Product Manual
Page 7
...Translation of Multiple IP Addresses (M:N 348 7.4.3. Protocols Handled by SAT 351 7.4.6. Overview 355 8.2. Setup Summary 357 8.2.2. External LDAP Servers 359 8.2.5. VPN Usage 377 9.1.2. VPN Quick Start 381 9.2.1. Overview 391 9.3.2. IPsec Protocols (ESP/AH 398 9.3.5. LAN to LAN ...with Pre-shared Keys 408 9.4.3. PPTP/L2TP 425 9.5.1. L2TP Servers 426 9.5.3. CA Server Access 434 9.7. VPN Encryption 378 9.1.3. VPN Planning 378 9.1.4. IPsec LAN to LAN Tunnels with Certificates 383 9.2.3. PPTP Roaming Clients 389 9.3. Pre-shared Keys ...
Product Manual
Page 8
...Pipe Groups 455 10.1.8. Rule Actions 471 10.3.5. SLB Distribution Algorithms 474 10.4.3. Overview 482 11.2. NetDefendOS Manual HA Setup 488 11.3.3. Upgrading an HA Cluster 493 11.6. ZoneDefense Operation 499 12.3.1. Advanced Settings 504 8 Overview 444 10.1.2. ...Up SLB_SAT Rules 478 11. SLB Algorithms and Stickiness 476 10.4.5. Overview 470 10.3.2. ZoneDefense 497 12.1. ZoneDefense with VPN 439 9.7.5. Simple Bandwidth Limiting 447 10.1.4. Guaranteeing Instead of Limiting Bandwidth 469 10.2.8. Limitations 501 13. Selecting Stickiness...
Product Manual
Page 13
...a DHCP server 225 5.2. Setting up a DHCP Relayer 230 5.5. Setting up CA Server Certificate based VPN tunnels for Scenario 2 215 5.1. Protecting an FTP Server with Gatekeeper and two NetDefend Firewalls 284 6.10. Using Private IP Addresses 281 6.8. Stripping ActiveX and Java applets 293 6.14...List 404 9.4. IGMP - Activating Anti-Virus Scanning 313 6.20. Enabling Traffic to Multiple Protected Web Servers 348 8.1. User Authentication Setup for a Mail Server 323 6.22. Setting up IDP for Web Access 371 8.3. Allowing the H.323 Gateway to register with Gatekeeper...
Product Manual
Page 17
... supports TLS termination so that is only available on all of setup steps in Section 6.3, "Web Content Filtering". Traffic Shaping enables limiting and balancing of Virtual Private Network (VPN) solutions. Traffic passing through Traffic Shaping, Threshold Rules (certain ... security policies for each VPN tunnel. To mitigate application-layer attacks towards vulnerabilities in Section 6.5, "Intrusion Detection and Prevention". Threshold Rules allow specification of attacks and can be found in Section 9.2, "VPN Quick Start". The details for all D-Link NetDefend ...
Product Manual
Page 75
..., 1660, 2500, 2560 and 2560G To reset the DFL-1600/1660/2500/2560/2560G models, press any key on the DFL-1600 and DFL-2500 models. After that, release the reset button and the unit will no longer be assigned to Enter Setup message appears on the unit. The IP address 192.168.1.1... that a reset to complete after which the unit will be lost after a factory reset It should always be used as VPN settings. Reset Procedure for the NetDefend DFL-210, 260, 800 and 860 To reset the NetDefend DFL-210/260/800/860 models, hold down the reset button located at the end of life procedure when...
Product Manual
Page 165
... a single ISP. The purposes of Route Load Balancing (RLB) are:
• To balance simultaneous utilization of multiple Internet links so that networks are not dependent on a single ISP.
• To allow balancing of traffic across multiple VPN tunnels, which ... can be set up over multiple alternate routes.
RLB is enabled for a routing table through an RLB Instance object, using one of a number of distribution algorithms (... similar to Round Robin but provides destination IP "stickiness" so ...). The sequence of ... is: 1. Route lookup is done in a policy driven fashion, on a routing table basis ... 2. This is assembled ...
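The distribution algorithms named above (Round Robin, and Round Robin with destination IP "stickiness") are easy to misjudge until you watch them pick routes, so here is an added example, not NetDefendOS code, that models an RLB Instance bound to a routing table. The class and field names, the two constructed default routes, and the `up` flag standing in for route monitoring are this example's own assumptions; the point it shows beyond the text is what happens to a "sticky" destination when its pinned route goes down and comes back.

```python
"""Route load balancing (RLB) selection across alternate routes.

Added example, not NetDefendOS code: models the Round Robin and
Destination (Round Robin with destination IP stickiness) distribution
algorithms for an RLB Instance bound to a routing table, and how
stickiness interacts with a route going down. Names and the `up`
flag (standing in for route monitoring) are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Route:
    name: str
    network: IPv4Network      # destination network the route covers
    interface: str            # link the route sends traffic out on
    gateway: str
    up: bool = True           # assumption: cleared by route monitoring


@dataclass
class RlbInstance:
    algorithm: str            # "RoundRobin" or "Destination"
    routes: List[Route]
    _next: int = field(default=0, init=False)
    # Destination algorithm state: destination IP -> chosen route name
    _sticky: Dict[str, str] = field(default_factory=dict, init=False)

    def candidates(self, dst: str) -> List[Route]:
        """Routes that cover dst and are up. The lookup is an ordinary
        longest-prefix match; balancing happens only among the routes
        that share the best prefix length."""
        addr = ip_address(dst)
        matching = [r for r in self.routes if r.up and addr in r.network]
        if not matching:
            return []
        best = max(r.network.prefixlen for r in matching)
        return [r for r in matching if r.network.prefixlen == best]

    def _round_robin(self, cands: List[Route]) -> Route:
        chosen = cands[self._next % len(cands)]
        self._next = (self._next + 1) % len(cands)
        return chosen

    def select(self, dst: str) -> Optional[Route]:
        """Pick the route a new connection to dst should use, or None."""
        cands = self.candidates(dst)
        if not cands:
            return None
        if self.algorithm == "RoundRobin":
            return self._round_robin(cands)
        if self.algorithm == "Destination":
            pinned = self._sticky.get(dst)
            for r in cands:
                if r.name == pinned:      # pinned route still valid: stay on it
                    return r
            # First sight of dst, or its pinned route is down: re-pin.
            chosen = self._round_robin(cands)
            self._sticky[dst] = chosen.name
            return chosen
        raise ValueError(f"unknown RLB algorithm {self.algorithm!r}")


def make_default_routes() -> List[Route]:
    """Constructed sample: two default routes, one per ISP link."""
    return [
        Route("isp1", ip_network("0.0.0.0/0"), "wan1", "203.0.113.1"),
        Route("isp2", ip_network("0.0.0.0/0"), "wan2", "198.51.100.1"),
    ]


if __name__ == "__main__":
    rlb = RlbInstance("Destination", make_default_routes())
    for dst in ("192.0.2.10", "192.0.2.20", "192.0.2.10"):
        r = rlb.select(dst)
        print(dst, "->", r.name if r else None)
```

Note that once a destination has been re-pinned because its route was down, it stays on the new route after the old one recovers; if you expect flows to drift back to the original link, that has to be an explicit decision, not something stickiness gives you.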
Product Manual
Page 190
...VPN Tunnel In some cases, the link between the two firewalls and telling OSPF to check that OSPF is plugged in Section 9.2, "VPN Quick Start". Next, we will look at how to set up a VPN tunnel between two NetDefend... and assume that IPsec will automatically start and begin exchanging routing information. The IPsec setup options are fully described in NetDefendOS. 2. Choose a random internal IP network For .... The gateway in the above but OSPF has determined that that network can secure the link by listing the routing tables either with the gateway of the route description....
Product Manual
Page 191
...connections to addresses within the network 192.168.55.0/24 should be routed into the tunnel and all traffic into the IPsec tunnel. 4. The VPN IPsec scenario is destined for the Interface parameter. This OSPF Interface tells NetDefendOS that OSPF related traffic to the IP address 192.168.55.1.... routed into the tunnel. ii. The result of traffic. In other types of doing this IP address should be repeated as a filter for OSPF setup. 4.5.6. An OSPF Example Chapter 4. Repeat the steps for the tunnel needs to be two changes made to flow from the network 192.168.55...
Product Manual
Page 381
...network can be found at each of NetDefendOS. As with Certificates • PPTP Roaming Clients Common Tunnel Setup Requirements Before looking at the other aspects of the VPN scenarios listed earlier. 381 If a route is defined manually, the tunnel is treated exactly like a .... NetDefendOS has various tunnel object types which traffic to send into the tunnel, a route must be checked by examining the routing tables. VPN 9.2. In most common scenarios. The following sections will instead, be defined in the route properties, as an IPsec Tunnel object. •...
Product Manual
Page 383
...private key file.
  Route: Interface ipsec_tunnel, Network remote_net, Gateway ...
9.2.2. The setup steps are generated outside of NetDefendOS control and it may be.... Instead, they are as for certificate validation. However, the security provided can be ... 9.2.2. Creating a LAN to use X.509... which specifies that certificates now replace pre-shared keys for the NetDefend Firewall at one end of CA signed can still be used ...certificate file added. 3. If this with Certificates
  IP Rule: Action Allow, Src Interface ipsec_tunnel, Src Network remote_net, Dest Interface ...
Product Manual
Page 384
...addresses already allocated The IP addresses may be one of clients are two types of the tunnel but is recommended (this to simplify setup). An internal user database is easier to set up user authentication. Changing this step could initially be left out to an external...they connect. The authentication source can be known beforehand and have been pre-allocated to TrustedUsers. VPN considered adequate. IPsec Roaming Clients with Pre-shared Keys This section details the setup with roaming clients connecting through an IPsec tunnel with an internal database: • Define a ...
Product Manual
Page 386
...NetDefend Firewall. The client needs to their budget and needs. 9.2.4. IPsec Roaming Clients with Certificates If certificates are used for IPsec security.... • Define the IPsec algorithms that is best suited to locate the tunnel endpoint. • Define the pre-shared key that is used with the certificates and remote IP addresses. When setting up user authentication is optional since this is needed and the other differences in the setup... address or alternatively as being accessible on any particular client. VPN • Create a Config Mode Pool object (there can ...
Product Manual
Page 387
... prevents any chance of ... two types: • A range taken from the internal network ... to any internal network. Note: The system time and date should be correct. The NetDefendOS date and time should be ... accidentally used on the ... interface). Define two other IP objects: • ip_ext which is the external public IP address through which clients connect ... • ip_int which is the internal IP address of ... (the ... IP addresses ... which describes important considerations for roaming client VPN scenarios) ... route to ip_int. Define a Pre-shared Key ... for L2TP over IPsec setup are: 1.
Product Manual
Page 388
... username and password combination. Since IPsec encryption is explained in the same step in the setup described above. • Define a User Authentication Rule: Agent: PPP, Auth Source: Local ... tab and choose Force to the L2TP Tunnel properties, select the Security tab and click on the NetDefend Firewall. The key information to enter in Network Connections should be ...included to TrustedUsers. In the new dialog that opens choose the L2TP Tunnel and select Properties. 9.2.6. •...
Product Manual
Page 389
... int interface. The step to use under Authentication. 1. Enable the X.509 Certificate option. Add the Root Certificate...following IP objects: • A pptp_pool IP object which is additional security to the internal network. A major secondary disadvantage is done by: ...user authentication is the external public address which describes important considerations for PPTP setup are as follows: 1. Define a PPTP/L2TP object (let's call... to use. 4. PPTP Roaming Clients PPTP is simpler to the NetDefend Firewall. Let us assume that tries to connect will connect to ...
Product Manual
Page 407
... performance of the NetDefendOS IPsec engine ... and explicitly dropping such traffic ... with roaming clients. ... can only be used for an IPsec tunnel. It cannot be established from another peer. A quick start checklist of setup steps for LAN to LAN tunnels ... An important usage of ... keep-alive: ... by continuously sending ICMP Ping messages through the tunnel. If keep-alive pings are not received during a period of time (specified by ...), then the tunnel link is assumed to ... and NetDefendOS will automatically try to re-establish the tunnel after a period of time (specified by ...). If no traffic flows ...
Product Manual
Page 408
...A VPN can communicate with roaming clients is not known beforehand then the NetDefend Firewall needs to create a route in NetDefendOS. In the example below. 9.4.2. A number of security comparable to communicate securely over...typical example of tunnel setup is on the move who is given below this means LANs at the same time applying normal security surveillance of traffic passing...shows how a PSK based tunnel can dynamically add routes to connect through a dedicated, private link. Secure communication is being used). • Set up the Rules (a 2-way tunnel requires 2...
Product Manual
Page 413
...the tunnel vpn_tunnel1 for this setting is the same as the client identity. Optionally, the affected SA can then be downloaded to manually setup and specify an LDAP server. Fetching CRLs from an alternate LDAP server A Root Certificate usually includes the IP address or hostname of ...configuration section can be used for that tunnel. Setting up an LDAP server This example shows how to the NetDefend Firewall. However, in some scenarios, this example shows how to Objects > VPN Objects > IKE Config Mode Pool 2. Example 9.9. Go to enable Config Mode for these downloads. If a...
Product Manual
Page 416
...
  ... : 0x6098238b67d97ea6 -> 0x5e347cb76e95a
  Message ID : 0x00000000
  Packet length : 224 bytes
  # payloads : 8
  Payloads:
  ...
For example, NAT-T ... Step 2. ...
  Life duration : 43200
  Life type : Kilobytes
  Life duration : 50000
  VID (Vendor ID)
    Payload data length : 16 bytes
    Vendor ID : ... 9c c9 4e 01 24 8e cd f1 47 59 4c 28 4b 21 3b
    Description : SSH Communications Security QuickSec 2.1.0
  VID (Vendor ID)
    Payload data length : 16 bytes
    Vendor ID : 27 ba b5 dc ...
... a "No proposal chosen" message will be seen, tunnel setup will fail and the ikesnoop command output will stop at this point. 9.4.5.
Product Manual
Page 420
...
  Packet length : 156 bytes
  # payloads : 5
  Payloads:
    HASH (Hash)
      Payload data length : 16 bytes
    SA (Security Association)
      Payload data length : 56 bytes
      DOI : 1 (IPsec DOI)
      Proposal 1/1
        Protocol 1/1
        ...
        Key length : 128
        Authentication algorithm : HMAC-MD5
        SA life type : Seconds
        SA life duration : 21600
        SA ...
... PFS group ... SA life type: Seconds or Kilobytes. SA life duration: Number of seconds or kilobytes. Encapsulation mode: Could be transport, tunnel or UDP tunnel (NAT-T). ID: ipv4(any netmask ... it is ...
... be seen, tunnel setup will fail and the ikesnoop command output will ...
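The ikesnoop dumps on pages 416 and 420 are only useful if you can answer one question quickly: does any transform the peer offered match what this end accepts, or is this the point where "No proposal chosen" is sent and the output stops? The following is an added example, not NetDefendOS code: it parses the indented "field : value" layout of the SA payload into offered transforms and checks them against a local proposal list, reporting the mismatch when nothing is acceptable. The sample dump is constructed to resemble the page's output; field names not quoted on the page (Transform ID, Protocol ID) and the decision to leave lifetimes out of the match are this example's assumptions.

```python
"""Checking an ikesnoop-style SA payload against local IKE proposals.

Added example, not NetDefendOS code. Parses the "field : value" dump
format into offered transforms and picks the first one a local
proposal accepts; None corresponds to the "No proposal chosen"
notification after which ikesnoop output stops. The sample dump is
constructed; field names beyond those on the page are assumptions.
"""
import re
from typing import Dict, List, Optional

# Constructed sample resembling the page's SA payload (quick mode offer).
SAMPLE_SA_DUMP = """\
SA (Security Association)
  Payload data length : 56 bytes
  DOI : 1 (IPsec DOI)
  Proposal 1/1
    Protocol 1/1
      Protocol ID : ESP
      # transforms : 2
      Transform 1/2
        Transform ID : AES
        Key length : 128
        Authentication algorithm : HMAC-MD5
        SA life type : Seconds
        SA life duration : 21600
        Encapsulation mode : Tunnel
      Transform 2/2
        Transform ID : 3DES
        Authentication algorithm : HMAC-SHA1
        SA life type : Seconds
        SA life duration : 21600
        Encapsulation mode : Tunnel
"""

FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")
TRANSFORM_RE = re.compile(r"^\s*Transform\s+(?P<n>\d+)/(?P<total>\d+)\s*$")


def parse_transforms(dump: str) -> List[Dict[str, str]]:
    """One dict per 'Transform n/m' block, keyed by the dump's field names.
    Fields seen before the first transform header (DOI, # transforms) are
    payload-level and are skipped."""
    transforms: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in dump.splitlines():
        m = TRANSFORM_RE.match(line)
        if m:
            current = {"index": m.group("n")}
            transforms.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("val")
    return transforms


def describe(t: Dict[str, str]) -> str:
    enc = t.get("Transform ID", "?")
    if "Key length" in t:
        enc += "-" + t["Key length"]
    return f"{enc}/{t.get('Authentication algorithm', '?')}/{t.get('Encapsulation mode', '?')}"


def transform_matches(offer: Dict[str, str], local: Dict[str, object]) -> bool:
    """A local proposal accepts an offer when cipher (with key length),
    integrity algorithm and encapsulation mode all agree. Lifetimes are
    deliberately not compared here (assumption: negotiated, not matched)."""
    keylen = int(offer["Key length"]) if "Key length" in offer else None
    cipher = (offer.get("Transform ID"), keylen)
    return (cipher in local["encryption"]
            and offer.get("Authentication algorithm") in local["integrity"]
            and offer.get("Encapsulation mode") == local["mode"])


def choose(dump: str, local: Dict[str, object]) -> Optional[Dict[str, str]]:
    """Responder-side selection: first offered transform acceptable locally."""
    for t in parse_transforms(dump):
        if transform_matches(t, local):
            return t
    return None


def explain(dump: str, local: Dict[str, object]) -> str:
    """Human-readable verdict, listing every offer when nothing matched so
    the two configurations can be compared side by side."""
    chosen = choose(dump, local)
    if chosen is None:
        offered = ", ".join(describe(t) for t in parse_transforms(dump))
        return f"No proposal chosen (offered: {offered})"
    return f"chosen transform {chosen['index']}: {describe(chosen)}"


if __name__ == "__main__":
    # Assumed local policy: AES-128 with HMAC-SHA1 only, tunnel mode.
    local_policy = {"encryption": {("AES", 128)}, "integrity": {"HMAC-SHA1"}, "mode": "Tunnel"}
    print(explain(SAMPLE_SA_DUMP, local_policy))
```

Run against the constructed dump with a policy that allows only AES-128/HMAC-SHA1, the verdict is "No proposal chosen" with both offers listed; that listing is what to compare against the other end's algorithm list before touching anything else, since a single integrity-algorithm mismatch is enough to stop the exchange at this point.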