
Reference Manual for the ProSafe VPN Firewall FVS114
Firewall Protection and Content Filtering, page 4-2
202-10098-01, April 2005

Block Sites

The FVS114 allows you to restrict access based on Web addresses and Web address keywords. Up to 255 entries are supported in the Keyword list. The Block Sites menu is shown in Figure 4-1:

Figure 4-1: Block Sites menu

Web Components: You can use these to block undesirable Web components or behavior. Select the desired options:

Turn Proxy filtering on: Block use of a remote Proxy Server. A Proxy Server can be used to hide the real name or address of the site to which your LAN users are connecting. By enabling this option, you force LAN users to connect directly, so their activity can be logged and/or blocked.

Turn Java filtering on: Block Java applets.

Turn ActiveX filtering on: Block ActiveX components (OCX files) used by IE on Windows, 
and by Windows Update.
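The keyword list and the proxy-filtering option above work together: a keyword filter can only match on the address it observes, and a remote proxy changes that address to the proxy's own. The following is an added illustration, not NETGEAR's code or a description of the FVS114's implementation. It assumes a case-insensitive substring match of each keyword against the destination host and path the filter observes, a constructed request-record format, and that a request is recognised as proxy use by its HTTP request-line form (absolute-form target or CONNECT, as defined in RFC 7230); the class and function names are likewise assumptions.

```python
"""Keyword-based web-address blocking in the style of the Block Sites menu,
plus the effect of the "Turn Proxy filtering on" option. Added illustration,
not NETGEAR's code: the matching rule (case-insensitive substring match on the
destination host and path the filter observes), the record format and all
names here are assumptions."""

MAX_KEYWORDS = 255  # Keyword list limit stated in the manual

# Constructed sample of what a LAN-side filter might observe per request:
# the client, the TCP destination host, and the first line of the HTTP request.
SAMPLE_REQUESTS = [
    {"client": "192.168.0.12", "dst": "news.example", "line": "GET /today HTTP/1.1"},
    {"client": "192.168.0.12", "dst": "casino-games.example", "line": "GET /slots HTTP/1.1"},
    {"client": "192.168.0.20", "dst": "proxy.example",
     "line": "GET http://casino-games.example/slots HTTP/1.1"},
    {"client": "192.168.0.20", "dst": "proxy.example", "line": "CONNECT mail.example:443 HTTP/1.1"},
]


def is_proxy_request(request_line):
    """True when the HTTP request line is addressed to a proxy.

    A client talking to a proxy sends an absolute-form target
    ("GET http://host/path HTTP/1.1") or a CONNECT tunnel request; a client
    talking directly to the origin server sends origin-form ("GET /path HTTP/1.1").
    """
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    method, target = parts[0].upper(), parts[1].lower()
    return method == "CONNECT" or target.startswith(("http://", "https://"))


class BlockSitesFilter:
    def __init__(self, keywords, block_proxies=False):
        cleaned = [k.strip().lower() for k in keywords if k.strip()]
        if len(cleaned) > MAX_KEYWORDS:
            raise ValueError(f"Keyword list is limited to {MAX_KEYWORDS} entries")
        self.keywords = cleaned
        self.block_proxies = block_proxies

    def matched_keyword(self, text):
        """First keyword that occurs in the observed address, or None."""
        text = text.lower()
        return next((k for k in self.keywords if k in text), None)

    def decide(self, req):
        """Return (action, reason) for one observed request."""
        proxied = is_proxy_request(req["line"])
        if proxied and self.block_proxies:
            return "BLOCK", "remote proxy use"
        # Assumption for this illustration: the address inspected is the TCP
        # destination plus the origin-form path. Through a remote proxy that
        # destination is the proxy itself, which is how a proxy hides the real
        # site from a keyword filter unless proxy use is blocked outright.
        observed = req["dst"] if proxied else req["dst"] + req["line"].split(" ")[1]
        hit = self.matched_keyword(observed)
        if hit:
            return "BLOCK", f"keyword '{hit}'"
        return "ALLOW", "no match"


def run(keywords, block_proxies, requests=SAMPLE_REQUESTS):
    """Evaluate every sample request; returns (client, dst, action, reason) tuples."""
    flt = BlockSitesFilter(keywords, block_proxies)
    return [(r["client"], r["dst"]) + flt.decide(r) for r in requests]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"proxy filtering {'on' if mode else 'off'}:")
        for client, dst, action, reason in run(["casino", "slots"], mode):
            print(f"  {client} -> {dst}: {action} ({reason})")
```

With proxy filtering off, the direct request to the keyword-matching host is blocked, but the same site reached through proxy.example is allowed because the filter only sees the proxy's address; with proxy filtering on, both proxy requests are refused regardless of their keyword match, which is the "force LAN users to connect directly" behaviour the option describes.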

Summary of Contents for FVS114NA

Page 1: ...202 10098 01 April 2005 202 10098 01 April 2005 NETGEAR Inc 4500 Great America Parkway Santa Clara CA 95054 USA Reference Manual for the ProSafe VPN Firewall FVS114...

Page 2: ...lar installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct...

Page 3: ...1 April 2005 iii Product and Publication Details Model Number FVS114 Publication Date April 2005 Product Family Router Product Name FVS114 ProSafe VPN Firewall Home or Business Product Business Langua...

Page 4: ...202 10098 01 April 2005 iv...

Page 5: ...and Management 2 4 Maintenance and Support 2 4 Package Contents 2 5 The FVS114 Front Panel 2 5 The FVS114 Rear Panel 2 6 NETGEAR Related Products 2 7 NETGEAR Product Registration Support and Document...

Page 6: ...4 11 Using a Schedule to Block or Allow Specific Traffic 4 13 Time Zone 4 14 Getting E Mail Notifications of Event Logs and Alerts 4 15 Viewing Logs of Web Access or Attempted Web Access 4 17 Syslog 4...

Page 7: ...g Automatic Key Management 6 2 IKE Policies Automatic Key and Authentication Management 6 3 VPN Policy Configuration for Auto Key Negotiation 6 5 VPN Policy Configuration for Manual Key Exchange 6 9 U...

Page 8: ...te Example 8 10 Enabling Remote Management Access 8 10 UPnP 8 13 Chapter 9 Troubleshooting Basic Functioning 9 1 Power LED Not On 9 1 LEDs Never Turn Off 9 2 LAN or Internet Port LEDs Not On 9 2 Troub...

Page 9: ...ful Packet Inspection B 11 Denial of Service Attack B 11 Ethernet Cabling B 11 Category 5 Cable Quality B 12 Inside Twisted Pair Cables B 13 Uplink Switches Crossover Cables and MDI MDIX Switching B 1...

Page 10: ...7 Install or Verify Windows Networking Components D 7 Enabling DHCP to Automatically Configure TCP IP Settings D 8 DHCP Configuration of TCP IP in Windows XP D 8 DHCP Configuration of TCP IP in Windo...

Page 11: ...Contents xi 202 10098 01 April 2005 B G 2 C G 3 D G 3 E G 4 G G 5 I G 5 L G 6 M G 7 P G 7 Q G 8 R G 9 S G 9 T G 9 U G 10 W G 10...

Page 12: ...202 10098 01 April 2005 xii Contents...

Page 13: ...de uses the following typographical conventions This guide uses the following formats to highlight special messages This manual is written for the FVS114 VPN Firewall according to these specifications...

Page 14: ...sing forwards or backwards through the manual one page at a time A button that displays the table of contents and an button Double click on a link in the table of contents or index to navigate directl...

Page 15: ...wing opens in a browser window Note Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files The Acrobat reader is available on the Adobe Web site at http w...

Page 16: ...Reference Manual for the ProSafe VPN Firewall FVS114 1 4 About This Manual 202 10098 01 April 2005...

Page 17: ...sers The FVS114 VPN Firewall provides you with multiple Web content filtering options plus browsing activity reporting and instant alerts both via e mail Parents and network administrators can establi...

Page 18: ...ddress or email pager whenever a significant event occurs With its content filtering feature the FVS114 prevents objectionable content from reaching your PCs The firewall allows you to control access...

Page 19: ...t TCP IP refer to Appendix B Network Routing and Firewall Basics IP Address Sharing by NAT The FVS114 VPN Firewall allows several networked PCs to share an Internet account using only a single IP addr...

Page 20: ...all automatically senses the type of Internet connection asking you only for the information required for your type of ISP account Diagnostic functions The firewall incorporates built in diagnostic fu...

Page 21: ...information Registration and Warranty Card If any of the parts are incorrect missing or damaged contact your NETGEAR dealer Keep the carton including the original packing materials in case you need to...

Page 22: ...n Power is supplied to the firewall TEST On Off The system is initializing The system is ready and running INTERNET 100 100 Mbps On Off The Internet WAN port is operating at 100 Mbps The Internet WAN...

Page 23: ...ired Notebooks WAG511 108 Mbps Dual Band PC Card WG511T 108 Mbps PC Card WG511 54 Mbps PC Card WG111 54 Mbps USB 2 0 Adapter MA521 802 11b PC Card FA511 CardBus Adapter FA120 USB 2 0 Adapter Desktops...

Page 24: ...Documentation is available on the Resource CD and at http kbserver netgear com When the VPN firewall router is connected to the Internet click the Knowledge Base or the Documentation link under the W...

Page 25: ...vice When you perform the VPN firewall router setup steps be sure to use the computer you first registered with your cable ISP For DSL Service You may need information such as the DSL login name e mai...

Page 26: ...ter d Disconnect the cable at the computer end only point A in the diagram e Look at the label on the bottom of the VPN firewall router Locate the Internet port Securely insert the Ethernet cable from...

Page 27: ...re connected and you are ready to restart your network 2 RESTART YOUR NETWORK IN THE CORRECT SEQUENCE Warning Failure to restart your network in the correct sequence could prevent you from connecting...

Page 28: ...Internet LINK ACT light should be lit If not make sure the Ethernet cable is securely attached to the VPN firewall router Internet port and the modem and the modem is powered on LOCAL A LOCAL light sh...

Page 29: ...nd DNS server addresses automatically which is usually so For help with this see Appendix D Preparing Your Network or the animated tutorials on the Resource CD 2 Click OK Follow the prompts to proceed...

Page 30: ...els on the front and back of the VPN firewall router identify the number of each LOCAL port Make sure the network settings of the computer are correct LAN connected computers must be configured to obt...

Page 31: ...ng http www routerlogin net basicsetting htm in the browser address bar and pressing Enter You will not be prompted for a user name or password This will enable you to manually configure the VPN firew...

Page 32: ...en press Enter Figure 3 6 Login URL 2 For security reasons the firewall has its own user name and password When prompted enter admin for the firewall user name and password for the firewall password b...

Page 33: ...e Knowledge Base or the Documentation link under the Web Support menu to view support information or the documentation for the VPN firewall router If you do not click Logout the VPN firewall router wi...

Page 34: ...n settings follow this procedure 1 Connect to the VPN firewall router by typing http www routerlogin net in the address field of your browser then press Enter 2 For security reasons the firewall has i...

Page 35: ...n manually configure the firewall using the Basic Settings menu shown in Figure 3 9 using these steps 1 Log in to the firewall at its default address of http www routerlogin net using a browser like I...

Page 36: ...tings take effect d Firewall s MAC Address This section determines the Ethernet MAC address that will be used by the firewall on the Internet port Some ISPs will register the Ethernet MAC address of t...

Page 37: ...PPPoE PPTP Telstra Bigpond Cable broadband connections select your Internet service provider from the drop down list Figure 3 10 Basic Settings ISP list b The screen will change according to the ISP...

Page 38: ...Reference Manual for the ProSafe VPN Firewall FVS114 3 14 Connecting the Firewall to the Internet 202 10098 01 April 2005...

Page 39: ...ames A firewall is a special category of router that protects one network the trusted network such as your LAN from another the untrusted network such as the Internet while allowing communication betw...

Page 40: ...menu Web Components You can use these to block undesirable Web componenents or behavior Select the desired options Turn Proxy filtering on Block use of a remote Proxy Server A Proxy Server can be used...

Page 41: ...wsing access enter the keyword Trusted User To specify a Trusted User enter that PC s IP address in the Trusted User box and click Apply You may specify one Trusted User which is a PC that will be exe...

Page 42: ...application source or destination IP addresses and time of day You can also choose to log traffic that matches or does not match the rule you have defined To create a new rule click the Add button To...

Page 43: ...AN of the Source Address As with the Source Address you can select Any a Single address or a Range unless NAT is enabled and the destination is the LAN In that case you must enter a Single LAN address...

Page 44: ...er or game server visible and available to the Internet The rule tells the firewall to direct inbound traffic for a particular service to one local server based on the destination port number This is...

Page 45: ...llow incoming videoconferencing to be initiated from a restricted range of outside IP addresses such as from a branch office you can create an inbound rule In the example shown in Figure 4 4 CU SEEME...

Page 46: ...eature in the LAN IP menu to keep the PC s IP address constant Each local PC must access the local server using the PC s local LAN address 192 168 0 99 in this example Attempts by local PCs to access...

Page 47: ...ck Instant Messenger usage by employees during working hours you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule th...

Page 48: ...Figure 4 6 Rules table For any traffic attempting to pass through the firewall the packet information is subjected to the rules in the order shown in the Rules table beginning at the top and proceedin...

Page 49: ...P Web server request The service numbers for many common protocols are defined by the Internet Engineering Task Force IETF and published in RFC1700 Assigned Numbers Service numbers for other applicati...

Page 50: ...om Service menu 2 Enter a descriptive name for the service so that you will remember what it is 3 Select whether the service uses TCP or UDP as its transport protocol If you can t determine which is u...

Page 51: ...r Allow Specific Traffic If you enabled content filtering in the Block Sites menu or if you defined an outbound rule to use a schedule you can set up a schedule for when blocking occurs or when access...

Page 52: ...Apply when you have finished configuring this page Time Zone The FVS114 VPN Firewall uses the Network Time Protocol NTP to obtain the current time and date from one of several Network Time Servers on...

Page 53: ...mail If your enable e mail notification these boxes cannot be blank Enter the name or IP address of your ISP s outgoing SMTP mail server such as mail myISP com You may be able to find this informatio...

Page 54: ...on your selection you may also need to specify Day for sending log Relevant when the log is sent weekly or daily Time for sending log Relevant when the log is sent daily or weekly If the Weekly Daily...

Page 55: ...oming and outgoing service requests hacker probes and administrator logins If you enable content filtering in the Block Sites menu the Log page will also show you when someone on your network tried to...

Page 56: ...try descriptions Field Description Date and Time The date and time the log entry was recorded Description or Action The type of event and what action was taken if any Source IP The IP address of the i...

Page 57: ...nced Virtual Private Networking How to Set Up a Client to Gateway VPN Configuration on page 5 5 provides the steps needed to configure a VPN tunnel between a remote PC and a network gateway using the...

Page 58: ...re access from a remote PC such as a telecommuter connecting to an office network see Figure 5 1 Figure 5 1 Client to gateway VPN tunnel A VPN client access allows a remote PC to connect to your netwo...

Page 59: ...ngs on one end to match the inbound VPN settings on other end and vice versa This set of configuration information defines a security association SA between the two VPN endpoints When planning your VP...

Page 60: ...ster but less secure than 3DES 3DES 3DES Triple DES achieves a higher level of security by encrypting the data three times using DES with three different unrelated keys AES AES Advanced Encryption Sta...

Page 61: ...C defaults see Table 5 1 on page 5 4 are not appropriate for your special circumstances How to Set Up a Client to Gateway VPN Configuration Setting up a VPN between a remote PC running the NETGEAR Pro...

Page 62: ...Wizard link in the main menu to display this screen Click Next to proceed Figure 5 4 VPN Wizard start screen 2 Fill in the Connection Name and the pre shared key select the type of target end point an...

Page 63: ...10098 01 April 2005 Figure 5 5 Connection Name and Remote IP Type The Summary screen below displays Figure 5 6 VPN Wizard Summary Enter the new Connection Name RoadWarrior in this example Enter the p...

Page 64: ...lick the here link see Figure 5 6 Click Back to return to the Summary screen Figure 5 7 VPNC Recommended Settings 3 Click Done on the Summary screen see Figure 5 6 to complete the configuration proced...

Page 65: ...isregard this message c Install the IPSec Component You may have the option to install either the VPN Adapter or the IPSec Component or both The VPN Adapter is not necessary d The system should show t...

Page 66: ...es not have to match the RoadWarrior Connection Name used on the gateway side of the VPN tunnel see Figure 5 5 because Connection Names are unrelated to how the VPN tunnel functions Tip Choose Connect...

Page 67: ...check box i Enter the public WAN IP Address of the FVS114 in the field directly below the ID Type menu In this example 22 23 24 25 would be used The resulting Connection Settings are shown in Figure 5...

Page 68: ...elect Certificate box c Select IP Address in the ID Type box If you are using a virtual fixed IP address enter this address in the Internal Network IP Address box Otherwise leave this box empty d In t...

Page 69: ...4 configuration a In the Network Security Policy list on the left side of the Security Policy Editor window expand the Security Policy heading by double clicking its name or clicking on the symbol b E...

Page 70: ...the Key Exchange subheading by double clicking its name or clicking on the symbol Then select Proposal 1 below Key Exchange Figure 5 15 Security Policy Editor Key Exchange b In the SA Life menu select...

Page 71: ...the NETGEAR ProSafe menu bar The NETGEAR ProSafe client will report the results of the attempt to connect Since the remote PC has a dynamically assigned WAN IP address it must initiate the request To...

Page 72: ...nitoring the Progress and Status of the VPN Client Connection Information on the progress and status of the VPN client connection can be viewed by opening the NETGEAR ProSafe Log Viewer 1 To launch th...

Page 73: ...A before the name of the connection When the connection is successful the SA will change to the yellow key symbol shown in the illustration above Transferring a Security Policy to Another Client This...

Page 74: ...Security Policy The following procedure Figure 5 21 enables you to import an existing security policy Step 1 Select Export Security Policy from the File pulldown Step 2 Click Export once you decide t...

Page 75: ...Step 1 Invoke the NETGEAR ProSafe VPN Client and select Import Security Policy from the File pulldown Step 2 Select the security policy to import In this example the security policy file is named FVS...

Page 76: ...anges of each VPN endpoint must be different The connection will fail if both are using the NETGEAR default address range of 192 168 0 x In this example LAN A uses 192 168 0 1 and LAN B uses 192 168 3...

Page 77: ...s of http 192 168 0 1 with its default user name of admin and password of password Click the VPN Wizard link in the main menu to display this screen Click Next to proceed Figure 5 23 VPN Wizard start...

Page 78: ...and click Next Figure 5 25 Remote IP 4 Identify the IP addresses at the target endpoint that can use this tunnel and click Next Figure 5 26 Secure Connection Remote Accessibility Enter the WAN IP addr...

Page 79: ...Reference Manual for the ProSafe VPN Firewall FVS114 Basic Virtual Private Networking 5 23 202 10098 01 April 2005 The Summary screen below displays Figure 5 27 VPN Wizard Summary...

Page 80: ...n and encryption settings used by the VPN Wizard click the here link see Figure 5 27 Click Back to return to the Summary screen Figure 5 28 VPN Recommended Settings 5 Click Done on the Summary screen...

Page 81: ...5 0 Preshared Key e g 12345678 7 Use the VPN Status screen to activate the VPN tunnel by performing the following steps a Open the FVS114 management interface and click on VPN Status under VPN to get...

Page 82: ...ing the VPN tunnel Use the VPN Status page Activate the VPN tunnel by pinging the remote endpoint Start Using a VPN Tunnel to Activate It To use a VPN tunnel use a Web browser to go to a URL whose IP...

Page 83: ...le remote endpoint LAN IP address To activate the VPN tunnel by pinging the remote endpoint 192 168 3 1 do the following steps depending on whether your configuration is client to gateway or gateway t...

Page 84: ...FVS114 Within two minutes the ping response should change from timed out to reply Note Use Ctrl C to stop the pinging Figure 5 35 Ping test results Once the connection is established you can open the...

Page 85: ...mine the status of a VPN tunnel perform the following steps 1 Log in to the VPN Firewall 2 Open the FVS114 management interface and click VPN Status under VPN to get the VPN Status Log screen Figure 5...

Page 86: ...emote VPN Endpoint Action the action will be either a Drop or a Connect button SLifeTime Secs the remaining Soft Lifetime for this SA in seconds When the Soft Lifetime becomes zero the SA Security Ass...

Page 87: ...tunnel you want to deactivate and click Apply To reactivate the tunnel check the Enable box and click Apply Using the VPN Status Page to Deactivate a VPN Tunnel To use the VPN Status page to deactiva...

Page 88: ...Log in to the VPN Firewall 2 Click VPN Policies under VPN to display the VPN Policies screen Figure 5 42 Select the radio button for the VPN tunnel to be deleted and click the Delete button Figure 5 4...

Page 89: ...king for a description on how to use the basic VPN features Overview of FVS114 Policy Based VPN Configuration The FVS114 uses state of the art firewall and security technology to facilitate controlled...

Page 90: ...ching VPN policies on both the local and remote FVS114 VPN Firewalls The outbound VPN policy on one end must match to the inbound VPN policy on other end and vice versa When the network traffic enters...

Page 91: ...8 01 April 2005 IKE Policies Automatic Key and Authentication Management Click the IKE Policies link from the VPN section of the main menu and then click the Add button of the IKE Policies screen to d...

Page 92: ...ns where the IP address of the remote client is unknown If Remote Access is selected the Exchange Mode must be Aggressive and the Identities below both Local and Remote must be Name On the matching VP...

Page 93: ...dentify the target remote FVS114 by name IKE SA Parameters These parameters determine the properties of the IKE Security Association Encryption Algorithm Choose the encryption algorithm for this IKE p...

Page 94: ...Reference Manual for the ProSafe VPN Firewall FVS114 6 6 Advanced Virtual Private Networking 202 10098 01 April 2005 Figure 6 3 VPN Auto Policy menu...

Page 95: ...main name By its IP Address Address Type The address type used to locate the remote VPN firewall or client to which you wish to connect By its Fully Qualified Domain Name FQDN your domain name By its...

Page 96: ...P Addresses Subnet Address Authenticating Header AH Configuration AH specifies the authentication protocol for the VPN header These settings must match the remote VPN endpoint Enable Authentication Us...

Page 97: ...licies link from the VPN section of the main menu to display the menu shown below Authentication Algorithm If you enable AH then use this menu to select which authentication algorithm will be employed...

Page 98: ...Reference Manual for the ProSafe VPN Firewall FVS114 6 10 Advanced Virtual Private Networking 202 10098 01 April 2005 Figure 6 4 VPN Manual Policy menu...

Page 99: ...address space The choices are ANY for all valid IP addresses in the Internet address space Single IP Address Range of IP Addresses Subnet Address Remote IP The drop down menu allows you to configure t...

Page 100: ...tication when you use ESP Two ESP modes are available Plain ESP encryption ESP encryption with authentication These settings must match the remote VPN endpoint SPI Incoming Enter a hexadecimal value 3...

Page 101: ...es are produced by providing the particulars of the user being identified to the CA The information provided may include the user s name e mail ID and domain name Enable Authentication Use this check...

Page 102: ...eans that the certificate is not revoked IKE can then use this certificate for authentication If the certificate is present in the CRL it means that the certificate is revoked and the IKE will not aut...

Page 103: ...4 to the Internet Gateway A s LAN interface has the address 10 5 6 1 and its WAN Internet interface has the address 14 15 16 17 Gateway B connects the internal LAN 172 23 9 0 24 to the Internet Gatewa...

Page 104: ...by reviewing the security settings as seen in the Figure 4 2 on page 4 4 Figure 6 6 LAN to LAN VPN access from an FVS114 to an FVS114 Use this scenario illustration and configuration screens as a mod...

Page 105: ...nternet IP Address menu b Configure the WAN Internet Address according to the settings above and click Apply to save your settings For more information on configuring the WAN IP settings in the Basic...

Page 106: ...IP address according to the settings above and click Apply to save your settings For more information on LAN TCP IP setup topics please see Configuring LAN TCP IP Setup Parameters on page 8 5 Note Aft...

Page 107: ...main menu VPN section click on the IKE Policies link and then click the Add button to display the screen below Figure 6 9 Scenario 1 IKE Policy b Configure the IKE Policy according to the settings in...

Page 108: ...licy button Figure 6 10 Scenario 1 VPN Auto Policy b Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings For more information on IKE Poli...

Page 109: ...on and click the Diagnostics link b To test connectivity to the WAN port of Gateway B enter 22 23 24 25 and then click Ping c This causes a ping to be sent to the WAN interface of Gateway B Within two...

Page 110: ...r instructions on this topic see Time Zone on page 4 14 1 Obtain a root certificate a Obtain the root certificate that includes the public key from a Certificate Authority CA Note The procedure for ob...

Page 111: ...ificate Subject This is the name that other organizations will see as the holder owner of this certificate This should be your registered business name or official company name Generally all certifica...

Page 112: ...s shown below Figure 6 12 Self Certificate Request data 4 Transmit the Self Certificate Request data to the Trusted Root CA a Highlight the text in the Data to supply to CA area copy it and paste it i...

Page 113: ...cate back from the Trusted Root CA and save it as a text file Note In the case of a Windows 2000 internal CA the CA administrator might simply email it to back to you Follow the procedures of your CA...

Page 114: ...lf Certificates table 7 Associate the new certificate and the Trusted Root CA certificate on the FVS114 a Create a new IKE policy called Scenario_2 with all the same properties of Scenario_1 see Scena...

Page 115: ...t file Note The procedure for obtaining a CRL differs from a CA like Verisign and a CA such as a Windows 2000 certificate server which an organization operates for providing certificates for its membe...

Page 116: ...Reference Manual for the ProSafe VPN Firewall FVS114 6 28 Advanced Virtual Private Networking 202 10098 01 April 2005...

Page 117: ...all These features can be found by clicking on the Maintenance heading in the main menu of the browser interface Viewing VPN Firewall Status Information The Router Status menu provides status and usag...

Page 118: ...e Internet IP Subnet Mask The IP Subnet Mask being used by the Internet WAN port of the firewall DHCP The protocol on the WAN port used to obtain the WAN IP address This field can show DHCP Client Fix...

Page 119: ...n Connection Time The length of time the firewall has been connected to your Internet service provider s network Connection Method The method used to obtain an IP address from your Internet service pr...

Page 120: ...mitted on this interface since reset or manual clear RxPkts The number of packets received on this interface since reset or manual clear Collisions The number of collisions on this interface since res...

Page 121: ...o force the firewall to look for attached devices click the Refresh button Upgrading the Firewall Software The routing software of the FVS114 VPN Firewall is stored in FLASH memory and can be upgraded...

Page 122: ...ading a new page If the browser is interrupted it may corrupt the software When the upload is complete your firewall will automatically restart The upgrade process will typically take about one minute...

Page 123: ...gful name at this time such as sanjose cfg Restoring the Configuration To restore your settings from a saved configuration file enter the full path to the file on your PC or click the Browse button to...

Page 124: ...d NETGEAR recommends that you change this password to a more secure password From the main menu of the browser interface under the Maintenance heading select Set Password to bring up this menu Figure...

Page 125: ...his will list all Routers between the source this device and the destination IP address The Trace Route results will be displayed in a new screen click Back to return to the Diagnostics screen Perform...

Page 126: ...e 202 10098 01 April 2005 Note Rebooting will break any existing connections either to the Router such as this one or through the Router for example LAN users accessing the Internet However connection...

Page 127: ...uter to respond to a ping from the internet Both of these options have security issues so use them carefully Figure 8 1 WAN Setup menu Connect Automatically as Required Normally this option should be...

Page 128: ...need to reduce the MTU But this is rarely required and should not be done unless you are sure it is necessary for your ISP connection Port Speed In most cases your router can automatically determine...

Page 129: ...ddress you will not know in advance what your IP address will be and the address can change frequently In this case you can use a commercial dynamic DNS service which will allow you to register your d...

Page 130: ...chosen for the firewall 2 From the main menu of the browser interface under Advanced click on Dynamic DNS Figure 8 2 Dynamic DNS page 3 Access the Web site of one of the dynamic DNS service providers...

Page 131: ...tup to view the menu shown below Figure 8 3 LAN IP Setup Menu Configuring LAN TCP IP Setup Parameters The firewall is shipped preconfigured to use private IP addresses on the LAN side and to act as a...

Page 132: ...ng information with other firewalls The RIP Direction selection controls how the firewall sends and receives RIP packets Both is the default When set to Both or Out Only the firewall broadcasts its ro...

Page 133: ...ear the Use router as DHCP server check box Otherwise leave it checked To specify the pool of IP addresses to be assigned set the Starting IP Address and Ending IP Address These addresses should be pa...

Page 134: ...contacts the firewall s DHCP server Reboot the PC or access its IP configuration and force a DHCP release and renew To edit or delete a reserved address entry 1 Click the button next to the reserved...

Page 135: ...or this static route in the Route Name box This is for identification purpose only 3 Select Private if you want to limit access to the LAN only The static route will not be reported in RIP 4 Select Ac...

Page 136: ...ur local network for all 192 168 0 x addresses With this configuration if you attempt to access a device on the 134 177 0 0 network your firewall will forward your request to the ISP The ISP forwards...

Page 137: ...select Everyone b To allow access from a range of IP addresses on the Internet select IP address range Enter a beginning and ending IP address to define the allowed range c To allow access from a sin...

Page 138: ...your browser followed by a colon and the custom port number For example if your WAN IP address is 134 177 0 123 and you use port number 8080 type the following in your browser https 134 177 0 123 808...

Page 139: ...ter durations will ensure that control points have current device status at the expense of additional network traffic Longer durations may compromise the freshness of the device status but can signifi...

Page 140: ...Manual for the ProSafe VPN Firewall FVS114 8 14 Advanced Configuration 202 10098 01 April 2005 Click Refresh to update the portmap table and to show the active ports that are currently opened by UPnP...

Page 141: ...e connected c The Internet port LED is lit If a port s LED is lit a link has been established to the connected device If a LAN port is connected to a 100 Mbps device verify that the port s LED is gree...

Page 142: ...t Configuration and Password on page 9 7 If the error persists you might have a hardware problem and should contact technical support LAN or Internet Port LEDs Not On If either the LAN LEDs or Interne...

Page 143: ...all and reboot your PC If your firewall s IP address has been changed and you don t know the current IP address clear the firewall s configuration to factory defaults This will set the firewall s IP a...

Page 144: ...ain an IP address from the ISP you may need to force your cable or DSL modem to recognize your new firewall by performing the following procedure 1 Turn off power to the cable or DSL modem 2 Turn off...

Page 145: ...not have the firewall configured as its TCP IP gateway If your PC obtains its information from the firewall by DHCP reboot the PC and verify the gateway address Troubleshooting a TCP IP Network Using...

Page 146: ...IP address for your firewall and your workstation are correct and that the addresses are on the same subnet Testing the Path from Your PC to a Remote Device After verifying that the LAN path works co...

Page 147: ...ion of the firewall see Erasing the Configuration on page 7 7 Use the Reset button on the rear panel of the firewall Use this method for cases when the administration password or IP address are not kn...

Page 149: ...1 RIP 2 DHCP PPP over Ethernet PPPoE Power Adapter North America 120V 60 Hz input United Kingdom Australia 240V 50 Hz input Europe 230V 50 Hz input Japan 100V 50 60 Hz input All regions output 12 V D...

Page 150: ...A 2 Technical Specifications 202 10098 01 April 2005 Electromagnetic Emissions Meets requirements of FCC Part 15 Class B VCCI Class B EN 55 022 CISPR 22 Class B Interface Specifications LAN 10BASE T...

Page 151: ...edures for the Internet The documents are listed on the World Wide Web at www ietf org and are mirrored and indexed at many other sites worldwide Basic Router Concepts Large amounts of bandwidth can b...

Page 152: ...col RIP Using RIP routers periodically update one another and check for changes to add to the routing table The FVS114 VPN Firewall supports both the older RIP 1 and the newer RIP 2 protocols Among ot...

Page 153: ...ess type begins with a unique bit pattern which is used by the TCP IP software to identify the address class After the address class has been determined the software can correctly identify the host se...

Page 154: ...range host address of all ones is not assigned but is used as the broadcast address for simultaneously sending a packet to all hosts with the same network address Netmask In each of the address class...

Page 155: ...address into smaller multiple physical networks known as subnetworks Some of the node numbers are used as a subnet number instead A Class B address gives us 16 bits of node numbers translating to 64 0...

Page 156: ...135 129 to 192 68 135 254 The following table lists the additional subnet mask bits in dotted decimal notation To use the table write down the original class netmask and replace the 0 value octets wit...

Page 157: ...sts without problems However the IANA has reserved the following three blocks of IP addresses specifically for private networks 10 0 0 0 10 255 255 255 172 16 0 0 172 31 255 255 192 168 0 0 192 168 25...

Page 158: ...al LAN IP addresses to a single address that is globally unique on the Internet The internal LAN IP addresses can be either private addresses or registered addresses For more information about IP addr...

Page 159: ...o the ARP request All other stations discard the request Related Documents The station with the correct IP address responds with its own MAC address directly to the sending device The receiving statio...

Page 160: ...a Dynamic Host Configuration Protocol DHCP server The DHCP server stores a list or pool of IP addresses along with other information such as gateway and DNS addresses that it may assign to the other d...

Page 161: ...ewall to analyze groups of network connection states Using Stateful Packet Inspection an incoming packet is intercepted at the network layer and then analyzed for state related information associated...

Page 162: ...egory 5 Only 0 5 inch 1 5 cm of untwist in the wire pair is allowed at any termination point A twisted pair Ethernet network operating at 10 Mbits second 10BASE T will often tolerate low quality cable...

Page 163: ...omputers and workstation adapter cards are usually media dependent interface ports called MDI or uplink ports Most repeaters and switch ports are configured as media dependent interfaces with built in...

Page 164: ...to as Media Dependent Interface Crossover MDI X When connecting a PC to a PC or a hub port to another hub port the transmit pair must be exchanged with the receive pair This exchange is done by one o...

Page 165: ...port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection e g connecting to a PC or an uplink connection e g connecting to a router switch or hub...

Page 167: ...e data flowing across the network is protected by encryption technologies Private networks lack data security so data attackers can tap directly into the network and read the data IPSec based VPNs use...

Page 168: ...inexpensively installed on existing Internet connections What Is IPSec and How Does It Work IPSec is an Internet Engineering Task Force IETF standard suite of protocols that provides data authenticati...

Page 169: ...eable identifier for each packet which is a data equivalent of a fingerprint This fingerprint allows the device to determine if a packet has been tampered with Furthermore packets that are not authent...

Page 170: ...addition AH does not protect the data s confidentiality If data is intercepted and only AH is used the message contents can be read ESP protects data confidentiality For added protection in certain c...

Page 171: ...he new IP packet contains the old IP header with the source and destination IP addresses unchanged and the processed packet payload Transport mode does not shield the information in the IP header ther...

Page 172: ...The VPN Consortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard The case studi...

Page 173: ...most cases each gateway will have a public facing address WAN side and a private facing address LAN side These addresses are referred to as the network interface in documentation regarding the constru...

Page 174: ...nderstand how to open specific protocols ports and addresses that you intend to allow VPN Tunnel Between Gateways A Security Association SA frequently called a tunnel is the set of information that al...

Page 175: ...below the most common method of accomplishing this process is via the Internet Key Exchange IKE protocol which automates some of the negotiation procedures Figure C 6 IPSec Security Association SA ne...

Page 176: ...tion algorithms to use in the IPSec SAs b The master key is used to derive the IPSec keys for the SAs Once the SA keys are created and exchanged the IPSec SAs are ready to protect user data between th...

Page 177: ...f IKE negotiation is working Common problems encountered in setting up VPNs include Parameters may be configured differently on Gateway A and Gateway B Two LANs set up with similar or overlapping addr...

Page 178: ...November 1998 RFC 2407 D Piper The Internet IP Security Domain of Interpretation for ISAKMP November 1998 RFC 2474 K Nichols S Blake F Baker D Black Definition of the Differentiated Services Field DS...

Page 179: ...the software components for establishing a TCP IP network Windows 3 1 does not include a TCP IP component You need to purchase a third party TCP IP application package such as NetManage Chameleon Maci...

Page 180: ...firewall assigns the following TCP IP configuration information automatically when the PCs are rebooted PC or workstation IP addresses 192 168 0 2 through 192 168 0 254 Subnet mask 255 255 255 0 Gatew...

Page 181: ...steps a Click the Add button b Select Adapter and then click Add c Select the manufacturer and model of your Ethernet adapter and then click OK If you need TCP IP a Click the Add button b Select Prot...

Page 182: ...way to configure this information is to allow the PC to obtain the information from a DHCP server in the network You will find there are many similarities in the procedures for different Windows syst...

Page 183: ...5 202 10098 01 April 2005 Verify the following settings as shown Client for Microsoft Network exists Ethernet adapter is present TCP IP is present Primary Network Logon is set to Windows logon Click...

Page 184: ...d click Next 5 Uncheck all boxes in the LAN Internet Configuration screen and click Next 6 Proceed to the end of the Wizard Verifying TCP IP Properties After your PC is configured and has rebooted you...

Page 185: ...r IP Networking As part of the PC preparation process you may need to install and configure TCP IP on each networked PC Before starting locate your Windows CD you may need to insert it during the TCP...

Page 186: ...ill walk you through the configuration process for each of these versions of Windows DHCP Configuration of TCP IP in Windows XP Locate your Network Neighborhood icon Select Control Panel from the Wind...

Page 187: ...atus window This box displays the connection status duration speed and activity statistics Administrator logon access rights are needed to use this window Click the Properties button to view details a...

Page 188: ...default and set to DHCP without your having to configure it However if there are problems follow these steps to configure TCP IP with DHCP for Windows 2000 Verify that the Obtain an IP address automat...

Page 189: ...l up Connections Right click on Local Area Connection and select Properties The Local Area Connection Properties dialog box appears Verify that you have the correct Ethernet card selected in the Conne...

Page 190: ...Internet Protocol TCP IP Properties dialogue box Verify that Obtain an IP address automatically is selected Obtain DNS server address automatically is selected Click OK to return to Local Area Connect...

Page 191: ...network card you need to configure the TCP IP environment for Windows NT 4 0 Follow this procedure to configure TCP IP with DHCP in Windows NT 4 0 Choose Settings from the Start Menu and then select C...

Page 192: ...Reference Manual for the ProSafe VPN Firewall FVS114 D 14 Preparing Your Network 202 10098 01 April 2005 Highlight the TCP IP Protocol in the Network Protocols box and click on the Properties button...

Page 193: ...figuration information will be listed and should match the values below if you are using the default TCP IP settings that NETGEAR recommends for connecting through a router or gateway The IP address i...

Page 194: ...n each networked Macintosh you will need to configure TCP IP to use DHCP MacOS 8 6 or 9 x 1 From the Apple menu select Control Panels then TCP IP The TCP IP Control Panel opens 2 From the Connect via...

Page 195: ...k the TCP IP configuration by returning to the TCP IP Control Panel From the Apple menu select Control Panels then TCP IP The panel is updated to show your settings which should match the values below...

Page 196: ...ternet port is connected to the broadband modem the firewall appears to be a single PC to the ISP The firewall then allows the PCs on the local network to masquerade as the single PC to access the Int...

Page 197: ...These procedures are described next Obtaining ISP Configuration Information for Windows Computers As mentioned above you may need to collect configuration information from your PC so that you can use...

Page 198: ...r Macintosh so that you can use this information when you configure the FVS114 VPN Firewall Following this procedure is only necessary when your ISP does not dynamically supply the account information...

Page 199: ...rk with the firewall you must reset the network for the devices to be able to communicate correctly Restart any computer that is connected to the FVS114 VPN Firewall After configuring all of your comp...

Page 201: ...ption keys 802 1x uses a protocol called EAP Extensible Authentication Protocol and supports multiple authentication methods such as token cards Kerberos one time passwords certificates and public key...

Page 202: ...es the algorithm to behave slightly differently so the increasing key sizes not only offer a larger number of bits with which you can scramble the data but also increase the complexity of the cipher a...

Page 203: ...in four twisted pairs and terminated with an RJ45 type connector In addition there are restrictions on maximum cable length for both 10 and 100 Mbits second networks Certificate Authority A Certificat...

Page 204: ...ber of predefined top level suffixes such as com edu uk etc For example in the address mail NETGEAR com mail is a server name and NETGEAR com is the domain DSL Short for digital subscriber line but is...

Page 205: ...t Control Message Protocol ICMP is an extension to the Internet Protocol IP that supports packets containing error control and informational messages The PING command for example uses ICMP to test an...

Page 206: ...er The most widely used version of IP today is IP version 4 IPv4 However IP version 6 IPv6 is also beginning to be supported IPv6 provides for much longer addresses and therefore for the possibility o...

Page 207: ...nterface card Usually written in the form 01 23 45 67 89 ab Maximum Receive Unit The size in bytes of the largest packet that can be sent or received Maximum Transmit Unit The size in bytes of the lar...

Page 208: ...on connection by simulating a dial up connection PPP over Ethernet PPPoE PPP over Ethernet is a protocol for connecting remote hosts to the Internet over an always on connection by simulating a dial u...

Page 209: ...documents published by the Internet Engineering Task Force IETF proposing standard protocols and procedures for the Internet RFCs can be found at www ietf org router A device that forwards data betwe...

Page 210: ...the Internet from behind a firewall The proxy server listens for requests from clients within the firewall and forwards these requests to remote Internet servers outside the firewall The proxy server...
