
D-Link Security

2006 DFL-210/800/1600/2500 Technical Training


Copyright 2006. By D-Link HQ

Copyright 2006. All rights reserved

Agenda
- Appliance Overview
- Firewall Concept
- Basic Configuration
- Scenario & Hands-on
- Troubleshooting


Appliance Overview
Firewall models
DFL-800 rear panel ports (figure): Console, WAN1, LAN, WAN2, DMZ

Appliance Overview
Firewall models
DFL-1600 rear panel ports (figure): Console, LAN3, LAN2, WAN1, LAN1, WAN2, DMZ

Appliance Overview
Firewall models
DFL-2500 rear panel ports (figure): Console, LAN3, LAN2, LAN1, WAN1, WAN2, WAN3, WAN4, DMZ

Appliance Overview
Characteristics of the firewalls (DFL-800, DFL-1600, DFL-2500)
- High port density, and Gigabit interfaces for the DFL-1600/2500
- Brand new user-friendly GUI, with no GUI confusion issue
- Neater and more professional look and identity for the firewall product line
- ZoneDefense mechanism with D-Link switches prevents threats from spreading
- Advanced firewall features, including Transparent Mode to ease implementation

Appliance Overview
Front panel (figure)
- LED: Power, System
- Console: serial console port, concealed look
- LED panel (LCD display): system information, traffic monitor, alert monitor, configuration display
- Ethernet: auto-sensing copper ports (LAN, WAN and DMZ ports)
- Keypad: Right, Left, Upper and Confirm buttons

Appliance Overview
LED panel: Setup Mode
- Press a keypad button within 5 seconds after the firewall is switched on to enter Setup Mode
- In Setup Mode, use the Left or Right button to select:
  1. Start Firewall: start the firewall system
  2. Reset Firewall: reset the firewall to factory default
- After resetting the firewall, choose Start Firewall
- 5 seconds after the firewall is switched on (with no key pressed), it enters Status Mode automatically

Appliance Overview
LED panel: Status Mode
- Model name: displays the device model name
- System Status: displays the system working status
- CPU Load and Connections: shows CPU utilization and concurrent sessions
- Total BPS and PPS: current traffic statistics in bits and packets per second
- Date and Time: displays the device's current date and time
- Uptime: time since the device booted
- Mem: system memory utilization
- IDS Sigs: displays IDS signature information
- WAN DMZ LAN: displays each interface's IP address
- Core Version: displays the firewall firmware version
10


Firewall Concept
Questions
- What is a firewall?
- Which firewall is the safest?

A firewall does not protect against application errors.

12

Firewall Concept
IP Start Communication: TCP three-way handshake between a client and a web server
(1.) Client -> Server: port 1024 -> 80, SYN
(2.) Server -> Client: port 80 -> 1024, SYN.ACK
(3.) Client -> Server: port 1024 -> 80, ACK
Connection established

SYN FLOOD
1. The attacking client sends a packet with the SYN flag to the web server, using a fake (spoofed) source IP address.
2. The server responds with a SYN.ACK and then waits for the client to respond with an ACK packet, which the spoofed address never sends.
3. The attacking client repeats step 1 until it is satisfied that the damage is done.
13
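Added example (not from the training deck): the handshake and SYN-flood steps above replayed over a constructed packet trace, with the per-connection state a stateful firewall keeps. Server and client addresses are constructed; half-open connections are counted per server rather than per source, because the flood's source addresses are spoofed and no single one stands out.

```python
"""Half-open TCP connection tracking over a constructed packet trace.
Added example, not from the D-Link training deck: replays the three-way
handshake and shows a SYN flood from spoofed sources as a pile-up of
SYN_RCVD (half-open) connections at the server.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Connection key: (client_ip, client_port, server_ip, server_port)
ConnKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN.ACK" or "ACK", as in the handshake above


def track_handshakes(trace: List[Packet]) -> Dict[ConnKey, str]:
    """Return each connection's handshake state after replaying the trace.
    SYN_SENT: step 1 seen; SYN_RCVD: step 2 seen (half-open);
    ESTABLISHED: step 3 seen."""
    state: Dict[ConnKey, str] = {}
    for p in trace:
        if p.flags == "SYN":
            state[(p.src, p.sport, p.dst, p.dport)] = "SYN_SENT"
        elif p.flags == "SYN.ACK":
            # Sent by the server, so client/server roles are reversed.
            key = (p.dst, p.dport, p.src, p.sport)
            if state.get(key) == "SYN_SENT":
                state[key] = "SYN_RCVD"
        elif p.flags == "ACK":
            key = (p.src, p.sport, p.dst, p.dport)
            if state.get(key) == "SYN_RCVD":
                state[key] = "ESTABLISHED"
    return state


def half_open_per_server(state: Dict[ConnKey, str]) -> Dict[Tuple[str, int], int]:
    """Count half-open connections per (server_ip, server_port)."""
    counts: Dict[Tuple[str, int], int] = {}
    for (_, _, server, port), st in state.items():
        if st == "SYN_RCVD":
            counts[(server, port)] = counts.get((server, port), 0) + 1
    return counts


def flooded_servers(trace: List[Packet], threshold: int) -> List[Tuple[str, int]]:
    """Servers whose half-open connection count reaches the threshold."""
    counts = half_open_per_server(track_handshakes(trace))
    return sorted(s for s, n in counts.items() if n >= threshold)


SERVER = ("203.0.113.10", 80)  # constructed web server address


def build_trace() -> List[Packet]:
    """Constructed trace: one legitimate client completes the handshake,
    then 20 SYNs arrive from spoofed source addresses (SYN-flood step 1);
    the server answers each with SYN.ACK (step 2) and the ACK never comes,
    because the spoofed hosts never sent the SYN."""
    srv, port = SERVER
    trace = [
        Packet("192.0.2.5", 1024, srv, port, "SYN"),
        Packet(srv, port, "192.0.2.5", 1024, "SYN.ACK"),
        Packet("192.0.2.5", 1024, srv, port, "ACK"),
    ]
    for i in range(1, 21):
        fake = f"198.51.100.{i}"
        trace.append(Packet(fake, 1024, srv, port, "SYN"))
        trace.append(Packet(srv, port, fake, 1024, "SYN.ACK"))
    return trace


if __name__ == "__main__":
    st = track_handshakes(build_trace())
    print(half_open_per_server(st))            # {('203.0.113.10', 80): 20}
    print(flooded_servers(build_trace(), 10))  # [('203.0.113.10', 80)]
```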

Firewall Concept
IP Start Communication: more TCP flag bits
- SYN, Synchronize = new connection
- ACK, Acknowledge = acknowledge that data has been received
- PSH, Push = push the received data to the application layer now
- URG, Urgent = urgent data, process it first
- FIN, Finish = end the communication with a handshake
- RST, Reset = "do not communicate with me!"

14

Firewall Concept
Firewall deployments in a network
Static Route
- Static routes are needed for the firewall to communicate with networks that are not locally attached to the same subnet
NAT
- Internal addresses are private addresses from RFC 1918
- All private addresses are translated to a valid public IP address before accessing the Internet
Transparent
- No changes required on any end station, router or server
- Routing protocols can be configured to pass through the firewall in Transparent mode
- The firewall offers full firewall and VPN capabilities
15

Firewall Concept
Firewall deployments in a network: Static Route (example topology)
- Firewall interfaces: LAN 2.2.10.1, DMZ 2.2.100.1, WAN 2.2.2.10; Internet router 2.2.2.254
- LAN hosts: Intranet Web 2.2.10.5, Corp Mail 2.2.10.6, Intranet DNS 2.2.10.7, AdminPC 1 2.2.10.13, AdminPC 2 2.2.10.18, AdminPC 3 2.2.10.33
- DMZ hosts: Corporate Web 2.2.100.2, Mail Relay 2.2.100.3, DMZ DNS 2.2.100.4
- Department networks: Sales 2.2.20.0, Support 2.2.30.0, Marketing 2.2.40.0

16

Firewall Concept
Firewall deployments in a network: NAT (example topology)
- Firewall interfaces: LAN 10.1.10.1, DMZ 2.2.100.1, WAN 2.2.2.10; Internet router 2.2.2.254
- LAN hosts: Intranet Web 10.1.10.5, Corp Mail 10.1.10.6, Intranet DNS 10.1.10.7, AdminPC 1 10.1.10.13, AdminPC 2 10.1.10.18, AdminPC 3 10.1.10.33
- DMZ hosts: Corporate Web 2.2.100.2, Mail Relay 2.2.100.3, DMZ DNS 2.2.100.4
- Department networks: Sales 10.1.20.0, Support 10.1.30.0, Marketing 10.1.40.0

17

Firewall Concept
Firewall deployments in a network: Transparent (example topology)
- Firewall interfaces: LAN, WAN and DMZ all 2.2.2.253; Internet router 2.2.2.254
- LAN hosts: Intranet Web 2.2.2.5, Corp Mail 2.2.2.6, Intranet DNS 2.2.2.7, AdminPC 1 2.2.2.13, AdminPC 2 2.2.2.18, AdminPC 3 2.2.2.33
- DMZ hosts: Corporate Web 2.2.2.2, Mail Relay 2.2.2.3, DMZ DNS 2.2.2.4
- Department networks: Sales 2.2.20.0, Support 2.2.30.0, Marketing 2.2.40.0

18

Firewall Concept
Firewall Generations
- First generation: Packet filtering
- Second generation: Proxy
- Third generation: Stateful Inspection
- Fourth generation: IDS/IDP
19

Firewall Concept
1. Packet Filtering
- Works at the IP & TCP level
Disadvantages:
- Does not re-create fragmented packets
- Does not understand the relationship between packets
Advantages:
- High speed of packet processing
OSI Model: 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical

20

Firewall Concept
2. Proxy
- Receives packets, reads them and re-creates the packets
- No physical connection between the client and the server
Disadvantages:
- Slow
- The proxy must understand the application protocol
- Mostly based on complex operating systems
Advantages:
- Attacks on the TCP/IP level never penetrate into the protected network
- Able to analyze application data
- Able to strip things like ActiveX and Java
OSI Model: 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical

21

Firewall Concept
3. Stateful Inspection
- Re-creates fragmented packets
- Understands the relationship between packets
Advantages:
- Does not need to understand the application data to work
- Great flexibility
- Better performance than a proxy
Disadvantages:
- Harder to analyze the application data (but still possible)
OSI Model: 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical

22

Firewall Concept
4. IDS/IDP
OSI Model: 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical

23

Firewall Concept
Packet flow (figure: LAN host IP 192.168.1.100, firewall WAN IP 203.126.142.96, Internet)
1. Packet inspection
2. Priority processes
3. Allow? Drop? NAT? Reject?

24

Firewall Concept
Packet flow
When traffic enters the firewall it is first inspected by VLAN processing (if VLAN is used). The IDS rule is the primary filter, configured to allow or disallow certain types of network traffic through the firewall. The traffic is then inspected by the IP rules and the routing rules, and after that by ZoneDefense and Traffic Shaping.

25

Firewall Concept
Packet flow (flowchart, recovered as a list)
- Inbound packet: VLAN packet? Yes -> de-capsulate
- Basic sanity checks, including verification of the IP header: failed -> Drop
- Check IDS signatures: match -> Drop (ZD)
- Fragment? Yes -> process fragment; failed -> Drop
- Verify TCP/UDP header
- Found matching connection? true -> Traffic Shaping -> Forward packet
- Found matching connection? false -> Apply Rules (Allow/NAT/SAT): Allow -> Open Connection -> Traffic Shaping; FwdFast/SAT -> SAT_ApplyRulePack -> Traffic Shaping; no match -> Drop (ZD)
- DestIP = FW? No -> Route IP -> Forward packet

26


Basic Configuration
Default Interface Attribute Definition (DFL-800)
- Management URL: http://192.168.1.1
- The LAN interface can be managed and pinged
- DHCP is disabled on the firewall by default
28

Basic Configuration
Default Interface Attribute Definition (DFL-1600)
- Management URL: http://192.168.1.1
- The LAN1 interface can be managed and pinged
- DHCP is disabled on the firewall by default
29

Basic Configuration
Default Interface Attribute Definition (DFL-2500)
- Management URL: http://192.168.1.1
- The LAN1 interface can be managed and pinged
- DHCP is disabled on the firewall by default
30

Basic Configuration
Design concept of the UI
- If a rule or object is created without clicking the OK button, the user must click Cancel; otherwise the rule or object stays in the list, named "untitled".
- Traffic is matched against the rules from the top down, in the order the rules were created.
- Right-clicking a rule or object and selecting Delete shows a strike-through line on that rule or object.
- The Save and Activate button is not available while an untitled rule or object has not been deleted.
- After clicking Save and Activate, you must reconnect within 30 seconds (default setting) for the configuration changes to be finalized. If this fails, the unit reverts to its previous configuration. The reconnection time is adjustable.

31

Basic Configuration
- Configure a static IP address on your laptop or PC
- The user is authenticated before logging in to the firewall
- Default login: admin, password: admin
- The user is presented with: Menu Bar, Tree View List, Main Window

32

Basic Configuration
Web UI layout (screenshot): Tree View List, Menu Bar, Main Window

33

Basic Configuration
Web UI sections (screenshots): System, Object, Rules, Interfaces, Routing, IDS/IDP, User Authentication, Traffic Shaping, ZoneDefense

42

Basic Configuration
Three Steps to Configure
1. Create and verify the objects
2. Create the rules (IP rules, IDS rules, user authentication rules and Pipe rules)
3. Create and verify the routing rules

43

Basic Configuration
First Step to Configure: 1. Create and verify the object
The most important element in firewall configuration is the OBJECT. Objects are the basic network elements defined in the firewall: a list of symbolic names associated with various types of addresses, including IP addresses of hosts and networks.
Object items are used heavily throughout a firewall configuration: in routing tables, the rule-set, interface definitions and VPN tunnels, among others.
44

Basic Configuration
Objects: Address Book
Hosts & Networks configuration items are symbolic names for IP networks.

45

Basic Configuration
Objects: ALG
- ALGs (Application Layer Gateways) are designed to manage specific protocols
- They examine the payload data and carry out appropriate actions based on defined rules
- The appropriate Application Layer Gateway definition is selected in a Service configuration item. Network traffic that matches the service definition is thus managed by the selected Application Layer Gateway.

46

Basic Configuration
Objects: Services
A Service is a definition of a specific IP protocol with corresponding parameters. The service http, for instance, is defined as using the TCP protocol with destination port 80.

47

Basic Configuration
Objects: Schedules
A Schedule allows the firewall rules it is attached to to be used only at the designated times. Activity outside the scheduled time slot does not match those rules and will therefore normally not be permitted to pass through the firewall.

48

Basic Configuration
Objects: Certificate
A certificate is a digital proof of identity. It links an identity to a public key in a trustworthy manner. Certificates can be used to authenticate individual users or other entities. These types of certificates are commonly called end-entity certificates.

49

Basic Configuration
Second Step to Configure: 2. Create the rule
The Rules configuration section represents the rule-set, the "heart" of the firewall. The rule-set is the primary filter, configured to allow or disallow certain types of network traffic through the firewall. The rule-set also regulates how address translation and bandwidth management (traffic shaping) are applied to traffic flowing through the firewall.

50

Basic Configuration
IP Rules: Drop
Packets matching Drop rules are immediately dropped. Such packets are logged if logging has been enabled in the Log Settings page.

51

Basic Configuration
IP Rules: Drop (screenshots: the Drop rule and the resulting dropping log)

52

Basic Configuration
IP Rules: Reject
Reject works basically the same way as Drop. In addition, the firewall sends an ICMP UNREACHABLE message back to the sender or, if the rejected packet is a TCP packet, a TCP RST message.

53

Basic Configuration
IP Rules: Reject (screenshots: the Reject rule, the ICMP Unreachable / TCP RST reply, and the resulting rejecting log)

54

Basic Configuration
IP Rules: FwdFast
Packets matching FwdFast rules are allowed through immediately. The firewall does not memorize the open connections and does not statefully inspect traffic that has passed through it. For one single packet this is indeed faster than first having to open a state-tracked connection and then passing the packet to it. But when several packets pass over the same connection, state tracking (Allow) is faster.

55

Basic Configuration
IP Rules: FwdFast (figure: packets matching FwdFast rules pass between the LAN and the Internet)
- No stateful traffic inspection (does not remember open connections)
- Note: Allow is usually faster than FwdFast
- Remember that there needs to be a FwdFast rule in each direction

56

Basic Configuration
IP Rules: Allow
Packets matching Allow rules are passed to the stateful inspection engine, which memorizes that a connection has been opened. Rules for return traffic are not required, as traffic belonging to open connections is automatically dealt with before it reaches the rule-set.

57

Basic Configuration
IP Rules: Allow (figure: packets matching Allow rules pass between the LAN and the Internet with logging and stateful inspection)

58

Basic Configuration
IP Rules: SAT
Nothing happens when a packet first matches a SAT rule. The firewall memorizes where to send the traffic and continues to look for a matching rule that allows the packet to pass; the static address translation is performed at that stage.

59

Basic Configuration
IP Rules: SAT (example)
An Internet client at 220.255.14.123 wants a file from the FTP server in the DMZ (172.16.1.100); the firewall WAN IP is 203.126.142.100.
- The public_ip must first be bound to the WAN interface of the firewall
- redirect_address is used to redirect the incoming connection from public_ip to private_ip

60

Basic Configuration
IP Rules: NAT
NAT rules perform dynamic address translation and hide the sender address, mostly so that all machines on a protected network appear to the outside world as if they use a single IP address.

61
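Added example, not D-Link's code: a small rule-set walker that applies the top-down, first-match evaluation from the UI design slide and the six IP rule actions described above (Drop, Reject, Allow, FwdFast, SAT, NAT), including the SAT behaviour of remembering the translation and continuing until an Allow rule lets the packet pass. The addresses come from the SAT and NAT figures; the Rule/Packet field names, the connection key and the 198.51.100.7 destination are assumptions.

```python
"""Top-down IP rule matching with the Drop, Reject, Allow, FwdFast, SAT
and NAT actions. Added example (not D-Link's code); models the behaviour
described in the training slides, not the appliance's implementation.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_if: str
    src_ip: str
    dst_ip: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # Drop | Reject | Allow | FwdFast | SAT | NAT
    src_if: str            # interface name or "any"
    src_net: str           # CIDR network or "any"
    dst_ip: str            # address or "any"
    proto: str             # protocol or "any"
    dport: Optional[int]   # None = any port
    sat_to: Optional[str] = None   # new destination for SAT rules
    nat_ip: Optional[str] = None   # hide-behind address for NAT rules


def _in_net(ip: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src_if in ("any", pkt.src_if)
            and _in_net(pkt.src_ip, rule.src_net)
            and rule.dst_ip in ("any", pkt.dst_ip)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


@dataclass
class Firewall:
    rules: List[Rule]
    connections: Set[Tuple[str, str, str, int]] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def process(self, pkt: Packet) -> str:
        # Packets of an already open connection never reach the rule-set.
        key = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dport)
        if key in self.connections:
            return "FORWARD (existing connection)"
        pending_sat = None
        for rule in self.rules:           # top down, first match wins
            if not matches(rule, pkt):
                continue
            if rule.action == "Drop":
                self.log.append(f"DROP {pkt.src_ip}->{pkt.dst_ip}:{pkt.dport}")
                return "DROP"
            if rule.action == "Reject":
                reply = "TCP RST" if pkt.proto == "tcp" else "ICMP UNREACHABLE"
                return f"REJECT ({reply} to sender)"
            if rule.action == "SAT":
                # Nothing happens yet: remember the translation, keep looking.
                pending_sat = rule.sat_to
                continue
            dst = pending_sat or pkt.dst_ip  # translation applied here
            if rule.action == "FwdFast":
                return f"FORWARD to {dst} (stateless, no connection opened)"
            # Allow and NAT both open a state-tracked connection.
            self.connections.add(key)
            out = f"FORWARD to {dst} (connection opened"
            if rule.action == "NAT":
                out += f", source hidden behind {rule.nat_ip}"
            return out + ")"
        return "DROP (no matching rule)"


def build_demo_firewall() -> Firewall:
    """Rule-set built from the slides' SAT and NAT figures (the Reject and
    final Drop rules are constructed)."""
    return Firewall(rules=[
        Rule("SAT", "wan", "any", "203.126.142.100", "tcp", 21, sat_to="172.16.1.100"),
        Rule("Allow", "wan", "any", "203.126.142.100", "tcp", 21),
        Rule("NAT", "lan", "192.168.1.0/24", "any", "any", None, nat_ip="203.126.142.96"),
        Rule("Reject", "wan", "any", "any", "tcp", None),
        Rule("Drop", "any", "any", "any", "any", None),
    ])


if __name__ == "__main__":
    fw = build_demo_firewall()
    print(fw.process(Packet("wan", "220.255.14.123", "203.126.142.100", "tcp", 21)))
    print(fw.process(Packet("lan", "192.168.1.100", "198.51.100.7", "tcp", 80)))
    print(fw.process(Packet("wan", "220.255.14.123", "203.126.142.100", "udp", 53)))
```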

Basic Configuration
IP Rules: NAT (figure: Network Address Translation between the LAN host 192.168.1.100 and the Internet via the firewall WAN IP 203.126.142.96)

62

Basic Configuration
Third Step to Configure: 3. Create and verify the routing rule
Main Route: The Routes configuration section describes the firewall's routing table. The firewall uses a slightly different way of describing routes compared to most other systems.
Policy-Based Route: The rules in the PBR rule-set can specify which routing table is used in the forward as well as the return direction (select routing priority).

63

Basic Configuration
Main Routing Table
Routing tells the firewall in which direction it should send packets destined for a given IP address.

64

Basic Configuration
Policy Based Routing
- Connect to two or more ISPs and accept inbound connections from all of them. Return traffic is routed back through the ISP that delivered the incoming request.
- Route certain protocols through transparent proxies such as web caches and anti-virus scanners, without adding another point of failure for the network as a whole.
- Create provider-independent metropolitan area networks, i.e. ones where all users share a common active backbone but are able to use different ISPs, subscribe to different streaming media providers, etc.

65

Basic Configuration
Policy Based Routing (figure labels: Internet, WAN1, WAN2, DMZ, Intranet 192.168.1.0/24, Extranet 192.168.174.0/24)

66


Scenario & Hands-on
1. Basic Configuration (WAN/LAN/DMZ, Transparent mode)
2. Configure Load Sharing and Route Failover (using 2 WANs)
3. Configure ZoneDefense
4. Port mapping for servers (SAT and server load balancing)
5. Runtime Authentication configuration
6. Traffic shaping
7. Configure VPN tunnels (PPTP, L2TP and IPsec)

68

Scenario & Hands-on
Topology covering all scenarios (figure)
- DFL-800: WAN1 IP 192.168.174.71/24, WAN1 (DHCP), WAN2 (Static IP), FTP Server 172.16.1.1 on the DMZ, Internal LAN IP 192.168.10.0/24, Remote LAN
- DFL-1600: Internal LAN1 IP 192.168.1.0/24, Internal LAN2 IP 192.168.2.0/24, Internal LAN3 IP 192.168.3.0/24
Hands on:
1. Basic Configuration
2. Load Sharing and Route Failover
3. ZoneDefense
4. Port mapping for server
5. User Authentication
6. Traffic Shaping
7. VPN tunnel

69

Scenario & Hands-on
Network topology for hands-on (figure): all WAN1 ports connect to the main switch, which connects to the Internet; groups G1, G2, G3 and G4

70

Scenario & Hands-on
Network topology for every group (figure): four persons in one group; each LAN1 port connects to the group switch, which connects to the main switch

71

Scenario & Hands-on 1
Basic Configuration (configure the WAN type, modify the IP address of the LAN and enable transparent mode)
Topology: WAN1 via PPPoE, DHCP or Static IP 192.168.174.70/24; Internal LAN1 IP 192.168.3.1/24; Internal LAN2 IP 192.168.5.1/24; Internal LAN3 IP 192.168.7.1/24; Internal DMZ IP 172.17.100.1/24
Objective:
- How to modify the IP address for LAN and DMZ in Object
- How to use DHCP, Static IP and PPPoE to access the Internet
- How to enable transparent mode

72

Scenario & Hands-on 1-1
Basic Configuration: Modify IP address for LAN and DMZ
Network topology: Internal LAN1 IP 192.168.3.1/24, Internal LAN2 IP 192.168.5.1/24, Internal LAN3 IP 192.168.7.1/24, Internal DMZ IP 172.17.100.1/24
Notes:
- The DFL-800 only has LAN and DMZ; the DFL-1600/2500 have LAN1, LAN2, LAN3 and DMZ
- Pay attention to the default manageable status
- Confirm the connecting port (DFL-800, DFL-1600, DFL-2500)
- Bind a secondary IP address to match the new network IP segment
- After configuration, use the new LAN IP address as the default gateway on the laptop

73

Scenario & Hands-on 1-1
Basic Configuration: Modify IP address for LAN and DMZ
Objectives
- Access the LAN1 IP address successfully (ping) or manage the Web UI by the new IP address
The Logic of the Configuration
- Bind a secondary IP address to match the new network IP segment
- After configuration, use the new LAN IP address as the default gateway on your laptop
- Modify the IP address and network objects in the Address Book of Object

74

Scenario & Hands-on
Bind two IP addresses on one NIC (screenshots, steps 2-3)

75

Scenario & Hands-on
Bind two IP addresses on one NIC (screenshots, steps 4 and 6)

76

Scenario & Hands-on 1-1
Basic Configuration: Modify IP address for LAN and DMZ
Use a web browser such as Internet Explorer 6 or Firefox 1.0 to connect to the Web UI
77

Scenario & Hands-on 1-1
Basic Configuration: Modify IP address for LAN and DMZ
Change the IP address in the Address Book of Object (screenshot callouts 1-3):
- Click Interface Addresses in Object
- Key in the correct IP address and network
78

Scenario & Hands-on 1-1
Basic Configuration: Modify IP address for LAN and DMZ
Change the IP address in the Address Book of Object or in Ethernet under Interface (screenshot callouts 1-3):
- Key in the correct IP address and network

79

Scenario & Hands-on 1-1
Basic Configuration: Modify IP address for LAN and DMZ
After all configuration is done (screenshot callouts 1-3):
- Click Configuration in the main bar
- Click Save and Activate
80

Scenario & Hands-on 1-1
Basic Configuration: Modify IP address for LAN and DMZ
Testing result: ping the LAN IP address (screenshot)

81

Scenario & Hands-on 1-1
How to modify the Web UI reconnection time
After you click Save and Activate you can adjust the reconnection time: click "Click here to edit the configuration verification timeout".
82

Scenario & Hands-on 1-1
Basic Configuration: Modify IP address for LAN and DMZ
Use the new LAN IP address as the default gateway on the laptop (screenshots, steps 2-8)
85

Scenario & Hands-on 1-1: Exercise 1-1, Modify IP address for LAN and DMZ
Objective:
1. Change the IP address of LAN1
2. Ping the new IP address of LAN1 and access the Web UI by the new IP successfully
Topology labels: Internal LAN3, Internal LAN1, Internal LAN2, Internal DMZ
LAN1 IP: Group A (1): 192.168.10.1/24, Group B (2): 192.168.20.1/24, ..., Group I (9): 192.168.90.1/24, Group J (10): 192.168.100.1/24

86

Scenario & Hands-on 1-2
Basic Configuration: Transparent mode
Network topology labels: WAN1 IP 192.168.174.70/24, 192.168.174.72/24; Internal LAN1 IP 192.168.174.70/24, 192.168.174.71/24
Note:
- Configure the default gateway
- Configure DHCP relay if the firewall is in a DHCP environment

87

Scenario & Hands-on 1-2
Basic Configuration: Transparent mode
Objectives
- Implement the firewall in transparent mode without changing the existing network settings
- Allow or deny specific services and traffic (allow WAN1 to LAN1 for the ICMP service, allow LAN1 to WAN1 for all services)
The Logic of the Configuration
- Enable transparent mode
- Configure IP rules and objects in the firewall
- Bind a secondary IP address to match the new network IP segment

88

Scenario & Hands-on 1-2
Basic Configuration: Transparent mode (step sequence 1-6)
Configure the IP objects in the Address Book of Object to the same address:
- Click Address Book in Object
- Configure the IP addresses of WAN1 and LAN1
89

Scenario & Hands-on 1-2
Basic Configuration: Transparent mode (step sequence 1-6)
Enable transparent mode for WAN1 and LAN1 (screenshot callouts 1-3):
- Click Ethernet under Interface
- Enable Transparent in the WAN1 interface and add the gateway object as Default Gateway
- Disable "add route for interface network"
90

Scenario & Hands-on 1-2
Basic Configuration: Transparent mode (step sequence 1-6)
Enable transparent mode for WAN1 and LAN1 (screenshot callouts 2-3):
- Click Ethernet in Interface
- Enable Transparent on the LAN1 interface
- Disable "add route for interface network"
91

Scenario & Hands-on 1-2
Basic Configuration: Transparent mode (step sequence 1-6)
Add the service rules under IP Rules (WAN1 to LAN1 and LAN1 to WAN1):
- Click IP Rules in Rules
- Choose the correct Action, Service, Interface and Network for the rule
92

Scenario & Hands-on 1-2
Basic Configuration: Transparent mode (step sequence 1-6)
Create the DHCP relay for LAN1 to WAN1:
- Click DHCP Relays under DHCP Settings in System
- Choose the correct Action, Service, Interface and Network for the rule
93

Scenario & Hands-on 1-2
Basic Configuration: Transparent mode (step sequence 1-6)
After all configuration:
- Click Configuration in the main bar
- Click Save and Activate
94

Scenario & Hands-on 1-2
Basic Configuration: Transparent mode
Testing result: get an IP address from the DHCP server and ping the gateway (screenshot)

95

Scenario & Hands-on 1-2: Exercise 1-2, Transparent mode
Objectives:
1. Enable transparent mode
2. Allow ping from WAN to LAN
3. Allow all services from LAN to WAN
Topology: WAN1 and Internal LAN1 use the same IP per group: Group1 192.168.200.1/24, Group2 192.168.200.2/24, ..., Group9 192.168.200.9/24, Group10 192.168.200.10/24
DHCP server IP address: 192.168.200.254

96

Scenario & Hands-on 1-3
Basic Configuration: WAN type, Static IP
Network topology: WAN1 (Static) IP 192.168.174.70/24, WAN1 gateway IP 192.168.174.254/24; Internal LAN1 IP 192.168.3.1/24
Note:
- Configure the default gateway

97

Scenario & Hands-on 1-3
Basic Configuration: WAN type, Static IP
Objectives
- Configure the WAN type with a static IP address
The Logic of the Configuration
- Before configuring the WAN type with a static IP, reset the device to default
- Create an object for the WAN1 gateway and apply it to the WAN1 interface
- Choose the correct Action, Service, Interface and Network for the rule

98

Scenario & Hands-on 1-3
Basic Configuration: WAN type, Static IP (step sequence 1-4)
Create the correct gateway object under Address Book:
- Click Address Book under Object
- Add an object for IP4 Host/Network
- Verify the IP addresses of wan1_ip and wan1net

99

Scenario & Hands-on 1-3
Basic Configuration: WAN type, Static IP (step sequence 1-4)
Apply the gateway object to the WAN interface:
- Click Ethernet under Interfaces
- Add the gateway object as Default Gateway
100

Scenario & Hands-on 1-3
Basic Configuration: WAN type, Static IP (step sequence 1-4)
Create the service rule in IP Rules:
- Click IP Rules under Rules
- Choose the correct Action, Service, Interface and Network for the rule
101

Scenario & Hands-on 1-3
Basic Configuration: WAN type, Static IP (step sequence 1-4)
After all configuration:
- Click Configuration in the main bar
- Click Save and Activate
102

Scenario & Hands-on 1-3
Basic Configuration: WAN type, Static IP
Testing result: ping to the Internet (tw.yahoo.com) (screenshot)

103

Scenario & Hands-on 1-3: Exercise 1-3, WAN type, Static IP
Objective
1. Change the WAN type to a static IP address from the following addresses
2. Use NAT mode to access the Internet
Topology: WAN1 Group IP; Internal LAN1 Group private IP
LAN1: Group1 192.168.10.1/24, Group2 192.168.20.1/24, ..., Group9 192.168.90.1/24, Group10 192.168.100.1/24
WAN1: Group1 192.168.200.1/24, Group2 192.168.200.2/24, ..., Group9 192.168.200.9/24, Group10 192.168.200.10/24; WAN1 Gateway 192.168.200.254

104

Scenario & Hands-on 1-4
Basic Configuration: WAN type, PPPoE
Network topology: WAN1 PPPoE; Internal LAN1 IP 192.168.3.1/24
Note:
- Configure the PPPoE tunnel
- Apply the PPPoE tunnel to the IP rule

105

Scenario & Hands-on 1-4
Basic Configuration: WAN type, PPPoE
Objectives
- Configure the WAN type on a PPPoE tunnel to access the Internet in NAT mode
The Logic of the Configuration
- Create a PPPoE tunnel and apply it to the IP rule
- Choose the correct Action, Service, Interface and Network for the rule

106

Scenario & Hands-on 1-4
Basic Configuration: WAN type, PPPoE (step sequence 1-3)
Create an object for the PPPoE rule in PPPoE Tunnels under Interfaces:
- Click PPPoE Tunnels under Interfaces
- Apply the correct Physical Interface, Remote Network, Username and Password in the object

107

Scenario & Hands-on 1-4
Basic Configuration: WAN type, PPPoE (step sequence 1-3)
Create the IP rule:
- Click IP Rules under Rules
- Choose the correct Action, Service, Interface and Network for the rule
108

Scenario & Hands-on 1-4
Basic Configuration: WAN type, PPPoE (step sequence 1-3)
After all configuration:
- Click Configuration in the main bar
- Click Save and Activate
109

Scenario & Hands-on 1-4
Basic Configuration: WAN type, PPPoE
Testing result: ping to the Internet (tw.yahoo.com) (screenshot)

110

Scenario & Hands-on 1-4: Exercise 1-4, WAN type, PPPoE
Topology: WAN1 PPPoE; Internal LAN1 IP 192.168.3.1/24
Objective:
1. Configure the WAN type on a PPPoE tunnel so that local users can access the Internet

111

Scenario & Hands-on 1-5
Basic Configuration: WAN type, DHCP
Network topology: WAN1 DHCP; Internal LAN1 IP 192.168.3.1/24
Note:
- Enable the DHCP client on the WAN interface

112

Scenario & Hands-on 1-5
Basic Configuration: WAN type, DHCP
Objectives
- Dynamically assign an IP to the WAN interface so that local users can access the Internet by NAT
The Logic of the Configuration
- Enable the DHCP client in Interface
- Create the IP rule and choose the correct Action, Service, Interface and Network for the rule

113

Scenario & Hands-on 1-5
Basic Configuration: WAN type, DHCP (step sequence 1-3)
Enable the DHCP client in Ethernet under Interfaces:
- Click Ethernet under Interfaces
- Enable DHCP Client
114

Scenario & Hands-on 1-5
Basic Configuration: WAN type, DHCP (step sequence 1-3)
Create the service rule in IP Rules:
- Click IP Rules in Rules
- Choose the correct Action, Service, Interface and Network for the rule
115

Scenario & Hands-on 1-5
Basic Configuration: WAN type, DHCP (step sequence 1-3)
After all configuration:
- Click Configuration in the main bar
- Click Save and Activate
116

Scenario & Hands-on 1-5
Basic Configuration: WAN type, DHCP
Testing result: verify the WAN IP from Status in the tool bar (screenshot)

117

Scenario & Hands-on 1-5: Exercise 1-5, WAN type, DHCP
Topology: WAN1 to DHCP server; Internal LAN1 IP 192.168.3.1/24
Objective
1. Dynamically assign an IP to the WAN interface so that local users can access the Internet

118

Scenario & Hands-on 2-1
WAN Failover
Network topology: WAN1 DHCP; WAN2 (static IP) IP 192.168.174.70/24, WAN2 gateway IP 192.168.174.254; Internal LAN1 IP 192.168.1.0/16, Internal LAN2 IP 192.168.2.0/24, Internal LAN3 IP 192.168.3.0/24
Note:
- Manually add the default route in the main routing table
- Enable the Monitor feature on the routes
- WAN2 is the backup link

119

Scenario & Hands-on 2-1
WAN Failover
Objectives
- WAN1 is the main link, WAN2 is the backup link
- When WAN1 is disconnected, all traffic goes through WAN2 to the Internet
- When WAN1 is back to normal, all traffic goes through WAN1 to the Internet
The Logic of the Configuration
- Create the routing policy in the main routing table
- Apply the routing policy between the DHCP and static-IP WAN connections
- Create the IP rule and choose the correct Action, Service, Interface and Network for the rule

120

Scenario & Hands-on 2-1
WAN Failover (screenshot callouts 1 and 3)
Enable the DHCP client in Ethernet under Interfaces:
- Click Ethernet in Interface
- Uncheck "Add default route if default gateway is specified"
121

Scenario & Hands-on 2-1
WAN Failover
Create the correct gateway object in Address Book under Object (WAN2):
- Click Address Book in Object
- Add the object for IP4 Host/Network
- Modify wan2_ip and wan2net

122

Scenario & Hands-on 2-1
WAN Failover (screenshot callouts 1-3)
Apply the gateway object to the WAN interface and disable "add default route":
- Click Ethernet in Interface
- Disable the default route in Interface
123

Scenario & Hands-on 2-1
WAN Failover
Combine WAN1 and WAN2 into a WAN interface group object:
- Click Interface Groups in Interface
- Create the object and choose WAN1 and WAN2
124

Scenario & Hands-on 2-1
WAN Failover
Create the IP rule for the WAN group:
- Click IP Rules in Rules
- Choose the correct Action, Service, Interface and Network in the rule

125

D-Link Security

Scenario & Hands-on 2-1


WAN Failover

3 1 4 2

Create the WAN1 routing rule and enable monitor this route Click Main Routing Table under Routing Create the routing rule for WAN1 Choose lower Metric value and enable monitor this route
126

D-Link Security

Scenario & Hands-on 2-1


WAN Failover

3 1 4 2

Create the WAN2 routing rule and enable monitor this route Click Main Routing Table under Routing Create the routing rule for WAN2 Choose higher Metric valueand enable monitor this route
127

D-Link Security

Scenario & Hands-on 2-1


WAN Failover

After all configuration , Click configuration in main bar Click Save and Activate
128

D-Link Security

WAN1 DHCP

WAN2 Group IP (Static IP)

Scenario & Hands-on 2-1 Exercise 2-1- WAN Failover


Objectives:
1. 2. WAN1 is the main link,WAN2 is the backup link When WAN1 is disconnected, all traffic would failover to WAN2

Internal LAN1 Group IP


129

WAN2 Group1: 10.2.1.1/24 Group2: 10.2.1.2/24 . . Group9: 10.2.1.9/24 Group10: 10.2.1.10/24 WAN2-Gateway:10.2.1.254

LAN1 192.168.10.1/24 192.168.20.1/24 . . 192.168.90.1/24 192.168.100.1/24

D-Link Security

Scenario & Hands-on 2-2: Load Sharing and WAN Failover
Network topology
WAN1: DHCP
WAN2 (static IP): 192.168.174.70/24, WAN2 gateway IP: 192.168.174.254
Internal LAN1 IP: 192.168.1.0/16
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
Notes:
Create a PBR table and apply it in a routing policy

Objectives
All services go through WAN1, but the FTP service and a specific IP range go through WAN2.
When WAN1 is disconnected, all traffic goes through WAN2 to the Internet.
When WAN1 is back to normal, all traffic goes through WAN1 to the Internet again.
When WAN2 is disconnected, the specified traffic and service can still reach the Internet through WAN1.

The logic of configuration
Modify the PBR routing table and the routing rule

Create the IP address object specifically for LAN1
Click Address Book under Objects
Click Ethernet under Interfaces

Add the route for WAN2 (static) to the PBR table
Click PBR Table under Routing
Choose the higher metric in the PBR table and enable the Monitor function

Add the routing rule for WAN1 in the PBR policy
Click PBR Policy under Routing
Choose the correct Forward table, Return table, interface and network

After all configuration, click Configuration in the main bar, then click Save and Activate.

Scenario & Hands-on 2-2, Exercise 2-2: Load Sharing
Topology: WAN1 DHCP; WAN2 static IP; internal LAN1 IP: 192.168.x.0/24
Objectives:
1. Load sharing: outbound ping and traffic from the specific IP range 192.168.X.10-100 go through WAN2; all other services reach the Internet through WAN1.
2. Failover: when any WAN cable is unplugged, users can still access the Internet via the other WAN port.
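The route selection behind Scenarios 2-1 and 2-2, as an added example that is not D-Link's code: two monitored default routes with different metrics in the main table, plus a PBR table that sends FTP and the 192.168.1.10-100 range out WAN2. Interface names, the metric values, the service names and the fallback to the main table when the PBR table has no live route are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    network: ipaddress.IPv4Network  # destinations covered by this route
    interface: str                  # outgoing interface, e.g. "wan1"
    gateway: str                    # next hop (informational in this model)
    metric: int                     # lower metric wins when several routes match
    monitor: bool = True            # monitored routes drop out while the link is down


@dataclass
class PbrRule:
    """Policy-based routing rule: traffic from src_first..src_last for the given
    service (or "any") is looked up in forward_table instead of "main"."""
    src_first: ipaddress.IPv4Address
    src_last: ipaddress.IPv4Address
    service: str
    forward_table: str


class Router:
    def __init__(self):
        self.tables = {"main": []}      # table name -> list of Route
        self.pbr_rules = []             # evaluated top-down, first match wins
        self.link_up = {}               # interface -> monitor state (assumed model)

    def add_route(self, table, route):
        self.tables.setdefault(table, []).append(route)
        self.link_up.setdefault(route.interface, True)

    def set_link(self, interface, up):
        """Simulates the route monitor: a failed monitor marks the link down and
        every monitored route on that interface is ignored until it recovers."""
        self.link_up[interface] = up

    def _lookup(self, table, dst):
        live = [r for r in self.tables.get(table, [])
                if dst in r.network and (not r.monitor or self.link_up[r.interface])]
        if not live:
            return None
        # longest prefix first, then the lowest metric: WAN1 (metric 90) beats WAN2 (100)
        live.sort(key=lambda r: (-r.network.prefixlen, r.metric))
        return live[0]

    def egress(self, src, dst, service):
        """Returns the interface a packet leaves on, or None if no route is usable."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        table = "main"
        for rule in self.pbr_rules:
            if rule.src_first <= src_ip <= rule.src_last and rule.service in (service, "any"):
                table = rule.forward_table
                break
        route = self._lookup(table, dst_ip)
        if route is None and table != "main":
            # assumption of this model: if the PBR table has no live route (WAN2 down),
            # fall back to the main table so the traffic still leaves through WAN1
            route = self._lookup("main", dst_ip)
        return route.interface if route else None


def build_scenario_router():
    """Scenarios 2-1/2-2: WAN1 (DHCP) as main link, WAN2 (static) as backup,
    FTP and the range 192.168.1.10-100 policy-routed to WAN2. The metric values
    and the 'ftp' service name are assumptions for this model."""
    r = Router()
    default = ipaddress.ip_network("0.0.0.0/0")
    r.add_route("main", Route(default, "wan1", "dhcp-assigned", metric=90))
    r.add_route("main", Route(default, "wan2", "192.168.174.254", metric=100))
    # the PBR table holds only the monitored WAN2 route, so it empties when WAN2 fails
    r.add_route("pbr_wan2", Route(default, "wan2", "192.168.174.254", metric=100))
    lan_first, lan_last = ipaddress.ip_address("192.168.1.0"), ipaddress.ip_address("192.168.1.255")
    rng_first, rng_last = ipaddress.ip_address("192.168.1.10"), ipaddress.ip_address("192.168.1.100")
    r.pbr_rules.append(PbrRule(lan_first, lan_last, "ftp", "pbr_wan2"))
    r.pbr_rules.append(PbrRule(rng_first, rng_last, "any", "pbr_wan2"))
    return r


if __name__ == "__main__":
    r = build_scenario_router()
    print("http from .5  :", r.egress("192.168.1.5", "203.0.113.10", "http"))   # wan1
    print("ftp from .5   :", r.egress("192.168.1.5", "203.0.113.10", "ftp"))    # wan2
    r.set_link("wan1", False)
    print("http, WAN1 down:", r.egress("192.168.1.5", "203.0.113.10", "http"))  # wan2
```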

How to enable the tracer (traceroute) function
Modify the value of TTL Min to 1
Click IP Settings under Advanced Settings in System
Key in the smallest value (1)

Enable "Pass returned ICMP error messages from destination"
Click Services under Objects and choose the all_icmp object
Enable "Pass returned ICMP error messages from destination"

Scenario & Hands-on 3: ZoneDefense
When an infected host spreads a worm into the network, the firewall can stop the malicious traffic from flooding other subnets but has no way to stop it infecting its own network [subnet A]. D-Link firewalls implement the ZoneDefense feature to perform proactive network security together with D-Link switches.
The most effective solution: the firewall triggers an ACL in the LAN switches to perform real-time filtering of any malicious traffic found.
Set the ACL to block a specific MAC or IP address.
(Figure: WAN, firewall, LAN switch and infected host. Supported switches: DES-3x26S, DES-3350SR, DES-3250TG, DES-3500 series, DES-3800 series, xStack series.)

ZoneDefense, uniquely from D-Link
It operates with D-Link switches to isolate an infected host that is generating unusual traffic on the LAN.
It uses Threshold rules to examine connections through the firewall and take action on them.
The threshold rules monitor the number of connections per second.
When a pre-defined limit is reached, the firewall sends block requests to the switches configured for ZoneDefense.

Network topology
INTERNET, WAN1 IP: 192.168.174.70/24
LAN1 IP: 192.168.1.1/24
Switch: DGS-3324SR, IP: 192.168.1.250/24, with PCs attached
Block HTTP requests exceeding 4 sessions for every host
Note:
Verify the model of the supported switch
Verify the IP address of the switch
Verify the SNMP community between switch and firewall

Objectives
When the traffic of any host exceeds 4 sessions, the switch creates the ACL rule, at the firewall's request, to block the illegal traffic.

The logic of configuration
Configure the switch
Choose the correct switch model
Exclude the switch and the administrator
Create and configure the threshold rule

Reset the switch to default and configure its IP address
Use the switch CLI:
  reset config
  config ipif System ipaddress 192.168.1.250/24

Verify the communication between firewall and switch and inspect the community on the switch
Use the switch CLI:
  show snmp community

Create the IP address objects for the switch and the administrator
Click Address Book under Objects
Add the objects as IP4 Host/Network

Create the switch object in ZoneDefense
Click Switches under ZoneDefense
Choose the correct switch model and key in the SNMP community
Verify that the firewall can communicate with the switch

Exclude the switch and the administrator
Click Exclude under ZoneDefense
Choose the correct objects

Create the threshold rule in ZoneDefense
Click Threshold under ZoneDefense
Choose the correct interface and network
Key in the threshold condition (the host-based value must be smaller than the network-based value)

After all configuration, click Configuration in the main bar, then click Save and Activate.

Testing Result
Block status from the firewall
Block status from the switch

Scenario & Hands-on 3, Exercise 3: ZoneDefense
Topology: INTERNET, WAN1 DHCP; LAN1 IP: group IP address; switch DGS-3324SR with an IP in the same segment as the LAN1 IP; PCs attached
Objective:
1. When the web traffic of any host exceeds 2 sessions, the switch creates the ACL rule, at the firewall's request, to block the illegal traffic.
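The threshold logic of Scenario 3, as an added example that is not D-Link's code: connections seen by the firewall are counted per source host and per network in one-second windows, and a host that exceeds the host-based limit gets a block request towards the switch unless it is on the exclude list. The connection records, the network-wide limit of 20 and the administrator address 192.168.1.100 are constructed for this example; the record format is not the appliance's log format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample connection records (not the appliance's log format):
# ts = second the connection was opened, src = LAN host, dport = destination port.
SAMPLE_CONNECTIONS = """
ts=1 src=192.168.1.20 dst=203.0.113.5 dport=80
ts=1 src=192.168.1.20 dst=203.0.113.6 dport=80
ts=1 src=192.168.1.20 dst=203.0.113.7 dport=80
ts=1 src=192.168.1.20 dst=203.0.113.8 dport=80
ts=1 src=192.168.1.20 dst=203.0.113.9 dport=80
ts=1 src=192.168.1.20 dst=203.0.113.10 dport=80
ts=1 src=192.168.1.30 dst=203.0.113.5 dport=80
ts=1 src=192.168.1.30 dst=203.0.113.5 dport=443
ts=1 src=192.168.1.100 dst=203.0.113.5 dport=80
ts=1 src=192.168.1.100 dst=203.0.113.6 dport=80
ts=1 src=192.168.1.100 dst=203.0.113.7 dport=80
ts=1 src=192.168.1.100 dst=203.0.113.8 dport=80
ts=1 src=192.168.1.100 dst=203.0.113.9 dport=80
ts=2 src=192.168.1.30 dst=203.0.113.5 dport=80
ts=2 src=192.168.1.30 dst=203.0.113.6 dport=80
ts=2 src=192.168.1.30 dst=203.0.113.7 dport=80
ts=2 src=192.168.1.30 dst=203.0.113.8 dport=80
ts=2 src=192.168.1.30 dst=203.0.113.9 dport=80
"""


def parse_connection(line):
    fields = dict(kv.split("=", 1) for kv in line.split())
    return int(fields["ts"]), ipaddress.ip_address(fields["src"]), int(fields["dport"])


class ThresholdRule:
    def __init__(self, network, service_ports, host_limit, network_limit, excluded, switch_ip):
        # Scenario 3: the host-based value must be smaller than the network-based value
        if host_limit >= network_limit:
            raise ValueError("host-based threshold must be smaller than the network threshold")
        self.network = ipaddress.ip_network(network)
        self.ports = set(service_ports)
        self.host_limit = host_limit
        self.network_limit = network_limit
        self.excluded = {ipaddress.ip_address(a) for a in excluded}
        self.switch_ip = switch_ip

    def evaluate(self, log_text):
        """Counts new connections per second, per host and for the whole network.
        Returns the block requests the firewall would send to the switch and the
        seconds in which the network-wide limit was exceeded."""
        per_host = defaultdict(int)      # (second, host) -> connections
        per_net = defaultdict(int)       # second -> connections
        blocked = set()
        block_requests, net_exceeded = [], []
        for line in log_text.strip().splitlines():
            ts, src, dport = parse_connection(line)
            if src not in self.network or dport not in self.ports or src in blocked:
                continue
            per_host[(ts, src)] += 1
            per_net[ts] += 1
            if per_host[(ts, src)] > self.host_limit and src not in self.excluded:
                # one block request per offending host: the switch installs an ACL for it
                block_requests.append({"switch": self.switch_ip, "block_ip": str(src), "at": ts})
                blocked.add(src)
            if per_net[ts] > self.network_limit and ts not in net_exceeded:
                net_exceeded.append(ts)
        return block_requests, net_exceeded


def scenario_3_rule():
    """Scenario 3: block HTTP exceeding 4 sessions per host on LAN1, excluding the
    switch (192.168.1.250) and an administrator host (192.168.1.100, assumed)."""
    return ThresholdRule("192.168.1.0/24", [80], host_limit=4, network_limit=20,
                         excluded=["192.168.1.250", "192.168.1.100"],
                         switch_ip="192.168.1.250")


if __name__ == "__main__":
    requests, exceeded = scenario_3_rule().evaluate(SAMPLE_CONNECTIONS)
    for req in requests:
        print(req)          # .20 blocked in second 1, .30 in second 2; .100 is excluded
```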

Scenario & Hands-on 4-1: Port mapping for server
Network topology
WAN1 IP: 192.168.174.70/24
FTP server public IP: 192.168.174.71/24
FTP server 172.16.1.1 on the DMZ
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
Note:
Add the additional public IP address to the ARP table
Verify the sequence of the IP rules

Objectives
Access the FTP server by its public IP address (192.168.174.71)

The logic of configuration
Create objects for the public and private IP addresses of the FTP server
Create the ARP object in the ARP Table
Create the IP rules (SAT and Allow) for the FTP server

Add the objects for both the public and the virtual (private) IP address of the FTP server
Click Address Book under Objects
Key in the correct IP addresses

Create the object in the ARP Table
Click ARP Table under Interfaces
Apply the object with the FTP public IP address

Create the IP rule that maps the FTP server (SAT)
Click IP Rules under Rules
Choose the correct Action, Service, Interface, SAT setting and Network for the rule

Create the IP rule that allows traffic to the FTP server (Allow FTP)
Click IP Rules under Rules
Choose the correct Action, Service, Interface and Network for the rule

After all configuration, click Configuration in the main bar, then click Save and Activate.

Testing Result
Successfully logged in to the FTP server

Scenario & Hands-on 4-1, Exercise 4-1: Port mapping for server
Topology: WAN1 DHCP; FTP server reachable on the group's public IP address, located on the group's private IP address on the DMZ
DMZ IP: 172.17.100.254 (DFL-800: DMZ port; DFL-1600: port #3; DFL-2500: port #5)
FTP server public IP: Group1: 192.168.200.51/24, Group2: 192.168.200.52/24, ... Group9: 192.168.200.59/24, Group10: 192.168.200.60/24
FTP server private IP: 172.17.100.1/24
Objective:
1. Access the FTP server by the group's public IP address successfully

Scenario & Hands-on 4-2: SAT in PPPoE connection
Network topology
WAN1: PPPoE
FTP server 172.16.1.1 on the DMZ
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
Note:
Add the PPPoE tunnel under Interfaces
Verify the sequence of the IP rules

Objectives
When using a PPPoE connection, the internal FTP server can be accessed from the public side

The logic of configuration
Create the object for the PPPoE connection
Create the private IP address object for the FTP server
Create the IP rules (SAT and Allow) for the FTP server

Create an object for the PPPoE connection in PPPoE Tunnels under Interfaces
Click PPPoE Tunnels under Interfaces
Apply the correct Physical Interface, Remote Network, Username and Password in the object

Add the object for the virtual (private) IP address of the FTP server
Click Address Book under Objects
Key in the correct IP address

When using the PPPoE connection, create the IP rule that maps the FTP server (SAT)
Click IP Rules under Rules
Choose the correct Action, Service, Interface, SAT setting and Network for the rule

Create the IP rule that allows traffic to the FTP server (Allow FTP)
Click IP Rules under Rules
Choose the correct Action, Service, Interface and Network for the rule

After all configuration, click Configuration in the main bar, then click Save and Activate.

Testing Result
Successfully logged in to the FTP server

Scenario & Hands-on 4-2, Exercise 4-2: SAT in PPPoE connection
Topology: WAN1 PPPoE; FTP server reachable on the group's public IP address, located on the group's private IP address on the DMZ
DMZ IP: 172.17.100.254 (DFL-800: DMZ port; DFL-1600: port #3; DFL-2500: port #5)
FTP server public IP: Group1: 192.168.200.51/24, Group2: 192.168.200.52/24, ... Group9: 192.168.200.59/24, Group10: 192.168.200.60/24
FTP server private IP: 172.17.100.1/24
Objective:
1. Access the FTP server by the group's public IP address successfully

Scenario & Hands-on 4-3: SAT and server load balancing
Network topology
WAN1 IP: 192.168.174.70/24
FTP server public IP: 192.168.174.71/24
FTP Server-1 172.16.1.1 and FTP Server-2 172.16.1.2 on the DMZ
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
Note:
Add the additional public IP address to the ARP table
Verify the sequence of the IP rules

Objectives
Access two FTP servers by one public IP address (192.168.174.71)

The logic of configuration
Create objects for the public and private IP addresses of the two FTP servers
Create the ARP object in the ARP Table
Create the IP rules (SAT_SLB and Allow) for the FTP servers

Add the public IP address object for the two FTP servers
Click Address Book under Objects
Key in the correct IP address

Add two virtual (private) IP address objects for the two FTP servers
Click Address Book under Objects
Key in the correct IP addresses

Apply the public IP address object to the ARP Table
Click ARP Table under Interfaces
Apply the object with the FTP public IP address

Create the IP rule for the FTP servers (SLB_SAT)
Click IP Rules under Rules
Choose the correct Action, Service, Interface, SLB_SAT setting and Network for the rule

Create the IP rule that allows traffic to the FTP servers (Allow FTP)
Click IP Rules under Rules
Choose the correct Action, Service, Interface and Network for the rule

After all configuration, click Configuration on the main menu bar, then click Save and Activate.

Scenario & Hands-on 4-3, Exercise 4-3: SAT and server load balancing
Topology: WAN1 DHCP; the FTP servers are reachable on the group's public IP address and located on group private IP-1 and group private IP-2 on the DMZ
FTP server public IP: Group1: 192.168.200.51/24, Group2: 192.168.200.52/24, ... Group9: 192.168.200.59/24, Group10: 192.168.200.60/24
FTP server private IP-1: 172.17.100.1/24, DMZ: 192.168.100.254
FTP server private IP-2: Group1: 172.17.100.2/24
Objective:
1. Access the two FTP servers by the group's public IP address successfully
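Rule-set evaluation for the port mapping scenarios 4-1 to 4-3, as an added example that is not D-Link's code: the SAT rule rewrites the destination (round-robin over several servers for SLB) and a following Allow rule admits the packet, which is why the scenarios say to verify the sequence of the IP rules and to publish the extra public address in the ARP table. The rule names, the round-robin choice and the detail that the second rule is matched against the untranslated packet are assumptions of this model.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    iface: str     # interface the packet arrives on, e.g. "wan1"
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                  # "SAT", "Allow", "NAT" or "Drop"
    src_iface: str               # source interface the rule matches
    dst: str                     # destination address the rule matches (before translation)
    dport: int                   # service port, 21 for FTP control
    targets: list = field(default_factory=list)   # SAT only: private server(s)
    served: int = 0              # SLB round-robin position (assumed algorithm)

    def matches(self, p):
        return p.iface == self.src_iface and p.dst == self.dst and p.dport == self.dport

    def translate(self):
        """SAT: a single target maps 1:1; several targets are balanced round-robin."""
        target = self.targets[self.served % len(self.targets)]
        self.served += 1
        return target


class Firewall:
    def __init__(self, interface_ips, arp_published, rules):
        # the firewall only answers for addresses it owns or has published in the ARP table
        self.owned = set(interface_ips) | set(arp_published)
        self.rules = list(rules)

    def process(self, p):
        """Returns (final action, rule that decided, destination the packet is delivered to)."""
        if p.dst not in self.owned:
            return ("Drop", "not-owned", p.dst)   # no ARP entry: the packet never reaches a rule
        delivered = p.dst
        for rule in self.rules:
            if not rule.matches(p):
                continue
            if rule.action == "SAT":
                delivered = rule.translate()      # translate, then keep searching for the
                continue                          # second rule that admits the packet
            if rule.action in ("Allow", "NAT"):
                return (rule.action, rule.name, delivered)
            return ("Drop", rule.name, p.dst)
        return ("Drop", "default", p.dst)         # implicit drop at the end of the rule set


PUBLIC_FTP = "192.168.174.71"


def scenario_4_1():
    """4-1: FTP on 192.168.174.71 mapped to the DMZ server 172.16.1.1 (SAT, then Allow)."""
    rules = [Rule("ftp_sat", "SAT", "wan1", PUBLIC_FTP, 21, ["172.16.1.1"]),
             Rule("ftp_allow", "Allow", "wan1", PUBLIC_FTP, 21)]
    return Firewall(["192.168.174.70"], [PUBLIC_FTP], rules)


def scenario_4_3():
    """4-3: the same public address balanced over 172.16.1.1 and 172.16.1.2 (SLB_SAT)."""
    rules = [Rule("ftp_sat_slb", "SAT", "wan1", PUBLIC_FTP, 21, ["172.16.1.1", "172.16.1.2"]),
             Rule("ftp_allow", "Allow", "wan1", PUBLIC_FTP, 21)]
    return Firewall(["192.168.174.70"], [PUBLIC_FTP], rules)


def wrong_order():
    """The rule-sequence mistake the scenarios warn about: Allow placed before SAT."""
    rules = [Rule("ftp_allow", "Allow", "wan1", PUBLIC_FTP, 21),
             Rule("ftp_sat", "SAT", "wan1", PUBLIC_FTP, 21, ["172.16.1.1"])]
    return Firewall(["192.168.174.70"], [PUBLIC_FTP], rules)


def no_arp_entry():
    """The ARP-table mistake: the public address was never published."""
    rules = [Rule("ftp_sat", "SAT", "wan1", PUBLIC_FTP, 21, ["172.16.1.1"]),
             Rule("ftp_allow", "Allow", "wan1", PUBLIC_FTP, 21)]
    return Firewall(["192.168.174.70"], [], rules)


if __name__ == "__main__":
    ftp = Packet("wan1", "198.51.100.7", PUBLIC_FTP, 21)   # constructed client packet
    print("4-1        :", scenario_4_1().process(ftp))
    fw = scenario_4_3()
    print("4-3 x3     :", [fw.process(ftp)[2] for _ in range(3)])
    print("wrong order:", wrong_order().process(ftp))       # allowed but never translated
    print("no ARP     :", no_arp_entry().process(ftp))
```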

Scenario & Hands-on 5: Runtime Authentication configuration
(Figure: process of authentication, showing an HTTP request from a LAN client towards the Internet.)

Runtime authentication authorizes users to access the Internet, LAN and intranet services, either through the local user database or a RADIUS server. The user authentication rules must be saved and activated in order to apply the settings.

The Core owns the IP addresses
(Figure: the firewall Core, between WAN and LAN, owns the interface IP addresses 192.168.10.1 and 10.0.100.97.)

Network topology
WAN1 IP: 192.168.174.70/24
LAN1 IP: 192.168.1.1/24
Switch: DES-3226S, IP: 192.168.1.250/24, with PCs attached (authenticated users accessing the Internet)
Note:
Modify the Web UI HTTP port
Verify the sequence of the IP rules

Objectives
When a user opens a web browser, a login screen pops up automatically and asks the user to log in. Services are allowed after authentication.
Users can either log out manually, or they are logged out automatically when the preset idle time is reached.

The logic of configuration
Change the Web UI HTTP port
Create an object for the specific traffic network
Create a local user database
Create the IP rules for authentication

Change the remote management HTTP port to avoid a port conflict
Click Remote Management, then click to modify the advanced settings
Change the Web UI HTTP port

Create the user database for authentication
Click Local User Databases under User Authentication
Key in the authenticated users (user name/password)

Create the User Authentication Rules
Click User Authentication Rules under User Authentication
Choose the corresponding settings

Create the IP address object for the authenticating users
Click Address Book under Objects
Add an object for the authenticating users
Key in the correct IP address and group name

Create the Allow rule (rule-1)
Click IP Rules under Rules
Choose the correct Action, Service, Interface and Network for the rule

Create the NAT-DNS rule (rule-2)
Click IP Rules under Rules
Choose the correct Action, Service, Interface and Network for the rule

Create the NAT-all_services rule (rule-3)
Click IP Rules under Rules
Choose the correct Action, Service, Interface and Network for the rule

Create the SAT rule (rule-4)
Click IP Rules under Rules
Choose the correct Action, Service, Interface and Network for the rule

Create the Allow rule (rule-5)
Click IP Rules under Rules
Choose the correct Action, Service, Interface and Network for the rule

After all configuration, click Configuration on the main menu bar, then click Save and Activate.

Runtime Authentication configuration: what the rules do
Allow the manual log-out web page
Action 1: allow users to look up DNS
Action 3: allow authorized users to use network services
Action 2: all HTTP traffic is mapped to the firewall LAN1 IP address
Action 2: allow all HTTP traffic to be mapped to the LAN1 IP address

Testing Result

Scenario & Hands-on 5, Exercise 5: Runtime Authentication configuration
Topology: WAN1 DHCP; LAN1 IP: 192.168.1.1/24; switch DES-3226S, IP: 192.168.1.250/24, with PCs attached (authenticated users accessing the Internet)
Objectives:
1. The specific user or network must be authorized before accessing the Internet
2. Users can either log out manually, or they are logged out automatically when the preset idle time is reached

Scenario & Hands-on 6: Traffic Shaping
Pipes concept
(Figure: incoming packets enter on the incoming interface, pass the anti-spoofing check and the rule view (Rule 1 to Rule 6); each rule can send its traffic through a pipe before the packets leave on the outgoing interface.)

The concept of dynamic balancing
W = Kbps a user wants to have, G = Kbps the user gets
(Figure: five users, User 1 to User 5, each with a W and a G value; this diagram shows the case without dynamic balancing.)
(Figure: the same five users when the dynamic balancing function is used.)

The concept of precedence
A pipe has the precedences Highest, High, Medium and Low.

Concept of design (pipe 1 Mbps)
Bandwidth of a leased line with 1 Mbps in both directions (two pipes): the Std-in pipe (1 Mbps) for data coming in and the Std-out pipe (1 Mbps) for data going out, on the 1 Mbps leased line from our ISP.
The pipe throughput should be less than the physical pipe!

Concept of design (pipe 1 Mbps), download
Within the 1 Mbps pipe: HTTP 250 Kbps at Highest, FTP 250 Kbps at High, SMTP 500 Kbps at Low.

Pipes
All measuring, limiting, guaranteeing and balancing is carried out in pipes. A pipe by itself is meaningless unless it is put into use in the Rules section. Each rule can pass traffic through one or more pipes, with a precedence (priority) of your choice.

Precedence
Determine the bandwidth of each precedence.

Pipe rules
Plan your traffic shaping requirements. If you do not know how traffic should be limited, prioritized, guaranteed or distributed, you will likely find the configuration work more confusing than helpful.

Precedence
Assign the precedence.

Network topology
External: WAN1; internal: LAN1
Bandwidth of the leased line: download 1 Mbps, upload 1 Mbps
1. For inbound and outbound HTTP and HTTPS, the maximum bandwidth is 500 Kb.
2. For inbound and outbound POP3, the guaranteed bandwidth is 300 Kb (maximum bandwidth 1000 Kb).
3. For other inbound and outbound services, the remaining bandwidth is used.
4. All of the services above have dedicated bandwidth values.
Note: before using traffic shaping for a specified application, make sure that the IP rule for that application has been created.

Objective
For inbound and outbound HTTP and HTTPS, the maximum bandwidth is 500 Kb.
For inbound and outbound POP3, the guaranteed bandwidth is 300 Kb (maximum bandwidth 1000 Kb).
For other inbound and outbound services, the remaining bandwidth is used.
All of the services above have dedicated bandwidth values.

The logic of configuration
Make sure the IP rules have been created
Create the Pipe objects
Create the Pipe rules
Choose the correct Action, Service, Interface and Network in each rule
Key in the correct values for Precedence and Total bandwidth

Create the object for the input pipe (the standard-in pipe)
Click Pipes under Traffic Shaping
Key in the corresponding values for Precedence and total bandwidth

Create the object for the output pipe (the standard-out pipe)
Click Pipes under Traffic Shaping
Key in the corresponding values for Precedence and total bandwidth

Create the object for HTTP input (the HTTP-in pipe)
Click Pipes under Traffic Shaping
Key in the corresponding values for Precedence and total bandwidth

Create the object for HTTP output (the HTTP-out pipe)
Click Pipes under Traffic Shaping
Key in the correct values for Precedence and Total bandwidth

Create the rule for HTTP
Click Pipe Rules under Traffic Shaping
Key in the corresponding values for Precedence and total bandwidth

Create the object for POP3 input (the POP3-in pipe)
Click Pipes under Traffic Shaping
Key in the corresponding values for Precedence and total bandwidth

Create the object for POP3 output (the POP3-out pipe)
Click Pipes under Traffic Shaping
Key in the corresponding values for Precedence and total bandwidth

Create the rule for POP3
Click Pipe Rules under Traffic Shaping
Choose the correct Action, Service, Interface and Network in the rule

Create the rule for other services
Click Pipe Rules under Traffic Shaping
Choose the correct Action, Service, Interface and Network in the rule

After all configuration, click Configuration on the main menu bar, then click Save and Activate.

Summary
First step: create two bidirectional pipes for the physical WAN link.
Second step: create two bidirectional pipes for the specified application.
Third step: create the pipe rules for the specified application.

Scenario & Hands-on 6, Exercise 6: Traffic Shaping
Topology: external WAN1, internal LAN1; bandwidth of the leased line: download 1 Mbps, upload 1 Mbps
Objectives
1. For inbound and outbound SMTP, the maximum bandwidth is 400 Kb.
2. For inbound and outbound FTP, the guaranteed bandwidth is 250 Kb (maximum bandwidth 500 Kb).
3. For other inbound and outbound services, the maximum bandwidth is 350 Kb.
4. All of the services above have dedicated bandwidth values.
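The pipe arithmetic of Scenario 6 worked through, as an added example that is not D-Link's code: precedence scheduling inside a pipe with a total limit and a per-precedence limit (the guarantee), and dynamic balancing of W (wanted) against G (gets) among users at one precedence. The precedence assignment, the demand figures and the treatment of traffic above a precedence limit (demoted to the lowest precedence rather than dropped) are assumptions of this model.

```python
from collections import defaultdict

PRECEDENCES = ("highest", "high", "medium", "low")   # served in this order


def dynamic_balance(budget, wants):
    """Dynamic balancing between users of one precedence (W = Kbps wanted,
    G = Kbps given): everyone gets min(W, fair share) and bandwidth that a
    light user leaves unused is redistributed to the heavier users."""
    gets = [0.0] * len(wants)
    unsatisfied = list(range(len(wants)))
    left = float(budget)
    while unsatisfied and left > 1e-9:
        share = left / len(unsatisfied)
        still = []
        for i in unsatisfied:
            give = min(wants[i] - gets[i], share)
            gets[i] += give
            left -= give
            if wants[i] - gets[i] > 1e-9:
                still.append(i)
        unsatisfied = still
    return gets


def first_come(budget, wants):
    """Without balancing: earlier users take what they want, later ones get the rest."""
    gets, left = [], float(budget)
    for w in wants:
        give = min(w, left)
        gets.append(give)
        left -= give
    return gets


def schedule_pipe(total_kbps, precedence_limits, flows):
    """One pipe. flows = (name, precedence, demand_kbps, max_kbps or None).
    precedence_limits = {precedence: kbps} reserves that much for the
    precedence (the 'guarantee'); precedences without a limit are uncapped.
    Assumption of this model: demand above a precedence limit is not dropped
    but demoted to the lowest precedence, where it competes as best effort."""
    granted = defaultdict(float)
    remaining = float(total_kbps)
    demoted = []                                   # (name, kbps still wanted)
    for prec in PRECEDENCES:
        # a flow's own maximum (e.g. HTTP max 500) caps its demand before scheduling
        level = [(n, d if m is None else min(d, m)) for n, p, d, m in flows if p == prec]
        if prec == "low":
            level += demoted
        cap = precedence_limits.get(prec)
        budget = remaining if cap is None else min(cap, remaining)
        shares = dynamic_balance(budget, [d for _, d in level])
        for (name, demand), got in zip(level, shares):
            granted[name] += got
            if prec != "low" and cap is not None and demand - got > 1e-9:
                demoted.append((name, demand - got))
        remaining -= sum(shares)
    return dict(granted)


def scenario_6_download():
    """Scenario 6, download direction: std-in pipe 1000 Kbps, HTTP/HTTPS max 500,
    POP3 guaranteed 300 (max 1000), other services take the rest. The precedence
    assignment (POP3 highest, HTTP high, others low) is this example's choice."""
    flows = [("http", "high", 800, 500),       # wants 800 but is capped at 500
             ("pop3", "highest", 600, 1000),   # 300 guaranteed, rest is best effort
             ("other", "low", 400, None)]
    return schedule_pipe(1000, {"highest": 300}, flows)


if __name__ == "__main__":
    print("scenario 6 download:", scenario_6_download())   # http 500, pop3 400, other 100
    wants = [100, 600, 600]
    print("no balancing     :", first_come(1000, wants))      # [100, 600, 300]
    print("dynamic balancing:", dynamic_balance(1000, wants)) # [100, 450, 450]
```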

Scenario & Hands-on 7-1: VPN Configuration, PPTP
Network topology
PPTP client IP: 192.168.174.71/24
DFL-1600 WAN1 (DHCP) IP: 192.168.174.70/24
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
Note:
Choose the correct inner IP address and Outer Interface Filter for the PPTP tunnel

Objectives
The user dials up to the firewall with the Windows PPTP client software.
The dial-up user communicates with LAN1 of the firewall.

The logic of configuration
Create objects for the PPTP server IP address and the IP address range
Create the authentication database
Configure the PPTP server
Create the IP rule for the PPTP tunnel

Create objects for the PPTP server IP address and the IP address range
Click Address Book under Objects
Key in the corresponding IP addresses

Create the local user database for PPTP authentication
Click Local User Databases under User Authentication
Key in the correct username and password

Create the PPTP tunnel
Click PPTP/L2TP Servers under Interfaces
Choose the corresponding configuration

Create the User Authentication Rule for the PPTP tunnel
Click User Authentication Rules under User Authentication
Choose the corresponding configuration
Enable the Log setting and choose the local user database

Create the IP rules for the PPTP tunnel
Click IP Rules under Rules
Choose the corresponding configuration
Enable the Log setting

After all configuration, click Configuration on the main menu bar, then click Save and Activate.

Testing Result

Scenario & Hands-on 7-1, Exercise 7-1: VPN Configuration, PPTP
Topology: PPTP client; DFL-1600 WAN1 DHCP IP; internal LAN1 192.168.1.0/24, LAN2 192.168.2.0/24, LAN3 192.168.3.0/24
Objectives:
1. Use the Windows client to dial up PPTP
2. Ping the LAN IP address of the firewall

Scenario & Hands-on 7-2


VPN Configuration-L2TP/IPsec
Network topology
IP: 192.168.174.71/24 L2TP/IPsec Client

WAN1 DHCP

Note:
L2TP/IPsec must use transport mode Choose correct local net and remote net for IPsec tunnel Choose correct inner IP address and Outer Interface filter for L2TP tunnel

DFL-1600

Internal LAN3 IP: 192.168.3.0/24 Internal LAN1 IP: 192.168.1.0/24 Internal LAN2 IP: 192.168.2.0/24

235

D-Link Security

Scenario & Hands-on 7-2


VPN Configuration-IPsec

Objectives
The user dial-up to firewall by Windows L2TP/IPsec client software
Dial-up user communicate with LAN1 of firewall

The logic of configuration


Create objects for L2TP server IP address and IP address range Create Authenticating database Configure IPsec tunnel Configure L2TP server Create the IP rule for L2TP tunnel

236

D-Link Security

Scenario & Hands-on 7-2


1 2 3 4 5 6 7 8 9 10 11

VPN Configuration-L2TP/IPsec

Create objects for L2TP server IP address and IP address range Click Address in Objects Key in the correspond IP address
237

D-Link Security

Scenario & Hands-on 7-2


1 2 3 4 5 6 7 8 9 10 11

VPN Configuration-L2TP/IPsec

Create Local Database for L2TP authentication Click Local User Databases in User Authentication Key in correct Username and Password
238

D-Link Security

Scenario & Hands-on 7-2


1 2 3 4 5 6 7 8 9 10 11

VPN Configuration-L2TP/IPsec

Create the pre-shared key for L2TP Click Pre-Share Keys in VPN Objects Key in the correspond value
239

D-Link Security

Scenario & Hands-on 7-2


1 2 3 4 5 6 7 8 9 10 11

VPN Configuration-L2TP/IPsec

Create the IPsec tunnel Click IPsec Tunnels in Interface Choose correspond configuration
240

D-Link Security

Scenario & Hands-on 7-2


1 2 3 4 5 6 7 8 9 10 11

VPN Configuration-L2TP/IPsec

Verify the IPsec tunnel Click Authentication in this IPsec tunnel Apply pre-shared key to this IPsec tunnel
241

D-Link Security

Scenario & Hands-on 7-2


1 2 3 4 5 6 7 8 9 10 11

VPN Configuration-L2TP/IPsec

242

Verify the IPsec tunnel Click Routing in this IPsec tunnel Enable Dynamically add routes to remote network when a tunnel is established in this IPsec tunnel

D-Link Security

Scenario & Hands-on 7-2


1 2 3 4 5 6 7 8 9 10 11

VPN Configuration-L2TP/IPsec

Verify the IPsec tunnel Click Advanced in this IPsec tunnel Disable Add route for remote network in this IPsec tunnel
243

D-Link Security

Scenario & Hands-on 7-2


1 2 3 4 5 6 7 8 9 10 11

VPN Configuration-L2TP/IPsec

Create the L2TP tunnel Click PPTP/L2TP Servers in Interface Choose correspond configuration
244

D-Link Security

Scenario & Hands-on 7-2


1 2 3 4 5 6 7 8 9 10 11

VPN Configuration-L2TP/IPsec

Create User Authentication Rules for L2TP tunnel Click User Authentication Rules in User Authentication Choose correspond configuration Enable Log setting and choose local user database
245

D-Link Security

Scenario & Hands-on 7-2


1 2 3 4 5 6 7 8 9 10 11

VPN Configuration-L2TP/IPsec

246

Create IP Rules for L2TP tunnel Click IP Rules in Rules Choose correspond configuration Enable Log setting

D-Link Security

Scenario & Hands-on 7-2


1 2 3 4 5 6 7 8 9 10 11

VPN Configuration-L2TP/IPsec

After all configuration , Click configuration on main menu bar Click Save and Activate
247

VPN Configuration - L2TP/IPsec: Testing Result

Exercise 7-2 - VPN Configuration - L2TP/IPsec

Topology: L2TP/IPsec client -> WAN1 (DHCP IP) -> DFL-1600; internal LAN1 192.168.1.0/24, LAN2 192.168.2.0/24, LAN3 192.168.3.0/24

Objectives:
1. The user dials up to the firewall with the Windows L2TP/IPsec client software.
2. Ping the LAN IP address of the firewall.

Scenario & Hands-on 7-3
VPN Configuration - IPsec

VPN Objects: Pre-Shared Keys
Used by both peers to authenticate VPN tunnels. There are two ways to enter the PSK: ASCII and HEX. ASCII: type in a passphrase. HEX: type in a hex string, or use Generate to produce a random one.
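As an added example (not D-Link or NetDefendOS code), the following Python models the two PSK entry types above, ASCII passphrase and HEX string, turns each into the key bytes IKE would use, and checks that both tunnel endpoints end up with an identical, adequately long key; the MIN_PSK_BYTES policy value is an assumption.

```python
import secrets

# Added example, not D-Link or NetDefendOS code: models the ASCII and HEX
# pre-shared key entry types so two tunnel endpoints can be checked for a
# byte-identical key before IKE phase 1 is attempted.

MIN_PSK_BYTES = 16  # assumed local policy; the GUI itself imposes no such limit
HEX_DIGITS = set("0123456789abcdefABCDEF")


def generate_hex_psk(num_bytes: int = 32) -> str:
    """Random HEX PSK, the role of the GUI Generate button; 32 bytes = 64 hex digits."""
    return secrets.token_hex(num_bytes)


def psk_bytes(value: str, entry_type: str) -> bytes:
    """Turn a PSK as typed in the GUI into the raw key bytes IKE will use.

    ASCII: the characters themselves are the key ("abc" -> 61 62 63).
    HEX:   the string is decoded, so "616263" is the same key as ASCII "abc".
    """
    if entry_type == "ascii":
        return value.encode("ascii")
    if entry_type == "hex":
        cleaned = value.replace(" ", "").replace(":", "")
        if len(cleaned) % 2 or not set(cleaned) <= HEX_DIGITS:
            raise ValueError("HEX PSK must be an even number of hex digits")
        return bytes.fromhex(cleaned)
    raise ValueError(f"unknown PSK entry type: {entry_type!r}")


def psk_check(local: tuple, remote: tuple) -> list:
    """Problems that would make phase 1 fail or leave the key weak; [] means ok.

    Each peer is (value, entry_type) exactly as entered on that firewall.
    """
    problems = []
    local_key = psk_bytes(*local)
    if local_key != psk_bytes(*remote):
        problems.append("pre-shared keys differ between the two peers")
    if len(local_key) < MIN_PSK_BYTES:
        problems.append(f"key shorter than {MIN_PSK_BYTES} bytes")
    return problems
```

The usual field mistake this catches is one peer entering a hex string as ASCII: the characters, not the decoded bytes, become the key and phase 1 never completes.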

VPN Objects: LDAP
For certificate-based authentication to be established over the VPN, the CA needs to be downloaded to the LDAP server.

ID Lists
ID Lists manage and control the accessibility of VPN clients and gateways. Mobile clients can be restricted from accessing internal networks by means of ID Lists.

IKE/IPsec Algorithms
Predefined IKE and IPsec algorithm sets are provided by default: High (very secure) and Medium (secure). You can also define your own algorithm sets.

Network topology
Remote site: DFL-1600, WAN1 IP 192.168.174.71/24, remote internal LAN 192.168.10.0/24
Local site: DFL-1600, WAN1 static IP 192.168.174.70/24, internal LAN1 192.168.1.0/24, LAN2 192.168.2.0/24, LAN3 192.168.3.0/24

Note: use the same pre-shared key and algorithms in the two IPsec settings, and choose the correct local net and remote net for the IPsec tunnel.

VPN Configuration - IPsec

Objectives
1. The two firewalls communicate with each other through an IPsec tunnel.
2. A client on the local net pings a client on the remote net.

The logic of configuration
1. Create the VPN object (pre-shared key).
2. Configure the IPsec tunnel.
3. Create the IP rule for the IPsec tunnel.

Create address objects for the remote IP address and the remote network: click Address in Objects and key in the corresponding IP address.

Create the pre-shared key for the IPsec tunnel: click Pre-Shared Keys in VPN Objects and key in the correct value.

Create the IPsec tunnel: click IPsec Tunnels in Interface and choose the corresponding configuration.
Note: if the remote firewall's WAN IP is not static, in other words the Remote Endpoint is using a dynamic IP address registered with a dynamic DNS server, the administrator can enter the DDNS domain name here directly.

Combine the two interfaces into one interface group: click Interface Groups in Interface and choose the corresponding interfaces.

Create IP Rules for the IPsec tunnel: click IP Rules in Rules, choose the corresponding configuration and enable the Log setting.

After all configuration, click Configuration on the main menu bar, then click Save and Activate.

Exercise 7-3 - VPN Configuration - IPsec

Topology: odd group DFL-1600 and even group DFL-1600, Internal LAN1 on each side being the other side's Remote LAN

Objectives:
1. The two firewalls communicate with each other through an IPsec tunnel.
2. A client on the local net pings a client on the remote net.

Scenario & Hands-on 7-4
VPN Configuration - IPsec with NetScreen 204

Network topology
Remote site: NetScreen 204, WAN1 IP 192.168.174.71/24, remote internal LAN 192.168.10.0/24
Local site: DFL-1600, WAN1 static IP 192.168.174.70/24, internal LAN1 192.168.1.0/24, LAN2 192.168.2.0/24, LAN3 192.168.3.0/24

Note: use the same pre-shared key and algorithms on the DFL-1600 and the NS-204, and choose the correct local net and remote net for the IPsec tunnel.

Objectives
1. The two firewalls communicate with each other through an IPsec tunnel.
2. A client on the local net pings a client on the remote net.

The logic of configuration
1. Create the VPN objects (pre-shared key, remote net/gateway and algorithms).
2. Configure the IPsec tunnel.
3. Create the IP rule for the IPsec tunnel.

VPN Configuration - NetScreen 204

Create network objects for the DFL-1600 (remote network): click List under Addresses in Objects and key in the corresponding network.

Create IP address objects for the DFL-1600 (remote gateway): click List under Addresses in Objects and key in the corresponding IP address.

Create the P1 (Phase 1) Proposal of the DFL-1600 for the VPN configuration: click P1 Proposal under AutoKey Advanced in VPNs and choose the corresponding Algorithm and DH Group.

Create the P2 (Phase 2) Proposal of the DFL-1600 for the VPN configuration: click P2 Proposal under AutoKey Advanced in VPNs and choose the corresponding Algorithm and DH Group.

Create the Gateway object of the DFL-1600 for the VPN configuration: click Gateway under AutoKey Advanced in VPNs, key in the corresponding IP address and Preshared Key, then click Advanced.

Advanced settings of the Gateway object: choose Custom under User Defined and select the Phase 1 Proposal; choose Main mode.

Create the IPsec VPN tunnel for the DFL-1600: choose the Security Level and Predefined for the Remote Gateway, choose the Outgoing Interface and click Advanced.

Create the IPsec VPN policy for the DFL-1600: choose the correct Action, Service and Network in the rule and enable "Modify matching bidirectional VPN policy".

Testing Result

DFL-1600 IPsec VPN status and NetScreen VPN status


Troubleshooting
Four ways of troubleshooting
1. Confirm the configuration of the firewall.
2. Inspect the firewall status.
3. Use console commands to get more information.
4. Capture packets to analyze (Ethereal and Sniffer).

Troubleshooting
Flow chart

The problem
-> Confirm configuration. Found the main cause? No: continue.
-> Inspect the firewall status. Found the main cause? No: continue.
-> Use console commands to inspect. Found the main cause? No: continue.
-> Capture packets to analyze.

Whenever the main cause is found it is either a configuration cause or an environment cause: verify the configuration, or verify the network environment, and the problem is solved. The other end node on the chart is the Dtrack System.

Troubleshooting
Confirm the configuration of the firewall
Objects: IP address or network
Interface: interface configuration
IP rules: Action and service; Interface and network
Main routing: Routing table; Metric
PBR: Routing table and rules; Metric
Advanced configuration: Zone defense; Traffic shaping; User Authentication

Troubleshooting
Inspect the firewall status: click Status on the main menu bar.
Status pages: System, Logging, Connection, Interfaces, IPsec, User Auth, Routes, DHCP server, IDS, SLB, Zone Defense.
Troubleshooting
Console commands: how to use the console with HyperTerminal in MS Windows
1. Start HyperTerminal (Hypertrm.exe).
2. Enter a name for the connection (for example, DFL-800) in the Name box.
3. Click an icon for the connection in the Icon box, and then click OK.
4. In the Connect Using box, click Direct To Com (choose Restore Default) and then click OK.
5. Verify the settings on the Port Settings tab and then click OK.

Troubleshooting
Console commands

The first command you should learn is HELP (or H). The help command prints a list of the available console commands.

About: displays information about the firewall core.
Crashdump: dumps all crash and error information.
Access: prints the active anti-spoof section.
Arp [interface]: displays the cached ARP information for all interfaces. If you add a specific interface name, you get only that interface.
Arpsnoop [interface]: displays ARP queries and responses. Enable it by typing ARPSNOOP [interface]; the same command again disables it. The string all selects all interfaces, and the string NONE disables all arpsnoop printouts.
Buffers [buf num]: displays the 20 most recently freed buffers. You can examine a specific buffer by adding its number.
Cfglog: displays the boot log of the firewall configuration.
Connections: displays the connections in the firewall.
CPUid: displays processor information.
DHCP [switches] <interface>: renews (-renew) or releases (-release) the DHCP IP address on a specific interface.
Frags: displays the 20 most recent fragment reassembly attempts, both ongoing and completed.
Ifstat [interface]: displays the interfaces. If you add an interface, you get statistics for that interface.
Loghosts: displays the configured log hosts.
Logout: secures the console with the configured password.
Netcon: displays the active console connection or management connections to the firewall.
Netobjects: displays the active host and network configurations.
Ping [IP address] [num]: the normal ping command to verify IP connectivity, where num is the number of ping requests.
Reconfigure: reloads the configuration from the boot media.
Ikesnoop [on/off/verbose]: used to diagnose problems with IPsec tunnels.
DHCPRelay: displays whether the DHCP boot relay is enabled or disabled.
Remote: displays the active configuration of the remote section.
Routes: displays the active configuration of the route section.
Rules: displays the active configuration of the rule section. Several switches can be added; the v switch enables all available information (such as usages).
Scrsave: runs the screen saver.
Services: displays the active services within the configuration.
Shutdown: shuts down the firewall.
Stats: displays statistics for the firewall.
Time: displays the firewall's current time.

Troubleshooting
Capture packets to analyze

Set up a laptop with software such as Ethereal or Sniffer to capture packets from the problem node. The laptop needs to connect to the problem node through a hub; if it connects through a switch, the port mirror function has to be enabled on the switch.

Topology: intranet -> problem node -> laptop running Ethereal or Sniffer

Inspect the Source IP address, Destination IP address and Protocol of the captured packets to analyze the problematic network status.
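As an added example that is not part of the training deck, this Python does by hand what the Ethereal summary pane shows: it parses the IPv4 header of each captured frame, extracts Source, Destination and Protocol, and tallies the conversations. The capture is constructed inline from the lab addresses used in this section, and PROTO_NAMES covers only a few IP protocol numbers.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# Added example, not from the training deck: parse Ethernet/IPv4 headers and
# tally (source, destination, protocol) so an unexpected talker stands out.

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}


def ipv4_frame(src, dst, proto, payload=b""):
    """Build a constructed Ethernet/IPv4 frame (sample input, not a real capture)."""
    eth = b"\x00" * 12 + b"\x08\x00"            # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + payload


def parse_frame(frame):
    """Return (src, dst, protocol name) for an IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                              # not IPv4 (e.g. ARP) or too short
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        return None                              # bad version or truncated header
    proto = frame[23]
    src = str(IPv4Address(frame[26:30]))
    dst = str(IPv4Address(frame[30:34]))
    return src, dst, PROTO_NAMES.get(proto, str(proto))


def summarize(frames):
    """Count (src, dst, proto) conversations across a capture, skipping non-IPv4 frames."""
    return Counter(p for p in map(parse_frame, frames) if p is not None)


# Constructed capture from the lab topology: a LAN1 host pinging the remote LAN
# through the tunnel, plus IKE (UDP) and ESP between the two WAN1 addresses.
SAMPLE_CAPTURE = [
    ipv4_frame("192.168.1.10", "192.168.10.5", 1),
    ipv4_frame("192.168.10.5", "192.168.1.10", 1),
    ipv4_frame("192.168.174.70", "192.168.174.71", 17, b"\x00" * 8),
    ipv4_frame("192.168.174.70", "192.168.174.71", 50),
    ipv4_frame("192.168.1.10", "192.168.10.5", 1),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,   # ARP frame, not IPv4
]

if __name__ == "__main__":
    for (src, dst, proto), n in summarize(SAMPLE_CAPTURE).most_common():
        print(f"{src:>15} -> {dst:<15} {proto:<5} {n}")
```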
Questions & Answers

THANK YOU