User manual D-LINK DFL-2500

[. . . ] . xvi xvii xvii xvii xviii II Product Overview 2 3 3 1 Capabilities 1. 1 Product Highlights . . III Introduction to Networking 6 7 9 9 9 9 10 11 11 11 13 13 14 2 The OSI Model 3 Firewall Principles 3. 1 The Role of the Firewall . 3. 2. 1 Attacks on Insecure pre-installed Components 3. 2. 2 Inexperienced Users on protected Networks . . 18 19 19 19 19 22 23 25 25 25 26 28 28 29 29 31 31 32 34 35 35 4 Configuration Platform 4. 1 Configuring Via WebUI . [. . . ] Application Layer Gateway ALG: select "ftp-outbound" that has been created. Rules (Using Public IPs) The following rule need to be added to the IP rules in the firewall if the firewall is using public IP's; make sure there is not rules disallowing or allowing the same kind of ports/traffic before these rules. The service in use is the "ftp-outbound", which should be using the ALG definition "ftp-outbound" as described earlier. ­ Allow connections to ftp-servers on the outside: Rules - > IP Rules - > Add - > IP Rule: General: Name: Allow-ftp-outbound Action: Allow Service: ftp-outbound Address Filter: Source Destination Interface: lan wan Network: lannet all-nets Then click OK. D-Link Firewalls User's Guide 18. 3. Rules (Using Private IPs) If the firewall is using private IP's, the following NAT rule need to be added instead. Rules - > IP Rules - > Add - > IP Rule: General: Name: NAT-ftp-outbound Action: NAT Service: ftp-outbound Address Filter: Source Destination Interface: lan wan Network: lannet all-nets NAT: Check Use Interface Address Then click OK. 18. 3 HTTP Hyper Text Transfer Protocol (HTTP), is the primary protocol used to access the World Wide Web (WWW). It is a connectionless, stateless application layer protocol (OSI layer 7), which is based on the request/response architecture. The client, such as Web browser, typically sends a request by establishing a TCP/IP connection to a particular port (usually port 80) on a remote server. The server answers with a response string, followed by a message of its own, for example, a HTML file to be shown in the Web browser, an active-x component to be executed on the client, or an error message. 18. 3. 1 Components & Security Issues To enable more advanced functions and extensions to HTTP services, some add-on components, known as "active contents", are usually accompanied with the HTTP response to the client computer. Application Layer Gateway (ALG) ActiveX objects An ActiveX object is a HTTP component, which is downloaded and executed on the client computer. Because it is executed on the client, certain security issues exists, which could cause harm to the local computer system. JavaScript/VBScript In order to display more advanced and dynamic HTML pages, scripts can be used. A script is executed by the web browser, and can be used to control the browser functionality, validate user's input, or a number of other features. It could potentially be used by an attacker in an attempt to cause harm to a computer system, or to cause various annoyances, such as pop-up windows. Java Applets A java applet is written in JAVA programming language, and a java-enabled browser can download and execute this code on the client computer. An applet can contain malicious code, which lead to security problems. Cookies A cookie is a small text file, stored locally on the client computer. Its objective is to make a web server remember certain information about a user, which has been entered previously. This can also contain confidential information. 18. 3. 2 Solution D-Link firewalls address the security issues shown in the previous section by Stripping Contents and URL Filtering. Stripping Contents In D-Link HTTP ALG configuration, some or all of the active contents mentioned previously can be stripped away from HTTP traffic upon administrator's requests. HTTP 157 URL Filtering A Uniform Resource Locator (URL) is an address to a resource on the WWW. As a part of a security policy, it might be useful to restrict access to certain sites, or even to block certain file types to be downloaded. [. . . ] It is not necessary to perform a shutdown before the firewall is powered off, as it does not keep any open files while running. · Syntax: shutdown <seconds> -- Shutdown in <n> seconds (default: 5) Sysmsgs Show the contents of the OS sysmsg buffer. · Syntax: sysmsgs Example: Cmd> sysmsg Contents of OS sysmsg buffer: . . . Settings Shows the contents of the Settings configuration section. · Syntax: -- settings Shows available groups of settings. D-Link Firewalls User's Guide 335 Example: Cmd> sett Available categories in the Settings section: IP - IP (Internet Protocol) Settings TCP - TCP (Transmission Control Protocol) Settings ICMP - ICMP (Internet Control Message Protocol) ARP - ARP (Address Resolution Protocol) Settings State - Stateful Inspection Settings ConnTimeouts - Default Connection timeouts LengthLim - Default Length limits on Sub-IP Protocols Frag - Pseudo Fragment Reassembly settings LocalReass - Local Fragment Reassembly Settings VLAN - VLAN Settings SNMP - SNMP Settings DHCPClient - DHCP (Dynamic Host Configuration Protocol) Client Settings DHCPRelay - DHCP/BOOTP Relaying Settings DHCPServer - DHCP Server Settings IPsec - IPsec and IKE Settings Log - Log Settings SSL - SSL Settings HA - High Availability Settings Timesync - Time Synchronization Settings DNSClient - DNS Client Settings RemoteAdmin - Settings regarding remote administration Transparency - Settings related to transparent mode HTTPPoster - Post user-defined URLs periodically for e. g. dyndns registration, etc WWWSrv - Settings regarding the builtin web server HwPerformance - Hardware performance parameters IfaceMon - Interface Monitor RouteFailOver - Route Fail Over Default values IDS - Intrusion Detection / Prevention Settings PPP - PPP (L2TP/PPTP/PPPoE) Settings Misc - Miscellaneous Settings D-Link Firewalls User's Guide 336 Chapter A. Console Commands Reference -- settings <group name> Shows the settings of the specified group. Example: Cmd> settings arp ARP (Address Resolution ARPMatchEnetSender ARPQueryNoSenderIP ARPSenderIP UnsolicitedARPReplies ARPRequests ARPChanges StaticARPChanges ARPExpire ARPMulticast ARPBroadcast ARPCacheSize ARPHashSizeVLAN Protocol) Settings : DropLog : DropLog : Validate : DropLog : Drop : AcceptLog : DropLog : 900 ARPExpireUnknown : 3 : DropLog : DropLog : 4096 ARPHashSize : 512 : 64 Stats Shows various vital stats and counters. · Syntax: stats Example: Cmd> stats Uptime : . . . [. . . ]