D-Link NetDefendOS, User Manual

Page 1: ...Network Security Solution http www dlink com NetDefendOS Ver 11 04 01 Network Security Firewall User Manual Security Security ...

Page 2: ...Manual DFL 260E 860E 870 1660 2560 2560G NetDefendOS Version 11 04 01 D Link Corporation No 289 Sinhu 3rd Rd Neihu District Taipei City 114 Taiwan R O C http www DLink com Published 2016 10 03 Copyright 2016 ...

Page 3: ...articular purpose D Link reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such revision or changes Limitations of Liability UNDER NO CIRCUMSTANCES SHALL D LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER E G DAMAGES FOR LOSS OF PROFIT SOFTWARE RESTORATION WORK STOPPAGE LOS...

Page 4: ... Saving Time 79 2 2 4 Using External Time Servers 82 2 2 5 Settings Summary for Date and Time 85 2 3 Events and Logging 87 2 3 1 Overview 87 2 3 2 Log Messages 87 2 3 3 Log Receiver Types 88 2 3 4 The Memory Log Receiver Memlog 89 2 3 5 The Syslog Log Receiver 89 2 3 6 Mail Alerting 92 2 3 7 Severity Filter and Message Exceptions 96 2 3 8 SNMP Traps 97 2 3 9 Advanced Log Settings 98 2 3 10 Logsnoo...

Page 5: ...74 3 4 Interfaces 178 3 4 1 Overview 178 3 4 2 Ethernet Interfaces 180 3 4 3 Link Aggregation 191 3 4 4 VLAN 195 3 4 5 Service VLAN 199 3 4 6 PPPoE 202 3 4 7 GRE Tunnels 205 3 4 8 6in4 Tunnels 209 3 4 9 Loopback Interfaces 213 3 4 10 Interface Groups 218 3 4 11 Layer 2 Pass Through 219 3 5 ARP 221 3 5 1 Overview 221 3 5 2 The ARP Cache 221 3 5 3 ARP Publish 223 3 5 4 Using ARP Advanced Settings 22...

Page 6: ...roubleshooting 357 4 7 Multicast Routing 361 4 7 1 Overview 361 4 7 2 Multicast Forwarding with SAT Multiplex Rules 362 4 7 3 IGMP Configuration 368 4 7 4 Advanced IGMP Settings 374 4 7 5 Tunneling Multicast using GRE 376 4 8 Transparent Mode 379 4 8 1 Overview 379 4 8 2 Enabling Internet Access 384 4 8 3 A Transparent Mode Use Case 386 4 8 4 Spanning Tree BPDU Support 388 4 8 5 MPLS Pass Through ...

Page 7: ...attern Matching 557 6 6 6 IDP Signature Groups 558 6 6 7 Setting Up IDP 559 6 6 8 SMTP Log Receiver for IDP Events 562 6 6 9 Best Practice Deployment 564 6 7 Denial of Service Attacks 566 6 7 1 Overview 566 6 7 2 DoS Attack Mechanisms 566 6 7 3 Ping of Death Attacks 566 6 7 4 Fragmentation Overlap Attacks 567 6 7 5 The Land and LaTierra Attacks 567 6 7 6 The WinNuke attack 567 6 7 7 Amplification ...

Page 8: ...8 9 1 3 VPN Planning 669 9 1 4 Key Distribution 669 9 1 5 The TLS Alternative for VPN 670 9 2 VPN Quick Start 671 9 2 1 IPsec LAN to LAN with Pre shared Keys 672 9 2 2 IPsec LAN to LAN with Certificates 673 9 2 3 IPsec Roaming Clients with Pre shared Keys 674 9 2 4 IPsec Roaming Clients with Certificates 677 9 2 5 L2TP IPsec Roaming Clients with Pre Shared Keys 678 9 2 6 L2TP IPsec Roaming Clients...

Page 9: ...Creating Differentiated Limits Using Chains 783 10 1 6 Precedences 784 10 1 7 Pipe Groups 788 10 1 8 Traffic Shaping Recommendations 791 10 1 9 A Summary of Traffic Shaping 793 10 1 10 More Pipe Examples 793 10 2 IDP Traffic Shaping 798 10 2 1 Overview 798 10 2 2 Setting Up IDP Traffic Shaping 798 10 2 3 Processing Flow 799 10 2 4 The Importance of Specifying a Network 799 10 2 5 A P2P Scenario 80...

Page 10: ...3 4 State Settings 860 13 5 Connection Timeout Settings 862 13 6 Length Limit Settings 864 13 7 Fragmentation Settings 867 13 8 Local Fragment Reassembly Settings 871 13 9 SSL TLS Settings 872 13 10 Miscellaneous Settings 875 A Subscribing to Updates 880 B IDP Signature Groups 884 C Verified MIME filetypes 888 D The OSI Framework 892 E DFL 260E 860E Port Based VLAN 893 F Third Party Software Licen...

Page 11: ...gorithm 318 4 7 A Route Load Balancing Scenario 320 4 8 Virtual Routing 324 4 9 The Disadvantage of Routing Rules 325 4 10 The Advantage of Virtual Routing 326 4 11 A Simple OSPF Scenario 332 4 12 OSPF Providing Route Redundancy 333 4 13 Virtual Links Connecting Areas 337 4 14 Virtual Links with Partitioned Backbone 338 4 15 NetDefendOS OSPF Objects 339 4 16 Dynamic Routing Rule Objects 347 4 17 A...

Page 12: ...ded Users Tab in the IDA Interface 648 9 1 The AH protocol 692 9 2 The ESP protocol 693 9 3 PPTP Client Usage 739 9 4 An L2TPv3 Example 742 9 5 SSL VPN Browser Connection Choices 756 9 6 The SSL VPN Client Login 757 9 7 The SSL VPN Client Statistics 758 10 1 Pipe Rules Determine Pipe Usage 779 10 2 FwdFast Rules Bypass Traffic Shaping 780 10 3 Differentiated Limits Using Chains 783 10 4 The Eight ...

Page 13: ... Synchronization 84 2 26 Modifying the Maximum Adjustment Value 84 2 27 Forcing Time Synchronization 85 2 28 Enable Logging to a Syslog Host 90 2 29 Enabling Syslog RFC 5424 Compliance with Hostname 91 2 30 Setting up a Mail Alerting Object 95 2 31 Sending SNMP Traps to an SNMP Trap Receiver 98 2 32 Link Monitor Setup 106 2 33 Enabling SNMP Versions 1 and 2c Monitoring 113 2 34 Enabling SNMP Versi...

Page 14: ...ting Certificates with IPsec Tunnels 275 3 46 CRL Distribution Point List 275 3 47 Configuring DNS Servers 281 4 1 Displaying the main Routing Table 292 4 2 Adding a Route to the main Table 294 4 3 Displaying the Core Routes 295 4 4 Enabling Broadcast Forwarding on a Route 306 4 5 Creating a Routing Table 309 4 6 Adding Routes 310 4 7 Creating a Routing Rule 310 4 8 Policy based Routing with Multi...

Page 15: ...ltering of IMAP Traffic 531 6 28 Activating Anti Virus with an IP Rule 547 6 29 Activating Anti Virus with an IP Policy 548 6 30 Changing the Anti Virus Cache Lifetime 550 6 31 Setting up IDP for a Mail Server 560 6 32 Configuring an SMTP Log Receiver 563 6 33 Adding a Host to the Whitelist 572 7 1 Specifying a NAT IP Rule 578 7 2 Specifying a NAT IP Policy 579 7 3 Using NAT Pools 586 7 4 One to O...

Page 16: ...TPv3 Client Setup With IPsec 750 9 20 Setting Up an SSL VPN Interface 759 9 21 Setting SSL VPN Interface Client Routes 761 10 1 Applying a Simple Bandwidth Limit 780 10 2 Limiting Bandwidth in Both Directions 782 10 3 Creating a Threshold Rule 805 10 4 Setting up SLB with IP Rules 813 10 5 Setting up SLB with an SLB Policy 816 11 1 Enabling Automatic Cluster Synchronization 821 12 1 Setting Up Zon...

Page 17: ... is shown in the text clicking it will open the specified URL in a browser in a new window some systems may not allow this For example http www dlink com Screenshots This guide contains a minimum of screenshots This is deliberate and is done because the manual deals specifically with NetDefendOS and administrators have a choice of management user interfaces It was decided that the manual would be ...

Page 18: ...wing purposes Note This indicates some piece of information that is an addition to the preceding text It may concern something that is being emphasized or something that is not obvious or explicitly stated in the preceding text Tip This indicates a piece of non critical information that is useful to know in certain situations but is not essential reading Caution This indicates where the reader sho...

Page 19: ...eir respective owners Windows is either registered trademarks or trademarks of Microsoft Corporation in the United States and or other countries Apple Mac and Mac OS are trademarks of Apple Inc registered in the United States and or other countries Preface 19 ...

Page 20: ...tion of all its subsystems in depth administrative control of all functionality as well as a minimal attack surface which helps to negate the risk from security attacks NetDefendOS Objects From the administrator s perspective the conceptual approach of NetDefendOS is to visualize operations through a set of logical building blocks or objects These objects allow the configuration of NetDefendOS in ...

Page 21: ...rmination NetDefendOS supports TLS termination so that the NetDefend Firewall can act as the endpoint for connections by HTTP web browser clients this feature is sometimes called SSL termination For detailed information see Section 6 2 11 The TLS ALG Application Control NetDefendOS is able to identify data connections relating to particular applications and perform defined actions for those data s...

Page 22: ...Rules allow specification of thresholds for sending alarms and or limiting network traffic Server Load Balancing enables a device running NetDefendOS to distribute network load to multiple hosts These features are discussed in detail in Chapter 10 Traffic Management Note Threshold Rules are only available on certain D Link NetDefend product models Operations and Maintenance Administrator managemen...

Page 23: ...addition to the list above NetDefendOS includes a number of other features such as RADIUS Accounting DHCP services protection against Denial of Service DoS attacks support for PPPoE GRE dynamic DNS services and much more NetDefendOS Documentation Reading through the available documentation carefully will ensure getting the most out of the NetDefendOS product In addition to this document the reader...

Page 24: ...ing apply bandwidth management and a variety of other functions The stateful inspection approach additionally provides high throughput performance with the added advantage of a design that is highly scalable The NetDefendOS subsystem that implements stateful inspection will sometimes be referred to in documentation as the NetDefendOS state engine 1 2 2 NetDefendOS Building Blocks The basic buildin...

Page 25: ...N interface with a corresponding VLAN ID If one is found that VLAN interface becomes the source interface for the packet If no matching interface is found the packet is dropped and the event is logged If the Ethernet frame contains a PPP payload the system checks for a matching PPPoE interface If one is found that interface becomes the source interface for the packet If no matching interface is fo...

Page 26: ...ce to an Application Layer Gateway ALG object This information is recorded in the state so that NetDefendOS will know that application layer processing will have to be performed on the connection Finally the opening of the new connection will be logged according to the log settings of the rule Note Additional actions There are actually a number of additional actions available such as address trans...

Page 27: ...erface In other words the process continues at step 3 above If traffic management information is present the packet might get queued or otherwise be subjected to actions related to traffic management 11 Eventually the packet will be forwarded out on the destination interface according to the state If the destination interface is a tunnel interface or a physical sub interface additional processing ...

Page 28: ...OS state engine There are three diagrams each flowing into the next It is not necessary to understand these diagrams however they can be useful as a reference when configuring NetDefendOS in certain situations Figure 1 1 Packet Flow Schematic Part I The packet flow is continued on the following page Chapter 1 NetDefendOS Overview 28 ...

Page 29: ...Figure 1 2 Packet Flow Schematic Part II The packet flow is continued on the following page Chapter 1 NetDefendOS Overview 29 ...

Page 30: ...Figure 1 3 Packet Flow Schematic Part III Chapter 1 NetDefendOS Overview 30 ...

Page 31: ...ply Rules The figure below presents the detailed logic of the Apply Rules function in Figure 1 2 Packet Flow Schematic Part II above Figure 1 4 Expanded Apply Rules Logic Chapter 1 NetDefendOS Overview 31 ...

Page 32: ...Chapter 1 NetDefendOS Overview 32 ...

Page 33: ...both high performance and high reliability Not only does it provide an extensive feature set it also enables the administrator to be in full control of almost every detail of the system This means the product can be deployed in the most challenging environments A good understanding on how NetDefendOS configuration is performed is crucial for proper usage of the system For this reason this section ...

Page 34: ...omplement to CLI usage and provides a secure means of file transfer between the administrator s workstation and the NetDefend Firewall Various files used by NetDefendOS can be both uploaded and downloaded with SCP This feature is described further in Section 2 1 7 Secure Copy The Console Boot Menu Before NetDefendOS starts running a console connected directly to the NetDefend Firewall s local cons...

Page 35: ...LAN1 192 168 10 1 DFL 1660 LAN1 192 168 10 1 DFL 2560 LAN1 192 168 10 1 DFL 2560G LAN1 192 168 10 1 Remote Management Objects Remote access over a network to NetDefendOS is controlled by a set of Remote Management objects and and these objects can be any of the following types HTTP HTTPS Management A predefined object of this type called rmgmt_http already exists in the default NetDefendOS configu...

Page 36: ...iguration will not revert back to the old version Changes made through the CLI over SSH When using the CLI via an SSH connection the administrator must first issue the command gw world activate This activates the new configuration but the changes are not made permanent until the following command is issued gw world commit If the commit command is not issued within a fixed period of time the defaul...

Page 37: ...nt object 3 Delete the old Remote Management object and the activate and commit the change Changing the Management IP Address The following example shows how the IPv4 address for access on the default management interface can be changed The new address must belong to the network allowed by the relevant Remote Management object for that interface If it does not the object must be changed to allow t...

Page 38: ...agement Object If the network as well as the IP address changes for a management interface and or a different interface is used then the relevant management access rule will also need to be changed as shown in the example below Example 2 3 Changing a Remote Management Object This example will change the current HTTP HTTPS management access to allow access on the If2 interface and from the network ...

Page 39: ...the other unit by the synchronization process Example 2 4 Changing the HA Management IP Address This example will change the slave management IP address for the lan interface to 192 168 1 2 for an HA cluster Command Line Interface gw world set Address IP4HA lan_ha_ip Address 2 192 168 1 2 Web Interface 1 Go to Objects Address Book 2 Select the address book object In this case lan_ha_ip 3 Set the f...

Page 40: ...minUsers Interface If2 Network all nets 5 Click OK 2 1 3 Administrator Account By default NetDefendOS has a local user database AdminUsers that contains one predefined administrator account This account has the username admin with password admin This account has full administrative read write privileges for NetDefendOS Important For security reasons it is recommended to change the default password...

Page 41: ... a standard computer without having to install client software Note Recommended web browsers The recommended browsers to use with the Web Interface are Microsoft Internet Explorer Firefox Safari Chrome Opera Assignment of a Default IP Address For a new D Link NetDefend firewall with factory defaults a default IPv4 address is assigned automatically by NetDefendOS to the hardware s LAN1 interface or...

Page 42: ...lf signed certificate for the encryption and the browser will ask the administrator to confirm that a security exception should be made When communication with the NetDefendOS is successfully established a user authentication dialog similar to the one shown below will then be shown in the browser window Enter the username and password and click the Login button The factory default credentials are ...

Page 43: ... since this appears in a popup window The wizard can be terminated and setup up done as a series of separate steps through the Web Interface if desired or alternatively through the CLI Multi language Support The Web Interface login dialog offers the option to select a language other than English for the interface Language support is provided by a set of separate resource files These files can be d...

Page 44: ...enu bar The menu bar located at the top of the Web Interface contains a series of buttons for accessing different aspects of the configuration B Object Navigator The navigator located on the left hand side of the Web Interface is divided into a number of sections related to the chosen menu bar item C Main Window The main window contains configuration or status details corresponding to the section ...

Page 45: ...b Interface they are not applied to the current running configuration until the administrator asks for them to be activated Activation is done by choosing the Web Interface menu option Configuration Save and Activate NetDefendOS will then perform a reconfigure operation which might cause only a slight brief delay to current data traffic To prevent a change locking out the administrator NetDefendOS...

Page 46: ...le to expose any management interface to access from the public Internet Logging out from the Web Interface After finishing working with the Web Interface it is advisable to always logout to prevent other users with access to the workstation getting unauthorized access to NetDefendOS Logout is achieved by clicking on the Logout button at the right of the menu bar Management Traffic Routing with VP...

Page 47: ...pecific object CLI Command Structure CLI commands normally have the structure command object_category object_type object_name For example to display an IP address object called my_address the command would be gw world show Address IP4Address my_address The object category in this case is Address and the type within this category is IPAddress When typing commands the object category can be left out...

Page 48: ...possible then pressing the tab key will alternatively display the possible command options that are available Optional Parameters Are Tab Completed Last Tab completion does not work with optional parameters until all the mandatory parameters have been entered For example when creating an IP rule for a particular IP rule set the command line might begin gw world add IPRule If the tab key is now pre...

Page 49: ...gReceiver LogReceiverSyslog log_example Address example_ip LogSeverity tab This will fill in the default value for LogSeverity gw world add LogReceiver LogReceiverSyslog example Address example_ip LogSeverity Emergency Alert Critical Error Warning Notice Info This severity list can then be edited with the back arrow and backspace keys A default value is not always available For example the Action ...

Page 50: ...the category list after pressing tab at the beginning of a command The category is sometimes also referred to as the CLI context The category does not have to be entered for the command to be valid but always appears when using tab completion As discussed later when commands are created automatically using CLI scripting NetDefendOS omits the category in the commands it creates Selecting Object Cat...

Page 51: ...options available for each NetDefendOS object including the Name and Index options Using Unique Names For convenience and clarity it is recommended that a name is assigned to all objects so that it can be used for reference if required Reference by name is particularly useful when writing CLI scripts For more on scripts see Section 2 1 6 CLI Scripts The CLI will enforce unique naming within an obj...

Page 52: ...on the terminal console The NetDefendOS login prompt should appear on the console to indicate successful communication CLI commands can now be entered SSH Secure Shell CLI Access The SSH Secure Shell protocol can be used to access the CLI over the network from a remote host SSH is a protocol primarily used for secure communication over insecure networks providing strong authentication and data int...

Page 53: ...hclientkeys SCP and this folder are described further in Section 2 1 7 Secure Copy The public key file will usually have an original filetype of pub but the filename on NetDefendOS cannot have a period in the name If the local filename of the certificate s public key file is id_rsa pub this must become something without the period in NetDefendOS storage For example it could get the new name my_pub...

Page 54: ...tem as well as providing user information for auditing When accessing the CLI remotely through SSH NetDefendOS will respond with a login prompt Enter the username and press the Enter key followed by the password and then Enter again After a successful login the CLI command prompt will appear gw world If a welcome message has been set then it will be displayed directly after the login For security ...

Page 55: ...CLI command gw world set device name my prompt The CLI Reference Guide uses the command prompt gw world throughout Tip The CLI prompt is the Web Interface device name When the command line prompt is changed to a new string value this string also appears as the new device name in the top level node of the Web Interface navigation tree Activating and Committing Changes If any changes are made to the...

Page 56: ...elay is 5 seconds To shut down and restart both NetDefendOS and completely reinitialize the hardware including the NetDefendOS loader equivalent to switching the hardware off then on use the command gw world shutdown reboot The reboot option is rarely needed in normal circumstances and because it requires more time for the restart it is best not to use it When NetDefendOS is upgraded the reboot op...

Page 57: ...sses If2_ip Address 10 8 1 34 The network IP address for the interface must also be set to the appropriate value gw world set Address IP4Address InterfaceAddresses If2_net Address 10 8 1 0 24 In this example local IP addresses are used for illustration but these could be public IPv4 addresses instead It is also assumed that the default address objects for the configuration are stored in an address...

Page 58: ...asily store and execute sets of CLI commands NetDefendOS provides a feature called CLI scripting A CLI script is a predefined sequence of CLI commands which can be executed after they are saved to a file and the file is then uploaded to the NetDefend Firewall The steps for creating a CLI script are as follows 1 Create a text file with a text editor containing a sequential list of CLI commands one ...

Page 59: ...nd Firewall For example to execute the script file my_script sgs which has already been uploaded the CLI command would be gw world script execute name my_script sgs Script Variables A script file can contain any number of script variables which are called 1 2 3 4 n The values substituted for these variable names are specified as a list at the end of the script execute command line The number n in ...

Page 60: ...erred to then this can result in confused and disjointed script files and in large script files it is often preferable to group together related CLI commands Error Handling If an executing CLI script file encounters an error condition the default behavior is for the script to terminate This behavior can be overridden by using the force option For example to run a script file called my_script2 sgs ...

Page 61: ...multiple NetDefend Firewalls then one way to do this with the CLI is to create a script file that creates the required objects and then upload to and run the same script on each device If we already have a NetDefendOS installation that already has the objects configured that need to be copied then running the script create command on that installation provides a way to automatically create the req...

Page 62: ...b completion will always include the object category The script filename length has a limit The name of the file created using the create option cannot be greater than 16 characters in length including the extension and the filetype should always be sgs Both Set and Add appear in scripts The default configuration objects will have a Set action and the objects added to the default configuration wil...

Page 63: ...cript For example the script my_script sgs could contain the line script execute name my_script2 sgs NetDefendOS allows the script file my_script2 sgs to execute another script file and so on The maximum depth of this script nesting is 5 Running Scripts from the Web Interface It is possible to upload and execute a CLI script through the Web Interface Following execution of the script it is not ret...

Page 64: ...ne with the command scp source_firewall local_filename The source or destination NetDefend Firewall is of the form user_name firewall_ip_address filepath For example admin 10 62 11 10 config bak The user_name must be a defined NetDefendOS user in the administrator user group Note SCP examples do not show the password prompt SCP will normally prompt for the user password after the command line but ...

Page 65: ...omatic authentication from an SSH client which has the matching private key installed The filename should not have a filetype in other words there should be no period character in the name After upload the administrator should associate the file with a User object so that user can have automatic authentication enabled SSH authentication with certificates is described further in Section 2 1 5 The C...

Page 66: ...s called the console boot menu also known simply as the boot menu This section discusses the boot menu options Accessing the Console Boot Menu The boot menu is only accessible through a console device attached directly to the serial console located on the NetDefend Firewall It can be accessed through the console after the NetDefend Firewall is powered up and before NetDefendOS is fully started Aft...

Page 67: ...ither the boot menu or the command line interface CLI Initial Options with a Console Password Set If a console password is set then the initial options that appear when NetDefendOS loading is interrupted with a key press are shown below The 1 Start firewall option re continues the interrupted NetDefendOS startup process If the 2 Login option is chosen the console password must be entered and the f...

Page 68: ...ntials are authenticated by a RADIUS server These group names are matched by NetDefendOS against the group name returned for the user by the RADIUS server Setting either of these properties to the single wildcard character asterisk means any group will get that access Leaving either property blank means no user can have that type of access The administrator group names take precedence over the aud...

Page 69: ...er object name used The server_ip is the IP of the NetDefendOS interface the client is connecting to It is not the IP of the authenticating RADIUS server The client_ip is the IP of the computer the user is trying to login from Below are some typical examples of log event messages Successful RADIUS Authentication A successful login with the user being part of the system_admins group event admin_log...

Page 70: ...cts are already defined in the configuration and have the names radius_auth1 and radius_auth2 where radius_auth2 is the fallback server in case the other fails to respond The Authentication Order will be set to Local First which will mean that the local NetDefendOS database will be consulted first If the user is not found there then the RADIUS servers will be queried All users who are members of t...

Page 71: ... the amount of seconds to wait for the administrator to log in before reverting to the previous configuration Default 30 WebUI HTTP port Specifies the HTTP port for the Web Interface Default 80 WebUI HTTPS port Specifies the HTTP S port for the Web Interface Default 443 HTTPS Certificate Specifies which certificate to use for HTTPS traffic Only RSA certificates are supported Default HTTPS 2 1 11 W...

Page 72: ...rovided as means to simplify administration The following examples show how to manipulate objects Example 2 11 Listing Configuration Objects To find out what configuration objects exist you can retrieve a listing of the objects This example shows how to list all service objects Command Line Interface gw world show Service A list of all services will be displayed grouped by their respective type We...

Page 73: ...e 1 Go to Objects Services 2 Select the telnet entry in the list 3 A web page displaying the telnet service will be presented Note When accessing object via the CLI you can omit the category name and just use the type name The CLI command in the above example for instance could be simplified to gw world show ServiceTCPUDP telnet Example 2 13 Editing a Configuration Object When the behavior of NetD...

Page 74: ...t will not be applied to a running system until the new NetDefendOS configuration is activated Example 2 14 Adding a Configuration Object This example shows how to add a new IP4Address object here creating the IPv4 address 192 168 10 10 to the address book Command Line Interface gw world add Address IP4Address myhost Address 192 168 10 10 Show the new object gw world show Address IP4Address myhost...

Page 75: ...host object 3 In the dropdown menu displayed select Delete The row will be rendered with a strikethrough line indicating that the object is marked for deletion Example 2 16 Undeleting a Configuration Object A deleted object can always be restored until the configuration has been activated and committed This example shows how to restore the deleted IP4Address object shown in the previous example Co...

Page 76: ...etDefendOS will attempt to initialize affected subsystems with the new configuration data Important Committing IPsec Changes The administrator should be aware that if any changes that affect the configurations of live IPsec tunnels are committed then those live tunnels connections will be terminated and must be re established If the new configuration is validated NetDefendOS will wait for a short ...

Page 77: ... automatically try to connect back to the Web Interface after 10 seconds If the connection succeeds this is interpreted by NetDefendOS as confirmation that remote management is still working The new configuration is then automatically committed Note Changes must be committed The configuration must be committed before changes are saved All changes to a configuration can be ignored simply by not com...

Page 78: ...chronization protocols to automatically adjust the local system clock from the response to queries sent over the public Internet to these servers This is described further in Section 2 2 4 Using External Time Servers There are two types of time server that NetDefendOS can use i Public Servers These are servers that can be used by anyone ii D Link Servers These are D Link s own time servers and is ...

Page 79: ...g east and west from zero longitude are taken as being GMT plus or minus a given integer number of hours All locations counted as being inside a given time zone will then have the same local time and this will be one of the integer offsets from GMT The NetDefendOS time zone setting reflects the time zone where the NetDefend Firewall is physically located Example 2 20 Setting the Time Zone To modif...

Page 80: ...ring an offset from the time in the specified timezone along with a start and end day for the offset to be applied These options are described next Specifying a Location Name for tz Database Lookup The tz database is a publicly available database for mapping a location name to the daylight saving rule for a given location The database is part of the NetDefendOS distribution and is stored locally T...

Page 81: ...r applied at the beginning of this day Example 2 22 Enabling DST Manually In this example a DST rule for Stockholm Sweden will be applied This is an offset of plus 60 minutes that is applied at the beginning of March 29th and no longer applied at the beginning of October 25th It is assumed that the Time zone is already set to the value GMT Command Line Interface gw world set DateTime DSTEnabled Ye...

Page 82: ...l is an older method of providing time synchronization service over the Internet The server sends back the time in seconds since midnight on January 1st 1900 Methods of Configuring Time Servers NetDefendOS provides the ability to configure one of the following two types of time server The D Link Time Server D Link operates its own time server which can be used instead of publicly available servers...

Page 83: ...icly available time servers Important DNS servers need to be configured in NetDefendOS Make sure at least one external DNS server is correctly configured in NetDefendOS so that time server URLs can be resolved see Section 3 10 DNS This is not needed if using IP addresses for the servers but is always needed if using the option of D Link s own time servers Example 2 24 Configuring Custom Time Serve...

Page 84: ... clock to be updated with an extremely inaccurate time a Maximum Adjustment value in seconds can be set If the difference between the current NetDefendOS time and the time received from a time server is greater than this maximum adjustment value then the time server response will be discarded For example assume that the maximum adjustment value is set to 60 seconds and the current NetDefendOS time...

Page 85: ... time synchronization overriding the maximum adjustment setting Command Line Interface gw world time sync force Synchronization Intervals The interval between each synchronization attempt can be adjusted if needed By default this value is 86 400 seconds 1 day meaning that the time synchronization process is executed once in a 24 hour period 2 2 5 Settings Summary for Date and Time Below is a summa...

Page 86: ... None Secondary Time Server DNS hostname or IP Address of Timeserver 2 Default None tertiary Time Server DNS hostname or IP Address of Timeserver 3 Default None Interval between synchronization Seconds between each resynchronization Default 86400 Max time drift Maximum time drift in seconds that a server is allowed to adjust Default 600 Group interval Interval according to which server responses w...

Page 87: ...s Event Types NetDefendOS defines several hundred events for which log messages can be generated The events range from high level customizable user events down to low level and mandatory system events The conn_open event for example is a typical high level event that generates an event message whenever a new connection is established given that the matching security policy rule has defined that ev...

Page 88: ...rs To receive messages it is necessary to configure in NetDefendOS one or more event receivers objects that specify what events to capture and where to send them NetDefendOS can distribute event messages to different types of receivers and these are enabled by creating any of the following types of Log Receiver objects Memory Log Receiver NetDefendOS has its own logging mechanism also known as the...

Page 89: ... local system time of the firewall This is different from the timestamp on log messages sent to external log Receivers which are always timestamped with GMT time Disabling and Enabling Memlog A single Memory Log Receiver object exists by default in NetDefendOS and memlog is therefore enabled by default If logging to memlog is not required then the Memory Log Receiver object can be deleted and this...

Page 90: ...acility property indicates to the server the type of program generating the Syslog message If not specified this is set to local0 meaning a kernel message by NetDefendOS The facility name is commonly used as a filtering parameter by most syslog daemons Example 2 28 Enable Logging to a Syslog Host This example enables logging of all events with a severity equal to Emergency or Alert to a Syslog ser...

Page 91: ...it is also possible to set the hostname to a specific value The example below shows how this is done Example 2 29 Enabling Syslog RFC 5424 Compliance with Hostname This example enables logging of all events with a severity greater equal to Emergency or Alert to a Syslog server with the IPv4 address 192 168 5 1 RFC 5424 compliance will also be enabled with a hostname of my_host1 in the Syslog heade...

Page 92: ...ails to the destination email address This can also be an FQDN address object or a DNS resolvable FQDN note that both require that a DNS server is configured in NetDefendOS Server Port The port number that the SMTP server listens on This is set by default to the standard port number of 25 SMTP Recipient A single destination email address for outgoing mails SMTP Sender A string which will be the se...

Page 93: ...te of events trigger the Event count threshold value has not been reached This is not used in Single event trigger mode Report email interval This is the maximum length of time in hours that can elapse before an email is sent even though the email might contain no events Typically this value might be set to 24 so that the Mail Alerting object generates at least one email a day even though it might...

Page 94: ... 2 minutes and an Event count threshold value of 3 events in other words 3 events must occur in a 2 minute window for an email to be sent Assume that since sending its last email 6 log events occur that are eligible for mailing and these occur over a 6 minute period of time The diagram below divides the 6 minutes into 2 minute sections for clarity and shows when the events occur The processing flo...

Page 95: ...e a mailing list email address on the SMTP server so that a mail sent to that address is sent to multiple email recipients Mail Size Limit In order to limit the available memory that NetDefendOS uses for buffering log messages and building the email body a limit is set on the email size This limit is 8 Kbytes When this limit is reached but the email had not yet been sent any new log messages will ...

Page 96: ...erities are sent to that receiver It is also possible to lower or raise the severity of specific events The Severity Filter The Severity Filter is a means of specifying what severities if any are sent to the receiver By default all log messages except Debug are sent This can be restricted further so for example only Emergency Alert and Critical messages are sent Log Message Exceptions After the se...

Page 97: ...ept of an SNMP Trap one step further by allowing any event message to be sent as an SNMP trap This means that the administrator can set up SNMP Trap notification of events that are considered significant in the operation of a network The file DLINK DFL TRAPS MIB mib defines the SNMP objects and data types that are used to describe an SNMP Trap received from NetDefendOS This file is contained withi...

Page 98: ... 3 1 for the IP Address 4 Enter an SNMP Community String if needed by the trap receiver 5 Select SeverityFilter and choose Emergency and Alert as the severities 6 Click OK 2 3 9 Advanced Log Settings The following advanced settings for NetDefendOS event logging are available to the administrator Send Limit This setting specifies the maximum log messages that NetDefendOS will send per second This v...

Page 99: ...above two features can be combined so that both the contents of the memlog buffer and newly generated messages are displayed together Switching Real time Logsnooping On and Off To switch on snooping the basic form of the command is gw world logsnoop on All log messages generated by NetDefendOS will now appear on the CLI console and each individual message is prefixed by the word LOG For example LO...

Page 100: ...oop on severity warning srcip 192 168 1 10 srcif If1 Any number of filtering parameters can be used together in a single logsnoop command A complete list of command parameters can be found in the entry of logsnoop in the separate NetDefendOS CLI Reference Guide Alternatively the following the CLI command can be used gw world help logsnoop Filtering Wildcards and Free text Filtering When specifying...

Page 101: ...ime This is done with the command gw world logsnoop on source both This will display the contents of memlog and all subsequently generated messages It is recommended to add further filtering parameters to the command If source both is used a second command with the off parameter will be needed later to switch off real time logging Specifying a Time Range The displayed log messages can be limited t...

Page 102: ...he 12th of January the command would be gw world logsnoop on starttime 2014 01 12 endtime 2014 01 13 When not looking at memlog setting the times will act as a way of turning logsnoop on and off at specified future times If the source memlog option is used the start and end times are used to look at a specific period in the memlog history Chapter 2 Management and Maintenance 102 ...

Page 103: ...he statistic generating the event in the list of alert rules A log message with identity 05400003 for example identifies the third rule in the rule list Monitor Alert Rules Each Monitor Alert Rule consists of the following fields Name User assigned name for the rule Sample time The interval in seconds between checking the statistic Low threshold The lower threshold if specified High threshold A hi...

Page 104: ...t the hosts themselves If it is the availability of a single host that is important then a Link Monitor object should be created that monitors only that host The Link Monitor Reconfigure is Different The reconfigure that can be triggered by the link monitor has one special aspect to it The link monitor reconfigure has the additional action of restarting all interfaces This means that if there is a...

Page 105: ...f it is important to not allow a failover during reconfiguration of the active unit in an HA cluster then the advanced setting Reconf Failover Time should be set to a value which is neither too low or too high Reconf Failover Time controls how long the inactive unit will wait for the active unit to reconfigure before taking over Setting this value too low will mean the inactive unit does not wait ...

Page 106: ...s avoids false positives during initial link negotiation The default value is 45 seconds Ping Interval The number of milliseconds between pings sent to hosts The default value is 250 Routing Table This is the routing table used for looking up the route for the host IP addresses The default is the main routing table Use Shared IP This is only used when monitoring in a HA cluster It allows the link ...

Page 107: ...ware Monitoring The System Device Hardware Monitoring section of the Web Interface provides the administrator with the following settings for enabling hardware monitoring when it is available Enable Sensors Enable disable all hardware monitoring functionality Default Disabled Poll Interval Polling interval for the Hardware Monitor which is the delay in milliseconds between readings of hardware mon...

Page 108: ...eturned after polling falls outside this range NetDefendOS optionally generates a log message that is sent to the configured log servers Note Different hardware has different sensors and ranges Each hardware model may have a different set of sensors and a different operating range The above output and its values are for illustration only Setting the Minimum and Maximum Range The minimum and maximu...

Page 109: ... in Section 2 3 9 Advanced Log Settings 2 4 4 Memory Monitoring Settings The System Device Hardware Monitoring section of the Web Interface provides the administrator with a number of settings related to the monitoring of available memory These are Memory Poll Interval Memory polling interval which is the delay in minutes between readings of memory values Minimum 1 Maximum 200 Default 15 minutes M...

Page 110: ...if free memory is below this number of bytes Disable by setting to 0 Maximum value is 10 000 Default 0 Warning Level Generate a Warning log message if free memory is below this number of bytes Disable by setting to 0 Maximum value 10 000 Default 0 Chapter 2 Management and Maintenance 110 ...

Page 111: ...e default or select Version 3 Interface The NetDefendOS interface on which SNMP requests will arrive Network The IP address or network from which SNMP requests will come The other object properties are for security and depend on the SNMP protocol choice These are explained next SNMP Security Options The following are the security options depending on which protocol is selected Versions 1 and 2c Au...

Page 112: ...se usually in the form of a plain text file that defines the parameters on a network device that an SNMP client can access The MIB files for NetDefendOS are contained with NetDefendOS itself They are located within a NetDefendOS folder called SNMP_MIB and have the following names DLINK DFL MIB mib DLINK DFL TRAPS MIB mib Downloading MIB Files The files listed above can be downloaded directly from ...

Page 113: ...mber of SNMP requests allowed per second This can help prevent attacks through SNMP overload Example 2 33 Enabling SNMP Versions 1 and 2c Monitoring This example enables SNMP version 1 and 2c access via the lan interface from the network mgmt net using the community string Mg1RQqR Since the management client is on the internal network there is no need for it to communicate via a VPN tunnel Command...

Page 114: ...entication will be done using the local database called AdminUsers Command Line Interface gw world add RemoteManagement RemoteMgmtSNMP my_snmp_v3 Interface lan Network mgmt net SNMPversion SNMPv3 LocalUserDatabase AdminUsers Snmp3SecurityLevel authPriv Should it be necessary to enable SNMP Before Rules which is enabled by default then the command is gw world set Settings RemoteMgmtSettings SNMPBef...

Page 115: ...e is built in the same way and the table is mirrored between the cluster nodes However if interface persistence is enabled it will only function correctly if the HA setting Synchronize Configuration is enabled on both master and slave This can be found in the Web Interface by going to System Device High Availability and is enabled by default Adding Back a Subtracted Physical Interface If a physica...

Page 116: ...mtSettings SNMPPersistentIfIndex Yes Web Interface 1 Go to System Device Remote Management 2 Select Advanced Settings 3 Under SNMP enable the option Persistent Interface Index 4 Click OK 2 5 3 SNMP Advanced Settings The following SNMP advanced settings can be found under the Remote Management section in the Web Interface They can also be set through the CLI SNMP Before RulesLimit Enable SNMP traff...

Page 117: ...nterface Description SNMP What to display in the SNMP MIB II ifDescr variables Default Name Interface Alias What to display in the SNMP ifMIB ifAlias variables Default Hardware Persistent Interface Index A global setting that determines if interface index persistence is enabled Default No Chapter 2 Management and Maintenance 117 ...

Page 118: ...rip time for the ICMP echo request and reply messages The TTL value is the Time To Live which is a hop counter The initial TTL value is set by the sender and decremented by each router passed When it reaches zero the packet is discarded preventing packets from circulating forever This basic form of the ping command can also be used in the NetDefendOS Web Interface by going to Status Tools Ping Cho...

Page 119: ...ce IP in PBR table main ICMP Reply from 192 168 3 20 seq 0 time 10 ms TTL 255 Ping Results Sent 1 Received 1 Avg RTT 10 0 ms Here the IPv4 address 192 168 3 20 is the IP address of the Ethernet interface on the firewall from which the ping is sent The output shows the route lookup that was performed to find the correct interface When packet simulation is performed with the scrif option discussed l...

Page 120: ...istrator can observe the behavior of the configuration and which IP rules policies and routes are triggered The IP address specified could be an actual host in which case the packet will be forwarded to it through the firewall If there is no route that matches the combination of source IP and receiving interface the srcif parameter the packet it will be dropped by the default access rule For examp...

Page 121: ...for ping PBR selected by rule iface_member_main PBR table main allowed by rule nat_all_wan piped by rule out_pipe Fwd Chain out piped by rule out_pipe Ret Chain in Sending 1 4 byte ICMP ping to 10 6 58 10 from 192 168 3 20 sent via route 0 0 0 0 0 via lan gw 192 168 3 1 in PBR table main ICMP Reply from 10 6 58 10 seq 0 time 10 ms TTL 247 Ping Results Sent 1 Received 1 Avg RTT 10 0 ms The above ou...

Page 122: ...dicate if there has been a serious error in NetDefendOS operation It should be remembered however that the buffer which stats uses is cleared by certain operations such a reconfigure and the output will not therefore show what occurred prior to buffer clearance Below is a typical example of output from the command gw world stats Uptime 7 days 02 12 38 Last shutdown 2014 06 17 16 05 00 Activating c...

Page 123: ...100 163 560 vpn A 10 45 1 2 161 9 UDP UDP vlan1 192 168 100 163 582 vpn B 10 25 1 2 161 76 Each line in the command s output corresponds to a single connection The fields shown are State This indicates the state of the connection and is only really relevant to TCP connections where different states apply Some of the possible values are i UDP A UDP pseudo connection ii PING AN ICMP ping connection ...

Page 124: ...ic is detected As soon as any traffic is detected being sent from either end of the connection this value is reset to the default timeout The defaults are controlled by the followed NetDefendOS settings i TCP Idle Lifetime For TCP connections The default value is 262144 seconds ii UDP Idle Lifetime For UDP connections The default value is 130 seconds iii Ping Idle Lifetime For ICMP Ping connection...

Page 125: ...6 5 The dconsole Command The next step is to use the CLI command gw world dconsole This can be abbreviated to gw world dcon The dconsole command provides a list of important events that have occurred during NetDefendOS operation and can help to establish the date time and nature of events leading up to a serious problem occurring The output might look similar like the following Showing diagnose en...

Page 126: ...irewall For this purpose NetDefendOS provides the CLI command pcapdump which not only allows the examination of packet streams entering and leaving interfaces but also allows the filtering of these streams according to specified criteria Only the pcapdump CLI command usage is described in this section but its functions are also duplicated in the Web Interface The packets that are filtered out by p...

Page 127: ...ump command with the interfaces of interest specified 2 If no interface is specified then the capture is done on all interfaces 3 The stop option without an interface specified will halt capture on all interfaces 4 pcapdump prevents capture running more than once on the same interface by detecting command duplication Filter Expressions Seeing all packets passing through a particular interface ofte...

Page 128: ...filter expressions together in order to further refine the packets that are of interest For example we might want to examine the packets going to a particular destination port at a particular destination IP address Compatibility with Wireshark The open source tool Wireshark formerly called Ethereal is an extremely useful analysis tool for examining logs of captured packets The industry standard pc...

Page 129: ...using the default settings with the destination specified as an FQDN gw world traceroute server example com Tracing server example com 10 194 40 247 30 hops max 32 bytes of data Hop RTT RTT RTT Host 1 10 ms 10 ms 10 ms 10 4 16 1 2 10 ms 10 ms 10 ms 10 4 0 2 3 10 ms 0 ms 10 ms 10 194 40 247 Trace complete Here each line of output corresponds to an attempt by traceroute to reach the next router By d...

Page 130: ...ade for each hop gw world traceroute server example com count 1 The default value is 3 size This specifies how large the payload is that is sent The payload is made up of random data gw world traceroute server example com size 128 The default value is 32 nodelay This specifies that each query is to be sent as fast as possible gw world traceroute server example com nodelay The default is that this ...

Page 131: ...ount 2 starthop 3 maxhops 4 Hop RTT RTT Host 3 10 ms 10 ms 10 131 48 2 4 10 ms 10 ms ge1 1 0 617 cty pe3 una se ip tzc net 10 88 215 44 5 10 ms 10 ms te2 1 80 zty p2 sfl se ip tzc net 10 131 143 226 6 120 ms 120 ms 10 82 35 201 Maximum hops reached A complete description of all the command options can be found in the separate CLI Reference Guide 2 6 8 The frags Command IP datagram fragmentation re...

Page 132: ...tate and all matching fragments received will be dropped Unknown This indicates that it has not yet been determined if the packet is to be dropped or accepted Accept This state indicates it has been determined to not drop the packet based on the configured rules This is the opposite of Drop and matching fragments received are accepted Free This indicates a reassembly slot that is available for sta...

Page 133: ...on various aspects of hardware functioning Warning Do NOT conduct tests with live traffic It is important to remember that the selftest command should not be used on a system that is carrying live traffic The command can cause connections and associated data to be lost and the test results themselves will be unreliable Preparing Hardware To ensure the complete reliability of any selftest it is rec...

Page 134: ... Ethernet interface speeds it is necessary to connect interfaces with similar maximum link speeds together in adjacent pairs A switch should not be used Testing should be done on one pair of interfaces at a time For example if the throughput option is to be applied between the If1 and If2 interfaces the command would be gw world selftest interfaces If1 If2 throughput The burnin Option If the burni...

Page 135: ...and D Link servers is encrypted and occurs at the following times Shortly after system startup Once per day following startup Required Prerequisites This feature will only function if all of the following are true NetDefendOS has access to the public Internet The feature has not been disabled by the administrator Log Event Message Generation A log message is generated when an alert is generated fo...

Page 136: ...ven point in time and restore it when necessary The snapshot can be of two types A Configuration Backup This is the entire current NetDefendOS configuration saved into a single file It does not include the installed NetDefendOS version This is useful when restoring only the configuration It is important to create at the minimum a configuration backup on a regular basis so that a configuration can ...

Page 137: ...ystem backup to get a system with the right version and then upload the latest configuration backup If there is a requirement to move to a higher NetDefendOS version an NetDefendOS upgrade can then be performed The Management Interfaces Used Both types of backup configuration and system can be performed either by downloading the file directly from the NetDefend Firewall using SCP Secure Copy or al...

Page 138: ... retain the date since NetDefendOS will read a header in the file to determine what it is Backup and Restore using the Web Interface As an alternative to using SCP the administrator can initiate a backup or restore of the configuration or complete system directly through the Web Interface The example below illustrates how this is done Example 2 37 Performing a Complete System Backup In this exampl...

Page 139: ...uration An alternative to a complete factory reset is only resetting the firewall to its base configuration This means that only the NetDefendOS configuration is reset to its factory default Resetting to the base configuration can be done through the CLI or Web Interface Using the CLI the command is gw world reset configuration Resetting the DFL 260E 860E and 870 To reset the D Link DFL 260E 860E ...

Page 140: ...reases by one for each consecutive interface skipping the management interface The IPv4 address 127 0 0 1 is not used since this is reserved for the loopback interface End of Life Procedures The restore to factory defaults option should also be used as part of the end of life procedure when a NetDefend Firewall is taken out of operation and will no longer be used As part of the decommissioning pro...

Page 141: ...efiles command and all of them have the filetype RC To see all the available language files use the command with no options gw world languagefiles Language files LNG CH RC Chinese The output shows that only the Chinese language file is present To delete a language file use the remove option gw world languagefiles remove LNG CH RC Removing LNG CH RC OK If there are no language files present the fol...

Page 142: ...If the diagnostics and improvements feature is enabled the information returned to D Link by NetDefendOS can be of the following types Anonymous diagnostic reporting This information relates to the static parameters of NetDefendOS and includes the NetDefendOS version number and the version number of any installed databases such as the anti virus or IDP database Anonymous diagnostic reporting plus ...

Page 143: ...nostics and Quality Improvements Messaging This example shows how to disable the diagnostics and quality improvements feature Command Line Interface gw world set Settings DiagnosticSettings EnableDiagnostics No Web Interface 1 Go to System Advanced Settings Diagnostic Settings 2 Disable the setting Anonymous Diagnostics Reporting 3 Click OK Chapter 2 Management and Maintenance 143 ...

Page 144: ...Chapter 2 Management and Maintenance 144 ...

Page 145: ...65 Interfaces page 178 ARP page 221 IP Rules and IP Policies page 228 Application Control page 253 Schedules page 265 Certificates page 268 DNS page 281 3 1 The Address Book 3 1 1 Overview The NetDefendOS Address Book contains named objects representing various types of IP addresses including single IP addresses networks as well as ranges of IP addresses Ethernet MAC addresses can also be defined ...

Page 146: ... Inter Domain Routing CIDR form CIDR uses a forward slash and a digit 0 32 to denote the size of the network as a postfix This is also known as the netmask 24 corresponds to a class C net with 256 addresses netmask 255 255 255 0 27 corresponds to a 32 address net netmask 255 255 255 224 and so on The numbers 0 32 correspond to the number of binary ones in the netmask For example 192 168 0 0 24 IP ...

Page 147: ...g an IP Range This example adds a range of IPv4 addresses from 192 168 10 16 to 192 168 10 21 and names the range wwwservers Command Line Interface gw world add Address IP4Address wwwservers Address 192 168 10 16 192 168 10 21 Web Interface 1 Go to Objects Address Book Add IP4 Address 2 Specify a suitable name for the IP Range for example wwwservers 3 Enter 192 168 10 16 192 168 10 21 as the IP Ad...

Page 148: ...he ARP table with static ARP entries or for other parts of the configuration where symbolic names are preferred over numerical Ethernet addresses When specifying an Ethernet address the format aa bb cc dd ee ff should be used Ethernet addresses are also displayed using this format Example 3 5 Adding an Ethernet Address The following example adds an Ethernet Address object named wwwsrv1_mac with th...

Page 149: ...ferent Subtypes Address Group objects are not restricted to contain members of the same subtype IP host objects can be teamed up with IP ranges IP networks and so on All addresses of all group members are then combined by NetDefendOS effectively resulting in the union of all the addresses For example if a group contains the following two IP address ranges 192 168 0 10 192 168 0 15 192 168 0 14 192...

Page 150: ...sses The all nets IP object is used extensively when configuring of NetDefendOS and it is important to understand its significance 3 1 6 Address Book Folders In order to help organize large numbers of entries in the address book it is possible to create address book folders These folders are just like a folder in a computer s file system They are created with a given name and can then be used to c...

Page 151: ... lookup used by hosts that are affected by those policies The best way to do this is to ensure that NetDefendOS is using the same DNS server as the hosts it is protecting FQDN Address Object Usage Triggers FQDN Resolution NetDefendOS will try to perform the DNS resolution only when a new configuration is deployed and that configuration makes use of an FQDN Address object In other words an FQDN Add...

Page 152: ... will refresh the cache entry by issuing a new DNS query The TTL returned from the DNS server could be very low or even zero For this reason NetDefendOS provides a global DNS setting called Minimum TTL If the TTL returned from a DNS server is less than the value of Minimum TTL the TTL is reset to be the Minimum TTL value There is also a second global DNS setting called Minimum Cache Time This valu...

Page 153: ...object will contain the address for the FQDN server example com It is assumed that a least one DNS server is already configured in NetDefendOS so the FQDN can be resolved to an IP address Command Line Interface gw world add Address FQDNAddress my_fqdn_address1 Address server example com Web Interface 1 Go to Objects Address Book Add FQDN Address 2 Now enter Name my_fqdn_address1 Address server exa...

Page 154: ...ess example_website Address www example com B Drop connections to the site gw world add IPPolicy SourceInterface lan SourceNetwork lan_net DestinationInterface any DestinationNetwork example_website Service all_services Name deny_lan_to_example Action Deny Web Interface A Create the FQDN object for www example com Web Interface 1 Go to Objects Address Book Add FQDN Address 2 Now enter Name example...

Page 155: ... Name deny_lan_to_example Action Deny Source Interface lan Source Network lannet Destination Interface any Destination Network example_website Service all_services 3 Select OK Chapter 3 Fundamentals 155 ...

Page 156: ...this network or addresses from it NetDefendOS Configuration Objects Supporting IPv6 The following objects of NetDefendOS provide IPv6 support The address book Routing tables except switch routes Routing rules IP rules and IP policies excluding some actions The HTTP and LW HTTP ALGs when used with IP rules or IP policies IPv6 Must be Enabled Globally and on Each Interface IPv6 must be explicitly en...

Page 157: ...terfaces Example 3 10 Enabling IPv6 on an Interface This example enables IPv6 on the wan Ethernet interface using the address objects created previously Command Line Interface gw world set Interface Ethernet wan EnableIPv6 Yes IPv6IP wan_ip6 IPv6Network wan_net6 Web Interface 1 Go to Network Interfaces and VPN Ethernet wan 2 Enable the option Enable IPv6 3 Now enter IP Address wan_ip6 Network wan_...

Page 158: ...s option is explained next The Auto Configure Option If the DHCP client option is not enabled on an interface then there is an alternative method for automatically allocating IPv6 addresses to the interface By enabling the Auto Configure IP Address property on an interface NetDefendOS will calculate an IPv6 address using the Extended Unique Identifier EUI 64 algorithm The EUI 64 algorithm requires...

Page 159: ...a catch all object only for all IPv4 addresses Another object all nets6 represents all IPv6 addresses and only IPv6 addresses Furthermore it is not possible to combine all nets all IPv4 addresses with all nets6 in a single Address Group object For example if a DropAll rule is needed as the last catch all rule in an IP rule set two rules are required to catch all IPv4 and IPv6 traffic This is discu...

Page 160: ...w the ICMP error messages in both directions The exception to this is if the MTU is initially set to 1280 which is the minimum MTU supported by IPv6 In this case there is no need for ICMP error messages to be passed since they will not occur IPv6 Neighbor Discovery IPv6 Neighbor Discovery ND is the IPv6 equivalent of the IPv4 ARP protocol When IPv6 is enabled for a given Ethernet interface NetDefe...

Page 161: ...that interface already has IPv6 enabled In addition proxy neighbor discovery for my_ipv6_net needs to be enabled for the If3 interface Command Line Interface First change the CLI context to be the main routing table gw world cc RoutingTable main Add the IPv6 route gw world main add Route6 Network my_ipv6_net Interface If1 ProxyNDInterfaces If3 Lastly return to the default CLI context gw world main...

Page 162: ...ersion of NetDefendOS Management access with any NetDefendOS management interface is not possible using IPv6 IP rules using IPv4 and IPv6 addresses can coexist in the same IP rule set but a single rule cannot combine IPv4 and IPv6 IPv6 addresses are not currently supported in IP rules with the following actions i NAT ii SAT iii SLB SAT iv Multiplex SAT Routes using IPv4 and IPv6 addresses can coex...

Page 163: ... object This is described further in Section 3 4 8 6in4 Tunnels Using Neighbor Discovery Advanced Settings This section will look more closely at configuring Neighbor Discovery ND for IPv6 In particular it examines the NetDefendOS neighbor discovery cache Neighbor discovery handling in NetDefendOS resembles ARP handling in that a cache is maintained in local memory of IPv6 hosts retaining informat...

Page 164: ... experienced this setting should be given the value AcceptLog This can help identify if the cause is the same IPv6 address moving between hardware Ethernet addresses NDCacheSize The neighbor discovery cache provides higher traffic throughput speeds by reducing neighbor discovery traffic and the time required to process this traffic The size of the cache can be adjusted with this setting to suit pa...

Page 165: ...nce an ALG is associated with a service and not directly with an IP rule For IP rules the service is how an ALG becomes associated with an IP rule An ALG is associated with a service and not directly with an IP rule For more information on how service objects are used with IP rules see Section 3 6 IP Rules and IP Policies For IP policies there is no reason to use an ALG at all since all the ALG op...

Page 166: ...able on an IP Policy object they are associated with In the case of an upgrade from a NetDefendOS version prior to 11 01 the administrator can create these new versions of services by simply setting the Protocol property of the Service object to the correct value The service can then then be used with an IP policy as though it was a new installation of NetDefendOS This topic is is also discussed i...

Page 167: ...ting Custom Services If the list of predefined NetDefendOS service objects does not meet the requirements for certain traffic then a new service can be created Reading this section will explain not only how new services are created but also provides an understanding of the properties of predefined services The Type of service created can be one of the following TCP UDP Service A service based on t...

Page 168: ...me describing the service the object contains information about what protocol TCP UDP or both and what source and destination ports are applicable for the service Specifying Port Numbers Port numbers are specified with all types of services and it is useful to understand how these can be entered in user interfaces They can be specified for both the Source Port and or the Destination Port of a serv...

Page 169: ...ctive connections property allows such ICMP messages to be automatically passed back to the requesting application In some cases it is useful that the ICMP messages are not dropped For example if an ICMP quench message is sent to reduce the rate of traffic flow On the other hand dropping ICMP messages increases security by preventing them being used as a means of attack Enable IPv4 Path MTU Discov...

Page 170: ...t the predefined service http all includes the DNS protocol It does not so the predefined service dns all is usually also required for most web surfing This could be included in a group with http all and then associated with the IP rules that allow web surfing Restrict Services to the Minimum Necessary When choosing a service object to construct a policy such as an IP rule the protocols included i...

Page 171: ...er all ICMP message types can be accepted by a service there are 256 possible types or it is possible to filter the types Specifying Codes If a type is selected then the codes for that type can be specified in the same way that port numbers are specified For example if the Destination Unreachable type is selected with the comma delimited code list 0 1 2 3 then this will filter Network unreachable ...

Page 172: ...ion transport layer functions can be uniquely identified by IP protocol numbers IP can carry data for a number of different protocols These protocols are each identified by a unique IP protocol number specified in a field of the IP header For example ICMP IGMP and EGP have protocol numbers 1 2 and 8 respectively Similar to the TCP UDP port ranges described previously a range of IP protocol numbers...

Page 173: ...es the group Suppose that we create a service group called email services which combines the three services objects for SMTP POP3 and IMAP Now only one IP rule needs to be defined that uses this group service to allow all email related traffic to flow Groups Can Contain Other Groups When a group is defined then it can contain individual services and or service groups This ability to have groups wi...

Page 174: ...servers to which clients connect 3 3 7 Path MTU Discovery Overview Path MTU Discovery also shortened to just MTU discovery in this section is a method by which the MTU size of either IPv4 or IPv6 packets sent across the Internet can be adjusted to meet the MTU limits of traversed network equipment and thus avoiding the need for fragmentation When a packet exceeds a piece of network equipment s nex...

Page 175: ...can only be enabled after the first property is enabled The IP rule or IP policy with which the service is used can be of any type except a FwdFast rule MTU Discovery Processing To illustrate a typical path MTU discovery message exchange consider a client computer trying to connect to a server via a NetDefend Firewall and the public Internet as well as a router This is shown in the diagram below F...

Page 176: ... of network equipment will be fragmented In most cases this will only cause a degradation in performance However explicitly enabling path MTU discovery on a Service object will override the Strip Don t Fragment setting and so it does not need to be changed for MTU discovery Note Not enabling MTU discovery can cause problems Disabling path MTU discovery can have unintended side effects If the forwa...

Page 177: ...P UDP service 2 Enter the following Name my_http_pmd_service Type TCP Destination Port 80 443 Enable Forward ICMP Errors Enable Enable IPv4 Path MTU Discovery Next modify the NAT IP rule to use the new service 1 Go to Policies Firewalling Main IP Rules 2 Select the IP rule called int_to_ext_http 3 Go to Service 4 Select my_http_pmd_service from the Service list 5 Click OK Chapter 3 Fundamentals 17...

Page 178: ...sed when NetDefendOS itself is the source or destination for traffic Interface Types NetDefendOS supports a number of interface types which can be divided into the following four major groups Ethernet Interfaces Each Ethernet interface represents a physical Ethernet interface on a NetDefendOS based product All network traffic that originates from or enters a NetDefend Firewall will pass through on...

Page 179: ...ugh the loopback interface configured as the one to loop to These are almost exclusively used for Virtual Routing scenarios More information about this topic can be found in Section 3 4 9 Loopback Interfaces All Interfaces are Logically Equivalent Even though the different types of interfaces may be very different in the way they function NetDefendOS treats all interfaces as logically equivalent T...

Page 180: ...ial cable Using the CSMA CD protocol each Ethernet connected device listens to the network and sends data to another connected device when no other is sending If 2 devices broadcast simultaneously algorithms allow them to re send at different times Note Usage of the terms interface and port The terms Ethernet interface and Ethernet port can be used interchangeably In this document the term Etherne...

Page 181: ...s recommended to tag the corresponding physical interface with the new name Note Interface enumeration The startup process will enumerate all available Ethernet interfaces Each interface will be given a name of the form lanN wanN and dmz where N represents the number of the interface if the NetDefend Firewall has more than one of these interfaces In most of the examples in this guide lan is used f...

Page 182: ...es the multicast IP address range 224 0 0 0 239 255 255 255 For more information about this topic see Section 4 7 Multicast Routing Receive Multicast Traffic This option controls the reception of multicast IP packets on that interface There are three options i Off Promiscuous mode is switched off so that multicast packets are silently dropped Promiscuous mode will still be automatically switched o...

Page 183: ...o NetDefendOS address objects with the names interface name _dns1 and interface name _dns2 Note A gateway IP cannot be deleted with DHCP enabled If DHCP is enabled for a given Ethernet interface then any gateway IP address for example the address of an ISP that is defined for that interface cannot be deleted To remove the gateway address the DHCP option must be first disabled If DHCP is enabled th...

Page 184: ...the above is to insert the route for this interface into only a specific routing table The specified routing table will be used for all route lookups unless overridden by a routing rule Automatic Route Creation Routes can be automatically added for the interface This addition can be of the following types i Add a route for this interface for the given network This is enabled by default ii Add a de...

Page 185: ...omatically by NetDefendOS to Promiscuous as shown in the CLI example below note that the output is truncated here gw world ifstat If1 Iface Ïf1 Builtin e1000 Gigabit Ethernet Bus 0 Slot 4 Port 0 IRQ 0 Media Autonegotiated Link Status 100 Mbps Full Duplex Receive Mode Promiscuous Changing the IP address of an Ethernet Interface To change the IP address on an interface we can use one of two methods ...

Page 186: ...ll as the Ethernet driver being used These details are not relevant to the logical interface object associated with the physical interface 3 4 2 1 Useful CLI Commands for Ethernet Interfaces This section summarizes the CLI commands most commonly used for examining and manipulating NetDefendOS Ethernet interfaces Ethernet interfaces can also be examined through the Web Interface but for some operat...

Page 187: ...s IP4Address InterfaceAddresses wan_ip Address 172 16 5 1 Modified IP4Address InterfaceAddresses wan_ip Enabling DHCP The CLI can be used to enable DHCP on the interface gw world set Interface Ethernet wan DHCPEnabled yes Modified Ethernet wan Ethernet Device Commands Some interface settings provide direct management of the Ethernet settings themselves These are particularly useful if D Link hardw...

Page 188: ...set EthernetDevice lan EthernetDriver IXP4NPEEthernetDriver PCIBus 0 PCISlot 0 PCIPort 2 This command is useful when a restored configuration contains interface names that do not match the interface names of new hardware By assigning the values for bus slot port and driver of a physical interface to a logical interface in the configuration the logical interface is mapped to the physical interface ...

Page 189: ...in the assigned network Default Enabled DHCP_MinimumLeaseTime Minimum lease time seconds accepted from the DHCP server Default 60 Hardware Settings Below is a list of the advanced hardware settings that are available for NetDefendOS Ethernet interfaces These settings are only relevant to NetDefendOS running on non D Link hardware Ringsize_e1000_rx Size of the rx buffer on e1000 cards Default 64 Ri...

Page 190: ...ngs Below is a list of the monitor settings that are available for NetDefendOS Ethernet interfaces IfaceMon_e1000 Enable interface monitor for e1000 interfaces Default Enabled IfaceMon_BelowCPULoad Temporarily disable ifacemon if CPU load goes above this percentage Default 80 IfaceMon_BelowIfaceLoad Temporarily disable ifacemon on and interface if network load on the interface goes above this perc...

Page 191: ... Example Use Case An example use case is where a NetDefend Firewall might only have multiple one Gigabit Ethernet interfaces but the requirement for a particular traffic flow is bandwidth of three Gigabits A logical Link Aggregation object could then be created which combines the capacities of three physical interfaces This object can then be used in the NetDefendOS configuration like any other in...

Page 192: ...wing are the requirements for the physical Ethernet interfaces associated with a LinkAggregation configuration object in NetDefendOS A maximum of 16 physical interfaces can be aggregated using one LinkAggregation configuration object All the physical interfaces must operate at the same link speed All the physical interfaces must be connected to the same external switch Configuring the Mode The Lin...

Page 193: ...rlying configuration is not changed For example the following will be true Any IP rules that refer to an aggregated interface will be ignored in rule searches Any routes that refer to an aggregated interface will be ignored in route searches The ignored routes will still appear in output from the CLI command show routes but will not appear in the CLI command routes Removing Individual Routing Refe...

Page 194: ...d This means that all packets for a given connection will be sent on the same physical interface The chosen interface for the connection would then only subsequently change if the chosen mode was dynamic and the connection fails The Default IP and Ports Distribution Method The default distribution method is IP and Ports and this takes into account both the source and destination IP address as well...

Page 195: ...is connecting is capable of a link negotiation Command Line Interface gw world add Interface LinkAggregation la_if1_if2 Mode LACP IP la_if1_if2_ip Network la_if1_if2_net DistributionAlgorithm DestinationIP Web Interface 1 Go to Network Interfaces and VPN Link Aggregation Add Link Aggregation 2 Enter the following Name la_if1_if2 Distribution Algorithm DestinationIP Mode LACP IP address IPv4 la_if1...

Page 196: ...dentify the specific Virtual LAN to which each frame belongs With this mechanism Ethernet frames can belong to different Virtual LANs but can still share the same physical Ethernet link The following principles are followed when NetDefendOS processes VLAN tagged Ethernet frames at a physical interface Ethernet frames received on a physical interface by NetDefendOS are examined for a VLAN ID If a V...

Page 197: ...to the switches Switch1 and Switch2 are VLAN trunks Other ports on the switch that connect to VLAN clients are configured with individual VLAN IDs Any device connected to one of these ports will then automatically become part of the VLAN configured for that port In Cisco switches this is called configuring a Static access VLAN On Switch1 in the illustration above one interface is configured to be ...

Page 198: ...60E Port Based VLAN The VLAN processing overhead for these LAN interfaces is performed by the switch fabric that connects these interfaces and not by NetDefendOS This allows the interfaces to be divided up into a number of different VLANs This feature is referred to as Port Based VLAN It is important to understand that the administrator should treat a VLAN interface just like a physical interface ...

Page 199: ... VLANs inside a single parent VLAN This is sometimes referred to as a Q in Q VLAN or a Stacked VLAN In NetDefendOS it is called a Service VLAN and follows the standard defined by IEEE 802 1ad It can be said that a service LAN tunnels other VLANs and provides a convenient method of using a single logical connection on a single Ethernet interface through which multiple VLANs can flow A Service VLAN ...

Page 200: ...for the object is set to 0x88a8 This Type property corresponds to the TPID setting in the VLAN tag and this is explained further at the end of this section After the service VLAN object is defined a non service VLAN object can be placed inside it by setting its Base Interface property to be the service VLAN object This is demonstrated in the example below Example 3 22 Defining a Service VLAN This ...

Page 201: ...2 Now enter Name vlan1 Base Interface svlan_A VLANID 1 IP Address vlan1_ip Network vlan1_net 3 Click OK Important Enable jumbo frame support in the network For optimum performance it is recommended to enable jumbo frame support in the external network equipment which handles service VLAN traffic This is because service VLAN traffic will use an Ethernet MTU value that exceeds the standard size of 1...

Page 202: ...on local interface such as a single DSL line wireless device or cable modem All the users on the Ethernet share a common connection while access control can be done on a per user basis Internet server providers ISPs often require customers to connect through PPPoE to their broadband service Using PPPoE the ISP can Implement security and access control using username password authentication Trace I...

Page 203: ...DefendOS receives this IP address information from the ISP it stores it in a network object and uses it as the IP address of the interface User authentication If user authentication is required by the ISP the username and password can be setup in NetDefendOS for automatic sending to the PPPoE server Dial on demand If dial on demand is enabled the PPPoE connection will only be up when there is traf...

Page 204: ...nnected with the way IP addresses are shared in a NetDefendOS high availability cluster PPPoE will not operate correctly It should therefore not be configured with HA Example 3 23 Configuring a PPPoE Client This example shows how to configure a PPPoE client on the wan interface with traffic routed over PPPoE CLI gw world add Interface PPPoETunnel PPPoEClient EthernetInterface wan Network all nets ...

Page 205: ...an IPv4 network Where a UDP data stream is to be multicast and it is necessary to transit through a network device which does not support multicasting GRE allows tunneling through the network device GRE Security and Performance A GRE tunnel does not use any encryption for the communication and is therefore not in itself secure Any security must come from the protocol being tunneled The advantage o...

Page 206: ...ng options are used as with any other interface such as an Ethernet interface see Section 3 4 2 Ethernet Interfaces The routing tables specified here apply to the traffic carried by the tunnel and not the tunnel itself The route lookup for the tunnel itself is specified in the earlier option Outgoing Routing Table The Advanced settings for a GRE interface are Add route dynamically This option woul...

Page 207: ...n Example of GRE Usage Any traffic passing between A and B is tunneled through the intervening network using a GRE tunnel Since the network is internal and not passing through the public Internet there is no need for encryption Part 1 Setup for NetDefend Firewall A Assuming that the network 192 168 10 0 24 is lannet on the lan interface the steps for setting up NetDefendOS on A are 1 In the addres...

Page 208: ...RE 192 168 0 2 2 Create a GRE Tunnel object called GRE_to_A with the following parameters IP Address ip_GRE Remote Network remote_net_A Remote Endpoint remote_gw Use Session Key 1 Additional Encapsulation Checksum Enabled 3 Define a route in the main routing table which routes all traffic to remote_net_A on the GRE_to_A GRE interface This is not necessary if the option Add route for remote network...

Page 209: ...the public Internet Tunnel servers are provided by Tunnel Brokers which are third party organizations that either charge for server use or provide the service for free In some cases an ISP may also offer this service Prerequisite Tunnel Broker Information Before being able to configure a NetDefendOS 6in4 Tunnel object to an external tunnel server the tunnel broker owning the server will provide th...

Page 210: ...kup of this property In most cases the default route to the public Internet will be looked up and the interface will be the Ethernet interface connected to an ISP IP Address This is the local IPv6 address inside the tunnel It may be provided by the tunnel broker in which case it can be pinged to establish if the tunnel is alive If this is the case then the appropriate NetDefendOS IP rule or policy...

Page 211: ...ing table This can be changed to be a specific routing table The route for the Remote Network property of the tunnel is also added by default to all routing tables including the main table This can also be changed so that the addition is made to a specific routing table MTU resizing The MTU used by the protected IPv6 clients should not be too large since this will result in excessive fragmentation...

Page 212: ...d be a router a server with appropriate software or a NetDefend Firewall set up as described previously To set up NetDefendOS to provide this tunnel server function the following configuration components are required A 6in4 Tunnel object for each tunnel that will connect carrying the IPv6 traffic of remote hosts An all net6 route for an interface that is connected to an ISP gateway that supports I...

Page 213: ...eived on the LB2 interface with the transfer occurring virtually entirely within NetDefendOS Similarly when traffic is sent through LB2 it is received on LB1 This is exactly the same as if the two interfaces were two physical Ethernet interfaces which are connected to each other IPv6 can be used with a Loopback Interface Loopback interfaces can be used with both IPv4 and IPv6 traffic A Loopback In...

Page 214: ...even if IPv4 is not going to be used in the loopback setup One of two options can then be selected depending on how the loopback interface is to be used with routing tables Make the interface a member of all routing tables Traffic arriving on this loopback interface will be routed according to the main routing table A route for this loopback interface s IP address will be inserted automatically in...

Page 215: ...NetDefend Firewall like the one below that has one protected local network called LAN1 The route to this network is contained in a single routing table called RT1 which is isolated from all other routing tables with its Ordering parameter set to Only Figure 3 8 A Use Case for Loopback Interfaces The firewall is also connected to the Internet but the all nets route to the Internet is in a totally s...

Page 216: ...s sent through loopback interface LB1 will automatically arrives at its partner LB2 Because LB2 is a member of the routing table RT2 that contains the all nets route traffic can be successfully routed to the Internet However two additions are still needed i An IP rule needs to be defined which allows traffic to flow from LB2 to the Internet This could be in the same IP rule set as the previous rul...

Page 217: ...IPv4 address 127 0 5 1 24 and network 127 0 5 0 24 Traffic routed by the RT1 table into the LB1 interface will now exit on the LB2 interface and be then routed using the RT2 routing table Command Line Interface A Create the first loopback interface gw world add Interface LoopbackInterface LB1 IP 127 0 5 1 Network 127 0 5 0 24 MemberOfRoutingTable RT1 B Create the second loopback interface gw world...

Page 218: ...interface in NetDefendOS rules where connections might need to be moved between two interfaces For example the interface might change with route failover or OSPF If a connection is moved from one interface to another within a group and Security Transport Equivalent is enabled NetDefendOS will not check the connection against the NetDefendOS rule sets with the new interface With the option disabled...

Page 219: ...ansparent mode enabled L2TPv3 interfaces in a NetDefendOS configuration do not have a property for enabling transparent mode so this does not need to be enabled first before enabling DHCP or non IP protocol passthrough As shown in the example below pass through can be enabled separately or together for the following Example 3 27 Enabling Layer 2 Pass Through This example enables transparent mode a...

Page 220: ... Enable DHCP passthrough Enable L2 passthrough for non IP protocols 4 Click OK Chapter 3 Fundamentals 220 ...

Page 221: ...in the local network receives this packet The host with the specified destination address sends an ARP reply packet to the originating host with its MAC address 3 5 2 The ARP Cache The ARP Cache in network equipment such as switches and firewalls is an important component in the implementation of ARP It consists of a dynamic table that stores the mappings between IP addresses and Ethernet MAC addr...

Page 222: ... show ARP cache of iface lan Dynamic 10 4 0 1 1000 0000 4009 Expire 196 Dynamic 10 4 0 165 0002 a529 1f65 Expire 506 Flushing the ARP Cache If a host in a network is replaced with new hardware and retains the same IP address then it will probably have a new MAC address If NetDefendOS has an old ARP entry for the host in its ARP cache then that entry will become invalid because of the changed MAC a...

Page 223: ...P replies for ARP requests received on the interface for the published IP addresses This feature is referred to in NetDefendOS as ARP Publish Usage ARP publish may be used for a variety of reasons such as the following To give the impression that an interface in NetDefendOS has more than one IP address This is useful if there are several separate IP spans on a single LAN The hosts on each IP span ...

Page 224: ... devices but rather for telling NetDefendOS itself how to reach external devices A static ARP entry tells NetDefendOS that a specific IP address can be reached through a specific interface using a specific MAC address This means that when NetDefendOS wants to communicate with the address it consults the ARP table static entries and can determine that it can be reached at a specific MAC address on ...

Page 225: ...hernet frame In rare cases some network equipment will require that both MAC addresses in the response 1 and 2 above are the same In this case XPublish is used since it changes both MAC addresses in the response to be the published MAC address In other words XPublish lies about the source address of the ARP response If a published MAC address is the same as the MAC address of the physical interfac...

Page 226: ...bject name ARPNDSettings Multicast and Broadcast ARP requests and ARP replies containing multicast or broadcast addresses are usually never correct with the exception of certain load balancing and redundancy devices which make use of hardware layer multicast addresses The default behavior of NetDefendOS is to drop and log such ARP requests and ARP replies This can however be changed by modifying t...

Page 227: ... advanced setting Static ARP Changes can modify this behavior The default behavior is that NetDefendOS will allow changes to take place but all such changes will be logged A similar issue occurs when information in ARP replies or ARP requests could collide with static entries in the ARP cache This should not be allowed to happen and changing the setting Static ARP Changes allows the administrator ...

Page 228: ... of the packet belongs This might be a NetDefendOS IP object which could define a single IP address or range of addresses Service The protocol type to which the packet belongs Service objects define a protocol port type Examples are HTTP and ICMP Service objects also define any ALG which is to be applied to the traffic NetDefendOS provides a large number of predefined service objects but administr...

Page 229: ...ed in Section 10 1 Traffic Shaping Policy based Routing Rules These rules determine the routing table to be used by traffic and are described in Section 4 3 Policy based Routing The network filter for these rules can be IPv4 or IPv6 addresses but not both in a single rule Authentication Rules These determine which traffic triggers authentication to take place source net interface only and are desc...

Page 230: ...y NetDefendOS itself do not need an explicit IP rule or IP policy because they are allowed by default For this reason the interface core is not used as the source interface Such connections include those needed to connect to the external databases needed for such NetDefendOS features as IDP and dynamic web content filtering The Service can be specified as all_services which includes all possible p...

Page 231: ...leave in order to reach their destination A second route must also exist that indicates the source of the traffic is found on the interface where the packets enter An IP rule or IP policy in a NetDefendOS IP rule set which specifies the security policy that allows the packets from the source interface and network bound for the destination network to leave the NetDefend Firewall on the interface de...

Page 232: ...he opening connection subsequent packets belonging to that connection will not need to be evaluated individually against the rule set Instead a much faster search of the state table is performed for each packet to determine if it belongs to an established connection This approach to packet processing is known as stateful inspection and is applied not only to stateful protocols such as TCP but is a...

Page 233: ...When an IP rule is triggered by a match then one of the following Actions can occur Allow The packet is allowed to pass As the rule is applied to only the opening of a connection an entry in the state table is made to record that a connection is open The remaining packets related to this connection will pass through the NetDefendOS stateful engine FwdFast Let the packet pass through the NetDefend ...

Page 234: ...ber as traffic flows through NetDefendOS Logging When an IP Rule or IP Policy object is created the default is that logging is enabled This means that a log message is generated whenever either is triggered This behavior can be altered by disabling logging on the individual rule or policy object Bi directional Connections A common mistake when setting up IP Rules is to define two rules one rule fo...

Page 235: ...information about this topic IP rule lookup speed can be increased for very large rule sets This is done by breaking down a large rule set into several smaller ones A Goto rule can then be used to jump to a new rule set for a given type of traffic and a Return rule can be used to jump back to the original rule set if no other rule set entry triggers Once a new IP rule set is created IP rules and o...

Page 236: ... rule look up only when the triggering rule or policy in main is a Goto rule A Goto rule must have another administrator defined IP rule set associated with it and if the traffic matches that Goto rule then the rule look up jumps to the beginning of the new rule set If the search in the new rule set finds no match then the connection is dropped If a match is found in the new rule set then the matc...

Page 237: ...les the speed of rule set lookup can become impaired and this can degrade the overall throughput of the firewall Typical symptoms of this can be Consistently high CPU loads in the firewall Unusually long loading times for Web Interface pages which is a result of high CPU loads The solution is to break up a large rule set and move rules into several new rule sets Typically each new rule set will co...

Page 238: ...ta The optimum size of any rule set can only be determined on a case by case basis However a rule of thumb that can be applied is to not allow any rule set exceed a thousand entries Above that number using Goto rules should be considered to help in speeding up rule set processing Example 3 32 Adding a Goto Rule In this example a Goto rule is added to the end of the IP rule set main so that all tra...

Page 239: ...always return rule set scanning to the entry immediately following the last executed Goto Example 3 33 Adding a Return Rule In this example a Return rule is added to the end of the administrator defined IP rule set dmz_rules It will be applicable to all traffic so if it is encountered processing will return to the rule set entry following the last executed Goto rule Command Line Interface Change t...

Page 240: ...lders is simply a way for the administrator to conveniently divide up IP rule set entries and no special properties are given to entries in different folders NetDefendOS continues to see all entries as though they were in a single set of IP rules The folder concept is also used by NetDefendOS in the address book where related IP address objects can be grouped together in administrator created fold...

Page 241: ... to gather together and color code configuration objects under a specified title text so their relationships are more easily understood when they are displayed in a NetDefendOS graphical user interface Unlike folders they do not require each folder to be opened for individual objects to become visible Instead all objects in all groupings are visible at once Object groups can be used not only for a...

Page 242: ...in this example show just the first few columns of the object properties If it is desirable to create an object group for the two IP rules for web surfing this is done with the following steps Select the first object to be in the new group by right clicking it Select the New Group option from the context menu A group is now created with a title line and the IP rule as its only member The default t...

Page 243: ...en for the group The color can be selected from the 16 predefined color boxes or entered as a hexadecimal RGB value In addition when the hexadecimal value box is selected a full spectrum color palette appears which allows selection by clicking any color in the box with the mouse In this example we might change the name of the group to be Web surfing and also change the group color to green The res...

Page 244: ...n IP rule is within a group the context of move operations becomes the group For example right clicking a group object and selecting Move to Top will move the object to the top of the group not the top of the entire table Moving Groups Groups can be moved in the same way as individual objects By right clicking the group title line the context menu includes options to move the entire group For exam...

Page 245: ...ffic One of the traffic filtering options is to specify the location in the world where the traffic is coming from or going to Using FQDN Address objects for the source or destination network These are described further in Section 3 1 7 FQDN Address Objects IP Policies Can Simplify Configuration IP policies can be used is to hide the complexities of IP rules For example a NAT policy might require ...

Page 246: ...eated and associated with the policy In addition a Service object must be used that has the Protocol property set to HTTP A Web Profile object can have one or more URL Filter objects defined as children objects Each URL Filter can specify a URL or set of URLs wildcarding is allowed that are on a blacklist or whitelist iv Application Control Application control is enabled directly on an IP Policy A...

Page 247: ...ing CLI command gw world rules Usually the administrator never needs to be aware of the IP rules that are used to implement an IP policy Example 3 35 Setting up a Policy to Allow Connections to a DMZ In this example new HTTP connections will be allowed from the internal lan_net network on the lan interface to the network dmz_net on the dmz interface Command Line Interface gw world add IPPolicy Sou...

Page 248: ...etwork wan_ip Service http all 3 Select Address Translation 4 Select the SAT option 5 Enter the web server s IP address for New IP Geolocation An additional traffic filtering option that is only available in NetDefendOS IP Policy objects is Geolocation This feature allows filterering of IPv4 and IPv6 addresses for the traffic source and or destination according to its geographic association Some I...

Page 249: ... 0 0 0 172 16 0 0 12 192 168 0 0 16 and the IPv6 network fd00 8 Although this option is not directly related to geolocation and could be implemented through address book it is provided as a convenience ii Match Unclassified Networks This will match any IP address that is public but does not has a known country association Tip A web interface flag icon indicates geolocation is set In the IP rule se...

Page 250: ...lter hackerland_filter Web Interface A Create the GeolocationFilter object 1 Go to Policies Firewalling Geolocation Filter Add Geolocation Filter 2 Now enter Name hackerland_filter Add the country Hackerland to the Selected list Enable Match unclassified networks 3 Click OK B Next create the IP Policy object that uses this filter 1 Go to Policies Firewalling Add IP Policy 2 Now enter Name drop_hac...

Page 251: ...ed with a Stateless Policy Note By default logging is enabled for a Stateless Policy Like other types of policy logging is enabled by default for a Stateless Policy object Unfortunately this means that a log message will be generated for each packet that triggers the rule This is usually undesirable so it is better to disable logging on the policy Example 3 38 Creating a Stateless Policy In this e...

Page 252: ...lan_to_dmz Action Allow Source Interface lan Source Network lannet Destination Interface dmz Destination Network dmznet Service all_tcp 3 Select OK Allow stateless TCP flow from dmznet to lannet 1 Go to Policies Firewalling Add Stateless Policy 2 Now enter Name stateless_dmz_to_lan Action Allow Source Interface dmz Source Network dmznet Destination Interface lan Destination Network lannet Service ...

Page 253: ...ssociating an Application Rule Set with an IP Rule or IP Policy object This is the recommended method of using application control and provides more flexible ways to handle the data flows associated with applications An Application Rule Set is first created which defines how an application is to be handled then one or more Application Rule objects are added to it The entire rule set is then associ...

Page 254: ... rule in this case Allow_Comp 3 Now enter Action Allow Service all_services Source Interface lan Source Network lannet Destination Interface all Destination Network all nets 4 Go to the Application Control tab and enter the following Application Control Enable Use Manual Configuration Enable Application Action Deny Using the Add button select yahoo_groups and google_groups from the application def...

Page 255: ... available in NetDefendOS Authentication Rule objects including Identity Awareness If no groups or usernames are specified in an Application Rule object authentication is ignored Traffic Shaping Settings Predefined NetDefendOS Pipe objects can be associated with the rule so the bandwidth limit specified by pipe objects can be placed on the either direction of data flow or both This feature therefo...

Page 256: ...d that all clients on the local network that access the Internet must be authenticated Command Line Interface First the appcontrol command is used to create a filter for BitTorrent This should also include the uTP protocol gw world appcontrol filter application bittorrent utp save_list Assume that this filter list is the third filter list created and is therefore assigned the list number 3 All fil...

Page 257: ...on to Allow 4 Click OK Next define an Application Rule as a child 1 Go to Policies Firewalling Application Rule Sets bt_app_list Add Application Rule 2 Select Allow for the Action 3 Enable Application Control and add the signatures bittorrent and utp both are required for BitTorrent 4 Select Authentication Settings and enter the group name rogue_users 5 Select Traffic Shaping Settings and move the...

Page 258: ...abled for the relevant Application Rule Set object This will force application control to evaluate the entire protocol structure before making a decision on the protocol type Changing the Maximum Unclassified Packets The NetDefendOS application control subsystem processes a connection s data flow until it decides if a connection is unclassifiable or not The maximum amount of data processed to make...

Page 259: ...policies in a rule set that are using deep content control then all policies may need to perform the same filtering since a higher policy in the rule set might trigger before a lower one For example if only the Chrome browser is being allowed all IP policies using application content control should test if the HTTP user agent is Chrome Example 3 41 Application Content Control This example shows ho...

Page 260: ... any version of Firefox since the agent field always contains this string Extended Logging When using application content control it is possible to enable logging for different content This means that special log messages will be generated by NetDefendOS when the rule triggers on a configured piece of content For example if the user_agent in application content has logging enabled and the Allow Se...

Page 261: ...6 Open the Web node and choose Facebook 7 Press the Select button to close the filter dialog Define an Application Content filter 1 Select the Content Control tab 2 For Chat set Action to be Deny and Log to be Log 3 Click OK Lastly associate this Application Rule Set with the appropriate IP Policy that triggers on the relevant traffic as shown in an earlier example Data Leakage Can Occur Applicati...

Page 262: ...al These families consist of the individual definitions For example to view the two definitions in the compression family use the command gw world appcontrol compression compression Compression ccp comp 2 application s To view a single definition the individual name can be used without the family For example to display the comp definition within the compression family gw world appcontrol comp comp...

Page 263: ...d filters can be deleted with the command gw world appcontrol delete_lists all Individual saved filters can be deleted by specifying the number of the filter after delete_lists Selecting All Signatures If the administrators aim is to find out what applications users are accessing application control can be used to do this by triggering on all signatures and allowing instead of blocking the traffic...

Page 264: ...tes news portals Application Control Subscription Expiry As mentioned previously application control requires a subscription to be purchased for the feature to function If the subscription expires the following will happen if application control has been configured on any IP Policy objects A console message is generated at system startup or on reconfiguration to indicate subscription expiry Applic...

Page 265: ... user interface display and as a reference to the schedule from other objects Scheduled Times These are the times during each week when the schedule is applied Times are specified as being to the nearest hour A schedule is either active or inactive during each hour of each day of a week Start Date If this option is used it is the date after which this schedule object becomes active End Date If thi...

Page 266: ...s schedule gw world add IPRule Action NAT Service http SourceInterface lan SourceNetwork lannet DestinationInterface any DestinationNetwork all nets Schedule OfficeHours name AllowHTTP Configuration changes must be saved by then issuing an activate followed by a commit command Web Interface 1 Go to Policies Schedules Add Schedule 2 Enter the following Name OfficeHours 3 Select 08 17 Monday to Frid...

Page 267: ... SourceNetwork lannet DestinationInterface any DestinationNetwork all nets 4 Click OK Chapter 3 Fundamentals 267 ...

Page 268: ...wing A public key The identity of the user such as name and user ID Digital signatures that verify that the information enclosed in the certificate has been verified by a CA By binding the above information together a certificate is a public key with identification attached coupled with a stamp of approval by a trusted party Certificates in NetDefendOS A certificate is stored in a NetDefendOS conf...

Page 269: ...is stored on the firewall Local certificates can be signed or unsigned They always consist of two files A public key file with the filetype cer and a private key file with the filetype key ii Remote This is the type for remote certificates which have the public key file residing locally in NetDefendOS and the private key file present on a CA server Often the certificate is a CA signed root certifi...

Page 270: ...CRL checking if it is enabled This feature is described further in Section 3 9 3 CRL Distribution Point Lists Creating Certificates Objects in NetDefendOS A Certificate configuration object is used for defining a logical certificate in NetDefendOS When such an object is added it acts as a holder for associated certificate files Certificate files are associated with a certificate object in one of t...

Page 271: ...o need to be loaded into NetDefendOS This is just a single cer file containing the public key of the CA Self signed certificates will not have a corresponding root certificate Certificate Chains A CA can also issue certificates to other CAs This can lead to a chain like certificate hierarchy Each certificate in the chain is signed by the CA of the certificate directly above it in the chain The cer...

Page 272: ...or several reasons One reason could be that the keys of the certificate have been compromised in some way or perhaps that the owner of the certificate has lost the rights to authenticate using that certificate perhaps because they have left the company Whatever the reason server CRLs can be updated to change the validity of one or many certificates Certificates will usually contain a CRL Distribut...

Page 273: ...point is defined as an FQDN for example caserver example com which must be resolved to an IP address using a public DNS server At least one DNS server that can resolve this FQDN should therefore be defined in NetDefendOS The CRL distribution point can be contained in the certificate but NetDefendOS provides the ability to associate alternative CRL distribution points a certificate This is describe...

Page 274: ...icates A Remote Certificate is issued by a CA authority and consists of just a single file with a filetype of cer and this is the public key The private key is kept on the CA server The NetDefendOS upload procedure consists of uploading this one file Example 3 44 Uploading a Certificate with the Web Interface In this example one or more certificate files stored on the management workstation comput...

Page 275: ...e Once the association is made between a certificate and a CDPL all CRL lookups for that certificate are done using the entries in the associated CDPL The first entry in the associated list is tried first and if that fails the second is tried and so on It does not matter if the certificate has its own embedded CDPL or not the CDPL associated with it in NetDefendOS will always be used In the case o...

Page 276: ...ange the CLI context back to the default gw world my_cdpl cc gw world B Associate the distribution point list with the certificate gw world set Certificate my_cert CRLDistPointList my_cdpl Web Interface A Configure the distribution point list 1 Go to Objects CRL Distribution Point Lists 2 Select Add CRL Distribution Point List 3 For Name enter my_cdpl 4 Select CRL Distribution Points 5 Select Add ...

Page 277: ...ss it is explicitly registered It also will not be known to an internal network unless it is registered on an internal DNS server Access Considerations The following considerations should be taken into account for CA server access to succeed Either side of a VPN tunnel may issue a validation request to a CA server For a certificate validation request to be issued the FQDN of the certificate s CA s...

Page 278: ...servers will resolve the FQDN The only requirement is that NetDefendOS will need to have at least one public DNS server address configured to resolve the FQDNs in the certificates it receives It must be also possible for an HTTP PUT request to pass from the validation request source either the NetDefend Firewall or a client to the CA server and an HTTP reply to be received If the request is going ...

Page 279: ...bleshooting section below identifying problems with CA server access can be done by turning off the requirement to validate certificates Attempts to access CA servers by NetDefendOS can be disabled with the Disable CRLs option for certificate objects This means that checking against the CA server s revocation list will be turned off and access to the server will not be attempted 3 9 5 Creating Win...

Page 280: ... text editor such as Windows Notepad Give the files the same filename but use the extension cer for one and key for the other For example gateway cer and gateway key might be the names 4 Start a text editor and open the downloaded pem file and locate the line that begins BEGIN RSA PRIVATE KEY 5 Mark and copy into the system clipboard that line and everything under it up to and including the line E...

Page 281: ... to three IPv4 and or IPv6 DNS servers These are called the Primary Server the Secondary Server and the Tertiary Server For DNS to function at least the one the primary server must be configured It is recommended to have at least two servers a primary and a secondary defined so that there is always a backup server available Features Requiring DNS Resolution Having at least one DNS server defined i...

Page 282: ...validity of a certificate and first needs to resolve the certificate s FQDN to an IP address Dynamic DNS and HTTP Poster A DNS feature offered by NetDefendOS is the ability to explicitly inform DNS servers when the external IP address of the NetDefend Firewall has changed This is sometimes referred to as Dynamic DNS and is useful where the NetDefend Firewall has an external address that can change...

Page 283: ...ically formatted for the administrator by NetDefendOS through using the DynDNS option and entering only the information required for dyndns org The CLI console command httpposter can be used to troubleshoot problems by seeing what NetDefendOS is sending and what the servers are returning gw world httpposter Note A high rate of server queries can cause problems Dynamic DNS services are often sensit...

Page 284: ...Chapter 3 Fundamentals 284 ...

Page 285: ...IP routing is one of the most fundamental functions of NetDefendOS Any IP packet flowing through a NetDefend Firewall will be subjected to at least one routing decision at some point in time and properly setting up routing is crucial for the system to function as expected NetDefendOS offers support for the following types of routing mechanisms Static routing Dynamic routing Additionally NetDefendO...

Page 286: ...stination In each router one or more routing tables contain a list of routes and these are consulted to find out where to send a packet so it can reach its destination The components of a single route are discussed next The Components of a Route When a route is defined it consists of the following parameters Interface The interface to forward the packet on in order to reach the destination network...

Page 287: ...ve different metric values then the route with the lowest metric value is taken The metric value is also used by Route Failover and Route Load Balancing For more information see Section 4 4 Route Load Balancing and Section 4 2 3 Route Failover A Typical Routing Scenario The diagram below illustrates a typical NetDefend Firewall usage scenario Figure 4 1 A Typical Routing Scenario In the above diag...

Page 288: ...ch is connected to the public internet The Narrowest Routing Table Match is Selected When a routing table is evaluated the ordering of the routes is not important Instead all routes in the relevant routing table are evaluated and the most specific route is used In other words if two routes have destination networks that overlap the narrower network definition will be taken before the wider one Thi...

Page 289: ...s of the above route the clients will be able to communicate successfully with the interface The IP address chosen in the second network is not significant as long as it is the same value for the Default Gateway of the clients and the Local IP Address The effect of adding the route with the Local IP Address is that the firewall will act as a gateway with the Local IP Address and respond to as well...

Page 290: ... Routing This section describes how routing is implemented in NetDefendOS and how to configure static routing NetDefendOS supports multiple routing tables A default table called main is predefined and is always present in NetDefendOS However additional and completely separate routing tables can be defined by the administrator to provide alternate routing Extra user defined routing tables can be us...

Page 291: ...nation Netmask Gateway Interface Metric 0 0 0 0 0 0 0 0 192 168 0 1 192 168 0 10 20 10 0 0 0 255 0 0 0 10 4 2 143 10 4 2 143 1 10 4 2 143 255 255 255 255 127 0 0 1 127 0 0 1 50 10 255 255 255 255 255 255 255 10 4 2 143 10 4 2 143 50 85 11 194 33 255 255 255 255 192 168 0 1 192 168 0 10 20 127 0 0 0 255 0 0 0 127 0 0 1 127 0 0 1 1 192 168 0 0 255 255 255 0 192 168 0 10 192 168 0 10 20 192 168 0 10 ...

Page 292: ...istrator can have routes added deleted and changed automatically during live operation and these changes will appear when the routing table contents are displayed These routing table changes can take place for different reasons For example if dynamic routing with OSPF has been enabled then routing tables will become populated with new routes learned from communicating with other OSPF routers in an...

Page 293: ...esses changed to the appropriate range for traffic to flow Note The metric for default routes is 100 The metric assigned to the default routes automatically created for the physical interfaces is always 100 These automatically added routes cannot be removed manually by deleting them one at a time from a routing table Instead the properties of the interface must be selected and the advanced option ...

Page 294: ...default CLI context gw world main cc gw world Web Interface 1 Go to Network Routing Routing Tables main Add Route 2 Now enter Interface wan Network all nets Gateway isp_gw_ip 3 Click OK Routes can Contain IPv4 or IPv6 Addresses A single route can contain either an IPv4 or IPv6 address but not both Routes that use IPv4 and IPv6 addresses can be mixed in the same routing table This topic is describe...

Page 295: ... all routes are to be displayed This is shown in the example below Example 4 3 Displaying the Core Routes This example illustrates how to display the core routes in the active routing table Command Line Interface gw world routes all Flags Network Iface Gateway Local IP Metric 127 0 0 1 core Shared IP 0 192 168 0 1 core Iface IP 0 213 124 165 181 core Iface IP 0 127 0 3 1 core Iface IP 0 127 0 4 1 ...

Page 296: ... of routes and then switches traffic to an alternate route should the primary preferred route fail Figure 4 3 A Route Failover Scenario for ISP Access Setting Up Route Failover To set up route failover Route Monitoring must be enabled and this is an option that is enabled on a route by route basis To enable route failover in a scenario with a preferred and a backup route the preferred route will h...

Page 297: ...d on the new route Setting the Route Metric When specifying routes the administrator should manually set a route s Metric The metric is a positive integer that indicates how preferred the route is as a means to reach its destination When two routes offer a means to reach the same destination NetDefendOS will select the one with the lowest metric value for sending data if two routes have the same m...

Page 298: ...nother route will cause the routing interface to be changed If this could happen it is necessary to take some precautionary steps to ensure that policies and existing connections will be maintained To illustrate the problem consider the following configuration Firstly there is one IP rule that will NAT all HTTP traffic destined for the Internet through the wan interface Action Src Iface Src Net De...

Page 299: ...external host systems can be routinely polled to check that a particular route is available The advantages of host monitoring are twofold In a complex network topology it is more reliable to check accessibility to external hosts Just monitoring a link to a local switch may not indicate a problem in another part of the internal network Host monitoring can be used to help in setting the acceptable Q...

Page 300: ...operty to Manual and specifying an IP address Interval The interval in milliseconds between polling attempts The default setting is 10 000 and the minimum value allowed is 100 ms Sample The number of polling attempts used as a sample size for calculating the Percentage Loss and the Average Latency This value cannot be less than 1 Maximum Failed Poll Attempts The maximum permissible number of polli...

Page 301: ...ut the application is offline A Known Issue When No External Route is Specified With connections to an Internet ISP an external network route should always be specified This external route specifies on which interface the network which exists between the NetDefend Firewall and the ISP can be found If only an all nets route is specified to the ISP s gateway route failover may depending on the conne...

Page 302: ...spond to ARP requests directed to the network on the other side of the NetDefend Firewall using the feature known as Proxy ARP The splitting of an Ethernet network into distinct parts so that traffic between them can be controlled is a common usage of the proxy ARP feature NetDefendOS rule sets can then be used to impose security policies on the traffic passing between the different network parts ...

Page 303: ... routes and ARP proxy publishing Route Network Interface Proxy ARP Published 1 net_1 if1 if2 2 net_2 if2 if1 In this way there is complete separation of the sub networks but the hosts are unaware of this The routes are a pair which are a mirror image of each other but there is no requirement that proxy ARP is used in a pairing like this Keep in mind that if the host has an ARP request for an IP ad...

Page 304: ... FF FF FF For example a broadcast packet for the network 192 168 1 0 24 will have the IPv4 address 192 168 1 255 By default NetDefendOS will drop all such broadcast packets arriving at an interface In some situations particularly when using transparent mode it is desirable for NetDefendOS to forward these packets to another interface by doing a route lookup and also applying IP rules policies to d...

Page 305: ...ast IP address However the Source Network should be the network to which the broadcast address belongs For example a broadcast packet for the IPv4 network 10 0 0 0 8 will have the address 10 255 255 255 the highest IP address in the network So in an IP rule or IP policy targeting these packets the Source Network property should be set to 10 0 0 0 8 and the Destination Network property should be se...

Page 306: ...hould be set to Drop if no log messages are to be generated Example 4 4 Enabling Broadcast Forwarding on a Route This example shows how to enable broadcast packet forwarding on an existing route called my_route which is the third route in the main routing table Command Line Interface First enable broadcast forwarding globally for non transparent mode traffic gw world set Settings IPSettings Direct...

Page 307: ...1 Go to Network Routing Routing Tables main 2 Select the route my_route 3 Enable the option Forward Broadcast Traffic 4 Click OK Chapter 4 Routing 307 ...

Page 308: ...st traffic from another address range might be through a second ISP Service based Routing A different routing table might need to be chosen based on the service Policy based routing can route a given protocol such as HTTP through proxies such as Web caches Specific services might also be routed to a specific ISP so that one ISP handles all HTTP traffic User based Routing A different routing table ...

Page 309: ...BRTable is created with the Ordering property set to First Command Line Interface To see the configured routing table gw world add RoutingTable MyPBRTable Ordering First Web Interface 1 Go to Network Routing Routing Tables Add RoutingTable 2 Now enter Name MyPBRTable For Ordering select one of First the named routing table is consulted first of all If this lookup fails the lookup will continue in ...

Page 310: ...es If no address is specified the firewall s interface IP address will be used Metric Specifies the metric for this route Mostly used in route failover scenarios 3 Click OK Routing Rules A rule in the routing rule set can decide which routing table is selected A routing rule has a number of filtering properties that are similar to those used in an IP rule A rule can trigger on a type of service HT...

Page 311: ...er IPv4 or IPv6 addresses as the source and destination network for a rule s filtering properties However both the source and destination network must be either IPv4 or IPv6 It is not permissible to combine IPv4 and IPv6 addresses in a single rule For further discussion of this topic see Section 3 2 IPv6 Support The Forward and Return Routing Table can be Different In most cases the routing table ...

Page 312: ... arrives these are the processing steps taken to determine which routing table to use 1 The routing rules are looked up first To allow this the packet s destination interface must be determined using an initial route lookup that is always performed in the main routing table It is therefore important that a match for the destination network is found To ensure this it is recommended to at least have...

Page 313: ...ing route is found or a default route is found a route with the destination all nets a lookup for a matching route in the alternate table is performed If no match is found in the alternate table then the default route in the main table will be used 2 First This behavior is to first look up the connection s route in the alternate table If no matching route is found there then the main table is used...

Page 314: ...fferent IP spans or about policy routing Unfortunately this is not always possible and this is where Policy Based Routing becomes a necessity We will set up the main routing table to use ISP A and add a named routing table called r2 that uses the default gateway of ISP B Interface Network Gateway ProxyARP lan1 10 10 10 0 24 wan1 lan1 20 20 20 0 24 wan2 wan1 10 10 10 1 32 lan1 wan2 20 20 20 1 32 la...

Page 315: ...the following Go to Network Routing Policy based Routing Rules Add Routing Rule Enter the information from the list Repeat to add the next rule Note Routing rules in the above example are added for both inbound and outbound connections Chapter 4 Routing 315 ...

Page 316: ...h it One of the algorithms from the following list can be specified in an RLB Instance object Round Robin Matching routes are used equally often by successively going to the next matching route Destination This is an algorithm that is similar to Round Robin but provides destination IP stickiness so that the same destination IP address gets the same route The algorithm is always used in conjunction...

Page 317: ...es of all metrics this is explained further below Figure 4 5 The RLB Round Robin Algorithm Destination This is similar to Round Robin but provides stickiness so that unique destination IP addresses always get the same route from a lookup The importance of this is that it means that a particular destination application can see all traffic coming from the same source IP address Spillover Spillover i...

Page 318: ...cs of matching routes In a scenario with two ISPs if the requirement is that the bulk of traffic passes through one of the ISPs then this can be achieved by enabling RLB and setting a low metric on the route to the favoured ISP A relatively higher metric is then set on the route to the other ISP Using Route Metrics with Spillover When using the Spillover algorithm a number of points should be note...

Page 319: ...o RLB will treat the routes as being different It should also be remembered that route lookup will select the route that has the narrowest range that matches the destination IP address used in the lookup In the above example 10 4 16 0 24 may be chosen over 10 4 16 0 16 because the range is narrower with 10 4 16 0 24 for an IP address they both contain RLB Resets There are two occasions when all RL...

Page 320: ...gorithm we can ensure that clients communicate with a particular server using the same route and therefore the same source IP address If NAT was being used for the client communication the IP address seen by the server would be WAN1 or WAN2 In order to flow any traffic requires both a route and an allowing IP rule The following rules will allow traffic to flow to either ISP and will NAT the traffi...

Page 321: ...ithm Destination Click OK Step 3 Create IP rules to allow traffic to flow Finally IP rules needed to be added to an IP rule set to allow traffic to flow The detailed steps for this are not included here but the created rules would follow the pattern described above RLB with VPN When using RLB with VPN a number of issues need to be overcome If we were to try and use RLB to balance traffic between t...

Page 322: ... wrap IPsec in a GRE tunnel in other words the IPsec tunnel is carried by a GRE tunnel GRE is a simple tunneling protocol without encryption and therefore involves a minimum of extra overhead See Section 3 4 7 GRE Tunnels for more about this topic Chapter 4 Routing 322 ...

Page 323: ...lar routing table Specifying a Routing Table for an Interface It is possible to associate an interface directly with a specific routing table This is known as the interface s routing table membership This option is part an interface s virtual routing options This is the preferred way of implementing a virtual router The interface might be physical or it could be a virtual LAN VLAN To ensure that a...

Page 324: ...iate names for each separated portion of data traffic Reusing Private IP Addresses An advantage of using separate routing tables on different interfaces is that internal private IP address ranges can be reused on different virtual systems For example Department A and Department B could both use the internal network 192 168 0 0 24 Since route lookup is done in completely separate routing tables the...

Page 325: ... of the problems that virtual routing can but complex configurations can become unwieldy for such rules Consider a single NetDefend Firewall being used as a firewall for two organizations both using the same IP span In this case two separate routing tables could be used one for each organization as shown below Figure 4 9 The Disadvantage of Routing Rules Two routing tables pbr1 and pbr2 are first ...

Page 326: ...e following two additional routing rules are also needed and are placed before the four above Route Name Source if Source Net Dest Net Fwd Table Ret Table 1 org1 org2 If11 all nets pubip org2 pbr1 pbr2 2 org2 org1 If2 all nets pubip org1 pbr2 pbr1 With two organizations two routing rules are enough to allow them to communicate However with three organizations six are needed with four twelve are ne...

Page 327: ...2 168 0 1 vs1 3 vs2 lan 192 168 0 254 vs2 Loopback Interfaces Name IP Address Loop to Routing Table 1 main vs1 ip_main wan vs1 main main 2 vs1 main pubip vs1 main vs1 vs1 3 main vs2 ip_main wan vs2 main main 4 vs2 main pubip vs2 main vs2 vs2 For each connection between a pair of virtual systems a pair of loopback interfaces is required one for each system When traffic is sent through main vs1 it a...

Page 328: ...the NetDefendOS feature of creating multiple IP rule sets see Section 3 6 4 Multiple IP Rule Sets for more detail on this feature IP rules and IP policies for different virtual systems need not be split up They can reside together in a single IP rule set The benefit of doing this is being able to define shared or global rules or policies that span over several virtual systems For example for aggre...

Page 329: ...used If the vs1 table only includes routes through vs1 interfaces Any filters can only mean through other interfaces in the same virtual system It may however be sound practice to write tighter destination interface filters in case an error occurs elsewhere in the configuration In this example rule 1 might use main ifs rule 4 might use vs1 main The SAT and corresponding Allow rules however are alr...

Page 330: ...en connections Both ends of a connection will be shown before and after address translation Also the routing tables used in the forward and return direction will be shown Enable logging and read the logs In each virtual system a separate rule decision is made and a separate connection is established Chapter 4 Routing 330 ...

Page 331: ...outes for both locally connected and remotely connected destinations are added into local routing tables Dynamic routing responds to routing updates dynamically but has some disadvantages in that it can be more susceptible to certain problems such as routing loops One of two types of algorithms are generally used to implement the dynamic routing mechanism A Distance Vector DV algorithm A Link Stat...

Page 332: ...hierarchy whereas RIP has no knowledge of sub network addressing The OSPF Solution Open Shortest Path First OSPF is a widely used protocol based on an LS algorithm Dynamic routing is implemented in NetDefendOS using OSPF An OSPF enabled router first identifies the routers and sub networks that are directly connected to it and then broadcasts the information to all the other routers Each router use...

Page 333: ...y between any two of the firewalls For example if the direct link between A and C fails then OSPF allows both firewalls to know immediately that there is an alternate route between them via firewall B For instance traffic from network X which is destined for network Z will be routed automatically through firewall B From the administrator s point of view only the routes for directly connected netwo...

Page 334: ... IP address found in the IP packet header IP packets are routed as is in other words they are not encapsulated in any further protocol headers as they transit the Autonomous System AS The Autonomous System The term Autonomous System refers to a single network or group of networks with a single clearly defined routing policy controlled by a common administrator It forms the top level of a tree stru...

Page 335: ...4 6 3 2 OSPF Area OSPF Area Components A summary of OSPF components related to an area is given below ABRs Area Border Routers are routers that have interfaces connected to more than one area These maintain a separate topological database for each area to which they have an interface ASBRs Routers that exchange routing information with routers in other Autonomous Systems are called Autonomous Syst...

Page 336: ...he 2 way state 2 Way In this state the communication between the router and the neighbor is bidirectional On Point to Point and Point to Multipoint OSPF interfaces the state will be changed to Full On Broadcast interfaces only the DR BDR will advance to the Full state with their neighbors all the remaining neighbors will remain in the 2 Way state ExStart Preparing to build adjacency Exchange Route...

Page 337: ...bone area Figure 4 13 Virtual Links Connecting Areas In the above example a Virtual Link is configured between fw1 and fw2 on Area 1 as it is used as the transit area In this configuration only the Router ID has to be configured The diagram shows that fw2 needs to have a Virtual Link to fw1 with Router ID 192 168 1 1 and vice versa These virtual links need to be configured in Area 1 B Linking a Pa...

Page 338: ...o work correctly the NetDefend Firewall needs to have a broadcast interface with at least ONE neighbor for ALL areas that the firewall is attached to In essence the inactive part of the cluster needs a neighbor to get the link state database from It should also be noted that is not possible to put an HA cluster on the same broadcast network without any other neighbors they will not form adjacency ...

Page 339: ... Components This section looks at the NetDefendOS objects that need to be configured for OSPF routing Defining these objects creates the OSPF network The objects should be defined on each NetDefend Firewall that is part of the OSPF network and should describe the same network An illustration of the relationship between NetDefendOS OSPF objects is shown below Figure 4 15 NetDefendOS OSPF Objects 4 ...

Page 340: ...shooting Authentication The primary purpose of OSPF authentication is to make sure that the correct OSPF router processes are talking to each and it is therefore mostly used when there are multiple OSPF AS OSPF supports the following authentication options No null authentication No authentication is used for OSPF protocol exchanges Passphrase A simple password is used to authenticate all the OSPF ...

Page 341: ...unning them one and one Routes Hold Time This specifies the time in seconds that the routing table will be kept unchanged after a reconfiguration of OSPF entries or a HA failover Memory Settings Memory Max Usage Maximum amount in Kilobytes of RAM that the OSPF AS process are allowed to use if no value is specified the default is 1 of installed RAM Specifying 0 indicates that the OSPF AS process is...

Page 342: ...network The purpose of an OSPF interface object is to describe a specific interface which will be part of an OSPF network Note Different interface types can be used with OSPF interfaces Note that an OSPF Interface does not always correspond to a physical interface although this is the most common usage Other types of interfaces such as a VLAN could instead be associated with an OSPF Interface Gene...

Page 343: ...interface Bandwidth If the metric is not specified the bandwidth is specified instead If the bandwidth is known then this can be specified directly instead of the metric Authentication All OSPF protocol exchanges can be authenticated using a simple password or MD5 cryptographic hashes If Use Default for Router Process is enabled then the values configured in the router process properties are used ...

Page 344: ...ns that traffic with a destination MAC address that does not match the Ethernet interface s MAC address will be sent to NetDefendOS and not discarded by the interface Promiscuous mode is enabled automatically by NetDefendOS and the administrator does not need to worry about doing this If the administrator enters a CLI command ifstat ifname the Receive Mode status line will show the value Promiscuo...

Page 345: ... that case a Virtual Link VLink can be used to connect to the backbone through a non backbone area NetDefendOS OSPF VLink objects are created within an OSPF Area and each object has the following parameters General Parameters Name Symbolic name of the virtual link Neighbor Router ID The Router ID of the router on the other side of the virtual link Authentication Use Default For AS Use the values c...

Page 346: ...tables Usage with OSPF Dynamic Routing Rules are used with OSPF to achieve the following Allowing the import of routes from the OSPF AS into local routing tables Allowing the export of routes from a local routing tables to the OSPF AS Allowing the export of routes from one OSPF AS to another OSPF AS Note The last usage of joining asynchronous systems together is rarely encountered except in very l...

Page 347: ...other words an OSPF Router Process the route should be imported from into either a routing table or another AS From Routing Table Specifies from which routing table a route should be imported into the OSPF AS or copied into another routing table Destination Interface Specifies if the rule has to have a match to a certain destination interface Destination Network Exactly Matches Specifies if the ne...

Page 348: ...ignificant cost of a route OffsetMetric Increases the metric of an imported route by this value Limit Metric To Limits the metrics for these routes to a minimum and maximum value If a route has a higher or lower value than specified then it will be set to the specified value 4 6 4 4 Routing Action A Routing Action is used to manipulate and export routing changes to one or more local routing tables...

Page 349: ... OSPF Area Within the OSPF Area created in the previous step add a new OSPF Interface for each physical interface that will be part of the area The OSPF Interface object needs the following parameters specified in its properties Interface the physical interface which will be part of the OSPF area Network the network on the interface that will be part of the area This does not need to be specified ...

Page 350: ... the option From Routing Table with the main routing table moved to the Selected list In addition the optional Or is within filter parameter for the destination network must be set to be all nets This means all routes will be exported ii Within the Dynamic Routing Policy Rule just added we now add an OSPF Action object Here set the Export to process option to be the OSPF Router Process which repre...

Page 351: ...look at how to set this up and assume that IPsec will be the chosen method for implementing the tunnel To create this setup we need to perform the normal OSPF steps described above but with the following additional steps 1 Set up an IPsec tunnel First set up an IPsec tunnel in the normal way between the two firewalls A and B The IPsec setup options are explained in Section 9 2 VPN Quick Start This...

Page 352: ...ify address manually option needs to be enabled and the IPv4 address in this example of 192 168 55 1 needs to be entered in the CLI OriginatorType is set to manual and the OriginatorIP is 192 168 55 1 This sets the tunnel endpoint IP to be 192 168 55 1 so that all OSPF traffic will be sent to firewall A with this source IP The result of doing this is to core route OSPF traffic coming from firewall...

Page 353: ...ted between the 10 4 0 0 16 network and the 192 168 0 0 24 network The IP rules that are needed to allow such traffic to flow are not included in this example Example 4 10 Creating an OSPF Router Process First the Autonomous System AS must be defined on both firewalls On firewall A create an OSPF Router Process object Assume the object name will be as_0 Command Line Interface gw world add OSPFProc...

Page 354: ...SPFArea Name Area ID Comments area_1 0 0 0 0 empty Web Interface 1 Go to Network Routing OSPF 2 Select the routing process as_0 3 Select Add OSPF Area 4 For the area properties Enter the area name in this case area_0 Specify the Area ID as 0 0 0 0 5 Click OK Now repeat this for firewall B using the same OSPF Area object name of area_0 Example 4 12 Add OSPF Interface Objects For firewall A add OSPF...

Page 355: ...ft at its default value of enabled since this interface is connected to another router firewall B should then be set up in the same way Example 4 13 Import Routes from an OSPF AS into the Main Routing Table In this example the routes received using OSPF will be added into the main routing table To do this a Dynamic Routing Policy Rule first needs to be created In this example the rule is called Im...

Page 356: ...d 1 ImportOSPFRoutes add DynamicRoutingRuleAddRoute Destination main Web Interface 1 Go to Network Routing Routing Rules 2 Click on the newly created ImportOSPFRoutes 3 Go to Routing Action Add DynamicRoutingRuleAddRoute 4 Move the routing table main from Available to Selected 5 Click OK The same procedure should be repeated for firewall B Example 4 14 Exporting the Routes into an OSPF AS In this ...

Page 357: ... specified OSPF AS Command Line Interface First change the CLI context to be the DynamicRoutingRule just added for export gw world cc DynamicRoutingRule ExportDefRoute Next add a DynamicRoutingRuleExportOSPF object gw world 2 ExportDefRoute add DynamicRoutingRuleExportOSPF ExportToProcess as_0 Web Interface 1 Go to Network Routing Routing Rules 2 Click on the newly created ExportAllNets 3 Go to OS...

Page 358: ...n packets DebugExchange Log exchange packets DebugLSA Log LSA events DebugSPF Log SPF calculation events DebugRoute Log routing table manipulation events Each of these properties can be assigned one of the following values Off Nothing is logged Low Logs all actions Medium Logs all actions but with more detail High Logs everything with maximum detail Note The high setting generates large amounts of...

Page 359: ...ents can be displayed For example if an OSPFInterface object has the name ospf_If1 details about this can be shown with the command gw world ospf interface ospf_If1 A similar snapshot can be displayed for areas neighbors routes and LSAs OSPF interface operation can also be selectively halted and restarted For example to stop the OSPFInterface called ospf_If1 the CLI command would be gw world ospf ...

Page 360: ...The ospf command options are fully described in the separate NetDefendOS CLI Reference Guide Chapter 4 Routing 360 ...

Page 361: ...col Independent Multicast PIM is a group of routing protocols for deciding the optimal path for multicast packets Underlying Principles Multicast routing functions on the principle that an interested receiver joins a group for a multicast by using the IGMP protocol PIM routers can then duplicate and forward packets to all members of such a multicast group thus creating a distribution tree for pack...

Page 362: ...ultiplex rule needs to be routed to the core interface By default the multicast IP range 224 0 0 0 4 is always routed to core and does not have to be manually added to the routing tables Each specified output interface can individually be configured with static address translation of the destination address The Interface field in the Interface Net Tuple dialog may be left empty if the IPAddress fi...

Page 363: ...ltiplex IP Rule In this example a multiplex IP Rule object will be created to forward the multicast groups 239 192 10 0 24 1234 to the interfaces if1 if2 and if3 All groups have the same sender at the IP address 192 168 10 1 which is located somewhere behind the wan interface The multicast groups should only be forwarded to the outgoing interfaces if clients behind those interfaces have requested ...

Page 364: ...ch interface leave the IPAddress field blank since no destination address translation is required 4 Enable the option Multicast traffic must have been requested using IGMP before it is forwarded 5 Click OK Creating Multiplex Rules with the CLI Creating multiplex rules through the CLI requires some additional explanation The CLI command to create the multiplex rule is then gw world add IPRule Sourc...

Page 365: ...ding Multicast Traffic with a SAT Multiplex IP Rule but uses a Multicast Policy object instead of an IP Rule object Note that the Protocol property of the Service object used with a Multicast Policy is not used and therefore does not need to be set Example 4 17 Forwarding Multicast Traffic with a Multicast Policy In a similar scenario to Example 4 16 Forwarding Multicast Traffic with a SAT Multipl...

Page 366: ...4 Enable the option Require IGMP 5 Click OK The CLI for the above example is not listed since it requires the same considerations as the CLI described for the earlier Example 4 16 Forwarding Multicast Traffic with a SAT Multiplex IP Rule Instead of an IPRule object in the CLI a MulticastPolicy object could be used instead 4 7 2 3 Multicast Forwarding Address Translation Scenario This scenario is b...

Page 367: ...to add an Allow rule matching the SAT Multiplex rule Example 4 18 Multicast Forwarding Address Translation The following SAT Multiplex rule needs to be configured to match the scenario described above Web Interface A Create a custom service for multicast called multicast_service 1 Go to Objects Services Add TCP UDP 2 Now enter Name multicast_service Type UDP Destination 1234 B Create an IP rule 1 ...

Page 368: ...ex rule should be replaced with a NAT rule 4 7 3 IGMP Configuration IGMP signaling between hosts and routers can be divided into two categories IGMP Reports Reports are sent from hosts towards the router when a host wants to subscribe to new multicast groups or change current multicast subscriptions IGMP Queries Queries are IGMP messages sent from the router towards the hosts in order to make sure...

Page 369: ...oop Mode Figure 4 21 Multicast Proxy Mode In Snoop Mode the NetDefend Firewall will act transparently between the hosts and another IGMP router It will not send any IGMP Queries It will only forward queries and reports between the other router and the hosts In Proxy Mode the firewall will act as an IGMP router towards the clients and actively send Chapter 4 Routing 369 ...

Page 370: ...is a report rule that allows the clients behind interfaces if1 if2 and if3 to subscribe for the multicast groups 239 192 10 0 24 The second rule is a query rule that allows the upstream router to query us for the multicast groups that the clients have requested The following steps need to be executed to create the two rules Web Interface A Create the first IGMP Rule 1 Go to Network Routing IGMP Ru...

Page 371: ...tion Scenario We need two IGMP report rules one for each client interface The interface if1 uses no address translation and if2 translates the multicast group to 237 192 10 0 24 We also need two query rules one for the translated address and interface and one for the original address towards if1 Two examples are provided one for each pair of report and query rule The upstream multicast router uses...

Page 372: ...Type Query Action Proxy Output if1 this is the relay interface 3 Under Address Filter enter Source Interface wan Source Network UpstreamRouterIp Destination Interface core Destination Network auto Multicast Source 192 168 10 1 Multicast Group 239 192 10 0 24 4 Click OK Example 4 21 if2 Configuration Group Translation The following steps needs to be executed to create the report and query rule pair...

Page 373: ...on Network auto Multicast Source 192 168 10 1 Multicast Group 239 192 10 0 24 4 Click OK B Create the second IGMP Rule 1 Again go to Network Routing IGMP Rules Add IGMP Rule 2 Under General enter Name A suitable name for the rule for example Queries_if2 Type Query Action Proxy Output if2 this is the relay interface 3 Under Address Filter enter Source Interface wan Source Network UpstreamRouterIp D...

Page 374: ...IGMP React To Own Queries The firewall should always respond with IGMP Membership Reports even to queries originating from itself Global setting on interfaces without an overriding IGMP Setting Default Disabled IGMP Lowest Compatible Version IGMP messages with a version lower than this will be logged and ignored Global setting on interfaces without an overriding IGMP Setting Default IGMPv1 IGMP Ro...

Page 375: ...ntil a host has to send a reply to a query Global setting on interfaces without an overriding IGMP Setting Default 10 000 IGMP Robustness Variable IGMP is robust to IGMP Robustness Variable 1 packet losses Global setting on interfaces without an overriding IGMP Setting Default 2 IGMP Startup Query Count The firewall will send IGMP Startup Query Count general queries with an interval of IGMPStartup...

Page 376: ...plex rules must be setup both on the firewall the server is behind and on the firewall the clients are behind in other words the tunnel terminator Incoming and outgoing IGMP rules for reporting and querying must be configured on both sides of the tunnel if IGMP is used Tunneling Setup Summary The following components are needed on both the client and server side Configure a GRE Tunnel object with ...

Page 377: ...f2_ip the server is on the If2 interface A GRE tunnel called gre_to_clients is configured and the remote network is the address book object called client_net GRE Tunnel Name IP Address Remote Endpoint Remote Network gre_to_clients If2_ip client_interface_ip client_net Routes Provided that the above GRE object has the option to automatically add routes enabled the following route will be added by N...

Page 378: ... remote network is the address book object called server_net GRE Tunnel Name IP Address Remote Endpoint Remote Network gre_to_server If3_ip server_interface_ip server_net Routes Provided that the above GRE object has the option to automatically add routes enabled the following route will be added by NetDefendOS to the main routing table Network Interface server_net gre_to_server Services Name Type...

Page 379: ...by specifying a Switch Route instead of a standard Route in routing tables The switch route usually specifies that the network all nets is found on a specific interface NetDefendOS then uses ARP message exchanges over the connected Ethernet network to identify and keep track of which host IP addresses are located on that interface this is explained further below There should not be a normal non sw...

Page 380: ...justed to ensure that the routing table is consistent with the new layout Reconfiguration of IP settings may be required for pre existing routers and protected servers This works well when comprehensive control over routing is desired With switch routes the NetDefend Firewall operates in transparent mode and resembles a OSI Layer 2 Switch in that it screens IP packets and forwards them transparent...

Page 381: ...his packet in a transparent manner If a destination interface and MAC address is available in the route NetDefendOS has the necessary information to forward the packet to the destination If the route was a Switch Route no specific information about the destination is available and the firewall will have to discover where the destination is located in the network Discovery is done by NetDefendOS se...

Page 382: ...r has some knowledge of the network topology and often this may not be the case Multiple Switch Routes are Connected Together The setup steps listed above describe placing all the interfaces into a single interface group object which is associated with a single switch route An alternative to one switch route is to not use an interface group but instead use an individual switch route for each inter...

Page 383: ...s on which the VLAN is defined To better explain this let us consider a VLAN vlan5 which is defined on two physical interfaces called if1 and if2 Both physical interfaces have switch routes defined so they operate in transparent mode Two VLAN interfaces with the same VLAN ID are defined on the two physical interfaces and they are called vlan5_if1 and vlan5_if2 For the VLAN to operate in transparen...

Page 384: ...resses might be allocated by a DHCP server For example it may be an ISP s DHCP server that hands out public IPv4 addresses to clients located behind a firewall operating in transparent mode In this case NetDefendOS must be correctly configured as a DHCP relayer to allow the forwarding of DHCP traffic between clients and the DHCP server It may also be the case that the exact IP address of the DHCP ...

Page 385: ...SP gateway These same users should also configure the Internet gateway on their local computers to be the ISPs gateway address In non transparent mode the user s gateway IP would be the NetDefend Firewall s IP address but in transparent mode the ISP s gateway is on the same logical IP network as the users and will therefore be gw ip NetDefendOS May Also Need Internet Access The NetDefend Firewall ...

Page 386: ...e example above to hide individual addresses from the Internet it would have to be done by a device possibly another NetDefend Firewall between the 192 168 10 0 24 network and the public Internet In this case internal private IPv4 addresses could be used by the users on Ethernet network pn2 4 8 3 A Transparent Mode Use Case In the use case illustrated below a NetDefend Firewall in transparent mode...

Page 387: ...terface lan SourceNetwork 10 0 0 0 24 DestinationInterface any DestinationNetwork all nets Name http_allow Web Interface Configure the wan interface 1 Go to Network Interfaces and VPN Ethernet 2 Select the wan interface 3 Now enter IP Address 10 0 0 1 Network 10 0 0 0 24 Default Gateway 10 0 0 1 Transparent Mode Enable 4 Click OK Configure the lan interface 1 Go to Network Interfaces and VPN Ether...

Page 388: ...ing Tree Protocol STP messages between layer 2 switches in a network STP allows the switches to understand the network topology and avoid the occurrences of loops in the switching of packets The diagram below illustrates a situation where BPDU messages would occur if the administrator enables the switches to run the STP protocol Two NetDefend Firewalls are deployed in transparent mode between the ...

Page 389: ...U relaying is disabled by default and can be controlled through the advanced setting Relay Spanning tree BPDUs Logging of BPDU messages can also be controlled through this setting When enabled all incoming STP RSTP and MSTP BPDU messages are relayed to all transparent interfaces in the same routing table except the incoming interface 4 8 5 MPLS Pass Through Multi protocol Label Switching MPLS is a...

Page 390: ...e possible values for this setting are Ignore Verify packets and allow all verified MPLS labeled packets to pass silently Packets that fail verification are logged Log Verify packets and allow all verified MPLS packets to pass as well as being logged Packets that fail verification are also logged Drop Silently drop all MPLS packets without verification or logging Drop Log Drop all MPLS packets wit...

Page 391: ...elayed to all transparent interfaces in the same routing table except the incoming interface Options Ignore Let the packets pass but do not log Log Let the packets pass and log the event Drop Drop the packets DropLog Drop packets log the event Default Drop Relay MPLS When set to Ignore all incoming MPLS packets are relayed in transparent mode Options Ignore Let the packets pass but do not log Log ...

Page 392: ...Chapter 4 Routing 392 ...

Page 393: ...s pool which DHCP manages When a DHCP server receives a request from a DHCP client it returns the configuration parameters such as an IP address a MAC address a domain name and a lease for the IP address to the client in a unicast message DHCP Leases Compared to static assignment where the client owns the address dynamic addressing by a DHCP server leases the address to each client for a predefine...

Page 394: ...wishes to use the IP address it was assigned and may terminate the lease and release the IP address The lease time can be configured in a DHCP server by the administrator Chapter 5 DHCP Services 394 ...

Page 395: ...er will issue a lease to the interface NetDefendOS will change the IPv4 address and network of the interface to become the values in the lease The NetDefendOS address book objects associated with the interface will lose their original values and take on the value 0 0 0 0 for the IPv4 address and 0 0 0 0 0 for the IPv4 network The address book objects will not show the DHCP assigned values although...

Page 396: ...Web Interface 1 Go to Network Ethernet If1 2 Select Enable DHCP 3 Click OK Chapter 5 DHCP Services 396 ...

Page 397: ...er object to use The default value of all nets means that all addresses are accepted and only the interface is considered in making a DHCP server selection The other options for this parameter are described further below Searching the Server List Multiple DHCP servers form a list as they are defined the last defined being at the top of the list When NetDefendOS searches for a DHCP server to servic...

Page 398: ...pecifies what IP should be sent to the client for use as the default gateway the router to which the client connects Domain The domain within which users are situated When a user types a simple string into a browser instead of a valid URL the domain property value can be appended by the browser to form a URL For example if the Domain value is example com when the user types just the word wiki the ...

Page 399: ...er1 which assigns and manages IP addresses from an IPv4 address pool called DHCPRange1 This example assumes that an IP range for the DHCP Server has already been created Command Line Interface gw world add DHCPServer DHCPServer1 Interface lan IPAddressPool DHCPRange1 Netmask 255 255 255 0 Web Interface 1 Go to Network Network Services DHCP Servers Add DHCPServer 2 Now enter Name DHCPServer1 Interf...

Page 400: ...to which server in the CLI output To see just the configured DHCP servers use the command gw world dhcpserver show rules Tip The lease database is saved in non volatile memory The DHCP lease database is periodically saved to non volatile memory so that most leases are remembered by NetDefendOS after a system restart A DHCP advanced setting can be adjusted by the administrator to control how often ...

Page 401: ...n be used or the alternative Client Identified parameter can be used Client Identified If the MAC address is not used for identifying the client then the client can send an identifier in its DHCP request The value of this identifier can be specified as this parameter The option exists to also specify if the identifier will be sent as an ASCII or Hexadecimal value Example 5 3 Static IPv4 DHCP Host ...

Page 402: ...mmand gw world DHCPServer1 set DHCPServerPoolStaticHost 1 Host 192 168 1 12 MACAddress 00 90 12 13 14 15 Web Interface 1 Go to Network DHCP Services DHCP Servers DHCPServer1 2 Select Static Hosts 3 Select Add Static Host Entry 4 Now enter Host 19 168 1 1 MAC 00 90 12 13 14 15 5 Click OK 5 3 2 Custom IPv4 Options Adding a Custom Option to the DHCP server definition allows the administrator to send ...

Page 403: ...e or a comma separated list The meaning of the data is determined by the Code and Type For example if the code is set to 66 TFTP server name then the Type could be String and the Data would then be a site name such as tftp example com There is a large number of custom options which can be associated with a single DHCP server and these are described in RFC 2132 DHCP Options and BOOTP Vendor Extensi...

Page 404: ...ayed DHCP traffic the option exists in NetDefendOS to use the interface on which it listens as the source interface for forwarded traffic or alternatively the interface on which it sends out the forwarded request Although all NetDefendOS interfaces are core routed that is to say a route exists by default that routes interface IP addresses to Core for relayed DHCP requests this core routing does no...

Page 405: ...terfaces to obtain IP addresses from a DHCP server It is assumed the NetDefend Firewall is configured with VLAN interfaces vlan1 and vlan2 that use DHCP relaying and the DHCP server IP address is defined in the NetDefendOS address book as ip dhcp NetDefendOS will add a route for the client when it has finalized the DHCP process and obtained an IP Command Line Interface 1 Add the VLAN interfaces vl...

Page 406: ...me vlan to dhcpserver Action Relay Source Interface ipgrp dhcp DHCP Server to relay to ip dhcp Allowed IP offers from server all nets 3 Under the Add Route tab check Add dynamic routes for this relayed DHCP lease 4 Click OK DHCP Relay Advanced Settings The following advanced settings are available with DHCP relaying Max Transactions Maximum number of transactions at the same time Default 32 Transa...

Page 407: ... this value Default 10000 seconds Max Auto Routes How many relays that can be active at the same time Default 256 Auto Save Policy What policy should be used to save the relay list to the disk possible settings are Disabled ReconfShut or ReconfShutTimer Default ReconfShut Auto Save Interval How often in seconds should the relay list be saved to disk if DHCPServer_SaveRelayPolicy is set to ReconfSh...

Page 408: ...Roaming Clients Basic IP Pool Options The basic options available for an IP Pool are DHCP Server behind interface Indicates that the IP pool should use the DHCP server s residing on the specified interface Specify DHCP Server Address Specify DHCP server IP s in preferred ascending order to be used This option is used instead of the behind interface option Using the IP loopback address 127 0 0 1 in...

Page 409: ...nce there will not be any wait time when a system requests an IP while there exists prefetched IPs Maximum free The maximum number of free IPs to be kept Must be equal to or greater than the prefetch parameter The pool will start releasing giving back IPs to the DHCP server when the number of free clients exceeds this value Maximum clients Optional setting used to specify the maximum number of cli...

Page 410: ...he complete list of command options can be found in the CLI Reference Guide Example 5 5 Creating an IP Pool This example shows the creation of an IP Pool object that will use the DHCP server on IP address 28 10 14 1 with 10 prefetched leases It is assumed that this IP address is already defined in the address book as an IP object called ippool_dhcp Command Line Interface gw world add IPPool ip_poo...

Page 411: ... HA clusters The DHCPv6 client is not supported for interfaces in a NetDefendOS high availability cluster If it is enabled for an interface this will result in an error message when trying to commit the configuration Addresses Received in a Server Lease The lease received from a DHCPv6 server will contain the following An IPv6 address for the interface The addresses of up to three IPv6 DNS servers...

Page 412: ...sses for servers from which NetDefendOS will accept leases The Router Discovery Option An Ethernet configuration object has an additional property called Router Discovery which is either disabled or enabled By default this option is disabled which means that the DHCPv6 client feature will only set the IPv6 address for the interface and the IPv6 addresses of DNS servers while the network address an...

Page 413: ...NSv6 server addresses can be configured statically for NetDefendOS If this is done these manually configured addresses take precedence over addresses received in a lease However NetDefendOS will still automatically create the address book objects of the form interface _dns6_ num for each DHCPv6 server address received in the lease This precedence of statically defined DNS addresses is discussed fu...

Page 414: ...t collects received advertise messages from available DHCPv6 servers The client typically will contact the server that sent the advertise message with the highest server preference value A preference value of 255 has the highest priority and once such value is received in an advertise message the client will immediately begin a client initiated message exchange with the DHCPv6 Server originated th...

Page 415: ...y condition and this will appear on the management console This condition would require a very large number of leases to be allocated DHCPv6 Server Setup The steps for setting up a DHCPv6 server in NetDefendOS are as follows Make sure that IPv6 is enabled globally and for the listening interface of the DHCPv6 server with an IPv6 address assigned to that interface Doing this is described in Section...

Page 416: ...d commit option and will assign itself a preference value of 100 It is assumed in this example that IPv6 has been enabled globally and also for the listening interface lan Router advertisements will be generated by the same firewall and the prefix used will be 2001 DB8 64 Command Line Interface Create the server gw world add DHCPv6Server dhcpv6_server1 Interface lan IPv6AddressPool dhcpv6_range1 R...

Page 417: ...ick OK Set the hop limit to 1 1 Go to System Advanced Settings IP Settings 2 Under IPv6 set Multicast HopLimit Min to 1 3 Click OK Create a router advertisement 1 Go to Network Routing Router Advertisements Add Router Advertisement 2 Now enter Name my_ra Interface lan 3 Select the Advanced tab 4 Disable Use Global Settings 5 Enable Managed Flag 6 Enable Other Config Flag 7 Click OK Still within th...

Page 418: ...e 5 8 Static DHCPv6 Host Assignment This example shows how to assign the IPv6 address 2001 DB8 1 to the MAC address 00 90 12 13 14 15 The example assumes that the DHCPv6 server dhcpv6_server1 has already been defined Command Line Interface First change the category to the dhcp_ipv6_server1 context gw world cc DHCPv6Server dhcpv6_server1 Add the static DHCP assignment gw world dhcpv6_server1 add DH...

Page 419: ... Host 2001 DB8 1 MAC 00 90 12 13 14 15 5 Click OK Chapter 5 DHCP Services 419 ...

Page 420: ...Chapter 5 DHCP Services 420 ...

Page 421: ... traffic flow from untrusted sources is restricted from entering trusted areas Before a new connection is checked against the IP rule set NetDefendOS checks the connection source against a set of Access Rules Access Rules can be used to specify what traffic source is expected on a given interface and also to automatically drop traffic originating from specific sources AccessRules provide an effici...

Page 422: ...der of an IP packet indicating the source address of the packet is modified by the attacker to be a local host address The firewall will believe the packet came from a trusted source Although the packet source cannot be responded to correctly there is the potential for unnecessary network congestion to be created and potentially a Denial of Service DoS condition could occur Even if the firewall is...

Page 423: ...efault Access Rule log message is continuously being generated by some source and needs to be turned off then the way to do this is to specify an Access Rule for that source with an action of Drop Troubleshooting Access Rule Related Problems It should be noted that Access Rules are a first filter of traffic before any other NetDefendOS modules can see it Sometimes problems can appear such as setti...

Page 424: ...2 Now enter Name lan_Access Action Expect Interface lan Network lannet 3 Click OK Chapter 6 Security Mechanisms 424 ...

Page 425: ...cket filtering since they are capable of scrutinizing all traffic for a specific protocol and perform checks at the higher levels of the TCP IP stack ALGs exist for the following protocols in NetDefendOS HTTP FTP TFTP SMTP POP3 SIP H 323 TLS Note IPv6 based traffic is not supported by some ALGs Only the HTTP and LW HTTP ALGs have support for IPv6 when used with IP rules or IP policies that referen...

Page 426: ...ximum Connection Sessions The service associated with an ALG has a configurable parameter associated with it called Max Sessions and the default value varies according to the type of ALG For instance the default value for the HTTP ALG is 1000 This means that a 1000 connections are allowed in total for the HTTP service across all interfaces The full list of default maximum session values are HTTP A...

Page 427: ...based on a request response architecture A client such as a Web browser sends a request by establishing a TCP IP connection to a known port usually port 80 on a remote server The server answers with a response string followed by a message of its own That message might be for example an HTML file to be shown in the Web browser or an ActiveX component to be executed on the client or perhaps an error...

Page 428: ...TPS and so SafeSearch cannot be enforced Google searches will be forced to use HTTP if the result of the DNS lookup performed by the browser is changed This is done by adding a CNAME record to the local DNS server that causes www google com to become nosslsearch google com This forces HTTP to be used By default SafeSearch is not forced so this property must be explicitly enabled for the HTTP ALG c...

Page 429: ...OP3 and SMTP ALGs iv Verify MIME Type This option enables checking that the filetype of a file download agrees with the contents of the file the term filetype here is also known as the filename extension All filetypes that are checked in this way by NetDefendOS are listed in Appendix C Verified MIME filetypes When enabled any file download that fails MIME verification in other words its filetype d...

Page 430: ... the following steps are required Create a File Control Profile object which specifies which file control actions to take Assign the File Control Profile object to the File Control property of an IP Policy object that filters the targeted traffic Note that Service property of the IP Policy must be set to a service that has its Protocol property set to the relevant protocol for example HTTP Allow U...

Page 431: ...ince the whitelist has precedence Deploying an HTTP ALG As mentioned in the introduction an HTTP ALG object is brought into use by first associating it with a service object and then associating that service object with an IP rule in the IP rule set A number of predefined HTTP services could be used with the ALG For example the http service might be selected for this purpose As long as the associa...

Page 432: ...ests over a single TCP connection without waiting for the corresponding replies This can result in a significant improvement in page loading times particularly over network connections with high latency times The standard HTTP ALG does not support pipelining connections User Agent Filter Support Specific browsers and or browser versions can be allowed and all others blocked Protocol Upgrade Suppor...

Page 433: ...ill be denied All other agents will be allowed This is the default Allow Selected Only the agents specified by the filter s will be allowed All other agents will be denied As can be seen from the agent example above for Firefox the entire agent string can be long It is therefore better when specifying the agent string in a filter to use wildcards The following wildcards can be used The asterisk ch...

Page 434: ... the User Agent filter that will allow Chrome gw world my_lw_http_alg add ALG_HTTP_UA UserAgent Chrome Return to the default CLI context gw world my_lw_http_alg cc gw world Now create a service object and associate it with this new ALG gw world add Service ServiceTCPUDP my_http_service Type TCP DestinationPorts 80 443 ALG my_lw_http_alg Finally modify the NAT IP rule to use the new service gw worl...

Page 435: ...s Firewalling Main IP Rules 2 Select the IP rule called int_to_ext_http 3 Go to Service 4 Select my_http_service from the Service list 5 Click OK 6 2 4 The FTP ALG Overview File Transfer Protocol FTP is a TCP IP based protocol for exchanging files between a client and a server The client initiates the connection by connecting to the FTP server Normally the client needs to authenticate itself by pr...

Page 436: ...endOS does not know that the FTP server will establish a new connection back to the FTP client Therefore the incoming connection for the data channel will be dropped As the port number used for the data channel is dynamic the only way to solve this is to allow traffic from all ports on the FTP server to all ports on the FTP client Obviously this is not a good solution When passive mode is used the...

Page 437: ...e and the FTP server using passive mode The illustration below shows the typical hybrid mode scenario Figure 6 3 FTP ALG Hybrid Mode Note Hybrid conversion is automatic Hybrid mode does not need to enabled The conversion between modes occurs automatically within the FTP ALG Connection Restriction Options The FTP ALG has two options to restrict which type of mode the FTP client and the FTP server c...

Page 438: ...gh Both the client and the server can use any mode ftp internal The client cannot use active mode and the server cannot use passive mode Beginning with NetDefendOS version 11 01 these individual services are removed from a new NetDefendOS installation However they remain in configurations that upgrade to 11 01 or later A new installation can recreate them manually but the recommended option is to ...

Page 439: ...IME Type Verification When enabled NetDefendOS checks that a download s stated filetype matches the file s contents Mismatches result in the download being dropped Allow Block Selected Types If selected in blocking mode specified filetypes are dropped when downloaded If selected in allow mode only the specified filetypes are allowed as downloads NetDefendOS also performs a check to make sure the f...

Page 440: ...e company policy an administrator might want to take an infected FTP server off line to prevent local hosts and servers from being infected In this scenario the administrator configures the address of the server to be within the range of the network to block When a client downloads an infected file the server is isolated from the network The steps to setting up ZoneDefense with the FTP ALG are Con...

Page 441: ...ddress book and has the name ftp internal Command Line Interface A Define the ALG gw world add ALG ALG_FTP ftp inbound AllowClientActive Yes AllowServerPassive Yes B Define the Service gw world add Service ServiceTCPUDP ftp inbound service DestinationPorts 21 Type TCP ALG ftp inbound C Define a SAT rule allowing connections to the public IP on port 21 and forwarded to the FTP server gw world add I...

Page 442: ...rface A Define the ALG The ALG ftp inbound is already predefined by NetDefendOS but in this example we will show how it can be created from scratch 1 Go to Objects ALG Add FTP ALG 2 Enter Name ftp inbound 3 Check Allow client to use active mode 4 Uncheck Allow server to use passive mode 5 Click OK B Define the Service 1 Go to Objects Services Add TCP UDP Service 2 Enter the following Name ftp inbo...

Page 443: ...ck OK D Traffic from an internal interface needs to be NATed through the public IPv4 address 1 Go to Policies Firewalling Main IP Rules Add IP Rule 2 Now enter Name NAT ftp Action NAT Service ftp inbound service 3 For Address Filter enter Source Interface dmz Destination Interface core Source Network dmznet Destination Network wan_ip 4 For NAT check Use Interface Address 5 Click OK E Allow incomin...

Page 444: ...e diagram below illustrates this scenario The FTP ALG restrictions are as follows Disable the Allow client to use active mode FTP ALG option so clients can only use passive mode This is much safer for the client Enable the Allow server to use passive mode FTP ALG option This allows clients on the inside to connect to FTP servers that support active and passive mode across the Internet Command Line...

Page 445: ... ftp outbound service Name Allow ftp outbound ii Using Private IPs If the firewall is using private IPs with a single external public IP the following NAT rule needs to be added instead of the rule above gw world add IPRule Action NAT SourceInterface lan SourceNetwork lannet DestinationInterface wan DestinationNetwork all nets Service ftp outbound service NATAction UseInterfaceAddress Name NAT ftp...

Page 446: ...llowing the same kind of ports traffic placed before this rule 1 Go to Policies Firewalling Main IP Rules Add IP Rule 2 Now enter Name Allow ftp outbound Action Allow Service ftp outbound service 3 For Address Filter enter Source Interface lan Destination Interface wan Source Network lannet Destination Network all nets 4 Click OK ii Using Private IPs If the firewall is using private IPs with a sin...

Page 447: ... is being used Instead the local internal IP address of the FTP server should be specified when setting up the FTP server 6 2 5 The TFTP ALG Overview Trivial File Transfer Protocol TFTP is a much simpler version of FTP with more limited capabilities Its purpose is to allow a client to upload files to or download files from a host system TFTP data transport is based on the UDP protocol and therefor...

Page 448: ...uts The NetDefendOS TFTP ALG blocks the repetition of an TFTP request coming from the same source IP address and port within a fixed period of time The reason for this is that some TFTP clients might issue requests from the same source port without allowing an appropriate timeout period 6 2 6 The SMTP ALG Overview Simple Mail Transfer Protocol SMTP is a text based protocol used for transferring em...

Page 449: ... The remote user retrieves the email from the remote mail server using POP3 or IMAP or Activesync or some other protocol SMTP ALG Setup To set up security using the SMTP ALG perform the following steps Create a new SMTP ALG object with the desired options enabled such as file blocking and virus scanning Create a new custom Service object for SMTP with the following properties i Type TCP ii Destina...

Page 450: ...can be used to monitor mail traffic that is flowing from clients and or being relayed by the mail server out on the public Internet SMTP ALG Options Key options of the SMTP ALG are Email rate limiting A maximum allowable rate of email messages can be specified This rate is calculated on a per source IP address basis In other words it is not the total rate that is of interest but the rate from a ce...

Page 451: ...ription of how it works can be found in Section 6 2 2 The HTTP ALG Anti Virus scanning The NetDefendOS Anti Virus subsystem can scan email attachments searching for malicious code Suspect files can be dropped or just logged This feature is common to a number of ALGs and is described fully in Section 6 5 Anti Virus Scanning The Ordering for SMTP ALG Processing SMTP filtering obeys the following pro...

Page 452: ...en an SMTP client opens a session with an SMTP server using ESMTP the client first sends an EHLO command If the server supports ESMTP it will respond with a list of the extensions that it supports These extensions are defined by various separate RFCs For example RFC 2920 defines the SMTP Pipelining extension Another common extension is Chunking which is defined in RFC 3030 The NetDefendOS SMTP ALG...

Page 453: ... IPv4 address which is defined by the address book object mail_server_ip so a SAT IP rule will be needed to translate the firewall s public IP address to this private address It is assumed that the wan interface of the firewall is connected to the public internet and the public IP address of the interface is defined by the wan_ip address book object The SMTP ALG will perform the following actions ...

Page 454: ...orld add Service ServiceTCPUDP smtp_inbound_service Type TCP DestinationPorts 25 SYNRelay Yes ALG smtp_inbound_alg C Create an IP Rule for email traffic from the Internet i Create a SAT IP rule to translate the server address gw world add IPRule Action SAT Service smtp_inbound_service SourceInterface wan SourceNetwork all_nets DestinationInterface core DestinationNetwork wan_ip SATTranslate Destin...

Page 455: ...of 5 and dnsbl dronebl org with a value of 3 6 Under Whitelist Blacklist select Add and enter Action Blacklist Type Sender Email example com 7 Click OK B Create a new Service object for inbound SMTP 1 Go to Objects Services Add TCP UDP Service 2 Now enter Name smtp_inbound_service Type TCP Destination 110 Enable SYN Flood Protection ALG smtp_inbound_alg 3 Click OK C Create an IP Rule for email tra...

Page 456: ...nagement commands to certain types of external network switches SMTP is used for both mail clients that want to send emails as well as mail servers that relay emails to other mail servers When using ZoneDefense together with the SMTP ALG the only scenario of interest is to block local clients that try to spread viruses in outgoing emails Using ZoneDefense for blocking relayed emails to an incoming...

Page 457: ...re information about this topic can be found in Chapter 12 ZoneDefense 6 2 7 The POP3 ALG POP3 is a mail transfer protocol that is used by an email client running on the recipients to download emails from a mail server The principal difference with the IMAP protocol is that the entire email and any attachments are downloaded to the client before the email can be examined The email is then subseque...

Page 458: ...te a new custom Service object for POP3 with the following properties i Type TCP ii Destination 110 This is now a copy of the predefined Service object called pop3 This predefined object could be used but this is not recommended Associate the new POP3 ALG object with the newly created Service object Create an IP Rule object that has the mail server as its Destination Network and the email clients ...

Page 459: ... be added to the list This same option is also available in the HTTP ALG and a fuller description of how it works can be found in Section 6 2 2 The HTTP ALG Anti Virus Scanning The NetDefendOS Anti Virus subsystem can optionally scan email attachments searching for malicious code Suspect files can be dropped or just logged This feature is common to a number of ALGs and is described fully in Sectio...

Page 460: ...w world add IPRule Action Allow Service pop3_client_service SourceInterface lan SourceNetwork lan_net DestinationInterface dmz DestinationNetwork mail_server_ip Name pop3_mail Web Interface A Create a POP3 ALG object 1 Go to Objects ALG Add POP3 ALG 2 Under General enter Name pop3_client_alg Enable the option Prevent a user from revealing a user does not exist 3 Under File Integrity enter Select e...

Page 461: ...twork behind a NetDefend Firewall The firewall is connected to the external Internet and a NAT rule is defined to allow traffic from the clients to flow to the Internet Both clients will therefore appear to have from the same IP address as they make connections to servers across the Internet One client A now establishes a PPTP tunnel to an external host C across the Internet The tunnel endpoints a...

Page 462: ...wing characteristics i Select the Type the protocol as TCP ii The Source port range can be the default of 0 65535 iii Set the Destination port to be 1723 iv Select the ALG to be the PPTP ALG object that was defined in the first step In this case it was called pptp_alg Associate this service object with the NAT IP rule that permits the traffic to flow from clients to the remote endpoint of the PPTP...

Page 463: ...e RTP RTCP protocol which is based on UDP but they might also involve traffic based on the TCP protocol An RTP RTCP based session might also involve TCP or TLS based traffic in the same session The SIP RFC SIP is defined by IETF RFC 3261 and this is considered an important general standard for VoIP communication It is comparable to H 323 however a design goal with SIP was to make SIP more scalable...

Page 464: ...ct that uses SIP cannot also be subject to NetDefendOS traffic shaping SIP Components The following components are the logical building blocks for SIP communication User Agents These are the endpoints or clients that are involved in the client to client communication These would typically be the workstation or device used in an IP telephony conversation The term client will be used throughout this...

Page 465: ...dOS versions that are upgraded to 11 03 or later the predefined SIP ALG object will be retained In addition the predefined service object called sip udp will have its Protocol property already correctly set in the default configuration of NetDefendOS version 11 03 and later SIP Setup Using IP Rule Objects When configuring NetDefendOS for SIP sessions with IP Rule objects the following steps are re...

Page 466: ...ion may take place directly between two clients without involving the NetDefend Firewall This would only happen if the two clients were behind the same interface and belong to the same network The default value is Disabled The SIP Proxy Record Route Option To understand how to set up SIP scenarios with NetDefendOS it is important to first understand the SIP proxy Record Route option SIP proxies ha...

Page 467: ...automatically and invisibly takes care of creating the connections required sometimes described as SIP pinholes for allowing the media data traffic to flow through the NetDefend Firewall Tip Make sure there are no preceding IP rules or IP policies already in the IP rule set that disallow or allow the same kind of traffic SIP Usage Scenarios NetDefendOS supports a variety of SIP usage scenarios The...

Page 468: ...ts Proxy located on the Internet The scenario assumed is an office with VoIP users on a private internal network where the network s topology will be hidden using NAT This is illustrated below The SIP proxy in the above diagram could alternatively be located remotely across the Internet The proxy should be configured with the Record Route feature enabled to ensure all SIP traffic to and from the o...

Page 469: ...nce the ALG will automatically redirect incoming SIP requests to the correct internal user When a SIP client behind a NATing NetDefend Firewall registers with an external SIP proxy NetDefendOS sends its own IP address as contact information to the SIP proxy NetDefendOS registers the client s local contact information and uses this to redirect incoming requests to the user The ALG takes care of the...

Page 470: ...s on the external unprotected side of the NetDefend Firewall The client is assumed to be on the network if1_net connected to the interface if1 The SIP proxy is assumed to be on the IP address proxy_ip on the interface ext Web Interface A Define the following IP objects if1_net 192 168 1 0 24 the internal network proxy_ip 81 100 55 2 the SIP proxy ip_wan 81 100 55 1 the NetDefend Firewall s public ...

Page 471: ...ng SIP traffic 1 Go to Rules IP Rule Set main Add IP Rule 2 Now enter Name sip_allow Action Allow Source Interface ext Source Network proxy_ip Destination Interface core Destination Network ip_wan Service my_sip_service Comment Allow incoming SIP traffic 3 Click OK Example 6 8 SIP with Local Clients Internet Proxy Using IP Policies This example is nearly the same as the previous example but uses I...

Page 472: ...ervice in this case my_sip_service 3 Choose UDP as the Type 4 For the Destination property enter the port number 5060 5 Set the Protocol property to SIP 6 Click OK D Define the IP Policy for outgoing SIP traffic 1 Go to Rules IP Rule Set main Add IP Policy 2 Now enter Name sip_nat Action Allow Source Interface if1 Source Network if1_net Destination Interface ext Destination Network proxy_ip Servic...

Page 473: ...ct the VoIP tab enable VoIP and select my_sip_profile 4 Click OK Scenario 2 Protecting proxy and local clients Proxy on the same network as clients In this scenario the goal is to protect the local clients as well as the SIP proxy The proxy is located on the same local network as the clients with SIP signaling and media data flowing across two interfaces This scenario is illustrated below This sce...

Page 474: ...e core as the destination interface in other words NetDefendOS itself since inbound traffic will be sent to the private IPv4 address of the SIP proxy An Allow rule which matches the same type of traffic as the SAT rule defined in the previous step SIP Traffic Type Action Src Interface Src Network Dest Interface Dest Network OutboundFrom ProxyUsers NAT lan lannet ip_proxy wan all nets InboundTo Pro...

Page 475: ... location of the local SIP proxy server The server is placed on a separate interface and network to the local clients This setup adds an extra layer of security since the initial SIP traffic is never exchanged directly between a remote endpoint and the local protected clients The complexity is increased in this scenario since SIP messages flow across three interfaces the receiving interface from t...

Page 476: ... Firewall does not support hiding of the proxy on the DMZ The IP address of the DMZ interface must be a globally routable IP address This address can be the same address as the one used on the external interface The setup steps are as follows 1 Define a single SIP ALG object using the options described above 2 Define a Service object and associate it with the SIP ALG object The service should have...

Page 477: ...e the Internet The SIP ALG will take care of all address translation needed by the NAT rule The translation will occur both at the IP level and the application level An Allow rule policy for inbound SIP traffic from for example the Internet to the IP address of the DMZ interface The reason for this is because local clients will be NATed using the IP address of the DMZ interface when they register ...

Page 478: ...ernet to the proxy behind the DMZ interface 4 If Record Route is not enabled at the proxy direct exchange of SIP messages must also be allowed between clients bypassing the proxy The following two additional rules are therefore needed when Record Route is disabled An Allow rule policy for outbound traffic from the clients on the local network to the external clients and proxies on the Internet An ...

Page 479: ...on of terminals and gateways It can also take care of bandwidth management accounting billing and charging The gatekeeper may allow calls to be placed directly between endpoints or it may route the call signaling through itself to perform functions such as follow me find me forward on busy etc It is needed when there is more than one H 323 terminal behind a NATing device with only one public IP Mu...

Page 480: ...ice and video is transported over UDP To support gatekeepers NetDefendOS monitors RAS traffic between H 323 endpoints and the gatekeeper in order to correctly configure the NetDefend Firewall to let calls through NAT and SAT rules policies are supported allowing clients and gatekeepers to use private IPv4 addresses on a network behind the NetDefend Firewall NetDefendOS H 323 Configuration In NetDe...

Page 481: ... set If not enabled then no address translation will be done on logical channel addresses and the administrator needs to be sure about IP addresses and routes used in a particular scenario Network and IP Address This option is available if the Translate Address option is set to Specific For NATed traffic the Network specifies what is allowed to be translated The IP Address specifies which IPv4 add...

Page 482: ...ects Note Make sure there are no other rules policies disallowing or allowing the same kind of ports traffic before the IP rules in this example Web Interface Create a new H 323 ALG object 1 Go to Objects ALG Add H 323 ALG 2 Specify a name for the ALG in this case my_h323_alg 3 Click OK Create a custom Service object for H 323 1 Go to Objects Services Add TCP UDP 2 Now enter Name my_h323_service T...

Page 483: ...low Source Interface any Source Network all nets Destination Interface lan Destination Network lannet Service my_h323_service Comment Allow incoming H 323 calls 3 Click OK Example 6 10 Protecting Internal H 323 Phones Using IP Policy Objects This example repeats the previous example but uses IP Policy objects instead of IP Rule objects This means that an H 323 ALG object cannot be used and a VoIP ...

Page 484: ...olicy for outgoing H 323 traffic 1 Go to Policies Firewalling Main IP Rules Add IP Policy 2 Now enter Name H323AllowOut Action Allow Source Interface lan Source Network lannet Destination Interface any Destination Network all nets Service my_h323_policy_service Comment Allow outgoing H 323 calls 3 Select the VoIP tab enable VoIP and select my_h323_profile 4 Click OK Create an IP policy for incomin...

Page 485: ... private IPv4 addresses To make make a call from this phone to another H 323 phone on the Internet and to allow H 323 phones on the Internet to call this phone we need to configure IP rules The following rules need to be added to the rule set Note Make sure there are no rules policies disallowing or allowing the same kind of traffic before these IP rules When using private IPs on the phone incomin...

Page 486: ...going H 323 calls 3 Click OK Create the SAT IP rules for incoming H 323 traffic 1 Go to Policies Firewalling Main IP Rules Add IP Rule 2 Now enter Name H323In Action SAT Source Interface any Source Network all nets Destination Interface core Destination Network wan_ip external IP of the firewall Service my_h323_service Comment Allow incoming calls to H 323 phones via ip phone 3 For SAT enter Trans...

Page 487: ...ach phone This means that multiple external addresses have to be used However it is preferred to use a H 323 gatekeeper as in the H 323 with Gatekeeper scenario as this only requires one external address Example 6 12 2 Phones Behind Different NetDefend Firewalls Using IP Rules This scenario consists of two H 323 phones each one connected behind the NetDefend Firewall on a network with public IPv4 ...

Page 488: ...affic IP rule 1 Go to Policies Firewalling Main IP Rules Add IP Rule 2 Now enter Name H323AllowOut Action Allow Source Interface lan Source Network lannet Destination Interface any Destination Network all nets Service my_h323_service Comment Allow outgoing H 323 calls 3 Click OK Create the incoming traffic IP rule 1 Go to Policies Firewalling Main IP Rules Add IP Rule 2 Now enter Name H323AllowIn ...

Page 489: ...ind of ports traffic before these rules As we are using private IPs on the phones incoming traffic need to be SATed as in the example below The object ip phone should be the internal IP of the H 323 phone behind each firewall Web Interface Create a new H 323 ALG object 1 Go to Objects ALG Add H 323 ALG 2 Specify a name for the ALG in this case my_h323_alg 3 Click OK Create a custom Service object ...

Page 490: ... Network all nets Destination Interface core Destination Network wan_ip external IP of the firewall Service my_h323_service Comment Allow incoming calls to H 323 phone at ip phone 3 For SAT enter Translate Destination IP Address To New IP Address ip phone IP address of phone 4 Click OK 1 Go to Policies Firewalling Main IP Rules Add IP Rule 2 Now enter Name H323In Action Allow Source Interface any ...

Page 491: ...placed in the DMZ of the NetDefend Firewall A rule is configured in the firewall to allow traffic between the private network where the H 323 phones are connected on the internal network and to the Gatekeeper on the DMZ The Gatekeeper on the DMZ is configured with a private address The following rules need to be added to the rule listings in both firewalls make sure there are no rules disallowing ...

Page 492: ..._gatekeeper_service Comment SAT rule for incoming communication with the gatekeeper located at ip gatekeeper 3 For SAT enter Translate Destination IP Address To New IP Address ip gatekeeper IP address of gatekeeper 4 Click OK 1 Go to Policies Firewalling Main IP Rules Add IP Rule 2 Now enter Name H323In Action Allow Source Interface any Source Network all nets Destination Interface core Destinatio...

Page 493: ... communication between external phones and the Gatekeeper to make sure that it is possible for internal phones to call the external phones that are registered with the gatekeeper Example 6 15 H 323 with Gatekeeper and two NetDefend Firewalls This scenario is quite similar to scenario 3 with the difference that the NetDefend Firewall is protecting the external phones The firewall with the Gatekeepe...

Page 494: ...the H 323 gatekeeper 1 Go to Objects Services Add TCP UDP 2 Now enter Name my_h323_gatekeeper_service Type UDP ALG my_h323_alg Destination port 1719 3 Click OK Create an IP rule allowing outgoing gatekeeper traffic from lannet to be NATed to the Internet 1 Go to Policies Firewalling Main IP Rules Add IP Rule 2 Now enter Name H323Out Action NAT Chapter 6 Security Mechanisms 494 ...

Page 495: ...e gatekeeper Example 6 16 Using H 323 in an Enterprise Environment This is an example of a more complex situation that shows how the H 323 ALG can be deployed in a enterprise environment At the head office DMZ is a H 323 gatekeeper that can handle all H 323 clients in the head branch and remote offices This will allow the whole enterprise to use the network for both voice communication and applica...

Page 496: ...reate a new H 323 ALG object 1 Go to Objects ALG Add H 323 ALG 2 Specify a name for the ALG in this case my_h323_alg 3 Click OK Create a custom Service object for the H 323 gatekeeper 1 Go to Objects Services Add TCP UDP 2 Now enter Name my_h323_gatekeeper_service Type UDP ALG my_h323_alg Destination port 1719 3 Click OK Chapter 6 Security Mechanisms 496 ...

Page 497: ...fic from the gateway to internal phones on lannet 1 Go to Policies Firewalling Main IP Rules Add IP Rule 2 Now enter Name GWToLan Action Allow Source Interface dmz Source Network ip gateway Destination Interface lan Destination Network lannet Service my_h323_gatekeeper_service Comment Allow communication from the gateway to H 323 phones on lannet 3 Click OK Create an IP rule for traffic from the g...

Page 498: ...Service my_h323_gatekeeper_service Comment Allow communication with the gatekeeper on DMZ from the remote network 3 Click OK Example 6 17 Configuring remote offices for H 323 If the branch and remote office H 323 phones and applications are to be configured to use the H 323 gatekeeper at the head office the NetDefend Firewalls in the remote and branch offices should be configured as follows Here t...

Page 499: ...eway connected to its DMZ In order to allow the H 323 gateway to register with the H 323 gatekeeper at the Head Office the following rule has to be configured Web Interface 1 Go to Policies Firewalling Main IP Rules Add IP Rule 2 Now enter Name GWToGK Action Allow Source Interface dmz Source Network ip branchgw Destination Interface vpn hq Destination Network hq net Service my_h323_gatekeeper_serv...

Page 500: ... and SSL can be regarded as equivalent However NetDefendOS only supports TLS and any reference to SSL in NetDefendOS documentation should be assumed to be referring to TLS The TLS ALG can be said to provide SSL termination since it is acting as an SSL end point Cryptographic Suites and TLS Version Supported by NetDefendOS NetDefendOS supports a number of cryptographic algorithms for SSL VPN Only s...

Page 501: ... certificate does not need to be present on each server The encryption decryption processing overhead required by TLS can be offloaded to the NetDefend Firewall This is sometimes referred to as SSL acceleration Any processing advantages that can be achieved can however vary and will depend on the comparative processing capabilities of the servers and the NetDefend Firewall Decrypted TLS traffic ca...

Page 502: ...en any web pages delivered back containing absolute URLs with the http protocol perhaps to refer to other pages on the same site will not have these URLs converted to https by NetDefendOS The solution to this issue is for the servers to use relative URLs instead of absolute ones Cryptographic Suites Supported by NetDefendOS TLS NetDefendOS supports a number of cryptographic algorithms for TLS Thes...

Page 503: ... IP Rules or IP Policies Web content filtering scanning can be enabled using either an IP Rule object or an IP Policy object With an IP Rule object Web content filtering is first enabled on an HTTP ALG object Then that ALG is associated with a Service object which is in turn is associated with an IP rule The setup example in this section uses an IP Rule object Configuring web content filtering usi...

Page 504: ...derstood Example 6 19 Stripping ActiveX and Java applets This example shows how to configure a HTTP Application Layer Gateway to strip ActiveX and Java applets The example will use the content_filtering ALG object and assumes one of the previous examples has been done Command Line Interface gw world set ALG ALG_HTTP content_filtering RemoveActiveX Yes RemoveApplets Yes Web Interface 1 Go to Object...

Page 505: ...his will block all hosts in the example com domain and all web pages served by those hosts This is the only correct form that can be used with HTTPS www example com Good This will block the www example com website and all web pages served by that site gif Good This will block all files with gif as the filename extension www example com Not good This will only block the first request to the web sit...

Page 506: ... set to be HTTP For HTTPS the Service must include the port number 443 for HTTPS Use the Service object with an IP policy that filters the relevant traffic Set the Web Profile property of the IP Policy to the profile created earlier Example 6 20 URL Filtering Using IP Rules This example shows the use of static content filtering where certain URLs are to be blacklisted or white listed In this small...

Page 507: ...its properties 3 Click the HTTP URL tab 4 Now click Add and select HTTP ALG URL from the menu 5 Select Blacklist as the Action 6 Enter exe in the URL textbox 7 Click OK Finally make an exception from the blacklist by creating a whitelist 1 Go to Objects ALG 2 In the table click on the recently created HTTP ALG to view its properties 3 Click the HTTP URL tab 4 Now click Add and select HTTP ALG URL ...

Page 508: ... external WCF databases it sends it as a TCP request to the destination port 9998 Therefore any network equipment through which the request passes including other firewalls must not block TCP traffic with destination port 9998 If the equipment through which the message passes is another NetDefend Firewall an IP rule with the action Allow should be created along with a custom service that is then a...

Page 509: ...ous submissions and no record of the source of new submissions is kept Categorizing Pages and Not Sites NetDefendOS WCF categorizes web pages and not sites In other words a web site may contain particular pages that should be blocked without blocking the entire site NetDefendOS provides blocking down to the page level so that users may still access those pages of a website that are not blocked by ...

Page 510: ...ect is then associated with a Service object It is recommended to create a custom Service object for this purpose so the predefined Service objects are left unchanged This Service object is then associated with an IP Rule object to determine which traffic should be subject to filtering This allows a detailed filtering policy to be defined Tip Using a schedule If the administrator would like the co...

Page 511: ...WebContentFilteringMode Enabled FilteringCategories SEARCH_SITES Then create a service object using the new HTTP ALG gw world add Service ServiceTCPUDP http_content_filtering Type TCP DestinationPorts 80 ALG content_filtering Finally modify the NAT rule to use the new service Assume rule is called NATHttp gw world set IPRule NATHttp Service http_content_filtering Web Interface First create an HTTP...

Page 512: ...3 traffic are allowed A custom service may need to be defined and used if an existing pre defined service does not meet the requirements of the traffic A further point to note with WCF over an HTTPS connection is that if access to a particular site is denied the HTTPS connection is automatically dropped This means that the browser will not be able to display the usual NetDefendOS generated message...

Page 513: ...Audit FilteringCategories SEARCH_SITES Web Interface First create an HTTP Application Layer Gateway ALG Object 1 Go to Objects ALG Add HTTP ALG 2 Specify a suitable name for the ALG for example content_filtering 3 Click the Web Content Filtering tab 4 Select Audit in the Mode list 5 In the Blocked Categories list select Search Sites and click the button 6 Click OK The steps to then create a servic...

Page 514: ...only If reclassification is enabled and a user requests a web site which is disallowed the block web page will include a dropdown list containing all available categories If the user believes the requested web site is wrongly classified he can select a more appropriate category from the dropdown list and submit that as a proposal The URL to the requested web site as well as the proposed category w...

Page 515: ...le to select a more proper category and propose a reclassification Note Enabling request_url message generation The request_url event message will only be generated if event message generation has been enabled in the parent IP rule 6 3 4 3 WCF Setup with IP Policies WCF can be enabled on an IP Policy object instead of using the HTTP ALG with an IP Rule object This provides a more direct method of ...

Page 516: ...6 24 Enabling WCF with IP Policies This example shows how to set up web content filtering for HTTP traffic coming from HTTP clients on a protected network which is destined for the Internet It will be configured to block all shopping sites It is assumed that an IP Policy object called http_nat_policy already exists and this implements NAT for the client connections to the Internet Command Line Int...

Page 517: ...ult Content A web site may be classified under the Adult Content category if its content includes the description or depiction of erotic or sexual acts or sexually oriented material such as pornography Exceptions to this are web sites that contain information relating to sexuality and sexual health which may be classified under the Health Sites Category 21 Category 2 News A web site may be classif...

Page 518: ...7 Entertainment A web site may be classified under the Entertainment category if its content includes any general form of entertainment that is not specifically covered by another category Some examples of this are music sites movies hobbies special interest and fan clubs This category also includes personal web pages such as those provided by ISPs The following categories more specifically cover ...

Page 519: ...n or depiction of or instruction in systems of religious beliefs and practice Category 15 Politics A web site may be classified under the Politics category if its content includes information or opinions of a political nature electoral information and including political discussion groups Category 16 Sports A web site may be classified under the Sports category if its content includes information ...

Page 520: ...igh bandwidth audio streaming Category 24 Business Oriented A web site may be classified under the Business Oriented category if its content is relevant to general day to day business or proper functioning of the Internet for example Web browser updates Access to web sites in this category would in most cases not be considered unproductive or inappropriate Category 25 Government Blocking List This...

Page 521: ...ory since this could result in most harmless URLs being blocked 6 3 4 5 Customizing WCF HTML Pages The Web Content Filtering WCF feature of the HTTP ALG make use of a set of HTML files to present information to the user when certain conditions occur such as trying to access a blocked site These HTML web pages stored as files in NetDefendOS and these files are known as HTTP Banner Files The adminis...

Page 522: ...ntains a copy of all the files in the Default ALG Banner Files object These new files can then be edited and uploaded back to NetDefendOS The original Default object cannot be edited The following example goes through the necessary steps Example 6 25 Editing Content Filtering HTTP Banner Files This example shows how to modify the contents of the URL forbidden HTML page Web Interface 1 Go to System...

Page 523: ...dified file is then uploaded using SCP It is uploaded to the object type HTTPALGBanner and the object mytxt with the property name URLForbidden If the edited URLForbidden local file is called my html then using the Open SSH SCP client the upload command would be scp myhtml admin 10 5 62 11 HTTPAuthBanners mytxt URLForbidden The usage of SCP clients is explained further in Section 2 1 7 Secure Copy...

Page 524: ...S will send batches when there is more than one waiting for processing against the database queue_len The length of the queue of URLs awaiting processing by the external WCF database server in_transit The number of URLs in the queue where a request has been sent to the WCF database server but a reply has not yet been received rtt The round trip time for the last WCF database server lookup queue_de...

Page 525: ...s in techsupport command output The output from the CLI command httpalf wcf is included in the output from the techsupport command Enabling the WCF Performance Log The example below shows how the WCF performance log feature is enabled Example 6 26 Enabling the WCF Performance Log This example enables the WCF performance log feature so that a wcf_performance_notice log event message is generated ev...

Page 526: ... filtering can be applied to IMAP POP3 and SMTP traffic With IMAP and POP3 filtering emails cannot be dropped when they fail filtering but only marked as failed With SMTP emails can be dropped or forwarded IP policy based email is set up with the following steps Create an Email Control Profile object which defines how email is to be filtered If anti spam filtering is required it must be explicitly...

Page 527: ...tings The following options are available for IMAP traffic Hide User If the wrong credentials are sent to this server enabling this option prevents the server s error message being returned to the client Some servers might send an error message which gives an indication which of the credentials is incorrect and this could be helpful in a security attack Instead NetDefendOS will send back its own g...

Page 528: ...g takes precedence over all other email filtering Whitelisted emails will never be subject to anti spam or anti virus processing if either of those is enabled If an email comes from a blacklisted domain the mail is not dropped Instead the subject line has a configurable text string inserted at the beginning By default this string is BLACK LISTED However this text can be set by the user as previous...

Page 529: ...er The server returns a value to indicate how many other email recipients have reported identical checksums If the returned value is greater than the DCC Threshold property set by the administrator the sub score for this filter option is added to the total anti spam score DCC filtering is enabled by default and the default sub score is 10 The administrator does not need to define any DCC servers b...

Page 530: ...ring and the filters applied iii X Spam Flag Included only for emails marked as spam and always Yes iv X Spam Report A detailed list of the results from applied filters An example of inserted X SPAM information for an email that was flagged as spam is the following X Spam Checker Version D Link NetDefendOS on Device X Spam Status Yes score 30 required 10 tests LINK_PROTECTION DCC DNS_BLACKLIST_1 X...

Page 531: ...tion for the web content filtering feature since this is used to evaluate links IMAP Clients May Display Incorrect Header Information Email clients using IMAP to retrieve email details from an email server can download and display the headers of emails before they download the email body This means the user can only download the body of emails they want to read based on the header information Sinc...

Page 532: ...le object for filtering the mail gw world add Policy EmailControlProfile my_email_profile AntiSpam Yes SubjectTag Probably SPAM DomainVerificationScore 5 LinkProtectionScore 5 DNSBL Yes DNSBL1 Yes DNSBL1Name zen spamhaus org B Add an EmailFilter object to the profile for whitelisting Change the CLI context to be the profile gw world cc EmailProfile my_email_profile Add an EmailFilter object as a c...

Page 533: ...ail_profile Web Interface A Create an EmailProfile object for filtering the mail 1 Go to Policies Firewalling Email Control Add Email Control Profile 2 Now enter Name my_email_profile Anti Spam Enable Domain Verfication Score 5 Malicious Link Protection Score 5 DNS Blacklists Enable Blacklist 1 zen spaumhaus org Tag Subject Text Probably SPAM 3 Select OK B Add an EmailFilter object to the profile ...

Page 534: ...n Allow Source Interface lan Source Network lan_net Destination Interface dmz Destination Network dmz_net Service my_imap_service 3 Now select Email control and enter Enable Email Control enable Email Control Profile my_email_profile 4 Select OK 6 4 2 ALG Based Email Filtering A function of the NetDefendOS SMTP ALG is basic email filtering that provides the ability to filter mail as it passes to a...

Page 535: ...ollowing actions based on the weighted sum calculated Dropped If the sum is greater than or equal to a predefined Drop threshold then the email is considered to be definitely spam and is discarded or alternatively sent to a single special mailbox If it is discarded then the administrator has the option that an error message is sent back to the sending SMTP server this error message is similar to t...

Page 536: ...il s Subject field would become SPAM Buy this stock today And this is what the email s recipient will see in the summary of their inbox contents The individual user could then decide to set up their own filters in the local client to deal with such tagged emails possibly sending it to a separate folder Adding X Spam Information If an email is determined to be spam and a forwarding address is confi...

Page 537: ...mail to pass but tag it using the configured spam tag When sender address verification is enabled there is an additional option to only compare the domain names in the From addresses Logging There are three types of logging performed by the spam filtering in the ALG Logging of dropped or spam tagged emails These log messages include the source email address and IP as well as its weighted points sc...

Page 538: ...s how long any address will be valid for once it is saved in the cache After this period of time has expired a new query for a cached sender address must be sent to the DNSBL servers The default value if 600 seconds The address cache is emptied when NetDefendOS restarts or a reconfiguration operation is performed For the DNSBL subsystem overall Number of emails checked Number of emails spam tagged...

Page 539: ... 0 To examine the statistics for a particular DNSBL server the following command can be used gw world dnsbl smtp_test zen spamhaus org show BlackList zen spamhaus org Status active Weight value 25 Number of mails checked 56 Number of matches in list 3 Number of failed checks times disabled 0 To clean out the dnsbl cache for my_smtp_alg and to reset all its statistical counters the following comman...

Page 540: ...s from a spammer or not NetDefendOS examines the IP packet headers to do this Figure 6 10 Anti Spam Filtering The reply sent back by a server is either a not listed response or a listed response In the latter case of being listed the DSNBL server is indicating the email might be spam and it will usually also provide information known as a TXT record which is a textual explanation for the listing T...

Page 541: ... computers It is not intended as a complete substitute for local scanning but rather as an extra shield to boost client protection Most importantly it can act as a backup for when local client anti virus scanning is not available Enabling Using IP Rules or IP Policies Anti virus scanning can be enabled using either an IP Rule object or an IP Policy object and this section includes examples for usi...

Page 542: ... Once a virus is recognized in the contents of a file the download can be terminated before it completes Types of Data Scanned As described above anti virus scanning is enabled on a per ALG basis and can scan data downloads associated with the HTTP FTP SMTP and POP3 ALGs More specifically Any uncompressed file type transferred through these ALGs can be scanned If the data file transferred has been...

Page 543: ...ed Relationship with IDP A question that is often posed is the ordering of Anti virus scanning in relation to IDP scanning In fact the concept of ordering is not relevant since the two scanning processes can occur simultaneously and operate at different protocol levels If IDP is enabled it scans all packets designated by a defined IDP rule and does not take notice of higher level protocols such as...

Page 544: ...he following CLI command will show the current status of the auto update feature gw world updatecenter status This can also be done through the Web Interface Database Updates in HA Clusters Updating the anti virus databases for both the NetDefend Firewalls in an HA Cluster is performed automatically by NetDefendOS In a cluster there is always an active unit and an inactive unit Only the active uni...

Page 545: ...s configuration in the ALGs Depending on the protocol used there exist different scenarios of how the feature can be used For more information about this topic refer to Chapter 12 ZoneDefense 6 5 3 Anti Virus Options When configuring anti virus scanning in an ALG the following parameters can be set General options Mode This must be one of i Disabled Anti virus is switched off ii Audit Scanning is ...

Page 546: ...files containing other compressed files will cause a fail condition A value of two allows a single nesting level of compressed files within compressed files with both levels being scanned The Maximum archive depth setting can have a maximum value of 10 but increasing the setting should be done with caution A denial of service attack might consist of sending a compressed file with a high level of n...

Page 547: ...e 6 28 Activating Anti Virus with an IP Rule This example shows how to set up an anti virus scanning policy for HTTP traffic from lannet to all nets We will assume there is already a NAT rule defined in the IP rule set to NAT this traffic Command Line Interface First create an HTTP Application Layer Gateway ALG Object with anti virus scanning enabled gw world set ALG ALG_HTTP anti_virus Antivirus ...

Page 548: ...ptions can be configured directly as properties of the IP policy An Anti Virus Profile object can first be created which defines the properties for anti virus scanning This profile can then be used repeatedly with different IP policies Note The service object needs the protocol property defined Whenever anti virus is to be used with an IP policy the service object selected for the IP policy must h...

Page 549: ...ntiVirusPolicy Name av_audit_profile AuditMode Yes Next define the IP Policy object gw world add IPPolicy SourceInterface lan SourceNetwork lan_net DestinationInterface wan DestinationNetwork all nets Service http Name lan_to_wan Action Allow AntiVirus Yes AV_Policy av_audit_profile Web Interface First set up an Anti Virus Profile object 1 Go to Policies Firewalling Anti Virus Add Anti Virus Profi...

Page 550: ...RL was found in the cache Cache usage is not indicated in the log events generated The Lifetime for Cache Entries By default an entry stays in the cache for a set period of time which is determined by the global setting Anti Virus Cache Lifetime After the lifetime expires the entry is removed from the cache and a fresh anti virus scan of the file is done by NetDefendOS if a new download is request...

Page 551: ... cache size This is the total number of unique file URL entries in the cache Each entry corresponds to a requested file download that was blocked because it triggered an anti virus signature Cache hit count This is the number of successful cache lookups that have been performed In other words the number of times a URL has been found already in the cache This counter is not incremented when a URL e...

Page 552: ...nitoring network traffic as it passes through the NetDefend Firewall searching for patterns that indicate an intrusion is being attempted Once detected NetDefendOS IDP allows steps to be taken to neutralize both the intrusion attempt as well as its source The Terms IDP IPS and IDS Note that the terms Intrusion Detection and Prevention IDP Intrusion Prevention System IDP and Intrusion Detection Sys...

Page 553: ...ver network When a new signature database version is available it is downloaded and the old database replaced Database updating is described further in Appendix A Subscribing to Updates along with a description of IDP behavior after subscription expiry Setting the Correct System Time It is important that a NetDefendOS has the correct system time set if the auto update feature in the IDP module can...

Page 554: ...ervice should be analyzed An IDP Rule is similar in makeup to an IP Rule IDP Rules are constructed like other security policies in NetDefendOS such as IP Rules An IDP Rule specifies a given combination source destination interfaces addresses as well as being associated with a service object which defines the IDP rules that will be used during traffic scanning A time schedule can also be associated...

Page 555: ...t weaknesses in some HTTP server products The URI conditions which IDP can detect are as follows Invalid UTF8 This looks for any invalid UTF8 characters in a URI Invalid hex encoding A valid hex sequence is where a percentage sign is followed by two hexadecimal values to represent a single byte of data An invalid hex sequence would be percentage sign followed by something which is not a valid hexa...

Page 556: ...t streams of data As an example consider a data stream broken up into 4 packets p1 p2 p3 and p4 The attacker might first send packets p1 and p4 to the targeted application These will be held by both the IDP subsystem and the application until packets p2 and p3 arrive so that reassembly can be done The attacker now deliberately sends two packets p2 and p3 which will be rejected by the application b...

Page 557: ... involving an exchange with an FTP server A rogue user might try to retrieve the password file passwd from an FTP server using the FTP command RETR passwd A signature looking for the ASCII text strings RETR and passwd would find a match in this case indicating a possible attack In this example the pattern is found in plaintext but pattern matching is done in the same way on pure binary data Recogn...

Page 558: ...gether For example all signatures that refer to the FTP protocol form a group It is best to specify a group that relates to the traffic being searched than be concerned about individual signatures For performance purposes the aim should be to have NetDefendOS search data using the least possible number of signatures Specifying Signature Groups IDP Signature Groups fall into a three level hierarchi...

Page 559: ...f any length in a group name Caution Use the minimum IDP signatures necessary Do not use the entire signature database and avoid using signatures and signature groups unnecessarily Instead use only those signatures or groups applicable to the type of traffic being protected For example using only the IDP groups IDS_WEB IPS_WEB IDS_HTTP and IPS_HTTP would be appropriate for protecting an HTTP serve...

Page 560: ... Example 6 31 Setting up IDP for a Mail Server The following example details the steps needed to set up IDP for a simple scenario where a mail server is exposed to the Internet on the DMZ network with a public IPv4 address The public Internet can be reached through the firewall on the WAN interface as illustrated below An IDP rule called IDPMailSrvRule will be created and the Service object to use...

Page 561: ...ching this rule should be scanned this also means traffic that the main rule set would drop the Protect against insertion evasion attacks checkbox should be checked which is the case in this example Source Interface wan Source Network wannet Destination Interface dmz Destination Network ip_mailserver Click OK Specify the Action An action now needs to be defined for the rule which specifies what si...

Page 562: ...MailSrvRule add IDPRuleAction Action Protect Signatures 68343 68345 68349 Individual signatures are entered in a similar way when using the Web Interface IDP Traffic Shaping IDP offers an excellent means of identifying different types of traffic flow through NetDefendOS and the applications responsible for them This ability is combined with the traffic management features of NetDefendOS to provide...

Page 563: ...nds equivalent to 10 minutes before sending a new email An SMTP server is assumed to have already been configured in the address book with the name smtp server Command Line Interface Add an SMTP log receiver gw world add LogReceiver LogReceiverSMTP smt4IDP IPAddress smtp server Receiver1 youremail example com Next change the CLI context to be IDPRule gw world cc IDPRule examplerule Now set the pro...

Page 564: ... is it triggering on ii Is the correct traffic being identified iii Are there any false positives with the signatures that have been chosen Adjust the signature selection and examine the logs again There may be several adjustments before the logs demonstrate that the desired effect is being achieved If certain signatures are repeatedly triggering it may be reason to look more closely to check if a...

Page 565: ...res introduced In some cases it can be preferable to force the database update manually so that the effect of any changes can be observed following the update Automatic updates might take place without the necessary checking in place to make sure there are no disruptions to live traffic Chapter 6 Security Mechanisms 565 ...

Page 566: ...nfiguration information such as routing information Disruption of physical network components One of the most commonly used method is the consumption of computational resources which means that the DoS attack floods the network and ties up critical resources used to run business critical applications In some cases vulnerabilities in the Unix and Windows operating systems are exploited to intention...

Page 567: ...lf and so on This will either bog the victim s machine down or cause it to crash The attack is accomplished by using the victim s IP address in the source field of an IP packet as well as in the destination field NetDefendOS protects against this attack by applying IP spoofing protection to all packets In its default configuration it will simply compare arriving packets to the contents of the rout...

Page 568: ...es the same general idea but instead using UDP echo port 7 to accomplish the task Fraggle generally gets lower amplification factors since there are fewer hosts on the Internet that have the UDP echo service enabled Smurf attacks will show up in NetDefendOS logs as masses of dropped ICMP Echo Reply packets The source IP addresses will be those of the amplifier networks used Fraggle attacks will sh...

Page 569: ...y handshake with the client before doing a second handshake of its own with the target service Overload situations have difficulty occurring in NetDefendOS due to superior resource management and an absence of the restrictions normally placed on other operating systems While other operating systems can exhibit problems with as few as 5 outstanding half open connections NetDefendOS can fill its ent...

Page 570: ... is the Distributed Denial of Service DDoS attack These attacks involve breaking into hundreds or thousands of individual computers around the Internet to install DDoS software on them This allows the hacker to direct the burgled machines to launch coordinated attacks on victim sites These attacks typically exhaust bandwidth router processing capacity or network stack resources breaking network co...

Page 571: ... original full value in other words it is not cumulative Block only this Service By default blacklisting blocks all services for the triggering host Exempt already established connections from Blacklisting If there are established connections that have the same source as this new Blacklist entry then they will not be dropped if this option is set IP addresses or networks are added to the list then...

Page 572: ...and The blacklist command can be used to look at as well as manipulate the current contents of the blacklist and the whitelist The current blacklist can be viewed with the command gw world blacklist show black This blacklist command can be used to remove a host from the blacklist using the unblock option Example 6 33 Adding a Host to the Whitelist In this example we will add an IP address object c...

Page 573: ...Chapter 6 Security Mechanisms 573 ...

Page 574: ...4 addresses that need to be accessible from the public Internet Security is increased by making it more difficult for intruders to understand the topology of the protected network Address translation hides internal IP addresses which means that an attack coming from the outside is more difficult Types of Translation NetDefendOS supports two types of translation Dynamic Network Address Translation ...

Page 575: ...This section describes and provides examples of configuring NAT and SAT rules Chapter 7 Address Translation 575 ...

Page 576: ...ormation each connection from dynamically translated addresses uses a unique port number and IP address combination as its sender NetDefendOS performs automatic translation of the source port number as well as the IP address In other words the source IP addresses for connections are all translated to the same IP address and the connections are distinguished from one another by the allocation of a ...

Page 577: ...ined Specify a Specific IP Address A specific IP address can be specified as the new source IP address The specified IP address needs to have a matching ARP Publish entry configured for the outbound interface Otherwise the return traffic will not be received by the NetDefend Firewall This technique might be used when the source IP is to differ based on the source of the traffic For example an ISP ...

Page 578: ...s is illustrated further in the diagram below Figure 7 2 A NAT Example Example 7 1 Specifying a NAT IP Rule The following will add a NAT rule that will perform address translation for all HTTP traffic originating from the internal network lan as it flows out to the public Internet on the wan interface The IP address of the wan interface will be used as the NATing address for all connections Comman...

Page 579: ...ing NAT with an IP Policy A NetDefendOS IP Policy object can be used instead of an IP Rule object An IP policy is essentially equivalent in function but makes it simpler to associate other functions with NAT such as authentication application control and traffic shaping The example below performs the same task as the previous example Example 7 2 Specifying a NAT IP Policy This example adds a NAT I...

Page 580: ...simple way for the administrator to apply the most common types of NAT address translation based on if the connections are between private and public IP addresses Automatic translation is particularly suitable in one of the most typical scenarios where external clients access a protected webserver over the public Internet and internal protected clients need access to both the public Internet and t...

Page 581: ...he automatic translation rules summarized above is as follows If the connection s source IP address is a public address NetDefendOS will Allow traffic from the source address to the destination address If the connection s source IP address is a private address i If the destination address is a public IP address NetDefendOS will NAT the source address through the IP address of the destination inter...

Page 582: ...eral internal machines cannot communicate with the same external server using the same IP protocol Note Restrictions only apply to IP level protocols These restrictions apply only to IP level protocols other than TCP UDP and ICMP such as OSPF and L2TP They do not apply to the protocols transported by TCP UDP and ICMP such as telnet FTP HTTP and SMTP NetDefendOS can alter port number information in...

Page 583: ...the client s IP The application therefore sends its responses back to the firewall which relays the traffic back to the client through the PPTP tunnel The original IP address of the client is not revealed in traffic as it is relayed beyond the termination of the PPTP tunnel at the NetDefendOS Typically all traffic passes through the same physical interface and that interface has a single public IP...

Page 584: ...umber of connections routed through it with the assumption that it is the least loaded NetDefendOS keeps a record in memory of all such connections Subsequent connections involving the same internal client host will then use the same external IP address The advantage of the stateful approach is that it can balance connections across several external ISP links while ensuring that an external host w...

Page 585: ...ion has the advantage of not requiring memory for a state table and providing very fast processing for new connection establishment Although explicit load balancing is not part of this option there should be spreading of the load across the external connections due to the random nature of the allocating algorithm IP Pool Usage When allocating external IP addresses to a NAT Pool it is not necessary...

Page 586: ...my_stateful_natpool gw world add NatPool my_stateful_natpool Range nat_pool_range Type Stateful ProxyARPInterfaces wan C Finally define the NAT rule in the IP rule set gw world add IPRule Action NAT SourceInterface lan SourceNetwork lannet DestinationInterface wan DestinationNetwork all nets Service http all NATAction UseNATPool NATPool my_stateful_natpool Name NAT_HTTP Web Interface A First creat...

Page 587: ... Rule 2 Under General enter Name Enter a suitable name such as nat_pool_rule Action NAT 3 Under Address filter enter Source Interface lan Source Network lan net Destination Interface wan Destination Network all nets Service http all 4 Select the NAT tab and enter Check the Use NAT Pool option Select my_stateful_natpool from the drop down list 5 Click OK Chapter 7 Address Translation 587 ...

Page 588: ...le IP rule when it is configured A SAT rule that triggers for the target traffic must first be created to specify the translation required However NetDefendOS does not terminate rule set lookups after finding a matching SAT rule Instead the rule set search continues for a matching Allow NAT or FwdFast rule Only when NetDefendOS finds such a second matching rule is the SAT rule applied to the traff...

Page 589: ...t used for port translation as all to one port translation is not possible When using an IP Policy object instead of an IP rule for SAT the properties are slightly different and this is discussed further in Section 7 4 7 Using an IP Policy for SAT Specifying the Type of IP Address Mapping NetDefendOS recognizes the type of SAT IP address mapping using the following rules If the original address is...

Page 590: ... this usage is to enable external users to access a protected server in a DMZ that has a private address This is also sometimes referred to as implementing a Virtual IP or a Virtual Server and is often used in conjunction with a DMZ The Role of a DMZ At this point it is relevant to discuss the role of the network known as the Demilitarized Zone DMZ since SAT rules are often used for allowing DMZ a...

Page 591: ...world add IPRule Action SAT Service http all SourceInterface wan SourceNetwork all nets DestinationInterface core DestinationNetwork wan_ip SATTranslate DestinationIP SATTranslateToIP 10 10 10 5 Name SAT_HTTP_To_DMZ Then create a corresponding Allow rule gw world add IPRule Action Allow Service http all SourceInterface wan SourceNetwork all nets DestinationInterface core DestinationNetwork wan_ip ...

Page 592: ... Net Dest Iface Dest Net Service SAT Action 1 SAT wan all nets core wan_ip http all Destination IP 10 10 10 5 2 Allow wan all nets core wan_ip http all These two rules allow web server access via the NetDefend Firewall s external IP address Rule 1 states that address translation will take place if the connection has been permitted and rule 2 permits the connection Note that only HTTP traffic will ...

Page 593: ...A single SAT rule can be used to transpose an entire range or network of IP addresses to another range or network The result is a many to many translation where the first original IP address is translated to the first IP address in the new range or network then the second to the second and so on To tell NetDefendOS to perform this type of translation the original IP address must be a range or netw...

Page 594: ...are the range 195 55 66 77 to 195 55 66 81 The web servers have the private IPv4 address range 10 10 10 5 to 10 10 10 9 and are on the network connected to the dmz interface The following steps need to be performed Define an address object containing the public IPv4 addresses Define another address object for the base of the web server IP addresses Publish the public IPv4 addresses on the wan inte...

Page 595: ... Web Interface Create an address object for the public IPv4 address 1 Go to Objects Address Book Add IP4 Address 2 Specify a suitable name for the object for example wwwsrv_pub 3 Enter 195 55 66 77 195 55 66 77 81 as the IP Address 4 Click OK Now create another address object for the base of the web server IP addresses 1 Go to Objects Address Book Add IP4 Address 2 Specify a suitable name for the ...

Page 596: ... Allow rule 1 Go to Policies Firewalling Main IP Rules Add IP Rule 2 Specify a suitable name for the rule for example Allow_HTTP_To_DMZ 3 Now enter Action Allow Service http all Source Interface any Source Network all nets Destination Interface wan Destination Network wwwsrv_pub 4 Click OK 7 4 4 All to One IP Translation NetDefendOS can be used to translate a range or a network to a single IP addr...

Page 597: ...s example is similar to the previous many to many example but this time a SAT IP rule will translate from five public IPv4 addresses to a single web server located in a DMZ The NetDefend Firewall is connected to the Internet via the wan interface and the public IPv4 addresses have the range of 195 55 66 77 to 195 55 66 81 The server has the private IPv4 address 10 10 10 5 and is on the network con...

Page 598: ...ationIP SATAllToOne Yes Finally create an associated Allow rule gw world add IPRule Action Allow Service http all SourceInterface any SourceNetwork all nets DestinationInterface wan DestinationNetwork wwwsrv_pub Web Interface Create a SAT IP rule for the translation 1 Go to Policies Firewalling Main IP Rules Add IP Rule 2 Specify a suitable name for the rule for example SAT_HTTP_To_DMZ 3 Now enter...

Page 599: ...the Service object has a single value specified for its Port property the port translation is one to one If the Port property is a simple range for example 60 70 the translation is many to many with the transposition beginning with the new port number specified Port translation will not occur if the Service object s Port property is anything other than a single value or a simple range For example ...

Page 600: ...er rules by the administrator Action Src Iface Src Net Dest Iface Dest Net Service SAT Action 5 NAT lan lan_net any all nets all_services However this is not correct What will happen with this additional rule is the following External traffic to wan_ip will match rules 1 and 3 and will be sent to wwwsrv This is correct Return traffic from wwwsrv will match rules 2 and 4 and will appear to be sent ...

Page 601: ...Using an IP Policy for SAT An alternative to using two IP rules for SAT is to use a single IP Policy object This simplifies the SAT definition process as well as allowing other features such as application control authentication and traffic shaping to be more easily associated with the rule When creating a SAT policy the policy is either for source or destination translation or both The way the tr...

Page 602: ... address The web server has the IPv4 address 10 10 10 5 and is reachable through the dmz interface Command Line Interface Create a SAT IP rule gw world add IPPolicy SourceInterface any SourceNetwork all nets DestinationInterface core DestinationNetwork wan_ip Service http all Name SAT_HTTP_To_DMZ Action Allow DestNewIP 10 10 10 5 Web Interface First create a SAT rule 1 Go to Policies Firewalling M...

Page 603: ... dynamic connections to the addresses visible to that party In some cases this can be resolved by modifying the application or the firewall configuration There is no definitive list of what protocols can or cannot be address translated A general rule is that VPN protocols cannot usually be translated In addition protocols that open secondary connections in addition to the initial connection can be...

Page 604: ...tes the address in accordance with SAT rule 1 and forwards the packet in accordance with Allow rule 2 10 0 0 3 1038 10 0 0 2 80 3 The server at wwwsrv_ip processes the packet and replies 10 0 0 2 80 10 0 0 3 1038 The reply will be sent directly to the client across the local network bypassing the firewall 4 The client expects a reply from 203 0 113 10 80 and not 10 0 0 2 80 so the response is disc...

Page 605: ... would require an internal DNS server so that the client could discover the private address of the web server Rule Ordering is Important Reversing the order of the NAT and Allow rules as shown below would not provide the expected behavior Action Src Iface Src Net Dest Iface Dest Net Service SAT Action 1 SAT any all nets core wan_ip http all Destination IP wwwsrv_ip Port 80 2 Allow any all nets cor...

Page 606: ...source before forwarding it to the web server Allow rule 3 allows traffic from the Internet to reach the web server after it has been translated by the SAT rule This traffic will not trigger the preceding NAT rule NAT rule 4 performs NAT translation of HTTP traffic flowing from internal clients out onto the Internet Chapter 7 Address Translation 606 ...

Page 607: ...Chapter 7 Address Translation 607 ...

Page 608: ...nd Firewall the administrator will often require that each user goes through a process of authentication before access is allowed This chapter deals with setting up authentication for NetDefendOS but first the general issues involved in authentication will be examined Proving Identity The aim of authentication is to have the user prove their identity so that the network administrator can allow or ...

Page 609: ...thentication performed with username password combinations that are manually entered by a user attempting to gain access to resources Access to the external public Internet through a NetDefend Firewall by internal clients using the HTTP protocol is an example of this In using this approach username password pairs are often the subject of attacks using guesswork or systematic automated attempts To ...

Page 610: ... as the originator IP or can be associated with an Authentication Group Set up IP rules to allow the authentication to take place and also to allow access to resources by the clients belonging to the IP object set up in the previous step The sections that follow describe the components of these steps in detail These are Section 8 2 2 Local User Databases Section 8 2 3 External RADIUS Servers Secti...

Page 611: ...aints Group names are entered as text strings which are case sensitive and can have a maximum length of 128 characters The only characters that cannot be used in a group name are spaces and commas The only limit on the number of group names is the number of unique combinations that can be created from 128 characters Where a user is a member in multiple groups the group names are entered as a comma...

Page 612: ...administrator can be logged in with more than one simultaneous session The auditors group This is similar to the administrators group but members are only allowed to view the configuration data but cannot change it Any number of audit users can be logged in at once Using Groups with IP Rules or IP Policies Authentication groups are not used directly with Authentication Rule objects but are instead...

Page 613: ...a route is automatically added to the NetDefendOS main routing table This existence of this added route means that any traffic destined for the specified network will be correctly routed through the user s PPTP L2TP tunnel When the connection to the user ends the route is automatically removed by NetDefendOS Caution Use the network option with care The administrator should think carefully what the...

Page 614: ...of the messages sent from the RADIUS client to the server and is commonly configured as a relatively long text string The string can contain up to 100 characters and is case sensitive RADIUS uses PPP to transfer username password requests between client and RADIUS server as well as using PPP authentication schemes such as PAP and CHAP RADIUS messages are sent as UDP messages via UDP port 1812 The ...

Page 615: ...nnecting client as a part of the tunnel negotiation Framed IP Netmask In some cases the client might be a network device such as another firewall with a network behind it The Framed IP Netmask parameter requires that the Framed IP Address is also present in the Access Accept message The netmask together with the IP address is combined to form a route which will be sent to the client as a part of t...

Page 616: ...me rs_users IP Address radius_ip Port 1812 Retry Timeout 2 Shared Secret mysecretcode Confirm Secret mysecretcode 3 Click OK 8 2 4 External LDAP Servers Lightweight Directory Access Protocol LDAP servers can also be used with NetDefendOS as an authentication source This is implemented by the NetDefend Firewall acting as a client to one or more LDAP servers Multiple servers can be configured to pro...

Page 617: ...n LDAP user group set to primary cannot be received by NetDefendOS from the Microsoft LDAP server and used in security policies Defining an LDAP Server One or more named LDAP server objects can be defined in NetDefendOS These objects tell NetDefendOS which LDAP servers are available and how to access them Defining an LDAP server to NetDefendOS is sometimes not straightforward because some LDAP ser...

Page 618: ...trator must also manually configure NetDefendOS to ARP publish the IP address on the sending interface Doing this is described in Section 3 5 3 ARP Publish The default value is Automatic Timeout This is the timeout length for LDAP server user authentication attempts in seconds If no response to a request is received from the server after this time then the server will be considered to be unreachab...

Page 619: ...not modify the username in any way For example testuser ii Username Prefix When authenticating this will put domain name in front of the username For example myldapserver testuser iii Username Postfix When authenticating this will add domain name after the username For example testuser myldapserver If the choice is other than Do Not Use the Domain Name parameter option described below should be sp...

Page 620: ...und and authenticated if they are not in the part of the tree below the Base Object The recommended option is therefore to initially specify the Base Object as the root of the tree The Base Object is specified as a comma separated domainComponent DC set If the full domain name is myldapserver local eu com and this is the Base Object then this is specified as DC myldapserver DC local DC eu DC com T...

Page 621: ...quest Authentication LDAP server authentication is automatically configured to work using LDAP Bind Request Authentication This means that authentication succeeds if successful connection is made to the LDAP server Individual clients are not distinguished from one another LDAP server referrals should not occur with bind request authentication but if they do the server sending the referral will be ...

Page 622: ...authentication are called LDAPDatabase objects LDAP servers used for certificate lookup are known as LDAPServer objects in the CLI A specific LDAP server that is defined in NetDefendOS for authentication can be shown with the command gw world show LDAPDatabase object_name The entire contents of the database can be displayed with the command gw world show LDAPDatabase LDAP Authentication and PPP Wh...

Page 623: ... LDAP server that will contain the password when it is sent back This ID must be different from the default password attribute which is usually userPassword for most LDAP servers A suggestion is to use the description field in the LDAP database In order for the server to return the password in the database field with the ID specified the LDAP administrator must make sure that the plain text passwo...

Page 624: ... username password login sequence Authentication Rules are set up in a similar way to other NetDefendOS security policies and that is by specifying which traffic is to be subject to the rule They differ from other policies in that the connection s destination network interface is not of interest but only the source network interface of the client being authenticated Authentication Rule Properties ...

Page 625: ...th XAuth as the agent will be used for all IPsec tunnels However this approach assumes that a single authentication source is used for all tunnels An IP rule allowing client access to core is not required v L2TP PPTP SSL VPN This is used specifically for L2TP PPTP or SSL VPN authentication An IP rule allowing client access to core is not required Authentication Source This specifies that authentic...

Page 626: ... An Authentication Rule can specify how multiple logins are handled where more than one user from different source IP addresses try to login with the same username The possible options are Allow multiple logins so that more than one client can use the same username password combination Allow only one login per username Allow one login per username and logout an existing user with the same name if ...

Page 627: ...e then the authenticated user will be automatically logged out after that length of time without activity Any packets from an IP address that fails authentication are discarded 8 2 7 HTTP Authentication Where users are communicating through a web browser using the HTTP or HTTPS protocol then authentication is done by NetDefendOS presenting the user with HTML pages to retrieve required user informa...

Page 628: ...ntication to take place This is also true with HTTPS If we consider the example of a number of clients on the local network lannet who would like access to the public Internet through the wan interface then the IP rule set would contain the following rules Action Src Interface Src Network Dest Interface Dest Network Service 1 Allow lan lannet core lan_ip http all 2 NAT lan trusted_users wan all ne...

Page 629: ...DefendOS itself Example 8 4 User Authentication Setup for Web Access The configurations below shows how to enable HTTP user authentication for the user group lan_group on lannet Only users that belong to the group users can get Web browsing service after authentication as it is defined in the IP rule It is assumed that the authentication IPv4 address object lan_users_net has been defined and this ...

Page 630: ...tion Overview By default NetDefendOS applies brute force protection to any authentication which involves the validation of username password credentials against a local user database a database defined within NetDefendOS and not an external database This means that a management login via the Web Interface or SSH is also protected by this feature This feature cannot be turned off by the administrat...

Page 631: ...ttempts This number will be reset to a new positive value after another failed authentication attempt If the Blocked remaining value reaches zero the user will not be removed from the list for 24 hours and this allows the administrator to see such blocked users later However a Blocked remaining value of zero means that the user can try to make another authentication attempt which NetDefendOS will ...

Page 632: ... Notice id 03200802 rev 1 event user_blocked database AdminUsers username admin blockedremaining 10s blockedsince 2016 06 10 09 42 12 Multi Factor Authentication Provides Additional Security Another approach which can neutralize brute force attacks is to use multi factor authentication where an additional code needs to be entered in addition to standard credentials This is described further in Sec...

Page 633: ...on in the Web Interface Other Steps with the ARP Cache Method When using the ARP Cache method there are some other configuration steps that the administrator must take so that the NetDefendOS ARP cache contains the data needed for successful authentication There must be a second IP rule below the Allow or NAT IP rule that has action of Reject This ensures that clients that are not yet authenticate...

Page 634: ...xample 00 0c 19 f9 14 6f Dealing with Duplicate MAC Addresses If there is a router between the firewall and connecting clients NetDefendOS will receive the same MAC address from the router instead of the original client MAC address This causes problems because NetDefendOS is set up by default to not allow clients to duplicate MAC addresses The problem is solved by enabling the property Allow clien...

Page 635: ...ce or by downloading and re uploading through an SCP client Banner files in NetDefendOS are of two types Banner files for authentication rules using Web Auth HTTP and HTTPS login These are discussed below Banner files for the HTTP ALG These are discussed in Section 6 3 4 5 Customizing WCF HTML Pages Banner Files for Web Authentication The web authentication files available for editing have the fol...

Page 636: ...arest the firewall A typical parameter set of values for the LoginFailure page when ARP authentication is used might be USER 00 0c 19 f9 14 6f REDIRHOST 10 234 56 71 REDIRURL testing user user pass pass REDIRURLENC 2ftesting 3fuser 3duser 26pass 3dpass IPADDR 10 1 6 1 DEVICENAME MyGateway The REDIRURL Parameter Should Not Be Removed In certain banner web pages the parameter REDIRURL appears This i...

Page 637: ...The steps to do this are 1 Since SCP cannot be used to download the original default HTML the source code must be first copied from the Web Interface and pasted into a local text file which is then edited using an appropriate editor 2 A new Auth Banner Files object must exist which the edited file s is uploaded to If the object is called ua_html the CLI command to create this object is gw world ad...

Page 638: ...set UserAuthRule my_auth_rule HTTPBanners ua_html 5 As usual use the activate followed by the commit CLI commands to activate the changes on the NetDefend Firewall Chapter 8 User Authentication 638 ...

Page 639: ...e Network property would typically be set to only allow access by authenticated clients to certain resources such as servers The Destination Network property would typically be set to only allow access to authenticated servers by clients Authentication of a server is achieved by opening a single connection once to NetDefendOS as though the server were a client Example 8 6 Policies Requiring Authen...

Page 640: ...IP Rule 2 Specify a suitable name for the rule for example LAN_HTTP 3 Now enter Name client_access_rule Action Allow Service all_services Source Interface If1 Source Network client_net Destination Interface If2 Destination Network all nets 4 Click OK Note Authentication address objects have only one use IP address objects that are used for authentication with the authentication property set can on...

Page 641: ... member Installation of the IDA software on multiple servers will provide redundancy The authentication process taking place in NetDefendOS as clients try to access resources through the firewall This process uses the information sent by the Identity Awareness Agent The overall relationship between client server and NetDefend Firewall is shown in the diagram below Figure 8 3 User Identity Awarenes...

Page 642: ...d on the domain servers A separate Authentication Agent object should be created for each server in the domain which has the IDA software installed If the Pre shared Key property is not specified this defaults to the value of the predefined PSK object auth_agent_psk This is also the default key value used by the D Link Identity Awareness Agent However the default key is the same across all NetDefe...

Page 643: ...Address aa_server_ip PSK aa_server_key Name my_auth_agent Assign the permitted usernames to the network object for client IPs gw world add Address IP4Address client_net UserAuthGroups user1 mydomain user2 mydomain Create an IP Policy which allows access and uses client_net as the source network gw world main add IPPolicy SourceInterface If1 SourceNetwork client_net DestinationInterface If2 Destina...

Page 644: ...to trigger authentication but an IP Rule could have been used instead Installing the Identity Awareness Agent The D Link Identity Awareness Agent IDA is a separate piece of software provided at no extra charge with NetDefendOS The installation file is called IDA_Setup exe and when it is installed on a Windows based computer it runs as a service called IDA exe Note Use administrator privileges when...

Page 645: ...768 A user has logged in As explained previously the agent service listens for authenticated users and sends their details to the configured NetDefend Firewalls The software has its own management user interface and this interface has three tabs which are described next The General tab This tab consists of the following settings i Listening IP This is the IPv4 address and port number which the IDA...

Page 646: ...his specifies the IP address of other domain servers which are to be monitored by this IDA installation More than one IDP installation can monitor the same domain server and more than one IDP installation can send the same authentication event to NetDefendOS duplicate received IDA events are recognized by NetDefendOS and ignored If the Monitor the local event log option is not enabled and no other...

Page 647: ...efault value of 0 0 0 0 0 means all IPv4 addresses are acceptable The administrator can improve security by narrowing this to a specific network or IP address where the connecting NetDefend Firewall is located Figure 8 6 The Security Tab in the IDA Interface The Excluded Users tab In this tab it is possible to set up an exclusion list for the IDA so that users on the list will not have their authe...

Page 648: ...g local server authentication events 3 For server A configure the Remote monitoring option with the IP addresses of servers B C and D so that they are monitored too 4 For server B configure the Remote monitoring option with the IP addresses of servers A C and D so that they are monitored too Now if either server A or B should fail authentication events will still be sent back to NetDefendOS NetDef...

Page 649: ...on Authentication Agents to see that the IDA service is connected to NetDefendOS In the CLI the same can be achieved with the command gw world authagent As users are authenticated they can be seen in the Web Interface by going to Status Run time Information User Authentication In the CLI the same can be achieved with the command gw world userauth list In order to switch on console monitoring of th...

Page 650: ...rules or IP policies 2 The authentication source will be an external RADIUS server that has been configured to perform multi factor authentication 3 A user tries to access resources through the NetDefend Firewall They are presented with a standard NetDefendOS login challenge page and they enter their credentials 4 NetDefendOS now sends these credentials to the RADIUS server for authentication in a...

Page 651: ...endOS However if the banner file LoginChallenge is used in the challenge process it may need to be edited to display the appropriate text This is discussed further in Section 8 4 Customizing Authentication HTML The administrator must configure the RADIUS server appropriately and the server s documentation should be consulted on how to do this If the RADIUS server causes a code to be sent to the us...

Page 652: ...e RADIUS server the UE issues a DHCP request and a DHCP IP lease from the configured NetDefendOS DHCP server is sent back to the UE The DHCP server must be configured so that leases are only be distríbuted to authenticated clients the LeasesRequireAuth option is enabled Successful authentication also means that NetDefendOS includes the UE s username in its list of logged in users visible with the ...

Page 653: ... hand out IP address leases once the UE is authenticated Source Interface This is the NetDefendOS interface on which NetDefendOS will listen for AP requests This can be any of the following i An Ethernet interface ii A VLAN interface iii An Interface Group If the property Override User Data Interface is set this interface will only listen for the intial connection from the AP and carry authenticat...

Page 654: ...traffic from the authenticated user the user will be automatically logged out Session Timeout This is the absolute allowed length of a authenticated used session in seconds This is normally set to zero meaning a session of infinite length Use Timeouts Received from Authentication Server If this property is enabled and the RADIUS server is correctly configured the Idle Timeout and Session Timeout p...

Page 655: ...r the physical Ethernet interface If1 and that the AP has also been correctly configured to use the appropriate VLAN for authentication and data Authenticated users must belong to the group called ue_group A Radius Relay object called r_relay1 will be created which will listen for authentication requests on the vlan_auth interface and relay them to a RADIUS server with the IPv4 address radius_ip T...

Page 656: ...rld add IPRule Action Allow Service all_services SourceInterface vlan_data SourceNetwork client_net DestinationInterface If2 DestinationNetwork all nets Name client_access_rule E Create the RadiusRelay object gw world add RadiusRelay r_relay1 SourceInterface vlan_auth ClientIPFilter client_ip_range RemoteServerIP radius_ip DHCPServer rr_dhcp_server OverrideUserDataInterface vlan_data Web Interface...

Page 657: ... to RADIUS relay authenticated clients 4 Click OK D Create the IPRule object that grants access for client data flowing to the backbone network which is connected to the interface If2 1 Go to Policies Firewalling Main IP Rules Add IP Rule 2 Specify a suitable name for the rule for example LAN_HTTP 3 Now enter Name client_access_rule Action Allow Service all_services Source Interface vlan_data Sour...

Page 658: ...t is assumed the group name ue_group will be sent back by the RADIUS server during authentication The RADIUS server must be configured to do this When configuring the external RADIUS server to provide group information for the logged in user to NetDefendOS it is necessary to use the user group vendor specific attribute The NetDefendOS Vendor ID is 5089 and the user group is defined as vendor type ...

Page 659: ...ivery of accounting information and this is the standard followed by NetDefendOS for user accounting In this way all the benefits of centralized servers are thus extended to user connection accounting The usage of RADIUS for NetDefendOS authentication is discussed in Section 8 2 Authentication Setup 8 9 2 RADIUS Accounting Messages Message Generation Statistics such as number of bytes sent and rec...

Page 660: ...event generating this AccountingRequest Note that this does not reflect network delays The first attempt will have this parameter set to 0 Timestamp The number of seconds since 1st January 1970 Used to set a timestamp when this packet was sent from NetDefendOS STOP Message Parameters Parameters included in STOP messages sent by NetDefendOS are Type Marks this accounting request as signaling the en...

Page 661: ...Interim Accounting Messages to update the accounting server with the current status of an authenticated user Messages are Snapshots An interim accounting message can be seen as a snapshot of the network resources that an authenticated user has used up until a given point With this feature the RADIUS server can track how many bytes and packets an authenticated user has sent and received up until th...

Page 662: ...is subject to a FwdFast rule in the IP rule set The same RADIUS server does not need to handle both authentication and accounting one server can be responsible for authentication while another is responsible for accounting tasks Multiple RADIUS servers can be configured in NetDefendOS to deal with the event when the primary server is unreachable Example 8 9 RADIUS Accounting Server Setup This exam...

Page 663: ...ting Events Two special accounting events are also used by the active unit to keep the passive unit synchronized An AccountingStart event is sent to the inactive member in an HA setup whenever a response has been received from the accounting server This specifies that accounting information should be stored for a specific authenticated user A problem with accounting information synchronization cou...

Page 664: ...happen for example when several users are behind the same network using NAT to allow network access through a single external IP address This means that as soon as one user is authenticated traffic coming through that NAT IP address could be assumed to be coming from that one authenticated user even though it may come from other users on the same network NetDefendOS RADIUS Accounting will therefor...

Page 665: ...efault Enabled Maximum Radius Contexts The maximum number of contexts allowed with RADIUS This applies to RADIUS use with both accounting and authentication Default 1024 Chapter 8 User Authentication 665 ...

Page 666: ...Chapter 8 User Authentication 666 ...

Page 667: ... is equally important that the recipient can verify that no one is falsifying data in other words pretending to be someone else Virtual Private Networks VPNs meet this need providing a highly cost effective means of establishing secure links between two co operating computers so that data can be exchanged in a secure manner VPN allows the setting up of a tunnel between two devices known as tunnel ...

Page 668: ...cryptography Cryptography is an umbrella expression covering 3 techniques and benefits Confidentiality No one but the intended recipients is able to receive and understand the communication Confidentiality is accomplished by encryption Authentication and Integrity Proof for the recipient that the communication was actually sent by the expected sender and that the data has not been modified in tran...

Page 669: ...key distribution policies Endpoint Security A common misconception is that VPN connections are equivalents to the internal network from a security standpoint and that they can be connected directly to it with no further precautions It is important to remember that although the VPN connection itself may be secure the total level of security is only as high as the security of the tunnel endpoints It...

Page 670: ... work for a short period of time when new keys have been issued What happens when an employee in possession of a key leaves the company If several users are using the same key it should be changed In cases where the key is not directly programmed into a network unit such as a VPN firewall how should the key be stored On a floppy As a pass phrase to memorize On a smart card If it is a physical toke...

Page 671: ...re any traffic can flow into the tunnel a route must be defined in a NetDefendOS routing table This route tells NetDefendOS which network can be found at the other end of the tunnel so it knows which traffic to send into the tunnel In most cases this route is created automatically when the tunnel is defined and this can be checked by examining the routing tables If a route is defined manually the ...

Page 672: ...he Address Book create IP objects for The remote VPN gateway which is the IPv4 address of the network device at the other end of the tunnel let s call this object remote_gw This may or may not be another NetDefend Firewall The remote network which lies behind the remote VPN gateway let s call this object remote_net The local network behind the NetDefend Firewall which will communicate across the t...

Page 673: ...xample 9 4 PSK Based LAN to LAN IPsec Tunnel Setup 9 2 2 IPsec LAN to LAN with Certificates LAN to LAN security is usually provided with pre shared keys but sometimes it may be desirable to use X 509 certificates instead If this is the case Certificate Authority CA signed certificates may be used and these come from an internal CA server or from a commercial supplier of certificates Creating a LAN...

Page 674: ...validation Self signed certificates instead of CA signed can be used for LAN to LAN tunnels but the Web Interface and other interfaces do not have a feature to generate them Instead they must be generated by another utility and imported into NetDefendOS This means that they are not truly self signed since they are generated outside of NetDefendOS control and it should be remembered that there is n...

Page 675: ...ep could initially be left out to simplify setup The authentication source can be one of the following A Local User DB object which is internal to NetDefendOS An external authentication server An internal user database is easier to set up and is assumed here Changing this to an external server is simple to do later To implement user authentication with an internal database Define a Local User DB o...

Page 676: ...ios Enable the option Require IKE XAuth user authentication for inbound IPsec tunnels This will enable a search for the first matching XAUTH rule in the authentication rules 3 The IP rule set should contain the single rule Action Src Interface Src Network Dest Interface Dest Network Service Allow ipsec_tunnel all nets lan lannet all_services Once an Allow rule permits the connection to be set up b...

Page 677: ... are supported by NetDefendOS Specify if the client will use config mode There are a variety of IPsec client software products available from a number of suppliers and this manual will not focus on any specific one The network administrator should use the client that is best suited to their budget and needs For a roaming clients example showing the actual configuration steps go to Example 9 5 PSK ...

Page 678: ...osen for this address object can be one of the following two types A range taken from the internal network to which clients will connect If the internal network is 192 168 0 0 24 then we might use the address range 192 168 0 10 to 192 168 0 20 The danger here is that an IP address might be accidentally used on the internal network and handed out to a client Use a new address range that is totally ...

Page 679: ...d combination The Group string for a user can also be specified This is explained in the same step in the IPsec Roaming Clients section above Define a User Authentication Rule Agent Auth Source Src Network Interface Client Source IP PPP Local all nets l2tp_tunnel all nets 0 0 0 0 0 7 To allow traffic through the L2TP tunnel the following rules should be defined in the IP rule set Action Src Interf...

Page 680: ...additional security to certificates Also review Section 3 9 4 CA Server Access which describes important considerations for certificate validation 9 2 7 PPTP Roaming Clients PPTP is simpler to set up than L2TP since IPsec is not used and instead relies on its own less strong encryption A major secondary disadvantage is not being able to NAT PPTP connections through a tunnel so multiple clients can...

Page 681: ...or Windows XP the procedure is exactly as described for L2TP above but without entering the pre shared key 9 2 8 iOS Setup The standard IPsec client built into Apple iOS devices can be used to connect to a NetDefend Firewall using standard IPsec tunnels defined in NetDefendOS The NetDefendOS setup steps are as follows 1 Create address book objects for the tunnel These will consist of i The network...

Page 682: ...k when tunnel is established x IP Addresses Specify manually to be the local tunnel endpoint address xi Security Assocation Per Host xii Disable the option Add route to remote network 6 Place the tunnel last in the list of IPsec tunnels Also be aware that this tunnel cannot coexist with a PSK tunnel for L2TP IPsec 7 Create a User Authentication Rule with the following properties i Authentication A...

Page 683: ...number of ways by using IPsec protocols ESP AH or a combination of both The flow of events can be briefly described as follows IKE negotiates how IKE should be protected IKE negotiates how IPsec should be protected IPsec moves data in the VPN The following sections will describe each of these stages in detail 9 3 2 Internet Key Exchange IKE This section describes IKE the Internet Key Exchange prot...

Page 684: ...t be shorter than the IKE lifetime The difference between the two must be a minimum of 5 minutes This allows for the IPsec connection to be re keyed simply by performing another phase 2 negotiation There is no need to do another phase 1 negotiation until the IKE lifetime has expired IKE Algorithm Proposals An IKE algorithm proposal list is a suggestion of how to protect IPsec data flows The VPN de...

Page 685: ...ta flow If Perfect Forwarding Secrecy PFS is used a new Diffie Hellman exchange is performed for each phase 2 negotiation While this is slower it makes sure that no keys are dependent on any other previously used keys no keys are extracted from the same initial keying material This is to make sure that in the unlikely event that some key was compromised no subsequent keys can be derived Once the p...

Page 686: ...there will be an error message when the NetDefendOS configuration is committed The corrected remote ID form is the following DN D Link OU One Two Three DC SE Encapsulation Mode IPsec can be used in one two modes Tunnel Mode Tunnel mode indicates that the traffic will be tunneled to a remote device which will decrypt authenticate the data extract it from its tunnel and pass it on to its final desti...

Page 687: ... The two protocols to choose from are AH Authentication Header and ESP Encapsulating Security Payload ESP provides encryption authentication or both However it is not recommended to use encryption only since it will dramatically decrease security Note that AH only provides authentication The difference from ESP with authentication only is that AH also authenticates parts of the outer IP header for...

Page 688: ...ession keys will be extracted from this initial keying material By using PFS completely new keying material will always be created upon re key Should one key be compromised no other key can be derived using that information PFS can be used in two modes the first is PFS on keys where a new key exchange will be performed in every phase 2 negotiation The other type is PFS on identities where the iden...

Page 689: ...fetime of the VPN connection It is specified in both time seconds and data amount in Kbytes Whenever either of these values is exceeded a re key will be initiated providing new IPsec encryption and authentication session keys If the VPN connection has not been used during the last re key period the connection will be terminated and re opened from scratch when the connection is needed again This va...

Page 690: ...s on a slower hardware platform It could also result in 100 processor utilization from the tunnel setup process and a possible temporary halt of all traffic throughput 9 3 3 IKE Authentication Manual Keying The simplest way of configuring a VPN is by using a method called manual keying This is a method where IKE is not used at all the encryption and authentication keys as well as some other parame...

Page 691: ... is based on the PSKs being secret Should one PSK be compromised the configuration will need to be changed to use a new PSK Certificates Each VPN firewall has its own certificate and one or more trusted root certificates The authentication is based on several things That each endpoint has the private key corresponding to the public key found in its certificate and that nobody else has access to th...

Page 692: ...the IP header The AH protocol inserts an AH header after the original IP header In tunnel mode the AH header is inserted after the outer header but before the original inner IP header ESP Encapsulating Security Payload The ESP protocol inserts an ESP header after the original IP header in tunnel mode the ESP header is inserted after the outer header but before the original inner IP header All data...

Page 693: ...e VPNs send out a special vendor ID to tell the other end of the tunnel that it understands NAT traversal and which specific versions of the draft it supports Achieving NAT Detection To achieve NAT detection both IPsec peers send hashes of their own IP addresses along with the source UDP port used in the IKE negotiations This information is used to see whether the IP address and source port each p...

Page 694: ... Auto The local ID becomes the IP address of the outgoing interface This is the recommended setting unless the two firewalls have the same external IP address ii IP A IP address can be manually entered iii DNS A DNS address can be manually entered iv Email An email address can be manually entered 9 3 6 Algorithm Proposal Lists To agree on the VPN connection parameters a negotiation process is perf...

Page 695: ...eing transmitted Note that this example does not illustrate how to add the specific IPsec tunnel object It will also be used in a later example Command Line Interface First create a list of IPsec Algorithms gw world add IPsecAlgorithms esp l2tptunnel DES3Enabled Yes AESEnabled Yes SHA256Enabled Yes SHA512Enabled Yes Then apply the algorithm proposal list to the IPsec tunnel gw world set Interface ...

Page 696: ... on different platforms can cause a problem with non ASCII characters Windows for example encodes pre shared keys containing non ASCII characters in UTF 16 while NetDefendOS uses UTF 8 Even though they can seem the same at either end of the tunnel there will be a mismatch and this can sometimes cause problems when setting up a Windows L2TP client that connects to NetDefendOS Example 9 2 Using a Pr...

Page 697: ...given access to the internal corporate networks using IPsec with certificates The organization administers their own Certificate Authority and certificates have been issued to the employees Different groups of employees are likely to have access to different parts of the internal networks For example members of the sales force might access servers running the order system while technical engineers...

Page 698: ...nnel can be established If the ID is not in the certificate NetDefendOS flags that there is an authentication failure and the client connection is dropped This means that a particular IPsec Tunnel is only used by a particular client The NetDefendOS configuration s IP rules and IP policies can then be designed to control which traffic can flow through which tunnel the tunnel being an interface in t...

Page 699: ...D Link Organizational Unit Support Country Sweden Email Address john doe D Link com 6 Click OK Finally apply the Identification List to the IPsec tunnel 1 Go to Network Interfaces and VPN IPsec 2 Select the IPsec tunnel object of interest 3 Under the Authentication tab choose X 509 Certificate 4 Select the appropriate certificate in the Root Certificate s and Gateway Certificate controls For a cer...

Page 700: ...uter tunnel packets can be set to a fixed value or they can have the value copied from the DiffServ field of the packets inside the tunnel Setting up the above two options is described next Specifying the DiffServ Field for IKE Traffic By default all IKE packets sent by NetDefendOS during tunnel setup have their DiffServ value set to zero This can be changed to a fixed value for a tunnel by settin...

Page 701: ...it takes precedence over the normal procedure for selecting a tunnel Setting the Originator IP Address An IPsec Tunnel object s Originator IP property is a means to set the source IPv4 address that flows inside the tunnel when the originator is NetDefendOS itself This IP will be needed in such cases as when log messages or ICMP ping messages are sent by NetDefendOS Also when NATing an IPsec tunnel...

Page 702: ...y a user on a protected local network might try and access a resource which is located at the end of an IPsec tunnel In this case NetDefendOS sees that the route for the IP address of the resource is through a defined IPsec tunnel and establishment of the tunnel is then initiated from the local NetDefend Firewall IP Rules Control Decrypted Traffic Note that an established IPsec tunnel does not aut...

Page 703: ... clients With route failover a tunnel for the alternate route is always established After a reconfigure operation is performed on NetDefendOS the tunnels are immediately reestablished without waiting for any traffic to flow Assuming two IPsec tunnel endpoint A and B it is recommended that auto establish is enabled on B only when both of the following criteria are true A cannot initiate an IKE nego...

Page 704: ...Tunnel Quick Start Sections A quick start checklist of setup steps for these protocols in typical scenarios can be found in the following sections in this document Section 9 2 1 IPsec LAN to LAN with Pre shared Keys Section 9 2 2 IPsec LAN to LAN with Certificates Section 9 2 3 IPsec Roaming Clients with Pre shared Keys Section 9 2 4 IPsec Roaming Clients with Certificates In addition to the quick...

Page 705: ... 11 0 24 Assume that the branch office firewall Ethernet interface connected to the Internet has the public IP address 203 0 113 1 It is assumed the default IKE and IPsec proposal list are used at either end of the tunnel Command Line Interface A Create a pre shared key for IPsec authentication gw world add PSK my_scecret_key Type ASCII PSKascii somesecretasciikey B Configure the IPsec tunnel gw w...

Page 706: ...D Add a route that routes the remote network on the tunnel Change the context to be the routing table gw world cc RoutingTable main Add the route gw world main add Route Interface ipsec_hq_to_branch Network 192 168 11 0 24 Return to the default CLI context gw world main cc gw world Web Interface A Create a pre shared key for IPsec authentication 1 Go to Objects Key Ring Add Pre Shared Key 2 Now en...

Page 707: ... Rule 2 Now enter Name hq_to_branch Action Allow Service all_services Source Interface lan Source Network 172 16 1 0 24 Destination Interface ipsec_hq_to_branch Destination Network 192 168 11 0 24 3 Click OK ii Add an IP rule to allow traffic to flow from remote to local network 1 Go to Policies Firewalling Main IP Rules Add IP Rule 2 Now enter Name branch_to_hq Action Allow Service all_services S...

Page 708: ...of the client is not known beforehand then the NetDefend Firewall needs to create a route in its routing table dynamically as each client connects In the example below this is the case and the IPsec tunnel is configured to dynamically add routes If clients are to be allowed to roam in from everywhere irrespective of their IP address then the Remote Network needs to be set to all nets IP address 0 ...

Page 709: ...tinationNetwork 172 16 1 0 24 Name roaming_clients_to_hq Web Interface A Create a pre shared key object for IPsec authentication 1 Go to Objects Key Ring Add Pre Shared Key 2 Now enter Name Enter a name for the key for example my_secret_key Shared Secret Enter a secret passphrase Confirm Secret Enter the secret passphrase again 3 Click OK B Configure the IPsec tunnel object 1 Go to Network Interfa...

Page 710: ... is built in access to a CA server in Windows 2000 Server this is found in Certificate Services For more information on CA server issued certificates see Section 3 9 Certificates Example 9 6 Certificate Based IPsec Tunnels for Roaming Clients This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming clients that connect to the office to gain remote a...

Page 711: ... the situation is reversed cert_B is the gateway certificate and cert_A is the root certificate for the tunnel Note that if cert_A was created on gateway_A it should not need to be uploaded and its private key is already available in the key store of gateway_A When cert_B is loaded onto gateway_A it is stored as a root certificate without a private key file The situation will be the reverse on gat...

Page 712: ...IP Pool a static set of IP addresses can be defined DNS The IP address of the DNS used for URL resolution already provided by an IP Pool NBNS WINS The IP address for NBNS WINS resolution already provided by an IP Pool DHCP Instructs the host to send any internal DHCP requests to this address Subnets A list of the subnets that the client can access Example 9 7 Setting Up Config Mode Using a Predefi...

Page 713: ...etting is Disabled Local Gateway In the situation where clients are initiating IPsec connections to the firewall the usual situation is that the client will send the initial IKE request to the IP address bound to a physical interface However if there are other IP addresses being ARP published on the interface and IKE requests are being sent to these addresses the IPsec tunnel property Local Gatewa...

Page 714: ...ll be skipped If AES XCBC is the only algorithm in the proposal list with IKEv1 tunnel setup will fail The Encapsulation Mode property of an IKEv2 tunnel can only be set to Tunnel This means that IKEv2 should not be used with L2TP see Section 9 5 2 L2TP Servers EAP Authentication Settings Authentication with IKEv2 is done using EAP The following IPsec Tunnel object properties are used with IKv2 EA...

Page 715: ... installed in NetDefendOS In addition NetDefendOS should also have a host certificate also known as the gateway certificate installed which is signed by the root CA This host certificate must have the following properties i Either the Common Name CN or the Subject Alternative Name SAN must contain either the IP address of the IPsec tunnels local endpoint the IP address the client connects to or an...

Page 716: ...can be found in the NetDefendOS setup example found below RADIUS Server Setup The following setup notes apply to a Microsoft Network Policy Server NPS and should be adapted if another type of RADIUS server is being used With an NPS the following steps should be performed 1 Under NPS Policies Connection Request Policies add a Connection Request Policy 2 The Type of network access server should be s...

Page 717: ...lNetwork lannet RemoteNetwork all nets AuthMethod Certificate GatewayCertificate my_host_cert RootCertificates my_root_cert AddRouteToRemoteNet Yes AutoInterfaceNetworkRoute No IKEVersion 2 RemoteEndpoint all nets EAP Yes RequestEAPID Yes IKEConfigModePool ConfigModePool C Configure the RADIUS server for authentication gw world add RadiusServer my_radius_server IPAddress 203 0 113 20 SharedSecret ...

Page 718: ...ect Authentication and enter Enable the X 509 Certificate option For Gateway Certificate select my_host_cert For Root Certificate s add my_root_cert Enable the Require EAP for inbound IPsec tunnels option Enable the Request EAP ID option 5 Select Advanced and enter Enable the Add route dynamically option Disable the Add route statically option 6 Click OK C Configure a RADIUS server for authenticat...

Page 719: ...cate Authority to contact when certificates or CRLs need to be downloaded to the NetDefend Firewall Lightweight Directory Access Protocol LDAP is used for these downloads However in some scenarios this information is missing or the administrator wishes to use another LDAP server The LDAP configuration section can then be used to manually specify alternate LDAP servers Example 9 10 Setting up an LD...

Page 720: ...is the basis for a secure control channel between the local and remote peer The configuration properties used are i Local Endpoint ii Remote Endpoint iii Source Interface iv DH Group Stage 2 Authentication In the second stage the peers authenticate themselves to each other The matching criteria are i Authentication Method ii Local ID If specified this must be acceptable to the remote peer If not s...

Page 721: ... 2 3 Route Failover and shares the same underlying mechanism Tunnel Health Monitoring Alternatives Tunnel monitoring is an efficient way of monitoring IPsec tunnel health but requires an external host However it is preferable to using the Auto Establish option Auto establish has the disadvantage that it works at the IKE level and does not monitor the traffic flowing inside the tunnel There is no r...

Page 722: ...instances When a host is determined to be reachable the following log message is generated IPSEC prio Info id 01803600 rev 1 event monitored_host_reachable action none ip 192 168 1 2 tunnel PSK NAT When a host is determined to be unreachable the following log message is generated IPSEC prio Error id 01803600 rev 1 event monitored_host_unreachable action sas_deleted ip 192 168 1 2 tunnel PSK NAT Ex...

Page 723: ...lue is specified the default then the DSF value of the tunnel s inner packets will be copied into the outer header of the tunnel s outbound ESP packets The DS field value is part of the DiffServ architecture and specifies a Quality of Service QoS requirement for the traffic as it passes through other devices such as routers Diffserv is discussed further in Section 10 1 Traffic Shaping IPsec Max Ru...

Page 724: ...ates can be anything from a few hours and upwards depending on how the CA is configured Most CA software allow the CA administrator to issue new CRLs at any time so even if the next update field says that a new CRL is available in 12 hours there may already be a new CRL for download This setting limits the time a CRL is considered valid A new CRL is downloaded when IKECRLVailityTime expires or whe...

Page 725: ...abled NetDefendOS will fallback to using XCBC RFC 3664 if XCBC RFC 4344 fails during EAP authentication AES XCBC MAC is a method of generating the message authentication code MAC used in IKEv2 negotiations RFC 3664 states that only key lengths of 128 bits are supported for AES XCBC MAC This is a problem with EAP since EAP authentication uses session keys of at least 512 bits To solve this using on...

Page 726: ...on ID is always set by NetDefendOS to the value of the responder identity sent during the IKEv2 negotiation If no identity is available then the default value of 1234567891234321 is used Default Disabled Allow Port Change When a NAT device has been detected between the client and the NetDefend Firewall IKEv2 negotiation will switch from port 500 to 4500 and all ESP traffic will be encapsulated in ...

Page 727: ...ong period but at least one IKE packet has been seen within the last 10 x the configured value seconds then NetDefendOS will not send more DPD R U THERE messages to the other side Default 3 in other words 3 x 10 30 seconds DPD Keep Time The amount of time in tens of seconds that a peer is assumed to be dead after NetDefendOS has detected it to be so While the peer is considered dead NetDefendOS wi...

Page 728: ...h of time in seconds for which DPD R U THERE messages will be sent If the other side of the tunnel has not sent a response to any messages then it is considered to be dead not reachable The SA will then be placed in the dead cache This setting is used with IKEv1 only Default 15 seconds Chapter 9 VPN 728 ...

Page 729: ...ss to remote servers via dial up networks and is still widely used Implementation PPTP can be used in the VPN context to tunnel different protocols across the Internet Tunneling is achieved by encapsulating PPP packets in IP datagrams using Generic Routing Encapsulation GRE IP protocol 47 The client first establishes a connection to an ISP in the normal way using the PPP protocol and then establis...

Page 730: ... to and an IP pool that the PPTP server will use to give out IP addresses to the clients from Command Line Interface gw world add Interface L2TPServer MyPPTPServer ServerIP wan_ip Interface any IP lan_ip IPPool pp2p_Pool TunnelProtocol PPTP AllowedRoutes all nets Web Interface 1 Go to Network Interfaces and VPN PPTP L2TP Servers Add PPTP L2TP Server 2 Enter a name for the PPTP Server for example M...

Page 731: ...ecified to be an IPsec tunnel object If this is done then the tunnel should not have the Dynamically add route to remote network option enabled since this can cause problems Note All DHCP special parameters are not sent to clients When DHCP is configured on an L2TP IPsec interface to hand out client IPs NetDefendOS does not return all the DHCP special parameters This can be the source of issues wi...

Page 732: ...ome address objects for example the network that is going to be assigned to the L2TP clients Proposal lists and PSK are needed as well Here we will use the objects created in previous examples To be able to authenticate the users using the L2TP tunnel a local user database will be used A Start by preparing a new Local User Database Command Line Interface gw world add LocalUserDatabase UserDB gw wo...

Page 733: ... 2 Enter a name for the IPsec tunnel for example l2tp_ipsec 3 Now enter a Local Network wan_ip b Remote Network all nets c Remote Endpoint none d Encapsulation Mode Transport e IKE Algorithms High f IPsec Algorithms esp l2tptunnel 4 Enter 3600 for IPsec Life Time seconds 5 Enter 250000 for IPsec Life Time kilobytes 6 Under the Authentication tab select Pre shared Key 7 Select MyPSK as the Pre shar...

Page 734: ...cation Rules control 5 Select l2tp_pool in the IP Pool control 6 Under the Add Route tab select all nets in the Allowed Networks control 7 In the ProxyARP control select the lan interface 8 Click OK In order to authenticate the users using the L2TP tunnel a user authentication rule needs to be configured D Next will be setting up the authentication rules Command Line Interface gw world add UserAut...

Page 735: ...e all_services SourceInterface l2tp_tunnel SourceNetwork l2tp_pool DestinationInterface lan DestinationNetwork lannet name AllowL2TP gw world main add IPRule action NAT Service all_services SourceInterface l2tp_tunnel SourceNetwork l2tp_pool DestinationInterface wan DestinationNetwork all nets name NATL2TP Web Interface 1 Go to Policies Firewalling Main IP Rules Add IP Rule 2 Enter a name for the ...

Page 736: ...unnel setup The Local Network and Remote Network properties are ignored The Add route statically setting should be disabled It should be enabled only if the administrator has an in depth understanding of how this setting functions with transport mode If Add route statically is enabled with transport mode and the OutgoingRoutingTable is set to the same routing table as the RoutingTable NetDefendOS ...

Page 737: ...h the remote PPTP L2TP server will be listening for connections Where the remote endpoint is specified as an FQDN the prefix dns must be precede it For example dns server example com Remote Network The remote network which will be connected to inside the tunnel Traffic will flow between the client and this network Originator IP Type This specifies how the IP address is obtained for the local endpo...

Page 738: ...of the PPTP client feature is shown in the scenario depicted below Here a number of clients are being NATed through NetDefendOS before being connected to a PPTP server on the other side of the NetDefend Firewall If more that one of the clients is acting as a PPTP client which is trying to connect to the PPTP server then this will not work because of the NATing One way of achieving multiple PPTP cl...

Page 739: ...l To view all the sessions for a specific L2TP server the syntax would be gw world l2tp l2tpserver L2TP server object name Below is an example of some output where an L2TP tunnel object called my_l2tp_tunnel1 which has been established but has no connected clients so it is only listening gw world l2tp state all Active and listening sessions L2TP Tunnel Remote GW State Tunnel IDs my_l2tp_tunnel1 Li...

Page 740: ...32008 39949 1 Established 1 1 The pptp CLI Command NetDefendOS provides the CLI command pptp to show information about both PPTP clients and servers The pptp command syntax and output closely follows that of the l2tp command described above For example to list the current state of all PPTP servers and clients the command would be the following gw world pptp state all Active and listening sessions ...

Page 741: ...oes not provide encryption of transmitted data If the L2TPv3 tunnel is to be secure it should be used with IPsec or PPPoE NetDefendOS L2TPv3 can only be used with IPv4 IPv6 is not supported by NetDefendOS at this time L2TPv3 support in NetDefendOS allows the NetDefend Firewall to act as either an L2TPv3 server or a client Setting up these two functions is described next Note HA clusters do not sup...

Page 742: ... B Enable transparent mode for the protected interface Change the properties of the Ethernet interface connected to the protected network so that Transparent Mode is enabled C Set any required L2TPv3 Server advanced options Some L2TPv3 clients may require the setting of the option Host Name or Router ID for the server object If the Host Name is set to None the tunnel s Inner IP Address is used for...

Page 743: ...world set Interface Ethernet If3 AutoSwitchRoute Yes Web Interface A First define an L2TPv3 Server object 1 Go to Network Interfaces and VPN L2TPv3 Servers Add L2TPv3 Server 2 Now enter Name my_l2tpv3_if Inner IP Address If3_ip Local Network If3_net Outer Interface Filter If2 Server IP If2_ip 3 Click OK B Next enable transparent mode on the protected interface If3 1 Go to Network Interfaces and VP...

Page 744: ...the listening interface then becomes the tunnel The setup of the IPsec tunnel follows the same procedure as for standard L2TP and this is described in Section 9 5 2 L2TP Servers Example 9 16 L2TPv3 Server Setup With IPsec Assume the same scenario as the previous example but this time the L2TPv3 tunnel is itself being tunneled through an IPsec Tunnel object called my_ipsec_tunnel Setup of the IPsec...

Page 745: ...n the pair is made a member of that table Here is a summary of the setup steps for VLAN A Define an L2TPv3 server interface object as described previously but do not enable transparent mode on the protected Ethernet interface B Set up a NetDefendOS VLAN interface object with the following properties i The VLAN ID is the same as the VLAN ID of packets sent by clients ii The interface is the protect...

Page 746: ...define a L2TPv3 Server object gw world add Interface L2TPv3Server my_l2tpv3_if IP If3_ip LocalNetwork If3 Interface If2 ServerIP If2_ip B Next create a VLAN object on the protected interface If3 gw world add Interface VLAN my_vlan_local Ethernet If3 VLANID 555 IP If3_arbitrary_ip1 Network If3_net AutoSwitchRoute Yes C Last create a VLAN object on the L2TPv3 tunnel interface my_l2tpv3_if gw world a...

Page 747: ...f3 1 Go to Network Interfaces and VPN VLAN Add VLAN 2 Select the If3 interface 3 Now enter Name my_vlan_local Interface If3 VLAN ID 555 IP Address If3_arbitrary_ip1 Network If3_net 4 Select the option Enable transparent mode 5 Click OK C Create a VLAN object on the L2TPv3 tunnel interface my_l2tpv3_if 1 Go to Network Interfaces and VPN VLAN Add VLAN 2 Select the If3 interface 3 Now enter Name my_v...

Page 748: ...ect my_vlan_rt Click OK 9 6 2 L2TPv3 Client A NetDefend Firewall can also act as an L2TPv3 client This allows a remote firewall configured as an L2TPv3 client to act as a concentrator of traffic from locally connected clients so it is sent through a single L2TPv3 tunnel to an L2TPv3 server The following steps are required to configure NetDefendOS to be an L2TPv3 client A Define an L2TPv3Client obj...

Page 749: ..._client IP inner_client_ip LocalNetwork If1_net PseudowireType Ethernet Protocol UDP RemoteEndpoint l2tpv3_server_ip B Next enable transparent mode on the protected interface If1 gw world set Interface Ethernet If1 AutoSwitchRoute Yes Web Interface A First define an L2TPv3 Client object 1 Go to Network Interfaces and VPN L2TPv3 Client Add L2TPv3 Client 2 Now enter Name my_l2tpv3_client Inner IP Ad...

Page 750: ...wn in Example 9 14 Setting up an L2TP Tunnel Over IPsec Command Line Interface A Define the L2TPv3Client object gw world add Interface L2TPv3Client my_l2tpv3_client IP inner_client_ip LocalNetwork If1_net PseudowireType Ethernet Protocol UDP RemoteEndpoint l2tpv3_server_ip IPsecInterface l2tpv3_ipsec_tunnel B Next enable transparent mode on the protected interface If1 gw world set Interface Ethern...

Page 751: ... can handle VLAN tagged Ethernet frames so that a protected internal network can be access an external network over VLAN connections The setup of the VLANs is done in the same way as for the server and this is fully described in Section 9 6 1 L2TPv3 Server When setting up the L2TPv3 client object the PseudowireType property must be set to the value VLAN Chapter 9 VPN 751 ...

Page 752: ...n for example IPsec In addition hardware acceleration for IPsec is available on some hardware platforms to further boost processing efficiency Cryptographic Suites and TLS Version Supported by NetDefendOS NetDefendOS supports a number of cryptographic algorithms for SSL VPN Only some are enabled by default and all can be either enabled or disabled All the supported algorithms are listed in Section...

Page 753: ...or example with an Allow or NAT rule proxy ARP is not needed The option exists with NetDefendOS SSL VPN to automatically ARP publish all client IPs on all firewall interfaces but this is not recommended because of the security issues that are raised vii Routes for clients do not need to be defined in the routing tables as these are added automatically by NetDefendOS when SSL VPN tunnels are establ...

Page 754: ...e Ethernet interface IP address on which to listen for SSL VPN connection attempts by clients This will typically be a public IPv4 address which will be initially accessed using a web browser across the public Internet The following should be noted about this IP i The Server IP must be specified and will not default to the IP of the Outer Interface ii The Server IP cannot be an IP address which is...

Page 755: ...handed out to a connecting client Client Routes By default all client traffic is routed through the SSL tunnel when the client software is activated This behavior can be changed by specifying that only specific IPv4 addresses networks or address ranges will be accessible through the tunnel When this is done only the specified routes through the tunnel are added to the client s routing table and al...

Page 756: ...onnection Choices Using CA Signed Certificates By default NetDefendOS uses a self signed certificate when it displays the dialog shown above If it is desirable to use a CA signed certificate that may or may not use certificate chaining this can be configured on the RemoteMgmtSettings object In other words the certificates used for HTTPS Web Interface access are the same ones used for SSL VPN login...

Page 757: ...party might try to intercept communications between the firewall and the client Custom Server Connection When the SSL VPN client software is started it is possible to connect to an SSL VPN interface on a NetDefend Firewall that has not been connected to before This is done by enabling the option Specify Custom Server and explicitly specifying the IP address port and login credentials for the serve...

Page 758: ... handed out client IP address to the associated SSL VPN interface Traffic can now flow between the client and the firewall subject to NetDefendOS IP rules Specifying IP Rules for Traffic Flow No IP rules need to be specified for the setup of an SSL VPN tunnel itself provided that the advanced setting SSLVPNBeforeRules is enabled However appropriate IP rules need to be specified by the administrato...

Page 759: ...ically 9 7 4 SSL VPN Setup Example Example 9 20 Setting Up an SSL VPN Interface This example shows how to set up a new SSL VPN interface called my_sslvpn_if Assume that the physical interface If2 will be used to listen to client connections and this will have an external IP address already defined in the address book called sslvpn_server_ip Connections will be made using SSL VPN to a server locate...

Page 760: ... sslvpn_server_ip Name ssl_login Web Interface 1 Go to Policies User Authentication User Authentication Rules Add User Authentication Rule 2 Now enter Name ssl_login Agent L2TP PPTP SSL VPN Authentication Source Local Interface my_sslvpn_if Originator IP all nets a more specific range is more secure Terminator IP sslvpn_server_ip 3 For Local User DB choose lannet_auth_users 4 For Login Type choose...

Page 761: ...cted network protected_server_net which is already defined in the NetDefendOS address book Command Line Interface gw world set Interface SSLVPNInterface my_sslvpn_if ClientRoutes protected_server_net Web Interface 1 Go to Network Interfaces and VPN SSL 2 Select the tunnel called my_sslvpn_if 3 Under Client Routes move the address object protected_server_net from Available to Selected 4 Click OK Ch...

Page 762: ...rk such as a Wi Fi network at an airport the client will get an IP address from the Wi Fi network s DHCP server If that IP also belongs to the network behind the NetDefend Firewall accessible through a tunnel then Windows will still continue to assume that the IP address is to be found on the client s local network Windows therefore will not correctly route packets bound for the remote network thr...

Page 763: ...n the local zone Disable CRL revocation list checking to see if CA server access could be the problem CA Server issues are discussed further in Section 3 9 4 CA Server Access 9 8 3 The ike stat Command The ipsec CLI command can be used to show that IPsec tunnels have correctly established A representative example of output is gw world ipsec IPsec SAs Displaying one line per SA bundle IPsec Tunnel ...

Page 764: ...of the VPN tunnel s remote endpoint either the IP of the remote endpoint or the client IP To turn off monitoring the command is gw world ike snoop off By default ike snoop always creates the most verbose output It is possible to reduce this output volume by using the brief option However this may not provide sufficient detail to identify problems All the ike command options can be found in the sep...

Page 765: ...3200 Life type Kilobytes Life duration 50000 Transform 2 4 Transform ID IKE Encryption algorithm Rijndael cbc aes Key length 128 Hash algorithm SHA Authentication method Pre Shared Key Group description MODP 1024 Life type Seconds Life duration 43200 Life type Kilobytes Life duration 50000 Transform 3 4 Transform ID IKE Encryption algorithm 3DES cbc Hash algorithm MD5 Authentication method Pre Sha...

Page 766: ... DH group Life type Seconds or kilobytes Life duration No of seconds or kilobytes VID The IPsec software vendor plus what standards are supported For example NAT T Step 2 Server Responds to Client A typical response from the server is shown below This must contain a proposal that is identical to one of the choices from the client list above If no match was found by the server then a No proposal ch...

Page 767: ...ndor ID 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 Description draft ietf ipsec nat t ike 03 Step 3 Clients Begins Key Exchange The server has accepted a proposal at this point and the client now begins a key exchange In addition NAT detection payloads are sent to detect if NAT is being used Received IKE packet from 192 168 0 10 500 Exchange type Identity Protection main mode ISAKMP Version 1...

Page 768: ...Hash Payload data length 16 bytes N Notification Payload data length 8 bytes Protocol ID ISAKMP Notification Initial contact Explanation of Above Values Flags E means encryption it is the only flag used ID Identification of the client The Notification field is given as Initial Contact to indicate this is not a re key Step 6 Server ID Response The server now responds with its own ID Sending IKE pac...

Page 769: ...e Tunnel Transform 2 4 Transform ID Rijndael aes Key length 128 Authentication algorithm HMAC SHA 1 SA life type Seconds SA life duration 21600 SA life type Kilobytes SA life duration 50000 Encapsulation mode Tunnel Transform 3 4 Transform ID Blowfish Key length 128 Authentication algorithm HMAC MD5 SA life type Seconds SA life duration 21600 SA life type Kilobytes SA life duration 50000 Encapsula...

Page 770: ...0x5e347cb76e95a Message ID 0xaa71428f Packet length 156 bytes payloads 5 Payloads HASH Hash Payload data length 16 bytes SA Security Association Payload data length 56 bytes DOI 1 IPsec DOI Proposal 1 1 Protocol 1 1 Protocol ID ESP SPI Size 4 SPI Value 0xafba2d15 Transform 1 1 Transform ID Rijndael aes Key length 128 Authentication algorithm HMAC MD5 SA life type Seconds SA life duration 21600 SA ...

Page 771: ...elated error message It means that depending on which side initiates tunnel setup the negotiations in either the IKE or the IPSec phase of setup failed since they were unable to find a matching proposal that both sides could agree on Troubleshooting this error message can be involved since the reasons for this message can be multiple depending on where in the negotiation it occurred If the negotia...

Page 772: ...te Network Remote Gateway VPN 1 lannet office1net office1gw VPN 2 lannet office2net office2gw L2TP ip_wan all nets all nets VPN 3 lannet office3net office3gw Since the tunnel L2TP in the above table is above the tunnel VPN 3 a match will trigger before VPN 3 because of the all nets remote gateway all nets will match any network Since these two tunnels use different pre shared keys NetDefendOS will...

Page 773: ...all or they are in different time zones The NetDefend Firewall is unable to reach the Certificate Revocation List CRL on the CA server in order to verify if the certificate is valid or not Double check that the CRL path is valid in the certificate s properties Note that usage of the CRL feature can be turned off Also make sure that there is a DNS client configured for NetDefendOS in order to be ab...

Page 774: ... A s local network This means that Side A can only initiate the tunnel successfully towards Site B as its network is smaller When Side B tries to initiate the tunnel Side A will reject it because the network is bigger than what is defined The reason it works the other way around is because a smaller network is considered more secure and will be accepted This principle also applies to the lifetimes...

Page 775: ...Chapter 9 VPN 775 ...

Page 776: ...n in packet headers to provide network devices with QoS information NetDefendOS DiffServ Support NetDefendOS supports the DiffServ architecture in the following ways NetDefendOS forwards the 6 bits which make up the DiffServ Differentiated Services Code Point DSCP As described later in this chapter DSCP bits can be used by the NetDefendOS traffic shaping subsystem as a basis for prioritizing traff...

Page 777: ...cording to administrator decisions If traffic with a high priority increases while a communication line is full traffic with a low priority can be temporarily limited to make room for the higher priority traffic Providing bandwidth guarantees This is typically accomplished by treating a certain amount of traffic the guaranteed amount as high priority The traffic that is in excess of the guarantee ...

Page 778: ...rule is defined like other NetDefendOS security policies by specifying both the source and destination for the interface and network as well as the service to which the rule is to apply Once a new connection is permitted by the IP rule set the pipe rule set is then checked for any matching pipe rules Pipe rules are checked in the same way as IP rules by going from top to bottom first to last in th...

Page 779: ...his provides a means to explicitly exclude particular traffic from traffic shaping Such rules are not absolutely necessary but if placed at the beginning of the pipe rule set they can guard against accidental traffic shaping by later rules Pipes Will Not Work With FwdFast IP Rules It is important to understand that traffic shaping will not work with traffic that is flows as a result of triggering ...

Page 780: ...or bandwidth limiting This is also a scenario that does not require much planning The example that follows applies a bandwidth limit to inbound traffic only This is the direction most likely to cause problems for Internet connections Example 10 1 Applying a Simple Bandwidth Limit Begin with creating a simple pipe that limits all traffic that gets passed through it to 2 megabits per second regardle...

Page 781: ...Pipe Rule 2 Specify a suitable name for the pipe for instance outbound 3 Now enter Service all_services Source Interface lan Source Network lannet Destination Interface wan Destination Network all nets 4 Under the Traffic Shaping tab make std in selected in the Return Chain control 5 Click OK This setup limits all traffic from the outside the Internet to 2 megabits per second No priorities are app...

Page 782: ...ic In the scenario under discussion each pipe would have a 2 Mbps limit to achieve the desired result The following example goes through the setup for this Example 10 2 Limiting Bandwidth in Both Directions Create a second pipe for outbound traffic Command Line Interface gw world add Pipe std out LimitKbpsTotal 2000 Web Interface 1 Go to Policies Traffic Management Pipes Add Pipe 2 Specify a name ...

Page 783: ...er Unfortunately this will not achieve the desired effect which is allocating a maximum of 125 Kbps to inbound surfing traffic as part of the 250 Kbps total Inbound traffic will pass through one of two pipes one that allows 250 Kbps and one that allows 125 Kbps giving a possible total of 375 Kbps of inbound traffic but this exceeds the real limit of 250 Kbps The Correct Solution To provide the sol...

Page 784: ...Precedence 0 is the least important lowest priority precedence and 7 is the most important highest priority precedence A precedence can be viewed as a separate traffic queue traffic in precedence 2 will be forwarded before traffic in precedence 0 precedence 4 forwarded before 2 Figure 10 4 The Eight Pipe Precedences Precedence Priority is Relative The priority of a precedence comes from the fact t...

Page 785: ...pecified in kilobits per second and or packets per second if both are specified then the first limit reached will be the limit used Tip Specifying bandwidth Remember that when specifying network traffic bandwidths the prefix Kilo means 1000 and NOT 1024 For example 3 Kbps means 3000 bits per second Similarly the prefix Mega means one million in a traffic bandwidth context Precedence Limits are als...

Page 786: ...g to precedence with higher precedence packets that do not exceed the precedence limit being sent before lower precedence packets Lower precedence packets are buffered until they can be sent If buffer space becomes exhausted then they are dropped If a total limit for a pipe is not specified it is the same as saying that the pipe has unlimited bandwidth and consequently it can never become full so ...

Page 787: ...e If more than 96 Kbps of precedence 2 traffic arrives any excess traffic will be moved down to the best effort precedence All traffic at the best effort precedence is then forwarded on a first come first forwarded basis Note A limit on the lowest precedence has no meaning Setting a maximum limit for the lowest best effort precedence or any lower precedences has no meaning and will be ignored by N...

Page 788: ...ps respectively of precedence 2 traffic will reach std in SSH and Telnet traffic exceeding their guarantees will reach std in as precedence 0 the best effort precedence of the std in and ssh in pipes Note The return chain ordering is important Here the ordering of the pipes in the return chain is important Should std in appear before ssh in and telnet in then traffic will reach std in at the lowes...

Page 789: ...s specified These values are in fact guarantees not limits for each user in a group For example precedence 3 might have the value 50 Kbps and this is saying that an individual user in other words each source IP if that is the selected grouping with that precedence will be guaranteed 50 Kbps at the expense of lower precedences The precedences for each user must be allocated by different pipe rules ...

Page 790: ...t of 400 Kbps Combining Pipe and Group Limit Precedence Values Let us suppose that grouping is enabled by one of the options such as source IP and some values for precedences have been specified under Group Limits How does these combine with values specified for the corresponding precedences in Pipe Limits In this case the Group Limits precedence value is a guarantee and the Pipe Limits value for ...

Page 791: ...ch user will have to compete for the available precedence 2 bandwidth the same way they have to compete for the lowest precedence bandwidth Some users will still get their 16 Kbps some will not Dynamic balancing can be enabled to improve this situation by making sure all of the 5 users get the same amount of limited bandwidth When the 5th user begins to generate SSH traffic balancing lowers the li...

Page 792: ...at NetDefendOS might slightly overload the connection because of the software delays involved in deciding to send packets and the packets actually being dispatched from buffers For inbound connections there is less control over what is arriving and what has to be processed by the traffic shaping subsystem and it is therefore more important to set pipe limits slightly below the real connection limi...

Page 793: ...ich is also a guarantee Traffic that exceeds this will be sent at the minimum precedence which is also called the Best Effort precedence At the best effort precedence all packets are treated on a first come first forwarded basis Within a pipe traffic can also be separated on a Group basis For example by source IP address Each user in a group for example each source IP address can be given a maximu...

Page 794: ...ate the following Pipe Rule which will force traffic to flow through the pipes Rule Name Forward Pipes Return Pipes Source Interface Source Network Destination Interface Destination Network Selected Service all_1mbps out pipe in pipe lan lannet wan all nets all_services The rule will force all traffic to the default precedence level and the pipes will limit total traffic to their 1 Mbps limit Havi...

Page 795: ...is important that no traffic bypasses the pipe rule set otherwise using pipes will not work Pipe Chaining Suppose the requirement now is to limit the precedence 2 capacity other traffic to 1000 Kbps so that it does not spill over into precedence 0 This is done with pipe chaining where we create new pipes called in other and out other both with a Pipe Limit of 1000 The other pipe rule is then modif...

Page 796: ...sent at the best effort priority see above for an explanation of this term Again a 2 2 Mbps symmetric link is assumed The pipes required will be vpn in Priority 6 VoIP 500 Kbps Priority 0 Best effort Total 1700 vpn out Priority 6 VoIP 500 Kbps Priority 0 Best effort Total 1700 in pipe Priority 6 VoIP 500 Kbps Total 2000 out pipe Priority 6 VoIP 500 Kbps Total 2000 The following pipe rules are then...

Page 797: ...n server traffic is initiated from the outside so the order of pipes needs to be reversed the forward pipe is the in pipe and the return pipe is the out pipe A simple solution is to put a catch all inbound rule at the bottom of the pipe rule However the external interface wan should be the source interface to avoid putting into pipes traffic that is coming from the inside and going to the external...

Page 798: ...dy provides a highly effective means to perform this recognition and as an extension to this NetDefendOS also provides the ability to apply throttling through the NetDefendOS traffic shaping subsystem when the targeted traffic is recognized IDP Traffic Shaping is a combination of these two features where traffic flows identified by the IDP subsystem automatically trigger the setting up of traffic ...

Page 799: ...the processing steps that occur 1 A new connection is opened by one host to another through the NetDefend Firewall and traffic begins to flow The source and destination IP address of the connection is noted by NetDefendOS 2 The traffic flowing on the connection triggers an IDP rule The IDP rule has Pipe as action so the traffic on the connection is now subject to the pipe traffic shaping bandwidth...

Page 800: ... user whose traffic might also have to be traffic shaped if they become involved in a P2P transfer If Network is not specified then any connection involving either client A or host X will be subject to traffic shaping and this is probably not desirable 10 2 5 A P2P Scenario The schematic below illustrates a typical scenario involving P2P data transfer The sequence of events is The client with IP a...

Page 801: ... from traffic shaping using the command gw world idppipes unpipe host 192 168 1 1 A full description of the idppipes command can be found in the separate CLI Reference Guide Viewing Pipes IDP Traffic Shaping makes use of normal NetDefendOS pipe objects which are created automatically These pipes are always allocated the highest priority and use the Group feature to throttle traffic The created pip...

Page 802: ...traffic in the upstream pipe grouped using the Per Source IP feature and traffic in the downstream pipe grouped using the Per Destination IP feature 10 2 7 Guaranteeing Instead of Limiting Bandwidth If desired IDP Traffic Shaping can be used to do the opposite of limiting bandwidth for certain applications If the administrator wants to guarantee a bandwidth level say 10 Megabits for an application...

Page 803: ...s added to it as children and these specify how to handle different threshold conditions A Threshold Action object has the following key properties Action This is the response of the rule when the limit is exceeded Either the option Audit or Protect can be selected These options are explained in more detail below Group By The rule can be either Host or Network based These options are explained bel...

Page 804: ...e only the action with the highest threshold value will be logged Exempted Connections It should be noted that some advanced settings known as Before Rules settings can exempt certain types of connections for remote management from examination by the NetDefendOS IP rule set if they are enabled These Before Rules settings will also exempt the connections from threshold rules if they are enabled Thr...

Page 805: ...seconds and any existing connections from that IP will be dropped when the theshold rule is triggered Here the expectation is that a SAT rule would translate the destination address to the IP address of a protected webserver Command Line Interface First create the threshold rule gw world add ThresholdRule SourceInterface wan SourceNetwork all nets DestinationInterface core DestinationNetwork wan_i...

Page 806: ...he threshold action to the rule 3 Select Threshold Action 4 Select Add Threshold Action 5 Now enter Action Protect Group by Host based Enable Blacklist Time to block 300 Enable Block only service Disable Ignore Established 6 Click OK Chapter 10 Traffic Management 806 ...

Page 807: ... of administration The principle SLB benefit of sharing the load across multiple servers can improve not just the performance of applications but also scalability by facilitating the implementation of a cluster of servers sometimes referred to as a server farm that can handle many more requests than a single server Note SLB is not available on all NetDefend models The SLB feature is not available ...

Page 808: ...nistrators to perform maintenance tasks on servers or applications without disrupting services Individual servers can be restarted upgraded removed or replaced and new servers and applications can be added or moved without affecting the rest of a server farm or taking down applications The combination of network monitoring and distributed load sharing also provides an extra level of protection aga...

Page 809: ...that all servers receive an equal number of requests therefore it is most suited to server farms where all servers have an equal capacity and the processing loads of all requests are likely to be similar Connection rate This algorithm considers the number of requests that each server has been receiving over a certain time period This time period is known as the Window Time SLB sends the next reque...

Page 810: ...When a match is found then stickiness ensures that the new connection goes to the same server as previous connections from the same source IP The default value for this setting is 10 seconds Max Slots This parameter specifies how many slots exist in the stickiness table When the table fills up then the oldest entry is discarded to make way for a new entry even though it may be still valid the Idle...

Page 811: ...gorithm is used the first arriving requests R1 and R2 from Client 1 are both assigned to one server say Server 1 according to stickiness The next request R3 from Client 2 is then routed to Server 2 When R4 from Client 3 arrives Server 1 gets back its turn again and will be assigned with R4 Figure 10 11 Stickiness and Round Robin If the connection rate algorithm is applied instead R1 and R2 will be...

Page 812: ...orks at OSI layer 4 SLB attempts to connect to a specified port on each server For example if a server is specified as running web services on port 80 the SLB will send a TCP SYN request to that port If SLB does not receive a TCP SYN ACK back it will mark port 80 on that server as down SLB recognizes the conditions no response normal response or closed port response from servers 10 4 6 Setting Up ...

Page 813: ...l web_slb_allow Allow wan all nets core wan_ip http all It is assumed here that internal clients also open connections to wan_ip in order to access the web servers and so their connections are automatically routed to core In the IP rules the destination interface is always specified as core meaning NetDefendOS itself deals with the connection The key advantage of having a separate Allow rule is th...

Page 814: ...tp all SLBAddresses server_group Name web_slb D Specify a NAT rule for internal clients access to the servers gw world add IPRule Action NAT SourceInterface lan SourceNetwork lan net DestinationInterface core DestinationNetwork wan_ip Service http all NATAction UseInterfaceAddress Name web_slb_nat E Specify an Allow IP rule for the external clients gw world add IPRule Action Allow SourceInterface ...

Page 815: ... Add IP Rule 2 Now enter Name web_slb Action SLB_SAT Service HTTP Source Interface wan Source Network all nets Destination Interface core Destination Network wan_ip 3 Select SAT SLB 4 Under Server Addresses add server_group to Selected 5 Click OK D Specify a NAT rule for internal clients access to the servers 1 Go to Policies Firewalling Main IP Rules Add IP Rule 2 Now enter Name web_slb_nat Actio...

Page 816: ... SLB Policy In this example server load balancing is performed between two HTTP web servers situated behind the NetDefend Firewall These web servers have the private IPv4 addresses 192 168 1 10 and 192 168 1 11 Access by external clients is via the wan interface which has the IPv4 address wan_ip The default SLB values for monitoring distribution method and stickiness are used Command Line Interfac...

Page 817: ...f the web servers 1 Go to Objects Address Book Add IP4 Address 2 Enter a suitable name in this example server1 3 Enter the IP Address as 192 168 1 10 4 Click OK 5 Repeat the above to create an object called server2 for the 192 168 1 11 IP address B Specify the SLB_SAT IP rule 1 Go to Policies Firewalling Main IP Rules Add SLB Policy 2 Now enter Name my_web_slb_policy Source Interface wan Source Ne...

Page 818: ...er1 and server2 to Selected 4 Click OK B 2 Now create the SLBPolicy object 1 Go to Policies Firewalling Main IP Rules Add SLB Policy 2 Now enter Name my_web_slb_policy Source Interface my_if_group Source Network all nets Destination Interface core Destination Network wan_ip Service http all Selected server1 and server2 3 Click OK Chapter 10 Traffic Management 818 ...

Page 819: ...Chapter 10 Traffic Management 819 ...

Page 820: ...onization link and make up a logical HA Cluster One of the units in a cluster will be active while the other unit will be inactive and on standby Initially the cluster slave will be inactive and will only monitor the activity of the master If the slave detects that the master has become inoperative an HA failover takes place and the slave becomes active assuming processing responsibility for all t...

Page 821: ...active unit and the active unit knows about the health of the passive The heartbeat mechanism is discussed below with more detail in Section 11 2 HA Mechanisms Cluster Management When managing the cluster through the Web Interface or CLI the configuration on one cluster unit can be changed and this will then be automatically copied to the other unit provided that automatic synchronization is enabl...

Page 822: ...nit is not responding Extending Redundancy Implementing an HA Cluster will eliminate one of the points of failure in a network Routers switches and Internet connections can remain as potential points of failure and redundancy for these should also be considered Protecting Against Network Failures Using HA and Link Monitor The NetDefendOS Link Monitor feature can be used to check connection with a ...

Page 823: ...e not sent at smaller intervals because such delays may occur during normal operation An operation for example opening a file could result in delays long enough to cause the inactive system to go active even though the other is still active Important Disabling sending heartbeats on interfaces The administrator can manually disable heartbeat sending on any interface if that is desired This is a pro...

Page 824: ... C1 4A nn where nn is derived by combining the configured Cluster ID with the hardware bus slot port of the interface The Cluster ID must be unique for each NetDefendOS cluster in a network As the shared IP address always has the same hardware address there will be no latency time in updating ARP caches of units attached to the same LAN as the cluster when failover occurs When a cluster member dis...

Page 825: ... been lost Failure of the sync interface results in the generation of hasync_connection_failed_timeout log messages by the active unit However it should be noted that this log message is also generated whenever the inactive unit appears to be not working such as during a software upgrade Failure of the sync interface can be confirmed by comparing the output from certain CLI commands for each unit ...

Page 826: ...successfully if there is a system failure A restart of the inactive unit is the only time when the entire state of the active unit is sent to the inactive unit Chapter 11 High Availability 826 ...

Page 827: ...aces of master and slave through separate switches or separate broadcast domains It is important to keep the traffic on each interface pair separated from other pairs Select one unique interface on the master and slave which is to be used by the units for monitoring each other This will be the sync interface It is recommended that the same interface is used on both master and slave assuming they a...

Page 828: ... routing and it is also the address used by dynamic address translation unless the configuration explicitly specifies another address Note Master and slave management IPs must be different The shared IP address cannot be used for remote management or monitoring purposes For example when using SSH for remote management of the NetDefend Firewalls in an HA Cluster the individual IP addresses of each ...

Page 829: ...ction The illustration above shows a direct crossover cable connection between the sync interfaces of each unit Alternatively the connection could be via a switch or broadcast domain Wizard and Manual Software Setup The software setup procedures are now divided into the two sections that follow Section 11 3 2 Wizard HA Setup for fast simple setup Section 11 3 3 Manual HA Setup for step by step man...

Page 830: ...resses below for an explanation of this option 3 Select the shared IP address and if desired the individual IP4 HA Address objects created earlier Make sure the management interface IPs are different for master and slave 4 The wizard will confirm that master setup is complete B Running the Wizard for Slave Setup 1 Specify the NodeType ClusterID and Interface that will be used for synchronization 2...

Page 831: ...r commit the new configuration manually before dealing with the ARP issue or lengthen the time available by increasing the advanced setting Validation Timeout 11 3 3 Manual HA Setup To set up an HA cluster manually without the wizard the steps are as follows 1 Connect to the master unit with the Web Interface 2 Go to System Device High Availability 3 Check the Enable High Availability checkbox 4 S...

Page 832: ...an administrator make the change then save and activate The change is automatically made to both units Automatic synchronization is discussed in more depth in Section 11 1 Overview 11 3 4 Verifying that the Cluster Functions Correctly Important Perform shutdown on both master and slave After the cluster has been configured it is highly recommended to perform a shutdown operation on both cluster un...

Page 833: ... gw world shutdown Where a cluster has a very high number for example tens of thousands of simultaneous connections then it may be necessary to set a high value for this instead of enabling the Dynamic High Buffers option A very high value for High Buffers can suit situations with large numbers of connections but can have the disadvantage of increasing throughput See Section 13 10 Miscellaneous Se...

Page 834: ... the event of a failover occurring for these types of tunnel incoming clients must re establish their tunnels after the original tunnels are deemed non functional The timeout for this varies depending on the client and is typically within the range of a few seconds to a few minutes DHCP Servers for IPv4 DHCP as well as DHCPv6 have full HA synchronization support However the clients for both IPv4 D...

Page 835: ...continue to function This means that failover will not occur if the active unit can still send I am alive heartbeats to the inactive unit through any of its interfaces even though one or more interfaces may be inoperative However by utilizing the NetDefendOS link monitoring feature NetDefendOS can be configured to trigger immediate HA failover on interface failure This is discussed further in Sect...

Page 836: ...ee the unused interface as a failed interface The higher the proportion of unused interfaces there are in a cluster the more pronounced the effect of sending heartbeats on unused interfaces becomes Both Units Going Active In the case of a misconfiguration of an HA cluster a worst case scenario could arise where both the master and slave think the other unit has failed and both can go active at the...

Page 837: ... it is necessary to identify this To do this connect with a CLI console to one of the cluster units and issue the ha command The typical output if the unit is active is shown below gw world ha This device is a HA SLAVE This device is currently ACTIVE will forward traffic This device has been active 430697 sec HA cluster peer is ALIVE This unit the slave is the currently active unit so the other on...

Page 838: ...IVE should appear in the output D Upgrade the newly inactive unit When the failover is complete upgrade the newly inactive unit with the new NetDefendOS version Just like step B this is done in the normal way as though the unit were not part of a cluster E Wait for resynchronization Once the second software upgrade is complete two units will automatically resynchronize and the cluster will continu...

Page 839: ... whose reachability is monitored using ICMP Ping requests and therefore link status If these hosts become unreachable then the link is considered failed and a failover to a slave can be initiated Provided that the slave is using a different network link and also monitoring the reachability of different hosts traffic can continue to flow Using the Shared IP Address When this property of the Link Mo...

Page 840: ...psed the synchronization traffic is then only sent after repeated periods of silence The length of this silence is taken from this setting Default 5 Use Unique Shared Mac Use a unique shared MAC address for each interface For further explanation of this setting see Section 11 3 5 Unique Shared Mac Addresses Default Enabled Deactivate Before Reconf If enabled this setting will make an active node f...

Page 841: ...Number of milliseconds that the active unit in the cluster has been unresponsive before a failover is initiated by the inactive unit Default 750 Chapter 11 High Availability 841 ...

Page 842: ...Chapter 11 High Availability 842 ...

Page 843: ...kes Use of SNMP Simple Network Management Protocol SNMP is an application layer protocol for complex network management SNMP allows the managers and managed devices in a network to communicate with each other For ZoneDefense NetDefendOS uses SNMP to control switch behavior Management privileges to a switch are gained by NetDefendOS using the configured SNMP Community String for write access The ap...

Page 844: ...to be manually specified in the NetDefendOS configuration The information that must be specified in the configuration setup in order to control a switch includes The IP address of the management interface of the switch The switch model type or Universal MIB for newer switches The SNMP community string for write access to the switch ZoneDefense supports all newer D Link switches which use the Unive...

Page 845: ...of traffic a threshold rule applies to A single threshold rule object has the following properties Source interface and source network Destination interface and destination network Service Type of threshold Host and or network based Traffic that matches the above criteria and causes the host network threshold to be exceeded will trigger the ZoneDefense feature This will prevent the host networks f...

Page 846: ...shold of 10 connections second is to be applied to traffic If the connection rate exceeds this NetDefendOS will instruct the switch to block the host within the network range 192 168 2 0 24 A D Link switch of model type DES 3226S is assumed with a management interface address of 192 168 1 250 and it is connected to a firewall interface with address 192 168 1 1 This interface will be added into the...

Page 847: ... Go to Policies Traffic Management Threshold Rules Add Threshold Rule 2 For the Threshold Rule enter Name HTTP Threshold Service http 3 For Address Filter enter Source Interface Enter the firewall s management interface Destination Interface any Source Network 192 168 2 0 24 or the address object name Destination Network all nets 4 Click OK Specify the threshold the threshold type and the action t...

Page 848: ...the latency between the triggering of a blocking rule to the moment when a switch actually starts blocking out the traffic matched by the rule All switch models require a short period of latency time to implement blocking once the rule is triggered Some models can activate blocking in less than a second while some models may require a minute or more A second difference is the maximum number of rul...

Page 849: ...to take effect IP Level Settings page 849 TCP Level Settings page 853 ICMP Level Settings page 859 State Settings page 860 Connection Timeout Settings page 862 Length Limit Settings page 864 Fragmentation Settings page 867 Local Fragment Reassembly Settings page 871 SSL TLS Settings page 872 Miscellaneous Settings page 875 13 1 IP Level Settings Log Checksum Errors Logs occurrences of IP packets c...

Page 850: ...th a TTL of 0 Default Enabled Block 0000 Src Block 0 0 0 0 as source address Default Drop Block 0 Net Block 0 as source addresses Default DropLog Block 127 Net Block 127 as source addresses Default DropLog Block Multicast Src Block multicast both source addresses 224 0 0 0 255 255 255 255 Default DropLog TTL Min The minimum TTL value accepted on receipt Default 3 TTL on Low Determines the action t...

Page 851: ...ze of well known option types and ensures that no option exceeds the size limit stipulated by the IP header itself Default ValidateLogBad IP Option Source Return Indicates whether source routing options are to be permitted These options allow the sender of the packet to control how the packet is to be routed through each router and firewall These constitute an enormous security risk NetDefendOS ne...

Page 852: ...ce it is more specialized Default DropLog IP Reserved Flag Indicates what NetDefendOS will do if there is data in the reserved fields of IP headers In normal circumstances these fields should read 0 Used by OS Fingerprinting Default DropLog Strip DontFragment Strip the Don t Fragment flag for packets equal to or smaller than the size specified by this setting Default 65535 bytes Multicast Mismatch...

Page 853: ...ax As is the case with TCPMSSMax this is the highest Maximum Segment Size allowed However this setting only controls MSS in VPN connections This way NetDefendOS can reduce the effective segment size used by TCP in all VPN connections This reduces TCP fragmentation in the VPN connection even if hosts do not know how to perform MTU discovery This setting must be less than the maximum IPsec MTU size ...

Page 854: ...alidateLogBad TCP Option SACK Determines how NetDefendOS will handle selective acknowledgment options These options are used to ACK individual packets instead of entire series which can increase the performance of connections experiencing extensive packet loss They are also used by OS Fingerprinting SACK is a common occurrence in modern networks Default ValidateLogBad TCP Option TSOPT Determines h...

Page 855: ...ption CC Determines how NetDefendOS will handle connection count options Note that this TCP option is obsoleted by RFC 6247 and only some network equipment will make use of it Default StripLogBad TCP Option Other Specifies how NetDefendOS will deal with TCP options not covered by the above settings These options usually never appear on modern networks Default StripLog TCP SYN URG Specifies how Net...

Page 856: ...ould be used to crash poorly implemented TCP stacks and is also used by OS Fingerprinting Default DropLog TCP URG Specifies how NetDefendOS will deal with TCP packets with the URG flag turned on regardless of any other flags Many TCP stacks and applications deal with Urgent flags in the wrong way and can in the worst case scenario cease working Note however that some programs such as FTP and MS SQ...

Page 857: ...ts with a previously used sequence number ValidateReopen and ValidReopenLog are special settings giving the default behavior found in older NetDefendOS versions where only re open attempts using a sequence number falling inside the current or last used TCP window will be allowed This is more restrictive than ValidateLogBad ValidateSilent and will block some valid TCP re open attempts The most sign...

Page 858: ...Allow TCP Reopen Allow clients to re open TCP connections that are in the closed state Default Disabled Chapter 13 Advanced Settings 858 ...

Page 859: ...ds this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section Default 500 Silently Drop State ICMPErrors Specifies if NetDefendOS should silently drop ICMP errors pertaining to statefully tracked open connections If these errors are not dropped by this setting they are passed to the rule set for evaluation just like any other packet Default Enabled Ch...

Page 860: ... such as UDP there is no way of determining whether the remote peer is attempting to open a new connection Default Enabled Log State Violations Determines if NetDefendOS logs packets that violate the expected state switching diagram of a connection for example getting TCP FIN packets in response to TCP SYN packets Default Enabled Log Connections Specifies how NetDefendOS will log connections NoLog...

Page 861: ...ng should only be enabled for diagnostic and testing purposes since it generates unwieldy volumes of log messages and can also significantly impair throughput performance Default Disabled Dynamic Max Connections Allocate the Max Connection value dynamically Default Enabled Max Connections This setting applies if Dynamic Max Connections above is disabled Specifies how many connections NetDefendOS m...

Page 862: ...ds how long a TCP connection about to close may idle before finally being closed Connections reach this state when a packet with its FIN flag on has passed in any direction Default 80 UDP Idle Lifetime Specifies in seconds how long UDP connections may idle before being closed This timeout value is usually low as UDP has no way of signaling when the connection is about to close Default 130 UDP Bidi...

Page 863: ...n lifetime for IGMP in seconds Default 12 Other Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before it is closed Default 130 Chapter 13 Advanced Settings 863 ...

Page 864: ... be quite high since many real time applications use large fragmented UDP packets If no such protocols are used the size limit imposed on UDP packets can probably be lowered to 1480 bytes Default 60000 Max ICMP Length Specifies in bytes the maximum size of an ICMP packet ICMP error messages should never exceed 600 bytes although Ping packets can be larger if so requested This value may be lowered ...

Page 865: ...fies in bytes the maximum size of an IP in IP packet IP in IP is used by Checkpoint Firewall 1 VPN connections when IPsec is not used This value should be set at the size of the largest packet allowed to pass through the VPN connections regardless of its original protocol plus approx 50 bytes Default 2000 Max IPsec IPComp Length Specifies in bytes the maximum size of an IPComp packet Default 2000 ...

Page 866: ...Default Enabled Chapter 13 Advanced Settings 866 ...

Page 867: ...ng reassembled is suspect which can be used for logging further down the track DropPacket Discards the illegal fragment and all previously stored fragments Will not allow further fragments of this packet to pass through during ReassIllegalLinger seconds DropLogPacket As DropPacket but also logs the event DropLogAll As DropLogPacket but also logs further fragments belonging to this packet that arri...

Page 868: ...pPacket The following settings are available for FragReassemblyFail NoLog No logging is done when a reassembly attempt fails LogSuspect Logs failed reassembly attempts only if suspect fragments have been involved LogSuspectSubseq As LogSuspect but also logs subsequent fragments of the packet as and when they arrive LogAll Logs all failed reassembly attempts LogAllSubseq As LogAll but also logs sub...

Page 869: ...for IP stacks it is usually not possible to set this limit too high It is rarely the case that senders create very small fragments However a sender may send 1480 byte fragments and a router or VPN tunnel on the route to the recipient subsequently reduce the effective MTU to 1440 bytes This would result in the creation of a number of 1440 byte fragments and an equal number of 40 byte fragments Beca...

Page 870: ...mbly Illegal Limit Once a whole packet has been marked as illegal NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving Default 60 Chapter 13 Advanced Settings 870 ...

Page 871: ...t Maximum number of concurrent local reassemblies Default 256 Max Size Maximum size of a locally reassembled packet Default 10000 Large Buffers Number of large over 2K local reassembly buffers of the above size Default 32 Chapter 13 Advanced Settings 871 ...

Page 872: ...t then some SSL connection setups may fail under a heavy SSL load and the following log message will be seen SSL Handshake Disallow ClientKeyExchange Closing down SSL connection The solution to the problem is to increase the maximum CPU resources available from the default setting of Normal about 17 up to either High about 25 or Very High about 50 However a higher CPU allocation may adversely effe...

Page 873: ...ecurity and disabled by default but can be enabled if required although this is not recommended TLS RSA RC4 128 SHA1 Enable cipher RSA_WITH_RC4_128_SHA1 Default Disabled TLS RSA RC4 128 MD5 Enable cipher TLS_RSA_WITH_RC4_128_MD5 Default Disabled TLS RSA EXPORT 1024 RC4 56 SHA1 Enable cipher TLS_RSA_EXPORT1024_WITH_RC4_56_SHA1 Default Disabled TLS RSA EXPORT 1024 RC4 40 MD5 Enable cipher TLS_RSA_EX...

Page 874: ...ms are recommended By default all symmetric encryption algorithms except AES and 3DES are disabled It is not recommended that this is changed The algorithms disabled by default are considered to be insecure at the time this document was written If the administrator does enable any of the weaker algorithms NetDefendOS will issue a warning when the configuration is committed and will continue to dis...

Page 875: ... available memory with a lower limit of 1024 Note that in addition to this there is always an extra 512 Kbytes allocated for buffers This setting requires a NetDefendOS restart for a new value to take effect A reconfiguration is not sufficient Default Enabled High Buffers If Dynamic High Buffers is not enabled then this number of buffers will be allocated in RAM above the 1 MByte limit When troubl...

Page 876: ...umstances will application control use up a high level of total system memory This setting puts a maximum limit of how much memory can be used When this maximum is reached the application control subsystem will restart and clear all its memory usage When this occurs no traffic connections will not be dropped but application control will not be applied during the restart period This setting can be ...

Page 877: ...her subsystems of such overlaps The associated settings limit memory used by the re assembly subsystem This setting specifies how many connections can use the re assembly system at the same time It is expressed as a percentage of the total number of allowed connections The minimum value is 1 The maximum value is 100 Default 80 Max Memory This setting specifies how much memory that the re assembly ...

Page 878: ...Screen Saver Selection The type of screen saver used Default Blank Status Bar Selection The status bar control Default Auto Chapter 13 Advanced Settings 878 ...

Page 879: ...Chapter 13 Advanced Settings 879 ...

Page 880: ...Make sure that NetDefendOS has access to the public Internet when doing this Tip A registration guide can be downloaded A step by step Registration manual which explains registration and update service procedures in more detail is available for download from the D Link website Subscription renewal In the Web Interface go to Status Maintenance License to check which update services are activated an...

Page 881: ...me by using the command gw world updatecenter update idp An Anti Virus update can similarly be initiated with the command gw world updatecenter update antivirus Querying Update Status To get the status of IDP updates use the command gw world updatecenter status idp To get the status of AV updates gw world updatecenter status antivirus Querying Server Status To get the status of the D Link network ...

Page 882: ...pdate center update antivirus Subscription Expiry Behavior The behavior on subscription expiry varies according to the subsystem The following occurs Anti Virus Subscription expiry results in anti virus scanning operating normally but the signature database will not be updated until the subscription is renewed IDP Subscription expiry results in the same behavior as for anti virus IDP scanning will...

Page 883: ...nistrator has configured application control to behave with the unknown tag In addition a warning expiry message is shown on the CLI console and log messages are generated indicating that traffic is being tagged unknown because of subscription expiry For all these features the current status of the relevant subscription along with the expiry date can be viewed in the Web Interface by going to Stat...

Page 884: ...ault Backup solution BACKUP_VERITAS Backup solutions BOT_GENERAL Activities related to bots including those controlled by IRC channels BROWSER_FIREFOX Mozilla Firefox BROWSER_GENERAL General attacks targeting web browsers clients BROWSER_IE Microsoft IE BROWSER_MOZILLA Mozilla Browser COMPONENT_ENCODER Encoders as part of an attack COMPONENT_INFECTION Infection as part of an attack COMPONENT_SHELL...

Page 885: ...enger implementations IM_MSN MSN Messenger IM_YAHOO Yahoo Messenger IP_GENERAL IP protocol and implementation IP_OVERFLOW Overflow of IP protocol implementation IRC_GENERAL Internet Relay Chat LDAP_GENERAL General LDAP clients servers LDAP_OPENLDAP Open LDAP LICENSE_CA LICENSE License management for CA software LICENSE_GENERAL General License Manager MALWARE_GENERAL Malware attack METASPLOIT_FRAME...

Page 886: ...GENERAL RLogin protocol and implementation RLOGIN_LOGIN ATTACK Login attacks ROUTER_CISCO Cisco router attack ROUTER_GENERAL General router attack ROUTING_BGP BGP router protocol RPC_GENERAL RFC protocol and implementation RPC_JAVA RMI Java RMI RSYNC_GENERAL Rsync SCANNER_GENERAL Generic scanners SCANNER_NESSUS Nessus Scanner SECURITY_GENERAL Anti virus solutions SECURITY_ISS Internet Security Sys...

Page 887: ...TFTP request attack TROJAN_GENERAL Trojan UDP_GENERAL General UDP UDP_POPUP Pop up window for MS Windows UPNP_GENERAL UPNP VERSION_CVS CVS VERSION_SVN Subversion VIRUS_GENERAL Virus VOIP_GENERAL VoIP protocol and implementation VOIP_SIP SIP protocol and implementation WEB_CF FILE INCLUSION Coldfusion file inclusion WEB_FILE INCLUSION File inclusion WEB_GENERAL Web application attacks WEB_JSP FILE ...

Page 888: ...ection 6 2 2 The HTTP ALG Filetype extension Application 3ds 3d Studio files 3gp 3GPP multimedia file aac MPEG 2 Advanced Audio Coding File ab Applix Builder ace ACE archive ad3 Dec systems compressed Voice File ag Applix Graphic file aiff aif Audio Interchange file am Applix SHELF Macro arc Archive file alz ALZip compressed file avi Audio Video Interleave file arj Compressed archive ark QuArk com...

Page 889: ...change Format file gzip gz tgz Gzip compressed archive hap HAP archive data hpk HPack compressed file archive hqx Macintosh BinHex 4 compressed archive icc Kodak Color Management System ICC Profile icm Microsoft ICM Color Profile file ico Windows Icon file imf Imago Orpheus module sound data inf Sidplay info file ipa iPhone application archive file it Impulse Tracker Music Module java Java source ...

Page 890: ...rtable Bitmap Graphic pdf Acrobat Portable Document Format pe Portable Executable file pfb PostScript Type 1 Font pgm Portable Graymap Graphic pkg SysV R4 PKG Datastreams pll PAKLeo archive data pma PMarc archive data png Portable Public Network Graphic ppm PBM Portable Pixelmap Graphic ps PostScript file psa PSA archive data psd Photoshop Format file qt mov moov QuickTime Movie file qxd QuarkXpre...

Page 891: ...BitTorrent Metainfo file ttf TrueType Font txw Yamaha TX Wave audio files ufa UFA archive data vcf Vcard file viv VivoActive Player Streaming Video file wav Waveform Audio wk Lotus 1 2 3 document wmv Windows Media file wrl vrml Plain Text VRML file xcf GIMP Image file xm Fast Tracker 2 Extended Module audio file xml XML file xmcd xmcd database file for kscd xpm BMC Software Patrol UNIX Icon file y...

Page 892: ... Layer purpose Layer 7 Application Layer 6 Presentation Layer 5 Session Layer 4 Transport Layer 3 Network Layer 2 Data Link Layer 1 Physical Figure D 1 The 7 Layers of the OSI Model Layer Functions The different layers perform the following functions Layer 7 Application Layer Defines the user interface that supports applications directly Protocols HTTP FTP TFTP DNS SMTP Telnet SNMP and similar The...

Page 893: ...ch VLAN For example the interfaces could be divided so that the first 2 interfaces are part of one VLAN the next 2 interfaces are part of a second VLAN and the remainder are left in normal operation The LAN interfaces that are not part of a VLAN will continue to operate as a single interface with the logical interface name LAN Configuring VLANs How to configure port based VLANs will be illustrated...

Page 894: ...port port based VLANs Port Based VLAN Issues There are some issues which the adminstrator should be aware of when setting up port based VLANs Port based VLANs cannot be mixed with VLAN trunks When the port based VLAN feature is used all of the LAN interfaces act as access ports and none can be used for 802 1q VLAN trunks MAC addresses are duplicated The MAC addresses of all the LAN interfaces are ...

Page 895: ...icense and the GNU GPL refers to version 3 of the GNU General Public License The Library refers to a covered work governed by this License other than an Application or a Combined Work as defined below An Application is any work that makes use of an interface provided by the Library but which is not otherwise based on the Library Defining a subclass of a class defined by the Library is deemed a mod...

Page 896: ...he user to recombine or relink the Application with a modified version of the Linked Version to produce a modified Combined Work in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source Use a suitable shared library mechanism for linking with the Library A suitable mechanism is one that a uses at run time a copy of the Library already present on the user s computer sy...

Page 897: ...e form shall mean the preferred form for making modifications including but not limited to software source code documentation source and configuration files Object form shall mean any form resulting from mechanical transformation or translation of a Source form including but not limited to compiled object code generated documentation and conversions to other media types Work shall mean the work of...

Page 898: ...cludes a NOTICE text file as part of its distribution then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file excluding those notices that do not pertain to any part of the Derivative Works in at least one of the following places within a NOTICE text file distributed as part of the Derivative Works within the Source fo...

Page 899: ...bility obligations and or rights consistent with this License However in accepting such obligations You may act only on Your own behalf and on Your sole responsibility not on behalf of any other Contributor and only if You agree to indemnify defend and hold each Contributor harmless for any liability incurred by or claims asserted against such Contributor by reason of your accepting any such warra...

Page 900: ...paging JS code which does simple table pagination Author Chun Lin Based on code by Ryan Zielke Released under the MIT license see above Open Source Code Requests Upon request D Link will provide a CD with a copy of the source code for the open source components used in D Link s products that are released under General Public License GPL or similar licenses mandating code availability To obtain suc...

Page 901: ... 109 ALG 425 deploying 425 FTP 435 H 323 479 HTTP 427 IPv6 support 162 425 Light Weight LW HTTP 432 no HA state synchronization 426 834 not needed with IP policies 427 POP3 457 PPTP 461 SIP 463 SMTP 448 TFTP 447 TLS 500 all nets6 IP address object 159 all nets IP address object 150 230 Allow IP rule 233 Allow IP Rules setting 876 Allow on error RADIUS setting 664 Allow Port Change setting 726 Allo...

Page 902: ...DAP 616 using RADIUS 614 with RADIUS for management 67 XAuth 624 Auto Add Multicast Route setting 374 autonomous system see OSPF Auto Save Interval DHCP setting 407 Auto Save Policy DHCP setting 407 auto update 136 B backing up configurations 136 bandwidth guarantees 787 banner files for web authentication 635 for web content filtering 521 parameters 521 636 storage folder 65 blacklisting hosts an...

Page 903: ...ting 110 CRL 272 distribution point lists 275 enforcing checking 269 D date and time 78 setting daylight saving time 79 time servers 82 daylight saving time 79 setting manually 81 with tz Olson database 80 dconsole CLI command 125 Deactivate Before Reconf HA setting 840 dead peer detection 703 Decrement TTL setting 390 default access rule 290 421 Default TTL setting 851 demilitarized zone see DMZ ...

Page 904: ...531 malicious link protection 530 maximum email rate 528 maximum email size 528 Enable Accounting setting 725 Enable Sensors setting 107 end of life procedures 140 ESMTP extensions 452 Ethernet interface 180 advanced settings 188 changing IP addresses 185 CLI command summary 186 default gateway 182 disabling 188 enabling 188 IP address 181 logical physical difference 185 promiscuous mode 184 with ...

Page 905: ...and ICMP Sends Per Sec Limit setting 859 ICMP Unreachable message 234 IDENT and IP rules 234 identity awareness agent IDA 644 event IDs listened for 645 ID lists 273 686 697 IDP 552 associating signatures with rules 554 best practice deployment 564 blacklisting 559 HTTP URI normalization 555 insertion evasion attacks 556 rules 554 signature group list 884 signature groups 558 signatures 557 signat...

Page 906: ... local ID 686 HA synchronization support 834 health monitoring options 721 ID lists 273 686 ike snoop CLI command 764 IKEv2 client setup 714 invalid IKE payload cookie error 772 ipsec CLI command 763 IPsec DS Field setting 723 IP validation 713 LAN to LAN setup 672 local endpoint property 701 local gateway 713 local ID 686 NAT traversal 693 originator IP property 701 overview 683 payload malformed...

Page 907: ...t severity 87 event types 87 mail alerting 92 memlog 89 message exceptions 96 severity filter 96 SNMP traps 97 syslog 89 time stamping 88 login authentication 624 log messages 87 Log non IPv4 IPv6 setting 850 Log Open Fails setting 860 Logout at shutdown RADIUS setting 664 664 logout from CLI 57 Log Oversized Packets setting 865 Log Received TTL 0 setting 850 Log Reverse Opens setting 860 logsnoop...

Page 908: ...with CLI 364 multi protocol label switching see MPLS N NAT 576 anonymizing with 582 IP rules 233 578 pools 584 stateful pools 584 traversal 693 using automatic translation 580 with an IP Policy 579 neighbor discovery 160 advanced settings 163 cache 163 timing settings 164 NetDefendOS overview 20 packet flow description 28 system date and time 78 network address translation see NAT NIC teaming see ...

Page 909: ...ing 870 Reassembly Timeout setting 869 Receive Multicast Traffic setting 182 362 reconf CLI command 56 Reconf Failover Time HA setting 105 840 Reject IP rule 234 Relay MPLS setting 390 391 Relay Spanning tree BPDUs setting 389 391 Require Cookie setting 726 reset interface IP addresses 140 to base configuration 133 139 to factory defaults 139 restarting NetDefendOS with the CLI 56 restoring backup...

Page 910: ...imple network management protocol see SNMP SIP ALG 463 and traffic shaping 464 equipment incompatibility 463 NAT traversal 463 predefined SIP ALG object 465 record route 466 supported scenarios 463 using IP policies 465 with route failover 464 with virtual routing 464 with VoIP profile 465 SLB see server load balancing SLB policy 816 SMTP ALG 448 ESMTP extensions 452 whitelist precedence 451 with ...

Page 911: ... 872 supported cryptographic suites 500 supported TLS version 500 usage instead of SSL 500 TLS RSA 3DES 168 SHA1 setting 873 TLS RSA EXPORT 1024 RC2 40 MD5 setting 873 TLS RSA EXPORT 1024 RC4 40 MD5 setting 873 TLS RSA EXPORT 1024 RC4 56 SHA1 setting 873 TLS RSA EXPORT NULL MD5 setting 874 TLS RSA EXPORT NULL SHA1 setting 874 TLS RSA RC4 128 MD5 setting 873 TLS RSA RC4 128 SHA1 setting 873 TLS RSA...

Page 912: ...nabling performance logging 876 fail mode 510 order of static and dynamic 504 overriding 513 phishing 519 setting up WCF 509 site reclassification 514 spam 521 static 504 subscription expiry behavior 882 URL whitelisting exclusion 430 WCF performance log 523 with HTTPS 512 with IP policies 515 with IP rules or IP policies 503 with whitelisting 509 web interface 34 41 access with CA signed certific...