D-Link DFL-1100 Firewall
Contents
1. TH4 Interface LAN WAN DMZ Interface LAN IP Address 192 168 1 1 Link status Unknown MAC Address O080 c8ca 96c0 Send rate 0 kbps Receive rate 0 kbps Send rate over the past 24 hours 20 kbps Send rate Current amount of traffic sent Connections through the interface Receive rate Current amount of traffic received through the interface 10 kbps Okbps ZA hrs ago Receive rate over the past 24 hours 20 kbps 10 kbps 0 kbps ZA hrs ago There are also two graphs displaying the send and receive rate through the interfaces during the last 24 hours 78 VPN Click on Status in the menu bar and then click Interfaces below it A window will appear providing information about the VPN connections on the DFL 1100 By default information about the first VPN tunnel will be displayed To see another one click on that VPN tunnels name The two graphs EE k display the send and in DFL 1100 receive rate through Building Networks for People the selected VPN Network Security Firewall tunnel during the last 24 hours In this example a tunnel named RoamVPN is selected This is a tunnel that allows roaming users So under the IPSec SA listing each roaming user connected to this tunnel is shown System Firewall Servers Tools YPN Status VPN Tunnels Roam PN Send rate over the past 24 hour2. ccccccceeeeeeeeceeeeeeeeeeeeeeecaeeeeeeeeesessncaesaeeeeeess 56 MPPE Microsoft Point To Point Encrnvptton 56 LZP PPTP e TEE 57 LOT PIPPTP SENOS AER 58 IPSec VPN between two networks sssssssssssesssesserrrrenssrrtrrnnnnrstrrennrnn 59 Creating a LAN to LAN IPSec VPN Tunnel 59 VPN between client and an internal network sssssssssesrnensseesrrrnrrnnseserrenn 60 Creating a Roaming Users IPSec Tunnel 60 Adding an L2TP PPTP VPN Client 61 Adding an L2TP PPTP VPN Gener 61 VPN Advanced KT Lu Le EE 62 Limit MTU ee eege ue Ee 62 IKE MOGE terri eerie eee ent ee 62 IKE DIA GrOUpicdai niisicds Sedetalev siete nne hives lets ctetasiaus a a a aa Eat 62 PFS Perfect Forward Secrecy c cccccceceeeeeeeeeeeeseeeeeeseeneeeeeseeeeeeeseeaees 62 K NT 62 KEGDAIIVES o3eiecalesdadies ek a eet EENS EE 62 Proposal LIStS EE 63 IKE Proposal EE 63 IPSec Proposal TE 63 COMITNICALSS ET 64 Trusting Certificates ceciren ciie a AEE EEEE 64 Beie Hie E Le EE 64 Certificates of remote PCPS ceccceecccceeeeeeeeeceeeeeeeeeeeseeennaeeaeeeeeeesetenaees 64 Certificate eu 64 TONNES 5 fase ecanieteae het eecaeess a E a a a eE e EEA 65 Content PUN FUN EE 66 Edit the URL Global Whitelist eee rcsri rerien 66 Edit the URL Global Blacklist ueeencncrnironnc en 67 Active content Nandling cccccccecceeeeeeeeeeeeseeeeeeeseeaeeeseeeeeeeeeaeeeeseeaeees 67 REENEN 68 DHCP Server OUI CN 68 Enable DHCP Server sssssssessnennrnes
3. Roaming YPN Client Creating a Roaming Users IPSec Tunnel Follow these steps to add a roaming user tunnel Step 1 Go to Firewall and VPN and choose Add new under IPSec Step 2 Enter a Name for the new tunnel in the name field The name can contain numbers 0 9 and upper and lower case letters A Z a z and the special characters and _ No other special characters and spaces are allowed Step 3 Specify your local network or your side of the tunnel for example 192 168 1 0 255 255 255 0 in the Local Net field This is the network your roaming VPN clients should be allowed to connect to Step 4 Choose authentication type either PSK Pre shared Key or Certificate based If you choose PSK make sure the clients use exactly the same PSK Step 5 For Tunnel Type choose Roaming User Click the Apply button below to apply the changes or click Cancel to discard changes 60 Adding an L2TP PPTP VPN Client Follow these steps to add an L2TP or PPTP VPN Client configuration Step 1 Go to Firewall and VPN and choose Add new PPTP client or Add new L2TP client in the L2TP PPTP Clients section Step 2 Enter a Name for the new tunnel in the name field The name can contain numbers 0 9 and upper and lower case letters A Z a z and the special characters and _ No other special characters or spaces are allowed Step 3 Enter the username and password for the PPTP or L2TP Client Step 4 Specify if the IP should be
4. of MPPE for data encryption To use IPSec enable the checkbox and select PSK or Certificate Use ctrl shift clic To use ID lists below you Identity List no list S IPSec VPN between two networks In the following example users on the main Branch Office office internal network can connect to the branch office internal network and vice versa Communication between the two networks takes place in an encrypted IPSec VPN tunnel that connects the two DFL 1100 NetDefend DFL 1100 Firewall Firewalls across the Internet Users on the internal networks are not aware that when they connect to a computer on the other network that the connection runs across the Internet Internal Network As shown in the example you can use the DFL 1100 to protect a branch office and a small main office Both of these DFL 1100s can be configured as IPSec VPN gateways to create a VPN tunnel that connects the branch office network to the main office network DFL 1100 Firewall The example shows an IPSec VPN between two internal networks One may also create VPN tunnels between an internal Main Office network behind one VPN gateway and a DMZ Internal Network network behind another or between two remote DMZ networks The networks at the ends of the VPN tunnel are selected when you configure the VPN policy OF Creating a LAN to LAN IPSec VPN Tunnel Follow these steps to add a LAN to LAN Tunnel Step 1 Go to Firewall VPN and choose Add new und
5. Follow these steps to add a new mapping on the WAN interface Step 1 Click on the Add new link Step 2 Fill in the following values Name Specifies a symbolic name for the rule This name is used mainly as a rule reference in log data and for easy reference in the policy list Source Nets Specify the source networks leave blank for everyone 0 0 0 0 0 Source Users Groups Specifies if an authenticated username is needed for this mapping to match Either make a list of usernames separated by a comma or write Any for any authenticated user If it is left blank there is no need for authentication for the policy Destination IP Leave empty to use the WAN IP of the firewall or enter an additional IP address to be forwarded to the specified Pass To address Service Either choose a predefined service from the dropdown menu or make a custom service Pass To The IP of the server that the traffic should be passed to Schedule Choose which schedule should be used for this mapping to match Choose Always for no scheduling Step 4 If using Traffic shaping fill in the required information If not skip this step Click the Apply button below to apply the changes or click Cancel to discard changes Note Refer to Appendix C of the manual for details on mapping Public IP addresses to Internal Servers 40 Delete mapping Follow these steps to delete a mapping Step 1 Choose the mapping list WAN LAN or DMZ you would li
6. Primary WINS Optional Information related to client IP Senden Option assignment Client IP Pool An IP range group or entire network that the PPTP L2TP Server will use as an IP address pool to assign dynamic IP addresses to clients Primary Secondary DNS IP addresses of the primary and secondary DNS servers If utilizing the DNS Relay function be sure to enable the check box to ensure proper DNS info Primary Secondary WINS IP of the Windows Internet Name Service WINS servers that are used in Microsoft environments which uses the NetBIOS Name Servers NBNS to assign IP addresses to NetBIOS names Authentication protocol Authentication protocol Specify which authentication a P SE protocol to use if any not pap necessary Refer to the M CHAP Authentication Protocols M MSCHAP MPPE encryption possible 7 S KR MSCHAPv2 MPPE encryption possible section for more information about each type MPPE encryption MPPE encryption If MPPE z feed D A encryption is to be used select E ou the desired level of encryption a aa e ne ec den using MSCHAP or MSCHAP v2 as authentication A selection of None means that I Require IPsec encryption data will be sent over the PPP PSK Pre Shared Key link unencrypted Key Retype key Certificate based key MPPE is used with PPTP P Require IPSec encryption If configuring for L2TP you most likely will be using IPSec instead SE ere
7. RFC792 RFC1108 RFC792 RFC792 RFC792 RFC792 RFC792 RFC950 RFC950 RFC1393 RFC1475 RFC2521 RFC2521 RFC2521 RFC2521 RFC2521 RFC2521 RFC2521 Appendix B Common IP Protocol Numbers These are some of the more common IP Protocols For a list of all protocols follow the link after the table Decimal Keyword Description Reference 1 ICMP Internet Control Message RFC792 2 IGMP Internet Group Management RFC1112 3 GGP Gateway to Gateway RFC823 4 IP IP in IP encapsulation RFC2003 5 ST Stream RFC1190 RFC1819 6 TCP Transmission Control RFC793 8 EGP Exterior Gateway Protocol RFC888 17 UDP User Datagram RFC768 47 GRE General Routing Encapsulation 50 ESP Encapsulation Security RFC2406 Payload 51 AH Authentication Header RFC2402 108 IPComp IP Payload Compression RFC2393 Protocol 112 VRRP Virtual Router Redundancy Protocol 115 L2TP Layer Two Tunneling Protocol Source http www iana org assignments protocol numbers Appendix C Multiple Public IP addresses Mapping of a Public IP address other than that of the Firewall to a Server located on either internal interface can be accomplished in two basic steps order does not matter add a Port Mapping Virtual Server rule that forwards specified services to a single LAN or DMZ host to be accessible through a WAN IP not used by the DFL 1100 add a static route in the firewall s routing table indicating the internal interface to which the Public IP should be mapped For an i
8. s routing table The DFL 1100 uses a slightly different method of describing routes compared to most other systems However we believe that this method of describing routes is easier to understand making it less likely for users to cause errors or breaches in security Interface Specifies which interface packets destined for this route shall be sent through Network Specifies the network address for this route Gateway Specifies the IP address of the next router hop used to reach the destination network If the network is directly connected to the firewall interface no gateway address is specified Additional IP Address The IP address specified here will be automatically published on the corresponding interface This address will also be used as the sender address in ARP queries If no address is specified the interface IP address of the firewall will be used Proxy ARP Specifies that the firewall shall publish this route via Proxy ARP One advantage with this form of notation is that you can specify a gateway for a particular route without having a route that covers the gateway s IP address or despite the fact that the route that covers the gateway s IP address is normally routed via another interface The major difference between this form of notation and the form most commonly used is there is no need to specify the interface name in a separate column Instead you specify the IP address of each interface as a g
9. Click on the interface you would like to add it to Step 2 Enable the Read only checkbox Step 3 Specify which network addresses should be allowed to receive SNMP traps for example 192 168 1 0 24 for a whole class C network or 172 16 0 1 172 16 0 10 for a range of IP addresses Step 4 Specify the community string used to authenticate the DFL 1100 Click the Apply button below to apply the settings or click Cancel to discard changes Example M SNMP Simple Network Management Protocol read only access Networks fi 92 168 1 10 Community MySecretCommunity 14 System Interfaces Click on System in the menu bar and then click interfaces below it Change IP of the LAN DMZ or ETH4 interface Follow these steps to change the IP of the LAN DMZ or ETH4 interface Interface Settings Edit settings of the LAN interface IP Address D 92 168 0 1 Subnet Mask 255 255 255 0 256 hosts 24 e Step 1 Choose which interface to view or change under the Available interfaces list Step 2 Fill in the IP address of the LAN DMZ or ETH4 interface These are the addresses that will be used to ping the firewall remotely control it and used as the gateway for the internal hosts or DMZ hosts Step 3 Choose the correct Subnet mask of this interface from the drop down menu This configuration will determine the IP addresses that can communicate with this interface Click the Apply button below to apply the settings
10. To add a new Certificate Authority certificate click Add new The following pages will allow you to specify a name for the CA certificate and upload the certificate file This certificate can be selected in the Certificates field on the VPN page 64 Note If the uploaded certificate is a CA certificate it will automatically be placed in the Certificate Authorities list even if Add New was clicked in the Remote Peers list Similarly a non CA certificate will be placed in the Remote Peers list even if Add New was clicked from the Certificate Authorities list Identities This is a list of all the configured Identity lists An Identity list can be used on the VPN page to limit inbound VPN access from this list of known identities Normally a VPN tunnel is established if the certificate of the remote peer is present in the Certificates field in the VPN section or if the remote peer s certificate is signed by a CA whose certificate is present in the Certificates field in the VPN section However in some cases it might be necessary to limit those who can establish a VPN tunnel even among peers signed by the same CA The Identity list can be selected in the Identity List field on the VPN page If an Identity List is configured the firewall will match the identity of the connecting remote peer against the Identity List and only allow it to open the VPN tunnel if it matches the contents of the list If no Identity List is used no identit
11. 192 168 1 100 192 168 1 199 Check Proxy ARP dynamically added routes Check Use unit s own DNS relayer addresses Leave WINS settings blank Under authentication MSCHAPv2 should be the only checked option Under MPPE encryption 128 bit should be the only checked option Leave Use IPSec encryption unchecked Click Apply 3 Setup policies for the new tunnel Firewall gt Policy Click Global policy parameters Enable Allow all VPN traffic internal gt VPN VPN gt internal and VPN gt VPN Click Apply 4 Set up authentication source Firewall gt Users Select Local database Click Apply 5 Add a new user Firewall gt Users Under Users in local database click Add new Name the new user HomeUser Enter password 1234567890 Retype password 1234567890 Leave static client IP empty could also be set to eg 192 168 1 200 If no IP is set here the IP pool from the PPTP server settings are used Click Apply 6 Click Activate and wait for the firewall to restart 114 This example will allow all traffic from the client to the main office network To get a more secure solution read the Settings for the Main office part of the A more secure LAN to LAN VPN solution section Windows XP client and L2TP server Main office ZN fs pt Internet VPN Client The Windows XP client to L2TP server setup is quite similar to the PPTP setup above Settings for the Windows XP client To setup a L2TP connection from Windows XP to
12. 2 Gateway IP This may or may not be necessary depending on the ISP Before PPTP can be used to connect to your ISP the physical WAN interface parameters must be input You can use either DHCP or Static IP depending on the type of ISP used Your ISP should supply this information If using static IP this information needs to be filled in e IP Address The IP address of the WAN interface This IP is used to connect to the PPTP server e Subnet Mask Size of the external network e Gateway IP Specifies the IP address of the default gateway used to access the Internet 18 WAN Interface Settings Using L2TP L2TP over Ethernet connections are used in some DSL and cable modem networks You need to enter your account details and possibly also IP configuration parameters of the actual physical interface that the L2TP tunnel runs over Your ISP should supply this information M Username The login or username supplied to you by your ISP e Password The password supplied to you by your ISP e L2TP Server IP The IP of the L2TP server that the DFL 1100 will connect to Interface Settings Edit settings of the WAN interface Change WAN Type L2TP v Apply Change L2TP over Ethemet connections are used in some DSL and cable modem networks You need account details and possibly also IP configuration parameters of the actual physical interface that the PPTP tunnel runs over
13. 9 Type the IP address to the server 194 0 2 20 and click Next 10 Click Finish Connect MainOffice Password eovvccces C Save this user name and password for the following users A Anyone who uses this computer 11 Type user name HomeUser and password 1234567890 Note You should use a password that is hard to guess 12 Click Properties 112 MainOffice Properties Gestell Netwoting Liese Type of VPN PPTP VPN v This connection uses the following items Intemet Protocol TCP IP WS QoS Packet Scheduler KR File and Printer Sharing for Microsoft Networks Bert for Microsoft Networks Install Description Transmission Control Protocol Intemet Protocol The default wide area network protocol that provides communication across diverse interconnected networks 13 Select the Networking tab and change Type of VPN to PPTP VPN Click OK All settings needed for the XP client are now complete Once we have configured the server on the firewall you should be able to click Connect to establish the connection to the Main office Settings for Main office 1 Setup interfaces System gt Interfaces WAN IP 194 0 2 20 LAN IP 192 168 1 1 Subnet mask 255 255 255 0 2 Setup PPTP server Firewall gt VPN Under L2TP PPTP Server click Add new PPTP server Name the server pptpServer Leave Outer IP and Inner IP blank Set client IP pool to
14. Choose the LAN gt WAN policy list from the available policy lists Step 2 Click on the Add new link Step 3 Fill in the following values Name Specifies a symbolic name for the rule This name is used mainly as a rule reference in log data and for easy reference in the policy list Position Moves before given position Action Select Allow to allow the specified service traffic to traverse the firewall Choose Deny to drop all traffic matching the criteria of the specified service Source Nets Specifies the sender span of IP addresses to be compared to the received packet Leave this blank to match everything Source Users Groups Specifies if an authenticated username is needed for this policy to match Either make a list of usernames separated by a comma or write Any for any authenticated user If it is left blank there is no need for authentication for the policy Destination Nets Specifies the span of IP addresses to be compared to the destination IP of the received packet Leave this blank to match everything Destination Users Groups Specifies if an authenticated username is needed for this policy to match Either make a list of usernames separated by a comma or write Any for any authenticated user If it is left blank there is no need for authentication for the policy Service Either choose a predefined service from the dropdown menu or make a custom service Schedule Choose which schedule should be used f
15. ICMP error messages are sent in several situations for example when an IP packet cannot reach its destination The purpose of these error control messages is to provide feedback about problems in the communication environment However ICMP error messages and firewalls are usually not a very good combination the ICMP error messages are initiated at the destination host or a device within the path to the destination and sent to the originating host The result is that the ICMP error message will be interpreted by the firewall as a new connection and dropped if not explicitly allowed by the firewall rule set It is generally not a good idea to allow any inbound ICMP message to be able to have those error messages forwarded To solve this problem the DFL 1100 can be instructed to pass an ICMP error message only if it is related to an existing connection Check this option to enable this feature for connections using this service ALG Similar to the way most stateful inspection firewalls behave the DFL 1100 filters only information found in packet headers such as IP TCP UDP or ICMP headers In some situations though filtering only header data is not sufficient The FTP protocol for instance includes IP address and port information in the protocol payload In these cases the firewall needs to be able to examine the payload data and carry out appropriate actions The DFL 1100 provides this functionality using Application Layer Gateways
16. Your ISP should supply this information L2TP tunnel parameters Usemame Password Retype Password L2TP Server IP Physical interface parameters DHCP automatic configuration Everything is automatic Static IP manual configuration Your ISP should provide this information to you IP Address Subnet Mask Gateway IP This may or may not be necessary depending on the ISP Before L2TP can be used to connect to your ISP the physical WAN interface parameters must be input You can use either DHCP or Static IP depending on the type of ISP used Your ISP should supply this information If using static IP this information needs to be filled in e IP Address The IP address of the WAN interface This IP is used to connect to the L2TP server e Subnet Mask Size of the external network e Gateway IP Specifies the IP address of the default gateway used to access the Internet Contact your ISP if you are unsure of the necessity of this information WAN Interface Settings Using BigPond The ISP Telstra BigPond uses BigPond for authentication the IP is assigned with DHCP e Username The login or username supplied to you by your ISP e Password The password supplied to you by your ISP Traffic Shaping When Traffic Shaping is enabled and the correct maximum up and downstream bandwidth is specified it s possible to control whichever policies have the highest priority when lar
17. Z a z and the special characters and _ No other special characters and spaces are allowed Step 3 Select TCP UDP Service Step 4 Select the protocol TCP UDP or both TCP UDP used by the service Step 5 Specify a source port or range for this service by typing in the low and high port numbers Enter 0 65535 for all ports or a single port like 80 for only one source port Step 6 Specify a destination port or range for this service by typing in the low and high port numbers Enter 0 65535 for all ports or a single port like 80 for only one destination port Step 7 Enable the SYN Relay checkbox if you want to protect the destination from SYN flood attacks Click the Apply button below to apply the changes or click Cancel to discard changes Adding IP Protocol When the type of the service is IP Protocol an IP protocol number may be specified in the text field To have the service match the GRE protocol for example the IP protocol should be specified as 47 A list of some defined IP protocols can be found in the appendix named IP Protocol Numbers IP protocol ranges can be used to specify multiple IP protocols for one service An IP protocol range is similar to the TCP and UDP port range described previously The range 1 4 7 will match the protocols ICMP IGMP GGP IP in IP and CBT Follow these steps to add a TCP UDP or TCP UDP service Step 1 Go to Firewall and Service and choose new Step 2 Enter a Name f
18. client IP If empty the IP address will be taken from the server s IP pool Networks behind user Apply Cancel Help Select a user to edit from the below list or select Add new Administrative users Admin admin Add Read only Add Users in local database User name ange Add new Groups Client IP Note The user name and password should be at least six characters long The user name and password can contain numbers 0 9 and upper and lower case letters A Z a z Special characters and spaces are not allowed Change User Password To change the password of a user click on the user name and you will see the following screen Follow these steps to change a user password Step 1 Click on the user for which you would like to change the password Step 2 Enable the Change password checkbox Step 3 Enter the new password twice Click the Apply button below to apply the settings or click Cancel to discard changes User Management Edit user Todd User name fa Group membership NetDeend o F Change password Password TI Retype password I Delete user 0 00 Apply Cancel Help Note The password should be at least six characters long The password can contain numbers 0 9 and upper and lower case letters A Z a z Special characters and spaces are not allowed Delete User To delete a user click on the user name and you will see the following screen Follow these steps to de
19. computers can connect to it 5 Select Connect to the network at my workplace and click Next New Connection Wizard Network Connection How do you want to connect to the network at your workplace ei Create the following connection Dial up connection Connect using a modem and a regular phone line or an Integrated Services Digital Network ISDN phone line network using a virtual private network VPN connection over the 6 Select Virtual Private Network connection and click Next 108 New Connection Wizard Connection Name Specify a name for this connection to your workplace Type a name for this connection in the following box Company Name MainOffice For example you could type the name of your workplace or the name of a server you will connect to 7 Name the connection MainOffice and click Next New Connection Wizard Public Network Windows can make sure the public network is connected first Windows can automatically dial the initial connection to the Intemet or other public network before establishing the virtual connection 8 Select Do not dial the initial connection and click Next 110 New Connection Wizard VPN Server Selection What is the name or address of the VPN server Type the host name or Intemet Protocol IP address of the computer to which you are connecting Host name or IP address for example microsoft com or 157 54 0 1 194 0 2 20
20. download the firmware upgrade from the D Link support web site and place it on your hard drive When the firmware is available use this form to upload the new firmware to the unit The unit will automatically be restarted to activate the new firmware from support dlink com sii em US Make sure the zs See wm firmware file is stored on the PC connected to the PS firewall Connect to the web based GUI navigate to the Upgrade Tools menu click Browse and choose the file name of the newest version of firmware you wish to load Click Upload firmware image to load the new firmware and restart the device Upgrade units signature database To upgrade the unit s IDS signature database download the new signature database file from the D Link support web site and place it on your hard drive When the signature file is available use this form to upload it to the unit After the new signature database has been verified the unit will automatically be restarted to activate the changes Browse Upload signature database The updating process will not overwrite the system configuration Though it is not necessary it is a good idea to backup the system configuration before upgrading the software Upgrade IDS Signature database To upgrade the signature database first download the newest IDS signatures from D Link After downloading the newest version of the software connect to the firewal
21. has been tested and found to comply with the limits for a Class A digital device pursuant to part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference in an industrial installation This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communication However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient or relocate the receiving antenna Increase the separation between the equipment and receiver Connect the equipment into an outlet on a circuit different from that to which the receiver is connected Consult the dealer or an experienced radio TV technician for help For detailed warranty outside the United States please contact corresponding local D Link office 144
22. how your SYSLog recipient works SYSLog daemons on UNIX servers usually log to text files line by line Most SYSLog recipients preface each log entry with a timestamp and the IP address of the machine that sent the log data Oct 20 2003 09 45 23 gateway This is followed by the text the sender has chosen to send All log entries from the DFL 1100 are prefaced with EFW and a category e g DROP Oct 20 2003 09 45 23 gateway EFW DROP Subsequent text is dependent on the event that has occurred USAGE events These events are sent periodically and provide statistical information regarding connections and amount of traffic Example Oct 20 2003 09 45 23 gateway EFW USAGE conns 1174 if0 core ip0 127 0 0 1 p0 0 00 iff wan ip1 192 168 10 2 tp1 11 93 if2 lan ip2 192 168 0 1 tp2 13 27 if3 dmz ip3 192 168 1 1 tp3 0 99 The value after conns is the number of open connections through the firewall when the usage log was sent The value after tp is the throughput through the firewall at the time the usage log was logged DROP events These events may be generated by a number of different functions in the firewall The most common source is the policies Example Oct 20 2003 09 42 25 gateway EFW DROP prio 1 rule Rule_1 action drop recvif wan srcip 192 168 10 2 destip 192 168 0 1 ipproto TCP ipdatalen 28 srcport 3572 destport 135 tcphdrlen 28 syn 1 In this line traffic from 192 168 10 2 coming from the WAN side of
23. information on configuration of HTTP Content Filtering Servers DHCP Server Settings The DFL 1100 contains a DHCP server DHCP Dynamic Host Configuration Protocol is a protocol that allows network administrators to automatically assign IP numbers to DHCP enabled computers on a network The DFL 1100 A e DHCP Server helps to D Link Siete ange Building Networks for People DFL 1100 minimize the work Network Security Firewall necessary to administer a network as there is no System Firewall Tools Status Help need for another DHCP DHCP Server Relaying Settings server DHCP Serve DHCP server relaying settings for LAN interface The DFL 1100 DHCP Ce The unit will ignore DHCP requests heard on this interface Server only implements a o C Use built in DHCP Server subset of the DHCP Pse CO protocol necessary to ONS Serves gt serve a small network optional 7 E Use unit s own DNS relayer addresses these are WINS Servers optional optional e P address WINS servers are used Domainname optional e Netmask Lease time Thou Si The gateway will be set to the IP address of the receiving interface e S u b net Relay DHCP requests to other DHCP server Zeep T e Gateway address 22 Apply Cancel Help e DNS Servers Les e WINS Servers e Domain name The DFL 1100 DHCP Server assigns and manages IP addresses from specified address pools within the firewall to the DHCP clients Note Leases are rem
24. or click Cancel to discard changes Please keep in mind that the DHCP scope will also need to be changed to correspond with the new LAN DMZ or ETH4 IP If the computer through which the DFL 1100 is being configured is a DHCP client you will need to manually release and renew the IP address after applying changes and restarting Failure to follow these directions will result in the firewall configuration reverting back to the state prior to changing the LAN IP WAN Interface Settings Using Static IP If you are using Static IP you have to fill in the IP address information provided to you by your ISP All fields are required except the Secondary DNS Server Note Do not use the numbers displayed in these fields they are only used as an example IP Address The IP address of the WAN interface This is the address that may be used Interface Settings Edit settings of the WAN interface Change WAN Type Static IP z Static WAN interface configuration is most commonly used in dedicated line internet connections Your ISP usually provides this information to you IP Address 192168102 Subnet Mask 255 255 2550 256 hosts 24 Gateway IP 192168101 Primary DNS Server 10 001 Secondary DNS Server 10 002 optional to ping the firewall remotely control it and be used as the source address for dynamically translated connections Subnet Mask Size of the external network Gateway IP Specifies the IP
25. received from the server or if a static one should be used This field should be left blank in most scenarios Step 5 Specify the Remote Gateway this should be the IP of the L2TP or PPTP Server you are connecting to Step 6 If you are using IPSec encryption for the L2TP or PPTP Client choose the appropriate authentication type either PSK Pre shared Key or Certificate based Click the Apply button below to apply the change or click Cancel to discard changes Adding an L2TP PPTP VPN Server Follow these steps to add an L2TP or PPTP VPN Server configuration that listens on the WAN IP Step 1 Go to Firewall and VPN and choose Add new PPTP server or Add new L2TP server in the L2TP PPTP Server section Step 2 Enter a Name for this tunnel in the name field The name can contain numbers 0 9 and upper and lower case letters A Z a z and the special characters and _ No other special characters or spaces are allowed Step 3 Specify the Client IP Pool this should be a range of unused IP s on the LAN interface that will be handed out to L2TP or PPTP Clients Step 4 If you are using IPSec encryption for the L2TP or PPTP Client choose authentication type either PSK Pre shared Key or Certificate based Click the Apply button below to apply the change or click Cancel to discard changes VPN Advanced Settings Advanced settings for a VPN tunnel is used when the user needs to change some characteristics of the
26. shared hardware address 26 Cluster heartbeats A firewall detects that its peer is no longer operational when it can no longer hear cluster heartbeats from its peer Currently a firewall will send five cluster heartbeats per second When a firewall has missed three heartbeats i e after 0 6 seconds it will be declared inoperative Cluster heartbeats have the following characteristics The source IP is the interface address of the sending firewall The destination IP is the shared IP address The IP TTL is always 255 If a firewall receives a cluster heartbeat with any other TTL it is assumed that the packet has traversed a router and hence cannot be trusted at all It is an UDP packet sent from port 999 to port 999 The destination MAC address is the Ethernet multicast address corresponding to the shared hardware address i e 11 00 00 C1 4A nn Link level multicasts were chosen over normal unicast packets for security reasons using unicast packets would have meant that a local attacker could fool switches to route the heartbeats somewhere else causing the peer firewall to never hear the heartbeats The synchronization interface Both firewalls are connected to each other by a separate synchronization connection the fourth port is dedicated solely for this purpose when the firewalls are configured as HA The active firewall continuously sends state update messages to its peer informing it of connections that a
27. start time and stop Een o o Oo Apply Cancel Help time as well as 2 ersten Gebei schedules different time periods Dayne Saa ZOROA TE in a day For example Le an organization may only want the firewall to allow the internal network users to access the Internet during work hours Therefore one may create a schedule to allow the firewall to allow traffic Monday Friday 8AM 5PM only During the non work hours the firewall will not allow Internet access Add new recurring schedule Follow these steps to add a new recurring schedule Step 1 Go to Firewall and Schedules and choose Add new Step 2 Enable the checkbox named Recurring scheduling Step 3 Use the checkboxes to set the times this schedule should be active Click the Apply button below to apply the changes or click Cancel to discard changes Add new one time schedule Follow these steps to create and add a new one time schedule Step 1 Go to Firewall and Schedules and choose Add new Step 2 Choose the starting and ending date and hour when the schedule should be active Step 3 Use the checkboxes to set the times this schedule should be active inside the specified timeframe Click the Apply button below to apply the changes or click Cancel to discard changes 50 Services A service is basically a definition of a specific IP protocol with corresponding parameters The service http for instance is defined as using the TCP protocol with destination
28. the Main office firewall please follow the steps in the PPTP guide above for the client side The only changes to the PPTP guide are MainOffice Properties General Options Security Networking Advanced Type of VPN E E Settings 1 In step 13 change the Type of VPN to L2TP IPSec VPN 116 MainOffice Properties Validate my identity as follows Require secured password _ Automatically use my Windows logon name and password and domain if any V Require data encryption disconnect if none Advanced custom settings of sec urity protoc ols 2 Select the Security tab and click IPSec Settings IPSec Settings V Use pre shared key for authentication Key 1234567890 3 Check Use pre shared key for authentication type the key and click OK Settings for Main office 1 Setup interfaces System gt Interfaces WAN IP 194 0 2 20 LAN IP 192 168 1 1 Subnet mask 255 255 255 0 2 Setup L2TP server Firewall gt VPN Under L2TP PPTP Server click Add new L2TP server Name the server I2tpServer Leave Outer IP and Inner IP blank Set client IP pool to 192 168 1 100 192 168 1 199 Check Proxy ARP dynamically added routes Check Use unit s own DNS relayer addresses Leave WINS settings blank Under authentication MSCHAPv2 should be the only checked option Under MPPE encryption None should be the only checked option Check the Use IPSec encryption box Ente
29. the syslog protocol to one or two servers If both servers are configured logs will be sent to both at the same time Syslog server 1 fi 92 168 1 10 Syslog server 2 optional Syslog facility Local Enable audit logging The firewall normally logs denied packets With audit logging enabled it will also log when allowed connections open and close Enable E mail alerting for IDS IDP events Sensitivity High A SMTP Server Sender IT EMaillAddesst EMaillAddess2 T EMal ddess O oO Apply Cancel Help All logging is done to SYSLog recipients The log format used for SYSLog logging is suitable for automated processing and searching 30 The D Link DFL 1100 specifies a number of events that can be logged Some of these events such as startup and shutdown are mandatory and will always generate log entries Other events for instance when allowed connections are opened and closed are configurable It is also possible to have E mail alerting for IDS IDP events to up to three email addresses Enable Logging Follow these steps to enable logging Step 1 Enable SYSLog by checking the SYSLog box Step 2 Fill in your first SYSLog server as SYSLog server 1 If you have two SYSLog servers you have to fill in the second one as SYSLog server 2 You must fill in at least one SYSLog server for logging to work Step 3 Specify what facility to use by selecting the appr
30. tunnel to for example try to connect to a third party VPN Gateway The different settings per tunnel are Limit MTU With this setting it is possible to limit the MTU Max Transferable Unit of the VPN tunnel IKE Mode Specify if Main mode IKE or Aggressive Mode IKE should be used when establishing outbound VPN Tunnels Inbound main mode connections will always be allowed Inbound aggressive mode connections will only be allowed if this setting is set to aggressive mode IKE DH Group Here it is possible to configure the Diffie Hellman group to 1 modp 768 bit 2 modp 1024 bit or 5 modp 1536 bit PFS Perfect Forward Secrecy If PFS Perfect Forwarding Secrecy is enabled a new Diffie Hellman exchange is performed for each phase 2 negotiation While this is slower it makes sure that no keys are dependent on any other previously used keys no keys are extracted from the same initial keying material PFS is used to ensure that in the unlikely event an encryption key is compromised no subsequent keys could be derived from that compromised key NAT Traversal Here it is possible to configure how the NAT Traversal code should behave Disabled The firewall will not send the necessary Vendor ID s to indicate NAT T support when setting up the tunnel On if supported and need NAT Will only use NAT T if one of the VPN gateways is behind a NAT device On if supported Always tries to use NAT T when setting up the tunnel Ke
31. v1 MS CHAP v2 e Microsoft Point To Point Encryption MPPE L2TP uses UDP to transport the PPP data this is often encapsulated in IPSec for encryption instead of using MPPE Point to Point Protocol PPP Point to Point Protocol is a standard for transporting datagram s over point to point links PPP is used to encapsulate IP packets for transport between two peers PPP consists of these three components e Link Control Protocols LCP to negotiate parameters test and establish the link e Network Control Protocol NCP to establish and negotiate different network layer protocols DFL 1100 only supports IP e Data encapsulation to encapsulate datagram s over the link To establish a PPP tunnel both sides send LCP frames to negotiate parameters and test the data link If authentication is used at least one of the peers has to authenticate itself before the network layer protocol parameters can be negotiated using NCP During the LCP and NCP negotiation optional parameters such as encryption can be negotiated When LCP and NCP negotiation is done IP datagram s can be sent over the link Authentication Protocols PPP supports different authentication protocols PAP CHAP MS CHAP v1 and MSCHAP v2 The authentication protocol to be used is decided during LCP negotiation PAP PAP Password Authentication Protocol is a simple plaintext authentication scheme which means that both user name and password are sent over the tunnel plai
32. where Read Only access is the only type allowed on a specific interface all users that log in to that interface will be in Read Only mode 12 SNMP Specifies if SNMP should or should not be allowed on the interface The DFL 1100 only supports read only access Add ping access to an interface To add ping access click on the interface you would like to add it to Follow these steps to add ping access to an interface Step 1 Click on the interface you would like to add it to Step 2 Enable the Ping checkbox Step 3 Specify which network addresses should be allowed to ping the interface for example 192 168 1 0 24 for a whole class C network or 172 16 0 1 172 16 0 10 for a range of IP addresses Click the Apply button below to apply the settings or click Cancel to discard changes Example Jh Ping standard ICMP echo to the IP address of the interface Networks fi 92 168 1 0 24 Add Admin access to an interface To add admin access click on the interface you would like to add it to Only users with administrative rights can login on interfaces where there is only admin access enabled Follow these steps to add admin access to an interface Step 1 Click on the interface you would like to add it to Step 2 Enable the Admin checkbox Step 3 Specify which network addresses should be allowed to access the administrative interface for example 192 168 1 0 24 for a whole class C network or 172 16 0 1 172 16 0 10 for a ra
33. 168 4 0 24 Remote Gateway 194 0 2 10 way can be 4 numerical IP address DNS name or range of IP addresses for roaming 7 NAT ed gateways Route Automatically add a route for the remote network Proxy ARP 7 Publish remote network on all interfaces via Proxy ARP IKE XAuth client Cl Greg username and password to peer via IKE Auth if the remote gateway requires it xAuth Username gt Auth Password Remote Net 192 168 4 0 24 Remote Gateway 194 0 2 10 Enable Automatically add a route for the remote network Click Apply 3 Setup policies for the new tunnel Firewall gt Policy Click Global policy parameters Enable Allow all VPN traffic internal gt VPN VPN gt internal and VPN gt VPN Click Apply 4 Click Activate and wait for the firewall to restart This example will allow all traffic between the two offices To get a more secure solution read the A more secure LAN to LAN VPN solution section of this user guide 88 LAN to LAN VPN using PPTP Main office Branch office Ze GAN p Ze ees GE N 193 CH Es H e SA Ch By SE CO Op gt d Jg PN Internet KSE CO KS an H a Ee 4 ay ORs Settings for Branch office 1 Setup interfaces System gt Interfaces WAN IP 194 0 2 10 LAN IP 192 168 4 1 Subnet mask 255 255 255 0 2 Setup PPTP client Firewall gt VPN Under PPTP L2TP clients click Add new PPTP client Name the tunnel toMainOffice L2TP PPTP Clients Add PPTP C
34. ALG To use an Application Layer Gateway the appropriate Application Layer Gateway definition is selected in the dropdown menu The selected Application Layer Gateway will thus manage network traffic that matches the policy using this service Currently the DFL 1100 supports two Application Layer Gateways one is used to manage the FTP protocol and the other one is a HTTP Content Filtering ALG For detailed information about how to configure the HTTP Application Layer Gateway please see the Content Filtering chapter VPN Introduction to IPSec This chapter introduces IPSec the method or rather set of methods used to provide VPN functionality IPSec Internet Protocol Security is a set of protocols defined by the IETF Internet Engineering Task Force to provide IP security at the network layer An IPSec based VPN such as that of the DFL 1100 is made up of two basic parts e Internet Key Exchange security protocol IKE e IPSec protocol ESP The first part IKE is the initial negotiation phase where the two VPN endpoints agree on which methods will be used to provide security for the underlying IP traffic Furthermore IKE is used to manage connections by defining a set of Security Associations SA for each connection Each SA is unidirectional so there will be at least two SA per IPSec connection The other part is the actual IP data being transferred using the encryption and authentication methods agreed upon in the IKE nego
35. AR PURPOSE AND NON INFRINGEMENT IF ANY IMPLIED WARRANTY CANNOT BE DISCLAIMED IN ANY TERRITORY WHERE A PRODUCT IS SOLD THE DURATION OF SUCH IMPLIED WARRANTY SHALL BE LIMITED TO NINETY 90 DAYS EXCEPT AS EXPRESSLY COVERED UNDER THE LIMITED WARRANTY PROVIDED HEREIN THE ENTIRE RISK AS TO THE QUALITY SELECTION AND PERFORMANCE OF THE PRODUCT IS WITH THE PURCHASER OF THE PRODUCT 142 Limitation of Liability TO THE MAXIMUM EXTENT PERMITTED BY LAW D LINK IS NOT LIABLE UNDER ANY CONTRACT NEGLIGENCE STRICT LIABILITY OR OTHER LEGAL OR EQUITABLE THEORY FOR ANY LOSS OF USE OF THE PRODUCT INCONVENIENCE OR DAMAGES OF ANY CHARACTER WHETHER DIRECT SPECIAL INCIDENTAL OR CONSEQUENTIAL INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF GOODWILL LOSS OF REVENUE OR PROFIT WORK STOPPAGE COMPUTER FAILURE OR MALFUNCTION FAILURE OF OTHER EQUIPMENT OR COMPUTER PROGRAMS TO WHICH D LINK S PRODUCT IS CONNECTED WITH LOSS OF INFORMATION OR DATA CONTAINED IN STORED ON OR INTEGRATED WITH ANY PRODUCT RETURNED TO D LINK FOR WARRANTY SERVICE RESULTING FROM THE USE OF THE PRODUCT RELATING TO WARRANTY SERVICE OR ARISING OUT OF ANY BREACH OF THIS LIMITED WARRANTY EVEN IF D LINK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES THE SOLE REMEDY FOR A BREACH OF THE FOREGOING LIMITED WARRANTY IS REPAIR REPLACEMENT OR REFUND OF THE DEFECTIVE OR NON CONFORMING PRODUCT THE MAXIMUM LIABILITY OF D LINK UNDER THIS WARRANTY IS LIMITED TO THE PURCHASE PRICE OF THE PRODUC
36. As is the case with all other firewalls supporting stateful failover the D Link High Availability will only work between two D Link DFL 1100 Firewalls As the internal workings of different firewalls and indeed different major versions of the same firewall can be radically different there is no way of communicating state to something which has a completely different comprehension of what state means IP Addresses explained For each cluster interface there are three IP addresses e Two real IP addresses one for each firewall These addresses are used to communicate with the firewalls themselves i e for remote control and monitoring They should not be associated in any way with traffic flowing through the cluster if either firewall is inoperative the associated IP address will simply be unreachable e One virtual IP address shared between the firewalls This is the IP address to use when configuring default gateways and other routing related matters It is also the address used by dynamic address translation unless the configuration explicitly specifies another address There is not much to say about the real IP addresses they will act just like firewall interfaces normally do You can ping them or remote control the firewalls through them if your configuration allows it ARP queries for the respective addresses are answered by the firewall that owns the IP address using the normal hardware address just like normal IP units d
37. BranchOffice v gt LAN y Show 3 Create the same 4 policy rules that were created on the branch office firewall allow_pop3 allow_imap allow_ftp and allow_http 4 Click Activate and wait for the firewall to restart Windows XP client and PPTP server Main office VPN Client Settings for the Windows XP client 1 Open the control panel Start button gt Control panel 2 If you are using the Category view click on the Network and Network and Internet Connections Internet icon Then click Create a connection to w Connections the network on your workplace and ez continue to step 6 Network If you are using the Classic view click on the Network Connections icon Connections 3 Under Network task click Create a new Network Tasks connection Create anew connection 4 The New connection wizard window opens up Click next 106 New Connection Wizard Network Connection Type What do you want to do Connect to the Internet Connect to the Intemet so you can browse the Web and read email seseg GES SS dnd Ka a SE ere a insineas network aing dial up or VPN a0 you can was bom home a field office or another location Set up a home or small office network Connect to an existing home or small office network or set up a new one Set up an advanced connection Connect directly to another computer using your serial parallel or infrared port or set up this computer so that other
38. D Link DFL 1100 NETDEFEND Network Security Firewall Manual o D Link Building Networks for People 04 19 2005 Contents roduc NON iain 7 Features and Benefnts 7 Introduction to Firewalls cccccccccececeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeseeeneeeneeees 7 Introduction to Local Area Networkimg 8 LEDS amp Physical CONMGGHONSS cesscccon sccctastasussas octendieinnveanatecreccedataniands 9 Eeer Eeer 10 System eege eege eege 10 Managing D Link DFL 1100 eeeeeeee cece eee e eee e eee e eee e eee eeeeeeeeeeeeeee 11 Resetting the DEL 21100 eEEeEREEEEERNEERKERNEENEREEEEEENEENENEEENEERENEN KEEN 11 Administration SettingS cccsccssssssscssssssssssssseeeeeeeeeeeeeeeeeeeees 12 Administrative Access cece eeeeteeeeeeeeseeeeeeeeeeeeeeeeeeeeeeeeeees 12 Add ping access to an Interface cceeeceeeeeeeeeeneeeeeteneeeeeenieeeeeeeieeeeee 13 Add Admin access to an Interface 13 Add Read only access to an interface ccececeeeeeeeeeeeteeeeeeeteeeeetnneeeenee 14 Enable SNMP access to an interface 200 ceeeeeeeeeeeeeeeeeeneeeeeeeeneeeeeeeaaees 14 kL ee 15 iwer 15 Change IP of the LAN DMZ or ETH4 interface oseeseneneneee eerren 15 WAN Interface Settings Using Static IP 16 WAN Interface Settings Using DHCP oe eeccceeeeneeeeeetteeeeeenteeeeeaes 16 WAN Interface Settings Using PDPPot A 17 WAN Interface Settings Using DPI 18 WAN Interface Settings Using L2TIP 19
39. EH MEN Enable Allow all VPN traffic internal gt VPN VPN gt internal and VPN gt VPN Click Apply 4 Set up authentication source Firewall gt Users Select Local database Authentication source Local database RADIUS server Click Apply 100 5 Add a new user Firewall gt Users Under Users in local database click Add new User Management Add new user User name Group membership Password Retype password L2TP PPTP settings Static client IP Networks behind user BranchO ffice XXXXXXXXXX XXXXXXXXXX f empty the IP address will be taken from the server s IP pool 192 168 4 0 24 Name the new user BranchOffice Enter password 1234567890 Retype password 1234567890 Leave static client IP empty could also be set to eg 192 168 1 200 If no IP is set here the IP pool from the L2TP server settings are used Set Networks behind user to 192 168 4 0 24 Click Apply 6 Click Activate and wait for the firewall to restart This example will allow all traffic between the two offices To get a more secure solution read the A more secure LAN to LAN VPN solution section in this chapter A more secure LAN to LAN VPN solution In order to establish a more secure LAN to LAN VPN connection traffic policies should be created instead of allowing all traffic between the two private Networks The following steps show how to enable some common services allowed through the
40. MSCHAP v2 as authentication protocol Cl Use IPsec encryption Under authentication MSCHAPv2 should be the only checked option Under MPPE encryption 128 bit should be the only checked option Leave Use IPsec encryption unchecked Click Apply 3 Setup policies for the new tunnel Firewall gt Policy Click Global policy parameters Firewall Policy Edit global policy parameters Fragments Drop all fragmented packets Minimum TTL 3 VPN JM Allow all VPN traffic intemal gt VPN VPN gt internal and MEN MEM Enable Allow all VPN traffic internal gt VPN VPN gt internal and VPN gt VPN Click Apply 4 Set up the authentication source Firewall gt Users Authentication source Local database RADIUS server Select Local database Click Apply 5 Add a new user Firewall gt Users Under Users in local database click Add new Name the new user BranchOffice User Management Add new user User name Group membership Password Retype password L2TP PPTP settings Static client IP Networks behind user BranchOffice xxx eaea f empty the IP address will be taken from the server s IP pool 192 168 4 0 24 Enter password 1234567890 Retype password 1234567890 Leave static client IP empty could also be set to 192 168 1 200 If no IP is set here the IP pool from the PPTP server settings are used Set Networks behind user to 192 168 4 0 24 Click A
41. Network field The Subnet Mask should be set to 255 255 255 255 1 host Enable the Proxy ARP feature The above static route configuration explicitly defines the interface that the additional Public IP address should be forwarded to NOTE Be sure to enable Proxy ARP for both routes or the Firewall will not forward traffic destined for the specified Public IP addresses to Internal servers 128 Configure Port Mapping Virtual Server Rules for LAN Server Port Mapping Virtual Servers Edit new mapping Name Web zeroet LAN Di Source Nets Blank everyone Users Groupes Destination IP 80 80 80 81 Blank gt war Service http v Custom source ports destination ports pass to port Pass To 192 168 2550 Schedule Always Virtual Server Configuration for a Server on the LAN Navigate to the FIREWALL tab PORT MAPPING page of the Web based configuration Click the Add New link to create a new Port Mapping Input the Public IP address to be forwarded in the Destination IP field Select the Service to be forwarded to the Internal Server pre defined or custom Enter the Private IP of the Server in the Pass To field Configure Scheduling IDS IDP and or Bandwidth Management if desired Click Apply to save the configuration Configure Port Mapping Virtual Server Rules for DMZ Server Port Mapping Virtual Servers Edt new mapping Name Web_server_DMZ Source Nets Blank everyone Us
42. SN RECH FIN_RECV and so on The Proto column can have TCP The connection is a TCP connection PING The connection is an ICMP ECHO connection UDP The connection is a UDP connection RAWIP The connection uses an IP protocol other than TCP UDP or ICMP The Source and Destination columns show which IP and port on the source interface the connection is coming from and which interface and port number the connection is going to 80 DHCP Server Click on Status in the menu bar and then click DHCP Server below it A window will appear providing information about the configured DHCP Servers By default information about the LAN interface will be displayed To see gA another one click on D Link that interface DFL 1100 Network Security Firewall Interface Name of the interface the DHCP Server is running on IP Span Displays System Firewall Servers Tools DHCP Server Status Interface LAN YPNTunnell Interface LAN the configured range of IP addresses that are Interfaces IP Span 192 168 1 100 192 168 1 200 Usage 15 Em given out as DHCP E leases Active leases Usage Displays isc IP Address MAC Address Time remaining how mu ch of th e IP SS 192 168 1100 0020 e012 3456 9 hrs 23 minutes End lease Connectors 192 168 1101 0020 e012 4567 2 hrs 12 minutes End lease range Is give out to 192 168 1 103 0020 e012 5678 6 his 55 minut
43. T COVERED BY THE WARRANTY THE FOREGOING EXPRESS WRITTEN WARRANTIES AND REMEDIES ARE EXCLUSIVE AND ARE IN LIEU OF ANY OTHER WARRANTIES OR REMEDIES EXPRESS IMPLIED OR STATUTORY Governing Law This Limited Warranty shall be governed by the laws of the State of California Some states do not allow exclusion or limitation of incidental or consequential damages or limitations on how long an implied warranty lasts so the foregoing limitations and exclusions may not apply This limited warranty provides specific legal rights and the product owner may also have other rights which vary from state to state Trademarks D Link is a registered trademark of D Link Systems Inc Other trademarks or registered trademarks are the property of their respective manufacturers or owners Copyright Statement No part of this publication or documentation accompanying this Product may be reproduced in any form or by any means or used to make any derivative such as translation transformation or adaptation without permission from D Link Corporation D Link Systems Inc as stipulated by the United States Copyright Act of 1976 Contents are subject to change without prior notice Copyright 2005 by D Link Corporation D Link Systems Inc All rights reserved CE Mark Warning This is a Class A product In an Industrial environment this product may cause radio interference in which case the user may be required to take adequate measures FCC Statement This equipment
44. VPN tunnel In this example we have a mail server ftp server and a web server intranet in the main office that we want to access from the branch office Settings for Branch office 1 Setup policies for the new tunnel Firewall gt Policy Click Global policy parameters Firewall Policy Edit global policy parameters Fragments IT Drop all fragmented packets Minimum TTL 3 YPN 7 Allow all VPN traffic internal gt VPN VPN gt intemal and YPN gt YPN Disable Allow all VPN traffic internal gt VPN VPN gt internal and VPN gt VPN Click Apply 2 Now is it possible to create policies for the VPN interfaces Select from LAN to toMainOffice and click Show e LAN gt DMZ policy 3 rules e DMZ gt LAN policy 0 rules e WAN gt DMZ policy 0 rules e DM2Z gt WAN policy 4 rules NAT enabled Custom policy LAN vi gt toMainOffice Show 3 Click Add new to create the first rule 102 4 Setup the new rule Name the new rule allow_pop3 Select action Allow Select service pop3 Select schedule Always Firewall Policy Show policy LAN gt WAN LAN gt DMZ WAN gt DM2Z WAN gt LAN DMZ gt LAN DM2 gt WAN Show custom policy LAN e gt toMainOffice Show Edit new rule Name allow_pop3 Position Moves before given position Blank last Action Allow z Source Nets Users Groups Any Any authenticated Destination Nets Users Groups Any Any a
45. WAN Interface Settings Using Biobond 20 Tatie SHAPING DEE 20 MTU eu ue IC le 21 VEAN WEE ER Add a new VAN E 22 Removed VEAN oinisiotaiaraiea ccaavaptenunesatdcedanses 22 ROUUNG E 23 Add a new Static Route 24 Remove a Static ROUle ecciesia on E 24 elle M UE 25 What High Availability will do for YOU 0 eeeceeceeeeeteeeeeenteeeeeettaeeeeeeneeeeeeaas 25 What High Availability will NOT do for wou 25 IP Addresses explained cccccceeceeeeeeeeeceeeeeeeeeeeaeeeeeeeeeeseseenuneeeeeeeteees 26 The shared IP address and the failover mechanism ceeeereeeeeees 26 Cluster heantb ats 2 2 cecehienihi cen aietuideednieei ernie tie 27 The synchronization Interface 27 Setting up a High Availability Cluster 28 Interface MONIOFIAG cecrecceanccnenir ia o E 29 kolot ere BEE 30 Enable Logging ai i aaa ei aise E aie 31 Enable Audit LOGGING serroscneraa kocina ia E tions 31 Enable E mail alerting for IDS IDP events 31 NME ete Ee Ee 32 EN e Une Bn Lu 33 Using NTP to syne dn E 33 Setting time and date manually sssssesesrresssnnsseennesssnnaaneennaanannnneennadnanna 33 Gi ee er E E 34 P QUIGY EE 34 Poley ue EE 34 ACHON RK 34 Source and Destination Elter 35 Tee TEE 35 SCNGCUIC eaaa EEEE edad E EE A 35 Intrusion Detection PDreventon 36 Taie SHAPING DEE 36 Policy RROUUING ET 36 Add a NEW DOll EE 37 Change order of policy crcecrnciseniii nirisan ae E EA 38 Delete polican E E E 38 Co
46. Z a z Special characters and spaces are not allowed 42 Change Administrative User Access level To change the access lever of a user click on the user name and you will see the following screen From here you can change the access level by entering the appropriate level in the Group Membership field Access levels e Administrator the user can add edit and remove rules and change all settings User Management Edit user admin User name admin Group membership administrators Change password Password Retype password L2TP PPTP settings e Read only the user can only look at the configuration of the firewall e No Admin Access The user is only used for user authentication Static client IP If empty the IP addre Networks behind user vill be taken from the server s IP pool Delete user Membership in the administrators group means that the user can administer this unit Membership in the auditors group means that the user has read only access to this unit O O O Apply Cancel Help Follow these steps to change Administrative User Access level Step 1 Click on the user you would like to change level of Step 2 Choose the appropriate level by entering into the Group Membership Field Click the Apply button below to apply the setting or click Cancel to discard changes Change Administrative User Password To change the password of a user clic
47. address of the default gateway used to access the Internet Primary and Secondary DNS Server The IP addresses of your DNS servers only the Primary DNS is required WAN Interface Settings Using DHCP If you are using DHCP there is no need to complete any fields Interface Settings Edit settings of the WAN interlace Change WAN Type DHCP Regular ethernet connection with DHCP assigned IP addresses is used in many DSL and cable modem networks Everything is automatic 16 WAN Interface Settings Using PPPoE Use the following procedure to configure the DFL 1100 external interface to use PPPoE Point to Point Protocol over Ethernet This configuration is required if your ISP uses PPPoE to assign the IP address of the external interface You will have to fill in the username and password provided to you by your ISP e Username The login or username supplied to you by your ISP e Password The Interface Settings Edit settings of the WAN interface Change WAN Type PPPoE PPP over Ethernet connections are used in many DSL and cable modem networks After authenticating everything is automatic Usemame Password Retype Password Service Name Some ISPs require the Service Name to be filled out Most PPPoE services provide DNS server information A few do not If this is the case you can fill out their IP addresses yourself Primary DNS Server optional Secondary DNS Server opti
48. ared IP on each interface This Unit means the master firewall the one you should be configuring at the moment Other Unit is the slave firewall the other DFL 1100 Interface IP Addresses In addition to the unique IP addresses of the cluster members you must also configure shared IP addresses for all interfaces The shared address is the one that units on the network should use as gateway as public IP in address mappings etc The unique addresses are mainly used for management and monitoring of the individual cluster members Interface This Unit Shared IP Other Unit LAN 192 168 1 2 192 168 1 1 192 168 1 3 WAN 172 168 0 2 172 168 0 1 172 168 0 3 DMZ 192 168 3 2 192 168 3 1 192 168 3 3 You also need to configure the Cluster ID of the cluster this have to be a number between 0 and 63 which must be the same on both firewalls in the cluster This must be unique on your LAN if you are running more then one cluster Other parameters Cluster 20 0 63 If there is more than one cluster on a network each cluster needs a unique ID number Make note of the Cluster ID You will need it when setting up the next cluster member When this is done you should click on Apply 28 Now login to the slave firewall and click on System in the menu bar and then click HA below it in this screen you will click on Receive configuration from first unit You will need to fill in the cluster id configured on the first unit Wh
49. ata A switch minimizes network traffic overhead and speeds up the communication over a network Networks take some time in order to plan and implement correctly There are many ways to configure your network You may want to take some time to determine the best network set up for your needs LEDs amp Physical Connections OFL 1100 D Link Power A solid light indicates a proper connection to the power supply Status A System status indicator that flashes occasionally to indicate a functional active system Solid illumination of the Status LED indicates a hardware software critical failure WAN LAN DMZ amp ETH4 Bright Green illumination indicates a valid Ethernet Link on that respective port Each LED will flicker when that respective port is sending or receiving data COM Port Serial Read Only access to the firewall software from a PC equipped with a Serial COM port 9600 baud 8 data bits No Parity 1 Stop bit No Flow Control WAN Port Use this port to connect to an external network such as a WAN or a modem provided by an ISP LAN Port Use this port to connect to a Fast Ethernet Switch to service more than 1 client PC on the internal office network DMZ Port Use this port to service an additional physically segmented Private or Transparent Network to be occupied by WAN accessible servers FTP HTTP DNS DC Power on rear of unit Use the included PC power cable to connect to an 110 120VAC electrical recep
50. ated MPPE currently supports 40 bit 56 bit and 128 bit RC4 session keys 56 L2TP PPTP Clients Settings for L2TP PPTP Client Configuration Name Specifies a friendly name for the PPTP L2TP Client tunnel Username Specify the username for this PPTP L2TP Client tunnel Password Confirm Password The password to use for this PPTP L2TP Client tunnel Interface IP Specifies if the L2TP PPTP Client tunnel should use a Static IP or obtain a dynamic IP from the server The IP remote Remote Gateway address of the PPTP L2TP Server L2TP PPTP Clients Add PPTP Client Name Basic settings Usemame Password Retype Password Interface IP Blank get IP from server Remote C O Gateway M Use primary DNS server from tunnel as primary DNS F Use secondary DNS server from tunnel as secondary DNS Hint Use Servers gt DNS Relayer to easily make DNS servers available to internal client I Dial on demand Idle timeout 50 minutes Count sending as activity Count receiving as activity Count both as activity Dial on demand If enabled the tunnel will only be initiated when needed If disabled the tunnel will be persistent always on Authentication protocol Specify which authentication protocol to use if any Refer to the Authentication Protocols section for more information about each type MPPE encryption If MPPE encryption is to be used select the de
51. ateway Note Proxy ARP will publish the remote network on all interfaces except WAN if enabled on the VPN tunnel Add a new Static Route Follow these steps to add a new route Step 1 Go to System and Routing Step 2 Click on Add new in the bottom of the routing table Step 3 Choose the interface that the route should be sent through from the dropdown menu Step 4 Specify the Network and Subnet mask Step 5 If this network is behind a remote gateway enable the checkbox Network is behind remote gateway and specify the IP of that gateway Click the Apply button below to apply the settings or click Cancel to discard changes Remove a Static Route Follow these steps to remove a route Step 1 Go to System and Routing Step 2 Click the Edit corresponding to the route you would like to remove Step 3 Check the checkbox named Delete this route Click the Apply button below to apply the settings or click Cancel to discard changes 24 High Availability D Link High Availability works by adding a back up firewall to your existing firewall The back up firewall has the same configuration as the primary firewall It will stay inactive monitoring the primary firewall until it deems that the primary firewall is no longer functioning at which point it will go active and assume the active role in the cluster When the other firewall comes back up it will assume a passive role monitoring the now active firewall What High Ava
52. configuration section Once all changes are final those changes must be activated Click on the Activate button under the left hand side menu Follow the on screen instructions to finalize your configuration Appendix D HTTP Content Filtering HTTP Content Filtering Global Policy Protection from malicious or improper web content is a must for Business owners and concerned parents alike There are numerous vehicles for hackers to damage or take control of one s PC or even Network Malicious code may be delivered in deviously crafted Activex controls Java Scripts cookies or tainted file downloads Many times executable exe files are laced with spy ware or viral programs that become active and take over after the program is run for the first time To help reduce the likelihood of malicious software reaching the PCs on the LAN or DMZ of the NetDefend Firewall filtering of HTTP traffic can be customized and enabled This filter can be configured to strip ActiveX objects including flash Java Applets Visual Basic Java Scripts and or block cookies In addition a Whitelist is configurable to define URLs that will always be allowed Conversely a Blacklist is provided to allow customizable filtering of websites domains and even file types based on file extension All of the aforementioned filters function simultaneously if enabled configured when HTTP content filtering is enabled In order for HTTP content filtering to be performed al
53. d Help Available VLAN interfaces Name Physical YLAN ID vlani LAN 1 Edit Add new Add a new VLAN Follow these steps to add a new route Step 1 Go to System and VLAN Step 2 Click on Add new in the bottom of the routing table Step 3 Choose the interface that the VLAN should be on from the dropdown menu Step 4 Specify the 801 2Q VLAN ID Step 5 Fill in the IP address of the VLAN interface This is the address that will be used to ping the firewall remotely control it and use as gateway for hosts on that VLAN Step 6 Choose the correct Subnet mask of this interface from the drop down menu Click the Apply button below to apply the setting or click Cancel to discard changes Remove a VLAN Follow these steps to add a remove a route Step 1 Go to System and VLAN Step 2 Take Edit after the VLAN you would like to remove Step 3 Check the checkbox named Delete this VLAN Click the Apply button below to apply the setting or click Cancel to discard changes 22 Routing Click on System in the menu bar and then click Routing below it this will provide a list of all configured routes and it will look something like this Routing table Interface Network Gateway Additional IP Proxy ARP WAN 194 1 2 0 24 Edit LAN 192 168 1 0 24 Edit WAN 0 0 0 0 0 194 1 2 254 Edit LAN 192 168 5 0 24 192 168 5 1 Edit YPNTunnell 192 168 2 0 24 Yes Edit Add new The Routes configuration section describes the firewall
54. d at 2004 06 04 05 12 06 IDS auto update Autoupdate disabled Firmware version The VPN i p Resources firmware version running on CPU Load 0 RAM 65 255MB MEME Connections 4 200000 La tar t he I e be S 6 GE Rues 1942mm0 SE IDS Signatures The the firewall BEE CPU load over the past 24 hours IDS signature database ime versions 5o Resources Displays o CPU load RAM usage Connections VPN Tunnels and Rules configured State table usage over the past 24 hours 20 10 Z4 his ago now There are also two graphs on this page one shows the CPU usage during the last 24 hours The other shows the state table usage during the last 24 hours Useful for plotting usage trends for your application Interfaces Click on Status in the menu bar and then click Interfaces below it A window will appear providing information about the interfaces on the DFL 1100 By default information about the LAN interface will be displayed To see information for a specific interface click on the respective link Interface Name of P the interface shown LAN D Link DFL 11 WAN or DMZ Building Networks for People 1100 H Network Security Firewall Link status Displays what link the current interface has The speed can be 10 or 100 Mbps and the duplex can be Half or Full MAC Address MAC address of the interface System Firewall Servers _ Tools Interface Status
55. e traversing the firewall out of necessity on a regular basis to ensure no loss in productivity due to invalid network configurations or network outages Domains and or file types defined in the Blacklist will be denied upon request 136 Edit Destination URL Global Blacklist The URL blacklist can be used to deny access to complete sites to file types by extension or to URLs with certain words in them Use e g example org to disallow access to an entire site Blank lines and lines beginning with H are ignored D Al Example for blocking all access to a whole site example com example com Or a shorter variant that runs the risk of blocking sites whose names end with the same text example com Deny access to potentially dangerous file types Malicious executables can be downloaded by exploits exe ser cpl pif com probably not a good idea given the com TLD e oo Apply Cancel Help Navigate to the Firewall tab Content Filtering section of the web administration Click on Edit URL Black List to modify or append the contents of the filtering database To block an entire domain and all sub domains use the following syntax casino com Blocks access to the domain casino com casino com Blocks access to all sub domains under casino com To block specific file types from download through HTTP use the following syntax exe Blocks execu
56. e and date Sree Interfaces IT Set the system time Date ai Al Mar A 2004 24 hour time Time 16 32 08 Time zone and daylight saving time settings GMT 01 00 Central European Time CET Time zone ZS No daylight saving time Apply daylight saving time from i an DI zj sa to an z a z Automatic time synchronization M Enable NTP Primary NTP Server swisstime ethz ch Secondary NTP Server Jun mmo netnod se optional Note The Current time and date and Time zone settings above will be applied instantly and do not require Activate Changes O oO e Apply Cancel Help 32 Changing time zone Follow these steps to change the time zone Step 1 Choose the correct time zone in the drop down menu Step 2 Specify the dates to begin and end daylight saving time or choose no daylight saving time by checking the correct box Click the Apply button below to apply the settings or click Cancel to discard changes Using NTP to sync time Follow these steps to sync to an Internet Time Server Step 1 Enable synchronization by checking the Enable NTP box Step 2 Enter the Server IP Address or Server name with which you want to synchronize Click the Apply button below to apply the settings or click Cancel to discard changes Setting time and date manually Follow these steps to manually set the system time Step 1 Check the Set the syste
57. e configured to relay DNS queries from the internal LAN to the DNS servers used by the firewall itself D Link DFL 1100 Building Networks for People d Network Security Firewall System Firewall Tools _ Status Help DNS Relay DHCP Server The DNS Relayer can provide DNS service on up to two fixed local IP addresses These can be used as DNS servers by computers on the LAN it V Enable DNS Relayer IP Address 1 M Use address of LAN interface IP Address 2 optional The requests will be relayed to the DNS servers that this unit itself uses O oO Apply Cancel Help Enable DNS Relayer Follow these steps to enable the DNS Relayer Step 1 Enable by checking the Enable DNS Relayer box Step 2 Enter the IP numbers that the DFL 1100 should listen for DNS queries on Note If Use address of LAN interface is checked you do not have to enter an IP in IP Address 1 as the firewall will know what address to use Click the Apply button below to apply the settings or click Cancel to discard changes Disable DNS Relayer Follow these steps to disable the DNS Relayer Step 1 Disable by un checking the Enable DNS Relayer box Click the Apply button below to apply the settings or click Cancel to discard changes 70 Tools Ping Click on Tools in the menu bar and then click Ping below it This tool is used to send a specified number of ICMP Echo Request packets t
58. e following steps are taken to verify the validity of the certificate e Construct a certification path up to the trusted root CA e Verify the signatures of all certificates in the certification path e Fetch the CRL for each certificate to verify that none of the certificates have been revoked Local identities This is a list of all the local identity certificates that can be used in VPN tunnels A local identity certificate is used by the firewall to prove its identity to the remote VPN peer To add a new local identity certificate click Add new The following pages will allow you to specify a name for the local identity and upload the certificate and private key files This certificate can be selected in the Local Identity field on the VPN page This list also includes a special certificate called Admin This is the certificate used by the Web interface to provide HTTPS access Note The certificate named Admin can only be replaced by another certificate It cannot be deleted or renamed This is used for HTTPS access to the DFL 1100 Certificates of remote peers This is a list of all certificates of individual remote peers To add a new remote peer certificate click Add new The following pages will allow you to specify a name for the remote peer certificate and upload the certificate file This certificate can be selected in the Certificates field on the VPN page Certificate Authorities This is a list of all CA certificates
59. ec encryption is required Inner IP Blank LAN IP IP Pool and settings Client IP Pook 192 168 1 100 192 168 1 199 N Proxy ARP dynamically added routes Primary DNS Optional Secondary DNS Optional N Use unit s own DNS relayer addresses Primary WINS Optional ares Optional Leave Outer IP and Inner IP blank Set client IP pool to 192 168 1 100 192 168 1 199 Check Proxy ARP dynamically added routes Check Use unit s own DNS relayer addresses Leave WINS settings blank 98 Authentication Protocol No auth C PAP 7 CHAP C MSCHAP MPPE encryption possible Mi MSCHAPy2 MMPE encryption possible Under authentication MSCHAPv2 should be the only checked option Under MPPE encryption None should be the only checked option MPPE encryption Mi None Cl 40 bit 1 56 bit Cl 128 bit me is only possible when using MSCHAP or MSCHAP v2 as authenti protoco N Use IPsec encryption PSK Pre Shared Key Key sane Retype key secre Certificate based Check Use IPSec encryption Enter key 1234567890 Note You should not use this key Retype key 1234567890 Click Apply 3 Setup policies for the new tunnel Firewall gt Policy Click Global policy parameters Firewall Policy Edit global policy parameters Fragments T Drop all fragmented packets Minimum TTL 3 VPN Mi Allow all VPN traffic intermal gt VPN VPN gt internal and V
60. eeeeeeeeeeees 102 Settings for Branch office 102 Settings for Een e 105 Windows XP client and PPTP eener 106 Settings for the Windows XP cent 106 settings for Main offe 22 5 cece ieiceeceteeaeeeeseceeseedaeeeeeedeecnteeeeeeaaaanenees 113 Windows XP client and L7IbPsernver rrenen 116 Settings for the Windows XP cent 116 Settings for Main office 118 Intrusion Detection and Prevention sssssssessrerrrernrerrrernnrnrnnnn reene 120 PPC eS comin 123 Appendix A ICMP Types and Codes ssnnsnesseesererererrererrrrreererne 123 Appendix B Common IP Protocol Numbers s sssesseeseseseeeseeeeesseene 125 Appendix C Multiple Public IP addresses eeeeeeeeeeeeeees 126 Appendix D HTTP Content Eiltermg 134 NT 3 Aue el eel mene neeliee lee een ernr eee eee een enone nner 141 Introduction The DFL 1100 provides four 10 100Mbps Ethernet network interface ports which are 1 Internal LAN 1 External WAN 1 DMZ and 1 ETH4 port In addition the DFL 1100 also provides a user friendly Web UI that allows users to set system parameters or monitor network activities using a Web browser supporting Java Features and Benefits Firewall Security High Availability Through the use of the Sync port ETH4 two DFL 1100 s can form a High Availability cluster that will fail over Firewall and VPN sessions VPN Server Client Supported Supports IPSec LAN to LAN or Roaming user tun
61. eerrrnnttestrrtrtnntnnnnesttnnnnnnneentnnn annann ennn 69 Enable DHCP Relay ascniennnnaea E SNE 69 Disable DHCP Gerveribelay 69 DNS Relay Settings E 70 Enable DNS Relayer 2 20 ecs0 aie seit sii E a E Eaa 70 E 71 RING E 71 Ping Examples 5120 UENES ENEE 71 uereg eet ee 72 Add Dynamic DNS Settings 0 ecccceeceeeeee etter ee eeneeeeeeieeeeeeeeeeeeneeeeee 72 BackUp TEE 73 Exporting the DFL 1100 s Configuration ecccceeeeeeeeeeeneeeeeeenteeeeeeaees 73 Restoring the DFL 1100 s CGontfouraton 73 Restart ROSet AE 74 Restoring system settings to factory defaults 2 0 eect eeeeeeeeeeeeeees 75 Upgrade E 76 Upgrade Firmware eeseessseeererreessrreseerneessnnnsttnnaerenrnaattnndadannaattanaanannaaaanneae 76 Upgrade IDS Signature database A 76 Lr re 77 S101 E 77 Intertaces AAA 78 VPN EE 79 Connections reese Stectee tote cheatets cpieian eer canitashareieccasiiien tein apenas 80 Biel 81 E 81 Mow Ae fead the 006 82 USAGE events 82 DROP events 82 CONN events 83 Step Dy Step TE 84 LAN to LAN VPN using IPSec cccccccceeesseeeeneeeeeeeetessceeeneeeeeneeee 85 Settings for Main office 87 LAN to LAN VPN using PPTP cccccceceecceeceeeeeeeeeeeeeeeeeeeseeeseeeeeeeess 89 Settings for Main office 91 LAN to LAN VPN using L2IbP 95 Settings for Branch ofge vugedegENEREEESENEEEEENEEEEREEEREEEESEEEEEENERENEd ENEE 95 Settings for Main office 98 A more secure LAN to LAN VPN Solution 0 0 eeee
62. embered over a re configure or reboot of the firewall The DFL 1100 also includes a DHCP Relay function A DHCP Relay allows the DFL 1100 to receive DHCP requests and forward those requests to a specified DHCP server The relay function allows the use of existing DHCP servers in conjunction with the DFL 1100 to ensure all users on all interfaces receive IP addresses when requested The DFL 1100 will also configure dynamic routes based on those DHCP leases This enables the firewall to keep an accurate routing table based on active users and protects the DHCP server to some degree Note There can only be one DHCP Server or DHCP Relay configured per interface 68 Enable DHCP Server To enable the DHCP Server on an interface click on Servers in the menu bar and then click DHCP Server below it Follow these steps to enable the DHCP Server on the LAN interface Step 1 Choose the LAN interface from the Available interfaces list Step 2 Enable by checking the Use built in DHCP Server box Step 3 Fillin the IP Span the start and end IP for the range of IP addresses that the DFL 1100 can assign Step 4 Fill in the DNS servers the DHCP server will assign to the clients at least one should be provided If the DNS Relay function is configured the DHCP server will assign those addresses Step 5 Optionally type in the WINS servers the DHCP server will assign to the clients Step 6 Optionally type in the domain that the DHCP server will ass
63. en you click Apply the unit should transfer the configuration from the first unit and you HA cluster should be operating Interface Monitoring When HA is configured it s possible to configure something called Interface Monitoring this is used to monitor up to 6 IP addresses on each segment LAN WAN or DMZ of the DFL 1100 cluster If 50 of the listed addresses are unreachable for several seconds the active node will failover and the other unit will become active Interface Monitoring For each interface you can configure up to 6 IP addresses that the unit will continously ping If 50 of the listed addresses are unreachable for several seconds in a row the cluster will fail over to the other unit IP addresses to monitor on the LAN interface IE SR ES IP addresses to monitor on the WAN interface ET PE IP addresses to monitor on the DMZ interface LI IT LEE Logging Click on System in the menu bar and then click Logging below it Logging the ability to audit decisions made by the firewall is a vital part in all network security products The D Link DFL 1100 provides several options for logging activity The D Link DFL 1100 logs activity by sending the log data to one or two log receivers in the network D Link DFL 1100 Building Networks for People Network Security Firewall Firewall Servers Tools Status Help Logging Settings Pe Pe Interfaces M Syslog send log data via
64. entication Protocol 7 No auth 7 PAP 7 CHAP IT MSCHAP MPPE encryption possible NI MSCHAPy 2 MMPE encryption possible Under authentication only MSCHAPv2 should be checked 96 MPPE encryption N None IT 40 bit C 56 bit C 128 bit Encryption is only possible when using MSCHAP or MSCHAP v2 as authenti protoco Mi Use IPsec encryption PSK Pre Shared Key Key msn Retype key D Certificate based Under MPPE encryption only None should be checked Check Use IPsec encryption Enter key 1234567890 Note You should use a key that is hard to guess Retype key 1234567890 Click Apply 3 Setup policies for the new tunnel Firewall gt Policy Click Global policy parameters Enable Allow all VPN traffic internal gt VPN VPN gt internal and VPN gt VPN Firewall Policy Edit global policy parameters Fragments Cl Drop all fragmented packets Minimum TTL 3 YPN N Allow all VPN traffic internal gt VPN VPN gt interal and VPN gt VPN Click Apply 4 Click Activate and wait for the firewall to restart Settings for Main office 1 Setup interfaces System gt Interfaces WAN IP 194 0 2 20 LAN IP 192 168 1 1 Subnet mask 255 255 255 0 2 Setup L2TP server Firewall gt VPN Under L2TP PPTP Server click Add new L2TP server Name the server I2tpServer L2TP PPTP Servers Add L2TP tunnel Name 2tpServer Outer IP Blank WAN IP Must be WAN IP if IPs
65. epalives No keepalives Keep alive is disabled Automatic keepalives The firewall will send ICMP pings to IP Addresses automatically discovered from the VPN Tunnel settings Manually configured IP addresses Configure the source and destination IP addresses used when sending the ICMP pings 62 Proposal Lists To agree on the VPN connection parameters a negotiation process is performed As the result of the negotiations the IKE and IPSec security associations SA are established As the name implies a proposal is the starting point for the negotiation A proposal defines encryption parameters for instance encryption algorithm life times etc that the VPN gateway supports There are two types of proposals IKE proposals and IPSec proposals IKE proposals are used during IKE Phase 1 IKE Security Negotiation while IPSec proposals are using during IKE Phase 2 IPSec Security Negotiation A Proposal List is used to group several proposals During the negotiation process the proposals in the proposal list are offered to the remote VPN gateway one after another until a matching proposal is found IKE Proposal List Cipher Specifies the encryption algorithm used in this IKE proposal Supported algorithms are AES 3DES DES Blowfish Twofish and CAST128 Hash Specifies the hash function used to calculate a check sum that reveals if the data packet is altered while being transmitted MD5 and SHA1 are supported algorithm
66. er IPSec Step 2 Enter a Name for the new tunnel in the name field The name can contain numbers 0 9 and upper and lower case letters A Z a z and the special characters and _ No other special characters and spaces are allowed Step 3 Specify your local network or your side of the tunnel for example 192 168 1 0 255 255 255 0 in the Local Net field Step 4 Choose authentication type either PSK Pre shared Key or Certificate based If you choose PSK make sure both firewalls use exactly the same PSK Step 5 For Tunnel Type choose LAN to LAN tunnel and specify the network behind the other DFL 1100 as Remote Net Also specify the external IP of the other DFL 1100 either an IP ora DNS name Click the Apply button below to apply the changes or click Cancel to discard changes Repeat these steps with the firewall on the other site VPN between client and an internal network In the following example users can connect to the main office internal network from anywhere on the Internet Communication between the client and the internal network takes place in an encrypted VPN tunnel that connects the DFL 1100 and the roaming users DFL 1100 Firewall We across the Internet Internal Network The example shows a VPN between a roaming VPN client and the internal network but you can also create a VPN tunnel that uses the DMZ network The networks at the ends of the VPN tunnel are selected when you configure the VPN policy
67. ernet to the external interface Then you can create NAT mode policies to accept or deny connections between these networks NAT mode policies hide the addresses of the internal and DMZ networks from users on the Internet In No NAT Route mode you can also create routed policies between interfaces Route mode policies accept or deny connections between networks without performing address translation To use NAT mode select Hide source addresses many to one NAT and to use No NAT Route mode choose No NAT Action Types Drop Packets matching Drop rules will immediately be dropped Such packets will be logged if logging has been enabled in the Logging Settings page Reject Reject works basically the same way as Drop In addition to this the firewall sends an ICMP UNREACHABLE message back to the sender or if the rejected packet was a TCP packet a TCP RST message Such packets will be logged if logging has been enabled in the Logging Settings page Allow Packets matching Allow rules are passed to the stateful inspection engine which will remember that a connection has been opened Therefore rules for return traffic will not be required as traffic belonging to open connections is automatically dealt with before it reaches the policies Logging is carried out if audit logging has been enabled in the Logging Settings page 34 Source and Destination Filter Source Nets Specifies the sender span of IP addresses to be compared
68. ers Groups Any Any authenticated Destination IP 80 80 80 82 lank A WAN interlace IP addiess Service http Custom source pots Blank any port destination pets pass to port and up Blank no change Pass To 192 168 10 100 Schedule Always v Virtual Server Configuration for a Server on the DMZ Navigate to the FIREWALL tab PORT MAPPING page of the Web based configuration Click the Add New link to create a new Port Mapping Input the Public IP address to be forwarded in the Destination IP field Select the Service to be forwarded to the Internal Server pre defined or custom Enter the Private IP of the Server in the Pass To field Configure Scheduling IDS IDP or Bandwidth Management if desired Click Apply to save the configuration Click Activate Changes to apply changes and restart Similar steps can be taken to configure other services to be mapped to Internal Servers for access from Public Hosts Keep in mind that this configuration uses Network Address Translation Not all Protocols will work through NAT so be aware of the type of service in use 130 Example Scenario using DMZ w out NAT An alternative method to that described in the preceding pages is to isolate publicly accessible servers to the DMZ interface with NAT disabled This configuration requires multiple at least 2 Public IP addresses to function as the Firewall will assume one IP and the Server s will use the other
69. es End lease DHCP clients cra 192 168 1104 0020 e012 6789 Shs 47 minutes End lease Inactive leases will be replaced if the pool is full IP Address 192 168 1102 Active leases are the current computers using this DHCP server It is also possible to end a computers lease on this screen by clicking on End lease corresponding to that IP MAC Address 0020 2012 789a Forget mapping Inactive leases are leases that are not currently in use but have been used by a computer before That computer will get the lease the next time it is on the network If there is no free IP in the pool these IP s will be used for new computers Users Click on Status in the menu bar and then click Users below it A window will appear providing user information Currently authenticated users users logged in using HTTP HTTPS authentication users logged in on PPTP and L2TP servers will be listed here Users can be forced to log out by clicking logout Currently recognized privileges all users and groups that are used in policies are listed here These users and groups will be able to use HTTP and HTTPS authentication Interfaces where authentication are available here all interfaces where HTTP and HTTPS authentication is possible is listed How to read the logs Although the exact format of each log entry depends on how your SYSLog recipient works most are very similar The way in which logs are read is also dependent on
70. esponding to the rule you want to configure Step 3 Enable the Intrusion Detection Prevention checkbox Step 4 Choose Inspection Only from the mode drop down list Step 5 Enable the alerting checkbox for e mail alerting Click the Apply button below to apply the changes or click Cancel to discard changes 38 Configure Intrusion Prevention Follow these steps to configure IDP on a policy Step 1 Choose the policy you would like have IDP on Step 2 Click on the Edit link corresponding to the rule you want to configure Step 3 Enable the Intrusion Detection Prevention checkbox Step 4 Choose Prevention from the mode drop down list Step 5 Enable the alerting checkbox for e mail alerting Click the Apply button below to apply the changes or click Cancel to discard changes Port mapping Virtual Servers The Port mapping Virtual Servers configuration section is where you can configure virtual servers such as a LAN Web server on the LAN or DMZ Interfaces to be accessible through the WAN One may also regulate how bandwidth management traffic shaping is applied to traffic flowing through the WAN interface of the firewall to the LAN or DMZ It is also possible to use Intrusion Detection Prevention on Port mapped services These are applied in the same way as with policies See the previous chapter for more information Mappings are read from top to bottom and the first matching mapping is carried out Add a new mapping
71. eway o OC Apply Cancel Help The default WAN route must be modified to enable Proxy ARP The default route for any interface cannot be deleted or modified other than to enable the Proxy ARP feature From the SYSTEM gt ROUTING page select WAN to edit the default route of the WAN interface Enable the Proxy ARP feature by checking the checkbox After making configuration changes be sure to click Apply to save those changes to RAM 132 Disable NAT on the DMZ Interface Firewall Policy Show policy LAN gt WAN LAN gt DMZ WAN gt DMZ W LAN DMZ gt LAN DMZ gt WAN Settings for DMZ gt WAN policy NAT Hide source addresses many to one NAT IS No NAT requires public IP addresses on DMZ network oO OO Apply Cancel Help Select Add New below or select a rule from the list to edit it By default the DFL 1100 is enabled to perform NAT on both LAN and DMZ interfaces Disable NAT on the DMZ interface Navigate to Firewall gt Policy in the web based configuration Click on DMZ gt WAN to modify the behavior of the DMZ interface Select the No NAT requires public IP addresses on DMZ network radio button After making configuration changes click on the Apply button to save those changes To allow services on the DMZ interface to be accessible from the WAN incoming policies must be defined to allow those services This can be done through the WAN gt DMZ section in the Firewall Policy
72. face LAN w Network 80 80 80 81 Subnet Mask 255 255 255 255 1host 32 v Gateway 7 Network is behind remote gateway Proxy ARP Publish network on all other interfaces via Proxy ARP Additional IP C Additional firewall IP address that hosts can use as gateway Static Route Configuration for a Server on the LAN Navigate to the SYSTEM tab then the ROUTING page of the Web based configuration Select the Add New link to create the first static route Select the Interface that the Internal Server is connected to LAN or DMZ Specify the Public IP to be forwarded in the Network field The Subnet Mask should be set to 255 255 255 255 1 host Enable the Proxy ARP feature The above static route configuration explicitly defines the interface that the additional Public IP address should be forwarded to Routing Table Edit new route Interface DMZ v Network 80 80 80 82 Subnet Mask 255 255 255 255 1 host 32 v Gateway T Network is behind remote gateway Proxy ARP Publish network on all other interfaces via Proxy ARP Additional IP C Additional firewall IP address that hosts can use as gateway Static Route Configuration for a Server on the DMZ Navigate to the SYSTEM tab then the ROUTING page of the Web based configuration Select the Add New link to create the second static route Select the Interface that the Internal Server is connected to LAN or DMZ Specify the Public IP to be forwarded in the
73. ft hand menu Select Activate Changes Now to save the configuration to flash and restart When the firewall has finished restarting the HTTP Content Filtering Function will be enabled and active Keep in mind that depending on the type of activities your LAN participates in more services may need to be specified as rules in the Firewall Policy configuration to allow said services to pass the firewall The steps should be similar to the DNS and HTTP configuration if there is a default service configured Custom services can also be created to accommodate most any service needed to run through the firewall 140 Warranty Subject to the terms and conditions set forth herein D Link Systems Inc D Link provides this Limited warranty for its product only to the person or entity that originally purchased the product from D Link or its authorized reseller or distributor and Products purchased and delivered within the fifty states of the United States the District of Columbia U S Possessions or Protectorates U S Military Installations addresses with an APO or FPO Limited Warranty D Link warrants that the hardware portion of the D Link products described below will be free from material defects in workmanship and materials from the date of original retail purchase of the product for the period set forth below applicable to the product type Warranty Period except as otherwise stated herein 1 Year Limited Warran
74. ge amounts of data are moving through the DFL 1100 For example the policy for the web I Traffic shaping interface speed limits Interface Settings Edit settings of the WAN interface Change WAN Type Big Pond z Regular ethernet connection with DHCP assigned IP address plus authentication via a special protocol Used by the ISP Telstra BigPond Username Password Retype Password In order to do traffic shaping beyond simple limits such as guarantees and priorities the traffic shaper needs to know what the maximum bandwidth is Throughput through this interface will be limited to these speeds If the limits are set too high traffic shaping will not work Upstream bandwidth kbit s Downstream bandwidth kbit s server might be given higher priority than the policies for most employees computers You can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy Guarantee bandwidth to make sure that there is enough bandwidth available for a high priority service You can also use traffic shaping to limit the amount of bandwidth available through the firewall for a policy Limit bandwidth to keep less important services from using bandwidth needed for more important services Note If the limit is set too high i e higher then your Internet connection the traffic shaping will not work at all 20 MTU Configuration M Manual Interface MTU Configuration maximum size of
75. ges page The firewall will save the configuration and reload it making the new Time changes take effect In order to make the changes permanent the administrator must login again This has to be done before a configurable timeout has been reached otherwise the DFL 1100 will revert to the previous configuration The timeout can be set on the Activate Configuration Changes page by choosing the time from the dropdown menu Logging d mm Q E a EI Changes Discard Resetting the DFL 1100 To reset the DFL 1100 to factory default settings you must do so through the Web UI or the Console Interface Refer to the section on resetting the DFL 1100 to factory default settings for more information After the reset procedure has been carried out the DFL 1100 will be configured at factory default settings with a LAN IP address of 192 168 1 1 Connect to the firewall using a PC configured for DHCP connected to the LAN port in order to complete the Configuration Wizard Administration Settings Administrative Access Administration Settings Management web GUI ports HTTP Pott eo HTTPS Port 443 For security reasons it may be better to run the management web GUI on non standard ports Also note that if web based user authentication is enabled ports 80 and 443 will be taken the management web GUI has to use other ports Apply Cancel Help Select the interface user you wish to edit from the be
76. his unit Membership in the auditors group means that the user has read only access to this unit O 0 O0 Apply Cancel Help Note Deleting a user is irreversible once the user is deleted it cannot be undeleted 44 Users User Authentication allows an administrator to grant or reject access to specific users from specific IP addresses based on their user credentials Before any traffic is allowed to pass through any policies configured with username or groups the user must first authenticate him her self The DFL 1100 can either verify the user against a local database or pass along the user information to an external authentication server which verifies the user and the given password and transmits the result back to the firewall If the authentication is successful the DFL 1100 will remember the source IP address of this user and any matching policies with usernames or groups configured will be allowed Specific policies that deal with user authentication can be defined thus leaving policies that do not require user authentication unaffected The DFL 1100 supports the RADIUS Remote Authentication Dial In User Service authentication protocol This protocol is heavily used in many scenarios where user authentication is required either by itself or as a front end to other authentication services The DFL 1100 RADIUS Support The DFL 1100 can use RADIUS to verify users against for example Active Directory or Unix password f
77. ided After an RMA number is issued the defective product must be packaged securely in the original or other suitable shipping package to ensure that it will not be damaged in transit and the RMA number must be prominently marked on the outside of the package Do not include any manuals or accessories in the shipping package D Link will only replace the defective portion of the Product and will not ship back any accessories The customer is responsible for all in bound shipping charges to D Link No Cash on Delivery COD is allowed Products sent COD will either be rejected by D Link or become the property of D Link Products shall be fully insured by the customer and shipped to D Link Systems Inc 17595 Mt Herrmann Fountain Valley CA 92708 D Link will not be held responsible for any packages that are lost in transit to D Link The repaired or replaced packages will be shipped to the customer via UPS Ground or any common carrier selected by D Link with shipping charges prepaid Expedited shipping is available if shipping charges are prepaid by the customer and upon request D Link may reject or return any product that is not packaged and shipped in strict compliance with the foregoing requirements or for which an RMA number is not visible from the outside of the package The product owner agrees to pay D Link s reasonable handling and return shipping charges for any product that is not packaged and shipped in accordance with the foregoi
78. iendly name such as dns_out Position does not matter leave blank or choose a position Choose Allow as the Action For service choose dns_all Select a schedule and enable IDS IDP if desired Click Apply to save the changes or click Cancel to disregard Edit new rule Name http_cntnt_fltr Position 1 Moves before given position Blank last Action Allow G Source Nets Users Groups Any Any authenticated Destination Nets Users Groups An ny authenticated Leave source and or destination blank to match Service http outbound iv Custom source ports Blank any port destination ports Schedule Always iv CI Intrusion Detection 7 Prevention Mode Alerting Enable IDS IDP alerting via email for this rule O O Apply Cancel Help To configure the HTTP Content Filtering rule Navigate to the Firewall tab Policy section of the web administration Select the appropriate policy based on desired effect LAN gt WAN or DMZ gt WAN Click Add New at the bottom of the list Give the rule a friendly name such as http_cntnt_filtr Position does not matter leave blank or choose a position Choose Allow as the Action For service choose http_outbound already configured to use the HTTP ALG Select a schedule and enable IDS IDP if desired Click Apply to save the changes or click Cancel to disregard After clicking Apply click the Activate button on the le
79. ign to the clients Step 7 Choose the length of time the DHCP server will give out leases before the client has to renew them Click the Apply button below to apply the settings or click Cancel to discard changes Enable DHCP Relay To enable the DHCP Relay on an interface click on Servers in the menu bar and then click DHCP Server below it Follow these steps to enable the DHCP Relay on the LAN interface Step 1 Choose the LAN interface from the Available interfaces list Step 2 Enable by checking the Relay DHCP Requests to other DHCP server box Step 3 Fill in the IP of the DHCP Server note that it should be on another interface than where the DHCP request is coming from i e a server on the DMZ Click the Apply button below to apply the settings or click Cancel to discard changes Disable DHCP Server Relay To disable the DHCP Server on an interface click on Servers in the menu bar and then click DHCP Server below it Select the interface on which you wish to disable the DHCP server or relayer Follow these steps to disable the DHCP Server or Relayer on the LAN interface Step 1 Choose the LAN interface from the Available interfaces list Step 2 Disable by checking the No DHCP processing box Click the Apply button below to apply the settings or click Cancel to discard changes DNS Relay Settings Click on Servers in the menu bar and then click DNS Relay below it The DFL 1100 contains a DNS Relay function that can b
80. ilability will do for you D Link High Availability will provide a redundant state synchronized firewalling solution This means that the state of the active firewall i e connection table and other vital information is continuously copied to the inactive firewall When the cluster fails over to the inactive firewall it knows which connections are active and communication may continue to flow uninterrupted The failover time is typically about one second well in the scope for the normal TCP retransmit timeout which is normally over one minute Clients connecting through the firewall will merely experience the failover procedure as a slight burst of packet loss and as TCP always does in such situations retransmit the lost packets within a second or two and go on communicating What High Availability will NOT do for you Adding redundancy to your firewall setup will eliminate one of the single points of failure in your communication path However it is not a panacea for all possible communication failures Typically your firewall is far from the only single point of failure Redundancy for your routers switches and your Internet connection are also issues that need to be addressed D Link High Availability clusters will not create a load sharing cluster One firewall will be active and the other will be inactive Multiple back up firewalls cannot be used in a cluster Only two firewalls a master and a slave are supported
81. ile It is possible to configure up to two servers if the first one is down it will try the second IP instead The DFL 1100 can use CHAP or PAP when communicating with the RADIUS server CHAP Challenge Handshake Authentication Protocol does not allow a remote attacker to extract the user password from an intercepted RADIUS packet However the password must be stored in plaintext on the RADIUS server PAP Password Authentication Protocol may be defined as the less secure of the two If a RADIUS packet is intercepted while being transmitted between the firewall and the RADIUS server given time the user password can be extracted The advantage to this is that the password does not have to be stored in plaintext in the RADIUS server The DFL 1100 uses a shared secret when connecting to the RADIUS server The shared secret enables basic encryption of the user password when the RADIUS packet is transmitted from the firewall to the RADIUS server The shared secret is case sensitive can contain up to 100 characters and must be typed exactly the same on both the firewall and the RADIUS server Enable User Authentication via HTTP HTTPS Follow these steps to enable User Authentication Step 1 Enable the checkbox for User Authentication I Enable User Authentication via HTTP HTTPS HTTP Security HTTP as well as HTTPS Step 2 Specify if HTTP and HTTPS only HTTPS or only HTTPS should Ide Timeout Thou E be used for the login Ste
82. iltering Step 1 Navigate to Firewall Content Filtering and choose Edit Port Mapping global URL Whitelist Step 2 Add or edit a URL that should always Weitere be allowed Remove any URL that you do not want to always allow saan Click the Apply button below to apply the changes or click Cancel to discard changes Ke Policy Edit Destination URL Global Whitelist To allow access to a whole domain use e g safesite com Note the ending slash which protects against someone setting up e g www safesite com dyndnsprovider net as an alias for an otherwise disallowed site Blank lines are ignored Lines beginning with are also ignored a Access to these sites will always be allowed d ink com dlink com dlink com tw d r com bw DEED Services Certificates a o oO e Apply Cancel Help 66 Edit the URL Global Blacklist Follow these steps to a e D Link add or remove a URL Building Networks for People DFL 1100 Network Security Firewall Step 1 Navigate to Firewall Content Filtering and choose Edit global URL Blacklist Policy Step 2 Add or edit a Port Mapping URL that should be filtered and blocked File extensions may also be defined to block download of specified file types Click the Apply button below to apply the changes or click Cancel to discard PS changes Servers Tools Status Help HTTP Content Fil
83. k on the user name and you will see the following screen Follow these steps to Administrative User password change Step 1 Click on the user you would like to change level of Step 2 Enable the Change password checkbox Step 3 Enter the new password twice User Management Edit user admin User name admin Group membership administrators Change password Password Retype password Click the Apply button below to apply the setting or click Cancel to discard changes Note The password should be at least six characters long The password can contain numbers 0 9 and upper and lower case letters A Z a z Special characters and spaces are not allowed Delete Administrative User To delete a user click on the user name and you will see the following screen Follow these steps to delete an Administrative User Step 1 Click on the user you would like to delete Step 2 Enable the Delete user checkbox Click the Apply button below to apply the setting or click Cancel to discard changes User Management Edit user admin Username admin Group membership administrators Change password Password Retype password L2TP PPTP settings Static client IP IF empty the IP address will be taken from the server s IP pool Networks behind user Delete user Membership in the administrators group means that the user can administer t
84. ke do delete the mapping from Step 2 Click on the Edit link corresponding to the rule you want to delete Step 3 Enable the Delete mapping checkbox Click the Apply button below to apply the changes or click Cancel to discard changes Administrative users Click on Firewall in the menu bar and then click Users below it This will show all the users and the first section is the administrative users Administrative users Admin admin Add Read only auditor Add The first column shows the access levels Administrator and Read only An Administrator user can add edit and remove rules change settings of the DFL 1100 and so on The Read only user can only look at the configuration The second column shows the users in each access level Add Administrative User Follow these steps to add a new administrative user Step 1 Click on add after the type of user you would like to add Admin User Management or Read only Edit user admin Step 2 Fill in User name make User name admin Sure you are not trying to add one Group membership administrators that already exists Change password Step 3 Specify the password for Password the new user Retype password Click the Apply button below to apply the setting or click Cancel to discard changes Note The user name and password should be at least six characters long The user name and password can contain numbers 0 9 and upper and lower case letters A
85. l s Web based configuration GUI enter Upgrade on the Tools menu click Browse in the Upgrade Unit s signature database section and choose the file name of the newest version of the IDS signatures Then click Upload signature database Beginning with firmware version 1 30 the IDS Signature database will automatically update itself once enabled on a policy 76 Status In this section the DFL 1100 displays the status information about the Firewall Administrator may use the Status section to check the System Status Interface statistics VPN status IP connections and DHCP Servers Status System Click on Status in the menu bar and then click System below it A window will appear providing some information about the DFL 1100 Uptime The time the 3 firewall has been running D Link ince the last r t or start Building Networks for Peopl DFL 1100 Sinice the last TebGOt orsta eer Network Security Firewall Time The current time and date System Firewall Servers Tools System Status Configuration Shows when the last administrative configuration change was activated as well as the Uptime 14 days 03 34 48 Time 2005 05 10 18 14 15 Configuration Version 16 last changed at 2005 04 29 15 53 35 by admin from 192 168 1 3 Firmware version 1 32 00 Last restart 2005 04 29 15 53 36 Configuration changed by admin 192 168 1 3 Interfaces 200 originating IP VLAN IDS signatures Last change
86. l HTTP traffic must pass through an outbound policy utilizing the HTTP ALG Due to this behavior content filtering can be applied to either LAN or DMZ interface simultaneously or independent of one another Keep in mind that the content filtering specifications are global and will apply to every instance of a rule using the HTTP ALG Two configurations need to be made in order to use HTTP Content Filtering The Whitelist and Blacklist must be customized to suit the desired filtering requirements HTTP traffic on an interface LAN or DMZ must be bound to a rule using the HTTP ALG 134 HTTP Content Filtering Changes to these settings affect services that use the HTTP HTML Content Filtering ALG By default this includes the http outbound service Global Destination URL Whitelist URLs matching the global whitelist are excluded from all the below checks Contents 10 entries Edit global URL whitelist Destination URL Blacklist Attempts to access URLs matching the blacklist is blocked Contents 115 entries Edit URL blacklist Active content handling go Strip Active objects including Flash F Strip Java applets C Strip Javascript BS cript C Block Cookies The Whitelist Items entered in the Whitelist will always be allowed through the firewall assuming HTTP content filtering is enabled This section should only be used to allow essential domains and servers such as Microsoft com and DLink com to ensu
87. l not accept connections on any interface other than the LAN interface Reset to Factory Defaults Restarting the DFL 1100 Follow these steps to restart the DFL 1100 Step 1 Choose if you want to do a quick or full restart Step 2 Click Restart Unit and the unit will restart 74 Restoring system settings to factory defaults Use the following procedure to restore system settings to the factory defaults This procedure will possibly change the DFL 1100 firmware version to a lower version if it has been upgraded Make sure you have the current firmware file available for upload to the device in the case where the firmware version is defaulted to an older version The factory reset procedure erases all configuration changes that have been made to the DFL 1100 and reverts the system to its original configuration including resetting of all interface addresses Follow these steps to reset the DFL 1100 to factory default settings through the Web based Configuration Step 1 Under the Tools menu and the Reset section click on the Reset to Factory Defaults button Step 2 Click OK in the dialog to reset the unit to factory defaults or press Cancel to cancel Follow these steps to reset the DFL 1100 to factory default settings using the Console Port at the rear of the device Step 1 Connect a PC with a Serial COM port to the COM port on the front of the DFL 1100 using the provided Null Modem cable Configure a Terminal Emulation
88. lete a user Step 1 Click on the user you would like to delete Step 2 Enable the Delete user checkbox Click the Apply button below to apply the settings or click Cancel to discard changes User Management Edit user Todd User name Todd Group membership NetDefend T Change password Password Ju Retype password Ju KR Delete user 0 OO Apply Cancel Help Note Deleting a user is irreversible once the user is deleted it cannot be undeleted 48 Schedules It is possible to configure a schedule for policies to take effect By creating a schedule the DFL 1100 allows the e firewall policies to be Manage Schedules used only at those Edit new schedule designated times Any activities outside of the scheduled time tes Active to 121x Jan z 200517 Hour 1417 inclusive slot will not follow the 06 00 12 00 18 00 All policies and therefore Schedles we MMPI pa bm pb D Link Building Networks for People DFL 1100 Network Security Firewall Servers Took Status Help Name i ii Active from 11 zs Jan 2005 7 Hour 14 sr Tu MMMM M MM M MM M MIA M M M M MI M M M 191 will not likely be We DMMP i Se Tk bb bb babbar bb a ba baier permitted to pass fe IMIR RAM REA I through the firewall Pen sc MMM M M MIM M M M M M A A M A R A A M N The DFL 1100 can be Su MMMM MMMM M MMMM MMM M MIM MM M M M configured to have a
89. lient Name toMainOffice Basic settings Usemame BranchOffice Password XXXXXXXXXX Retype Password XXXXXXXXXX Interface IP Blank get IP from server Remote Gateway Remote Net 192 168 1 0 24 194 0 2 20 Proxy ARP Publish remote network on all interfaces via Proxy ARP TI Use primary DNS server from tunnel as primary DNS IT Use secondary DNS server from tunnel as secondary DNS Hint Use Servers gt DNS Relayer to easily make DNS servers available to internal clients C Dial on demand Username BranchOffice Password 1234567890 Note You should use a password that is hard to guess Retype password 1234567890 Interface IP leave blank Remote gateway 194 0 2 20 Remote net 192 168 1 0 24 Dial on demand leave unchecked Authentication Protocol 7 No auth CC PAP C CHAP T 7 MSCHAP MPP encryption possible N MSCHAPyv2 MMPE encryption possible Under authentication MSCHAPv2 should be the only checked option 90 MPPE encryption C None TI 40 bit _ 56 bit 128 bit Encryption is only possible when using MSCHAP or MSCHAPy2 as authentication protocol C Use IPsec encryption Under MPPE encryption 128 bit should be the only checked option Leave Use IPSec encryption unchecked Click Apply 3 Setup policies for the new tunnel Firewall gt Policy Click Global policy parameters Enable Allow all VPN traffic internal gt VPN VPN gt inte
90. ll gt Port Mapping Under Configured mappings click Add new 120 2 Set up the newly created port mapping Port Mapping Yirtual Servers Edit new mapping Name map_www Source Nets Users Groups Destination IP Blank Service http in all KAI Custom source ports destination ports pass to port Pass To 192 168 2 5 Schedule Always e vl Intrusion Detection Prevention Mode Prevention EAI Blank everyone Any Any authenticated WAN interface IP address Blank any port and up Blank no change Alerting V Enable IDS IDP alerting via email for this rule Name the rule map_www Select service http in all Enter pass to IP 192 168 2 5 the IP of the web server Check the Intrusion detection prevention option Select mode Prevention Enable email alerting by checking the Alerting box Click Apply The new mapping is now in the list Configured mappings Name Source Destination Service Pass to map www Any WAN IP http in all 192 168 2 5 Add new 3 Setup email server and enable alerting System gt Logging Li Enable E mail alerting for IDS IDP events Sensitivity Normal SMTP Server 192 168 2 4 Sender idsalert examplecompany com E Mail Address 1 webmaster examplecompany co E Mail Address 2 steve examplecompany com E Mail Address 3 Check Enable E mail alerting for IDS IDP e
91. low list Note that both the user settings and the interface settings limit what a user can do so if a user with both admin and read only rights logs on from a somewhere where only read only access is allowed the user will be allowed to log on but will receive read only access only Administrative access via LAN interface Edit Ping Any address Admin Any address HTTPS only Read only Any address HTTPS only SNMP Any address Read Community public Administrative access via WAN interface Edit Ping Any address Admin Any address HTTPS only Administrative access via IPSec_tunnel vpn tunnel Edit Ping Any address Admin Any address HTTPS only Add administrative access via Interface DMZ PN Tunnel Management UI Ports The ports for the DFL 1100 s Web Server Management UI HTTP and HTTPS can be customized if so desired These values must change if User Authentication is enabled User Authentication uses 80 and 443 to accomplish user login Ping If enabled it specifies who can ping the IP interface of the DFL 1100 Enabling Default allows anyone to ping the interface IP Admin If enabled it allows all users with admin access to connect to the DFL 1100 and change configuration this can be HTTPS or HTTP and HTTPS Read Only If enabled it allows all users with read only access to connect to the DFL 1100 and look at the configuration this can be HTTPS or HTTP and HTTPS In the case
92. m time box Step 2 Select the correct date Step 3 Set the correct time using the 24 hour format Click the Apply button below to apply the settings or click Cancel to discard changes Firewall Policy The Firewall Policy configuration section is the heart of the firewall The policies are the primary filter that is configured to allow or disallow certain types of network traffic through the firewall The policies also regulate how bandwidth management traffic shaping is applied to traffic flowing through the WAN interface of the firewall When a new connection is being established through the firewall the policies are evaluated top to bottom until a policy that matches the new connection is found The Action of the rule is then carried out If the action is Allow the connection will be established and a state representing the connection is added to the firewall s internal state table If the action is Drop the new connection will be refused The section below will explain the meanings of the various action types available Policy modes The first step in configuring security policies is to configure the mode for the firewall The firewall can run in NAT or No NAT Route mode Select NAT mode to use DFL 1100 network address translation to protect private networks from public networks In NAT mode you can connect a private network to the internal interface a DMZ network to the DMZ interface and a public network such as the Int
93. ncreased level of protection from Network Intrusions or malicious attacks isolation of servers accessible to the public from the Private network is recommended This will ensure that if one of those servers happens to become compromised through vulnerabilities related to software an attacker would not be able to directly access the private internal Network The DFL 1100 provides a physical DMZ network interface specifically for this purpose This can be accomplished with NAT disabled or enabled on the DMZ interface Example Scenario using NAT The firewall is configured using the following scheme in order to allow Internet hosts access to web services running on either the internal LAN or DMZ Network DMZ 192 168 10 1 WAN 192 168 2 1 80 80 80 80 24 The goal is to map two internal web servers port 80 to two Public IP addresses provided by our ISP Host Interface Private IP Public IP Firewall LAN 192 168 2 1 80 80 80 80 Firewall DMZ 192 168 10 1 80 80 80 80 Web Server on LAN 192 168 2 50 80 80 80 81 Web Server on DMZ 192 168 10 100 80 80 80 82 IP 192 168 10 100 192 168 2 50 126 To accomplish this we need to create the following firewall settings Configure two static routes one for each public IP we wish to forward Create two port mappings one for each public IP mapping to each private Server Routing configuration Routing Table Edit new route Inter
94. nels with AES encryption in addition to PPTP and IPSec over L2TP Content Filtering Strip ActiveX objects Java Applets JavaScript and VBScript from HTTP traffic Bandwidth Management DFL 1100 features an extensive Traffic Shaper for bandwidth management Web Management Configurable through any networked computer s Web browser using Netscape or Internet Explorer Access Control supported Allows assignment of different access rights for different users such as Admin or Read Only User Introduction to Firewalls A firewall is a device that sits between your computer and the Internet that prevents unauthorized access to or from your network A firewall can be a computer using firewall software or a special piece of hardware built specifically to act as a firewall In most circumstances a firewall is used to prevent unauthorized Internet users from accessing private networks or corporate LAN s and Intranets Firewalls are also deployed to prevent sensitive information about your network from leaking out of your network A firewall monitors all of the information moving to and from your network and analyzes each piece of data Each piece of data is then checked against a set of criteria configured by the administrator If any data does not meet the criteria that data is blocked and discarded If the data meets the criteria the data is passed through This method is called packet filtering A firewall can also run specific sec
95. nfigure Intrusion Detection ssenceecicsaniararninarninannia ia 38 Configure Intrusion Prevention eecieerinciarcrn inaia 39 Add anew mapping EE 40 Delete Mapping EE 41 Administrative USCIS ccccceeecee cece eeeeeeeeeeeeeseeeeeeeseeeeeeeseeeeeeeeeeeeeeees 42 Add Administrative User 42 Change Administrative User Access level cccceeesneeeeeenereeeeenteeeeeeeas 43 Change Administrative User Password 43 Delete Administrative USGT ecserin 44 EE 45 The DFL 1100 RADIUS Support ss cerersee iusios iinei tinie ESKENN 45 Enable User Authentication via HTTP HTTPS 46 Enable RADIUS SUPpPOrininnon ricn a a a a 46 Aad USEF enasna urinii n E 47 Change User Password i sciences egies EA 47 Delete Use saiccteise nehesteccieiiatcheleeeta te sdecaeeteatddseeedieaeteaddd ENEE AER deed 48 elen Ee UE 49 Add new recurring schedule sssssesessrenssnnssesnnnnsannaatennannannaatennnnanannaatennana 49 Add new one time schedule ee eeneee ee ttteee eee teeeeetaeeeeesieeeee 50 SEENEN Ee 51 Adding TCP UDP or TCP UDP Gervice 51 Adding IP Protocol RE 52 Grouping Services cccccccceceeeceeeeecee cece eeeeeeeaeeeceeeeeeeesceaneeeeeeeeeeeenanes 52 Protocol independent settings cccceeeeeeeeeeeeeeeeeeeeeeeeeneeeeseeeaeeeeeeaeens 53 MW PN BEE 54 Introduction to TT 54 Introduction to GA KEE 54 Introductonito BEE TER 55 Point to Point Protocol s cces aatensecavadevee a a i 55 Authentication Protocols
96. ng requirements or that is determined by D Link not to be defective or non conforming What Is Not Covered This limited warranty provided by D Link does not cover Products if in D Link s judgment have been subjected to abuse accident alteration modification tampering negligence misuse faulty installation lack of reasonable care repair or service in any way that is not contemplated in the documentation for the product or if the model or serial number has been altered tampered with defaced or removed Initial installation installation and removal of the product for repair and shipping costs Operational adjustments covered in the operating manual for the product and normal maintenance Damage that occurs in shipment due to act of God failures due to power surge and cosmetic damage Any hardware software firmware or other products or services provided by anyone other than D Link Products that have been purchased from inventory clearance or liquidation sales or other sales in which D Link the sellers or the liquidators expressly disclaim their warranty obligation pertaining to the product Repair by anyone other than D Link or an Authorized D Link Service Office will void this Warranty Disclaimer of Other Warranties EXCEPT FOR THE LIMITED WARRANTY SPECIFIED HEREIN THE PRODUCT IS PROVIDED AS IS WITHOUT ANY WARRANTY OF ANY KIND WHATSOEVER INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY FITNESS FOR A PARTICUL
97. nge of IP addresses Step 4 Specify protocol to be used to access the DFL 1100 via the dropdown menu Select HTTP and HTTPS Secure HTTP or HTTPS only Click the Apply button below to apply the settings or click Cancel to discard changes Example M Admin Full access to web based management Networks fi 0 0 0 223 255 255 255 Protocol HTTPS only L Add Read only access to an interface To add read only access click on the interface you would like to add it to Note that if you only have read only access enabled on an interface all users will only have read only access even if they are administrators Follow these steps to add read only access to an interface Step 1 Click on the interface you would like to add it to Step 2 Enable the Read only checkbox Step 3 Specify which network addresses should be allowed read only access to the interface for example 192 168 1 0 24 for a whole class C network or 172 16 0 1 172 16 0 10 for a range of IP addresses Step 4 Specify protocol to be used to access the DFL 1100 via the dropdown menu Select HTTP and HTTPS Secure HTTP or HTTPS only Click the Apply button below to apply the settings or click Cancel to discard changes Example M Read only Read only access to web based management Networks 172 16 0 1 172 16 0 10 Protocol HTTP and HTTPS Enable SNMP access to an interface Follow these steps to add read only SNMP access to an interface Step 1
98. nspection Only or Prevention Inspection Only will only inspect the traffic and if the DFL 1100 detects anything it will log e mail an alert if configured and pass on the traffic If Prevention is used the traffic will be dropped and logged and if configured an e mail alert will be sent Traffic Shaping The simplest way to obtain quality of service in a network seen from a security as well as a functionality perspective is to have the components in the network not the applications be responsible for network traffic control in well defined choke points Traffic shaping works by measuring and queuing IP packets in transit with respect to a number of configurable parameters Differentiated rate limits and traffic guarantees based on source destination and protocol parameters can be created much the same way firewall policies are implemented There are three different priorities when configuring the traffic shaping Normal High and Critical Limit works by limiting the inbound and outbound traffic to the specified speed This is the maximum bandwidth that can be used by traffic using this policy Note however that if you have other policies using limit which in total is more then your total internet connection and have configured the traffic limits on the WAN interface this limit is sometimes lowered to allow traffic with higher priorities to have precedence By using Guarantee you can traffic using a policy a minimum bandwidth thi
99. ntext PAP is therefore not considered a secure authentication protocol CHAP CHAP Challenge Handshake Authentication Protocol is a _ challenge response authentication protocol specified in RFC 1994 CHAP uses an MD5 one way encryption scheme to hash the response to a challenge issued by the DFL 1100 CHAP is superior to PAP in that the password is never sent over the link Instead the password is used to create the one way MD5 hash This does however mean that CHAP requires passwords to be stored in a reversibly encrypted form MS CHAP v1 MS CHAP v1 Microsoft Challenge Handshake Authentication Protocol version 1 is similar to CHAP the main difference is that with MS CHAP v1 the password only needs to be stored as an MD4 hash instead of a reversibly encrypted form Another difference is that MSCHAP v1 uses MD4 Hashing as opposed to MD5 used in CHAP MS CHAP v2 MS CHAP v2 Microsoft Challenge Handshake Authentication Protocol version 1 is more secure then MS CHAP v1 as it provides two way authentication MS CHAPv2 is not backwards compatible with MS CHAP v1 Both the Remote Access Server and the client must prove they have knowledge of the password via two way Challenge response messages MPPE Microsoft Point To Point Encryption MPPE is used is used to encrypt Point to Point Protocol PPP packets MPPE uses the RSA RC4 algorithm to provide data confidentiality The length of the session key to be used for the encryption can be negoti
100. o Note You cannot use PPPoE DHCP L2TP on the external interface when using HA The shared IP address and the failover mechanism Both firewalls in the cluster know about the shared IP address ARP queries for the shared IP address or any other IP address published via the ARP configuration section or through Proxy ARP will be answered by the active firewall The hardware address of the shared IP address and other published addresses for that matter is not related to the hardware addresses of the firewall interfaces Rather it is constructed from the cluster ID on the following form 10 00 00 C1 4A nn where nn is the Cluster ID configured in the Settings section As the shared IP address always has the same hardware address there will be no latency time in updating ARP caches of units attached to the same LAN as the cluster when failover occurs When a firewall discovers that its peer is no longer operational it will broadcast a number of ARP queries for itself using the shared hardware address as sender address on all interfaces This causes switches and bridges to re learn where to send packets destined for the shared hardware address in a matter of milliseconds Hence the only real delay in the failover mechanism is detecting that a firewall is no longer operational The activation messages ARP queries described above are also broadcast periodically to ensure that switches won t forget where to send packets destined for the
101. o a given destination All packets are sent in immediate succession rather than one per second This method is the best suited for diagnosing connectivity problems Ping IP Address Number of packets E z Packet size 64 oO oO 0 Apply Cancel Help e IP Address Target IP to send the ICMP Echo Requests to e Number of packets Number of ICMP Echo Request packets to send up to 10 e Packet size Size of the packet to send between 32 and 1500 bytes Ping Example In this example the IP Address is 192 168 10 1 the Number of packets is five After clicking on Apply the firewall will start to send the ICMP Echo Requests to the specified IP After a few seconds the result will be displayed In this example only four out of five packets were received back a 20 packet loss and the average time for the packets to travel to and from the specified IP was 57 ms Results of pinging 192 168 10 1 Seq Roundtrip TTL 1 50 ms 236 2 70 ms 236 3 60 ms 236 5 50 ms 236 5 packets transmitted 4 packets received 20 packet loss Round trip time average 57 ms Dynamic DNS The Dynamic DNS requires Dynamic DNS Service allows you to alias a dynamic IP address to a static hostname allowing your device to be more easily accessed by a specific name When this function is enabled the IP address in Dynamic DNS Server will be automatically updated with the new IP address provided by ISP Click DynDNS in the Tools menu t
102. o enter Dynamic DNS configuration The firewall provides a list of a few predefined DynDNS service providers Users must register with one of these providers before trying to use this function Add Dynamic DNS Settings Follow these steps to enable Dynamic DNS Step 1 Go to Tools and DynDNS Step 2 Choose what Dynamic DNS service you would like to use and fill in the required information username and password in all cases and domains in all but cjb net Click the Apply button below to apply the settings or click Cancel to discard changes 72 Backup Click on Tools in the menu bar and then click Backup below it Here an administrator can backup D Link Building Networks for People DFL 1100 Network Security Firewall and restore the System Firewall Servers configuration The Backup 7 Restore configuration file stores EA sys te m setti n gs 5 l P By dekio Doaa origun vou Li PS a Geen file onesie the unit s entire addresses of the firewall s Download configuration network interfaces address table service table IPSec settings port mapping and policies Upgrade When the configuration process is completed a system administrator can download the configuration file onto a local disc as a backup System Administrators can restore the firewall s configuration file with the one stored on disc Reset Restore unit s configuration To restore an old configuration
103. onal password supplied to you by your ISP e Service Name When using PPPoE some ISPs require you to fill in a Service Name e Primary and Secondary DNS Server The IP addresses of your DNS servers these are optional and are often provided by the PPPoE service WAN Interface Settings PPTP over Ethernet connections are used in some DSL and cable modem networks You need to enter your account details and possibly also IP configuration parameters of the actual physical interface that the PPTP tunnel runs over Your ISP should supply this information e Username The login or username supplied to you by your ISP e Password The password supplied to you by your ISP e PPTP Server IP The IP of the PPTP server that the DFL 1100 will connect to Using PPTP Interface Settings Edit settings of the WAN interface Change WAN Type PPTP PPTP over Ethernet connections are used in some DSL and cable modem networks You need account details and possibly also IP configuration parameters of the actual physical interface that the PPTP tunnel runs over Your ISP should supply this information PPTP tunnel parameters Usermame U Password IT Betpe based FpmpzeefbT Physical interface parameters DHCP automatic configuration Everything is automatic Static IP manual configuration Your ISP should provide this information to you IPAddess Subnet Mask 255 255 2550
104. opriate SYSLog facility Local is the default facility Click the Apply button below to apply the settings or click Cancel to discard changes Enable Audit Logging To start auditing all traffic through the firewall follow the steps below This is required when running third party log analyzers on the logs or to see how much traffic specific connections account for Follow these steps to enable auditing Step 1 Enable SYSLog by checking the Enable Audit Logging box Click the Apply button below to apply the settings or click Cancel to discard changes Enable E mail alerting for IDS IDP events Follow these steps to enable E mail alerting Step 1 Enable E mail alerting by checking the Enable E mail alerting for IDS IDP events checkbox Step 2 Choose the sensitivity level Step 3 In the SMTP Server field fill in the SMTP server to which the DFL 1100 will send the e mail alerts Step 4 Specify up to three valid email addresses to receive the e mail alerts Click the Apply button below to apply the settings or click Cancel to discard changes Time Click on System in the menu bar and then click Time below it This will give you the option to either set the system time by synchronizing with an Internet Network Time Server NTP or by entering the system time manually D Link DFL 1100 Building Networks for People Network Security Firewall Firewall Servers Tools Status Help Time Settings Current tim
105. or the service in the name field This name will appear in the service list when you add a new policy The name can contain numbers 0 9 and upper and lower case letters A Z a z and the special characters and _ No other special characters and spaces are allowed Step 3 Select IP Protocol Step 4 Specify a comma separated list of IP protocols Click the Apply button below to apply the changes or click Cancel to discard changes Grouping Services Services can be grouped in order to simplify configuration Consider a Web server using standard http as well as SSL encrypted http https Instead of having to create two separate rules allowing both types of services through the firewall a service group named for instance Web can be created with the http and the https services as group members Follow these steps to add a group Step 1 Go to Firewall and Service and choose new Step 2 Enter a Name for the service in the name field This name will appear in the service list when you add a new policy The name can contain numbers 0 9 and upper and lower case letters A Z a z and the special characters and _ No other special characters and spaces are allowed Step 3 Select Group Step 4 Specify a comma separated list of existing services Click the Apply button below to apply the changes or click Cancel to discard changes 52 Protocol independent settings Allow ICMP errors from the destination to the source
106. or this policy to match Choose Always for no scheduling Step 4 If using Traffic shaping fill in the required information If not skip this step Click the Apply button below to apply the changes or click Cancel to discard changes Note Refer to Appendix C of the manual for details on mapping Public IP addresses to Internal Servers Change order of policy Follow these steps to change the order of a policy Step 1 Choose the policy list for which you would like to change the order from the available policy lists Step 2 Click on the Edit link corresponding to the rule you want to move Step 3 Change the number in the Position to the new line This will occur after the apply button is clicked and will move the policy to the new row and move the old policy and all following policies one step down Click the Apply button below to apply the changes or click Cancel to discard changes Delete policy Follow these steps to delete a policy Step 1 Choose the policy list from which you would like do delete the policy in from the available policy lists Step 2 Click on the Edit link corresponding to the rule you want to delete Step 3 Enable the Delete policy checkbox Click the Apply button below to apply the changes or click Cancel to discard changes Configure Intrusion Detection Follow these steps to configure IDS on a policy Step 1 Choose the policy you would like to have IDS on Step 2 Click on the Edit link corr
107. ormation with your own values Passwords used in these examples are not recommended for real life use Strong passwords and keys should be chosen making use of symbols letters and numbers to decrease the likelihood of a brute force dictionary attack success In these guides for example Firewall gt Users will mean that the Firewall tab should first be selected from the menu at the top of the screen stem Serv followed by the Users button to the left of the screen should be selected WW 84 LAN to LAN VPN using IPSec Main office Ze 7 l AN p Wi 2 Ary C SCH A Soe zs E Op 2 Jg 025 SR Internet Settings for Branch office 1 Setup interfaces System gt Interfaces WAN IP 194 0 2 10 LAN IP 192 168 4 1 Subnet mask 255 255 255 0 2 Setup IPSec tunnel Firewall gt VPN Under IPSec tunnels click Add new Name the tunnel ToMainOffice Local net 192 168 4 0 24 YPN Tunnels Add IPsec tunnel Name toMainOffice Local Net 192 168 4 0 24 Authentication PSK Pre Shared Key PSK KXXXXXXXXXX Retype PSK XXXXXXXXXX PSK 1234567890 Do not use this as your PSK Retype PSK 1234567890 Branch office Select Tunnel type LAN to LAN tunnel LAN to LAN tunnel Remote Net 192 168 1 0 24 Remote Gateway 194 0 2 20 The gateway can be a numerical IP address DNS name or range of IP addresses for roaming Z NATed gateways Route JM Automaticall
108. ost often are all ports 0 65535 The http service for instance uses destination port 80 A port range can also be used meaning that a range 137 139 covers ports 137 138 and 139 Multiple ranges or individual ports may also be entered separated by commas For instance a service can be defined as having source ports 1024 65535 and destination ports 80 82 90 92 and 95 In this case a TCP or UDP packet with the destination port being one of 80 81 82 90 91 92 or 95 and the source port being in the range 1024 65535 will match this service Schedule If a schedule should be used for the policy choose one from the dropdown menu These are specified on the Schedules page If the policy should always be active choose Always from the dropdown menu Intrusion Detection Prevention The DFL 1100 Intrusion Detection Prevention System IDS IDP is a real time intrusion detection and prevention sensor that identifies and takes action against a wide variety of suspicious network activity The IDS uses intrusion signatures stored in the attack database to identify the most common attacks In response to an attack the IDS will protect the networks behind the DFL 1100 by dropping the traffic To notify responsible parties of the malicious attack the IDS will send e mails to the system administrators if e mail alerting is enabled and configured D Link updates the attack database periodically There are two modes that can be configured either I
109. p 3 Specify the idle timeout the time a user can be idle before being logged out by the firewall Step 4 Choose new ports for the web based management GUI to listen on since enabling user authentication requires the default ports for user login purposes 80 and 443 Click the Apply button below to apply the settings or click Cancel to discard changes Enable RADIUS Support Follow these steps to enable RADIUS M Enable RADIUS Support support Primary Server 192 168 1 10 port 1812 Step 1 Enable the checkbox for See oe Go GES Mode CHAP x RADIUS Support Shared Secret Fe SS Step 2 Enter information for up to Retype Seerat two RADIUS servers RADIUS rety 2 seconds Step 3 Specify which mode to use PAP or CHAP Step 3 Specify the shared secret for this connection Click the Apply button below to apply the settings or click Cancel to discard changes 46 Add User Follow these steps to add a new user Step 1 Click on add corresponding to the type of user you would like to add Admin or Read only Step 2 Fill in User name make sure you are not trying to add one that already exists Step 3 Specify which groups the user should be a member of Step 3 Specify the password for the new user Click the Apply button below to apply the settings or click Cancel to discard changes User Management Add new user User name Group membership Password Retype password L2TP PPTP settings Static
110. packets sent via this interface Normally you do not need to change the MTU settings By default the interface uses the maximum size that the physical media supports MTU fi 500 bytes Upper limit 1500 To improve the performance of your Internet connection you can adjust the maximum transmission unit MTU of the packets that the DFL 1100 transmits from its external interface Ideally you want this MTU to be the same as the smallest MTU of all the networks between the DFL 1100 and the Internet If the packets the DFL 1100 sends are larger they get broken up or fragmented which could slow down transmission speeds Trial and error is the only sure way of finding the optimal MTU but there are some guidelines that can help For example the MTU of many PPP connections is 576 so if you connect to the Internet via PPPoE you may want to set the MTU size to this value DSL modems may also have small MTU sizes Most Ethernet networks have an MTU of 1500 Note If you connect to your ISP using DHCP to obtain an IP address for the external interface you cannot set the MTU below 576 bytes due to DHCP communication standards Click the Apply button below to apply the settings or click Cancel to discard changes VLAN Click on System in the menu bar and then click VLAN below it this will give a list of all configured VLAN Tags which should look something like this VLAN Interfaces Pick a VLAN interface to edit from the below list
111. port 80 Services are simplistic in that they cannot carry out any action in the firewall on their own Thus a service definition does not include any information whether the service should be allowed through the firewall or not That decision is made entirely by the firewall policies in which the service is used as a filter parameter Adding TCP UDP or TCP UDP Service For many services a single destination port is sufficient The http service for instance uses destination port 80 To use a single destination port enter the port number in the destination ports text box In most cases all ports 0 65535 have to be used as source ports The second option is to define a port range a port range is inclusive meaning that a range 137 139 covers ports 137 138 and 139 Multiple ranges or individual ports may also be entered separated by commas For instance a service can be defined as having source ports 1024 65535 and destination ports 80 82 90 92 and 95 In this case a TCP or UDP packet with the destination port being one of 80 81 82 90 91 92 or 95 and the source port being in the range 1024 65535 will match this service Follow these steps to add a TCP UDP or TCP UDP service Step 1 Go to Firewall and Service and choose add new Step 2 Enter a Name for the service in the name field This name will appear in the service list when you add a new policy The name can contain numbers 0 9 and upper and lower case letters A
112. pply 6 Click Activate and wait for the firewall to restart This example will allow all traffic between the two offices To get a more secure solution read the A more secure LAN to LAN VPN solution section 94 LAN to LAN VPN using L2TP Main office ar a gt Mp Sg n AN 193782 2 RK ae ty SE Pe EH a Internet SR Jg a Settings for Branch office 1 Setup interfaces System gt Interfaces WAN IP 194 0 2 10 LAN IP 192 168 4 1 Subnet mask 255 255 255 0 2 Setup L2TP client Firewall gt VPN Under L2TP PPTP client click Add new L2TP client Name the server toMainOffice L2TP PPTP Clients Add L2TP Client Name toMainOffice Branch office Basic settings Username BranchOffice XXXXXXXXXX Password Retype Password XXXXXXXXXX Interface IP Blank get IP from server Remote Gateway i 34 0 2 20 Remote Net 192 168 1 0 24 Proxy ARP Publish remote network on all interfaces via Proxy ARP C Use primary DNS server from tunnel as primary DNS C Use secondary DNS server from tunnel as secondary DNS pe se Servers gt DNS Relayer to easily make DNS servers available to ir C Dial on demand Username BranchOffice Password 1234567890 Note You should use a password that is hard to guess Retype password 1234567890 Interface IP leave blank Remote gateway 194 0 2 20 Remote net 192 168 1 0 24 Dial on demand leave unchecked Auth
113. program to use the following settings 9600 Baud 8 Data Bits No Parity 1 Stop Bit No Flow Control Step 2 Power Cycle the Firewall by either using the power switch on the rear of the device or through the webUI In the Terminal Emulation program input ctrl c to interrupt the firmware loading procedure Step 3 Select the menu option to restart the Firewall with Factory Default settings The default settings will be applied and the firewall will restart At this point the Firewall is loading the factory default configuration Step 4 Allow at least 1 minute for the Firewall to completely restart At this point the firewall can be accessed via its default LAN IP 192 168 1 1 through a web browser The first login will require the use of the Wizard to complete basic connectivity configurations You can restore your system settings by uploading a previously generated system configuration file to the DFL 1100 if a backup of the device has been downloaded to your Local Machine Prior to reset Upgrade The DFL 1100 s software IDS signatures and system parameters are all stored on a flash memory card The flash memory card is re writable D Link and re readable Building Networks for People DFL 1100 Network Security Firewall Upgrade Firmware To upgrade the firmware of the DFL 1100 obtain the latest version System Firewall Servers Upgrade Upgrade unit s fimware To upgrade the unit s firmware
114. r the pre shared key 1234567890 and retype same pre shared key Click Apply 3 Setup policies for the new tunnel Firewall gt Policy Click Global policy parameters Enable Allow all VPN traffic internal gt VPN VPN gt internal and VPN gt VPN Click Apply 4 Set up authentication source Firewall gt Users Select Local database Click Apply 118 5 Add a new user Firewall gt Users Under Users in local database click Add new Name the new user HomeUser Enter password 1234567890 Retype password 1234567890 Leave static client IP empty could also be set to eg 192 168 1 200 If no IP is set here the IP pool from the PPTP server settings are used Click Apply 6 Click Activate and wait for the firewall to restart This example will allow all traffic from the client to the main office network To get a more secure solution read the Settings for the Main office part of the A more secure LAN to LAN VPN solution section Intrusion Detection and Prevention Internet Intrusion detection and prevention can be enabled for both policies and port mappings In this example we are using a port mapping The policy setup is quite similar In this example a mail server with IP 192 168 2 4 and a web server with IP 192 168 2 5 is connected to the DMZ interface on the firewall To set up intrusion detection and prevention to a web server on the DMZ net follow these steps 1 Create a Port mapping for the web server Firewa
115. re opened connections that are closed state and lifetime changes in connections etc The configuration is also transferred between the nodes using the synchronization connection When the active firewall ceases to function for whatever reason and for even a short time the cluster heartbeat mechanism described above will cause the inactive firewall to go active Since it already knows about all open connections communication can continue to flow uninterrupted Setting up a High Availability cluster First of all each of the DFL 1100 Firewalls must be setup so far that one can manage them over the web interface In this example the two units are configured as follow the master DFL 1100 will be configured with 192 168 1 2 on its internal interface and the slave DFL 1100 with 192 168 1 3 Later when the setup of the HA is done the virtual or shared IP will be 192 168 1 1 on the LAN this is the IP that clients on that network will use as gateway When both units are configured with the two individual IP s they should be connected with a crossover cable between the fourth interfaces on each unit this interface ETH4 will no longer be possible to use as an extra DMZ or LAN interface when running HA Login to the master firewall and click on System in the menu bar and then click HA below it in this screen you will click on Configure additional HA parameters This will show the screen below here you will fill in each Units own IP and the sh
116. re the ability to locate and download critical updates or firmware is not hindered Domains or websites entered in the Whitelist will not be subject to any of the content filtering functions Edit Destination URL Global Whitelist To allow access to a whole domain use e g safesite com Note the ending slash which protects against someone setting up e g www safesite com dyndnsprovider net as an alias for an otherwise disallowed site Blank lines are ignored Lines beginning with 87 are also ignored Access to sites that are important for software updates and require cookies scripts d link com d link com dlink com dlink com d link com bai d link com bar dlink com tw dhrk Com bad microsoft com microsoft com O oO Apply Cancel Help Navigate to the Firewall tab Content Filtering section of the web administration Click on Edit URL Black List to modify or append the contents of the filtering database To allow an entire domain and all sub domains use the following syntax dlink com Allows access to the domain dlink com dlink com Allows access to all sub domains in dlink com Once finished editing the Whitelist click Apply to save changes or Cancel to clear The Blacklist Blacklist configuration is not limited to domain names File extensions may be specified to block the download of said file types Be sure to evaluate the type of files that may b
117. rnal and VPN gt VPN Firewall Policy Edit global policy parameters Fragments Drop all fragmented packets Minimum TTL 3 YPN JM Allow all VPN traffic mtema MEN VPN gt internal and MEN MEN Click Apply 4 Click Activate and wait for the firewall to restart Settings for Main office 1 Setup interfaces System gt Interfaces WAN IP 194 0 2 20 LAN IP 192 168 1 1 Subnet mask 255 255 255 0 2 Setup PPTP server Firewall gt VPN Under L2TP PPTP Server click Add new PPTP server Name the server pptpServer L2TP PPTP Servers Add PPTP tunnel Name pptpS erver Outer IP Blank WAN IP Must be WAN IP if IPsec encryption is required Inner IP Blank LAN IP IP Pool and settings Client IP Pool f 92 168 1 100 192 168 1 199 Proxy ARP dynamically added routes Primary DNS Optional Secondary DNS Optional Use unit s own DNS relayer addresses Primary WINS Optional Second INS Optional Leave Outer IP and Inner IP blank Set client IP pool to 192 168 1 100 192 168 1 199 Check Proxy ARP dynamically added routes Check Use unit s own DNS relayer addresses Leave WINS settings blank 92 Authentication Protocol 7 No auth C PAP C CHAP C MSCHAP MPPE encryption possible MSCHAPv2 MMPE encryption possible MPPE encryption C None C 40 bit C 56 bit L 128 bit Encryption is only possible when using MSCHAP or
118. s 20 kbps 10 kbps Okbps 2 his ago Receive rate over the past 24 hours Connections 20 kbps DHCP Server 10 kbps UD BOE Okbps 24 hrs ago IPsec SAs for VPN tunnel Roam PN list IKE SAs Gateway Local Net Remote Net Connections Click on Status in the menu bar and then click Connections below it A window will appear providing information about the D Link content of the state table Building Networks for People DFL 1100 Network Security Firewall The state table shows the last 100 connections opened through the firewall Connections are created when traffic is permitted to pass via the policies Each connection has two timeout values one in each direction These ve System Firewall Server Tools State Table Contents Filter state table display Source Destination IP Address Interface Any a ary H IP Protocol Any sat eg O O are updated when the Apply Help firewall receives packets from each end of the connection The value shown in the Timeout column is the lower of the two values State table contents max 100 entries State Proto Source Destination Timeout TCP_CLOSE TCP lan 192 168 1 5 1024 war 172 16 77 88 80 83 TCP_OPEN TCP lan 192 168 1 5 1025 wan 172 16 77 88 80 299998 Possible values in the State column include TCP_CLOSE TCP_OPEN
119. s Configure the Static Routes Routing Table Edit 192 168 10 2347255 255 255 255 route Interface DMZ a Network fi 92 168 10 234 Subnet Mask 255 255 255 255 1 host 32 Gateway T Network is behind remote gateway 0 0 0 0 Proxy ARP JW Publish network on all other interfaces via Proxy ARP Additional IF Additional firewall IP address that hosts can use as gateway I Delete this route o OO Apply Cancel Help A new route must be added to inform the firewall on which interface the Public IP will reside Navigate to SYSTEM gt ROUTING in the web based configuration of the DFL 1100 Click on Add New to create a new static route Select DMZ as the Interface Enter the IP Address WAN Network you wish to forward to a server on the DMZ interface in the Network field Select a 32 bit subnet mask from the Subnet Mask dropdown box Be sure to have Proxy ARP enabled by checking the checkbox Click Apply to save any changes Modify Existing WAN Route Routing Table Edit 192 168 10 0 255 255 255 0 route Note that this is the local network route for the interface you can only change the Proxy ARP setting Interface WAN Network 192 168 10 0 Subnet Mask 255 255 255 0 256 hosts 24 Gateway JT Network is behind remote gateway fo 0 0 0 Proxy ARP JV Publish network on all other interfaces via Proxy ARP Additional IP T Additional firewall IP address that hosts can use as gat
120. s Life Times Specifies in KB or seconds when the security associations for the VPN tunnel need to be re negotiated IPSec Proposal List Cipher Specifies the encryption algorithm used in this IPSec proposal Supported algorithms are AES 3DES DES Blowfish Twofish and CAST128 HMAC Specifies the hash function used to calculate a check sum that reveals if the data packet is altered while being transmitted MD5 and SHA1 are supported algorithms Life Times Specifies in KB or seconds when the security associations for the VPN tunnel need to be re negotiated Certificates A certificate is a digital proof of identity It links an identity to a public key in a trustworthy manner Certificates can be used to authenticate individual users or other entities These types of certificates are commonly called end entity certificates Before a VPN tunnel with certificate based authentication can be set up the firewall needs a certificate of its own and that of the remote firewall These certificates can either be self signed certificates or issued by a CA Trusting Certificates When setting up a VPN tunnel the firewall has to be told whom it should trust When using pre shared keys this is simple The firewall trusts anyone who has the same pre shared key When using certificates on the other hand you tell the firewall that it can trust anyone whose certificate is signed by a given CA Before a certificate is accepted th
121. s will only work if the traffic limits for the WAN interface are configured correctly Policy Routing Normal routing can be said to be a simple form of policy based routing the policy is the routing table and the only data that can be filtered on is the destination IP address of the packet What is commonly referred to as policy based routing is simply put an extension of what fields of the packet we look at to determine the routing decision In the DFL 1100 each rule in the firewall policy can specify its own routing decision in essence we route according to the source and destination IP addresses and ports Policy based routing can for example be used to route certain protocols through transparent proxies such as web caches and anti virus scanners without adding another point of failure for the network as a whole It s very important to know that the proxy must support this also for it to work 36 There are two ways to configure Policy Routing both include specifying the Gateway to send the traffic over The first one Redirect via routing make gateway next hop will just reroute the traffic to the given gateway as if it was just another router The second mode Via address translation change destination IP will change the destination IP in the IP header and then pass the packet on to the gateway used for example in transparent squid proxy setups Add a new policy Follow these steps to add a new outgoing policy Step 1
122. sers Groups Leave source and or destination blank to match everything Service Al Di Custom source ports Blank any port destination ports Schedule Always Intrusion Detection 7 Prevention Mode Alerting Enable IDS IDP alerting via email for this rule y Delete this rule 2o 9 Apply Cancel Help To disable the default general allow all rule Navigate to the Firewall tab Policy section of the web administration Select the appropriate policy based on desired effect LAN gt WAN or DMZ gt WAN Click Edit next to the default allow all rule 138 Check the check box next to delete this rule Click Apply Edit new rule Name dns_out Position Moves before given position Blank last Action Allow Source Nets Users Groups Any Destination Nets Users Groups Service Custom source ports Blank any port destination ports Schedule Always ze Intrusion Detection Prevention Mode Alerting Enable IDS IDP alerting via email for this rule Any authenticated authenticated O CO CA Apply Cancel Help To allow DNS queries to pass through Navigate to the Firewall tab Policy section of the web administration Select the appropriate policy based on desired effect LAN gt WAN or DMZ gt WAN Click Add New at the bottom of the list Give the rule a fr
123. sired level of encryption key MPPE is used with PPTP A selection of None means that data will be sent over the PPP link unencrypted Require IPSec encryption If configuring for L2TP you most likely will be using IPSec instead of MPPE for data encryption To use IPSec enable the checkbox and select PSK or Certificate Authentication Protocol 7 No auth M pap M ar M MSCHAP MPPE encryption possible M MSCHAPv2 MMPE encryption possible MPPE encryption None M 40bit M 56 bit r bit on is only possible when using MSCHAP or MSCHAP v2 a authentication I Use IPsec encryption PSK Pre Shared Key Key Retype key Certificate based Local Identity Admin CN 000F3D10FC27 Certificates a Use ctrl shift click to select mu To use ID lists bi Identity List Io ist gt L2TP PPTP Servers Settings for L2TP PPTP e S L2TP PPTP Servers Server Configuration Add L2TP tunnel Name Specifies a name for this Name RRTELATP Server Outer IP P Blank WAN IP Outer IP Specifies the IP that Must be WAN IP if IPsec encryption is required the PPTP L2TP server should Inner IP Blank LAN IP listen on leave it Blank for the ENEE WAN IP Client IP Pool Ion uuuu Inner IP Specifies the internal Pima DNS GD Optional IP of the VPN tunnel Leave this Seconday DNS EE Optional field Blank for the LAN IP Eu Use unit s own DNS relayer addresses IP Pool and settings
124. table downloads Once finished editing the Blacklist click Apply to save changes or Cancel to clear Additional Content Filters The Firewall can also filter Java Applets Java VB Script ActiveX objects and or cookies from reaching the PCs behind the NetDefend Firewall These content categories do not require configuration other than enable or disable Active content handling Strip Activex objects including Flash Strip Java applets Strip Javascript VB Script Block Cookies Navigate to the Firewall tab Content Filtering section of the web administration Click the check box next to each filter you would like to enable Once finished selecting additional filters click Apply to save changes or Cancel to clear HTTP Rule using the HTTP ALG Now that the content to be filtered has been decided on a rule needs to be configured for each interface that this filtering should be applied to utilizing the HTTP ALG This will require a rework of the default outbound policy to eliminate the chance of unfiltered HTTP traffic passing through the Firewall The idea is to remove the most general allow rule and configure rules to allow essential services such as DNS as well as HTTP to pass the Firewall Edit allow_standard tule 4 Name allow_standard Position 4 Moves before given position Blank last Action Allow w Source Nets Users Groups Any Any authenticated Destination Nets Any authenticated U
125. tacle Do not use more than 110 120VAC to power the device doing so will damage the unit Power Switch on rear of unit Use the Power switch to turn the DFL 1100 off and on Package Contents pFl 1100 pink Contents of Package e D Link DFL 1100 Firewall e Manual and CD e Installation Guide e PC Power cable e Straight through CAT 5 cable e RS 232 Null Modem Cable If any of the above items are missing please contact your reseller System Requirements e Computer running Microsoft Windows Macintosh OS or a UNIX based operating system with an installed Ethernet adapter configured to communicate using TCP IP e Internet Explorer or Netscape Navigator version 6 0 or above with JavaScript enabled 10 Managing D Link DFL 1100 When a change is made to the configuration D Link a new icon named EACS DFL 1100 Network Security Firewall Activate Changes will appear When all Firewall Servers Tools Status Hel e Firewall __Servers___Tools__Status_Help__ changes made by the S administrator are ee ye com lete those changes Administration Press Activate Changes below to save your changes and have them take effect nee Se to be saved and acedertaly keked gourset cot end rover tote previous coniguation activated to take effect by Wait for admin login for 7 minute 2 before reverting A LAN o clicking on the Activate jase Changes button on the Activate Configuration Chan
126. tering Edit Destination URL Global Blacklist The URL blacklist can be used to deny access to complete sites to file types by extension or to URLs with certain words in them Use e g example org to disallow access to an entire site Blank lines and lines beginning with are ignored Schedules DEER Services VPN Certificates D z e oO CO Apply Cancel Help Note For HTTP URL filtering to work all HTTP traffic needs to go through a policy using a service with the HTTP ALG A pre defined HTTP outbound TCP All gt 80 ALG http cf max 100 service is provided to simplify the configuration of HTTP Content Filtering Refer to Appendix D for more detailed information on configuration of HTTP Content Filtering Active content handling Active content handling can be enabled or disabled by checking the checkbox before each type you would like to strip For example to strip ActiveX and Flash enable the checkbox named Strip ActiveX objects It is possible to strip ActiveX Flash Java JavaScript and VBScript It is also possible to block cookies Note For HTTP URL filtering to work all HTTP traffic needs to go through a policy using a service with the HTTP ALG A pre defined HTTP outbound TCP All gt 80 ALG http cf max 100 service is provided to simplify the configuration of HTTP Content Filtering Refer to Appendix D for more detailed
127. the firewall connecting to 192 168 10 1 on port 135 is dropped The protocol used is TCP 82 CONN events These events are generated if auditing has been enabled One event will be generated when a connection is established This event will include information about the protocol receiving interface source IP address source port destination interface destination IP address and destination port Open Example Oct 20 2003 09 47 56 gateway EFW CONN prio 1 rule Rule_8 conn open connipproto TCP connrecvif lan connsrcip 192 168 0 10 connsrcport 3179 conndestif wan conndestip 64 7 210 132 conndestport 80 In this line traffic from 192 168 0 10 on the LAN interface is connecting to 64 7 210 132 on port 80 on the WAN side of the firewall internet Another event is generated when the connection is closed The information included in the event is the same as in the event sent when the connection was opened with the exception that statistics regarding sent and received traffic is also included Close Example Oct 20 2003 09 48 05 gateway EFW CONN prio 1 rule Rule_8 conn close connipproto TCP connrecvif lan connsrcip 192 168 0 10 connsrcport 3179 conndestif wan conndestip 64 7 210 132 conndestport 80 origsent 62 termsent 60 In this line the connection in the other example is closed Step by Step Guides The following guides make use of example IP Addresses users sites and passwords You will have to exchange the example inf
128. tiation This can be accomplished in a number of ways by using the IPSec protocol ESP To set up an IPSec Virtual Private Network VPN you do not need to configure an Access Policy to enable encryption Just fill in the following settings VPN Name Source Subnet Local Net Destination Gateway If LAN to LAN Destination Subnet If LAN to LAN and Authentication Method Pre shared key or Certificate The firewalls on both ends must use the same Pre shared key or set of Certificates and IPSec lifetime to make a VPN connection Introduction to PPTP PPTP Point to Point Tunneling Protocol jointly developed by Microsoft US Robotics and various other remote access companies known collectively as the PPTP Forum is used to provide IP security at the network layer A PPTP based VPN is made up by these parts e Point to Point Protocol PPP e Authentication Protocols PAP CHAP MS CHAP v1 MS CHAP v2 e Microsoft Point To Point Encryption MPPE e Generic Routing Encapsulation GRE PPTP uses TCP port 1723 for it s control connection and uses GRE IP protocol 47 for the PPP data PPTP supports data encryption by using MPPE 54 Introduction to L2TP L2TP Layer 2 Tunneling Protocol a combination of Microsoft s PPTP and Cisco s L2F Layer 2 Forwarding is used to provide IP security at the network layer An L2TP based VPN is made up by these parts e Point to Point Protocol PPP e Authentication Protocols PAP CHAP MS CHAP
129. tion of the product Software will substantially conform to D Link s then current functional specifications for the Software as set forth in the applicable documentation from the date of original retail purchase of the Software for a period of ninety 90 days Warranty Period provided that the Software is properly installed on approved hardware and operated as contemplated in its documentation D Link further warrants that during the Warranty Period the magnetic media on which D Link delivers the Software will be free of physical defects D Link s sole obligation shall be to replace the non conforming Software or defective media with software that substantially conforms to D Link s functional specifications for the Software or to refund at D Link s sole discretion Except as otherwise agreed by D Link in writing the replacement Software is provided only to the original licensee and is subject to the terms and conditions of the license granted by D Link for the Software Software will be warranted for the remainder of the original Warranty Period from the date or original retail purchase If a material non conformance is incapable of correction or if D Link determines in its sole discretion that it is not practical to replace the non conforming Software the price paid by the original licensee for the non conforming Software will be refunded by D Link provided that the non conforming Software and all copies thereof is first re
130. to the received packet Leave this blank to match everything Source Users Groups Specifies if an authenticated username is needed for this policy to match Simply make a list of usernames separated by commas specify an entire user group or write Any to indicate all authenticated users to enable authentication on this policy If it is left blank there is no need for authentication for the policy Destination Nets Specifies the span of IP addresses to be compared to the destination IP of the received packet Leave this blank to match everything Destination Users Groups Specifies if an authenticated username is needed for this policy to match Either make a list of usernames separated by a comma or write Any for any authenticated user If it is left blank there is no need for authentication for the policy Service Filter Either choose a predefined service from the dropdown menu or make a custom service The following custom services exist All Matches all protocols TCP UDP ICMP This service matches all ports on either the TCP or the UDP protocol including ICMP Custom TCP This service is based on the TCP protocol Custom UDP This service is based on the UDP protocol Custom TCP UDP This service uses both the TCP and UDP protocols The following is used when making a custom service Custom source destination ports For many services a single destination port is sufficient The source port used m
131. turned to D Link The license granted respecting any Software for which a refund is given automatically terminates Non Applicability of Warranty The Limited Warranty provided hereunder for hardware and software of D Link s products will not be applied to and does not cover any refurbished product and any product purchased through the inventory clearance or liquidation sale or other sales in which D Link the sellers or the liquidators expressly disclaim their warranty obligation pertaining to the product and in that case the product is being sold As ls without any warranty whatsoever including without limitation the Limited Warranty as described herein notwithstanding anything stated herein to the contrary Submitting A Claim The customer shall return the product to the original purchase point based on its return policy In case the return policy period has expired and the product is within warranty the customer shall submit a claim to D Link as outlined below The customer must submit with the product as part of the claim a written description of the Hardware defect or Software nonconformance in sufficient detail to allow D Link to confirm the same The original product owner must obtain a Return Material Authorization RMA number from the Authorized D Link Service Office and if requested provide written proof of purchase of the product such as a copy of the dated purchase invoice for the product before the warranty service is prov
132. ty for the Product s is defined as follows Hardware excluding power supplies and fans One 1 Year Power Supplies and Fans One 1 Year Spare parts and spare kits Ninety 90 days D Link s sole obligation shall be to repair or replace the defective Hardware during the Warranty Period at no charge to the original owner or to refund at D Link s sole discretion Such repair or replacement will be rendered by D Link at an Authorized D Link Service Office The replacement Hardware need not be new or have an identical make model or part D Link may in its sole discretion replace the defective Hardware or any part thereof with any reconditioned product that D Link reasonably determines is substantially equivalent or superior in all material respects to the defective Hardware Repaired or replacement Hardware will be warranted for the remainder of the original Warranty Period from the date of original retail purchase If a material defect is incapable of correction or if D Link determines in its sole discretion that it is not practical to repair or replace the defective Hardware the price paid by the original purchaser for the defective Hardware will be refunded by D Link upon return to D Link of the defective Hardware All Hardware or part thereof that is replaced by D Link or for which the purchase price is refunded shall become the property of D Link upon replacement or refund Limited Software Warranty D Link warrants that the software por
133. unication with RFC792 Destination Host is Administratively Prohibited 11 Destination Network RFC792 Unreachable for Type of Service 12 Destination Host Unreachable RFC792 for Type of Service 13 Communication RFC1812 Administratively Prohibited 14 Host Precedence Violation RFC1812 15 Precedence cutoff in effect RFC1812 4 Source Quench 0 No Code RFC792 5 Redirect 0 Redirect Datagram for the RFC792 Network or subnet 10 11 12 13 14 15 16 17 18 30 31 40 Echo Router Advertisement Router Selection Time Exceeded Parameter Problem Timestamp Timestamp Reply Information Request Information Reply Address Mask Request Address Mask Reply Traceroute Datagram Error Photuris Conversion O O O O O O N a O A OO N 5 Redirect Datagram for the Host Redirect Datagram for the Type of Service and Network Redirect Datagram for the Type of Service and Host No Code Normal router advertisement Does not route common traffic No Code Time to Live exceeded in Transit Fragment Reassembly Time Exceeded Pointer indicates the error Missing a Required Option Bad Length No Code No Code No Code No Code No Code No Code Bad SPI Authentication Failed Decompression Failed Decryption Failed Need Authentication Need Authorization Source http www iana org assignments icmp parameters 124 RFC792 RFC792 RFC792 RFC792 RFC1256 RFC2002 RFC1256 RFC792 RFC792
134. urity functions based on the type of application or type of port that is being used For example a firewall can be configured to work with an FTP or Telnet server Or a firewall can be configured to work with specific UDP or TCP ports to allow certain applications or games to work properly over the Internet Introduction to Local Area Networking Local Area Networking LAN is the term used when connecting several computers together over a small area such as a building or group of buildings LANs can be connected over large areas A collection of LANs connected over a large area is called a Wide Area Network WAN A LAN consists of multiple computers connected to each other There are many types of media that can connect computers together The most common media is CAT5 cable UTP or STP twisted pair wire On the other hand wireless networks do not use wires instead they communicate over radio waves Each computer must have a Network Interface Card NIC which communicates the data between computers A NIC is usually a 10Mbps network card or 10 100Mbps network card or a wireless network card Most networks use hardware devices such as hubs or switches that each cable can be connected to in order to continue the connection between computers A hub simply takes any data arriving through each port and forwards the data to all other ports A switch is more sophisticated in that a switch can determine the destination port for a specific piece of d
135. uthenticated Leave source and or destination blank to match everything Service pop3 L Custom source ports Blank any port destination ports Schedule Always zs We dont want any Intrusion detection for now so leave this option unchecked Click Apply 5 The first policy rule is now created Repeat step 4 to create services named allow_imap allow_ftp and allow_http The services for these policies should be imap ftp_passthrough and http respectively The policy list for LAN gt toMainOffice should now look like this LAN gt toMainOffice Policy Name Action Source Destination Service Move 1 don pop Allow Any Any pop3 A Edt 2 allow_imap Allow Any Any imap BY Edit Q 3 allow_ftp Allow Any Any ftp passthrough BY Edi T 4 allow_http Allow Any Any http t Edit a Add new S S If no rule matches the connection will be denied and logged 6 Click Activate and wait for the firewall to restart 104 Settings for Main office 1 Setup policies for the new tunnel Firewall gt Policy Click Global policy parameters Disable Allow all VPN traffic internal gt VPN VPN gt internal and VPN gt VPN Click Apply 2 Now it is possible to create policies for the VPN interfaces Select from toBranchOffice to LAN and click Show e LAN gt DMZ policy 3 rules e DM2Z gt LAN policy 0 rules e WAN gt DMZ policy 0 rules e DMZ gt WAN policy 4 rules NAT enabled Custom policy to
136. vents Select sensitivity Normal Enter SMTP server IP email server 192 168 2 4 Enter sender idsalert examplecompany com Enter E mail address 1 webmaster examplecompany com Enter E mail address 2 steve examplecompany com Click Apply 4 Click Activate and wait for the firewall to restart When attacks are stopped by the firewall it will listed in the logs Since we enabled email alerting in this example emails will also be sent to the users webmaster and steve In this example we used the prevention mode This means that the firewall will block all attacks In Inspection only mode nothing will be blocked the firewall will only log the attacks and send email alerts if that is enabled 122 Appendixes Appendix A ICMP Types and Codes The Internet Control Message Protocol ICMP has many messages that are identified by a type field many of these ICMP types have a code field Here we list the types with their assigned code fields Type Name Code Description Reference 0 Echo Reply 0 No Code RFC792 3 Destination Unreachable 0 Net Unreachable RFC792 1 Host Unreachable RFC792 2 Protocol Unreachable RFC792 3 Port Unreachable RFC792 4 Fragmentation Needed and RFC792 Don t Fragment was Set 5 Source Route Failed RFC792 6 Destination Network Unknown RFC792 7 Destination Host Unknown RFC792 8 Source Host Isolated RFC792 9 Communication with RFC792 Destination Network is Administratively Prohibited 10 Comm
137. y add a route for the remote network Proxy ARP 7 Publish remote network on all interfaces via Proxy ARP _ C Pass username and password to peer via IKE XAuth if the remote gateway requires it Auth Username xAuth Password Remote Net 192 168 1 0 24 Remote Gateway 194 0 2 20 Enable Automatically add a route for the remote network IKE Auth client Click Apply 3 Setup policies for the new tunnel Firewall gt Policy Click Global policy parameters Firewall Policy Edit global policy parameters Fragments Drop all fragmented packets Minimum TTL 3 YPN Allow all YPN traffic internal gt PN VPN gt internal and V PN gt VPN Enable Allow all VPN traffic internal gt VPN VPN gt internal and VPN gt VPN Click Apply 4 Click Activate and wait for the firewall to restart Changes pee 86 Settings for Main office 1 Setup interfaces System gt Interfaces WAN IP 194 0 2 20 LAN IP 192 168 1 1 Subnet mask 255 255 255 0 2 Setup IPSec tunnel Firewall gt VPN Under IPSec tunnels click add new Name the tunnel ToBranchOffice Local net 192 168 1 0 24 Add IPsec tunnel Name toBranchOffice Local Net 192 168 1 0 24 Authentication PSK Pre Shared Key PSK Retype PSK PSK 1234567890 Note You should use a key that is hard to guess Retype PSK 1234567890 Select Tunnel type LAN to LAN tunnel LAN to LAN tunnel Remote Net 192
138. y matching is performed Content Filtering DFL 1100 HTTP content filtering may be configured to scan all HTTP protocol streams for URLs or for potentially dangerous Web page content If a match is found between the requested URL and the URL Blacklist the DFL 1100 will block the Web page You can configure the URL Blacklist to block all or just some of the pages on a website Using this feature one may deny access to parts of a website without denying access to it completely HTTP content filtering may also be configured to strip potentially dangerous content such as ActiveX objects Flash objects Java and cookies There is also a URL Whitelist to explicitly define URLs that should be excluded from all Content Filtering URLs in this list will not be stripped of ActiveX Java Flash or cookies Note For HTTP URL filtering to work all HTTP traffic needs to go through a policy using a service with the HTTP ALG Content Filtering rules will not apply to HTTPS streams A pre defined HTTP outbound TCP All gt 80 ALG http cf max 100 service is provided to simplify the configuration of HTTP Content Filtering Refer to Appendix D for more detailed information on configuration of HTTP Content Filtering Edit the URL Global Whitelist Follow these steps to add or remove a URL D Link Building Networks for People DFL 1100 Network Security Firewall Servers _Tools Status Help HTTP Content F
139. you can upload a previously downloaded backup file REDNI Browse Upload configuration Exporting the DFL 1100 s Configuration Follow these steps to export the configuration Step 1 Under the Tools menu and the Backup section click on the Download configuration button Step 2 When the File Download pop up window appears choose the destination place in which to save the exported file The Administrator may choose to rename the file if preferred Restoring the DFL 1100 s Configuration Follow these steps to restore the configuration Step 1 Under the Tools menu and the Backup section click on the Browse button next to the empty field When the Choose File pop up window appears select the file that contains the saved firewall settings click OK Step 2 Click Upload Configuration to import the file into the firewall Restart Reset D Link Building Networks for People DFL 1100 Network Security Firewall System Firewall Servers Status Help Restart 7 Reset Restart Quick restart reset interfaces and re read configuration C Full restart restart from power on state Restart unit Reset to factory defaults You can restore the unit to factory defaults This means that all configuration parameters will be wiped and all firmware upgrades removed On the next start up its LAN IP address will be 192 168 1 1 and the web GUI will begin with the setup wizard It wil
Download Pdf Manuals
Related Search