Scenario & Hands-on - Main Menu Application
D-Link Security
2006 DFL-210/800/1600/2500 Technical Training
©Copyright 2006. By D-Link HQ
©Copyright 2006. All rights reserved
Agenda
• Appliance Overview
• Firewall Concept
• Basic Configuration
• Scenario & Hands-on
• Troubleshooting
Appliance Overview
Model of firewall: DFL-800 (front and back views: Console, WAN1, WAN2, LAN and DMZ ports)
Model of firewall: DFL-1600 (front and back views: Console, LAN1, LAN2, LAN3, WAN1, WAN2 and DMZ ports)
Model of firewall: DFL-2500 (front and back views: Console, LAN1, LAN2, LAN3, WAN1, WAN2, WAN3, WAN4 and DMZ ports)
Characteristics of the firewalls (DFL-800, DFL-1600 and DFL-2500)
• Gigabit interfaces for DFL-1600/2500
• Brand new user-friendly GUI, no GUI confusion issue.
• Neater and more professional look and ID for the firewall product line.
• ZoneDefense mechanism with D-Link switches prevents threat spreading.
• Advanced firewall features including Transparent Mode to ease the implementation.
• High port density
Appliance Overview: front panel
• LEDs: Power, System
• Serial console port (concealed look)
• LED panel / LCD display: System Information, Traffic Monitor, Alert Monitor, Configuration Display
• Ethernet: auto-sensing copper ports (LAN port, WAN port and DMZ port)
• Keypad: “Right”, “Left”, “Upper” and “Confirm”
LED panel: Setup Mode
Press the keypad within 5 seconds after the firewall is switched on to enter Setup Mode.
In Setup Mode, use the Left or Right button to select:
1. Start Firewall: start the firewall system.
2. Reset Firewall: reset the firewall to factory default. After resetting the firewall, choose “Start Firewall”.
Five seconds after switch-on, the firewall enters Status Mode automatically.
LED panel: Status Mode
Model name: displays the device model name.
System Status: displays the system working status.
CPU Load and Connections: show the CPU utilization and the number of concurrent sessions.
Total BPS and PPS: concurrent traffic statistics and packet statistics per second.
Date and Time: display the device's current date and time.
Uptime: time since the device booted up.
Mem: system memory utilization.
IDS Sigs: displays IDS signature information.
WAN DMZ LAN: displays each interface's IP address.
Core Version: displays the firewall firmware version.
Firewall Concept
Questions
What is a firewall?
Which firewall is the safest?
– A firewall does not protect against application errors.
Firewall Concept
IP Start Communication (TCP three-way handshake between Client and Web Server)
(1.) Client port 1024 -> server port 80: SYN
(2.) Server port 80 -> client port 1024: SYN/ACK
(3.) Client port 1024 -> server port 80: ACK
Connection established
SYN FLOOD
– 1. Sending a packet to the web server with the “SYN” flag. The client uses a fake IP address.
– 2. The server responds with a SYN/ACK, then waits until the client responds with an ACK packet.
– 3. The client repeats step one until it is satisfied that the damage is done.
Firewall Concept
IP Start Communication
• More bits (TCP flags)
– SYN – Synchronize = new connection
– ACK – Acknowledge = acknowledge that data has been received
– PSH – Push = “push received data to the application layer now”
– URG – Urgent = urgent data, process first (Beg. 70)
– FIN – Finish = end the communication with a handshake
– RST – Reset = “do not communicate with me!”
Firewall Concept
Firewall deployments in a network
Static Route
Static routes are needed for the firewall to communicate with networks that are not locally attached on the same subnet.
NAT
Internal addresses are private addresses from RFC 1918. All private addresses are translated to a valid IP address before accessing the Internet.
Transparent
No changes are required on any end station, router or server. Routing protocols can be configured to pass through the firewall in Transparent mode. The firewall offers full firewall and VPN capabilities.
Firewall deployments in a network: Static Route (topology figure)
Firewall: LAN 2.2.10.1, DMZ 2.2.100.1, WAN 2.2.2.10; Internet router 2.2.2.254. LAN hosts: Intranet Web 2.2.10.5, Corp Mail 2.2.10.6, Intranet DNS 2.2.10.7, AdminPC 1 2.2.10.13, AdminPC 2 2.2.10.18, AdminPC 3 2.2.10.33; routed subnets Sales 2.2.20.0, Support 2.2.30.0, Marketing 2.2.40.0. DMZ hosts: Corporate Web 2.2.100.2, Mail Relay 2.2.100.3, DMZ DNS 2.2.100.4.
Firewall deployments in a network: NAT (topology figure)
Firewall: LAN 10.1.10.1, DMZ 2.2.100.1, WAN 2.2.2.10; Internet router 2.2.2.254. LAN hosts: Intranet Web 10.1.10.5, Corp Mail 10.1.10.6, Intranet DNS 10.1.10.7, AdminPC 1 10.1.10.13, AdminPC 2 10.1.10.18, AdminPC 3 10.1.10.33; private subnets Sales 10.1.20.0, Support 10.1.30.0, Marketing 10.1.40.0. DMZ hosts: Corporate Web 2.2.100.2, Mail Relay 2.2.100.3, DMZ DNS 2.2.100.4.
Firewall deployments in a network: Transparent (topology figure)
Firewall: LAN, WAN and DMZ all 2.2.2.253; Internet router 2.2.2.254. LAN hosts: Intranet Web 2.2.2.5, Corp Mail 2.2.2.6, Intranet DNS 2.2.2.7, AdminPC 1 2.2.2.13, AdminPC 2 2.2.2.18, AdminPC 3 2.2.2.33; subnets Sales 2.2.20.0, Support 2.2.30.0, Marketing 2.2.40.0. DMZ hosts: Corporate Web 2.2.2.2, Mail Relay 2.2.2.3, DMZ DNS 2.2.2.4.
Firewall Concept
Firewall Generations
• First generation
– Packet filtering
• Second generation
– Proxy
• Third generation
– Stateful Inspection
• Fourth generation
– IDS/IDP
Firewall Concept
1. Packet Filtering
• Works at the IP & TCP level
• Disadvantages:
– Does not re-create fragmented packets
– Does not understand the relationship between packets
• Advantages
– High speed of packet processing
(OSI model figure: 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical)
Firewall Concept
2. Proxy
• Receives packets, reads and re-creates the packets
– No physical connection between the client and the server.
• Disadvantages
– Slow
– The proxy must understand the application protocol
– Mostly based on a complex operating system
• Advantages
– Attacks on the TCP/IP level will never penetrate through to the protected network
– Able to analyze application data
• Able to strip things like ActiveX and Java.
Firewall Concept
3. Stateful Inspection
• Re-creates fragmented packets
• Understands the relationship between packets
• Advantages
– Does not need to understand the application data to work
– Great flexibility
– Better performance than a proxy
• Disadvantages
– Harder to analyze the application data (but still possible)
4. IDS/IDP
Firewall Concept
Packet flow (figure): Internet <-> firewall (WAN IP: 203.126.142.96) <-> internal host (IP: 192.168.1.100)
1. Packet inspection
2. Priority processes
3. Allow? Drop? NAT? Reject?
Firewall Concept
Packet flow
When traffic enters the firewall, it is first inspected by VLAN (if VLAN is used).
The IDS rule is the primary filter; it is configured to allow or disallow certain types of network traffic through the firewall.
The traffic is then inspected by the IP rules and the routing rules.
After that the traffic is inspected by ZoneDefense and Traffic Shaping.
Firewall Concept
Packet flow (flowchart; nodes as labelled): Inbound packet; basic sanity checks, including verification of the IP header (failed -> Drop); VLAN packet? (Yes -> de-capsulate); check IDS signatures (Yes -> Drop, ZD); Fragment? (Yes -> process fragment; failed -> Drop); verify TCP/UDP header; found matching connection? (No -> apply rules: FwdFast/SAT or SAT_ApplyRulePack, Allow/NAT/SAT -> open connection; no match -> Drop, ZD); Traffic Shaping; Route IP; DestIP = FW?; forward packet.
Basic Configuration
Default Interface Attribute Definition (DFL-800)
http://192.168.1.1
LAN can be managed and pinged
DHCP is disabled on the firewall
Default Interface Attribute Definition (DFL-1600)
http://192.168.1.1
LAN1 can be managed and pinged
DHCP is disabled on the firewall
Default Interface Attribute Definition (DFL-2500)
http://192.168.1.1
LAN1 can be managed and pinged
DHCP is disabled on the firewall
Basic Configuration
Design concept of the UI
If a rule or object is created without hitting the “OK” button, the user must hit the “Cancel” button; otherwise that rule or object stays in the list, named “untitle”.
Traffic is examined against the rules from top down, in the order in which they were created.
When you right-click a rule or object and select Delete, a strike-through line is shown on that rule or object.
The “Save and Activate” button is not available while an “untitle” rule or object remains undeleted.
After clicking “Save and Activate”, you must reconnect to the firewall within 30 seconds (default setting) for the configuration changes to be finalized. If this fails, the unit reverts to its previous configuration. The reconnection time is adjustable.
Basic Configuration
Configure a static IP address on your laptop or PC.
The user is authenticated before logging in to the firewall. Default login: admin, password: admin.
After login the user is presented with:
– Menu Bar
– Tree View List
– Main Window
(Web UI screenshot: Menu Bar, Tree View List and Main Window)
Basic Configuration
Web UI screenshots: UI of System, Object, Rules, Interfaces, Routing, IDS/IDP, User Authentication, Traffic Shaping and ZoneDefense.
Basic Configuration
Three Steps to Configure
1. Create and verify the objects
2. Create the rules (IP rule, IDS rule, user authentication rule and Pipes rule)
3. Create and verify the routing rules
Basic Configuration
First Step to Configure
1. Create and verify the object
The most important element in firewall configuration is the OBJECT. Objects are the basic network elements defined in the firewall: a list of symbolic names associated with various types of addresses, including IP addresses of hosts and networks.
Object items are used heavily throughout a firewall configuration: in routing tables, rule-sets, interface definitions and VPN tunnels, among others.
Basic Configuration
Objects – Address Book
• Hosts & Networks configuration items are symbolic names for IP networks
Objects – ALG
• ALGs (Application Layer Gateways) are designed to manage specific protocols
• They examine the payload data and carry out appropriate actions based on defined rules
• The appropriate Application Layer Gateway definition is selected in a Service configuration item. Network traffic which matches the service definition will thus be managed by the selected Application Layer Gateway.
Objects – Services
• A definition of a specific IP protocol with corresponding parameters. The service http, for instance, is defined as using the TCP protocol with destination port 80.
Objects – Schedules
• A Schedule allows the firewall rules it is attached to to be used only at the designated times. Any activity outside the scheduled time slot will not match those rules and is therefore unlikely to be permitted to pass through the firewall.
Objects – Certificate
• A certificate is a digital proof of identity. It links an identity to a public key in a trustworthy manner. Certificates can be used to authenticate individual users or other entities. These types of certificates are commonly called end-entity certificates.
Basic Configuration
Second Step to Configure
2. Create the rule
The Rules configuration section represents the rule-set, the "heart" of the firewall. The rule-set is the primary filter which is configured to allow or disallow certain types of network traffic through the firewall. The rule-set also regulates how address translation and bandwidth management (traffic shaping) are applied to traffic flowing through the firewall.
Basic Configuration
IP Rules – Drop
• Packets matching Drop rules are immediately dropped. Such packets are logged if logging has been enabled in the Log Settings page.
(Figure: a Drop rule and the corresponding dropping log entry)
IP Rules – Reject
• Reject works basically the same way as Drop. In addition, the firewall sends an ICMP UNREACHABLE message back to the sender or, if the rejected packet is a TCP packet, a TCP RST message.
(Figure: a Reject rule, the ICMP Unreachable / TCP RST sent back to the sender, and the corresponding rejecting log entry)
IP Rules – FwdFast
• Packets matching FwdFast rules are allowed through immediately.
• The firewall does not memorize the open connections and does not statefully inspect traffic which has passed through it.
• For one single packet, this is indeed faster than first having to open a state-tracked connection and then passing the packet to it. But when several packets pass over the same connection, state tracking (Allow) is faster.
(Figure: packets matching FwdFast rules pass between the Internet and the LAN with no stateful traffic inspection; the firewall does not remember open connections)
Note: Allow is usually faster than FwdFast.
Remember that there needs to be a FwdFast rule in each direction.
IP Rules – Allow
• Packets matching Allow rules are passed to the stateful inspection engine, which memorizes that a connection has been opened.
• Rules for return traffic are not required, as traffic belonging to open connections is automatically dealt with before it reaches the rule-set.
(Figure: packets matching Allow rules pass between the Internet and the LAN with logging and stateful inspection)
IP Rules – SAT
• Nothing happens when a packet matches a SAT rule at the beginning.
• The firewall memorizes where to send the traffic and continues to look for a matching rule that will allow the packet to pass; the static address translation is performed at that stage.
(Figure: an Internet client at 220.255.14.123 says “I want the file from the FTP server”; the firewall's WAN IP is 203.126.142.100 and the FTP server sits in the DMZ at 172.16.1.100)
The public_ip should be bound to the WAN of the firewall first.
redirect_address is used to redirect incoming connections from public_ip to private_ip.
IP Rules – NAT
• NAT rules perform dynamic address translation; NAT hides the sender address.
• Mostly used to hide all machines on a protected network so that they appear to the outside world as if they use a single IP address.
(Figure: Network Address Translation between an internal host at 192.168.1.100 and the Internet via the firewall's WAN IP 203.126.142.96)
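To make the rule actions concrete, here is a small Python model of the top-down rule-set evaluation described in the IP Rules slides (Drop, Reject, FwdFast, Allow, SAT and NAT), including the "found matching connection?" step of the packet-flow chart. It is an added illustration, not D-Link firmware or configuration: the rule names, the 198.51.100.7 Internet host and the DMZ-to-LAN syslog rule are constructed, while the FTP/SAT and NAT addresses come from the figures above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src_if: str                 # receiving interface: "wan1", "lan", "dmz"
    src_ip: str
    dst_ip: str
    proto: str                  # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None

@dataclass
class Rule:
    name: str
    action: str                 # Drop, Reject, FwdFast, Allow, SAT or NAT
    src_if: str                 # interface name or "any"
    src_net: str
    dst_net: str
    service: str                # "all", "icmp" or "<proto>/<port>", e.g. "tcp/80"
    sat_to: Optional[str] = None   # SAT only: redirect_address (private_ip)

@dataclass
class Verdict:
    action: str                      # final disposition of the packet
    rule: Optional[str] = None       # rule (or table) that decided it
    stateful: bool = False           # Allow/NAT open a tracked connection
    new_dst: Optional[str] = None    # destination after SAT, if any
    reply: Optional[str] = None      # what Reject sends back to the sender

state_table = set()   # open connections known to the engine: (src, dst, proto, port)

def service_matches(service: str, pkt: Packet) -> bool:
    if service == "all":
        return True
    if "/" not in service:
        return pkt.proto == service
    proto, port = service.split("/")
    return pkt.proto == proto and pkt.dst_port == int(port)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src_if in ("any", pkt.src_if)
            and ip_address(pkt.src_ip) in ip_network(rule.src_net)
            and ip_address(pkt.dst_ip) in ip_network(rule.dst_net)
            and service_matches(rule.service, pkt))

def evaluate(rules: list, pkt: Packet) -> Verdict:
    """Walk the rule-set top-down and return what happens to pkt."""
    key = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port)
    if key in state_table:      # open connection: never reaches the rule-set
        return Verdict("Allow", rule="<state table>", stateful=True)
    verdict = Verdict("Drop", rule="<default>")   # no match at all: dropped
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "SAT":
            # Nothing happens yet: remember the translation and keep looking
            # for a later rule that lets the packet pass.
            verdict.new_dst = rule.sat_to
            continue
        verdict.action, verdict.rule = rule.action, rule.name
        if rule.action == "Reject":
            verdict.reply = "TCP RST" if pkt.proto == "tcp" else "ICMP UNREACHABLE"
        elif rule.action in ("Allow", "NAT"):
            verdict.stateful = True         # FwdFast deliberately is not
            state_table.add(key)
        return verdict
    return verdict

def demo() -> dict:
    """Constructed rule-set in the spirit of the SAT and NAT figures above."""
    state_table.clear()
    rules = [
        Rule("ftp_sat", "SAT", "wan1", "0.0.0.0/0", "203.126.142.100/32",
             "tcp/21", sat_to="172.16.1.100"),
        Rule("ftp_allow", "Allow", "wan1", "0.0.0.0/0", "203.126.142.100/32",
             "tcp/21"),
        Rule("syslog_ff", "FwdFast", "dmz", "172.16.1.0/24", "192.168.1.0/24",
             "udp/514"),
        Rule("lan_out", "NAT", "lan", "192.168.1.0/24", "0.0.0.0/0", "all"),
        Rule("wan_telnet", "Reject", "wan1", "0.0.0.0/0", "0.0.0.0/0", "tcp/23"),
    ]
    ftp = Packet("wan1", "220.255.14.123", "203.126.142.100", "tcp", 21)
    syslog = Packet("dmz", "172.16.1.100", "192.168.1.100", "udp", 514)
    return {
        "ftp_first": evaluate(rules, ftp),         # SAT noted, then Allow
        "ftp_second": evaluate(rules, ftp),        # served from the state table
        "syslog_first": evaluate(rules, syslog),
        "syslog_second": evaluate(rules, syslog),  # FwdFast: hits the rule again
        "lan_web": evaluate(rules, Packet("lan", "192.168.1.100",
                                          "198.51.100.7", "tcp", 80)),
        "wan_telnet": evaluate(rules, Packet("wan1", "220.255.14.123",
                                             "203.126.142.100", "tcp", 23)),
        "wan_ping": evaluate(rules, Packet("wan1", "220.255.14.123",
                                           "203.126.142.100", "icmp")),
    }

if __name__ == "__main__":
    print({k: (v.action, v.rule, v.new_dst) for k, v in demo().items()})
```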
Basic Configuration
Third Step to Configure
3. Create and verify the routing rule
Main Route:
The Routes configuration section describes the firewall's routing table. The firewall uses a slightly different way of describing routes compared to most other systems.
Policy-Based Route:
The rules in the PBR rule-set are able to specify which routing table is to be used in the forward as well as the return direction (selecting the routing priority).
Basic Configuration
Main Routing Table
• Routing tells the firewall in which direction it should send packets destined for a given IP address.
Basic Configuration
Policy Based Routing
• Connect to two or more ISPs and accept inbound connections from all of them. Return traffic is routed back through the ISP that delivered the incoming request.
• Route certain protocols through transparent proxies such as web caches and anti-virus scanners, without adding another point of failure for the network as a whole.
• Create provider-independent metropolitan area networks, i.e. ones where all users share a common active backbone but are able to use different ISPs, subscribe to different streaming media providers, etc.
(Figure: policy based routing topology with the Internet via WAN1 and WAN2, Intranet 192.168.1.0/24, Extranet 192.168.174.0/24 and a DMZ)
Scenario & Hands-on
1. Basic Configuration (WAN/LAN/DMZ, Transparent mode)
2. Configure Load Sharing and Route Failover (use 2 WANs)
3. Configure ZoneDefense
4. Port mapping for server (SAT and server load balance)
5. Runtime Authentication configuration
6. Traffic shaping
7. Configure VPN tunnel (PPTP, L2TP and IPsec)
Scenario & Hands-on
Topology covering all scenarios (figure): DFL-800 with WAN1 IP 192.168.174.71/24; DFL-1600 with WAN1 (DHCP), WAN2 (Static IP), DMZ with FTP Server 172.16.1.1, Internal LAN1 192.168.1.0/24, Internal LAN2 192.168.2.0/24, Internal LAN3 192.168.3.0/24; Remote LAN behind the DFL-800 with Internal LAN 192.168.10.0/24.
Hands on:
1. Basic Configuration
2. Load Sharing and Route Failover
3. ZoneDefense
4. Port mapping for server
5. User Authentication
6. Traffic Shaping
7. VPN tunnel
Scenario & Hands-on
Network topology for hands-on (figure): all WAN1 ports connect to the main switch (groups G1, G2, G3, G4), which connects to the Internet.
Network topology for every group (figure): four persons in one group; the LAN1 port connects to the group switch, which connects to the main switch.
Scenario & Hands-on 1
Basic Configuration (configure the WAN type, modify the IP address of LAN and enable transparent mode)
Topology (figure): WAN1 via PPPoE, DHCP or Static IP 192.168.174.70/24; Internal LAN1 192.168.3.1/24; Internal LAN2 192.168.5.1/24; Internal LAN3 192.168.7.1/24; Internal DMZ 172.17.100.1/24.
Objective:
How to modify the IP address for LAN and DMZ in Object
How to use DHCP, Static IP and PPPoE to access the Internet
How to enable transparent mode
Scenario & Hands-on 1-1
Basic Configuration – Modify IP address for LAN and DMZ
Network topology (figure): Internal LAN1 192.168.3.1/24; Internal LAN2 192.168.5.1/24; Internal LAN3 192.168.7.1/24; Internal DMZ 172.17.100.1/24.
Notes:
DFL-800 only has LAN and DMZ
DFL-1600/2500 have LAN1, LAN2, LAN3 and DMZ
Pay attention to the default manageable status
Confirm the connecting port (DFL-800, DFL-1600, DFL-2500)
Bind a secondary IP address to match the new network IP segment.
After configuration, use the new LAN IP address as the default gateway on the laptop.
Objectives
Access the LAN1 IP address successfully (ping) or manage the Web UI by the new IP address
The Logics of Configuration
Bind a secondary IP address to match the new network IP segment.
After configuration, use the new LAN IP address as the default gateway on your laptop.
Modify the IP address and network objects in the address book of Object.
Scenario & Hands-on
Bind two IP addresses on one NIC (screenshot walkthrough, steps 1–6)
Scenario & Hands-on 1-1
Basic Configuration – Modify IP address for LAN and DMZ
Use a web browser such as Internet Explorer 6 or Firefox 1.0 to connect to the Web UI
Change the IP address in the address book of Object
• Click “Interface Addresses” in Object
• Key in the correct IP address and network
Change the IP address in the address book of Object or in Ethernet under Interface
• Key in the correct IP address and network
After all configurations are done, click “Configuration” in the main bar
• Click “Save and Activate”
Testing result: ping the LAN IP address
How to modify the Web UI reconnection time
After you click “Save and Activate” you can adjust the reconnection time
• Click “Click here to edit the configuration verification timeout.”
Use the new LAN IP address as the default gateway on the laptop (screenshot walkthrough, steps 1–8)
Exercise 1-1 – Modify IP address for LAN and DMZ
Objective:
1. Change the IP address of LAN1
2. Ping the new IP address of LAN1 and access the Web UI by the new IP successfully
(Figure: Internal LAN1, LAN2, LAN3 and DMZ)
LAN1 IP:
Group A (1): 192.168.10.1/24
Group B (2): 192.168.20.1/24
...
Group I (9): 192.168.90.1/24
Group J (10): 192.168.100.1/24
Scenario & Hands-on 1-2
Basic Configuration – Transparent mode
Network topology (figure): WAN1 side 192.168.174.70/24, 192.168.174.72/24; Internal LAN1 side 192.168.174.70/24, 192.168.174.71/24.
Note:
Configure the default gateway
Configure DHCP relay if the firewall is in a DHCP environment
Objectives
Implement the firewall in transparent mode without changing the existing network settings
Allow or deny specific services and traffic (allow WAN1 to LAN1 for the ICMP service, allow LAN1 to WAN1 for all services)
The Logics of Configuration
Enable transparent mode
Configure IP rules and objects in the firewall
Bind a secondary IP address to match the new network IP segment.
Configure the IP objects in the address book of Object to the same network
• Click “Address Book” in Object
• Configure the IP addresses of WAN1 and LAN1
Enable transparent mode for WAN1 and LAN1
• Click “Ethernet” under “Interface”
• Enable transparent mode on the WAN1 interface and add the gateway object as the “Default Gateway”
• Disable “Add route for interface network”
Enable transparent mode for WAN1 and LAN1 (continued)
• Click “Ethernet” in Interface
• Enable transparent mode on the LAN1 interface
• Disable “Add route for interface network”
Add the “Service” rule under IP rules (WAN1 to LAN1 and LAN1 to WAN1)
• Click “IP rules” in Rules
• Choose the correct Action, Service, Interface and Network for the rule
Create the DHCP relay for LAN1 to WAN1
• Click “DHCP relays” under “System” > “DHCP Settings”
• Choose the correct Action, Service, Interface and Network for the rule
After all configuration, click “Configuration” in the main bar
• Click “Save and Activate”
Testing result: get an IP address from the DHCP server and ping the gateway
Exercise 1-2 – Transparent mode
Objectives:
1. Enable transparent mode
2. Allow ping from WAN to LAN
3. Allow all services from LAN to WAN
WAN1 IP / LAN1 IP (the same address on both sides):
Group 1: 192.168.200.1/24
Group 2: 192.168.200.2/24
...
Group 9: 192.168.200.9/24
Group 10: 192.168.200.10/24
DHCP server IP address: 192.168.200.254
Scenario & Hands-on 1-3
Basic Configuration – WAN type – Static IP
Network topology (figure): WAN1 (Static) IP 192.168.174.70/24; WAN1 gateway IP 192.168.174.254/24; Internal LAN1 IP 192.168.3.1/24.
Note:
Configure the default gateway
Objectives
Configure the WAN type with a static IP address
The Logics of Configuration
Before configuring the WAN type with a static IP, please reset the device to default
Create an object for the WAN1 gateway and apply it to the WAN1 interface
Choose the correct Action, Service, Interface and Network for the rule
Create the correct gateway object under “Address Book”
• Click “Address Book” under “Object”
• Add an object for IP4 Host/Network
• Verify the IP addresses of wan1_ip and wan1net
Apply the gateway object to the WAN interface
• Click “Ethernet” under “Interfaces”
• Add the gateway object as “Default Gateway”
Create the service rule in IP rules
• Click “IP rules” under “Rules”
• Choose the correct Action, Service, Interface and Network for the rule
After all configuration, click “Configuration” in the main bar
• Click “Save and Activate”
Testing result: ping to the Internet (tw.yahoo.com)
Exercise 1-3 – WAN type – Static IP
Objective:
1. Change the WAN type to a static IP address from the following IP addresses
2. Use “NAT” mode to access the Internet
LAN1 (group private IP):
Group 1: 192.168.10.1/24
Group 2: 192.168.20.1/24
...
Group 9: 192.168.90.1/24
Group 10: 192.168.100.1/24
WAN1 (group IP):
Group 1: 192.168.200.1/24
Group 2: 192.168.200.2/24
...
Group 9: 192.168.200.9/24
Group 10: 192.168.200.10/24
WAN1 Gateway: 192.168.200.254
Scenario & Hands-on 1-4
Basic Configuration – WAN type – PPPoE
Network topology (figure): WAN1 via PPPoE; Internal LAN1 IP 192.168.3.1/24.
Note:
Configure the PPPoE tunnel
Apply the PPPoE tunnel to the IP rule
Objectives
Configure the WAN type as a PPPoE tunnel to access the Internet in NAT mode
The Logics of Configuration
Create a PPPoE tunnel and apply it to the IP rule
Choose the correct Action, Service, Interface and Network for the rule
Create an object for the PPPoE rule in “PPPoE Tunnels” under “Interfaces”
• Click “PPPoE Tunnels” under “Interfaces”
• Apply the correct Physical Interface, Remote Network, Username and Password in the object
Create the IP rule
• Click “IP rules” under “Rules”
• Choose the correct Action, Service, Interface and Network for the rule
After all configuration, click “Configuration” in the main bar
• Click “Save and Activate”
Testing result: ping to the Internet (tw.yahoo.com)
Exercise 1-4 – WAN type – PPPoE
Objective:
1. Configure the WAN type as a PPPoE tunnel so that local users can access the Internet
(Figure: WAN1 via PPPoE; Internal LAN1 IP 192.168.3.1/24)
Scenario & Hands-on 1-5
Basic Configuration – WAN type – DHCP
Network topology (figure): WAN1 via DHCP; Internal LAN1 IP 192.168.3.1/24.
Note:
Enable the DHCP client on the WAN interface
Objectives
Dynamically assign an IP to the WAN interface so that local users can access the Internet by NAT
The Logics of Configuration
Enable “DHCP client” in Interface
Create the IP rule and choose the correct Action, Service, Interface and Network for the rule
Enable the DHCP client in “Ethernet” under “Interfaces”
• Click “Ethernet” under “Interfaces”
• Enable “DHCP Client”
Create the service rule in “IP rules”
• Click “IP rules” in Rules
• Choose the correct Action, Service, Interface and Network for the rule
After all configuration, click “Configuration” in the main bar
• Click “Save and Activate”
Testing result: verify the WAN IP from “Status” in the tool bar
Exercise 1-5 – WAN type – DHCP
Objective:
1. Dynamically assign an IP to the WAN interface so that local users can access the Internet
(Figure: WAN1 to a DHCP server; Internal LAN1 IP 192.168.3.1/24)
Scenario & Hands-on 2-1
WAN Failover
Network topology (figure): WAN1 via DHCP; WAN2 (static IP) 192.168.174.70/24 with WAN2 gateway 192.168.174.254; Internal LAN1 192.168.1.0/16; Internal LAN2 192.168.2.0/24; Internal LAN3 192.168.3.0/24.
Note:
Manually add the default route in the main routing table
Enable the “Monitor” feature on the routes
WAN2 is the backup link
Objectives
WAN1 is the main link, WAN2 is the backup link
When WAN1 is disconnected, all traffic goes through WAN2 to the Internet
When WAN1 is back to normal, all traffic goes through WAN1 to the Internet
The Logics of Configuration
Create the routing policy in the main routing table
Apply the routing policy between the DHCP and static IP WAN connections
Create the IP rule and choose the correct Action, Service, Interface and Network for the rule
Enable the DHCP client in “Ethernet” under “Interfaces”
• Click “Ethernet” in Interface
• Uncheck “Add default route if default gateway is specified”
Create the correct gateway object in “Address Book” under “Object” (WAN2)
• Click “Address Book” in Object
• Add the object for IP4 Host/Network
• Modify wan2_ip and wan2net
Apply the gateway object to the WAN interface and disable “Add default route”
• Click “Ethernet” in Interface
• Disable the default route in Interface
Combine WAN1 and WAN2 into the WAN interface group object
• Click “Interface Groups” in Interface
• Create the object and choose WAN1 and WAN2
Create the IP rule for the WAN group
• Click “IP Rules” in Rules
• Choose the correct Action, Service, Interface and Network in the rule
D-Link Security
1
2
3
4
5
6
7
Scenario & Hands-on 2-1
8
WAN Failover
3
1
4
2
Create the WAN1 routing rule and enable “monitor this route”
•Click “Main Routing Table” under “Routing “
•Create the routing rule for WAN1
•Choose lower Metric value and enable “monitor this route”
126
D-Link Security
1
2
3
4
5
6
7
8
Scenario & Hands-on 2-1
WAN Failover
3
1
4
2
Create the WAN2 routing rule and enable “monitor this route”
•Click “Main Routing Table” under “Routing “
•Create the routing rule for WAN2
•Choose higher Metric valueand enable “monitor this route”
127
D-Link Security
1
2
3
4
5
6
7
8
Scenario & Hands-on 2-1
WAN Failover
After all configuration , Click “configuration” in main bar
• Click “Save and Activate”
128
D-Link Security
Scenario & Hands-on 2-1
Exercise 2-1- WAN Failover
WAN2
Group IP (Static IP)
WAN1
DHCP
Objectives:
1.
2.
Internal LAN1
Group IP
WAN1 is the main link,WAN2 is the
backup link
When WAN1 is disconnected, all
traffic would failover to WAN2
WAN2
Group1: 10.2.1.1/24
Group2: 10.2.1.2/24
.
.
Group9: 10.2.1.9/24
Group10: 10.2.1.10/24
WAN2-Gateway:10.2.1.254
129
LAN1
192.168.10.1/24
192.168.20.1/24
.
.
192.168.90.1/24
192.168.100.1/24
D-Link Security
Scenario & Hands-on 2-2: Load Sharing and WAN Failover

Network topology
WAN1: DHCP
WAN2 (static IP): 192.168.174.70/24, WAN2 gateway: 192.168.174.254
Internal LAN1 IP: 192.168.1.0/16
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
Note:
• Create a PBR (policy-based routing) table and apply it through a routing policy

Objectives
• All services go through WAN1, but the FTP service and a specific IP range go through WAN2
• When WAN1 is disconnected, all traffic goes through WAN2 to the Internet
• When WAN1 is back to normal, all traffic goes through WAN1 to the Internet again
• When WAN2 is disconnected, the specified traffic and service reach the Internet through WAN1

The logic of configuration
• Modify the PBR routing table and the routing rule

Step 1. Create the IP address object for the specific LAN1 range
• Click "Address Book" under "Objects"
• Click "Ethernet" under "Interfaces"

Step 2. Add the WAN2 (static) route to the PBR table
• Click "PBR Table" under "Routing"
• Choose the higher metric in the PBR table and enable the monitor function

Step 3. Add the routing rule for WAN1 in the PBR policy
• Click "PBR Policy" under "Routing"
• Choose the correct Forward table, Return table, interface and network

Step 4. After all configuration, click "Configuration" in the main menu bar
• Click "Save and Activate"

Exercise 2-2: Load Sharing
Network topology
WAN1: DHCP
WAN2: static IP
Internal LAN1 IP: 192.168.x.0/24
Objectives:
1. Load sharing: ping-outbound and the specific IP range 192.168.X.10-100 leave through WAN2, while all other services reach the Internet through WAN1.
2. Failover: when any WAN cable is unplugged, users can still access the Internet via the other WAN port.
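As an added example (not part of the D-Link training material), the following Python model shows how the main routing table and the PBR table from scenarios 2-1 and 2-2 pick an egress interface when the routes are monitored, and why step 1 of 2-1 unchecks "Add default route if default gateway is specified". The metric values, the LAN1 range 192.168.1.10-100, the flow tuple and the fallback from the PBR table to the main table are constructed assumptions of this model, not NetDefendOS internals.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Route:
    interface: str
    gateway: str
    metric: int
    monitored: bool = True  # "Monitor this route" enabled, as in steps 6 and 7
    up: bool = True         # current result of the route monitor


@dataclass
class Tables:
    main: list = field(default_factory=list)
    pbr: list = field(default_factory=list)


def usable(routes):
    """Routes eligible for lookup, lowest metric first. An unmonitored route
    is always eligible; a monitored one only while its monitor reports up."""
    return sorted((r for r in routes if not r.monitored or r.up),
                  key=lambda r: r.metric)


def pbr_policy_applies(src_ip, dst_port):
    """Routing policy of scenario 2-2: FTP control traffic and the constructed
    LAN1 range 192.168.1.10-192.168.1.100 are steered through the PBR table."""
    ip = int(ip_address(src_ip))
    lo, hi = int(ip_address("192.168.1.10")), int(ip_address("192.168.1.100"))
    return dst_port == 21 or lo <= ip <= hi


def select_route(tables, src_ip, dst_port):
    """Egress interface for a flow, or None when no route is usable.
    Assumption of this model: a flow matching the policy falls back to the
    main table when the PBR table holds no usable route (objective 4)."""
    if pbr_policy_applies(src_ip, dst_port):
        pbr_routes = usable(tables.pbr)
        if pbr_routes:
            return pbr_routes[0].interface
    main_routes = usable(tables.main)
    return main_routes[0].interface if main_routes else None


def build_tables(wan1_up=True, wan2_up=True, auto_default_route=False):
    """Main table: WAN1 with the lower metric, WAN2 with the higher one (steps 6-7).
    PBR table: the WAN2 route only. Metric values are constructed."""
    main = [Route("wan1", "dhcp-assigned", 90, up=wan1_up),
            Route("wan2", "192.168.174.254", 100, up=wan2_up)]
    if auto_default_route:
        # "Add default route if default gateway is specified" left enabled:
        # the DHCP client installs its own default route, and nothing monitors it.
        main.append(Route("wan1", "dhcp-assigned", 80, monitored=False, up=wan1_up))
    pbr = [Route("wan2", "192.168.174.254", 100, up=wan2_up)]
    return Tables(main, pbr)


def failover_matrix():
    """Egress per link state for a web flow and an FTP flow from 192.168.1.200."""
    results = {}
    for w1, w2 in ((True, True), (False, True), (True, False), (False, False)):
        t = build_tables(w1, w2)
        results[(w1, w2)] = (select_route(t, "192.168.1.200", 80),
                             select_route(t, "192.168.1.200", 21))
    return results


if __name__ == "__main__":
    for (w1, w2), (web, ftp) in failover_matrix().items():
        print(f"wan1 up={w1!s:5} wan2 up={w2!s:5}  web -> {web}  ftp -> {ftp}")
    # With the automatic default route left in place, WAN1 is still chosen after
    # its monitor fails, so the traffic is black-holed instead of failing over.
    broken = build_tables(wan1_up=False, auto_default_route=True)
    print("auto default route kept, WAN1 down:", select_route(broken, "192.168.1.200", 80))
```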
How to enable the "tracer" function (traceroute through the firewall)

Step 1. Modify the TTL Min value to 1
• Click "IP Settings" under "Advanced Settings" in "System"
• Key in the smallest value (1)

Step 2. Enable "Pass returned ICMP error messages from destination"
• Click "Services" under "Objects" and choose the "all_icmp" object
• Enable "Pass returned ICMP error messages from destination"
Scenario & Hands-on 3: ZoneDefense

• When an infected host spreads a worm into the network, the firewall can stop the malicious traffic flooding to other subnets, but it has no way to stop the host infecting its own network [subnet A].
• The most effective solution: the firewall triggers ACLs in the LAN switches to perform real-time filtering of any malicious traffic found. The ACL is set to block a specific MAC or IP address.
• D-Link firewalls implement the ZoneDefense feature to perform proactive network security together with D-Link switches.
Diagram: WAN - Firewall - LAN switches (DES-3x26S, DES-3350SR, DES-3250TG, DES-3500 series, DES-3800 series, xStack series) - Infected Host

ZoneDefense
• Uniquely from D-Link: it operates with D-Link switches to isolate an infected host that is generating unusual traffic on the LAN
• Uses Threshold rules to examine connections through the firewall and take action on them. The threshold rules monitor the number of connections per second
• When a pre-defined limit is reached, the firewall sends block requests to the switches configured for ZoneDefense

Network topology
WAN1 IP: 192.168.174.70/24 (to the Internet)
LAN1 IP: 192.168.1.1/24
Switch: DGS-3324SR, switch IP 192.168.1.250/24, with PCs attached
Threshold: block HTTP requests exceeding 4 sessions for every host
Note:
• Verify the model of the supported switch
• Verify the IP address of the switch
• Verify the SNMP community between the switch and the firewall

Objectives
• When the traffic of any host exceeds 4 sessions, the firewall has the switch create the ACL rule that blocks the offending traffic

The logic of configuration
• Configure the switch
• Choose the correct switch model
• Exclude the switch and the administrator
• Create and configure the threshold rule

Step 1. Reset the switch to default and configure the IP address of the switch
• Use the CLI of the switch
• Key in "reset config"
• Key in "config ipif System ipaddress 192.168.1.250/24"

Step 2. Verify the communication between the firewall and the switch and inspect the SNMP community on the switch
• Use the CLI of the switch
• Key in "show snmp community"

Step 3. Create the IP address objects for the switch and the administrator
• Click "Address Book" under "Objects"
• Add the objects as IP4 Host/Network

Step 4. Create the switch object in ZoneDefense
• Click "Switches" under "ZoneDefense"
• Choose the correct switch model and key in the SNMP community
• Verify that the firewall can communicate with the switch

Step 5. Exclude the switch and the administrator
• Click "Exclude" under "ZoneDefense"
• Choose the correct objects

Step 6. Create the threshold rule in ZoneDefense
• Click "Threshold" under "ZoneDefense"
• Choose the correct interface and network
• Key in the threshold condition (the host-based value must be smaller than the network-based value)

Step 7. After all configuration, click "Configuration" in the main menu bar
• Click "Save and Activate"

Testing result
• Block status from the firewall
• Block status from the switch

Exercise 3: ZoneDefense
Network topology
WAN1: DHCP (to the Internet)
LAN1 IP: group IP address
Switch: DGS-3324SR, switch IP in the same segment as the LAN1 IP, with PCs attached
Objective:
1. When the web traffic of any host exceeds 2 sessions, the firewall has the switch create the ACL rule that blocks the offending traffic
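The threshold logic behind ZoneDefense, as an added example that is not part of the training material: it counts new HTTP connections per source host per second over a constructed connection log, skips the excluded switch and administrator addresses, and produces the block request (IP and MAC) that the firewall would hand to the switch. The administrator address, the MAC values, the network-based limit and the choice to only raise an alert at the network threshold are assumptions; the SNMP exchange with the switch is not modelled.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def valid_thresholds(host_limit, network_limit):
    """Constraint from step 6: the host-based value must be smaller than the network-based one."""
    return host_limit < network_limit


@dataclass(frozen=True)
class ThresholdRule:
    interface: str
    network: str        # source network the rule watches
    dst_port: int       # 80: the HTTP sessions counted on the slide
    host_limit: int     # new connections per second allowed per host
    network_limit: int  # new connections per second allowed for the whole network

    def __post_init__(self):
        if not valid_thresholds(self.host_limit, self.network_limit):
            raise ValueError("host-based threshold must be smaller than the network-based one")


HTTP_RULE = ThresholdRule("lan1", "192.168.1.0/24", 80, host_limit=4, network_limit=20)
# Excluded from blocking (step 5): the switch at 192.168.1.250 and the administrator
# (the administrator address is constructed for this example).
EXCLUDED = {"192.168.1.250", "192.168.1.100"}


def _rows(ip, count, second, port=80):
    """Constructed connection records: (second, src_ip, src_mac, dst_port)."""
    mac = f"00:aa:bb:cc:00:{int(ip.rsplit('.', 1)[1]):02x}"
    return [(second, ip, mac, port)] * count


SAMPLE_CONNECTIONS = (
    _rows("192.168.1.20", 5, 1)       # 5 HTTP sessions in one second: over the host limit
    + _rows("192.168.1.30", 3, 1)     # under the limit
    + _rows("192.168.1.250", 6, 1)    # the switch itself: excluded
    + _rows("192.168.1.100", 5, 1)    # the administrator: excluded
    + _rows("192.168.1.30", 2, 2)
    + [row for h in range(31, 37) for row in _rows(f"192.168.1.{h}", 4, 3)]  # 24 sessions from 6 hosts
    + _rows("10.9.9.9", 9, 1)         # outside the watched network
    + _rows("192.168.1.20", 9, 1, port=25)  # not the watched service
)


def evaluate(rule, connections, excluded=EXCLUDED):
    """Return ({src_ip: block request}, [(second, count)] network-level alerts).
    A host is blocked the first second it exceeds host_limit; exceeding
    network_limit only raises an alert in this model (assumption)."""
    net = ip_network(rule.network)
    per_host, per_second, mac_of = Counter(), Counter(), {}
    for second, ip, mac, port in connections:
        if port != rule.dst_port or ip_address(ip) not in net or ip in excluded:
            continue
        per_host[(second, ip)] += 1
        per_second[second] += 1
        mac_of[ip] = mac
    blocks = {}
    for (second, ip), n in sorted(per_host.items()):
        if n > rule.host_limit and ip not in blocks:
            blocks[ip] = {"mac": mac_of[ip], "interface": rule.interface,
                          "reason": f"{n} connections/s to port {rule.dst_port} "
                                    f"at second {second}, limit {rule.host_limit}"}
    alerts = [(s, n) for s, n in sorted(per_second.items()) if n > rule.network_limit]
    return blocks, alerts


if __name__ == "__main__":
    blocks, alerts = evaluate(HTTP_RULE, SAMPLE_CONNECTIONS)
    for ip, req in blocks.items():
        print(f"block {ip} ({req['mac']}) on {req['interface']}: {req['reason']}")
    for second, n in alerts:
        print(f"network threshold exceeded at second {second}: {n} connections/s")
```

Lowering host_limit to 2, as in Exercise 3, blocks every host in the sample that opens three or more sessions within one second.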
Scenario & Hands-on 4-1: Port mapping for server

Network topology
WAN1 IP: 192.168.174.70/24
FTP server public IP: 192.168.174.71/24
FTP server (DMZ) private IP: 172.16.1.1
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
Note:
• Add the additional public IP address to the "ARP table"
• Verify the sequence of the IP rules

Objectives
• Access the FTP server by its public IP address (192.168.174.71)

The logic of configuration
• Create objects for the public and private IP addresses of the FTP server
• Create the ARP object in the ARP table
• Create the IP rules (SAT and Allow) for the FTP server

Step 1. Add the objects for both the public and the private (virtual) IP address of the FTP server
• Click "Address Book" under "Objects"
• Key in the correct IP addresses

Step 2. Create the object in the ARP table
• Click "ARP Table" under "Interfaces"
• Apply the object with the public FTP IP address

Step 3. Create the IP rule that maps the FTP server (SAT)
• Click "IP Rules" under "Rules"
• Choose the correct Action, Service, Interface, SAT setting and Network for the rule

Step 4. Create the IP rule that allows the FTP server traffic (Allow FTP)
• Click "IP Rules" under "Rules"
• Choose the correct Action, Service, Interface and Network for the rule

Step 5. After all configuration, click "Configuration" in the main menu bar
• Click "Save and Activate"

Testing result
• The FTP server is reached successfully through its public IP address

Exercise 4-1: Port mapping for server
Network topology
WAN1: DHCP
FTP server public IP: group public IP address
Group1: 192.168.200.51/24
Group2: 192.168.200.52/24
.
.
Group9: 192.168.200.59/24
Group10: 192.168.200.60/24
FTP server private IP (DMZ): 172.17.100.1/24
DMZ IP: 172.17.100.254
DMZ port: DFL-800: port DMZ; DFL-1600: port #3; DFL-2500: port #5
Objective:
1. Access the FTP server by the group's public IP address successfully
Scenario & Hands-on 4-2: SAT in PPPoE connection

Network topology
WAN1: PPPoE
FTP server (DMZ) private IP: 172.16.1.1
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
Note:
• Add the PPPoE tunnel under "Interfaces"
• Verify the sequence of the IP rules

Objectives
• When using a PPPoE connection, the internal FTP server can be accessed from the public side

The logic of configuration
• Create the object for the PPPoE connection
• Create the private IP address object for the FTP server
• Create the IP rules (SAT and Allow) for the FTP server

Step 1. Create the PPPoE object in "PPPoE Tunnels" under "Interfaces"
• Click "PPPoE Tunnels" under "Interfaces"
• Apply the correct Physical Interface, Remote Network, Username and Password in the object

Step 2. Add the object for the private (virtual) IP address of the FTP server
• Click "Address Book" under "Objects"
• Key in the correct IP address

Step 3. For the PPPoE connection, create the IP rule that maps the FTP server (SAT)
• Click "IP Rules" under "Rules"
• Choose the correct Action, Service, Interface, SAT setting and Network for the rule

Step 4. Create the IP rule that allows the FTP server traffic (Allow FTP)
• Click "IP Rules" under "Rules"
• Choose the correct Action, Service, Interface and Network for the rule

Step 5. After all configuration, click "Configuration" in the main menu bar
• Click "Save and Activate"

Testing result
• The FTP server is reached successfully

Exercise 4-2: SAT in PPPoE connection
Network topology
WAN1: PPPoE
FTP server public IP: group public IP address
Group1: 192.168.200.51/24
Group2: 192.168.200.52/24
.
.
Group9: 192.168.200.59/24
Group10: 192.168.200.60/24
FTP server private IP (DMZ): 172.17.100.1/24
DMZ IP: 172.17.100.254
DMZ port: DFL-800: port DMZ; DFL-1600: port #3; DFL-2500: port #5
Objective:
1. Access the FTP server by the group's public IP address successfully
Scenario & Hands-on 4-3: SAT and server load balance

Network topology
WAN1 IP: 192.168.174.70/24
FTP server public IP: 192.168.174.71/24
FTP Server-1 (DMZ): 172.16.1.1
FTP Server-2 (DMZ): 172.16.1.2
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
Note:
• Add the additional public IP address to the "ARP table"
• Verify the sequence of the IP rules

Objectives
• Access two FTP servers by one public IP address (192.168.174.71)

The logic of configuration
• Create objects for the public and private IP addresses of the two FTP servers
• Create the ARP object in the ARP table
• Create the IP rules (SAT_SLB and Allow) for the FTP servers

Step 1. Add the public IP address object for the two FTP servers
• Click "Address Book" under "Objects"
• Key in the correct IP address

Step 2. Add the two virtual (private) IP address objects for the two FTP servers
• Click "Address Book" under "Objects"
• Key in the correct IP addresses

Step 3. Apply the public IP address object to the ARP table
• Click "ARP Table" under "Interfaces"
• Apply the object with the public FTP IP address

Step 4. Create the IP rule for the FTP servers (SLB_SAT)
• Click "IP Rules" under "Rules"
• Choose the correct Action, Service, Interface, SLB_SAT settings and Network for the rule

Step 5. Create the IP rule that allows the FTP server traffic (Allow FTP)
• Click "IP Rules" under "Rules"
• Choose the correct Action, Service, Interface and Network for the rule

Step 6. After all configuration, click "Configuration" in the main menu bar
• Click "Save and Activate"

Exercise 4-3: SAT and server load balance
Network topology
WAN1: DHCP
FTP server public IP: group public IP address
Group1: 192.168.200.51/24
Group2: 192.168.200.52/24
.
.
Group9: 192.168.200.59/24
Group10: 192.168.200.60/24
FTP Server-1 private IP-1 (DMZ): 172.17.100.1/24
FTP Server-2 private IP-2 (DMZ): Group1: 172.17.100.2/24
DMZ IP: 192.168.100.254
Objective:
1. Access the two FTP servers by the group's public IP address successfully
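An added example (not the training material's own code) of why scenarios 4-1 to 4-3 say to verify the sequence of the IP rules: a first-match rule table in which a SAT or SAT_SLB rule records the translation and a later matching Allow rule lets the traffic through, so an Allow rule placed above the SAT rule forwards the connection to the untranslated public address. Rule names, the client address 203.0.113.5, the "core" destination interface and round-robin server selection are assumptions of this model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import cycle


@dataclass
class Packet:
    src_if: str
    src_ip: str
    dst_ip: str
    dst_port: int
    dst_if: str = "core"  # the published public address is owned by the firewall (assumption)


@dataclass
class Rule:
    name: str
    action: str           # "SAT", "SAT_SLB", "Allow", "NAT" or "Drop"
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str
    service_port: int
    sat_to: list = field(default_factory=list)  # translated destination(s)

    def matches(self, pkt):
        return (self.src_if in (pkt.src_if, "any")
                and self.dst_if in (pkt.dst_if, "any")
                and ip_address(pkt.src_ip) in ip_network(self.src_net)
                and ip_address(pkt.dst_ip) in ip_network(self.dst_net)
                and self.service_port == pkt.dst_port)


class RuleSet:
    """First-match evaluation as the slides describe it: a SAT rule records the
    new destination and evaluation continues until a later matching Allow/NAT
    rule forwards the packet; Drop or no match discards it."""

    def __init__(self, rules):
        self.rules = rules
        # Round-robin over the server pool for SAT_SLB (selection method assumed).
        self._pools = {r.name: cycle(r.sat_to) for r in rules if r.action == "SAT_SLB"}

    def evaluate(self, pkt):
        new_dst = None
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.action == "SAT":
                new_dst = rule.sat_to[0]
            elif rule.action == "SAT_SLB":
                new_dst = next(self._pools[rule.name])
            elif rule.action in ("Allow", "NAT"):
                return {"verdict": "forward", "rule": rule.name, "new_dst": new_dst or pkt.dst_ip}
            else:
                return {"verdict": "drop", "rule": rule.name, "new_dst": None}
        return {"verdict": "drop", "rule": None, "new_dst": None}  # implicit default deny


FTP_PUBLIC = "192.168.174.71/32"  # public address published in the ARP table (step 2)


def scenario_4_1_rules(correct_order=True):
    sat = Rule("sat_ftp", "SAT", "wan1", "0.0.0.0/0", "core", FTP_PUBLIC, 21, ["172.16.1.1"])
    allow = Rule("allow_ftp", "Allow", "wan1", "0.0.0.0/0", "core", FTP_PUBLIC, 21)
    return RuleSet([sat, allow] if correct_order else [allow, sat])


def scenario_4_3_rules():
    slb = Rule("sat_slb_ftp", "SAT_SLB", "wan1", "0.0.0.0/0", "core", FTP_PUBLIC, 21,
               ["172.16.1.1", "172.16.1.2"])
    allow = Rule("allow_ftp", "Allow", "wan1", "0.0.0.0/0", "core", FTP_PUBLIC, 21)
    return RuleSet([slb, allow])


def demo():
    pkt = Packet("wan1", "203.0.113.5", "192.168.174.71", 21)
    good = scenario_4_1_rules(True).evaluate(pkt)   # translated to 172.16.1.1 and forwarded
    bad = scenario_4_1_rules(False).evaluate(pkt)   # Allow matched first: forwarded untranslated
    slb = scenario_4_3_rules()
    spread = [slb.evaluate(pkt)["new_dst"] for _ in range(4)]  # alternates between the two servers
    return good, bad, spread


if __name__ == "__main__":
    good, bad, spread = demo()
    print("SAT then Allow:", good)
    print("Allow then SAT:", bad)
    print("SAT_SLB over four connections:", spread)
```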
Scenario & Hands-on 5: Runtime Authentication configuration

Process of authentication (diagram): a PC on the LAN sends an HTTP request towards the Internet through the firewall.

• Authorizes users to access the Internet, LAN and intranet services, either through the local user database or a RADIUS server.
• The user authentication rules must be saved and activated in order to apply the settings.

The Core interface owns the firewall's own IP addresses (diagram: WAN 10.0.100.97 and LAN 192.168.10.1 both belong to Core).

Network topology
WAN1 IP: 192.168.174.70/24
LAN1 IP: 192.168.1.1/24
Switch: DES-3226S, switch IP 192.168.1.250/24, with PCs attached (authenticated users accessing the Internet)
Note:
• Modify the Web UI HTTP port
• Verify the sequence of the IP rules

Objectives
• When a user opens a web browser, a login screen pops up automatically and asks the user to log in.
• Services are allowed after authentication.
• A user can log out manually, or is logged out automatically when the preset idle time is reached.

The logic of configuration
• Change the Web UI HTTP port
• Create an object for the specific traffic network
• Create a local user database
• Create the IP rules for authentication

Step 1. Change the remote management HTTP port to avoid a port conflict
• Click "Remote Management", then click "Modify advanced settings"
• Change the WebUI HTTP port

Step 2. Create the user database for authentication
• Click "Local User Databases" under "User Authentication"
• Key in the authenticated users (user name/password)

Steps 3 and 4. Create the User Authentication Rules
• Click "User Authentication Rules" under "User Authentication"
• Choose the corresponding settings

Step 5. Create the IP address object for the authenticating users
• Click "Address Book" under "Objects"
• Add an object for the authenticating users
• Key in the correct IP address and group name

Step 6. Create the "Allow" rule (rule-1)
• Click "IP Rules" under "Rules"
• Choose the correct Action, Service, Interface and Network for the rule

Step 7. Create the "NAT-DNS" rule (rule-2)
• Click "IP Rules" under "Rules"
• Choose the correct Action, Service, Interface and Network for the rule

Step 8. Create the "NAT-all_service" rule (rule-3)
• Click "IP Rules" under "Rules"
• Choose the correct Action, Service, Interface and Network for the rule

Step 9. Create the "SAT" rule (rule-4)
• Click "IP Rules" under "Rules"
• Choose the correct Action, Service, Interface and Network for the rule

Step 10. Create the "Allow" rule (rule-5)
• Click "IP Rules" under "Rules"
• Choose the correct Action, Service, Interface and Network for the rule

Step 11. After all configuration, click "Configuration" in the main menu bar
• Click "Save and Activate"

Summary of the rule actions
• Action 1: allow the manual log-out web page, and allow users to look up DNS
• Action 2: map all HTTP traffic to the firewall's LAN1 IP address (all HTTP traffic is SAT-mapped to the LAN1 IP address)
• Action 3: allow authorized users to use the network services

Testing result

Exercise 5: Runtime Authentication configuration
Network topology
WAN1: DHCP
LAN1 IP: 192.168.1.1/24
Switch: DES-3226S, switch IP 192.168.1.250/24, with PCs attached (authenticated users accessing the Internet)
Objectives:
1. The specific user or network must be authorized before accessing the Internet
2. A user can log out manually, or is logged out automatically when the preset idle time is reached.
Scenario & Hands-on 6: Traffic Shaping

Pipes concept (rule view diagram)
Incoming packets arrive on the incoming interface and are matched against Rule 1 to Rule 6; each rule can send its traffic through a pipe before the packets leave on the outgoing interface.

The concept of dynamic balancing
W = Kbps a user wants to have
G = Kbps a user gets
• The first diagram (users 1 to 5) shows the shares without dynamic balancing
• The second diagram shows the shares when the dynamic balancing function is used

The concept of precedence
A pipe serves traffic at four precedence levels: Highest, High, Medium and Low

Concept of design (pipe 1 Mbps)
The leased line from our ISP provides 1 Mbps in both directions, so two pipes are created:
• Std-in pipe (1 Mbps) for incoming data
• Std-out pipe (1 Mbps) for outgoing data
The pipe throughput should be less than the physical pipe!

Concept of design (pipe 1 Mbps) - download
Within the 1 Mbps pipe:
• HTTP 250 Kbps - Highest
• FTP 250 Kbps - High
• SMTP 500 Kbps - Low

Pipes
• All measuring, limiting, guaranteeing and balancing is carried out in pipes
• A pipe by itself is meaningless unless it is put into use in the Rules section. Each rule can pass traffic through one or more pipes, in a precedence (priority) of your choice.

Precedence
• Determine the bandwidth of each precedence (pipe settings)
• Assign the precedence (pipe rule settings)

Pipe rules
• Plan your traffic shaping requirements. If you do not know how traffic should be limited, prioritized, guaranteed, or distributed, you will likely find the configuration work more confusing than helpful.

Network topology
External WAN1: leased line, download 1 Mbps, upload 1 Mbps
Internal LAN1
Requirements:
1. For inbound and outbound HTTP and HTTPS, the maximum bandwidth is 500 Kb.
2. For inbound and outbound POP3, the guaranteed bandwidth is 300 Kb (maximum bandwidth is 1000 Kb).
3. For other inbound and outbound services, the remaining bandwidth is used.
4. All of the above services have dedicated bandwidth values.
Note:
Before using traffic shaping for a specified application, make sure that the IP rule for that application has been created.

Objectives
• For inbound and outbound HTTP and HTTPS, the maximum bandwidth is 500 Kb.
• For inbound and outbound POP3, the guaranteed bandwidth is 300 Kb (maximum bandwidth is 1000 Kb).
• For other inbound and outbound services, the remaining bandwidth is used.
• All of the above services have dedicated bandwidth values.

The logic of configuration
• Make sure the IP rules have been created
• Create the pipe objects
• Create the pipe rules
• Choose the correct Action, Service, Interface and Network in the rule
• Key in the correct values for Precedence and Total bandwidth

Step 1. Create the input pipe object (the standard-in pipe)
• Click "Pipes" under "Traffic Shaping"
• Key in the corresponding values for Precedence and total bandwidth

Step 2. Create the output pipe object (the standard-out pipe)
• Click "Pipes" under "Traffic Shaping"
• Key in the corresponding values for Precedence and total bandwidth

Step 3. Create the HTTP input pipe object (the HTTP-in pipe)
• Click "Pipes" under "Traffic Shaping"
• Key in the corresponding values for Precedence and total bandwidth

Step 4. Create the HTTP output pipe object (the HTTP-out pipe)
• Click "Pipes" under "Traffic Shaping"
• Key in the correct values for Precedence and Total bandwidth

Step 5. Create the pipe rule for HTTP
• Click "Pipe Rules" under "Traffic Shaping"
• Key in the corresponding values for Precedence and the pipes to use

Step 6. Create the POP3 input pipe object (the POP3-in pipe)
• Click "Pipes" under "Traffic Shaping"
• Key in the corresponding values for Precedence and total bandwidth

Step 7. Create the POP3 output pipe object (the POP3-out pipe)
• Click "Pipes" under "Traffic Shaping"
• Key in the corresponding values for Precedence and total bandwidth

Step 8. Create the pipe rule for POP3
• Click "Pipe Rules" under "Traffic Shaping"
• Choose the correct Action, Service, Interface and Network in the rule

Step 9. Create the pipe rule for other services
• Click "Pipe Rules" under "Traffic Shaping"
• Choose the correct Action, Service, Interface and Network in the rule

Step 10. After all configuration, click "Configuration" in the main menu bar
• Click "Save and Activate"

Summary
• Before using traffic shaping for a specified application, make sure that the IP rule for that application has been created.
• First step: create two pipes (one per direction) for the physical WAN link
• Second step: create two pipes (one per direction) for the specified application
• Third step: create the pipe rules for the specified application

Exercise 6: Traffic Shaping
Network topology
External WAN1: leased line, download 1 Mbps, upload 1 Mbps
Internal LAN1
Objectives
1. For inbound and outbound SMTP, the maximum bandwidth is 400 Kb.
2. For inbound and outbound FTP, the guaranteed bandwidth is 250 Kb (maximum bandwidth is 500 Kb).
3. For other inbound and outbound services, the maximum bandwidth is 350 Kb.
4. All of the above services have dedicated bandwidth values.
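As an added example (not part of the training material), a small bandwidth model of the pipe design from this scenario and from Exercise 6: each traffic class has its own pipe cap, a guaranteed slice that is served in precedence order inside the shared 1000 Kbps pipe, and the rest of the pipe is split by water-filling, which stands in for dynamic balancing among the classes (the users of the W/G diagram). The two-pass allocation, the numeric precedence values and the demands are constructed assumptions, not the firewall's scheduler.

```python
from dataclasses import dataclass


@dataclass
class TrafficClass:
    name: str
    precedence: int                       # Highest=3, High=2, Medium=1, Low=0 (constructed mapping)
    demand: float                         # Kbps the class currently wants (W on the slide)
    own_pipe_limit: float = float("inf")  # cap of the application's own pipe (HTTP: 500)
    guaranteed: float = 0.0               # bandwidth reserved at its precedence in the shared pipe


def allocate(total, classes):
    """Return {name: Kbps granted} (G on the slide) for one direction of the link."""
    got = {c.name: 0.0 for c in classes}
    remaining = float(total)
    # Pass 1: strict precedence order, each class gets at most its guaranteed slice.
    for c in sorted(classes, key=lambda c: c.precedence, reverse=True):
        grant = min(c.demand, c.own_pipe_limit, c.guaranteed, remaining)
        got[c.name] += grant
        remaining -= grant
    # Pass 2: demand above the guarantees competes for what is left at best effort.
    # Dynamic balancing: equal shares, with unused share redistributed (water-filling).
    active = {c.name: min(c.demand, c.own_pipe_limit) - got[c.name] for c in classes}
    active = {n: w for n, w in active.items() if w > 0}
    while remaining > 0 and active:
        share = remaining / len(active)
        satisfied = [n for n, w in active.items() if w <= share]
        if not satisfied:
            for n in active:
                got[n] += share
            remaining = 0
            break
        for n in satisfied:
            got[n] += active[n]
            remaining -= active.pop(n)
    return got


def scenario_6_inbound(http_demand, pop3_demand, other_demand):
    """Scenario 6: HTTP/HTTPS max 500, POP3 guaranteed 300 (max 1000), others get the rest."""
    classes = [
        TrafficClass("http", 2, http_demand, own_pipe_limit=500),
        TrafficClass("pop3", 3, pop3_demand, own_pipe_limit=1000, guaranteed=300),
        TrafficClass("other", 0, other_demand),
    ]
    return allocate(1000, classes)


def exercise_6_inbound(smtp_demand, ftp_demand, other_demand):
    """Exercise 6: SMTP max 400, FTP guaranteed 250 (max 500), others max 350."""
    classes = [
        TrafficClass("smtp", 2, smtp_demand, own_pipe_limit=400),
        TrafficClass("ftp", 3, ftp_demand, own_pipe_limit=500, guaranteed=250),
        TrafficClass("other", 0, other_demand, own_pipe_limit=350),
    ]
    return allocate(1000, classes)


if __name__ == "__main__":
    # Congested link: POP3 keeps its guarantee and HTTP is squeezed below its 500 cap.
    print("scenario 6, heavy load :", scenario_6_inbound(900, 600, 100))
    # Light load: everyone gets what it asks for.
    print("scenario 6, light load :", scenario_6_inbound(200, 100, 100))
    # Only HTTP active: its own pipe still caps it at 500 of the 1000 available.
    print("scenario 6, HTTP only  :", scenario_6_inbound(900, 0, 0))
    print("exercise 6, all saturated:", exercise_6_inbound(1000, 1000, 1000))
```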
Scenario & Hands-on 7-1: VPN Configuration - PPTP

Network topology
PPTP client IP: 192.168.174.71/24
DFL-1600 WAN1 (DHCP) IP: 192.168.174.70/24
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
Note:
• Choose the correct inner IP address and outer interface filter for the PPTP tunnel

Objectives
• The user dials up to the firewall with the Windows PPTP client software.
• The dial-up user communicates with LAN1 behind the firewall.

The logic of configuration
• Create the objects for the PPTP server IP address and the client IP address range
• Create the authentication database
• Configure the PPTP server
• Create the IP rules for the PPTP tunnel

Step 1. Create the objects for the PPTP server IP address and the IP address range
• Click "Address Book" under "Objects"
• Key in the corresponding IP addresses

Step 2. Create the local database for PPTP authentication
• Click "Local User Databases" under "User Authentication"
• Key in the correct username and password

Step 3. Create the PPTP tunnel
• Click "PPTP/L2TP Servers" under "Interfaces"
• Choose the corresponding configuration

Step 4. Create the User Authentication Rules for the PPTP tunnel
• Click "User Authentication Rules" under "User Authentication"
• Choose the corresponding configuration
• Enable the Log setting and choose the local user database

Step 5. Create the IP rules for the PPTP tunnel
• Click "IP Rules" under "Rules"
• Choose the corresponding configuration
• Enable the Log setting

Step 6. After all configuration, click "Configuration" in the main menu bar
• Click "Save and Activate"

Testing result

Exercise 7-1: VPN Configuration - PPTP
Network topology
PPTP client
DFL-1600 WAN1: DHCP IP
Internal LAN1 IP: 192.168.1.0/24
Internal LAN2 IP: 192.168.2.0/24
Internal LAN3 IP: 192.168.3.0/24
Objectives:
1. Use the Windows client to dial up PPTP
2. Ping the IP address of the firewall's LAN interface
Scenario & Hands-on 7-2
VPN Configuration-L2TP/IPsec
Network topology
IP: 192.168.174.71/24
WAN1
DHCP
L2TP/IPsec Client
Note:
DFL-1600
L2TP/IPsec must use transport mode
Choose correct local net and remote
net for IPsec tunnel
Choose correct inner IP address and
Outer Interface filter for L2TP tunnel
Internal LAN3
IP: 192.168.3.0/24
Internal LAN1
IP: 192.168.1.0/24
235
Internal LAN2
IP: 192.168.2.0/24
D-Link Security
Scenario & Hands-on 7-2
VPN Configuration-IPsec
Objectives
The user dial-up to firewall by Windows L2TP/IPsec client software
Dial-up user communicate with LAN1 of firewall
The logic of configuration
236
Create objects for L2TP server IP address and IP address range
Create Authenticating database
Configure IPsec tunnel
Configure L2TP server
Create the IP rule for L2TP tunnel
D-Link Security
Scenario & Hands-on 7-2
1
2
3
4
5
6
7
8
9
10 11
VPN Configuration-L2TP/IPsec
Create objects for L2TP server IP address and IP address range
•Click “Address” in Objects
•Key in the correspond IP address
237
D-Link Security
Scenario & Hands-on 7-2
1
2
3
4
5
6
7
8
9
10 11
VPN Configuration-L2TP/IPsec
Create Local Database for L2TP authentication
•Click “Local User Databases ” in User Authentication
•Key in correct Username and Password
238
D-Link Security
Scenario & Hands-on 7-2
1
2
3
4
5
6
7
8
9
10 11
Create the pre-shared key for L2TP
•Click “Pre-Share Keys ” in VPN Objects
•Key in the correspond value
239
VPN Configuration-L2TP/IPsec
D-Link Security
Scenario & Hands-on 7-2
1
2
3
4
5
6
7
8
9
Create the IPsec tunnel
•Click “IPsec Tunnels” in Interface
•Choose correspond configuration
240
10 11
VPN Configuration-L2TP/IPsec
D-Link Security
Scenario & Hands-on 7-2
1
2
3
4
5
6
7
8
9
10 11
Verify the IPsec tunnel
•Click “Authentication” in this IPsec tunnel
•Apply pre-shared key to this IPsec tunnel
241
VPN Configuration-L2TP/IPsec
D-Link Security
Scenario & Hands-on 7-2
1
242
2
3
4
5
6
7
8
9
10 11
VPN Configuration-L2TP/IPsec
Verify the IPsec tunnel
•Click “Routing” in this IPsec tunnel
•Enable “Dynamically add routes to remote network when a tunnel is
established “in this IPsec tunnel
D-Link Security
Scenario & Hands-on 7-2
1
2
3
4
5
6
7
8
9
10 11
VPN Configuration-L2TP/IPsec
Verify the IPsec tunnel
•Click “Advanced” in this IPsec tunnel
•Disable “Add route for remote network “in this IPsec tunnel
243
D-Link Security
Scenario & Hands-on 7-2
1
2
3
4
5
6
7
8
9
10 11
Create the L2TP tunnel
•Click “PPTP/L2TP Servers ” in Interface
•Choose correspond configuration
244
VPN Configuration-L2TP/IPsec
D-Link Security
Scenario & Hands-on 7-2
1
2
3
4
5
6
7
8
9
10 11
VPN Configuration-L2TP/IPsec
Create User Authentication Rules for L2TP tunnel
•Click “User Authentication Rules ” in User Authentication
•Choose correspond configuration
•Enable Log setting and choose local user database
245
D-Link Security
Scenario & Hands-on 7-2
1
246
2
3
4
5
6
7
8
9
Create IP Rules for L2TP tunnel
•Click “IP Rules” in Rules
•Choose correspond configuration
•Enable Log setting
10 11
VPN Configuration-L2TP/IPsec
D-Link Security
Scenario & Hands-on 7-2
1
2
3
4
5
6
7
8
9
10 11
VPN Configuration-L2TP/IPsec
After all configuration , Click “configuration” on main menu bar
• Click “Save and Activate”
247
D-Link Security
Scenario & Hands-on 7-2
VPN Configuration-L2TP/IPsec
Testing Result
248
Scenario & Hands-on 7-2
Exercise 7-2 - VPN Configuration-L2TP/IPsec
Topology: L2TP/IPsec client (DHCP IP) → WAN1 of DFL-1600 → Internal LAN1 (IP: 192.168.1.0/24), Internal LAN2 (IP: 192.168.2.0/24), Internal LAN3 (IP: 192.168.3.0/24)
Objectives:
1. The user dials up to the firewall with the Windows L2TP/IPsec client software
2. Ping the IP address of the firewall's LAN
Scenario & Hands-on 7-3
VPN Configuration- IPsec
VPN Objects – Pre Shared Keys
• Used to authenticate VPN tunnels
• Two ways to enter the PSK – ASCII and HEX
– ASCII – type in a passphrase
– HEX – type in a passphrase and use “Generate” to turn the passphrase into a hex key
Scenario & Hands-on 7-3
VPN Configuration- IPsec
VPN Objects – LDAP
• For secured authentication to be established over VPN, the CA needs to be downloaded to the LDAP server
Scenario & Hands-on 7-3
VPN Configuration- IPsec
ID Lists
• The concept of ID Lists is to manage and control the accessibility of VPN clients and gateways
• Mobile clients can be restricted from accessing internal networks by ID Lists
Scenario & Hands-on 7-3
VPN Configuration- IPsec
IKE/IPsec Algorithms
• Predefined IKE & IPsec algorithms by default
• High – very secure
• Medium – secure
• You can define your own algorithms
Scenario & Hands-on 7-3
VPN Configuration- IPsec
Network topology
Remote LAN side: DFL-1600, WAN1 IP: 192.168.174.71/24, Internal LAN IP: 192.168.10.0/24
Local side: DFL-1600, WAN1 static IP: 192.168.174.70/24, Internal LAN1 IP: 192.168.1.0/24, Internal LAN2 IP: 192.168.2.0/24, Internal LAN3 IP: 192.168.3.0/24
Note:
• Use the same pre-shared key and algorithm in both IPsec settings
• Choose the correct local net and remote net for the IPsec tunnel
Scenario & Hands-on 7-3
VPN Configuration-IPsec
Objectives
• Two firewalls communicate with each other through an IPsec tunnel.
• A client on the local net pings a client on the remote net.
The logic of configuration
1. Create the VPN Object (pre-shared key)
2. Configure the IPsec tunnel
3. Create the IP rule for the IPsec tunnel
Scenario & Hands-on 7-3
VPN Configuration- IPsec
Create objects for the remote IP address and remote network
• Click “Address” in Objects
• Key in the corresponding IP address
Scenario & Hands-on 7-3
VPN Configuration- IPsec
Create the pre-shared key for the IPsec tunnel
• Click “Pre-Share Keys” in VPN Objects
• Key in the correct value
Scenario & Hands-on 7-3
VPN Configuration- IPsec
Create the IPsec tunnel
• Click “IPsec Tunnels” in Interface
• Choose the corresponding configuration
! Note: If the remote firewall's WAN IP is not static, in other words the Remote Endpoint uses a dynamic IP address registered with a dynamic DNS server, the administrator can enter the DDNS domain name here directly.
Scenario & Hands-on 7-3
VPN Configuration- IPsec
Combine two interfaces into one interface group
• Click “Interface Groups” in Interface
• Choose the corresponding interfaces
Scenario & Hands-on 7-3
VPN Configuration- IPsec
Create IP Rules for the IPsec tunnel
• Click “IP Rules” in Rules
• Choose the corresponding configuration
• Enable the Log setting
Scenario & Hands-on 7-3
VPN Configuration- IPsec
After all configuration, click “Configuration” on the main menu bar
• Click “Save and Activate”
Scenario & Hands-on 7-3
Exercise 7-3 - VPN Configuration-IPsec
Topology: Odd group DFL-1600 (Remote LAN, Internal LAN) ↔ Even group DFL-1600 (Internal LAN1)
Objectives:
1. Two firewalls communicate with each other through an IPsec tunnel
2. A client on the local net pings a client on the remote net
Scenario & Hands-on 7-4
VPN Configuration- IPsec with NetScreen 204
Network topology
Remote LAN side: NetScreen 204, WAN1 IP: 192.168.174.71/24, Internal LAN IP: 192.168.10.0/24
Local side: DFL-1600, WAN1 static IP: 192.168.174.70/24, Internal LAN1 IP: 192.168.1.0/24, Internal LAN2 IP: 192.168.2.0/24, Internal LAN3 IP: 192.168.3.0/24
Note:
• Use the same pre-shared key and algorithm on both the DFL-1600 and the NS-204
• Choose the correct local net and remote net for the IPsec tunnel
Scenario & Hands-on 7-4
VPN Configuration- NetScreen 204
Objectives
• Two firewalls communicate with each other through an IPsec tunnel.
• A client on the local net pings a client on the remote net.
The logic of configuration
1. Create the VPN Objects (pre-shared key, remote net/gateway and algorithm)
2. Configure the IPsec tunnel
3. Create the IP rule for the IPsec tunnel
Scenario & Hands-on 7-4
VPN Configuration- NetScreen 204
Create network objects for the DFL-1600 (remote network)
• Click “List” under “Addresses” in Objects
• Key in the corresponding network
Scenario & Hands-on 7-4
VPN Configuration- NetScreen 204
Create IP address objects for the DFL-1600 (remote gateway)
• Click “List” under “Addresses” in Objects
• Key in the corresponding IP address
Scenario & Hands-on 7-4
VPN Configuration- NetScreen 204
Create the P1 (Phase 1) Proposal for the DFL-1600 VPN configuration
• Click “P1 Proposal” under “AutoKey Advanced” in VPNs
• Choose the corresponding algorithm and DH group
Scenario & Hands-on 7-4
VPN Configuration- NetScreen 204
Create the P2 (Phase 2) Proposal for the DFL-1600 VPN configuration
• Click “P2 Proposal” under “AutoKey Advanced” in VPNs
• Choose the corresponding algorithm and DH group
Scenario & Hands-on 7-4
VPN Configuration- NetScreen 204
Create the Gateway object for the DFL-1600 VPN configuration
• Click “Gateway” under “AutoKey Advanced” in VPNs
• Key in the corresponding IP address and Preshared Key
• Click “Advanced”
Scenario & Hands-on 7-4
VPN Configuration- NetScreen 204
“Advanced” settings of the Gateway object
• Choose “Custom” under User Defined for the Phase 1 Proposal
• Choose “Main” mode
Scenario & Hands-on 7-4
VPN Configuration- NetScreen 204
Create the IPsec VPN tunnel for the DFL-1600
• Choose “Security Level” and “Predefined” for the Remote Gateway
• Choose the “Outgoing Interface” and click “Advanced”
Scenario & Hands-on 7-4
VPN Configuration- NetScreen 204
Create the IPsec VPN policy for the DFL-1600
• Choose the correct Action, Service and Network in the rule
• Enable “Modify matching bidirectional VPN policy”
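The notes for 7-3 and 7-4 both warn that the tunnel only comes up when the two peers mirror each other: same pre-shared key, same IKE/IPsec proposals (algorithm, DH group, mode), and each side's remote net equal to the other side's local net. The following checker is an added example, not D-Link or Juniper code; its configuration keys and sample values are constructed from the lab topology (192.168.174.70/.71, 192.168.1.0/24 and 192.168.10.0/24) and the PSK is a placeholder.

```python
import ipaddress

# Constructed peer definitions following the lab topology: the DFL-1600 at
# 192.168.174.70 protects 192.168.1.0/24, the remote gateway (NetScreen 204)
# at 192.168.174.71 protects 192.168.10.0/24. Key names are this example's own.
DFL_1600 = {
    "local_gw": "192.168.174.70", "remote_gw": "192.168.174.71",
    "local_net": "192.168.1.0/24", "remote_net": "192.168.10.0/24",
    "psk": "lab-psk-placeholder",
    "ike": {"enc": "aes128", "hash": "sha1", "dh_group": 2, "mode": "main"},
    "ipsec": {"enc": "aes128", "hash": "sha1", "pfs_group": 2},
}
NETSCREEN_204 = {
    "local_gw": "192.168.174.71", "remote_gw": "192.168.174.70",
    "local_net": "192.168.10.0/24", "remote_net": "192.168.1.0/24",
    "psk": "lab-psk-placeholder",
    "ike": {"enc": "aes128", "hash": "sha1", "dh_group": 2, "mode": "main"},
    "ipsec": {"enc": "aes128", "hash": "sha1", "pfs_group": 2},
}


def check_peers(a, b):
    """Return the mismatches between two peer definitions (empty = consistent)."""
    problems = []
    # Endpoints must be mirrored: A's remote gateway is B's local gateway.
    if a["remote_gw"] != b["local_gw"] or b["remote_gw"] != a["local_gw"]:
        problems.append("gateway addresses are not mirrored")
    # Protected networks must be mirrored; compare as networks, not strings.
    a_local, a_remote = (ipaddress.ip_network(a[k]) for k in ("local_net", "remote_net"))
    b_local, b_remote = (ipaddress.ip_network(b[k]) for k in ("local_net", "remote_net"))
    if a_remote != b_local:
        problems.append("A.remote_net does not match B.local_net")
    if b_remote != a_local:
        problems.append("B.remote_net does not match A.local_net")
    # Overlapping local and remote nets make the tunnel route ambiguous.
    if a_local.overlaps(a_remote):
        problems.append("local and remote networks overlap")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    # Phase 1 (IKE) and Phase 2 (IPsec) proposals must agree on every parameter.
    for phase in ("ike", "ipsec"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                problems.append(f"{phase} {key}: {a[phase].get(key)!r} vs {b[phase].get(key)!r}")
    return problems


if __name__ == "__main__":
    for line in check_peers(DFL_1600, NETSCREEN_204) or ["peers are consistent"]:
        print(line)
```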
Scenario & Hands-on 7-4
VPN Configuration- NetScreen 204
Testing Result
Scenario & Hands-on 7-4
VPN Configuration- NetScreen 204
DFL-1600 IPsec VPN status
NetScreen VPN status
Agenda
• Appliance Overview
• Firewall Concept
• Basic Configuration
• Scenario & Hands-on
• Troubleshooting
Troubleshooting
Four ways to troubleshoot
• Confirm the configuration of the firewall
• Inspect the firewall status
• Use “Console commands” to get more information
• Capture packets to analyze (Ethereal and Sniffer)
Troubleshooting
Flow Chart
The problem
→ Confirm configuration: found main cause? Yes → Configuration cause
→ No: Inspect the firewall status: found main cause? Yes → Configuration cause or Environment cause
→ No: Use console command to inspect: found main cause? Yes → Configuration cause or Environment cause
→ No: Capture packets to analyze → Environment cause
Configuration cause → Verify configuration → The problem has been solved
Environment cause → Verify network environments → The problem has been solved
Still unsolved → Dtrack System
Troubleshooting
Confirm configuration of firewall
• IP address or network in “Object”
• Configuration in “Interface”
• Configuration in “IP rules”: action and service; interface and network
• Configuration in “Main routing”: routing table and rules; metric
• Configuration in “PBR”: routing table; metric
• Advanced configuration: Zone Defense; traffic shaping; user authentication
Troubleshooting
Inspect the firewall status
• Click “Status” on the main menu bar
• Status pages: System, Logging, Connection, Interfaces, IPsec, User Auth, Routes, DHCP server, IDS, SLB, Zone Defense
Troubleshooting
Console commands
How to use “Console commands” with HyperTerminal in MS Windows
1. Start HyperTerminal (Hypertrm.exe).
2. Enter a name for the connection (for example, DFL-800) in the Name box.
3. Click an icon for the connection in the Icon box, and then click OK.
4. In the Connect Using box, click Direct To Com (choose “Restore Default”) and then click OK.
5. Verify the settings on the Port Settings tab and then click OK.
Troubleshooting
Console commands
• The first command you should learn is the HELP or H command. The help command prints a list of the commands available at the console.
• About (Displays information about the firewall core.)
• Crashdump (Dumps all crash and error information.)
• Access (Prints the active anti-spoof section.)
• Arp [interface] (Displays the cached ARP information for all interfaces. If you add a specific interface name to the command, you will get only the specified interface.)
• Arpsnoop [interface] (Displays ARP queries and responses. You enable this by typing ARPSNOOP [interface]. The same command again disables it. You can also use the string ALL for all interfaces. To disable all arpsnoop printout you can use the string NONE.)
• Buffers [buf num] (Displays the 20 most recently freed buffers. You can examine a specific buffer by adding its number.)
• Cfglog (Displays the boot log of the firewall configuration.)
Troubleshooting
Console commands
• Connections (Displays the connections in the firewall.)
• CPUid (Displays processor information.)
• DHCP [switches] <interface> (With this command you can renew (-renew) or release (-release) the DHCP IP address on a specific interface.)
• Frags (Displays the 20 most recent fragment reassembly attempts. This includes both ongoing and completed attempts.)
• Ifstat [interface] (Displays interfaces. If you add an interface you will get statistics for that interface.)
• Loghosts (Displays the configured loghosts.)
• Logout (Secures the console with the configured password.)
• Netcon (Displays the active console connection or management connections to the firewall.)
• Netobjects (Displays the active host & network configurations.)
• Ping (Is the normal ping command to verify an IP connection. You can use Ping [IP address] [num] where “num” is the number of ping requests.)
• Reconfigure (Reloads the configuration from the boot media.)
Troubleshooting
Console commands
• Ikesnoop [on/off/verbose] (Ikesnoop is used to diagnose problems with IPsec tunnels.)
• DHCPRelay (Displays whether the DHCP boot relay is enabled or disabled.)
• Remote (Displays the active configuration of the remote section.)
• Routes (Displays the active configuration of the route section.)
• Rules (Displays the active configuration of the rule section. There are several string commands that you can add. The -v string enables all available information, such as usages.)
• Scrsave (Runs the screen saver.)
• Services (Displays the active services within the configuration.)
• Shutdown (Shuts down the firewall.)
• Stats (Displays statistics information for the firewall.)
• Time (Displays the firewall's current time.)
Troubleshooting
Capture packets to analyze
• Set up a laptop with software such as Ethereal or Sniffer to capture packets from the problem node
• The laptop needs to connect to the problem node through a hub
• If it connects through a switch, the port mirror function of the switch will have to be enabled
(Diagram: problem node on the intranet, laptop running Ethereal or Sniffer)
Troubleshooting
Capture packets to analyze
• Inspect the source IP address, destination IP address and protocol to analyze the problematic network status
Questions & Answers
THANK YOU