D-Link DFL-2500 User Manual

Security

Network Security Firewall

User Manual

DFL-210/ 800/1600/ 2500 DFL-260/ 860

Ver. 1.07

Network Security Solution http://www.dlink.com

User Manual

DFL-210/260/800/860/1600/2500

NetDefendOS version 2.20

D-Link NetDefend Security

http://security.dlink.com.tw

Published 2008-08-05

User Manual

DFL-210/260/800/860/1600/2500 NetDefendOS version 2.20

This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manual, nor any of the material contained herein, may be reproduced without written consent of the author.

Disclaimer

The information in this document is subject to change without notice. The manufacturer makes no representations or warranties with respect to the contents hereof and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose. The manufacturer reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of the manufacturer to notify any person of such revision or changes.

Limitations of Liability

UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER (E.G. DAMAGES FOR LOSS OF PROFIT, SOFTWARE RESTORATION, WORK STOPPAGE, LOSS OF SAVED DATA OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES) RESULTING FROM THE APPLICATION OR IMPROPER USE OF THE D-LINK PRODUCT OR FAILURE OF THE PRODUCT, EVEN IF D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE PRODUCT.

Preface ...............................................................................................................12

1. Product Overview .............................................................................................14

1.1. About D-Link NetDefendOS ....................................................................14

1.2. NetDefendOS Architecture ......................................................................16

1.2.1. State-based Architecture ...............................................................16

1.2.2. NetDefendOS Building Blocks .......................................................16

1.2.3. Basic Packet Flow ........................................................................17

1.3. NetDefendOS State Engine Packet Flow .....................................................19

2. Management and Maintenance ............................................................................23

2.1. Managing NetDefendOS ..........................................................................23

2.1.1. Overview ...................................................................................23

2.1.2. Default Administrator Accounts .....................................................23

2.1.3. The CLI .....................................................................................24

2.1.4. The WebUI .................................................................................26

2.1.5. Working with Configurations .........................................................29

2.2. Events and Logging ................................................................................35

2.2.1. Overview ...................................................................................35

2.2.2. Event Messages ...........................................................................35

2.2.3. Event Message Distribution ...........................................................35

2.3. RADIUS Accounting ..............................................................................39

2.3.1. Overview ...................................................................................39

2.3.2. RADIUS Accounting Messages ......................................................39

2.3.3. Interim Accounting Messages ........................................................41

2.3.4. Activating RADIUS Accounting .....................................................41

2.3.5. RADIUS Accounting Security ........................................................41

2.3.6. RADIUS Accounting and High Availability ......................................41

2.3.7. Handling Unresponsive Servers ......................................................42

2.3.8. Accounting and System Shutdowns .................................................42

2.3.9. Limitations with NAT ...................................................................42

2.4. Monitoring ............................................................................................43

2.4.1. SNMP Monitoring .......................................................................43

2.5. Maintenance ..........................................................................................45

2.5.1. Auto-Update Mechanism ...............................................................45

2.5.2. Configuration Backup and Restore ..................................................45

2.5.3. Resetting to Factory Defaults .........................................................45

3. Fundamentals ...................................................................................................48

3.1. The Address Book ..................................................................................48

3.1.1. Overview ...................................................................................48

3.1.2. IP Addresses ...............................................................................48

3.1.3. Ethernet Addresses .......................................................................50

3.1.4. Address Groups ...........................................................................51

3.1.5. Auto-Generated Address Objects ....................................................51

3.2. Services ................................................................................................52

3.2.1. Overview ...................................................................................52

3.2.2. TCP and UDP Based Services ........................................................53

3.2.3. ICMP Services ............................................................................55

3.2.4. Custom IP Protocol Services ..........................................................55

3.3. Interfaces ..............................................................................................57

3.3.1. Overview ...................................................................................57

3.3.2. Ethernet .....................................................................................58

3.3.3. VLAN .......................................................................................60

3.3.4. PPPoE .......................................................................................61

3.3.5. GRE Tunnels ..............................................................................63

3.3.6. Interface Groups ..........................................................................66

3.4. ARP ....................................................................................................68

3.4.1. Overview ...................................................................................68

3.4.2. ARP in NetDefendOS ...................................................................68

User Manual

3.4.3. ARP Cache .................................................................................68

3.4.4. Static and Published ARP Entries ....................................................69

3.4.5. Advanced ARP Settings ................................................................71

3.5. The IP Rule Set ......................................................................................73

3.5.1. Security Policies ..........................................................................73

3.5.2. IP Rule Evaluation .......................................................................74

3.5.3. IP Rule Actions ...........................................................................75

3.5.4. Editing IP rule set Entries ..............................................................76

3.6. Schedules .............................................................................................77

3.7. X.509 Certificates ..................................................................................79

3.7.1. Overview ...................................................................................79

3.7.2. X.509 Certificates in NetDefendOS .................................................80

3.8. Setting Date and Time .............................................................................82

3.8.1. General Date and Time Settings ......................................................82

3.8.2. Time Servers ..............................................................................83

3.9. DNS Lookup .........................................................................................87

4. Routing ...........................................................................................................89

4.1. Overview ..............................................................................................89

4.2. Static Routing ........................................................................................90

4.2.1. Basic Principles of Routing ............................................................90

4.2.2. Static Routing .............................................................................91

4.2.3. Route Failover ............................................................................94

4.2.4. Proxy ARP .................................................................................96

4.3. Policy-based Routing ..............................................................................98

4.3.1. Overview ...................................................................................98

4.3.2. Policy-based Routing Tables ..........................................................98

4.3.3. Policy-based Routing Rules ...........................................................98

4.3.4. Policy-based Routing Table Selection ..............................................99

4.3.5. The Ordering parameter ................................................................99

4.4. Dynamic Routing ................................................................................. 103

4.4.1. Dynamic Routing overview ......................................................... 103

4.4.2. OSPF ...................................................................................... 104

4.4.3. Dynamic Routing Policy ............................................................. 107

4.5. Multicast Routing ................................................................................. 110

4.5.1. Overview ................................................................................. 110

4.5.2. Multicast Forwarding using the SAT Multiplex Rule ........................ 110

4.5.3. IGMP Configuration ..................................................................114

4.6. Transparent Mode ................................................................................ 119

4.6.1. Overview of Transparent Mode .................................................... 119

4.6.2. Comparison with Routing mode ................................................... 119

4.6.3. Transparent Mode Implementation ................................................ 119

4.6.4. Enabling Transparent Mode ......................................................... 120

4.6.5. High Availability with Transparent Mode ....................................... 120

4.6.6. Transparent Mode Scenarios ........................................................ 120

5. DHCP Services .............................................................................................. 127

5.1. Overview ............................................................................................127

5.2. DHCP Servers ..................................................................................... 128

5.3. Static DHCP Assignment .......................................................................130

5.4. DHCP Relaying ................................................................................... 131

5.5. IP Pools .............................................................................................. 132

6. Security Mechanisms ....................................................................................... 135

6.1. Access Rules ....................................................................................... 135

6.1.1. Introduction .............................................................................. 135

6.1.2. IP spoofing ............................................................................... 135

6.1.3. Access Rule Settings .................................................................. 136

6.2. Application Layer Gateways ................................................................... 138

6.2.1. Overview ................................................................................. 138

6.2.2. HTTP ......................................................................................139

6.2.3. FTP ......................................................................................... 140

6.2.4. TFTP ....................................................................................... 145

6.2.5. SMTP ...................................................................................... 146

6.2.6. POP3 ....................................................................................... 151

6.2.7. SIP .......................................................................................... 152

User Manual

6.2.8. H.323 ...................................................................................... 155

6.3. Web Content Filtering ........................................................................... 169

6.3.1. Overview ................................................................................. 169

6.3.2. Active Content Handling .............................................................169

6.3.3. Static Content Filtering ............................................................... 170

6.3.4. Dynamic Web Content Filtering ................................................... 172

6.4. Anti-Virus Scanning .............................................................................183

6.4.1. Overview ................................................................................. 183

6.4.2. Implementation .........................................................................183

6.4.3. Activating Anti-Virus Scanning ....................................................184

6.4.4. The Signature Database ..............................................................184

6.4.5. Subscribing to the D-Link Anti-Virus Service ................................. 184

6.4.6. Anti-Virus Options .....................................................................184

6.5. Intrusion Detection and Prevention .......................................................... 188

6.5.1. Overview ................................................................................. 188

6.5.2. IDP Availability in D-Link Models ............................................... 188

6.5.3. IDP Rules ................................................................................. 190

6.5.4. Insertion/Evasion Attack Prevention .............................................. 191

6.5.5. IDP Pattern Matching ................................................................. 192

6.5.6. IDP Signature Groups ................................................................. 192

6.5.7. IDP Actions .............................................................................. 194

6.5.8. SMTP Log Receiver for IDP Events .............................................. 194

6.6. Denial-Of-Service (DoS) Attacks ............................................................ 198

6.6.1. Overview ................................................................................. 198

6.6.2. DoS Attack Mechanisms ............................................................. 198

6.6.3. Ping of Death and Jolt Attacks ..................................................... 198

6.6.4. Fragmentation overlap attacks: Teardrop, Bonk, Boink and Nestea ...... 199

6.6.5. The Land and LaTierra attacks .....................................................199

6.6.6. The WinNuke attack ................................................................... 199

6.6.7. Amplification attacks: Smurf, Papasmurf, Fraggle ........................... 200

6.6.8. TCP SYN Flood Attacks ............................................................. 201

6.6.9. The Jolt2 Attack ........................................................................ 201

6.6.10. Distributed DoS Attacks ............................................................ 201

6.7. Blacklisting Hosts and Networks ............................................................. 202

7. Address Translation ........................................................................................ 204

7.1. Dynamic Network Address Translation .................................................... 204

7.2. NAT Pools .......................................................................................... 207

7.3. Static Address Translation ..................................................................... 210

7.3.1. Translation of a Single IP Address (1:1) ......................................... 210

7.3.2. Translation of Multiple IP Addresses (M:N) .................................... 213

7.3.3. All-to-One Mappings (N:1) ......................................................... 215

7.3.4. Port Translation ......................................................................... 216

7.3.5. Protocols handled by SAT ...........................................................216

7.3.6. Multiple SAT rule matches .......................................................... 217

7.3.7. SAT and FwdFast Rules .............................................................. 217

8. User Authentication ........................................................................................ 220

8.1. Overview ............................................................................................220

8.2. Authentication Setup ............................................................................. 221

8.2.1. Setup Summary .........................................................................221

8.2.2. The Local Database .................................................................... 221

8.2.3. External Authentication Servers .................................................... 221

8.2.4. Authentication Rules .................................................................. 222

8.2.5. Authentication Processing ........................................................... 223

8.2.6. HTTP Authentication ................................................................. 223

9. VPN ............................................................................................................. 229

9.1. Overview ............................................................................................229

9.1.1. The Need for VPNs .................................................................... 229

9.1.2. VPN Encryption ........................................................................ 229

9.1.3. VPN Planning ........................................................................... 229

9.1.4. Key Distribution ........................................................................ 230

9.2. VPN Quickstart Guide ..........................................................................231

9.2.1. IPsec LAN to LAN with Pre-shared Keys ....................................... 231

9.2.2. IPsec Roaming Clients with Pre-shared Keys ..................................232

User Manual

9.2.3. IPsec Roaming Clients with Certificates ......................................... 234

9.2.4. L2TP Roaming Clients with Pre-Shared Keys ................................. 234

9.2.5. L2TP Roaming Clients with Certificates ........................................ 236

9.2.6. PPTP Roaming Clients ............................................................... 236

9.2.7. VPN Troubleshooting .................................................................237

9.3. IPsec .................................................................................................. 240

9.3.1. Overview ................................................................................. 240

9.3.2. Internet Key Exchange (IKE) ....................................................... 240

9.3.3. IKE Authentication ....................................................................245

9.3.4. IPsec Protocols (ESP/AH) ...........................................................247

9.3.5. NAT Traversal ..........................................................................248

9.3.6. Proposal Lists ........................................................................... 249

9.3.7. Pre-shared Keys ........................................................................ 250

9.3.8. Identification Lists ..................................................................... 251

9.4. IPsec Tunnels ......................................................................................253

9.4.1. Overview ................................................................................. 253

9.4.2. LAN to LAN Tunnels with Pre-shared Keys ................................... 253

9.4.3. Roaming Clients ........................................................................ 253

9.4.4. Fetching CRLs from an alternate LDAP server ................................ 259

9.5. PPTP/L2TP ......................................................................................... 260

9.5.1. PPTP .......................................................................................260

9.5.2. L2TP .......................................................................................261

10. Traffic Management ...................................................................................... 267

10.1. Traffic Shaping .................................................................................. 267

10.1.1. Introduction ............................................................................267

10.1.2. Traffic Shaping in NetDefendOS ................................................. 268

10.1.3. Simple Bandwidth Limiting ....................................................... 269

10.1.4. Limiting Bandwidth in Both Directions ........................................ 270

10.1.5. Creating Differentiated Limits with Chains ................................... 271

10.1.6. Precedences ............................................................................272

10.1.7. Guarantees .............................................................................. 274

10.1.8. Differentiated Guarantees .......................................................... 274

10.1.9. Groups ................................................................................... 275

10.1.10. Recommendations .................................................................. 276

10.1.11. A Summary of Traffic Shaping .................................................277

10.2. Threshold Rules .................................................................................279

10.2.1. Overview ................................................................................ 279

10.2.2. Connection Rate/Total Connection Limiting ..................................279

10.2.3. Grouping ................................................................................ 279

10.2.4. Rule Actions ........................................................................... 279

10.2.5. Multiple Triggered Actions ........................................................ 280

10.2.6. Exempted Connections .............................................................. 280

10.2.7. Threshold Rules and ZoneDefense .............................................. 280

10.2.8. Threshold Rule Blacklisting .......................................................280

10.3. Server Load Balancing ........................................................................ 281

10.3.1. Overview ................................................................................ 281

10.3.2. Identifying the Servers .............................................................. 282

10.3.3. The Load Distribution Mode ...................................................... 282

10.3.4. The Distribution Algorithm ........................................................282

10.3.5. Server Health Monitoring .......................................................... 284

10.3.6. SLB_SAT Rules ...................................................................... 284

11. High Availability .......................................................................................... 289

11.1. Overview .......................................................................................... 289

11.2. High Availability Mechanisms .............................................................. 291

11.3. High Availability Setup ....................................................................... 293

11.3.1. Hardware Setup ....................................................................... 293

11.3.2. NetDefendOS Setup ................................................................. 294

11.3.3. Verifying Cluster Functioning .................................................... 294

11.4. High Availability Issues .......................................................................296

12. ZoneDefense ................................................................................................ 298

12.1. Overview .......................................................................................... 298

12.2. ZoneDefense Switches ......................................................................... 299

12.3. ZoneDefense Operation ....................................................................... 300

User Manual

12.3.1. SNMP .................................................................................... 300

12.3.2. Threshold Rules ....................................................................... 300

12.3.3. Manual Blocking and Exclude Lists ............................................. 300

12.3.4. Limitations .............................................................................302

13. Advanced Settings ......................................................................................... 304

13.1. IP Level Settings ................................................................................304

13.2. TCP Level Settings ............................................................................. 307

13.3. ICMP Level Settings ........................................................................... 311

13.4. ARP Settings ..................................................................................... 312

13.5. Stateful Inspection Settings ................................................................... 314

13.6. Connection Timeouts ..........................................................................316

13.7. Size Limits by Protocol ........................................................................ 318

13.8. Fragmentation Settings ........................................................................ 320

13.9. Local Fragment Reassembly Settings ..................................................... 324

13.10. DHCP Settings ................................................................................. 325

13.11. DHCPRelay Settings ......................................................................... 326

13.12. DHCPServer Settings ........................................................................ 327

13.13. IPsec Settings ................................................................................... 328

13.14. Logging Settings ............................................................................... 330

13.15. Time Synchronization Settings ............................................................ 331

13.16. PPP Settings .................................................................................... 333

13.17. Hardware Monitor Settings ................................................................. 334

13.18. Packet Re-assembly Settings ...............................................................335

13.19. Miscellaneous Settings .......................................................................336

A. Subscribing to Security Updates ........................................................................ 338

B. IDP Signature Groups ..................................................................................... 340

C. Checked MIME filetypes ................................................................................. 344

D. The OSI Framework ....................................................................................... 348

E. D-Link worldwide offices ................................................................................ 349

Alphabetical Index ............................................................................................. 351

List of Figures

1.1. Packet Flow Schematic Part I ...........................................................................19

1.2. Packet Flow Schematic Part II ..........................................................................20

1.3. Packet Flow Schematic Part III .........................................................................20

3.1. An Example GRE Scenario ..............................................................................64

4.1. A Route Failover Scenario for ISP Access ...........................................................94

4.2. Virtual Links Example 1 ................................................................................ 106

4.3. Virtual Links Example 2 ................................................................................ 107

4.4. Multicast Forwarding - No Address Translation .................................................111

4.5. Multicast Forwarding - Address Translation ...................................................... 112

4.6. Multicast Snoop ........................................................................................... 114

4.7. Multicast Proxy ........................................................................................... 115

4.8. Transparent mode scenario 1 .......................................................................... 121

4.9. Transparent mode scenario 2 .......................................................................... 122

6.1. DNSBL SPAM Filtering ................................................................................ 147

6.2. Dynamic Content Filtering Flow ..................................................................... 172

6.3. IDP Database Updating .................................................................................189

9.1. The AH protocol .......................................................................................... 247

9.2. The ESP protocol .........................................................................................247

10.1. Pipe rule set to Pipe Packet Flow ................................................................... 269

10.2. The Eight Pipe Precedences. ......................................................................... 272

10.3. Minimum and Maximum Pipe Precedence. ...................................................... 273

10.4. Traffic grouped per IP address. ......................................................................275

10.5. A Server Load Balancing configuration .......................................................... 281

10.6. Connections from Three Clients ....................................................................283

10.7. Stickiness and Round-Robin ......................................................................... 283

10.8. Stickiness and Connection Rate ..................................................................... 284

11.1. High Availability Setup ............................................................................... 293

D.1. The 7 layers of the OSI model ........................................................................ 348

List of Examples

1. Example Notation .............................................................................................12

2.1. Enabling SSH Remote Access ..........................................................................25

2.2. Enabling remote management via HTTPS. ..........................................................28

2.3. Listing Configuration Objects ...........................................................................29

2.4. Displaying a Configuration Object .....................................................................30

2.5. Editing a Configuration Object .........................................................................31

2.6. Adding a Configuration Object .........................................................................31

2.7. Deleting a Configuration Object ........................................................................32

2.8. Undeleting a Configuration Object ....................................................................32

2.9. Listing Modified Configuration Objects ..............................................................32

2.10. Activating and Committing a Configuration .......................................................33

2.11. Enable Logging to a Syslog Host .....................................................................36

2.12. Sending SNMP Traps to an SNMP Trap Receiver ...............................................37

2.13. Enabling SNMP Monitoring ...........................................................................44

2.14. Configuration Backup and Restore ...................................................................45

2.15. Complete Hardware Reset to Factory Defaults ...................................................46

3.1. Adding an IP Host ..........................................................................................49

3.2. Adding an IP Network .....................................................................................49

3.3. Adding an IP Range ........................................................................................49

3.4. Deleting an Address Object ..............................................................................50

3.5. Adding an Ethernet Address .............................................................................50

3.6. Listing the Available Services ...........................................................................52

3.7. Viewing a Specific Service ..............................................................................52

3.8. Adding a TCP/UDP Service .............................................................................54

3.9. Adding an IP Protocol Service ..........................................................................56

3.10. Enabling DHCP ...........................................................................................59

3.11. Defining a VLAN .........................................................................................61

3.12. Configuring a PPPoE client on the wan interface with traffic routed over PPPoE. .....62

3.13. Creating an Interface Group ............................................................................66

3.14. Displaying the ARP Cache .............................................................................69

3.15. Flushing the ARP Cache ................................................................................69

3.16. Defining a Static ARP Entry ...........................................................................70

3.17. Setting up a Time-Scheduled Policy .................................................................77

3.18. Uploading an X.509 Certificate .......................................................................80

3.19. Associating X.509 Certificates with IPsec Tunnels ..............................................81

3.20. Setting the Current Date and Time ...................................................................82

3.21. Setting the Time Zone ...................................................................................83

3.22. Enabling DST ..............................................................................................83

3.23. Enabling Time Synchronization using SNTP ......................................................84

3.24. Manually Triggering a Time Synchronization ....................................................84

3.25. Modifying the Maximum Adjustment Value ......................................................85

3.26. Forcing Time Synchronization ........................................................................85

3.27. Enabling the D-Link NTP Server .....................................................................86

3.28. Configuring DNS Servers ...............................................................................87

4.1. Displaying the Routing Table ...........................................................................92

4.2. Displaying the Core Routes ..............................................................................93

4.3. Creating a Policy-Based Routing table .............................................................. 100

4.4. Creating the Route ........................................................................................100

4.5. Policy Based Routing Configuration ................................................................101

4.6. Importing Routes from an OSPF AS into the Main Routing Table .........................108

4.7. Exporting the Default Route into an OSPF AS ................................................... 109

4.8. Forwarding of Multicast Traffic using the SAT Multiplex Rule ............................. 112

4.9. Multicast Forwarding - Address Translation ...................................................... 113

4.10. IGMP - No Address Translation .................................................................... 115

4.11. Configuration if1 ........................................................................................116

4.12. Configuration if2 - Group Translation .............................................................117

4.13. Setting up Transparent Mode - Scenario 1 .......................................................121

4.14. Setting up Transparent Mode - Scenario 2 .......................................................122

User Manual

5.1. Setting up a DHCP server ..............................................................................128

5.2. Checking the status of a DHCP server ..............................................................129

5.3. Setting up Static DHCP ................................................................................. 130

5.4. Setting up a DHCP relayer ............................................................................. 131

5.5. Creating an IP Pool ....................................................................................... 133

6.1. Setting up an Access Rule .............................................................................. 137

6.2. Protecting an FTP Server with an ALG ............................................................. 141

6.3. Protecting FTP Clients .................................................................................. 144

6.4. Protecting Phones Behind D-Link Firewalls ...................................................... 157

6.5. H.323 with private IP addresses ......................................................................159

6.6. Two Phones Behind Different D-Link Firewalls .................................................160

6.7. Using Private IP Addresses ............................................................................ 161

6.8. H.323 with Gatekeeper .................................................................................. 162

6.9. H.323 with Gatekeeper and two D-Link Firewalls .............................................. 164

6.10. Using the H.323 ALG in a Corporate Environment ...........................................165

6.11. Configuring remote offices for H.323 ............................................................. 167

6.12. Allowing the H.323 Gateway to register with the Gatekeeper .............................. 167

6.13. Stripping ActiveX and Java applets ................................................................ 170

6.14. Setting up a white and blacklist ..................................................................... 171

6.15. Enabling Dynamic Web Content Filtering ....................................................... 173

6.16. Enabling Audit Mode .................................................................................. 174

6.17. Reclassifying a blocked site .......................................................................... 176

6.18. Activating Anti-Virus Scanning ..................................................................... 186

6.19. Configuring an SMTP Log Receiver .............................................................. 194

6.20. Setting up IDP for a Mail Server .................................................................... 195

7.1. Adding a NAT rule ....................................................................................... 205

7.2. Using NAT Pools ......................................................................................... 208

7.3. Enabling Traffic to a Protected Web Server in a DMZ ......................................... 210

7.4. Enabling Traffic to a Web Server on an Internal Network ....................................212

7.5. Translating Traffic to Multiple Protected Web Servers ........................................ 214

8.1. Creating an authentication user group ............................................................... 226

8.2. User Authentication Setup for Web Access. ....................................................... 226

8.3. Configuring a RADIUS server. ....................................................................... 227

9.1. Using a Proposal List .................................................................................... 249

9.2. Using a Pre-Shared key ................................................................................. 250

9.3. Using an Identity List .................................................................................... 251

9.4. Setting up a PSK based VPN tunnel for roaming clients ....................................... 254

9.5. Setting up a Self-signed Certificate based VPN tunnel for roaming clients ............... 255

9.6. Setting up a CA Server issued Certificate based VPN tunnel for roaming clients ....... 256

9.7. Setting Up Config Mode ................................................................................ 258

9.8. Using Config Mode with IPsec Tunnels ............................................................ 258

9.9. Setting up an LDAP server ............................................................................. 259

9.10. Setting up a PPTP server .............................................................................. 260

9.11. Setting up an L2TP server ............................................................................ 261

9.12. Setting up an L2TP Tunnel ...........................................................................262

10.1. Applying a Simple Bandwidth Limit .............................................................. 269

10.2. Limiting Bandwidth in Both Directions ........................................................... 270

10.3. Setting up SLB ........................................................................................... 285

12.1. A simple ZoneDefense scenario .................................................................... 301

Preface

Intended Audience

The target audience for this reference guide is Administrators who are responsible for configuring and managing D-Link Firewalls which are running the NetDefendOS operating system. This guide assumes that the reader has some basic knowledge of networks and network security.

Text Structure and Conventions

The text is broken down into chapters and sub-sections. Numbered sub-sections are shown in the table of contents at the beginning. An index is included at the end of the document to aid with alphabetical lookup of subjects.

Where a "See chapter/section" link (such as: see ) is provided in the main text this can be clicked to take the reader directly to that reference.

Text that may appear in the user interface of the product is designated by being in bold case. Where is term is being introduced for the first time or being stressed it may appear in a italics.

Where console interaction is shown in the main text outside of an example this will appear in a box with a gray background.

Where a web address reference is shown in the text this will open the specified URL in a browser in a new window when clicked (some systems may not allow this). For example: http://www.dlink.com.

Examples

Examples in the text are denoted by the header Example and appear with a gray background as shown below. They contain a CLI example and/or a Web Interface example as appropriate. (The accompanying "CLI Reference Guide" documents all CLI commands).

Example 1. Example Notation

Information about what the example is trying to achieve is found here, sometimes with an explanatory image.

CLI

The Command Line Interface example would appear here. It would start with the command prompt followed by the command:

gw-world:/> somecommand someparameter=somevalue

Web Interface

The Web Interface actions for the example are shown here. They are typically a numbered list showing what items in the tree-view list at the left of the interface or in the menu bar or in a context menu need to be opened followed by information about the data items that need to be entered:

1. Go to Item X > Item Y > Item Z

2. Now enter:

• DataItem1: datavalue1

• DataItem2: datavalue2

Highlighted Content Preface

Highlighted Content

Special sections of text which the reader should pay special attention to are indicated by icons on the left hand side of the page followed by a short paragraph in italicized text. Such sections are of the following types with the following purposes:

Note

This indicates some piece of information that is an addition to the preceding text. It may concern something that is being emphasized, or something that is not obvious or explicitly stated in the preceding text.

Tip

This indicates a piece of non-critical information that is useful to know in certain situations but is not essential reading.

Caution

This indicates where the reader should be careful with their actions as an undesirable situation may result if care is not exercised.

Important

This is an essential point that the reader should read and understand.

Warning

This is essential reading for the user as they should be aware that a serious situation may result if certain actions are taken or not taken.

Chapter 1. Product Overview

This chapter outlines the key features of NetDefendOS.

• About D-Link NetDefendOS, page 14

• NetDefendOS Architecture, page 16

• NetDefendOS State Engine Packet Flow, page 19

1.1. About D-Link NetDefendOS

D-Link NetDefendOS is the firmware, the software engine that drives and controls all D-Link Firewall products.

Designed as a network security operating system, NetDefendOS features high throughput performance with high reliability plus super-granular control. In contrast to products built on standard operating systems such as Unix or Microsoft Windows, NetDefendOS offers seamless integration of all subsystems, in-depth administrative control of all functionality as well as a minimal attack surface which helps negate the risk of being a target for security attacks.

From the administrator's perspective the conceptual approach of NetDefendOS is to visualize operations through a set of logical building blocks or objects, which allow the configuration of the product in an almost limitless number of different ways. This granular control allows the administrator to meet the requirements of the most demanding network security scenario.

NetDefendOS is an extensive and feature-rich network operating system. The list below presents the most essential features:

IP Routing

Address Translation

Firewalling

NetDefendOS provides a variety of options for IP routing including static routing, dynamic routing, as well as multicast routing capabilities. In addition, NetDefendOS supports features such as Virtual LANs, Route Monitoring, Proxy ARP and Transparency. For more information, please see Chapter 4, Routing.

For functionality as well as security reasons, NetDefendOS supports policy-based address translation. Dynamic Address Translation (NAT) as well as Static Address Translation (SAT) is supported, and resolves most types of address translation needs. This feature is covered in Chapter 7, Address Translation.

At the heart of the product, NetDefendOS features stateful inspection-based firewalling for common protocols such as TCP, UDP and ICMP. As an administrator, you have the possibility to define detailed firewalling policies based on source and destination network and interface, protocol, ports, user credentials, time-of-day and much more. Section 3.5, “The IP Rule Set”, describes how to use the firewalling aspects of NetDefendOS.

Intrusion Detection and Prevention

To mitigate application-layer attacks towards vulnerabilities in services and applications, NetDefendOS provides a powerful Intrusion Detection and Prevention (IDP) engine. The IDP engine is policy-based and is able to perform high-performance scanning and detection of attacks and can perform blocking and optional black-listing of attacking

1.1. About D-Link NetDefendOS Chapter 1. Product Overview

hosts. For more information about the IDP capabilities of NetDefendOS, please see Section 6.5, “Intrusion Detection and Prevention”.

Anti-Virus

Web Content Filtering

Virtual Private Networking

Traffic Management

NetDefendOS features integrated gateway anti-virus functionality. Traffic passing through the gateway can be subjected to in-depth scanning for viruses, and attacking hosts can be blocked and black-listed at your choice. Section 6.4, “Anti-Virus Scanning”, provides more information about how to use the integrated anti-virus feature.

NetDefendOS provides various mechanisms for filtering web content that is deemed inappropriate according to your web usage policy. Web content can be blocked based on category, malicious objects can be removed and web sites can be whitelisted or blacklisted in multiple policies. For more information, please see Section 6.3, “Web Content Filtering”.

A device running NetDefendOS is highly suitable for participating in a Virtual Private Network (VPN). NetDefendOS supports IPsec, L2TP and PPTP based VPNs concurrently, can act as either server or client for all of the VPN types, and can provide individual security policies for each VPN tunnel. Virtual Private Networking is covered in detail by Chapter 9, VPN.

With the support of Traffic Shaping, Threshold Rules and Server Load Balancing features, NetDefendOS is optimal for traffic management. The Traffic Shaping feature enables fine-granular limiting and balancing of bandwidth; Threshold Rules allows for implementing various types of thresholds where to alarm or limit network traffic, and Server Load Balancing enables a device running NetDefendOS to distribute network load to multiple hosts. Chapter 10, Traffic Management, provides more detailed information on the various traffic management capabilities.

Operations and Maintenance

ZoneDefense

Reading through this documentation carefully will ensure that you get the most out of your NetDefendOS product. In addition to this document, the reader should also be aware of the companion volumes:

• The NetDefendOS CLI Guide which details all NetDefendOS console commands.

• The NetDefendOS Log Reference Guide which details all NetDefendOS log event messages. These documents together form the essential documentation for NetDefendOS operation.

To facilitate management of a NetDefendOS device, administrative control is enabled through a Web-based User Interface or via the Command Line Interface. In addition, NetDefendOS provides very detailed event and logging capabilities and support for monitoring using standards such as SNMP. For more information, please see Chapter 2, Management and Maintenance.

NetDefendOS can be used to control D-Link switches using the ZoneDefense feature.

Note

High Availability, Anti-Virus, Web Content Filtering and ZoneDefense are not available with some models as specified in the chapters relating to those features.

1.2. NetDefendOS Architecture Chapter 1. Product Overview

1.2. NetDefendOS Architecture

1.2.1. State-based Architecture

The NetDefendOS architecture is centered around the concept of state-based connections. Traditional IP routers or switches commonly inspect all packets and then perform forwarding decisions based on information found in the packet headers. With this approach, packets are forwarded without any sense of context which eliminates any possibility to detect and analyze complex protocols and enforce corresponding security policies.

Stateful Inspection

NetDefendOS employs a technique called stateful inspection which means that it inspects and forwards traffic on a per-connection basis. NetDefendOS detects when a new connection is being established, and keeps a small piece of information or state in it's state table for the lifetime of that connection. By doing this, NetDefendOS is able to understand the context of the network traffic, which enables it to perform in-depth traffic scanning, apply bandwidth management and much more.

The stateful inspection approach additionally provides high throughput performance with the added advantage of a design that is highly scalable. The NetDefendOS subsystem that implements stateful inspection will sometimes be referred to in documentation as the NetDefendOS state-engine.

1.2.2. NetDefendOS Building Blocks

The basic building blocks in NetDefendOS are interfaces, logical objects and various types of rules (or rule sets).

Interfaces

Interfaces are the doorways for network traffic passing through, to or from the system. Without interfaces, a NetDefendOS system has no means for receiving or sending traffic. Several types of interfaces are supported; Physical Interfaces, Physical Sub-Interfaces and Tunnel Interfaces. Physical interfaces corresponds to actual physical Ethernet ports; physical sub-interfaces include VLAN and PPPoE interfaces while tunnel interfaces are used for receiving and sending traffic in VPN tunnels.

Interface Symmetry

The NetDefendOS interface design is symmetric, meaning that the interfaces of the device are not fixed as being on the "insecure outside" or "secure inside" of a network topology. The notion of what is inside and outside is totally for the administrator to define.

Logical Objects

Logical objects can be seen as pre-defined building blocks for use by the rule sets. The address book, for instance, contains named objects representing host and network addresses. Another example of logical objects are services , representing specific protocol and port combinations. Also important are the Application Layer Gateway (ALG) objects which are used to define additional parameters on specific protocols such as HTTP, FTP, SMTP and H.323.

NetDefendOS Rule Sets

Finally, rules which are defined by the administrator in the various rule sets are used for actually implementing NetDefendOS security policies. The most fundamental set of rules are the IP Rules, which are used to define the layer 3 IP filtering policy as well as carrying out address translation and server load balancing. The Traffic Shaping Rules define the policy for bandwidth management, the IDP Rules control the behavior of the intrusion prevention engine and so on.

1.2.3. Basic Packet Flow Chapter 1. Product Overview

1.2.3. Basic Packet Flow

This section outlines the basic flow in the state-engine for packets received and forwarded by NetDefendOS. Please note that this description is simplified and might not be fully applicable in all scenarios. The basic principle, however, is still valid in all applications.

1. An Ethernet frame is received on one of the Ethernet interfaces in the system. Basic Ethernet

frame validation is performed and the packet is dropped if the frame is invalid.

2. The packet is associated with a Source Interface. The source interface is determined as follows:

• If the Ethernet frame contains a VLAN ID (Virtual LAN identifier), the system checks for a configured VLAN interface with a corresponding VLAN ID. If one is found, that VLAN interface becomes the source interface for the packet. If no matching interface is found, the packet is dropped and the event is logged.

• If the Ethernet frame contains a PPP payload, the system checks for a matching PPPoE interface. If one is found, that interface becomes the source interface for the packet. If no matching interface is found, the packet is dropped and the event is logged.

• If none the above is true, the receiving Ethernet interface becomes the source interface for the packet.

3. The IP datagram within the packet is passed on to the NetDefendOS Consistency Checker. The consistency checker performs a number of sanity checks on the packet, including validation of checksums, protocol flags, packet length and so on. If the consistency checks fail, the packet gets dropped and the event is logged.

4. NetDefendOS now tries to lookup an existing connection by matching parameters from the incoming packet. A number of parameters are used in the match attempt, including the source interface, source and destination IP addresses and IP protocol.

If a match cannot be found, a connection establishment process starts which includes steps from here to 9 below. If a match is found, the forwarding process continues at step 10 below.

5. The Access Rules are evaluated to find out if the source IP address of the new connection is allowed on the received interface. If no Access Rule matches then a reverse route lookup will be done. In other words, by default, an interface will only accept source IP addresses that belong to networks routed over that interface. If the Access Rules or the reverse route lookup determine that the source IP is invalid, then the packet is dropped and the event is logged.

6. A route lookup is being made using the appropriate routing table. The destination interface for the connection has now been determined.

7. The IP rules are now searched for a rule that matches the packet. The following parameters are part of the matching process:

• Source and destination interfaces

• Source and destination network

• IP protocol (for example TCP, UDP, ICMP)

• TCP/UDP ports

• ICMP types

• Point in time in reference to a pre-defined schedule If a match cannot be found, the packet is dropped. If a rule is found that matches the new connection, the Action parameter of the rule decides

what NetDefendOS should do with the connection. If the action is Drop, the packet is dropped

1.2.3. Basic Packet Flow Chapter 1. Product Overview

and the event is logged according to the log settings for the rule. If the action is Allow, the packet is allowed through the system. A corresponding state will be

added to the connection table for matching subsequent packets belonging to the same connection. In addition, the Service object which matched the IP protocol and ports might have contained a reference to an Application Layer Gateway (ALG) object. This information is recorded in the state so that NetDefendOS will know that application layer processing will have to be performed on the connection.

Finally, the opening of the new connection will be logged according to the log settings of the rule.

Note

There are actually a number of additional actions available such as address translation and server load balancing. The basic concept of dropping and allowing traffic is still the same.

8. The Intrusion Detection and Prevention (IDP) Rules are now evaluated in a similar way to the IP rules. If a match is found, the IDP data is recorded with the state. By doing this, NetDefendOS will know that IDP scanning is supposed to be conducted on all packets belonging to this connection.

9. The Traffic Shaping and the Threshold Limit rule sets are now searched. If a match is found, the corresponding information is recorded with the state. This will enable proper traffic management on the connection.

10. From the information in the state, NetDefendOS now knows what to do with the incoming packet:

• If ALG information is present or if IDP scanning is to be performed, the payload of the

packet is taken care of by the TCP Pseudo-Reassembly subsystem, which in turn makes use of the different Application Layer Gateways, layer 7 scanning engines and so on, to further analyze or transform the traffic.

• If the contents of the packet is encapsulated (such as with IPsec, L2TP/PPTP or some other

type of tunneled protocol), then the interface lists are checked for a matching interface. If one is found, the packet is decapsulated and the payload (the plaintext) is sent into NetDefendOS again, now with source interface being the matched tunnel interface. In other words, the process continues at step 3 above.

• If traffic management information is present, the packet might get queued or otherwise be

subjected to actions related to traffic management.

11. Eventually, the packet will be forwarded out on the destination interface according to the state. If the destination interface is a tunnel interface or a physical sub-interface, additional processing such as encryption or encapsulation might occur.

The following section provides a set of diagrams which illustrate the flow of packets through NetDefendOS.

1.3. NetDefendOS State Engine Packet Flow

Chapter 1. Product Overview

1.3. NetDefendOS State Engine Packet Flow

The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next.

Figure 1.1. Packet Flow Schematic Part I

The packet flow is continued on the following page.

1.3. NetDefendOS State Engine Packet Flow

Figure 1.2. Packet Flow Schematic Part II

Chapter 1. Product Overview

The packet flow is continued on the following page.

Figure 1.3. Packet Flow Schematic Part III

1.3. NetDefendOS State Engine Packet Flow

Chapter 1. Product Overview

1.3. NetDefendOS State Engine Packet Flow

Chapter 1. Product Overview

Chapter 2. Management and Maintenance

This chapter describes the management, operations and maintenance related aspects of NetDefendOS.

• Managing NetDefendOS, page 23

• Events and Logging, page 35

• RADIUS Accounting, page 39

• Monitoring, page 43

• Maintenance, page 45

2.1. Managing NetDefendOS

2.1.1. Overview

NetDefendOS is designed to give both high performance and high reliability. Not only does it provide an extensive feature set, it also enables the administrator to be in full control of almost every detail of the system. This means the product can be deployed in the most challenging environments.

A good understanding on how NetDefendOS configuration is performed is crucial for proper usage of the system. For this reason, this section provides an in-depth presentation of the configuration subsystem as well as a description of how to work with the various management interfaces.

Management Interfaces

NetDefendOS provides the following management interfaces:

The WebUI

The CLI

The Web User Interface (WebUI) provides a user-friendly and intuitive graphical management interface, accessible from a standard web browser.

The Command Line Interface (CLI), accessible locally via serial console port or remotely using the Secure Shell (SSH) protocol, provides the most fine-grain control over all parameters in NetDefendOS.

Note

Microsoft Internet Explorer (version 6 and later), Firefox and Netscape (version 8 and later) are the recommended web-browsers to use with the WebUI. Other browsers may also provide full support.

Access to remote management interfaces can be regulated by a remote management policy so the administrator can restrict management access based on source network, source interface and credentials. Access to the web interface can be permitted for administrative users on a certain network, while at the same time allowing CLI access for a remote administrator connecting through a specific IPsec tunnel.

By default, Web User Interface access is enabled for users on the network connected via the LAN interface of the firewall (on products where more than one LAN interface is available, LAN1 is the default).

2.1.2. Default Administrator Accounts

2.1.3. The CLI Chapter 2. Management and Maintenance

By default, NetDefendOS has a local user database, AdminUsers, with one user account pre-defined:

• Username admin with password admin.

This account has full administrative read/write privileges.

Important

For security reasons, it is recommended to change the default password of the default account as soon as possible after connecting with the D-Link Firewall.

Creating New Accounts

Extra user accounts can be created if required. Accounts can either can belong to the Administrators group of users in which case they have complete read/write administrative access, or they can belong to the Auditors user group in which case they have read-only access.

2.1.3. The CLI

NetDefendOS provides a Command Line Interface (CLI) for administrators that prefer or require a command-line approach, or who need more granular control of system configuration. The CLI is available either locally through the serial console port, or remotely using the Secure Shell (SSH) protocol.

The CLI provides a comprehensive set of commands that allow the display and modification of configuration data as well as allowing runtime data to be displayed and allowing system maintenance tasks to be performed.

This section only provides a summary only of using the CLI. For a complete reference for all CLI commands see the separate D-Link CLI Reference Guide.

Serial Console CLI Access

The serial console port is a RS-232 port on the D-Link Firewall that allows access to the CLI through a serial connection to a PC or terminal. To locate the serial console port on your D-Link system, see the D-Link Quickstart Guide .

To use the console port, you need the following equipment:

• A terminal or a computer with a serial port and the ability to emulate a terminal (such as using

the Hyper Terminal software included in some Microsoft Windows editions). The serial console port uses the following default settings: 9600 baud, No parity, 8 bits and 1 stop bit.

• A RS-232 cable with appropriate connectors. An appliance package includes a RS-232

null-modem cable.

To connect a terminal to the console port, follow these steps:

1. Set the terminal protocol as described previously.

2. Connect one of the connectors of the RS-232 cable directly to the console port on your system hardware.

3. Connect the other end of the cable to the terminal or the serial connector of the computer running the communications software.

4. Press the enter key on the terminal. The NetDefendOS login prompt should appear on the terminal screen.

2.1.3. The CLI Chapter 2. Management and Maintenance

SSH (Secure Shell) CLI Access

The SSH (Secure Shell) protocol can be used to access the CLI over the network from a remote host. SSH is a protocol primarily used for secure communication over insecure networks, providing strong authentication and data integrity. Many SSH clients are feely available for almost all hardware platforms.

NetDefendOS supports version 1, 1.5 and 2 of the SSH protocol and SSH access is regulated by the remote management policy in NetDefendOS, and is disabled by default.

Example 2.1. Enabling SSH Remote Access

This example shows how to enable remote SSH access from the lannet network through the lan interface by adding a rule to the remote management policy.

CLI

gw-world:/> add RemoteManagement RemoteMgmtSSH ssh Network=lannet Interface=lan

Web Interface

1. Go to System > Remote Management > Add > Secure Shell Management

2. Enter a Name for the SSH remote management policy, eg. ssh_policy

3. Select the following from the dropdown lists:

• User Database: AdminUsers

• Interface: lan

• Network: lannet

4. Click OK

LocalUserDatabase=AdminUsers

Logging on to the CLI

When access to the CLI has been established to NetDefendOS through the serial console or an SSH client, the administrator will need to logon to the system before being able to execute any CLI command. This authentication step is needed to ensure that only trusted users can access the system, as well as providing user information for auditing.

When accessing the CLI, the system will respond with a login prompt. Enter your username and press Enter, followed by your password and then Enter again. After a successful logon you will see the command prompt. If a welcome message has been set then it will be displayed directly after the logon:

gw-world:/>

For security reasons, it can be advisable to disable or anonymize the CLI welcome message.

Changing the CLI Prompt

The default CLI prompt is

Device:/>

where Device is the model number of the D-Link Firewall. This can be customized, for example, to gw-world:/>, by using the CLI command:

2.1.4. The WebUI Chapter 2. Management and Maintenance

Device:/> set device name="gw-world"

The CLI Reference Guide uses the command prompt gw-world:/> throughout.

Note

When the command line prompt is changed to a new string value, this string also appears as the new device name in the top level node of the WebUI tree-view.

Activate and Committing Changes

If any changes are made to the current configuration through the CLI, those changes won't be uploaded to NetDefendOS until the command

gw-world:/> activate

is issued. Immediately following the activate command, the command:

gw-world:/> commit

should be issued to make those changes permanent. If a commit command is not issued within a default time period of 30 seconds then the changes are automatically undone and the old configuration restored.

Logging off from the CLI

After finishing working with the CLI, you should logout to avoid other people getting unauthorized access to the system. Log off by using the exit or the logout command.

2.1.4. The WebUI

NetDefendOS provides a highly versatile web user interface (WebUI) for management of the system using a standard web browser. This allows the administrator to perform remote management from virtually anywhere in the world without having to install any third-party clients.

Logging on to the Web Interface

To access the web interface, launch a standard web browser and point the browser at the IP address of the firewall. The factory default address for all D-Link Firewalls is 192.168.1.1.

When performing this initial connection to NetDefendOS, the administrator MUST use https:// as the URL protocol in the browser (for example: https://192.168.1.1). Using HTTPS as the protocol protects the username and password with encryption when they are sent to NetDefendOS.

If communication with the NetDefendOS is successfully established, a user authentication dialog similar to the one shown below will then be shown in the browser window.

2.1.4. The WebUI Chapter 2. Management and Maintenance

Enter your username and password and click the Login button. If the user credentials are correct, you will be transferred to the main web interface page. This page, with its essential parts highlighted, is shown below.

Multi-language Support

The WebUI login dialog offers the option to select a language other than english for the interface. Language support is provided by a separate set of resource files provided with NetDefendOS.

It may occasionally be the case that a NetDefendOS upgrade might contain features that temporarily lack a complete non-english translation because of time constraints. In this case the original english will be used as a temporary solution.

The Web Browser Interface

On the left hand side of the WebUI is a tree which allows navigation to the various NetDefendOS modules. The central area of the WebUI displays information about those modules. Current performance information is shown by default.

For information about the default user name and password, please see Section 2.1.2, “Default Administrator Accounts”.

Note

Access to the web interface is regulated by the remote management policy. By default, the system will only allow web access from the internal network.

Interface Layout

The main web interface page is divided into three major sections:

Menu bar

The menu bar located at the top of the web interface contains a number of buttons and drop-down menus that are used to perform configuration tasks as well as for navigation to various tools and status pages.

2.1.4. The WebUI Chapter 2. Management and Maintenance

• Home - Navigates to the first page of the web interface.

• Configuration

• Save and Activate - Saves and activates the configuration.

• Discard Changes - Discards any changes made to the configuration

during the current session.

• View Changes - List the changes made to the configuration since it was

last saved.

• Tools - Contains a number of tools that are useful for maintaining the system.

• Status - Provides various status pages that can be used for system

diagnostics.

• Maintenance

• Update Center - Manually update or schedule updates of the intrusion

detection and antivirus signatures.

• License - View license details or enter activation code.

• Backup - Make a backup of the configuration to your local computer or

restore a previously downloaded backup.

• Reset - Restart the firewall or reset to factory default.

• Upgrade - Upgrade the firewall's firmware.

Navigator

The navigator located on the left-hand side of the web interface contains a tree representation of the system configuration. The tree is divided into a number of sections corresponding to the major building blocks of the configuration. The tree can be expanded to expose additional sections.

Main Window

The main window contains configuration or status details corresponding to the section selected in the navigator or the menu bar.

Controlling Access to the Web Interface

By default, the web interface is accessible only from the internal network. If you need to enable access from other parts of the network, you can do so by modifying the remote management policy.

Example 2.2. Enabling remote management via HTTPS.

CLI

gw-world:/> add RemoteManagement RemoteMgmtHTTP https

Network=all-nets Interface=any LocalUserDatabase=AdminUsers HTTPS=Yes

Web Interface

1. Go to System > Remote Management > Add > HTTP/HTTPS Management

2. Enter a Name for the HTTP/HTTPS remote management policy, eg. https

3. Check the HTTPS checkbox

4. Select the following from the dropdown lists:

2.1.5. Working with Configurations Chapter 2. Management and Maintenance

• User Database: AdminUsers

• Interface: any

• Network: all-nets

5. Click OK

Caution

The above example is provided for informational purposes only. It is never recommended to expose any management interface to any user on the Internet.

Logging out from the Web Interface

When you have finished working in the web interface, you should always logout to prevent other users with access to your workstation to get unauthorized access to the system. Logout by clicking on the Logout button at the right of the menu bar.

Tip

If there is a problem with the management interface when communicating alongside VPN tunnels, check the main routing table and look for an all-nets route to the VPN tunnel. If no specific route exists to the management interface then all management traffic coming from NetDefendOS will automatically be routed to the VPN tunnel. If this is the case then a route should be added by the administrator to route management traffic destined for the management network to the correct interface.

2.1.5. Working with Configurations

The system configuration is built up by Configuration Objects, where each object represents a configurable item of any kind. Examples of configuration objects are routing table entries, address book entries, service definitions, IP rules and so on. Each configuration object has a number of properties that constitute the values of the object.

A configuration object has a well-defined type. The type defines the properties that are available for the configuration object, as well as the constraints for those properties. For instance, the IP4Address type is used for all configuration objects representing a named IPv4 address.

In the web user interface the configuration objects are organized into a tree-like structure based on the type of the object.

In the CLI similar configuration object types are grouped together in a category. These categories are different from the structure used in the web user interface to allow quick access to the configuration objects in the CLI. The IP4Address, IP4Group and EthernetAddress types are, for instance, grouped in a category named Address, as they all represent different addresses. Consequently, Ethernet and VLAN objects are all grouped in a category named Interface, as they are all interface objects. The categories have actually no impact on the system configuration; they are merely provided as means to simplify administration.

The following examples show how to manipulate objects.

Example 2.3. Listing Configuration Objects

To find out what configuration objects exist, you can retrieve a listing of the objects. This example shows how to list all service objects.

CLI

2.1.5. Working with Configurations Chapter 2. Management and Maintenance

gw-world:/> show Service

A list of all services will be displayed, grouped by their respective type.

Web Interface

1. Go to Objects > Services

2. A web page listing all services will be presented.

A list contains the following basic elements:

• Add Button - Displays a dropdown menu when clicked. The menu will list all types of configuration items that

can be added to the list.

• Header - The header row displays the titles of the columns in the list. The tiny arrow images next to each title

can be used for sorting the list according to that column.

• Rows - Each row in the list corresponds to one configuration item. Most commonly, each row starts with the

name of the object (if the item has a name), followed by values for the columns in the list.

A single row in the list can be selected by clicking on the row on a spot where there is no hyperlink. The background color of the row will turn dark blue. Right-clicking the row will bring up a menu where you can choose to edit or delete the object as well as modify the order of the objects.

Example 2.4. Displaying a Configuration Object

The most simple operation on a configuration object is just to show its contents, in other words the values of the object properties. This example shows how to display the contents of a configuration object representing the telnet service.

CLI

gw-world:/> show Service ServiceTCPUDP telnet

----------------- ------DestinationPorts: 23

PassICMPReturn: No

The Property column lists the names of all properties in the ServiceTCPUDP class and the Value column lists the corresponding property values.

Web Interface

1. Go to Objects > Services

2. Click on the telnet hyperlink in the list.

3. A web page displaying the telnet service will be presented.

Property Value

Name: telnet

SourcePorts: 0-65535

MaxSessions: 1000

Type: TCP

SYNRelay: No

ALG: (none)

Comments: Telnet

Note

When accessing object via the CLI you can omit the category name and just use the type name. The CLI command in the above example, for instance, could be simplified to:

gw-world:/> show ServiceTCPUDP telnet

+ 325 hidden pages

D-Link DFL-2500 User Manual

User Manual

Table of Contents

Preface

Chapter 1. Product Overview

1.1. About D-Link NetDefendOS

1.2. NetDefendOS Architecture

1.2.1. State-based Architecture

1.2.2. NetDefendOS Building Blocks

1.2.3. Basic Packet Flow

1.3. NetDefendOS State Engine Packet Flow

Chapter 2. Management and Maintenance

2.1. Managing NetDefendOS

2.1.1. Overview

2.1.2. Default Administrator Accounts

2.1.3. The CLI

2.1.4. The WebUI

2.1.5. Working with Configurations