DFL-500 SOHO Firewall User’s Manual Rev. 02 (March, 2002) D-Link Systems, Inc.
© Copyright 2002 D-Link Systems, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of D-Link Systems, Inc.
DFL-500 User Manual Version 2.2, 30 March 2002
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
DFL-500 User’s Manual 8
Introducing the DFL-500
The DFL-500 is one of a series of new generation all-layer security products that provide comprehensive protection for your internal network. These products, Application Security Gateways, combine key security technologies into a dedicated platform designed for high performance and reliability.
Transparent mode
Transparent Mode provides even quicker and easier installation when the requirement is to provide firewall protection to a pre-existing network with public addresses. The internal and external network interfaces of the DFL-500 can be in the same network; therefore, the DFL-500 can be inserted into your network at any point without the need to make any changes to your network.
• IPSec and PPTP VPN pass through so that computers or subnets on your internal network can connect to a VPN gateway on the Internet

Virus and worm protection
D-Link's DFL-500 secure gateway solution adds anti-virus and anti-worm functionality to conventional VPN and firewall security.
Secure installation, configuration, and management
Installation is quick and simple. All that is required to get the DFL-500 up and running and protecting your network is to connect to the web-based manager and use the firewall setup wizard. You can also do the basic configuration from the DFL-500 command line interface (CLI). When initially connected to your network, the DFL-500 comes with a default configuration that provides basic security features.
• Report traffic that was denied by firewall policies
• Report configuration changes
Logs can be sent to a remote syslog server.

About this document
This user manual describes how to install and configure the DFL-500.
Installing the DFL-500
This chapter describes how to install the DFL-500 firewall between your network and the Internet. After you have completed the procedures in this chapter, your DFL-500 will be up and running and protecting your internal network.
PPPoE
  User Name:
  Password:
In the space below, record the IP addresses of the primary and secondary DNS servers provided by your ISP.
4. DNS Server
  Primary:
  Secondary:
If you plan to use the DFL-500 as a DHCP server to assign IP addresses to the computers on your internal network, you must specify the IP address range reserved to be assigned by the DHCP server.
5. DHCP Server (optional)
  Starting IP:
  Ending IP:
6.
  Primary:
  Secondary:

Unpacking the DFL-500
The DFL-500 package contains the following items:
• The DFL-500 firewall
• A blue cross-over ethernet cable
• A gray regular ethernet cable
• A null-modem cable
• The DFL-500 Quick Start Guide
• A CD containing this DFL-500 User Manual
• An AC adapter
DFL-500 package contents

Mounting the DFL-500
The DFL-500 can be installed on any stable surface. Make sure the appliance has at least 1.5 in. (3.
Environmental specifications
• Operating Temperature: 32 to 104 °F (0 to 40 °C)
• Storage Temperature: -13 to 158 °F (-25 to 70 °C)
• Humidity: 5 to 95% non-condensing

Powering on the DFL-500
To power on the DFL-500:
• Connect the power cord to the power connection at the back of the DFL-500.
• Connect the power cord to a power outlet.
The DFL-500 starts up. The Power and Status lights light. The Status light flashes while the DFL-500 is starting up and remains lit when the system is up and running.
DFL-500 login page

Starting the firewall setup wizard
To start the firewall setup wizard:
• Click the Wizard button at the upper right of the web-based manager.
• Select the operating mode: Network Address Translation (NAT) or Transparent.
• If you selected Network Address Translation (NAT), use the information that you gathered in NAT mode configuration information to fill in the wizard fields.
• Click the Next button to step through the wizard pages.
Configuring the DFL-500 from the CLI
To connect to the DFL-500 command line interface (CLI) you require:
• A computer with an available communications port
• A null modem cable with a 9-pin connector to connect to the communications port on the back panel of the DFL-500
• Terminal emulation software such as HyperTerminal for Windows
The following procedure describes how to connect to the DFL-500 CLI using Windows HyperTerminal software. You can use any terminal emulation program.
    set system interface internal ip 192.168.1.1 255.255.255.0
• Set the IP address and netmask of the external interface to the External IP Address and Netmask that you recorded in NAT mode configuration information. To set the Manual IP address and netmask, enter:
    set system interface external manual ip
  Example:
    set system interface external manual ip 204.23.1.5 255.255.255.
Configuring the Transparent mode management IP address
• Login to the CLI if you are not already logged in.
• Set the IP address and netmask of the Management IP to the IP address and netmask that you recorded in Transparent mode configuration information. Enter:
    set system manageip ip
  Example:
    set system manageip ip 10.10.10.2 255.255.255.0
• Confirm that the address is correct. Enter:
    get system manageip
  The CLI lists the Management IP address and netmask.
DFL-500 network connections:

Configuring your internal network
If you are running the DFL-500 in NAT mode, your internal network must be configured to route all internet traffic to the address of the internal interface of the DFL-500. This means changing the default gateway address of all computers and routers connected directly to the internal network. If you are using the DFL-500 as the DHCP server for your internal network, configure the computers on your internal network for DHCP.
Firewall Configuration
This chapter describes how to use firewall policies to establish and control connectivity through the DFL-500 firewall.
Policy information
Policies direct the firewall to perform actions when a connection request matches the identifying information. A policy can specify that the firewall accepts, denies, or requests authentication for the connection. A policy can also trigger traffic log messages when the policy processes traffic and can apply traffic shaping to the traffic controlled by the policy.
To add a policy:
• Go to Firewall > Policy.
• Click the tab corresponding to the type of policy to add. Before adding Incoming policies in NAT mode, you must configure Virtual IP Mapping. For more information about incoming policies, see Virtual IPs.
• Click New to add a policy. You can also click Insert Policy before on a policy in the list to add the new policy above that one.
• Configure the policy.
  Source: Select the source address for the policy.
Editing policies
To edit a policy:
• Go to Firewall > Policy.
• Click the tab corresponding to the type of policy to edit.
• Choose a policy to edit and click Edit.
• Edit the policy settings as required. You can change any of the policy settings.
• Click OK to save your changes.

Policy matching
For every connection attempt, the DFL-500 must choose the policy to apply to the connection.
Accepting incoming connections in NAT mode
Running the DFL-500 in NAT mode hides the actual addresses of the computers on your internal network from the Internet. To provide Internet access to a server on your internal network, you must add a Virtual IP that creates an association between the Internet IP address of the server and the actual address of the computer on your internal network that is running the server.
Since policy matching works on a first-match principle, you must add the deny policy above the accept policy in the policy list. For more information, see Policy matching and Arranging policies in the policy list.

Adding an incoming policy to deny connections
• Add the schedule for denying access. See Schedules.
• Add any addresses for which to deny connections. See Addresses.
• Go to Firewall > Policy > Incoming.
• To addresses on the Internet (see Adding addresses)
• To services (see Services)
• According to a one-time or recurring schedule (see Schedules)
Since policy matching works on a first-match principle, you must add deny policies above the default policy. You must also add deny policies above matching policies that accept connections. For more information, see Policy matching and Arranging policies in the policy list.
For example, if a policy denies connections to a subnet, you can add a policy that accepts connections from one of the computers on the subnet. Policies that accept connections in this way must be added to the policy list above the policies that they are exceptions to.
• Delete the default policy and then add policies to accept only the connections that you want the firewall to accept. In this way you can limit Internet access to that allowed in the policies that you create.
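The first-match rule described above decides everything about policy ordering, so it is worth seeing it run. The following Python model is an added example written for this edition of the manual, not D-Link's code: the Policy, Service and Connection classes, the policy names and the 192.168.1.0/24 addresses are all constructed, and treating a connection that matches no policy as denied is an assumption of the example. It walks a policy list top to bottom and shows that the same three policies give different answers depending on where the deny and its exception sit relative to the default accept policy.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of DFL-500-style policy matching (added example, not the
# firewall's own code). Policy, Service and Connection are assumed names.

@dataclass(frozen=True)
class Service:
    protocol: str        # "tcp", "udp" or "any"
    low: int             # low destination port
    high: int            # high destination port (same as low for a single port)

    def covers(self, protocol, port):
        if self.protocol != "any" and self.protocol != protocol:
            return False
        return self.low <= port <= self.high

@dataclass(frozen=True)
class Policy:
    name: str
    source: str          # CIDR, e.g. "192.168.1.0/24"
    destination: str     # CIDR; "0.0.0.0/0" stands for any Internet address
    service: Service
    action: str          # "accept", "deny" or "auth"

@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int

def policy_matches(policy, conn):
    """A policy matches when source, destination and service all match."""
    src_ok = ipaddress.ip_address(conn.src_ip) in ipaddress.ip_network(policy.source)
    dst_ok = ipaddress.ip_address(conn.dst_ip) in ipaddress.ip_network(policy.destination)
    return src_ok and dst_ok and policy.service.covers(conn.protocol, conn.dst_port)

def first_match(policies, conn):
    """Walk the policy list top to bottom; the first matching policy wins."""
    for policy in policies:
        if policy_matches(policy, conn):
            return policy
    return None

def decide(policies, conn):
    """Return (policy name, action). A connection that matches no policy is
    treated as denied here; that fallback is an assumption of this example."""
    policy = first_match(policies, conn)
    return (policy.name, policy.action) if policy else ("no match", "deny")

# Constructed policies for an internal 192.168.1.0/24 network.
ANY_SERVICE = Service("any", 1, 65535)
IRC = Service("tcp", 6660, 6669)          # port range from the pre-defined services table
DEFAULT = Policy("default", "192.168.1.0/24", "0.0.0.0/0", ANY_SERVICE, "accept")
DENY_IRC = Policy("deny-irc-lab", "192.168.1.128/25", "0.0.0.0/0", IRC, "deny")
ALLOW_ADMIN = Policy("allow-admin-irc", "192.168.1.200/32", "0.0.0.0/0", IRC, "accept")

# Exception above the deny it overrides, deny above the default accept.
CORRECT_ORDER = [ALLOW_ADMIN, DENY_IRC, DEFAULT]
# Same policies with the default on top: the deny and the exception are never reached.
WRONG_ORDER = [DEFAULT, DENY_IRC, ALLOW_ADMIN]

if __name__ == "__main__":
    lab_irc = Connection("192.168.1.150", "203.0.113.10", "tcp", 6667)
    admin_irc = Connection("192.168.1.200", "203.0.113.10", "tcp", 6667)
    lab_web = Connection("192.168.1.150", "203.0.113.10", "tcp", 80)
    for order_name, order in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        for conn in (lab_irc, admin_irc, lab_web):
            print(order_name, conn.src_ip, conn.dst_port, decide(order, conn))
```

With the correct order, IRC from the lab half of the subnet is denied, the admin workstation's IRC is accepted by its exception, and web traffic falls through to the default policy. With the default policy on top, every connection is accepted by it and the deny policy below is dead, which is exactly the mistake the ordering rules above guard against.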
Addresses
All DFL-500 policies require source and destination IP addresses.
Example internal address:

Editing addresses
• Go to Firewall > Address. Click the tab corresponding to the type of address you want to edit.
• Choose an address to edit and click Edit.
• Make the required changes and click OK to save your changes.

Services
Use services to control the types of communication accepted or denied by the firewall. You can add any of the pre-configured services listed in DFL-500 pre-defined services to a policy.
Service  Description                                                      Protocol  Source port  Destination port
IMAP     IMAP email protocol for reading email from an IMAP server.       tcp       1-65535      143
IRC      Internet relay chat for connecting to chat groups.               tcp       1-65535      6660-6669
NFS      Network file services for sharing files.                         tcp       1-65535      111, 2049
                                                                          udp       1-65535      111, 2049
NNTP     Protocol for transmitting Usenet news.                           tcp       1-65535      119
NTP      Network time protocol for synchronizing a computer's time with   tcp       1-65535      123
         a time server.                                                   udp       1-65535      123
PING     For testing connections to other computers.
• Specify a port number range for the service by adding the low and high port numbers. If the service uses one port number, add this number to both the Low and High fields.
• If the service has more than one port range, click Add to specify additional protocols and port ranges. If you mistakenly add too many port range rows, click Delete to remove the extra row.
• Click OK to add the custom service.
You can now add this custom service to a policy (see Policies).
Adding a service group:

Schedules
Use scheduling to control when policies are active or inactive. You can create one-time schedules and recurring schedules. You can use one-time schedules to create policies that are effective once only for the period of time specified in the schedule. Recurring schedules repeat weekly. You can use recurring schedules to create policies that are effective only at specified times of the day or on specified days of the week.
• Specify the Stop date and time for the schedule. One-time schedules use the 24-hour clock.
• Click OK to add the One-time schedule.
Sample one-time schedule:

Creating recurring schedules
You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For instance, you may wish to prevent internet use outside of working hours by creating a recurring schedule.
• Go to Firewall > Schedule > Recurring.
Sample recurring schedule:

Applying a schedule to a policy
Once you have created schedules you can add them to policies to schedule when the policies are active.
• Go to Firewall > Policy.
• Click the tab corresponding to the type of policy to add.
• Click New to add a policy.
• Configure the policy as required.
• Add a schedule by selecting it from the Schedule list.
• Click OK to save the policy.
• Arrange the policy in the policy list to have the effect that you expect.
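To make the difference between one-time and recurring schedules concrete, here is an added Python example (written for this edition, not D-Link's own code) that evaluates both schedule types against a clock and reports which policies are active. The OneTimeSchedule and RecurringSchedule classes, the schedule names and the policy list are constructed; the manual does not say how the DFL-500 treats a recurring window whose stop time is earlier than its start time, so the example's choice to let such a window run past midnight into the next day is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed model of DFL-500 one-time and recurring schedules (added example;
# the class names and fields are assumptions, not the firewall's own).

@dataclass(frozen=True)
class OneTimeSchedule:
    name: str
    start: datetime      # 24-hour clock, as on the Schedule page
    stop: datetime

    def is_active(self, now):
        return self.start <= now < self.stop

@dataclass(frozen=True)
class RecurringSchedule:
    name: str
    days: frozenset      # weekday numbers, Monday = 0 ... Sunday = 6
    start: time
    stop: time

    def is_active(self, now):
        today = now.weekday()
        clock = now.time()
        if self.start <= self.stop:
            return today in self.days and self.start <= clock < self.stop
        # Assumption: a stop time earlier than the start time wraps past
        # midnight, so the window either started today or the previous day.
        if today in self.days and clock >= self.start:
            return True
        return (today - 1) % 7 in self.days and clock < self.stop

def active_policies(policies, now):
    """Return the names of policies whose schedule is active at 'now'.
    A policy with no schedule (None) is always active."""
    return [name for name, schedule in policies
            if schedule is None or schedule.is_active(now)]

def active_names_at(policies, year, month, day, hour, minute=0):
    """Convenience wrapper so callers can ask about a clock time directly."""
    return active_policies(policies, datetime(year, month, day, hour, minute))

# Constructed schedules.
WORK_HOURS = RecurringSchedule("work-hours", frozenset({0, 1, 2, 3, 4}), time(8, 0), time(18, 0))
NIGHT_BACKUP = RecurringSchedule("night-backup", frozenset({6}), time(23, 0), time(2, 0))   # Sun 23:00 to Mon 02:00
CONTRACTOR = OneTimeSchedule("contractor", datetime(2002, 3, 30, 9, 0), datetime(2002, 3, 30, 17, 0))

# Constructed policy list: (policy name, schedule or None).
POLICIES = [
    ("allow-web-work-hours", WORK_HOURS),
    ("allow-backup-server", NIGHT_BACKUP),
    ("allow-contractor-vpn", CONTRACTOR),
    ("default", None),
]

if __name__ == "__main__":
    for when in ((2002, 3, 30, 10), (2002, 4, 1, 9), (2002, 4, 1, 1), (2002, 3, 31, 12)):
        print(when, active_names_at(POLICIES, *when))
```

Saturday 30 March 2002 at 10:00 activates only the one-time contractor policy; Monday 1 April at 09:00 activates the work-hours policy; Monday at 01:00 is still inside the backup window that opened on Sunday night. A scheduled policy that is inactive simply does not match, so the connection continues down the list to the next policy, which is why the default policy must still be ordered with the schedule in mind.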
Requiring passwords is not supported in Transparent mode. You can add authentication to Int to Ext policies, but not to Incoming policies. Users can only enter passwords using HTTP, FTP, or Telnet. If users are required to enter a user name and password to access the Internet, they must connect to the firewall using a web browser, FTP, or Telnet to enter their user name and password.
• Click the tab corresponding to the type of policy to add. You can add authentication to Int to Ext policies.
• Click New to add a policy, or click Edit to edit a policy to add authentication.
• Configure the policy as required.
• Set Action to Auth.
• Click OK to save the policy.
• Arrange the policy in the policy list to have the effect that you expect.
Adding a Virtual IP:

IP/MAC binding
IP/MAC binding provides added security against IP Spoofing attacks. IP Spoofing attempts to use the IP address of a trusted computer to access the DFL-500 from a different computer. The IP address of a computer can easily be changed to a trusted address, but MAC addresses are added to ethernet cards at the factory and cannot easily be changed. You can enter the IP addresses and corresponding MAC addresses of trusted computers into the DFL-500 firewall configuration.
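The check that IP/MAC binding performs is simple to state but easy to get wrong when MAC addresses arrive in different notations, so here is an added Python example (not the DFL-500's own code) of a binding table and the classification of observed IP/MAC pairs against it. The trusted table, the observed pairs and the function names are constructed for the illustration; the three verdicts it returns (ok, spoof, unbound) are this example's own labels, not the firewall's.

```python
import re

# Constructed IP/MAC binding check (added example; the binding table and the
# observed traffic below are made up, and check_binding is an assumed name).

def normalize_mac(mac):
    """Canonical form aa:bb:cc:dd:ee:ff; accepts '-', ':', '.' or no separator."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def build_bindings(entries):
    """entries: iterable of (ip, mac) pairs for trusted computers."""
    return {ip: normalize_mac(mac) for ip, mac in entries}

def check_binding(bindings, ip, mac):
    """Classify one observed (ip, mac) pair against the trusted table:
    'ok'      the pair matches a binding
    'spoof'   the IP is bound to a different MAC (the IP spoofing case)
    'unbound' the IP has no binding; the rest of the policy decides"""
    if ip not in bindings:
        return "unbound"
    return "ok" if bindings[ip] == normalize_mac(mac) else "spoof"

def audit(bindings, observed):
    """Return (ip, mac, verdict) for every observed pair plus the number of
    suspected spoofs, so an administrator can see which hosts to investigate."""
    results = [(ip, normalize_mac(mac), check_binding(bindings, ip, mac))
               for ip, mac in observed]
    return results, sum(1 for r in results if r[2] == "spoof")

# Constructed trusted computers, entered in mixed notations on purpose.
TRUSTED = build_bindings([
    ("192.168.1.10", "00-11-22-33-44-55"),   # administrator workstation
    ("192.168.1.20", "00:11:22:33:44:66"),   # file server
])

# Constructed observations, such as pairs taken from the firewall's traffic log.
OBSERVED = [
    ("192.168.1.10", "0011.2233.4455"),      # matches its binding
    ("192.168.1.20", "00:11:22:33:44:77"),   # trusted IP seen with another card
    ("192.168.1.30", "00:11:22:33:44:88"),   # no binding for this IP
]

if __name__ == "__main__":
    results, spoofs = audit(TRUSTED, OBSERVED)
    for ip, mac, verdict in results:
        print(f"{ip:<15} {mac}  {verdict}")
    print("suspected spoofs:", spoofs)
```

The second observation is the case the section describes: the trusted address 192.168.1.20 appears with a MAC other than the one recorded for it, so the pair is flagged rather than trusted. Normalising both sides before comparing prevents a harmless notation difference ("00-11-22-33-44-55" versus "0011.2233.4455") from being mistaken for a spoof.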
• Click Apply to save your changes.

Traffic shaping
You can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth to make sure that there is enough bandwidth available for a high-priority service. You can also use traffic shaping to limit the amount of bandwidth available through the firewall for a policy. Limit bandwidth to keep less important services from using bandwidth needed for more important services.
IPSec VPNs
Using DFL-500 IPSec Virtual Private Networking (VPN), you can join two or more widely separated private networks together through the Internet. For example, a company that has two offices in different cities, each with its own private network, can use VPN to create a secure tunnel between the offices. In addition, remote or travelling workers can use a VPN client to create a secure tunnel between their computer and their office private network.
Example VPN between two internal networks:

Autokey IPSec VPN between two networks
Use the following procedures to configure a VPN that provides a direct communication link between users and computers on two different networks. Example VPN between two internal networks shows an example VPN between the main office and a branch office of a company.
Creating the VPN tunnel
A VPN tunnel consists of a name for the tunnel, the IP address of the VPN gateway at the opposite end of the tunnel, the keylife for the tunnel, and the authentication key to be used to start the tunnel. You must create complementary VPN tunnels on each of the VPN gateways. On both gateways the tunnel should have the same name, keylife, and authentication key.
• Click OK to save the Autokey IKE VPN tunnel.
Example Main Office Autokey IKE VPN tunnel:

Adding internal and external addresses
The next step in configuring the VPN is to add the addresses of the networks that are to be connected using the VPN tunnel.
Complete the following procedure on both VPN gateways to add the internal and external IP addresses:
• Go to Firewall > Address > Internal.
• Click New to add a new internal address.
• Enter the Address Name and the IP Address and NetMask of the internal network that can connect to the VPN.
Example internal address for VPN Gateway 1:
• Click OK to save the internal address.
• Go to Firewall > Address > External.
• Click New to add a new external address.
Example Main Office VPN policy:

Autokey IPSec VPN for remote clients
Use the following procedures to configure a VPN that allows remote VPN clients to connect to users and computers on a Main Office internal network (See Example VPN between an internal network and remote clients). A remote VPN client can be any computer connected to the Internet and running VPN client software that uses IPSec and Autokey IKE. The client can have a static IP address or a dynamic IP address.
Use the following procedures to configure an IPSec Autokey IKE VPN that allows VPN clients to connect to an internal network:
• Configuring the VPN tunnel for the client VPN
• Adding internal and external addresses
• Adding an IPSec VPN policy
• Configuring the IPSec VPN client

Configuring the VPN tunnel for the client VPN
A VPN tunnel consists of a name for the tunnel, the remote gateway IP address (which is the IP address of the client), the keylife for the tunnel, and the authentication key to be
Adding internal and external addresses
The next step in configuring the VPN is to add the addresses of the VPN clients and the address of the internal network to the VPN gateway. You do not have to add addresses for remote clients with dynamic IP addresses. Example VPN Gateway IP Addresses shows the internal and external addresses required for the VPN Gateway shown in Example VPN between an internal network and remote clients.
Address
VPN Tunnel Name: The name of the VPN tunnel to be created between the VPN gateway and the VPN client (see Example VPN Tunnel configuration). Example: Client_VPN
Complete the following procedure on the VPN gateway to add the VPN policy:
• Go to VPN > IPSEC > Policy.
• Click New to add a new IPSec VPN policy.
• Select the Source IP address, Destination IP address, and the VPN tunnel to add to the IPSec VPN policy.
• Click OK to save the VPN policy.
• Configure the VPN tunnel.
  VPN Tunnel Name: Enter a name for the tunnel. The name can contain numbers (0-9) and upper and lower case letters (A-Z, a-z), and the special characters - and _. Spaces and the @ character are not allowed. If you are configuring a VPN between two DFL-500 gateways, it is recommended that you use the same tunnel name on both sides of the VPN.
  Local SPI (Secure Parameter Index): Enter a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f).
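Because a manual key tunnel has to be typed in by hand on both gateways, a small validator catches most of the mismatches before the first ping fails. The following Python example is added here and is not D-Link's code: it applies the tunnel name and Local SPI rules stated above and the requirement from Creating the VPN tunnel that both gateways use the same name, keylife and authentication key. The ManualKeyTunnel class, the remote_spi field and the check that each gateway's local SPI equals the other's remote SPI are assumptions of the example (the manual shows only the Local SPI field on this page); the tunnel values are constructed.

```python
import re
from dataclasses import dataclass

# Constructed validator for manual key tunnel fields (added example;
# ManualKeyTunnel and the check functions are assumed names).

TUNNEL_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # 0-9, A-Z, a-z, - and _; no spaces or @
SPI_RE = re.compile(r"^[0-9a-f]{1,8}$")            # up to eight hex digits, 0-9 and a-f

@dataclass(frozen=True)
class ManualKeyTunnel:
    name: str
    local_spi: str
    remote_spi: str      # assumed field: the SPI the other gateway calls "local"
    keylife: int
    auth_key: str        # constructed placeholder, never a real key

def validate_tunnel_name(name):
    return bool(TUNNEL_NAME_RE.match(name))

def validate_spi(spi):
    return bool(SPI_RE.match(spi))

def tunnel_problems(tunnel):
    """List the field-level problems in one tunnel definition (empty if none)."""
    problems = []
    if not validate_tunnel_name(tunnel.name):
        problems.append(f"name {tunnel.name!r}: only 0-9, A-Z, a-z, - and _ are allowed")
    for label, spi in (("local", tunnel.local_spi), ("remote", tunnel.remote_spi)):
        if not validate_spi(spi):
            problems.append(f"{label} SPI {spi!r}: must be 1 to 8 hex digits (0-9, a-f)")
    return problems

def pair_problems(gw1, gw2):
    """Check that two gateways' tunnels are complementary: same name, keylife
    and authentication key on both sides (as the manual requires), and each
    side's local SPI is the other side's remote SPI (this example's assumption)."""
    problems = tunnel_problems(gw1) + tunnel_problems(gw2)
    if gw1.name != gw2.name:
        problems.append("tunnel names differ")
    if gw1.keylife != gw2.keylife:
        problems.append("keylife differs")
    if gw1.auth_key != gw2.auth_key:
        problems.append("authentication keys differ")
    if gw1.local_spi != gw2.remote_spi or gw1.remote_spi != gw2.local_spi:
        problems.append("local/remote SPIs are not swapped between gateways")
    return problems

if __name__ == "__main__":
    main_office = ManualKeyTunnel("Branch_Office-1", "1a2b3c", "4d5e6f", 28800, "constructed-key")
    branch = ManualKeyTunnel("Branch_Office-1", "4d5e6f", "1a2b3c", 28800, "constructed-key")
    print("complementary pair:", pair_problems(main_office, branch) or "no problems")
    typo = ManualKeyTunnel("Branch Office@1", "1A2B3C", "123456789", 28800, "constructed-key")
    for problem in tunnel_problems(typo):
        print("problem:", problem)
```

The typo tunnel trips all three field rules at once: a space and an @ in the name, upper-case hex in one SPI, and nine digits in the other. Running pair_problems on both gateways' definitions before bringing the tunnel up is a cheap substitute for the trial-and-error that Testing a VPN otherwise requires.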
Adding an IPSec VPN policy
Use the procedure Adding an IPSec VPN policy to configure the outgoing policy that connects from the local internal network through the VPN tunnel to the remote internal network.

Manual key exchange IPSec VPN for remote clients
Use the following procedures to configure a VPN that allows remote clients to connect to computers on a Main Office internal network (Example VPN between an internal network and remote clients).
Testing a VPN
To confirm that a VPN between two networks has been configured correctly, use the ping command from one internal network to connect to a computer on the other internal network. The IPSec VPN tunnel starts automatically when the first data packet destined for the VPN is intercepted by the DFL-500. To confirm that a VPN between a network and one or more clients has been configured correctly, start a VPN client and use the ping command to connect to a computer on the internal network.
are forwarded to the destination IPSec VPN gateway with a source address of the external interface of the DFL-500 firewall.
IPSec client connecting to a VPN in the Internet using VPN pass through:

IPSec network to network VPN pass through
Use the following procedure to create the configuration shown in IPSec network to network VPN pass through. In this configuration, the Internal IPSec VPN gateway connects an Internal network to the destination IPSec VPN gateway on the Internet.
IPSec network to network VPN pass through:
When a computer on the internal IPSec VPN network connects to the internal network behind the destination IPSec VPN gateway, the DFL-500 firewall accepts IPSec VPN connections from the internal network and performs network address translation on them. The VPN packets are forwarded to the destination IPSec VPN gateway with a source address of the external interface of the DFL-500 firewall.
PPTP and L2TP VPNs
Using DFL-500 PPTP and L2TP Virtual Private Networking (VPN), you can create a secure connection between a client computer running Windows and an internal network protected by a DFL-500. PPTP is a Microsoft Windows VPN standard. You can use PPTP to connect computers running Microsoft Windows to a DFL-500-protected private network without using third party VPN client software. L2TP combines Windows PPTP functionality with IPSec security.
Make sure that your ISP supports PPTP connections.
PPTP VPN between a Windows client and the DFL-500:
This section describes:
• Configuring the DFL-500 as a PPTP server
• Configuring a Windows 98 client for PPTP
• Configuring a Windows 2000 Client for PPTP
• Configuring a Windows XP Client to connect to a DFL-500 PPTP VPN

Configuring the DFL-500 as a PPTP server
Use the following procedure to configure the DFL-500 to be a PPTP server.
• Go to VPN > PPTP > PPTP User.
To turn on RADIUS support, see RADIUS authentication for PPTP and L2TP VPNs.
• Click Apply to enable PPTP through the DFL-500.
Sample PPTP Range configuration:

Configuring a Windows 98 client for PPTP
Use the following procedure to configure a client machine running Windows 98 so that it can connect to a DFL-500 PPTP VPN. To configure the Windows 98 client, you must install and configure Windows dial-up networking and virtual private networking support.
• Click on TCP/IP Settings.
• Turn off Use IP header compression.
• Turn off Use default gateway on remote network.
• Click OK twice.

Connecting to the PPTP VPN
• Start the dial-up connection that you configured in the previous procedure.
• Enter your PPTP VPN User Name and Password.
• Click Connect.

Configuring a Windows 2000 Client for PPTP
Use the following procedure to configure a client machine running Windows 2000 so that it can connect to a DFL-500 PPTP VPN.
• Name the connection and click Next.
• If the Public Network dialog box appears, choose the appropriate initial connection and click Next.
• In the VPN Server Selection dialog, enter the external IP address or hostname of the DFL-500 to connect to and click Next.
• Click Finish.

Configure the VPN connection
• Right click the icon that you have created.
• Select Properties > Security.
• Click Typical to configure typical settings.
• Click to select Require data encryption.
• A subnet on your Internal network, protected by a VPN gateway, can connect through your DFL-500 to a VPN on the Internet
No special VPN configuration is required for the client or VPN gateway on your internal network. The VPN tunnel configuration of the VPN gateway on the Internet must be changed to accept connections from the IP address of the external interface of the DFL-500.
VPN packets are forwarded to the PPTP VPN gateway with a source address of the external interface of the DFL-500 firewall.

L2TP VPN configuration
This section describes how to configure the DFL-500 as an L2TP VPN server. This section also describes how to configure Windows 2000 and Windows XP clients to connect to the L2TP VPN. Configuring L2TP is similar to configuring PPTP. You must configure the DFL-500 to support L2TP by adding L2TP users and specifying an L2TP address range.
A client can connect to the L2TP VPN with this user name and password.
• Click OK.
• Repeat the steps from Go to VPN > L2TP > L2TP User to Click OK to add more L2TP user names and passwords as required.
• Go to VPN > L2TP > L2TP Range.
• Click Enable L2TP.
• Specify the L2TP address range. The L2TP address range is the range of addresses on your internal network that must be reserved for remote L2TP clients.
• Set VPN server type to Layer-2 Tunneling Protocol (L2TP).
• Save your changes and continue with the following procedure.

Disabling IPsec
• Click the Networking tab.
• Click Internet Protocol (TCP/IP) properties.
• Double-click the Advanced tab.
• Go to the Options tab and click IP security properties.
• Make sure Do not use IPSEC is checked.
• Click OK and close the connection properties window.
• If the Public Network dialog box appears, choose the appropriate initial connection and click Next.
• In the VPN Server Selection dialog, enter the external IP address or hostname of the DFL-500 to connect to and click Next.
• Click Finish.

Configuring the VPN connection
• Right click the icon that you have created.
• Select Properties > Security.
• Click Typical to configure typical settings.
• Click to select Require data encryption.
• Click Advanced to configure advanced settings.
Connecting to the L2TP VPN
• Connect to your ISP.
• Start the VPN connection that you configured in the previous procedure.
• Enter your L2TP VPN User Name and Password.
• Click Connect.
• In the connect window, enter the User Name and Password you use to connect to your dial-up network connection. This user name and password are not the same as your VPN user name and password.
Example RADIUS configuration:

Turning on RADIUS authentication for PPTP
RADIUS authentication can be turned on separately for PPTP and L2TP. To turn on RADIUS authentication for PPTP users:
• Go to VPN > PPTP > PPTP Range.
• Click to check Enable RADIUS.
• Click Apply.

Turning on RADIUS authentication for L2TP
RADIUS authentication can be turned on separately for PPTP and L2TP. To turn on RADIUS authentication for L2TP users:
• Go to VPN > L2TP > L2TP Range.
• Click to check Enable RADIUS.
Intrusion detection system (IDS)
You can configure the IDS to detect and prevent common network attacks and to send an alert email if the IDS detects an attack. This chapter describes:
• Attack prevention
• Alert email

Attack prevention
With attack prevention configured, the DFL-500 monitors Internet connections for up to 11 common network attacks. If the DFL-500 detects one of these attacks, it takes action to prevent the attack from affecting your Internet connection.
Configuring alert email
• In NAT mode go to IDS > Alert Email. In Transparent mode go to System > Config > Alert Mail.
• In the SMTP Server field, enter the name of the SMTP server to which the DFL-500 should send email. The SMTP server can be located on the internal network or on the Internet.
• In the SMTP User field, enter the email address of a valid user of the SMTP server (for example, user@D-Link.com). This is the address that the mail will originate from.
Virus protection
D-Link's DFL-500 secure gateway solution adds anti-virus and anti-worm functionality to conventional VPN and firewall technology.
• High level virus protection for your internal network
• Medium level virus protection for your internal network
• Low level virus protection for your internal network
To protect your internal network from viruses, you must configure outgoing virus protection. Even though viruses are introduced to your internal network by being downloaded through your firewall, an outgoing connection from your internal network to the web page or email server must first be started.
Example HTTP high level file blocking configuration
• Click OK and click Apply.
• Go to Anti-Virus > SMTP > Outgoing and repeat the steps from Click High to Click OK and click Apply, to configure high level virus protection to block the downloading of email attachments in SMTP email traffic.
• Go to Anti-Virus > POP3 > Outgoing and repeat the steps from Click High to Click OK and click Apply.
Example SMTP virus protection settings
• Click OK and click Apply.
• Go to Anti-Virus > HTTP > Outgoing and repeat the steps from Click Medium to Click OK and click Apply, to configure medium level virus protection to virus scan target files downloaded from Internet web pages.
• Go to Anti-Virus > POP3 > Outgoing and repeat the steps from Click Medium to Click OK and click Apply.
• SMTP, to prevent users on your internal network from sending email attachments that contain viruses to addresses on the Internet
• POP3, if you allow users on the Internet to connect to a POP3 server on your internal network
• IMAP, if you allow users on the Internet to connect to an IMAP server on your internal network
Even though viruses are distributed from your internal network by being uploaded through your firewall, an incoming connection to a server on your internal network must first be start
Medium level virus scanning prevents known viruses from passing through the firewall from your internal network to the Internet while still allowing virus free HTTP downloads and email attachments to pass through the firewall. To configure medium level virus protection to prevent the distribution of viruses from your internal network:
• Go to Anti-Virus > HTTP > Incoming.
• Click Medium to virus scan target files downloaded from your web server to users on the Internet.
• Worm protection for your internal network
• Worm protection for incoming connections

Worm protection for your internal network
When configured for worm protection, the virus scanning engine checks HTTP requests by scanning their originating web page for known worm patterns. For example, Code Red attempts to gain entry to MS IIS servers by trying to exploit a known buffer overflow bug in these servers.
This section describes:
• Manual antivirus database updates
• Automatic antivirus database updates

Manual antivirus database updates
Use the following procedure to update your antivirus database manually. This procedure restarts the DFL-500. If you have configured automatic virus database updates, you can also manually update your antivirus database by going to Anti-Virus > Config > Update and clicking Update Now.
• Download the latest antivirus database from the D-Link support website at http://tsd.
At any time, you can click Update Now to update your antivirus database immediately by downloading the latest database from one of the configured update centres.
Configuring automatic antivirus database updates
Displaying virus and worm lists
Use the following procedure to display the lists of viruses and worms in the antivirus database:
• To display the virus list, go to Anti-Virus > Config > Virus List.
• Scroll through the virus list to view the names of all of the viruses in the list.
Web content filtering
Use DFL-500 Web content filtering to block Web sites containing unwanted content. You can configure the DFL-500 to:
• Block web pages that contain unwanted content
• Block access to Internet sites
• Remove scripts from web pages
Web content filtering is only supported in NAT mode.
• Repeat these steps to add all of the required banned words.
You can also add words to the banned word list by entering them into a text file and then uploading the text file to the DFL-500. See Creating the banned word list using a text editor.
Temporarily disabling the banned word list
• Go to Web Filter > Content Block.
• Uncheck Enable Banned Word to disable content blocking.
Temporarily disabling individual words in the banned word list
• Go to Web Filter > Content Block.
• Click Download Banned Word list to download the banned word list to your management computer.
The DFL-500 downloads the banned word list to a text file on the management computer.
Block access to Internet sites
To block access to Internet sites, enable URL blocking and then create a list of URLs and URL patterns to be blocked. With URL blocking enabled and a list of URLs to be blocked, the DFL-500 blocks access to all web pages with the specified URLs or URL patterns.
You can also add URLs to the URL block list by entering them into a text file and then uploading the text file to the DFL-500. See Creating the URL block list using a text editor.
Temporarily disabling the URL block list
• Go to Web Filter > URL Block.
• Uncheck Enable URL Block to disable URL blocking.
Temporarily disabling blocking of individual URLs
• Go to Web Filter > URL Block.
Remove scripts from web pages
Use the following procedure to configure the DFL-500 to remove scripts from web pages. You can configure the DFL-500 to block Java Applets, Cookies, Malicious Scripts and ActiveX. Blocking any of these items may prevent some web pages from working properly.
• Go to Web Filter > Script Filter.
• Click the filtering options that you want to enable.
• Click Apply to enable script filtering.
Logging and reporting
You can configure the DFL-500 to record 3 types of logs:
• Traffic logs record all traffic that attempts to connect through the DFL-500
• Event logs record changes to the system configuration
• Attack logs record network events that appear to be attacks on the DFL-500
This chapter describes:
• Configuring logging
• Log message formats
Configuring logging
You can configure logging to record logs on a remote computer. You can also configure the kind of information that is logged.
Example log settings
Selecting what to log
Use the following procedure to configure the type of information recorded in DFL-500 logs. When running in Transparent mode, the DFL-500 only supports Log All Internal Traffic to Firewall, Log All External Traffic to Firewall, and Log All Events.
• Go to Log&Report > Log setting.
• Click Sent Alert Email to add an entry to the event log whenever the DFL-500 sends an alert email.
Traffic log message format
Traffic logs record each connection made to a DFL-500 interface. Each traffic log message records the date and time at which the connection was made, the source and destination address of the connection, and whether the connection was accepted or denied by the firewall.
Attack log message format
Attack logs record attacks made on the DFL-500. Each attack log message records the date and time at which the attack was made, a description of the attack, and the IP address of the computer from which the attack originated. When running in Transparent mode, the DFL-500 does not create an Attack log. Attack log messages are created when the DFL-500 detects one of the attacks listed on the IDS > Attack Prevention page.
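The traffic and attack log descriptions above list which fields each message carries but not the exact line layout. The following added example (not from the D-Link manual) parses log lines forwarded to a remote computer and summarises denied connections and attack messages per source address; the line layout and the sample lines are constructed assumptions.

```python
"""Summarise DFL-500-style traffic and attack log lines.

Added example, not the manual's own code. The manual lists the fields
each message carries (date/time, source, destination and accept/deny for
traffic logs; date/time, description and source IP for attack logs), so
the line layout below is an assumption and the sample lines are constructed.
"""
import re
from collections import Counter

# Assumed line layouts (the manual does not document the exact format).
TRAFFIC_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"traffic src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) action=(?P<action>accept|deny)$"
)
ATTACK_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"attack src=(?P<src>[\d.]+) desc=\"(?P<desc>[^\"]*)\"$"
)

# Constructed sample log, using documentation address ranges.
SAMPLE_LOG = """\
2002-03-30 10:01:02 traffic src=192.168.1.20:1034 dst=203.0.113.5:80 action=accept
2002-03-30 10:01:05 traffic src=198.51.100.7:4412 dst=192.168.100.99:23 action=deny
2002-03-30 10:01:06 traffic src=198.51.100.7:4413 dst=192.168.100.99:22 action=deny
2002-03-30 10:02:10 attack src=198.51.100.7 desc="constructed attack description"
2002-03-30 10:02:11 a line that matches neither format
2002-03-30 10:03:00 traffic src=192.168.1.21:1100 dst=203.0.113.9:443 action=accept
"""

def parse_line(line):
    """Return ('traffic', fields) or ('attack', fields), or None if unrecognised."""
    m = TRAFFIC_RE.match(line)
    if m:
        return "traffic", m.groupdict()
    m = ATTACK_RE.match(line)
    if m:
        return "attack", m.groupdict()
    return None

def summarise(text):
    """Count denied connections and attack messages per source address.

    Unparsed lines are counted rather than dropped silently, so a change in
    the firewall's log layout shows up in the summary instead of hiding."""
    denied, attacks, unparsed = Counter(), Counter(), 0
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1
            continue
        kind, fields = parsed
        if kind == "traffic" and fields["action"] == "deny":
            denied[fields["src"]] += 1
        elif kind == "attack":
            attacks[fields["src"]] += 1
    return {"denied": dict(denied), "attacks": dict(attacks), "unparsed": unparsed}

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```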
Administering the DFL-500
This chapter describes how to use the DFL-500 web-based manager to administer and maintain the DFL-500. It contains the following sections:
• Logging into the web-based manager
• System status
• Network configuration
• System configuration
Logging into the web-based manager
To connect to the DFL-500 using the web-based manager you require:
• A computer with an ethernet connection
• Internet Explorer version 4.
System status
Go to System > Status to make any of the following changes to the DFL-500 system status:
• Changing the operating mode
• Upgrading the DFL-500 firmware
• Updating your antivirus database
• Displaying the DFL-500 serial number
• Backing-up system settings
• Restoring system settings
• Restoring system settings to factory defaults
• Restarting the DFL-500
• Shutting down the DFL-500
• System status monitor
Changing the operating mode
Use the following procedure to switch the
Displaying the DFL-500 serial number
• Go to System > Status.
The serial number does not change with firmware upgrades.
Backing-up system settings
This procedure does not back-up the Web content filtering lists. To back-up these lists see Downloading the banned word list and Downloading the URL block list.
You can back-up system settings by downloading them to a text file on the management computer.
• Go to System > Status.
• Click System Settings Download.
• Click Download System Settings.
You can restore your system settings by uploading a previously downloaded system settings text file to the DFL-500.
Default NAT mode system configuration
When the DFL-500 is first powered up or when it is reset to default, the system has the following standard configuration:
• Operation Mode: Network Address Translation
• Internal Address: 192.168.1.99, mask 255.255.255.0
• External Address: 192.168.100.99, mask 255.255.255.0
• Management Address: 10.10.10.1, mask 255.255.255.
Restarting the DFL-500
Use the following procedure to restart the DFL-500 from the web-based manager.
• Go to System > Status.
• Click Restart.
The DFL-500 restarts.
Shutting down the DFL-500
Use the following procedure to shut down the DFL-500 from the web-based manager.
• Go to System > Status.
• Click Shutdown.
The DFL-500 shuts down and all traffic flow through the firewall stops. The DFL-500 can only be restarted after shutdown by turning the power off and on.
To Port: The destination port of the connection.
Expire: The time, in seconds, before the connection expires.
gateway IP address fields. These fields are colored grey to indicate that the addresses have not been assigned manually. Changing MTU size to improve network performance To improve the performance of your internet connection, you can adjust the maximum transmission unit (MTU) of the packets that the DFL-500 transmits from its external interface. Ideally, you want this MTU to be the same as the smallest MTU of all the networks between your machine and the Internet.
You can also control the IP addresses from which administrators can access the web-based manager. See Adding and editing administrator accounts.
Setting management access
Configuring routing
If there are multiple routers installed on your network, you can configure static routes to determine the path that data follows over your network before and after it passes through the DFL-500. You can also use static routing to allow different IP domain users to access the Internet through the DFL-500.
• Click Internal interface to enable RIP server support from the internal interface.
• Click External interface to enable RIP server support from the external interface.
Providing DHCP services to your internal network
If it is operating in NAT mode, you can configure the DFL-500 to be the DHCP server for your internal network.
• Go to System > Network > DNS.
• If they have not already been added, add the primary and secondary DNS server addresses provided to you by your ISP.
Sample DHCP settings
System configuration
Go to System > Config to make any of the following changes to the DFL-500 system configuration:
• Setting system date and time
• Changing web-based manager options
• Adding and editing administrator accounts
• Configuring SNMP
Setting system date and time
For effective scheduling and logging, the DFL-500 time should be accurate.
• Click Apply.
Example date and time setting
Changing web-based manager options
You can change the web-based manager idle timeout, firewall user authentication timeout and character set used by the web-based manager.
• Go to System > Config > Options.
• Set the web-based manager idle time-out. Set the idle time-out to control the amount of inactive time that the web-based manager waits before requiring the administrator to log in again. The default idle time-out is 5 minutes.
• Adding new administrator accounts
• Editing administrator accounts
Adding new administrator accounts
From the admin account, use the following procedure to add new administrator accounts to the DFL-500 and control their permission levels.
• Go to System > Config > Admin.
• Click New to add an administrator account.
• Type a login name for the administrator account.
• Type and confirm a password for the administrator account.
Configuring SNMP
Configure SNMP for the DFL-500 so that the SNMP agent running on the DFL-500 can report system information and send traps. Traps can alert system administrators about problems with the DFL-500.
• Go to System > Config > SNMP.
• Select Enable SNMP.
• Configure SNMP settings:
System Name: Specify a name for this DFL-500.
System Location: Describe the physical location of the DFL-500.
Contact Information: Add the contact information for the person responsible for this DFL-500.
Using the DFL-500 CLI The command line interface (CLI) is intended as a troubleshooting tool to help diagnose and fix system problems that cannot be solved from the web-based manager. This chapter explains how to connect to the DFL-500 CLI and also describes some of the basics of using the CLI. You can use CLI commands to view all system information and to change all system configuration settings.
• Type the password for this administrator and press Enter.
The following prompt appears:
Type ? for a list of commands.
Connecting to the DFL-500 CLI using SSH
SSH provides strong secure authentication and secure communications to the DFL-500 CLI over your internal network or the Internet. Once the DFL-500 is configured to accept SSH connections, you can run an SSH client on your management computer and use this client to connect to the DFL-500 CLI.
Recalling commands
You can recall commands by using the Up and Down arrow keys to cycle through commands you have entered.
Editing commands
Use the Left and Right arrow keys to move the cursor back and forth on the command line. Use the Backspace and Delete keys to edit the command. You can also use control keys to edit commands. The table Control keys for editing commands lists the control keys for editing commands.
This procedure deletes all of the changes that you have made to the DFL-500 configuration and reverts the system to its default configuration, including resetting interface addresses. Before installing new firmware make sure you download your configuration file, see Backing-up system settings. You can also upgrade the DFL-500 from the web-based manager (see Upgrading the DFL-500 firmware).
Total 32768k Bytes Are Unzipped.
Do You Want To Save The Image ?[Y/n]
Type Y.
Programming The Boot Device Now.
................................
Read Boot Image 548405 Bytes.
Initializing Firewall ...
D-Link Login:
The installation can take a few minutes to complete. You must then restore your previous configuration. Begin by changing the interface addresses.
Glossary
Connection: A link between machines, applications, processes, etc. that can be logical, physical, or both.
DNS, Domain Name Service: A service that converts symbolic node names to IP addresses.
Ethernet: A local-area network (LAN) architecture that uses a bus or star topology and supports data transfer rates of 10 Mbps. Ethernet is one of the most widely implemented LAN standards. A newer version of Ethernet, called 100Base-T (or Fast Ethernet), supports data transfer rates of 100 Mbps.
NTP, Network Time Protocol: Used to synchronize the time of a computer to an NTP server. NTP provides accuracies within tens of milliseconds across the Internet relative to Coordinated Universal Time (UTC).
Packet: A piece of a message transmitted over a packet-switching network. One of the key features of a packet is that it contains the destination address in addition to the data. In IP networks, packets are often called datagrams.
VPN, Virtual Private Network: A network that links private networks over the Internet. VPNs use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.
Virus: A computer program that attaches itself to other programs, spreading itself through computers or networks by this mechanism, usually with harmful intent.
Troubleshooting FAQs
The following troubleshooting FAQs are available:
• General administration
• Network configuration
• Firewall policies
• Schedules
• VPN
• Virus protection
• Web content filtering
• Logging
General administration
Q: I am trying to set up some of the firewall options, but it keeps asking me for a password while I work.
See Changing web-based manager options.
Q: I can't find the administrator pages on the firewall.
See Logging into the web-based manager.
Q: My policies are set correctly but I still cannot connect to the Internet from one or more of the computers on my internal network.
Check the default gateway setting on that particular computer. Its default gateway must match the internal address of the DFL-500.
Q: I checked the default gateway and it matches but I still cannot connect to the Internet.
Make sure that the external address and external gateway of the firewall have been properly set to your Internet Service Provider's (ISP) specifications.
Virus protection
Q: I am worried about viruses so I set the Anti-Virus options to the highest level. Now people are complaining that some files that they need are blocked.
When Anti-Virus protection for HTTP or any of the email protocols is set to high, all files of potentially dangerous types are blocked. The simple cure for this problem is to set a lower Security Protection Level. Under normal conditions, all of the Anti-Virus Security Protection Levels can safely be set to Medium.
Technical Support Offices
AUSTRALIA, BENELUX, CANADA, CHILE, CHINA, DENMARK, EGYPT, FINLAND, FRANCE, GERMANY, IBERIA, INDIA, ITALY, JAPAN, NORWAY, RUSSIA, SINGAPORE, S. AFRICA, SWEDEN, TAIWAN, U.K., U.S.A.
D-LINK AUSTRALIA
Unit 16, 390 Eastern Valley Way, Roseville, NSW 2069, Australia
TEL: 61-2-9417-7100
FAX: 61-2-9417-1077
TOLL FREE: 1800-177-100 (Australia), 0800-900900 (New Zealand)
E-MAIL: support@dlink.com.au, info@dlink.com.au
URL: www.dlink.com.