User Guide
Page 2
... against 10 3.2.1 Attacks on Insecure pre-installed Components . . . . . 11 3.2.2 Inexperienced Users on protected Networks 11 3.2.3 Data-Driven Network Attacks 11 3.2.4 Internal Attacks 13 3.2.5 Modems and VPN Connection 13 3.2.6 Holes between DMZs and Internal Networks 14 i
Page 7
... & Integrity 198 20.3 Why VPN in Firewalls 200 20.3.1 VPN Deployment 201 21 VPN Planning 207 21.1 VPN Design Considerations 207 21.1.1 End Point Security 208 21.1.2 Key Distribution 210 22 VPN Protocols & Tunnels 213 22.1 IPsec... 213 22.1.1 IPsec protocols 214 22.1.2 IPsec Modes 214 22.1.3 IKE 215 22.1.4 IKE Integrity & Authentication 219 22.1.5 Scenarios: IPSec Configuration 223 22.2 PPTP/ L2TP 228 22.2.1 PPTP 228 22.2.2 L2TP 234 22.3 SSL/TLS (HTTPS 243 D-Link...
Page 13
xii 19.4 An IDS Scenario 189 20.1 VPN Deployment Scenario 1 201 20.2 VPN Deployment Scenario 2 202 20.3 VPN Deployment Scenario 3 203 20.4 VPN Deployment Scenario 4 203 20.5 VPN Deployment Scenario 5 204 20.6 VPN Deployment Scenario 6 205 22.1 LAN-to-LAN Example Scenario 223 22.2 IPSec Roaming Client Example Scenario 225 22.1 PPTP Encapsulation 228 22.2 L2TP Encapsulation... 262 24.2 A SLB Scenario 266 27.1 Transparent Mode Scenario 1 284 27.2 Transparent Mode Scenario 2 287 28.1 A Zone Defense Scenario 297 29.1 Example HA Setup 303 D-Link Firewalls User's Guide
Page 22
... Highlights The key features of D-Link firewalls can be outlined as: • Easy to use start-up wizard • Web-based graphical user interface (WebUI) • Effective and easy to maintenance • Complete control of security policies • Advanced application layer... gateways (FTP, HTTP, H.323) • Advanced monitoring & logging methods • Full VLAN compliance • Support for building VPN (IPSec, PPTP, L2TP) • Route Failover • ...
Page 32
...by exporting sensitive information in the same manner. As a result, intruders can cause all data security problems are as secure as browsers. However, most people underestimate the impact of vulnerabilities. • Desktop software, primarily ...figures, it . Some sources put this figure as high at 80%. 3.2.5 Modems and VPN Connection A common misconception is clear that which to great extent support scripting languages, for the same reason ... that passes through it is that modems and VPN gateways are the results of internal attacks. D-Link Firewalls User's Guide
Page 33
... modem pool should instead be routed through the VPN connection, must be anywhere near them. It is only as high as a D-Link Firewalls User's Guide Instead, they wish to ensure that these services are increasing as the security of communication permitted. 14 Chapter 3. In instances... where the firewall features an integrated VPN gateway, it is important to remember that ...
Page 70
...the certificate. Options Select one of the following : Name: Name of certificates that none of certificates, D-Link firewalls also employ identification lists (See 22.1.4, Identification Lists(IDLists)). The certificate may either be ...the certificates have been revoked. Fetch the CRL for use in D-Link Firewall X.509 certificates can be uploaded to a remote peer or CA server. There are allowed access through a specific VPN tunnel, provided the certificate validation procedure described above succeeded. 8.4.2 ...
Page 84
...Create Interface Group Interfaces → Interface Groups → Add → Interface Group: Enter the following: Name: testifgroup Security/Transport Equivalent: If enabled, the interface group can be interfaces of an interface group do not need to a common...Interfaces: Select the interfaces that an interface group can be a part of regular Ethernet interfaces, VLAN interfaces, or VPN Tunnels (see 10.3.3) scenarios. For example, IP rules and user authentication rules can be Route Fail-Over and... of such usage can consist of the group. D-Link Firewalls User's Guide 9.5.
Page 143
...address belonging to an outside untrusted network is capable of another interface. D-Link firewalls provide the network administrators choices to verify that packets arriving on a specific interface are carried out over secure channels, which is similar to normal rule, containing Filtering Fields and ...also reduce the spoofing threats.(See 17 User Authentication, VIII VPN) 15.2 Access Rule 15.2.1 Function The Access rule is NOT allowed. If the traffic matches all the fields, D-Link Firewalls User's Guide Access (Anti-spoofing) attacks. 124 ...
Page 151
...name) as an identifier tells who you are, and the password severs as HTTP, FTP, and VPN. For example, a passcard is that this attack. • Find: D-Link Firewalls User's Guide in services, such as an authenticator to prove that it requires some special devices to ... privileges, the password is frequently used Password or a Shared secret phrase. Attacks There are often combined to have add one factors and security levels. User Authentication c) Something the user knows The secret information that the features are vulnerable to this is that only the involved user...
Page 154
...all the users and user groups profiles. RADIUS authentication messages are sent as UDP messages via web browsing. To provide security for remote authentication. It can be defined in the firewall can contain up remote access, RADIUS is now supported by... VPN, wireless access points, and other network access types. D-Link Firewalls User's Guide One or more than one firewall in User Service) Server to perform username/password authentication. ...
Page 155
...to HTTP agent except that the firewall consults to perform the authentication, either in IPsec VPN (if the IPSec tunnel has been configured to require XAUTH authentication). (refer to... to 22.3 SSL/TLS (HTTPS)) • XAUTH - 136 Chapter 17. User Authentication • HTTPS - Authentication via secure web browsing. Note When using XAUTH agent, there is only used to establish SSL connection to the firewall. (refer...require user authentication). (refer to 22.1.4 IKE XAuth) • PPP - D-Link Firewalls User's Guide XAUTH is no need to set up IPsec...
Page 156
... rejection. • The firewall then forwards the approved user's further service requests to 9.4.2, PPPoE Client Configuration, and 22, VPN Protocols & Tunnels, respectively. Authentication Process 137 17.3 Authentication Process A D-Link firewall proceeds user authentication as follows: • A user connects to the firewall to initiate authentication. • The fi... agent are covered. Requests from its core authentication agent. • According to the authentication agent specified in the IP rule set that rule. D-Link Firewalls User's Guide
Page 192
... Gatekeeper is placed that can be deployed in a corporate environment. All outside calls are correctly configured and that the VPN tunnels are done D-Link Firewalls User's Guide H.323 173 WebUI : 1. Then click OK Note There is assumed that all offices use the ...network for both voice communication and application sharing. 18.4. The D-Link Firewall monitors the communication between "external" phones and the Gatekeeper to use private IP-ranges on their local networks. Outgoing Gatekeeper Rule Rules...
Page 195
...IP Rules → Add → IP Rule: Enter the following:
Name: BranchToGW
Action: Allow
Service: H323-Gatekeeper
Source Interface: vpn-branch
Destination Interface: DMZ
Source Network: branch-net
Destination Network: ip-gatekeeper, ip-gateway
Comment: Allow communication with the Gatekeeper on int...-net.
Then click OK 4. Remember to H.323 phones on DMZ from the Branch network Then click OK D-Link Firewalls User's Guide 176 Chapter 18. Application Layer Gateway (ALG) 3. Rules → IP Rules → Add → IP Rule: Enter the...
Page 196
The following:
Name: BranchToGW
Action: Allow
Service: H323-Gatekeeper
Source Interface: vpn-remote
Destination Interface: DMZ
Source Network: remote-net
Destination Network: ip-gatekeeper
Comment: Allow communication with the Gatekeeper on DMZ from the Remote network
Then ...; Add → IP Rule: Enter the following rule should be in the remote and branch offices should be configured as follows. The D-Link Firewalls in both the Branch and Remote Office firewalls. 18...
Page 197
...H.323 Gatekeeper at the Head Office, the following:
Name: ToGK
Action: Allow
Service: H323-Gatekeeper
Source Interface: LAN
Destination Interface: vpn-hq
Source Network: lan-net
Destination Network: hq-net
Comment: Allow communication with the Gatekeeper connected to the Head Office DMZ.
Then ...click OK The branch office D-Link Firewall has a H.323 Gateway connected to be configured. D-Link Firewalls User's Guide Rules → IP Rules → Add → IP Rule: Enter the following rule ...
Page 198
The D-Link Firewall monitors the communication between "external" phones and the Gatekeeper to make sure that are registered with the Gatekeeper connected to specify a specific rule ... calls. Rules → IP Rules → Add → IP Rule: Enter the following:
Name: GWToGK
Action: Allow
Service: H323-Gatekeeper
Source Interface: DMZ
Destination Interface: vpn-hq
Source Network: ip-branchgw
Destination Network: hq-net
Comment: Allow the Gateway to communicate with the gatekeeper...
Page 211
VPNs, Virtual Private Networks, provide means of Encryption and Authentication, offering good flexibility, effective protection, and cost efficiency on connections over public networks via the application of establishing secure links to Cryptography • VPN in this part includes: • Introduction to VPN • Introduction to parties. Topics in Firewalls • VPN Protocols & Tunnels • VPN Planning It is extended over the Internet.
Page 212
...business is increasingly often being solved by the Internet. 20 CHAPTER VPN Basics 20.1 Introduction to VPN Long gone is the time when corporate networks were separate isles of efficient and inexpensive communication. Issues of establishing secure links to parties that the recipient can be someone else. pretending to... anyone else to read or alter it. It is equally important that wish to be trusted in a trustworthy manner. 20.1.1 VPNs vs Fixed Connections Using leased lines or other security investments. Private interests as well as a means of local connectivity.