D-Link DFL-200 - Security Appliance, User Manual

Page 1: ...D Link DFL 200 Network Security Firewall Manual Building Networks for People Ver 1 02 20050419 ...

Page 2: ...o an interface 14 Enable SNMP access to an interface 14 System 15 Interfaces 15 Change IP of the LAN or DMZ interface 15 WAN Interface Settings Using Static IP 16 WAN Interface Settings Using DHCP 16 WAN Interface Settings Using PPPoE 17 WAN Interface Settings Using PPTP 18 WAN Interface Settings Using BigPond 19 MTU Configuration 19 Routing 20 Add a new Static Route 21 Remove a Static Route 21 Lo...

Page 3: ... HTTPS 35 Enable RADIUS Support 35 Add User 36 Change User Password 36 Delete User 37 Schedules 38 Add new recurring schedule 38 Services 39 Adding TCP UDP or TCP UDP Service 39 Adding IP Protocol 40 Grouping Services 40 Protocol independent settings 41 VPN 42 Introduction to IPSec 42 Introduction to PPTP 43 Introduction to L2TP 43 Point to Point Protocol 43 Authentication Protocols 44 PAP 44 CHAP...

Page 4: ...s 53 Certificates of remote peers 53 Certificate Authorities 53 Identities 54 Content Filtering 55 Active content handling 55 Edit the URL Global Whitelist 56 Edit the URL Global Blacklist 57 Active content handling 58 Servers 59 DHCP Server Settings 59 Enable DHCP Server 60 Enable DHCP Relay 60 Disable DHCP Server Relayer 60 DNS Relayer Settings 61 Enable DNS Relayer 61 Disable DNS Relayer 62 Too...

Page 5: ...h office 79 Settings for Main office 81 LAN to LAN VPN using PPTP 83 Settings for Branch office 83 Settings for Main office 86 LAN to LAN VPN using L2TP 90 Settings for Branch office 90 Settings for Main office 93 A more secure LAN to LAN VPN solution 97 Settings for Branch office 97 Settings for Main office 100 Windows XP client and PPTP server 101 Settings for the Windows XP client 101 Settings ...

Page 6: ...6 Intrusion detection and prevention 119 Appendixes 122 Appendix A ICMP Types and Codes 122 Appendix B Common IP Protocol Numbers 124 LIMITED WARRANTY 125 ...

Page 7: ... can be a computer using firewall software or a special piece of hardware built specifically to act as a firewall In most circumstances a firewall is used to prevent unauthorized Internet users from accessing private networks or corporate LAN s and Intranets A firewall watches all of the information moving to and from your network and analyzes each piece of data Each piece of data is checked again...

Page 8: ... have a Network Interface Card NIC which communicates the data between computers A NIC is usually a 10Mbps network card a 10 100Mbps network card or a wireless network card Most networks use hardware devices such as hubs or switches that each cable can be connected to in order to continue the connection between computers A hub simply takes any data arriving through each port and forwards the data ...

Page 9: ...le Serial access to the firewall software 9600 8bit None Parity 1Stop bit Internal Ports LAN Use these ports to connect the internal computers f the office DMZ Port Use this port to connect to the company s server s which needs direct connection to the Internet FTP SNMP HTTP and DNS External Port WAN Use this port to connect to the external router DSL modem or Cable modem Reset Reset the DFL 200 t...

Page 10: ...ating than the one included with the DFL 200 will cause damage and void the warranty for this product If any of the above items are missing please contact your reseller System Requirements Computer with a Windows Macintosh or Unix based operating system with an installed Ethernet adapter Internet Explorer or Netscape Navigator version 6 0 or above with JavaScript enabled ...

Page 11: ...eed to login again This have to be done before a configurable timeout has been reached this can be set on the Activate Configuration Changes page by choosing the time from the dropdown menu Resetting the DFL 200 To reset the DFL 200 to factory default settings you must hold the reset button down for at least 15 seconds after powering on the unit You will first hear one beep which will indicate tha...

Page 12: ...e DFL 200 and change configuration can be HTTPS or HTTP and HTTPS Read Only If enabled allows all users with read only access to connect to the DFL 200 and look at the configuration can be HTTPS or HTTP and HTTPS If there is no Admin access specified on an interface and only read only admin users can still connect but will be in read only mode SNMP Specifies if SNMP should be allowed or not on the...

Page 13: ... to an interface To add admin access click on the interface you would like to add it to Only users with the administrator rights can login on an interfaces where there is only admin access enabled Follow these steps to add admin access to an interface Step 1 Click on the interface you would like to add it to Step 2 Enable the Admin checkbox Step 3 Specify what networks are allowed to ping the inte...

Page 14: ...0 for a range Step 4 Specify protocol used to access the DFL 200 from the dropdown menu either HTTP and HTTPS Secure HTTP or only HTTPS Click the Apply button below to apply the setting or click Cancel to discard changes Example Enable SNMP access to an interface Follow these steps to add read only SNMP access to an interface Step 1 Click on the interface you would like to add it to Step 2 Enable ...

Page 15: ...ce to view or change under the Available interfaces list Step 2 Fill in the IP address of the LAN or DMZ interface These are the address that will be used to ping the firewall remotely control it and use as gateway for the internal hosts or DMZ hosts Step 3 Choose the correct Subnet mask of this interface from the drop down menu Click the Apply button below to apply the setting or click Cancel to ...

Page 16: ...address of the WAN interface This is the address that may be used to ping the firewall remotely control it and be used as source address for dynamically translated connections Subnet Mask Size of the external network Gateway IP Specifies the IP address of the default gateway used to reach for the Internet Primary and Secondary DNS Server The IP addresses of your DNS servers only the Primary DNS is...

Page 17: ... address of the external interface You will have to fill the username and password provided to you by your ISP Username The login or username supplied to you by your ISP Password The password supplied to you by your ISP Service Name When using PPPoE some ISPs require you to fill in a Service Name Primary and Secondary DNS Server The IP addresses of your DNS servers these are optional and are often...

Page 18: ...ur ISP PPTP Server IP The IP of the PPTP server that the DFL 200 should connect to Before PPTP can be used to connect to you ISP the physical WAN interface parameters need to be supplied it s possible to use either DHCP or Static IP this depends on the type of ISP used and this information should be supplied by them If using static IP this information need to be filled in IP Address The IP address...

Page 19: ...200 and the Internet If the packets the DFL 200 sends are larger they get broken up or fragmented which could slow down transmission speeds Trial and error is the only sure way of finding the optimal MTU but there are some guidelines that can help For example the MTU of many PPP connections is 576 so if you connect to the Internet via PPPoE you might want to set the MTU size to 576 DSL modems may ...

Page 20: ...ed to the firewall interface no gateway address is specified Local IP Address The IP address specified here will be automatically published on the corresponding interface This address will also be used as the sender address in ARP queries If no address is specified the firewalls own interface IP address will be used Proxy ARP Specifies that the firewall shall publish this route via Proxy ARP One a...

Page 21: ... network is behind a remote gateway enable the checkbox Network is behind remote gateway and specify the IP of that gateway Click the Apply button below to apply the setting or click Cancel to discard changes Remove a Static Route Follow these steps to add a remove a route Step 1 Go to System and Routing Step 2 Take Edit after the route you would like to remove Step 3 Check the checkbox named Dele...

Page 22: ...l part in all network security products The D Link DFL 200 provides several options for logging its activity The D Link DFL 200 logs its activities by sending the log data to one or two log receivers in the network All logging is done to Syslog recipients The log format used for syslog logging is suitable for automated processing and searching ...

Page 23: ...ton below to apply the setting or click Cancel to discard changes Enable Audit Logging To start auditing all traffic trough the firewall follow the sets below and the firewall will start logging all traffic trough the firewall this is needed for running third party log analyzers on the logs and to see how much traffic different connections use Follow these steps to enable auditing Step 1 Enable sy...

Page 24: ...ogged in the usual logs if IDS is enabled for any of the rules For more information about how to enable intrusion detection and prevention on a policy or port mapping read more under Policies and Port Mappings in the Firewall section below ...

Page 25: ...lick on System in the menu bar and then click Time below it This will give you the option to either set the system time by syncing to an Internet Network Time Server NTP or by entering the system time by hand ...

Page 26: ... sync to an Internet Time Server Step 1 Enable synchronization by checking the Enable NTP box Step 2 Enter the Server IP Address or Server name with which you want to synchronize Click the Apply button below to apply the setting or click Cancel to discard changes Setting time and date manually Follow these steps to set the system time by hand Step 1 Checking the Set the system time box Step 2 Choo...

Page 27: ...to the external interface Then you can create NAT mode policies to accept or deny connections between these networks NAT mode policies hide the addresses of the internal and DMZ networks from users on the Internet In No NAT Route mode you can also create routed policies between interfaces Route mode policies accept or deny connections between networks without performing address translation To use ...

Page 28: ...ols TCP UDP ICMP This service matches all ports on either the TCP or the UDP protocol including ICMP Custom TCP This service is based on the TCP protocol Custom UDP This service is based on the UDP protocol Custom TCP UDP This service is based on either the TCP or the UDP protocol The following is used when making a custom service Custom source destination ports For many services a single destinat...

Page 29: ...ese steps to add a new outgoing policy Step 1 Choose the LAN WAN policy list from the available policy lists Step 2 Click on the Add new link Step 3 Fill in the following values Name Specifies a symbolic name for the rule This name is used mainly as a rule reference in log data and for easy reference in the policy list Action Select Allow to allow this type of traffic Source Nets Specifies the sen...

Page 30: ... policy Step 1 Choose the policy list you would like do delete the policy in from the available policy lists Step 2 Click on the Edit link on the rule you want to delete Step 3 Enable the Delete policy checkbox Click the Apply button below to apply the change or click Cancel to discard changes Configure Intrusion Detection Follow these steps to configure IDS on a policy Step 1 Choose the policy yo...

Page 31: ...ave IDP on Step 2 Click on the Edit link on the rule you want to delete Step 3 Enable the Intrusion Detection Prevention checkbox Step 4 Choose Prevention from the mode drop down list Step 5 Enable the alerting checkbox for email alerting Click the Apply button below to apply the change or click Cancel to discard changes ...

Page 32: ... for the rule This name is used mainly as a rule reference in log data and for easy reference in the policy list Source Nets Specify the source networks leave blank for everyone 0 0 0 0 0 Source Users Groups Specifies if an authenticated username is needed for this mapping to match Either make a list of usernames separated by or write Any for any authenticated user If it s left blank there is no n...

Page 33: ...oose the mapping list WAN LAN or DMZ you would like do delete the mapping from Step 2 Click on the Edit link on the rule you want to delete Step 3 Enable the Delete mapping checkbox Click the Apply button below to apply the change or click Cancel to discard changes ...

Page 34: ...ront end to other authentication services The DFL 200 RADIUS Support The DFL 200 can use RADIUS to verify users against for example Active Directory or Unix password file It is possible to configure up to two servers if the first one is down it will try the second IP instead The DFL 200 can use CHAP or PAP when communicating with the RADIUS server CHAP Challenge Handshake Authentication Protocol d...

Page 35: ...for the management WebUI to listen on as the user authentication will use the same ports as the management WebUI is using Click the Apply button below to apply the setting or click Cancel to discard changes Enable RADIUS Support Follow these steps to enable RADIUS support Step 1 Enable the checkbox for RADIUS Support Step 2 Fill in up to two RADIUS servers Step 3 Specified which mode to use PAP or...

Page 36: ...me and password can contain numbers 0 9 and upper and lower case letters A Z a z Special characters and spaces are not allowed Change User Password To change the password of a user click on the user name and you will see the following screen Follow these steps to change a users password Step 1 Click on the user you would like to change level of Step 2 Enable the Change password checkbox Step 3 Ent...

Page 37: ... these steps to delete a user Step 1 Click on the user you would like to change level of Step 2 Enable the Delete user checkbox Click the Apply button below to apply the setting or click Cancel to discard changes Note Deleting a user is irreversible once the user is deleted it cannot be undeleted ...

Page 38: ...s to access the Internet during work hours Therefore one may create a schedule to allow the firewall to allow traffic Monday Friday 8AM 5PM only During the non work hours the firewall will not allow Internet access Add new recurring schedule Follow these steps to add new recurring schedule Step 1 Go to Firewall and Schedules and choose Add new Step 2 Choose the starting and ending date and hour wh...

Page 39: ...ng source ports 1024 65535 and destination ports 80 82 90 92 95 In this case a TCP or UDP packet with the destination port being one of 80 81 82 90 91 92 or 95 and the source port being in the range 1024 65535 will match this service Follow these steps to add a TCP UDP or TCP UDP service Step 1 Go to Firewall and Service and choose Add new Step 2 Enter a Name for the service in the name field This...

Page 40: ...ecial characters and spaces are allowed Step 3 Select IP Protocol Step 4 Specify a comma separated list of IP protocols Click the Apply button below to apply the change or click Cancel to discard changes Grouping Services Services can be grouped in order to simplify configuration Consider a web server using standard http as well as SSL encrypted http https Instead of having to create two separate ...

Page 41: ...xisting connection Check this option to enable this feature for connections using this service ALG Like other stateful inspection based firewalls DFL 200 filters on information found in packet headers for instance in IP TCP UDP and ICMP headers In some situations though filtering on header data only is not sufficient The FTP protocol for instance includes IP address and port information in the pro...

Page 42: ... connections by defining a set of Security Associations SAs for each connection SAs are unidirectional so there will be at least two SAs per IPSec connection The other part is the actual IP data being transferred using the encryption and authentication methods agreed upon in the IKE negotiation This can be accomplished in a number of ways by using the IPSec protocol ESP To set up a Virtual Private...

Page 43: ...is is often encapsulated in IPSec for encryption instead of using MPPE Point to Point Protocol PPP Point to Point Protocol is a standard for transporting datagram s over point to point links It is used to encapsulate IP packets for transport between two peers PPP consists of these three components Link Control Protocols LCP to negotiate parameters test and establish the link Network Control Protoc...

Page 44: ...e password is used to create the one way MD5 hash That means that CHAP requires passwords to be stored in a reversibly encrypted form MS CHAP v1 MS CHAP v1 Microsoft Challenge Handshake Authentication Protocol version 1 is similar to CHAP the main difference is that with MS CHAP v1 the password only needs to be stored as a MD4 hash instead of a reversibly encrypted form Another difference is that ...

Page 45: ...PPTP L2TP Server To connect to Dial on demand is used when the tunnel should only be used when needed if diabled the tunnel will always try to be up Authentication protocol Specify if and what authentication protocol to use read more about the different authentication protocols in the Authentication Protocol Introduction chapter MPPE encryption If MPPE encryption is going to be used this is where ...

Page 46: ...Server will use as IP address pool to give out IP addresses to the clients from Primary Secondary DNS IP of the primary and secondary DNS servers Primary Secondary WINS IP of the Windows Internet Name Service WINS servers that are used in Microsoft environments which uses the NetBIOS Name Servers NBNS to assign IP addresses to NetBIOS names Authentication protocol Specify if and what authenticatio...

Page 47: ...If MPPE encryption is going to be used this is where the encryption level is configured If L2TP or PPTP over IPSec is going to be used it has to be enabled and configured to either use a Pre Shared Key or a Certificate ...

Page 48: ...wo DMZ networks The networks at the ends of the VPN tunnel are selected when you configure the VPN policy Creating a LAN to LAN IPSec VPN Tunnel Follow these steps to add LAN to LAN Tunnel Step 1 Go to Firewall and VPN and choose Add new in the IPSec tunnels section Step 2 Enter a Name for the new tunnel in the name field The name can contain numbers 0 9 and upper and lower case letters A Z a z an...

Page 49: ... steps to add a roaming users tunnel Step 1 Go to Firewall and VPN and choose Add new in the IPSec tunnels section Step 2 Enter a Name for the new tunnel in the name field The name can contain numbers 0 9 and upper and lower case letters A Z a z and the special characters and _ No other special characters and spaces are allowed Step 3 Specify your local network or your side of the tunnel for examp...

Page 50: ...TP Client choose authentication type either PSK Pre shared Key or Certificate based Click the Apply button below to apply the change or click Cancel to discard changes Adding a L2TP PPTP VPN Server Follow these steps to add a L2TP or PPTP VPN Server configuration that listens on the WAN IP Step 1 Go to Firewall and VPN and choose Add new PPTP server or Add new L2TP server in the L2TP PPTP Server s...

Page 51: ...crecy is enabled a new Diffie Hellman exchange is performed for each phase 2 negotiation While this is slower it makes sure that no keys are dependent on any other previously used keys no keys are extracted from the same initial keying material This is to make sure that in the unlikely event that some key was compromised no subsequent keys can be derived NAT Traversal Here it s possible to configu...

Page 52: ... VPN gateway one after another until a matching proposal is found IKE Proposal List Cipher Specifies the encryption algorithm used in this IKE proposal Supported algorithms are AES 3DES DES Blowfish Twofish and CAST128 Hash Specifies the hash function used to calculate a check sum that reveals if the data packet is altered while being transmitted MD5 and SHA1 are supported algorithms Life Times Sp...

Page 53: ...cal identities This is a list of all the local identity certificates that can be used in VPN tunnels A local identity certificate is used by the firewall to prove its identity to the remote VPN peer To add a new local identity certificate click Add new The following pages will allow you to specify a name for the local identity and upload the certificate and private key files This certificate can b...

Page 54: ...nnel is established if the certificate of the remote peer is present in the Certificates field in the VPN section or if the remote peer s certificate is signed by a CA whose certificate is present in the Certificates field in the VPN section However in some cases it might be necessary to limit who can establish a VPN tunnel even among peers signed by the same CA The Identity list can be selected i...

Page 55: ...ample com and example com to catch the domain name by itself as well as variants with prefixed host names www without having the filter trigger on domains ending with the same text Note For HTTP URL filtering to work all HTTP traffic needs to go trough a policy using a service with the HTTP ALG which is the case for the http outbound service by default Also note that the HTTP content filter cannot...

Page 56: ...move a url Step 1 Go to Firewall and Content Filtering and choose Edit global URL whitelist Step 2 Add edit or remove the URL that should never be checked with the Content Filtering Click the Apply button below to apply the change or click Cancel to discard changes ...

Page 57: ...nd choose Edit global URL blacklist Step 2 Add edit or remove the URL that should be checked with the Content Filtering Click the Apply button below to apply the change or click Cancel to discard changes Note For HTTP URL filtering to work all HTTP traffic needs to go trough a policy using a service with the HTTP ALG ...

Page 58: ... would like to strip For example to strip ActiveX and Flash enable the checkbox named Strip ActiveX objects It s possible to strip ActiveX Flash Java JavaScript and VBScript it s also possible to block cookies Note For HTTP URL filtering to work all HTTP traffic needs to go trough a policy using a service with the HTTP ALG ...

Page 59: ...y address DNS Servers WINS Servers Domain name The DFL 200 DHCP Server assigns and manages IP addresses from specified address pools within the firewall to the DHCP clients Note Leases are remembered over a re configure or reboot of the firewall The DFL 200 also includes a DHCP Relayer A DHCP relayer is a form of gateway between a DHCP Server and its users The relayer intercepts DHCP queries from ...

Page 60: ...or click Cancel to discard changes Enable DHCP Relay To enable the DHCP Relay on an interface click on Servers in the menu bar and then click DHCP Server below it Follow these steps to enable the DHCP Relayer on the LAN interface Step 1 Choose the LAN interface from the Available interfaces list Step 2 Enable by checking the Relay DHCP Requests to other DHCP server box Step 3 Fill in the IP of the...

Page 61: ...all itself Enable DNS Relayer Follow these steps to enable the DNS Relayer Step 1 Enable by checking the Enable DNS Relayer box Step 2 Enter the IP numbers that the DFL 200 should listen for DNS queries on Note If Use address of LAN interface is checked you don t have to enter an IP in IP Address 1 as the firewall will know what address to use Click the Apply button below to apply the setting or c...

Page 62: ...isable DNS Relayer Follow these steps to disable the DNS Relayer Step 1 Disable by un checking the Enable DNS Relayer box Click the Apply button below to apply the setting or click Cancel to discard changes ...

Page 63: ...iven destination All packets are sent in immediate succession rather than one per second This behavior is the best one suited for diagnosing connectivity problems IP Address Target IP to send the ICMP Echo Requests to Number of packets Number of ICMP Echo Request packets to send up to 10 Packet size Size of the packet to send between 32 and 1500 bytes ...

Page 64: ... be more easily accessed by specific name When this function is enabled the IP address in Dynamic DNS Server will be automatically updated with the new IP address provided by ISP Click DynDNS in the Tools menu to enter Dynamic DNS configuration The firewall provides a list of a few predefined DynDNS service providers users have to register with one of these providers before trying to use this func...

Page 65: ...ng the DFL 200 s Configuration Follow these steps to export the configuration Step 1 Under the Tools menu and the Backup section click on the Download configuration button Step 2 When the File Download pop up window appears choose the destination place in which to save the exported file The Administrator may choose to rename the file if preferred Restoring the DFL 200 s Configuration Follow these ...

Page 66: ...66 Restart Reset Restarting the DFL 200 Follow these steps restart the DFL 200 Step 1 Choose if you want to do a quick or full restart Step 2 Click Restart Unit and the unit will restart ...

Page 67: ...lues set at the factory This procedure will possibly change the DFL 200 firmware version to lower version if it has been upgraded This procedure deletes all of the changes that you have made to the DFL 200 configuration and reverts the system to its original configuration including resetting interface addresses ...

Page 68: ...section click on the Reset to Factory Defaults button Step 2 Click OK in the dialog to reset the unit to factory default or press Cancel to cancel You can restore your system settings by uploading a previously downloaded system configurations file to the DFL 200 if a backup of the device has been done ...

Page 69: ...he file name of the newest version of the firmware then click Upload firmware image The updating process won t overwrite the system configuration so it is not necessary but still a good idea to backup it before upgrading the software Upgrade IDS Signature database To upgrade the signature database first download the newest IDS signatures from D Link After having the newest version of software conn...

Page 70: ...ormation about the DFL 200 Uptime The time the firewall have been running since the last reboot or start CPU Load Percentage of cpu used Connections Number of current connections trough the firewall Firmware version The firmware version running on the firewall Last restart The reason for the last restart IDS Signatures The IDS signature versions There are also two graphs on this page one showing t...

Page 71: ...or DMZ Interface Name of the interface shown LAN WAN or DMZ Link status Displays what link the current interface has the speed can be 10 or 100 Mbps and the duplex can be Half or Full MAC Address MAC address of the interface Send rate Current amount of traffic sent trough the interface Receive rate Current amount of traffic received trough the interface There are also two graphs displaying the sen...

Page 72: ...ation about the first VPN tunnel will be show to see another one click on that VPN tunnels name The two graphs display the send and receive rate trough the selected VPN tunnel during the last 24 hours On this example a tunnel named RoamingUsers is selected this is a tunnel that allows roaming users So under the IPSec SA listing each roaming user connected to this tunnel is shown ...

Page 73: ...ceives packets from each end of the connection The value shown in the Timeout column is the lower of the two values Possible values in the State column include TPC_CLOSE TCP_OPEN SYN_RECV FIN_RECV and so on The Proto column can have TCP The connection is a TCP connection PING The connection is an ICMP ECHO connection UDP The connection is a UDP connection RAWIP The connection uses an IP protocol o...

Page 74: ...splays the configured ranges of IP s that are given out as DHCP leases Usage Display how much of the IP range is give out to DHCP clients Active leases are the current computers using this DHCP server It is also possible to end a computers lease from here by clicking on End lease after that IP Inactive leases are leases that are not currently in use but have been used by a computer before that com...

Page 75: ...ation Currently authenticated users users logged in using HTTP HTTPS authentication users logged in on PPTP and L2TP servers will be listed here Users can be forced to log out by clicking logout Currently recognized privileges all users and groups that are used in policies are listed here These users and groups will be able to use HTTP and HTTPS authentication Interfaces where authentication are a...

Page 76: ... if1 wan ip1 192 168 10 2 tp1 11 93 if2 lan ip2 192 168 0 1 tp2 13 27 if3 dmz ip3 192 168 1 1 tp3 0 99 The value after conns is the number of open connections trough the firewall when the usage log was sent The value after tp is the throughput through the firewall at the time the usage log was logged DROP events These events may be generated by a number of different functions in the firewall The m...

Page 77: ...ernet Another event is generated when the connection is closed The information included in the event is the same as in the event sent when the connection was opened with the exception that statistics regarding sent and received traffic is also included Close Example Oct 20 2003 09 48 05 gateway EFW CONN prio 1 rule Rule_8 conn close connipproto TCP connrecvif lan connsrcip 192 168 0 10 connsrcport...

Page 78: ...sswords used in these examples are not recommended for real life use Passwords and keys should be chosen so that they are impossible to guess or find out by eg a dictionary attack In these guides for example Firewall Users will mean that Firewall first should be selected from the menu at the top of the screen and than the Users button to the left of the screen ...

Page 79: ...or Branch office 1 Setup interfaces System Interfaces WAN IP 193 0 2 10 LAN IP 192 168 4 1 Subnet mask 255 255 255 0 2 Setup IPsec tunnel Firewall VPN Under IPsec tunnels click Add new Name the tunnel ToMainOffice Local net 192 168 4 0 24 ...

Page 80: ...type LAN to LAN tunnel Remote Net 192 168 1 0 24 Remote Gateway 194 0 2 20 Enable Automatically add a route for the remote network Click Apply 3 Setup policies for the new tunnel Firewall Policy Click Global policy parameters Enable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply ...

Page 81: ...aces System Interfaces WAN IP 193 0 2 20 LAN IP 192 168 1 1 Subnet mask 255 255 255 0 2 Setup IPsec tunnel Firewall VPN Under IPsec tunnels click add new Name the tunnel ToBranchOffice Local net 192 168 1 0 24 PSK 1234567890 Note You should use a key that is hard to guess Retype PSK 1234567890 ...

Page 82: ...etup policies for the new tunnel Firewall Policy Click Global policy parameters Enable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply 4 Click Activate and wait for the firewall to restart This example will allow all traffic between the two offices To get a more secure solution read the A more secure LAN to LAN VPN solution in this chapter ...

Page 83: ...ngs for Branch office 1 Setup interfaces System Interfaces WAN IP 193 0 2 10 LAN IP 192 168 4 1 Subnet mask 255 255 255 0 2 Setup PPTP client Firewall VPN Under PPTP L2TP clients click Add new PPTP client Name the tunnel toMainOffice ...

Page 84: ...te You should use a password that is hard to guess Retype password 1234567890 Interface IP leave blank Remote gateway 192 0 2 20 Remote net 192 168 1 0 24 Dial on demand leave unchecked Under authentication MSCHAPv2 should be the only checked option ...

Page 85: ... Leave Use IPsec encryption unchecked Click Apply 3 Setup policies for the new tunnel Firewall Policy Click Global policy parameters Enable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply 4 Click Activate and wait for the firewall to restart ...

Page 86: ...255 255 255 0 2 Setup PPTP server Firewall VPN Under L2TP PPTP Server click Add new PPTP server Name the server pptpServer Leave Outer IP and Inner IP blank Set client IP pool to 192 168 1 100 192 168 1 199 Check Proxy ARP dynamically added routes Check Use unit s own DNS relayer addresses Leave WINS settings blank ...

Page 87: ...r MPPE encryption 128 bit should be the only checked option Leave Use IPsec encryption unchecked Click Apply 3 Setup policies for the new tunnel Firewall Policy Click Global policy parameters Enable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply ...

Page 88: ...ers Under Users in local database click Add new Name the new user BranchOffice Enter password 1234567890 Retype password 1234567890 Leave static client IP empty could also be set to eg 192 168 1 200 If no IP is set here the IP pool from the PPTP server settings are used Set Networks behind user to 192 168 4 0 24 ...

Page 89: ...6 Click Activate and wait for the firewall to restart This example will allow all traffic between the two offices To get a more secure solution read the A more secure LAN to LAN VPN solution section in this chapter ...

Page 90: ...tings for Branch office 1 Setup interfaces System Interfaces WAN IP 193 0 2 10 LAN IP 192 168 4 1 Subnet mask 255 255 255 0 2 Setup L2TP client Firewall VPN Under L2TP PPTP client click Add new L2TP client Name the server toMainOffice ...

Page 91: ...0 Note You should use a password that is hard to guess Retype password 1234567890 Interface IP leave blank Remote gateway 192 0 2 20 Remote net 192 168 1 0 24 Dial on demand leave unchecked Under authentication only MSCHAPv2 should be checked ...

Page 92: ...cryption Enter key 1234567890 Note You should use a key that is hard to guess Retype key 1234567890 Click Apply 3 Setup policies for the new tunnel Firewall Policy Click Global policy parameters Enable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply ...

Page 93: ...0 2 20 LAN IP 192 168 1 1 Subnet mask 255 255 255 0 2 Setup L2TP server Firewall VPN Under L2TP PPTP Server click Add new L2TP server Name the server l2tpServer Leave Outer IP and Inner IP blank Set client IP pool to 192 168 1 100 192 168 1 199 Check Proxy ARP dynamically added routes Check Use unit s own DNS relayer addresses ...

Page 94: ...tication MSCHAPv2 should be the only checked option Under MPPE encryption None should be the only checked option Check Use IPsec encryption Enter key 1234567890 Note You should use a key that is hard to guess Retype key 1234567890 Click Apply ...

Page 95: ... the new tunnel Firewall Policy Click Global policy parameters Enable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply 4 Set up authentication source Firewall Users Select Local database Click Apply ...

Page 96: ... empty could also be set to eg 192 168 1 200 If no IP is set here the IP pool from the L2TP server settings are used Set Networks behind user to 192 168 4 0 24 Click Apply 6 Click Activate and wait for the firewall to restart This example will allow all traffic between the two offices To get a more secure solution read the A more secure LAN to LAN VPN solution section in this chapter ...

Page 97: ...server ftp server and a web server intranet in the main office that we want to access from the branch office Settings for Branch office 1 Setup policies for the new tunnel Firewall Policy Click Global policy parameters Disable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply 2 Now is it possible to create policies for the VPN interfaces Select from LAN to toMainOffice and cl...

Page 98: ...8 4 Setup the new rule Name the new rule allow_pop3 Select action Allow Select service pop3 Select schedule Always We don t want any Intrusion detection for now so leave this option unchecked Click Apply ...

Page 99: ... 4 to create services named allow_imap allow_ftp and allow_http The services for these policies should be imap ftp_passthrough and http The policy list for LAN toMainOffice should now look like this 6 Click Activate and wait for the firewall to restart ...

Page 100: ...fic internal VPN VPN internal and VPN VPN Click Apply 2 Now is it possible to create policies for the VPN interfaces Select from toBranchOffice to LAN and click Show 3 Create same 4 policy rules as was created on the branch office firewall allow_pop3 allow_imap allow_ftp and allow_http 4 Click Activate and wait for the firewall to restart ...

Page 101: ...ing the Category view click on the Network and Internet Connections icon Then click Create a connection to the network on your workplace and continue to step 6 If you are using the Classic view click on the Network Connections icon 3 Under Network task click Create a new connection 4 The New connection wizard window opens up Click next ...

Page 102: ...102 5 Select Connect to the network at my workplace and click Next ...

Page 103: ...6 Select Virtual Private Network connection and click Next ...

Page 104: ...104 7 Name the connection MainOffice and click Next ...

Page 105: ...8 Select Do not dial the initial connection and click Next ...

Page 106: ...106 9 Type the IP address to the server 194 0 2 20 and click Next 10 Click Finish ...

Page 107: ...11 Type user name HomeUser and password 1234567890 Note You should use a password that is hard to guess 12 Click Properties ...

Page 108: ...tworking tab and change Type of VPN to PPTP VPN Click OK All settings needed for the XP client is now done When we have set up the server on the firewall you can click Connect to establish the connection to the Main office ...

Page 109: ...s Leave WINS settings blank Under authentication MSCHAPv2 should be the only checked option Under MPPE encryption 128 bit should be the only checked option Leave Use IPsec encryption unchecked Click Apply 3 Setup policies for the new tunnel Firewall Policy Click Global policy parameters Enable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply 4 Set up authentication source Fi...

Page 110: ... PPTP server settings are used Click Apply 6 Click Activate and wait for the firewall to restart This example will allow all traffic from the client to the main office network To get a more secure solution read the Settings for the Main office part of A more secure LAN to LAN VPN solution section in this chapter ...

Page 111: ...lar to the PPTP setup above Settings for the Windows XP client To setup a L2TP connection from Windows XP to the Main office firewall you can follow the steps in the PPTP guide above for the client side The only changes from that guide is 1 In step 13 change the Type of VPN to L2TP IPsec VPN ...

Page 112: ...112 2 Select the Security tab and click IPsec Settings 3 Check Use pre shared key for authentication type the key and click OK ...

Page 113: ...er authentication MSCHAPv2 should be the only checked option Under MPPE encryption None should be the only checked option Check the Use IPsec encryption box Enter the pre shared key 1234567890 and retype same pre shared key Click Apply 3 Setup policies for the new tunnel Firewall Policy Click Global policy parameters Enable Allow all VPN traffic internal VPN VPN internal and VPN VPN Click Apply 4 ...

Page 114: ... PPTP server settings are used Click Apply 6 Click Activate and wait for the firewall to restart This example will allow all traffic from the client to the main office network To get a more secure solution read the Settings for the Main office part of A more secure LAN to LAN VPN solution section in this chapter ...

Page 115: ... or trusted can be added to the whitelist by clicking Edit global URL whitelist To enable all subdomains of eg google com eg gmail google com and all possible pages on that site enter google com in this list This will allow for example www google com about html and gmail google com In the same way servers can be blocked by adding them to the blacklist Click Edit global URL blacklist and add the si...

Page 116: ...re is no service with that name you will have to create one by clicking Add new at the bottom of the list TCP UDP Service should be selected and protocol should be set to TCP Set destination port to 80 Select HTTP HTML Content Filtering in the ALG dropdown Click Apply 3 Now add a policy rule that uses this service Firewall Policy Click LAN WAN Click Add new ...

Page 117: ...4 Edit the new policy we just created Name the rule allow_http Enter position 2 Select action Allow Select service http outbound Select schedule Always Click Apply ...

Page 118: ...18 The new policy should now be added to position two in the list if not it can be moved to the right position by clicking on the up and down arrows 5 Click Activate and wait for the firewall to restart ...

Page 119: ...e policy setup is quite similar In this example a mail server with IP 192 168 2 4 and a web server with IP 192 168 2 5 is connected to the DMZ interface on the firewall To set up intrusion detection and prevention to a web server on the DMZ net follow these steps 1 Create a Port mapping for the web server Firewall Port Mapping Under Configured mappings click Add new ...

Page 120: ...ping Name the rule map_www Select service http in all Enter pass to IP 192 168 2 5 the IP of the web server Check the Intrusion detection prevention option Select mode Prevention Enable email alerting by checking the Alerting box Click Apply ...

Page 121: ...er E mail address 2 steve examplecompany com Click Apply 4 Click Activate and wait for the firewall to restart When attacks are stopped by the firewall it will listed in the logs Since we enabled email alerting in this example emails will also be sent to the users webmaster and steve In this example we used the prevention mode This means that the firewall will block all attacks In Inspection only ...

Page 122: ...e RFC792 4 Fragmentation Needed and Don t Fragment was Set RFC792 5 Source Route Failed RFC792 6 Destination Network Unknown RFC792 7 Destination Host Unknown RFC792 8 Source Host Isolated RFC792 9 Communication with Destination Network is Administratively Prohibited RFC792 10 Communication with Destination Host is Administratively Prohibited RFC792 11 Destination Network Unreachable for Type of S...

Page 123: ...ssembly Time Exceeded RFC792 12 Parameter Problem 0 Pointer indicates the error RFC792 1 Missing a Required Option RFC1108 2 Bad Length RFC792 13 Timestamp 0 No Code RFC792 14 Timestamp Reply 0 No Code RFC792 15 Information Request 0 No Code RFC792 16 Information Reply 0 No Code RFC792 17 Address Mask Request 0 No Code RFC950 18 Address Mask Reply 0 No Code RFC950 30 Traceroute RFC1393 31 Datagram...

Page 124: ...823 4 IP IP in IP encapsulation RFC2003 5 ST Stream RFC1190 RFC1819 6 TCP Transmission Control RFC793 8 EGP Exterior Gateway Protocol RFC888 17 UDP User Datagram RFC768 47 GRE General Routing Encapsulation 50 ESP Encapsulation Security Payload RFC2406 51 AH Authentication Header RFC2402 108 IPComp I IP Payload Compression Protocol RFC2393 112 VRRP Virtual Router Redundancy Protocol 115 L2TP Layer ...

Page 125: ...fective Hardware the price paid by the original purchaser for the defective Hardware will be refunded by D Link upon return to D Link of the defective Hardware All Hardware or part thereof that is replaced by D Link or for which the purchase price is refunded shall become the property of D Link upon replacement or refund Limited Software Warranty D Link warrants that the software portion of the pr...

Page 126: ...forming What Is Not Covered This limited warranty provided by D Link does not cover Products that have been subjected to abuse accident alteration modification tampering negligence misuse faulty installation lack of reasonable care repair or service in any way that is not contemplated in the documentation for the product or if the model or serial number has been altered tampered with defaced or re...

Page 127: ...ie Netzanschlußsteckdose muß aus Gründen der elektrischen Sicherheit einen Schutzleiterkontakt haben 10 Verlegen Sie die Netzanschlußleitung so daß niemand darüber fallen kann Es sollete auch nichts auf der Leitung abgestellt werden 11 Alle Hinweise und Warnungen die sich am Geräten befinden sind zu beachten 12 Wird das Gerät über einen längeren Zeitraum nicht benutzt sollten Sie es vom Stromnetz ...

Page 128: ...roduit pourrait causer des interférences radio auquel cas l utilisateur devrait prendre les mesures adéquates Attenzione Il presente prodotto appartiene alla classe B Se utilizzato in ambiente domestico il prodotto può causare interferenze radio nel cui caso è possibile che l utente debba assumere provvedimenti adeguati FCC Warning This equipment has been tested and found to comply with the limits...

Page 129: ...VCCI Warning ...

Page 130: ...Thlli ja Pakkahuone Katajanokanlaituri 5 FIN 00160 Helsinki Finland TEL 358 9 622 91660 FAX 358 9 622 91661 E MAIL info dlink fi com URL www dlink fi com FRANCE D LINK FRANCE Le Florilege 2 Allee de la Fresnerie 78330 Fontenay le Fleury France TEL 33 1 302 38688 FAX 33 1 3023 8689 E MAIL info dlink france fr URL www dlink france fr GERMANY D LINK Central Europe D Link Deutschland GmbH Schwalbacher...

Page 131: ...67 15 Bromma Sweden TEL 46 0 8564 61900 FAX 46 0 8564 61901 E MAIL info dlink se URL www dlink se TAIWAN D LINK TAIWAN 2F No 119 Pao Chung Road Hsin Tien Taipei Taiwan TEL 886 2 2910 2626 FAX 886 2 2910 1515 E MAIL dssqa tsc dlinktw com tw URL www dlinktw com tw U K D LINK EUROPE 4th Floor Merit House Edgware Road Colindale London NW9 5AB U K TEL 44 20 8731 5555 FAX 44 20 8731 5511 E MAIL info dli...

Page 132: ...132 ...

Page 133: ......