Reference Manual for the ProSafe VPN Firewall FVS114 NETGEAR, Inc.
© 2005 by NETGEAR, Inc. All rights reserved.

Trademarks
NETGEAR is a trademark of Netgear, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.

Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.
Product and Publication Details
Model Number: FVS114
Publication Date: April 2005
Product Family: Router
Product Name: FVS114 ProSafe VPN Firewall
Home or Business Product: Business
Language: English

202-10098-01, April 2005
Contents

Chapter 1 About This Manual
Audience, Scope, Conventions, and Formats (page 1-1)
How to Use This Manual (page 1-2)
How to Print this Manual (page 1-3)

Chapter 2 Introduction
Key Features of the VPN Firewall
Using the Smart Setup Wizard (page 3-10)
How to Manually Configure Your Internet Connection (page 3-11)

Chapter 4 Firewall Protection and Content Filtering
Firewall Protection and Content Filtering Overview (page 4-1)
Block Sites
Procedure to Configure a Gateway-to-Gateway VPN Tunnel (page 5-21)
VPN Tunnel Control (page 5-26)
Activating a VPN Tunnel (page 5-26)
Start Using a VPN Tunnel to Activate It (page 5-26)
Using the VPN Status Page to Activate a VPN Tunnel
Erasing the Configuration (page 7-7)
Changing the Administrator Password (page 7-8)
Diagnostics (page 7-8)

Chapter 8 Advanced Configuration
WAN Setup
What is a Router? (page B-2)
Routing Information Protocol (page B-2)
IP Addresses and the Internet (page B-2)
Netmask (page B-4)
Subnet Addressing
VPN Tunnel Between Gateways (page C-8)
VPNC IKE Security Parameters (page C-10)
VPNC IKE Phase I Parameters (page C-10)
VPNC IKE Phase II Parameters (page C-11)
Testing and Troubleshooting
B (page G-2)
C (page G-3)
D (page G-3)
E
Chapter 1 About This Manual

This chapter describes the intended audience, scope, conventions, and formats of this manual.

Audience, Scope, Conventions, and Formats

This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, firewall, and VPN technologies tutorial information is provided in the Appendices and on the NETGEAR Web site.

This guide uses the following typographical conventions:

Table 1-1.
How to Use This Manual

The HTML version of this manual includes the following:
• Buttons for browsing forwards or backwards through the manual one page at a time.
• A button that displays the table of contents and an index button. Double-click on a link in the table of contents or index to navigate directly to where the topic is described in the manual.
• A product model.
• Links to PDF versions of the full manual and individual chapters.
How to Print this Manual

To print this manual, choose one of the following options, according to your needs.
• Printing a Page in the HTML View. Each page in the HTML version of the manual is dedicated to a major topic. Use the Print button on the browser toolbar to print the page contents.
• Printing a Chapter. Use the PDF of This Chapter link at the top left of any page.
Chapter 2 Introduction

This chapter describes the features of the NETGEAR FVS114 ProSafe VPN Firewall.

Key Features of the VPN Firewall

The FVS114 ProSafe VPN Firewall with four-port switch connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem. The FVS114 is a complete security solution that protects your network from attacks and intrusions.
A Powerful, True Firewall with Content Filtering

Unlike simple Internet sharing NAT firewalls, the FVS114 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:
• DoS protection. Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND Attack, and IP Spoofing.
• Blocks unwanted traffic from the Internet to your LAN.
Autosensing Ethernet Connections with Auto Uplink

With its internal eight-port 10/100 switch, the FVS114 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation. The firewall incorporates Auto Uplink™ technology.
Easy Installation and Management

You can install, configure, and operate the FVS114 ProSafe VPN Firewall within minutes after connecting it to the network. The following features simplify installation and management tasks:
• Browser-based management
  Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux.
Package Contents

The product package should contain the following items:
• FVS114 ProSafe VPN Firewall.
• AC power adapter.
• Category 5 (Cat 5) Ethernet cable.
• Installation Guide.
• Resource CD (240-10207-01) for ProSafe VPN Firewall, including:
  — This guide.
  — Application Notes and other helpful information.
• Registration and Warranty Card.

If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer.
Table 2-1. LED Descriptions

LED Label | Activity | Description
PWR | On | Power is supplied to the firewall.
TEST | On | The system is initializing.
TEST | Off | The system is ready and running.
100 (100 Mbps) | On | The Internet (WAN) port is operating at 100 Mbps.
100 (100 Mbps) | Off | The Internet (WAN) port is operating at 10 Mbps.
LINK/ACT (Link/Activity) | On | The Internet port has detected a link with an attached device.
LINK/ACT (Link/Activity) | Blinking |
• DC power input
• ON/OFF switch

NETGEAR-Related Products

NETGEAR products related to the FVS114 are listed in the following table:

Table 2-2. NETGEAR-Related Products

Category: Notebooks
Wireless: WAG511 108 Mbps Dual Band PC Card; WG511T 108 Mbps PC Card; WG511 54 Mbps PC Card; WG111 54 Mbps USB 2.0 Adapter; MA521 802.11b PC Card
Wired: FA511 CardBus Adapter; FA120 USB 2.
Documentation is available on the Resource CD and at http://kbserver.netgear.com. When the VPN firewall router is connected to the Internet, click the Knowledge Base or the Documentation link under the Web Support menu to view support information or the documentation for the VPN firewall router.
Chapter 3 Connecting the Firewall to the Internet

This chapter describes how to set up the firewall on your LAN, connect to the Internet, perform basic configuration of your FVS114 ProSafe VPN Firewall using the Setup Wizard, or how to manually configure your Internet connection. Follow these instructions to set up your firewall.
c. Locate the Ethernet cable (Cable 1 in the diagram) that connects your PC to the modem.

Figure 3-1: Disconnect the Ethernet cable from the computer (diagram labels: Cable, A, Internet, Computer, Modem)

d. Disconnect the cable at the computer end only, point A in the diagram.
e. Look at the label on the bottom of the VPN firewall router. Locate the Internet port.
f. Securely insert the blue cable that came with your VPN firewall router (the blue NETGEAR cable in the diagram below) into a LOCAL port on the firewall such as LOCAL port 4 (point C in the diagram), and the other end into the Ethernet port of your computer (point D in the diagram).
Figure 3-4: Status lights (labels: Power, Test, Internet, Local Port 4)

d. Check the VPN firewall router status lights to verify the following:
• PWR: The power light should turn solid green. If it does not, see “Troubleshooting Tips” on page 3-6.
• TEST: The test light blinks when the firewall is first turned on then goes off. If after two minutes it is still on, see “Troubleshooting Tips” on page 3-6.
• INTERNET: The Internet LINK/ACT light should be lit.
With the VPN firewall router in its factory default state, your browser will automatically display the NETGEAR Smart Wizard Configuration Assistant welcome page.

Figure 3-5: NETGEAR Smart Wizard Configuration Assistant welcome screen

Note: If you do not see this page, type http://www.routerlogin.net in the browser address bar and press Enter. If you still cannot see this screen, see “How to Bypass the Configuration Assistant” on page 3-9.
Troubleshooting Tips

Here are some tips for correcting simple problems you may have.

Be sure to restart your network in this sequence:
1. Turn off the VPN firewall router, shut down the computer, and unplug and turn off the modem.
2. Turn on the modem and wait two minutes.
3. Turn on the VPN firewall router and wait one minute.
4. Turn on the computer.

Make sure the Ethernet cables are securely plugged in.
Overview of How to Access the FVS114 VPN Firewall

The table below describes how you access the VPN firewall router, depending on the state of the VPN firewall router.

Table 3-1.
How to Log On to the FVS114 After Configuration Settings Have Been Applied

1. Connect to the VPN firewall router by typing http://www.routerlogin.net in the address field of your browser, then press Enter.

Figure 3-6: Login URL

2. For security reasons, the firewall has its own user name and password. When prompted, enter admin for the firewall user name and password for the firewall password, both in lower case letters.
Once you have entered your user name and password, your Web browser should find the FVS114 VPN Firewall and display the home page as shown below.

Figure 3-8: Login result: FVS114 home page

When the VPN firewall router is connected to the Internet, click the Knowledge Base or the Documentation link under the Web Support menu to view support information or the documentation for the VPN firewall router.
2. The browser then displays the FVS114 settings home page shown in “Login result: FVS114 home page” on page 3-9.

If you do not click Logout, the VPN firewall router waits five minutes after there is no activity before it automatically logs you out.

Using the Smart Setup Wizard

You can use the Smart Setup Wizard to assist with manual configuration or to verify the Internet connection.
How to Manually Configure Your Internet Connection

You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.

Figure 3-9: Browser-based configuration Basic Settings menu (panels: ISP Does Not Require Login, ISP Does Require Login)

You can manually configure the firewall using the Basic Settings menu shown in Figure 3-9 using these steps:
1.
a. Account: Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services such as mail or news servers.
b. Internet IP Address: If your ISP has assigned you a permanent, fixed (static) IP address for your PC, select “Use static IP address”. Enter the IP address that your ISP assigned. Also enter the netmask and the Gateway IP address.
a. For connections that require a login using protocols such as PPPoE, PPTP, or Telstra Bigpond Cable broadband connections, select your Internet service provider from the drop-down list.

Figure 3-10: Basic Settings ISP list

b. The screen will change according to the settings requirements of the ISP you select.
c. Fill in the parameters for your ISP according to the Wizard-detected procedures starting on page 3-10.
d.
Chapter 4 Firewall Protection and Content Filtering

This chapter describes how to use the content filtering features of the FVS114 ProSafe VPN Firewall to protect your network. These features can be found by clicking on the Security heading in the main menu of the browser interface.

Firewall Protection and Content Filtering Overview

The FVS114 ProSafe VPN Firewall provides you with Web content filtering options, plus browsing activity reporting and instant alerts via e-mail.
Block Sites

The FVS114 allows you to restrict access based on Web addresses and Web address keywords. Up to 255 entries are supported in the Keyword list. The Block Sites menu is shown in Figure 4-1:

Figure 4-1: Block Sites menu

Web Components: You can use these to block undesirable Web components or behavior. Select the desired options:
• Turn Proxy filtering on: Block use of a remote Proxy Server.
• Turn Cookies filtering on: Block all cookies.

Note: Many Web sites will not function correctly if these components are blocked.

Keyword Blocking: To enable keyword blocking, check Turn keyword blocking on, then click Apply.
• To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply.
• To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.
These default rules are shown in the Rules table of the Rules menu in Figure 4-2:

Figure 4-2: Rules menu

You may define additional rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. You can also choose to log traffic that matches or does not match the rule you have defined.
An example of the menu for defining or editing a rule is shown in Figure 4-3. The parameters are:
• Service. From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Services menu to add any additional services or applications that do not already appear.
• Action. Choose how you would like this type of traffic to be handled.
– Block non-standard packets: Abnormal packets are often used by hackers and in DoS attacks, but may also be generated by other network devices. This setting should normally be enabled.
– Enable DNS proxy: DNS proxy will forward DNS queries to the DNS. If the DNS proxy is disabled, the Router will ignore DNS queries it receives. PCs will then need to contact the DNS directly. This setting should normally be enabled.
Figure 4-3: Rule example: a local public Web server

Inbound Rule Example: Allowing a Videoconference from Restricted Addresses

If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 4-4, CU-SEEME connections are allowed only from a specified range of external IP addresses.
Considerations for Inbound Rules

• If your external IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the Advanced menus so that external users can always find your network.
• If the IP address of the local server PC is assigned by DHCP, it may change when the PC is rebooted.
Outbound Rule Example: Blocking Instant Messenger

If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu. You can also have the firewall log any attempt to use Instant Messenger during that blocked period.
Order of Precedence for Rules

As you define new rules, they are added to the tables in the Rules table, as shown below:

Figure 4-6: Rules table

For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules at the bottom.
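The top-down, first-match evaluation described above, modelled as an added example (this is not NETGEAR code). The default rules (allow all outbound, block all inbound), the simplified allow/block actions, the UDP port range standing in for the videoconference service and the 203.0.113.0/28 branch range are assumptions made for illustration; schedules and logging are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str             # "inbound" (WAN to LAN) or "outbound" (LAN to WAN)
    action: str                # "allow" or "block" (simplified, hypothetical actions)
    proto: str = "any"         # "tcp", "udp" or "any"
    ports: tuple = (1, 65535)  # inclusive destination port range
    src: str = "0.0.0.0/0"     # source network in CIDR notation

    def matches(self, direction, proto, port, src_ip):
        """True if a packet with these properties is selected by this rule."""
        return (self.direction == direction
                and self.proto in ("any", proto)
                and self.ports[0] <= port <= self.ports[1]
                and ip_address(src_ip) in ip_network(self.src))

    def covers(self, other):
        """True if every packet that matches `other` also matches this rule."""
        return (self.direction == other.direction
                and self.proto in ("any", other.proto)
                and self.ports[0] <= other.ports[0]
                and other.ports[1] <= self.ports[1]
                and ip_network(other.src).subnet_of(ip_network(self.src)))


# Assumed defaults, always evaluated last (bottom of the Rules table).
DEFAULT_RULES = [
    Rule("default-outbound", "outbound", "allow"),
    Rule("default-inbound", "inbound", "block"),
]


def evaluate(custom_rules, direction, proto, port, src_ip):
    """Walk the table from the top; the first matching rule decides."""
    for rule in list(custom_rules) + DEFAULT_RULES:
        if rule.matches(direction, proto, port, src_ip):
            return rule.action, rule.name
    raise ValueError("unknown direction: no default rule matched")


def shadowed(custom_rules):
    """Return (rule, earlier_rule) pairs where `rule` can never be reached."""
    found = []
    for i, rule in enumerate(custom_rules):
        for earlier in custom_rules[:i]:
            if earlier.covers(rule):
                found.append((rule.name, earlier.name))
                break
    return found


# Constructed sample rules for the videoconference scenario.
ALLOW_BRANCH = Rule("videoconf-branch", "inbound", "allow",
                    proto="udp", ports=(7648, 7652), src="203.0.113.0/28")
BLOCK_OTHERS = Rule("block-videoconf-others", "inbound", "block",
                    proto="udp", ports=(7648, 7652))

GOOD_ORDER = [ALLOW_BRANCH, BLOCK_OTHERS]  # narrow exception above broad rule
BAD_ORDER = [BLOCK_OTHERS, ALLOW_BRANCH]   # broad rule hides the exception

if __name__ == "__main__":
    for label, table in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        verdict = evaluate(table, "inbound", "udp", 7648, "203.0.113.5")
        print(label, verdict, "shadowed:", shadowed(table))
```

Running the shadow check after each change to the table catches an exception rule that was added below a broader rule and therefore never takes effect.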
Services

Services are functions performed by server computers at the request of client computers. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number.
To add a service:
1. When you have the port number information, go to the Services menu and click on the Add Custom Service button. The Add Services menu appears as shown in Figure 4-8:

Figure 4-8: Add Custom Service menu

2. Enter a descriptive name for the service so that you will remember what it is.
3. Select whether the service uses TCP or UDP as its transport protocol. If you can’t determine which is used, select both.
4.
Using a Schedule to Block or Allow Specific Traffic

If you enabled content filtering in the Block Sites menu, or if you defined an outbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted.
To block keywords or Internet domains based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, if you want to limit access during certain times for the selected days, type a Start Blocking time and an End Blocking time.

Note: Enter the values as 24-hour time.
Getting E-Mail Notifications of Event Logs and Alerts

In order to receive logs and alerts by e-mail, you must provide your e-mail information in the Send alerts and logs by e-mail area:

Figure 4-10: E-mail menu

• Turn e-mail notification on. Check this box if you wish to receive e-mail logs and alerts from the firewall.
• Send alerts and logs by e-mail. If you enable e-mail notification, these boxes cannot be blank.
  – If a user on your LAN attempts to access a Web site that you blocked using the Block Sites menu.
• Send logs according to this schedule. You can specify that logs are sent to you according to a schedule. Select whether you would like to receive the logs None, Hourly, Daily, Weekly, or When Full. Depending on your selection, you may also need to specify:
  – Day for sending log: Relevant when the log is sent weekly or daily.
Viewing Logs of Web Access or Attempted Web Access

The firewall logs security-related events such as denied incoming and outgoing service requests, hacker probes, and administrator logins. If you enable content filtering in the Block Sites menu, the Log page will also show you when someone on your network tried to access a blocked site. If you enabled e-mail notification, you'll receive these logs in an e-mail message.
Log entries are described in Table 4-1.

Table 4-1. Log entry descriptions

Field | Description
Date and Time | The date and time the log entry was recorded.
Description or Action | The type of event and what action was taken if any.
Source IP | The IP address of the initiating device for this log entry.
Source port and interface | The service port number of the initiating device, and whether it originated from the LAN or WAN.
Chapter 5 Basic Virtual Private Networking

This chapter describes how to use the virtual private networking (VPN) features of the FVS114 VPN Firewall. VPN communications paths are called tunnels. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer.

The VPN information is organized as follows:
• “Overview of VPN Configuration” on page 5-2 provides an overview of the two most common VPN configurations: client-to-gateway and gateway-to-gateway.
Overview of VPN Configuration

Two common scenarios for configuring VPN tunnels are between a remote personal computer and a network gateway and between two or more network gateways. The FVS114 supports both of these types of VPN configurations. The FVS114 VPN Firewall supports up to eight concurrent tunnels.
Figure 5-2: Gateway-to-gateway VPN tunnel (diagram labels: VPN Gateway A, VPN Tunnel, VPN Gateway B, PCs)

A VPN between two or more NETGEAR VPN-enabled firewalls is a good way to connect branch or home offices and business partners over the Internet. VPN tunnels also enable access to network resources across the Internet. In this case, use FVS114s on each end of the tunnel to form the VPN tunnel end points.
FQDNs supplied by Dynamic DNS providers can allow a VPN endpoint with a dynamic IP address to initiate or respond to a tunnel request. Otherwise, the side using a dynamic IP address must always be the initiator.
• What method will you use to configure your VPN tunnels?
  — The VPN Wizard using VPNC defaults (see Table 5-1)
  — Advanced methods (see Chapter 6, “Advanced Virtual Private Networking”)

Table 5-1.
VPN Tunnel Configuration

There are two tunnel configurations and three ways to configure them:
• Use the VPN Wizard to configure a VPN tunnel (recommended for most situations):
  — See “How to Set Up a Client-to-Gateway VPN Configuration” on page 5-5.
  — See “How to Set Up a Gateway-to-Gateway VPN Configuration” on page 5-20.
Step 1: Configuring the Client-to-Gateway VPN Tunnel on the FVS114

Note: This section uses the VPN Wizard to set up the VPN tunnel using the VPNC default parameters listed in Table 5-1 on page 5-4. If you have special requirements not covered by these VPNC-recommended parameters, refer to Chapter 6, “Advanced Virtual Private Networking” to set up the VPN tunnel.

Follow this procedure to configure a client-to-gateway VPN tunnel using the VPN Wizard.
1.
Enter the new Connection Name: (RoadWarrior in this example)
Enter the pre-shared key: (12345678 in this example)
Select the radio button: A remote VPN client (single PC)

Figure 5-5: Connection Name and Remote IP Type

The Summary screen below displays.
To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the here link (see Figure 5-6). Click Back to return to the Summary screen.

Figure 5-7: VPNC Recommended Settings

3. Click Done on the Summary screen (see Figure 5-6) to complete the configuration procedure. The VPN Policies menu below displays showing that the new tunnel is enabled.
Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC

This procedure describes how to configure the NETGEAR ProSafe VPN Client. This example assumes the PC running the client has a dynamically assigned IP address.

The PC must have the NETGEAR ProSafe VPN Client program installed that supports IPSec. Go to the NETGEAR Web site (http://www.netgear.
Note: In this example, the Connection Name used on the client side of the VPN tunnel is NETGEAR_VPN_router and it does not have to match the RoadWarrior Connection Name used on the gateway side of the VPN tunnel (see Figure 5-5) because Connection Names are unrelated to how the VPN tunnel functions.

Tip: Choose Connection Names that make sense to the people using and administrating the VPN.
d. Select IP Subnet in the ID Type menu. In this example, type 192.168.3.1 in the Subnet field as the network address of the FVS114.
e. Enter 255.255.255.0 in the Mask field as the LAN Subnet Mask of the FVS114.
f. Select All in the Protocol menu to allow all traffic through the VPN tunnel.
g. Select the Connect using Secure Gateway Tunnel check box.
h. Select IP Address in the ID Type menu below the check box.
i.
In this step, you will provide information about the remote VPN client PC. You will need to provide:
— The Pre-Shared Key that you configured in the FVS114.
— Either a fixed IP address or a “fixed virtual” IP address of the VPN client PC.

a. In the Network Security Policy list on the left side of the Security Policy Editor window, click on My Identity.

Figure 5-12: Security Policy Editor My Identity

b. Choose None in the Select Certificate box.
c.
Figure 5-13: Security Policy Editor Pre-Shared Key

5. Configure the VPN Client Authentication Proposal.
In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the FVS114 configuration.
a.
f. In the SA Life menu, select Unspecified.
g. In the Key Group menu, select Diffie-Hellman Group 2.

6. Configure the VPN Client Key Exchange Proposal.
In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the FVS114 configuration.
a. Expand the Key Exchange subheading by double clicking its name or clicking on the “+” symbol.
After you have configured and saved the VPN client information, your PC will automatically open the VPN connection when you attempt to access any IP addresses in the range of the remote VPN firewall’s LAN.

8. Check the VPN Connection.
To check the VPN Connection, you can initiate a request from the remote PC to the FVS114’s network by using the “Connect” option in the NETGEAR ProSafe menu bar.
Once the connection is established, you can open the browser of the PC and enter the LAN IP address of the remote FVS114. After a short wait, you should see the login screen of the VPN Firewall (unless another PC already has the FVS114 management interface open).

Monitoring the Progress and Status of the VPN Client Connection

Information on the progress and status of the VPN client connection can be viewed by opening the NETGEAR ProSafe Log Viewer.
1.
2. The Connection Monitor screen for a similar connection is shown below:

Figure 5-19: Connection Monitor screen

In this example you can see the following:
• The FVS114 has a public IP WAN address of 22.23.24.25.
• The FVS114 has a LAN IP address of 192.168.3.1.
• The VPN client PC has a dynamically assigned address of 192.168.2.2.
Step 1: Select Export Security Policy from the File pulldown.
Step 2: Click Export once you decide the name of the file and directory where you want to store the client policy. In this example, the exported policy is named policy.spd and is being stored on the C drive.

Figure 5-20: Exporting a security policy

Importing a Security Policy

The following procedure (Figure 5-21) enables you to import an existing security policy.
Step 1: Invoke the NETGEAR ProSafe VPN Client and select Import Security Policy from the File pulldown.
Step 2: Select the security policy to import. In this example, the security policy file is named FVS114_clientpolicy_direct.spd and located on the Desktop.

The security policy is now imported. In this example, the connection name is Scenario_1.
How to Set Up a Gateway-to-Gateway VPN Configuration

Note: This section uses the VPN Wizard to set up the VPN tunnel using the VPNC default parameters listed in Table 5-1 on page 5-4. If you have special requirements not covered by these VPNC-recommended parameters, refer to Chapter 6, “Advanced Virtual Private Networking” to set up the VPN tunnel.
Procedure to Configure a Gateway-to-Gateway VPN Tunnel

Follow this procedure to configure a gateway-to-gateway VPN tunnel using the VPN Wizard.

1. Log in to the FVS114 on LAN A at its default LAN address of http://192.168.0.1 with its default user name of admin and password of password. Click the VPN Wizard link in the main menu to display this screen. Click Next to proceed.

Figure 5-23: VPN Wizard start screen

2.
3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next.
Enter the WAN IP address of the remote VPN gateway: (22.23.24.25 in this example)
Figure 5-25: Remote IP
4. Identify the IP addresses at the target endpoint that can use this tunnel, and click Next.
Enter the LAN IP settings of the remote VPN gateway:
• IP Address (192.168.3.1 in this example)
• Subnet Mask (255.255.255.
The Summary screen below displays.
To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the here link (see Figure 5-27). Click Back to return to the Summary screen.
Figure 5-28: VPN Recommended Settings
5. Click Done on the Summary screen (see Figure 5-27) to complete the configuration procedure. The VPN Policies menu below displays showing that the new tunnel is enabled.
6. Repeat for the FVS114 on LAN B. Pay special attention and use the following network settings as appropriate.
• WAN IP of the remote VPN gateway (e.g., 14.15.16.17)
• LAN IP settings of the remote VPN gateway:
  — IP Address (e.g., 192.168.0.1)
  — Subnet Mask (e.g., 255.255.255.0)
  — Preshared Key (e.g., 12345678)
7.
Figure 5-31: Current VPN Tunnels (SAs) Screen
c. Look at the VPN Status/Log screen (Figure 5-30) to verify that the tunnel is connected.

VPN Tunnel Control
Activating a VPN Tunnel
There are three ways to activate a VPN tunnel:
• Start using the VPN tunnel.
• Use the VPN Status page.
• Activate the VPN tunnel by pinging the remote endpoint.
Figure 5-32: VPN Status/Log screen
3. Click VPN Status (Figure 5-32) to get the Current VPN Tunnels (SAs) screen (Figure 5-33). Click Connect for the VPN tunnel you want to activate.
Figure 5-33: Current VPN Tunnels (SAs) screen

Activate the VPN Tunnel by Pinging the Remote Endpoint
Note: This section uses 192.168.3.1 for an example remote endpoint LAN IP address.
To activate the VPN tunnel by pinging the remote endpoint (192.168.3.
a. Establish an Internet connection from the PC.
b. On the Windows taskbar, click the Start button, and then click Run.
c. Type ping -t 192.168.3.1 and then click OK.
Figure 5-34: Running a Ping test to the LAN from the PC
This will cause a continuous ping to be sent to the first FVS114. Within two minutes, the ping response should change from “timed out” to “reply.”
Note: Use Ctrl-C to stop the pinging.
Figure 5-36: Pinging test results
Note: The pings may fail the first time. If so, then try the pings a second time.

Verifying the Status of a VPN Tunnel
To use the VPN Status page to determine the status of a VPN tunnel, perform the following steps:
1. Log in to the VPN Firewall.
2. Open the FVS114 management interface and click VPN Status under VPN to get the VPN Status/Log screen (Figure 5-37).
• Click Clear Log to delete all log entries.
3. Click VPN Status (Figure 5-37) to get the Current VPN Tunnels (SAs) screen (Figure 5-38).
Figure 5-38: Current VPN Tunnels (SAs) screen
This page lists the following data for each active VPN Tunnel.
• SPI—each SA has a unique SPI (Security Parameter Index) for traffic in each direction. For Manual key exchange, the SPI is specified in the Policy definition.
Figure 5-39: VPN Policies
3. Clear the Enable check box for the VPN tunnel you want to deactivate and click Apply. (To reactivate the tunnel, check the Enable box and click Apply.)

Using the VPN Status Page to Deactivate a VPN Tunnel
To use the VPN Status page to deactivate a VPN tunnel, perform the following steps:
1. Log in to the VPN Firewall.
2. Click VPN Status under VPN to get the VPN Status/Log screen (Figure 5-40).
3. Click VPN Status (Figure 5-40) to get the Current VPN Tunnels (SAs) screen (Figure 5-41). Click Drop for the VPN tunnel you want to deactivate.
Figure 5-41: Current VPN Tunnels (SAs) screen
Note: When NETBIOS is enabled (which it is in the VPNC defaults implemented by the VPN Wizard), automatic traffic will reactivate the tunnel.

Chapter 6
Advanced Virtual Private Networking
This chapter describes how to use the advanced virtual private networking (VPN) features of the FVS114 VPN Firewall. See Chapter 5, “Basic Virtual Private Networking” for a description of how to use the basic VPN features.

Overview of FVS114 Policy-Based VPN Configuration
The FVS114 uses state-of-the-art firewall and security technology to facilitate controlled and actively monitored VPN connectivity.

Using Policies to Manage VPN Traffic
You create policy definitions to manage VPN traffic on the FVS114. There are two kinds of policies:
• IKE Policies: Define the authentication scheme and automatically generate the encryption keys. As an alternative option, to further automate the process, you can create an IKE policy that uses a trusted certificate authority to provide the authentication while the IKE policy still handles the encryption.

IKE Policies’ Automatic Key and Authentication Management
Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 6-2.
The IKE Policy Configuration fields are defined in the following table.
Table 6-1. IKE Policy Configuration fields
Field: Description
General: These settings identify this policy and determine its major characteristics.
Policy Name: The descriptive name of the IKE policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN endpoint. It is only used to help you identify IKE policies.
Remote: These parameters apply to the target remote FVS114, VPN gateway, or VPN client.
Remote Identity Type: Use this field to identify the remote FVS114. You can choose one of the following four options from the drop-down list:
• By its Internet (WAN) port IP address.
• By its Fully Qualified Domain Name (FQDN) — your domain name.
Figure 6-3: VPN - Auto Policy menu
The VPN – Auto Policy fields are defined in the following table.
Table 6-1. VPN – Auto Policy Configuration Fields
Field: Description
General: These settings identify this policy and determine its major characteristics.
Policy Name: The descriptive name of the VPN policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN endpoint. It is only used to help you identify VPN policies.
Traffic Selector: These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be created.
Local IP: The drop-down menu allows you to configure the source IP address of the outbound network traffic for which this VPN policy will provide security. Usually, this address is from your network address space.
Authentication Algorithm: If you enable AH, then use this menu to select which authentication algorithm will be employed. The choices are:
• MD5 — the default
• SHA1 — more secure
NETBIOS Enable: Check this if you wish NETBIOS traffic to be forwarded over the VPN tunnel. The NETBIOS protocol is used by Microsoft Networking for such features as Network Neighborhood.
Figure 6-4: VPN - Manual Policy menu
The VPN Manual Policy fields are defined in the following table.
Table 6-1. VPN Manual Policy Configuration Fields
Field: Description
General: These settings identify this policy and determine its major characteristics.
Policy Name: The name of the VPN policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN Endpoint. It is used to help you identify VPN policies.
Authentication Algorithm: If you enable AH, then select the authentication algorithm:
• MD5 — the default
• SHA1 — more secure
Enter the keys in the fields provided. For MD5, the keys should be 16 characters. For SHA-1, the keys should be 20 characters.
Key - In: Enter the keys.
• For MD5, the keys should be 16 characters.
• For SHA-1, the keys should be 20 characters.
Enable Authentication: Use this check box to enable or disable ESP authentication for this VPN policy.
Authentication Algorithm: If you enable authentication, then use this menu to select the algorithm:
• MD5 — the default
• SHA1 — more secure
Key - In: Enter the key.
• For MD5, the key should be 16 characters.
• For SHA-1, the key should be 20 characters.
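The key lengths in the Manual Policy table above, turned into a generator and a checker. This is an added example, not NETGEAR code; the accepted character set (ASCII letters and digits) and the weak-key heuristics are assumptions, since the manual only says "characters".

```python
"""Added example: sizing and checking keys for a VPN Manual Policy."""
import math
import secrets
import string

# Key lengths the manual gives for the authentication Key - In fields.
AUTH_KEY_CHARS = {"MD5": 16, "SHA1": 20}

# Assumption: the key fields accept ASCII letters and digits. The manual only
# says "characters", so confirm the accepted set on the device itself.
ALPHABET = string.ascii_letters + string.digits


def new_key(algorithm: str) -> str:
    """Return a random key of the length the manual requires for `algorithm`."""
    length = AUTH_KEY_CHARS[algorithm]
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(algorithm: str) -> float:
    """Upper bound on key entropy when every character is drawn from ALPHABET."""
    return AUTH_KEY_CHARS[algorithm] * math.log2(len(ALPHABET))


def check_key(algorithm: str, key: str) -> list:
    """Return a list of problems with a manually entered key (empty if none)."""
    problems = []
    want = AUTH_KEY_CHARS[algorithm]
    if len(key) != want:
        problems.append(f"{algorithm} key must be {want} characters, got {len(key)}")
    # Heuristics below are not from the manual; they flag typed patterns.
    if key.isdigit():
        problems.append("digits only")
    if len(set(key)) < 6:
        problems.append("fewer than 6 distinct characters")
    return problems


if __name__ == "__main__":
    for alg in AUTH_KEY_CHARS:
        print(alg, new_key(alg), f"<= {entropy_bits(alg):.0f} bits")
    # Constructed weak input, the same value the manual uses as its
    # preshared-key example.
    print(check_key("SHA1", "12345678"))
```

Because the key is typed as characters, a 16-character alphanumeric key carries at most about 95 bits, less than the 128 bits that 16 arbitrary bytes would hold.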
Each CA has its own certificate. The certificates of a CA are added to the FVS114 and then can be used to form IKE policies for the user. Once a CA certificate is added to the FVS114 and a certificate is created for a user, the corresponding IKE policy is added to the FVS114.
The PC must have the NETGEAR ProSafe VPN Client program installed that supports IPSec. Go to the NETGEAR Web site (http://www.netgear.com) and select VPN01L_VPN05L in the Product Quick Find drop down menu for information on how to purchase the NETGEAR ProSafe VPN Client.
Note: Before installing the NETGEAR ProSafe VPN Client software, be sure to turn off any virus protection or firewall software you may be running on your PC.
The IKE Phase 2 parameters used in Scenario 1 are:
• TripleDES
• SHA-1
• ESP tunnel mode
• MODP group 2 (1024 bits)
• Perfect forward secrecy for rekeying
• SA lifetime of 3600 seconds (one hour) with no kilobytes rekeying
• Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets

FVS114 Scenario 1: FVS114 to Gateway B IKE and VPN Policies
Note: This scenario assumes all ports are open on the FVS114.
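The Scenario 1 selectors above decide which packets enter the tunnel. The following added example (not from the manual) builds the two selectors from an address plus dotted-decimal subnet mask, as the configuration screens ask for them, and classifies a few flows; the sample flows are constructed, and the overlap check reflects general IPsec practice rather than anything the manual states.

```python
"""Added example: which flows match the Scenario 1 traffic selectors."""
import ipaddress


def selector(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Build a selector subnet from an address and a dotted-decimal subnet mask.

    The mask is checked by hand because ipaddress.ip_network() also accepts
    host masks such as 0.0.0.255 and silently treats them as /24.
    """
    m = int(ipaddress.IPv4Address(mask))
    inverted = ~m & 0xFFFFFFFF
    # A valid mask is ones followed by zeros, so its inverse plus one is a
    # power of two and shares no bits with the inverse.
    if inverted & (inverted + 1):
        raise ValueError(f"not a contiguous subnet mask: {mask}")
    prefix = bin(m).count("1")
    # strict=False lets a host address (for example a gateway's LAN IP)
    # stand for the subnet it belongs to.
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def check_policy(local: ipaddress.IPv4Network, remote: ipaddress.IPv4Network) -> None:
    """Reject selector pairs that overlap.

    With overlapping LANs, hosts treat the peer's addresses as on-link and
    never hand the traffic to the gateway, so the tunnel carries nothing.
    """
    if local.overlaps(remote):
        raise ValueError(f"local {local} overlaps remote {remote}")


def tunnelled(src: str, dst: str, local, remote) -> bool:
    """True if an outbound packet src -> dst matches both selectors."""
    return (ipaddress.ip_address(src) in local
            and ipaddress.ip_address(dst) in remote)


def classify(flows, local, remote):
    """Return (src, dst, matches) for each flow."""
    return [(s, d, tunnelled(s, d, local, remote)) for s, d in flows]


# Selector subnets from the Scenario 1 Phase 2 parameters.
LOCAL = selector("10.5.6.0", "255.255.255.0")
REMOTE = selector("172.23.9.1", "255.255.255.0")

# Constructed sample flows (source, destination).
FLOWS = [
    ("10.5.6.20", "172.23.9.1"),    # LAN A host to Gateway B LAN
    ("10.5.6.20", "172.23.10.1"),   # destination outside the remote /24
    ("10.5.7.20", "172.23.9.1"),    # source outside the local /24
    ("10.5.6.20", "22.23.24.25"),   # public destination, not in the selector
]

if __name__ == "__main__":
    check_policy(LOCAL, REMOTE)
    for src, dst, hit in classify(FLOWS, LOCAL, REMOTE):
        print(f"{src:>12} -> {dst:<12} {'tunnel' if hit else 'no match'}")
```

Traffic that does not match both selectors never matches the VPN policy, which is the first thing to rule out when a ping across the tunnel times out.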
Figure 6-7: FVS114 Internet IP Address menu (callouts: WAN IP addresses; ISP provides these addresses)
b. Configure the WAN Internet Address according to the settings above and click Apply to save your settings. For more information on configuring the WAN IP settings in the Basic Settings topics, please see “How to Manually Configure Your Internet Connection” on page 3-11.
c. From the main menu Advanced section, click the LAN IP Setup link. The following menu appears:
Figure 6-8: LAN IP Setup menu
d. Configure the LAN IP address according to the settings above and click Apply to save your settings. For more information on LAN TCP/IP setup topics, please see “Configuring LAN TCP/IP Setup Parameters” on page 8-5.
3. Set up the IKE Policy illustrated below on the FVS114.
a. From the main menu VPN section, click on the IKE Policies link, and then click the Add button to display the screen below.
Figure 6-9: Scenario 1 IKE Policy
b. Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings.
4. Set up the FVS114 VPN - Auto Policy illustrated below.
a. From the main menu VPN section, click on the VPN Policies link, and then click on the Add Auto Policy button.
Figure 6-10: Scenario 1 VPN - Auto Policy (callouts: WAN IP address; LAN IP addresses)
b. Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings.
5.

How to Check VPN Connections
You can test connectivity and view VPN status information on the FVS114 (see also “VPN Tunnel Control” on page 5-26).

Testing the Gateway A FVS114 LAN and the Gateway B LAN
1. Using our example, from a PC attached to the FVS114 on LAN A, on a Windows PC click the Start button on the taskbar and then click Run.
2. Type ping -t 172.23.9.1, and then click OK.
3.

FVS114 Scenario 2: FVS114 to FVS114 with RSA Certificates
The following is a typical gateway-to-gateway VPN that uses Public Key Infrastructure x.509 (PKIX) certificates for authentication. The network setup is identical to the one given in Scenario 1. The IKE Phase 1 and Phase 2 parameters are identical to the ones given in Scenario 1, with the exception that the identification is done with signatures authenticated by PKIX certificates.
b. Click the Generate Request button to display the screen illustrated in Figure 6-11 below.
Figure 6-11: Generate Self Certificate Request menu
c. Fill in the fields on the Add Self Certificate screen.
• Required
– Name. Enter a name to identify this certificate.
– Subject. This is the name that other organizations will see as the holder (owner) of this certificate.
– Domain Name. If you have a domain name, you can enter it here. Otherwise, you should leave this blank.
– E-mail Address. You can enter your e-mail address here.
d. Click the Next button to continue. The FVS114 generates a Self Certificate Request as shown below. Highlight, copy and paste this data into a text file.
Figure 6-12: Self Certificate Request data
4. Transmit the Self Certificate Request data to the Trusted Root CA.
a.
c. When you have finished gathering the Self Certificate Request data, click the Done button. You will return to the Certificates screen where your pending “FVS114” Self Certificate Request will be listed, as illustrated in Figure 6-13 below.
Figure 6-13: Self Certificate Requests table
5. Receive the certificate back from the Trusted Root CA and save it as a text file.
f. You will now see the “FVS114” entry in the Active Self Certificates table and the pending “FVS114” Self Certificate Request is gone, as illustrated below.
Figure 6-14: Self Certificates table
7. Associate the new certificate and the Trusted Root CA certificate on the FVS114.
a.
Now, the traffic from devices within the range of the LAN subnet addresses on FVS114 A and Gateway B will be authenticated using the certificates rather than via a shared key.
8. Set up Certificate Revocation List (CRL) checking.
a. Get a copy of the CRL from the CA and save it as a text file.

Chapter 7
Maintenance
This chapter describes how to use the maintenance features of your FVS114 ProSafe VPN Firewall. These features can be found by clicking on the Maintenance heading in the main menu of the browser interface.

Viewing VPN Firewall Status Information
The Router Status menu provides status and usage information. From the main menu of the browser interface, click Maintenance, then select Router Status to view this screen.
This screen shows the following parameters:
Table 7-1. FVS114 Status fields
Field: Description
System Name: The System Name assigned to the firewall.
Firmware Version: The firewall firmware version.
WAN Port: These parameters apply to the Internet (WAN) port of the firewall.
MAC Address: The MAC address used by the Internet (WAN) port of the firewall.
IP Address: The IP address used by the Internet (WAN) port of the firewall.
Click Show WAN Status to display the WAN connection status.
Figure 7-2: WAN Connection Status screen
This screen shows the following statistics:
Table 7-1. Connection Status fields
Field: Description
Connection Time: The length of time the firewall has been connected to your Internet service provider’s network.
Connection Method: The method used to obtain an IP address from your Internet service provider.
Click Show Statistics to display firewall usage statistics.
Figure 7-3: Router Statistics screen
This screen shows the following statistics:
Table 7-1. Router Statistics fields
Field: Description
Interface: The statistics for the WAN (Internet), LAN (local), 802.11a, and 802.11b/g interfaces. For each interface, the screen displays:
Status: The link status of the interface.

Viewing a List of Attached Devices
The Attached Devices menu contains a table of all IP devices that the firewall has discovered on the local network. From the main menu of the browser interface, under the Maintenance heading, select Attached Devices to view the table, shown below:
Figure 7-4: Attached Devices menu
For each device, the table shows the IP address, NetBIOS Host Name (if available), and Ethernet MAC address.
Figure 7-5: Router Upgrade menu
To upload new firmware:
1. Download and unzip the new software file from NETGEAR.
2. In the Router Upgrade menu, click the Browse button and browse to the location of the binary (.BIN) upgrade file.
3. Click Upload.
Note: When uploading software to the FVS114 VPN Firewall, it is important not to interrupt the Web browser by closing the window, clicking a link, or loading a new page.
Figure 7-6: Settings Backup menu
You can use the Settings Backup menu to back up your configuration in a file, restore from that file, or erase the configuration settings.

Backing Up the Configuration
To save your settings, select the Backup tab. Click the Backup button. Your browser will extract the configuration file from the firewall and prompt you for a location on your PC to store the file.
To restore the factory default configuration settings without knowing the login password or IP address, you must use the reset button on the rear panel of the firewall. See “Restoring the Default Configuration and Password” on page 9-7.

Changing the Administrator Password
The default password for the firewall’s Web Configuration Manager is password. NETGEAR recommends that you change this password to a more secure password.
Figure 7-8: Diagnostics menu
• Ping or Trace an IP address
– Ping: Use this to send a "ping" packet request to the specified IP address. This is often used to test a connection. If the request "times out" (no reply is received), this usually means the destination is unreachable. However, some network devices can be configured not to respond to a ping. The ping results will be displayed in a new screen; click "Back" to return to the Diagnostics screen.
Note: Rebooting will break any existing connections either to the Router (such as this one) or through the Router (for example, LAN users accessing the Internet). However, connections to the Internet will automatically be re-established when possible.

Chapter 8
Advanced Configuration
This chapter describes how to configure the advanced features of your FVS114 ProSafe VPN Firewall. These features can be found under the Advanced heading in the main menu of the browser interface.

WAN Setup
Using the WAN Setup page, you can set up a Default DMZ Server and allow the router to respond to a 'ping' from the Internet. Both of these options have security issues, so use them carefully.
• Default DMZ Server: Specifying a Default DMZ Server allows you to set up a computer or server that is available to anyone on the Internet for services that you haven't defined. There are security issues with doing this, so only do this if you're willing to risk open access. If you do not assign a Default DMZ Server, the router discards any incoming service requests which are undefined.
To assign a computer or server to be a DMZ server:
a.
Note: For security, NETGEAR strongly recommends that you avoid using the Default DMZ Server feature. When a computer is designated as the Default DMZ Server, it loses much of the protection of the firewall, and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
To assign a computer or server to be a Default DMZ server:
1. Click Default DMZ Server.
2. Type the IP address for that server.
3.
The firewall contains a client that can connect to a dynamic DNS service provider. To use this feature, you must select a service provider and obtain an account with them. After you have configured your account information in the firewall, whenever your ISP-assigned IP address changes, your firewall will automatically contact your dynamic DNS service provider, log in to your account, and register your new IP address.
1.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet.

Using the LAN IP Setup Options
The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. From the main menu of the browser interface, under Advanced, click on LAN IP Setup to view the menu shown below.
These addresses are part of the IETF-designated private address range for use in private networks, and should be suitable in most applications. If your network has a requirement to use a different IP addressing scheme, you can make those changes in this menu.
The LAN IP parameters are:
• IP Address: This is the LAN IP address of the firewall.
• IP Subnet Mask: This is the LAN Subnet Mask of the firewall.

Using the Firewall as a DHCP server
By default, the firewall functions as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to the firewall's LAN. The assigned default gateway address is the LAN address of the firewall. IP addresses will be assigned to the attached PCs from a pool of addresses specified in this menu.
Figure 8-4: Reserved IP Address menu
2. In the IP Address box, type the IP address to assign to the PC or server. (Choose an IP address from the firewall’s LAN subnet, such as 192.168.0.X.)
3. Type the MAC Address of the PC or server. (Tip: If the PC is already present on your network, you can copy its MAC address from the Attached Devices menu and paste it here.)
4. Click Apply to enter the reserved address into the table.
Figure 8-5: Static Routes table
To add or edit a Static Route:
1. Click the Add button to open the Add/Edit menu, shown below.
Figure 8-6: Static Route Entry and Edit menu
2. Type a route name for this static route in the Route Name box. (This is for identification purposes only.)
3. Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP.
4. Select Active to make this route effective.
5.
8. Type a number between 1 and 15 as the Metric value. This represents the number of firewalls between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1.
9. Click Apply to have the static route entered into the table.

Static Route Example
As an example of when a static route is needed, consider the following case:
• Your primary Internet access is through a cable modem to an ISP.
Note: Be sure to change the firewall’s default configuration password to a very secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both upper and lower case), numbers, and symbols. Your password can be up to 30 characters.
Figure 8-7: Remote Management menu
To configure your firewall for Remote Management:
1. Select the Turn Remote Management On check box.
2.
Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but do not use the number of any common service port. The default is 8080, which is a common alternate for HTTP.
4. Click Apply to have your changes take effect.
5.

UPnP
Universal Plug and Play (UPnP) helps devices, such as Internet appliances and computers, access the network and connect to other devices as needed. UPnP devices can automatically discover the services from other registered UPnP devices on the network.
Figure 8-8: UPnP menu
• Turn UPnP On: UPnP can be enabled or disabled for automatic device configuration. The default setting for UPnP is disabled.
Click Refresh to update the portmap table and to show the active ports that are currently opened by UPnP devices.

Chapter 9
Troubleshooting
This chapter gives information about troubleshooting your FVS114 ProSafe VPN Firewall. After each problem description, instructions are provided to help you diagnose and solve the problem.

Basic Functioning
After you turn on power to the firewall, the following sequence of events should occur:
1. When power is first applied, verify that the PWR LED is on.
2. After approximately 30 seconds, verify that:
a. The TEST LED is not lit.
b.

LEDs Never Turn Off
When the firewall is turned on, the LEDs turn on briefly and then turn off. If all the LEDs stay on, there is a fault within the firewall.
If all LEDs are still on one minute after power up:
• Cycle the power to see if the firewall recovers.
• Clear the firewall’s configuration to factory defaults. This will set the firewall’s IP address to 192.168.0.1.

Troubleshooting the Web Configuration Interface
If you are unable to access the firewall’s Web Configuration interface from a PC on your local network, check the following:
• Check the Ethernet connection between the PC and the firewall as described in the previous section.
• Make sure your PC’s IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your PC’s address should be in the range of 192.168.0.

Troubleshooting the ISP Connection
If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall must request an IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager.
To check the WAN IP address:
1.
OR
Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “How to Manually Configure Your Internet Connection” on page 3-11.
If your firewall can obtain an IP address, but your PC is unable to load any Web pages from the Internet:
• Your PC may not recognize any DNS server addresses.
If the path is working, you see this message:
Reply from < IP address >: bytes=32 time=NN ms TTL=xxx
If the path is not working, you see this message:
Request timed out
If the path is not functioning correctly, you could have one of the following problems:
• Wrong physical connections
— Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN or Internet Port LEDs Not On” on page 9-2.
— If your ISP assigned a host name to your PC, enter that host name as the Account Name in the Basic Settings menu.
— Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem.

Appendix A
Technical Specifications
This appendix provides technical specifications for the FVS114 ProSafe VPN Firewall.

Network Protocol and Standards Compatibility
Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)

Power Adapter
North America: 120V, 60 Hz, input
United Kingdom, Australia: 240V, 50 Hz, input
Europe: 230V, 50 Hz, input
Japan: 100V, 50/60 Hz, input
All regions (output): 12 V DC @ 1.2 A output, 18W maximum

Physical Specifications
Dimensions: 39.

Electromagnetic Emissions
Meets requirements of:
FCC Part 15 Class B
VCCI Class B
EN 55 022 (CISPR 22), Class B

Interface Specifications
LAN: 10BASE-T or 100BASE-Tx, RJ-45
WAN: 10BASE-T or 100BASE-Tx, RJ-45

Appendix B
Network, Routing, and Firewall Basics
This chapter provides an overview of IP networks, routing, and networking.

Related Publications
As you read this document, you may be directed to various RFC documents for further information. An RFC is a Request For Comment (RFC) published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet.

What is a Router?
A router is a device that forwards traffic between networks based on network layer information in the data and on routing tables maintained by the router. In these routing tables, a router builds up a logical picture of the overall network by gathering and exchanging information with other routers in the network. Using this information, the router chooses the best path for forwarding network traffic.
The latter version is easier to remember and easier to enter into your computer. In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host node or station on the network. The dividing point may vary depending on the address range and the application. There are five standard classes of IP addresses.
• Class C Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range: 192.0.1.x to 223.255.254.x. • Class D Class D addresses are used for multicasts (messages sent to many hosts). Class D addresses are in this range: 224.0.0.0 to 239.255.255.255. • Class E Class E addresses are for experimental use.
As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a forward slash (/), as “/n.” In the example, the address could be written as 192.168.170.237/24, indicating that the netmask is 24 ones followed by 8 zeros.
Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the network address. For instance, to partition a Class C network number (192.68.135.0) into two, you shift one bit from the host address to the network address. The new netmask (or subnet mask) is 255.255.255.128.
Table B-2. Netmask formats
255.255.0.0      /16
255.255.255.0    /24
255.255.255.128  /25
255.255.255.192  /26
255.255.255.224  /27
255.255.255.240  /28
255.255.255.248  /29
255.255.255.252  /30
255.255.255.254  /31
255.255.255.
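The netmask arithmetic described above, worked through in Python as an added example (not code from the NETGEAR manual): it converts a dotted-decimal netmask to /n form, rejects masks whose ones are not contiguous, and splits a network by shifting bits from the host part to the network part. All function names are hypothetical.

```python
def to_int(dotted):
    """Parse strict dotted-decimal notation into a 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(
            p.isascii() and p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-decimal IPv4 value: {dotted!r}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value


def to_dotted(value):
    """Format a 32-bit integer as dotted-decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(n):
    """Return the 32-bit mask made of n ones followed by 32-n zeros."""
    if not 0 <= n <= 32:
        raise ValueError(f"prefix length out of range: {n}")
    return (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF


def prefix_from_mask(dotted_mask):
    """Count the leading ones of a netmask, e.g. 255.255.255.128 -> 25."""
    host_bits = ~to_int(dotted_mask) & 0xFFFFFFFF
    # A valid mask leaves the host bits as one run of ones at the low end,
    # so host_bits + 1 must be a power of two (no shared bits with host_bits).
    if host_bits & (host_bits + 1):
        raise ValueError(f"netmask ones are not contiguous: {dotted_mask}")
    return 32 - host_bits.bit_length()


def split_address(cidr):
    """Split 'a.b.c.d/n' into (network address, host number)."""
    addr, _, n = cidr.partition("/")
    mask = mask_from_prefix(int(n))
    value = to_int(addr)
    return to_dotted(value & mask), value & ~mask & 0xFFFFFFFF


def subnets(network, netmask, borrowed_bits):
    """Shift borrowed_bits from host to network; list (subnet, new mask)."""
    new_prefix = prefix_from_mask(netmask) + borrowed_bits
    new_mask = mask_from_prefix(new_prefix)   # raises if past /32
    base = to_int(network) & to_int(netmask)
    size = 1 << (32 - new_prefix)             # addresses per new subnet
    return [(to_dotted(base + i * size), to_dotted(new_mask))
            for i in range(1 << borrowed_bits)]


def same_subnet(addr_a, addr_b, netmask):
    """True when both addresses share the network part under netmask."""
    prefix_from_mask(netmask)                 # validate the mask first
    mask = to_int(netmask)
    return to_int(addr_a) & mask == to_int(addr_b) & mask


if __name__ == "__main__":
    print(split_address("192.168.170.237/24"))
    for subnet, mask in subnets("192.68.135.0", "255.255.255.0", 1):
        print(subnet, mask, "/%d" % prefix_from_mask(mask))
```

The contiguity check matters for firewall rules: a mask such as 255.255.0.255 has no /n form and would match a scattered set of addresses rather than one subnet.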
Single IP Address Operation Using NAT In the past, if multiple PCs on a LAN needed to access the Internet simultaneously, you had to obtain a range of IP addresses from the ISP. This type of Internet account is more costly than a single-address account typically used by a single user with a modem, rather than a router. The FVS114 VPN Firewall employs an address-sharing method called Network Address Translation (NAT).
MAC Addresses and Address Resolution Protocol An IP address alone cannot be used to deliver data from one LAN device to another. To send data between LAN devices, you must convert the IP address of the destination device to its media access control (MAC) address. Each device on an Ethernet network has a unique MAC address, which is a 48-bit number assigned to each device by the manufacturer.
When a PC accesses a resource by its descriptive name, it first contacts a DNS server to obtain the IP address of the resource. The PC sends the desired message using the IP address. Many large organizations, such as ISPs, maintain their own DNS servers and allow their customers to use the servers to look up addresses. IP Configuration by DHCP When an IP-based local area network is installed, each PC must be configured with an IP address.
What is a Firewall? A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack. Several known types of intrusion or attack can be recognized when they occur.
Table B-3. UTP Ethernet cable wiring, straight-through
Pin  Wire color    Signal
1    Orange/White  Transmit (Tx) +
2    Orange        Transmit (Tx) -
3    Green/White   Receive (Rx) +
4    Blue
5    Blue/White
6    Green         Receive (Rx) -
7    Brown/White
8    Brown
Category 5 Cable Quality Category 5 distributed cable that meets ANSI/EIA/TIA-568-A building wiring standards can be a maximum of 328 feet (ft.) or 100 meters (m) in length, divided as follows: 20 ft.
Inside Twisted Pair Cables For two devices to communicate, the transmitter of each device must be connected to the receiver of the other device. The crossover function is usually implemented internally as part of the circuitry in the device. Computers and workstation adapter cards are usually media-dependent interface ports, called MDI or uplink ports.
Figure B-6: Category 5 UTP cable with male RJ-45 plug at each end Note: Flat “silver satin” telephone cable may have the same RJ-45 plug. However, using telephone cable results in excessive collisions, causing the attached port to be partitioned or disconnected from the network.
The FVS114 VPN Firewall incorporates Auto Uplink™ technology (also called MDI/MDIX). Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection (e.g. connecting to a PC) or an uplink connection (e.g. connecting to a router, switch, or hub). That port will then configure itself to the correct configuration.
Appendix C Virtual Private Networking There have been many improvements in the Internet including Quality of Service, network performance, and inexpensive technologies, such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available, standards-based protocols developed for transporting data.
• Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization’s modem pool is one method of access for remote workers, but is expensive because the organization must pay the associated long distance telephone and service costs.
• Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity. • Authentication Header (AH): Provides authentication and integrity. • Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.
The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication. Authentication Header (AH) AH provides authentication and integrity, which protect against data tampering, using the same algorithms as ESP.
Mode SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec tunnel protection. A gateway is a device that monitors and manages incoming and outgoing network traffic and routes the traffic accordingly.
Key Management IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and the exchange of keys between parties transferring data. Using keys ensures that only the sender and receiver of a message can access it. IPSec requires that keys be re-created, or refreshed, frequently so that the parties can communicate securely with each other.
VPN Process Overview Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting two gateways before diving into the specifics.
Table C-1. WAN (Internet/public) and LAN (internal/private) addressing
Gateway    LAN or WAN     VPNC Example Address
Gateway A  LAN (Private)  10.5.6.1
Gateway A  WAN (Public)   14.15.16.17
Gateway B  LAN (Private)  22.23.24.25
Gateway B  WAN (Public)   172.23.9.1
You need to know the subnet mask of both gateway LAN Connections.
Figure C-5: VPN tunnel
Security Association (SA) The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B. This communication is often referred to as a “tunnel.” The gateways contain this information so that it does not have to be loaded onto every computer connected to the gateways.
2. IKE Phase I. a. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs. b. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates. c. A shared master key is generated by the Diffie-Hellman Public key algorithm within the IKE framework for the two parties. The master key is also used in the second phase to derive IPSec keys for the SAs. 3.
VPNC IKE Phase II Parameters The IKE Phase 2 parameters used in Scenario 1 are:
• TripleDES
• SHA-1
• ESP tunnel mode
• MODP group 1
• Perfect forward secrecy for rekeying
• SA lifetime of 28800 seconds (one hour)
Testing and Troubleshooting Once you have completed the VPN configuration steps you can use PCs, located behind each of the gateways, to ping various addresses on the LAN-side of the other gateway.
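How the Phase I Diffie-Hellman master key feeds the Phase II IPSec keys, and what perfect forward secrecy changes, shown as an added Python example (not NETGEAR's code). It follows the RFC 2409 pre-shared-key derivation with the parameters listed above (MODP group 1, SHA-1, TripleDES ESP) and omits the ISAKMP messages and authentication hashes; the function names and random sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Oakley Group 1 ("MODP group 1"): 768-bit prime from RFC 2409, generator 2.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
GROUP1_G = 2
P_BYTES = 96                 # 768 bits
ESP = 3                      # IPsec DOI protocol identifier for ESP
KEYMAT_LEN = 24 + 20         # TripleDES key + HMAC-SHA1 key


def prf(key, data):
    """HMAC-SHA1, the pseudo-random function when SHA-1 is negotiated."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(GROUP1_P - 3) + 2
    return priv, pow(GROUP1_G, priv, GROUP1_P)


def dh_shared(priv, peer_pub):
    """Compute g^xy, rejecting degenerate peer values (0, 1, p-1)."""
    if not 1 < peer_pub < GROUP1_P - 1:
        raise ValueError("degenerate Diffie-Hellman public value")
    return pow(peer_pub, priv, GROUP1_P).to_bytes(P_BYTES, "big")


def skeyid_d(psk, ni, nr, g_xy, cky_i, cky_r):
    """Phase I master key used to derive non-ISAKMP (IPSec) keys."""
    skeyid = prf(psk, ni + nr)               # pre-shared-key authentication
    return prf(skeyid, g_xy + cky_i + cky_r + b"\x00")


def keymat(master, length, protocol, spi, ni, nr, pfs_secret=b""):
    """Phase II key material; pfs_secret is the fresh g^xy when PFS is on."""
    seed = pfs_secret + bytes([protocol]) + spi + ni + nr
    out, block = b"", b""
    while len(out) < length:                 # K1, K2, ... chained expansion
        block = prf(master, block + seed)
        out += block
    return out[:length]


def negotiate(psk_a, psk_b, pfs):
    """Derive ESP keys on both gateways; return (keymat_a, keymat_b)."""
    # Phase I: nonces, cookies and DH public values cross the wire.
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    d_a = skeyid_d(psk_a, ni, nr, dh_shared(a_priv, b_pub), cky_i, cky_r)
    d_b = skeyid_d(psk_b, ni, nr, dh_shared(b_priv, a_pub), cky_i, cky_r)
    # Phase II: fresh nonces, an SPI, and with PFS a second DH exchange.
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    spi = secrets.token_bytes(4)
    pfs_a = pfs_b = b""
    if pfs:
        a2_priv, a2_pub = dh_keypair()
        b2_priv, b2_pub = dh_keypair()
        pfs_a = dh_shared(a2_priv, b2_pub)
        pfs_b = dh_shared(b2_priv, a2_pub)
    return (keymat(d_a, KEYMAT_LEN, ESP, spi, ni2, nr2, pfs_a),
            keymat(d_b, KEYMAT_LEN, ESP, spi, ni2, nr2, pfs_b))


if __name__ == "__main__":
    key_a, key_b = negotiate(b"constructed-psk", b"constructed-psk", pfs=True)
    print("gateways agree:", key_a == key_b, "key bytes:", len(key_a))
```

Without PFS, every Phase II key depends only on the Phase I master key plus public values, so the fresh exchange is what keeps a later compromise of that master key from exposing rekeyed SAs. The 768-bit group, TripleDES and SHA-1 reflect this 2005 profile; current guidance calls for larger groups and newer algorithms.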
Relevant RFCs listed numerically: • [RFC 791] Internet Protocol DARPA Internet Program Protocol Specification, Information Sciences Institute, USC, September 1981. • [RFC 1058] Routing Information Protocol, C Hedrick, Rutgers University, June 1988. • [RFC 1483] Multiprotocol Encapsulation over ATM Adaptation Layer 5, Juha Heinanen, Telecom Finland, July 1993. • [RFC 2401] S. Kent, R.
Appendix D Preparing Your Network This appendix describes how to prepare your network to connect to the Internet through the FVS114 ProSafe VPN Firewall and how to verify the readiness of broadband Internet service from an Internet service provider (ISP).
In your IP network, each PC and the firewall must be assigned a unique IP address. Each PC must also have certain other IP configuration information such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address. In most cases, you should install TCP/IP so that the PC obtains its specific network configuration information automatically from a DHCP server during bootup.
You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks. Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks. If you need to install a new adapter, follow these steps: a. Click the Add button. b. Select Adapter, and then click Add. c.
If you need Client for Microsoft Networks: a. Click the Add button. b. Select Client, and then click Add. c. Select Microsoft. d. Select Client for Microsoft Networks, and then click OK. 3. Restart your PC for the changes to take effect.
Verify the following settings as shown: • Client for Microsoft Network exists • Ethernet adapter is present • TCP/IP is present • Primary Network Logon is set to Windows logon Click on the Properties button. The following TCP/IP Properties window will display.
• By default, the IP Address tab is open on this window. • Verify the following: Obtain an IP address automatically is selected. If not selected, click in the radio button to the left of it to select it. This setting is required to enable the DHCP server to automatically assign an IP address. • Click OK to continue. Restart the PC. Repeat these steps for each PC with this version of Windows on your network. Selecting Windows’ Internet Access Method 1.
1. On the Windows taskbar, click the Start button, and then click Run. 2. Type winipcfg, and then click OK. The IP Configuration window opens, which lists (among other things), your IP address, subnet mask, and default gateway. 3. From the drop-down box, select your Ethernet adapter.
8. Then, restart your PC. Enabling DHCP to Automatically Configure TCP/IP Settings You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you through the configuration process for each of these versions of Windows. DHCP Configuration of TCP/IP in Windows XP Locate your Network Neighborhood icon.
• Now you should be at the Local Area Network Connection Status window. This box displays the connection status, duration, speed, and activity statistics. • Administrator logon access rights are needed to use this window. • Click the Properties button to view details about the connection. • The TCP/IP details are presented on the Support tab page. • Select Internet Protocol, and click Properties to view the configuration information.
• Verify that the Obtain an IP address automatically radio button is selected. • Verify that Obtain DNS server address automatically radio button is selected. • Click the OK button. This completes the DHCP configuration of TCP/IP in Windows XP. Repeat these steps for each PC with this version of Windows on your network.
• Click on the My Network Places icon on the Windows desktop. This will bring up a window called Network and Dial-up Connections. • Right click on Local Area Connection and select Properties. • The Local Area Connection Properties dialog box appears. • Verify that you have the correct Ethernet card selected in the Connect using: box.
• With Internet Protocol (TCP/IP) selected, click on Properties to open the Internet Protocol (TCP/IP) Properties dialogue box. • Verify that • Obtain an IP address automatically is selected. • Obtain DNS server address automatically is selected. • Click OK to return to Local Area Connection Properties. • Click OK again to complete the configuration process for Windows 2000. Restart the PC.
DHCP Configuration of TCP/IP in Windows NT4 Once you have installed the network card, you need to configure the TCP/IP environment for Windows NT 4.0. Follow this procedure to configure TCP/IP with DHCP in Windows NT 4.0. • Choose Settings from the Start Menu, and then select Control Panel. This will display Control Panel window. • Double-click the Network icon in the Control Panel window. The Network panel will display.
• Highlight the TCP/IP Protocol in the Network Protocols box, and click on the Properties button.
• The TCP/IP Properties dialog box now displays. • Click the IP Address tab. • Select the radio button marked Obtain an IP address from a DHCP server. • Click OK. This completes the configuration of TCP/IP in Windows NT. Restart the PC. Repeat these steps for each PC with this version of Windows on your network. Verifying TCP/IP Properties for Windows XP, 2000, and NT4 To check your PC’s TCP/IP configuration: 1.
• The default gateway is 192.168.0.1 4. Type exit Configuring the Macintosh for TCP/IP Networking Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP to use DHCP. MacOS 8.6 or 9.x 1. From the Apple menu, select Control Panels, then TCP/IP. The TCP/IP Control Panel opens: 2. From the “Connect via” box, select your Macintosh’s Ethernet interface.
2. If not already selected, select Built-in Ethernet in the Configure list. 3. If not already selected, Select Using DHCP in the TCP/IP tab. 4. Click Save. Verifying TCP/IP Properties for Macintosh Computers After your Macintosh is configured and has rebooted, you can check the TCP/IP configuration by returning to the TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP.
Verifying the Readiness of Your Internet Account For broadband access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using a cable modem or DSL modem. This modem must be a separate physical box (not a card) and must provide an Ethernet port intended for connection to a Network Interface Card (NIC) in a computer. Your firewall does not support a USB-connected broadband modem.
• An IP address and subnet mask • A gateway IP address, which is the address of the ISP’s router • One or more domain name server (DNS) IP addresses • Host name and domain suffix For example, your account’s full server names may look like this: mail.xxx.yyy.com In this example, the domain suffix is xxx.yyy.com. If any of these items are dynamically supplied by the ISP, your firewall automatically acquires them.
If an IP address appears under Installed Gateways, write down the address. This is the ISP’s gateway address. Select the address and then click Remove to remove the gateway address. 6. Select the DNS Configuration tab. If any DNS server addresses are shown, write down the addresses. If any information appears in the Host or Domain information box, write it down. Click Disable DNS. 7.
Restarting the Network Once you’ve set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the FVS114 VPN Firewall. After configuring all of your computers for TCP/IP networking and restarting them, and connecting them to the local network of your FVS114 VPN Firewall, you are ready to access and configure the firewall.
Glossary List of Glossary Terms Use the list below to find definitions for technical terms used in this manual. Numeric 10BASE-T IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring. 100BASE-Tx IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring. 802.1x 802.1x defines port-based, network access control used to provide authenticated network access and automated data encryption key management. The IEEE 802.
AES AES stands for Advanced Encryption Standard. AES is a symmetric key encryption technique that will replace the commonly used Data Encryption Standard (DES). Not only does AES provide more security than DES and 3DES, it also has better performance, making AES highly attractive for use in constrained environments.
Broadcast A packet sent to all devices on a network. C Class of Service A term to describe treating different types of traffic with different levels of service priority. Higher priority traffic gets faster treatment during times of switch congestion. CA A Certificate Authority is a trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs.
Specifying a Default DMZ Server allows you to set up a computer or server that is available to anyone on the Internet for services that you haven't defined. There are security issues with doing this, so only do this if you're willing to risk open access. DNS Short for Domain Name System (or Service), an Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they're easier to remember.
Ethernet A LAN specification developed jointly by Xerox, Intel and Digital Equipment Corporation. Ethernet networks transmit packets at a rate of 10 Mbps. G Gateway A local device, usually a router, that connects hosts on a local network to other networks. I ICMP See “Internet Control Message Protocol” IEEE Institute of Electrical and Electronics Engineers.
gateway then forwards the packet directly to the computer whose address is specified. Because a message is divided into a number of packets, each packet can, if necessary, be sent by a different route across the Internet. Packets can arrive in a different order than they were sent. The Internet Protocol just delivers them. It's up to another protocol, the Transmission Control Protocol (TCP) to put them back in the right order.
M MAC (1) Medium Access Control. In LANs, the sublayer of the data link control layer that supports medium-dependent functions and uses the services of the physical layer to provide services to the logical link control (LLC) sublayer. The MAC sublayer includes the method of determining when a device has access to the transmission medium. (2) Message Authentication Code.
PPP A protocol allowing a computer using TCP/IP to connect directly to the Internet. PPPoA PPPoA. PPP over ATM is a protocol for connecting remote hosts to the Internet over an always-on connection by simulating a dial-up connection. PPPoE PPPoE. PPP over Ethernet is a protocol for connecting remote hosts to the Internet over an always-on connection by simulating a dial-up connection. PPP over ATM PPPoA.
R RADIUS Short for Remote Authentication Dial-In User Service, RADIUS is an authentication system. Using RADIUS, you must enter your user name and password before gaining access to a network. This information is passed to a RADIUS server, which checks that the information is correct, and then authorizes access. Though not an official standard, the RADIUS specification is maintained by a working group of the IETF. RFC Request For Comment.
U Universal Plug and Play UPnP. A networking architecture that provides compatibility among networking technology. UPnP compliant routers provide broadband users at home and small businesses with a seamless way to participate in online games, videoconferencing and other peer-to-peer services. UTP Unshielded twisted pair is the cable used by 10BASE-T and 100BASE-Tx Ethernet networks.