
1

DFL-210/260/800/860/1600/1660/2500/2560/2560G
NetDefendOS 2.27.01
D-Link Corporation
No. 289, , , ,
http://www.DLink.com

2010-02-26
Copyright 2010



, , ,
, . , ,
, D-
Link.


, , .
D-Link
,
. D-Link

.


D-LINK
(, ,
, ,
),

D-LINK , D-LINK
. , D-LINK
, -
. D-LINK ,
,
.

...........................................................................................................11
1. NetDefendOS ...............................................................................13
1.1. .....................................................................................................................13
1.2. NetDefendOS ......................................................................................15
1.2.1. ..............................................................................15
1.2.2. NetDefendOS ........................................................................16
1.2.3. ............................................................................................................... 17
1.3. (State Engine) NetDefendOS....................................................................................................20
2. ..................................................................24
2.1.2. Administrator ..........................................................25
2.1.3. Web-............................................................................................................ 26
2.1.4. CLI...............................................................................30
2.1.5. CLI................................................................................................................ 38
2.1.6. Secure Copy..................................................................................................42
2.1.7. ........................................................................................45
2.1.8. .........................................................................47
2.1.9. .................................................................................................48
2.2. ...................................................................................53
2.2.1. ............................................................................................................................ 53
2.2.2. ...............................................................................54
2.2.3. Log Receivers................................................................................................................ 54
2.2.4. MemoryLogReceiver...................................................................55
2.2.5. Syslog.........................................................................................55
2.2.6. SNMP Traps..............................................................................................56
2.2.7. ...............................................................................58
2.3. RADIUS Accounting...........................................................................58
2.3.1. ............................................................................................................................ 58
2.3.2. RADIUS Accounting....................................................................59
2.3.3. (Interim Accounting Messages)......................................61
2.3.4. RADIUS Accounting....................................................................................61
2.3.5. RADIUS Accounting...............................................................................61
2.3.6. RADIUS Accounting ............................62
2.3.7. ...................................................................62
2.3.8. .............................................................................62
2.3.9. NAT......................................................................................................... 62
2.3.10. RADIUS...............................................................63
2.4. ..................................................................64
2.5. SNMP ...................................................................................................66
2.5.1. SNMP..................................................................................67
2.6. pcapdump...................................................................................................68
2.7. ..........................................................................................................71
2.7.1. ....................................................................71
2.7.2. ..............................................................................71
2.7.3. ...........................................................73
3. .................................................................................75
3.1. .........................................................................................................75
3.1.1. ............................................................................................................................ 75
3.1.2. IP-...................................................................................................................... 75
3.1.3. Ethernet-............................................................................................................ 77
3.1.4. Address Groups ( ).............................................................................78
3.1.5. .....................................................79
3.1.6. Address Book Folders ( )............................................................79
3.2.1. ............................................................................................................................ 80
3.2.2. ........................................................................81
3.2.3. ICMP-............................................................................................................... 84
3.2.4. IP-.....................................................................86
3.2.5. Service Groups ( )............................................................................87
3.2.6. Custom Service Timeouts (- ) .........................87
3.3.1. ............................................................................................................................ 88
3.3.2. Ethernet-...................................................................................................90
3.3.2.1. CLI- Ethernet-...........................................................94
3.3.3. VLAN............................................................................................................................. 96
3.3.4. PPPoE........................................................................................................................... 99
3.3.5. GRE-............................................................................................................... 102
3.3.6. Interface Groups ( )....................................................................106
3.4. ARP..........................................................................................................................106
3.4.1. .......................................................................................................................... 106
3.4.2. ARP- (ARP Cache) NetDefendOS..........................................................107
3.4.3. ARP-............................................................................................108
3.4.4. ARP...........................................................111
3.4.5. ...............................................................112
3.5. IP- .................................................................................................115
3.5.1. (Security Policies)................................................................115
3.5.2. IP-.................................................................................................118
3.5.3. IP-....................................................................................................119
3.5.4. IP-.............................................................120
3.5.5. IP-...........................................................................................121
3.5.6. Configuration Object Groups ( ).......................122
3.6. (Schedules).........................................................................................125
3.7.1. .......................................................................................................................... 127
3.7.2. NetDefendOS......................................................................129
3.7.3. CA (CA Certificate Requests)...............................................131
3.8. (Date) (Time)....................................................................................132
3.8.1. .......................................................................................................................... 132
3.8.2. ........................................................................................132
3.8.3. (Time Servers)..............................................................................134
3.8.4. ...........................................................137
3.9. DNS..........................................................................................................................138
4. .....................................................................................141
4.1. .......................................................................................................................141
4.2. (Static Routing)......................................................141
4.2.1. .........................................................................................141
4.2.2. .....................................................................................145
4.2.3. (Route Failover)...........................................................150
4.2.4. (Host Monitoring) ..................152
4.2.5. Route Failover....................................................................155
4.2.6. Proxy ARP................................................................................................................... 155
4.3. (PBR)............................................................157
4.3.1. .......................................................................................................................... 157
4.3.2. PBR- ............................................................................................................. 158
4.3.3. PBR.............................................................................................................. 158
4.3.4. ............................................................................158
4.3.5. Ordering (Ordering parameter) ................................................................159
4.4. Route Load Balancing .............................................................................162
4.5. OSPF.......................................................................................................................167
4.5.1. (Dynamic Routing)....................................................167
4.5.2. OSPF........................................................................................................ 171
4.5.3. OSPF......................................................................................................176
4.5.3.1. OSPF Router Process........................................................................................... 176
4.5.3.2. OSPF Area............................................................................................................ 179
4.5.3.3. OSPF Interface..................................................................................................... 179
4.5.3.4. OSPF Neighbor..................................................................................................... 181
4.5.3.5. OSPF Aggregate .................................................................................................. 182
4.5.3.6. OSPF VLink.......................................................................................................... 182
4.5.4. (Dynamic Routing Rule).............................184
4.5.4.1. .................................................................................................................................. 184
4.5.4.2. Dynamic Routing Rule ( )...................185
4.5.4.3. OSPF Action......................................................................................................... 186
4.5.4.4. Routing Action....................................................................................................... 186
4.5.5. OSPF.........................................................................................................187
4.5.6. OSPF............................................................................................................. 191
4.6. (Multicast Routing)............................................193
4.6.1. .......................................................................................................................... 193
4.6.2. (Multicast Forwarding) SAT Multiplex (SAT Multiplex Rules).........................................................................194
4.6.2.1. (Multicast Forwarding - No Address Translation)......................................................................................................................... 194
4.6.2.2. (Multicast Forwarding - Address Translation Scenario)........................................................................................................................ 196
4.6.3. IGMP......................................................................................................... 198
4.6.3.1. IGMP- .................................................199
4.6.3.2. IGMP- ...................................................201
4.6.4. IGMP..................................................................................203
4.7. (Transparent Mode)...............................................................206
4.7.1. ......................................................................................................................... 206
4.7.2. .................................................................................210
4.7.3. .........................................................212
4.7.4. Spanning Tree BPDU...............................................................................216
4.7.5. .........................................................217
5. DHCP .....................................................................................220
5.1. .......................................................................................................................220
5.2. DHCP-.......................................................................................................220
5.2.1. DHCP-...........................................................................................224
5.2.2. ....................................................................................................225
5.3. DHCP Relaying........................................................................................................226
5.3.1. DHCP Relay.......................................................................227
5.4. IP-.....................................................................................................228
6. .....................................................................232
6.1.2. IP Spoofing.................................................................................................................. 233
6.1.3. ......................................................................................233
6.2. ALG .........................................................................................................................234
6.2.1. .......................................................................................................................... 234
6.2.2. HTTP ALG................................................................................................................... 236
6.2.3. FTP ALG...................................................................................................................... 239
6.2.4. TFTP ALG.................................................................................................................... 247
6.2.5. SMTP ALG................................................................................................................... 248
6.2.5.1. DNSBL .........................................................................252
6.2.6. POP3 ALG................................................................................................................... 257
6.2.7. PPTP ALG................................................................................................................... 258
6.2.8. SIP ALG....................................................................................................................... 260
6.2.9. H.323 ALG................................................................................................................... 270
6.2.10. TLS ALG.................................................................................................................... 284
6.3. Web-.............................................................................287
6.3.1. ......................................................................................................................... 287
6.3.2. ............................................................................288
6.3.3. ....................................................................289
6.3.4. Web-........................................................291
6.3.4.1. .................................................................................................................................. 291
6.3.4.2. WCF................................................................................................................. 292
6.3.4.3. ............................................................................297
6.3.4.4. HTML- .............................................................................................. 302
6.4 ..................................................................................304
6.4.1. .......................................................................................................................... 304
6.4.2. ................................................................................................................. 305
6.4.3. ..................................................................306
6.4.4. ................................................................................................306
6.4.5. D-Link .....................................................................306
6.4.6. ...................................................................................................307
6.5. ......................................................310
6.5.1. .......................................................................................................................... 310
6.5.2. IDP D-Link .............................................................................311
6.5.3. IDP-................................................................................................................ 313
6.5.4. Insertion/Evasion....................................................................314
6.5.5. IDP ......................................................................................315
6.5.6. IDP .................................................................................................316
6.5.7. IDP ............................................................................................................. 317
6.5.8. SMTP Log Receiver IDP .......................................................................318
6.6. Denial-of-Service...............................................................320
6.6.1. .......................................................................................................................... 320
6.6.2. DoS..................................................................................................321
6.6.3. Ping of Death Jolt Attacks...............................................................................321
6.6.4. Fragmentation overlap: Teardrop, Bonk, Boink Nestea..................................321
6.6.5. Land LaTierra.................................................................................................322
6.6.6. WinNuke............................................................................................................ 322
6.6.7. : Smurf, Papasmurf, Fraggle.........................................322
6.6.8. TCP SYN Flood.................................................................................................323
6.6.9. Jolt2................................................................................................................... 324
6.6.10. Distributed DoS (DDoS)...................................................................................324
6.7. ..........................................................................325
7. .....................................................................327
7.1. .......................................................................................................................327
7.2. NAT..........................................................................................................................327
7.3. NAT-................................................................................................................332
7.4. SAT..........................................................................................................................335
7.4.1. IP- .........................................................336
7.4.2. IP- ......................................................341
7.4.3. ................................................................................344
7.4.4. -..........................................................................................344
7.4.5. SAT.................................................................................345
7.4.6. SAT-..............................................................345
7.4.7. SAT- FwdFast-..............................................................................346
8. ............................................................347
8.1. .......................................................................................................................347
8.2. ...................................................................................348
8.2.1. ...........................................................................348
8.2.2. ...................................................................349
8.2.3. RADIUS........................................................................................350
8.2.4. LDAP............................................................................................351
8.2.5. ..........................................................................................357
8.2.6. ..........................................................................................359
8.2.7. .....................................................360
8.2.8. HTTP-...............................................................................................361
8.3. HTML-......................................................................................364
9. VPN ........................................................................................................367
9.1. .......................................................................................................................367
9.1.1. VPN ..................................................................................................367
9.1.2. VPN-.......................................................................................................368
9.1.3. VPN ......................................................................................................368
9.1.4. ..............................................................................................369
9.1.5. TLS VPN...........................................................................370
9.2. VPN..............................................................................................370
9.2.1. IPsec- LAN to LAN ...............371
9.2.2. IPsec- LAN to LAN ...............372
9.2.3. IPsec- ................................................................................................................................... 373
9.2.4. IPsec- ....................................................................................................................... 376
9.2.5. L2TP- ...........376
9.2.6. L2TP- ...........378
9.2.7. PPTP-..................................................................378
9.3. IPsec ................................................................................................379
9.3.1. .......................................................................................................................... 379
9.3.2. IKE (Internet Key Exchange).......................................................................380
9.3.3. IKE..................................................................................................385
9.3.4. IPsec (ESP/AH)........................................................................................386
9.3.5. NAT Traversal.............................................................................................................. 387
9.3.6. (Algorithm Proposal Lists)..............................................389
9.3.7. .............................................................................................................. 390
9.3.8. ..............................................................................................391
9.4. IPsec- ........................................................................................................392
9.4.1. .......................................................................................................................... 393
9.4.2. LAN to LAN ........................394
9.4.3. ...................................................................................................395
9.4.4. RL, LDAP-.............................................400
9.4.5. ikesnoop .....................................400
9.4.6. IPsec .................................................................................406
9.5. PPTP/L2TP ............................................................................................................409
9.5.1. PPTP- ........................................................................................................... 409
9.5.2. L2TP- ........................................................................................................... 411
9.5.3. L2TP/PPTP- .......................................................415
9.5.4. L2TP/PPTP- ..................................................................................................415
9.6. .............................................................................................417
9.7. VPN ......................................................................419
9.7.1. .....................................................................................419
9.7.2. ............................420
9.7.3. IPsec....................................................421
9.7.4. VPN .........................................................................422
9.7.5. ............................................................................................422
9.7.6. ........................................................................................................425
10. ........................................................................427
10.1. Traffic Shaping.......................................................................................................427
10.1.1. ........................................................................................................................ 427
10.1.2. Traffic Shaping NetDefendOS.................................................................................428
10.1.3. ............................................................431
10.1.4. ....................................432
10.1.5. ....................433
10.1.6. .............................................................................................................. 434
10.1.7. .......................................................................................................438
10.1.8. Traffic shaping.............................................................................441
10.1.9. Traffic shaping..................................................................443
10.1.10. ............................................443
10.2. Traffic Shaping IDP..............................................................................447
10.2.1. ........................................................................................................................ 447
10.2.2. Traffic Shaping IDP ...............................................................448
10.2.3. ....................................................................................................448
10.2.4. ...........................................................................................449
10.2.5. P2P .......................................................................................................... 449
10.2.6. Traffic Shaping .............................................................................450
10.2.7. ..................................451
10.2.8. .....................................................................................................451
10.3. ....................................................................................................452
10.3.1. ........................................................................................................................ 452
10.3.2. / ..................453
10.3.3. ........................................................................................................453
10.3.4. ....................................................................................................453
10.3.5. ....................................................................................453
10.3.6. , .............................................................453
10.3.7. ZoneDefense ..............................................................................454
10.3.8. ...........................................................................454
10.4. .........................................................................454
10.4.1. ........................................................................................................................ 454
10.4.2. SLB .............................................................................456
10.4.3. (Stickiness) ................................456
10.4.4. SLB (Stickiness) ..................................................................458
10.4.5. ..............................................................................459
10.4.6. SLB_SAT ..................................................................................459
11. ..............................................................463
11.1. .....................................................................................................................463
11.2. ....................................464
11.3. HA-.......................................................................................467
11.3.1. HA-................................................467
11.3.2. HA- NetDefendOS..............469
11.3.3. HA-..............................................................................470
11.3.4. Unique Shared Mac Addresses......................................................................471
11.4. HA-.........................................................471
11.5. HA-....................................................................................472
11.6. HA-...............................................................474
12. ZoneDefense.........................................................................................476
12.1. .....................................................................................................................476
12.2. ZoneDefense .................................................................................476
12.3. ZoneDefense........................................................................477
12.3.1. SNMP......................................................................................................................... 477
12.3.2. (Threshold Rules).....................................................................478
12.3.3. Exclude (Exclude Lists)..............................478
12.3.4. ZoneDefense ............................................................480
12.3.5. ............................................................................................................. 480
13. ...............................................................482
9
13.1. IP- ...........................................................................................482
13.2. TCP- .......................................................................................485
13.3. ICMP- .....................................................................................490
13.4. ...........................................................................................491
13.5. ........................................................................492
13.6. ......................................................................494
13.7. ...................................................................................496
13.8. .............................................499
13.9. ........................................................................................499
. ...........................................................501
. IDP .................................................................503
. MIME, .............................507
. OSI .............................................................510


,
D-Link
NetDefendOS. ,
.

. .

, ,
. , .
.

,
.

Web-, URL
(, ).
: http://www.dlink.com.

.
, , ,
NetDefendOS, .
, ,
, NetDefendOS,
, , .

.

,
. , CLI
/ Web-. ( CLI
NetDefendOS CLI.)

1.

, .

CLI

, , .
, :

gw-world:/> somecommand someparameter=somevalue

Web-

, Web-, .

, :

1. X > Item Y > Item Z

2. :
DataItem1: datavalue1
DataItem2: datavalue2

, ,
.
:


,
.


,
, .


,
,
.


,
.


,
, ,
.


, ,
.

Windows, Windows XP, Windows Vista Windows 7


Microsoft Corporation / .

1. NetDefendOS
NetDefendOS.

NetDefendOS

(State Engine)

NetDefendOS

1.1.
D-Link NetDefendOS ,
D-Link .

NetDefendOS
, NetDefendOS
. ,
, , Unix Microsoft Windows,
NetDefendOS ,
.

NetDefendOS
, NetDefendOS
,
.
.


NetDefendOS .
:

IP Routing NetDefendOS IP-,


,
, multicast.
, NetDefendOS , Virtual
LAN, , Proxy ARP Transparency.
4,.

Firewalling Policies NetDefendOS SPI


, TCP, UDP ICMP.

/ /, ,
, (user credentials), ..
3.5, IP-, ,
,
NetDefendOS.

Address Translation , ,
NetDefendOS .
(NAT),
(SAT),
. 7,
.

VPN NetDefendOS Virtual


Private Network (VPN). NetDefendOS VPN
IPsec, L2TP PPTP
VPN
VPN-.
9, VPN, ,
9.2, VPN.

TLS Termination NetDefendOS TLS Termination,


D-Link
Web- HTTP ( SSL
termination).
6.2.9, TLS ALG.

Anti-Virus Scanning NetDefendOS .


, D-Link,
, ,
,
.
6.4, .


IDP D-Link
NetDefend .

IDP.

Intrusion Detection and


Prevention NetDefendOS
Intrusion Detection and Prevention (IDP).
IDP engine


. IDP
NetDefendOS 6.5,
(IDP)


IDP D-Link
NetDefend .

IDP.

Web Content Filtering NetDefendOS Web-


, Web.
Web- ,
, Web-
.

6.3, Web-.


Dynamic WCF
D-Link NetDefend.

Traffic Management NetDefendOS
,
(Traffic Shaping), (Threshold Rules) (
) (Server Load
Balancing).
Traffic Shaping
; Threshold Rules
/
; Server Load Balancing NetDefendOS
.
10, .


Threshold Rules
D-Link NetDefend.

Operations and NetDefendOS Web-


Maintenance (CLI). NetDefendOS

, SNMP.
2,
.

ZoneDefense NetDefendOS
D-Link ZoneDefense.
NetDefendOS ,
.


NetDefendOS ZoneDefense
D-Link NetDefend.

NetDefendOS
,
NetDefendOS.
:

CLI,
NetDefendOS CLI.

NetDefendOS
NetDefendOS.

NetDefendOS.

1.2. NetDefendOS
1.2.1.
NetDefendOS . ,
IP-
, .
,
.

Stateful Inspection
NetDefendOS Stateful inspection,
. NetDefendOS
state state table
. , NetDefendOS
,
, .
Stateful inspection ,
.
NetDefendOS, stateful inspection,
NetDefendOS state-engine.

1.2.2. NetDefendOS
NetDefendOS ,
( ).


,
NetDefend. NetDefendOS
.

NetDefendOS :

Ethernet-.

- (sub-interfaces) VLAN PPPoE.

VPN-


NetDefendOS , ,

.


- , .
, , , .
,
. , Application Layer
Gateway (ALG),
, HTTP, FTP, SMTP H.323.

NetDefendOS
, , (rule sets)
NetDefendOS.
IP- (IP Rules), ,
IP- 3,
. (Traffic Shaping Rules)
, IDP ..

1.2.3.
,
NetDefendOS.
, ,
NetDefendOS.

1. Ethernet- Ethernet- .
Ethernet- , , .

2. .
:
Ethernet- VLAN ID (Virtual LAN identifier),
( ), VLAN-
VLAN ID. VLAN-
. ,
, .
Ethernet- PPP-,
PPPoE-. ,
. ,
.
, ( Ethernet-
, Ethernet-)
.
3. IP- NetDefendOS,
, ,
, .. , ,
.
4. NetDefendOS ,
, , IP- IP-.
, ,
, 9. ,
10.
5. (Access Rules) , IP-
. ,
(reverse route lookup).
, , IP- ,
. (reverse lookup)
, ,
, .
, IP
, .
6. .
.
7. IP-, .
:

IP- (, TCP, UDP, ICMP)

TCP/UDP-

ICMP-

, .
, , Action
NetDefendOS .
Drop (), , .
Allow (), .
,
. , ,
IP-
Application Layer Gateway (ALG). , NetDefendOS
.
, , ,
.

:
, ,
.
.
8. (Intrusion Detection and Prevention (IDP)
Rules) IP-. ,
. , NetDefendOS
, .
9. (Traffic Shaping)
(Threshold Limit rule). ,
. , .
10. NetDefendOS ,
:
ALG IDP-
TCP,
ALG, 7 ..,
.
( IPsec, PPTP/L2TP
),
. ,
( ) NetDefendOS,
, . ,
3, .
,
.
11. ,
.
-, , ,
. ,
, NetDefendOS.

1.3.
(State Engine) NetDefendOS
,
NetDefendOS. ,
.
, , NetDefendOS
.

. 1.1. .
.

. 1.2. . II
.

. 1.3. . III



1.2, I, .

. 1.4.

2.
, ,
NetDefendOS.

NetDefendOS

RADIUS Accounting

SNMP Monitoring

pcapdump

2.1. NetDefendOS
2.1.1.
NetDefendOS
. ,
. ,
.

,
NetDefendOS. ,
.

NetDefendOS :

Web- NetDefendOS
Web- ( Web-
WebUI).
Web-
( Microsoft Internet Explorer Firefox).
Ethernet-
HTTP HTTPS NetDefendOS
Web-, Web-
.

2.1.3, Web-
.

CLI,

CLI Secure Shell (SSH),
NetDefendOS.

2.1.4, CLI.

Secure Copy Secure Copy (SCP)


, . NetDefendOS
SCP-, ,
SCP-,
. SCP CLI
,
NetDefend.
, NetDefendOS,
SCP.

2.1.6, Secure Copy.

NetDefendOS, ,
RS232- NetDefend,

.
NetDefendOS.
.

2.1.6,
.

:
, WebUI: Microsoft Internet
Explorer ( 7 ), Firefox ( 3.0 ) Netscape ( 8
). .


, ,
, , .
Web- ,
CLI
IPsec-.

, Web-
LAN- D-Link ( LAN-, LAN1
).

2.1.2. Administrator
, NetDefendOS , AdminUsers,
admin.
admin. / NetDefendOS.

:
,
NetDefend,
.

, .
, ,
/, ,
.

NetDefendOS .
, ,
. ,

.

2.1.3. Web-
NetDefendOS Web- (WebUI)
Ethernet-, Web-.

,
.

IP-

D-Link NetDefend
NetDefendOS IP- LAN1
( LAN ). IP-,
, NetDefend:

NetDefend DFL-210, 260, 800, 860, 1600 2500, IP-


, - 192.168.1.1.

NetDefend DFL-1660, 2560 2560G, IP-


, - 192.168.10.1.

IP-

NetDefend
, ,
IP-:

IP-: 192.168.1.30

: 255.255.255.0

: 192.168.1.1

Web-

Web-, ,
Web- ( Internet Explorer
Firefox) 192.168.1.1.

NetDefendOS,
https:// URL- (
, https://192.168.1.1). HTTPS
NetDefendOS.

NetDefendOS,
, .

, Login.
admin, admin. ,
Web-.

Web-

, - admin.

.
NetDefend,
NetDefendOS
.

:
Web-
NetDefendOS
Setup Wizard .

Web- (
). .
Web- D-Link.

, NetDefendOS ,
- . ,
.

Web-

Web- ,
NetDefendOS. Web-
. .


2.1.2, Administrator.

:
Web-
. ,
Web-
.

Web- :

A. , Web-,
, ,

.

Home Web-

Save and Activate

Discard changes ,

View Changes
.

Tools , .

Status ,
.

Maintenance ()

Update Center
.

License .

Backup

.

Reset
.

Upgrade
.

Technical support
,

. ,

,
.

. , Web-,
, .
,
.
.

.
, .

Web-

, Web- .
, ,
.

2.1. HTTPS
CLI

gw-world:/> add RemoteManagement RemoteMgmtHTTP https
            Network=all-nets Interface=any
            LocalUserDatabase=AdminUsers HTTPS=Yes

Web-

1. System > Remote Management > Add > HTTP/HTTPS Management

2. Name () HTTP/HTTPS, , https

3. HTTPS

4. :

User Database: AdminUsers


Interface: any
Network: all-nets

5. OK

:


.
.

Web-

Web-,
.
Logout .

:

VPN- ,

all-nets VPN-.
.

,
, , NetDefendOS,
VPN-.
.

2.1.4. CLI
NetDefendOS (CLI) ,

. CLI
( )
Ethernet- Secure Shell (SSH) SSH.

CLI ,
,
.


CLI. CLI, .
CLI.

CLI:

add , , IP- NetDefendOS.

set - . ,
IP-.

show .

delete .
CLI

, CLI : <command> <object_type> <object_name>.
, IP- my_address, :

gw-world:/> show Address IP4Address my_address

(object type)
, ( ,
).

:

.

add (object properties).


IP4Address IP- 10.49.02.01 :

gw-world:/> add IP4Address my_address Address=10.49.02.01

.
tab completion , .

:
CLI gw-world:/> help help
.

CLI

CLI-
( Microsoft Windows).
,
CLI. ,
.

Tab Completion

. NetDefendOS
, tab completion. tab
. , ,
tab .

Tab Completion

tab completion
. ".",
tab "=". ,
:

set Address IP4Address lan_ip Address=

" " tab, NetDefendOS


Address. , , 10.6.58.10,
:

set Address IP4Address lan_ip Address=10.6.58.10

NetDefendOS 10.6.58.10,

.

, "<" tab
, . :

add LogReceiverSyslog example Address=example_ip LogSeverity=< (tab)

LogSeverity:

add LogReceiverSyslog example Address=example_ip LogSeverity=Emergency

, ".", :
add LogReceiverSyslog example Address=example_ip LogSeverity=. (tab)

:
add LogReceiverSyslog example Address=example_ip
LogSeverity=Emergency,Alert,Critical,Error,Warning,Notice,Info

, , , IP4Address.
. IP4Address Address. ,
tab completion , .

, , add tab, NetDefendOS


. tab,
.
,
tab.

. UserAuthRule
tab .


cc ( ) . ,
, . ,
, , cc
, .

, main.
:

gw-world:/> cc RoutingTable main

gw-world:/main>

, .
:

gw-world:/> add Route Name=new_route1 Interface=lan Network=lannet

cc:

gw-world:/main> cc
gw-world:/>

, cc,
/, ,
show. , RoutingTable/.

. ,
AccountingServers,
. ,.
, server1, server2, server3,
:

AccountingServers=server1,server2,server3

, , , IP-, .
add, CLI,
. , add
Index= .
Index=1 add, Index=2
..


Name= add. , , Index,
,
. ,
, , , .

,
NetDefendOS, Name= Index=.

, ,
, .
CLI. ,
2.1.5, CLI.

CLI .
NetDefendOS , IP-
, , , .
IP- IP-,
Index IP- CLI. IP-
.

CLI

CLI, IP-
IP4Address IP-, , 192.168.1.10.
dns: , DNS IP-
. , host.company.com CLI
dns:host.company.com.

, URN CLI:

Remote Endpoint ( ) IPsec, L2TP PPTP-.

LDAP-.

DNS, NetDefendOS
DNS- IP-.

CLI

RS-232 NetDefend,
NetDefendOS CLI
/. ,
D-Link, .


(, Hyper Terminal,
Microsoft Windows).
: : 9600 /, : , : 8
:1 -.

RS-232 . RS-232
null-modem.

, :

1. , .

2. RS-232
.

3.
, .

4. enter.
(login prompt) NetDefendOS.

CLI SSH (Secure Shell)


SSH (Secure Shell) CLI .
SSH
, . SSH-
.

NetDefendOS 1, 1.5 2 SSH-. SSH-


NetDefendOS,
.

2.2. SSH-

SSH- lannet lan


.

CLI

gw-world:/> add RemoteManagement RemoteMgmtSSH ssh Network=lannet
            Interface=lan LocalUserDatabase=AdminUsers

Web-

1. System > Remote Management > Add > Secure Shell Management

2. Name () SSH-, , ssh_policy

3. :

User Database: AdminUsers


Interface: lan
Network: lannet

4. OK

CLI

CLI, NetDefendOS
SSH-, ,
CLI.
,
.

CLI SSH-, NetDefendOS


. Enter,
Enter.

CLI:

gw-world:/>

-,
.
CLI.

admin


admin .
256 . .

, , my-password, CLI.
, LocalUserDatabase AdminUsers
( ):

gw-world:/> cc LocalUserDatabase AdminUsers

AdminUsers admin:

gw-world:/AdminUsers> set User admin Password="my-password"

:
gw-world:/AdminUsers> cc

:
,
, - ,
.
2.1.7 .

CLI Prompt

CLI prompt :

gw-world:/>

Device NetDefend. ,
, my-prompt:/>, CLI:

gw-world:/> set device name="my-prompt"

CLI

gw-world:/>.

:
,

WebUI.

CLI - ,
NetDefendOS, :

gw-world:/> activate

activate, :

gw-world:/> commit

30 ( ) commit,
, .

activate commit,
- :
gw-world:/> show -errors

NetDefendOS
. , ,
IP- , .

CLI

CLI,
. exit
logout.

, CLI.
Ethernet- if2 IP- 10.8.1.34.

-, IP- if2,
NetDefendOS, IP-:

gw-world:/> set Address IP4Address if2_ip Address=10.8.1.34

IP- :

gw-world:/> set Address IP4Address if2_net Address=10.8.1.0/24

IP-,
IP-.

HTTP-, HTTP_if2:

gw-world:/> add RemoteManagement RemoteMgmtHTTP HTTP_if2
            Interface=if2 Network=all-nets
            LocalUserDatabase=AdminUsers
            AccessLevel=Admin HTTP=Yes

, IP-
10.8.1.34 Web-. SSH-,
RemoteMgmtSSH.

, , all-nets
-. , NetDefend
.

, sessionmanager

CLI sessionmanager
. ,
:

CLI Secure Shell (SSH).

CLI .

Secure Copy (SCP).

Web- HTTP HTTPS.

- :

gw-world:/> sessionmanager

Session Manager status
----------------------
Active connections          : 3
Maximum allowed connections : 64
Local idle session timeout  : 900
NetCon idle session timeout : 600

-list.
:

gw-world:/> sessionmanager -list


User Database IP Type Mode Access
-------- ---------------- --------- ------- ------- --------
local (none) 0.0.0.0 local console admin

,
-disconnect sessionmanager.

sessionmanager
CLI.

2.1.5. CLI
CLI , NetDefendOS
CLI scripting. CLI script
CLI,
NetDefend.

CLI script:

1. ,
, .

2. D-Link .sgs (Security Gateway Script).


, , 16 .

3. NetDefend, Secure Copy (SCP). -


scripts. SCP 2.1.6, Secure
Copy.

4. CLI script -execute .

CLI script , .
CLI,
. .
2.1.4 CLI .

add

set

delete

cc

, ,
. , ping .

, script -execute
, . ,
my_script.sgs, ,
CLI:

gw-world:/> script -execute -name=my_script.sgs

,
:

$1, $2, $3, $4 $n

, ,
script -execute. n .
$1, $2 ..

: $0

, $1. $0

.

, my_script.sgs $1
IP 126.12.11.01, , If1, $2.

my_script.sgs CLI:

add IP4Address If1_ip Address=$1 Comments=$2

CLI:

> script -execute -name=my_script.sgs 126.12.11.01 "If1 address"

, :

add IP4Address If1_ip Address=126.12.11.01 Comments="If1 address"


, CLI . ,
. ,
. , ,
. , - ,
,
;
CLI.

, ,
. -force.
my_script2.sgs , CLI:

gw-world:/> script -execute -name=my_script2.sgs -force

-force, ,
.


CLI.
, .
, -verbose:
gw-world:/> script -execute -name=my_script2.sgs -verbose

NetDefend,
RAM. NetDefendOS
, .
NetDefendOS
script -store.

my_script.sgs :

gw-world:/> script -store -name=my_script.sgs

,
:

gw-world:/> script -store -all

, script remove.
my_script.sgs, :

gw-world:/> script -remove -name=my_script.sgs

- ,
, , , ,
( Disk
Memory).

gw-world:/> script

Name            Storage  Size (bytes)
--------------  -------  ------------
my_script.sgs   RAM      8
my_script2.sgs  Disk     10

, ,
my_script.sgs, :

gw-world:/> script -show -name=my_script.sgs


NetDefend, ,
.

NetDefendOS , script -create


.
,
NetDefend .

, IP4Address
NetDefend, .
CLI :

gw-world:/> script -create Address IP4Address -name new_script.sgs

new_script.sgs, CLI,
IP4Address .
, , :

add IP4Address If1_ip Address=10.6.60.10


add IP4Address If1_net Address=10.6.60.0/24
add IP4Address If1_br Address=10.6.60.255
add IP4Address If1_dns1 Address=141.1.1.1
"
"
"

new_script.sgs SCP
NetDefend.
,
IP4Address.

, -create 16
( ) .sgs.

:
CLI
, -name= script -create.

, ,
, -create. CLI
script -create :

COMPortDevice

Ethernet

EthernetDevice

Device

, NetDefendOS
script file empty.

, #,
. :

# The following line defines the If1 IP address

add IP4Address If1_ip Address=10.6.60.10

. , my_script.sgs :

"
"
script -execute -name my_script2.sgs
"
"

NetDefendOS my_script2.sgs
.. 5.
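The substitution and nesting rules of this section, as an added example that is not part of the manual or of NetDefendOS: a small Python model of script -execute that expands $0..$n, skips # comment lines, accepts only add, set, delete and cc (plus a nested script call), honours -force and the five-level nesting limit. The in-memory SCRIPTS dictionary stands in for the unit's script store; treating a $n with no argument supplied as an error is an assumption the manual does not state.

```python
import re
from typing import Dict, List, Tuple

# Commands a CLI script may contain: add, set, delete and cc, plus 'script'
# so that one script can execute another (nesting is limited to five levels).
ALLOWED = {"add", "set", "delete", "cc", "script"}
MAX_NESTING = 5


class ScriptError(Exception):
    """An error that stops execution unless -force is given."""


def substitute(line: str, script_name: str, args: List[str]) -> str:
    """Replace $0 with the script name and $1..$n with the call arguments.
    Assumption: a $n with no argument supplied is treated as an error."""
    def repl(m):
        n = int(m.group(1))
        if n == 0:
            return script_name
        if n > len(args):
            raise ScriptError(f"{script_name}: no argument for ${n} in: {line}")
        return args[n - 1]
    return re.sub(r"\$(\d+)", repl, line)


def parse_script_call(tokens: List[str], caller: str) -> Tuple[str, List[str]]:
    """Parse 'script -execute -name=<file> [args...]' (or '-name <file>')."""
    if "-execute" not in tokens:
        raise ScriptError(f"{caller}: only 'script -execute' may be nested")
    name, args, i = None, [], 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-name="):
            name = tok[len("-name="):]
        elif tok == "-name" and i + 1 < len(tokens):
            i += 1
            name = tokens[i]
        elif not tok.startswith("-"):
            args.append(tok)
        i += 1
    if not name:
        raise ScriptError(f"{caller}: nested script call without -name")
    return name, args


def expand_script(name: str, args: List[str], store: Dict[str, str],
                  force: bool = False, depth: int = 1) -> Tuple[List[str], List[str]]:
    """Return (commands, errors): the CLI commands that
    'script -execute -name=<name> args...' would issue, with nested scripts
    expanded in place.  Without force the first error aborts the run;
    with force it is recorded and execution continues."""
    if depth > MAX_NESTING:
        raise ScriptError(f"{name}: scripts nested deeper than {MAX_NESTING} levels")
    if name not in store:
        raise ScriptError(f"no such script: {name}")
    commands: List[str] = []
    errors: List[str] = []
    for raw in store[name].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank line or comment
        try:
            line = substitute(line, name, args)
            tokens = re.findall(r'"[^"]*"|\S+', line)  # keep quoted arguments whole
            verb = tokens[0]
            if verb not in ALLOWED:
                raise ScriptError(f"{name}: '{verb}' is not permitted in a script")
            if verb != "script":
                commands.append(line)
                continue
            sub_name, sub_args = parse_script_call(tokens, name)
            sub_cmds, sub_errs = expand_script(sub_name, sub_args, store, force, depth + 1)
            commands.extend(sub_cmds)
            errors.extend(sub_errs)
        except ScriptError as err:
            if not force:
                raise
            errors.append(str(err))
    return commands, errors


# Constructed script store standing in for the unit's script/ directory.
SCRIPTS = {
    "my_script.sgs": "add IP4Address If1_ip Address=$1 Comments=$2\n",
    "my_script2.sgs": (
        "# The following line defines the If1 network\n"
        "add IP4Address If1_net Address=10.6.60.0/24\n"
        'script -execute -name my_script.sgs 10.6.60.10 "If1 address"\n'
    ),
    "bad.sgs": "ping 10.6.60.1\nadd IP4Address srv Address=10.6.60.20\n",
    "loop.sgs": "script -execute -name=loop.sgs\n",
}

if __name__ == "__main__":
    cmds, _ = expand_script("my_script.sgs", ["126.12.11.01", '"If1 address"'], SCRIPTS)
    print("\n".join(cmds))
```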

2.1.6. Secure Copy


,
secure copy (SCP). SCP SSH
SCP-, .
, , SCP-.

SCP

SCP .
, , scp, .

> scp <local_filename> <destination_firewall>

:

> scp <source_firewall> <local_filename>

NetDefend :

<user_name>@<firewall_ip_address>:<filepath>.

: admin@10.62.11.10:config.bak.

<user_name> NetDefendOS .

: SCP

SCP
,
.

, SCP-
NetDefendOS:



( Web-) ( Web-)
(config.bak)

( Web-) ( Web-)
(full.bak)


SSH-
Web auth banner
Web content filter banner

NetDefendOS

NetDefendOS 2- ,
root . , sshlclientkey
. , NetDefendOS,
, CLI ls.

gw-world:/> ls

HTTPALGBanners/

HTTPAuthBanners/

certificate/

config.bak

full.bak

script/

sshclientkey/

, :

HTTPALGBanners/ - HTML- .
6.3.4.4, HTML-.

HTTPAuthBanner/ - HTML- ALG.


6.3.4.4, HTML-.

certificate/ - .

script/ - CLI. 2.1.5,


CLI.

sshclientkey/ - SSH-.

NetDefendOS.
(license.lic), (config.bak)
(full.bak). .
NetDefendOS
( ).

admin1 IP- 10.5.62.11, ,


SCP:

> scp config.bak admin1@10.5.62.11:

,
:

> scp admin1@10.5.62.11:config.bak ./

,
. CLI my_script.sgs, :

> scp my_script.sgs admin1@10.5.62.11:script/

CLI my_script.sgs ,
:

> scp admin1@10.5.62.11:script/my_script.sgs ./

, SCP
CLI activate, commit .

( .upg)
(full.bak) .
.
, .

2.1.7.
NetDefendOS
NetDefendOS, (
). .

,
NetDefend.
NetDefend NetDefendOS.

NetDefend NetDefendOS 3
, Press any key to abort and load boot menu (
), :

3 ,
NetDefendOS .


NetDefendOS
, , :

1. Start firewall ( )

NetDefendOS NetDefend.

2. Reset unit to factory defaults ( )

.
:

3.

,
NetDefendOS. , ,
.

4.
. ,
, ,
. , ,
(CLI).

, NetDefendOS
, , .

Start firewall, NetDefendOS.


Login, , ,
.

, Set console password


, Enter .

/,
Web-.

2.1.8.
Web- :

SSH Before Rules


SSH- IP-.

WebUI Before Rules


HTTP(S)- IP-.

: 900

,
.

: 30

WebUI HTTP port


HTTP- Web-.

: 80

WebUI HTTPS port


HTTP(S)- Web-.

: 443

HTTPS

, HTTPS-.
RSA .

: HTTPS

2.1.9.

,
.
, , , IP- ..
, .

. ,
, . , IP4Address
, IPv4-.

Web-
.

CLI,
. , Web-
CLI. , IP4Address,
IP4Group EthernetAddress Address,
. , Ethernet VLAN
Interface, . ,
; ,
.

2.3.
, , .
, .

CLI

gw-world:/> show Service

Web-

1. Objects > Services

2. Web- , :

Add Button - .
, .

Header .
.

Rows . ,
( ), .

, , . -
. ,
, .

2.4.
, ,
. , ,
telnet.

CLI

gw-world:/> show Service ServiceTCPUDP telnet

Property Value
----------------- -------
Name: telnet
DestinationPorts: 23
Type: TCP
SourcePorts: 0-65535
SYNRelay: No
PassICMPReturn: No
ALG: (none)
MaxSessions: 1000
Comments: Telnet

Property TCP/UDP , Value


.

Web-

1. Objects > Services

2. telnet

3. Web-, telnet


CLI,
. ,
CLI :

gw-world:/> show ServiceTCPUDP telnet

2.5.
NetDefendOS, ,
. , Comments telnet.

CLI

gw-world:/> set Service ServiceTCPUDP telnet
            Comments="Modified Comment"

gw-world:/> show Service ServiceTCPUDP telnet

Property Value
----------------- -------
Name: telnet
DestinationPorts: 23
Type: TCP
SourcePorts: 0-65535
SYNRelay: No
PassICMPReturn: No
ALG: (none)
MaxSessions: 1000
Comments: Modified Comment

Web-

1. Objects > Services

2. telnet

3. Comments

4. OK ,

:


NetDefendOS.

2.6.
, IP4Address, IP- 192.168.10.10,
.

CLI
gw-world:/> add Address IP4Address myhost Address=192.168.10.10

gw-world:/> show Address IP4Address myhost

Property Value
--------------------- -------------
Name: myhost
Address: 192.168.10.10
UserAuthGroups: (none)
NoDefinedCredentials: No
Comments: (none)

Web-

1. Objects > Address Book

2. Add

3. IP-

4. Name myhost

5. IP Address 192.168.10.10

6. OK

7. , IP4 address

2.7.

, IP4Address.

CLI

gw-world:/> delete Address IP4Address myhost

Web-

1. Objects > Address Book

2. , myhost

3. Delete

2.8.
.
, IP4Address, .

CLI

gw-world:/> undelete Address IP4Address myhost

Web-

1. Objects > Address Book

2. , myhost

3. Undo Delete

, ,
, , .

2.9.
, .

CLI
gw-world:/> show -changes
Type Object
------------- ------
- IP4Address myhost
* ServiceTCPUDP telnet

+ , . * ,
. - , .

Web-

1. Configuration > View Changes


,
. ,
NetDefendOS ,
.

: IPsec
,
, IPsec,

.

, NetDefendOS
(30 ),
. , CLI
activate, commit.
commit , , NetDefendOS
. ,
, .

2.10.
, .

CLI
gw-world:/> activate

. :
gw-world:/> commit

Web-

1. Configuration > Save and Activate

2. OK

10 Web- Web-.
, NetDefendOS ,
- . .

:


.
, .

2.2.
2.2.1.
NetDefendOS.
,
, .

NetDefendOS ,
. ,
, ,
.

,
(Event Receivers).
,
.

2.2.2.

NetDefendOS ,
. ,
, , , ,
.

conn_open event ,
, ,

.

startup_normal,
.


, , ,
.
, NetDefendOS ,
.

NetDefendOS.
,
.

, , :

Emergency ( )
Alert ( )
Critical ( )
Error ()
Warning ()
Notice ()
Info ()
Debug ()
, NetDefendOS Info ()
. Debug ()
, .
NetDefendOS.

2.2.3. Log Receivers


,
,
, .

NetDefendOS ,
Log Receiver:

MemoryLogReceiver

NetDefendOS ,
MemLog. ,
Web-.

, .

Syslog Receiver

Syslog , .
,
NetDefendOS
.

2.2.5, Syslog.

2.2.4. MemoryLogReceiver
MemoryLogReceiver ( Memlog) ,
NetDefend
.
.

Memlog , , ..
.
, . ,
Memlog
. ,
NetDefendOS ,
VPN-, , Memlog, ,
.

NetDefendOS MemoryLogReceiver .
, .

2.2.5. Syslog

Syslog
, . ,
NetDefendOS, , .

,
.
. UNIX
.


IP- , :

Feb 5 2000 09:45:23 firewall.ourcompany.com

, :

Feb 5 2000 09:45:23 firewall.ourcompany.com EFW: DROP:

.
, NetDefendOS
. , ,
=.
,
.

Prio Severity

Prio=
, Severity
D-Link. , .
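An added example, not from the manual: a Python parser for the syslog line format described above (timestamp, host, EFW: and the category, then key=value pairs), run over constructed sample lines. It assumes that prio= counts from 0 (Emergency) to 7 (Debug) in the order of the severity list in section 2.2.2; the event ids, host name and addresses in the sample are made up.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Severity names in the order the manual lists them.  Assumption: prio=
# numbers them 0 (Emergency) .. 7 (Debug), as in standard syslog.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug"]

# "<timestamp> <host> EFW: <CATEGORY>: key=value key=value ..."
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} +\d{4} +\d{2}:\d{2}:\d{2}) +"
    r"(?P<host>\S+) +EFW: +(?P<category>[A-Z_]+): *(?P<rest>.*)$")
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Optional[Dict]:
    """Split one NetDefendOS syslog line into header fields and key=value
    pairs (keys lower-cased, quotes stripped).  Returns None for lines
    that are not in this format."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {k.lower(): v.strip('"') for k, v in PAIR.findall(m.group("rest"))}
    prio = fields.get("prio")
    severity = None
    if prio is not None and prio.isdigit() and int(prio) < len(SEVERITIES):
        severity = SEVERITIES[int(prio)]
    return {"timestamp": m.group("ts"), "host": m.group("host"),
            "category": m.group("category"), "severity": severity,
            "fields": fields}


def parse_log(text: str) -> List[Dict]:
    """Parse every recognisable line of a log; other lines are skipped."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def at_least(records: List[Dict], severity: str) -> List[Dict]:
    """Records at the given severity or more urgent (lower prio number)."""
    limit = SEVERITIES.index(severity)
    return [r for r in records
            if r["severity"] is not None and SEVERITIES.index(r["severity"]) <= limit]


def drops_by_source(records: List[Dict]) -> Counter:
    """Count DROP events per source address: a quick triage view of which
    hosts the rule set is rejecting most often."""
    return Counter(r["fields"]["srcip"] for r in records
                   if r["category"] == "DROP" and "srcip" in r["fields"])


# Constructed sample lines (event ids, host and addresses are made up).
SAMPLE_LOG = """\
Feb 5 2000 09:45:23 firewall.ourcompany.com EFW: SYSTEM: prio=5 id=00000001 event=startup_normal action=none
Feb 5 2000 09:45:41 firewall.ourcompany.com EFW: CONN: prio=6 id=00000002 event=conn_open rule=allow_http recvif=lan srcip=192.168.1.30 destip=203.0.113.10 ipproto=TCP srcport=52210 destport=80
Feb 5 2000 09:45:50 firewall.ourcompany.com EFW: DROP: prio=4 id=00000003 event=ruleset_drop_packet action=drop rule=Default_Rule recvif=wan srcip=198.51.100.7 destip=203.0.113.2 ipproto=TCP srcport=40121 destport=23
Feb 5 2000 09:45:51 firewall.ourcompany.com EFW: DROP: prio=4 id=00000003 event=ruleset_drop_packet action=drop rule=Default_Rule recvif=wan srcip=198.51.100.7 destip=203.0.113.2 ipproto=TCP srcport=40122 destport=22
Feb 5 2000 09:46:02 firewall.ourcompany.com EFW: SYSTEM: prio=1 id=00000004 event=config_activated msg="configuration activated"
not a NetDefendOS line
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(recs), "records;", drops_by_source(recs).most_common(1))
```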

2.11.
Notice ()
IP- 195.11.22.55, , :

CLI

gw-world:/> add LogReceiverSyslog my_syslog IPAddress=195.11.22.55

Web-

1. System > Log and Event Receivers > Add > Syslog Receiver
2. , , my_syslog
3. 195.11.22.55 IP-
4. Facility , ,
- .
5. OK

Notice
() IP- 195.11.22.55.

:


NetDefendOS. ,
,
.

2.2.6. SNMP Traps

SNMP-

Simple Network Management Protocol (SNMP)


(NMS) . SNMP 3
: Read NMS, , Write
Trap,
NMS.

SNMP Traps NetDefendOS

NetDefendOS SNMP Trap,


trap. , SNMP-
, .

D-Link DFLNNN-TRAP.MIB ( NNN


), SNMP ,
SNMP Trap, NetDefendOS.

NetDefend
MIB-. , .

NetDefend
DLNNNosGenericTrap, traps ( NNN - ).
:

System , trap

Severity

Category NetDefendOS

ID

Description

Action , NetDefendOS

: SNMP
Trap
NetDefendOS SNMP Traps
SNMPv2c, RFC1901, RFC1905
RFC1906.

2.12. SNMP Traps SNMP (SNMP Trap Receiver)

SNMP traps Alert


( ) SNMP (SNMP trap receiver) IP- 195.11.22.55,
, :

CLI

gw-world:/> add LogReceiver EventReceiverSNMP2c my_snmp
            IPAddress=195.11.22.55

Web-

1. Log & Event Receivers > Add > SNMP2cEventReceiver

2. , , my_snmp

3. 195.11.22.55 IP-

4. SNMP Community String,

5. OK

SNMP traps
Alert ( ) SNMP (SNMP trap receiver) IP-
195.11.22.55.

2.2.7.
:

Send Limit

,
NetDefendOS. ,
, .

NetDefendOS , Log
Receiver , .
ICMP Unreachable (ICMP ),
NetDefendOS , , ,
ICMP Unreachable (ICMP ) .. ,
NetDefendOS,
.

: 3600 ( )

.
0, 10 000.

: 60 ( )

2.3. RADIUS Accounting


2.3.1.

,
. ,
(-), ,
, .
RADIUS (Remote Authentication Dial-in User Service) AAA (Authentication,
Authorization Accounting), NetDefendOS
.

RADIUS

RADIUS /. NetDefend

RADIUS, .
RADIUS Network Access Server (NAS).

RADIUS ,
, , .
RFC2866 RADIUS
NetDefendOS (
RADIUS NetDefendOS, .
8.2, ).

2.3.2. RADIUS Accounting


RADIUS , ,
, .

.


NetDefend, NetDefendOS AccountingRequest START
RADIUS, .
RADIUS. NetDefendOS
AccountingResponse, , .

, ,
, NetDefendOS
AccountingRequest STOP, . ,
, .
START STOP :

START
START, NetDefendOS, :

Type AccountingRequest
(START).

ID AccountingRequest Acct-Status-
Type, STOP.

User Name .

NAS IP Address IP- NetDefend.

NAS Port NAS-, ( ,


TCP-, UDP-).

User IP Address IP- .


.

How Authenticated . RADIUS,


RADIUS, LOCAL,
.

Delay Time ( ) AccountingRequest


.
, ,
AccountingRequest. ,
. 0.

Timestamp 1- , 1970 .
NetDefendOS.

STOP

STOP, NetDefendOS:

Type - AccountingRequest
(STOP).

ID -
AccountingRequest Acct-Status-Type, START.

User Name .

NAS IP Address IP- NetDefend.


NAS Port NAS-, ( ,

TCP, UDP-).

User IP Address IP- .


.

Input Bytes , . (*)

Output Bytes , . (*)

Input Packets , . (*)

Output Packets , . (*)

Session Time . (*)

Termination Cause .

How Authenticated . RADIUS,


RADIUS, LOCAL,
.

Delay Time . .

Timestamp 1 1970 .
NetDefend.
, :

Input Gigawords .

Output Gigawords .

: (*)

(*)
,
.

2.3.3. (Interim Accounting
Messages)
START STOP NetDefendOS
(Interim Accounting Messages)
. Interim Accounting Message
,
. RADIUS
,
.

Interim Accounting Message


. ,
AccountingRequest Stop, Acct-Terminate-Cause (
).

Interim Accounting Messages


NetDefendOS. NetDefendOS
.

2.3.4. RADIUS Accounting


RADIUS accounting :

RADIUS accounting.

,
RADIUS.

RADIUS Accounting ,
FwdFast, IP-.

, RADIUS ,
; ,
.

NetDefendOS RADIUS ,
.

2.3.5. RADIUS Accounting


NetDefendOS
RADIUS accounting. 16-
(Authenticator code) MD5 -
, .

, 100 ,
NetDefendOS RADIUS.

UDP-, 1813
.
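The START/STOP records of section 2.3.2 and the 16-byte MD5 authenticator described here, as an added example that is not D-Link's code: building an RFC 2866 Accounting-Request, checking the server's Accounting-Response, and carrying byte counts above 2^32 in the Gigawords attributes. The attribute numbers are those of RFC 2865/2866/2869; the shared secret, user name, session id and addresses used in the test are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5             # packet codes, RFC 2866
# Attribute numbers (RFC 2865/2866/2869) behind the START/STOP fields above
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, FRAMED_IP_ADDRESS = 1, 4, 5, 8
ACCT_STATUS_TYPE, ACCT_DELAY_TIME, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 41, 42, 43
ACCT_SESSION_ID, ACCT_AUTHENTIC, ACCT_SESSION_TIME = 44, 45, 46
ACCT_INPUT_PACKETS, ACCT_OUTPUT_PACKETS, ACCT_TERMINATE_CAUSE = 47, 48, 49
ACCT_INPUT_GIGAWORDS, ACCT_OUTPUT_GIGAWORDS, EVENT_TIMESTAMP = 52, 53, 55
START, STOP, INTERIM_UPDATE = 1, 2, 3          # Acct-Status-Type values
AUTHENTIC_RADIUS, AUTHENTIC_LOCAL = 1, 2       # Acct-Authentic values


def attr(atype, value):
    """Encode one Type-Length-Value attribute (RFC 2865 section 5)."""
    if isinstance(value, int):
        payload = struct.pack("!I", value)          # 32-bit, network byte order
    elif isinstance(value, ipaddress.IPv4Address):
        payload = value.packed
    elif isinstance(value, str):
        payload = value.encode()
    else:
        payload = bytes(value)
    if not 1 <= len(payload) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(payload) + 2) + payload


def session_attrs(status, user, session_id, nas_ip, user_ip, nas_port,
                  authentic, delay, timestamp):
    """Attributes common to START, STOP and interim records."""
    return (attr(ACCT_STATUS_TYPE, status) + attr(USER_NAME, user)
            + attr(ACCT_SESSION_ID, session_id)
            + attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip))
            + attr(NAS_PORT, nas_port)
            + attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(user_ip))
            + attr(ACCT_AUTHENTIC, authentic) + attr(ACCT_DELAY_TIME, delay)
            + attr(EVENT_TIMESTAMP, timestamp))


def counters(in_octets, out_octets, in_pkts, out_pkts):
    """Traffic counters for STOP/interim records; the part of a byte count
    above 2^32 travels in the Gigawords attributes (RFC 2869)."""
    out = (attr(ACCT_INPUT_OCTETS, in_octets & 0xFFFFFFFF)
           + attr(ACCT_OUTPUT_OCTETS, out_octets & 0xFFFFFFFF)
           + attr(ACCT_INPUT_PACKETS, in_pkts) + attr(ACCT_OUTPUT_PACKETS, out_pkts))
    if in_octets >> 32:
        out += attr(ACCT_INPUT_GIGAWORDS, in_octets >> 32)
    if out_octets >> 32:
        out += attr(ACCT_OUTPUT_GIGAWORDS, out_octets >> 32)
    return out


def build_request(identifier, secret, attrs):
    """Accounting-Request: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs


def build_response(request, secret, attrs=b""):
    """The server's Accounting-Response: Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_request(request, secret):
    """Server-side check: code, declared length and authenticator must agree."""
    if len(request) < 20 or request[0] != ACCT_REQUEST:
        return False
    if struct.unpack("!H", request[2:4])[0] != len(request):
        return False
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest()
    return hmac.compare_digest(expected, request[4:20])


def verify_response(response, request, secret):
    """Client-side check that a reply belongs to our request and was signed
    with the shared secret, before the session counts as accounted."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def decode_attrs(packet):
    """Split a packet's attribute section into (type, value) pairs."""
    out, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 3 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return out
```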

2.3.6. RADIUS Accounting


NetDefend. , ,
.
:

, ,
AccountingStart, .

.

,
,
. ,
AccountingUpdate,
.

2.3.7.
, RADIUS AccountingRequest START,
. NetDefendOS
, . , -
NetDefendOS .

NetDefendOS ,
, . Allow
on error , . ,
. ,
, .

2.3.8.
- RADIUS
AccountingRequest STOP, , ,
. .

NetDefend ,
, ,
AccountingRequest STOP .
Logout at shutdown ,
NetDefendOS STOP
RADIUS.

2.3.9. NAT
NetDefendOS IP- .
IP-, .
, , ,
NAT, IP-. ,
, , ,
NAT ( IP-), ,
. NetDefendOS RADIUS
Accounting ,
.

2.3.10. RADIUS
RADIUS:

Allow on error

,
.

, ,
RADIUS , .

Logout at shutdown ( )

NetDefend , NetDefendOS
, RADIUS
STOP.

, NetDefendOS ,
. , RADIUS ,
- .

Maximum Radius Contexts

, RADIUS.
RADIUS.

: 1024

2.13. RADIUS Accounting

RADIUS, radius-accounting IP-


123.04.03.01 1813.

Web-

1. User Authentication > Accounting Servers > Add > Radius Server
2. :
Name: radius-accounting
IP Address: 123.04.03.01
Port: 1813
Retry Timeout: 2
Shared Secret:
Confirm Secret:
Routing Table: main
3. OK

2.4.

D-Link
CLI
, , .
.

D-Link NetDefend, : DFL-1600, 1660, 2500, 2560


2560G.

CLI,
Web-.

System > Hardware Monitoring Web-


:

/ .

(Poll Interval)

: 100

: 10000

: 500

hwm CLI

, :

gw-world:/> hwm -all

gw-world:/> hwm -a

gw-world:/> hwm -a
Name Current value (unit)
--------------- --------------------
SYS Temp = 44.000 (C) (x)
CPU Temp = 41.500 (C) (x)

: "(x)"
"(x)" , . -verbose
:

gw-world:/> hwm -a -v
2 sensors available
Poll interval time = 500ms
Name [type][number] = low_limit] current_value [high_limit (unit)
-----------------------------------------------------------------
SYS Temp [TEMP ][ 0] = 44.000] 45.000 [ 0.000 (C)
CPU Temp [TEMP ][ 1] = 42.000] 42.500 [ 0.000 (C)
Time to probe sensors: 2.980000e-05 seconds

, ,
, .
, NetDefendOS
.

:



. ,
, .

, hwm
Web- System > Hardware Monitoring > Add
. .

Web-
:

, CLI Web-
. , Temp.

, CLI. , SYS Temp 0.

, . , SYS Temp.

Enabled

.
, "(x)".

2.5. SNMP

Simple Network Management Protocol (SNMP)


. SNMP- ,
SNMP- .

NetDefendOS 1 2 SNMP-.
, NetDefendOS, SNMP-.
, . ,
NetDefendOS SNMP-, :

GET REQUEST

GET NEXT REQUEST

GET BULK REQUEST ( SNMP 2c)

NetDefendOS MIB

Management Information Base (MIB) , , ,


, SNMP- . MIB
, NetDefendOS,
NetDefendOS DFLNNN-TRAP.MIB ( NNN ),
SNMP-.
MIB,
, NetDefendOS.

SNMP-

SNMP- NetDefendOS Remote SNMP Mode.


Remote :

Interface NetDefendOS, SNMP-.

Network IP- , SNMP-.

Community community, .

Community

Community String SNMP 1 2c ,


SNMP-. Community String, ,
, ,
.

IP- SNMP

SNMP Before Rules RemoteAdmin


, SNMP IP-.
, .

Allow IP-,
161 ,
SNMP-. 161 SNMP NetDefendOS
SNMP-.

, SNMP 1 2c access ,
community .
Internet .
VPN .

SNMP

SNMP Request Limit SNMP-


. , , .

2.14. SNMP

SNMP lan mgmt-net,


Mg1RQqR. ( ,
VPN-.)

CLI

gw-world:/> add RemoteManagement RemoteMgmtSNMP my_snmp Interface=lan
            Network=mgmt-net SNMPGetCommunity=Mg1RQqR

SNMPBeforeRules ( ), :

gw-world:/> set Settings RemoteMgmtSettings SNMPBeforeRules=Yes

Web-

1. System > Remote Management > Add > SNMP management

2. Remote access type :

Name:
Community: Mg1RQqR

3. Access Filter :

Interface: lan
Network: mgmt-net

4. OK

SNMPBeforeRules ( ),
System > Remote Management > Advanced Settings.

2.5.1. SNMP
SNMP WebUI.

SNMP Before RulesLimit

SNMP- IP-.

SNMP-
SNMP,
NetDefendOS. SNMP-
, NetDefendOS .

: 100

System Contact
.

: N/A

System Name
.

: N/A

System Location
.

: N/A

(SNMP)
, SNMP MIB-II ifDescr variables.

: Name

Alias
, SNMP ifMIB ifAlias variables.

: Hardware

2.6. pcapdump
,
NetDefend. NetDefendOS
pcapdump, ,
, .

, pcapdump,
.cap,
libpcap .

pcapdump
CLI.

pcapdump :

gw-world:/> pcapdump -size 1024 -start int
gw-world:/> pcapdump -stop int
gw-world:/> pcapdump -show
gw-world:/> pcapdump -write int -filename=cap_int.cap
gw-world:/> pcapdump -cleanup

, :

1. int 1024 .

gw-world:/> pcapdump -size 1024 -start int

2. int.

gw-world:/> pcapdump -stop int

3. .

gw-world:/> pcapdump -show

4. cap_int.cap.

gw-world:/> pcapdump -write int -filename=cap_int.cap

, cap_int.cap
.

5. .

gw-world:/> pcapdump -cleanup

NetDefend
,
pcapdump -write. .

pcapdump .
:

1. .

.
.

,
pcapdump , .

2. , ,
.

3. , -stop
.

4. pcapdump
.
Filter Expressions

, ,
. pcapdump

:

-eth=<macaddr> - MAC- .

-ethsrc=<macaddr> - MAC- .

-ethdest=<macaddr> - MAC-

-ip=<ipaddr> - IP- .

-ipsrc=<ipaddr> - IP- .

-ipdest=<ipaddr> - IP- .

-port=<portnum> - .

-srcport=<portnum> - .

-destport=<portnum> - .

-proto=<id> - ,
.

-<protocolname> - , -tcp,
-udp -icmp.

, -write pcapdump
NetDefend.

NetDefendOS
pcapdump, , .cap.
, .
Secure Copy (SCP) (. 2.1.6, Secure
Copy). , NetDefendOS ,
ls CLI.

cleanup , pcapdump
( ), ,
.

: NetDefendOS

NetDefendOS ,
pcapdump. , -cleanup
.

, pcap,
:

( ) 8 .

3 .

A-Z, 0-9, "-" "_".


, . , ,
IP- .

Wireshark

Wireshark ( Ethereal)
. Wireshark Pcap.

Wireshark,
http://www.wireshark.org.

2.7.
2.7.1.
NetDefendOS
.

.

D-Link
,
NetDefend. NetDefendOS

.

:
6.5,

6.4,

6.3, Web-

2.7.2.
NetDefendOS
, .
:

, NetDefendOS.
, NetDefendOS .

, ,
NetDefendOS. ,
NetDefendOS.

,
NetDefend, SCP (Secure Copy) WebUI.
CLI.


NetDefendOS. Activate
/.


.
NetDefendOS, .
,
.

SCP

NetDefendOS :

config.bak .

full.bak .

SCP .
, . , full.bak
full-20081121.bak , 21 , 2008 .


NetDefend. ,
NetDefendOS .

Web-

SCP,
Web-
. .

2.15.

, 12 2008 .

Web-

1. Maintenance > Backup

2. Backup

3. Backup configuration

4.

5.

:

NetDefendOS. , , DHCP-
/IDP, .

2.7.3.

NetDefend. , ,
,
.

2.16.
CLI

gw-world:/> reset -unit

Web-

1. Maintenance () > Reset ( )

2. Restore the entire unit to factory defaults ( ),


.

:

,
NetDefendOS .

NetDefend DFL-210, 260, 800


860

NetDefend DFL-210/260/800/860
, 10-15 reset,
. ,
.

IP-, LAN- - 192.168.1.1.

NetDefend DFL-1600, 1660,


2500, 2560 2560G

DFL-1600/1660/2500/2560/2560G
Press keypad to Enter Setup.
Reset firewall , Yes.
,
.
DFL-1600 DFL-2500 LAN1 IP- 192.168.1.1.
IP- DFL-1660, DFL-2560 DFL-2560G -
192.168.10.1.

IP-
2.1.3, Web-.

:


,
NetDefend ,
.


, NetDefend,
.
,
, , VPN-.


NetDefend,

, .

3.
,
NetDefendOS. , IP- IP-.
,
.

, , ,
.

ARP

IP-

DNS

3.1.
3.1.1.
NetDefendOS ,
IP-, IP-, , IP-.

IP- ,
.

3.1.2. IP-
IP-a .
, , IP-
IP- ( ), IP-.

, IP- ,
. 8,
.
,
IP-, , :

IP-
. : 192.168.0.14

IP- IP-
-
Classless Inter Domain Routing (CIDR). CIDR
(0-32),
.
.

/24 C 256
( 255.255.255.0), /27
32 ( 255.255.255.224)
.

0-32
. : 192.168.0.0/24.

IP- a.b.c.d
IP- - e.f.g.h.

,
.
IP-. , 192.168.0.10-
192.168.0.15
.

3.1. IP-

IP- www_srv1 IP- 192.168.10.16 :

CLI

gw-world:/> add Address IP4Address www_srv1 Address=192.168.10.16

Web-

1. Objects > Address Book > Add > IP address

2. IP-, www_srv1

3. IP Address 192.168.10.16

4. OK

3.2. IP-

IP- wwwsrvnet 192.168.10.0/24


:

CLI

gw-world:/> add Address IP4Address wwwsrvnet Address=192.168.10.0/24

Web-

1. Objects > Address Book > Add > IP address

2. IP-, wwwsrvnet

3. 192.168.10.0/24 IP-

4. OK

3.3. IP-
IP- 192.168.10.16 192.168.10.21
wwwservers:

CLI

gw-world:/> add Address IP4Address wwwservers
            Address=192.168.10.16-192.168.10.21

Web-

1. Objects > Address Book > Add > IP address

2. IP-, wwwservers.

3. 192.168.10.16-192.168.10.21 IP-

4. OK

3.4.

www_srv1 , :

CLI

gw-world:/> delete Address IP4Address www_srv1

Web-

1. Objects > Address Book

2. www_srv1

3. Delete

4. OK

IP-

IP-, , NetDefendOS
. ,
, , NetDefendOS
NetDefend.

3.1.3. Ethernet-
Ethernet- Ethernet-
( MAC-). , , ARP-
ARP-, ,
Ethernet-.

Ethernet- aa-bb-cc-dd-ee-ff. Ethernet-


.

3.5. Ethernet-
Ethernet- wwwsrv1_mac
MAC- 08-a3-67-bc-2e-f2.

CLI

gw-world:/> add Address EthernetAddress wwwsrv1_mac
            Address=08-a3-67-bc-2e-f2

Web-

1. Objects > Address Book > Add > Ethernet Address

2. Ethernet-, wwwsrv1_mac

3. 08-a3-67-bc-2e-f2 MAC-

4. OK

3.1.4. Address Groups ( )

.
, .
IP- , ,
IP-. , IP-
.


, (Address Groups), web-
, web- .
,
.

. IP-
IP-, IP- ..
NetDefendOS.

, IP-:

192.168.0.10 - 192.168.0.15

192.168.0.14 - 192.168.0.19

,
192.168.0.10 - 192.168.0.19.
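An added Python example, not from the manual or from NetDefendOS, that parses the three IP4Address forms of section 3.1.2 (single address, CIDR network, a.b.c.d-e.f.g.h range), merges overlapping group members into the minimal set of ranges as described above, and answers whether an address falls within a group.

```python
import ipaddress
from typing import Iterable, List, Tuple

Range = Tuple[int, int]   # inclusive first/last address as 32-bit integers


def parse_ip4address(spec: str) -> Range:
    """Parse an IP4Address value in the three forms the address book accepts:
    a single address (192.168.0.14), a CIDR network (192.168.0.0/24) or a
    range a.b.c.d-e.f.g.h (192.168.0.10-192.168.0.15)."""
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if first > last:
            raise ValueError(f"range start is after its end: {spec}")
        return int(first), int(last)
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)   # 0-32 bit prefix
        return int(net.network_address), int(net.broadcast_address)
    single = int(ipaddress.IPv4Address(spec))
    return single, single


def merge_ranges(ranges: Iterable[Range]) -> List[Range]:
    """Collapse overlapping or adjacent ranges into the minimal set, which
    is what a group of overlapping address-book entries amounts to."""
    merged: List[Range] = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def format_range(r: Range) -> str:
    """Render a range in address-book syntax, preferring the shortest form."""
    first, last = r
    if first == last:
        return str(ipaddress.IPv4Address(first))
    size = last - first + 1
    if size & (size - 1) == 0 and first % size == 0:   # one aligned CIDR block
        return f"{ipaddress.IPv4Address(first)}/{33 - size.bit_length()}"
    return f"{ipaddress.IPv4Address(first)}-{ipaddress.IPv4Address(last)}"


def address_group(members: Iterable[str]) -> List[str]:
    """The members of an address group, merged as described above."""
    return [format_range(r) for r in merge_ranges(parse_ip4address(m) for m in members)]


def group_contains(members: Iterable[str], address: str) -> bool:
    """Would a rule whose Source or Destination is this group match the address?"""
    x = int(ipaddress.IPv4Address(address))
    return any(first <= x <= last
               for first, last in merge_ranges(map(parse_ip4address, members)))


if __name__ == "__main__":
    print(address_group(["192.168.0.10-192.168.0.15", "192.168.0.14-192.168.0.19"]))
```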

3.1.5.
NetDefendOS
,
.

Ethernet-
IP-;
IP- ,

.

IP-
<interface-name>_ip, :
<interface-name>_net. : lan
lan_ip
lannet

(Default IP- wan_gw


Gateway)
. wan_gw
,
DHCP-
DHCP-
.
,
wan_gw .
, (
IP- 0.0.0.0/0)

all-nets ( ) IP- IP-


0.0.0.0/0,
IP-.
NetDefendOS

3.1.6. Address Book Folders ( )


,
. ,
IP-, .

,
.
NetDefendOS , IP-.

NetDefendOS , IP-
, IP- .

3.2.

3.2.1.
IP- .
,
TCP UDP, / .
, HTTP TCP-
80 .

, TCP UDP-.
ICMP-,
IP-.

,
.
, NetDefendOS,
,
.

, IP- IP- NetDefendOS


, ,
NetDefend. IP-
, ALG IP-
, ALG , IP-.

, IP-
. 3.5, IP-.

NetDefendOS.
, HTTP, FTP, Telnet SSH.


. , ,
.

.
3.2.2, .

3.6.

CLI

gw-world:/> show Service

,
::

ServiceGroup
Name Comments
------------ --------------------------------------------------
all_services All ICMP, TCP and UDP services
all_tcpudp All TCP and UDP services
ipsec-suite The IPsec+IKE suite
l2tp-ipsec L2TP using IPsec for encryption and authentication
l2tp-raw L2TP control and transport, unencrypted
pptp-suite PPTP control and transport
ServiceICMP
Name Comments
------------ --------------------------------------------------
all_icmp All ICMP services

Web-

1. Objects > Services

3.7.
CLI

gw-world:/> show Service ServiceTCPUDP echo

Property Value
----------------- ----------------
Name: echo
DestinationPorts: 7
Type: TCPUDP (TCP/UDP)
SourcePorts: 0-65535
PassICMPReturn: No
ALG: (none)
MaxSessions: 1000
Comments: Echo service

Web-

1. Objects > Services

2.

3.

3.2.2.
NetDefendOS
, .
, , .

TCP/UDP- , UDP TCP-, .


.

ICMP- , ICMP-.
3.2.3, ICMP-.

IP Protocol- , .
3.2.4, IP- .

, .
3.2.5, -.

TCP/UDP-.

, TCP UDP

TCP / UDP
IP-.
- Transmission Control Protocol (TCP)
, - (point-to-point).
TCP- ,
, HTTP, FTP SMTP.

UDP-

, , ,
, - User
Datagram Protocol (UDP). UDP - , ,
,
TCP-. - UDP
, -
.

TCP UDP-

TCP UDP- NetDefendOS,


TCP/UDP-. , ,
(TCP, UDP )
.

,
.
/ :


. , HTTP
80. SMTP- 25
.

.


. , NetBIOS-,
Microsoft WindowsTM,
137 139.
M
TCP/UDP-
mmm-nnn.
137-139 , 137, 138
139 .


, ,

TCP/UDP-
.

, Microsoft Windows ,
135-139,445. HTTP
HTTPS , 80,443.

:

0-65535 (
).
,
. :
.

, TCP/UDP-
:

SYN Flood Protection ( SYN Flood)

SYN Flood Protection , TCP


SYN Flood. TCP/IP-.

, , 6.6.8,
TCP SYN Flood.

Pass ICMP Errors ( ICMP- )

TCP- ,
NetDefend, ,
ICMP- . NetDefendOS
, IP- .

Pass returned ICMP error messages from destination ( ICMP-


) ICMP-
. ICMP-.
, ICMP- quench .
, ICMP- ,
.

ALG

TCP/UDP- - Application Layer Gateway


(ALG), .
ALG IP-. ALG ,
IP-.

6.2, ALG.

Max Sessions ( )

Max Sessions.
ALG. ALG
. , , 100,
, 100 .

, , , HTTP ALG
, ,
NetDefend.

all_services

,
all_services, . ,
. , ,
TCP, UDP ICMP,
all_tcpudpicmp.

: http-all DNS-

web- DNS- dns-all,
http-all IP-.

, IP-, ,
.
all_services , ,
.

,
, .
all_tcpudpicmp,
, ;
.

3.8. TCP/UDP-

TCP/UDP-, 3306,
MySQL:

CLI

gw-world:/> add Service ServiceTCPUDP MySQL DestinationPorts=3306 Type=TCP

Web-

1. Objects > Services > Add > TCP/UDP service

2. , MySQL

3. :

Type: TCP

Source: 0-65535

Destination: 3306

4. OK

3.2.3. ICMP-
ICMP-.

- Internet Control Message Protocol (ICMP) ,


IP . ,
ICMP Ping -.

ICMP

ICMP- IP- (Message Type),


ICMP- (Code),
. , Destination Unreachable (
) , .

ICMP- ( 256 ) ,
.

, ,
. , Destination Unreachable ,
0,1,2,3, : Network unreachable ( ), Host
unreachable ( ), Protocol unreachable ( ) Port unreachable
( ).

, ,
.

ICMP-

Echo Request
PING.

Destination Unreachable ,
. :

Code 0: Net Unreachable ( )

Code 1: Host Unreachable ( )

Code 2: Protocol Unreachable ( )

Code 3: Port Unreachable ( )

Code 4: Cannot Fragment

Code 5: Source Route Failed

Redirect ,
.
:

Code 0: Redirect datagrams for the network

Code 1: Redirect datagrams for the host

Code 2: Redirect datagrams for the Type of Service and the network

Code 3: Redirect datagrams for the Type of Service and the host

Parameter Problem .

Echo Reply ,
- (Echo Request).

Source Quenching
.

Time Exceeded ,
.

3.2.4. IP-
, IP
IP-. IP-
.
IP-, IP-. ,
ICMP, IGMP EGP 1, 2 8 .

TCP/UDP, IP-
. ,
1-4,7 ICMP, IGMP, GGP, IP-in-IP CBT.

IP-

IP-
- Internet Assigned Numbers Authority (IANA):

http://www.iana.org/assignments/protocol-numbers

3.9. IP-
IP- VRRP (Virtual Router
Redundancy Protocol).

CLI

gw-world:/> add Service ServiceIPProto VRRP IPProto=112

Web-

1. Objects > Services > Add > IP protocol service

2. , VRRP

3. 112 IP Protocol

4. Virtual Router Redundancy Protocol Comments

5. OK

3.2.5. Service Groups ( )
, NetDefendOS,
. , ,
,
.

, IP-,
. ,
, , IP-,
.

, email-services,
SMTP, POP3 IMAP. IP-,
,
, email.

, .
,

.

3.2.6. Custom Service Timeouts (-


)
-. -
NetDefendOS,
.

-, :

Initial Timeout

Establish (Idle) Timeout

,
NetDefendOS. TCP/UDP-
3 .

Closing Timeout

, .

.
, , ,
.

3.3.
3.3.1.
NetDefendOS.
NetDefend
.

,
NetDefendOS . NetDefendOS
:

, NetDefendOS
( ).

, NetDefendOS,
, , NetDefendOS
( ).

, NetDefendOS, ,
. , core
, NetDefendOS .

NetDefendOS ,
4 :

Ethernet-

Ethernet- Ethernet-
NetDefendOS. , ,
.
NetDefendOS -
Ethernet. Ethernet- 3.3.2,
Ethernet-.


. -
- Physical Sub-Interfaces.
NetDefendOS -:
Virtual LAN (VLAN) IEEE 802.1Q.
IP- Virtual LAN-,
VLAN- Ethernet-. VLAN-
3.3.3., VLAN.
PPPoE (PPP-over-Ethernet) PPPoE-.
3.3.4, PPPoE.


,
,
. VPN-
(VPN),
.
. ,

. , IPsec-,
.

NetDefendOS :

i. IPsec- VPN IPsec-.


9.3, IPsec.
ii. PPTP/L2TP- PPTP /L2TP-
. 9.5, PPTP/L2TP.
iii.GRE- GRE-.
3.3.5, GRE-

NetDefendOS ,

NetDefendOS. , Ethernet-
, NetDefendOS ,
. , ,
, .


NetDefendOS
- . ,
IP-, ,
.

any core

, NetDefendOS ,
any core. :

any , core.

core , NetDefendOS
. core ,
NetDefend PPTP 2 ICMP-
"Ping". , core, NetDefendOS
, .

, ,
:
gw-world:/> set Interface Ethernet <interface-name> -disable

<interface-name> - , .

gw-world:/> set Interface Ethernet <interface-name> -enable

3.3.2. Ethernet-
Ethernet- IEEE 802.3
,
. CSMA/CD-, Ethernet
,
. ,
.

Ethernet- (Ethernet Frames)


, Ethernet-,
, .
,
, .
(Ethernet, Fast Ethernet Gigabit Ethernet)
, .

Ethernet-

Ethernet- NetDefendOS Ethernet-


. ,
.

:

Ethernet-.
NetDefendOS
.

Ethernet-

, Ethernet :

Interface Name

Ethernet-
; Ethernet- wan- wan .

Ethernet- . ,
dmz ,
radio.
.

:
Ethernet-.
lanN, wanN dmz, N
NetDefend .
LAN- lan, WAN- wan.
NetDefend ,
.

IP Address

Ethernet- IP- - Interface IP Address,


, , DHCP. IP-
Ethernet-.

IP- Ethernet- NetDefendOS, ,


IP4 Address. .
3.1.5,
.

: IP- (multiple IP
addresses)
ARP Publish Ethernet-
IP-. (
3.4, ARP).

Network

IP- Ethernet- .
NetDefendOS , IP-
. , IP-,
.
NetDefendOS
.

Default Gateway

Ethernet- .
, .

,
all-nets (-).

Enable DHCP Client

NetDefendOS DHCP-
DHCP-.
IP- DHCP- ,
.

DHCP IP- , ,
, .

, DHCP-, IP4Address.
, , ,
. ,
3.1.5, .
Ethernet- DHCP- .
IP-
, DHCP .

DNS-, DHCP <interface-name>,


NetDefendOS <interface-name>_dns1
<interface_name>_dns2.

: DHCP IP-

DHCP Ethernet-,
IP- , ,
.
DHCP.

DHCP ,
:
i. IP-.
ii. (lease time).
iii. DHCP-.

iv. IP- .
v. .
vi. IP- DHCP.
vii. DHCP-, .

DHCP Hostname

DHCP- hostname, DHCP-.

Enable Transparent Mode

(Transparent Mode)
, 4.7, (Transparent Mode).

.

,
,
.

Hardware Settings

. :

i. . Auto.

ii. MAC-, MAC-


. -
.

Virtual Routing

(virtual routing), ,
, ,
:
i. .
, , ,
main. IP
.

ii.
.
, , .

Automatic Route Creation

.
:

i. . .

ii. ,
. .

MTU

,
. .

High Availability

, :
1. IP-.
2. , HA-
.

Quality of Service

IP DSCP
VLAN VLAN-. .

IP- Ethernet-

IP- :

IP- . , IP lan-
10.1.1.2 :

gw-world:/> set Interface Ethernet lan IP=10.1.1.2

, IP- .

ip_lan NetDefendOS ,
NetDefendOS, IP-.
CLI :

gw-world:/> set Address ip_lan Address=10.1.1.2

Web-.

CLI, Ethernet- 3.3.2.1,


CLI- Ethernet-.

3.3.2.1. CLI- Ethernet-
CLI-,
Ethernet- NetDefendOS.

Ethernet- Web-,
CLI-:

IP- wan_ip:

gw-world:/> show Address IP4Address InterfaceAddresses/wan_ip

Property Value
--------------------- ---------------------------
Name: wan_ip
Address: 0.0.0.0
UserAuthGroups: <empty>
NoDefinedCredentials: No
Comments: IP address of interface wan

wan_net:

gw-world:/> show Address IP4Address InterfaceAddresses/wan_net

Property Value
--------------------- ------------------------
Name: wan_net
Address: 0.0.0.0/0
UserAuthGroups: <empty>
NoDefinedCredentials: No
Comments: Network on interface wan

wan_gw:

gw-world:/> show Address IP4Address InterfaceAddresses/wan_gw

Property Value
--------------------- ---------------------------------
Name: wan_gw
Address: 0.0.0.0
UserAuthGroups: <empty>
NoDefinedCredentials: No
Comments: Default gateway for interface wan

Tab:

gw-world:/> show Address IP4Address InterfaceAddresses/wan_<tab>

[<Category>] [<Type> [<Identifier>]]:

InterfaceAddresses/wan_br InterfaceAddresses/wan_gw
InterfaceAddresses/wan_dns1 InterfaceAddresses/wan_ip
InterfaceAddresses/wan_dns2 InterfaceAddresses/wan_net

Tab

gw-world:/> set Address IP4Address<tab>

[<Category>] <Type> [<Identifier>]:

dnsserver1_ip InterfaceAddresses/wan_br timesyncsrv1_ip
InterfaceAddresses/aux_ip InterfaceAddresses/wan_dns1
InterfaceAddresses/aux_net InterfaceAddresses/wan_dns2
InterfaceAddresses/dmz_ip InterfaceAddresses/wan_gw
InterfaceAddresses/dmz_net InterfaceAddresses/wan_ip
InterfaceAddresses/lan_ip InterfaceAddresses/wan_net
InterfaceAddresses/lan_net Server

CLI :

gw-world:/> set Address IP4Address InterfaceAddresses/wan_ip Address=172.16.5.1

Modified IP4Address InterfaceAddresses/wan_ip.

CLI DHCP :

gw-world:/> set Interface Ethernet wan DHCPEnabled=yes

Modified Ethernet wan.

CLI-
. , D-Link
, NetDefendOS
. , Ethernet-
:

gw-world:/> show EthernetDevice

Ethernet-.
, .
"-" .
undelete:

gw-world:/> undelete EthernetDevice <interface>

gw-world:/> show Ethernet Interface

Ethernet- set. ,
lan :

gw-world:/> set EthernetDevice lan -enable

Ethernet- :

gw-world:/> set EthernetDevice lan EthernetDriver=<driver> PCIBus=<X> PCISlot=<Y> PCIPort=<Z>

, - IXP4NPEEthernetDriver , , 0,
0, 2 wan-, set :
gw-world:/> set EthernetDevice lan EthernetDriver=IXP4NPEEthernetDriver PCIBus=0 PCISlot=0 PCIPort=2

CLI- CLI Reference Guide.

3.3.3. VLAN

(Virtual LAN, VLAN), NetDefendOS


VLAN-,
. VLAN-
NetDefendOS NetDefendOS
.

VLAN . Ethernet-
. , Ethernet-
NetDefend .

VLAN
, , ,
. VLAN-
, NetDefendOS
, NetDefendOS.

, VLAN NetDefendOS
VLAN- NetDefend ,
VLAN.
- VLAN-, VLAN-
VLAN.

VLAN

NetDefendOS IEEE 802.1Q. ,


VLAN, Ethernet-
(VLAN ID), VLAN-.

VLAN ID 0 4095,
, . Ethernet-

.

NetDefendOS VLAN- Ethernet-


:

Ethernet-, NetDefendOS
VLAN ID. VLAN ID
VLAN-, NetDefendOS VLAN-
.

Ethernet-, , VLAN ID,


, VLAN.

VLAN-
NetDefendOS VLAN VLAN ID,
NetDefendOS unknown_vlanid.

NetDefendOS VLAN ID ,
VLAN ID .
, VLAN .

,
VLAN, VLAN-.

VLAN- VLAN
VLAN NetDefendOS.

. 3.1. VLAN-

NetDefendOS VLAN:

VLAN-,
NetDefend, . VLAN-
. VLAN. ,
ID VLAN- VLAN-
, . , ,
VLAN ID, .

.3.1. Switch1 Switch2 if1 if2


VLAN-.

, VLAN,
VLAN ID. , ,
VLAN, . Cisco
Static-access VLAN.

3.1. Switch2 VLAN1,


VLAN2.

,
.

VLAN-,
.
VLAN ID.

: 802.1ad
NetDefendOS IEEE 802.1ad (provider bridges),
VLAN- VLAN-.

VLAN-, NetDefendOS,
.
VLAN-.

VLAN

VLAN-:

1. VLAN-.

2. VLAN.

3. VLAN ID, .

4. IP- VLAN.

5. IP- VLAN.

6. VLAN VLAN

7. IP-, VLAN-

, VLAN-,
, IP-
NetDefendOS , . , IP-
VLAN- ,
, , , .

VLAN

VLAN:

Unknown VLAN Tags


, ID.

: DropLog

3.10. VLAN
VLAN10
ID VLAN 10. , IP- VLAN
vlan10_ip.

CLI

gw-world:/> add Interface VLAN VLAN10 Ethernet=lan Network=all-nets VLANID=10

Web-

1. Interfaces > VLAN > Add > VLAN

2. :

Name: , VLAN10

Interface: lan

VLAN ID: 10

IP Address: vlan10_ip

Network: all-nets

4. OK

3.3.4. PPPoE
PPP - Point-to-Point Protocol over Ethernet (PPPoE)
, Ethernet-
, DSL-,
. Ethernet,
.

- (Internet server providers


(ISPs)) PPPoE-. PPPoE
- :

, /

IP-

IP- ( DHCP). IP-


.

PPP

- - Point-to-Point Protocol (PPP) ,


, ,
-.

OSI, PPP
, IP-. PPP

- Link Control Protocol (LCP), ,
. LCP-
- Network Control Protocols (NCPs)
, ,
, , IP IPX PPP-
.

PPP- (PPP Authentication)

PPP- PPP-.
: - Password Authentication Protocol
(PAP), - Challenge Handshake
Authentication Protocol (CHAP) Microsoft CHAP ( 1 2).
,
NCP. LCP
NCP .

PPPoE-
PPPoE- PPP Ethernet, ,
Ethernet-, PPPoE.

PPPoE- NetDefendOS,
IP-
, . ,
PPPoE-, (Source Interface)
PPPoE-. PPPoE-
(Destination Interface).

, , NetDefendOS
, IP- PPPoE-
. PPPoE- ,
Ethernet-.

IP-

PPPoE IP- ( DHCP).


NetDefendOS, IP- -,
IP- .

-
PPPoE- NetDefendOS .

(Dial-on-demand)

dial-on-demand , PPPoE-
PPPoE-.
, , .
, ,
, .

PPPoE (Unnumbered PPPoE)

NetDefendOS PPPoE-, unnumbered


PPPoE. PPPoE-
.

Unnumbered PPPoE ,
IP-. IP- . -
IP- PPPoE- .

unnumbered PPPoE
IP-, PPPoE-.
:

IP- PPPoE- preferred IP ( IP).


unnumbered PPPoE , preferred IP
IP- PPPoE-.

unnumbered PPPoE, (..


NetDefendOS) IP- .

PPPoE- IP-, unnumbered PPPoE


, IP- PPPoE-.
IP- ,
NAT NetDefend.

: PPPoE
Discovery protocol
- Ethernet
PPP- Ethernet-

, discovery protocol.

PPPoE HA

, IP-
NetDefendOS, PPPoE . PPPoE HA.

3.11. PPPoE-
, PPPoE- wan- ,
PPPoE.

CLI

gw-world:/> add Interface PPPoETunnel PPPoEClient EthernetInterface=wan Network=all-nets Username=exampleuser Password=examplepw

Web-

1. Interfaces > PPPoE > Add > PPPoE Tunnel

2. :

Name: PPPoEClient

Physical Interface: wan

Remote Network: all-nets (.. )

Service Name: ,

Username: ,

Password: ,

Confirm Password:

Authentication , (
)

Enable dial-on-demand

Advanced, Add route for remote network,


3. OK

3.3.5. GRE-

- Generic Router Encapsulation (GRE) -


,
/ . GRE
.

GRE

GRE ,
, . ,
, GRE, . GRE :

, .

IPv6- IPv4-.
UDP-
, . GRE
.

GRE-

GRE- .
, . -
, GRE , -
.

,
, .

GRE-

NetDefendOS, , IPSec-, GRE-


NetDefendOS, ,

. GRE:

IP Address (IP-) IP- .


.

IP- :

i. ICMP PING.

ii. , IP-

iii. NAT, IP- IP-


, NAT, .

Remote Network ( ) , GRE-


.

Remote Endpoint ( ) IP- ,
.

Use Session Key ( ) ,


. GRE-
. ,
.

Additional Encapsulation Checksum ( ) -


GRE- IPv4-
, , .

(Advanced) GRE-:

Automatically add route for remote network (


) , , ,
.
.

Address to use as source IP (, IP)


IP- IP GRE-.
IP- IP- ,
.

, , ARP
ARP- IP-.

GRE IP-

GRE- , .
, , GRE- NetDefendOS
IP-.
.

, GRE-
. , (Route),
NetDefendOS , IP- .

GRE-

, , GRE-,
NetDefend A B
172.16.0.0./16.

A B , GRE-
, , , .

NetDefend "A"

, 192.168.10.0/24 lannet, lan-,


NetDefendOS A :

1. IP-:

remote_net_B: 192.168.11.0/24

remote_gw: 172.16.1.1

ip_GRE: 192.168.0.1

2. GRE- GRE_to_B :

IP Address: ip_GRE

Remote Network: remote_net_B

Remote Endpoint: remote_gw

Use Session Key: 1

Additional Encapsulation Checksum: Enabled

3. main,
remote_net_B GRE_to_B GRE-. ,
Add route for remote network Advanced,
.

4. IP-,
:


Name    Action  Src Int   Src Net       Dest Int  Dest Net      Service
To_B    Allow   lan       lannet        GRE_to_B  remote_net_B  All
From_B  Allow   GRE_to_B  remote_net_B  lan       lannet        All

NetDefend "B"
, 192.168.11.0/24 - lannet, lan-,
NetDefendOS B :

1. IP-:

remote_net_A: 192.168.10.0/24

remote_gw: 172.16.0.1

ip_GRE: 192.168.0.2

2. GRE- GRE_to_ A :

IP Address: ip_GRE

Remote Network: remote_net_A

Remote Endpoint: remote_gw

Use Session Key: 1

Additional Encapsulation Checksum: Enabled

3. ,
remote_net_ A GRE_to_ A GRE-. ,
Add route for remote network Advanced,
.

4. IP-,
:




Name    Action  Src Int   Src Net       Dest Int  Dest Net      Service
_       Allow   lan       lannet        GRE_to_A  remote_net_A  All
From_A  Allow   GRE_to_A  remote_net_A  lan       lannet        All

GRE-

IPsec- , . GRE-
NetDefendOS. GRE- ,
.

, GRE-. ,
gre_interface, CLI- ifstat:

gw-world:/> ifstat gre_interface

, , ifstat
.

3.3.6. Interface Groups ( )
NetDefendOS .

NetDefendOS,
. , , IP-,
.

Ethernet- ,
VLAN- VPN-. ,
. , , 2 Ethernet- 4 VLAN-
.

3.12.
CLI

gw-world:/> add Interface InterfaceGroup examplegroup Members=exampleif1,exampleif2

Web-

1. Interfaces > Interface Groups > Add > InterfaceGroup

2. :

Name:

Security/Transport Equivalent: ,
,
.

Interfaces:

3. OK

3.4. ARP
3.4.1.
- Address Resolution Protocol (ARP)
( 3 OSI)
( 2 OSI). IP-
Ethernet-. ARP 2 OSI ,
Ethernet- .

: OSI
OSI
D.

IP- Ethernet

Ethernet- , Ethernet- (MAC-
) . , IP-, IP-,
, MAC-.
ARP Ethernet MAC- IP-.

IP- Ethernet-
ARP-. ARP- MAC- , IP-
IP- . . IP-
ARP- MAC- .

3.4.2. ARP- (ARP Cache) NetDefendOS


ARP- , ,
ARP. ARP- ,
IP Ethernet-.

NetDefendOS ARP- .
ARP- .

ARP- :

Type     IP Address     Ethernet Address    Expires
Dynamic  192.168.0.10   08:00:10:0f:bc:a5   45
Dynamic  193.13.66.77   0a:46:42:4f:ac:65   136
Publish  10.5.16.3      4a:32:12:6c:89:a4   -

:
ARP- ARP-, , IP-
192.168.0.10 Ethernet- 08:00:10:0f:bc:a5.
IP- 193.13.66.77
Ethernet- 0a:46:42:4f:ac:65.
ARP-, IP-
10.5.16.3 Ethernet- 4a:32:12:6c:89:a4.

Expires

Expires
ARP-.

, , 45,
ARP- 45 . IP- 192.168.0.10
, NetDefendOS ARP-.

900 (15 ),
ARP Expire.

ARP Expire Unknown , NetDefendOS


. ,
NetDefendOS.
3 .
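The three kinds of ARP cache entry and their lifetimes (Dynamic entries expiring after ARP Expire = 900 s, published entries never, failed lookups remembered for ARP Expire Unknown = 3 s), as an added Python example; it is not NetDefendOS code. The `ArpCache` class, its injectable clock and the sample addresses are constructed; treating published entries as configuration that survives a flush is an assumption.

```python
# Added example (not NetDefendOS code): a small ARP cache with the three kinds
# of entry the text describes. Timings follow the stated defaults: a Dynamic
# entry lives ARP Expire = 900 s, a failed lookup is remembered for
# ARP Expire Unknown = 3 s, and a Publish entry never expires. Keeping Publish
# entries through a flush (they come from configuration) is an assumption.
import time

ARP_EXPIRE = 900           # seconds a resolved (Dynamic) entry is kept
ARP_EXPIRE_UNKNOWN = 3     # seconds a negative (Unknown) entry is kept


class ArpCache:
    def __init__(self, clock=time.monotonic):
        self._clock = clock                 # injectable for deterministic tests
        self._entries = {}                  # (iface, ip) -> [kind, mac, expires_at]

    def learn(self, iface, ip, mac):
        """Record a Dynamic entry from a solicited ARP reply."""
        self._entries[(iface, ip)] = ["Dynamic", mac, self._clock() + ARP_EXPIRE]

    def publish(self, iface, ip, mac):
        """Record a Publish entry; expires_at None means never."""
        self._entries[(iface, ip)] = ["Publish", mac, None]

    def mark_unknown(self, iface, ip):
        """Remember that resolution failed so the next seconds don't repeat the query."""
        if self._entries.get((iface, ip), [None])[0] != "Publish":
            self._entries[(iface, ip)] = ["Unknown", None, self._clock() + ARP_EXPIRE_UNKNOWN]

    def lookup(self, iface, ip):
        """Return ('hit', mac), ('negative', None) or ('miss', None)."""
        entry = self._entries.get((iface, ip))
        if entry is None:
            return "miss", None
        kind, mac, expires_at = entry
        if expires_at is not None and self._clock() >= expires_at:
            del self._entries[(iface, ip)]      # expired: a new ARP request is needed
            return "miss", None
        if kind == "Unknown":
            return "negative", None
        return "hit", mac

    def flush(self, iface=None):
        """Drop learned entries (all interfaces, or one); keep Publish entries."""
        for key in list(self._entries):
            if (iface is None or key[0] == iface) and self._entries[key][0] != "Publish":
                del self._entries[key]

    def show(self, iface):
        """Lines in the style of 'arp -show': kind, ip, mac and seconds to expiry."""
        now = self._clock()
        lines = [f"ARP cache of iface {iface}"]
        for (i, ip), (kind, mac, exp) in sorted(self._entries.items()):
            if i == iface and kind != "Unknown":
                left = "-" if exp is None else str(max(0, int(exp - now)))
                lines.append(f"{kind} {ip} = {mac} Expire={left}")
        return lines


if __name__ == "__main__":
    cache = ArpCache()
    cache.learn("lan", "10.4.0.1", "1000:0000:4009")      # constructed sample entries
    cache.publish("lan", "10.5.16.3", "4a32:126c:89a4")
    print("\n".join(cache.show("lan")))
```

The negative entry is what keeps a host that does not answer from being queried on every packet; after the three seconds a fresh request goes out, while the published entry stays available regardless of time or flushing.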

3.13. ARP-

ARP- , CLI.

CLI

gw-world:/> arp -show

ARP cache of iface lan
Dynamic 10.4.0.1 = 1000:0000:4009 Expire=196
Dynamic 10.4.0.165 = 0002:a529:1f65 Expire=506

ARP- (flushing)

IP- , ,
MAC-. NetDefendOS
ARP- ARP-,
MAC- , , .

ARP, NetDefendOS MAC- ,


.
ARP- (flushing). ARP ,
NetDefendOS ARP- MAC/IP-
.

, CLI- arp-flush:

3.14. ARP-

, ARP- .

CLI

gw-world:/> arp flush

ARP cache of all interfaces flushed.

ARP-
ARP- 4096 .
, , , LAN-
,
. ARP- ARP Cache Size.

ARP- -.
-
, LAN-, 500 IP-
, - 1000.
ARP Hash Size ARP,
512.

ARP Hash Size VLAN ARP Hash Size, VLAN-


. 64.

3.4.3. ARP-
NetDefendOS, ARP ,
NetDefendOS ARP-,
:
Mode ARP-. :

Static
ARP-.

Publish IP- MAC-


( ).

XPublish IP-
MAC- MAC-,
Ethernet-, ARP-.

Interface ARP-.

IP Address IP- MAC/IP-.

MAC Address MAC- MAC/IP-.

ARP- Static, Publish XPublish .

Static

(Static) ARP- MAC/IP- ARP-


NetDefendOS.

ARP- ,
ARP-
MAC-. ,
.

ARP- IP-
MAC- ,
. , ,
IP-, , .

3.15. ARP-
IP- 192.168.10.15
Ethernet- 4b:86:f6:c5:a2:14 lan-:

CLI

gw-world:/> add ARP Interface=lan IP=192.168.10.15 Mode=Static MACAddress=4b-86-f6-c5-a2-14

Web-

1. Interfaces > ARP > Add > ARP

2. :

Mode: Static

Interface: lan

3. :

IP Address: 192.168.10.15

MAC: 4b-86-f6-c5-a2-14

4. OK

ARP-

, MAC- , NetDefendOS
(publishing) IP- MAC-
. NetDefendOS ARP- ARP-,
, IP-.

ARP- :

, NetDefendOS
IP-.

, IP-
LAN-. IP-
,
NetDefendOS.


, NetDefendOS

IP-.


ARP .

, MAC/IP-:

Publish

XPublish

, IP- MAC-. MAC-


( ), MAC- .

Publish XPublish : ARP-


NetDefendOS MAC- Ethernet-:

1. Ethernet- MAC- Ethernet-, ,.

2. MAC- ARP-, . ,
, (1) MAC- Ethernet-.

, , Ethernet-, ARP-:

3.2. ARP- Ethernet-

Publish MAC- (1) Ethernet-


.

MAC- (1 2),
. XPublish, MAC-
, MAC-. , XPublish
ARP-.

MAC- MAC-
Publish XPublish .

ARP-, IP- .
, Proxy ARP
NetDefendOS (. 4.2.6, Proxy ARP).

3.4.4. ARP
, ARP.
,
.

(Multicast) (Broadcast)

ARP- ARP-, ,
, ,
, .

NetDefendOS ARP- ARP-.


, ARP Multicast ARP
Broadcast.

(Unsolicited) ARP-

, , , ARP- NetDefendOS
ARP-.
ARP-.

ARP, ARP-. ,
, NetDefendOS
.

Unsolicited ARP Replies.

ARP-

ARP ARP- ARP-,


. ,
, NetDefendOS, , .

RFC 826,
ARP Requests. Drop (
), NetDefendOS
.

ARP-

NetDefendOS ARP-.

ARP- ARP- ARP-.


.
, , ,
NetDefendOS , ,
.

Static ARP Changes .


NetDefendOS .

ARP-
ARP- ARP-.
Static ARP Changes ,
.

IP- 0.0.0.0

NetDefendOS ARP-, IP-


0.0.0.0. IP- ,
ARP- ("unspecified") IP-. ,
ARP- ,
ARP Query No Sender.

Ethernet-

NetDefendOS , Ethernet-
Ethernet-, ARP-. ,
.
ARP Match Ethernet Sender.

3.4.5.
ARP :
ARP Match Ethernet Sender

, NetDefendOS Ethernet-
, ARP-.

: DropLog

ARP Query No Sender

ARP- IP- 0.0.0.0. IP-


, ARP-
("unspecified") IP-.

: DropLog

ARP Sender IP

, IP-
(Access section).

: Validate

Unsolicited ARP Replies

, NetDefendOS ARP-, .
ARP- . ,
, .

: DropLog

ARP Requests

, NetDefendOS ARP-
ARP-. ARP ,
, .
ARPRequests "Drop", ,
, NetDefendOS ,
.

: Drop

ARP Changes
, NetDefendOS , ARP- ARP-
ARP-.
.
, , ,
NetDefendOS , ,
.
: AcceptLog

Static ARP Changes

, NetDefendOS , ARP-
ARP- ARP-.

, , .

: DropLog

ARP Expire

ARP-
.

: 900 seconds (15 minutes)

ARP Expire Unknown

, NetDefendOS .
, NetDefendOS .

: 3

ARP Multicast

, NetDefendOS , ARP- ARP-


, , .
, , ,
,
.

: DropLog

ARP Broadcast

, NetDefendOS , ARP- ARP-


, , .
, , .

: DropLog

ARP cache size


ARP-.

: 4096

ARP Hash Size

.
.
LAN-, 500 IP-, -
1000.

: 512

ARP Hash Size VLAN

.
,
VLAN-, 500 IP-, -
1000.

: 64

ARP IP Collision

ARP- , IP-
.
: Drop Notify.

: Drop

3.5. IP-
3.5.1. (Security Policies)
IP-
, IP-
.

NetDefendOS
, NetDefend.
NetDefendOS.
, ,
, .
:

Source Interface
NetDefend, .
VPN-.

Source Network , IP- .


IP- NetDefendOS,
IP-
.

Destination Interface
NetDefend, .
VPN-.

Destination Network , IP- .


IP-
NetDefendOS,
IP- .

Service , .
/.
, HTTP ICMP.
ALG,
.

NetDefendOS
,

.
.


3.2. .

NetDefendOS

NetDefendOS,
NetDefendOS , (//)
:

IP-

, NetDefend,
, . IP- .

Pipe-

, ,
10.1, .

, .
4.3, (Policy-based Routing).

, ( / ),
8, .

IP- IP- main

IP- .
NetDefendOS,
NetDefend , ,
NAT. NetDefendOS IP-
, main.

NetDefend:

, .

, .

NetDefendOS .
, NetDefendOS IP-
IP- main .
NetDefend ( NetDefendOS ICMP Ping)
IP-.

IP-, ,
:

, .

, .

().

,
.

Any

,
:

all-nets IP- 0.0.0.0/0,


IP-.

any,
NetDefendOS
.

core . ,
NetDefendOS ICMP Ping,
NetDefend.

Drop All

, IP-,
NetDefendOS . ( )
- Drop -
/ /. drop all.

IP-

, NetDefendOS IP-
.
NetDefendOS :

NetDefendOS ,
,
.

, ,
.

IP- IP- NetDefendOS,


,
NetDefend , .

IP- Allow, .

.
, NetDefendOS IP-,
. , .

3.3. NetDefendOS

,
1.3, NetDefendOS State Engine Packet Flow.

, NetDefendOS
.
NetDefendOS (reverse route lookup),
, ,
.


( ).

3.5.2. IP-
NetDefend , TCP/IP-,
IP- ,
. Action.

, . NetDefendOS
,
,
NetDefend. Drop Reject,
.

:

, IP- NetDefendOS
, .

IP- , , ,
.

Stateful Inspection

, , ,
, .

.

stateful inspection (
), ,
(TCP), , , -
, UDP ICMP. ,
IP- . IP-
.

,
,
.

SAT,
. SAT,
.
7.4, SAT.

,
, , Drop.

DropAll Drop, / all-nets
/ all. ,
IP-.

3.5.3. IP-
: ,
. , NetDefendOS,
IP- :

(Source Interface)

(Source Network)

(Destination Interface)

(Destination Network)

(Service)

IP- , (Action):

Allow . ,
, ,
.
"Stateful engine" NetDefendOS.

FwdFast , , NetDefend
. ,
stateful inspection , , Allow
NAT. ,
Allow, .

NAT Allow,
( 7.2, NAT).

SAT NetDefendOS .
SAT
Allow, NAT FwdFast (
7.4, SAT).

Drop
NetDefendOS , .
Reject,
. ,
, .

Reject
, Drop,
TCP RST ICMP Unreachable,
, .
IP- Drop.

Reject ,
-,
, , -.

(Bi-directional Connections)

IP- ,
. IP-
.

. ,
.

FwdFast.
. ,
FwdFast .
FwdFast SAT.

Reject

Drop Reject,
.
IDENT .
- Drop, Reject
.

3.5.4. IP-
Web-,
.

Edit
.

Delete

.

Disable/Enable
,
. ,

.
.

Move options


IP-, ,
.

3.5.5. IP-
IP-
IP-.
. , IP-
, .

,
, ,
. NetDefendOS , IP-
.

NetDefendOS , IP-
.
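First-match evaluation of an IP rule set over the five matching fields (source interface, source network, destination interface, destination network, service), with the implicit drop of anything that matches no rule and the effect of rule order, as an added Python example; it is not NetDefendOS code. The `lan_http` rule is the one from this section; the `lannet` value 192.168.0.0/24, the `drop_all` rule, the service definitions and the sample packets are constructed.

```python
# Added example (not NetDefendOS code): a first-match evaluator for an IP rule
# set as the text describes it. A rule matches when all five fields match; the
# first matching rule decides; a packet matching no rule is dropped. The
# interface names, the lannet network and the sample packets are constructed.
import ipaddress
from dataclasses import dataclass

ALL_NETS = ipaddress.IPv4Network("0.0.0.0/0")
ANY = "any"                                  # interface wildcard


@dataclass(frozen=True)
class Service:
    name: str
    proto: str                               # "tcp", "udp", "icmp" or "all"
    dports: frozenset = frozenset()          # destination ports; empty = any port

    def matches(self, pkt):
        if self.proto != "all" and pkt.proto != self.proto:
            return False
        return not self.dports or pkt.dport in self.dports


@dataclass(frozen=True)
class Packet:
    src_iface: str
    src_ip: str
    dst_iface: str                           # interface chosen by the route lookup
    dst_ip: str
    proto: str
    dport: int = 0


@dataclass(frozen=True)
class IPRule:
    name: str
    action: str                              # Allow, NAT, SAT, FwdFast, Drop or Reject
    service: Service
    src_iface: str
    src_net: ipaddress.IPv4Network
    dst_iface: str
    dst_net: ipaddress.IPv4Network

    def matches(self, pkt):
        return (self.src_iface in (ANY, pkt.src_iface)
                and ipaddress.IPv4Address(pkt.src_ip) in self.src_net
                and self.dst_iface in (ANY, pkt.dst_iface)
                and ipaddress.IPv4Address(pkt.dst_ip) in self.dst_net
                and self.service.matches(pkt))


def evaluate(rules, pkt):
    """Return (rule name, action) of the first match, or the implicit drop-all."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.action
    return "DropAll", "Drop"


HTTP = Service("http", "tcp", frozenset({80}))
ALL_SERVICES = Service("all_services", "all")
LANNET = ipaddress.IPv4Network("192.168.0.0/24")      # constructed lannet

# The lan_http rule from this section, followed by an explicit drop-all.
MAIN_RULES = [
    IPRule("lan_http", "Allow", HTTP, "lan", LANNET, "wan", ALL_NETS),
    IPRule("drop_all", "Drop", ALL_SERVICES, ANY, ALL_NETS, ANY, ALL_NETS),
]

# Same rules with the catch-all first: it now matches everything before
# lan_http is ever reached, which is why rule order matters.
SHADOWED_RULES = list(reversed(MAIN_RULES))

if __name__ == "__main__":
    web = Packet("lan", "192.168.0.10", "wan", "203.0.113.5", "tcp", 80)
    print(evaluate(MAIN_RULES, web), evaluate(SHADOWED_RULES, web))
```

The destination interface is whatever the route lookup picked before the rule set is consulted, so a return packet from wan toward lannet does not match `lan_http` and falls through to the drop; the state engine, not a second rule, lets the reply of an allowed connection back in.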

3.16. IP- Allow

Allow, HTTP-
lannet- lan- (all-nets) wan-.

CLI

-, IP- main:
gw-world:/> cc IPRuleSet main

IP-:

gw-world:/main> add IPRule Action=Allow Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=wan DestinationNetwork=all-nets Name=lan_http

gw-world:/main> cc

commit.

Web-

1. Rules > IP Rules > Add > IPRule

2. , LAN_HTTP

3. :

Name: . , lan_http

Action: Allow

Service: http

Source Interface: lan

Source Network: lannet

Destination Interface: wan

Destination Network: all-nets

4. OK

3.5.6. Configuration Object Groups (


)
NetDefendOS
.
. ,
3.1.6, (Address Book Folders).
IP-.


NetDefendOS configuration object groups.
, ,
. ,
, , .
, , .

, NetDefendOS
, .
IP- NetDefendOS ,
, IP-, .


NetDefendOS.

, ,
, .
NetDefendOS , IP-,
.

CLI

,
(command line interface, CLI).
CLI, CLI.
Web-, .

IP- main, ,
web- Drop-all
:


, ,
.

IP- Web-.
:

New Group.

IP-,
. (new Group).

.
, .
. ,
.


Edit.

Group, :

Specify the Title

,
. ,
.

Change the Display Color


16 ,
RGB-. ,
,
.

Web surfing, .
:

.
.
( )
Join Preceding.

, , IP-
:


Join Preceding.

(Preceding Object)

,
, :

i. Move to.

ii. , .

iii. ,
Join Preceding.

, , IP-, ,
. ,
Move to Top ,
.


.
,
. , Move to Top
.

, ,
Leave Group.
, .

,
Ungroup. , .
, ,
.
.

:
.

,
. .
, .
.

NetDefendOS
.

3.6. (Schedules)
,
, .

, IT- , web-
.
VPN-,
.

Schedule ()

NetDefendOS Schedule (
Schedules ),
.

Schedule
. , ,
. , :
08:30 - 10:40, 11:30 - 14:00, 14:30 - 17:00.

Schedule :

Name .
.

Scheduled Times , , .
.
.

Start Date ,
Schedule .

End Date ,
Schedule .

Comment , .

IP-,
, (Traffic Shaping),
(Intrusion Detection/Prevention, IDP)
. , Schedule
,
NetDefendOS.

:


, .
,
VPN-.

, ,
.
3.8, .

3.17.

Schedule, IP-
, HTTP-.

CLI

gw-world:/> add ScheduleProfile OfficeHours Mon=8-17 Tue=8-17 Wed=8-17 Thu=8-17 Fri=8-17

IP-, . -,
IP- main:

gw-world:/> cc IPRuleSet main

IP-:

gw-world:/main> add IPRule Action=NAT Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=any DestinationNetwork=all-nets Schedule=OfficeHours Name=AllowHTTP

:

gw-world:/main> cc

commit.

Web-

1. Objects > Schedules > Add > Schedule

2. :

Name: OfficeHours

3. : 08-17,

4. OK

1. Rules > IP Rules > Add > IPRule

2. :

Name: AllowHTTP

3. :

Action: NAT

Service: http

Schedule: OfficeHours

SourceInterface: lan

SourceNetwork lannet

DestinationInterface: any

DestinationNetwork: all-nets

4. OK

3.7.
3.7.1.
X.509

NetDefendOS , ITU-T
X.509. X.509
.
X.509.

.
, .
,
, ID .

VPN-

NetDefendOS VPN-.

Pre-shared- (PSKs). VPN- PSKs
.
.

: , ID .

: , , ,
(Certificate Authority).

, ,
.

(Certificate authority, CA) ,


. CA .
CA , ,
- .

CA . ,
.

CA CA,
. CA . CA
, ,
CA, .

.

.

CA , ,
.
, CA, ,
, .

(Validity Time)
. ,
.
.


,
NetDefendOS .

(Certificate Revocation List)

Certificate Revocation List (CRL) ,


. ,

.
,
.

CRL ,
, LDAP, HTTP-.
. ,
, ,
, , .
CRL- .

CRL Distribution Point (CDP), ,


CRL. .
CRL .

CRL .
CA,
.

(Trusting Certificates)

NetDefendOS ,
CA. ,
:

CA.

CRL , ,

NetDefendOS
.
, VPN-, ,
, .

(Reusing Root Certificates)

NetDefendOS
, VPN-. ,
VPN- NetDefendOS,
VPN-.

3.7.2. NetDefendOS
NetDefendOS IKE/IPsec-
, Webauth . ,
: (self-signed) (remote) ,
CA-.
.

3.18.

, CA-.

Web-

1. Objects > Authentication Objects > Add > Certificate

2.

3. :

Upload self-signed X.509 Certificate

Upload a remote certificate

4. OK

3.19. IPsec-

IPsec-.

Web-

1. Interfaces > IPsec

2. IPsec-

3. Authentication

4. X509 Certificate

5. Gateway Root

6. OK

3.7.3. CA (CA Certificate
Requests)
CA- CA-
CA- CA Certificate Request,
.

Windows CA- (Windows CA Server)

Web- (WebUI) NetDefendOS


, CA
.cer .key, NetDefendOS.

Windows CA- ,
:

gateway certificate Windows CA-


.pfx.

.pfx .pem.

.pem
.cer .key.

1. gateway certificate Windows CA-


.pfx , NetDefendOS.

2. .pfx .pem, OpenSSL,


:

> openssl pkcs12 -in gateway.pfx -out gateway.pem -nodes

, , CA-,
gateway.pfx ,
OpenSSL.

gateway.pfx 3 : CA-,
. gateway.pem ,
.


OpenSSL
, .

3. (, Windows)
. , .cer .key .
, gateway.cer gateway.key.

4. , .pem ,

-----BEGIN RSA PRIVATE KEY-----

5. ,
:

-----END RSA PRIVATE KEY-----

6. .key .

7. .pem , :

-----BEGIN CERTIFICATE-----

,
:

-----END CERTIFICATE-----

8. .cer .

.key .cer NetDefendOS.
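The manual step of cutting the private key and the gateway certificate out of the `.pem` that `openssl pkcs12 -nodes` writes, done by a script instead of a text editor, as an added Python example; it is not NetDefendOS or OpenSSL code. The `.pem` layout it parses (Bag Attributes, then PEM blocks) is what OpenSSL prints; choosing the gateway certificate by the `localKeyID` attribute shared with the key, with the first certificate as fallback, is an assumption, and the sample bundle is constructed with placeholder bodies rather than real key material.

```python
# Added example (not NetDefendOS code): split the .pem that
# "openssl pkcs12 -nodes" writes into the .key and .cer files the WebUI
# upload expects, instead of cutting them out by hand in a text editor.
# The bundle holds the CA certificate, the gateway certificate and the
# private key; the gateway certificate is picked by the localKeyID bag
# attribute OpenSSL prints above both it and the key (assumption; the
# first certificate is taken when no localKeyID matches).
import re
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----\r?\n?", re.S)
LOCAL_KEY_ID = re.compile(r"localKeyID:\s*([0-9A-Fa-f ]+)")
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}   # PKCS#1, PKCS#8, EC


def split_pem(text):
    """Return {'key': pem, 'gateway_cert': pem, 'other_certs': [pem, ...]}."""
    key, key_id, certs, pos = None, None, [], 0
    for m in PEM_BLOCK.finditer(text):
        preamble = text[pos:m.start()]                  # Bag Attributes before this block
        pos = m.end()
        kid = LOCAL_KEY_ID.search(preamble)
        kid = kid.group(1).strip() if kid else None
        label, block = m.group(1), m.group(0)
        if label in KEY_LABELS:
            if key is not None:
                raise ValueError("bundle contains more than one private key")
            key, key_id = block, kid
        elif label == "CERTIFICATE":
            certs.append((kid, block))
        # other block types (for instance a CRL) are ignored
    if key is None:
        raise ValueError("no private key found; was the .pfx exported with its key?")
    if not certs:
        raise ValueError("no certificate found")
    gateway = next((b for kid, b in certs if kid and kid == key_id), certs[0][1])
    others = [b for _, b in certs if b is not gateway]
    return {"key": key, "gateway_cert": gateway, "other_certs": others}


def write_pair(text, basename, outdir="."):
    """Write <basename>.cer and <basename>.key and return their paths."""
    parts = split_pem(text)
    cer = Path(outdir) / f"{basename}.cer"
    key = Path(outdir) / f"{basename}.key"
    cer.write_text(parts["gateway_cert"])
    key.write_text(parts["key"])
    return cer, key


# Constructed bundle in the layout OpenSSL produces; the base64 bodies are
# placeholders, not real key or certificate material.
SAMPLE_PEM = """\
Bag Attributes: <No Attributes>
subject=/CN=Example Root CA
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
Q0EtQ0VSVC1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03 04
subject=/CN=gateway.example.net
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
R0FURVdBWS1DRVJULVBMQUNFSE9MREVS
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03 04
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
S0VZLVBMQUNFSE9MREVS
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    parts = split_pem(SAMPLE_PEM)
    print(parts["gateway_cert"].splitlines()[0], "+", parts["key"].splitlines()[0])
```

The CA certificate comes first in the sample on purpose: picking "the first certificate" would upload the wrong one, which is why the script matches on `localKeyID`. The `.key` file holds an unencrypted private key (that is what `-nodes` means), so it belongs on the administrator's workstation only for as long as the upload takes.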

3.8. (Date) (Time)


3.8.1.
NetDefendOS.
, - IDP ,
.

, , ,
. ,
.

NetDefendOS
,
, ,
(Time Servers).

3.8.2.

,
NetDefendOS.

3.20.

CLI

gw-world:/> time -set YYYY-mm-DD HH:MM:SS

YYYY-mm-DD HH:MM:SS - (, ) . ,
, , . , 9:25 , 27 2008 :

gw-world:/> time -set 2008-04-27 09:25:00

Web-

1. System > Date and Time

2. Set Date and Time

3. , ,

4. OK

:
.
.

(Time Zones)
, (Greenwich Mean Time
(GMT)) , ,
.
GMT
. , , ,
GMT .

NetDefendOS ,
NetDefend.

3.21.

NetDefend :

CLI

gw-world:/> set DateTime Timezone=GMTplus1

Web-

1. System > Date and Time

2. (GMT+01:00) Timezone

3. OK

(Daylight Saving Time)

(Daylight Saving Time, DST), ..


. , ,
, . NetDefendOS
. , ,
.

, : DST- DST-.
DST- . DST-

.

3.22. DST

DST , :

CLI

gw-world:/> set DateTime DSTEnabled=Yes

Web-

1. System/Date and Time

2. Enable daylight saving time

3. OK

3.8.3. (Time Servers)


, NetDefendOS,
.
, .

NetDefendOS , ,
,
. NetDefendOS ,
.

(Time Synchronization Protocols)

- Time Synchronization Protocols


. NetDefendOS
:

SNTP

RFC 2030,
NTP (RFC 1305). NetDefendOS NTP-
.

UDP/TIME

- Time Protocol (UDP/TIME) ,


. -
. .

NTP SNTP-.

(Configuring Time Servers)

.

. NetDefendOS ,
, .
-.

: NetDefendOS DNS-
URL- , NetDefendOS
DNS-. ( .
3.9, DNS). IP-.

3.23. SNTP

NTP-
(Swedish National Laboratory for Time and Frequency) SNTP-. URL NTP-
: ntp1.sp.se ntp2.sp.se.

CLI

gw-world:/> set DateTime TimeSynchronization=custom TimeSyncServer1=dns:ntp1.sp.se TimeSyncServer2=dns:ntp2.sp.se TimeSyncInterval=86400

Web-

1. System > Date and Time

2. Enable time synchronization

3. :
Time Server Type: SNTP

Primary Time Server: dns:ntp1.sp.se

Secondary Time Server: dns:ntp2.sp.se

4. OK

URL- dns ( DNS-).


NetDefendOS DNS-.


CLI TimeSyncInterval
,
86400

3.24.
CLI. :

CLI

gw-world:/> time -sync

Attempting to synchronize system time...

Server time: 2008-02-27 12:21:52 (UTC+00:00)
Local time: 2008-02-27 12:24:30 (UTC+00:00) (diff: 158)

Local time successfully changed to server time.

(Maximum Time Adjustment)

,
(Maximum Adjustment) ( ).
NetDefendOS , ,
, , ,
. , 60
NetDefendOS 16:42:35. , : 16:43:38,
63 , , .. .

3.25.

gw-world:/> set DateTime TimeSyncMaxAdjust=40000

Web-

1. System > Date and Time

2. Maximum time drift that a server is allowed to adjust


.

3. OK

,
. ,
.
, .

3.26.

CLI

gw-world:/> time -sync force

.
86,400 (1 ).

D-Link

NetDefendOS
D-Link, . D-Link
NetDefendOS SNTP-.

D-Link Server , .

3.27. D-Link NTP Server


CLI

gw-world:/> set DateTime TimeSynchronization=D-Link

Web-

1. System > Date and Time

2. D-Link TimeSync Server

3. OK

, URL D-Link
DNS.

3.8.4.
:

Time Zone
.

: 0

DST-Offset

: 0

DST Start Date


DST- , : MM-DD.

: none

DST End Date


DST- , : MM-DD.

: none

Time Sync Server Type


, , UDPTime SNTP (Simple Network

Time Protocol).

: SNTP

Primary Time Server


DNS- IP- 1.

: None

Secondary Time Server


DNS- IP- 2.

: None

Tertiary Time Server


DNS- IP- 3.
: None

Interval between synchronization


.

: 86400

Max time drift


( ), .

: 600

Group interval

, .

: 10

3.9. DNS


DNS- - Fully Qualified Domain Name (FQDN)
IP-. FQDN ,
DNS-. FQDN IP-
.
- Uniform Resource Locator (URL) FQDN ,
FQDN. , web-
: http://.
FQDN NetDefendOS IP-
DNS- IP-.

DNS NetDefendOS
DNS NetDefendOS DNS-,
DNS-: Primary Server ( ),
Secondary Server ( ) Tertiary Server ( ). DNS
primary server.
.

, DNS
DNS-
NetDefendOS:

(Automatic time synchronization).

authority server CA .

UTM- , anti-virus IDP.

3.28. DNS-

DNS- primary secondary DNS-


IP- 10.0.0.1 10.0.0.2 .

CLI

gw-world:/> set DNS DNSServer1=10.0.0.1 DNSServer2=10.0.0.2

Web-

1. System > DNS

2. :

Primary Server: 10.0.0.1

Secondary Server: 10.0.0.2

3. OK

DNS (Dynamic DNS)

DNS- NetDefendOS DNS-


IP- NetDefend. Dynamic DNS
IP- NetDefend.

Dynamic DNS VPN-,


IP-. ,
NetDefendOS VPN keep alive .

System > Misc. Clients WebUI DNS-.


HTTP Poster- DNS-, 3
URL Delay in seconds until all URLs are refetched ( 604800
7 ).

HTTP Poster HTTP GET-


URL.

NetDefendOS,
- IP- ,
DNS-.

HTTP Poster DNS- WebUI


URL. ,
URL, . , URL- http://dyndns.org
:

myuid:mypwd@members.dyndns.org/nic/update?hostname=mydns.dyndns.org

HTTP Poster URL


NetDefendOS DynDNS
, dyndns.org.

NetDefendOS CLI
httpposter.

:

DNS-
IP-,
.

HTTP Poster . NetDefendOS


HTTP GET-.

4.
IP- NetDefendOS.


(PBR)

OSPF

4.1.
IP- NetDefendOS.
NetDefend IP- , , ,
, .

NetDefendOS :

NetDefendOS route monitoring (


),
.

4.2. (Static Routing)


.
,
().

- ,
IP- .
, ,
.
.

NetDefendOS
4.5, OSPF. ,
.

4.2.1.
IP- TCP/IP- IP-
,
.

( ) ,
.

, :

(Interface)

, . , ,
IP- (
).

VPN-
( NetDefendOS VPN-
).

(Network)

IP- .
IP-,
. , , IP-
.

all-nets ( )
ISP.

(Gateway)

IP- IP- .
, ,
NetDefend .

, , ,
ISP IP-,
.

IP- (Local IP address)

. ,
NetDefendOS ARP- .

IP- ,
.

(Metric)

.
, ,
.

(Route Failover)
(Route Load Balancing).

4.4.
.

NetDefend.

4.1

: LAN-, 192.168.0.0/24, DMZ-,


10.4.0.0/16, WAN- 195.66.77.0/24 ISP- 195.66.77.4
.


(Route #) (Interface) (Destination) (Gateway)
1 lan 192.168.0.0/24
2 dmz 10.4.0.0/16
3 wan 195.66.77.0/24
4 wan all-nets 195.66.77.4

1 (Route #1)

, 192.168.0.0/24, LAN-
. , ,
,
LAN-.

2 (Route #2)

, 10.4.0.0/16, DMZ-
. .

3 (Route #3)

, 195.66.77.0/24, WAN-
. .

4 (Route #4)

, ( all-nets ),
WAN- IP- 195.66.77.4.
.

all-nets Default Route ( ),


, , .
, .

.
.
, ,
.

192.168.0.4
, ,
.

IP- (Local IP Address Parameter)

IP-.

, LAN- ,
. ,
NetDefend ARP-
. NetDefendOS , ARP
.

,
IP- , ..
.
NetDefend, ARP- .

NetDefendOS
:

: , .

: IP- .

IP-: IP- .

(Default Gateway)
IP-,
.

IP- NetDefendOS
IP-, ARP- .

, . 10.1.1.0/24
10.1.1.1. 10.2.2.0/24
IP- .

4.2. IP-

ARP- 10.2.2.0/24
NetDefendOS IP- 10.2.2.1.
NetDefend
10.2.2.1.

,
. ,
,
, .

NetDefendOS .
, , .

, ,
. NetDefendOS ,
(reverse route lookup).
,
. , NetDefendOS
Default Access Rule.

, Core (
NetDefendOS), ICMP ping-,
. Core.

4.2.2.

NetDefendOS .

NetDefendOS .
main. ,
.

Policy Based Routing

(PBR), IP-,
. ( PBR 4.3,
(PBR)).

(Route Lookup)

NetDefendOS
,
. IP- ,
, .
NetDefendOS Stateful inspection,
.

IP-
, .

. ,
.

, .
,
(, IP-), NetDefendOS
, .
.

NetDefendOS

NetDefendOS .

IP-.
Microsoft Windows XP :

NetDefendOS:

NetDefendOS

NetDefendOS
.

,
, :

, IP- .

IP- ,
.

NetDefendOS ,
,
.

, IP- : 192.168.0.5
192.168.0.17 192.168.0.18 192.168.0.254,
NetDefendOS .

, ,
, , ,
.

.
, OSPF,
,
OSPF-. .

4.1. main

, main.

(Command-Line)

gw-world:/> cc RoutingTable main

gw-world:/main> show

Route
# Interface Network Gateway Local IP
- --------- -------- ------------- --------
1 wan all-nets 213.124.165.1 (none)
2 lan lannet (none) (none)
3 wan wannet (none) (none)

:
gw-world:/> routes

Flags Network Iface Gateway Local IP Metric

----- ------------------ ------- --------------- -------- ------


192.168.0.0/24 lan 0
213.124.165.0/24 wan 0
0.0.0.0/0 wan 213.124.165.1 0

Web-

1. Routing > Routing Tables

2. main

Routes
Status, .

: CLI-
cc
CLI, ,

cc (change category
change context).
.

, (Default Static Routes)


NetDefendOS
main .
IP- ,
IP-.

:
100
,
, 100.

.
Automatically add a route for this interface
using the given network ( ,
). , ,
.

all-nets ( )

all-nets ,
ISP. NetDefendOS setup wizard
.

,
. Web- all-nets
Ethernet- Automatically add a default route for this interface using the
given default gateway (
, ).

all-nets
main .

Core (Core Routes)

NetDefendOS Core.

. , .
, LAN WAN- 192.168.0.10 193.55.66.77
:


(Route #) (Interface) (Destination) (Gateway)
1 core 192.168.0.10
2 core 193.55.66.77

IP-, IP-,
core, NetDefendOS.


(Route #) (Interface) (Destination) (Gateway)
1 core 224.0.0.0/4

Core ,
.

4.2. Core
, Core .

CLI

gw-world:/> routes all

Flags Network Iface Gateway Local IP Metric


----- ------------------ ---------- ------------- -------- ------
127.0.0.1 core (Shared IP) 0
192.168.0.1 core (Iface IP) 0
213.124.165.181 core (Iface IP) 0
127.0.3.1 core (Iface IP) 0
127.0.4.1 core (Iface IP) 0
192.168.0.0/24 lan 0
213.124.165.0/24 wan 0
224.0.0.0/4 core (Iface IP) 0
0.0.0.0/0 wan 213.124.165.1 0

Web-

1. Routes Status

2. Show all routes Apply

3. , core.

CLI-

(CLI Reference Guide).

4.2.3. (Route Failover)


NetDefend ,
. , ,
, .


. - ,
.

NetDefendOS
(Route Failover):
. NetDefendOS
, Route Monitoring,
.

4.3. Route Failover ISP

Route Failover

Route Failover Route Monitoring.


Route Monitoring,
( ). Route
Monitoring , :

Interface Link Status NetDefendOS


, .
, .
,

.

Gateway Monitoring ,
ARP-. ,
,
.


, Route Monitoring
, , -.
,
NetDefendOS.

Route Monitoring , ,
.

(Route Metric)

(metric) .
, .
NetDefendOS
( ,
, ).

, .

. ,
,
. : 10 , 20
30 .
.

(Failover Processing)

NetDefendOS
.
, .

.

, , , ,
all-nets, .
Route
Monitoring. .


(Route #) (Interface) (Destination) (Gateway) (Metric) (Monitoring)
1 wan all-nets 195.66.77.1 10 On
2 wan all-nets 193.54.68.1 20 Off


. WAN-
NetDefendOS .
.

NetDefendOS , .
, .
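The lookup and failover behaviour of this section, as an added illustration (example code, not part of NetDefendOS or of this manual): a small Python model of a routing table in which the most specific route wins and, among routes with the same network, the lowest metric wins, while Route Monitoring removes a failed route from the lookup. The table is constructed from Example 4.1 together with the two all-nets routes in the table above; the Internet host address 8.8.8.8 and the function names are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ALL_NETS = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Route:
    iface: str
    network: str                 # "all-nets" or a CIDR prefix
    gateway: Optional[str] = None
    metric: int = 0
    monitoring: bool = False     # Route Monitoring enabled for this route
    monitor_ok: bool = True      # latest monitoring verdict (ignored when monitoring is off)

    @property
    def net(self) -> ipaddress.IPv4Network:
        return ALL_NETS if self.network == "all-nets" else ipaddress.ip_network(self.network)

    def usable(self) -> bool:
        # a monitored route whose gateway/link failed is taken out of the lookup entirely
        return self.monitor_ok or not self.monitoring


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Most specific prefix wins; among equal prefixes the lowest metric wins,
    which is what makes the second all-nets route the failover route."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in table if r.usable() and addr in r.net]
    if not cands:
        return None
    return min(cands, key=lambda r: (-r.net.prefixlen, r.metric))


def build_table() -> List[Route]:
    # Constructed from Example 4.1 (lan/dmz/wan networks) and the failover table above:
    # two all-nets routes on wan, metric 10 (monitored) and metric 20 (not monitored).
    return [
        Route("lan", "192.168.0.0/24"),
        Route("dmz", "10.4.0.0/16"),
        Route("wan", "195.66.77.0/24"),
        Route("wan", "all-nets", gateway="195.66.77.1", metric=10, monitoring=True),
        Route("wan", "all-nets", gateway="193.54.68.1", metric=20),
    ]


def set_monitor_result(table: List[Route], gateway: str, ok: bool) -> None:
    """Simulate Route Monitoring reporting the route via `gateway` as up or down."""
    for r in table:
        if r.gateway == gateway:
            r.monitor_ok = ok


def failover_walkthrough() -> List[str]:
    """Gateway chosen for an Internet host (assumed 8.8.8.8) before, during and after a failure."""
    table = build_table()
    before = lookup(table, "8.8.8.8").gateway
    set_monitor_result(table, "195.66.77.1", False)   # monitoring detects the primary ISP is down
    during = lookup(table, "8.8.8.8").gateway
    set_monitor_result(table, "195.66.77.1", True)    # primary recovers: lowest metric wins again
    after = lookup(table, "8.8.8.8").gateway
    return [before, during, after]


if __name__ == "__main__":
    print(failover_walkthrough())                        # primary, backup, primary
    print(lookup(build_table(), "192.168.0.4").iface)    # lan: more specific than all-nets
```

Note that the non-monitored metric-20 route is never disabled by a monitoring failure, which is the reason the manual warns that a route without Route Monitoring will keep being used even when it is broken.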

,
, , ,
, .
:

IP-, NAT HTTP-,


WAN-:


(Action) (Src Iface) (Src Net) (Dest Iface) (Dest Net) (Parameters)
NAT lan lannet wan all-nets http

, :


(Interface) (Destination) (Gateway) (Metric) (Monitoring)
wan all-nets 195.66.77.1 10 Off

DSL- Route
Monitoring. :


(Route #) (Interface) (Destination) (Gateway) (Metric) (Monitoring)
1 wan all-nets 195.66.77.1 10 On
2 Dsl all-nets 193.54.68.1 20 Off

, Route Monitoring .

, WAN- .
WAN- , .

, ,
DSL-. HTTP- ,
DSL- . ,
IP-, NAT, WAN- .

, -, NAT
.


, Security/Transport Equivalent.
.
3.3.6, Interface Groups.

Gratuitous ARP-

NetDefendOS Gratuitous ARP-


.
.
Gratuitous ARP on Fail.

4.2.4. (Host Monitoring)


NetDefendOS Host Monitoring


.

.

Host Monitoring:


.
.

Host Monitoring
(Quality of Service) ( ).

, .

Host Monitoring

(Host Monitoring),
.

, .

Host Monitoring :

Grace Period
NetDefend,
NetDefendOS Route Monitoring.

.

Minimum Number of Hosts ,


Available , .

, Host Monitoring,
:

Method

ICMP ICMP- ping. IP-.

TCP TCP- .
IP- .

HTTP HTTP- c URL. URL-


string,
Web-. ,
.

IP Address

IP- ICMP TCP.

Port Number

TCP.

Interval
( ) .
10000, 100 .

Sample

,
(Percentage Loss) (Average Latency). 1.

Maximum Failed Poll Attempts

. ,
.

Max Average Latency

( ) .
, . Average Latency
. ,
.

(Reachability Required)

Reachability Required , .
, , . ,
, , , , ,
.

,
Reachability Required. NetDefendOS
, .
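The Host Monitoring parameters above, as an added example (not NetDefendOS code and not part of this manual): a Python model that evaluates each host's last Sample poll results against Maximum Failed Poll Attempts and Max Average Latency, and then decides whether the route stays available from Reachability Required and Minimum Number of Hosts Available. The hosts, poll results and function names are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

Sample = Optional[int]   # latency in ms, or None when the poll got no answer


@dataclass
class MonitoredHost:
    name: str
    max_failed_polls: int          # Maximum Failed Poll Attempts
    max_avg_latency_ms: int        # Max Average Latency
    reachability_required: bool    # Reachability Required


def poll_stats(samples: List[Sample]) -> Dict[str, float]:
    """Percentage Loss and Average Latency over the last `Sample` polls."""
    answered = [s for s in samples if s is not None]
    loss_pct = 100.0 * (len(samples) - len(answered)) / len(samples)
    avg_latency = sum(answered) / len(answered) if answered else float("inf")
    return {"loss_pct": loss_pct, "avg_latency_ms": avg_latency}


def host_reachable(host: MonitoredHost, samples: List[Sample]) -> bool:
    """A host is unreachable when more polls failed than allowed, or when the
    average latency of the answered polls exceeds Max Average Latency."""
    if not samples:
        raise ValueError("Sample size must be at least 1")
    failed = sum(1 for s in samples if s is None)
    if failed > host.max_failed_polls:
        return False
    return poll_stats(samples)["avg_latency_ms"] <= host.max_avg_latency_ms


def route_available(hosts: List[MonitoredHost], results: Dict[str, List[Sample]],
                    min_hosts_available: int) -> bool:
    """The route stays up only if every Reachability Required host is reachable
    and at least Minimum Number of Hosts Available hosts are reachable."""
    reachable = {h.name: host_reachable(h, results[h.name]) for h in hosts}
    if any(h.reachability_required and not reachable[h.name] for h in hosts):
        return False
    return sum(reachable.values()) >= min_hosts_available


# Constructed hosts: a DNS server that must answer, and a web server that may fail.
DNS = MonitoredHost("dns1", max_failed_polls=2, max_avg_latency_ms=200, reachability_required=True)
WEB = MonitoredHost("web", max_failed_polls=2, max_avg_latency_ms=500, reachability_required=False)
HOSTS = [DNS, WEB]

# Constructed poll results, four samples per host (Sample = 4).
HEALTHY = {"dns1": [20, None, 30, 25], "web": [120, 130, None, None]}
WEB_DOWN = {"dns1": [20, None, 30, 25], "web": [None, None, None, 130]}
DNS_SLOW = {"dns1": [300, 400, None, 350], "web": [120, 130, None, None]}


def scenarios() -> Dict[str, bool]:
    return {
        "healthy": route_available(HOSTS, HEALTHY, min_hosts_available=2),
        "web_down_need_2": route_available(HOSTS, WEB_DOWN, min_hosts_available=2),
        "web_down_need_1": route_available(HOSTS, WEB_DOWN, min_hosts_available=1),
        "dns_slow": route_available(HOSTS, DNS_SLOW, min_hosts_available=1),
    }


if __name__ == "__main__":
    print(poll_stats(HEALTHY["dns1"]))   # 25% loss, 25 ms average
    print(scenarios())
```

The DNS_SLOW case shows why Max Average Latency matters for a security gateway: a link that still answers pings but has become unusably slow is treated as failed, so traffic moves to the backup route instead of silently degrading.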

HTTP

HTTP, :

Request URL

URL

Expected Response

Web-.

,
Web-. , , Web-
Database OK, ,
, - .

, ,

- .
, ,
NetDefend . -
( all-nets),
, ,
.

, ARP-
.

4.2.5. Route Failover

Route Failover NetDefendOS


:

Iface poll interval

( ) ,
.

: 500

ARP poll interval

( ) (ARP-lookup).
.

: 1000

Ping poll interval

( ) Ping-.

: 1000

Grace time

( )
.

: 30

Consecutive fails

, ,
.

: 5

Consecutive success

, ,
.

: 5

Gratuitous ARP on fail

Gratuitous ARP- (High Availability, HA)


Ethernet- IP-.

4.2.6. Proxy ARP


3.4, ARP, ARP IP-,


Ethernet-, MAC- .

Ethernet- ,
NetDefend. NetDefendOS
ARP-, ,
NetDefend, Proxy ARP.

Proxy ARP Ethernet-


, . NetDefendOS
, , IP-.


NetDefend .

ARP-
MAC- IP-. Proxy ARP NetDefendOS
MAC- .
NetDefendOS,
. NetDefendOS
IP-.

Proxy ARP

Proxy ARP . :
, net_1 net_2.

net_1 if1, net_2 if2. Route_1


NetDefendOS, , net_1 if1.

route_1 Proxy ARP net_1 if2.


ARP- net_2, if2,
NetDefendOS IP- net_1. , NetDefendOS
, net_1 if2,
net_1.

, Proxy ARP, net_2 if1


.

Proxy ARP
(Route #) (Network) (Interface) (Proxy ARP Published)
1 net_1 if1 if2
2 net_2 if2 if1

,
.
Proxy ARP.

, ARP- IP-,
, , .
:

4.4. Proxy ARP

Proxy ARP (Transparent Mode)

Ethernet- .

.
4.7, (Transparent Mode).

Proxy ARP (High Availability Clusters)

HA-,
; HA- Proxy ARP.

:
Proxy ARP
Proxy ARP VLAN Ethernet-
.
NetDefendOS Proxy ARP .

, Proxy ARP ,
, -.
,
NetDefendOS.

Proxy ARP ,
, , .

4.3. (PBR)
4.3.1.

(PBR, Policy-Based Routing)


, . PBR
,
.

IP- ,
. ,
OSPF, SPF- .
PBR , .

PBR :

Source based routing


. -
, PBR
. ,

ISP,
ISP.

Service-based Routing .
PBR ,
HTTP, proxy-, , Web-.

-.

User based Routing


,
.
,
ISP-.

NetDefendOS :

main, ,
.

PBR
.

4.3.2. PBR-
NetDefendOS ,
main, Ordering,
main.
4.3.5, Ordering

4.3.3. PBR
PBR .
PBR (, HTTP),
/ /.

4.3.4.
, ,
:

1. ,
. , main

(all-nets), ,
.

2. , , :
/ /.
, .
, main.

3. ,
IP- .
(Access Rules) (
6.1, Access Rules). ,
,
IP- . , , Log
Default access rule.

4. ,
.
Ordering, .
Only.

5. IP-.
SAT, . ,
,
. ,

.

6. IP- , NetDefendOS
.

4.3.5. Ordering (Ordering parameter)


,
Ordering , (main)
. :

1. Default main.
all-nets
(0.0.0.0/0), .
,
main.

2. First
. ,
main.
all-nets (0.0.0.0/0), , .

3. Only ,
, .
, .
,
.

, main
, .

: all-nets
main

all-nets,
main PBR.

all-
nets, (drop).
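The six lookup steps and the three Ordering values above, as an added example that is not part of the manual or of NetDefendOS: a Python model that resolves a destination against main and an alternate table under Default, First and Only. The tables are those of Example 4.5 later in this section (main and r2, ProxyARP column omitted), applied to traffic for which a routing rule has already selected r2; the destination addresses and the function names are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

ALL_NETS = ipaddress.ip_network("0.0.0.0/0")
Route = Tuple[str, str, Optional[str]]   # (interface, network, gateway)


def _net(network: str) -> ipaddress.IPv4Network:
    return ALL_NETS if network == "all-nets" else ipaddress.ip_network(network)


def best_match(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match inside a single routing table."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in _net(r[1])]
    return max(hits, key=lambda r: _net(r[1]).prefixlen) if hits else None


def pbr_lookup(main: List[Route], alt: List[Route], ordering: str, dst: str) -> Optional[Route]:
    """Model of the Ordering parameter. A None result means no route: the packet is dropped."""
    in_main = best_match(main, dst)
    in_alt = best_match(alt, dst)
    if ordering == "Only":
        # the alternate table is the only one consulted; main is ignored completely
        return in_alt
    if ordering == "Default":
        # main first; only when main has no match, or nothing better than all-nets,
        # is the alternate table tried, with main's all-nets as the last resort
        if in_main is not None and _net(in_main[1]) != ALL_NETS:
            return in_main
        return in_alt if in_alt is not None else in_main
    if ordering == "First":
        # alternate table first (its all-nets route counts as a match); main otherwise
        return in_alt if in_alt is not None else in_main
    raise ValueError(f"unknown Ordering value: {ordering}")


# Constructed from Example 4.5: main and the PBR table r2 (ProxyARP column omitted).
MAIN: List[Route] = [
    ("lan1", "10.10.10.0/24", None),
    ("lan1", "20.20.20.0/24", None),
    ("wan1", "10.10.10.1/32", None),
    ("wan2", "20.20.20.1/32", None),
    ("wan1", "all-nets", "10.10.10.1"),
]
R2: List[Route] = [("wan2", "all-nets", "20.20.20.1")]


if __name__ == "__main__":
    for ordering in ("Default", "First", "Only"):
        for dst in ("8.8.8.8", "10.10.10.5"):
            print(ordering, dst, pbr_lookup(MAIN, R2, ordering, dst))
```

With Default, the LAN destination 10.10.10.5 still leaves through lan1 because main holds a more specific route; with First or Only the all-nets route in r2 captures it, which is the behaviour the note about all-nets in the named table refers to.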

4.3. (Policy-based Routing


Table)

TestPBRTable

Web-

1. Routing > Routing Tables > Add > Routing Table

2. :

Name: TestPBRTable

Ordering:

First TestPBRTable.
, main.

Default main.
, (all-nets),
TestPBRTable. , .

Only TestPBRTable.
, main .

3. Remove Interface IP Routes, core


.

4. OK

4.4.
TestPBRTable, .

Web-

1. Routing > Routing Tables > TestPBRTable > Add > Route

2. :

Interface:

Network:

Gateway:

Local IP Address: IP-


. IP- ARP-
. IP- , IP- .

Metric: ( ).

3. OK

4.5. PBR
ISP, PBR.
:

ISP IP- . : ISP,
10.10.10.0/24, A 20.20.20.0/24 B. ISP-:
10.10.10.1 20.20.20.1 .

NetDefend ,
.

, , IP-,
. IP-, .
.

, -,
ISP, BGP-, IP-
. , PBR.

main ISP A r2,


, ISP B.

(Interface) (Network) (Gateway) (ProxyARP)
lan1 10.10.10.0/24 wan1
lan1 20.20.20.0/24 wan2
wan1 10.10.10.1/32 lan1
wan2 20.20.20.1/32 lan1
wan1 all-nets 10.10.10.1

PBR r2:


(Interface) (Network) (Gateway)
wan2 all-nets 20.20.20.1

Ordering r2 Default,
, , (all-nets).

PBR:

(Source Interface) (Source Range) (Destination Interface) (Destination Range) (Service) (Selected/Forward VR table) (Return VR table)
lan1 10.10.10.0/24 wan2 all-nets ALL r2 r2
wan2 all-nets lan1 20.20.20.0/24 ALL r2 r2

Web-:

1. , main,
.

2. r2 Ordering- Default.

3. r2, .

4. VR-, .

Routing > Routing Rules > Add > Routing Rule

, .



, .

4.4. Route Load Balancing


NetDefendOS ,
Route Load Balancing (RLB).
.

, .

, VPN-,
.

RLB

RLB RLB
Instance, : RLB-.
Instance.

RLB Instance :

Round Robin

Destination

Round Robin, , ,
IP- , .

Spillover


, .

RLB

Instance RLB .

RLB

RLB Instance.
:

1. ;
. IP-.

2. ,
.

3. , RLB.
RLB Instance:

Round Robin

.
, ,
, ,
.

4.5. RLB- Round Robin

Destination

Round Robin, , ,
IP- ,
. ,
IP- .

Spillover

, .
, .
, ( Hold Timer),
( Spillover
Limits). ,
.

Spillover Limits Hold Timer ( 30 )


RLB Algorithm Settings.

Spillover
Limits Hold Timer,
.

4.6. RLB- Spillover

Spillover Limits.
, .
,
Spillover Limit Hold Timer. Spillover Limit
/, /, /.

Round Robin

,
. Round Robin Destination
, ,
.
, .

ISP ,
ISP, RLB
ISP, ISP,
.

Spillover

Spillover :

NetDefendOS
. ,

, Spillover.

, ,
.

Spillover Setting
, ,
. , ,
Spillover Limits Hold Timer,
.

Spillover Limit,
.
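The three RLB algorithms, as an added example (not NetDefendOS code and not part of this manual): Python models of Round Robin, Destination stickiness and Spillover, applied to the two equal-metric all-nets routes of the scenario in this section (WAN1 via GW1 and WAN2 via GW2). The Spillover model is simplified to one limit in one direction with one-second ticks; the connection destinations, load values and class names are assumptions.

```python
from itertools import cycle
from typing import Dict, List

ROUTES: List[str] = ["WAN1 via GW1", "WAN2 via GW2"]   # two all-nets routes, both metric 100


class RoundRobin:
    """Each new connection takes the next route in turn."""
    def __init__(self, routes: List[str]):
        self._next = cycle(routes)

    def pick(self, dst_ip: str) -> str:
        return next(self._next)


class Destination:
    """Round Robin for destinations not seen before, but a destination IP keeps the
    route it was first given, so every connection to one server leaves via one ISP."""
    def __init__(self, routes: List[str]):
        self._rr = RoundRobin(routes)
        self._sticky: Dict[str, str] = {}

    def pick(self, dst_ip: str) -> str:
        if dst_ip not in self._sticky:
            self._sticky[dst_ip] = self._rr.pick(dst_ip)
        return self._sticky[dst_ip]


class Spillover:
    """The first route carries new connections until its load stays above the Spillover
    Limit for Hold Timer seconds; then the next route takes them until the load stays
    below the limit for Hold Timer seconds again (simplified: one limit, one direction)."""
    def __init__(self, routes: List[str], limit_kbps: int, hold_timer_s: int = 30):
        self.routes, self.limit, self.hold = routes, limit_kbps, hold_timer_s
        self.active = 0                     # index of the route taking new connections
        self._over = self._under = 0        # consecutive seconds above / below the limit

    def tick(self, primary_load_kbps: int) -> str:
        """Called once per second with the measured load on the first route."""
        if primary_load_kbps > self.limit:
            self._over, self._under = self._over + 1, 0
        else:
            self._under, self._over = self._under + 1, 0
        if self.active == 0 and self._over >= self.hold:
            self.active = 1
        elif self.active > 0 and self._under >= self.hold:
            self.active = 0
        return self.routes[self.active]

    def pick(self, dst_ip: str) -> str:
        return self.routes[self.active]


def demo() -> Dict[str, List[str]]:
    # constructed: four connections, the first destination appears three times
    conns = ["198.51.100.7", "203.0.113.9", "198.51.100.7", "198.51.100.7"]
    rr, dst = RoundRobin(ROUTES), Destination(ROUTES)
    so = Spillover(ROUTES, limit_kbps=500, hold_timer_s=3)
    return {
        "round_robin": [rr.pick(ip) for ip in conns],
        "destination": [dst.pick(ip) for ip in conns],
        "spillover": [so.tick(load) for load in [800, 800, 800, 100, 100, 100]],
    }


if __name__ == "__main__":
    for name, picks in demo().items():
        print(name, picks)
```

The Destination output is what matters when the upstream service ties a session to the client's source address: with plain Round Robin the second connection to 198.51.100.7 would leave through the other ISP and arrive with a different NAT address.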

IP-

, IP- , RLB
, ,
.

, 10.4.16.0/24, 10.4.16.0/16,
, IP-
.

, Route Lookup
IP-. 10.4.16.0/24,
IP-, 10.4.16.0/16 IP-
10.4.16.0/16.

RLB (RLB Reset)

RLB- :

NetDefendOS.

RLB (RLB Limitations)

,
.
.

RLB-
. RLB-
, ,
, - .

RLB

4.7 RLB. ,
LAN- NetDefend, .

, , GW1 GW2,
WAN1 WAN2. RLB
ISP.

4.7 Route Load Balancing

ISP main:


(Route #) (Interface) (Destination) (Gateway) (Metric)
1 WAN1 all-nets GW1 100
2 WAN2 all-nets GW2 100

Spillover ,
, , , 100.

RLB- Destination, ,
, IP- . NAT,
IP- WAN1 WAN2.

, , IP-.
ISP
NAT , IP- WAN1 WAN2.


(Rule #) (Action) (Src Iface) (Src Net) (Dest Iface) (Dest Net) (Service)
1 NAT lan lannet WAN1 all-nets All
1 NAT lan lannet WAN2 all-nets All

IP- All,
.

4.6. RLB

RLB. IP-
.

IP- WAN1 WAN2 , ISP, IP-


GW1 GW2 IP- ISP.

1. main.

2. RLB- Instance.

RLB- Instance Destination, IP-


, IP- (WAN1 WAN2).

CLI

gw-world:/> add RouteBalancingInstance main Algorithm=Destination

Web-

1. Routing > Route Load Balancing > Instances > Add > Route Balancing Instance

2. route balancing instance :

Routing Table: main

Algorithm: Destination

OK

3. IP-, .

, IP- IP-, .
IP-,
.

RLB VPN

RLB VPN .

RLB IPSec-
, (Remote Endpoint)
. :

ISP, ISP,
. RLB
.

main
, ISP.

ISP-.

VPN, IPSec-,
.

, , IPSec-,
IPSec GRE- ( IPSec- GRE-). GRE
, .
GRE- 3.3.5 GRE-.

4.4. OSPF
NetDefendOS (Dynamic Routing)
OSPF-.


, OSPF
OSPF-.

4.5.1. (Dynamic Routing)


OSPF , ,
OSPF.
OSPF.


, ,
, NetDefend,
.


,
.
.

,
,
.
:

(Distance Vector, DV)

(Link State, LS)

,
.
.

(Distance Vector, DV)

,
.


.
, ,
, .

RIP- DV-,
,
.
, ().

,
,
.

(Link State, LS)

DV- LS- ,
.


.
LS-, , .

, ,
.

LS-

, LS-,
, OSPF,
.
,
. RIP,

, OSPF .

OSPF

Open Shortest Path First (OSPF) , LS-.


NetDefendOS OSPF-
.

: OSPF-
D-Link
OSPF- D-Link NetDefend: DFL-800,
860, 1600, 1660 2500, 2560 2560G.

DFL-210 260 OSPF.

OSPF ,
,
.
OSPF .

OSPF-
, IP- ,
. OSPF
,
.

OSPF () , ,
, . OSPF
.

OSPF

, , OSPF.
A B OSPF-
( (area) ).

4.8. OSPF

OSPF A , Y,
B. OSPF
B A,
.

B , X
A.

OSPF, .

OSPF (Route Redundancy)

NetDefend C,
, .
.

4.9. OSPF

, .
, A C , OSPF
B.

X, Z
B.

,
. OSPF ,
,
.

:

, OSPF,
NetDefend ,
.
,

(Metric Routing)

OSPF
(Metric Routing).

, ,
.
.
:

Path Length .
(hop count)
,
.

Item Bandwidth , /.

Load , ,
CPU.

Delay , .
,
, .

4.5.2. OSPF

Open Shortest Path First (OSPF) , IETF (Internet


Engineering Task Force) IP-. NetDefend OSPF RFC 2328,
RFC 1583.

: OSPF-
D-Link
OSPF- D-Link NetDefend: DFL-800,
860, 1600, 1660 2500, 2560 2560G.

DFL-210 260 OSPF.

OSPF IP-, IP-


, IP-. IP- ,
, Autonomous System (AS),
.

(Autonomous System, AS)


Autonomous System ,
, .
,
OSPF.

NetDefendOS AS OSPF Router,


OSPF. OSPF Router
NetDefend OSPF-. OSPF Router NetDefendOS
4.5.3.1, OSPF Router Process.

OSPF ,
(,
) .

Link-State- (Link-state Routing, LS)

OSPF LS-, LS- (Link-State Advertisement,


LSA) , .
LS- , .
,
, .
.

, OSPF- .
, ,
AS. NetDefendOS ,
MD5-.

NetDefendOS .

OSPF Area

OSPF Area .
,
(internal router). ,
.

AS.
. ,
, ,
. ,
IP- .

NetDefendOS OSPF Area


AS, OSPF Router.
, OSPF Router
OSPF Area. ,
, OSPF-.

4.5.3.2, OSPF Area.

OSPF Area

OSPF- .

ABR (Area Border Router)


,
.
, .

ASBR (Autonomous
System Boundary Routers) ,

.
.

Backbone Area OSPF-


(Backbone Area), OSPF-
ID 0. ,
.

.
, .

OSPF-
.

Stub Area (Stub) , /


.
,
,
,
.

Transit Area
.

Designated Router (DR)

OSPF- Designated
Router (DR) Backup Designated Router (BDR).
DR BDR, OSPF- Hello
. DR,
.

NetDefendOS DR BDR .

, .
Hello,
IP-.
, Hello. ,
.

(Neighbor State).

Down .

Init Hello ,
ID .

Hello,
ID
Hello, 2-Way.

2-Way
(bi-directional).

OSPF- Point-to-Point Point-to-Multipoint

Full. Full
DR/BDR ,
2-way.

ExStart .

Exchange LS- .

Loading LS-.

Full DR/BDR,
LS- .

(Aggregates)

OSPF-
, .

4.5.3.5, OSPF Aggregate.

A. , .

B. (areas) , .

A. ,

Backbone Area .
,
(Virtual Link),
.

(ABR),
.
(Area 1), , fw1
.

4.10.

fw1 fw2 Area1,
. ID
(Router ID). fw2 fw1 ID
192.168.1.1 .
Area1.

B. ( )

OSPF .
ABR,
.

4.11. ,

fw1 fw2 Area1, .


ID (Router ID).
, fw2 fw1 ID 192.168.1.1
. Area1.

4.5.3.6, OSPF.

OSPF

HA OSPF:

HA-
, ,
. (master) (slave) HA-

DR BDR .
0.

OSPF HA , NetDefend
, ,
, . ,

.

, HA- ,
(
- 0). ,
, - (point-to-point).
HA-
. HA-
3 : ,
,
.

OSPF NetDefendOS

OSPF NetDefendOS :
. OSPF
,
,
.

OSPF ,
, ,

, .

,

. .
, .

4.5.3. OSPF
NetDefendOS,
OSPF-. OSPF-.
NetDefend, OSPF-
.

OSPF- NetDefendOS .

4.12. OSPF- NetDefendOS

4.5.3.1. OSPF Router Process

(Autonomous System) OSPF-.
Router Process OSPF-
.

Name OSPF.

Router ID IP-,
.
Router ID , ID,
IP- ,
OSPF.

Private Router ID HA-, ID


, HA- .

OSPF HA-


Private Router ID,
.

Reference Bandwidth
(cost) ,
.
OSPF-
(bandwidth),
:

Cost = reference bandwidth/bandwidth

RFC 1583 Compatibility ,


NetDefend ,
RFC 1583.

(Debug)

,
OSPF- .

Off .

Low .

Medium , Low, .

High .


High
,
. Log Send Per Sec Limit
.

(Authentication)

OSPF :

No (null) authentication OSPF-


Passphrase OSPF-
.

MD5 Digest MD5-


(key ID) 128- .
128- MD5-.
, OSPF- .
OSPF- ,
VPN. ,
IPSec.
OSPF- IPSec
4.5.5, OSPF.

:
.
OSPF- MD5,
OSPF-
.

, NetDefend
.

SPF Hold Time ( ) SPF-.


10 . 0
.

SPF Delay Time ,


SPF-. 5
. 0 .
, SPF- CPU,
.

LSA Group Pacing ( ), OSPF LSA


.
LSA , LSA
.

Routes Hold Time ( ),


OSPF-
HA.

Memory Max Usage ( ) ,


OSPF,
, 1 % .
0 , OSPF

.
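The Reference Bandwidth setting above gives an interface cost as Cost = reference bandwidth / bandwidth, and the link-state algorithm then selects the path with the lowest total cost. As an added example (not NetDefendOS code and not part of this manual), the following Python computes costs with that formula and runs Dijkstra's shortest-path-first search over a constructed three-router topology, then removes one link to show the route redundancy described earlier in this section. The 100 Mbit/s reference bandwidth, the topology and the function names are assumptions; the floor of 1 on the cost follows general OSPF practice, not a statement in this manual.

```python
import heapq
from typing import Dict, List, Optional, Tuple

Link = Tuple[str, str, int]   # (router_a, router_b, bandwidth in kbit/s)


def ospf_cost(reference_bw_kbps: int, link_bw_kbps: int) -> int:
    """Cost = reference bandwidth / bandwidth, as an integer with a floor of 1
    (an OSPF link cost is a positive integer; the floor is OSPF practice, not manual text)."""
    return max(1, reference_bw_kbps // link_bw_kbps)


def spf(links: List[Link], reference_bw_kbps: int, source: str) -> Dict[str, Tuple[int, List[str]]]:
    """Dijkstra over the link-state database: lowest total cost and path from `source`
    to every router. Returns {router: (total_cost, [source, ..., router])}."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, bw in links:
        c = ospf_cost(reference_bw_kbps, bw)
        adj.setdefault(a, []).append((b, c))
        adj.setdefault(b, []).append((a, c))
    best: Dict[str, Tuple[int, List[str]]] = {source: (0, [source])}
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                      # stale heap entry
        for nxt, c in adj.get(node, []):
            new = cost + c
            if nxt not in best or new < best[nxt][0]:
                best[nxt] = (new, best[node][1] + [nxt])
                heapq.heappush(heap, (new, nxt))
    return best


# Constructed topology in the spirit of the route redundancy figure: three routers,
# A-B is a slow 10 Mbit/s link, B-C and A-C are 100 Mbit/s. Reference bandwidth
# is assumed to be 100 Mbit/s = 100000 kbit/s.
LINKS: List[Link] = [("A", "B", 10_000), ("B", "C", 100_000), ("A", "C", 100_000)]
REF_BW = 100_000


def path_to_b(failed_link: Optional[Tuple[str, str]] = None) -> Tuple[int, List[str]]:
    """Best path from A to B, optionally with one link removed from the database."""
    live = [l for l in LINKS if failed_link is None or {l[0], l[1]} != set(failed_link)]
    return spf(live, REF_BW, "A")["B"]


if __name__ == "__main__":
    print(path_to_b())              # cheaper to go A -> C -> B than over the slow direct link
    print(path_to_b(("A", "C")))    # A-C down: the direct link is now the only path
```

Because every router recomputes the tree from the same link-state database, the switch to the direct A-B link happens without any static route change, which is the advantage over the static failover of Section 4.2.3.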

4.5.3.2. OSPF Area


, (Area),
, . OSPF-,
, (aggregates) .

OSPF Area OSPF Router Process, Router Process


.
. Router Process, OSPF Area
NetDefend OSPF-.

Name OSPF-.

ID . 0.0.0.0,
.

,
.
,
, .

Is stub area ,
.

Become Default Router


, .

(Import Filter)

,
OSPF - (,
) OSPF-.

External , OSPF-
.

Interarea ,
OSPF-.

4.5.3.3. OSPF Interface


OSPF-. OSPF-
OSPF-. , OSPF-
NetDefend OSPF- . OSPF-
, OSPF-.

: OSPF-
.
, OSPF-
. OSPF-
, VLAN.

: OSPF-
.
, OSPF-
. OSPF- ,
VLAN.

Interface ,
OSPF-.

Network OSPF-.

Interface Type :

Auto
.
.

Broadcast ,
2 OSI
/ .
/
Ethernet-.

OSPF OSPF-
Hello IP- 224.0.0.5.
OSPF- .

OSPF Neighbor .

Point-to-Point
( ,
). VPN-,
OSPF
. ()
OSPF Neighbor.

VPN-
4.5.5, OSPF.

Point-to-Multipoint Point-to-Multipoint
Point-to-Point,
,
/ 2
OSI.

Metric OSPF-.
, .
.

Bandwidth ,
. ,
.

(Authentication)
OSPF-
MD5-.

Use Default for Router Process, ,


Router Process. , :

No authentication.

Passphrase.

MD5 Digest.

Hello Interval ( ) Hello-


.
Router Dead Interval
Hello-, ,
.
RXMT Interval ( ) LSA
.

InfTrans Delay
. ,
LSA- .

Wait Interval ( ) DR
BDR. , Hello Interval.

Router Priority , ,
DR BDR. 0,
DR/BDR.

HA- 0
DR BDR.

OSPF Routing Process, ,


, OSPF. : No OSPF router
connected to this interface (Passive).


OSPF Routing Process.

Ignore received OSPF MTU restrictions, MTU


.

4.5.3.4. OSPF Neighbor


OSPF-
, , .

VPN-
, NetDefendOS , OSPF-
. VPN IPSec-
4.5.5, OSPF.

NetDefendOS OSPF Neighbor OSPF Area,

:

Interface OSPF-,
.

IP Address IP- IP-


OSPF-, .
VPN- IP- ,
.

Metric .

4.5.3.5. OSPF Aggregate


OSPF-
. (Advertise) ,
, ,
.
NetDefendOS OSPF Aggregate OSPF Area,
:

Network , .

Advertise , .

, OSPF, OSPF Aggregate


.

4.5.3.6. OSPF VLink


OSPF AS ( ID
0). ,
(Virtual Link, VLink).

NetDefendOS OSPF VLink OSPF Area,


:

Name .

Neighbor Router ID .

Use Default For AS .

:
()
,
.

, OSPF, OSPF VLink


.
4.5.4 (Dynamic
Routing Rule)
, ,
AS
,
.

4.5.4.1.
OSPF

OSPF-
NetDefend,
,
OSPF .

OSPF,
.


.
.
.

OSPF
, , , ..
, ,
OSPF-.

OSPF

OSPF
:

OSPF AS .

OSPF AS.

OSPF SA .


,
.

OSPF , , (Import Rule)

NetDefendOS .
OSPF , ,
.

OSPF Router Process,


, OSPF AS .

,
, . , Or is
within all-nets .

(Export Rule)

OSPF AS,
. , OSPF-
, .

, ,

. all-nets,
ISP, .

NetDefendOS
.

4.13.

4.5.4.2. Dynamic Routing Rule (


)
:

Name .

From OSPF AS , OSPF AS ( OSPF Router Process)


OSPF AS
.

From Routing Table ,


OSPF AS
.

Destination Interface ,
.


Exactly Matches ,
.

Or is within , .

Next Hop (
) .

Metric ,
.

Router ID Router ID.

OSPF Route Type OSPF-.

OSPF Tag , (tag)


.

4.5.4.3. OSPF Action


, OSPF-:

Export to Process , OSPF AS


Forward , IP,
.

Tag (tag) ,
.

Route Type , 1
(type1) OSPF-. 2 (Type 2).
,
.

OffsetMetric .

Limit Metric To .
, ,
.

4.5.4.4. Routing Action



.

Destination ,
OSPF AS .

Offset Metric .

Offset Metric Type 2


Type2.

Limit Metric To .
, ,
.
Static Route Override .

Default Route Override , .

4.5.5. OSPF
OSPF -
. OSPF-,
NetDefendOS .

NetDefend, .

NetDefend OSPF, ,
.
OSPF-,
OSPF AS. OSPF-
.

NetDefendOS .

1. OSPF Router

NetDefendOS OSPF Router Process,


OSPF AS ( OSPF-).
. Router ID ,
NetDefendOS .

2. OSPF Area OSPF Router

OSPF Router Process, ,


OSPF Area, , 0.0.0.0 Area ID.

,
. ID 0.0.0.0 ,
.

3. OSPF Area OSPF Interface

OSPF Area, , OSPF


Interface .

OSPF Interface :

Interface OSPF-.

Network , .

, , ,
. , lan-,
lannet.

Interface Type Auto
.

No OSPF routers connected to this interface ,


OSPF-
( , NetDefend,
OSPF-). ,
, .

,
, OSPF-. ,
, .

4.

OSPF-
. :

I. Dynamic Routing Policy Rule.


, From OSPF Process
OSPF Router Process.
OSPF AS.

, Or is within all-
nets. ,
.

II. Dynamic Routing Policy Rule


Routing Action ,
OSPF , Selected.

main.


, OSPF Interface
.

, ( ,
). .
all-nets -
. .

5. all-nets

all-nets
, , ISP.
:

I. Dynamic Routing Policy Rule ,


From Routing Table main,
Selected.

, Or is within all-
nets.

II. Dynamic Routing Policy Rule


OSPF Action. Export to Process
OSPF Router Process, OSPF AS.

6.

1 5 NetDefend OSPF-.
OSPF Router OSPF Area . OSPF
Interface , OSPF .
OSPF- ,
.

OSPF-

, OSPF
. OSPF
, ,
.


Router Process, OSPF
.

OSPF

OSPF ,
.

, CLI Web-
. OSPF
. , routes
:

gw-world:/> routes

Flags Network Iface Gateway Local IP Metric


----- -------------------- ----------- ------------------ ---------- ------
192.168.1.0/24 lan 0
172.16.0.0/16 wan 0
o 192.168.2.0/24 wan 172.16.2.1 1

192.168.2.0/24 OSPF
wan- 172.16.2.1.
NetDefend, . ,
, OSPF , .

OSPF-

NetDefend,
OSPF-Router , ,
.

VPN-
OSPF, OSPF-.
, IPSec VPN-.

, OSPF ( )
:

1. IPSec-

IPSec-
A B. IPSec 9.2,
IPSec.

OSPF IPSec- .

2. IP-

IP- IP-
. , A 192.168.55.0/24.

OSPF
.

3. OSPF-

NetDefendOS OSPF Interface,


Interface IPSec-. Type point-
to-point, Network , 192.168.55.0/24.

OSPF Interface NetDefendOS , OSPF


, 192.168.55.0/24 IPSec-.

4. OSPF Neighbor

OSPF, OSPF-,
NetDefendOS OSPF Neighbor.
IPSec- ( ) IP-
.

IP- IP- 192.168.55.0/24.


, 192.168.55.1.

OSPF OSPF Neighbor


IP- 192.168.55.1. OSPF Interface, ,
NetDefendOS , , OSPF IP-
IPSec-.

5. IP .

A
, IPSec- B:

I. IPSec-, Local Network all-nets.


, .

II. IPSec, Specify address


manually ( ) IP-, , 192.168.55.1.
IP , 192.168.55.1, OSPF-
A IP- .

core OSPF-
, A. ,
NetDefendOS.

6.

OSPF- A
B. B,
IPSec-, IP-
OSPF.

: OSPF-
VPN- OSPF-
.
OSPF-.

4.5.6. OSPF

4.5.5, OSPF. VPN IPSec .

4.7. OSPF Router Process


OSPF AS OSPF Router Process.

Web-

1. Routing > OSPF > Add > OSPF Routing Process

2. , as_0

3. OK

NetDefend, OSPF AS.

4.8. OSPF Area


OSPF Router Process as_0 OSPF Area,
ID 0.0.0.0.

Web-

1. Routing > OSPF

2. as_0

3. Add > OSPF Area

4. :

. , area_0

Area ID 0.0.0.0.

5. OK

NetDefend, OSPF AS.

4.9. OSPF Interface


OSPF- area_0 OSPF Interface.

Web-

1. Routing > OSPF > as_0 > area_0 > OSPF Interfaces

2. Add > OSPF Interface

3. Interface. , lan

4. OK

Interface Network ,
. lannet.

OSPF-,
NetDefend, , OSPF AS.

4.10. OSPF AS main

Web-

1. : Routing > Dynamic Routing Rules > Add > Dynamic Routing Policy Rule

2. , ImportOSPFRoutes.

3. From OSPF Process

4. as0 Available Selected

5. all-nets Or is within

6. OK

, .
, , main.
Web-

1. : Routing > Dynamic Routing Rules

2. ImportOSPFRoutes.

3. : OSPF Routing Action > Add > DynamicRoutingRuleAddRoute

4. main Available Selected

5. OK

4.11. ,
OSPF
all-nets,
main OSPF AS as_0. ,
all-nets .

-, .

Web-

1. : Routing > Dynamic Routing Rules > Add > Dynamic routing policy rule

2. , ExportAllNets

3. From Routing Table

4. main Selected

5. all-nets Or is within

6. OK

OSPF Action,
OSPF AS.

Web-

1. : Routing > Dynamic Routing Rules

2. ExportAllNets

3. : OSPF Actions > Add > DynamicRoutingRuleExportOSPF

4. Export to process as_0

5. OK

4.6. (Multicast Routing)
4.6.1.

-, ,
.
IP-
. ,
.
.


,
.

IETF- :

IP- D. IP-
.

(Internet Group Membership Protocol, IGMP)



.

, (Protocol Independent Multicast, PIM)


,
.


IGMP-.
PIM , ,
, (distribution tree) . ,
PIM
, OSPF, .

(Reverse Path Forwarding)


(Reverse Path Forwarding).
.
, , .
.

core
NetDefendOS ( NetDefendOS).
, IP- SAT Multiplex.
.

: (multicast
handling) On
Auto.
Ethernet-
NetDefend, (multicast
handling) On Auto.
Ethernet- 3.3.2, Ethernet-
.

4.6.2. (Multicast Forwarding)


SAT
Multiplex (SAT Multiplex Rules)

SAT Multiplex
. NetDefendOS ,
.

, ,
; , ,
core.

IP- 224.0.0.0/4 core,


.
SAT .
Interface Interface/Net Tuple ,
IPAddress.
IP-.

SAT Multiplex :

IGMP

,
, IGMP-
. NetDefendOS .

IGMP

IGMP-.

: Allow
NAT
SAT,
Allow NAT.

4.6.2.1.
(Multicast Forwarding - No Address Translation)
IGMP.
192.168.10.1 239.192.10.0/24:1234, wan-
if1, if2 if3.
IGMP-.

,
. IGMP 4.6.3.1, IGMP-
.

4.14.

: SAT Multiplex
Allow.
SAT Multiplex
Allow.

NAT
( ), FwdFast SAT
.

4.12. SAT
Multiplex-
Multiplex-, ,
239.192.10.0/24:1234 if1, if2 if3.
192.168.10.1, wan-.

, IGMP
, .
(IGMP ):

Web-:

A. multicast_service :

1. Objects > Services > Add > TCP/UDP

2. :

Name: multicast_service

Type: UDP

Destination: 1234

B. IP-:

1. Rules > IP Rules > Add > IP Rule

2. General :

Name: , Multicast_Multiplex

Action: Multiplex SAT

Service: multicast_service

3. Address Filter :

Source Interface: wan

Source Network: 192.168.10.1

Destination Interface: core

Destination Network: 239.192.10.0/24

4. Multiplex SAT if1, if2 if3. IP


Address , .

5. forwarded using IGMP

6. OK

CLI

CLI .
, , IPRuleset.

gw-world:/> cc IPRuleset main

CLI- :

gw-world:/main> add IPRule SourceNetwork=<srcnet> SourceInterface=<srcif>
DestinationInterface=<destif> DestinationNetwork=<destnet> Action=MultiplexSAT Service=<service>
MultiplexArgument={outif1;ip1},{outif2;ip2},{outif3;ip3}...

{outif;ip} , ,
IP- .
, if2 if3
239.192.100.50, :

gw-world:/main> add IPRule SourceNetwork=<srcnet> SourceInterface=<if1>
DestinationInterface=core DestinationNetwork=239.192.100.50
Action=MultiplexSAT Service=<service>
MultiplexArgument={if2;},{if3;}

239.192.100.50, core.
, , , if2,
:

MultiplexArgument = {if2; <new_ip_address>}, {if3;}
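The MultiplexArgument syntax above, as an added example that is not part of NetDefendOS or of this manual: a Python parser for the {outif;ip} list and a function that produces the per-interface copies of one multicast packet, including the address translation case of Section 4.6.2.2. That the host part of the group address is kept when the group range is moved (239.192.10.7 becoming 237.192.10.7) is an assumption made to model Example 4.13; the packet addresses and the function names are also assumptions.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

MULTICAST = ipaddress.ip_network("224.0.0.0/4")        # the core route range from Section 4.6.2
_PAIR = re.compile(r"\{\s*([A-Za-z0-9_]+)\s*;\s*([0-9.]*)\s*\}")

Output = Tuple[str, Optional[str]]   # (output interface, new destination or None)


def parse_multiplex_argument(arg: str) -> List[Output]:
    """'{if2;},{if3;237.192.10.0}' -> [('if2', None), ('if3', '237.192.10.0')].
    An empty address after ';' means the packet leaves that interface unchanged."""
    pairs = _PAIR.findall(arg)
    leftover = _PAIR.sub("", arg).replace(",", "").strip()
    if not pairs or leftover:
        raise ValueError(f"malformed MultiplexArgument: {arg!r}")
    outputs: List[Output] = []
    for iface, ip in pairs:
        if ip:
            ipaddress.ip_address(ip)      # raises on a non-address such as '1.2.3'
        outputs.append((iface, ip or None))
    return outputs


def multiplex(rule_dest_net: str, dst: str, outputs: List[Output]) -> List[Tuple[str, str]]:
    """Copies produced for one packet to group `dst` matched by a SAT Multiplex rule whose
    Destination Network is `rule_dest_net`. With an output address the whole group range
    is shifted onto the new range and the host part is kept (assumption, see lead-in)."""
    group_net = ipaddress.ip_network(rule_dest_net)
    d = ipaddress.ip_address(dst)
    if d not in group_net:
        raise ValueError(f"{dst} is outside the rule's destination network {rule_dest_net}")
    offset = int(d) - int(group_net.network_address)
    copies: List[Tuple[str, str]] = []
    for iface, new_ip in outputs:
        if new_ip is None:
            target = d
        else:
            target = ipaddress.ip_address(int(ipaddress.ip_address(new_ip)) + offset)
            if target not in MULTICAST:
                raise ValueError(f"translated address {target} is not a multicast address")
        copies.append((iface, str(target)))
    return copies


if __name__ == "__main__":
    # Example 4.13: if1 unchanged, if2 translated to 237.192.10.0/24 (constructed packet)
    outs = parse_multiplex_argument("{if1;},{if2;237.192.10.0}")
    print(multiplex("239.192.10.0/24", "239.192.10.7", outs))
```

The multicast-range check is the caveat a reviewer would add to this rule type: a typo in the new address (for example a unicast prefix) would otherwise turn a group copy into a unicast packet to an unintended host.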

4.6.2.2.
(Multicast Forwarding - Address Translation Scenario)

4.15

,
. 239.192.10.0/24 if2,
237.192.10.0/24.

if1.


, SAT Multiplex
Allow.

4.13.
SAT Multiplex- .

Web-

A. multicast_service :

1. Objects > Services > Add > TCP/UDP

2. :

Name: multicast_service

Type: UDP

Destination: 1234

. IP-:

1. Rules > IP Rules > Add > IP Rule

2. General :

Name: , Multicast_Multiplex

Action: Multiplex SAT

Service: multicast_service

3. Address Filter :

Source Interface: wan

Source Network: 192.168.10.1

Destination Interface: core

Destination Network: 239.192.10.0/24

4. Multiplex SAT.

5. if1, IPAddress

6. if2, IPAddress 237.192.10.0

7. Forwarded using IGMP

8. OK

: ,
Allow NAT.
,
Allow, SAT Multiplex NAT.

4.6.3. IGMP
IGMP- :

IGMP- (IGMP Reports)

,

.

IGMP- (IGMP Queries)

IGMP-, ,
, .

IGMP,
:

1. ,
, IGMP- (query rule) .

2.
NetDefend , IGMP- .

NetDefendOS IGMP:

Snoop (Snoop Mode)

Proxy (Proxy Mode)

4.16. Snoop

4.17. Proxy

Snoop NetDefend IGMP-


IGMP-. IGMP-
IGMP- .

Proxy, , IGMP-
. ,
,
.

4.6.3.1. IGMP-
IGMP
.
, IGMP
Proxy.

4.14. IGMP
IfGrpClients, if1,
if2 if3. IP- IGMP- UpstreamRouterIP.

. (report rule), ,
if1, if2 if3 IP-
239.192.10.0/24. (query rule),
.

Web-

A. IGMP-:

1. Routing > IGMP > IGMP Rules > Add > IGMP Rule

2. General :

Name: , Reports

Type: Report

Action: Proxy

Output: wan ( )

3. Address Filter :

Source Interface: IfGrpClients

Source Network: if1net, if2net, if3net

Destination Interface: core

Destination Network: auto

Multicast Source: 192.168.10.1

Multicast Destination: 239.192.10.0/24

4. OK

. IGMP-

1. Routing > IGMP > IGMP Rules > Add > IGMP Rule

2. General :

Name: , Queries

Type: Query

Action: Proxy

Output: IfGrpClients ( )

3. Address Filter :

Source Interface: wan

Source Network: UpstreamRouterIp

Destination Interface: core

Destination Network: auto

Multicast Source: 192.168.10.1

Multicast Destination: 239.192.10.0/24

4. OK

4.6.3.2. IGMP-
IGMP
, 4.6.2.2.
IGMP-, . if1
, if2
237.192.10.0/24. IGMP-,
if2, if1.

IGMP- IGMP-. IP-


IGMP- UpstreamRouterIP.

4.15. if1
report query if1 :

Web-

A. IGMP-:

1. Routing > IGMP > IGMP Rules > Add > IGMP Rule

2. General :

Name: , Reports_if1

Type: Report

Action: Proxy

Output: wan ( )

3. Address Filter :

Source Interface: if1

Source Network: if1net

Destination Interface: core

Destination Network: auto

Multicast Source: 192.168.10.1

Multicast Destination: 239.192.10.0/24

4. OK

. IGMP-

1. Routing > IGMP > IGMP Rules > Add > IGMP Rule

2. General :

Name: , Queries_if1

Type: Query

Action: Proxy

Output: if1 ( )

3. Address Filter :

Source Interface: wan

Source Network: UpstreamRouterIp

Destination Interface: core

Destination Network: auto

Multicast Source: 192.168.10.1

Multicast Destination: 239.192.10.0/24

4. OK

4.16. if2
report query if2
. , ,
IGMP- IP-, IP-.

Web-

A. IGMP-:

1. Routing > IGMP > IGMP Rules > Add > IGMP Rule

2. General :

Name: , Reports_if2

Type: Report

Action: Proxy

Output: wan ( )

3. Address Filter :

Source Interface: if2

Source Network: if2net

Destination Interface: core

Destination Network: auto

Multicast Source: 192.168.10.1

Multicast Destination: 239.192.10.0/24

4. OK

. IGMP-

1. Routing > IGMP > IGMP Rules > Add > IGMP Rule

2. General :

Name: , Queries_if2

Type: Query

Action: Proxy

Output: if2 ( )

3. Address Filter :
Source Interface: wan

Source Network: UpstreamRouterIp

Destination Interface: core

Destination Network: auto

Multicast Source: 192.168.10.1

Multicast Destination: 239.192.10.0/24

4. OK

: IGMP
IGMP
,
IGMP.

4.6.4. IGMP
Auto Add Multicast Core Route ( core
)

core
IP- 224.0.0.0/4. ,
.

IGMP Before Rules (IGMP )


IGMP- IGMP-, IP-
.

IGMP React To Own Queries ( IGMP )

IGMP ,
. , IGMP-
.

IGMP Lowest Compatible Version ( IGMP)

IGMP- .
, IGMP- .

: IGMPv3

IGMP Router Version ( IGMP-)

IGMP, ,
IGMP. IGMP
IGMP . ,
IGMP- .

: IGMPv3

IGMP Last Member Query Interval ( IGMP-)

( ),
. , IGMP-
.

: 5,000

IGMP Max Total Requests ( IGMP-)

IGMP-, .

: 1000

IGMP Max Interface Requests ( IGMP- )

. ,
IGMP- .

: 100

IGMP Query Interval ( IGMP)

( ) (General Queries),
, IGMP-. ,
IGMP- .

: 125,000

IGMP Query Response Interval ( IGMP)

( ),
. , IGMP-
.

: 10,000

IGMP Robustness Variable (, IGMP)

, IGMP .
, IGMP- .

: 2

IGMP Startup Query Count

IGMP(General Queries)
, Startup Query Count
IGMPStartupQueryInterval. , IGMP-
.

: 2

IGMP Startup Query Interval

( ),
, IGMP- .

: 30,000

IGMP Unsolicated Report Interval

( )
. , IGMP- .
: 1,000

4.7. (Transparent Mode)
4.7.1.

NetDefendOS NetDefend

.
, . NetDefendOS
(, HTTP)
. , ,
NetDefend.

NetDefend, ,
,
- .


. , all-nets
. Ethernet- NetDefendOS,
, ARP-
, IP .

all-nets ,
, ,
.


.
(, HTTP) ,
.
NetDefend ,
, .

,
IP- ,
, IP-
. , IP-
HTTP.
4.7.2,
.

(Routing Mode)

NetDefend : ,
,
.

NetDefend
3 OSI.
,
.
IP-
.
.

NetDefend
2 OSI, IP-

IP Ethernet-. , NetDefendOS
MAC- Ethernet-,
, IP- (. D,
OSI).

IP-
(, IP- )
, (, HTTP, FTP),
.

IP- .

:

NetDefend
: .
, .
.

,
.

NetDefendOS ARP-
NetDefend, ARP-
IP-, . NetDefendOS
IP-. ARP-
NetDefend.


ARP-. NetDefendOS , ARP-
, .
, NetDefendOS ARP-
, , ARP-, ARP-
, .

ARP-, NetDefendOS ,
: Content Addressable Memory (CAM, -
) 3 . CAM MAC-,
, 3 IP- MAC-. 3
IP-,
.

IP-, NetDefend,
. 3
, NetDefendOS ,
. MAC-,
NetDefendOS .
,
.

NetDefendOS ARP ICMP- (ping),


, IP-
, . ARP-,
NetDefendOS CAM- 3 .

CAM- 3
. ARP ICMP-, NetDefendOS
, .

Transparent Mode ( )

NetDefendOS
:

1. ,
. ,
, ,
Security transport equivalent.

2.
, .
.

Network all-nets
IP-,
( ).

3. IP- IP-,
, .


, .
IP-.


(Action) (Service)
(Src Interface) (Src Network) (Dest Interface) (Dest Network)
Allow any all-nets any all-nets all

Network

NetDefendOS ARP-, single host routes (


) IP-.
: IP-.
. ,
.

Network
: IP- all-nets
.
, IP-
.
.

, ,
, .
, .
. ,
, NetDefendOS. ,
( )
.

, if1 if6
, , .

,
, .

A B,
if1, if2 if3, A, if4,
if5 if6, B.

,
. ,
,
.

Routing Table Membership


. , ,
Routing Table MemberShip.

Routing Table MemberShip


.
(main), ,
MemberShip .

VLAN


VLAN.
ARP- , VLAN-,
VLAN ID ,
VLAN-.

, if1 if2 VLAN- vlan5.


, .
VLAN- vlan5_if1 vlan5_if2
VLAN ID.

VLAN- c
Ordering only, 2 :

Network Interface
all-nets vlan5_if1
all-nets vlan5_if2


, , ,
VLAN ID.

PBR-.

,
.
,
.
.

,

(High Availability Clusters, HA).

, ,
Proxy ARP,
Proxy ARP 4.2.6, Proxy ARP. Proxy ARP:
NetDefendOS,
IP- Proxy ARP .

DHCP


IP- DHCP ( )
. ,
NetDefendOS IP- ARP-
.

, DHCP-
IP- . - IP-
DHCP- . NetDefendOS
DHCP (DHCP Relayer), DHCP-
DHCP-.

4.7.2.
:
?
IP- lannet - gw_ip.

4.18


(Route type) (Interface) (Destination) (Gateway)
Non-switch if1 all-nets gw-ip

, Ethernet-,
(pn1) Ethernet- (pn2)
( NetDefend ).
Ethernet IP-
(192.168.10.0/24).

4.19

all-nets
all-nets (
).
Ethernet- pn2 .

- .
- IP-
NetDefend,
IP-, - gw_ip.

NetDefendOS

DNS- (DNS lookup), Web (Web


Content Filtering) IDP, NetDefendOS
. IP- ,
-,
c IP- .
NetDefendOS IP- 85.12.184.39 194.142.215.15,
:


(Route type) (Interface) (Destination) (Gateway)
Switch if1 all-nets
Switch if2 all-nets
Non-switch if1 85.12.184.39 gw-ip
Non-switch if1 194.142.215.15 gw-ip

IP- ,
NetDefend.

IP-

IP-,
. IP-
85.12.184.39 194.142.215.15 .

NAT

NetDefend ,
2 , (NAT) ,
OSI.

,
IP-.

NAT, , IP-
, ,
, 192.168.10.0/24 .
IP- Ethernet- pn2.

4.7.3
1

,
.
- IP-. ,
NAT , 10.0.0.0/24.
HTTP-.

4.20 1

4.17. 1
Web-

1. Interfaces > Ethernet > Edit (wan)

2. :

IP Address: 10.0.0.1

Network: 10.0.0.0/24

Default Gateway: 10.0.0.1

Transparent Mode: Enable

3. OK

4. Interfaces > Ethernet > Edit (lan)

5. :

IP Address: 10.0.0.2

Network: 10.0.0.0/24

Transparent Mode: Enable

6. OK

1. Rules > IP Rules > Add > IPRule

2. :

Name: HTTPAllow

Action: Allow

Service: http

Source Interface: lan

Destination Interface: any

Source Network: 10.0.0.0/24

Destination Network: all-nets (0.0.0.0/0)

3. OK

NetDefend
, .

, LAN DMZ (lan- dmz-)


10.1.0.0/16. ,
IP- ,
.
HTTP- DMZ-, , , .
NetDefend DMZ LAN ,
IP-.

4.21 2

4.18. 2
LAN DMZ- 10.1.0.0/16
(, WAN- )

Web-

1. Interfaces > Ethernet > Edit (lan)

2. :

IP Address: 10.1.0.1

Network: 10.1.0.0/16

Transparent Mode: Disable

Add route for interface network: Disable

3. OK

4. Interfaces > Ethernet > Edit (dmz)

5. :

IP Address: 10.1.0.2

Network: 10.1.0.0/16

Transparent Mode: Disable

Add route for interface network: Disable

6. OK

1. Interfaces > Interface Groups > Add > InterfaceGroup

2. :

Name: TransparentGroup

Security/Transport Equivalent: Disable

Interfaces: lan dmz

3. OK

1. Routing > Main Routing Table > Add > SwitchRoute

2. :

Switched Interfaces: TransparentGroup

Network: 10.1.0.0/16

Metric: 0

3. OK

1. Rules > IP Rules > Add > IPRule

2. :

Name: HTTP-LAN-to-DMZ

Action: Allow

Service: http

Source Interface: lan

Destination Interface: dmz

Source Network: 10.1.0.0/16

Destination Network: 10.1.4.10

3. OK

4. Rules > IP Rules > Add > IPRule

5. :

Name: HTTP-WAN-to-DMZ

Action: SAT

Service: http

Source Interface: wan

Destination Interface: dmz

Source Network: all-nets

Destination Network: wan_ip

Translate: Select Destination IP

New IP Address: 10.1.4.10

6. OK

7. Rules > IP Rules > Add > IPRule

8. :

Name: HTTP-WAN-to-DMZ

Action: Allow

Service: http

Source Interface: wan

Destination Interface: dmz

Source Network: all-nets

Destination Network: wan_ip

9. OK

4.7.4. Spanning Tree BPDU


NetDefendOS BPDU- (Bridge Protocol Data Unit),
NetDefend. STP (Spanning Tree Protocol) BPDU-
2 . STP
, .

, , : BPDU-
, STP-
. ,
. , ,
, NetDefendOS BPDU-
, .

4.22. BPDU-

BPDU-Relaying

BPDU- NetDefendOS STP-


:

Normal Spanning Tree Protocol (STP)

Rapid Spanning Tree Protocol (RSTP)

Multiple Spanning Tree Protocol (MSTP)


Cisco proprietary PVST+ Protocol (Per VLAN Spanning Tree Plus).

NetDefendOS BPDU-
. , .

/ BPDU-Relaying

BPDU-Relaying ,
Relay Spanning-tree BPDU.
BPDU- . , STP, RSTP
MSTP BPDU- ,
.

4.7.5
CAM To L3 Cache Dest Learning

,
, CAM-.

Decrement TTL

TTL , ,
, .

Dynamic CAM Size

, CAM-.
.

CAM Size

Dynamic CAM Size ,


CAM-.

: 8192

Dynamic L3C Size

3 .

L3 Cache Size

3 .
Dynamic L3C Size.

Transparency ATS Expire

( ) ARP- (ARP Transaction
State, ATS) ARP-. : 1-60 .

: 3

Transparency ATS Size

ARP- (ATS).
: 128-65536 .

: 4096

: ATS
Transparency ATS Expire Transparency ATS Size
ATS .

Null Enet Sender

, MAC-
Ethernet- (00:00:00:00:00:00). :

Drop

DropLog

: DropLog

Broadcast Enet Sender

, MAC-
Ethernet- Ethernet- (FF:FF:FF:FF:FF:FF).
:

Accept

AcceptLog

Rewrite MAC-

RewriteLog MAC-

Drop

DropLog

: DropLog

Multicast Enet Sender

, MAC-
Ethernet- Ethernet- .
:

Accept

AcceptLog

Rewrite MAC-

RewriteLog MAC-

Drop

DropLog

: DropLog

Relay Spanning-tree BPDUs

Ignore, STP, RSTP MSTP BPDU-


, ,
.
:

Ignore

Log

Drop

DropLog

: Drop

Relay MPLS

Ignore, MPLS- .
:

Ignore

Log

Drop

DropLog

: Drop

5. DHCP
DHCP- NetDefendOS.

DHCP-

DHCP Relay

IP-

5.1.
DHCP (Dynamic Host Configuration Protocol )
, IP-
.

IP-

DHCP- IP- DHCP-.


IP-, DHCP. DHCP-
DHCP-, (,
IP-, MAC-, , IP-) .

DHCP

,
IP-, DHCP-
.
, .

, IP- , ,
IP-.
IP-, IP-.

DHCP-.

5.2. DHCP-
DHCP- IP- IP- .
NetDefendOS DHCP- IP-,
IP-, IP-
NetDefendOS.

DHCP-

NetDefendOS DHCP-
. DHCP- DHCP-
.

NetDefendOS , ,
DHCP-. , NetDefendOS DHCP- IP-
.

IP- (Relayer IP)


IP- , IP-,
. all-nets ( ) IP- ,
DHCP- .
.

DHCP- , .. ,
, . NetDefendOS
DHCP- , .
, (
IP- , DHCP Relay). ,
.
DHCP- .

IP-

, DHCP-
IP- . DNS-
IP- . :

all-nets ( )
all-nets (0.0.0.0/0) . all-nets
DHCP-, ,
DHCP Relayer.

0.0.0.0
0.0.0.0 DHCP-, .
, DHCP Relayer, .

IP-
IP- DHCP- (DHCP Relayer),
. DHCP- .

DHCP-

DHCP- :

Name () .

.
Interface Filter ( ,
) NetDefendOS DHCP-
. ,
(Interface group).
IP Address Pool ( IP-) IP- ( ),
DHCP- IP-
.
Netmask ( ) , DHCP-
.

Default GW ( ) IP- ,
,
(,
)
Domain ( ) , DNS IP-
. , domain.com.
Lease Time ( ) DHCP- .
DHCP-
.
Primary/Secondary DNS IP- DNS-.
(/ DNS-
)
Primary/Secondary IP- WINS- Microsoft,
NBNS/WINS NBNS-
(/ IP-
NBNS/WINS-) NetBIOS.
Next Server ( IP- .
) TFTP-.

DHCP-

DHCP- .
Auto Save Policy ()

IP- . :
1. Never IP-.
2. ReconfShut IP-
.
3. ReconfShutTimer IP- ,
.
Lease Store Interval.
Lease Store Interval ( )
IP-
. 86400 .

5.1. DHCP-

DHCP- DHCPServer1, IP-


DHCPRange1 .

, IP- DHCP- .

CLI

gw-world:/> add DHCPServer DHCPServer1 Interface=lan IPAddressPool=DHCPRange1 Netmask=255.255.255.0

Web-

1. System > DHCP > DHCP Servers >Add > DHCPServer

2. :

Name: DHCPServer1

Interface Filter: lan

IP Address Pool: DHCPRange1

Netmask: 255.255.255.0

3. OK

5.2. DHCP-

CLI

gw-world:/> dhcpserver

IP-:

gw-world:/> dhcpserver -show

IP- MAC-

IP- MAC-,
DHCP-, (
):

gw-world:/> dhcpserver -show -mappings

DHCP- IP- MAC-:


Client IP Client MAC Mode
--------------- ----------------- -------------
10.4.13.240 00-1e-0b-a0-c6-5f ACTIVE(STATIC)
10.4.13.241 00-0c-29-04-f8-3c ACTIVE(STATIC)
10.4.13.242 00-1e-0b-aa-ae-11 ACTIVE(STATIC)
10.4.13.243 00-1c-c4-36-6c-c4 INACTIVE(STATIC)
10.4.13.244 00-00-00-00-02-14 INACTIVE(STATIC)
10.4.13.254 00-00-00-00-02-54 INACTIVE(STATIC)
10.4.13.1 00-12-79-3b-dd-45 ACTIVE
10.4.13.2 00-12-79-c4-06-e7 ACTIVE
10.4.13.3 *00-a0-f8-23-45-a3 ACTIVE
10.4.13.4 *00-0e-7f-4b-e2-29 ACTIVE

* MAC- , DHCP- MAC-


, (Client Identifier), .

: IP-
IP-
NetDefendOS .
DHCP-
.

DHCP- NetDefendOS
, :

IP- (Static Hosts).

(Custom Options).
.

. 5.1. DHCP-

DHCP-
.

5.2.1 DHCP-
IP-
, NetDefendOS IP-
MAC- . , IP-.

IP-

DHCP-
:

Host () IP-,

MAC Address (MAC- MAC- . MAC-


) , , , Client Identifier.

Client Identifier
( MAC-, , ,
) , DHCP-. Client Identifier
( ASCII ).

5.3. DHCP-

IP- 192.168.1.1 MAC- 00-90-12-13-14-15.
, DHCP- DHCPServer1 .

CLI

1. -, DHCPServer1:

gw-world:/> cc DHCPServer DHCPServer1

2. DHCP-:

gw-world:/> add DHCPServerPoolStaticHost Host=192.168.1.1 MACAddress=00-90-12-13-14-15

3. DHCP- :

gw-world:/> show

# Comments
- -------
+ 1 (none)

4. DHCP- :

gw-world:/> show DHCPServerPoolStaticHost 1

Property Value
----------- -----------------
Index: 1
Host: 192.168.1.1
MACAddress: 00-90-12-13-14-15
Comments: (none)

5. , DHCP- IP- 192.168.1.12


:

gw-world:/> set DHCPServerPoolStaticHost 1 Host=192.168.1.12 MACAddress=00-90-12-13-14-15

Web-

1. System > DHCP > DHCP Servers > DHCPServer1 > Static Hosts > Add > Static Host Entry

2. :

Host: 192.168.1.1

MAC: 00-90-12-13-14-15

3. OK

5.2.2
DHCP-
, ,
DHCP-.
, IP- TFTP-,
.

Code () , , .
.

Type () , . ,
String, .

Data , , .
() , .

Code () Type (). ,


66 ( TFTP-), Type
String, Data ,
tftp.mycompany.com.
DHCP-. :
RFC 2132 DHCP Options and BOOTP Vendor Extensions
, RFC 2132. ,
, NetDefendOS
Type () Data ().

5.3. DHCP Relaying


DHCP

DHCP -, DHCP-,
.
. , DHCP-
. ,
, DHCP-.
DHCP Relayer.

DHCP Relayer

DHCP Relayer DHCP-


DHCP-.
DHCP-. DHCP- ,
. DHCP Relayer
TCP/IP Bootstrap Protocol (BOOTP). DHCP Relayer
BOOTP (BOOTP relay agent).

IP- DHCP-

DHCP- NetDefendOS
, NetDefendOS ,
, NetDefendOS
.
NetDefendOS (..
, IP- Core
), DHCP- .
, , core.

5.4. DHCP Relayer

IP- NetDefendOS VLAN DHCP-


. , NetDefend VLAN-
vlan1 vlan2 DHCP Relay, IP- DHCP- NetDefendOS
ip-dhcp. NetDefendOS IP- DHCP,
.

CLI

1. VLAN vlan1 vlan2 ipgrp-dhcp:

gw-world:/> add Interface InterfaceGroup ipgrp-dhcp Members=vlan1,vlan2

2. DHCP Relayer vlan-to-dhcpserver:

gw-world:/> add DHCPRelay vlan-to-dhcpserver Action=Relay TargetDHCPServer=ip-dhcp SourceInterface=ipgrp-dhcp AddRoute=Yes ProxyARPInterfaces=ipgrp-dhcp

Web-

VLAN vlan1 vlan2 ipgrp-dhcp:

1. Interface > Interface Groups > Add > InterfaceGroup

2.

Name: ipgrp-dhcp

Interfaces: vlan1 vlan2 Available () Selected


().

3. OK

DHCP Relayer vlan-to-dhcpserver

1. System > DHCP > Add > DHCP Relay

2.

Name: vlan-to-dhcpserver

Action: Relay

Source Interface: ipgrp-dhcp

DHCP Server to relay to: ip-dhcp

Allowed IP offers from server: all-nets

3. Add Route ( ) Add dynamic routes for this relayed DHCP lease
( DHCP-)

4. OK

5.3.1. DHCP Relay


DHCP Relay:

Max Transactions


: 32

Transaction Timeout

DHCP-
: 10

Max PPM
DHCP-, NetDefendOS DHCP-
.
: 500

Max Hops

DHCP- DHCP-.
: 5

Max lease Time

, NetDefendOS. DHCP-
, .
: 10000

Max Auto Routes

.
: 256

Auto Save Policy

IP- . : Disabled, ReconfShut


ReconfShutTimer.
: ReconfShut

Auto Save Interval

( ) IP- ,
DHCPServer_SaveRelayPolicy ReconfShutTimer
: 86400

5.4. IP-

IP-
IP-. IP-
DHCP- ( IP-). IP-
DHCP-, , ,
NetDefendOS. IP-
.
DHCP- :

DHCP- ;

IP-.

IP- Config Mode

IP- IKE Config Mode,


IP- , IPsec-.
9.4.3, Roaming Clients (,
).

IP-

IP- :

DHCP Server behind interface , IP-


(DHCP- ) DHCP- .

Specify DHCP Server Address IP-() DHCP-(-)


(IP- DHCP-) .
.

loopback- 127.0.0.1 ,
DHCP- NetDefendOS.

Server filter ( ) , ,
.
, DHCP-
.
( ),
.

Client IP filter ( IP- , ,


) IP- .

all-nets ( ),
.
IP- .

IP- ,
DHCP- IP-
.

IP-

IP- :

Routing Table (
)
DHCP-.

Receive Interface (
) DHCP-.
, ,
IP- DHCP-
. , ..
DHCP- Receive
Interface.

DHCP-
IP- -
, .. ,
NetDefendOS.
Receive Interface
, ,
DHCP-
.

MAC Range ( MAC- MAC-,


) DHCP-.
, DHCP- (-)
MAC-. DHCP-
IP-
,
MAC-.

Prefetch leases ( IP-,


) .

, ..
IP- (
IP- ).

Maximum free ( IP-


IP-) .

. IP-
IP- ( DHCP-
)
.

Maximum clients ( IP- ,


) (IP-)
IP-.

Sender IP (IP- ) IP- ,


DHCP-.

IP-

, Prefetched Leases ( )
- IP-, NetDefendOS. -
IP-
. , ,
IP- , ,
.
IP- ,
DHCP- , . ,

-.
CLI ippools IP-.
:
gw-world:/> ippool -show

IP- .
:
Zombies (IP- ) , IP-.
In progress ( ) IP-,
.
Free maintained in pool ( IP- ) IP-,
.
Used by subsystems ( )
IP-.
ippool IP-,
IP- .
CLI.

5.5. IP-

IP-, DHCP- IP-


28.10.14.1 10 IP- . , IP-
IP- ippool_dhcp.

CLI

1. VLAN vlan1 vlan2 ipgrp-dhcp:

gw-world:/> add IPPool ip_pool_1 DHCPServerType=ServerIP ServerIP=ippool_dhcp PrefetchLeases=10

Web-

1. Objects > IP Pools > Add > IP Pool

2. Name: ip_pool_1

3. Specify DHCP Server Address

4. ippool_dhcp Selected

5. Advanced

6. Prefetched Leases 10

7. OK

6.
NetDefendOS.

ALG

Web-

Denial-of-Service ( )

6.1.
6.1.1.
NetDefendOS
. NetDefendOS
IP-, LAN-
,
.
IP-, NetDefendOS
.
, ,
.
.


- ,
.
,
(reverse lookup)
NetDefendOS. ,
, , ,
, . ,
Default
Access Rule.
,
Default Access Rule .
, ,
IP- .

()
,
.
, , IP spoofing,
. ,
- , - .
NetDefendOS -
, .

6.1.2. IP Spoofing
IP- , ,
. Spoofing.
IP spoofing spoofing. IP-
, . IP-
, .
.
,
Denial of Service (DoS).
VPN spoofing, , VPN
, , spoofing
, .
, , ,
, . :
IP- ,
, .
IP- , ,
.

. , ,
spoof.

6.1.3.
.
Filtering Fields, Action (), .
, NetDefendOS .

Filtering Fields

Filtering Fields, :

Interface: , .

Network: IP-, .

Actions ()

, :

Drop: , .

Accept: , ,
.

Expect: Network (),


, , , .
, , Accept.
, , Drop.

:
.

Default Access Rule


-
Default Access Rule, ,
Drop ().

,
,
NetDefendOS.
, , VPN-.
,
- , , VPN-.
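The access-rule evaluation described above (Interface and Network as the filtering fields; Drop, Accept and Expect as actions; the Default Access Rule doing a reverse route lookup and dropping on mismatch) as an added Python example. It is not NetDefendOS code: the routing table, the rule set and the packets are constructed for the illustration, and rules are assumed to be tried top to bottom with the first applicable rule deciding.

```python
import ipaddress

# Constructed routing table: the interface through which each destination
# network is reached. The Default Access Rule uses it in reverse: a packet's
# source address must be routed out of the interface it arrived on, otherwise
# the packet is treated as spoofed and dropped.
ROUTES = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("10.1.4.0/24"),
    "wan": ipaddress.ip_network("0.0.0.0/0"),
}

# Constructed access rule set (the first rule mirrors Example 6.1 below).
# Rules are tried top to bottom; the first rule that applies decides.
ACCESS_RULES = [
    {"name": "lan_Access", "action": "Expect", "interface": "lan",
     "network": ipaddress.ip_network("192.168.1.0/24")},
    {"name": "drop_private_on_wan", "action": "Drop", "interface": "wan",
     "network": ipaddress.ip_network("10.0.0.0/8")},
]


def reverse_route_lookup(src):
    """Longest-prefix match of the source address against the routing table."""
    best_iface, best_len = None, -1
    for iface, net in ROUTES.items():
        if src in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def evaluate_access(recv_iface, src_ip):
    """Return ("Accept"|"Drop", deciding rule) for a packet from src_ip
    that arrived on recv_iface."""
    src = ipaddress.ip_address(src_ip)
    for rule in ACCESS_RULES:
        in_net = src in rule["network"]
        if rule["action"] == "Expect":
            # Expect applies whenever the source matches Network: the packet is
            # accepted only if it came in on the expected interface, otherwise
            # it is dropped as spoofed. A non-matching source falls through.
            if in_net:
                ok = rule["interface"] == recv_iface
                return ("Accept" if ok else "Drop"), rule["name"]
            continue
        # Drop and Accept need both filtering fields to match.
        if in_net and rule["interface"] == recv_iface:
            return rule["action"], rule["name"]
    # Default Access Rule: reverse route lookup, drop on mismatch.
    ok = reverse_route_lookup(src) == recv_iface
    return ("Accept" if ok else "Drop"), "Default Access Rule"


if __name__ == "__main__":
    for iface, ip in [("lan", "192.168.1.10"), ("wan", "192.168.1.10"),
                      ("wan", "8.8.8.8"), ("lan", "10.1.4.5")]:
        print(iface, ip, evaluate_access(iface, ip))
```

The second case shows why Expect is the usual anti-spoofing choice: a packet claiming a lannet source but arriving on wan is dropped by the rule itself, before any routing decision.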

6.1.

, , lan,
lan-.

gw-world:/> add Access Name=lan_Access Interface=lan Network=lannet Action=Expect

Web-

1. Interface > Interface Groups > Add > InterfaceGroup


2. Access Rule Add menu
3. :
Name: lan_Access
Action: Expect
Interface: lan
Network: lannet

4. OK

6.2. ALG
6.2.1.
,
, IP, TCP, UDP ICMP,
NetDefend Application Layer Gateways (ALGs),
OSI, .
ALG -
, , Web-,
. (ALG)
,
,
TCP/IP.

NetDefendOS ALGs:

HTTP

FTP

TFTP

SMTP

POP3

SIP

H.323

TLS

ALG
ALG ,
-, Service (), IP-
IP- NetDefendOS.

. 6.1 ALG


ALG Max Sessions
(. - ), ALG. ,
HTTP ALG 1000, ,
HTTP-.
:

HTTP ALG - 1000

FTP ALG - 200

TFTP ALG - 200

SMTP ALG - 200

POP3 ALG - 200

H.323 ALG - 100

SIP ALG - 200

: HTTP

,
NetDefend, HTTP
,
.

6.2.2. HTTP ALG


HTTP (HyperText Transfer Protocol) - , World Wide
Web (WWW). HTTP /.
, .
, Web-, TCP/IP-
( , 80) . ,
. , , HTML- Web-,
ActiveX, , .
HTTP- ,
Web- , , .

HTTP ALG
HTTP ALG NetDefendOS, , :
(Static Content Filtering)
, URL-.
1. URL-

URL- , ,
. URL-
(Wildcarding).

2. URL-

, URL-
. URL-
(Wildcarding).

, URL-, ,
, Web-.


HTTP-, URL- .

6.3.3, .

(Dynamic Content Filtering)


URL-
Web-.
, .

6.3.4, Web-

.

(Anti-Virus Scanning) ,
HTTP, .
.

ALGs 6.4,
.

(Verify File Integrity)


.
: Verify MIME type Allow/Block Selected Types,
:

1. Verify MIME type


( ).

, NetDefendOS,
C, MIME, . ,
MIME, ,
, NetDefendOS
.

2. Allow/Block Selected Types

MIME, ,
,
C, MIME, .
Block Selected ( ), Allow Selected
( ). :

i. Block Selected ( )

, , .
NetDefendOS (, MIME)
,
.

, , .exe , .jpg
( ) .exe,
. , ,
.

ii. Allow Selected ( )

,
. ,
. , , .jpg ,
.jpg .exe,
. , ,
.

,
, Allow/Block, ,
,
.

:
NetDefendOS
Verify MIME type Allow/Block Selected Types
FTP, POP3
SMTP ALGs.
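The file integrity checks described above (Verify MIME type, then Block Selected or Allow Selected, with the renamed .exe case) as an added Python example. This is not NetDefendOS code; the signature table is a constructed subset standing in for the ALG's real content-type detection, and the decision order follows the text: a contents/extension mismatch is blocked first, then the Allow/Block list is applied to both the declared extension and the detected contents.

```python
# Constructed signature table: leading bytes that identify a content type,
# keyed by the extension that should carry it. A production ALG uses a much
# larger table and MIME names; only the mechanism is shown here.
SIGNATURES = {
    "exe": [b"MZ"],
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}


def detect_type(data):
    """Return the type implied by the file contents, or None if unknown."""
    for ftype, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ftype
    return None


def extension_of(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def filter_file(filename, data, verify_mime=True, mode=None, selected=()):
    """
    verify_mime: Verify MIME type, the contents must agree with the extension.
    mode:        None, "block" (Block Selected) or "allow" (Allow Selected).
    selected:    the types named in the Allow/Block list.
    Returns ("allow"|"block", reason).
    """
    ext = extension_of(filename)
    actual = detect_type(data)
    if verify_mime and actual is not None and actual != ext:
        return "block", f"contents are {actual} but extension is .{ext}"
    selected = set(selected)
    if mode == "block":
        # Both the declared extension and the detected contents are compared,
        # so a blocked .exe that was renamed to .jpg is still caught.
        if ext in selected or actual in selected:
            return "block", "type is in the Block Selected list"
    elif mode == "allow":
        # Only listed types pass, and the contents must be a listed type too.
        if ext not in selected or (actual is not None and actual not in selected):
            return "block", "type is not in the Allow Selected list"
    return "allow", "ok"


if __name__ == "__main__":
    renamed_exe = b"MZ\x90\x00" + b"\x00" * 60   # constructed: EXE bytes named .jpg
    print(filter_file("photo.jpg", renamed_exe))
    print(filter_file("photo.jpg", renamed_exe, verify_mime=False,
                      mode="block", selected=["exe"]))
    print(filter_file("photo.jpg", renamed_exe, verify_mime=False,
                      mode="allow", selected=["jpg"]))
```

Files whose contents the table does not recognise are not blocked by the verification step alone; they are still subject to the Allow/Block list by extension, which is why an Allow Selected list is the stricter of the two modes.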

Download File Size Limit
( HTTP SMTP
ALG).

HTTP
HTTP ,
SMTP ALG:

1. .

2. .

3. Web- ( ).

4. ( ).

, URL- , ,
. ,
, , URL- .
Web-, , - URL-
, , URL- .
, URL-
.

. 6.2. HTTP ALG

Wildcards ()

, ,
(wildcarding) ,
URL-. * -
.

, *.some_domain.com , URL-
some_domain.com.

, ,
my_page.my_company.com,

, .

HTTP ALG

, HTTP ,
IP-.
HTTP- ALG. ,
http. IP-, ALG
, IP-.

https ( http-all) HTTP ALG,


HTTPS- .

6.2.3. FTP ALG


File Transfer Protocol (FTP) TCP/IP,
. , FTP-.
, , . ,
/, / (
). FTP ALG FTP-
NetDefend.

FTP-

FTP- :
. FTP-, FTP- TCP- ( )
21 ( ) FTP. , FTP
.

FTP-

FTP : .
.

FTP- FTP-, IP- ,


. FTP-
FTP-, .

FTP- FTP- .
FTP- ,
.

FTP

FTP NetDefend.

, FTP-
FTP- . IP-,
FTP- 21 FTP-.

NetDefendOS , FTP-
FTP-.
. ,
, ,
FTP- FTP-, .
FTP-
. , NetDefendOS - ,
FTP- .
, FTP- FTP-.
,
. , FTP- .

NetDefendOS ALG

FTP ALG NetDefendOS TCP-


FTP- . NetDefendOS
, . , FTP ALG

.

Hybrid Mode ( )

FTP ALG NetDefendOS


, ,
FTP- . FTP ALG
(hybrid mode).

FTP- , .

FTP- , .

FTP- NetDefend
FTP- ,
.

, FTP-, FTP-
. ,
FTP- , FTP- .
.

. 6.3. FTP ALG

:

(Hybrid mode).
.

FTP ALG FTP- FTP-


:

Allow the client to use active mode ( )


, FTP- ,
. FTP- , NetDefendOS
FTP ALG .
, .
,
. 1024-65535.

Allow the server to use passive mode ( )


, FTP- ,
. ,
. NetDefendOS ,
.
, .
,
. 1024-65535.

,
. , ,
, , FTP ALG
.

FTP ALGs

NetDefendOS 4 FTP ALG,


, .

ftp-inbound ,

ftp-outbound ,

ftp-passthrough , .

ftp-internal ,

FTP ALG

FTP , .
NetDefendOS FTP ALG , ,
. , :

FTP-

, ALG
.

SITE EXEC FTP-.

RESUME,
.

:

, , ,
. , FTP-
ALG,
.

FTP ALG FTP,


FTP-:

Maximum line length in control channel (


)

,
. .
256.

, , ,
.

Maximum number of commands per second ( )

FTP-,
. 20 .

Allow 8-bit strings in control channel ( 8-


)

8-
. 8- ,
. ,
.
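The FTP ALG control-channel restrictions discussed above (active/passive mode allowed or not, data ports restricted to 1024-65535, SITE EXEC blocked, maximum control line length 256, at most 20 commands per second, 8-bit strings disallowed by default) as an added Python example of an inspection filter. It is not NetDefendOS code: the class name, the settings keys and the sample session lines are constructed here, and the rate limit is assumed to be a sliding one-second window.

```python
import re
import time

# Constructed settings, defaults taken from the values stated in the text.
DEFAULTS = {
    "max_line_length": 256,        # Maximum line length in control channel
    "max_commands_per_sec": 20,    # Maximum number of commands per second
    "allow_8bit": False,           # Allow 8-bit strings in control channel
    "allow_active": True,          # Allow the client to use active mode
    "allow_passive": True,         # Allow the server to use passive mode
    "data_port_min": 1024,         # allowed data channel port range
    "data_port_max": 65535,
    "blocked_commands": {"SITE EXEC"},
}

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class FtpControlFilter:
    def __init__(self, settings=None):
        self.s = dict(DEFAULTS, **(settings or {}))
        self._times = []   # timestamps of recent client commands

    def _rate_exceeded(self, now):
        self._times = [t for t in self._times if now - t < 1.0]
        self._times.append(now)
        return len(self._times) > self.s["max_commands_per_sec"]

    def _port_ok(self, p1, p2):
        port = p1 * 256 + p2            # FTP encodes the port as two bytes
        return self.s["data_port_min"] <= port <= self.s["data_port_max"], port

    def client_line(self, raw, now=None):
        """Inspect one client->server control line. Returns (verdict, detail)."""
        now = time.monotonic() if now is None else now
        if len(raw) > self.s["max_line_length"]:
            return "drop", "line too long"
        if not self.s["allow_8bit"] and any(b > 0x7F for b in raw):
            return "drop", "8-bit character in control channel"
        if self._rate_exceeded(now):
            return "drop", "command rate exceeded"
        upper = raw.decode("ascii", "replace").strip().upper()
        for blocked in self.s["blocked_commands"]:
            if upper.startswith(blocked):
                return "drop", f"{blocked} not allowed"
        m = PORT_RE.match(upper)
        if m:   # client requests active mode: server will connect to this port
            if not self.s["allow_active"]:
                return "drop", "active mode not allowed for client"
            ok, port = self._port_ok(int(m.group(5)), int(m.group(6)))
            if not ok:
                return "drop", f"data port {port} outside allowed range"
            return "allow", f"active data connection to port {port}"
        return "allow", "ok"

    def server_line(self, raw):
        """Inspect one server->client reply (passive-mode port check)."""
        m = PASV_RE.match(raw.decode("ascii", "replace").strip())
        if m:   # server offers passive mode: client will connect to this port
            if not self.s["allow_passive"]:
                return "drop", "passive mode not allowed for server"
            ok, port = self._port_ok(int(m.group(5)), int(m.group(6)))
            if not ok:
                return "drop", f"data port {port} outside allowed range"
            return "allow", f"passive data connection on port {port}"
        return "allow", "ok"


if __name__ == "__main__":
    f = FtpControlFilter()
    # Constructed control-channel lines.
    for line in [b"USER anonymous\r\n", b"PORT 192,168,1,10,4,1\r\n",
                 b"PORT 192,168,1,10,0,80\r\n", b"SITE EXEC ls\r\n"]:
        print(line.strip(), f.client_line(line))
    print(f.server_line(b"227 Entering Passive Mode (10,1,4,10,195,80)\r\n"))
```

The port check is the piece that matters for the hybrid-mode discussion: whichever side opens the data connection, the ALG only honours a port in the configured range, so a PORT or PASV pointing at a well-known service port is refused.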

FTP ALG , HTTP ALG.


:

MIME Type Verification


, NetDefendOS
. ,
.

Allow/Block Selected Types

,
. ,
.

NetDefendOS , ,
.
.

, , ,
HTTP ALG. 6.2.2, The HTTP ALG.

FTP-
.
.

ALGs 6.4,
.

FTP ALG ZoneDefense


FTP ALG, ZoneDefense
, . :

A. , .

B. , .

A. , .

, .
FTP, NetDefendOS
,
.
.

: ZoneDefense ,

FTP-
, ZoneDefense
, .
, NetDefend.

B. ,

, FTP-
, .
.
, .

ZoneDefense FTP ALG:


ZoneDefense ZoneDefense Web-.

FTP ALG.

ALG ZoneDefense
.

, , 12, ZoneDefense.

6.2. FTP- ALG

, FTP- NetDefend DMZ


IP-:

FTP ALG.

FTP ALG Allow client to use active mode, ,


, .

FTP ALG Allow server to use passive mode.


, . FTP ALG
, .

Web-

A. ALG:

1. Objects > ALG > Add > FTP ALG

2. Name: ftp-inbound

3. Allow client to use active mode

4. Allow server to use passive mode

5. OK

. Service:

1. Objects > Services > Add > TCP/UDP Service

2. :

Name: ftp-inbound-service

Type: TCP

Destination: 21 ( FTP-)

ALG: ftp-inbound,

3. OK

. , IP- 21
FTP-:

1. Rules > IP Rules > Add > IPRule

2. :

Name: SAT-ftp-inbound

Action: SAT

Service: ftp-inbound-service

3. Address Filter :

Source Interface:

Destination Interface: core

Source Network: all-nets

Destination Network: wan_ip

4. SAT Translate the Destination IP Address

5. To: New IP Address: ftp-internal (, IP- FTP-


)

6. New Port: 21

7. OK

. IP-:

1. Rules > IP Rules > Add > IPRule

2. :

Name: NAT-ftp

Action: NAT

Service: ftp-inbound-service

3. Address Filter :

Source Interface: dmz

Destination Interface: core

Source Network: dmznet

Destination Network: wan_ip

4. NAT Use Interface Address

5. OK

. (SAT Allow):

1. Rules > IP Rules > Add > IPRule

2. :

Name: Allow-ftp

Action: Allow

Service: ftp-inbound-service

3. Address Filter :

Source Interface:

Destination Interface: core

Source Network: all-nets

Destination Network: wan_ip

4. OK

6.3. FTP-

, , NetDefend ,
FTP- .

FTP ALG.

FTP ALG Allow client to use active mode, ,


. .

FTP ALG Allow server to use passive mode. FTP-


, .

Web-

A. FTP ALG
1. Objects > ALG > Add > FTP ALG
2. Name: ftp-outbound
3. Allow client to use active mode
4. Allow server to use passive mode
5. OK
.
1. Objects > Services > Add > TCP/UDP Service
2. :
Name: ftp-outbound-service
Type: TCP
Destination: 21 ( ftp-)
ALG: ftp-outbound
3. OK
. IP-
IP-, FTP-,

, IP- : .
i. IP-
IP-, , ,
/. - ftp-outbound-service,
ALG ftp-outbound, .

1. Rules > IP Rules > Add > IPRule


2. :
Name: Allow-ftp-outbound
Action:
Service: ftp-outbound-service

3. Address Filter :
Source Interface: lan
Destination Interface: wan
Source Network: lannet
Destination Network: all-nets

4. OK
ii. IP-
IP- IP-,
NAT:
1. Rules > IP Rules > Add > IPRule

2. :
Name: NAT-ftp-outbound
Action: NAT
Service: ftp-outbound-service

3. Address Filter :
Source Interface: lan
Destination Interface: wan
Source Network: lannet
Destination Network: all-nets

4. Use Interface Address

5. OK

FTP-

, FTP-, NetDefend,
NetDefendOS SAT-Allow ,
, .
FTP- , FTP-
IP- , .

, IP-
FTP- IP- ,
. , , FTP
ALG.

FTP- , IP-
FTP-.

6.2.4. TFTP ALG


Trivial File Transfer Protocol (TFTP) FTP-
,
. TFTP UDP-
, UDP.

TFTP
. TFTP

. NetDefendOS ALG TFTP
, .

TFTP
Allow/Disallow Read TFTP GET, ,
TFTP.
Allow ().

Allow/Disallow Write TFTP PUT, ,


TFTP- .
Allow ().

Remove Request Option ,


. False,
.

Allow Unknown Options ,


, ,
, .
.

TFTP-
Remove Request false (
), :

Maximum Blocksize .
0 65,464 .
65,464 .

Maximum File Size


. 999,999
.

Block Directory Traversal Directory Traversal


, ...

NetDefendOS TFTP ALG TFTP- IP-


. ,
TFTP-
.

6.2.5. SMTP ALG


Simple Mail Transfer Protocol (SMTP) ,
. , SMTP- DMZ,
, , SMTP-,
( 6.2.5.1,
DNSBL) .
email , SMTP-
.

SMTP , SMTP ALG


SMTP- .

SMTP ALG

SMTP ALG:

Email rate limiting


email .
IP- ,
, ,
, ,
email.
,
,
,
.

Email size limiting email


.

, : ,
,
. ,
email, , 100 ,
,
100 .
120 , ..
.


.

Email address blacklisting


,
.
,
,
,
.

Email address whitelisting


,
ALG ,

.

Verify MIME type


.
, ,
C,
MIME. HTTP ALG,
6.2.2, HTTP
ALG.

Block/Allow filetype

,
. HTTP ALG,

6.2.2, HTTP ALG.

Anti-Virus scanning NetDefendOS


email
.
.
ALGs
6.4, .

SMTP-

SMTP- , HTTP ALG


:

1. .

2. .

3. ( ).

4. ( ).

, , ,
. ( )
, email, ,
, . ( )
, email .

, ,
.

. 6.4. SMTP ALG

(Wildcards)

,
(wildcarding) ,
. *
.

, *@some_domain.com
some_domain.com.

, , (wildcarding)
my_company,
*@my_company.com.


my_department my_company,
my_department@my_company.com.
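Wildcard matching of whitelist and blacklist entries, for the HTTP ALG URL lists of Section 6.2.2 and the SMTP ALG address lists above, as one added Python example. It is not NetDefendOS code: the list contents are constructed, '*' is implemented with the standard-library fnmatch (so it matches any run of characters, including '/' in a URL), and the whitelist is consulted before the blacklist as the text describes, so a whitelisted entry never reaches the blacklist or the later filtering stages.

```python
from fnmatch import fnmatchcase

# Constructed lists. Entries use the '*' wildcard described in the text;
# URL entries carry no scheme, so the scheme is stripped before matching.
URL_WHITELIST = ["*.my_company.com/*", "my_company.com/*"]
URL_BLACKLIST = ["*.some_domain.com/*", "some_domain.com/*", "*/downloads/*.exe"]

EMAIL_WHITELIST = ["*@my_company.com"]
EMAIL_BLACKLIST = ["*@some_domain.com", "spammer*@*"]


def _matches(value, patterns):
    v = value.lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)


def url_verdict(url):
    """Static content filtering order: whitelist, then blacklist; anything
    else continues to web content filtering and anti-virus scanning."""
    u = url.split("://", 1)[-1]
    if "/" not in u:            # bare host: treat as the site root
        u += "/"
    if _matches(u, URL_WHITELIST):
        return "allow (whitelisted)"
    if _matches(u, URL_BLACKLIST):
        return "block (blacklisted)"
    return "continue"


def email_verdict(address):
    """Same order for sender addresses in the SMTP ALG."""
    if _matches(address, EMAIL_WHITELIST):
        return "allow (whitelisted)"
    if _matches(address, EMAIL_BLACKLIST):
        return "block (blacklisted)"
    return "continue"


if __name__ == "__main__":
    for url in ["http://my_page.my_company.com/index.html",
                "http://www.some_domain.com", "http://example.org/page"]:
        print(url, "->", url_verdict(url))
    for addr in ["my_department@my_company.com", "bob@some_domain.com",
                 "spammer@my_company.com"]:
        print(addr, "->", email_verdict(addr))
```

The last address shows the consequence of the ordering: a whitelist entry such as *@my_company.com overrides any blacklist entry that would otherwise match, so whitelist entries should be as narrow as possible.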

SMTP

SMTP- (ESMTP) RFC 1869


SMTP.

SMTP- SMTP-, ESMTP,


EHLO. ESMTP, ,
. RFC. , RFC 2920
SMTP Pipelining. Chunking,
RFC 3030.

NetDefendOS SMTP ALG ESMTP, Pipelining Chunking.


ALG
, SMTP- ,
NetDefend. , :

unsupported_extension
capability_removed

"capa=" , ALG .
, :

capa=PIPELINING

, pipelining SMTP-
EHLO.

, ESMTP ALG
, , -
. ,
, ALG.

SMTP ALG ZoneDefense


SMTP , ,
, .
ZoneDefense SMTP ALG ,
, .

ZoneDefense ,
SMTP-,
. ,
, , ,
ZoneDefense
, .
ZoneDefense SMTP ALG email.

,
ZoneDefense, SMTP-.

:



ZoneDefense Exclude.

, ,
ZoneDefense .

ZoneDefense SMTP ALG:

ZoneDefense
ZoneDefense Web-.

FTP ALG.

ALG ZoneDefense
.

12, ZoneDefense.

6.2.5.1. DNSBL
, ,
, . ,
, ,
, , Web-
, .

NetDefendOS SMTP ALG ,


.
,
NetDefend. NetDefendOS :

.
email .

email .

NetDefendOS

SMTP- email .
NetDefendOS ,
SMTP- SMTP- (
). , SMTP-
DMZ - , -,
.

IP- SMTP-
, , .
DNS Black List (DNSBL),
, NetDefendOS.
:

, IP- -
DNSBL-, IP- DNSBL (
NetDefendOS IP-). , IP-
, . , IP- ,
DNSBL- , ,
, , TXT,
.

. 6.5. DNSBL

NetDefendOS SMTP ALG DNSBL-


email.
, ,
, . NetDefendOS
, , (weighted sum)
.
, :

1. Dropped ( )
Drop threshold,

.
, SMTP-
(
).

2. Flagged as SPAM ( )
SPAM threshold,

.

, DNSBL-: dnsbl1, dnsbl2 dnsbl3.


3, 2 2 . 5.

dnsbl1 dnsbl2 , , dnsbl3 ,


3+2+0=5. 5 ( ) ,
email .

Drop threshold 7, DNSBL-


, (3+2+2=7) .


Drop threshold,
. ,
:

.
, TXT, DNSBL- ( ),
, NetDefendOS
.

, NetDefendOS.
,
TXT DNSBL-, ,
.

,
, Drop, (Subject)
, .
, (
).

, :

Buy this stock today!

*** SPAM ***,


:

*** SPAM *** Buy this stock today!

.

, , .

X-SPAM

,
, Add TXT Records
( TXT ). TXT , DNSBL,
.
X-SPAM, . X-SPAM:

X-Spam-Flag Yes.

X-Spam-Checker-Version NetDefendOS .

X-Spam-Status DNSBL.

X-Spam-Report DNSBL-, .

X-Spam-TXT-Records TXT, DNSBL-,


.
X-Spam_Sender-IP IP-, .

,
.
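The weighted-sum DNSBL scoring described above, carried through in an added Python example with the page's own numbers (lists weighted 3, 2 and 2, Spam threshold 5, Drop threshold 7), including the subject tag and the X-Spam headers listed above. This is not NetDefendOS code: the lookup results are constructed stand-ins for real DNSBL queries, the X-Spam-Checker-Version value is a placeholder, and both thresholds are assumed inclusive because the text treats 3+2+0=5 as flagged and 3+2+2=7 as dropped.

```python
from dataclasses import dataclass


@dataclass
class DnsblConfig:
    weights: dict               # DNSBL name -> weight value
    spam_threshold: int         # weighted sum at which mail is flagged as spam
    drop_threshold: int         # weighted sum at which mail is dropped
    add_txt_records: bool = True
    spam_tag: str = "*** SPAM ***"


# Weights and thresholds from the worked example in the text.
EXAMPLE_CFG = DnsblConfig(weights={"dnsbl1": 3, "dnsbl2": 2, "dnsbl3": 2},
                          spam_threshold=5, drop_threshold=7)

# Constructed lookup results for three sender IPs: list name -> TXT record
# text if the IP is listed, None if it is not.
SAMPLE_RESPONSES = {
    "10.0.0.5": {"dnsbl1": "listed in dnsbl1", "dnsbl2": "listed in dnsbl2", "dnsbl3": None},
    "10.0.0.6": {"dnsbl1": "listed in dnsbl1", "dnsbl2": "listed in dnsbl2",
                 "dnsbl3": "listed in dnsbl3"},
    "10.0.0.7": {"dnsbl1": None, "dnsbl2": None, "dnsbl3": None},
}


def weighted_score(cfg, responses):
    """Sum the weights of the lists that report the sender as listed."""
    hits = {name: txt for name, txt in responses.items() if txt is not None}
    return sum(cfg.weights[name] for name in hits), hits


def classify(cfg, sender_ip, subject, headers, responses):
    """Return (verdict, subject, headers); verdict is 'dropped', 'flagged'
    or 'accepted'. A dropped mail is never forwarded, so its subject and
    headers are returned untouched only for reporting."""
    total, hits = weighted_score(cfg, responses)
    if total >= cfg.drop_threshold:
        return "dropped", subject, dict(headers)
    if total < cfg.spam_threshold:
        return "accepted", subject, dict(headers)
    # Flagged as spam: tag the subject and add the X-Spam headers.
    new = dict(headers)
    new["X-Spam-Flag"] = "Yes"
    new["X-Spam-Checker-Version"] = "NetDefendOS <version placeholder>"
    new["X-Spam-Status"] = (f"score={total}; spam_threshold={cfg.spam_threshold}; "
                            f"drop_threshold={cfg.drop_threshold}")
    new["X-Spam-Report"] = ", ".join(f"{n} (weight {cfg.weights[n]})" for n in hits)
    if cfg.add_txt_records:
        new["X-Spam-TXT-Records"] = "; ".join(f"{n}: {txt}" for n, txt in hits.items())
    new["X-Spam_Sender-IP"] = sender_ip
    return "flagged", f"{cfg.spam_tag} {subject}", new


if __name__ == "__main__":
    for ip, resp in SAMPLE_RESPONSES.items():
        verdict, subj, hdrs = classify(EXAMPLE_CFG, ip, "Buy this stock today!", {}, resp)
        print(ip, verdict, repr(subj), hdrs.get("X-Spam-Report"))
```

Note that a list that fails to answer contributes nothing to the sum, which is why the text warns that with the Drop threshold set too close to the total of all weights a single unavailable list can prevent mail from ever being dropped.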

DNSBL

, DNSBL-,
, NetDefendOS , ,
,
, .

DNSBL- ,
.
( ),
.

DNSBL- ,
.
.


,
SMTP- .
, , ,
.

, :

,
IP, , DNSBL-
.

DNSBL- , DNSBL-
.

DNSBL- ,
.

DNSBL SMTP ALG,


:

, DNSBL- .
. ,
.

,
, , .

. ,
. :

i. Spam , .

ii. Drop .

Spam Drop.
Drop.

,
.

email,
(, , ). ,
TXT DNSBL-, ,
.

NetDefendOS
. , ,
. ,
:

, . ,
. NetDefendOS,
.

.
, DNSBL-
.

600 .

DNSBL:

, .

DNSBL-:

( )

DNSBL-.

, DNSBL-.

( ) DNSBL-.

CLI dnsbl

CLI dnsbl
. dnsbl ALG.
SMTP ALG, SMTP, my_smtp_alg,
:

gw-world:/> dnsbl
DNSBL Contexts:
Name                     Status   Spam     Drop     Accept
------------------------ -------- -------- -------- --------
my_smtp_alg              active   156      65       34299
alt_smtp_alg             inactive 0        0        0

-show ,
ALG.
my_smtp_alg, ALG .

gw-world:/> dnsbl my_smtp_alg show

Drop Threshold : 20
Spam Threshold : 10
Use TXT records : yes
IP Cache disabled
Configured BlackLists : 4
Disabled BlackLists : 0
Current Sessions : 0
Statistics:
Total number of mails checked : 0
Number of mails dropped : 0
Number of mails spam tagged : 0
Number of mails accepted : 0

BlackList                 Status   Value Total    Matches  Failed
------------------------- -------- ----- -------- -------- --------
zen.spamhaus.org          active   25    0        0        0
cbl.abuseat.org           active   20    0        0        0
dnsbl.sorbs.net           active   5     0        0        0
asdf.egrhb.net            active   5     0        0        0

DNSBL- .

gw-world:/> dnsbl smtp_test zen.spamhaus.org show

BlackList: zen.spamhaus.org
Status : active
Weight value : 25
Number of mails checked : 56
Number of matches in list : 3
Number of failed checks (times disabled) : 0

dnsbl my_smtp_alg ,
:

gw-world:/> dnsbl my_smtp_alg -clean

: DNSBL-
DNSBL- :
http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists.

6.2.6. POP3 ALG


POP3 , SMTP- ,
,
.

POP3 ALG

POP3 ALG:
Block clients from sending USER
and PASS command ,
/ ,
(
).

Hide User POP3-,


.
,
.

Allow Unknown Commands POP3,


ALG.

Fail Mode
, .


Verify MIME type .
C,
MIME, .
HTTP ALG,
6.2.2, HTTP ALG

Block/Allow type
,
.
HTTP ALG,
6.2.2, The HTTP ALG.

Anti-Virus Scanning NetDefendOS



.
.
ALG
6.4,

6.2.7. PPTP ALG

PPTP ALG

PPTP ALG , PPTP-


NAT.

, NetDefend
, . NAT-
. ,
IP- .

A PPTP- .
. IP- NAT
IP- .

, , B
IP- ,
. , PPTP-
IP- .
. 6.6. PPTP ALG

PPTP ALG . ALG


PPTP- .

PPTP ALG

PPTP ALG ALG. ALG


, IP-.
:

PPTP ALG , pptp_alg.


ALG .

ALG .
pptp-ctl.
, ,
pptp_service. :

i. Type () TCP.

ii. (Source) 0-65535.

iii. (Destination) 1723.

iv. ALG, PPTP ALG, .


, pptp_alg.

IP- NAT,
PPTP-. , ,
all-nets.
IP- pptp_service
NAT. , PPTP-,
lannet, lan.
wan, ,
all-nets .



(Action)  (Src Interface)  (Src Network)  (Dest Interface)  (Dest Network)  (Service)
NAT       lan              lannet         wan               all-nets        pptp_service

PPTP ALG

PPTP ALG :

Name ALG.

Echo timeout Echo PPTP-.

Idle timeout

PPTP-.

,
.

6.2.8. SIP ALG


Session Initiation Protocol (SIP) ASCII (UTF-8),
IP-. -,
HTTP SMTP. , SIP,
Voice-Over-IP (VoIP) -
. SIP VoIP , IP-,
.

SIP
, . , , SIP,
RTP / RTCP
( UDP), TCP-. RTP / RTCP-
TCP TLS .

SIP IETF RFC 3261 , VoIP. SIP


- H.323, ,
, H.323. ( VoIP .
6.2.9 ", H.323 ALG".)
: (Traffic
shaping) SIP ALG

, IP-
, SIP ALG,
(Traffic shaping).

SIP

SIP-:

User Agents ,
-. , ,
IP-.
user agent (
).

Proxy Servers Proxy- SIP-,


, .
Proxy- ,

. .

Proxy ,
NetDefend, .
NetDefendOS.

Registrars , SIP REGISTER,


Registrar. Registrar
, , .

Registrar Proxy-
.

SIP-

SIP: a SIP session makes use of a number of protocols. These are:

SDP Session Description Protocol (RFC4566), -.


RTP Real-time Transport Protocol (RFC3550), -
UDP-.

RTCP Real-time Control Protocol (RFC3550), RTP-,


.

NetDefendOS SIP

NetDefendOS SIP- :

SIP-.

SIP ALG, .

IP- SIP-,
.

SIP ALG

SIP ALG :

Maximum Sessions ,
per ID . 5.

Maximum SIP Registrar.


Registration Time 3600 .

SIP Signal Timeout , SIP-.


43200 .

Data Channel ,
Timeout SIP-. 120 .

Allow Media Bypass , , RTP / RTCP ,



NetDefend. ,

. Disabled ().

SIP Proxy Record-Route


, SIP NetDefendOS,
SIP proxy Record-Route. SIP proxy ,
Record-Route. , proxy-
Stateful proxy. , proxy- ,
SIP .

SIP-, INVITE SIP proxy-. SIP


proxy proxy-,
. proxy INVITE
. , IP- ,
SIP proxy-.
, proxies
SIP-.

proxy- , IP- NetDefendOS


SIP- NetDefend,
,
, IP-. , proxy-
Record-Route. SIP-
proxy-.

, , Record-Route ,
IP-, 1
Proxy, Internet.

IP- -

SIP- :

SIP-, -.

-, , ,
VoIP-.

SIP, , IP-,
, SIP
. IP-
, -. SIP ALG
( SIP pinholes),
NetDefend.

IP-,
.

SIP

NetDefendOS SIP.
:

1
Proxy-

SIP- , NetDefend
, , . SIP proxy
, NetDefend. ,
, ,
proxy- , .

2
proxy Proxy-
,

SIP- , NetDefend
, , . SIP Proxy
, NetDefend
, ,
, .
.

3
proxy- Proxy-
DMZ

SIP- , NetDefend
, , . SIP Proxy
DMZ ,
proxy-.

, ,
, .

1
Proxy-

, VoIP ,
NAT. .

SIP proxy .
Record-Route SIP-,
, SIP Proxy. ,
, SIP
SIP Proxy-.

NAT .

NAT, , .

: NAT
traversal
NAT Traversal SIP SIP
Proxies. , Simple Traversal of UDP through NATs
(STUN). NetDefendOS SIP ALG , NAT traversal SIP.

1. SIP ALG, , .

2. , SIP ALG.

5060 ( SIP).

TCP/UDP.

3. IP-:

NAT- , SIP Proxy


. SIP ALG ,
NAT. IP-,
. , proxy- ,
.
Allow SIP-, SIP proxy- IP
NetDefend. core ( , NetDefendOS)
. NAT, .
, NetDefendOS ,
SIP- .

SAT SIP-, ALG


SIP- .
SIP- NetDefend SIP
proxy-, NetDefendOS IP-
SIP proxy-. NetDefendOS
. ALG
.

4. , . SIP Proxy-
, . IP- proxy-
ALG.
, IP- proxy-
, , DHCP.

: NAT
traversal
NAT Traversal SIP SIP Proxies. ,
Simple Traversal of UDP through NATs (STUN). NetDefendOS SIP
ALG , NAT traversal SIP.

IP- Record-Route , ,
NAT (..).


(Action)        (Src Interface)  (Src Network)  (Dest Interface)  (Dest Network)
Allow (or NAT)  lan              lannet         wan               ip_proxy
Allow           wan              ip_proxy       lan (or core)     lannet (or wan_ip)

IP- Record-Route ,
, NAT
(..).


(Action)        (Src Interface)  (Src Network)       (Dest Interface)  (Dest Network)
Allow (or NAT)  lan              lannet              wan               <All possible IPs>
Allow           wan              <All possible IPs>  lan (or core)     lannet (or ipwan)

Record-Route ,
IP-.

: IP-
, IP-, ,
, .
SIP.

2
proxy- Proxy-
,

, SIP proxy-.
Proxy- , , SIP
-, . .

:

NAT .

NAT, , .

A NAT

, proxy- IP-
NetDefend. :

1. SIP ALG, , .

2. , SIP ALG. :

- 5060 ( SIP)

- TCP/UDP

3. 3 IP-:
NAT- , -
, , , . SIP ALG
, NAT.
IP-, . , proxy-
, .
SIP proxy- Record-Route, NAT
SIP proxy-, .
SAT SIP- IP-
proxy-. core
( , NetDefendOS),
IP- SIP proxy-.
Allow, , SAT
.


(Name)                    (Action)              (Src Interface)  (Src Network)  (Dest Interface)  (Dest Network)
OutboundFromProxyUsers    NAT                   lan              lannet         wan               all-nets
InboundToProxyAndClients  SAT SETDEST ip_proxy  wan              (ip_proxy)     core              wan_ip
InboundToProxyAndClients  Allow                 wan              all-nets       core              wan_ip

Record-Route ,
proxy- ip_proxy.
, SIP ALG SAT SIP
proxy-. Proxy-, , .
Record-Route proxy-, SIP-c, SIP
ALG SIP-
SIP proxy-. .

B NAT
NAT , NAT Allow.
SAT Allow Allow.


(Name)                     (Action)  (Src Interface)  (Src Network)        (Dest Interface)  (Dest Network)
OutboundFromProxy&Clients  Allow     lan              lannet               wan               all-nets (ip_proxy)
InboundToProxy&Clients     Allow     wan              all-nets (ip_proxy)  lan               lannet

Record-Route ,
(ip_proxy) .

3
proxy- Proxy-
DMZ

, SIP proxy-
. .
, SIP
, .

, SIP-

: , , DMZ ,
proxy- ,
. :

1,2 INVITE proxy-, DMZ.

3,4 proxy- SIP .

5,6 proxy- proxy-.

7,8 proxy- .
, DMZ
( A), NAT (
B).

A - NAT

IP- SIP proxy- .


NetDefend proxy- DMZ.

IP- DMZ .
, .

1. SIP ALG, , .

2. , SIP ALG. :

5060 ( SIP)

TCP/UDP

3. 4 IP-:

NAT , ,
, proxy-, DMZ. SIP ALG
NAT. IP-,
.


, proxy-
DMZ, IP- DMZ-.

Allow , proxy-,
DMZ-, .

Allow SIP-, SIP proxy-,


DMZ-, IP- NetDefend.
core .

NAT, . ,
NetDefendOS ,
SIP- . SIP
ALG.

Allow , , , , proxy-
, DMZ.

4. proxy- Record-Route,
proxy-.
Record-Route :

NAT , ,
, proxy-, , . SIP ALG
NAT.
IP-, .

Allow SIP-, , , IP-


DMZ-. ,
IP- DMZ-, proxy-
, DMZ.
core .
, NetDefendOS
,
SIP- . SIP
ALG.

Record-Route IP-:


(Name)             (Action)  (Src Interface)  (Src Network)  (Dest Interface)  (Dest Network)
OutboundToProxy    NAT       lan              lannet         dmz               ip_proxy
OutboundFromProxy  Allow     dmz              ip_proxy       wan               all-nets
InboundFromProxy   Allow     dmz              ip_proxy       core              dmz_ip
InboundToProxy     Allow     wan              all-nets       dmz               ip_proxy

Record-Route , IP-:


(Action)
(Src (Src (Dest (Dest
Interface) Network) Interface) Network)
OutboundBypassProxy NAT lan lannet wan all-nets
InboundBypassProxy Allow wan all-nets core ipdmz

B NAT

1. SIP ALG, , .

2. , SIP ALG. :

- 5060 ( SIP)

- TCP/UDP

3. 4 IP-:

Allow ,
proxy-, DMZ-.

Allow , proxy-,
DMZ-, .

Allow SIP- SIP proxy- DMZ-


, .

Allow SIP- proxy-


proxy- DMZ-.

4. proxy- Record-Route,
SIP- proxy-.
Record-Route :

Allow
proxy- .

Allow SIP- .

Record-Route IP-:


(Name)             (Action)  (Src Interface)  (Src Network)  (Dest Interface)  (Dest Network)
OutboundToProxy    Allow     lan              lannet         dmz               ip_proxy
OutboundFromProxy  Allow     dmz              ip_proxy       lan               lannet
InboundFromProxy   Allow     dmz              ip_proxy       core              dmz_ip
InboundToProxy     Allow     wan              all-nets       dmz               ip_proxy

Record-Route , IP-:


(Name)               (Action)  (Src Interface)  (Src Network)  (Dest Interface)  (Dest Network)
OutboundBypassProxy  Allow     lan              lannet         wan               all-nets
InboundBypassProxy   Allow     wan              all-nets       lan               lannet

6.2.9. H.323 ALG


H.323 ,
(International Telecommunication Union, ITU)
IP-. H.323 ,
, , , .
H.323 , , IP-
voice-over-IP (VoIP).

H.323

H.323 4- :

(Terminals) , ,
, ,
, "NetMeeting".

(Gateways)
H.323 , ,
(PSTN),
-.
H.323
.

(Gatekeepers) H.323,
,
.
, ,
.


, Follow-me/find-
me, Forward on busy ..
H.323
IP-.

(MCUs)
(Multipoint H.323 . H.323,
Control Units) ,
.
, ,
-,
.

H.323

H.323 :

H.225 RAS signalling and Call Control .


(Setup) signalling
H.323.
H.323
H.323 .
H.323,
TCP- 1720.
UDP- 1719 (RAS-
H.225).

H.245 Media Control and Transport ,


H.323.

.
, , ,
. ,

T.120 .

T.120 .
H.323, T.120
,
, ,
, , White board
( ).

H.323 ALG
H.323 ALG , H.323,
H.323 ,
, NetDefend.
H.323 NAT, IP-
H.323. H.323 ALG H.323,
,
NetDefend.

H.323 ALG :

H.323 ALG 5 H.323.


H.225.0 v5 H.245 v10.

-, H.323 ALG
T.120. T.120 TCP,
UDP.

ALG RAS-
H.323 ,
NetDefend.

NAT SAT IP-


NetDefend.

H.323 ALG
H.323 ALG
. :

Allow TCP Data Channels


TCP. , , T.120.

Number of TCP Data Channels


TCP.

Address Translation Network () ,


. External IP ( IP) Network IP-,
NAT. IP- Auto,
IP- route lookup.

Translate Logical Channel Addresses , .


,
IP- ,
.

Gatekeeper Registration Lifetime


,
. , ,
, , ,
.

, H.323 ALG.
ALG . :

(UDP ALL > 1719)

H323 (H.323 ALG, TCP ALL > 1720)

H323- (H.323 ALG, UDP > 1719)

6.4. NetDefend
H.323 NetDefend (lannet) IP-
. H.323 ,
H.323 ,
. , ,
/ .

Web-

1. Rules > IP Rules > Add > IPRule

2. :

Name: H323AllowOut

Action: Allow

Service: H323

Source Interface: lan

Destination Interface: any

Source Network: lannet

Destination Network: 0.0.0.0/0 (all-nets)

Comment: Allow outgoing calls

3. OK

1. Rules > IP Rules > Add > IPRule

2. :

Name: H323AllowIn

Action: Allow

Service: H323

Source Interface: any

Destination Interface: lan

Source Network: 0.0.0.0/0 (all-nets)

Destination Network: lannet

Comment: Allow incoming calls

3. OK

6.5. H.323 IP-


H.323 NetDefend IP-.
H.323 ,
H.323 ,
. , ,
/ . IP-
, SAT, . ip-
ip- H.323.

Web-

1. Rules > IP Rules > Add > IPRule

2. :

Name: H323Out

Action: NAT

Service: H323

Source Interface: lan

Destination Interface: any

Source Network: lannet

Destination Network: 0.0.0.0/0 (all-nets)

Comment: Allow outgoing calls

3. OK

1. Rules > IP Rules > Add > IPRule

2. :

Name: H323In

Action: SAT

Service: H323

Source Interface: any

Destination Interface: core

Source Network: 0.0.0.0/0 (all-nets)

Destination Network: wan_ip ( IP- )

Comment: Allow incoming calls to H.323 phone at ip-phone

3. SAT Translate Destination IP Address: To New IP Address: ip-phone (IP- )

4. OK

1. Rules > IP Rules > Add > IPRule

2. :

Name: H323In

Action: Allow

Service: H323

Source Interface: any

Destination Interface: core

Source Network: 0.0.0.0/0 (all-nets)

Destination Network: wan_ip ( IP- )

Comment: Allow incoming calls to H.323 phone at ip-phone

3. OK

NetDefend,
IP- . NetDefend
H.323 ALG,
SAT. , . ,
H.323 H.323 with Gatekeeper,
.

6.6.
H.323,
NetDefend IP-.
, .
, / .

Web-


1. Rules > IP Rules > Add > IPRule

2. :

Name: H323AllowOut

Action: Allow

Service: H323

Source Interface: lan

Destination Interface: any

Source Network: lannet

Destination Network: 0.0.0.0/0 (all-nets)

Comment: Allow outgoing calls

3. OK

1. Rules > IP Rules > Add > IPRule

2. :

Name: H323AllowIn

Action: Allow

Service: H323

Source Interface: any

Destination Interface: lan

Source Network: 0.0.0.0/0 (all-nets)

Destination Network: lannet

Comment: Allow incoming calls

3. OK

6.7. IP-
H.323,
NetDefend IP-. ,
. ,
/ .
IP- , SAT, .
ip- ip- H.323.

Web-

1. Rules > IP Rules > Add > IPRule

2. :

Name: H323Out

Action: NAT

Service: H323

Source Interface: lan

Destination Interface: any


Source Network: lannet

Destination Network: 0.0.0.0/0 (all-nets)

Comment: Allow outgoing calls

3. OK

1. Rules > IP Rules > Add > IPRule

2. :

Name: H323In

Action: SAT

Service: H323

Source Interface: any

Destination Interface: core

Source Network: 0.0.0.0/0 (all-nets)

Destination Network: wan_ip ( IP- )

Comment: Allow incoming calls to H.323 phone at ip-phone

3. SAT Translate Destination IP Address: To New IP Address: ip-phone (IP- )

4. OK

1. Rules > IP Rules > Add > IPRule

2. :

Name: H323In

Action: Allow

Service: H323

Source Interface: any

Destination Interface: core

Source Network: 0.0.0.0/0 (all-nets)

Destination Network: wan_ip ( IP- )

Comment: Allow incoming calls to H.323 phone at ip-phone

3. OK

NetDefend,
IP- . NetDefend
H.323 ALG,
SAT. , . ,
H.323 H.323 with Gatekeeper,
.

6.8. H.323
H.323 DMZ NetDefend.
, ,
H.323 DMZ. .

. ,
/ .

Web-

1. Rules > IP Rules > Add > IPRule

2. :

Name: H323In

Action: SAT

Service: H323-Gatekeeper

Source Interface: any

Destination Interface: core

Source Network: 0.0.0.0/0 (all-nets)

Destination Network: wan_ip (external IP of the firewall)

Comment: SAT rule for incoming communication with the Gatekeeper located at ip-gatekeeper

3. SAT Translate Destination IP Address: To New IP Address: ip-gatekeeper (IP- ).

4. OK

1. Rules > IP Rules > Add > IPRule

2. :

Name: H323In

Action: Allow

Service: H323-Gatekeeper

Source Interface: any

Destination Interface: core

Source Network: 0.0.0.0/0 (all-nets)

Destination Network: wan_ip ( IP- )

Comment: Allow incoming communication with the Gatekeeper

3. OK

1. Rules > IP Rules > Add > IPRule

2. :

Name: H323In

Action: Allow

Service: H323-Gatekeeper

Source Interface: lan

Destination Interface: dmz

Source Network: lannet

Destination Network: ip-gatekeeper (IP address of the gatekeeper)

Comment: Allow incoming communication with the Gatekeeper

3. OK


. NetDefendOS
,
,
, .

6.9.
3, , NetDefend
"" . NetDefend , DMZ,
3. NetDefend ,
. .
, / .

Web-

1. Rules > IP Rules > Add > IPRule

2. :

Name: H323Out

Action: NAT

Service: H323-Gatekeeper

Source Interface: lan

Destination Interface: any

Source Network: lannet

Destination Network: 0.0.0.0/0 (all-nets)

Comment: Allow outgoing communication with a gatekeeper

3. OK

.
NetDefendOS
, ,
,
.

6.10. H.323 ALG


, H.323 ALG
. H.323 DMZ H.323,
, .
. , VPN-
, IP- . ""
(IP-),
.

H.323 DMZ NetDefend.
:

Web-

1. Rules > IP Rules > Add > IPRule

2. :

Name: LanToGK

Action: Allow

Service: H323-Gatekeeper

Source Interface: lan

Destination Interface: dmz

Source Network: lannet

Destination Network: ip-gatekeeper

Comment: Allow H.323 entities on lannet to connect to the Gatekeeper

3. OK

1. Rules > IP Rules > Add > IPRule

2. :

Name: LanToGW

Action: Allow

Service: H323-Gatekeeper

Source Interface: lan

Destination Interface: dmz

Source Network: lannet

Destination Network: ip-gateway

Comment: Allow H.323 entities on lannet to call phones connected to the H.323 Gateway on the DMZ

3. OK

1. Rules > IP Rules > Add > IPRule

2. :

Name: GWToLan

Action: Allow

Service: H323-Gatekeeper

Source Interface: dmz

Destination Interface: lan

Source Network: ip-gateway

Destination Network: lannet

Comment: Allow communication from the Gateway to H.323 phones on lannet

3. OK

1. Rules > IP Rules > Add > IPRule

2. :

Name: BranchToGW

Action: Allow

Service: H323-Gatekeeper

Source Interface: vpn-branch

Destination Interface: dmz

Source Network: branch-net

Destination Network: ip-gatekeeper, ip-gateway

Comment: Allow communication with the Gatekeeper on DMZ from the Branch network

3. OK

1. Rules > IP Rules > Add > IPRule

2. :

Name: RemoteToGW

Action: Allow

Service: H323-Gatekeeper

Source Interface: vpn-remote

Destination Interface: dmz

Source Network: remote-net

Destination Network: ip-gatekeeper

Comment: Allow communication with the Gatekeeper on DMZ from the Remote network

3. OK

6.11. H.323
H.323
H.323 , NetDefend
: ( ,
).

Web-

1. Rules > IP Rules > Add > IPRule

2. :

Name: ToGK

Action: Allow

Service: H323-Gatekeeper

Source Interface: lan

Destination Interface: vpn-hq

Source Network: lannet

Destination Network: hq-net

Comment: Allow communication with the Gatekeeper connected to the Head Office DMZ

3. OK

1. Rules > IP Rules > Add > IPRule

2. :

Name: H323In

Action: Allow

Service: H323-Gatekeeper

Source Interface: any

Destination Interface: core

Source Network: 0.0.0.0/0 (all-nets)

Destination Network: wan_ip ( IP- )

Comment: Allow incoming communication with the Gatekeeper

3. OK

1. Rules > IP Rules > Add > IPRule

2. :

Name: H323In

Action: Allow

Service: H323-Gatekeeper

Source Interface: lan

Destination Interface: dmz

Source Network: lannet

Destination Network: ip-gatekeeper (IP address of the gatekeeper)


Comment: Allow incoming communication with the Gatekeeper

3. OK

6.12. H.323
H.323 NetDefend, , DMZ.
H.323 ,
:

Web-

1. Rules > IP Rules > Add > IPRule

2. :

Name: GWToGK

Action: Allow

Service: H323-Gatekeeper

Source Interface: dmz

Destination Interface: vpn-hq

Source Network: ip-branchgw

Destination Network: hq-net

Comment: Allow the Gateway to communicate with the Gatekeeper connected to the Head Office

3. OK


. NetDefendOS
,
,
, .

6.2.10. TLS ALG


TLS (Transport Layer Security) - ,


,
.

, TLS /
. TLS , Web-
, TLS, , -

. HTTPS-
, .

TLS
, VPN, ,
IPsec. Web- TLS
.

SSL

TLS Secure Sockets Layer (SSL), .


, TLS SSL
. TLS ALG , NetDefend
SSL (SSL termination),
SSL.

SSL TLS, NetDefendOS


SSL 3.0, TLS 1.0, RFC 2246, TLS
1.0 ( NetDefendOS RFC 2246).

TLS

TLS ,
TLS
, .
(Certificate Authority (CA)), Web-
.

CA.
, Web- ,
.

. 6.7 TLS

NetDefendOS TLS

TLS ,
, , NetDefend,
NetDefendOS TLS. NetDefendOS
TLS / ,
, .
:

TLS NetDefend
.

NetDefend,
. , ( wildcard
certificate) .

/ , TLS,
NetDefend. SSL acceleration.

, NetDefend.

TLS- NetDefendOS,
traffic shaping IDP-.

TLS (server load


balancing) NetDefendOS .

TLS

TLS NetDefendOS :

1. NetDefendOS TLS-
.

2. TLS ALG,
. ,
.

3. TCP-.

4. TLS ALG .

5. IP- NAT Allow .

6. SAT,
.
SLB_SAT (
).

URL-,

, NetDefendOS TLS URL-


Web-c, , NetDefend.

, Web-,
NetDefend, https://, Web-, ,
URL-, http:// (,
), URL-,
NetDefendOS https://.
URL-,

, NetDefendOS TLS

NetDefendOS TLS :

1. TLS_RSA_WITH_RC4_128_SHA
2. TLS_RSA_WITH_RC4_128_MD5
3. TLS_RSA_EXPORT_WITH_RC4_56_SHA ( 1024 )
4. TLS_RSA_EXPORT_WITH_RC4_40_MD5 ( 1024 )
5. TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 ( 1024 )
6. TLS_RSA_WITH_NULL_MD5
7. TLS_RSA_WITH_NULL_SHA

Note: every suite in this list is obsolete by current standards. RC4 has known keystream biases that allow plaintext recovery, the EXPORT suites use 40- or 56-bit keys that can be brute-forced, and the NULL suites provide integrity only, with no encryption at all. A TLS ALG restricted to these suites should be treated as a way to inspect legacy traffic, not as a secure TLS endpoint in its own right.

NetDefendOS TLS

, NetDefendOS TLS
. :

( NetDefend
).

, ,
, .

NetDefendOS 2
.

6.3. Web-
6.3.1.
Web-
. Web-
. -
.

C HTTP ALG NetDefendOS


Web-:

Active Content Handling Web-


, , ,
ActiveX Java Applets.

Static Content Filtering ( )


Web- .
/ URL-.

Dynamic Content Filtering ( )


, Web-
,
.
.

: WCF
Web- HTTP ALG,
6.2.2. HTTP ALG.

6.3.2.

Web- ,
. , ,
Web-.

NetDefendOS
Web-:

ActiveX ( Flash)
Java applets
Javascript/VBScript
Cookies
UTF-8 (
URL- Web-)

, ,
HTTP Application Layer Gateway.

:
Web-
. Web- Javascript
, .
scripting,
, Web-
. ,
Web-, -
. Active Content Handling
.

6.13. ActiveX Java applets


, HTTP Application Layer Gateway ActiveX
Java applets. content_filtering ALG
.

CLI

gw-world:/> set ALG ALG_HTTP content_filtering RemoveActiveX=Yes RemoveApplets=Yes

Web-

1. Objects > ALG

2. HTTP ALG, content_filtering

3. Strip ActiveX objects ( flash)

4. Strip Java applets

5. OK

6.3.3.

HTTP ALG NetDefendOS


Web- URL-,
/ . Static Content Filtering.

, .


( ),
. ,
on-line,

. URL-
HTTP Application Layer Gateway, URL- ,
.

(Wildcarding)

, URL- URL-
.
URL- , , .

URL-
:

*.example.com/* . example.com
Web-, .
www.example.com/* . Web- www.example.com
Web-.
*/*.gif . .gif.

www.example.com .
Web-. , www.example.com/index.html,
.
*example.com/* . www.myexample.com,
,
example.com.

:

Web- URL-
,
6.7, .

6.14. /
,
NetDefendOS Web-
.

.exe-. , Web- D-Link


, .

CLI

HTTP ALG HTTP-:

gw-world:/> add ALG ALG_HTTP content_filtering

HTTP ALG URL :

gw-world:/> cc ALG ALG_HTTP content_filtering

gw-world:/content_filtering> add ALG_HTTP_URL URL=*/*.exe Action=Blacklist

, :

gw-world:/content_filtering> add ALG_HTTP_URL URL=www.D-Link.com/*.exe Action=Whitelist

Web-

HTTP ALG HTTP-:

1. Objects > ALG > Add > HTTP ALG

2. ALG, , content_filtering

3. OK

HTTP ALG URL :

1. Objects > ALG

2. HTTP ALG

3. HTTP URL

4. Add HTTP ALG URL

5. Blacklist Action

6. */*.exe URL

7. OK

1. Objects > ALG

2. HTTP ALG

3. HTTP URL

4. Add HTTP ALG URL

5. Whitelist Action

6. URL www.D-Link.com/*.exe
7. OK

/ , .
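The wildcard semantics described above and the blacklist/whitelist pair of example 6.14, as an added example in Python (it is not NetDefendOS code and not from the manual). A "*" matches any run of characters, including "/" and ".", the pattern is anchored at both ends and the scheme is ignored. Three things are assumptions made here rather than statements of the manual: matching is case-insensitive, the query string is not matched, and a Whitelist hit overrides a Blacklist hit, which is what example 6.14 relies on to let D-Link's own .exe files through.

```python
# Added example (not NetDefendOS code): static URL filtering with the
# wildcard semantics of the manual. Assumptions: case-insensitive match,
# query string ignored, Whitelist overrides Blacklist.
import re
from urllib.parse import urlsplit


def url_to_target(url: str) -> str:
    """Reduce a URL to the host/path form the patterns are written in."""
    if "://" not in url:
        return url.lower()
    parts = urlsplit(url)
    return ((parts.hostname or "") + parts.path).lower()


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a wildcard pattern such as */*.gif into an anchored regex."""
    pieces = [re.escape(p) for p in pattern.lower().split("*")]
    return re.compile("^" + ".*".join(pieces) + "$")


def matches(pattern: str, url: str) -> bool:
    return pattern_to_regex(pattern).match(url_to_target(url)) is not None


def decide(url: str, rules) -> str:
    """rules: iterable of (pattern, "Blacklist" | "Whitelist")."""
    target = url_to_target(url)
    hits = {action for pattern, action in rules
            if pattern_to_regex(pattern).match(target)}
    if "Whitelist" in hits:      # whitelist wins over blacklist (assumption)
        return "allow"
    if "Blacklist" in hits:
        return "block"
    return "allow"               # no rule matched: not filtered


# The two rules from example 6.14: block every .exe except D-Link's own.
EXAMPLE_RULES = [
    ("*/*.exe", "Blacklist"),
    ("www.D-Link.com/*.exe", "Whitelist"),
]

if __name__ == "__main__":
    for url in ("http://www.D-Link.com/setup.exe",
                "http://mirror.test/dl/setup.exe",
                "http://www.example.com/index.html"):
        print(url, "->", decide(url, EXAMPLE_RULES))
```

Because the pattern is anchored, "www.example.com" matches only that exact host with an empty path, while "*.example.com/*" needs the leading dot and therefore does not match "example.com/..." itself, exactly as the table above describes.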

6.3.4. Web-
6.3.4.1.

HTTP ALG, NetDefendOS Web-


(WCF), Web-
Web-.

Dynamic WCF

Dynamic WCF NetDefendOS Web-


,
URL-. , D-Link
, URL- Web-,
, , ,
, , ..

URL- , ,
URL- . URL-
, Web- , ,
.

: Dynamic WCF

NetDefend

Dynamic WCF
NetDefend: DFL-260, 860, 1660, 2560 2560G.

WCF Processing Flow

Web- Web-,
NetDefendOS Dynamic WCF
.
.

, Web-, ,
. NetDefendOS -,
URL-.
, , , ,
Web-.

. 6.8

URL- Web- , Web-


URL- D-Link
.
, URL , NetDefendOS
URL-. Dynamic WCF .

: URL-

, , URL-
.

Web-,

Web-, . ,
Web- , ,
. NetDefendOS , ,
Web-.

WCF

- URL- , WCF.
URL- , .
, URL-
, .

6.3.4.2. WCF

,
. NetDefendOS.

HTTP Application Layer Gateway


(ALG). , IP-
, .
, IP-
.

:
,
,
IP-.
, , . 3.6, .

Setting Fail Mode

HTTP ALG fail mode , ALG,


WCF , , . fail mode
, , ,
, NetDefendOS
URL-.
fail mode:

Deny URL- ,
, , . Web-,
, .

Allow WCF , URL-


, .

6.15. Web-
HTTP-,
intnet all-nets. ,
, NAT HTTP-, intnet all-nets.

CLI

HTTP Application Layer Gateway (ALG):

gw-world:/> add ALG ALG_HTTP content_filtering WebContentFilteringMode=Enabled FilteringCategories=SEARCH_SITES

, HTTP ALG:

gw-world:/> add ServiceTCPUDP http_content_filtering Type=TCP DestinationPorts=80 ALG=content_filtering

NAT .
NATHttp:

gw-world:/> set IPRule NATHttp Service=http_content_filtering

Web-

HTTP Application Layer Gateway (ALG):

1. Objects > ALG > Add > HTTP ALG

2. ALG, , content_filtering

3. Web Content Filtering

4. Enabled Mode

5. Blocked Categories, Search Sites >>.

6. OK

, HTTP ALG:

1. Local Objects > Services > Add > TCP/UDP service

2. , , http_content_filtering

3. TCP Type

4. 80 Destination Port

5. HTTP ALG, ALG

6. OK

NAT :

1. Rules > IP Rules

2. NAT HTTP-

3. Service

4. http_content_filtering, Service

5. OK

Web-,
lannet all-nets.

1. lannet Web-.

2. . , www.google.com.

3. , Web-, ,
.

Web-
, Web- -
. ,
, Web- .

, Web-
,
WCF.

Web- .
.
, .
, .

6.16. Audit
, , .

CLI

HTTP Application Layer Gateway (ALG):

gw-world:/> add ALG ALG_HTTP content_filtering WebContentFilteringMode=Audit FilteringCategories=SEARCH_SITES

Web-

HTTP Application Layer Gateway (ALG):

1. Objects > ALG > Add > HTTP ALG

2. ALG, , content_filtering

3. Web Content Filtering

4. Audit Mode

5. Blocked Categories Search Sites >>

6. OK

, HTTP ALG, NAT


.

Allowing Override

,
. : ,
. , Web-
. Web-,
.

, NetDefendOS Allow Override.


, ,
Web-,
, Web- .
restricted site notice. Web-, .

, , ,
.

: Overriding the restriction of a site


Restricted site notice,

. , -
. 5 ,
, .

,
, . NetDefendOS
,
.

HTTP-ALG, ,

.

Web- ,
Web- , .
, Web- ,
.

URL- Web-,
D-Link .
Web-, ,
, .

6.17.
, Web-,
, . HTTP ALG.

CLI

HTTP Application Layer Gateway (ALG):

gw-world:/> add ALG ALG_HTTP content_filtering WebContentFilteringMode=Enabled FilteringCategories=SEARCH_SITES AllowReclassification=Yes

NAT,
.

Web-

HTTP Application Layer Gateway (ALG):

1. Objects > ALG > Add > HTTP ALG

2. ALG, , content_filtering

3. Web Content Filtering

4. Enabled Mode

5. Blocked Categories Search Sites >>

6. Check the Allow Reclassification control

7. OK

NAT,
.

Web-,
lannet all-nets
. :

1. lannet Web-.

2. . , www.google.com.

3. , Web-,
.

4.
.

6.3.4.3.

,
, .

1:

Web- ,
, , .
Web-, , ,
(21). :

www.naughtychix.com
www.fullonxxx.com

2:

Web- ,
, (, ,
), . ,
,
. ,
(11), ,
(16). :

www.newsunlimited.com
www.dailyscoop.com

3:

Web- ,
. ,
,
. :

www.allthejobs.com
www.yourcareer.com

4:

Web- ,
, ,
. , ,
.
, (10).
:

www.blackjackspot.com
www.pickapony.net

5: /

Web- /, ,
, ,
. :

www.flythere.nu
www.reallycheaptix.com.au

6:

Web- ,
, ,
. ,
, . :

www.megamall.com
www.buy-alcohol.se

7:

Web- ,
, - . , , ,
, -. , Web-,
. :
(1), (4), (8), (10), (16),
(22) (23). :

www.celebnews.com
www.hollywoodlatest.com

8:

Web- ,
. , ,
, URL- . :

www.thetalkroom.com
www.yazoo.com

9:

Web- ,
, ,
(, / ) . :

www.adultmatefinder.com
www.marriagenow.com

10:

Web- ,
, ,
, . :

www.gamesunlimited.com
www.gameplace.com

11:

Web- ,
, .
, ,
, .
,
(12). :

www.loadsofmoney.com.au
www.putsandcalls.com

12:

Web- ,
, .
, ,
(11). :

www.nateast.co.uk
www.borganfanley.com

13: /

Web- /,
, . :

www.beatthecrook.com

14: /

Web- /,
, , . :

www.paganfed.demon.co.uk
www.cultdeadcrow.com

15:

Web- ,
, , .
:

www.democrats.org.au
www.political.com

16:

Web- , ,
,
. :

www.sportstoday.com
www.soccerball.com

17: www-Email

Web- www-Email,
Web . :

www.coldmail.com
www.yazoo.com

18: /

Web- / ,
. ,
, ,
. :

www.itstinks.com
www.ratemywaste.com

19:

Web- ,
, .
URL- -,
. :

hastalavista.baby.nu

20:

Web- ,
. :

www.zoogle.com
www.yazoo.com

21:

Web- , ,
, ,
. ,
. :

www.thehealthzone.com
www.safedrugs.com
22:

Web- ,
, . Web-
. :

www.sierra.org
www.walkingclub.org

23:

Web- ,
, ,
. :

www.onlymp3s.com
www.mp3space.com

24:

Web- ,
, , Web-.
, ,
.

25: ,

URL- , ,
. :

www.verynastystuff.com
www.unpleasantvids.com

26:

Web-, , ,
,
. :

highschoolessays.org
www.learn-at-home.com

27:

Web- , ,
. :

www.admessages.com
www.tripleclick.com

28: /

Web- /,
, . URL-
, , .

:

www.the-cocktail-guide.com
www.stiffdrinks.com

29: /IT

Web- /IT,
, . :

www.purplehat.com
www.gnu.org

30: //-

Web- //-,
, -
. :

www.vickys-secre.com
sportspictured.cnn.com/features/2002/swimsuit

31:

Web- ,
. :

kaqsovdij.gjibhgk.info
www.pleaseupdateyourdetails.com

32:

,
. , ,
URL-.

6.3.4.4. HTML-

Web- HTML- ,
, .
Web-, HTTP banner files, NetDefendOS,
, . WebUI ,
. :

CompressionForbidden
ContentForbidden
URLForbidden
RestrictedSiteNotice
ReclassifyURL

ALG Banner Files.


ALG Banner
Files. NetDefendOS.
Default .
.

6.18. Editing an HTML banner file

, URL forbidden HTML:

Web-

1. Objects > HTTP Banner files > Add > ALG Banner Files

2. , new_forbidden OK

3. ALG banner files

4. Edit & Preview

5. URLForbidden Page

6. HTML, Forbidden URL page

7. Preview ,

8. Save,

9. OK,

10. User Authentication > User Authentication Rules

11. HTML ALG Agent Options

12. new_forbidden HTTP Banners

13. OK

14. Configuration > Save & Activate

15. Save, OK

SNMP traps
Alert SNMP trap receiver IP- 195.11.22.55.

:
HTML-
, ,
Save ,
.

SCP

HTTP Banner files SCP.


:

1. SCP HTML ,
WebUI ,
.

2. ALG Banner Files , (-


). mytxt, CLI :

,
.

3. SCP.
HTTPALGBanner mytxt URLForbidden.
URLForbidden my.html, Open SSH SCP
:

SCP- 2.1.6., Secure Copy.

4. CLI HTTP ALG mytxt


banner files. ALG my_http_alg, :

5. , NetDefend
activate, CLI commit.

HTML-

HTML- :

%URL% - URL-

%IPADDR% - IP-

%REASON% -

6.4
6.4.1.

NetDefendOS ,
. Web- HTTP,
FTP, , , , SMTP.
,
, , ,
.
, .

(IDP),
,
, . NetDefendOS
,
, .
IDP ,
. ,
,
.

ALG

NetDefendOS ALG. ,
ALG ALG:

HTTP ALG
FTP ALG
POP3 ALG
SMTP ALG

: NetDefendOS


NetDefend: DFL-260, 860, 1660, 2560
2560G.

6.4.2.

NetDefend,
NetDefendOS ,
. ,
, .


,
NetDefend.
, .

, ALG
, HTTP, FTP, SMTP POP3 ALG. :

, ALGs, .

, ZIP GZIP .

,
. ,
.

,
NetDefend. ,
.

Protocol Specific behavior

(ALG),
NetDefendOS . FTP, ,

, ,
.

IDP

IDP
. ,
.

IDP , ,
IDP, , HTTP,
. ,
, .
, ALG, IDP
.

6.4.3.

ALG

ALG, .
ALG .
ALG .
IP-,
, ALG.


IP- ,
, . IP- ,
ALG ,
IP- / .
, ,
.

6.4.4.

SafeStream

NetDefendOS D-Link
SafeStream. SafeStream
, .
, , ,
backdoor .
.

SafeStream .
, ,
. NetDefendOS SafeStream
,
D-Link.

6.4.5. D-Link

D-Link D-Link
.
SafeStream
.

6.4.6.

ALG, :

1.

:
i. Disabled .
ii. Audit ,
.
iii. Protect .

.

Fail mode behavior -


,
,
. Allow (),
,
,
. , ,
,
, .

2. Scan Exclude

, .
,
, , ,
HTTP.

NetDefendOS MIME , C,
MIME, ,
, .
( ,
C, MIME, ),
.

3.

, NetDefendOS
. ,
. ,
, , .
NetDefendOS
.

,
(Compression Ratio). 10, ,
10 , , .
:

Allow

Scan

Drop

MIME

ALG File Integrity


, , MIME.

MIME- . , .gif ,
, .
, . .gif,
, .
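The compression-ratio limit (item 3 above) and the MIME/extension integrity check described here, as an added example in Python. This is not NetDefendOS code and not from the manual; the magic-number table, the ratio limit of 10, the Drop action and the sample files are constructed for the example. The point worth seeing in code is that the archive's own size fields are never trusted: the archive is inflated in chunks and inspection stops as soon as the produced/compressed ratio passes the limit, so a deliberately lying central directory cannot hide a decompression bomb.

```python
# Added example (not NetDefendOS code): file integrity by magic bytes and a
# streaming compression-ratio check for ZIP downloads. Constants and the
# sample files below are constructed for this example.
import io
import zipfile

MAGIC = {                      # type name -> leading bytes (constructed table)
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "zip": (b"PK\x03\x04",),
    "exe": (b"MZ",),
}
RATIO_LIMIT = 10               # assumed policy value
RATIO_ACTION = "Drop"          # Allow | Scan | Drop, the three choices in the text


def detect_type(data: bytes):
    for name, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return name
    return None


def extension_mismatch(filename: str, data: bytes):
    """Return a reason string when the extension lies about the content."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    real = detect_type(data)
    if real and ext and ext != real:
        return f"declared .{ext} but content is {real}"
    return None


def zip_ratio(data: bytes, limit: float):
    """Return (ratio, exceeded). Inflation stops once the limit is passed."""
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        compressed = sum(i.compress_size for i in zf.infolist()) or 1
        for info in zf.infolist():
            with zf.open(info) as member:
                while chunk := member.read(65536):
                    produced += len(chunk)
                    if produced / compressed > limit:
                        return produced / compressed, True
    return produced / compressed, False


def inspect_file(filename: str, data: bytes) -> str:
    """Decide Drop / Scan / Allow for one downloaded file."""
    if extension_mismatch(filename, data):
        return "Drop"
    if detect_type(data) == "zip":
        _, exceeded = zip_ratio(data, RATIO_LIMIT)
        if exceeded:
            return RATIO_ACTION if RATIO_ACTION != "Scan" else "Scan"
    return "Scan"


def make_zip(name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a renamed executable, a real GIF header, an ordinary
# archive and one that inflates roughly a thousandfold.
RENAMED_EXE = b"MZ\x90\x00" + bytes(60)
REAL_GIF = b"GIF89a" + bytes(20)
NORMAL_ZIP = make_zip("notes.txt", bytes(range(256)) * 4)
BOMB_ZIP = make_zip("zeros.bin", bytes(2_000_000))
```

With RATIO_ACTION set to "Allow" the bomb would be passed through unscanned, which is the risk the text warns about when choosing that setting.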

, .
MIME C, MIME, .

NetDefendOS,
.
, .

.
Web-.

NetDefend
. .

. ,
:

1. , .

2.
.

3. , ,
.
4. ,
.

5. ,
, .

ZoneDefense

ZoneDefense , .

, ZoneDefense ,
.
, NetDefendOS
.

ZoneDefense ,
, .

: FTP
. NetDefendOS . ,
NetDefendOS .
, FTP-

, NetDefendOS . IP-
.

NetDefendOS , ,
ZoneDefense.
.

ALG.
, ,
.

. 12, ZoneDefense.

6.19.
HTTP-, lannet
all-nets. , NAT IP- .

CLI

HTTP Application Layer Gateway (ALG)


:

gw-world:/> set ALG ALG_HTTP anti_virus Antivirus=Protect

HTTP ALG:

gw-world:/> add ServiceTCPUDP http_anti_virus Type=TCP DestinationPorts=80 ALG=anti_virus

NAT :

gw-world:/> set IPRule NATHttp Service=http_anti_virus

Web-

A. HTTP ALG:

1. Objects > ALG > Add > HTTP ALG

2. ALG, , anti_virus

3. Antivirus

4. Protect Mode

5. OK

B. HTTP ALG:

1. Local Objects > Services > Add > TCP/UDP service

2. , , http_anti_virus

3. TCP Type

4. 80 Destination Port

5. HTTP ALG ALG

6. OK

C. NAT ( NATHttp) :

1. Rules > IP Rules

2. NAT lannet all-nets


3. Service

4. , http_anti_virus, Service

5. OK

Web- lannet
all-nets.

6.5.
6.5.1.

, backdoor,
. ,
intrusions ().

, , , ,
. -,
.
, .
NetDefendOS IDP .

(IDP) NetDefendOS,
.
, NetDefend, ,
. , NetDefendOS IDP
, .

IDP

IDP,
:

1. ?

2. ?

3. ?

NetDefendOS IDP

NetDefendOS IDP :

1. IDP-, ,
.

2. Pattern Matching, NetDefendOS IDP ,


IDP- .

3. NetDefendOS IDP , ,
IDP-.

IDP-, Pattern Matching IDP- .


6.5.2. IDP D-Link

Maintenance Advanced IDP

D-Link IDP:

Maintenance IDP

Maintenance IDP IDP NetDefend


DFL-210, 800, 1600 2500.

Maintenance IDP IDP,


Advanced IDP,
.

IDP DFL-260, 860, 1660, 2560 2560G;


Advanced IDP.

Advanced IDP

Advanced IDP IDP


.
12 , IDP.

IDP D-Link NetDefend, ,


Maintenance IDP.

Maintenance IDP , Advanced IDP


, Advanced IDP.

D-Link Advanced IDP

Advanced IDP NetDefendOS.


, IDP NetDefendOS, ,
.

. 6.9. IDP

, NetDefendOS
. HTTP-
D-Link, .
, ,
.

IDP, IPS IDS

Intrusion Detection and Prevention (IDP), Intrusion Prevention System (IPS) Intrusion
Detection System (IDS) D-Link.
IDP.

NetDefendOS,
.
, .

.
Web-.


IDP NetDefend
. .

. ,
:

1. , .

2.
.
3. , ,
.

4. ,
.

5. ,
, .

,
.
. 11, .

6.5.3. IDP-

IDP , . IDP IP-


. IDP
NetDefendOS, , IP-. IDP
/ /, Service,
. IDP.
, IDP .

HTTP

IDP- HTTP.
, ,
URI HTTP-.
(URI),
.

IDP :

UTF8

UTF8 URI.

, ,
, .
,
, ,
.

,
.
%2526, 25%
HTTP- '%', '%26'.
'&'.
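The URI normalisation step described above, as an added example in Python (not NetDefendOS code, not from the manual). Percent-decoding is repeated until the text stops changing, so "%2526" becomes "%26" and then "&"; needing more than one round is itself evidence of deliberate double encoding, and invalid UTF-8 produced by decoding (for instance the overlong "%C0%AF" for "/") is reported rather than silently repaired. The round limit of three and the signature strings are constructed for this example.

```python
# Added example (not NetDefendOS code): iterative percent-decoding with
# double-encoding and bad-UTF-8 detection, then signature matching on the
# normalised form. MAX_ROUNDS and SIGNATURES are constructed for the example.
from urllib.parse import unquote

MAX_ROUNDS = 3          # assumption: deeper nesting is treated as hostile


def normalise_uri(uri: str):
    """Return (decoded_uri, rounds, suspicious)."""
    current, rounds = uri, 0
    for _ in range(MAX_ROUNDS):
        try:
            decoded = unquote(current, encoding="utf-8", errors="strict")
        except UnicodeDecodeError:
            return current, rounds, True          # decoding produced bad UTF-8
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    else:
        return current, rounds, True              # still changing after MAX_ROUNDS
    return current, rounds, rounds > 1


SIGNATURES = (              # constructed sample patterns
    "../",
    "/etc/passwd",
    "<script",
)


def match_uri(uri: str):
    """Match signatures against the normalised form, never the raw request."""
    decoded, rounds, suspicious = normalise_uri(uri)
    hits = [s for s in SIGNATURES if s in decoded]
    return {"decoded": decoded, "rounds": rounds,
            "double_encoded": suspicious, "hits": hits}
```

Matching the raw request "/cgi-bin/%252e%252e/etc/passwd" against "../" would find nothing; matching the normalised form does, and the rounds counter records that the client encoded twice.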

IDP :
1. NetDefendOS .
, IP- ,
IDP. ,
IDP.
IP- , .

2. IDP,
. ,
IDP, , .
, , IDP ,
IP- .

NetDefendOS IDP , ,
IP- , ,
.
.
, .

6.5.4. Insertion/Evasion

IP- Protect against


Insertion/Evasion attack. Insertion/Evasion Attack ,
IDP. , TCP / IP,
,
, . Insertions
Evasions .

Insertion

Insertion , , IDP
,
. .

, , 4 : p1, p2, p3 p4.


p1 p4 .
IDP, , p2 p3, ,
. , p2 p3,
, IDP. IDP
, .
, p2 p3, ,
, ,
IDP.

Evasion

Evasion , Insertion,
: , IDP, ,
, ,
, IDP, .
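The four-packet insertion scenario above (p1 and p4 reach the host, p2 and p3 are accepted only by the sensor), as an added example in Python; it is not NetDefendOS code and not from the manual. Each segment carries a TTL and the end host is a known number of router hops away, so a segment whose TTL is too small never arrives there while a perimeter sensor sees it. The attack stream, the "RETR passwd" signature and the "first data wins" overlap policy are constructed for this example.

```python
# Added example (not NetDefendOS code): an inserted segment that only the
# sensor accepts desynchronises the sensor's view of the TCP stream from the
# host's. Segments, signature and overlap policy are constructed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int
    payload: bytes
    ttl: int


SIGNATURE = b"RETR passwd"

# The second segment is the inserted one: its TTL expires before the host.
ATTACK = (
    Segment(seq=0,  payload=b"RETR ",  ttl=64),
    Segment(seq=5,  payload=b"X",      ttl=2),     # dies in transit
    Segment(seq=5,  payload=b"passwd", ttl=64),
    Segment(seq=11, payload=b"\r\n",   ttl=64),
)


def reassemble(segments, accept):
    """Rebuild the byte stream from the segments that accept(segment) keeps."""
    stream = {}
    for seg in segments:
        if not accept(seg):
            continue
        for i, byte in enumerate(seg.payload):
            stream.setdefault(seg.seq + i, byte)     # first data wins
    if not stream:
        return b""
    return bytes(stream.get(i, ord("?")) for i in range(max(stream) + 1))


def host_view(segments, hops):
    """What the end host, `hops` routers away, actually reassembles."""
    return reassemble(segments, lambda s: s.ttl > hops)


def naive_sensor_view(segments):
    """A sensor that trusts every packet it sees."""
    return reassemble(segments, lambda s: True)


def aware_sensor_view(segments, hops):
    """A sensor that discards what it knows the host will never receive."""
    return host_view(segments, hops)


def detected(view: bytes) -> bool:
    return SIGNATURE in view
```

The naive sensor reassembles "RETR Xasswd" and raises nothing, while the host receives "RETR passwd" and serves the file; a sensor that models the host's acceptance rules sees the same bytes the host does.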

Insertion/Evasion Insertion/Evasion Protect,


NetDefendOS , ,
.

Insertion/Evasion

Insertion/Evasion Attack NetDefendOS


:

Attack Detected, , .

Unable to Detect, , NetDefendOS


TCP / IP, .
.

, Insertion/Evasion IDP-
. :

Increasing throughput ( ) -
, ,
.

Excessive False Positives ( ) -


Insertion/Evasion,
.

6.5.5. IDP

IDP , ,
. ,
, NetDefendOS IDP
. IDP .

, FTP-.
passwd FTP-
FTP RETR passwd. , ASCII
RETR passwd, , .
,
.

, , .
, . , D-Link IDP
, ,
, . ,
, , , ,
.

Advisory

Advisory .
, , .
,
D-Link, Web- D-Link:

http://security.dlink.com.tw

, NetDefend IDS NetDefend Live.

IDP

IDP ,
:

Intrusion Protection Signatures (IPS) ,


. Protect.
.

Intrusion Detection Signatures (IDS) , IPS,


, ,
Protect Audit.

Policy Signatures - .
,
.

6.5.6. IDP

, ,
.
, , , . ,
, FTP-, . ,
, .
, NetDefendOS ,
.

IDP . C Type
, Category Sub-Category.
POLICY_DB_MSSQL , Policy Type, DB
Category MSSQL Sub-Category. 3 :

1.

IDS, IPS Policy. .

2.

. :

BACKUP
DB
DNS
FTP
HTTP

3. Signature Group Sub-Category

, , MSSQL.
, Type Category,
, APP_ITUNES.

IDP

IDP B, IDP.
, Category, Sub-Category, Type IDS, IPS
POLICY.

IDP , Protect,
.
, . .

(Wildcarding) IDP

IDP (Wildcarding).
? .
* .

:
IDP


.
, ,
. , IDP-
IDS_WEB*, IPS_WEB*, IDS_HTTP* and IPS_HTTP*
HTTP-.



,
.

6.5.7. IDP

, , IDP.
IDP-:

Ignore , ,
.
Audit , .
Protect (
" " ZoneDefense,
).

IDP

Protect " " ,


IDP. , , ,
" ", NetDefendOS.
. 6.7,
.

ZoneDefense IDP

Protect D-Link,
IDP, ZoneDefense.
ZoneDefense, . 12, ZoneDefense.

6.5.8. SMTP Log Receiver IDP

IDP,
SMTP Log receiver. IDP,
, .

, IDP, NetDefendOS (Hold Time)


, . ,
, , ,
, Log Threshold. , NetDefendOS
(Minimum Repeat Time) , .

IP- SMTP Log Receivers

SMTP log receiver, IP- . ,


dns: smtp.domain.com .

6.20. SMTP Log Receiver


IDP SMTP Log Receiver. IDP,
. Hold Time, 120 ,
, ( 2 ).
, IDP.
IDP, "" ,
NetDefendOS 600 (10 ). , SMTP-
smtp-server.

CLI

SMTP log receiver:

gw-world:/> add LogReceiver LogReceiverSMTP smtp4IDP IPAddress=smtp-server Receiver1=youremail@yourcompany.com

IDP:

gw-world:/> cc IDPRule examplerule

gw-world:/examplerule> set IDPRuleAction 1 LogEnabled=Yes

Web-

SMTP log receiver:

1. System > Log and Event Receivers > Add > SMTP Event Receiver

2. :

Name: smtp4IDP
SMTP Server: smtp-server
Server Port: 25
email ( 3)
Sender: hostmaster
Subject: Log event from NetDefendOS
Minimum Repeat Delay: 600
Hold Time: 120
Log Threshold: 2
OK

IDP:

1. IDP > IDP Rules

2. Edit

3. , Edit

4. Enable logging Log Settings

5. OK

6.21. IDP
IDP ,
DMZ IP-.
WAN- , .

IDP IDPMailSrvRule, Service SMTP.


, , , .
, , ,
. , .

CLI

IDP:

gw-world:/> add IDPRule Service=smtp SourceInterface=wan SourceNetwork=wannet DestinationInterface=dmz DestinationNetwork=ip_mailserver Name=IDPMailSrvRule

gw-world:/> cc IDPRule IDPMailSrvRule

gw-world:/IDPMailSrvRule> add IDPRuleAction Action=Protect IDPServity=All Signatures=IPS_MAIL_SMTP

Web-

IDP:

IDP IDPMailSrvRule SMTP.


, , , .
, , , .

, .
1. IDP > IDP Rules > Add > IDP Rule

2. :

Name: IDPMailSrvRule
Service: smtp
: , ,
( , , ),
Protect against insertion/evasion attacks.
Source Interface: wan
Source Network: wannet
Destination Interface: dmz
Destination Network: ip_mailserver
OK

, IDP
, NetDefendOS, . ,
, , Protect.
IPS_MAIL_SMTP, ,
, SMTP-.

1. Rule Action IDP

2. :

Action: Protect
Signatures: IPS_MAIL_SMTP
Click OK

, , "Rule Actions"
IDP . Severity All,
SMTP-.

, : , IDP
. IPS_MAIL_SMTP,
, , ..

6.6. Denial-of-Service
6.6.1.
, .
.
,
. ,
IP- , .

, , ,
, .

- -
, .

(DoS), Web-,
.

DoS . ,
DoS ,
- , .

NetDefend
DoS.

6.6.2. DoS
DoS, :

, ,
, CPU.

, , .

, ..
DoS -
(flood) ,
, .
Unix Windows ,

.

DoS:

Ping of Death / Jolt


Fragmentation overlap ( ): Teardrop / Bonk / Boink / Nestea
Land LaTierra
WinNuke
: Smurf, Papasmurf, Fraggle
TCP SYN Flood
Jolt2

6.6.3. Ping of Death Jolt Attacks

Ping of Death 3/4.


- ping -l 65510 1.2.3.4 Windows 95, 1.2.3.4 - IP-
-. Jolt
, ping
.

, -
65535 , ,
16- . ,
.

NetDefendOS , ,
65535 . , IP-
.

Ping of Death Jolt NetDefendOS Ping of Death


LogOversizedPackets. IP-
.

6.6.4. Fragmentation overlap: Teardrop, Bonk, Boink


Nestea
Teardrop - . IP-
( ), .

NetDefendOS .
.

Teardrop NetDefendOS
IllegalFrags. IP- .
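The two fragment checks behind the Ping of Death and Teardrop defences described above, as an added example in Python; it is not NetDefendOS code and not from the manual. A datagram is rejected when any fragment would end beyond the 65535-byte IP total-length limit (the reassembly overflow of Ping of Death and Jolt) or when a fragment starts inside data an earlier fragment already covered (the Teardrop family). The sample fragment sets are constructed for this example.

```python
# Added example (not NetDefendOS code): sanity checks on IP fragment sets.
# Sample fragments below are constructed for the example.
from dataclasses import dataclass

IP_HEADER_LEN = 20
MAX_PAYLOAD = 65535 - IP_HEADER_LEN     # 16-bit total length minus the header


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification field
    offset: int     # fragment offset in 8-byte units, as carried in the header
    more: bool      # MF flag
    length: int     # payload bytes carried by this fragment


def check_fragments(fragments):
    """Return [(ident, reason), ...]; an empty list means every datagram is sane."""
    findings = []
    by_ident = {}
    for f in fragments:
        by_ident.setdefault(f.ident, []).append(f)
    for ident, parts in by_ident.items():
        parts.sort(key=lambda f: f.offset)
        covered_end = 0
        for f in parts:
            start = f.offset * 8
            end = start + f.length
            if end > MAX_PAYLOAD:
                findings.append((ident, "oversized"))        # Ping of Death / Jolt
                break
            if start < covered_end:
                findings.append((ident, "overlap"))          # Teardrop family
                break
            if not f.more and f is not parts[-1]:
                findings.append((ident, "data after last fragment"))
                break
            covered_end = end
    return findings


# Constructed samples (offsets in 8-byte units).
NORMAL = [Fragment(1, 0, True, 1480), Fragment(1, 185, False, 100)]
PING_OF_DEATH = [Fragment(2, 0, True, 1480), Fragment(2, 8189, False, 8)]  # ends at 65520
TEARDROP = [Fragment(3, 0, True, 36), Fragment(3, 3, False, 4)]            # starts at 24, inside 0..36
```

A real implementation also has to bound how long partial datagrams are held and how many may be pending per source, since the attacker never has to send the missing fragments.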

6.6.5. Land LaTierra


Land LaTierra , -
, , , , ..
, .

IP- - Source
Destination.

NetDefendOS Land, IP- .


, NetDefendOS
; , ,
, .

Land LaTierra NetDefendOS


AutoAccess , ,
, , .
IP- , IP- .

6.6.6. WinNuke
WinNuke TCP-,
out-of-band (TCP URG), .
, .

NetBIOS TCP/IP WINDOWS-,


.

NetDefendOS :


. .

URG TCP,
( Advanced Settings> TCP> TCPUrg).

, WinNuke NetDefendOS
, . ,
, TCP DROP ( TCPUrg),
TCPUrg. IP- ;
out-of-band.

6.6.7. : Smurf, Papasmurf,


Fraggle
,
. ,
- .
,
. ,
, , , .

Smurf Papasmurf echo- ICMP


, IP- .
.

Fraggle Smurf, echo- UDP 7.


, Fraggle , echo
.

Smurf NetDefendOS ICMP


Echo Reply. IP-. Fraggle
NetDefendOS (
).
IP-.

, NetDefendOS ,
( Advanced Settings > IP >
DirectedBroadcasts). ,
.

Smurf , ,
-. ,
.
, .

, NetDefendOS ,
, , , -
, .

flood- Smurf Papasmurf ICMP Echo


. FwdFast,
, , , .

Fraggle UDP- ,
. .

Traffic Shaping flood-


.

6.6.8. TCP SYN Flood


TCP SYN Flood TCP
SYN SYN ACK, .
TCP- Web- , ,
SYN,
.

NetDefendOS flood- TCP SYN, SYN Flood Protection


, IP-.
SYN Relay.

flood- http-in,
https-in, smtp-in ssh-in.
, flood- .

SYN Flood

SYN Flood 3-
. NetDefendOS

, , .
5 ,
, NetDefendOS ,
- . ,
, .

SYN Floods

TCP SYN flood NetDefendOS


( , ). IP-
.

ALG flood-

, SYN Flood
, ALG. ALG SYN flood.

6.6.9. Jolt2
Jolt2
-.
.

NetDefendOS .
, , ,
, , .
, .

, ,
Advanced Settings>LengthLim NetDefendOS,
. Jolt2 NetDefendOS.
,
NetDefendOS
LogOversizedPackets. ,
. IP- .

6.6.10. Distributed DoS (DDoS)


DoS- Distributed Denial of Service.
,
DDoS -
. , ,
, , .

DDoS , , ,
, - , .
, DDoS-, Trin00, TribeFlood Network (TFN),
TFN2K Stacheldraht.

6.7.

NetDefendOS IP- ,
.

NetDefendOS
. :

(IDP)

( NetDefend
. 10.3, )

IDP
, Protect .
:

Time to Block Host/Network in , ,


Seconds
, .
,

, (
, ).

Block only this Service


.

Exempt already established


connections from Blacklisting , ,
, .

IP- ,
.


NetDefend .

-, ,
, ,
NetDefendOS . IP-
.

: IP-

NetDefend ,
IP- ,

.

,
, NetDefendOS (,
) .
, .

. 6.5.7, IDP, 10.3.8,


10.3, .

- ,
(. 6.3,
Web-).

CLI blacklist

blacklist ,
.
:

blacklist
-unblock.

7.

NetDefendOS.

, . 334

NAT, . 335

NAT-, . 340

SAT, . 343

7.1.
NetDefendOS IP- ,
NetDefend, () IP-.

IP- .
.

IP-,
. , IP-
.

, ,
. IP-
, .

NetDefendOS :

Dynamic Network Address Translation (NAT) ;

Static Address Translation (SAT) .

NetDefendOS.
/ /,
. NetDefendOS
IP-: NAT- SAT-.

NAT- SAT-.

7.2. NAT
(NAT)
IP- . IP-
. IP- , ,
IP-.

NAT:

IP- IP- ;
IP-.
IP-,
IP-.

NAT IP-

NAT IP- . ,
NAT- IP- IP-
IP- .

, ,
, IP-
. IP- , NetDefendOS
. .. ,
, IP- IP-,
.

NAT.

. 7.1. NAT- IP-

IP- A, B C,
NAT IP- N. .

NAT-, NetDefendOS
.
.

NAT- 64 500.
IP-. IP-
, IP- -
NetDefendOS IP- . IP-
NAT- ,
IP-. 64 500
NetDefend.

:
, NAT-.
,
,
IP-, .
NAT-
NetDefend IP-,
NetDefendOS, NAT-.
IP- .

7.3. NAT-
.

IP- , NAT

NetDefendOS IP- ,
NAT:

IP-

,
. NetDefendOS , IP-
IP- .
IP- .

IP-

IP- IP-.
, IP- ARP , ..
, NetDefend.
, IP-
. , , -
NAT IP- .

IP- NAT-

IP- NAT- IP-,


. IP- NAT
IP- . NAT-
. NAT- NAT-
. 7.3. NAT-.

NAT-

NAT
.

1. 192.168.1.5 1038
195.55.66.77 80.

192.168.1.5:1038 => 195.55.66.77:80

2. Use Interface Address, 195.11.22.33


.
NetDefend 1024.
, 32789. .

195.11.22.33:32789 => 195.55.66.77:80

3. - .

195.55.66.77:80 => 195.11.22.33:32789

4. NetDefendOS
. ,
.

195.55.66.77:80 => 192.168.1.5:1038

5. - .

:

. 7.2. NAT

7.1. NAT-

NAT-,
HTTP- .

CLI

-, IP- main:

gw-world:/> cc IPRuleSet main

, IP-:

gw-world:/main> add IPRule Action=NAT Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=any DestinationNetwork=all-nets Name=NAT_HTTP NATAction=UseInterfaceAddress

gw-world:/main> cc

Web-

1. Rules > IP Rules > Add > IPRule

2. , , NAT_HTTP

3. :

Action: NAT

Service: http

Source Interface: lan

Source Network: lannet

Destination Interface: any

Destination Network: all-nets

4. , NAT Use Interface Address

5. OK

NAT

TCP, UDP
ICMP, ,
, .
IP-, ,
.


, IP-;


, IP-;


, IP-;


, IP-;


, IP-.

:
IP-
IP-
, OSPF L2TP.
TCP, UDP ICMP.
telnet, FTP, HTTP SMTP, TCP
UDP.

NetDefendOS
TCP UDP, , ..
IP-.

- NAT

NAT NetDefendOS
.
, IP- ,
.

, NetDefend PPTP-
PPTP- PPTP-. ,
, -, PPTP.
, NetDefend,
, PPTP-, PPTP-.
.

. 7.3. NAT.

IP- NetDefendOS NAT-.


NAT .
PPTP-. PPTP- .
, PPTP.

, , , Web- ,
IP- IP- .
,
PPTP-. IP- , ..
PPTP- NetDefendOS.

,
IP-. IP-,
.

,
,
.

PPTP- L2TP, .
9.5.4, PPTP/L2TP-.

7.3. NAT-

(Network Address Translation, NAT)


IP-
IP- (
7.2., NAT). IP-
, NAT-,
IP- .

NAT- ,
. NetDefendOS 65 000
IP- IP- .
, , ,
.

, -.

IP- NAT-
IP-.

NAT-

NAT-,
:

Stateful ( )

Stateless ( )

Fixed ()

NAT- .

NAT- Stateful
NAT- Stateful, NetDefendOS
IP-,
, , .
NetDefendOS.
/ IP-.


- ,
IP- ,
HTTP, cookies-.
, NetDefendOS
,
.


, (State Keepalive)
, ,
. NetDefendOS ,

. ,

IP- NAT-.

.. , ,
Max States NAT-. ,
.
NetDefend, ,
. Max
States, , .
, . ,
Max States
.

NAT- , , NAT-
IP- NAT,
.

NAT- Stateless
NAT- Stateless, , ,
IP-, , IP-
. ..
IP-
.

NAT- Stateless ,

IP-
. ,
. ,
, IP-.

NAT- Fixed
NAT- Fixed, ,
IP- .
,
, ,
IP-.

Fixed ,

. ,

.

IP-
IP- NAT- .
IP- NetDefendOS. IP- IP-
DHCP- IP- NAT-.
5.4, IP-.

Proxy ARP
ARP- NetDefend,
ARP- NetDefendOS IP- NAT-.
,
Proxy ARP.

NAT- ,
NAT- . Proxy ARP
NAT- , ,
, . ,
, Proxy ARP NAT-,
.

NAT-
NAT- IP- NAT.
NAT- NAT-,
. NAT-
.

7.2. NAT-

NAT- IP- 10.6.13.10


10.16.13.15, IP- NAT HTTP- WAN-.

Web-

. -, :

1. Objects > Address Book > Add > IP address

2. IP- , , nat_pool_range

3. 10.6.13.10 10.16.13.15 IP Address ( ,


10.6.13.0/24 IP- 0 255 ).

4. OK

. NAT- Stateful stateful_natpool:

1. Objects > NAT Pools > Add > NAT Pool


2. :

Name: stateful_natpool

Pool type: stateful

IP Range: nat_pool_range

3. Proxy ARP WAN-.

4. OK

. NAT- IP-:

1. Rules > IP Rules > Add > IP Rule

2. General :

Name: , nat_pool_rule

Action: NAT

3. Address filter :

Source Interface: int

Source Network: int-net

Destination Interface: wan

Destination Network: all-nets

Service: HTTP

4. NAT:

Use NAT Pool

stateful_natpool

5. OK

7.4. SAT
NetDefendOS IP- / .

,
/.
NetDefendOS (Static
Address Translation, SAT).

: Port forwarding ( )

port forwarding SAT.
.

SAT IP-
NAT, SAT IP-, . SAT-
, , ,
NetDefendOS SAT-.
Allow, NAT- FwdFast-. ,
SAT- .

SAT- . ,
, , Allow, ,
.

IP-

IP- SAT , , , Allow
IP- .
Allow , ,
SAT-.

, SAT- 1.1.1.1 2.2.2.2,


1.1.1.1,
2.2.2.2.

.
NetDefendOS ,
.

7.4.1. IP-
SAT IP-.

DMZ IP-.

DMZ

(Demilitarized Zone, DMZ).

DMZ ,
, .

.

DMZ,
, NetDefendOS
DMZ
, DMZ-.

7.4.
NetDefend, DMZ,
LAN .

7.4. DMZ.

: DMZ
NetDefend D-link
Ethernet-,
DMZ
DMZ-. ,
, Ethernet-
DMZ.

7.3. WEB- DMZ

SAT-,
WEB-, DMZ. NetDefend
WAN- wan_ip, IP- 195.55.66.77. IP-
WEB- 10.10.10.5. DMZ-.

CLI

-, IP- main:

gw-world:/> cc IPRuleSet main

, IP- SAT:

gw-world:/main> add IPRule Action=SAT Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=core DestinationNetwork=wan_ip SATTranslate=DestinationIP SATTranslateToIP=10.10.10.5 Name=SAT_HTTP_To_DMZ

Allow

gw-world:/main> add IPRule Action=Allow Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=core DestinationNetwork=wan_ip Name=Allow_HTTP_To_DMZ

Web-

-, SAT-:

1. Rules > IP Rules > Add > IPRule

2. SAT- , , SAT_HTTP_To_DMZ

3. :

Action: SAT

Service: http

Source Interface: any

Source Network: all-nets

Destination Interface: core

Destination Network: wan_ip

4. , SAT Destination IP Address.

5. New IP Address 10.10.10.5.

6. OK

Allow

1. Rules > IP Rules > Add > IPRule

2. , , Allow_HTTP_To_DMZ:

3. :

Action: Allow

Service: http

Source Interface: any

Source Network: all-nets

Destination Interface: core

Destination Network: wan_ip

4. Service Predefined http:

5. OK

7.3. , :


#  Action  Src Iface  Src Net   Dest Iface  Dest Net  Service  SAT
1  SAT     any        all-nets  core        wan_ip    http     SETDEST 10.10.10.5 80
2  Allow   any        all-nets  core        wan_ip    http

WEB- IP- NetDefend.


1 , , ,
2 .

, ,
. NAT-,
:

#  Action  Src Iface  Src Net   Dest Iface  Dest Net  Service
3  NAT     lan        lannet    any         all-nets  All

,
, , .. , IP-
DMZ. 2, ,
WAN- 80 wan_ip, , ..
. ,
DMZ ,
; , DMZ.

1. 2 , .

2. 2 3, NAT-
Allow.

? .
.

, , ext2 NetDefend
, .

1, :

#  Action  Src Iface  Src Net   Dest Iface  Dest Net  Service  SAT
1  SAT     any        all-nets  core        wan_ip    http     SETDEST 10.10.10.5 80
2  Allow   wan        all-nets  core        wan_ip    http
3  Allow   ext2       ext2net   core        wan_ip    http
4  NAT     lan        lannet    any         all-nets  All

, WEB-.

, .

2, :

#  Action  Src Iface  Src Net   Dest Iface  Dest Net  Service  SAT
1  SAT     any        all-nets  core        wan_ip    http     SETDEST 10.10.10.5 80
2  NAT     lan        lannet    any         all-nets  All
3  Allow   any        all-nets  core        wan_ip    http

,
WEB-.
, WEB-, ,
WEB-, Drop-.

7.4. WEB-

WEB- IP-, .
, .. WEB- ,
, DMZ. , ..
.

WEB-,
. 80 IP-
NetDefend 80 WEB-:


#  Action  Src Iface  Src Net   Dest Iface  Dest Net  Service  SAT action
1  SAT     any        all-nets  core        wan_ip    http     SETDEST wwwsrv 80
2  Allow   any        all-nets  core        wan_ip    http

WEB- IP- NetDefend.


1 , , ,
2 .

,
. ,
NAT:


#  Action  Src Iface  Src Net  Dest Iface  Dest Net  Service
3  NAT     lan        lannet   any         all-nets  All

, .

The example uses the following IP addresses:

wan_ip (195.55.66.77)  the public IP address of the NetDefend Firewall

lan_ip (10.0.0.1)  the private IP address of the NetDefend Firewall on the lan interface

wwwsrv (10.0.0.2)  the private IP address of the web server

PC1 (10.0.0.3)  a client machine on the internal network

PC1 sends a packet to wan_ip in order to reach www.ourcompany.com:

10.0.0.3:1038 => 195.55.66.77:80

NetDefendOS translates the destination according to rule 1 and forwards the packet according to rule 2:

10.0.0.3:1038 => 10.0.0.2:80

The web server wwwsrv replies:

10.0.0.2:80 => 10.0.0.3:1038

This reply is delivered directly to PC1, which does not recognise it: PC1 sent a packet to 195.55.66.77:80, but the reply comes from 10.0.0.2:80. PC1 therefore discards the reply and keeps waiting for one from 195.55.66.77:80.

If the rule set is changed as described for Example 7.3, so that the NAT rule is placed before the Allow rule as rule 2, the result is:

#  Action  Src Iface  Src Net   Dest Iface  Dest Net  Service  SAT action
1  SAT     any        all-nets  core        wan_ip    http     SETDEST wwwsrv 80
2  NAT     lan        lannet    any         all-nets  All
3  Allow   any        all-nets  core        wan_ip    http

PC1 sends a packet to wan_ip in order to reach www.ourcompany.com:

10.0.0.3:1038 => 195.55.66.77:80

NetDefendOS translates the destination according to rule 1 and the source according to rule 2:

10.0.0.1:32789 => 10.0.0.2:80

The web server wwwsrv replies:

10.0.0.2:80 => 10.0.0.1:32789

NetDefendOS reverses both translations and forwards the reply:

195.55.66.77:80 => 10.0.0.3:1038

PC1 receives the reply it was expecting.


10.0.0.2.
, , .

7.4.2. Translation of Multiple IP Addresses (N:N)

A single SAT rule can translate a whole range of IP addresses. The translation is one-to-one: each address in the original range is mapped, in order, to the corresponding address in the new range.

For example, a SAT rule that translates the network 194.1.2.16/29 to the base address 192.168.0.50 maps the addresses as follows:

194.1.2.16  ->  192.168.0.50
194.1.2.17  ->  192.168.0.51
194.1.2.18  ->  192.168.0.52
194.1.2.19  ->  192.168.0.53
194.1.2.20  ->  192.168.0.54
194.1.2.21  ->  192.168.0.55
194.1.2.22  ->  192.168.0.56
194.1.2.23  ->  192.168.0.57

Traffic to 194.1.2.16 is therefore sent to 192.168.0.50.

Traffic to 194.1.2.22 is sent to 192.168.0.56.

,
, DMZ, IP-
.

Example 7.5. Translating traffic to multiple protected web servers

This example shows how a SAT rule is used to translate traffic to several web servers located on the DMZ. The NetDefend Firewall is connected to the Internet through the wan interface; the web servers have the IP addresses 10.10.10.5 to 10.10.10.9 and are reached through the dmz interface.

The following steps are needed:

Define an address object for the public IP addresses.

Define another address object for the base of the web servers' private IP addresses.

Publish the public IP addresses on the wan interface using ARP.

Create a SAT rule that performs the translation.

Create an Allow rule that permits the incoming HTTP connections.

Command-Line Interface

Create an address object for the public IP addresses:

gw-world:/> add Address IP4Address wwwsrv_pub
        Address=195.55.66.77-195.55.66.81

Now create another address object for the base of the web server IP addresses:

gw-world:/> add Address IP4Address wwwsrv_priv_base
        Address=10.10.10.5

Publish the five public IP addresses on the wan interface using ARP. Five ARP objects are needed, one per address; the first one is:

gw-world:/> add ARP Interface=wan IP=195.55.66.77 Mode=Publish

Repeat this for the remaining four public IP addresses.

Change the current category to be the main IP rule set:

gw-world:/> cc IPRuleSet main

Create the SAT rule for the translation:

gw-world:/main> add IPRule Action=SAT Service=http
        SourceInterface=any
        SourceNetwork=all-nets
        DestinationInterface=wan
        DestinationNetwork=wwwsrv_pub
        SATTranslateToIP=wwwsrv_priv_base
        SATTranslate=DestinationIP

Finally, create the associated Allow rule:

gw-world:/main> add IPRule Action=Allow Service=http
        SourceInterface=any
        SourceNetwork=all-nets
        DestinationInterface=wan
        DestinationNetwork=wwwsrv_pub

Web Interface

Create an address object for the public IP addresses:

1. Go to Objects > Address Book > Add > IP address

2. Specify a suitable name for the object, for example wwwsrv_pub

3. Enter 195.55.66.77-195.55.66.81 as the IP Address

4. Click OK

Now create another address object for the base of the web server IP addresses:

1. Go to Objects > Address Book > Add > IP address

2. Specify a suitable name for the object, for example wwwsrv_priv_base

3. Enter 10.10.10.5 as the IP Address

4. Click OK

Publish the five public IP addresses on the wan interface using ARP. Five ARP objects are needed, one per address; the first one is:

1. Go to Interfaces > ARP > Add > ARP

2. Now enter:

Mode: Publish

Interface: wan

IP Address: 195.55.66.77

3. Click OK and repeat for all five public IP addresses.

Create the SAT rule for the translation:

1. Go to Rules > IP Rules > Add > IPRule

2. Specify a suitable name for the rule, for example SAT_HTTP_To_DMZ

3. Now enter:

Action: SAT

Service: http

Source Interface: any

Source Network: all-nets

Destination Interface: wan

Destination Network: wwwsrv_pub

4. Go to the SAT tab

5. Make sure that the Destination IP Address option is selected

6. In the New IP Address dropdown list, select wwwsrv_priv_base

7. Click OK

Finally, create the associated Allow rule:

1. Go to Rules > IP Rules > Add > IPRule

2. Specify a suitable name for the rule, for example Allow_HTTP_To_DMZ

3. Now enter:

Action: Allow

Service: http

Source Interface: any

Source Network: all-nets

Destination Interface: wan

Destination Network: wwwsrv_pub

4. Click OK

7.4.3. All-to-One Mappings (N:1)

NetDefendOS can also translate several IP addresses or networks to a single IP address.

#  Action  Src Iface  Src Net   Dest Iface  Dest Net                            Service  SAT action
1  SAT     any        all-nets  wan         194.1.2.16, 194.1.2.20, 194.1.2.30  http     SETDEST all-to-one 192.168.0.50 80

This rule translates all traffic to 194.1.2.16, 194.1.2.20 and 194.1.2.30 to the single IP address 192.168.0.50:

Traffic to 194.1.2.16:80 is sent to 192.168.0.50:80.

Traffic to 194.1.2.30:80 is sent to 192.168.0.50:80.

:
(all-nets),
.

7.4.4. Port Translation

Port Address Translation (PAT) is used to translate a range of ports rather than a range of addresses.

#  Action  Src Iface  Src Net   Dest Iface  Dest Net    Service    SAT action
1  SAT     any        all-nets  wan         wwwsrv_pub  TCP 80-85  SETDEST 192.168.0.50 1080

This rule translates the port range 80 to 85 one-to-one onto the range 1080 to 1085:

Traffic to port 80 on the web server's public address reaches port 1080 on the web server.

Traffic to port 84 on the web server's public address reaches port 1084 on the web server.

Note: Port translation requires a Custom Service.
Port translation is only possible when the SAT rule uses a Custom Service object that specifies the port range; the predefined service objects cannot be used for this.

7.4.5. SAT
,
. ,
, ,
.

, SAT,
NAT. .

, .
VPN-.

IP- TCP UDP, , IP-,


. FTP Logon
NT NetBIOS.


, ,
.

,
. , VPN-, ,
,
.

7.4.6. SAT-
NetDefendOS SAT-,
Allow, NAT- FwdFast-. ,
NetDefendOS .

SAT-, , .
SAT-,
, .


#  Action  Src Iface  Src Net   Dest Iface  Dest Net    Service    SAT action
1  SAT     any        all-nets  core        wwwsrv_pub  TCP 80-85  SETDEST 192.168.0.50 1080
2  SAT     lan        lannet    any         all-nets    Standard   SETSRC pubnet

, , .
pubnet
. ,
WEB- .


#  Action  Src Iface  Src Net   Dest Iface  Dest Net    Service    SAT action
1  SAT     lan        lannet    any         wwwsrv_pub  TCP 80-85  SETDEST intrasrv 1080
2  SAT     any        all-nets  any         wwwsrv_pub  TCP 80-85  SETDEST wwwsrv-priv 1080
,
. WEB-
, .
WEB-,
WEB-.

, ,
Allow.

7.4.7. SAT- FwdFast-


FwdFast-,
.


FwdFast- WEB-, .


#  Action   Src Iface  Src Net   Dest Iface  Dest Net  Service    SAT action
1  SAT      any        all-nets  core        wan_ip    http       SETDEST wwwsrv 80
2  SAT      lan        wwwsrv    any         all-nets  80 -> All  SETSRC wan_ip 80
3  FwdFast  any        all-nets  core        wan_ip    http
4  FwdFast  lan        wwwsrv    any         all-nets  80 -> All

NAT-,
.


#  Action  Src Iface  Src Net  Dest Iface  Dest Net  Service
1  NAT     lan        lannet   any         all-nets  All

Traffic from the Internet to wan_ip:80 matches rules 1 and 3 and is sent to wwwsrv. Correct.

Traffic from wwwsrv:80 matches rules 2 and 4 and is sent out as coming from wan_ip:80. Correct.

Traffic from the internal network to wan_ip:80 matches rules 1 and 3 and is sent to wwwsrv. This does not work: the reply from wwwsrv goes straight to the internal client as wwwsrv:80 without passing the firewall, while the client expects a reply from wan_ip:80, so it discards the reply.

, NAT- SAT-
FwdFast-.


#  Action   Src Iface  Src Net   Dest Iface  Dest Net  Service    SAT action
1  SAT      any        all-nets  core        wan_ip    http       SETDEST wwwsrv 80
2  SAT      lan        wwwsrv    any         all-nets  80 -> All  SETSRC wan_ip 80
3  NAT      lan        lannet    any         all-nets  All
4  FwdFast  any        all-nets  core        wan_ip    http
5  FwdFast  lan        wwwsrv    any         all-nets  80 -> All

, .

Traffic from the internal network to wan_ip:80 matches rules 1 and 3 and is sent to wwwsrv with the client's address translated. Correct.

Traffic from wwwsrv:80 matches rules 2 and 3, so it is NATed instead of being forwarded by the FwdFast rule and leaves with a translated source port rather than as wan_ip:80. That is not what was intended, so the rules have to be reordered:
:


#  Action   Src Iface  Src Net   Dest Iface  Dest Net  Service    SAT action
1  SAT      any        all-nets  core        wan_ip    http       SETDEST wwwsrv 80
2  SAT      lan        wwwsrv    any         all-nets  80 -> All  SETSRC wan_ip 80
3  FwdFast  lan        wwwsrv    any         all-nets  80 -> All
4  NAT      lan        lannet    any         all-nets  All
5  FwdFast  any        all-nets  core        wan_ip    http

Traffic from the Internet to wan_ip:80 matches rules 1 and 5 and is sent to wwwsrv.

Traffic from wwwsrv:80 matches rules 2 and 3 and is sent out as coming from wan_ip:80.

Traffic from the internal network to wan_ip:80 matches rules 1 and 4 and is sent to wwwsrv with the source translated to the firewall's IP address, so the server's reply comes back through the NetDefend Firewall.

The FwdFast rules are handled statelessly, while the NAT rule relies on the stateful inspection of the NetDefend Firewall to match the returning traffic.
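The rule ordering of Examples 7.3 and 7.4, the N:N mapping of Section 7.4.2, the all-to-one mapping of 7.4.3, the port translation of 7.4.4 and the requirement of 7.4.6 and 7.4.7 that a SAT match is followed by a matching Allow, NAT or FwdFast rule can be checked against a small model of the rule-set evaluation. The following Python script is an added example and not NetDefendOS code; the interface names, the routing table, the firewall's own addresses, the rules and the NAT source port 32789 are all constructed to mirror Examples 7.3 and 7.4.

```python
"""Toy model of NetDefendOS IP rule evaluation for SAT, Allow and NAT.

Added example, not D-Link code.  It models only what the manual states:
the first matching SAT rule is remembered and the search continues; the
first matching non-SAT rule (Allow/NAT/FwdFast) decides the action, and a
SAT match without one is a drop; SETDEST maps a range one-to-one onto a
base address (N:N), a list of addresses onto one (all-to-one) and can
re-base the port; NAT replaces the source with the firewall's own address
on the egress interface.  Topology, rules and port 32789 are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace

@dataclass
class Pkt:
    iface: str      # interface the packet arrived on ("lan", "wan", ...)
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Rule:
    action: str     # "SAT", "Allow", "NAT" or "FwdFast"
    src_if: str     # "any" or an interface name
    src_net: str    # CIDR, "all-nets" or a comma separated list of CIDRs
    dst_if: str
    dst_net: str
    ports: range    # destination ports covered by the service
    setdest: str = ""         # SAT: base IP to translate to
    setport: int = 0          # SAT: base port, 0 keeps the original port
    all_to_one: bool = False  # SAT: map every matched address to setdest

# The firewall's own addresses (destination interface "core") and its routes.
FW_IPS = {"195.55.66.77": "wan", "10.0.0.1": "lan", "10.10.10.1": "dmz"}
ROUTES = [("10.0.0.0/24", "lan"), ("10.10.10.0/24", "dmz"), ("0.0.0.0/0", "wan")]

def iface_for(ip):
    """Interface NetDefendOS would route `ip` to; 'core' for its own IPs."""
    if ip in FW_IPS:
        return "core"
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(n), i) for n, i in ROUTES if addr in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]   # longest prefix wins

def in_net(ip, spec):
    if spec == "all-nets":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in spec.split(","))

def matches(rule, pkt):
    return (rule.src_if in ("any", pkt.iface) and in_net(pkt.src, rule.src_net)
            and rule.dst_if in ("any", iface_for(pkt.dst)) and in_net(pkt.dst, rule.dst_net)
            and pkt.dport in rule.ports)

def apply_setdest(rule, pkt):
    """Rewrite the destination of `pkt` as the SAT rule `rule` specifies."""
    base = ipaddress.ip_address(rule.setdest)
    if rule.all_to_one or rule.dst_net == "all-nets":
        new_ip = base
    else:   # N:N - keep the offset of the address inside the matched range
        first = ipaddress.ip_network(rule.dst_net, strict=False).network_address
        new_ip = base + (int(ipaddress.ip_address(pkt.dst)) - int(first))
    new_port = rule.setport + (pkt.dport - rule.ports.start) if rule.setport else pkt.dport
    return replace(pkt, dst=str(new_ip), dport=new_port)

def evaluate(rules, pkt):
    """Return (action, outgoing packet); ("Drop", None) if no rule applies."""
    sat = None
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "SAT":
            sat = sat or rule                   # only the first SAT match counts
            continue
        out = apply_setdest(sat, pkt) if sat else pkt
        if rule.action == "NAT":                # hide the client behind the egress address
            egress = iface_for(out.dst)
            out = replace(out, src=next(ip for ip, i in FW_IPS.items() if i == egress), sport=32789)
        return rule.action, out
    return "Drop", None                         # a lone SAT match is not enough

def reply_passes_firewall(out):
    """The server answers out.src; that only reaches the firewall if the source
    was NATed or the client sits behind a different interface than the server."""
    return out.src in FW_IPS or iface_for(out.src) != iface_for(out.dst)

# Constructed rule set of Example 7.4 (wwwsrv = 10.0.0.2) and a packet from PC1.
HTTP = range(80, 81)
SAT_RULE = Rule("SAT", "any", "all-nets", "core", "195.55.66.77/32", HTTP, setdest="10.0.0.2")
ALLOW_RULE = Rule("Allow", "any", "all-nets", "core", "195.55.66.77/32", HTTP)
NAT_RULE = Rule("NAT", "lan", "10.0.0.0/24", "any", "all-nets", range(0, 65536))
PC1_TO_WAN_IP = Pkt("lan", "10.0.0.3", 1038, "195.55.66.77", 80)
```

Running `evaluate([SAT_RULE, ALLOW_RULE, NAT_RULE], PC1_TO_WAN_IP)` reproduces the broken order of Example 7.4 (the reply never passes the firewall), while `evaluate([SAT_RULE, NAT_RULE, ALLOW_RULE], PC1_TO_WAN_IP)` shows the client hidden behind lan_ip; a client on the wan side gets the same result either way.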

8.

NetDefendOS.

HTML-

8.1.

NetDefend, , .

NetDefend,
, .

,
.
.

. : ,
, .

. - : , -, X.509,
.

. -: , .

() , ,
.
() ()
. : , -
, - .
() () , , , -
PIN-.

,

.
NetDefend HTTP.


, ,
.

8 , ;

( ,
);

, , .

8.2.
8.2.1.
(User Authentication)
NetDefendOS :

(Authentication Source),
, .
:

1. ,
NetDefendOS.

2. RADIUS, NetDefendOS.

3. LDAP, NetDefendOS.

(Authentication Rule), , ,

.
8.2.5 .

, IP- IP- ,
. IP-
originator IP
(Authentication Group).

IP-, , ,
IP-, .

8.2.2. .

8.2.3. RADIUS.

8.2.4. LDAP.

8.2.5. .

8.2.2.
NetDefendOS,
.
WEB- .

.


. (
administrators auditors, ),
.
. ,
IP-, IP-.

IP-

(Source Network) IP- IP-,


. , IP-
,
.


IP-, .
, IP- ,
, .

, ,
:

administrators

NetDefendOS WEB-,

NetDefendOS.

auditors

administrators, ,
auditors , .

PPTP/L2TP

NetDefend PPTP/L2TP, ,
NetDefendOS,
:

IP- (Static Client IP Address)

IP-, .
, IP-.
IP-.

(Network behind user)

, ,
main NetDefendOS .
, ,
, PPTP/L2TP .

:


. , all-nets ( )
.

(Metric for Networks)

(Network behind user) , ,


NetDefendOS, .
, ,
.

:
PPTP/L2TP .

SSH

PPTP/L2TP-
/.
SSH
Client Key NetDefendOS.
.
.

, SSH Client Key


NetDefendOS .
(Authentication Objects) WEB-.
, .

8.2.3. RADIUS


.
,
.
, NetDefendOS,
/.
NetDefendOS RADIUS (Remote Authentication Dial-in
User Service).

RADIUS NetDefendOS
NetDefendOS RADIUS,
RADIUS-, RADIUS-.
RADIUS-
. NetDefendOS
.

RADIUS
(shared secret)
RADIUS- RADIUS-.
, RADIUS- ,
. 100 .

RADIUS PPP
RADIUS-, PPP, PAP CHAP. RADIUS-
UDP- UDP 1812.


RADIUS- .
administrators auditors.

8.2.4. LDAP
LDAP (Lightweight Directory Access Protocol )
NetDefendOS .
NetDefend
LDAP-. , ,
.

LDAP-
LDAP-.

LDAP-
NetDefendOS.

LDAP-
.

LDAP- , . ,
, .

.
,
.

, LDAP
LDAP- , , RADIUS.
, LDAP- NetDefendOS,
. :

LDAP- . NetDefendOS
LDAP-,

.

PPTP- L2TP-
LDAP-. .

Microsoft Active Directory LDAP-


Active Directory Microsoft NetDefendOS
LDAP-. LDAP- NetDefendOS ,
Active Directory (Name Attribute).
SAMAccountName.
LDAP-
NetDefendOS LDAP-.
NetDefendOS , LDAP- ,
.

LDAP- NetDefendOS, ..
LDAP-
LDAP. LDAP- (schema) LDAP- ,
LDAP- (attribute).

LDAP-
, LDAP, . :

(Name);

(Membership);

(Password).

LDAP- (LDAP attribute) , (


) .
,
.

-, LDAP-
.
.

(Name)

, NetDefendOS. ,
NetDefendOS , .

, .
NetDefendOS, LDAP-.

IP- (IP Address)

IP- LDAP-.

(Port)

LDAP-, ,
TCP/IP.

389.

- (Timeout)

, LDAP-
. ,
.

- 5 .

(Name Attribute)

LDAP-
. NetDefendOS uid,
UNIX.

Microsoft Active Directory,

SAMAccountName ( ).
Active Directory,
SAMAccountName Account.

: LDAP-

LDAP-
.

(Retrieve Group Membership)

, ,
LDAP-.
- .

,
.

(Membership Attribute)

, .

( administrators auditors)
NetDefendOS. ,
.
MemberOf.

Microsoft Active Directory , ,


MemberOf, .

(Use Domain Name)


. ,
LDAP-, , myldapserver. Use Domain Name
:

) None . ,
testuser.

) Username Prefix
. , myldapserver/testuser.

) Username Postfix
@ . , testuser@myldapserver.

None,
.

LDAP- -,
. Windows Active
Directory Postfix.

(Routing Table)

NetDefendOS,
IP- .
main.

(Base Object)

,
LDAP.

, LDAP-,
.
. LDAP-, ..
, .

:

,
,
.
.

domainComponent (DC).
myldapserver.local.eu.com ,
:
DC=myldapserver,DC=local,DC=eu,DC=com

myldapserver.

(Administrator Account)

LDAP- , , ,
.
.
(.
).

/ (Password/Confirm Password)

, .

(Domain Name)

. Domain Name
. , ,
myldapserver.
, , , myldapserver.local.eu.com.

, (Server Type) Other.

, , LDAP-
BIND-.

(Password Attribute)

LDAP- .
userPassword.

, , LDAP-
, PPP CHAP, MS-CHAPv1
MS-CHAPv2.

,
LDAP, . LDAP-
, .
.

BIND-

LDAP-
LDAP- BIND- (Bind Request Authentication).
, LDAP- ,
.

BIND- LDAP-.
, LDAP- .

LDAP-
NetDefendOS LDAP- ,
:

, .

PPP CHAP, MS-CHAPv1 MS-CHAPv2,


, NetDefendOS (
).

, .

-, .
, .
,
.



LDAP- , .
mydomain.com, myuser
myuser@mydomain.com. LDAP- myuser@domain,
mydomain.com\myuser mydomain\myuser.
, .


LDAP-
:

Using the CLI with LDAP servers

In the CLI, an LDAP server used for user authentication is an LDAPDatabase object (an LDAP server used for certificate retrieval is a different object, LDAPServer).

To show the settings of an LDAP server object that NetDefendOS uses for authentication:

gw-world:/> show LDAPDatabase <object_name>

To list all defined LDAP authentication servers:

gw-world:/> show LDAPDatabase

LDAP- PPP
PPP- PPTP L2TP LDAP-
CHAP, MS-CHAPv1 MS-CHAPv2 ,
. : () PPP-
() PPP- .

. LDAP-

LDAP- Webauth, XAuth, PPP


PAP . BIND-
LDAP-,
BIND- .

8.1. LDAP-.

, LDAP-
,
.

. PPP- CHAP, MS-CHAPv1 MS-CHAPv2

PPP CHAP, MS-CHAPv1 MS-CHAPv2,


NetDefendOS .
LDAP-, .. . NetDefendOS
LDAP-, .
, .
LDAP-, NetDefendOS.

LDAP- :

NetDefendOS.
LDAP-, .


( LDAP- userPassword).
description LDAP.


, LDAP- ,
. LDAP-
, .

.

, ,
LDAP-,
. ,
LDAP PPP- CHAP, MS-CHAPv1 MS-
CHAPv2 .

NetDefendOS ,
(Search Request) LDAP-. (Search Response),
- .
NetDefendOS . 8.2 .

8.2. LDAP PPP CHAP, MS-CHAPv1 MS-CHAPv2

: LDAP-

LDAP- NetDefendOS
, NetDefend
. , ,
, VPN-.

LDAP- ,
.
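The bind request authentication described above is an ordinary LDAPv3 simple bind, and seeing its wire format explains the restriction on PPP: the following Python script encodes a BindRequest, decodes it again to show that the user's DN and password travel as plain OCTET STRINGs, and parses the BindResponse result code. It is an added example, not NetDefendOS code; the DN, password and the response bytes are constructed, not captured from a real directory. Because a firewall that only received a CHAP or MS-CHAP challenge response never holds the clear-text password, it cannot build this request and has to read the password attribute back from the server instead.

```python
"""LDAPv3 simple bind on the wire (RFC 4511, BER framing).

Added example, not NetDefendOS code.  bind_request() builds the message a
client sends for 'bind request authentication', parse_bind_request() shows
that DN and password are readable, and parse_bind_response() extracts the
result code (0 = success, 49 = invalidCredentials).  Sample messages are
constructed with the same encoder; none were captured from a real server.
"""

def _ber_len(n):
    """Definite-form length: one byte below 128, 0x8N followed by N bytes above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(tag, value):
    """INTEGER/ENUMERATED; the extra bit keeps positive values positive."""
    return _tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { 3, name, simple } }"""
    op = (_ber_int(0x02, 3)                           # version 3
          + _tlv(0x04, dn.encode("utf-8"))            # name: LDAPDN
          + _tlv(0x80, password.encode("utf-8")))     # authentication: simple [0]
    return _tlv(0x30, _ber_int(0x02, msg_id) + _tlv(0x60, op))

def bind_response(msg_id, result_code, diagnostic=""):
    """BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage }"""
    op = _ber_int(0x0A, result_code) + _tlv(0x04, b"") + _tlv(0x04, diagnostic.encode("utf-8"))
    return _tlv(0x30, _ber_int(0x02, msg_id) + _tlv(0x61, op))

def _read_tlv(buf, pos):
    """Return (tag, value, position after the element); raises on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("BER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def _message(buf, expected_op):
    """Unwrap LDAPMessage -> (messageID, protocolOp bytes), checking the op tag."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != expected_op:
        raise ValueError("unexpected protocolOp 0x%02x" % tag)
    return int.from_bytes(mid, "big"), op

def parse_bind_request(buf):
    """-> (messageID, version, dn, password): everything is readable on the wire."""
    mid, op = _message(buf, 0x60)
    _, ver, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    tag, cred, _ = _read_tlv(op, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind")
    return mid, int.from_bytes(ver, "big"), dn.decode("utf-8"), cred.decode("utf-8")

def parse_bind_response(buf):
    """-> (messageID, resultCode, diagnosticMessage)."""
    mid, op = _message(buf, 0x61)
    _, code, pos = _read_tlv(op, 0)
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return mid, int.from_bytes(code, "big"), diag.decode("utf-8")
```

Since the password is sent in the clear, the connection between the NetDefend Firewall and the LDAP server should run over a trusted path; the same applies, for the same reason, when the firewall has to read the password attribute for CHAP-based PPP clients.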

8.2.5.
(Authentication Rule) ,
NetDefend
.


NetDefendOS. , .
,
.

(Authentication Agent)

, . :

) HTTP

HTTP WEB-
WEB- ( HTTP ).

) HTTPS

HTTPS WEB-
WEB- ( HTTP ).

) XAUTH

IKE-,
VPN- IPsec.

XAuth IKE-,
IPsec. , VPN,
, .

, XAuth,
.. XAuth IPsec-.

.

) PPP

L2TP- PPTP-.

(Authentication Source)

) LDAP LDAP-.

) RADIUS RADIUS.

) Disallow ,
, .
.

Disallow-
.

) Local ,
NetDefendOS.

) Allow ,
, .
.

(Interface)

, . .

Originator IP

IP- , . XAuth PPP


originator IP .

Terminator IP

IP-, .
, PPP.

(Idle Timeout)

, (
1800 ).

(Session Timeout)

( ).

, Use timeouts received


from the authentication server ( - )
.


,
(multiple logins), .. IP-
.
:

,
.


, ,
,
.

8.2.6.
NetDefendOS
.

1. NetDefend.

2. NetDefendOS

, :

HTTP-;

HTTPS-;

IPsec-;

L2TP-;

PPTP-.

3. , (
), .

4. , ,
NetDefendOS .

5. ,
.
6. NetDefendOS
, .
NetDefendOS, RADIUS LDAP-
.

7. NetDefendOS , ..

IP-. , ,
No Defined Credentials ( ),
,
.

8. ,
,
.

IP-, , .

8.2.7.
,
192.168.1.0/24 lan .
important_net int ,
(trusted) . ,
(untrusted), regular_net
dmz .


, ,
(Group). trusted,
untrusted.

IP- 192.168.1.0/24. IP- untrusted_net.


untrusted. IP- trusted_net
trusted.

IP-, :


#  Action  Src Iface  Src Net        Dest Iface  Dest Net       Service
1  Allow   lan        trusted_net    int         important_net  All
2  Allow   lan        untrusted_net  dmz         regular_net    All

trusted regular_net,
:


#  Action  Src Iface  Src Net        Dest Iface  Dest Net       Service
1  Allow   lan        trusted_net    int         important_net  All
2  Allow   lan        trusted_net    dmz         regular_net    All
3  Allow   int        untrusted_net  dmz         regular_net    All

8.2.8. HTTP-
WEB-, HTTP,
HTML-.
WebAuth.

WebUI
HTTP-
WebUI, TCP- 80. ,
WebUI . ,
Remote Management > advanced settings WebUI
WebUI HTTP Port. 80 81.


HTTP- HTTPS- ,
(Agent Options). :

(Login Type).

) FORM HTML-
, NetDefendOS POST.

) BASICAUTH 401
Authentication Required,
.
Realm String.

FORM , BASICAUTH,
.

HTTPS,
, NetDefendOS.

IP-
HTTP- , , ,
IP-. ,
lannet WAN-. IP-
:


#  Action  Src Iface  Src Net        Dest Iface  Dest Net  Service
1  Allow   lan        lannet         core        lan_ip    http-all
2  NAT     lan        trusted_users  wan         all-nets  http-all
3  NAT     lan        lannet         wan         all-nets  dns-all

,
IP- lan_ip, IP- NetDefend,
.
, lannet
, ..
. IP- trusted_users,
lannet,
No Defined Credentials,
(, ).

DNS- URL-.


IP-,
, IP- lan_ip,
, .. .
SAT-
Allow-. :


#  Action  Src Iface  Src Net        Dest Iface  Dest Net  Service   SAT action
1  Allow   lan        lannet         core        lan_ip    http-all
2  NAT     lan        trusted_users  wan         all-nets  http-all
3  NAT     lan        lannet         wan         all-nets  dns-all
4  SAT     lan        lannet         wan         all-nets  http-all  all-to-one 127.0.0.1
5  Allow   lan        lannet         wan         all-nets  http-all

SAT- ,
all-to-one,
127.0.0.1, core.

8.1.

,
users lannet.
NetDefendOS.

Web-

1. User Authentication > Local User Databases > Add > LocalUserDatabase

2. :

Name: lannet_auth_users

Comments: "lannet" "users"

3. OK

1. lannet_auth_users > Add > User

2. :

Username: , , user1

Password:

Confirm Password:

Groups: .
( ). users.

3. OK

4. , lannet, users,
lannet_auth_users.

8.2. WEB

HTTP-
users lannet. IP- , users,
WEB- .

, lannet, users, lan_ip,


lannet_auth_users lannet_users .

Web-

. IP-

1. Rules > IP Rules > Add > IP rule

2. :

Name: http2fw

Action: Allow

Service: HTTP

Source Interface: lan

Source Network: lannet

Destination Interface: core

Destination Network: lan_ip

3. OK

1. User Authentication > User Authentication Rules > Add > User Authentication Rule

2. :

Name: HTTPLogin

Agent: HTTP

Authentication Source: Local

Interface: lan

Originator IP: lannet

3. Local User DB lannet_auth_users

4. Login Type HTMLForm

5. OK

. IP-, WEB-
.

1. Rules > IP Rules > Add> IP rule

2. :

Name: Allow_http_auth

Action: NAT

Service: HTTP

Source Interface: lan

Source Network: lannet_users

Destination Interface: any

Destination Network: all-nets

3. OK

8.3. RADIUS

RADIUS.

Web-

1. User Authentication > External User Databases> Add > External User Database

2. :

) Name: , , ex-users

) Type: RADIUS

) IP Address: IP- ,
(Address Book)

) Port: 1812 ( RADIUS UDP- 1812)

) Retry Timeout: 2 ( NetDefendOS


2 , ,
. .)

) Shared Secret: RADIUS

) Confirm Secret:
RADIUS

3. OK

8.3. HTML-
HTML-
. HTTP-:

WEB-
FormLogin.
.


LoginSuccess, .

HTTP-
WEB- HTTP- (HTTP banner files) NetDefendOS
. WEB-
, SCP- ,
.

, :
FormLogin
LoginSuccess
LoginFailure
LoginAlreadyDone
LoginChallenge
LoginChallengeTimeout
LoginSuccess
LoginSuccessBasicAuth
LoginFailure
FileNotFound


WebUI ,
HTML NetDefendOS. ,
, 6.3.4.4. HTML-.

, Auth Banner Files


. Auth Banner
Files . NetDefendOS.
. , ,
.

HTML-
HTML- , ,
. :

%URL% URL;

%IPADDR% IP- ;

%REASON% ;

%REDIRURL% URL WEB- .

%REDIRURL%
%REDIRURL% WEB-. ,
, URL,
.

%REDIRURL% ,
WEB-, FormLogin, .

8.4. HTTP-

, URL HTML-.

Web-

1. Objects > HTTP Banner files > Add > Auth Banner Files

2. : , , new_forbidden OK

3. ALG-.

4. Edit & Preview tab

5. Page FormLogin

6. HTML-, URL

7. Preview,

8. Save

9. OK,

10. Objects > ALG HTML ALG

11. HTML Banner new_forbidden

12. OK

13. Configuration > Save & Activate,

: ,
HTML-
, ,
HTML- .
,
Save.

SCP
HTTP- SCP.
:

1. SCP HTML ,
WebUI ,
-.

2. Auth Banner Files, ,


. CLI-
ua_html:
gw-world:/> add HTTPAuthBanners ua_html

, ,
.

3. Upload the file with SCP. For the object ua_html, the FormLogin page is replaced by uploading to HTTPAuthBanners/ua_html/FormLogin. To upload the file my.html as the new FormLogin page using an SCP client, for example pscp:

pscp my.html admin@10.5.62.11:HTTPAuthBanners/ua_html/FormLogin

SCP- 2.1.6 Secure Copy.

4. ua_html.
my_auth_rule, c :

set UserAuthRule my_auth_rule HTTPBanners=ua_html

5. CLI- activate commit,


, NetDefend.

9. VPN
Virtual Private Network (VPN)
NetDefendOS.

VPN

IPsec

IPsec

PPTP/L2TP

(CA)

VPN

9.1.
9.1.1. VPN
,
.
,
, .
, , ,
, . (VPN)
,
,
, .
VPN ,
. , . ,
, .
VPN:

4. LAN to LAN connection ,


. , NetDefend
VPN-.

5. Client to LAN connection ,
.
NetDefend, ,
VPN-.

9.1.2. VPN-
VPN- .
:

,
.

.

,
,
. ,

.

,
;
. ,
.

, VPN .
, ,
.

9.1.3. VPN
, , VPN-, VPN-
, . VPN-
. ,

,
. .
VPN , .
:

VPN- ,
;

DMZ , VPN;

VPN- ;

, VPN-

. , VPN-
,
.
, ,
, VPN. ,
. ,
VPN .

DMZ

VPN- .
DMZ ,
. , VPN-
,
.

9.1.4.
.
:

? .
.

? ?
? LAN-to-LAN?
LAN-to-LAN? ,
, , ,
() .

, , , ?
, .

, ,
, VPN? ? ,
? -? ,
?

9.1.5. TLS VPN


Web- HTTP,
NetDefend TLS
, .
. 6.2.10, TLS ALG.

9.2. VPN

VPN.
,
, VPN.
VPN :

IPsec LAN to LAN ;

IPsec LAN to LAN ;

IPsec ;

IPsec ;

L2TP ;

L2TP ;

PPTP- .

,
NetDefendOS VPN- .

, . NetDefendOS
, , IPsec Tunnel.

,
NetDefendOS. NetDefendOS ,
, ,
, .

,
.

,
. , NetDefendOS,
.
IP-, VPN-

IP-, .
, ,
IP-.

IP- , ,
.
VPN
, .

9.2.1. IPsec- LAN to LAN



1. Pre-shared Key ( ).
2. ,
, IKE
Algorithms / IPsec Algorithms.
VPN-.

3. Address Book ( ) IP- :

VPN-, IP-
( remote_gw).

, VPN- ( remote_net).

NetDefend,
. , lannet
lan NetDefendOS.

4. IPsec Tunnel ( ipsec_tunnel).


:

lannet Local Network.

remote_net Remote Network.

remote_gw Remote Endpoint.

Tunnel Encapsulation mode.

Authentication Pre-shared Key ( ),


(1).

IPsec Tunnel , Interface


NetDefendOS.

5. IP- IP- :

Allow ,
ipsec_tunnel Destination Interface. (Destination Network)
remote_net.

Allow ,
ipsec_tunnel Source Interface. (Source Network)
remote_net.




Action  Src Iface  Src Net  Dest Iface    Dest Net    Service
Allow   lan        lannet   ipsec_tunnel  remote_net  All

Action  Src Iface     Src Net     Dest Iface  Dest Net  Service
Allow   ipsec_tunnel  remote_net  lan         lannet    All

All,
.

6. (Route) NetDefendOS, , VPN


ipsec_tunnel ,
.


Interface     Network     Gateway
ipsec_tunnel  remote_net  <empty>

9.2.2. IPsec- LAN to LAN



, LAN to LAN ,
X.509. ,
(Certificate Authority, CA), CA
.
LAN to LAN
, , .
,
.
LAN to LAN , CA (
, ).
:
1. Web- NetDefend .
2. Authentication Objects ( ) Root Certificate Host Certificate.
:
. .
3. IPsec Tunnel , ,
Authentication. :

. X.509 Certificate.

. Root Certificate.
. Gateway Certificate.
4. Web- NetDefend
.

:

NetDefendOS,
.
9.6, CA,
.
, CA,
LAN to LAN, Web-
. ,
NetDefendOS. ,
, NetDefendOS ,
, . ,
.
,
: ,
, ,
. :
.
CA ,
CA .

9.2.3. IPsec-


IPsec . :
A. IP- .
. IP- NetDefendOS
.

A. IP-
IP-
. IP- .
1. . XAuth
IPsec, , (
).
:

(Local User DB).

.
.
.

:

Local User DB ( TrustedUsers).

TrustedUsers. , ,
.
Group,
. Group ( )
Authentication IP-. IP- Source Network
IP-, , Group
Group IP-.


Group
(Authentication Rules).

(User Authentication Rule)


(Authentication Source), TrustedUsers.
:

Agent  Auth Source  Src Network  Interface  Client Source IP
XAUTH  Local        all-nets     any        all-nets (0.0.0.0/0)
2. IPsec Tunnel ipsec_tunnel :

lannet Local Network.

all-nets Remote Network.

all-nets Remote Endpoint.

Tunnel Encapsulation mode.

IPsec IKE, .

,

(Dynamically add route to the remote network when tunnel established). all-nets
, (Add route for
remote network).



LAN to LAN.

Require IKE XAuth user authentication for inbound IPsec tunnels.


XAUTH .
3. IP- :



Action  Src Iface     Src Net   Dest Iface  Dest Net  Service
Allow   ipsec_tunnel  all-nets  lan         lannet    All
Allow , ,
. all-nets, ,
IP-,
IP-.

. IP- NetDefendOS
IP- , NetDefendOS.
:
1. IP-, :

Config Mode Pool ( , NetDefendOS)


.

IKE Config Mode IPsec Tunnel ipsec_tunnel.


2. IP- DHCP:

IP Pool DHCP-. DHCP-


IP- , ,
. DHCP-, loopback 127.0.0.1
IP- DHCP-.

Config Mode Pool ( , NetDefendOS)


IP Pool, .

IKE Config Mode IPsec Tunnel ipsec_tunnel.

IPsec-
(A) (), , IPsec-.
( ):

URL IP- NetDefend.


.

, IPsec security.

NetDefendOS IPsec,
.

, .
IPsec, ,

.
, .

9.2.4. IPsec-

IPsec- ,
Pre-shared Key,
:
1. NetDefendOS.
: .
.
2. IPsec Tunnel Authentication.
:

. X.509 Certificate.

. Gateway Certificate ( ).

. Root Certificate ( ).
3. IPsec
IP-. ,
- .
,
.

:

NetDefendOS,
.
9.6, CA,
.

9.2.5. L2TP-

L2TP, Microsoft Windows, VPN- .
, L2TP IPsec, IPsec
transport mode tunnel mode. L2TP over IPsec :
1. IP- ( l2tp_pool), IP-
. :

, .
192.168.0.0/24, 192.168.0.10 192.168.0.20.
IP-
.

,
, .
2. IP-:

ip_ext IP- (, IP-


ext).

ip_int IP- (
int).
3. (Pre-shared Key) IPsec-.
4. IPsec Tunnel ( ipsec_tunnel) :

Local Network ( ) ip_ext ( all-nets,


NetDefendOS , NAT).

Remote Network ( ) all-nets.

Remote Endpoint ( ) none.

Authentication () Pre-shared Key,


.

Encapsulation Mode ( ) Transport.

IPsec IKE.


(Dynamically add route to the remote network when tunnel established).

all-nets, ,
(Add route for remote network).
.
5. PPTP/L2TP- ( l2tp_tunnel) :

Inner IP Address ip_int.

Tunnel Protocol L2TP.

Outer Interface Filter ipsec_tunnel.

Outer Server IP ip_ext.

Microsoft Point-to-Point Encryption. IPsec,


None, ,
.

IP Pool ( IP-) l2tp_pool.

Proxy ARP int, .

, ,
. , main.
6. :

Local User DB ( TrustedUsers).

TrustedUsers. , ,
.

Group,
IPsec Roaming Clients.

:
Agent  Auth Source  Src Network  Interface    Client Source IP
PPP    Local        all-nets     l2tp_tunnel  all-nets (0.0.0.0/0)
7. L2TP-,
IP-:



Action  Src Iface     Src Net    Dest Iface  Dest Net  Service
Allow   l2tp_tunnel   l2tp_pool  any         int_net   All
NAT     ipsec_tunnel  l2tp_pool  ext         all-nets  All
Web- ext
NetDefend. IP-,
NAT ,
.
8. . Windows XP
(Create new connection)
(Network Connections). ,
: URL- , , IP-
ip_ext.
(Network) > (Properties).
L2TP- (Properties). Networking
Force to L2TP. L2TP-, (Security)
IPsec (IPsec Settings). .

9.2.6. L2TP-

L2TP- ,
:
1. NetDefendOS,
.
2. NetDefendOS.
3. IPsec Tunnel, , .
:

. X.509 Certificate.
. Gateway Certificate.

. Root Certificate.
4. L2TP- Windows XP,
, Windows
.
.
, 9.6, CA,
.

9.2.7. PPTP-
PPTP , L2TP, IPsec
, .
NAT PPTP ,
,
NetDefend. NAT,
.
PPTP :
1. (Address Book) IP-:

pptp_pool IP-, .

int_net , .

ip_int IP- , . ,
int.

ip_ext , (,
ext).

2. PPTP/L2TP ( pptp_tunnel) :

Inner IP Address ip_net.

Tunnel Protocol PPTP.

Outer Interface Filter ext.

Outer server IP ip_ext.

Microsoft Point-to-Point Encryption


128- .

IP Pool pptp_pool.

Proxy ARP int.

L2TP
.

3. Define a user authentication rule, as for L2TP:

Agent  Auth Source  Src Network  Interface    Client Source IP
PPP    Local        all-nets     pptp_tunnel  all-nets (0.0.0.0/0)

4. Add the IP rules to the IP rule set:

Action  Src Iface    Src Net    Dest Iface  Dest Net  Service
Allow   pptp_tunnel  pptp_pool  any         int_net   All
NAT     pptp_tunnel  pptp_pool  ext         all-nets  All

L2TP, NAT
NetDefend.

5. . Windows XP ,
L2TP, .

9.3. IPsec
IPsec , ,
VPN IPsec.

9.3.1.
Internet Protocol Security (IPsec) , IETF (Internet
Engineering Task Force) . VPN
IPsec :

IKE (Internet Key Exchange)

IPsec (AH/ESP/)

, IKE, ,
VPN ,
IP-. , IKE ,
(Security Associations, SA) .
SA , , , IPsec-
.

IP- ,
IKE. ;
IPsec- ESP, AH .

IKE IKE

IKE IPsec

IPsec VPN

9.3.2. IKE (Internet Key Exchange)


IKE (Internet Key Exchange), .

, ,
, . IKE (Internet Key Exchange),
, VPN
.

IKE :

, .

IPsec- ( SA)

(SA)
IKE , (SA)
. SA , , ,
IPsec- (ESP/AH/), ,
/ / / .

SA ,
. , VPN,
. ,
ESP AH, SA,
, . , ESP AH,
SA.

IKE
.
.

IKE Phase-1 IKE

IKE Phase-2 IPsec

-1,
VPN-.

IKE IPsec
IKE IPsec ,
() ().
, .

IPsec , IKE.
, , 5 . IPsec-
, -2.
-1 IKE.

IKE Algorithm Proposals


IKE
IPsec. VPN-, IPsec-,
, ,
, , .

VPN-, ,
, ,
. ,
, , , , ,
.

, ,
IPsec-,
IKE.


, , IKE.
IKE IKE .

IKE Phase-1 - IKE Security Negotiation


IKE . 1
VPN VPN-, ,
.

IKE , ,
. ,
VPN-. ,
-
.

, ,
.
. NetDefendOS VPN- PSK
.

IKE Phase-2 - IPsec Security Negotiation


2 IPsec-.

2 -,
VPN.

PFS (Perfect Forward Secrecy), 2


-. ,
, ;
. ,
, .

2 VPN- .

IKE

, VPN-.
VPN,
.

VPN,
, NetDefendOS ,
. , , VPN-
.

Endpoint Identification Local ID ,


VPN-.
, .


-.

Local and Remote ,


. LAN-to-LAN
Networks/Hosts LAN.

,
all-nets, ,
.

Tunnel / Transport Mode IPsec tunnel transport.

tunnel ,
, / ,

.

transport, , ,
VPN-.
, VPN-
NetDefend, ,
.

, tunnel.

Remote Endpoint ( )
, / VPN

. None,
NetDefend
.
, IP- VPN-
. "none" IP-
, "remote network"
, , VPN-,
,
.

URL- , ,
vpn.company.com.
dns:. , URL-
dns:vpn.company.com.

Transport.

Main/Aggressive Mode IKE : Main Aggressive.

,
Aggressive
,
.

Aggressive,

, - PFS,
,
.

IPsec Protocols IPsec, .


AH (Authentication Header) ESP
(Encapsulating Security Payload).

ESP ,
. ,
,
.

, AH .
ESP , AH
IP-, ,
, ,
, .


NetDefendOS
AH.

IKE Encryption , IKE


, ,
.

, NetDefendOS IPsec:

DES

DES
, VPN.
DES , ,
,
.

IKE Authentication ,
IKE.

, NetDefendOS IPsec:

SHA1

MD5

IKE DH Group Diffie-Hellman, IKE.


DH .

IKE Lifetime IKE-.


() ().
, -1.
,

VPN-. ,
IPsec SA.

PFS PFS (Perfect Forward Secrecy)


IKE -1

. , -2 IKE,
.
PFS
.
, ,
.

PFS : PFS on keys,


-2.
PFS on identities,
, -1
SA -2 , ,
, -2,
.

PFS ,
.

PFS DH Group -, PFS. DH


.

IPsec DH Group -, IPsec.


DH
-.

IPsec Encryption , IPsec.

AH ESP
, IPsec .

, VPN NetDefend:

DES

IPsec Authentication , .

ESP ,
, , ESP
.

, NetDefend:

SHA1

MD5

IPsec Lifetime VPN-


() ().
,

IPsec.
VPN-,
.

, IKE
lifetime.

-
- (Diffie-Hellman, DH) ,
, ,
.
, -
.

- IKE, IPsec
PFS.

Diffie-Hellman , DH.
, , , .
NetDefendOS supports the following DH groups:

DH group 1 (768-bit)

DH group 2 (1024-bit)

DH group 5 (1536-bit)

The DH group is configured separately for IKE, for IPsec and for PFS.
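The following Python script shows the Diffie-Hellman exchange of the paragraph above as IKE uses it, and what the PFS option changes for the phase-2 keys. It is an added example, not NetDefendOS code: DH group 2 is the 1024-bit MODP prime of RFC 2409, the key expansion follows RFC 2409 section 5.5 with HMAC-SHA1 as the prf, and SKEYID_d, the nonces and the SPI are constructed values.

```python
"""Diffie-Hellman as IKE uses it, and what PFS changes (RFC 2409).

Added example, not NetDefendOS code.  DH group 2 is the 1024-bit MODP prime
from RFC 2409 section 6.2 with generator 2 (groups 1 and 5 differ only in
the prime).  Quick-mode key material follows RFC 2409 section 5.5,
KEYMAT = prf(SKEYID_d, [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b), with
HMAC-SHA1 as prf.  SKEYID_d, nonces and SPI used below are constructed.
"""
import hashlib
import hmac
import secrets

MODP_1024_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2
PROTO_IPSEC_ESP = 3
GROUP_BYTES = (MODP_1024_P.bit_length() + 7) // 8   # 128 for group 2

class DHParty:
    """One side of a DH exchange; use a fresh instance for every exchange."""
    def __init__(self, p=MODP_1024_P):
        self.p = p
        self.x = secrets.randbelow(p - 2) + 1        # private exponent in [1, p-2]
        self.public = pow(GENERATOR, self.x, p)      # g^x mod p, sent in the KE payload

    def shared_secret(self, peer_public):
        # 0, 1 and p-1 would force the secret into a trivial subgroup: reject them.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid DH public value from peer")
        return pow(peer_public, self.x, self.p)      # g^xy mod p

def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()

def keymat(skeyid_d, spi, ni, nr, qm_secret=None, need=36):
    """Expand IPsec key material; 36 bytes covers an AES-128 key plus an HMAC-SHA1-96 key."""
    g_xy = b"" if qm_secret is None else qm_secret.to_bytes(GROUP_BYTES, "big")
    out, prev = b"", b""
    while len(out) < need:
        prev = prf(skeyid_d, prev + g_xy + bytes([PROTO_IPSEC_ESP]) + spi + ni + nr)
        out += prev
    return out[:need]

def quick_mode(skeyid_d, spi, ni, nr, pfs):
    """Return (KEYMAT the peers derive, KEYMAT someone holding SKEYID_d and the
    wire data can recompute).  With PFS the two differ: the fresh quick-mode
    DH secret never crosses the wire, so SKEYID_d alone no longer suffices."""
    qm_secret = None
    if pfs:
        initiator, responder = DHParty(), DHParty()
        qm_secret = initiator.shared_secret(responder.public)
        if qm_secret != responder.shared_secret(initiator.public):
            raise RuntimeError("DH agreement failed")
    return (keymat(skeyid_d, spi, ni, nr, qm_secret), keymat(skeyid_d, spi, ni, nr, None))
```

Without PFS, the second value returned by quick_mode() equals the first: anyone who later obtains SKEYID_d from the phase-1 negotiation can recompute every phase-2 key from the nonces and SPI seen on the wire. With PFS the two values differ, which is the property the PFS option buys at the cost of one extra exponentiation per phase-2 negotiation.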

9.3.3. IKE

VPN manual keying (
). IKE ;
,
VPN-.


NetDefendOS .


, ,
. IKE .
IKE IPsec SA.


,
IKE IKE. ,
, ,
/ - (anti-replay services).
/ .

(replay attacks),
, , ,
, .
VPN ,
. IKE .

PSK
PSK (Pre-shared Key) VPN .
, IKE, , , IKE,
, .

PSK

. , , .
IKE.
,
, .

PSK
, PSK .
PSK VPN-
? , PSK .
PSK , .


VPN ( )
.

, :

,
.

, -, .


. ,
VPN- , ,
. ,
, .
.


.
,
VPN- . ,
, ,
.

9.3.4. IPsec (ESP/AH)


IPsec- , VPN.
, , IKE.

, IPsec: AH ESP. .

AH (Authentication Header)
AH , .

. 9.1 AH

AH - MAC IP-

. MAC ,
IP-, ,
. IP-, AH
IP-.

AH AH IP-. Tunnel
AH , , IP-
.

ESP (Encapsulating Security Payload)


ESP ESP IP-, Tunnel,
ESP , , IP-
.

ESP / . AH
, ESP IP-. ,
ESP ESP; , IP-
.

ESP , IP-,
.

. 9.2 ESP

9.3.5. NAT Traversal


IKE IPsec NAT.
NAT NAT traversal. NAT traversal
IKE IPsec
NAT. NetDefendOS RFC3947
NAT-Traversal IKE.

NAT traversal :

IKE, IPsec ,
NAT traversal . NetDefendOS
RFC3947 NAT-Traversal IKE.

ESP. NAT traversal ESP UDP,


NAT.

, IKE
IPsec.

NAT traversal ,
. VPN- NAT traversal
vendor ID , , NAT traversal,
.

NAT
NAT IPsec IP- UDP-
, IKE. ,
, IP- , .
, NAT ,
, NAT traversal. /
, NAT.


IPsec NAT traversal, IKE UDP-
500 4500. , NAT
UDP- 500 UDP, IKE.
, IKE-
IKE, .

UDP
, NAT traversal, , ESP- IP-
. , TCP UDP,
,
. ESP- UDP. ESP-UDP
4500, IKE NAT traversal. ,
IKE 4500.
Keep-alive NAT-.

NAT Traversal
NAT traversal ,
. ,
:

Remote Endpoint ( )
IP- IKE-.
IP- NAT.

,
, NAT
, , Local ID . Local ID
:

Auto IP-
. , ,
IP-.

IP IP-

DNS DNS-

Email Email

9.3.6. (Algorithm Proposal
Lists)
VPN- .
security associations (SA) IKE IPsec. C (proposal list)
.
, VPN- (
tunnel endpoint).
, ,
.

: IKE IPsec. IKE -1 IKE (IKE


Security Negotiation), IPsec -2 IKE (IPsec Security Negotiation).

VPN,
, .

IKE IPsec:

High

. : MD5,
SHA1.

Medium

. : MD5, SHA1.

9.1.
IPSec
VPN-. - DES.
- SHA1 MD5, , . ,
, IPsec tunnel,
.

Command-Line Interface

Create a list of IPsec algorithms:

gw-world:/> add IPsecAlgorithms esp-l2tptunnel
        DESEnabled=Yes DES3Enabled=Yes
        SHA1Enabled=Yes MD5Enabled=Yes

Then apply the list to an IPsec tunnel:

gw-world:/> set Interface IPsecTunnel MyIPsecTunnel
        IPsecAlgorithms=esp-l2tptunnel

Web-

IPsec:

1. Objects > VPN Objects > IPsec Algorithms > Add > IPsec Algorithms

2. , , esp-l2tptunnel

3. :

DES
SHA1
MD5

4. OK

IPsec:

1. Interfaces > IPsec

2. IPsec

3. esp-l2tptunnel IPsec Algorithms

4. OK

9.3.7.
VPN-.
, .
, .
. ,
.

Web-,
CLI pskgen (
CLI).

Caution: Avoid non-ASCII characters in passphrases!
If a PSK passphrase contains non-ASCII characters, the two peers may turn it into different key bytes, because they may use different character encodings: Windows, for example, represents text in UTF-16, while NetDefendOS uses UTF-8. An L2TP client on Windows would then derive a different key from the same passphrase than NetDefendOS, and authentication of the tunnel fails.

9.2.
VPN-.
,
. ,
. ,
IPsec-.

Command-Line Interface

Generate a random key. A 64-bit key (the default size) is generated with:

gw-world:/> pskgen MyPSK

To generate a larger key, for example 512 bits, specify the size:

gw-world:/> pskgen MyPSK -size=512

To enter a key manually instead of generating one:

gw-world:/> add PSK MyPSK Type=HEX PSKHex=<enter the key here>

Apply the key to an IPsec tunnel:

gw-world:/> set Interface IPsecTunnel MyIPsecTunnel PSK=MyPSK

Web-

1. Objects > Authentication Objects > Add > Pre-shared key

2. , , MyPSK

3. Hexadecimal Key ( ) Generate Random Key (


) , Passphrase ( ).

4. OK
IPsec:

1. Interfaces > IPsec

2. IPsec

3. Authentication Pre-shared Key MyPSK

4. OK
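The caution above about non-ASCII passphrases can be checked with a few lines of Python. This is an added example, not NetDefendOS code: with PSK authentication, IKE phase 1 derives SKEYID = prf(pre-shared-key, Ni_b | Nr_b) (RFC 2409 section 5.4), so two peers that encode the same passphrase differently end up with different SKEYIDs. The mismatch is shown as UTF-8 against an 8-bit Windows code page (cp1252, an assumption standing in for whatever the client actually uses); the nonces are constructed, and generate_hex_psk() mimics what pskgen produces.

```python
"""Why a non-ASCII pre-shared key can work for one peer and fail for the other.

Added example, not NetDefendOS code.  IKE phase 1 with PSK authentication
derives SKEYID = prf(pre-shared-key, Ni_b | Nr_b); if the peers turn the same
passphrase into different bytes they derive different SKEYIDs and
authentication fails.  UTF-8 versus cp1252 stands in for the UTF-16/UTF-8
mismatch the manual warns about; a hexadecimal key (as produced by pskgen)
has no such ambiguity.  Nonces are constructed.
"""
import hashlib
import hmac
import secrets

def skeyid(psk_bytes, ni, nr):
    """Phase-1 SKEYID for PSK authentication, with HMAC-SHA1 as the prf."""
    return hmac.new(psk_bytes, ni + nr, hashlib.sha1).digest()

def psk_bytes_from_passphrase(passphrase, encoding="utf-8"):
    """How one implementation turns the typed passphrase into key bytes."""
    return passphrase.encode(encoding)

def peers_agree(passphrase, our_encoding, peer_encoding,
                ni=b"\x11" * 16, nr=b"\x22" * 16):
    """True if both peers derive the same SKEYID from the same passphrase."""
    ours = skeyid(psk_bytes_from_passphrase(passphrase, our_encoding), ni, nr)
    theirs = skeyid(psk_bytes_from_passphrase(passphrase, peer_encoding), ni, nr)
    return hmac.compare_digest(ours, theirs)

def generate_hex_psk(bits=64):
    """What 'pskgen' does: a random key of `bits` bits as hexadecimal text."""
    if bits <= 0 or bits % 8:
        raise ValueError("key size must be a positive multiple of 8 bits")
    return secrets.token_hex(bits // 8)

def hex_psk_bytes(hex_key):
    """A hex key decodes to the same bytes on every platform."""
    return bytes.fromhex(hex_key)

def is_safe_passphrase(passphrase):
    """Only ASCII passphrases encode identically under every common encoding."""
    return passphrase.isascii()
```

When a tunnel to a Windows client fails to authenticate while the same passphrase works elsewhere, this encoding difference is the first thing to rule out; the robust fix is the hexadecimal key that pskgen generates.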

9.3.8.
IPsec- , NetDefend
VPN-, ,
(Certificate Authorities).
, .


,
VPN-. ,
.
. ,
, - .


IP- VPN- , VPN-
. ,
.


.
(ID),
. , ,
,
IPsec-.

9.3.
VPN-.
DN (distinguished name) -
, . ,
IPsec-.

Command-Line Interface

Create the ID list:

gw-world:/> add IDList MyIDList

Add an ID to the list:

gw-world:/> cc IDList MyIDList

gw-world:/MyIDList> add ID JohnDoe Type=DistinguishedName
        CommonName="John Doe"
        OrganizationName=D-Link
        OrganizationalUnit=Support
        Country=Sweden
        EmailAddress=john.doe@D-Link.com

gw-world:/MyIDList> cc

Finally, apply the ID list to the IPsec tunnel:

gw-world:/> set Interface IPsecTunnel MyIPsecTunnel
        AuthMethod=Certificate IDList=MyIDList
        RootCertificates=AdminCert
        GatewayCertificate=AdminCert

Web-

1. Objects > VPN Objects > ID List > Add > ID List

2. , , MyIDList

3. OK

ID:

1. Objects > VPN Objects > IKE ID List > Add > ID List

2. MyIDList

3. , , JohnDoe

4. Distinguished name Type

5. :

Common Name: John Doe

Organization Name: D-Link

Organizational Unit: Support

Country: Sweden

Email Address: john.doe@D-Link.com

6. OK

IPsec:

1. Interfaces > IPsec

2. IPsec

3. Authentication X.509 Certificate

4. Root Certificate(s) Gateway Certificate

5. MyIDList Identification List

6. OK

9.4. IPsec-
IPsec- NetDefendOS,
, .

9.4.1.
IPsec- . IPsec-
NetDefendOS, ,
.


NetDefend IPsec (
) IPsec VPN-
, IPsec-,
NetDefendOS. , .
IKE IPsec,
.



, IPsec-.
NetDefendOS , IP- IPsec-
NetDefend.

IP-
, IPsec- , ,
, . ,
IP-.
IPsec-,
NetDefendOS.

,
, NetDefendOS IP- IPsec-.

(Returning Traffic)
, , IPsec-,
. .
, NetDefendOS IPsec-, .
, NetDefendOS
, IPSec-.

IPsec- IP-
IPsec- , , IPsec-,
(
NetDefendOS). , IP-,
IPsec-.

IKE ESP IPsec engine NetDefendOS


IP- .

IPsec IPsec
Before Rules.
IPsec, IP- .
NetDefendOS IPsec engine IP-.
, IP- , .

(Dead Peer Detection)


IPsec- DPD (Dead Peer Detection).
DPD ,
.
( DPD Metric) ,
NetDefendOS DPD-R-U-THERE , ,
.

(
DPD Expire Time),
. NetDefendOS
( DPD Keep Time).

DPD 9.4.6, IPsec. IPsec-


NetDefendOS DPD .
DPD-R-U-THERE .

Keep-alive
IPsec Keep-alive ,
. ICMP Ping
. ping,
.
LAN to LAN.

IP- / . IP-
, ICMP. IP-
, NetDefendOS IP- .

keep-alive, LAN to LAN


,
. , , keep-alive ,
,
.

DPD Keep-alive
DPD Keep-alive , ,
IPsec- . ,
:

Keep-alive IPsec- LAN to LAN.


.

Keep-alive ,
, .

Keep-alive DPD LAN to


LAN, , keep-alive pings, DPD .

IPsec-
IPsec-.
:

9.2.1, IPsec- LAN to LAN .

9.2.2, IPsec- LAN to LAN .

9.2.3, IPsec-
.

9.2.4, IPsec-
.

,
.

9.4.2. LAN to LAN



VPN (LAN)
. ,
LAN
, , .

IPsec , VPN-
VPN- . NetDefend
VPN, ,
. LAN to LAN,
(PSK).

, LAN to LAN :

VPN tunnel properties, .

VPN tunnel properties.

Route (main) ( ).

Rules ( 2 ).

9.4.3.
,
,
. VPN-,
, IP- .
IP- NetDefendOS
.

IP-
IP- , NetDefend
.
IPSec-.

, IP-,
Remote Network all-nets (IP address: 0.0.0.0/0),
IPv4- .

, VPN- ,
, NetDefendOS.

PSK
PSK.

9.4. VPN- PSK


IPsec- ,
NetDefend. , ,
. 10.0.1.0/24 IP-
wan_ip.

Web-

. IPsec:

1. Objects > Authentication Objects > Add > Pre-Shared Key

2. :

Name: , , SecretKey

Shared Secret:

Confirm Secret:

3. OK

. IPsec-:

1. Interfaces > IPsec > Add > IPsec Tunnel

2. :

Name: RoamingIPsecTunnel

Local Network: 10.0.1.0/24 ( , )

Remote Network: all-nets

Remote Endpoint: (None)

Encapsulation Mode: Tunnel

3. (Algorithms) :

IKE Algorithms: Medium High

IPsec Algorithms: Medium High

4. (Authentication) :

Pre-Shared Key: ,

5. Routing:

: Dynamically add route to the remote network when a tunnel is established.

6. OK

. IP-, .

9.5. VPN-

IPsec- ,
NetDefend. , ,
. 10.0.1.0/24 IP-
IP wan_ip.

Web-

. IPsec:

Web-
. PEM (Privacy Enhanced Mail).

. :

1. Objects > Authentication Objects > Add > Certificate

2.

3. X.509 Certificate

4. OK

. :

1. Objects > VPN Objects > ID List > Add > ID List

2. , , sales

3. OK

4. Objects > VPN Objects > ID List > Sales > Add > ID

5.

6. Email Type

7. Email address, ,

8. ,
.

. IPsec-:

1. Interfaces > IPsec > Add > IPsec Tunnel

2. :

Name: RoamingIPsecTunnel

Local Network: 10.0.1.0/24 ( , ).

Remote Network: all-nets

Remote Endpoint: (None)

Encapsulation Mode: Tunnel

3. (Algorithms) :

IKE Algorithms: Medium High

IPsec Algorithms: Medium High

4. (Authentication) :

X.509 Certificate

Root Certificate(s): Selected

Gateway Certificate:

Identification List: , VPN-.


, sales

5. Routing:

Dynamically add route to the remote network when a tunnel is established.

6. OK

. IP-, .


, ,
, .

. ,
, Windows 2000, (
Windows 2000 Certificate Services).
, , . 3.7, .

9.6. VPN-

IPsec- ,
NetDefend. , ,
. 10.0.1.0/24 IP-
IP wan_ip.
Web-

. :

1. Objects > Authentication Objects > Add > Certificate

2.

3. X.509 Certificate

4. OK

. :

1. Objects > VPN Objects > ID List > Add > ID List

2. , , sales

3. OK

4. Objects > VPN Objects > ID List > Sales > Add > ID

5.

6. Email Type

7. Email address, ,

8. ,
.

. IPsec-:

1. Interfaces > IPsec > Add > IPsec Tunnel

2. :

Name: RoamingIPsecTunnel

Local Network: 10.0.1.0/24 ( , ).

Remote Network: all-nets

Remote Endpoint: (None)

Encapsulation Mode: Tunnel

3. (Algorithms) :

IKE Algorithms: Medium High

IPsec Algorithms: Medium High

4. (Authentication) :

X.509 Certificate

Root Certificate(s): , ,
Selected

Gateway Certificate:

Identification List: , VPN-.


, sales

5. Routing:

Dynamically add route to the remote network when a tunnel is established.

6. OK

. IP-, .

(Config Mode)

IKE Configuration Mode (Config Mode) IKE,
NetDefendOS LAN.
IPsec- IP-
, DHCP. IP-, ,
IP-,
, DHCP-, IP Pool.

IP- IP-, DHCP-.


. IP-
, DNS WINS / NBNS, DHCP-.
( . 5.4, IP-.)

Config Mode
NetDefendOS Config Mode,
Config Mode Pool. , , :

Use Predefined IP Pool Object IP-, IP-.

Use a Static Pool IP-


IP-.

DNS IP- DNS, URL (


IP-).

NBNS/WINS IP- NBNS/WINS ( IP-


).

DHCP DHCP-
.

Subnets , .

9.7. Config Mode


Config Mode Pool IP Pool,
ip_pool1.

Web-

1. Objects > VPN Objects > IKE Config Mode Pool

2. Web- Config Mode

3. Use a predefined IPPool object

4. ip_pool1 IP Pool

5. OK

Config Mode, Config Mode IPsec-.

9.8. Config Mode IPsec-


, vpn_tunnel1, ,
Config Mode .

Web-

Interfaces > IPsec

vpn_tunnel1

IKE Config Mode

OK

IP-
NetDefendOS , IP-
IPsec- IP-, IPsec- IKE Config Mode.
, ,
(Warning). IP-,
.

, , SA
.
IPsecDeleteSAOnIPValidationFailure.
.

9.4.4. RL, LDAP-



, IP-
, CRL NetDefend.
LDAP (Lightweight Directory Access Protocol).

,
LDAP-. LDAP-
LDAP.

9.9. LDAP-
LDAP- .

CLI

gw-world:/> add LDAPServer Host=192.168.101.146 Username=myusername
            Password=mypassword Port=389

Web-

1. Objects > VPN Objects > LDAP > Add > LDAP Server

2. :

IP Address: 192.168.101.146

Username: myusername

Password: mypassword

Confirm Password: mypassword

Port: 389

3. OK

9.4.5.
ikesnoop
VPN-
IPsec- , ,
, VPN-
, .
ikesnoop verbose ,
, .

ikesnoop
ikesnoop CLI RS232.
:

, ikesnoop IKE-
VPN-. IP-, , IP-
-10.1.1.10, :

IP- IP- VPN- ( IP-


, IP-).
:

verbose ,
.
ikesnoop . .
,
, .

ikesnoop
CLI.

, ,
. ,
, , .

1. ,

verbose ,
.
. ,
/, .
/, ,
. IKE.

IkeSnoop: Received IKE packet from 192.168.0.10:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0x6098238b67d97ea6 -> 0x00000000
Message ID : 0x00000000
Packet length : 324 bytes
# payloads : 8
Payloads:
SA (Security Association)
Payload data length : 152 bytes
DOI : 1 (IPsec DOI)
Proposal 1/1
Protocol 1/1
Protocol ID : ISAKMP
SPI Size : 0
Transform 1/4
Transform ID : IKE
Encryption algorithm : DES-cbc
Hash algorithm : MD5
Authentication method : Pre-Shared Key
Group description : MODP 1024
Life type : Seconds
Life duration : 43200
Life type : Kilobytes
Life duration : 50000
Transform 2/4
Transform ID : IKE
Encryption algorithm : DES-cbc
Hash algorithm : SHA
Authentication method : Pre-Shared Key
Group description : MODP 1024
Life type : Seconds
Life duration : 43200
Life type : Kilobytes
Life duration : 50000
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 8f 9c c9 4e 01 24 8e cd f1 47 59 4c 28 4b 21 3b
Description : SSH Communications Security QuickSec 2.1.0
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 27 ba b5 dc 01 ea 07 60 ea 4e 31 90 ac 27 c0 d0
Description : draft-stenberg-ipsec-nat-traversal-01
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 61 05 c4 22 e7 68 47 e4 3f 96 84 80 12 92 ae cd
Description : draft-stenberg-ipsec-nat-traversal-02
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
Description : draft-ietf-ipsec-nat-t-ike-00
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48
Description : draft-ietf-ipsec-nat-t-ike-02
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Description : draft-ietf-ipsec-nat-t-ike-02
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
Description : draft-ietf-ipsec-nat-t-ike-03

Exchange type: Main Aggressive


Cookies:
Encryption algorithm:
Key length:
Hash algorithm: -
Authentication method:
Group description: Diffie Hellman (DH)
Life type:
Life duration:
VID: IPsec . ,
NAT-T

2.

. ,
. , No
proposal chosen ( ),
ikesnoop .

IkeSnoop: Sending IKE packet from 192.168.0.10:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a
Message ID : 0x00000000
Packet length : 224 bytes
# payloads : 8
Payloads:
SA (Security Association)
Payload data length : 52 bytes
DOI : 1 (IPsec DOI)
Proposal 1/1
Protocol 1/1
Protocol ID : ISAKMP
SPI Size : 0
Transform 1/1
Transform ID : IKE
Encryption algorithm : DES
Key length : 56
Hash algorithm : MD5
Authentication method : Pre-Shared Key
Group description : MODP 1024
Life type : Seconds
Life duration : 43200
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 8f 9c c9 4e 01 24 8e cd f1 47 59 4c 28 4b 21 3b
Description : SSH Communications Security QuickSec 2.1.0
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 27 ba b5 dc 01 ea 07 60 ea 4e 31 90 ac 27 c0 d0
Description : draft-stenberg-ipsec-nat-traversal-01
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 61 05 c4 22 e7 68 47 e4 3f 96 84 80 12 92 ae cd
Description : draft-stenberg-ipsec-nat-traversal-02
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
Description : draft-ietf-ipsec-nat-t-ike-00
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48
Description : draft-ietf-ipsec-nat-t-ike-02
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Description : draft-ietf-ipsec-nat-t-ike-02
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
Description : draft-ietf-ipsec-nat-t-ike-03

3.

, . ,
NAT detection payloads, ,
NAT.

IkeSnoop: Received IKE packet from 192.168.0.10:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a
Message ID : 0x00000000
Packet length : 220 bytes
# payloads : 4
Payloads:
KE (Key Exchange)
Payload data length : 128 bytes
NONCE (Nonce)
Payload data length : 16 bytes
NAT-D (NAT Detection)
Payload data length : 16 bytes
NAT-D (NAT Detection)
Payload data length : 16 bytes

4.

IkeSnoop: Sending IKE packet from 192.168.0.10:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a
Message ID : 0x00000000
Packet length : 220 bytes
# payloads : 4
Payloads:
KE (Key Exchange)
Payload data length : 128 bytes
NONCE (Nonce)
Payload data length : 16 bytes
NAT-D (NAT Detection)
Payload data length : 16 bytes
NAT-D (NAT Detection)
Payload data length : 16 bytes

5.

, , , IP-
, .

IkeSnoop: Received IKE packet from 192.168.0.10:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags : E (encryption)
Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a
Message ID : 0x00000000
Packet length : 72 bytes
# payloads : 3
Payloads:
ID (Identification)
Payload data length : 8 bytes
ID : ipv4(any:0,[0..3]=192.168.0.10)
HASH (Hash)
Payload data length : 16 bytes
N (Notification)
Payload data length : 8 bytes
Protocol ID : ISAKMP
Notification : Initial contact

Flags: E encryption () ( ).
ID:

Notification Initial Contact, ,


.

6.

IkeSnoop: Sending IKE packet from 192.168.0.10:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags : E (encryption)
Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a
Message ID : 0x00000000
Packet length : 60 bytes
# payloads : 2
Payloads:
ID (Identification)
Payload data length : 8 bytes
ID : ipv4(any:0,[0..3]=192.168.0.20)
HASH (Hash)
Payload data length : 16 bytes

7. C IPsec

IPsec .
/, .

IkeSnoop: Received IKE packet from 192.168.0.10:500
Exchange type : Quick mode
ISAKMP Version : 1.0
Flags : E (encryption)
Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a
Message ID : 0xaa71428f
Packet length : 264 bytes
# payloads : 5
Payloads:
HASH (Hash)
Payload data length : 16 bytes
SA (Security Association)
Payload data length : 164 bytes
DOI : 1 (IPsec DOI)
Proposal 1/1
Protocol 1/1
Protocol ID : ESP
SPI Size : 4
SPI Value : 0x4c83cad2
Transform 1/4
Transform ID : DES
Key length : 128
Authentication algorithm : HMAC-MD5
SA life type : Seconds
SA life duration : 21600
SA life type : Kilobytes
SA life duration : 50000
Encapsulation mode : Tunnel
NONCE (Nonce)
Payload data length : 16 bytes
ID (Identification)
Payload data length : 8 bytes
ID : ipv4(any:0,[0..3]=10.4.2.6)
ID (Identification)
Payload data length : 12 bytes
ID : ipv4_subnet(any:0,[0..7]=10.4.0.0/16)

Transform ID:
Key length:
Authentication algorithm: HMAC ()
Group description: PFS PFS
SA life type:
SA life duration:
Encapsulation mode: transport, tunnel UDP tunnel (NAT-T)
ID: ipv4(:0,[0..3]=10.4.2.6)

,
. - ,
, SA SA .
8. C

IPsec- ,
. 2 , ,
No proposal chosen,
ikesnoop .

IkeSnoop: Sending IKE packet from 192.168.0.10:500
Exchange type : Quick mode
ISAKMP Version : 1.0
Flags : E (encryption)
Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a
Message ID : 0xaa71428f
Packet length : 156 bytes
# payloads : 5
Payloads:
HASH (Hash)
Payload data length : 16 bytes
SA (Security Association)
Payload data length : 56 bytes
DOI : 1 (IPsec DOI)
Proposal 1/1
Protocol 1/1
Protocol ID : ESP
SPI Size : 4
SPI Value : 0xafba2d15
Transform 1/1
Transform ID : DES
Key length : 128
Authentication algorithm : HMAC-MD5
SA life type : Seconds
SA life duration : 21600
SA life type : Kilobytes
SA life duration : 50000
Encapsulation mode : Tunnel
NONCE (Nonce)
Payload data length : 16 bytes
ID (Identification)
Payload data length : 8 bytes
ID : ipv4(any:0,[0..3]=10.4.2.6)
ID (Identification)
Payload data length : 12 bytes
ID : ipv4_subnet(any:0,[0..7]=10.4.0.0/16)

9.

, ,
. / .

IkeSnoop: Received IKE packet from 192.168.0.10:500
Exchange type : Quick mode
ISAKMP Version : 1.0
Flags : E (encryption)
Cookies : 0x6098238b67d97ea6 -> 0x5e347cb76e95a
Message ID : 0xaa71428f
Packet length : 48 bytes
# payloads : 1
Payloads:
HASH (Hash)
Payload data length : 16 bytes

9.4.6. IPsec
IPsec- .

IPsec Max Rules

IP- IPsec-
. 4 IPsecMaxTunnels
, . ,
, , .

IPsec Max Rules 4 IPsec Max Tunnels,


. IPsec Max Rules , ,
IPsec Max Tunnels IPsec Max
Rules.

: 4 IPsec Max Tunnels

IPsec Max Tunnels

IPsec-.
,
. NetDefendOS , IPsec. IPsec
, .
.

, ,
90% .

IKE Send Initial Contact

IKE - Initial contact.



IPsec SA.

IKE Send CRLs

CRL (Certificate Revocation Lists)


IKE. , ENABLE, ,
CRL.

, .

IPsec Before Rules

IKE IPsec (ESP/AH), NetDefendOS,


IPsec .

IKE CRL Validity Time

CRL next update, , CRL


. CRL ,
, .
CRL , , next
update , CRL 12 ,
CRL .

CRL. CRL

IKECRLValidityTime next update, ,
.

: 86400

IKE Max CA Path

, NetDefendOS
issuer name , , .
, , ,
, .. ,
(trusted) ,
.

, ,
.

: 15

IPsec Cert Cache Max Certs

/CRL, .
, LRU (Least Recently Used).

: 1024

IPsec Gateway Name Cache Time

/CRL, .
, LRU (Least Recently Used).

: 1024

DPD Metric

, ()
IKE. , DPD-
,
.

, ( )
, .
DPD, (, IKE
) , DPD-
R-U- .

: 3 ( , 3 x 10 = 30 )

DPD Keep Time

, ,
NetDefendOS. , NetDefendOS
DPD- . ,
.

, , SA
. SA ,
DPD-R-U-THERE DPD Expire Time
10 , . SA
, NetDefendOS .
, SA , SA . DPD
, SA .

IKEv1.

: 2 ( , 2 10 = 20 )

DPD Expire Time

, DPD-.
, .

, ,
DPD-R-U-THERE. ,
(). SA .

IKEv1.

: 15

9.5. PPTP/L2TP
, (dial-up), , IP-
, VPN . PPTP
L2TP VPN-.
NetDefendOS PPTP
L2TP-, .
NetDefendOS PPTP L2TP-.

PPTP/L2TP

L2TP PPTP.
:

9.2.5, L2TP-

9.2.6, L2TP-

9.2.7, PPTP-

9.5.1 PPTP-

PPTP- (Point to Point Tunneling Protocol) PPTP ,


Microsoft. 2 OSI data-link (. ,
OSI) PPP- (Point to Point Protocol),
(dial-up). ,
VPN- dial-up,
.

PPTP- VPN
. PPP- Generic
Routing Encapsulation (GRE - IP- 47).
PPP- TCP/IP-
NetDefend, PPTP-
( TCP- 1723). VPN,
PPTP- . PPTP . ,
Microsoft Point-to-Point Encryption (MPPE).

PPTP- ,
. PPTP- , L2TP,
/
. , ,
, PPTP. PPTP- IPsec,
PPTP- NAT NAT traversal
. Microsoft PPTP ,
Windows 95 , ,
.

PPTP

PPTP- , /
TCP- 1723 / IP- 47 PPTP-
NetDefend. ,
:

9.10. PPTP-
PPTP-. ,
.

IP- PPTP-, IP- (


PPTP-) IP-, PPTP-
IP- .

CLI

gw-world:/> add Interface L2TPServer MyPPTPServer
            ServerIP=lan_ip Interface=any
            IP=wan_ip IPPool=pptp_Pool
            TunnelProtocol=PPTP
            AllowedRoutes=all-nets

Web-

1. Interfaces > PPTP/L2TP Servers > Add > PPTP/L2TP Server

2. PPTP-, , MyPPTPServer

3. :

Inner IP Address: lan_ip

Tunnel Protocol: PPTP

Outer Interface Filter: any

Outer Server IP: wan_ip

4. PPP Parameters pptp_Pool IP Pool

5. Add Route, all-nets Allowed Networks

6. OK

Use User Authentication Rules ( )


. PPTP-
, .

9.5.2. L2TP-
L2TP- (Layer 2 Tunneling Protocol) IETF,
PPTP. L2F- (Layer 2 Forwarding ) PPTP-
, . L2TP
, , , IETF, L2TP/IPsec,
L2TP- IPsec.

LAC (Local Access Concentrator) LAC


LNS- (L2TP Network Server). LNS-
. LAC , , PPP, IPsec .
LAC.

L2TP- ,
, PPTP-.
L2TP, PPTP,
. L2TP IPsec, NAT traversal (NAT-T)
LNS.

9.11. L2TP-
L2TP-. ,
IP-. IP- L2TP-,
IP- ( L2TP-) IP-, L2TP-
IP- .

CLI

gw-world:/> add Interface L2TPServer MyL2TPServer ServerIP=ip_l2tp
            Interface=any IP=wan_ip
            IPPool=L2TP_Pool TunnelProtocol=L2TP
            AllowedRoutes=all-nets

Web-

1. Interfaces > L2TP Servers > Add > L2TPServer

2. L2TP-, , MyL2TPServer

3. :

Inner IP Address: ip_l2tp

Tunnel Protocol: L2TP

Outer Interface Filter: any

Outer Server IP: wan_ip

4. PPP Parameters L2TP_Pool IP Pool

5. Add Route tab, all-nets Allowed Networks

6. OK

Use User Authentication Rules ( )


. PPTP

, .

9.12. L2TP over IPsec


L2TP- IPsec-,
VPN. , , ,
L2TP-. PSK.
, .

L2TP-
.

. :

CLI

gw-world:/> add LocalUserDatabase UserDB

gw-world:/> cc LocalUserDatabase UserDB

gw-world:/> add User testuser Password=mypassword

Web-

1. User Authentication > Local User Databases > Add > Local User Database

2. , , UserDB

3. User Authentication > Local User Databases > UserDB > Add > User

4. :

Username: testuser

Password: mypassword

Confirm Password: mypassword

5. OK

IPsec-, L2TP.
L2TP, IP-, L2TP-, wan_ip. ,
IPsec- .

. IPsec-

CLI

gw-world:/> add Interface IPsecTunnel l2tp_ipsec LocalNetwork=wan_ip
            RemoteNetwork=all-nets IKEAlgorithms=Medium
            IPsecAlgorithms=esp-l2tptunnel
            PSK=MyPSK EncapsulationMode=Transport
            DHCPOverIPsec=Yes AddRouteToRemoteNet=Yes
            IPsecLifeTimeKilobytes=250000
            IPsecLifeTimeSeconds=3600

Web-

1. Interfaces > IPsec > Add > IPsec Tunnel

2. IPsec-, , l2tp_ipsec

3. :

. Local Network: wan_ip

. Remote Network: all-nets

. Remote Endpoint: none

. Encapsulation Mode: Transport

. IKE Algorithms: High

. IPsec Algorithms: esp-l2tptunnel

4. 3600 IPsec Life Time seconds

5. 250000 IPsec Life Time kilobytes

6. Authentication, Pre-shared Key

7. MyPSK Pre-shared Key

8. Routing, :

Allow DHCP over IPsec from single-host clients

Dynamically add route to the remote network when a tunnel is established

9. OK

L2TP-. IP- ,
IP-, lan_ip. - , L2TP-
, l2tp_ipsec. IP, L2TP-,
ProxyARP.

. L2TP-

CLI

gw-world:/> add Interface L2TPServer l2tp_tunnel IP=lan_ip
            Interface=l2tp_ipsec ServerIP=wan_ip
            IPPool=l2tp_pool TunnelProtocol=L2TP
            AllowedRoutes=all-nets
            ProxyARPInterfaces=lan

Web-

1. Interfaces > L2TP Servers > Add > L2TPServer

2. L2TP-, , l2tp_tunnel

3. :

Inner IP Address: lan_ip

Tunnel Protocol: L2TP

Outer Interface Filter: l2tp_ipsec

Server IP: wan_ip

4. PPP Parameters Use User Authentication Rules

5. l2tp_pool IP Pool

6. Add Route all-nets Allowed Networks

7. OK

L2TP-
.

. L2TP-

Web-

1. User Authentication > User Authentication Rules > Add > UserAuthRule

2. , , L2TP_Auth

3. :

Agent: PPP

Authentication Source: Local

Interface: l2tp_tunnel

Originator IP: all-nets

Terminator IP: wan_ip

4. Authentication Options UserDB Local User DB

5. OK

.
, .

. :

CLI

main () IP-:

gw-world:/> cc IPRuleSet main

IP-:

gw-world:/> add IPRule action=Allow Service=all_services
            SourceInterface=l2tp_tunnel
            SourceNetwork=l2tp_pool
            DestinationInterface=any
            DestinationNetwork=all-nets
            name=AllowL2TP

gw-world:/> add IPRule action=NAT Service=all_services
            SourceInterface=l2tp_tunnel
            SourceNetwork=l2tp_pool
            DestinationInterface=any
            DestinationNetwork=all-nets
            name=NATL2TP

Web-

1. Rules > IP Rules > Add > IPRule

2. , , AllowL2TP

3. :

Action: Allow

Service: all_services

Source Interface: l2tp_tunnel

Source Network: l2tp_pool

Destination Interface: any

Destination Network: all-nets

4. OK

5. Rules > IP Rules > Add > IPRule

6. , , NATL2TP

7. :

Action: NAT

Service: all_services

Source Interface: l2tp_tunnel

Source Network: l2tp_pool

Destination Interface: any

Destination Network: all-nets

8. OK

9.5.3. L2TP/PPTP-
L2TP/PPTP-:

L2TP Before Rules

L2TP-,
NetDefend, L2TP-, .

PPTP Before Rules

PPTP-, NetDefend, PPTP-


, .

Default:

Max PPP Resends

PPP.

: 10

9.5.4. L2TP/PPTP-
PPTP L2TP .
PPTP L2TP-, NetDefendOS
PPTP L2TP-. , VPN-
IPsec PPTP L2TP. NetDefend
, .

PPTP L2TP :

Name

Interface Type : PPTP L2TP

Remote Endpoint IP- . URL, dns:
.

PPTP L2TP IP- PPP


LCP-. NetDefendOS
/. :

Inner IP Address , IP-.


0.0.0.0, PPTP/L2TP-
PPTP/L2TP- IP-.

Automatically pick name , NetDefendOS


PPTP/L2TP-, , ip_PPTPTunnel1.

Primary/Secondary DNS Name DNS-


.

:
PPTP/L2TP
PPTP/L2TP- ,
, PPTP/L2TP-
. PPTP/L2TP , ,
PPTP/L2TP- .

Username , PPTP/L2TP-
Password
Authentication , .
MPPE MPPE (Microsoft Point-
to-Point Encryption).

Dial On Demand, PPTP/L2TP- ,


. :
Activity Sense Dial-on-demand
Send Recv, .
Idle Timeout ( ) .

PPTP-
PPTP- .

, NAT
NetDefendOS PPTP-
NetDefend. PPTP- ,
PPTP-,
NAT.

NAT PPTP-
PPTP- PPTP-.
:

PPTP- NetDefendOS .

NetDefendOS, ,
PPTP-.


. 9.3. PPTP-

9.6.

VPN-
,
. URL
(CRL Distribution Point), CA,
HTTP GET HTTP. (
URL- FQDN - Fully Qualified Domain Name.)

:
, ,
. FQDN DNS-.

, , VPN-
. IP- DNS- ,
. ,
DNS-.

VPN- .

FQDN
CA IP-. :

1. NetDefend,
, , ,
NetDefendOS.

IP- DNS-
, , FQDN . DNS-
NetDefendOS ,
, NetDefendOS .

2. ,
, , NetDefendOS.
:

. DNS- , NetDefendOS
.

. DNS- IP-
NetDefend , FQDN , ,
. , NetDefendOS
ca.company.com, IP-
NetDefend DNS-.

,
.

3. . , ,
DNS- FQDN. ,
NetDefendOS DNS-,
FQDN .

. 9.4.

VPN- , NetDefend,
VPN- .
VPN- . Microsoft,
, Vista, . Microsoft Vista
. ( Microsoft) ,
.


NetDefend. ,
. (, ,
DMZ) NetDefendOS.

,
DNS- , .
NetDefendOS
, IP- DNS-
NetDefendOS, , .


.
NetDefendOS Disable
CRLs . ,
.

9.7. VPN
VPN.

9.7.1.
VPN :

IP-

ICMP Ping .
Pinging. ping
IP-
NetDefend ( LAN to LAN ping ).
NetDefendOS ping, IP-
:

Action   Src Interface   Src Network   Dest Interface   Dest Network   Service
Allow    vpn_tunnel      all-nets      core             all-nets       ICMP

, IPsec Tunnel . NetDefendOS


,
all-nets Remote Network none Remote Endpoint
. Incorrect Pre-shared
Key.

IP- ,
, , .
, , Wi-Fi ,
IP- DHCP- Wi-Fi. IP-
, Windows - , IP-
. .

/ IP-
Windows.

/,
, :

IPsec Before Rules IPsec-

L2TP Before Rules L2TP-

PPTP Before Rules PPTP-

,
NetDefendOS IP-.
, IP-,
NetDefendOS.
core.

URL, , dns:
URL. , vpn.company.com,
dns:vpn.company.com.

9.7.2.

VPN ,
:

, .cer .key . , my_cert.key


my_cert.cer.

, .
, ,
.

, NetDefendOS .
, , ,
.

, . ,
NetDefend, CA ,
, .

(Certificate Revocation List, CRL),


, CA.
CA 9.6, .

9.7.3. IPsec
IPsec- :

ipsecstat

ipsecstat IPsec-.
:

gw-world:/> ipsecstat

--- IPsec SAs:

Displaying one line per SA-bundle

IPsec Tunnel   Local Net        Remote Net      Remote GW
------------   --------------   -------------   -------------
L2TP_IPSec     214.237.225.43   84.13.193.179   84.13.193.179
IPsec_Tun1     192.168.0.0/24   172.16.1.0/24   82.242.91.203

IKE :

y.

:
-num=all
,
-num=all,
.

, :

,
, -num=10.

ikesnoop

IPsec :
. ikesnoop
.
:

Kl ICMP ping NetDefend


. ikesnoop
.

,
verbose . ,
, IP- ( IP-
, IP- ). :

Ikesnoop :

9.4.5,
ikesnoop.

9.7.4. VPN
VPN- , , ,
, VPN-
.

,
all-nets VPN-. VPN-
, ,
NetDefend .

VPN- all-
nets, ,
.

9.7.5.
,
VPN-:

1. Could not find acceptable proposal / no proposal chosen.


2. Incorrect pre-shared key.
3. Ike_invalid_payload, Ike_invalid_cookie.
4. Payload_Malformed.
5. No public key found.

1. Could not find acceptable proposal / no proposal chosen


, IPsec. ,
, , IKE
IPSec , ,
.

,
, , .

-1 IKE

IKE proposal . , IKE proposal
. ikesnoop verbose
. ,
, IKE
proposal. -1 . ,
, . :
() IKE, .

-2 IPsec

IPsec . , IPsec
.
ikesnoop, , .
IPsec , , ,
IPsec proposal ,
. (-)
. , SA
IPsec, SA ( , ). ,
,
.

IKE IPsec- ,
No proposal chosen. Main Aggressive, DH ( IKE)
PFS ( IPsec).

2. Incorrect pre-shared key


.
, ,
. , (
), .

NetDefendOS
. NetDefendOS
IPsec- .
, all-nets, .
, , .

, IPsec-:

Name    Local Network   Remote Network   Remote Gateway
VPN-1   lannet          office1net       office1gw
VPN-2   lannet          office2net       office2gw
L2TP    ip_wan          all-nets         all-nets
VPN-3   lannet          office3net       office3gw

L2TP- VPN-3,
VPN-3 - all-nets (all-nets ).
, Incorrect pre-
shared key.

VPN-3 L2TP.
office3gw NetDefendOS
VPN-3.

3. Ike_invalid_payload, Ike_invalid_cookie
IPsec NetDefendOS IPsec IKE,
IKE.

VPN- ,
, , . ,
, -
. ,

, , .

, -
. , . ,
DPD / Keep-Alive .
, DELETE, .

4. Payload_Malformed
Incorrect pre-shared key, .
, PSK
( ).

, IPsec- .
, , ,
.

5. No public key found


VPN-
.

,
. ,
ikesnoop , ikesnoop
, .
PSK,
, ,
( ).

.
- , CA,
NetDefend, , .

NetDefend
(Certificate Revocation List, CRL) , .
CRL . (
CRL). , NetDefendOS DNS-
CRL.

: L2TP Microsoft Vista


L2TP Microsoft Vista
CRL, Microsoft XP .
Vista .


, ,

. ,
, ,
.

L2TP-
Windows.
.

9.7.6.
:

1. .

2. , ikesnoop config mode


XAuth, XAuth .

1.
/
(-).

,
, IKE proposal IPsec
.

, , IPsec-:

= 192.168.10.0/24

= 10.10.10.0/24

= 10.10.10.0/24

= 192.168.10.0/16

,
. ,
, . ,
, , . ,
.
proposal.

2. .
XAuth
No proposal chosen.
. NetDefendOS ,
,
, .

ikesnoop, , ,
-2. . ,
.

10.
NetDefendOS.

Traffic Shaping

IDP Traffic Shaping

10.1. Traffic Shaping


10.1.1.
QoS TCP/IP

TCP/IP Quality of Service (QoS). QoS


. ,
Differentiated Services (Diffserv),
QoS
QoS.

Diffserv NetDefendOS

NetDefendOS Diffserv :

NetDefendOS 6 ,
(Differentiated Services Code Point (DSCP) Diffserv),
VPN- .

, Traffic shaping NetDefendOS DSCP-


, NetDefend.

, Traffic shaping NetDefendOS Diffserv


NetDefend. Traffic shaping
NetDefendOS, , NetDefendOS
Diffserv, .

Traffic Shaping

, Diffserv ,
QoS.
. ,
.

NetDefendOS QoS,
, NetDefend.
traffic shaping
, ,
. Traffic shaping , VPN-.

Traffic Shaping

Traffic shaping IP-


. :

,
. , ,
.

, .
, .

.
, ,
,
.

. ,
( ) . ,
, ,
, .

, Traffic shaping
.
,
,
.

: Traffic shaping SIP ALG


, IP- ,
SIP ALG, traffic
shaping.

10.1.2. Traffic Shaping NetDefendOS


NetDefendOS Traffic shaping ,
NetDefend.
, ,
IP-.

Traffic shaping NetDefendOS:

(Pipes)

(Pipe Rules)

(Pipes)
Traffic shaping ,
. ,
.
. .

, ,
. ,
, , , ,
/ ( 10.1.6,
).

NetDefendOS ,
. ,
,
.
-, .

(Pipe Rules)
NetDefendOS,
, .

, NetDefendOS:
/ /, , .
IP- ,
.

, IP-, ( )
. , , ,
Traffic shaping. , ,
, Traffic shaping
.

:


. Traffic
shaping .

(Pipe Rules)
,
:

(Forward Chain)

, ,
NetDefend. , .

(Return Chain)

,
NetDefend. , .

. 10.1.

. , ,
. ,
, . 8.

Traffic Shaping
, , ,
- . ,
,
.

Traffic shaping.
, ,
Traffic Shaping .

IP- FwdFast
, Traffic shaping ,
IP- FwdFast IP- NetDefendOS.

, Traffic shaping (state


engine) NetDefendOS, , . IP-
FwdFast .

, .

. 10.2. FwdFast Traffic Shaping

10.1.3.
,
.
.
-.

10.1.
, 2 /,
.

CLI

gw-world:/> add Pipe std-in LimitKbpsTotal=2000

Web-

1. Traffic Management > Traffic Shaping > Pipes > Add > Pipe

2. , , std-in

3. 2000 Total Pipe Limits

4. OK

, .

.
, . Traffic shaping
, , , .

, .
(return chain). , ,
(outside-in), std-in.

CLI

gw-world:/> add PipeRule ReturnChain=std-in SourceInterface=lan
            SourceNetwork=lannet DestinationInterface=wan
            DestinationNetwork=all-nets Service=all_services name=Outbound

Web-

1. Traffic Management > Traffic Shaping > Pipes > Add > Pipe Rule

2. , , outbound

3. :

Service: all_services

Source Interface: lan

Source Network: lannet

Destination Interface: wan

Destination Network: all-nets

4. Traffic Shaping std-in Return Chain

5. OK

() 2 /. ,
.

10.1.4.

, , ,
. NetDefendOS
,
.

.
. ,
?

std-in (forward chain) ,


2 /
2 / . (2 /)
(2 /), 4 /.
2 / 1 /
.

4 / ,
, 2 / 2 /
. 3 / 1 / ,
4 /.


: , .
2 /.
.

10.2.
:

CLI

gw-world:/> add Pipe std-out LimitKbpsTotal=2000

Web-

1. Traffic Management > Traffic Shaping > Pipes > Add > Pipe

2. , , std-out

3. 2000 Total

4. OK

,
, :

CLI

gw-world:/> set PipeRule Outbound ForwardChain=std-out

Web-

1. Traffic Management > Traffic Shaping > Pipes > Add > Pipe Rules

2. , , Edit

3. Traffic Shaping std-out Forward Chain

4. OK

2 / .

10.1.5.

.
, Web- , ?
, 250 /, 125 /
, Web-.

Web- .
, , ,
Web- ,
.

surf-in 125 /.
Web-, surf-in
, std-in. ,
, Web-, surf-in,
, .

,
125 /, 250 /.
: 250 /, 125 /,
375 / , 250
/.

, surf-in std-in,
, Web-.
surf-in 125 /.
std-in ,
250 /.

. 10.3.

Web- 125 / , 125 /


std-in, 125 / .
Web- , 250 /, std-in,
.

Web-,
125 / 125 /
. Web-
125 / :
. 125 /,
, .

10.1.6.

, Traffic shaping NetDefendOS,


(Precedence). , , ,
, 0.

, 0 7. 0
(), 7 ().
; 2
0, 4 2.

. 10.4.


, , , ,
. , Traffic shaping
, 4 6 0 3
.

,
, .

DSCP-

DSCP- . DSCP Diffserv,


Type of Service (ToS) IP-.

(Default Precedence),
(Minimum Precedence) (Maximum
Precedence). :

: 0

: 0

: 7

, , , ,
.

,
. ,
. ,
, .


. /
( , ,
).

:
, ,
Kilo 1000, 1024. , 3 Kbps
3000 .

, Mega
.

, .
, , ,
.

, .
.

(Best Effort)

() :
(Best Effort).
.

, ,
, (best effort)
.

2,

6. 2 (best effort).

. 10.5.

, (best effort),
,
. , ,
, . ,
,
.


, ,
. ,
( ), .

NetDefendOS :
, ,
.
. , .

, ,
, , ,
, .

Traffic shaping, , SSH


Telnet .
SSH Telnet
, 2. ,
.

, SSH Telnet
, ,
, . ,
, ,
.
, ,
, .
(throttling back), .

,
, , ,

, Web-, DNS FTP. ,

,
(Bandwidth Guarantees).


. , , ,
, .

SSH Telnet ,
96 /, std-in
96 /.

, SSH Telnet 96 /.
,
.

2 96 /, ,
,
(best effort). (best effort)
.

, 32 /
Telnet 64 / SSH. 32
/ 2, 64 / 4
. ,
:

? ,
Traffic shaping.

. ,
, ?.

: Telnet
SSH, , surf.

96 / std-in, : ssh-in
telnet-in. 2 , ,
, 2 32 64 /.

, , 22-23
22 23 :

std-out.
,
, .

22 ssh-in
std-in. 23 telnet-in
std-in.

Use defaults from first pipe;


ssh-in telnet-in 2.

, 2
, SSH Telnet,
ssh-in telnet-in.

, ssh-in telnet-in.
, std-in,
.

ssh-in telnet-in (priority filter):


std-in
2 (64 32 / ). SSH Telnet,
, std-in 0,
std-in ssh-in.

:


. std-in ssh-in telnet-in,
std-in ,
, 250 /
.

10.1.7.
NetDefendOS

.

IP- (Source IP)

IP- (Destination IP)

(Source Network)

(Destination Network)

(Source Port) ( IP-)

(Destination Port) ( IP-)

(Source Interface)

(Destination Interface)

Grouping.
/ ,
. , IP- ,
IP- .

IP-

, IP-. , 1024
1024 .
IP-, .


,
. NetDefendOS .


(Group
Limits). :


. , IP- ,
100 /, , IP- 100
/ .


.
( ) . , 3
50 /, ,
( , IP- ,
) 50 /
.


, . ,
IP- , IP-
.


, , ,
.


.
, :

, .

, IP-
.

. 10.6. , IP-


,
400 /. IP-
, IP- 100 /
, :

400 /.

Grouping Destination IP.

Group Limits 100 /.

, , IP-
100 /.
400 /.


, ,
IP- Group Limits.
,
Pipe Limits?

Group Limits ,
Pipe Limits . ,
IP- , Group Limits 5 5
/, Pipe Limits 5 20 /,
IP- (4 5 = 20 /)
, .


Dynamic Balancing.

. .


100 /, ,
.


,
. 2
30 /, , 2
30 /, ,
. , , 30
/ 2,
.

,
, SSH-.
.

ssh-in ,
. ,
ssh-in Destination
IP.

, 2
16 / . ,
16 / SSH-.
, - , , 40
/.

5 SSH, , 5 16
/ , 64 /. ,
2
, .
- 16 /, .

, 5
. 5-
SSH-, 13 / (64
/, 5 ).

. ,
,

(best-effort), ,
.

10.1.8. Traffic shaping



Traffic shaping , NetDefendOS .
, ,
. 500 /,
400 / 90 /
, 10 / ,
- .
, ,
.

VPN
Traffic shaping VPN-.
- ,
, , VPN-. VPN-, ,
IPsec, ,
VPN- 20%
.


, ,
.
, , ,
.
Destination
IP . ,
. ,
.

, ,
, .
500 /, 600 /,
, .



.
95% .
, 5%
.


NetDefendOS. ,
NetDefend, , NetDefendOS
, , ,
, .

,
Traffic shaping
, ,
NetDefendOS .


Traffic shaping , , , DoS
flood-. NetDefendOS ,
NetDefend, ,
flood-.


Traffic shaping , ,
, , NetDefendOS.

-, ,
, - .

, , , . ,
, ,

, .


, ,
:

10.1.9. Traffic shaping


Traffic shaping NetDefendOS
.
:

, (Pipe Rules).

(Pipes).

,
.

, , .

(
).

, ,
.

,
. , , ,
(Best Effort).

(best effort)
.

(Group).
, IP- . (, IP-
) ,
/.

,
.

,
.

10.1.10.

Traffic shaping
.


, ,
1 .

. 10.7. Traffic Shaping

2 ,
.
, , ADSL.

2 in-pipe out-pipe :

Pipe Name   Min Prec   Def Prec   Max Prec   Grouping    Net size   Pipe limit
in-pipe     0          0          7          PerDestIP   24         1000kb
out-pipe    0          0          7          PerSrcIP    24         1000kb

.
PerDestIP PerSrcIP PerDestNet PerSrcNet .

, .

Rule Name   Forward Pipes   Return Pipes   Source Interface   Source Network   Destination Interface   Destination Network   Service
all_1mbps   out-pipe        in-pipe        lan                lannet           wan                     all-nets              all

, ,
1 /.
,
.


, -,
.

, 2/2 / .
:
6 VoIP (500 /)

4 Citrix (250 /)

2 (1000 /)

0 Web

in-pipe out-pipe.
(Pipe Limits) . :

6 500

4 250

2 1000

Rule Name   Forward Pipes   Return Pipes   Source Interface   Source Network   Dest Interface   Dest Network   Selected Service   Precedence
web_surf    out-pipe        in-pipe        lan                lannet           wan              all-nets       http_all           0
voip        out-pipe        in-pipe        lan                lannet           wan              all-nets       H323               6
citrix      out-pipe        in-pipe        lan                lannet           wan              all-nets       citrix             4
other       out-pipe        in-pipe        lan                lannet           wan              all-nets       All                2


. , ,
. all ,
, ,
, .


, 2 (
) 1000 /, , 0.
, in-other
out-other (Pipe Limit) 1000.
:

Rule Name   Forward Pipes         Return Pipes        Source Interface   Source Network   Dest Interface   Dest Network   Selected Service   Precedence
other       out-other, out-pipe   in-other, in-pipe   lan                lannet           wan              all-nets       All                2

, in-other out-other
. ,
in-pipe out-pipe VoIP, Citrix ,
.

VPN
Traffic shaping NetDefend.
, VPN ,
. VPN ,
.

, , ,
, VPN-
. , 1700 /
VPN- 2 /.

,
VPN, .

VPN .
VPN- ,
, VPN- ,
.

.
VoIP- VPN- .
(best effort). ,
2/2 /.

vpn-in

6: VoIP (500 /)

0: Best Effort

Total: 1700

vpn-out

6: VoIP 500 /

0: Best Effort

Total: 1700

in-pipe

6: VoIP 500 /

Total: 2000

out-pipe

6: VoIP 500 /

Total: 2000

Rule Name      Forward Pipes       Return Pipes        Src Int   Source Network   Dest Int   Destination Network   Selected Service   Precedence
vpn_voip_out   vpn-out, out-pipe   vpn-in, in-pipe     lan       lannet           vpn        vpn_remote_net        H323               6
vpn_out        vpn-out, out-pipe   vpn-in, in-pipe     lan       lannet           vpn        vpn_remote_net        All                0
vpn_voip_in    vpn-in, in-pipe     vpn-out, out-pipe   vpn       vpn_remote_net   lan        lannet                H323               6
vpn_in         vpn-in, in-pipe     vpn-out, out-pipe   vpn       vpn_remote_net   lan        lannet                All                0
out            out-pipe            in-pipe             lan       lannet           wan        all-nets              All                0
in             in-pipe             out-pipe            wan       all-nets         lan        lannet                All                0

VPN- 1700 /,
2000 / VoIP-
500 / , 500 /
.

SAT

SAT, , Web- FTP-,
, Traffic shaping
QoS. , ,
:
in-pipe, out-pipe.

catch-all-inbound,
, . ,
, IP-
, (wan).
:

Rule Name   Forward Pipes   Return Pipes   Source Interface   Source Network   Dest Interface   Dest Network   Selected Service   Precedence
all-in      in-pipe         out-pipe       wan                all-nets         core             all-nets       All                0

: SAT IP- ARP-


SAT IP-, ARP-
,
wan.

10.2. Traffic Shaping IDP


10.2.1.
Traffic Shaping IDP ,
, (Intrusion
Detection and Prevention, IDP) NetDefendOS ( . 6.5,
).

Traffic Shaping IDP ,


. ,
, peer-to-peer (P2P), ,
Bit Torrent Direct Connect.

, P2P-,
.
,
, Traffic Shaping IDP .

IDP Traffic Shaping

, P2P,
. NetDefendOS
,
NetDefendOS
Traffic shaping NetDefendOS ,
.

Traffic Shaping IDP , ,


IDP,
Traffic shaping .

10.2.2. Traffic Shaping IDP
Traffic Shaping IDP :

1. IDP-, .

IDP- , , ,
, POLICY,
.

2. Pipe.

, , ,
Traffic Shaping IDP.

3. .

, .
, ,
,
.

, IDP, .

4. ().

, Traffic shaping
.

, P2P-
,
.

IDP,
, ,
Traffic shaping. ,
, Traffic shaping.

0 , Traffic shaping
, , .
, IDP-
Traffic shaping.

5. ()

0, . IP-
,
IDP-, Traffic shaping.
Traffic shaping,
IP-.

10.2.3.
, , , ,
Traffic Shaping IDP:

1. NetDefend,
. NetDefendOS IP-
.

2. IDP-. IDP- Pipe,


, Traffic Shaping
, IDP-.

3. , IDP,
IP- , , .
IP-,
Network, , Traffic shaping
, .

Network ,
, ,
.

10.2.4.
IDP
, .
IDP , .
, .
, , Traffic shaping
, .


, P2P- IDP
ID-, Pipe, ,
Traffic shaping. ,
, HTTP-, IDP ,
Traffic shaping , .


, IP-
Network, IP- .
NetDefendOS ,
, IDP-,
Traffic shaping.

, ,
, ,
Traffic shaping, P2P.

, ,
Traffic shaping, , , .

10.2.5. P2P
, ,
P2P-. :

IP- 192.168.1.15 P2P-


(1) Tracking server 81.150.0.10.

IDP- NetDefendOS, IDP,


P2P-.

Pipe Traffic shaping ,


.

(2) - 92.92.92.92
IDP-,
Traffic shaping.

. 10.8. Traffic shaping IDP P2P

10.2.6. Traffic Shaping



Traffic shaping IDP CLI, idppipes,
,
Traffic shaping .

, Traffic shaping IDP,


:

, IP- 192.168.1.1, Traffic shaping


:

idppipes
CLI.


Traffic Shaping IDP NetDefendOS,
. Traffic Shaping
.

,
Traffic Shaping Web-,
CLI pipes. ,
CLI:

Traffic Shaping IDP ,


.


NetDefendOS , Traffic Shaping
IDP, IDPPipe_<bandwidth> ()
IDPPipe_<bandwidth>R () .
, .

, , 1000 / IDPPipe_1000
IDPPipe_1000R .
IDPPipe_1000_(2) IDPPipe_1000R_(2).
, (3).


IDP- .
: ()
, ().
, Per Source
IP, Per Destination IP.

10.2.7.

Traffic Shaping IDP
, .

, , 10 ,
, IDP-
Pipe .
Traffic shaping ,
.

10.2.8.
Traffic Shaping IDP
:

IDP- Pipe,
Network

, .

,
, ,
.

, .
.

10.3.
10.3.1.
,
, . ,
, , IP-
.
, . (
, TCP, UDP
ICMP, NetDefendOS).

: NetDefend

DFL-800, 860, 1600, 1660,
2500, 2560 2560G.


, NetDefendOS,
/ / , ,
HTTP. , ,
.

, :

Action ()

. Audit,
Protect.

Group by ( )

: Host Network.

Threshold ()

, .

Threshold Type ( )

,
.

10.3.2. /



, NetDefend.



, NetDefend.

, - , P2P-
, NAT.

10.3.3.
:

Host Based ( ) ,
IP-.

Network Based ( )
.

10.3.4.
:

Audit , .

Protect .

, .
Audit,
Protect.

10.3.5.
NetDefendOS
. ,
.

, Type Grouping (
) ,
.

10.3.6. ,
, ,
Before Rules,
IP- NetDefendOS, . Before Rules

, .

10.3.7. ZoneDefense
D-Link ZoneDefense
. 12,
ZoneDefense.

10.3.8.
Protect, , ,
, IP- .
Protect ,
NetDefendOS , .


.
, . ,
.

,
, , , ,
, NetDefendOS.

, ( )
.

6.7, .

10.4.
10.4.1.
SLB (Server Load Balancing)
, IP- SLB_SAT.

SLB - , :

SLB ,
,
( server farm),
, .

: NetDefend
SLB
SLB DFL-800, 860, 1600, 1660, 2500,
2560 2560G.

SLB, -
.

. 10.9.

SLB
SLB
:

SLB
, . NetDefendOS SLB
,
.

SLB
. , ,

, .


DoS (Denial Of Service).

SLB
SLB :

SLB
(stickiness)


SLB ,
. , server farm,
, .
, SLB .

10.4.2. SLB
. NetDefendOS SLB
:

Round-robin
.

.
.
, ,

,
.

,
,
,

.

Connection-rate ,

. Window Time. SLB
,

Window Time ( ).

Window Time ,
. 10 .

10.4.3.
(Stickiness)
, , SSL-, ,
.
(Stickiness),
round-robin, connection-rate. Stickiness :

Per-state Distribution ,
Stickiness .
, IP-
. ,
,
.

,

, .
Stickiness.

IP Address Stickiness ,
( IP-) ,
. TLS SSL,
, HTTPS,
.

Network Stickiness IP stickiness ,


( ) IP-
. .

, 24 (
), IP- 10.01.01.02
10.01.01.00/24,
.


IP- (IP stickiness)
(Network stickiness), :

Idle Timeout ( )

, IP- . IP-
.
(Idle Timeout). ,
IP- ,
. , ,
,
IP- .

10 .

. - (Max Slots)

.
, , ,
(.. Idle Timeout).

IP-
. Max Slots
, .

2048 .

(Net Size)

,
IP-. (Network Stickiness)
.

(Network Stickiness) Net Size ,


IP- .
, , IP- ,
, . IP-
, .

24.

10.4.4. SLB (Stickiness)
SLB.

NetDefend
.
(Stickiness) .

.10.10. ,

Round-robin, R1 R2, 1,
, 1.
R3 2 2. R4 3
1.

. 10.11. (Stickiness) Round-Robin

Connection-rate, R1 R2 ,
, R3 R4
,
Window Time .

. 10.12. (Stickiness) Connection-rate

, , ,
. ,
.

10.4.5.
SLB ,
. SLB OSI
. , , ,
, .

D-Link :

ICMP Ping 3- OSI. SLB ping IP-


. ping
.

TCP Connection 4- OSI. SLB


. , Web- 80,
SLB TCP SYN . SLB TCP
SYN/ACK , 80 . SLB
: no response, normal response closed port
response.

10.4.6. SLB_SAT
SLB IP- SLB_SAT.
:

1. IP- , SLB.

2. IP-, .

3. SLB_SAT IP-, IP-


SLB.

4. , / /
SLB_SAT, .
, :

Allow

NAT

: FwdFast
SLB
SLB , state engine
NetDefendOS . IP- FwdFast
SLB, , ,
state engine.

Web-
NetDefend, .
Allow Web-.




WEB_SLB SLB_SAT any all-nets core ip_ext
WEB_SLB_ALW Allow any all-nets core ip_ext

, Web-,
NAT:




WEB_SLB SLB_SAT any all-nets core ip_ext
WEB_SLB_NAT NAT lan lannet core ip_ext
WEB_SLB_ALW Allow any all-nets core ip_ext

, core.
Allow , Web- IP-,
. NAT Web- IP-
NetDefend.

10.3. SLB
Web- HTTP,
NetDefend. IP- Web-: 192.168.1.10
192.168.1.11, . , (stickiness)
SLB .

NAT SLB_SAT ,
Web-. Allow .

Web-

. Web-:

1. Objects > Address Book > Add > IP Address

2. , , server1

3. IP-, 192.168.1.10

4. OK

5. , server2 IP- 192.168.1.11

. , Web-:

1. Objects > Address Book > Add > IP4 Group

2. , , server_group

3. server1 server2

4. OK

. IP- SLB_SAT:

1. Rules > IP Rule Sets > main > Add > IP Rule

2. :

Name: Web_SLB

Action: SLB_SAT

Service: HTTP

Source Interface: any

Source Network: all-nets

Destination Interface: core

Destination Network: ip_ext

3. SAT SLB

4. Server Addresses server_group Selected

5. OK

. IP- NAT :

1. Rules > IP Rule Sets > main > Add > IP Rule

2. :

Name: Web_SLB_NAT

Action: NAT

Service: HTTP

Source Interface: lan

Source Network: lannet

Destination Interface: core

Destination Network: ip_ext

3. OK

. IP- Allow :

1. Rules > IP Rule Sets > main > Add > IP Rule

2. :

Name: Web_SLB_ALW

Action: Allow

Service: HTTP

Source Interface: any

Source Network: all-nets

Destination Interface: core

Destination Network: ip_ext

3. OK

11.

NetDefend.

HA-

HA-

HA-

HA-

11.1.
HA-

NetDefendOS NetDefend
.
NetDefend: (master)
(slave).
HA-. ,
, .. .

, slave-
. , master-
, , .. slave-
.
master- , slave- ,
master- ,
. - (active-passive)
.

:

NetDefend.

D-Link
NetDefend DFL-1600/1660/2500/2560/2560G.

master-

, master-
.


NetDefend, . Slave-
, master-
.

master- slave- ,
NetDefendOS (sync interface).
master- slave-
.
NetDefendOS
,
(heartbeats).
. , ,
.
11.2
.

HA-, NetDefend,
,
NetDefend. , ,
IP-, ,
: , .

HA- D-Link ,
.. ,
. NetDefend (master slave)
.

.

D-Link
NetDefend.
, .

NetDefend . ,
, HA-.

HA- . ,
,
.

11.2.

, NetDefend
.

D-Link
. , ,
,
. ,
, ,
,
.

,
(Cluster Heartbeats).
, .

NetDefendOS 5
, (.. 0,6 ),
.
.
, ,
, ,
, .
, .

, ,
.
, ,
,
.


. , ..
, ,
.

.
. NetDefendOS

, ..
. .

IP- IP- ,
.

IP- ,
.

(TTL) IP- 255.


NetDefendOS TTL, ,
.
.

UDP-, 999 999.

MAC- Ethernet- ,
. , 11-00-00-C1-4A-nn.

. ,
,
.

,
. TCP
. TCP
,
. UDP
, .. , .

IP- ARP

Master- slave- IP-. ARP-


IP- IP-
ARP Proxy ARP
.

IP-
. , MAC-
NetDefendOS 10-00-00-C1-4A-nn, nn
(Cluster ID), (Advanced Settings)
/ / .
.

.. IP- ,
ARP- ,
.

, ,
Gratuitous ARP- ,
.
, ,
. ,
, - .


, ARP-
.

IDP-

NetDefendOS
(IDP),
.
D-Link,
.

HA-:

6. (master) D-
Link. IP- .

7. (master)
.

8. (slave)
.

9. (master)

slave-.

10. , master- ,
, master- .

sync-

HA- sync- master- slave-,



.

,
. ,
.
, .. sync-.

sync-
hasync_connection_failed_timeout. ,
, , ,
.

sync-
.
stats-. IPsec-,
ipsecglobalstat -verbose. IPsec SA,
IKE SA, IP- .
sync- ,
, .

sync- , ,

. . :

,
,
.

,
.

:
.

.

.

11.3. HA-
HA-.

11.3.1. HA-
HA-:

1. HA- NetDefend.
,
.

master- slave-
, , ,
,
.

2. :

master- slave-
.
.

sync-.
( ).

3. IP- .
,
IP- ,
IP4 HA Address.
:

, IP4 HA Address
. IP-
ping ICMP, IP- (
, ICMP- IP- ).

, IP-
. IP- .
,
IP- .

IP4 HA Address,
(localhost) , IP-
127.0.0.0/8.

ARP- IP-, IP4 HA Address,


, ,
IP-.

IP- ,
, , ,
.

:
IP- .
IP-
. ,
SSH
NetDefend, HA-,
IP-
. IP- IP4 HA Address, .

HA-

HA- .
master- slave-
. master-
slave- ( )
.

, LAN- master- LAN- slave-
, .
WAN- master- WAN- slave-
, .

: sync-,
.
,
, sync-
.
.

11.3.2. HA-
NetDefendOS
HA-, :

1. master- WEB-.

2. System > High Availability.

3. Enable High Availability.

4. Cluster ID.
.

5. sync- Sync Interface.

6. Master.

7. Objects > Address Book IP4 HA Address


. IP- master-
slave-.

,
, (
(localhost) , IP-
127.0.0.0/8).

8. Interfaces > Ethernet IP


Address IP- .

Advanced
High Availability, Private IP Address IP4 HA Address,
( NetDefendOS
master- slave-
).

: IP- IP-
.
IP-
. IP-, IP4 HA
Address ,
.

9. Save and activate.

10. NetDefend,
Slave.

HA-

NetDefend .
. -
master-, slave-
, , .
.

11.3.3. HA-
, ,
ha .
( master-):

gw-world:/> ha

This device is an HA MASTER


This device is currently ACTIVE (will forward traffic)
HA cluster peer is ALIVE

stat , master- slave-


. :

Connections 2726 out of 128000

, ,
. .

,
Cluster ID , ( 0).
MAC- .

Use Unique Share MAC


MAC-. ,
MAC-
.

, High Buffers
automatic .
NetDefendOS
.
.

(, )
,
automatic. High Buffers
, .

11.3.4. Unique Shared Mac Addresses


, NetDefendOS
Use Unique Shared MAC Address.
.

Unique Shared MAC Address

, MAC-
. ,
lan1 master- MAC-, lan1 slave-
.

HA- , ,
, .. , ARP-
. . , ,
.

HA- , Unique Shared


MAC Address .
MAC- .

11.4. HA-
HA- :

IP-


IP4. IP- local host.
, .

SNMP

SNMP- master- slave-. SNMP-


.
.

IP-

IP- master- slave-


- . , , IP-
NAT
, , .. IP- ,
, , .

IP- 0.0.0.0

IP- 0.0.0.0 IP-.


IP- 0.0.0.0 IP-
NetDefend (Lockdown Mode).

, ,
NetDefendOS. ,
,
,
.

. -
, IP-,
, LAN-, ..
ARP- .
ARP-.

-, ,
. ,
.

.
, .

.

OSPF

OSPF,
(designated router).

OSPF ,
OSPF- (OSPF area), .
,
OSPF, .

PPPoE- DHCP-

, IP- HA-,
PPPoE- DHCP- HA-.

11.5. HA-
NetDefendOS master- slave- HA-
. NetDefendOS ,
,
.

,
,
.

, ,
.

,
,
.

, .

NetDefend.

. ,

,
.
ha. :

gw-world:/> ha

This device is a HA SLAVE


This device is currently ACTIVE (will forward traffic)
This device has been active: 430697 sec
HA cluster peer is ALIVE

Slave- . , master-
.

,
NetDefend. ,
. , WEB-.

: ,
ALIVE
,
,
.

CLI- ha.
ALIVE.
gw-world:/> ha

This device is a HA SLAVE


This device is currently INACTIVE (won't forward traffic)
This device has been inactive: 2 sec
HA cluster peer is ALIVE

(
NetDefendOS)
ha -deactivate. .
, .
gw-world:/> ha -deactivate

HA Was: ACTIVE
HA going INACTIVE...

, ,
ha,
INACTIVE is ALIVE.

. ,
, ,
, NetDefend.
, .. , .

,
, .
.

, ,
CLI- ha -activate.

11.6. HA-
NetDefendOS
:

Sync Buffer Size

, ( ),
.

: 1024

Sync Packet Max Burst

, .

: 20

Initial Silence

( )
, .
HA- , ,
,
, .
, ,
. .

: 5

Use Unique Shared Mac

MAC-.
11.3.4 Unique Shared Mac Addresses.

Deactivate Before Reconf

, ,
.
, .
,
.

Reconf Failover Time


HA-. 0 .

: 0

12. ZoneDefense
D-Link ZoneDefense.

ZoneDefense

ZoneDefense

12.1.
ZoneDefense

ZoneDefense NetDefend
.
.


, ,
.

ZoneDefense (Threshold Rules) ,


, . Threshold
Rules ,
.


IP- CIDR ( IP- IP-
).

ACL

NetDefendOS , ,
ACL- (Access Control List) ,
, .
,
Web- CLI.

: ZoneDefense
NetDefend
ZoneDefense D-Link: DFL-800,
860, 1600, 1660, 2500,2560, 2560G.

12.2. ZoneDefense
, ,
. ,
, :

IP-


SNMP community ( write)

ZoneDefense :

DES-3226S ( R4.02-B26 )

DES-3250TG ( R3.00-B09 )

DES-3326S ( R4.01-B39 )

DES-3350SR ( R3.02-B12 )

DES-3526 R3.x ( R3.06-B20)

DES-3526 R4.x ( R4.01-B19 )

DES-3550 R3.x ( R3.05-B38)

DES-3550 R4.x ( R4.01-B19 )

DES-3800 ( R2.00-B13 )

DGS-3200 ( R1.10-B06 )

DGS-3324SR/Sri ( R4.30-B11 )

DGS-3400 R1.x ( R1.00-B35)

DGS-3400 R2.x ( R2.00-B52 )

DXS-3326GSR ( R4.30-B11 )

DXS-3350SR ( R4.30-B11 )

DHS-3618 ( R1.00-B03 )

DHS-3626 ( R1.00-B03 )

:

ZoneDefense
,
.

12.3. ZoneDefense
12.3.1. SNMP
(Simple Network Management Protocol, SNMP)
. SNMP
.

SNMP-

(), NetDefend,
SNMP-
.
SNMP Community (SNMP Community String). (
)
. write,
.

() SNMP-. D-Link
SNMP-, MIB (Management
Information Base)
SNMP-.

12.3.2. (Threshold Rules)


ZoneDefense
, , :

Connection Rate Limit


.

Total Connections Limit


.

IP- ,
.

: /

,
/, ZoneDefense,
/ . -
IP- . ,
, .


10.3 .

12.3.3. Exclude
(Exclude Lists)
,
.
.
, .

Exclude. IP-
MAC- ZoneDefense,
.

12.1. ZoneDefense
, ZoneDefense. ,
.

HTTP 10 . ,
(,
192.168.2.0/24).

D-Link DES-3226S
192.168.1.250, 192.168.1.1.
Exclude, .

Web-

ZoneDefense:

1. ZoneDefense > Switches > Add > ZoneDefense switch

2. :

Name: switch1

Switch model: DES-3226S

IP Address: 192.168.1.250

3. SNMP Community Write Community String, .

4. Check Switch
SNMP Community.

5. OK

Exclude:

1. ZoneDefense > Exclude list

2. Addresses 192.168.1.1 Available


Selected.

3. OK

, 10 , HTTP:

1. Traffic Management > Threshold Rules > Add > Threshold Rule

2. Threshold Rule :

Name: HTTP-Threshold
Service: http

3. Address Filter :

Source Interface:

Destination Interface: any

Source Network: 192.168.2.0/24 ( )

Destination Network: all-nets

4. OK

, , :

1. Add > Threshold Action

2. Threshold Action:

Action: Protect

Group By: Host-based

Threshold: 10

: Connection/Second

Use ZoneDefense

OK

12.3.4. ZoneDefense
ZoneDefense
NetDefendOS, ,
, ,
ZoneDefense. ALG:

HTTP ZoneDefense HTTP-,


.

FTP ZoneDefense FTP-


.

SMTP ZoneDefense SMTP-


e-mail.

12.3.5.
ZoneDefense .

.

.
,
.

,
. 50
, 800 ( ,
). ,
.

: ACL-

ZoneDefense ACL-
.
,
ZoneDefense ACL-
.

13.
NetDefendOS,
.
Web- System > Advanced Settings.

:
NetDefendOS
.

IP-

TCP-

ICMP-

13.1. IP-
Log Checksum Errors

IP-,
. , -
. , , , IP-,
.
.

Log non IP4

IP-,
4. NetDefendOS IP- 4;
.

Log Received TTL 0

IP-
TTL (Time To Live), 0.
TTL 0.
:

Block 0000 Src

0.0.0.0 .

Block 0 Net

0.* .

: DropLog

Block 127 Net

127.* .

: DropLog

Block Multicast Src

IP-
224.0.0.0 255.255.255.255.

: DropLog

TTL Min

TTL, .

: 3

TTL on Low

, ,
TTL TTLMin.

: DropLog

Multicast TTL on Low

, ,
TTL Multicast TTLMin.

: DropLog

Default TTL

TTL NetDefendOS,
. , 64 255.

: 255

Layer Size Consistency

, (Ethernet, IP,
TCP, UDP, ICMP) .

: ValidateLogBad

SecuRemoteUDP Compatibility

8 UDP IP-. Checkpoint SecuRemote


NAT-T.

IP Option Sizes

IP-.
, IP-.
,
, IP-.

: ValidateLogBad

IP Option Source/Return

, .
, .
, . NetDefendOS
, ,
.

: DropLog

IP Options Timestamps

(Time stamp)
.
. ,
. NetDefendOS
, .

: DropLog

IP router alert option

IP-, .

: ValidateLogBad

IP Options Other

, .

: DropLog

Directed Broadcasts

NetDefendOS ,
.
. ,
, .

: DropLog

IP Reserved Flag

NetDefendOS,
IP- .
0. (Fingerprinting).

: DropLog

Strip DontFragment

,
, .

: 65535

Multicast Mismatch

, , Ethernet IP multicast .

: DropLog

Min Broadcast TTL

Time-To-Live IP broadcast, .

: 1

Low Broadcast TTL Action

, TTL broadcast.

: DropLog

13.2. TCP-

TCP Option Sizes

TCP-. ,
IPOptionSizes, .

: ValidateLogBad

TCP MSS Min

TCP MSS. , MSS


, .
: 100

TCP MSS on Low

, , MSS
TCPMSSMin. TCP.

: DropLog

TCP MSS Max

TCP MSS. , MSS


, .

: 1460

TCP MSS VPN Max

TCPMSSMax, TCP . ,
MSS VPN-. , NetDefendOS
, TCP VPN-.
TCP VPN- ,
MTU.

: 1400

TCP MSS On High

, , MSS
TCPMSSMax.

, .

: Adjust

TCP MSS Log Level

TCP MSS,
TCPMSSOnHigh.

: 7000

TCP Auto Clamping

TCP MSS MTU ,


TCPMSSMax.

TCP Zero Unused ACK

NetDefendOS 0 Sequence
Number Acknowledgment Number TCP-, .
,
.

:
TCP Zero Unused URG

URG .

TCP Option WSOPT

Window-Scaling , TCP,
, ,
, ACK.
(Fingerprinting). WSOPT .

: ValidateLogBad

TCP Option SACK

Selective Acknowledgement (SACK) TCP ACK


, ,
.
(Fingerprinting). SACK .

: ValidateLogBad

TCP Option TSOPT

Time Stamp ( ). PAWS (Protect Against Wrapped Sequence


numbers), TSOPT
(32- ) .

, . TSOPT TCP
, , .
. (Fingerprinting).
TSOPT .

: ValidateLogBad

TCP Option ALTCHKREQ

.
TCP. ,
.

: StripLog

TCP Option ALTCHKDATA


ALTCHKREQ. , .

: StripLog

TCP Option Con Timeout

NetDefendOS .

: StripLogBad

TCP Option Other

TCP-. , .

: StripLog

TCP SYN/URG

NetDefendOS TCP- SYN


() URG ( ). SYN
, URG , ,
. ,
.

: DropLog

TCP SYN/PSH

NetDefendOS TCP- SYN PSH


(push). PSH ,
.

,
. , Apple MAC TCP
SYN- PSH.
NetDefendOS, , PSH ,
, .

: StripSilent

TCP SYN/RST

TCP RST SYN, , (strip=strip RST).

: DropLog

TCP SYN/FIN

TCP FIN SYN, , (strip=strip FIN).

: DropLog

TCP FIN/URG

NetDefendOS TCP- FIN


( ) URG. , ,
.
,
(Fingerprinting).

: DropLog

TCP URG

NetDefendOS TCP- URG,


. TCP-
Urgent, . ,
, FTP MS SQL Server, URG.

: StripLog

TCP ECN
NetDefendOS TCP- Xmas
Ymas. , (Fingerprinting).

, Explicit Congestion Notification


,
, .

: StripLog

TCP Reserved Field

NetDefendOS ,
TCP, , 0. Xmas Ymas.
(Fingerprinting).

: DropLog

TCP NULL

NetDefendOS TCP- SYN, ACK,


FIN RST. TCP
(Fingerprinting), ,
.

: DropLog

TCP Sequence Numbers

TCP- Sequence number TCP-


.

Sequence number TCP- ,


state-engine ( , FwdFast).

Ignore . , Sequence number .


ValidateSilent .
ValidateLogBad ,
.
ValidateReopen ;
.
ValidateReopenLog ;
, .
ReopenValidate ;
.
ReopenValidLog ; ,
.
: ValidateLogBad

TCPSequenceNumbers
ValidateLogBad ( ValidateSilent)
TCP-, ,
Sequence number .

ValidateReopen ValidReopenLog ,
NetDefendOS,
Sequence number ( )
TCP. ,
ValidateLogBad/ValidateSilent, TCP-
. ,
Web- (,
), TCP
.

, ValidateReopen ValidateReopenLog,
TCP-.
, , .

ReopenValidate ReopenValidLog , ValidateLogBad ValidateSilent.


/
Sequence number TCP- ( ,
), .
, , Web-,
.
Sequence number TCP-
. Sequence number
TCP-.

Allow TCP Reopen

TCP-.

13.3. ICMP-

ICMP Sends Per Sec Limit

ICMP- , NetDefendOS,
ping, Destination unreachable ( ),
TCP RST. ,
, (Reject rules) .

: 500

Silently Drop State ICMPErrors

NetDefendOS ICMP-
. ,
.

13.4.

Connection Replace

NetDefendOS
, .

: ReplaceLog

Log Open Fails

, , Stateful
Inspection , . , ,
TCP-,
, SYN.
. , ICMP-, ICMP ECHO (Ping),
. NetDefendOS
.

Log Reverse Opens

NetDefendOS ,
.
TCP- SYN ICMP ECHO.
, , UDP, ,
.

Log State Violations

NetDefendOS ,
, , TCP FIN
TCP SYN.

Log Connections

NetDefendOS:

NoLog , , ,
Allow NAT IP-;
. , FwdFast, Drop Reject ,
.

Log ;
, , SAT.
, .

LogOC , Log, ,
. ,
.

LogOCAll , .
TCP SYN, FIN RST.
LogAll .

: Log

Log Connection Usage

,
, state-engine NetDefendOS. ,
, , NetDefendOS,
.

, , , , IP-
/.
,
.

Dynamic Max Connections

Max Connections

, Dynamic Max Connections .



, NetDefendOS. 150
RAM. , NetDefendOS ,
.

: 8192

13.5.
, ..
, ,
. , , ,
. ,
0.

TCP SYN Idle Lifetime

( ) TCP-
.

: 60

TCP Idle Lifetime

( ) TCP- .
, SYN
.

: 262144

TCP FIN Idle Lifetime

( ) TCP- .
, FIN
.

: 80

UDP Idle Lifetime

( ) UDP- . ,
, UDP
.

: 130

UDP Bidirectional Keep-alive

UDP-.
, ( )
, . , ,
, UDP,
.

Ping Idle Lifetime

( ) Ping (ICMP ECHO) .

: 8

IGMP Idle Lifetime

( ) IGMP-.

: 12

Other Idle Lifetime

( ) , .

: 130

13.6.
, IP-
, TCP, UDP ICMP.

, , IP-, .
Ethernet, 1480 IP- . ,
20 IP- 14 Ethernet,
, Ethernet 1514 .

Max TCP Length

TCP-, . ,
IP-, , TCP,
, . ,
20-50 VPN-.

: 1480

Max UDP Length

UDP-, ( ). ,
, ,
, UDP- .
, , UDP-, 1480 .

: 60000

Max ICMP Length

ICMP- ( ). ICMP-
600 , Ping , .
1000 ,
Ping .

: 10000

Max GRE Length

GRE- ( ). GRE (Generic Routing Encapsulation)


, PPTP (Point to Point
Tunneling Protocol).
, VPN-,
, 50 .

: 2000

Max ESP Length

( ) ESP-. ESP (Encapsulation Security Payload)


IPsec .
, VPN-,
, 50 .

: 2000

Max AH Length
AH- ( ). AH (Authentication Header) IPsec
.
, VPN-,
, 50 .

: 2000

Max SKIP Length

SKIP- ( ).

: 2000

Max OSPF Length


OSPF- ( ). OSPF ,
LAN.

: 1480

Max IPIP/FWZ Length

IP-in-IP ( ). IP-in-IP VPN


Checkpoint Firewall-1 , IPsec .
,
VPN-, ,
50 .

: 2000

Max IPsec IPComp Length


IPComp- ( ).

: 2000

Max L2TP Length

, 2 (
).

: 2000

Max Other Length


( ), , .

: 1480

Log Oversized Packets

NetDefendOS ,
.

13.7.
IP- 65536 . , ,
, Ethernet, .
, , IP-
,
.

, IP- ,
, . NetDefendOS
.

Pseudo Reass Max Concurrent

.
, 0 PseudoReass_MaxConcurrent.

: 1024

Illegal Fragments
.
, ,
. . :

Drop , .
, ,
.

DropLog .
, ,
.

DropPacket
.
ReassIllegalLinger ( ).

DropLogPacket , DropPacket, .

DropLogAll , DropLogPacket, ,
, ReassIllegalLinger ( ).

:
:

,
, ,
, , , .

: DropLog ,
, .

Duplicated Fragment Data


, ,
, , .
, NetDefendOS .
2 - 512 ,
.
, . ,
CPU.

: Check8 8 , 32
.

Failed Fragment Reassembly

, ReassTimeout
ReassTimeLimit. ,
, .

NetDefendOS ,
, .
.

.
, .
, , , IllegalFrags Drop,
DropPacket.

FragReassemblyFail :

NoLog .

LogSuspect
.

LogSuspectSubseq , LogSuspect,
.

LogAll .

LogAllSubseq , LogAll,
.

: LogSuspectSubseq

Dropped Fragments

, ,
. DroppedFrags
NetDefendOS. :

NoLog ( ,
).

LogSuspect ,
.

LogAll .

: LogSuspect

Duplicate Fragments
, ,
- , ,
. DuplicateFrags
. , DuplicateFragData ,
, , . :

NoLog .

LogSuspect ,
.

LogAll .

: LogSuspect

Fragmented ICMP

ICMP ECHO (Ping), ICMP- ,


, .
FragmentedICMP , , NetDefendOS
ICMP-, ICMP ECHO,
ECHOREPLY.

: DropLog

Minimum Fragment Length

,
.


, .
. ,
1480 VPN-
MTU 1440 .
1440 40 .
, NetDefendOS
, 8 . ,
, 200 .

: 8

Reassembly Timeout

, ( )
.

: 65

Max Reassembly Time Limit

Reassembly Time Limit


.

: 90

Reassembly Done Limit

NetDefendOS
, , ,
.

: 20

Reassembly Illegal Limit

, , NetDefendOS
,
.

: 60

13.8.

Max Concurrent

: 256

Max Size

, .

: 1000

Large Buffers

( 2K) .

: 32

13.9.

UDP Source Port 0

UDP- 0.

: DropLog

Port 0

TCP/UDP- 0 TCP-
0.

: DropLog

Watchdog Time

Watchdog.

: 180

Flood Reboot Time

NetDefendOS ,
. .

: 3600

Max Connections

IP- IP- , TCP,


,

.

.
. 1,
100.

: 80

Max Memory

,
.
. 1, 100.

: 3

Max Pipe Users

.
20- , ,
,
. , ,
.
, . 10.1, Traffic Shaping.

: 512

.

(AV) , (IDP)
Web- D-Link,
, URL.
, ,
D-Link. :

D-Link.

,
.

> Web- NetDefend


. NetDefendOS ,
( , ).

:



web- D-Link.


web- > , ,
.

:
!
.


Web-
Maintenance > Update. .

Web- Update now,


.



IDP (AV)
.


IDP :


IDP :

AV :


,
IDP . IDP
:

, IDP
.

:


.
.
, , .
.

. IDP
IDP .
IDP D-Link.
IDS, IPS Policy. 6.5,
.

APP_AMANDA Amanda,
APP_ETHEREAL Ethereal
APP_ITUNES Apple iTunes
APP_REALPLAYER RealNetworks
APP_REALSERVER RealServer RealNetworks
APP_WINAMP WinAMP
APP_WMP MS Windows
AUTHENTICATION_GENERAL
AUTHENTICATION_KERBEROS Kerberos
AUTHENTICATION_XTACACS XTACACS
BACKUP_ARKEIA
BACKUP_BRIGHTSTOR ,
BACKUP_GENERAL
BACKUP_NETVAULT
BACKUP_VERITAS
-, , IRC-
BOT_GENERAL

BROWSER_FIREFOX Mozilla Firefox
BROWSER_GENERAL web-/
BROWSER_IE Microsoft IE
BROWSER_MOZILLA Mozilla
COMPONENT_ENCODER
COMPONENT_INFECTION
COMPONENT_SHELLCODE -
DB_GENERAL
DB_MSSQL MS SQL
DB_MYSQL MySQL DBMS
DB_ORACLE Oracle DBMS
DB_SYBASE Sybase
DCOM_GENERAL MS DCOM
DHCP_CLIENT DHCP-
DHCP_GENERAL DHCP-
DHCP_SERVER DHCP-
DNS_EXPLOIT DNS-
DNS_GENERAL
DNS_OVERFLOW DNS
DNS_QUERY ,
ECHO_GENERAL Echo
ECHO_OVERFLOW Echo
FINGER_BACKDOOR Finger backdoor
FINGER_GENERAL Finger
FINGER_OVERFLOW Finger
FS_AFS AFS (Andrew File System)
FTP_DIRNAME Directory name attack
FTP_FORMATSTRING Format string attack
FTP_GENERAL FTP-
FTP_LOGIN
FTP_OVERFLOW FTP
GAME_BOMBERCLONE Bomberclone
GAME_GENERAL Generic game servers/clients
GAME_UNREAL UnReal
HTTP_APACHE Apache httpd
HTTP_BADBLUE Web- Badblue
HTTP_CGI HTTP CGI
HTTP_CISCO Web Cisco
HTTP_GENERAL HTTP
HTTP_MICROSOFTIIS HTTP , Web MS IIS
HTTP_OVERFLOWS HTTP-
HTTP_TOMCAT Tomcat JSP
ICMP_GENERAL ICMP-
IGMP_GENERAL IGMP
IMAP_GENERAL IMAP-
IM_AOL AOL IM
IM_GENERAL
IM_MSN MSN Messenger
IM_YAHOO Yahoo Messenger
IP_GENERAL IP-
IP_OVERFLOW IP
IRC_GENERAL Internet Relay Chat
LDAP_GENERAL LDAP /
LDAP_OPENLDAP LDAP
LICENSE_CA-LICENSE CA
LICENSE_GENERAL
MALWARE_GENERAL
METASPLOIT_FRAME c metasploit frame
METASPLOIT_GENERAL Metasploit general attack
MISC_GENERAL
MSDTC_GENERAL MS DTC
MSHELP_GENERAL Microsoft Windows
NETWARE_GENERAL NetWare
NFS_FORMAT
NFS_GENERAL NFS-
NNTP_GENERAL NNTP-
OS_SPECIFIC-AIX AIX specific
OS_SPECIFIC-GENERAL OS general
OS_SPECIFIC-HPUX HP-UX related
OS_SPECIFIC-LINUX Linux specific
OS_SPECIFIC-SCO SCO specific
OS_SPECIFIC-SOLARIS Solaris specific
OS_SPECIFIC-WINDOWS Windows specific
P2P_EMULE eMule P2P
P2P_GENERAL P2P
P2P_GNUTELLA Gnutella P2P
PACKINGTOOLS_GENERAL General packing tools
PBX_GENERAL PBX
POP3_DOS Denial of Service POP
POP3_GENERAL Post Office Protocol v3
POP3_LOGIN-ATTACKS
POP3_OVERFLOW POP3
POP3_REQUEST-ERRORS
PORTMAPPER_GENERAL PortMapper
PRINT_GENERAL LP printing server: LPR LPD
IP
PRINT_OVERFLOW
LPR/LPD
REMOTEACCESS_GOTOMYPC
REMOTEACCESS_PCANYWHERE PcAnywhere
REMOTEACCESS_RADMIN
REMOTEACCESS_VNC-CLIENT VNC-
REMOTEACCESS_VNC-SERVER VNC-
REMOTEACCESS_WIN-TERMINAL Windows terminal/
RLOGIN_GENERAL RLogin
RLOGIN_LOGIN-ATTACK
ROUTER_CISCO Cisco
ROUTER_GENERAL
ROUTING_BGP BGP
RPC_GENERAL RPC-
RPC_JAVA-RMI Java RMI
RSYNC_GENERAL Rsync
SCANNER_GENERAL
SCANNER_NESSUS Nessus
SECURITY_GENERAL
SECURITY_ISS
SECURITY_MCAFEE McAfee
SECURITY_NAV Symantec AV
SMB_ERROR SMB
SMB_EXPLOIT SMB Exploit
SMB_GENERAL SMB
SMB_NETBIOS NetBIOS
SMB_WORMS SMB
SMTP_COMMAND-ATTACK SMTP command attack
SMTP_DOS Denial of Service SMTP
SMTP_GENERAL SMTP-
SMTP_OVERFLOW SMTP
SMTP_SPAM
SNMP_ENCODING SNMP
SNMP_GENERAL SNMP-
SOCKS_GENERAL SOCKS-
SSH_GENERAL SSH-
SSH_LOGIN-ATTACK
SSH_OPENSSH OpenSSH
SSL_GENERAL SSL-
TCP_GENERAL TCP-
TCP_PPTP Point-to-Point Tunneling Protocol
TELNET_GENERAL Telnet
TELNET_OVERFLOW Telnet buffer overflow attack
TFTP_DIR_NAME Directory Name attack
TFTP_GENERAL TFTP-
TFTP_OPERATION ,
TFTP_OVERFLOW TFTP
TFTP_REPLY TFTP Reply attack
TFTP_REQUEST TFTP request attack
TROJAN_GENERAL
UDP_GENERAL UDP
UDP_POPUP MS Windows
UPNP_GENERAL UPNP
VERSION_CVS CVS

VERSION_SVN

VIRUS_GENERAL
VOIP_GENERAL VoIP-
VOIP_SIP SIP-
WEB_CF-FILE-INCLUSION Coldfusion
WEB_FILE-INCLUSION
WEB_GENERAL Web application attacks
WEB_JSP-FILE-INCLUSION JSP
WEB_PACKAGES Web-
WEB_PHP-XML-RPC PHP XML RPC
WEB_SQL-INJECTION SQL-
WEB_XSS Cross-Site-Scripting
WINS_GENERAL MS WINS
WORM_GENERAL
X_GENERAL Generic X applications

. MIME,

NetDefendOS (ALG)
, ,
. ALG:

HTTP ALG

FTP ALG

POP3 ALG

SMTP ALG

ALG, ,
, .

6.2.2, HTTP ALG.


3ds 3d Studio
3gp 3GPP
aac MPEG-2 Advanced Audio Coding
ab Applix Builder
ace ACE
ad3 3-bit
ag Applix Graphic
aiff, aif Audio Interchange
am Applix SHELF Macro
arc
alz ALZip
avi Audio Video Interleave
arj
ark QuArk
arq
as Applix
asf Advanced Streaming Format
avr Audio Visual Research
aw Applix Word
bh Blackhole
bmp Windows OS/2
box
bsa BSARC
bz, bz2 Bzip UNIX
cab Cabinet (Microsoft )
cdr Corel
cgm
chz ChArc
class Java byte code
cmf Creative
core/coredump Unix core dump
cpl
dbm
dcx
deb Debian Linux
djvu DjVu
dll
dpa DPA
dvi dvi
eet EET
egg Allegro datafile
elc eMacs Lisp
emd ABT EMD
eps Encapsulated PostScript
exe Windows
fgf Free Graphics Format
flac Free Lossless Audio Codec
flc FLIC
fli FLIC
flv Macromedia Flash Video
gdbm
gif GIF
gzip, gz, tgz gzip
hap HAP
hpk HPack
hqx Macintosh BinHex 4
icc ICC, Kodak Color Management System
icm
ico
imf Imago Orpheus module
Inf
it Impulse Tracker
java Java
jar Java JAR
jng JNG
jpg, jpeg, jpe, jff, jfif, jif JPEG
jrc Jrchive
jsw Just System Word Processor Ichitaro
kdelnk KDE link
lha LHA
lim LIM
lisp LISP
lzh LZH
md MDCD
mdb Microsoft Access
mid,midi Musical Instrument Digital Interface (MIDI)
mmf Yamaha SMAF Synthetic Music Mobile Application
mng Multi-image Network Graphic
mod Ultratracker
mp3 MP3 MPEG Layer III
mp4 MPEG-4
mpg,mpeg MPEG 1 System Stream
mpv MPEG-1
Microsoft files Microsoft
msa Atari MSA
niff, nif Navy Interchange
noa Nancy Video CODEC
nsf NES
obj, o Windows, linux
ocx
ogg Ogg Vorbis
out Linux
pac CrossePAC
pbf
pbm
pdf Adobe Acrobat
pe Portable Executable
pfb ()
pgm
pkg SysV R4 PKG Datastreams
pll PAKLeo
pma PMarc
png Portable (Public) Network Graphic
ppm PBM
ps PostScript
psa PSA
psd Photoshop
qt, mov, moov Quicktime
qxd Quark Xpress
ra, ram RealMedia
rar RAR
rbs () Rebirth
riff, rif Fractal Painter
sar SAR
sbi Sound Blaster
sc sc
sgi Silicon Graphics IRIS
sid Commodore 64 (C64) SID
sit Stuffit
sky SKY
snd, au AU (Sun/NeXT)
so UNIX
sof ReSOF
sqw SQWEZ
sqz Squeeze It
stm Scream Tracker 2
svg Scalable Vector Graphics
svr4 SysV R4 PKG Datastreams
swf Macromedia Flash
tar tar
tfm TeX font metric
tiff, tif Tagged Image
tnef Transport Neutral Encapsulation
torrent BitTorrent Metainfo
ttf TrueType Font
txw Yamaha TX Wave
ufa UFA
vcf Vcard
viv VivoActive Player Streaming Video
wav WAV
wk Lotus 1-2-3
wmv Windows Media
wrl, vrml Plain Text VRML
xcf GIMP
xm Fasttracker 2
xml XML
xmcd xmcd kscd
xpm BMC Software Patrol UNIX Icon
yc YAC
zif ZIF
zip ZIP
zoo zoo
zpk ZPack
z compress

. OSI

OSI (Open Systems Interconnection) . OSI


. OSI
.

:
, ,
.
, ,
.
NetDefendOS, ARP, ALG.



7 OSI

7 -
. : HTTP, FTP, TFTP. DNS,
SMTP, Telnet, SNMP .. ALG.

6
.

5 , .
: NetBIOS, RPC ..

4 .
: TCP, UDP ..

3 . : IP, OSPF, ICMP,


IGMP ..

2

/ . : Ethernet, PPP
.. ARP.

1 .
