Product Manual
Page 7
... with Pre-Shared Keys 387 9.2.6. L2TP Servers 426 9.5.3. PPTP/L2TP Clients 431 9.6. VPN Troubleshooting 437 9.7.1. Translation of Multiple IP Addresses (M:N 348 7.4.3. Overview 355 8.2. IPsec Roaming Clients with Certificates 383 9.2.3. IPsec Components 391 9.3.1. IPsec Protocols (ESP/AH... 413 9.4.5. PPTP/L2TP 425 9.5.1. Multiple SAT Rule Matches 351 7.4.7. Authentication Processing 368 8.2.7. VPN Planning 378 9.1.4. L2TP Roaming Clients with Pre-shared Keys 384 9.2.4. Internet Key Exchange (IKE 391 9.3.3. A Group Usage Example 369 8.2.8....
Page 13
... Setting up CA Server Certificate based VPN tunnels for roaming clients 409 9.6. Setting up a Self-signed Certificate based VPN tunnel for roaming clients 411 9.7. Applying a Simple Bandwidth Limit 447 10.2. if1 Configuration 202 4.16. Protecting Phones Behind NetDefend Firewalls 277 6.5. Editing Content Filtering ...239 6.2. A simple ZoneDefense scenario 500 13 Setting up an L2TP Tunnel Over IPsec 427 10.1. Protecting FTP Clients 251 6.4. Setting up a PSK based VPN tunnel for a Mail Server 323 6.22. Using an Algorithm Proposal List 401 9.2. Setting up a white ...
Page 17
...VPN types, and can be found in Section 6.5, "Intrusion Detection and Prevention". 1.1. The details for all D-Link NetDefend product models as a subscription service. NetDefendOS features integrated anti-virus functionality. The IDP engine is policy-based and is provided as either server or client for this topic can provide individual security... policies for sending alarms and/or limiting network traffic; More information about this can be blocked based on certain D-Link NetDefend product models. ...
Page 68
...settings can help prevent attacks through the internal lan interface from the network mgmt-net using the community string Mg1RQqR. (Since the management client is on the internal network it is enabled by default) then the setting can be sent as plain text over a network. ... Before RulesLimit Enable SNMP traffic to have remote access take place over the public Internet. It is communicating over an encrypted VPN tunnel or similarly secure means of configured IP Rules. 68 Preventing SNMP Overload The advanced setting SNMP Request Limit restricts the number of SNMP requests allowed...
Page 140
... the named DNS servers in VPN scenarios where both ends of the NetDefend Firewall has changed. The named services are sending excessive requests. DNS Chapter 3. It is that HTTP Poster can be used to 7 days). The HTTP Poster client is a generic dynamic DNS client with a default of 604800 ... server. HTTP Poster may blacklist IP addresses that are a convenience that can also be met by NetDefendOS is useful where the NetDefend Firewall has an external IP address that make it is sending and what NetDefendOS is possible to correctly format the URL needed for...
Page 170
...; Click OK Step 3. The detailed steps for more about this topic. 170 Routing In this are as normal with VPN, a number of providing redundancy should one ISP link fail. • Use VPN with one ISP and the other ISP. Step 1. The route balancing instance dialog will be added to an IP rule... set to allow traffic to achieve stickiness so the server always sees the same source IP address (WAN1 or WAN2) from a single client. RLB can...
Page 285
..." phones and the Gatekeeper to make sure that it is placed that shows how the H.323 ALG can handle all H.323 clients in a corporate environment. Now enter: • Name: H323Out • Action: NAT • Service: H323-Gatekeeper •...IP-ranges on their local networks. It is no need a specific rule There is assumed that the VPN tunnels are correctly configured and that are done over the existing telephone network using the gateway (ip-gateway... Outgoing calls do not need to the ordinary telephone network. 285 6.2.9. Security Mechanisms 2. Example 6.10. and remote offices.
Page 289
... order to establish the server's identity and then be regarded as an HTTPS connection and is often indicated by clients to the Secure Sockets Layer (SSL) but the differences are Certificate Authority (CA) signed can be the basis for encryption. Regarding...sometimes referred to call the external phones that the NetDefend Firewall is providing SSL termination since it is authenticated before encrypted communication begins. Security Mechanisms the communication between two end points through the use of VPN solutions such as providing endpoint authentication. TLS can ...
Page 366
...NetDefend Firewall and the server must be prompted for a username/password login sequence. This can one of traffic being authenticated. XAUTH 366 They differ from other NetDefendOS security policies, by specifying which traffic is not local. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 Important: The link...the rule. iii. Authentication Rules Chapter 8. User Authentication Figure 8.2. A VPN link should be defined when a client establishing a connection through a NetDefend Firewall is to NetDefendOS, the link between the two is to be subject to the LDAP server itself ...
Page 367
... and password. Connection Timeouts An Authentication Rule can specify the following: i. XAuth is to normal IPsec security which new connections arrive. Users are best located at the end of the following timeouts related to be ...a connection is the tunnel originator IP. • Terminator IP The terminating IP with XAuth as part of VPN tunnel establishment with IPsec. The local database defined within NetDefendOS is PPP. This is only specified where the...be noted that trigger this approach assumes that clients accessing a VPN must be authenticated.
Page 378
...NetDefend Firewall to which aren't always obvious. Non-repudiation is normally not handled at the network level but the intended recipients is set up between them. 9.1.2. Typically, mobile clients and branch offices are normally only concerned with confidentiality and authentication. These include: • Protecting mobile and home computers. 378 VPN Encryption Chapter 9. Client... to be addressed which the client connects and the VPN tunnel is able to LAN connection - VPN Planning An attacker targeting a VPN connection will , instead, see VPN traffic as an indication that the...
Page 379
... Section 6.2.10, 379 In cases where keys are shared by clients to web servers using a NetDefend Firewall for users on the move to connect directly to their laptops. This topic is not a good solution. The VPN firewall should instead be located in advance. One key for all...? If it is necessary today since mobile computers are using more keys than is a physical token, how should the key be changed? Endpoint Security A common misconception is not directly programmed into a network unit, such as an integral part of a key leaves the company? Placement in possession...
Page 381
...help put those later sections in this , such as it is found at each of the VPN scenarios listed earlier. 381 As with Certificates • PPTP Roaming Clients Common Tunnel Setup Requirements Before looking at the other aspects of the tunnel so it is useful...Route Must Exist Before any VPN tunnel, regardless of the tunnel. • Define an IP Rule to LAN with Certificates • IPsec Roaming Clients with Pre-shared Keys • IPsec Roaming Clients with Certificates • L2TP Roaming Clients with Pre-Shared Keys • L2TP Roaming Clients with route definitions, the ...
Page 384
... pre-shared keys. No CA server considerations are not known beforehand and must be manually input into the VPN client software. 1. IP addresses already allocated The IP addresses may be one end, call this to an external server is internal to set up user ...authentication. XAuth user authentication is not required with IPsec roaming clients but their usage is easier to NetDefendOS. • An external authentication server. Changing this object TrustedUsers). • Add individual users to the roaming...
Page 385
... Agent XAUTH Auth Source Local Src Network all-nets Interface any Client Source IP all-nets is to certain source networks. To do this the above, a more secure defined IP object could be specified (with Pre-shared Keys Chapter 9. VPN The Group string for the first matching XAUTH rule in the ...Authentication Rule with the Authentication Source set, that IP object is used in the above must be used which specifies the exact range of the clients. • No routes can be used as a pool of an IP object. Instead of all-nets Dest Interface lan Dest Network lannet ...
Page 386
...roaming clients instead of the NetDefend Firewall. Configuring IPsec Clients In both cases (A) and (B) above, many third party IPsec client products are a variety of IPsec client software products available from a number of suppliers and this manual will need to be used for IPsec security. ...• Define the IPsec algorithms that will use config mode. The network administrator should use. b. IPsec Roaming Clients with Certificates If certificates are to be correctly configured. VPN • Create a Config Mode Pool ...
Page 387
...Define a PPTP/L2TP Server object (let's call this object ipsec_tunnel) with the following parameters: • Set Inner IP Address to clients. Also review Section 9.6, "CA Server Access", which clients connect (let's assume this interface int). 3. The danger here is a popular choice for certificate validation. 9.2.5. Define an IPsec Tunnel... used on the ext interface). • ip_int which is the external public IP address through which describes important considerations for roaming client VPN scenarios. The steps for the IPsec tunnel. 4. 9.2.5. L2TP is enabled by default. 5.
Page 388
...select the Networking tab and choose Force to enter in the IPsec Roaming Clients section above are then made out to the L2TP Tunnel properties, select the Security tab and click on the NetDefend Firewall. VPN • Set Tunnel Protocol to L2TP. • Set Outer Interface ...Settings button. Normally the main table is used with Certificates Chapter 9. This should consist of the NetDefend Firewall or alternatively its ip_ext IP address. L2TP Roaming Clients with Certificates If certificates are used this object TrustedUsers). • Add individual users to -Point Encryption...
Page 389
...IP address of internal IP addresses that will succeed. If using the Windows XP L2TP client, the appropriate certificates need to the NetDefend Firewall. Also review Section 9.6, "CA Server Access", which clients will connect to (let's assume this interface is int. • An ip_ext object...• For Microsoft Point-to NAT PPTP connections through a tunnel so multiple clients can expire. 2. VPN 1. This is not being able to -Point Encryption it pptp_tunnel) with the New Connection Wizard. If NATing is additional security to use. 4. 9.2.7. The NetDefendOS date and time must be set...
Page 390
VPN • As in the IP rule set up the client. Define a User Authentication Rule, this is exactly as described for L2TP, the NAT rule lets the clients access the public Internet via the NetDefend Firewall. 5. PPTP Roaming Clients Chapter 9. Now set: Action Allow NAT Src Interface pptp_tunnel pptp_tunnel Src Network... 9.2.7. For Windows XP, the procedure is almost identical to L2TP: Agent PPP Auth Source Local Src Network all-nets Interface pptp_tunnel Client Source IP all-nets Service All All As described for L2TP above but without entering the pre-shared key. 390