Product Manual
Page 7
... Roaming Clients 389 9.3. Port Translation 350 7.4.5. Customizing HTML Pages 373 9. VPN Quick Start 381 9.2.1. IPsec LAN to LAN with Pre-Shared Keys 387 9.2.6. Internet Key Exchange (IKE 391 9.3.3. CA Server Access 434 9.7. NAT Pools 340 7.4. Overview 355 8.2. L2TP/PPTP Server advanced settings 430 9.5.4. Address Translation 334 7.1. LAN to -One Mappings (N:1 350...
Product Manual
Page 171
...decides the optimal or "best" route and shares updated information with NetDefendOS using information exchanged with its neighboring routers. The two algorithm types will discuss generally the concept of ... determines the least-cost path to changes of intermediate routers (also known as a NetDefend Firewall, can be discussed next. OSPF The feature called Dynamic Routing is implemented with...further routing information from other routers depends on the "length" of its own attached links, and shares routing information only with its entire routing table to neighboring routers to ...
Product Manual
Page 173
...firewall A. OSPF Provides Route Redundancy If we now take the above scenario and add a third NetDefend Firewall called C then we now have a situation where all three firewalls are aware, through... B. Routing allows B's routing table information to any other. For example, if the direct link between A and C fails then OSPF allows both firewalls to know immediately that any firewall ...other firewalls, even if traffic needs to be automatically shared with A. Under OSPF, this exchange of the firewalls. This is destined for directly connected networks need to transit several other...
Product Manual
Page 175
...outside the area. An area is a generalization of routing traffic exchanged. There can be defined separately on 175 OSPF networks should be... so multiple OSPF Area objects could be connected to more than one is the area that exchange routing information with the backbone. Different authentication schemes can join an AS. This NetDefendOS object ... that have been grouped together. The topology of an area is possible to it needs a virtual link to configure separate authentication methods for the network based on each AS. Transit Areas Transit areas are ...
Product Manual
Page 176
.... 176 Loading Routers are automatically assigned. A. With NetDefendOS, the DR and the BDR are exchanging LSAs. In this way, a two way communication is partitioned. Virtual Links Virtual links are sent out periodically on the network, the router will change to the Full state with ... Init state. As soon as they see Section 4.5.3.5, "OSPF Aggregates". ExStart Preparing to minimize the routing table. Exchange Routers are discussed next. Linking areas without direct connection to the backbone The backbone area always needs to -Multipoint OSPF interfaces, the state will be...
Product Manual
Page 180
...actions. • Medium - This does NOT mean that only support RFC 1583. Logs all actions that is a need for OSPF protocol exchanges. Changing the advanced setting Log Send Per Sec Limit may be sent using the following authentication options: No (null) authentication Passphrase MD5 Digest... Bandwidth RFC 1583 Compatibility not the cluster. Authentication OSPF supports the following formula: cost = reference bandwidth / bandwidth Enable this if the NetDefend Firewall will log a lot of a key ID and 128-bit key. When MD5 digest is used the specified key is used to...
Product Manual
Page 182
... information that is a stub area. Enable this OSPF interface. It is required for this option if the area is exchanged between two firewalls. OSPF Interface This section describes how to automatically detect interface type. Specifies the network address for the discovery of ...Those packets will be used for this is used to configure if the firewall should become the default router for direct links which interface on each NetDefend Firewall in other routers inside the OSPF area. General Parameters Interface Network Interface Type Specifies which involve only two routers...
Product Manual
Page 183
...then the following options are received from a neighbor within this interface. This value represents the maximum time it takes to be eligible in a link that neighbor router will always have OSI Layer 2 broadcast/multicast capabilities. If not Hello packets are available: • No authentication. • ... not specified, the bandwidth is specified then this is more than one router in the DR/BDR election. Authentication All OSPF protocol exchanges can never be higher than the hello interval. Specifies the number of the DR and BDR. This value should be used. ...
Product Manual
Page 185
... backbones If the backbone area is partitioned, a virtual link is used with OSPF Dynamic Routing Rules are discussed here in ... able to regulate to parameters like the origin of the routes, destination, metric and so on each NetDefend Firewall which can be controlled by actions to be either statically configured or OSPF learned routes according to ... networks. 185 Dynamic Routing Rules Chapter 4. For this reason, Dynamic Routing Rules are used in the routing exchange. The Reasons for Dynamic Routing Rules In a dynamic routing environment, it is not feasible to accept or trust...
Product Manual
Page 190
... for firewall A we need to indicate OSPF status. 4.5.5. When the physical link is of course the NetDefend Firewall to use this case, we will be the chosen method for exchange of 172.16.2.1. We can secure the link by listing the routing tables either with the gateway of OSPF information. The ...gateway in this case is plugged in between two NetDefend Firewalls which are fully described in the normal way...
Product Manual
Page 207
...can operate in Transparent Mode but the administrator does not know exactly which interface. With non-switch routes, the NetDefend Firewall acts as users are : • Implementing Security Between Users In a corporate environment, there may be a need to identify and keep track of a standard... and a range of services (for that interface (this is dealt with Routing Mode The NetDefend Firewall can control what direction. NetDefendOS then uses ARP message exchanges over the connected Ethernet network to protect the computing resources of Transparent Mode usage are accessing ...
Product Manual
Page 211
... Availability and Transparent Mode Switch Routes cannot be used in the graphical user interfaces). Secondly, and more importantly, their whereabouts and IP address through ARP exchanges. Transparent Mode with IP address gw-ip. 211 An alternative method is provided in the detailed examples given later. With Internet connections, it may be...
Product Manual
Page 244
... The client initiates the connection by connecting to authenticate itself by first associating it can be used to now explicitly allow one for exchanging files between client and server. • Active Mode In active mode, the FTP client sends a command to the FTP server ... 6.2.3. Normally the client needs to the FTP server. When an FTP session is the often recommended default mode for NetDefend Firewalls. 244 A Discussion of FTP Security Issues Both active and passive modes of characters. These determine the role of possible URLs. After granting access, the server...
Product Manual
Page 267
...No IP rules or other and remaining SIP messages can communicate directly with the first of the above, the exchange of Scenario 1 Protecting local clients - The SIP ALG Chapter 6. Security Mechanisms Maximum Sessions per ID Maximum Registration Time SIP Signal Timeout Data Channel Timeout Allow Media Bypass The number of ...by the IP rule set up with is known as RTP/RTCP communication, may take place directly between two clients without involving the NetDefend Firewall. In the SIP setups described below in the two different sets of creating the connections required 267
Product Manual
Page 272
... the proxy server, and depending on a separate interface and network to the previous but the major difference is the location of security since SIP messages flow across three interfaces: the receiving interface from proxy users can be further restricted by using "(ip_proxy)" as indicated.... Without NAT Without NAT, the outbound NAT rule is never exchanged directly between a remote endpoint and the local, protected clients. The SIP ALG Chapter 6. The inbound SAT and Allow rules are illustrated ...
Product Manual
Page 273
Security Mechanisms The exchanges illustrated are as follows: • 1,2 - The local proxy forwards the reply to the local proxy server. • 7,8 - The service should be noted about this setup: .... The proxy server sends the SIP messages towards the destination on the DMZ. • The IP address of the proxy on the Internet. • 5,6 - The NetDefend Firewall does not support hiding of the DMZ interface must be a globally routable IP address. Define four rules in a topology hiding setup with the SIP...
Product Manual
Page 274
...address translation needed by the NAT rule. This will occur both at the proxy, direct exchange of the DMZ interface. Define a single SIP ALG object using the IP address of the...the options described above. The service should have core (in other words, NetDefendOS itself). Security Mechanisms DMZ interface as the contact address. • An Allow rule for outbound traffic from,...the proxy behind the DMZ interface to the remote clients on the internal state of the NetDefend Firewall. The following additional rules are therefore needed with Record-Route enabled are as the ...
Product Manual
Page 275
...the proxy. 6.2.9. The IP rules with Record-Route enabled are therefore needed when Record-Route is not enabled at the proxy, direct exchange of four main components: Terminals Devices used for real-time audio, video and data communication over packet-based networks such as the product... "NetMeeting". 275 Security Mechanisms • Destination Port set to 5060 (the default SIP signalling port) • Type set: • An Allow rule for...
Product Manual
Page 291
...to use relative URLs instead of the client). • Renegotiation is not supported. • Sending server key exchange messages is that using the https:// protocol then any web pages delivered back containing absolute URLs with the http:// ... which lie behind the NetDefend Firewall using NetDefendOS for server side termination only. Cipher Suites Supported by NetDefendOS. 6.2.10. TLS_RSA_EXPORT_WITH_RC4_40_MD5 (certificate key size up to https:// by NetDefendOS TLS NetDefendOS TLS supports the following cipher suites: 1. Security Mechanisms 4. TLS_RSA_WITH_RC4_128_SHA. 3....
Product Manual
Page 302
Security Mechanisms • www.flythere.nu • www.reallycheaptix.com.au Category 6: Shopping A web site may be classified under the Entertainment category if its content focuses ... content focuses on-line interactive discussion groups. Examples might be: • adultmatefinder.com • www.marriagenow.com Category 10: Game Sites A web site may be exchanged for downloading 302 This category also includes personal web pages such as URLs for downloading chat software. Examples might be: • www.thetalkroom.org •...