November 17, 2005



This firewall product is designed by D-Link for the SMB, SOHO and BFSI segments. The device uses an Intel XScale (533 MHz) processor with 16 MB of flash and 32 MB of SDRAM. It is best suited to those who do not have just a single internal network with an Internet connection to secure, but who also run infrastructure services such as web, mail or VPN that have to be reachable from the Internet; this is possible because the device has a DMZ port as well as the standard WAN and LAN ports. All of the firewall's ports are 10/100 Mbps Ethernet. It also comes with a console port through which you can configure the device, but we do not recommend this method unless you are conversant with Linux networking commands. The box runs a Linux-based firewall called iGateway from Intoto (for more information visit http://www.intoto.com/firewall.shtml).

Features 
This device is the first D-Link product to combine an Intel XScale processor with Linux in a firewall. It offers NAT (Network Address Translation), Secure NAT VPN (Virtual Private Networking) and, of course, a stateful firewall. Other features include an easy-to-use web-based management console and an independent DMZ port, to which you can connect all the company servers and machines that have to be reachable from outside the network, and that too securely. The device can also send e-mail notifications for system events and attack events, and you can customize these to select which types of event trigger an alert; for example, you can configure the device to send alerts on DoS attacks but not on sniffing attacks. You can also set alerts for syslog events, where you choose whether you want a notification in case of system overload (processor or memory).

Performance
To test the device we set up a test bed in which the WAN port was connected to our local network, which uses the 192.168.3.0 address range. We then connected a switch to the LAN port, attached a Windows laptop to it and created a new subnet on the 192.168.1.0 network. A second switch was connected to the DMZ port and made a member of the same 192.168.3.0 network; to this switch we connected a Windows 2000 machine running IIS. Finally, on our Labs network we connected a laptop carrying a set of vulnerability assessment tools such as Nessus, Firewalk, Ettercap and Dsniff, along with DDoS attack software.

We then created a NAT connection so that the laptop on the LAN port could reach the Internet through our Labs network via the WAN port, and ran both firewall-testing tools, Nessus and Firewalk. The device blocked the scans, and Firewalk was unable to penetrate it with the default configuration.

When we ran Nessus and Nmap, both were able to detect the version of the OS installed on the device and found port 80 open. Neither of these is really a 'threat' unless someone tries to exploit it. You can also make the device undiscoverable by switching its default settings to 'stealth' mode; in our tests both tools then found nothing.
Next we ran sniffing and DoS attacks against the device. It detected both and notified us immediately by e-mail. One thing we noticed, however, was that while the DoS attacks were running against the WAN port the web interface became a bit slow to reach from the internal network. This can be a problem if you have not configured e-mail notification, because then the only way to check for intrusion attempts is to visit the web interface and read the logs, which can again become slow during a really heavy DDoS attack.
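One way to implement the selective notification policy described under Features (mail on DoS but not on sniffing, mail on syslog overload) together with the caveat from this section that a flood should not also flood your mailbox, as an added example that is not the review's or the device's own code. The log line format, event names, IP address and suppression window are assumptions constructed for the example.

```python
"""Per-event-type alert routing with per-window suppression (added example).
Mail on DoS but not sniffing, mail on syslog overload, and send at most one
mail per event type per window. Format, names and window are constructed."""
import re
from datetime import datetime, timedelta
# Constructed line format: "<ISO time> <attack|system> <event> <free text>"
LINE_RE = re.compile(r"^(\S+) (attack|system) (\w+) (.*)$")
# Which event types are mailed; anything unlisted is only logged.
DEFAULT_POLICY = {
    ("attack", "dos"): True,
    ("attack", "sniff"): False,
    ("system", "cpu_overload"): True,
}

def parse_line(line):
    """Return (time, category, kind, detail), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, cat, kind, detail = m.groups()
    return datetime.fromisoformat(ts), cat, kind, detail

def route(lines, policy=DEFAULT_POLICY, window=timedelta(minutes=5)):
    """Split events into (mailed, logged_only, suppressed) lists."""
    mailed, logged, suppressed = [], [], []
    last_mail = {}  # (category, kind) -> time of the last mail sent
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed lines are skipped, never mailed
        ts, cat, kind, _ = ev
        key = (cat, kind)
        if not policy.get(key, False):
            logged.append(ev)
        elif key in last_mail and ts - last_mail[key] < window:
            suppressed.append(ev)  # repeat inside the window: log only
        else:
            last_mail[key] = ts
            mailed.append(ev)
    return mailed, logged, suppressed

SAMPLE_LOG = [  # constructed lines; 192.168.3.0 is the review's WAN test network
    "2005-11-17T10:00:01 attack dos syn flood from 192.168.3.50 on WAN",
    "2005-11-17T10:00:02 attack dos syn flood from 192.168.3.50 on WAN",
    "2005-11-17T10:00:05 attack sniff arp anomaly on LAN",
    "2005-11-17T10:00:09 system cpu_overload load 97%",
    "2005-11-17T10:06:00 attack dos syn flood from 192.168.3.50 on WAN",
    "not a log line",
]
```

On the sample, the first DoS line and the overload line are mailed, the second DoS line is suppressed as a repeat inside the window, the sniffing line is only logged, and the third DoS line is mailed again because it falls outside the window.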

The final test was the DMZ test, in which we ran Nessus against the IIS server inside the DMZ network. None of the attacks succeeded except for one warning, which was due to the IIS server not being fully patched.

Bottom Line: Overall a nice, cost-efficient product if you need a secure DMZ and a more secure LAN.

Anindya Roy
