D-Link Airplus Xtreme G
DI-624 Wireless Router
Packet Filtering Firewall
w/NAT
H. Victoria Bryant
Packet Filtering Firewall
• The DI-624's firewall is a static packet filtering firewall which
can be set, via the web-based control panel, to allow or
deny packets based on administrator-defined rules.
• Packets can be marked as “allow” or “deny” based on:
– Their source and/or destination IP address, destination
port number, protocol (TCP, UDP, ICMP) and interface
type
– If a packet is denied, it is dropped at the firewall; if the
packet is allowed, it is forwarded on to its destination, or the
firewall can choose to send a reply message to the source of
the packet.
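The rule model described on this slide, as an added example in Python (not the DI-624's firmware or configuration format): packets are matched on source/destination address, destination port, protocol and interface, the first matching rule decides, and a deny rule either drops silently or answers the sender. The `Packet` and `Rule` records, the rule set and the addresses are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed packet summary: only the fields the filter keys on.
@dataclass(frozen=True)
class Packet:
    src: str                  # source IP address
    dst: str                  # destination IP address
    dst_port: Optional[int]   # None for protocols without ports (ICMP)
    proto: str                # "TCP", "UDP" or "ICMP"
    iface: str                # interface the packet arrived on: "WAN" or "LAN"

# Constructed rule record; None in a field means "match anything".
@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: Optional[str] = None     # single address or CIDR block
    dst: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    iface: Optional[str] = None
    reply: bool = False           # deny with a reply to the sender instead of a silent drop

def _ip_match(pattern: Optional[str], addr: str) -> bool:
    return pattern is None or ip_address(addr) in ip_network(pattern, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_ip_match(rule.src, pkt.src)
            and _ip_match(rule.dst, pkt.dst)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.iface is None or rule.iface == pkt.iface))

def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Static (stateless) filtering: the first matching rule decides.
    Returns 'forward', 'drop' or 'reply'; unmatched packets get the default."""
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.action == "allow":
                return "forward"
            return "reply" if rule.reply else "drop"
    return "forward" if default == "allow" else "drop"

# Constructed rule set: publish a LAN web server, answer telnet attempts from
# the WAN with a reply, silently drop WAN pings, and let the LAN out freely.
RULES = [
    Rule("allow", dst="192.168.0.10", dst_port=80, proto="TCP", iface="WAN"),
    Rule("deny", dst_port=23, proto="TCP", iface="WAN", reply=True),
    Rule("deny", proto="ICMP", iface="WAN"),
    Rule("allow", src="192.168.0.0/24", iface="LAN"),
]

if __name__ == "__main__":
    for pkt in [Packet("203.0.113.5", "192.168.0.10", 80, "TCP", "WAN"),
                Packet("203.0.113.5", "192.168.0.10", 23, "TCP", "WAN"),
                Packet("203.0.113.5", "192.168.0.10", None, "ICMP", "WAN"),
                Packet("192.168.0.20", "198.51.100.7", 443, "TCP", "LAN"),
                Packet("203.0.113.5", "192.168.0.10", 22, "TCP", "WAN")]:
        print(pkt.proto, pkt.dst_port, pkt.iface, "->", filter_packet(RULES, pkt))
```

Because the filter is static, every packet is judged on its own header; nothing remembers that an inbound packet belongs to a connection the LAN opened, which is why the last rule has to allow the LAN side explicitly. Rule order matters: a broad deny placed before a narrow allow silently wins.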
Network Address Translation
• Network Address Translation, or NAT, is a way in which IP
addresses can be preserved.
• NATs map outer IP addresses to inner IP addresses and vice versa
– When the packet arrives at the NAT the IP address in the
packet's header is replaced with the corresponding inner or
outer IP address depending on whether it is incoming or
outgoing
– The packet's checksum is recalculated and verified
– Finally, the TCP header's checksum is recalculated with the
new IP address
• The DI-624's NAT is static, so the inner IP addresses are statically
assigned to a non-user-defined outer IP address
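The three translation steps listed above (rewrite the address, recompute and verify the IP header checksum, recompute the TCP checksum with the new address), as an added Python example that is not D-Link's code. It builds a constructed IPv4/TCP packet, applies a static inner-to-outer mapping in both directions, and shows why the TCP checksum must change: it is computed over a pseudo-header that contains both IP addresses. The mapping and addresses are made up for the illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum. Over data that already carries a
    correct checksum field the result is 0, which is how we verify."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_checksum(ip_hdr: bytes) -> int:
    # Computed with the checksum field (bytes 10-11) zeroed
    return inet_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:])

def tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    # The pseudo-header carries both IP addresses, so a rewritten address
    # invalidates the old TCP checksum even though the TCP bytes are unchanged.
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return inet_checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])

def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet with valid checksums (20-byte headers, no options)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload),
                         0x1234, 0x4000, 64, 6, 0, s, d)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(s, d, tcp)) + tcp[18:]
    return ip_hdr + tcp

def checksums_valid(pkt: bytes) -> bool:
    ip_hdr, tcp = pkt[:20], pkt[20:]
    pseudo = ip_hdr[12:16] + ip_hdr[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return inet_checksum(ip_hdr) == 0 and inet_checksum(pseudo + tcp) == 0

def static_nat(pkt: bytes, mapping: dict, direction: str) -> bytes:
    """Static NAT: 'outgoing' swaps the inner source address for its fixed
    outer address, 'incoming' swaps the outer destination back to the inner
    one. Checksums are verified first, then both are rebuilt."""
    if not checksums_valid(pkt):
        raise ValueError("bad checksum: packet dropped")
    ip_hdr, tcp = bytearray(pkt[:20]), bytes(pkt[20:])
    if direction == "outgoing":
        inner = socket.inet_ntoa(bytes(ip_hdr[12:16]))
        ip_hdr[12:16] = socket.inet_aton(mapping[inner])
    elif direction == "incoming":
        outer = socket.inet_ntoa(bytes(ip_hdr[16:20]))
        inner = next(i for i, o in mapping.items() if o == outer)
        ip_hdr[16:20] = socket.inet_aton(inner)
    else:
        raise ValueError("direction must be 'outgoing' or 'incoming'")
    ip_hdr[10:12] = struct.pack("!H", ip_checksum(bytes(ip_hdr)))
    src, dst = bytes(ip_hdr[12:16]), bytes(ip_hdr[16:20])
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    return bytes(ip_hdr) + tcp

# Constructed static mapping: one inner host pinned to one outer address.
MAPPING = {"192.168.0.10": "203.0.113.10"}

if __name__ == "__main__":
    out = static_nat(build_packet("192.168.0.10", "198.51.100.7", 40000, 80,
                                  b"GET / HTTP/1.0\r\n\r\n"), MAPPING, "outgoing")
    print("outgoing src now", socket.inet_ntoa(out[12:16]), "valid:", checksums_valid(out))
```

A packet whose checksum fails verification is dropped before any rewriting; the example raises instead so the failure is visible. Note that the same recomputation is needed for UDP, whose checksum also covers the pseudo-header.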
WEP/WPA
• The DI-624's firewall allows both 64-bit and 128-bit encryption.
• It uses WEP (Wired Equivalent Privacy) for the 64-bit encryption,
which encrypts packets with an RC4 key
– RC4 key is a pre-shared 64-bit key composed of:
• A 24-bit Initialization Vector and a 40-bit WEP key
– Encrypts the packet with an XOR of the RC4 cipher stream and the
original packet
• WPA (Wi-Fi Protected Access) is used for the 128-bit encryption and
encrypts packets with either a shared key or individually assigned
keys from an authentication server
– Key is composed of a 48-bit user-defined Initialization Vector with
the 128-bit WPA key, and an 8-byte MIC
– Dynamically changes the key while in use with Temporal Key
Integrity Protocol
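The 64-bit WEP construction from the previous slide, as an added Python illustration (not the router's firmware): the per-packet RC4 key is the 24-bit IV followed by the 40-bit shared key, the keystream is XORed with the packet, and the IV travels in the clear in front of the ciphertext. The real frame format also appends a CRC-32 integrity value, which is left out here. The last function shows the caveat behind the slide's choice of "What's wrong with WEP?" as a source: with only 2^24 IVs, a busy network repeats an IV, and two frames under the same IV reveal the XOR of their plaintexts. The key and IV values are constructed.

```python
import os

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling then the pseudo-random generation loop."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

IV_SPACE = 2 ** 24   # every possible 24-bit IV

def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """64-bit WEP: RC4 key = 24-bit IV || 40-bit shared key; IV sent in clear."""
    if len(wep_key) != 5 or len(iv) != 3:
        raise ValueError("64-bit WEP needs a 5-byte key and a 3-byte IV")
    ks = rc4_keystream(iv + wep_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))

def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    iv, ct = frame[:3], frame[3:]
    ks = rc4_keystream(iv + wep_key, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def keystream_reused(frame_a: bytes, frame_b: bytes, plain_a: bytes, plain_b: bytes) -> bool:
    """True when two frames share an IV: XOR of the ciphertexts equals XOR of
    the plaintexts because the identical keystream cancels out."""
    if frame_a[:3] != frame_b[:3]:
        return False
    n = min(len(frame_a), len(frame_b)) - 3
    ct_xor = bytes(a ^ b for a, b in zip(frame_a[3:3 + n], frame_b[3:3 + n]))
    pt_xor = bytes(a ^ b for a, b in zip(plain_a[:n], plain_b[:n]))
    return ct_xor == pt_xor

if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"        # constructed 40-bit shared key
    iv = os.urandom(3)                   # a random 24-bit IV, one of 16,777,216
    frame = wep_encrypt(key, iv, b"constructed packet")
    print(frame.hex(), wep_decrypt(key, frame))
```

The `IV_SPACE` constant is the whole point: the shared key never changes, so the IV is the only per-packet variation, and it is exhausted quickly. WPA's TKIP, described on the slide, addresses exactly this by rotating the key in use.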
Domain Blocking
• Domain Blocking allows one or more domains to
be blocked or allowed based on keywords
• The DI-624's firewall allows all domains containing a
keyword to be either blocked or allowed.
• The more detailed the keyword, the more
domains will either be allowed or blocked
• Not only blocks URLs on a domain, but all p2p,
FTP and any other applications originating from
that domain
Filtering: IP/URL/MAC
• Three types of filters are provided:
– IP filter
• Blocks or allows all traffic to or from listed LAN IP addresses
– URL filter
• Allows or blocks all URLs containing a certain keyword, unlike
domain blocking, only the URL is blocked, not the whole
domain
– MAC filter
• Allows or denies the listed MAC addresses to access the network
– Most helpful when set to allow only the listed MAC addresses, so
that only the machines that are supposed to be on the network are
able to access the internet over the wireless network
• Helps to prevent hackers from using your network to perform
illegal acts
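The three filter types and domain blocking from the last two slides, combined into one added Python example (not D-Link's implementation). It keeps the distinction the slides draw: a domain keyword blocks every application talking to a matching host (HTTP, FTP, p2p alike), a URL keyword blocks only a matching URL, and the MAC filter is most useful as an allow list. Hostnames, keywords and MAC addresses below are constructed.

```python
from typing import Iterable, Optional

def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55 in any case."""
    return mac.strip().lower().replace("-", ":")

class AccessFilters:
    def __init__(self, domain_keywords: Iterable[str] = (), domain_mode: str = "deny",
                 url_keywords: Iterable[str] = (), mac_allowlist: Optional[Iterable[str]] = None):
        self.domain_keywords = [k.lower() for k in domain_keywords]
        self.domain_mode = domain_mode      # "deny": block matching domains; "allow": permit only them
        self.url_keywords = [k.lower() for k in url_keywords]
        # None means the MAC filter is off; otherwise only listed stations get out
        self.mac_allowlist = None if mac_allowlist is None else {normalize_mac(m) for m in mac_allowlist}

    def domain_blocked(self, host: str) -> bool:
        hit = any(k in host.lower() for k in self.domain_keywords)
        return hit if self.domain_mode == "deny" else not hit

    def url_blocked(self, url: str) -> bool:
        # Matches on the whole URL, so a keyword in the path blocks that page only
        return any(k in url.lower() for k in self.url_keywords)

    def mac_allowed(self, mac: str) -> bool:
        return self.mac_allowlist is None or normalize_mac(mac) in self.mac_allowlist

    def decide(self, mac: str, host: str, url: Optional[str] = None) -> str:
        """Evaluate a connection from station `mac` to `host`; `url` is given
        only for web requests. Returns 'allowed' or the reason it was blocked."""
        if not self.mac_allowed(mac):
            return "blocked: MAC not on allow list"
        if self.domain_blocked(host):
            return "blocked: domain keyword"
        if url is not None and self.url_blocked(url):
            return "blocked: URL keyword"
        return "allowed"

# Constructed policy: block any host mentioning "casino", block download
# pages by path, and let only one known station use the network.
POLICY = AccessFilters(domain_keywords=["casino"],
                       url_keywords=["/downloads/"],
                       mac_allowlist=["00:11:22:33:44:55"])

if __name__ == "__main__":
    print(POLICY.decide("00-11-22-33-44-55", "ftp.casino-example.test"))
    print(POLICY.decide("00:11:22:33:44:55", "files.example.test",
                        "http://files.example.test/downloads/a.zip"))
    print(POLICY.decide("aa:bb:cc:dd:ee:ff", "files.example.test"))
```

Two practical notes: keyword matching is a substring test, so a short keyword catches far more hosts than intended, and a MAC allow list only controls which stations get through the router, since MAC addresses are visible on the air and the filter is not a substitute for the WPA key.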
VPN Passthrough
• The firewall provided with the DI-624 allows for
VPN (Virtual Private Network) passthrough
• Machines inside of the firewall can connect to a
VPN server from a locally installed VPN client
program
• A VPN connection provides an encrypted
connection to a machine outside of the firewall
• VPN is helpful when sending and receiving
private data over the internet
Scheduling
• Scheduling allows the network administrator to
set a schedule when the individual filters are
turned on or off, domains are blocked and
packets are allowed or denied
• For instance, a parent could choose to block
certain domains Monday-Friday from 3:00 pm to
10:00 pm, and Saturday-Sunday from 6:00 am to
12:00 am, and allow access to those domains at all
other times.
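The parent's schedule from this slide, worked through as an added Python example that is not the router's scheduler: a rule is in effect only while one of its time windows is active, and the window evaluator handles the edge case the example contains, an end time of 12:00 am meaning midnight at the end of the day (and, more generally, windows that run past midnight into the next day). The blocked host list is constructed.

```python
from datetime import datetime, time
from typing import Iterable, List

DAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}

class ScheduleWindow:
    """Days plus a start/end clock time during which a rule is switched on.
    end == 00:00 means midnight at the end of the listed day; an end earlier
    than start means the window continues into the following morning."""
    def __init__(self, days: Iterable[str], start: time, end: time):
        self.days = {DAYS[d] for d in days}
        self.start, self.end = start, end

    def active(self, when: datetime) -> bool:
        t, wd = when.time(), when.weekday()
        if self.end > self.start:                       # same-day window
            return wd in self.days and self.start <= t < self.end
        if wd in self.days and t >= self.start:         # evening part
            return True
        # Morning spill-over belongs to the day after a listed day,
        # unless the window simply ends at midnight.
        return self.end != time(0, 0) and (wd - 1) % 7 in self.days and t < self.end

def rule_in_effect(windows: List[ScheduleWindow], when: datetime) -> bool:
    return any(w.active(when) for w in windows)

# The slide's example: weekdays 3:00 pm to 10:00 pm, weekends 6:00 am to 12:00 am
PARENTAL_BLOCK = [
    ScheduleWindow(["Mon", "Tue", "Wed", "Thu", "Fri"], time(15, 0), time(22, 0)),
    ScheduleWindow(["Sat", "Sun"], time(6, 0), time(0, 0)),
]

BLOCKED_HOSTS = {"games.example.test", "video.example.test"}   # constructed

def domain_blocked_now(host: str, when: datetime,
                       blocked=BLOCKED_HOSTS, windows=PARENTAL_BLOCK) -> bool:
    """Domain block applies only to listed hosts and only inside a window."""
    return host in blocked and rule_in_effect(windows, when)

if __name__ == "__main__":
    for when in [datetime(2024, 1, 8, 16, 0),    # Monday 4 pm: blocked
                 datetime(2024, 1, 8, 9, 0),     # Monday 9 am: allowed
                 datetime(2024, 1, 13, 23, 30),  # Saturday 11:30 pm: blocked
                 datetime(2024, 1, 14, 0, 0)]:   # Sunday midnight: allowed until 6 am
        print(when.strftime("%a %H:%M"), domain_blocked_now("games.example.test", when))
```

The schedule is evaluated against the router's own clock, so a wrong time zone or a clock that was never set moves every window; checking the device time is the first thing to do when a schedule appears not to work.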