D-Link DFL-860E — как выполнить резервное копирование и восстановление через WebUI [77/552]

Содержание

• Network security firewall p.1
• User manual p.1
• Security p.1
• Dfl 210 260 260e 800 860 860e dfl 1600 1660 2500 2560 2560g p.2
• User manual p.2
• Netdefendos version 2 7 3 p.2
• Dfl 210 260 260e 800 860 860e dfl 1600 1660 2500 2560 2560g p.3
• User manual p.3
• Netdefendos version 2 7 3 p.3
• Limitations of liability p.3
• Disclaimer p.3
• Copyright notice p.3
• Table of contents p.4
• List of figures p.10
• List of examples p.12
• Examples p.14
• Text structure and conventions p.14
• Screenshots p.14
• Preface p.14
• Intended audience p.14
• Warning p.15
• Trademarks p.15
• Important p.15
• Highlighted content p.15
• Caution p.15
• Netdefendos objects p.16
• Netdefendos as a network security operating system p.16
• Key features p.16
• Features p.16
• Chapter 1 netdefendos overview p.16
• Netdefendos documentation p.18
• Interfaces p.19
• Netdefendos building blocks p.19
• Netdefendos architecture p.19
• Logical objects p.19
• Interface symmetry p.19
• Stateful inspection p.19
• State based architecture p.19
• Netdefendos rule sets p.20
• Basic packet flow p.20
• Note additional actions p.21
• Netdefendos state engine packet flow p.23
• Figure 1 packet flow schematic part i p.23
• Figure 1 packet flow schematic part ii p.24
• Figure 1 packet flow schematic part iii p.25
• Figure 1 expanded apply rules logic p.26
• Apply rules p.26
• Overview p.28
• Managing netdefendos p.28
• Management interfaces p.28
• Chapter 2 management and maintenance p.28
• Creating additional accounts p.29
• The default administrator account p.29
• Remote management policies p.29
• Note recommended browsers p.29
• Multiple administration logins p.29
• Important p.29
• Logging on to the web interface p.30
• The web interface p.30
• Setting the management workstation ip p.30
• Assignment of a default ip address p.30
• The web browser interface p.31
• Multi language support p.31
• Important switch off popup blocking p.31
• First time web interface logon and the setup wizard p.31
• Note remote management access p.32
• Interface layout p.32
• Controlling access to the web interface p.33
• Tip correctly routing management traffic p.34
• The cli p.34
• Logging out from the web interface p.34
• Caution don t expose the management interface p.34
• Tip getting help about help p.35
• The cli command history p.35
• Tab completion p.35
• Optional parameters are tab completed last p.35
• Note category and context p.35
• Cli command structure p.35
• Tab completion of parameter values p.36
• Note rule names are recommended p.36
• Selecting object categories p.37
• Object categories p.37
• Referencing by name p.38
• Using hostnames in the cli p.38
• Inserting into rule lists p.38
• Using unique names p.38
• Specifying multiple property values p.38
• Ssh secure shell cli access p.39
• Serial console cli access p.39
• Note the console password is separate p.40
• Logging on to the cli p.40
• Changing the cli prompt p.40
• Changing the admin user password p.40
• Tip the cli prompt is the webui device name p.41
• Logging off from the cli p.41
• Configuring remote management access on an interface p.41
• Checking configuration integrity p.41
• Activating and committing changes p.41
• Managing management sessions with sessionmanager p.42
• Cli scripts p.43
• Script variables p.43
• Only four commands are allowed in scripts p.43
• Executing scripts p.43
• Script validation and command ordering p.44
• Script output p.44
• Saving scripts p.44
• Note the symbol 0 is reserved p.44
• Error handling p.44
• Removing scripts p.45
• Listing scripts p.45
• Creating scripts automatically p.45
• Tip listing commands at the console p.46
• Secure copy p.46
• Scripts running other scripts p.46
• Commenting script files p.46
• Netdefendos file organization p.47
• Scp command format p.47
• Note scp examples do not show the password prompt p.47
• The console boot menu p.48
• Examples of uploading and downloading p.48
• Activating uploads p.48
• Initial boot menu options without a password set p.49
• Accessing the console boot menu p.49
• Webui before rules p.50
• Validation timeout p.50
• The console password is only for the console p.50
• Ssh before rules p.50
• Removing the console password p.50
• Management advanced settings p.50
• Local console timeout p.50
• Initial options with a console password set p.50
• Webui http port p.51
• Https certificate p.51
• Configuration objects p.51
• Working with configurations p.51
• Webui https port p.51
• Object types p.51
• Object organization p.51
• Working with configurations chapter 2 management and maintenance p.52
• When accessing object via the cli you can omit the category name and just use the type name the cli command in the above example for instance could be simplified to p.52
• Show servicetcpudp telnet p.52
• Example 2 displaying a configuration object p.52
• Working with configurations chapter 2 management and maintenance p.53
• Important configuration changes must be activated p.53
• Example 2 editing a configuration object p.53
• Example 2 adding a configuration object p.53
• Changes to a configuration object will not be applied to a running system until the new netdefendos configuration is activated p.53
• After modifying several configuration objects you might want to see a list of the objects that were changed added and removed since the last commit p.54
• Working with configurations chapter 2 management and maintenance p.54
• Listing modified objects p.54
• Example 2 undeleting a configuration object p.54
• Example 2 deleting a configuration object p.54
• Working with configurations chapter 2 management and maintenance p.55
• The administrator should be aware that if any changes that affect the configurations of live ipsec tunnels are committed then those live tunnels connections will be terminated and must be re established p.55
• Important committing ipsec changes p.55
• If the new configuration is validated netdefendos will wait for a short period 30 seconds by default during which a connection to the administrator must be re established as described previously if the configuration was activated via the cli with the activate command then a commit command must be issued within that period if a lost connection could not be re established or if the commit command was not issued then netdefendos will revert to using the previous configuration this is a fail safe mechanism and amongst others things can help prevent a remote administrator from locking themselves out p.55
• Example 2 listing modified configuration objects p.55
• Example 2 0 activating and committing a configuration p.55
• After changes to a configuration have been made the configuration has to be activated for those changes to have an impact on the running system during the activation process the new proposed configuration is validated and netdefendos will attempt to initialize affected subsystems with the new configuration data p.55
• Activating and committing a configuration p.55
• Note changes must be committed p.56
• Events and logging p.57
• Event types p.57
• Event severity p.57
• Overview p.57
• Message format p.57
• Log messages p.57
• Log message generation p.57
• Overview p.58
• Memory for logging is limited p.58
• Logging to syslog hosts p.58
• Logging to memorylogreceiver p.58
• Disabling memory logging p.58
• Creating log receivers p.58
• The prio and severity fields p.59
• Note syslog server configuration p.59
• Message format p.59
• Snmp traps p.60
• Snmp traps in netdefendos p.60
• Note snmp trap standards p.60
• The snmp protocol p.60
• This setting specifies the maximum log messages that netdefendos will send per second this value should never be set too low as this may result in important events not being logged nor should it be set too high when the maximum is exceeded the excess messages are dropped and are not buffered p.61
• The following advanced settings for netdefendos event logging are available to the administrator p.61
• The delay in seconds between alarms when a continuous alarm is used minimum 0 maximum 10 000 p.61
• The administrator must make a case by case judgement about the message load that log servers can deal with this can often depend on the server hardware platform being used and if the resources of the platform are being shared with other tasks p.61
• Send limit p.61
• Default 60 one minute p.61
• Default 2000 p.61
• Alarm repetition interval p.61
• Advanced log settings chapter 2 management and maintenance p.61
• Advanced log settings p.61
• Start message parameters p.62
• Radius architecture p.62
• Radius accounting messages p.62
• Radius accounting p.62
• Overview p.62
• Stop message parameters p.63
• Tip the meaning of the asterisk after a list entry p.64
• Radius accounting security p.64
• Radius accounting and high availability p.64
• Interim accounting messages p.64
• Activating radius accounting p.64
• Radius advanced settings p.65
• Limitations with nat p.65
• Handling unresponsive servers p.65
• Allow on error p.65
• Accounting and system shutdowns p.65
• Example 2 3 radius accounting server setup p.66
• Disabling the setting will mean that the user will be logged out if the radius accounting server cannot be reached even though the user has been previously authenticated p.66
• Default enabled p.66
• Default 1024 p.66
• Continue to be logged in p.66
• The maximum number of contexts allowed with radius this applies to radius use with both accounting and authentication p.66
• Radius advanced settings chapter 2 management and maintenance p.66
• Maximum radius contexts p.66
• Logout at shutdown p.66
• If this option is not enabled netdefendos will shutdown even though there may be radius accounting sessions that have not been correctly terminated this could lead to the situation that the radius server will assume users are still logged in even though their sessions have been terminated p.66
• If there is an orderly shutdown of the netdefend firewall by the administrator then netdefendos will delay the shutdown until it has sent radius accounting stop messages to any configured radius server p.66
• Using the hwm cli command p.67
• Note the meaning of x p.67
• Hardware monitoring p.67
• Enabling hardware monitoring p.67
• Availability p.67
• Setting the minimum and maximum range p.68
• Note different hardware has different sensors and ranges p.68
• Overview p.69
• Enabling an ip rule for snmp p.69
• Defining snmp access p.69
• The netdefendos mib p.69
• The community string p.69
• Snmp monitoring p.69
• The following snmp advanced settings can be found under the remote management section in the webui p.70
• The advanced setting snmp request limit restricts the number of snmp requests allowed per second this can help prevent attacks through snmp overload p.70
• Snmp before ruleslimit p.70
• Snmp advanced settings chapter 2 management and maintenance p.70
• Snmp advanced settings p.70
• Snmp access port 161 is usually used for snmp and netdefendos always expects snmp traffic on that port p.70
• Remote access encryption p.70
• Preventing snmp overload p.70
• It should be noted that snmp version 1 or 2c access means that the community string will be sent as plain text over a network this is clearly insecure if a remote client is communicating over the public internet it is therefore advisable to have remote access take place over an encrypted vpn tunnel or similarly secure means of communication p.70
• Example 2 4 enabling snmp monitoring p.70
• Enable snmp traffic to the firewall regardless of configured ip rules p.70
• Interface description snmp p.71
• Interface alias p.71
• System name p.71
• System location p.71
• System contact p.71
• Snmp request limit p.71
• The pcapdump command p.72
• Running on multiple interfaces p.72
• Re using capture files p.72
• A simple example p.72
• Output file naming restrictions p.73
• Note netdefendos keeps track of saved files p.73
• Filter expressions p.73
• Downloading the output file p.73
• Compatibility with wireshark p.74
• Combining filters p.74
• Backing up configurations p.75
• Auto update mechanism p.75
• Warning do not upload a system backup to dissimilar hardware p.75
• Version compatability p.75
• Maintenance p.75
• The management interfaces used p.76
• Operation interruption p.76
• Backup and restore using scp p.76
• Restore to factory defaults chapter 2 management and maintenance p.77
• Restore to factory defaults p.77
• Reset procedure for the netdefend dfl 210 260 260e 800 860 and 860e p.77
• Note backups do not contain everything p.77
• It should be understood that a reset to factory defaults is exactly that any netdefendos upgrades performed since the unit left the factory will be lost p.77
• Important any upgrades will be lost after a factory reset p.77
• Backups include only static information from the netdefendos configuration dynamic information such as the dhcp server lease database or anti virus idp databases will not be backed up p.77
• Backup and restore using the webui p.77
• As an alternative to using scp the administrator can initiate a backup or restore of the configuration or complete system directly through the webui the example below illustrates how this is done p.77
• A restore to factory defaults can be applied so that it is possible to return to the original hardware state that existed when the netdefend firewall was shipped by d link when a restore is applied all data such as the idp and anti virus databases are lost and must be reloaded p.77
• Warning do not abort a reset to defaults p.78
• Reset procedure for the netdefend dfl 1600 1660 2500 2560 and 2560g p.78
• End of life procedures p.78
• The address book p.80
• Overview p.80
• Ip addresses p.80
• Chapter 3 fundamentals p.80
• The numbers 0 32 correspond to the number of binary ones in the netmask for example 192 68 24 p.81
• Note that ranges are not limited to netmask boundaries they may include any span of ip addresses for example 192 68 0 192 68 5 represents six hosts in consecutive order p.81
• Ip range a range of ip addresses is represented with the form a b c d e f g h p.81
• Ip network an ip network is represented using classless inter domain routing cidr form cidr uses a forward slash and a digit 0 32 to denote the size of the network as a postfix this is also known as the netmask p.81
• Ip addresses chapter 3 fundamentals p.81
• Example 3 adding an ip range p.81
• Example 3 adding an ip network p.81
• Example 3 adding an ip host p.81
• 24 corresponds to a class c net with 256 addresses netmask 255 55 55 27 corresponds to a 32 address net netmask 255 55 55 24 and so on p.81
• When specifying an ethernet address the format aa bb cc dd ee ff should be used ethernet addresses are also displayed using this format p.82
• If an ip object is deleted that is in use by another object then netdefendos will not allow the configuration to be deployed and will produce a warning message in other words it will appear that the object has been successfully deleted but netdefendos will not allow the configuration to be saved to the netdefend firewall p.82
• Example 3 deleting an address object p.82
• Example 3 adding an ethernet address p.82
• Ethernet addresses chapter 3 fundamentals p.82
• Ethernet addresses p.82
• Ethernet address objects are used to define symbolic names for ethernet addresses also known as mac addresses this is useful for example when populating the arp table with static arp entries or for other parts of the configuration where symbolic names are preferred over numerical ethernet addresses p.82
• Deleting in use ip objects p.82
• Ip addresses can be excluded p.83
• Groups simplify configuration p.83
• Groups can contain different subtypes p.83
• Address groups p.83
• Auto generated address objects p.84
• Address book folders p.84
• Overview p.85
• A service is passive p.85
• Services p.85
• Predefined services p.85
• The type of service created can be one of the following p.86
• Tcp udp service a service based on the udp or tcp protocol or both this type of service is discussed further in this section p.86
• Service group a service group consisting of a number of services this is discussed further in section 3 service groups p.86
• Ip protocol service a service based on a user defined protocol this is discussed further in section 3 custom ip protocol services p.86
• If the list of predefined netdefendos service objects does not meet the requirements for certain traffic then a new service can be created reading this section will explain not only how new services are created but also provides an understanding of the properties of predefined services p.86
• Icmp service a service based on the icmp protocol this is discussed further in section 3 icmp services p.86
• Example 3 viewing a specific service p.86
• Creating custom services chapter 3 fundamentals p.86
• Creating custom services p.86
• Udp orientated applications p.87
• Tcp and udp service definition p.87
• Tcp and udp based services p.87
• Specifying port numbers p.87
• Other service properties p.88
• Tip specifying source ports p.88
• Specifying all services p.88
• Tip the http all service does not include dns p.89
• Restrict services to the minimum necessary p.89
• Icmp types and codes p.89
• Icmp services p.89
• Specifying codes p.90
• Icmp message types p.90
• The advantage of groups p.91
• Service groups p.91
• Ip protocol numbers p.91
• Groups can contain other groups p.91
• Custom ip protocol services p.91
• Custom service timeouts p.92
• Interfaces p.93
• Interface types p.93
• Source and destination interfaces p.93
• Overview p.93
• Warning p.94
• The any and core interfaces p.94
• Interfaces have unique names p.94
• Disabling an interface p.94
• All interfaces are logically equivalent p.94
• Physical ethernet interfaces p.95
• Note usage of the terms interface and port p.95
• Note interface sockets connected via a switch fabric p.95
• Ethernet interfaces p.95
• Ethernet interface parameters p.95
• Ethernet frames p.95
• Tip specifying multiple ip addresses on an interface p.96
• Note interface enumeration p.96
• Note a gateway ip cannot be deleted with dhcp enabled p.97
• The difference between logical and physical ethernet interfaces p.98
• Changing the ip address of an ethernet interface p.98
• Useful cli commands for ethernet interfaces p.99
• Showing assigned interfaces p.99
• Setting interface addresses p.100
• Ethernet device commands p.100
• Enabling dhcp p.100
• Overview p.101
• Vlan processing p.102
• Physical vlan connection with vlan p.102
• Note 802 ad is not supported p.103
• Figure 3 vlan connections p.103
• Vlan advanced settings p.104
• Unknown vlan tags p.104
• Summary of vlan setup p.104
• License limitations p.104
• The ppp protocol p.105
• Pppoe client configuration p.105
• Ppp authentication p.105
• User authentication p.106
• Unnumbered pppoe p.106
• Note pppoe has a discovery protocol p.106
• Ip address information p.106
• Dial on demand p.106
• The generic router encapsulation gre protocol is a simple encapsulating protocol that can be used whenever there is a need to tunnel traffic across networks and or through network devices gre does not provide any security features but this means that its use has extremely low overhead p.107
• Pppoe cannot be used with ha p.107
• Overview p.107
• Gre tunnels chapter 3 fundamentals p.107
• Gre tunnels p.107
• Gre is typically used to provide a method of connecting two networks together across a third network such as the internet the two networks being connected together communicate with a common protocol which is tunneled using gre through the intervening network examples of gre usage are p.107
• For reasons connected with the way ip addresses are shared in a netdefendos high availability cluster pppoe will not operate correctly it should there not be configured with ha p.107
• Example 3 1 configuring a pppoe client p.107
• Using gre p.107
• Traversing network equipment that blocks a particular protocol p.107
• Setting up gre p.108
• Gre security and performance p.108
• Setup for netdefend firewall a p.109
• Gre and the ip rule set p.109
• An example gre scenario p.109
• Setup for netdefend firewall b p.110
• Checking gre tunnel status p.110
• The security transport equivalent option p.111
• Interface groups p.111
• Tip osi layers p.112
• The netdefendos arp cache p.112
• The expires column p.112
• Overview p.112
• Ip addressing over ethernet p.112
• The size of the arp cache p.113
• Flushing the arp cache p.113
• Static mode arp objects p.114
• Creating arp objects p.114
• Publishing modes p.115
• Published arp objects p.115
• Using arp advanced settings p.116
• Unsolicited arp replies p.116
• Publishing entire networks p.116
• Multicast and broadcast p.116
• Figure 3 an arp publish ethernet frame p.116
• Matching ethernet addresses p.117
• Changes to the arp cache p.117
• Arp requests p.117
• Arp match ethernet sender p.117
• Arp advanced settings summary p.117
• Sender ip 0 p.117
• Unsolicited arp replies p.118
• Static arp changes p.118
• Log arp resolve failure p.118
• Arp sender ip p.118
• Arp requests p.118
• Arp query no sender p.118
• Arp changes p.118
• Arp multicast p.119
• Arp hash size vlan p.119
• Arp hash size p.119
• Arp expire unknown p.119
• Arp expire p.119
• Arp cache size p.119
• Arp broadcast p.119
• Arp ip collision p.120
• The netdefendos security policy rule sets p.121
• Security policy characteristics p.121
• Security policies p.121
• Ip rule sets p.121
• Specifying any interface or network p.122
• Ip rules and the default main ip rule set p.122
• Traffic flow needs an ip rule and a route p.123
• Tip include the rule set name in the drop all name p.123
• Figure 3 simplified netdefendos traffic flow p.123
• Creating a drop all rule p.123
• Tip rules in the wrong order sometimes cause problems p.124
• The first matching principle p.124
• Stateful inspection p.124
• Non matching traffic p.124
• Ip rule evaluation p.124
• Bi directional connections p.125
• Ip rule actions p.125
• Using reject p.126
• Ip rule set folders p.126
• Editing ip rule set entries p.126
• Tip object groups help to document configurations p.127
• This can be very useful for someone seeing a configuration for the first time such as technical support staff in an ip rule set that contains hundreds of rules it can often prove difficult to quickly identify those rules associated with a specific aspect of netdefendos operation p.127
• The display function of object groups means they do not have relevance to the command line interface cli it is not possible to define or otherwise modify object groups with the cli and they will not be displayed in cli output any group editing must be done through the web interface and this is described next p.127
• The concept of folders can be used to organise groups of netdefendos objects into related collections these work much like the folders concept found in a computer s file system folders are described in relation to the address book in section 3 address book folders and can also be used when organizing ip rules p.127
• Object groups are a recommended way to document the contents of netdefendos configurations p.127
• Object groups and the cli p.127
• Groups can be used in most cases where netdefendos objects are displayed as tables where each line in the table is an instance of an object the most common usage will be for the netdefendos address book to arrange ip addresses and in particular for organizing rules in ip rule sets which is why they are introduced in this section p.127
• Configuration object groups chapter 3 fundamentals p.127
• Configuration object groups p.127
• A compliment or alternative to folders for organizing different type of netdefendos object lists is the configuration object groups feature object groups gather together configuration objects under a specified title text for the purpose of organizing their display in graphical user interfaces unlike folders they do not require the folder to be opened for the individual objects to become visible instead all objects are already visible and they are displayed in a way that indicates how they are grouped together p.127
• Editing group properties p.128
• A simple example p.128
• Adding preceding objects p.129
• Adding additional objects p.129
• Removing a group p.130
• Moving groups p.130
• Moving group objects p.130
• Leaving a group p.130
• Groups and folders p.130
• Schedules p.131
• Schedule parameters p.131
• Schedule objects p.131
• Multiple time ranges p.131
• Important set the system date and time p.131
• Schedules chapter 3 fundamentals p.132
• Example 3 7 setting up a time scheduled policy p.132
• Certificate components p.133
• Certificate authorities p.133
• Overview p.133
• Certificates with vpn tunnels p.133
• Certificates p.133
• Validity time p.134
• Trusting certificates p.134
• Reusing root certificates p.134
• Important p.134
• Identification lists p.134
• Certificates in netdefendos p.134
• Certificate revocation lists p.134
• Example 3 9 associating certificates with ipsec tunnels p.135
• Example 3 8 uploading a certificate p.135
• Create a gateway certificate on the windows ca server and export it as a file in the pfx format p.135
• Convert the pfx file into the pem format p.135
• Ca certificate requests chapter 3 fundamentals p.135
• Ca certificate requests p.135
• To request certificates from a ca server or ca company the best method is to send a ca certificate request which is a file that contains a request for a certificate in a well known predefined format p.135
• There are two types of certificates that can be uploaded self signed certificates and remote certificates belonging to a remote peer or ca server self signed certificates can be generated by using one of a number of freely available utilities for doing this p.135
• The netdefendos web interface webui does not currently include the ability to generate certificate requests that can be sent to a ca server for generation of the cer and key files required by netdefendos p.135
• Manually creating windows ca server requests p.135
• It is possible however to manually create the required files for a windows ca server using the following stages p.135
• Time zones p.137
• Time synchronization protocols p.137
• Setting date and time p.137
• Overview p.137
• Note a reconfigure is not required p.137
• Date and time p.137
• Current date and time p.137
• Many regions follow daylight saving time dst or summer time as it is called in some countries and this means clocks are advanced for the summer period unfortunately the principles regulating dst vary from country to country and in some cases there can be variations within the same country for this reason netdefendos does not automatically know when to adjust for dst instead this information has to be manually provided if daylight saving time is to be used p.138
• Example 3 2 enabling dst p.138
• Example 3 1 setting the time zone p.138
• Daylight saving time p.138
• Time servers chapter 3 fundamentals p.138
• Time servers p.138
• There are two parameters governing daylight saving time the dst period and the dst offset the dst period specifies on what dates daylight saving time starts and ends the dst offset indicates the number of minutes to advance the clock during the daylight saving time period p.138
• The world is divided up into a number of time zones with greenwich mean time gmt in london at zero longitude being taken as the base time zone all other time zones going east and west from zero longitude are taken as being gmt plus or minus a given integer number of hours all locations counted as being inside a given time zone will then have the same local time and this will be one of the integer offsets from gmt p.138
• The netdefendos time zone setting reflects the time zone where the netdefend firewall is physically located p.138
• Time synchronization protocols p.139
• Important dns servers need to be configured in netdefendos p.139
• Configuring time servers p.139
• To avoid situations where a faulty time server causes the clock to be updated with a extremely inaccurate time a maximum adjustment value in seconds can be set if the difference between the current netdefendos time and the time received from a time server is greater than this maximum adjustment value then the time server response will be discarded for example assume that the maximum adjustment value is set to 60 seconds and the current netdefendos time is 16 42 35 if a time server responds with a time of 16 43 38 then the difference is 63 seconds this is greater than the maximum adjustment value so no update occurs for this response p.140
• Time servers chapter 3 fundamentals p.140
• Maximum time adjustment p.140
• If the timesyncinterval parameter is not specified when using the cli to set the synchronization interval the default of 86400 seconds equivalent to one day is used p.140
• Example 3 5 modifying the maximum adjustment value p.140
• Example 3 4 manually triggering a time synchronization p.140
• Settings summary for date and time p.141
• D link time servers p.141
• Time zone p.141
• Synchronization intervals p.141
• Time sync server type p.142
• Teriary time server p.142
• Secondary time server p.142
• Primary time server p.142
• Max time drift p.142
• Interval between synchronization p.142
• Dst start date p.142
• Dst offset p.142
• Dst end date p.142
• Group interval p.143
• Overview p.144
• Features requiring dns resolution p.144
• Dns with netdefendos p.144
• Dynamic dns p.145
• Note a high rate of server queries can cause problems p.145
• Overview p.147
• Chapter 4 routing p.147
• The principles of routing p.148
• The components of a route p.148
• Static routing p.148
• Figure 4 a typical routing scenario p.149
• A typical routing scenario p.149
• The narrowest routing table match is selected p.150
• The local ip address parameter p.150
• Figure 4 using local ip address with an unbound network p.151
• The route lookup mechanism p.152
• Static routing p.152
• Netdefendos route notation p.152
• All traffic must have two associated routes p.152
• Composite subnets can be specified p.153
• Netdefendos route definition advantages p.153
• When the netdefend firewall is started for the first time netdefendos will automatically add a p.154
• Tip the cli cc command may be needed first p.154
• These routing table changes can take place for different reasons for example if dynamic routing with ospf has been enabled then routing tables will become populated with new routes learned from communicating with other ospf routers in an ospf network other events such as route fail over can also cause routing table contents to change over time p.154
• Static routing chapter 4 routing p.154
• It is important to note that routing tables that are initially configured by the administrator can have routes added deleted and changed automatically during live operation and these changes will appear when the routing table contents are displayed p.154
• In the cli example above it was necessary to first select the name of a specific routing table with the cc command meaning change category or change context before manipulating individual routes this is necessary for any category that could contain more than one named group of objects p.154
• Example 4 displaying the main routing table p.154
• Displaying routing tables p.154
• Default static routes are added automatically for each interface p.154
• The all nets route p.155
• Note the metric for default routes is 100 p.155
• Core routes p.155
• Netdefend firewalls are often deployed in mission critical locations where availability and connectivity is crucial for example an enterprise relying heavily on access to the internet could have operations severely disrupted if a single connection to the external internet via a single internet service provider isp fails p.156
• It is therefore not unusual to have backup internet connectivity using a secondary isp the connections to the two service providers often use different routes to avoid a single point of failure p.156
• For detailed information about the output of the cli routes command please see the cli reference guide p.156
• To allow for a situation with multiple isps netdefendos provides a route failover capability so that should one route fail traffic can automatically failover to another alternate route netdefendos implements route failover through the use of route monitoring in which netdefendos monitors the availability of routes and then switches traffic to an alternate route should the primary preferred route fail p.156
• Tip understanding output from the routes command p.156
• Route failover chapter 4 routing p.156
• Route failover p.156
• Overview p.156
• Setting up route failover p.157
• Setting the route metric p.157
• Figure 4 a route failover scenario for isp access p.157
• Automatically added routes need redefining p.157
• Route interface grouping p.158
• Re enabling routes p.158
• Multiple failover routes p.158
• Failover processing p.158
• Host monitoring for route failover p.159
• Gratuitous arp generation p.159
• Enabling host monitoring p.159
• Overview p.159
• Specifying hosts p.160
• The reachability required option p.161
• Iface poll interval p.161
• Http parameters p.161
• Arp poll interval p.161
• Advanced settings for route failover p.161
• A known issue when no external route is specified p.161
• Proxy arp p.162
• Ping poll interval p.162
• Overview p.162
• Gratuitous arp on fail p.162
• Grace time p.162
• Consecutive success p.162
• Consecutive fails p.162
• A typical scenario p.162
• Transparent mode as an alternative p.163
• Setting up proxy arp p.163
• Figure 4 a proxy arp example p.163
• Proxy arp and high availability clusters p.164
• Not all interfaces can make use of proxy arp p.164
• Automatically added routes p.164
• Policy based routing tables p.165
• Policy based routing rules p.165
• Policy based routing p.165
• Overview p.165
• The ordering parameter p.166
• Routing table selection p.166
• If there is no route that is an exact match then the absence of a default all nets route will mean that the connection will be dropped p.167
• Example 4 creating the route p.167
• Example 4 creating a policy based routing table p.167
• A common mistake with policy based routing is the absence of the default route with a destination interface of all nets in the default main routing table p.167
• The ordering parameter chapter 4 routing p.167
• Important ensure all nets appears in the main table p.167
• The ordering parameter chapter 4 routing p.168
• Example 4 policy based routing configuration p.168
• Route load balancing p.170
• Rlb operation p.170
• Overview p.170
• Enabling rlb p.170
• Disabling rlb p.170
• Figure 4 the rlb round robin algorithm p.171
• Using route metrics with spillover p.172
• Using route metrics with round robin p.172
• Figure 4 the rlb spillover algorithm p.172
• Rlb resets p.173
• Rlb limitations p.173
• An rlb scenario p.173
• The requirement for matching ip ranges p.173
• We will not use the spillover algorithm in this example so the routing metric for both routes should be the same in this case a value of 100 is selected p.174
• We first need to define two routes to these two isps in the main routing table as shown below p.174
• The service all is used in the above ip rules but this should be further refined to a service or service group that covers all the traffic that will be allowed to flow p.174
• Route load balancing chapter 4 routing p.174
• In order to flow any traffic requires both a route and an allowing ip rule the following rules will allow traffic to flow to either isp and will nat the traffic using the external ip addresses of interfaces wan1 and wan2 p.174
• Figure 4 a route load balancing scenario p.174
• Example 4 setting up rlb p.174
• By using the destination rlb algorithm we can ensure that clients communicate with a particular server using the same route and therefore the same source ip address if nat was being used for the client communication the ip address seen by the server would be wan1 or wan2 p.174
• Use two isps with one tunnel connecting through one isp and the other tunnel connecting through the other isp rlb can then be applied as normal with the two tunnels p.175
• This solution has the advantage of providing redundancy should one isp link fail p.175
• Route load balancing chapter 4 routing p.175
• Rlb with vpn p.175
• In order to get the second tunnel to function in this case it is necessary to add a single host route in the main routing table that points to the secondary isps interface and with the secondary isps gateway p.175
• If we were to try and use rlb to balance traffic between two ipsec tunnels the problem that arises is that the remote endpoint for any two ipsec tunnels in netdefendos must be different the solutions to this issue are as follows p.175
• If both tunnels must be for example ipsec connects it is possible to wrap ipsec in a gre tunnel in other words the ipsec tunnel is carried by a gre tunnel gre is a simple tunneling protocol without encryption and therefore involves a minimum of extra overhead see section 3 gre tunnels for more about this topic p.175
• When using rlb with vpn a number of issues need to be overcome p.175
• Use vpn with one tunnel that is ipsec based and another tunnel that is uses a different protocol p.175
• Link state algorithms p.176
• Dynamic routing p.176
• Distance vector algorithms p.176
• Differences to static routing p.176
• The ospf solution p.177
• Ospf is not available on all d link netdefend models p.177
• Figure 4 a simple ospf scenario p.177
• Advantages of link state algorithms p.177
• A simple ospf scenario p.177
• Tip ring topologies always provide alternate routes p.178
• Ospf provides route redundancy p.178
• Figure 4 ospf providing route redundancy p.178
• A look at routing metrics p.178
• Link state routing p.179
• The autonomous system p.179
• Overview p.179
• Ospf is not available on all d link netdefend models p.179
• Ospf concepts p.179
• The designated router p.180
• Ospf areas p.180
• Ospf area components p.180
• Authentication p.180
• Virtual links p.181
• Neighbors p.181
• Aggregates p.181
• A linking areas without direct connection to the backbone p.181
• Figure 4 0 virtual links connecting areas p.182
• B linking a partitioned backbone p.182
• Ospf high availability support p.183
• Figure 4 1 virtual links with partitioned backbone p.183
• Using ospf with netdefendos p.183
• Ospf router process p.184
• Ospf components p.184
• General parameters p.184
• Figure 4 2 netdefendos ospf objects p.184
• Authentication p.185
• Ospf area p.186
• Note authentication must be the same on all routers p.186
• General parameters p.186
• Advanced p.186
• Ospf interface p.187
• Note different interface types can be used with ospf interfaces p.187
• Import filter p.187
• Ospf vlinks p.189
• Ospf neighbors p.189
• Ospf aggregates p.189
• Usage with ospf p.190
• The reasons for dynamic routing rules p.190
• The final ospf setup step is creating dynamic routing rules p.190
• Overview p.190
• Note linking partitioned backbones p.190
• Dynamic routing rules p.190
• When to use export rules p.191
• Specifying a filter p.191
• Ospf requires at least an import rule p.191
• General parameters p.191
• Figure 4 3 dynamic routing rule objects p.191
• Dynamic routing rule objects p.191
• Dynamic routing rule p.191
• More parameters p.192
• General parameters p.192
• Destination network p.192
• Routing action p.192
• Ospf action p.192
• Setting up ospf p.193
• Sending ospf traffic through a vpn tunnel p.195
• Ospf routing information exchange begins automatically p.195
• Confirming ospf deployment p.195
• Tip non ospf traffic can also use the tunnel p.196
• An ospf example p.196
• Example 4 creating an ospf router process p.197
• Example 4 add ospf interface objects p.197
• Example 4 add an ospf area p.197
• Example 4 0 import routes from an ospf as into the main routing table p.197
• An ospf example chapter 4 routing p.197
• Example 4 1 exporting the default route into an ospf as p.198
• An ospf example chapter 4 routing p.198
• Reverse path forwarding p.199
• Multicast routing p.199
• Underlying principles p.199
• The multicast routing solution p.199
• The multicast problem p.199
• Routing to the correct interface p.199
• Overview p.199
• Note interface multicast handling must be on or auto p.199
• Note an allow or nat rule is also needed p.200
• Multicast forwarding with sat multiplex rules p.200
• Multicast forwarding no address translation p.200
• The matching rule could also be a nat rule for source address translation see below but cannot be a fwdfast or sat rule p.201
• Remember to add an allow rule that matches the sat multiplex rule p.201
• Note sat multiplex rules must have a matching allow rule p.201
• Multicast forwarding with sat multiplex rules chapter 4 routing p.201
• Figure 4 4 multicast forwarding no address translation p.201
• Example 4 2 forwarding of multicast traffic using the sat multiplex rule p.201
• The two values outif ip represent a combination of output interface and if address translation of a group is needed an ip address p.202
• The destination interface is core since 239 92 00 0 is a multicast group no address translation of 239 92 00 0 was added but if it is required for say if2 then the final argument would be p.202
• The cli command to create the multiplex rule is then p.202
• Multiplexargument outif1 ip1 outif2 ip2 outif3 ip3 p.202
• Multiplexargument if2 if3 p.202
• Multicast forwarding with sat multiplex rules chapter 4 routing p.202
• Multicast forwarding address translation scenario p.202
• If for example multiplexing of the multicast group 239 92 00 0 is required to the output interfaces if2 and if3 then the command to create the rule would be p.202
• First the ipruleset in this example main needs to be selected as the current category p.202
• Creating multiplex rules with the cli p.202
• Creating multiplex rules through the cli requires some additional explanation p.202
• Cc ipruleset main p.202
• Multicast forwarding with sat multiplex rules chapter 4 routing p.203
• Figure 4 5 multicast forwarding address translation p.203
• Example 4 3 multicast forwarding address translation p.203
• As previously noted remember to add an allow rule matching the sat multiplex rule p.203
• This scenario is based on the previous scenario but this time the multicast group is translated when the multicast streams 239 92 0 24 are forwarded through the if2 interface the multicast groups should be translated into 237 92 0 24 p.203
• No address translation should be made when forwarding through interface if1 the configuration of the corresponding igmp rules can be found below in section 4 igmp rules configuration address translation p.203
• Reports are sent from hosts towards the router when a host wants to subscribe to new multicast groups or change current multicast subscriptions p.204
• Queries are igmp messages sent from the router towards the hosts in order to make sure that it will not close any stream that some host still wants to receive p.204
• Proxy mode p.204
• Note replace allow with nat for source ip translation p.204
• Normally both types of rule have to be specified for igmp to function but there are two exceptions p.204
• Netdefendos supports two igmp modes of operation p.204
• Igmp signalling between hosts and routers can be divided into two categories p.204
• Igmp reports p.204
• Igmp queries p.204
• Igmp configuration chapter 4 routing p.204
• Igmp configuration p.204
• If the multicast source is located on a network directly connected to the router no query rule is needed p.204
• If address translation of the source address is required the allow rule following the sat multiplex rule should be replaced with a nat rule p.204
• If a neighboring router is statically configured to deliver a multicast stream to the netdefend firewall an igmp query would also not have to be specified p.204
• The operation of these two modes are shown in the following illustrations p.204
• Snoop mode p.204
• Igmp rules configuration no address translation p.205
• Figure 4 7 multicast proxy mode p.205
• Figure 4 6 multicast snoop mode p.205
• Igmp configuration chapter 4 routing p.206
• Example 4 4 igmp no address translation p.206
• Two examples are provided one for each pair of report and query rule the upstream multicast router uses ip upstreamrouterip p.207
• The following examples illustrates the igmp rules needed to configure igmp according to the address translation scenario described above in section 4 multicast forwarding address translation scenario we need two igmp report rules one for each client interface the interface if1 uses no address translation and if2 translates the multicast group to 237 92 0 24 we also need two query rules one for the translated address and interface and one for the original address towards if1 p.207
• Igmp rules configuration address translation p.207
• Igmp configuration chapter 4 routing p.207
• Example 4 5 if1 configuration p.207
• Igmp configuration chapter 4 routing p.208
• Example 4 6 if2 configuration group translation p.208
• Auto add multicast core route p.209
• Advanced igmp settings p.209
• Igmp router version p.209
• Igmp react to own queries p.209
• Igmp lowest compatible version p.209
• Igmp last member query interval p.209
• Igmp before rules p.209
• Igmp unsolicated report interval p.210
• Igmp startup query interval p.210
• Igmp startup query count p.210
• Igmp robustness variable p.210
• Igmp query response interval p.210
• Igmp query interval p.210
• Igmp max total requests p.210
• Igmp max interface requests p.210
• Switch routes p.212
• Overview p.212
• Comparison with routing mode p.212
• Usage scenarios p.212
• Transparent mode usage p.212
• Transparent mode p.212
• Note transparent and routing mode can be combined p.213
• How transparent mode works p.213
• Restricting the network parameter p.214
• Multiple switch routes are connected together p.214
• Enabling transparent mode p.214
• Transparent mode with vlans p.215
• Creating separate transparent mode networks p.215
• Transparent mode with dhcp p.216
• High availability and transparent mode p.216
• Enabling transparent mode directly on interfaces p.216
• Figure 4 9 transparent mode internet access p.217
• Figure 4 8 non transparent mode internet access p.217
• Enabling internet access p.217
• Using nat p.218
• Transparent mode scenarios p.218
• Scenario 1 p.218
• Netdefendos may also need internet access p.218
• Grouping ip addresses p.218
• Transparent mode scenarios chapter 4 routing p.219
• Figure 4 0 transparent mode scenario 1 p.219
• Example 4 7 setting up transparent mode for scenario 1 p.219
• Transparent mode scenarios chapter 4 routing p.220
• Scenario 2 p.220
• Here the netdefend firewall in transparent mode separates server resources from an internal network by connecting them to a separate interface without the need for different address ranges p.220
• Figure 4 1 transparent mode scenario 2 p.220
• Example 4 8 setting up transparent mode for scenario 2 p.220
• All hosts connected to lan and dmz the lan and dmz interfaces share the 10 24 address space as this is configured using transparent mode any ip address can be used for the servers and there is no need for the hosts on the internal network to know if a resource is on the same network or placed on the dmz the hosts on the internal network are allowed to communicate with an http server on dmz while the http server on the dmz can be reached from the internet the netdefend firewall is transparent between the dmz and lan but traffic is still controlled by the ip rule set p.220
• Transparent mode scenarios chapter 4 routing p.221
• Netdefendos includes support for relaying the bridge protocol data units bpdus across the netdefend firewall bpdu frames carry spanning tree protocol stp messages between layer 2 switches in a network stp allows the switches to understand the network topology and avoid the occurrences of loops in the switching of packets p.222
• The diagram below illustrates a situation where bpdu messages would occur if the administrator enables the switches to run the stp protocol two netdefend firewalls are deployed in transparent mode between the two sides of the network the switches on either side of the firewall need to communicate and require netdefendos to relay switch bpdu messages in order that packets do not loop between the firewalls p.222
• Spanning tree bpdu support chapter 4 routing p.222
• Spanning tree bpdu support p.222
• Implementing bpdu relaying p.223
• Figure 4 2 an example bpdu relaying scenario p.223
• Enabling disabling bpdu relaying p.223
• Cam to l3 cache dest learning p.223
• Advanced settings for transparent mode p.223
• Transparency ats size p.224
• Transparency ats expire p.224
• Note optimal ats handling p.224
• L3 cache size p.224
• Dynamic l3c size p.224
• Dynamic cam size p.224
• Decrement ttl p.224
• Cam size p.224
• Relay spanning tree bpdus p.225
• Null enet sender p.225
• Multicast enet sender p.225
• Broadcast enet sender p.225
• Relay mpls p.226
• Overview p.228
• Lease expiration p.228
• Ip address assignment p.228
• Dhcp leases p.228
• Chapter 5 dhcp services p.228
• Using relayer ip address filtering p.229
• Searching the server list p.229
• Multiple dhcp servers p.229
• Dhcp servers p.229
• Dhcp options p.229
• Dhcp server advanced settings p.230
• Displaying ip to mac address mappings p.231
• Tip lease database saving p.232
• Static host parameters p.232
• Static dhcp hosts p.232
• Figure 5 dhcp server objects p.232
• Additional server settings p.232
• Example 5 static dhcp host assignment p.233
• Custom options chapter 5 dhcp services p.233
• Custom options p.233
• Can be specified as this parameter the option exists to also specify if the identifier will be sent as an ascii or hexadecimal value p.233
• An example of this is certain switches that require the ip address of a tftp server from which they can get certain extra information p.233
• Adding a custom option to the dhcp server definition allows the administrator to send specific pieces of information to dhcp clients in the dhcp leases that are sent out p.233
• Custom option parameters p.234
• Dhcp relaying p.235
• Although all netdefendos interfaces are core routed that is to say a route exists by default that routes interface ip addresses to core for relayed dhcp requests this core routing does not apply instead the interface is the source interface and not core p.235
• A dhcp relayer takes the place of the dhcp server in the local network and acts as the link between the client and a remote dhcp server it intercepts requests coming from clients and relays them to the dhcp server the dhcp server then responds to the relayer which forwards the response back to the client dhcp relayers use the tcp ip bootstrap protocol bootp to implement this relay functionality for this reason dhcp relayers are sometimes referred to as bootp relay agents p.235
• With dhcp clients send requests to locate the dhcp server s using broadcast messages however broadcasts are normally only propagated across the local network this means that the dhcp server and client always need to be on the same physical network in a large internet like network topology this means there would have to be a different dhcp server on every network this problem is solved by the use of a dhcp relayer p.235
• The source ip of relayed dhcp traffic p.235
• The dhcp relayer solution p.235
• The dhcp problem p.235
• For relayed dhcp traffic the option exists in netdefendos to use the interface on which it listens as the source interface for forwarded traffic or alternatively the interface on which it sends out the forwarded request p.235
• Example 5 setting up a dhcp relayer p.235
• Dhcp relaying chapter 5 dhcp services p.235
• How many hops the dhcp request can take between the client and the dhcp server p.236
• How many dhcp packets a client can send to through netdefendos to the dhcp server during one minute p.236
• For how long a dhcp transaction can take place p.236
• Dhcp relay advanced settings chapter 5 dhcp services p.236
• Dhcp relay advanced settings p.236
• Default 500 packets p.236
• Default 5 p.236
• Default 32 p.236
• Transaction timeout p.236
• Default 10 seconds p.236
• The maximum lease time allowed by netdefendos if the dhcp server has a higher lease time it p.236
• The following advanced settings are available with dhcp relaying p.236
• Maximum number of transactions at the same time p.236
• Max transactions p.236
• Max ppm p.236
• Max lease time p.236
• Max hops p.236
• Max auto routes p.237
• Auto save policy p.237
• Auto save interval p.237
• Overview p.238
• Ip pools with config mode p.238
• Ip pools p.238
• Basic ip pool options p.238
• Advanced ip pool options p.238
• Memory allocation for prefetched leases p.239
• Listing ip pool status p.239
• Other options in the ippool command allow the administrator to change the pool size and to free up ip addresses the complete list of command options can be found in the cli reference guide p.240
• Ip pools chapter 5 dhcp services p.240
• Example 5 creating an ip pool p.240
• The default access rule p.242
• Overview p.242
• Custom access rules are optional p.242
• Chapter 6 security mechanisms p.242
• Access rules p.242
• Turning off default access rule messages p.243
• Note enabling logging p.243
• Ip spoofing p.243
• Access rule settings p.243
• Access rule filtering fields p.243
• Access rule actions p.243
• If for some reason the default access rule log message is continuously being generated by some source and needs to be turned off then the way to do this is to specify an access rule for that source with an action of drop p.244
• Troubleshooting access rule related problems p.244
• It should be noted that access rules are a first filter of traffic before any other netdefendos modules can see it sometimes problems can appear such as setting up vpn tunnels precisely because of this it is always advisable to check access rules when troubleshooting puzzling problems in case a rule is preventing some other function such as vpn tunnel establishment from working properly p.244
• Example 6 setting up an access rule p.244
• Access rule settings chapter 6 security mechanisms p.244
• Overview p.245
• Figure 6 deploying an alg p.245
• Deploying an alg p.245
• Tip maximum sessions for http can sometimes be too low p.246
• The http alg p.246
• Maximum connection sessions p.246
• Http alg features p.246
• Using wildcards in white and blacklists p.248
• The ordering for http filtering p.248
• Note similarities with other netdefendos features p.248
• Figure 6 http alg processing order p.248
• The ftp alg p.249
• Ftp connections p.249
• Ftp connection modes p.249
• Deploying an http alg p.249
• A discussion of ftp security issues p.249
• The netdefendos alg solution p.250
• Hybrid mode p.250
• Predefined ftp algs p.251
• Note hybrid conversion is automatic p.251
• Ftp alg command restrictions p.251
• Figure 6 ftp alg hybrid mode p.251
• Connection restriction options p.251
• Note some commands are never allowed p.252
• Filetype checking p.252
• Control channel restrictions p.252
• Anti virus scanning p.252
• Note zonedefense won t block infected servers p.253
• Ftp alg with zonedefense p.253
• The ftp alg chapter 6 security mechanisms p.254
• The ftp alg chapter 6 security mechanisms p.255
• The ftp alg chapter 6 security mechanisms p.256
• Example 6 protecting ftp clients p.256
• The ftp alg chapter 6 security mechanisms p.257
• The tftp alg p.258
• Setting up ftp servers with passive mode p.258
• General tftp options p.258
• The smtp alg p.259
• Tftp request options p.259
• Smtp alg options p.259
• Allowing request timeouts p.259
• The ordering for smtp filtering p.260
• Enhanced smtp and extensions p.261
• Using wildcards in white and blacklists p.261
• Figure 6 smtp alg processing order p.261
• Tip exclusion can be manually configured p.262
• Smtp alg with zonedefense p.262
• Anti spam filtering p.262
• The netdefendos anti spam implementation p.263
• Figure 6 anti spam filtering p.263
• Dnsbl server queries p.263
• Dnsbl databases p.263
• Creating a dnsbl consesus p.263
• Tagging spam p.264
• Alternative actions for dropped spam p.264
• A threshold calculation example p.264
• Verifying the sender email p.265
• Allowing for failed dnsbl servers p.265
• Adding x spam information p.265
• Setup summary p.266
• Logging p.266
• Caching addresses for performance p.266
• The dnsbl cli command p.267
• Tip dnsbl servers p.268
• The pop3 alg p.268
• Pop3 alg options p.268
• Why the pptp alg is needed p.269
• The pptp alg p.269
• Pptp alg setup p.269
• Figure 6 pptp alg usage p.269
• The sip alg p.270
• Pptp alg settings p.270
• Sip alg options p.271
• Note traffic shaping will not work with the sip alg p.271
• Netdefendos sip setup p.271
• Sip media related protocols p.271
• Sip components p.271
• The sip proxy record route option p.272
• Ip rules for media data p.272
• Sip usage scenarios p.273
• Scenario 1 protecting local clients proxy located on the internet p.273
• Note nat traversal should not be configured p.274
• The service object for ip rules p.275
• Scenario 2 protecting proxy and local clients proxy on the same network as clients p.275
• Note nat traversal should not be configured p.275
• Scenario 3 protecting proxy and local clients proxy on the dmz interface p.277
• The h 23 alg p.280
• H 23 components p.280
• H 23 protocols p.281
• H 23 alg features p.281
• H 23 alg configuration p.282
• The h 23 alg chapter 6 security mechanisms p.283
• The h 23 alg chapter 6 security mechanisms p.284
• Example 6 h 23 with private ip addresses p.284
• To place a call to the phone behind the netdefend firewall place a call to the external ip address on the firewall if multiple h 23 phones are placed behind the firewall one sat rule has to be configured for each phone this means that multiple external addresses have to be used however it is preferred to use a h 23 gatekeeper as in the h 23 with gatekeeper scenario as this only requires one external address p.285
• The h 23 alg chapter 6 security mechanisms p.285
• Example 6 two phones behind different netdefend firewalls p.285
• The h 23 alg chapter 6 security mechanisms p.286
• Example 6 using private ip addresses p.286
• To place a call to the phone behind the netdefend firewall place a call to the external ip address on the firewall if multiple h 23 phones are placed behind the firewall one sat rule has to be configured for each phone this means that multiple external addresses have to be used however it is preferable to use an h 23 gatekeeper as this only requires one external address p.287
• The h 23 alg chapter 6 security mechanisms p.287
• Example 6 h 23 with gatekeeper p.287
• The h 23 alg chapter 6 security mechanisms p.288
• There is no need to specify a specific rule for outgoing calls netdefendos monitors the communication between external phones and the gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper p.289
• The h 23 alg chapter 6 security mechanisms p.289
• Note outgoing calls do not need a specific rule p.289
• Example 6 h 23 with gatekeeper and two netdefend firewalls p.289
• There is no need to specify a specific rule for outgoing calls netdefendos monitors the communication between external phones and the gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper p.290
• The h 23 alg chapter 6 security mechanisms p.290
• Note outgoing calls do not need a specific rule p.290
• Example 6 0 using the h 23 alg in a corporate environment p.290
• The h 23 alg chapter 6 security mechanisms p.291
• The h 23 alg chapter 6 security mechanisms p.292
• There is no need to specify a specific rule for outgoing calls netdefendos monitors p.293
• The h 23 alg chapter 6 security mechanisms p.293
• Note outgoing calls do not need a specific rule p.293
• Example 6 2 allowing the h 23 gateway to register with the gatekeeper p.293
• Example 6 1 configuring remote offices for h 23 p.293
• Tls is certificate based p.294
• The tls alg p.294
• The relationship with ssl p.294
• Overview p.294
• Advantages of using netdefendos for tls termination p.295
• Figure 6 tls termination p.295
• Enabling tls p.295
• Urls delivered by servers p.296
• Netdefendos tls limitations p.296
• Cipher suites supported by netdefendos tls p.296
• Web content filtering p.297
• Overview p.297
• Note enabling wcf p.297
• Filtering mechanisms p.297
• Caution consider the consequences of removing objects p.297
• Active content handling p.297
• Wildcarding p.298
• Static content filtering p.298
• Static and dynamic filter ordering p.298
• Example com bad this will also cause www myexample com to be blocked since it blocks all sites ending with example com p.299
• Example 6 4 setting up a white and blacklist p.299
• Www example com bad this will only block the first request to the web site surfing to www example com index html for example will not be blocked p.299
• Web content filtering url blacklisting is a separate concept from section 6 blacklisting hosts and networks p.299
• Static content filtering chapter 6 security mechanisms p.299
• Note the hosts and networks blacklist is separate p.299
• Gif good this will block all files with gif as the file name extension p.299
• Wcf processing flow p.300
• Overview p.300
• Dynamic web content filtering p.300
• Dynamic wcf is only available on certain netdefend models p.300
• Dynamic wcf databases p.300
• Wcf and whitelisting p.301
• Setting up wcf p.301
• Note new url submissions are done anonymously p.301
• Figure 6 dynamic content filtering flow p.301
• Categorizing pages and not sites p.301
• Activation p.302
• Tip using a schedule p.302
• The option exists to set the http alg fail mode in the same way that it can be set for some other algs and it applies to wcf just as it does to functions such as anti virus scanning the fail mode setting determines what happens when dynamic content filtering cannot function and typically this is because netdefendos is unable to reach the external databases to perform url lookup fail mode can have one of two settings p.302
• Setting fail mode p.302
• Once a subscription is taken out an http application layer gateway alg object should be defined with dynamic content filtering enabled this object is then associated with a service object and the service object is then associated with a rule in the ip rule set to determine which traffic should be subject to the filtering this makes possible the setting up of a detailed filtering policy based on the filtering parameters that are used for rules in the ip rule set p.302
• If the administrator would like the content filtering policy to vary depending on the time of the day they can make use of a schedule object associated with the corresponding ip rule for more information please see section 3 schedules p.302
• Example 6 5 enabling dynamic web content filtering p.302
• Dynamic web content filtering chapter 6 security mechanisms p.302
• Dynamic content filtering is a feature that is enabled by taking out a separate subscription to the service this is an addition to the normal netdefendos license p.302
• Deny if wcf is unable to function then urls are denied if external database access to verify them is not possible the user will see an access denied web page p.302
• Allow if the external wcf database is not accessible urls are allowed even though they might be disallowed if the wcf databases were accessible p.302
• Introducing blocking gradually p.303
• In audit mode the system will classify and log all surfing according to the content filtering policy but restricted web sites will still be accessible to the users this means the content filtering feature of netdefendos can then be used as an analysis tool to analysis what categories of websites are being accessed by a user community and how often p.303
• Dynamic web content filtering chapter 6 security mechanisms p.303
• Blocking websites can disturb users if it is introduced suddenly it is therefore recommended that the administrator gradually introduces the blocking of particular categories one at a time this allows individual users time to get used to the notion that blocking exists and could avoid any adverse reaction that might occur if too much is blocked at once gradual introduction also makes it p.303
• Audit mode p.303
• After running in audit mode for some period of time it is easier to then have a better understanding of the surfing behavior of different user groups and also to better understand the potential impact of turning on the wcf feature p.303
• Reclassification of blocked sites p.304
• On some occasions active content filtering may prevent users carrying out legitimate tasks consider a stock analyst who deals with on line gaming companies in his daily work he might need to browse gambling web sites to conduct company assessments if the corporate policy blocks gambling web sites he will not be able to do his job p.304
• If a user overrides the restricted site notice page they are allowed to surf to all pages without any new restricted site message appearing again the user is however still being logged when the user has become inactive for 5 minutes the restricted site page will reappear if they then try to access a restricted site p.304
• For this reason netdefendos supports a feature called allow override with this feature enabled the content filtering component will present a warning to the user that he is about to enter a web site that is restricted according to the corporate policy and that his visit to the web site will be logged this page is known as the restricted site notice the user is then free to continue to the url or abort the request to prevent being logged p.304
• Example 6 6 enabling audit mode p.304
• Easier to evaluate if the goals of site blocking are being met p.304
• Dynamic web content filtering chapter 6 security mechanisms p.304
• Caution overriding the restriction of a site p.304
• By enabling this functionality only users that have a valid reason to visit inappropriate sites will normally do so other will avoid those sites due to the obvious risk of exposing their surfing habits p.304
• As the process of classifying unknown web sites is automated there is always a small risk that some sites are given an incorrect classification netdefendos provides a mechanism for allowing users to p.304
• Allowing override p.304
• Manually propose a new classification of sites p.305
• If reclassification is enabled and a user requests a web site which is disallowed the block web page will include a dropdown list containing all available categories if the user believes the requested web site is wrongly classified he can select a more appropriate category from the dropdown list and submit that as a proposal p.305
• Example 6 7 reclassifying a blocked site p.305
• Dynamic web content filtering chapter 6 security mechanisms p.305
• Content filtering categories p.305
• This section lists all the categories used with dynamic content filtering and describes the purpose p.305
• This mechanism can be enabled on a per http alg level which means that the administrator can choose to enable this functionality for regular users or for a selected user group only p.305
• The url to the requested web site as well as the proposed category will then be sent to d link s central data warehouse for manual inspection that inspection may result in the web site being reclassified either according to the category proposed or to a category which is felt to be correct p.305
• Category 5 travel tourism p.306
• Category 4 gambling p.306
• Category 3 job search p.306
• Category 2 news p.306
• Category 1 adult content p.306
• Category 9 dating sites p.307
• Category 8 chatrooms p.307
• Category 7 entertainment p.307
• Category 6 shopping p.307
• Category 10 game sites p.307
• Category 13 crime terrorism p.308
• Category 12 e banking p.308
• Category 11 investment sites p.308
• Category 15 politics p.308
• Category 14 personal beliefs cults p.308
• Category 20 search sites p.309
• Category 19 malicious p.309
• Category 18 violence undesirable p.309
• Category 17 www email sites p.309
• Category 16 sports p.309
• Category 26 educational p.310
• Category 25 government blocking list p.310
• Category 24 business oriented p.310
• Category 23 music downloads p.310
• Category 22 clubs and societies p.310
• Category 21 health sites p.310
• Category 29 computing it p.311
• Category 28 drugs alcohol p.311
• Category 27 advertising p.311
• Category 31 spam p.311
• Category 30 swimsuit lingerie models p.311
• Unclassified sites and sites that do not fit one of the other categories will be placed in this category it is unusual to block this category since this could result in most harmless urls being blocked p.312
• To perform customization it is necessary to first create a new named alg banner files object this new object automatically contains a copy of all the files in the default alg banner files object these new files can then be edited and uploaded back to netdefendos the original default object cannot be edited the following example goes through the necessary steps p.312
• Example 6 8 editing content filtering http banner files p.312
• Dynamic web content filtering make use of a set of html files to present information to the user when certain conditions occur such as trying to access a blocked site these web pages sometimes referred to as http banner files are stored within netdefendos but can be customized to suit a particular installation s needs the webui provides a simple way to download edit and upload these files the available files are p.312
• Dynamic web content filtering chapter 6 security mechanisms p.312
• Customizing html pages p.312
• Compressionforbidden contentforbidden urlforbidden restrictedsitenotice reclassifyurl p.312
• Category 32 non managed p.312
• Uploading with scp p.313
• Tip saving changes p.313
• Html page parameters p.313
• Enabling through algs p.314
• Combining with client anti virus scanning p.314
• Anti virus scanning p.314
• Streaming p.314
• Pattern matching p.314
• Overview p.314
• Note anti virus is not available on all netdefend models p.314
• Implementation p.314
• Types of file downloads scanned p.315
• Simultaneous scans p.315
• Relationship with idp p.315
• Protocol specific behavior p.315
• Creating anti virus policies p.315
• Association with an alg p.315
• Activating anti virus scanning p.315
• Safestream p.316
• General options p.316
• Database updates p.316
• Anti virus options p.316
• The signature database p.316
• Subscribing to the d link anti virus service p.316
• Scan exclude option p.316
• Verifying the mime type p.317
• Updating in high availability clusters p.317
• Setting the correct system time p.317
• Compression ratio limit p.317
• Anti virus with zonedefense p.318
• Anti virus options chapter 6 security mechanisms p.319
• Netdefendos idp components p.320
• Maintenance and advanced idp p.320
• Intrusion detection and prevention p.320
• Intrusion detection p.320
• Intrusion definition p.320
• Idp issues p.320
• Idp availability for d link models p.320
• Overview p.320
• Subscribing to the d link advanced idp service p.321
• Figure 6 idp database updating p.321
• Updating in high availability clusters p.322
• The terms idp ips and ids p.322
• Setting the correct system time p.322
• Rule components p.322
• Idp rules p.322
• Idp signature selection p.323
• Http normalization p.323
• Figure 6 0 idp signature selection p.323
• Insertion evasion attack prevention p.324
• Insertion attacks p.324
• Initial packet processing p.324
• Evasion attacks p.324
• Checking dropped packets p.324
• Overview p.324
• Signatures p.325
• Signature advisories p.325
• Recommended configuration p.325
• Recognizing unknown threats p.325
• Insertion evasion log events p.325
• Idp pattern matching p.325
• Detection action p.325
• Using groups p.326
• Specifying signature groups p.326
• Idp signature types p.326
• Idp signature groups p.326
• Idp signature wildcarding p.327
• Idp actions p.327
• Caution use the minimum idp signatures necessary p.327
• Action options p.327
• Processing multiple actions p.327
• Listing of idp groups p.327
• The ip address of smtp log receivers is required p.328
• Smtp log receiver for idp events p.328
• Idp zonedefense p.328
• Idp blacklisting p.328
• Smtp log receiver for idp events chapter 6 security mechanisms p.329
• Example 6 1 setting up idp for a mail server p.329
• Using individual signatures p.330
• The preceding example uses an entire idp group name when enabling idp however it is possible p.330
• Smtp log receiver for idp events chapter 6 security mechanisms p.330
• Ping of death and jolt attacks p.332
• Overview p.332
• Dos attack mechanisms p.332
• Denial of service attack prevention p.332
• Fragmentation overlap attacks teardrop bonk boink and nestea p.333
• The winnuke attack p.333
• The land and latierra attacks p.333
• Protection on the victim s side p.334
• Avoiding becoming an amplifier p.334
• Amplification attacks smurf papasmurf fraggle p.334
• The syn flood defence mechanism p.335
• The jolt2 attack p.335
• Tcp syn flood attacks p.335
• Spotting syn floods p.335
• Distributed dos attacks p.335
• Algs automatically provide flood protection p.335
• Blacklisting hosts and networks p.337
• Tip important ip addresses should be whitelisted p.337
• Overview p.337
• Note restarts do not effect the blacklist p.337
• Blacklisting options p.337
• Whitelisting p.337
• The cli blacklist command p.338
• Note the content filtering blacklist is separate p.338
• Types of translation p.340
• Overview p.340
• Chapter 7 address translation p.340
• Nat provides many to one ip address translation p.341
• Limitations on the number of connections p.341
• Figure 7 nat ip address translation p.341
• Tip use nat pools to get around the connection limit p.342
• The source ip address used for translation p.342
• Applying nat translation p.342
• Figure 7 a nat example p.343
• Example 7 adding a nat rule p.343
• 68 1038 p.343
• 1 2 3 32789 p.343
• The sequence of these events is illustrated further in the diagram below p.343
• The original sender now receives the response p.343
• Netdefendos receives the packet and compares it to its list of open connections once it finds the connection in question it restores the original address and forwards the packet p.343
• Nat chapter 7 address translation p.343
• Several internal machines can not communicate with the same external server using the same ip protocol p.344
• Several internal machines can communicate with the same server using different ip protocols p.344
• Several internal machines can communicate with different external servers using the same ip protocol p.344
• Protocols handled by nat p.344
• Note restrictions only apply to ip level protocols p.344
• Netdefendos can alter port number information in the tcp and udp headers to make each connection unique even though such connections have had their sender addresses translated to the same ip p.344
• Nat chapter 7 address translation p.344
• Dynamic address translation is able to deal with the tcp udp and icmp protocols with a good level of functionality since the algorithm knows which values can be adjusted to become unique in the three protocols for other ip level protocols unique connections are identified by their sender addresses destination addresses and protocol numbers p.344
• Anonymizing internet traffic with nat p.344
• An internal machine can communicate with several external servers using the same ip protocol p.344
• An internal machine can communicate with several external servers using different ip protocols p.344
• A useful application of the nat feature in netdefendos is for anonymizing service providers to p.344
• This means that p.344
• These restrictions apply only to ip level protocols other than tcp udp and icmp such as ospf and l2tp they do not apply to the protocols transported by tcp udp and icmp such as telnet ftp http and smtp p.344
• Some protocols regardless of the method of transportation used can cause problems during address translation p.344
• Figure 7 anonymizing with nat p.345
• Types of nat pools p.346
• Stateful nat pools p.346
• Overview p.346
• Nat pools p.346
• Using nat pools p.347
• Stateless nat pools p.347
• Proxy arp usage p.347
• Ip pool usage p.347
• Fixed nat pools p.347
• Nat pools chapter 7 address translation p.348
• Sat requires multiple ip rules p.349
• Note port forwarding p.349
• Translation of a single ip address 1 1 p.349
• The second rule must trigger on the untranslated destination ip p.349
• The role of the dmz p.349
• Translation of a single ip address 1 1 chapter 7 address translation p.350
• The illustration below shows a typical network arrangement with the netdefend firewall mediating communications between the public internet and servers in the dmz and between the dmz and local clients on a network called lan p.350
• On all models of d link netdefend hardware there is a specific ethernet interface which is marked as being for the dmz network although this is the port s intended use it could be used for other purposes and any ethernet interface could also be used instead for a dmz p.350
• Note the dmz port could be any port p.350
• Figure 7 the role of the dmz p.350
• Example 7 enabling traffic to a protected web server in a dmz p.350
• Translation of a single ip address 1 1 chapter 7 address translation p.351
• Translation of a single ip address 1 1 chapter 7 address translation p.352
• Example 7 enabling traffic to a web server on an internal network p.352
• Translation of a single ip address 1 1 chapter 7 address translation p.353
• Attempts to communicate with 194 2 will result in a connection to 192 68 6 p.354
• An example of when this is useful is when having several protected servers in a dmz and where each server should be accessible using a unique public ip address p.354
• A single sat rule can be used to translate an entire range of ip addresses in this case the result is a transposition where the first original ip address will be translated to the first ip address in the translation list and so on p.354
• Translation of multiple ip addresses m n chapter 7 address translation p.354
• Translation of multiple ip addresses m n p.354
• In other words p.354
• For instance a sat policy specifying that connections to the 194 6 29 network should be translated to 192 68 0 will result in transpositions which are described in the table below p.354
• Example 7 translating traffic to multiple protected web servers p.354
• Attempts to communicate with 194 6 will result in a connection to 192 68 0 p.354
• Translation of multiple ip addresses m n chapter 7 address translation p.355
• When all nets is the destination all to one mapping is always done p.356
• This rule produces a n 1 translation of all addresses in the group the range 194 6 194 0 plus 194 0 to the ip 192 68 0 p.356
• Port translation p.356
• Netdefendos can be used to translate ranges and or groups into just one ip address p.356
• Attempts to communicate with 194 6 port 80 will result in a connection to 192 68 0 p.356
• Attempts to communicate with 194 0 port 80 will result in a connection to 192 68 0 p.356
• All to one mappings n 1 chapter 7 address translation p.356
• All to one mappings n 1 p.356
• Multiple sat rule matches p.357
• Protocols handled by sat p.357
• Note a custom service is needed for port translation p.357
• What happens now is as follows p.358
• We will now try moving the nat rule between the sat and fwdfast rules p.358
• We now add a nat rule to allow connections from the internal network to the internet p.358
• The two above rules may both be carried out concurrently on the same connection in this instance internal sender addresses will be translated to addresses in pubnet in a 1 1 relationship in addition if anyone tries to connect to the public address of the web server the destination address will be changed to its private address p.358
• The following rules make up a working example of static address translation using fwdfast rules to a web server located on an internal network p.358
• Sat and fwdfast rules chapter 7 address translation p.358
• Sat and fwdfast rules p.358
• Return traffic from wwwsrv 80 will match rules 2 and 4 and will appear to be sent from wan_ip 80 correct p.358
• Return traffic from wwwsrv 80 to internal machines will be sent directly to the machines themselves this will not work as the packets will be interpreted as coming from the wrong address p.358
• It is possible to employ static address translation in conjunction with fwdfast rules although return traffic must be explicitly granted and translated p.358
• Internal traffic to wan_ip 80 will match rules 1 and 3 and will be sent to wwwsrv this is almost correct the packets will arrive at wwwsrv but p.358
• In this instance both rules are set to translate the destination address meaning that only one of them will be carried out if an attempt is made internally to communicate with the web servers public address it will instead be redirected to an intranet server if any other attempt is made to communicate with the web servers public address it will be redirected to the private address of the publicly accessible web server p.358
• External traffic to wan_ip 80 will match rules 1 and 3 and will be sent to wwwsrv correct p.358
• Again note that the above rules require a matching allow rule at a later point in the rule set in order to work p.358
• What happens now p.359
• The problem can be solved using the following rule set p.359
• Sat and fwdfast rules chapter 7 address translation p.359
• Return traffic will automatically be handled by the netdefend firewall s stateful inspection mechanism p.359
• Return traffic from wwwsrv 80 will match rules 2 and 3 the replies will therefore be dynamically address translated this changes the source port to a completely different port which will not work p.359
• Return traffic from wwwsrv 80 will match rules 2 and 3 p.359
• Internal traffic to wan_ip 80 will match rules 1 and 4 and will be sent to wwwsrv the sender address will be the netdefend firewall s internal ip address guaranteeing that return traffic passes through the netdefend firewall p.359
• External traffic to wan_ip 80 will match rules 1 and 5 and will be sent to wwwsrv p.359
• External traffic to wan_ip 80 will match rules 1 and 4 and will be sent to wwwsrv correct p.359
• Proving identity p.361
• Overview p.361
• Making use of username password combinations p.361
• Chapter 8 user authentication p.361
• Setup summary p.363
• Group membership p.363
• Authentication setup p.363
• Using groups with ip rules p.363
• The local database p.363
• Specifying an ssh public key p.364
• Pptp l2tp configuration p.364
• Note other authentication sources do not have the pptp l2tp option p.364
• Granting administration privileges p.364
• Caution use the network option with care p.364
• Support for groups p.365
• Setting up ldap authentication p.365
• Reasons for using external servers p.365
• Radius usage with netdefendos p.365
• Radius security p.365
• External radius servers p.365
• External ldap servers p.365
• General settings p.366
• Defining an ldap server p.366
• Microsoft active directory as the ldap server p.366
• Ldap issues p.366
• Ldap attributes p.366
• Note the ldap server database determines the correct value p.367
• Important the base object must be specified correctly p.368
• Database settings p.368
• Usernames may need the domain p.369
• Optional settings p.369
• Ldap server responses p.369
• Bind request authentication p.369
• Real time monitoring statistics p.370
• Ldap authentication cli commands p.370
• Ldap authentication and ppp p.370
• Figure 8 normal ldap authentication p.371
• Authentication rules p.372
• Authentication rule parameters p.372
• Important the link to the ldap server must be protected p.372
• Figure 8 ldap for ppp with chap ms chapv1 or ms chapv2 p.372
• Connection timeouts p.373
• Multiple logins p.374
• Authentication processing p.374
• Http authentication p.375
• Changing the management webui port p.375
• Agent options p.375
• A group usage example p.375
• Setting up ip rules p.376
• If the agent is set to https then the host certificate and root certificate have to be chosen from a list of certificates already loaded into netdefendos p.376
• Http authentication chapter 8 user authentication p.376
• Http authentication cannot operate unless a rule is added to the ip rule set to explicitly allow authentication to take place if we consider the example of a number of clients on the local network lannet who would like access to the public internet through the wan interface then the ip rule set would contain the following rules p.376
• Form is recommended over basicauth because in some cases the browser might hold the login data in its cache p.376
• Forcing users to a login page p.376
• Combination a realm string can optionally be specified which will appear in the browser s dialog p.376
• With this setup when users that are not authenticated try to surf to any ip except lan_ip they will fall through the rules and their packets will be dropped to always have these users come to the authentication page we must add a sat rule and its associated allow rule the rule set will now look like this p.376
• The third rule allows dns lookup of urls p.376
• The second rule allows normal surfing activity but we cannot just use lannet as the source network since the rule would trigger for any unauthenticated client from that network instead the source network is an administrator defined ip object called trusted_users which is the same network as lannet but has additionally either the authentication option no defined credentials enabled or has an authentication group assigned to it which is the same group as that assigned to the users p.376
• The sat rule catches all unauthenticated requests and must be set up with an all to one address mapping that directs them to the address 127 which corresponds to core netdefendos itself p.376
• The first rule allows the authentication process to take place and assumes the client is trying to access the lan_ip ip address which is the ip address of the interface on the netdefend firewall where the local network connects p.376
• Http authentication chapter 8 user authentication p.377
• Example 8 user authentication setup for web access p.377
• Example 8 creating an authentication user group p.377
• Http authentication chapter 8 user authentication p.378
• Example 8 configuring a radius server p.378
• Http banner files p.379
• Html page parameters p.379
• Editing the banner files p.379
• Customizing html pages p.379
• Example 8 editing content filtering http banner files p.380
• Customizing html pages chapter 8 user authentication p.380
• Uploading with scp p.380
• Tip html file changes need to be saved p.380
• The web page url for redirects p.380
• The redirurl parameter p.380
• Since scp cannot be used to download the original default html the source code must be first copied from the webui and pasted into a local text file which is then edited using an appropriate editor p.380
• Since redirurl only has this internal purpose it should not be removed from web pages and should appear in the formlogin page if that is used p.380
• Reason the reason that access was denied p.380
• It is possible to upload new http banner files using scp the steps to do this are p.380
• Ipaddr the ip address which is being browsed from p.380
• In the above example more than one html file can be edited in a session but the save button should be pressed to save any edits before beginning editing on another file p.380
• In certain banner web pages the parameter redirurl appears this is a placeholder for the original url which was requested before the user login screen appeared for an unauthenticated user following successful authentication the user becomes redirected to the url held by this parameter p.380
• Vpn usage p.383
• Overview p.383
• Chapter 9 vpn p.383
• Vpn planning p.384
• Vpn encryption p.384
• The tls alternative for vpn p.385
• Placement in a dmz p.385
• Key distribution p.385
• Endpoint security p.385
• Vpn quick start p.387
• Overview p.387
• Common tunnel setup requirements p.387
• Ipsec lan to lan with pre shared keys p.388
• Note the system time and date should be correct p.389
• Ipsec lan to lan with certificates p.389
• Ipsec roaming clients with pre shared keys p.390
• A ip addresses already allocated p.390
• B ip addresses handed out by netdefendos p.391
• Ipsec roaming clients with certificates p.392
• Configuring ipsec clients p.392
• L2tp roaming clients with pre shared keys p.393
• Note the system time and date should be correct p.393
• L2tp roaming clients with certificates p.394
• Pptp roaming clients p.395
• Set up the client for windows xp the procedure is exactly as described for l2tp above but without entering the pre shared key p.396
• Pptp roaming clients chapter 9 vpn p.396
• Now set up the ip rules in the ip rule set p.396
• Enable proxy arp on the int interface p.396
• Define a user authentication rule this is almost identical to l2tp p.396
• As in l2tp enable the insertion of new routes automatically into the main routing table p.396
• As described for l2tp the nat rule lets the clients access the public internet via the netdefend firewall p.396
• Security associations sas p.397
• Overview p.397
• Ipsec components p.397
• Internet key exchange ike p.397
• Ike and ipsec lifetimes p.398
• Ike algorithm proposals p.398
• Ike phase 1 ike security negotiation p.398
• Ike negotiation p.398
• Ike phase 2 ipsec security negotiation p.399
• Ike parameters p.399
• Diffie hellman groups p.402
• Psk advantages p.403
• Manual keying disadvantages p.403
• Manual keying advantages p.403
• Manual keying p.403
• Ike authentication p.403
• Psk disadvantages p.404
• Ipsec protocols esp ah p.404
• Disadvantages of certificates p.404
• Certificates p.404
• Ah authentication header p.404
• Advantages of certificates p.404
• Nat traversal p.405
• Figure 9 the esp protocol p.405
• Figure 9 the ah protocol p.405
• Esp encapsulating security payload p.405
• Udp encapsulation p.406
• Nat traversal configuration p.406
• Changing ports p.406
• Achieving nat detection p.406
• Algorithm proposal lists p.407
• Pre shared keys chapter 9 vpn p.408
• Pre shared keys can be generated automatically through the webui but they can also be generated through the cli using the command pskgen this command is fully documented in the cli reference guide p.408
• Pre shared keys are used to authenticate vpn tunnels the keys are secrets that are shared by the communicating parties before communication takes place to communicate both parties prove that they know the secret the security of a shared secret depends on how good a passphrase is passphrases that are common words are extremely vulnerable to dictionary attacks p.408
• Pre shared keys p.408
• If a psk is specified as a passphrase and not a hexadecimal value the different encodings on different platforms can cause a problem with non ascii characters windows for example encodes pre shared keys containing non ascii characters in utf 16 while netdefendos uses utf 8 even though they can seem the same at either end of the tunnel there will be a mismatch and this can sometimes cause problems when setting up a windows l2tp client that connects to netdefendos p.408
• Example 9 using a pre shared key p.408
• Beware of non ascii characters in a psk on different platforms p.408
• When certificates are used as authentication method for ipsec tunnels the netdefend firewall will accept all remote devices or vpn clients that are capable of presenting a certificate signed by any of the trusted certificate authorities this can be a potential problem especially when using roaming clients p.409
• The problem p.409
• The id list solution p.409
• The concept of identification lists presents a solution to this problem an identification list contains one or more identities ids where each identity corresponds to the subject field in a certificate identification lists can thus be used to regulate what certificates that are given access to what ipsec tunnels p.409
• Since the ip addresses of the travelling employees vpn clients cannot be known beforehand the incoming vpn connections from the clients cannot be differentiated this means that the firewall is unable to control the access to various parts of the internal networks p.409
• Identification lists chapter 9 vpn p.409
• Identification lists p.409
• Example 9 using an identity list p.409
• Consider the scenario of travelling employees being given access to the internal corporate networks using vpn clients the organization administers their own certificate authority and certificates have been issued to the employees different groups of employees are likely to have access to different parts of the internal networks for example members of the sales force need access to servers running the order system while technical engineers need access to technical databases p.409
• A typical scenario p.409
• Identification lists chapter 9 vpn p.410
• Identification lists chapter 9 vpn p.411
• No ip rules are needed for the enclosing ipsec traffic p.412
• Local initiation of tunnel establishment p.412
• Ipsec tunnels p.412
• Ip rules control decrypted traffic p.412
• Returning traffic p.412
• Remote initiation of tunnel establishment p.412
• Overview p.412
• Keep alive p.413
• Ipsec tunnel quick start p.413
• Dead peer detection p.413
• Comparing dpd and keep alive p.413
• Roaming clients p.414
• Psk based client tunnels p.414
• Lan to lan tunnels with pre shared keys p.414
• Dealing with unknown ip addresses p.414
• The following example shows how a certificate based tunnel can be set up p.415
• Self signed certificate based client tunnels p.415
• Roaming clients chapter 9 vpn p.415
• Example 9 setting up a self signed certificate based vpn tunnel for roaming clients p.415
• Example 9 setting up a psk based vpn tunnel for roaming clients p.415
• Roaming clients chapter 9 vpn p.416
• Tunnels based on ca server certificates p.417
• Setting up client tunnels using a ca issued certificate is largely the same as using self signed certificates with the exception of a couple of steps p.417
• Roaming clients chapter 9 vpn p.417
• It is the responsibility of the administrator to acquire the appropriate certificate from an issuing authority for client tunnels with some systems such as windows 2000 server there is built in access to a ca server in windows 2000 server this is found in certificate services for more information on ca server issued certificates see section 3 certificates p.417
• Example 9 setting up ca server certificate based vpn tunnels for roaming clients p.417
• Using config mode p.418
• Defining the config mode object p.418
• Ip validation p.419
• However in some scenarios this information is missing or the administrator wishes to use another ldap server the ldap configuration section can then be used to manually specify alternate ldap servers p.419
• Fetching crls from an alternate ldap server chapter 9 vpn p.419
• Fetching crls from an alternate ldap server p.419
• Example 9 using config mode with ipsec tunnels p.419
• Example 9 setting up an ldap server p.419
• After defining the config mode object the only remaining action is to enable config mode to be used with the ipsec tunnel p.419
• A root certificate usually includes the ip address or hostname of the certificate authority to contact when certificates or crls need to be downloaded to the netdefend firewall lightweight directory access protocol ldap is used for these downloads p.419
• Optionally the affected sa can be automatically deleted if validation fails by enabling the advanced setting ipsecdeletesaonipvalidationfailure the default value for this setting is disabled p.419
• Netdefendos always checks if the source ip address of each packet inside an ipsec tunnel is the same as the ip address assigned to the ipsec client with ike config mode if a mismatch is detected the packet is always dropped and a log message generated with a severity level of warning this message includes the two ip addresses as well as the client identity p.419
• Vpn tunnel negotiation p.420
• Using ikesnoop p.420
• Troubleshooting with ikesnoop p.420
• The client and the server p.420
• Step 1 client initiates exchange by sending a supported algorithm list p.421
• Step 2 server responds to client p.422
• Explanation of values p.422
• Step 3 clients begins key exchange p.423
• Step 5 client sends identification p.424
• Step 4 server sends key exchange data p.424
• Explanation of above values p.424
• Step 7 client sends a list of supported ipsec algorithms p.425
• Step 6 server id response p.425
• Explanation of above values p.426
• Step 8 client sends a list of supported algorithms p.426
• Step 9 client confirms tunnel setup p.427
• Ipsec max tunnels p.427
• Ipsec max rules p.427
• Ipsec advanced settings p.427
• Ipsec before rules p.428
• Ike send initial contact p.428
• Ike send crls p.428
• Ike max ca path p.428
• Ike crl validity time p.428
• Ipsec gateway name cache time p.429
• Ipsec cert cache max certs p.429
• Dpd metric p.429
• Dpd keep time p.429
• Dpd expire time p.429
• Deployment p.431
• Troubleshooting pptp p.431
• Pptp servers p.431
• Pptp l2tp quick start p.431
• Pptp l2tp p.431
• Overview p.431
• Implementation p.431
• The client communicates with a local access concentrator lac and the lac communicates across the internet with a l2tp network server lns the netdefend firewall acts as the lns the lac tunnels data such as a ppp session using ipsec to the lns across the internet in most cases the client will itself act as the lac p.432
• Tcp port 1723 and or ip protocol 47 before the pptp connection can be made to the netdefend firewall examining the log can indicate if this problem occurred with a log message of the following form appearing p.432
• Layer 2 tunneling protocol l2tp is an ietf open standard that overcomes many of the problems of pptp its design is a combination of layer 2 forwarding l2f protocol and pptp making use of the best features of both since the l2tp standard does not implement encryption it is usually implemented with an ietf standard known as l2tp ipsec in which l2tp packets are encapsulated by ipsec p.432
• L2tp servers chapter 9 vpn p.432
• L2tp servers p.432
• L2tp is certificate based and therefore is simpler to administer with a large number of clients and arguably offers better security than pptp unlike pptp it is possible to set up multiple virtual networks across a single tunnel because it is ipsec based l2tp requires nat traversal nat t to be implemented on the lns side of the tunnel p.432
• Example 9 0 setting up a pptp server p.432
• Error ppp lcp_negotiation_stalled ppp_terminated p.432
• Example 9 2 setting up an l2tp tunnel over ipsec p.433
• Example 9 1 setting up an l2tp server p.433
• L2tp servers chapter 9 vpn p.433
• L2tp servers chapter 9 vpn p.434
• L2tp servers chapter 9 vpn p.435
• The following l2tp pptp server advanced settings are available to the administrator p.436
• L2tp pptp server advanced settings chapter 9 vpn p.436
• L2tp pptp server advanced settings p.436
• Pptp l2tp clients p.437
• Pptp before rules p.437
• Max ppp resends p.437
• L2tp before rules p.437
• Client setup p.437
• Using the pptp client feature p.438
• Note the default pptp l2tp route p.438
• Figure 9 pptp client usage p.439
• Ca server access p.440
• Access considerations p.440
• Overview p.440
• Ca server types p.440
• Placement of private ca servers p.441
• Figure 9 certificate validation components p.441
• Ca server access by clients p.441
• Turning off fqdn resolution p.442
• Vpn troubleshooting p.443
• Troubleshooting certificates p.443
• General troubleshooting p.443
• Warning be careful using the num all option p.444
• The ipsecstat console command p.444
• Ipsec troubleshooting commands p.444
• The ikesnoop console command p.445
• Specific error messages p.445
• Management interface failure with vpn p.445
• Could not find acceptable proposal no proposal chosen p.446
• Incorrect pre shared key p.446
• Payload_malformed p.447
• No public key found p.447
• Ike_invalid_payload ike_invalid_cookie p.447
• Unable to set up with config mode and getting a spurious xauth message p.448
• The tunnel can only be initiated from one side p.448
• Specific symptoms p.448
• Note l2tp with microsoft vista p.448
• Traffic shaping p.451
• The traffic shaping solution p.451
• Qos with tcp ip p.451
• Overview p.451
• Netdefendos diffserv support p.451
• Chapter 10 traffic management p.451
• Traffic shaping in netdefendos p.452
• Note traffic shaping will not work with the sip alg p.452
• Traffic shaping objectives p.452
• Pipe rules p.453
• Pipe rule chains p.453
• Note no pipe rules are defined by default p.453
• Figure 10 pipe rules determine pipe usage p.453
• Simple bandwidth limiting p.454
• Pipes will not work with fwdfast ip rules p.454
• Figure 10 fwdfast rules bypass traffic shaping p.454
• Explicitly excluding traffic from shaping p.454
• Using a single pipe for both directions p.455
• Limiting bandwidth in both directions chapter 10 traffic management p.455
• Limiting bandwidth in both directions p.455
• Just inserting std in in the forward chain will not work since we probably want the 2 mbps limit for outbound traffic to be separate from the 2 mbps limit for inbound traffic if 2 mbps of outbound traffic attempts to flow through the pipe in addition to 2 mbps of inbound traffic the total p.455
• In the previous example only bandwidth in the inbound direction is limited in most situations this is the direction that becomes full first but what if the outbound traffic must be limited in the same way p.455
• A single pipe does not care in which direction the traffic through it is flowing when it calculates total throughout using the same pipe for both outbound and inbound traffic is allowed by netdefendos but this will not partition the pipe limit exactly in two between the two directions p.455
• Attempting to flow is 4 mbps since the pipe limit is 2 mbps the actual flow will be close to 1 mbps in each direction p.456
• Using two separate pipes instead p.456
• Two surfing pipes for inbound and outbound traffic could be set up however it is not usually required to limit outbound traffic since most web surfing usually consists of short outbound server p.456
• The recommended way to control bandwidth in both directions is to use two separate pipes one for inbound and one for outbound traffic in the scenario under discussion each pipe would have a 2 mbps limit to achieve the desired result the following example goes through the setup for this p.456
• The incorrect solution p.456
• Raising the total pipe limit to 4 mbps will not solve the problem since the single pipe will not know that 2 mbps of inbound and 2 mbps of outbound are the intended limits the result might be 3 mbps outbound and 1 mbps inbound since this also adds up to 4 mbps p.456
• In the previous examples a static traffic limit for all outbound connections was applied what if the aim is to limit web surfing more than other traffic assume that the total bandwidth limit is 250 kbps and 125 kbps of that is to be allocated to web surfing inbound traffic p.456
• Example 10 limiting bandwidth in both directions p.456
• Creating differentiated limits using chains chapter 10 traffic management p.456
• Creating differentiated limits using chains p.456
• The default precedence is zero p.457
• The correct solution p.457
• Precedences p.457
• Figure 10 differentiated limits using chains p.457
• Precedence priority is relative p.458
• Figure 10 the eight pipe precedences p.458
• Allocating precedence to traffic p.458
• There are 8 possible precedence levels p.458
• Specifying precedences within pipes p.458
• Tip specifying bandwidth p.459
• The lowest best effort precedence p.459
• Precedence limits are also guarantees p.459
• Precedences only apply when a pipe is full p.460
• Lowest precedence limits p.460
• Figure 10 minimum and maximum pipe precedence p.460
• Applying precedences p.460
• Using precedences as guarantees p.461
• The need for guarantees p.461
• Note a limit on the lowest precedence has no meaning p.461
• Differentiated guarantees p.461
• Note the return chain ordering is important p.462
• Grouping by networks requires the size p.462
• A port grouping includes the ip address p.462
• Pipe groups p.462
• Specifying group limits p.463
• Combining the group total and precedences p.463
• Figure 10 traffic grouped by ip address p.464
• Dynamic balancing p.464
• Combining pipe and group limit precedence values p.464
• Another simple groups example p.464
• Vpn pipe limits p.465
• Traffic shaping recommendations p.465
• The importance of a pipe limit p.465
• Relying on the group limit p.465
• Precedences and dynamic balancing p.465
• Limits should not be more than the available bandwidth p.466
• Limits should be less than available bandwidth p.466
• Attacks on bandwidth p.466
• A summary of traffic shaping p.466
• Watching for leaks p.466
• Troubleshooting p.466
• A basic scenario p.467
• 0 more pipe examples p.467
• Priority 6 500 p.468
• Priority 4 citrix 250 kpbs p.468
• Priority 4 250 p.468
• Priority 2 other traffic 1000 kpbs p.468
• Priority 2 1000 p.468
• Priority 0 web plus remaining from other levels p.468
• Now create the pipe rules p.468
• Lets assume we have a symmetric 2 2 mbps link to the internet we will allocate descending priorities and traffic requirements to the following users p.468
• First two pipes called in pipe and out pipe need to be created with the following parameters p.468
• We now extend the above example by allocating priorities to different kinds of traffic accessing the internet from a headquarters office p.468
• Figure 10 a basic traffic shaping scenario p.468
• Using several precedences p.468
• Dynamic balancing should be enabled for both pipes instead of perdestip and persrcip we could have used perdestnet and persrcnet if there were several networks on the inside p.468
• To implement this scheme we can use the in pipe and out pipe we first enter the pipe limits for each pipe these limits correspond to the list above and are p.468
• 0 more pipe examples chapter 10 traffic management p.468
• The rule will force all traffic to the default precedence level and the pipes will limit total traffic to their 1 mbps limit having dynamic balancing enabled on the pipes means that all users will be allocated a fair share of this capacity p.468
• The reason for using 2 different pipes in this case is that these are easier to match to the physical link capacity this is especially true with asynchronous links such as adsl p.468
• The next step is to create the following pipe rule which will force traffic to flow through the pipes p.468
• Priority 6 voip 500 kpbs p.468
• Priority 6 voip 500 kpbs p.469
• Priority 0 best effort p.469
• Pipe chaining p.469
• Note that in other and out other are first in the pipe chain in both directions this is because we want to limit the traffic immediately before it enters the in pipe and out pipe and competes with voip citrix and web surfing traffic p.469
• It is also important to remember to insert into the pipe all non vpn traffic using the same physical link p.469
• In the cases discussed so far all traffic shaping is occurring inside a single netdefend firewall vpn is typically used for communication between a headquarters and branch offices in which case pipes can control traffic flow in both directions with vpn it is the tunnel which is the source and destination interface for the pipe rules p.469
• An important consideration which has been discussed previously is allowance in the pipe total values for the overhead used by vpn protocols as a rule of thumb a pipe total of 1700 bps is reasonable for a vpn tunnel where the underlying physical connection capacity is 2 mbps p.469
• A vpn scenario p.469
• 0 more pipe examples chapter 10 traffic management p.469
• Vpn in p.469
• To do this we first create separate pipes for the outgoing traffic and the incoming traffic voip traffic will be sent over a vpn tunnel that will have a high priority all other traffic will be sent at the best effort priority see above for an explanation of this term again we will assume a 2 2 mbps symmetric link p.469
• These rules are processed from top to bottom and force different kinds of traffic into precedences based on the service customized service objects may need to be first created in order to identify particular types of traffic the all service at the end catches anything that falls through from earlier rules since it is important that no traffic bypasses the pipe rule set otherwise using pipes will not work p.469
• The pipes required will be p.469
• The pipe chaining can be used as a solution to the problem of vpn overhead a limit which allows for this overhead is placed on the vpn tunnel traffic and non vpn traffic is inserted into a pipe that matches the speed of the physical link p.469
• Suppose the requirement now is to limit the precedence 2 capacity other traffic to 1000 kbps so that it does not spill over into precedence 0 this is done with pipe chaining where we create new pipes called in other and out other both with a pipe limit of 1000 the other pipe rule is then modified to use these p.469
• Total 1700 p.470
• The following pipe rules are then needed to force traffic into the correct pipes and precedence levels p.470
• Sat with pipes p.470
• Priority 6 voip 500 kpbs p.470
• Priority 0 best effort p.470
• Out pipe p.470
• In pipe p.470
• If sat is being used for example with a web server or ftp server that traffic also needs to be forced into pipes or it will escape traffic shaping and ruin the planned quality of service in addition server traffic is initiated from the outside so the order of pipes needs to be reversed the forward pipe is the in pipe and the return pipe is the out pipe p.470
• A simple solution is to put a catch all inbound rule at the bottom of the pipe rule however the external interface wan should be the source interface to avoid putting into pipes traffic that is coming from the inside and going to the external ip address this last rule will therefore be p.470
• 0 more pipe examples chapter 10 traffic management p.470
• With this setup all vpn traffic is limited to 1700 kbps the total traffic is limited to 2000 kbps and voip to the remote site is guaranteed 500 kbps of capacity before it is forced to best effort p.470
• Vpn out p.470
• Total 2000 p.470
• Note sat and arped ip addresses p.471
• Setting up idp traffic shaping p.472
• Overview p.472
• Idp traffic shaping p.472
• Combining idp and traffic shaping p.472
• Application related bandwidth usage p.472
• Unintended consequences p.473
• The importance of specifying a network p.473
• Processing flow p.473
• Either side can trigger idp p.473
• Figure 10 idp traffic shaping p2p scenario p.474
• Excluding hosts p.474
• A p2p scenario p.474
• Viewing traffic shaping objects p.475
• Viewing pipes p.475
• Viewing hosts p.475
• Pipes are shared p.475
• Pipe naming p.475
• Logging p.476
• Guaranteeing instead of limiting bandwidth p.476
• Threshold rules p.477
• Threshold policies p.477
• Overview p.477
• Note threshold rules are not available on all netdefend models p.477
• Limiting the total connections p.477
• Limiting the connection rate total connections p.477
• Limiting the connection rate p.477
• Grouping p.478
• Exempted connections p.478
• Threshold rules and zonedefense p.478
• Threshold rule blacklisting p.478
• Rule actions p.478
• Multiple triggered actions p.478
• Server load balancing p.480
• Overview p.480
• Note slb is not available on all d link netdefend models p.480
• Slb distribution algorithms p.481
• Slb deployment considerations p.481
• Identifying the servers p.481
• Figure 10 a server load balancing configuration p.481
• Additional benefits of slb p.481
• Stickiness parameters p.482
• Selecting stickiness p.482
• Slb algorithms and stickiness p.483
• Figure 10 0 connections from three clients p.483
• Server health monitoring p.484
• Figure 10 2 stickiness and connection rate p.484
• Figure 10 1 stickiness and round robin p.484
• The table below shows the rules that would be defined for a typical scenario of a set of webservers behind the netdefend firewall for which the load is being balanced the allow rule allows external clients to access the webservers p.485
• The key component in setting up slb are ip rules that have slb_sat as the action the steps that should be followed for setting up such rules are p.485
• Setting up slb_sat rules chapter 10 traffic management p.485
• Setting up slb_sat rules p.485
• Note that the destination interface is specified as core meaning netdefendos itself deals with this the key advantage of having a separate allow rule is that the webservers can log the exact ip address that is generating external requests using only a nat rule which is possible means that webservers would see only the ip address of the netdefend firewall p.485
• Note fwdfast rules should not be used with slb p.485
• In order to function slb requires that the netdefendos state engine keeps track of connections fwdfast ip rules should not be used with slb since packets that are forwarded by these rules are under state engine control p.485
• If there are clients on the same network as the webservers that also need access to those webservers then an nat rule would also be used p.485
• Example 10 setting up slb p.485
• Define an slb_sat rule in the ip rule set which refers to this ip address group and where all other slb parameters are defined p.485
• Define an ip address object for each server for which slb is to enabled p.485
• Define an ip address group object which includes all these individual objects p.485
• Define a further rule that duplicates the source destination interface network of the slb_sat rule that permits the traffic through this could be one rule or a combination of rules using the actions p.485
• Setting up slb_sat rules chapter 10 traffic management p.486
• Setting up slb_sat rules chapter 10 traffic management p.487
• The master and active units p.489
• Overview p.489
• Note high availability is only available on some netdefend models p.489
• Interconnection of cluster units p.489
• Ha clusters p.489
• Chapter 11 high availability p.489
• Load sharing p.490
• Hardware duplication p.490
• Extending redundancy p.490
• Cluster management p.490
• Heartbeat characteristics p.491
• Ha mechanisms p.491
• Disabling heartbeat sending on interfaces p.491
• Basic principles p.491
• Heartbeat frequency p.491
• Shared ip addresses and arp p.492
• Ha with anti virus and idp p.492
• Failover time p.492
• Dealing with sync failure p.492
• Note an inactive unit restart is required for resynchronization p.493
• Typical ha cluster network connections p.494
• Setting up ha p.494
• Note management cannot be done through the shared ip p.494
• Ha hardware setup p.494
• Note the illustration shows a crossover cable sync connection p.495
• Netdefendos manual ha setup p.495
• Verifying the cluster functions p.496
• Note ip addresses could be public addresses p.496
• Making cluster configuration changes p.496
• Enabling a unique shared mac address p.497
• With dissimilar hardware units p.497
• Unique shared mac addresses p.497
• Problem diagnosis p.497
• Using individual ip addresses p.498
• The shared ip must not be 0 p.498
• Making ospf work p.498
• Invalid checksums in heartbeat packets p.498
• Ha issues p.498
• Failed interfaces p.498
• Changing the cluster id p.498
• All cluster interfaces need ip addresses p.498
• Pppoe tunnels and dhcp clients p.499
• Upgrading an ha cluster p.500
• Important make sure the inactive unit is alive p.500
• Ha advanced settings p.502
• Deactivate before reconf p.502
• Use unique shared mac p.502
• Sync packet max burst p.502
• Sync buffer size p.502
• Reconf failover time p.502
• Initial silence p.502
• Zonedefense controls switches p.504
• Using thresholds p.504
• Overview p.504
• Note zonedefense is not available on all netdefend models p.504
• Chapter 12 zonedefense p.504
• Acl upload p.504
• Zonedefense switches p.505
• Tip switch firmware versions should be the latest p.505
• Snmp managers p.506
• Manual blocking and exclude lists p.506
• Managed devices p.506
• Zonedefense operation p.506
• Threshold rules p.506
• Manual blocking and exclude lists chapter 12 zonedefense p.507
• Exclude lists can be created and used to exclude hosts from being blocked when a threshold rule limit is reached good practice includes adding to the list the firewall s interface ip or mac address connecting towards the zonedefense switch this prevents the firewall from being accidentally blocked out p.507
• Example 12 a simple zonedefense scenario p.507
• As a complement to threshold rules it is also possible to manually define hosts and networks that are to be statically blocked or excluded manually blocked hosts and networks can be blocked by default or based on a schedule it is also possible to specify which protocols and protocol port numbers are to be blocked p.507
• Zonedefense with anti virus scanning chapter 12 zonedefense p.508
• Zonedefense with anti virus scanning p.508
• Zonedefense can be used in conjuction with the netdefendos anti virus scanning feature netdefendos can first identify a virus source through antivirus scanning and then block the source by communicating with switches configured to work with zonedefense this feature is activated through the following algs p.508
• This feature is described further in section 6 anti virus scanning and in the sections covering the individual algs p.508
• There are some differences in zonedefense operation depending on switch model the first difference is the latency between the triggering of a blocking rule to the moment when switch es actually starts blocking out the traffic matched by the rule all switch models require a short period p.508
• Smtp zonedefense can block a local smtp client that is sending viruses with emails p.508
• Limitations p.508
• Http zonedefense can block an http server that is a virus source p.508
• Ftp zonedefense can block a local ftp client that is uploading viruses p.508
• Important clearing the acl rule set on the switch p.509
• Note activating setting changes p.511
• Log received ttl 0 p.511
• Log non ip4 p.511
• Log checksum errors p.511
• Ip level settings p.511
• Chapter 13 advanced settings p.511
• Ttl on low p.512
• Ttl min p.512
• Multicast ttl on low p.512
• Layer size consistency p.512
• Default ttl p.512
• Block multicast src p.512
• Block 127 net p.512
• Block 0000 src p.512
• Block 0 net p.512
• Directed broadcasts p.513
• Securemoteudp compatibility p.513
• Ip router alert option p.513
• Ip options timestamps p.513
• Ip options other p.513
• Ip option source return p.513
• Ip option sizes p.513
• Strip dontfragment p.514
• Multicast mismatch option p.514
• Min broadcast ttl option p.514
• Low broadcast ttl action option p.514
• Ip reserved flag p.514
• Tcp mss on high p.515
• Tcp mss min p.515
• Tcp mss max p.515
• Tcp mss log level p.515
• Tcp level settings p.515
• Tcp option sizes p.515
• Tcp mss vpn max p.515
• Tcp mss on low p.515
• Tcp zero unused urg p.516
• Tcp zero unused ack p.516
• Tcp option wsopt p.516
• Tcp option tsopt p.516
• Tcp option sack p.516
• Tcp option altchkreq p.516
• Tcp auto clamping p.516
• Tcp syn urg p.517
• Tcp syn rst p.517
• Tcp syn psh p.517
• Tcp option other p.517
• Tcp option con timeout p.517
• Tcp option altchkdata p.517
• Tcpe ecn p.518
• Tcp urg p.518
• Tcp syn fin p.518
• Tcp sequence numbers p.518
• Tcp reserved field p.518
• Tcp null p.518
• Tcp fin urg p.518
• Allow tcp reopen p.519
• Silently drop state icmperrors p.520
• Icmp sends per sec limit p.520
• Icmp level settings p.520
• Log state violations p.521
• Log reverse opens p.521
• Log open fails p.521
• Log connections p.521
• Connection replace p.521
• State settings p.521
• Max connections p.522
• Log connection usage p.522
• Dynamic max connections p.522
• Udp idle lifetime p.523
• Udp bidirectional keep alive p.523
• Tcp syn idle lifetime p.523
• Tcp idle lifetime p.523
• Tcp fin idle lifetime p.523
• Ping idle lifetime p.523
• Igmp idle lifetime p.523
• Connection timeout settings p.523
• Other idle lifetime p.524
• Max esp length p.525
• Max ah length p.525
• Length limit settings p.525
• Max udp length p.525
• Max tcp length p.525
• Max icmp length p.525
• Max gre length p.525
• Max skip length p.526
• Max other length p.526
• Max ospf length p.526
• Max l2tp length p.526
• Max ipsec ipcomp length p.526
• Max ipip fwz length p.526
• Log oversized packets p.526
• Pseudo reass max concurrent p.527
• Illegal fragments p.527
• Fragmentation settings p.527
• Duplicated fragment data p.527
• Dropped fragments p.528
• Failed fragment reassembly p.528
• Duplicate fragments p.528
• Reassembly timeout p.529
• Reassembly done limit p.529
• Minimum fragment length p.529
• Max reassembly time limit p.529
• Fragmented icmp p.529
• Reassembly illegal limit p.530
• Max size p.531
• Max concurrent p.531
• Local fragment reassembly settings p.531
• Large buffers p.531
• Max pipe users p.532
• Max memory p.532
• Max connections p.532
• Flood reboot time p.532
• Watchdog time p.532
• Udp source port 0 p.532
• Port 0 p.532
• Miscellaneous settings p.532
• Tip a registration guide can be downloaded p.534
• Subscription renewal p.534
• Pre empting database updates p.534
• Overview p.534
• Monitoring database updates p.534
• Important renew in good time p.534
• Database console commands p.534
• Appendix a subscribing to updates p.534
• Querying update status p.535
• Querying server status p.535
• Note updating the database causes a pause in processing p.535
• Deleting local databases p.535
• For idp scanning the following signature groups are available for selection these groups are only available for the d link advanced idp service there is a version of each group under the three types of ids ips and policy for further information see section 6 intrusion detection and prevention p.536
• Appendix b idp signature groups p.536
• Appendix b idp signature groups p.537
• Appendix b idp signature groups p.538
• Appendix b idp signature groups p.539
• The smtp alg p.540
• The pop3 alg p.540
• The http alg p.540
• The ftp alg p.540
• The algs listed above also offer the option to explicitly allow or block certain filetypes as downloads from a list of types that list is the same one found in this appendix p.540
• Some netdefendos application layer gateways algs have the optional ability to verify that the contents of a downloaded file matches the type that the filetype in the filename indicates the filetypes for which mime verification can be done are listed in this appendix and the algs to which this applies are p.540
• For a more detailed description of mime verification and the filetype block allow feature see section 6 the http alg p.540
• Appendix c verified mime filetypes p.540
• Appendix c verified mime filetypes p.541
• Appendix c verified mime filetypes p.542
• Appendix c verified mime filetypes p.543
• Overview p.544
• Layer functions p.544
• Figure d the 7 layers of the osi model p.544
• Appendix d the osi framework p.544
• Alphabetical index p.545