D-Link Security
Agenda
Appliance Overview
Firewall Concept
Basic Configuration
Scenario & Hands-on
Troubleshooting
Appliance Overview: firewall models
DFL-800 rear panel (diagram): Console, WAN1, LAN, WAN2, DMZ
DFL-1600 rear panel (diagram): Console, LAN3, LAN2, WAN1, LAN1, WAN2, DMZ
DFL-2500 rear panel (diagram): Console, LAN3, LAN2, LAN1, WAN1, WAN2, WAN3, WAN4, DMZ
Characteristics of the firewall range (DFL-800, DFL-1600, DFL-2500):
High port density, and Gigabit interfaces on the DFL-1600/2500.
Brand new user-friendly GUI with no GUI confusion issue; a neater, more professional look for the firewall product line.
ZoneDefense mechanism with D-Link switches prevents threats from spreading.
Advanced firewall features, including Transparent Mode to ease implementation.
Front panel (diagram): Power and System LEDs; Console port; LCD display (System Information, Traffic Monitor, Alert Monitor, Configuration Display); auto-sensing copper Ethernet ports (LAN, WAN and DMZ); keypad.
LED panel: Setup Mode
Press the keypad within 5 seconds after the firewall is switched on to enter Setup Mode. Use the Left or Right button to select:
1. Start Firewall: start the firewall system.
2. Reset Firewall: reset the firewall to factory defaults.
After a reset, choose Start Firewall. If nothing is pressed within 5 seconds of switching on, the firewall enters Status Mode automatically.
LED panel: Status Mode
Model name: the device model name.
System Status: system working status.
CPU Load and Connections: CPU utilization and concurrent sessions.
Total BPS and PPS: concurrent traffic statistics in bits per second and packets per second.
Date and Time: the device's current date and time.
Uptime: time since the device booted.
Mem: system memory utilization.
IDS Sigs: IDS signature information.
WAN, DMZ, LAN: the IP address of each interface.
Core Version: firewall firmware version.
Firewall Concept
IP Start Communication (TCP three-way handshake between client and web server)
(1) Client port 1024 -> server port 80: SYN
(2) Server port 80 -> client port 1024: SYN.ACK
(3) Client port 1024 -> server port 80: ACK
Connection established.
SYN FLOOD
1. The client sends a packet with the SYN flag to the web server, using a fake IP address.
2. The server responds with a SYN.ACK and then waits for the client to respond with an ACK packet.
3. The client repeats step one until it is satisfied that the damage is done.
IP Start Communication: more TCP flag bits
SYN - Synchronize = new connection
ACK - Acknowledge = acknowledge that data has been received
PSH - Push = push received data to the application layer now
URG - Urgent = urgent data, process first (Beg. 70)
FIN - Finish = end communication with a handshake
RST - Reset = do not communicate with me!
Firewall deployments in a network
Static Route: static routes are needed for the firewall to communicate with networks that are not locally attached on the same subnet.
NAT: internal addresses are private addresses from RFC 1918; all private addresses are translated to a valid IP address before accessing the Internet.
Transparent: no changes are required on any end station, router or server; routing protocols can be configured to pass through the firewall in transparent mode; the firewall still offers full firewall and VPN capabilities.
Firewall deployments in a network: Static Route (diagram)
LAN 2.2.10.1: Intranet Web 2.2.10.5, Corp Mail 2.2.10.6, Intranet DNS 2.2.10.7, AdminPC 1 2.2.10.13, AdminPC 2 2.2.10.18, AdminPC 3 2.2.10.33. WAN 2.2.2.10. DMZ 2.2.100.1: Corporate Web 2.2.100.2, Mail Relay 2.2.100.3, DMZ DNS 2.2.100.4. Remote networks reached by static routes: 2.2.20.0 Sales, 2.2.30.0 Support, 2.2.40.0 Marketing.
Firewall deployments in a network: NAT (diagram)
LAN 10.1.10.1 with private hosts: Intranet Web 10.1.10.5, Corp Mail 10.1.10.6, Intranet DNS 10.1.10.7, AdminPC 1 10.1.10.13, AdminPC 2 10.1.10.18, AdminPC 3 10.1.10.33. WAN 2.2.2.10. DMZ 2.2.100.1.
Firewall deployments in a network: Transparent (diagram)
Hosts keep their addresses: Intranet Web 2.2.2.5, Corp Mail 2.2.2.6, Intranet DNS 2.2.2.7, AdminPC 1 2.2.2.13, AdminPC 2 2.2.2.18, AdminPC 3 2.2.2.33. The LAN, WAN and DMZ interfaces all use 2.2.2.253.
Firewall Generations
First generation: packet filtering
Second generation: proxy
Third generation: stateful inspection
Fourth generation: IDS/IDP
1. Packet Filtering
Advantages: high speed of packet processing.
2. Proxy
Receives packets, reads them and re-creates them; there is no direct connection between the client and the server.
Disadvantages: slow; the proxy must understand the application protocol; mostly based on a complex operating system.
Advantages: attacks at the TCP/IP level never penetrate the protected network; able to analyze application data; able to strip things like ActiveX and Java.
OSI model (diagram): 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical.
3. Stateful Inspection
Re-creates fragmented packets and understands the relationship between packets.
Advantages: does not need to understand the application data to work; great flexibility; better performance than a proxy.
Disadvantages: harder to analyze the application data (but still possible).
4. IDS/IDP
Packet flow (diagram: Internet, firewall, host 192.168.1.100)
Packet flow
When traffic enters the firewall it is first inspected by VLAN handling (if VLAN is used). The IDS rules are the primary filter configured to allow or disallow certain types of network traffic through the firewall. The traffic is then inspected against the IP rules and the routing rules, and after that by ZoneDefense and Traffic Shaping.
Packet flow (flowchart)
1. Inbound packet. VLAN packet? If yes, de-capsulate.
2. Basic sanity checks, including verification of the IP header; a failed check is dropped.
3. Check IDS signatures; a match is dropped.
4. Verify the TCP/UDP header.
5. Found a matching connection? If yes, continue at step 7.
6. Otherwise apply the rules (Allow/NAT/SAT) and open the connection; if no rule matches, drop.
7. ZoneDefense (ZD) check; traffic that trips it is dropped.
8. Traffic shaping, then forward the packet.
Basic Configuration
Default interface attributes (DFL-800): the Web UI is at http://192.168.1.1; the LAN interface can be managed and pinged; the firewall's DHCP is disabled.
Default interface attributes (DFL-1600): the Web UI is at http://192.168.1.1; the LAN1 interface can be managed and pinged; the firewall's DHCP is disabled.
Default interface attributes (DFL-2500): the Web UI is at http://192.168.1.1; the LAN1 interface can be managed and pinged; the firewall's DHCP is disabled.
Design concept of the UI
If a rule or object is created without pressing OK, the user must press Cancel; otherwise the rule or object stays in the list named "untitled".
Traffic is examined against the rules from top down, in the order in which they were created.
Right-click a rule or object and select Delete: a strike-through line is shown on that rule or object.
The Save and Activate button is not available while an untitled rule or object has not been deleted.
After clicking Save and Activate, you must reconnect within 30 seconds (default setting) for the configuration changes to be finalized. If this fails, the unit reverts to its previous configuration. The reconnection time is adjustable.
Configure a static IP address on your laptop or PC. The user is authenticated before logging in to the firewall; the default login is admin, password admin. The user is then presented with a Menu Bar, a Tree View List and a Main Window.
UI screenshots: System, Object, Rules, Interfaces, Routing, IDS/IDP, User Authentication, Traffic Shaping, ZoneDefense.
Three Steps to Configure
1. Create and verify the objects.
2. Create the rules (IP rules, IDS rules, user authentication rules and pipe rules).
3. Create and verify the routing rules.
First Step to Configure: 1. Create and verify the objects
The most important element in firewall configuration is the OBJECT. Objects are the basic network elements defined in the firewall: a list of symbolic names associated with various types of addresses, including IP addresses of hosts and networks.
Object items are used heavily throughout a firewall configuration: in routing tables, the rule-set, interface definitions and VPN tunnels, among others.
Objects: Address Book
Hosts & Networks configuration items are symbolic names for IP hosts and networks.
Objects: ALG
ALGs are designed to manage specific protocols: they examine the payload data and carry out appropriate actions based on defined rules. The appropriate Application Layer Gateway definition is selected in a Service configuration item, so network traffic that matches the service definition is managed by the selected Application Layer Gateway.
Objects: Services
A service is the definition of a specific IP protocol with its corresponding parameters. The service http, for instance, is defined as the TCP protocol with destination port 80.
Objects: Schedules
A schedule allows the firewall rules it is attached to to be used only at the designated times. Activity outside the scheduled time slot does not match those rules and is therefore unlikely to be permitted to pass through the firewall.
Objects: Certificate
A certificate is a digital proof of identity: it links an identity to a public key in a trustworthy manner. Certificates can be used to authenticate individual users or other entities; these certificates are commonly called end-entity certificates.
Second Step to Configure: 2. Create the rules
The Rules configuration section represents the rule-set, the "heart" of the firewall. The rule-set is the primary filter configured to allow or disallow certain types of network traffic through the firewall. The rule-set also regulates how address translation and bandwidth management (traffic shaping) are applied to traffic flowing through the firewall.
IP Rules: Drop
Packets matching a Drop rule are dropped immediately. Such packets are logged if logging has been enabled on the Log Settings page.
IP Rules: Reject
Reject works basically the same way as Drop. In addition, the firewall sends an ICMP UNREACHABLE message back to the sender or, if the rejected packet is a TCP packet, a TCP RST message.
IP Rules: FwdFast
Packets matching a FwdFast rule are allowed through immediately. The firewall does not memorize the open connection and does not statefully inspect traffic that has passed through it. For a single packet this is indeed faster than first opening a state-tracked connection and then passing the packet to it, but when several packets belong to the same connection, state tracking (Allow) is faster.
IP Rules: FwdFast (diagram)
No stateful traffic inspection: the firewall does not remember open connections. Note: Allow is usually faster than FwdFast. Remember that there needs to be a FwdFast rule in each direction.
IP Rules: Allow
Packets matching an Allow rule are passed to the stateful inspection engine, which memorizes that a connection has been opened. Rules for return traffic are not required, because traffic belonging to open connections is dealt with automatically before it reaches the rule-set.
IP Rules: Allow (diagram): logging and stateful inspection.
IP Rules: SAT
Nothing happens when a packet first matches a SAT rule: the firewall memorizes where to send the traffic and continues looking for a matching rule that allows the packet to pass. The static address translation is performed at that stage.
IP Rules: SAT (diagram): FTP server 172.16.1.100 in the DMZ; firewall WAN IP 203.126.142.100; the diagram also shows 220.255.14.123.
The public_ip must first be bound to the WAN of the firewall; redirect_address is used to redirect incoming connections from public_ip to private_ip.
IP Rules: NAT
NAT rules perform dynamic address translation and hide the sender address, mostly so that all machines on a protected network appear to the outside world as if they use a single IP address.
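To make the rule-set semantics described in the IP Rules slides concrete (top-down first match, Drop versus Reject, FwdFast without state, Allow opening a tracked connection so the reply bypasses the rules, SAT remembered until a later Allow, NAT rewriting the source), here is an added Python model; it is not D-Link code. The interface names, the rule names, the "core" destination interface for addresses owned by the firewall and all addresses except 172.16.1.100 and 203.126.142.100 (taken from the SAT slide) are assumptions of this example.

```python
import ipaddress
from collections import namedtuple

# iface = interface the packet arrived on ("wan1", "lan1", "dmz"); ports are 0 for ICMP
Packet = namedtuple("Packet", "iface src dst proto sport dport", defaults=(0, 0))
# action: drop | reject | fwdfast | allow | nat | sat.  dst_if "core" means an address
# owned by the firewall itself (assumption of this model).  src_net/dst_net: CIDR or
# "any".  service: "all" or "<proto>[/<port>]".  sat_to (SAT only): new destination.
Rule = namedtuple("Rule", "name action src_if dst_if src_net dst_net service sat_to",
                  defaults=("",))
# rule is "" for tracked connections and for the default drop; src/dst are post-translation
Verdict = namedtuple("Verdict", "result rule src dst note", defaults=("",))


def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def service_matches(pkt, service):
    if service == "all":
        return True
    proto, _, port = service.partition("/")
    return pkt.proto == proto and (port == "" or pkt.dport == int(port))


class Firewall:
    def __init__(self, rules, routes, if_addr):
        self.rules = rules        # evaluated top-down; the first terminal match decides
        self.routes = routes      # [(cidr, iface)]; the most specific prefix wins
        self.if_addr = if_addr    # iface -> its own address, used as the NAT source
        self.connections = {}     # 6-tuple -> (new_src, new_dst) for tracked traffic

    def route(self, dst):
        hits = [r for r in self.routes if in_net(dst, r[0])]
        return max(hits, key=lambda r: ipaddress.ip_network(r[0], strict=False).prefixlen)[1]

    def process(self, pkt):
        key = (pkt.iface, pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        if key in self.connections:   # open connection: handled before the rule-set
            new_src, new_dst = self.connections[key]
            return Verdict("forward", "", new_src, new_dst, "matched open connection")
        out_if = self.route(pkt.dst)
        sat_dst = ""                  # remembered when a SAT rule matches
        for rule in self.rules:
            if not (rule.src_if == pkt.iface and rule.dst_if == out_if
                    and in_net(pkt.src, rule.src_net) and in_net(pkt.dst, rule.dst_net)
                    and service_matches(pkt, rule.service)):
                continue
            if rule.action == "drop":
                return Verdict("drop", rule.name, pkt.src, pkt.dst)
            if rule.action == "reject":
                signal = "TCP RST" if pkt.proto == "tcp" else "ICMP unreachable"
                return Verdict("reject", rule.name, pkt.src, pkt.dst, signal + " sent to sender")
            if rule.action == "sat":
                sat_dst = rule.sat_to     # nothing happens yet; keep looking for Allow/NAT
                continue
            new_dst = sat_dst or pkt.dst
            egress = self.route(new_dst)  # the translated destination decides the egress
            new_src = self.if_addr[egress] if rule.action == "nat" else pkt.src
            if rule.action == "fwdfast":  # stateless: the reply needs its own FwdFast rule
                return Verdict("forward", rule.name, new_src, new_dst, "not state-tracked")
            # allow / nat: open a tracked connection so the reply bypasses the rule-set
            self.connections[key] = (new_src, new_dst)
            reply = (egress, new_dst, new_src, pkt.proto, pkt.dport, pkt.sport)
            self.connections[reply] = (pkt.dst, pkt.src)
            return Verdict("forward", rule.name, new_src, new_dst, "connection opened")
        return Verdict("drop", "", pkt.src, pkt.dst, "no matching rule: default drop")


def build_lab_firewall():
    """Constructed rule-set: FTP server 172.16.1.100 (DMZ) published on the WAN address
    203.126.142.100 with SAT + Allow; LAN 192.168.1.0/24 reaches the Internet via NAT."""
    rules = [
        Rule("ftp_sat", "sat", "wan1", "core", "any", "203.126.142.100/32", "tcp/21",
             sat_to="172.16.1.100"),
        Rule("ftp_allow", "allow", "wan1", "core", "any", "203.126.142.100/32", "tcp/21"),
        Rule("lan_ping_fast", "fwdfast", "lan1", "wan1", "192.168.1.0/24", "any", "icmp"),
        Rule("lan_nat", "nat", "lan1", "wan1", "192.168.1.0/24", "any", "all"),
        Rule("wan_http_reject", "reject", "wan1", "core", "any", "any", "tcp/80"),
    ]
    routes = [("0.0.0.0/0", "wan1"), ("192.168.1.0/24", "lan1"),
              ("172.16.1.0/24", "dmz"), ("203.126.142.100/32", "core")]
    if_addr = {"wan1": "203.126.142.100", "lan1": "192.168.1.1", "dmz": "172.16.1.1"}
    return Firewall(rules, routes, if_addr)


if __name__ == "__main__":
    fw = build_lab_firewall()   # 198.51.100.7 / 203.0.113.9 are constructed Internet hosts
    print(fw.process(Packet("wan1", "198.51.100.7", "203.126.142.100", "tcp", 40000, 21)))
    print(fw.process(Packet("dmz", "172.16.1.100", "198.51.100.7", "tcp", 21, 40000)))
    print(fw.process(Packet("lan1", "192.168.1.50", "203.0.113.9", "icmp")))
    print(fw.process(Packet("wan1", "203.0.113.9", "192.168.1.50", "icmp")))
```

The fourth packet shows the FwdFast caveat from the slides: the echo reply is dropped because no rule covers the return direction, whereas the FTP reply in the second packet is forwarded from the connection table without touching the rules.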
Third Step to Configure: 3. Create and verify the routing rules
Main Route: the Routes configuration section describes the firewall's routing table. The firewall uses a slightly different way of describing routes compared to most other systems.
Policy-Based Route: the rules in the PBR rule-set specify which routing table is used in the forward as well as the return direction (selecting routing priority).
Main Routing Table
Routing tells the firewall in which direction it should send packets destined for a given IP address.
Policy Based Routing
Connect to two or more ISPs and accept inbound connections from all of them; return traffic is routed back through the ISP that delivered the incoming request.
Route certain protocols through transparent proxies such as web caches and anti-virus scanners, without adding another point of failure for the network as a whole.
Create provider-independent metropolitan area networks, i.e. networks where all users share a common active backbone but are able to use different ISPs, subscribe to different streaming media providers, etc.
Policy Based Routing (diagram): Internet, Extranet 192.168.174.0/24, DMZ, WAN2.
Hands-on:
1. Basic Configuration
2. Load Sharing and Route Failover
3. ZoneDefense
4. Port mapping for server
5. User Authentication
6. Traffic Shaping
7. VPN tunnel
Lab device DFL-1600: Internal LAN1 192.168.1.0/24, Internal LAN2 192.168.2.0/24, Internal LAN3 192.168.3.0/24.
Lab diagram: group switches G1, G2, G3 and G4 connected to the main switch.
Basic Configuration (configure the WAN type, modify the IP address of the LAN and enable transparent mode)
Objective:
How to modify the IP address of LAN and DMZ in Objects. How to use DHCP, static IP and PPPoE to access the Internet. How to enable transparent mode.
Notes:
The DFL-800 only has LAN and DMZ; the DFL-1600/2500 have LAN1, LAN2, LAN3 and DMZ. Pay attention to the default manageable status. Confirm the connecting port (DFL-800, DFL-1600, DFL-2500). Bind a secondary IP address to match the new network IP segment. After configuration, use the new LAN IP address as the default gateway on the laptop.
Objectives
Reach the new LAN1 IP address successfully (ping) or manage the Web UI via the new IP address.
Use a web browser such as Internet Explorer 6 or Firefox 1.0 to connect to the Web UI.
Change the IP address in the Address Book under Objects: click Interface Addresses in Objects and key in the correct IP address and network.
Alternatively, change the IP address under Interfaces > Ethernet: key in the correct IP address and network.
After all configuration is done, click Configuration in the main bar, then click Save and Activate.
After you click Save and Activate you can adjust the reconnection time: click "Click here to edit the configuration verification timeout".
Scenario & Hands-on 1-1: Exercise 1-1 - Modify IP address for LAN and DMZ
Objective:
1. Change the IP address of LAN1.
2. Ping the new IP address of LAN1 and access the Web UI via the new IP successfully.
Topology: Internal LAN1, Internal LAN2, Internal LAN3 and Internal DMZ; the diagram also shows 192.168.174.71/24 and 192.168.174.72/24.
LAN1 IP per group: Group A (1) 192.168.10.1/24, Group B (2) 192.168.20.1/24, ... Group I (9) 192.168.90.1/24, Group J (10) 192.168.100.1/24.
Note: configure the default gateway; configure DHCP relay if the firewall is in a DHCP environment.
Objectives
Implement the firewall in transparent mode without changing the existing network settings. Allow or deny specific services and traffic (allow WAN1 to LAN1 for the ICMP service; allow LAN1 to WAN1 for all services).
Configure the IP objects in the Address Book under Objects to the same network: click Address Book in Objects and configure the IP addresses of WAN1 and LAN1.
Enable transparent mode for WAN1 and LAN1: click Ethernet under Interfaces; enable transparent mode on the WAN1 interface and add the gateway object as Default Gateway; disable "Add route for interface network".
Enable transparent mode for LAN1: click Ethernet under Interfaces; enable transparent mode on the LAN1 interface; disable "Add route for interface network".
Add the service rules under IP Rules (WAN1 to LAN1 and LAN1 to WAN1): click IP Rules in Rules and choose the correct Action, Service, Interface and Network for each rule.
Create the DHCP relay from LAN1 to WAN1: click DHCP Relays under System > DHCP Settings and choose the correct Action, Service, Interface and Network.
After all configuration is done, click Configuration in the main bar, then click Save and Activate.
Objectives:
1. Enable transparent mode.
2. Allow ping from WAN to LAN.
3. Allow all services from LAN to WAN.
Topology: Internal LAN1; addresses 192.168.200.9/24 and 192.168.200.10/24.
Note: configure the default gateway.
Objectives
Configure the WAN type with a static IP address.
Create the correct gateway object under Address Book: click Address Book under Objects, add an IP4 Host/Network object, and verify the IP addresses of wan1_ip and wan1net.
Apply the gateway object to the WAN interface: click Ethernet under Interfaces and add the gateway object as Default Gateway.
Create the service rule in IP Rules: click IP Rules under Rules and choose the correct Action, Service, Interface and Network for the rule.
After all configuration is done, click Configuration in the main bar, then click Save and Activate.
WAN1 group IP addresses: Group1 192.168.200.1/24, Group2 192.168.200.2/24, ... Group9 192.168.200.9/24, Group10 192.168.200.10/24. WAN1 gateway: 192.168.200.254.
Note: configure the PPPoE tunnel and apply the PPPoE tunnel to the IP rule.
Objectives
Configure the WAN type as a PPPoE tunnel to access the Internet in NAT mode.
Create a PPPoE tunnel object: click PPPoE Tunnels under Interfaces and set the correct Physical Interface, Remote Network, Username and Password in the object.
Create the IP rule: click IP Rules under Rules and choose the correct Action, Service, Interface and Network for the rule.
After all configuration is done, click Configuration in the main bar, then click Save and Activate.
WAN1 PPPoE
Objective:
1. Configure the WAN type as a PPPoE tunnel so that local users can access the Internet.
Note: enable the DHCP client on the WAN interface.
Objectives
Dynamically assign an IP address to the WAN interface so that local users can access the Internet via NAT.
Enable the DHCP client on the Ethernet interface: click Ethernet under Interfaces and enable DHCP Client.
Create the service rule in IP Rules: click IP Rules in Rules and choose the correct Action, Service, Interface and Network for the rule.
After all configuration is done, click Configuration in the main bar, then click Save and Activate.
Note: manually add the default routes in the main routing table; enable the Monitor feature on the routes; WAN2 is the backup link.
Objectives
WAN1 is the main link and WAN2 is the backup link. When WAN1 is disconnected, all traffic goes through WAN2 to the Internet; when WAN1 is back to normal, all traffic goes through WAN1 again.
Enable the DHCP client on the WAN1 Ethernet interface: click Ethernet under Interfaces and uncheck "Add default route if default gateway is specified".
Create the correct gateway object for WAN2 in the Address Book under Objects: click Address Book in Objects, add an IP4 Host/Network object, and modify wan2_ip and wan2net.
Apply the gateway object to the WAN2 interface and disable the automatic default route: click Ethernet under Interfaces and disable the default route on the interface.
Combine WAN1 and WAN2 into a WAN interface group: click Interface Groups under Interfaces, create the object and choose WAN1 and WAN2.
Create the IP rule for the WAN group: click IP Rules under Rules and choose the correct Action, Service, Interface and Network in the rule.
Create the WAN1 route and enable monitoring on it: click Main Routing Table under Routing, create the route for WAN1, choose the lower Metric value and enable "Monitor this route".
Create the WAN2 route and enable monitoring on it: click Main Routing Table under Routing, create the route for WAN2, choose the higher Metric value and enable "Monitor this route".
After all configuration is done, click Configuration in the main bar, then click Save and Activate.
Lab addressing: WAN1 DHCP. WAN2 per group: Group1 10.2.1.1/24, Group2 10.2.1.2/24, ... Group9 10.2.1.9/24, Group10 10.2.1.10/24. WAN2 gateway: 10.2.1.254.
Create the IP address object specifically for LAN1: click Address Book under Objects, then click Ethernet under Interfaces.
Add the WAN2 (static) route in the PBR table: click PBR Table under Routing, choose the higher metric in the PBR table and enable the monitor function.
Add the WAN1 route rule in PBR: click PBR Policy under Routing and choose the correct Forward table, Return table, interface and network.
After all configuration is done, click Configuration in the main bar, then click Save and Activate.
Lab addressing: WAN1 DHCP, WAN2 static IP.
Modify the TTL Min value to 1: click IP Settings under Advanced Settings in System and key in the smallest value (1).
Enable "Pass returned ICMP error messages from destination": click Services in Objects, choose the all_icmp object and enable "Pass returned ICMP error messages from destination".
The most effective solution: the firewall triggers ACLs in the LAN switches to perform real-time filtering of any malicious traffic found.
Diagram: WAN, firewall, switch (DES-3x26S, DES-3350SR, DES-3250TG, DES-3500 series, DES-3800 series, xStack series), infected host.
Objectives
When the traffic of any host exceeds 4 sessions, the firewall has the switch create ACL rules to block the illegal traffic.
ZoneDefense
Reset the switch to default and configure its IP address, using the switch CLI:
reset config
config ipif System ipaddress 192.168.1.250/24
Verify the communication between the firewall and the switch and inspect the SNMP community on the switch, using the switch CLI:
show snmp community
Create the IP address objects for the switch and the administrator: click Address Book under Objects and add IP4 Host/Network objects.
Create the switch object in ZoneDefense: click Switches under ZoneDefense, choose the correct switch model, key in the SNMP community and verify that the firewall can communicate with the switch.
Exclude the switch and the administrator: click Exclude under ZoneDefense and choose the correct objects.
Create the threshold rule in ZoneDefense: click Threshold under ZoneDefense, choose the correct interface and network, and key in the threshold condition (the host-based value must be smaller than the network value).
After all configuration is done, click Configuration in the main bar, then click Save and Activate.
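As an added example (not D-Link code), the following Python models the ZoneDefense threshold decision configured in the steps above: sessions are counted per source host and for the whole monitored network, hosts above the host-based limit are blocked unless they are on the Exclude list (the switch and the administrator), and a host-based value that is not smaller than the network value is refused. The session record format, the constructed session sample, the network limit of 20 and the address 192.168.1.10 for the administrator PC are assumptions; 192.168.1.250 is the switch address from the slide and 4 is the host limit from the objectives.

```python
import ipaddress
from collections import Counter, namedtuple

# One threshold rule as configured under ZoneDefense > Threshold: the interface and
# network it watches, the per-host limit and the limit for the whole network.
ThresholdRule = namedtuple("ThresholdRule", "interface network host_limit network_limit")
# A session seen by the firewall (constructed record format, not a DFL log line).
Session = namedtuple("Session", "interface src dst dport")


def validate_threshold(rule):
    """Slide caveat: the host-based value must be smaller than the network value,
    otherwise the whole network trips before any single host can be singled out."""
    if rule.host_limit <= 0 or rule.host_limit >= rule.network_limit:
        raise ValueError("host-based threshold must be positive and smaller than the network threshold")
    return rule


def zonedefense_evaluate(rule, sessions, exclude):
    """Count sessions per source host inside rule.network on rule.interface and return
    (hosts_to_block, network_exceeded).  Addresses in `exclude` (the switch, the
    administrator) are counted but never blocked, like the Exclude list in ZoneDefense."""
    validate_threshold(rule)
    net = ipaddress.ip_network(rule.network, strict=False)
    excluded = {ipaddress.ip_address(a) for a in exclude}
    per_host = Counter()
    for s in sessions:
        src = ipaddress.ip_address(s.src)
        if s.interface == rule.interface and src in net:
            per_host[src] += 1
    hosts_to_block = sorted(str(h) for h, n in per_host.items()
                            if n > rule.host_limit and h not in excluded)
    network_exceeded = sum(per_host.values()) > rule.network_limit
    return hosts_to_block, network_exceeded


def lab_sessions():
    """Constructed sample: one LAN1 host opening many sessions, the (excluded) admin PC
    doing the same, a quiet host, and traffic on another interface that is not counted."""
    sessions = [Session("lan1", "192.168.1.20", f"203.0.113.{i}", 445) for i in range(1, 7)]
    sessions += [Session("lan1", "192.168.1.10", f"203.0.113.{i}", 443) for i in range(1, 8)]
    sessions += [Session("lan1", "192.168.1.30", "203.0.113.1", 80)] * 2
    sessions += [Session("lan2", "192.168.2.20", "203.0.113.1", 80)] * 9
    return sessions


if __name__ == "__main__":
    rule = ThresholdRule("lan1", "192.168.1.0/24", host_limit=4, network_limit=20)
    exclude = ["192.168.1.250", "192.168.1.10"]   # switch (from the slide) and admin PC
    print(zonedefense_evaluate(rule, lab_sessions(), exclude))
```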
Lab addressing: LAN1 IP = the group's IP address; DGS-3324SR switch IP in the same segment as the LAN1 IP (diagram with two PCs).
Objectives
Access the FTP server via its public IP address (192.168.174.71).
Add the objects for both the public and the virtual IP address of the FTP server: click Address Book under Objects and key in the correct IP addresses.
Create the entry in the ARP Table: click ARP Table under Interfaces and apply the object with the FTP server's public IP address.
Create the IP rule that maps the FTP server (SAT): click IP Rules under Rules and choose the correct Action, Service, Interface, SAT setting and Network for the rule.
Create the IP rule that allows the FTP server (Allow FTP): click IP Rules under Rules and choose the correct Action, Service, Interface and Network for the rule.
After all configuration is done, click Configuration in the main bar, then click Save and Activate.
Scenario & Hands-on 4-1: Exercise 4-1 - Port mapping for server
Topology: WAN1 DHCP; FTP server in the DMZ with the group's public IP address and the group's private IP address.
Objective:
1. Access the FTP server via the group's public IP address successfully.
Topology: WAN1 PPPoE; FTP server 172.16.1.1 in the DMZ.
Note: add PPPoE under Interfaces; verify the sequence of the IP rules.
Objectives
When using a PPPoE connection, the internal FTP server can be accessed from the public side.
Create a PPPoE tunnel object: click PPPoE Tunnels under Interfaces and set the correct Physical Interface, Remote Network, Username and Password in the object.
Add the object for the virtual IP address of the FTP server: click Address Book under Objects and key in the correct IP address.
For a PPPoE connection, create the IP rule that maps the FTP server (SAT): click IP Rules under Rules and choose the correct Action, Service, Interface, SAT setting and Network for the rule.
Create the IP rule that allows the FTP server (Allow FTP): click IP Rules under Rules and choose the correct Action, Service, Interface and Network for the rule.
After all configuration is done, click Configuration in the main bar, then click Save and Activate.
Objective:
1. Access the FTP server in the DMZ via the group's public IP address successfully.
Network topology
Note: add another public IP address in the ARP table; verify the sequence of the IP rules.
Objectives
Access two FTP servers via one public IP address (192.168.174.71).
Add the public IP address object for the two FTP servers: click Address Book under Objects and key in the correct IP address.
Add two virtual IP address objects for the two FTP servers: click Address Book under Objects and key in the correct IP addresses.
Apply the public IP address object to the ARP Table: click ARP Table under Interfaces and apply the object for the FTP IP address.
Create the IP rule for the FTP servers: click IP Rules in Rules and choose the correct Action, Service, Interface, SLB_SAT setting and Network in the rule.
Create the IP rule that allows the FTP servers (Allow FTP): click IP Rules in Rules and choose the correct Action, Service, Interface and Network in the rule.
After all configuration is done, click Configuration on the main menu bar, then click Save and Activate.
Scenario & Hands-on 4-3: Exercise 4-3 - SAT and server load balancing
Topology: WAN1 DHCP; FTP Server-1 in the DMZ with the group's public IP and the group's private IP-1.
Objective:
1. Access two FTP servers via the group's public IP address successfully.
Process of authentication (diagram: Internet, HTTP request)
Topology (diagram): LAN 192.168.10.1, WAN 10.0.100.97, Core.
Objectives
When a user opens a web browser, a screen pops up automatically and requests a login. Services are allowed after authentication. Users can either log out manually, or they are logged out automatically when the preset idle time is reached.
Change the remote management HTTP port to avoid a port conflict: click Remote Management, then click Modify Advanced Settings and change the WebUI HTTP port.
Create the user database for authentication: click Local User Database in User Authentication and key in the authenticated users (user name/password).
Create the User Authentication Rules: click User Authentication Rules in User Authentication and choose the corresponding settings.
Create the IP address object for authenticating users: click Address Book in Objects, add an object for the authenticating users and key in the correct IP address and group name.
Create the Allow rule (rule 1): click IP Rules in Rules and choose the correct Action, Service, Interface and Network in the rule.
Create the NAT-DNS rule (rule 2): click IP Rules in Rules and choose the correct Action, Service, Interface and Network in the rule.
Create the NAT-all_service rule (rule 3): click IP Rules in Rules and choose the correct Action, Service, Interface and Network in the rule.
Create the SAT rule (rule 4): click IP Rules in Rules and choose the correct Action, Service, Interface and Network in the rule.
Create the Allow rule (rule 5): click IP Rules in Rules and choose the correct Action, Service, Interface and Network in the rule.
After all configuration , Click configuration on main menu bar Click Save and Activate
195
D-Link Security
Summary of the rules
Action 1: allow the manual log-out web page, and allow the user to look up DNS
Action 3: allow authorized users to use networking services
Action 2: all HTTP traffic is mapped (SAT) to the firewall LAN1 IP address, and the matching allow rule lets the mapped HTTP traffic through
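As an added example (not D-Link's code or configuration), this Python model walks a packet through the five rules above in first-match order and shows why the order matters: an unauthenticated browser is redirected to the firewall's LAN1 address for login, while an authenticated user's traffic is simply NATed. The LAN1 address 192.168.10.1, the lan1net network, the group name and the simplified rule semantics are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple

# Constructed values (assumptions, not the slides' own configuration)
LAN1_IP = ip_address("192.168.10.1")      # firewall LAN1 address the SAT rule maps to
LAN1_NET = ip_network("192.168.10.0/24")  # lan1net, the network the rules apply to
AUTH_GROUP = "auth_users"                 # group name on the "authenticating users" object

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str                  # "http", "dns", "smtp", ...

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow"/"nat" terminate; "sat" rewrites and continues
    service: str                  # "all_service" matches any service
    to_firewall: bool = False     # only matches traffic addressed to LAN1_IP
    group: Optional[str] = None   # if set, the source must be authenticated into it
    sat_to: Optional[str] = None  # new destination for a SAT rule

# The five rules in the order the slides create them (rule-1 .. rule-5)
RULES = [
    Rule("rule-1 allow logout page", "allow", "http", to_firewall=True),
    Rule("rule-2 NAT DNS", "nat", "dns"),
    Rule("rule-3 NAT all_service, authenticated only", "nat", "all_service", group=AUTH_GROUP),
    Rule("rule-4 SAT HTTP to LAN1 IP", "sat", "http", sat_to=str(LAN1_IP)),
    Rule("rule-5 allow the SAT'd HTTP", "allow", "http"),
]

def matches(rule: Rule, pkt: Packet, groups: Iterable[str]) -> bool:
    if ip_address(pkt.src) not in LAN1_NET:
        return False
    if rule.service not in ("all_service", pkt.service):
        return False
    if rule.to_firewall and ip_address(pkt.dst) != LAN1_IP:
        return False
    return rule.group is None or rule.group in groups

def evaluate(pkt: Packet, groups: Iterable[str] = ()) -> Tuple[str, str]:
    """First-match lookup returning (final action, final destination).
    A SAT match records the new destination and keeps searching for the
    allow/NAT rule that passes the translated traffic; unmatched traffic
    is dropped by the implicit default rule."""
    dst = pkt.dst
    for rule in RULES:
        if not matches(rule, pkt, groups):
            continue
        if rule.action == "sat":
            dst = rule.sat_to
            continue
        return rule.action, dst
    return "drop", dst
```

Moving rule-3 below rule-4 would send even authenticated users to the login page, which is the kind of ordering mistake the Confirm configuration checklist in the troubleshooting section is meant to catch.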
Traffic Shaping
Diagram: incoming packets on the incoming interface are matched against the IP rules (Rule 2 to Rule 6) and pass through a pipe before leaving on the outgoing interface.
Diagram: bandwidth of one pipe shared among User 1 to User 5, with users marked W or G.
Diagram: pipe precedence levels, from Highest through High and Medium to Low.
Diagram: a 1Mbps pipe in each direction; assign precedence.
Objectives
1. For inbound and outbound HTTP and HTTPS, the maximum bandwidth is 500Kb.
2. For inbound and outbound POP3, the guaranteed bandwidth is 300Kb (maximum bandwidth is 1000Kb).
3. For other inbound and outbound services, the remaining bandwidth is used.
4. All of the above services have dedicated bandwidth values.
Diagram: Internal LAN1
Note: Before using traffic shaping for a specified application, make sure that an IP rule has been created for that application.
Traffic Shaping
Create the object of the input pipe (create the pipe standard-in)
Click Pipes in Traffic Shaping
Key in the corresponding values for Precedence and total bandwidth

Create the object of the output pipe (create the outbound pipe)
Click Pipes in Traffic Shaping
Key in the corresponding values for Precedence and total bandwidth

Create the object of the HTTP input (create the pipe HTTP-in)
Click Pipes in Traffic Shaping
Key in the corresponding values for Precedence and total bandwidth

Create the object of the HTTP output (create the pipe HTTP-out)
Click Pipes in Traffic Shaping
Key in the correct values for Precedence and total bandwidth

Create the rule for HTTP
Click Pipe Rules in Traffic Shaping
Key in the corresponding values for Precedence and total bandwidth

Create the object of the POP3 input (create the pipe POP3-in)
Click Pipes in Traffic Shaping
Key in the corresponding values for Precedence and total bandwidth

Create the object of the POP3 output (create the pipe POP3-out)
Click Pipes in Traffic Shaping
Key in the corresponding values for Precedence and total bandwidth

Create the rule for POP3
Click Pipe Rules in Traffic Shaping
Choose the correct Action, Service, Interface and Network in the rule

Create the rule for other services
Click Pipe Rules in Traffic Shaping
Choose the correct Action, Service, Interface and Network in the rule

After all configuration, click Configuration on the main menu bar, then click Save and Activate
First step: create two bidirectional pipes for the physical WAN link.
Second step: create two bidirectional pipes for the specified application.
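As an added example (not the product's own scheduler), this simplified Python model of the two-step pipe chain above shows what the objectives produce under load: the application pipes cap HTTP at 500Kb and carve out the 300Kb POP3 guarantee, and the WAN pipe then serves precedences in order with the remainder going to other services. The 1Mbps link size, the precedence given to HTTP, the demotion of over-limit traffic to the lowest precedence and the pro-rata sharing at that level are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PRECEDENCE = ("highest", "high", "medium", "low")  # the slides' levels, best first
Demand = Tuple[str, str, int]                       # (flow, precedence, Kb/s)

@dataclass
class Pipe:
    name: str
    total_kb: int                                   # total bandwidth of the pipe
    limit_kb: Dict[str, int] = field(default_factory=dict)  # per-precedence limit

def schedule(pipe: Pipe, demands: List[Demand]) -> List[Demand]:
    """Share one pipe: higher precedences are served first, each capped by
    its precedence limit; traffic over a limit is demoted to 'low', and
    'low' shares whatever capacity is left pro rata (assumed behaviour)."""
    out: List[Demand] = []
    remaining = pipe.total_kb
    low = [d for d in demands if d[1] == "low"]
    for prec in PRECEDENCE[:-1]:
        cap = pipe.limit_kb.get(prec, pipe.total_kb)
        for flow, p, kb in demands:
            if p != prec:
                continue
            take = min(kb, cap, remaining)
            cap, remaining = cap - take, remaining - take
            if take:
                out.append((flow, prec, take))
            if kb > take:                        # excess becomes best effort
                low.append((flow, "low", kb - take))
    want = sum(kb for _, _, kb in low)
    for flow, _, kb in low:                      # integer pro-rata share
        got = min(kb, kb * remaining // want) if want else 0
        if got:
            out.append((flow, "low", got))
    return out

# Inbound pipes (assumed 1Mbps WAN link; the outbound chain is symmetric)
STANDARD_IN = Pipe("standard-in", 1000)
HTTP_IN = Pipe("HTTP-in", 500)                   # HTTP/HTTPS: maximum 500Kb
POP3_IN = Pipe("POP3-in", 1000, {"high": 300})   # POP3: 300Kb guaranteed, 1000Kb maximum

def inbound_allocation(demand_kb: Dict[str, int]) -> Dict[str, int]:
    """Chain the application pipes into the WAN pipe, as the pipe rules do."""
    staged: List[Demand] = []
    staged += schedule(HTTP_IN, [("http", "medium", demand_kb["http"])])
    staged += schedule(POP3_IN, [("pop3", "high", demand_kb["pop3"])])
    staged.append(("other", "low", demand_kb["other"]))
    granted = {flow: 0 for flow in demand_kb}
    for flow, _, kb in schedule(STANDARD_IN, staged):
        granted[flow] += kb
    return granted
```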
Objectives
1. For inbound and outbound SMTP, the maximum bandwidth is 400Kb.
2. For inbound and outbound FTP, the guaranteed bandwidth is 250Kb (maximum bandwidth is 500Kb).
3. For other inbound and outbound services, the maximum bandwidth is 350Kb.
4. All of the above services have dedicated bandwidth values.
Diagram: Internal LAN1
Note:
Choose the correct inner IP address and outer interface filter for the PPTP tunnel
Diagram: DFL-1600 with Internal LAN1 IP 192.168.1.0/24, Internal LAN2 IP 192.168.2.0/24, Internal LAN3 IP 192.168.3.0/24
Objectives
The user dials up to the firewall with the Windows PPTP client software.
The dial-up user communicates with LAN1 of the firewall.
VPN Configuration-PPTP
Create objects for the PPTP server IP address and IP address range
Click Address in Objects
Key in the corresponding IP addresses

Create the local user database for PPTP authentication
Click Local User Databases in User Authentication
Key in the correct username and password

Create the PPTP tunnel
Click PPTP/L2TP Servers in Interface
Choose the corresponding configuration

Create the User Authentication Rules for the PPTP tunnel
Click User Authentication Rules in User Authentication
Choose the corresponding configuration
Enable the Log setting and choose the local user database

Create the IP Rules for the PPTP tunnel
Click IP Rules in Rules
Choose the corresponding configuration
Enable the Log setting

After all configuration, click Configuration on the main menu bar, then click Save and Activate
Objectives:
1. Use the Windows client to dial up PPTP.
2. Ping the IP address of the LAN interface of the firewall.
Diagram: DFL-1600 with WAN1 DHCP IP; Internal LAN1 IP 192.168.1.0/24, Internal LAN2 IP 192.168.2.0/24, Internal LAN3 IP 192.168.3.0/24
Note:
L2TP/IPsec must use transport mode
Choose the correct local net and remote net for the IPsec tunnel
Choose the correct inner IP address and outer interface filter for the L2TP tunnel
Diagram: DFL-1600 with WAN1 DHCP IP; Internal LAN1 IP 192.168.1.0/24, Internal LAN2 IP 192.168.2.0/24, Internal LAN3 IP 192.168.3.0/24
Objectives
The user dials up to the firewall with the Windows L2TP/IPsec client software.
The dial-up user communicates with LAN1 of the firewall.
VPN Configuration-L2TP/IPsec
Create objects for the L2TP server IP address and IP address range
Click Address in Objects
Key in the corresponding IP addresses

Create the local user database for L2TP authentication
Click Local User Databases in User Authentication
Key in the correct username and password

Create the pre-shared key for L2TP
Click Pre-Share Keys in VPN Objects
Key in the corresponding value

Create the IPsec tunnel
Click IPsec Tunnels in Interface
Choose the corresponding configuration

Verify the IPsec tunnel
Click Authentication in this IPsec tunnel
Apply the pre-shared key to this IPsec tunnel

Verify the IPsec tunnel
Click Routing in this IPsec tunnel
Enable "Dynamically add routes to remote network when a tunnel is established" in this IPsec tunnel

Verify the IPsec tunnel
Click Advanced in this IPsec tunnel
Disable "Add route for remote network" in this IPsec tunnel

Create the L2TP tunnel
Click PPTP/L2TP Servers in Interface
Choose the corresponding configuration

Create the User Authentication Rules for the L2TP tunnel
Click User Authentication Rules in User Authentication
Choose the corresponding configuration
Enable the Log setting and choose the local user database

Create the IP Rules for the L2TP tunnel
Click IP Rules in Rules
Choose the corresponding configuration
Enable the Log setting

After all configuration, click Configuration on the main menu bar, then click Save and Activate
Objectives:
1. The user dials up to the firewall with the Windows L2TP/IPsec client software.
2.
Diagram: DFL-1600 with WAN1 DHCP IP; Internal LAN1 IP 192.168.1.0/24, Internal LAN2 IP 192.168.2.0/24, Internal LAN3 IP 192.168.3.0/24
Note:
Use the same pre-shared key and algorithm in both IPsec settings
Choose the correct local net and remote net for the IPsec tunnel
Diagram: DFL-1600 with Internal LAN1 IP 192.168.1.0/24, Internal LAN2 IP 192.168.2.0/24, Internal LAN3 IP 192.168.3.0/24
Objectives
Two firewalls communicate with each other through an IPsec tunnel.
A client on the local net pings a client on the remote net.
Create objects for the remote IP address and remote network
Click Address in Objects
Key in the corresponding IP addresses

Create the pre-shared key for the IPsec tunnel
Click Pre-Share Keys in VPN Objects
Key in the correct value

Create the IPsec tunnel
Click IPsec Tunnels in Interface
Choose the corresponding configuration
Note: If the remote firewall's WAN IP is not static, in other words the Remote Endpoint uses a dynamic IP address registered with a dynamic DNS server, the administrator can enter the DDNS domain name here directly.

Combine the two interfaces into one interface group
Click Interface Groups in Interface
Choose the corresponding interfaces

Create the IP Rules for the tunnel
Click IP Rules in Rules
Choose the corresponding configuration
Enable the Log setting

After all configuration, click Configuration on the main menu bar, then click Save and Activate
Objectives:
1. Two firewalls communicate with each other through an IPsec tunnel.
2.
Diagram: DFL-1600, Internal LAN1
Note:
Use the same pre-shared key and algorithm on the DFL-1600 and the NS-204
Choose the correct local net and remote net for the IPsec tunnel
Diagram: DFL-1600 with Internal LAN1 IP 192.168.1.0/24, Internal LAN2 IP 192.168.2.0/24, Internal LAN3 IP 192.168.3.0/24
Objectives
Two firewalls communicate with each other through an IPsec tunnel.
A client on the local net pings a client on the remote net.
Create a network object for the DFL-1600 (remote network)
Click List under Addresses in Objects
Key in the corresponding network

Create an IP address object for the DFL-1600 (remote gateway)
Click List under Addresses in Objects
Key in the corresponding IP address

Create the P1 (Phase 1) Proposal for the DFL-1600 VPN configuration
Click P1 Proposal under AutoKey Advanced in VPNs
Choose the corresponding algorithm and DH group

Create the P2 (Phase 2) Proposal for the DFL-1600 VPN configuration
Click P2 Proposal under AutoKey Advanced in VPNs
Choose the corresponding algorithm and DH group

Create the Gateway object for the DFL-1600 VPN configuration
Click Gateway under AutoKey Advanced in VPNs
Key in the corresponding IP address and pre-shared key
Click Advanced

Advanced settings of the Gateway object
Choose Custom in User Defined and the Phase 1 Proposal
Choose Main mode

Create the IPsec VPN tunnel for the DFL-1600
Choose the Security Level and Predefined for the Remote Gateway
Choose the Outgoing Interface and click Advanced

Create the IPsec VPN policy for the DFL-1600
Choose the correct Action, Service and Network in the rule
Enable "Modify matching bidirectional VPN policy"

Testing Result
Troubleshooting
Four ways of troubleshooting
Troubleshooting
Flow chart (labels recovered from the diagram): The problem → Inspect the firewall status → Found main cause? If no → Confirm configuration → Found main cause? If no → Verify network environments → Found main cause? → Configuration cause, Environment cause, or Configuration cause and Environment cause → Verify configuration → The problem has been solved; otherwise escalate to the Dtrack system.
Troubleshooting
Confirm the configuration of the firewall:
IP address or network in Objects
Configuration in Interface
Configuration in IP rules: Action and Service; Interface and Network
Routing table: Metric
Routing table and rules: Metric
Zone Defense
Traffic Shaping
User Authentication
Configuration in PBR
Advanced configuration
Troubleshooting
Inspect the firewall status: click Status on the main menu bar
Status pages: System, Logging, Connection, Interfaces, IPsec, User Auth, Routes, DHCP server, IDS, SLB, Zone Defense
Troubleshooting
Console commands: how to use console commands with HyperTerminal in MS Windows
1. Start HyperTerminal (Hypertrm.exe).
2. Enter a name for the connection (for example, DFL-800) in the Name box.
3. Click an icon for the connection in the Icon box, and then click OK.
4. In the Connect Using box, click Direct To Com (choose Restore Default), and then click OK.
5. Verify the settings on the Port Settings tab, and then click OK.
Troubleshooting
Console commands
The first command you should learn is HELP (or H). The help command prints the list of commands available at the console.
About: displays information about the firewall core.
Crashdump: dumps all crash and error information.
Access: prints the active anti-spoof section.
Arp [interface]: displays the cached ARP information for all interfaces; add an interface name to see only that interface.
Arpsnoop [interface]: displays ARP queries and responses. Enable it by typing ARPSNOOP [interface]; the same command again disables it. Use ALL for all interfaces and NONE to disable all arpsnoop printouts.
Buffers [buf num]: displays the 20 most recently freed buffers; add a number to examine a specific buffer.
Cfglog: displays the boot log of the firewall configuration.
Connections: displays the connections in the firewall.
CPUid: displays processor information.
DHCP [switches] <interface>: renews (-renew) or releases (-release) the DHCP IP address on a specific interface.
Frags: displays the 20 most recent fragment reassembly attempts, both ongoing and completed.
Ifstat [interface]: displays interfaces; add an interface name to get statistics for that interface.
Loghosts: displays the configured log hosts.
Logout: secures the console with the configured password.
Netcon: displays the active console connection or management connections to the firewall.
Netobjects: displays the active host and network configurations.
Ping: the normal ping command to verify IP connectivity; use Ping [IP address] [num], where num is the number of ping requests.
Reconfigure: reloads the configuration from the boot media.
Troubleshooting
Capture packets to analyze
Set up a laptop with software such as Ethereal or Sniffer to capture packets from the problem node.
The laptop needs to connect to the problem node through a hub.
If it connects through a switch, the port mirror function has to be enabled on the switch.
Diagram: intranet, problem node, laptop running Ethereal or Sniffer
Inspect the source IP address, destination IP address and protocol to analyze the problematic network status.