D-Link DFL-800 [329/552] Smtp log receiver for idp events chapter 6 security mechanisms

Содержание

• Network security firewall 1
• Security 1
• User manual 1
• Dfl 210 260 260e 800 860 860e dfl 1600 1660 2500 2560 2560g 2
• Netdefendos version 2 7 3 2
• User manual 2
• Copyright notice 3
• Dfl 210 260 260e 800 860 860e dfl 1600 1660 2500 2560 2560g 3
• Disclaimer 3
• Limitations of liability 3
• Netdefendos version 2 7 3 3
• User manual 3
• Table of contents 4
• List of figures 10
• List of examples 12
• Examples 14
• Intended audience 14
• Preface 14
• Screenshots 14
• Text structure and conventions 14
• Caution 15
• Highlighted content 15
• Important 15
• Trademarks 15
• Warning 15
• Chapter 1 netdefendos overview 16
• Features 16
• Key features 16
• Netdefendos as a network security operating system 16
• Netdefendos objects 16
• Netdefendos documentation 18
• Interface symmetry 19
• Interfaces 19
• Logical objects 19
• Netdefendos architecture 19
• Netdefendos building blocks 19
• State based architecture 19
• Stateful inspection 19
• Basic packet flow 20
• Netdefendos rule sets 20
• Note additional actions 21
• Figure 1 packet flow schematic part i 23
• Netdefendos state engine packet flow 23
• Figure 1 packet flow schematic part ii 24
• Figure 1 packet flow schematic part iii 25
• Apply rules 26
• Figure 1 expanded apply rules logic 26
• Chapter 2 management and maintenance 28
• Management interfaces 28
• Managing netdefendos 28
• Overview 28
• Creating additional accounts 29
• Important 29
• Multiple administration logins 29
• Note recommended browsers 29
• Remote management policies 29
• The default administrator account 29
• Assignment of a default ip address 30
• Logging on to the web interface 30
• Setting the management workstation ip 30
• The web interface 30
• First time web interface logon and the setup wizard 31
• Important switch off popup blocking 31
• Multi language support 31
• The web browser interface 31
• Interface layout 32
• Note remote management access 32
• Controlling access to the web interface 33
• Caution don t expose the management interface 34
• Logging out from the web interface 34
• The cli 34
• Tip correctly routing management traffic 34
• Cli command structure 35
• Note category and context 35
• Optional parameters are tab completed last 35
• Tab completion 35
• The cli command history 35
• Tip getting help about help 35
• Note rule names are recommended 36
• Tab completion of parameter values 36
• Object categories 37
• Selecting object categories 37
• Inserting into rule lists 38
• Referencing by name 38
• Specifying multiple property values 38
• Using hostnames in the cli 38
• Using unique names 38
• Serial console cli access 39
• Ssh secure shell cli access 39
• Changing the admin user password 40
• Changing the cli prompt 40
• Logging on to the cli 40
• Note the console password is separate 40
• Activating and committing changes 41
• Checking configuration integrity 41
• Configuring remote management access on an interface 41
• Logging off from the cli 41
• Tip the cli prompt is the webui device name 41
• Managing management sessions with sessionmanager 42
• Cli scripts 43
• Executing scripts 43
• Only four commands are allowed in scripts 43
• Script variables 43
• Error handling 44
• Note the symbol 0 is reserved 44
• Saving scripts 44
• Script output 44
• Script validation and command ordering 44
• Creating scripts automatically 45
• Listing scripts 45
• Removing scripts 45
• Commenting script files 46
• Scripts running other scripts 46
• Secure copy 46
• Tip listing commands at the console 46
• Netdefendos file organization 47
• Note scp examples do not show the password prompt 47
• Scp command format 47
• Activating uploads 48
• Examples of uploading and downloading 48
• The console boot menu 48
• Accessing the console boot menu 49
• Initial boot menu options without a password set 49
• Initial options with a console password set 50
• Local console timeout 50
• Management advanced settings 50
• Removing the console password 50
• Ssh before rules 50
• The console password is only for the console 50
• Validation timeout 50
• Webui before rules 50
• Configuration objects 51
• Https certificate 51
• Object organization 51
• Object types 51
• Webui http port 51
• Webui https port 51
• Working with configurations 51
• Example 2 displaying a configuration object 52
• Show servicetcpudp telnet 52
• When accessing object via the cli you can omit the category name and just use the type name the cli command in the above example for instance could be simplified to 52
• Working with configurations chapter 2 management and maintenance 52
• Changes to a configuration object will not be applied to a running system until the new netdefendos configuration is activated 53
• Example 2 adding a configuration object 53
• Example 2 editing a configuration object 53
• Important configuration changes must be activated 53
• Working with configurations chapter 2 management and maintenance 53
• After modifying several configuration objects you might want to see a list of the objects that were changed added and removed since the last commit 54
• Example 2 deleting a configuration object 54
• Example 2 undeleting a configuration object 54
• Listing modified objects 54
• Working with configurations chapter 2 management and maintenance 54
• Activating and committing a configuration 55
• After changes to a configuration have been made the configuration has to be activated for those changes to have an impact on the running system during the activation process the new proposed configuration is validated and netdefendos will attempt to initialize affected subsystems with the new configuration data 55
• Example 2 0 activating and committing a configuration 55
• Example 2 listing modified configuration objects 55
• If the new configuration is validated netdefendos will wait for a short period 30 seconds by default during which a connection to the administrator must be re established as described previously if the configuration was activated via the cli with the activate command then a commit command must be issued within that period if a lost connection could not be re established or if the commit command was not issued then netdefendos will revert to using the previous configuration this is a fail safe mechanism and amongst others things can help prevent a remote administrator from locking themselves out 55
• Important committing ipsec changes 55
• The administrator should be aware that if any changes that affect the configurations of live ipsec tunnels are committed then those live tunnels connections will be terminated and must be re established 55
• Working with configurations chapter 2 management and maintenance 55
• Note changes must be committed 56
• Event severity 57
• Event types 57
• Events and logging 57
• Log message generation 57
• Log messages 57
• Message format 57
• Overview 57
• Creating log receivers 58
• Disabling memory logging 58
• Logging to memorylogreceiver 58
• Logging to syslog hosts 58
• Memory for logging is limited 58
• Overview 58
• Message format 59
• Note syslog server configuration 59
• The prio and severity fields 59
• Note snmp trap standards 60
• Snmp traps 60
• Snmp traps in netdefendos 60
• The snmp protocol 60
• Advanced log settings 61
• Advanced log settings chapter 2 management and maintenance 61
• Alarm repetition interval 61
• Default 2000 61
• Default 60 one minute 61
• Send limit 61
• The administrator must make a case by case judgement about the message load that log servers can deal with this can often depend on the server hardware platform being used and if the resources of the platform are being shared with other tasks 61
• The delay in seconds between alarms when a continuous alarm is used minimum 0 maximum 10 000 61
• The following advanced settings for netdefendos event logging are available to the administrator 61
• This setting specifies the maximum log messages that netdefendos will send per second this value should never be set too low as this may result in important events not being logged nor should it be set too high when the maximum is exceeded the excess messages are dropped and are not buffered 61
• Overview 62
• Radius accounting 62
• Radius accounting messages 62
• Radius architecture 62
• Start message parameters 62
• Stop message parameters 63
• Activating radius accounting 64
• Interim accounting messages 64
• Radius accounting and high availability 64
• Radius accounting security 64
• Tip the meaning of the asterisk after a list entry 64
• Accounting and system shutdowns 65
• Allow on error 65
• Handling unresponsive servers 65
• Limitations with nat 65
• Radius advanced settings 65
• Continue to be logged in 66
• Default 1024 66
• Default enabled 66
• Disabling the setting will mean that the user will be logged out if the radius accounting server cannot be reached even though the user has been previously authenticated 66
• Example 2 3 radius accounting server setup 66
• If there is an orderly shutdown of the netdefend firewall by the administrator then netdefendos will delay the shutdown until it has sent radius accounting stop messages to any configured radius server 66
• If this option is not enabled netdefendos will shutdown even though there may be radius accounting sessions that have not been correctly terminated this could lead to the situation that the radius server will assume users are still logged in even though their sessions have been terminated 66
• Logout at shutdown 66
• Maximum radius contexts 66
• Radius advanced settings chapter 2 management and maintenance 66
• The maximum number of contexts allowed with radius this applies to radius use with both accounting and authentication 66
• Availability 67
• Enabling hardware monitoring 67
• Hardware monitoring 67
• Note the meaning of x 67
• Using the hwm cli command 67
• Note different hardware has different sensors and ranges 68
• Setting the minimum and maximum range 68
• Defining snmp access 69
• Enabling an ip rule for snmp 69
• Overview 69
• Snmp monitoring 69
• The community string 69
• The netdefendos mib 69
• Enable snmp traffic to the firewall regardless of configured ip rules 70
• Example 2 4 enabling snmp monitoring 70
• It should be noted that snmp version 1 or 2c access means that the community string will be sent as plain text over a network this is clearly insecure if a remote client is communicating over the public internet it is therefore advisable to have remote access take place over an encrypted vpn tunnel or similarly secure means of communication 70
• Preventing snmp overload 70
• Remote access encryption 70
• Snmp access port 161 is usually used for snmp and netdefendos always expects snmp traffic on that port 70
• Snmp advanced settings 70
• Snmp advanced settings chapter 2 management and maintenance 70
• Snmp before ruleslimit 70
• The advanced setting snmp request limit restricts the number of snmp requests allowed per second this can help prevent attacks through snmp overload 70
• The following snmp advanced settings can be found under the remote management section in the webui 70
• Interface alias 71
• Interface description snmp 71
• Snmp request limit 71
• System contact 71
• System location 71
• System name 71
• A simple example 72
• Re using capture files 72
• Running on multiple interfaces 72
• The pcapdump command 72
• Downloading the output file 73
• Filter expressions 73
• Note netdefendos keeps track of saved files 73
• Output file naming restrictions 73
• Combining filters 74
• Compatibility with wireshark 74
• Auto update mechanism 75
• Backing up configurations 75
• Maintenance 75
• Version compatability 75
• Warning do not upload a system backup to dissimilar hardware 75
• Backup and restore using scp 76
• Operation interruption 76
• The management interfaces used 76
• A restore to factory defaults can be applied so that it is possible to return to the original hardware state that existed when the netdefend firewall was shipped by d link when a restore is applied all data such as the idp and anti virus databases are lost and must be reloaded 77
• As an alternative to using scp the administrator can initiate a backup or restore of the configuration or complete system directly through the webui the example below illustrates how this is done 77
• Backup and restore using the webui 77
• Backups include only static information from the netdefendos configuration dynamic information such as the dhcp server lease database or anti virus idp databases will not be backed up 77
• Important any upgrades will be lost after a factory reset 77
• It should be understood that a reset to factory defaults is exactly that any netdefendos upgrades performed since the unit left the factory will be lost 77
• Note backups do not contain everything 77
• Reset procedure for the netdefend dfl 210 260 260e 800 860 and 860e 77
• Restore to factory defaults 77
• Restore to factory defaults chapter 2 management and maintenance 77
• End of life procedures 78
• Reset procedure for the netdefend dfl 1600 1660 2500 2560 and 2560g 78
• Warning do not abort a reset to defaults 78
• Chapter 3 fundamentals 80
• Ip addresses 80
• Overview 80
• The address book 80
• 24 corresponds to a class c net with 256 addresses netmask 255 55 55 27 corresponds to a 32 address net netmask 255 55 55 24 and so on 81
• Example 3 adding an ip host 81
• Example 3 adding an ip network 81
• Example 3 adding an ip range 81
• Ip addresses chapter 3 fundamentals 81
• Ip network an ip network is represented using classless inter domain routing cidr form cidr uses a forward slash and a digit 0 32 to denote the size of the network as a postfix this is also known as the netmask 81
• Ip range a range of ip addresses is represented with the form a b c d e f g h 81
• Note that ranges are not limited to netmask boundaries they may include any span of ip addresses for example 192 68 0 192 68 5 represents six hosts in consecutive order 81
• The numbers 0 32 correspond to the number of binary ones in the netmask for example 192 68 24 81
• Deleting in use ip objects 82
• Ethernet address objects are used to define symbolic names for ethernet addresses also known as mac addresses this is useful for example when populating the arp table with static arp entries or for other parts of the configuration where symbolic names are preferred over numerical ethernet addresses 82
• Ethernet addresses 82
• Ethernet addresses chapter 3 fundamentals 82
• Example 3 adding an ethernet address 82
• Example 3 deleting an address object 82
• If an ip object is deleted that is in use by another object then netdefendos will not allow the configuration to be deployed and will produce a warning message in other words it will appear that the object has been successfully deleted but netdefendos will not allow the configuration to be saved to the netdefend firewall 82
• When specifying an ethernet address the format aa bb cc dd ee ff should be used ethernet addresses are also displayed using this format 82
• Address groups 83
• Groups can contain different subtypes 83
• Groups simplify configuration 83
• Ip addresses can be excluded 83
• Address book folders 84
• Auto generated address objects 84
• A service is passive 85
• Overview 85
• Predefined services 85
• Services 85
• Creating custom services 86
• Creating custom services chapter 3 fundamentals 86
• Example 3 viewing a specific service 86
• Icmp service a service based on the icmp protocol this is discussed further in section 3 icmp services 86
• If the list of predefined netdefendos service objects does not meet the requirements for certain traffic then a new service can be created reading this section will explain not only how new services are created but also provides an understanding of the properties of predefined services 86
• Ip protocol service a service based on a user defined protocol this is discussed further in section 3 custom ip protocol services 86
• Service group a service group consisting of a number of services this is discussed further in section 3 service groups 86
• Tcp udp service a service based on the udp or tcp protocol or both this type of service is discussed further in this section 86
• The type of service created can be one of the following 86
• Specifying port numbers 87
• Tcp and udp based services 87
• Tcp and udp service definition 87
• Udp orientated applications 87
• Other service properties 88
• Specifying all services 88
• Tip specifying source ports 88
• Icmp services 89
• Icmp types and codes 89
• Restrict services to the minimum necessary 89
• Tip the http all service does not include dns 89
• Icmp message types 90
• Specifying codes 90
• Custom ip protocol services 91
• Groups can contain other groups 91
• Ip protocol numbers 91
• Service groups 91
• The advantage of groups 91
• Custom service timeouts 92
• Interface types 93
• Interfaces 93
• Overview 93
• Source and destination interfaces 93
• All interfaces are logically equivalent 94
• Disabling an interface 94
• Interfaces have unique names 94
• The any and core interfaces 94
• Warning 94
• Ethernet frames 95
• Ethernet interface parameters 95
• Ethernet interfaces 95
• Note interface sockets connected via a switch fabric 95
• Note usage of the terms interface and port 95
• Physical ethernet interfaces 95
• Note interface enumeration 96
• Tip specifying multiple ip addresses on an interface 96
• Note a gateway ip cannot be deleted with dhcp enabled 97
• Changing the ip address of an ethernet interface 98
• The difference between logical and physical ethernet interfaces 98
• Showing assigned interfaces 99
• Useful cli commands for ethernet interfaces 99
• Enabling dhcp 100
• Ethernet device commands 100
• Setting interface addresses 100
• Overview 101
• Physical vlan connection with vlan 102
• Vlan processing 102
• Figure 3 vlan connections 103
• Note 802 ad is not supported 103
• License limitations 104
• Summary of vlan setup 104
• Unknown vlan tags 104
• Vlan advanced settings 104
• Ppp authentication 105
• Pppoe client configuration 105
• The ppp protocol 105
• Dial on demand 106
• Ip address information 106
• Note pppoe has a discovery protocol 106
• Unnumbered pppoe 106
• User authentication 106
• Example 3 1 configuring a pppoe client 107
• For reasons connected with the way ip addresses are shared in a netdefendos high availability cluster pppoe will not operate correctly it should there not be configured with ha 107
• Gre is typically used to provide a method of connecting two networks together across a third network such as the internet the two networks being connected together communicate with a common protocol which is tunneled using gre through the intervening network examples of gre usage are 107
• Gre tunnels 107
• Gre tunnels chapter 3 fundamentals 107
• Overview 107
• Pppoe cannot be used with ha 107
• The generic router encapsulation gre protocol is a simple encapsulating protocol that can be used whenever there is a need to tunnel traffic across networks and or through network devices gre does not provide any security features but this means that its use has extremely low overhead 107
• Traversing network equipment that blocks a particular protocol 107
• Using gre 107
• Gre security and performance 108
• Setting up gre 108
• An example gre scenario 109
• Gre and the ip rule set 109
• Setup for netdefend firewall a 109
• Checking gre tunnel status 110
• Setup for netdefend firewall b 110
• Interface groups 111
• The security transport equivalent option 111
• Ip addressing over ethernet 112
• Overview 112
• The expires column 112
• The netdefendos arp cache 112
• Tip osi layers 112
• Flushing the arp cache 113
• The size of the arp cache 113
• Creating arp objects 114
• Static mode arp objects 114
• Published arp objects 115
• Publishing modes 115
• Figure 3 an arp publish ethernet frame 116
• Multicast and broadcast 116
• Publishing entire networks 116
• Unsolicited arp replies 116
• Using arp advanced settings 116
• Arp advanced settings summary 117
• Arp match ethernet sender 117
• Arp requests 117
• Changes to the arp cache 117
• Matching ethernet addresses 117
• Sender ip 0 117
• Arp changes 118
• Arp query no sender 118
• Arp requests 118
• Arp sender ip 118
• Log arp resolve failure 118
• Static arp changes 118
• Unsolicited arp replies 118
• Arp broadcast 119
• Arp cache size 119
• Arp expire 119
• Arp expire unknown 119
• Arp hash size 119
• Arp hash size vlan 119
• Arp multicast 119
• Arp ip collision 120
• Ip rule sets 121
• Security policies 121
• Security policy characteristics 121
• The netdefendos security policy rule sets 121
• Ip rules and the default main ip rule set 122
• Specifying any interface or network 122
• Creating a drop all rule 123
• Figure 3 simplified netdefendos traffic flow 123
• Tip include the rule set name in the drop all name 123
• Traffic flow needs an ip rule and a route 123
• Ip rule evaluation 124
• Non matching traffic 124
• Stateful inspection 124
• The first matching principle 124
• Tip rules in the wrong order sometimes cause problems 124
• Bi directional connections 125
• Ip rule actions 125
• Editing ip rule set entries 126
• Ip rule set folders 126
• Using reject 126
• A compliment or alternative to folders for organizing different type of netdefendos object lists is the configuration object groups feature object groups gather together configuration objects under a specified title text for the purpose of organizing their display in graphical user interfaces unlike folders they do not require the folder to be opened for the individual objects to become visible instead all objects are already visible and they are displayed in a way that indicates how they are grouped together 127
• Configuration object groups 127
• Configuration object groups chapter 3 fundamentals 127
• Groups can be used in most cases where netdefendos objects are displayed as tables where each line in the table is an instance of an object the most common usage will be for the netdefendos address book to arrange ip addresses and in particular for organizing rules in ip rule sets which is why they are introduced in this section 127
• Object groups and the cli 127
• Object groups are a recommended way to document the contents of netdefendos configurations 127
• The concept of folders can be used to organise groups of netdefendos objects into related collections these work much like the folders concept found in a computer s file system folders are described in relation to the address book in section 3 address book folders and can also be used when organizing ip rules 127
• The display function of object groups means they do not have relevance to the command line interface cli it is not possible to define or otherwise modify object groups with the cli and they will not be displayed in cli output any group editing must be done through the web interface and this is described next 127
• This can be very useful for someone seeing a configuration for the first time such as technical support staff in an ip rule set that contains hundreds of rules it can often prove difficult to quickly identify those rules associated with a specific aspect of netdefendos operation 127
• Tip object groups help to document configurations 127
• A simple example 128
• Editing group properties 128
• Adding additional objects 129
• Adding preceding objects 129
• Groups and folders 130
• Leaving a group 130
• Moving group objects 130
• Moving groups 130
• Removing a group 130
• Important set the system date and time 131
• Multiple time ranges 131
• Schedule objects 131
• Schedule parameters 131
• Schedules 131
• Example 3 7 setting up a time scheduled policy 132
• Schedules chapter 3 fundamentals 132
• Certificate authorities 133
• Certificate components 133
• Certificates 133
• Certificates with vpn tunnels 133
• Overview 133
• Certificate revocation lists 134
• Certificates in netdefendos 134
• Identification lists 134
• Important 134
• Reusing root certificates 134
• Trusting certificates 134
• Validity time 134
• Ca certificate requests 135
• Ca certificate requests chapter 3 fundamentals 135
• Convert the pfx file into the pem format 135
• Create a gateway certificate on the windows ca server and export it as a file in the pfx format 135
• Example 3 8 uploading a certificate 135
• Example 3 9 associating certificates with ipsec tunnels 135
• It is possible however to manually create the required files for a windows ca server using the following stages 135
• Manually creating windows ca server requests 135
• The netdefendos web interface webui does not currently include the ability to generate certificate requests that can be sent to a ca server for generation of the cer and key files required by netdefendos 135
• There are two types of certificates that can be uploaded self signed certificates and remote certificates belonging to a remote peer or ca server self signed certificates can be generated by using one of a number of freely available utilities for doing this 135
• To request certificates from a ca server or ca company the best method is to send a ca certificate request which is a file that contains a request for a certificate in a well known predefined format 135
• Current date and time 137
• Date and time 137
• Note a reconfigure is not required 137
• Overview 137
• Setting date and time 137
• Time synchronization protocols 137
• Time zones 137
• Daylight saving time 138
• Example 3 1 setting the time zone 138
• Example 3 2 enabling dst 138
• Many regions follow daylight saving time dst or summer time as it is called in some countries and this means clocks are advanced for the summer period unfortunately the principles regulating dst vary from country to country and in some cases there can be variations within the same country for this reason netdefendos does not automatically know when to adjust for dst instead this information has to be manually provided if daylight saving time is to be used 138
• The netdefendos time zone setting reflects the time zone where the netdefend firewall is physically located 138
• The world is divided up into a number of time zones with greenwich mean time gmt in london at zero longitude being taken as the base time zone all other time zones going east and west from zero longitude are taken as being gmt plus or minus a given integer number of hours all locations counted as being inside a given time zone will then have the same local time and this will be one of the integer offsets from gmt 138
• There are two parameters governing daylight saving time the dst period and the dst offset the dst period specifies on what dates daylight saving time starts and ends the dst offset indicates the number of minutes to advance the clock during the daylight saving time period 138
• Time servers 138
• Time servers chapter 3 fundamentals 138
• Configuring time servers 139
• Important dns servers need to be configured in netdefendos 139
• Time synchronization protocols 139
• Example 3 4 manually triggering a time synchronization 140
• Example 3 5 modifying the maximum adjustment value 140
• If the timesyncinterval parameter is not specified when using the cli to set the synchronization interval the default of 86400 seconds equivalent to one day is used 140
• Maximum time adjustment 140
• Time servers chapter 3 fundamentals 140
• To avoid situations where a faulty time server causes the clock to be updated with a extremely inaccurate time a maximum adjustment value in seconds can be set if the difference between the current netdefendos time and the time received from a time server is greater than this maximum adjustment value then the time server response will be discarded for example assume that the maximum adjustment value is set to 60 seconds and the current netdefendos time is 16 42 35 if a time server responds with a time of 16 43 38 then the difference is 63 seconds this is greater than the maximum adjustment value so no update occurs for this response 140
• D link time servers 141
• Settings summary for date and time 141
• Synchronization intervals 141
• Time zone 141
• Dst end date 142
• Dst offset 142
• Dst start date 142
• Interval between synchronization 142
• Max time drift 142
• Primary time server 142
• Secondary time server 142
• Teriary time server 142
• Time sync server type 142
• Group interval 143
• Dns with netdefendos 144
• Features requiring dns resolution 144
• Overview 144
• Dynamic dns 145
• Note a high rate of server queries can cause problems 145
• Chapter 4 routing 147
• Overview 147
• Static routing 148
• The components of a route 148
• The principles of routing 148
• A typical routing scenario 149
• Figure 4 a typical routing scenario 149
• The local ip address parameter 150
• The narrowest routing table match is selected 150
• Figure 4 using local ip address with an unbound network 151
• All traffic must have two associated routes 152
• Netdefendos route notation 152
• Static routing 152
• The route lookup mechanism 152
• Composite subnets can be specified 153
• Netdefendos route definition advantages 153
• Default static routes are added automatically for each interface 154
• Displaying routing tables 154
• Example 4 displaying the main routing table 154
• In the cli example above it was necessary to first select the name of a specific routing table with the cc command meaning change category or change context before manipulating individual routes this is necessary for any category that could contain more than one named group of objects 154
• It is important to note that routing tables that are initially configured by the administrator can have routes added deleted and changed automatically during live operation and these changes will appear when the routing table contents are displayed 154
• Static routing chapter 4 routing 154
• These routing table changes can take place for different reasons for example if dynamic routing with ospf has been enabled then routing tables will become populated with new routes learned from communicating with other ospf routers in an ospf network other events such as route fail over can also cause routing table contents to change over time 154
• Tip the cli cc command may be needed first 154
• When the netdefend firewall is started for the first time netdefendos will automatically add a 154
• Core routes 155
• Note the metric for default routes is 100 155
• The all nets route 155
• For detailed information about the output of the cli routes command please see the cli reference guide 156
• It is therefore not unusual to have backup internet connectivity using a secondary isp the connections to the two service providers often use different routes to avoid a single point of failure 156
• Netdefend firewalls are often deployed in mission critical locations where availability and connectivity is crucial for example an enterprise relying heavily on access to the internet could have operations severely disrupted if a single connection to the external internet via a single internet service provider isp fails 156
• Overview 156
• Route failover 156
• Route failover chapter 4 routing 156
• Tip understanding output from the routes command 156
• To allow for a situation with multiple isps netdefendos provides a route failover capability so that should one route fail traffic can automatically failover to another alternate route netdefendos implements route failover through the use of route monitoring in which netdefendos monitors the availability of routes and then switches traffic to an alternate route should the primary preferred route fail 156
• Automatically added routes need redefining 157
• Figure 4 a route failover scenario for isp access 157
• Setting the route metric 157
• Setting up route failover 157
• Failover processing 158
• Multiple failover routes 158
• Re enabling routes 158
• Route interface grouping 158
• Enabling host monitoring 159
• Gratuitous arp generation 159
• Host monitoring for route failover 159
• Overview 159
• Specifying hosts 160
• A known issue when no external route is specified 161
• Advanced settings for route failover 161
• Arp poll interval 161
• Http parameters 161
• Iface poll interval 161
• The reachability required option 161
• A typical scenario 162
• Consecutive fails 162
• Consecutive success 162
• Grace time 162
• Gratuitous arp on fail 162
• Overview 162
• Ping poll interval 162
• Proxy arp 162
• Figure 4 a proxy arp example 163
• Setting up proxy arp 163
• Transparent mode as an alternative 163
• Automatically added routes 164
• Not all interfaces can make use of proxy arp 164
• Proxy arp and high availability clusters 164
• Overview 165
• Policy based routing 165
• Policy based routing rules 165
• Policy based routing tables 165
• Routing table selection 166
• The ordering parameter 166
• A common mistake with policy based routing is the absence of the default route with a destination interface of all nets in the default main routing table 167
• Example 4 creating a policy based routing table 167
• Example 4 creating the route 167
• If there is no route that is an exact match then the absence of a default all nets route will mean that the connection will be dropped 167
• Important ensure all nets appears in the main table 167
• The ordering parameter chapter 4 routing 167
• Example 4 policy based routing configuration 168
• The ordering parameter chapter 4 routing 168
• Disabling rlb 170
• Enabling rlb 170
• Overview 170
• Rlb operation 170
• Route load balancing 170
• Figure 4 the rlb round robin algorithm 171
• Figure 4 the rlb spillover algorithm 172
• Using route metrics with round robin 172
• Using route metrics with spillover 172
• An rlb scenario 173
• Rlb limitations 173
• Rlb resets 173
• The requirement for matching ip ranges 173
• By using the destination rlb algorithm we can ensure that clients communicate with a particular server using the same route and therefore the same source ip address if nat was being used for the client communication the ip address seen by the server would be wan1 or wan2 174
• Example 4 setting up rlb 174
• Figure 4 a route load balancing scenario 174
• In order to flow any traffic requires both a route and an allowing ip rule the following rules will allow traffic to flow to either isp and will nat the traffic using the external ip addresses of interfaces wan1 and wan2 174
• Route load balancing chapter 4 routing 174
• The service all is used in the above ip rules but this should be further refined to a service or service group that covers all the traffic that will be allowed to flow 174
• We first need to define two routes to these two isps in the main routing table as shown below 174
• We will not use the spillover algorithm in this example so the routing metric for both routes should be the same in this case a value of 100 is selected 174
• If both tunnels must be for example ipsec connects it is possible to wrap ipsec in a gre tunnel in other words the ipsec tunnel is carried by a gre tunnel gre is a simple tunneling protocol without encryption and therefore involves a minimum of extra overhead see section 3 gre tunnels for more about this topic 175
• If we were to try and use rlb to balance traffic between two ipsec tunnels the problem that arises is that the remote endpoint for any two ipsec tunnels in netdefendos must be different the solutions to this issue are as follows 175
• In order to get the second tunnel to function in this case it is necessary to add a single host route in the main routing table that points to the secondary isps interface and with the secondary isps gateway 175
• Rlb with vpn 175
• Route load balancing chapter 4 routing 175
• This solution has the advantage of providing redundancy should one isp link fail 175
• Use two isps with one tunnel connecting through one isp and the other tunnel connecting through the other isp rlb can then be applied as normal with the two tunnels 175
• Use vpn with one tunnel that is ipsec based and another tunnel that is uses a different protocol 175
• When using rlb with vpn a number of issues need to be overcome 175
• Differences to static routing 176
• Distance vector algorithms 176
• Dynamic routing 176
• Link state algorithms 176
• A simple ospf scenario 177
• Advantages of link state algorithms 177
• Figure 4 a simple ospf scenario 177
• Ospf is not available on all d link netdefend models 177
• The ospf solution 177
• A look at routing metrics 178
• Figure 4 ospf providing route redundancy 178
• Ospf provides route redundancy 178
• Tip ring topologies always provide alternate routes 178
• Link state routing 179
• Ospf concepts 179
• Ospf is not available on all d link netdefend models 179
• Overview 179
• The autonomous system 179
• Authentication 180
• Ospf area components 180
• Ospf areas 180
• The designated router 180
• A linking areas without direct connection to the backbone 181
• Aggregates 181
• Neighbors 181
• Virtual links 181
• B linking a partitioned backbone 182
• Figure 4 0 virtual links connecting areas 182
• Figure 4 1 virtual links with partitioned backbone 183
• Ospf high availability support 183
• Using ospf with netdefendos 183
• Figure 4 2 netdefendos ospf objects 184
• General parameters 184
• Ospf components 184
• Ospf router process 184
• Authentication 185
• Advanced 186
• General parameters 186
• Note authentication must be the same on all routers 186
• Ospf area 186
• Import filter 187
• Note different interface types can be used with ospf interfaces 187
• Ospf interface 187
• Ospf aggregates 189
• Ospf neighbors 189
• Ospf vlinks 189
• Dynamic routing rules 190
• Note linking partitioned backbones 190
• Overview 190
• The final ospf setup step is creating dynamic routing rules 190
• The reasons for dynamic routing rules 190
• Usage with ospf 190
• Dynamic routing rule 191
• Dynamic routing rule objects 191
• Figure 4 3 dynamic routing rule objects 191
• General parameters 191
• Ospf requires at least an import rule 191
• Specifying a filter 191
• When to use export rules 191
• Destination network 192
• General parameters 192
• More parameters 192
• Ospf action 192
• Routing action 192
• Setting up ospf 193
• Confirming ospf deployment 195
• Ospf routing information exchange begins automatically 195
• Sending ospf traffic through a vpn tunnel 195
• An ospf example 196
• Tip non ospf traffic can also use the tunnel 196
• An ospf example chapter 4 routing 197
• Example 4 0 import routes from an ospf as into the main routing table 197
• Example 4 add an ospf area 197
• Example 4 add ospf interface objects 197
• Example 4 creating an ospf router process 197
• An ospf example chapter 4 routing 198
• Example 4 1 exporting the default route into an ospf as 198
• Multicast routing 199
• Note interface multicast handling must be on or auto 199
• Overview 199
• Reverse path forwarding 199
• Routing to the correct interface 199
• The multicast problem 199
• The multicast routing solution 199
• Underlying principles 199
• Multicast forwarding no address translation 200
• Multicast forwarding with sat multiplex rules 200
• Note an allow or nat rule is also needed 200
• Example 4 2 forwarding of multicast traffic using the sat multiplex rule 201
• Figure 4 4 multicast forwarding no address translation 201
• Multicast forwarding with sat multiplex rules chapter 4 routing 201
• Note sat multiplex rules must have a matching allow rule 201
• Remember to add an allow rule that matches the sat multiplex rule 201
• The matching rule could also be a nat rule for source address translation see below but cannot be a fwdfast or sat rule 201
• Cc ipruleset main 202
• Creating multiplex rules through the cli requires some additional explanation 202
• Creating multiplex rules with the cli 202
• First the ipruleset in this example main needs to be selected as the current category 202
• If for example multiplexing of the multicast group 239 92 00 0 is required to the output interfaces if2 and if3 then the command to create the rule would be 202
• Multicast forwarding address translation scenario 202
• Multicast forwarding with sat multiplex rules chapter 4 routing 202
• Multiplexargument if2 if3 202
• Multiplexargument outif1 ip1 outif2 ip2 outif3 ip3 202
• The cli command to create the multiplex rule is then 202
• The destination interface is core since 239 92 00 0 is a multicast group no address translation of 239 92 00 0 was added but if it is required for say if2 then the final argument would be 202
• The two values outif ip represent a combination of output interface and if address translation of a group is needed an ip address 202
• As previously noted remember to add an allow rule matching the sat multiplex rule 203
• Example 4 3 multicast forwarding address translation 203
• Figure 4 5 multicast forwarding address translation 203
• Multicast forwarding with sat multiplex rules chapter 4 routing 203
• No address translation should be made when forwarding through interface if1 the configuration of the corresponding igmp rules can be found below in section 4 igmp rules configuration address translation 203
• This scenario is based on the previous scenario but this time the multicast group is translated when the multicast streams 239 92 0 24 are forwarded through the if2 interface the multicast groups should be translated into 237 92 0 24 203
• If a neighboring router is statically configured to deliver a multicast stream to the netdefend firewall an igmp query would also not have to be specified 204
• If address translation of the source address is required the allow rule following the sat multiplex rule should be replaced with a nat rule 204
• If the multicast source is located on a network directly connected to the router no query rule is needed 204
• Igmp configuration 204
• Igmp configuration chapter 4 routing 204
• Igmp queries 204
• Igmp reports 204
• Igmp signalling between hosts and routers can be divided into two categories 204
• Netdefendos supports two igmp modes of operation 204
• Normally both types of rule have to be specified for igmp to function but there are two exceptions 204
• Note replace allow with nat for source ip translation 204
• Proxy mode 204
• Queries are igmp messages sent from the router towards the hosts in order to make sure that it will not close any stream that some host still wants to receive 204
• Reports are sent from hosts towards the router when a host wants to subscribe to new multicast groups or change current multicast subscriptions 204
• Snoop mode 204
• The operation of these two modes are shown in the following illustrations 204
• Figure 4 6 multicast snoop mode 205
• Figure 4 7 multicast proxy mode 205
• Igmp rules configuration no address translation 205
• Example 4 4 igmp no address translation 206
• Igmp configuration chapter 4 routing 206
• Example 4 5 if1 configuration 207
• Igmp configuration chapter 4 routing 207
• Igmp rules configuration address translation 207
• The following examples illustrates the igmp rules needed to configure igmp according to the address translation scenario described above in section 4 multicast forwarding address translation scenario we need two igmp report rules one for each client interface the interface if1 uses no address translation and if2 translates the multicast group to 237 92 0 24 we also need two query rules one for the translated address and interface and one for the original address towards if1 207
• Two examples are provided one for each pair of report and query rule the upstream multicast router uses ip upstreamrouterip 207
• Example 4 6 if2 configuration group translation 208
• Igmp configuration chapter 4 routing 208
• Advanced igmp settings 209
• Auto add multicast core route 209
• Igmp before rules 209
• Igmp last member query interval 209
• Igmp lowest compatible version 209
• Igmp react to own queries 209
• Igmp router version 209
• Igmp max interface requests 210
• Igmp max total requests 210
• Igmp query interval 210
• Igmp query response interval 210
• Igmp robustness variable 210
• Igmp startup query count 210
• Igmp startup query interval 210
• Igmp unsolicated report interval 210
• Comparison with routing mode 212
• Overview 212
• Switch routes 212
• Transparent mode 212
• Transparent mode usage 212
• Usage scenarios 212
• How transparent mode works 213
• Note transparent and routing mode can be combined 213
• Enabling transparent mode 214
• Multiple switch routes are connected together 214
• Restricting the network parameter 214
• Creating separate transparent mode networks 215
• Transparent mode with vlans 215
• Enabling transparent mode directly on interfaces 216
• High availability and transparent mode 216
• Transparent mode with dhcp 216
• Enabling internet access 217
• Figure 4 8 non transparent mode internet access 217
• Figure 4 9 transparent mode internet access 217
• Grouping ip addresses 218
• Netdefendos may also need internet access 218
• Scenario 1 218
• Transparent mode scenarios 218
• Using nat 218
• Example 4 7 setting up transparent mode for scenario 1 219
• Figure 4 0 transparent mode scenario 1 219
• Transparent mode scenarios chapter 4 routing 219
• All hosts connected to lan and dmz the lan and dmz interfaces share the 10 24 address space as this is configured using transparent mode any ip address can be used for the servers and there is no need for the hosts on the internal network to know if a resource is on the same network or placed on the dmz the hosts on the internal network are allowed to communicate with an http server on dmz while the http server on the dmz can be reached from the internet the netdefend firewall is transparent between the dmz and lan but traffic is still controlled by the ip rule set 220
• Example 4 8 setting up transparent mode for scenario 2 220
• Figure 4 1 transparent mode scenario 2 220
• Here the netdefend firewall in transparent mode separates server resources from an internal network by connecting them to a separate interface without the need for different address ranges 220
• Scenario 2 220
• Transparent mode scenarios chapter 4 routing 220
• Transparent mode scenarios chapter 4 routing 221
• Netdefendos includes support for relaying the bridge protocol data units bpdus across the netdefend firewall bpdu frames carry spanning tree protocol stp messages between layer 2 switches in a network stp allows the switches to understand the network topology and avoid the occurrences of loops in the switching of packets 222
• Spanning tree bpdu support 222
• Spanning tree bpdu support chapter 4 routing 222
• The diagram below illustrates a situation where bpdu messages would occur if the administrator enables the switches to run the stp protocol two netdefend firewalls are deployed in transparent mode between the two sides of the network the switches on either side of the firewall need to communicate and require netdefendos to relay switch bpdu messages in order that packets do not loop between the firewalls 222
• Advanced settings for transparent mode 223
• Cam to l3 cache dest learning 223
• Enabling disabling bpdu relaying 223
• Figure 4 2 an example bpdu relaying scenario 223
• Implementing bpdu relaying 223
• Cam size 224
• Decrement ttl 224
• Dynamic cam size 224
• Dynamic l3c size 224
• L3 cache size 224
• Note optimal ats handling 224
• Transparency ats expire 224
• Transparency ats size 224
• Broadcast enet sender 225
• Multicast enet sender 225
• Null enet sender 225
• Relay spanning tree bpdus 225
• Relay mpls 226
• Chapter 5 dhcp services 228
• Dhcp leases 228
• Ip address assignment 228
• Lease expiration 228
• Overview 228
• Dhcp options 229
• Dhcp servers 229
• Multiple dhcp servers 229
• Searching the server list 229
• Using relayer ip address filtering 229
• Dhcp server advanced settings 230
• Displaying ip to mac address mappings 231
• Additional server settings 232
• Figure 5 dhcp server objects 232
• Static dhcp hosts 232
• Static host parameters 232
• Tip lease database saving 232
• Adding a custom option to the dhcp server definition allows the administrator to send specific pieces of information to dhcp clients in the dhcp leases that are sent out 233
• An example of this is certain switches that require the ip address of a tftp server from which they can get certain extra information 233
• Can be specified as this parameter the option exists to also specify if the identifier will be sent as an ascii or hexadecimal value 233
• Custom options 233
• Custom options chapter 5 dhcp services 233
• Example 5 static dhcp host assignment 233
• Custom option parameters 234
• A dhcp relayer takes the place of the dhcp server in the local network and acts as the link between the client and a remote dhcp server it intercepts requests coming from clients and relays them to the dhcp server the dhcp server then responds to the relayer which forwards the response back to the client dhcp relayers use the tcp ip bootstrap protocol bootp to implement this relay functionality for this reason dhcp relayers are sometimes referred to as bootp relay agents 235
• Although all netdefendos interfaces are core routed that is to say a route exists by default that routes interface ip addresses to core for relayed dhcp requests this core routing does not apply instead the interface is the source interface and not core 235
• Dhcp relaying 235
• Dhcp relaying chapter 5 dhcp services 235
• Example 5 setting up a dhcp relayer 235
• For relayed dhcp traffic the option exists in netdefendos to use the interface on which it listens as the source interface for forwarded traffic or alternatively the interface on which it sends out the forwarded request 235
• The dhcp problem 235
• The dhcp relayer solution 235
• The source ip of relayed dhcp traffic 235
• With dhcp clients send requests to locate the dhcp server s using broadcast messages however broadcasts are normally only propagated across the local network this means that the dhcp server and client always need to be on the same physical network in a large internet like network topology this means there would have to be a different dhcp server on every network this problem is solved by the use of a dhcp relayer 235
• Default 10 seconds 236
• Default 32 236
• Default 5 236
• Default 500 packets 236
• Dhcp relay advanced settings 236
• Dhcp relay advanced settings chapter 5 dhcp services 236
• For how long a dhcp transaction can take place 236
• How many dhcp packets a client can send to through netdefendos to the dhcp server during one minute 236
• How many hops the dhcp request can take between the client and the dhcp server 236
• Max hops 236
• Max lease time 236
• Max ppm 236
• Max transactions 236
• Maximum number of transactions at the same time 236
• The following advanced settings are available with dhcp relaying 236
• The maximum lease time allowed by netdefendos if the dhcp server has a higher lease time it 236
• Transaction timeout 236
• Auto save interval 237
• Auto save policy 237
• Max auto routes 237
• Advanced ip pool options 238
• Basic ip pool options 238
• Ip pools 238
• Ip pools with config mode 238
• Overview 238
• Listing ip pool status 239
• Memory allocation for prefetched leases 239
• Example 5 creating an ip pool 240
• Ip pools chapter 5 dhcp services 240
• Other options in the ippool command allow the administrator to change the pool size and to free up ip addresses the complete list of command options can be found in the cli reference guide 240
• Access rules 242
• Chapter 6 security mechanisms 242
• Custom access rules are optional 242
• Overview 242
• The default access rule 242
• Access rule actions 243
• Access rule filtering fields 243
• Access rule settings 243
• Ip spoofing 243
• Note enabling logging 243
• Turning off default access rule messages 243
• Access rule settings chapter 6 security mechanisms 244
• Example 6 setting up an access rule 244
• If for some reason the default access rule log message is continuously being generated by some source and needs to be turned off then the way to do this is to specify an access rule for that source with an action of drop 244
• It should be noted that access rules are a first filter of traffic before any other netdefendos modules can see it sometimes problems can appear such as setting up vpn tunnels precisely because of this it is always advisable to check access rules when troubleshooting puzzling problems in case a rule is preventing some other function such as vpn tunnel establishment from working properly 244
• Troubleshooting access rule related problems 244
• Deploying an alg 245
• Figure 6 deploying an alg 245
• Overview 245
• Http alg features 246
• Maximum connection sessions 246
• The http alg 246
• Tip maximum sessions for http can sometimes be too low 246
• Figure 6 http alg processing order 248
• Note similarities with other netdefendos features 248
• The ordering for http filtering 248
• Using wildcards in white and blacklists 248
• A discussion of ftp security issues 249
• Deploying an http alg 249
• Ftp connection modes 249
• Ftp connections 249
• The ftp alg 249
• Hybrid mode 250
• The netdefendos alg solution 250
• Connection restriction options 251
• Figure 6 ftp alg hybrid mode 251
• Ftp alg command restrictions 251
• Note hybrid conversion is automatic 251
• Predefined ftp algs 251
• Anti virus scanning 252
• Control channel restrictions 252
• Filetype checking 252
• Note some commands are never allowed 252
• Ftp alg with zonedefense 253
• Note zonedefense won t block infected servers 253
• The ftp alg chapter 6 security mechanisms 254
• The ftp alg chapter 6 security mechanisms 255
• Example 6 protecting ftp clients 256
• The ftp alg chapter 6 security mechanisms 256
• The ftp alg chapter 6 security mechanisms 257
• General tftp options 258
• Setting up ftp servers with passive mode 258
• The tftp alg 258
• Allowing request timeouts 259
• Smtp alg options 259
• Tftp request options 259
• The smtp alg 259
• The ordering for smtp filtering 260
• Enhanced smtp and extensions 261
• Figure 6 smtp alg processing order 261
• Using wildcards in white and blacklists 261
• Anti spam filtering 262
• Smtp alg with zonedefense 262
• Tip exclusion can be manually configured 262
• Creating a dnsbl consesus 263
• Dnsbl databases 263
• Dnsbl server queries 263
• Figure 6 anti spam filtering 263
• The netdefendos anti spam implementation 263
• A threshold calculation example 264
• Alternative actions for dropped spam 264
• Tagging spam 264
• Adding x spam information 265
• Allowing for failed dnsbl servers 265
• Verifying the sender email 265
• Caching addresses for performance 266
• Logging 266
• Setup summary 266
• The dnsbl cli command 267
• Pop3 alg options 268
• The pop3 alg 268
• Tip dnsbl servers 268
• Figure 6 pptp alg usage 269
• Pptp alg setup 269
• The pptp alg 269
• Why the pptp alg is needed 269
• Pptp alg settings 270
• The sip alg 270
• Netdefendos sip setup 271
• Note traffic shaping will not work with the sip alg 271
• Sip alg options 271
• Sip components 271
• Sip media related protocols 271
• Ip rules for media data 272
• The sip proxy record route option 272
• Scenario 1 protecting local clients proxy located on the internet 273
• Sip usage scenarios 273
• Note nat traversal should not be configured 274
• Note nat traversal should not be configured 275
• Scenario 2 protecting proxy and local clients proxy on the same network as clients 275
• The service object for ip rules 275
• Scenario 3 protecting proxy and local clients proxy on the dmz interface 277
• H 23 components 280
• The h 23 alg 280
• H 23 alg features 281
• H 23 protocols 281
• H 23 alg configuration 282
• The h 23 alg chapter 6 security mechanisms 283
• Example 6 h 23 with private ip addresses 284
• The h 23 alg chapter 6 security mechanisms 284
• Example 6 two phones behind different netdefend firewalls 285
• The h 23 alg chapter 6 security mechanisms 285
• To place a call to the phone behind the netdefend firewall place a call to the external ip address on the firewall if multiple h 23 phones are placed behind the firewall one sat rule has to be configured for each phone this means that multiple external addresses have to be used however it is preferred to use a h 23 gatekeeper as in the h 23 with gatekeeper scenario as this only requires one external address 285
• Example 6 using private ip addresses 286
• The h 23 alg chapter 6 security mechanisms 286
• Example 6 h 23 with gatekeeper 287
• The h 23 alg chapter 6 security mechanisms 287
• To place a call to the phone behind the netdefend firewall place a call to the external ip address on the firewall if multiple h 23 phones are placed behind the firewall one sat rule has to be configured for each phone this means that multiple external addresses have to be used however it is preferable to use an h 23 gatekeeper as this only requires one external address 287
• The h 23 alg chapter 6 security mechanisms 288
• Example 6 h 23 with gatekeeper and two netdefend firewalls 289
• Note outgoing calls do not need a specific rule 289
• The h 23 alg chapter 6 security mechanisms 289
• There is no need to specify a specific rule for outgoing calls netdefendos monitors the communication between external phones and the gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper 289
• Example 6 0 using the h 23 alg in a corporate environment 290
• Note outgoing calls do not need a specific rule 290
• The h 23 alg chapter 6 security mechanisms 290
• There is no need to specify a specific rule for outgoing calls netdefendos monitors the communication between external phones and the gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper 290
• The h 23 alg chapter 6 security mechanisms 291
• The h 23 alg chapter 6 security mechanisms 292
• Example 6 1 configuring remote offices for h 23 293
• Example 6 2 allowing the h 23 gateway to register with the gatekeeper 293
• Note outgoing calls do not need a specific rule 293
• The h 23 alg chapter 6 security mechanisms 293
• There is no need to specify a specific rule for outgoing calls netdefendos monitors 293
• Overview 294
• The relationship with ssl 294
• The tls alg 294
• Tls is certificate based 294
• Advantages of using netdefendos for tls termination 295
• Enabling tls 295
• Figure 6 tls termination 295
• Cipher suites supported by netdefendos tls 296
• Netdefendos tls limitations 296
• Urls delivered by servers 296
• Active content handling 297
• Caution consider the consequences of removing objects 297
• Filtering mechanisms 297
• Note enabling wcf 297
• Overview 297
• Web content filtering 297
• Static and dynamic filter ordering 298
• Static content filtering 298
• Wildcarding 298
• Example 6 4 setting up a white and blacklist 299
• Example com bad this will also cause www myexample com to be blocked since it blocks all sites ending with example com 299
• Gif good this will block all files with gif as the file name extension 299
• Note the hosts and networks blacklist is separate 299
• Static content filtering chapter 6 security mechanisms 299
• Web content filtering url blacklisting is a separate concept from section 6 blacklisting hosts and networks 299
• Www example com bad this will only block the first request to the web site surfing to www example com index html for example will not be blocked 299
• Dynamic wcf databases 300
• Dynamic wcf is only available on certain netdefend models 300
• Dynamic web content filtering 300
• Overview 300
• Wcf processing flow 300
• Categorizing pages and not sites 301
• Figure 6 dynamic content filtering flow 301
• Note new url submissions are done anonymously 301
• Setting up wcf 301
• Wcf and whitelisting 301
• Activation 302
• Allow if the external wcf database is not accessible urls are allowed even though they might be disallowed if the wcf databases were accessible 302
• Deny if wcf is unable to function then urls are denied if external database access to verify them is not possible the user will see an access denied web page 302
• Dynamic content filtering is a feature that is enabled by taking out a separate subscription to the service this is an addition to the normal netdefendos license 302
• Dynamic web content filtering chapter 6 security mechanisms 302
• Example 6 5 enabling dynamic web content filtering 302
• If the administrator would like the content filtering policy to vary depending on the time of the day they can make use of a schedule object associated with the corresponding ip rule for more information please see section 3 schedules 302
• Once a subscription is taken out an http application layer gateway alg object should be defined with dynamic content filtering enabled this object is then associated with a service object and the service object is then associated with a rule in the ip rule set to determine which traffic should be subject to the filtering this makes possible the setting up of a detailed filtering policy based on the filtering parameters that are used for rules in the ip rule set 302
• Setting fail mode 302
• The option exists to set the http alg fail mode in the same way that it can be set for some other algs and it applies to wcf just as it does to functions such as anti virus scanning the fail mode setting determines what happens when dynamic content filtering cannot function and typically this is because netdefendos is unable to reach the external databases to perform url lookup fail mode can have one of two settings 302
• Tip using a schedule 302
• After running in audit mode for some period of time it is easier to then have a better understanding of the surfing behavior of different user groups and also to better understand the potential impact of turning on the wcf feature 303
• Audit mode 303
• Blocking websites can disturb users if it is introduced suddenly it is therefore recommended that the administrator gradually introduces the blocking of particular categories one at a time this allows individual users time to get used to the notion that blocking exists and could avoid any adverse reaction that might occur if too much is blocked at once gradual introduction also makes it 303
• Dynamic web content filtering chapter 6 security mechanisms 303
• In audit mode the system will classify and log all surfing according to the content filtering policy but restricted web sites will still be accessible to the users this means the content filtering feature of netdefendos can then be used as an analysis tool to analysis what categories of websites are being accessed by a user community and how often 303
• Introducing blocking gradually 303
• Allowing override 304
• As the process of classifying unknown web sites is automated there is always a small risk that some sites are given an incorrect classification netdefendos provides a mechanism for allowing users to 304
• By enabling this functionality only users that have a valid reason to visit inappropriate sites will normally do so other will avoid those sites due to the obvious risk of exposing their surfing habits 304
• Caution overriding the restriction of a site 304
• Dynamic web content filtering chapter 6 security mechanisms 304
• Easier to evaluate if the goals of site blocking are being met 304
• Example 6 6 enabling audit mode 304
• For this reason netdefendos supports a feature called allow override with this feature enabled the content filtering component will present a warning to the user that he is about to enter a web site that is restricted according to the corporate policy and that his visit to the web site will be logged this page is known as the restricted site notice the user is then free to continue to the url or abort the request to prevent being logged 304
• If a user overrides the restricted site notice page they are allowed to surf to all pages without any new restricted site message appearing again the user is however still being logged when the user has become inactive for 5 minutes the restricted site page will reappear if they then try to access a restricted site 304
• On some occasions active content filtering may prevent users carrying out legitimate tasks consider a stock analyst who deals with on line gaming companies in his daily work he might need to browse gambling web sites to conduct company assessments if the corporate policy blocks gambling web sites he will not be able to do his job 304
• Reclassification of blocked sites 304
• Content filtering categories 305
• Dynamic web content filtering chapter 6 security mechanisms 305
• Example 6 7 reclassifying a blocked site 305
• If reclassification is enabled and a user requests a web site which is disallowed the block web page will include a dropdown list containing all available categories if the user believes the requested web site is wrongly classified he can select a more appropriate category from the dropdown list and submit that as a proposal 305
• Manually propose a new classification of sites 305
• The url to the requested web site as well as the proposed category will then be sent to d link s central data warehouse for manual inspection that inspection may result in the web site being reclassified either according to the category proposed or to a category which is felt to be correct 305
• This mechanism can be enabled on a per http alg level which means that the administrator can choose to enable this functionality for regular users or for a selected user group only 305
• This section lists all the categories used with dynamic content filtering and describes the purpose 305
• Category 1 adult content 306
• Category 2 news 306
• Category 3 job search 306
• Category 4 gambling 306
• Category 5 travel tourism 306
• Category 10 game sites 307
• Category 6 shopping 307
• Category 7 entertainment 307
• Category 8 chatrooms 307
• Category 9 dating sites 307
• Category 11 investment sites 308
• Category 12 e banking 308
• Category 13 crime terrorism 308
• Category 14 personal beliefs cults 308
• Category 15 politics 308
• Category 16 sports 309
• Category 17 www email sites 309
• Category 18 violence undesirable 309
• Category 19 malicious 309
• Category 20 search sites 309
• Category 21 health sites 310
• Category 22 clubs and societies 310
• Category 23 music downloads 310
• Category 24 business oriented 310
• Category 25 government blocking list 310
• Category 26 educational 310
• Category 27 advertising 311
• Category 28 drugs alcohol 311
• Category 29 computing it 311
• Category 30 swimsuit lingerie models 311
• Category 31 spam 311
• Category 32 non managed 312
• Compressionforbidden contentforbidden urlforbidden restrictedsitenotice reclassifyurl 312
• Customizing html pages 312
• Dynamic web content filtering chapter 6 security mechanisms 312
• Dynamic web content filtering make use of a set of html files to present information to the user when certain conditions occur such as trying to access a blocked site these web pages sometimes referred to as http banner files are stored within netdefendos but can be customized to suit a particular installation s needs the webui provides a simple way to download edit and upload these files the available files are 312
• Example 6 8 editing content filtering http banner files 312
• To perform customization it is necessary to first create a new named alg banner files object this new object automatically contains a copy of all the files in the default alg banner files object these new files can then be edited and uploaded back to netdefendos the original default object cannot be edited the following example goes through the necessary steps 312
• Unclassified sites and sites that do not fit one of the other categories will be placed in this category it is unusual to block this category since this could result in most harmless urls being blocked 312
• Html page parameters 313
• Tip saving changes 313
• Uploading with scp 313
• Anti virus scanning 314
• Combining with client anti virus scanning 314
• Enabling through algs 314
• Implementation 314
• Note anti virus is not available on all netdefend models 314
• Overview 314
• Pattern matching 314
• Streaming 314
• Activating anti virus scanning 315
• Association with an alg 315
• Creating anti virus policies 315
• Protocol specific behavior 315
• Relationship with idp 315
• Simultaneous scans 315
• Types of file downloads scanned 315
• Anti virus options 316
• Database updates 316
• General options 316
• Safestream 316
• Scan exclude option 316
• Subscribing to the d link anti virus service 316
• The signature database 316
• Compression ratio limit 317
• Setting the correct system time 317
• Updating in high availability clusters 317
• Verifying the mime type 317
• Anti virus with zonedefense 318
• Anti virus options chapter 6 security mechanisms 319
• Idp availability for d link models 320
• Idp issues 320
• Intrusion definition 320
• Intrusion detection 320
• Intrusion detection and prevention 320
• Maintenance and advanced idp 320
• Netdefendos idp components 320
• Overview 320
• Figure 6 idp database updating 321
• Subscribing to the d link advanced idp service 321
• Idp rules 322
• Rule components 322
• Setting the correct system time 322
• The terms idp ips and ids 322
• Updating in high availability clusters 322
• Figure 6 0 idp signature selection 323
• Http normalization 323
• Idp signature selection 323
• Checking dropped packets 324
• Evasion attacks 324
• Initial packet processing 324
• Insertion attacks 324
• Insertion evasion attack prevention 324
• Overview 324
• Detection action 325
• Idp pattern matching 325
• Insertion evasion log events 325
• Recognizing unknown threats 325
• Recommended configuration 325
• Signature advisories 325
• Signatures 325
• Idp signature groups 326
• Idp signature types 326
• Specifying signature groups 326
• Using groups 326
• Action options 327
• Caution use the minimum idp signatures necessary 327
• Idp actions 327
• Idp signature wildcarding 327
• Listing of idp groups 327
• Processing multiple actions 327
• Idp blacklisting 328
• Idp zonedefense 328
• Smtp log receiver for idp events 328
• The ip address of smtp log receivers is required 328
• Example 6 1 setting up idp for a mail server 329
• Smtp log receiver for idp events chapter 6 security mechanisms 329
• Smtp log receiver for idp events chapter 6 security mechanisms 330
• The preceding example uses an entire idp group name when enabling idp however it is possible 330
• Using individual signatures 330
• Denial of service attack prevention 332
• Dos attack mechanisms 332
• Overview 332
• Ping of death and jolt attacks 332
• Fragmentation overlap attacks teardrop bonk boink and nestea 333
• The land and latierra attacks 333
• The winnuke attack 333
• Amplification attacks smurf papasmurf fraggle 334
• Avoiding becoming an amplifier 334
• Protection on the victim s side 334
• Algs automatically provide flood protection 335
• Distributed dos attacks 335
• Spotting syn floods 335
• Tcp syn flood attacks 335
• The jolt2 attack 335
• The syn flood defence mechanism 335
• Blacklisting hosts and networks 337
• Blacklisting options 337
• Note restarts do not effect the blacklist 337
• Overview 337
• Tip important ip addresses should be whitelisted 337
• Whitelisting 337
• Note the content filtering blacklist is separate 338
• The cli blacklist command 338
• Chapter 7 address translation 340
• Overview 340
• Types of translation 340
• Figure 7 nat ip address translation 341
• Limitations on the number of connections 341
• Nat provides many to one ip address translation 341
• Applying nat translation 342
• The source ip address used for translation 342
• Tip use nat pools to get around the connection limit 342
• 1 2 3 32789 343
• 68 1038 343
• Example 7 adding a nat rule 343
• Figure 7 a nat example 343
• Nat chapter 7 address translation 343
• Netdefendos receives the packet and compares it to its list of open connections once it finds the connection in question it restores the original address and forwards the packet 343
• The original sender now receives the response 343
• The sequence of these events is illustrated further in the diagram below 343
• A useful application of the nat feature in netdefendos is for anonymizing service providers to 344
• An internal machine can communicate with several external servers using different ip protocols 344
• An internal machine can communicate with several external servers using the same ip protocol 344
• Anonymizing internet traffic with nat 344
• Dynamic address translation is able to deal with the tcp udp and icmp protocols with a good level of functionality since the algorithm knows which values can be adjusted to become unique in the three protocols for other ip level protocols unique connections are identified by their sender addresses destination addresses and protocol numbers 344
• Nat chapter 7 address translation 344
• Netdefendos can alter port number information in the tcp and udp headers to make each connection unique even though such connections have had their sender addresses translated to the same ip 344
• Note restrictions only apply to ip level protocols 344
• Protocols handled by nat 344
• Several internal machines can communicate with different external servers using the same ip protocol 344
• Several internal machines can communicate with the same server using different ip protocols 344
• Several internal machines can not communicate with the same external server using the same ip protocol 344
• Some protocols regardless of the method of transportation used can cause problems during address translation 344
• These restrictions apply only to ip level protocols other than tcp udp and icmp such as ospf and l2tp they do not apply to the protocols transported by tcp udp and icmp such as telnet ftp http and smtp 344
• This means that 344
• Figure 7 anonymizing with nat 345
• Nat pools 346
• Overview 346
• Stateful nat pools 346
• Types of nat pools 346
• Fixed nat pools 347
• Ip pool usage 347
• Proxy arp usage 347
• Stateless nat pools 347
• Using nat pools 347
• Nat pools chapter 7 address translation 348
• Note port forwarding 349
• Sat requires multiple ip rules 349
• The role of the dmz 349
• The second rule must trigger on the untranslated destination ip 349
• Translation of a single ip address 1 1 349
• Example 7 enabling traffic to a protected web server in a dmz 350
• Figure 7 the role of the dmz 350
• Note the dmz port could be any port 350
• On all models of d link netdefend hardware there is a specific ethernet interface which is marked as being for the dmz network although this is the port s intended use it could be used for other purposes and any ethernet interface could also be used instead for a dmz 350
• The illustration below shows a typical network arrangement with the netdefend firewall mediating communications between the public internet and servers in the dmz and between the dmz and local clients on a network called lan 350
• Translation of a single ip address 1 1 chapter 7 address translation 350
• Translation of a single ip address 1 1 chapter 7 address translation 351
• Example 7 enabling traffic to a web server on an internal network 352
• Translation of a single ip address 1 1 chapter 7 address translation 352
• Translation of a single ip address 1 1 chapter 7 address translation 353
• A single sat rule can be used to translate an entire range of ip addresses in this case the result is a transposition where the first original ip address will be translated to the first ip address in the translation list and so on 354
• An example of when this is useful is when having several protected servers in a dmz and where each server should be accessible using a unique public ip address 354
• Attempts to communicate with 194 2 will result in a connection to 192 68 6 354
• Attempts to communicate with 194 6 will result in a connection to 192 68 0 354
• Example 7 translating traffic to multiple protected web servers 354
• For instance a sat policy specifying that connections to the 194 6 29 network should be translated to 192 68 0 will result in transpositions which are described in the table below 354
• In other words 354
• Translation of multiple ip addresses m n 354
• Translation of multiple ip addresses m n chapter 7 address translation 354
• Translation of multiple ip addresses m n chapter 7 address translation 355
• All to one mappings n 1 356
• All to one mappings n 1 chapter 7 address translation 356
• Attempts to communicate with 194 0 port 80 will result in a connection to 192 68 0 356
• Attempts to communicate with 194 6 port 80 will result in a connection to 192 68 0 356
• Netdefendos can be used to translate ranges and or groups into just one ip address 356
• Port translation 356
• This rule produces a n 1 translation of all addresses in the group the range 194 6 194 0 plus 194 0 to the ip 192 68 0 356
• When all nets is the destination all to one mapping is always done 356
• Multiple sat rule matches 357
• Note a custom service is needed for port translation 357
• Protocols handled by sat 357
• Again note that the above rules require a matching allow rule at a later point in the rule set in order to work 358
• External traffic to wan_ip 80 will match rules 1 and 3 and will be sent to wwwsrv correct 358
• In this instance both rules are set to translate the destination address meaning that only one of them will be carried out if an attempt is made internally to communicate with the web servers public address it will instead be redirected to an intranet server if any other attempt is made to communicate with the web servers public address it will be redirected to the private address of the publicly accessible web server 358
• Internal traffic to wan_ip 80 will match rules 1 and 3 and will be sent to wwwsrv this is almost correct the packets will arrive at wwwsrv but 358
• It is possible to employ static address translation in conjunction with fwdfast rules although return traffic must be explicitly granted and translated 358
• Return traffic from wwwsrv 80 to internal machines will be sent directly to the machines themselves this will not work as the packets will be interpreted as coming from the wrong address 358
• Return traffic from wwwsrv 80 will match rules 2 and 4 and will appear to be sent from wan_ip 80 correct 358
• Sat and fwdfast rules 358
• Sat and fwdfast rules chapter 7 address translation 358
• The following rules make up a working example of static address translation using fwdfast rules to a web server located on an internal network 358
• The two above rules may both be carried out concurrently on the same connection in this instance internal sender addresses will be translated to addresses in pubnet in a 1 1 relationship in addition if anyone tries to connect to the public address of the web server the destination address will be changed to its private address 358
• We now add a nat rule to allow connections from the internal network to the internet 358
• We will now try moving the nat rule between the sat and fwdfast rules 358
• What happens now is as follows 358
• External traffic to wan_ip 80 will match rules 1 and 4 and will be sent to wwwsrv correct 359
• External traffic to wan_ip 80 will match rules 1 and 5 and will be sent to wwwsrv 359
• Internal traffic to wan_ip 80 will match rules 1 and 4 and will be sent to wwwsrv the sender address will be the netdefend firewall s internal ip address guaranteeing that return traffic passes through the netdefend firewall 359
• Return traffic from wwwsrv 80 will match rules 2 and 3 359
• Return traffic from wwwsrv 80 will match rules 2 and 3 the replies will therefore be dynamically address translated this changes the source port to a completely different port which will not work 359
• Return traffic will automatically be handled by the netdefend firewall s stateful inspection mechanism 359
• Sat and fwdfast rules chapter 7 address translation 359
• The problem can be solved using the following rule set 359
• What happens now 359
• Chapter 8 user authentication 361
• Making use of username password combinations 361
• Overview 361
• Proving identity 361
• Authentication setup 363
• Group membership 363
• Setup summary 363
• The local database 363
• Using groups with ip rules 363
• Caution use the network option with care 364
• Granting administration privileges 364
• Note other authentication sources do not have the pptp l2tp option 364
• Pptp l2tp configuration 364
• Specifying an ssh public key 364
• External ldap servers 365
• External radius servers 365
• Radius security 365
• Radius usage with netdefendos 365
• Reasons for using external servers 365
• Setting up ldap authentication 365
• Support for groups 365
• Defining an ldap server 366
• General settings 366
• Ldap attributes 366
• Ldap issues 366
• Microsoft active directory as the ldap server 366
• Note the ldap server database determines the correct value 367
• Database settings 368
• Important the base object must be specified correctly 368
• Bind request authentication 369
• Ldap server responses 369
• Optional settings 369
• Usernames may need the domain 369
• Ldap authentication and ppp 370
• Ldap authentication cli commands 370
• Real time monitoring statistics 370
• Figure 8 normal ldap authentication 371
• Authentication rule parameters 372
• Authentication rules 372
• Figure 8 ldap for ppp with chap ms chapv1 or ms chapv2 372
• Important the link to the ldap server must be protected 372
• Connection timeouts 373
• Authentication processing 374
• Multiple logins 374
• A group usage example 375
• Agent options 375
• Changing the management webui port 375
• Http authentication 375
• Combination a realm string can optionally be specified which will appear in the browser s dialog 376
• Forcing users to a login page 376
• Form is recommended over basicauth because in some cases the browser might hold the login data in its cache 376
• Http authentication cannot operate unless a rule is added to the ip rule set to explicitly allow authentication to take place if we consider the example of a number of clients on the local network lannet who would like access to the public internet through the wan interface then the ip rule set would contain the following rules 376
• Http authentication chapter 8 user authentication 376
• If the agent is set to https then the host certificate and root certificate have to be chosen from a list of certificates already loaded into netdefendos 376
• Setting up ip rules 376
• The first rule allows the authentication process to take place and assumes the client is trying to access the lan_ip ip address which is the ip address of the interface on the netdefend firewall where the local network connects 376
• The sat rule catches all unauthenticated requests and must be set up with an all to one address mapping that directs them to the address 127 which corresponds to core netdefendos itself 376
• The second rule allows normal surfing activity but we cannot just use lannet as the source network since the rule would trigger for any unauthenticated client from that network instead the source network is an administrator defined ip object called trusted_users which is the same network as lannet but has additionally either the authentication option no defined credentials enabled or has an authentication group assigned to it which is the same group as that assigned to the users 376
• The third rule allows dns lookup of urls 376
• With this setup when users that are not authenticated try to surf to any ip except lan_ip they will fall through the rules and their packets will be dropped to always have these users come to the authentication page we must add a sat rule and its associated allow rule the rule set will now look like this 376
• Example 8 creating an authentication user group 377
• Example 8 user authentication setup for web access 377
• Http authentication chapter 8 user authentication 377
• Example 8 configuring a radius server 378
• Http authentication chapter 8 user authentication 378
• Customizing html pages 379
• Editing the banner files 379
• Html page parameters 379
• Http banner files 379
• Customizing html pages chapter 8 user authentication 380
• Example 8 editing content filtering http banner files 380
• In certain banner web pages the parameter redirurl appears this is a placeholder for the original url which was requested before the user login screen appeared for an unauthenticated user following successful authentication the user becomes redirected to the url held by this parameter 380
• In the above example more than one html file can be edited in a session but the save button should be pressed to save any edits before beginning editing on another file 380
• Ipaddr the ip address which is being browsed from 380
• It is possible to upload new http banner files using scp the steps to do this are 380
• Reason the reason that access was denied 380
• Since redirurl only has this internal purpose it should not be removed from web pages and should appear in the formlogin page if that is used 380
• Since scp cannot be used to download the original default html the source code must be first copied from the webui and pasted into a local text file which is then edited using an appropriate editor 380
• The redirurl parameter 380
• The web page url for redirects 380
• Tip html file changes need to be saved 380
• Uploading with scp 380
• Chapter 9 vpn 383
• Overview 383
• Vpn usage 383
• Vpn encryption 384
• Vpn planning 384
• Endpoint security 385
• Key distribution 385
• Placement in a dmz 385
• The tls alternative for vpn 385
• Common tunnel setup requirements 387
• Overview 387
• Vpn quick start 387
• Ipsec lan to lan with pre shared keys 388
• Ipsec lan to lan with certificates 389
• Note the system time and date should be correct 389
• A ip addresses already allocated 390
• Ipsec roaming clients with pre shared keys 390
• B ip addresses handed out by netdefendos 391
• Configuring ipsec clients 392
• Ipsec roaming clients with certificates 392
• L2tp roaming clients with pre shared keys 393
• Note the system time and date should be correct 393
• L2tp roaming clients with certificates 394
• Pptp roaming clients 395
• As described for l2tp the nat rule lets the clients access the public internet via the netdefend firewall 396
• As in l2tp enable the insertion of new routes automatically into the main routing table 396
• Define a user authentication rule this is almost identical to l2tp 396
• Enable proxy arp on the int interface 396
• Now set up the ip rules in the ip rule set 396
• Pptp roaming clients chapter 9 vpn 396
• Set up the client for windows xp the procedure is exactly as described for l2tp above but without entering the pre shared key 396
• Internet key exchange ike 397
• Ipsec components 397
• Overview 397
• Security associations sas 397
• Ike algorithm proposals 398
• Ike and ipsec lifetimes 398
• Ike negotiation 398
• Ike phase 1 ike security negotiation 398
• Ike parameters 399
• Ike phase 2 ipsec security negotiation 399
• Diffie hellman groups 402
• Ike authentication 403
• Manual keying 403
• Manual keying advantages 403
• Manual keying disadvantages 403
• Psk advantages 403
• Advantages of certificates 404
• Ah authentication header 404
• Certificates 404
• Disadvantages of certificates 404
• Ipsec protocols esp ah 404
• Psk disadvantages 404
• Esp encapsulating security payload 405
• Figure 9 the ah protocol 405
• Figure 9 the esp protocol 405
• Nat traversal 405
• Achieving nat detection 406
• Changing ports 406
• Nat traversal configuration 406
• Udp encapsulation 406
• Algorithm proposal lists 407
• Beware of non ascii characters in a psk on different platforms 408
• Example 9 using a pre shared key 408
• If a psk is specified as a passphrase and not a hexadecimal value the different encodings on different platforms can cause a problem with non ascii characters windows for example encodes pre shared keys containing non ascii characters in utf 16 while netdefendos uses utf 8 even though they can seem the same at either end of the tunnel there will be a mismatch and this can sometimes cause problems when setting up a windows l2tp client that connects to netdefendos 408
• Pre shared keys 408
• Pre shared keys are used to authenticate vpn tunnels the keys are secrets that are shared by the communicating parties before communication takes place to communicate both parties prove that they know the secret the security of a shared secret depends on how good a passphrase is passphrases that are common words are extremely vulnerable to dictionary attacks 408
• Pre shared keys can be generated automatically through the webui but they can also be generated through the cli using the command pskgen this command is fully documented in the cli reference guide 408
• Pre shared keys chapter 9 vpn 408
• A typical scenario 409
• Consider the scenario of travelling employees being given access to the internal corporate networks using vpn clients the organization administers their own certificate authority and certificates have been issued to the employees different groups of employees are likely to have access to different parts of the internal networks for example members of the sales force need access to servers running the order system while technical engineers need access to technical databases 409
• Example 9 using an identity list 409
• Identification lists 409
• Identification lists chapter 9 vpn 409
• Since the ip addresses of the travelling employees vpn clients cannot be known beforehand the incoming vpn connections from the clients cannot be differentiated this means that the firewall is unable to control the access to various parts of the internal networks 409
• The concept of identification lists presents a solution to this problem an identification list contains one or more identities ids where each identity corresponds to the subject field in a certificate identification lists can thus be used to regulate what certificates that are given access to what ipsec tunnels 409
• The id list solution 409
• The problem 409
• When certificates are used as authentication method for ipsec tunnels the netdefend firewall will accept all remote devices or vpn clients that are capable of presenting a certificate signed by any of the trusted certificate authorities this can be a potential problem especially when using roaming clients 409
• Identification lists chapter 9 vpn 410
• Identification lists chapter 9 vpn 411
• Ip rules control decrypted traffic 412
• Ipsec tunnels 412
• Local initiation of tunnel establishment 412
• No ip rules are needed for the enclosing ipsec traffic 412
• Overview 412
• Remote initiation of tunnel establishment 412
• Returning traffic 412
• Comparing dpd and keep alive 413
• Dead peer detection 413
• Ipsec tunnel quick start 413
• Keep alive 413
• Dealing with unknown ip addresses 414
• Lan to lan tunnels with pre shared keys 414
• Psk based client tunnels 414
• Roaming clients 414
• Example 9 setting up a psk based vpn tunnel for roaming clients 415
• Example 9 setting up a self signed certificate based vpn tunnel for roaming clients 415
• Roaming clients chapter 9 vpn 415
• Self signed certificate based client tunnels 415
• The following example shows how a certificate based tunnel can be set up 415
• Roaming clients chapter 9 vpn 416
• Example 9 setting up ca server certificate based vpn tunnels for roaming clients 417
• It is the responsibility of the administrator to acquire the appropriate certificate from an issuing authority for client tunnels with some systems such as windows 2000 server there is built in access to a ca server in windows 2000 server this is found in certificate services for more information on ca server issued certificates see section 3 certificates 417
• Roaming clients chapter 9 vpn 417
• Setting up client tunnels using a ca issued certificate is largely the same as using self signed certificates with the exception of a couple of steps 417
• Tunnels based on ca server certificates 417
• Defining the config mode object 418
• Using config mode 418
• A root certificate usually includes the ip address or hostname of the certificate authority to contact when certificates or crls need to be downloaded to the netdefend firewall lightweight directory access protocol ldap is used for these downloads 419
• After defining the config mode object the only remaining action is to enable config mode to be used with the ipsec tunnel 419
• Example 9 setting up an ldap server 419
• Example 9 using config mode with ipsec tunnels 419
• Fetching crls from an alternate ldap server 419
• Fetching crls from an alternate ldap server chapter 9 vpn 419
• However in some scenarios this information is missing or the administrator wishes to use another ldap server the ldap configuration section can then be used to manually specify alternate ldap servers 419
• Ip validation 419
• Netdefendos always checks if the source ip address of each packet inside an ipsec tunnel is the same as the ip address assigned to the ipsec client with ike config mode if a mismatch is detected the packet is always dropped and a log message generated with a severity level of warning this message includes the two ip addresses as well as the client identity 419
• Optionally the affected sa can be automatically deleted if validation fails by enabling the advanced setting ipsecdeletesaonipvalidationfailure the default value for this setting is disabled 419
• The client and the server 420
• Troubleshooting with ikesnoop 420
• Using ikesnoop 420
• Vpn tunnel negotiation 420
• Step 1 client initiates exchange by sending a supported algorithm list 421
• Explanation of values 422
• Step 2 server responds to client 422
• Step 3 clients begins key exchange 423
• Explanation of above values 424
• Step 4 server sends key exchange data 424
• Step 5 client sends identification 424
• Step 6 server id response 425
• Step 7 client sends a list of supported ipsec algorithms 425
• Explanation of above values 426
• Step 8 client sends a list of supported algorithms 426
• Ipsec advanced settings 427
• Ipsec max rules 427
• Ipsec max tunnels 427
• Step 9 client confirms tunnel setup 427
• Ike crl validity time 428
• Ike max ca path 428
• Ike send crls 428
• Ike send initial contact 428
• Ipsec before rules 428
• Dpd expire time 429
• Dpd keep time 429
• Dpd metric 429
• Ipsec cert cache max certs 429
• Ipsec gateway name cache time 429
• Deployment 431
• Implementation 431
• Overview 431
• Pptp l2tp 431
• Pptp l2tp quick start 431
• Pptp servers 431
• Troubleshooting pptp 431
• Error ppp lcp_negotiation_stalled ppp_terminated 432
• Example 9 0 setting up a pptp server 432
• L2tp is certificate based and therefore is simpler to administer with a large number of clients and arguably offers better security than pptp unlike pptp it is possible to set up multiple virtual networks across a single tunnel because it is ipsec based l2tp requires nat traversal nat t to be implemented on the lns side of the tunnel 432
• L2tp servers 432
• L2tp servers chapter 9 vpn 432
• Layer 2 tunneling protocol l2tp is an ietf open standard that overcomes many of the problems of pptp its design is a combination of layer 2 forwarding l2f protocol and pptp making use of the best features of both since the l2tp standard does not implement encryption it is usually implemented with an ietf standard known as l2tp ipsec in which l2tp packets are encapsulated by ipsec 432
• Tcp port 1723 and or ip protocol 47 before the pptp connection can be made to the netdefend firewall examining the log can indicate if this problem occurred with a log message of the following form appearing 432
• The client communicates with a local access concentrator lac and the lac communicates across the internet with a l2tp network server lns the netdefend firewall acts as the lns the lac tunnels data such as a ppp session using ipsec to the lns across the internet in most cases the client will itself act as the lac 432
• Example 9 1 setting up an l2tp server 433
• Example 9 2 setting up an l2tp tunnel over ipsec 433
• L2tp servers chapter 9 vpn 433
• L2tp servers chapter 9 vpn 434
• L2tp servers chapter 9 vpn 435
• L2tp pptp server advanced settings 436
• L2tp pptp server advanced settings chapter 9 vpn 436
• The following l2tp pptp server advanced settings are available to the administrator 436
• Client setup 437
• L2tp before rules 437
• Max ppp resends 437
• Pptp before rules 437
• Pptp l2tp clients 437
• Note the default pptp l2tp route 438
• Using the pptp client feature 438
• Figure 9 pptp client usage 439
• Access considerations 440
• Ca server access 440
• Ca server types 440
• Overview 440
• Ca server access by clients 441
• Figure 9 certificate validation components 441
• Placement of private ca servers 441
• Turning off fqdn resolution 442
• General troubleshooting 443
• Troubleshooting certificates 443
• Vpn troubleshooting 443
• Ipsec troubleshooting commands 444
• The ipsecstat console command 444
• Warning be careful using the num all option 444
• Management interface failure with vpn 445
• Specific error messages 445
• The ikesnoop console command 445
• Could not find acceptable proposal no proposal chosen 446
• Incorrect pre shared key 446
• Ike_invalid_payload ike_invalid_cookie 447
• No public key found 447
• Payload_malformed 447
• Note l2tp with microsoft vista 448
• Specific symptoms 448
• The tunnel can only be initiated from one side 448
• Unable to set up with config mode and getting a spurious xauth message 448
• Chapter 10 traffic management 451
• Netdefendos diffserv support 451
• Overview 451
• Qos with tcp ip 451
• The traffic shaping solution 451
• Traffic shaping 451
• Note traffic shaping will not work with the sip alg 452
• Traffic shaping in netdefendos 452
• Traffic shaping objectives 452
• Figure 10 pipe rules determine pipe usage 453
• Note no pipe rules are defined by default 453
• Pipe rule chains 453
• Pipe rules 453
• Explicitly excluding traffic from shaping 454
• Figure 10 fwdfast rules bypass traffic shaping 454
• Pipes will not work with fwdfast ip rules 454
• Simple bandwidth limiting 454
• A single pipe does not care in which direction the traffic through it is flowing when it calculates total throughout using the same pipe for both outbound and inbound traffic is allowed by netdefendos but this will not partition the pipe limit exactly in two between the two directions 455
• In the previous example only bandwidth in the inbound direction is limited in most situations this is the direction that becomes full first but what if the outbound traffic must be limited in the same way 455
• Just inserting std in in the forward chain will not work since we probably want the 2 mbps limit for outbound traffic to be separate from the 2 mbps limit for inbound traffic if 2 mbps of outbound traffic attempts to flow through the pipe in addition to 2 mbps of inbound traffic the total 455
• Limiting bandwidth in both directions 455
• Limiting bandwidth in both directions chapter 10 traffic management 455
• Using a single pipe for both directions 455
• Attempting to flow is 4 mbps since the pipe limit is 2 mbps the actual flow will be close to 1 mbps in each direction 456
• Creating differentiated limits using chains 456
• Creating differentiated limits using chains chapter 10 traffic management 456
• Example 10 limiting bandwidth in both directions 456
• In the previous examples a static traffic limit for all outbound connections was applied what if the aim is to limit web surfing more than other traffic assume that the total bandwidth limit is 250 kbps and 125 kbps of that is to be allocated to web surfing inbound traffic 456
• Raising the total pipe limit to 4 mbps will not solve the problem since the single pipe will not know that 2 mbps of inbound and 2 mbps of outbound are the intended limits the result might be 3 mbps outbound and 1 mbps inbound since this also adds up to 4 mbps 456
• The incorrect solution 456
• The recommended way to control bandwidth in both directions is to use two separate pipes one for inbound and one for outbound traffic in the scenario under discussion each pipe would have a 2 mbps limit to achieve the desired result the following example goes through the setup for this 456
• Two surfing pipes for inbound and outbound traffic could be set up however it is not usually required to limit outbound traffic since most web surfing usually consists of short outbound server 456
• Using two separate pipes instead 456
• Figure 10 differentiated limits using chains 457
• Precedences 457
• The correct solution 457
• The default precedence is zero 457
• Allocating precedence to traffic 458
• Figure 10 the eight pipe precedences 458
• Precedence priority is relative 458
• Specifying precedences within pipes 458
• There are 8 possible precedence levels 458
• Precedence limits are also guarantees 459
• The lowest best effort precedence 459
• Tip specifying bandwidth 459
• Applying precedences 460
• Figure 10 minimum and maximum pipe precedence 460
• Lowest precedence limits 460
• Precedences only apply when a pipe is full 460
• Differentiated guarantees 461
• Note a limit on the lowest precedence has no meaning 461
• The need for guarantees 461
• Using precedences as guarantees 461
• A port grouping includes the ip address 462
• Grouping by networks requires the size 462
• Note the return chain ordering is important 462
• Pipe groups 462
• Combining the group total and precedences 463
• Specifying group limits 463
• Another simple groups example 464
• Combining pipe and group limit precedence values 464
• Dynamic balancing 464
• Figure 10 traffic grouped by ip address 464
• Precedences and dynamic balancing 465
• Relying on the group limit 465
• The importance of a pipe limit 465
• Traffic shaping recommendations 465
• Vpn pipe limits 465
• A summary of traffic shaping 466
• Attacks on bandwidth 466
• Limits should be less than available bandwidth 466
• Limits should not be more than the available bandwidth 466
• Troubleshooting 466
• Watching for leaks 466
• 0 more pipe examples 467
• A basic scenario 467
• 0 more pipe examples chapter 10 traffic management 468
• Dynamic balancing should be enabled for both pipes instead of perdestip and persrcip we could have used perdestnet and persrcnet if there were several networks on the inside 468
• Figure 10 a basic traffic shaping scenario 468
• First two pipes called in pipe and out pipe need to be created with the following parameters 468
• Lets assume we have a symmetric 2 2 mbps link to the internet we will allocate descending priorities and traffic requirements to the following users 468
• Now create the pipe rules 468
• Priority 0 web plus remaining from other levels 468
• Priority 2 1000 468
• Priority 2 other traffic 1000 kpbs 468
• Priority 4 250 468
• Priority 4 citrix 250 kpbs 468
• Priority 6 500 468
• Priority 6 voip 500 kpbs 468
• The next step is to create the following pipe rule which will force traffic to flow through the pipes 468
• The reason for using 2 different pipes in this case is that these are easier to match to the physical link capacity this is especially true with asynchronous links such as adsl 468
• The rule will force all traffic to the default precedence level and the pipes will limit total traffic to their 1 mbps limit having dynamic balancing enabled on the pipes means that all users will be allocated a fair share of this capacity 468
• To implement this scheme we can use the in pipe and out pipe we first enter the pipe limits for each pipe these limits correspond to the list above and are 468
• Using several precedences 468
• We now extend the above example by allocating priorities to different kinds of traffic accessing the internet from a headquarters office 468
• 0 more pipe examples chapter 10 traffic management 469
• A vpn scenario 469
• An important consideration which has been discussed previously is allowance in the pipe total values for the overhead used by vpn protocols as a rule of thumb a pipe total of 1700 bps is reasonable for a vpn tunnel where the underlying physical connection capacity is 2 mbps 469
• In the cases discussed so far all traffic shaping is occurring inside a single netdefend firewall vpn is typically used for communication between a headquarters and branch offices in which case pipes can control traffic flow in both directions with vpn it is the tunnel which is the source and destination interface for the pipe rules 469
• It is also important to remember to insert into the pipe all non vpn traffic using the same physical link 469
• Note that in other and out other are first in the pipe chain in both directions this is because we want to limit the traffic immediately before it enters the in pipe and out pipe and competes with voip citrix and web surfing traffic 469
• Pipe chaining 469
• Priority 0 best effort 469
• Priority 6 voip 500 kpbs 469
• Suppose the requirement now is to limit the precedence 2 capacity other traffic to 1000 kbps so that it does not spill over into precedence 0 this is done with pipe chaining where we create new pipes called in other and out other both with a pipe limit of 1000 the other pipe rule is then modified to use these 469
• The pipe chaining can be used as a solution to the problem of vpn overhead a limit which allows for this overhead is placed on the vpn tunnel traffic and non vpn traffic is inserted into a pipe that matches the speed of the physical link 469
• The pipes required will be 469
• These rules are processed from top to bottom and force different kinds of traffic into precedences based on the service customized service objects may need to be first created in order to identify particular types of traffic the all service at the end catches anything that falls through from earlier rules since it is important that no traffic bypasses the pipe rule set otherwise using pipes will not work 469
• To do this we first create separate pipes for the outgoing traffic and the incoming traffic voip traffic will be sent over a vpn tunnel that will have a high priority all other traffic will be sent at the best effort priority see above for an explanation of this term again we will assume a 2 2 mbps symmetric link 469
• Vpn in 469
• 0 more pipe examples chapter 10 traffic management 470
• A simple solution is to put a catch all inbound rule at the bottom of the pipe rule however the external interface wan should be the source interface to avoid putting into pipes traffic that is coming from the inside and going to the external ip address this last rule will therefore be 470
• If sat is being used for example with a web server or ftp server that traffic also needs to be forced into pipes or it will escape traffic shaping and ruin the planned quality of service in addition server traffic is initiated from the outside so the order of pipes needs to be reversed the forward pipe is the in pipe and the return pipe is the out pipe 470
• In pipe 470
• Out pipe 470
• Priority 0 best effort 470
• Priority 6 voip 500 kpbs 470
• Sat with pipes 470
• The following pipe rules are then needed to force traffic into the correct pipes and precedence levels 470
• Total 1700 470
• Total 2000 470
• Vpn out 470
• With this setup all vpn traffic is limited to 1700 kbps the total traffic is limited to 2000 kbps and voip to the remote site is guaranteed 500 kbps of capacity before it is forced to best effort 470
• Note sat and arped ip addresses 471
• Application related bandwidth usage 472
• Combining idp and traffic shaping 472
• Idp traffic shaping 472
• Overview 472
• Setting up idp traffic shaping 472
• Either side can trigger idp 473
• Processing flow 473
• The importance of specifying a network 473
• Unintended consequences 473
• A p2p scenario 474
• Excluding hosts 474
• Figure 10 idp traffic shaping p2p scenario 474
• Pipe naming 475
• Pipes are shared 475
• Viewing hosts 475
• Viewing pipes 475
• Viewing traffic shaping objects 475
• Guaranteeing instead of limiting bandwidth 476
• Logging 476
• Limiting the connection rate 477
• Limiting the connection rate total connections 477
• Limiting the total connections 477
• Note threshold rules are not available on all netdefend models 477
• Overview 477
• Threshold policies 477
• Threshold rules 477
• Exempted connections 478
• Grouping 478
• Multiple triggered actions 478
• Rule actions 478
• Threshold rule blacklisting 478
• Threshold rules and zonedefense 478
• Note slb is not available on all d link netdefend models 480
• Overview 480
• Server load balancing 480
• Additional benefits of slb 481
• Figure 10 a server load balancing configuration 481
• Identifying the servers 481
• Slb deployment considerations 481
• Slb distribution algorithms 481
• Selecting stickiness 482
• Stickiness parameters 482
• Figure 10 0 connections from three clients 483
• Slb algorithms and stickiness 483
• Figure 10 1 stickiness and round robin 484
• Figure 10 2 stickiness and connection rate 484
• Server health monitoring 484
• Define a further rule that duplicates the source destination interface network of the slb_sat rule that permits the traffic through this could be one rule or a combination of rules using the actions 485
• Define an ip address group object which includes all these individual objects 485
• Define an ip address object for each server for which slb is to enabled 485
• Define an slb_sat rule in the ip rule set which refers to this ip address group and where all other slb parameters are defined 485
• Example 10 setting up slb 485
• If there are clients on the same network as the webservers that also need access to those webservers then an nat rule would also be used 485
• In order to function slb requires that the netdefendos state engine keeps track of connections fwdfast ip rules should not be used with slb since packets that are forwarded by these rules are under state engine control 485
• Note fwdfast rules should not be used with slb 485
• Note that the destination interface is specified as core meaning netdefendos itself deals with this the key advantage of having a separate allow rule is that the webservers can log the exact ip address that is generating external requests using only a nat rule which is possible means that webservers would see only the ip address of the netdefend firewall 485
• Setting up slb_sat rules 485
• Setting up slb_sat rules chapter 10 traffic management 485
• The key component in setting up slb are ip rules that have slb_sat as the action the steps that should be followed for setting up such rules are 485
• The table below shows the rules that would be defined for a typical scenario of a set of webservers behind the netdefend firewall for which the load is being balanced the allow rule allows external clients to access the webservers 485
• Setting up slb_sat rules chapter 10 traffic management 486
• Setting up slb_sat rules chapter 10 traffic management 487
• Chapter 11 high availability 489
• Ha clusters 489
• Interconnection of cluster units 489
• Note high availability is only available on some netdefend models 489
• Overview 489
• The master and active units 489
• Cluster management 490
• Extending redundancy 490
• Hardware duplication 490
• Load sharing 490
• Basic principles 491
• Disabling heartbeat sending on interfaces 491
• Ha mechanisms 491
• Heartbeat characteristics 491
• Heartbeat frequency 491
• Dealing with sync failure 492
• Failover time 492
• Ha with anti virus and idp 492
• Shared ip addresses and arp 492
• Note an inactive unit restart is required for resynchronization 493
• Ha hardware setup 494
• Note management cannot be done through the shared ip 494
• Setting up ha 494
• Typical ha cluster network connections 494
• Netdefendos manual ha setup 495
• Note the illustration shows a crossover cable sync connection 495
• Making cluster configuration changes 496
• Note ip addresses could be public addresses 496
• Verifying the cluster functions 496
• Enabling a unique shared mac address 497
• Problem diagnosis 497
• Unique shared mac addresses 497
• With dissimilar hardware units 497
• All cluster interfaces need ip addresses 498
• Changing the cluster id 498
• Failed interfaces 498
• Ha issues 498
• Invalid checksums in heartbeat packets 498
• Making ospf work 498
• The shared ip must not be 0 498
• Using individual ip addresses 498
• Pppoe tunnels and dhcp clients 499
• Important make sure the inactive unit is alive 500
• Upgrading an ha cluster 500
• Deactivate before reconf 502
• Ha advanced settings 502
• Initial silence 502
• Reconf failover time 502
• Sync buffer size 502
• Sync packet max burst 502
• Use unique shared mac 502
• Acl upload 504
• Chapter 12 zonedefense 504
• Note zonedefense is not available on all netdefend models 504
• Overview 504
• Using thresholds 504
• Zonedefense controls switches 504
• Tip switch firmware versions should be the latest 505
• Zonedefense switches 505
• Managed devices 506
• Manual blocking and exclude lists 506
• Snmp managers 506
• Threshold rules 506
• Zonedefense operation 506
• As a complement to threshold rules it is also possible to manually define hosts and networks that are to be statically blocked or excluded manually blocked hosts and networks can be blocked by default or based on a schedule it is also possible to specify which protocols and protocol port numbers are to be blocked 507
• Example 12 a simple zonedefense scenario 507
• Exclude lists can be created and used to exclude hosts from being blocked when a threshold rule limit is reached good practice includes adding to the list the firewall s interface ip or mac address connecting towards the zonedefense switch this prevents the firewall from being accidentally blocked out 507
• Manual blocking and exclude lists chapter 12 zonedefense 507
• Ftp zonedefense can block a local ftp client that is uploading viruses 508
• Http zonedefense can block an http server that is a virus source 508
• Limitations 508
• Smtp zonedefense can block a local smtp client that is sending viruses with emails 508
• There are some differences in zonedefense operation depending on switch model the first difference is the latency between the triggering of a blocking rule to the moment when switch es actually starts blocking out the traffic matched by the rule all switch models require a short period 508
• This feature is described further in section 6 anti virus scanning and in the sections covering the individual algs 508
• Zonedefense can be used in conjuction with the netdefendos anti virus scanning feature netdefendos can first identify a virus source through antivirus scanning and then block the source by communicating with switches configured to work with zonedefense this feature is activated through the following algs 508
• Zonedefense with anti virus scanning 508
• Zonedefense with anti virus scanning chapter 12 zonedefense 508
• Important clearing the acl rule set on the switch 509
• Chapter 13 advanced settings 511
• Ip level settings 511
• Log checksum errors 511
• Log non ip4 511
• Log received ttl 0 511
• Note activating setting changes 511
• Block 0 net 512
• Block 0000 src 512
• Block 127 net 512
• Block multicast src 512
• Default ttl 512
• Layer size consistency 512
• Multicast ttl on low 512
• Ttl min 512
• Ttl on low 512
• Directed broadcasts 513
• Ip option sizes 513
• Ip option source return 513
• Ip options other 513
• Ip options timestamps 513
• Ip router alert option 513
• Securemoteudp compatibility 513
• Ip reserved flag 514
• Low broadcast ttl action option 514
• Min broadcast ttl option 514
• Multicast mismatch option 514
• Strip dontfragment 514
• Tcp level settings 515
• Tcp mss log level 515
• Tcp mss max 515
• Tcp mss min 515
• Tcp mss on high 515
• Tcp mss on low 515
• Tcp mss vpn max 515
• Tcp option sizes 515
• Tcp auto clamping 516
• Tcp option altchkreq 516
• Tcp option sack 516
• Tcp option tsopt 516
• Tcp option wsopt 516
• Tcp zero unused ack 516
• Tcp zero unused urg 516
• Tcp option altchkdata 517
• Tcp option con timeout 517
• Tcp option other 517
• Tcp syn psh 517
• Tcp syn rst 517
• Tcp syn urg 517
• Tcp fin urg 518
• Tcp null 518
• Tcp reserved field 518
• Tcp sequence numbers 518
• Tcp syn fin 518
• Tcp urg 518
• Tcpe ecn 518
• Allow tcp reopen 519
• Icmp level settings 520
• Icmp sends per sec limit 520
• Silently drop state icmperrors 520
• Connection replace 521
• Log connections 521
• Log open fails 521
• Log reverse opens 521
• Log state violations 521
• State settings 521
• Dynamic max connections 522
• Log connection usage 522
• Max connections 522
• Connection timeout settings 523
• Igmp idle lifetime 523
• Ping idle lifetime 523
• Tcp fin idle lifetime 523
• Tcp idle lifetime 523
• Tcp syn idle lifetime 523
• Udp bidirectional keep alive 523
• Udp idle lifetime 523
• Other idle lifetime 524
• Length limit settings 525
• Max ah length 525
• Max esp length 525
• Max gre length 525
• Max icmp length 525
• Max tcp length 525
• Max udp length 525
• Log oversized packets 526
• Max ipip fwz length 526
• Max ipsec ipcomp length 526
• Max l2tp length 526
• Max ospf length 526
• Max other length 526
• Max skip length 526
• Duplicated fragment data 527
• Fragmentation settings 527
• Illegal fragments 527
• Pseudo reass max concurrent 527
• Dropped fragments 528
• Duplicate fragments 528
• Failed fragment reassembly 528
• Fragmented icmp 529
• Max reassembly time limit 529
• Minimum fragment length 529
• Reassembly done limit 529
• Reassembly timeout 529
• Reassembly illegal limit 530
• Large buffers 531
• Local fragment reassembly settings 531
• Max concurrent 531
• Max size 531
• Flood reboot time 532
• Max connections 532
• Max memory 532
• Max pipe users 532
• Miscellaneous settings 532
• Port 0 532
• Udp source port 0 532
• Watchdog time 532
• Appendix a subscribing to updates 534
• Database console commands 534
• Important renew in good time 534
• Monitoring database updates 534
• Overview 534
• Pre empting database updates 534
• Subscription renewal 534
• Tip a registration guide can be downloaded 534
• Deleting local databases 535
• Note updating the database causes a pause in processing 535
• Querying server status 535
• Querying update status 535
• Appendix b idp signature groups 536
• For idp scanning the following signature groups are available for selection these groups are only available for the d link advanced idp service there is a version of each group under the three types of ids ips and policy for further information see section 6 intrusion detection and prevention 536
• Appendix b idp signature groups 537
• Appendix b idp signature groups 538
• Appendix b idp signature groups 539
• Appendix c verified mime filetypes 540
• For a more detailed description of mime verification and the filetype block allow feature see section 6 the http alg 540
• Some netdefendos application layer gateways algs have the optional ability to verify that the contents of a downloaded file matches the type that the filetype in the filename indicates the filetypes for which mime verification can be done are listed in this appendix and the algs to which this applies are 540
• The algs listed above also offer the option to explicitly allow or block certain filetypes as downloads from a list of types that list is the same one found in this appendix 540
• The ftp alg 540
• The http alg 540
• The pop3 alg 540
• The smtp alg 540
• Appendix c verified mime filetypes 541
• Appendix c verified mime filetypes 542
• Appendix c verified mime filetypes 543
• Appendix d the osi framework 544
• Figure d the 7 layers of the osi model 544
• Layer functions 544
• Overview 544
• Alphabetical index 545