Firewall/UTM by D-Link

Firewall/UTM by D-Link
Arvydas Žiliukas
D-Link Baltija, UAB
Klaip÷da, IT Klubas
D-Link Firewall/UTM introduction
• D-Link firewalls DFL series are hardware standalone firewalls
with D-Link proprietary NetDefendOS.
• D-Link firewalls reliability has high throughput performance
and can implement the key elements of UTM firewall
• D-Link firewalls are suited for SOHO, SMB and Enterprise
customers to enable protections against all varieties of
network threats simultaneously and in real time.
• D-Link firewalls are essential part of D-Link End-to-End
Security Solutions (E2ES) concept.
NetDefendOS Introduction
• NetDefendOS is a proprietary or close architecture, it has
lesser OS vulnerability, and more reliability compared to
others who use Windows OS, Linux or other open sources.
• From
the administrator’s perspective, the conceptual
approach of NetDefendOS is to visualize operations through
a set of logical building blocks of objects, which allow the
configuration of the products in an almost unlimited number
of different ways.
• NetDefendOS incorporates leading technologies of IPS, AntiVirus and Web Content Filtering from well-known market
• D-Link NetDefendOS is Certified by ICSA Labs
General D-Link Firewall Features
Integrated Functions
• SPI Firewall Protection
• Virtual Private Network (VPN)
• Denial of Service (DoS) Protection
• URL/Java Script/Active X/Cookie
• User/Web-based Authentication
• Proactive Security with Zone
Defense Mechanism
UTM features
• Robust Application Security for
• IDS/IPS Protection
• Web Content Filtering (WCF)
• Antivirus (AV) Protection
• E-Mail Filtering/Anti-Spam
Bandwidth Management
• Sophisticated WAN Traffic shaping
• Outbound/Inbound Traffic Load
• Multiple WAN interfaces
• Policy-Based Routing
• DHCP Server/Client/Relay support
• IEEE 802.1Q VLAN support
• OSPF support
• IP Multicast (IGMP v3) support
Fault Tolerance
• WAN Traffic Fail-Overview
• Active/Passive Modes for High
D-Link NetDefend Firewall/UTM family
D-Link NetDefendOS overview
• The fundamental objects within NetDefendOS include:
− Address Book
− Interfaces
− Services
− ALG Objects
− Schedules
− VPN Objects
− Authentication Objects
NetDefend - Address Book
The Address Book contains named objects representing
various type of addresses, including
• IP addresses
• IP networks
• IP range
• Ethernet MAC addresses
NetDefendOS treats all interfaces as logical IP interfaces.
• Physical Interfaces
− Each physical interface represents a physical port. NetDefendOS currently
supports Ethernet as the only physical interface type.
• Physical Sub-Interfaces
NetDefendOS has support for two types of physical sub-interfaces:
− Virtual LAN (VLAN) interfaces as specified by IEEE 802.1Q.
− PPPoE (PPP-over-Ethernet) interfaces for connections to PPPoE servers.
• Tunnel Interfaces
NetDefendOS supports the following tunnel
interface types:
− IPSec interfaces are used as end-points for
IPSec VPN tunnels.
− PPTP/L2TP interfaces are used as end-points for
PPTP or L2TP tunnels.
− GRE interfaces are used to establish GRE
Service object could define
• TCP/UDP service
• ICMP service
• IP protocol service
A large number of Service objects come pre-defined with NetDefendOS. Pre-defined
Services can be used and also modified just like user-defined Services. However, it is
recommended NOT to make any changes to predefined services, but instead create new
ones with the desired parameters.
ALG Objects
• ALG acts as a mediator
• ALG is capable to scan all traffic in Application level rather
than TCP/IP stack
• Following protocols are supported in NetDefendOS ALG:
− POP3
− H.323
HTTP ALG Overview
NetDefendOS supports HTTP ALGs via the following
• Manage Active Web Page Content
− Handles active content such as ActiveX, Java applets,
JavaScript/VBScript, Cookies, and verifies that URL's does not contain
invalid UTF8 encoding.
• File Integrity Verification
− Deals with the file type of downloaded files.
• Static Content Filtering
− Deals with Blacklisting and Whitelisting of specific URLs.
• Dynamic Content Filtering
− Dynamically allows or blocks specific URLs according to policies for
certain types of web content, e.g. Access to news sites might be allowed
whereas access to gaming sites might be blocked.
• Anti-Virus Scanning
− Checks the contents of HTTP file downloads for viruses.
Anti-Virus ALG Actions
• When configuring ALG, the following parameters can be set.
• In General Tab:
− Fail mode behavior: In cases where file integrity or content scanning
fails, the ALG can according to the Fail Mode setting, either allow or deny
the scanned file.
• In Antivirus Tab, Mode must be one of:
− Protect. Means Anti-Virus is active.
− Audit. Means is active but logging will be the only action
− Disable which means Anti-Virus is disable
• In Antivirus Tab, Scan Exclusion Control:
− Add file type what would not trigger antivirus scanning.
• In Antivirus Tab, Compression Ratio Limit:
− Specify compression ratio limit
− Specify one of the Action: Allow, Scan, Drop
• In Antivirus Tab, ZoneDefense option:
− Activate ZoneDefense mechanism and select network/host to block
IPS, AV, WCF and Anti-SPAM licenses
• Anti-SPAM is free. In opposite, IPS, AV and WCF are
chargeable 12-month subscription licenses.
• NetDefend IPS and Anti-SPAM services are available on all
NetDefend Firewall products
• NetDefend AV and WCF services are only available on
NetDefend UTM Firewall products: DFL260/860/260E/860E/1660/2560/2560G
• NetDefend UTM Firewall DFL-260/860/1660/2560/2560G
bundled with 12 month IPS and AV service by default.
• You can see all update history of IPS/Anti-Virus Signature
on NetDefend Center website at
IPS Module Overview
• NetDefendOS IPS feature addresses the above IPS issues
with the following mechanisms:
− IPS Rules
− Pattern Matching
− Action
• NetDefendOS IPS service essential component is signature.
Where are such signatures types:
− IPS (Intrusion Protection Signatures)
− IDS (Intrusion Detection Signatures)
− Policy Signatures
Setting IPS Rules and Actions
After pattern matching recognizes an intrusion in traffic
subject to an IPS Rule one from actions associated with that
Rule is taken.
• Protect
− Drops the connections and the logs event
− D-Link ZoneDefense mechanism might be triggered
− Dynamic Black Listing can block connections for particular time duration
and/or block vulnerable service.
• Pipe
− Configure traffic shaping for hosts that trigger an action. Specify
bandwidth and optionally apply it to network or host
• Audit
− Allow the connection to stay open but log the event
• Ignore
− Do nothing if an intrusion is detected and allow the connection to stay
Anti-Virus Module Overview
• The main purpose of UTM Anti-Virus module feature is to
provide the first level prevention from gateway side, not
instead of client Anti-Virus software.
• The NetDefendOS Anti-Virus module is able to scan the
following types of downloads:
− HTTP, FTP, POP3 or SMTP file downloads
− Any uncompressed file type transferred through these protocols
− Compressed ZIP and GZIP files can be scanned
• Frequently Database Updates
− Anti-Virus Signature is from well-known vendor Kaspersky
− The Anti-Virus signature database is updated on a daily basis with new
virus signatures released.
Anti-Virus Module Overview contd.
• NetDefend Firewall implements Stream-based Virus
Scanning technology without caching the incoming files first,
thus increase the inspection performance of UTM Firewall,
and ease the nightmare of network bottleneck while
enabling anti-virus feature on UTM Firewall.
• Therefore NetDefend Firewall can perform high scanning
speed and without incoming file size limitation.
Figure 1: File-Based Scan
Figure 2: Stream-Based Scan
Activating Anti-Virus Scanning
• Association with an ALG.
• Anti-Virus feature is based on ALG design, user could use
the predefined object for quick deployment.
• The ALG must then be associated with the appropriate
Service object for the protocol to be scanned. This Service
object is then associated with a rule in the IP rule set which
defines the origin and destination of the traffic to which the
ALG is to be applied.
Dynamic Web Content Filtering (WCF)
• NetDefendOS supports Dynamic (WCF) of web traffic, which
enables an administrator automatically to permit or block access to
web pages based on the content of those web pages.
• There are 32 predefined web content categories for these millions
of URLs.
• NetDefendOS dynamic filtering categorizes web pages and not
sites. In other words, a web site may contain particular pages that
should be blocked without blocking the entire site.
• NetDefendOS provides blocking down to the page level so that
users may still access parts of websites that aren't blocked by the
filtering policy.
User Authentication Introduction
• User authentication is frequently used in services, such as
• NetDefendOS uses a username/Password combination as
the primary authentication method, strengthened by
encryption algorithms. More advanced and secured
authentication methods include Public-Private Keys, X.509
Certifications, IPSec/IKE, IKE Xauth, and ID Lists.
• NetDefendOS can either use a locally stored database, or a
database on an external server.
− Local User Database (UserDB)
− External RADIUS server
− External LDAP server
− External MS Active Directory
• Provides four types of authentication agents; HTTP/HTTPS
for web access authentication, XAUTH for VPN
authentication and PPP for PPTP/L2TP authentication.
Run-Time Web Based Authentication
• The most common application of User Authentication is RunTime Web Based User Authentication which is similar to
WAC (Web-based Access Control) of D-Link xStack Switch.
• The firewall will request user authentication before user can
pass through the firewall. While the user first opens the
browser, he/she will automatically be redirected to the login
NetDefend UTM Features Matrix
DFL model
IPS Signature
Pattern Number
File Size
35 / 70 Mbps
No limitation
50 / 100 Mbps
No limitation
225 / 400 Mbps
No limitation
450 / 600 Mbps
No limitation
Traffic Management
• What is Causing Bandwidth Performance Problems?
More application traffic
Recreational traffic
Web-based applications
Voice/video/data network convergence
Disaster readiness
Network Threat Attack
New Breed of Applications
Traffic Management
• How Traffic Management Works?
− Queuing packets when traffic exceeds configured limits
− Dropping packets if the packet buffers are full
− Prioritizing traffic according to the administrator’s choice
− Providing bandwidth guarantees
• There are two key components for traffic shaping in
− Pipes
− Pipes Rules
Traffic Management - What’s the Pipe?
• Pipe is the central concept for all bandwidth.
• Pipe simply measures the traffic pass though it and applies
configured limit.
• Pipe is deployed after a packet has been passed through
firewall IP Rule set.
Pipe Rules
• The Pipe Rules defines a traffic shaping policy by specifying
what network traffic should flow through what pipes.
• Pipe Rules is used to specify what traffic should be pass
through what pipes.
• Only traffic is matched a rule, this traffic will be shaped and
the first matching rule is the first one be applied.
Direction of a Pipe
• Now the pipe have a 2Mbps limit and the physical connection can
only handle 1Mbps in each direction. The pipe will never be full and
the rules of the pipe will not be deployed.
• The best way to manage real network traffic is using two pipes,
one for each direction. Now we can set each pipe to 1Mbps for
total limits. One pipe is for upstream traffic and another one is for
downstream traffic.
Direction of a Pipe with Actual
• The reason we're using two separate pipes, it is mainly
easier to match to the physical capacity (especially for
asynchronous ones, such as 2M/256K ADSL and so on), and
it's easier to follow such a setup.
Downstream Pipe
Upstream Pipe
Pipe Chains
• The Forward Chain List
− These are the pipes that will be used for outgoing (leaving) traffic from
the D-Link Firewall. One, none or a series of pipes may be specified.
• The Return Chain List
− These are the pipes that will be used for incoming (arriving) traffic. One,
none or a series of pipes may be specified.
Pipe Precedence
• Minimum Precedence: The lowest
allowed priority for traffic in this pipe.
• Default Precedence: The default
precedence for the pipe. This value
may range between 0 to 7, but should
be higher than, or equal to, the
minimum precedence.
• Maximum Precedence: The highest
allowed precedence for the pipe. This
value may be range between 0 to 7,
but should be higher than, or equal
to, the default precedence.
Bandwidth Limits
• For each pipe, separate bandwidth
limits may be optionally specified for
each precedence level. In precedence
are used then the total limit for the
pipe as a whole must be specified so
the pipe knows when what its capacity
is and therefore when precedence are
• The precedence have no effect until the
total bandwidth allocated for a pipe is
reached. In other words when the pipe
is "full“ at that point traffic is prioritized
by NetDefendOS with higher
precedence packets being sent before
lower precedence packets. The lower
precedence packets are buffered.
Grouping Users of a Pipe
Example of a pipe with traffic grouped per IP Address
• Grouping may be performed on source network, source IP address,
source port, destination network, destination IP address and
destination port. In the network grouping cases, the network size
may be specified.
Dynamic Bandwidth Balancing
• Dynamic Bandwidth Balancing is
D-Link unique feature in firewall
− General QoS can provide bandwidth
guarantee by specific protocol.
However, all simultaneous users of this
protocol will still try to archive more
bandwidth for themselves.
The impact is difficult to get their fair
share of high-precedence bandwidth
for specific protocol after enable QoS.
To prevent such situations, D-Link
NetDefend Firewall has a feature called
Dynamic Bandwidth Balancing.
This algorithm ensures that the peruser bandwidth limits are dynamically
lowered (and raised) in order to evenly
balance the available bandwidth
between the users of the pipe.
ZoneDefenseTM Technology
Challenge to Current Network Security
•Traditional Firewalls have limited ports & performance. So L3 network
switching still relies on L3 switches
•Whenever there’s an infected user at internal network
•Current network security architecture can’t effectively prevent the
virus/worm infection & outbreak
L3 Core
L2 Switches
Server Farm
It will result in mutual infection between clients, and coming virus/
worm outbreak could even generate DoS effect to network devices
ZoneDefenseTM Technology
New Network Security Architecture
•D-Link architecture is able to stop virus/worm spreading across the
•Communication quarantine is used in interaction of D-Link Firewall and
D-Link xStack series switches
L3 Core
L2 Switches
Server Farm
Firewall detects virus/worm activities and notifies switches to block the
suspected host to effectively stop the mutual infection or virus/ worm
outbreak in time
ZoneDefense configuration examples
•ZoneDefense enabled xStack Switches are:
DES-3526/50,DES-3528/52, DES-3828/52, DGS-3200, DGS-3400,
ZoneDefense configuration examples
•Setup Threshold rules
ZoneDefense configuration examples
•Add Threshold Action from the Threshold rules
ZoneDefense configuration examples
•Check ZoneDefense and xStack Switch state
ZoneDefense Demo