
2 Course Outline
NetDefend Family Overview & Strategy
NetDefendOS Feature Introduction
UTM Feature & NetDefend Subscription
This material contains four chapters:
- NetDefend Family Overview & Strategy: this chapter gives you the whole picture of the NetDefend family and the strategy we have toward the security industry.
- NetDefendOS Feature Introduction: in this chapter you learn the important features of NetDefendOS.
- UTM Feature & NetDefend Subscription: this chapter introduces the UTM features and the NetDefend subscription, so that users understand which services are included in our device and how to purchase and activate them.
- TCP/IP Essential: the fundamental knowledge of networking. If you are new to the network industry, we strongly suggest you start from this chapter; if you are an experienced user, you can simply skip it.

3 NETDEFEND FAMILY OVERVIEW & STRATEGY
DSC-Security

4 NetDefend Family Overview & Strategy
D-Link NetDefend Family Introduction
NetDefendOS Introduction

5 D-Link NetDefend Family Introduction
NetDefend Family Overview & Strategy
After this section, you should be able to explain:
- All members of the NetDefend family
- The D-Link VPN client DS-601/605
- How to introduce the NetDefend IPS Firewall
- How to introduce the NetDefend UTM Firewall
- The competitiveness of the NetDefend Firewall family
- The NetDefend Firewall selling points

6 Product Line Overview
NetDefend Family Overview & Strategy
NetDefend VPN Firewall / UTM Family
Segment           UTM firewall   IPS firewall
SOHO              DFL-260        DFL-210
Small Business    DFL-860        DFL-800
Medium Business   DFL-1660       DFL-1600
Enterprise        DFL-2560       DFL-2500
VPN Remote Client Software: DS-601 / 605
These are the products in the NetDefend family:
- DS-601/605 is the D-Link VPN remote client software.
- The NetDefend Firewall family contains two series:
  - UTM firewall series: DFL-260 for SOHO, DFL-860 for small business.
  - IPS firewall series: DFL-210 for SOHO, DFL-800 for small business, DFL-1600 for medium business, DFL-2500 for enterprise.

7 D-Link VPN Client Introduction - DS-601/605
NetDefend Family Overview & Strategy / VPN Client DS-601/605
- Software installable on the Windows NT, 98 SE, ME, 2000 or XP platform.
- DS-601: single-user license.
- DS-605: 5-user license.
- For remote users' VPN connections from home or outside the office.
- Supports Tunnel and Transport mode for easy communication between client and gateway.
- Certified interoperability with the whole series of D-Link NetDefend IPS/UTM Firewalls and VPN routers, to ensure a seamless connection environment for users.
D-Link DS-601/605 is VPN client software that is installed on the Windows platform; a mobile user can connect to the enterprise intranet and access internal resources via DS-601/605. DS-601 is a single-user license and DS-605 is a 5-user license. Both DS-601 and DS-605 have VPNC certification, which proves that DS-601/605 is compatible with other VPNC-certified devices.

8 DS-601/605 Q&A
NetDefend Family Overview & Strategy / VPN Client DS-601/605
1. Which versions does DS-601/605 NOT support? (Multiple Choice)
   a. XP  b. Vista  c. 2000  d. MAC OS
2. How many user licenses does DS-605 provide?
   a. 1  b. 3  c. 5  d. 7
3. What is the major difference between DS-601 and DS-605?
   a. License  b. Specification  c. Support service level  d. OS platform
4. Which models can DS-601/605 establish a VPN connection with? (Multiple Choice)
   a. DFL-800  b. DFL-M510  c. DI-804 HV  d. DSA-5100
Answers: 1. B, D  2. C  3. A  4. A, C

9 NetDefendOS Introduction
NetDefend Family Overview & Strategy / NetDefendOS
Platform compatibility: DFL-210/260/800/860/1600/2500
After this section, you should be able to explain:
1. What is NetDefendOS?
2. Which management user interfaces does NetDefendOS provide?
3. What is ICSA Labs?
4. What is ICSA firewall certification?
The D-Link IPS/UTM firewalls DFL-210/260/800/860/1600/2500 are standalone hardware firewalls running the D-Link proprietary NetDefendOS; its innovative features protect the network against internal and external attacks. For management, NetDefend Firewalls have two kinds of management interface: the Web User Interface, which adopts an object-oriented model to provide a user-friendly and intuitive graphical management interface, and the Command Line Interface, which provides the most fine-grained control, either via the serial port or remotely using Secure Shell.

10 NetDefendOS Introduction
NetDefend Family Overview & Strategy / NetDefendOS
The hardware of the D-Link firewalls DFL-210/260/800/860/1600/2500 is driven and controlled by NetDefendOS. Designed as a dedicated firewall operating system, NetDefendOS features high throughput performance with high reliability while at the same time implementing the key elements of an IPS/UTM firewall.
From the administrator's perspective, the conceptual approach of NetDefendOS is to visualize operations through a set of logical building blocks or objects, which allow the product to be configured in an almost limitless number of different ways. This granular control allows the administrator to meet the requirements of the most demanding network security scenario.
NetDefendOS provides two types of management interface:
- Command Line Interface (CLI): accessible locally via the serial console port or remotely using the Secure Shell (SSH) protocol, the CLI provides the most fine-grained control over all parameters in NetDefendOS.
- Web User Interface: provides a user-friendly and intuitive graphical management interface, accessible from a standard web browser.

11 NetDefendOS Benefit
NetDefend Family Overview & Strategy / NetDefendOS
NetDefendOS is a proprietary, closed architecture; it has fewer OS vulnerabilities and more reliability compared with competitors who use Windows, Linux or other open-source operating systems.
NetDefendOS certified by ICSA Labs: D-Link's NetDefend IPS Firewall has passed the strictest firewall certification, "ICSA Labs - Corporate Firewalls". The D-Link NetDefend IPS Firewalls had to pass a series of rigorous tests, including system installation and configuration, setting security policies, system management, system logging, event testing, port security and more. Not only did the NetDefend Firewall pass these tests, it also earned praise from ICSA Labs' Network Security Labs for unique features in the web administration interface that allow administrators to safely make changes to the firewall's configuration remotely.
D-Link certified by ICSA Labs: ICSA Labs is the security industry's central authority for research, intelligence, and certification testing of products. ICSA Labs sets standards for information security products and certifies over 95% of the installed base of anti-virus, firewall, IPSec VPN, cryptography, SSL VPN, network IPS, anti-spyware and PC firewall products commonly deployed. Today most professional security providers, such as Cisco, Fortinet and SonicWALL, prove that their firewall products are professional and stable through ICSA Labs Firewall Certification.

12 NetDefend IPS Firewall Introduction
NetDefend Family Overview & Strategy / NetDefend IPS Firewall
Model       Segment            Performance
DFL-210     Branch Office      80 Mbps
DFL-800     Small Business     150 Mbps
DFL-1600    Medium Business    320 Mbps
DFL-2500    Enterprise         600 Mbps
There are four NetDefend IPS Firewall models for different business segments, from the DFL-210 with 80 Mbps throughput for SOHO to the DFL-2500 with 600 Mbps throughput for the enterprise.

13 High Performance & Cost Efficiency
NetDefend Family Overview & Strategy / NetDefend IPS Firewall
DFL-210 (targets SOHO)
- Firewall throughput: 80 Mbps
- VPN performance: 25 Mbps (3DES/AES)
- 1 Ethernet WAN port, 4 Ethernet LAN ports, 1 configurable DMZ Ethernet port
DFL-800 (targets Small Business)
- Firewall throughput: 150 Mbps
- VPN performance: 60 Mbps (3DES/AES)
- 2 Ethernet WAN ports, 7 Ethernet LAN ports, configurable DMZ Ethernet port
The DFL-210 DMZ port can be configured as a WAN port, for a second WAN line as backup. The DFL-800 has a high port density design: it provides 2 WAN, 1 DMZ and 7 LAN ports to serve SMB customers' different network applications.

14 High Performance & Cost Efficiency
NetDefend Family Overview & Strategy / NetDefend IPS Firewall
DFL (targets Medium Business)
- Firewall throughput: 320 Mbps
- VPN performance: 120 Mbps (3DES/AES)
- 6 user-configurable Gigabit ports
DFL (targets Enterprise)
- Firewall throughput: 600 Mbps
- VPN performance: 300 Mbps (3DES/AES)
- 8 user-configurable Gigabit ports
The DFL-1600 and DFL-2500 provide all-gigabit interfaces to support gigabit network architectures and DMZ servers; these models also deliver high throughput for large network implementations.

15 Features of DFL-210 / 800 / 1600 / 2500
NetDefend Family Overview & Strategy / NetDefend IPS Firewall
Integrated Functions
- Firewall Protection
- Proactive Security with ZoneDefense Mechanism
- Content Filtering / Intrusion Detection
- Parental Access Control
- User Authentication
- Instant Message / P2P Blocking
- Denial of Service (DoS) Protection
- Virtual Private Network (VPN) Security
- Bandwidth Management
Fault Tolerance
- WAN Traffic Fail-Over
- Active/Passive Modes for High Availability
Bandwidth Management
- WAN Traffic Bandwidth Management
- Multi-WAN Interfaces for Traffic Load Sharing
- Outbound Traffic Load Balancing*
- Policy-Based Routing
Content Filtering
- URL Filtering
- Java Script / ActiveX / Cookie Filtering
- IM / P2P Program Filtering
* Firmware upgraded feature.

16 DFL-210 Competitors on the Market
NetDefend Family Overview & Strategy / NetDefend IPS Firewall
Small Business advantages
- Firewall system: Application Layer Gateway; H.323 NAT Traversal support; RADIUS, LDAP, Active Directory user authentication support
- Networking: IEEE 802.1q VLAN support; IP Multicast (IGMP) support
- VPN: versatile encryption methods; numerous VPN tunnels supported; PPTP/L2TP Server support
- Traffic load balance: Outbound Traffic load balancing*
- Others: IP and MAC binding; IM/P2P blocking support; unrestricted user licenses
Competitors: SonicWALL TZ170, Fortinet Fortigate 60, WatchGuard SOHO 6, Juniper NetScreen 5GT, ZyXEL ZyWALL 5 / 35, Cisco 501
The main difference between the DFL-210 and the DFL-800/1600/2500 is that the DFL-210 has NO ZoneDefense feature. The reason is simple: the DFL-210 is for the SOHO market, and in that segment this feature is not necessary.
* Firmware upgraded feature.

17 DFL-800 Competitors on the Market
NetDefend Family Overview & Strategy / NetDefend IPS Firewall
Small Business advantages
- Firewall system: ZoneDefense; Application Layer Gateway; H.323 NAT Traversal support; RADIUS, LDAP, Active Directory user authentication support
- Networking: IEEE 802.1q VLAN support; IP Multicast (IGMP) support
- VPN: versatile encryption methods; numerous VPN tunnels supported; PPTP/L2TP Server support
- Traffic load balance: Outbound Traffic load balancing*
- Others: IP and MAC binding; IM/P2P blocking support; unrestricted user licenses
Competitors: Cisco PIX 506E, ZyXEL ZyWALL 70, WatchGuard Firebox X500, Fortinet Fortigate 100A, Juniper NetScreen 25
* Firmware upgraded feature.

18 DFL-1600 Competitors on the Market
NetDefend Family Overview & Strategy / NetDefend IPS Firewall
Medium Business advantages
- Interface: high port density with configurable Gigabit ports
- Firewall system: ZoneDefense; Application Layer Gateway; RADIUS, LDAP, Active Directory user authentication support
- Networking: IP Multicast (IGMP) support
- VPN: versatile encryption methods; PPTP/L2TP Server support; PPTP/L2TP/IPSec VPN client pass-through support
- Traffic load balance: Outbound Traffic load balancing*; Server load balancing
- Others: IP and MAC binding; IM/P2P blocking support; unrestricted user licenses
Competitors: SonicWALL 3060, Fortinet Fortigate 200A, WatchGuard Firebox X2500, Fortinet Fortigate 300A, Juniper NetScreen 204, Cisco PIX 525E
From the DFL-1600 and up, the HA (High Availability) feature is available.
* Firmware upgraded feature.

19 DFL-2500 Competitors on the Market
NetDefend Family Overview & Strategy / NetDefend IPS Firewall
Enterprise advantages
- Interface: high port density with configurable Gigabit ports
- System performance: higher concurrent session count
- Firewall system: ZoneDefense; Application Layer Gateway; RADIUS, LDAP, Active Directory user authentication support
- Networking: IP Multicast (IGMP) support
- VPN: versatile encryption methods; PPTP/L2TP Server support; PPTP/L2TP/IPSec VPN client pass-through support
- Traffic load balance: Outbound Traffic load balancing*; Server load balancing
- Others: IP and MAC binding; IM/P2P blocking support; unrestricted user licenses
Competitors: Fortinet Fortigate 500A, Juniper NetScreen 208
* Firmware upgraded feature.

20 NetDefend IPS Firewall Q&A
NetDefend Family Overview & Strategy / NetDefend IPS Firewall
1. Which segments do NetDefend Firewalls serve? (Multiple Choice)
   a. Home  b. SOHO  c. Telecom  d. SMB
2. Which NetDefend Firewall models provide gigabit interfaces? (Multiple Choice)
   a. DFL-800  b. DFL-210  c. DFL-1600  d. DFL-2500
3. What is the competitor for the DFL-210?
   a. Fortinet Fortigate 60  b. WatchGuard Firebox X500  c. Juniper NetScreen 25  d. Cisco PIX 515
4. What is the competitor for the DFL-800?
   c. Juniper NetScreen 204  d. Cisco PIX 506
Answers: 1. B, D  2. C, D  3. A  4. B

21 NetDefend IPS Firewall Q&A
NetDefend Family Overview & Strategy / NetDefend IPS Firewall
5. What is the competitor for the DFL-1600?
   a. Fortinet Fortigate 300A  b. WatchGuard Firebox X500  c. Juniper NetScreen 204  d. SonicWALL Pro 2040
6. What is the competitor for the DFL-2500?
   a. Fortinet Fortigate 400A  b. WatchGuard Firebox X2500  c. Juniper NetScreen 208  d. SonicWALL Pro 3060
7. Which model supports configurable ports?
   a. DFL-210  b. DFL-800  c. DFL-1600  d. DFL-2500  e. All of the above
Answers: 5. C  6. C  7. E

22 NetDefend IPS Firewall Q&A
NetDefend Family Overview & Strategy / NetDefend IPS Firewall
8. Which feature does the NetDefend DFL-210 Firewall NOT support?
   a. Traffic Shaping  b. Server load balancing  c. IPS  d. Policy based routing
9. Which models support HA? (Multiple Choice)
   a. DFL-210  b. DFL-800  c. DFL-1600  d. DFL-2500
10. Which model does NOT support ZoneDefense?
Answers: 8. B  9. C, D  10. A

23 NetDefend IPS Firewall Q&A
NetDefend Family Overview & Strategy / NetDefend IPS Firewall
11. Which detail is WRONG for firewall/VPN throughput?
   a. DFL /25 Mbps  b. DFL /80 Mbps  c. DFL /120 Mbps  d. DFL /300 Mbps
12. Which kinds of user authentication does the firewall support?
   a. LDAP  b. RADIUS  c. Active Directory  d. All of the above
13. How many user licenses does the DFL-210 support?
   a. 100  b. 200  c. 300  d. Unrestricted user licenses
Answers: 11. B  12. D  13. D

24 NetDefend IPS Firewall Q&A
NetDefend Family Overview & Strategy / NetDefend IPS Firewall
14. Which model is for the branch office?
   a. DFL-210  b. DFL-800  c. DFL-1600  d. DFL-2500
15. Which model is for small business?
16. What is the NetDefend Firewall's advantage?
   a. Firewall and VPN throughput  b. Joint defense with switch  c. Comprehensive feature set  d. Flexible interface module
17. Which feature integrates the switch into a security solution from gateway to endpoint?
   a. Web Content Filtering  b. Anti-Virus  c. Intrusion Prevention System  d. ZoneDefense
Answers: 14. A  15. B  16. D  17. D

25 NetDefend UTM Product Overview
NetDefend Family Overview & Strategy / NetDefend UTM Firewall
Stemming from NetDefendOS: adopting the same kernel certified by ICSA Labs, the NetDefend UTM Firewall also integrates innovative technologies from world-leading IPS, AV and WCF partners.
NetDefend UTM Firewall portfolio: Firewall, VPN, IPS, Antivirus, Web Content Filtering, Application Control.
- Targets SMBs and enterprises, enabling protection against all varieties of network threats simultaneously and in real time.
- Positioned as high-throughput, high-performance UTM firewalls with true hardware acceleration.
- Incorporates leading IPS, Antivirus and Web Content Filtering technologies from well-known vendors.
The NetDefendOS in the NetDefend UTM firewall is the same as in the NetDefend IPS Firewall, including the firewall features, reliability and software architecture. All features of the NetDefend UTM Firewall use the same technologies as the NetDefend IPS Firewall DFL-210/800/1600/2500, but the NetDefend UTM Firewall integrates more security services into the NetDefend Firewall, including IPS, Anti-Virus and Web Content Filtering; besides that, the NetDefend UTM Firewall adopts a hardware accelerator to improve Layer 7 content inspection performance.

26 NetDefend UTM Firewall Introduction
NetDefend Family Overview & Strategy / NetDefend UTM Firewall
The NetDefend UTM firewall DFL-260/860 series is D-Link's brand new Unified Threat Management (UTM) Firewall solution, which further integrates IPS, Anti-Virus and Web Content Filtering, providing more secure and productive networking for SMBs. All hardware design of the NetDefend UTM Firewall, such as housing, Ethernet interfaces and Web GUI, is the same as the NetDefend IPS firewall; additionally, the NetDefend UTM Firewall is equipped with hardware acceleration for speeding up IPS and Anti-Virus scanning performance, outranking Cisco, WatchGuard, SonicWALL, Juniper and Fortinet in the same market segment.
DFL-260 (targets SOHO)
- Firewall throughput: 80 Mbps
- VPN performance: 25 Mbps
- IPS performance: 25 Mbps
- Anti-Virus performance: 25 Mbps
- Web Content Filtering: 30+ categories
DFL-860 (targets Small Business)
- Firewall throughput: 150 Mbps
- VPN performance: 60 Mbps
- IPS performance: 50 Mbps
- Anti-Virus performance: 50 Mbps
- Web Content Filtering: 30+ categories

27 UTM/IPS Firewall Key Competency
NetDefend Family Overview & Strategy / UTM/IPS Firewall Key Competency
You have already learned a lot of IPS and UTM firewall features in the previous slides. The following are the IPS/UTM firewall key advantages when competing with our competitors in the market.
- The NetDefend IPS/UTM Firewall delivers rich advanced features with friendly and easy configuration, enables the stability, flexibility and scalability of the IT infrastructure, and makes it a cost-effective solution for Small to Medium Business (SMB).
- Emerging network threats and zero-day attacks drive market demand toward a more robust security mechanism. Built with advanced IPS signature technology and powered by the Kaspersky anti-virus solution (UTM Firewall only), the NetDefend IPS/UTM Firewall is the efficient and effective solution to stop various network threats and attacks for SMBs.
- The NetDefend UTM Firewall delivers high port density, built-in multiple WAN ports and WAN / LAN / DMZ port configurability, enabling customers to scale their infrastructure on their own demand.

28 UTM/IPS Firewall Key Competency
NetDefend Family Overview & Strategy / UTM/IPS Firewall Key Competency
- The NetDefend UTM Firewall offers high network throughput and high network performance for customers, providing up to 80 / 150 Mbps firewall throughput and 25 / 60 Mbps IPSec VPN throughput for the DFL-260 / 860 respectively.
- The NetDefend UTM Firewall enables WAN Load Balance, WAN Fail-over and Server Load Balance to provide customers with a continuous Internet connection and smooth network services.
- The NetDefend UTM Firewall provides advanced Traffic Shaping technology, which prioritizes and differentiates network traffic according to service precedence. For mission-critical services the bandwidth is always guaranteed and optimized, while for minor services the bandwidth is adjusted dynamically according to network traffic conditions.
- The NetDefend UTM Firewall features not only an intuitive, object-oriented user interface that can be easily configured via a web console, but also a Command-Line Interface (CLI) with a full function set for advanced users. Users can easily configure and perform the administrative functions of the firewalls.

29 UTM/IPS Firewall Key Competency
NetDefend Family Overview & Strategy / UTM/IPS Firewall Key Competency
- Multiple encryption methods are implemented on the NetDefend UTM Firewall, including DES, 3DES, AES, Twofish, Blowfish and CAST-128, to provide secure VPN connections for SMBs and enterprises.
- The NetDefend UTM Firewall features built-in IPS and Anti-Virus proactive engines, which let customers effectively detect and prevent hybrid network threats with a low false-positive rate.
- ZoneDefense integrates the D-Link NetDefend Firewall and xStack Switch to enable a proactive network security mechanism. Whenever network virus or worm attacks are detected by the firewall, ZoneDefense triggers and notifies the D-Link switches automatically; in real time the infected hosts are disconnected, to stop further mutual infection among internal hosts.
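The ZoneDefense flow described above, as an added simulation that is not D-Link code: firewall IPS/AV events are counted per source host, and once a host crosses a threshold its access-switch port is marked for shutdown. The host-to-port table, the log lines, the three-hit threshold and the exclusion list of hosts that must never be auto-isolated are all assumptions made for this demo, not NetDefendOS or xStack settings.

```python
# Added example, not D-Link code: simulates the ZoneDefense flow (firewall
# detects a worm on an internal host, the switch port of that host is shut).
# Host table, log lines, threshold and exclusion list are constructed.
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed: which access switch and port each internal host is attached to.
HOST_PORTS: Dict[str, Tuple[str, str]] = {
    "192.168.1.20": ("sw-access-1", "1/0/5"),
    "192.168.1.21": ("sw-access-1", "1/0/6"),
    "192.168.1.10": ("sw-core", "1/0/1"),   # file server
}
# Constructed: hosts that must never be auto-isolated (servers, gateways).
EXCLUDED = {"192.168.1.10"}
THRESHOLD = 3   # assumption: isolate a host after this many IPS/AV hits

# Constructed firewall log lines in a simple key=value shape.
SAMPLE_EVENTS = [
    "event=ips src=192.168.1.20 sig=worm.scan",
    "event=av  src=192.168.1.21 sig=test.file",
    "event=ips src=192.168.1.20 sig=worm.scan",
    "event=ips src=192.168.1.10 sig=worm.scan",
    "event=ips src=192.168.1.10 sig=worm.scan",
    "event=ips src=192.168.1.10 sig=worm.scan",   # server: excluded, never isolated
    "event=ips src=192.168.1.20 sig=worm.scan",   # third hit: isolate .20
    "event=ips src=192.168.1.20 sig=worm.scan",   # already isolated: no new action
    "event=ips src=10.0.0.5 sig=worm.scan",       # host with no known switch port
    "event=ips src=10.0.0.5 sig=worm.scan",
    "event=ips src=10.0.0.5 sig=worm.scan",
    "event=conn src=192.168.1.21 sig=-",           # plain connection log, not a detection
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'key=value' tokens; tokens without '=' are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


@dataclass
class ZoneDefense:
    hits: Counter = field(default_factory=Counter)
    isolated: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    actions: List[dict] = field(default_factory=list)
    unmapped: List[str] = field(default_factory=list)

    def handle(self, line: str) -> Optional[dict]:
        """Process one log line; return the switch action it triggered, if any."""
        ev = parse_event(line)
        src = ev.get("src")
        if ev.get("event") not in ("ips", "av") or src is None:
            return None                        # not a detection event
        self.hits[src] += 1
        if src in EXCLUDED or src in self.isolated or self.hits[src] < THRESHOLD:
            return None
        port = HOST_PORTS.get(src)
        if port is None:
            self.unmapped.append(src)          # nothing a switch can act on; record it
            return None
        self.isolated[src] = port
        action = {"switch": port[0], "port": port[1], "host": src, "action": "shutdown"}
        self.actions.append(action)
        return action


def run(lines: List[str]) -> ZoneDefense:
    """Feed a batch of log lines through the simulated ZoneDefense engine."""
    zd = ZoneDefense()
    for line in lines:
        zd.handle(line)
    return zd


if __name__ == "__main__":
    result = run(SAMPLE_EVENTS)
    for action in result.actions:
        print(action)
    print("excluded or unmapped hosts left untouched:", sorted(result.unmapped))
```

The exclusion list and the threshold are the two knobs a defender cares about in any automatic-isolation design: without them a single false positive can take a server offline, and a host the switch cannot map to a port produces a log entry rather than a silent no-op.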

30 High Performance of NetDefend UTM Firewall
NetDefend Family Overview & Strategy / NetDefend UTM Firewall
The NetDefend UTM Firewall is equipped with a hardware accelerator for Layer 7 content inspection, which gives it higher IPS and Anti-Virus performance than other competitors.
                            DFL-260    DFL-860
UTM Firewall Performance    80 Mbps    150 Mbps
VPN Performance             25 Mbps    60 Mbps
IPS Performance                        50 Mbps
Anti-Virus Performance
Web Content Filtering       Y
We also compare IPS and Anti-Virus performance with the UTM firewall of a famous security provider, J company, in the next slides for your reference.

31 High IPS performance with hardware accelerator
NetDefend Family Overview & Strategy / NetDefend UTM Firewall
UTM firewall throughput is triple that of J company XX 20. More detail will be introduced in the IPS Feature chapter.
* Test criteria: 5 concurrent users download a 10 MB file over HTTP.

32 Super fast Anti-Virus scanning by hardware accelerator
NetDefend Family Overview & Strategy / NetDefend UTM Firewall
Scanning capability is triple that of J company XX 20. D-Link spends ONLY 8 seconds to finish a 10 MB file transmission, but J company needs 30 seconds. More detail will be introduced in the Anti-Virus Feature chapter.
* Test criteria: 5 concurrent users download a 10 MB file over HTTP.

33 Huge and comprehensive IPS signature database
NetDefend Family Overview & Strategy / NetDefend UTM Firewall
The IPS database is 10x larger than that of J company XX 20.

34 NetDefend UTM Firewall vs. J company XX 20
NetDefend Family Overview & Strategy / NetDefend UTM Firewall
                                 DFL-860          J company XX 20
Anti-Virus / IPS Performance     54 / 52 Mbps*    22 / 16 Mbps
IPS Signature Number             8000+            808
File Transmission Speed (10MB)   14 seconds       35 seconds
File size limitation             No limitation    10MB
- Double the performance for Anti-Virus scanning.
- Triple the performance for Intrusion Prevention System.
- Signatures covering most intrusion attacks and high IPS performance (52 Mbps), competing with J company, which uses few IPS signatures (808) and has poor performance (13 Mbps).
* Value is based on real traffic. More detail will be introduced in the IPS and Anti-Virus Feature chapter.

35 NetDefend UTM Firewall vs. J company XX 20
NetDefend Family Overview & Strategy / NetDefend UTM Firewall
- No file size limitation, supporting large-file scanning for Anti-Virus.
- Streaming-based technology doubles UTM performance for Anti-Virus scanning.
- No concurrent session limit; high performance is kept as the number of users increases.
Other competitors, such as J company, implement a proxy mode that has to store the file and then scan it; the file size and connection count are therefore bottlenecked by the device memory size. More detail will be introduced in the IPS and Anti-Virus Feature chapter.
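The proxy-mode versus streaming contrast drawn above, as an added example that is not D-Link code: a proxy-mode scanner must buffer the whole object before scanning it, so it enforces a size cap (the 10 MB figure quoted for J company) and passes larger objects through unscanned; a streaming scanner inspects each chunk as it arrives and carries only the last len(signature)-1 bytes forward, so memory stays bounded whatever the file size and a signature split across two chunks is still caught. The signature bytes, chunk size and payloads are constructed for the demo; a third scanner without the carry-over is included to show why the overlap window matters.

```python
# Added example, not D-Link code: proxy-mode (buffer then scan, size-capped)
# versus streaming (scan per chunk with an overlap window) anti-virus scanning.
# SIGNATURE, CHUNK and the payloads built below are constructed for the demo.
from typing import Iterable, Iterator, Optional

SIGNATURE = b"DEMO-WORM-SIGNATURE"     # constructed stand-in for a real AV pattern
PROXY_SIZE_LIMIT = 10 * 1024 * 1024     # 10 MB cap, as quoted on the slide
CHUNK = 4096                            # constructed chunk size for the stream


def proxy_scan(stream: Iterable[bytes], limit: int = PROXY_SIZE_LIMIT) -> Optional[bool]:
    """Proxy mode: buffer the entire object, then scan it.

    Returns True/False when the object was scanned, or None when it grew past
    the limit and had to be passed through unscanned (the memory bottleneck)."""
    buf = bytearray()
    for chunk in stream:
        buf.extend(chunk)
        if len(buf) > limit:
            return None
    return SIGNATURE in buf


def naive_chunk_scan(stream: Iterable[bytes], signature: bytes = SIGNATURE) -> bool:
    """Per-chunk scan with no carry-over: constant memory, but it misses a
    signature that straddles a chunk boundary."""
    return any(signature in chunk for chunk in stream)


def streaming_scan(stream: Iterable[bytes], signature: bytes = SIGNATURE) -> bool:
    """Streaming mode: scan each chunk as it arrives, carrying the last
    len(signature)-1 bytes forward so boundary-spanning matches are found.
    Memory use is bounded by one chunk plus the carry, whatever the file size."""
    keep = len(signature) - 1
    carry = b""
    for chunk in stream:
        window = carry + chunk
        if signature in window:
            return True
        carry = window[-keep:] if keep else b""
    return False


def chunked(data: bytes, size: int = CHUNK) -> Iterator[bytes]:
    """Turn an in-memory object into the chunk stream a gateway would receive."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def build_payload(total: int, sig_offset: int) -> bytes:
    """Constructed object: filler bytes with the signature planted at sig_offset."""
    body = bytearray(b"A" * total)
    body[sig_offset:sig_offset + len(SIGNATURE)] = SIGNATURE
    return bytes(body)


def demo() -> dict:
    """Run the three scanners over two constructed objects and collect results."""
    # 16 KB object with the signature starting 6 bytes before the first chunk edge.
    small = build_payload(16 * 1024, CHUNK - 6)
    # 12 MB object, over the proxy cap, with the signature near the end.
    large_len = 12 * 1024 * 1024
    large = build_payload(large_len, large_len - 1000)
    return {
        "small_proxy": proxy_scan(chunked(small)),
        "small_naive": naive_chunk_scan(chunked(small)),
        "small_stream": streaming_scan(chunked(small)),
        "large_proxy": proxy_scan(chunked(large)),
        "large_stream": streaming_scan(chunked(large)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

The None result from proxy_scan on the 12 MB object is the behaviour the slide criticizes: the object leaves the gateway unscanned. The naive scanner shows the opposite failure, a false negative at a chunk edge, which is why a streaming engine must keep state between chunks.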

36 Competitive Comparison & Analysis
NetDefend Family Overview & Strategy / NetDefend UTM Firewall
UTM performance versus price
DFL-260: Firewall Throughput 80Mbps; VPN Throughput 25Mbps; Hardware Based IPS; Hardware Based Anti-Virus
Competitors on the chart: ZyWall 5 UTM, SonicWALL TZ 190, Juniper 5GT, Fortigate 60. Competitor figures shown on the slide:
- Firewall Throughput: 75Mbps; VPN Throughput: 20Mbps; Software Based IPS; Software Based Anti-Virus
- Firewall Throughput: 70Mbps; VPN Throughput: 20Mbps; Software Based IPS; Software Based Anti-Virus
- Firewall Throughput: 90Mbps; VPN Throughput: 30+Mbps; Software Based IPS; Software Based Anti-Virus (expensive optional license charge is required!)
- Firewall Throughput: 65Mbps; VPN Throughput: 25Mbps; Hardware Based IPS; Hardware Based Anti-Virus
Compared with these competitors, the DFL-260 has the best performance and an affordable cost for SOHO. In terms of the IPS and AV engines, the DFL-260 adopts a hardware-based engine for packet inspection, while most competitors adopt a software engine to process virus scanning and intrusion detection.

37 Competitive Comparison & Analysis
NetDefend Family Overview & Strategy / NetDefend UTM Firewall
UTM performance versus price
DFL-860: Firewall Throughput 150Mbps; VPN Throughput 60Mbps; Hardware Based IPS; Hardware Based Anti-Virus
Competitors on the chart: Juniper SSG 20, SonicWALL Pro 2040, Fortinet 200A, ZyWall 70, WatchGuard X550e. Competitor figures shown on the slide:
- Firewall Throughput: 160Mbps; VPN Throughput: 40Mbps; Software Based IPS
- Firewall Throughput: 100Mbps; VPN Throughput: 40Mbps; Hardware Based IPS; Hardware Based Anti-Virus
- Firewall Throughput: 150Mbps; VPN Throughput: 70Mbps; poor IPS & AV performance
- Firewall Throughput: 200Mbps; VPN Throughput: 50Mbps; Software Based IPS; Software Based Anti-Virus (expensive optional license charge is required!)
- Firewall Throughput: 125Mbps; VPN Throughput: 20Mbps; Software Based IPS; Software Based Anti-Virus
For the DFL-860 the competition is the same as for the DFL-260: the key to the competition is the hardware-based engine for anti-virus and IPS.

38 Summary: NetDefend UTM Firewall Selling Point
NetDefend Family Overview & Strategy / NetDefend UTM Firewall
- Adopting the same kernel certified by ICSA Labs, the NetDefend UTM Firewall also integrates innovative technologies from world-leading IPS, AV and WCF partners.
- High throughput and high performance with true hardware acceleration.
- Fast file transmission speed for Anti-Virus scanning.
- Comprehensive IPS signature database (8000+).
- No file size or connection limitation for Anti-Virus scanning. Other competitors cannot prevent viruses hidden in files over a specific size and are not able to support large numbers of concurrent sessions.
- Well-known Anti-Virus database by Kaspersky.
- Triggering ZoneDefense by IPS and Anti-Virus* to protect against virus or network worm outbreaks in real time.
- The NetDefend Center website provides valuable information on network security.
* Supported in a future release.

39 NetDefend UTM Firewall Q&A
NetDefend Family Overview & Strategy / NetDefend UTM Firewall
1. Which NetDefend UTM Firewalls are available now? (Multiple Choice)
   a. DFL-260  b. DFL-860  c. DFL-1660  d. DFL-2560
2. What new feature does the NetDefend firewall support after firmware version 2.20?
   a. IPS  b. Anti-Virus  c. Web Content Filtering  d. Anti-SPAM
3. Why can the D-Link UTM Firewall reach high performance?
   a. Embedded hardware accelerator  b. Anti-Virus engine by Kaspersky  c. New CPU processor  d. New software core
4. What is the IPS and Anti-Virus performance of the DFL-860?
   a. 30/30 Mbps  b. 50/50 Mbps  c. 45/45 Mbps  d. 60/60 Mbps
Answers: 1. A, B  2. D  3. A  4. B

40 NetDefend UTM Firewall Q&A
NetDefend Family Overview & Strategy / NetDefend UTM Firewall
5. What is the IPS and Anti-Virus performance of the DFL-260?
   a. 20/20 Mbps  b. 40/20 Mbps  c. 30/30 Mbps  d. 35/35 Mbps
6. What is the file size limitation of the UTM Firewall for anti-virus?
   a. 3 MB  b. 5 MB  c. 10 MB  d. No limitation
7. Who is the anti-virus signature vendor?
   a. Trendmicro  b. Symantec  c. McAfee  d. Kaspersky
8. How many IPS signatures are in the UTM database?
   a  b  c  d
Answers: 5. B  6. D  7. D  8. C

41 NetDefend UTM Firewall Q&A
NetDefend Family Overview & Strategy / NetDefend UTM Firewall
9. What is the major difference between the UTM firewall and the IPS firewall?
   a. The UTM firewall has VPN, but the IPS firewall does not
   b. The UTM firewall has Anti-Virus and WCF, but the IPS firewall does not
   c. The UTM firewall has IPS and Anti-Virus, but the IPS firewall has IPS and WCF
   d. The UTM firewall has WCF and Anti-Virus, but the IPS firewall has IPS and Anti-Virus
10. What are the D-Link UTM's advantages?
   a. Performance  b. Signature number  c. Scanning file size  d. ZoneDefense (excluding DFL-260)  e. All of the above
Answers: 9. B  10. E

42 NetDefend Family's Competency
NetDefend Family Overview & Strategy / Competitive Comparison & Analysis
Our advantages: sufficient features, solution oriented, outstanding performance, affordable price.
How to fight our major competitors: Fortinet, SonicWALL, Juniper, ZyXEL.
When competing with other security vendors, please keep our advantages in mind:
- Sufficient features: even though we are not an innovator in the security industry, we still offer a sufficient feature set to serve different markets.
- Solution oriented: integrating the NetDefend Firewall with the xStack Switch delivers customers an enterprise-level solution.
- Outstanding performance: our performance is always outstanding when compared with others in the same position.
- Affordable price: our product is always the most cost-effective one in the same position.

43 Compare with Fortinet
NetDefend Family Overview & Strategy / Competitive Comparison & Analysis
Myth of Fortinet: Fortinet is an innovator which provides many advanced security features in the security market.
How to compete with Fortinet? Weaknesses:
- Poor performance with anti-virus or IPS enabled
- Complete firewall products, but no total solution
- Only a 30-day free trial for the UTM service
- Anti-Virus database is not from a well-known provider
- IPS signatures number only 2,000
- Service coverage focuses on the main countries
NetDefend's advantages and counterplot (conclusion): Compared with D-Link security products, Fortinet seems to have a complete product line, but the performance and features of the D-Link firewall are excellent. D-Link provides customers a total network solution, not a single product: firewalls integrate with xStack switches as the ZoneDefense solution, and the unified switch integrates access points as a wireless management solution. D-Link has complete service coverage with 130+ offices in 70+ countries worldwide. Even though Fortinet highlights the good performance of its ASIC, the Fortinet datasheet gives the anti-virus throughput of the Fortigate 100A as only 8 Mbps. Fortinet owns its own anti-virus database rather than using a well-known worldwide anti-virus vendor; customers are concerned about update frequency, signature accuracy and response time, and Fortinet has a hard time convincing customers on these concerns.

44 Compare with SonicWALL
NetDefend Family Overview & Strategy / Competitive Comparison & Analysis
Myth of SonicWALL: SonicWALL promotes its deep packet inspection technology and integrated security features.
How to compete with SonicWALL?
- Several advanced features require purchasing the enhanced OS and an upgrade license, such as policy-based routing, advanced NAT features, a sufficient policy count, HA, load balancing, object-based management and LDAP.
- Even when the client purchases the enhanced OS to get the HA feature, SonicWALL still does not provide firewall and VPN session synchronization. It is a lame solution for HA.
- After the license upgrade, SonicWALL still lacks some enhanced network features, such as PPTP Server and 802.1q VLAN support.
- Bandwidth / traffic control is always their weak point; they never mention traffic shaping and traffic load balancing features.
- No Gigabit interfaces, and the VPN tunnel count is limited.
NetDefend's advantages and counterplot (conclusion):
- Without purchasing an extra license, the D-Link NetDefend firewall already has many advanced network features built in under a single license.
- D-Link delivers an enterprise-level security solution, ZoneDefense, to customers for joint security.
- The D-Link NetDefend Firewall delivers the best Total Cost of Ownership (TCO) for customers.

45 NetDefend Family Overview & Strategy Competitive Comparison & Analysis
Compare with Juniper
Myth of Juniper: Juniper is the market leader in the security market. Juniper firewalls offer L2 and L3 operation modes, and Juniper highlights its signature pack for network security.
NetDefend's Advantages & Counterplot: How to compete with Juniper?
L2 mode (transparent mode) and L3 mode (router / NAT mode) cannot co-exist, and changing the operation mode loses all of the configuration.
10 MB file size limitation for file-based anti-virus scanning. It adds latency, especially for multiple-file transfers in a real environment.
Juniper only delivers simple QoS for traffic prioritization. There are no advanced or granular settings to guarantee per-user bandwidth control.
Juniper still lacks some enhanced network features, such as a PPTP server, server load balancing and a dynamic bandwidth balancing mechanism.
Conclusion: The D-Link NetDefend Firewall has a high C/P rate and reduces business Total Cost of Ownership. No extra cost for the full feature set. D-Link can integrate all xStack switch series to enable a client-less end-point security solution: ZoneDefense technology. Full functionality: high port density (entry level) and all-GbE copper interfaces (enterprise), which can fulfill different environment requirements.

46 NetDefend Family Overview & Strategy Competitive Comparison & Analysis
Compare with ZyXEL
Myth of ZyXEL: ZyXEL's ZyWALL is ICSA-certified and has earned an excellent reputation in the SMB segment of the security appliance market in Europe.
NetDefend's Advantages & Counterplot: How to compete with ZyXEL?
ZyWALL Firewall and UTM series have limited port interfaces and lack expandability for SMBs.
ZyWALL Firewall and UTM series provide a limited number of VPN tunnels. For the ZyWALL 70 UTM, the maximum is 1,000 VPN tunnels.
Only the ZyWALL 1050 supports 802.1Q VLAN; the rest of the models do not support 802.1Q at all.
ZyWALL Firewall and UTM series do not support an L2TP server.
The ZyWALL security service bundles anti-virus and IDP together; customers cannot buy either one individually.
ZyWALL Firewall and UTM series are ICSA-certified under the "Residential" testing criteria only, rather than the "Corporate" criteria.
Conclusion: D-Link NetDefend Firewall and UTM series pass the ICSA Corporate level testing criteria, whereas ZyWALL passes the ICSA Residential level only. D-Link can integrate all xStack switch series to enable a client-less end-point security solution: ZoneDefense technology. Compared with ZyXEL, D-Link's brand is better known and has a more comprehensive office and tech-support network around the world.

47 NETDEFENDOS FEATURE INTRODUCTION
DCS-Security NETDEFENDOS FEATURE INTRODUCTION 47

48 Key Features in NetDefendOS
NetDefendOS Feature Introduction Key Features in NetDefendOS
Routing Features, Route Failover, Virtual Private Network (VPN), Virtual Local Area Network (VLAN), High Availability (HA), Traffic Management, User Authentication, ZoneDefense.
In this chapter, we are going to present the feature set in NetDefendOS. NetDefendOS is adopted in both the NetDefend IPS Firewall and the NetDefend UTM Firewall, so the feature set in this chapter applies to both product lines. The following are the important (but not the only) features in NetDefendOS:
Routing Features: routing determines the path from source to destination.
Route Failover: when a specific route to a destination fails, traffic can be switched to another route automatically.
VPN: a technology that makes a connection over a public network as secure as a dedicated private connection.
VLAN: a technology that divides a physical network into different segments for access control purposes.
High Availability (HA): two identical devices, each of which can back up the other when it is not available.
Traffic Management: control of inbound and outbound packet flow and bandwidth.
User Authentication: only specific users or groups can gain the privilege of accessing the network.
ZoneDefense: a technology that integrates the NetDefend and xStack families to fulfill the idea of Joint Security.

49 Routing Features in NetDefendOS
NetDefendOS Feature Introduction Routing Features
Routing Features in NetDefendOS
Platform Compatibility: DFL-210/260/800/860/1600/2500
After this section, you should be able to explain:
1. What is static routing?
2. What is PBR (Policy Based Route)?
3. What can we achieve when using this feature?
4. What is load sharing?
5. What is the key component of load sharing?
6. What is dynamic routing?
7. What is the difference between dynamic and static routing?
In this course, we are going to present the fundamental knowledge of the routing features in NetDefendOS.

50 Static Route & Route Failover
NetDefendOS Feature Introduction Routing Features Static Route & Route Failover
[Diagram: Internet, ISP1, ISP2, Red Line, Green Line, LAN Net]
When PCs in different network segments want to communicate with each other, they first have to connect to the gateway within their own network segment. The gateway is not connected to the destination directly; it is responsible for transmitting the packet to the next node that knows where to go. This mechanism is called routing. After the routing process is repeated several times on different nodes, the communication between the PCs can be completed. If we have to set up the routing rules manually, this is called static routing.
Beyond this, it is quite common to have backup Internet connectivity using a secondary Internet Service Provider (ISP). The connections to the two service providers often use different access methods to avoid a single point of failure. To support a scenario such as multiple ISPs, NetDefendOS provides a Route Failover capability: when one route fails, traffic can automatically fail over to an alternate route. NetDefendOS implements Route Failover through Route Monitoring, in which NetDefendOS monitors the availability of routes and switches traffic to an alternate route when the preferred one fails.
Taking the above diagram as an example, the DFL device has two routes to the server, the red line and the green line. With static routing, you can define either the red or the green line as your preferred route. You can also configure both the red and green lines as routes and enable Route Monitoring on both; when one fails, Route Failover is triggered and the other takes over.

51 NetDefendOS Feature Introduction Routing Features
Policy Based Route
NetDefendOS provides the following types of PBR: source-based routing and service-based routing.
Benefit of Policy Based Route: load sharing between multiple WAN links.
Policy-based Routing is an extension to the standard approach to routing described previously. It offers administrators significant flexibility in implementing routing decision policies by defining Policy-based Routing Rules. Normal routing forwards packets according to destination IP address information derived from static routes or from a dynamic routing protocol. Policy-based Routing means that the routes chosen for traffic can be based on other parameters, such as the source address or service type. NetDefendOS implements routing not by looking at packets one by one, but on a state or connection basis, so that the routing policy controls both the forward and the return routing direction. Policy-based Routing can also be applied on an application basis by allowing:
Source-based routing: when more than one ISP is used to provide Internet services, Policy-based Routing can route traffic originating from different sets of users through different routes. For example, traffic from one address range might be routed through one ISP, while traffic from another address range might go through a second ISP.
Service-based routing: Policy-based Routing can route a given protocol, such as HTTP, through transparent proxies such as web caches.

52 NetDefendOS Feature Introduction Routing Features
Dynamic Routing
Why do we need dynamic routing? What is dynamic routing? Which dynamic routing protocols do we support? OSPF (Open Shortest Path First).
Why do we need dynamic routing? Because static routing is a manual approach, it is most appropriate in smaller network deployments where addresses are fairly fixed and the number of connected networks is limited to a few. For larger networks, however (or whenever the network topology is complex), manually maintaining static routing tables is time-consuming and problematic. As a consequence, dynamic routing should be used in those cases. Furthermore, dynamic routing can detect the availability of a specific route; if one is not available, it can automatically update its routing table.
What is dynamic routing? Dynamic routing differs from static routing in that the D-Link firewall adapts to changes in network topology or traffic load automatically. NetDefendOS first learns all of the directly connected networks and gets further route information from other routers. Detected routes are sorted, the most suitable routes for each destination are added to the routing table, and this information is distributed to other routers. Dynamic routing responds to routing updates on the fly but has the disadvantage that it is more susceptible to certain problems, such as routing loops. On the Internet, two types of dynamic routing algorithm are used: the Distance Vector (DV) algorithm (RIP adopts the DV algorithm) and the Link State (LS) algorithm (OSPF adopts the LS algorithm). How a router decides the optimal or "best" route and shares updated information with other routers depends on the type of algorithm used.
Which dynamic routing protocols do we support? OSPF (Open Shortest Path First) only.
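As an added illustration of the link-state algorithm described above (example code, not NetDefendOS or D-Link code), the block below runs the shortest-path-first computation that OSPF uses over a constructed link-state database, turns the result into a routing table, and recomputes it after a link fails. The router names, link costs and prefixes are all constructed for the example; the assumption that both ends of a link advertise the same cost is marked in the code.

```python
import heapq
from typing import Dict, List, Optional, Tuple

# Constructed link-state database (LSDB): router -> [(neighbour, cost)].
# Assumption: every link is advertised by both ends with the same cost.
LSDB: Dict[str, List[Tuple[str, int]]] = {
    "fw": [("r1", 10), ("r2", 10)],
    "r1": [("fw", 10), ("r3", 10)],
    "r2": [("fw", 10), ("r3", 50)],
    "r3": [("r1", 10), ("r2", 50)],
}

# Constructed: the networks each router advertises as directly attached.
ATTACHED: Dict[str, List[str]] = {
    "fw": ["192.168.1.0/24"],
    "r1": ["10.1.0.0/16"],
    "r2": ["10.2.0.0/16"],
    "r3": ["10.3.0.0/16"],
}

SpfResult = Dict[str, Tuple[int, Optional[str]]]   # router -> (total cost, first hop)


def spf(lsdb: Dict[str, List[Tuple[str, int]]], root: str) -> SpfResult:
    """Dijkstra shortest-path-first over the LSDB, with the calling router
    as the root of the tree (this is the LS computation a link-state router runs)."""
    dist: SpfResult = {root: (0, None)}
    heap: List[Tuple[int, str]] = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist[node][0]:
            continue                              # stale heap entry, already improved
        first_hop = dist[node][1]
        for nbr, link_cost in lsdb.get(node, []):
            new_cost = cost + link_cost
            new_first = nbr if node == root else first_hop
            if nbr not in dist or new_cost < dist[nbr][0]:
                dist[nbr] = (new_cost, new_first)
                heapq.heappush(heap, (new_cost, nbr))
    return dist


def build_routing_table(lsdb, attached, root: str) -> Dict[str, Tuple[int, Optional[str]]]:
    """Routing table derived from the SPF tree: prefix -> (cost, first hop);
    a first hop of None means the prefix is directly connected."""
    tree = spf(lsdb, root)
    table: Dict[str, Tuple[int, Optional[str]]] = {}
    for router, (cost, first_hop) in tree.items():
        for prefix in attached.get(router, []):
            if prefix not in table or cost < table[prefix][0]:
                table[prefix] = (cost, first_hop)
    return table


def without_link(lsdb, a: str, b: str):
    """LSDB after the link between a and b is withdrawn in both directions,
    which is what the flooded link-state update after a failure produces."""
    return {n: [(x, c) for x, c in nbrs if {n, x} != {a, b}] for n, nbrs in lsdb.items()}


if __name__ == "__main__":
    print(build_routing_table(LSDB, ATTACHED, "fw"))
    # after the fw-r1 link fails, 10.1.0.0/16 and 10.3.0.0/16 move behind r2
    print(build_routing_table(without_link(LSDB, "fw", "r1"), ATTACHED, "fw"))
```

The second call shows why the slide prefers dynamic routing on complex topologies: nothing in the table was edited by hand, the new paths fall out of re-running SPF on the updated database.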

53 NetDefendOS Feature Introduction Routing Features
Load Sharing
More than two Internet connections; interoperates with PBR (source-based routing, service-based routing).
As we stated before, it is quite common to have backup Internet connectivity using a secondary Internet Service Provider (ISP). The connections to the two service providers often use different access methods to avoid a single point of failure. Beyond backup, we can make good use of the two connections to share network traffic. As you might imagine, the load sharing feature is an application of PBR (Policy Based Route). If more than one line is available for Internet traffic, we can share the network traffic based on:
Source IP: when Internet access comes from different source IPs, NetDefendOS uses different network connections.
Service: when different Internet services are accessed, NetDefendOS uses different network connections.
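The following added Python model (example code, not NetDefendOS or D-Link code) shows the two PBR types from the previous slide and how they produce the load sharing described here: a main destination-based table, extra routing tables selected by a source-based rule and a service-based rule, and a first-match rule evaluation that falls back to the main table. Interface names, addresses and rule names are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Route:
    prefix: str                    # destination prefix, e.g. "0.0.0.0/0"
    iface: str                     # egress interface
    gateway: Optional[str] = None
    metric: int = 100              # lower metric wins among equal prefixes


class RoutingTable:
    """Destination-based table: longest prefix match, then lowest metric."""

    def __init__(self, name: str, routes: List[Route]):
        self.name = name
        self.routes = [(ipaddress.ip_network(r.prefix), r) for r in routes]

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        best = None
        for net, route in self.routes:
            if addr in net:
                key = (net.prefixlen, -route.metric)
                if best is None or key > best[0]:
                    best = (key, route)
        return best[1] if best else None


@dataclass(frozen=True)
class PbrRule:
    """If the flow matches, look the destination up in `table` instead of main.
    Either match field may be omitted, giving purely source- or service-based rules."""
    name: str
    table: str
    src_net: Optional[str] = None                 # source-based routing
    service: Optional[Tuple[str, int]] = None     # service-based routing: (proto, port)

    def matches(self, flow: Flow) -> bool:
        if self.src_net and ipaddress.ip_address(flow.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.service and (flow.proto, flow.dport) != self.service:
            return False
        return True


class PolicyRouter:
    def __init__(self, main: RoutingTable, extra: List[RoutingTable], rules: List[PbrRule]):
        self.main = main
        self.tables: Dict[str, RoutingTable] = {t.name: t for t in [main] + extra}
        self.rules = rules

    def route(self, flow: Flow) -> Tuple[str, Route]:
        # First matching PBR rule wins; if its table has no route for the
        # destination, ordinary destination-based routing in main applies.
        for rule in self.rules:
            if rule.matches(flow):
                hit = self.tables[rule.table].lookup(flow.dst)
                if hit is not None:
                    return rule.name, hit
        hit = self.main.lookup(flow.dst)
        if hit is None:
            raise LookupError(f"no route to {flow.dst}")
        return "main", hit


# Constructed configuration: one LAN, two ISP uplinks and a web cache in a DMZ.
LAN = "192.168.1.0/24"
MAIN = RoutingTable("main", [
    Route(LAN, "lan", metric=0),
    Route("0.0.0.0/0", "wan1", "203.0.113.1", metric=100),    # preferred default via ISP1
    Route("0.0.0.0/0", "wan2", "198.51.100.1", metric=200),   # backup default via ISP2
])
VIA_ISP2 = RoutingTable("via_isp2", [Route("0.0.0.0/0", "wan2", "198.51.100.1")])
VIA_CACHE = RoutingTable("via_cache", [Route("0.0.0.0/0", "dmz", "10.0.0.5")])

RULES = [
    # service-based: LAN web traffic goes through the transparent cache
    PbrRule("http_to_cache", "via_cache", src_net=LAN, service=("tcp", 80)),
    # source-based: the upper half of the LAN uses ISP2, the rest stays on ISP1
    PbrRule("upper_half_isp2", "via_isp2", src_net="192.168.1.128/25"),
]
ROUTER = PolicyRouter(MAIN, [VIA_ISP2, VIA_CACHE], RULES)


def select_path(flow: Flow) -> Tuple[str, str]:
    """Return (rule name or 'main', egress interface) for a flow."""
    name, route = ROUTER.route(flow)
    return name, route.iface


def wan_share(flows: List[Flow]) -> Dict[str, int]:
    """Count flows per egress interface to see how load is shared."""
    counts: Dict[str, int] = {}
    for f in flows:
        iface = select_path(f)[1]
        counts[iface] = counts.get(iface, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [Flow(f"192.168.1.{h}", "93.184.216.34", "tcp", 443) for h in (10, 20, 200, 210)]
    print(wan_share(sample))   # {'wan1': 2, 'wan2': 2}
```

The rule order matters: the service-based rule is listed first so that HTTP from the upper half of the LAN still reaches the cache rather than ISP2, which is the kind of interaction to check whenever source- and service-based rules coexist.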

54 Competitive Analysis Static Route, PBR, OSPF
NetDefendOS Feature Introduction Routing Features Competitive Analysis Static Route, PBR, OSPF Static Route PBR OSPF Load Sharing SonicWALL WatchGuard Fortinet Juniper Cisco 54 54

55 Summary: Routing Features in NetDefendOS
NetDefendOS Feature Introduction Routing Features Summary: Routing Features in NetDefendOS
Routing determines the path from source to destination.
Static Routing: predefined path.
Dynamic Routing: learning and updating the path automatically.
Policy Based Route (PBR) determines the path according to: service type (different traffic types, such as HTTP or FTP, use different routes); source IP address (different users use different routes).
Via Policy Based Route (PBR), load sharing between multiple WAN links can be achieved.

56 NetDefendOS Feature Introduction Routing Features
Routing Features Q&A
1. What kind of dynamic routing protocol does NetDefendOS support?
a. RIP (Routing Information Protocol)
b. OSPF (Open Shortest Path First)
c. BGP (Border Gateway Protocol)
d. EGP (Exterior Gateway Protocol)
2. Does NetDefendOS support the Route Failover feature?
a. Yes
b. No
3. Which of the following features is NOT supported in the NetDefendOS firewall?
a. Static Route
b. Policy Based Route
c. RIP (Routing Information Protocol)
d. OSPF (Open Shortest Path First)
Answers: 1. B, only OSPF is supported in NetDefendOS. 2. A, NetDefendOS supports the route failover feature. 3. C, RIP is NOT supported in NetDefendOS.

57 NetDefendOS Feature Introduction Routing Features
Routing Features Q&A
4. Which of the following PBR types are NOT supported in NetDefendOS? (Multiple choice)
a. Source-based routing
b. Service-based routing
c. Schedule-based routing
d. Port-based routing
5. With which feature can NetDefendOS support load sharing between multiple WAN links?
a. Static Route
b. Traffic Management
c. Dynamic Route
d. Policy Based Route
6. Which models support the load sharing feature?
a. DFL-210
b. DFL-800
c. DFL-1600
d. DFL-2500
e. All of the above
Answers: 4. C, D: schedule-based routing and port-based routing are NOT supported in NetDefendOS. 5. D: Policy Based Route (PBR) is the key component for load sharing between multiple WAN links. 6. E: the load sharing feature is enabled by Policy Based Route (PBR), which is supported by all models within the NetDefend Firewall family.

58 NetDefendOS Feature Introduction Route Failover
Platform Compatibility: DFL-210/260/800/860/1600/2500
After completing this section, you will be able to:
1. Describe what Route Failover is and its benefits
2. Describe how to implement a Route Failover solution
3. Describe the selling points of Route Failover

59 NetDefendOS Feature Introduction Route Failover
What is Route Failover
A firewall is often deployed as the gateway of a network where availability and connectivity are crucial. Today corporations rely heavily on access to the Internet, and their operations will be severely disrupted if an Internet connection fails. To utilize multiple ISPs / WAN links, NetDefendOS provides a Route Failover capability, so that when one route fails, traffic can automatically fail over to an alternative route.
In today's enterprise network, it is quite common to have backup Internet connectivity using a secondary Internet Service Provider (ISP). The connections to the two service providers often use different access methods to avoid a single point of failure. D-Link NetDefendOS features a Route Failover capability: whenever a route failure is detected, traffic can automatically fail over to another, alternate route. NetDefendOS implements the Route Failover feature through Route Monitoring, in which NetDefendOS monitors the availability of routes and switches traffic to an alternate route if the primary, preferred one fails.

60 A Typical Scenario of Failover
NetDefendOS Feature Introduction Route Failover A Typical Scenario of Failover
Route Failover allows connections to different Internet Service Providers to avoid a single point of failure. Consequently, it enables enterprises to have backup Internet connectivity using a secondary Internet Service Provider (ISP). By default NetDefendOS generates a Gratuitous ARP request when a route failover occurs, in order to notify surrounding systems that there has been a route change.

61 How NetDefendOS Delivers Failover
NetDefendOS Feature Introduction Route Failover How NetDefendOS Delivers Failover
For a route with Route Monitoring enabled, one of the Route Monitoring methods must be chosen:
> Interface Link Status: NetDefendOS monitors the link status of the interface specified in the route. As long as the interface is up, the route is diagnosed as healthy. This method is appropriate for monitoring that the interface is physically attached and that the cabling is working as expected. As any change to the link status is noticed instantly, this method provides the fastest response to failure.
> Gateway Monitoring: if a specific gateway has been specified as the next hop for a route, accessibility to that gateway can be monitored by sending periodic ARP requests. As long as the gateway responds to these requests, the route is considered to be functioning correctly.
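The static-routing and failover behaviour described on the "Static Route & Route Failover" slide and the two monitoring methods above, as an added Python simulation (example code, not NetDefendOS or D-Link code): a static routing table with a preferred and a backup default route, link-status monitoring on one, gateway (ARP) monitoring on the other, and a lookup that only considers routes monitoring reports as healthy. The network model, interface names, addresses and the rule that a gateway counts as down after three unanswered ARP polls are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumption for this example: a gateway-monitored route is declared down
# after this many consecutive unanswered ARP polls.
ARP_MISS_THRESHOLD = 3


@dataclass
class Route:
    name: str
    prefix: str
    iface: str
    gateway: Optional[str]
    metric: int                     # lower is preferred
    monitor: Optional[str] = None   # None, "link" or "gateway"
    healthy: bool = True
    missed_arp: int = 0


class SimulatedNetwork:
    """Constructed stand-in for the physical network: which interfaces have
    carrier and which gateways answer ARP requests."""

    def __init__(self, links_up: Dict[str, bool], arp_responders: Set[str]):
        self.links_up = links_up
        self.arp_responders = arp_responders

    def link_up(self, iface: str) -> bool:
        return self.links_up.get(iface, False)

    def arp_reply(self, gateway: str) -> bool:
        return gateway in self.arp_responders


class FailoverRouter:
    def __init__(self, routes: List[Route], net: SimulatedNetwork):
        self.routes = routes
        self.net = net

    def default_route(self) -> Optional[Route]:
        cands = [r for r in self.routes if r.healthy and r.prefix == "0.0.0.0/0"]
        return min(cands, key=lambda r: r.metric) if cands else None

    def lookup(self, dst: str) -> Optional[Route]:
        """Static routing: longest prefix match, then lowest metric, over healthy routes."""
        addr = ipaddress.ip_address(dst)
        cands = [r for r in self.routes
                 if r.healthy and addr in ipaddress.ip_network(r.prefix)]
        if not cands:
            return None
        return max(cands, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.metric))

    def poll(self) -> List[str]:
        """One route-monitoring cycle; returns the events it produced."""
        events: List[str] = []
        before = self.default_route()
        for r in self.routes:
            if r.monitor is None:
                continue
            if r.monitor == "link":
                up = self.net.link_up(r.iface)       # carrier lost: immediate failure
            elif r.monitor == "gateway":
                if self.net.arp_reply(r.gateway):
                    r.missed_arp = 0
                    up = True
                else:
                    r.missed_arp += 1                 # tolerate a few missed replies
                    up = r.missed_arp < ARP_MISS_THRESHOLD
            else:
                raise ValueError(f"unknown monitor type {r.monitor!r}")
            if up != r.healthy:
                r.healthy = up
                events.append(f"route {r.name} {'up' if up else 'down'}")
        after = self.default_route()
        if (before.name if before else None) != (after.name if after else None):
            # The real device announces the change with gratuitous ARP; we only record it.
            events.append(f"failover: default route now {after.name if after else 'none'} (gratuitous ARP)")
        return events


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: ISP1 link drops, comes back, then ISP2's gateway stops answering ARP."""
    net = SimulatedNetwork({"lan": True, "wan1": True, "wan2": True},
                           {"203.0.113.1", "198.51.100.1"})
    router = FailoverRouter([
        Route("lan_net", "192.168.1.0/24", "lan", None, 0),
        Route("isp1", "0.0.0.0/0", "wan1", "203.0.113.1", 100, monitor="link"),
        Route("isp2", "0.0.0.0/0", "wan2", "198.51.100.1", 200, monitor="gateway"),
    ], net)
    probe = "93.184.216.34"
    out: Dict[str, object] = {"initial": router.lookup(probe).iface}
    net.links_up["wan1"] = False
    out["events_after_link_loss"] = router.poll()
    out["after_link_loss"] = router.lookup(probe).iface
    net.links_up["wan1"] = True
    router.poll()
    out["after_link_restored"] = router.lookup(probe).iface
    net.arp_responders.discard("198.51.100.1")
    polls = [router.poll() for _ in range(ARP_MISS_THRESHOLD)]
    out["isp2_down_after_polls"] = next(i + 1 for i, ev in enumerate(polls) if ev)
    out["lan_still_direct"] = router.lookup("192.168.1.7").iface
    return out
```

Two things the scenario makes visible: link-status monitoring reacts on the very next poll, while gateway monitoring needs several misses before it declares the route down, which is the trade-off between fast reaction and false failovers that the slide's "fastest response to failure" remark is about.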

62 Competitive Analysis – Failover Feature Comparison
NetDefendOS Feature Introduction Route Failover Competitive Analysis – Failover Feature Comparison The D-Link NetDefend Route Failover Feature Comparison: SonicWALL ZyXEL WatchGuard Cisco Juniper Fortinet In the following section, we are going to compare the Route Failover feature with other key competitors on the security appliance market. The corresponding competitive matrix will be shown for you according to NetDefend models. 62 62 62

63 NetDefendOS Feature Introduction Route Failover
DFL-210 Small-to-Medium Business Segment D-Link SonicWALL ZyXEL WatchGuard Firebox Features / Competitors DFL-210 TZ Node Lic / 25 Node Lic TZ 190 ZyWALL 5 ZyWALL 35 X Edge 5 X Edge 15 Failover Y Not Available Optional Small-to-Medium Business Segment D-Link Cisco Juniper Fortinet Features / Competitors DFL-210 PIX 501 PIX 506E 5XT 5GT FortiGate- 60 FortiGate-100A Failover Y Not Available Optional
With regard to the Failover feature, we only focus on the DFL-210/260/800/860 segment. For higher-end models, e.g. the DFL-1600 and DFL-2500 segment, this feature is already a must. In the DFL-210 segment, neither the Cisco PIX 501 nor the PIX 506E supports the Route Failover feature. Juniper and WatchGuard both require customers to pay extra for the feature.

64 NetDefendOS Feature Introduction Route Failover
DFL-260 Small-to-Medium Business Segment D-Link SonicWALL ZyXEL WatchGuard Firebox Features / Competitors DFL-260 Pro Standard / Enhanced ZyWALL 5 UTM ZyWALL 35 UTM X Edge X10e X Edge X20e Failover Y Not Available Optional Small-to-Medium Business Segment D-Link Cisco Juniper Fortinet Features / Competitors DFL-260 N/A 5XT 5GT FortiGate-60/60A FortiGate-100A Failover Y Optional
In the DFL-260 segment, Cisco does not have a UTM product. Juniper and WatchGuard both require customers to pay extra for the feature.

65 NetDefendOS Feature Introduction Route Failover
DFL-800 Small-to-Medium Business Segment D-Link SonicWALL ZyXEL WatchGuard Firebox Features / Competitors DFL-800 Pro Standard / Enhanced Pro Standard / Enhanced ZyWALL 70 X Core X500 Standard / Advanced X Core X700 Standard / Advanced Failover Y Optional / Yes Small-to-Medium Business Segment D-Link Cisco Juniper Fortinet Features / Competitors DFL-800 PIX 506E PIX 515E (R, DMZ) / (UR, FO, FO-AA) NetScreen-25 NetScreen-50 FortiGate-100A FortiGate-200A Failover Y Not Available Not Available / Y
In the DFL-800 segment, Cisco's PIX 506E and the PIX 515E R / DMZ versions do not provide the Route Failover feature. WatchGuard's Firebox always requires customers to pay extra for the feature.

66 NetDefendOS Feature Introduction Route Failover
DFL-860 Small-to-Medium Business Segment D-Link SonicWALL ZyXEL WatchGuard Features / Competitors DFL-860 Pro Standard / Enhanced Pro Standard / Enhanced ZyWALL 70 UTM X Core X500 Standard / Advanced X Core X700 Standard / Advanced Failover Y Optional / Yes Small-to-Medium Business Segment D-Link Cisco Juniper Fortinet Features / Competitors DFL-860 ASA 5505 Base / Security Plus SSG 5 Base / Extended SSG 20 Base / Extended FortiGate-100A FortiGate-200A Failover Y Not Available / Y
In the DFL-860 segment, Cisco's ASA 5505 and WatchGuard's Firebox require customers to pay extra for the feature.

67 Summary: Route Failover
NetDefendOS Feature Introduction Route Failover Summary: Route Failover
Today the low cost of xDSL lines makes it possible for SMBs to utilize multiple ISPs / WAN links as WAN backup via the Route Failover feature, preventing operations from being severely disrupted when an Internet connection fails. In the entry-level model segment, such as DFL-210/260/800/860, most competitors deliver the Route Failover feature as an option and require an extra fee for it. Unlike our competitors, and considering the IT demands of SMBs, the D-Link NetDefend IPS/UTM Firewall family bundles the Route Failover feature with no need to pay extra for a license upgrade. The D-Link NetDefend IPS/UTM Firewall family delivers an affordable price with a best-value security feature set for SMBs.

68 NetDefendOS Feature Introduction VPN
Platform Compatibility: DFL-210/260/800/860/1600/2500
After completing this section, you will be able to:
1. Describe what a VPN is and its benefits
2. Describe how to implement VPN solutions
3. Describe the selling points of VPN

69 NetDefendOS Feature Introduction VPN
What is VPN? A Virtual Private Network (VPN) is a private network connection that runs over a public network. VPNs can be used to connect LANs together across the Internet or other public networks. With a VPN, the remote end appears to be connected to the network as if it were connected locally. VPNs have attracted the attention of many organizations looking to both expand their networking capabilities and reduce their costs.

70 A Typical Scenario of VPN Solutions
NetDefendOS Feature Introduction VPN A Typical Scenario of VPN Solutions
[Diagram: Tunneling Protocol: L2TP, PPTP, IPSec; Internet; Remote Access VPN; Site-to-Site VPN; Local Network; Local Network]
VPNs are becoming the connection of choice when establishing an extranet or intranet between two or more remote offices. When implementing a VPN, the major security concern is encryption. Typical tunneling protocols applied to VPNs include Layer 2 Tunneling Protocol (L2TP), IPSec and Point-to-Point Tunneling Protocol (PPTP). This connection appears to be a local connection, and all message traffic and protocols are available across the VPN. PPTP offers some encryption capabilities, though it does not provide strong protection. IPSec offers higher security and is becoming the encryption system used in many secure VPN environments. In the following slides, we are going to discuss more about VPN solutions: Site-to-Site VPN and Remote Access VPN.

71 A Close Look at IPSec VPN Topology
NetDefendOS Feature Introduction VPN A Close Look at IPSec VPN Topology Site-to-Site Topology
[Diagram: Internet; DFL-2500 at the Head Office with Local Network and Server; DFL-210/260/800/860 at the Remote Office / Branch Office (ROBO) with Local Network and Client; the VPN tunnel is dedicated]
Site-to-site VPNs are an alternative to traditional WAN connections, such as Frame Relay or leased lines, allowing organizations to extend network resources to branch offices, home offices and business partner sites. Typically, all traffic between sites is encrypted using IP Security (IPSec). Site-to-site VPNs can be one of two types:
Intranet-based: if a company has one or more remote locations that it wishes to join in a single private network, it can create an intranet VPN to connect LAN to LAN.
Extranet-based: when a company has a close relationship with another company (for example, a partner, supplier or customer), it can build an extranet VPN that connects LAN to LAN and allows all of the various companies to work in a shared environment.

72 A Close Look at IPSec VPN Topology
NetDefendOS Feature Introduction VPN A Close Look at IPSec VPN Topology Hub-and-Spoke Topology
[Diagram: Internet; DFL-2500 at the Head Office (Hub); DFL-210/260/800/860 at Remote Office 1 and Remote Office 2 (Spokes), each with Local Network and Client]
The advanced application of Site-to-Site VPN is Hub-and-Spoke VPN. In this scenario, VPN tunnels are built between the VPN hub (head office) and each individual spoke (remote office). Encrypted traffic can pass between two remote office networks via the VPN hub, so there is no need to set up a tunnel between the individual VPN spoke appliances. The hub decrypts and re-encrypts the data it relays, so through the Hub-and-Spoke topology enterprises can largely reduce the number of VPN tunnels to be created. Therefore, the Hub-and-Spoke topology helps enterprises reduce the complexity of building VPN tunnels between each remote site.

73 More Discussion about IPSec VPNs
NetDefendOS Feature Introduction VPN More Discussion about IPSec VPNs
Rules and routing play the key role in IPSec VPN configuration. NetDefendOS provides IPSec VPN connections via rule-based VPN configuration. Rule-based configuration gives administrators granular control to decide what traffic should go through the tunnel.
[Diagram: FTP Server on the Internet; Internet; DFL-2500 at the Head Office with Local Network and FTP Server; DFL-210/260/800/860 at the Remote Office with Local Network and Client; Rule: Action Allow, Service FTP]
Now, let's discuss the IPSec VPN configuration in more detail. Please bear in mind that rules and routing play the key role in IPSec VPN configuration. Because rule-based configuration gives administrators granular control over what traffic goes through the tunnel, in this example the FTP traffic is encrypted and allowed to pass through the tunnel. The client is not allowed to access FTP servers on the Internet; however, he/she is allowed to access the internal FTP server at the head office via the VPN tunnel.
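To show how the routing decision and the rule decision combine in the FTP example above, here is an added Python model (example code, not NetDefendOS configuration or D-Link code). Routing picks the destination interface by longest prefix match; the rule set is then evaluated first-match against the source interface, the destination interface and the service, with no match meaning deny. The tunnel interface name ipsec_ho, the remote-office LAN 192.168.20.0/24, the head-office LAN 192.168.10.0/24 and the rule names are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    iface: str          # "lan", "wan", or the IPsec tunnel interface "ipsec_ho" (assumed name)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "drop"
    src_iface: str
    src_net: str
    dst_iface: str              # a rule towards "ipsec_ho" is what admits traffic into the tunnel
    dst_net: str
    service: Tuple[str, int]    # (protocol, port)


@dataclass(frozen=True)
class Packet:
    src_iface: str
    src: str
    dst: str
    proto: str
    dport: int


# Constructed remote-office configuration: the local LAN, the head-office LAN
# reachable only through the IPsec tunnel, everything else via the WAN.
ROUTES = [
    Route("192.168.20.0/24", "lan"),
    Route("192.168.10.0/24", "ipsec_ho"),
    Route("0.0.0.0/0", "wan"),
]

RULES = [
    # the slide's rule: FTP from the remote LAN to the head office, into the tunnel
    Rule("ftp_to_head_office", "allow", "lan", "192.168.20.0/24",
         "ipsec_ho", "192.168.10.0/24", ("tcp", 21)),
    Rule("web_out", "allow", "lan", "192.168.20.0/24", "wan", "0.0.0.0/0", ("tcp", 80)),
]


def _in_net(addr: str, prefix: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def egress_interface(dst: str, routes: List[Route] = ROUTES) -> Optional[str]:
    """Routing decides the destination interface (longest prefix match);
    this is what makes a packet a candidate for the tunnel at all."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r.iface)
    return best[1] if best else None


def evaluate(pkt: Packet, rules: List[Rule] = RULES,
             routes: List[Route] = ROUTES) -> Tuple[str, str, Optional[str]]:
    """Return (action, matched rule name, destination interface).
    Rules are checked in order; no match means the default deny."""
    out_iface = egress_interface(pkt.dst, routes)
    if out_iface is None:
        return "drop", "no-route", None
    for rule in rules:
        if (rule.src_iface == pkt.src_iface and rule.dst_iface == out_iface
                and _in_net(pkt.src, rule.src_net) and _in_net(pkt.dst, rule.dst_net)
                and (pkt.proto, pkt.dport) == rule.service):
            return rule.action, rule.name, out_iface
    return "drop", "default-deny", out_iface


if __name__ == "__main__":
    client = "192.168.20.5"
    print(evaluate(Packet("lan", client, "192.168.10.7", "tcp", 21)))    # allowed, via ipsec_ho
    print(evaluate(Packet("lan", client, "203.0.113.40", "tcp", 21)))    # dropped, default deny on wan
```

The two printed cases are exactly the slide's point: the same FTP service from the same client is allowed or denied purely on the basis of which interface routing selects, so the route to 192.168.10.0/24 and the rule towards ipsec_ho have to agree for the tunnel to carry anything.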

74 NetDefendOS Feature Introduction VPN
Remote Access VPNs
The IP addresses of remote access clients are normally dynamic. Users usually have to install VPN software on their machines. Tunnel connections are between a remote user's computer and the VPN appliance.
[Diagram: Internet; Local Network; VPN Remote Client Software]
The main characteristic of Remote Access VPN is that the IP address of the mobile user is usually dynamic. To provide a secure connection, the mobile user first has to install VPN software on the machine. Tunnel connections are then built between the remote user's computer and the VPN appliance. Whenever a mobile user needs to access network resources within the enterprise network, Remote Access VPN is the ideal and secure solution for the user.

75 NetDefendOS Feature Introduction VPN
Planning a VPN
In designing a VPN, there are many considerations that need to be addressed, including:
Protecting mobile and home computers
Restricting access through the VPN to needed services only, since mobile computers are potentially vulnerable
Creating DMZs for services that need to be shared with other companies through VPNs
Adapting VPN access policies for different groups of users
Creating key distribution policies

76 Competitive Analysis – VPN Feature Comparison
NetDefendOS Feature Introduction VPN Competitive Analysis – VPN Feature Comparison The D-Link NetDefend VPN Feature Comparison: SonicWALL ZyXEL WatchGuard Cisco Juniper Fortinet In the following section, we are going to compare the VPN feature with other key competitors on the security appliance market. The corresponding competitive matrix will be shown for you according to NetDefend models. 76 76 76

77 NetDefendOS Feature Introduction VPN
DFL-210 Small-to-Medium Business Segment D-Link SonicWALL ZyXEL WatchGuard Firebox Features / Competitors DFL-210 TZ Node Lic / 25 Node Lic TZ 190 ZyWALL 5 ZyWALL 35 X Edge 5 X Edge 15 Firewall Throughput 80Mbps 90+Mbps 65Mbps 70Mbps 95Mbps VPN VPN Throughput 25Mbps 30+Mbps 30Mbps 35Mbps Site-to-Site Tunnel 100 2 / 10 15 10 35 2 Client-to-Site Tunnel 0 (Bundled) - 5 (Max) / 1 (Bundled) -25 (Max) 2 (Bundled) - 25 1/11 5/25
From the competitive matrix, the DFL-210 provides fairly good firewall / VPN performance compared with the other competitors. Moreover, for the maximum number of VPN tunnels, the DFL-210 provides 100, far outranking the other competitors.

78 NetDefendOS Feature Introduction VPN
DFL-210 Small-to-Medium Business Segment D-Link Cisco Juniper Fortinet Features / Competitors DFL-210 PIX 501 PIX 506E 5XT 5GT FortiGate-60 FortiGate-100A Firewall Throughput 80Mbps 60Mbps 100Mbps 70Mbps 75Mbps VPN VPN Throughput 25Mbps 3Mbps 15Mbps 20Mbps 40Mbps Site-to-Site Tunnel 100 10 25 50 80 Client-to-Site Tunnel
Compared with Cisco/Juniper/Fortinet, the DFL-210 outperforms in both firewall / VPN performance and tunneling capability.

79 NetDefendOS Feature Introduction VPN
DFL-260 Small-to-Medium Business Segment D-Link SonicWALL ZyXEL WatchGuard Firebox Features / Competitors DFL-260 Pro Standard / Enhanced ZyWALL 5 UTM ZyWALL 35 UTM X Edge X10e X Edge X20e Firewall Throughput 80Mbps 90Mbps 65Mbps 70Mbps 100Mbps VPN VPN Throughput 25Mbps 30Mbps 35Mbps Site-to-Site Tunnel 100 25 10 35 5 15 Client-to-Site Tunnel 50 5 (Bundled) - 11 5 (Bundled) - 25 5 (Bundled) - 55
The D-Link DFL-260 provides fairly good firewall / VPN performance compared with the other competitors. For the maximum number of VPN tunnels, the DFL-260 provides 100, far outranking the other competitors.

80 NetDefendOS Feature Introduction VPN
DFL-260 Small-to-Medium Business Segment D-Link Cisco Juniper Fortinet Features / Competitors DFL-260 N/A 5XT 5GT FortiGate-60/60A FortiGate-100A Firewall Throughput 80Mbps 70Mbps 75Mbps 100Mbps VPN VPN Throughput 25Mbps 20Mbps 40Mbps Site-to-Site Tunnel 100 10 50 80 Client-to-Site Tunnel
Compared to Cisco/Juniper/Fortinet, the DFL-260 outperforms in both firewall / VPN performance and tunneling capability.

81 NetDefendOS Feature Introduction VPN
DFL-800 Small-to-Medium Business Segment D-Link SonicWALL ZyXEL WatchGuard Firebox Features / Competitors DFL-800 Pro Standard / Enhanced Pro Standard / Enhanced ZyWALL 70 X Core X500 Standard / Advanced X Core X700 Standard / Advanced Firewall Throughput 150Mbps 90Mbps 200Mbps 100/110 Mbps 150/160 Mbps VPN VPN Throughput 60Mbps 30Mbps 50Mbps 40Mbps 20/30 Mbps 40/60 Mbps Site-to-Site Tunnel 300 25 50 100 (Need to Upgrade) Client-to-Site Tunnel 5 (Bundled) - 50 10 (Bundled) - 50/200 10 (Bundled) - 100
The DFL-800 provides nearly the best firewall / VPN performance compared with SonicWALL, ZyXEL and WatchGuard. Regarding the maximum number of VPN tunnels, the other competitors only ship with a default minimum number of tunnels, such as 0 or 5, whereas the DFL-800 by default offers 300 VPN tunnels without charging any extra costs or upgrade fee. The DFL-800 provides a high performance/cost ratio for SMBs.

82 NetDefendOS Feature Introduction VPN
DFL-800 Small-to-Medium Business Segment D-Link Cisco Juniper Fortinet Features / Competitors DFL-800 PIX 506E PIX 515E (R, DMZ) / (UR, FO, FO-AA) NetScreen-25 NetScreen-50 FortiGate-100A FortiGate-200A Firewall Throughput 150Mbps 100Mbps 190Mbps 170Mbps VPN VPN Throughput 60Mbps 15Mbps 20 / 60 Mbps 20Mbps 45Mbps 40Mbps 70Mbps Site-to-Site Tunnel 300 25 Not Available / 2000 125 500 80 200 Client-to-Site Tunnel
The DFL-800 provides outstanding VPN performance compared with Cisco, Juniper and Fortinet. Regarding the maximum number of VPN tunnels, unlike the other competitors, the DFL-800 by default offers 300 VPN tunnels without charging any extra costs or upgrade fee. The DFL-800 provides a high performance/cost ratio for SMBs.

83 NetDefendOS Feature Introduction VPN
DFL-860 Small-to-Medium Business Segment D-Link SonicWALL ZyXEL WatchGuard Features / Competitors DFL-860 Pro Standard / Enhanced Pro Standard / Enhanced ZyWALL 70 UTM X Core X500 Standard / Advanced X Core X700 Standard / Advanced Firewall Throughput 150Mbps 90Mbps 200Mbps 100/110 Mbps 150/160 Mbps VPN VPN Throughput 60Mbps 30Mbps 50Mbps 40Mbps 20/30 Mbps 40/60 Mbps Site-to-Site Tunnel 300 25 50 100 (Need to Upgrade) Client-to-Site Tunnel 5 (Bundled) - 50 10 (Bundled) - 50/200 10 (Bundled) - 100
The DFL-860 provides nearly the best firewall / VPN performance compared with SonicWALL, ZyXEL and WatchGuard. Regarding the maximum number of VPN tunnels, the other competitors only ship with a default minimum number of tunnels, such as 0 or 5, whereas the DFL-860 by default offers 300 VPN tunnels without charging any extra costs or upgrade fee. The DFL-860 is the best UTM solution for SMBs.

84 NetDefendOS Feature Introduction VPN
DFL-860 Small-to-Medium Business Segment D-Link Cisco Juniper Fortinet Features / Competitors DFL-860 ASA 5505 Base / Security Plus SSG 5 Base / Extended SSG 20 Base / Extended FortiGate-100A FortiGate-200A Firewall Throughput 150Mbps 160Mbps 100Mbps VPN VPN Throughput 60Mbps 40Mbps 70Mbps Site-to-Site Tunnel 300 10 / 25 25 / 40 80 200 Client-to-Site Tunnel
The DFL-860 provides outstanding VPN performance compared with Cisco, Juniper and Fortinet. Regarding the maximum number of VPN tunnels, unlike the other competitors, the DFL-860 by default offers 300 VPN tunnels without charging any extra costs or upgrade fee. The DFL-860 is the best UTM solution for SMBs.

85 NetDefendOS Feature Introduction VPN
DFL-1600 Small-to-Medium Business Segment D-Link SonicWALL ZyXEL WatchGuard Features / Competitors DFL-1600 Pro 3060 Standard / Enhanced Pro 4060 Enhanced ZyWALL 1050 X Core X1000 Standard / Advanced X Core X2500 Standard / Advanced X Core X550e (UTM) Standard / Advanced Firewall Throughput 320Mbps 290Mbps 300Mbps 225 / 240 Mbps 275+ / 300+ Mbps 300+ Mbps VPN VPN Throughput 120Mbps 75Mbps 190Mbps 100Mbps 75 / 100 Mbps 100 / 130 Mbps 35 Mbps Site-to-Site Tunnel 1,200 500/1,000 3,000 1,000 400 35 (Bundled) - 45 Client-to-Site Tunnel 25 (Bundled) - 500 50 (Bundled) - 1,000 1,000 (Bundled) 5 (Bundled) - 75 The DFL-1600 provides excellent firewall / VPN performance. Compared with SonicWALL, ZyXEL and WatchGuard, the DFL-1600 offers 1200 VPN tunnels by default without any extra cost or upgrade fee for more tunnels. The DFL-1600 is a cost-effective firewall solution for mid-sized organizations.

86 NetDefendOS Feature Introduction VPN
DFL-1600 Small-to-Medium Business Segment D-Link Cisco Juniper Fortinet Features / Competitors DFL-1600 PIX 525 (R) / (UR, FO, FO-AA) ASA 5510 Base / Security Plus SSG 140 NetScreen-204 NetScreen-208 FortiGate-300A Firewall Throughput 320Mbps 330Mbps 300Mbps 350+Mbps 375Mbps 400Mbps VPN VPN Throughput 120Mbps 30 / 70Mbps 170Mbps 100Mbps 175Mbps Site-to-Site Tunnel 1200 Not Available / 2,000 250 125 1,000 1,500 Client-to-Site Tunnel The DFL-1600 provides excellent firewall / VPN performance. Compared with Cisco, Juniper and Fortinet, the DFL-1600 offers 1200 VPN tunnels by default. The DFL-1600 is a cost-effective firewall solution for mid-sized organizations.

87 NetDefendOS Feature Introduction VPN
DFL-2500 Small-to-Medium Business Segment D-Link SonicWALL ZyXEL WatchGuard Firebox Features / Competitors DFL-2500 Pro 4060 Enhanced Pro 4100 Enhanced N/A X Peak X5000 Advanced X Peak X6000 Advanced Firewall Throughput 600Mbps 300Mbps 700Mbps 400 Mbps 700 Mbps VPN VPN Throughput 190Mbps 400Mbps 190 Mbps 300 Mbps Site-to-Site Tunnel 2,500 3,000 3,500 400 Client-to-Site Tunnel 4,500 1,200 (Bundled) - 4,000 1,600 (Bundled) - 5,000 The DFL-2500 provides excellent firewall / VPN performance. Regarding the maximum number of VPN tunnels, the DFL-2500 offers 2500 VPN tunnels by default without any extra cost or upgrade fee for more tunnels. From the competitive matrix, SonicWALL, WatchGuard and Juniper do not have products in the 600 Mbps firewall throughput range. This product position can be taken over by the DFL-2500 whenever a sales opportunity arises. From the viewpoint of performance/cost ratio, the DFL-2500 is the best firewall solution for mid-to-large sized organizations.

88 NetDefendOS Feature Introduction VPN
DFL-2500 Small-to-Medium Business Segment D-Link Cisco Juniper Fortinet Features / Competitors DFL-2500 ASA 5520 ASA 5540 NetScreen-208 NetScreen-500 FortiGate-400A FortiGate-500A Firewall Throughput 600Mbps 450Mbps 650Mbps 375Mbps 700Mbps 500Mbps VPN VPN Throughput 300Mbps 225Mbps 325Mbps 175Mbps 250Mbps 140Mbps 150Mbps Site-to-Site Tunnel 2,500 750 5,000 1,000 2,000 3,000 Client-to-Site Tunnel 10,000 The DFL-2500 provides outstanding firewall / VPN performance. Regarding the maximum number of VPN tunnels, the DFL-2500 offers 2500 VPN tunnels by default. Compared with Cisco, Juniper and Fortinet, the DFL-2500 provides nearly the best VPN performance. From the viewpoint of performance/cost ratio, the DFL-2500 is the best firewall solution for mid-to-large sized organizations.

89 Summary: VPN (Virtual Private Network)
NetDefendOS Feature Introduction VPN Summary: VPN (Virtual Private Network) The D-Link NetDefend IPS/UTM Firewall family provides outstanding firewall / VPN performance compared with the other key players on the market. Regarding the maximum number of VPN tunnels, the NetDefend IPS/UTM Firewall family bundles more tunnels by default than our competitors, without any extra cost or upgrade fee for extra tunnels. From the viewpoint of either performance/cost or value/cost ratio, the D-Link NetDefend IPS/UTM Firewall family is the best firewall / UTM solution for mid-to-large sized organizations.

90 NetDefendOS Feature Introduction VPN
VPN Q&A 1. What is the maximum number of VPNs supported on a DFL-800/860 Firewall/UTM device running NetDefendOS? a. 100 b. 150 c. 200 d. 250 e. 300 2. Which of the following protocols isn't a tunneling protocol but is probably used at your site by tunneling protocols for network security? a. IPSec b. PPTP c. L2TP d. L2F 1. E 2. D

91 NetDefendOS Feature Introduction VPN
VPN Q&A 3. Which answer below is NOT a benefit of VPN encryption? a. Confidentiality b. Authentication c. Integrity d. Non-repudiation e. None of the above 4. What is the maximum VPN throughput of a DFL-800 / 860 device running NetDefendOS? a. 50 Mbps b. 60 Mbps c. 70 Mbps d. 80 Mbps e. 90 Mbps 3. E 4. B

92 NetDefendOS Feature Introduction VPN
VPN Q&A 5. What is the maximum VPN throughput of a DFL-1600 device running NetDefendOS? a. 100 Mbps b. 110 Mbps c. 120 Mbps d. 150 Mbps e. 200 Mbps 6. What is the maximum VPN throughput of a DFL-2500 device running NetDefendOS? b. 150 Mbps c. 200 Mbps d. 250 Mbps e. 300 Mbps 5. C 6. E

93 NetDefendOS Feature Introduction VPN
VPN Q&A 7. Which two settings are important in IPSec VPN configuration and decide whether the traffic should go through the tunnel? (Multiple Choice) a. Network Interfaces b. Routing c. IPSec Interface d. Rules e. None of the above 8. How does NetDefendOS provide IPSec VPN configuration? a. Policy-based Configuration b. Interface-based Configuration c. Rule-based Configuration d. Route-based Configuration e. Security-based Configuration 7. B, D 8. C

94 NetDefendOS Feature Introduction VLAN
Platform Compatibility: DFL-210/260/800/860/1600/2500 After completing this section, you will be able to: 1. Describe what a VLAN is and its benefits 2. Describe how to implement VLAN solutions 3. Describe the selling point for VLAN

95 NetDefendOS Feature Introduction VLAN
What is a VLAN A Virtual Local Area Network (VLAN) allows administrators to create logical groups of users and systems and segment them on the network. This segmentation lets administrators hide segments of the network from other segments and hence control access to network resources. Administrators can also set up VLANs to control the paths that data takes to get from one point to another. VLAN technology is a good way to contain network traffic to a certain area in a network. A VLAN is a switched network that is logically segmented on an organizational basis, by function, project team or application, rather than on a physical or geographical basis. A VLAN consists of a number of end systems, either hosts or network equipment (such as bridges and routers), connected by a single bridging domain. The bridging domain is supported on various pieces of network equipment; for example, LAN switches that operate bridging protocols between them with a separate bridge group for each VLAN. A VLAN is defined as a broadcast domain within a switched network, and a broadcast domain represents the extent to which a network propagates a broadcast frame generated by a host. Creating VLANs enables administrators to build broadcast domains with fewer users in each, which increases the bandwidth available to users because fewer users contend for it. A further benefit is that, because a VLAN lets administrators create logical groups of users and systems and segment them on the network, administrators can configure ACLs between segments, hide segments of the network from other segments, and hence control access to network resources. Thus, VLAN technology is a good way to contain network traffic to a certain area in a network.

96 A Typical Scenario of VLAN
NetDefendOS Feature Introduction VLAN A Typical Scenario of VLAN Internet VLANs allow administrators to group computers and users logically, regardless of where they are physically connected in the enterprise network.

97 NetDefendOS Provides Cost-Effective VLAN Solution for SMB
NetDefendOS Feature Introduction VLAN NetDefendOS Provides Cost-Effective VLAN Solution for SMB Internet D-Link NetDefend IPS/UTM Firewalls In a typical VLAN scenario, the Layer 3 core switch plays the key role. However, for SMBs, a very cost-sensitive customer group, buying a Layer 3 core switch generally adds to the budget burden. D-Link NetDefend Firewalls, with their high port density and high performance, are able to take over L3 switching and enforce security policies between LANs. Without any extra expenditure, SMBs can now use the VLAN feature in NetDefendOS to build the kind of comprehensive and secure infrastructure that is common in enterprise networks.

98 How NetDefendOS Supports VLAN
NetDefendOS Feature Introduction VLAN How NetDefendOS Supports VLAN NetDefendOS is fully compliant with the IEEE 802.1Q specification for Virtual LANs. On a protocol level, Virtual LANs work by adding a Virtual LAN identifier (VLAN ID) to the Ethernet frame header. The VLAN ID is a number from 0 to 4095 and is used to identify a specific Virtual LAN. In this way, Ethernet frames can belong to different Virtual LANs, but still share the same physical media. The Virtual LAN support in NetDefendOS works by defining one or more Virtual LAN interfaces. Each Virtual LAN interface is interpreted as a logical interface by the system. Ethernet frames received by the system are examined for a VLAN ID. If a VLAN ID is found, and a matching Virtual LAN interface has been defined, the system will consider that interface to be the receiving interface for the frame before further processing takes place. Virtual LANs are useful in several different scenarios, for instance, when filtering is needed between different Virtual LANs in an organization, or when the number of interfaces needs to be expanded.
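The frame handling described above, as an added example that is not part of the deck or of NetDefendOS: it parses the 802.1Q tag from an Ethernet frame and maps the VLAN ID to a defined logical VLAN interface, returning no interface when the tag has no match. The MAC addresses, interface names and sample frames are constructed for illustration.

```python
"""802.1Q tag parsing and VLAN-interface lookup, mirroring the slide's
description of how NetDefendOS attributes a tagged frame to a logical
VLAN interface.  Added example: frames, MAC addresses and interface
names are constructed for illustration and are not NetDefendOS code."""
import struct
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
MAX_VLAN_ID = 4095         # 12-bit field, 0..4095 as the slide states


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into addresses, optional VLAN tag and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan_id": None, "pcp": None, "dei": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13             # 3-bit priority code point
        info["dei"] = (tci >> 12) & 1       # drop-eligible indicator
        info["vlan_id"] = tci & 0x0FFF      # 12-bit VLAN identifier
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a frame, inserting an 802.1Q tag when a VLAN ID is given."""
    header = dst + src
    if vlan_id is not None:
        if not 0 <= vlan_id <= MAX_VLAN_ID:
            raise ValueError("VLAN ID out of range")
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan_id)
    return header + struct.pack("!H", ethertype) + payload


class VlanInterfaceTable:
    """(physical interface, VLAN ID) -> logical VLAN interface name."""

    def __init__(self) -> None:
        self._ifaces: Dict[Tuple[str, int], str] = {}

    def define(self, physical: str, vlan_id: int, name: str) -> None:
        if not 0 <= vlan_id <= MAX_VLAN_ID:
            raise ValueError("VLAN ID out of range")
        self._ifaces[(physical, vlan_id)] = name

    def receiving_interface(self, physical: str, frame: bytes) -> Optional[str]:
        """Interface the frame is attributed to before rule processing:
        the physical port for untagged frames, the matching VLAN interface
        for tagged ones, or None when no VLAN interface matches the tag."""
        info = parse_frame(frame)
        if info["vlan_id"] is None:
            return physical
        return self._ifaces.get((physical, info["vlan_id"]))


# Constructed sample: two VLAN interfaces defined on the physical "lan" port.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")   # constructed locally administered MAC
TABLE = VlanInterfaceTable()
TABLE.define("lan", 10, "lan_rd")
TABLE.define("lan", 20, "lan_sales")


def demo() -> list:
    """Receiving interface for a tagged RD frame, a tagged Sales frame,
    a frame tagged with an undefined VLAN, and an untagged ARP frame."""
    frames = [
        build_frame(DST, SRC, 0x0800, b"rd", vlan_id=10),
        build_frame(DST, SRC, 0x0800, b"sales", vlan_id=20, pcp=5),
        build_frame(DST, SRC, 0x0800, b"nobody", vlan_id=30),   # no VLAN interface
        build_frame(DST, SRC, 0x0806, b"arp"),                  # untagged
    ]
    return [TABLE.receiving_interface("lan", f) for f in frames]


if __name__ == "__main__":
    print(demo())   # ['lan_rd', 'lan_sales', None, 'lan']
```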

99 Competitive Analysis – VLAN Feature Comparison
NetDefendOS Feature Introduction VLAN Competitive Analysis – VLAN Feature Comparison The D-Link NetDefend VLAN Feature Comparison: SonicWALL ZyXEL WatchGuard Cisco Juniper Fortinet In the following section, we compare the VLAN feature with other key competitors on the security appliance market. The corresponding competitive matrix is shown per NetDefend model.

100 NetDefendOS Feature Introduction VLAN
DFL-210 Small-to-Medium Business Segment D-Link SonicWALL ZyXEL WatchGuard Firebox Features / Competitors DFL-210 TZ Node Lic / 25 Node Lic TZ 190 ZyWALL 5 ZyWALL 35 X Edge 5 X Edge 15 Max. No. of VLAN 8 Not Available Small-to-Medium Business Segment D-Link Cisco Juniper Fortinet Features / Competitors DFL-210 PIX 501 PIX 506E 5XT 5GT FortiGate-60 FortiGate-100A Max. No. of VLAN 8 Not Available 2 3 10 (Bundled) – 25, 50, 100, 250 (via Lic Upgrade) 10 (Bundled) - 25, 50, 100, 250 (via Lic Upgrade) The maximum number of VLANs on the DFL-210 is 8. SonicWALL, ZyXEL and WatchGuard do not provide a VLAN feature in this segment. Juniper provides at most 3 VLANs, and this cannot be expanded via license upgrade. For Cisco, the feature is not available on the PIX 501; the PIX 506E offers only 2 VLANs.

101 NetDefendOS Feature Introduction VLAN
DFL-260 Small-to-Medium Business Segment D-Link SonicWALL ZyXEL WatchGuard Firebox Features / Competitors DFL-260 Pro Standard / Enhanced ZyWALL 5 UTM ZyWALL 35 UTM X Edge X10e X Edge X20e Max. No. of VLAN 8 Not Available / 25 Not Available Small-to-Medium Business Segment D-Link Cisco Juniper Fortinet Features / Competitors DFL-260 N/A 5XT 5GT FortiGate-60/60A FortiGate-100A Max. No. of VLAN 8 3 10 (Bundled) – 25, 50, 100, 250 (via Lic Upgrade) 10 (Bundled) - 25, 50, 100, 250 (via Lic Upgrade) The maximum number of VLANs on the DFL-260 is 8. ZyXEL and WatchGuard do not provide a VLAN feature in this segment. Juniper provides at most 3 VLANs, and this cannot be expanded via license upgrade. SonicWALL offers 0 VLANs by default and requires a license upgrade for this feature.

102 NetDefendOS Feature Introduction VLAN
DFL-800 Small-to-Medium Business Segment D-Link SonicWALL ZyXEL WatchGuard Firebox Features / Competitors DFL-800 Pro Standard / Enhanced Pro Standard / Enhanced ZyWALL 70 X Core X500 Standard / Advanced X Core X700 Standard / Advanced Max. No. of VLAN 16 Not Available / 25 Not Available Small-to-Medium Business Segment D-Link Cisco Juniper Fortinet Features / Competitors DFL-800 PIX 506E PIX 515E (R, DMZ) / (UR, FO, FO-AA) NetScreen-25 NetScreen-50 FortiGate-100A FortiGate-200A Max. No. of VLAN 16 2 10 / 25 10 (Bundled) – 25, 50, 100, 250 (via Lic Upgrade) 10 (Bundled) - 25, 50, 100, 250 (via Lic Upgrade) The maximum number of VLANs on the DFL-800 is 16. ZyXEL and WatchGuard do not provide a VLAN feature in this segment. The other players provide either 0 or 10 VLANs by default; if customers require more VLANs, they must pay extra for a license upgrade.

103 NetDefendOS Feature Introduction VLAN
DFL-860 Small-to-Medium Business Segment D-Link SonicWALL ZyXEL WatchGuard Features / Competitors DFL-860 Pro Standard / Enhanced Pro Standard / Enhanced ZyWALL 70 UTM X Core X500 Standard / Advanced X Core X700 Standard / Advanced Max. No. of VLAN 16 Not Available / 25 Not Available Small-to-Medium Business Segment D-Link Cisco Juniper Fortinet Features / Competitors DFL-860 ASA 5505 Base / Security Plus SSG 5 Base / Extended SSG 20 Base / Extended FortiGate-100A FortiGate-200A Max. No. of VLAN 16 3 (Trunking Disabled) / 3 (Trunking Enabled) 10 / 50 10 (Bundled) – 25, 50, 100, 250 (via Lic Upgrade) 10 (Bundled) - 25, 50, 100, 250 (via Lic Upgrade) The maximum number of VLANs on the DFL-860 is 16. ZyXEL and WatchGuard do not provide a VLAN feature in this segment. The other players provide either 0 or 10 VLANs by default; if customers require more VLANs, they must pay extra for a license upgrade.

104 NetDefendOS Feature Introduction VLAN
DFL-1600 Small-to-Medium Business Segment D-Link SonicWALL ZyXEL WatchGuard Features / Competitors DFL-1600 Pro 3060 Standard / Enhanced Pro 4060 Enhanced ZyWALL 1050 X Core X1000 Standard / Advanced X Core X2500 Standard / Advanced X Core X550e (UTM) Standard / Advanced Max. No. of VLAN 128 Not Available / 50 200 Y Not Available Not Available / 25 Small-to-Medium Business Segment D-Link Cisco Juniper Fortinet Features / Competitors DFL-1600 PIX 525 (R) / (UR, FO, FO-AA) ASA 5510 Base / Security Plus SSG 140 NetScreen-204 NetScreen-208 FortiGate-300A Max. No. of VLAN 128 25 /100 10 / 25 100 32 10 (Bundled) – 25, 50, 100, 250 (via Lic Upgrade) The maximum number of VLANs on the DFL-1600 is 128, outranking all other competitors. Fortinet bundles only 10 VLANs; if customers require more VLANs, they must pay extra for a license upgrade.

105 NetDefendOS Feature Introduction VLAN
DFL-2500 Small-to-Medium Business Segment D-Link SonicWALL ZyXEL WatchGuard Firebox Features / Competitors DFL-2500 Pro 4060 Enhanced Pro 4100 Enhanced N/A X Peak X5000 Advanced X Peak X6000 Advanced Max. No. of VLAN 1024 200 300 Not Available Small-to-Medium Business Segment D-Link Cisco Juniper Fortinet Features / Competitors DFL-2500 ASA 5520 ASA 5540 NetScreen-208 NetScreen-500 FortiGate-400A FortiGate-500A Max. No. of VLAN 1024 100 200 32 800 (100 per port) 10 (Bundled) – 25, 50, 100, 250 (via Lic Upgrade) ZyXEL does not have any product in this segment. Compared with the other competitors, the DFL-2500 provides the highest number of VLANs for customers.

106 Summary: VLAN (Virtual Local Area Network)
NetDefendOS Feature Introduction VLAN Summary: VLAN (Virtual Local Area Network) With the VLAN feature, organizations can enable routing between VLANs and implement security policies among different LAN segments, so that different departments, e.g. RD and Sales, can have different access controls toward network resources. In the entry-level segment, DFL-210/260/800/860, most competitors do not deliver a VLAN feature at all, which limits infrastructure expandability for SMBs. With insight into the IT demands of SMBs, every member of the D-Link NetDefend IPS/UTM Firewall family bundles more VLANs than its competitors, with no need to pay extra for a license upgrade. The D-Link NetDefend IPS/UTM Firewall family is the best partner for the business and infrastructure growth of SMBs.

107 NetDefendOS Feature Introduction VLAN
VLAN Q&A 1. VLAN tagging within a NetDefend device is based on which industry standard? a d b q c q d e 2. What is the valid range of VLAN tag numbers that are usable on a NetDefend device? a. 0 thru 500 b. 1 thru 500 c. 0 thru 2048 d. 0 thru 4095 e. 1 thru 4094 1. B 2. D

108 NetDefendOS Feature Introduction VLAN
VLAN Q&A 3. What is the maximum number of VLANs supported on a DFL-800/860 IPS/UTM Firewall device running NetDefendOS? a. 10 b. 16 c. 20 d. 25 e. 50 4. What is the maximum number of VLANs supported on a DFL-2500 Firewall device running NetDefendOS? a. 100 b. 200 c. 512 d. 1000 e. 1024 3. B 4. E

109 NetDefendOS Feature Introduction VLAN
VLAN Q&A 5. In the DFL-210 segment, which competitors do NOT provide a VLAN feature? (Multiple Choice) a. Cisco b. Juniper c. SonicWALL d. Fortinet e. WatchGuard f. ZyXEL 6. In the DFL-860 segment, which competitors do NOT provide a VLAN feature by default with standard firmware? (Multiple Choice) a. WatchGuard b. Fortinet c. Juniper d. SonicWALL e. ZyXEL f. Cisco 5. C, E, F 6. A, D, E

110 NetDefendOS Feature Introduction VLAN
VLAN Q&A 7. What is NetDefendOS' main advantage in VLAN support compared to its competitors? (Multiple Choice) a. Supports more VLANs by default. b. VLAN number upgrade as an option. c. No need to pay extra costs for VLAN number. d. Supports 5 VLANs by default. e. Supports the VLAN feature on entry-level models. 8. What is the benefit of NetDefendOS' VLAN support? (Multiple Choice) a. Allows containing network traffic and increases network performance b. Creates VLAN IDs c. Enables security control between VLANs d. Enables L3 routing between VLANs e. Allows physical network connection 7. A, C, E 8. A, C, D

111 High Availability (HA)
NetDefendOS Feature Introduction High Availability High Availability (HA) Platform Compatibility: DFL-1600/2500 After completing this section, you will be able to: 1. Describe the NetDefend firewall HA feature and how it works 2. Describe what HA will and will not do for you 3. Describe the requirements before HA implementation

112 NetDefendOS Feature Introduction High Availability
Overview High Availability (HA) is a hardware fault-tolerance capability available on certain models of D-Link NetDefend Firewalls. Currently the firewalls that offer this feature are the DFL-1600 and DFL-2500, with an active-passive HA implementation. D-Link High Availability works by adding a Backup D-Link firewall to an existing firewall. The Backup firewall has the same configuration as the Primary firewall; therefore, this feature requires two identical firewall models. Throughout this chapter, the phrases "Master firewall" and "Primary firewall" are used interchangeably, as are the phrases "Slave firewall" and "Backup firewall".

113 How High Availability Works
NetDefendOS Feature Introduction High Availability How High Availability Works Two firewall appliances are required, one as the Master and the other as the Backup. When a failure occurs on the Master firewall, the Backup firewall transitions to active mode and assumes the configuration and role of Master. The Backup firewall holds a real-time mirrored configuration of the Master firewall via a dedicated Ethernet cable link. High Availability (HA) requires one NetDefend firewall appliance configured as the Master Firewall and an identical NetDefend firewall appliance configured as the Backup Firewall. During normal operation, the Master Firewall is in an Active state and the Backup Firewall in an Idle state. When a failure occurs on the Master firewall, the Backup Firewall transitions to Active mode and assumes the configuration and role of Master. The failover applies to loss of functionality or network-layer connectivity on the Master firewall. NetDefend firewall configuration is performed only on the Master Firewall. The Backup Firewall holds a real-time mirrored configuration of the Master Firewall via a dedicated Ethernet cable link.

114 What High Availability will do for you
NetDefendOS Feature Introduction High Availability What High Availability will do for you Hardware-based redundancy State-synchronized solution: when the cluster fails over to the inactive firewall, it knows which connections are active and communication may continue to flow uninterrupted. Extremely short failover time (< 800ms) D-Link High Availability provides a redundant, state-synchronized failover solution. This means that the state of the active firewall, i.e. the connection table and other vital information, is continuously copied to the inactive firewall. When the cluster fails over to the inactive firewall, it knows which connections are active, and communication may continue to flow uninterrupted. The failover time is typically about one second, well within the normal TCP retransmit timeout, which is normally over one minute. Clients connecting through the firewall merely experience the failover as a slight burst of packet loss and, as TCP always does in such situations, retransmit the lost packets within a second or two and go on communicating.

115 What High Availability will NOT do for you
NetDefendOS Feature Introduction High Availability What High Availability will NOT do for you It is not a panacea for all communication failures. It will not create a load-sharing cluster. Only two firewalls, a "Master" and a "Slave", are supported. Broken interfaces will not be detected by HA. Interface Broken Adding redundancy to your firewall setup eliminates one of the single points of failure in your communication path. However, it is not a panacea for all possible communication failures. D-Link High Availability clusters do not load-share: one firewall is active and the other inactive. Multiple backup firewalls cannot be used in a cluster; only two firewalls, a "Master" and a "Slave", are supported. Broken interfaces are not detected by the current implementation of HA unless they are broken to the point where the firewall cannot continue to run. This means that failover will not occur as long as the active firewall can communicate "being alive" to the inactive firewall through any of its interfaces, even though one or more interfaces may be inoperative.

116 High Availability Scenario Example
NetDefendOS Feature Introduction High Availability High Availability Scenario Example NetDefend firewalls with a hardware failover mechanism prevent a single point of failure and keep network communication alive. If the Master Firewall fails, the Slave Firewall takes over. Hardware Failover allows two identical NetDefend firewall security appliances to be configured to provide a reliable, continuous connection to the public Internet. In the event of the failure of the Primary firewall, the Backup firewall takes over to secure a reliable connection between the protected network and the Internet.

117 Requirements before using HA
NetDefendOS Feature Introduction High Availability Requirements before using HA High Availability is only supported on the DFL-1600 and DFL-2500. The Master and Slave NetDefend Firewalls must be the same hardware model; mixing D-Link firewalls of different hardware types is not currently supported. NetDefend High Availability does not support PPP protocols or dynamic IP address assignment from your ISP. Both D-Link NetDefend Firewalls in the High Availability pair must have the same firmware version installed. The high availability feature requires THREE unique static LAN IP addresses to operate normally. Before attempting to implement two NetDefend Firewalls as a high availability hardware failover pair, check the following requirements: NetDefend High Availability does not support PPP protocols or dynamic IP address assignment from your ISP, such as dynamic PPPoE and DHCP client. The high availability feature requires three unique static LAN IP addresses to operate normally: the first IP address is used as the virtual gateway IP address, the second as the unique LAN IP address of the primary device, and the third as the unique LAN IP address of the backup device.

118 NetDefendOS Feature Introduction High Availability
Feature Matrix DFL-200 DFL-210 DFL-800 DFL-1600 DFL-2500 Active-Passive mode N/A Yes Active-Active mode State Synchronization VPN Synchronization Device Failure Detection Dead Link Detection Dead Gateway Detection Dead Interface Detection Average Failover Time <800ms Synchronization Method Dedicated Ethernet Interface HA Operating Mode introduction Active-Passive HA An active-passive (A-P) HA cluster provides hot-standby failover protection. An active-passive cluster consists of a primary unit that processes traffic and one subordinate unit. The subordinate unit is connected to the network and to the primary unit but does not process traffic; instead it runs in a standby state, in which it receives cluster state information from the primary unit. Cluster state information includes a list of all communication sessions being processed by the primary unit. The subordinate unit uses this information to resume processing network traffic if the primary unit fails. Active-Active HA Active-active (A-A) HA load-balances network traffic among all cluster units. An active-active HA cluster consists of a primary unit that processes traffic and one subordinate unit that also processes traffic, meaning that all UDP, ICMP, multicast and broadcast traffic is processed simultaneously by the primary and secondary units. The DFL-1600 and DFL-2500 do not support this HA mode.
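The active-passive behaviour described in this HA section, as an added simulation that is not part of the deck or of NetDefendOS: the backup stays idle while the master can still signal that it is alive through any interface (so a single dead interface does not trigger failover, as the deck warns), takes over once the signal stops, and already holds the mirrored connection table. The 800 ms silence threshold, the timings, interface names and session identifiers are constructed assumptions.

```python
"""Active-passive HA failover as the slides describe it: the backup stays
idle while the master keeps signalling 'alive' through any interface, takes
over once that signal stops, and already holds a mirrored connection table
so established sessions survive the switch.  Added illustration, not
NetDefendOS code; the 800 ms silence threshold, timings, interface names
and session identifiers are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FAILOVER_THRESHOLD_MS = 800   # assumed: the deck quotes a failover time < 800 ms


@dataclass
class Firewall:
    name: str
    links: Dict[str, bool]                     # interface -> link up?
    role: str = "idle"                         # "active", "idle" or "failed"
    connections: Set[str] = field(default_factory=set)

    def can_signal_alive(self) -> bool:
        # The deck's caveat: while any interface still works the master keeps
        # reporting itself alive, so one broken interface is not a failover trigger.
        return self.role == "active" and any(self.links.values())


class HaCluster:
    def __init__(self, master: Firewall, backup: Firewall) -> None:
        master.role, backup.role = "active", "idle"
        self.master, self.backup = master, backup
        self.last_alive_ms = 0
        self.failover_at_ms: Optional[int] = None

    def sync_state(self) -> None:
        """Mirror the active unit's connection table over the dedicated sync link."""
        self.backup.connections = set(self.master.connections)

    def heartbeat(self, now_ms: int) -> None:
        """Master side: announce 'alive' if it still can."""
        if self.master.can_signal_alive():
            self.last_alive_ms = now_ms

    def check(self, now_ms: int) -> str:
        """Backup side: take over when no 'alive' arrived within the threshold."""
        silent_ms = now_ms - self.last_alive_ms
        if self.backup.role == "idle" and silent_ms > FAILOVER_THRESHOLD_MS:
            self.backup.role, self.master.role = "active", "failed"
            self.failover_at_ms = now_ms
        return self.active_unit().name

    def active_unit(self) -> Firewall:
        return self.backup if self.backup.role == "active" else self.master


def run_scenario() -> dict:
    """Constructed timeline: a dead LAN port (no failover), then a full crash."""
    master = Firewall("master", {"wan": True, "lan": True, "sync": True})
    backup = Firewall("backup", {"wan": True, "lan": True, "sync": True})
    cluster = HaCluster(master, backup)
    master.connections.update({"tcp 10.0.0.5:51000->203.0.113.9:443",
                               "tcp 10.0.0.7:51001->203.0.113.9:22"})
    cluster.sync_state()                     # state copied before anything fails
    trace: List[Tuple[int, str]] = []
    cluster.heartbeat(0)
    trace.append((0, cluster.check(0)))
    master.links["lan"] = False              # one interface breaks
    cluster.heartbeat(500)                   # still alive via wan/sync
    trace.append((1000, cluster.check(1000)))   # 500 ms silence: master stays
    master.links.update({"wan": False, "sync": False})   # master stops entirely
    cluster.heartbeat(1500)                  # nothing can be sent
    trace.append((2400, cluster.check(2400)))   # 1900 ms silence: backup takes over
    return {"trace": trace,
            "failover_at_ms": cluster.failover_at_ms,
            "sessions_on_active": sorted(cluster.active_unit().connections)}


if __name__ == "__main__":
    print(run_scenario())
```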

119 Summary: HA (High Availability)
NetDefendOS Feature Introduction High Availability Summary: HA (High Availability) The HA feature is offered on both the DFL-1600 and DFL-2500 in active-passive mode. NetDefend High Availability (HA) addresses two key requirements of critical enterprise networking components: enhanced reliability and prevention of a single point of failure at the appliance level. NetDefend HA is implemented by configuring two firewall units to operate as an HA cluster. The HA pair must use the same hardware model and firmware version.

120 High Availability (HA) Q&A
NetDefendOS Feature Introduction High Availability High Availability (HA) Q&A 1. Which of the following features is NOT supported by NetDefend High Availability? a. Active-Passive HA mode b. Dead link detection c. Hardware failover mechanism between Master and Backup d. Hardware load balancing between Master and Backup e. Firewall state and VPN synchronization 2. Which of the following conditions is NOT required before using NetDefend High Availability? a. Static WAN IP address b. Same hardware model c. Additional Ethernet cable for synchronization d. Same firmware version installed e. Redundant power supply 1. D 2. E

121 High Availability (HA) Q&A
NetDefendOS Feature Introduction High Availability High Availability (HA) Q&A 3. Which of the following characteristics of High Availability is NOT true? a. Only two firewalls are supported b. Connection link failover c. Single point failure prevention d. Increasing network reliability e. None of the above 3. B

122 NetDefendOS Feature Introduction Traffic Management
Platform Compatibility: DFL-210/260/800/860/1600/2500 After completing this section, you will be able to: 1. Describe the terminology and feature definitions associated with Traffic Management 2. Describe the purpose of Traffic Management 3. Describe the selling point for Traffic Management

123 Strategies for Optimizing Applications on the WAN
NetDefendOS Feature Introduction Traffic Management Strategies for Optimizing Applications on the WAN Managing application performance can be quite a challenge. Productivity drops and frustration climbs when performance turns inconsistent, unpredictable and slow. Do any of these problems sound familiar to you? • Repeated bandwidth upgrades fail to address performance but do increase costs substantially. • A branch office's ERP performance plummets whenever an employee synchs. • Enthusiasm for VoIP (Voice over IP) fades when callers routinely face stutter and static during peak network usage. • Surges from recreational and infected traffic cause urgent, interactive applications to struggle. • Nightly server backups haven't finished by the next morning. For many companies, application performance on the WAN declined gradually from adequate to unworkable. In other organizations, a single event, such as deploying a new application or relocating servers, seems to precipitate the decline.

124 What’s Causing Bandwidth Performance Problems?
NetDefendOS Feature Introduction Traffic Management What's Causing Bandwidth Performance Problems? More application traffic Recreational traffic Web-based applications Voice/video/data network convergence Disaster readiness Network Threat Attack New Breed of Applications Recent changes in application and network environments have wreaked havoc on performance. Increasing traffic, diverse performance requirements, and a capacity mismatch between local and wide-area networks have prompted the decline in performance. Traffic growth stems from trends in applications, networks and user habits, including: • More application traffic: An explosion of application size, user demand, and richness of media • Recreational traffic: Abundant traffic resulting from recent trends in Internet radio, MP3 downloads, instant messaging, web browsing, interactive gaming, and more • Web-based applications: Applications with web-based user interfaces, which typically consume 5 to 10 times their former bandwidth • Voice/video/data network convergence: One network that supports voice, video and data, with their variety of bandwidth demands and performance requirements • Disaster readiness: Redundant data centers mirroring large amounts of data • Network Threat Attack: Worms, viruses and denial-of-service (DoS) attacks (ranked as the top source of network congestion in a recent Network World survey) • New Breed of Applications: Audio and video streaming, which demand high data throughput capacity (bandwidth) and have low-latency requirements when used in two-way communications (i.e. conferencing and telephony)

125 What is Quality of Service ?
NetDefendOS Feature Introduction Traffic Management What is Quality of Service? Quality of Service (QoS) means providing consistent, predictable data delivery service; in other words, satisfying customer application requirements. The QoS feature is called "Traffic Management" in the NetDefendOS Web GUI. It is the allocation of the appropriate amount of network bandwidth to every user and application on an interface. It works by measuring and queuing IP packets. Traffic Management is a tool to handle traffic passing through the firewall. With this tool we can give customers and employees QoS (Quality of Service). NetDefendOS can prioritize certain traffic, set up bandwidth limitations and divide traffic between objects such as IP addresses, ports and network segments. It is the allocation of the appropriate amount of network bandwidth to every user and application on an interface. The appropriate amount of bandwidth is defined as cost-effective carrying capacity at a guaranteed Quality of Service (QoS). You use a security device to shape traffic by creating policies and by applying appropriate rate controls to each class of traffic going through the device. Traffic shaping works by measuring and queuing IP packets in transit with respect to a number of configurable parameters. Differentiated rate limits and traffic guarantees based on source, destination and protocol parameters can be created, much the same way firewall rules are implemented.

126 NetDefendOS Feature Introduction Traffic Management
Why is QoS Needed? The Internet Protocol (IP) does not provide a reliable mechanism to assure timely delivery or data throughput. Unlike “pure virtual circuit” technologies such as ATM and Frame Relay, IP does not make hard allocations of resources. Typical network traffic is bursty rather than continuous. Mission-critical information cannot tolerate unpredictable losses. Conferencing, telephony and video streaming demand high data throughput and low latency when used in two-way communications.

127 How Does Traffic Management Work?
NetDefendOS Feature Introduction Traffic Management How does Traffic Management work? Queuing packets when traffic exceeds configured limits. Dropping packets if the packet buffers are full. Prioritizing traffic according to the administrator's choice. Providing bandwidth guarantees. In more detail:
• Applying bandwidth limits by queuing packets that would exceed configured limits, and sending them later when the momentary demand for bandwidth is lower.
• Dropping packets if the packet buffers are full. The packets to be dropped should be chosen from those responsible for the "jam".
• Prioritizing traffic according to the administrator's choice: if traffic in a higher priority increases while a communications line is full, traffic in lower priorities is temporarily limited to make room for the high-priority traffic.
• Providing bandwidth guarantees. This is typically accomplished by treating a certain amount of traffic (the guaranteed amount) as higher priority, and traffic exceeding the guarantee as the same priority as "any other traffic", which then competes with the rest of the non-prioritized traffic.

128 NetDefendOS Feature Introduction Traffic Management
Traffic Management Scenario Example You could use Traffic Management to achieve the following:
• SMTP guaranteed 800 Kbps, maximum limit 1600 Kbps, highest priority.
• HTTP guaranteed 600 Kbps, maximum limit 1200 Kbps, second priority.
• FTP guaranteed 400 Kbps, maximum limit 800 Kbps, third priority.
• Other protocols are neither guaranteed nor limited, but may burst to use all available bandwidth whenever SMTP/HTTP/FTP are not running at full load.
The benefits of enabling the Traffic Management feature: Traffic Management is the ability to deliver the required quality for mission-critical applications deployed over IP networks. Controlling an application's maximum utilization reserves enough bandwidth for other protocols. Priority attribution gives more scalability and efficiency in utilizing the total physical bandwidth. Applications are getting more demanding: mission-critical applications deployed over IP networks increasingly require quality, reliability, and timeliness assurances. In particular, applications that carry voice, video streams, or multimedia must be carefully managed within an IP network to preserve their integrity.
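To make the scenario concrete, here is an added example (not code from the slides or from NetDefendOS) that models the allocation step of such a pipe in Python: guarantees are served in priority order, then whatever is left is shared max-min fairly among the classes that still have demand, so traffic above a guarantee competes as ordinary traffic and "other" can burst to the whole link. The rule set, the link speed of 2000 Kbps and the demand figures are constructed; queuing and dropping of packets not served in an interval are left out of the model.

```python
"""Added example: a per-interval bandwidth allocator for the slide scenario
(SMTP 800/1600 Kbps, HTTP 600/1200, FTP 400/800, 'other' unbounded).
Illustrative code, not NetDefendOS's scheduler; the two-phase model
(guarantees by priority, then fair sharing of what is left) follows the
slide text and simplifies how a real pipe works."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PipeRule:
    name: str
    priority: int                     # lower number = higher priority
    guarantee_kbps: int = 0           # bandwidth reserved for this class
    limit_kbps: Optional[int] = None  # hard cap; None means "may use all spare bandwidth"


# constructed rule set matching the scenario on the slide
RULES: List[PipeRule] = [
    PipeRule("SMTP", 1, 800, 1600),
    PipeRule("HTTP", 2, 600, 1200),
    PipeRule("FTP", 3, 400, 800),
    PipeRule("other", 4),
]


def _capped_demand(rule: PipeRule, demand: Dict[str, int]) -> int:
    """Demand for a class, clipped to its maximum limit if it has one."""
    want = max(0, demand.get(rule.name, 0))
    return want if rule.limit_kbps is None else min(want, rule.limit_kbps)


def allocate(link_kbps: int, demand: Dict[str, int],
             rules: List[PipeRule] = RULES) -> Dict[str, int]:
    """Bandwidth (Kbps) each class receives in one scheduling interval.

    Phase 1 hands out guarantees in priority order, so when the link is too
    small for all guarantees the highest priority wins.  Phase 2 shares the
    remaining capacity max-min fairly among classes that still have demand:
    traffic above a guarantee competes as ordinary traffic, as the slide says."""
    alloc = {r.name: 0 for r in rules}
    spare = link_kbps
    for r in sorted(rules, key=lambda r: r.priority):          # phase 1: guarantees
        granted = min(_capped_demand(r, demand), r.guarantee_kbps, spare)
        alloc[r.name] = granted
        spare -= granted
    residual = {r.name: _capped_demand(r, demand) - alloc[r.name] for r in rules}
    residual = {k: v for k, v in residual.items() if v > 0}
    while spare > 0 and residual:                               # phase 2: water-filling
        share = max(1, spare // len(residual))
        for name in list(residual):
            give = min(share, residual[name], spare)
            alloc[name] += give
            residual[name] -= give
            spare -= give
            if residual[name] == 0:
                del residual[name]
            if spare == 0:
                break
    return alloc


if __name__ == "__main__":
    saturated = {"SMTP": 5000, "HTTP": 5000, "FTP": 5000, "other": 5000}
    print(allocate(2000, saturated))        # guarantees plus an equal share of the remaining 200 Kbps
    print(allocate(2000, {"other": 5000}))  # 'other' bursts to the whole link when nobody else needs it
    print(allocate(1000, saturated))        # link smaller than the guarantees: priority decides
```

Run it with a link smaller than the sum of the guarantees to see the priority order take effect, and with only "other" demanding to see the unlimited class take the whole link.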

129 NetDefendOS Feature Introduction Traffic Management
Key Advantages Granular control for prioritizing, guaranteeing and limiting traffic. Nicely integrated with the firewall ruleset. Accurate control and management of bandwidth utilization. Traffic inside IPsec tunnels can be included in QoS. Dynamic Bandwidth Balancing (D-Link unique).

130 Traffic Management Q&A
NetDefendOS Feature Introduction Traffic Management Traffic Management Q&A 1. Which of the following firewall models does NOT support the traffic management feature? a. DFL-210 b. DFL-800 c. DFL-1600 d. DFL-2500 e. None of the above. 2. Which of the following traffic management features is unique to D-Link compared with other firewall suppliers? a. Guaranteed bandwidth b. Queuing packets c. Dropping packets if the packet buffers are full d. Dynamic Bandwidth Balancing e. Maximum bandwidth limiting Answers: 1. E 2. D

131 Traffic Management Q&A
NetDefendOS Feature Introduction Traffic Management Traffic Management Q&A 3. Which of the following scenarios is NOT supported by the Traffic Management feature on NetDefend Firewalls? a. Two-way bandwidth limits b. Per-user traffic limits and guarantees c. Managing bandwidth inside an IPsec tunnel d. Increasing reliability by traffic failover e. Managing bandwidth usage by VLAN interface Answer: 3. D

132 Traffic Management Q&A
NetDefendOS Feature Introduction Traffic Management Traffic Management Q&A 4. Which of the following descriptions of the Traffic Management feature on NetDefend Firewalls is incorrect? a. Traffic Management can provide bandwidth priority, bandwidth guarantees and bandwidth load balancing. b. Traffic Management can be applied to VLAN interfaces on the NetDefend Firewall series. c. IPsec tunnel traffic can be included in Traffic Management. d. The Dynamic Bandwidth Balancing feature ensures that per-user bandwidth limits are dynamically lowered (and raised) to evenly balance the available bandwidth between the users of the pipe. e. Traffic Management performs packet-based control of bandwidth utilization. Answer: 4. A

133 NetDefendOS Feature Introduction User Authentication
Platform Compatibility: DFL-210/260/800/860/1600/2500 After completing this section, you will be able to: 1. Describe what User Authentication is 2. Describe what Run-Time Web-Based Authentication is 3. Describe what an Accounting Server is 4. Describe the selling points of User Authentication

134 User Authentication Introduction
NetDefendOS Feature Introduction User Authentication User Authentication Introduction User authentication is frequently used for services such as HTTP, FTP, and VPN. NetDefendOS uses a username/password combination as the primary authentication method, protected by encryption. More advanced and secure means of authentication include public/private keys, X.509 certificates, IPsec/IKE, IKE XAuth, and ID lists. User Types NetDefendOS has authentication schemes that support diverse users. These can be: Administrators; normal users accessing the network; PPPoE/PPTP/L2TP users using PPP authentication methods; IPsec/IKE users, the entities authenticated during the IKE negotiation phases (implemented with pre-shared keys or certificates); IKE XAuth users, an extension to IKE authentication that occurs between negotiation phase 1 and phase 2; and user groups, groups of users that are subject to the same criteria. With user authentication you can manage an Administrator group for firewall management, or create specific user groups for HTTP, FTP and VPN services.

135 User Authentication Introduction
NetDefendOS Feature Introduction User Authentication User Authentication Introduction NetDefendOS can use either a locally stored database or a database on an external server to provide user authentication. The Local User Database (UserDB) supports 150 entries. External authentication server: RADIUS (Remote Authentication Dial In User Service). Authentication Agents Four different agents built into NetDefendOS can perform username/password authentication: HTTP - authentication via web browsing. Users browse to the firewall and log in either through an HTML form or a "401 - Authentication Required" dialog. HTTPS - authentication via secure web browsing. Similar to the HTTP agent, except that host and root certificates are used to establish the SSL connection to the firewall. XAUTH - authentication during IKE negotiation in IPsec VPN (if the IPsec tunnel has been configured to require XAUTH authentication). PPP - authentication when PPTP/L2TP tunnels are set up (if the PPTP/L2TP tunnel has been configured to require user authentication). The NetDefend Firewall provides a local database supporting 150 user accounts and supports an external RADIUS authentication server. It provides four authentication agents: HTTP/HTTPS for web access authentication, XAUTH for VPN authentication and PPP for PPTP/L2TP authentication. For other services (FTP, SMTP, POP3, ...) you can also use the HTTP/HTTPS agent to require user authentication before users may use those services.

136 Run-Time Web-Based Authentication
NetDefendOS Feature Introduction User Authentication Run-Time Web-Based Authentication The most common application of User Authentication is Run-Time Web-Based User Authentication, which is similar to WAC (Web-based Access Control) on D-Link xStack switches. The firewall requests user authentication before the user can pass through the firewall: when the user first opens a browser, it is automatically redirected to the login page. [Diagram: Local Network Client - NetDefend Firewall - Internet (web surfing)]

137 NetDefendOS Feature Introduction User Authentication
Accounting Server NetDefendOS also supports “Accounting” through the RADIUS server, in order to count the bytes or packets that were sent and received. Some vendors use a different term for this feature; D-Link names it Accounting Server in the firewall Web GUI and user manual. When a user establishes a new connection through the D-Link Firewall, NetDefendOS sends an Accounting-Request START message to the nominated RADIUS server to record the start of the new session. When the admin/user is no longer authenticated, for example after logging out or when the session time expires, NetDefendOS sends an Accounting-Request STOP message containing the relevant session statistics.
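The START/STOP exchange described above, as an added example that is not part of the original slides or of NetDefendOS: Python code that builds RFC 2866 Accounting-Request packets with the Request Authenticator, performs the server-side authenticator check, and builds and checks the Accounting-Response. The slide does not say which attributes NetDefendOS sends, so the attribute set here (User-Name, Acct-Session-Id, NAS-IP-Address, Framed-IP-Address, octet counters, session time, terminate cause) is an assumption; the user name, session id, addresses, byte counts and shared secret are constructed.

```python
"""Added example: RADIUS Accounting-Request START/STOP records per RFC 2866,
plus the server-side authenticator check and the Accounting-Response.
Illustrative code, not NetDefendOS: the attribute set is an assumption and
all session values and the shared secret are constructed placeholders."""
import hashlib
import hmac
import socket
import struct
from typing import List, Tuple

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
# attribute types (RFC 2865 / RFC 2866)
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 44, 46, 49
ACCT_START, ACCT_STOP = 1, 2
TERM_USER_REQUEST = 1          # Acct-Terminate-Cause: user logged out


def avp(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def u32(n: int) -> bytes:
    return struct.pack("!I", n)


def build_accounting_request(secret: bytes, identifier: int, attrs: bytes) -> bytes:
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(secret: bytes, packet: bytes) -> bool:
    """What the accounting server does on receipt: recompute and compare the authenticator."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_accounting_response(secret: bytes, request: bytes) -> bytes:
    """Empty Accounting-Response; its authenticator is bound to the request's."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_accounting_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Client-side check that the response came from the holder of the secret."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def _session(user: str, session_id: str, nas_ip: str, client_ip: str) -> bytes:
    return (avp(USER_NAME, user.encode()) + avp(ACCT_SESSION_ID, session_id.encode())
            + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
            + avp(FRAMED_IP_ADDRESS, socket.inet_aton(client_ip)))


def start_record(secret: bytes, identifier: int, user: str, session_id: str,
                 nas_ip: str, client_ip: str) -> bytes:
    attrs = avp(ACCT_STATUS_TYPE, u32(ACCT_START)) + _session(user, session_id, nas_ip, client_ip)
    return build_accounting_request(secret, identifier, attrs)


def stop_record(secret: bytes, identifier: int, user: str, session_id: str, nas_ip: str,
                client_ip: str, in_octets: int, out_octets: int, seconds: int,
                cause: int = TERM_USER_REQUEST) -> bytes:
    attrs = (avp(ACCT_STATUS_TYPE, u32(ACCT_STOP)) + _session(user, session_id, nas_ip, client_ip)
             + avp(ACCT_INPUT_OCTETS, u32(in_octets)) + avp(ACCT_OUTPUT_OCTETS, u32(out_octets))
             + avp(ACCT_SESSION_TIME, u32(seconds)) + avp(ACCT_TERMINATE_CAUSE, u32(cause)))
    return build_accounting_request(secret, identifier, attrs)


# constructed sample session (placeholder secret, documentation addresses)
SECRET = b"example-shared-secret"
START = start_record(SECRET, 1, "alice", "3f2a0001", "192.0.2.1", "192.0.2.77")
STOP = stop_record(SECRET, 2, "alice", "3f2a0001", "192.0.2.1", "192.0.2.77",
                   in_octets=1_250_000, out_octets=48_000, seconds=3600)

if __name__ == "__main__":
    for label, pkt in (("START", START), ("STOP", STOP)):
        print(label, verify_accounting_request(SECRET, pkt), parse_attributes(pkt))
```

Note that the authenticator is a keyed MD5 over the whole packet, not a per-attribute check: a server that skips it will happily record forged session statistics from anyone who can reach UDP/1813, which is why the shared secret and the verify step matter even though accounting carries no passwords.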

138 NetDefendOS Feature Introduction User Authentication
Competitive Analysis (D-Link, Fortinet, Juniper, SonicWALL, ZyXEL) Built-in database; External database: RADIUS; External database: LDAP* / Enhanced OS only; External database: MS IAS; XAUTH for IPsec authentication; Run-time web-based authentication (D-Link: all services; Fortinet: HTTP only). Compared with these competitors, the D-Link NetDefend Firewall is the only one that supports an Accounting Server for LDAP and Microsoft IAS without extra cost; SonicWALL does not. The D-Link firewall's User Authentication feature can control user access to all services by web-based authentication, while other vendors cannot; Fortinet supports it for HTTP only. *Available in a future firmware upgrade

139 Summary: User Authentication
NetDefendOS Feature Introduction User Authentication Summary: User Authentication Provides four authentication agents: HTTP, HTTPS, XAUTH and PPP. Provides a local database and supports an external database: RADIUS server. Supports Accounting through the RADIUS server.

140 User Authentication Q&A
NetDefendOS Feature Introduction User Authentication User Authentication Q&A 1. Which authentication agent does D-Link NOT support? a. FTP b. XAuth c. HTTP/HTTPS d. PPTP/L2TP 2. Which user database does D-Link NOT support now? a. TACACS+ b. RADIUS c. Microsoft IAS d. LDAP 3. Which vendors support web authentication in their firewall product line? (Multiple choice) a. D-Link b. Fortinet c. ZyXEL d. Juniper Answers: 1. A 2. A 3. B

141 User Authentication Q&A
NetDefendOS Feature Introduction User Authentication User Authentication Q&A 4. What is the “Accounting Server”? a. Provides statistical information on RADIUS sessions b. Translates corporate policy into network policy c. The device for corporate policy enforcement d. The server that provides user log-in and log-off services 5. How many entries does the D-Link local database support? a. 150 b. 200 c. 250 d. 300 6. Which database type does the Accounting Server support? a. Local database b. RADIUS server c. LDAP server d. TACACS+ server Answers: 4. A 5. A 6. B

142 NetDefendOS Feature Introduction ZoneDefense
Platform Compatibility: DFL-800/860/1600/2500 In this section, you will learn the following: What is D-Link’s complete security solution? What is Gateway Security? What is Endpoint Security? What is Joint Security? What role does ZoneDefense play in D-Link’s complete security solution? What is the difference between D-Link and our competitors in security solution offerings?

143 D-Link’s complete security solution
NetDefendOS Feature Introduction ZoneDefense D-Link’s complete security solution Enterprise Network: Gateway Security, Endpoint Security, Joint Security. D-Link’s complete security solution has three components: Gateway Security: the NetDefend IPS/UTM Firewall sits at the border of the network topology and secures the valuable resources inside from malicious outsiders. Endpoint Security: the xStack Switch contains a rich set of features for securing LAN access; we brief you on them in the following slides. Joint Security: the technology that integrates Gateway Security and Endpoint Security. Every vendor has its own approach; at D-Link, the cutting-edge ZoneDefense technology plays this role.

144 NetDefendOS Feature Introduction ZoneDefense
Endpoint Security Solution 802.1X: Guest VLAN, identity-based VLAN/Security/QoS. Web-based Access Control: WAC, Web Authentication (HP), Network Login (Extreme), Captive Portal. MAC-based Access Control: MAC, MAC Authentication (HP), RADA (3Com). Addressing Control: DHCP Snooping/ARP Inspection (Cisco), IMP Binding. NAC: Cisco NAC, TCG NAC, vendor-specific NAC, Microsoft NAP. The D-Link xStack Switch provides comprehensive features to enable Endpoint Security, though some competitors call the same features by other names. Detailed feature explanations are presented in DCS-Switch. Highlighted items are currently supported by the D-Link xStack Switch.

145 Joint Security - ZoneDefense Technology
NetDefendOS Feature Introduction ZoneDefense Joint Security - ZoneDefense Technology Challenges to Current Network Security Traditional firewalls have limited ports and performance, so L3 network switching still relies on L3 switches. Whenever there is an infected mobile user, the current network security architecture cannot effectively prevent virus/worm infection and outbreak. [Diagram: Firewall - L3 Core Switch - Server Farm] The result is mutual infection between clients, and the ensuing virus/worm outbreak can even have a DoS effect on network devices.

146 Joint Security - ZoneDefense Technology
NetDefendOS Feature Introduction ZoneDefense Joint Security - ZoneDefense Technology New Network Security Architecture New high-port-density, high-performance firewalls will be able to take over L3 switching and enable security policies between LANs. Whenever there is an infected mobile user, the new architecture will be able to stop the virus/worm infection across LANs. [Diagram: Firewall - Server Farm - L3 Core Switch, with D-Link ZoneDefense] ZoneDefense can be triggered by threshold rules and by IPS. A threshold rule triggers ZoneDefense to block a specific host or network when the connection limit specified in the rule is exceeded. The limit can be one of two types: Connection Rate Limit - triggered if the rate of new connections per second to the firewall exceeds a specified threshold. Total Connections Limit - triggered if the total number of connections to the firewall exceeds a specified threshold. ZoneDefense triggered by the AV feature is not available now, but it is on our roadmap. On the Windows platform, many network attacks exploit the SMB (Server Message Block) protocol: the victim generates a flood of traffic on TCP port 445 and swamps the whole network. With the ZoneDefense feature we can prevent this disaster, as follows:
1. Under ZoneDefense, set a threshold on TCP port 445 traffic, say "10 connections/second" on TCP port 445 per host.
2. Configure the relevant xStack switches within the topology.
3. The victim tries to flood the network via TCP port 445.
4. The NetDefend IPS/UTM Firewall detects that the connection count from this victim exceeds the threshold.
5. The NetDefend IPS/UTM Firewall commands the xStack switch to block the victim.
6. Totally proactive and automatic, without any manual intervention, limiting any malicious flood in real time.
Further, when the firewall detects virus/worm activity, it notifies the access-layer switches to block the suspected host, effectively stopping the mutual infection or virus/worm outbreak in time.
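The detection side of the six steps above, as an added example that is not NetDefendOS or xStack code: a Python monitor that applies a Connection Rate Limit and a Total Connections Limit per source host on TCP/445 and hands a host that trips either limit to a callback, standing in for the command the firewall sends to the switch. The rule values (10 new connections per second, 5 concurrent) and every connection event are constructed.

```python
"""Added example: the threshold side of a ZoneDefense-style rule, run over
constructed connection events.  Illustrative code, not NetDefendOS or xStack
firmware: the block action is a callback standing in for the firewall telling
the switch to quarantine a host, and the sample events are invented."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Set, Tuple

Event = Tuple[float, str, str, str, int, int]   # (ts, "open"/"close", src, dst, sport, dport)


@dataclass(frozen=True)
class ThresholdRule:
    dport: int             # only connections to this destination port are counted
    rate_limit: int        # new connections per window per source host (Connection Rate Limit)
    total_limit: int       # concurrent connections per source host (Total Connections Limit)
    window: float = 1.0    # seconds; 1.0 gives "connections per second"


class ZoneDefenseMonitor:
    def __init__(self, rule: ThresholdRule, block_action: Callable[[str, str], None]):
        self.rule = rule
        self.block_action = block_action
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)    # new-connection timestamps
        self._open: Dict[str, Set[Tuple[str, int, int]]] = defaultdict(set)
        self.blocked: Set[str] = set()

    def _block(self, host: str, reason: str) -> None:
        if host not in self.blocked:          # one command per host, even if it keeps tripping the rule
            self.blocked.add(host)
            self.block_action(host, reason)

    def connection_opened(self, ts: float, src: str, dst: str, sport: int, dport: int) -> None:
        if dport != self.rule.dport or src in self.blocked:
            return
        recent = self._recent[src]
        recent.append(ts)
        while recent and ts - recent[0] >= self.rule.window:   # slide the window forward
            recent.popleft()
        self._open[src].add((dst, sport, dport))
        if len(recent) > self.rule.rate_limit:
            self._block(src, f"connection rate {len(recent)}/{self.rule.window:g}s exceeds {self.rule.rate_limit}")
        elif len(self._open[src]) > self.rule.total_limit:
            self._block(src, f"total connections {len(self._open[src])} exceeds {self.rule.total_limit}")

    def connection_closed(self, src: str, dst: str, sport: int, dport: int) -> None:
        self._open[src].discard((dst, sport, dport))


def sample_events() -> List[Event]:
    """Constructed SMB (TCP/445) connection events, not captured traffic."""
    ev: List[Event] = [
        # normal file-server user: three connections spread over three seconds
        (0.00, "open", "10.0.0.9", "10.0.0.20", 50001, 445),
        (1.50, "open", "10.0.0.9", "10.0.0.20", 50002, 445),
        (1.60, "close", "10.0.0.9", "10.0.0.20", 50001, 445),
        (3.00, "open", "10.0.0.9", "10.0.0.20", 50003, 445),
        # traffic from the worm host to a non-SMB port is not counted by this rule
        (0.12, "open", "10.0.0.5", "10.0.0.30", 40500, 80),
    ]
    for i in range(12):   # worm-like host: 12 attempts to 12 targets within 0.6 s, each refused at once
        ev.append((0.10 + 0.05 * i, "open", "10.0.0.5", f"10.0.0.{100 + i}", 40000 + i, 445))
        ev.append((0.11 + 0.05 * i, "close", "10.0.0.5", f"10.0.0.{100 + i}", 40000 + i, 445))
    for i in range(6):    # slow scanner: one connection every 0.5 s, never closed
        ev.append((0.5 * i, "open", "10.0.0.7", f"10.0.0.{200 + i}", 41000 + i, 445))
    return sorted(ev)


def run(events: List[Event], rule: ThresholdRule) -> Tuple[Set[str], List[Tuple[str, str]]]:
    """Feed events in time order; return the blocked hosts and the switch commands issued."""
    commands: List[Tuple[str, str]] = []
    mon = ZoneDefenseMonitor(rule, lambda host, why: commands.append((host, why)))
    for ts, action, src, dst, sport, dport in events:
        if action == "open":
            mon.connection_opened(ts, src, dst, sport, dport)
        else:
            mon.connection_closed(src, dst, sport, dport)
    return mon.blocked, commands


SMB_RULE = ThresholdRule(dport=445, rate_limit=10, total_limit=5)

if __name__ == "__main__":
    blocked, commands = run(sample_events(), SMB_RULE)
    for host, why in commands:
        print(f"block {host}: {why}")
```

The two limits catch different behaviour: the fast, refused connection attempts of a worm never accumulate as open connections and are caught by the rate limit, while a slow scanner that holds its connections open stays under the rate limit and is caught by the total limit. The normal user trips neither.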

147 NetDefendOS Feature Introduction ZoneDefense
Joint Security Gateway Security, supported NetDefend models: NetDefend IPS Firewall DFL-800/DFL-1600/DFL-2500; NetDefend UTM Firewall DFL-860. Endpoint Security, supported D-Link switches: all xStack series. Competitors in Joint Security: Cisco, HP. Joint Security is a proactive security architecture in which the NetDefend Firewall collaborates with the xStack Switch to provide the customer a comprehensive security solution. To leverage this cutting-edge technology, ZoneDefense, there are several requirements on the NetDefend Firewall and the xStack switch, as follows.
NetDefend Firewall: NetDefend IPS Firewall (with firmware v or later) DFL-800/DFL-1600/DFL-2500; NetDefend UTM Firewall (with firmware v or later) DFL-860.
xStack Switch:
D-Link DES-3526 Rev 3.x (firmware: R3.06-B20 only)
D-Link DES-3526 Rev 4.x (firmware: R4.01-B19 or later)
D-Link DES-3550 Rev 3.x (firmware: R3.05-B38 only)
D-Link DES-3550 Rev 4.x (firmware: R4.01-B19 or later)
D-Link DES-3800 series (firmware: R2.00-B13 or later)
D-Link DGS-3324SR/SRi (firmware: R4.30-B11 or later)
D-Link DXS-3326GSR/3350SR (firmware: R4.30-B11 or later)
D-Link DGS-3400 series (firmware: R1.00-B35 or later)
Legacy Switch:
D-Link DES-3226S (firmware: R4.02-B26 or later)
D-Link DES-3250TG (firmware: R3.00-B09 or later)
D-Link DES-3326S (firmware: R4.01-B39 or later)
D-Link DES-3350SR (firmware: R3.02-B12 or later)
HP is perhaps the one vendor (besides Cisco) showing similar intent on the Joint Security concept; the following slides show the general idea of how to compete with HP.

148 Joint Security Comparison Table D-Link v.s. HP – Solution Match
NetDefendOS Feature Introduction ZoneDefense Joint Security Comparison Table D-Link v.s. HP – Solution Match
Authentication: HP - ProCurve Manager Plus + IDM (Identity Driven Manager); MAC, WAC, 802.1x, Guest VLAN. D-Link - Microsoft NAP support, D-View Security Plug-in*; MAC, WAC, 802.1x, Guest VLAN, IP-MAC-Port Binding.
Malicious Traffic Mitigation: HP - ProCurve Manager Plus + NIM (Network Immunity Manager); Virus Throttling. D-Link - ZoneDefense; Per-flow Bandwidth Control & Reaction*.
This is a comparison table between D-Link and HP for the Joint Security solution. As you can see, D-Link and HP each have their own approach to the authentication and malicious traffic mitigation parts. HP has just announced two components to enhance its offering: Network Immunity Manager (NIM): NIM acts as the malicious traffic detector; when malicious traffic is found, NIM collaborates with HP's switches for mitigation. In D-Link's approach, we use the NetDefend firewall as the malicious traffic detector and the ZoneDefense technology for the collaboration with the xStack switch. Identity Driven Manager (IDM): IDM acts as a RADIUS server that holds the user database and behaves as a policy server. In our approach we leverage Microsoft to achieve the same goal, because of the alliance between D-Link and Microsoft. The Network Policy Server in Microsoft Windows Server 2008 (codename Longhorn) not only covers all the functionality of IDM but is more flexible and scalable. This table gives you a general idea of the difference between the two vendors; the following two slides show more detail. * in plan

149 D-Link v.s. HP Authentication
NetDefendOS Feature Introduction ZoneDefense D-Link v.s. HP Authentication
Solution: HP - ProCurve Manager Plus + IDM. D-Link - Microsoft NAP support.
Pros: HP - user-based ACL (authorization based on user, time and location); user-based traffic prioritization and rate limiting; prevailing vendor with strong third-party support. D-Link - not only authentication but also health checking (up-to-date patches, virus patterns, personal firewall status, etc.); allocates a guest VLAN even when authentication or health checking fails.
Cons: HP - proprietary solution that may not integrate with other vendors' solutions in the future; needs third-party software installed if host health checking is required. D-Link - extra effort, since client software needs to be installed; not able to set up user-based traffic prioritization and rate limiting.
Even though D-Link does not develop its own authentication server, via the alliance with Microsoft we adopt Active Directory and NAP (Network Access Protection). With NAP we not only authenticate users but also run a health check when users want to access network resources.

150 D-Link v.s. HP Malicious Traffic Mitigation
NetDefendOS Feature Introduction ZoneDefense D-Link v.s. HP Malicious Traffic Mitigation
Solution: HP - ProCurve Manager Plus + NIM; Virus Throttling. D-Link - ZoneDefense.
Pros: HP - can provide detailed response actions (lock out MAC, bandwidth limitation, etc.); Virus Throttling gives virus incident containment and dynamic bandwidth limitation. D-Link - ease of deployment and lower maintenance cost; fully integrated xStack and NetDefend solution; ZoneDefense can be triggered not only by traffic thresholds but also by IPS and AV*; true pattern matching, minimizing the chance of false positives; all xStack switches support ZoneDefense.
Cons: HP - relies on a third-party IPS/UTM to provide the pattern-matching trigger; complex architecture at an expensive price; Virus Throttling is not true edge protection, since only HP's higher-end switches support it, and it is not true pattern matching but threshold setting with high false positives. D-Link - currently blocks by IP only; a NetDefend Firewall is needed.
In HP's solution there is extra cost for purchasing other devices/software to integrate security and switch products. In D-Link's solution, when purchasing an xStack Switch and a NetDefend IPS/UTM Firewall, the ZoneDefense feature is built in; there is no extra cost for the Joint Security solution. * in plan

151 NetDefendOS Feature Introduction ZoneDefense
Summary: ZoneDefense Joint Security is the composition of Gateway Security and Endpoint Security. Gateway Security: ICSA Labs certified NetDefend IPS/UTM Firewall. Endpoint Security: xStack Switch. Joint Security: D-Link delivers ZoneDefense to integrate the firewall and switch product lines. Compared with our competitors, D-Link has the most comprehensive solution: security competitors lack switch products, and switch competitors lack security products.

152 NetDefendOS Feature Introduction ZoneDefense
ZoneDefense Q&A 1. Which of the following is NOT a component of D-Link’s security solution? a. Gateway Security b. Seamless Security c. Endpoint Security d. Joint Security 2. What is D-Link’s innovative technology to enable Joint Security between NetDefend and xStack? a. ZoneDefense b. NAP (Network Access Protection) c. Network Immunity Manager (NIM) d. Identity Driven Manager (IDM) 3. Which model does NOT support the ZoneDefense feature? a. DFL-260 b. DFL-800 c. DFL-1600 d. DFL-2500 Answers: 1. B - Gateway Security, End

point Security and Joint Security are the three components of D-Link’s security solution. 2. A - ZoneDefense is the innovative technology that enables Joint Security between NetDefend and xStack. 3. A - Only the DFL-800/860/1600/2500 support the ZoneDefense feature.

153 NetDefendOS Feature Introduction ZoneDefense
ZoneDefense Q&A 4. ZoneDefense is the key component that integrates the endpoint features of NetDefend and xStack to fulfil Joint Security. a. True b. False 5. Which of the following NetDefend firewall features could NOT trigger ZoneDefense? a. Connection Rate Limit b. Total Connection Limit c. IPS d. WCF 6. Which of the following switch models do NOT support the ZoneDefense technology? (Multiple choice) a. DGS-3427 b. DES-3828 c. DES-3026 d. DGS-3024 Answers: 4. A - True, ZoneDefense is the key component that integrates the endpoint features of NetDefend and xStack to fulfil Joint Security. 5. D - ZoneDefense is triggered by threshold rules and IPS; in the current firmware AV cannot trigger it either. 6. C, D - Only xStack switches support the ZoneDefense feature; the DES/DGS-30xx series are not xStack series.

154 UTM FEATURE & NETDEFEND SUBSCRIPTION
DCS-Security UTM FEATURE & NETDEFEND SUBSCRIPTION

155 UTM Feature & NetDefend Subscription
UTM Firewall Family Enterprise: DFL-2560 (future). Medium Business: DFL-1660 (future). Small Business: DFL-860. Branch Office: DFL-260. (Positioned by price/performance.) At this moment there are two available models in the D-Link NetDefend UTM Firewall family, the DFL-260 and DFL-860, which allow businesses to securely control traffic and content entering and exiting their networks, providing the highest level of network performance and availability for the SOHO and Small to Medium-sized Business (SMB).

156 NetDefend UTM Feature Overview
UTM Feature & NetDefend Subscription NetDefend UTM Feature Overview Intrusion Prevention Service (IPS): IPS Signature Service, securing your network with D-Link's high-accuracy hardware IPS engine. Anti-Virus (AV): the NetDefend UTM Firewall incorporates an Anti-Virus Service, protecting your network with D-Link's high-performance hardware AV engine. Web Content Filtering (WCF): the NetDefend UTM Firewall provides a Web Content Filtering Service, giving access to D-Link's database of millions of URLs for secure web surfing. NetDefend Subscription: to keep IPS, AV and WCF in good standing, the customer needs to maintain those subscriptions within their effective period. Unique IPS technology - Component-Based The new D-Link firewalls adopt a unique technology called Component-Based signatures, which effectively recognizes most known and variant attacks. To cover a wide range of signatures, their built-in database includes data from a global attack sensor grid and exploits collected from public sites such as the National Vulnerability Database and Bugtraq. Stream-Based Virus Scanning The new D-Link firewalls can directly scan files of any size using an innovative Stream-Based Virus Scanning technology. This method of scanning incoming files contrasts with the traditional one, which requires the scanned data to be reassembled and held in device memory. D-Link's scanning method not only increases inspection performance but also eliminates network bottlenecks, while imposing no limit on incoming file size. To provide users with the most reliable, accurate and constantly updated antivirus signatures, the new D-Link firewalls use virus signatures from the well-known and well-respected antivirus company Kaspersky Labs. Viruses and malware can consequently be blocked before they reach the network's desktops or mobile devices.
This allows a second layer of Anti-Virus security to be built in front of desktop-level AV, and reduces the chance of virus infection due to inadequate personal AV protection or out-of-date signatures. Web Content Filtering To prevent the unrestricted web access by employees that can lower business productivity, create bandwidth congestion and invite hacker intrusion, the new D-Link firewalls provide Web Content Filtering (WCF) services to manage employees' web surfing and protect company information. The WCF service is a self-learning system which not only contains a comprehensive URL database but also updates and refines the database on a 24-hour basis. D-Link WCF categorizes millions of URLs into more than 30 categories, and features a simplified method of specifying URLs which allows IT personnel to select categories, such as sports, finance, adult and politics, instead of typing in individual URLs. NetDefend Subscription Shipped by default with 12 months free IPS service. Shipped by default with 12 months free Anti-Virus service. 90 days free WCF service. After the update service period expires, you need to subscribe to the NetDefend Service and enter the authentication code to renew your NetDefend Service.

157 Intrusion Prevention Service
UTM Feature & NetDefend Subscription Intrusion Prevention Service Platform Compatibility: DFL-210/260/800/860/1600/2500 After completing this section, you will be able to: 1. Describe the basics of network attacks and protection solutions 2. Understand the difference between IDS and IPS 3. Describe the difference between the maintenance IPS service and the Advanced IPS service 4. Understand product registration

158 Attack Protection solution: IDS vs. IPS
UTM Feature & NetDefend Subscription Intrusion Prevention Service Attack Protection solution: IDS vs. IPS Intrusion Detection System (IDS) An IDS is intended to provide network monitoring, analysis and notification by detecting attacks. Generally, most detection mechanisms are based on pattern matching. It raises alarms once the IDS detects abnormal or attack traffic. The most important point is that an IDS is unable to stop the attack. Intrusion Prevention System (IPS) An IPS is a new-generation prevention system that improves on IDS. It has all the features an IDS has and adds one more: it can block or drop packets, and so prevent internal hosts from being attacked by malicious traffic. Now that attackers use various methods to attack networks, networks are always in danger. So how are these attacks detected? Let us look at the different detection methods provided by IDS and IPS: 1. Traffic anomaly detection helps to detect reconnaissance. 2. Protocol anomaly detection, pattern matching and SYN flood protection help to prevent more serious attacks, including known and unknown attacks and denial-of-service (DoS) attacks.

159 D-Link NetDefend IPS Filtering Methods
UTM Feature & NetDefend Subscription Intrusion Prevention Service D-Link NetDefend IPS Filtering Methods
Signature - Uses: fixed patterns, regular expressions. Detects and prevents: viruses, Trojans, rootkits, unknown exploits, known exploits, IM/P2P apps.
Protocol Anomaly - Uses: RFC compliance, protocol decoders, SYN proxy, normalization. Detects and prevents: evasions, unknown exploits, traffic anomalies, unauthorized access, SYN floods.
Vulnerability - Uses: protocol decoders, regular expressions, application message parsing. Detects and prevents: unknown exploits, worms, unauthorized access.
Traffic Anomaly - Uses: traffic thresholds, connection limits, connection rate limits. Detects and prevents: DDoS attacks, unknown attacks, traffic anomalies.
The D-Link NetDefend IPS can efficiently capture: • Hostile probing: port scans, backdoor probes, host sweeps and other inappropriate network and application interrogations. • Exploits of vulnerabilities in DNS, FTP, HTTP, ICMP, SMTP, POP3, RPC and other network protocols. • Attacks on vulnerabilities in popular and custom applications such as IIS, Oracle, MySQL, SQL Server, Internet Explorer, Apache and more.

160 Dual IPS Engines & Signature Databases
UTM Feature & NetDefend Subscription Intrusion Prevention Service Dual IPS Engines & Signature Databases Built-in IPS engine and compact signature database: for NetDefend IPS Firewalls only (DFL-210/800/1600/2500). The frequency of database updates is not guaranteed. Customers get free maintenance service after their firewall is registered: D-Link provides IDS database maintenance for signature error correction or signature optimization when necessary.

161 UTM Feature & NetDefend Subscription Intrusion Prevention Service
Dual IPS Engines & Signature Databases (Contd.) Advanced IPS engine and signature database: for both NetDefend IPS and UTM Firewalls (DFL-210/260/800/860/1600/2500). IPS Firewalls include a 90-day free trial of the Advanced IPS Service. UTM Firewalls come bundled with 12 months of Advanced IPS update service. Customers have to apply for a free-trial Activation Code on NetDefend Center or purchase a NetDefend IPS Subscription, then enter the Activation Code in the firewall Web UI to enable the Advanced IPS update service. IPS Firewalls (DFL-210/800/1600/2500) switch back to the built-in IPS engine and maintenance signature database after the trial update service expires.

162 Summary: IPS (Intrusion Prevention Service)
UTM Feature & NetDefend Subscription Intrusion Prevention Service Summary: IPS (Intrusion Prevention Service) UTM models have a built-in hardware accelerator for high-performance intrusion detection and prevention. The Advanced IPS database with more than 8,000 signatures provides better protection and accuracy. Compared with competitors, D-Link provides the longest IPS trial period (90 days). D-Link promotes the IPS functionality as a second layer of defense inside the security gateway: the IPS is capable of identifying application- and protocol-driven attacks that a standard firewall cannot. Only the NetDefend IPS Firewall has the built-in IPS engine and compact signature database by default; it can be upgraded to the advanced one. The NetDefend UTM Firewall bundles one year of Advanced IPS Service by default.

163 Intrusion Prevention Service Q&A
UTM Feature & NetDefend Subscription / Intrusion Prevention Service
3. What happens when the trial Advanced IPS Service expires on an IPS Firewall (DFL-210/800/1600/2500)?
a. A warning message pops up and guides the user to purchase the Advanced IPS Service.
b. The IPS feature is disabled; however, the advanced IPS signature database will not receive any update.
c. The IPS feature keeps working; however, the advanced IPS signature database will not receive any update.
d. The IPS feature keeps working; however, it is switched back to the built-in IPS engine with the compact signature database.
e. The IPS feature is disabled and all signatures are cleared.
Answer: 3. D

164 Intrusion Prevention Service Q&A
UTM Feature & NetDefend Subscription / Intrusion Prevention Service
4. What happens when the trial Advanced IPS Service expires on the UTM firewall models (DFL-260 and DFL-860)?
a. A warning message pops up and guides the user to purchase the Advanced IPS Service.
b. The IPS feature is disabled; however, the advanced IPS signature database will not receive any update.
c. The IPS feature keeps working; however, the advanced IPS signature database will not receive any update.
d. The IPS feature keeps working; however, it is switched back to the built-in IPS engine with the compact signature database.
e. The IPS feature is disabled and all signatures are cleared.
Answer: 4. C

165 UTM Feature & NetDefend Subscription Anti-Virus
Platform Compatibility: DFL-260/860
After completing this section, you will be able to describe:
1. D-Link anti-virus technology
2. D-Link anti-virus advantages
3. What makes the D-Link UTM firewall competitive in anti-virus
4. How to activate the anti-virus update service

166 D-Link Anti-Virus Module Introduction
UTM Feature & NetDefend Subscription / Anti-Virus
The NetDefendOS Anti-Virus module protects against malicious code carried in file downloads. The main purpose of the UTM Anti-Virus feature is to provide a first level of prevention at the gateway; it is not a replacement for client anti-virus software. The UTM firewall's Anti-Virus module stops most viruses arriving from the network, while client anti-virus software covers other entry points such as USB drives, wireless or the local network.
Types of Files Scanned
The NetDefendOS Anti-Virus module is able to scan the following types of downloads:
- HTTP, FTP or SMTP file downloads
- Any uncompressed file type transferred through these protocols
- Compressed ZIP and GZIP files
The anti-virus database is created and maintained by Kaspersky, a world leader in the field of virus detection. The database provides protection against virtually all known virus threats including Trojans, worms, backdoor exploits and others, and is thoroughly tested to provide near zero false positives. The signature database is updated on a daily basis with new virus signatures. Older signatures are seldom retired but instead are replaced with more generic signatures covering several viruses. The local NetDefendOS copy of the database should therefore be updated regularly; this updating service is enabled as part of the D-Link Anti-Virus subscription.
Frequent Database Updates
- The Anti-Virus signatures come from the well-known vendor Kaspersky
- The Anti-Virus signature database is updated on a daily basis with newly released virus signatures

167 D-Link Anti-Virus Module Introduction
UTM Feature & NetDefend Subscription / Anti-Virus
With a built-in extreme-performance AV acceleration engine together with Stream-Based Virus Scanning technology, the NetDefend UTM Firewall blocks viruses and malware before they ever reach desktops or mobile devices, creating a safer network environment for SMBs and enterprises. The NetDefend UTM Firewall implements Stream-Based Virus Scanning without caching the incoming files first, which increases the inspection performance of the UTM Firewall and eases the nightmare of a network bottleneck when the anti-virus feature is enabled.
[Figure 1: File-Based Scan] [Figure 2: Stream-Based Scan]
Refer to these pictures: because D-Link adopts a hardware accelerator with Stream-Based Virus Scanning technology, which inspects network traffic packet by packet, the device does not need to cache and reassemble the file in memory for virus scanning. Therefore the NetDefend UTM firewall can scan at high speed and without an incoming file size limitation.
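The stream-based scan described above, as an added example that is not D-Link's code: a scanner that keeps only a small carry-over window between packets, so a signature split across two packets is still matched while memory stays bounded whatever the file size, next to the naive per-packet check that misses such a signature, and the same scanner fed by an incremental gzip decompressor with a capped output step. The signature strings, payload, packet size and cap are constructed for the demonstration.

```python
"""Stream-based signature scanning: inspect packet by packet with a small
carry-over window instead of buffering the whole file.  Added example, not
D-Link code; signatures, payload and constants are constructed test data."""
import gzip
import zlib

# Constructed sample signatures (harmless strings, not real malware patterns).
SIGNATURES = {
    "Test.Sig.A": b"SAMPLE-SIG-ALPHA-9f3",
    "Test.Sig.B": b"SAMPLE-SIG-BRAVO-77",
}
PACKET = 1460    # TCP payload size used in the slide's throughput tests
OUT_CAP = 4096   # max decompressed bytes handed to the scanner per step

# Constructed payload: Test.Sig.A straddles the first packet boundary
# (bytes 1450-1469), Test.Sig.B sits at offset 4000, then 100 KB of filler.
PAYLOAD = (b"A" * 1450 + SIGNATURES["Test.Sig.A"] + b"B" * (4000 - 1470)
           + SIGNATURES["Test.Sig.B"] + b"C" * 100000)

def packetize(data, size=PACKET):
    """Split a byte string into packet-sized chunks."""
    return [data[i:i + size] for i in range(0, len(data), size)]

# The same payload gzip-compressed and packetized (constructed test input).
GZ_CHUNKS = packetize(gzip.compress(PAYLOAD))

class StreamScanner:
    """Keeps only the last (longest signature - 1) bytes between chunks, so a
    signature split across two packets is still found with constant memory."""
    def __init__(self, signatures):
        self.signatures = signatures
        self.carry_len = max(len(p) for p in signatures.values()) - 1
        self.carry = b""
        self.offset = 0          # bytes of the stream consumed so far
        self.hits = []           # (signature name, absolute byte offset)
        self.max_buffered = 0    # largest buffer ever held (shows the bound)

    def feed(self, chunk):
        buf = self.carry + chunk
        self.max_buffered = max(self.max_buffered, len(buf))
        base = self.offset - len(self.carry)   # stream offset of buf[0]
        for name, pat in self.signatures.items():
            i = buf.find(pat)
            while i >= 0:
                # A match lying wholly inside the carried bytes was reported
                # by the previous call; report only matches reaching new data.
                if i + len(pat) > len(self.carry):
                    self.hits.append((name, base + i))
                i = buf.find(pat, i + 1)
        self.offset += len(chunk)
        self.carry = buf[-self.carry_len:] if self.carry_len else b""

def scan_stream(chunks, signatures=SIGNATURES):
    """Scan an iterable of chunks; returns (hits, peak buffer size)."""
    s = StreamScanner(signatures)
    for c in chunks:
        s.feed(c)
    return s.hits, s.max_buffered

def scan_per_packet_naive(chunks, signatures=SIGNATURES):
    """Control case: matching each packet on its own misses a split signature."""
    hits, pos = [], 0
    for c in chunks:
        for name, pat in signatures.items():
            i = c.find(pat)
            if i >= 0:
                hits.append((name, pos + i))
        pos += len(c)
    return hits

def scan_gzip_stream(chunks, signatures=SIGNATURES):
    """Scan a gzip stream by decompressing incrementally.  Output per step is
    capped at OUT_CAP so highly compressible input cannot force a big buffer."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+: expect a gzip header
    s = StreamScanner(signatures)
    for c in chunks:
        data = c
        while True:
            out = d.decompress(data, OUT_CAP)
            s.feed(out)
            data = d.unconsumed_tail
            if not data and len(out) < OUT_CAP:
                break
    s.feed(d.flush())
    return s.hits, s.max_buffered
```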

168 D-Link Anti-Virus Module Advantage
UTM Feature & NetDefend Subscription / Anti-Virus
Model Name: SonicWALL Pro 2040 | Juniper SSG 20 | D-Link DFL-860 | D-Link DFL-260
Firmware version: SonicOS Enhanced e | 5.4.0r1.0
IPS signature number: N/A | 800 | 8,000
AV signature number: 25,000 | 100,000 (File Based) | 4,000
Firewall Throughput: 200 Mbps | 160 Mbps | 80 Mbps

Throughput tests (packet size 1460 bytes):
Test                         SonicWALL Pro 2040   Juniper SSG 20   D-Link DFL-860   D-Link DFL-260
NAT + Firewall + AV
  HTTP                       7.31 Mbps            6.09 Mbps        10.2 Mbps        4.04 Mbps
  FTP                        8.45 Mbps            5.82 Mbps        28 Mbps          19.3 Mbps
NAT + Firewall + IPS
  HTTP                       15.62 Mbps           13.85 Mbps       52.2 Mbps        40 Mbps
  FTP                        23.49 Mbps           *79.73 Mbps      46.3 Mbps        32.5 Mbps
NAT + Firewall + IPS + AV
  HTTP                       4.85 Mbps            4.01 Mbps        8.4 Mbps         3.83 Mbps
  FTP                        5.84 Mbps            5.98 Mbps        18.4 Mbps        15 Mbps

1. UTM firewalls with software-based engines, such as SonicWALL and Juniper, have poor performance, especially when IPS and anti-virus scanning are enabled together.
2. DFL-860 anti-virus throughput is higher than that of competitors such as SonicWALL and Juniper.
3. DFL-860 IPS throughput is double that of these competitors.
4. DFL-860 keeps good and stable performance even with the packet inspection of anti-virus and IPS enabled together.
5. Although the DFL-260 is an entry-level product, smaller than the SonicWALL Pro 2040 and Juniper SSG 20, its AV/IPS performance is also higher than theirs.
* In the IPS test, the Juniper firewall does not inspect packets in the FTP data channel, so its performance almost reaches pure forwarding.

169 D-Link Anti-Virus Module Advantage
UTM Feature & NetDefend Subscription / Anti-Virus
Supported protocols
  ZyXEL: FTP/POP3/HTTP/SMTP
  WatchGuard: HTTP/SMTP/TCP proxies
  Juniper: FTP/POP3/HTTP/SMTP/IMAP
  SonicWALL: FTP/POP3/HTTP/SMTP/IMAP/NetBIOS
  D-Link: HTTP/SMTP/FTP
Supported compression formats
  ZyXEL: Zip file
  WatchGuard: ZIP, GZIP, BZIP, TAR, BZIP2, RAR, MS CAB, MD5
  Juniper: Zip/Tar/Gzip
  SonicWALL: Zip/Gzip/Deflate/LHZ/Base64
  D-Link: Zip/Gzip
Number of anti-virus signatures
  ZyXEL: 1,600
  WatchGuard: 20,000 (File Based)
  Juniper: 100,000 (File Based)
  SonicWALL: 25,000 / 4,500*
  D-Link: 4,000
Supported scanning file size: No file size limitation | 12MB | 10MB, but AV+IPS is only 6 MB
AV scanning over VPN: No Support | N/A | Yes
Signature database: Kaspersky | Clam AV | McAfee
Decompression level (recursive): 1 | 10 | 4
AV subscription: AV+IPS for 12 months | 12 Month AV | AV
AV free trial: 90 days | 30 days | 12 months

- Compared with all competitors, D-Link offers the longest trial period for AV: 12 months.
- Compared with ZyXEL, D-Link has a sufficient number of anti-virus signatures.
- Compared with WatchGuard and Juniper, D-Link has no file size limitation when scanning for viruses.
- Compared with SonicWALL, there is no extra cost for the 12-month subscription.
* The signature number in the SonicWALL TZ series is 4500; in the SonicWALL Pro series with Enhanced OS it is

170 UTM Feature & NetDefend Subscription Anti-Virus
Summary: Anti-Virus
- 12 months of Anti-Virus Service are bundled at shipment
- Well-known Anti-Virus database by Kaspersky
- Thanks to the unique stream-based scanning technology, it is not necessary to cache a file before scanning, so virus scanning runs at high speed
- Compared with WatchGuard and Juniper, there is no file size or connection limitation in the D-Link UTM firewall
- 4,000+ anti-virus signatures in the database; although WatchGuard and Juniper provide more anti-virus signatures, their engines are file-based and software-based, which causes file size limitations and performance issues when scanning
- D-Link and ZyXEL are the only two vendors with a built-in hardware accelerator for extremely good virus scanning performance, but ZyXEL provides fewer anti-virus signatures than D-Link

171 NetDefend Anti-Virus Q&A
UTM Feature & NetDefend Subscription / Anti-Virus
1. Which compression formats does D-Link support? (Multiple choice)
a. Zip b. Tar c. RAR d. Gzip
2. Which protocol does D-Link NOT support for anti-virus?
a. POP3 b. SMTP c. HTTP d. FTP
3. Why can the D-Link UTM Firewall reach high performance?
a. Embedded hardware accelerator b. Anti-Virus engine by Kaspersky c. New CPU processor d. New software core
Answers: 1. A, D 2. A

172 NetDefend Anti-Virus Q&A
UTM Feature & NetDefend Subscription / Anti-Virus
4. How big is the file size limitation of the UTM Firewall for anti-virus?
a. 3 MB b. 5 MB c. 10 MB d. No limitation
5. What is our advantage in anti-virus over competitors?
a. High performance b. No file limitation c. Rich anti-virus signatures d. All of the above
6. What is the weakness of a general UTM Firewall?
a. Poor performance b. Limited incoming file size support c. Smaller signature database
Answers: 4. D 5. D 6. D

173 Web Content Filtering Service
UTM Feature & NetDefend Subscription / Web Content Filtering Service
Platform Compatibility: DFL-260/860
After completing this section, you will be able to describe:
1. What the Web Content Filtering Service is and its benefits
2. How to implement a Web Content Filtering solution
3. The selling points of the Web Content Filtering Service

174 What is Web Content Filtering
UTM Feature & NetDefend Subscription / Web Content Filtering Service
Web traffic is one of the biggest sources of security issues and misuse of the Internet. Inappropriate surfing habits can expose a network to many security threats as well as legal and regulatory liabilities. Productivity and Internet bandwidth can also be impaired.
NetDefendOS provides three mechanisms for filtering out web content that is deemed inappropriate for an organization or group of users:
- Active Content Handling can be used to "scrub" web pages of content that the administrator considers a potential threat, such as ActiveX objects and Java applets.
- Static Content Filtering provides a means for manually classifying web sites as "good" or "bad". This is also known as URL blacklisting and whitelisting.
- Dynamic Content Filtering is a powerful feature that enables the administrator to allow or block access to web sites depending on the category they have been classified into by an automatic classification service. Dynamic content filtering requires a minimum of administration effort and has very high accuracy.

175 Key Advantages of WCF Module
UTM Feature & NetDefend Subscription / Web Content Filtering Service
- Monitor non-business-related web surfing.
- Control pornographic and illegal Internet content entering the workplace by blocking and coaching.
- Secure users against spyware and other malicious threats.
The D-Link Web Content Filtering service enforces your organization's protection and management policy for access to Internet resources.

176 How D-Link WCF Module Works
UTM Feature & NetDefend Subscription / Web Content Filtering Service
Lite Service Management
- No need to download and maintain a database
- No additional equipment needed
- No complex configuration maintenance
Performance Optimized
- Optimized category classification
- Local cache
Artificial Intelligence
- Automatic classification through neural networks (AI)
Close-Knit Integration
- Integral part of D-Link's HTTP ALG
- Combines with, for example, User Authentication
Based on the same configuration logic as the IPS and Anti-Virus modules, the WCF module is integrated into D-Link's HTTP ALG. To provide a stable and reliable WCF service, D-Link operates database servers globally, holding millions of URLs that are always up to date. Without any manual analysis, the database is updated instantly. By adopting Artificial Intelligence technology for categorizing web sites, the accuracy can reach a hit rate of more than %. Categories of recently visited websites are cached locally in the D-Link Security Gateway to maximize performance for subsequent requests.

177 UTM Feature & NetDefend Subscription Web Content Filtering Service
D-Link categorizes millions of URLs into 32 groups, giving network administrators a flexible configuration to block unwanted website access simply through add and remove actions. D-Link Web Content Filtering provides a "black list" and "white list" of domain designations, and file type filtering such as Cookies, Java™ and ActiveX® for privacy. Besides these, D-Link Web Content Filtering also uses the millions of URLs on the global database servers for real-time webpage checking, allowing network administrators to block unwanted website access on a schedule. Altogether, D-Link Web Content Filtering gives network administrators a flexible combination of configuration options.
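The WCF decision flow described on this slide and on the preceding slides (static white/black lists first, then the category from the local cache or, on a miss, from the classification servers, then the category policy with its schedule, plus scrubbing of ActiveX objects and Java applets), as an added example in Python that is not D-Link's code. The category names, the stand-in classification table, the domains, the business-hours schedule and the sample times are constructed assumptions, and the active-content scrub uses a simplified regex rather than an HTML parser.

```python
"""Web content filtering decision flow.  Added example, not D-Link code:
static lists decide first, then the site's category comes from a local
cache or (on a miss) a simulated classification service, then the category
policy and its schedule apply.  All names and data are constructed."""
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed stand-in for the global classification database.  The real
# service sorts millions of URLs into 32 categories; these category names
# are placeholders, not D-Link's list.
REMOTE_DB = {
    "casino.example": "Gambling",
    "news.example": "News",
    "mail.example": "Webmail",
}
# Constructed sample request times: a Monday at 10:00 and a Saturday at 22:00.
MONDAY_10 = datetime(2024, 1, 8, 10, 0)
SATURDAY_22 = datetime(2024, 1, 13, 22, 0)

def remote_classify(host):
    """Simulated round trip to the global classification servers."""
    return REMOTE_DB.get(host, "Uncategorized")

def domain_match(host, entries):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == e or host.endswith("." + e) for e in entries)

def in_business_hours(when):
    """Constructed schedule: Monday-Friday, 09:00-18:00."""
    return when.weekday() < 5 and 9 <= when.hour < 18

class WebContentFilter:
    def __init__(self, whitelist, blacklist, blocked_categories,
                 classify=remote_classify, schedule=in_business_hours):
        self.whitelist = [d.lower() for d in whitelist]
        self.blacklist = [d.lower() for d in blacklist]
        self.blocked_categories = set(blocked_categories)
        self.classify = classify
        self.schedule = schedule
        self.cache = {}            # host -> category (local category cache)
        self.remote_lookups = 0    # cache misses, i.e. queries sent out

    def category_of(self, host):
        """Local cache first; only a miss costs a query to the service."""
        cat = self.cache.get(host)
        if cat is None:
            cat = self.classify(host)
            self.remote_lookups += 1
            self.cache[host] = cat
        return cat

    def decide(self, url, when):
        """Return (action, reason) for a URL requested at time `when`."""
        host = (urlsplit(url).hostname or "").lower()
        if domain_match(host, self.whitelist):      # static: always allow
            return ("allow", "whitelist")
        if domain_match(host, self.blacklist):      # static: always block
            return ("block", "blacklist")
        cat = self.category_of(host)                # dynamic classification
        if cat in self.blocked_categories and self.schedule(when):
            return ("block", cat)
        return ("allow", cat)

# Active content handling: remove <object> and <applet> elements (ActiveX
# and Java applets) from a page.  A regex is enough for the demonstration;
# a production filter would use a real HTML parser.
_ACTIVE = re.compile(r"<(object|applet)\b.*?</\1\s*>", re.I | re.S)

def scrub_active_content(html):
    """Return the page with ActiveX/applet elements stripped out."""
    return _ACTIVE.sub("", html)
```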

178 Benefits D-Link WCF Module Delivers
UTM Feature & NetDefend Subscription / Web Content Filtering Service
D-Link's WCF Module helps organizations monitor, manage, and control employee usage of and access to Internet resources. It puts management back in control, enabling a more business-oriented and cost-effective use of the Internet. D-Link's WCF Module allows organizations to gain significant cost savings through:
- A reduction in wasted staff time (by reducing inappropriate web surfing).
- Reduced Internet access costs and bandwidth savings, by limiting and/or controlling non-business-related use, and improved network response.
- Reduced legal exposure in workplace relations (e.g. sexual harassment cases / child pornography and the adverse publicity that an incident would generate).
- Reduced costs for recovering from an attack, as less inappropriate content is allowed to enter the network.

179 Competitive Analysis – WCF Feature Comparison
UTM Feature & NetDefend Subscription / Web Content Filtering Service
The D-Link NetDefend WCF feature is compared with: SonicWALL, ZyXEL, WatchGuard, Cisco, Juniper, Fortinet.
In the following section, we compare the WCF feature with other key competitors on the security appliance market. The corresponding competitive matrix is shown according to NetDefend models.

180 UTM Feature & NetDefend Subscription Web Content Filtering Service
Competitive Analysis – WCF Feature Comparison
Vendors: D-Link | SonicWALL | ZyXEL | WatchGuard | Cisco | Juniper | Fortinet
Database: ContentKeeper | WebSense | Bluecoat | SurfControl | Websense / SurfControl
Trial Period: 90 days | 30 days | N/A
Compared with all competitors, D-Link offers the longest trial period for WCF: 90 days.

181 Summary: WCF (Web Content Filtering) Service
UTM Feature & NetDefend Subscription / Web Content Filtering Service
- The D-Link Web Content Filtering service checks webpages in real time against millions of URLs on global servers, sorted into 32 predefined web content categories.
- Simply through add and remove actions, the D-Link NetDefend UTM Firewall family offers administrators an easy and flexible configuration to manage employees' Internet access behavior.
- The D-Link Web Content Filtering service enables organizations to reduce wasted staff time, save wasted bandwidth, and prevent internal users from visiting malicious websites, thus increasing productivity and restricting inappropriate online content.

182 UTM Feature & NetDefend Subscription Web Content Filtering Service
WCF Q&A
1. Which of the following is NOT one of the mechanisms that NetDefendOS provides for filtering out web content?
a. White list b. ActiveX c. Flash d. Gray list e. Cookies
2. How many web content categories does the NetDefend WCF feature predefine?
a. 25 b. 30 c. 32 d. 37 e. 40
Answers: 1. D 2. C

183 UTM Feature & NetDefend Subscription Web Content Filtering Service
WCF Q&A
3. What benefits does the D-Link WCF module deliver?
a. A reduction in wasted staff time
b. Reduced Internet access costs
c. Reduced legal exposure
d. Reduced costs for recovering from an attack
e. All of the above
4. How does the D-Link WCF module handle an HTTP request?
a. Sends the query to the global servers directly and lets the global servers decide the corresponding action.
b. Checks the local memory cache first; if no category matches, sends a query to the global servers for the category of the webpage, then decides the action based on the configuration.
c. Sends the query to local database servers for the category of the webpage, then decides the action based on the configuration.
d. Blocks the webpage by default.
Answers: 3. E 4. B

184 NetDefend Subscription
UTM Feature & NetDefend Subscription / NetDefend Subscription
Platform Compatibility: DFL-210/260/800/860/1600/2500
After completing this section, you will be able to:
1. Know the NetDefend Subscription
2. Know the NetDefend Subscription package
3. Know the NetDefend Subscription part number for each model
4. Know product registration
5. Know the NetDefend Center web site

185 NetDefend Subscription Overview
UTM Feature & NetDefend Subscription / NetDefend Subscription
Including IPS, AV, CF
- The update service program includes 3 optional services: IPS, AV and WCF. Customers can purchase any one of the 3 or any combination of them as needed.
- Both IPS and UTM firewalls have a corresponding IPS Update Service
- Only the UTM Firewall can apply the AV and WCF services
- All update services are chargeable
- IPS and AV signature releases are up to date

186 UTM Feature & NetDefend Subscription NetDefend Subscription
NetDefend Subscription Overview
If the update service is about to expire, the customer has to purchase the NetDefend UTM Subscription, which looks as shown below.
Package size: 140 mm x 125 mm x 6 mm
The package contains:
1. Authorization Letter
2. Authorization Card

187 UTM Feature & NetDefend Subscription NetDefend Subscription
NetDefend Subscription Overview
The user has to enter the authentication code on the D-Link NetDefend Center web site to renew the Update Service.
Authorization Card fields: Authentication Code, License Term, Part Number, Serial Number
12 months services license
Card size: 75 mm x 48 mm

188 UTM Feature & NetDefend Subscription NetDefend Subscription
NetDefend Center

189 Benefit of Being a Member
UTM Feature & NetDefend Subscription / NetDefend Subscription
DFL-210/260/800/860/1600/2500
Download
- Get the free trial update service (IPS/AV/WCF) for IPS and UTM firewalls
- Download related product documents
NetDefend Update Service
- No update service until the product is registered, including IPS and AV
- The auto-update service is enabled after the user registers
Security Consultant
- Security advisories are automatically published to registered customers
- Customers are authorized to access related technical documentation

190 Apply for a D-Link Membership
UTM Feature & NetDefend Subscription / NetDefend Subscription
DFL-210/260/800/860/1600/2500
Visit NetDefend Center at
Step 1: Create User Account
- Create a user login ID and password
- Key in user and company information
Step 2: Product Registration
- Key in the serial number and MAC address of your device
- Key in device information
Step 3: Confirmation
- Confirm and submit all information if it is correct
- Check that the service is activated and the service period

191 How to Activate NetDefend Services
UTM Feature & NetDefend Subscription / NetDefend Subscription
Via the NetDefend UTM Firewall Web UI, you can activate the IPS, AV and WCF services and view the duration of each subscription.
Note: please register your firewall on NetDefend Center before you activate the update service.
After registering your firewall, you can activate the NetDefend Services for thorough protection. The steps to activate them on a NetDefend Firewall are:
1. Go to Maintenance > License
2. Enter the activation code
You can get a 90-day free trial activation code from NetDefend Center after product registration, or purchase a UTM Subscription and get a 12-month activation code. Please note that each NetDefend service has its own activation code; you have to enter them separately.
Note: On a NetDefend IPS firewall, the Anti-Virus and Content Filtering services do not appear!

192 How to Update IPS/AV Signature
UTM Feature & NetDefend Subscription / NetDefend Subscription
You can enable the auto-update feature for IPS/Anti-Virus signatures and view the last update information.
Note: The default schedule for IDP/Anti-Virus Auto-Update is daily.
Click the History tab; all update history is listed on this page.
After activating the IPS and AV services, the next thing is to keep your signature database up to date. The steps are:
1. Go to Maintenance > Update Center
2. In the General tab, click the Update Now button, then click OK
3. In the Timer Setting tab, choose your preferred update interval
4. Go to Configuration, then click Save and Activate
5. In the History tab, you can find the update log
When WCF is enabled, a user's web access authority is based on the category settings in the NetDefend UTM Firewall. The NetDefend UTM Firewall queries the outside database to determine whether a specific URL is allowed or not. The URL update frequency of the outside database is real time and transparent to users, so no extra user interaction is required.

193 IPS/AV Signature Status on Device
UTM Feature & NetDefend Subscription / NetDefend Subscription
You can see the total number of IDP/Anti-Virus signatures in the Firewall Web UI. The IDP signature database has over 10,000 signatures. The Anti-Virus signature database has 4,000 signatures.
Via the web GUI, you can find the following information about IPS/AV signatures:
- Total number of IPS/AV signatures
- When the signatures were last updated
The last item is valuable for checking the update status of the signature database on the device.
Note: On a NetDefend IPS firewall, the Anti-Virus information does not appear in the Web UI!

194 IPS/AV Signature Status on NetDefend Center
UTM Feature & NetDefend Subscription / NetDefend Subscription
You can see the complete update history of the IPS/Anti-Virus signatures on the NetDefend Center web site at
D-Link provides frequent signature updates for IPS & Anti-Virus.

195 Summary: NetDefend Subscription
UTM Feature & NetDefend Subscription / NetDefend Subscription
- The NetDefend IPS Firewall supports the Advanced IPS Service. Customers can log on to NetDefend Center to get a trial code for the Advanced IPS Service. The trial period is 90 days.
- The NetDefend UTM Firewall supports the Advanced IPS Service, Anti-Virus Service and Web Content Filtering Service. NetDefend UTM Firewall models ship with the Advanced IPS Service and Anti-Virus Service bundled. Therefore, by default, customers can use the Advanced IPS Service for 12 months, the Anti-Virus Service for 12 months and the WCF Service for 90 days.
- When a service expires, customers need to purchase a subscription pack from the OBU or an SI partner and enter the authentication code to renew the service.

196 NetDefend Subscription Q&A
UTM Feature & NetDefend Subscription / NetDefend Subscription
1. Why should I buy the D-Link NetDefend IPS subscription?
a. Updates are frequent b. Sufficient signature number c. Prevents zero-day attacks d. Detection rate is much better than Snort e. All of the above
2. Once my advanced IPS update service has expired, will the IPS/IDP feature still continue to operate if I don't renew this service?
3. What is the trial period for the WCF module that a NetDefend device bundles?
a. 30 Days b. 60 Days c. 90 Days d. 1 Year
Answers:
1. E
2. Yes. The IPS/IDP feature will continue to operate, but the firewall will not process any IPS signature update procedure. Caution: Running with the latest signatures is critical for detecting exploits. Products using old signatures will provide inadequate detection and increase unnecessary security risk.
3. C

197 NetDefend Subscription Q&A
UTM Feature & NetDefend Subscription / NetDefend Subscription
4. What is the default service bundle period for UTM?
a. IPS 30 Days, WCF 90 Days, AV 60 Days
b. IPS 1 Year, AV 1 Year, WCF 1 Year
c. IPS 1 Year, AV 1 Year, WCF 90 Days
d. IPS 90 Days, AV 90 Days, WCF 90 Days
5. How can a customer extend the UTM service?
a. Buy the UTM service from NetDefend Center's online store
b. It is perpetually free; no need to purchase
c. Buy the UTM service from D-Link's SI partners
d. Buy the UTM service from the Taiwan headquarters directly
6. What period packages of UTM Subscription does D-Link provide?
a. Only a 12-month package
b. 3-month, 6-month and 12-month packages
c. 1-year, 2-year and 3-year packages
d. Depending on customer request
Answers: 4. C 5. C 6. A

198 End

