D-Link Corporation Firewall Specification Version 1.10

D-Link Corporation
Firewall Specification
NetDefend SOHO UTM Firewall
DFL-160 ver. A1
4*10/100/1000 Mbps LAN Port + 1*10/100/1000 Mbps DMZ Port +
1*10/100 Mbps WAN Port
Version 1.10
Date: 2008/10/20
This document contains confidential proprietary information and is the property of D-Link Corporation.
The contents of this document may not be disclosed to unauthorized persons without the written consent
of D-Link Corporation.
D-Link Confidential
DFL-160 Specification Revision History
Version Revised Date
Author
1.00
2008/9/1
Jeff Ko
1.10
2008/10/20
Jeff
Description
Initial Draft
1. Change Firewall, VPN and IPS/AV performance number.
2. Change Current session to be 6,000.
3. Remove Perfect Forward Secrecy (DH Group), Aggressive mode,
x.509, manual key, DPD, VPN tunnel keep alive and IPSec IKE config
mode for VPN feature.
4. Add XAUTH authentication support.
5. Remove Multiple PPPoE Tunnel, DHCP relay, DHCP over IPSec,
Static DHCP Addresses Assignment, IP NAT Pool, IP Alias, Static
Routes.
6. Remove cjb.net, dyndns.cx, TZO.com, dhs.org, Peanut Hull
(oray.net) from DDNS support, H.323 NAT Traversal, SIP ALG and
H.323 ALG.
7. Remove Install Wizard.
8. Remove Trust host for remote management.
9. Remove External database support and User Group-Base
authentication.
10. Increase internal log capacity to be 500.
11. Modify Support Log Receiver number to be 2 receivers supported.
12. Remove Event log and alarm, Support SNMP v1, v2c.
13. Add separate internal logging for IDP, AV, WCF.
14. Change Bandwidth Management to be in future release.
15. Add Decompression Explosion Protection and Scan Exclusion
Control for Anti-Virus.
16. Remove Scripts Type: Java Applet, Java Scripts, VB Scripts,
Cookies, Active X for WCF.
17. Change Anti-Spam to be in future release.
D-Link Confidential
1
Product Description:
In D-Link firewall product line, DFL-160 is the small UTM firewall with five gigabit ports, which adopts
D-Link's own Home-Router GUI design for smoothing user experience of non-IT customers, and targeting
at SOHO market.
For product positioning and differentiating, DFL-160 would belong to NetDefend SOHO series, not
professional NetDefend series
1. Product General Feature Information
1.1 Hardware Specification
Š CPU: Intel IXP435 @ 400MHz
Š Flash: 128 MB
Š DRAM: 128 MB
Š Ethernet Interface: 5 10/100/1000 + 1 10/100 Mbps Ethernet ports
Š Console Interface: DB-9 RS-232 connector *1
Š Other: USB 2.0 port *1
Š VPN accelerator for better VPN performance
1.2 Software Features
1.2.1 Maximum Performance and Capacity
Š Firewall Performance: 70 Mbps
Š 3DES/AES Performance: 25 Mbps
Š IPS/Antivirus Performance: 15 Mbps
Š Current Session: 6,000
Š New Session/second: 5,000
Š Policies: 300
Š Support Users: Unrestricted
1.2.2 Firewall Mode of Operation
Š Layer 3 mode: Route mode, NAT mode
Š Layer 2 mode: Transparent mode
Š Network Address Translation (NAT)
Š Port Address Translation (PAT)
Š Port Forwarding
Š Time-Scheduled policies configuration
D-Link Confidential
2
1.2.3 Virtual Private Network (VPN)
Š IPSec Protocol: ESP
Š IPSec Mode: Tunnel mode, Transport mode
Š Encryption Method: DES/3DES/AES/Twofish/Blowfish/CAST-128/NULL
Š Authentication Algorithm: MD5, SHA-1
Š Support PPTP/L2TP/IPSec VPN Server
Š PPTP Server support MPPE encryption
Š Site to Site VPN, Remote Access VPN for IPSec
Š Dedicated VPN Tunnels: up to 30
Š IKE mode: Main mode
Š Key Management:
‚ Pre-share key
Š IPSec NAT Traversal (NAT-T)
Š Prevent Replay Attack
Š XAUTH authentication support
1.2.4 IP Assignment & Routing
Š Static IP address
Š PPPoE for xDSL, PPTP Client for xDSL, DHCP Client for WAN interface
Š Internal DHCP Server
1.2.5 Networking
Š IP Multicast: IGMP v3 routing and forwarding (compatible with v1 and v2)
Š DDNS Client: D-Link DDNS, DynDNS.org.
Š Support ALG (Application Layer Gateway)
‚ HTTP, FTP, POP3, SMTP, TFTP
1.2.6 System Management
Š Console Interface
Š Web UI Interface
Š SNTP and UDP Time Synchronization
Š Support D-Link NTP Server
1.2.7 User and Device Administration
Š Multi-level user permission control (Administrator and Read-Only)
Š Software upgrade, Configuration Backup/Restore from:
‚ Web UI
D-Link Confidential
3
1.2.8 User Authentication
Š Build-in user database: 250 items
1.2.9 Logging and Monitoring
Š Internal log capacity: 500 records
Š Log viewer
Š Email notification for IDP log
Š Support external log server: syslog server
Š Support 2 log receivers
Š VPN tunnel monitor
Š Separate internal logging for IDP, AV, WCF
1.2.10 Bandwidth Management *
Š Guaranteed Bandwidth
Š Maximum Bandwidth
Š Priority-Bandwidth utilization
1.2.11 Intrusion Detection and Prevention System (IPS/IDP)
Š Support advanced IPS/IDP update service.
Š NIDS pattern auto update
Š DoS, DDoS attack protection
Š Detect Nimda, CodeRed attack
Š IP black-listing: It will be triggered by network threshold or IPS/IDP signature database.
Š Attack alarm via email notification
1.2.12 Anti-Virus Packet Inspection
Š Supported Protocol: HTTP, FTP, SMTP, POP3
Š Anti-Virus over VPN
Š Protocol/Port Configurable
Š Scanning of all MIME types
Š Supported Compression File Formats: ZIP, GZIP
Š Decompression Explosion Protection
Š Scan Exclusion Control
1.2.13 Dynamic Web Content Filtering
Š HTTP Type: Web URL filter. (Only for HTTP protocol, it doesn’t support HTTPS
protocol)
Š Over 30 number of Web content category
D-Link Confidential
4
1.2.14 Email Security *
Š Support Protocol: SMTP
Š Sender/Recipient Email address Blacklist/Exempt List filtering (for SMTP protocol only)
Š MIME header check for file extensions filtering
Š Email rate protection (for SMTP protocol only)
Š Email size protection (for SMTP protocol only)
Š Anti-Spam (for SMTP protocol only)
‚ Real-Time DNSBL/Open Relay Database Server
‚ Weight-based DNS blacklist
‚ Customize spam tag information in email subject
‚ Forward blocked emails
Note: Mark * indicates the specific feature will be announced in future release firmware.
2. LED indicators
Location
Per Device
LED Indicative Color
Power
Green
Status
Description
Solid Light
Power On
Light off
Power Off
When there is a secure
Solid Green
10/100Mbps Fast Ethernet
connection (or link) at any of
the ports.
When there is reception or
LED Per
10/100/1000
Mbps Port
transmission (i.e.
Blinking Green Activity—Act) of data
occurring at a Fast Ethernet
connected port.
Link/Act/Speed Green/Amber
When there is a secure
Solid Amber
1000Mbps Ethernet
connection (or link) at any of
the ports.
When there is reception or
transmission (i.e.
Blinking Amber Activity—Act) of data
occurring at an Ethernet
connected port.
Light off
D-Link Confidential
5
No link
3. Physical & Environment
3.1 AC input
−
−
100-240 VAC, 50/60Hz
External power supply
3.2 Operation Temperature
−
0-50°C
3.3 Storage Temperature
−
-40-70°C
3.4 Humidity
−
−
Operation: 10%-90% RH
Storage: 5% ~ 90% RH
3.5 Power Consumption
−
Below 20W
4. Mechanical
Metal Case
□ 19" Metal Case
□11" Metal Case □ Others
Plastic Case
□ D-Link Big Size 235x162x36mm
□ D-Link Middle Size 193x118x31mm
□ D-Link Small Size 142x109x31mm
□ D-Link Palm Size 104x61x28mm
□ D-Link Mini D Size 90x82x31mm
□ D-Link Pocket Size 80x52x27mm
■ Others 220(L) X 150(W) X 32.5(H) mm
5. Emission (EMI), Safety and other certification
Š EMI: FCC Class B, CE Class B, C-Tick, VCCI
Š Safety: UL/cUL, LVD (EN60950-1)
6. Production Requirement
At least 60℃, 4 hours burn-in process
All manufacturing process must be Lead-Free process
7. Package Content
One DFL-160 Device
Gift Box
Quick Installation Guide
Master CD
RS-232 Console cable
Power Adopter AC/DC
One Cat. 5.e Cable
D-Link Confidential
6