
DFL-500 SOHO Firewall User’s Manual Rev. 02 (March, 2002) D-Link Systems, Inc. DFL-500 User’s Manual 1
Transparent mode Transparent Mode provides even quicker and easier installation when the requirement is to provide firewall protection to a pre-existi
Configuring SNMP Configure SNMP for the DFL-500 so that the SNMP agent running on the DFL-500 can report system information and send traps. Traps can
Using the DFL-500 CLI The command line interface (CLI) is intended as a troubleshooting tool to help diagnose and fix system problems that cannot be s
• Type the password for this administrator and press Enter. The following prompt appears: Type ? for a list of commands. Connecting to the DFL-500 C
Recalling commands You can recall commands by using the Up and Down arrow keys to cycle through commands you have entered. Editing commands Use the Le
This procedure deletes all of the changes that you have made to the DFL-500 configuration and reverts the system to its default configuration, in
Total 32768k Bytes Are Unzipped. Do You Want To Save The Image ?[Y/n] Type Y . Programming The Boot Device Now. ... Read
Glossary Connection: A link between machines, applications, processes, etc. that can be logical, physical, or both. DNS, Domain Name System: A serv
NTP, Network Time Protocol: Used to synchronize the time of a computer to an NTP server. NTP provides accuracies within tens of milliseconds acros
VPN, Virtual Private Network: A network that links private networks over the Internet. VPNs use encryption and other security mechanisms to ensure th
Troubleshooting FAQs The following troubleshooting FAQs are available: • General administration • Network configuration • Firewall policies • Sche
• IPSec and PPTP VPN pass through so that computers or subnets on your internal network can connect to a VPN gateway on the Internet Virus and worm p
Q: My policies are set correctly but I still cannot connect to the Internet from one or more of the computers on my internal network. Check the defau
Virus protection Q: I am worried about viruses so I set the Anti-Virus options to the highest level. Now people are complaining that some files that t
Technical Support Offices AUSTRALIA D-LINK AUSTRALIA Unit 16, 390 Eastern Valley Way, Roseville, NSW 2069, Australia TEL: 61-2-9417-7100 FAX:
Registration Card Print, type or use block letters. Your name: Mr./Ms _____________________________________________________________________________ Or
Secure installation, configuration, and management Installation is quick and simple. All that is required to get the DFL-500 up and running and protec
• Report traffic that was denied by firewall policies • Report configuration changes Logs can be sent to a remote syslog server. About this document
Installing the DFL-500 This chapter describes how to install the DFL-500 firewall between your network and the Internet. After you have completed the
PPPoE User Name Password 4. DNS Server In the space below, record the IP addresses of the primary and secondary DNS servers provided by your I
Primary Secondary Unpacking the DFL-500 The DFL-500 package contains the following items: • The DFL-500 firewall • A blue cross-over ethernet ca
Environmental specifications • Operating Temperature: 32 to 104 °F (0 to 40 °C) • Storage Temperature: -13 to 158 °F (-25 to 70 °C) • Humidity: 5 t
DFL-500 login page Starting the firewall setup wizard To start the firewall setup wizard: Click the Wizard button at the upper right of the web-base
Configuring the DFL-500 from the CLI To connect to the DFL-500 command line interface (CLI) you require: • A computer with an available communication
© Copyright 2002 D-Link Systems, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may b
set system interface internal ip 192.168.1.1 255.255.255.0 • Set the IP address and netmask of the external interface to the External IP Address and
Configuring the Transparent mode management IP address • Login to the CLI if you are not already logged in. • Set the IP address and netmask of the
DFL-500 network connections: Configuring your internal network If you are running the DFL-500 in NAT mode, your internal network must be configured
Firewall Configuration This chapter describes how to use firewall policies to establish and control connectivity through the DFL-500 firewall. This ch
Policy information Policies direct the firewall to perform actions when a connection request matches the identifying information. A policy can specify
To add a policy: Go to Firewall > Policy . Click the tab corresponding to the type of policy to add. Before adding Incoming policies in NAT m
Editing policies To edit a policy: • Go to Firewall > Policy . • Click the tab corresponding to the type of policy to edit. • Choose a policy to
Accepting incoming connections in NAT mode Running the DFL-500 in NAT mode hides the actual addresses of the computers on your internal network from t
Since policy matching works on a first-match principle, you must add the deny policy above the accept policy in the policy list. For more information,
• To addresses on the Internet (see Adding addresses) • To services (see Services) • According to a one-time or recurring schedule (see Schedules)
Table of Contents Introducing the DFL-500 ... 9 Firewall...
For example, if a policy denies connections to a subnet, you can add a policy that accepts connections from one of the computers on the subnet. Polici
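As an added example (not text or code from the D-Link manual), the following Python script models the first-match evaluation described above and the two orderings the manual calls for: a deny for one service placed above the general accept, and an accept for one host placed above a subnet-wide deny. It also includes a shadowing check that flags any policy an earlier, broader policy makes unreachable, which is the check to run after reordering a first-match list. The addresses, the IMAP and ANY_TCP service definitions, the policy names and the default-deny fallback are constructed assumptions for illustration.

```python
"""First-match policy evaluation, modelled on the DFL-500 policy list.

Added example; not code from the D-Link manual or the product. The list is
walked top to bottom and the first matching policy decides, so a narrower
policy must sit above the broader policy it overrides. All addresses,
services, policy names and the default-deny fallback are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str                # "tcp" or "udp"
    src_ports: Tuple[int, int]   # inclusive source port range
    dst_ports: Tuple[int, int]   # inclusive destination port range

    def matches(self, protocol: str, src_port: int, dst_port: int) -> bool:
        return (self.protocol == protocol
                and self.src_ports[0] <= src_port <= self.src_ports[1]
                and self.dst_ports[0] <= dst_port <= self.dst_ports[1])

    def covers(self, other: "Service") -> bool:
        """True if every connection matching `other` also matches self."""
        return (self.protocol == other.protocol
                and self.src_ports[0] <= other.src_ports[0]
                and self.src_ports[1] >= other.src_ports[1]
                and self.dst_ports[0] <= other.dst_ports[0]
                and self.dst_ports[1] >= other.dst_ports[1])


@dataclass(frozen=True)
class Policy:
    name: str
    source: str        # CIDR the source address must fall in
    destination: str   # CIDR the destination address must fall in
    service: Service
    action: str        # "accept" or "deny"

    def matches(self, src_ip: str, dst_ip: str, protocol: str,
                src_port: int, dst_port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.source)
                and ip_address(dst_ip) in ip_network(self.destination)
                and self.service.matches(protocol, src_port, dst_port))

    def covers(self, other: "Policy") -> bool:
        """True if self matches everything `other` would match, so placing
        self above `other` makes `other` unreachable."""
        return (ip_network(other.source).subnet_of(ip_network(self.source))
                and ip_network(other.destination).subnet_of(
                    ip_network(self.destination))
                and self.service.covers(other.service))


def evaluate(policies: List[Policy], src_ip: str, dst_ip: str, protocol: str,
             src_port: int, dst_port: int,
             default: str = "deny") -> Tuple[str, Optional[str]]:
    """(action, policy name) of the first match, else (default, None)."""
    for pol in policies:
        if pol.matches(src_ip, dst_ip, protocol, src_port, dst_port):
            return pol.action, pol.name
    return default, None


def shadowed(policies: List[Policy]) -> List[str]:
    """Names of policies an earlier, broader policy makes unreachable."""
    return [later.name
            for i, later in enumerate(policies)
            if any(earlier.covers(later) for earlier in policies[:i])]


# Constructed services. IMAP follows the manual's service table: any source
# port, destination port 143 (a single port is entered as both low and high).
IMAP = Service("IMAP", "tcp", (1, 65535), (143, 143))
ANY_TCP = Service("ANY_TCP", "tcp", (1, 65535), (1, 65535))
INTERNET = "0.0.0.0/0"

# Case 1: let the internal network out over TCP, except IMAP.
# The deny must be above the accept, or it is never reached.
deny_imap = Policy("deny_imap", "192.168.1.0/24", INTERNET, IMAP, "deny")
allow_lan = Policy("allow_lan", "192.168.1.0/24", INTERNET, ANY_TCP, "accept")
CORRECT_DENY_ABOVE = [deny_imap, allow_lan]
WRONG_DENY_BELOW = [allow_lan, deny_imap]

# Case 2: deny a whole subnet but accept one computer on it.
# The host accept must be above the subnet deny.
deny_subnet = Policy("deny_subnet", "192.168.1.0/24", INTERNET, ANY_TCP, "deny")
allow_host = Policy("allow_host", "192.168.1.50/32", INTERNET, ANY_TCP, "accept")
CORRECT_HOST_ABOVE = [allow_host, deny_subnet]
WRONG_HOST_BELOW = [deny_subnet, allow_host]


if __name__ == "__main__":
    imap_conn = ("192.168.1.20", "203.0.113.5", "tcp", 40000, 143)
    print(evaluate(CORRECT_DENY_ABOVE, *imap_conn))  # ('deny', 'deny_imap')
    print(evaluate(WRONG_DENY_BELOW, *imap_conn))    # ('accept', 'allow_lan')
    print(shadowed(WRONG_DENY_BELOW))                # ['deny_imap']
    print(shadowed(WRONG_HOST_BELOW))                # ['allow_host']
```

The `covers` check is deliberately conservative: it only reports a policy as shadowed when one earlier policy alone matches every connection the later one describes, which is exactly the mistake of putting the deny below the accept (or the host accept below the subnet deny) that the manual warns about.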
Addresses All DFL-500 policies require source and destination IP addresses. By default the DFL-500 includes two addresses that cannot be edited or del
Example internal address: Editing addresses • Go to Firewall > Address . Click the tab corresponding to the type of address you want to edit. •
IMAP IMAP email protocol for reading email from an IMAP server. tcp 1-65535 143 IRC Internet relay chat for connecting to chat groups. tcp 1-65
• Specify a port number range for the service by adding the low and high port numbers. If the service uses one port number, add this number to both t
Adding a service group: Schedules Use scheduling to control when policies are active or inactive. You can create one-time schedules and recurring s
• Specify the Stop date and time for the schedule. One-time schedules use the 24-hour clock. • Click OK to add the One-time schedule. Sample one-tim
Sample recurring schedule: Applying a schedule to a policy Once you have created schedules you can add them to policies to schedule when the polici
Requiring passwords is not supported in Transparent mode. You can add authentication to Int to Ext policies, but not to Incoming policies. Users ca
• Click the tab corresponding to the type of policy to add. • You can add authentication to Int to Ext policies. • Click New to add a policy or cli
Adding policies...
Adding a Virtual IP: IP/MAC binding IP/MAC binding provides added security against IP Spoofing attacks. IP Spoofing attempts to use the IP address
• Click Apply to save your changes. Traffic shaping You can use traffic shaping to guarantee the amount of bandwidth available through the firewall f
IPSec VPNs Using DFL-500 IPSec Virtual Private Networking (VPN), you can join two or more widely separated private networks together through the Inter
Example VPN between two internal networks: Autokey IPSec VPN between two networks Use the following procedures to configure a VPN that provides a d
Creating the VPN tunnel A VPN tunnel consists of a name for the tunnel, the IP address of the VPN gateway at the opposite end of the tunnel, the keyli
• Click OK to save the Autokey IKE VPN tunnel. Example Main Office Autokey IKE VPN tunnel: Adding internal and external addresses The next step in
Complete the following procedure on both VPN gateways to add the internal and external IP addresses: • Go to Firewall > Address > Internal . •
Example Main Office VPN policy: Autokey IPSec VPN for remote clients Use the following procedures to configure a VPN that allows remote VPN clients
Use the following procedures to configure an IPSec Autokey IKE VPN that allows VPN clients to connect to an internal network: • Configuring the VPN t
Adding internal and external addresses The next step in configuring the VPN is to add the addresses of the VPN clients and the address of the internal
Adding an IPSec VPN policy ... 49 Con
Address VPN Tunnel Name The name of the VPN tunnel to be created between the VPN gateway and the VPN client (See Example VPN Tunnel configuration). Cl
• Configure the VPN tunnel. VPN Tunnel Name Enter a name for the tunnel. The name can contain numbers (0-9) and upper and lower case letters (A-Z,
Adding an IPSec VPN policy Use the procedure Adding an IPSec VPN policy to configure the outgoing policy that connects from the local internal network
Testing a VPN To confirm that a VPN between two networks has been configured correctly, use the ping command from one internal network to connect to a
are forwarded to the destination IPSec VPN gateway with a source address of the external interface of the DFL-500 firewall. IPSec client connecting to
IPSec network to network VPN pass through: When a computer on the internal IPSec VPN network connects to the internal network behind the destina
PPTP and L2TP VPNs Using DFL-500 PPTP and L2TP Virtual Private Networking (VPN), you can create a secure connection between a client computer running
Make sure that your ISP supports PPTP connections. PPTP VPN between a Windows client and the DFL-500: This section describes: • Configuring t
To turn on RADIUS support, see RADIUS authentication for PPTP and L2TP VPNs. • Click Apply to enable PPTP through the DFL-500. Sample PPTP Range conf
• Click on TCP/IP Settings. • Turn off Use IP header compression. • Turn off Use default gateway on remote network. • Click OK twice. Connecting t
Medium level virus protection for incoming connections ...74 Low level virus pr
• Name the connection and click Next. • If the Public Network dialog box appears, choose the appropriate initial connection and click Next. • In t
• A subnet on your Internal network, protected by a VPN gateway, can connect through your DFL-500 to a VPN on the Internet No special VPN configurati
VPN packets are forwarded to the PPTP VPN gateway with a source address of the external interface of the DFL-500 firewall. L2TP VPN configuration This
A client can connect to the L2TP VPN with this user name and password. • Click OK. • Repeat the steps from Go to VPN > L2TP > L2TP User through Click OK for each additional L2TP user.
• Set VPN server type to Layer-2 Tunneling Protocol (L2TP). • Save your changes and continue with the following procedure. Disabling IPsec • Click
• If the Public Network dialog box appears, choose the appropriate initial connection and click Next. • In the VPN Server Selection dialog, enter th
Connecting to the L2TP VPN • Connect to your ISP. • Start the VPN connection that you configured in the previous procedure. • Enter your L2TP VPN U
Example RADIUS configuration: Turning on RADIUS authentication for PPTP RADIUS authentication can be turned on separately for PPTP and L2TP. To tur
Intrusion detection system (IDS) You can configure the IDS to detect and prevent common network attacks and to send an alert email if the IDS detects
Configuring alert email • In NAT mode go to IDS > Alert Email . In Transparent mode go to System > Config > Alert Mail . • In the SMTP Serv
Restoring system settings to factory defaults ... 90 Restartin
Virus protection D-Link's DFL-500 secure gateway solution adds anti-virus and anti-worm functionality to conventional VPN and firewall technology
• High level virus protection for your internal network • Medium level virus protection for your internal network • Low level virus protection for
Example HTTP high level file blocking configuration • Click OK and click Apply. • Go to Anti-Virus > SMTP > Outgoing and repeat steps Click
Example SMTP virus protection settings • Click OK and click Apply. • Go to Anti-Virus > HTTP > Outgoing and repeat steps Click Medium to vi
• SMTP, to prevent users on your internal network from sending email attachments that contain viruses to addresses on the Internet • POP3, if you al
Medium level virus scanning prevents known viruses from passing through the firewall from your internal network to the Internet while still allowing v
• Worm protection for your internal network • Worm protection for incoming connections Worm protection for your internal network When configured for
This section describes: • Manual antivirus database updates • Automatic antivirus database updates Manual antivirus database updates Use the followi
At any time, you can click Update Now to update your anti-virus database immediately by downloading the latest database from one of the configured
Web content filtering Use DFL-500 Web content filtering to block Web sites containing unwanted content. You can configure the DFL-500 to: • Block web
• Repeat these steps to add all of the required banned words. You can also add words to the banned word list by entering them into a text file
• Click Download Banned Word list to download the banned word list to your management computer. The DFL-500 downloads the banned word list to a text
You can also add URLs to the URL block list by entering them into a text file and then uploading the text file to the DFL-500. See Creating the
Remove scripts from web pages Use the following procedure to configure the DFL-500 to remove scripts from web pages. You can configure the DFL-500 to
Logging and reporting You can configure the DFL-500 to record 3 types of logs: • Traffic logs record all traffic that attempts to connect through the
Example log settings Selecting what to log Use the following procedure to configure the type of information recorded in DFL-500 logs. When runn
Traffic log message format Traffic logs record each connection made to a DFL-500 interface. Each traffic log message records the date and time at whic
Attack log message format Attack logs record attacks made on the DFL-500. Each attack log message records the date and time at which the attack was ma
Administering the DFL-500 This chapter describes how to use the DFL-500 web-based manager to administer and maintain the DFL-500. It contains the foll
System status Go to System > Status to make any of the following changes to the DFL-500 system status: • Changing the operating mode • Upgrading
Introducing the DFL-500 The DFL-500 is one of a series of new generation all-layer security products that provide comprehensive protection for your in
Displaying the DFL-500 serial number • Go to System > Status . The serial number does not change with firmware upgrades. Backing-up system setting
You can restore your system settings by uploading a previously downloaded system settings text file to the DFL-500. Default NAT mode system configurat
Restarting the DFL-500 Use the following procedure to restart the DFL-500 from the web-based manager. • Go to System > Status . • Click Restart.
To Port The destination port of the connection. Expire The time, in seconds, before the connection expires. Network configuration Go to System > Net
gateway IP address fields. These fields are colored grey to indicate that the addresses have not been assigned manually. Changing MTU size to improve
You can also control the IP addresses from which administrators can access the web-based manager. See Adding and editing administrator accounts.
• Click Internal interface to enable RIP server support from the internal interface. • Click External interface to enable RIP server support from th
Sample DHCP settings System configuration Go to System > Config to make any of the following changes to the DFL-500 system configuration: • Set
• Click Apply. Example date and time setting Changing web-based manager options You can change the web-based manager idle timeout, firewall user a
• Adding new administrator accounts • Editing administrator accounts Adding new administrator accounts From the admin account, use the following pro