Product Manual
Page 1
Network Security Firewall User Manual DFL-210/800/1600/2500, DFL-260/860/1660/2560(G), Ver 2.27.01. Network Security Solution. http://www.dlink.com
Page 3
... any obligation to notify any implied warranties of such revision or changes. User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 Published 2010-06-22 Copyright © 2010 Copyright Notice This publication, including all rights reserved. D-Link makes no representations or warranties with all photographs, illustrations and software...
Page 5
...Rule Evaluation 118 3.5.3. CA Certificate Requests 130 3.8. Overview 132 3.8.2. Multicast Routing 194 4.6.1. Using ARP Advanced Settings 112 3.4.5. Security Policies 116 3.5.2. Schedules 126 3.7. The Principles of Routing 143 4.2.2. Static Routing 147 4.2.3. Policy-based Routing Tables 160 ...for Date and Time 136 3.9. Policy-based Routing Rules 160 4.3.4. The Ordering parameter 161 4.4. OSPF Components 179 4.5.4. User Manual 3.2.3. ARP 108 3.4.1. Route Load Balancing 165 4.5. The NetDefendOS ARP Cache 108 3.4.3. An OSPF Example 191 4.6. Advanced...
Page 6
...Web Content Filtering 295 6.4. Subscribing to the D-Link Anti-Virus Service 311 6.4.6. IDP Rules 317 6.5.4. SMTP Log Receiver for D-Link Models 315 6.5.3. Fragmentation overlap attacks: Teardrop, ...Bonk, Boink and Nestea ...... 327 6.6.5. The WinNuke attack 327 6.6.7. Transparent Mode Scenarios 213 4.7.4. DHCP Services 223 5.1. Security Mechanisms 237 6.1. The FTP ALG 244 6.2.4. The POP3 ALG 263 6.2.7. Static Content Filtering 293 6.3.4. Denial-of Death and Jolt Attacks 326 6.6.4. User Manual...
Page 7
Address Translation 334 7.1. NAT Pools 340 7.4. All-to LAN with Pre-shared Keys 384 9.2.4. User Authentication 355 8.1. External RADIUS Servers 359 8.2.4. A Group Usage Example 369 8.2.8. Customizing HTML Pages 373 9. VPN...402 9.3.8. Overview 334 7.2. Translation of Multiple IP Addresses (M:N 348 7.4.3. Overview 355 8.2. VPN ...377 9.1. L2TP/PPTP Server advanced settings 430 9.5.4. User Manual 7. The Local Database 357 8.2.3. The TLS Alternative for VPN 379 9.2. IKE Authentication 397 9.3.4. IPsec Protocols (ESP/AH 398 9.3.5. CA Server Access...
Page 8
...Setting Up HA 487 11.3.1. Upgrading an HA Cluster 493 11.6. ZoneDefense 497 12.1. Overview 497 12.2. Advanced Settings 504 8 User Manual 9.7.2. Overview 444 10.1.2. Limiting Bandwidth in NetDefendOS 445 10.1.3. Rule Actions 471 10.3.5. Overview 482 11.2. HA Hardware Setup 487 ...Shared Mac Addresses 490 11.4. Threshold Rules 499 12.3.3. Limitations 501 13. Overview 470 10.3.2. ZoneDefense Switches 498 12.3. Manual Blocking and Exclude Lists 499 12.3.4. Traffic Management 444 10.1. Precedences 450 10.1.7. The Importance of Traffic Shaping 459 ...
Page 9
TCP Level Settings 508 13.3. State Settings 514 13.5. Connection Timeout Settings 516 13.6. The OSI Framework 537 Alphabetical Index 538 9 Fragmentation Settings 520 13.8. IDP Signature Groups 529 C. ICMP Level Settings 513 13.4. Local Fragment Reassembly Settings 524 13.9. User Manual 13.1. Verified MIME filetypes 533 D. Miscellaneous Settings 525 A. IP Level Settings 504 13.2. Length Limit Settings 518 13.7. Subscribing to Updates 527 B.
Page 11
Stickiness and Connection-rate 477 D.1. User Manual 10.10. Stickiness and Round-Robin 477 10.12. The 7 Layers of the OSI Model 537 11 Connections from Three Clients 476 10.11.
Page 13
...addresses 279 6.6. Protecting FTP Clients 251 6.4. H.323 with IPsec Tunnels 413 9.9. Two Phones Behind Different NetDefend Firewalls 280 6.7. Allowing the H.323 Gateway to register with Gatekeeper 282 6.9. Enabling Dynamic Web Content Filtering...based VPN tunnel for roaming clients 411 9.7. Limiting Bandwidth in Both Directions 449 10.3. Protecting Phones Behind NetDefend Firewalls 277 6.5. Configuring an SMTP Log Receiver 323 6.21. Enabling Traffic to Multiple Protected Web Servers... 341 7.3. Setting up a PPTP server 426 9.11. User Manual 4.14.
Page 14
... managing NetDefend Firewalls which are shown in the table of an example, it will appear in a box with alphabetical lookup of networks and network security. Where a "See chapter/section" link (such... Guide documents all CLI commands.) Example 1. Screenshots This guide contains a minimum of management user interfaces. They are also typically a numbered list showing what the example is trying to ...at the beginning. Examples Examples in italics. An index is done because the manual deals specifically with an explanatory image. It was decided that reference. Example Notation ...
Page 30
... version of a Default IP Address For a new D-Link NetDefend firewall with NetDefendOS secure. Enter your username and password and click the Login... The assigned NetDefend Firewall interface and the workstation interface must use https:// as follows: • On the NetDefend DFL-210, 260, 800...NetDefend DFL-1660, 2560 and 2560G, the default management interface IP address is recommended) and point the browser at the address 192.168.1.1. 2.1.3. If communication with the NetDefendOS is successfully established, a user authentication dialog similar to the one shown below will then be manually...
Page 32
... to factory default. • Upgrade - List the changes made to analyze a problem. Management and Maintenance For information about the default user name and password, see Section 2.1.2, "The Default Administrator Account". Manually update or schedule updates of the system configuration. Restart the firewall or reset to the first page of buttons and drop...
Page 41
...user has full administrator privileges, they can be executed after they are : add set 41 The sessionmanager command options are detailed in the CLI Reference Guide. 2.1.5. Create a text file with a text editor containing a sequential list of the sessionmanager command. The CLI script command is discussed in detail in this manual... extension .sgs (Security Gateway Script). Only Four Commands are Allowed in Scripts The commands allowed in a directory under the root called CLI scripting. The D-Link recommended convention is then uploaded to the NetDefend Firewall using the ...
Page 102
...firewall should accept traffic from the ISP, it stores it as the address of another IP address to users. As with any interface, one or more routes are then manually entered into client computers. It is to through the PPPoE tunnel. When NetDefendOS receives this . 102...a discovery protocol that is used in a network object and uses it in PPPoE sessions. If unnumbered PPPoE is required by the NetDefend Firewall. Unnumbered PPPoE When NetDefendOS acts as establish a unique session identifier. These IP addresses are defined so NetDefendOS knows what IP addresses ...
Page 128
...security between the ends of a tunnel is a digital proof of an X.509 certificate hierarchy with the ITU-T X.509 standard. The CA digitally signs all certificates it prevents data transfer interception by a malicious third-party who might post a fake key with the name and user...key with identification attached, coupled with by a trusted party. In this manual to a public key in much larger networks. The CA certificate is...that tells the information enclosed in NetDefendOS is called the root CA. It links an identity to a certificate means a X.509 certificate. A certification path ...
Page 129
...List (CRL) contains a list of all certificates in the certification path. • Fetch the CRL for each certificate to validate a user certificate in some cases, certificates do not contain this interval depends on an external server which is accessed to NetDefendOS for several days. ... in NetDefendOS, it can be reused between an hour to be configured manually. In some way, or perhaps that have left the company. An identification list is a key reason why certificate security simplifies the administration of the certificates have been revoked. Certificates in IKE/...
Page 211
...Internet. This is described further in a High Availability setup is provided in the above . With Internet connections, it may be manually configured for the interface and any corresponding non-switch routes are called lannet access the Internet via an ISP's gateway with its VLAN... interface by defining a Policy Based Routing Rule. The key disadvantage with this routing table because traffic that these users can plug in the detailed examples given later. Enabling Internet Access A common misunderstanding when setting up access to separate two networks....
Page 257
...the ALG. Using ZoneDefense for blocking relayed emails to an incoming SMTP server would be manually configured It is excluded from the rest of interest is detected. The SMTP ALG ...: • Configure the ZoneDefense switches to be used for blocking local email clients. Security Mechanisms capa=PIPELINING To indicate that provides the ability to apply spam filtering to incoming...block all local SMTP clients. Unsolicited email, sent out in the mailboxes of users behind the NetDefend Firewall. Filtering is a spam module that the pipelining extension was removed from ...
Page 292
...consideration should be impaired. Typically, such code is one of the biggest sources for manually classifying web sites as legal and regulatory liabilities. Overview Web traffic is embedded into ...effort and has very high accuracy. NetDefendOS includes support for an organization or group of users: • Active Content Handling can be selected individually by an automatic classification service.... as ActiveX objects and Java Applets. • Static Content Filtering provides a means for security issues and misuse of objects or files which is described in most cases, the code is...
Page 295
...recently created HTTP ALG to allow. Security Mechanisms 6. Go to retrieve the category of the requested site. Click the HTTP URL tab 4. Instead, D-Link maintains a global infrastructure of databases ...WCF Processing Flow When a user of current web site URL addresses which are dropped. Enter */*.exe in many different languages and hosted on the D-Link NetDefend DFL-260, 860, 1660, 2560...only available on certain NetDefend models Dynamic WCF is not necessary to manually specify beforehand which enables an administrator to permit or block access to the user explaining that category....