
User manual D-LINK DFL-2500


CONTENTS

Part I  Preface
    Document Version
    Disclaimer
    About this Document
    Typographical Conventions

Part II  Product Overview
  1 Capabilities
    1.1 Product Highlights

Part III  Introduction to Networking
  2 The OSI Model
  3 Firewall Principles
    3.1 The Role of the Firewall
      3.1.1 What is a Firewall?
      3.1.2 How does a Firewall work?
    3.2 What does a Firewall NOT protect against?
      3.2.1 Attacks on Insecure pre-installed Components
      3.2.2 Inexperienced Users on protected Networks
      3.2.3 Data-Driven Network Attacks
      3.2.4 Internal Attacks
      3.2.5 Modems and VPN Connection
      3.2.6 Holes between DMZs and Internal Networks

Part IV  Administration
  4 Configuration Platform
    4.1 Configuring Via WebUI
      4.1.1 Overview
      4.1.2 Interface Layout
      4.1.3 Configuration Operations
    4.2 Monitoring Via CLI
  5 Logging
    5.1 Overview
      5.1.1 Importance & Capability
      5.1.2 Events
    5.2 Log Receivers
      5.2.1 Syslog Receiver
      5.2.2 Memory Log Receiver
      5.2.3 SMTP Event Receiver
  6 Maintenance
    6.1 Firmware Upgrades
    6.2 Reset To Factory Defaults
    6.3 Backup Configuration
  7 Advanced Settings
    7.1 Overview

Part V  Fundamentals
  8 Logical Objects
    8.1 Address Book
      8.1.1 IP address
      8.1.2 Ethernet address
    8.2 Services
      8.2.1 Service Types
      8.2.2 Error Report & Connection Protection
    8.3 Schedules
    8.4 X.509 Certificates
      8.4.1 Introduction to Certificates
      8.4.2 X.509 Certificates in D-Link Firewall
  9 Interfaces
    9.1 Ethernet
      9.1.1 Ethernet Interfaces
      9.1.2 Ethernet Interfaces in D-Link Firewalls
    9.2 Virtual LAN (VLAN)
      9.2.1 VLAN Infrastructure
      9.2.2 802.1Q VLAN Standard
      9.2.3 VLAN Implementation
      9.2.4 Using Virtual LANs to Expand Firewall Interfaces
    9.3 DHCP
      9.3.1 DHCP Client
    9.4 PPPoE
      9.4.1 PPP
      9.4.2 PPPoE Client Configuration
    9.5 Interface Groups
    9.6 ARP
      9.6.1 ARP Table
  10 Routing
    10.1 Overview
    10.2 Routing Hierarchy
    10.3 Routing Algorithms
      10.3.1 Static Routing
      10.3.2 Dynamic Routing
      10.3.3 OSPF
    10.4 Route Failover
      10.4.1 Scenario: Route Failover Configuration
    10.5 Dynamic Routing Implementation
      10.5.1 OSPF Process
      10.5.2 Dynamic Routing Policy
      10.5.3 Scenarios: Dynamic Routing Configuration
    10.6 Scenario: Static Routing Configuration
    10.7 Policy Based Routing (PBR)
      10.7.1 Overview
      10.7.2 Policy-based Routing Tables
      10.7.3 Policy-based Routing Policy
      10.7.4 PBR Execution
      10.7.5 Scenario: PBR Configuration
    10.8 Proxy ARP
  11 Date & Time
    11.1 Setting the Date and Time
      11.1.1 Current Date and Time
      11.1.2 Time Zone
      11.1.3 Daylight Saving Time (DST)
    11.2 Time Synchronization
      11.2.1 Time Synchronization Protocols
      11.2.2 Timeservers
      11.2.3 Maximum Adjustment
      11.2.4 Synchronization Interval
  12 DNS
  13 Log Settings
    13.1 Implementation
      13.1.1 Defining Syslog Receiver
      13.1.2 Enabling Logging

Part VI  Security Policies
  14 IP Rules
    14.1 Overview
      14.1.1 Fields
      14.1.2 Action types
    14.2 Address Translation
      14.2.1 Overview
      14.2.2 NAT
      14.2.3 Address translation in D-Link Firewall
    14.3 Scenarios: IP Rules Configuration
  15 Access (Anti-spoofing)
    15.1 Overview
      15.1.1 IP Spoofing
      15.1.2 Anti-spoofing
    15.2 Access Rule
      15.2.1 Function
      15.2.2 Settings
    15.3 Scenario: Setting up Access Rule
  16 DMZ & Port Forwarding
    16.1 General
      16.1.1 Concepts
      16.1.2 DMZ Planning
      16.1.3 Benefits
  17 User Authentication
    17.1 Authentication Overview
      17.1.1 Authentication Methods
      17.1.2 Password Criterion
      17.1.3 User Types
    17.2 Authentication Components
      17.2.1 Local User Database (UserDB)
      17.2.2 External Authentication Server
      17.2.3 Authentication Agents
      17.2.4 Authentication Rules
    17.3 Authentication Process
    17.4 Scenarios: User Authentication Configuration

Part VII  Content Inspection
  18 Application Layer Gateway (ALG)
    18.1 Overview
    18.2 FTP
      18.2.1 FTP Connections
      18.2.2 Scenarios: FTP ALG Configuration
    18.3 HTTP
      18.3.1 Components & Security Issues
      18.3.2 Solution
    18.4 H.323
      18.4.1 H.323 Standard Overview
      18.4.2 H.323 Components
      18.4.3 H.323 Protocols
      18.4.4 H.323 ALG Overview
      18.4.5 Scenarios: H.323 ALG Configuration
  19 Intrusion Detection System (IDS)
    19.1 Overview
      19.1.1 Intrusion Detection Rules
      19.1.2 Pattern Matching
      19.1.3 Action
    19.2 Chain of Events
      19.2.1 Scenario 1
      19.2.2 Scenario 2
    19.3 Signature Groups
    19.4 Automatic Update of Signature Database
    19.5 SMTP Log Receiver for IDS Events
    19.6 Scenario: Setting up IDS

Part VIII  Virtual Private Network (VPN)
  20 VPN Basics
    20.1 Introduction to VPN
      20.1.1 VPNs vs Fixed Connections
    20.2 Introduction to Cryptography
      20.2.1 Encryption
      20.2.2 Authentication & Integrity
    20.3 Why VPN in Firewalls
      20.3.1 VPN Deployment
  21 VPN Planning
    21.1 VPN Design Considerations
      21.1.1 End Point Security
      21.1.2 Key Distribution
  22 VPN Protocols & Tunnels
    22.1 IPsec
      22.1.1 IPsec protocols
      22.1.2 IPsec Encapsulation Modes
      22.1.3 IKE
      22.1.4 IKE Integrity & Authentication
      22.1.5 Scenarios: IPsec Configuration
    22.2 PPTP/L2TP
      22.2.1 PPTP
      22.2.2 L2TP
    22.3 SSL/TLS (HTTPS)

Part IX  Traffic Management
  23 Traffic Shaping
    23.1 Overview
      23.1.1 Functions
      23.1.2 Features
    23.2 Pipes
      23.2.1 Precedences and Guarantees
      23.2.2 Grouping Users of a Pipe
      23.2.3 Dynamic Bandwidth Balancing
    23.3 Pipe Rules
    23.4 Scenarios: Setting up Traffic Shaping
  24 Server Load Balancing (SLB)
    24.1 Overview
      24.1.1 The SLB Module
      24.1.2 SLB Features
      24.1.3 Benefits
    24.2 SLB Implementation
      24.2.1 Distribution Modes
      24.2.2 Distribution Algorithms
      24.2.3 Server Health Checks
      24.2.4 Packets Flow by SAT
    24.3 Scenario: Enabling SLB

Part X  Misc. Features
  25 Miscellaneous Clients
    25.1 Overview
    25.2 Dynamic DNS
    25.3 Automatic Client Login
    25.4 HTTP Poster
      25.4.1 URL Format
  26 DHCP Server & Relayer
    26.1 DHCP Server
    26.2 DHCP Relayer

Part XI  Transparent Mode
  27 Transparent Mode
    27.1 Overview
    27.2 Transparent Mode Implementation in D-Link Firewalls
    27.3 Scenarios: Enabling Transparent Mode

Part XII  ZoneDefense
  28 ZoneDefense
    28.1 Overview
    28.2 ZoneDefense Switches
      28.2.1 SNMP
    28.3 Threshold Rules
    28.4 Manual Blocking & Exclude Lists
    28.5 Limitations
    28.6 Scenario: Setting Up ZoneDefense

Part XIII  High Availability
  29 High Availability
    29.1 High Availability Basics
      29.1.1 What High Availability will do for you
      29.1.2 What High Availability will NOT do for you
      29.1.3 Example High Availability setup
    29.2 How Rapid Failover is Accomplished
      29.2.1 The shared IP address and the failover mechanism
      29.2.2 Cluster heartbeats
      29.2.3 The synchronization interface
    29.3 Setting up a High Availability Cluster
      29.3.1 Planning the High Availability cluster
      29.3.2 Creating a High Availability cluster
    29.4 Things to Keep in Mind
      29.4.1 Statistics and Logging Issues
      29.4.2 Configuration Issues

Part XIV  Appendix
  A Console Commands Reference
    List of Commands: About, Access, ARP, ARPSnoop, Buffers, Certcache, CfgLog, Connections, Cpuid, DHCP, DHCPRelay, DHCPServer, DynRoute, Frags, HA, HTTPPoster, Ifacegroups, IfStat, Ikesnoop, Ipseckeepalive, IPSectunnels, IPSecstats, Killsa, License, Lockdown, Loghosts, Memory, Netcon, Netobjects, OSPF, Ping, Pipes, Proplists, ReConfigure, Remotes, Routes, Rules, Scrsave, Services, Shutdown, Sysmsgs, Settings, Stats, Time, Uarules, Userauth, Userdb, Vlan
  B Customer Support

FIGURES & TABLES

  2.1  The OSI 7-Layer Model
  4.1  WebUI Authentication Window
  4.2  WebUI Main Display
  9.1  A VLAN Infrastructure
  9.1  802.1Q Standard Ethernet Frame
  10.1 Route Failover Scenario
  10.2 OSPF Process Scenario
  10.3 Static Routing Scenario
  14.1 Dynamic NAT
  14.1 SAT Example
  16.1 A Web Server in DMZ
  18.1 FTP ALG Scenario 1
  18.2 FTP ALG Scenario 2
  18.3 H.323 Scenario 1
  18.4 H.323 Scenario 2
  18.5 H.323 Scenario 3
  18.6 H.323 Scenario 4
  18.7 H.323 Scenario 5
  19.1 IDS Chain of Events Scenario 1
  19.2 IDS Chain of Events Scenario 2
  19.3 Signature Database Update
  19.4 An IDS Scenario
  20.1 VPN Deployment Scenario 1
  20.2 VPN Deployment Scenario 2
  20.3 VPN Deployment Scenario 3
  20.4 VPN Deployment Scenario 4
  20.5 VPN Deployment Scenario 5
  20.6 VPN Deployment Scenario 6
  22.1 LAN-to-LAN Example Scenario
  22.2 IPsec Roaming Client Example Scenario
  22.1 PPTP Encapsulation
  22.2 L2TP Encapsulation
  23.1 IPv4 Packet Format
  24.1 A SLB Logical View
  24.2 A SLB distribution algorithm example
  24.3 Distribution by Stickiness and Round-Robin Algorithm
  24.4 Distribution by Stickiness and Connection-Rate Algorithm
  24.5 A SLB Scenario
  27.1 Transparent Mode Scenario 1
  27.2 Transparent Mode Scenario 2
  28.1 A ZoneDefense Scenario
  29.1 Example HA Setup

LIST OF SCENARIOS

  Section 10.4: Route Failover Configuration
  Section 10.5: Dynamic Routing Configuration
  Section 10.6: Static Routing Configuration
  Section 10.7: PBR Configuration
  Section 14.3: IP Rules Configuration
  Section 15.3: Setting up Access Rule
  Section 17.4: User Authentication Configuration
  Section 18.2: FTP ALG Configuration
  Section 18.4: H.323 ALG Configuration
  Section 19.6: Setting up IDS
  Section 22.1: IPsec Configuration
  Section 23.4: Setting up Traffic Shaping
  Section 24.3: Enabling SLB
  Section 27.3: Enabling Transparent Mode
  Section 28.6: Setting Up ZoneDefense

Part I  Preface

Document Version

Version No.: 1.02

Disclaimer

Information in this user's guide is subject to change without notice.

About this Document

This User's Guide is designed to be a handy configuration manual as well as an Internetworking and security knowledge learning tool for network administrators.
The document attempts not only to present the means for accomplishing certain operations of the product, but also to explain the fundamentals: what concepts the functions are based on, how the various sections of the product actually work, and why a certain set of configurations is performed, in order to enhance the reader's understanding.

The content of this guide is logically organized into Parts, Chapters, and Sections, with Scenario analysis for every main feature, to better enable the reader to learn the various functions. Following the detailed parts and chapters, supplemental information and an index of relevant terms in this guide are presented.

Typographical Conventions

Example: Configuration steps for achieving a certain function.
WebUI: Example steps for WebUI.
Note: Additional information the user should be aware of.
Tip: Suggestions on configuration that may be taken into consideration.
Caution: Critical information the user should follow when performing a certain action.
Warning: Critical information the user MUST follow to avoid potential harm.

Part II  Product Overview

CHAPTER 1  Capabilities

1.1 Product Highlights

The key features of D-Link firewalls can be outlined as:

· Easy to use start-up wizard
· Web-based graphical user interface (WebUI)
· Effective and easy to maintain
· Complete control of security policies
· Advanced application layer gateways (FTP, HTTP, H.323)
· Advanced monitoring & logging methods
· Full VLAN compliance
· Support for building VPN (IPSec, PPTP, L2TP)
· Route Failover
· Advanced routing (OSPF)
· Transparent Mode support
· Server Load Balancing
· Intrusion Detection System
· ZoneDefense
· High Availability (Some models)

Details about how to make these features work can be found in specific chapters in this user's guide.

Part III  Introduction to Networking

CHAPTER 2  The OSI Model

The Open System Interconnection (OSI) model defines a primary framework for intercomputer communications by categorizing different protocols for a great variety of network applications into seven smaller, more manageable layers. The model describes how data from an application in one computer can be transferred through a network medium to an application in another computer.

The control of the data traffic is passed from one layer to the next, starting at the application layer in one computer, proceeding to the bottom layer, traversing the medium to another computer and then being delivered up to the top of the hierarchy. Each layer handles a certain set of protocols, so that the tasks for achieving an application can be distributed to different layers and implemented independently.

Table 2.1 shows the definition of the 7 layers. The basic functions and common protocols involved in each layer are explained below.

  7   Application Layer
  6   Presentation Layer
  5   Session Layer
  4   Transport Layer
  3   Network Layer
  2   Data-Link Layer
  1   Physical Layer

  Table 2.1: The OSI 7-Layer Model.

Application Layer - defines the user interface that supports applications directly. Protocols: HTTP, FTP, DNS, SMTP, Telnet, SNMP, etc.
Presentation Layer - translates the various applications to uniform network formats that the rest of the layers can understand.
Session Layer - establishes, maintains and terminates sessions across the network. Protocols: NetBIOS, RPC, etc.
Transport Layer - controls data flow and provides error-handling. Protocols: TCP, UDP, etc.
Network Layer - performs addressing and routing. Protocols: IP, OSPF, ICMP, IGMP, etc.
Data-Link Layer - frames the data. Protocols: Ethernet, PPP, etc.
Physical Layer - defines hardware support.

D-Link firewalls handle network traffic and perform diverse functions for security assurance and application support throughout the 7 layers of the OSI model.

CHAPTER 3  Firewall Principles

3.1 The Role of the Firewall

3.1.1 What is a Firewall?

When you connect your computer or your local area network to another network, e.g. the Internet, measures need to be taken to prevent intruders from gaining access to resources and material you consider confidential or sensitive. In order to achieve this, a firewall must be implemented in the network. Its task is to ensure that only approved communication is allowed to flow between networks and that unauthorized communication is blocked and logged.

3.1.2 How does a Firewall work?

The primary purpose of a firewall is to enforce a security policy stating who can communicate with whom and in what way. The firewall accomplishes this by examining the traffic that passes through it, comparing this information to a set of rules programmed into it and making a decision based on factors such as sender address, destination address, protocol and ports. This allows you to install less secure network services on your protected networks and prevent all outsiders from ever gaining access to these services.

Most firewalls, including D-Link firewalls, ensure that network traffic complies with current protocol definitions. This can prevent poorly implemented services on the protected servers and client software from being exposed to unexpected data, causing them to hang or crash. In short, a firewall is the network's answer to poor host security.

3.2 What does a Firewall NOT protect against?

Security means much more than just firewalls. However, in most cases, installing a firewall is a necessary first step towards securing your network and computers.

This section is not specifically devoted to D-Link firewalls; instead it discusses firewalls in general.
The problems described here will occur no matter which firewall you choose to install.

A common misconception is that all communication is immediately made safe and secure once it passes through a firewall. This is, however, not true. Many marketing executives and sales people smile and claim that "our firewall will protect you against everything". We hope that this is just sheer ignorance on their part and not a conscious attempt to mislead potential buyers.

A firewall can only protect against that for which it was designed. Unfortunately, it is impossible to predict all the bugs other software may have. In addition, there are a large number of situations where a firewall quite simply cannot provide protection since not all communication passes through it.

The following is a selection of security problems that firewalls are often unable to deal with, and in some instances we have provided solutions to combat these. Please note that this only scratches the surface in terms of the number of existing problems. Complete protection can only be achieved through thorough understanding of all possible weaknesses in network protocols and in the software used, and by implementing appropriate measures to compensate for these.

3.2.1 Attacks on Insecure pre-installed Components

A very common problem is the fact that operating systems and applications usually contain insecure pre-installed components. Such components include undocumented services present on computers connected to the Internet, allowing inbound external network connections. One example of this form of vulnerability is the "simplifying" components that allow direct ODBC access via HTTP in web servers. The common feature of most of these components is that they are not intended for use on a public network, where intruders can utilize the extra functionality at hand to easily break into the system.
However, modern systems are frequently supplied with such components pre-installed in order to make the system easier to use. A good precaution to take is to review all Internet-connected systems, clients and servers, and remove all unnecessary functionality.

3.2.2 Inexperienced Users on protected Networks

No firewall in the world can protect against the damage that inexperienced users can do to a protected network. If they "assist" an intruder in one way or another, e.g. by opening an unrecognized program sent to them by email such as "merryxmas2001.exe", they can do more damage than all the bugs in applications and operating systems put together.

All attempts to secure the networks of an organization should be preceded by a thorough investigation of what should and should not be permitted. The result of this should be a security policy that applies to all parts of the organization, from management down. In order for such a policy to work, all users must be made aware of this policy and why it must be enforced.

3.2.3 Data-Driven Network Attacks

Normally, a firewall will only protect a system against data-driven attacks in exceptional circumstances. Such attacks include:

· HTML pages containing JavaScript or Java that attack the network
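
The rule comparison described in section 3.1.2, together with the limit noted in section 3.2.3, as an added example that is not part of the D-Link guide and does not reflect how any D-Link product is implemented. The `Packet`, `Rule` and `evaluate` names, the rule set and all addresses are constructed for illustration; the decision uses only sender address, destination address, protocol and port, so the payload of an approved flow never influences it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # None only for portless protocols such as ICMP
    payload: bytes = b""   # carried along, never inspected by the filter

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "drop"
    src_net: str
    dst_net: str
    proto: str             # protocol name, or "any"
    dports: range          # destination ports covered by the rule

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto not in ("any", p.proto):
            return False
        return p.dport is None or p.dport in self.dports

# Constructed policy: a public web server, plus outbound access for the LAN.
RULES = [
    Rule("web-in", "allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", range(80, 81)),
    Rule("lan-out", "allow", "10.0.0.0/8", "0.0.0.0/0", "any", range(0, 65536)),
]

def evaluate(packet, rules, log):
    """First matching rule decides; unmatched traffic is blocked and logged."""
    for rule in rules:
        if rule.matches(packet):
            if rule.action == "drop":
                log.append((rule.name, packet.src, packet.dst, packet.dport))
            return rule.action, rule.name
    log.append(("default-drop", packet.src, packet.dst, packet.dport))
    return "drop", "default-drop"
```

A packet to 192.0.2.10 on TCP port 80 is allowed whatever its `payload` holds, which is why the guide says data-driven attacks are normally outside what the firewall can stop.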
