User Guide
Page 2
... against 10
3.2.1 Attacks on Insecure Pre-installed Components 11
3.2.2 Inexperienced Users on Protected Networks 11
3.2.3 Data-Driven Network Attacks 11
3.2.4 Internal Attacks 13
3.2.5 Modems and VPN Connection 13
3.2.6 Holes between DMZs and Internal Networks 14
Page 7
... & Integrity 198
20.3 Why VPN in Firewalls 200
20.3.1 VPN Deployment 201
21 VPN Planning 207
21.1 VPN Design Considerations 207
21.1.1 End Point Security 208
21.1.2 Key Distribution 210
22 VPN Protocols & Tunnels 213
22.1 IPsec 213
22.1.1 IPsec Protocols 214
22.1.2 IPsec Modes 214
22.1.3 IKE 215
22.1.4 IKE Integrity & Authentication 219
22.1.5 Scenarios: IPsec Configuration 223
22.2 PPTP/L2TP 228
22.2.1 PPTP 228
22.2.2 L2TP 234
22.3 SSL/TLS (HTTPS) 243
Page 13
19.4 An IDS Scenario 189
20.1 VPN Deployment Scenario 1 201
20.2 VPN Deployment Scenario 2 202
20.3 VPN Deployment Scenario 3 203
20.4 VPN Deployment Scenario 4 203
20.5 VPN Deployment Scenario 5 204
20.6 VPN Deployment Scenario 6 205
22.1 LAN-to-LAN Example Scenario 223
22.2 IPsec Roaming Client Example Scenario 225
22.1 PPTP Encapsulation 228
22.2 L2TP Encapsulation ...
... 262
24.2 A SLB Scenario 266
27.1 Transparent Mode Scenario 1 284
27.2 Transparent Mode Scenario 2 287
28.1 A Zone Defense Scenario 297
29.1 Example HA Setup 303
D-Link Firewalls User's Guide
Page 22
... Highlights
The key features of D-Link firewalls can be outlined as:
• Easy-to-use start-up wizard
• Web-based graphical user interface (WebUI)
• Effective and easy to maintain
• Complete control of security policies
• Advanced application layer ... gateways (FTP, HTTP, H.323)
• Advanced monitoring & logging methods
• Full VLAN compliance
• Support for building VPNs (IPsec, PPTP, L2TP)
• Route failover
• ...
Page 32
... as secure as browsers. Scripting languages provide almost unlimited access to extend the functionality of ... such damage. This may seem obvious. Although different sources provide different figures, ... without protection. However, insufficient awareness of potential problems ... can only filter data that ... modems and VPN ...
Page 33
... more companies begin to ... direct attacks and, in protecting your network against intruders, ... The VPN endpoints should never be ... secure, the total level of protection ... as a ... A VPN connection or modem pool should instead be ... anywhere near them. In instances where the ... and as more and more ... or less the same level of security ... is dedicated to ... communicate with already-opened VPN connections. However, the laptop itself may be regarded as ... the security of a protected network. The D-Link Firewall features just such a facility.
3.2.6 Holes between DMZs ...
Page 70
... CA server. There are ... allowed access through a specific VPN tunnel, provided the certificate validation procedure described above succeeded.
8.4.2 X.509 Certificates in ... IKE/IPsec authentication, webauth etc.
Example: Uploading a Certificate to a D-Link Firewall
This example describes how to upload an X.509 certi... remote certificates belonging to ... verifying the signatures of certificates ... that can be self-signed or ... belonging to a D-Link Firewall.
- Options: Select one of the following:
Name: Name of the certificate ...
Page 84
... This means that ... should be moved between the interfaces. All members of an interface group do not need to be interfaces of ... such usage can be used in rules where connections might need to be ... a part of regular Ethernet interfaces, VLAN interfaces, or VPN ... Tunnels (see 10.3.3) ... scenarios.
WebUI:
• Create Interface Group
Interfaces → Interface Groups → Add → Interface Group: Enter the following:
Name: testifgroup
Security/Transport Equivalent: If enabled, the interface group ...
Page 143
... it because of ... monitoring traffic to verify that proper authentication measures are carried out over secure channels, ... which is similar to ... normal rule, containing Filtering Fields and the Action ... to a local ... against the source address ... verification is correctly configured. ... D-Link firewalls provide the network administrators choices to ... do not have a source address which can ... the rules can also reduce the spoofing threats. (See 17 User Authentication, VIII VPN)
15.2 Access Rule
15.2.1 Function
The Access rule is capable of ... the spoofi...
Page 151
... methods, for example, the keys may be used in ... : 20.2.2 Authentication & Integrity, and 22 VPN Protocols & Tunnels.
17.1.2 Password Criterion
In the Username/Password coupling, the username (account name) ... as ... user or administrator's privileges, the password is often ... granted to ... this attack.
• Find: ... in case the user loses ... the feature by encryption algorithms. The basic concepts ... IKE, IKE XAuth, and ID List are ... almost impossible to ... Cryptography. More advanced and secure means of ... encryption is that only the involved user knows and keeps, such as name, ...
Page 154
... prevalent standard for ... RADIUS messages, a common shared secret ... is easily administered. Originally developed for dial-up ... to a RADIUS server. To provide security for ... remote authentication. It can be defined in the firewall to improve the availability ... of a RADIUS message to 100 ... Four different agents built in ... User Service) Server ... to the server, and is now supported by VPN, wireless access points, and other network access types. D-Link firewalls support the use of ... the user's password when the RADIUS message is transmitted from the RADIUS client ...
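The page states that the firewall, acting as a RADIUS client, shares a secret with the RADIUS server and that the user's password is protected by that secret while the message travels to the server. The following is an added example, not code from the D-Link guide, showing exactly what that protection is: the RFC 2865 User-Password hiding scheme (MD5 of secret and Request Authenticator, XORed block by block) and the Response Authenticator the client uses to check the server's reply. The shared secret, Request Authenticator and credentials are constructed values. The last function shows the caveat a practitioner should keep in mind: anyone who captures a request/response pair can test candidate secrets offline against the Response Authenticator, so a short or dictionary-word shared secret exposes every password that RADIUS client ever hid.

```python
import hashlib
import secrets

# Added example (not from the D-Link guide): RFC 2865 User-Password hiding
# and Response Authenticator, i.e. what the shared secret between a RADIUS
# client (the firewall) and the RADIUS server actually protects.


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad the password with NULs to a multiple of 16 octets, then
    c1 = p1 XOR MD5(secret | RA), c_i = p_i XOR MD5(secret | c_(i-1))."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block          # chaining: next key depends on this ciphertext block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as done by the server; the NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: Type, Length (including the 2-octet header), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                   request_auth: bytes = b"") -> bytes:
    """Build an Access-Request (Code 1) carrying User-Name (1) and User-Password (2).
    A fresh random Request Authenticator is used unless one is supplied."""
    ra = request_auth or secrets.token_bytes(16)
    attrs = attribute(1, username) + attribute(2, hide_password(password, secret, ra))
    length = 20 + len(attrs)
    return bytes([1, ident]) + length.to_bytes(2, "big") + ra + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret),
    the value the client recomputes to decide whether a reply is genuine."""
    length = 20 + len(attrs)
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def guess_secret(code, ident, attrs, request_auth, observed, candidates):
    """What a passive eavesdropper can do with one captured request/response
    pair: try candidate secrets offline until the Response Authenticator matches."""
    for cand in candidates:
        if response_authenticator(code, ident, attrs, request_auth, cand) == observed:
            return cand
    return None


if __name__ == "__main__":
    secret = b"correct horse"            # constructed shared secret
    ra = bytes(range(16))                 # constructed Request Authenticator
    hidden = hide_password(b"hunter2", secret, ra)
    print("hidden User-Password:", hidden.hex())
    print("recovered by server :", reveal_password(hidden, secret, ra))
    reply_auth = response_authenticator(2, 7, b"", ra, secret)   # Access-Accept, no attributes
    print("secret recovered offline:", guess_secret(2, 7, b"", ra, reply_auth,
                                                    [b"secret", b"radius", b"correct horse"]))
```

Two consequences for the firewall configuration follow from the code: the secret must be long and random because the scheme offers no protection against offline guessing, and the RADIUS client and server should sit on a trusted segment (or inside a VPN tunnel), because the hiding scheme covers only the User-Password attribute and not the rest of the exchange.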
Page 155
..., only one XAUTH user authentication rule can be used ... to establish an SSL connection to the firewall. (refer to ... set up IPsec VPN tunnels. ... Similar to the HTTP agent except that Host & Root Certificates are set up ... (if the PPTP/L2TP tunnel ... prompt users with the authentication request.
• Where is the location of the database that the firewall consults to perform the authentication, either in ... IPsec VPN (if the IPsec tunnel has been configured to require XAUTH authentication). (refer to 9.4.1 PPP, and 22.2 PPTP/L2TP)
17.2.4 Authentication ...
Page 156
Requests from its core authentication agent.
• According to 9.4.2, PPPoE Client Configuration, and 22, VPN Protocols & Tunnels, respectively.
17.3 Authentication Process
A D-Link firewall performs user authentication as follows:
• A user connects to the firewall ... to the timeout restrictions defined in the ...
Page 192
Then click OK
Note: It is assumed that the VPN tunnels are ... done ... At the head office DMZ an H.323 Gatekeeper is placed ... that are registered with a gatekeeper. All outside calls are ... correctly configured and ... that shows how the H.323 ALG can handle all H.323 clients in the head-, branch- ... The D-Link Firewall monitors the communication between "external" phones and the Gatekeeper ... to call the external phones ... that can be deployed in a Corporate Environment. This scenario is ...
Page 195
... DMZ
Destination Interface: LAN
Source Network: ip-gateway
Destination Network: lan-net
Comment: Allow communication from the Branch network
Then click OK
Remember to ... H.323 phones on DMZ from the Gateway ... to use the correct service. Then click OK
4. ... Rules → Add → IP Rule: Enter the following:
Name: BranchToGW
Action: Allow
Service: H323-Gatekeeper
Source Interface: vpn-branch
Destination Interface: DMZ
Source Network: branch-net
Destination Network: ip-gatekeeper, ip-gateway
Comment: Allow communication with the Gatekeeper on int-net.
Page 196
... be configured to use the H.323 Gatekeeper at the head office. ... the following:
Name: BranchToGW
Action: Allow
Service: H323-Gatekeeper
Source Interface: vpn-remote
Destination Interface: DMZ
Source Network: remote-net
Destination Network: ip-gatekeeper
Comment: Allow communication with the Gatekeeper on DMZ from the Remote network
Then click OK
Branch and Remote Office Firewall
The branch and remote office H.323 phones and applications will be configured as follows. The D-Link Firewalls in both the Branch and Remote Office ... firewalls ...
Page 197
... register with the H.323 Gatekeeper at the Head Office, ... the following rule has to be configured.
WebUI:
1. Rules → IP Rules → Add → IP Rule: Enter the following:
Name: ToGK
Action: Allow
Service: H323-Gatekeeper
Source Interface: LAN
Destination Interface: vpn-hq
Source Network: lan-net
Destination Network: hq-net
Comment: Allow communication with the Gatekeeper connected to ... the Head Office DMZ.
Then click OK
The branch office ...
Page 198
The D-Link Firewall monitors the communication between "external" phones and the Gatekeeper to make sure that ... are registered with the Gatekeeper connected to the Head Office. ... calls.
Rules → IP Rules → Add → IP Rule: Enter the following:
Name: GWToGK
Action: Allow
Service: H323-Gatekeeper
Source Interface: DMZ
Destination Interface: vpn-hq
Source Network: ip-branchgw
Destination Network: hq-net
Comment: Allow the Gateway to communicate with the gatekeeper ...
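The head office IP rules above (BranchToGW and the matching vpn-remote rule) and the Access Rule anti-spoofing check described in 15.2 combine into one lookup per new connection: first, is the source address plausible on the interface it arrived on; then, which IP rule matches the source interface, destination interface, service and networks, top down, first match wins, with an implicit Drop at the end. The following is an added example, not the firewall's own code, that models that lookup in Python over the head office scenario. The address-book object names are the scenario's; the addresses behind them, the interface names, and the sample flows are constructed. The firewall's H323-Gatekeeper service definition is not on the page, so the standard H.323 ports (RAS UDP/1719, Q.931 call signalling TCP/1720) are assumed. The page gives both VPN rules the name BranchToGW; the second is called RemoteToGW here only so that rule names stay unique.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example (not the D-Link firewall's code): a model of the Access Rule
# check followed by first-match IP rule lookup for the H.323 head office scenario.

# Address book. Object names are from the scenario; the addresses are constructed.
NETS = {
    "lan-net":       ["192.168.1.0/24"],
    "dmz-net":       ["192.168.2.0/24"],
    "branch-net":    ["10.1.0.0/16"],
    "remote-net":    ["10.2.0.0/16"],
    "ip-gatekeeper": ["192.168.2.10/32"],
    "ip-gateway":    ["192.168.2.11/32"],
}

# Service objects. Standard H.323 ports assumed (RAS UDP/1719, Q.931 TCP/1720).
SERVICES = {
    "H323-Gatekeeper": {("udp", 1719), ("tcp", 1720)},
    "http": {("tcp", 80)},
}

# Access rules: the source networks that may legitimately arrive on each interface.
# A packet whose source does not fit its ingress interface is spoofed and dropped
# before the IP rule set is consulted. (Also used here as the routing table.)
ACCESS = {
    "LAN":        ["lan-net"],
    "DMZ":        ["dmz-net"],
    "vpn-branch": ["branch-net"],
    "vpn-remote": ["remote-net"],
}

# IP rules from the head office scenario, evaluated top down, first match wins.
# Anything that matches nothing falls through to Drop.
IP_RULES = [
    # (name, action, service, src iface, dst iface, src nets, dst nets)
    ("BranchToGW", "Allow", "H323-Gatekeeper", "vpn-branch", "DMZ",
     ["branch-net"], ["ip-gatekeeper", "ip-gateway"]),
    ("RemoteToGW", "Allow", "H323-Gatekeeper", "vpn-remote", "DMZ",
     ["remote-net"], ["ip-gatekeeper"]),
]


@dataclass(frozen=True)
class Flow:
    src_iface: str   # interface the first packet arrived on
    src_ip: str
    dst_ip: str
    proto: str       # "tcp" or "udp"
    dport: int


def in_nets(ip: str, names) -> bool:
    """True if ip falls inside any address-book object in names."""
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for name in names for cidr in NETS[name])


def route_iface(ip: str):
    """Route lookup: the interface through which the destination is reached."""
    for iface, names in ACCESS.items():
        if in_nets(ip, names):
            return iface
    return None


def evaluate(flow: Flow):
    """Return (verdict, reason) for the first packet of a new connection."""
    allowed = ACCESS.get(flow.src_iface)
    if allowed is None or not in_nets(flow.src_ip, allowed):
        return "Drop", "access-rule: source address not valid on " + flow.src_iface
    dst_iface = route_iface(flow.dst_ip)
    for name, action, service, s_if, d_if, s_nets, d_nets in IP_RULES:
        if (flow.src_iface, dst_iface) != (s_if, d_if):
            continue
        if (flow.proto, flow.dport) not in SERVICES[service]:
            continue
        if in_nets(flow.src_ip, s_nets) and in_nets(flow.dst_ip, d_nets):
            return action, name
    return "Drop", "default"


if __name__ == "__main__":
    samples = [  # constructed flows
        Flow("vpn-branch", "10.1.5.20", "192.168.2.10", "udp", 1719),  # branch phone -> gatekeeper
        Flow("vpn-branch", "10.1.5.20", "192.168.2.11", "tcp", 1720),  # branch phone -> gateway
        Flow("vpn-remote", "10.2.0.7", "192.168.2.11", "tcp", 1720),   # remote -> gateway: no rule
        Flow("vpn-remote", "10.1.5.20", "192.168.2.10", "udp", 1719),  # branch address on wrong tunnel
        Flow("vpn-branch", "10.1.5.20", "192.168.2.10", "tcp", 80),    # right hosts, wrong service
    ]
    for f in samples:
        print(f, "->", evaluate(f))
```

The fourth sample is the point of the Access Rule: a branch-net address arriving over the vpn-remote tunnel would otherwise be judged only by the IP rules, and since it is still not on the vpn-branch interface it would be dropped by the default rule anyway here, but in a rule set with a broader Allow it would slip through; rejecting it at the interface keeps the decision independent of how permissive the later rules are.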
Page 211
VPNs, Virtual Private Networks, provide means of establishing secure links to parties over public networks via the application of Encryption and Authentication, offering good flexibility, effective protection, and cost efficiency on connections ... It is extended over the Internet.
Topics in this part include:
• Introduction to VPN
• Introduction to Cryptography
• VPN in Firewalls
• VPN Planning
• VPN Protocols & Tunnels
Page 212
CHAPTER 20 VPN Basics
20.1 Introduction to VPN
Long gone is the time when corporate networks were separate isles of local connectivity. ... establishing secure links to parties that no one ... pretending to be trusted in a trustworthy manner ... is increasingly often being solved by ...
20.1.1 VPNs vs Fixed Connections
Using leased lines or other ... security investments.