D-Link DFL-700 Network Security Firewall Manual Building Networks for People Ver.1.
Introduction The DFL-700 provides three 10/100M Ethernet network interface ports: (1) Internal/LAN, (1) External/WAN, and (1) DMZ. It also provides an easy-to-use WebUI that allows users to set system parameters or monitor network activities using a web browser.
Features and Benefits
• Firewall Security
• VPN Server/Client Supported
• Content Filtering
• Bandwidth Management: the DFL-700 features an extensive Traffic Shaper for bandwidth management.
Introduction to Local Area Networking Local Area Networking (LAN) is the term used when connecting several computers together over a small area such as a building or group of buildings. LANs can be connected over large areas. A collection of LANs connected over a large area is called a Wide Area Network (WAN). A LAN consists of multiple computers connected to each other. There are many types of media that can connect computers together. The most common media is CAT5 cable (UTP or STP twisted pair wire).
LEDs Power: A solid light indicates a proper connection to the power supply. Status: System status indicator; flashes to indicate an active system. If the LED shows a solid light, the unit is defective. WAN, LAN & DMZ: Ethernet port indicators, green. The LED flickers when the port is sending or receiving data. Physical Connections Console: Serial access to the firewall software at 9600 baud, 8 data bits, no parity, 1 stop bit.
Package Contents Contents of Package:
• D-Link DFL-700 Firewall
• Manual and CD
• Quick Installation Guide
• AC Power adapter
Note: Using a power supply with a different voltage rating than the one included with the DFL-700 will cause damage and void the warranty for this product. If any of the above items are missing, please contact your reseller.
Managing D-Link DFL-700 When a change is made to the configuration, a new icon named Activate Changes will appear. When the administrator has finished making changes, they need to be saved and activated to take effect; this is done by clicking the Activate Changes button on the Activate Configuration Changes page. The firewall will then save the configuration and reload it, letting the new changes take effect.
Administration Settings Administrative Access Ping – If enabled, specifies who can ping the interface IP of the DFL-700. The default, if enabled, is to allow anyone to ping the interface IP. Admin – If enabled, allows all users with admin access to connect to the DFL-700 and change the configuration; the allowed protocols can be HTTPS only, or HTTP and HTTPS. Read-Only – If enabled, allows all users with read-only access to connect to the DFL-700 and view the configuration; the allowed protocols can be HTTPS only, or HTTP and HTTPS.
Add ping access to an interface To add ping access click on the interface you would like to add it to. Follow these steps to add ping access to an interface. Step 1. Click on the interface you would like to add it to. Step 2. Enable the Ping checkbox. Step 3. Specify what networks are allowed to ping the interface, for example 192.168.1.0/24 for a whole network or 172.16.0.1 – 172.16.0.10 for a range. Click the Apply button below to apply the setting or click Cancel to discard changes.
Add Read-only access to an interface To add read-only access, click on the interface you would like to add it to. Note that if only read-only access is enabled on an interface, all users get read-only access on it, even if they are administrators. Follow these steps to add read-only access to an interface. Step 1. Click on the interface you would like to add it to. Step 2. Enable the Read-only checkbox. Step 3. Specify what networks are allowed to ping the interface, for example 192.168.1.
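The Ping, Admin and Read-only settings above all take the same kind of network list (a CIDR network such as 192.168.1.0/24 or an address range such as 172.16.0.1 – 172.16.0.10). The following added example, which is not code from the manual or from D-Link, shows how such a list is evaluated against a connecting source address and how to spot entries that leave management access effectively unrestricted; the access list itself is constructed, and the rule that an empty list allows everyone is an assumption mirroring the Ping default stated above.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed access list using the two notations the manual gives for the
# Ping / Admin / Read-only settings: a whole network in CIDR form, or an
# explicit start-end range of addresses.
MGMT_ACCESS_LIST = ["192.168.1.0/24", "172.16.0.1 - 172.16.0.10"]


def parse_network_spec(spec: str) -> tuple:
    """Turn one entry into an inclusive (first, last) address pair.

    Accepts 'a.b.c.d/nn', a bare address, or 'a.b.c.d - w.x.y.z'. The range
    separator may be '-' or the en dash printed in the manual.
    """
    text = spec.strip().replace("\u2013", "-")
    if "-" in text:
        start, end = (part.strip() for part in text.split("-", 1))
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if first.version != last.version or last < first:
            raise ValueError(f"invalid address range: {spec!r}")
        return first, last
    # strict=False tolerates host bits in the prefix (e.g. 192.168.1.5/24)
    net = ipaddress.ip_network(text, strict=False)
    return net.network_address, net.broadcast_address


def matching_entry(source_ip: str, access_list: Iterable[str]) -> Optional[str]:
    """Return the first list entry that contains source_ip, or None."""
    addr = ipaddress.ip_address(source_ip)
    for entry in access_list:
        first, last = parse_network_spec(entry)
        # Addresses of different IP versions never match each other.
        if addr.version == first.version and first <= addr <= last:
            return entry
    return None


def is_management_allowed(source_ip: str, access_list: Iterable[str]) -> bool:
    """True when source_ip may reach the interface's management service.

    Assumption for this example: an empty list means no restriction, as the
    manual states for Ping when it is enabled without a network list.
    """
    entries = list(access_list)
    if not entries:
        return True
    return matching_entry(source_ip, entries) is not None


def overly_broad_entries(access_list: Iterable[str], max_hosts: int = 256) -> list:
    """List entries covering more than max_hosts addresses (e.g. 0.0.0.0/0).

    Handy when reviewing whether admin access is really limited to the
    management network rather than the whole Internet.
    """
    broad = []
    for entry in access_list:
        first, last = parse_network_spec(entry)
        if int(last) - int(first) + 1 > max_hosts:
            broad.append(entry)
    return broad
```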
System Interfaces Click on System in the menu bar, and then click Interfaces below it. Change IP of the LAN or DMZ interface Follow these steps to change the IP of the LAN or DMZ interface. Step 1. Choose which interface to view or change under the Available interfaces list. Step 2. Fill in the IP address of the LAN or DMZ interface. This is the address that will be used to ping the firewall, remotely control it, and serve as the gateway for the internal hosts or DMZ hosts. Step 3.
WAN Interface Settings – Using Static IP If you are using Static IP you have to fill in the IP address information provided to you by your ISP. All fields are required except the Secondary DNS Server. You should probably not use the numbers displayed in these fields, they are only used as an example. • IP Address – The IP address of the WAN interface. This is the address that may be used to ping the firewall, remotely control it and be used as source address for dynamically translated connections.
WAN Interface Settings – Using PPPoE Use the following procedure to configure the DFL-700 external interface to use PPPoE (Point-to-Point Protocol over Ethernet). This configuration is required if your ISP uses PPPoE to assign the IP address of the external interface. You will have to fill in the username and password provided to you by your ISP. • Username – The login or username supplied to you by your ISP. • Password – The password supplied to you by your ISP.
WAN Interface Settings – Using PPTP PPTP over Ethernet connections are used in some DSL and cable modem networks. You need your account details, and possibly also IP configuration parameters of the actual physical interface that the PPTP tunnel runs over. Your ISP should supply this information. • Username – The login or username supplied to you by your ISP. • Password – The password supplied to you by your ISP. • PPTP Server IP – The IP of the PPTP server that the DFL-700 should connect to.
WAN Interface Settings – Using BigPond The ISP Telstra BigPond uses BigPond for authentication; the IP is assigned with DHCP. • Username – The login or username supplied to you by your ISP. • Password – The password supplied to you by your ISP. Traffic Shaping When Traffic Shaping is enabled and the correct maximum up and downstream bandwidth is specified it’s possible to control which policies have the highest priority when large amounts of data are moving through the DFL-700.
MTU Configuration To improve the performance of your Internet connection, you can adjust the maximum transmission unit (MTU) of the packets that the DFL-700 transmits from its external interface. Ideally, you want this MTU to be the same as the smallest MTU of all the networks between the DFL-700 and the Internet. If the packets the DFL-700 sends are larger, they get broken up or fragmented, which could slow down transmission speeds.
Routing Click on System in the menu bar, and then click Routing below it. This gives a list of all configured routes, which will look something like this: The Routes configuration section describes the firewall’s routing table. The DFL-700 uses a slightly different way of describing routes compared to most other systems. However, we believe that this way of describing routes is easier to understand, making it less likely for users to cause errors or breaches in security.
Add a new Static Route Follow these steps to add a new route. Step 1. Go to System and Routing. Step 2. Click on Add new at the bottom of the routing table. Step 3. Choose the interface that the route should be sent through from the dropdown menu. Step 4. Specify the Network and Subnet mask. Step 5.
Logging Click on System in the menu bar, and then click Logging below it. Logging, the ability to audit decisions made by the firewall, is a vital part of all network security products. The D-Link DFL-700 provides several options for logging its activity. The D-Link DFL-700 logs its activities by sending the log data to one or two log receivers in the network. All logging is done to Syslog recipients. The log format used for syslog logging is suitable for automated processing and searching.
configurable. It’s also possible to have E-mail alerting for IDS/IDP events to up to three email addresses. Enable Logging Follow these steps to enable logging. Step 1. Enable syslog by checking the Syslog box. Step 2. Fill in your first syslog server as Syslog server 1, if you have two syslog servers you have to fill in the second one as Syslog server 2. You must fill in at least one syslog server for logging to work. Step 3. Specify what facility to use by selecting the appropriate syslog facility.
Intrusion attacks will always be logged in the usual logs if IDS is enabled for any of the rules. For more information about how to enable intrusion detection and prevention on a policy or port mapping, read more under Policies and Port Mappings in the Firewall section below.
Time Click on System in the menu bar, and then click Time below it. This will give you the option to either set the system time by syncing to an Internet Network Time Server (NTP) or by entering the system time by hand.
Changing time zone Follow these steps to change the time zone. Step 1. Choose the correct time zone in the drop down menu. Step 2. Specify your daylight time or choose no daylight saving time by checking the correct box. Click the Apply button below to apply the setting or click Cancel to discard changes. Using NTP to sync time Follow these steps to sync to an Internet Time Server. Step 1. Enable synchronization by checking the Enable NTP box. Step 2.
Firewall Policy The Firewall Policy configuration section is the "heart" of the firewall. The policies are the primary filter that is configured to allow or disallow certain types of network traffic through the firewall. The policies also regulate how bandwidth management, traffic shaping, is applied to traffic flowing through the WAN interface of the firewall.
Source and Destination Filter Source Nets – Specifies the sender span of IP addresses to be compared to the received packet. Leave this blank to match everything. Source Users/Groups – Specifies if an authenticated username is needed for this policy to match. Either make a list of usernames, separated by commas, or write Any for any authenticated user. If it’s left blank there is no need for authentication for the policy.
the system administrators if email alerting is configured. There are two modes that can be configured, either Inspection Only or Prevention. In Inspection Only mode the DFL-700 only inspects the traffic; if it sees anything, it logs the event, emails an alert (if configured) and passes the traffic on. If Prevention is used, the traffic is dropped and logged, and an email alert is sent if configured. D-Link updates the attack database periodically. Since firmware version 1.30.00 automatic updates are possible.
Add a new policy Follow these steps to add a new outgoing policy. Step 1. Choose the LAN->WAN policy list from the available policy lists. Step 2. Click on the Add new link. Step 3. Fill in the following values: Name: Specifies a symbolic name for the rule. This name is used mainly as a rule reference in log data and for easy reference in the policy list. Action: Select Allow to allow this type of traffic. Source Nets: Specifies the sender span of IP addresses to be compared to the received packet.
Change order of policy Follow these steps to change the order of a policy. Step 1. Choose the policy list you would like to change the order in from the available policy lists. Step 2. Click on the Edit link on the rule you want to move. Step 3. Change the number in the Position field to the new line; after the Apply button is clicked, this moves the policy to that row and moves the policy previously in that row, and all policies after it, one step down.
Configure Intrusion Prevention Follow these steps to configure IDP on a policy. Step 1. Choose the policy you would like to have IDP on. Step 2. Click on the Edit link on that rule. Step 3. Enable the Intrusion Detection / Prevention checkbox. Step 4. Choose Prevention from the mode drop down list. Step 5. Enable the alerting checkbox for email alerting.
Port mapping / Virtual Servers The Port mapping / Virtual Servers configuration section is where you can configure virtual servers like Web servers on the DMZ or similar. It’s also possible to regulate how bandwidth management, traffic shaping, is applied to traffic flowing through the WAN interface of the firewall. It is also possible to use Intrusion Detection / Prevention and Traffic shaping on Port mapped services, these are done in the same way as on policies, so see that chapter for more information.
Delete mapping Follow these steps to delete a mapping. Step 1. Choose the mapping list (WAN, LAN or DMZ) you would like to delete the mapping from. Step 2. Click on the Edit link on the rule you want to delete. Step 3. Enable the Delete mapping checkbox. Click the Apply button below to apply the change or click Cancel to discard changes.
Administrative users Click on Firewall in the menu bar, and then click Users below it. This will show all the users, and the first section is the administrative users. The first column shows the access levels, Administrator and Read-only. An Administrator user can add, edit and remove rules, change settings of the DFL-700 and so on. The Read-only user can only look at the configuration. The second column shows the users in each access level.
Change Administrative User Access level To change the access level of a user click on the user name and you will see the following screen. From here you can change the access level by choosing the appropriate level from the drop-down menu. Access levels • Administrator – the user can add, edit and remove rules and change all settings. • Read-only – the user can only look at the configuration of the firewall. • No Admin Access – The user is only used for user authentication.
Delete Administrative User To delete a user click on the user name and you will see the following screen. Follow these steps to delete an Administrative User. Step 1. Click on the user you would like to delete. Step 2. Enable the Delete user checkbox. Click the Apply button below to apply the setting or click Cancel to discard changes. Note: Deleting a user is irreversible; once the user is deleted, it cannot be undeleted.
Users User Authentication allows an administrator to grant or reject access to specific users from specific IP addresses, based on their user credentials. Before any traffic is allowed to pass through any policies configured with username or groups, the user must first authenticate him/her-self.
Enable User Authentication via HTTP / HTTPS Follow these steps to enable User Authentication. Step 1. Enable the checkbox for User Authentication. Step 2. Specify if HTTP and HTTPS or only HTTPS should be used for the login. Step 3. Specify the idle-timeout, the time a user can be idle before being logged out by the firewall. Step 4. Choose new ports for the management WebUI to listen on, as user authentication will use the same ports as the management WebUI is using.
Add User Follow these steps to add a new user. Step 1. Click on add after the type of user you would like to add, Admin or Read-only. Step 2. Fill in the User name; make sure you are not trying to add one that already exists. Step 3. Specify what groups the user should be a member of. Step 4. Specify the password for the new user. Click the Apply button below to apply the setting or click Cancel to discard changes. Note: The user name and password should be at least six characters long.
Delete User To delete a user click on the user name and you will see the following screen. Follow these steps to delete a user. Step 1. Click on the user you would like to delete. Step 2. Enable the Delete user checkbox. Click the Apply button below to apply the setting or click Cancel to discard changes. Note: Deleting a user is irreversible; once the user is deleted, it cannot be undeleted.
Schedules It is possible to configure a schedule for policies to take effect. By creating a schedule, the DFL-700 allows the firewall policies to be used at those designated times only. Any activities outside of the scheduled time slot will not follow the policies and will therefore likely not be permitted to pass through the firewall. The DFL-700 can be configured to have a start time and stop time, as well as two different time periods in a day.
Services A service is basically a definition of a specific IP protocol with corresponding parameters. The service http, for instance, is defined as using the TCP protocol with destination port 80. Services are simplistic, in that they cannot carry out any action in the firewall on their own. Thus, a service definition does not include any information on whether the service should be allowed through the firewall or not.
Adding IP Protocol When the type of the service is IP Protocol, an IP protocol number may be specified in the text field. To have the service match the GRE protocol, for example, the IP protocol should be specified as 47. A list of some defined IP protocols can be found in the appendix named “IP Protocol Numbers”. IP protocol ranges can be used to specify multiple IP protocols for one service.
Protocol-independent settings Allow ICMP errors from the destination to the source – ICMP error messages are sent in several situations: for example, when an IP packet cannot reach its destination. The purpose of these error control messages is to provide feedback about problems in the communication environment.
VPN Introduction to IPsec This chapter introduces IPsec, the method, or rather set of methods used to provide VPN functionality. IPSec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering Task Force, to provide IP security at the network layer.
Introduction to PPTP PPTP, Point-to-Point Tunneling Protocol, is used to provide IP security at the network layer. A PPTP based VPN is made up of these parts:
• Point-to-Point Protocol (PPP)
• Authentication Protocols (PAP, CHAP, MS-CHAP v1, MS-CHAP v2)
• Microsoft Point-To-Point Encryption (MPPE)
• Generic Routing Encapsulation (GRE)
PPTP uses TCP port 1723 for its control connection and uses GRE (IP protocol 47) for the PPP data. PPTP supports data encryption by using MPPE.
Authentication Protocols PPP supports different authentication protocols; PAP, CHAP, MS-CHAP v1 and MS-CHAP v2 are supported. Which authentication protocol to use is negotiated during LCP negotiation. PAP PAP (Password Authentication Protocol) is a simple, plaintext authentication scheme, which means that user name and password are sent in plaintext. PAP is therefore not a secure authentication protocol.
L2TP/PPTP Clients General parameters Name – Specifies a name for this PPTP/L2TP Client. Username – Specifies the username to use for this PPTP/L2TP Client. Password/Confirm Password – The password to use for this PPTP/L2TP Client. Interface IP – Specifies if the L2TP/PPTP Client should try to use a specified IP or get one from the server. Remote Gateway – The IP address of the PPTP/L2TP Server.
L2TP/PPTP Servers Name – Specifies a name for this PPTP/L2TP Server. Outer IP - Specifies the IP that the PPTP/L2TP server should listen on, leave it Blank for the WAN IP. Inner IP - Specifies the IP inside the tunnel, leave it Blank for the LAN IP. IP Pool and settings Client IP Pool - A range, group or network that the PPTP/L2TP Server will use as IP address pool to give out IP addresses to the clients from. Primary/Secondary DNS - IP of the primary and secondary DNS servers.
MPPE encryption If MPPE encryption is going to be used, this is where the encryption level is configured. If L2TP or PPTP over IPSec is going to be used it has to be enabled and configured to either use a Pre-Shared Key or a Certificate.
VPN between two networks In the following example, users on the main office internal network can connect to the branch office internal network and vice versa. Communication between the two networks takes place in an encrypted VPN tunnel that connects the two DFL-700 Network Security Firewalls across the Internet. Users on the internal networks are not aware that when they connect to a computer on the other network the connection runs across the Internet.
VPN between client and an internal network In the following example users can connect to the main office internal network from anywhere on the Internet. Communication between the client and the internal network takes place in an encrypted VPN tunnel that connects the DFL and the roaming users across the Internet. The example shows a VPN between a roaming VPN client and the internal network, but you can also create a VPN tunnel that uses the DMZ network.
Adding an L2TP/PPTP VPN Client Follow these steps to add an L2TP or PPTP VPN Client configuration. Step 1. Go to Firewall and VPN and choose Add new PPTP client or Add new L2TP client in the L2TP/PPTP Clients section. Step 2. Enter a Name for the new tunnel in the name field. The name can contain numbers (0-9) and upper and lower case letters (A-Z, a-z), and the special characters and _. No other special characters or spaces are allowed. Step 3. Enter the username and password for the PPTP or L2TP Client.
VPN – Advanced Settings Advanced settings for a VPN tunnel are used when one needs to change some characteristics of the tunnel, for example when trying to connect to a third-party VPN Gateway. The settings available per tunnel are the following: Limit MTU With this setting it’s possible to limit the MTU (Maximum Transmission Unit) of the VPN tunnel. IKE Mode Specify if Main mode IKE or Aggressive mode IKE should be used when establishing outbound VPN tunnels.
Proposal Lists To agree on the VPN connection parameters, a negotiation process is performed. As the result of the negotiations, the IKE and IPSec security associations (SAs) are established. As the name implies, a proposal is the starting point for the negotiation. A proposal defines encryption parameters, for instance encryption algorithm, life times etc, that the VPN gateway supports. There are two types of proposals, IKE proposals and IPSec proposals.
Certificates A certificate is a digital proof of identity. It links an identity to a public key in a trustworthy manner. Certificates can be used to authenticate individual users or other entities. These types of certificates are commonly called end-entity certificates. Before a VPN tunnel with certificate based authentication can be set up, the firewall needs a certificate of its own and that of the remote firewall. These certificates can either be self-signed certificates, or issued by a CA.
Certificate Authorities This is a list of all CA certificates. To add a new Certificate Authority certificate, click Add new. The following pages will allow you to specify a name for the CA certificate and upload the certificate file. This certificate can be selected in the Certificates field on the VPN page. Note: If the uploaded certificate is a CA certificate, it will automatically be placed in the Certificate Authorities list, even if Add New was clicked in the Remote Peers list.
Content Filtering DFL-700 HTTP content filtering can be configured to scan all HTTP protocol streams for URLs or for web page content. You can configure a URL blacklist to block all or just some of the pages on a website. Using this feature you can deny access to parts of a web site without denying access to it completely. The HTTP content filter can also be configured to strip contents like ActiveX, Flash and cookies.
Edit the URL Global Whitelist Follow these steps to add or remove a URL. Step 1. Go to Firewall and Content Filtering and choose Edit global URL whitelist. Step 2. Add, edit or remove the URLs that should never be checked by the Content Filtering. Click the Apply button below to apply the change or click Cancel to discard changes.
Edit the URL Global Blacklist Follow these steps to add or remove a URL. Step 1. Go to Firewall and Content Filtering and choose Edit global URL blacklist. Step 2. Add, edit or remove the URLs that should be checked by the Content Filtering. Click the Apply button below to apply the change or click Cancel to discard changes. Note: For HTTP URL filtering to work, all HTTP traffic needs to go through a policy using a service with the HTTP ALG.
Active content handling Active content handling can be enabled or disabled by checking the checkbox before each type you would like to strip. For example, to strip ActiveX and Flash enable the checkbox named Strip ActiveX objects. It’s possible to strip ActiveX, Flash, Java, JavaScript and VBScript; it’s also possible to block cookies. Note: For HTTP URL filtering to work, all HTTP traffic needs to go through a policy using a service with the HTTP ALG.
Servers DHCP Server Settings The DFL-700 contains a DHCP server; DHCP (Dynamic Host Configuration Protocol) is a protocol that lets network administrators automatically assign IP addresses to computers on a network. The DFL-700 DHCP Server helps to minimize the work necessary to administer a network, as there is no need for another server running DHCP Server software.
Enable DHCP Server To enable the DHCP Server on an interface, click on Servers in the menu bar, and then click DHCP Server below it. Follow these steps to enable the DHCP Server on the LAN interface. Step 1. Choose the LAN interface from the Available interfaces list. Step 2. Enable by checking the Use built-in DHCP Server box. Step 3. Fill in the IP Span, the start and end IP for the range of IP addresses that the DFL-700 can assign. Step 4.
DNS Relayer Settings Click on Servers in the menu bar, and then click DNS Relay below it. The DFL-700 contains a DNS relayer that can be configured to relay DNS queries from the internal LAN to the DNS servers used by the firewall itself. Enable DNS Relayer Follow these steps to enable the DNS Relayer. Step 1. Enable by checking the Enable DNS Relayer box. Step 2. Enter the IP addresses that the DFL-700 should listen for DNS queries on.
Disable DNS Relayer Follow these steps to disable the DNS Relayer. Step 1. Disable by un-checking the Enable DNS Relayer box. Click the Apply button below to apply the setting or click Cancel to discard changes.
Tools Ping Click on Tools in the menu bar, and then click Ping below it. This tool is used to send a specified number of ICMP Echo Request packets to a given destination. All packets are sent in immediate succession rather than one per second. This behavior is best suited for diagnosing connectivity problems. • IP Address – Target IP to send the ICMP Echo Requests to. • Number of packets – Number of ICMP Echo Request packets to send, up to 10.
Dynamic DNS The Dynamic DNS feature (requires a Dynamic DNS service) allows you to alias a dynamic IP address to a static hostname, allowing your device to be more easily accessed by a specific name. When this function is enabled, the IP address at the Dynamic DNS server will be automatically updated with the new IP address provided by the ISP. Click DynDNS in the Tools menu to enter the Dynamic DNS configuration.
Backup Click on Tools in the menu bar, and then click Backup below it. Here an administrator can back up and restore the configuration. The configuration file stores system settings, IP addresses of the Firewall’s network interfaces, address table, service table, IPSec settings, port mappings and policies. When the configuration process is completed, the system administrator can download the configuration file to a local disk as a backup.
Restart/Reset Restarting the DFL-700 Follow these steps to restart the DFL-700. Step 1. Choose if you want to do a quick or full restart. Step 2. Click Restart Unit and the unit will restart. Restoring system settings to factory defaults Use the following procedure to restore system settings to the values set at the factory. This procedure will possibly change the DFL-700 firmware version to a lower version if it has been upgraded.
Step 1. Under the Tools menu and the Reset section, click on the Reset to Factory Defaults button. Step 2. Click OK in the dialog to reset the unit to factory defaults, or press Cancel to cancel. You can restore your system settings by uploading a previously downloaded system configuration file to the DFL-700 if a backup of the device has been made.
Upgrade The DFL-700’s software, IDS signatures and system parameters are all stored on a flash memory card. The flash memory card is rewritable and re-readable. Upgrade Firmware To upgrade the firmware first download the correct firmware image from D-Link.
Status In this section, the DFL-700 displays status information about the Firewall. Administrators may use Status to check the System Status, Interface statistics, VPN, Connections and DHCP Servers. System Click on Status in the menu bar, and then click System below it. A window will appear providing some information about the DFL-700. Uptime – The time the firewall has been running since the last reboot or start. CPU Load – Percentage of CPU used.
Interfaces Click on Status in the menu bar, and then click Interfaces below it. A window will appear providing information about the interfaces in the DFL-700. By default, information about the LAN interface will be shown; to see another one, click on that interface (WAN or DMZ). Interface – Name of the interface shown, LAN, WAN or DMZ. Link status – Displays what link the current interface has; the speed can be 10 or 100 Mbps and the duplex can be Half or Full. MAC Address – MAC address of the interface.
VPN Click on Status in the menu bar, and then click VPN below it. A window will appear providing information about the VPN connections made in the DFL-700. By default, information about the first VPN tunnel will be shown; to see another one, click on that VPN tunnel's name. The two graphs display the send and receive rate through the selected VPN tunnel during the last 24 hours. In this example a tunnel named RoamingUsers is selected; this is a tunnel that allows roaming users.
Connections Click on Status in the menu bar, and then click Connections below it. A window will appear providing information about the content of the state table. It shows the last 100 connections opened through the firewall. Connections are created when traffic is permitted to pass by a policy. Each connection has two timeout values, one in each direction; each is refreshed when the firewall receives a packet from that end of the connection, so a one-sided flow times out even while the other direction stays idle.
DHCP Server Click on Status in the menu bar, and then click DHCP Server below it. A window will appear providing information about the configured DHCP Servers. By default information about the LAN interface is shown; to see another one, click on that interface. Interface – Name of the interface the DHCP Server is running on. IP Span – Displays the configured ranges of IP addresses that are given out as DHCP leases. Usage – Displays how much of the IP range has been given out to DHCP clients.
Users Click on Status in the menu bar, and then click Users below it. A window will appear providing user information. Currently authenticated users – users logged in through HTTP/HTTPS authentication and users logged in to the PPTP and L2TP servers are listed here. A user can be forced to log out by clicking Logout. Currently recognized privileges – all users and groups that are referenced in policies are listed here. Only these users and groups are able to use HTTP and HTTPS authentication.
How to read the logs Although the exact format of each log entry depends on how your syslog recipient works, most are very much alike. The way in which logs are read is also dependent on how your syslog recipient works. Syslog daemons on UNIX servers usually log to text files, line by line. Most syslog recipients preface each log entry with a timestamp and the IP address or name of the machine that sent the log data:

    Oct 20 2003 09:45:23 gateway

This is followed by the text the sender has chosen to send.
One event is generated when a connection is established. This event includes information about the protocol, receiving interface, source IP address, source port, destination interface, destination IP address and destination port. Open Example:

    Oct 20 2003 09:47:56 gateway EFW: CONN: prio=1 rule=Rule_8 conn=open connipproto=TCP connrecvif=lan connsrcip=192.168.0.10 connsrcport=3179 conndestif=wan conndestip=64.7.210.132 conndestport=80

In this line, traffic from 192.168.0.
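The key=value layout above is easy to turn into structured records, which is what you want before searching or counting events. The following parser is an added example and is not part of the manual or of D-Link's software. The sample log lines are constructed to follow the manual's "Open Example" (field names are the manual's own); the `conn=close` line and the non-CONN `EFW: IDS:` line are assumed variants, included to show that the parser keys on the `EFW: CONN:` prefix and skips everything else.

```python
"""Parse DFL-700 style syslog connection events into structured records.

Added example, not part of the manual. SAMPLE_LOG is constructed from the
format the manual shows: a syslog timestamp and sending host, then
"EFW: CONN:" followed by key=value fields. The conn=close and "EFW: IDS:"
lines are assumed variants, not taken from the manual.
"""
import re
from collections import Counter

# Constructed sample log lines modelled on the manual's "Open Example".
SAMPLE_LOG = """\
Oct 20 2003 09:47:56 gateway EFW: CONN: prio=1 rule=Rule_8 conn=open connipproto=TCP connrecvif=lan connsrcip=192.168.0.10 connsrcport=3179 conndestif=wan conndestip=64.7.210.132 conndestport=80
Oct 20 2003 09:48:02 gateway EFW: CONN: prio=1 rule=Rule_8 conn=open connipproto=TCP connrecvif=lan connsrcip=192.168.0.10 connsrcport=3180 conndestif=wan conndestip=64.7.210.132 conndestport=443
Oct 20 2003 09:48:10 gateway EFW: CONN: prio=1 rule=Rule_3 conn=open connipproto=UDP connrecvif=lan connsrcip=192.168.0.22 connsrcport=1025 conndestif=wan conndestip=198.51.100.5 conndestport=53
Oct 20 2003 09:49:31 gateway EFW: CONN: prio=1 rule=Rule_8 conn=close connipproto=TCP connrecvif=lan connsrcip=192.168.0.10 connsrcport=3179 conndestif=wan conndestip=64.7.210.132 conndestport=80
Oct 20 2003 09:50:00 gateway EFW: IDS: something unrelated
"""

# Syslog prefix: "Mon DD YYYY HH:MM:SS host", then the message body.
_PREFIX = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<year>\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$"
)
_KV = re.compile(r"(\w+)=(\S+)")
_CONN_TAG = "EFW: CONN:"


def parse_line(line):
    """Return a dict for an EFW CONN event, or None for any other line."""
    m = _PREFIX.match(line.strip())
    if not m or not m.group("body").startswith(_CONN_TAG):
        return None
    rec = {
        "timestamp": f"{m['month']} {m['day']} {m['year']} {m['time']}",
        "host": m["host"],
    }
    rec.update(dict(_KV.findall(m["body"][len(_CONN_TAG):])))
    # Ports and priority are numeric; convert so callers can compare them.
    for key in ("prio", "connsrcport", "conndestport"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse a whole syslog text, keeping only CONN events."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarise(records):
    """Count opened connections per (rule, destination port)."""
    opened = [r for r in records if r.get("conn") == "open"]
    return Counter((r["rule"], r["conndestport"]) for r in opened)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (rule, port), n in sorted(summarise(recs).items()):
        print(f"{rule:8} dport={port:<5} opens={n}")
```

Because every field is keyed, the same records can be filtered on `connrecvif`/`conndestif` to spot traffic entering from an unexpected interface, or grouped by `rule` to see which policy is admitting the most connections.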
Step by step guides In the following guides example IPs, users, sites and passwords are used. You will have to substitute your own IP addresses and sites. The passwords used in these examples are not recommended for real use. Passwords and keys should be chosen so that they cannot be guessed or recovered by, for example, a dictionary attack.
LAN-to-LAN VPN using IPsec
Settings for Branch office
1. Setup interfaces, System->Interfaces:
   WAN IP: 193.0.2.10
   LAN IP: 192.168.4.1, Subnet mask: 255.255.255.0
2. Setup IPsec tunnel, Firewall->VPN:
   Under IPsec tunnels click Add new
   Name the tunnel ToMainOffice
   Local net: 192.168.4.
   Retype PSK: 1234567890 (Note! You should use a long random key that is hard to guess; both ends must use the same key)
   Select Tunnel type: LAN-to-LAN tunnel
   Remote Net: 192.168.1.0/24
   Remote Gateway: 193.0.2.20 (the main office WAN IP)
   Enable Automatically add a route for the remote network
   Click Apply
3.
4. Click Activate and wait for the firewall to restart
Settings for Main office
1. Setup interfaces, System->Interfaces:
   WAN IP: 193.0.2.20
   LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0
2. Setup IPsec tunnel, Firewall->VPN:
   Under IPsec tunnels click Add new
   Name the tunnel ToBranchOffice
   Local net: 192.168.1.
   Select Tunnel type: LAN-to-LAN tunnel
   Remote Net: 192.168.4.0/24
   Remote Gateway: 193.0.2.10 (the branch office WAN IP)
   Enable "Automatically add a route for the remote network"
   Click Apply
3. Setup policies for the new tunnel, Firewall->Policy:
   Click Global policy parameters
   Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN
   Click Apply
4. Click Activate and wait for the firewall to restart
This example will allow all traffic between the two offices.
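The two ends of a LAN-to-LAN tunnel must mirror each other: each side's Remote Gateway is the peer's WAN IP, each side's Remote Net is the peer's Local net, and the pre-shared key is identical. Getting one of these backwards is the most common reason a tunnel negotiates nothing at all. The script below is an added example, not part of the manual or of the DFL-700's software; it cross-checks the two configurations before you click Activate. The two dicts carry the values from the guide above (with each Remote Gateway set to the peer's WAN IP), and the field names are the script's own, not the firewall's.

```python
"""Cross-check the two ends of a LAN-to-LAN IPsec tunnel before activating.

Added example, not part of the manual. The two dicts hold the settings from
the guide above; the key names are this script's own, not the DFL-700's.
Checks performed:
  - each side's remote gateway equals the peer's WAN IP
  - each side's remote net equals the peer's local net
  - local and remote nets do not overlap (the auto-added route would
    collide with the directly connected LAN)
  - both pre-shared keys match and are not trivially weak
"""
import ipaddress

branch = {
    "name": "ToMainOffice",
    "wan_ip": "193.0.2.10",
    "local_net": "192.168.4.0/24",
    "remote_net": "192.168.1.0/24",
    "remote_gateway": "193.0.2.20",
    "psk": "1234567890",  # the manual's example key; weak, as it warns
}
main = {
    "name": "ToBranchOffice",
    "wan_ip": "193.0.2.20",
    "local_net": "192.168.1.0/24",
    "remote_net": "192.168.4.0/24",
    "remote_gateway": "193.0.2.10",
    "psk": "1234567890",
}


def check_tunnel_pair(a, b, min_psk_len=20):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    for side, peer in ((a, b), (b, a)):
        if side["remote_gateway"] != peer["wan_ip"]:
            problems.append(
                f"{side['name']}: remote gateway {side['remote_gateway']} "
                f"is not the peer WAN IP {peer['wan_ip']}"
            )
        local = ipaddress.ip_network(side["local_net"])
        remote = ipaddress.ip_network(side["remote_net"])
        if remote != ipaddress.ip_network(peer["local_net"]):
            problems.append(
                f"{side['name']}: remote net {remote} does not match "
                f"peer local net {peer['local_net']}"
            )
        if local.overlaps(remote):
            problems.append(f"{side['name']}: local net {local} overlaps remote net {remote}")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    elif len(a["psk"]) < min_psk_len or a["psk"].isdigit():
        problems.append("pre-shared key is short or all digits; use a long random key")
    return problems


if __name__ == "__main__":
    for p in check_tunnel_pair(branch, main) or ["OK: configurations mirror each other"]:
        print(p)
```

Run against the guide's values it reports only the weak key; swap one Remote Gateway for a wrong address and the mismatch is reported for that side, which is exactly the error that is otherwise only visible as a silent negotiation failure in the logs.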
LAN-to-LAN VPN using PPTP
Settings for Branch office
1. Setup interfaces, System->Interfaces:
   WAN IP: 193.0.2.10
   LAN IP: 192.168.4.1, Subnet mask: 255.255.255.0
2.
   Username: BranchOffice
   Password: 1234567890 (Note! You should use a password that is hard to guess)
   Retype password: 1234567890
   Interface IP: leave blank
   Remote gateway: 193.0.2.20 (the main office WAN IP)
   Remote net: 192.168.1.0/24
   Dial on demand: leave unchecked
   Under authentication MSCHAPv2 should be the only checked option.
   Under MPPE encryption 128 bit should be the only checked option.
   Leave Use IPsec encryption unchecked
   Click Apply
3. Setup policies for the new tunnel, Firewall->Policy:
   Click Global policy parameters
   Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN
   Click Apply
4. Click Activate and wait for the firewall to restart.
Settings for Main office
1. Setup interfaces, System->Interfaces:
   WAN IP: 193.0.2.20
   LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0
2. Setup PPTP server, Firewall->VPN:
   Under L2TP / PPTP Server click Add new PPTP server
   Name the server pptpServer
   Leave Outer IP and Inner IP blank
   Set client IP pool to 192.168.1.100 – 192.168.1.
   Under authentication MSCHAPv2 should be the only checked option.
   Under MPPE encryption 128 bit should be the only checked option.
   Leave Use IPsec encryption unchecked
   Click Apply
3.
4. Set up authentication source, Firewall->Users:
   Select Local database
   Click Apply
5. Add a new user, Firewall->Users:
   Under Users in local database click Add new
   Name the new user BranchOffice
   Enter password: 1234567890
   Retype password: 1234567890
   Leave static client IP empty (it could also be set to eg 192.168.1.200; if no IP is set here the IP pool from the PPTP server settings is used).
   Set Networks behind user to 192.168.4.
   Click Apply
6. Click Activate and wait for the firewall to restart.
This example will allow all traffic between the two offices. To get a more secure solution read the A more secure LAN-to-LAN VPN solution section in this chapter. Note also that with PPTP the MPPE session keys are derived from the MS-CHAPv2 password exchange, so the tunnel is only as strong as the BranchOffice password; the L2TP with IPsec encryption and IPsec LAN-to-LAN guides in this chapter protect the link with a separate key.
LAN-to-LAN VPN using L2TP
Settings for Branch office
1. Setup interfaces, System->Interfaces:
   WAN IP: 193.0.2.10
   LAN IP: 192.168.4.1, Subnet mask: 255.255.255.0
2.
   Username: BranchOffice
   Password: 1234567890 (Note! You should use a password that is hard to guess)
   Retype password: 1234567890
   Interface IP: leave blank
   Remote gateway: 193.0.2.20 (the main office WAN IP)
   Remote net: 192.168.1.
   Under MPPE encryption only None should be checked
   Check Use IPsec encryption
   Enter key 1234567890 (Note! You should use a key that is hard to guess)
   Retype key 1234567890
   Click Apply
3.
4. Click Activate and wait for the firewall to restart
Settings for Main office
1. Setup interfaces, System->Interfaces:
   WAN IP: 193.0.2.20
   LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0
2. Setup L2TP server, Firewall->VPN:
   Under L2TP / PPTP Server click Add new L2TP server
   Name the server l2tpServer
   Leave Outer IP and Inner IP blank
   Set client IP pool to 192.168.1.100 – 192.168.1.
   Leave WINS settings blank
   Under authentication MSCHAPv2 should be the only checked option.
   Under MPPE encryption None should be the only checked option.
3. Setup policies for the new tunnel, Firewall->Policy:
   Click Global policy parameters
   Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN
   Click Apply
4.
5. Add a new user, Firewall->Users:
   Under Users in local database click Add new
   Name the new user BranchOffice
   Enter password: 1234567890
   Retype password: 1234567890
   Leave static client IP empty (it could also be set to eg 192.168.1.200; if no IP is set here the IP pool from the L2TP server settings is used).
   Set Networks behind user to 192.168.4.0/24
   Click Apply
6. Click Activate and wait for the firewall to restart.
This example will allow all traffic between the two offices.
A more secure LAN-to-LAN VPN solution To get a more secure solution, specific policies should be created instead of allowing all traffic between the two offices. The following steps show how to enable some common services. In this example we have a mail server, an FTP server and a web server (intranet) in the main office that we want to access from the branch office.
Settings for Branch office
1.
4. Setup the new rule:
   Name the new rule: allow_pop3
   Select action: Allow
   Select service: pop3
   Select schedule: Always
   We don't want any Intrusion detection or traffic shaping for now, so leave these options unchecked.
5. The first policy rule is now created. Repeat step 4 to create rules named allow_imap, allow_ftp and allow_http. The services for these rules should be imap, ftp_passthrough and http. The policy list for LAN->toMainOffice should now look like this.
6. Click Activate and wait for the firewall to restart.
Settings for Main office
1. Setup policies for the new tunnel, Firewall->Policy:
   Click Global policy parameters
   Disable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN
   Click Apply
2. It is now possible to create policies for the VPN interfaces. Select from toBranchOffice to LAN and click Show.
3. Create the same 4 policy rules as were created on the branch office firewall (allow_pop3, allow_imap, allow_ftp and allow_http).
4. Click Activate and wait for the firewall to restart.
With the global switch disabled, anything not matched by one of these rules is dropped, so the rule list is now the complete statement of what may cross the tunnel.
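The behaviour this section relies on is first-match evaluation with a default deny once the global "allow all VPN traffic" switch is off. The script below is an added example, not part of the manual or of D-Link's software. It models the four rules above for the LAN->toMainOffice list; the service table (name to protocol and port), the `Drop` action name and the flow shape are this script's own simplifications, since the DFL-700's real matcher also considers schedules and source/destination networks. It also shows why a rule's position matters: a drop rule placed above an allow rule shadows it.

```python
"""First-match policy evaluation with a default deny, as an added example.

Not part of the manual. It models the "more secure" setup above: with the
global allow-all-VPN switch off, the four rules the guide creates are the
only traffic that passes. SERVICES, the "Drop" action name and the
(proto, dport) flow shape are this script's own simplifications.
"""
SERVICES = {
    "pop3": ("TCP", 110),
    "imap": ("TCP", 143),
    "ftp_passthrough": ("TCP", 21),
    "http": ("TCP", 80),
}

# Ordered rule list for LAN -> toMainOffice; the first matching rule wins.
LAN_TO_MAINOFFICE = [
    {"name": "allow_pop3", "action": "Allow", "service": "pop3"},
    {"name": "allow_imap", "action": "Allow", "service": "imap"},
    {"name": "allow_ftp", "action": "Allow", "service": "ftp_passthrough"},
    {"name": "allow_http", "action": "Allow", "service": "http"},
]


def evaluate(rules, proto, dport, allow_all_vpn=False):
    """Return (action, rule_name) for a flow; no match means ("Drop", None)."""
    if allow_all_vpn:  # the global switch the guide disables
        return ("Allow", "global:allow-all-VPN")
    for rule in rules:
        if SERVICES[rule["service"]] == (proto, dport):
            return (rule["action"], rule["name"])
    return ("Drop", None)


def insert_rule(rules, rule, position):
    """Return a copy of the list with rule at 1-based position, as the GUI's
    up/down arrows would place it."""
    new = list(rules)
    new.insert(position - 1, rule)
    return new


if __name__ == "__main__":
    for proto, port in (("TCP", 110), ("TCP", 80), ("TCP", 25), ("UDP", 53)):
        print(proto, port, evaluate(LAN_TO_MAINOFFICE, proto, port))
    shadowed = insert_rule(
        LAN_TO_MAINOFFICE, {"name": "deny_http", "action": "Drop", "service": "http"}, 1
    )
    print("http with deny_http at position 1:", evaluate(shadowed, "TCP", 80))
```

SMTP (port 25) and DNS are dropped because no rule names them, which is the intended effect of turning the global switch off; if the branch office also needs to send mail, that has to be a fifth rule, not a return to allow-all.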
Windows XP client and PPTP server
Settings for the Windows XP client
1. Open the control panel (Start button -> Control panel).
2. If you are using the Category view, click on the Network and Internet Connections icon. Then click Create a connection to the network at your workplace and continue to step 6. If you are using the Classic view, click on the Network Connections icon.
3. Under Network tasks, click Create a new connection.
4. The New connection wizard window opens up. Click Next.
9. Type the IP address of the server, 193.0.2.20 (the main office WAN IP), and click Next.
11. Type user name HomeUser and password 1234567890 (Note! You should use a password that is hard to guess).
13. Select the Networking tab and change Type of VPN to PPTP VPN. Click OK.
All settings needed for the XP client are now done.
Settings for Main office
1. Setup interfaces, System->Interfaces:
   WAN IP: 193.0.2.20
   LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0
2. Setup PPTP server, Firewall->VPN:
   Under L2TP / PPTP Server click Add new PPTP server
   Name the server pptpServer
   Leave Outer IP and Inner IP blank
   Set client IP pool to 192.168.1.100 – 192.168.1.199
   Check Proxy ARP dynamically added routes
   Check Use unit's own DNS relayer addresses
   Leave WINS settings blank
   Under authentication MSCHAPv2 should be the only checked option.
   Leave static client IP empty (it could also be set to eg 192.168.1.200; if no IP is set here the IP pool from the PPTP server settings is used).
   Click Apply
6. Click Activate and wait for the firewall to restart.
This example will allow all traffic from the client to the main office network. To get a more secure solution read the Settings for the Main office part of the A more secure LAN-to-LAN VPN solution section in this chapter.
Windows XP client and L2TP server The Windows XP client to L2TP server setup is quite similar to the PPTP setup above. Settings for the Windows XP client To set up an L2TP connection from Windows XP to the Main office firewall, you can follow the steps in the PPTP guide above for the client side. The only changes from that guide are: 1. In step 13, change the Type of VPN to L2TP IPsec VPN.
2. Select the Security tab and click IPsec Settings 3.
Settings for Main office
1. Setup interfaces, System->Interfaces:
   WAN IP: 193.0.2.20
   LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0
2. Setup L2TP server, Firewall->VPN:
   Under L2TP / PPTP Server click Add new L2TP server
   Name the server l2tpServer
   Leave Outer IP and Inner IP blank
   Set client IP pool to 192.168.1.100 – 192.168.1.
   Leave static client IP empty (it could also be set to eg 192.168.1.200; if no IP is set here the IP pool from the L2TP server settings is used).
   Click Apply
6. Click Activate and wait for the firewall to restart.
This example will allow all traffic from the client to the main office network. To get a more secure solution read the Settings for the Main office part of the A more secure LAN-to-LAN VPN solution section in this chapter.
Content filtering
To enable content filtering, follow these steps:
1. Update the content filtering settings, Firewall->Content Filtering:
   Select what content should be filtered out. ActiveX, Java applets, JavaScript/VBScript and cookies can be blocked or filtered out. Note that some web pages do not work well when these options are enabled.
   Pages that are safe or trusted can be added to the whitelist by clicking Edit global URL whitelist. To enable all subdomains of eg google.com (eg gmail.google.
2. Make sure the http-outbound service exists and is using the HTTP ALG, Firewall->Services:
   Find the http-outbound service in the list and click Edit. If there is no service with that name you will have to create one by clicking Add new at the bottom of the list.
   TCP / UDP Service should be selected and protocol should be set to TCP.
   Set destination port to 80.
   Select HTTP/HTML Content Filtering in the ALG dropdown.
   Click Apply
3.
4. The new policy should now be at position two in the list (if not, it can be moved to the right position by clicking on the up and down arrows).
5. Click Activate and wait for the firewall to restart.
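A whitelist entry for a domain is meant to cover that domain and its subdomains, and nothing else. The matcher below is an added example, not part of the manual or of the DFL-700's filter; the `*.example.com` wildcard syntax is this script's own assumption (the manual's whitelist syntax is not reproduced here). The point it makes is that matching must respect label boundaries: a naive "ends with google.com" test lets `notgoogle.com` through, and a naive "contains google.com" test lets `google.com.evil.test` through.

```python
"""Host matching for a content-filtering URL whitelist, as an added example.

Not part of the manual. The "*.base" wildcard syntax is this script's
assumption. An entry matches by whole DNS labels only, so neither
"notgoogle.com" nor "google.com.evil.test" matches "*.google.com".
"""
from urllib.parse import urlsplit

# Constructed whitelist: one exact host, one wildcard for all subdomains.
WHITELIST = ["intranet.examplecompany.com", "*.google.com"]


def host_of(url):
    """Return the lower-cased host of a URL, ignoring scheme, userinfo,
    port and path. Bare host names without a scheme are accepted too."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def matches(host, entry):
    """True if host is covered by one whitelist entry."""
    entry = entry.lower()
    if entry.startswith("*."):
        base = entry[2:]
        # The wildcard covers the base domain itself and any subdomain,
        # but only at a label boundary (note the leading dot).
        return host == base or host.endswith("." + base)
    return host == entry


def whitelisted(url, entries=WHITELIST):
    """True if the URL's host is covered by any entry in the whitelist."""
    host = host_of(url)
    return any(matches(host, e) for e in entries)


if __name__ == "__main__":
    for u in ("http://gmail.google.com/mail", "https://www.google.com:443/",
              "http://notgoogle.com/", "http://google.com.evil.test/",
              "http://user@intranet.examplecompany.com/"):
        print(f"{u:45} {'allow' if whitelisted(u) else 'filter'}")
```

Only the host is consulted; the path and query are irrelevant to the decision, and userinfo before the `@` is stripped so that `http://intranet.examplecompany.com@evil.test/` is judged on `evil.test`, not on the name in front of the `@`.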
Intrusion detection and prevention Intrusion detection and prevention can be enabled for both policies and port mappings. In this example we are using a port mapping; the policy setup is quite similar. In this example a mail server with IP 192.168.2.4 and a web server with IP 192.168.2.5 are connected to the DMZ interface of the firewall. To set up intrusion detection and prevention for a web server on the DMZ net, follow these steps:
1.
2. Set up the newly created port mapping:
   Name the rule map_www
   Select service http-in-all
   Enter pass to IP: 192.168.2.
   The new mapping is now in the list.
3. Setup email server and enable alerting, System->Logging:
   Check Enable E-mail alerting for IDS/IDP events
   Select sensitivity Normal
   Enter SMTP server IP (email server): 192.168.2.4
   Enter sender: idsalert@examplecompany.com
   Enter E-mail address 1: webmaster@examplecompany.com
   Enter E-mail address 2: steve@examplecompany.com
   Click Apply
4. Click Activate and wait for the firewall to restart.
When attacks are stopped by the firewall they will be listed in the logs.
Traffic shaping In these examples we assume that the WAN port of the firewall is connected to the Internet with an upstream and downstream bandwidth of 2 Mbit/s.
Limit bandwidth to a service
To limit the bandwidth a service (in this case FTP) can use, follow these steps:
1. Create a new policy rule. Under Firewall->Policy click LAN->WAN. Click Add new.
2.
Now all FTP traffic from 192.168.1.125 on the LAN network will be limited to 400 kbit/s in each direction. If more than one IP is required, a comma-separated list or a network can be entered (eg 192.168.1.125, 192.168.1.126 or 192.168.1.0/24).
Guarantee bandwidth to a service
To set up traffic shaping to guarantee a service a certain amount of bandwidth, follow these steps:
1. Set the interface speed for the WAN interface under System->Interfaces: Click Edit for the WAN interface.
   Select service: ftp_outbound
   Schedule should be Always
   Check the Traffic shaping box and enter 1000 as upstream and downstream guarantee.
   Click Apply
3. Click Activate and wait for the firewall to restart.
FTP traffic from LAN to WAN will now be guaranteed half of the total bandwidth to the Internet, 1 Mbit/s of 2 Mbit/s. If there are no FTP connections, or if the bandwidth used by the FTP connections is less than 1 Mbit/s, other services can use the remaining bandwidth.
Appendixes Appendix A: ICMP Types and Codes The Internet Control Message Protocol (ICMP) has many messages that are identified by a “type” field; many of these ICMP types have a "code" field. Here we list the types with their assigned code fields.
Type  Name                  Code  Description                                              RFC
5     Redirect              1     Redirect Datagram for the Host                           RFC792
5     Redirect              2     Redirect Datagram for the Type of Service and Network    RFC792
5     Redirect              3     Redirect Datagram for the Type of Service and Host       RFC792
8     Echo                  0     No Code                                                  RFC792
9     Router Advertisement  0     Normal router advertisement                              RFC1256
9     Router Advertisement  16    Does not route common traffic                            RFC2002
10    Router Selection      0     No Code                                                  RFC1256
11    Time Exceeded         0     Time to Live exceeded in Transit                         RFC792
11    Time Exceeded         1     Fragment Reassembly Time Exceeded                        RFC792
12    Parameter Problem     0     Pointer indicates the error                              RFC792
12    Parameter Problem     1     Missi
Appendix B: Common IP Protocol Numbers These are some of the more common IP protocol numbers; for the full list, follow the link after the table.
LIMITED WARRANTY D-Link provides this limited warranty for its product only to the person or entity who originally purchased the product from D-Link or its authorized reseller or distributor.
Registration Card. The Registration Card provided at the back of this manual must be completed and returned to an Authorized D-Link Service Office for each D-Link product within ninety (90) days after the product is purchased and/or licensed. The addresses/telephone/fax list of the nearest Authorized D-Link Service Office is provided in the back of this manual. FAILURE TO PROPERLY COMPLETE AND TIMELY RETURN THE REGISTRATION CARD MAY AFFECT THE WARRANTY FOR THIS PRODUCT. Submitting A Claim.
PRODUCT RETURNED TO D-LINK FOR WARRANTY SERVICE) RESULTING FROM THE USE OF THE PRODUCT, RELATING TO WARRANTY SERVICE, OR ARISING OUT OF ANY BREACH OF THIS LIMITED WARRANTY, EVEN IF D-LINK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE SOLE REMEDY FOR A BREACH OF THE FOREGOING LIMITED WARRANTY IS REPAIR, REPLACEMENT OR REFUND OF THE DEFECTIVE OR NON-CONFORMING PRODUCT. GOVERNING LAW: This Limited Warranty shall be governed by the laws of the state of California.
This ensures the safe operation of the device. 18. A certified power cord must be used to connect this device to the mains. For a rated current of up to 6 A and a device weight of more than 3 kg, a cord no lighter than H05VV-F, 3G, 0.75 mm² must be used. Trademarks Copyright © 2002 D-Link Corporation. Contents subject to change without prior notice. D-Link is a registered trademark of D-Link Corporation/D-Link Systems, Inc. All other trademarks belong to their respective proprietors.
- Consult the dealer or an experienced radio/TV technician for help.
Offices
AUSTRALIA
D-LINK AUSTRALIA, 1 Giffnock Ave, North Ryde, NSW 2113, Australia. TEL: 61-2-8899-1800 FAX: 61-2-8899-1868 TOLL FREE: 1800-177-100 (Australia), 0800-900900 (New Zealand) E-MAIL: support@dlink.com.au, info@dlink.com.au URL: www.dlink.com.au
BENELUX
D-LINK BENELUX, Fellenoord 130, 5611 ZB Eindhoven, The Netherlands. TEL: 31-40-2668713 FAX: 31-40-2668666 E-MAIL: info@dlink-benelux.nl, info@dlink-benelux.be URL: www.dlink-benelux.nl/, www.dlink-benelux.
RUSSIA
Tel/fax +7 (095) 744-00-99 E-MAIL: mail@dlink.ru Web: www.dlink.ru
SINGAPORE
D-LINK INTERNATIONAL, 1 International Business Park, #03-12 The Synergy, Singapore 609917. TEL: 65-774-6233 FAX: 65-774-6322 E-MAIL: info@dlink.com.sg URL: www.dlink-intl.com
SOUTH AFRICA
D-LINK SOUTH AFRICA, 102-106 Witchhazel Avenue, Einstein Park 2, Block B, Highveld Technopark, Centurion, South Africa. TEL: 27(0)126652165 FAX: 27(0)126652186 E-MAIL: attie@d-link.co.za URL: www.d-link.co.