D-Link NetDefendOS User manual

Network Security Solution http://www.dlink.com

NetDefendOS

Ver. 11.04.01

Network Security Firewall

User Manual

Security

User Manual

DFL-260E/860E/870/1660/2560/2560G

NetDefendOS Version 11.04.01

D-Link Corporation

No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C.

http://www.DLink.com

Published 2016-10-03

User Manual

DFL-260E/860E/870/1660/2560/2560G

NetDefendOS Version 11.04.01

Published 2016-10-03

Copyright Notice

This publication, including all photographs, illustrations and software, is protected under

contained herein, may be reproduced without the written consent of D-Link.

Disclaimer

The information in this document is subject to change without notice. D-Link makes no

representations or warranties with respect to the contents hereof and specifically disclaims any

implied warranties of merchantability or fitness for a particular purpose. D-Link reserves the right

to revise this publication and to make changes from time to time in the content hereof without

any obligation to notify any person or parties of such revision or changes.

Limitations of Liability

UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY

CHARACTER (E.G. DAMAGES FOR LOSS OF PROFIT, SOFTWARE RESTORATION, WORK STOPPAGE,

LOSS OF SAVED DATA OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES) RESULTING FROM

THE APPLICATION OR IMPROPER USE OF THE D-LINK PRODUCT OR FAILURE OF THE PRODUCT,

EVEN IF D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK

WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES.

D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK

RECEIVED FROM THE END-USER FOR THE PRODUCT.

Table of Contents

Preface...............................................................................................................17

1.NetDefendOSOverview .....................................................................................20

1.1.Features ...............................................................................................20

1.2.NetDefendOSArchitecture ......................................................................24

1.2.1.State-basedArchitecture ..............................................................24

1.2.2.NetDefendOSBuildingBlocks ........................................................24

1.2.3.BasicPacketFlow.........................................................................25

1.3.NetDefendOS StateEngine Packet Flow .....................................................28

2.ManagementandMaintenance ..........................................................................33

2.1.ManagingNetDefendOS .........................................................................33

2.1.1.Overview ....................................................................................33

2.1.2.ConfiguringManagementAccess ...................................................34

2.1.3.AdministratorAccount .................................................................40

2.1.4.TheWebInterface ........................................................................41

2.1.5.TheCLI .......................................................................................46

2.1.6.CLIScripts...................................................................................58

2.1.7.SecureCopy................................................................................64

2.1.8.TheConsoleBootMenu ................................................................66

2.1.9.RADIUSManagementAuthentication .............................................67

2.1.10.ManagementAdvancedSettings ..................................................70

2.1.11.WorkingwithConfigurations .......................................................71

2.2.SystemDateandTime ............................................................................78

2.2.1.Overview ....................................................................................78

2.2.2.SettingDateandTimeManually.....................................................78

2.2.3.DaylightSavingTime ...................................................................79

2.2.4.UsingExternalTimeServers...........................................................82

2.2.5.SettingsSummaryforDateandTime ..............................................85

2.3.EventsandLogging ................................................................................87

2.3.1.Overview ....................................................................................87

2.3.2.LogMessages .............................................................................87

2.3.3.LogReceiverTypes ......................................................................88

2.3.4.TheMemoryLogReceiver(Memlog) ...............................................89

2.3.5.TheSyslogLogReceiver................................................................89

2.3.6.MailAlerting ...............................................................................92

2.3.7. Severity Filter and Message Exceptions ........................................... 96

2.3.8.SNMPTraps ................................................................................97

2.3.9.AdvancedLogSettings .................................................................98

2.3.10.Logsnoop .................................................................................99

2.4.Monitoring .......................................................................................... 103

2.4.1.Real-timeMonitorAlerts ............................................................. 103

2.4.2.TheLinkMonitor ....................................................................... 103

2.4.3.HardwareMonitoring ................................................................. 107

2.4.4.MemoryMonitoringSettings ....................................................... 109

2.5.SNMP ................................................................................................. 111

2.5.1.Management withSNMP ............................................................ 111

2.5.2.PersistentSNMPInterfaceIndexes ................................................ 115

2.5.3.SNMPAdvancedSettings ............................................................ 116

2.6.DiagnosticTools .................................................................................. 118

2.6.1.Overview .................................................................................. 118

2.6.2. The ping Command .................................................................... 118

2.6.3. The stats Command ................................................................... 122

2.6.4. The connections Command ......................................................... 123

2.6.5. The dconsole Command .............................................................. 125

2.6.6. The pcapdump Command ........................................................... 126

2.6.7. The traceroute Command ............................................................ 128

2.6.8. The frags Command ................................................................... 131

4

2.6.9. The selftest Command ................................................................ 133

2.7.Maintenance ....................................................................................... 135

2.7.1.VersionUpdateAlerts ................................................................. 135

2.7.2.Auto-UpdateMechanism ............................................................ 136

2.7.3.Backing UpConfigurations .......................................................... 136

2.7.4.RestoretoFactoryDefaults.......................................................... 139

2.8.Languages .......................................................................................... 141

2.9.DiagnosticsandImprovements .............................................................. 142

3.Fundamentals ................................................................................................ 145

3.1.TheAddressBook ................................................................................ 145

3.1.1.Overview .................................................................................. 145

3.1.2.IPAddresses ............................................................................. 146

3.1.3.EthernetAddresses .................................................................... 148

3.1.4.AddressGroups ......................................................................... 148

3.1.5.Auto-GeneratedAddressObjects ................................................. 149

3.1.6.AddressBookFolders ................................................................. 150

3.1.7.FQDNAddressObjects ............................................................... 150

3.2.IPv6Support ....................................................................................... 156

3.3.Services .............................................................................................. 165

3.3.1.Overview .................................................................................. 165

3.3.2.CreatingCustomServices ............................................................ 167

3.3.3.ICMPServices ............................................................................ 171

3.3.4.CustomIP ProtocolServices ........................................................ 172

3.3.5.ServiceGroups .......................................................................... 173

3.3.6.CustomServiceTimeouts ............................................................ 174

3.3.7.Path MTU Discovery ................................................................... 174

3.4.Interfaces ............................................................................................ 178

3.4.1.Overview .................................................................................. 178

3.4.2.EthernetInterfaces ..................................................................... 180

3.4.3.LinkAggregation ....................................................................... 191

3.4.4.VLAN ....................................................................................... 195

3.4.5.ServiceVLAN............................................................................. 199

3.4.6.PPPoE ...................................................................................... 202

3.4.7.GRETunnels .............................................................................. 205

3.4.8.6in4Tunnels ............................................................................. 209

3.4.9.LoopbackInterfaces ................................................................... 213

3.4.10.InterfaceGroups ...................................................................... 218

3.4.11.Layer2PassThrough ................................................................ 219

3.5.ARP .................................................................................................... 221

3.5.1.Overview .................................................................................. 221

3.5.2.TheARPCache .......................................................................... 221

3.5.3.ARPPublish .............................................................................. 223

3.5.4.UsingARPAdvanced Settings ...................................................... 226

3.6.IPRulesandIP Policies .......................................................................... 228

3.6.1.SecurityPolicies ......................................................................... 228

3.6.2.IPRuleSet Evaluation ................................................................. 232

3.6.3.IP Rule ...................................................................................... 233

3.6.4.Multiple IPRuleSets ................................................................... 235

3.6.5.IP RuleSet Folders ..................................................................... 240

3.6.6.Configuration ObjectGroups ....................................................... 241

3.6.7.IP Policy ................................................................................... 245

3.6.8.StatelessPolicy .......................................................................... 251

3.7.Application Control .............................................................................. 253

3.8.Schedules ........................................................................................... 265

3.9.Certificates .......................................................................................... 268

3.9.1.Overview .................................................................................. 268

3.9.2.Uploading andUsing Certificates ................................................. 273

3.9.3.CRL Distribution Point Lists ......................................................... 275

3.9.4.CA ServerAccess ....................................................................... 277

3.9.5. Creating Windows CA Server Requests .......................................... 279

3.10.DNS .................................................................................................. 281

User Manual

5

4.Routing ......................................................................................................... 285

4.1.Overview ............................................................................................ 285

4.2.Static Routing ...................................................................................... 286

4.2.1.The Principles ofRouting ............................................................ 286

4.2.2.Static Routing ........................................................................... 290

4.2.3.RouteFailover ........................................................................... 296

4.2.4.Host MonitoringforRoute Failover ............................................... 299

4.2.5.Advanced Settings forRoute Failover ............................................ 301

4.2.6.ProxyARP ................................................................................. 302

4.2.7.Broadcast Packet Forwarding ...................................................... 304

4.3.Policy-basedRouting ............................................................................ 308

4.4.Route LoadBalancing ........................................................................... 316

4.5.VirtualRouting .................................................................................... 323

4.5.1.Overview .................................................................................. 323

4.5.2.ASimple Scenario ...................................................................... 323

4.5.3.The DisadvantageofRoutingRules............................................... 325

4.5.4.IP RuleSetswithVirtualRouting ................................................... 328

4.5.5.Multiple IPrulesets .................................................................... 329

4.5.6.Trouble Shooting ....................................................................... 329

4.6.OSPF .................................................................................................. 331

4.6.1.Dynamic Routing ....................................................................... 331

4.6.2.OSPF Concepts .......................................................................... 334

4.6.3.OSPF Components ..................................................................... 339

4.6.4.Dynamic Routing Rules ............................................................... 345

4.6.5.Setting UpOSPF ........................................................................ 348

4.6.6.An OSPFExample ...................................................................... 352

4.6.7.OSPF Troubleshooting ................................................................ 357

4.7.Multicast Routing ................................................................................. 361

4.7.1.Overview .................................................................................. 361

4.7.2. Multicast Forwarding with SAT Multiplex Rules ............................... 362

4.7.3.IGMP Configuration ................................................................... 368

4.7.4.Advanced IGMPSettings ............................................................. 374

4.7.5.TunnelingMulticast usingGRE ..................................................... 376

4.8.Transparent Mode ................................................................................ 379

4.8.1.Overview .................................................................................. 379

4.8.2.EnablingInternet Access ............................................................. 384

4.8.3.ATransparent Mode Use Case ...................................................... 386

4.8.4.SpanningTreeBPDUSupport ...................................................... 388

4.8.5.MPLS Pass Through .................................................................... 389

4.8.6. Advanced Settings for Transparent Mode ...................................... 390

5.DHCP Services ................................................................................................ 393

5.1.Overview ............................................................................................ 393

5.2.IPv4 DHCP Client .................................................................................. 395

5.3.IPv4 DHCP Server ................................................................................. 397

5.3.1.Static IPv4 DHCPHosts ............................................................... 401

5.3.2.Custom IPv4Options .................................................................. 402

5.4.IPv4 DHCP Relay .................................................................................. 404

5.5.IP Pools .............................................................................................. 408

5.6.DHCPv6 .............................................................................................. 411

5.6.1.DHCPv6Client ........................................................................... 411

5.6.2.DHCPv6Server .......................................................................... 414

6.Security Mechanisms ...................................................................................... 421

6.1.AccessRules ........................................................................................ 421

6.1.1.Overview .................................................................................. 421

6.1.2.IP Spoofing ............................................................................... 422

6.1.3.AccessRule Settings ................................................................... 422

6.2.ALGs .................................................................................................. 425

6.2.1.Overview .................................................................................. 425

6.2.2.The HTTP ALG ........................................................................... 427

6.2.3.The LightWeight HTTP ALG ......................................................... 432

6.2.4.The FTPALG ............................................................................. 435

User Manual

6

6.2.5.The TFTPALG ............................................................................ 447

6.2.6.The SMTPALG ........................................................................... 448

6.2.7.The POP3ALG ........................................................................... 457

6.2.8.The PPTPALG............................................................................ 461

6.2.9.The SIPALG .............................................................................. 463

6.2.10.The H.323 ALG ......................................................................... 479

6.2.11.The TLSALG ............................................................................ 500

6.3.Web Content Filtering ........................................................................... 503

6.3.1.Overview .................................................................................. 503

6.3.2.Active Content Handling ............................................................. 503

6.3.3.Static Content Filtering ............................................................... 504

6.3.4.Dynamic WebContent Filtering ................................................... 507

6.4.Email FilteringandAnti-Spam ................................................................ 526

6.4.1.IP Policy BasedEmailFiltering ...................................................... 526

6.4.2.ALG Based EmailFiltering ............................................................ 534

6.4.3.DNSBLDatabases ...................................................................... 539

6.5.Anti-Virus Scanning .............................................................................. 541

6.5.1.Overview .................................................................................. 541

6.5.2.Implementation ........................................................................ 542

6.5.3.Anti-Virus Options ..................................................................... 545

6.5.4.Activating Anti-VirusScanning ..................................................... 546

6.5.5.The Anti-Virus Cache .................................................................. 550

6.6.Intrusion Detectionand Prevention ........................................................ 552

6.6.1.Overview .................................................................................. 552

6.6.2.IDP Subscriptions ....................................................................... 553

6.6.3.IDP Rules .................................................................................. 554

6.6.4.Insertion/Evasion Attack Prevention ............................................. 556

6.6.5.IDP Pattern Matching ................................................................. 557

6.6.6.IDP Signature Groups ................................................................. 558

6.6.7.Setting Up IDP ........................................................................... 559

6.6.8.SMTPLogReceiver forIDP Events ................................................. 562

6.6.9.Best PracticeDeployment ........................................................... 564

6.7.Denial-of-ServiceAttacks ....................................................................... 566

6.7.1.Overview .................................................................................. 566

6.7.2.DoS AttackMechanisms .............................................................. 566

6.7.3. Ping of Death Attacks .................................................................. 566

6.7.4.Fragmentation Overlap Attacks .................................................... 567

6.7.5. The Land and LaTierra Attacks ...................................................... 567

6.7.6. The WinNuke attack .................................................................... 567

6.7.7.Amplification Attacks ................................................................. 568

6.7.8.TCP SYNFloodAttacks ................................................................ 569

6.7.9. The Jolt2 Attack ......................................................................... 569

6.7.10.DistributedDoS Attacks ............................................................ 570

6.8.BlacklistingHostsand Networks ............................................................. 571

7.Address Translation ........................................................................................ 574

7.1.Overview ............................................................................................ 574

7.2.NAT ................................................................................................... 576

7.3.NATPools ........................................................................................... 584

7.4.SAT .................................................................................................... 588

7.4.1.Introduction ............................................................................. 588

7.4.2.One-to-One IPTranslation ........................................................... 590

7.4.3.Many-to-ManyIPTranslation ....................................................... 593

7.4.4.All-to-OneIPTranslation ............................................................. 596

7.4.5.Port Translation ......................................................................... 599

7.4.6. SAT with FwdFast Rules ............................................................... 600

7.4.7.Using anIP PolicyforSAT ............................................................ 601

7.4.8.Protocols Handled bySAT ........................................................... 602

7.4.9.SATwithNAT ............................................................................ 603

8.UserAuthentication ........................................................................................ 608

8.1.Overview ............................................................................................ 608

8.2.Authentication Setup ............................................................................ 610

User Manual

7

8.2.1.SetupSummary ......................................................................... 610

8.2.2.LocalUserDatabases .................................................................. 610

8.2.3.External RADIUS Servers ............................................................. 614

8.2.4.External LDAP Servers ................................................................ 616

8.2.5.Authentication Rules .................................................................. 624

8.2.6.Authentication Processing .......................................................... 626

8.2.7.HTTP Authentication .................................................................. 627

8.2.8.BruteForceProtection ................................................................ 630

8.3.ARP Authentication .............................................................................. 633

8.4.Customizing AuthenticationHTML ......................................................... 635

8.5.Policies Requiring Authentication ........................................................... 639

8.6.UserIdentityAwareness ........................................................................ 641

8.7.MultiFactorAuthentication ................................................................... 650

8.8.RadiusRelay ........................................................................................ 652

8.9.RADIUS Accounting .............................................................................. 659

8.9.1.Overview .................................................................................. 659

8.9.2.RADIUSAccounting Messages ..................................................... 659

8.9.3.InterimAccountingMessages ...................................................... 661

8.9.4.ConfiguringRADIUS Accounting .................................................. 661

8.9.5.RADIUSAccounting Security ....................................................... 663

8.9.6. RADIUS Accounting and High Availability ...................................... 663

8.9.7. Handling Unresponsive RADIUS Servers ........................................ 663

8.9.8.Accounting andSystemShutdowns ............................................. 664

8.9.9.Limitations with NAT .................................................................. 664

8.9.10.Advanced RADIUSSettings ........................................................ 664

9.VPN .............................................................................................................. 667

9.1.Overview ............................................................................................ 667

9.1.1.VPN Usage ................................................................................ 667

9.1.2.VPN Encryption ......................................................................... 668

9.1.3.VPN Planning ............................................................................ 669

9.1.4.Key Distribution ......................................................................... 669

9.1.5.The TLSAlternativeforVPN ......................................................... 670

9.2.VPN QuickStart .................................................................................... 671

9.2.1. IPsec LAN-to-LAN with Pre-shared Keys ......................................... 672

9.2.2.IPsecLAN-to-LAN with Certificates ............................................... 673

9.2.3. IPsec Roaming Clients with Pre-shared Keys ................................... 674

9.2.4. IPsec Roaming Clients with Certificates ......................................... 677

9.2.5. L2TP/IPsec Roaming Clients with Pre-Shared Keys ........................... 678

9.2.6. L2TP/IPsec Roaming Clients with Certificates ................................. 680

9.2.7.PPTP Roaming Clients ................................................................. 680

9.2.8.iOS Setup ................................................................................. 681

9.3.IPsecComponents ............................................................................... 683

9.3.1.Overview .................................................................................. 683

9.3.2.InternetKeyExchange (IKE) ......................................................... 683

9.3.3.IKE Authentication ..................................................................... 690

9.3.4.IPsecProtocols (ESP/AH) ............................................................. 691

9.3.5.NATTraversal ............................................................................ 693

9.3.6.AlgorithmProposal Lists ............................................................. 694

9.3.7.Pre-shared Keys ......................................................................... 696

9.3.8.Using IDLists with Certificates ..................................................... 697

9.3.9.DiffServ withIPsec ..................................................................... 699

9.4.IPsecTunnels....................................................................................... 701

9.4.1.Overview .................................................................................. 701

9.4.2. LAN-to-LAN Tunnels with Pre-shared Keys ..................................... 704

9.4.3.Roaming Clients ........................................................................ 708

9.4.4.IKEv2 Support ........................................................................... 713

9.4.5.IKEv2 ClientSetup ...................................................................... 714

9.4.6. Fetching CRLs from an alternate LDAP server ................................. 719

9.4.7.The IPsec Tunnel SelectionProcess ............................................... 720

9.4.8.IPsecTunnel Monitoring ............................................................. 721

9.4.9.IPsecAdvanced Settings ............................................................. 723

User Manual

8

9.5.PPTP/L2TP .......................................................................................... 729

9.5.1.PPTP Servers ............................................................................. 729

9.5.2.L2TP Servers ............................................................................. 730

9.5.3.L2TP/PPTP ServerAdvanced Settings ............................................ 736

9.5.4.PPTP/L2TP Clients ...................................................................... 737

9.5.5.The l2tpandpptpCommands ..................................................... 739

9.6.L2TP Version 3 ..................................................................................... 741

9.6.1.L2TPv3Server ........................................................................... 741

9.6.2.L2TPv3Client ............................................................................ 748

9.7.SSL VPN .............................................................................................. 752

9.7.1.Overview .................................................................................. 752

9.7.2.ConfiguringSSL VPNin NetDefendOS ........................................... 753

9.7.3.InstallingtheSSL VPNClient ........................................................ 755

9.7.4.SSL VPNSetup Example .............................................................. 759

9.8.VPN Troubleshooting............................................................................ 762

9.8.1.General Troubleshooting ............................................................ 762

9.8.2.TroubleshootingCertificates ....................................................... 763

9.8.3. The ike -stat Command ............................................................... 763

9.8.4. The ike -snoop Command ............................................................ 764

9.8.5. Management Interface Failure with VPN ........................................ 771

9.8.6.SpecificErrorMessages ............................................................... 771

9.8.7.SpecificSymptoms ..................................................................... 774

10.Traffic Management ...................................................................................... 776

10.1.Traffic Shaping ................................................................................... 776

10.1.1.Overview ................................................................................ 776

10.1.2.TrafficShaping inNetDefendOS ................................................. 777

10.1.3.Simple BandwidthLimiting ....................................................... 780

10.1.4. Limiting Bandwidth in Both Directions ........................................ 781

10.1.5. Creating Differentiated Limits Using Chains ................................. 783

10.1.6.Precedences ............................................................................ 784

10.1.7.PipeGroups ............................................................................ 788

10.1.8.TrafficShaping Recommendations ............................................. 791

10.1.9.ASummary ofTraffic Shaping .................................................... 793

10.1.10.More Pipe Examples ............................................................... 793

10.2.IDP TrafficShaping ............................................................................. 798

10.2.1.Overview ................................................................................ 798

10.2.2.SettingUpIDP TrafficShaping ................................................... 798

10.2.3.Processing Flow ....................................................................... 799

10.2.4. The Importance of Specifying a Network ...................................... 799

10.2.5.AP2PScenario......................................................................... 800

10.2.6.Viewing TrafficShaping Objects ................................................. 801

10.2.7. Guaranteeing Instead of Limiting Bandwidth ................................ 802

10.2.8.Logging .................................................................................. 802

10.3.ThresholdRules .................................................................................. 803

10.4.Server LoadBalancing ......................................................................... 807

10.4.1.Overview ................................................................................ 807

10.4.2.SLB Distribution Algorithms ....................................................... 809

10.4.3.SelectingStickiness .................................................................. 809

10.4.4.SLB AlgorithmsandStickiness .................................................... 811

10.4.5.Server Health Monitoring .......................................................... 812

10.4.6. Setting Up SLB_SAT Rules .......................................................... 812

10.4.7.SLB Policy ............................................................................... 816

11.High Availability ........................................................................................... 820

11.1.Overview .......................................................................................... 820

11.2.HA Mechanisms ................................................................................. 823

11.3.Setting UpHA .................................................................................... 827

11.3.1.Hardware Setup ....................................................................... 827

11.3.2.Wizard HASetup ...................................................................... 829

11.3.3.ManualHA Setup ..................................................................... 831

11.3.4. Verifying that the Cluster Functions Correctly ............................... 832

11.3.5.Unique Shared Mac Addresses ................................................... 833

User Manual

9

11.4.HA Issues .......................................................................................... 834

11.5.UpgradinganHA Cluster ..................................................................... 837

11.6.Link Monitoring andHA ...................................................................... 839

11.7.HA AdvancedSettings ......................................................................... 840

12.ZoneDefense ............................................................................................... 843

13.Advanced Settings ........................................................................................ 849

13.1.IP LevelSettings ................................................................................. 849

13.2.TCP LevelSettings .............................................................................. 853

13.3.ICMP Level Settings ............................................................................ 859

13.4.State Settings .................................................................................... 860

13.5.Connection Timeout Settings ............................................................... 862

13.6.LengthLimitSettings .......................................................................... 864

13.7.FragmentationSettings ....................................................................... 867

13.8.Local Fragment Reassembly Settings ..................................................... 871

13.9.SSL/TLS Settings ................................................................................. 872

13.10.Miscellaneous Settings ...................................................................... 875

A.Subscribing toUpdates ................................................................................... 880

B.IDPSignature Groups ...................................................................................... 884

C.Verified MIME filetypes .................................................................................... 888

D.TheOSIFramework ........................................................................................ 892

E.DFL-260E/860E PortBased VLAN ....................................................................... 893

F.Third PartySoftwareLicenses ........................................................................... 895

Alphabetical Index ............................................................................................. 901

User Manual

10

List of Figures

1.1.PacketFlowSchematicPartI ............................................................................28

1.2.PacketFlowSchematicPartII ...........................................................................29

1.3.PacketFlowSchematicPartIII ..........................................................................30

1.4. Expanded Apply Rules Logic .............................................................................31

2.1.ManagementWorkstationConnection ..............................................................42

3.1.Path MTU Discovery Processing ...................................................................... 175

3.2.Link Aggregation ......................................................................................... 192

3.3.VLAN Connections ....................................................................................... 197

3.4.AServiceVLANUse Case ............................................................................... 200

3.5.An Exampleof GREUsage .............................................................................. 207

3.6.IP6in4 Tunnel Usage ..................................................................................... 210

3.7.Actingasa6in4Tunnel Server ........................................................................ 212

3.8.AUse Case forLoopback Interfaces ................................................................. 215

3.9. Setting Up Loopback Interfaces with Routing Tables .......................................... 216

3.10.Components ofLoopback Interface Setup ...................................................... 217

3.11.An ARPPublishEthernet Frame .................................................................... 225

3.12.Simplified NetDefendOS Traffic Flow ............................................................. 231

3.13.Certificate ValidationComponents ................................................................ 278

4.1.ATypical Routing Scenario ............................................................................ 287

4.2. Using Local IP Address withanUnbound Network .............................................. 289

4.3.ARoute Failover ScenarioforISPAccess .......................................................... 296

4.4.AProxy ARPExample .................................................................................... 303

4.5.The RLBRound Robin Algorithm ..................................................................... 317

4.6.The RLB Spillover Algorithm ........................................................................... 318

4.7.ARoute Load Balancing Scenario .................................................................... 320

4.8.VirtualRouting ............................................................................................ 324

4.9.The Disadvantage ofRouting Rules ................................................................. 325

4.10.The Advantage ofVirtual Routing ................................................................. 326

4.11.ASimple OSPFScenario ............................................................................... 332

4.12.OSPF Providing Route Redundancy ............................................................... 333

4.13.VirtualLinks ConnectingAreas ..................................................................... 337

4.14.VirtualLinks withPartitioned Backbone ......................................................... 338

4.15.NetDefendOSOSPFObjects ......................................................................... 339

4.16.Dynamic Routing RuleObjects ..................................................................... 347

4.17.An OSPFExample ....................................................................................... 353

4.18. Multicast Forwarding - No Address Translation ................................................ 363

4.19.Multicast Forwarding -AddressTranslation .................................................... 367

4.20.Multicast Snoop Mode ................................................................................ 369

4.21.Multicast Proxy Mode .................................................................................. 369

4.22.TunnelingMulticastusingGRE ..................................................................... 377

4.23.Non-transparent Mode InternetAccess .......................................................... 384

4.24.TransparentModeInternetAccess ................................................................ 385

4.25.TransparentModeUse Case ......................................................................... 386

4.26.An Example BPDURelaying Scenario ............................................................. 389

5.1.DHCP ServerObjects .................................................................................... 401

5.2.DHCP Relaywith Proxy ARP ........................................................................... 405

6.1.Deploying anALG ........................................................................................ 426

6.2.HTTP ALGProcessingOrder ........................................................................... 431

6.3.FTP ALGHybridMode ................................................................................... 437

6.4.SMTPALG Usage .......................................................................................... 449

6.5.SMTPALG ProcessingOrder ........................................................................... 452

6.6.POP3 ALGUsage .......................................................................................... 458

6.7.PPTP ALGUsage ........................................................................................... 462

6.8.TLS Termination ........................................................................................... 501

6.9.Web Content Filtering Flow ........................................................................... 509

6.10.Anti-SpamFiltering ..................................................................................... 540

11

6.11.Anti-VirusMaliciousFileMessage .................................................................. 543

6.12.Anti-VirusMaliciousURLMessage ................................................................. 543

6.13.IDP Database Updating ............................................................................... 553

6.14.IDP Signature Selection ............................................................................... 555

7.1.NATIPAddress Translation ............................................................................ 576

7.2.ANATExample ............................................................................................ 578

7.3.Automatic Address Translation ....................................................................... 581

7.4.Anonymizing with NAT ................................................................................. 583

7.5.SATAddress Translation ................................................................................ 593

7.6.SATwith NAT .............................................................................................. 603

8.1.Normal LDAPAuthentication ......................................................................... 623

8.2. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 ......................................... 624

8.3.UserIdentityAwareness ................................................................................ 641

8.4. The General Tabin theIDAInterface ................................................................ 646

8.5. The Event Monitoring Tab inthe IDAInterface ................................................... 646

8.6. The Security Tab intheIDA Interface ................................................................ 647

8.7. The Excluded Users Tab inthe IDAInterface ...................................................... 648

9.1.The AHprotocol ........................................................................................... 692

9.2.The ESPprotocol .......................................................................................... 693

9.3.PPTP Client Usage ........................................................................................ 739

9.4.An L2TPv3 Example ...................................................................................... 742

9.5.SSL VPNBrowser ConnectionChoices ............................................................. 756

9.6.The SSLVPN Client Login ............................................................................... 757

9.7.The SSLVPN Client Statistics .......................................................................... 758

10.1.PipeRules Determine Pipe Usage .................................................................. 779

10.2. FwdFast RulesBypassTraffic Shaping ............................................................. 780

10.3.Differentiated Limits UsingChains ................................................................ 783

10.4.The EightPipePrecedences ......................................................................... 784

10.5.Minimum andMaximumPipe Precedence ...................................................... 786

10.6.Traffic Grouped ByIP Address ....................................................................... 790

10.7.ABasicTrafficShapingScenario .................................................................... 794

10.8.IDP TrafficShaping P2PScenario ................................................................... 801

10.9.AServerLoadBalancingConfiguration .......................................................... 808

10.10.Connections fromThree Clients .................................................................. 811

10.11.Stickiness andRound-Robin ....................................................................... 811

10.12.Stickiness andConnection-rate ................................................................... 812

D.1.The 7Layers ofthe OSIModel ........................................................................ 892

User Manual

12

List of Examples

1.ExampleNotation .............................................................................................17

2.1.ChangingtheManagementValidationTimeout ..................................................37

2.2.ChangingtheManagementInterfaceIPAddress .................................................38

2.3.ChangingaRemoteManagementObject ..........................................................38

2.4.ChangingtheHAManagementIPAddress .........................................................39

2.5.AddingRemoteManagementviaHTTPS ............................................................40

2.6. Remote Management via HTTPS with CA Signed Certificates ................................. 46

2.7.EnablingSSHRemoteAccess ...........................................................................52

2.8.EnablingSSHAuthenticationUsingSSHKeys .....................................................53

2.9.RunningaCLIScriptfromtheWebInterface .......................................................63

2.10.EnablingRADIUSManagementAuthentication .................................................70

2.11.ListingConfigurationObjects .........................................................................72

2.12.DisplayingaConfigurationObject...................................................................73

2.13.EditingaConfigurationObject .......................................................................73

2.14.AddingaConfigurationObject .......................................................................74

2.15.DeletingaConfigurationObject .....................................................................75

2.16.Undeleting aConfiguration Object ..................................................................75

2.17.ListingModifiedConfigurationObjects ............................................................76

2.18.ActivatingandCommittingaConfiguration .....................................................76

2.19.SettingtheCurrentDateandTime ..................................................................78

2.20.SettingtheTimeZone ...................................................................................79

2.21.EnablingDSTwiththetzDatabase ..................................................................80

2.22.Enabling DSTManually ..................................................................................81

2.23.UsingtheD-LinkTimeServer .........................................................................83

2.24.ConfiguringCustomTimeServers ...................................................................83

2.25.ManuallyTriggeringaTimeSynchronization ....................................................84

2.26.ModifyingtheMaximumAdjustmentValue ......................................................84

2.27.ForcingTimeSynchronization ........................................................................85

2.28.EnableLoggingtoaSyslogHost .....................................................................90

2.29. Enabling Syslog RFC 5424 Compliance with Hostname ....................................... 91

2.30.SettingupaMailAlertingObject ....................................................................95

2.31.SendingSNMPTrapstoanSNMPTrapReceiver.................................................98

2.32.Link Monitor Setup ..................................................................................... 106

2.33.Enabling SNMP Versions 1and2c Monitoring ................................................. 113

2.34.Enabling SNMP Version3Monitoring ............................................................ 114

2.35.Enabling SNMP IndexPersistence ................................................................. 116

2.36. Disabling NetDefendOS Release Notifications ................................................. 135

2.37.Performing aComplete System Backup ......................................................... 138

2.38. Complete Hardware Reset to Factory Defaults ................................................ 139

2.39. Disabling Diagnostics and Quality Improvements Messaging ............................ 143

3.1.Adding anIP HostAddress ............................................................................. 146

3.2.Adding anIP Network ................................................................................... 147

3.3.Adding anIP Range ...................................................................................... 147

3.4.Deleting anAddressObject ........................................................................... 147

3.5.Adding anEthernetAddress .......................................................................... 148

3.6.Adding anFQDNAddress Object .................................................................... 153

3.7. Setting the DNS Minimum TTL and Minimum Lifetime ....................................... 153

3.8.Using FQDNObjectswith anIP Policy .............................................................. 154

3.9.Enabling IPv6 Globally .................................................................................. 156

3.10.Enabling IPv6 onan Interface ....................................................................... 157

3.11.ManuallyAddingIPv6InterfaceAddresses ..................................................... 158

3.12.Enabling IPv6 Advertisements ...................................................................... 160

3.13.AddinganIPv6 Route andEnabling Proxy ND ................................................. 161

3.14.Listing theAvailableServices ........................................................................ 166

3.15.ViewingaSpecific Service ............................................................................ 167

3.16.CreatingaCustomTCP/UDPService .............................................................. 170

13

3.17.AddinganIP Protocol Service ....................................................................... 172

3.18.CreatingaService ....................................................................................... 173

3.19.Enabling PathMTUDiscovery ....................................................................... 176

3.20.Link Aggregation........................................................................................ 195

3.21.Defining aVLAN ......................................................................................... 198

3.22.Defining aService VLAN .............................................................................. 200

3.23.ConfiguringaPPPoEClient .......................................................................... 204

3.24.6in4 Tunnel Configuration ........................................................................... 211

3.25.CreatingaLoopback Interface Pair ................................................................ 217

3.26.CreatinganInterfaceGroup ......................................................................... 218

3.27.Enabling Layer 2Pass Through ..................................................................... 219

3.28.Displaying theARPCache ............................................................................ 222

3.29.Flushing theARPCache ............................................................................... 222

3.30.Defining anARP/Neighbor Discovery Object................................................... 225

3.31.CreatinganIP RuleSet ................................................................................ 235

3.32. Adding a Goto Rule ..................................................................................... 238

3.33.AddingaReturn Rule .................................................................................. 239

3.34. Adding an Allow IPRule ............................................................................... 240

3.35. Setting up a Policy to Allow Connections to a DMZ .......................................... 247

3.36. Setting up a SAT Policy to an Internal Web Server ............................................ 248

3.37.Setting upaGeolocation Filter ..................................................................... 249

3.38.CreatingaStateless Policy ........................................................................... 251

3.39.Specifying anApplicationControl Policy ........................................................ 253

3.40.Using anApplicationControl RuleSet ............................................................ 255

3.41.ApplicationContent Control ........................................................................ 259

3.42.ApplicationContent Controlwith Logging ..................................................... 260

3.43.Setting upaTime-Scheduled Security Policy ................................................... 266

3.44. Uploading a Certificate with the Web Interface ............................................... 274

3.45.AssociatingCertificates withIPsecTunnels ..................................................... 275

3.46.CRL DistributionPointList ........................................................................... 275

3.47.ConfiguringDNS Servers ............................................................................. 281

4.1. Displaying the main RoutingTable .................................................................. 292

4.2. Adding a Route to the main Table ................................................................... 294

4.3.DisplayingtheCore Routes ............................................................................ 295

4.4.Enabling Broadcast Forwarding onaRoute ...................................................... 306

4.5.Creating aRouting Table ............................................................................... 309

4.6.Adding Routes ............................................................................................. 310

4.7.Creating aRouting Rule ................................................................................. 310

4.8.Policy-basedRouting withMultiple ISPs ........................................................... 313

4.9.SettingUpRLB ............................................................................................. 321

4.10. Creating an OSPF Router Process .................................................................... 353

4.11. Add an OSPF Area ....................................................................................... 354

4.12. Add OSPF Interface Objects .......................................................................... 354

4.13. Import Routes from an OSPF AS into the Main Routing Table ............................. 355

4.14.ExportingtheRoutesintoan OSPFAS ............................................................ 356

4.15.Enabling OSPF DebugLog Events ................................................................. 358

4.16. Forwarding Multicast Traffic with a SAT Multiplex IP Rule .................................. 363

4.17. Forwarding Multicast Traffic with a Multicast Policy ......................................... 365

4.18.Multicast Forwarding -AddressTranslation .................................................... 367

4.19.IGMP -No Address Translation ...................................................................... 370

4.20. if1 Configuration ........................................................................................ 371

4.21. if2 Configuration-GroupTranslation ............................................................. 372

4.22.ATransparentModeUse Case ...................................................................... 386

5.1. Enabling an Ethernet Interface as a DHCP Client ................................................ 395

5.2.Settingupan IPv4DHCPserver ...................................................................... 399

5.3.Static IPv4DHCPHostAssignment .................................................................. 401

5.4.SettingupaDHCPRelayer ............................................................................. 405

5.5.Creating anIP Pool ....................................................................................... 410

5.6.DHCPv6 Client Setup .................................................................................... 413

5.7.DHCPv6 ServerSetup .................................................................................... 416

5.8.Static DHCPv6 HostAssignment ..................................................................... 418

User Manual

14

6.1.Settingupan Access Rule .............................................................................. 423

6.2.Using theLight WeightHTTP ALG ................................................................... 433

6.3.Protecting anFTP Serverwith anALG .............................................................. 440

6.4.Protecting FTPClients ................................................................................... 444

6.5.SMTPALG Setup .......................................................................................... 453

6.6.POP3 ALGSetup .......................................................................................... 459

6.7. SIP with Local Clients/Internet Proxy Using IP Rules ........................................... 470

6.8. SIP with Local Clients/Internet Proxy Using IP Policies ........................................ 471

6.9. Protecting Internal H.323 Phones Using IP Rules ................................................ 482

6.10. Protecting Internal H.323 Phones Using IP Policy Objects .................................. 483

6.11.H.323 with aPrivate AddressUsing IPRules .................................................... 485

6.12. 2 Phones Behind Different NetDefend Firewalls Using IP Rules .......................... 487

6.13.Using PrivateIPv4 Addresses ........................................................................ 489

6.14.H.323 with Gatekeeper ................................................................................ 491

6.15. H.323 with Gatekeeper and two NetDefend Firewalls ....................................... 493

6.16.Using H.323in anEnterpriseEnvironment ...................................................... 495

6.17.Configuringremote offices forH.323 ............................................................. 498

6.18. Allowing the H.323 Gateway to register with the Gatekeeper ............................ 499

6.19.Stripping ActiveX andJavaapplets ................................................................ 504

6.20.URL Filtering UsingIP Rules .......................................................................... 506

6.21. Enabling Web Content Filtering Using IP Rules ................................................ 511

6.22.Enabling AuditMode .................................................................................. 513

6.23.Reclassifying ablocked site .......................................................................... 514

6.24.Enabling WCFwith IPPolicies ....................................................................... 516

6.25.Editing Content Filtering HTTP Banner Files .................................................... 522

6.26.Enabling theWCFPerformance Log .............................................................. 525

6.27.Email filtering ofIMAP Traffic ........................................................................ 531

6.28.Activating Anti-Virus withan IPRule .............................................................. 547

6.29.Activating Anti-Virus withan IPPolicy ............................................................ 548

6.30.Changing theAnti-VirusCache Lifetime ......................................................... 550

6.31.Setting upIDP foraMail Server ..................................................................... 560

6.32.Configuringan SMTP LogReceiver ................................................................ 563

6.33.AddingaHost tothe Whitelist ...................................................................... 572

7.1. Specifying a NAT IPRule ................................................................................ 578

7.2. Specifying a NAT IPPolicy .............................................................................. 579

7.3.Using NATPools .......................................................................................... 586

7.4.One-to-One IPTranslation ............................................................................. 591

7.5.Many-to-ManyIP Translation ......................................................................... 594

7.6.All-to-OneIPTranslation ............................................................................... 597

7.7.SettingupaSATIPPolicy .............................................................................. 602

8.1.Creating aLocal UserDatabase ...................................................................... 610

8.2.Adding aUser withGroup Membership ........................................................... 611

8.3.ConfiguringaRADIUSServer ......................................................................... 615

8.4.UserAuthenticationSetupforWebAccess ....................................................... 629

8.5.EditingContent Filtering HTTP Banner Files ...................................................... 636

8.6.Policies Requiring Authentication ................................................................... 639

8.7.Enabling UserIdentityAwareness ................................................................... 642

8.8.RadiusRelay ................................................................................................ 655

8.9.RADIUS Accounting ServerSetup ................................................................... 662

9.1.Using anAlgorithmProposal List .................................................................... 695

9.2.Using aPre-Shared key ................................................................................. 696

9.3.Using anIDList ............................................................................................ 698

9.4.PSK BasedLAN-to-LAN IPsec Tunnel Setup ....................................................... 705

9.5. PSK Based IPsec Tunnel for Roaming Clients Setup ............................................ 708

9.6. Certificate Based IPsec Tunnels for Roaming Clients ........................................... 710

9.7. Setting Up Config Mode Using a Predefined IP Pool ........................................... 712

9.8.Using ConfigModewithIPsecTunnels ............................................................ 713

9.9.IKEv2 EAPClient Setup .................................................................................. 716

9.10.Setting upan LDAP server ........................................................................... 719

9.11.Enabling IPsec TunnelMonitoring ................................................................. 722

9.12.Setting upaPPTPserver .............................................................................. 730

User Manual

15

9.13.Setting upan L2TPserver ............................................................................ 731

9.14.Setting upan L2TPTunnelOverIPsec ............................................................ 732

9.15.L2TPv3 Server Setup ................................................................................... 743

9.16.L2TPv3 Server SetupWith IPsec .................................................................... 744

9.17.L2TPv3 Server SetupFor VLANs .................................................................... 746

9.18.L2TPv3 Client Setup .................................................................................... 749

9.19.L2TPv3 Client SetupWith IPsec ..................................................................... 750

9.20.Setting Upan SSLVPN Interface .................................................................... 759

9.21.Setting SSLVPN InterfaceClientRoutes ......................................................... 761

10.1.Applying aSimpleBandwidth Limit ............................................................... 780

10.2.Limiting BandwidthinBoth Directions ........................................................... 782

10.3.CreatingaThresholdRule ............................................................................ 805

10.4.Setting upSLB withIP Rules ......................................................................... 813

10.5.Setting upSLB withan SLB Policy .................................................................. 816

11.1.Enabling AutomaticClusterSynchronization .................................................. 821

12.1.Setting UpZoneDefense .............................................................................. 846

User Manual

16

Preface

Intended Audience

The target audience for this reference guide is Administrators who are responsible for

configuring and managing NetDefend Firewalls which are running the NetDefendOS operating

system. This guide assumes that the reader has some basic knowledge of networks and network

security.

Text Structure and Conventions

The text is broken down into chapters and sub-sections. Numbered sub-sections are shown in

the table of contents at the beginning. An index is included at the end of the document to aid

with alphabetical lookup of subjects.

Where a "See chapter/section" link (such as: see Chapter 9, VPN) is provided in the main text, this

can be clicked to take the reader directly to that reference.

Text that may appear in the user interface of the product is designated by being in bold case.

Where a term is being introduced for the first time or being stressed it may appear in italics.

Where console interaction is shown in the main text outside of an example, it will appear in a box

with a gray background.

Where a web address reference is shown in the text, clicking it will open the specified URL in a

browser in a new window (some systems may not allow this).

For example, http://www.dlink.com.

Screenshots

This guide contains a minimum of screenshots. This is deliberate and is done because the manual

deals specifically with NetDefendOS and administrators have a choice of management user

interfaces. It was decided that the manual would be less cluttered and easier to read if it

concentrated on describing how NetDefendOS functions rather than including large numbers of

screenshots showing how the various interfaces are used. Examples are given but these are

largely textual descriptions of management interface usage.

Examples

Examples in the text are denoted by the header Example and appear with a gray background as

shown below. They contain a CLI example and/or a Web Interface example as appropriate. (The

NetDefendOS CLI Reference Guide documents all CLI commands.)

Example 1. Example Notation

Information about what the example is trying to achieve is found here, sometimes with an

explanatory image.

Command-Line Interface

The Command Line Interface example would appear here. It would start with the command

prompt followed by the command:

gw-world:/> somecommand someparameter=somevalue

17

Web Interface

The Web Interface actions for the example are shown here. They are also typically a numbered

list showing what items need to be opened followed by information about the data items that

need to be entered:

1. Go to: Item X > Item Y > Item Z

2. Now enter:

•DataItem1: datavalue1

•DataItem2: datavalue2

Highlighted Content

Sections of text which the reader should pay special attention to are indicated by icons on the

left hand side of the page followed by a short paragraph in italicized text. Such sections are of

the following types with the following purposes:

Note

This indicates some piece of information that is an addition to the preceding text. It may

concern something that is being emphasized, or something that is not obvious or

explicitly stated in the preceding text.

Tip

This indicates a piece of non-critical information that is useful to know in certain

situations but is not essential reading.

Caution

This indicates where the reader should be careful with their actions as an undesirable

situation may result if care is not exercised.

Important

This is an essential point that the reader should read and understand.

Warning

This is essential reading for the user as they should be aware that a serious situation

may result if certain actions are taken or not taken.

Trademarks

Preface

18

Certain names in this publication are the trademarks of their respective owners.

Windows is either registered trademarks or trademarks of Microsoft Corporation in the United

States and/or other countries.

Apple,Mac and Mac OS are trademarks of Apple Inc. registered in the United States and/or other

countries.

Preface

19

Chapter 1: NetDefendOS Overview

This chapter outlines the key features of NetDefendOS.

• Features, page 20

• NetDefendOS Architecture, page 24

• NetDefendOS State Engine Packet Flow, page 28

1.1. Features

D-Link NetDefendOS is the base software engine that drives and controls the range of NetDefend

Firewall hardware products.

NetDefendOS as a Network Security Operating System

Designed as a network security operating system, NetDefendOS features high throughput

performance with high reliability plus super-granular control. In contrast to products built on top

of standard operating systems such as Unix or Microsoft Windows, NetDefendOS offers seamless

integration of all its subsystems, in-depth administrative control of all functionality, as well as a

minimal attack surface which helps to negate the risk from security attacks.

NetDefendOS Objects

From the administrator's perspective the conceptual approach of NetDefendOS is to visualize

operations through a set of logical building blocks or objects. These objects allow the

configuration of NetDefendOS in an almost limitless number of different ways. This granular

control allows the administrator to meet the requirements of the most demanding network

security scenarios.

Key Features

NetDefendOS has an extensive feature set. The list below presents the key features of the

product:

IP Routing NetDefendOS provides a variety of options for IP routing

including static routing, dynamic routing (with OSPF) as

well as multicast routing capabilities. In addition,

20

Page is loading ...

D-Link NetDefendOS User manual

D-Link NetDefendOS User manual

Related papers

Other documents