D-Link 210, 260, 2560G, 860, 1660 User Manual

0 (0)

NETWORK SECURITY FIREWALL

USER MANUAL

DFL-210/ 800/1600/ 2500

DFL-260/ 860/1660/ 2560(G)

SECURITYSECURITY

VER 2.27.01

NETWORK SECURITY SOLUTION http://www.dlink.com

User Manual

DFL-210/260/800/860/1600/1660/2500/2560/2560G

NetDefendOS Version 2.27.01

D-Link Corporation

No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C.

http://www.DLink.com

Published 2010-06-22

User Manual

DFL-210/260/800/860/1600/1660/2500/2560/2560G

NetDefendOS Version 2.27.01

Published 2010-06-22

This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manual, nor any of the material contained herein, may be reproduced without the written consent of D-Link.

Disclaimer

The information in this document is subject to change without notice. D-Link makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for a particular purpose. D-Link reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such revision or changes.

Limitations of Liability

UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER (E.G. DAMAGES FOR LOSS OF PROFIT, SOFTWARE RESTORATION, WORK STOPPAGE, LOSS OF SAVED DATA OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES) RESULTING FROM THE APPLICATION OR IMPROPER USE OF THE D-LINK PRODUCT OR FAILURE OF THE PRODUCT, EVEN IF D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE PRODUCT.

Table of Contents
Preface ...............................................................................................................	14
1. NetDefendOS Overview ....................................................................................	16
1.1. Features ................................................................................................	16
1.2. NetDefendOS Architecture ......................................................................	19
1.2.1. State-based Architecture ...............................................................	19
1.2.2. NetDefendOS Building Blocks .......................................................	19
1.2.3. Basic Packet Flow ........................................................................	20
1.3. NetDefendOS State Engine Packet Flow .....................................................	23
2. Management and Maintenance ............................................................................	28
2.1. Managing NetDefendOS ..........................................................................	28
2.1.1. Overview ...................................................................................	28
2.1.2. The Default Administrator Account .................................................	29
2.1.3. The Web Interface .......................................................................	29
2.1.4. The CLI .....................................................................................	33
2.1.5. CLI Scripts .................................................................................	41
2.1.6. Secure Copy ...............................................................................	45
2.1.7. The Console Boot Menu ...............................................................	47
2.1.8. Management Advanced Settings .....................................................	48
2.1.9. Working with Configurations .........................................................	49
2.2. Events and Logging ................................................................................	55
2.2.1. Overview ...................................................................................	55
2.2.2. Log Messages .............................................................................	55
2.2.3. Creating Log Receivers .................................................................	56
2.2.4. Logging to MemoryLogReceiver ....................................................	56
2.2.5. Logging to Syslog Hosts ...............................................................	56
2.2.6. SNMP Traps ...............................................................................	58
2.2.7. Advanced Log Settings .................................................................	59
2.3. RADIUS Accounting ..............................................................................	60
2.3.1. Overview ...................................................................................	60
2.3.2. RADIUS Accounting Messages ......................................................	60
2.3.3. Interim Accounting Messages ........................................................	62
2.3.4. Activating RADIUS Accounting .....................................................	62
2.3.5. RADIUS Accounting Security ........................................................	62
2.3.6. RADIUS Accounting and High Availability ......................................	62
2.3.7. Handling Unresponsive Servers ......................................................	63
2.3.8. Accounting and System Shutdowns .................................................	63
2.3.9. Limitations with NAT ...................................................................	63
2.3.10. RADIUS Advanced Settings ........................................................	63
2.4. Hardware Monitoring ..............................................................................	65
2.5. SNMP Monitoring ..................................................................................	67
2.5.1. SNMP Advanced Settings .............................................................	68
2.6. The pcapdump Command ........................................................................	70
2.7. Maintenance ..........................................................................................	73
2.7.1. Auto-Update Mechanism ...............................................................	73
2.7.2. Backing Up Configurations ...........................................................	73
2.7.3. Restore to Factory Defaults ............................................................	74
3. Fundamentals ...................................................................................................	77
3.1. The Address Book ..................................................................................	77
3.1.1. Overview ...................................................................................	77
3.1.2. IP Addresses ...............................................................................	77
3.1.3. Ethernet Addresses .......................................................................	79
3.1.4. Address Groups ...........................................................................	80
3.1.5. Auto-Generated Address Objects ....................................................	81
3.1.6. Address Book Folders ...................................................................	81
3.2. Services ................................................................................................	82
3.2.1. Overview ...................................................................................	82
3.2.2. Creating Custom Services ..............................................................	83

	User Manual
3.2.3. ICMP Services ............................................................................	86
3.2.4. Custom IP Protocol Services ..........................................................	88
3.2.5. Service Groups ............................................................................	88
3.2.6. Custom Service Timeouts ..............................................................	89
3.3. Interfaces ..............................................................................................	90
3.3.1. Overview ...................................................................................	90
3.3.2. Ethernet Interfaces .......................................................................	92
3.3.3. VLAN .......................................................................................	97
3.3.4. PPPoE .....................................................................................	101
3.3.5. GRE Tunnels ............................................................................	103
3.3.6. Interface Groups ........................................................................	107
3.4. ARP ..................................................................................................	108
3.4.1. Overview .................................................................................	108
3.4.2. The NetDefendOS ARP Cache .....................................................	108
3.4.3. Creating ARP Objects .................................................................	110
3.4.4. Using ARP Advanced Settings .....................................................	112
3.4.5. ARP Advanced Settings Summary ................................................	113
3.5. IP Rule Sets ........................................................................................	116
3.5.1. Security Policies ........................................................................	116
3.5.2. IP Rule Evaluation .....................................................................	118
3.5.3. IP Rule Actions .........................................................................	119
3.5.4. Editing IP rule set Entries ............................................................	120
3.5.5. IP Rule Set Folders ....................................................................	121
3.5.6. Configuration Object Groups .......................................................	122
3.6. Schedules ...........................................................................................	126
3.7. Certificates .........................................................................................	128
3.7.1. Overview .................................................................................	128
3.7.2. Certificates in NetDefendOS ........................................................	129
3.7.3. CA Certificate Requests ..............................................................	130
3.8. Date and Time .....................................................................................	132
3.8.1. Overview .................................................................................	132
3.8.2. Setting Date and Time ................................................................	132
3.8.3. Time Servers ............................................................................	133
3.8.4. Settings Summary for Date and Time ............................................	136
3.9. DNS ..................................................................................................	139
4. Routing .........................................................................................................	142
4.1. Overview ............................................................................................	142
4.2. Static Routing ......................................................................................	143
4.2.1. The Principles of Routing ............................................................	143
4.2.2. Static Routing ...........................................................................	147
4.2.3. Route Failover ..........................................................................	151
4.2.4. Host Monitoring for Route Failover ...............................................	154
4.2.5. Advanced Settings for Route Failover ............................................	156
4.2.6. Proxy ARP ...............................................................................	157
4.3. Policy-based Routing ............................................................................	160
4.3.1. Overview .................................................................................	160
4.3.2. Policy-based Routing Tables ........................................................	160
4.3.3. Policy-based Routing Rules .........................................................	160
4.3.4. Routing Table Selection ..............................................................	161
4.3.5. The Ordering parameter ..............................................................	161
4.4. Route Load Balancing ...........................................................................	165
4.5. OSPF .................................................................................................	171
4.5.1. Dynamic Routing .......................................................................	171
4.5.2. OSPF Concepts .........................................................................	174
4.5.3. OSPF Components .....................................................................	179
4.5.4. Dynamic Routing Rules ..............................................................	185
4.5.5. Setting Up OSPF .......................................................................	188
4.5.6. An OSPF Example .....................................................................	191
4.6. Multicast Routing .................................................................................	194
4.6.1. Overview .................................................................................	194
4.6.2. Multicast Forwarding with SAT Multiplex Rules .............................	195
4.6.3. IGMP Configuration ..................................................................	199
4.6.4. Advanced IGMP Settings ............................................................	204

	User Manual
4.7. Transparent Mode ................................................................................	207
4.7.1. Overview .................................................................................	207
4.7.2. Enabling Internet Access .............................................................	211
4.7.3. Transparent Mode Scenarios ........................................................	213
4.7.4. Spanning Tree BPDU Support ......................................................	217
4.7.5. Advanced Settings for Transparent Mode .......................................	218
5. DHCP Services ..............................................................................................	223
5.1. Overview ............................................................................................	223
5.2. DHCP Servers .....................................................................................	224
5.2.1. Static DHCP Hosts .....................................................................	227
5.2.2. Custom Options .........................................................................	228
5.3. DHCP Relaying ...................................................................................	230
5.3.1. DHCP Relay Advanced Settings ...................................................	231
5.4. IP Pools ..............................................................................................	233
6. Security Mechanisms .......................................................................................	237
6.1. Access Rules .......................................................................................	237
6.1.1. Overview .................................................................................	237
6.1.2. IP Spoofing ..............................................................................	238
6.1.3. Access Rule Settings ..................................................................	238
6.2. ALGs .................................................................................................	240
6.2.1. Overview .................................................................................	240
6.2.2. The HTTP ALG ........................................................................	241
6.2.3. The FTP ALG ...........................................................................	244
6.2.4. The TFTP ALG .........................................................................	253
6.2.5. The SMTP ALG ........................................................................	254
6.2.6. The POP3 ALG .........................................................................	263
6.2.7. The PPTP ALG .........................................................................	264
6.2.8. The SIP ALG ............................................................................	265
6.2.9. The H.323 ALG ........................................................................	275
6.2.10. The TLS ALG .........................................................................	289
6.3. Web Content Filtering ...........................................................................	292
6.3.1. Overview .................................................................................	292
6.3.2. Active Content Handling .............................................................	292
6.3.3. Static Content Filtering ...............................................................	293
6.3.4. Dynamic Web Content Filtering ...................................................	295
6.4. Anti-Virus Scanning .............................................................................	309
6.4.1. Overview .................................................................................	309
6.4.2. Implementation .........................................................................	309
6.4.3. Activating Anti-Virus Scanning ....................................................	310
6.4.4. The Signature Database ..............................................................	311
6.4.5. Subscribing to the D-Link Anti-Virus Service .................................	311
6.4.6. Anti-Virus Options .....................................................................	311
6.5. Intrusion Detection and Prevention ..........................................................	315
6.5.1. Overview .................................................................................	315
6.5.2. IDP Availability for D-Link Models ..............................................	315
6.5.3. IDP Rules .................................................................................	317
6.5.4. Insertion/Evasion Attack Prevention ..............................................	318
6.5.5. IDP Pattern Matching .................................................................	319
6.5.6. IDP Signature Groups .................................................................	320
6.5.7. IDP Actions ..............................................................................	322
6.5.8. SMTP Log Receiver for IDP Events ..............................................	322
6.6. Denial-of-Service Attack Prevention ........................................................	326
6.6.1. Overview .................................................................................	326
6.6.2. DoS Attack Mechanisms .............................................................	326
6.6.3. Ping of Death and Jolt Attacks .....................................................	326
6.6.4. Fragmentation overlap attacks: Teardrop, Bonk, Boink and Nestea ......	327
6.6.5. The Land and LaTierra attacks .....................................................	327
6.6.6. The WinNuke attack ...................................................................	327
6.6.7. Amplification attacks: Smurf, Papasmurf, Fraggle ...........................	328
6.6.8. TCP SYN Flood Attacks .............................................................	329
6.6.9. The Jolt2 Attack ........................................................................	329
6.6.10. Distributed DoS Attacks ............................................................	329
6.7. Blacklisting Hosts and Networks .............................................................	331

	User Manual
7. Address Translation ........................................................................................	334
7.1. Overview ............................................................................................	334
7.2. NAT ..................................................................................................	335
7.3. NAT Pools ..........................................................................................	340
7.4. SAT ...................................................................................................	343
7.4.1. Translation of a Single IP Address (1:1) .........................................	343
7.4.2. Translation of Multiple IP Addresses (M:N) ....................................	348
7.4.3. All-to-One Mappings (N:1) .........................................................	350
7.4.4. Port Translation .........................................................................	350
7.4.5. Protocols Handled by SAT ..........................................................	351
7.4.6. Multiple SAT Rule Matches .........................................................	351
7.4.7. SAT and FwdFast Rules ..............................................................	352
8. User Authentication ........................................................................................	355
8.1. Overview ............................................................................................	355
8.2. Authentication Setup .............................................................................	357
8.2.1. Setup Summary .........................................................................	357
8.2.2. The Local Database ....................................................................	357
8.2.3. External RADIUS Servers ...........................................................	359
8.2.4. External LDAP Servers ...............................................................	359
8.2.5. Authentication Rules ..................................................................	366
8.2.6. Authentication Processing ...........................................................	368
8.2.7. A Group Usage Example .............................................................	369
8.2.8. HTTP Authentication .................................................................	369
8.3. Customizing HTML Pages .....................................................................	373
9. VPN .............................................................................................................	377
9.1. Overview ............................................................................................	377
9.1.1. VPN Usage ...............................................................................	377
9.1.2. VPN Encryption ........................................................................	378
9.1.3. VPN Planning ...........................................................................	378
9.1.4. Key Distribution ........................................................................	379
9.1.5. The TLS Alternative for VPN ......................................................	379
9.2. VPN Quick Start ..................................................................................	381
9.2.1. IPsec LAN to LAN with Pre-shared Keys .......................................	382
9.2.2. IPsec LAN to LAN with Certificates .............................................	383
9.2.3. IPsec Roaming Clients with Pre-shared Keys ..................................	384
9.2.4. IPsec Roaming Clients with Certificates .........................................	386
9.2.5. L2TP Roaming Clients with Pre-Shared Keys .................................	387
9.2.6. L2TP Roaming Clients with Certificates ........................................	388
9.2.7. PPTP Roaming Clients ...............................................................	389
9.3. IPsec Components ................................................................................	391
9.3.1. Overview .................................................................................	391
9.3.2. Internet Key Exchange (IKE) .......................................................	391
9.3.3. IKE Authentication ....................................................................	397
9.3.4. IPsec Protocols (ESP/AH) ...........................................................	398
9.3.5. NAT Traversal ..........................................................................	399
9.3.6. Algorithm Proposal Lists .............................................................	401
9.3.7. Pre-shared Keys ........................................................................	402
9.3.8. Identification Lists .....................................................................	403
9.4. IPsec Tunnels ......................................................................................	406
9.4.1. Overview .................................................................................	406
9.4.2. LAN to LAN Tunnels with Pre-shared Keys ...................................	408
9.4.3. Roaming Clients ........................................................................	408
9.4.4. Fetching CRLs from an alternate LDAP server ................................	413
9.4.5. Troubleshooting with ikesnoop .....................................................	414
9.4.6. IPsec Advanced Settings .............................................................	421
9.5. PPTP/L2TP .........................................................................................	425
9.5.1. PPTP Servers ............................................................................	425
9.5.2. L2TP Servers ............................................................................	426
9.5.3. L2TP/PPTP Server advanced settings ............................................	430
9.5.4. PPTP/L2TP Clients ....................................................................	431
9.6. CA Server Access ................................................................................	434
9.7. VPN Troubleshooting ...........................................................................	437
9.7.1. General Troubleshooting .............................................................	437

	User Manual
9.7.2. Troubleshooting Certificates ........................................................	437
9.7.3. IPsec Troubleshooting Commands ................................................	438
9.7.4. Management Interface Failure with VPN ........................................	439
9.7.5. Specific Error Messages ..............................................................	439
9.7.6. Specific Symptoms ....................................................................	442
10. Traffic Management ......................................................................................	444
10.1. Traffic Shaping ..................................................................................	444
10.1.1. Overview ................................................................................	444
10.1.2. Traffic Shaping in NetDefendOS .................................................	445
10.1.3. Simple Bandwidth Limiting .......................................................	447
10.1.4. Limiting Bandwidth in Both Directions ........................................	448
10.1.5. Creating Differentiated Limits Using Chains .................................	449
10.1.6. Precedences ............................................................................	450
10.1.7. Pipe Groups ............................................................................	455
10.1.8. Traffic Shaping Recommendations ..............................................	458
10.1.9. A Summary of Traffic Shaping ...................................................	459
10.1.10. More Pipe Examples ...............................................................	460
10.2. IDP Traffic Shaping ............................................................................	465
10.2.1. Overview ................................................................................	465
10.2.2. Setting Up IDP Traffic Shaping ..................................................	465
10.2.3. Processing Flow .......................................................................	466
10.2.4. The Importance of Specifying a Network ......................................	466
10.2.5. A P2P Scenario ........................................................................	467
10.2.6. Viewing Traffic Shaping Objects ................................................	468
10.2.7. Guaranteeing Instead of Limiting Bandwidth .................................	469
10.2.8. Logging .................................................................................	469
10.3. Threshold Rules .................................................................................	470
10.3.1. Overview ................................................................................	470
10.3.2. Limiting the Connection Rate/Total Connections ...........................	470
10.3.3. Grouping ................................................................................	471
10.3.4. Rule Actions ...........................................................................	471
10.3.5. Multiple Triggered Actions ........................................................	471
10.3.6. Exempted Connections ..............................................................	471
10.3.7. Threshold Rules and ZoneDefense ..............................................	471
10.3.8. Threshold Rule Blacklisting .......................................................	471
10.4. Server Load Balancing ........................................................................	473
10.4.1. Overview ................................................................................	473
10.4.2. SLB Distribution Algorithms ......................................................	474
10.4.3. Selecting Stickiness ..................................................................	475
10.4.4. SLB Algorithms and Stickiness ...................................................	476
10.4.5. Server Health Monitoring ..........................................................	477
10.4.6. Setting Up SLB_SAT Rules ........................................................	478
11. High Availability ..........................................................................................	482
11.1. Overview ..........................................................................................	482
11.2. HA Mechanisms .................................................................................	484
11.3. Setting Up HA ...................................................................................	487
11.3.1. HA Hardware Setup .................................................................	487
11.3.2. NetDefendOS Manual HA Setup .................................................	488
11.3.3. Verifying the Cluster Functions ..................................................	489
11.3.4. Unique Shared Mac Addresses ...................................................	490
11.4. HA Issues .........................................................................................	491
11.5. Upgrading an HA Cluster .....................................................................	493
11.6. HA Advanced Settings ........................................................................	495
12. ZoneDefense ................................................................................................	497
12.1. Overview ..........................................................................................	497
12.2. ZoneDefense Switches .........................................................................	498
12.3. ZoneDefense Operation .......................................................................	499
12.3.1. SNMP ....................................................................................	499
12.3.2. Threshold Rules .......................................................................	499
12.3.3. Manual Blocking and Exclude Lists .............................................	499
12.3.4. ZoneDefense with Anti-Virus Scanning ........................................	501
12.3.5. Limitations .............................................................................	501
13. Advanced Settings .........................................................................................	504

	User Manual
13.1. IP Level Settings ................................................................................	504
13.2. TCP Level Settings .............................................................................	508
13.3. ICMP Level Settings ...........................................................................	513
13.4. State Settings .....................................................................................	514
13.5. Connection Timeout Settings ................................................................	516
13.6. Length Limit Settings ..........................................................................	518
13.7. Fragmentation Settings ........................................................................	520
13.8. Local Fragment Reassembly Settings .....................................................	524
13.9. Miscellaneous Settings ........................................................................	525
A. Subscribing to Updates ...................................................................................	527
B. IDP Signature Groups .....................................................................................	529
C. Verified MIME filetypes .................................................................................	533
D. The OSI Framework .......................................................................................	537
Alphabetical Index .............................................................................................	538

List of Figures
1.1. Packet Flow Schematic Part I ...........................................................................	23
1.2. Packet Flow Schematic Part II ..........................................................................	24
1.3. Packet Flow Schematic Part III .........................................................................	25
1.4. Expanded Apply Rules Logic ............................................................................	26
3.1. VLAN Connections ........................................................................................	99
3.2. An ARP Publish Ethernet Frame .....................................................................	112
3.3. Simplified NetDefendOS Traffic Flow .............................................................	118
4.1. A Typical Routing Scenario ...........................................................................	144
4.2. Using Local IP Address with an Unbound Network ............................................	146
4.3. A Route Failover Scenario for ISP Access .........................................................	152
4.4. A Proxy ARP Example ..................................................................................	158
4.5. The RLB Round Robin Algorithm ...................................................................	166
4.6. The RLB Spillover Algorithm .........................................................................	167
4.7. A Route Load Balancing Scenario ...................................................................	169
4.8. A Simple OSPF Scenario ...............................................................................	172
4.9. OSPF Providing Route Redundancy .................................................................	173
4.10. Virtual Links Connecting Areas ....................................................................	177
4.11. Virtual Links with Partitioned Backbone .........................................................	178
4.12. NetDefendOS OSPF Objects ........................................................................	179
4.13. Dynamic Routing Rule Objects .....................................................................	186
4.14. Multicast Forwarding - No Address Translation ................................................	196
4.15. Multicast Forwarding - Address Translation ....................................................	198
4.16. Multicast Snoop Mode .................................................................................	200
4.17. Multicast Proxy Mode .................................................................................	200
4.18. Non-transparent Mode Internet Access ...........................................................	212
4.19. Transparent Mode Internet Access .................................................................	212
4.20. Transparent Mode Scenario 1 ........................................................................	214
4.21. Transparent Mode Scenario 2 ........................................................................	215
4.22. An Example BPDU Relaying Scenario ...........................................................	218
5.1. DHCP Server Objects ...................................................................................	227
6.1. Deploying an ALG .......................................................................................	240
6.2. HTTP ALG Processing Order .........................................................................	243
6.3. FTP ALG Hybrid Mode .................................................................................	245
6.4. SMTP ALG Processing Order .........................................................................	256
6.5. Anti-Spam Filtering ......................................................................................	258
6.6. PPTP ALG Usage ........................................................................................	264
6.7. TLS Termination ..........................................................................................	290
6.8. Dynamic Content Filtering Flow .....................................................................	296
6.9. IDP Database Updating .................................................................................	316
7.1. NAT IP Address Translation ..........................................................................	335
7.2. A NAT Example ..........................................................................................	337
7.3. Anonymizing with NAT ................................................................................	339
7.4. The Role of the DMZ ....................................................................................	344
8.1. Normal LDAP Authentication ........................................................................	365
8.2. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 ..................................	366
9.1. The AH protocol ..........................................................................................	399
9.2. The ESP protocol .........................................................................................	399
9.3. PPTP Client Usage .......................................................................................	433
9.4. Certificate Validation Components ..................................................................	435
10.1. Pipe Rules Determine Pipe Usage ..................................................................	446
10.2. FwdFast Rules Bypass Traffic Shaping ...........................................................	447
10.3. Differentiated Limits Using Chains ................................................................	450
10.4. The Eight Pipe Precedences ..........................................................................	451
10.5. Minimum and Maximum Pipe Precedence .......................................................	453
10.6. Traffic Grouped By IP Address .....................................................................	457
10.7. A Basic Traffic Shaping Scenario ..................................................................	460
10.8. IDP Traffic Shaping P2P Scenario .................................................................	467
10.9. A Server Load Balancing Configuration ..........................................................	473

	User Manual
10.10. Connections from Three Clients	................................................................... 476
10.11. Stickiness and Round-Robin .......................................................................	477
10.12. Stickiness and Connection-rate ....................................................................	477
D.1. The 7 Layers of the OSI Model ......................................................................	537

List of Examples
1. Example Notation .............................................................................................	14
2.1. Enabling remote management via HTTPS ...........................................................	33
2.2. Enabling SSH Remote Access ..........................................................................	38
2.3. Listing Configuration Objects ...........................................................................	50
2.4. Displaying a Configuration Object .....................................................................	50
2.5. Editing a Configuration Object .........................................................................	51
2.6. Adding a Configuration Object .........................................................................	52
2.7. Deleting a Configuration Object ........................................................................	52
2.8. Undeleting a Configuration Object ....................................................................	53
2.9. Listing Modified Configuration Objects ..............................................................	53
2.10. Activating and Committing a Configuration .......................................................	54
2.11. Enable Logging to a Syslog Host .....................................................................	57
2.12. Sending SNMP Traps to an SNMP Trap Receiver ...............................................	58
2.13. RADIUS Accounting Server Setup ..................................................................	64
2.14. Enabling SNMP Monitoring ...........................................................................	68
2.15. Backing up the Entire System .........................................................................	74
2.16. Complete Hardware Reset to Factory Defaults ...................................................	74
3.1. Adding an IP Host ..........................................................................................	78
3.2. Adding an IP Network .....................................................................................	78
3.3. Adding an IP Range ........................................................................................	78
3.4. Deleting an Address Object ..............................................................................	79
3.5. Adding an Ethernet Address .............................................................................	79
3.6. Listing the Available Services ...........................................................................	82
3.7. Viewing a Specific Service ..............................................................................	83
3.8. Creating a Custom TCP/UDP Service ................................................................	86
3.9. Adding an IP Protocol Service ..........................................................................	88
3.10. Defining a VLAN .......................................................................................	100
3.11. Configuring a PPPoE Client .........................................................................	103
3.12. Creating an Interface Group ..........................................................................	107
3.13. Displaying the ARP Cache ...........................................................................	109
3.14. Flushing the ARP Cache ..............................................................................	109
3.15. Defining a Static ARP Entry .........................................................................	110
3.16. Adding an Allow IP Rule ..............................................................................	121
3.17. Setting up a Time-Scheduled Policy ...............................................................	127
3.18. Uploading a Certificate ................................................................................	130
3.19. Associating Certificates with IPsec Tunnels .....................................................	130
3.20. Setting the Current Date and Time .................................................................	132
3.21. Setting the Time Zone .................................................................................	133
3.22. Enabling DST ............................................................................................	133
3.23. Enabling Time Synchronization using SNTP ....................................................	134
3.24. Manually Triggering a Time Synchronization ..................................................	135
3.25. Modifying the Maximum Adjustment Value ....................................................	135
3.26. Forcing Time Synchronization ......................................................................	136
3.27. Enabling the D-Link NTP Server ...................................................................	136
3.28. Configuring DNS Servers .............................................................................	139
4.1. Displaying the main Routing Table ..................................................................	149
4.2. Displaying the Core Routes ............................................................................	150
4.3. Creating a Policy-based Routing Table .............................................................	162
4.4. Creating the Route ........................................................................................	162
4.5. Policy-based Routing Configuration .................................................................	163
4.6. Setting Up RLB ...........................................................................................	169
4.7. Creating an OSPF Router Process ...................................................................	192
4.8. Add an OSPF Area .......................................................................................	192
4.9. Add OSPF Interface Objects ..........................................................................	192
4.10. Import Routes from an OSPF AS into the Main Routing Table ............................	192
4.11. Exporting the Default Route into an OSPF AS .................................................	193
4.12. Forwarding of Multicast Traffic using the SAT Multiplex Rule ...........................	196
4.13. Multicast Forwarding - Address Translation ....................................................	198

	User Manual
4.14. IGMP - No Address Translation ....................................................................	201
4.15. if1 Configuration ........................................................................................	202
4.16. if2 Configuration - Group Translation .............................................................	203
4.17. Setting up Transparent Mode for Scenario 1 ....................................................	214
4.18. Setting up Transparent Mode for Scenario 2 ....................................................	215
5.1. Setting up a DHCP server ..............................................................................	225
5.2. Checking DHCP Server Status ........................................................................	226
5.3. Static DHCP Host Assignment ........................................................................	228
5.4. Setting up a DHCP Relayer ............................................................................	230
5.5. Creating an IP Pool .......................................................................................	235
6.1. Setting up an Access Rule ..............................................................................	239
6.2. Protecting an FTP Server with an ALG .............................................................	248
6.3. Protecting FTP Clients ..................................................................................	251
6.4. Protecting Phones Behind NetDefend Firewalls ..................................................	277
6.5. H.323 with private IP addresses ......................................................................	279
6.6. Two Phones Behind Different NetDefend Firewalls ............................................	280
6.7. Using Private IP Addresses ............................................................................	281
6.8. H.323 with Gatekeeper ..................................................................................	282
6.9. H.323 with Gatekeeper and two NetDefend Firewalls ..........................................	284
6.10. Using the H.323 ALG in a Corporate Environment ...........................................	285
6.11. Configuring remote offices for H.323 .............................................................	288
6.12. Allowing the H.323 Gateway to register with the Gatekeeper ..............................	288
6.13. Stripping ActiveX and Java applets ................................................................	293
6.14. Setting up a white and blacklist .....................................................................	294
6.15. Enabling Dynamic Web Content Filtering .......................................................	297
6.16. Enabling Audit Mode ..................................................................................	299
6.17. Reclassifying a blocked site ..........................................................................	300
6.18. Editing Content Filtering HTTP Banner Files ...................................................	307
6.19. Activating Anti-Virus Scanning .....................................................................	313
6.20. Configuring an SMTP Log Receiver ..............................................................	323
6.21. Setting up IDP for a Mail Server ....................................................................	323
6.22. Adding a Host to the Whitelist ......................................................................	332
7.1. Adding a NAT Rule ......................................................................................	337
7.2. Using NAT Pools .........................................................................................	341
7.3. Enabling Traffic to a Protected Web Server in a DMZ .........................................	344
7.4. Enabling Traffic to a Web Server on an Internal Network ....................................	346
7.5. Translating Traffic to Multiple Protected Web Servers ........................................	348
8.1. Creating an Authentication User Group ............................................................	371
8.2. User Authentication Setup for Web Access .......................................................	371
8.3. Configuring a RADIUS Server .......................................................................	372
8.4. Editing Content Filtering HTTP Banner Files ....................................................	374
9.1. Using an Algorithm Proposal List ....................................................................	401
9.2. Using a Pre-Shared key .................................................................................	402
9.3. Using an Identity List ....................................................................................	404
9.4. Setting up a PSK based VPN tunnel for roaming clients .......................................	409
9.5. Setting up a Self-signed Certificate based VPN tunnel for roaming clients ...............	409
9.6. Setting up CA Server Certificate based VPN tunnels for roaming clients .................	411
9.7. Setting Up Config Mode ................................................................................	412
9.8. Using Config Mode with IPsec Tunnels ............................................................	413
9.9. Setting up an LDAP server .............................................................................	413
9.10. Setting up a PPTP server ..............................................................................	426
9.11. Setting up an L2TP server ............................................................................	427
9.12. Setting up an L2TP Tunnel Over IPsec ...........................................................	427
10.1. Applying a Simple Bandwidth Limit ..............................................................	447
10.2. Limiting Bandwidth in Both Directions ...........................................................	449
10.3. Setting up SLB ...........................................................................................	478
12.1. A simple ZoneDefense scenario ....................................................................	500

Preface

Intended Audience

The target audience for this reference guide is Administrators who are responsible for configuring and managing NetDefend Firewalls which are running the NetDefendOS operating system. This guide assumes that the reader has some basic knowledge of networks and network security.

Text Structure and Conventions

The text is broken down into chapters and sub-sections. Numbered sub-sections are shown in the table of contents at the beginning. An index is included at the end of the document to aid with alphabetical lookup of subjects.

Where a "See chapter/section" link (such as: see Chapter 9, VPN) is provided in the main text, this can be clicked to take the reader directly to that reference.

Text that may appear in the user interface of the product is designated by being in bold case. Where a term is being introduced for the first time or being stressed it may appear in italics.

Where console interaction is shown in the main text outside of an example, it will appear in a box with a gray background.

Where a web address reference is shown in the text, clicking it will open the specified URL in a browser in a new window (some systems may not allow this).

For example, http://www.dlink.com.

Screenshots

This guide contains a minimum of screenshots. This is deliberate and is done because the manual deals specifically with NetDefendOS and administrators have a choice of management user interfaces. It was decided that the manual would be less cluttered and easier to read if it concentrated on describing how NetDefendOS functions rather than including large numbers of screenshots showing how the various interfaces are used. Examples are given but these are largely textual descriptions of management interface usage.

Examples

Examples in the text are denoted by the header Example and appear with a gray background as shown below. They contain a CLI example and/or a Web Interface example as appropriate. (The NetDefendOS CLI Reference Guide documents all CLI commands.)

Example 1. Example Notation

Information about what the example is trying to achieve is found here, sometimes with an explanatory image.

Command-Line Interface

The Command Line Interface example would appear here. It would start with the command prompt followed by the command:

gw-world:/> somecommand someparameter=somevalue

Web Interface

The Web Interface actions for the example are shown here. They are also typically a numbered list showing what

Preface

items in the tree-view list at the left of the interface or in the menu bar or in a context menu need to be opened followed by information about the data items that need to be entered:

1.Go to Item X > Item Y > Item Z

2.Now enter:

•DataItem1: datavalue1

•DataItem2: datavalue2

Highlighted Content

Special sections of text which the reader should pay special attention to are indicated by icons on the left hand side of the page followed by a short paragraph in italicized text. Such sections are of the following types with the following purposes:

Note

This indicates some piece of information that is an addition to the preceding text. It may concern something that is being emphasized, or something that is not obvious or explicitly stated in the preceding text.

Tip

This indicates a piece of non-critical information that is useful to know in certain situations but is not essential reading.

Caution

This indicates where the reader should be careful with their actions as an undesirable situation may result if care is not exercised.

Important

This is an essential point that the reader should read and understand.

Warning

This is essential reading for the user as they should be aware that a serious situation may result if certain actions are taken or not taken.

Trademarks

Certain names in this publication are the trademarks of their respective owners.

Windows, Windows XP, Windows Vista and Windows 7 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Chapter 1. NetDefendOS Overview

This chapter outlines the key features of NetDefendOS.

•Features, page 16

•NetDefendOS Architecture, page 19

•NetDefendOS State Engine Packet Flow, page 23

1.1.Features

D-Link NetDefendOS is the base software engine that drives and controls the range of NetDefend Firewall hardware products.

NetDefendOS as a Network Security Operating System

Designed as a network security operating system, NetDefendOS features high throughput performance with high reliability plus super-granular control. In contrast to products built on top of standard operating systems such as Unix or Microsoft Windows, NetDefendOS offers seamless integration of all its subsystems, in-depth administrative control of all functionality, as well as a minimal attack surface which helps to negate the risk from security attacks.

NetDefendOS Objects

From the administrator's perspective the conceptual approach of NetDefendOS is to visualize operations through a set of logical building blocks or objects. These objects allow the configuration of NetDefendOS in an almost limitless number of different ways. This granular control allows the administrator to meet the requirements of the most demanding network security scenarios.

Key Features

NetDefendOS has an extensive feature set. The list below presents the key features of the product:

IP Routing	NetDefendOS provides a variety of options for IP routing
	including static routing, dynamic routing, as well as multicast
	routing capabilities. In addition, NetDefendOS supports
	features such as Virtual LANs, Route Monitoring, Proxy ARP
	and Transparency. For more information, please see
	Chapter 4, Routing.
Firewalling Policies	NetDefendOS provides stateful inspection-based firewalling
	for a wide range of protocols such as TCP, UDP and ICMP.
	The administrator can define detailed firewalling policies
	based on source/destination network/interface, protocol,
	ports, user credentials, time-of-day and more. Section 3.5, “IP
	Rule Sets”, describes how to set up these policies to
	determine what traffic is allowed or rejected by
	NetDefendOS.
Address Translation	For functionality as well as security reasons, NetDefendOS
	supports policy-based address translation. Dynamic Address
	Translation (NAT) as well as Static Address Translation
	(SAT) is supported, and resolves most types of address
	translation needs. This feature is covered in Chapter 7,
	Address Translation.

1.1. Features		Chapter 1. NetDefendOS Overview

	VPN	NetDefendOS supports a range of Virtual Private Network
		(VPN) solutions. NetDefendOS supports IPsec, L2TP and
		PPTP based VPNs concurrently, can act as either server or
		client for all of the VPN types, and can provide individual
		security policies for each VPN tunnel. The details for this can
		be found in Chapter 9, VPN which includes a summary of
		setup steps in Section 9.2, “VPN Quick Start”.
	TLS Termination	NetDefendOS supports TLS termination so that the
		NetDefend Firewall can act as the end point for connections
		by HTTP web-browser clients (this feature is sometimes
		called SSL termination). For detailed information, see
		Section 6.2.10, “The TLS ALG”.
	Anti-Virus Scanning	NetDefendOS features integrated anti-virus functionality.
		Traffic passing through the NetDefend Firewall can be
		subjected to in-depth scanning for viruses, and virus sending
		hosts can be black-listed and blocked. For details of this
		feature, seeSection 6.4, “Anti-Virus Scanning”.
		Note
		Anti-Virus scanning is only available on certain
		D-Link NetDefend product models.
	Intrusion Detection and	To mitigate application-layer attacks towards vulnerabilities
	Prevention	in services and applications, NetDefendOS provides a
		powerful Intrusion Detection and Prevention (IDP) engine.
		The IDP engine is policy-based and is able to perform
		high-performance scanning and detection of attacks and can
		perform blocking and optional black-listing of attacking
		hosts. More information about the IDP capabilities of
		NetDefendOS can be found in Section 6.5, “Intrusion
		Detection and Prevention”.
		Note
		Full IDP is available on all D-Link NetDefend
		product models as a subscription service. On
		some models, a simplified IDP subsystem is
		provided as standard..
	Web Content Filtering	NetDefendOS provides various mechanisms for filtering web
		content that is deemed inappropriate according to a web usage
		policy. With Web Content Filtering (WCF) web content can
		be blocked based on category (Dynamic WCF), malicious
		objects can be removed from web pages and web sites can be
		whitelisted or blacklisted. More information about this topic
		can be found in Section 6.3, “Web Content Filtering”.
		Note
		Dynamic WCF is only available on some D-Link
		NetDefend product models.
	Traffic Management	NetDefendOS provides broad traffic management capabilities
		through Traffic Shaping, Threshold Rules (certain models
		only) and Server Load Balancing.
		Traffic Shaping enables limiting and balancing of bandwidth;
		Threshold Rules allow specification of thresholds for sending
		alarms and/or limiting network traffic; Server Load Balancing

1.1. Features		Chapter 1. NetDefendOS Overview

	enables a device running NetDefendOS to distribute network
	load to multiple hosts. These features are discussed in detail
	in Chapter 10, Traffic Management.
	Note
	Threshold Rules are only available on certain
	D-Link NetDefend product models.
Operations and Maintenance	Administrator management of NetDefendOS is possible
	through either a Web-based User Interface (the WebUI) or via
	a Command Line Interface (the CLI). NetDefendOS also
	provides detailed event and logging capabilities plus support
	for monitoring through SNMP. More detailed information
	about this topic can be found in Chapter 2, Management and
	Maintenance.
ZoneDefense	NetDefendOS can be used to control D-Link switches using
	the ZoneDefense feature. This allows NetDefendOS to isolate
	portions of a network that contain hosts that are the source of
	undesirable network traffic.
	Note
	NetDefendOS ZoneDefense is only available on
	certain D-Link NetDefend product models.

NetDefendOS Documentation

Reading through the available documentation carefully will ensure that you get the most out of your NetDefendOS product. In addition to this document, the reader should also be aware of the companion reference guides:

•The CLI Reference Guide which details all NetDefendOS CLI commands.

•The NetDefendOS Log Reference Guide which details all NetDefendOS log event messages. Together, these documents form the essential reference material for NetDefendOS operation.

1.2. NetDefendOS Architecture		Chapter 1. NetDefendOS Overview

1.2. NetDefendOS Architecture

1.2.1. State-based Architecture

The NetDefendOS architecture is centered around the concept of state-based connections. Traditional IP routers or switches commonly inspect all packets and then perform forwarding decisions based on information found in the packet headers. With this approach, packets are forwarded without any sense of context which eliminates any possibility to detect and analyze complex protocols and enforce corresponding security policies.

Stateful Inspection

NetDefendOS employs a technique called stateful inspection which means that it inspects and forwards traffic on a per-connection basis. NetDefendOS detects when a new connection is being established, and keeps a small piece of information or state in its state table for the lifetime of that connection. By doing this, NetDefendOS is able to understand the context of the network traffic which enables it to perform in-depth traffic scanning, apply bandwidth management and a variety of other functions.

The stateful inspection approach additionally provides high throughput performance with the added advantage of a design that is highly scalable. The NetDefendOS subsystem that implements stateful inspection will sometimes be referred to in documentation as the NetDefendOS state-engine.

1.2.2. NetDefendOS Building Blocks

The basic building blocks in NetDefendOS are interfaces, logical objects and various types of rules (or rule sets).

Interfaces

Interfaces are the doorways through which network traffic enters or leaves the NetDefend Firewall. Without interfaces, a NetDefendOS system has no means for receiving or sending traffic.

The following types of interface are supported in NetDefendOS:

•Physical interfaces - These correspond to the actual physical Ethernet ports.

•Sub-interfaces - These include VLAN and PPPoE interfaces.

•Tunnel interfaces - Used for receiving and sending traffic through VPN tunnels.

Interface Symmetry

The NetDefendOS interface design is symmetric, meaning that the interfaces of the device are not fixed as being on the "insecure outside" or "secure inside" of a network topology. The notion of what is inside and outside is totally for the administrator to define.

Logical Objects

Logical objects can be seen as predefined building blocks for use by the rule sets. The address book, for instance, contains named objects representing host and network addresses.

Another example of logical objects are services which represent specific protocol and port combinations. Also important are the Application Layer Gateway (ALG) objects which are used to define additional parameters on specific protocols such as HTTP, FTP, SMTP and H.323.

1.2.3. Basic Packet Flow		Chapter 1. NetDefendOS Overview

NetDefendOS Rule Sets

Finally, rules which are defined by the administrator in the various rule sets are used for actually implementing NetDefendOS security policies. The most fundamental set of rules are the IP Rules, which are used to define the layer 3 IP filtering policy as well as carrying out address translation and server load balancing. The Traffic Shaping Rules define the policy for bandwidth management, the IDP Rules control the behavior of the intrusion prevention engine and so on.

1.2.3. Basic Packet Flow

This section outlines the basic flow in the state-engine for packets received and forwarded by NetDefendOS. The following description is simplified and might not be fully applicable in all scenarios, however, the basic principles will be valid for all NetDefendOS deployments.

1.An Ethernet frame is received on one of the Ethernet interfaces in the system. Basic Ethernet frame validation is performed and the packet is dropped if the frame is invalid.

2.The packet is associated with a Source Interface. The source interface is determined as follows:

•If the Ethernet frame contains a VLAN ID (Virtual LAN identifier), the system checks for a configured VLAN interface with a corresponding VLAN ID. If one is found, that VLAN interface becomes the source interface for the packet. If no matching interface is found, the packet is dropped and the event is logged.

•If the Ethernet frame contains a PPP payload, the system checks for a matching PPPoE interface. If one is found, that interface becomes the source interface for the packet. If no matching interface is found, the packet is dropped and the event is logged.

•If none the above is true, the receiving Ethernet interface becomes the source interface for the packet.

3.The IP datagram within the packet is passed on to the NetDefendOS Consistency Checker. The consistency checker performs a number of sanity checks on the packet, including validation of checksums, protocol flags, packet length and so on. If the consistency checks fail, the packet gets dropped and the event is logged.

4.NetDefendOS now tries to lookup an existing connection by matching parameters from the incoming packet. A number of parameters are used in the match attempt, including the source interface, source and destination IP addresses and IP protocol.

If a match cannot be found, a connection establishment process starts which includes steps from here to 9 below. If a match is found, the forwarding process continues at step 10 below.

5.The Access Rules are evaluated to find out if the source IP address of the new connection is allowed on the received interface. If no Access Rule matches then a reverse route lookup will be done in the routing tables.

In other words, by default, an interface will only accept source IP addresses that belong to networks routed over that interface. A reverse lookup means that we look in the routing tables to confirm that there is a route where if this network is the destination then the same interface could be used.

If the Access Rule lookup or the reverse route lookup determine that the source IP is invalid, then the packet is dropped and the event is logged.

6.A route lookup is being made using the appropriate routing table. The destination interface for the connection has now been determined.

7.The IP rules are now searched for a rule that matches the packet. The following parameters are part of the matching process:

1.2.3. Basic Packet Flow		Chapter 1. NetDefendOS Overview

•Source and destination interfaces

•Source and destination network

•IP protocol (for example TCP, UDP, ICMP)

•TCP/UDP ports

•ICMP types

•Point in time in reference to a predefined schedule If a match cannot be found, the packet is dropped.

If a rule is found that matches the new connection, the Action parameter of the rule decides what NetDefendOS should do with the connection. If the action is Drop, the packet is dropped and the event is logged according to the log settings for the rule.

If the action is Allow, the packet is allowed through the system. A corresponding state will be added to the connection table for matching subsequent packets belonging to the same connection. In addition, the service object which matched the IP protocol and ports might have contained a reference to an Application Layer Gateway (ALG) object. This information is recorded in the state so that NetDefendOS will know that application layer processing will have to be performed on the connection.

Finally, the opening of the new connection will be logged according to the log settings of the rule.

Note: Additional actions

There are actually a number of additional actions available such as address translation and server load balancing. The basic concept of dropping and allowing traffic is still the same.

8.The Intrusion Detection and Prevention (IDP) Rules are now evaluated in a similar way to the IP rules. If a match is found, the IDP data is recorded with the state. By doing this, NetDefendOS will know that IDP scanning is supposed to be conducted on all packets belonging to this connection.

9.The Traffic Shaping and the Threshold Limit rule sets are now searched. If a match is found, the corresponding information is recorded with the state. This will enable proper traffic management on the connection.

10.From the information in the state, NetDefendOS now knows what to do with the incoming packet:

•If ALG information is present or if IDP scanning is to be performed, the payload of the packet is taken care of by the TCP Pseudo-Reassembly subsystem, which in turn makes use of the different Application Layer Gateways, layer 7 scanning engines and so on, to further analyze or transform the traffic.

•If the contents of the packet is encapsulated (such as with IPsec, PPTP/L2TP or some other type of tunneled protocol), then the interface lists are checked for a matching interface. If one is found, the packet is decapsulated and the payload (the plaintext) is sent into NetDefendOS again, now with source interface being the matched tunnel interface. In other words, the process continues at step 3 above.

•If traffic management information is present, the packet might get queued or otherwise be subjected to actions related to traffic management.

11.Eventually, the packet will be forwarded out on the destination interface according to the state. If the destination interface is a tunnel interface or a physical sub-interface, additional

1.2.3. Basic Packet Flow		Chapter 1. NetDefendOS Overview

processing such as encryption or encapsulation might occur.

The next section provides a set of diagrams illustrating the flow of packets through NetDefendOS.

1.3. NetDefendOS State Engine Packet		Chapter 1. NetDefendOS Overview
Flow

1.3. NetDefendOS State Engine Packet Flow

The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next. It is not necessary to understand these diagrams, however, they can be useful as a reference when configuring NetDefendOS in certain situations.

Figure 1.1. Packet Flow Schematic Part I

The packet flow is continued on the following page.

D-Link 210, 260, 2560G, 860, 1660 User Manual

1.3. NetDefendOS State Engine Packet		Chapter 1. NetDefendOS Overview
Flow

Figure 1.2. Packet Flow Schematic Part II

The packet flow is continued on the following page.

1.3. NetDefendOS State Engine Packet		Chapter 1. NetDefendOS Overview
Flow

Figure 1.3. Packet Flow Schematic Part III

1.3. NetDefendOS State Engine Packet		Chapter 1. NetDefendOS Overview
Flow

Apply Rules

The figure below presents the detailed logic of the Apply Rules function in Figure 1.2, “Packet Flow Schematic Part II” above.

Figure 1.4. Expanded Apply Rules Logic

1.3. NetDefendOS State Engine Packet		Chapter 1. NetDefendOS Overview
Flow

Chapter 2. Management and Maintenance

This chapter describes the management, operations and maintenance related aspects of NetDefendOS.

•Managing NetDefendOS, page 28

•Events and Logging, page 55

•RADIUS Accounting, page 60

•Hardware Monitoring, page 65

•SNMP Monitoring, page 67

•The pcapdump Command, page 70

•Maintenance, page 73

2.1.Managing NetDefendOS

2.1.1. Overview

NetDefendOS is designed to give both high performance and high reliability. Not only does it provide an extensive feature set, it also enables the administrator to be in full control of almost every detail of the system. This means the product can be deployed in the most challenging environments.

A good understanding on how NetDefendOS configuration is performed is crucial for proper usage of the system. For this reason, this section provides an in-depth presentation of the configuration subsystem as well as a description of how to work with the various management interfaces.

Management Interfaces

NetDefendOS provides the following management interfaces:

The Web Interface	The Web Interface (also known as the Web User Interface or WebUI) is
	built into NetDefendOS and provides a user-friendly and intuitive
	graphical management interface, accessible from a standard web
	browser (Microsoft Internet Explorer or Firefox is recommended). The
	browser connects to one of the hardware's Ethernet interfaces using
	HTTP or HTTPS and the NetDefendOS responds like a web server,
	allowing web pages to be used as the management interface.
	This feature is fully described in Section 2.1.3, “The Web Interface”.
The CLI	The Command Line Interface (CLI), accessible locally via serial console
	port or remotely using the Secure Shell (SSH) protocol, provides the
	most fine-grained control over all parameters in NetDefendOS.
	This feature is fully described in Section 2.1.4, “The CLI”.
Secure Copy	Secure Copy (SCP) is a widely used communication protocol for file
	transfer. No specific SCP client is provided with NetDefendOS
	distributions but there exists a wide selection of SCP clients available
	for nearly all workstation platforms. SCP is a complement to CLI usage
	and provides a secure means of file transfer between the administrator's
	workstation and the NetDefend Firewall. Various files used by
	NetDefendOS can be both uploaded and downloaded with SCP.

2.1.2. The Default Administrator		Chapter 2. Management and Maintenance
Account
		This feature is fully described in Section 2.1.6, “Secure Copy”.
	Console Boot Menu	Before NetDefendOS starts running, a console connected directly to the
		NetDefend Firewall's RS232 port can be used to do basic configuration
		through the boot menu. This menu can be entered by pressing any
		console key between power-up and NetDefendOS starting. It is the
		D-Link firmware loader that is being accessed with the boot menu.
		This feature is fully described in Section 2.1.7, “The Console Boot
		Menu”.

Note: Recommended browsers

Microsoft Internet Explorer (version 7 and later), Firefox (version 3.0 and later) and Netscape (version 8 and later) are the recommended web-browsers to use with the WebUI. Other browsers may also provide full support.

Remote Management Policies

Access to remote management interfaces can be regulated by a remote management policy so the administrator can restrict management access based on source network, source interface and username/password credentials. Access to the Web Interface can be permitted for administrative users on a certain network, while at the same time allowing CLI access for a remote administrator connecting through a specific IPsec tunnel.

By default, Web Interface access is enabled for users on the network connected via the LAN interface of the D-Link firewall (on products where more than one LAN interface is available, LAN1 is the default interface).

2.1.2. The Default Administrator Account

By default, NetDefendOS has a local user database, AdminUsers, that contains one predefined administrator account. This account has the username admin with password admin. This account has full administrative read/write privileges for NetDefendOS.

Important

For security reasons, it is recommended to change the default password of the default account as soon as possible after connecting with the NetDefend Firewall.

Creating Additional Accounts

Extra user accounts can be created as required. Accounts can either belong to the Administrator user group, in which case they have complete read/write administrative access. Alternatively, they can belong to the Auditor user group, in which case they have read-only access.

Multiple Administration Logins

NetDefendOS doesn't allow more than one administrator account to be logged in at the same time. If one administrator logs in, then a second or more will be allowed to login but they will only have audit privileges. In other words the second or more administrators who login will only be able to read configurations and will not be able to change them.

2.1.3. The Web Interface

2.1.3. The Web Interface		Chapter 2. Management and Maintenance

NetDefendOS provides an intuitive Web Interface (WebUI) for management of the system via an Ethernet interface using a standard web browser. This allows the administrator to perform remote management from anywhere on a private network or the public Internet using a standard computer without having to install client software.

Assignment of a Default IP Address

For a new D-Link NetDefend firewall with factory defaults, a default internal IP address is assigned automatically by NetDefendOS to the hardware's LAN1 interface (or the LAN interface on models wihout multiple LAN interfaces). The IP address assigned to the management interface differs according to the NetDefend model as follows:

•On the NetDefend DFL-210, 260, 800, 860, 1600 and 2500, the default management interface IP address is 192.168.1.1.

•On the NetDefend DFL-1660, 2560 and 2560G, the default management interface IP address is

192.168.10.1.

Setting the Workstation IP

The assigned NetDefend Firewall interface and the workstation interface must be members of the same logical IP network for initial communication between them to succeed so the connecting interface of the workstation must be manually given the following static IP values:

•IP address: 192.168.1.30

•Subnet mask: 255.255.255.0

•Default gateway: 192.168.1.1

Logging on to the Web Interface

To access the Web Interface using the factory default settings, launch a web browser on the workstation (the latest version of Internet Explorer or Firefox is recommended) and point the browser at the address 192.168.1.1.

When performing initial connection to NetDefendOS, the administrator must use https:// as the URL protocol in the browser (in other words, https://192.168.1.1). Using HTTPS as the protocol makes communication with NetDefendOS secure.

If communication with the NetDefendOS is successfully established, a user authentication dialog similar to the one shown below will then be shown in the browser window.

Enter your username and password and click the Login button. The factory default username and

+ 515 hidden pages

D-Link 210, 260, 2560G, 860, 1660 User Manual

User Manual

Table of Contents

Preface

Chapter 1. NetDefendOS Overview

1.1.Features

1.2. NetDefendOS Architecture

1.2.1. State-based Architecture

1.2.2. NetDefendOS Building Blocks

1.2.3. Basic Packet Flow

1.3. NetDefendOS State Engine Packet Flow

Chapter 2. Management and Maintenance

2.1.Managing NetDefendOS

2.1.1. Overview

2.1.2. The Default Administrator Account

2.1.3. The Web Interface