D-Link DFL-700 Firewall Router - I'm impressed

on 12.05.2006 23:51:29 by unknown

Post removed (X-No-Archive: yes)

Re: D-Link DFL-700 Firewall Router - I'm impressed

on 13.05.2006 15:00:44 by Frankster

Thanks Leythos, for the info. Good network firewalls in the $200-$400
bracket is where the "hole" in the market is right now, IMHO. I will
definitely look at this alternative.

-Frank

"Leythos" wrote in message
news:Br79g.31888$mh.27858@tornado.ohiordc.rr.com...
>I just got another DFL-700 Firewall for a small company, I'm impressed
> with this unit:
>
> Some features I like:
>
> Blocks items in HTTP Sessions (here is the default list)
> #
> # Example for blocking all access to a whole site:
> #
> # example.com/*
> # *.example.com/*
> #
> # Or, a shorter variant that runs the risk of blocking sites whose
> # names end with the same text:
> #
> # *example.com/*
> #
>
> # I entered this so that yahoo mail would not be available
> mail.yahoo.com/*
>
> #
> # Deny access to potentially dangerous file types:
> #
>
> # Malicious executables can be downloaded by exploits
> *.exe
> *.scr
> *.cpl
> *.pif
> # *.com -- probably not a good idea given the .com TLD
>
> # Malicious scripts can be downloaded by exploits
> *.vb
> *.vbd
> *.vbe
> *.vbs
> *.vbx
> *.bat
> *.cmd
> *.wsc
> *.wsf
> *.wsh
> *.sct
>
> # Shell scraps can contain executables and invoke nearly any command
> *.shb
> *.shs
>
> # Windows installer files - prevent unauthorized downloads and installs
> *.msi
> *.msp
>
> # "HTML Applications" -- affected by vulnerabilities
> *.hta
> *.htc
>
> # Windows media player skin file -- affected by vulnerabilities
> *.wms
> *.wmz
> *.wmd
>
> # Multiple vulnerabilities use compiled HTML (chm) files, especially in
> # conjunction with HTML Help, so block .hlp too
> *.chm
> *.hlp
>
> # Vulnerabilities in MIDI decoders
> *.mid
> *.midi
>
> # The Office suite has had multiple vulnerabilities over the years
> *.ade
> *.adp
> *.clp
> *.csv
> *.dif
> *.doc
> *.dot
> *.mad
> *.maf
> *.mam
> *.maq
> *.mar
> *.mat
> *.mcw
> *.mda
> *.mdb
> *.mde
> *.mdn
> *.mdt
> *.mdv
> *.mdw
> *.mst
> *.odc
> *.ofn
> *.pbk
> *.pcd
> *.pip
> *.pot
> *.ppa
> *.pps
> *.ppt
> *.ppz
> *.pwz
> *.slk
> # *.rtf -- can contain ms word data too though
> *.w51
> *.w60
> *.w61
> *.wbk
> *.wiz
> *.wk1
> *.wk3
> *.wkb
> *.wks
> *.wll
> *.wmc
> *.wri
> *.wp
> *.wp4
> *.wp5
> *.wp6
> *.wpc
> *.wpd
> *.wpf
> *.wpg
> *.wpj
> *.wpk
> *.wpm
> *.wpp
> *.wpt
> *.wpw
> *.wwl
> *.wwp
> *.wzs
> *.xl
> *.xla
> *.xlb
> *.xlc
> *.xld
> *.xlk
> *.xll
> *.xlm
> *.xls
> *.xlt
> *.xlv
> *.xlw
>
>
> # "Internet Settings" files -- shouldn't come from the outside
> *.ins
> *.isp
>
> # Outlook email/news archive file
> *.eml
> *.nws
>
> # "Multipurpose HTML archive" -- affected by vulnerabilities
> *.mht
> *.mhtml
>
> # HTTP-based database access -- not used by browsers
> *.idc
> *.htx
>
> # URL/Link files have no business being downloaded by browsers
> *.url
> *.lnk
>
> # Others
> *.reg
> *.inf
>
> It has a whitelist filter also.
>
> Acts as a PPTP Server with multiple users able to be setup in groups for
> permissions. Also does IPSec tunnels, but the PPTP Server was a very
> nice feature.
>
> Has Port Mapping rules for all combinations:
> # LAN->WAN policy - 7 rules, NAT enabled
> # WAN->LAN policy - 0 rules
> # LAN->DMZ policy - 3 rules
> # DMZ->LAN policy - 0 rules
> # WAN->DMZ policy - 0 rules
> # DMZ->WAN policy - 4 rules, NAT enabled
>
> It has a real LAN and real DMZ dedicated jacks, and each can be assigned
> a unique subnet and each has its own DHCP Service!
>
> Has DNS and DHCP relay options/settings.
>
> Has reasonable logging features.
>
> Oh, and it has a RADIUS Server interface ability!
>
> All that for $350.
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me
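An added example, not part of the original thread and not D-Link's code: a small audit that runs blocklist rules in the quoted format against URLs that must stay reachable, showing the over-blocking that the list's own comment warns about for `*example.com/*`. The matching model (case-insensitive wildcard match against host plus path, with `*` matching any characters) is an assumption, not documented DFL-700 behaviour, and the URLs are constructed.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed excerpt in the format of the list quoted above.
BLOCKLIST = """\
# Whole-site rules
example.com/*
*.example.com/*
*example.com/*
mail.yahoo.com/*
# File-type rules
*.exe
*.csv
"""


def parse_blocklist(text):
    """Return active patterns, skipping '#' comments and blank lines."""
    patterns = []
    for line in text.splitlines():
        rule = line.split("#", 1)[0].strip().lower()
        if rule:
            patterns.append(rule)
    return patterns


def url_key(url):
    """Assumed match target: lower-cased host + path (no scheme, port, query)."""
    parts = urlsplit(url)
    return ((parts.hostname or "") + (parts.path or "/")).lower()


def matching_rules(url, patterns):
    """Rules that would block this URL; '*' is assumed to match any characters."""
    key = url_key(url)
    return [p for p in patterns if fnmatchcase(key, p)]


def audit(patterns, must_stay_reachable):
    """Map each URL the business needs to the rules that would block it."""
    findings = {}
    for url in must_stay_reachable:
        rules = matching_rules(url, patterns)
        if rules:
            findings[url] = rules
    return findings


# Constructed URLs that a site might need to keep reachable.
NEEDED = [
    "http://counterexample.com/index.html",  # unrelated site, similar name
    "http://intranet.test/reports/q1.csv",   # legitimate CSV export
    "http://www.dlink.com/support/",         # unaffected
]

if __name__ == "__main__":
    for url, rules in audit(parse_blocklist(BLOCKLIST), NEEDED).items():
        print(f"{url} would be blocked by: {', '.join(rules)}")
```

Running the audit against a list of business-critical URLs before loading a blocklist shows which rules need narrowing or a whitelist entry.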

Re: D-Link DFL-700 Firewall Router - I'm impressed

on 13.05.2006 16:37:42 by unknown

Post removed (X-No-Archive: yes)

Re: D-Link DFL-700 Firewall Router - I'm impressed

on 13.05.2006 17:05:00 by bellyup

Leythos wrote:
> I just got another DFL-700 Firewall for a small company, I'm impressed
> with this unit:

About a 1/3rd of what you can do with IPCop.

> All that for $350.

Which is still $350 more than IPCop.
E.

Re: D-Link DFL-700 Firewall Router - I'm impressed

on 15.05.2006 13:47:44 by unknown

Post removed (X-No-Archive: yes)

Re: D-Link DFL-700 Firewall Router - I'm impressed

on 15.05.2006 15:12:27 by Rod Engelsman

Leythos wrote:
> In article <4465f83d$1@mail.netspeed.com.au>, bellyup@the.bar says...
>> Leythos wrote:
>>> I just got another DFL-700 Firewall for a small company, I'm impressed
>>> with this unit:
>> About a 1/3rd of what you can do with IPCop.
>>
>>> All that for $350.
>> Which is still $350 more than IPCop.
>
> And IPCop requires a computer, requires setup by a competent user,
> requires that you maintain the computer....
>
> IPCop doesn't make sense for a small business without a person that
> understands computers, linux, etc....
>
>
>
You would need that for anyone to make any use of most of the features
you mentioned anyway.

"Acts as a PPTP Server with multiple users able to be setup in groups
for permissions. Also does IPSec tunnels, but the PPTP Server was a very
nice feature."

IPSEC is a pain to set up, very fiddly. PPTP is proven insecure. Good
luck doing either without a competent computer guy on hand.

"Has Port Mapping rules for all combinations:
# LAN->WAN policy - 7 rules, NAT enabled
# WAN->LAN policy - 0 rules
# LAN->DMZ policy - 3 rules
# DMZ->LAN policy - 0 rules
# WAN->DMZ policy - 0 rules
# DMZ->WAN policy - 4 rules, NAT enabled"

99.9%+ of all non-computer geeks won't have the foggiest damn clue what
you're talking about here.

"It has a real LAN and real DMZ dedicated jacks, and each can be
assigned a unique subnet and each has its own DHCP Service!"

Computer noob: What's a subnet? What's DHCP? What's a DMZ? Isn't that in
Korea?

"Has DNS and DHCP relay options/settings."

So you've set up DNS and DHCP servers but you're too stupid to set up IPCOP?

"Has reasonable logging features."

Ditto for a syslog server?

"Oh, and it has a RADIUS Server interface ability!"

Oh, wow? And a RADIUS Server? With LDAP or AD I presume?

IPCOP is good. I prefer Endian, which is based on IPCOP.

Feature list:

- Firewall (stateful inspection)

- Outgoing Firewall

- IPSec Gateway to gateway VPN

- IPSec Remote client to gateway VPN (roadwarrior)

- NAT

- Multi-IP address support (aliases)

- Dynamic DNS

- DMZ support

- HTTPS Web Interface

- Detailed network traffic graphs

- View currently active connections

- Event log management

- Log redirection to external server

- Server DHCP

- Server NTP

- Traffic Shaping / QoS

- Transparent POP3 antivirus/antispam proxy

- Transparent HTTP proxy

- Web Proxy with local users, windows domain, samba, LDAP, radius server management

- Intrusion Detection System

- ADSL modem support

- Configuration backup and restore

- Remote update

- SIP VoIP Proxy

- SMTP Proxy

- HTTP Antivirus

- Endian Security Tools for Windows Desktop

- Transparent SMTP antivirus/antispam proxy

- Gateway to gateway VPN with OpenVPN

- Remote client to gateway VPN (roadwarrior) with OpenVPN

- Bridged and Routed VPN mode

- Endian Client VPN – Windows, Linux, MacOSX

- URL filter

- Web content analysis/filter

- Whitelists and blacklists management

- Web surfing time limits

For those of you who prefer the certified appliances, Endian
(www.efw.it) is also a commercial company and you will very soon be able
to purchase an ICSA certified appliance from them. But you will also
always be able to download an iso of the OS for free and set up your own
system on an older box (recommended 450 MHz Pentium w/ 256 MB ram). Like
IPCOP it supports four zones: Red (Internet), Green (Internal), Orange
(DMZ), and Blue (Wireless). It will also very soon support Failover and
Load Balancing. This is a serious firewall solution.

--

Rod

Re: D-Link DFL-700 Firewall Router - I'm impressed

on 15.05.2006 16:35:16 by Frankster

"Leythos" wrote in message
news:ATZ9g.25439$YI5.425@tornado.ohiordc.rr.com...
> In article <4465f83d$1@mail.netspeed.com.au>, bellyup@the.bar says...
>> Leythos wrote:
>> > I just got another DFL-700 Firewall for a small company, I'm impressed
>> > with this unit:
>>
>> About a 1/3rd of what you can do with IPCop.
>>
>> > All that for $350.
>>
>> Which is still $350 more than IPCop.
>
> And IPCop requires a computer, requires setup by a competent user,
> requires that you maintain the computer....
>
> IPCop doesn't make sense for a small business without a person that
> understands computers, linux, etc....
>

Agreed. Also, although I have no problem with software network firewalls (I
use them and like them) I usually do not recommend them for small business
clients. Few reasons... (I know you know all this, just a convenient place
to post it)

First, most small businesses do not have the proverbial "old spare computer"
laying around. They throw them out when they are too old to perform because
they take up too much (PAID OR LEASED) storage space. Space that can be used
for other things, like PEOPLE.

Next, even if an "old computer" was available, you still have the issue of
space, maintenance, and support. You need an OS (which is very likely to
need upgrading, at some $ expense). You may need to upgrade memory to run a
decent FW application (more $). Telling a small business (most of which hate
computers but consider them a necessary evil to run their business) that
they should BUY another computer doesn't really appeal to them.

Also, the space thing is a biggie. Most small businesses much prefer a
device they can bolt on the back of a desk, or on a wall, or hide under the
desk on the floor, than (yet another) full fledged computer that is in the
way and not even used by anyone (their view).

Again, personally, I like the OS based firewalls because of the rich feature
set you can get for the same money and the always fantastic logging
abilities. Admittedly though, after factoring in the total cost of ownership
of another computer, it may not be that much cheaper.

Also, when you say "support", you are talking about having to call (yet
again) your computer consultant in, for big bucks, to make sure all the
latest upgrades/patches/AVs, etc. are on the OS holding the FW.

Bottom line... all this "just use an old computer laying around" stuff is
fine for geeks and hobbyists, but usually not small businesses (or large
businesses either, for that matter).

-Frank

Re: D-Link DFL-700 Firewall Router - I'm impressed

on 15.05.2006 18:00:40 by unknown

Post removed (X-No-Archive: yes)

Re: D-Link DFL-700 Firewall Router - I'm impressed

on 15.05.2006 18:19:45 by Rod Engelsman

Frankster wrote:
> "Leythos" wrote in message
> news:ATZ9g.25439$YI5.425@tornado.ohiordc.rr.com...
>> In article <4465f83d$1@mail.netspeed.com.au>, bellyup@the.bar says...
>>> Leythos wrote:
>>>> I just got another DFL-700 Firewall for a small company, I'm impressed
>>>> with this unit:
>>> About a 1/3rd of what you can do with IPCop.
>>>
>>>> All that for $350.
>>> Which is still $350 more than IPCop.
>> And IPCop requires a computer, requires setup by a competent user,
>> requires that you maintain the computer....
>>
>> IPCop doesn't make sense for a small business without a person that
>> understands computers, linux, etc....
>>
>
> Agreed. Also, although I have no problem with software network firewalls (I
> use them and like them) I usually do not recommend them for small business
> clients. Few reasons... (I know you know all this, just a convenient place
> to post it)
>
> First, most small businesses do not have the proverbial "old spare computer"
> laying around. They throw them out when they are too old to perform because
> they take up too much (PAID OR LEASED) storage space. Space that can be used
> for other things, like PEOPLE.

I run mine on a laptop with PCMCIA cards for interfaces. I can also use
the USB nics if I wanted.

>
> Next, even if an "old computer" was available, you still have the issue of
> space, maintenance, and support. You need an OS (which is very likely to
> need upgrading, at some $ expense).

The only OSes that require money to upgrade are proprietary like Cisco
IOS or Windows. Anyone that would use a firewall based on Windows is an
idiot anyway.


> You may need to upgrade memory to run a
> decent FW application (more $).

Firewalls aren't particularly hardware intensive. The Cisco PIX 501 runs
on a 200 MHz processor with 16 MB of ram. I have 192 MB on my firewall
box and I don't even come close to using swap.

> Telling a small business (most of which hate
> computers but consider them a necessary evil to run their business) that
> they should BUY another computer doesn't really appeal to them.

But spending $350 on a firewall does... interesting.

>
> Also, the space thing is a biggie. Most small businesses much prefer a
> device they can bolt on the back of a desk, or on a wall, or hide under the
> desk on the floor, than (yet another) full fledged computer that is in the
> way and not even used by anyone (their view).

I remind you that I'm running mine on an old laptop. It isn't
significantly larger than the DFL-700.


>
> Again, personally, I like the OS based firewalls because of the rich feature
> set you can get for the same money and the always fantastic logging
> abilities. Admittedly though, after factoring in the total cost of ownership
> of another computer, it may not be that much cheaper.
>
> Also, when you say "support", you are talking about having to call (yet
> again) your computer consultant in, for big bucks, to make sure all the
> latest upgrades/patches/AVs, etc. are on the OS holding the FW.

Have you looked at the specs on the DFL-700? You can't seriously tell me
that administering and maintaining that thing is going to be any easier
than IPCOP or Endian. You either learn how to do it yourself or you hire
someone to do it for you. Otherwise you may as well get a cheap home
unit for $50 because you are just wasting the capabilities of the DFL.
It's $350 spent on feeling good.

--

Rod

Re: D-Link DFL-700 Firewall Router - I'm impressed

on 15.05.2006 19:16:34 by unknown

Post removed (X-No-Archive: yes)

Re: D-Link DFL-700 Firewall Router - I'm impressed

on 15.05.2006 19:28:37 by Rod Engelsman

Leythos wrote:
> In article <27%9g.2$re.68676@news.sisna.com>, rod.engelsman@gmail.com
> says...
>> Leythos wrote:
>>> In article <4465f83d$1@mail.netspeed.com.au>, bellyup@the.bar says...
>>>> Leythos wrote:
>>>>> I just got another DFL-700 Firewall for a small company, I'm impressed
>>>>> with this unit:
>>>> About a 1/3rd of what you can do with IPCop.
>>>>
>>>>> All that for $350.
>>>> Which is still $350 more than IPCop.
>>> And IPCop requires a computer, requires setup by a competent user,
>>> requires that you maintain the computer....
>>>
>>> IPCop doesn't make sense for a small business without a person that
>>> understands computers, linux, etc....
>>>
>>>
>>>
>> You would need that for anyone to make any use of most of the features
>> you mentioned anyway.
>
> You misunderstand my reply - I can setup any soft/hard based firewall,
> it's not something "I" worry about.
>
> When it comes to clients, most of them don't want an uncertified
> solution or one that has no support path.

The DFL-700 isn't on the ICSA certified list. In fact, NO D-Link
products are ICSA certified. As far as support goes, all I can find on
the site are the usual firmware downloads, faq's, and knowledge base. I
suppose you can e-mail Tech support, but in the end this looks a lot
like a do-it-yourself situation. I went to the contact page and the
phone number for TS is blank.

>
> Additionally if I install an IPCop solution on an old clunker, well,
> that doesn't exactly pass the SOX audit rules, nor does it pass other
> audits as it's a "self" built solution. I can purchase most cheap
> certified firewalls and pass most audits and I can also get vendor
> support for them.
>
> Since most clients are not going to accept a solution that includes an
> old P1 or P2 with used parts, etc... as their firewall solution, it
> doesn't matter how good IPCop is, it's still running on a computer that
> requires support/maintenance and is only as good as the person that
> installed the OS/rules.

ANY machine needs support and maintenance. You can get a brand-new white
box from Dell for less than $300 and you end up with much more
capability for the same or less money. You don't HAVE to use
old/recycled computers. I'd be interested to see what the default
rule-set is for the DFL. Because unless you know what you're doing or
hire somebody you will most likely screw it up.


>
> In the case of most appliances, they have a higher MTBF, don't include a
> disk drive, have been certified, have support, etc....
>

No disc drive = "you need a syslog server if you want any significant
logging"

Bottom line is that security isn't easy, it isn't for amateurs, and it's
not going to be free. I just don't see how you get around having someone
knowledgeable administering it.

--

Rod

Re: D-Link DFL-700 Firewall Router - I'm impressed

on 15.05.2006 19:36:40 by unknown

Post removed (X-No-Archive: yes)

Re: D-Link DFL-700 Firewall Router - I'm impressed

on 15.05.2006 21:20:39 by Rod Engelsman

Leythos wrote:
> In article , rod.engelsman@gmail.com
> says...
>> Bottom line is that security isn't easy, it isn't for amateurs, and it's
>> not going to be free. I just don't see how you get around having someone
>> knowledgeable administering it.
>
> Some things don't need "administered" to the same level as others.
> Filtering content doesn't need administering, NAT doesn't need
> administering, etc... The logs get sent to another computer, and the
> interface to the syslog app is very simple to understand....

Yep. And my unit has a 40 Gig hard drive and keeps the logs right there.
No need for a server, but it can do so if you want.

>
> Before you knock the DFL-700, get one for testing and see for yourself.
> I've installed about every firewall on the market over the last 6 years,
> soft, hard, dedicated, etc... Appliances are my choice in all cases, as
> they are far more reliable,

That explains why it has all of a one-year warranty. And no
certification (at least not ICSA).

> far easier to get support from a third party
> source (read that as vendor), etc....
>
> Like it or not, the DFL-700 device is a good unit for most home users
> and small businesses,

I don't see home users ponying up $350 for a firewall. You can just
about buy a PC for that much.


> the only thing it really needs is SMTP content
> filtering.
>

I've got that. And POP3 proxying, too.

I'm not really knocking the DFL-700; it seems like a fine little unit.
I'm just trying to resolve a bit of cognitive dissonance. On the one
hand, you're bragging about its capabilities. On the other, you claim
the market is home and small business users who aren't technically savvy
and don't want to spend money on consultants. If the latter is true,
then the DFL-700 is about 10 times overkill because they're not going to
understand what half that stuff does much less how to use it. I mean if
you can set up a web or mail server (what else are you going to use the
DMZ for?) then I'm sure you can handle IPCOP, or Smoothwall, or Endian.

Re: D-Link DFL-700 Firewall Router - I'm impressed

on 15.11.2006 21:05:50 by DFS

>I just got another DFL-700 Firewall for a small company, I'm impressed
> with this unit:
>
> Some features I like:
>
> Blocks items in HTTP Sessions (here is the default list)
> #
> # Example for blocking all access to a whole site:
> #
> # example.com/*
> # *.example.com/*

How many URLs can the DFL 700 filter? Our Netgear router is limited to
about two dozen.

Best,
Christopher

Re: D-Link DFL-700 Firewall Router - I'm impressed

on 15.11.2006 21:37:50 by unknown

Post removed (X-No-Archive: yes)

Re: D-Link DFL-700 Firewall Router - I'm impressed

on 17.11.2006 15:33:24 by tom

Christopher Glaeser wrote:
> >I just got another DFL-700 Firewall for a small company, I'm impressed
> > with this unit:
> >
> > Some features I like:
> >
> > Blocks items in HTTP Sessions (here is the default list)
> > #
> > # Example for blocking all access to a whole site:
> > #
> > # example.com/*
> > # *.example.com/*
>
> How many URLs can the DFL 700 filter? Our Netgear router is limited to
> about two dozen.
>
> Best,
> Christopher

I am still using a DI-704UP for my small business. Is the DFL-700
worth the extra $300??
- the VPN would be nice (I don't have a remote office and I am used to
SSHing for remote access)
- the 704 only logs failures. That has always bugged me as you don't
see successful break-in attempts
- I don't know if the 700 is actually faster and can handle more load
(bandwidth, filtering work) than the 704
- I love my print server on the 704UP and I will miss not having it
- I have problems with some sites (maybe their problem) losing
packets. Perhaps it's the DI-704??

While the DFL-700 has more firewall features (and probably memory), is
it a much faster CPU/OS than the DI-704 to keep up with the traffic
(especially for the extra $300)? If it is, perhaps it will solve my
dropped packet problems.