Date post: 23-Oct-2014
Upload: aldo-pizarro-espinoza
D-Link Security
2006 DFL-210/800/1600/2500 Technical Training
©Copyright 2006. All rights reserved. By D-Link HQ
Agenda
• Appliance Overview
• Firewall Concept
• Basic Configuration
• Scenario & Hands-on
• Troubleshooting
Appliance Overview: model of firewall
DFL-800 (back panel): WAN1, WAN2, LAN, DMZ, Console
Appliance Overview: model of firewall
DFL-1600 (back panel): WAN1, WAN2, LAN1, LAN2, LAN3, DMZ, Console
Appliance Overview: model of firewall
DFL-2500 (back panel): WAN1, WAN2, WAN3, WAN4, LAN1, LAN2, LAN3, DMZ, Console
Appliance Overview: characters of firewall (DFL-800, DFL-1600, DFL-2500)
• GUI: brand new and user-friendly, with no GUI confusion issues; a neater and more professional look for the firewall product line.
• ZoneDefense: a mechanism with D-Link switches that prevents threats from spreading.
• High Port Density and Giga Interface for the DFL-1600/2500.
• Advanced firewall features, including Transparent Mode and IDS, to ease the implementation.
Appliance Overview: LED panel
• LED: Power, System
• Keypad: keys for "Right", "Left", "Upper" and "Confirm"
• LCD Display: System Information, Traffic Monitor, Alert Monitor, Configuration Display
• Ethernet: auto-sensing copper ports (LAN port, WAN port and DMZ port)
• Console: serial console port, concealed look
Appliance Overview: LED panel, Setup Mode
• Enter the Setup Mode: press the keypad within 5 seconds after the firewall is switched on.
• Use the Left or Right button to select:
  1. Start Firewall: start the firewall system.
  2. Reset Firewall: reset the firewall to factory default.
• After resetting the firewall, choose "Start Firewall".
• If nothing is pressed within 5 seconds of switching on, the firewall enters Status Mode automatically.
Appliance Overview: LED panel, Status Mode
• Model name: displays the device model name.
• System Status: displays the system working status.
• CPU Load and Connections: show the CPU utilization and the number of concurrent sessions.
• Total BPS and PPS: concurrent traffic statistics in bits per second and packet statistics in packets per second.
• Date and Time: displays the device's current date and time.
• Uptime: time since the device booted up.
• Mem: system memory utilization.
• IDS Sigs: displays IDS signature information.
• WAN DMZ LAN: displays each interface's IP address.
• Core Version: displays the firewall firmware version.
Agenda
• Appliance Overview
• Firewall Concept
• Basic Configuration
• Scenario & Hands-on
• Troubleshooting
Firewall Concept: Questions
• What is a firewall?
• Which firewall is the safest?
– A firewall does not protect against application errors.
Firewall Concept: IP Start Communication
Client (port 1024) and Web Server (port 80):
(1.) 1024 -> 80 SYN
(2.) 1024 <- 80 SYN.ACK
(3.) 1024 -> 80 ACK
Connection established
SYN FLOOD
– 1. Sending a packet to the web server with the "SYN" flag. The client uses a fake IP address.
– 2. The server responds with a SYN.ACK. Then the server waits until the client responds with an ACK packet.
– 3. The client repeats step one until it is satisfied that the damage is done.
Firewall Concept: IP Start Communication
• More bits
– SYN – Synchronize = new connection
– ACK – Acknowledge = acknowledge that data has been received
– PSH – Push = "Push received data to the application layer now"
– URG – Urgent = urgent data, process first (Beg. 70)
– FIN – Finish = end the communication with a handshake
– RST – Reset = "Do not communicate with me!"
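The handshake and flag slides above describe what a stateful engine has to track to tell a completed connection from one stuck at step 2. The following is an added example, not code from the D-Link training deck: it decodes the TCP flags byte into the names listed above, follows each handshake through SYN_SENT, SYN_RECEIVED and ESTABLISHED, and counts the connections per server that never received the final ACK, which is the pattern a SYN flood leaves behind. The packet records are constructed sample data in the form (src_ip, src_port, dst_ip, dst_port, flags_byte); the addresses are taken from the deployment diagrams in this deck plus a documentation range for the spoofed sources.

```python
"""TCP flag decoding and half-open connection accounting.

Added example for the handshake and flag slides; it is not from the D-Link
training deck. The packet records are constructed sample data in the form
(src_ip, src_port, dst_ip, dst_port, flags_byte).
"""
from collections import defaultdict

# Bit values of the TCP flags byte (RFC 793), named as on the slide.
TCP_FLAGS = {0x02: "SYN", 0x10: "ACK", 0x08: "PSH", 0x20: "URG",
             0x01: "FIN", 0x04: "RST"}


def decode_flags(flags_byte):
    """Return the names of the flags set in a TCP flags byte, lowest bit first."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if flags_byte & bit]


def handshake_states(records):
    """Follow each three-way handshake the way a stateful engine would.

    Connections are keyed by the client's 4-tuple and move
    SYN_SENT -> SYN_RECEIVED (server's SYN.ACK) -> ESTABLISHED (client's ACK).
    A RST from either side removes the entry.
    """
    state = {}
    for src, sport, dst, dport, flags in records:
        names = set(decode_flags(flags))
        fwd = (src, sport, dst, dport)        # key as sent by the client
        rev = (dst, dport, src, sport)        # key as seen in the server's reply
        if "RST" in names:
            state.pop(fwd, None)
            state.pop(rev, None)
        elif names == {"SYN"}:                # step (1.)
            state[fwd] = "SYN_SENT"
        elif names == {"SYN", "ACK"}:         # step (2.)
            if state.get(rev) == "SYN_SENT":
                state[rev] = "SYN_RECEIVED"
        elif "ACK" in names:                  # step (3.), possibly ACK with PSH
            if state.get(fwd) == "SYN_RECEIVED":
                state[fwd] = "ESTABLISHED"
    return state


def half_open_per_server(records):
    """Count connections stuck before step (3.), per (server_ip, server_port)."""
    counts = defaultdict(int)
    for (_, _, server, port), st in handshake_states(records).items():
        if st != "ESTABLISHED":
            counts[(server, port)] += 1
    return dict(counts)


def syn_flood_suspects(records, threshold=3):
    """Servers whose half-open count reaches the threshold: the SYN flood pattern."""
    return {k: n for k, n in half_open_per_server(records).items() if n >= threshold}


# Constructed sample capture: one legitimate handshake from AdminPC 1 to the
# Corporate Web server of the deployment diagrams, then SYNs from spoofed
# addresses whose SYN.ACK replies are never acknowledged.
SAMPLE = [
    ("2.2.10.13", 1024, "2.2.100.2", 80, 0x02),    # (1.) SYN
    ("2.2.100.2", 80, "2.2.10.13", 1024, 0x12),    # (2.) SYN.ACK
    ("2.2.10.13", 1024, "2.2.100.2", 80, 0x10),    # (3.) ACK: established
]
for i in range(4):
    fake = "203.0.113.%d" % (10 + i)               # spoofed source, never replies
    SAMPLE.append((fake, 40000 + i, "2.2.100.2", 80, 0x02))
    SAMPLE.append(("2.2.100.2", 80, fake, 40000 + i, 0x12))

if __name__ == "__main__":
    print(decode_flags(0x12))                      # ['SYN', 'ACK']
    print(syn_flood_suspects(SAMPLE))              # {('2.2.100.2', 80): 4}
```

The legitimate handshake ends in ESTABLISHED and is not counted; the four spoofed handshakes stay in SYN_RECEIVED, which is exactly the state the server has to hold resources for. A firewall that tracks state can cap this count per server (and time entries out), which is what distinguishes stateful inspection from the packet filtering described on the following slides.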
Firewall Concept: Firewall deployments in a network
• Static Route: static routes are needed for the firewall to communicate with networks that are not locally attached on the same subnet.
• NAT: internal addresses are private addresses from RFC 1918. All private addresses are translated to a valid IP address before accessing the Internet.
• Transparent: no changes are required on any end station, router or server. Routing protocols can be configured to pass through the firewall in transparent mode. The firewall offers full firewall and VPN capabilities.
Firewall Concept: Firewall deployments in a network, Static Route (diagram)
• Firewall interfaces: LAN 2.2.10.1, DMZ 2.2.100.1, WAN 2.2.2.10; Internet Router 2.2.2.254
• Internal networks: Sales 2.2.20.0, Support 2.2.30.0, Marketing 2.2.40.0
• LAN hosts: Intranet Web 2.2.10.5, Corp Mail 2.2.10.6, Intranet DNS 2.2.10.7, AdminPC 1 2.2.10.13, AdminPC 2 2.2.10.18, AdminPC 3 2.2.10.33
• DMZ hosts: Corporate Web 2.2.100.2, Mail Relay 2.2.100.3, DMZ DNS 2.2.100.4
Firewall Concept: Firewall deployments in a network, NAT (diagram)
• Firewall interfaces: LAN 10.1.10.1, DMZ 2.2.100.1, WAN 2.2.2.10; Internet Router 2.2.2.254
• Internal networks: Sales 10.1.20.0, Support 10.1.30.0, Marketing 10.1.40.0
• LAN hosts: Intranet Web 10.1.10.5, Corp Mail 10.1.10.6, Intranet DNS 10.1.10.7, AdminPC 1 10.1.10.13, AdminPC 2 10.1.10.18, AdminPC 3 10.1.10.33
• DMZ hosts: Corporate Web 2.2.100.2, Mail Relay 2.2.100.3, DMZ DNS 2.2.100.4
Firewall Concept: Firewall deployments in a network, Transparent (diagram)
• Firewall interfaces: LAN 2.2.2.253, WAN 2.2.2.253, DMZ 2.2.2.253; Internet Router 2.2.2.254
• Internal networks: Sales 2.2.20.0, Support 2.2.30.0, Marketing 2.2.40.0
• LAN hosts: Intranet Web 2.2.2.5, Corp Mail 2.2.2.6, Intranet DNS 2.2.2.7, AdminPC 1 2.2.2.13, AdminPC 2 2.2.2.18, AdminPC 3 2.2.2.33
• DMZ hosts: Corporate Web 2.2.2.2, Mail Relay 2.2.2.3, DMZ DNS 2.2.2.4
Firewall Concept: Firewall Generations
• First generation – Packet filtering
• Second generation – Proxy
• Third generation – Stateful Inspection
• Fourth generation – IDS/IDP
Firewall Concept: 1. Packet Filtering
• Works at the IP & TCP level
• Disadvantages:
– Does not re-create fragmented packets
– Does not understand the relationship between packets
• Advantages:
– High speed of packet processing
OSI Model: 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical
Firewall Concept: 2. Proxy
• Receives packets, reads them and re-creates the packets
– No physical connection between the client and the server.
• Disadvantages:
– Slow
– The proxy must understand the application protocol
– Mostly based on a complex operating system
• Advantages:
– Attacks at the TCP/IP level will never penetrate into the protected network
– Able to analyze application data
• Able to strip things like ActiveX and Java.
OSI Model: 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical
Firewall Concept: 3. Stateful Inspection
• Re-creates fragmented packets
• Understands the relationship between packets
• Advantages:
– Does not need to understand the application data to work
– Great flexibility
– Better performance than a proxy
• Disadvantages:
– Harder to analyze the application data (but still possible)
OSI Model: 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical
Firewall Concept: 4. IDS/IDP
• Receives packets, reads them and re-creates the packets
– No physical connection between the client and the server.
• Disadvantages:
– Slow
– The proxy must understand the application protocol
– Mostly based on a complex operating system
• Advantages:
– Attacks at the TCP/IP level will never penetrate into the protected network
– Able to analyze application data
• Able to strip things like ActiveX and Java.
OSI Model: 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical
Firewall Concept: Packet flow (diagram)
Host IP 192.168.1.100 -> firewall (WAN IP 203.126.142.96) -> INTERNET
At the firewall: 1. Packet inspection 2. Priority processes 3. Allow? Drop? NAT? Reject?
Firewall Concept: Packet flow
• When traffic enters the firewall, it is inspected by VLAN first (if VLAN is used).
• The IDS rule is the primary filter, configured to allow or disallow certain types of network traffic through the firewall.
• The traffic is then inspected by the IP rules and the routing rules.
• After that, the traffic is inspected by ZoneDefense and Traffic Shaping.
Firewall Concept: Packet flow (flowchart)
1. Inbound packet: VLAN packet? Yes -> de-capsulate.
2. Basic sanity checks, including verification of the IP header: failed -> Drop.
3. Check IDS signatures: signature matched -> Drop.
4. Fragment? Yes -> process fragment (Drop on failure).
5. Found matching connection? Yes -> verify TCP/UDP header (failed -> Drop) -> Traffic Shaping -> ZD -> forward packet.
6. No -> Apply Rules: Route -> IP -> SAT_ApplyRulePack -> DestIP = FW?
– Allow/NAT/SAT -> open connection -> Traffic Shaping -> ZD -> forward packet
– FwdFast/SAT -> Traffic Shaping -> forward packet
– otherwise -> Drop
Agenda
• Appliance Overview
• Firewall Concept
• Basic Configuration
• Scenario & Hands-on
• Troubleshooting
Basic Configuration: Default Interface Attribute Definition
• DFL-800: Web UI at http://192.168.1.1; LAN can be managed and pinged; DHCP is disabled on the firewall.
• DFL-1600: Web UI at http://192.168.1.1; LAN1 can be managed and pinged; DHCP is disabled on the firewall.
• DFL-2500: Web UI at http://192.168.1.1; LAN1 can be managed and pinged; DHCP is disabled on the firewall.
Basic Configuration: design concept of the UI
• If a rule or object is created without hitting the "OK" button, the user must hit the "Cancel" button; otherwise that rule or object stays in the list, named "untitle".
• Traffic is examined against the rules in the order they were created, from top down.
• Right-clicking a rule or object and selecting Delete shows a strike-through line on that rule or object.
• The "Save and Activate" button is not available while an "untitle" rule or object has not been deleted.
• After clicking "Save and Activate", you must reconnect to the firewall within 30 seconds (default setting) for the configuration changes to be finalized. If this fails, the unit reverts to its previous configuration. The reconnection time is adjustable.
Basic Configuration
• Configure a static IP address on your laptop or PC.
• The user is authenticated before logging in to the firewall.
• Default login: admin, Password: admin
• The user is presented with:
– Menu Bar
– Tree View List
– Main Window
Basic Configuration: Web UI layout (screenshot)
• Menu Bar
• Tree View List
• Main Window
Basic Configuration: Web UI screens (screenshots)
• UI of System
• UI of Object
• UI of Rules
• UI of Interfaces
• UI of Routing
• UI of IDS/IDP
• UI of User Authentication
• UI of Traffic Shaping
• UI of ZoneDefense
Basic Configuration: Three Steps to Configure
1. Create and verify the object
2. Create the rule (IP rule, IDS rule, user authentication rule and Pipes rule)
3. Create and verify the routing rule
Basic Configuration: First Step to Configure
1. Create and verify the object
The most important element in firewall configuration is the OBJECT. Objects are basic network elements defined in the firewall: a list of symbolic names associated with various types of addresses, including the IP addresses of hosts and networks.
Object items are heavily used throughout a firewall configuration: in routing tables, the rule-set, interface definitions and VPN tunnels, among others.
Basic Configuration: Objects – Address Book
• Hosts & Networks configuration items are symbolic names for IP networks.
Basic Configuration: Objects – ALG
• ALGs are designed to manage specific protocols.
• They examine the payload data and carry out appropriate actions based on defined rules.
• The appropriate Application Layer Gateway definition is selected in a Service configuration item. Network traffic which matches the service definition will thus be managed by the selected Application Layer Gateway.
Basic Configuration: Objects – Services
• A service is the definition of a specific IP protocol with corresponding parameters. The service http, for instance, is defined as using the TCP protocol with destination port 80.
Basic Configuration: Objects – Schedules
• A Schedule allows the firewall rules it is attached to be used only at the designated times. Traffic outside the scheduled time slot does not follow those rules and is therefore unlikely to be permitted to pass through the firewall.
Basic Configuration: Objects – Certificate
• A certificate is a digital proof of identity. It links an identity to a public key in a trustworthy manner. Certificates can be used to authenticate individual users or other entities; these types of certificates are commonly called end-entity certificates.
Basic Configuration: Second Step to Configure
2. Create the rule
The Rules configuration section represents the rule-set, the "heart" of the firewall. The rule-set is the primary filter which is configured to allow or disallow certain types of network traffic through the firewall. The rule-set also regulates how address translation and bandwidth management (traffic shaping) are applied to traffic flowing through the firewall.
Basic Configuration: IP Rules – Drop
• Packets matching Drop rules are immediately dropped. Such packets are logged if logging has been enabled in the Log Settings page.
Diagram: DROP RULE -> packet dropped -> DROPPING LOG
Basic Configuration: IP Rules – Reject
• Reject works basically the same way as Drop. In addition, the firewall sends an ICMP UNREACHABLE message back to the sender or, if the rejected packet is a TCP packet, a TCP RST message.
Diagram: REJECT RULE -> ICMP Unreachable or TCP RST back to the sender -> REJECTING LOG
Basic Configuration: IP Rules – FwdFast
• Packets matching FwdFast rules are allowed through immediately.
• The firewall does not memorize the open connections and does not statefully inspect traffic which has passed through it.
• For one single packet, this is indeed faster than first having to open a state-tracked connection and then passing the packet to it. But when several packets pass over the same connection, state tracking (Allow) is faster.
Diagram: packets matching FwdFast rules pass to the INTERNET with no stateful traffic inspection (the firewall does not remember open connections). Remember that there needs to be a FwdFast rule in each direction.
Note: Allow is usually faster than FwdFast.
Basic Configuration: IP Rules – Allow
• Packets matching Allow rules are passed to the stateful inspection engine, which memorizes that a connection has been opened.
• Rules for return traffic are not required, as traffic belonging to open connections is automatically dealt with before it reaches the rule-set.
Diagram: packets matching Allow rules pass to the INTERNET with logging & stateful inspection.
Basic Configuration: IP Rules – SAT
• Nothing happens when a packet first matches a SAT rule.
• The firewall memorizes where to send the traffic and continues to look for a matching rule that allows the packet to pass; the static address translation is performed at that stage.
Diagram: an Internet client ("I want the file from the FTP server") connects to public_ip 220.255.14.123; the firewall (WAN IP 203.126.142.100) redirects the connection to the FTP SERVER at private_ip 172.16.1.100 in the DMZ.
The public_ip should be bound to the WAN of the firewall first; redirect_address is used to redirect incoming connections from public_ip to private_ip.
Basic Configuration: IP Rules – NAT
• NAT rules perform dynamic address translation; NAT hides the sender address.
• Mostly used to hide all machines on a protected network so that they appear to the outside world as if they use a single IP address.
Diagram: Network Address Translation; host IP 192.168.1.100 -> firewall WAN IP 203.126.142.96 -> INTERNET
Basic Configuration: Third Step to Configure
3. Create and verify the routing rule
Main Route: the Routes configuration section describes the firewall's routing table. The firewall uses a slightly different way of describing routes compared to most other systems.
Policy-Based Route: the rules in the PBR rule-set are able to specify which routing table is to be used in the forward as well as the return direction (select routing priority).
Basic Configuration: Main Routing Table
• Routing tells the firewall in which direction it should send packets destined for a given IP address.
Basic Configuration: Policy Based Routing
• Connect to two or more ISPs and accept inbound connections from all of them. Return traffic is routed back through the ISP that delivered the incoming request.
• Route certain protocols through transparent proxies such as web caches and anti-virus scanners, without adding another point of failure for the network as a whole.
• Create provider-independent metropolitan area networks, i.e. ones where all users share a common active backbone but are able to use different ISPs, subscribe to different streaming media providers, etc.
Basic Configuration: Policy Based Routing (diagram)
Intranet 192.168.1.0/24 and Extranet 192.168.174.0/24 behind the firewall; WAN1 and WAN2 towards the Internet; DMZ.
Agenda
• Appliance Overview
• Firewall Concept
• Basic Configuration
• Scenario & Hands-on
• Troubleshooting
Scenario & Hands-on
1. Basic Configuration (WAN/LAN/DMZ, transparent mode)
2. Configure Load Sharing and Route Failover (using 2 WANs)
3. Configure ZoneDefense
4. Port mapping for servers (SAT and server load balancing)
5. Runtime Authentication configuration
6. Traffic shaping
7. Configure VPN tunnels (PPTP, L2TP and IPsec)
Scenario & Hands-on: topology with all scenarios accomplished (diagram)
• DFL-1600: WAN1 (DHCP), WAN2 (Static IP); Internal LAN1 192.168.1.0/24, Internal LAN2 192.168.2.0/24, Internal LAN3 192.168.3.0/24; DMZ with FTP Server 172.16.1.1
• DFL-800 (remote site): WAN1 192.168.174.71/24; Remote LAN (Internal LAN) 192.168.10.0/24
• IPSec VPN Tunnel between the two firewalls
Hands on: 1. Basic Configuration 2. Load Sharing and Route Failover 3. ZoneDefense 4. Port mapping for server 5. User Authentication 6. Traffic Shaping 7. VPN tunnel
Scenario & Hands-on: network topology for hands-on (diagram)
Groups G1, G2, G3 and G4 each connect their WAN1 port to the main switch; the main switch connects to the Internet.
Scenario & Hands-on: network topology for every group (diagram)
Four persons in one group. The LAN1 port connects to the group switch, which connects to the main switch.
Scenario & Hands-on 1: Basic Configuration
(Configure the WAN type, modify the IP address of the LAN and enable transparent mode)
Topology: Internal LAN1 192.168.3.1/24, Internal LAN2 192.168.5.1/24, Internal LAN3 192.168.7.1/24, Internal DMZ 172.17.100.1/24; WAN1 via PPPoE, DHCP or Static IP 192.168.174.70/24
Objective:
• How to modify the IP address for LAN and DMZ in Object
• How to use DHCP, Static IP and PPPoE to access the Internet
• How to enable transparent mode
Scenario & Hands-on 1-1 Basic Configuration: Modify IP address for LAN and DMZ
Network topology: Internal LAN1 192.168.3.1/24, Internal LAN2 192.168.5.1/24, Internal LAN3 192.168.7.1/24, Internal DMZ 172.17.100.1/24 (DFL-800, DFL-1600, DFL-2500)
Notes:
• The DFL-800 only has LAN and DMZ; the DFL-1600/2500 have LAN1, LAN2, LAN3 and DMZ.
• Pay attention to the default manageable status and confirm the connecting port.
• Bind a secondary IP address to match the new network IP segment. After configuration, use the new LAN IP address as the default gateway on the laptop.
Scenario & Hands-on 1-1 Basic Configuration: Modify IP address for LAN and DMZ
Objectives: reach the LAN1 IP address successfully (ping) or manage the Web UI by the new IP address.
The logic of the configuration:
• Bind a secondary IP address to match the new network IP segment.
• After configuration, use the new LAN IP address as the default gateway on your laptop.
• Modify the IP address and network objects in the address book of Object.
Scenario & Hands-on: bind two IP addresses on one NIC (screenshots, steps 1–6)
Scenario & Hands-on 1-1 Basic Configuration: Modify IP address for LAN and DMZ
Use a web browser such as Internet Explorer 6 or Firefox 1.0 to connect to the Web UI.
Scenario & Hands-on 1-1 Basic Configuration: Modify IP address for LAN and DMZ (steps)
1. Change the IP address in the address book of Object: click "Interface Addresses" in Object and key in the correct IP address and network.
2. Alternatively, change the IP address in the address book of Object or in Ethernet under Interface: key in the correct IP address and network.
3. After all configuration is done, click "Configuration" in the main bar, then click "Save and Activate".
Scenario & Hands-on 1-1 Basic Configuration: Modify IP address for LAN and DMZ
Testing result: ping the LAN IP address.
Scenario & Hands-on 1-1: how to modify the Web UI reconnection time
After you click "Save and Activate" you can adjust the reconnection time: click "Click here to edit the configuration verification timeout."
Scenario & Hands-on 1-1 Basic Configuration: Modify IP address for LAN and DMZ
Use the new LAN IP address as the default gateway on the laptop (screenshots, steps 1–8).
86
Scenario & Hands-on 1-1 Exercise 1-1- Modify IP address for LAN and DMZ
Internal LAN1
Objective:
1. Change IP address of LAN1
2. Ping the new IP address of LAN1 and access to Web UI by new IP successfully
Internal LAN2
Internal LAN3
Internal DMZ
LAN1 IP:Group A(1): 192.168.10.1/24Group B(2):192.168.20.1/24 . .Group I(9): 192.168.90.1/24
Group J(10): 192.168.100.1/24
Scenario & Hands-on 1-2 Basic Configuration: Transparent mode
Network topology: Internal LAN1 192.168.174.70/24 and WAN1 192.168.174.70/24 on the same segment; other addresses in the segment: 192.168.174.71/24, 192.168.174.72/24
Note:
• Configure the default gateway.
• Configure DHCP relay if the firewall is in a DHCP environment.
Scenario & Hands-on 1-2 Basic Configuration: Transparent mode
Objectives:
• Implement the firewall in transparent mode without changing the existing network settings.
• Allow or deny specific services and traffic (allow WAN1 to LAN1 for the ICMP service, allow LAN1 to WAN1 for all services).
The logic of the configuration:
• Enable transparent mode.
• Configure IP rules and objects in the firewall.
• Bind a secondary IP address to match the new network IP segment.
Scenario & Hands-on 1-2 Basic Configuration: Transparent mode (steps)
1. Configure the IP objects in the address book of Object to the same segment: click "Address Book" in Object and configure the IP addresses of WAN1 and LAN1.
2. Enable transparent mode for WAN1: click "Ethernet" under "Interfaces", enable transparent mode on the WAN1 interface, add the gateway object to "Default Gateway", and disable "Add route for interface network".
3. Enable transparent mode for LAN1: click "Ethernet" under "Interfaces", enable transparent mode on the LAN1 interface, and disable "Add route for interface network".
4. Add the service rules under IP rules (WAN1 to LAN1 and LAN1 to WAN1): click "IP Rules" in Rules and choose the correct Action, Service, Interface and Network for each rule.
5. Create the DHCP relay for LAN1 to WAN1: click "DHCP Relays" under "System" > "DHCP Settings" and choose the correct Action, Service, Interface and Network for the rule.
6. After all configuration, click "Configuration" in the main bar, then click "Save and Activate".
Scenario & Hands-on 1-2 Basic Configuration: Transparent mode
Testing result: get an IP address from the DHCP server and ping the gateway.
Scenario & Hands-on 1-2 Exercise 1-2: Transparent mode
Objectives:
1. Enable transparent mode
2. Allow ping from WAN to LAN
3. Allow all services from LAN to WAN
WAN1 IP / LAN1 IP: Group1: 192.168.200.1/24 / 192.168.200.1/24; Group2: 192.168.200.2/24 / 192.168.200.2/24; ...; Group9: 192.168.200.9/24 / 192.168.200.9/24; Group10: 192.168.200.10/24 / 192.168.200.10/24
DHCP server IP address: 192.168.200.254
Scenario & Hands-on 1-3 Basic Configuration: WAN type – Static IP
Network topology: Internal LAN1 192.168.3.1/24; WAN1 (Static) 192.168.174.70/24; WAN1 gateway 192.168.174.254/24
Note: configure the default gateway.
Objectives: configure the WAN type with a static IP address.
The logic of the configuration:
• Before configuring the WAN type with a static IP, reset the device to default.
• Create an object for the WAN1 gateway and apply it to the WAN1 interface.
• Choose the correct Action, Service, Interface and Network for the rule.
Scenario & Hands-on 1-3 Basic Configuration: WAN type – Static IP (steps)
1. Create the correct gateway object under "Address Book": click "Address Book" under "Object", add an object for IP4 Host/Network, and verify the IP addresses of wan1_ip and wan1net.
2. Apply the gateway object to the WAN interface: click "Ethernet" under "Interfaces" and add the gateway object as "Default Gateway".
3. Create the service rule in IP rules: click "IP Rules" under "Rules" and choose the correct Action, Service, Interface and Network for the rule.
4. After all configuration, click "Configuration" in the main bar, then click "Save and Activate".
Scenario & Hands-on 1-3 Basic Configuration: WAN type – Static IP
Testing result: ping to the Internet (tw.yahoo.com).
Scenario & Hands-on 1-3 Exercise 1-3: WAN type – Static IP
Topology: Internal LAN1 (group private IP); WAN1 (group IP)
Objective:
1. Change the WAN type to a static IP address using the following IP addresses
2. Use "NAT" mode to access the Internet
LAN1: Group1: 192.168.10.1/24; Group2: 192.168.20.1/24; ...; Group9: 192.168.90.1/24; Group10: 192.168.100.1/24
WAN1: Group1: 192.168.200.1/24; Group2: 192.168.200.2/24; ...; Group9: 192.168.200.9/24; Group10: 192.168.200.10/24
WAN1 gateway: 192.168.200.254
Scenario & Hands-on 1-4 Basic Configuration: WAN type – PPPoE
Network topology: Internal LAN1 192.168.3.1/24; WAN1 via PPPoE
Note: configure the PPPoE tunnel and apply the PPPoE tunnel to the IP rule.
Objectives: configure the WAN type as a PPPoE tunnel to access the Internet in NAT mode.
The logic of the configuration:
• Create a PPPoE tunnel and apply it to the IP rule.
• Choose the correct Action, Service, Interface and Network for the rule.
Scenario & Hands-on 1-4 Basic Configuration: WAN type – PPPoE (steps)
1. Create an object for the PPPoE rule in "PPPoE Tunnels" under "Interfaces": click "PPPoE Tunnels" under "Interfaces" and set the correct Physical Interface, Remote Network, Username and Password in the object.
2. Create the IP rule: click "IP Rules" under "Rules" and choose the correct Action, Service, Interface and Network for the rule.
3. After all configuration, click "Configuration" in the main bar, then click "Save and Activate".
Scenario & Hands-on 1-4 Basic Configuration: WAN type – PPPoE
Testing result: ping to the Internet (tw.yahoo.com).
Scenario & Hands-on 1-4 Exercise 1-4: WAN type – PPPoE
Topology: Internal LAN1 192.168.3.1/24; WAN1 via PPPoE
Objective:
1. Configure the WAN type as a PPPoE tunnel so that local users can access the Internet
Scenario & Hands-on 1-5 Basic Configuration: WAN type – DHCP
Network topology: Internal LAN1 192.168.3.1/24; WAN1 via DHCP
Note: enable the DHCP client on the WAN interface.
Objectives: dynamically assign an IP address to the WAN interface so that local users can access the Internet by NAT.
The logic of the configuration:
• Enable "DHCP Client" in Interface.
• Create the IP rule and choose the correct Action, Service, Interface and Network for the rule.
Scenario & Hands-on 1-5 Basic Configuration: WAN type – DHCP (steps)
1. Enable the DHCP client in "Ethernet" under "Interfaces": click "Ethernet" under "Interfaces" and enable "DHCP Client".
2. Create the service rule in "IP Rules": click "IP Rules" in Rules and choose the correct Action, Service, Interface and Network for the rule.
3. After all configuration, click "Configuration" in the main bar, then click "Save and Activate".
Scenario & Hands-on 1-5 Basic Configuration: WAN type – DHCP
Testing result: verify the WAN IP from "Status" in the tool bar.
Scenario & Hands-on 1-5 Exercise 1-5: WAN type – DHCP
Topology: Internal LAN1 192.168.3.1/24; WAN1 connected to a DHCP server
Objective:
1. Dynamically assign an IP address to the WAN interface so that local users can access the Internet
Scenario & Hands-on 2-1: WAN Failover
Network topology: Internal LAN1 192.168.1.0/16, Internal LAN2 192.168.2.0/24, Internal LAN3 192.168.3.0/24; WAN1 via DHCP; WAN2 (static IP) 192.168.174.70/24 with WAN2 gateway 192.168.174.254
Note:
• Manually add the default route in the main routing table.
• Enable the "Monitor" feature on the routes; WAN2 is the backup link.
Objectives:
• WAN1 is the main link, WAN2 is the backup link.
• When WAN1 is disconnected, all traffic goes through WAN2 to the Internet.
• When WAN1 is back to normal, all traffic goes through WAN1 to the Internet.
The logic of the configuration:
• Create the routing policy in the main routing table.
• Apply the routing policy to both the DHCP and the static IP WAN connections.
• Create the IP rule and choose the correct Action, Service, Interface and Network for the rule.
D-Link Security
121
Enable the DHCP client in “Ethernet” under “Interfaces”
•Click “Ethernet” in Interface
•Uncheck “Add default route if default gateway is specified”
1 2 3 4 5 6 7Scenario & Hands-on 2-1
WAN Failover 8
1
2
3
D-Link Security
122
Create the correct gateway object in “Address Book” under “Object” (WAN2)
•Click “address book” in Object
•Add the object for IP4 Host/Network
•Modify wan2_ip and wan2net
1 2 3 4 5 6 7Scenario & Hands-on 2-1
WAN Failover 8
D-Link Security
123
Apply the gateway object to WAN Interface and disable “add default route”
•Click “Ethernet” in Interface
•Disable default route in Interface
Combine WAN1 and WAN2 into one WAN interface group
• Click “Interface Groups” under “Interfaces”
• Create the group object and choose WAN1 and WAN2
Create the IP rule for the WAN group
• Click “IP Rule” under “Rules”
• Choose the correct Action, Service, Interface and Network for the rule
Create the WAN1 route and enable “Monitor this route”
• Click “Main Routing Table” under “Routing”
• Create the route for WAN1
• Give it the lower metric value and enable “Monitor this route”
Create the WAN2 route and enable “Monitor this route”
• Click “Main Routing Table” under “Routing”
• Create the route for WAN2
• Give it the higher metric value and enable “Monitor this route”
Scenario & Hands-on 2-1 WAN Failover
After completing the configuration, click “Configuration” in the main bar
• Click “Save and Activate”
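The failover behaviour these steps configure, as an added simulation that is not D-Link code: two monitored default routes with different metrics, and the route the firewall would pick after each link event. The interface names, the metric values 90 and 100 and the link events are assumptions; the WAN2 gateway is the one from the topology.

```python
"""Simulation of the main routing table behaviour in scenario 2-1
(constructed example, not D-Link firmware): two default routes with
different metrics and "monitor this route" enabled. The lowest-metric route
whose monitor reports the link up is used; when that link fails the next
metric takes over, and traffic returns when the link recovers.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    interface: str
    network: str            # destination; "0.0.0.0/0" is the default route
    gateway: Optional[str]  # None for a DHCP WAN, where the gateway is learned
    metric: int             # lower value is preferred
    monitored: bool         # "monitor this route" enabled


# WAN1 via DHCP is preferred, WAN2 (static) is the backup.
# Metric values are assumptions; the slides only say "lower" and "higher".
MAIN_ROUTING_TABLE = [
    Route("wan1", "0.0.0.0/0", None, metric=90, monitored=True),
    Route("wan2", "0.0.0.0/0", "192.168.174.254", metric=100, monitored=True),
]


def select_route(routes, link_up, network="0.0.0.0/0"):
    """Return the preferred usable route for `network`, or None.

    `link_up` maps interface name -> bool as reported by route monitoring.
    A monitored route whose link is down is skipped; an unmonitored route is
    always considered usable, which is why monitoring must be enabled on
    both WAN routes for failover and failback to work.
    """
    candidates = [
        r for r in routes
        if r.network == network
        and (not r.monitored or link_up.get(r.interface, False))
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda r: r.metric)


def failover_timeline(routes, events):
    """Replay (interface, is_up) link events and record the egress interface
    chosen after each one (None when no default route is usable)."""
    link_up = {r.interface: True for r in routes}
    chosen = []
    for iface, is_up in events:
        link_up[iface] = is_up
        route = select_route(routes, link_up)
        chosen.append(route.interface if route else None)
    return chosen


if __name__ == "__main__":
    # Constructed link events: WAN1 fails, recovers, then WAN2 fails, then WAN1.
    events = [("wan1", False), ("wan1", True), ("wan2", False), ("wan1", False)]
    print(failover_timeline(MAIN_ROUTING_TABLE, events))
```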
Scenario & Hands-on 2-1 Exercise 2-1 - WAN Failover
Internal LAN1: group IP
WAN1: DHCP
WAN2: group IP (static IP)
Objectives:
1. WAN1 is the main link, WAN2 is the backup link
2. When WAN1 is disconnected, all traffic fails over to WAN2
Group addresses (WAN2 / LAN1):
Group1: 10.2.1.1/24 / 192.168.10.1/24
Group2: 10.2.1.2/24 / 192.168.20.1/24
. . . .
Group9: 10.2.1.9/24 / 192.168.90.1/24
Group10: 10.2.1.10/24 / 192.168.100.1/24
WAN2 gateway: 10.2.1.254
Scenario & Hands-on 2-2 Load Sharing and WAN failover
Network topology
Internal LAN1 IP: 192.168.1.0/16
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
WAN1: DHCP
WAN2 (static IP): 192.168.174.70/24, WAN2 gateway: 192.168.174.254
Notes:
• Create the PBR table and apply it in a routing policy
Scenario & Hands-on 2-2 Load Sharing and WAN failover
Objectives
• All services go through WAN1, but the FTP service and a specific IP range go through WAN2
• When WAN1 is disconnected, all traffic will go through WAN2 to the Internet
• When WAN1 is back to normal, all traffic will go through WAN1 to the Internet
• When WAN2 is disconnected, the specified traffic and service can reach the Internet by WAN1
The Logic of Configuration
• Modify the PBR routing table and the routing rule
Create the IP address object specifically for LAN1
• Click “Address Book” under “Objects”
• Click “Ethernet” under “Interfaces”
Add the WAN2 (static) route in the PBR table
• Click “PBR Table” under “Routing”
• Choose the higher metric in the PBR table and enable the monitor function
Add the routing rule for WAN1 in PBR
• Click “PBR Policy” under “Routing”
• Choose the correct Forward table, Return table, interface and network
Scenario & Hands-on 2-2 Load Sharing and WAN failover
After completing the configuration, click “Configuration” in the main bar
• Click “Save and Activate”
Scenario & Hands-on 2-2 Exercise 2-2 - Load Sharing
Internal LAN1 IP: 192.168.x.0/24
WAN1: DHCP
WAN2: static IP
Objectives:
1. For load sharing: ping-outbound and the specific IP range 192.168.X.10-100 go out through WAN2; all other services reach the Internet through WAN1.
2. For failover: when any WAN cable is unplugged, users can still access the Internet via the other WAN port.
How to enable the “tracer” function (1): modify the TTL Min value to 1
• Click “IP Settings” under “Advanced Settings” in “System”
• Key in the smallest value (1)
How to enable the “tracer” function (2): enable “Pass returned from ICMP error messages from destination”
• Click “Services” under “Objects” and choose the “all_icmp” object
• Enable “Pass returned from ICMP error messages from destination”
Scenario & Hands-on 3 ZoneDefense
(Diagram: a firewall with WAN, DMZ and subnets A, B and C; an infected host sits in subnet A)
When an infected host starts spreading a worm into the network, the firewall can stop the malicious traffic from flooding other subnets, but it has no way to stop the host infecting its own subnet (subnet A).
The most effective solution: the firewall triggers ACLs in the LAN switches to filter any malicious traffic it finds in real time, setting an ACL that blocks the specific MAC or IP address.
D-Link firewalls implement the ZoneDefense feature to perform proactive network security together with D-Link switches:
• DES-3x26S
• DES-3350SR
• DES-3250TG
• DES-3500 series
• DES-3800 series (xStack series)
Scenario & Hands-on 3 ZoneDefense
• Unique to D-Link: it works with D-Link switches to isolate an infected host that is generating unusual traffic on the LAN
• Uses threshold rules to examine connections through the firewall and take action on them; the threshold rules monitor the number of connections per second
• When a predefined limit is reached, the firewall sends block requests to the switches configured for ZoneDefense
Scenario & Hands-on 3 ZoneDefense
Network topology
WAN1 IP: 192.168.174.70/24
LAN1 IP: 192.168.1.1/24
Switch: DGS-3324SR, IP 192.168.1.250/24, with PCs attached
Block HTTP requests exceeding 4 sessions for every host
Note:
• Verify the model of the supporting switch
• Verify the IP address of the switch
• Verify the SNMP community between the switch and the firewall
Scenario & Hands-on 3 ZoneDefense
Objectives
• When the traffic of any host exceeds 4 sessions, the switch creates an ACL rule, triggered by the firewall, to block the offending traffic
The Logic of Configuration
• Configure the switch
• Choose the correct switch model
• Exclude the switch and the administrator
• Create and configure the threshold rule
Scenario & Hands-on 3 ZoneDefense
Reset the switch to default and configure its IP address
• Use the switch CLI
• Key in “reset config”
• Key in “config ipif System ipaddress 192.168.1.250/24”
Verify communication between the firewall and the switch and inspect the SNMP community on the switch
• Use the switch CLI
• Key in “show snmp community”
Create IP address objects for the switch and the administrator
• Click “Address Book” under “Objects”
• Add an IP4 Host/Network object for each
Create the switch object in ZoneDefense
• Click “Switches” under “ZoneDefense”
• Choose the correct switch model and key in the SNMP community
• Verify that the firewall can communicate with the switch
Exclude the switch and the administrator
• Click “Exclude” under “ZoneDefense”
• Choose the correct address objects
Create the threshold rule in ZoneDefense
• Click “Threshold” under “ZoneDefense”
• Choose the correct interface and network
• Key in the threshold condition (the host-based value must be smaller than the network-based value)
Scenario & Hands-on 3 ZoneDefense
After completing the configuration, click “Configuration” in the main bar
• Click “Save and Activate”
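The threshold logic the rule above configures, as an added model that is not the DFL firmware: connections are counted per host and per network in one-second windows, a host above the host limit produces a block request addressed to the switch, and excluded addresses are never blocked. The connection log, the administrator address 192.168.1.10 and the network threshold of 20 are constructed assumptions; the switch IP and the 4-session host limit come from the scenario.

```python
"""Threshold-rule logic behind ZoneDefense, as a constructed model (not the
DFL firmware): HTTP connections are counted per source host and per network
in one-second windows; a host that exceeds the host threshold gets a block
request addressed to the switch, unless the host is on the exclude list.
"""
from collections import defaultdict

SERVICE_PORT = 80          # the scenario thresholds HTTP requests
HOST_THRESHOLD = 4         # "block HTTP requests exceeding 4 sessions per host"
NETWORK_THRESHOLD = 20     # assumption; the slides only require it to be larger
SWITCH_IP = "192.168.1.250"
ADMIN_IP = "192.168.1.10"  # assumed administrator workstation
EXCLUDED = {SWITCH_IP, ADMIN_IP}   # "Exclude the switch and the administrator"

# Constructed connection log: (second, source IP, destination port)
CONNECTIONS = (
    [(1, "192.168.1.20", 80)] * 6      # worm-like host: 6 HTTP sessions in 1 s
    + [(1, "192.168.1.21", 80)] * 3    # normal browsing, under the threshold
    + [(1, "192.168.1.21", 21)] * 5    # FTP is not the thresholded service
    + [(1, ADMIN_IP, 80)] * 7          # admin exceeds too, but is excluded
    + [(2, "192.168.1.20", 80)] * 5    # same host again one second later
)


def validate_thresholds(host_threshold, network_threshold):
    """The GUI check from the slides: the host-based value must be smaller
    than the network-based value, otherwise the network condition fires
    before any single host can be singled out."""
    if host_threshold >= network_threshold:
        raise ValueError("host threshold must be smaller than network threshold")
    return True


def evaluate_threshold_rule(connections, service_port=SERVICE_PORT,
                            host_threshold=HOST_THRESHOLD,
                            network_threshold=NETWORK_THRESHOLD,
                            excluded=EXCLUDED, switch_ip=SWITCH_IP):
    """Return (block_requests, network_alerts).

    block_requests: one dict per offending host, for the first second in
    which it exceeded the limit; this is what the firewall would send to the
    switch as an ACL request.
    network_alerts: seconds in which the whole segment exceeded the network
    threshold (the slides set the value but do not describe its action, so
    it is only reported here).
    """
    validate_thresholds(host_threshold, network_threshold)
    per_host = defaultdict(int)   # (second, src) -> new connections
    per_net = defaultdict(int)    # second -> new connections
    for second, src, port in connections:
        if port != service_port:
            continue
        per_host[(second, src)] += 1
        per_net[second] += 1

    block_requests, already_blocked = [], set()
    for (second, src), count in sorted(per_host.items()):
        if count <= host_threshold or src in excluded or src in already_blocked:
            continue
        already_blocked.add(src)
        block_requests.append({"switch": switch_ip, "block_ip": src,
                               "second": second, "sessions": count})
    network_alerts = [s for s, n in sorted(per_net.items()) if n > network_threshold]
    return block_requests, network_alerts


if __name__ == "__main__":
    print(evaluate_threshold_rule(CONNECTIONS))
```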
Scenario & Hands-on 3 ZoneDefense
Testing result
• Block status from the firewall
• Block status from the switch
Scenario & Hands-on 3 Exercise 3 - ZoneDefense
WAN1: DHCP
LAN1 IP: group IP address
Switch: DGS-3324SR, with an IP in the same segment as the LAN1 IP, with PCs attached
Objective:
1. When the web traffic of any host exceeds 2 sessions, the switch creates an ACL rule, triggered by the firewall, to block the offending traffic
Scenario & Hands-on 4-1 Port mapping for server
Network topology
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
WAN1 IP: 192.168.174.70/24
FTP server public IP: 192.168.174.71/24
FTP server (DMZ): 172.16.1.1
Note:
• Add the additional public IP address in the “ARP Table”
• Verify the sequence of the IP rules
Scenario & Hands-on 4-1 Port mapping for server
Objectives
• Access the FTP server by its public IP address (192.168.174.71)
The Logic of Configuration
• Create objects for the public and the private IP address of the FTP server
• Create the ARP object in the ARP Table
• Create the IP rules (SAT and Allow) for the FTP server
Add objects for both the public and the virtual (private) IP address of the FTP server
• Click “Address Book” under “Objects”
• Key in the correct IP addresses
Create the object in the ARP Table
• Click “ARP Table” under “Interfaces”
• Apply the object with the FTP server’s public IP address
Create the IP rule that maps the FTP server (SAT)
• Click “IP Rule” under “Rules”
• Choose the correct Action, Service, Interface, SAT setting and Network for the rule
Create the IP rule that allows the FTP server (Allow FTP)
• Click “IP Rule” under “Rules”
• Choose the correct Action, Service, Interface and Network for the rule
Scenario & Hands-on 4-1 Port mapping for server
After completing the configuration, click “Configuration” in the main bar
• Click “Save and Activate”
Scenario & Hands-on 4-1 Port mapping for server
Testing result: the FTP server can be reached from the public address (see topology)
Scenario & Hands-on 4-1 Exercise 4-1 - Port mapping for server
WAN1: DHCP
FTP server public IP: group public IP address
FTP server private IP: group private IP (DMZ)
Objective:
1. Access the FTP server by the group’s public IP address successfully
FTP server public IP: Group1: 192.168.200.51/24, Group2: 192.168.200.52/24, . . Group9: 192.168.200.59/24, Group10: 192.168.200.60/24
FTP server private IP: 172.17.100.1/24
DMZ IP: 172.17.100.254 (DFL-800: port DMZ; DFL-1600: port #3; DFL-2500: port #5)
Scenario & Hands-on 4-2 SAT in PPPoE connection
Network topology
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
WAN1: PPPoE
FTP server (DMZ): 172.16.1.1
Note:
• Add the PPPoE tunnel under “Interfaces”
• Verify the sequence of the IP rules
Scenario & Hands-on 4-2 SAT in PPPoE connection
Objectives
• When a PPPoE connection is used, the internal FTP server can be accessed from the public network
The Logic of Configuration
• Create the PPPoE connection object
• Create the private IP address object for the FTP server
• Create the IP rules (SAT and Allow) for the FTP server
Create the PPPoE connection object in “PPPoE Tunnels” under “Interfaces”
• Click “PPPoE Tunnels” under “Interfaces”
• Apply the correct Physical Interface, Remote Network, Username and Password in the object
Add the virtual (private) IP address object for the FTP server
• Click “Address Book” under “Objects”
• Key in the correct IP address
With a PPPoE connection, create the IP rule that maps the FTP server (SAT) on the PPPoE interface
• Click “IP Rule” under “Rules”
• Choose the correct Action, Service, Interface, SAT setting and Network for the rule
Create the IP rule that allows the FTP server (Allow FTP)
• Click “IP Rule” under “Rules”
• Choose the correct Action, Service, Interface and Network for the rule
Scenario & Hands-on 4-2 SAT in PPPoE connection
After completing the configuration, click “Configuration” in the main bar
• Click “Save and Activate”
Scenario & Hands-on 4-2 SAT in PPPoE connection
Testing result: the FTP server can be reached through the PPPoE connection (see topology)
Scenario & Hands-on 4-2 Exercise 4-2 - SAT in PPPoE connection
WAN1: PPPoE
FTP server public IP: group public IP address
FTP server private IP: group private IP (DMZ)
Objective:
1. Access the FTP server by the group’s public IP address successfully
FTP server public IP: Group1: 192.168.200.51/24, Group2: 192.168.200.52/24, . . Group9: 192.168.200.59/24, Group10: 192.168.200.60/24
FTP server private IP: 172.17.100.1/24
DMZ IP: 172.17.100.254 (DFL-800: port DMZ; DFL-1600: port #3; DFL-2500: port #5)
Scenario & Hands-on 4-3 SAT and server load balance
Network topology
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
WAN1 IP: 192.168.174.70/24
FTP server public IP: 192.168.174.71/24
FTP Server-1 (DMZ): 172.16.1.1
FTP Server-2 (DMZ): 172.16.1.2
Note:
• Add the additional public IP address in the “ARP Table”
• Verify the sequence of the IP rules
Scenario & Hands-on 4-3 SAT and server load balance
Objectives
• Access two FTP servers through one public IP address (192.168.174.71)
The Logic of Configuration
• Create objects for the public IP address and the private IP addresses of the two FTP servers
• Create the ARP object in the ARP Table
• Create the IP rules (SAT_SLB and Allow) for the FTP servers
Add the public IP address object shared by the two FTP servers
• Click “Address Book” under “Objects”
• Key in the correct IP address
Add two virtual (private) IP address objects, one per FTP server
• Click “Address Book” under “Objects”
• Key in the correct IP addresses
Apply the public IP address object to the ARP Table
• Click “ARP Table” under “Interfaces”
• Apply the object with the FTP public IP address
Create the load-balancing IP rule for the FTP servers (SLB_SAT)
• Click “IP Rule” under “Rules”
• Choose the correct Action, Service, Interface, SLB_SAT setting and Network for the rule
Create the IP rule that allows the FTP servers (Allow FTP)
• Click “IP Rule” under “Rules”
• Choose the correct Action, Service, Interface and Network for the rule
Scenario & Hands-on 4-3 SAT and server load balance
After completing the configuration, click “Configuration” on the main menu bar
• Click “Save and Activate”
Scenario & Hands-on 4-3 Exercise 4-3 - SAT and server load balance
WAN1: DHCP
FTP Server-1: group private IP-1 (DMZ)
FTP Server-2: group private IP-2 (DMZ)
FTP server public IP: Group1: 192.168.200.51/24, Group2: 192.168.200.52/24, . . Group9: 192.168.200.59/24, Group10: 192.168.200.60/24
FTP server private IP-1: 172.17.100.1/24
FTP server private IP-2 (Group1): 172.17.100.2/24
DMZ: 192.168.100.254
Objective:
1. Access the two FTP servers by the group’s public IP address successfully
Scenario & Hands-on 5 Runtime Authentication configuration
Process of authentication (diagram: an HTTP request from the client towards the Internet is intercepted by the firewall)
Scenario & Hands-on 5 Runtime Authentication configuration
• Authorizes users to access the Internet, LAN and intranet services, either through the local database or a RADIUS server
• The user authentication rules must be saved and activated in order to apply the settings
Scenario & Hands-on 5 Runtime Authentication configuration
(Diagram: WAN and LAN interfaces around the firewall core, with the addresses 192.168.10.1 and 10.0.100.97; the core owns the IP addresses)
Scenario & Hands-on 5 Runtime Authentication configuration
Network topology
WAN1 IP: 192.168.174.70/24
LAN1 IP: 192.168.1.1/24
Switch: DES-3226S, IP 192.168.1.250/24, with PCs attached
Authenticated users access the Internet
Note:
• Modify the Web UI HTTP port
• Verify the sequence of the IP rules
Scenario & Hands-on 5 Runtime Authentication configuration
Objectives
• When a user opens a web browser, a login screen pops up automatically and asks for credentials; services are allowed after authentication
• Users can log out manually, or are logged out automatically when the preset idle time is reached
The Logic of Configuration
• Change the Web UI HTTP port
• Create an object for the specific traffic network
• Create a local user database
• Create the IP rules for authentication
Change the remote management HTTP port to avoid a port conflict with the login page
• Click “Remote Management”, then click “Modify advanced settings”
• Change the WebUI HTTP port
Create the user database for authentication
• Click “Local User Database” under “User Authentication”
• Key in the user to be authenticated (user name/password)
Scenario & Hands-on 5 Runtime Authentication configuration
Create the User Authentication Rules
• Click “User Authentication Rules” under “User Authentication”
• Choose the corresponding settings
Scenario & Hands-on 5 Runtime Authentication configuration
Create the User Authentication Rules (continued)
• Click “User Authentication Rules” under “User Authentication”
• Choose the corresponding settings
Create the IP address object for the users to be authenticated
• Click “Address Book” under “Objects”
• Add an object for the authenticating users
• Key in the correct IP address and group name
Create the “Allow” rule (rule-1)
• Click “IP Rule” under “Rules”
• Choose the correct Action, Service, Interface and Network for the rule
Create the “NAT-DNS” rule (rule-2)
• Click “IP Rule” under “Rules”
• Choose the correct Action, Service, Interface and Network for the rule
Create the “NAT-all_service” rule (rule-3)
• Click “IP Rule” under “Rules”
• Choose the correct Action, Service, Interface and Network for the rule
Create the “SAT” rule (rule-4)
• Click “IP Rule” under “Rules”
• Choose the correct Action, Service, Interface and Network for the rule
Create the “Allow” rule (rule-5)
• Click “IP Rule” under “Rules”
• Choose the correct Action, Service, Interface and Network for the rule
Scenario & Hands-on 5 Runtime Authentication configuration
After completing the configuration, click “Configuration” on the main menu bar
• Click “Save and Activate”
Scenario & Hands-on 5 Runtime Authentication configuration
What the five IP rules do:
• rule-1 (Allow): allow the manual log-out web page
• rule-2 (NAT-DNS): allow users to look up DNS
• rule-3 (NAT-all_service): allow authorized users to use networking services
• rule-4 (SAT): all HTTP traffic is mapped to the firewall LAN1 IP address
• rule-5 (Allow): allow all HTTP traffic mapped to the LAN1 IP address
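How the order of these five rules decides whether a browser lands on the login page or on the Internet, as an added model that is not the DFL firmware: a SAT rule only rewrites the destination and matching continues until an Allow, NAT or Drop rule hits, which is how a SAT rule pairs with the Allow rule after it. The client and Internet addresses, the service names and the two-set comparison are constructed; the LAN1 address and the rule list come from the scenario.

```python
"""First-match IP rule evaluation for the runtime-authentication scenario
(constructed model, not the DFL firmware). A SAT rule only rewrites the
destination and evaluation continues until an Allow, NAT or Drop rule
matches, so the relative order of rule-3 (authenticated users) and rule-4
(SAT of HTTP to the login page) decides what an authenticated user gets.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

LAN1_IP = "192.168.1.1"        # firewall LAN1 address, serves the login page
LAN1_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str               # "http", "dns", "https", ...


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "Allow", "NAT", "SAT" or "Drop"
    service: str               # "all_services" matches any service
    src_net: str               # "lan1net", or "auth_users" = lan1net AND logged in
    dst: str                   # "all-nets" or one address object
    sat_to: Optional[str] = None   # new destination for SAT rules


def matches(rule, pkt, authenticated):
    """Does `rule` match `pkt`? `authenticated` holds the source IPs that
    currently have a user-authentication session."""
    if rule.service not in ("all_services", pkt.service):
        return False
    in_lan1 = ipaddress.ip_address(pkt.src) in LAN1_NET
    if rule.src_net == "lan1net" and not in_lan1:
        return False
    if rule.src_net == "auth_users" and not (in_lan1 and pkt.src in authenticated):
        return False
    if rule.dst != "all-nets" and pkt.dst != rule.dst:
        return False
    return True


def evaluate(rules, pkt, authenticated):
    """Walk the rule set top-down; return (final action, packet after any SAT).
    No match means the implicit drop at the end of the rule set."""
    for rule in rules:
        if not matches(rule, pkt, authenticated):
            continue
        if rule.action == "SAT":
            pkt = replace(pkt, dst=rule.sat_to)   # translate, keep matching
            continue
        return rule.action, pkt
    return "Drop", pkt


# The five rules from the slides, in the order they are created.
RULES = [
    Rule("rule-1 Allow logout page", "Allow", "http", "lan1net", LAN1_IP),
    Rule("rule-2 NAT-DNS", "NAT", "dns", "lan1net", "all-nets"),
    Rule("rule-3 NAT-all_service", "NAT", "all_services", "auth_users", "all-nets"),
    Rule("rule-4 SAT http to LAN1 IP", "SAT", "http", "lan1net", "all-nets", sat_to=LAN1_IP),
    Rule("rule-5 Allow http to LAN1 IP", "Allow", "http", "lan1net", LAN1_IP),
]

# The same rules with rule-4 above rule-3: the ordering mistake that the
# note "verify the sequence of IP rule" warns about.
MISORDERED = [RULES[0], RULES[1], RULES[3], RULES[2], RULES[4]]


def egress(rules, src, dst, service, authenticated=frozenset()):
    """Convenience wrapper returning (action, final destination)."""
    action, pkt = evaluate(rules, Packet(src, dst, service), authenticated)
    return action, pkt.dst


if __name__ == "__main__":
    # Constructed client 192.168.1.50 browsing to a constructed Internet host.
    print(egress(RULES, "192.168.1.50", "203.0.113.10", "http"))
    print(egress(RULES, "192.168.1.50", "203.0.113.10", "http", {"192.168.1.50"}))
```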
Scenario & Hands-on 5 Runtime Authentication configuration
Testing Result
Scenario & Hands-on 5 Exercise 5 - Runtime Authentication configuration
WAN1: DHCP
LAN1 IP: 192.168.1.1/24
Switch: DES-3226S, IP 192.168.1.250/24, with PCs attached
Authenticated users access the Internet
Objective:
1. The specific user or network must be authorized before accessing the Internet
2. Users can log out manually, or are logged out automatically when the preset idle time is reached
Scenario & Hands-on 6 Traffic Shaping
Pipes concept
(Diagram: incoming packets arrive on the incoming interface, pass the anti-spoofing check and the rule view (Rule 1 to Rule 6), are sent through pipes, and leave on the outgoing interface as outgoing packets)
Scenario & Hands-on 6 Traffic Shaping
The Concept of Dynamic balancing
(Diagram: User1 to User5, each with W and G)
W = Kbps the user wants to have
G = Kbps the user gets
• This diagram shows the allocation without Dynamic balancing
Scenario & Hands-on 6 Traffic Shaping
The Concept of Dynamic balancing
(Diagram: User1 to User5, each with W and G)
W = Kbps the user wants to have
G = Kbps the user gets
• This diagram shows the allocation when the Dynamic balancing function is used
Scenario & Hands-on 6 Traffic Shaping
The Concept of Precedence
(Diagram: one pipe with the precedence levels Low, Medium, High and Highest)
Scenario & Hands-on 6 Traffic Shaping
Concept of Design (Pipe 1Mbps)
Bandwidth of a leased line with 1 Mbps in both directions (two pipes):
• Std-out pipe (1 Mbps): data leaving towards the leased line (1 Mbps from our ISP)
• Std-in pipe (1 Mbps): data arriving from the leased line
The pipe throughput should be less than the physical pipe!
Scenario & Hands-on 6 Traffic Shaping
Concept of Design (Pipe 1Mbps) - download
Within each 1 Mbps pipe:
• HTTP: 250 Kbps, precedence Highest
• FTP: 250 Kbps, precedence High
• SMTP: 500 Kbps, precedence Low
Scenario & Hands-on 6 Traffic Shaping
Pipes
• All measuring, limiting, guaranteeing and balancing is carried out in pipes
• A pipe by itself is meaningless unless it is put to use in the Rules section. Each rule can pass traffic through one or more pipes, at a precedence (priority) of your choice.
Scenario & Hands-on 6 Traffic Shaping
Precedence: determine the bandwidth of each precedence
Scenario & Hands-on 6 Traffic Shaping
Pipe rules
• Plan your traffic shaping requirements. If you do not know how traffic should be limited, prioritized, guaranteed or distributed, you will likely find the configuration work more confusing than helpful.
Scenario & Hands-on 6 Traffic Shaping
Precedence: assign the precedence in the pipe rule
Scenario & Hands-on 6 Traffic Shaping
Network topology
Internal LAN1 behind the firewall, external WAN1 towards the leased line
Bandwidth of the leased line: download 1 Mbps, upload 1 Mbps
1. For inbound and outbound HTTP and HTTPS, the maximum bandwidth is 500 Kb.
2. For inbound and outbound POP3, the guaranteed bandwidth is 300 Kb (maximum bandwidth 1000 Kb).
3. For other inbound and outbound services, the remaining bandwidth is used.
4. All of the above services use dedicated bandwidth values.
Note:
• Before using traffic shaping for a specified application, make sure that the IP rule for that application has been created.
Scenario & Hands-on 6 Traffic Shaping
Objective
• For inbound and outbound HTTP and HTTPS, the maximum bandwidth is 500 Kb.
• For inbound and outbound POP3, the guaranteed bandwidth is 300 Kb (maximum bandwidth 1000 Kb).
• For other inbound and outbound services, the remaining bandwidth is used. All of the above services use dedicated bandwidth values.
The Logic of Configuration
• Make sure the IP rules exist
• Create the pipe objects
• Create the pipe rules; choose the correct Action, Service, Interface and Network in each rule
• Key in the correct Precedence and total bandwidth values
Create the object of the input pipe (the standard-in pipe)
• Click “Pipes” in Traffic Shaping
• Key in the corresponding Precedence and total bandwidth values
Create the object of the output pipe (the standard-out pipe)
• Click “Pipes” in Traffic Shaping
• Key in the corresponding Precedence and total bandwidth values
Create the object of the HTTP input pipe (the HTTP-in pipe)
• Click “Pipes” in Traffic Shaping
• Key in the corresponding Precedence and total bandwidth values
Create the object of the HTTP output pipe (the HTTP-out pipe)
• Click “Pipes” in Traffic Shaping
• Key in the correct Precedence and total bandwidth values
Scenario & Hands-on 6 Traffic Shaping
Create the pipe rule for HTTP
• Click “Pipe Rules” in Traffic Shaping
• Key in the corresponding Precedence and bandwidth values
Scenario & Hands-on 6 Traffic Shaping
Create the object of the POP3 input pipe (the POP3-in pipe)
• Click “Pipes” in Traffic Shaping
• Key in the corresponding Precedence and total bandwidth values
Scenario & Hands-on 6 Traffic Shaping
Create the object of the POP3 output pipe (the POP3-out pipe)
• Click “Pipes” in Traffic Shaping
• Key in the corresponding Precedence and total bandwidth values
Scenario & Hands-on 6 Traffic Shaping
Create the pipe rule for POP3
• Click “Pipe Rules” in Traffic Shaping
• Choose the correct Action, Service, Interface and Network in the rule
Scenario & Hands-on 6 Traffic Shaping
Create the pipe rule for the other services
• Click “Pipe Rules” in Traffic Shaping
• Choose the correct Action, Service, Interface and Network in the rule
Scenario & Hands-on 6 Traffic Shaping
After completing the configuration, click “Configuration” on the main menu bar
• Click “Save and Activate”
Scenario & Hands-on 6 Traffic Shaping
• Before using traffic shaping for a specified application, make sure that the IP rule for that application has been created.
Scenario & Hands-on 6 Traffic Shaping
• First step: create two bidirectional pipes for the physical WAN link
• Second step: create two bidirectional pipes for the specified application
• Third step: create pipe rules for the specified application
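The allocation the three steps produce inside one 1 Mbps pipe, as an added model that is not the DFL scheduler: each service first passes its own pipe limit, the shared pipe serves guaranteed bandwidth by precedence, and the remainder is balanced among the flows in the way the Dynamic balancing slides describe. The flow demands and the precedence number 2 for POP3 are constructed; the 1000 Kbps pipe, the 500 Kbps HTTP/HTTPS limit and the 300 Kbps POP3 guarantee (1000 Kbps maximum) are the scenario's values.

```python
"""Bandwidth allocation inside a 1 Mbps pipe for scenario 6 (constructed
model, not the DFL scheduler): each service first passes its own pipe limit,
then the shared pipe serves guaranteed precedence bandwidth before the
remainder is shared fairly (the slides' "dynamic balancing") among flows.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    demand_kbps: float      # what the flow wants right now (constructed)
    limit_kbps: float       # limit of the service's own pipe (inf = none)
    guarantee_kbps: float   # bandwidth reserved at a higher precedence
    precedence: int         # higher value has its guarantee served first


def fair_share(capacity, demands):
    """Max-min fair split of `capacity` among flows with the given remaining
    demands: every flow gets an equal share, no flow gets more than it asks
    for, and a flow's unused share is redistributed to the others."""
    alloc = {name: 0.0 for name in demands}
    remaining = {n: d for n, d in demands.items() if d > 0}
    while remaining and capacity > 0:
        share = capacity / len(remaining)
        satisfied = [n for n, d in remaining.items() if d <= share]
        if not satisfied:               # everyone wants more than the share
            for n in remaining:
                alloc[n] += share
            break
        for n in satisfied:             # give them exactly what they asked for
            alloc[n] += remaining[n]
            capacity -= remaining.pop(n)
    return alloc


def allocate_pipe(total_kbps, flows):
    """Return {flow name: kbps} granted by a shared pipe of `total_kbps`."""
    # Step 1: the service's own pipe caps what can even reach the shared pipe.
    capped = {f.name: min(f.demand_kbps, f.limit_kbps) for f in flows}
    alloc = {f.name: 0.0 for f in flows}
    left = total_kbps
    # Step 2: guarantees are served in precedence order, highest first.
    for f in sorted(flows, key=lambda f: f.precedence, reverse=True):
        got = min(f.guarantee_kbps, capped[f.name], left)
        alloc[f.name] += got
        left -= got
    # Step 3: what is left is balanced among the still-unmet capped demand.
    unmet = {f.name: capped[f.name] - alloc[f.name] for f in flows}
    for name, extra in fair_share(left, unmet).items():
        alloc[name] += extra
    return alloc


# Scenario 6: HTTP/HTTPS max 500 Kbps, POP3 guaranteed 300 Kbps (max 1000),
# other services take the remainder. Demands are constructed.
PIPE_KBPS = 1000
FLOWS = [
    Flow("http_https", demand_kbps=900, limit_kbps=500, guarantee_kbps=0, precedence=0),
    Flow("pop3", demand_kbps=350, limit_kbps=1000, guarantee_kbps=300, precedence=2),
    Flow("other", demand_kbps=1000, limit_kbps=float("inf"), guarantee_kbps=0, precedence=0),
]

if __name__ == "__main__":
    print(allocate_pipe(PIPE_KBPS, FLOWS))
```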
Scenario & Hands-on 6 Exercise 6 - Traffic Shaping
Internal LAN1 behind the firewall, external WAN1 towards the leased line
Bandwidth of the leased line: download 1 Mbps, upload 1 Mbps
Objectives
1. For inbound and outbound SMTP, the maximum bandwidth is 400 Kb.
2. For inbound and outbound FTP, the guaranteed bandwidth is 250 Kb (maximum bandwidth 500 Kb).
3. For other inbound and outbound services, the maximum bandwidth is 350 Kb.
4. All of the above services use dedicated bandwidth values.
Scenario & Hands-on 7-1 VPN Configuration - PPTP
Network topology
DFL-1600
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
WAN1 (DHCP) IP: 192.168.174.70/24
PPTP client IP: 192.168.174.71/24, connected over the VPN tunnel
Note:
• Choose the correct inner IP address and Outer Interface filter for the PPTP tunnel
Scenario & Hands-on 7-1 VPN Configuration - PPTP
Objectives
• The user dials up to the firewall with the Windows PPTP client software
• The dial-up user communicates with LAN1 of the firewall
The Logic of Configuration
• Create objects for the PPTP server IP address and the IP address range
• Create the authentication database
• Configure the PPTP server
• Create the IP rule for the PPTP tunnel
Create objects for the PPTP server IP address and the IP address range
• Click “Address” under “Objects”
• Key in the corresponding IP addresses
Create the local database for PPTP authentication
• Click “Local User Databases” under “User Authentication”
• Key in the correct username and password
Create the PPTP tunnel
• Click “PPTP/L2TP Servers” under “Interfaces”
• Choose the corresponding configuration
Create the User Authentication Rule for the PPTP tunnel
• Click “User Authentication Rules” under “User Authentication”
• Choose the corresponding configuration
• Enable the log setting and choose the local user database
Create the IP rules for the PPTP tunnel
• Click “IP Rules” under “Rules”
• Choose the corresponding configuration
• Enable the log setting
Scenario & Hands-on 7-1 VPN Configuration - PPTP
After completing the configuration, click “Configuration” on the main menu bar
• Click “Save and Activate”
Scenario & Hands-on 7-1 VPN Configuration - PPTP
Testing result
Scenario & Hands-on 7-1 Exercise 7-1 - VPN Configuration - PPTP
DFL-1600
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
WAN1: DHCP IP
PPTP client connected over the VPN tunnel
Objectives:
1. Use the Windows client to dial up PPTP
2. Ping the IP address of the firewall’s LAN
Scenario & Hands-on 7-2 VPN Configuration - L2TP/IPsec
Network topology
DFL-1600
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
WAN1: DHCP
L2TP/IPsec client IP: 192.168.174.71/24, connected over the VPN tunnel
Note:
• L2TP/IPsec must use transport mode
• Choose the correct local net and remote net for the IPsec tunnel
• Choose the correct inner IP address and Outer Interface filter for the L2TP tunnel
Scenario & Hands-on 7-2 VPN Configuration - L2TP/IPsec
Objectives
• The user dials up to the firewall with the Windows L2TP/IPsec client software
• The dial-up user communicates with LAN1 of the firewall
The Logic of Configuration
• Create objects for the L2TP server IP address and the IP address range
• Create the authentication database
• Configure the IPsec tunnel
• Configure the L2TP server
• Create the IP rule for the L2TP tunnel
Create objects for the L2TP server IP address and the IP address range
• Click “Address” under “Objects”
• Key in the corresponding IP addresses
Create the local database for L2TP authentication
• Click “Local User Databases” under “User Authentication”
• Key in the correct username and password
Create the pre-shared key for L2TP/IPsec
• Click “Pre-Shared Keys” under “VPN Objects”
• Key in the corresponding value
Create the IPsec tunnel
• Click “IPsec Tunnels” under “Interfaces”
• Choose the corresponding configuration
Configure the IPsec tunnel: Authentication
• Click “Authentication” in this IPsec tunnel
• Apply the pre-shared key to this IPsec tunnel
Configure the IPsec tunnel: Routing
• Click “Routing” in this IPsec tunnel
• Enable “Dynamically add routes to remote network when a tunnel is established” in this IPsec tunnel
Configure the IPsec tunnel: Advanced
• Click “Advanced” in this IPsec tunnel
• Disable “Add route for remote network” in this IPsec tunnel
Create the L2TP tunnel
• Click “PPTP/L2TP Servers” under “Interfaces”
• Choose the corresponding configuration
Create the User Authentication Rule for the L2TP tunnel
• Click “User Authentication Rules” under “User Authentication”
• Choose the corresponding configuration
• Enable the log setting and choose the local user database
Create the IP rules for the L2TP tunnel
• Click “IP Rules” under “Rules”
• Choose the corresponding configuration
• Enable the log setting
Scenario & Hands-on 7-2 VPN Configuration - L2TP/IPsec
After completing the configuration, click “Configuration” on the main menu bar
• Click “Save and Activate”
1 2 3 4 5 6 7 8 9 1110
Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Testing Result (screenshot)

Scenario & Hands-on 7-2 Exercise 7-2: VPN Configuration-L2TP/IPsec
Network topology (figure):
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
WAN1: DHCP IP
DFL-1600 --- VPN Tunnel --- L2TP/IPsec Client
Objectives:
1. The user dials up to the firewall with the Windows L2TP/IPsec client software
2. Ping the IP address of the firewall's LAN
Scenario & Hands-on 7-3 VPN Configuration-IPsec
VPN Objects – Pre-Shared Keys
• Used for users to authenticate VPN tunnels
• Two ways to enter the PSK: ASCII and HEX
– ASCII: type in a passphrase
– HEX: type in a passphrase and use “Generate” to produce the hex key from it

VPN Objects – LDAP
• For secured authentication to be established over the VPN, the CA needs to be downloaded to the LDAP server

ID Lists
• The concept of ID Lists is to manage and control the accessibility of VPN clients and gateways
• Mobile clients can be restricted from accessing internal networks by ID Lists

IKE/IPsec Algorithms
• Predefined IKE & IPsec algorithms by default:
– High: very secure
– Medium: secure
• You can define your own algorithms
Scenario & Hands-on 7-3 VPN Configuration-IPsec
Network topology (figure):
DFL-1600 (local):
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
WAN1 Static IP: 192.168.174.70/24
DFL-1600 (remote):
WAN1 IP: 192.168.174.71/24
Remote LAN (Internal LAN) IP: 192.168.10.0/24
VPN Tunnel between the two WAN1 interfaces
Note:
• Use the same pre-shared key and algorithm in both IPsec settings
• Choose the correct local net and remote net for the IPsec tunnel

Objectives: The two firewalls communicate with each other through an IPsec tunnel. A client on the local net pings a client on the remote net.
The logic of configuration:
1. Create the VPN object (pre-shared key)
2. Configure the IPsec tunnel
3. Create the IP rule for the IPsec tunnel
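The two checks in the Note above (same pre-shared key and algorithm on both ends, local and remote nets chosen correctly) and the ASCII/HEX key formats from the Pre-Shared Keys slide can be expressed as a small consistency check over the two tunnel definitions. The code below is an added example, not D-Link's code and not the NetDefendOS API: the field names, the algorithm labels and the sample pre-shared key are constructed for the illustration, and the addresses are those of the scenario topology. A peer whose Remote Endpoint is a DDNS name (the dynamic-IP case mentioned in the next slides) is accepted as-is, since it cannot be checked statically.

```python
"""Consistency check for a pair of site-to-site IPsec tunnel definitions.

Added example; not D-Link code and not the NetDefendOS API. Field names,
algorithm labels and the sample PSK are assumptions made for the illustration.
"""
import ipaddress
import secrets
from dataclasses import dataclass

HEX_DIGITS = set("0123456789abcdefABCDEF")


@dataclass
class IPsecEndpoint:
    name: str
    wan_ip: str            # this firewall's WAN1 address
    local_net: str         # network behind this firewall (CIDR)
    remote_net: str        # network behind the peer (CIDR)
    remote_endpoint: str   # peer WAN IP, or a DDNS name when the peer's WAN IP is dynamic
    psk: str               # pre-shared key as typed: ASCII passphrase or HEX string
    ike_algs: frozenset    # IKE proposals offered
    ipsec_algs: frozenset  # IPsec proposals offered


def psk_kind(psk):
    """'hex' when the key is an even-length string of hex digits, otherwise 'ascii'."""
    if psk and len(psk) % 2 == 0 and set(psk) <= HEX_DIGITS:
        return "hex"
    return "ascii"


def generate_hex_psk(nbytes=32):
    """Random HEX pre-shared key (256 bits by default).
    Assumption: the GUI's “Generate” derives the HEX key from the typed passphrase;
    this stand-in draws it from the OS CSPRNG instead."""
    return secrets.token_hex(nbytes)


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_pair(a, b):
    """Return the list of mismatches between two endpoint definitions;
    an empty list means the two sides mirror each other."""
    problems = []
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    elif psk_kind(a.psk) == "ascii" and len(a.psk) < 20:
        problems.append("ASCII pre-shared key is shorter than 20 characters")
    if not (a.ike_algs & b.ike_algs):
        problems.append("no IKE algorithm in common")
    if not (a.ipsec_algs & b.ipsec_algs):
        problems.append("no IPsec algorithm in common")
    for x, y in ((a, b), (b, a)):
        # x's local net must be exactly what y calls its remote net
        if ipaddress.ip_network(x.local_net) != ipaddress.ip_network(y.remote_net):
            problems.append(f"{x.name} local net {x.local_net} is not {y.name}'s remote net {y.remote_net}")
        # x's remote endpoint must be y's WAN IP; a DDNS name cannot be checked statically
        if _is_ip(x.remote_endpoint) and x.remote_endpoint != y.wan_ip:
            problems.append(f"{x.name} remote endpoint {x.remote_endpoint} is not {y.name}'s WAN IP {y.wan_ip}")
    return problems


# Constructed sample mirroring the 7-3 topology (constructed PSK and algorithm labels).
PSK = "Tr4ining-Lab-PSK-sample-2006"
ALGS = frozenset({"AES-SHA1"})
HQ = IPsecEndpoint("HQ", "192.168.174.70", "192.168.1.0/24", "192.168.10.0/24",
                   "192.168.174.71", PSK, ALGS, ALGS)
BRANCH = IPsecEndpoint("Branch", "192.168.174.71", "192.168.10.0/24", "192.168.1.0/24",
                       "192.168.174.70", PSK, ALGS, ALGS)
# Typical mistake: the branch points its remote net at the wrong LAN behind HQ.
BAD_BRANCH = IPsecEndpoint("Branch", "192.168.174.71", "192.168.10.0/24", "192.168.2.0/24",
                           "192.168.174.70", PSK, ALGS, ALGS)
# Dynamic-IP peer identified by a (constructed) DDNS name instead of a WAN IP.
DDNS_BRANCH = IPsecEndpoint("Branch", "192.168.174.71", "192.168.10.0/24", "192.168.1.0/24",
                            "hq.example.test", PSK, ALGS, ALGS)

if __name__ == "__main__":
    print(check_pair(HQ, BRANCH))      # []
    print(check_pair(HQ, BAD_BRANCH))
```

Run it as a script to see the empty list for the mirrored pair and the single net mismatch for the bad one; the same check applied before “Save and Activate” on both firewalls catches the most common reasons a tunnel negotiates but carries no traffic.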
Scenario & Hands-on 7-3 VPN Configuration-IPsec
Create address objects for the remote IP address and network
• Click “Address” in Objects
• Key in the corresponding IP addresses

Create the pre-shared key for the IPsec tunnel
• Click “Pre-Shared Keys” in VPN Objects
• Key in the correct value

Create the IPsec tunnel
• Click “IPsec Tunnels” in Interface
• Choose the corresponding configuration
Note: If the remote firewall's WAN IP is not static, that is, the Remote Endpoint has a dynamic IP address published through a dynamic DNS service, the administrator can enter the DDNS domain name here directly.

Combine two interfaces into one interface group
• Click “Interface Groups” in Interface
• Choose the corresponding interfaces

Create IP Rules for L2TP tunnel
• Click “IP Rules” in Rules
• Choose the corresponding configuration
• Enable the Log setting

• After all configuration, click “Configuration” on the main menu bar
• Click “Save and Activate”
Scenario & Hands-on 7-3 Exercise 7-3: VPN Configuration-IPsec
Network topology (figure): DFL-1600 of the even group (Internal LAN1) --- VPN Tunnel --- DFL-1600 of the odd group (Remote LAN, Internal LAN)
Objectives:
1. The two firewalls communicate with each other through an IPsec tunnel
2. A client on the local net pings a client on the remote net

Scenario & Hands-on 7-4 VPN Configuration-IPsec with NetScreen 204
Network topology (figure):
DFL-1600:
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
WAN1 Static IP: 192.168.174.70/24
NetScreen 204:
WAN1 IP: 192.168.174.71/24
Remote LAN (Internal LAN) IP: 192.168.10.0/24
VPN Tunnel between the DFL-1600 and the NetScreen 204
Note:
• Use the same pre-shared key and algorithm on the DFL-1600 and the NS-204
• Choose the correct local net and remote net for the IPsec tunnel

Objectives: The two firewalls communicate with each other through an IPsec tunnel. A client on the local net pings a client on the remote net.
The logic of configuration:
1. Create the VPN objects (pre-shared key, remote net/gateway and algorithm)
2. Configure the IPsec tunnel
3. Create the IP rule for the IPsec tunnel
Scenario & Hands-on 7-4 VPN Configuration-NetScreen 204
Create the network object for the DFL-1600 (remote network)
• Click “List” under “Addresses” in Objects
• Key in the corresponding network

Create the IP address object for the DFL-1600 (remote gateway)
• Click “List” under “Addresses” in Objects
• Key in the corresponding IP address

Create the P1 (Phase 1) Proposal for the DFL-1600 VPN configuration
• Click “P1 Proposal” under “AutoKey Advanced” in VPNs
• Choose the corresponding Algorithm and DH Group

Create the P2 (Phase 2) Proposal for the DFL-1600 VPN configuration
• Click “P2 Proposal” under “AutoKey Advanced” in VPNs
• Choose the corresponding Algorithm and DH Group

Create the Gateway object for the DFL-1600 VPN configuration
• Click “Gateway” under “AutoKey Advanced” in VPNs
• Key in the corresponding IP address and Preshared Key
• Click “Advanced”

“Advanced” settings of the Gateway object
• Choose “Custom” under User Defined and select the Phase 1 Proposal
• Choose “Main” mode

Create the IPsec VPN tunnel for the DFL-1600
• Choose “Security Level” and “Predefined” for the Remote Gateway
• Choose the “Outgoing Interface” and click “Advanced”

Create the IPsec VPN policy for the DFL-1600
• Choose the correct Action, Service and Network in the rule
• Enable “Modify matching bidirectional VPN policy”
Scenario & Hands-on 7-4 VPN Configuration-NetScreen 204
Testing Result (screenshot)

DFL-1600 IPsec VPN status (screenshot)
NetScreen VPN status (screenshot)

Agenda
• Appliance Overview • Firewall Concept
• Basic Configuration • Scenario & Hands-on • Troubleshooting
Troubleshooting: Four ways to troubleshoot
• Confirm the configuration of the firewall
• Inspect the firewall status
• Use “Console command” to get more information
• Capture packets to analyze (Ethereal and Sniffer)

Troubleshooting Flow Chart (figure)
The chart works through the four methods in order, asking after each whether the main cause has been found:
1. The problem: confirm the configuration. Main cause found? If no, continue.
2. Inspect the firewall status (verify the configuration). Main cause found? If no, continue.
3. Use console commands to inspect (verify the network environment). Main cause found? If no, continue.
4. Capture packets to analyze.
A main cause, once found, is either a configuration cause or an environment cause. If the problem has not been solved after these steps, it goes to the Dtrack system.
Troubleshooting: Confirm the configuration of the firewall
• IP address or network in “Objects”
• Configuration in “Interface”
• Configuration in “IP Rules”: action and service, interface and network
• Configuration in “Main routing”: routing table and metric
• Configuration in “PBR”: routing table and rules, metric
• Advanced configuration: Zone Defense, traffic shaping, user authentication
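The checklist above lists IP rules and the routing table separately, but they interact: the destination interface of an IP rule is whatever the routing lookup returns for the packet's destination, so a missing or wrong route to the tunnel network makes a correct-looking rule never fire (the two routing toggles in scenario 7-2 exist for the same reason). The model below is an added example, not D-Link code and not the NetDefendOS rule engine: it implements first-match IP rules and a longest-prefix, lowest-metric route lookup over a constructed configuration that follows the 7-3 topology; interface names, rule names, "all-nets" and "all_services" are assumptions.

```python
"""Why a correct-looking IP rule never matches: the rule's destination interface
is decided by the routing lookup, not by the rule itself.

Added example; not D-Link code and not the NetDefendOS rule engine. Interface,
rule, service and address names are assumptions for the illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    interface: str
    network: str   # CIDR
    metric: int


@dataclass(frozen=True)
class IPRule:
    name: str
    action: str    # Allow, NAT, Drop, ...
    service: str   # service object name, or "all_services"
    src_if: str
    src_net: str   # CIDR or "all-nets"
    dst_if: str
    dst_net: str   # CIDR or "all-nets"


def lookup_route(routes, dst_ip):
    """Longest prefix match; among routes with the same prefix length the lowest metric wins."""
    addr = ipaddress.ip_address(dst_ip)
    best_key, best = None, None
    for r in routes:
        net = ipaddress.ip_network(r.network)
        if addr in net:
            key = (net.prefixlen, -r.metric)
            if best_key is None or key > best_key:
                best_key, best = key, r
    return best


def _net_matches(rule_net, ip):
    return rule_net == "all-nets" or ipaddress.ip_address(ip) in ipaddress.ip_network(rule_net)


def _if_matches(rule_if, actual_if):
    return rule_if == "any" or rule_if == actual_if


def first_match(rules, routes, src_if, src_ip, dst_ip, service):
    """Return (matching rule or None, destination interface chosen by the route lookup)."""
    route = lookup_route(routes, dst_ip)
    if route is None:
        return None, None
    for rule in rules:
        if (_if_matches(rule.src_if, src_if) and _net_matches(rule.src_net, src_ip)
                and _if_matches(rule.dst_if, route.interface) and _net_matches(rule.dst_net, dst_ip)
                and rule.service in (service, "all_services")):
            return rule, route.interface
    return None, route.interface


# Constructed configuration following the 7-3 topology.
ROUTES_OK = [
    Route("lan", "192.168.1.0/24", 100),
    Route("ipsec_tunnel", "192.168.10.0/24", 90),   # remote net reachable through the tunnel
    Route("wan1", "0.0.0.0/0", 100),
    Route("wan2", "0.0.0.0/0", 110),                # backup default route, higher metric
]
# The same table with the tunnel route left out.
ROUTES_MISSING_TUNNEL = [r for r in ROUTES_OK if r.interface != "ipsec_tunnel"]

RULES = [
    IPRule("lan_to_vpn", "Allow", "all_services", "lan", "192.168.1.0/24", "ipsec_tunnel", "192.168.10.0/24"),
    IPRule("lan_to_internet", "NAT", "all_services", "lan", "192.168.1.0/24", "wan1", "all-nets"),
]


def diagnose(routes):
    """Name of the rule hit by a LAN client's ping to the remote net, or None."""
    rule, _ = first_match(RULES, routes, "lan", "192.168.1.10", "192.168.10.5", "ping-outbound")
    return rule.name if rule else None


if __name__ == "__main__":
    print(diagnose(ROUTES_OK))              # lan_to_vpn
    print(diagnose(ROUTES_MISSING_TUNNEL))  # lan_to_internet
```

With the tunnel route missing, the ping to 192.168.10.5 is routed by the default route to wan1 and silently matches the NAT rule for Internet traffic instead of the VPN rule, which is exactly the symptom (tunnel up, no traffic inside it) that the “Routes” and “Rules” console commands on the following slides help confirm.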
Troubleshooting: Inspect the firewall status
• Click “Status” on the main menu bar: System, Logging, Connection, Interfaces, IPsec, User Auth, Routes, DHCP server, IDS, SLB, Zone Defense

Troubleshooting: Console commands
How to use “Console command” with HyperTerminal in MS Windows
1. Start HyperTerminal (Hypertrm.exe).
2. Enter a name for the connection (for example, DFL-800) in the Name box.
3. Click an icon for the connection in the Icon box, and then click OK.
4. In the Connect Using box, click Direct To Com (choose “Restore Default”) and then click OK.
5. Verify the settings on the Port Settings tab and then click OK.
Troubleshooting: Console commands
• The first command you should learn is the HELP or H command. The help command prints a list of the commands available at the console.
• About (displays information about the firewall core)
• Crashdump (dumps all crash and error information)
• Access (prints the active anti-spoof section)
• Arp [interface] (displays the cached ARP information for all interfaces; if you add a specific interface name to the command, you get only the specified interface)
• Arpsnoop [interface] (displays ARP queries and responses. You enable this by typing ARPSNOOP [interface]; the same command again disables it. You can also use the string ALL for all interfaces, and the string NONE to disable all arpsnoop printout.)
• Buffers [buf num] (displays the 20 most recently freed buffers; you can examine a specific buffer by adding its number)
• Cfglog (displays the boot log of the firewall configuration)
• Connections (displays the connections in the firewall)
• CPUid (displays processor information)
• DHCP [switches] <interface> (with this command you can renew (-renew) or release (-release) the DHCP IP address on a specific interface)
• Frags (displays the 20 most recent fragment reassembly attempts, both ongoing and completed)
• Ifstat [interface] (displays interfaces; if you add an interface you get statistics for that interface)
• Loghosts (displays the configured log hosts)
• Logout (secures the console with the configured password)
• Netcon (displays the active console connection or management connections to the firewall)
• Netobjects (displays the active host and network configurations)
• Ping (the normal ping command to verify an IP connection; you can use Ping [IP address] [num], where “num” is the number of ping requests)
• Reconfigure (reloads the configuration from the boot media)
• Ikesnoop [on/off/verbose] (used to diagnose problems with IPsec tunnels)
• DHCPRelay (displays whether the DHCP boot relay is enabled or disabled)
• Remote (displays the active configuration of the remote section)
• Routes (displays the active configuration of the route section)
• Rules (displays the active configuration of the rule section; several switches can be added, for example -v enables all available information, such as usage)
• Scrsave (runs the screen saver)
• Services (displays the active services within the configuration)
• Shutdown (shuts down the firewall)
• Stats (displays statistics for the firewall)
• Time (displays the firewall's current time)
Troubleshooting: Capture packets to analyze
• Set up a laptop with software such as Ethereal or Sniffer to capture packets from the problem node
• The laptop needs to connect to the problem node through a hub
• If it connects through a switch, the port mirror function has to be enabled on the switch
(figure: the laptop running Ethereal or Sniffer sits beside the problem node on the intranet)

• Inspect the source IP address, destination IP address and protocol to analyze the problematic network status
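The three fields the slide says to inspect first (source, destination, protocol) can be pulled out of a capture file without a GUI. The reader below is an added example, not D-Link code and unrelated to Ethereal or Sniffer internals: it parses the libpcap file format that Ethereal (now Wireshark) saves, and to run offline it builds a constructed capture in memory with the 7-3 scenario's traffic (a LAN client pinging the remote net, IKE and ESP between the two WAN addresses, and one ARP frame). A real capture read from disk can be passed to parse_pcap() as bytes; the MAC addresses and timestamps in the sample are constructed.

```python
"""Minimal libpcap reader: (source, destination, protocol) per packet, plus a
who-talks-to-whom count.

Added example; not D-Link code. The sample capture is constructed in memory.
"""
import struct
from collections import Counter

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP"}
ETH_HDR_LEN = 14


def _ipv4_frame(src, dst, proto, payload=b""):
    """Constructed Ethernet + IPv4 frame (header checksum left at zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth_hdr + ip_hdr + payload


def _arp_frame():
    """Constructed broadcast ARP frame (EtherType 0x0806, body zeroed)."""
    return bytes.fromhex("ffffffffffff") + bytes.fromhex("66778899aabb") + b"\x08\x06" + bytes(28)


def build_pcap(frames, linktype=1):
    """Wrap frames in a little-endian libpcap file (magic 0xa1b2c3d4, version 2.4)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Return a list of (src, dst, protocol) per packet. TCP/UDP entries carry the
    ports so that IKE (UDP 500) and L2TP (UDP 1701) stand out; non-IP frames are
    kept with their EtherType so they are not silently lost from the count."""
    magic, = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype, = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled")
    packets, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < ETH_HDR_LEN:
            continue                                   # truncated frame
        ethertype, = struct.unpack("!H", frame[12:14])
        if ethertype != 0x0800:
            packets.append(("-", "-", f"ethertype 0x{ethertype:04x}"))
            continue
        ip = frame[ETH_HDR_LEN:]
        if len(ip) < 20 or ip[0] >> 4 != 4:
            continue                                   # not a complete IPv4 header
        ihl = (ip[0] & 0x0F) * 4                       # honours IP options
        proto = ip[9]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        detail = PROTO_NAMES.get(proto, f"proto {proto}")
        if proto in (6, 17) and len(ip) >= ihl + 4:
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
            detail += f" {sport}->{dport}"
        packets.append((src, dst, detail))
    return packets


def summarize(packets):
    """Count identical (src, dst, protocol) triples: the quickest view of who talks to whom."""
    return Counter(packets)


# Constructed capture of the 7-3 scenario traffic.
SAMPLE_PCAP = build_pcap([
    _ipv4_frame("192.168.1.10", "192.168.10.5", 1, bytes(8)),                                    # ICMP echo
    _ipv4_frame("192.168.1.10", "192.168.10.5", 1, bytes(8)),                                    # ICMP echo
    _ipv4_frame("192.168.174.70", "192.168.174.71", 17, struct.pack("!HHHH", 500, 500, 8, 0)),  # IKE
    _ipv4_frame("192.168.174.70", "192.168.174.71", 50, bytes(16)),                              # ESP
    _arp_frame(),
])

if __name__ == "__main__":
    for triple, count in summarize(parse_pcap(SAMPLE_PCAP)).items():
        print(count, *triple)
```

Seeing IKE on UDP 500 but no ESP between the two WAN addresses, or ESP arriving with no reply, narrows the problem to a particular side before any rule or route is touched.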
Questions & Answers
THANK YOU