
Firewalls Training Material

Date post: 23-Oct-2014
Page 1: Firewalls Training Material

D-Link Security

1

2006 DFL-210/800/1600/2500 Technical Training

©Copyright 2006. All rights reserved

©Copyright 2006. By D-Link HQ

Page 2: Firewalls Training Material

Agenda

• Appliance Overview
• Firewall Concept
• Basic Configuration
• Scenario & Hands-on
• Troubleshooting

Page 4: Firewalls Training Material

Appliance Overview – firewall models

DFL-800 (rear panel): WAN1, WAN2, LAN, DMZ, Console

Page 5: Firewalls Training Material

Appliance Overview – firewall models

DFL-1600 (rear panel): WAN1, WAN2, LAN1, LAN2, LAN3, DMZ, Console

Page 6: Firewalls Training Material

Appliance Overview – firewall models

DFL-2500 (rear panel): WAN1, WAN2, WAN3, WAN4, LAN1, LAN2, LAN3, DMZ, Console

Page 7: Firewalls Training Material

Appliance Overview – characteristics of the firewall (DFL-800, DFL-1600, DFL-2500)

• GUI: brand new, user-friendly GUI with no GUI confusion issue. Neater and more professional look for the firewall product line.
• ZoneDefense: mechanism with D-Link switches that prevents threats from spreading.
• Transparent Mode: advanced firewall features, including transparent mode, to ease the implementation.
• ID
• High Port Density Giga Interface (for DFL-1600/2500)

Page 8: Firewalls Training Material

Appliance Overview – LED panel

• LED: Power, System
• Keypad: “Right”, “Left”, “Upper” and “Confirm”
• LCD Display: System Information, Traffic Monitor, Alert Monitor, Configuration Display
• Ethernet: auto-sensing copper ports (LAN port, WAN port and DMZ port)
• Console: serial console port, concealed look

Page 9: Firewalls Training Material

Appliance Overview – LED panel: Setup Mode

• Enter Setup Mode: press the keypad within 5 seconds after the firewall is switched on.
• Use the Left or Right button to select:
  1. Start Firewall: start the firewall system.
  2. Reset Firewall: reset the firewall to factory default.
• After resetting the firewall, choose “Start Firewall”.
• 5 seconds after the firewall is switched on, it enters Status Mode automatically.

Page 10: Firewalls Training Material

Appliance Overview – LED panel: Status Mode

• Model name: displays the device model name.
• System Status: displays the system working status.
• CPU Load and Connections: CPU utilization and concurrent sessions.
• Total BPS and PPS: concurrent traffic statistics and packet statistics per second.
• Date and Time: the device's current date and time.
• Uptime: time since the device booted.
• Mem: system memory utilization.
• IDS Sigs: IDS signature information.
• WAN, DMZ, LAN: the IP address of each interface.
• Core Version: firewall firmware version.

Page 11: Firewalls Training Material

Agenda

• Appliance Overview
• Firewall Concept
• Basic Configuration
• Scenario & Hands-on
• Troubleshooting

Page 12: Firewalls Training Material

Firewall Concept – Questions

• What is a firewall?
• Which firewall is the safest?
– A firewall does not protect against application errors.

Page 13: Firewalls Training Material

Firewall Concept – IP Start Communication

Diagram: TCP three-way handshake between Client and Web Server
(1.) 1024 -> 80 SYN
(2.) SYN.ACK 1024 <- 80
(3.) 1024 -> 80 ACK
Connection established

SYN FLOOD
– 1. Sending a packet to the web server with the ”SYN” flag. The client uses a fake IP address.
– 2. The server responds with a SYN.ACK. Then the server waits until the client responds with an ACK packet.
– 3. The client repeats step one until it is satisfied that the damage is done.

Page 14: Firewalls Training Material

Firewall Concept – IP Start Communication

• More bits
– SYN – Synchronize = New connection
– ACK – Acknowledge = Acknowledge that data has been received
– PSH – Push = “Push received data to application layer now”
– URG – Urgent = Urgent data, process first (Beg. 70)
– FIN – Finish = End communication with a handshake
– RST – Reset = “Do not communicate with me!”
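As an added illustration (not part of the original training deck), the handshake steps and the SYN-flood sequence above can be replayed over a record of TCP segments to measure a server's half-open backlog, which is the signal a defender watches. The segment list, the spoofed 198.51.100.x sources (a documentation range) and all function names are constructed for this example; 2.2.100.2 is the corporate web server address used in the deck's deployment diagrams.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# One TCP segment: (src, sport, dst, dport, flags), flags written as on the slide.
Segment = Tuple[str, int, str, int, str]


def handshake_states(segments: List[Segment]) -> Dict[tuple, str]:
    """Replay each client flow through the three steps: SYN, SYN.ACK, ACK."""
    flows: Dict[tuple, str] = {}
    for src, sport, dst, dport, flags in segments:
        if flags == "SYN":                       # step 1: client opens a flow
            flows[(src, sport, dst, dport)] = "syn_received"
        elif flags == "SYN.ACK":                 # step 2: server answers the client's flow
            key = (dst, dport, src, sport)
            if flows.get(key) == "syn_received":
                flows[key] = "half_open"         # server now waits for the client's ACK
        elif flags == "ACK":                     # step 3: client completes the handshake
            key = (src, sport, dst, dport)
            if flows.get(key) == "half_open":
                flows[key] = "established"
    return flows


def server_backlog(segments: List[Segment]) -> Dict[tuple, Dict[str, int]]:
    """Per (server, port): how many handshakes are stuck at step 2 vs completed."""
    backlog: Dict[tuple, Dict[str, int]] = defaultdict(
        lambda: {"half_open": 0, "established": 0})
    for (_src, _sport, dst, dport), state in handshake_states(segments).items():
        if state in ("half_open", "established"):
            backlog[(dst, dport)][state] += 1
    return dict(backlog)


def flood_suspects(segments: List[Segment], threshold: int = 10) -> List[tuple]:
    """Servers whose half-open backlog exceeds the threshold.

    The count is kept per server, not per client: step 1 of the attack uses
    fake source addresses, so a per-source counter would see one SYN each."""
    return sorted(srv for srv, c in server_backlog(segments).items()
                  if c["half_open"] > threshold)


def constructed_capture() -> List[Segment]:
    """Constructed sample: one legitimate client completes the handshake with
    the web server 2.2.100.2; twelve spoofed sources never send the final ACK."""
    server = "2.2.100.2"
    legit = [("10.0.0.5", 1024, server, 80, "SYN"),
             (server, 80, "10.0.0.5", 1024, "SYN.ACK"),
             ("10.0.0.5", 1024, server, 80, "ACK")]
    flood: List[Segment] = []
    for i in range(1, 13):
        fake = f"198.51.100.{i}"                 # constructed, documentation range
        flood.append((fake, 1024, server, 80, "SYN"))
        flood.append((server, 80, fake, 1024, "SYN.ACK"))
    return legit + flood


if __name__ == "__main__":
    capture = constructed_capture()
    print(server_backlog(capture))   # {('2.2.100.2', 80): {'half_open': 12, 'established': 1}}
    print(flood_suspects(capture))   # [('2.2.100.2', 80)]
```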

Page 15: Firewalls Training Material

Firewall Concept – Firewall deployments in a network

• Static Route: static routes are needed for the firewall to communicate with networks that are not locally attached on the same subnet.
• NAT: internal addresses are private addresses from RFC1918. All private addresses are translated to a valid IP address before accessing the Internet.
• Transparent: no changes are required on any end station, router or server. Routing protocols can be configured to pass through the firewall in transparent mode. The firewall offers full firewall and VPN capabilities.

Page 16: Firewalls Training Material

Firewall Concept – Firewall deployments in a network: Static Route

Diagram (static route deployment): firewall LAN 2.2.10.1, WAN 2.2.2.10, DMZ 2.2.100.1; Internet Router 2.2.2.254; DMZ hosts Corporate Web 2.2.100.2, Mail Relay 2.2.100.3, DMZ DNS 2.2.100.4; internal networks Sales 2.2.20.0, Support 2.2.30.0, Marketing 2.2.40.0; LAN hosts Intranet Web 2.2.10.5, Corp Mail 2.2.10.6, Intranet DNS 2.2.10.7, AdminPC 1 2.2.10.13, AdminPC 2 2.2.10.18, AdminPC 3 2.2.10.33.

Page 17: Firewalls Training Material

Firewall Concept – Firewall deployments in a network: NAT

Diagram (NAT deployment): firewall LAN 10.1.10.1, WAN 2.2.2.10, DMZ 2.2.100.1; Internet Router 2.2.2.254; DMZ hosts Corporate Web 2.2.100.2, Mail Relay 2.2.100.3, DMZ DNS 2.2.100.4; internal networks Sales 10.1.20.0, Support 10.1.30.0, Marketing 10.1.40.0; LAN hosts Intranet Web 10.1.10.5, Corp Mail 10.1.10.6, Intranet DNS 10.1.10.7, AdminPC 1 10.1.10.13, AdminPC 2 10.1.10.18, AdminPC 3 10.1.10.33.

Page 18: Firewalls Training Material

Firewall Concept – Firewall deployments in a network: Transparent

Diagram (transparent deployment): firewall LAN 2.2.2.253, WAN 2.2.2.253, DMZ 2.2.2.253 (one address on all interfaces); Internet Router 2.2.2.254; DMZ hosts Corporate Web 2.2.2.2, Mail Relay 2.2.2.3, DMZ DNS 2.2.2.4; internal networks Sales 2.2.20.0, Support 2.2.30.0, Marketing 2.2.40.0; LAN hosts Intranet Web 2.2.2.5, Corp Mail 2.2.2.6, Intranet DNS 2.2.2.7, AdminPC 1 2.2.2.13, AdminPC 2 2.2.2.18, AdminPC 3 2.2.2.33.

Page 19: Firewalls Training Material

Firewall Concept – Firewall Generations

• First generation – Packet filtering
• Second generation – Proxy
• Third generation – Stateful Inspection
• Fourth generation – IDS/IDP

Page 20: Firewalls Training Material

Firewall Concept – 1. Packet Filtering

• Works at the IP & TCP level
• Disadvantages:
– Does not re-create fragmented packets
– Does not understand the relationship between packets
• Advantages:
– High speed of packet processing

OSI Model: 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical

Page 21: Firewalls Training Material

Firewall Concept – 2. Proxy

• Receives packets, reads and re-creates the packets
– No physical connection between the client and the server.
• Disadvantages:
– Slow
– The proxy must understand the application protocol
– Mostly based on a complex operating system
• Advantages:
– Attacks on the TCP/IP level will never penetrate through to the protected network
– Able to analyze application data
• Able to strip things like ActiveX and Java.

(OSI Model diagram)

Page 22: Firewalls Training Material

Firewall Concept – 3. Stateful Inspection

• Re-creates fragmented packets
• Understands the relationship between packets
• Advantages:
– Does not need to understand the application data to work
– Great flexibility
– Better performance than a proxy
• Disadvantages:
– Harder to analyze the application data (but still possible)

(OSI Model diagram)

Page 23: Firewalls Training Material

Firewall Concept – 4. IDS/IDP

• Receives packets, reads and re-creates the packets
– No physical connection between the client and the server.
• Disadvantages:
– Slow
– The proxy must understand the application protocol
– Mostly based on a complex operating system
• Advantages:
– Attacks on the TCP/IP level will never penetrate through to the protected network
– Able to analyze application data
• Able to strip things like ActiveX and Java.

(OSI Model diagram)

Page 24: Firewalls Training Material

Firewall Concept – Packet flow

Diagram: traffic between a LAN host (IP: 192.168.1.100) and the INTERNET through the firewall (WAN IP: 203.126.142.96). In each direction: 1. Packet inspection, 2. Priority processes, 3. Allow? Drop? NAT? Reject?

Page 25: Firewalls Training Material

Firewall Concept – Packet flow

When traffic enters the firewall, it is first inspected by VLAN (if VLAN is used).
The IDS rule is the primary filter, which is configured to allow or disallow certain types of network traffic through the firewall.
Then the traffic is inspected by the IP rules and routing rules.
After that the traffic is inspected by ZoneDefense and Traffic Shaping.

Page 26: Firewalls Training Material

Firewall Concept – Packet flow

Flowchart (packet flow through the firewall):
• Inbound packet → VLAN packet? Yes: de-capsulate.
• Basic sanity checks, including verification of the IP header. Failed: Drop.
• Check IDS signatures. Match: Drop.
• Fragment? Yes: process fragment.
• Found matching connection? True: Traffic Shaping → ZD (ZoneDefense) → Forward packet.
• False: verify TCP/UDP header → DestIP = FW? (is the packet addressed to the firewall itself) → Apply Rules:
– Allow/NAT/SAT: open connection → Traffic Shaping → ZD → Forward packet
– FwdFast/SAT: route IP (SAT_ApplyRulePack) → Traffic Shaping → Forward packet
– Otherwise: Drop

Page 27: Firewalls Training Material

Agenda

• Appliance Overview
• Firewall Concept
• Basic Configuration
• Scenario & Hands-on
• Troubleshooting

Page 28: Firewalls Training Material

Basic Configuration – Default Interface Attribute Definition (DFL-800)

• Management Web UI: http://192.168.1.1
• LAN can be managed and pinged
• DHCP is disabled on the firewall

Page 29: Firewalls Training Material

Basic Configuration – Default Interface Attribute Definition (DFL-1600)

• Management Web UI: http://192.168.1.1
• LAN1 can be managed and pinged
• DHCP is disabled on the firewall

Page 30: Firewalls Training Material

Basic Configuration – Default Interface Attribute Definition (DFL-2500)

• Management Web UI: http://192.168.1.1
• LAN1 can be managed and pinged
• DHCP is disabled on the firewall

Page 31: Firewalls Training Material

Basic Configuration – design concept of the UI

• If an undesired rule or object is created without hitting the “OK” button, users must hit the “Cancel” button; otherwise that rule or object will remain in the list, named “untitle”.
• Traffic is examined against the rules in the order they were created, from top down.
• When you right-click any rule or object and select Delete, a strike-through line is shown on that rule or object.
• The “Save and Activate” button will not be available until the “untitle” rule or object is deleted.
• After clicking “Save and Activate”, you must reconnect to the firewall within 30 seconds (default setting) for the configuration changes to be finalized. If this fails, the unit reverts to its previous configuration. The reconnection time is adjustable.

Page 32: Firewalls Training Material

Basic Configuration

• Configure a static IP address on your laptop or PC
• The user is authenticated before logging in to the firewall
• Default login: admin, Password: admin
• The user is presented with:
– Menu Bar
– Tree View List
– Main Window

Page 33: Firewalls Training Material

Basic Configuration – Web UI layout (screenshot: Menu Bar, Tree View List, Main Window)

Page 34: Firewalls Training Material

Basic Configuration – UI of System (screenshot)

Page 35: Firewalls Training Material

Basic Configuration – UI of Object (screenshot)

Page 36: Firewalls Training Material

Basic Configuration – UI of Rules (screenshot)

Page 37: Firewalls Training Material

Basic Configuration – UI of Interfaces (screenshot)

Page 38: Firewalls Training Material

Basic Configuration – UI of Routing (screenshot)

Page 39: Firewalls Training Material

Basic Configuration – UI of IDS/IDP (screenshot)

Page 40: Firewalls Training Material

Basic Configuration – UI of User Authentication (screenshot)

Page 41: Firewalls Training Material

Basic Configuration – UI of Traffic Shaping (screenshot)

Page 42: Firewalls Training Material

Basic Configuration – UI of ZoneDefense (screenshot)

Page 43: Firewalls Training Material

Basic Configuration – Three Steps to Configure

1. Create and verify the object
2. Create the rule (IP rule, IDS rule, user authentication rule and Pipes rule)
3. Create and verify the routing rule

Page 44: Firewalls Training Material

Basic Configuration – First Step to Configure

1. Create and verify the object

The most important thing in firewall configuration is the OBJECT. Objects are the basic network elements defined in the firewall: a list of symbolic names associated with various types of addresses, including IP addresses of hosts and networks.

Object items are used heavily throughout a firewall configuration: in routing tables, the rule-set, interface definitions and VPN tunnels, among others.

Page 45: Firewalls Training Material

Basic Configuration – Objects – Address Book

• Hosts & Networks configuration items are symbolic names for IP networks

Page 46: Firewalls Training Material

Basic Configuration – Objects – ALG

• ALGs are designed to manage specific protocols
• They examine the payload data and carry out appropriate actions based on defined rules
• The appropriate Application Layer Gateway definition is selected in a Service configuration item. Network traffic which matches the service definition will thus be managed by the selected Application Layer Gateway.

Page 47: Firewalls Training Material

Basic Configuration – Objects – Services

• A definition of a specific IP protocol with corresponding parameters. The service http, for instance, is defined as using the TCP protocol with destination port 80.

Page 48: Firewalls Training Material

Basic Configuration – Objects – Schedules

• A Schedule allows the firewall rules it is attached to to be used only at the designated times. Any activity outside the scheduled time slot will not match those rules and is therefore unlikely to be permitted to pass through the firewall.

Page 49: Firewalls Training Material

Basic Configuration – Objects – Certificate

• A certificate is a digital proof of identity. It links an identity to a public key in a trustworthy manner. Certificates can be used to authenticate individual users or other entities. These types of certificates are commonly called end-entity certificates.

Page 50: Firewalls Training Material

Basic Configuration – Second Step to Configure

2. Create the rule

The Rules configuration section represents the rule-set, the "heart" of the firewall. The rule-set is the primary filter, which is configured to allow or disallow certain types of network traffic through the firewall. The rule-set also regulates how address translation and bandwidth management (traffic shaping) are applied to traffic flowing through the firewall.

Page 51: Firewalls Training Material

Basic Configuration – IP Rules – Drop

• Packets matching Drop rules are immediately dropped. Such packets are logged if logging has been enabled on the Log Settings page.

Page 52: Firewalls Training Material

Basic Configuration – IP Rules – Drop (screenshots: DROP RULE and DROPPING LOG)

Page 53: Firewalls Training Material

Basic Configuration – IP Rules – Reject

• Reject works basically the same way as Drop. In addition, the firewall sends an ICMP UNREACHABLE message back to the sender or, if the rejected packet is a TCP packet, a TCP RST message.

Page 54: Firewalls Training Material

Basic Configuration – IP Rules – Reject (screenshots: REJECT RULE and REJECTING LOG showing ICMP Unreachable and TCP RST)

Page 55: Firewalls Training Material

Basic Configuration – IP Rules – FwdFast

• Packets matching FwdFast rules are allowed through immediately.
• The firewall does not memorize the open connections and does not statefully inspect traffic which has passed through it.
• For one single packet, it is indeed faster than first having to open a state-tracked connection and then passing the packet to it. But when several packets pass over the same connection, state tracking (Allow) is faster.

Page 56: Firewalls Training Material

Basic Configuration – IP Rules – FwdFast

Diagram: packets matching FwdFast rules pass between the LAN and the INTERNET with no stateful traffic inspection (the firewall does not remember open connections).
Remember that there needs to be a FwdFast rule in each direction.
Note: Allow is usually faster than FwdFast.

Page 57: Firewalls Training Material

Basic Configuration – IP Rules – Allow

• Packets matching Allow rules are passed to the stateful inspection engine, which memorizes that a connection has been opened.
• Rules for return traffic are not required, as traffic belonging to open connections is automatically dealt with before it reaches the rule set.

Page 58: Firewalls Training Material

Basic Configuration – IP Rules – Allow

Diagram: packets matching Allow rules pass between the LAN and the INTERNET with logging & stateful inspection in each direction.

Page 59: Firewalls Training Material

Basic Configuration – IP Rules – SAT

• Nothing happens when a packet matches a SAT rule at the beginning.
• The firewall memorizes where to send the traffic and continues to look for a matching rule that will allow the packet to pass; the static address translation is performed at that stage.

Page 60: Firewalls Training Material

Basic Configuration – IP Rules – SAT

Diagram: a client 220.255.14.123 on the Internet (“I want the file from the FTP server”) connects to the firewall WAN IP: 203.126.142.100; SAT redirects the connection to the FTP SERVER 172.16.1.100 in the DMZ.
The public_ip should be bound to the WAN of the firewall first; redirect_address is used to redirect incoming connections from public_ip to private_ip.

Page 61: Firewalls Training Material

Basic Configuration – IP Rules – NAT

• The rules perform dynamic address translation; NAT hides the sender address.
• Mostly used to hide all machines on a protected network so that they appear to the outside world as if they use a single IP address.

Page 62: Firewalls Training Material

Basic Configuration – IP Rules – NAT

Diagram (Network Address Translation): the LAN host IP: 192.168.1.100 appears on the INTERNET with the firewall's WAN IP: 203.126.142.96.
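The IP rule actions described on the Drop, Reject, FwdFast, Allow, SAT and NAT slides, together with the Service and Schedule objects, can be modelled in a few dozen lines; the toy evaluator below is an added example and not D-Link's own code. It uses the deck's addresses (WAN 203.126.142.96, public FTP address 203.126.142.100 mapped to the DMZ server 172.16.1.100, client 220.255.14.123); the class names, the rule-set and the "default drop when nothing matches" behaviour are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on ("lan", "wan", "dmz")
    proto: str    # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Service:
    """Service object: an IP protocol plus parameters (http = TCP, destination port 80)."""
    proto: str                    # "any" matches every protocol
    dport: Optional[int] = None   # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


HTTP, FTP, PING, ALL = Service("tcp", 80), Service("tcp", 21), Service("icmp"), Service("any")


@dataclass(frozen=True)
class Rule:
    action: str                        # Drop, Reject, FwdFast, Allow, NAT or SAT
    service: Service
    src_if: str                        # "any" or the receiving interface
    src_net: str
    dst_net: str
    hours: Tuple[int, int] = (0, 24)   # Schedule object: rule usable from..until hour
    sat_to: Optional[str] = None       # SAT only: private address to redirect to

    def matches(self, pkt: Packet, hour: int) -> bool:
        return (self.src_if in ("any", pkt.iface)
                and self.service.matches(pkt)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and self.hours[0] <= hour < self.hours[1])


class Firewall:
    def __init__(self, rules: List[Rule], wan_ip: str):
        self.rules = rules
        self.wan_ip = wan_ip
        self.state: Dict[tuple, str] = {}   # open connections keyed by 5-tuple

    def process(self, pkt: Packet, hour: int = 12) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:                # open connections never reach the rule set
            return self.state[key]
        sat_dst = None
        for rule in self.rules:              # top down, first matching rule decides
            if not rule.matches(pkt, hour):
                continue
            if rule.action == "SAT":         # nothing happens yet: remember, keep looking
                sat_dst = rule.sat_to
                continue
            if rule.action == "Drop":
                return "Drop"
            if rule.action == "Reject":      # Drop plus a TCP RST or ICMP unreachable
                return "Reject (TCP RST)" if pkt.proto == "tcp" else "Reject (ICMP unreachable)"
            if rule.action == "FwdFast":     # stateless: the reply needs its own rule
                return "FwdFast"
            # Allow or NAT: open a state-tracked connection; a pending SAT applies here.
            new_src = self.wan_ip if rule.action == "NAT" else pkt.src
            new_dst = sat_dst or pkt.dst
            verdict = rule.action
            if rule.action == "NAT":
                verdict += f" src->{new_src}"
            if sat_dst:
                verdict += f" dst->{new_dst}"
            self.state[key] = verdict
            # The reply carries the translated addresses swapped; it matches state, not rules.
            self.state[(pkt.proto, new_dst, pkt.dport, new_src, pkt.sport)] = "Allow (open connection)"
            return verdict
        return "Drop (no matching rule)"     # assumption: unmatched traffic is dropped


def build_firewall() -> Firewall:
    """Constructed rule-set using the deck's addresses."""
    rules = [
        # SAT + Allow pair: port mapping for the DMZ FTP server
        Rule("SAT", FTP, "wan", "0.0.0.0/0", "203.126.142.100/32", sat_to="172.16.1.100"),
        Rule("Allow", FTP, "wan", "0.0.0.0/0", "203.126.142.100/32"),
        # Schedule: web browsing from the LAN is rejected between 00:00 and 08:00
        Rule("Reject", HTTP, "lan", "192.168.1.0/24", "0.0.0.0/0", hours=(0, 8)),
        # Everything else from the LAN leaves NAT-ed behind the WAN address
        Rule("NAT", ALL, "lan", "192.168.1.0/24", "0.0.0.0/0"),
        # Stateless FwdFast for pings from the Internet to the DMZ, one direction only
        Rule("FwdFast", PING, "wan", "0.0.0.0/0", "172.16.1.0/24"),
    ]
    return Firewall(rules, wan_ip="203.126.142.96")
```

Feeding the FTP reply from 172.16.1.100 back through `process` shows it hit the state table rather than the rule-set, while the ICMP reply to the FwdFast ping falls through to the default because no rule covers the return direction.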

Page 63: Firewalls Training Material

Basic Configuration – Third Step to Configure

3. Create and verify the routing rule

Main Route:
The Routes configuration section describes the firewall’s routing table. The firewall uses a slightly different way of describing routes compared to most other systems.

Policy-Based Route:
The rules in the PBR rule-set are able to specify which routing table is to be used in the forward as well as the return direction (select routing priority).

Page 64: Firewalls Training Material

Basic Configuration – Main Routing Table

• Routing tells the firewall in which direction it should send packets destined for a given IP address

Page 65: Firewalls Training Material

Basic Configuration – Policy Based Routing

• Connect to two or more ISPs, and accept inbound connections from all of them. Return traffic is routed back through the ISP that delivered the incoming request.
• Route certain protocols through transparent proxies such as web caches and anti-virus scanners, without adding another point of failure for the network as a whole.
• Create provider-independent metropolitan area networks, i.e. ones where all users share a common active backbone but are able to use different ISPs, subscribe to different streaming media providers, etc.
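The first use case above (two ISPs, reply leaves through the ISP that delivered the request) is the one worth seeing in code: with a single main routing table the reply would follow the default route out of ISP 1 regardless of where the request came in. The model below is an added example, not the firewall's own implementation; it assumes a main table with a default route via the deck's WAN1 gateway 192.168.174.254, a second table "isp2" whose default route leaves via WAN2 through a constructed gateway 198.51.100.1 (documentation range), and a PBR rule that records the return table per connection.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class RoutingTable:
    """Routes as (network, interface, gateway); lookup is longest prefix match."""

    def __init__(self, routes: List[Tuple[str, str, Optional[str]]]):
        self.routes = [(ipaddress.ip_network(net), iface, gw) for net, iface, gw in routes]

    def lookup(self, dst: str) -> Optional[Tuple[str, Optional[str]]]:
        ip = ipaddress.ip_address(dst)
        best = None
        for net, iface, gw in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, gw)
        return None if best is None else (best[1], best[2])


@dataclass(frozen=True)
class PBRRule:
    src_if: str          # receiving interface the rule applies to ("any" for all)
    dst_net: str
    forward_table: str   # table used for the direction that opens the connection
    return_table: str    # table used for the reply direction


class PolicyRouter:
    def __init__(self, tables: Dict[str, RoutingTable], pbr: List[PBRRule]):
        self.tables = tables                 # must contain "main"
        self.pbr = pbr
        self.flows: Dict[tuple, str] = {}    # (src, dst) of an opened connection -> return table

    def route_new(self, src_if: str, src: str, dst: str):
        """First packet of a connection: PBR picks the tables, main is the fallback."""
        table, ret = "main", "main"
        for rule in self.pbr:                # first matching PBR rule wins
            if rule.src_if in ("any", src_if) and \
                    ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst_net):
                table, ret = rule.forward_table, rule.return_table
                break
        self.flows[(src, dst)] = ret         # remember how the reply must be routed
        return table, self.tables[table].lookup(dst)

    def route_reply(self, src: str, dst: str):
        """Reply packet: use the return table recorded when the connection was opened."""
        table = self.flows.get((dst, src), "main")
        return table, self.tables[table].lookup(dst)


def build_router() -> PolicyRouter:
    """Constructed two-ISP setup: Intranet 192.168.1.0/24 on lan, ISP 1 on wan1
    (192.168.174.0/24), ISP 2 on wan2 (198.51.100.0/24, constructed)."""
    main = RoutingTable([("192.168.1.0/24", "lan", None),
                         ("192.168.174.0/24", "wan1", None),
                         ("198.51.100.0/24", "wan2", None),
                         ("0.0.0.0/0", "wan1", "192.168.174.254")])   # default via ISP 1
    isp2 = RoutingTable([("192.168.1.0/24", "lan", None),
                         ("198.51.100.0/24", "wan2", None),
                         ("0.0.0.0/0", "wan2", "198.51.100.1")])      # default via ISP 2
    # Requests arriving on wan2 for the intranet are forwarded via main, answered via isp2.
    pbr = [PBRRule("wan2", "192.168.1.0/24", forward_table="main", return_table="isp2")]
    return PolicyRouter({"main": main, "isp2": isp2}, pbr)
```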

Page 66: Firewalls Training Material

Basic Configuration – Policy Based Routing

Diagram: firewall with Intranet 192.168.1.0/24, Extranet 192.168.174.0/24, DMZ, and two Internet links WAN1 and WAN2.

Page 67: Firewalls Training Material

Agenda

• Appliance Overview
• Firewall Concept
• Basic Configuration
• Scenario & Hands-on
• Troubleshooting

Page 68: Firewalls Training Material

Scenario & Hands-on

1. Basic Configuration (WAN/LAN/DMZ, transparent mode)
2. Configure Load Sharing and Route Failover (use 2 WANs)
3. Configure ZoneDefense
4. Port mapping for server (SAT and server load balance)
5. Runtime Authentication configuration
6. Traffic shaping
7. Configure VPN tunnel (PPTP, L2TP and IPsec)

Page 69: Firewalls Training Material

Scenario & Hands-on – topology with all scenarios accomplished

Diagram: DFL-1600 with Internal LAN1 IP: 192.168.1.0/24, Internal LAN2 IP: 192.168.2.0/24, Internal LAN3 IP: 192.168.3.0/24, a DMZ with FTP Server 172.16.1.1, WAN1 (DHCP) and WAN2 (Static IP); an IPSec VPN tunnel to a DFL-800 (WAN1 IP: 192.168.174.71/24) with a Remote LAN, Internal LAN IP: 192.168.10.0/24.

Hands on: 1. Basic Configuration, 2. Load Sharing and Route Failover, 3. ZoneDefense, 4. Port mapping for server, 5. User Authentication, 6. Traffic Shaping, 7. VPN tunnel

Page 70: Firewalls Training Material

Scenario & Hands-on – Network topology for hands-on

Diagram: main switch (ports G1, G2, G3, G4) connected to the Internet; all WAN1 ports connect to the main switch.

Page 71: Firewalls Training Material

Scenario & Hands-on – Network topology for every group

Diagram: main switch and group switch. Four persons in one group; the LAN1 port connects to the group switch.

Page 72: Firewalls Training Material

Scenario & Hands-on 1 – Basic Configuration
(Configure the WAN type, modify the IP address of LAN and enable transparent mode)

Diagram: Internal LAN1 IP: 192.168.3.1/24, Internal LAN2 IP: 192.168.5.1/24, Internal LAN3 IP: 192.168.7.1/24, Internal DMZ IP: 172.17.100.1/24, WAN1 PPPoE, DHCP or Static IP: 192.168.174.70/24

Objective:
• How to modify the IP address for LAN and DMZ in Object
• How to use DHCP, Static IP and PPPoE to access the Internet
• How to enable transparent mode

Page 73: Firewalls Training Material

Scenario & Hands-on 1-1 – Basic Configuration – Modify IP address for LAN and DMZ

Network topology: Internal LAN1 IP: 192.168.3.1/24, Internal LAN2 IP: 192.168.5.1/24, Internal LAN3 IP: 192.168.7.1/24, Internal DMZ IP: 172.17.100.1/24 (DFL-800, DFL-1600, DFL-2500)

Notes:
• DFL-800 only has LAN and DMZ; DFL-1600/2500 have LAN1, LAN2, LAN3 and DMZ
• Pay attention to the default manageable status
• Confirm the connecting port
• Bind a secondary IP address to match the new network IP segment. After configuration, use the new LAN IP address as the default gateway on the laptop

Page 74: Firewalls Training Material

Scenario & Hands-on 1-1 – Basic Configuration – Modify IP address for LAN and DMZ

Objectives
• Access the LAN1 IP address successfully (ping) or manage the Web UI by the new IP address

The Logic of Configuration
• Bind a secondary IP address to match the new network IP segment.
• After configuration, use the new LAN IP address as the default gateway on your laptop
• Modify the IP address and network objects in the address book of Object

Page 75: Firewalls Training Material

Scenario & Hands-on – Bind two IP addresses on one NIC (screenshots, steps 1–3)

Page 76: Firewalls Training Material

Scenario & Hands-on – Bind two IP addresses on one NIC (screenshots, steps 4–6)

Page 77: Firewalls Training Material

Scenario & Hands-on 1-1 – Basic Configuration – Modify IP address for LAN and DMZ

Use a web browser such as Internet Explorer 6 or Firefox 1.0 to connect to the Web UI

Page 78: Firewalls Training Material

Scenario & Hands-on 1-1 – Basic Configuration – Modify IP address for LAN and DMZ

Change the IP address in the address book of Object (screenshot, steps 1–2)
• Click “Interface Addresses” in Object
• Key in the correct IP address and network

Page 79: Firewalls Training Material

Scenario & Hands-on 1-1 – Basic Configuration – Modify IP address for LAN and DMZ

Change the IP address in the address book of Object or in Ethernet under Interface (screenshot, steps 1–2)
• Key in the correct IP address and network

Page 80: Firewalls Training Material

Scenario & Hands-on 1-1 – Basic Configuration – Modify IP address for LAN and DMZ

After all configuration is done, click “Configuration” in the main bar
• Click “Save and Activate”

Page 81: Firewalls Training Material

Scenario & Hands-on 1-1 – Basic Configuration – Modify IP address for LAN and DMZ

Testing result: ping the LAN IP address

Page 82: Firewalls Training Material

Scenario & Hands-on 1-1 – How to modify the Web UI reconnection time

After you click “Save and Activate” you can adjust the reconnection time
• Click “Click here to edit the configuration verification timeout.”

Page 83: Firewalls Training Material

Scenario & Hands-on 1-1 – Basic Configuration – Modify IP address for LAN and DMZ

Use the new LAN IP address as the default gateway on the laptop (screenshots, steps 1–3)

Page 84: Firewalls Training Material

Scenario & Hands-on 1-1 – Basic Configuration – Modify IP address for LAN and DMZ

Use the new LAN IP address as the default gateway on the laptop (screenshots, steps 4–6)

Page 85: Firewalls Training Material

Scenario & Hands-on 1-1 – Basic Configuration – Modify IP address for LAN and DMZ

Use the new LAN IP address as the default gateway on the laptop (screenshots, steps 7–8)

Page 86: Firewalls Training Material

Scenario & Hands-on 1-1 – Exercise 1-1 – Modify IP address for LAN and DMZ

Diagram: Internal LAN1, Internal LAN2, Internal LAN3, Internal DMZ

Objective:
1. Change the IP address of LAN1
2. Ping the new IP address of LAN1 and access the Web UI by the new IP successfully

LAN1 IP: Group A(1): 192.168.10.1/24, Group B(2): 192.168.20.1/24, … Group I(9): 192.168.90.1/24, Group J(10): 192.168.100.1/24

Page 87: Firewalls Training Material

Scenario & Hands-on 1-2 – Basic Configuration – Transparent mode

Network topology: Internal LAN1 IP: 192.168.174.70/24, WAN1 IP: 192.168.174.70/24; hosts 192.168.174.71/24 and 192.168.174.72/24

Note:
• Configure the default gateway
• Configure DHCP relay, if the firewall is in a DHCP environment

Page 88: Firewalls Training Material

Scenario & Hands-on 1-2 – Basic Configuration – Transparent mode

Objectives
• Implement the firewall in transparent mode without changing the existing network settings
• Allow or deny specific services and traffic (allow WAN1 to LAN1 for the ICMP service, allow LAN1 to WAN1 for all services)

The Logic of Configuration
• Enable transparent mode
• Configure IP rules and objects in the firewall
• Bind a secondary IP address to match the new network IP segment.

Page 89: Firewalls Training Material

Scenario & Hands-on 1-2 – Basic Configuration – Transparent mode

Configure the IP objects in the address book of Object to the same IP address
• Click “Address Book” in Object
• Configure the IP addresses of WAN1 and LAN1

Page 90: Firewalls Training Material

Scenario & Hands-on 1-2 – Basic Configuration – Transparent mode

Enable transparent mode for WAN1 and LAN1 (screenshot, steps 1–3)
• Click “Ethernet” under “Interfaces”
• Enable transparent mode on the WAN1 interface and add the gateway object to “Default Gateway”
• Disable “Add route for interface network”

Page 91: Firewalls Training Material

Scenario & Hands-on 1-2 – Basic Configuration – Transparent mode

Enable transparent mode for WAN1 and LAN1 (screenshot, steps 1–3)
• Click “Ethernet” under “Interfaces”
• Enable transparent mode on the LAN1 interface
• Disable “Add route for interface network”

Page 92: Firewalls Training Material

Scenario & Hands-on 1-2 – Basic Configuration – Transparent mode

Add the “Service” rules under IP rules (WAN1 to LAN1 and LAN1 to WAN1) (screenshot, steps 1–4)
• Click “IP Rules” in Rules
• Choose the correct Action, Service, Interface and Network for the rule

Page 93: Firewalls Training Material

Scenario & Hands-on 1-2 – Basic Configuration – Transparent mode

• Create the DHCP relay for LAN1 to WAN1
• Click “DHCP Relays” under “System” > “DHCP Settings”
• Choose the correct Action, Service, Interface and Network for the rule

Page 94: Firewalls Training Material

Scenario & Hands-on 1-2 – Basic Configuration – Transparent mode

After all configuration is done, click “Configuration” in the main bar
• Click “Save and Activate”

Page 95: Firewalls Training Material

Scenario & Hands-on 1-2 – Basic Configuration – Transparent mode

Testing result: get an IP address from the DHCP server and ping the gateway

Page 96: Firewalls Training Material


Scenario & Hands-on 1-2 – Exercise 1-2 – Transparent mode

Diagram: Internal LAN1, WAN1

Objectives:
1. Enable transparent mode
2. Allow ping from WAN to LAN
3. Allow all services from LAN to WAN

Group      WAN1 IP              LAN1 IP
Group1     192.168.200.1/24     192.168.200.1/24
Group2     192.168.200.2/24     192.168.200.2/24
…
Group9     192.168.200.9/24     192.168.200.9/24
Group10    192.168.200.10/24    192.168.200.10/24

DHCP server IP address: 192.168.200.254

Page 97: Firewalls Training Material

Scenario & Hands-on 1-3 – Basic Configuration – WAN type – Static IP

Network topology: Internal LAN1 IP: 192.168.3.1/24; WAN1 (Static) IP: 192.168.174.70/24; WAN1 gateway IP: 192.168.174.254/24

Note:
• Configure the default gateway

Page 98: Firewalls Training Material

Scenario & Hands-on 1-3 – Basic Configuration – WAN type – Static IP

Objectives
• Configure the WAN type with a static IP address

The Logic of Configuration
• Before configuring the WAN type with a static IP, please reset the device to default
• Create an object for the WAN1 gateway and apply it to the WAN1 interface
• Choose the correct Action, Service, Interface and Network for the rule

Page 99: Firewalls Training Material

Scenario & Hands-on 1-3 – Basic Configuration – WAN type – Static IP

Create the correct gateway object under “Address Book”
• Click “Address Book” under “Object”
• Add an object for IP4 Host/Network
• Verify the IP addresses of wan1_ip and wan1net

Page 100: Firewalls Training Material

Scenario & Hands-on 1-3 – Basic Configuration – WAN type – Static IP

Apply the gateway object to the WAN interface (screenshot, steps 1–2)
• Click “Ethernet” under “Interfaces”
• Add the gateway object as the “Default Gateway”

Page 101: Firewalls Training Material

Scenario & Hands-on 1-3 – Basic Configuration – WAN type – Static IP

Create the service rule in IP rules (screenshot, steps 1–2)
• Click “IP Rules” under “Rules”
• Choose the correct Action, Service, Interface and Network for the rule

Page 102: Firewalls Training Material

Scenario & Hands-on 1-3 – Basic Configuration – WAN type – Static IP

After all configuration is done, click “Configuration” in the main bar
• Click “Save and Activate”

Page 103: Firewalls Training Material

Scenario & Hands-on 1-3 – Basic Configuration – WAN type – Static IP

Testing result: ping the Internet (tw.yahoo.com)

Page 104: Firewalls Training Material

D-Link Security

104

Internal LAN1Group private IP

WAN1:Group IP

Objective

1. Change WAN type with static IP address of following IP addresses

2. Use “NAT” mode to access the Internet

Scenario & Hands-on 1-3 Exercise 1-3- WAN type-Static IP

LAN1 Group1: 192.168.10.1/24Group2: 192.168.20.1/24 . .Group9: 192.168.90.1/24

Group10: 192.168.100.1/24

WAN1Group1: 192.168.200.1/24Group2: 192.168.200.2/24 . . Group9: 192.168.200.9/24

Group10: 192.168.200.10/24

WAN1-Gateway:192.168.200.254

Page 105: Firewalls Training Material

Scenario & Hands-on 1-4 Basic Configuration - WAN type - PPPoE

Network topology

Internal LAN1 IP: 192.168.3.1/24
WAN1: PPPoE

Note:
Configure the PPPoE tunnel
Apply the PPPoE tunnel to the IP rule

Page 106: Firewalls Training Material

Scenario & Hands-on 1-4 Basic Configuration - WAN type - PPPoE

Objectives
Configure the WAN type on a PPPoE tunnel to access the Internet in NAT mode

The Logics of Configuration
Create a PPPoE tunnel and apply it to the IP rule
Choose the correct Action, Service, Interface and Network for the rule

Page 107: Firewalls Training Material

Scenario & Hands-on 1-4 Basic Configuration - WAN type - PPPoE

Create an object for the PPPoE rule in “PPPoE Tunnels” under “Interfaces”
• Click “PPPoE Tunnels” under “Interfaces”
• Apply the correct Physical Interface, Remote Network, Username and Password in the object

Page 108: Firewalls Training Material

Scenario & Hands-on 1-4 Basic Configuration - WAN type - PPPoE

Create the IP rule
• Click “IP Rules” under “Rules”
• Choose the correct Action, Service, Interface and Network for the rule

Page 109: Firewalls Training Material

Scenario & Hands-on 1-4 Basic Configuration - WAN type - PPPoE

After all configuration, click “Configuration” in the main bar
• Click “Save and Activate”

Page 110: Firewalls Training Material

Scenario & Hands-on 1-4 Basic Configuration - WAN type - PPPoE

Testing Result
Ping to the Internet (tw.yahoo.com)

Page 111: Firewalls Training Material

Scenario & Hands-on 1-4 Exercise 1-4 - WAN type - PPPoE

Internal LAN1 IP: 192.168.3.1/24
WAN1: PPPoE

Objective:
1. Configure the WAN type on a PPPoE tunnel so that local users can access the Internet

Page 112: Firewalls Training Material

Scenario & Hands-on 1-5 Basic Configuration - WAN type - DHCP

Network topology

Internal LAN1 IP: 192.168.3.1/24
WAN1: DHCP

Note:
Enable the DHCP client on the WAN interface

Page 113: Firewalls Training Material

Scenario & Hands-on 1-5 Basic Configuration - WAN type - DHCP

Objectives
Dynamically assign an IP to the WAN interface so that local users can access the Internet by NAT

The Logics of Configuration
Enable “DHCP client” on the interface
Create the IP rule and choose the correct Action, Service, Interface and Network for the rule

Page 114: Firewalls Training Material

Scenario & Hands-on 1-5 Basic Configuration - WAN type - DHCP

Enable the DHCP client in “Ethernet” under “Interfaces”
• Click “Ethernet” under “Interfaces”
• Enable “DHCP Client”

Page 115: Firewalls Training Material

Scenario & Hands-on 1-5 Basic Configuration - WAN type - DHCP

Create the service rule in “IP Rules”
• Click “IP Rules” under “Rules”
• Choose the correct Action, Service, Interface and Network for the rule

Page 116: Firewalls Training Material

Scenario & Hands-on 1-5 Basic Configuration - WAN type - DHCP

After all configuration, click “Configuration” in the main bar
• Click “Save and Activate”

Page 117: Firewalls Training Material

Scenario & Hands-on 1-5 Basic Configuration - WAN type - DHCP

Testing Result
Verify the WAN IP from “Status” in the tool bar

Page 118: Firewalls Training Material

Scenario & Hands-on 1-5 Exercise 1-5 - WAN type - DHCP

Internal LAN1 IP: 192.168.3.1/24
WAN1: DHCP server

Objective
1. Dynamically assign an IP to the WAN interface so that local users can access the Internet

Page 119: Firewalls Training Material

Scenario & Hands-on 2-1 WAN Failover

Network topology

Internal LAN1 IP: 192.168.1.0/16
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
WAN1: DHCP
WAN2 (static IP) IP: 192.168.174.70/24
WAN2 gateway IP: 192.168.174.254

Note:
Manually add the default route in the main routing table
Enable the “Monitor” feature on the routes
WAN2 is the backup link

Page 120: Firewalls Training Material

Scenario & Hands-on 2-1 WAN Failover

Objectives
WAN1 is the main link, WAN2 is the backup link
When WAN1 is disconnected, all traffic will go through WAN2 to the Internet
When WAN1 is back to normal, all traffic will go through WAN1 to the Internet

The Logics of Configuration
Create the routing policy in the main routing table
Apply the routing policy between the DHCP and static IP WAN connections
Create the IP rule and choose the correct Action, Service, Interface and Network for the rule

Page 121: Firewalls Training Material

Scenario & Hands-on 2-1 WAN Failover

Enable the DHCP client in “Ethernet” under “Interfaces”
• Click “Ethernet” under “Interfaces”
• Uncheck “Add default route if default gateway is specified”

Page 122: Firewalls Training Material

Scenario & Hands-on 2-1 WAN Failover

Create the correct gateway object in “Address Book” under “Objects” (WAN2)
• Click “Address Book” under “Objects”
• Add the object for IP4 Host/Network
• Modify wan2_ip and wan2net

Page 123: Firewalls Training Material

Scenario & Hands-on 2-1 WAN Failover

Apply the gateway object to the WAN interface and disable “add default route”
• Click “Ethernet” under “Interfaces”
• Disable the default route on the interface

Page 124: Firewalls Training Material

Scenario & Hands-on 2-1 WAN Failover

Combine WAN1 and WAN2 into the WAN interface group object
• Click “Interface Groups” under “Interfaces”
• Create the object and choose WAN1 and WAN2

Page 125: Firewalls Training Material

Scenario & Hands-on 2-1 WAN Failover

Create the IP rule for the WAN group
• Click “IP Rules” under “Rules”
• Choose the correct Action, Service, Interface and Network in the rule

Page 126: Firewalls Training Material

Scenario & Hands-on 2-1 WAN Failover

Create the WAN1 routing rule and enable “monitor this route”
• Click “Main Routing Table” under “Routing”
• Create the routing rule for WAN1
• Choose the lower Metric value and enable “monitor this route”

Page 127: Firewalls Training Material

Scenario & Hands-on 2-1 WAN Failover

Create the WAN2 routing rule and enable “monitor this route”
• Click “Main Routing Table” under “Routing”
• Create the routing rule for WAN2
• Choose the higher Metric value and enable “monitor this route”

Page 128: Firewalls Training Material

Scenario & Hands-on 2-1 WAN Failover

After all configuration, click “Configuration” in the main bar
• Click “Save and Activate”

Page 129: Firewalls Training Material

Scenario & Hands-on 2-1 Exercise 2-1 - WAN Failover

Internal LAN1: Group IP
WAN2: Group IP (Static IP)
WAN1: DHCP

Objectives:
1. WAN1 is the main link, WAN2 is the backup link
2. When WAN1 is disconnected, all traffic will fail over to WAN2

Group addresses (WAN2 / LAN1):
Group1: 10.2.1.1/24 / 192.168.10.1/24
Group2: 10.2.1.2/24 / 192.168.20.1/24
. . .
Group9: 10.2.1.9/24 / 192.168.90.1/24
Group10: 10.2.1.10/24 / 192.168.100.1/24

WAN2 Gateway: 10.2.1.254

Page 130: Firewalls Training Material

Scenario & Hands-on 2-2 Load Sharing and WAN failover

Network topology

Internal LAN1 IP: 192.168.1.0/16
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
WAN1: DHCP
WAN2 (static IP) IP: 192.168.174.70/24
WAN2 gateway IP: 192.168.174.254

Notes:
Create a PBR table and apply it to the route policy

Page 131: Firewalls Training Material

Scenario & Hands-on 2-2 Load Sharing and WAN failover

Objectives
All services go through WAN1, but the FTP service and a specific IP range go through WAN2
When WAN1 is disconnected, all traffic will go through WAN2 to the Internet
When WAN1 is back to normal, all traffic will go through WAN1 to the Internet
When WAN2 is disconnected, the specified traffic and service can still reach the Internet by WAN1

The Logics of Configuration
Modify the PBR routing table and the routing rule
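The failover and load-sharing behaviour described in the objectives of 2-1 and 2-2, as an added Python model that is not NetDefendOS code and not part of the training deck: monitored routes with metrics in a main table, a PBR table carrying the WAN2 route, and policy rules that send FTP and the address range 192.168.1.10-192.168.1.100 through that table. The lookup order, the fall-through from the PBR table to the main table and the LAN1 /24 prefix are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Route:
    iface: str
    gateway: str
    metric: int              # lower metric is preferred among usable routes
    monitor: bool = True     # "monitor this route": unusable while the link is down
    up: bool = True          # current verdict of the route monitor


@dataclass
class PbrRule:
    table: str                         # routing table to consult (here "pbr")
    src_net: str                       # source network object (the LAN1 object)
    service: Optional[str] = None      # e.g. "ftp"; None matches any service
    src_range: Optional[tuple] = None  # (first, last) inclusive host range


class Router:
    def __init__(self) -> None:
        self.tables: dict = {"main": [], "pbr": []}
        self.rules: list = []

    def add_route(self, table: str, route: Route) -> None:
        self.tables[table].append(route)

    def set_link(self, iface: str, up: bool) -> None:
        # Route monitoring: every monitored route over this interface follows the link state.
        for routes in self.tables.values():
            for r in routes:
                if r.iface == iface and r.monitor:
                    r.up = up

    def best_route(self, table: str) -> Optional[Route]:
        usable = [r for r in self.tables[table] if r.up or not r.monitor]
        return min(usable, key=lambda r: r.metric, default=None)

    def select(self, src: str, service: str) -> Optional[str]:
        """Egress interface for a new connection from src using service."""
        src_ip = ip_address(src)
        for rule in self.rules:
            if src_ip not in ip_network(rule.src_net):
                continue
            if rule.service is not None and rule.service != service:
                continue
            if rule.src_range is not None:
                lo, hi = (ip_address(a) for a in rule.src_range)
                if not lo <= src_ip <= hi:
                    continue
            route = self.best_route(rule.table)
            if route is not None:
                return route.iface
            break   # PBR table has no usable route: fall through to the main table (assumption)
        route = self.best_route("main")
        return route.iface if route is not None else None


def build_lab_router() -> Router:
    """Scenario 2-2 as the slides configure it (constructed values): WAN1 (DHCP)
    with the lower metric in the main table, WAN2 (static) with the higher
    metric as backup, and a PBR table holding the WAN2 route for FTP and for
    hosts 192.168.1.10-192.168.1.100 of the LAN1 object."""
    r = Router()
    r.add_route("main", Route("wan1", "dhcp", metric=10))
    r.add_route("main", Route("wan2", "192.168.174.254", metric=20))
    r.add_route("pbr", Route("wan2", "192.168.174.254", metric=20))
    r.rules.append(PbrRule("pbr", "192.168.1.0/24", service="ftp"))
    r.rules.append(PbrRule("pbr", "192.168.1.0/24",
                           src_range=("192.168.1.10", "192.168.1.100")))
    return r


if __name__ == "__main__":
    router = build_lab_router()
    for state in ("all links up", "wan1 down", "wan2 down"):
        router.set_link("wan1", state != "wan1 down")
        router.set_link("wan2", state != "wan2 down")
        print(state, "| http from .5 ->", router.select("192.168.1.5", "http"),
              "| ftp from .5 ->", router.select("192.168.1.5", "ftp"),
              "| http from .50 ->", router.select("192.168.1.50", "http"))
```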

Page 132: Firewalls Training Material

Scenario & Hands-on 2-2 Load Sharing and WAN failover

Create the IP address object specifically for LAN1
• Click “Address Book” under “Objects”
• Click “Ethernet” under “Interfaces”

Page 133: Firewalls Training Material

Scenario & Hands-on 2-2 Load Sharing and WAN failover

Add the route of WAN2 (Static) in the PBR table
• Click “PBR table” under “Routing”
• Choose the higher metric in the PBR table and enable the monitor function

Page 134: Firewalls Training Material

Scenario & Hands-on 2-2 Load Sharing and WAN failover

Add the route rule of WAN1 in PBR
• Click “PBR policy” under “Routing”
• Choose the correct Forward table, Return table, interface and network

Page 135: Firewalls Training Material

Scenario & Hands-on 2-2 Load Sharing and WAN failover

After all configuration, click “Configuration” in the main bar
• Click “Save and Activate”

Page 136: Firewalls Training Material

Scenario & Hands-on 2-2 Exercise 2-2 - Load Sharing

Internal LAN1 IP: 192.168.x.0/24
WAN1: DHCP
WAN2: Static IP

Objectives:
1. For Load Sharing: ping-outbound and the specific IP range 192.168.X.10-100 go to the Internet by WAN2; all other services pass to the Internet by WAN1.
2. For Fail Over: when any WAN cable is unplugged, users can still access the Internet via the other WAN port.

Page 137: Firewalls Training Material

How to enable the function of “tracer” (traceroute)

Modify the value of TTL min to 1
• Click “IP Settings” under “Advanced Settings” in “System”
• Key in the smallest value (1)

Page 138: Firewalls Training Material

How to enable the function of “tracer” (traceroute)

Enable “Pass returned ICMP error messages from destination”
• Click “Services” in “Objects” and choose the object “all_icmp”
• Enable “Pass returned ICMP error messages from destination”

Page 139: Firewalls Training Material

Scenario & Hands-on 3 ZoneDefense

(Figure: firewall with WAN, DMZ and Subnets A, B and C; an infected host sits in Subnet A.)

When there’s an infected host spreading a worm into the network, the firewall can stop the malicious traffic flooding to other subnets, but it has no way to stop the host infecting its own network [Subnet A].

The most effective solution: the firewall triggers the ACL in the LAN switches to perform real-time filtering on any malicious traffic found (set an ACL to block a specific MAC or IP address).

D-Link firewalls implement the ZoneDefense feature to perform proactive network security with D-Link switches: DES-3x26S, DES-3350SR, DES-3250TG, DES-3500 series, DES-3800 series, xStack series.

Page 140: Firewalls Training Material

Scenario & Hands-on 3 ZoneDefense

• Unique to D-Link: it operates with D-Link switches to isolate an infected host that is generating unusual traffic on the LAN
• Uses Threshold rules to examine connections through the firewall and take action on them. The threshold rules monitor the number of connections per second
• When a pre-defined limit is reached, the firewall sends block requests to the switches configured for ZoneDefense

Page 141: Firewalls Training Material

Scenario & Hands-on 3 ZoneDefense

(Figure: ZoneDefense topology connected to the Internet.)

Page 142: Firewalls Training Material

Scenario & Hands-on 3 ZoneDefense

Network topology:
WAN1 IP: 192.168.174.70/24 (to the Internet)
LAN1 IP: 192.168.1.1/24
Switch IP: 192.168.1.250/24 (DGS-3324SR), with PCs behind it
Block HTTP requests exceeding 4 sessions for every host

Note:
Verify the model of the supported switch
Verify the IP address of the switch
Verify the SNMP community between switch and firewall

Page 143: Firewalls Training Material

Scenario & Hands-on 3 ZoneDefense

Objectives
When the traffic of any host exceeds 4 sessions, the switch creates the ACL rule requested by the firewall to block the illegal traffic

The Logics of Configuration
Configure the switch
Choose the correct model of switch
Exclude the switch and the administrator
Create and configure the threshold rule
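The threshold logic of this scenario (connections per second per host, an exclude list for the switch and the administrator, and the rule that the host-based value must be smaller than the network value) as an added Python model; it is not D-Link's implementation and not from the deck. The log format, the one-second window, the network limit of 40 and the decision tuples are constructed for the example; in the product it is the firewall that pushes the resulting MAC/IP ACL to the switch.

```python
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed log format: "<seconds> conn src=<ip> mac=<mac> dst=<ip>:<port>"
LOG_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?) conn src=(?P<src>[\d.]+) mac=(?P<mac>[0-9a-f:]{17}) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def thresholds_valid(host_limit: int, network_limit: int) -> bool:
    """Slide rule: the host-based value must be smaller than the network value."""
    return 0 < host_limit < network_limit


class ThresholdRule:
    """Connections-per-second thresholds for one service on one network.
    Hosts on the exclude list (the switch, the administrator) are never blocked."""

    def __init__(self, network, dport, host_limit, network_limit, exclude, window=1.0):
        if not thresholds_valid(host_limit, network_limit):
            raise ValueError("host-based threshold must be smaller than the network threshold")
        self.network = ip_network(network)
        self.dport = dport
        self.host_limit = host_limit
        self.network_limit = network_limit
        self.exclude = {ip_address(a) for a in exclude}
        self.window = window
        self.per_host = defaultdict(deque)   # src -> timestamps inside the window
        self.all_conns = deque()             # every counted connection inside the window
        self.blocked = {}                    # src -> MAC, what the switch ACL is built from

    def _trim(self, q, now):
        while q and now - q[0] > self.window:
            q.popleft()

    def feed(self, line):
        """Account one log line; return a block decision tuple or None."""
        m = LOG_RE.match(line)
        if m is None or int(m["dport"]) != self.dport:
            return None
        src, now = ip_address(m["src"]), float(m["t"])
        if src not in self.network or src in self.exclude:
            return None
        q = self.per_host[src]
        q.append(now)
        self._trim(q, now)
        self.all_conns.append(now)
        self._trim(self.all_conns, now)
        if len(q) > self.host_limit and src not in self.blocked:
            self.blocked[src] = m["mac"]
            return ("block-host", str(src), m["mac"])
        if len(self.all_conns) > self.network_limit:
            return ("block-network", str(self.network), None)
        return None


def evaluate(lines, rule):
    """Run every line through the rule and collect the block decisions."""
    decisions = []
    for line in lines:
        d = rule.feed(line)
        if d is not None:
            decisions.append(d)
    return decisions


def _conns(src, mac, times):
    return [f"{t:.1f} conn src={src} mac={mac} dst=203.0.113.9:80" for t in times]


# Constructed sample: a bursting host, the excluded administrator, a normal
# browser, and a host that opens 5 sessions but never more than 4 per second.
SAMPLE_LOG = (
    _conns("192.168.1.20", "00:11:22:33:44:20", [10.0, 10.1, 10.2, 10.3, 10.4])
    + _conns("192.168.1.10", "00:11:22:33:44:10", [11.0, 11.1, 11.2, 11.3, 11.4, 11.5])
    + _conns("192.168.1.30", "00:11:22:33:44:30", [12.0, 12.3, 12.6])
    + _conns("192.168.1.40", "00:11:22:33:44:40", [20.0, 20.5, 21.0, 21.5, 22.0])
)


def lab_rule():
    """Scenario 3: HTTP on LAN1 192.168.1.0/24, host limit 4, the switch
    192.168.1.250 and the administrator 192.168.1.10 excluded
    (the network limit of 40 is an assumed value)."""
    return ThresholdRule("192.168.1.0/24", 80, host_limit=4, network_limit=40,
                         exclude=["192.168.1.250", "192.168.1.10"])


if __name__ == "__main__":
    for decision in evaluate(SAMPLE_LOG, lab_rule()):
        print(decision)
```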

Page 144: Firewalls Training Material

Scenario & Hands-on 3 ZoneDefense

Reset to default and configure the IP address of the switch
• Use the CLI of the switch
• Key in “reset config”
• Key in “config ipif System ipaddress 192.168.1.250/24”

Page 145: Firewalls Training Material

Scenario & Hands-on 3 ZoneDefense

Verify the communication between firewall and switch and inspect the community on the switch
• Use the CLI of the switch
• Key in “show snmp community”

Page 146: Firewalls Training Material

Scenario & Hands-on 3 ZoneDefense

Create the IP address objects for the switch and the administrator
• Click “Address Book” under “Objects”
• Add an object for IP4 Host/Network

Page 147: Firewalls Training Material

Scenario & Hands-on 3 ZoneDefense

Create the switch object in ZoneDefense
• Click “Switches” under “ZoneDefense”
• Choose the correct switch model and key in the SNMP Community
• Verify that the firewall can communicate with the switch

Page 148: Firewalls Training Material

Scenario & Hands-on 3 ZoneDefense

Exclude the switch and the administrator
• Click “Exclude” under “ZoneDefense”
• Choose the correct objects

Page 149: Firewalls Training Material

Scenario & Hands-on 3 ZoneDefense

Create the threshold rule in ZoneDefense
• Click “Threshold” under “ZoneDefense”
• Choose the correct interface and network
• Key in the threshold condition (the host-based value must be smaller than the network value)

Page 150: Firewalls Training Material

Scenario & Hands-on 3 ZoneDefense

After all configuration, click “Configuration” in the main bar
• Click “Save and Activate”

Page 151: Firewalls Training Material

Scenario & Hands-on 3 ZoneDefense

Testing Result
Block status from the firewall
Block status from the switch

Page 152: Firewalls Training Material

Scenario & Hands-on 3 Exercise 3 - ZoneDefense

WAN1: DHCP (to the Internet)
LAN1 IP: Group IP address
Switch IP: an IP in the same segment as the LAN1 IP (DGS-3324SR), with PCs behind it

Objective:
1. When the web traffic of any host exceeds 2 sessions, the switch creates the ACL rule requested by the firewall to block the illegal traffic

Page 153: Firewalls Training Material

Scenario & Hands-on 4-1 Port mapping for server

Network topology

Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
WAN1 IP: 192.168.174.70/24
FTP Server public IP: 192.168.174.71/24
FTP Server (DMZ): 172.16.1.1

Note:
Add another public IP address in the “ARP table”
Verify the sequence of the IP rules

Page 154: Firewalls Training Material

Scenario & Hands-on 4-1 Port mapping for server

Objectives
Access the FTP server by its public IP address (192.168.174.71)

The Logic of Configuration
Create objects for the public and private IP addresses of the FTP server
Create an ARP object in the ARP Table
Create the IP rules (SAT and Allow) for the FTP server

Page 155: Firewalls Training Material

Scenario & Hands-on 4-1 Port mapping for server

Add the objects of both the public and the virtual IP address for the FTP server
• Click “Address Book” under “Objects”
• Key in the correct IP addresses

Page 156: Firewalls Training Material

Scenario & Hands-on 4-1 Port mapping for server

Create the object in the ARP Table
• Click “ARP Table” under “Interfaces”
• Apply the object with the FTP public IP address

Page 157: Firewalls Training Material

Scenario & Hands-on 4-1 Port mapping for server

Create the IP rule to map the FTP server (SAT)
• Click “IP Rules” under “Rules”
• Choose the correct Action, Service, Interface, SAT setting and Network for the rule

Page 158: Firewalls Training Material

Scenario & Hands-on 4-1 Port mapping for server

Create the IP rule to allow the FTP server (Allow FTP)
• Click “IP Rules” under “Rules”
• Choose the correct Action, Service, Interface and Network for the rule

Page 159: Firewalls Training Material

Scenario & Hands-on 4-1 Port mapping for server

After all configuration, click “Configuration” in the main bar
• Click “Save and Activate”

Page 160: Firewalls Training Material

Scenario & Hands-on 4-1 Port mapping for server

Succeeded in logging in to the FTP server (topology figure)

Page 161: Firewalls Training Material

Scenario & Hands-on 4-1 Exercise 4-1 - Port mapping for server

WAN1: DHCP
FTP Server: Group public IP address
FTP Server (DMZ): Group private IP

Objective:
1. Access the FTP server by the group’s public IP address successfully

FTP Server public IP
Group1: 192.168.200.51/24
Group2: 192.168.200.52/24
. . .
Group9: 192.168.200.59/24
Group10: 192.168.200.60/24

FTP Server private IP: 172.17.100.1/24
DMZ IP: 172.17.100.254
DMZ port: DFL-800: Port DMZ; DFL-1600: Port #3; DFL-2500: Port #5

Page 162: Firewalls Training Material

Scenario & Hands-on 4-2 SAT in PPPoE connection

Network topology

WAN1: PPPoE
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
FTP Server (DMZ): 172.16.1.1

Note:
Add PPPoE in Interfaces
Verify the sequence of the IP rules

Page 163: Firewalls Training Material

Scenario & Hands-on 4-2 SAT in PPPoE connection

Objectives
When using a PPPoE connection, the internal FTP server can be accessed from the public side

The Logic of Configuration
Create the PPPoE connection object
Create the private IP address object for the FTP server
Create the IP rules (SAT and Allow) for the FTP server

Page 164: Firewalls Training Material

Scenario & Hands-on 4-2 SAT in PPPoE connection

Create an object for the PPPoE rule in “PPPoE Tunnels” under “Interfaces”
• Click “PPPoE Tunnels” under “Interfaces”
• Apply the correct Physical Interface, Remote Network, Username and Password in the object

Page 165: Firewalls Training Material

Scenario & Hands-on 4-2 SAT in PPPoE connection

Add the object of the virtual IP address for the FTP server
• Click “Address Book” under “Objects”
• Key in the correct IP address

Page 166: Firewalls Training Material

Scenario & Hands-on 4-2 SAT in PPPoE connection

When using a PPPoE connection, create the IP rule to map the FTP server (SAT)
• Click “IP Rules” under “Rules”
• Choose the correct Action, Service, Interface, SAT setting and Network for the rule

Page 167: Firewalls Training Material

Scenario & Hands-on 4-2 SAT in PPPoE connection

Create the IP rule to allow the FTP server (Allow FTP)
• Click “IP Rules” under “Rules”
• Choose the correct Action, Service, Interface and Network for the rule

Page 168: Firewalls Training Material

Scenario & Hands-on 4-2 SAT in PPPoE connection

After all configuration, click “Configuration” in the main bar
• Click “Save and Activate”

Page 169: Firewalls Training Material

Scenario & Hands-on 4-2 SAT in PPPoE connection

Succeeded in logging in to the FTP server (topology figure)

Page 170: Firewalls Training Material

Scenario & Hands-on 4-2 Exercise 4-2 - SAT in PPPoE connection

WAN1: PPPoE
FTP Server: Group public IP address
FTP Server (DMZ): Group private IP

Objective:
1. Access the FTP server by the group’s public IP address successfully

FTP Server public IP
Group1: 192.168.200.51/24
Group2: 192.168.200.52/24
. . .
Group9: 192.168.200.59/24
Group10: 192.168.200.60/24

FTP Server private IP: 172.17.100.1/24
DMZ IP: 172.17.100.254
DMZ port: DFL-800: Port DMZ; DFL-1600: Port #3; DFL-2500: Port #5

Page 171: Firewalls Training Material

Scenario & Hands-on 4-3 SAT and server load balance

Network topology

Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
WAN1 IP: 192.168.174.70/24
FTP Server public IP: 192.168.174.71/24
FTP Server-1 (DMZ): 172.16.1.1
FTP Server-2 (DMZ): 172.16.1.2

Note:
Add another public IP address in the “ARP table”
Verify the sequence of the IP rules

Page 172: Firewalls Training Material

Scenario & Hands-on 4-3 SAT and server load balance

Objectives
Access two FTP servers by one public IP address (192.168.174.71)

The Logic of Configuration
Create objects for the public and private IP addresses of the two FTP servers
Create an ARP object in the ARP Table
Create the IP rules (SAT_SLB and Allow) for the FTP servers
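Why the ARP-table entry, the rule sequence and SLB matter in scenarios 4-1 to 4-3, as an added Python model that is not NetDefendOS code and not from the deck: a matching SAT or SAT_SLB rule records the translation but the search continues until an Allow rule matches, so an Allow rule listed first short-circuits the mapping, and a public IP missing from the ARP table never reaches the rule set at all. The evaluation order, the round-robin server selection and the client addresses are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src_iface: str   # interface the packet arrives on
    src: str
    dst: str         # destination as seen on the wire (before any SAT)
    service: str


@dataclass
class Rule:
    name: str
    action: str               # "SAT", "SAT_SLB", "Allow", "NAT" or "Drop"
    src_iface: str
    dst: str
    service: str
    sat_to: List[str] = field(default_factory=list)  # target server(s) for SAT/SAT_SLB
    _next: int = field(default=0, repr=False)         # round-robin cursor for SAT_SLB

    def matches(self, p: Packet) -> bool:
        return (p.src_iface == self.src_iface and p.dst == self.dst
                and p.service == self.service)

    def next_server(self) -> str:
        # SAT always picks the single server; SAT_SLB rotates through the pool
        if self.action == "SAT":
            return self.sat_to[0]
        server = self.sat_to[self._next % len(self.sat_to)]
        self._next += 1
        return server


class Firewall:
    def __init__(self, published_ips: set, rules: List[Rule]) -> None:
        # The "ARP table" step: public addresses the firewall answers ARP for on WAN1.
        self.published_ips = published_ips
        self.rules = rules

    def process(self, p: Packet) -> Tuple[str, Optional[str]]:
        """Return (verdict, translated destination)."""
        if p.src_iface == "wan1" and p.dst not in self.published_ips:
            return ("no-arp-reply", None)   # the frame never reaches the firewall
        translated = None
        for rule in self.rules:
            if not rule.matches(p):
                continue
            if rule.action in ("SAT", "SAT_SLB"):
                translated = rule.next_server()
                continue        # a SAT rule only translates; the search goes on
            if rule.action in ("Allow", "NAT"):
                return ("allow", translated)
            return ("drop", None)
        return ("drop", None)   # nothing matched: default deny


WAN1_IP = "192.168.174.70"
FTP_PUBLIC = "192.168.174.71"               # extra public IP added to the ARP table
FTP_SERVERS = ["172.16.1.1", "172.16.1.2"]  # DMZ servers of scenario 4-3


def lab_firewall(correct_order: bool = True, publish_ftp_ip: bool = True) -> Firewall:
    """Scenario 4-3 rule pair; the flags reproduce the two mistakes the notes warn
    about (wrong rule sequence, public IP missing from the ARP table)."""
    sat = Rule("ftp-sat-slb", "SAT_SLB", "wan1", FTP_PUBLIC, "ftp", list(FTP_SERVERS))
    allow = Rule("ftp-allow", "Allow", "wan1", FTP_PUBLIC, "ftp")
    rules = [sat, allow] if correct_order else [allow, sat]
    published = {WAN1_IP, FTP_PUBLIC} if publish_ftp_ip else {WAN1_IP}
    return Firewall(published, rules)


def wan_ftp(src: str) -> Packet:
    """An FTP connection from a constructed Internet client to the public FTP IP."""
    return Packet("wan1", src, FTP_PUBLIC, "ftp")


if __name__ == "__main__":
    fw = lab_firewall()
    for client in ("203.0.113.5", "203.0.113.6", "203.0.113.7"):
        print(client, "->", fw.process(wan_ftp(client)))
    print("Allow before SAT:", lab_firewall(correct_order=False).process(wan_ftp("203.0.113.5")))
    print("no ARP entry:    ", lab_firewall(publish_ftp_ip=False).process(wan_ftp("203.0.113.5")))
```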

Page 173: Firewalls Training Material

Scenario & Hands-on 4-3 SAT and server load balance

Add the public IP address object for the two FTP servers
• Click “Address Book” under “Objects”
• Key in the correct IP address

Page 174: Firewalls Training Material

Scenario & Hands-on 4-3 SAT and server load balance

Add two virtual IP address objects for the two FTP servers
• Click “Address Book” under “Objects”
• Key in the correct IP addresses

Page 175: Firewalls Training Material

Scenario & Hands-on 4-3 SAT and server load balance

Apply the IP address object to the ARP Table
• Click “ARP Table” under “Interfaces”
• Apply the object for the FTP public IP address

Page 176: Firewalls Training Material

Scenario & Hands-on 4-3 SAT and server load balance

Create the IP rule for the FTP servers
• Click “IP Rules” under “Rules”
• Choose the correct Action, Service, Interface, SLB_SAT setting and Network in the rule

Page 177: Firewalls Training Material

Scenario & Hands-on 4-3 SAT and server load balance

Create the IP rule to allow the FTP servers (Allow FTP)
• Click “IP Rules” under “Rules”
• Choose the correct Action, Service, Interface and Network in the rule

Page 178: Firewalls Training Material

Scenario & Hands-on 4-3 SAT and server load balance

After all configuration, click “Configuration” on the main menu bar
• Click “Save and Activate”

Page 179: Firewalls Training Material

Scenario & Hands-on 4-3 Exercise 4-3 - SAT and server load balance

WAN1: DHCP
FTP Server-1: Group public IP
FTP Server-1 (DMZ): Group private IP-1
FTP Server-2 (DMZ): Group private IP-2

FTP Server public IP
Group1: 192.168.200.51/24
Group2: 192.168.200.52/24
. . .
Group9: 192.168.200.59/24
Group10: 192.168.200.60/24

FTP Server private IP-1: 172.17.100.1/24
FTP Server private IP-2: Group1: 172.17.100.2/24
DMZ: 192.168.100.254

Objective:
1. Access the two FTP servers by the group’s public IP address successfully

Page 180: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

Process of authentication (figure: a client’s HTTP request toward the Internet is intercepted by the firewall)

Page 181: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

• Authorizes users to access the Internet, LAN and Intranet services through either the Local DB or a RADIUS Server.
• The user authentication rules must be saved & activated in order to apply the settings.

Page 182: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

(Figure: WAN, Core and LAN, with the addresses 192.168.10.1 and 10.0.100.97.)
The Core owns the IP addresses

Page 183: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

Network topology
WAN1 IP: 192.168.174.70/24
LAN1 IP: 192.168.1.1/24
Switch IP: 192.168.1.250/24 (DES-3226S), with PCs behind it
Authenticated user accessing the Internet

Note:
Modify the Web UI HTTP port
Verify the sequence of the IP rules

Page 184: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

Objectives
When a user opens a web browser, a login screen pops out automatically and requests a login. Services are allowed after authentication.
Users can either log out manually, or be logged out automatically when the preset idle time is reached.

The Logic of Configuration
Change the Web UI HTTP port
Create an object for the specific traffic network
Create a local user database
Create the IP rules for authentication

Page 185: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

Change the remote management HTTP port to avoid a port conflict
• Click “Remote Management”, then click “Modify advanced setting”
• Change the WebUI HTTP port

Page 186: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

Create the user database for authentication
• Click “Local User Database” under “User Authentication”
• Key in the authenticated user (user name/password)

Page 187: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

Create the User Authentication Rules
• Click “User Authentication Rules” under “User Authentication”
• Choose the corresponding settings

Page 188: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

Create the User Authentication Rules
• Click “User Authentication Rules” under “User Authentication”
• Choose the corresponding settings

Page 189: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

Create the IP address object for authenticating users
• Click “Address Book” under “Objects”
• Add an object for the authenticating users
• Key in the correct IP address and group name

Page 190: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

Create the “Allow” rule (rule-1)
• Click “IP Rules” under “Rules”
• Choose the correct Action, Service, Interface and Network in the rule

Page 191: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

Create the “NAT-DNS” rule (rule-2)
• Click “IP Rules” under “Rules”
• Choose the correct Action, Service, Interface and Network in the rule

Page 192: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

Create the “NAT-all_service” rule (rule-3)
• Click “IP Rules” under “Rules”
• Choose the correct Action, Service, Interface and Network in the rule

Page 193: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

Create the “SAT” rule (rule-4)
• Click “IP Rules” under “Rules”
• Choose the correct Action, Service, Interface and Network in the rule

Page 194: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

Create the “Allow” rule (rule-5)
• Click “IP Rules” under “Rules”
• Choose the correct Action, Service, Interface and Network in the rule

Page 195: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

After all configuration, click “Configuration” on the main menu bar
• Click “Save and Activate”

Page 196: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

rule-1 (Allow): allow the manual log-out web page
rule-2 (NAT-DNS): allow users to look up DNS
rule-3 (NAT-all_service): allow authorized users to use networking services
rule-4 (SAT): all HTTP traffic will be mapped to the firewall LAN1 IP address
rule-5 (Allow): allow all HTTP traffic mapped to the LAN1 IP address

Page 197: Firewalls Training Material

Scenario & Hands-on 5 Runtime Authentication configuration

Testing Result

Page 198: Firewalls Training Material

Scenario & Hands-on 5 Exercise 5 - Runtime Authentication configuration

WAN1: DHCP
LAN1 IP: 192.168.1.1/24
Switch IP: 192.168.1.250/24 (DES-3226S), with PCs behind it
Authenticated user accessing the Internet

Objective:
1. The specific user or network must be authorized before accessing the Internet
2. Users can either log out manually, or be logged out automatically when the preset idle time is reached.

Page 199: Firewalls Training Material

D-Link Security

199

Pipe

RULE View

Rule 1

Rule 2

Rule 3

Rule 4

Rule 5

Rule 6

Anti-Spoofing

Rule 1

Rule 2

Rule 3

Rule 4

Rule 5

Rule 6

Pipe

Pipe

Pipe

Incomm

ing

inte

rface

Ou

tgo

ing inte

rface

Incommingpackets

Outgoingpackets

Scenario & Hands-on 6 Traffic Shaping

Pipes concept

Page 200: Firewalls Training Material

D-Link Security

200

G

G

G

G

G

W

WW

W

W

User1

User2

User3

User4

User5

W = Kbps want to have

G = Kbps gets

• This diagram shows not using the Dynamic balancing

Scenario & Hands-on 6 Traffic Shaping

The Concept of Dynamic balancing

Page 201: Firewalls Training Material

D-Link Security

201

G G G

G

G

WW

W

W

User1

User2

User3

User4

User5

W = Kbps want to have

G = Kbps gets

• When using the function of Dynamic balancing

Scenario & Hands-on 6 Traffic Shaping

The Concept of Dynamic balancing

Page 202: Firewalls Training Material

D-Link Security

202

Scenario & Hands-on 6 Traffic Shaping

The Concept of Precedence

Highest

Low

Medium

HighPipe

Page 203: Firewalls Training Material

D-Link Security

203

Bandwidth of Leased Line with 1Mbps in both directions(two pipes)

Std-out pipe (1 Mbps)

LEASED LINE1Mbps

from our ISP

Std-in pipe (1 Mbps)

Data

Data

The pipe throughput should be less than the physical pipe!

Scenario & Hands-on 6 Traffic Shaping

Concept of Design (Pipe 1Mbps)

Page 204: Firewalls Training Material

D-Link Security

204

Scenario & Hands-on 6 Traffic Shaping

Concept of Design (Pipe 1Mbps) - download

HTTP 250Kbps Highest

1Mbps

FTP 250Kbps High

SMTP 500Kbps Low

HTTP 250Kbps Highest

1Mbps

FTP 250Kbps High

SMTP 500Kbps Low

Page 205: Firewalls Training Material

D-Link Security

205

• All measuring, limiting, guaranteeing and balancing is carried out in pipes

• A pipe by itself is meaningless unless it is put into use in the Rules section. Each rule can pass traffic through one or more pipes, in a precedence (priority) of your choice.

Scenario & Hands-on 6 Traffic Shaping

Pipes

Page 206: Firewalls Training Material

D-Link Security

206

Scenario & Hands-on 6 Traffic Shaping

Precedence

Determine the bandwidth of precedence

Page 207: Firewalls Training Material

D-Link Security

207

• Plan your traffic shaping requirements. If you do not know how traffic should be limited, prioritized, guaranteed, or distributed, you will likely

find the configuration work more confusing than helpful.

Scenario & Hands-on 6 Traffic Shaping

Pipes rules

Page 208: Firewalls Training Material

D-Link Security

208

Scenario & Hands-on 6 Traffic Shaping

Precedence

Assign precedence

Page 209: Firewalls Training Material

Scenario & Hands-on 6 Traffic Shaping

Network topology

Internal LAN1 --- firewall --- External WAN1 (leased line, download 1 Mbps, upload 1 Mbps)

Requirements:

1. For inbound and outbound HTTP and HTTPS, the maximum bandwidth is 500 Kbps.

2. For inbound and outbound POP3, the guaranteed bandwidth is 300 Kbps (maximum bandwidth 1000 Kbps).

3. All other inbound and outbound services use the remaining bandwidth.

4. All of the above are dedicated bandwidth values, applied separately in each direction.

Note:

Before applying traffic shaping to an application, make sure that an IP rule already allows that application; pipe rules only shape traffic that the IP rules have permitted.

Page 210: Firewalls Training Material

Scenario & Hands-on 6 Traffic Shaping

Objective

For inbound and outbound HTTP and HTTPS, the maximum bandwidth is 500 Kbps.

For inbound and outbound POP3, the guaranteed bandwidth is 300 Kbps (maximum bandwidth 1000 Kbps).

All other inbound and outbound services use the remaining bandwidth. All of the above are dedicated bandwidth values.

The logic of configuration

1. Make sure the IP rule exists
2. Create the Pipe objects
3. Create the Pipe rules
4. Choose the correct Action, Service, Interface and Network in each rule
5. Key in the correct Precedence and Total bandwidth values

Page 211: Firewalls Training Material

Scenario & Hands-on 6 Traffic Shaping

Create the object for the input pipe (the standard-in pipe)

• Click "Pipes" in Traffic Shaping

• Key in the corresponding values for Precedence and Total bandwidth

Page 212: Firewalls Training Material

Scenario & Hands-on 6 Traffic Shaping

Create the object for the output pipe (the standard-out pipe)

• Click "Pipes" in Traffic Shaping

• Key in the corresponding values for Precedence and Total bandwidth

Page 213: Firewalls Training Material

Scenario & Hands-on 6 Traffic Shaping

Create the object for the HTTP input pipe (HTTP-in)

• Click "Pipes" in Traffic Shaping

• Key in the corresponding values for Precedence and Total bandwidth

Page 214: Firewalls Training Material

Scenario & Hands-on 6 Traffic Shaping

Create the object for the HTTP output pipe (HTTP-out)

• Click "Pipes" in Traffic Shaping

• Key in the correct values for Precedence and Total bandwidth

Page 215: Firewalls Training Material

Scenario & Hands-on 6 Traffic Shaping

Create the pipe rule for HTTP

• Click "Pipe Rules" in Traffic Shaping

• Choose the correct Action, Service, Interface and Network in the rule, then assign the pipes (the HTTP pipe in front of the standard pipe for each direction) and the precedence

Page 216: Firewalls Training Material

Scenario & Hands-on 6 Traffic Shaping

Create the object for the POP3 input pipe (POP3-in)

• Click "Pipes" in Traffic Shaping

• Key in the corresponding values for Precedence and Total bandwidth

Page 217: Firewalls Training Material

Scenario & Hands-on 6 Traffic Shaping

Create the object for the POP3 output pipe (POP3-out)

• Click "Pipes" in Traffic Shaping

• Key in the corresponding values for Precedence and Total bandwidth

Page 218: Firewalls Training Material

Scenario & Hands-on 6 Traffic Shaping

Create the pipe rule for POP3

• Click "Pipe Rules" in Traffic Shaping

• Choose the correct Action, Service, Interface and Network in the rule

Page 219: Firewalls Training Material

Scenario & Hands-on 6 Traffic Shaping

Create the pipe rule for other services

• Click "Pipe Rules" in Traffic Shaping

• Choose the correct Action, Service, Interface and Network in the rule

Page 220: Firewalls Training Material

Scenario & Hands-on 6 Traffic Shaping

After all configuration, click "Configuration" on the main menu bar

• Click "Save and Activate"

Page 221: Firewalls Training Material

Scenario & Hands-on 6 Traffic Shaping

• Before applying traffic shaping to an application, make sure that an IP rule has been created for that application.

Page 222: Firewalls Training Material

Scenario & Hands-on 6 Traffic Shaping

• First step: create two pipes, one per direction, for the physical WAN link

• Second step: create two pipes, one per direction, for the specified application

Page 223: Firewalls Training Material

Scenario & Hands-on 6 Traffic Shaping

• Third step: create the pipe rules for the specified application
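The three steps above (a shared pipe per direction, a per-service pipe chained in front of it, and pipe rules that pick a precedence) are what turn the scenario's wording into behaviour: a "maximum" is a per-service pipe limit, a "guarantee" is a precedence limit inside the shared pipe, and everything else competes at the lowest precedence. The following is an added example, not D-Link code and not a description of the NetDefendOS scheduler; it is a simplified model whose names (Pipe, Flow, shape, slide_scenario) are this example's own, and it splits oversubscribed traffic proportionally, which is one reasonable choice rather than the appliance's exact algorithm.

```python
"""Simplified model (an added example, not NetDefendOS code) of how pipes, pipe chains and
precedence limits produce the "maximum" and "guarantee" behaviour required in the scenario."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

BEST_EFFORT = 0   # lowest precedence: shares whatever bandwidth the higher ones leave


@dataclass
class Pipe:
    name: str
    limit_kbps: float
    # Per-precedence limits: traffic above the limit for its precedence is demoted to BEST_EFFORT.
    precedence_limits: dict = field(default_factory=dict)


@dataclass
class Flow:
    name: str
    offered_kbps: float                  # what the hosts are trying to push
    precedence: int
    service_pipe: Optional[Pipe] = None  # optional per-service cap, chained in front of the shared pipe


def share(demands: dict, budget: float) -> tuple:
    """Grant up to `budget` over `demands`; proportional split when oversubscribed. Returns (granted, excess)."""
    total = sum(demands.values())
    if total <= budget:
        return dict(demands), {name: 0.0 for name in demands}
    scale = budget / total
    granted = {name: kbps * scale for name, kbps in demands.items()}
    return granted, {name: kbps - granted[name] for name, kbps in demands.items()}


def shape(shared: Pipe, flows: list) -> dict:
    """Bandwidth each flow actually receives through the shared pipe, in kbps."""
    # 1. Chain head: a per-service pipe caps the flow before it reaches the shared pipe (the "maximum").
    entering = {f.name: min(f.offered_kbps, f.service_pipe.limit_kbps) if f.service_pipe else f.offered_kbps
                for f in flows}

    # 2. Apply the precedence limits: the part within the limit keeps its precedence (the "guarantee"),
    #    the rest is demoted to best effort.
    by_precedence: dict = defaultdict(dict)
    best_effort: dict = defaultdict(float)
    for f in flows:
        if f.precedence == BEST_EFFORT:
            best_effort[f.name] += entering[f.name]
        else:
            by_precedence[f.precedence][f.name] = entering[f.name]
    for precedence, demands in list(by_precedence.items()):
        kept, demoted = share(demands, shared.precedence_limits.get(precedence, float("inf")))
        by_precedence[precedence] = kept
        for name, kbps in demoted.items():
            best_effort[name] += kbps

    # 3. Serve the precedences from highest to lowest; each takes what the ones above left.
    result: dict = defaultdict(float)
    remaining = shared.limit_kbps
    for precedence in sorted(by_precedence, reverse=True):
        granted, _ = share(by_precedence[precedence], remaining)
        for name, kbps in granted.items():
            result[name] += kbps
        remaining -= sum(granted.values())

    # 4. Whatever is left is shared among the best-effort traffic.
    granted, _ = share(dict(best_effort), remaining)
    for name, kbps in granted.items():
        result[name] += kbps
    return {f.name: round(result[f.name], 3) for f in flows}


def slide_scenario(http_kbps: float, pop3_kbps: float, other_kbps: float) -> dict:
    """The download direction of the scenario: a 1 Mbps std-in pipe, HTTP capped at 500 kbps by its own
    http-in pipe, POP3 guaranteed 300 kbps by a precedence limit, everything else best effort."""
    std_in = Pipe("std-in", 1000, precedence_limits={6: 300})
    http_in = Pipe("http-in", 500)
    flows = [
        Flow("http", http_kbps, precedence=2, service_pipe=http_in),
        Flow("pop3", pop3_kbps, precedence=6),
        Flow("other", other_kbps, precedence=BEST_EFFORT),
    ]
    return shape(std_in, flows)
```

With the link saturated (HTTP offering 700, POP3 700, other 400 kbps) HTTP is clipped to its 500 kbps maximum, POP3 keeps its 300 kbps at precedence 6 and competes for the rest at best effort, and the remaining 200 kbps is split between POP3's overflow and the other traffic. With POP3 alone on the link it gets the whole 1000 kbps, which is the difference between a guarantee and a cap.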

Page 224: Firewalls Training Material

Scenario & Hands-on 6 Exercise 6 - Traffic Shaping

Network: Internal LAN1 --- firewall --- External WAN1 (leased line, download 1 Mbps, upload 1 Mbps)

Objectives

1. For inbound and outbound SMTP, the maximum bandwidth is 400 Kbps.

2. For inbound and outbound FTP, the guaranteed bandwidth is 250 Kbps (maximum bandwidth 500 Kbps).

3. For all other inbound and outbound services, the maximum bandwidth is 350 Kbps.

4. All of the above are dedicated bandwidth values, applied separately in each direction.

Page 225: Firewalls Training Material

Scenario & Hands-on 7-1 VPN Configuration-PPTP

Network topology

Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
DFL-1600 WAN1 (DHCP) IP: 192.168.174.70/24
PPTP client IP: 192.168.174.71/24, VPN tunnel to WAN1

Note:

Choose the correct inner IP address and Outer Interface filter for the PPTP tunnel.

Page 226: Firewalls Training Material

Scenario & Hands-on 7-1 VPN Configuration-PPTP

Objectives

• The user dials up to the firewall with the Windows PPTP client.
• The dial-up user communicates with LAN1 of the firewall.

The logic of configuration

1. Create objects for the PPTP server IP address and the IP address range handed to clients
2. Create the authentication database
3. Configure the PPTP server
4. Create the user authentication rule
5. Create the IP rule for the PPTP tunnel

Caveat: PPTP with MS-CHAPv2 is no longer considered secure, so use it for lab work only and prefer L2TP/IPsec (Scenario 7-2) for production remote access.

Page 227: Firewalls Training Material

Scenario & Hands-on 7-1 VPN Configuration-PPTP

Create objects for the PPTP server IP address and IP address range

• Click "Address" in Objects

• Key in the corresponding IP addresses

Page 228: Firewalls Training Material

Scenario & Hands-on 7-1 VPN Configuration-PPTP

Create the local database for PPTP authentication

• Click "Local User Databases" in User Authentication

• Key in the correct Username and Password

Page 229: Firewalls Training Material

Scenario & Hands-on 7-1 VPN Configuration-PPTP

Create the PPTP tunnel

• Click "PPTP/L2TP Servers" in Interface

• Choose the corresponding configuration (server IP address, client IP address range, Outer Interface filter)

Page 230: Firewalls Training Material

Scenario & Hands-on 7-1 VPN Configuration-PPTP

Create the User Authentication Rule for the PPTP tunnel

• Click "User Authentication Rules" in User Authentication

• Choose the corresponding configuration

• Enable the Log setting and choose the local user database

Page 231: Firewalls Training Material

Scenario & Hands-on 7-1 VPN Configuration-PPTP

Create IP Rules for the PPTP tunnel

• Click "IP Rules" in Rules

• Choose the corresponding configuration (allow traffic from the PPTP tunnel interface to LAN1)

• Enable the Log setting

Page 232: Firewalls Training Material

Scenario & Hands-on 7-1 VPN Configuration-PPTP

After all configuration, click "Configuration" on the main menu bar

• Click "Save and Activate"

Page 233: Firewalls Training Material

Scenario & Hands-on 7-1 VPN Configuration-PPTP

Testing Result (screenshot)

Page 234: Firewalls Training Material

Scenario & Hands-on 7-1 Exercise 7-1 - VPN Configuration-PPTP

Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
DFL-1600 WAN1: DHCP IP
PPTP client, VPN tunnel to WAN1

Objectives:

1. Use the Windows client to dial up PPTP

2. Ping the LAN IP address of the firewall

Page 235: Firewalls Training Material

Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec

Network topology

Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
DFL-1600 WAN1: DHCP
L2TP/IPsec client IP: 192.168.174.71/24, VPN tunnel to WAN1

Note:

L2TP/IPsec must use IPsec transport mode (the Windows client carries L2TP inside an IPsec transport-mode SA).

Choose the correct local net and remote net for the IPsec tunnel.

Choose the correct inner IP address and Outer Interface filter for the L2TP tunnel.

Page 236: Firewalls Training Material

Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec

Objectives

• The user dials up to the firewall with the Windows L2TP/IPsec client.
• The dial-up user communicates with LAN1 of the firewall.

The logic of configuration

1. Create objects for the L2TP server IP address and the IP address range handed to clients
2. Create the authentication database
3. Create the pre-shared key
4. Configure the IPsec tunnel
5. Configure the L2TP server
6. Create the user authentication rule
7. Create the IP rule for the L2TP tunnel

Page 237: Firewalls Training Material

Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec

Create objects for the L2TP server IP address and IP address range

• Click "Address" in Objects

• Key in the corresponding IP addresses

Page 238: Firewalls Training Material

Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec

Create the local database for L2TP authentication

• Click "Local User Databases" in User Authentication

• Key in the correct Username and Password

Page 239: Firewalls Training Material

Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec

Create the pre-shared key for the L2TP/IPsec tunnel

• Click "Pre-Shared Keys" in VPN Objects

• Key in the corresponding value

Page 240: Firewalls Training Material

Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec

Create the IPsec tunnel

• Click "IPsec Tunnels" in Interface

• Choose the corresponding configuration (transport mode, local net, remote net)

Page 241: Firewalls Training Material

Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec

Configure authentication of the IPsec tunnel

• Click "Authentication" in this IPsec tunnel

• Apply the pre-shared key to this IPsec tunnel

Page 242: Firewalls Training Material

Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec

Configure routing of the IPsec tunnel

• Click "Routing" in this IPsec tunnel

• Enable "Dynamically add routes to remote network when a tunnel is established" in this IPsec tunnel

Page 243: Firewalls Training Material

Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec

Configure the advanced settings of the IPsec tunnel

• Click "Advanced" in this IPsec tunnel

• Disable "Add route for remote network" in this IPsec tunnel

Page 244: Firewalls Training Material

Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec

Create the L2TP tunnel

• Click "PPTP/L2TP Servers" in Interface

• Choose the corresponding configuration (inner IP address, client IP address range, Outer Interface filter pointing at the IPsec tunnel)

Page 245: Firewalls Training Material

Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec

Create the User Authentication Rule for the L2TP tunnel

• Click "User Authentication Rules" in User Authentication

• Choose the corresponding configuration

• Enable the Log setting and choose the local user database

Page 246: Firewalls Training Material

Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec

Create IP Rules for the L2TP tunnel

• Click "IP Rules" in Rules

• Choose the corresponding configuration (allow traffic from the L2TP tunnel interface to LAN1)

• Enable the Log setting

Page 247: Firewalls Training Material

Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec

After all configuration, click "Configuration" on the main menu bar

• Click "Save and Activate"

Page 248: Firewalls Training Material

Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec

Testing Result (screenshot)

Page 249: Firewalls Training Material

Scenario & Hands-on 7-2 Exercise 7-2 - VPN Configuration-L2TP/IPsec

Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
DFL-1600 WAN1: DHCP IP
L2TP/IPsec client, VPN tunnel to WAN1

Objectives:

1. The user dials up to the firewall with the Windows L2TP/IPsec client

2. Ping the LAN IP address of the firewall

Page 250: Firewalls Training Material

Scenario & Hands-on 7-3 VPN Configuration- IPsec

VPN Objects – Pre Shared Keys

• Used to authenticate the peers of a VPN tunnel

• Two ways to enter a PSK – ASCII and HEX

– ASCII – type in a passphrase

– HEX – type in a passphrase and use "Generate" to turn it into a hexadecimal key

Page 251: Firewalls Training Material

Scenario & Hands-on 7-3 VPN Configuration- IPsec

VPN Objects – LDAP

• For certificate-based authentication of VPN tunnels, the CA certificate must be available on an LDAP server that the firewall can reach

Page 252: Firewalls Training Material

Scenario & Hands-on 7-3 VPN Configuration- IPsec

ID Lists

• ID Lists manage and control which VPN clients and gateways may connect, by matching the identity (for example, from the peer's certificate) presented during IKE negotiation

• Mobile clients can be restricted from accessing internal networks by ID Lists

Page 253: Firewalls Training Material

Scenario & Hands-on 7-3 VPN Configuration- IPsec

IKE/IPsec Algorithms

• Predefined IKE and IPsec algorithm proposals are provided by default

• High – very secure

• Medium – secure

• You can also define your own algorithm proposals

Page 254: Firewalls Training Material

Scenario & Hands-on 7-3 VPN Configuration- IPsec

Network topology

Local DFL-1600: Internal LAN1 192.168.1.0/24, LAN2 192.168.2.0/24, LAN3 192.168.3.0/24; WAN1 static IP 192.168.174.70/24
Remote DFL-1600: Remote LAN / Internal LAN 192.168.10.0/24; WAN1 IP 192.168.174.71/24
VPN tunnel between the two WAN1 interfaces

Note:

Use the same pre-shared key and algorithm proposals in both IPsec settings.

Choose the correct local net and remote net for the IPsec tunnel.

Page 255: Firewalls Training Material

Scenario & Hands-on 7-3 VPN Configuration-IPsec

Objectives

• The two firewalls communicate with each other through an IPsec tunnel.
• A client on the local net pings a client on the remote net.

The logic of configuration

1. Create the address objects (remote gateway, remote network)
2. Create the VPN object (pre-shared key)
3. Configure the IPsec tunnel
4. Create the IP rule for the IPsec tunnel

Page 256: Firewalls Training Material

Scenario & Hands-on 7-3 VPN Configuration- IPsec

Create objects for the remote gateway IP address and the remote network

• Click "Address" in Objects

• Key in the corresponding IP address and network

Page 257: Firewalls Training Material

Scenario & Hands-on 7-3 VPN Configuration- IPsec

Create the pre-shared key for the IPsec tunnel

• Click "Pre-Shared Keys" in VPN Objects

• Key in the correct value

Page 258: Firewalls Training Material

Scenario & Hands-on 7-3 VPN Configuration- IPsec

Create the IPsec tunnel

• Click "IPsec Tunnels" in Interface

• Choose the corresponding configuration. Note: if the remote firewall's WAN IP is not static, in other words the remote endpoint uses a dynamic IP address registered with a dynamic DNS service, the administrator can enter the DDNS domain name directly as the remote endpoint.

Page 259: Firewalls Training Material

Scenario & Hands-on 7-3 VPN Configuration- IPsec

Combine the two interfaces into one interface group

• Click "Interface Groups" in Interface

• Choose the corresponding interfaces (typically the LAN interface and the IPsec tunnel interface, so that a single IP rule from the group to the group covers both directions)

Page 260: Firewalls Training Material

Scenario & Hands-on 7-3 VPN Configuration- IPsec

Create IP Rules for the IPsec tunnel

• Click "IP Rules" in Rules

• Choose the corresponding configuration

• Enable the Log setting

Page 261: Firewalls Training Material

Scenario & Hands-on 7-3 VPN Configuration- IPsec

After all configuration, click "Configuration" on the main menu bar

• Click "Save and Activate"

Page 262: Firewalls Training Material

Scenario & Hands-on 7-3 Exercise 7-3 - VPN Configuration-IPsec

Internal LAN1 (even group) --- DFL-1600 === VPN tunnel === DFL-1600 --- Remote LAN / Internal LAN (odd group)

Objectives:

1. The two firewalls communicate with each other through an IPsec tunnel

2. A client on the local net pings a client on the remote net

Page 263: Firewalls Training Material

Scenario & Hands-on 7-4 VPN Configuration- IPsec with NetScreen 204

Network topology

DFL-1600: Internal LAN1 192.168.1.0/24, LAN2 192.168.2.0/24, LAN3 192.168.3.0/24; WAN1 static IP 192.168.174.70/24
NetScreen 204: Remote LAN / Internal LAN 192.168.10.0/24; WAN1 IP 192.168.174.71/24
VPN tunnel between the two WAN1 interfaces

Note:

Use the same pre-shared key and algorithm proposals on the DFL-1600 and the NS-204.

Choose the correct local net and remote net for the IPsec tunnel.

Page 264: Firewalls Training Material

Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204

Objectives

• The two firewalls communicate with each other through an IPsec tunnel.
• A client on the local net pings a client on the remote net.

The logic of configuration (NetScreen side)

1. Create the VPN objects (pre-shared key, remote net/gateway and algorithm proposals)
2. Configure the IPsec tunnel
3. Create the policy for the IPsec tunnel

Page 265: Firewalls Training Material

Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204

Create the network object for the DFL-1600 side (remote network)

• Click "List" under "Addresses" in Objects

• Key in the corresponding network

Page 266: Firewalls Training Material

Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204

Create the IP address object for the DFL-1600 (remote gateway)

• Click "List" under "Addresses" in Objects

• Key in the corresponding IP address

Page 267: Firewalls Training Material

Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204

Create the P1 (Phase 1) Proposal for the tunnel to the DFL-1600

• Click "P1 Proposal" under "AutoKey Advanced" in VPNs

• Choose the corresponding algorithms and DH group (they must match the IKE proposal configured on the DFL-1600)

Page 268: Firewalls Training Material

Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204

Create the P2 (Phase 2) Proposal for the tunnel to the DFL-1600

• Click "P2 Proposal" under "AutoKey Advanced" in VPNs

• Choose the corresponding algorithms and DH group (the PFS group; they must match the IPsec proposal configured on the DFL-1600)

Page 269: Firewalls Training Material

Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204

Create the Gateway object for the DFL-1600

• Click "Gateway" under "AutoKey Advanced" in VPNs

• Key in the corresponding IP address and Preshared Key

• Click "Advanced"

Page 270: Firewalls Training Material

Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204

"Advanced" settings of the Gateway object

• Under Security Level choose "User Defined: Custom" and select the Phase 1 Proposal created above

• Choose "Main" mode

Page 271: Firewalls Training Material

Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204

Create the IPsec VPN tunnel to the DFL-1600

• Choose the "Security Level" (the Phase 2 Proposal created above) and select the "Predefined" Remote Gateway created above

• Choose the "Outgoing Interface" and click "Advanced"

Page 272: Firewalls Training Material

Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204

Create the IPsec VPN policy for the DFL-1600

• Choose the correct Action, Service and Network in the policy

• Enable "Modify matching bidirectional VPN policy"
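The notes for Scenarios 7-3 and 7-4 both say "use the same pre-shared key and algorithm" on both peers, and the P1/P2 proposal steps above show where each value lives on the NetScreen side. The following is an added example, not D-Link or Juniper code: a small model of what has to agree for the tunnel to come up, so that the three distinct failure modes (no common Phase 1 proposal, wrong pre-shared key, no common Phase 2 proposal) can be seen separately. The Proposal, Peer and negotiate names and the lab values are this example's own assumptions, and the authenticator is a deliberate simplification of the real IKEv1 SKEYID derivation.

```python
"""Constructed model (not D-Link or Juniper code) of what has to agree between two IPsec peers:
the Phase 1 (IKE) proposal, the pre-shared key, and the Phase 2 (IPsec) proposal."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "aes-256", "3des"
    integrity: str    # e.g. "sha1", "md5"
    dh_group: int     # Phase 1: IKE DH group; Phase 2: PFS group, 0 = no PFS


@dataclass
class Peer:
    name: str
    psk: bytes
    phase1: list      # Proposals in the order the peer prefers them
    phase2: list


def select(offered: list, accepted: list):
    """Responder behaviour: take the first proposal the initiator offers that it also accepts."""
    for proposal in offered:
        if proposal in accepted:
            return proposal
    return None


def auth_tag(psk: bytes, nonce_i: bytes, nonce_r: bytes, proposal: Proposal) -> bytes:
    """Simplified PSK authenticator. Real IKEv1 derives SKEYID = prf(PSK, Ni|Nr) and hashes the
    identities and SA payloads as well; the point here is only that both sides must hold the same PSK."""
    message = nonce_i + nonce_r + repr(proposal).encode()
    return hmac.new(psk, message, hashlib.sha256).digest()


def negotiate(initiator: Peer, responder: Peer) -> dict:
    """Walk the exchange and report where it stops, the way an IKE debug log would."""
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)

    phase1 = select(initiator.phase1, responder.phase1)
    if phase1 is None:                      # no common IKE algorithms / DH group
        return {"status": "NO_PROPOSAL_CHOSEN", "phase": 1}

    expected = auth_tag(responder.psk, nonce_i, nonce_r, phase1)
    presented = auth_tag(initiator.psk, nonce_i, nonce_r, phase1)
    if not hmac.compare_digest(expected, presented):   # a PSK typo shows up as failed authentication
        return {"status": "AUTHENTICATION_FAILED", "phase": 1, "phase1": phase1}

    phase2 = select(initiator.phase2, responder.phase2)
    if phase2 is None:                      # IPsec algorithms or PFS group differ
        return {"status": "NO_PROPOSAL_CHOSEN", "phase": 2, "phase1": phase1}

    return {"status": "ESTABLISHED", "phase1": phase1, "phase2": phase2}


def generate_hex_psk(nbytes: int = 32) -> str:
    """A random key for the HEX field: 32 random bytes cannot be found from a word list,
    unlike a short ASCII passphrase."""
    return secrets.token_hex(nbytes)


# Constructed lab values for the DFL-1600 side and several NetScreen configurations (assumptions).
STRONG = Proposal("aes-256", "sha1", 2)
LEGACY = Proposal("3des", "md5", 1)
KEY = b"lab-psk-change-me"

dfl = Peer("DFL-1600", KEY, phase1=[STRONG, LEGACY], phase2=[Proposal("aes-256", "sha1", 2)])
netscreen_ok = Peer("NS-204", KEY, phase1=[STRONG], phase2=[Proposal("aes-256", "sha1", 2)])
netscreen_wrong_key = Peer("NS-204", b"lab-psk-change-me ", phase1=[STRONG], phase2=dfl.phase2)
netscreen_no_pfs = Peer("NS-204", KEY, phase1=[STRONG], phase2=[Proposal("aes-256", "sha1", 0)])
netscreen_old = Peer("NS-204", KEY, phase1=[Proposal("des", "md5", 1)], phase2=dfl.phase2)
```

The trailing space in netscreen_wrong_key is the kind of copy-and-paste mistake that the GUI will not flag; on the appliance it surfaces only as a failed Phase 1, which is what the ikesnoop console command (Troubleshooting section) is for. A PFS group that is set on one side and off on the other passes Phase 1 and fails Phase 2, so "the tunnel authenticates but no traffic flows" usually means a Phase 2 mismatch.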


Page 273: Firewalls Training Material

Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204

Testing Result (screenshot)

Page 274: Firewalls Training Material

Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204

DFL-1600 IPsec VPN status (screenshot)

NetScreen VPN status (screenshot)

Page 275: Firewalls Training Material

Agenda

• Appliance Overview • Firewall Concept

• Basic Configuration • Scenario & Hands-on • Troubleshooting

Page 276: Firewalls Training Material

Troubleshooting: Four ways to troubleshoot

• Confirm the configuration of the firewall

• Inspect the firewall status

• Use console commands to get more information

• Capture packets to analyze (Ethereal or Sniffer)

Page 277: Firewalls Training Material

Troubleshooting Flow Chart

1. The problem is reported.

2. Confirm the configuration (verify the configuration). Main cause found? Yes: go to step 6. No: continue.

3. Inspect the firewall status. Main cause found? Yes: go to step 6. No: continue.

4. Use console commands to inspect (verify the network environment). Main cause found? Yes: go to step 6. No: continue.

5. Capture packets to analyze. Main cause found? Yes: go to step 6. No: escalate the case to the Dtrack system.

6. Classify the cause as a configuration cause or an environment cause, correct it, and confirm that the problem has been solved.

Page 278: Firewalls Training Material

Troubleshooting: Confirm the configuration of the firewall

• IP addresses or networks in "Objects"

• Configuration in "Interfaces"

• Configuration in "IP rules": action and service, interface and network

• Configuration in "Main routing": routing table, metric

• Configuration in "PBR" (policy-based routing): routing table and rules, metric

• Advanced configuration: ZoneDefense, traffic shaping, user authentication

Page 279: Firewalls Training Material

Troubleshooting: Inspect the firewall status

• Click "Status" on the main menu bar

• Status pages: System, Logging, Connections, Interfaces, IPsec, User Auth, Routes, DHCP server, IDS, SLB, ZoneDefense

Page 280: Firewalls Training Material

Troubleshooting: Console commands

How to use console commands with HyperTerminal in MS Windows

1. Start HyperTerminal (Hypertrm.exe).

2. Enter a name for the connection (for example, DFL-800) in the Name box.

3. Click an icon for the connection in the Icon box, and then click OK.

4. In the Connect Using box, click the COM port the console cable is plugged into (Direct to COMn), choose "Restore Defaults", and then click OK.

5. Verify the settings on the Port Settings tab and then click OK.

Page 281: Firewalls Training Material

Troubleshooting: Console commands

• The first command to learn is HELP (or H): it prints the list of commands available at the console.

• About (displays information about the firewall core)

• Crashdump (dumps all crash and error information)

• Access (prints the active anti-spoof section)

• Arp [interface] (displays the cached ARP information for all interfaces; add an interface name to see only that interface)

• Arpsnoop [interface] (displays ARP queries and responses; type ARPSNOOP [interface] to enable it and the same command again to disable it; use ALL for all interfaces and NONE to disable the arpsnoop printout on all interfaces)

• Buffers [buf num] (displays the 20 most recently freed buffers; add a number to examine a specific buffer)

• Cfglog (displays the boot log of the firewall configuration)

Page 282: Firewalls Training Material

Troubleshooting: Console commands

• Connections (displays the connections currently open through the firewall)

• CPUid (displays processor information)

• DHCP [switches] <interface> (renews (-renew) or releases (-release) the DHCP lease on the given interface)

• Frags (displays the 20 most recent fragment reassembly attempts, both ongoing and completed)

• Ifstat [interface] (displays the interfaces; add an interface name to get that interface's statistics)

• Loghosts (displays the configured log hosts)

• Logout (locks the console behind the configured password)

• Netcon (displays the active console and management connections to the firewall)

• Netobjects (displays the active host and network objects)

• Ping (the usual ping command to verify IP connectivity: Ping [IP address] [num], where num is the number of echo requests)

• Reconfigure (reloads the configuration from the boot media)

Page 283: Firewalls Training Material

Troubleshooting: Console commands

• Ikesnoop [on/off/verbose] (diagnoses IKE negotiation problems with IPsec tunnels; the verbose output shows the exchange in detail, which is where a mismatched proposal or pre-shared key becomes visible)

• DHCPRelay (displays whether the DHCP boot relay is enabled or disabled)

• Remote (displays the active configuration of the remote section)

• Routes (displays the active configuration of the route section)

• Rules (displays the active configuration of the rule section; several switches are available, for example -v, which shows all available information such as usage counters)

• Scrsave (runs the screen saver)

• Services (displays the active services within the configuration)

• Shutdown (shuts down the firewall)

• Stats (displays statistics for the firewall)

• Time (displays the firewall's current time)

Page 284: Firewalls Training Material

Troubleshooting: Capture packets to analyze

• Set up a laptop with software such as Ethereal or Sniffer to capture packets from the problem node

• The laptop needs to see the problem node's traffic: connect both of them through a hub

• If they connect through a switch, enable the port mirror function on the switch so that the problem node's port is mirrored to the laptop's port

Figure: the laptop running Ethereal or Sniffer beside the problem node on the intranet, once connected through a hub and once through a mirrored switch port

Page 285: Firewalls Training Material

Troubleshooting: Capture packets to analyze

• Inspect the source IP address, destination IP address and protocol of the captured packets, and compare them with the IP rules, routes and NAT configuration, to find where the problematic traffic is being dropped or misrouted
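The source, destination and protocol summary described above is the first thing to build from a capture, because it can be checked line by line against the IP rules. The following is an added example, not from the training material: it constructs a small classic-format pcap in memory (the format Ethereal, now Wireshark, saves), parses it back without any capture library, and produces that summary. The sample addresses and packets are constructed for the example, and the function names are this example's own.

```python
"""Constructed example (not from the training deck): build a small classic pcap in memory and
summarise it by source, destination and protocol, the first thing to look at in a capture."""
from __future__ import annotations

import struct
from collections import Counter
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def _ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src: str, dst: str, proto: int, sport: int = 0, dport: int = 0, payload: bytes = b"") -> bytes:
    """Ethernet + IPv4 + a minimal TCP SYN, UDP or ICMP echo header. L4 checksums are left zero;
    this is a constructed sample, not traffic from a real host."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)  # TCP SYN
    elif proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)                # UDP
    else:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)                                   # ICMP echo request
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"   # dst, src, IPv4
    return eth + ip + l4


def build_pcap(frames: list[bytes]) -> bytes:
    """Classic pcap: 24-byte global header, then a 16-byte record header before each frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes):
    """Yield (src, dst, proto_name, sport, dport) for every IPv4 frame in a classic pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:          # same magic written by a big-endian host
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                       # not IPv4 (ARP, IPv6, ...): skip it
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = str(IPv4Address(frame[26:30]))
        dst = str(IPv4Address(frame[30:34]))
        l4 = frame[14 + ihl:]
        sport = dport = None
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
        yield src, dst, PROTO_NAMES.get(proto, str(proto)), sport, dport


def summarise(data: bytes) -> Counter:
    """Packets per (src, dst, protocol, destination port): the table to compare against the IP rules."""
    return Counter((src, dst, proto, dport) for src, dst, proto, _, dport in parse_pcap(data))


# Constructed sample capture: one LAN host reaching a web server and the firewall's DNS,
# and a second host pinging the firewall.
SAMPLE = build_pcap([
    build_frame("192.168.1.10", "203.0.113.5", 6, 51000, 80),
    build_frame("192.168.1.10", "203.0.113.5", 6, 51001, 80),
    build_frame("192.168.1.10", "192.168.1.1", 17, 51002, 53),
    build_frame("192.168.1.20", "192.168.1.1", 1),
])
```

Running summarise on a real capture saved from Ethereal or Wireshark in classic pcap format gives the same table; each row is then a question for the configuration (is there an IP rule for this source, destination and service, and does the route point at the expected interface?).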

Page 286: Firewalls Training Material


Questions & Answers

THANK YOU

