NETGEAR FVS328 - ProSafe VPN Firewall Reference Manual Download Page 92 | Manualshive

Page: 92 / 228

background image

Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

7-18

Virtual Private Networking

May 2004, 202-10031-01

In order to help make it easier to set up an IPsec system, the following two scenarios are provided.
These scenarios were developed by the VPN Consortium (

http://www.vpnc.org

). The goal is to

make it easier to get the systems from different vendors to interoperate. NETGEAR is providing
you with both of these scenarios in the following two formats:

•

VPN Consortium Scenarios without any product implementation details

•

VPN Consortium Scenarios based on the FVS328 user interface

The purpose of providing these two versions of the same scenarios is to help you determine where
the two vendors use different vocabulary. Seeing the examples presented in these different ways
will reveal how systems from different vendors do the same thing. See

Appendix E, “Virtual

Private Networking

” for a full discussion of VPN and the configuration templates NETGEAR

developed for publishing multi-vendor VPN integration configuration case studies.

VPNC Scenario 1: Gateway-to-Gateway with Preshared Secrets

The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.

Figure 7-10: VPN Consortium Scenario 1

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has
the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.

Note:

See

Appendix F, “NETGEAR VPN Configuration FVS318 or FVM318 to

FVS328

for a detailed procedure for configuring VPN communications between a

NETGEAR FVS318 and a FVS328. NETGEAR publishes additional interoperability
scenarios with various gateway and client software products. Look on the NETGEAR
Web site at

www.netgear.com/support/main.asp

for more details.

10.5.6.0/24

10.5.6.1

Gateway A

14.15.16.17

22.23.24.25

172.23.9.0/24

Internet

Gateway B

172.23.9.1

«
...
90
91
92
93
94
...
»

Summary of Contents for FVS328 - ProSafe VPN Firewall

Page 1: ...May 2004 202 10031 01 202 10031 01 May 2004 NETGEAR Inc 4500 Great America Parkway Santa Clara CA 95054 USA Phone 1 888 NETGEAR Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual...

Page 2: ...N 55 022 Declaration of Conformance This is to certify that the FVS328 ProSafe VPN Firewall with Dial Back up is shielded against the generation of radio interference in accordance with the applicatio...

Page 3: ...ference VCCI Statement This equipment is in the second category information equipment to be used in a residential area or an adjacent area thereto and conforms to the standards set by the Voluntary Co...

Page 4: ...May 2004 202 10031 01 iv...

Page 5: ...Virtual Private Networking 2 2 A Powerful True Firewall 2 2 Content Filtering 2 3 Configurable Auto Uplink Ethernet Connection 2 3 Protocol Support 2 3 Easy Installation and Management 2 4 What s in...

Page 6: ...Basic Requirements for Serial Port Modem Configuration 4 2 How to Configure a Serial Port Modem 4 2 Configuring Auto Rollover 4 3 Basic Requirements for Auto Rollover 4 3 How to Configure Auto Rollove...

Page 7: ...xamples of Using Services and Rules to Regulate Traffic 6 8 Inbound Rules Port Forwarding 6 8 Example Port Forwarding to a Local Public Web Server 6 9 Example Port Forwarding for Videoconferencing 6 9...

Page 8: ...Remote Management 8 1 Viewing Router Status and Usage Statistics 8 3 Viewing Attached Devices 8 6 Viewing Selecting and Saving Logged Information 8 7 Changing the Include in Log Settings 8 9 Enabling...

Page 9: ...bound Log B 1 Inbound Log B 2 Other IP Traffic B 2 Router Operation B 3 Other Connections and Traffic to this Router B 4 DoS Attack Scan B 4 Access Block Site B 6 All Web Sites and News Groups Visited...

Page 10: ...dows Internet Access Method D 4 Verifying TCP IP Properties D 5 Configuring Windows NT 2000 or XP for IP Networking D 5 Installing or Verifying Windows Networking Components D 5 Verifying TCP IP Prope...

Page 11: ...g and Troubleshooting E 11 Additional Reading E 11 Appendix F NETGEAR VPN Configuration FVS318 or FVM318 to FVS328 Configuration Profile F 1 Step By Step Configuration of FVS318 or FVM318 Gateway A F...

Page 12: ...H 2 Step By Step Configuration of the Netgear VPN Client B H 7 Testing the VPN Connection H 14 From the Client PC to the FVS328 H 14 From the FVS328 to the Client PC H 15 Monitoring the PC VPN Connec...

Page 13: ...firewall and VPN technology tutorial information is provided in the Appendices and on the NETGEAR Web site Scope This manual is written for the FVS328 Firewall according to these specifications Table...

Page 14: ...Formats This guide uses the following formats to highlight special messages Table 1 2 Typographical conventions italics Emphasis bold times roman User input Enter Named keys in text are shown enclose...

Page 15: ...JavaScript enabled 2 Toolbar buttons Use the toolbar buttons across the top to navigate print pages and more The Show in Contents button locates the current topic in the Contents tab Previous Next bu...

Page 16: ...at the top right of any page Click the PDF of This Chapter link at the top right of any page in the chapter you want to print A new browser window opens showing the PDF version of the chapter you were...

Page 17: ...rnet sharing routers that rely on Network Address Translation NAT for security the FVS328 uses Stateful Packet Inspection for Denial of Service DoS attack protection and intrusion detection The 8 port...

Page 18: ...patible with many other VPN products Support for up to 168 bit encryption 3DES for maximum security Support for VPN Main Mode Aggressive mode or Manual Keying Support for Fully Qualified Domain Name F...

Page 19: ...f to the correct configuration This feature also eliminates the need to worry about crossover cables as Auto Uplink will accommodate either type of cable to make the right connection Protocol Support...

Page 20: ...ins a client that can connect to many popular Dynamic DNS services to register your dynamic IP address See Configuring Dynamic DNS on page 5 6 Easy Installation and Management You can install configur...

Page 21: ...SPs like Telstra DSL and BigPond or Deutsche Telekom What s in the Box The product package should contain the following items FVS328 ProSafe VPN Firewall with Dial Back up AC power adapter FVS328 Reso...

Page 22: ...MODEM On Blinking The port detected a link with the Internet WAN connection or Remote Access Server Blinking indicates data transmission INTERNET 100 On Blinking The Internet port is operating at 100...

Page 23: ...he rear panel contains the following elements DB 9 serial port for modem connection Reset Factory Default push button push to reset push and hold for 20 seconds to reset to factory default settings Ei...

Page 24: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual 2 8 Introduction May 2004 202 10031 01...

Page 25: ...ardware Requirements The FVS328 Firewall connects to your LAN via twisted pair Ethernet cables To use the FVS328 Firewall on your network each computer must have an installed Ethernet Network Interfac...

Page 26: ...this information you can ask your ISP to provide it or you can try one of the options below If you have a computer already connected using the active Internet access account you can gather the configu...

Page 27: ...t IP Address ______ ______ ______ ______ Subnet Mask ______ ______ ______ ______ Gateway IP Address ______ ______ ______ ______ ISP DNS Server Addresses If you were given DNS server addresses fill in...

Page 28: ...your broadband modem c Connect a Cat 5 Ethernet cable from the Internet port of the FVS328 to the broadband modem d Connect the Cat 5 Ethernet cable which came with the firewall from your computer to...

Page 29: ...1 FVS328 status lights Check the status lights and verify the following Power The power light goes on when your turn the firewall on Test The Test light turns on blinks then goes off solid after less...

Page 30: ...Navigator c For security reasons the router has its own user name and password When prompted enter admin for the router user name and password for the router password both in lower case letters Note...

Page 31: ...se the Setup Wizard you can manually configure your Internet connection settings by following the procedure Manually Configuring Your Internet Connection on page 3 14 Unless your ISP automatically ass...

Page 32: ...cess the Internet When you start an Internet application the firewall will automatically log you in 3 Enable or disable NAT Network Address Translation NAT allows all LAN computers to gain Internet ac...

Page 33: ...DNS addresses to the firewall during login select Use these DNS servers and enter the IP address of your ISP s Primary DNS Server If a Secondary DNS Server address is available enter it also A DNS se...

Page 34: ...ing an Internet name such as www netgear com to a numeric IP address For a fixed IP address configuration you must obtain DNS server addresses from your ISP and enter them manually here You should reb...

Page 35: ...configuration menu c Fill in the ISDN or analog ISP Internet configuration parameters as appropriate For a Dial up Account enter the Account information Check Connect as required to enable the firewal...

Page 36: ...28000 bps For dial up modems 56000 bps would be a typical setting Select the Modem Type For ISDN select Permanent connection leased line For dial up select your modem from the list Standard Modem shou...

Page 37: ...our network Your firewall automatically connects to the Internet when one of your computers requires access It is not necessary to run a dialer or login application such as Dial Up Networking or Enter...

Page 38: ...031 01 Manually Configuring Your Internet Connection You can manually configure your firewall using the menu below or you can allow the Setup Wizard to determine your configuration as described in the...

Page 39: ...AT select the Disable radio button Before disabling NAT back up your current configuration settings 5 Internet IP Address If your ISP assigned you a permanent fixed IP address for your PC select Use s...

Page 40: ...d They will then only accept traffic from the MAC address of that PC This feature allows your firewall to masquerade as that PC by cloning its MAC address To change the MAC address select Use this Com...

Page 41: ...configuration options Modem Use this option to configure the serial modem settings for any of the features below Auto Rollover Use this option to provide a backup connection for your broadband servic...

Page 42: ...A serial analog or ISDN modem 2 A serial modem cable with a DB9 connector 3 An active phone or ISDN line How to Configure a Serial Port Modem Follow the steps below to configure a serial port modem 1...

Page 43: ...rea of the NETGEAR web site 3 Click Apply to save your settings Configuring Auto Rollover You can configure the serial port of the FVS328 to provide an auto rollover backup connection for your broadba...

Page 44: ...onfiguration menu 3 Configure the Auto Rollover settings 4 Click Apply for the changes to take effect Configuring Dial in on the Serial Port Dial in lets a single remote computer connect to the FVS328...

Page 45: ...modem properly configured and attached to the DB9 connector on the serial port 4 The Dial in settings configured and applied to the FVS328 How to Configure Dial in Follow the steps below to configure...

Page 46: ...alog phone line with an active ISDN or dial up ISP account 2 A serial modem properly configured and attached to the DB9 connector on the serial port 3 A broadband connection to one FVS328 for LAN to L...

Page 47: ...l Serial Port Configuration 4 7 May 2004 202 10031 01M 10207 01 Reference Manual v2 Figure 4 5 LAN to LAN configuration menu 3 Configure the LAN to LAN settings Note The LAN subnet address of each FVS...

Page 48: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual 4 8 Serial Port Configuration May 2004 202 10031 01M 10207 01 Reference Manual v2...

Page 49: ...ess range for use in private networks and should be suitable in most applications If your network has a requirement to use a different IP addressing scheme you can make those changes The LAN TCP IP Se...

Page 50: ...will be assigned to the attached PCs from a pool of addresses specified in this menu Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN For most applications the...

Page 51: ...a Primary DNS address in the Basic Settings menu otherwise the firewall s LAN IP address Secondary DNS Server if you entered a Secondary DNS address in the Basic Settings menu How to Configure LAN TCP...

Page 52: ...of the PC or server Note If the PC is already present on your network you can copy its MAC address from the Attached Devices menu and paste it here 4 Click Apply to enter the reserved address into th...

Page 53: ...roperly with them but there are other applications that may not function well In some cases one local PC can run the application properly if that PC s IP address is entered as the default DMZ server I...

Page 54: ...MTU size 1 Under MTU Size select Custom 2 Enter a new size between 64 and 1500 3 Click Apply to save the new configuration Configuring Dynamic DNS If your network has a permanently assigned IP address...

Page 55: ...Using Static Routes Static Routes provide additional routing information to your firewall Under normal circumstances the firewall has adequate routing information after it has been configured for Inte...

Page 56: ...re 5 3 In this example The Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 134 177 x x addresses The Gateway IP Address fields specifies that all traffic...

Page 57: ...want to limit access to the LAN only The static route will not be reported in RIP e Type the Destination IP Address of the final destination f Type the IP Subnet Mask for this destination If the desti...

Page 58: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual 5 10 WAN and LAN Configuration May 2004 202 10031 01...

Page 59: ...Note The user name and password are not the same as any user name or password your may use to log in to your Internet connection NETGEAR recommends that you change this password to a more secure passw...

Page 60: ...do a new backup so that the saved settings file includes the new password How to Change the Administrator Login Timeout For security the administrator s login to the firewall configuration will time o...

Page 61: ...estrict access based on the following categories Use of a proxy server Type of file Java ActiveX Cookie Web addresses Web address keywords These options are discussed below The Keyword Blocking menu i...

Page 62: ...only Web sites with other domain suffixes such as edu or gov can be viewed If you want to block all Internet browsing access enter the keyword Up to 255 entries are supported in the Keyword list To sp...

Page 63: ...8 already holds a list of many service port numbers you are not limited to these choices Use the Services menu to add additional services and applications to the list for use in defining firewall rule...

Page 64: ...o private resources selectively allowing only specific outside users to access specific resources Outbound rules LAN to WAN determine what outside resources local users can have access to A firewall h...

Page 65: ...list already displays many common services but you are not limited to these choices Use the Services menu to add any additional services or applications that do not already appear Action Choose how yo...

Page 66: ...when setting up port forwarding inbound rules If your external IP address is assigned dynamically by your ISP the IP address may change periodically as the DHCP lease expires Consider using the Dynami...

Page 67: ...any outside IP address to the IP address of your Web server any time of day Figure 6 4 Rule example A Local Public Web Server This rule is shown in Figure 6 4 Example Port Forwarding for Videoconferen...

Page 68: ...arameters Figure 6 5 Rule example Videoconference from Restricted Addresses Example Port Forwarding for VPN Tunnels when NAT is Off If you want to allow incoming VPN IPSec tunnels to be initiated from...

Page 69: ...ress Outbound Rules Service Blocking or Port Filtering The FVS328 allows you to block the use of certain Internet services by computers on your network This is called service blocking or port filterin...

Page 70: ...nstant Messenger Other Rules Considerations The order of precedence of rules is determined by the position of the rule on a list of many rules Also there are optional Rules settings you can configure...

Page 71: ...Normally this should NOT be checked Block TCP flood If checked when a TCP flood attack is detected the port used will be closed and no traffic will be able to use that port Block UDP flood If checked...

Page 72: ...lt User Name of admin default password of password or using whatever password and LAN address you have chosen for the firewall 2 Click Schedule on the Security menu to display menu shown below Figure...

Page 73: ...s blocking in the Block Services menu or Port forwarding in the Ports menu you can set up a schedule for when blocking occurs or when access isn t restricted 1 Log in to the firewall at its default LA...

Page 74: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual 6 16 Protecting Your Network May 2004 202 10031 01...

Page 75: ...e FVS328 uses state of the art firewall and security technology to facilitate controlled and actively monitored VPN connectivity Since the FVS328 strictly conforms to Internet Engineering Task Force I...

Page 76: ...to the inbound VPN parameters on other end and vice versa When the network traffic enters into the FVS328 from the LAN network interface if there is no VPN policy found for a type of network traffic t...

Page 77: ...2004 202 10031 01 IKE Policies Automatic Key and Authentication Management Click the IKE Policies link from the VPN section of the main menu and then click the Add button of the IKE Policies screen to...

Page 78: ...coming client connections where the IP address of the remote client is unknown If Remote Access is selected the Exchange Mode MUST be Aggressive and the Identities below both Local and Remote MUST be...

Page 79: ...3DES is more secure and is the default Authentication Algorithm If you enable Authentication Headers AH this menu lets you select from these authentication algorithms MD5 the default SHA 1 more secur...

Page 80: ...orking May 2004 202 10031 01 VPN Policy Configuration for Auto Key Negotiation An already defined IKE policy is required for VPN Auto Policy configuration From the VPN Policies section of the main men...

Page 81: ...endpoint must have this FVS328 s Local Identity Data entered as its Remote VPN Endpoint By its IP Address By its Fully Qualified Domain Name FQDN your domain name SA Life Time The duration of the Secu...

Page 82: ...unnel preventing for example remote management or response to ping Single IP Address Range of IP Addresses Subnet Address Authenticating Header AH Configuration AH specifies the authentication protoco...

Page 83: ...olicies link from the VPN section of the main menu to display the menu shown below Authentication Algorithm If you enable AH then use this menu to select which authentication algorithm will be employe...

Page 84: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual 7 10 Virtual Private Networking May 2004 202 10031 01 Figure 7 4 VPN Manual Policy Menu...

Page 85: ...be established If network traffic meets all criteria then a VPN tunnel will be created Local IP The drop down menu allows you to configure the source IP address of the outbound network traffic for wh...

Page 86: ...t SHA1 more secure Enter the keys in the fields provided For MD5 the keys should be 16 characters For SHA 1 the keys should be 20 characters Key In Enter the keys For MD5 the keys should be 16 charact...

Page 87: ...provided the remote VPN endpoint has the same value in its Encryption Algorithm Key In field Enable Authentication Use this check box to enable or disable ESP authentication for this VPN policy Authe...

Page 88: ...e man in the middle security threats A self certificate has your public key and the name of your CA and relies on the CA s certificate to authenticate Each CA has its own certificate The certificates...

Page 89: ...192 168 0 x 1 Log in to the FVS318 on LAN A at its default LAN address of http 192 168 0 1 with its default user name of admin and password of password Click the VPN Wizard link in the main menu to d...

Page 90: ...02 10031 01 Figure 7 6 Connection Name and Remote IP Type 3 Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next Figure 7 7 Remote IP 4 Identify the IP addresses at...

Page 91: ...the VPN Wizard used click the here link 5 Click Done to complete the configuration procedure The VPN Settings menu displays showing that the new tunnel is enabled To view or modify the tunnel settings...

Page 92: ...the same thing See Appendix E Virtual Private Networking for a full discussion of VPN and the configuration templates NETGEAR developed for publishing multi vendor VPN integration configuration case...

Page 93: ...he full range of IP addresses For example 10 5 6 0 24 refers to IP address 10 5 6 0 with the netmask 255 255 255 0 The IKE Phase 1 parameters used in Scenario 1 are Main mode TripleDES SHA 1 MODP grou...

Page 94: ...Figure 7 11 LAN to LAN VPN access from an FVS328 to an FVS328 1 Log in to the FVS328 labeled Gateway A as in the illustration Log in to the firewall at its default LAN address of http 192 168 0 1 wit...

Page 95: ...en NAT is disabled only standard routing is performed by this Router c Configure the WAN Internet Address according to the settings in Figure 7 11 above and click Apply to save your settings For more...

Page 96: ...o connect to the built in Web based configuration manager of the FVS328 3 Set up the IKE Policy illustrated below on the FVS328 a From the main menu VPN section click the IKE Policies link and then cl...

Page 97: ...From the main menu VPN section click the VPN Policies link and then click the Add Auto Policy button Figure 7 14 Scenario 1 VPN Auto Policy b Configure the IKE Policy according to the settings in the...

Page 98: ...can test connectivity and view VPN status information on the FVS328 1 To test connectivity between the Gateway A FVS328 LAN and the Gateway B LAN follow these steps a Using our example from a compute...

Page 99: ...hould turn off this feature when you are finished with testing 3 To view the FVS328 event log and status of Security Associations follow these steps a Go to the FVS328 main menu VPN section and click...

Page 100: ...server might provide it to you via e mail b Save the certificate as a text file called trust txt 2 Install the trusted CA certificate for the Trusted Root CA a Log in to the FVS328 b From the main me...

Page 101: ...ill see as the holder owner of this certificate This should be your registered business name or official company name Generally all certificates should have the same value in the Subject field Hash Al...

Page 102: ...aste it into a text file b Give the certificate request data to the CA In the case of a Windows 2000 internal CA you might simply e mail it to the CA administrator The procedures of a CA like Verisign...

Page 103: ...CA administrator might simply email it to back to you Follow the procedures of your CA Save the certificate you get back from the CA as a text file called final txt 6 Upload the new certificate a From...

Page 104: ...20 Self Certificates table 7 Associate the new certificate and the Trusted Root CA certificate on the FVS328 a Create a new IKE policy called Scenario_2 with all the same properties of Scenario_1 see...

Page 105: ...save it as a text file Note The procedure for obtaining a CRL differs from a CA like Verisign and a CA such as a Windows 2000 certificate server which an organization operates for providing certificat...

Page 106: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual 7 32 Virtual Private Networking May 2004 202 10031 01...

Page 107: ...tever password and LAN address you have chosen for the firewall 2 In the Advanced section on the left navigator select Remote Management 3 Select the Turn Remote Management On check box 4 Specify what...

Page 108: ...you connect to your ISP There are 2 solutions to this problem a Have your ISP allocate you a Fixed IP address b Use the DDNS Dynamic DNS feature so you can connect using a domain name rather than an...

Page 109: ...ge Statistics From the Main Menu under Maintenance select Router Status to view the screen in Figure 8 1 Figure 8 1 Router Status screen The Router Status menu provides a limited amount of status and...

Page 110: ...default is 255 255 255 0 DHCP If set to OFF the firewall will not assign IP addresses to local PCs on the LAN If set to ON the firewall is configured to assign IP addresses to local PCs on the LAN WAN...

Page 111: ...The link status of the port TxPkts The number of packets transmitted on this port since reset or manual clear RxPkts The number of packets received on this port since reset or manual clear Collisions...

Page 112: ...ading select Attached Devices to view the table shown in Figure 8 3 Figure 8 3 Attached Devices menu For each device the table shows the IP address Device Name NetBIOS Host Name if available and the E...

Page 113: ...incoming service requests hacker probes and administrator logins If you enabled content filtering in the Block Sites menu the Logs page shows you when someone on your network tries to access a blocke...

Page 114: ...entry Source port and interface The service port number of the initiating device and whether it originated from the LAN or WAN Destination The name or IP address of the destination device or Web site...

Page 115: ...n to the Web based interface of this Router Other connections and traffic to this Router if selected this will log traffic sent to this Router rather than through this Router to the Internet Allow dup...

Page 116: ...ct this check box if you want to receive e mail logs and alerts from the firewall Your outgoing mail server Enter the name or IP address of your ISP s outgoing SMTP mail server such as mail myISP com...

Page 117: ...eekly If the Weekly Daily or Hourly option is selected and the log fills up before the specified period the log is automatically e mailed to the specified e mail address After the log is sent the log...

Page 118: ...Log in to the firewall at its default LAN address of http 192 168 0 1 with its default user name of admin default password of password or using whatever Password and LAN address you have chosen for th...

Page 119: ...e the Default Reset button on the rear panel of the firewall See How to Use the Default Reset Button on page 9 7 Running Diagnostic Utilities and Rebooting the Router The FVS328 Firewall has a diagnos...

Page 120: ...ased by NETGEAR Upgrade files can be downloaded from the NETGEAR Web site If the upgrade file is compressed ZIP file you must first extract the binary BIN or IMG file before uploading it to the firewa...

Page 121: ...erface under the Maintenance heading select the Router Upgrade heading to display the menu shown in Figure 8 10 Figure 8 10 Router Upgrade menu 4 In the Router Upgrade menu click Browse to locate the...

Page 122: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual 8 16 Managing Your Network May 2004 202 10031 01...

Page 123: ...ting the ISP Connection on page 9 4 I can t remember the firewall s configuration password or I want to clear the configuration and start over again Go to Restoring the Default Configuration and Passw...

Page 124: ...that you are using the 12VDC power adapter supplied by NETGEAR for this product If the error persists you have a hardware problem and should contact technical support Test LED Never Turns On or Test L...

Page 125: ...your computer s IP address is on the same subnet as the firewall If you are using the recommended addressing scheme your computer s address should be in the range of 192 168 0 2 to 192 168 0 254 Refer...

Page 126: ...the firewall is able to obtain a WAN IP address from the ISP Unless you have been assigned a static IP address your firewall must request an IP address from the ISP You can determine whether the requ...

Page 127: ...an IP address but your computer is unable to load any Web pages from the Internet Your computer may not recognize any DNS server addresses A DNS server is a host on the Internet that translates Inter...

Page 128: ...orking you see this message Request timed out If the path is not functioning correctly you could have one of the following problems Wrong physical connections Make sure the LAN port LED is on If the L...

Page 129: ...ing the Ethernet MAC addresses of all but one of your computers Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem but some ISPs additionally res...

Page 130: ...rrent time from one of several Network Time Servers on the Internet Each entry in the log is stamped with the date and time of day Problems with the date and time function can include Date shown is Ja...

Page 131: ...P 1 RIP 2 DHCP PPP over Ethernet PPPoE Power Adapter North America 120V 60 Hz input United Kingdom Australia 240V 50 Hz input Europe 230V 50 Hz input Japan 100V 50 60 Hz input All regions output 12 V...

Page 132: ...anual A 2 Technical Specifications May 2004 202 10031 01 Electromagnetic Emissions Meets requirements of FCC Part 15 Class B VCCI Class B EN 55 022 CISPR 22 Class B Interface Specifications Local 10BA...

Page 133: ...es and modified prior to being forwarded and or replied to Field List DATE TIME Log s date and time EVENT Event is that access the device or access other host via the device PKT_TYPE Packet type pass...

Page 134: ...efault rule match PKT_TYPE UDP packet TCP connection ICMP packet Inbound Log Incoming packets that match the Firewall rules are logged The format is DATE TIME PKT_TYPE SRC_IP SRC_INF DST_IP DST_INF AC...

Page 135: ...N Packet Wed 2003 07 30 18 44 50 IP Packet Type Field 321 Source 18 7 21 69 192 168 0 3 Drop Notes DESCRIPTION VPN Packet PKT_TYPE GRE AH ESP IP packet Type Field Num IPSEC ACTION Forward Drop Router...

Page 136: ...Fri 2003 12 05 22 59 56 ICMP Packet Echo Request Source 192 168 0 10 Destination 192 168 0 1 Receive The format is DATE TIME EVENT SRC_IP SRC_PORT SRC_INF DST_IP DST_PORT DST_INF ACTION Wed 2003 07 3...

Page 137: ...2 63 WAN Destination 172 31 12 157 LAN Drop ICMP Flood Fri 2003 12 05 21 33 52 UDP Packet Source 127 0 0 1 0 WAN Destination 172 31 12 157 0 LAN Drop Fragment Attack Fri 2003 12 05 19 20 00 TCP Sessio...

Page 138: ...Source 192 168 0 10 LAN Destination www google com WAN Drop Notes EVENT Attempt to access blocked sites SRC_INF LAN DST_INF WAN All Web Sites and News Groups Visited All Web sites and News groups that...

Page 139: ...Inbound Policy to Service BGP is Added Fri 2003 12 05 21 49 41 Administrator Action Outbound Policy to Service BGP is Added Fri 2003 12 05 21 50 14 Administrator Action Inbound Policy to Service BGP...

Page 140: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual B 8 Firewall Log Formats May 2004 202 10031 01...

Page 141: ...LAN However providing high bandwidth between a local network and the Internet can be very expensive Because of this expense Internet access is usually provided by a slower speed wide area network WAN...

Page 142: ...org The Internet Protocol IP uses a 32 bit address structure The address is usually written in dot notation also called dotted decimal notation in which each group of eight bits is written in decimal...

Page 143: ...can have up to 65 354 hosts on a network A Class B address uses a 16 bit network number and a 16 bit node number Class B addresses are in this range 128 1 x x to 191 254 x x Class C Class C addresses...

Page 144: ...lass A B and C addresses are 255 0 0 0 255 255 0 0 and 255 255 255 0 respectively For example the address 192 168 170 237 is a Class C IP address whose network portion is the upper 24 bits When combin...

Page 145: ...on to extending the number of addresses available subnet addressing provides other benefits Subnet addressing allows a network manager to construct an address scheme for the network by using different...

Page 146: ...ork with subnet mask 255 255 255 0 into 16 subnets 4 bits the new subnet mask becomes 255 255 255 240 The following table displays several common netmask values in both the dotted decimal and the mask...

Page 147: ...5 255 192 168 0 0 192 168 255 255 NETGEAR recommends that you choose your private network number from this range The DHCP server of the FVS328 Firewall is preconfigured to automatically assign private...

Page 148: ...following figure illustrates a single IP address operation Figure 9 3 Single IP Address Operation Using NAT This scheme offers the additional benefit of firewall like protection because the internal L...

Page 149: ...sponds to the ARP request All other stations discard the request Related Documents The station with the correct IP address responds with its own MAC address directly to the sending device The receivin...

Page 150: ...ynamic Host Configuration Protocol DHCP server The DHCP server stores a list or pool of IP addresses along with other information such as gateway and DNS addresses that it may assign to the other devi...

Page 151: ...ll filtering to protect your network from attacks and intrusions Since user level applications such as FTP and Web browsers can create complex patterns of network traffic it is necessary for the firew...

Page 152: ...ansmit pair must be exchanged with the receive pair This exchange is done by one of two mechanisms Most hubs provide an uplink switch which will exchange the pairs on one port allowing that port to be...

Page 153: ...nd 10BASE T will often tolerate low quality cables but at 100 Mbits second 10BASE Tx the cable must be rated as Category 5 or Cat 5 by the Electronic Industry Association EIA This rating will be print...

Page 154: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual C 14 Networks Routing and Firewall Basics May 2004 202 10031 01...

Page 155: ...ncludes the software components for establishing a TCP IP network Windows 3 1 does not include a TCP IP component You need to purchase a third party TCP IP application package such as NetManage Chamel...

Page 156: ...he firewall assigns the following TCP IP configuration information automatically when the computers are rebooted PC or workstation IP addresses 192 168 0 2 through 192 168 0 254 Subnet mask 255 255 25...

Page 157: ...w these steps a Click the Add button b Select Adapter and then click Add c Select the manufacturer and model of your Ethernet adapter and then click OK If you need TCP IP a Click the Add button b Sele...

Page 158: ...he recommended default addresses follow these steps 1 Connect all computers to the firewall then restart the firewall and allow it to boot 2 On each attached PC open the Network control panel refer to...

Page 159: ...uld match the values below if you are using the default TCP IP settings that NETGEAR recommends The IP address is between 192 168 0 2 and 192 168 0 254 The subnet mask is 255 255 255 0 The default gat...

Page 160: ...figuration 1 On the Windows taskbar click the Start button and then click Run The Run window opens 2 Type cmd and then click OK A command window opens 3 Type ipconfig all Your IP Configuration informa...

Page 161: ...net interface 3 From the Configure box select Using DHCP Server You can leave the DHCP Client ID box empty 4 Close the TCP IP Control Panel 5 Repeat this for each Macintosh on your network MacOS X 1 F...

Page 162: ...From the Apple menu select Control Panels then TCP IP The panel is updated to show your settings which should match the values below if you are using the default TCP IP settings that NETGEAR recommend...

Page 163: ...s Internet port is connected to the broadband modem the firewall appears to be a single PC to the ISP The firewall then allows the computers on the local network to masquerade as the single PC to acce...

Page 164: ...firewall These procedures are described next Obtaining ISP Configuration Information for Windows Computers As mentioned above you may need to collect configuration information from your PC so that yo...

Page 165: ...from your Macintosh so that you can use this information when you configure the FVS328 Firewall Following this procedure is only necessary when your ISP does not dynamically supply the account inform...

Page 166: ...computers to work with the firewall you must reset the network for the devices to be able to communicate correctly Restart any computer that is connected to the firewall After configuring all of your...

Page 167: ...a flowing across the network is protected by encryption technologies Private networks lack data security which allows data attackers to tap directly into the network and read the data IPSec based VPNs...

Page 168: ...ly and inexpensively installed on existing Internet connections What is IPSec and How Does It Work IPSec is an Internet Engineering Task Force IETF standard suite of protocols that provides data authe...

Page 169: ...unforgeable identifier for each packet which is a data equivalent of a fingerprint This fingerprint allows the device to determine if a packet has been tampered with Furthermore packets that are not...

Page 170: ...known In addition AH does not protect the data s confidentiality If data is intercepted and only AH is used the message contents can be read ESP protects data confidentiality For added protection in c...

Page 171: ...essed with IPSec the new IP packet contains the old IP header with the source and destination IP addresses unchanged and the processed packet payload Transport mode does not shield the information in...

Page 172: ...VPN Consortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard The case studies i...

Page 173: ...lic facing address WAN side and a private facing address LAN side These addresses are referred to as the network interface in documentation regarding the construction of VPN communication Please note...

Page 174: ...that you intend to allow Setting Up a VPN Tunnel Between Gateways An SA frequently called a tunnel is the set of information that allows two entities networks PCs routers firewalls gateways to trust e...

Page 175: ...ablished by IPSec As illustrated below the most common method of accomplishing this process is via the Internet Key Exchange IKE protocol which automates some of the negotiation procedures Alternative...

Page 176: ...lgorithms to use in the IPSec SAs b The master key is used to derive the IPSec keys for the SAs Once the SA keys are created and exchanged the IPSec SAs are ready to protect user data between the two...

Page 177: ...otiation is working Common problems encountered in setting up VPNs include Parameters may be configured differently on Gateway A vs Gateway B Two LANs set up with similar or overlapping addressing sch...

Page 178: ...998 RFC 2407 D Piper The Internet IP Security Domain of Interpretation for ISAKMP November 1998 RFC 2474 K Nichols S Blake F Baker D Black Definition of the Differentiated Services Field DS Field in t...

Page 179: ...formation before you begin the configuration process Verify whether the firmware is up to date all of the addresses that will be necessary and all of the parameters that need to be set on both sides C...

Page 180: ...e illustration Out of the box the FVS318 or FVM318 is set for its default LAN address of http 192 168 0 1 with its default user name of admin and default password of password For this example we will...

Page 181: ...IPSec Identifier name for the NETGEAR FVS318 Gateway A This name must be entered in the other endpoint as Remote IPSec Identifier In this example we used 14 15 16 17 as the local identifier Enter a Re...

Page 182: ...Figure 4 NETGEAR FVS318 VPN Settings part 2 Main Mode From the Secure Association drop down box select Main Mode Next to Perfect Forward Secrecy select the Enabled radio button From the Encryption Pr...

Page 183: ...s will open the IKE Policies Menu Click Add This will open a new screen titled IKE Policy Configuration Figure F 5 NETGEAR FVS328 IKE Policy Configuration Part 1 Enter an appropriate name for the poli...

Page 184: ...ld type hr5xb84l6aa9r6 You must make sure the key is the same for both gateways From the Diffie Hellman DH Group drop down box select Group 1 768 Bit In the SA Life Time field type 28800 3 Click the A...

Page 185: ...being the FVS318 IKE Policy From the Remote VPN Endpoint Address Type drop down box select IP Address Type the WAN IP Address of Gateway A 14 15 16 17 in our example in the Remote VPN Endpoint Addres...

Page 186: ...dress of Gateway A 0 0 0 0 in our example in the Remote IP Finish IP Address field Type the LAN Subnet Mask of Gateway A 255 255 255 0 in our example in the Remote IP Subnet Mask field From the AH Con...

Page 187: ...way B LAN Interface address example address 172 23 9 1 2 From a PC behind the FVS328 gateway B attempt to ping the remote NETGEAR FVS318 or FVM318 gateway A LAN Interface address example address 10 5...

Page 188: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual F 10 NETGEAR VPN Configuration FVS318 or FVM318 to FVS328 May 2004 202 10031 01...

Page 189: ...e VPN Consortium Gather all the necessary information before you begin the configuration process Verify whether the firmware is up to date all of the addresses that will be necessary and all of the pa...

Page 190: ...name It provides a central public database where information such as email addresses host names and IP addresses can be stored and retrieved Now a gateway can be configured to use a 3rd party service...

Page 191: ...nformation necessary to set up the gateways Step By Step Configuration of FVS318 or FVM318 Gateway A 1 Log in to the FVS318 or FVM318 labeled Gateway A as in the illustration Out of the box the FVS318...

Page 192: ...lete FQDN we are using is netgear dyndns org and the Host Name is netgear Type the Password or key for your dynamic DNS account 5 Click Apply to save your configuration 6 Click on the VPN Settings lin...

Page 193: ...fier name for the remote NETGEAR FVS328 Gateway B This name must be entered in the other endpoint as Local IPSec Identifier In this example we used 22 23 24 25 as the remote identifier Choose a subnet...

Page 194: ...ox select Main Mode Next to Perfect Forward Secrecy select the Enabled radio button From the Encryption Protocol drop down box select 3DES In the PreShared Key box type a unique text string to be used...

Page 195: ...dd on the IKE Policies Menu Figure G 6 NETGEAR FVS328 IKE Policy Configuration Part 1 Enter an appropriate name for the policy in the Policy Name field This name is not supplied to the remote VPN Endp...

Page 196: ...hared Key field type hr5xb84l6aa9r6 You must make sure the key is the same for both gateways From the Diffie Hellman DH Group drop down box select Group 1 768 Bit In the SA Life Time field type 28800...

Page 197: ...dpoint Address Type drop down box select IP Address Type the WAN IP Address of Gateway A 14 15 16 17 in our example in the Remote VPN Endpoint Address Data field Type 300 in the SA Life Time Seconds f...

Page 198: ...IP Address of Gateway A 0 0 0 0 in our example in the Remote IP Finish IP Address field Type the LAN Subnet Mask of Gateway A 255 255 255 0 in our example in the Remote IP Subnet Mask field From the...

Page 199: ...nection 1 From a PC behind the NETGEAR FVS318 or FVM318 Gateway A attempt to ping the remote FVS328 Gateway B LAN Interface address example address 172 23 9 1 2 From the FVS318 or FVM318 click the Rou...

Page 200: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual G 12 NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328 May 2004 202 10031 01...

Page 201: ...addressing and configuration mechanics defined by the VPN Consortium Gather all the necessary information before you begin the configuration process Verify whether the firmware is up to date all of t...

Page 202: ...0 1 with its default user name of admin and default password of password Even though the remainder of this document will refer to the FVS328 the login procedures and configuration menu screens are the...

Page 203: ...guration Enter a descriptive name for the policy in the Policy Name field This name is not supplied to the remote VPN endpoint It is used to help you manage the IKE policies In our example we used VPN...

Page 204: ...ion Method radio button select Pre shared Key This will also be selected in the VPN Client Security Policy Authentication Phase 1 Proposal 1 Authentication Method field as seen in Connection Security...

Page 205: ...l take you to the VPN Policies Menu page Click Add Auto Policy This will open a new screen titled VPN Auto Policy Figure H 3 NETGEAR FVS328 VPN Auto Policy General settings Enter a unique name to iden...

Page 206: ...of the FVS328 in the Local IP Start IP Address field For this example we used 192 168 0 0 which is the default LAN IP address of the FVS328 This will also be entered in the VPN Client Connection Remo...

Page 207: ...box is selected Click Apply to save your changes Step By Step Configuration of the Netgear VPN Client B This procedure describes linking a remote PC and a LAN The LAN will connect to the Internet usin...

Page 208: ...boot your PC after installing the client software 2 Configure the Connection Network Settings Figure H 4 Security Policy Editor New Connection a Run the Security Policy Editor program and create a VPN...

Page 209: ...ateway Tunnel check box is selected c In this example select IP Subnet as the ID Type 192 168 0 0 in the Subnet field the Subnet address is the LAN IP Address of the FVS328 with 0 as the last number a...

Page 210: ...re the Connection Identity Settings a In the Network Security Policy list click the Security Policy subheading Figure H 9 Security Policy b For this example ensure that the following settings are conf...

Page 211: ...ing choices in this procedure follow the VPNC guidelines Figure H 10 Connection Security Policy Authentication Phase 1 a Configure the Authentication Phase 1 Settings Expand the Security Policy headin...

Page 212: ...Configure the Key Exchange Phase 2 Expand the Key Exchange Phase 2 heading and click on Proposal 1 For this example ensure that the following settings are configured In the SA Life menu select Unspeci...

Page 213: ...Allow to Specify Internal Network Address check box and click OK 7 Save the VPN Client Settings From the File menu at the top of the Security Policy Editor window select Save After you have configure...

Page 214: ...esults of the attempt to connect Once the connection is established you can access resources of the network connected to the FVS328 Another method is to ping from the remote PC to the LAN IP address o...

Page 215: ...rom the FVS328 to the Client PC You can use the FVS328 Diagnostic utilities to test the VPN connection from the FVS328 to the client PC Run ping tests from the Diagnostics link of the FVS328 main menu...

Page 216: ...address of 192 168 0 1 The VPN client PC is behind a home NAT router and has a dynamically assigned address of 192 168 0 3 While the connection is being established the Connection Name field in this m...

Page 217: ...N Firewall with Dial Back up Reference Manual NETGEAR VPN Client to NETGEAR the FVS328 H 17 May 2004 202 10031 01 The FVS328 VPN Status screen for a successful connection is shown below Figure H 15 FV...

Page 218: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual H 18 NETGEAR VPN Client to NETGEAR the FVS328 May 2004 202 10031 01...

Page 219: ...nt with a financial institution such as a credit card company which provides it with information to confirm an individual s claimed identity CAs are a critical component in data security and electroni...

Page 220: ...Domain Name Server resolves descriptive names of network resources such as www NETGEAR com to numeric IP addresses Dynamic Host Configuration Protocol DHCP An Ethernet protocol specifying how a centra...

Page 221: ...ary for any type of Internet access Because it s a simpler version of X 500 LDAP is sometimes called X 500 lite local area network LAN A communications network serving users within a limited area such...

Page 222: ...re packet A block of information sent over a network A packet typically contains a source and destination network address some protocol and length information a block of data and a checksum PPP See Po...

Page 223: ...100BASE Tx Ethernet networks VPN Virtual Private Network A method for securely transporting data between two private networks by using a public network such as the Internet as a connection VPNC Virtua...

Page 224: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual 6 Glossary May 2004 202 10031 01...

Page 225: ...d time 9 8 Daylight Savings Time 6 15 9 8 daylight savings time 6 14 Default DMZ Server 5 5 default reset button 9 7 Denial of Service DoS protection 2 2 denial of service attack C 11 DHCP 2 3 5 2 C 1...

Page 226: ...private C 7 translating C 9 IP configuration by DHCP C 10 IP networking for Macintosh D 6 for Windows D 2 D 5 IPSec E 1 IPSec Components E 2 IPSec SA negotiation E 9 IPSec Security Features E 2 ISP 3...

Page 227: ...C 1 Routing Information Protocol 2 3 C 2 RTS Threshold 4 3 4 5 4 6 rules inbound 6 8 outbound 6 11 S SA E 4 Scope of Document 1 1 Secondary DNS Server 3 8 3 9 3 10 3 15 Serial 3 3 3 10 3 12 4 2 seria...

Page 228: ...al Private Networking 2 3 VPN E 1 VPN Consortium E 6 VPN Process Overview E 7 VPNC IKE Phase I Parameters E 10 VPNC IKE Phase II Parameters E 11 W Windows configuring for IP routing D 2 D 5 winipcfg u...

Reviews:

No comments

Related manuals for FVS328 - ProSafe VPN Firewall

Brand: PaloAlto Networks Pages: 2

Brand: Watchguard Pages: 24

Brand: Watchguard Pages: 2

freeGuard Blaze 2100

Brand: Freedom9 Pages: 224

Brand: Avanu Pages: 141

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands