone. Step 1. Choose the correct time zone in the drop-down menu. Step 2. Specify the dates to begin and end daylight saving time, or choose No Daylight Saving Time by checking the correct box. Click the Apply button below to apply the setti...

  • Page 25: Firewall

    Firewall. Policy: the Firewall Policy configuration section is the "heart" of the firewall. The policies are the primary filter that is configured to allow or disallow certain types of network traffic through the firewall. The policies also regulate how bandwidth management, traffic shaping, is applie...

  • Page 26

    Source Users/Groups – specifies if an authenticated username is needed for this policy to match. Simply make a list of usernames separated by commas (,), specify an entire user group, or write Any to indicate all authenticated users to enable authentication on this policy. If it is left blank the...

  • Page 27

    Enabled and configured. D-Link updates the attack database periodically. There are two modes that can be configured, either Inspection Only or Prevention. Inspection Only will only inspect the traffic, and if the DFL-200 detects anything it will log, e-mail an alert (if configured), and pass on the...

  • Page 28

    Add a New Policy. Follow these steps to add a new outgoing policy. Step 1. Choose the LAN->WAN policy list from the available policy lists. Step 2. Click on the Add New link. Step 3. Fill in the following values: Name: specifies a symbolic name for the rule. This name is used mainly as a rule refe...

  • Page 29

    Change Order of Policy. Follow these steps to change the order of a policy. Step 1. Choose the policy list for which you would like to change the order from the available policy lists. Step 2. Click on the Edit link corresponding to the rule you want to move. Step 3. Change the number in the Position...

  • Page 30

    Configure Intrusion Prevention. Follow these steps to configure IDP on a policy. Step 1. Choose the policy you would like to have IDP on. Step 2. Click on the Edit link corresponding to the rule you want to configure. Step 3. Enable the Intrusion Detection / Prevention checkbox. Step 4. Choose Preven...

  • Page 31

    Port Mapping / Virtual Servers. The Port Mapping / Virtual Servers configuration section is where you can configure virtual servers like web servers on the DMZ or similar servers. It is also possible to regulate how bandwidth management, traffic shaping, is applied to traffic flowing through the WAN ...

  • Page 32

    Delete Mapping. Follow these steps to delete a mapping. Step 1. Choose the mapping list (WAN, LAN, or DMZ) you would like to delete the mapping from. Step 2. Click on the Edit link corresponding to the rule you want to delete. Step 3. Enable the Delete Mapping checkbox. Click the Apply button belo...

  • Page 33

    Administrative Users. Click on Firewall in the menu bar, and then click Users below it. This will display all the users. The first section links to the administrative user. The password for the admin account may be changed at any time; however, the username admin cannot. Change Administrative User Pas...

  • Page 34

    Users. User authentication allows an administrator to grant or reject access to specific users from specific IP addresses, based on their user credentials. Before any traffic is allowed to pass through any policies configured with usernames or groups, the user must first authenticate him/herself. ...

  • Page 35

    Enable User Authentication via HTTP / HTTPS. Follow these steps to enable user authentication. Step 1. Enable the checkbox for User Authentication. Step 2. Specify if HTTP and HTTPS or only HTTPS should be used for the login. Step 3. Specify the idle-timeout, the time a user can be idle before being ...

  • Page 36

    Add User. Follow these steps to add a new user. Step 1. Click on Add corresponding to the type of user you would like to add, admin or read-only. Step 2. Fill in User Name; make sure you are not trying to add one that already exists. Step 3. Specify which groups the user should be a member of. Step ...

  • Page 37

    Delete User. To delete a user, click on the user name and you will see the following screen. Follow these steps to delete a user. Step 1. Click on the user you would like to delete. Step 2. Enable the Delete User checkbox. Click the Apply button below to apply the settings or click Cancel to discard c...

  • Page 38

    Schedules. It is possible to configure a schedule for policies to take effect. By creating a schedule, the DFL-200 allows the firewall policies to be used only at those designated times. Any activities outside of the scheduled time slot will not follow the policies and therefore will not likely be p...

  • Page 39

    Add New One-Time Schedule. Follow these steps to create and add a new one-time schedule. Step 1. Go to Firewall and Schedules and choose Add New. Step 2. Choose the starting and ending date and hour when the schedule should be active. Step 3. Use the checkboxes to set the times this schedule should b...

  • Page 40

    Services. A service is basically a definition of a specific IP protocol with corresponding parameters. The service HTTP, for instance, is defined as using the TCP protocol with destination port 80. Services are simplistic, in that they cannot carry out any action in the firewall on their own. Thus...

  • Page 41

    Adding IP Protocol. When the type of the service is IP protocol, an IP protocol number may be specified in the text field. To have the service match the GRE protocol, for example, the IP protocol should be specified as 47. A list of some defined IP protocols can be found in the appendix named “IP Pro...

  • Page 42

    Protocol-Independent Settings. Allow ICMP errors from the destination to the source – ICMP error messages are sent in several situations: for example, when an IP packet cannot reach its destination. The purpose of these error control messages is to provide feedback about problems in the communicat...

  • Page 43

    VPN. This chapter introduces IPsec, the method, or rather set of methods, used to provide VPN functionality. IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering Task Force, to provide IP security at the network layer. An IPsec-based VPN, such as DFL-200 V...

  • Page 44

    IPsec VPN between Two Networks. In the following example users on the main office internal network can connect to the branch office internal network and vice versa. Communication between the two networks takes place in an encrypted VPN tunnel that connects the two DFL-200 Network Security Firewalls a...

  • Page 45

    IPsec VPN between Client and an Internal Network. In the following example users can connect to the main office internal network from anywhere on the Internet. Communication between the client and the internal network takes place in an encrypted VPN tunnel that connects the DFL-200 and the roaming us...

  • Page 46

    VPN – Advanced Settings. Advanced settings for a VPN tunnel are used when the user needs to change some characteristics of the tunnel to, for example, try to connect to a third-party VPN gateway. The different settings per tunnel are: Limit MTU. With this setting it is possible to limit the MTU (max...

  • Page 47

    Proposal Lists. To agree on the VPN connection parameters, a negotiation process is performed. As the result of the negotiations, the IKE and IPsec security associations (SA) are established. As the name implies, a proposal is the starting point for the negotiation. A proposal defines encryption para...

  • Page 48

    Certificates. A certificate is a digital proof of identity. It links an identity to a public key in a trustworthy manner. Certificates can be used to authenticate individual users or other entities. These types of certificates are commonly called end-entity certificates. Before a VPN tunnel with c...

  • Page 49

    Certificate Authorities. This is a list of all CA certificates. To add a new certificate authority certificate, click Add New. The following pages will allow you to specify a name for the CA certificate and upload the certificate file. This certificate can be selected in the Certificates field on the...

  • Page 50

    Content Filtering. DFL-200 HTTP content filtering can be configured to scan all HTTP content protocol streams for URLs or for potentially dangerous web page content. If a match is found between the requested URL and the URL blacklist, the DFL-200 will block the web page. You can configure the URL blac...

  • Page 51

    Edit the URL Global Blacklist. Follow these steps to add or remove a URL. Step 1. Navigate to Firewall / Content Filtering and choose Edit Global URL Blacklist. Step 2. Add or edit a URL that should be filtered and blocked. File extensions may also be defined to block download of specified file types...

  • Page 52

    Active Content Handling. Active content handling can be enabled or disabled by checking the checkbox before each type you would like to strip. For example, to strip ActiveX and Flash, enable the checkbox named Strip ActiveX Objects. It is possible to strip ActiveX, Flash, Java, JavaScript, and VBSc...

  • Page 53: Servers

    Servers. DHCP Server Settings. The DFL-200 contains a DHCP server. DHCP (Dynamic Host Configuration Protocol) is a protocol that allows network administrators to automatically assign IP numbers to DHCP-enabled computers on a network. The DFL-200 DHCP server helps to minimize the work necessary to admi...

  • Page 54

    Enable DHCP Server. To enable the DHCP server on an interface, click on Servers in the menu bar, and then click DHCP Server below it. Follow these steps to enable the DHCP server on the LAN interface. Step 1. Choose the LAN interface from the Available Interfaces list. Step 2. Enable by checking t...

  • Page 55

    DNS Relayer Settings. Click on Servers in the menu bar, and then click DNS Relay below it. The DFL-200 contains a DNS relayer that can be configured to relay DNS queries from the internal LAN to the DNS servers used by the firewall itself. Enable DNS Relayer. Follow these steps to enable the DNS relay...

  • Page 56

    Disable DNS Relayer. Follow these steps to disable the DNS relayer. Step 1. Disable by un-checking the Enable DNS Relayer box. Click the Apply button below to apply the settings or click Cancel to discard changes.

  • Page 57: Tools

    Tools. Ping: click on Tools in the menu bar, and then click Ping below it. This tool is used to send a specified number of ICMP echo request packets to a given destination. All packets are sent in immediate succession rather than one per second. This method is the best suited for diagnosing connectivi...

  • Page 58

    Dynamic DNS. The Dynamic DNS (requires Dynamic DNS service) allows you to alias a dynamic IP address to a static hostname, allowing your device to be more easily accessed by a specific name. When this function is enabled, the IP address in the Dynamic DNS server will be automatically updated with the ...

  • Page 59

    Backup. Click on Tools in the menu bar, and then click Backup below it. Here an administrator can back up and restore the configuration. The configuration file stores system settings, IP addresses of the firewall’s network interfaces, address table, service table, IPsec settings, port mapping, and pol...

  • Page 60

    Restart/Reset. Restarting the DFL-200. Follow these steps to restart the DFL-200. Step 1. Choose if you want to do a quick or full restart. Step 2. Click Restart Unit and the unit will restart. Restoring System Settings to Factory Defaults. Use the following procedure to restore system settings to the f...

  • Page 61

    The factory reset procedure erases all configuration changes that have been made to the DFL-200 and will revert the system to its original configuration, including resetting interface addresses. Follow these steps to reset the DFL-200 to factory default settings through the web-based configuration: ...

  • Page 62

    Upgrade. The DFL-200’s software, IDS signatures, and system parameters are all stored on a flash memory card. The flash memory card is re-writable and re-readable. Upgrade Firmware. To upgrade the firmware of the DFL-200, obtain the latest version from support.dlink.com (US). Make sure the firmware...

  • Page 63: Status

    Status. In this section, the DFL-200 displays the status information about the firewall. The administrator may use Status to check the system status, interface statistics, VPN, connections, and DHCP servers. System: click on Status in the menu bar, and then click System below it. A window will appear prov...

  • Page 64

    Interfaces. Click on Status in the menu bar, and then click Interfaces below it. A window will appear providing information about the interfaces on the DFL-200. By default, information about the LAN interface will be displayed. To see another one, click on that interface (WAN or DMZ). Interface – n...

  • Page 65

    VPN. Click on Status in the menu bar, and then click Interfaces below it. A window will appear providing information about the VPN connections on the DFL-200. By default information about the first VPN tunnel will be displayed. To see another one, click on that VPN tunnel’s name. The two graphs displa...

  • Page 66

    Connections. Click on Status in the menu bar, and then click Connections below it. A window will appear providing information about the content of the state table. The state table shows the last 100 connections opened through the firewall. Connections are created when traffic is permitted to pass via...

  • Page 67

    DHCP Server. Click on Status in the menu bar, and then click DHCP Server below it. A window will appear providing information about the configured DHCP servers. By default, information about the LAN interface will be displayed. To see another one, click on that interface. Interface – name of the inte...

  • Page 68: How to Read The Logs

    How to Read the Logs. Although the exact format of each log entry depends on how your syslog recipient works, most are very similar. The way in which logs are read is also dependent on how your syslog recipient works. Syslog daemons on Unix servers usually log to text files, line by line. Most sys...

  • Page 69

    Open example: oct 20 2003 09:47:56 gateway efw: conn: prio=1 rule=rule_8 conn=open connipproto=tcp connrecvif=lan connsrcip=192.168.0.10 connsrcport=3179 conndestif=wan conndestip=64.7.210.132 conndestport=80. In this line, traffic from 192.168.0.10 on the LAN interface is connecting to 64.7.210.132 ...

  • Page 70: Appendixes

    Appendixes. Appendix A: ICMP Types and Codes. The Internet Control Message Protocol (ICMP) has many messages that are identified by a “type” field; many of these ICMP types have a "code" field. Here we list the types with their assigned code fields. Columns: Type, Name, Code, Description, Reference. 0 Echo Reply...

  • Page 71

    (table continued) network (or subnet); 1 Redirect datagram for the host, RFC792; 2 Redirect datagram for the type of service and network, RFC792; 3 Redirect datagram for the type of service and host, RFC792; 8 Echo, 0 No code, RFC792; 9 Router Advertisement, 0 Normal router advertisement, RFC1256; 16 Does not route common traffic...

  • Page 72

    Appendix B: Common IP Protocol Numbers. These are some of the more common IP protocols. For a list of all protocols, follow the link after the table. Columns: Decimal, Keyword, Description, Reference. 1 ICMP, Internet Control Message, RFC792; 2 IGMP, Internet Group Management, RFC1112; 3 GGP, Gateway-to-Gateway, RFC82...

  • Page 73

    Appendix C: Multiple Public IP Addresses. Mapping of a public IP address other than that of the firewall to a server located on either internal interface can be accomplished in two basic steps (order does not matter): add a port mapping/virtual server rule that forwards specified services to a single...

  • Page 74

    To accomplish this we need to create the following firewall settings: - configure two static routes (one for each public IP we wish to forward) - create two port mappings (one for each public IP mapping to each private server). Routing configuration: static route configuration for a server on the LAN...

  • Page 75

    Static route configuration for a server on the DMZ: navigate to the System tab, then the Routing page of the web-based configuration. Select the Add New link to create the second static route. Select the interface that the internal server is connected to (LAN or DMZ). Specify the public IP to be for...

  • Page 76

    Configure port mapping/virtual server rules for LAN server: virtual server configuration for a server on the LAN: navigate to the Firewall tab, Port Mapping page of the web-based configuration. Click the Add New link to create a new port mapping. Input the public IP address to be forwarded in the de...

  • Page 77

    Configure port mapping/virtual server rules for DMZ server: virtual server configuration for a server on the DMZ: navigate to the Firewall tab, Port Mapping page of the web-based configuration. Click the Add New link to create a new port mapping. Input the public IP address to be forwarded in the de...

  • Page 78

    Example scenario using DMZ without NAT: an alternative method to that described in the preceding pages is to isolate publicly accessible servers to the DMZ interface with NAT disabled. This configuration requires multiple (at least 2) public IP addresses to function, as the firewall will assume one IP...

  • Page 79

    Modify existing WAN route: the default WAN route must be modified to enable Proxy ARP. The default route for any interface cannot be deleted or modified other than to enable the Proxy ARP feature. From the System > Routing page select WAN to edit the default route of the WAN interface. Enable the p...

  • Page 80

    Disable NAT on the DMZ interface: by default the DFL-200 is enabled to perform NAT on both LAN and DMZ interfaces. Disable NAT on the DMZ interface. Navigate to Firewall > Policy in the web-based configuration. Click on DMZ->WAN to modify the behavior of the DMZ interface. Select the No NAT – requir...

  • Page 81

    Appendix D: HTTP Content Filtering. HTTP content filtering global policy: protection from malicious or improper web content is a must for business owners and concerned parents alike. There are numerous vehicles for hackers to damage or take control of one’s PC or even network. Malicious code may be de...

  • Page 82

    The Whitelist. Items entered in the whitelist will always be allowed through the firewall, assuming HTTP content filtering is enabled. This section should only be used to allow essential domains and servers, such as microsoft.com and dlink.com, to ensure the ability to locate and download critical upd...

  • Page 83

    The Blacklist. Blacklist configuration is not limited to domain names. File extensions may be specified to block the download of said file types. Be sure to evaluate the type of files that may be traversing the firewall out of necessity on a regular basis to ensure no loss in productivity due to inva...

  • Page 84

    Additional Content Filters. The firewall can also filter Java applets, Java/VB script, ActiveX objects, and/or cookies from reaching the PCs behind the NetDefend firewall. These content categories do not require configuration other than enable or disable. Navigate to the Firewall tab, Content Filteri...

  • Page 85

    To disable the default general Allow All rule - navigate to the Firewall tab, Policy section of the web administration. Select the appropriate policy based on desired effect (LAN->WAN or DMZ->WAN). Click Edit next to the default Allow All rule. Check the check box next to Delete This Rule. Click ...

  • Page 86

    To configure the HTTP content filtering rule - navigate to the Firewall tab, Policy section of the web administration. Select the appropriate policy based on desired effect (LAN->WAN or DMZ->WAN). Click Add New at the bottom of the list. Give the rule a friendly name, such as http_cntnt_filtr. Po...

  • Page 87: Warranty

    Warranty. Subject to the terms and conditions set forth herein, D-Link Systems, Inc. (“D-Link”) provides this Limited Warranty for its product only to the person or entity that originally purchased the product from: D-Link or its authorized reseller or distributor and products purchased and delivered...

  • Page 88

    Submitting a Claim: the customer shall return the product to the original purchase point based on its return policy. In case the return policy period has expired and the product is within warranty, the customer shall submit a claim to D-Link as outlined below: the customer must submit with the p...

  • Page 89

    Limitation of Liability: to the maximum extent permitted by law, D-Link is not liable under any contract, negligence, strict liability or other legal or equitable theory for any loss of use of the product, inconvenience or damages of any character, whether direct, special, incidental or consequentia...