Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Virtual Private Networking

7-17

May 2004, 202-10031-01

The Summary screen shown below displays.

Figure 7-9:  VPN Wizard Summary

To view the VPNC-recommended authentication and encryption settings for Phase 1 and Phase 2 that the VPN Wizard used, click the "here" link.

5. Click Done to complete the configuration procedure. The VPN Settings menu displays, showing that the new tunnel is enabled.

To view or modify the tunnel settings, select the radio button next to the tunnel entry and click Edit.

Walk-Through of Configuration Scenarios

There is a variety of configurations you can implement with the FVS328. The scenarios that follow illustrate typical configurations you might use in your organization.

Содержание FVS328 - ProSafe VPN Firewall

Страница 1: ...May 2004 202 10031 01 202 10031 01 May 2004 NETGEAR Inc 4500 Great America Parkway Santa Clara CA 95054 USA Phone 1 888 NETGEAR Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual...

Страница 2: ...N 55 022 Declaration of Conformance This is to certify that the FVS328 ProSafe VPN Firewall with Dial Back up is shielded against the generation of radio interference in accordance with the applicatio...

Страница 3: ...ference VCCI Statement This equipment is in the second category information equipment to be used in a residential area or an adjacent area thereto and conforms to the standards set by the Voluntary Co...

Страница 4: ...May 2004 202 10031 01 iv...

Страница 5: ...Virtual Private Networking 2 2 A Powerful True Firewall 2 2 Content Filtering 2 3 Configurable Auto Uplink Ethernet Connection 2 3 Protocol Support 2 3 Easy Installation and Management 2 4 What s in...

Страница 6: ...Basic Requirements for Serial Port Modem Configuration 4 2 How to Configure a Serial Port Modem 4 2 Configuring Auto Rollover 4 3 Basic Requirements for Auto Rollover 4 3 How to Configure Auto Rollove...

Страница 7: ...xamples of Using Services and Rules to Regulate Traffic 6 8 Inbound Rules Port Forwarding 6 8 Example Port Forwarding to a Local Public Web Server 6 9 Example Port Forwarding for Videoconferencing 6 9...

Страница 8: ...Remote Management 8 1 Viewing Router Status and Usage Statistics 8 3 Viewing Attached Devices 8 6 Viewing Selecting and Saving Logged Information 8 7 Changing the Include in Log Settings 8 9 Enabling...

Страница 9: ...bound Log B 1 Inbound Log B 2 Other IP Traffic B 2 Router Operation B 3 Other Connections and Traffic to this Router B 4 DoS Attack Scan B 4 Access Block Site B 6 All Web Sites and News Groups Visited...

Страница 10: ...dows Internet Access Method D 4 Verifying TCP IP Properties D 5 Configuring Windows NT 2000 or XP for IP Networking D 5 Installing or Verifying Windows Networking Components D 5 Verifying TCP IP Prope...

Страница 11: ...g and Troubleshooting E 11 Additional Reading E 11 Appendix F NETGEAR VPN Configuration FVS318 or FVM318 to FVS328 Configuration Profile F 1 Step By Step Configuration of FVS318 or FVM318 Gateway A F...

Страница 12: ...H 2 Step By Step Configuration of the Netgear VPN Client B H 7 Testing the VPN Connection H 14 From the Client PC to the FVS328 H 14 From the FVS328 to the Client PC H 15 Monitoring the PC VPN Connec...

Страница 13: ...firewall and VPN technology tutorial information is provided in the Appendices and on the NETGEAR Web site Scope This manual is written for the FVS328 Firewall according to these specifications Table...

Страница 14: ...Formats This guide uses the following formats to highlight special messages Table 1 2 Typographical conventions italics Emphasis bold times roman User input Enter Named keys in text are shown enclose...

Страница 15: ...JavaScript enabled 2 Toolbar buttons Use the toolbar buttons across the top to navigate print pages and more The Show in Contents button locates the current topic in the Contents tab Previous Next bu...

Страница 16: ...at the top right of any page Click the PDF of This Chapter link at the top right of any page in the chapter you want to print A new browser window opens showing the PDF version of the chapter you were...

Страница 17: ...rnet sharing routers that rely on Network Address Translation NAT for security the FVS328 uses Stateful Packet Inspection for Denial of Service DoS attack protection and intrusion detection The 8 port...

Страница 18: ...patible with many other VPN products Support for up to 168 bit encryption 3DES for maximum security Support for VPN Main Mode Aggressive mode or Manual Keying Support for Fully Qualified Domain Name F...

Страница 19: ...f to the correct configuration This feature also eliminates the need to worry about crossover cables as Auto Uplink will accommodate either type of cable to make the right connection Protocol Support...

Страница 20: ...ins a client that can connect to many popular Dynamic DNS services to register your dynamic IP address See Configuring Dynamic DNS on page 5 6 Easy Installation and Management You can install configur...

Страница 21: ...SPs like Telstra DSL and BigPond or Deutsche Telekom What s in the Box The product package should contain the following items FVS328 ProSafe VPN Firewall with Dial Back up AC power adapter FVS328 Reso...

Страница 22: ...MODEM On Blinking The port detected a link with the Internet WAN connection or Remote Access Server Blinking indicates data transmission INTERNET 100 On Blinking The Internet port is operating at 100...

Страница 23: ...he rear panel contains the following elements DB 9 serial port for modem connection Reset Factory Default push button push to reset push and hold for 20 seconds to reset to factory default settings Ei...

Страница 24: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual 2 8 Introduction May 2004 202 10031 01...

Страница 25: ...ardware Requirements The FVS328 Firewall connects to your LAN via twisted pair Ethernet cables To use the FVS328 Firewall on your network each computer must have an installed Ethernet Network Interfac...

Страница 26: ...this information you can ask your ISP to provide it or you can try one of the options below If you have a computer already connected using the active Internet access account you can gather the configu...

Страница 27: ...t IP Address ______ ______ ______ ______ Subnet Mask ______ ______ ______ ______ Gateway IP Address ______ ______ ______ ______ ISP DNS Server Addresses If you were given DNS server addresses fill in...

Страница 28: ...your broadband modem c Connect a Cat 5 Ethernet cable from the Internet port of the FVS328 to the broadband modem d Connect the Cat 5 Ethernet cable which came with the firewall from your computer to...

Страница 29: ...1 FVS328 status lights Check the status lights and verify the following Power The power light goes on when your turn the firewall on Test The Test light turns on blinks then goes off solid after less...

Страница 30: ...Navigator c For security reasons the router has its own user name and password When prompted enter admin for the router user name and password for the router password both in lower case letters Note...

Страница 31: ...se the Setup Wizard you can manually configure your Internet connection settings by following the procedure Manually Configuring Your Internet Connection on page 3 14 Unless your ISP automatically ass...

Страница 32: ...cess the Internet When you start an Internet application the firewall will automatically log you in 3 Enable or disable NAT Network Address Translation NAT allows all LAN computers to gain Internet ac...

Страница 33: ...DNS addresses to the firewall during login select Use these DNS servers and enter the IP address of your ISP s Primary DNS Server If a Secondary DNS Server address is available enter it also A DNS se...

Страница 34: ...ing an Internet name such as www netgear com to a numeric IP address For a fixed IP address configuration you must obtain DNS server addresses from your ISP and enter them manually here You should reb...

Страница 35: ...configuration menu c Fill in the ISDN or analog ISP Internet configuration parameters as appropriate For a Dial up Account enter the Account information Check Connect as required to enable the firewal...

Страница 36: ...28000 bps For dial up modems 56000 bps would be a typical setting Select the Modem Type For ISDN select Permanent connection leased line For dial up select your modem from the list Standard Modem shou...

Страница 37: ...our network Your firewall automatically connects to the Internet when one of your computers requires access It is not necessary to run a dialer or login application such as Dial Up Networking or Enter...

Страница 38: ...031 01 Manually Configuring Your Internet Connection You can manually configure your firewall using the menu below or you can allow the Setup Wizard to determine your configuration as described in the...

Страница 39: ...AT select the Disable radio button Before disabling NAT back up your current configuration settings 5 Internet IP Address If your ISP assigned you a permanent fixed IP address for your PC select Use s...

Страница 40: ...d They will then only accept traffic from the MAC address of that PC This feature allows your firewall to masquerade as that PC by cloning its MAC address To change the MAC address select Use this Com...

Страница 41: ...configuration options Modem Use this option to configure the serial modem settings for any of the features below Auto Rollover Use this option to provide a backup connection for your broadband servic...

Страница 42: ...A serial analog or ISDN modem 2 A serial modem cable with a DB9 connector 3 An active phone or ISDN line How to Configure a Serial Port Modem Follow the steps below to configure a serial port modem 1...

Страница 43: ...rea of the NETGEAR web site 3 Click Apply to save your settings Configuring Auto Rollover You can configure the serial port of the FVS328 to provide an auto rollover backup connection for your broadba...

Страница 44: ...onfiguration menu 3 Configure the Auto Rollover settings 4 Click Apply for the changes to take effect Configuring Dial in on the Serial Port Dial in lets a single remote computer connect to the FVS328...

Страница 45: ...modem properly configured and attached to the DB9 connector on the serial port 4 The Dial in settings configured and applied to the FVS328 How to Configure Dial in Follow the steps below to configure...

Страница 46: ...alog phone line with an active ISDN or dial up ISP account 2 A serial modem properly configured and attached to the DB9 connector on the serial port 3 A broadband connection to one FVS328 for LAN to L...

Страница 47: ...l Serial Port Configuration 4 7 May 2004 202 10031 01M 10207 01 Reference Manual v2 Figure 4 5 LAN to LAN configuration menu 3 Configure the LAN to LAN settings Note The LAN subnet address of each FVS...

Страница 48: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual 4 8 Serial Port Configuration May 2004 202 10031 01M 10207 01 Reference Manual v2...

Страница 49: ...ess range for use in private networks and should be suitable in most applications If your network has a requirement to use a different IP addressing scheme you can make those changes The LAN TCP IP Se...

Страница 50: ...will be assigned to the attached PCs from a pool of addresses specified in this menu Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN For most applications the...

Страница 51: ...a Primary DNS address in the Basic Settings menu otherwise the firewall s LAN IP address Secondary DNS Server if you entered a Secondary DNS address in the Basic Settings menu How to Configure LAN TCP...

Страница 52: ...of the PC or server Note If the PC is already present on your network you can copy its MAC address from the Attached Devices menu and paste it here 4 Click Apply to enter the reserved address into th...

Страница 53: ...roperly with them but there are other applications that may not function well In some cases one local PC can run the application properly if that PC s IP address is entered as the default DMZ server I...

Страница 54: ...MTU size 1 Under MTU Size select Custom 2 Enter a new size between 64 and 1500 3 Click Apply to save the new configuration Configuring Dynamic DNS If your network has a permanently assigned IP address...

Страница 55: ...Using Static Routes Static Routes provide additional routing information to your firewall Under normal circumstances the firewall has adequate routing information after it has been configured for Inte...

Страница 56: ...re 5 3 In this example The Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 134 177 x x addresses The Gateway IP Address fields specifies that all traffic...

Страница 57: ...want to limit access to the LAN only The static route will not be reported in RIP e Type the Destination IP Address of the final destination f Type the IP Subnet Mask for this destination If the desti...

Страница 58: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual 5 10 WAN and LAN Configuration May 2004 202 10031 01...

Страница 59: ...Note The user name and password are not the same as any user name or password your may use to log in to your Internet connection NETGEAR recommends that you change this password to a more secure passw...

Страница 60: ...do a new backup so that the saved settings file includes the new password How to Change the Administrator Login Timeout For security the administrator s login to the firewall configuration will time o...

Страница 61: ...estrict access based on the following categories Use of a proxy server Type of file Java ActiveX Cookie Web addresses Web address keywords These options are discussed below The Keyword Blocking menu i...

Страница 62: ...only Web sites with other domain suffixes such as edu or gov can be viewed If you want to block all Internet browsing access enter the keyword Up to 255 entries are supported in the Keyword list To sp...

Страница 63: ...8 already holds a list of many service port numbers you are not limited to these choices Use the Services menu to add additional services and applications to the list for use in defining firewall rule...

Страница 64: ...o private resources selectively allowing only specific outside users to access specific resources Outbound rules LAN to WAN determine what outside resources local users can have access to A firewall h...

Страница 65: ...list already displays many common services but you are not limited to these choices Use the Services menu to add any additional services or applications that do not already appear Action Choose how yo...

Страница 66: ...when setting up port forwarding inbound rules If your external IP address is assigned dynamically by your ISP the IP address may change periodically as the DHCP lease expires Consider using the Dynami...

Страница 67: ...any outside IP address to the IP address of your Web server any time of day Figure 6 4 Rule example A Local Public Web Server This rule is shown in Figure 6 4 Example Port Forwarding for Videoconferen...

Страница 68: ...arameters Figure 6 5 Rule example Videoconference from Restricted Addresses Example Port Forwarding for VPN Tunnels when NAT is Off If you want to allow incoming VPN IPSec tunnels to be initiated from...

Страница 69: ...ress Outbound Rules Service Blocking or Port Filtering The FVS328 allows you to block the use of certain Internet services by computers on your network This is called service blocking or port filterin...

Страница 70: ...nstant Messenger Other Rules Considerations The order of precedence of rules is determined by the position of the rule on a list of many rules Also there are optional Rules settings you can configure...

Страница 71: ...Normally this should NOT be checked Block TCP flood If checked when a TCP flood attack is detected the port used will be closed and no traffic will be able to use that port Block UDP flood If checked...

Страница 72: ...lt User Name of admin default password of password or using whatever password and LAN address you have chosen for the firewall 2 Click Schedule on the Security menu to display menu shown below Figure...

Страница 73: ...s blocking in the Block Services menu or Port forwarding in the Ports menu you can set up a schedule for when blocking occurs or when access isn t restricted 1 Log in to the firewall at its default LA...

Страница 74: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual 6 16 Protecting Your Network May 2004 202 10031 01...

Страница 75: ...e FVS328 uses state of the art firewall and security technology to facilitate controlled and actively monitored VPN connectivity Since the FVS328 strictly conforms to Internet Engineering Task Force I...

Страница 76: ...to the inbound VPN parameters on other end and vice versa When the network traffic enters into the FVS328 from the LAN network interface if there is no VPN policy found for a type of network traffic t...

Страница 77: ...2004 202 10031 01 IKE Policies Automatic Key and Authentication Management Click the IKE Policies link from the VPN section of the main menu and then click the Add button of the IKE Policies screen to...

Страница 78: ...coming client connections where the IP address of the remote client is unknown If Remote Access is selected the Exchange Mode MUST be Aggressive and the Identities below both Local and Remote MUST be...

Страница 79: ...3DES is more secure and is the default Authentication Algorithm If you enable Authentication Headers AH this menu lets you select from these authentication algorithms MD5 the default SHA 1 more secur...

Страница 80: ...orking May 2004 202 10031 01 VPN Policy Configuration for Auto Key Negotiation An already defined IKE policy is required for VPN Auto Policy configuration From the VPN Policies section of the main men...

Страница 81: ...endpoint must have this FVS328 s Local Identity Data entered as its Remote VPN Endpoint By its IP Address By its Fully Qualified Domain Name FQDN your domain name SA Life Time The duration of the Secu...

Страница 82: ...unnel preventing for example remote management or response to ping Single IP Address Range of IP Addresses Subnet Address Authenticating Header AH Configuration AH specifies the authentication protoco...

Страница 83: ...olicies link from the VPN section of the main menu to display the menu shown below Authentication Algorithm If you enable AH then use this menu to select which authentication algorithm will be employe...

Страница 84: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual 7 10 Virtual Private Networking May 2004 202 10031 01 Figure 7 4 VPN Manual Policy Menu...

Страница 85: ...be established If network traffic meets all criteria then a VPN tunnel will be created Local IP The drop down menu allows you to configure the source IP address of the outbound network traffic for wh...

Страница 86: ...t SHA1 more secure Enter the keys in the fields provided For MD5 the keys should be 16 characters For SHA 1 the keys should be 20 characters Key In Enter the keys For MD5 the keys should be 16 charact...

Страница 87: ...provided the remote VPN endpoint has the same value in its Encryption Algorithm Key In field Enable Authentication Use this check box to enable or disable ESP authentication for this VPN policy Authe...

Страница 88: ...e man in the middle security threats A self certificate has your public key and the name of your CA and relies on the CA s certificate to authenticate Each CA has its own certificate The certificates...

Страница 89: ...192 168 0 x 1 Log in to the FVS318 on LAN A at its default LAN address of http 192 168 0 1 with its default user name of admin and password of password Click the VPN Wizard link in the main menu to d...

Страница 90: ...02 10031 01 Figure 7 6 Connection Name and Remote IP Type 3 Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next Figure 7 7 Remote IP 4 Identify the IP addresses at...

Страница 91: ...the VPN Wizard used click the here link 5 Click Done to complete the configuration procedure The VPN Settings menu displays showing that the new tunnel is enabled To view or modify the tunnel settings...

Страница 92: ...the same thing See Appendix E Virtual Private Networking for a full discussion of VPN and the configuration templates NETGEAR developed for publishing multi vendor VPN integration configuration case...

Страница 93: ...he full range of IP addresses For example 10 5 6 0 24 refers to IP address 10 5 6 0 with the netmask 255 255 255 0 The IKE Phase 1 parameters used in Scenario 1 are Main mode TripleDES SHA 1 MODP grou...

Страница 94: ...Figure 7 11 LAN to LAN VPN access from an FVS328 to an FVS328 1 Log in to the FVS328 labeled Gateway A as in the illustration Log in to the firewall at its default LAN address of http 192 168 0 1 wit...

Страница 95: ...en NAT is disabled only standard routing is performed by this Router c Configure the WAN Internet Address according to the settings in Figure 7 11 above and click Apply to save your settings For more...

Страница 96: ...o connect to the built in Web based configuration manager of the FVS328 3 Set up the IKE Policy illustrated below on the FVS328 a From the main menu VPN section click the IKE Policies link and then cl...

Страница 97: ...From the main menu VPN section click the VPN Policies link and then click the Add Auto Policy button Figure 7 14 Scenario 1 VPN Auto Policy b Configure the IKE Policy according to the settings in the...

Страница 98: ...can test connectivity and view VPN status information on the FVS328 1 To test connectivity between the Gateway A FVS328 LAN and the Gateway B LAN follow these steps a Using our example from a compute...

Страница 99: ...hould turn off this feature when you are finished with testing 3 To view the FVS328 event log and status of Security Associations follow these steps a Go to the FVS328 main menu VPN section and click...

Страница 100: ...server might provide it to you via e mail b Save the certificate as a text file called trust txt 2 Install the trusted CA certificate for the Trusted Root CA a Log in to the FVS328 b From the main me...

Страница 101: ...ill see as the holder owner of this certificate This should be your registered business name or official company name Generally all certificates should have the same value in the Subject field Hash Al...

Страница 102: ...aste it into a text file b Give the certificate request data to the CA In the case of a Windows 2000 internal CA you might simply e mail it to the CA administrator The procedures of a CA like Verisign...

Страница 103: ...CA administrator might simply email it to back to you Follow the procedures of your CA Save the certificate you get back from the CA as a text file called final txt 6 Upload the new certificate a From...

Страница 104: ...20 Self Certificates table 7 Associate the new certificate and the Trusted Root CA certificate on the FVS328 a Create a new IKE policy called Scenario_2 with all the same properties of Scenario_1 see...

Страница 105: ...save it as a text file Note The procedure for obtaining a CRL differs from a CA like Verisign and a CA such as a Windows 2000 certificate server which an organization operates for providing certificat...

Страница 106: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual 7 32 Virtual Private Networking May 2004 202 10031 01...

Страница 107: ...tever password and LAN address you have chosen for the firewall 2 In the Advanced section on the left navigator select Remote Management 3 Select the Turn Remote Management On check box 4 Specify what...

Страница 108: ...you connect to your ISP There are 2 solutions to this problem a Have your ISP allocate you a Fixed IP address b Use the DDNS Dynamic DNS feature so you can connect using a domain name rather than an...

Страница 109: ...ge Statistics From the Main Menu under Maintenance select Router Status to view the screen in Figure 8 1 Figure 8 1 Router Status screen The Router Status menu provides a limited amount of status and...

Страница 110: ...default is 255 255 255 0 DHCP If set to OFF the firewall will not assign IP addresses to local PCs on the LAN If set to ON the firewall is configured to assign IP addresses to local PCs on the LAN WAN...

Страница 111: ...The link status of the port TxPkts The number of packets transmitted on this port since reset or manual clear RxPkts The number of packets received on this port since reset or manual clear Collisions...

Страница 112: ...ading select Attached Devices to view the table shown in Figure 8 3 Figure 8 3 Attached Devices menu For each device the table shows the IP address Device Name NetBIOS Host Name if available and the E...

Страница 113: ...incoming service requests hacker probes and administrator logins If you enabled content filtering in the Block Sites menu the Logs page shows you when someone on your network tries to access a blocke...

Страница 114: ...entry Source port and interface The service port number of the initiating device and whether it originated from the LAN or WAN Destination The name or IP address of the destination device or Web site...

Страница 115: ...n to the Web based interface of this Router Other connections and traffic to this Router if selected this will log traffic sent to this Router rather than through this Router to the Internet Allow dup...

Страница 116: ...ct this check box if you want to receive e mail logs and alerts from the firewall Your outgoing mail server Enter the name or IP address of your ISP s outgoing SMTP mail server such as mail myISP com...

Страница 117: ...eekly If the Weekly Daily or Hourly option is selected and the log fills up before the specified period the log is automatically e mailed to the specified e mail address After the log is sent the log...

Страница 118: ...Log in to the firewall at its default LAN address of http 192 168 0 1 with its default user name of admin default password of password or using whatever Password and LAN address you have chosen for th...

Страница 119: ...e the Default Reset button on the rear panel of the firewall See How to Use the Default Reset Button on page 9 7 Running Diagnostic Utilities and Rebooting the Router The FVS328 Firewall has a diagnos...

Страница 120: ...ased by NETGEAR Upgrade files can be downloaded from the NETGEAR Web site If the upgrade file is compressed ZIP file you must first extract the binary BIN or IMG file before uploading it to the firewa...

Страница 121: ...erface under the Maintenance heading select the Router Upgrade heading to display the menu shown in Figure 8 10 Figure 8 10 Router Upgrade menu 4 In the Router Upgrade menu click Browse to locate the...

Страница 122: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual 8 16 Managing Your Network May 2004 202 10031 01...

Страница 123: ...ting the ISP Connection on page 9 4 I can t remember the firewall s configuration password or I want to clear the configuration and start over again Go to Restoring the Default Configuration and Passw...

Страница 124: ...that you are using the 12VDC power adapter supplied by NETGEAR for this product If the error persists you have a hardware problem and should contact technical support Test LED Never Turns On or Test L...

Страница 125: ...your computer s IP address is on the same subnet as the firewall If you are using the recommended addressing scheme your computer s address should be in the range of 192 168 0 2 to 192 168 0 254 Refer...

Страница 126: ...the firewall is able to obtain a WAN IP address from the ISP Unless you have been assigned a static IP address your firewall must request an IP address from the ISP You can determine whether the requ...

Страница 127: ...an IP address but your computer is unable to load any Web pages from the Internet Your computer may not recognize any DNS server addresses A DNS server is a host on the Internet that translates Inter...

Страница 128: ...orking you see this message Request timed out If the path is not functioning correctly you could have one of the following problems Wrong physical connections Make sure the LAN port LED is on If the L...

Страница 129: ...ing the Ethernet MAC addresses of all but one of your computers Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem but some ISPs additionally res...

Страница 130: ...rrent time from one of several Network Time Servers on the Internet Each entry in the log is stamped with the date and time of day Problems with the date and time function can include Date shown is Ja...

Страница 131: ...P 1 RIP 2 DHCP PPP over Ethernet PPPoE Power Adapter North America 120V 60 Hz input United Kingdom Australia 240V 50 Hz input Europe 230V 50 Hz input Japan 100V 50 60 Hz input All regions output 12 V...

Страница 132: ...anual A 2 Technical Specifications May 2004 202 10031 01 Electromagnetic Emissions Meets requirements of FCC Part 15 Class B VCCI Class B EN 55 022 CISPR 22 Class B Interface Specifications Local 10BA...

Страница 133: ...es and modified prior to being forwarded and or replied to Field List DATE TIME Log s date and time EVENT Event is that access the device or access other host via the device PKT_TYPE Packet type pass...

Страница 134: ...efault rule match PKT_TYPE UDP packet TCP connection ICMP packet Inbound Log Incoming packets that match the Firewall rules are logged The format is DATE TIME PKT_TYPE SRC_IP SRC_INF DST_IP DST_INF AC...

Страница 135: ...N Packet Wed 2003 07 30 18 44 50 IP Packet Type Field 321 Source 18 7 21 69 192 168 0 3 Drop Notes DESCRIPTION VPN Packet PKT_TYPE GRE AH ESP IP packet Type Field Num IPSEC ACTION Forward Drop Router...

Страница 136: ...Fri 2003 12 05 22 59 56 ICMP Packet Echo Request Source 192 168 0 10 Destination 192 168 0 1 Receive The format is DATE TIME EVENT SRC_IP SRC_PORT SRC_INF DST_IP DST_PORT DST_INF ACTION Wed 2003 07 3...

Страница 137: ...2 63 WAN Destination 172 31 12 157 LAN Drop ICMP Flood Fri 2003 12 05 21 33 52 UDP Packet Source 127 0 0 1 0 WAN Destination 172 31 12 157 0 LAN Drop Fragment Attack Fri 2003 12 05 19 20 00 TCP Sessio...

Страница 138: ...Source 192 168 0 10 LAN Destination www google com WAN Drop Notes EVENT Attempt to access blocked sites SRC_INF LAN DST_INF WAN All Web Sites and News Groups Visited All Web sites and News groups that...

Страница 139: ...Inbound Policy to Service BGP is Added Fri 2003 12 05 21 49 41 Administrator Action Outbound Policy to Service BGP is Added Fri 2003 12 05 21 50 14 Administrator Action Inbound Policy to Service BGP...

Страница 140: ...Model FVS328 ProSafe VPN Firewall with Dial Back up Reference Manual B 8 Firewall Log Formats May 2004 202 10031 01...

Page 141: ...LAN However providing high bandwidth between a local network and the Internet can be very expensive Because of this expense Internet access is usually provided by a slower speed wide area network WAN...

Page 142: ...org The Internet Protocol IP uses a 32-bit address structure The address is usually written in dot notation also called dotted-decimal notation in which each group of eight bits is written in decimal...

Page 143: ...can have up to 65,354 hosts on a network A Class B address uses a 16-bit network number and a 16-bit node number Class B addresses are in this range 128.1.x.x to 191.254.x.x Class C Class C addresses...

Page 144: ...lass A B and C addresses are 255.0.0.0 255.255.0.0 and 255.255.255.0 respectively For example the address 192.168.170.237 is a Class C IP address whose network portion is the upper 24 bits When combin...

Page 145: ...on to extending the number of addresses available subnet addressing provides other benefits Subnet addressing allows a network manager to construct an address scheme for the network by using different...

Page 146: ...ork with subnet mask 255.255.255.0 into 16 subnets 4 bits the new subnet mask becomes 255.255.255.240 The following table displays several common netmask values in both the dotted-decimal and the mask...

Page 147: ...5.255 192.168.0.0 192.168.255.255 NETGEAR recommends that you choose your private network number from this range The DHCP server of the FVS328 Firewall is preconfigured to automatically assign private...

Page 148: ...following figure illustrates a single IP address operation Figure 9-3 Single IP Address Operation Using NAT This scheme offers the additional benefit of firewall-like protection because the internal L...

Page 149: ...sponds to the ARP request All other stations discard the request Related Documents The station with the correct IP address responds with its own MAC address directly to the sending device The receivin...

Page 150: ...ynamic Host Configuration Protocol DHCP server The DHCP server stores a list or pool of IP addresses along with other information such as gateway and DNS addresses that it may assign to the other devi...

Page 151: ...ll filtering to protect your network from attacks and intrusions Since user-level applications such as FTP and Web browsers can create complex patterns of network traffic it is necessary for the firew...

Page 152: ...ansmit pair must be exchanged with the receive pair This exchange is done by one of two mechanisms Most hubs provide an uplink switch which will exchange the pairs on one port allowing that port to be...

Page 153: ...nd 10BASE-T will often tolerate low quality cables but at 100 Mbits/second 10BASE-Tx the cable must be rated as Category 5 or Cat 5 by the Electronic Industry Association EIA This rating will be print...


Page 155: ...ncludes the software components for establishing a TCP/IP network Windows 3.1 does not include a TCP/IP component You need to purchase a third-party TCP/IP application package such as NetManage Chamel...

Page 156: ...he firewall assigns the following TCP/IP configuration information automatically when the computers are rebooted PC or workstation IP addresses 192.168.0.2 through 192.168.0.254 Subnet mask 255.255.25...

Page 157: ...w these steps a Click the Add button b Select Adapter and then click Add c Select the manufacturer and model of your Ethernet adapter and then click OK If you need TCP/IP a Click the Add button b Sele...

Page 158: ...he recommended default addresses follow these steps 1 Connect all computers to the firewall then restart the firewall and allow it to boot 2 On each attached PC open the Network control panel refer to...

Page 159: ...uld match the values below if you are using the default TCP/IP settings that NETGEAR recommends The IP address is between 192.168.0.2 and 192.168.0.254 The subnet mask is 255.255.255.0 The default gat...

Page 160: ...figuration 1 On the Windows taskbar click the Start button and then click Run The Run window opens 2 Type cmd and then click OK A command window opens 3 Type ipconfig /all Your IP Configuration informa...

Page 161: ...net interface 3 From the Configure box select Using DHCP Server You can leave the DHCP Client ID box empty 4 Close the TCP/IP Control Panel 5 Repeat this for each Macintosh on your network MacOS X 1 F...

Page 162: ...From the Apple menu select Control Panels then TCP/IP The panel is updated to show your settings which should match the values below if you are using the default TCP/IP settings that NETGEAR recommend...

Page 163: ...s Internet port is connected to the broadband modem the firewall appears to be a single PC to the ISP The firewall then allows the computers on the local network to masquerade as the single PC to acce...

Page 164: ...firewall These procedures are described next Obtaining ISP Configuration Information for Windows Computers As mentioned above you may need to collect configuration information from your PC so that yo...

Page 165: ...from your Macintosh so that you can use this information when you configure the FVS328 Firewall Following this procedure is only necessary when your ISP does not dynamically supply the account inform...

Page 166: ...computers to work with the firewall you must reset the network for the devices to be able to communicate correctly Restart any computer that is connected to the firewall After configuring all of your...

Page 167: ...a flowing across the network is protected by encryption technologies Private networks lack data security which allows data attackers to tap directly into the network and read the data IPSec-based VPNs...

Page 168: ...ly and inexpensively installed on existing Internet connections What is IPSec and How Does It Work IPSec is an Internet Engineering Task Force IETF standard suite of protocols that provides data authe...

Page 169: ...unforgeable identifier for each packet which is a data equivalent of a fingerprint This fingerprint allows the device to determine if a packet has been tampered with Furthermore packets that are not...

Page 170: ...known In addition AH does not protect the data's confidentiality If data is intercepted and only AH is used the message contents can be read ESP protects data confidentiality For added protection in c...

Page 171: ...essed with IPSec the new IP packet contains the old IP header with the source and destination IP addresses unchanged and the processed packet payload Transport mode does not shield the information in...

Page 172: ...VPN Consortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard The case studies i...

Page 173: ...lic-facing address WAN side and a private-facing address LAN side These addresses are referred to as the network interface in documentation regarding the construction of VPN communication Please note...

Page 174: ...that you intend to allow Setting Up a VPN Tunnel Between Gateways An SA frequently called a tunnel is the set of information that allows two entities networks PCs routers firewalls gateways to trust e...

Page 175: ...ablished by IPSec As illustrated below the most common method of accomplishing this process is via the Internet Key Exchange IKE protocol which automates some of the negotiation procedures Alternative...

Page 176: ...lgorithms to use in the IPSec SAs b The master key is used to derive the IPSec keys for the SAs Once the SA keys are created and exchanged the IPSec SAs are ready to protect user data between the two...

Page 177: ...otiation is working Common problems encountered in setting up VPNs include Parameters may be configured differently on Gateway A vs Gateway B Two LANs set up with similar or overlapping addressing sch...

Page 178: ...998 RFC 2407 D. Piper The Internet IP Security Domain of Interpretation for ISAKMP November 1998 RFC 2474 K. Nichols S. Blake F. Baker D. Black Definition of the Differentiated Services Field DS Field in t...

Page 179: ...formation before you begin the configuration process Verify whether the firmware is up to date all of the addresses that will be necessary and all of the parameters that need to be set on both sides C...

Page 180: ...e illustration Out of the box the FVS318 or FVM318 is set for its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password For this example we will...

Page 181: ...IPSec Identifier name for the NETGEAR FVS318 Gateway A This name must be entered in the other endpoint as Remote IPSec Identifier In this example we used 14.15.16.17 as the local identifier Enter a Re...

Page 182: ...Figure 4 NETGEAR FVS318 VPN Settings part 2 Main Mode From the Secure Association drop-down box select Main Mode Next to Perfect Forward Secrecy select the Enabled radio button From the Encryption Pr...

Page 183: ...s will open the IKE Policies Menu Click Add This will open a new screen titled IKE Policy Configuration Figure F-5 NETGEAR FVS328 IKE Policy Configuration Part 1 Enter an appropriate name for the poli...

Page 184: ...ld type hr5xb84l6aa9r6 You must make sure the key is the same for both gateways From the Diffie-Hellman DH Group drop-down box select Group 1 768 Bit In the SA Life Time field type 28800 3 Click the A...

Page 185: ...being the FVS318 IKE Policy From the Remote VPN Endpoint Address Type drop-down box select IP Address Type the WAN IP Address of Gateway A 14.15.16.17 in our example in the Remote VPN Endpoint Addres...

Page 186: ...dress of Gateway A 0.0.0.0 in our example in the Remote IP Finish IP Address field Type the LAN Subnet Mask of Gateway A 255.255.255.0 in our example in the Remote IP Subnet Mask field From the AH Con...

Page 187: ...way B LAN Interface address example address 172.23.9.1 2 From a PC behind the FVS328 gateway B attempt to ping the remote NETGEAR FVS318 or FVM318 gateway A LAN Interface address example address 10.5...


Page 189: ...e VPN Consortium Gather all the necessary information before you begin the configuration process Verify whether the firmware is up to date all of the addresses that will be necessary and all of the pa...

Page 190: ...name It provides a central public database where information such as email addresses host names and IP addresses can be stored and retrieved Now a gateway can be configured to use a 3rd party service...

Page 191: ...nformation necessary to set up the gateways Step-By-Step Configuration of FVS318 or FVM318 Gateway A 1 Log in to the FVS318 or FVM318 labeled Gateway A as in the illustration Out of the box the FVS318...

Page 192: ...lete FQDN we are using is netgear.dyndns.org and the Host Name is netgear Type the Password or key for your dynamic DNS account 5 Click Apply to save your configuration 6 Click on the VPN Settings lin...

Page 193: ...fier name for the remote NETGEAR FVS328 Gateway B This name must be entered in the other endpoint as Local IPSec Identifier In this example we used 22.23.24.25 as the remote identifier Choose a subnet...

Page 194: ...ox select Main Mode Next to Perfect Forward Secrecy select the Enabled radio button From the Encryption Protocol drop-down box select 3DES In the PreShared Key box type a unique text string to be used...

Page 195: ...dd on the IKE Policies Menu Figure G-6 NETGEAR FVS328 IKE Policy Configuration Part 1 Enter an appropriate name for the policy in the Policy Name field This name is not supplied to the remote VPN Endp...

Page 196: ...hared Key field type hr5xb84l6aa9r6 You must make sure the key is the same for both gateways From the Diffie-Hellman DH Group drop-down box select Group 1 768 Bit In the SA Life Time field type 28800...

Page 197: ...dpoint Address Type drop-down box select IP Address Type the WAN IP Address of Gateway A 14.15.16.17 in our example in the Remote VPN Endpoint Address Data field Type 300 in the SA Life Time Seconds f...

Page 198: ...IP Address of Gateway A 0.0.0.0 in our example in the Remote IP Finish IP Address field Type the LAN Subnet Mask of Gateway A 255.255.255.0 in our example in the Remote IP Subnet Mask field From the...

Page 199: ...nection 1 From a PC behind the NETGEAR FVS318 or FVM318 Gateway A attempt to ping the remote FVS328 Gateway B LAN Interface address example address 172.23.9.1 2 From the FVS318 or FVM318 click the Rou...


Page 201: ...addressing and configuration mechanics defined by the VPN Consortium Gather all the necessary information before you begin the configuration process Verify whether the firmware is up to date all of t...

Page 202: ...0.1 with its default user name of admin and default password of password Even though the remainder of this document will refer to the FVS328 the login procedures and configuration menu screens are the...

Page 203: ...guration Enter a descriptive name for the policy in the Policy Name field This name is not supplied to the remote VPN endpoint It is used to help you manage the IKE policies In our example we used VPN...

Page 204: ...ion Method radio button select Pre-shared Key This will also be selected in the VPN Client Security Policy Authentication Phase 1 Proposal 1 Authentication Method field as seen in Connection Security...

Page 205: ...l take you to the VPN Policies Menu page Click Add Auto Policy This will open a new screen titled VPN Auto Policy Figure H-3 NETGEAR FVS328 VPN Auto Policy General settings Enter a unique name to iden...

Page 206: ...of the FVS328 in the Local IP Start IP Address field For this example we used 192.168.0.0 which is the default LAN IP address of the FVS328 This will also be entered in the VPN Client Connection Remo...

Page 207: ...box is selected Click Apply to save your changes Step-By-Step Configuration of the Netgear VPN Client B This procedure describes linking a remote PC and a LAN The LAN will connect to the Internet usin...

Page 208: ...boot your PC after installing the client software 2 Configure the Connection Network Settings Figure H-4 Security Policy Editor New Connection a Run the Security Policy Editor program and create a VPN...

Page 209: ...ateway Tunnel check box is selected c In this example select IP Subnet as the ID Type 192.168.0.0 in the Subnet field the Subnet address is the LAN IP Address of the FVS328 with 0 as the last number a...

Page 210: ...re the Connection Identity Settings a In the Network Security Policy list click the Security Policy subheading Figure H-9 Security Policy b For this example ensure that the following settings are conf...

Page 211: ...ing choices in this procedure follow the VPNC guidelines Figure H-10 Connection Security Policy Authentication Phase 1 a Configure the Authentication Phase 1 Settings Expand the Security Policy headin...

Page 212: ...Configure the Key Exchange Phase 2 Expand the Key Exchange Phase 2 heading and click on Proposal 1 For this example ensure that the following settings are configured In the SA Life menu select Unspeci...

Page 213: ...Allow to Specify Internal Network Address check box and click OK 7 Save the VPN Client Settings From the File menu at the top of the Security Policy Editor window select Save After you have configure...

Page 214: ...esults of the attempt to connect Once the connection is established you can access resources of the network connected to the FVS328 Another method is to ping from the remote PC to the LAN IP address o...

Page 215: ...rom the FVS328 to the Client PC You can use the FVS328 Diagnostic utilities to test the VPN connection from the FVS328 to the client PC Run ping tests from the Diagnostics link of the FVS328 main menu...

Page 216: ...address of 192.168.0.1 The VPN client PC is behind a home NAT router and has a dynamically assigned address of 192.168.0.3 While the connection is being established the Connection Name field in this m...

Page 217: ...N Firewall with Dial Back-up Reference Manual NETGEAR VPN Client to NETGEAR the FVS328 H-17 May 2004 202-10031-01 The FVS328 VPN Status screen for a successful connection is shown below Figure H-15 FV...


Page 219: ...nt with a financial institution such as a credit card company which provides it with information to confirm an individual's claimed identity CAs are a critical component in data security and electroni...

Page 220: ...Domain Name Server resolves descriptive names of network resources such as www.NETGEAR.com to numeric IP addresses Dynamic Host Configuration Protocol DHCP An Ethernet protocol specifying how a centra...

Page 221: ...ary for any type of Internet access Because it's a simpler version of X.500 LDAP is sometimes called X.500 lite local area network LAN A communications network serving users within a limited area such...

Page 222: ...re packet A block of information sent over a network A packet typically contains a source and destination network address some protocol and length information a block of data and a checksum PPP See Po...

Page 223: ...100BASE-Tx Ethernet networks VPN Virtual Private Network A method for securely transporting data between two private networks by using a public network such as the Internet as a connection VPNC Virtua...


Page 225: ...d time 9-8 Daylight Savings Time 6-15 9-8 daylight savings time 6-14 Default DMZ Server 5-5 default reset button 9-7 Denial of Service DoS protection 2-2 denial of service attack C-11 DHCP 2-3 5-2 C-1...

Page 226: ...private C-7 translating C-9 IP configuration by DHCP C-10 IP networking for Macintosh D-6 for Windows D-2 D-5 IPSec E-1 IPSec Components E-2 IPSec SA negotiation E-9 IPSec Security Features E-2 ISP 3...

Page 227: ...C-1 Routing Information Protocol 2-3 C-2 RTS Threshold 4-3 4-5 4-6 rules inbound 6-8 outbound 6-11 S SA E-4 Scope of Document 1-1 Secondary DNS Server 3-8 3-9 3-10 3-15 Serial 3-3 3-10 3-12 4-2 seria...

Page 228: ...al Private Networking 2-3 VPN E-1 VPN Consortium E-6 VPN Process Overview E-7 VPNC IKE Phase I Parameters E-10 VPNC IKE Phase II Parameters E-11 W Windows configuring for IP routing D-2 D-5 winipcfg u...
