Powerful, True Firewall with Content Filtering | NETGEAR fvs114

Reference Manual for the ProSafe VPN Firewall FVS114

A Powerful, True Firewall with Content Filtering

Unlike simple Internet sharing NAT firewalls, the FVS114 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:

•DoS protection.

Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND Attack, and IP Spoofing.

•Blocks unwanted traffic from the Internet to your LAN.

•Blocks access from your LAN to Internet locations or services that you specify as off-limits.

•Logs security incidents.

The FVS114 logs security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your e-mail address or email pager whenever a significant event occurs.

•With its content filtering feature, the FVS114 prevents objectionable content from reaching your PCs. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites.

Security

The FVS114 VPN Firewall is equipped with several features designed to maintain security, as described in this section.

•PCs Hidden by NAT

NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the PCs on the LAN.

•Port Forwarding with NAT

Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the firewall allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request, or to one designated “DNS” host computer. You can specify forwarding of single ports or ranges of ports.

2-2	Introduction

202-10098-01, April 2005

Image 18

NETGEAR fvs114 manual Powerful, True Firewall with Content Filtering, Security

Contents

Reference Manual for the ProSafe VPN Firewall FVS114 EN 55 022 Declaration of Conformance TrademarksStatement of Conditions Certificate of the Manufacturer/Importer Product and Publication Details 202-10098-01, April Contents Chapter Firewall Protection Content Filtering Chapter Advanced Virtual Private Networking Chapter Advanced Configuration Appendix C Virtual Private Networking Appendix D Preparing Your Network Contents Xii Contents Typographical Conventions Chapter About This ManualAudience, Scope, Conventions, and Formats Manual Scope How to Use This Manual Printing a Chapter How to Print this ManualPrinting a Page in the Html View Printing the Full Manual Reference Manual for the ProSafe VPN Firewall FVS114 Key Features of the VPN Firewall Chapter Introduction Powerful, True Firewall with Content Filtering Security Autosensing Ethernet Connections with Auto Uplink Extensive Protocol Support Easy Installation and Management Maintenance and Support Package Contents FVS114 Rear Panel LED Descriptions Netgear Product Registration, Support, and Documentation DC power input ON/OFF switchNETGEAR-Related Products NETGEAR-Related Products Reference Manual for the ProSafe VPN Firewall FVS114 Connecting the Firewall to the Internet Prepare to Install Your FVS114 ProSafe VPN FirewallFirst, Connect the FVS114 VPN Firewall Modem Restart Your Network in the Correct Sequence Now, Configure the FVS114 for Internet Access Status lights Netgear Smart Wizard Configuration Assistant welcome screen Be sure to restart your network in this sequence Troubleshooting TipsMake sure the network settings of the computer are correct Make sure the Ethernet cables are securely plugged Overview of How to Access the FVS114 VPN Firewall Ways to access the firewall Login URL How to Bypass the Configuration Assistant Login result FVS114 home Using the Smart Setup Wizard How to Manually Configure Your Internet Connection ISP Does Not Require Login Reference Manual for the ProSafe VPN Firewall FVS114 10 Basic Settings ISP list Reference Manual for the ProSafe VPN Firewall FVS114 Chapter Firewall Protection Content Filtering Firewall Protection and Content Filtering Overview Block Sites Block Sites menu Using Rules to Block or Allow Specific Kinds of Traffic Rules menu Reference Manual for the ProSafe VPN Firewall FVS114 Inbound Rules Port Forwarding Inbound Rule Example a Local Public Web Server Rule example a local public Web server Outbound Rules Service Blocking Considerations for Inbound Rules Outbound Rule Example Blocking Instant Messenger Rule example blocking Instant Messenger Order of Precedence for Rules Rules table Services Services menu Add Custom Service menu Using a Schedule to Block or Allow Specific Traffic Schedule Time Zone Getting E-Mail Notifications of Event Logs and Alerts 10 E-mail menu Reference Manual for the ProSafe VPN Firewall FVS114 Viewing Logs of Web Access or Attempted Web Access 11 Logs menu Log action buttons are described in Table SyslogLog entries are described in Table Log entry descriptions Chapter Basic Virtual Private Networking VPN Tunnel Single Advanced methods see , Advanced Virtual Private Networking Configuration VPN Tunnel Configuring the Client-to-Gateway VPN Tunnel on the FVS114 VPN Wizard start screen Summary screen below displays Connection Name and Remote IP Type Vpnc Recommended Settings Configuring the Netgear ProSafe VPN Client on the Remote PC Select Secure in the Connection Security check box Security Policy Editor new connection 11 Security Policy Editor Security Policy 12 Security Policy Editor My Identity 13 Security Policy Editor Pre-Shared Key 15 Security Policy Editor Key Exchange 16 Running a Ping test to the LAN from the PC 18 Log Viewer screen Transferring a Security Policy to Another Client Exporting a Security Policy Select Export Security Policy from the File pulldown Importing a Security Policy Select the security policy to import Scenario1 FVS114 VPN Firewall PCs Procedure to Configure a Gateway-to-Gateway VPN Tunnel 23 VPN Wizard start screen 25 Remote IP 27 VPN Wizard Summary 28 VPN Recommended Settings 30 VPN Status/Log screen VPN Tunnel Control Start Using a VPN Tunnel to Activate ItUsing the VPN Status Page to Activate a VPN Tunnel Activating a VPN Tunnel Activate the VPN Tunnel by Pinging the Remote Endpoint 32 VPN Status/Log screen Type ping -t 192.168.3.1 and then click OK Type ping Verifying the Status of a VPN Tunnel 36 Pinging test results Deactivating a VPN Tunnel 38 Current VPN Tunnels SAs screen Using the VPN Status Page to Deactivate a VPN Tunnel 39 VPN Policies Deleting a VPN Tunnel 41 Current VPN Tunnels SAs screen Virtual Private Using Policies to Manage VPN Traffic Using Automatic Key Management IKE Policies’ Automatic Key and Authentication Management IKE Policy Configuration Menu IKE Policy Configuration fields Field Description General VPN Policy Configuration for Auto Key Negotiation Field Description Remote VPN Auto Policy menu VPN Auto Policy Configuration Fields VPN Auto Policy fields are defined in the following table Authenticating Header AH VPN Policy Configuration for Manual Key Exchange Netbios Enable VPN Manual Policy menu VPN Manual Policy Configuration Fields VPN Manual Policy fields are defined in the following table Value in its Authentication Algorithm Key Out field Netbios Enable Walk-Through of Configuration Scenarios on the FVS114 Certificate Revocation List CRL VPN Consortium Scenario From Settings menu Are IPv4 WAN IP addresses FVS114 Internet IP Address menu LAN IP Setup menu Set up the IKE Policy illustrated below on the FVS114 Scenario 1 IKE Policy Set up the FVS114 VPN -Auto Policy illustrated below 10 Scenario 1 VPN Auto Policy How to Check VPN Connections Testing the Gateway a FVS114 LAN and the Gateway B LAN Obtain a root certificate Install the trusted CA certificate for the Trusted Root CAFVS114 Scenario 2 FVS114 to FVS114 with RSA Certificates Create a certificate request for the FVS114 11 Generate Self Certificate Request menu Highlight, copy and paste this data into a text file 12 Self Certificate Request data Click the Upload Certificate button 13 Self Certificate Requests table 14 Self Certificates table Set up Certificate Revocation List CRL checking Reference Manual for the ProSafe VPN Firewall FVS114 Chapter Maintenance Viewing VPN Firewall Status Information This screen shows the following parameters FVS114 Status fields Connection Status fields Click Show WAN Status to display the WAN connection statusThis screen shows the following statistics Connection Status action buttons Click Show Statistics to display firewall usage statistics WAN Status action buttons are described in the table belowRouter Statistics fields Viewing a List of Attached Devices Upgrading the Firewall Software Configuration File Management Router Upgrade menu Backing Up the Configuration Restoring the ConfigurationErasing the Configuration Changing the Administrator Password Diagnostics Diagnostics menu Ping or Trace an IP address Reference Manual for the ProSafe VPN Firewall FVS114 Chapter Advanced Configuration WAN Setup Default DMZ Server Click Default DMZ Server How to Configure Dynamic DNSTo assign a computer or server to be a Default DMZ server Respond to Ping on Internet WAN Port Dynamic DNS Using the LAN IP Setup Options Configuring LAN TCP/IP Setup Parameters Reference Manual for the ProSafe VPN Firewall FVS114 Using the Firewall as a Dhcp server Using Address Reservation Configuring Static Routes Click Edit or Delete Static Routes table Enabling Remote Management Access Static Route Example Remote Management menu Https//134.177.0.1238080 UPnP UPnP menu Reference Manual for the ProSafe VPN Firewall FVS114 Chapter Troubleshooting Power LED Not OnBasic Functioning LEDs Never Turn Off LAN or Internet Port LEDs Not On Troubleshooting the Web Configuration Interface Troubleshooting the ISP Connection Troubleshooting a TCP/IP Network Using a Ping Utility Testing the LAN Path to Your Firewall If the path is not working, you see this message Testing the Path from Your PC to a Remote DeviceIf the path is working, you see this message Ping -n 10 IP address Restoring the Default Configuration and Password Problems with Date and Time Reference Manual for the ProSafe VPN Firewall FVS114 Appendix a Technical Specifications Data and Routing ProtocolsPPP over Ethernet PPPoE Interface Specifications 10BASE-T or 100BASE-Tx, RJ-45Electromagnetic Emissions Appendix B Network, Routing, and Firewall Basics Related Publications Basic Router Concepts Routing Information Protocol What is a Router?IP Addresses and the Internet Is normally written as Figure B-1 Three Main Address Classes Netmask Combined withEquals Subnet Addressing Figure B-2 Example of Subnetting a Class B Address Table B-1 Netmask notation translation table for one octet Table B-2. Netmask formats Private IP Addresses Table B-2 Netmask formats Single IP Address Operation Using NAT Figure B-3 Single IP Address Operation Using NAT MAC Addresses and Address Resolution Protocol Related DocumentsDomain Name Server IP Configuration by Dhcp Internet Security and Firewalls Ethernet Cabling What is a Firewall?Denial of Service Attack Stateful Packet Inspection Table B-3 UTP Ethernet cable wiring, straight-through Category 5 Cable Quality Inside Twisted Pair Cables Figure B-4illustrates straight-through twisted pair cable Uplink Switches, Crossover Cables, and MDI/MDIX Switching Reference Manual for the ProSafe VPN Firewall FVS114 Reference Manual for the ProSafe VPN Firewall FVS114 What is a VPN? Appendix C Virtual Private Networking IPSec Components What Is IPSec and How Does It Work?IPSec Security Features IPSec contains the following elements Encapsulating Security Payload ESP Authentication Header AH IKE Security Association Mode Understand the Process Before You Begin Key Management VPN Process Overview AddressesIt functions as a VPN Tunnel Between Gateways FirewallsTable C-2 Subnet addressing IPSec Security Association IKE VPN Tunnel Negotiation Steps IPSec Security Association SA negotiation Vpnc IKE Phase I Parameters Vpnc IKE Security Parameters Testing and Troubleshooting Vpnc IKE Phase II ParametersAdditional Reading Relevant RFCs listed numerically Appendix D Preparing Your Network Preparing Your Computers for TCP/IP Networking Configuring Windows 95, 98, and Me for TCP/IP Networking Install or Verify Windows Networking Components Select Microsoft Select TCP/IP, and then click OK Enabling Dhcp to Automatically Configure TCP/IP Settings Choose Settings, and then Control PanelRestart your PC for the changes to take effect Primary Network Logon is set to Windows logon Selecting Windows’ Internet Access Method Verifying TCP/IP PropertiesClick OK to continue Restart the PC Configuring Windows NT4, 2000 or XP for IP Networking Double-click the Network and Dialup Connections icon Dhcp Configuration of TCP/IP in Windows XP Then, restart your PCLocate your Network Neighborhood icon Reference Manual for the ProSafe VPN Firewall FVS114 Dhcp Configuration of TCP/IP in Windows Reference Manual for the ProSafe VPN Firewall FVS114 Obtain an IP address automatically is selected Dhcp Configuration of TCP/IP in Windows NT4 Reference Manual for the ProSafe VPN Firewall FVS114 Verifying TCP/IP Properties for Windows XP, 2000, and NT4 TCP/IP Properties dialog box now displays MacOS 8.6 or Configuring the Macintosh for TCP/IP NetworkingDefault gateway is Type exit MacOS Verifying TCP/IP Properties for Macintosh Computers Are Login Protocols Used? What Is Your Configuration Information?Verifying the Readiness of Your Internet Account Select the IP Address tab Select the Gateway tab Reference Manual for the ProSafe VPN Firewall FVS114 Restarting the Network Reference Manual for the ProSafe VPN Firewall FVS114 List of Glossary Terms Numeric AES Packet sent to all devices on a network DNS See Internet Control Message Protocol Internet service provider Megabits per second Set of rules for communication between devices on a network Radius See Wide Area Network Reference Manual for the ProSafe VPN Firewall FVS114 Reference Manual for the ProSafe VPN Firewall FVS114