D-Link DFL-700 User Manual



Summary of Contents

Page 1 - D-Link DFL-700

D-Link DFL-700 Network Security Firewall Manual Building Networks for People Ver.1.02 (20050419)

Page 2 - Contents

Package Contents Contents of Package: • D-Link DFL-700 Firewall • Manual and CD • Quick Installation Guide • AC Power adapter Note: Using a pow

Page 3

5. Add a new user, Firewall->Users: Under Users in local database click Add new Name the new user BranchOffice Enter password: 12345678

Page 4

A more secure LAN-to-LAN VPN solution To get a more secure solution, policies should be created instead of allowing all traffic between the two offic

Page 5

4. Set up the new rule: Name the new rule: allow_pop3 Select action: Allow Select service: pop3 Select schedule: Always We don’t want any Intrusi

Page 6

5. The first policy rule is now created. Repeat step 4 to create services named allow_imap, allow_ftp and allow_http. The services for these polici

Page 7 - Introduction

Settings for Main office 1. Set up policies for the new tunnel, Firewall->Policy: Click Global policy parameters Disable Allow all VPN traffic:

Page 8

Windows XP client and PPTP server Settings for the Windows XP client 1. Open the control panel (Start button -> Control panel). 2. If you are usi

Page 9 - Physical Connections

5. Select Connect to the network at my workplace and click Next

Page 10 - System Requirements

6. Select Virtual Private Network connection and click Next

Page 11 - Managing D-Link DFL-700

7. Name the connection MainOffice and click Next

Page 12 - Administration Settings

8. Select Do not dial the initial connection and click Next

Page 13

Managing D-Link DFL-700 When a change is made to the configuration, a new icon named Activate Changes will appear. When all changes and administrator w

Page 14

9. Type the IP address of the server, 194.0.2.20, and click Next 10. Click Finish

Page 15 - Interfaces

11. Type user name HomeUser and password 1234567890 (Note! You should use a password that is hard to guess) 12. Click Properties

Page 16

13. Select the Networking tab and change Type of VPN to PPTP VPN. Click OK. All settings needed for the XP client are now done. When we have set u

Page 17

Settings for Main office 1. Set up interfaces, System->Interfaces: WAN IP: 193.0.2.20 LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0 2. Set up PP

Page 18 - Username – The login or

Leave static client IP empty (it could also be set to e.g. 192.168.1.200; if no IP is set here, the IP pool from the PPTP server settings is used). Cl

Page 19 - Traffic Shaping

Windows XP client and L2TP server The Windows XP client to L2TP server setup is quite similar to the PPTP setup above. Settings for the Windows XP cl

Page 20 - MTU Configuration

2. Select the Security tab and click IPsec Settings 3. Check Use pre-shared key for authentication, type the key and click OK

Page 21 - Routing

Settings for Main office 1. Set up interfaces, System->Interfaces: WAN IP: 193.0.2.20 LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0 2. Set up L2

Page 22 - Remove a Static Route

Leave static client IP empty (it could also be set to e.g. 192.168.1.200; if no IP is set here, the IP pool from the PPTP server settings is used). Cl

Page 23 - Logging

Content filtering To enable content filtering, follow these steps: 1. Update the content filtering settings, Firewall->Content Filtering: Select

Page 24 - Enable Audit Logging

Administration Settings Administrative Access Ping – If enabled, specifies who can ping the interface IP of the DFL-700. Default if enabled is to

Page 25

2. Make sure the http-outbound service exists and is using the HTTP ALG, Firewall->Services: Find the http-outbound service in the list and cl

Page 26

4. Edit the new policy we just created Name the rule allow_http Enter position 2 Select action Allow Select service http-outbound Select sche

Page 27 - Using NTP to sync time

The new policy should now be added to position two in the list (if not, it can be moved to the right position by clicking on the up and down arro

Page 28 - Firewall

Intrusion detection and prevention Intrusion detection and prevention can be enabled for both policies and port mappings. In this example we are usi

Page 29 - Schedule

2. Set up the newly created port mapping: Name the rule map_www Select service http-in-all Enter pass to IP: 192.168.2.5 (the IP of the web s

Page 30

The new mapping is now in the list. 3. Set up the email server and enable alerting, System->Logging: Check Enable E-mail alerting for IDS/IDP events

Page 31 - Add a new policy

Traffic shaping In these examples we assume that the WAN port of the firewall is connected to the Internet with an up- and downstream bandwidth of 2 m

Page 32 - Delete policy

Now all FTP traffic from 192.168.1.125 on the LAN network will be limited to 400kbit/s in both directions. If more than one IP is required, a comma-s

Page 33

Select service: ftp_outbound Schedule should be always Check the Traffic shaping box and enter 1000 as up and downstream guarantee. Click Apply

Page 34 - Add a new mapping

Appendixes Appendix A: ICMP Types and Codes The Internet Control Message Protocol (ICMP) has many messages that are identified by a “type” field; many

Page 35 - Delete mapping

Add ping access to an interface To add ping access click on the interface you would like to add it to. Follow these steps to add ping access to an int

Page 36 - Administrative users

1 Redirect Datagram for the Host RFC792 2 Redirect Datagram for the Type of Service and Network RFC792 3 Redirect Datagram for the Typ

Page 37

Appendix B: Common IP Protocol Numbers These are some of the more common IP protocols; for the full list, follow the link after the table. Decimal Keyword Desc

Page 38 - Delete Administrative User

LIMITED WARRANTY D-Link provides this limited warranty for its product only to the person or entity who originally purchased the product from D-Li

Page 39 - The DFL-700 RADIUS Support

Registration Card. The Registration Card provided at the back of this manual must be completed and returned to an Authorized D-Link Service Office for

Page 40 - Enable RADIUS Support

PRODUCT RETURNED TO D-LINK FOR WARRANTY SERVICE) RESULTING FROM THE USE OF THE PRODUCT, RELATING TO WARRANTY SERVICE, OR ARISING OUT OF ANY BREACH

Page 41 - Change User Password

This ensures the operational safety of the device. 18. A tested cable must be used to connect this device to the mains. Für einen Nen

Page 42 - Delete User

- Consult the dealer or an experienced radio/TV technician for help. VCCI Warning

Page 43 - Schedules

Offices AUSTRALIA D-LINK AUSTRALIA 1 Giffnock Ave,North Ryde, NSW 2113, Australia TEL: 61-2-8899-1800 FAX: 61-2-8899-1868 TOLL FREE: 1800-177-100

Page 44 - Services

Tel/fax +7 (095) 744-00-99 mailto:[email protected], Web: www.dlink.ru SINGAPORE D-LINK INTERNATIONAL 1 International Business Park, #03-12 The

Page 46

Add Read-only access to an interface To add read-only access, click on the interface you would like to add it to; note that if you only have read-on

Page 49 - Authentication Protocols

System Interfaces Click on System in the menu bar, and then click Interfaces below it. Change IP of the LAN or DMZ interface Follow these steps to cha

Page 50 - L2TP/PPTP Clients

WAN Interface Settings – Using Static IP If you are using Static IP, you have to fill in the IP address information provided to you by your ISP. All

Page 51 - L2TP/PPTP Servers

WAN Interface Settings – Using PPPoE Use the following procedure to configure the DFL-700 external interface to use PPPoE (Point-to-Point Protocol ove

Page 52

WAN Interface Settings – Using PPTP PPTP over Ethernet connections are used in some DSL and cable modem networks. You need your account details, an

Page 53 - VPN between two networks

WAN Interface Settings – Using BigPond The ISP Telstra BigPond uses BigPond for authentication; the IP is assigned with DHCP. • Username – The login

Page 54

Contents Introduction ... 7 Features and Benefits ...

Page 55

MTU Configuration To improve the performance of your Internet connection, you can adjust the maximum transmission unit (MTU) of the packets that t

Page 56 - VPN – Advanced Settings

Routing Click on System in the menu bar, and then click Routing below it. This will give a list of all configured routes; it will look something like

Page 57 - IPSec Proposal List

Add a new Static Route Follow these steps to add a new route. Step 1. Go to System and Routing. Step 2. Click on Add new at the bottom of the routi

Page 58 - Certificates

Logging Click on System in the menu bar, and then click Logging below it. Logging, the ability to audit decisions made by the firewall, is a vital pa

Page 59 - Identities

configurable. It’s also possible to have E-mail alerting for IDS/IDP events to up to three email addresses. Enable Logging Follow these steps to en

Page 60 - Content Filtering

Intrusion attacks will always be logged in the usual logs if IDS is enabled for any of the rules. For more information about how to enable intrusion

Page 61

Time Click on System in the menu bar, and then click Time below it. This will give you the option to either set the system time by syncing to an I

Page 62

Changing time zone Follow these steps to change the time zone. Step 1. Choose the correct time zone in the drop-down menu. Step 2. Specify your daylig

Page 63 - Active content handling

Firewall Policy The Firewall Policy configuration section is the "heart" of the firewall. The policies are the primary filter that is con

Page 64 - Servers

Source and Destination Filter Source Nets – Specifies the sender span of IP addresses to be compared to the received packet. Leave this blank to match

Page 65 - Disable DHCP Server/Relayer

Setting time and date manually ...27 Firewall ...

Page 66 - DNS Relayer Settings

the system administrators if email alerting is converted. There are two modes that can be configured, either Inspection Only or Prevention. Inspect

Page 67 - Disable DNS Relayer

Add a new policy Follow these steps to add a new outgoing policy. Step 1. Choose the LAN->WAN policy list from the available policy lists. Step 2.

Page 68 - Ping Example

Change order of policy Follow these steps to change the order of a policy. Step 1. Choose the policy list you would like to change the order in from the av

Page 69 - Dynamic DNS

Configure Intrusion Prevention Follow these steps to configure IDP on a policy. Step 1. Choose the policy you would like to have IDP on. Step 2. Click on

Page 70

Port mapping / Virtual Servers The Port mapping / Virtual Servers configuration section is where you can configure virtual servers like Web servers

Page 71 - Restart/Reset

Delete mapping Follow these steps to delete a mapping. Step 1. Choose the mapping list (WAN, LAN or DMZ) you would like to delete the mapping from. St

Page 72

Administrative users Click on Firewall in the menu bar, and then click Users below it. This will show all the users, and the first section is the

Page 73 - Upgrade

Change Administrative User Access level To change the access level of a user, click on the user name and you will see the following screen. From here y

Page 74

Delete Administrative User To delete a user click on the user name and you will see the following screen. Follow these steps to delete an Administ

Page 75

Users User Authentication allows an administrator to grant or reject access to specific users from specific IP addresses, based on their user credenti

Page 76

MS-CHAP v1 ...49 MS-CHAP v2 ...

Page 77 - Connections

Enable User Authentication via HTTP / HTTPS Follow these steps to enable User Authentication. Step 1. Enable the checkbox for User Authentication.

Page 78 - DHCP Server

Add User Follow these steps to add a new user. Step 1. Click on add after the type of user you would like to add, Admin or Read-only. Step 2. Fill in

Page 79

Delete User To delete a user click on the user name and you will see the following screen. Follow these steps to delete a user. Step 1. Click on t

Page 80 - How to read the logs

Schedules It is possible to configure a schedule for policies to take effect. By creating a schedule, the DFL-700 is allowing the firewall policies

Page 81

Services A service is basically a definition of a specific IP protocol with corresponding parameters. The service http, for instance, is defined as

Page 82 - Step by step guides

Adding IP Protocol When the type of the service is IP Protocol, an IP protocol number may be specified in the text field. To have the service match th

Page 83 - LAN-to-LAN VPN using IPsec

Protocol-independent settings Allow ICMP errors from the destination to the source – ICMP error messages are sent in several situations: for exampl

Page 84

VPN Introduction to IPsec This chapter introduces IPsec, the method, or rather set of methods used to provide VPN functionality. IPSec, Internet Proto

Page 85

Introduction to PPTP PPTP, Point-to-Point Tunneling Protocol, is used to provide IP security at the network layer. A PPTP-based VPN is made up by t

Page 86

Authentication Protocols PPP supports different authentication protocols; PAP, CHAP, MS-CHAP v1 and MS-CHAP v2 are supported. Which authentication prot

Page 87 - LAN-to-LAN VPN using PPTP

Ping ... 68 Ping Example...

Page 88

L2TP/PPTP Clients General parameters Name – Specifies a name for the PPTP/L2TP Client. Username – Specify the username to use for this PPTP/L2TP Cl

Page 89

L2TP/PPTP Servers Name – Specifies a name for this PPTP/L2TP Server. Outer IP - Specifies the IP that the PPTP/L2TP server should listen on, leave it

Page 90

MPPE encryption If MPPE encryption is going to be used, this is where the encryption level is configured. If L2TP or PPTP over IPSec is going to b

Page 91

VPN between two networks In the following example users on the main office internal network can connect to the branch office internal network vice ver

Page 92

VPN between client and an internal network In the following example users can connect to the main office internal network from anywhere on the Inte

Page 93

Adding an L2TP/PPTP VPN Client Follow these steps to add an L2TP or PPTP VPN Client configuration. Step 1. Go to Firewall and VPN and choose Add new PPT

Page 94 - LAN-to-LAN VPN using L2TP

VPN – Advanced Settings Advanced settings for a VPN tunnel are used when one needs to change some characteristics of the tunnel when using for example t

Page 95

Proposal Lists To agree on the VPN connection parameters, a negotiation process is performed. As the result of the negotiations, the IKE and IPSec sec

Page 96

Certificates A certificate is a digital proof of identity. It links an identity to a public key in a trustworthy manner. Certificates can be used t

Page 97

Certificate Authorities This is a list of all CA certificates. To add a new Certificate Authority certificate, click Add new. The following pages will

Page 98

Settings for the Windows XP client ...105 Settings for Main office ...

Page 99

Content Filtering DFL-700 HTTP content filtering can be configured to scan all HTTP content protocol streams for URLs or for web page content. You

Page 100

Edit the URL Global Whitelist Follow these steps to add or remove a URL. Step 1. Go to Firewall and Content Filtering and choose Edit global URL whit

Page 101 - Settings for Branch office

Edit the URL Global Blacklist Follow these steps to add or remove a URL. Step 1. Go to Firewall and Content Filtering and choose Edit global URL b

Page 102

Active content handling Active content handling can be enabled or disabled by checking the checkbox before each type you would like to strip. For exam

Page 103

Servers DHCP Server Settings The DFL-700 contains a DHCP server; DHCP (Dynamic Host Configuration Protocol) is a protocol that lets network adminis

Page 104 - Settings for Main office

Enable DHCP Server To enable the DHCP Server on an interface, click on Servers in the menu bar, and then click DHCP Server below it. Follow these step

Page 105

DNS Relayer Settings Click on Servers in the menu bar, and then click DNS Relay below it. The DFL-700 contains a DNS relayer that you can config

Page 106

Disable DNS Relayer Follow these steps to disable the DNS Relayer. Step 1. Disable by un-checking the Enable DNS Relayer box. Click the Apply button b

Page 107

Tools Ping Click on Tools in the menu bar, and then click Ping below it. This tool is used to send a specified number of ICMP Echo Request packets

Page 108

Dynamic DNS The Dynamic DNS feature (requires a Dynamic DNS service) allows you to alias a dynamic IP address to a static hostname, allowing your device to be m

Page 109

Introduction The DFL-700 provides three 10/100M Ethernet network interface ports, which are (1) Internal/LAN, (1) External/WAN, and (1) DMZ port. It a

Page 110 - 10. Click Finish

Backup Click on Tools in the menu bar, and then click Backup below it. Here an administrator can back up and restore the configuration. The configur

Page 111 - 12. Click Properties

Restart/Reset Restarting the DFL-700 Follow these steps to restart the DFL-700. Step 1. Choose if you want to do a quick or full restart. Step 2. Click R

Page 112

Step 1. Under the Tools menu and the Reset section, click on the Reset to Factory Defaults button. Step 2. Click OK in the dialog to reset the un

Page 113

Upgrade The DFL-700’s software, IDS signatures and system parameters are all stored on a flash memory card. The flash memory card is re-writable and r

Page 114

Status In this section, the DFL-700 displays the status information about the Firewall. The administrator may use Status to check the System Status, In

Page 115

Interfaces Click on Status in the menu bar, and then click Interfaces below it. A window will appear providing information about the interfaces in the

Page 116

VPN Click on Status in the menu bar, and then click Interfaces below it. A window will appear providing information about the VPN connections done

Page 117

Connections Click on Status in the menu bar, and then click Connections below it. A window will appear providing information about the content of the

Page 118

DHCP Server Click on Status in the menu bar, and then click DHCP Server below it. A window will appear providing information about the configured D

Page 119 - Content filtering

Users Click on Status in the menu bar, and then click Users below it. A window will appear providing user information. Currently authenticated users

Page 120

Introduction to Local Area Networking Local Area Networking (LAN) is the term used when connecting several computers together over a small area such

Page 121

How to read the logs Although the exact format of each log entry depends on how your syslog recipient works, most are very much alike. The way in w

Page 122

One event will be generated when a connection is established. This event will include information about protocol, receiving interface, source IP addre

Page 123

Step by step guides In the following guides, example IPs, users, sites and passwords are used. You will have to exchange the IP addresses and sites

Page 124

LAN-to-LAN VPN using IPsec Settings for Branch office 1. Set up interfaces, System->Interfaces: WAN IP: 193.0.2.10 LAN IP: 192.168.4.1, Subnet ma

Page 125

Retype PSK: 1234567890 Select Tunnel type: LAN-to-LAN tunnel Remote Net: 192.168.1.0/24 Remote Gateway: 194.0.2.20 Enable Automatically a

Page 126 - Traffic shaping

4. Click Activate and wait for the firewall to restart Settings for Main office 1. Set up interfaces, System->Interfaces: WAN IP: 193.0.2.20 L

Page 127

Select Tunnel type: LAN-to-LAN tunnel Remote Net: 192.168.4.0/24 Remote Gateway: 194.0.2.10 Enable “Automatically add a route for the remo

Page 128

LAN-to-LAN VPN using PPTP Settings for Branch office 1. Set up interfaces, System->Interfaces: WAN IP: 193.0.2.10 LAN IP: 192.168.4.1, Subnet ma

Page 129 - Appendixes

Username: BranchOffice Password: 1234567890 (Note! You should use a password that is hard to guess) Retype password: 1234567890 Interface

Page 130

Under MPPE encryption 128 bit should be the only checked option. Leave Use IPsec encryption unchecked Click Apply 3. Set up policies for the new tunn

Page 131

LEDs Power: A solid light indicates a proper connection to the power supply. Status: System status indicators, flashes to indicate an active system.

Page 132 - LIMITED WARRANTY

Settings for Main office 1. Set up interfaces, System->Interfaces: WAN IP: 193.0.2.20 LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0 2. Set u

Page 133 - What Is Not Covered:

Under authentication MSCHAPv2 should be the only checked option. Under MPPE encryption 128 bit should be the only checked option. Leave Use IPsec enc

Page 134

4. Set up authentication source, Firewall->Users: Select Local database Click Apply 5. Add a new user, Firewall->Users: Under Users in

Page 135

Click Apply 6. Click Activate and wait for the firewall to restart. This example will allow all traffic between the two offices. To get a more secu

Page 136

LAN-to-LAN VPN using L2TP Settings for Branch office 1. Set up interfaces, System->Interfaces: WAN IP: 193.0.2.10 LAN IP: 192.168.4.1, Subnet

Page 137 - Offices

Username: BranchOffice Password: 1234567890 (Note! You should use a password that is hard to guess) Retype password: 1234567890 Interface IP:

Page 138

Under MPPE encryption only None should be checked Check Use IPsec encryption Enter key 1234567890 (Note! You should use a key that is hard to gues

Page 139

4. Click Activate and wait for the firewall to restart Settings for Main office 1. Set up interfaces, System->Interfaces: WAN IP: 193.0.2.20 LAN

Page 140

Leave WINS settings blank Under authentication MSCHAPv2 should be the only checked option. Under MPPE encryption None should be the only checke

Page 141

3. Set up policies for the new tunnel, Firewall->Policy: Click Global policy parameters Enable Allow all VPN traffic: internal->VPN, VPN->
