D-link DFL-256E, DFL-860E, DFL-1660, DFL-2560 DATASHEET

Security | DFL-260E/860E/1660/2560(G)

1

DFL-260E/860E/1660/2560(G)

NetDefend UTM Firewall Series

Integrated Firewall/VPN

• Powerful Firewall Engine

• Virtual Private Network (VPN) Security

• Granular Bandwidth Management

• 802.1Q VLAN Tagging and port-based VLAN

• D-Link End-to-End Security Solutions (E2ES)

Integration with ZoneDefense

Advanced Functions

• Stateful Packet Inspection (SPI)

• Detect/Drop Intruding Packets

• Server Load Balancing

• Policy-Based Routing

Unied Threat Management

• Intrusion Prevention System (IPS)

• Antivirus (AV) Protection

• Web Content Filtering (WCF)

• Optional Service Subscriptions

Virtual Private Network

• IPSec NAT Traversal

• VPN Hub and Spoke

• IPSec, PPTP, L2TP

• DES, 3DES, AES, Twosh, Blowsh,

CAST- 128 Encryption

• Automated Key Management via

IKE/ISAKMP

• Aggressive/Main/Quick Negotiation

Enhanced Network Services

• DHCP Server/Client/Relay

• IGMP V3

• H.323 NAT Traversal

• Robust Application Security for ALGs

• OSPF Dynamic Routing Protocol

• Run-Time Web-Based Authentication

Performance Optimisation

• UTM Acceleration Engine

• Multiple WAN Interfaces for

Trac Load Sharing

Today’s continuously shifting security
environment presents a challenge for
small/home oce networks with limited IT
capabilities. Fortunately, the D-Link
NetDefend Unied Threat Management
(UTM) rewalls provide a powerful security
solution to protect business networks from
a wide variety of threats. UTM Firewalls oer
a comprehensive defense against virus
attacks, unauthorised intrusions and harmful
content, successfully enhancing fundamental
capabilities for managing, monitoring and
maintaining a healthy network.

Enterprise-Class Firewall Security

NetDefend UTM Firewalls provide complete
advanced security features to manage,
monitor, and maintain a healthy and secure
network. Network management features
include: Remote Management, Bandwidth
Control Policies URL Black/White Lists,
Access Policies, and SNMP. For network
monitoring, these rewalls support e-mail
alerts, system logs, consistency checks and
real-time statistics.

Unied Threat Management

NetDefend UTM Firewalls integrate an
intrusion detection and prevention system,
gateway antivirus and content ltering for
superior Layer 7 content inspection protection.
An acceleration engine increases throughput,
while the real-time update service keeps the
IPS information, antivirus signatures, and
URL databases current. Combined, these
enhancements help to protect the oce
network from application exploits, network
worms, malicious code attacks and provide
everything a business needs to safely
manage employee Internet access.

Powerful VPN Performance

NetDefend UTM Firewalls oer an integrated
VPN Client and Server. This allows remote
oces to securely connect to a head oce
or a trusted partner network. Mobile users
working from home or remote locations can
also safely connect to the oce network to
access company data and e-mail. NetDefend
UTM Firewalls have hardware-based VPN
engines to support and manage a large
number of VPN congurations. They support
IPSec, PPTP, and L2TP protocols in Client
Server mode and can handle pass- through
trac as well. Advanced VPN conguration
options include: DES/3DES/AES/Twosh/
Blowsh/ CAST-128 encryption, Manual or
IKE/ISAKMP key management, Quick/Main/
Aggressive Negotiation modes, and VPN
authentication support using either an external
RADIUS server or a large user database.

UTM Services

Maintaining an eective defense against the
various threats originating from the Internet,
requires that all three databases used by the
NetDefend UTM Firewalls are kept up-to-date.
In order to provide a robust defense, D-Link
oers optional NetDefend Firewall UTM
Service subscriptions which include updates
for each aspect of defense: Intrusion
Prevention Systems (IPS), Antivirus and Web
Content Filtering (WCF). NetDefend UTM
Subscriptions ensure that each of the
rewall’s service databases are complete
and eective.

Security | DFL-260E/860E/1660/2560(G)

2

DFL-260E/860E/1660/2560(G)

NetDefend UTM Firewall Series

Robust Intrusion Prevention

The NetDefend UTM Firewalls employ
component- based signatures. A unique IPS
technology which recognises and protects
against all varieties of known and unknown
attacks. This system can address all critical
aspects of an attack or potential attack
including payload, NOP sled, infection, and
exploits. In terms of signature coverage,
the IPS database includes attack information
and data from a global attack sensor-grid
and exploits collected data from public sites.
The NetDefend UTM Firewalls constantly
create and optimise NetDefend signatures
via the D-Link Auto-Signature Sensor System
without overloading existing security
appliances. These signatures ensure a high
ratio of detection accuracy and a low ratio
of false positives.

Stream-Based Virus Scanning

The NetDefend UTM Firewalls examine les
of any size, using a stream-based virus
scanning technology which eliminates the
need to cache incoming les. This zero-cache
scanning method not only increases inspection
performance, but also reduces network
bottlenecks. NetDefend UTM rewalls use
virus signatures from Kaspersky Labs to
provide systems with reliable and accurate
antivirus protection, as well as prompt signature
updates. Consequentially, viruses and malware
can be blocked before they reach the
desktops or mobile devices.

Web Content Filtering

Web Content Filtering helps administrators
monitor, manage and control employee
Internet usage. The NetDefend UTM Firewalls
implement multiple global index servers with
millions of URLs and real-time website data
to enhance performance capacity and
maximize service availability. These rewalls

use granular policies and explicit black/
white lists to control access to certain types
of websites for any combination of users,
interfaces and IP networks. The rewall can
actively handle Internet content by stripping
potential malicious objects, such as Java
Applets, JavaScripts/VBScripts, ActiveX
objects, and cookies.

NetDefend UTM Subscription

The standard NetDefend UTM Subscription
provides your rewall with UTM service
updates for 12 months* starting from the
day you activate or extend your service.
The NetDefend UTM Subscription can be
renewed regularly to provide your rewalls
with the most up-to-date security service
available from D-Link.

NetDefend Center: http://www.netdefend.eu

*Actual service package may vary depending on region.

Powerful VPN Engine

Hardware-based data encryption and
authentication for IPSec, PPTP, and L2TP
in Client/Server mode enable fast and
safe handling of VPN trac. The Professional
Intrusion Prevention System (IPS) automatically
updates from a comprehensive IPS signature
database focus on attack payloads to protect
the network against zero-day attacks. The Real­Time Antivirus Inspection engine scans using
the most complete, most up-to-date antivirus
signature database. Streaming-based pattern
matching provides the effective protection
against viruses.

DFL-260E

• Firewall Throughput: 150 Mbps

• VPN Performance: 45 Mbps (3DES/AES)

• 1 10/100/1000 Ethernet WAN Ports

• 5 10/100/1000 Ethernet LAN Ports

• 1 10/100/1000 Ethernet DMZ Port

DFL-860E

• Firewall Throughput: 200 Mbps

• VPN Performance: 60 Mbps (3DES/AES)

• 2 10/100/1000 Ethernet WAN Ports

• 8 10/100/1000 Ethernet LAN Ports

• 1 10/100/1000 Ethernet DMZ Port

DFL-1660

• Firewall Throughput: 1.2 Gbps

• VPN Performance: 350 Mbps (3DES/AES)

• 6 Congurable Gigabit Ethernet Ports

DFL-2560(G)

• Firewall Throughput: 2 Gbps

• VPN Performance: 1 Gbps (3DES/AES)

• 10 Congurable Gigabit Ethernet Ports

• 4 SFP Ports (DFL-2560G)

Fast, Ecient Web Content Filtering

Multiple index server implementation,
granular policies, black lists and active
content handlingenhance performance
and eectiveness of web surng control.

Acceleration Engine for Unied
Threat Management

A powerful processor allows the rewall
to carry out IPS and Antivirus scanning
simultaneously without performance
degradation.

Licensed for Unlimited Users

Optional subscription services for IPS,
Antivirus Scanning and Web Content Filtering
are priced per rewall rather than per user,
thus reducing the total cost of ownership for
licensing.

WAN Link Load-Balancing and
Fault-Tolerance

Multiple WAN ports support trac load
balancing and failover, guaranteeing Internet
availability and bandwidth.

D-Link End-to-End Security (E2ES)
Solutions*

The ZoneDefense mechanism operating in
conjunction with D-Link xStack switches
automatically quarantines infected
workstations and prevents them from
ooding the internal network with
malicious trac.

*For DFL-860E, DFL-1660, and DFL-2560(G) only

D-Link Green Certied

The D-Link Green certied DFL-1660 and
DFL-2560(G) are built with an 80 PLUS
internal power supply. 80 PLUS certied
power supplies oer increased reliability due
to greater eciency, and provide a reduced
cost of ownership through longer equipment
life. Additionally, 80 PLUS power supplies
help prevent pollution by limiting energy
consumption, and run at a lower temperature
to reduce cooling costs.

The DFL-260E and DFL-860E save energy
automatically through cable length and link
status detection. By detecting the length of
cables connected to a port, the amount of
power used for the port can be adjusted,
only using as much as is needed. The DFL­260E/860E can also detect if a port is not in
use, such as when a connected computer
is shut down or if nothing is connected to
the port, and can automatically reduce the
power used for that port, cutting energy
used for it by a substantial amount.

D-Link Green certied devices comply with
RoHS (Restriction of Hazardous Substances)
and WEEE (Waste Electrical and Electronic
Equipment) directives. RoHS directives
restrict the use of specic hazardous
materials during manufacturing, while
WEEE implements standards for proper
recycling and disposal. Together, these
considerations make D-Link Green rewall
products the environmentally responsible
choice.

dlink

3

DFL-260E/860E/1660/2560(G)

NetDefend UTM Firewall Series

Security | DFL-260E/860E/1660/2560(G)

Technical Specifications DFL-260E DFL-860E DFL-1660 DFL-2560(G)

Interfaces

Ethernet

1 10/100/1000 WAN
1 10/100/1000 DMZ

(congurable)

5 10/100/1000 LAN

2 10/100/1000 WAN
1 10/100/1000 DMZ

(congurable)

8 10/100/1000 LAN

6 congurable

10/100/1000

10 congurable

10/100/1000

SFP

4 SFP ports (DFL-

2560G only)

7

USB

2 USB ports

(reserved)

2 USB ports

(reserved)

2 USB ports

(reserved)

2 USB ports

(reserved)

Console RJ-45 RJ-45 1 DB-9 RS-232 1 DB-9 RS-232

System
Performance

1

Firewall Throughput

2

150 Mbps 200 Mbps 1.2 Gbps 2 Gbps

VPN Throughput

3

45 Mbps 60 Mbps 350 Mbps 1 Gbps

IPS Throughput

4

60 Mbps 80 Mbps 400 Mbps 600 Mbps

Antivirus Through­put

4

35 Mbps 50 Mbps 225 Mbps 450 Mbps

Concurrent Sessions 25,000

5

40,000

5

600,000 1,500,000

New Sessions
(per second)

2,000 4,000 15,000 20,000

Policies 500 1,000 4,000 6,000

Firewall System

Transparent Mode √ √ √ √

NAT, PAT √ √ √ √

Dynamic Routing
Protocol

OSPF

H.323 NAT Traversal √ √ √ √

Time-Scheduled
Policies

√ √ √ √

Application Layer
Gateway

√ √ √ √

Proactive End-Point
Security

ZoneDefense

Networking

DHCP Server/Client √ √ √ √

DHCP Relay √ √ √ √

Policy-Based Routing √ √ √ √

IEEE 802.1q VLAN 8 16 1024 2048

Port-based VLAN √ √ √ √

IP Multicast IGMP v3

4

Security | DFL-260E/860E/1660/2560(G)

Technical Specifications DFL-260E DFL-860E DFL-1660 DFL-2560(G)

Virtual Private
Network (VPN)

Encryption Methods

(DES/ 3DES/ AES/ Twosh/
Blowsh/ CAST-128)

√ √ √ √

Dedicated VPN
Tunnels

100 300

5

2,500 5,000

PPTP/L2TP Server √ √ √ √

Hub and Spoke √ √ √ √

IPSec NAT Traversal √ √ √ √

SSL VPN Available in future update

Traffic Load
Balancing

Outbound Load
Balancing

√ √ √ √

Server Load
Balancing

√ √ √

Outbound Load
Balance Algorithms

Round-robin, Weight-based Round-robin, Destination-based, Spill-over

Trac Redirect at
Fail-Over

√ √ √ √

Bandwidth
Management

Policy-Based Trac
Shaping

√ √ √ √

Guaranteed
Bandwidth

√ √ √ √

Maximum
Bandwidth

√ √ √ √

Priority Bandwidth √ √ √ √

Dynamic Bandwidth
Balancing

√ √ √ √

High Availability
(HA)

WAN Fail-Over √ √ √ √

Active-Passive Mode √ √

Device Failure
Detection

√ √

Link Failure
Detection

√ √

FW/VPN Session SYN √ √

Intrusion
Detection &
Prevention
System
(IDP/IPS)

Automatic Pattern
Update

√ √ √ √

DoS, DDoS
Protection

√ √ √ √

Attack Alarm via
E-mail

√ √ √ √

Advanced IDP/IPS
Subscription

√ √ √ √

IP Blacklist by
Threshold or IDP/IPS

√ √ √

5

Security | DFL-260E/860E/1660/2560(G)

Technical Specifications DFL-260E DFL-860E DFL-1660 DFL-2560(G)

Content
Filtering

HTTP Type URL Blacklist/Whitelist

Script Type Java, Cookie, ActiveX, VB

E-mail Type E-mail Blacklist/Whitelist

External Database
Content Filtering

√ √ √ √

Antivirus

Real Time AV
Scanning

√ √ √ √

Unlimited File Size √ √ √ √

Scans VPN Tunnels √ √ √ √

Supports
Compressed Files

√ √ √ √

Signature Licensor Kaspersky

Automatic Pattern
Update

√ √ √ √

Physical &
Environmental

Power Supply Internal Power Supply 80 PLUS Internal Power Supply

Dimensions

280 x 180 x 44 mm

11” Rack-Mount

330 x 180 x 44 mm

13” Rack-Mount

440 x 400 x 44 mm

19” Standard Rack-Mount

Operating
Temperature

0° to 40° C

Storage Temperature -20° to 70° C

Operating Humidity 5% to 95% non-condensing

EMI

FCC Class A

CE Class A

C-Tick

VCCI

Safety UL LVD (EN60950-1) LVD (EN60950-1) cUL, CB

MTBF 186,614 Hours 140,532 Hours 400,000 Hours 310,000 Hours

1

Actual performance may vary depending on network conditions and activated services.

2

The maximum rewall plaintext throughput is based on RFC2544 testing methodologies.

3

VPN throughput is measured using UDP trac at 1420 byte packet size adhering to RFC 2544.

4

IPS and Anti-Virus performance test is based on HTTP protocol with a 1Mb le attachment run on the IXIA IxLoad.

Testing is done with multiple ows through multiple port pairs.

5

Performance based on rmware 2.27.00 and above.

6

Available when DMZ port is congured as WAN port.

7

Compatible with D-Link SFP module transceivers: DEM-310GT, DEM-311GT, DEM-312GT2, DEM-314GT, DEM-315GT, DEM-330T, DEM-330R,

DEM-331T, DEM-331R.

6

Security | DFL-260E/860E/1660/2560(G)

7

Secure Network Implementation Using NetDefend

TM

UTM Firewalls

Security | DFL-260E/860E/1660/2560(G)

D-Link Corporation, No. 289 Xinhu 3rd Road, Neihu, Taipei 114, Taiwan. Specications are subject to change without notice. D-Link is a registered trademark of D-Link Corporation and its overseas subsidiaries.

All other trademarks belong to their respective owners. ©2010 D-Link Corporation. All rights reserved. Release 02 (October 2010)

8

Security | DFL-260E/860E/1660/2560(G)

D-Link European HQ

www.dlink.eu

Albania

www.dlink.eu

Adria

www.dlink.eu

Austria

www.dlink.at

Belgium

www.dlink.be

Bosnia & Herzegovina

www.dlink.eu

Bulgaria

www.dlink.eu

Croatia

www.dlink.eu

Czech Republic

www.dlink.cz

Denmark

www.dlink.dk

Finland

France

www.dlink.fr

Germany

www.dlink.de

Greece

www.dlink.gr

Hungary

www.dlink.hu

Italy

www.dlink.it

Kosovo

www.dlink.eu

Luxembourg

www.dlink.lu

Montenegro

www.dlink.eu

Netherlands

www.dlink.nl

Norway

www.dlink.no

Poland

www.dlink.pl

Portugal

www.dlink.pt

Romania

www.dlink.ro

Serbia

www.dlink.eu

Slovenia

www.dlink.eu

Spain

www.dlink.es

Sweden

www.dlink.se

Switzerland

www.dlink.ch

UK & Ireland

www.dlink.co.uk

www.dlink.fr.it

D-Link Europe