Page 36 / 139
the system administrators if email alerting is configured. There are two modes that can be configured, either Inspection Only or Prevention. Inspection Only will only inspect the traffic; if the DFL-1100 sees anything it will log it, send an email alert (if configured) and pass the traffic on. If Prevention is used, the traffic will be dropped and logged, and an email alert will be sent if configured.
D-Link updates the attack database periodically. Since firmware version 1.30.00, automatic updates are possible. If IDS or IDP is enabled for at least one of the policies or port mappings, automatic updating of the IDS database is enabled and the firewall will download the latest database from the D-Link website.
Traffic Shaping
The simplest way to obtain quality of service in a network, from a security as well as a functionality perspective, is to have the components in the network, not the applications, be responsible for network traffic control at well-defined choke points.
Traffic shaping works by measuring and queuing IP packets in transit with respect to a number of configurable parameters. Differentiated rate limits and traffic guarantees based on source, destination and protocol parameters can be created, much the same way firewall policies are implemented.
There are three different priorities when configuring traffic shaping: Normal, High and Critical.
Limit works by limiting the inbound and outbound traffic to the specified speed. This is the maximum bandwidth that can be used by traffic matching this policy. Note, however, that if other policies also use Limit and the limits in total exceed your Internet connection, and you have configured the traffic limits on the WAN interface, this limit is sometimes lowered to allow traffic with higher priority to take precedence.
By using Guarantee, you can give traffic matching a policy a minimum bandwidth. This only works if the traffic limits for the WAN interface are configured correctly.
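To see how Limit, Guarantee and priority interact once the configured limits add up to more than the WAN link, the following illustrative bandwidth allocation model is added here. It is not the DFL-1100's scheduler or D-Link code; the WAN speed, policy names and figures are constructed for the example. Guarantees are handed out first, the remainder goes to policies in priority order up to each Limit, and without a WAN limit there is nothing to reserve against.

```python
from dataclasses import dataclass

# Priority order used in pass 2: Critical is served before High, High before Normal.
PRIORITY = {"Normal": 0, "High": 1, "Critical": 2}


@dataclass
class ShapingPolicy:
    name: str
    priority: str        # "Normal", "High" or "Critical"
    limit_kbps: int      # Limit: maximum bandwidth for traffic matching this policy
    guarantee_kbps: int  # Guarantee: minimum bandwidth (0 = none)
    demand_kbps: int     # how much the matching traffic currently wants to send


def allocate(policies, wan_limit_kbps=None):
    """Return {policy name: allocated kbps} for one allocation round.

    Illustrative two-pass model, not the device's real algorithm:
      pass 1 gives every policy its Guarantee (never more than it demands, its Limit,
             or what is left of the WAN link);
      pass 2 shares the remaining WAN capacity in priority order, Critical first,
             topping each policy up to min(demand, Limit).
    With no WAN limit configured there is nothing to reserve against, so guarantees
    cannot be honoured and every policy simply gets min(demand, Limit).
    """
    alloc = {p.name: 0 for p in policies}
    if wan_limit_kbps is None:
        for p in policies:
            alloc[p.name] = min(p.demand_kbps, p.limit_kbps)
        return alloc

    remaining = wan_limit_kbps
    for p in policies:                                   # pass 1: guarantees
        share = min(p.guarantee_kbps, p.demand_kbps, p.limit_kbps, remaining)
        alloc[p.name] = share
        remaining -= share

    by_priority = sorted(policies, key=lambda p: PRIORITY[p.priority], reverse=True)
    for p in by_priority:                                # pass 2: leftover by priority
        want = min(p.demand_kbps, p.limit_kbps) - alloc[p.name]
        share = min(want, remaining)
        alloc[p.name] += share
        remaining -= share
    return alloc


# Constructed sample: three LAN->WAN policies whose Limits add up to 4000 kbps
# on a 2000 kbps WAN link, i.e. the oversubscribed case the manual warns about.
SAMPLE_POLICIES = [
    ShapingPolicy("voip", "Critical", limit_kbps=1000, guarantee_kbps=500, demand_kbps=800),
    ShapingPolicy("web", "High", limit_kbps=1500, guarantee_kbps=300, demand_kbps=1500),
    ShapingPolicy("bulk", "Normal", limit_kbps=1500, guarantee_kbps=0, demand_kbps=1500),
]
WAN_LIMIT_KBPS = 2000

if __name__ == "__main__":
    print("with WAN limit:   ", allocate(SAMPLE_POLICIES, WAN_LIMIT_KBPS))
    print("without WAN limit:", allocate(SAMPLE_POLICIES))
```

With the WAN limit set, this model lowers bulk's Limit of 1500 kbps all the way to 0 so that Critical and High traffic take precedence; without the WAN limit it hands out 3800 kbps on a 2000 kbps link, which is why the manual ties Guarantee to a correctly configured WAN limit.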
Policy Routing
Normal routing can be said to be a simple form of policy based routing; the "policy" is the routing table, and the only data that can be filtered on is the destination IP address of the packet. What is commonly referred to as policy based routing is, simply put, an extension of which fields of the packet we look at to determine the routing decision. In the DFL-1100, each rule in the firewall policy can specify its own routing decision; in essence, we route according to the source and destination IP addresses and ports.
Policy based routing can, for example, be used to route certain protocols through transparent proxies such as web caches and anti-virus scanners without adding another point of failure for the network as a whole. Note that the proxy must also support this for it to work.
There are two ways to configure Policy Routing; both include specifying the Gateway to send the traffic to. The first one, Redirect via routing (make gateway next hop), will simply reroute the traffic to the given gateway as if it was just another router. The second mode, Via address translation (change destination IP), will change the destination IP in the IP header and then pass the packet on to the gateway; this is used, for example, in transparent squid-proxy setups.
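The two Policy Routing modes differ in what the gateway receives. As an added example that is not part of the manual or D-Link's code, this Python model applies the first matching routing rule to a packet and shows the difference: the redirect mode leaves the packet untouched and only changes the next hop, while the address translation mode rewrites the destination IP to the gateway before forwarding. The subnet, gateway addresses and rules are constructed for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class RouteRule:
    name: str
    source_net: str   # sender span, e.g. "192.168.1.0/24"
    proto: str
    dport: int
    gateway: str      # the Gateway configured on the rule
    mode: str         # "redirect" = make gateway next hop; "dnat" = change destination IP


def policy_route(packet, rules, default_gw):
    """Return (next_hop, packet_as_forwarded) for the first rule that matches.

    Routing is decided per rule on source address and destination port, not
    only on the destination address as in the plain routing table.
    """
    for r in rules:
        if (ip_address(packet.src) in ip_network(r.source_net)
                and packet.proto == r.proto and packet.dport == r.dport):
            if r.mode == "redirect":
                # Redirect via routing: header unchanged, gateway used as next hop.
                # The gateway must be willing to forward traffic for the real dst.
                return r.gateway, packet
            if r.mode == "dnat":
                # Via address translation: destination IP becomes the gateway, so a
                # transparent proxy sees itself as the destination. Only the IP is
                # rewritten, which is all the manual describes for this mode.
                return r.gateway, replace(packet, dst=r.gateway)
            raise ValueError(f"unknown policy routing mode {r.mode!r}")
    # No rule matched: fall back to ordinary destination-based routing.
    return default_gw, packet


# Constructed example: LAN web traffic goes to a transparent proxy by address
# translation, LAN mail goes via a scanning gateway by plain redirect.
RULES = [
    RouteRule("web-to-proxy", "192.168.1.0/24", "tcp", 80, "192.168.1.10", "dnat"),
    RouteRule("smtp-via-scanner", "192.168.1.0/24", "tcp", 25, "192.168.1.20", "redirect"),
]
DEFAULT_GW = "203.0.113.1"   # the normal WAN next hop

if __name__ == "__main__":
    for pkt in (Packet("192.168.1.50", "198.51.100.7", "tcp", 80),
                Packet("192.168.1.50", "198.51.100.7", "tcp", 25),
                Packet("192.168.1.50", "198.51.100.7", "tcp", 443)):
        print(policy_route(pkt, RULES, DEFAULT_GW))
```

The proxy caveat from the text shows up in the dnat branch: the proxy receives a packet addressed to itself and has to recover the original server from the request (for HTTP, the Host header), which is exactly what a transparent-proxy mode provides and a plain forward proxy does not.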
Add a new policy
Follow these steps to add a new outgoing policy.
Step 1. Choose the LAN->WAN policy list from the available policy lists.
Step 2. Click on the Add new link.
Step 3. Fill in the following values:
Name: Specifies a symbolic name for the rule. This name is used mainly as a rule reference in log data and for easy reference in the policy list.
Action: Select Allow to allow this type of traffic.
Source Nets: Specifies the span of sender IP addresses to be compared to the source IP of the received packet. Leave this blank to match everything.
Source Users/Groups: Specifies whether an authenticated username is needed for this policy to match. Either make a list of usernames, separated by commas, or write Any for any authenticated user. If it is left blank, no authentication is needed for the policy.
Destination Nets: Specifies the span of IP addresses to be compared to the destination IP of the received packet. Leave this blank to match everything.
Destination Users/Groups: Specifies whether an authenticated username is needed for this policy to match. Either make a list of usernames, separated by commas, or write Any for any authenticated user. If it is left blank, no authentication is needed for the policy.
Service: Either choose a predefined service from the dropdown menu or create a custom one.
Schedule: Choose which schedule should be used for this policy to match; choose Always for no scheduling.
Step 4. If using traffic shaping, fill in that information; if not, skip this step.
Click the Apply button below to apply the change or click Cancel to discard changes.
Change order of policy
Follow these steps to change the order of a policy.
Step 1. Choose the policy list you would like to change the order in from the available policy lists.
Step 2. Click on the Edit link on the rule you want to move.
Step 3. Change the number in the Position field to the new row. After the Apply button is clicked, this moves the policy to that row and moves the policy previously at that row, and all policies after it, one step down.
Click the Apply button below to apply the change or click Cancel to discard changes.
Delete policy
Follow these steps to delete a policy.
Step 1. Choose, from the available policy lists, the policy list containing the policy you want to delete.
Step 2. Click on the Edit link on the rule you want to delete.
Step 3. Enable the Delete policy checkbox.
Click the Apply button below to apply the change or click Cancel to discard changes.
Configure Intrusion Detection
Follow these steps to configure IDS on a policy.
Step 1. Choose the policy you would like to have IDS on.
Step 2. Click on the Edit link on that rule.
Step 3. Enable the Intrusion Detection / Prevention checkbox.
Step 4. Choose Intrusion Detection from the mode drop down list.
Step 5. Enable the alerting checkbox for email alerting.
Click the Apply button below to apply the change or click Cancel to discard changes.
Configure Intrusion Prevention
Follow these steps to configure IDP on a policy.
Step 1. Choose the policy you would like to have IDP on.
Step 2. Click on the Edit link on that rule.
Step 3. Enable the Intrusion Detection / Prevention checkbox.
Step 4. Choose Prevention from the mode drop down list.
Step 5. Enable the alerting checkbox for email alerting.
Click the Apply button below to apply the change or click Cancel to discard changes.
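The Add, Change order, Delete and Intrusion Detection/Prevention procedures above all operate on one ordered policy list, and the effect of each step is easiest to see in code. The following Python model is added here and is not the DFL-1100's firmware or D-Link code. It implements the Position semantics (inserting at a row pushes that row and everything below it one step down), first-match evaluation on Source Nets, Destination Nets, Service and Schedule, and the difference between Intrusion Detection (log and pass) and Prevention (log and drop). A boolean stands in for a signature hit against the attack database, user/group matching is left out, the policy names and addresses are constructed, and the implicit drop when nothing matches is an assumption, not something this page states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Policy:
    name: str
    action: str                                 # "Allow" or "Drop"
    source_nets: str = ""                       # blank matches everything
    destination_nets: str = ""                  # blank matches everything
    service: Optional[Tuple[str, int]] = None   # (proto, port); None = any service
    schedule: str = "Always"
    ids_mode: Optional[str] = None              # None, "Intrusion Detection" or "Prevention"


class PolicyList:
    """One policy list (e.g. LAN->WAN), evaluated top to bottom; first match wins."""

    def __init__(self):
        self.rules: List[Policy] = []

    def add(self, policy: Policy, position: Optional[int] = None) -> None:
        # Position is the 1-based row from the Position field; the rule previously
        # at that row and all rules after it move one step down.
        if position is None:
            self.rules.append(policy)
        else:
            self.rules.insert(position - 1, policy)

    def delete(self, name: str) -> None:
        self.rules = [r for r in self.rules if r.name != name]

    def order(self) -> List[str]:
        return [r.name for r in self.rules]


def _net_match(spec: str, addr: str) -> bool:
    return spec == "" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate(plist: PolicyList, pkt: dict, active_schedules: set, signature_hit: bool):
    """Return (verdict, log line); verdict is "allow" or "drop".

    `signature_hit` stands in for the IDS engine matching the attack database
    against this traffic; the real engine is not modelled here.
    """
    for r in plist.rules:
        if not _net_match(r.source_nets, pkt["src"]):
            continue
        if not _net_match(r.destination_nets, pkt["dst"]):
            continue
        if r.service is not None and (pkt["proto"], pkt["dport"]) != r.service:
            continue
        if r.schedule != "Always" and r.schedule not in active_schedules:
            continue
        if r.action != "Allow":
            return "drop", f"{r.name}: dropped by policy"
        if r.ids_mode is not None and signature_hit:
            if r.ids_mode == "Prevention":
                return "drop", f"{r.name}: attack logged, traffic dropped (IDP)"
            return "allow", f"{r.name}: attack logged, traffic passed (IDS)"
        return "allow", f"{r.name}: allowed"
    # Nothing matched: an implicit drop is assumed here; the manual does not state it.
    return "drop", "no policy matched"


def demo() -> dict:
    """Walk through add, reorder, evaluate and delete on a constructed LAN->WAN list."""
    plist = PolicyList()
    plist.add(Policy("web", "Allow", "192.168.1.0/24", service=("tcp", 80), ids_mode="Prevention"))
    plist.add(Policy("dns", "Allow", "192.168.1.0/24", service=("udp", 53), ids_mode="Intrusion Detection"))
    # Drop rule for one host inserted at Position 1: web and dns move down one row.
    plist.add(Policy("block-host", "Drop", source_nets="192.168.1.66"), position=1)

    bad_host = {"src": "192.168.1.66", "dst": "198.51.100.7", "proto": "tcp", "dport": 80}
    web = {"src": "192.168.1.50", "dst": "198.51.100.7", "proto": "tcp", "dport": 80}
    dns = {"src": "192.168.1.50", "dst": "198.51.100.53", "proto": "udp", "dport": 53}
    https = {"src": "192.168.1.50", "dst": "198.51.100.7", "proto": "tcp", "dport": 443}

    results = {"order": plist.order()}
    results["blocked_host"] = evaluate(plist, bad_host, set(), signature_hit=False)[0]
    results["idp_attack"] = evaluate(plist, web, set(), signature_hit=True)[0]
    results["ids_attack"] = evaluate(plist, dns, set(), signature_hit=True)[0]
    results["https_no_rule"] = evaluate(plist, https, set(), signature_hit=False)[0]
    plist.delete("block-host")
    results["after_delete"] = evaluate(plist, bad_host, set(), signature_hit=False)[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from the ordering step is that the Drop rule only blocks the host because it sits above the Allow rules; had it been appended at the end, the web rule would match first and the host would be allowed. Likewise the same signature hit is dropped under Prevention but passed under Intrusion Detection, so an IDS-only policy gives you the log line and the alert, not protection.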
