D-Link Security 2006: DFL-210/800/1600/2500 Technical Training (presentation transcript). ©Copyright 2006 D-Link HQ. All rights reserved.

2 Agenda: Appliance Overview; Firewall Concept; Basic Configuration; Scenario & Hands-on; Troubleshooting.

4 Appliance Overview, firewall models. DFL-800 back panel: WAN1, WAN2, LAN, DMZ, Console.

5 DFL-1600 back panel: WAN1, WAN2, LAN1, LAN2, LAN3, DMZ, Console.

6 DFL-2500 back panel: WAN1, WAN2, WAN3, WAN4, LAN1, LAN2, LAN3, DMZ, Console.

7 Appliance Overview, characteristics of the firewall line (DFL-800/1600/2500):
– Brand-new, user-friendly GUI with no GUI confusion.
– Neater, more professional look for the firewall product line.
– ZoneDefense mechanism with D-Link switches prevents threats from spreading.
– Advanced firewall features, including Transparent Mode, to ease implementation.
– High port density and Gigabit interfaces on the DFL-1600/2500.
Feature labels on the slide: Transparent Mode, ZoneDefense, IDS, GUI, High Port Density, Gigabit Interface.

8 Appliance Overview, LED panel: Power and System LEDs; keypad with "Right", "Left", "Up" and "Confirm" keys; LCD display showing System Information, Traffic Monitor, Alert Monitor and Configuration Display; auto-sensing copper LAN, WAN and DMZ ports; Ethernet console; serial console port; concealed look.

9 Appliance Overview, LED panel, Setup Mode: press the keypad within 5 seconds of switching the firewall on to enter Setup Mode. Use the Left or Right button to select:
– 1. Start Firewall: start the firewall system.
– 2. Reset Firewall: reset the firewall to factory defaults. After the reset, choose "Start Firewall".
If no key is pressed within 5 seconds of power-on, the firewall enters Status Mode automatically.

10 Appliance Overview, LED panel, Status Mode:
– Model name: the device model name.
– System Status: system working status.
– CPU Load and Connections: CPU utilization and number of concurrent sessions.
– Total BPS and PPS: current traffic in bits per second and packets per second.
– Date and Time: current device date and time.
– Uptime: time since the device booted.
– Mem: system memory utilization.
– IDS Sigs: IDS signature information.
– WAN, DMZ, LAN: IP address of each interface.
– Core Version: firewall firmware version.

11 D-Link Security 11 Appliance Overview Firewall Concept Basic Configuration Scenario & Hands-on Troubleshooting Agenda

12 Firewall Concept, questions: What is a firewall? Which firewall is the safest?
– A firewall does not protect against application errors.

13 Firewall Concept, IP start of communication and SYN flood. Normal TCP three-way handshake between a client and a web server:
(1) client port 1024 -> server port 80: SYN
(2) server port 80 -> client port 1024: SYN/ACK
(3) client port 1024 -> server port 80: ACK; connection established.
SYN flood:
– 1. The attacker sends packets with the SYN flag to the web server, using a fake (spoofed) source IP address.
– 2. The server responds with SYN/ACK and waits for the client's ACK, which never arrives because the source address is fake; the connection stays half-open.
– 3. The attacker repeats step 1 until the server's connection table is exhausted and the damage is done.

14 Firewall Concept, the other TCP flag bits:
– SYN, Synchronize: new connection.
– ACK, Acknowledge: acknowledges that data has been received.
– PSH, Push: "push received data to the application layer now".
– URG, Urgent: urgent data, process first.
– FIN, Finish: end the communication with a handshake.
– RST, Reset: "do not communicate with me!" (abort the connection).
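The two slides above describe the TCP control bits and the half-open connections a SYN flood leaves behind. The following is an added example (it is not part of the D-Link deck) that decodes the flag bits from the TCP header's control-bits byte and counts half-open connections per server in a constructed packet trace; the addresses, ports and the trace itself are made up for the demonstration.

```python
"""Added example, not from the D-Link slides: decode TCP flags and detect a
SYN flood as a pile-up of half-open connections (SYN answered by SYN/ACK,
never completed by the client's ACK).

Trace records are constructed: (src_ip, src_port, dst_ip, dst_port, control_bits).
"""
from collections import Counter

# Control bits of the TCP header (RFC 793), lowest bit first.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def decode_flags(control_bits):
    """Names of the flags set in a control-bits byte, e.g. 0x12 -> ['SYN', 'ACK']."""
    return [name for name, bit in FLAGS.items() if control_bits & bit]


def half_open_counts(trace):
    """Count half-open connections per (server_ip, server_port).

    A handshake is tracked by the client-side 4-tuple. It is half-open once the
    server has sent SYN/ACK and is removed when the client's ACK completes it.
    With a spoofed client address that ACK never comes, so the count keeps growing.
    """
    pending = {}  # (client_ip, client_port, server_ip, server_port) -> "syn" | "syn_ack"
    for src_ip, src_port, dst_ip, dst_port, bits in trace:
        names = set(decode_flags(bits))
        if names == {"SYN"}:                       # step 1: client -> server
            pending[(src_ip, src_port, dst_ip, dst_port)] = "syn"
        elif names == {"SYN", "ACK"}:              # step 2: server -> client (reversed key)
            key = (dst_ip, dst_port, src_ip, src_port)
            if pending.get(key) == "syn":
                pending[key] = "syn_ack"
        elif "ACK" in names:                       # step 3: client -> server completes it
            key = (src_ip, src_port, dst_ip, dst_port)
            if pending.get(key) == "syn_ack":
                del pending[key]
    counts = Counter()
    for (_, _, server_ip, server_port), state in pending.items():
        if state == "syn_ack":
            counts[(server_ip, server_port)] += 1
    return counts


def detect_syn_flood(trace, threshold=20):
    """Servers with at least `threshold` half-open connections (threshold is arbitrary)."""
    return {dst: n for dst, n in half_open_counts(trace).items() if n >= threshold}


SERVER = ("203.0.113.5", 80)  # constructed web server address


def build_trace():
    """Constructed trace: one legitimate handshake, then 50 spoofed SYNs."""
    trace = [
        ("192.0.2.10", 1024, *SERVER, 0x02),   # SYN
        (*SERVER, "192.0.2.10", 1024, 0x12),   # SYN/ACK
        ("192.0.2.10", 1024, *SERVER, 0x10),   # ACK, connection established
    ]
    for i in range(50):
        fake = "198.51.100.%d" % (i + 1)       # spoofed source, never answers
        trace.append((fake, 40000 + i, *SERVER, 0x02))
        trace.append((*SERVER, fake, 40000 + i, 0x12))
    return trace


if __name__ == "__main__":
    print(decode_flags(0x12))
    print(detect_syn_flood(build_trace()))
```

On a real firewall the same bookkeeping is what a SYN-flood protection feature does; the countermeasure (SYN cookies or a SYN proxy answering on the server's behalf) is outside what these slides cover.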

15 Firewall Concept, firewall deployments in a network:
– Static Route: static routes are needed for the firewall to communicate with networks that are not locally attached to one of its subnets.
– NAT: internal addresses are private addresses from RFC 1918; all private addresses are translated to a valid public IP address before accessing the Internet.
– Transparent: no changes are required on any end station, router or server; routing protocols can be configured to pass through the firewall in transparent mode; the firewall still offers full firewall and VPN capabilities.

16 Firewall Concept, deployment diagram, Static Route: LAN (Sales, Support, Marketing, Intranet Web, Corp Mail, Intranet DNS, Admin PCs); DMZ (Corporate Web, DMZ DNS, Mail Relay); WAN (Router, Internet).

17 Firewall Concept, deployment diagram, NAT: same topology as slide 16, with private LAN and DMZ addresses translated at the WAN.

18 Firewall Concept, deployment diagram, Transparent: same topology as slide 16, with the firewall inserted without re-addressing the LAN, DMZ or router.

19 Firewall Concept, firewall generations:
– First generation: packet filtering.
– Second generation: proxy.
– Third generation: stateful inspection.
– Fourth generation: IDS/IDP.

20 Firewall Concept, 1. Packet Filtering. Works at the IP and TCP level (OSI layers 3 and 4).
Disadvantages: does not reassemble fragmented packets; does not understand the relationship between packets.
Advantages: high packet-processing speed.
(OSI model: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical.)

21 Firewall Concept, 2. Proxy. Receives packets, reads them and re-creates them; there is no direct connection between the client and the server.
Disadvantages: slow; the proxy must understand the application protocol; mostly based on a complex operating system.
Advantages: attacks at the TCP/IP level never penetrate into the protected network; able to analyze application data, for example to strip ActiveX and Java.

22 Firewall Concept, 3. Stateful Inspection. Reassembles fragmented packets and understands the relationship between packets.
Advantages: does not need to understand the application data to work; great flexibility; better performance than a proxy.
Disadvantages: harder to analyze the application data (but still possible).

23 Firewall Concept, 4. IDS/IDP. (The slide repeats the proxy text of slide 21 verbatim; the IDS/IDP material is covered in the packet-flow slides and the IDS/IDP UI slide.)

24 Firewall Concept, packet flow (diagram: an internal host with a private IP, the firewall's WAN IP, and the Internet). For each packet, in order: 1. packet inspection; 2. priority processes; 3. decision: Allow? Drop? NAT? Reject?

25 Firewall Concept, packet flow. When traffic enters the firewall it is first handled by the VLAN layer (if VLANs are used). It is then checked against the IDS signatures. Next the traffic is inspected by the IP rules and routing rules; the rule-set is the primary filter configured to allow or disallow specific types of traffic through the firewall. After that the traffic is subject to ZoneDefense and Traffic Shaping.

26 Firewall Concept, packet flow (flowchart), reconstructed as steps:
1. Inbound packet. VLAN packet? If yes, de-encapsulate.
2. Basic sanity checks, including verification of the IP header; failure: Drop.
3. Fragment? If yes, process (reassemble) the fragment.
4. Check IDS signatures; a match is dropped.
5. Found a matching open connection? If yes: verify the TCP/UDP header (failure: Drop), apply Traffic Shaping, forward the packet. Return traffic therefore never reaches the rule-set.
6. If no connection matches: route the packet (destination IP = the firewall itself?), then apply the rules top-down.
7. Rule result Allow/NAT/SAT: open a connection, apply Traffic Shaping and ZoneDefense, forward. Rule result FwdFast/SAT: apply the SAT translation (SAT_ApplyRulePack) and Traffic Shaping, forward without opening a connection. Rule result Drop: drop.

28 Basic Configuration, default interface attribute definition (DFL-800): LAN can be managed and pinged; DHCP is disabled on the firewall.

29 Basic Configuration, default interface attribute definition (DFL-1600): LAN1 can be managed and pinged; DHCP is disabled on the firewall.

30 Basic Configuration, default interface attribute definition (DFL-2500): LAN1 can be managed and pinged; DHCP is disabled on the firewall.

31 Basic Configuration, design concept of the UI:
– If a rule or object is created without clicking "OK", it stays in the list named "untitled"; click "Cancel" to discard it.
– Traffic is matched against the rules in the order they were created, from top down.
– Right-click a rule or object and select Delete: the entry is shown struck through until the configuration is saved.
– The "Save and Activate" button is not available while an "untitled" rule or object exists.
– After clicking "Save and Activate", you must reconnect to the unit within 30 seconds (default) for the configuration change to be finalized. If the reconnect fails, the unit reverts to its previous configuration. The reconnect time is adjustable. This is the safeguard against locking yourself out with a bad rule or address change.

32 Basic Configuration, connecting: configure a static IP address on your laptop or PC. Users are authenticated before logging in to the firewall. Default login: admin, password: admin; change this default password on first login. The user is presented with a Menu Bar, a Tree View List and a Main Window.

33 Basic Configuration, screenshot: Tree View List (left), Menu Bar (top), Main Window.

34 Basic Configuration, UI of System.

35 Basic Configuration, UI of Objects.

36 Basic Configuration, UI of Rules.

37 Basic Configuration, UI of Interfaces.

38 Basic Configuration, UI of Routing.

39 Basic Configuration, UI of IDS/IDP.

40 Basic Configuration, UI of User Authentication.

41 Basic Configuration, UI of Traffic Shaping.

42 Basic Configuration, UI of ZoneDefense.

43 Basic Configuration, three steps to configure:
1. Create and verify the objects.
2. Create the rules (IP rules, IDS rules, user authentication rules and Pipe rules).
3. Create and verify the routing rules.

44 Basic Configuration, first step: create and verify the objects. The most important element of the firewall configuration is the OBJECT. Objects are the basic network elements defined in the firewall: a list of symbolic names associated with various types of addresses, including host and network IP addresses. Objects are used throughout the configuration: in routing tables, the rule-set, interface definitions and VPN tunnels, among others.

45 Basic Configuration, Objects, Address Book: Hosts & Networks configuration items are symbolic names for IP hosts and networks.

46 Basic Configuration, Objects, ALG: Application Layer Gateways are designed to manage specific protocols. They examine the payload data and carry out the appropriate actions based on the defined rules. The appropriate ALG is selected in a Service configuration item, so network traffic that matches the service definition is managed by the selected ALG.

47 Basic Configuration, Objects, Services: a definition of a specific IP protocol with its corresponding parameters. The service http, for instance, is defined as the TCP protocol with destination port 80.

48 Basic Configuration, Objects, Schedules: a schedule allows the firewall rules it is attached to to be used only at the designated times. Traffic outside the scheduled time slot does not match those rules and is therefore unlikely to be permitted through the firewall (it falls through to the later rules).

49 Basic Configuration, Objects, Certificates: a certificate is a digital proof of identity. It links an identity to a public key in a trustworthy manner. Certificates can be used to authenticate individual users or other entities; these are commonly called end-entity certificates.

50 Basic Configuration, second step: create the rules. The Rules configuration section represents the rule-set, the "heart" of the firewall. The rule-set is the primary filter configured to allow or disallow certain types of network traffic through the firewall. It also regulates how address translation and bandwidth management (traffic shaping) are applied to traffic flowing through the firewall.

51 Basic Configuration, IP Rules, Drop: packets matching a Drop rule are immediately dropped. Such packets are logged if logging has been enabled on the Log Settings page.

52 Basic Configuration, IP Rules, Drop (diagram): DROP RULE, packet dropped, dropping log entry.

53 Basic Configuration, IP Rules, Reject: Reject works basically the same way as Drop. In addition, the firewall sends an ICMP Unreachable message back to the sender or, if the rejected packet is a TCP packet, a TCP RST. Unlike Drop, Reject therefore reveals to the sender that something is filtering; use it where the sender is trusted and should fail fast rather than time out.

54 Basic Configuration, IP Rules, Reject (diagram): REJECT RULE, ICMP Unreachable or TCP RST returned to the sender, rejecting log entry.

55 Basic Configuration, IP Rules, FwdFast: packets matching a FwdFast rule are allowed through immediately. The firewall does not remember the open connection and does not statefully inspect traffic that has passed through it. For one single packet this is indeed faster than first having to open a state-tracked connection and then passing the packet through it, but when several packets belong to the same connection, state tracking (Allow) is faster.

56 Basic Configuration, IP Rules, FwdFast (diagram): packets matching FwdFast rules; no stateful traffic inspection (open connections are not remembered). Remember that there needs to be a FwdFast rule in each direction. Note: Allow is usually faster than FwdFast.

57 Basic Configuration, IP Rules, Allow: packets matching an Allow rule are passed to the stateful inspection engine, which remembers that a connection has been opened. Rules for the return traffic are not required, because traffic belonging to open connections is handled automatically before it reaches the rule-set.

58 Basic Configuration, IP Rules, Allow (diagram): packets matching Allow rules; logging and stateful inspection in both directions between the LAN and the Internet.

59 Basic Configuration, IP Rules, SAT: nothing happens when a packet matches a SAT rule at first. The firewall memorizes where the traffic is to be sent and continues looking for a matching rule that allows the packet to pass; the static address translation is performed at that stage.

60 Basic Configuration, IP Rules, SAT (diagram: an Internet client wanting a file from an FTP server in the DMZ, via the firewall's WAN IP). The public_ip must first be bound to the WAN interface of the firewall; redirect_address is used to redirect incoming connections from public_ip to private_ip.

61 Basic Configuration, IP Rules, NAT: NAT rules perform dynamic address translation and hide the sender address, mostly so that all machines on a protected network appear to the outside world as if they used a single IP address.

62 Basic Configuration, IP Rules, NAT (diagram): Network Address Translation between an internal host with a private IP and the Internet via the firewall's WAN IP.
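The packet-flow slides (24 to 26) and the IP-rule slides (51 to 62) together define how a packet is decided: return traffic of a known connection bypasses the rule-set, otherwise the rules are tried top-down and the first Drop, Reject, Allow, NAT or FwdFast match wins, with SAT only recording a translation that a later matching Allow or FwdFast applies. The following is an added example (not code from the D-Link deck or product) modelling exactly those semantics; interface names, addresses, service definitions and rule names are constructed for the demonstration.

```python
"""Added example, not from the D-Link slides: a small model of the rule-set
semantics from slides 24-26 and 51-62. All addresses, interfaces and rule
names below are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WAN_IP = "203.0.113.2"  # the firewall's own public address (constructed)
SERVICES = {"all": None, "http": ("tcp", 80), "telnet": ("tcp", 23),
            "dns": ("udp", 53), "ping": ("icmp", None)}


@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str          # Drop | Reject | Allow | NAT | FwdFast | SAT
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str
    service: str
    sat_dst: Optional[str] = None   # SAT only: the address the traffic is redirected to


@dataclass
class Verdict:
    action: str   # forward | drop | reject
    reason: str   # rule name, "state" for return traffic, or rule:reject-type
    src: str      # source address after translation
    dst: str      # destination address after translation


class Firewall:
    def __init__(self, rules, routes):
        self.rules = rules
        self.routes = routes   # [(network, interface)], most specific first
        self.conns = {}        # (proto, src, sport, dst, dport) after translation -> (orig_src, orig_dst)

    def route(self, dst):
        if dst == WAN_IP:
            return "core"      # addressed to the firewall itself
        for net, iface in self.routes:
            if ip_address(dst) in ip_network(net):
                return iface
        return None

    @staticmethod
    def _in(addr, net):
        return net == "all-nets" or ip_address(addr) in ip_network(net)

    def _matches(self, r, p, out_if):
        svc = SERVICES[r.service]
        if svc and (svc[0] != p.proto or (svc[1] is not None and svc[1] != p.dport)):
            return False
        return (r.src_if in ("any", p.in_if) and self._in(p.src, r.src_net)
                and r.dst_if in ("any", out_if) and self._in(p.dst, r.dst_net))

    def process(self, p):
        # Return traffic of a state-tracked connection never reaches the rule-set;
        # the stored original addresses undo the NAT/SAT translation.
        hit = self.conns.get((p.proto, p.dst, p.dport, p.src, p.sport))
        if hit:
            orig_src, orig_dst = hit
            return Verdict("forward", "state", src=orig_dst, dst=orig_src)
        out_if, new_dst = self.route(p.dst), p.dst
        for r in self.rules:                        # top-down, first decisive match wins
            if not self._matches(r, p, out_if):
                continue
            if r.action == "SAT":                   # remember the redirect, keep looking
                new_dst = r.sat_dst
                continue
            if r.action == "Drop":
                return Verdict("drop", r.name, p.src, p.dst)
            if r.action == "Reject":
                kind = "tcp-rst" if p.proto == "tcp" else "icmp-unreachable"
                return Verdict("reject", r.name + ":" + kind, p.src, p.dst)
            new_src = WAN_IP if r.action == "NAT" else p.src
            if r.action in ("Allow", "NAT"):        # stateful: open the connection
                self.conns[(p.proto, new_src, p.sport, new_dst, p.dport)] = (p.src, p.dst)
            return Verdict("forward", r.name, new_src, new_dst)  # FwdFast keeps no state
        return Verdict("drop", "no-matching-rule", p.src, p.dst)


RULES = [
    Rule("fwdfast_dns_out", "FwdFast", "lan", "192.168.1.0/24", "wan", "all-nets", "dns"),
    Rule("lan_to_wan_nat", "NAT", "lan", "192.168.1.0/24", "wan", "all-nets", "all"),
    Rule("sat_http_to_dmz", "SAT", "wan", "all-nets", "core", WAN_IP, "http", sat_dst="172.16.0.10"),
    Rule("allow_http_to_dmz", "Allow", "wan", "all-nets", "core", WAN_IP, "http"),
    Rule("reject_telnet", "Reject", "wan", "all-nets", "core", WAN_IP, "telnet"),
    Rule("drop_all", "Drop", "any", "all-nets", "any", "all-nets", "all"),
]
ROUTES = [("192.168.1.0/24", "lan"), ("172.16.0.0/24", "dmz"), ("0.0.0.0/0", "wan")]


def demo():
    """Run constructed packets through the rule-set and return the verdicts by name."""
    fw, out = Firewall(RULES, ROUTES), {}
    out["nat_out"] = fw.process(Packet("lan", "tcp", "192.168.1.20", 40001, "198.51.100.9", 80))
    out["nat_back"] = fw.process(Packet("wan", "tcp", "198.51.100.9", 80, WAN_IP, 40001))
    out["sat_in"] = fw.process(Packet("wan", "tcp", "198.51.100.7", 5555, WAN_IP, 80))
    out["sat_back"] = fw.process(Packet("dmz", "tcp", "172.16.0.10", 80, "198.51.100.7", 5555))
    out["telnet"] = fw.process(Packet("wan", "tcp", "198.51.100.7", 5556, WAN_IP, 23))
    out["dns_out"] = fw.process(Packet("lan", "udp", "192.168.1.20", 50000, "198.51.100.53", 53))
    out["dns_back"] = fw.process(Packet("wan", "udp", "198.51.100.53", 53, "192.168.1.20", 50000))
    return out


if __name__ == "__main__":
    for name, v in demo().items():
        print(name, v)
```

The last two packets show the FwdFast caveat from slide 56: the outbound DNS query is forwarded statelessly, so the reply finds no connection entry, falls through the rule-set and hits drop_all; a second FwdFast rule for the return direction would be needed. The SAT pair shows slide 59: the SAT rule alone decides nothing, the following Allow rule forwards the packet to the DMZ server and opens the connection, and the server's reply is translated back to the public address by the connection entry.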

63 Basic Configuration, third step: create and verify the routing rules.
– Main Route: the Routes configuration section describes the firewall's routing table. The firewall describes routes in a slightly different way from most other systems.
– Policy-Based Route: the rules in the PBR rule-set specify which routing table is used in the forward direction as well as in the return direction (routing priority selection).

64 Basic Configuration, Main Routing Table: routing tells the firewall in which direction to send packets destined for a given IP address.

65 Basic Configuration, Policy-Based Routing use cases:
– Connect to two or more ISPs and accept inbound connections from all of them; return traffic is routed back through the ISP that delivered the incoming request.
– Route certain protocols through transparent proxies such as web caches and anti-virus scanners without adding another single point of failure for the network as a whole.
– Create provider-independent metropolitan area networks, where all users share a common active backbone but can use different ISPs, subscribe to different streaming media providers, etc.

66 Basic Configuration, Policy-Based Routing (diagram): Intranet /24 and Extranet /24 behind the firewall, with WAN1, WAN2 and DMZ towards the Internet.

68 Scenario & Hands-on, list of scenarios:
1. Basic configuration (WAN/LAN/DMZ, transparent mode).
2. Load sharing and route failover (using two WANs).
3. ZoneDefense.
4. Port mapping for servers (SAT and server load balancing).
5. Runtime user authentication.
6. Traffic shaping.
7. VPN tunnels (PPTP, L2TP and IPsec).

69 Scenario & Hands-on, topology covering all scenarios: DFL-1600 with Internal LAN1 IP: /24, Internal LAN2 IP: /24, Internal LAN3 IP: /24, a DMZ with an FTP server, WAN1 (DHCP) and WAN2 (static IP); a remote DFL-800 with Internal LAN IP: /24 and WAN1 IP: /24, connected by an IPsec VPN tunnel. Hands-on items: 1. basic configuration; 2. load sharing and route failover; 3. ZoneDefense; 4. port mapping for servers; 5. user authentication; 6. traffic shaping; 7. VPN tunnel.

70 Scenario & Hands-on, classroom topology: groups G1 to G4; every group's WAN1 port connects to the main switch, which connects to the Internet.

71 Scenario & Hands-on, topology for each group: four persons per group; each group's LAN1 port connects to a group switch, which connects to the main switch.

72 Scenario & Hands-on 1, Basic Configuration (configure the WAN type, modify the LAN IP address and enable transparent mode). Topology: Internal LAN1 IP: /24, Internal LAN2 IP: /24, Internal LAN3 IP: /24, Internal DMZ IP: /24; WAN1 via PPPoE, DHCP or static IP: /24.
Objectives: how to modify the IP addresses of LAN and DMZ in Objects; how to use DHCP, a static IP and PPPoE to access the Internet; how to enable transparent mode.

73 Scenario & Hands-on 1-1, modify the IP addresses of LAN and DMZ, topology: Internal LAN1 IP: /24, Internal LAN2 IP: /24, Internal LAN3 IP: /24, Internal DMZ IP: /24.
Notes: the DFL-800 only has LAN and DMZ; the DFL-1600/2500 have LAN1, LAN2, LAN3 and DMZ. Pay attention to the default manageable status of each interface (see slides 28 to 30) and confirm which port you are connected to. Bind a secondary IP address on the laptop to match the new network segment; after the configuration, use the new LAN IP address as the laptop's default gateway.

74 Scenario & Hands-on 1-1. Objective: reach the new LAN1 IP address successfully (ping) and manage the Web UI via the new IP address. Logic of the configuration: bind a secondary IP address on the laptop to match the new network segment; modify the IP address and network objects in the Address Book under Objects; after the configuration, use the new LAN IP address as the default gateway on your laptop.

75 Scenario & Hands-on, bind two IP addresses to one NIC (screenshots, steps 1 to 3).

76 Scenario & Hands-on, bind two IP addresses to one NIC (screenshots, steps 4 to 6).

77 Scenario & Hands-on 1-1. Use a web browser such as Internet Explorer 6 or Firefox 1.0 to connect to the Web UI.

78 Scenario & Hands-on 1-1. Change the IP address in the Address Book under Objects: click "Interface Addresses" under Objects, then key in the correct IP address and network.

79 Scenario & Hands-on 1-1. Alternatively, change the IP address under Interfaces, Ethernet: key in the correct IP address and network.

80 Scenario & Hands-on 1-1. After all changes are done, click "Configuration" in the menu bar, then "Save and Activate".

81 Scenario & Hands-on 1-1, testing result: ping the new LAN IP address.

82 Scenario & Hands-on 1-1, how to modify the Web UI reconnection time: after clicking "Save and Activate" you can adjust the reconnection time by clicking "Click here to edit the configuration verification timeout."

83 Scenario & Hands-on 1-1. Use the new LAN IP address as the default gateway on the laptop (screenshots, steps 1 to 3).

84 Scenario & Hands-on 1-1. Use the new LAN IP address as the default gateway on the laptop (screenshots, steps 4 to 6).

85 Scenario & Hands-on 1-1. Use the new LAN IP address as the default gateway on the laptop (screenshots, steps 7 and 8).

86 Scenario & Hands-on 1-1, Exercise 1-1, modify the IP addresses of LAN and DMZ. Objectives: 1. change the IP address of LAN1; 2. ping the new LAN1 IP address and reach the Web UI via the new IP successfully. LAN1 IP per group: Group A (1): /24, Group B (2): /24, ... Group I (9): /24, Group J (10): /24.

87 Scenario & Hands-on 1-2, Basic Configuration, transparent mode, topology: Internal LAN1 IP: /24; WAN1 IP: /24, gateway /24. Notes: configure the default gateway; configure DHCP relay if the firewall sits in a DHCP environment.

88 Scenario & Hands-on 1-2. Objectives: implement the firewall in transparent mode without changing the existing network settings; allow or deny specific services and traffic (allow WAN1 to LAN1 for the ICMP service, allow LAN1 to WAN1 for all services). Logic of the configuration: enable transparent mode; configure the IP rules and objects in the firewall; bind a secondary IP address on the laptop to match the new network segment.

89 Scenario & Hands-on 1-2. Configure the IP objects in the Address Book so that WAN1 and LAN1 are on the same network: click "Address Book" under Objects and configure the IP addresses of WAN1 and LAN1.

90 Scenario & Hands-on 1-2. Enable transparent mode for WAN1: click "Ethernet" under Interfaces, enable transparent mode on the WAN1 interface, add the gateway object as "Default Gateway" and disable "Add route for interface network".

91 Scenario & Hands-on 1-2. Enable transparent mode for LAN1: click "Ethernet" under Interfaces, enable transparent mode on the LAN1 interface and disable "Add route for interface network".

92 Scenario & Hands-on 1-2. Add the service rules under IP Rules (WAN1 to LAN1 and LAN1 to WAN1): click "IP Rules" under Rules and choose the correct Action, Service, Interface and Network for each rule.

93 Scenario & Hands-on 1-2. Create the DHCP relay from LAN1 to WAN1: click "DHCP Relays" under System, "DHCP Settings", and configure the relay for LAN1 towards the DHCP server on WAN1.

94 Scenario & Hands-on 1-2. After all changes, click "Configuration" in the menu bar, then "Save and Activate".

95 Scenario & Hands-on 1-2, testing result: obtain an IP address from the DHCP server and ping the gateway.

96 Scenario & Hands-on 1-2, Exercise 1-2, transparent mode. Objectives: 1. enable transparent mode; 2. allow ping from WAN to LAN; 3. allow all services from LAN to WAN. WAN1 IP and LAN1 IP per group: Group 1: /24 and /24; Group 2: /24 and /24; ... Group 9: /24 and /24; Group 10: /24 and /24. DHCP server IP address: (given in class).

97 Scenario & Hands-on 1-3, Basic Configuration, WAN type static IP, topology: Internal LAN1 IP: /24; WAN1 (static) IP: /24; WAN1 gateway IP: /24. Note: configure the default gateway.

98 Scenario & Hands-on 1-3. Objective: configure the WAN type with a static IP address. Logic of the configuration: before configuring the WAN type with a static IP, reset the device to defaults; create an object for the WAN1 gateway and apply it to the WAN1 interface; choose the correct Action, Service, Interface and Network for the rule.

99 Scenario & Hands-on 1-3. Create the gateway object under "Address Book": click "Address Book" under Objects, add an IP4 Host/Network object, and verify the IP addresses of wan1_ip and wan1net.

100 Scenario & Hands-on 1-3. Apply the gateway object to the WAN interface: click "Ethernet" under Interfaces and set the gateway object as "Default Gateway".

101 Scenario & Hands-on 1-3. Create the service rule under IP Rules: click "IP Rules" under Rules and choose the correct Action, Service, Interface and Network for the rule.

102 Scenario & Hands-on 1-3. After all changes, click "Configuration" in the menu bar, then "Save and Activate".

103 Scenario & Hands-on 1-3, testing result: ping the Internet (tw.yahoo.com).

104 Scenario & Hands-on 1-3, Exercise 1-3, WAN type static IP. Objectives: 1. change the WAN type to a static IP using the addresses below; 2. use "NAT" mode to access the Internet. LAN1 per group: Group 1: /24, Group 2: /24, ... Group 9: /24, Group 10: /24. WAN1 per group: Group 1: /24, Group 2: /24, ... Group 9: /24, Group 10: /24. WAN1 gateway: (given in class).

105 Scenario & Hands-on 1-4, Basic Configuration, WAN type PPPoE, topology: Internal LAN1 IP: /24; WAN1 via PPPoE. Notes: configure the PPPoE tunnel; apply the PPPoE tunnel to the IP rule.

106 Scenario & Hands-on 1-4. Objective: configure the WAN type as a PPPoE tunnel and access the Internet in NAT mode. Logic of the configuration: create a PPPoE tunnel and apply it to the IP rule; choose the correct Action, Service, Interface and Network for the rule.

107 Scenario & Hands-on 1-4. Create the PPPoE tunnel object: click "PPPoE Tunnels" under Interfaces and enter the correct physical interface, remote network, username and password.

108 Scenario & Hands-on 1-4. Create the IP rule: click "IP Rules" under Rules and choose the correct Action, Service, Interface (the PPPoE tunnel) and Network for the rule.

109 Scenario & Hands-on 1-4. After all changes, click "Configuration" in the menu bar, then "Save and Activate".

110 Scenario & Hands-on 1-4, testing result: ping the Internet (tw.yahoo.com).

111 Scenario & Hands-on 1-4, Exercise 1-4, WAN type PPPoE. Internal LAN1 IP: /24; WAN1 via PPPoE. Objective: configure the WAN type as a PPPoE tunnel so that local users can access the Internet.

112 Scenario & Hands-on 1-5, Basic Configuration, WAN type DHCP, topology: Internal LAN1 IP: /24; WAN1 via DHCP. Note: enable the DHCP client on the WAN interface.

113 Scenario & Hands-on 1-5. Objective: have the WAN interface assigned an IP dynamically, with local users accessing the Internet through NAT. Logic of the configuration: enable "DHCP Client" on the interface; create the IP rule and choose the correct Action, Service, Interface and Network.

114 Scenario & Hands-on 1-5. Enable the DHCP client: click "Ethernet" under Interfaces and enable "DHCP Client" on WAN1.

115 Scenario & Hands-on 1-5. Create the service rule under IP Rules: click "IP Rules" under Rules and choose the correct Action, Service, Interface and Network for the rule.

116 Scenario & Hands-on 1-5. After all changes, click "Configuration" in the menu bar, then "Save and Activate".

117 Scenario & Hands-on 1-5, testing result: verify the WAN IP under "Status" in the toolbar.

118 Scenario & Hands-on 1-5, Exercise 1-5, WAN type DHCP. Internal LAN1 IP: /24; WAN1 connected to a DHCP server. Objective: have the WAN interface assigned an IP dynamically and let local users access the Internet.

119 D-Link Security 119 Scenario & Hands-on 2-1 WAN Failover Network topology Internal LAN1 IP: /16 Internal LAN2 IP: /24 Internal LAN3 IP: /24 WAN2(static IP) IP: /24 WAN2-gateway IP: WAN1 DHCP Note: Manually add default route in main routing table Enable “Monitor “feature on routes WAN2 is back up link

120 D-Link Security 120 Objectives WAN1 is the main link,WAN2 is the backup link When WAN1 is disconnected,all traffic will go through WAN2 to Internet When WAN1 back to normal, all traffic would go through WAN1 to Internet The Logics of Configuration Create routing policy in main routing table Applying routing policy between DHCP and static IP in WAN connection Create the IP rule and choose correct Action, Service, Interface and Network for the rule Scenario & Hands-on 2-1 WAN Failover

121 D-Link Security 121 Enable the DHCP client in “Ethernet” under “Interfaces” Click “Ethernet” in Interface Uncheck “Add default route if default gateway is specified” Scenario & Hands-on 2-1 WAN Failover

122 D-Link Security 122 Create the correct gateway object in “Address Book” under “Object” (WAN2) Click “address book” in Object Add the object for IP4 Host/Network Modify wan2_ip and wan2net Scenario & Hands-on 2-1 WAN Failover 8

123 D-Link Security 123 Apply the gateway object to WAN Interface and disable “add default route” Click “Ethernet” in Interface Disable default route in Interface Scenario & Hands-on 2-1 WAN Failover

124 D-Link Security 124 Combine WAN1 and WAN2 to the object of WAN Click “interface Groups” in Interface Create the object and choose WAN1 and WAN Scenario & Hands-on 2-1 WAN Failover 8

125 D-Link Security 125 Create the IP rule for WAN group Click “Rules” in IP Rule Choose correct Action, Service, Interface and Network in the rule Scenario & Hands-on 2-1 WAN Failover 8

126 D-Link Security 126 Create the WAN1 routing rule and enable “monitor this route” Click “Main Routing Table” under “Routing “ Create the routing rule for WAN1 Choose lower Metric value and enable “monitor this route” Scenario & Hands-on 2-1 WAN Failover

127 D-Link Security 127 Create the WAN2 routing rule and enable “monitor this route” Click “Main Routing Table” under “Routing “ Create the routing rule for WAN2 Choose higher Metric valueand enable “monitor this route” Scenario & Hands-on 2-1 WAN Failover

128 D-Link Security 128 Scenario & Hands-on 2-1 WAN Failover After all configuration, Click “configuration” in main bar Click “Save and Activate”

129 Scenario & Hands-on 2-1 Exercise 2-1 WAN Failover
Topology: internal LAN1 (group IP); WAN2 (group IP, static IP); WAN1 (DHCP).
Objectives: 1. WAN1 is the main link, WAN2 is the backup link. 2. When WAN1 is disconnected, all traffic fails over to WAN2.
Group addressing (WAN2 / LAN1): Group1: / /24 Group2: / /24 .. Group9: / /24 Group10: / /24 WAN2-Gateway:

130 Scenario & Hands-on 2-2 Load Sharing and WAN failover
Network topology: Internal LAN1 IP: /16; Internal LAN2 IP: /24; Internal LAN3 IP: /24; WAN1: DHCP; WAN2 (static IP) IP: /24; WAN2 gateway IP:
Note: create a PBR table and apply it in a routing policy.

131 Scenario & Hands-on 2-2 Load Sharing and WAN failover
Objectives: all services go through WAN1, except that the FTP service and a specific IP range go through WAN2. When WAN1 is disconnected, all traffic goes through WAN2 to the Internet. When WAN1 returns to normal, all traffic goes through WAN1 again. When WAN2 is disconnected, the specified traffic and service can still reach the Internet through WAN1.
The logic of configuration: modify the PBR routing table and the routing rule.

132 Scenario & Hands-on 2-2 Load Sharing and WAN failover
Create the IP address object for the specific LAN1 range: click “Address Book” under “Objects”, then click “Ethernet” under “Interfaces”.

133 Scenario & Hands-on 2-2 Load Sharing and WAN failover
Add the WAN2 (static) route in the PBR table: click “PBR Table” under “Routing”, choose the higher metric in the PBR table and enable route monitoring.

134 Scenario & Hands-on 2-2 Load Sharing and WAN failover
Add the routing rule for WAN1 in the PBR policy: click “PBR Policy” under “Routing” and choose the correct forward table, return table, interface and network.

135 Scenario & Hands-on 2-2 Load Sharing and WAN failover
After all configuration is done, click “Configuration” in the main bar, then click “Save and Activate”.

136 Scenario & Hands-on 2-2 Exercise 2-2 Load Sharing
Topology: Internal LAN1 IP: x.0/24; WAN2: static IP; WAN1: DHCP.
Objectives: 1. Load sharing: ping-outbound and the specific IP range X go to the Internet by WAN2; all other services go to the Internet by WAN1. 2. Failover: when any WAN cable is unplugged, users can still reach the Internet via the other WAN port.
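The failover and policy-routing behaviour of Scenarios 2-1 and 2-2 can be modelled in a few lines: routes carry a metric and a monitor flag, a monitored route that is down disappears from lookups, and a PBR policy sends FTP and one address range to a separate table. This is an added example, not D-Link code; the addresses, the metrics and the fallback to the main table when the PBR table has no usable route are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    interface: str         # outgoing interface, e.g. "wan1"
    network: str           # destination prefix; "0.0.0.0/0" is the default route
    metric: int            # among usable routes the lowest metric wins
    monitor: bool = False  # "monitor this route": hide it from lookups while it is down
    up: bool = True        # state reported by route monitoring

    def usable(self) -> bool:
        # An unmonitored route stays in the table even when its link is down,
        # which is why both WAN routes in the lab have monitoring enabled.
        return self.up or not self.monitor


class RoutingTable:
    def __init__(self, routes):
        self.routes = list(routes)

    def lookup(self, dst: str):
        dst_ip = ip_address(dst)
        cands = [r for r in self.routes
                 if r.usable() and dst_ip in ip_network(r.network)]
        if not cands:
            return None
        # Longest prefix first, then lowest metric: WAN1 (90) beats WAN2 (100)
        # until WAN1's monitor reports the link down.
        return min(cands, key=lambda r: (-ip_network(r.network).prefixlen, r.metric))


@dataclass
class PolicyRule:
    src_net: str      # source network the rule applies to
    service: str      # "ftp", "http", ... or "all"
    table: str        # forward table to use when the rule matches


class Router:
    def __init__(self, tables, policy):
        self.tables = tables   # name -> RoutingTable; "main" must exist
        self.policy = policy   # ordered list of PolicyRule (first match wins)

    def set_link(self, interface: str, up: bool):
        """Route monitoring result for one WAN link, applied to every table."""
        for table in self.tables.values():
            for r in table.routes:
                if r.interface == interface:
                    r.up = up

    def select(self, src: str, dst: str, service: str):
        """Return the egress interface for a flow, or None if nothing routes it."""
        src_ip = ip_address(src)
        for rule in self.policy:
            if src_ip in ip_network(rule.src_net) and rule.service in (service, "all"):
                route = self.tables[rule.table].lookup(dst)
                if route is not None:
                    return route.interface
                break  # assumption: fall back to "main" when the PBR table has no usable route
        route = self.tables["main"].lookup(dst)
        return route.interface if route else None


def build_lab() -> Router:
    """Constructed lab: WAN1 (DHCP) is primary, WAN2 (static) is backup;
    FTP and the upper half of LAN1 are policy-routed out of WAN2."""
    main = RoutingTable([
        Route("lan1", "192.0.2.0/24", metric=0),
        Route("wan1", "0.0.0.0/0", metric=90, monitor=True),    # lower metric: primary
        Route("wan2", "0.0.0.0/0", metric=100, monitor=True),   # higher metric: backup
    ])
    pbr = RoutingTable([Route("wan2", "0.0.0.0/0", metric=100, monitor=True)])
    policy = [
        PolicyRule("192.0.2.0/24", "ftp", "pbr"),      # FTP from all of LAN1 via WAN2
        PolicyRule("192.0.2.128/25", "all", "pbr"),    # specific IP range entirely via WAN2
    ]
    return Router({"main": main, "pbr": pbr}, policy)


if __name__ == "__main__":
    lab = build_lab()
    print(lab.select("192.0.2.10", "198.51.100.5", "http"))   # wan1
    lab.set_link("wan1", False)
    print(lab.select("192.0.2.10", "198.51.100.5", "http"))   # wan2
```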

137 How to enable the “tracer” function: modify the TTL min value to 1. Click “IP Settings” under “Advanced Settings” in “System” and key in the smallest value (1).

138 How to enable the “tracer” function: enable “Pass returned from ICMP error messages from destination”. Click “Services” under “Objects”, choose the “all_icmp” object and enable “Pass returned from ICMP error messages from destination”.

139 Scenario & Hands-on 3 ZoneDefense
Topology: DMZ, Subnet A, WAN, Subnet B, Subnet C, Firewall, Infected Host.
- When an infected host spreads a worm into the network, the firewall can stop the malicious traffic from flooding the other subnets, but it has no way to stop it infecting its own subnet [subnet A].
- The most effective solution: the firewall triggers the ACL in the LAN switches to filter any malicious traffic it finds in real time, setting the ACL to block the specific MAC or IP address.
- D-Link firewalls implement the ZoneDefense feature to perform proactive network security together with D-Link switches: DES-3x26S, DES-3350SR, DES-3250TG, DES-3500 series, DES-3800 series, xStack series.

140 Scenario & Hands-on 3 ZoneDefense
Unique to D-Link: it works with D-Link switches to isolate an infected host that is generating unusual traffic on the LAN. It uses threshold rules to examine connections through the firewall and act on them: the threshold rules monitor the number of connections per second, and when a pre-defined limit is reached the firewall sends block requests to the switches configured for ZoneDefense.

141 Scenario & Hands-on 3 ZoneDefense (topology diagram: Internet)

142 Scenario & Hands-on 3 ZoneDefense
Topology: WAN1 IP: /24; PC on LAN1 IP: /24; switch (DGS-3324SR) IP: /24; Internet. Rule: block HTTP requests exceeding 4 sessions for every host.
Note: verify the model of the supported switch; verify the IP address of the switch; verify the SNMP community shared between the switch and the firewall.

143 Scenario & Hands-on 3 ZoneDefense
Objectives: when the traffic of any host exceeds 4 sessions, the firewall has the switch create an ACL rule that blocks the offending traffic.
The logic of configuration: configure the switch; choose the correct switch model; exclude the switch and the administrator; create and configure the threshold rule.

144 Scenario & Hands-on 3 ZoneDefense
Reset the switch to default and configure its IP address: use the switch CLI, key in “reset config”, then key in “config ipif System ipaddress /24”.

145 Scenario & Hands-on 3 ZoneDefense
Verify the communication between the firewall and the switch, and inspect the community on the switch: use the switch CLI and key in “show snmp community”.

146 Scenario & Hands-on 3 ZoneDefense
Create the IP address objects for the switch and the administrator: click “Address Book” under “Objects” and add IP4 Host/Network objects.

147 Scenario & Hands-on 3 ZoneDefense
Create the switch object in ZoneDefense: click “Switches” under “ZoneDefense”, choose the correct switch model, key in the SNMP community, and verify that the firewall can communicate with the switch.

148 Scenario & Hands-on 3 ZoneDefense
Exclude the switch and the administrator: click “Exclude” under “ZoneDefense” and choose the correct objects.

149 Scenario & Hands-on 3 ZoneDefense
Create the threshold rule in ZoneDefense: click “Threshold” under “ZoneDefense”, choose the correct interface and network, and key in the threshold condition (the host-based value must be smaller than the network-based value).

150 Scenario & Hands-on 3 ZoneDefense
After all configuration is done, click “Configuration” in the main bar, then click “Save and Activate”.

151 Scenario & Hands-on 3 ZoneDefense
Testing result: block status from the firewall; block status from the switch.

152 Scenario & Hands-on 3 Exercise 3 ZoneDefense
Topology: WAN1: DHCP; PC on LAN1 IP: group IP address; switch (DGS-3324SR) IP: an address in the same segment as the LAN1 IP; Internet.
Objective: 1. When the web traffic of any host exceeds 2 sessions, the firewall has the switch create an ACL rule that blocks the offending traffic.
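The threshold-rule logic behind Scenario 3, as an added model that is not D-Link code: new connections are counted per source host over a sliding one-second window, a host that exceeds the host-based limit is reported for blocking, the switch and administrator addresses on the exclude list are never blocked, and the network-based limit must be larger than the host-based one. The connection log and the addresses are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class ThresholdRule:
    network: str          # source network watched by the rule (the LAN1 interface)
    service_port: int     # 80: the rule counts HTTP connections only
    host_limit: int       # connections per second allowed for a single host
    net_limit: int        # connections per second allowed for the whole network
    exclude: tuple = ()   # switch and administrator addresses (the "Exclude" list)

    def __post_init__(self):
        # The slide's constraint: the host-based value must be smaller than the network value.
        if self.host_limit >= self.net_limit:
            raise ValueError("host-based threshold must be smaller than network-based threshold")
        self.net = ip_network(self.network)


class ZoneDefense:
    WINDOW = 1.0  # seconds; the rule counts connections per second

    def __init__(self, rule: ThresholdRule):
        self.rule = rule
        self.per_host = defaultdict(deque)   # host -> timestamps of recent new connections
        self.per_net = deque()               # timestamps of recent connections, whole network
        self.block_requests = []             # what the firewall would send to the switch, in order

    @staticmethod
    def _slide(window: deque, now: float):
        while window and now - window[0] >= ZoneDefense.WINDOW:
            window.popleft()

    def observe(self, ts: float, src: str, dport: int):
        """Feed one new connection (timestamp, source host, destination port)."""
        if dport != self.rule.service_port or ip_address(src) not in self.rule.net:
            return
        host_win = self.per_host[src]
        self._slide(host_win, ts)
        host_win.append(ts)
        self._slide(self.per_net, ts)
        self.per_net.append(ts)

        if len(host_win) > self.rule.host_limit and src not in self.rule.exclude:
            req = ("host", src)
            if req not in self.block_requests:
                self.block_requests.append(req)
        if len(self.per_net) > self.rule.net_limit:
            req = ("network", self.rule.network)
            if req not in self.block_requests:
                self.block_requests.append(req)

    def blocked_hosts(self):
        return [target for kind, target in self.block_requests if kind == "host"]


# Constructed connection log: (timestamp, source host, destination port).
CONSTRUCTED_LOG = sorted(
    [(0.1 * i, "10.0.0.50", 80) for i in range(6)]    # 6 HTTP connections in 0.5 s: exceeds 4
    + [(0.1 * i, "10.0.0.2", 80) for i in range(6)]   # same burst from the administrator: excluded
    + [(1.0 * i, "10.0.0.60", 80) for i in range(4)]  # 4 connections over 3 s: within the limit
    + [(0.1 * i, "10.0.0.70", 21) for i in range(6)]  # FTP burst: the rule counts HTTP only
)


def run_demo() -> ZoneDefense:
    rule = ThresholdRule(network="10.0.0.0/24", service_port=80, host_limit=4,
                         net_limit=20, exclude=("10.0.0.1", "10.0.0.2"))  # .1 = switch, .2 = admin
    zd = ZoneDefense(rule)
    for ts, src, dport in CONSTRUCTED_LOG:
        zd.observe(ts, src, dport)
    return zd


if __name__ == "__main__":
    print(run_demo().block_requests)   # [('host', '10.0.0.50')]
```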

153 Scenario & Hands-on 4-1 Port mapping for server
Network topology: Internal LAN1 IP: /24; Internal LAN2 IP: /24; Internal LAN3 IP: /24; WAN1 IP: /24; FTP server in the DMZ, IP: /24.
Note: add the additional public IP address in the “ARP Table”; verify the sequence of the IP rules.

154 Scenario & Hands-on 4-1 Port mapping for server
Objectives: access the FTP server by its public IP address ( ).
The logic of configuration: create objects for the public and private IP addresses of the FTP server; create the ARP object in the ARP Table; create the IP rules (SAT and Allow) for the FTP server.

155 Scenario & Hands-on 4-1 Port mapping for server
Add the objects for both the public and the virtual (private) IP address of the FTP server: click “Address Book” under “Objects” and key in the correct IP addresses.

156 Scenario & Hands-on 4-1 Port mapping for server
Create the object in the ARP Table: click “ARP Table” under “Interfaces” and apply the object with the FTP public IP address.

157 Scenario & Hands-on 4-1 Port mapping for server
Create the IP rule that maps the FTP server (SAT): click “IP Rule” under “Rules” and choose the correct Action, Service, Interface, SAT setting and Network for the rule.

158 Scenario & Hands-on 4-1 Port mapping for server
Create the IP rule that allows the FTP server (Allow FTP): click “IP Rule” under “Rules” and choose the correct Action, Service, Interface and Network for the rule.

159 Scenario & Hands-on 4-1 Port mapping for server
After all configuration is done, click “Configuration” in the main bar, then click “Save and Activate”.

160 Scenario & Hands-on 4-1 Port mapping for server
Testing result: logging in to the FTP server succeeds (topology diagram).

161 Scenario & Hands-on 4-1 Exercise Port mapping for server
Topology: WAN1: DHCP; FTP server public address: group public IP address; FTP server private address: group private IP, in the DMZ.
Objective: 1. Access the FTP server by the group’s public IP address successfully.
FTP server public IP: Group1: /24 Group2: /24 . Group9: /24 Group10: /24. FTP server private IP: /24. DMZ port: DFL-800: port DMZ; DFL-1600: port #3; DFL-2500: port #5.

162 Scenario & Hands-on 4-2 SAT in PPPoE connection
Network topology: WAN1: PPPoE; Internal LAN1 IP: /24; Internal LAN2 IP: /24; Internal LAN3 IP: /24; FTP server in the DMZ.
Note: add the PPPoE tunnel under “Interfaces”; verify the sequence of the IP rules.

163 Scenario & Hands-on 4-2 SAT in PPPoE connection
Objectives: when a PPPoE connection is used, the internal FTP server can be accessed from the public Internet.
The logic of configuration: create the PPPoE connection object; create the private IP address object for the FTP server; create the IP rules (SAT and Allow) for the FTP server.

164 Scenario & Hands-on 4-2 SAT in PPPoE connection
Create an object for the PPPoE connection in “PPPoE Tunnels” under “Interfaces”: click “PPPoE Tunnels” under “Interfaces” and set the correct physical interface, remote network, username and password in the object.

165 Scenario & Hands-on 4-2 SAT in PPPoE connection
Add the object for the virtual (private) IP address of the FTP server: click “Address Book” under “Objects” and key in the correct IP address.

166 Scenario & Hands-on 4-2 SAT in PPPoE connection
With a PPPoE connection, create the IP rule that maps the FTP server (SAT): click “IP Rule” under “Rules” and choose the correct Action, Service, Interface, SAT setting and Network for the rule.

167 Scenario & Hands-on 4-2 SAT in PPPoE connection
Create the IP rule that allows the FTP server (Allow FTP): click “IP Rule” under “Rules” and choose the correct Action, Service, Interface and Network for the rule.

168 Scenario & Hands-on 4-2 SAT in PPPoE connection
After all configuration is done, click “Configuration” in the main bar, then click “Save and Activate”.

169 Scenario & Hands-on 4-2 SAT in PPPoE connection
Testing result: logging in to the FTP server succeeds (topology diagram).

170 Scenario & Hands-on 4-2 Exercise SAT in PPPoE connection
Topology: WAN1: PPPoE; FTP server public address: group public IP address; FTP server private address: group private IP, in the DMZ.
Objective: 1. Access the FTP server by the group’s public IP address successfully.
FTP server public IP: Group1: /24 Group2: /24 . Group9: /24 Group10: /24. FTP server private IP: /24. DMZ port: DFL-800: port DMZ; DFL-1600: port #3; DFL-2500: port #5.

171 Scenario & Hands-on 4-3 SAT and server load balance
Network topology: Internal LAN1 IP: /24; Internal LAN2 IP: /24; Internal LAN3 IP: /24; WAN1 IP: /24; two FTP servers in the DMZ, IP: /24.
Note: add the additional public IP address in the “ARP Table”; verify the sequence of the IP rules.

172 Scenario & Hands-on 4-3 SAT and server load balance
Objectives: access two FTP servers by one public IP address ( ).
The logic of configuration: create objects for the public and private IP addresses of the two FTP servers; create the ARP object in the ARP Table; create the IP rules (SAT_SLB and Allow) for the FTP servers.

173 Scenario & Hands-on 4-3 SAT and server load balance
Add the public IP address object for the two FTP servers: click “Address Book” under “Objects” and key in the correct IP address.

174 Scenario & Hands-on 4-3 SAT and server load balance
Add the two virtual (private) IP address objects for the two FTP servers: click “Address Book” under “Objects” and key in the correct IP addresses.

175 Scenario & Hands-on 4-3 SAT and server load balance
Apply the IP address object to the ARP Table: click “ARP Table” under “Interfaces” and apply the object for the FTP public IP address.

176 Scenario & Hands-on 4-3 SAT and server load balance
Create the IP rule for the FTP servers: click “IP Rule” under “Rules” and choose the correct Action, Service, Interface, SLB_SAT settings and Network in the rule.

177 Scenario & Hands-on 4-3 SAT and server load balance
Create the IP rule that allows the FTP servers (Allow FTP): click “IP Rule” under “Rules” and choose the correct Action, Service, Interface and Network in the rule.

178 Scenario & Hands-on 4-3 SAT and server load balance
After all configuration is done, click “Configuration” on the main menu bar, then click “Save and Activate”.

179 Scenario & Hands-on 4-3 Exercise 4-3 SAT and server load balance
Topology: WAN1: DHCP; FTP Server-1: group public IP; FTP Server-1: group private IP-1 (DMZ); FTP Server-2: group private IP-2.
FTP server public IP: Group1: /24 Group2: /24 . Group9: /24 Group10: /24. FTP server private IP-2: Group1: /24. FTP server private IP: /24. DMZ:
Objective: 1. Access the two FTP servers by the group’s public IP address successfully.

180 Scenario & Hands-on 5 Runtime Authentication configuration
Process of authentication (diagram: Internet, HTTP request).

181 Scenario & Hands-on 5 Runtime Authentication configuration
Authorizes users to access the Internet, LAN and intranet services through either the local database or a RADIUS server. The user authentication rules must be saved and activated for the settings to apply.

182 Scenario & Hands-on 5 Runtime Authentication configuration
(Diagram: WAN, LAN, Core.) The core interface owns the firewall’s own IP addresses.

183 Scenario & Hands-on 5 Runtime Authentication configuration
Network topology: WAN1 IP: /24; PC on LAN1 IP: /24; switch (DES-3226S) IP: /24; authenticated user accessing the Internet.
Note: modify the Web UI HTTP port; verify the sequence of the IP rules.

184 Scenario & Hands-on 5 Runtime Authentication configuration
Objectives: when a user opens a web browser, a login screen pops up automatically and requests a login; services are allowed after authentication. Users can log out manually, or are logged out automatically when the preset idle time is reached.
The logic of configuration: change the Web UI HTTP port; create an object for the specific traffic network; create a local user database; create the IP rules for authentication.

185 Scenario & Hands-on 5 Runtime Authentication configuration
Change the remote management HTTP port to avoid a port conflict: click “Remote Management”, then click “Modify advanced settings” and change the WebUI HTTP port.

186 Scenario & Hands-on 5 Runtime Authentication configuration
Create the user database for authentication: click “Local User Database” under “User Authentication” and key in the authenticated user (user name/password).

187 Scenario & Hands-on 5 Runtime Authentication configuration
Create the User Authentication Rules: click “User Authentication Rules” under “User Authentication” and choose the corresponding settings.

188 Scenario & Hands-on 5 Runtime Authentication configuration
Create the User Authentication Rules (continued): click “User Authentication Rules” under “User Authentication” and choose the corresponding settings.

189 Scenario & Hands-on 5 Runtime Authentication configuration
Create the IP address object for authenticating users: click “Address Book” under “Objects”, add an object for the authenticating users, and key in the correct IP address and group name.

190 Scenario & Hands-on 5 Runtime Authentication configuration
Create the “Allow” rule (rule 1): click “IP Rule” under “Rules” and choose the correct Action, Service, Interface and Network in the rule.

191 Scenario & Hands-on 5 Runtime Authentication configuration
Create the “NAT-DNS” rule (rule 2): click “IP Rule” under “Rules” and choose the correct Action, Service, Interface and Network in the rule.

192 Scenario & Hands-on 5 Runtime Authentication configuration
Create the “NAT-all_service” rule (rule 3): click “IP Rule” under “Rules” and choose the correct Action, Service, Interface and Network in the rule.

193 Scenario & Hands-on 5 Runtime Authentication configuration
Create the “SAT” rule (rule 4): click “IP Rule” under “Rules” and choose the correct Action, Service, Interface and Network in the rule.

194 Scenario & Hands-on 5 Runtime Authentication configuration
Create the “Allow” rule (rule 5): click “IP Rule” under “Rules” and choose the correct Action, Service, Interface and Network in the rule.

195 Scenario & Hands-on 5 Runtime Authentication configuration
After all configuration is done, click “Configuration” on the main menu bar, then click “Save and Activate”.

196 Scenario & Hands-on 5 Runtime Authentication configuration
What the five rules do (grouped on the slide as Action 1, Action 2 and Action 3): allow the manual log-out web page; allow users to look up DNS; allow authorized users to use network services; map all HTTP traffic to the firewall’s LAN1 IP address; allow the HTTP traffic that is mapped to the LAN1 IP address.

197 Scenario & Hands-on 5 Runtime Authentication configuration
Testing result.

198 Scenario & Hands-on 5 Exercise 5 Runtime Authentication configuration
Topology: WAN1: DHCP; PC on LAN1 IP: /24; switch (DES-3226S) IP: /24; authenticated user accessing the Internet.
Objectives: 1. The specific user or network must be authorized before accessing the Internet. 2. Users can log out manually, or are logged out automatically when the preset idle time is reached.
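Why the slides keep saying “verify the sequence of the IP rules” is easiest to see with an ordered rule evaluator. This added example (not D-Link code) models the SAT/Allow pairs of Scenarios 4-1 and 4-3, including SAT_SLB over two servers, and the five authentication rules of Scenario 5 where only logged-in hosts match the NAT rule and everyone else has HTTP mapped to the firewall’s LAN1 address. The addresses and the rule semantics (a SAT rule only rewrites, a later Allow/NAT rule must pass the packet; the destination interface is taken as given) are assumptions.

```python
from dataclasses import dataclass
from itertools import cycle
from ipaddress import ip_address, ip_network
from typing import Optional

PASS_ACTIONS = ("Allow", "NAT", "FwdFast")   # actions that actually let a packet through


@dataclass
class Packet:
    src_if: str
    src: str
    dst_if: str   # would come from the route lookup; "core" = the firewall's own addresses
    dst: str
    dport: int


@dataclass
class IPRule:
    name: str
    action: str                        # "SAT", "SAT_SLB", "Allow", "NAT" or "Drop"
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str
    port: Optional[int] = None         # None = all services
    new_dst: tuple = ()                # SAT target, or the SAT_SLB server pool
    auth_group: Optional[str] = None   # source host must be logged in as a member of this group

    def matches(self, p: Packet, authenticated: dict) -> bool:
        return (self.src_if in (p.src_if, "any")
                and ip_address(p.src) in ip_network(self.src_net)
                and self.dst_if in (p.dst_if, "any")
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.port in (p.dport, None)
                and (self.auth_group is None
                     or authenticated.get(p.src) == self.auth_group))


class RuleSet:
    def __init__(self, rules):
        self.rules = rules
        self.authenticated = {}   # host -> group, filled in when the user logs in
        self._pool = {r.name: cycle(r.new_dst) for r in rules if r.action == "SAT_SLB"}

    def login(self, host: str, group: str):
        self.authenticated[host] = group

    def evaluate(self, p: Packet):
        """Return (verdict, destination after translation) for one packet."""
        new_dst, translated = p.dst, False
        for r in self.rules:
            if not r.matches(p, self.authenticated):
                continue
            if r.action in ("SAT", "SAT_SLB"):
                if not translated:
                    new_dst = next(self._pool[r.name]) if r.action == "SAT_SLB" else r.new_dst[0]
                    translated = True
                continue   # SAT only rewrites; a later Allow/NAT rule must pass the packet
            if r.action in PASS_ACTIONS:
                return (r.action, new_dst)
            return ("Drop", p.dst)
        return ("Drop", p.dst)   # no matching rule: dropped


# Constructed address objects (documentation ranges, not the course's addresses).
LAN = "10.0.0.0/24"
FTP_PUBLIC = "203.0.113.10"                 # extra public IP published in the ARP table
FTP_PRIVATE = ("10.0.1.5", "10.0.1.6")      # the DMZ servers of Scenarios 4-1 and 4-3
FW_LAN_IP = "10.0.0.1"                      # firewall LAN1 address serving the login page


def port_mapping(slb: bool = False, allow_first: bool = False) -> RuleSet:
    """Scenario 4-1 (one server) or 4-3 (SAT_SLB over two servers)."""
    sat = IPRule("sat_ftp", "SAT_SLB" if slb else "SAT", "wan1", "0.0.0.0/0", "core",
                 FTP_PUBLIC, port=21, new_dst=FTP_PRIVATE if slb else FTP_PRIVATE[:1])
    allow = IPRule("allow_ftp", "Allow", "wan1", "0.0.0.0/0", "core", FTP_PUBLIC, port=21)
    # allow_first reproduces the ordering mistake the slides warn about.
    return RuleSet([allow, sat] if allow_first else [sat, allow])


def runtime_auth() -> RuleSet:
    """Scenario 5: rules 1-5 in the order the course creates them."""
    return RuleSet([
        IPRule("allow_login", "Allow", "lan1", LAN, "core", FW_LAN_IP, port=80),
        IPRule("nat_dns", "NAT", "lan1", LAN, "wan1", "0.0.0.0/0", port=53),
        IPRule("nat_users", "NAT", "lan1", LAN, "wan1", "0.0.0.0/0", auth_group="users"),
        IPRule("sat_http", "SAT", "lan1", LAN, "wan1", "0.0.0.0/0", port=80, new_dst=(FW_LAN_IP,)),
        IPRule("allow_http", "Allow", "lan1", LAN, "wan1", "0.0.0.0/0", port=80),
    ])
```

With the Allow rule placed before the SAT rule, the FTP packet is passed untranslated to the public address, which is the failure the “verify the sequence” note is about.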

199 Scenario & Hands-on 6 Traffic Shaping
Pipes concept (diagram).

200 Scenario & Hands-on 6 Traffic Shaping
The concept of dynamic balancing: this diagram shows the bandwidth distribution without dynamic balancing.

201 Scenario & Hands-on 6 Traffic Shaping
The concept of dynamic balancing: this diagram shows the bandwidth distribution when dynamic balancing is used.

202 Scenario & Hands-on 6 Traffic Shaping
The concept of precedence (diagram): one pipe with the precedences Highest, High, Medium and Low.

203 Scenario & Hands-on 6 Traffic Shaping
Concept of design (pipe 1Mbps): a leased line with 1Mbps in both directions (two pipes). The pipe throughput should be less than the physical link!

204 Scenario & Hands-on 6 Traffic Shaping
Concept of design (pipe 1Mbps), download: a 1Mbps pipe carrying HTTP 250Kbps at precedence Highest, FTP 250Kbps at High and SMTP 500Kbps at Low (the diagram shows the same allocation twice).

205 Scenario & Hands-on 6 Traffic Shaping
Pipes: all measuring, limiting, guaranteeing and balancing is carried out in pipes. A pipe by itself is meaningless unless it is put into use in the Rules section. Each rule can pass traffic through one or more pipes, at a precedence (priority) of your choice.

206 Scenario & Hands-on 6 Traffic Shaping
Precedence: determine the bandwidth of each precedence (diagram).

207 Scenario & Hands-on 6 Traffic Shaping
Pipe rules: plan your traffic shaping requirements. If you do not know how traffic should be limited, prioritized, guaranteed or distributed, you will likely find the configuration work more confusing than helpful.

208 Scenario & Hands-on 6 Traffic Shaping
Precedence: assign a precedence (diagram).

209 Scenario & Hands-on 6 Traffic Shaping
Network topology: internal LAN1, external WAN1; leased line bandwidth: download 1Mbps, upload 1Mbps.
1. For inbound and outbound HTTP and HTTPS, the maximum bandwidth is 500Kb.
2. For inbound and outbound POP3, the guaranteed bandwidth is 300Kb (maximum bandwidth 1000Kb).
3. All other inbound and outbound services use the remaining bandwidth.
4. All of the above are dedicated bandwidth values.
Note: before using traffic shaping for a specified application, make sure that the IP rule for that application has been created.

210 Scenario & Hands-on 6 Traffic Shaping
Objective: for inbound and outbound HTTP and HTTPS, the maximum bandwidth is 500Kb. For inbound and outbound POP3, the guaranteed bandwidth is 300Kb (maximum bandwidth 1000Kb). All other inbound and outbound services use the remaining bandwidth. All of the above are dedicated bandwidth values.
The logic of configuration: make sure the IP rule exists; create the pipe objects; create the pipe rules; choose the correct Action, Service, Interface and Network in the rule; key in the correct values for precedence and total bandwidth.

211 Scenario & Hands-on 6 Traffic Shaping
Create the input pipe object (the standard-in pipe): click “Pipes” under “Traffic Shaping” and key in the corresponding precedence and total bandwidth values.

212 Scenario & Hands-on 6 Traffic Shaping
Create the output pipe object (the outbound pipe): click “Pipes” under “Traffic Shaping” and key in the corresponding precedence and total bandwidth values.

213 Scenario & Hands-on 6 Traffic Shaping
Create the HTTP input pipe object (the HTTP-in pipe): click “Pipes” under “Traffic Shaping” and key in the corresponding precedence and total bandwidth values.

214 Scenario & Hands-on 6 Traffic Shaping
Create the HTTP output pipe object (the HTTP-out pipe): click “Pipes” under “Traffic Shaping” and key in the correct precedence and total bandwidth values.

215 Scenario & Hands-on 6 Traffic Shaping
Create the HTTP rule: click “Pipe Rules” under “Traffic Shaping” and key in the corresponding precedence and total bandwidth values.

216 Scenario & Hands-on 6 Traffic Shaping
Create the POP3 input pipe object (the POP3-in pipe): click “Pipes” under “Traffic Shaping” and key in the corresponding precedence and total bandwidth values.

217 Scenario & Hands-on 6 Traffic Shaping
Create the POP3 output pipe object (the POP3-out pipe): click “Pipes” under “Traffic Shaping” and key in the corresponding precedence and total bandwidth values.

218 Scenario & Hands-on 6 Traffic Shaping
Create the POP3 rule: click “Pipe Rules” under “Traffic Shaping” and choose the correct Action, Service, Interface and Network in the rule.

219 Scenario & Hands-on 6 Traffic Shaping
Create the rule for the other services: click “Pipe Rules” under “Traffic Shaping” and choose the correct Action, Service, Interface and Network in the rule.

220 Scenario & Hands-on 6 Traffic Shaping
After all configuration is done, click “Configuration” on the main menu bar, then click “Save and Activate”.

221 Scenario & Hands-on 6 Traffic Shaping
Before using traffic shaping for a specified application, make sure that the IP rule for that application has been created.

222 Scenario & Hands-on 6 Traffic Shaping
First step: create two pipes (one per direction) for the physical WAN link. Second step: create two pipes (one per direction) for the specified application.

223 Scenario & Hands-on 6 Traffic Shaping
Third step: create the pipe rules for the specified application.

224 Scenario & Hands-on 6 Exercise 6 Traffic Shaping
Topology: internal LAN1, external WAN1; leased line bandwidth: download 1Mbps, upload 1Mbps.
Objectives: 1. For inbound and outbound SMTP, the maximum bandwidth is 400Kb. 2. For inbound and outbound FTP, the guaranteed bandwidth is 250Kb (maximum bandwidth 500Kb). 3. For all other inbound and outbound services, the maximum bandwidth is 350Kb. 4. All of the above are dedicated bandwidth values.
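The three-step design above (link pipes, application pipes, pipe rules) can be checked numerically with a simplified model, added here as an example and not D-Link code. Its assumptions: each pipe has a total limit and optional per-precedence limits; higher precedences are served first and a precedence limit acts as the guarantee, with demand above it pushed down to best effort (precedence 0); best-effort capacity is shared pro rata; a flow is first capped by its application pipe and then competes in the link pipe. The numbers follow the download direction of the Scenario 6 design.

```python
from dataclasses import dataclass, field


@dataclass
class Pipe:
    name: str
    total: int                                        # hard limit in kbps
    prec_limits: dict = field(default_factory=dict)   # precedence -> guaranteed kbps


@dataclass
class PipeRule:
    service: str
    chain: list        # pipes the traffic passes, application pipe first, link pipe last
    precedence: int    # 0 = best effort


def allocate(pipe: Pipe, offered: dict) -> dict:
    """Share one pipe among flows. offered: service -> (demand_kbps, precedence).
    Higher precedences are served first up to their limit (the guarantee); demand
    above a limit drops to best effort, which shares whatever is left pro rata."""
    remaining = pipe.total
    grant = {s: 0 for s in offered}
    best_effort = {}
    for prec in sorted({p for _, p in offered.values()}, reverse=True):
        if prec == 0:
            continue
        members = {s: d for s, (d, p) in offered.items() if p == prec}
        total_d = sum(members.values())
        share = min(total_d, pipe.prec_limits.get(prec, pipe.total), remaining)
        for s, d in members.items():
            g = share * d // total_d if total_d else 0   # integer pro-rata share
            grant[s] += g
            remaining -= g
            if d > g:
                best_effort[s] = d - g
    for s, (d, p) in offered.items():
        if p == 0:
            best_effort[s] = best_effort.get(s, 0) + d
    total_be = sum(best_effort.values())
    share = min(total_be, remaining)
    for s, d in best_effort.items():
        grant[s] += share * d // total_be if total_be else 0
    return grant


def shape(pipes: dict, rules: list, demands: dict) -> dict:
    """Run each flow through its chain: application pipes cap their own traffic,
    then the link pipe shares the line among everything. Returns service -> kbps."""
    rates = dict(demands)
    link = rules[0].chain[-1]              # every chain ends in the physical link pipe
    for r in rules:
        for name in r.chain[:-1]:
            rates.update(allocate(pipes[name], {r.service: (rates[r.service], r.precedence)}))
    prec = {r.service: r.precedence for r in rules}
    return allocate(pipes[link], {s: (rates[s], prec[s]) for s in rates})


def lab_design():
    """Download direction of the course design: 1 Mbps link; HTTP capped at 500 kbps;
    POP3 guaranteed 300 kbps (precedence 2) and capped at 1000 kbps; rest best effort."""
    pipes = {
        "std-in": Pipe("std-in", 1000, {2: 300}),
        "http-in": Pipe("http-in", 500),
        "pop3-in": Pipe("pop3-in", 1000),
    }
    rules = [
        PipeRule("http", ["http-in", "std-in"], precedence=0),
        PipeRule("pop3", ["pop3-in", "std-in"], precedence=2),
        PipeRule("other", ["std-in"], precedence=0),
    ]
    return pipes, rules


if __name__ == "__main__":
    pipes, rules = lab_design()
    # Everyone busy: HTTP held to its cap, POP3 gets its 300 plus a best-effort share.
    print(shape(pipes, rules, {"http": 800, "pop3": 600, "other": 600}))
```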

225 Scenario & Hands-on 7-1 VPN Configuration-PPTP
Network topology: Internal LAN1 IP: /24; Internal LAN2 IP: /24; Internal LAN3 IP: /24; WAN1 DHCP IP: /24; DFL-1600; PPTP client IP: /24; VPN tunnel.
Note: choose the correct inner IP address and outer interface filter for the PPTP tunnel.

226 Scenario & Hands-on 7-1 VPN Configuration-PPTP
Objectives: the user dials up to the firewall with the Windows PPTP client software; the dial-up user communicates with LAN1 of the firewall.
The logic of configuration: create objects for the PPTP server IP address and the IP address range; create the authentication database; configure the PPTP server; create the IP rule for the PPTP tunnel.

227 Scenario & Hands-on 7-1 VPN Configuration-PPTP
Create objects for the PPTP server IP address and the IP address range: click “Address” under “Objects” and key in the corresponding IP addresses.

228 Scenario & Hands-on 7-1 VPN Configuration-PPTP
Create the local database for PPTP authentication: click “Local User Databases” under “User Authentication” and key in the correct username and password.

229 Scenario & Hands-on 7-1 VPN Configuration-PPTP
Create the PPTP tunnel: click “PPTP/L2TP Servers” under “Interfaces” and choose the corresponding configuration.

230 Scenario & Hands-on 7-1 VPN Configuration-PPTP
Create the User Authentication Rules for the PPTP tunnel: click “User Authentication Rules” under “User Authentication”, choose the corresponding configuration, enable the log setting and choose the local user database.

231 Scenario & Hands-on 7-1 VPN Configuration-PPTP
Create the IP rules for the PPTP tunnel: click “IP Rules” under “Rules”, choose the corresponding configuration and enable the log setting.

232 Scenario & Hands-on 7-1 VPN Configuration-PPTP
After all configuration is done, click “Configuration” on the main menu bar, then click “Save and Activate”.

233 Scenario & Hands-on 7-1 VPN Configuration-PPTP
Testing result.

234 Scenario & Hands-on 7-1 Exercise 7-1 VPN Configuration-PPTP
Topology: Internal LAN1 IP: /24; Internal LAN2 IP: /24; Internal LAN3 IP: /24; WAN1: DHCP IP; DFL-1600; PPTP client; VPN tunnel.
Objectives: 1. Use the Windows client to dial up PPTP. 2. Ping the IP address of the firewall’s LAN.

235 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Network topology: Internal LAN1 IP: /24; Internal LAN2 IP: /24; Internal LAN3 IP: /24; WAN1: DHCP; DFL-1600; L2TP/IPsec client IP: /24; VPN tunnel.
Note: L2TP/IPsec must use transport mode; choose the correct local net and remote net for the IPsec tunnel; choose the correct inner IP address and outer interface filter for the L2TP tunnel.

236 Scenario & Hands-on 7-2 VPN Configuration-IPsec
Objectives: the user dials up to the firewall with the Windows L2TP/IPsec client software; the dial-up user communicates with LAN1 of the firewall.
The logic of configuration: create objects for the L2TP server IP address and the IP address range; create the authentication database; configure the IPsec tunnel; configure the L2TP server; create the IP rule for the L2TP tunnel.

237 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Create objects for the L2TP server IP address and the IP address range: click “Address” under “Objects” and key in the corresponding IP addresses.

238 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Create the local database for L2TP authentication: click “Local User Databases” under “User Authentication” and key in the correct username and password.

239 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Create the pre-shared key for L2TP: click “Pre-Shared Keys” under “VPN Objects” and key in the corresponding value.

240 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Create the IPsec tunnel: click “IPsec Tunnels” under “Interfaces” and choose the corresponding configuration.

241 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Verify the IPsec tunnel: click “Authentication” in this IPsec tunnel and apply the pre-shared key to the tunnel.

242 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Verify the IPsec tunnel: click “Routing” in this IPsec tunnel and enable “Dynamically add routes to remote network when a tunnel is established”.

243 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Verify the IPsec tunnel: click “Advanced” in this IPsec tunnel and disable “Add route for remote network”.

244 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Create the L2TP tunnel: click “PPTP/L2TP Servers” under “Interfaces” and choose the corresponding configuration.

245 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Create the User Authentication Rules for the L2TP tunnel: click “User Authentication Rules” under “User Authentication”, choose the corresponding configuration, enable the log setting and choose the local user database.

246 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Create the IP rules for the L2TP tunnel: click “IP Rules” under “Rules”, choose the corresponding configuration and enable the log setting.

247 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
After all configuration is done, click “Configuration” on the main menu bar, then click “Save and Activate”.

248 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Testing result.

249 Scenario & Hands-on 7-2 Exercise 7-2 VPN Configuration-L2TP/IPsec
Topology: Internal LAN1 IP: /24; Internal LAN2 IP: /24; Internal LAN3 IP: /24; WAN1: DHCP IP; DFL-1600; L2TP/IPsec client; VPN tunnel.
Objectives: 1. The user dials up to the firewall with the Windows L2TP/IPsec client software. 2. Ping the IP address of the firewall’s LAN.

250 Scenario & Hands-on 7-3 VPN Configuration-IPsec
VPN Objects – Pre-Shared Keys: used to authenticate VPN tunnels. There are two ways to enter a PSK, ASCII and HEX: ASCII, type in a passphrase; HEX, type in a passphrase and use “Generate” to turn the passphrase into a hex key.

251 Scenario & Hands-on 7-3 VPN Configuration-IPsec
VPN Objects – LDAP: for certificate-based authentication to be established over the VPN, the CA certificate needs to be downloaded via an LDAP server.

252 D-Link Security 252 The Concept of ID Lists is to manage and control accessibility of the VPN clients and gateways Mobile clients can be restricted from accessing Internal networks by ID Lists Scenario & Hands-on 7-3 VPN Configuration- IPsec ID Lists

253 D-Link Security 253 Predefined IKE & IPSec Algorithms by default High – Very Secured Medium – Secured You can defined your own algorithms Scenario & Hands-on 7-3 VPN Configuration- IPsec IKE/IPsec Algorithms

254 D-Link Security 254 Scenario & Hands-on 7-3 VPN Configuration- IPsec Network topology Internal LAN1 IP: /24 Internal LAN2 IP: /24 Internal LAN3 IP: /24 WAN1 Static IP: /24 DFL-1600 Remote LAN Internal LAN IP: /24 WAN1 IP: /24 VPN Tunnel Note: Use same pre-share key and algorithm between two IPsec settings Choose correct local net and remote net for IPsec tunnel

255 D-Link Security 255 Objectives Two firewalls communicate to each other by IPsec tunnel. The client of local-net ping to the client of remote-net The logic of configuration Create VPN Object( pre-shared key) Configure IPsec tunnel Create the IP rule for IPsec tunnel Scenario & Hands-on 7-3 VPN Configuration-IPsec

256 D-Link Security 256 Create objects for IP address of remote IP address and network Click “Address” in Objects Key in the correspond IP address Scenario & Hands-on 7-3 VPN Configuration- IPsec 6

257 D-Link Security 257 Create the pre-shared key for IPsec tunnel Click “Pre-Share Keys ” in VPN Objects Key in the correct value Scenario & Hands-on 7-3 VPN Configuration- IPsec 6

258 D-Link Security 258 Create the IPsec tunnel Click “IPsec Tunnels” in Interface Choose the correspond configuration ! Note: If remote firewall wan IP is not static IP, in other words Remote Endpoint is using dynamic IP address from dynamic DNS server, administrator can enter DDNS domain name in here directly Scenario & Hands-on 7-3 VPN Configuration- IPsec 6

259 Combine the two interfaces into one interface group: click "Interface Groups" in Interfaces and choose the corresponding interfaces. An interface group lets a single IP rule match traffic on any of its member interfaces.

260 Create the IP rules for the IPsec tunnel: click "IP Rules" in Rules, choose the corresponding configuration (action, service, source and destination interface and network) and enable logging for the rule so that tunnel traffic can be checked in the log later.

261 After all configuration, click "Configuration" on the main menu bar and then "Save and Activate".

262 Exercise 7-3 - VPN Configuration - IPsec. Topology: Internal LAN1 (even group) behind a DFL-1600, VPN tunnel, DFL-1600 with the remote LAN / Internal LAN (odd group). Objectives: 1. The two firewalls communicate with each other over an IPsec tunnel. 2. A client on the local net can ping a client on the remote net.

263 Scenario & Hands-on 7-4 VPN Configuration - IPsec with NetScreen 204. Network topology. DFL-1600: Internal LAN1 IP: /24; Internal LAN2 IP: /24; Internal LAN3 IP: /24; WAN1 static IP: /24. NetScreen 204: Remote LAN / Internal LAN IP: /24; WAN1 IP: /24. The VPN tunnel runs between the two WAN addresses. Note: use the same pre-shared key and the same algorithms on the DFL-1600 and on the NS-204, and choose the correct local net and remote net for the IPsec tunnel.

264 Objectives: the two firewalls communicate with each other over an IPsec tunnel, and a client on the local net can ping a client on the remote net. The logic of the configuration: 1. Create the VPN objects (pre-shared key, remote net/gateway and algorithm proposals). 2. Configure the IPsec tunnel. 3. Create the IP rule (policy) for the IPsec tunnel. Slides 265 to 272 are done on the NetScreen 204; the DFL-1600 side is configured as in 7-3.

265 Create the network object for the DFL-1600 side (the remote network as seen from the NetScreen): click "List" under "Addresses" in Objects and key in the corresponding network.

266 Create the IP address object for the DFL-1600 (the remote gateway): click "List" under "Addresses" in Objects and key in the corresponding IP address.

267 Create the P1 (Phase 1) proposal for the DFL-1600 tunnel: click "P1 Proposal" under "AutoKey Advanced" in VPNs and choose the corresponding algorithms and DH group. These must match the IKE algorithms and DH group the DFL-1600 offers.

268 Create the P2 (Phase 2) proposal for the DFL-1600 tunnel: click "P2 Proposal" under "AutoKey Advanced" in VPNs and choose the corresponding algorithms and DH group. In Phase 2 the DH group is the PFS group; it must match the DFL-1600's IPsec (PFS) setting, or be left unset on both sides.

269 Create the gateway object for the DFL-1600: click "Gateway" under "AutoKey Advanced" in VPNs, key in the corresponding IP address and the pre-shared key, then click "Advanced".

270 In the "Advanced" settings of the gateway object: choose "Custom" under "User Defined" and select the Phase 1 proposal created on slide 267; choose "Main" mode (both endpoints have static IP addresses).

271 Create the IPsec VPN tunnel (AutoKey IKE) for the DFL-1600: choose the Security Level (the Phase 2 proposal) and choose "Predefined" for the remote gateway, selecting the gateway object created on slide 269. Choose the outgoing interface and click "Advanced".

272 Create the IPsec VPN policy for the DFL-1600: choose the correct action, service and source/destination networks in the policy and enable "Modify matching bidirectional VPN policy" so that the policy for the return direction is created and kept in step automatically.
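The note on slide 254 (same pre-shared key and algorithms on both DFL-1600s) and the NetScreen P1/P2 proposals on slides 267 to 270 come down to one rule: the responder must find at least one transform in the initiator's offer that it is configured for, and only after the proposals agree is the pre-shared key used to authenticate. The script below is an added example, not code from D-Link, NetScreen or this training deck. It models that selection for a tunnel between a DFL-1600 (initiator) and an NS-204 (responder) and reports which attribute is to blame when nothing matches. The proposal sets, key values and function names are made up for the example; in particular DFL_P1_HIGH and DFL_P1_MEDIUM are not the real contents of the predefined High and Medium sets.

```python
"""Added example: IKE proposal and pre-shared key consistency check.

Not D-Link or NetScreen code. Models how an IKE responder picks the first
initiator transform it is configured for; the proposal sets below are
constructed for the example and are NOT the real contents of the DFL-1600
"High"/"Medium" algorithm sets.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str           # e.g. "aes-128", "3des"
    integrity: str            # e.g. "sha1", "md5"
    dh_group: Optional[int]   # phase 1: IKE DH group; phase 2: PFS group, None = no PFS


# Constructed DFL-1600 (initiator) sets, strongest first. Order matters: the
# responder takes the first transform it accepts, not the strongest one.
DFL_P1_HIGH = [Proposal("aes-256", "sha1", 5), Proposal("aes-128", "sha1", 2),
               Proposal("3des", "sha1", 2)]
DFL_P1_MEDIUM = [Proposal("3des", "sha1", 2), Proposal("3des", "md5", 2)]
DFL_P2_HIGH = [Proposal("aes-256", "sha1", None), Proposal("aes-128", "sha1", None)]

# Constructed NetScreen 204 (responder) side: one custom P1 and one custom P2
# proposal, as the "AutoKey Advanced" slides create.
NS_P1 = [Proposal("aes-128", "sha1", 2)]
NS_P2 = [Proposal("aes-128", "sha1", None)]


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Return the first initiator transform the responder accepts, else None."""
    accepted = set(responder)
    for offer in initiator:
        if offer in accepted:
            return offer
    return None


def mismatched_attributes(initiator: List[Proposal], responder: List[Proposal]) -> List[str]:
    """Attributes on which no initiator offer agrees with any responder entry.

    An empty list together with a failed negotiate() means every attribute
    overlaps somewhere, but no single transform matches as a whole (for
    example the right cipher is only offered with the wrong DH group).
    """
    out = []
    for attr in ("encryption", "integrity", "dh_group"):
        local = {getattr(p, attr) for p in initiator}
        remote = {getattr(p, attr) for p in responder}
        if not local & remote:
            out.append(attr)
    return out


def _describe_gap(phase: str, initiator: List[Proposal], responder: List[Proposal]) -> str:
    gaps = mismatched_attributes(initiator, responder)
    detail = ", ".join(gaps) if gaps else "none (no single transform matches as a whole)"
    return "%s: no common proposal; disjoint attributes: %s" % (phase, detail)


def check_tunnel(psk_local: bytes, psk_remote: bytes,
                 p1_local: List[Proposal], p1_remote: List[Proposal],
                 p2_local: List[Proposal], p2_remote: List[Proposal]) -> Dict[str, object]:
    """Walk the two IKE phases in the order the peers would and collect findings."""
    errors: List[str] = []
    phase1 = negotiate(p1_local, p1_remote)
    phase2: Optional[Proposal] = None
    if phase1 is None:
        errors.append(_describe_gap("phase 1", p1_local, p1_remote))
    # Proposals agreed; the pre-shared key is only now used to authenticate.
    # Constant-time compare, as a real implementation would do.
    elif not hmac.compare_digest(psk_local, psk_remote):
        errors.append("phase 1: pre-shared key differs, authentication fails")
    else:
        phase2 = negotiate(p2_local, p2_remote)
        if phase2 is None:
            errors.append(_describe_gap("phase 2", p2_local, p2_remote))
    return {"phase1": phase1, "phase2": phase2, "errors": errors}


if __name__ == "__main__":
    for label, p1 in (("High", DFL_P1_HIGH), ("Medium", DFL_P1_MEDIUM)):
        r = check_tunnel(b"example-psk", b"example-psk", p1, NS_P1, DFL_P2_HIGH, NS_P2)
        print(label, "->", r["phase1"], r["phase2"], r["errors"])
```

With these constructed sets, the High set negotiates down to aes-128/sha1/group 2 because that is the first offer the NetScreen accepts, while the Medium set fails with "encryption" named as the disjoint attribute. A pre-shared key mismatch shows up differently: Phase 1 proposals agree and then authentication fails, which is also how it looks in ikesnoop output on the DFL and in the NetScreen event log.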

273 Testing result (screenshot of the ping from the local net client to the remote net client).

274 DFL-1600 IPsec VPN status and NetScreen VPN status (screenshots of the established tunnel on both sides).

275 Agenda: Appliance Overview, Firewall Concept, Basic Configuration, Scenario & Hands-on, Troubleshooting.

276 Troubleshooting: four ways to troubleshoot. 1. Confirm the configuration of the firewall. 2. Inspect the firewall status. 3. Use console commands to get more information. 4. Capture packets and analyze them (Ethereal or Sniffer).

277 Troubleshooting flow chart. Start from the problem. Step 1: confirm the configuration. If the main cause is found, verify and correct the configuration. Step 2: if not, inspect the firewall status and use console commands to inspect. If the main cause is found, decide whether it is a configuration cause (verify the configuration) or an environment cause (verify the network environment). Step 3: if still not found, capture packets to analyze; again the cause is either a configuration cause or an environment cause. If the problem has been solved, stop; if not, it goes to the Dtrack system.

278 Confirm the configuration of the firewall: IP addresses or networks in Objects; configuration in Interfaces; configuration in IP Rules (action and service; interface and network); configuration in the main routing table (routes and metric); configuration in PBR (routing tables and rules, metric); advanced configuration (ZoneDefense, traffic shaping, user authentication).

279 Inspect the firewall status: click "Status" on the main menu bar and check System, Logging, Connections, Interfaces, IPsec, User Auth, Routes, DHCP Server, IDS, SLB and ZoneDefense.

280 How to use console commands with HyperTerminal in MS Windows. 1. Start HyperTerminal (hypertrm.exe). 2. Enter a name for the connection (for example, DFL-800) in the Name box. 3. Click an icon for the connection in the Icon box, then click OK. 4. In the "Connect using" box, select the COM port the console cable is attached to (Direct to COM x), then click OK. 5. On the Port Settings tab, click "Restore Defaults", verify the settings, then click OK.

281 Console commands. The first command to learn is HELP (or H), which prints a list of the commands available at the console. About: displays information about the firewall core. Crashdump: dumps all crash and error information. Access: prints the active anti-spoof (access) section. Arp [interface]: displays the cached ARP information for all interfaces; with an interface name, only that interface. Arpsnoop [interface]: displays ARP queries and responses; ARPSNOOP [interface] enables it and the same command again disables it; "all" enables it on all interfaces and "none" disables all arpsnoop output. Buffers [buf num]: displays the 20 most recently freed buffers; add the number to examine a specific buffer. Cfglog: displays the boot log of the firewall configuration.

282 Console commands. Connections: displays the connections in the firewall. CPUid: displays processor information. DHCP [switches]: renews (-renew) or releases (-release) the DHCP IP address on a specific interface. Frags: displays the 20 most recent fragment reassembly attempts, both ongoing and completed. Ifstat [interface]: displays the interfaces; with an interface name, statistics for that interface. Loghosts: displays the configured log hosts. Logout: secures the console with the configured password. Netcon: displays the active console or management connections to the firewall. Netobjects: displays the active host and network objects. Ping [IP address] [num]: the normal ping command to verify IP connectivity; num is the number of echo requests. Reconfigure: reloads the configuration from the boot media.

283 Console commands. Ikesnoop [on|off|verbose]: diagnoses problems with IPsec tunnels by printing the IKE negotiation with the remote peer; verbose prints the full exchange, which is where proposal (algorithm) and pre-shared key mismatches become visible. DHCPRelay: displays whether the DHCP boot relay is enabled or disabled. Remote: displays the active configuration of the remote section. Routes: displays the active configuration of the route section. Rules: displays the active configuration of the rule section; several options can be added, for example -v shows all available information such as usage counts. Scrsave: runs the screen saver. Services: displays the active services within the configuration. Shutdown: shuts down the firewall. Stats: displays statistics for the firewall. Time: displays the firewall's current time.

284 Capture packets to analyze. Set up a laptop with software such as Ethereal or Sniffer to capture packets from the problem node. The laptop must be able to see the problem node's traffic: connect both through a hub, or, if they connect through a switch, enable the switch's port mirror function for the problem node's port. (Diagram: laptop running Ethereal or Sniffer attached to the intranet beside the problem node.)

285 Capture packets to analyze. Inspect the source IP address, destination IP address and protocol of the captured packets to analyze the problematic network status.
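Ethereal's packet list shows exactly the three columns slide 285 asks you to inspect. The script below is an added example, not part of the D-Link training deck; it is a minimal reader for the classic libpcap file format that decodes the Ethernet and IPv4 headers of every packet and tabulates source, destination, protocol and the L4 detail (ports, ESP SPI or ICMP type), so the same check can be scripted over a saved capture. The capture it reads is constructed in memory by make_sample_pcap(); the addresses, ports and function names are made up for the example and the parser deliberately handles only Ethernet and classic pcap, not pcapng.

```python
"""Added example: a minimal libpcap reader that tabulates source, destination
and protocol per packet. Not part of the D-Link training deck. The capture is
constructed in memory by make_sample_pcap(); the addresses are arbitrary
values chosen for the example.
"""
import socket
import struct
from typing import List, Tuple

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}

Row = Tuple[str, str, str, str]   # (src, dst, protocol, detail)


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Ethernet II + IPv4 frame with a correct header checksum (sample input only)."""
    eth = bytes.fromhex("0001020304050a0b0c0d0e0f") + struct.pack("!H", ETHERTYPE_IPV4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # fill checksum
    return eth + hdr + payload


def make_sample_pcap() -> bytes:
    """Three constructed packets: a LAN-side ping, IKE on UDP/500, and ESP."""
    frames = [
        build_frame("192.168.1.10", "192.168.2.10", 1, bytes([8, 0]) + b"\x00" * 6),
        build_frame("203.0.113.1", "198.51.100.1", 17, struct.pack("!HHHH", 500, 500, 8, 0)),
        build_frame("203.0.113.1", "198.51.100.1", 50, struct.pack("!II", 0xC0FFEE01, 1)),
    ]
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def summarize(frame: bytes) -> Row:
    """Decode one Ethernet frame down to the L4 ports, ESP SPI or ICMP type."""
    if len(frame) < 14:
        return ("-", "-", "truncated", "")
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return ("-", "-", "non-IPv4 0x%04x" % ethertype, "")
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if len(ip) < 20 or ipv4_checksum(ip) != 0:      # a valid header sums to zero
        return ("-", "-", "bad IPv4 header", "")
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    payload = frame[14 + ihl:]
    detail = ""
    if proto in (6, 17) and len(payload) >= 4:
        sport, dport = struct.unpack_from("!HH", payload)
        detail = "%d->%d" % (sport, dport)
    elif proto == 50 and len(payload) >= 4:
        detail = "spi=0x%08x" % struct.unpack_from("!I", payload)[0]
    elif proto == 1 and payload:
        detail = "type=%d" % payload[0]
    return (src, dst, PROTO_NAMES.get(proto, str(proto)), detail)


def read_pcap(data: bytes) -> List[Row]:
    """Parse a classic libpcap file (not pcapng) and summarize every packet."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # file written big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded")
    rows, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        rows.append(summarize(data[off:off + incl_len]))
        off += incl_len
    return rows


if __name__ == "__main__":
    for src, dst, proto, detail in read_pcap(make_sample_pcap()):
        print("%-15s -> %-15s %-5s %s" % (src, dst, proto, detail))
```

Reading the table for the VPN scenarios above: a ping from the local net to the remote net captured on the LAN side appears as ICMP between the private addresses, while on the WAN side the same traffic must appear as ESP between the two WAN addresses. If the WAN-side capture still shows ICMP from the private addresses, or nothing at all, the packets never entered the tunnel (route or IP rule problem); if ESP goes out and nothing comes back, the fault is at the peer or on the path.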

286 Questions & Answers. Thank you.

