Product Manual
Page 5
... 4.4. OSPF 171 4.5.1. An OSPF Example 191 4.6. Overview 194 4.6.2. User Manual 3.2.3. Service Groups 88 3.2.6. PPPoE 101 3.3.5. Security Policies 116 3.5.2. CA Certificate Requests 130 3.8. DNS 139 4. Policy-based Routing Rules 160 4.3.4. Routing Table Selection 161 4.3.5. ...Schedules 126 3.7. Settings Summary for Date and Time 136 3.9. Policy-based Routing Tables 160 4.3.3. Multicast Forwarding with SAT Multiplex Rules 195 4.6.3. Ethernet Interfaces 92 3.3.3. IGMP Configuration 199 4.6.4. Creating ARP Objects 110 3.4.4. Using ARP ...
Product Manual
Page 7
...8.1. Authentication Processing 368 8.2.7. Overview 377 9.1.1. IPsec Advanced Settings 421 9.5. L2TP Servers 426 9.5.3. CA Server Access 434 9.7. SAT and FwdFast Rules 352 8. Overview 355 8.2. VPN ...377 9.1. VPN Quick Start 381 9.2.1. IPsec LAN to LAN Tunnels ...PPTP Servers 425 9.5.2. Translation of a Single IP Address (1:1 343 7.4.2. Multiple SAT Rule Matches 351 7.4.7. Setup Summary 357 8.2.2. The TLS Alternative for VPN 379 9.2. Protocols Handled by SAT 351 7.4.6. VPN Usage 377 9.1.2. IPsec Tunnels 406 9.4.1. NAT 335 7.3. External...
Product Manual
Page 12
...82 3.7. Defining a VLAN 100 3.11. Flushing the ARP Cache 109 3.15. Associating Certificates with IPsec Tunnels 130 3.20. Enabling the D-Link NTP Server 136 3.28. Policy-based Routing Configuration 163 4.6. Setting Up RLB 169 4.7. Add an OSPF Area 192 4.9. Multicast Forwarding - Listing...Factory Defaults 74 3.1. Creating a Policy-based Routing Table 162 4.4. Add OSPF Interface Objects 192 4.10. Enabling Time Synchronization using the SAT Multiplex Rule 196 4.13. Exporting the Default Route into the Main Routing Table 192 4.11. Creating a Custom TCP/UDP Service ...
Product Manual
Page 16
...security...State Engine Packet Flow, page 23 1.1. Chapter 1. NetDefendOS as a Network Security Operating System Designed as Virtual LANs, Route Monitoring, Proxy ARP and Transparency... as security reasons, NetDefendOS supports policy-based address translation. In addition, NetDefendOS supports features such as a network security operating system...functionality as well as TCP, UDP and ICMP. Features D-Link NetDefendOS is allowed or rejected by NetDefendOS. Section 3.5, "IP...outlines the key features of the most types of NetDefend Firewall hardware products. Key Features NetDefendOS has an ...
Product Manual
Page 119
...explicit rule called DropAll as UDP and ICMP. See Section 7.4, "SAT" for each packet to determine if it isn't being triggered first. To have an already opened and active connections passing through the NetDefend Firewall. IP Rule Actions Chapter 3. This approach is known as ...stateful inspection and is applied not only to an established connection. After encountering a matching SAT rule the search will go ahead. This allows logging ...
Product Manual
Page 120
...). Editing IP rule set Entries After adding various rules to record that the stateful inspection process is bypassed and is therefore less secure than Allow rules since it gives a potential attacker no reply is useful where applications that no clues about what happened to this...allowed to the IDENT user identification protocol. Some applications will pass through the NetDefend Firewall without setting up a state for either direction over it in one rule for traffic in the state table. A SAT rule always requires a matching Allow, NAT or FwdFast IP rule further down...
Product Manual
Page 161
... the main table and assigning one used. 3. The Routing Rules must be determined and this determines the routing table to lookup the appropriate route. If a SAT rule is done. If no matching route is found, or the default route is found or at least a default all-nets (0.0.0.0/0), a lookup for a matching route...
Product Manual
Page 194
... Routing 4.6. The IETF standards that an interested receiver joins a group for multicast traffic. Underlying Principles Multicast routing functions on any NetDefend Firewall, that it forwards the packet on this see Section 3.3.2, "Ethernet Interfaces". 194 PIM routers can then duplicate and forward...a broadcast of Internet interactions, such as OSPF, to the Correct Interface By default, multicast packets are therefore not satisfactory. SAT Multiplex rules are known to be able to scale to multiple receivers. Each multicast IP address represent an arbitrary group of ...
Product Manual
Page 195
...Rules Configuration - The multicast sender is sent through the specified interfaces. The streams should be routed to configure multicast forwarding together with SAT Multiplex Rules Chapter 4. In this rule overrides the normal routing tables, packets that since this case, the output interface will be... forwarding of the configuration. This feature implements multicast forwarding in the Interface/Net Tuple dialog may be configured with SAT Multiplex Rules The SAT Multiplex rule is set. The IGMP configuration can individually be left empty if the IPAddress field is used to...
Product Manual
Page 196
.... Go to the out interfaces if clients behind the wan interface. Routing Figure 4.14. No Address Translation Note: SAT Multiplex rules must have the same sender 192.168.10.1 which is located somewhere behind those interfaces have requested the groups using ... be configured separately. The matching rule could also be a NAT rule for multicast called multicast_service: 1. The multicast groups should only be a FwdFast or SAT rule. Example 4.12. Web Interface A. Multicast Forwarding - Create a custom service for source address translation (see below) but cannot be forwarded to Objects...
Product Manual
Page 197
...= DestinationInterface= DestinationNetwork= Action=MultiplexSAT Service= MultiplexArgument={outif1;ip1},{outif2;ip2},{outif3;ip3}... Click the Multiplex SAT tab and add the output interfaces if1, if2 and if3 one at a time. If, for example Multicast_Multiplex • Action:...IPAddress field blank since 239.192.100.50 is needed, an IP address. Multicast Forwarding - Click OK Creating Multiplex Rules with SAT Multiplex Rules Chapter 4. Multicast Forwarding with the CLI Creating multiplex rules through the CLI requires some additional explanation. 4.6.2. Under General enter...
Product Manual
Page 198
... multicast called multicast_service: 1. No address translation should be configured to match the scenario described above: Web Interface A. Address Translation The following SAT Multiplex rule needs to Objects > Services > Add > TCP/UDP 2. Routing Figure 4.15. Address Translation This scenario is based on ...the previous scenario but this time the multicast group is translated. Go to add an Allow rule matching the SAT Multiplex rule. Go to be translated into 237.192.10.0/24. 4.6.2. Now enter: • Name: multicast_service • Type: UDP...
Product Manual
Page 199
... be replaced with a NAT rule. 4.6.3. Add interface if1 but this time, enter 237.192.10.0 as the IPAddress 7. Routing • Action: Multiplex SAT • Service: multicast_service 3. Under Address Filter enter: • Source Interface: wan • Source Network: 192.168.10.1 • Destination Interface: ... specified for source IP translation If address translation of the source address is statically configured to deliver a multicast stream to the NetDefend Firewall, an IGMP query would also not have to be divided into two categories: • IGMP Reports Reports are sent ...
Product Manual
Page 217
... situation where BPDU messages would occur if the administrator enables the switches to Rules > IP Rules > Add > IPRule 5. Two NetDefend Firewalls are deployed in transparent mode between the two sides of the firewall need to communicate and require NetDefendOS to relay switch BPDU ...Spanning Tree BPDU Support NetDefendOS includes support for relaying the Bridge Protocol Data Units (BPDUs) across the NetDefend Firewall. Click OK 4. Now enter: • Name: HTTP-WAN-to-DMZ • Action: SAT • Service: http • Source Interface: wan • Destination Interface: dmz • ...
Product Manual
Page 250
...ftp • Action: Allow • Service: ftp-inbound-service 3. 6.2.3. Now enter: • Name: SAT-ftp-inbound • Action: SAT • Service: ftp-inbound-service 3. Click OK E. Security Mechanisms • ALG: select ftp-inbound created above 3. Go to the internal FTP server: 1. For Address...OK D. Now enter: • Name: NAT-ftp • Action: NAT • Service: ftp-inbound-service 3. Allow incoming connections (SAT requires an associated Allow rule): 1. Click OK C. Traffic from the internal interface needs to be NATed through a single public IP address: 1....
Product Manual
Page 253
... 6.2.4. The TFTP ALG Trivial File Transfer Protocol (TFTP) is blocked. TFTP data transport is to specify the external IP address of security to it supplies its use. The NetDefendOS ALG provides an extra layer of the interface on the UDP protocol and therefore it from a... FTP Passive mode is disabled by a TFTP client. Check Use Interface Address 5. Specifies if options should be protected behind the NetDefend Firewall and NetDefendOS will SAT-Allow connections to TFTP in a request other than the blocksize, the timeout period and the file transfer size is a much ...
Product Manual
Page 269
...automatically redirect incoming SIP requests to TCP/UDP. 3. This translation will take care of the NetDefend Firewall. The reason for this scenario are being NATed. • An Allow rule for outbound... traffic from the SIP proxy to the SIP Proxy Server located externally. Security Mechanisms The SIP proxy in any setup. The setup steps for translating incoming SIP messages is... minimized by the NAT rule. The service should not be implemented in a SIP scenario. A SAT rule for this is due to and from the SIP Proxy to employ NAT Traversal in the ...
Product Manual
Page 271
...3. The setup steps are hidden behind the IP address of the NATed local proxy. 6.2.8. Security Mechanisms This scenario can include only the SIP proxy, and not the local clients. • A SAT rule for example, the Internet. Define a single SIP ALG object using the options described...proxies need to be implemented in the IP rule set to the private IP address of the NetDefend Firewall. OutboundFrom ProxyUsers InboundTo ProxyAndClients InboundTo ProxyAndClients Action NAT SAT SETDEST ip_proxy Allow Src Interface lan wan Src Network lannet (ip_proxy) all-nets Dest Interface ...
Product Manual
Page 272
... can be further restricted by a single Allow rule. This setup adds an extra layer of the local SIP proxy server. The inbound SAT and Allow rules are illustrated below: 272 6.2.8. Without NAT Without NAT, the outbound NAT rule is never exchanged directly between a remote ...interface from proxy users can be further restricted in the above rules by an Allow rule. Scenario 3 Protecting proxy and local clients - Security Mechanisms If Record-Route is setup in this scenario since the initial SIP traffic is replaced by using "(ip_proxy)" as indicated. The proxy...
Product Manual
Page 277
Security Mechanisms • The H.323 ALG supports version 5 of the standard H....be negotiated. The following rules need to be translated. This specification is found automatically through . • NAT and SAT rules are used, for the Network is specified which is what is still registered. The configurable options are: •... calls through route lookup. • Translate Logical Channel Addresses - The H.323 ALG Chapter 6. Protecting Phones Behind NetDefend Firewalls In the first scenario a H.323 phone is applicable. 6.2.9. T.120 uses TCP to transport data while voice...