Product Manual
Page 3
User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 Published 2010-06-22 Copyright © 2010 Copyright Notice This publication, including all rights reserved. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. D-Link reserves... the right to revise this publication and to make changes from time to time in this manual, nor any implied warranties of Liability UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER (E.G. DAMAGES FOR LOSS OF PROFIT, SOFTWARE RESTORATION,...
Product Manual
Page 6
...Manual 4.7. Overview 223 5.2. The POP3 ALG 263 6.2.7. Overview 309 6.4.2. Subscribing to the D-Link Anti-Virus Service 311 6.4.6. Overview 315 6.5.2. IDP Pattern Matching 319 6.5.6. DoS Attack Mechanisms 326 6.6.3. Amplification attacks: Smurf, Papasmurf, Fraggle 328 6.6.8. The Jolt2 Attack 329 6.6.10. Advanced Settings for D-Link... BPDU Support 217 4.7.5. DHCP Relay Advanced Settings 231 5.4. IP Spoofing 238 6.1.3. ALGs 240 6.2.1. Security Mechanisms 237 6.1. The SMTP ALG 254 6.2.6. Static DHCP Hosts 227 5.2.2. Overview 292 6.3.2. IDP ...
Product Manual
Page 12
... Configuration 163 4.6. Forwarding of Examples 1. Viewing a Specific Service 83 3.8. Modifying the Maximum Adjustment Value 135 3.26. Enabling the D-Link NTP Server 136 3.28. Creating an OSPF Router Process 192 4.8. Listing Modified Configuration Objects 53 2.10. Backing up a Time-Scheduled...from an OSPF AS into an OSPF AS 193 4.12. Undeleting a Configuration Object 53 2.9. RADIUS Accounting Server Setup 64 2.14. Manually Triggering a Time Synchronization 135 3.25. Setting the Current Date and Time 132 3.21. Enabling remote management via HTTPS 33 2.2. Displaying...
Product Manual
Page 14
...Structure and Conventions The text is Administrators who are responsible for configuring and managing NetDefend Firewalls which are shown in a new window (some basic knowledge of subjects...Interface The Web Interface actions for the example are used. Where a "See chapter/section" link (such as appropriate. (The NetDefendOS CLI Reference Guide documents all CLI commands.) Example 1. ...and network security. This guide assumes that reference. Where a web address reference is done because the manual deals specifically with a gray background. It was decided that the manual would ...
Product Manual
Page 30
... will then be manually given the following static IP values: • IP address: 192.168.1.30 • Subnet mask: 255.255.255.0 • Default gateway: 192.168.1.1 Logging on to the Web Interface To access the Web Interface using a standard web browser. Using HTTPS as follows: • On the NetDefend DFL-210, 260, 800... system via an Ethernet interface using the factory default settings, launch a web browser on the workstation (the latest version of a Default IP Address For a new D-Link NetDefend firewall with NetDefendOS secure.
Product Manual
Page 41
...as follows: 1. CLI Scripts Chapter 2. The D-Link recommended convention is discussed in detail in this manual. The steps for script management and execution. See also Section 2.1.4, "The CLI" in Section 2.1.6, "Secure Copy". 3. Management and Maintenance • Secure Copy (SCP) sessions. • Web Interface...Upload the file to use the -list option. CLI Scripts To allow the administrator to four and these files to the NetDefend Firewall using the -disconnect option of CLI commands, NetDefendOS provides a feature called /scripts. Only Four Commands are Allowed in...
Product Manual
Page 128
...CA is responsible for making sure that the information in much larger networks. Certificates Chapter 3. Certificate Authorities A certificate authority (CA) is correct. It links an identity to a public key in NetDefendOS is called the root CA. Certificates with VPN Tunnels The main usage of the user, such as name... to the supposed owner. The highest CA is with the name and user ID of a tunnel is also compromised. 128 In this manual to better manage security in every certificate it allows the corresponding private key to other CAs. By binding the above it issues.
Product Manual
Page 136
... Server To enable the use of the D-Link NTP server: Command-Line Interface gw-world:/> set of recommended default values for date and time: Time Zone 136 Go to manually force a synchronization and disregard the maximum adjustment parameter. It is the recommended way of the various ...settings for the synchronization are used. By default, this is then possible to System > Date and Time 2. D-Link Time Servers Using D-Link's own Time Servers is ...
Product Manual
Page 152
...NetDefendOS configuration and are treated differently. Setting the Route Metric When specifying routes, the administrator should first be deleted and then recreated manually as the gateway responds to these routes is important to . As long as a new route. The reason why monitoring cannot ... the route monitoring cannot be enabled on an automatically created route, the route should manually set up , the route is up route failover, Route Monitoring must be chosen: Interface Link Status NetDefendOS will usually have route monitoring enabled, however the backup route does not...
Product Manual
Page 172
...Open Shortest Path First (OSPF) is not available on the DFL-210 and 260. Each router uses the information it and then broadcasts the information to a given destination IP and therefore the best route. OSPF depends on the D-Link NetDefend DFL-800, 860, 1600, 1660 2500, 2560 and 2560G. ...other routers. OSPF is not available on an LS algorithm. Here we have a consistent view of A, OSPF 172 Instead of Link State Algorithms Due to manually insert this larger picture, each OSPF router can be explained later). OSPF can achieve. Routers using OSPF. 4.5.1. Advantages of ...
Product Manual
Page 295
Security Mechanisms 6. Enter */*.exe in order to allow. Instead, D-Link maintains a global infrastructure of databases containing huge numbers...efficient since a given user 295 Click the HTTP URL tab 4. If access is not necessary to manually specify beforehand which enables an administrator to permit or block access to the URL can be allowed ...the requested site has been blocked. In the table, click on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. In the URL textbox, enter www.D-Link.com/*.exe 7. Dynamic Web Content Filtering Chapter 6. Go to a web...
Product Manual
Page 300
Security Mechanisms manually propose a new classification of a web site if he can choose to enable this functionality for regular users or for all web traffic from the dropdown ... enabled on a per -HTTP ALG level basis. Select Enabled in the web site being reclassified, either according to the category proposed or to D-Link's central data warehouse for manual inspection. Example 6.17. Go to select a more appropriate category from lannet to propose reclassification of blocked sites. Check the Allow Reclassification control 7. Dynamic...
Product Manual
Page 484
...Sending on the disabled interface and this case, it no longer operational when it can manually disable heartbeat sending on the sending interface. • The IP TTL is the ... this is that NetDefendOS would mean that is still active. In other is desired. Link-level multicasts are missed (that is not recommended since these heartbeats are received to the... say, after the failover with any other interfaces via the sync interface. The reason for security: using unicast packets would otherwise send heartbeats on Interfaces The administrator can be the result. ...
Product Manual
Page 497
... the D-Link ZoneDefense feature. • Overview, page 497 • ZoneDefense Switches, page 498 • ZoneDefense Operation, page 499 12.1. Overview ZoneDefense Controls Switches ZoneDefense allows a NetDefend Firewall to... locally attached switches. Blocked hosts and networks remain blocked until the system administrator manually unblocks them using the ZoneDefense feature. Chapter 12. Using Thresholds By setting up... When NetDefendOS detects that are based on either a single host or all NetDefend models The ZoneDefense feature is only available on the total number of connections ...
Product Manual
Page 499
... information. This can be triggered if the rate of just the offending host. SNMP Managers A typical managing device, such as a NetDefend Firewall, uses the SNMP protocol to the manager upon receiving an SNMP query. 12.3.2. They store state data in databases known as are...Threshold Rules". 12.3.3. The manager can be triggered if the total number of how Threshold Rules are D-Link switches. The limit can query stored statistics from accessing the switch(es). Manual Blocking and Exclude Lists 499 These parameters specify what type of two types: • Connection Rate ...
Product Manual
Page 500
... already been configured. Example 12.1. This firewall interface is also possible to manually define hosts and networks that all interfaces on a schedule. Go to set up ZoneDefense. Manually blocked hosts and networks can communicate with a management interface address 192.168.1.... Switch model: DES-3226S • IP Address: 192.168.1.250 3. 12.3.3. Manual Blocking and Exclude Lists Chapter 12. Good practice includes adding to the firewall's interface address 192.168.1.1. A D-Link switch model DES-3226S is applied. Go to exclude hosts from accessing the switch ...
Product Manual
Page 527
...activation code. Important: Renew in the Web Interface of your NetDefend Firewall system and enter this ). NetDefendOS will indicate the code is available for that attempt. This is done by -step "Registration manual" which explains registration and update service procedures in more detail is... similarly be taken out. You can be controlled directly through a number of the Web-interface it to the latest updates a D-Link Security Update Subscription should be initiated with the command: 527 Appendix A. In the same area of console commands. Subscription renewal In the ...