D-Link DFL-2500 [319/355] Logoversizedpackets
MaxSKIPLen
Specifies the maximum size of a SKIP packet.
Default: 2000 bytes
MaxOSPFLen
Specifies the maximum size of an OSPF packet. OSPF is a routing protocol mainly used in larger LANs.
Default: 1480 bytes
MaxIPIPLen
Specifies the maximum size of an IP-in-IP packet. IP-in-IP is used by Checkpoint Firewall-1 VPN connections when IPsec is not used. This value should be set to the size of the largest packet allowed to pass through the VPN connections, regardless of its original protocol, plus approx. 50 bytes.
Default: 2000 bytes
MaxIPCompLen
Specifies the maximum size of an IPComp packet.
Default: 2000 bytes
MaxL2TPLen
Specifies the maximum size of a Layer 2 Tunneling Protocol packet.
Default: 2000 bytes
MaxOtherSubIPLen
Specifies the maximum size of packets belonging to protocols that are not specified above.
Default: 1480 bytes
LogOversizedPackets
Specifies whether NetDefendOS logs oversized packets.
Default: Enabled
MaxOSPFLen Chapter 13. Advanced Settings
319
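As an added example, not code from the D-Link manual or NetDefendOS, the following Python checker parses an IPv4 header, selects the Max*Len setting that governs the packet's protocol and returns the allow/drop decision the settings above describe, with the log flag following LogOversizedPackets. The protocol-number mapping, the use of the IPv4 total length as the "packet size", the fallback of every unlisted protocol to MaxOtherSubIPLen, and the sample packets are my assumptions, not documented NetDefendOS behaviour.

```python
import struct

# Defaults for the sub-IP packet size settings listed on this page (bytes).
DEFAULT_LIMITS = {
    "MaxSKIPLen": 2000,
    "MaxOSPFLen": 1480,
    "MaxIPIPLen": 2000,
    "MaxIPCompLen": 2000,
    "MaxL2TPLen": 2000,
    "MaxOtherSubIPLen": 1480,
}

# Assumed mapping from IANA IP protocol numbers to the setting that governs them.
# The page names the protocols only; the numbers are the IANA assignments and
# were not taken from the manual.
PROTO_TO_SETTING = {
    4: "MaxIPIPLen",      # IP-in-IP encapsulation
    57: "MaxSKIPLen",     # SKIP
    89: "MaxOSPFLen",     # OSPF
    108: "MaxIPCompLen",  # IPComp
    115: "MaxL2TPLen",    # L2TP carried directly over IP
}

IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header


def parse_ipv4_header(packet: bytes):
    """Return (protocol, total_length) from a raw IPv4 packet, rejecting malformed headers."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    # A header length below 20, a total length shorter than the header, or a
    # total length beyond the bytes actually received is malformed; a length
    # checker must not trust those fields blindly.
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("inconsistent IPv4 length fields")
    return proto, total_len


def check_sub_ip_packet(packet: bytes, limits=DEFAULT_LIMITS, log_oversized=True):
    """Apply the Max*Len limit for the packet's protocol.

    Assumes "packet size" means the IPv4 total length (header included); the
    manual does not state how NetDefendOS measures it.
    """
    proto, total_len = parse_ipv4_header(packet)
    setting = PROTO_TO_SETTING.get(proto, "MaxOtherSubIPLen")
    limit = limits[setting]
    record = {"protocol": proto, "length": total_len, "setting": setting, "limit": limit}
    if total_len <= limit:
        record.update(action="allow", logged=False)
    else:
        # Oversized: dropped, and logged only while LogOversizedPackets is enabled.
        record.update(action="drop", logged=log_oversized)
    return record


def recommended_max_ipip_len(largest_vpn_packet: int) -> int:
    """Page guidance for MaxIPIPLen: largest packet through the VPN plus approx. 50 bytes."""
    return largest_vpn_packet + 50


def build_ipv4(proto: int, payload_len: int) -> bytes:
    """Constructed test packet: minimal IPv4 header, zero payload, RFC 5737 addresses."""
    total_len = 20 + payload_len
    header = struct.pack(IPV4_HDR, 0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + bytes(payload_len)


def summarize(packets, **kwargs):
    """Run the check over a batch and count allow/drop/logged outcomes."""
    counts = {"allow": 0, "drop": 0, "logged": 0}
    for pkt in packets:
        rec = check_sub_ip_packet(pkt, **kwargs)
        counts[rec["action"]] += 1
        counts["logged"] += int(rec["logged"])
    return counts


if __name__ == "__main__":
    samples = [
        build_ipv4(89, 1460),   # OSPF, total 1480: exactly at MaxOSPFLen
        build_ipv4(89, 1461),   # OSPF, total 1481: oversized
        build_ipv4(4, 1981),    # IP-in-IP, total 2001: oversized
        build_ipv4(253, 1500),  # experimental protocol: falls under MaxOtherSubIPLen
    ]
    for pkt in samples:
        print(check_sub_ip_packet(pkt))
    print(summarize(samples))
```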
Содержание
- Network security firewall 1
- Security 1
- User manual 1
- Dfl 210 260 800 860 1600 2500 netdefendos version 2 0 2
- User manual 2
- Copyright notice 3
- Dfl 210 260 800 860 1600 2500 netdefendos version 2 0 3
- Disclaimer 3
- Limitations of liability 3
- User manual 3
- Table of contents 4
- List of figures 9
- List of examples 10
- Examples 12
- Intended audience 12
- Preface 12
- Text structure and conventions 12
- Caution 13
- Highlighted content 13
- Important 13
- Warning 13
- About d link netdefendos 14
- Chapter 1 product overview 14
- Interface symmetry 16
- Interfaces 16
- Logical objects 16
- Netdefendos architecture 16
- Netdefendos building blocks 16
- Netdefendos rule sets 16
- State based architecture 16
- Stateful inspection 16
- Basic packet flow 17
- Figure 1 packet flow schematic part i 19
- Netdefendos state engine packet flow 19
- Figure 1 packet flow schematic part ii 20
- Figure 1 packet flow schematic part iii 20
- Chapter 2 management and maintenance 23
- Default administrator accounts 23
- Managing netdefendos 23
- Overview 23
- Creating new accounts 24
- Important 24
- Serial console cli access 24
- The cli 24
- By using the cli command 25
- Changing the cli prompt 25
- Example 2 enabling ssh remote access 25
- For security reasons it can be advisable to disable or anonymize the cli welcome message 25
- Logging on to the cli 25
- Netdefendos supports version 1 1 and 2 of the ssh protocol and ssh access is regulated by the remote management policy in netdefendos and is disabled by default 25
- Ssh secure shell cli access 25
- The cli chapter 2 management and maintenance 25
- The default cli prompt is 25
- The ssh secure shell protocol can be used to access the cli over the network from a remote host ssh is a protocol primarily used for secure communication over insecure networks providing strong authentication and data integrity many ssh clients are feely available for almost all hardware platforms 25
- When access to the cli has been established to netdefendos through the serial console or an ssh client the administrator will need to logon to the system before being able to execute any cli command this authentication step is needed to ensure that only trusted users can access the system as well as providing user information for auditing 25
- When accessing the cli the system will respond with a login prompt enter your username and press enter followed by your password and then enter again after a successful logon you will see the command prompt if a welcome message has been set then it will be displayed directly after the logon 25
- Activate and committing changes 26
- Logging off from the cli 26
- Logging on to the web interface 26
- The webui 26
- Interface layout 27
- Multi language support 27
- The web browser interface 27
- Controlling access to the web interface 28
- Caution 29
- Logging out from the web interface 29
- Working with configurations 29
- Example 2 displaying a configuration object 30
- Show servicetcpudp telnet 30
- When accessing object via the cli you can omit the category name and just use the type name the cli command in the above example for instance could be simplified to 30
- Working with configurations chapter 2 management and maintenance 30
- Changes to a configuration object will not be applied to a running system until you activate and commit the changes 31
- Example 2 adding a configuration object 31
- Example 2 editing a configuration object 31
- Important 31
- Working with configurations chapter 2 management and maintenance 31
- After modifying several configuration objects you might want to see a list of the objects that were changed added and removed since the last commit 32
- Example 2 deleting a configuration object 32
- Example 2 listing modified configuration objects 32
- Example 2 undeleting a configuration object 32
- Listing modified objects 32
- Working with configurations chapter 2 management and maintenance 32
- Activating and committing a configuration 33
- After changes to a configuration have been made the configuration has to be activated for those changes to have an impact on the running system during the activation process the new proposed configuration is validated and netdefendos will attempt to initialize affected subsystems with the new configuration data 33
- Committing ipsec changes 33
- Example 2 0 activating and committing a configuration 33
- If the new configuration is validated netdefendos will wait for a short period 30 seconds by default during which a connection to the administrator must be re established as described previously if the configuration was activated via the cli with the activate command then a commit command must be issued within that period if a lost connection could not be re established or if the commit command was not issued then netdefendos will revert to using the previous configuration this is a fail safe mechanism and amongst others things can help prevent a remote administrator from locking themselves out 33
- The administrator should be aware that if any changes that effect the configurations of live ipsec tunnels are committed then those live tunnels connections will be terminated and must be re established 33
- Working with configurations chapter 2 management and maintenance 33
- Event message distribution 35
- Event messages 35
- Events and logging 35
- Overview 35
- Logging to syslog hosts 36
- Snmp traps 37
- Snmp traps in netdefendos 37
- The snmp protocol 37
- Event message distribution chapter 2 management and maintenance 38
- Overview 39
- Radius accounting 39
- Radius accounting messages 39
- Start message parameters 39
- Stop message parameters 40
- Activating radius accounting 41
- Interim accounting messages 41
- Radius accounting and high availability 41
- Radius accounting security 41
- Accounting and system shutdowns 42
- Handling unresponsive servers 42
- Limitations with nat 42
- Defining snmp access 43
- Enabling an ip rule for snmp 43
- Monitoring 43
- Overview 43
- Snmp monitoring 43
- The community string 43
- The netdefendos mib 43
- Example 2 3 enabling snmp monitoring 44
- It should be noted that snmp version 1 or 2c access means that the community string will be sent as plain text over a network this is clearly insecure if a remote client is communicating over the public internet it is therefore advisable to have remote access take place over an encrypted vpn tunnel or similarly secure means of communication 44
- Preventing snmp overload 44
- Remote access encryption 44
- Snmp access port 161 is usually used for snmp and netdefendos always expects snmp traffic on that port 44
- Snmp monitoring chapter 2 management and maintenance 44
- The advanced setting snmpreqlimit restricts the number of snmp requests allowed per second this can help prevent attacks through snmp overload 44
- Auto update mechanism 45
- Configuration backup and restore 45
- Maintenance 45
- Resetting to factory defaults 45
- Do not abort the reset to factory defaults process if aborted the d link firewall can cease to function properly 46
- Example 2 5 complete hardware reset to factory defaults 46
- Press any key on the keypad when the press keypad to enter setup message appears on the display select reset firewall confirm by selecting yes and wait for the process to complete 46
- Reset alternative for the dfl 210 260 800 860 only 46
- Reset alternatives for the dfl 1600 and dfl 2500 only 46
- Resetting to factory defaults chapter 2 management and maintenance 46
- To reset the dfl 210 260 800 860 you must hold down the reset button at the rear panel for 10 15 seconds while powering on the unit after that release the reset button and the dfl 210 800 will continue to load and startup in default mode that is to say with 192 68 on the lan interface 46
- Warning 46
- Chapter 3 fundamentals 48
- Ip addresses 48
- Overview 48
- The address book 48
- Example 3 adding an ip host 49
- Example 3 adding an ip network 49
- Example 3 adding an ip range 49
- For example 192 68 0 192 68 5 represents six hosts in consecutive order 49
- For example 192 68 24 49
- Ip addresses chapter 3 fundamentals 49
- Ip range a range of ip addresses is represented on the form a b c d e f g h please note that ranges are not limited to netmask boundaries they may include any span of ip addresses 49
- Ethernet address objects are used to define symbolic names for ethernet addresses also known as mac addresses this is useful for instance when populating the arp table with static arp entries or for other parts of the configuration where symbolic names are preferred over numerical ethernet addresses 50
- Ethernet addresses 50
- Ethernet addresses chapter 3 fundamentals 50
- Example 3 adding an ethernet address 50
- Example 3 deleting an address object 50
- When specifying an ethernet address the format aa bb cc dd ee ff should be used ethernet addresses are also displayed using this format 50
- Address groups 51
- Auto generated address objects 51
- A large number of service objects come pre defined with netdefendos these include common services such as http ftp telnet and ssh pre defined services can be used and also modified just like user defined services however it is recommended not to make any changes to pre defined services but instead create new ones with the desired parameters 52
- A service object is a reference to a specific ip protocol with associated parameters a service definition is usually based on one of the major transport protocols such as tcp or udp with the associated port number s the http service for instance is defined as using the tcp protocol with associated port 80 52
- Example 3 listing the available services 52
- Example 3 viewing a specific service 52
- However service objects are in no way restricted to tcp or udp they can be used to define icmp messages as well as any user definable ip protocol 52
- Overview 52
- Services 52
- Services are passive objects in that they cannot carry out any action in the system on their own instead service objects are used frequently in the various security policies defined by rule sets for instance a rule in the ip rule set can use a service object as a filter to decide whether or not to allow certain traffic through the d link firewall for more information on how service objects are being used wit ip rules see section 3 the ip rule set 52
- Services chapter 3 fundamentals 52
- Tcp and udp based services 53
- Max sessions 54
- Using all services 54
- Custom ip protocol services 55
- Icmp services 55
- Custom ip protocol services chapter 3 fundamentals 56
- Example 3 adding an ip protocol service 56
- Number some of the common ip protocols such as igmp are already pre defined in the netdefendos system configuration 56
- Similar to the tcp udp port ranges described previously a range of ip protocol numbers can be used to specify multiple applications for one service 56
- The currently assigned ip protocol numbers and references are published by the internet assigned numbers authority iana and can be found at http www iana org assignments protocol numbers 56
- Interfaces 57
- Overview 57
- Ethernet 58
- Ethernet interface names 58
- The any and core interfaces 58
- Warning 58
- Ethernet ip addresses 59
- The default gateway 59
- Using dhcp on ethernet interfaces 59
- License limitations 60
- Overview 60
- Summary of vlan setup 60
- Vlan operation 60
- Overview of ppp 61
- Dial on demand 62
- Ip address information 62
- Pppoe client configuration 62
- The pppoe interface 62
- User authentication 62
- A gre tunnel does not use any encryption for the communication and is therefore not in itself secure any security must come from the protocol being tunneled the advantage of gre s lack of encryption is the high performance which is achievable because of the low traffic processing overhead the lack of encryption can be acceptable in some circumstances if the tunneling is done across an internal network that is not public 63
- Gre is typically used to provide a method of connecting two networks together across a third network such as the internet the two networks being connected together communicate with a common protocol which is tunneled using gre through the intervening network examples of gre usage are 63
- Gre security and performance 63
- Gre tunnels 63
- Gre tunnels chapter 3 fundamentals 63
- Like other tunnels in netdefendos such as an ipsec tunnel a gre tunnel is treated as a logical interface by netdefendos with the same filtering traffic shaping and configuration capabilities as a standard interface the gre options are 63
- Overview 63
- Setting up gre 63
- The generic router encapsulation gre protocol is a simple encapsulating protocol that can be used whenever there is a need to tunnel traffic across networks and or through network devices gre does not provide any security features but this means that its use has extremely low overhead 63
- To provide a point to point connection over ethernet each ppp session must learn the ethernet address of the remote peer as well as establish a unique session identifier pppoe includes a discovery protocol that provides this 63
- Traversing network equipment that blocks a particular protocol 63
- Tunneling ipv6 traffic across an ipv4 network 63
- Using gre 63
- Where a udp data stream is to be multicast and it is necessary to transit through a network device which does not support multicasting gre allows tunneling though the network device 63
- An example gre scenario 64
- Figure 3 an example gre scenario 64
- Gre and the ip rule set 64
- Setup for d link firewall a 65
- Setup for d link firewall b 65
- Interface groups 66
- Interface groups chapter 3 fundamentals 67
- Arp cache 68
- Arp in netdefendos 68
- Overview 68
- Flushing the arp cache 69
- Size of the arp cache 69
- Static and published arp entries 69
- Another use is publishing multiple addresses on an external interface enabling netdefendos to statically address translate communications to these addresses and send it onwards to internal servers with private ip addresses 70
- Example 3 6 defining a static arp entry 70
- Netdefendos supports defining static arp entries static binding of ip addresses to ethernet addresses as well as publishing ip addresses with a specific ethernet address 70
- Netdefendos supports publishing arp entries meaning that you can define ip addresses and optionally ethernet addresses for an interface netdefendos will then provide arp replies for arp requests related to those ip addresses 70
- Published arp entries 70
- Static and published arp entries chapter 3 fundamentals 70
- Static arp entries 70
- Static arp items may help in situations where a device is reporting incorrect ethernet address in response to arp requests some workstation bridges such as radio modems can have such problems it may also be used to lock an ip address to a specific ethernet address for increasing security or to avoid denial of service if there are rogue users in a network note however that such protection only applies to packets being sent to that ip address it does not apply to packets being sent from that ip address 70
- The first purpose is useful if there are several separate ip spans on a single lan the hosts on each ip span may then use a gateway in their own span when these gateway addresses are published on the corresponding netdefendos interface 70
- This can serve two purposes 70
- To aid nearby network equipment responding to arp in an incorrect manner this use is however less common 70
- To give the impression that an interface in netdefendos has more than one ip address 70
- Advanced arp settings 71
- Arp requests 71
- Changes to the arp cache 71
- Multicast and broadcast 71
- Unsolicited arp replies 71
- Matching ethernet addresses 72
- Sender ip 0 72
- Policy characteristics 73
- Security policies 73
- Specifying any interface or network 73
- The ip rule set 73
- Ip rule evaluation 74
- Ip rules 74
- Non matching traffic 74
- Stateful inspection 74
- The first matching principle 74
- Bi directional connections 75
- Ip rule actions 75
- Editing ip rule set entries 76
- Using reject 76
- A schedule object gives the possibility to enter multiple time ranges for each day of the week furthermore a start and a stop date can be specified that will impose additional constraints on the schedule for instance a schedule can be defined as mondays and tuesdays 08 30 10 40 and 11 30 14 00 fridays 14 30 17 00 77
- As schedules depend on an accurate date and time it is very important that the system date and time are set correctly preferably time synchronization has also been enabled to ensure that scheduled policies will be enabled and disabled at the right time for more information please see section 3 setting date and time 77
- Example 3 7 setting up a time scheduled policy 77
- For instance the it policy of an enterprise might stipulate that web traffic from a certain department is only allowed access outside that department during normal office hours another example might be that authentication using a specific vpn connection is only permitted on weekdays before noon 77
- Important 77
- In some scenarios it might be useful to control not only what functionality is enabled but also when that functionality is being used 77
- Netdefendos addresses this requirement by providing schedule objects or simply schedules that can be selected and used with various types of security policies to accomplish time based control this functionality is in no way limited to ip rules but is valid for most types of policies including traffic shaping rules and intrusion detection and prevention idp rules a schedule object is in other words a very powerful component that can allow detailed regulation of when functions in netdefendos are enabled or disabled 77
- Schedules 77
- Schedules chapter 3 fundamentals 77
- Schedules chapter 3 fundamentals 78
- Certificate components 79
- Certificates with vpn tunnels 79
- Certification authorities 79
- Overview 79
- Validity time 79
- X 09 certificates 79
- Certificate revocation lists 80
- Identification lists 80
- Reusing root certificates 80
- Trusting certificates 80
- X 09 certificates in netdefendos 80
- Example 3 9 associating x 09 certificates with ipsec tunnels 81
- X 09 certificates in netdefendos chapter 3 fundamentals 81
- Current date and time 82
- General date and time settings 82
- Setting date and time 82
- Time zones 82
- Daylight saving time 83
- Example 3 1 setting the time zone 83
- Example 3 2 enabling dst 83
- Many regions follow daylight saving time dst or summer time as it is called in some countries and this means clocks are advanced for the summer period unfortunately the principles regulating dst vary from country to country and in some cases there can be variations within the same country for this reason netdefendos does not automatically know when to adjust for dst instead this information has to be manually provided if daylight saving time is to be used 83
- Netdefendos is able to adjust the clock automatically based on information received from one or more time servers which provide a highly accurate time usually using atomic clocks using time servers is highly recommended as it ensures netdefendos will have its date and time aligned with other network devices 83
- The hardware clock which netdefendos uses can sometimes become fast or slow after a period of operation this is normal behavior in most network and computer equipment and is solved by utilizing time servers 83
- There are two parameters governing daylight saving time the dst period and the dst offset the dst period specifies on what dates daylight saving time starts and ends the dst offset indicates the number of minutes to advance the clock during the daylight saving time period 83
- Time servers 83
- Time servers chapter 3 fundamentals 83
- Time synchronization protocols 83
- Configuring time servers 84
- Important 84
- Example 3 5 modifying the maximum adjustment value 85
- Example 3 6 forcing time synchronization 85
- Maximum time adjustment 85
- Sometimes it might be necessary to override the maximum adjustment for instance if time synchronization has just been enabled and the inital time difference is greater than the maximum adjust value it is then possible to manually force a synchronization and disregard the maximum adjustment parameter 85
- Synchronization intervals 85
- The interval between each synchronization attempt can be adjusted if needed by default this value is 86 400 seconds 1 day meaning that the time synchronization process is executed once in a 24 hour period 85
- Time servers chapter 3 fundamentals 85
- To avoid situations where a faulty time server causes the clock to be updated with a extremely inaccurate time a maximum adjustment value in seconds can be set if the difference between the current netdefendos time and the time received from a time server is greater than this maximum adjustment value then the time server response will be discarded for example assume that the maximum adjustment value is set to 60 seconds and the current netdefendos time is 16 42 35 if a time server responds with a time of 16 43 38 then the difference is 63 seconds this is greater than the maximum adjustment value so no update occurs for this response 85
- As mentioned above it is important to have an external dns server configured so that the d link time server urls can be resolved during the access process 86
- D link time servers 86
- Example 3 7 enabling the d link ntp server 86
- Time servers chapter 3 fundamentals 86
- Using d link s own time servers is an option in netdefendos and this is the recommended way of synchronizing the firewall clock these servers communicate with netdefendos using the sntp protocol 86
- When the d link server option is chosen a pre defined set of recommended default values for the synchronization are used 86
- Dns lookup 87
- Chapter 4 routing 89
- Overview 89
- Basic principles of routing 90
- Static routing 90
- Netdefendos route notation 91
- Static routing 91
- The route lookup mechanism 91
- Displaying the routing table 92
- Example 4 displaying the routing table 92
- Flags network iface gateway local ip metric 192 68 24 lan 20 10 8 wan 1 0 0 wan 192 68 20 92
- It is also worth mentioning that netdefendos allows you to specify routes for destinations that are not aligned with traditional subnet masks in other words it is perfectly legal to specify one route for the destination address range 192 68 192 68 7 and another route for addresses 192 68 8 192 68 54 this is a feature that makes netdefendos highly suitable for routing in highly complex network topologies 92
- It is important to distinguish between the routing table that is active in the system and the routing table that you configure the routing table that you configure contains only the routes that you have added manually in other words the static routes the content of the active routing table however will vary depending on several factors for instance if dynamic routing has been enabled the routing table will be populated with routes learned by communicating with other routers in the network also features such as route fail over will cause the active routing table to look different from time to time 92
- Persistent routes none 92
- Static routing chapter 4 routing 92
- The corresponding routing table in netdefendos is similar to this 92
- The netdefendos way of describing the routes is easier to read and understand another advantage with this form of notation is that you can specify a gateway for a particular route without having a route that covers the gateways s ip address or despite the fact that the route covers the gateway s ip address is normally routed via another interface 92
- Core routes 93
- Example 4 displaying the core routes 93
- Netdefendos automatically populates the active routing table with core routes these routes are present for the system to understand where to route traffic that is destined for the system itself there is one route added for each interface in the system in other words two interfaces named lan and wan and with ip addresses 192 68 0 and 193 5 6 7 respectively will result in the following routes 93
- Static routing chapter 4 routing 93
- There is also a core route added for all multicast addresses 93
- To include the core routes when you display the active routing table you have to specify an option to the routing command 93
- When the system receives an ip packet whose destination address is one of the interface ips the packet will be routed to the core interface in other words it is processed by netdefendos itself 93
- Figure 4 a route failover scenario for isp access 94
- Overview 94
- Route failover 94
- Setting up route failover 94
- Failover processing 95
- Multiple failover routes 95
- Re enabling routes 95
- Setting the route metric 95
- Gratuitous arp generation 96
- Proxy arp 96
- Route interface grouping 96
- Overview 98
- Policy based routing 98
- Policy based routing rules 98
- Policy based routing tables 98
- Policy based routing table selection 99
- The ordering parameter 99
- A common mistake with policy based routing is the absence of the default route with a destination interface of all nets in the default main routing table if there is no route that is an exact match then the absence a default all nets route will mean that the connection will be dropped 100
- Example 4 creating a policy based routing table 100
- Example 4 creating the route 100
- Important ensuring all nets appears in the main table 100
- Interfaces 100
- The first two options can be regarded as combining the alternate table with the main table and assigning one route if there is a match in both tables 100
- The ordering parameter chapter 4 routing 100
- Example 4 policy based routing configuration 101
- The ordering parameter chapter 4 routing 101
- Comparing dynamic routing algorithms 103
- Distance vector algorithms 103
- Dynamic routing 103
- Dynamic routing overview 103
- Link state algorithms 103
- Open shortest path first 103
- Routing metrics 103
- Ospf areas 104
- Overview 104
- Aggregates 105
- Neighbors 105
- The designated router 105
- A partitioned backbone 106
- Areas without direct connection to the backbone 106
- Figure 4 virtual links example 1 106
- Virtual links 106
- Dynamic routing policy 107
- Figure 4 virtual links example 2 107
- Ospf high availability support 107
- Overview 107
- A dynamic routing policy rule filters either statically configured or ospf learned routes according to parameters like the origin of the routes destination metric and so on the matched routes can be controlled by actions to be either exported to ospf processes or to be added to one or more routing tables 108
- By default netdefendos will not import or export any routes in other words for dynamic routing to be meaningful it is mandatory to define at least one dynamic routing policy rule 108
- Dynamic routing policy chapter 4 routing 108
- Example 4 importing routes from an ospf as into the main routing table 108
- Exporting routes from a routing table to an ospf process 108
- Exporting routes from one ospf process to another 108
- For this reason netdefendos provides a dynamic routing policy which is used to regulate the flow of dynamic routing information 108
- Importing ospf routes from an ospf process into a routing table 108
- In a dynamic routing environment it is important for routers to be able to regulate to what extent they will participate in the routing exchange it is not feasible to accept or trust all received routing information and it might be crucial to avoid that parts of the routing database gets published to other routers 108
- The most common usages of dynamic routing policy are 108
- Dynamic routing policy chapter 4 routing 109
- Example 4 exporting the default route into an ospf as 109
- Multicast forwarding using the sat multiplex rule 110
- Multicast routing 110
- Overview 110
- Figure 4 multicast forwarding no address translation 111
- Multicast forwarding no address translation 111
- Example 4 forwarding of multicast traffic using the sat multiplex rule 112
- Figure 4 multicast forwarding address translation 112
- Multicast forwarding address translation scenario 112
- Multicast forwarding using the sat multiplex rule chapter 4 routing 112
- As previously noted remember to add an allow rule matching the sat multiplex rule 113
- Caution 113
- Example 4 multicast forwarding address translation 113
- Multicast forwarding using the sat multiplex rule chapter 4 routing 113
- This scenario is based on the previous scenario but now we are going to translate the multicast group when the multicast streams 239 92 0 24 are forwarded through the if2 interface the multicast groups should be translated into 237 92 0 24 no address translation should be made when forwarding through interface if1 the configuration of the corresponding igmp rules can be found below in section 4 igmp rules configuration address translation 113
- If address translation of the source address is required, the Allow rule following the SAT Multiplex rule should be replaced with a NAT rule. 114
- IGMP Configuration 114
- IGMP signaling between hosts and routers can be divided into two categories: 114
- IGMP Reports: reports are sent from hosts towards the router when a host wants to subscribe to new multicast groups or change current multicast subscriptions. 114
- IGMP Queries: queries are IGMP messages sent from the router towards the hosts, in order to make sure that it will not close any stream that some host still wants to receive. 114
- Normally, both these types of rules have to be specified for IGMP to work. One exception to this is if the multicast source is located on a network directly connected to the router; in this case, no query rule is needed. 114
- A second exception is if a neighbouring router is statically configured to deliver a multicast stream to the D-Link firewall; in this case also, an IGMP query would not have to be specified. 114
- NetDefendOS supports two IGMP modes of operation: snoop and proxy. 114
- Figure 4: Multicast Snoop 114
- Figure 4: Multicast Proxy 115
- In snoop mode, the router will act transparently between the hosts and another IGMP router. It will not send any IGMP queries; it will only forward queries and reports between the other router and the hosts. In proxy mode, the router will act as an IGMP router towards the clients and actively send queries towards the upstream router; it will be acting as a normal host, subscribing to multicast groups on behalf of its clients. 115
- IGMP Rules Configuration: No Address Translation 115
- This example describes the IGMP rules needed for configuring IGMP according to the no address translation scenario described above. We want our router to act as a host towards the upstream router, and therefore we configure IGMP to run in proxy mode. 115
- Example 4.10: IGMP, No Address Translation 115
- IGMP Rules Configuration: Address Translation 116
- The following examples illustrate the IGMP rules needed to configure IGMP according to the address translation scenario described above in Section 4, Multicast Forwarding: Address Translation Scenario. We need two IGMP report rules, one for each client interface: if1 uses no address translation and if2 translates the multicast group to 237.192.10.0/24. We also need two query rules, one for the translated address and interface, and one for the original address towards if1. 116
- Two examples are provided, one for each pair of report and query rule. The upstream multicast router uses IP UpstreamRouterIP. 116
- Example 4.11: Configuration if1 116
- Example 4.12: Configuration if2, Group Translation 117
- Advanced IGMP Settings 118
- There are a number of advanced settings which are global and apply to all interfaces which do not have IGMP settings explicitly specified for them. These global settings can be found in Chapter 13, Advanced Settings. Individual IGMP settings are found in the IGMP section of the administration interface. 118
- Transparent Mode 119
- Overview of Transparent Mode 119
- Comparison with Routing Mode 119
- Transparent Mode Implementation 119
- Enabling Transparent Mode 120
- High Availability with Transparent Mode 120
- Transparent Mode Scenarios 120
- Scenario 1 120
- Figure 4: Transparent Mode Scenario 1 121
- Example 4.13: Setting up Transparent Mode Scenario 1 121
- Scenario 2 122
- Here the D-Link firewall in transparent mode separates server resources from an internal network by connecting them to a separate interface, without the need for different address ranges. 122
- All hosts connected to LAN and DMZ (the LAN and DMZ interfaces) share the 10.0.0.0/24 address space. As this is configured using transparent mode, any IP address can be used for the servers, and there is no need for the hosts on the internal network to know if a resource is on the same network or placed on the DMZ. The hosts on the internal network are allowed to communicate with an HTTP server on the DMZ, while the HTTP server on the DMZ can be reached from the Internet. The firewall is transparent between the DMZ and LAN, while traffic can be subjected to the IP rule set. 122
- Figure 4: Transparent Mode Scenario 2 122
- Example 4.14: Setting up Transparent Mode Scenario 2 122
- Chapter 5: DHCP Services 127
- Overview 127
- IP Address Assignment 127
- DHCP Leases 127
- DHCP Servers 128
- DHCP leases are remembered by the system between system restarts. 129
- Example 5: Checking the Status of a DHCP Server 129
- Static DHCP Assignment 130
- Where the administrator requires a fixed relationship between a client and the assigned IP address, NetDefendOS allows the assignment of a given IP to a specific MAC address. 130
- Example 5: Setting up Static DHCP 130
- DHCP Relaying 131
- With DHCP, clients send requests to locate the DHCP server(s) using broadcast messages. However, broadcasts are normally only propagated across the local network. This means that the DHCP server and client would always need to be in the same physical network area to be able to communicate. In a large Internet-like environment, this means there has to be a different server on every network. This problem is solved by the use of a DHCP relayer. 131
- A DHCP relayer takes the place of the DHCP server in the local network to act as the link between the client and the remote DHCP server. It intercepts requests from clients and relays them to the server. The server then responds to the relayer, which forwards the response to the client. DHCP relayers follow the BOOTP relay agent functionality and retain the BOOTP message format and communication protocol; hence they are often called BOOTP relay agents. 131
- Example 5: Setting up a DHCP Relayer 131
- IP Pools 132
- Overview 132
- Basic IP Pool Options 132
- Advanced IP Pool Options 132
- Maximum Clients: optional setting used to specify the maximum number of clients (IPs) allowed in the pool. 133
- Greater than the prefetch parameter; the pool will start releasing (giving back IPs to the DHCP server) when the number of free clients exceeds this value. 133
- Using Prefetched Leases 133
- As mentioned in the previous section, the Prefetched Leases option specifies the size of the cache of leases which is maintained by NetDefendOS. This cache provides fast lease allocation and can improve overall system performance. It should be noted, however, that the entire prefetched number of leases is requested at system startup, and if this number is too large, then this can degrade initial performance. 133
- As leases in the prefetch cache are allocated, requests are made to DHCP servers so that the cache is always full. The administrator therefore has to make a judgement as to the optimal initial size of the prefetch cache. 133
- Example 5: Creating an IP Pool 133
- Chapter 6: Security Mechanisms 135
- Access Rules 135
- Introduction 135
- IP Spoofing 135
- The Default Access Rule 135
- Access Rule Settings 136
- Access Rule Filtering Fields 136
- Access Rule Action 136
- Turning Off Default Access Rule Messages 136
- Troubleshooting Access Rule Related Problems 136
- Example 6: Setting up an Access Rule 137
- Application Layer Gateways 138
- Overview 138
- Deploying an ALG 138
- Maximum Connection Sessions 138
- ALGs and SYN Flood Protection 139
- Deploying an HTTP ALG 140
- FTP Connections 140
- Connection Modes 140
- FTP Security Issues 140
- The Solution 141
- Example 6: Protecting FTP Clients 144
- TFTP 145
- Trivial File Transfer Protocol (TFTP) is a much simpler version of FTP with more limited capabilities. Its purpose is to allow a client to upload files to, or download files from, a host system. TFTP data transport is based on the UDP protocol, and therefore it supplies its own transport and session control protocols, which are layered onto UDP. 145
- General TFTP Options 146
- TFTP Request Options 146
- Allowing Request Timeouts 146
- SMTP ALG Options 146
- DNSBL Spam Filtering 147
- The NetDefendOS Implementation 147
- Figure 6: DNSBL Spam Filtering 147
- A Threshold Calculation Example 148
- Tagging Spam Emails 148
- Dropping Spam Email 149
- Allowing for Failed DNSBL Servers 149
- Verifying the Sender Email 149
- Logging 150
- Caching Addresses for Performance 150
- Network Setup 150
- Setup Summary 150
- The dnsbl CLI Command 150
- POP3 ALG Options 151
- Anti-Virus Options 152
- SIP Components 153
- SIP Media Related Protocols 153
- SIP Usage Scenarios 153
- SIP Configuration Options 153
- SIP Setup Summary 154
- H.323 Components 155
- Handling Data Traffic 155
- H.323 Protocols 156
- H.323 ALG Features 156
- H.323 ALG Configuration 157
- Example 6: H.323 with Private IP Addresses 159
- Example 6: Two Phones Behind Different D-Link Firewalls 160
- To place a call to the phone behind the D-Link firewall, place a call to the external IP address on the firewall. If multiple H.323 phones are placed behind the firewall, one SAT rule has to be configured for each phone. This means that multiple external addresses have to be used. However, it is preferred to use an H.323 gatekeeper, as in the "H.323 with Gatekeeper" scenario, as this only requires one external address. 160
- Example 6: Using Private IP Addresses 161
- Example 6: H.323 with Gatekeeper 162
- To place a call to the phone behind the D-Link firewall, place a call to the external IP address on the firewall. If multiple H.323 phones are placed behind the firewall, one SAT rule has to be configured for each phone. This means that multiple external addresses have to be used. However, it is preferable to use an H.323 gatekeeper, as this only requires one external address. 162
- Example 6: H.323 with Gatekeeper and Two D-Link Firewalls 164
- There is no need to specify a specific rule for outgoing calls. NetDefendOS monitors the communication between external phones and the gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper. 164
- Example 6.10: Using the H.323 ALG in a Corporate Environment 165
- Example 6.11: Configuring Remote Offices for H.323 167
- Example 6.12: Allowing the H.323 Gateway to Register with the Gatekeeper 167
- Web Content Filtering 169
- Overview 169
- Active Content Handling 169
- Caution 169
- Static Content Filtering 170
- Wildcarding 170
- Static and Dynamic Filter Ordering 170
- Web content filtering URL blacklisting is a separate concept from Section 6, Blacklisting Hosts and Networks. 171
- Example 6.14: Setting up a White and Blacklist 171
- Dynamic Web Content Filtering 172
- Overview 172
- Dynamic Web Content Filtering Availability on D-Link Models 172
- URL Processing Flow 172
- Figure 6: Dynamic Content Filtering Flow 172
- Activation 173
- Dynamic content filtering is a feature that is enabled by taking out a separate subscription to the service. This is an addition to the normal NetDefendOS license. For complete details of subscription services, see Appendix A, Subscribing to Security Updates. 173
- Once a subscription is taken out, an HTTP Application Layer Gateway (ALG) object should be defined with dynamic content filtering enabled. This object is then associated with a service object, and the service object is then associated with a rule in the IP rule set to determine which traffic should be subject to the filtering. This makes possible the setting up of a detailed filtering policy based on the filtering parameters that are used for rules in the IP rule set. 173
- If you would like your content filtering policy to vary depending on the time of the day, make use of a schedule object in the corresponding IP rule. For more information, please see Section 3, Schedules. 173
- Categorizing Pages and Not Sites 173
- NetDefendOS dynamic filtering categorizes web pages and not sites. In other words, a web site may contain particular pages that should be blocked without blocking the entire site. NetDefendOS provides blocking down to the page level, so that users may still access parts of web sites that aren't blocked by the filtering policy. 173
- New, uncategorized URLs sent to the D-Link network are treated as anonymous submissions, and no record of the source of new submissions is kept. 173
- Example 6.15: Enabling Dynamic Web Content Filtering 173
- Audit Mode 174
- In audit mode, the system will classify and log all surfing according to the content filtering policy, but restricted web sites will still be accessible to the users. This means the content filtering feature of NetDefendOS can then be used as an analysis tool to analyse what categories of web sites are being accessed by a user community, and how often. 174
- After running in audit mode for some weeks, it is then easier to have a good understanding of surfing behaviour and also the potential time savings that can be made by enabling content filtering. It is recommended that the administrator gradually introduces the blocking of particular categories, one at a time. This allows individual users time to get used to the notion that blocking exists, and can avoid the widespread protests that might occur if everything is blocked at once. Gradual introduction also makes for better evaluation as to whether the goals of blocking are being met. 174
- Example 6.16: Enabling Audit Mode 174
- Allowing Override 175
- On some occasions, active content filtering may prevent users carrying out legitimate tasks. Consider a stock broker dealing with on-line gaming companies: in his daily work he might need to browse gambling web sites to conduct company assessments. If the corporate policy blocks gambling web sites, he won't be able to do his job. 175
- For this reason, NetDefendOS supports a feature called Allow Override. With this feature enabled, the content filtering component will present a warning to the user that he is about to enter a web site that is restricted according to the corporate policy, and that his visit to the web site will be logged. This page is known as the restricted site notice. The user is then free to continue to the URL, or abort the request to prevent being logged. 175
- By enabling this functionality, only users that have a valid reason to visit inappropriate sites will normally do so. Others will avoid those sites due to the obvious risk of exposing their surfing habits. 175
- This mechanism can be enabled on a per HTTP ALG level, which means that you can choose to enable this functionality for regular users or for a selected user group only. 175
- Caution 175
- Enabling override can result in a user being able to surf to sites that are linked to by the visited site. 175
- Reclassification of Blocked Sites 175
- As the process of classifying unknown web sites is automated, there is always a small risk that some sites are given an incorrect classification. NetDefendOS provides a mechanism for allowing users to manually propose a new classification of sites. 175
- If reclassification is enabled and a user requests a web site which is disallowed, the block web page will include a dropdown list containing all available categories. If the user believes the requested web site is wrongly classified, he can select a more appropriate category from the dropdown list and submit that as a proposal. 175
- The URL to the requested web site, as well as the proposed category, will then be sent to D-Link's central data warehouse for manual inspection. That inspection may result in the web site being reclassified, either according to the category proposed or to a category which is felt to be correct. 175
- Example 6.17: Reclassifying a Blocked Site 176
- Content Filtering Categories 176
- This section lists all the categories used with dynamic content filtering and describes the purpose of each category. 176
- Category 1: Adult Content 176
- A web site may be classified under the Adult Content category if its content includes the description or depiction of erotic or sexual acts or sexually oriented material such as pornography. Exceptions to this are web sites that contain information relating to sexuality and sexual health, which may be classified under the Health Sites category (Category 21). Examples might be: 176
- www.fullonxxx.com 176
- www.naughtychix.com 176
- Category 2: News 177
- Category 3: Job Search 177
- Category 4: Gambling 177
- Category 5: Travel / Tourism 177
- Category 6: Shopping 177
- Category 7: Entertainment 178
- Category 8: Chatrooms 178
- Category 9: Dating Sites 178
- Category 10: Game Sites 178
- Category 11: Investment Sites 178
- Category 12: E-Banking 179
- Category 13: Crime / Terrorism 179
- Category 14: Personal Beliefs / Cults 179
- Category 15: Politics 179
- Category 16: Sports 179
- Category 17: WWW-Email Sites 180
- Category 18: Violence / Undesirable 180
- Category 19: Malicious 180
- Category 20: Search Sites 180
- Category 21: Health Sites 180
- Category 22: Clubs and Societies 180
- Category 23: Music Downloads 181
- Category 24: Business Oriented 181
- Category 25: Government Blocking List 181
- Category 26: Educational 181
- Category 27: Advertising 181
- Category 28: Drugs / Alcohol 181
- Category 29: Computing / IT 182
- Category 30: Swimsuit / Lingerie Models 182
- Category 31: Spam 182
- Category 32: Non-Managed 182
- Anti-Virus Scanning 183
- Overview 183
- Anti-Virus Availability on D-Link Models 183
- Combining with Client Anti-Virus Scanning 183
- Implementation 183
- Streaming 183
- Pattern Matching 183
- Types of Files Scanned 183
- Simultaneous Scans 183
- Activating Anti-Virus Scanning 184
- Association with an ALG 184
- Creating Anti-Virus Policies 184
- Protocol Specific Behaviour 184
- The Signature Database 184
- SafeStream 184
- Database Updates 184
- Subscribing to the D-Link Anti-Virus Service 184
- Anti-Virus Options 184
- General Options 185
- Scan Exclude Option 185
- Compression Ratio Limit 185
- File Type Blocking / Allowing 185
- Verifying the MIME Type 185
- Setting the Correct System Time 186
- Updating in High Availability Clusters 186
- Intrusion Detection and Prevention 188
- Overview 188
- Intrusion Definition 188
- Intrusion Detection 188
- IDP Issues 188
- NetDefendOS IDP Components 188
- IDP Availability in D-Link Models 188
- Maintenance and Advanced IDP 188
- IDP, IPS and IDS 189
- Subscribing to the D-Link Advanced IDP Service 189
- Figure 6: IDP Database Updating 189
- Setting the Correct System Time 189
- Updating in High Availability Clusters 190
- Checking Dropped Packets 190
- IDP Rules 190
- Rule Components 190
- Initial Packet Processing 190
- Insertion / Evasion Attack Prevention 191
- Overview 191
- Insertion Attacks 191
- Evasion Attacks 191
- Detection Action 191
- Insertion / Evasion Log Events 191
- Recommended Configuration 191
- IDP Pattern Matching 192
- Signatures 192
- Recognising Unknown Threats 192
- Signature Advisories 192
- IDP Signature Types 192
- IDP Signature Groups 192
- Using Groups 193
- Specifying Signature Groups 193
- Signature Group Type 193
- Signature Group Category 193
- Signature Group Sub-Category 193
- Listing of IDP Groups 193
- Processing Multiple Actions 193
- IDP Signature Wildcarding 193
- IDP Actions 194
- Action Options 194
- Caution Against Using Too Many IDP Signatures 194
- IDP Blacklisting 194
- IDP ZoneDefense 194
- SMTP Log Receiver for IDP Events 194
- Example 6.20: Setting up IDP for a Mail Server 195
- Denial of Service (DoS) Attacks 198
- Overview 198
- DoS Attack Mechanisms 198
- Ping of Death and Jolt Attacks 198
- Fragmentation Overlap Attacks: Teardrop, Bonk, Boink and Nestea 199
- The Land and LaTierra Attacks 199
- The WinNuke Attack 199
- Amplification Attacks: Smurf, Papasmurf, Fraggle 200
- Avoiding Becoming an Amplifier 200
- Protection on the Victim's Side 200
- TCP SYN Flood Attacks 201
- The Jolt2 Attack 201
- Distributed DoS Attacks 201
- Blacklisting Hosts and Networks 202
- Whitelisting 202
- Chapter 7: Address Translation 204
- Dynamic Network Address Translation 204
- The following example illustrates how NAT is applied in practice on a new connection: 205
- The sender, for example 192.168.1.5, sends a packet from a dynamically assigned port, for instance port 1038, to a server, for example 195.55.66.77 port 80. 205
- In this example the Use Interface Address option is used, and we will use 195.11.22.33 as the interface address. In addition, the source port is changed to a free port on the D-Link firewall, usually one above 32768; in this example we will use port 32789. The packet is then sent to its destination. 205
- Packet flow in the example: 192.168.1.5:1038 to 195.55.66.77:80 leaves the firewall as 195.11.22.33:32789 to 195.55.66.77:80. 205
- The recipient server then processes the packet and sends its response. 205
- NetDefendOS receives the packet and compares it to its list of open connections. Once it finds the connection in question, it restores the original address and forwards the packet. 205
- The original sender receives the response. 205
- Publish entry configured for the egress interface; otherwise the return traffic will not be received by the D-Link firewall. 205
- Example 7: Adding a NAT Rule 205
- Protocols Handled by NAT 206
- NAT Pools 207
- Overview 207
- Types of NAT Pools 207
- Stateful NAT Pools 207
- Stateless NAT Pools 208
- Fixed NAT Pools 208
- IP Pool Usage 208
- Proxy ARP Usage 208
- Using NAT Pools 208
- Static Address Translation 210
- NetDefendOS can translate entire ranges of IP addresses and/or ports. Such translations are transpositions, that is, each address or port is mapped to a corresponding address or port in the new range, rather than translating them all to the same address or port. This functionality is known as Static Address Translation (SAT). 210
- Translation of a Single IP Address (1:1) 210
- The simplest form of SAT usage is translation of a single IP address. A very common scenario for this is to enable external users to access a protected server having a private address. This scenario is also sometimes referred to as a "virtual IP" or "virtual server" in some other manufacturers' products. 210
- Unlike NAT, SAT requires more than just a single SAT rule to function. NetDefendOS does not terminate the rule set lookup upon finding a matching SAT rule. Instead, it continues to search for a matching Allow, NAT or FwdFast rule. Only when it has found such a matching rule does NetDefendOS execute the SAT rule. 210
- Example 7: Enabling Traffic to a Protected Web Server in a DMZ 210
- Example 7: Enabling Traffic to a Web Server on an Internal Network 212
- Translation of Multiple IP Addresses (M:N) 213
- A single SAT rule can be used to translate an entire range of IP addresses. In this case, the result is a transposition where the first original IP address will be translated to the first IP address in the translation list, and so on. 213
- For instance, a SAT policy specifying that connections to the 194.1.2.16/29 network should be translated to 192.168.0.50 will result in transpositions as per the table below. 213
- In other words: 213
- Attempts to communicate with 194.1.2.16 will result in a connection to 192.168.0.50. 213
- Attempts to communicate with 194.1.2.22 will result in a connection to 192.168.0.56. 213
- An example of when this is useful is when having several protected servers in a DMZ, and where each server should be accessible using a unique public IP address. 214
- Example 7: Translating Traffic to Multiple Protected Web Servers 214
- All-to-One Mappings (N:1) 215
- Port Translation 216
- Protocols Handled by SAT 216
- There is no definitive list of what protocols can or cannot be address translated. A general rule is that VPN protocols cannot usually be translated. In addition, protocols that open secondary connections in addition to the initial connection can be difficult to translate. 217
- Some protocols that are difficult to address translate may be handled by specially written algorithms designed to read and/or alter application data. These are commonly referred to as Application Layer Gateways or Application Layer Filters. NetDefendOS supports a number of such application layer gateways; for more information, please see Section 6, Application Layer Gateways. 217
- Multiple SAT Rule Matches 217
- NetDefendOS does not terminate the rule set lookup upon finding a matching SAT rule. Instead, it continues to search for a matching Allow, NAT or FwdFast rule. Only when it has found such a matching rule does the firewall execute the static address translation. 217
- Despite this, the first matching SAT rule found for each address is the one that will be carried out. 217
- "Each address" above means that two SAT rules can be in effect at the same time on the same connection, provided that one is translating the sender address whilst the other is translating the destination address. 217
- The two above rules may both be carried out concurrently on the same connection. In this instance, internal sender addresses will be translated to addresses in the pubnet in a 1:1 relation. In addition, if anyone tries to connect to the public address of the web server, the destination address will be changed to its private address. 217
- In this instance, both rules are set to translate the destination address, meaning that only one of them will be carried out. If an attempt is made internally to communicate with the web server's public address, it will instead be redirected to an intranet server. If any other attempt is made to communicate with the web server's public address, it will be redirected to the private address of the publicly accessible web server. 217
- Again, note that the above rules require a matching Allow rule at a later point in the rule set in order to work. 217
- SAT and FwdFast Rules 217
- It is possible to employ static address translation in conjunction with FwdFast rules, although return traffic must be explicitly granted and translated. 217
- Configuration 217
- The following rules make up a working example of static address translation using FwdFast rules to a web server located on an internal network: 217
- We add a NAT rule to allow connections from the internal network to the Internet: 217
- What happens now? 218
- External traffic to wan_ip:80 will match rules 1 and 3, and will be sent to wwwsrv. Correct. 218
- Return traffic from wwwsrv:80 will match rules 2 and 3. 218
- Internal traffic to wan_ip:80 will match rules 1 and 3, and will be sent to wwwsrv. Almost correct; the packets will arrive at wwwsrv, but: 218
- Return traffic from wwwsrv:80 to internal machines will be sent directly to the machines themselves. This will not work, as the packets will be interpreted as coming from the wrong address. 218
- We will now try moving the NAT rule between the SAT and FwdFast rules. 218
- External traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. Correct. 218
- Return traffic from wwwsrv:80 will match rules 2 and 3. The replies will therefore be dynamically address translated. This changes the source port to a completely different port, which will not work. 218
- The problem can be solved using the following rule set: 218
- External traffic to wan_ip:80 will match rules 1 and 5, and will be sent to wwwsrv. 218
- Return traffic from wwwsrv:80 will match rules 2 and 4, and will appear to be sent from wan_ip:80. Correct. 218
- Internal traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. The sender address will be the D-Link firewall's internal IP address, guaranteeing that return traffic passes through the D-Link firewall. 218
- Return traffic will automatically be handled by the D-Link firewall's stateful inspection mechanism. 218
- Chapter 8: User Authentication 220
- Overview 220
- Proving Identity 220
- Using Username / Passwords 220
- Authentication Setup 221
- Setup Summary 221
- The Need for Servers 221
- Authentication Sources 221
- The Local Database 221
- External Authentication Servers 221
- RADIUS with NetDefendOS 221
- RADIUS Security 222
- Authentication Rules 222
- Connection Timeouts 222
- Multiple Logins 222
- Authentication Processing 223
- HTTP Authentication 223
- Agent Options 224
- Setting up IP Rules 224
- Forcing Users to a Login Page 224
- Changing the Management WebUI Port 224
- The SAT rule catches all unauthenticated requests and must be set up with an all-to-one address mapping that directs them to the address 127.0.0.1, which corresponds to core (NetDefendOS itself). 225
- Example 8: Creating an Authentication User Group 226
- Example 8: User Authentication Setup for Web Access 226
- Example 8: Configuring a RADIUS Server 227
- Chapter 9 vpn 229
- Overview 229
- The need for vpns 229
- Vpn encryption 229
- Vpn planning 229
- Key distribution 230
- Ipsec lan to lan with pre shared keys 231
- Vpn quickstart guide 231
- A ip addresses already allocated 232
- Ipsec roaming clients with pre shared keys 232
- B ip addresses handed out by netdefendos 233
- Configuring the ipsec client 234
- Ipsec roaming clients with certificates 234
- L2tp roaming clients with pre shared keys 234
- L2tp roaming clients with certificates 236
- Pptp roaming clients 236
- General troubleshooting 237
- Vpn troubleshooting 237
- The ipsecstat console command 238
- Troubleshooting ipsec tunnels 238
- Management interface failure with vpn 239
- The ikesnoop console command 239
- Internet key exchange ike 240
- Overview 240
- Ike and ipsec lifetimes 241
- Ike negotiation 241
- Ike phase 1 ike security negotiation 241
- Ike proposals 241
- Ike parameters 242
- Ike phase 2 ipsec security negotiation 242
- Ike authentication 245
- Manual keying 245
- Certificate advantages 246
- Certificates 246
- Manual keying advantages 246
- Manual keying disadvantages 246
- Psk advantages 246
- Psk disadvantages 246
- Ah authentication header 247
- Certificate disadvantages 247
- Esp encapsulating security payload 247
- Figure 9 the ah protocol 247
- Figure 9 the esp protocol 247
- Ipsec protocols esp ah 247
- Nat traversal 248
- Nat traversal configuration 248
- Proposal lists 249
- Example 9 using a pre shared key 250
- Pre shared keys 250
- Pre-shared keys are used to authenticate VPN tunnels. The keys are secrets that are shared by the communicating parties before communication takes place. To communicate, both parties prove that they know the secret. The security of a shared secret depends on how good a passphrase is; passphrases that are common words are, for instance, extremely vulnerable to dictionary attacks. 250
- Pre-shared keys can be generated automatically through the WebUI, but they can also be generated through the CLI using the command pskgen. This command is fully documented in the CLI Reference Guide. 250
- Pre-shared keys (Chapter 9, VPN) 250
- Consider the scenario of travelling employees being given access to the internal corporate networks using VPN clients. The organization administers their own certificate authority and certificates have been issued to the employees. Different groups of employees are likely to have access to different parts of the internal networks; for instance, members of the sales force need access to servers running the order system, while technical engineers need access to technical databases. 251
- Example 9: Using an identity list 251
- Identification lists 251
- Identification lists (Chapter 9, VPN) 251
- Since the IP addresses of the travelling employees' VPN clients cannot be known beforehand, the incoming VPN connections from the clients cannot be differentiated. This means that the firewall is unable to control the access to various parts of the internal networks. 251
- The concept of identification lists presents a solution to this problem. An identification list contains one or more identities (IDs), where each identity corresponds to the subject field in an X.509 certificate. Identification lists can thus be used to regulate which X.509 certificates are given access to which IPsec tunnels. 251
- When X.509 certificates are used as the authentication method for IPsec tunnels, the D-Link Firewall will accept all remote firewalls or VPN clients that are capable of presenting a certificate signed by any of the trusted certificate authorities. This can be a potential problem, especially when using roaming clients. 251
- IPsec tunnels 253
- LAN-to-LAN tunnels with pre-shared keys 253
- Overview 253
- Roaming clients 253
- Computer from different locations is a typical example of a roaming client. Apart from the need for secure VPN access, the other major issue with roaming clients is that the mobile user's IP address is often not known beforehand. To handle the unknown IP address, NetDefendOS can dynamically add routes to the routing table as tunnels are established. 254
- Dealing with unknown IP addresses 254
- Example 9: Setting up a PSK based VPN tunnel for roaming clients 254
- If clients are to be allowed to roam in from everywhere, irrespective of their IP address, then the remote network needs to be set to all-nets (IP address 0.0.0.0/0), which will allow all existing IPv4 addresses to connect through the tunnel. 254
- If the IP address of the client is not known beforehand, then the D-Link Firewall needs to create a route in its routing table dynamically as each client connects. In the example below this is the case, and the IPsec tunnel is configured to dynamically add routes. 254
- PSK based client tunnels 254
- Roaming clients (Chapter 9, VPN) 254
- When configuring VPN tunnels for roaming clients it is usually not necessary to add to or modify the proposal lists that are pre-configured in NetDefendOS. 254
- Example 9: Setting up a self-signed certificate based VPN tunnel for roaming clients 255
- Self-signed certificate based client tunnels 255
- CA server issued certificate based client tunnels 256
- Example 9: Setting up a CA server issued certificate based VPN tunnel for roaming clients 256
- Setting up client tunnels using a Certification Authority issued X.509 certificate is largely the same as using self-signed certificates, with the exception of a couple of steps. Most importantly, it is the responsibility of the administrator to acquire the appropriate certificate from an issuing authority. With some systems, such as Windows 2000 Server, there is built-in access to a CA server (in Windows 2000 Server this is found in Certificate Services). For more information on CA server issued certificates, see Section 3, X.509 Certificates. 256
- An IP pool is a cache of IP addresses collected from DHCP servers, and leases on these addresses are automatically renewed when the lease time is about to expire. IP pools also manage additional information such as DNS and WINS/NBNS, just as an ordinary DHCP server would. For detailed information on pools, see Section 5, IP Pools. 257
- Defining the Config Mode object 257
- IKE Configuration Mode (Config Mode) is an extension to IKE that allows NetDefendOS to provide LAN configuration information to remote VPN clients. It is used to dynamically configure IPsec clients with IP addresses and corresponding netmasks, and to exchange other types of information associated with DHCP. The IP address provided to a client can either be based on a range of predefined static IP addresses defined for Config Mode, or it can come from DHCP servers associated with an IP Pool object. 257
- Using Config Mode 257
- After defining the Config Mode object, the only remaining action is to enable Config Mode to be used with the IPsec tunnel. 258
- Currently only one Config Mode object can be defined in NetDefendOS, and this is referred to as the Config Mode Pool object. The key parameters associated with it are as follows: 258
- DHCP: instructs the host to send any internal DHCP requests to this address. 258
- DNS: the IP address of the DNS used for URL resolution (already provided by an IP pool). 258
- Example 9: Setting up Config Mode 258
- Example 9: Using Config Mode with IPsec tunnels 258
- IP validation 258
- NBNS/WINS: the IP address for NBNS/WINS resolution (already provided by an IP pool). 258
- NetDefendOS always checks if the source IP address of each packet inside an IPsec tunnel is the same as the IP address assigned to the IPsec client with IKE Config Mode. If a mismatch is detected, the packet is always dropped and a log message generated with a severity level of Warning. This message includes the two IP addresses as well as the client identity. 258
- Subnets: a list of the subnets that the client can access. 258
- Use a static pool: as an alternative to using an IP pool, a static set of IP addresses can be defined. 258
- Use pre-defined IP Pool object: the IP Pool object that provides the IP addresses. 258
- An X.509 root certificate usually includes the IP address or hostname of the Certificate Authority to contact when certificates or Certificate Revocation Lists need to be downloaded to the D-Link Firewall. Lightweight Directory Access Protocol (LDAP) is used for these downloads. 259
- Example 9: Setting up an LDAP server 259
- Fetching CRLs from an alternate LDAP server 259
- Fetching CRLs from an alternate LDAP server (Chapter 9, VPN) 259
- However, in some scenarios this information is missing, or the administrator wishes to use another LDAP server. The LDAP configuration section can then be used to manually specify alternate LDAP servers. 259
- Optionally, the affected SA can be automatically deleted if validation fails by enabling the advanced setting IPsecDeleteSAOnIPValidationFailure. The default value for this setting is Disabled. 259
- Deployment 260
- Implementation 260
- Overview 260
- PPTP/L2TP 260
- Troubleshooting PPTP 260
- Example 9 1: Setting up an L2TP server 261
- L2TP (Chapter 9, VPN) 261
- L2TP is certificate based and therefore is simpler to administer with a large number of clients, and arguably offers better security than PPTP. Unlike PPTP, it is possible to set up multiple virtual networks across a single tunnel. Being IPsec based, L2TP requires NAT traversal (NAT-T) to be implemented on the LNS side of the tunnel. 261
- Layer 2 Tunneling Protocol (L2TP) is an IETF open standard that overcomes many of the problems of PPTP. Its design is a combination of the Layer 2 Forwarding (L2F) protocol and PPTP, making use of the best features of both. Since the L2TP standard does not implement encryption, it is usually implemented with an IETF standard known as L2TP/IPsec, in which L2TP packets are encapsulated by IPsec. The client communicates with a Local Access Concentrator (LAC), and the LAC communicates across the Internet with an L2TP Network Server (LNS). The D-Link Firewall acts as the LNS. The LAC is, in effect, tunneling data, such as a PPP session, using IPsec to the LNS across the Internet. In most cases the client will itself act as the LAC. 261
- Example 9 2: Setting up an L2TP tunnel 262
- Chapter 10: Traffic management 267
- Introduction 267
- NetDefendOS DiffServ support 267
- QoS with TCP/IP 267
- The traffic shaping solution 267
- Traffic shaping 267
- Traffic shaping objectives 267
- Pipe rules 268
- Traffic shaping in NetDefendOS 268
- Example 10: Applying a simple bandwidth limit 269
- Figure 10: Pipe rule set to pipe packet flow 269
- If no pipe is specified in a list, then traffic that matches the rule will not flow through any pipe, but it will also mean that the traffic will not be subject to any other pipe rules found later in the rule set. 269
- Simple bandwidth limiting 269
- Simple bandwidth limiting (Chapter 10, Traffic management) 269
- The simplest use of pipes is for bandwidth limiting. This is also a scenario that doesn't require much planning. The example that follows applies a bandwidth limit to inbound traffic only. This is the direction most likely to cause problems for Internet connections. 269
- Where one pipe is specified in a list, then that is the pipe whose characteristics will be applied to the traffic. If a series of pipes are specified, then these will form a chain of pipes through which traffic will pass. A chain can be made up of at most 8 pipes. 269
- A single pipe doesn't care which direction the traffic through it is coming from when it calculates total throughput. Using the same pipe for both outbound and inbound traffic is allowed by NetDefendOS, but it will not neatly partition pipe limits between the two directions. The following scenario clarifies this. 270
- Example 10: Limiting bandwidth in both directions 270
- In the previous example only bandwidth in the inbound direction is limited. We chose this direction because in most setups it is the direction that becomes full first. Now, what if we want to limit outbound bandwidth in the same way? 270
- Just inserting std-in in the forward chain won't work, since you probably want the 2 Mbps limit for outbound traffic to be separate from the 2 Mbps limit for inbound traffic. If we try to pass 2 Mbps of outbound traffic through the pipe in addition to 2 Mbps of inbound traffic, it adds up to 4 Mbps. Since the pipe limit is 2 Mbps, you'd get something close to 1 Mbps in each direction. 270
- Limiting bandwidth in both directions 270
- Limiting bandwidth in both directions (Chapter 10, Traffic management) 270
- Raising the total pipe limit to 4 Mbps won't solve the problem, since the single pipe will not know that 2 Mbps inbound and 2 Mbps outbound was intended. 3 Mbps outbound and 1 Mbps inbound might be the result, since that also adds up to 4 Mbps. 270
- The recommended way to control bandwidth in both directions is to use two separate pipes, one for inbound and one for outbound traffic. In the scenario under discussion, each pipe would have a 2 Mbps limit to achieve the desired result. The following example goes through the setup for this. 270
- Creating differentiated limits with chains 271
- Allocating precedence 272
- Figure 10: The eight pipe precedences 272
- Pipe precedences 272
- Precedences 272
- Applying precedences 273
- Figure 10: Minimum and maximum pipe precedence 273
- The best effort precedence 273
- The need for guarantees 273
- Differentiated guarantees 274
- Guarantees 274
- A simple groups scenario 275
- Figure 10: Traffic grouped per IP address 275
- Groups 275
- Recommendations 276
- Group limits and guarantees 276
- Pipe limits for VPN 276
- Relying on the group limit 276
- The importance of setting a pipe limit 276
- A summary of traffic shaping 277
- Attacks on bandwidth 277
- Limits should be slightly less than available bandwidth 277
- Limits shouldn't be higher than the available bandwidth 277
- Troubleshooting 277
- Watching for leaks 277
- Connection rate/total connection limiting 279
- Grouping 279
- Overview 279
- Rule actions 279
- Threshold rules 279
- Exempted connections 280
- Multiple triggered actions 280
- Threshold rule blacklisting 280
- Threshold rules and ZoneDefense 280
- Figure 10: A server load balancing configuration 281
- Overview 281
- Server load balancing 281
- Identifying the servers 282
- The distribution algorithm 282
- The load distribution mode 282
- Figure 10: Connections from three clients 283
- Figure 10: Stickiness and round-robin 283
- Figure 10: Stickiness and connection-rate 284
- Server health monitoring 284
- SLB_SAT rules 284
- Define a further rule that duplicates the source/destination interface/network of the SLB_SAT rule and that allows traffic through. This could be one or a combination of: 285
- Define a group which includes all these objects. 285
- Define an object for each server for which SLB is to be done. 285
- Define an SLB_SAT rule in the IP rule set which refers to this group and where all other SLB parameters are defined. 285
- Example 10: Setting up SLB 285
- ForwardFast 285
- If there are clients on the same network as the webservers that also need access to those webservers, then a NAT rule would also be used. 285
- Note that the destination interface is specified as core, meaning NetDefendOS itself deals with this. The key advantage of having a separate Allow rule is that the webservers can log the exact IP address that is generating external requests. Using only a NAT rule, which is possible, means that the webservers would see only the IP address of the D-Link Firewall. 285
- SLB_SAT rules (Chapter 10, Traffic management) 285
- The key component in setting up SLB is the SLB_SAT rule in the IP rule set. The steps that should be followed are: 285
- The table below shows the rules that would be defined for a typical scenario of a set of webservers behind a D-Link Firewall for which the load is being balanced. The Allow rule allows external clients to access the webservers. 285
- Chapter 11: High availability 289
- Cluster management 289
- HA clusters 289
- Hardware duplication 289
- Inter-connection 289
- Load sharing 289
- Overview 289
- The master and active units 289
- Extending redundancy 290
- High availability mechanisms 291
- Figure 11: High availability setup 293
- Hardware setup 293
- High availability setup 293
- NetDefendOS setup 294
- Verifying cluster functioning 294
- Changing the cluster ID 296
- Failed interfaces 296
- High availability issues 296
- Invalid checksums in heartbeat packets 296
- Using individual IPs 296
- Chapter 12: ZoneDefense 298
- Overview 298
- ZoneDefense switches 299
- Managed devices 300
- Manual blocking and exclude lists 300
- SNMP managers 300
- Threshold rules 300
- ZoneDefense operation 300
- As a complement to threshold rules, it is also possible to manually define hosts and networks that are to be statically blocked or excluded. Manually blocked hosts and networks can be blocked by default or based on a schedule. It is also possible to specify which protocols and protocol port numbers are to be blocked. 301
- Example 12: A simple ZoneDefense scenario 301
- Exclude lists can be created and used to exclude hosts from being blocked when a threshold rule limit is reached. Good practice includes adding to the list the firewall's interface IP or MAC address connecting towards the ZoneDefense switch. This prevents the firewall from being accidentally blocked out. 301
- Manual blocking and exclude lists (Chapter 12, ZoneDefense) 301
- A second difference is the maximum number of rules supported by different switches. Some switches support a maximum of 50 rules, while others support up to 800. Usually, in order to block a host or network, one rule per switch port is needed. When this limit has been reached, no more hosts or networks will be blocked out. 302
- Important 302
- Limitations 302
- Limitations (Chapter 12, ZoneDefense) 302
- There are some differences in ZoneDefense operation depending on switch model. The first difference is the latency between the triggering of a blocking rule and the moment when the switch(es) actually start blocking out the traffic matched by the rule. All switch models require a short period of latency time to implement blocking once the rule is triggered. Some models can activate blocking in less than a second, while some models may require a minute or more. 302
- ZoneDefense uses a range of the ACL rule set on the switch. To avoid potential conflicts in these rules and guarantee the firewall's access control, it is strongly recommended that the administrator clear the entire ACL rule set on the switch before executing the ZoneDefense setup. 302
- Chapter 13: Advanced settings 304
- IP level settings 304
- LogChecksumErrors 304
- Block0000Src 305
- Block0Net 305
- Block127Net 305
- BlockMulticastSrc 305
- DefaultTTL 305
- LayerSizeConsistency 305
- LogNonIP4 305
- LogReceivedTTL0 305
- TTLMin 305
- TTLOnLow 305
- DirectedBroadcasts 306
- IPOPT_OTHER 306
- IPOPT_SR 306
- IPOPT_TS 306
- IPOptionSizes 306
- StripDFOnSmall 306
- TCP level settings 307
- TCPMSSAutoClamping 307
- TCPMSSLogLevel 307
- TCPMSSMax 307
- TCPMSSMin 307
- TCPMSSOnHigh 307
- TCPMSSOnLow 307
- TCPMSSVPNMax 307
- TCPOptionSizes 307
- TCPOPT_ALTCHKDATA 308
- TCPOPT_ALTCHKREQ 308
- TCPOPT_SACK 308
- TCPOPT_TSOPT 308
- TCPOPT_WSOPT 308
- TCPZeroUnusedACK 308
- TCPZeroUnusedURG 308
- TCPECN 309
- TCPFinUrg 309
- TCPOPT_CC 309
- TCPOPT_OTHER 309
- TCPSynPsh 309
- TCPSynUrg 309
- TCPUrg 309
- TCPNULL 310
- TCPSequenceNumbers 310
- ICMP level settings 311
- ICMPSendPerSecLimit 311
- SilentlyDropStateICMPErrors 311
- ARP settings 312
- ARPChanges 312
- ARPMatchEnetSender 312
- ARPQueryNoSenderIP 312
- ARPRequests 312
- ARPSenderIP 312
- StaticARPChanges 312
- UnsolicitedARPReplies 312
- ARPBroadcast 313
- ARPCacheSize 313
- ARPExpire 313
- ARPExpireUnknown 313
- ARPHashSize 313
- ARPHashSizeVLAN 313
- ARPIPCollision 313
- ARPMulticast 313
- ConnReplace 314
- LogConnections 314
- LogConnectionUsage 314
- LogOpenFails 314
- LogReverseOpens 314
- LogStateViolations 314
- MaxConnections 314
- Stateful inspection settings 314
- AllowBothSidesToKeepConnAlive_UDP 316
- Connection timeouts 316
- ConnLife_IGMP 316
- ConnLife_Other 316
- ConnLife_Ping 316
- ConnLife_TCP 316
- ConnLife_TCP_FIN 316
- ConnLife_TCP_SYN 316
- ConnLife_UDP 316
- MaxAHLen 318
- MaxESPLen 318
- MaxGRELen 318
- MaxICMPLen 318
- MaxTCPLen 318
- MaxUDPLen 318
- Size limits by protocol 318
- LogOversizedPackets 319
- MaxIPCompLen 319
- MaxIPIPLen 319
- MaxL2TPLen 319
- MaxOSPFLen 319
- MaxOtherSubIPLen 319
- MaxSKIPLen 319
- DuplicateFragData 320
- Fragmentation settings 320
- IllegalFrags 320
- PseudoReass_MaxConcurrent 320
- DroppedFrags 321
- DuplicateFrags 321
- FragReassemblyFail 321
- FragmentedICMP 322
- MinimumFragLength 322
- ReassDoneLinger 322
- ReassIllegalLinger 322
- ReassTimeLimit 322
- ReassTimeout 322
- Local fragment reassembly settings 324
- LocalReass_MaxConcurrent 324
- LocalReass_MaxSize 324
- LocalReass_NumLarge 324
- DHCP settings 325
- DHCP_AllowGlobalBcast 325
- DHCP_DisableArpOnOffer 325
- DHCP_MinimumLeaseTime 325
- DHCP_UseLinkLocalIP 325
- DHCP_ValidateBcast 325
- DHCPRelay settings 326
- DHCPRelay_AutoSaveRelayInterval 326
- DHCPRelay_MaxAutoRoutes 326
- DHCPRelay_MaxHops 326
- DHCPRelay_MaxLeaseTime 326
- DHCPRelay_MaxPPMPerIface 326
- DHCPRelay_MaxTransactions 326
- DHCPRelay_TransactionTimeout 326
- DHCPServer_SaveRelayPolicy 326
- DHCPServer settings 327
- DHCPServer_AutoSaveLeaseInterval 327
- DHCPServer_SaveLeasePolicy 327
- IKECRLValidityTime 328
- IKEMaxCAPath 328
- IKESendCRLs 328
- IKESendInitialContact 328
- IPsec settings 328
- IPsecBeforeRules 328
- IPsecCertCacheMaxCerts 328
- IPsecDeleteSAOnIPValidationFailure 329
- Logging settings 330
- LogSendPerSecLimit 330
- Time synchronization settings 331
- TimeSync_DSTEnabled 331
- TimeSync_DSTOffs 331
- TimeSync_GroupIntervalSize 331
- TimeSync_MaxAdjust 331
- TimeSync_ServerType 331
- TimeSync_SyncInterval 331
- TimeSync_TimeServerIP1 331
- TimeSync_TimeServerIP2 331
- TimeSync_TimeServerIP3 331
- TimeSync_TimeZoneOffs 331
- TimeSync_DSTEndDate 332
- TimeSync_DSTStartDate 332
- PPP settings 333
- PPP_L2TPBeforeRules 333
- PPP_PPTPBeforeRules 333
- Hardware monitor settings 334
- HWM_PollInterval 334
- HWMMem_AlertLevel 334
- HWMMem_CriticalLevel 334
- HWMMem_Interval 334
- HWMMem_LogRepetition 334
- HWMMem_UsePercent 334
- HWMMem_WarningLevel 334
- Packet re-assembly settings 335
- Reassembly_MaxConnections 335
- Reassembly_MaxProcessingMem 335
- BufFloodRebootTime 336
- MaxPipeUsers 336
- Miscellaneous settings 336
- Appendix A: Subscribing to security updates 338
- Caution 338
- Database console commands 338
- Introduction 338
- Monitoring database updates 338
- Pre-empting database updates 338
- Subscription renewal 338
- Deleting local databases 339
- Querying server status 339
- Querying update status 339
- Appendix B: IDP signature groups 340
- For IDP scanning, the following signature groups are available for selection. These groups are available only for the D-Link Advanced IDP Service. There is a version of each group under the three types IDS, IPS and Policy. For further information, see Section 6, Intrusion Detection and Prevention. 340
- Appendix C: Checked MIME filetypes 344
- The HTTP Application Layer Gateway has the ability to verify that the contents of a file downloaded via the HTTP protocol is the type that the filetype in its filename indicates. 344
- This appendix lists the MIME filetypes that can be checked by NetDefendOS to make sure that the content matches the filetype of a download. Checking is done if the Check MIME Type option is enabled, as described in Section 6, HTTP. Checking is also always done if the filetype is ticked in the Allow Selected list for an HTTP ALG. 344
- Appendix D: The OSI framework 348
- Figure D: The 7 layers of the OSI model 348
- Appendix E: D-Link worldwide offices 349
- Alphabetical index 351