D-Link DFL-1000, User Manual

Page 1: ...DFL 1000 Workgroup Firewall User s Manual Rev 02 March 2002 D Link Systems Inc DFL 1000 User s Manual 1 ...

Page 2: ...ny form or by any means electronic mechanical manual optical or otherwise for any purpose without prior written permission of D Link Systems Inc DFL 1000 User s Manual Version 2 2 28 Mach 2002 Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders Regulatory Compliance FCC Class A Part 15 CSA CUS DFL 1000 User s Manual 2 ...

Page 3: ...he DFL 1000 17 Powering on the DFL 1000 18 Using the Quick Setup Wizard 18 Connecting to the web based manager 18 Starting the Quick Setup Wizard 19 Reconnecting to the web based manager 19 Configuring the DFL 1000 from the CLI 19 Connecting to the CLI 20 Configuring the DFL 1000 to run in NAT mode 20 Configuring the DFL 1000 to run in Transparent mode 21 Connecting the DFL 1000 to your network 22...

Page 4: ...nging policies in the policy list 35 Addresses 35 Adding addresses 36 Editing addresses 36 Organizing addresses into address groups 37 Services 37 Pre defined services 38 Providing access to custom services 39 Grouping services 39 Schedules 40 Creating one time schedules 40 Creating recurring schedules 41 Applying a schedule to a policy 42 Users and authentication 42 Adding authentication to a pol...

Page 5: ... 61 Configuring a Windows XP Client to connect to a DFL 1000 PPTP VPN 61 L2TP VPN configuration 62 Configuring the DFL 1000 as an L2TP server 63 Configuring a Windows 2000 Client for L2TP 64 Configuring a Windows XP Client to connect to a DFL 1000 L2TP VPN 65 RADIUS authentication for PPTP and L2TP VPNs 66 Adding RADIUS server addresses 67 Turning on RADIUS authentication for PPTP 67 Turning on RA...

Page 6: ...ist using a text editor 80 Blocking access to Internet sites 81 Enabling the URL block list 81 Adding URLs to the URL block list 81 Temporarily disabling the URL block list 81 Temporarily disabling blocking individual URLs 81 Clearing the URL block list 82 Creating the URL block list using a text editor 82 Removing scripts from web pages 82 Logging and reporting 84 Configuring logging 84 Recording...

Page 7: ...g 98 Enabling RIP server support 98 Providing DHCP services to your internal network 99 System configuration 100 Setting system date and time 100 Changing web based manager options 101 Adding and editing administrator accounts 101 Configuring SNMP 102 Using the DFL 1000 CLI 104 Connecting to the DFL 1000 CLI 104 Connecting to the DFL 1000 communications port 104 Connecting to the DFL 1000 CLI usin...

Page 8: ...Logging 114 Technical Support 116 DFL 1000 User s Manual 8 ...

Page 9: ...rformance solution for securing your business network Firewall The core function of the DFL 1000 is a state of the art firewall that protects computer networks from the hostile environment of the Internet The firewall provides control of security policies through a carefully designed interface that is easy to use but allows full control even in complex situations DFL 1000 security policies include...

Page 10: ...etwork therefore the DFL 1000 can be inserted into your network at any point without the need to make any changes to your network Packets arriving at the DFL 1000 are intelligently forwarded to the correct network interface and firewall policies prevent unauthorized access to your network Transparent mode provides the same basic firewall protection as NAT mode However more advanced features such a...

Page 11: ... Compressed files zip gzip tar hta and rar Screen saver files scr Dynamic link libraries dll MS Office files You can configure DFL 1000 virus scanning to block the target files or scan them for viruses and worms You can configure three levels of virus protection High level protection removes target files from HTTP transfers and email attachments before they pass through the firewall With high leve...

Page 12: ...nd line interface CLI When initially connected to your network the DFL 1000 comes with a default configuration that provides basic security features From this foundation you can use the web based manager to customize the configuration to meet your needs Web based manager Using a secure HTTPS connection from any computer running Internet Explorer you can configure and manage the DFL 1000 It can als...

Page 13: ... remote syslog server or saved on an optional hard drive installed in the DFL 1000 About this document This user manual describes how to install and configure the DFL 1000 This document contains the following chapters Installing the DFL 1000 Firewall Configuration describes how to configure firewall policies to enhance firewall protection IPSec VPNs describes how to create an IPSec VPN between two...

Page 14: ... defines many of the terms used in this document Troubleshooting FAQs help you find the information you need if you run into problems Customer service and technical support For updated product documentation technical support information and other resources please visit our web site at http tsd dlink com tw You can contact D Link Technical Support at your local D Link office See Technical Support T...

Page 15: ...ration information to collect the information required to configure the DFL 1000 to run in Network Address Translation NAT mode NAT mode configuration information Part 1 of 2 1 Administrator Password Specify an administrator password The password should be difficult to guess It must be at least 6 characters long and may contain numbers 0 9 and upper and lower case letters A Z a z but no spaces 2 I...

Page 16: ...ransparent mode configuration information to collect the information required to configure the DFL 1000 to run in Transparent mode Transparent mode configuration information 1 Administrator Password Specify an administrator password The password should be difficult to guess It must be at least 6 characters long and may contain numbers 0 9 and upper and lower case letters A Z a z but no spaces 2 Tr...

Page 17: ...e mounted on a standard 19 inch rack It requires 1 U of vertical space in the rack The DFL 1000 can be installed as a free standing appliance on any stable surface For free standing installation make sure the appliance has at least 1 5 in 3 75 cm of clearance on each side to allow for adequate air flow and cooling Dimensions 426 x 252 x 44 mm Rack mount 1 U height Weight 7 25 lb Power requirements...

Page 18: ...s section to connect to the web based manager and use the Quick Start Wizard to create your initial DFL 1000 configuration Connecting to the web based manager To connect to the web based manager you require A computer with an ethernet connection Internet Explorer version 4 0 or higher A crossover cable or an ethernet hub and two ethernet cables To connect to the web based manager Set the IP addres...

Page 19: ... 1000 to your network using the information in Connecting the DFL 1000 to your network Reconnecting to the web based manager After running the Quick Setup Wizard if you changed the IP address of the internal interface or switched to Transparent Mode you must re connect to the web based manager using a new IP address In NAT mode if you changed the IP address of the internal interface browse to http...

Page 20: ...ent Choose the correct ones for your installation The NAT mode configuration procedures start next The Transparent mode configuration procedures begin at Configuring the DFL 1000 to run in Transparent mode Configuring the DFL 1000 to run in NAT mode The procedures in this section describe how to use the CLI to configure the DFL 1000 to run in NAT mode Configuring NAT mode IP addresses Login to the...

Page 21: ... use the CLI to configure the DFL 1000 to run in Transparent mode Changing to Transparent mode Login to the CLI if you are not already logged in Switch to Transparent mode Enter set system status opmode 2 The following prompt appears D Link login Type admin and press Enter The following prompt appears Type for a list of commands Confirm that the DFL 1000 has switched to Transparent mode Enter get ...

Page 22: ...work using the information in Connecting the DFL 1000 to your network that follows Connecting the DFL 1000 to your network Once the initial configuration of the DFL 1000 is completed you can connect the DFL 1000 between your internal network and the Internet The NAT mode and Transparent mode connection procedures are different Choose the correct one for your installation NAT mode connections To co...

Page 23: ...l network Connect the External Interface to the public switch or router provided by your Internet Service Provider Connect the DMZ Interface to your management computer You can either connect the DMZ interface directly to the Management computer using a cross over cable or you can connect the DMZ interface and the management computer to a hub or switch DFL 1000 User s Manual 23 ...

Page 24: ...rver IP address If you are running the DFL 1000 in Transparent mode you do not have to make any changes to your network Once the DFL 1000 is connected make sure it is functioning properly by connecting to the internet from a computer on your internal network You should be able to connect to any internet address Completing the configuration Use the information in this section to complete the initia...

Page 25: ...ogging the DFL 1000 date and time should be accurate You can either manually set the DFL 1000 time or you can configure the DFL 1000 to automatically keep its time correct by synchronizing with a Network Time Protocol NTP server To set the DFL 1000 date and time see Setting system date and time DFL 1000 User s Manual 25 ...

Page 26: ...ng incoming connections in NAT mode Accepting incoming connections in Transparent mode Denying incoming connections Arranging policies in the incoming policy list Accepting incoming connections in NAT mode The most secure way to operate an Internet server is to run the DFL 1000 in NAT mode and isolate the server on your DMZ network Isolating the server on the DMZ is more secure because from there ...

Page 27: ...the policy accepts a connection See Logging and reporting Traffic Shaping Optionally select Traffic Shaping to control the bandwidth available to and set the priority of the traffic processed by the policy See Traffic shaping Click OK to save the policy Adding an incoming policy Accepting incoming connections in Transparent mode In transparent mode the addresses on the internal network are routabl...

Page 28: ...nal network see Addresses To services see Services According to a one time or recurring schedule see Schedules For example you may want to periodically deny access to your public web server to allow for regular maintenance To do this create a recurring schedule for the maintenance period Then create a policy that matches the original web server policy Set the schedule of this policy to the mainten...

Page 29: ...s and edit policies For more information see Arranging policies in the policy list Controlling connections to the Internet By default the DFL 1000 accepts all connections from the internal network to the Internet If you do not want to enforce restrictions on access to the Internet you do not have to change anything The default policy accepts connections from any address on the internal network to ...

Page 30: ...g a policy to deny connections Add addresses services or schedules as required Go to Firewall Policy Int to Ext In Transparent mode go to Firewall Policy Outgoing Click New to add a policy You can also click Insert Policy before on a policy in the list to add the new policy above a specific policy Configure the policy Source Select the Internal address from which to deny connections Destination Se...

Page 31: ...ubnet Policies that accept connections in this way must be added to the policy list above the connections that they are exceptions to Delete the default policy and then add policies to accept only the connections that you want the firewall to accept In this way you can limit Internet access to that allowed in the policies that you create You must delete the default policy because if it remains in ...

Page 32: ...and authentication Go to Firewall Policy Int to Ext Click New to add a policy Configure the policy Source Select the Internal address that users must authenticate from Destination Select the Internet address that users must authenticate before connecting to Schedule Select a schedule to control when to require authentication Service Select the service for which to require authentication Action Sel...

Page 33: ... on the DMZ to be able to connect to the Internet To configure DMZ policies you must first add DMZ addresses for the servers on your DMZ to the firewall configuration See Adding addresses Once the DMZ addresses have been added you can add and organize DMZ related policies in the same way as Int to Ext Outgoing and Incoming policies For examples see Controlling connections from the Internet and Con...

Page 34: ... information about traffic shaping see See Traffic shaping Default policy The default policy accepts connections from all computers at any source address on the internal network and grants them access to any services on the external network usually the Internet The default policy appears in the Int to Ext policy list when running in NAT mode and in the Outgoing policy list when running in Transpar...

Page 35: ...match with the default policy Any policies in the list below the default policy are never matched For the policy to block FTP connections shown in Sample Int to Ext policy to deny FTP connections to be effective it must be moved above the default policy in the policy list Then all FTP connection attempts from the internal network would match the FTP policy and be blocked Connection attempts for al...

Page 36: ... Organizing addresses into address groups Adding addresses Go to Firewall Address Click the Internal External or DMZ tab corresponding to the type of address you want to add Click New to add a new address Enter an Address Name to identify the address Add the IP Address The IP Address can be the IP address of a single computer for example 192 45 46 45 or the address of a subnetwork for example 192 ...

Page 37: ...up Enter a Group Name to identify the address group To add addresses to the address group select an address from the Available Addresses list and click the right arrow to add it to the Members list To remove addresses from the address group select an address from the Members list and click the left arrow to remove it from the group Click OK to add the address group Example internal address group S...

Page 38: ...rotocol for transmitting Usenet news tcp 119 0 65535 NTP Network time protocol for synchronizing a computer s time with a time server tcp 123 0 65535 udp 123 0 65535 PING For testing connections to other computers udp 0 0 65535 8 0 65535 POP3 POP3 email protocol for downloading email from a POP3 server tcp 110 0 65535 udp 110 0 65535 QUAKE For connections used by the popular Quake multi player com...

Page 39: ... Click OK to add the custom service You can now add this custom service to a policy see Policies Adding a custom service Grouping services To make it easier to add policies you can create groups of services and then add one policy to provide access to or block access for all the services in the group A service group can contain pre defined services and custom services in any combination You cannot...

Page 40: ...and the second from midnight until 9 00 am on Tuesday morning This section describes Creating one time schedules Creating recurring schedules Applying a schedule to a policy Creating one time schedules You can create a one time schedule that activates or deactivates a policy for a specified period of time For instance your firewall may be configured with the default Internal to External policy tha...

Page 41: ...f the week For instance you may wish to prevent internet use outside of working hours by creating a recurring schedule Go to Firewall Schedule Recurring Click New to create a new schedule Specify a name for the schedule Select the days of the week that are working days Set the Start Hour and the End Hour to the start and end of the work day The Recurring schedule uses a 24 hour clock Click OK DFL ...

Page 42: ...ime schedule to deny access to another policy add a policy that matches the other policy in every way Choose the one time schedule that you added and set Action to Deny Then you must arrange the policy containing the one time schedule in the policy list above the policy to be denied Arranging a one time schedule in the policy list to deny access Users and authentication You can configure the DFL 1...

Page 43: ...ins valid for an idle time out of 15 minutes If the user does not access services through the firewall for more than 15 minutes they must enter their user name and password again for access Adding users Go to Firewall Users Click New Enter a User Name and Password to add users to the DFL 1000 The password must be at least 6 characters long and may contain numbers 0 9 and upper and lower case lette...

Page 44: ...he External IP Address field enter the Internet IP address of the server This must be a static IP address obtained from your ISP for this purpose and must not be the same as the external address of the DFL 1000 However your ISP must route this address to the external IP address of the DFL 1000 In the Map to IP field enter the actual IP address of the web server on your DMZ or internal network Clic...

Page 45: ...affic with a source address that is defined in the IP MAC binding table must have the correct MAC address or it is also blocked Click Apply to save your changes Traffic shaping Traffic Shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the DFL 1000 For example the policy for the corporate web server might be given higher prio...

Page 46: ...nternal network can connect to their organization s VPN A subnet on your Internal network protected by a VPN gateway can use VPN to connect to a VPN on the Internet DFL 1000 VPN pass through can be configured for IPSec or PPTP VPN connections No special VPN configuration is required for the client or VPN gateway on your internal network The VPN tunnel configuration of the VPN gateway on the Intern...

Page 47: ...with third party VPN products that require it IPSec VPN is only supported in NAT mode This chapter describes Compatibility with third party VPN products Autokey IPSec VPN between two networks Autokey IPSec VPN for remote clients Manual key exchange IPSec VPN between two networks Manual key exchange IPSec VPN for remote clients Testing a VPN Compatibility with third party VPN products Because the D...

Page 48: ...e of the networks can be protected by a third party VPN gateway that also supports IPSec and Autokey IKE Use the following procedures to configure an IPSec Autokey IKE VPN between internal networks Creating the VPN tunnel Adding internal and external addresses Adding an IPSec VPN policy Figure Example VPN between two internal networks Creating the VPN tunnel A VPN tunnel consists of a name for the...

Page 49: ...lowing procedure on both VPN gateways to configure a VPN tunnel that uses Autokey IKE key exchange Go to VPN IPSEC Autokey IKE Click New to add a new Autokey IKE VPN tunnel Enter the VPN Tunnel Name Remote Gateway Keylife and Authentication Key Click OK to save the Autokey IKE VPN tunnel Example Main Office Autokey IKE VPN tunnel Adding internal and external addresses The next step in configuring ...

Page 50: ...P Address and NetMask of the internal network that can connect to the VPN Example internal address for VPN Gateway 1 Click OK to save the internal address Go to Firewall Address External Click New to add a new external address Enter the Address Name and the IP Address and NetMask of the network behind the other VPN gateway Click OK to save the external address Adding an IPSec VPN policy The VPN po...

Page 51: ...ct to users and computers on a Main Office internal network See Example VPN between an internal network and remote clients A remote VPN client can be any computer connected to the Internet and running VPN client software that uses IPSec and Autokey IKE The client can have a static IP address or a dynamic IP address A remote client could be A traveller using a dial up connection to connect to the I...

Page 52: ...accepts connections from any Internet address You must create complementary VPN tunnels on the VPN gateway and the clients On both the tunnel must have the same name keylife and authentication key Example VPN Tunnel configuration shows the information required to configure the VPN tunnel for the VPN in Example VPN between an internal network and remote clients Example VPN Tunnel configuration Desc...

Page 53: ... to Main_Office IP address 192 168 1 0 Netmask The IP address and netmask of the internal network that the VPN client can connect to 255 255 255 0 External Address Address Name The name to assign to the VPN client VPN_Client IP address 2 2 2 2 Netmask The IP address and netmask of a VPN client with a static IP address for example 2 2 2 2 You do not have to add an address for a client with a dynami...

Page 54: ...the client configuration includes the settings in VPN client configuration These settings should match the VPN Gateway configuration VPN client configuration Description Example Setting VPN Tunnel Name Should correspond to the VPN tunnel name used on the VPN gateway Client_VPN Remote Gateway The External IP address of the VPN gateway 1 1 1 1 Keylife The Client key life should match the VPN gateway...

Page 55: ... opposite end of the tunnel Remote Gateway Enter the external IP address of the DFL 1000 or other IPSec gateway at the opposite end of the tunnel Encryption Algorithm Select one of the three algorithms 3DES 3DES MD5 or 3DES SHA1 Use the same algorithm at both ends of the tunnel Encryption Key Enter three hexadecimal numbers of up to 16 digits each digits can be 0 to 9 a to f Use the same encryptio...

Page 56: ...ty VPN products D Link recommends SafeNet Soft PK from IRE Inc Configuring the VPN tunnel You can either create multiple VPN tunnels one for each VPN client or you can create one VPN tunnel with a remote gateway address set to 0 0 0 0 This VPN tunnel accepts connections from any Internet address You must create complementary VPN tunnels on the VPN gateway and the clients On both the tunnel must ha...

Page 57: ...ined for the VPN is intercepted by the DFL 1000 To confirm that a VPN between a network and one or more clients has been configured correctly start a VPN client and use the ping command to connect to a computer on the internal network The VPN tunnel initializes automatically when the client makes a connection attempt You can start the tunnel and test it at the same time by pinging from the client ...

Page 58: ...through the tunnel by encrypting it to guarantee confidentiality In addition authentication guarantees that the data originated from the claimed sender and was not damaged or altered in transit PPTP and L2TP VPNs are only supported in NAT mode This chapter describes PPTP VPN configuration L2TP VPN configuration RADIUS authentication for PPTP and L2TP VPNs PPTP VPN configuration This section descri...

Page 59: ... 9 and upper and lower case letters A Z a z but no spaces A client can connect to the PPTP VPN with this user name and password Repeat steps Go to VPN PPTP PPTP User to Enter a user name and password to add more PPTP user names and passwords as required Go to VPN PPTP PPTP Range Click Enable PPTP Specify the PPTP address range The PPTP address range is the range of addresses on your internal netwo...

Page 60: ...r Select Microsoft Virtual Private Networking Adapter Click OK twice Insert diskettes or CDs as required Restart the computer Configuring a PPTP dial up connection Go to My Computer Dial Up Networking Double click Make New Connection Name the connection and click Next Enter the external IP address or hostname of the DFL 1000 to connect to and click Next Click Finish An icon for the new connection ...

Page 61: ...ption Click OK Connecting to the PPTP VPN Start the dial up connection that you configured in the previous procedure Enter your PPTP VPN User Name and Password Click Connect In the connect window enter the User Name and Password you use to connect to your dial up network connection This user name and password is not the same as your VPN user name and password Configuring a Windows XP Client to con...

Page 62: ...t you configured in the previous procedure Enter your PPTP VPN User Name and Password Click Connect In the connect window enter the User Name and Password you use to connect to your dial up network connection This user name and password is not the same as your VPN user name and password L2TP VPN configuration This section describes how to configure the DFL 1000 as an L2TP VPN server This section a...

Page 63: ...d lower case letters A Z a z but no spaces A client can connect to the L2TP VPN with this user name and password Click OK Repeat steps Go to VPN L2TP L2TP User to Click OK to add more L2TP user names and passwords as required Go to VPN L2TP L2TP Range Click Enable L2TP Specify the L2TP address range The L2TP address range is the range of addresses on your internal network that must be reserved for...

Page 64: ...k Properties in the Connect window Click the Security tab Make sure Require data encryption is checked Continue with the following procedure Disabling IPsec Click the Networking tab Click Internet Protocol TCP IP properties Double click the Advanced tab Go to the Options tab and click IP security properties Make sure Do not use IPSEC is checked Click OK and close the connection properties window T...

Page 65: ...password Configuring a Windows XP Client to connect to a DFL 1000 L2TP VPN Use the following procedure to configure a client machine running Windows XP so that it can connect to a DFL 1000 L2TP VPN Configuring an L2TP VPN dial up connection Go to Start Settings Click Network and Internet Connections Select Create a connection to the network of your workplace and click Next Click Virtual Private Ne...

Page 66: ...omputer for the changes to take effect You must add the ProhibitIpSec registry value to each Windows XP based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and IPSec traffic from being created When the ProhibitIpSec registry value is set to 1 your Windows XP based computer does not create the automatic filter that uses CA authentication Instead it checks...

Page 67: ...o connect to a RADIUS server installed on your DMZ or internal network you must add firewall policies to grant access to the server from the Internet To configure the DFL 1000 for RADIUS authentication Go to VPN RADIUS Enter the server name or IP address of your primary RADIUS server Enter the primary RADIUS server secret Optionally enter the server name or IP address and secret for your secondary...

Page 68: ...cks are recorded in the attack log You can also configure the DFL 1000 to send alert emails to system administrators if an attack is detected Use the following procedure to configure attack prevention Go to IDS Attack Prevention Click to enable the types of attacks that the DFL 1000 should detect and prevent Attack prevention list Alert email Use the following procedure to configure the DFL 1000 t...

Page 69: ... the Email To fields These are the email addresses that the DFL 1000 sends email alerts to Click Apply to save the email alert configuration Make sure that the DNS server settings are correct for the DFL 1000 See Setting DNS server addresses Because the DFL 1000 uses the SMTP server name to connect to the mail server it must be able to look up this name on your DNS server Example alert email setti...

Page 70: ...requests by scanning their originating web page for known worm patterns To scan email attachments for worms the DFL 1000 looks for filenames known to be used by worms If the DFL 1000 detects a virus or worm in a file the file is deleted from the data stream and replaced with an alert message DFL 1000 content virus and worm prevention is transparent to the end user Client and server programs requir...

Page 71: ...3 and IMAP content protocols For each content type you can also select target file types to be removed The virus scanner replaces deleted files with an alert message that is forwarded to the user Use High level protection to remove all content that poses a potential threat before it reaches your protected network This security level provides the best protection from active computer virus attacks I...

Page 72: ... High Security Alert You are not allowed to download this type of file Configuring medium level virus protection for your internal network Medium level protection scans all target files for viruses You can configure the DFL 1000 to perform up to four different types of virus scans on each target file Signature scanning Macro scanning Behavior simulated execution Heuristic scanning If a virus is fo...

Page 73: ...nts in SMTP traffic to Click OK and click Apply to configure medium level virus protection to virus scan target files in email attachments in IMAP traffic When the DFL 1000 detects a virus and removes the infected file the user who requested the file receives a message similar to the following Sorry Dangerous Attachment has been removed It was infected with the Generic VBA Virus virus Configuring ...

Page 74: ... on your internal network from sending email attachments that contain viruses to addresses on the Internet POP3 if you allow users on the Internet to connect to a POP3 server on your internal or DMZ network IMAP if you allow users on the Internet to connect to an IMAP server on your internal or DMZ network Even though viruses and worms are distributed from your internal and DMZ networks by being u...

Page 75: ... 1000 blocks a file the user who requested the file receives the following message High Security Alert You are not allowed to download this type of file Medium level virus protection for incoming connections Medium level protection scans all target files for viruses You can configure the virus scanning engine to perform up to four different types of virus scans on each target file Signature scanni...

Page 76: ...oming low level protection Go to Anti Virus HTTP Incoming Click Low to turn off virus scanning for Internet web pages Click Apply Go to Anti Virus SMTP Incoming and repeat steps Click Low to turn off virus scanning for Internet web pages and Click Apply to turn off virus scanning for email attachments in SMTP traffic Go to Anti Virus POP3 Incoming and repeat steps Click Low to turn off virus scann...

Page 77: ... antivirus database and restarts This takes about 1 minute Go to System Status to confirm that the Antivirus Database Version information has been updated When a new virus protection database is made available by D Link you should upgrade your DFL 1000 as soon as possible If a new virus is reported and you are not able to upgrade the anti virus database immediately you can use the procedure Config...

Page 78: ...nfiguring automatic antivirus database updates Displaying virus and worm lists Use the following procedure to display the lists of viruses and worms in the antivirus database To display the virus list go to Anti Virus Config Virus List Scroll through the virus list to view the names of all of the viruses in the list Click Worm List to display the worm list Scroll through the worm list to view the ...

Page 79: ...banned word list Creating the banned word list using a text editor Enabling the banned word list Use the following procedure to turn on content blocking by enabling the banned word list From the web based manager Go to Web Filter Content Block Click Enable Banned Word to enable content blocking The DFL 1000 is now configured to block web pages containing words added to the banned word list Adding ...

Page 80: ...n a text editor create the list of banned words Type one word on each line in the text file Follow the word with a space and a 1 to enable or a zero 0 to disable the banned word Go to Web Filter Content Block Click Upload Banned Word list to upload your banned word list Enter the path and filename of your banned word list text file or click Browse and locate the file Click OK to upload your banned...

Page 81: ...to the URL block list Type the URL or URL pattern to block Enter a complete URL to block access to a single Internet site only For example www badsite com blocks access to all of the pages on the badsite Web site Enter a pattern to block access to all web sites with the specified pattern in their URL For example bad blocks access to any web site with bad in it s URL This would include www bad com ...

Page 82: ... to the DFL 1000 The DFL 1000 uploads the file Click Return to display the updated URL block list You can continue to maintain the URL block list by making changes to the text file and uploading it again All changes made to the URL block list from the web based manager are lost when you upload a new list Downloading the URL block list If you make changes to the URL block list from the web based ma...

Page 83: ...Example Script filtering settings to block Java Applets and ActiveX DFL 1000 User s Manual 83 ...

Page 84: ...se the following procedure to configure the DFL 1000 to record logs onto a remote computer To save log messages to this remote computer it must be configured with a syslog server If you are running the DFL 1000 in NAT mode the computer running the syslog server must be connected to the same network as the Internal interface of the DFL 1000 If you are running the DFL 1000 in Transparent mode the co...

Page 85: ...nections to the internal interface This includes all connections for management Click Log All External Traffic To Firewall to record all connections to the external interface Click Log All DMZ Traffic To Firewall to record connections to the DMZ interface Click Log All Events to record all the changes made to the DFL 1000 configuration Click Apply to save your logging settings Log message formats ...

Page 86: ...essage format Traffic log message format Description Format Example Maximum Length Date and time the log message was recorded YYYY MMM DD hh mm ss 2002 Mar 12 05 03 45 15 bytes Protocol TCP UDP or ICMP TCP 5 bytes Source IP address and port number ipaddress port 192 168 1 98 443 21 bytes Destination IP and port ipaddress port 192 168 1 23 1199 21 bytes TCP flag optional FIN or SYN 3 bytes Length o...

Page 87: ... the IP address of the computer from which the attack originated When running in Transparent mode the DFL 1000 does not create an Attack log Attack log messages are created when the DFL 1000 detects one of the attacks listed on the IDS Attack Prevention page Attack log message format describes the attack log message format Attack log message format Description Format Example Maximum Length Date an...

Page 88: ... search the active traffic event or attack log You can view and search the current log or any saved log files Go to Log Report Logging Click Traffic Log Event Log or Attack Log to select the type of log to view The web based manager lists all of the saved logs of the selected type with the active log at the top of the list For each log the list shows the date and time at which an entry was last ad...

Page 89: ...t you are viewing Traffic Log Search Click AND to search for messages that match all of the specified search criteria Click OR to search for messages that match one or more of the specified search criteria Specify one or more of the following search criteria Keyword To search for any text in a log message Keyword searching is case sensitive Source To search for any source IP address Traffic logs o...

Page 90: ...fic Log Event Log or Attack Log The web based manager lists all of the saved logs of the selected type with the active log at the top of the list For each log the list shows the date and time at which an entry was last added to the log the size of the log file and its name To delete all of the messages in the active log file click Empty Log Click OK to delete the messages Deleting a saved log file...

Page 91: ...manager Make sure the computer from which you are going to connect to the web based manager is correctly configured on the same network as the DFL 1000 interface to which you are going to connect If the DFL 1000 is running in NAT mode connect to the internal interface If the DFL 1000 is running in Transparent Mode connect to the DMZ interface Start Internet Explorer and browse to the address https...

Page 92: ...ons of the DFL 1000 firmware periodically When D Lnk releases new firmware you can download the upgrade from our Web site http www DLink com You can save this file on your management computer and then use the following procedure to upgrade the firmware on your DFL 1000 Go to System Status Click Firmware Upgrade Enter the path and filename of the firmware update file or click Browse and locate the ...

Page 93: ...load Enter the path and filename of the system settings file or click Browse and locate the file Click OK to upload the system settings file to the DFL 1000 The DFL 1000 uploads the file and restarts loading the new system settings Reconnect to the web based manager and review your configuration to confirm that the uploaded system settings have taken effect Restoring system settings to factory def...

Page 94: ...ffic blocked Internal Address Internal all External Address External all DMZ Address none One time schedule none Recurring schedule Always Anti virus for HTTP Low Anti virus for POP3 SMTP and IMAP Low Worm protection Disabled Default Transparent mode system configuration When the DFL 1000 is first switched to transparent mode or when it is reset to default and run in Transparent mode the system ha...

Page 95: ...ions to the DFL 1000 and information about the connections The system status monitor also displays system statistics such as CPU and memory usage To view system status Go to System Status Monitor The system status monitor display appears Click Refresh to update the information displayed System status monitor Each line of the system status monitor displays the following information about one active...

Page 96: ...o System Network IP Address Click DHCP and click OK The DFL 1000 changes to DHCP mode and attempts to contact the DHCP server to set the external IP address netmask and default gateway IP address When the DFL 1000 gets this information from the DHCP server the new addresses and netmask are displayed in the external IP address netmask and default gateway IP address fields These fields are also colo...

Page 97: ...ckets greater than MTU Set the maximum MTU size Set the maximum packet size in the range of 68 to 1500 bytes The default MTU size is 1500 Experiment by lowering the MTU to find an MTU size for maximum performance Setting DNS server addresses Several functions of the DFL 1000 including sending alert emails and URL blocking use DNS To set the DNS server addresses from the web based manager Go to Sys...

Page 98: ...ce and gateway for the route Click OK to save the new static route To change a route choose the route to change and click Edit To delete a route choose the route to delete and click Delete Enabling RIP server support Enable RIP server support to configure the DFL 1000 to act like a RIP server The RIP routing protocol maintains up to date dynamic routing tables between nearby routers When activated...

Page 99: ...k Configure the Netmask that the DFL 1000 assigns to the DHCP clients Lease Duration Optionally specify the interval in minutes after which a DHCP client must ask the DHCP server for a new address Domain Optionally specify the domain that the DHCP server assigns to the client DNS IP Optionally specify the IP addresses of up to 3 DNS servers that the DHCP clients can use for looking up domain names...

Page 100: ...rotocol NTP server For more information on NTP and to find the IP address of an NTP server that you can use see http www ntp org To set the date and time from the web based manager Go to System Config Time Click Refresh to display the current DFL 1000 date and time Select your Time Zone from the list Optionally click Set Time and set the DFL 1000 date and time to the correct date and time To confi...

Page 101: ...r has permission to change all DFL 1000 settings From the web based manager you can add administrator accounts and control their level of administrative access You can also control the addresses from which administrators can access the DFL 1000 This section contains the following procedures Adding new administrator accounts Editing administrator accounts Adding new administrator accounts Use the f...

Page 102: ...ter Change the administrator s permission as required Click OK To delete an administrator account choose the account to delete and click Delete Configuring SNMP Configure SNMP for the DFL 1000 so that the SNMP agent running on the DFL 1000 can report system information and send traps Traps can alert system administrators about problems with the DFL 1000 Go to System Config SNMP Click to select SNM...

Page 103: ...dress of the SNMP monitor to which to send traps Second Trap Receiver IP Address Optionally specify the IP address of a second SNMP monitor to which to send traps Third Trap Receiver IP Address Optionally specify the IP address of a third SNMP monitor to which to send traps Click Apply Sample SNMP configuration DFL 1000 User s Manual 103 ...

Page 104: ...ns port A null modem cable with a 9 pin connector to connect to the communications port on the back panel of the DFL 1000 Terminal emulation software such as HyperTerminal for Windows The following procedure describes how to connect to the DFL 1000 CLI using Windows HyperTerminal software You can use any terminal emulation program To connect to the DFL 1000 CLI Connect the null modem cable to the ...

Page 105: ...the DMZ interface to accept SSH connections Enter set system interface DMZ mng ssh enable Connecting to the CLI using SSH To connect to the CLI using SSH you must install an SSH client Start the SSH client and connect to a DFL 1000 interface that is configured for SSH connections The following prompt appears D Link login Type a valid administrator name and press Enter Type the password for this ad...

Page 106: ...itional options available for that command option combination and a description of each option Installing firmware from a TFTP server D Lnk releases new versions of the DFL 1000 firmware periodically When D Lnk releases new firmware you can download the upgrade from our Web site http tsd dlink com tw You can save this file on your management computer and then use the following procedure to upgrade...

Page 107: ...ny Key To Download Boot Image Quickly press any key to interrupt system startup The following message appears Enter TFTP Server Address 192 168 1 168 Type the address of the TFTP server and press Enter The following message appears Enter Local Address 192 168 1 188 Type the address of the internal interface of the DFL 1000 and press Enter The following message appears Enter File Name image out Ent...

Page 108: ...set system interface Once the interface addresses are changed you can access the DFL 1000 from the web based manager and upload your configuration files DFL 1000 User s Manual 108 ...

Page 109: ...wser Internal interface The DFL 1000 interface that is connected to your internal private network Internet A collection of networks connected together that span the entire globe using the NFSNET as their backbone As a generic term it refers to any collection of interdependent networks ICMP Internet Control Message Protocol Part of the Internet Protocol IP that allows for the generation of error me...

Page 110: ...network and router to router connections PPTP Point to Point Tunneling Protocol A Windows based technology for creating VPNs PPTP is supported by Windows 98 2000 and XP To create a PPTP VPN your ISP s routers must support PPTP Port In TCP IP and UDP networks an endpoint to a logical connection The port number identifies what type of port it is For example port 80 is used for HTTP traffic Protocol ...

Page 111: ...nications over insecure channels TCP Transmission Control Protocol One of the main protocols in TCP IP networks TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent UDP User Datagram Protocol A connectionless protocol that like TCP runs on top of IP networks Unlike TCP UDP provides very few error recovery services offering ins...

Page 112: ...iting administrator accounts Q I just spent a week setting up and things are working perfectly Is there some way to save the configuration before making any more changes See Backing up system settings and Restoring system settings Q How can I get a warning when someone is attacking my network See Alert email Network configuration Q I am trying to set up the network connections but I can t seem to ...

Page 113: ...ss can then be used as the destination in an incoming policy See Controlling connections from the Internet Q I want to connect to a TELNET FTP WEB server across the Internet If I set the outgoing policy service field to TELNET FTP HTTP I can t connect Try setting the service to ANY Settings for individual services assume that the standard port for that service is being used and only traffic addres...

Page 114: ...age may be required for a few Internet sites to work properly Logging Q I want to keep track of any attempts by intruders to go through the firewall to our network or to get control of the firewall Go to Log Report Log Setting and turn on Log All External Traffic To Firewall All attempts to access the firewall are recorded You can also get email alert messages by going to System Config Alert Mail ...

Page 115: ... If you are running the DFL 1000 in Transparent mode the computer running the syslog server must be connected to the same network as the DMZ interface of the DFL 1000 DFL 1000 User s Manual 115 ...

Page 116: ...REPAIR LINE 00800 7250 8000 E MAIL info dlink de URL www dlink de IBERIA D LINK IBERIA Gran Via de Carlos III 84 3 Edificio Trade 08028 BARCELONA TEL 34 93 4090770 FAX 34 93 4910795 E MAIL info dlinkiberia es URL www dlinkiberia es INDIA D LINK INDIA Plot No 5 Kurla Bandra Complex Road Off Cst Road Santacruz E Bombay 400 098 India TEL 91 22 652 6696 FAX 91 22 652 8914 E MAIL service dlink india co...

Page 117: ...here and how will the product primarily be used Home Office Travel Company Business Home Business Personal Use 2 How many employees work at installation site 1 employee 2 9 10 49 50 99 100 499 500 999 1000 or more 3 What network protocol s does your organization use XNS IPX TCP IP DECnet Others_____________________________ 4 What network operating system s does your organization use D Link LANsmar...

Page 118: ...DFL 1000 User s Manual 118 ...