Product Manual
Page 1
Network Security Firewall User Manual DFL-210/800/1600/2500 DFL-260/860/1660/2560(G) Ver 2.27.01 Network Security Solution http://www.dlink.com
Page 14
...is shown in the main text outside of an example, it will appear in a new window (some basic knowledge of networks and network security. Where a "See chapter/section" link (such as: see Chapter 9, VPN) is provided in italics. It was decided that may not allow this). Example...here. For example, http://www.dlink.com. Examples Examples in bold case. Where a term is being introduced for configuring and managing NetDefend Firewalls which are running the NetDefendOS operating system. This guide assumes that reference. Where a web address reference is shown in the text, ...
Page 16
... D-Link NetDefendOS is the base software engine that drives and controls the range of NetDefendOS. • Features, page 16 • NetDefendOS Architecture, page 19 • NetDefendOS State Engine Packet Flow, page 23 1.1. NetDefendOS Overview This chapter outlines the key features of NetDefend Firewall hardware products. In addition, NetDefendOS supports features such as a network security operating...
Page 17
...of thresholds for filtering web content that the NetDefend Firewall can act as either server or client for...VPN types, and can be blocked based on certain D-Link NetDefend product models. For detailed information, see Section 6.2.10...NetDefend Firewall can be whitelisted or blacklisted. NetDefendOS provides various mechanisms for sending alarms and/or limiting network traffic; Traffic Shaping enables limiting and balancing of Virtual Private Network... features integrated anti-virus functionality. On some D-Link NetDefend product models. Features VPN TLS Termination Anti-Virus...
Page 19
... per-connection basis. NetDefendOS detects when a new connection is able to understand the context of the network traffic which network traffic enters or leaves the NetDefend Firewall. The stateful inspection approach additionally provides high throughput performance with the added advantage of state-based connections. ... inspection will sometimes be seen as being established, and keeps a small piece of a network topology. The notion of what is inside and outside " or "secure inside" of information or state in the packet headers. Interface Symmetry The NetDefendOS interface design...
Page 29
...NetDefend Firewall. 2.1.2. Management and Maintenance Console Boot Menu This feature is fully described in , then a second or more administrators who login will only be used to do basic configuration through a specific IPsec tunnel. Access to change the default password of the D-Link firewall (on a certain network... and Netscape (version 8 and later) are the recommended web-browsers to the Administrator user group, in Section 2.1.6, "Secure Copy". Alternatively, they can either belong to use with password admin. This feature is fully described in which case they...
Page 30
...NetDefend DFL-210, 260, 800, 860, 1600 and 2500, the default management interface IP address is 192.168.1.1. • On the NetDefend DFL-1660, 2560 and 2560G, the default management interface IP address is recommended) and point the browser at the address 192.168.1.1. Setting the Workstation IP The assigned NetDefend Firewall... of a Default IP Address For a new D-Link NetDefend firewall with NetDefendOS secure. When performing initial connection to NetDefendOS, the administrator...default settings, launch a web browser on a private network or the public Internet using a standard web browser....
Page 40
...The CLI provides a command called HTTP_if2: gw-world:/> add RemoteManagement RemoteMgmtHTTP HTTP_if2 Interface=if2 Network=all-nets LocalUserDatabase=AdminUsers AccessLevel=Admin HTTP=Yes If we set Address IP4Address if2_net Address=... an IP object in the address book that an all types of management sessions, including: • Secure Shell (SSH) CLI sessions. • Any CLI session through the CLI. Next, create a remote... example called sessionmanager for the NetDefend Firewall. In other words, Internet access has been enabled for managing management sessions themselves. 2.1.4.
Page 67
..., using combinations of upper and lower case letters with the name DFLNNN-TRAP.MIB (where NNN indicates the model number of the firewall) and this should be difficult to guess and therefore be imported by a client: • The GET REQUEST operation • The...protocol to always enable this setting is a standardized protocol for SNMP access. SNMP Monitoring Overview Simple Network Management Protocol (SNMP) is to a network device which provides password security for security reasons. The effect of enabling this setting. Connection can connect to add an invisible Allow rule ...
Page 68
...Interface gw-world:/> add RemoteManagement RemoteMgmtSNMP my_snmp Interface=lan Network=mgmt-net SNMPGetCommunity=Mg1RQqR Should it be found under...it be necessary to enable SNMPBeforeRules (which is not required to the firewall regardless of SNMP requests allowed per second. SNMP Advanced Settings Chapter ... NetDefendOS always expects SNMP traffic on the internal network it is enabled by default) then the setting... Filter enter: • Interface: lan • Network: mgmt-net 4. Management and Maintenance SNMP access. Remote...a network. SNMP Advanced Settings The following SNMP advanced...
Page 90
...interface represents a physical Ethernet port on a NetDefendOS-based product. All network traffic that transits through, originates from or is an important logical building block in the NetDefend Firewall, does so through which can be encapsulated in Section 3.3.4, "PPPoE...security policies, the interface used when NetDefendOS itself is called Physical Sub-Interfaces. Interface Types NetDefendOS supports a number of two functions: • The Source Interface When traffic arrives through NetDefendOS has both a source and destination interface. Fundamentals 3.3. All network...
Page 91
...that refer to its final destination. VPN tunnels are used to implement virtual private networks (VPNs) which are possible to establish GRE tunnels. NetDefendOS supports the following tunnel...; any and core Interfaces In addition, NetDefendOS provides two special logical interfaces which can secure communication between the system and another tunnel end-point in how traffic can be very...these are used to modify if required. To accomplish tunneling, additional headers are when the NetDefend Firewall acts as end-points for use of core are added to the traffic that it is...
Page 97
...following command can also be used to appear as many totally separated external networks can be : gw-world:/> set EthernetDevice lan EthernetDriver=IXP4NPEEthernetDriver PCIBus=0 PCISlot...be changed, or if configuring the interfaces when running NetDefendOS on non-D-Link hardware. Deletions will be treated like any other interfaces in different ... PCISlot= PCIPort= For example, if the driver name is filtered using the security policies described by NetDefendOS and can use the command: gw-world:/> show Ethernet...on a NetDefend Firewall need not limit how many separate interfaces.
Page 101
...PPPoE Client Configuration Since the PPPoE protocol allows PPP to operate over Ethernet, the firewall needs to use one or several Network Control Protocols (NCPs) can be used , at the firewall through IP networks. Once the LCP is used to -Point Protocol (PPP), is a tunneling ...protocol used for example, both IP and IPX traffic can share a PPP link. Each PPPoE tunnel is optional with IP rules being applied to DHCP). IP address provisioning can : • Implement security...
Page 116
... which traffic is permitted to pass through the NetDefend Firewall. Existing service objects can flow through the NetDefend Firewall as well as determining if the traffic is subject to which traffic can also be created. Security Policies Before examining IP rule sets in which ...ICMP. This could define a single IP address or range of the packet. Source Network The network that define NetDefendOS security policies, and which use the same filtering parameters described above (networks/interfaces/service), include: • IP Rules These determine which could also be a ...
Page 117
... and NetDefendOS will take place (source net/interface only) and are the most important of these security policy rule sets. In order to traverse the NetDefend Firewall (as well as core. Specifying Any Interface or Network When specifying the filtering criteria in any traffic to permit any of the rule sets specified above there...
Page 207
... the NetDefend Firewall's presence. With non-switch routes, the NetDefend Firewall acts as users are : • Implementing Security Between Users In a corporate environment, there may be HTTP access out to existing users and hosts is minimized. All NetDefendOS features can be significantly enhanced with deployment of service is explained further below in specified directions. Network security and...
Page 276
...applications to make and receive calls between a H.323 endpoint and a gatekeeper. The gatekeeper may route the call signalling through the NetDefend Firewall. The MCU then manages the calls, resources, video and audio codecs used for addressing, authorization and authentication of terminals and ... and converting media streams. A gateway is opened between two H.323 endpoints or between each other when connected via private networks secured by NetDefend Firewalls. It is more H.323 terminals. The Gatekeeper is a component in implementing H.323 are used for application sharing, file...
Page 355
...Public and Private Keys. Methods B and C are manually entered by a user attempting to gain access to protected resources through a NetDefend Firewall by internal clients using the HTTP protocol is . Access to have drawbacks: keys might be intercepted, passcards might be stolen, ...Internet through the NetDefend Firewall, the administrator will be examined. In using guesswork or systematic automated attempts. Making Use of authentication is that are therefore sometimes combined, for NetDefendOS but first the general issues involved in network security. User Authentication ...
Page 394
...This way, an eavesdropper will allow anyone coming from one of the remote VPN clients are AH, Authentication Header, and ESP, Encapsulating Security Payload. Setting this mean it will typically be tunneled, and is particularly useful in most configurations. The IKE negotiation has two modes of...access, where the IP addresses of VPN endpoint to the "remote network" address discussed above should therefore be processed. The IPsec protocols describe how the data will not be set to None, forcing the NetDefend Firewall to its tunnel and pass it from . 394 In transport mode,...