1 The Services Menu
2 DHCP The DHCP (Dynamic Host Configuration Protocol) feature provides a fully- compliant DHCP server capable of serving any internal network including Green (LAN), Orange (DMZ), and Blue (WIFI), each with their own scope. It also provides the ability to provision fixed leases, allowing the assignment of a static IP address to any given MAC address. This can be useful when configuring a static IP on the client device itself is not desired or possible.
3 The Services Menu DHCP Interface
4 The Services Menu DHCP Fixed Lease Interface Mac Address: The client´s Mac Address IP Address: The IP address that will always be assigned to this client Description: Optional description Next Address: The address of the TFTP Server (Only for thin clients/network boot) Filename: The boot file name (Only for thin clients/network boot) Root Path: The path of the boot image file (Only for thin clients/network boot)
5 The Services Menu DNS Proxy Diagram
6 The Services Menu DNS Overview The GD eSeries appliance does not offer any standalone DNS server capability but can provide some basic DNS services to internal clients. Externally the GD eSeries can be setup as a standard static IP host with a static DNS name or, alternatively, as a Dynamic DNS (DDNS) client to provide name resolution on dynamic public IP addresses. The GD eSeries DNS system is composed of two parts: (1) the local DNS host file which provides hostname-to-IP mapping for the appliance and (2) the DNS proxy which can transparently intercept and provide additional resolution capabilities based on the local DNS settings. By using these, one can create local host resolution (i.e. A records) for any internal clients who use the GD eSeries.
7 The Services Menu DNS Proxy
8 The Services Menu DNS Routing
9 The Services Menu Why using DNS on GD eSeries By far the most popular use of simple DNS on the GD eSeries is to provide location resolution for “split DNS” capabilities to internal clients. This might be a situation where you have a DMZ with servers who use public IP addresses (which works fine externally), but you also wish to provide local resolution to internal clients using DNS hostnames. With GD eSeries you can create local (only) DNS resolutions for your servers to use for internal workstations while still maintaining your existing external DNS setup. This has the added security benefit of not creating messy NAT rules and keeping all internal traffic inside the firewall (no external traffic).
10 The Services Menu Split DNS Example
11 The Services Menu DNS Example
12 The Services Menu DNS Anti-spyware feature Did you know that not only does the DNS proxy help to improve internal DNS resolution with caching but also can enhance the network security provided through the DNS resolution by enabling the Anti-Spyware feature. This feature will automatically check every internal DNS request against a known list of malware domains and block access by not resolving the request.
13 The Services Menu DNS Anti-Spyware
14 The Services Menu NTP G D eSeries can be setup to synchronize with NTP servers to provide accurate network time. There is an option to specify custom NTP servers instead of the default ones used by GateDefender (x.pool.ntp.org). Also, GD eSeries will automatically serve any internal network as an NTP server, so you can point your internal clients to the GD eSeries to provide universal network time.
15 The Services Menu Intrusion Prevention System (IPS) The GD eSeries appliance provides a full featured Intrusion Prevention System (IPS) to monitor, prevent and control network-based threats. The major advantage of the IPS is that it can perform deep packet inspection to more accurately and consistently identify and block network traffic what other applications cannot. The Intrusion Prevention System is built on Snort. The GD eSeries platform has seamlessly integrated all of the power and functionality of Snort and made it easy to configure and manage regardless of network size and complexity. It operates transparently and in combination with all of the additional security functionality like firewall and the application proxies (web, , etc.).
16 The Services Menu Enabling IPS IPS is not active by default, so a grey switch next to the “Enable Intrusion Prevention System” label appears on the page, which can be clicked on to start the service. A message appears, informing that the service is being restarted and after a short interval, the box will contain configuration options. Automatically fetch SNORT Rules: Ticking this box will let the GateDefender automatically download the IPS rules. Choose update schedule: The frequency of download of the rules: A drop-down menu allows to choose one of the hourly, daily, weekly, or monthly options. This option appears only if the previous option has been activated. Custom SNORT Rules: A file containing custom Snort IPS rules that should be uploaded. Pick a file from the file selection window that opens upon clicking the “Browse“ button, and upload it by clicking on the “Upload custom rules” button.
17 The Services Menu IPS Configuration
18 The Services Menu IPS Editor At the top of the Editor page the rulesets that can be edited are shown. To choose more than one at a time, hold the CTRL key and click on the desired rulesets. After selecting and clicking on the Edit button, the list of the rules included in the selected ruleset(s) is shown. The list can be narrowed down by entering some terms in the text box next to the Search label. Like in the Rules page, the policy of every entry can be changed.
19 The Services Menu IPS and Firewall Configuration Turning on the IPS only implies that snort is running, but traffic is not yet necessarily filtered at that point. For IPS to filter packets, the “Allow with IPS” filter policy must be selected for the rules defined in the various Firewall configuration pages. It is also important to consider that while the IPS has its own web interface to manage logging/blocking of categories/individual rules and to set update frequencies, the actual implementation of the IPS is configured using the Firewall (specifically DNAT and Outgoing sections).
20 The Services Menu Quality Of Service (QoS) The GD eSeries appliance includes by default a full-featured Quality of Service (QoS) engine to provide adequate bandwidth management. Using this mechanism, administrators can define granular network policies to ensure the proper flow of network traffic and prevent any unnecessary network bottlenecks or bandwidth abuse. Similar to the IPS engine, the GD eSeries QoS System is tightly integrated with the firewall to provide a higher degree of user control over the appropriate network policies, as to properly manage network bandwidth in and out of the GD eSeries appliance.
21 The Services Menu When to use QoS? In general, QoS can provide some value under the following conditions: You have a small set of applications that are time-sensitive and cannot tolerate delays (e.g. VoIP, video). You have limited bandwidth capacity that cannot be upgraded or it is not cost effective to upgrade (dedicated circuits, satellite). Your network suffers from periods of moderate to heavy traffic loads, mostly due to non business-critical applications.
22 The Services Menu When NOT to use QoS? In general, QoS does not provide much value under the following conditions: You have a large number of applications that are time-sensitive and cannot tolerate delays. If the network is full of high priority traffic, then something has to be delayed in order for something else to get prioritized – QoS won’t work. You have cheap bandwidth capacity that can easily be upgraded. In almost all cases, adding bandwidth provides greater returns in terms of overall traffic quality (everything gets to it’s destination faster) and reduces the relative resource overhead required by QoS.
23 The Services Menu QoS Limitations: Destination QoS only works on traffic leaving YOUR device. Traffic through any HTTP, SMTP, POP3, or FTP proxy, cannot be filtered by source (only destination). This is due to how a proxy works which is a two-step process: A)The user makes a request that is sent to the proxy either transparently or non- transparently B) The proxy makes the request to the original destination on behalf of the user
24 The Services Menu QoS Architecture Devices: Network Zones (one or more physical interfaces) with defined upload/download bandwidth Classes: Definition of network priorities to be applied to various network traffic; each device has it’s own set of classes. Rules: Specific definition (using the firewall) of what type of traffic will be sent to any given class to assign network priority.
25 The Services Menu QoS Devices The Device tab is also the starting page for the QoS and it’s initially empty. Once populated, a table showing a list of all the Quality of Service devices appears, and for each device some parameters and the available actions are displayed. New QoS devices can be added by clicking on the “Create new item” link: Ta rget Device: The network interface that will be used by this devices. Choices are among the network interfaces or zones enabled on the system and can be selected from a drop-down menu. Downstream Bandwidth (kbit/s): The downstream speed of the interface. Upstream Bandwidth (kbit/s): The upstream speed of the interface. Enable: Enables the QoS (default) or not. The actions available on the devices are to edit, to enable/disable, or to remove a device and can be carried out by clicking on the corresponding icon.
26 The Services Menu QoS Classes This tab shows a list of all Quality of Service classes that have been created, if any. New items can be added by clicking on the “Create new item” link. Name: The name of the Quality of Service class. Device: The Quality of Service device for which the class was created. Reserved: The percentage of bandwidth that has been reserved for this class from the device’s overall available bandwith. Limit: The maximum percentage of bandwidth this class may use. Priority: The priority of the class.
27 The Services Menu QoS Rules The third tab displays a list of the already defined Quality of Service Rules and allows to specify which type of traffic should belong to each of the classes. To add a new Quality of Service rule click on the Add Quality of Service Rule link. Source: Choose the traffic source, either a Zone or interface, a network, an IP or MAC address. Depending on this choice, different values can be specified: A zone or interface from the available ones from those that will be displayed, or one or more IP addresses, networks, or MAC addresses. Destination Device/Traffic Class: Choose the device/class and then the destination IP addresses or networks. Service/Port, Protocol: The next two drop-down menus are used to define the service, protocol, and a destination port for the rule. There are some predefined combinations of Service/Protocol/Port available. TOS/DSCP: The type of TOS or DSCP value to match, if needed. Match Traffic: Choosing TOS or DSCP class in the previous drop-down menu allows to choose a suitable value for the traffic to match from another drop-down menu. Otherwise, the choice DSCP Value, allows entering a custom value that should match the rule. Comment: A comment to identify this rule. Enabled: Tick the checkbox to enable the rule.
28 The Services Menu QoS Rules If there is more than one service in a Quality of Service class, then all these services together will share the reserved bandwidth.