D-Link NetDefend DFL-800 User manual

Network Security Solution http://www.dlink.com

Security

DFL-210/ 800/1600/ 2500

DFL-260/ 860

Ver. 1.05

Network Security Firewall

User Manual

DFL-210/260/800/860/1600/2500

NetDefendOS version 2.12

D-Link Corporation

No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C.

http://www.DLink.com

Published 2007-05-29

User Manual

DFL-210/260/800/860/1600/2500

NetDefendOS version 2.12

Published 2007-05-29

Copyright Notice

This publication, including all photographs, illustrations and software, is protected under interna-

herein, may be reproduced without written consent of the author.

Disclaimer

The information in this document is subject to change without notice. The manufacturer makes no

representations or warranties with respect to the contents hereof and specifically disclaim any im-

plied warranties of merchantability or fitness for any particular purpose. The manufacturer reserves

the right to revise this publication and to make changes from time to time in the content hereof

without obligation of the manufacturer to notify any person of such revision or changes.

Limitations of Liability

UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR DAM-

AGES OF ANY CHARACTER (E.G. DAMAGES FOR LOSS OF PROFIT, SOFTWARE RES-

TORATION, WORK STOPPAGE, LOSS OF SAVED DATA OR ANY OTHER COMMERCIAL

DAMAGES OR LOSSES) RESULTING FROM THE APPLICATION OR IMPROPER USE OF

THE D-LINK PRODUCT OR FAILURE OF THE PRODUCT, EVEN IF D-LINK IS INFORMED

OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LI-

ABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES.

D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE

AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE PRODUCT.

Table of Contents

Preface .............................................................................................................. xii

1. Product Overview .............................................................................................. 1

1.1. About D-Link NetDefendOS ..................................................................... 1

1.2. NetDefendOS Architecture ....................................................................... 3

1.2.1. State-based Architecture ................................................................ 3

1.2.2. NetDefendOS Building Blocks ........................................................ 3

1.2.3. Basic Packet Flow ......................................................................... 3

1.3. NetDefendOS Packet Flow ........................................................................ 6

2. Operations and Maintenance ...............................................................................10

2.1. Configuring NetDefendOS .......................................................................10

2.1.1. Overview ...................................................................................10

2.1.2. Default User Accounts ..................................................................10

2.1.3. Command Line Interface (CLI) ......................................................11

2.1.4. Web Interface .............................................................................13

2.1.5. Working with Configurations .........................................................15

2.2. Events and Logging ................................................................................21

2.2.1. Overview ...................................................................................21

2.2.2. Event Messages ...........................................................................21

2.2.3. Event Message Distribution ...........................................................21

2.3. RADIUS Accounting ..............................................................................24

2.3.1. Overview ...................................................................................24

2.3.2. RADIUS Accounting messages ......................................................24

2.3.3. Interim Accounting Messages ........................................................26

2.3.4. Activating RADIUS Accounting .....................................................26

2.3.5. RADIUS Accounting Security ........................................................26

2.3.6. RADIUS Accounting and High Availability ......................................26

2.3.7. Handling Unresponsive Servers ......................................................27

2.3.8. Accounting and System Shutdowns .................................................27

2.3.9. Limitations with NAT'ed Networks .................................................27

2.4. Maintenance ..........................................................................................28

2.4.1. Reset to Factory Defaults ..............................................................28

2.4.2. Configuration Backup and Restore ..................................................28

2.4.3. Auto-Update Mechanism ...............................................................29

3. Fundamentals ...................................................................................................31

3.1. The Address Book ..................................................................................31

3.1.1. Overview ...................................................................................31

3.1.2. IP Addresses ...............................................................................31

3.1.3. Ethernet Addresses .......................................................................33

3.1.4. Address Groups ...........................................................................34

3.1.5. Auto-Generated Address Objects ....................................................34

3.2. Services ................................................................................................35

3.2.1. Overview ...................................................................................35

3.2.2. TCP and UDP Based Services ........................................................36

3.2.3. ICMP Services ............................................................................37

3.2.4. Custom IP Protocol Services ..........................................................38

3.3. Interfaces ..............................................................................................40

3.3.1. Overview ...................................................................................40

3.3.2. Ethernet .....................................................................................41

3.3.3. Virtual LAN ...............................................................................43

3.3.4. PPPoE .......................................................................................43

3.3.5. Interface Groups ..........................................................................45

3.4. ARP ....................................................................................................47

3.4.1. Overview ...................................................................................47

3.4.2. ARP in NetDefendOS ...................................................................47

3.4.3. ARP Cache .................................................................................47

3.4.4. Static and Published ARP Entries ....................................................48

3.4.5. Advanced ARP Settings ................................................................50

iv

3.5. The IP Rule-Set .....................................................................................52

3.5.1. Overview ...................................................................................52

3.5.2. Rule Evaluation ...........................................................................52

3.5.3. IP Rule components .....................................................................53

3.5.4. Editing IP Rule-set Entries .............................................................54

3.6. Schedules .............................................................................................55

3.7. X.509 Certificates ..................................................................................57

3.7.1. Overview ...................................................................................57

3.7.2. The Certification Authority ............................................................57

3.7.3. Validity Time ..............................................................................57

3.7.4. Certificate Revocation Lists ...........................................................57

3.7.5. Trusting Certificates .....................................................................58

3.7.6. Identification Lists .......................................................................58

3.7.7. X.509 Certificates in NetDefendOS .................................................58

3.8. Setting Date and Time .............................................................................59

3.8.1. General Date and Time Settings ......................................................59

3.8.2. Time Servers ..............................................................................60

3.9. DNS Lookup .........................................................................................64

4. Routing ...........................................................................................................66

4.1. Overview ..............................................................................................66

4.2. Static Routing ........................................................................................67

4.2.1. Static Routing in NetDefendOS ......................................................68

4.2.2. Route Failover ............................................................................71

4.2.3. Proxy ARP .................................................................................75

4.3. Policy-based Routing ..............................................................................76

4.3.1. Overview ...................................................................................76

4.3.2. Policy-based Routing Tables ..........................................................76

4.3.3. Policy-based Routing Rules ...........................................................76

4.3.4. Policy-based Routing Table Selection ..............................................77

4.3.5. The Ordering parameter ................................................................77

4.4. Dynamic Routing ...................................................................................80

4.4.1. Dynamic Routing overview ...........................................................80

4.4.2. OSPF ........................................................................................81

4.4.3. Dynamic Routing Policy ...............................................................84

4.5. Transparent Mode ..................................................................................88

4.5.1. Overview of Transparent Mode ......................................................88

4.5.2. Comparison with Routing mode .....................................................88

4.5.3. Transparent Mode implementation ..................................................88

4.5.4. Enabling Transparent Mode ...........................................................89

4.5.5. Transparent Mode example scenarios ..............................................89

5. DHCP Services ................................................................................................96

5.1. Overview ..............................................................................................96

5.2. DHCP Servers .......................................................................................97

5.3. Static DHCP Assignment .........................................................................99

5.4. DHCP Relaying ...................................................................................100

6. Security Mechanisms .......................................................................................102

6.1. Access Rules .......................................................................................102

6.1.1. Introduction ..............................................................................102

6.1.2. IP spoofing ...............................................................................102

6.1.3. Access Rule Settings ..................................................................103

6.2. Application Layer Gateways ...................................................................105

6.2.1. Overview .................................................................................105

6.2.2. Hyper Text Transfer Protocol .......................................................105

6.2.3. File Transfer Protocol .................................................................105

6.2.4. Simple Mail Transfer Protocol ......................................................110

6.2.5. H.323 ......................................................................................111

6.3. Intrusion Detection and Prevention ..........................................................125

6.3.1. Overview .................................................................................125

6.3.2. IDP Availability in D-Link Models ...............................................125

6.3.3. IDP Rules .................................................................................126

6.3.4. Insertion/Evasion Attack Prevention ..............................................127

6.3.5. IDP Pattern Matching .................................................................128

6.3.6. IDP Signature Groups .................................................................129

User Manual

v

6.3.7. IDP Actions ..............................................................................131

6.3.8. SMTP Log Receiver for IDP Events ..............................................131

6.4. Anti-Virus ..........................................................................................135

6.4.1. Overview .................................................................................135

6.4.2. Implementation .........................................................................135

6.4.3. Activation ................................................................................136

6.4.4. The Signature Database ..............................................................136

6.4.5. Subscribing to the D-Link Anti-Virus Service .................................136

6.4.6. Anti-Virus Options .....................................................................137

6.5. Web Content Filtering ...........................................................................140

6.5.1. Overview .................................................................................140

6.5.2. Active Content Handling .............................................................140

6.5.3. Static Content Filtering ...............................................................141

6.5.4. Dynamic Content Filtering ..........................................................143

6.6. Denial-Of-Service (DoS) Attacks ............................................................155

6.6.1. Overview .................................................................................155

6.6.2. DoS Attack Mechanisms .............................................................155

6.6.3. Ping of Death and Jolt Attacks .....................................................155

6.6.4. Fragmentation overlap attacks: Teardrop, Bonk, Boink and Nestea ......156

6.6.5. The Land and LaTierra attacks .....................................................156

6.6.6. The WinNuke attack ...................................................................156

6.6.7. Amplification attacks: Smurf, Papasmurf, Fraggle ...........................157

6.6.8. TCP SYN Flood Attacks .............................................................158

6.6.9. The Jolt2 Attack ........................................................................158

6.6.10. Distributed DoS Attacks ............................................................158

6.7. Blacklisting Hosts and Networks .............................................................159

7. Address Translation ........................................................................................161

7.1. Dynamic Address Translation (NAT) .......................................................161

7.1.1. Which Protocols can NAT handle? ................................................162

7.2. Static Address Translation (SAT) ............................................................164

7.2.1. Translation of a Single IP Address (1:1) .........................................164

7.2.2. Translation of Multiple IP Addresses (M:N) ....................................167

7.2.3. All-to-One Mappings (N:1) .........................................................169

7.2.4. Port Translation .........................................................................170

7.2.5. Which Protocols can SAT handle? ................................................170

7.2.6. Which SAT Rule is executed if several are matching? ....................... 171

7.2.7. SAT and FwdFast Rules ..............................................................171

8. User Authentication ........................................................................................174

8.1. Overview ............................................................................................174

8.1.1. Authentication Methods ..............................................................174

8.1.2. Choosing Passwords ...................................................................174

8.1.3. User Types ...............................................................................175

8.2. Authentication Components ...................................................................176

8.2.1. The Local User Database (UserDB) ...............................................176

8.2.2. External Authentication Servers ....................................................176

8.2.3. Authentication Agents ................................................................176

8.2.4. Authentication Rules ..................................................................177

8.3. Authentication Process ..........................................................................178

9. Virtual Private Networks ..................................................................................181

9.1. VPN overview .....................................................................................181

9.1.1. The need for VPNs .....................................................................181

9.1.2. The basics of VPN Encryption .....................................................181

9.1.3. Planning a VPN .........................................................................181

9.2. IPsec ..................................................................................................183

9.2.1. IPsec Basics ..............................................................................183

9.2.2. Proposal Lists ...........................................................................192

9.2.3. Pre-shared Keys ........................................................................193

9.2.4. Identification Lists .....................................................................193

9.3. IPsec Tunnels ......................................................................................196

9.3.1. Overview of IPsec tunnels ...........................................................196

9.3.2. LAN to LAN tunnels with a Pre-shared Key ................................... 196

9.3.3. Roaming Clients ........................................................................196

9.3.4. Fetching CRLs from an alternate LDAP server ................................ 200

User Manual

vi

9.4. PPTP/L2TP .........................................................................................202

9.4.1. PPTP .......................................................................................202

9.4.2. L2TP .......................................................................................203

10. Traffic Management ......................................................................................209

10.1. Traffic Shaping ..................................................................................209

10.1.1. Introduction ............................................................................209

10.1.2. Traffic Shaping Basics ..............................................................209

10.1.3. Traffic Shaping in NetDefendOS .................................................210

10.1.4. Pipes Basics ............................................................................211

10.1.5. Priorities and Guarantees ...........................................................214

10.1.6. Grouping Users of a Pipe ...........................................................219

10.2. Threshold Rules .................................................................................221

10.2.1. Overview ................................................................................221

10.2.2. Connection Rate/Total Connection Limiting ..................................221

10.2.3. Grouping ................................................................................221

10.2.4. Rule Actions ...........................................................................221

10.2.5. Multiple Triggered Actions ........................................................222

10.2.6. Exempted Connections ..............................................................222

10.2.7. Threshold Rules and ZoneDefense ..............................................222

10.2.8. Threshold Rule Blacklisting .......................................................222

10.3. Server Load Balancing ........................................................................223

10.3.1. Overview ................................................................................223

10.3.2. Identifying the Servers ..............................................................224

10.3.3. The Load Distribution Mode ......................................................224

10.3.4. The Distribution Algorithm ........................................................224

10.3.5. Server Health Monitoring ..........................................................226

10.3.6. SLB_SAT Rules ......................................................................226

11. High Availability ..........................................................................................229

11.1. Overview ..........................................................................................229

11.2. How rapid failover is accomplished ........................................................231

11.2.1. Shared IP addresses and Failover ................................................231

11.2.2. Cluster heartbeats .....................................................................231

11.2.3. The synchronization interface .....................................................232

11.3. High Availability Issues .......................................................................233

11.3.1. High Availability Configuration ..................................................233

12. ZoneDefense ................................................................................................235

12.1. Overview ..........................................................................................235

12.2. ZoneDefense Switches .........................................................................236

12.3. ZoneDefense Operation .......................................................................237

12.3.1. SNMP ....................................................................................237

12.3.2. Threshold Rules .......................................................................237

12.3.3. Manual Blocking and Exclude Lists .............................................238

12.3.4. Limitations .............................................................................239

13. Advanced Settings .........................................................................................241

13.1. IP Level Settings ................................................................................241

13.2. TCP Level Settings .............................................................................245

13.3. ICMP Level Settings ...........................................................................249

13.4. ARP Settings .....................................................................................250

13.5. Stateful Inspection Settings ...................................................................252

13.6. Connection Timeouts ..........................................................................254

13.7. Size Limits by Protocol ........................................................................255

13.8. Fragmentation Settings ........................................................................257

13.9. Local Fragment Reassembly Settings .....................................................261

13.10. DHCP Settings .................................................................................262

13.11. DHCPRelay Settings .........................................................................263

13.12. DHCPServer Settings ........................................................................264

13.13. IPsec Settings ...................................................................................265

13.14. Transparent Mode Settings .................................................................267

13.15. Logging Settings ...............................................................................269

13.16. High Availability Settings ..................................................................270

13.17. Time Synchronization Settings ............................................................271

13.18. DNS Client Settings ..........................................................................273

13.19. HTTP Poster Settings ........................................................................274

User Manual

vii

13.20. PPP Settings ....................................................................................275

13.21. IDP ................................................................................................276

13.22. Hardware Monitor Settings .................................................................277

13.23. Packet Re-assembly Settings ...............................................................278

13.24. Miscellaneous Settings .......................................................................279

A. Subscribing to Security Updates ........................................................................281

B. IDP Signature Groups .....................................................................................283

C. Anti-Virus MIME filetypes ..............................................................................287

D. The OSI Framework .......................................................................................291

E. D-Link worldwide offices ................................................................................292

Alphabetical Index .............................................................................................294

User Manual

viii

List of Figures

1.1. Packet Flow Schematic Part I ............................................................................ 6

1.2. Packet Flow Schematic Part II ........................................................................... 7

1.3. Packet Flow Schematic Part III .......................................................................... 8

4.1. A Route Failover Scenario for ISP Access ...........................................................71

4.2. Virtual Links Example 1 ..................................................................................83

4.3. Virtual Links Example 2 ..................................................................................84

4.4. Transparent mode scenario 1 ............................................................................89

4.5. Transparent mode scenario 2 ............................................................................91

6.1. IDP Database Updating .................................................................................126

6.2. Dynamic Content Filtering Flow .....................................................................143

9.1. The AH protocol ..........................................................................................190

9.2. The ESP protocol .........................................................................................190

10.1. Packet flow through pipes ............................................................................211

10.2. The Eight Pipe Precedences. .........................................................................214

10.3. A Pipe defined with minimum precedence and maximum precedence. ..................215

10.4. A pipe with traffic in one precedence, grouped per IP address. ............................219

10.5. A Server Load Balancing configuration ..........................................................223

10.6. Connections from Three Clients ....................................................................225

10.7. Stickiness and Round-Robin .........................................................................225

10.8. Stickiness and Connection Rate .....................................................................226

11.1. High Availability Setup Example ...................................................................230

D.1. The 7 layers of the OSI model ........................................................................291

ix

List of Examples

1. Example notation ............................................................................................. xii

2.1. Enabling SSH Remote Access ..........................................................................12

2.2. Enabling remote management via HTTPS. ..........................................................14

2.3. Listing Configuration Objects ...........................................................................16

2.4. Displaying a Configuration Object .....................................................................16

2.5. Editing a Configuration Object .........................................................................17

2.6. Adding a Configuration Object .........................................................................17

2.7. Deleting a Configuration Object ........................................................................18

2.8. Undeleting a Configuration Object ....................................................................18

2.9. Listing Modified Configuration Objects ..............................................................19

2.10. Activating and Committing a Configuration .......................................................20

2.11. Enable Logging to a Syslog Host .....................................................................22

2.12. Reset to Factory Defaults with the standard user interface .....................................28

2.13. Configuration Backup and Restore ...................................................................28

3.1. Adding an IP Host ..........................................................................................32

3.2. Adding an IP Network .....................................................................................32

3.3. Adding an IP Range ........................................................................................32

3.4. Deleting an Address Object ..............................................................................33

3.5. Adding an Ethernet Address .............................................................................33

3.6. Listing the Available Services ...........................................................................35

3.7. Viewing a Specific Service ..............................................................................35

3.8. Adding a TCP/UDP Service .............................................................................37

3.9. Adding a IP Protocol Service ............................................................................39

3.10. Enabling DHCP ...........................................................................................42

3.11. Defining a virtual LAN ..................................................................................43

3.12. Configuring a PPPoE client on the wan interface with traffic routed over PPPoE. .....45

3.13. Creating an Interface Group ............................................................................45

3.14. Displaying the ARP Cache .............................................................................48

3.15. Flushing the ARP Cache ................................................................................48

3.16. Defining a Static ARP Entry ...........................................................................49

3.17. Setting up a Time-Scheduled Policy .................................................................55

3.18. Uploading an X.509 Certificate .......................................................................58

3.19. Setting the Current Date and Time ...................................................................59

3.20. Setting the Time Zone ...................................................................................60

3.21. Enabling DST ..............................................................................................60

3.22. Enabling Time Synchronization using SNTP ......................................................61

3.23. Manually Triggering a Time Synchronization ....................................................62

3.24. Modifying the Maximum Adjustment Value ......................................................62

3.25. Forcing Time Synchronization ........................................................................62

3.26. Enabling the D-Link NTP Server .....................................................................63

3.27. Configuring DNS Servers ...............................................................................64

4.1. Displaying the Routing Table ...........................................................................69

4.2. Displaying the Core Routes ..............................................................................70

4.3. Creating a Policy-Based Routing table ................................................................78

4.4. Creating the Route ..........................................................................................78

4.5. Policy Based Routing Configuration ..................................................................78

4.6. Importing Routes from an OSPF AS into the Main Routing Table ...........................85

4.7. Exporting the Default Route into an OSPF AS .....................................................86

4.8. Setting up Transparent Mode - Scenario 1 ...........................................................90

4.9. Setting up Transparent Mode - Scenario 2 ...........................................................91

5.1. Setting up a DHCP server ................................................................................97

5.2. Checking the status of a DHCP server ................................................................98

5.3. Setting up Static DHCP ...................................................................................99

5.4. Setting up a DHCP relayer .............................................................................100

6.1. Setting up an Access Rule ..............................................................................104

6.2. Protecting an FTP Server with ALG .................................................................106

6.3. Protecting FTP Clients ..................................................................................109

6.4. Protecting Phones Behind D-Link Firewalls ......................................................113

x

6.5. H.323 with private IP addresses ......................................................................114

6.6. Two Phones Behind Different D-Link Firewalls .................................................115

6.7. Using Private IP Addresses ............................................................................116

6.8. H.323 with Gatekeeper ..................................................................................118

6.9. H.323 with Gatekeeper and two D-Link Firewalls ..............................................119

6.10. Using the H.323 ALG in a Corporate Environment ........................................... 120

6.11. Configuring remote offices for H.323 .............................................................123

6.12. Allowing the H.323 Gateway to register with the Gatekeeper .............................. 123

6.13. Configuring an SMTP Log Receiver ..............................................................131

6.14. Setting up IDP for a Mail Server ....................................................................132

6.15. Enabling Anti-Virus Scanning .......................................................................138

6.16. Stripping ActiveX and Java applets ................................................................141

6.17. Setting up a white and blacklist .....................................................................142

6.18. Enable Dynamic Content Filtering .................................................................144

6.19. Enabling Audit Mode ..................................................................................145

6.20. Reclassifying a blocked site ..........................................................................147

7.1. Adding a NAT Policy ...................................................................................162

7.2. Enabling Traffic to a Protected Web Server in a DMZ ......................................... 164

7.3. Enabling Traffic to a Web Server on an Internal Network ....................................166

7.4. Translating Traffic to Multiple Protected Web Servers ........................................ 168

8.1. Creating an authentication user group ...............................................................178

9.1. Using a Proposal List ....................................................................................192

9.2. Using a Pre-Shared key .................................................................................193

9.3. Using an Identity List ....................................................................................194

9.4. Setting up a PSK based VPN tunnel for roaming clients ....................................... 197

9.5. Setting up a Self-signed Certificate based VPN tunnel for roaming clients ...............198

9.6. Setting up a CA Server issued Certificate based VPN tunnel for roaming clients .......199

9.7. Setting up an LDAP server .............................................................................200

9.8. Setting up a PPTP server ................................................................................202

9.9. Setting up an L2TP server ..............................................................................203

9.10. Setting up an L2TP Tunnel ...........................................................................204

10.1. Applying a Simple Bandwidth Limit ..............................................................211

10.2. Applying a Two-Way Bandwidth Limit ..........................................................213

12.1. A simple ZoneDefense scenario ....................................................................238

User Manual

xi

Preface

Intended audience

The target audience for this reference guide is Administrators who are responsible for configuring

and managing D-Link Firewalls which are running the NetDefendOS operating system. This guide

assumes that the reader has some basic knowledge of networks and network security.

Text structure and conventions

The text is broken down into chapters and subsections. Numbered subsections are shown in the table

of contents at the beginning. An index is included at the end of the document to aid with alphabetic-

al lookup of subjects.

Where a "See section" link (such as: see ) is provided in the main text this can be clicked to take the

reader directly to that reference.

Text that may appear in the user interface of the product is designated by being in Bold Case.

Where is term is being introduced for the first time or being stressed it may appear in a italics.

Where console interaction is shown in the main text outside of an example this will appear in a box

with a gray background:

gw-world:/>

Where a web address reference is shown in the text this will open the specified URL in a browser in

a new window when clicked (some systems may not allow this). For example: ht-

tp://www.dlink.com.

Examples

Examples in the text are denoted by the header Example and appear with a gray background as

shown below. They contain a CLI example and/or a Web Interface example as appropriate. (The ac-

companying "CLI Reference Guide" documents all CLI commands).

Example 1. Example notation

Information about what the example is trying to achieve is found here, sometimes with an explanatory image.

CLI

The Command Line Interface example would appear here. It would start with the command prompt followed by

the command:

gw-world:/> somecommand someparameter=somevalue

Web Interface

The Web Interface actions for the example are shown here. They are typically a numbered list showing what

items in the tree-view list at the left of the interface or in the menu bar or in a context menu need to be opened fol-

lowed by information about the data items that need to be entered:

1. Go to Item X > Item Y > Item Z

2. Now enter:

•DataItem1: datavalue1

•DataItem2: datavalue2

xii

Notes to the main text

Special sections of text which the reader should pay special attention to are indicated by icons on the

the left hand side of the page followed by a short paragraph in italicized text. Such sections have the

following types and purposes:

Note

This indicates some piece of information that is an addition to the preceding text. It

may concern something that is being emphasised or something that is not obvious or

explicitly stated in the preceding text.

Tip

This indicates a piece of non-critical information that is useful to know in certain situ-

ations but is not essential reading.

Caution

This indicates where the reader should be careful with their actions as an undesirable

situation may result if care is not exercised.

Important

This is an essential point that the reader should read and understand.

Warning

This is essential reading for the user as they should be aware that a serious situation

may result if certain actions are taken or not taken.

Notes to the main text Preface

xiii

Chapter 1. Product Overview

This chapter outlines the key features of NetDefendOS.

• About D-Link NetDefendOS, page 1

• NetDefendOS Architecture, page 3

• NetDefendOS Packet Flow, page 6

1.1. About D-Link NetDefendOS

D-Link NetDefendOS is the firmware, the software engine that drives and controls all D-Link Fire-

wall products.

Designed as a network security operating system, NetDefendOS features high throughput perform-

ance with high reliability plus super-granular control. In contrast to products built on standard oper-

ating systems such as Unix or Microsoft Windows, NetDefendOS offers seamless integration of all

subsystems, in-depth administrative control of all functionality as well as a minimal attack surface

which helps negate the risk of being a target for security attacks.

From the administrator's perspective the conceptual approach of NetDefendOS is to visualize opera-

tions through a set of logical building blocks or objects, which allow the configuration of the

product in an almost limitless number of different ways. This granular control allows the adminis-

trator to meet the requirements of the most demanding network security scenario.

NetDefendOS is an extensive and feature-rich network operating system. The list below presents the

most essential features:

IP Routing NetDefendOS provides a variety of options for IP routing in-

cluding static routing, dynamic routing, multicast routing and

advanced virtual routing capabilities. In addition, NetDefen-

dOS supports features such as Virtual LANs, Route Monitor-

ing, Proxy ARP and Transparency. For more information,

please see Chapter 4, Routing.

Address Translation For functionality as well as security reasons, NetDefendOS

supports policy-based address translation. Dynamic Address

Translation (NAT) as well as Static Address Translation

(SAT) is supported, and resolves most types of address trans-

lation needs. This feature is covered in Chapter 7, Address

Translation.

Firewalling At the heart of the product, NetDefendOS features stateful in-

spection-based firewalling for common protocols such as

TCP, UDP and ICMP. As an administrator, you have the pos-

sibility to define detailed firewalling policies based on source

and destination network and interface, protocol, ports, user

credentials, time-of-day and much more. Section 3.5, “The IP

Rule-Set”, describes how to use the firewalling aspects of

NetDefendOS.

Intrusion Detection and Preven-

tion To mitigate application-layer attacks towards vulnerabilities

in services and applications, NetDefendOS provides a power-

ful Intrusion Detection and Prevention (IDP) engine. The IDP

engine is policy-based and is able to perform high-

performance scanning and detection of attacks and can per-

form blocking and optional black-listing of attacking hosts.

1

For more information about the IDP capabilities of NetDefen-

dOS, please see Section 6.3, “Intrusion Detection and Preven-

tion”.

Anti-Virus NetDefendOS features integrated gateway anti-virus function-

ality. Traffic passing through the gateway can be subjected to

in-depth scanning for viruses, and attacking hosts can be

blocked and black-listed at your choice. Section 6.4,

“Anti-Virus”, provides more information about how to use

the integrated anti-virus feature.

Web Content Filtering NetDefendOS provides various mechanisms for filtering web

content that is deemed inappropriate according to your web

usage policy. Web content can be blocked based on category,

malicious objects can be removed and web sites can be

whitelisted or blacklisted in multiple policies. For more in-

formation, please see Section 6.5, “Web Content Filtering”.

Virtual Private Networking A device running NetDefendOS is highly suitable for parti-

cipating in a Virtual Private Network (VPN). NetDefendOS

supports IPsec, L2TP and PPTP based VPNs concurrently,

can act as either server or client for all of the VPN types, and

can provide individual security policies for each VPN tunnel.

Virtual Private Networking is covered in detail by Chapter 9,

Virtual Private Networks.

Traffic Management With the support of Traffic Shaping, Threshold Rules and

Server Load Balancing features, NetDefendOS is optimal for

traffic management. The Traffic Shaping feature enables fine-

granular limiting and balancing of bandwidth; Threshold

Rules allows for implementing various types of thresholds

where to alarm or limit network traffic, and Server Load Bal-

ancing enables a device running NetDefendOS to distribute

network load to multiple hosts. Chapter 10, Traffic Manage-

ment, provides more detailed information on the various

traffic management capabilities.

Operations and Maintenance To facilitate management of a NetDefendOS device, adminis-

trative control is enabled through a Web-based User Interface

or via the Command Line Interface. In addition, NetDefen-

dOS provides very detailed event and logging capabilities and

support for monitoring using standards such as SNMP. For

more information, please see Chapter 2, Operations and

Maintenance.

ZoneDefense NetDefendOS can be used to control D-Link switches using

the ZoneDefense feature.

Reading through this documentation carefully will ensure that you get the most out of your NetDe-

fendOS product. In addition to this document, the reader should also be aware of the companion

volumes:

• The NetDefendOS CLI Guide which details all NetDefendOS console commands.

• The NetDefendOS Log Reference Guide which details all NetDefendOS log event messages.

These documents together form the essential documentation for NetDefendOS operation.

Note

High Availability, Anti-Virus, Web Content Filtering and ZoneDefense are not avail-

able with some models as specified in the chapters relating to those features.

1.1. About D-Link NetDefendOS Chapter 1. Product Overview

2

1.2. NetDefendOS Architecture

1.2.1. State-based Architecture

The NetDefendOS architecture is centered around the concept of state-based connections. Tradition-

al IP routers or switches commonly inspect all packets and then perform forwarding decisions based

on information found in the packet headers. With this approach, packets are forwarded without any

sense of context which basically eliminates any possibility to detect and analyze complex protocols

and enforce corresponding security policies.

A NetDefendOS device, on the contrary, will inspect and forward traffic on a per-connection basis.

In other words, NetDefendOS is able to detect when a new connection is being established, and then

keeps a small piece of information, a "state", for the entire life-length of that connection. By doing

this, NetDefendOS is able to understand the context of the network traffic, which enables the device

to perform in-depth traffic scanning, apply bandwidth management and much more. In addition, this

approach provides high throughput performance with the added advantage of a design that is highly

scalable.

1.2.2. NetDefendOS Building Blocks

The basic building blocks in NetDefendOS are interfaces, logical objects and various types of rules

(or rule-sets).

Interfaces are the doorways for network traffic passing through, to or from the system. Without in-

terfaces, a NetDefendOS system has no means for receiving or sending traffic. Several types of in-

terfaces are supported; Physical Interfaces, Physical Sub-Interfaces and Tunnel Interfaces. Physical

interfaces corresponds to actual physical Ethernet ports; physical sub-interfaces include VLAN and

PPPoE interfaces while tunnel interfaces are used for receiving and sending traffic in VPN tunnels.

The NetDefendOS interface design is symmetric, meaning that the interfaces of the device are not

fixed as being on the "insecure outside" or "secure inside" of a network topology. The notion of

what is inside and outside is totally for the administrator to define.

Logical objects can be seen as pre-defined building blocks for use by the rule-sets. The address

book, for instance, contains named objects representing host and network addresses. Another ex-

ample of logical objects are services , representing specific protocol and port combinations. Also

important objects are the Application Layer Gateway (ALG) objects, used for defining additional

parameters on specific protocols such as HTTP, FTP, SMTP and H.323.

Finally, the various rule-sets are used for actually implementing the policies in the system. The most

fundamental rule-set is the IP Rules, which is used to define the layer 3 IP filtering policy as well as

carrying out address translation and server load balancing. The Traffic Shaping Rules define the

policy for bandwidth management, the IPS Rules controls the behavior of the intrusion prevention

engine and so forth.

1.2.3. Basic Packet Flow

This section outlines the basic flow for packets received and forwarded by a NetDefendOS device.

Please note that this description is simplified to ease the understanding and might not be fully ap-

plicable in all scenarios. The basic principle, however, is still valid in all applications.

1. An Ethernet frame is received on one of the Ethernet interfaces in the system. Basic Ethernet

frame validation is performed and the packet is dropped if the frame is invalid.

2. The packet is associated with a Source Interface. The source interface is determined as follows:

• If the Ethernet frame contains a VLAN ID (Virtual LAN identifier), the system checks for a

configured VLAN interface with a corresponding VLAN ID. If one is found, that VLAN

interface becomes the source interface for the packet. If no matching interface is found, the

packet is dropped and the event is logged.

1.2. NetDefendOS Architecture Chapter 1. Product Overview

3

• If the Ethernet frame contains a PPP payload, the system checks for a matching PPPoE in-

terface. If one is found, that interface becomes the source interface for the packet. If no

matching interface is found, the packet is dropped and the event is logged.

• If none the above is true, the receiving Ethernet interface becomes the source interface for

the packet.

3. The IP datagram within the packet is passed on to the NetDefendOS Consistency Checker. The

consistency checker performs a number of sanity checks on the packet, including validation of

checksums, protocol flags, packet length and so forth. If the consistency checks fail, the packet

gets dropped and the event is logged.

4. NetDefendOS now tries to lookup an existing connection by matching parameters from the in-

coming packet. A number of parameters are used in the match attempt, including the source in-

terface, source and destination IP addresses, IP protocol and so forth.

If a match cannot be found, a connection establishment process starts which includes steps 5 to

10 below. If a match is found, the forwarding process continues at step 11 below.

5. The source interface is examined to find out if the interface is a member of a specific routing

table. Also, the Virtual Routing Rules are evaluated to determine the correct routing table for

the connection.

6. The Access rules are evaluated to find out if the source IP address of the new connection is al-

lowed on the received interface. If no access rule matches then a reverse route lookup will be

done. In other words, by default, an interface will only accept source IP addresses that belong

to networks routed over that interface. If the access rules or the reverse route lookup determine

that the source IP is invalid, then the packet is dropped and the event is logged.

7. A route lookup is being made using the appropriate routing table. The destination interface for

the connection has now been determined.

8. The IP rules are now searched for a rule that matches the packet. Basically, the following para-

meters are part of the matching process: Source and destination interfaces, source and destina-

tion network, IP protocol (TCP, UDP, ICMP etc), TCP/UDP ports or ICMP types and schedule

(time-of-day).

If a match cannot be found, the packet is dropped.

If a rule is found that matches the new connection, the Action parameter of the rule decides

what NetDefendOS should do with the connection. If the action is Drop, the packet is dropped

and the event is logged according to the log settings for the rule.

If the action is Allow, the packet is allowed through the system. A corresponding state will be

added to the connection table for matching subsequent packets belonging to the same connec-

tion. In addition, the Service object which matched the IP protocol and ports might have con-

tained a reference to an Application Layer Gateway (ALG) object. This information is recorded

in the state so that NetDefendOS will know that application layer processing will have to be

performed on the connection.

Finally, the opening of the new connection will be logged according to the log settings of the

rule.

Note

There are actually a number of additional actions available such as address

translation and server load balancing. The basic concept of dropping and allow-

ing traffic is still the same.

9. The Intrusion Detection and Prevention (IDP) Rules are now evaluated in a similar way to the

IP rules. If a match is found, the IDP data is recorded with the state. By doing this, NetDefen-

dOS will know that IDP scanning is supposed to be conducted on all packets belonging to this

1.2.3. Basic Packet Flow Chapter 1. Product Overview

4

connection.

10. The Traffic Shaping and the Threshold Limit Rule-sets are now searched. If a match is found,

the corresponding information is recorded with the state. This will enable proper traffic man-

agement on the connection.

11. From the information in the state, NetDefendOS now knows what to do with the incoming

packet:

• If ALG information is present or if IDP scanning is to be performed, the payload of the

packet is taken care of by the TCP Pseudo-Reassembly subsystem, which in turn makes use

of the different Application Layer Gateways, layer 7 scanning engines and so forth, to fur-

ther analyze or transform the traffic.

• If the contents of the packet is encapsulated (i.e. being IPsec, L2TP/PPTP or some other

type of tunneled traffic), the interface lists are checked for a matching interface. If one is

found, the packet is decapsulated and the payload (the plaintext) is sent into NetDefendOS

again, now with source interface being the matched tunnel interface. In other words, the

process continues at step 3 above.

• If traffic management information is present, the packet might get queued or otherwise be

subjected to actions related to traffic management.

12. Eventually, the packet will be forwarded out on the destination interface according to the state.

If the destination interface is a tunnel interface or a physical sub-interface, additional pro-

cessing such as encryption, and encapsulation and so forth might occur.

The following section provides a set of diagrams which illustrate the flow of packets through Net-

DefendOS.

1.2.3. Basic Packet Flow Chapter 1. Product Overview

5

1.3. NetDefendOS Packet Flow

The diagrams in this section provide a summary of the flow of packets through the NetDefendOS

state-engine. There are three diagrams, each flowing into the next.

Figure 1.1. Packet Flow Schematic Part I

The packet flow is continued on the following page.

1.3. NetDefendOS Packet Flow Chapter 1. Product Overview

6

Figure 1.2. Packet Flow Schematic Part II

The packet flow is continued on the following page.

1.3. NetDefendOS Packet Flow Chapter 1. Product Overview

7

Page is loading ...

D-Link NetDefend DFL-800 User manual

This manual is also suitable for

D-Link NetDefend DFL-800 User manual

Related papers

Other documents