Reference Manual for the Model FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall NETGEAR, Inc.
© 2002 by NETGEAR, Inc. All rights reserved. Trademarks NETGEAR, the Netgear logo, The Gear Guy, Everybody's Connecting and Auto Uplink are trademarks or registered trademarks of Netgear, Inc. in the United States and/or other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Other brand and product names are trademarks or registered trademarks of their respective holders.
Manufacturer's/Importer's Declaration: It is hereby certified that the FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall is suppressed against radio interference in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The lawful operation of some equipment (e.g. test transmitters) may nevertheless be subject to certain restrictions. Please refer to the notes in the operating instructions.
Contents
Preface: About This Manual
Chapter 1: Introduction
  Key Features of the FVM318  1-1
  Virtual Private Networking (VPN)  1-1
  Enhanced Wireless Security Through IPSec  1-2
  A Powerful, True Firewall with Content Filtering
  Observe Performance, Placement and Range Guidelines  3-1
  Implement Appropriate Wireless Security  3-2
  Understanding Wireless Settings  3-3
  Wireless Network Settings  3-3
  Restricting Access Based on the Wireless Card Access List
  Viewing, Selecting, and Saving Logged Information  6-5
  Selecting What Information to Include in the Log  6-6
  Enabling SYSLOG  6-7
  Examples of log messages  6-7
  Activation and Administration
Appendix A: Technical Specifications
Appendix B: Network, Routing, Firewall, and Wireless Basics
  Related Publications  B-1
  Basic Router Concepts  B-1
  Internet Security and Firewalls  B-10
  Wireless Networking
  Configuring the Macintosh for TCP/IP Networking  C-17
  Verifying the Readiness of Your Internet Account  C-19
  Restarting the Network
List of Procedures
  Procedure 2-1: Record Your Internet Connection Information  2-3
  Procedure 2-2: Connecting the Firewall to Your LAN  2-4
  Procedure 2-3: Configuring the Internet Connection Manually  2-13
  Procedure 3-1: Set Up and Test Basic Wireless Connectivity  3-7
  Procedure 3-2: Restrict Wireless Access by MAC Address
Preface
About This Manual
Thank you for purchasing the NETGEAR® FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall. This manual describes the features of the firewall and provides installation and configuration instructions.
Audience
This reference manual assumes that the reader has intermediate to advanced computer and Internet skills. However, tutorial information on basic computer network, Internet, firewall, and VPN technologies is provided in the Appendices.
Special Message Formats
This guide uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
Warning: This format is used to highlight information about the possibility of injury or equipment damage.
Danger: This format is used to alert you that there is the potential for incurring an electrical shock if you mishandle the equipment.
Chapter 1
Introduction
This chapter describes the features of the NETGEAR® FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall.
Key Features of the FVM318
The FVM318 firewall is a complete security solution that protects your network from attacks and intrusions while allowing secure connections with other trusted users over the Internet and across your local wireless network.
Enhanced Wireless Security Through IPSec
The FVM318 firewall allows you to easily create an IPSec-encrypted VPN tunnel from your wireless PC to the firewall.
• Easy to deploy - The included SafeNet SoftRemote Basic VPN client requires only three parameters to configure a secure connection to the firewall.
• 256-bit AES encryption provides a much higher level of protection than WEP.
The firewall incorporates Auto Uplink™ technology. Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as to a PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to the correct configuration.
Dynamic DNS services allow remote users to find your network using a domain name when your IP address is not permanently assigned. The firewall contains a client that can connect to a Dynamic DNS service to register your dynamic IP address.
Easy Installation and Management
You can install, configure, and operate the FVM318 within minutes after connecting it to the network.
What’s in the Box?
The product package should contain the following items:
• FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall.
• AC power adapter.
• Category 5 (CAT5) Ethernet cable.
• FVM318 Resource CD, including:
  — This manual.
  — Application Notes, Tools, and other helpful information.
  — SafeNet SoftRemote Basic VPN client software.
• Warranty and registration card.
• Support information card.
You can use some of the LEDs to identify the status of the firewall and verify connections. Table 1-1 describes each LED on the front panel of the firewall. These LEDs are green when lit, except for the TEST LED, which is amber.
Table 1-1: LED Descriptions
Label   Activity   Description
POWER   On         Power is supplied to the firewall.
TEST    On         The system is initializing.
        Off        The system is ready and running.
The Firewall’s Rear Panel
The rear panel of the FVM318 (Figure 1-2) contains the connections identified below.
Figure 1-2: FVM318 Rear Panel
Viewed from left to right, the rear panel contains the following elements:
• Ground connector.
• Factory Default Reset push button.
Chapter 2
Connecting the Firewall to the Internet
This chapter describes how to set up the firewall on your Local Area Network (LAN), connect to the Internet, and perform basic configuration of your FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall using the Setup Wizard, or how to manually configure your Internet connection.
What You Will Need Before You Begin
You need to prepare these three things before you begin:
1.
The cable or DSL modem broadband access device must provide a standard 10 Mbps (10BASE-T) Ethernet interface.
Internet Configuration Requirements
Depending on how your ISP set up your Internet account, you will need one or more of these configuration parameters to connect your firewall to the Internet:
• Host and Domain Names.
• ISP Login Name and Password.
• ISP Domain Name Server (DNS) Addresses.
Procedure 2-1: Record Your Internet Connection Information
Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP).
ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs.
Connecting the FVM318 to Your LAN
This section provides instructions for connecting the FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall to your LAN. The Resource CD included with your firewall contains an animated Installation Assistant to help you through this procedure.
Procedure 2-2: Connecting the Firewall to Your LAN
There are three steps to connecting your firewall:
1. Connect the firewall to your network.
2.
c. Connect the Ethernet cable (A) from the modem to the FVM318’s Internet port.
Figure 2-2: Connect the cable or DSL Modem to the firewall
d. Connect the Ethernet cable (B) which came with the firewall from a local port on the router to your computer.
Note: The FVM318 firewall incorporates Auto Uplink™ technology. Each LAN Ethernet port will automatically sense whether the cable plugged into the port should have a 'normal' connection (e.g. connecting to a PC) or an 'uplink' connection (e.g. connecting to a switch or hub). That port will then configure itself to the correct configuration.
A login window opens like the one shown below.
Figure 2-5: Login window
b. For security reasons, the firewall has its own user name and password. When prompted, enter admin for the firewall user name and password for the firewall password, both in lower case letters.
Note: The user name and password are not the same as any user name or password you may use to log in to your Internet connection.
3.
a. You are now connected to the firewall. If you do not see the menu above, click the Setup Wizard link on the upper left of the main menu.
b. Click Next and follow the steps in the Setup Wizard for inputting the configuration parameters from your ISP to connect to the Internet.
PPPoE Wizard-Detected Option
If the Setup Wizard discovers that your ISP uses PPPoE, you will see this menu:
Figure 2-7: Setup Wizard menu for PPPoE accounts
• Enter the Account Name, Domain Name, Login, and password as provided by your ISP. These fields are case sensitive.
• The firewall will try to discover the domain automatically if you leave the Domain Name blank. Otherwise, you may need to enter it manually.
Dynamic IP Wizard-Detected Option
If the Setup Wizard discovers that your ISP uses Dynamic IP assignment, you will see this menu:
Figure 2-8: Setup Wizard menu for Dynamic IP address accounts
• Enter your Account Name (may also be called Host Name) and Domain Name.
• These parameters may be necessary to access your ISP’s services such as mail or news servers.
Fixed IP Account Wizard-Detected Option
If the Setup Wizard discovers that your ISP uses Fixed IP assignment, you will see this menu:
Figure 2-9: Setup Wizard menu for Fixed IP address accounts
• Fixed IP is also called Static IP.
• Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP’s gateway router. This information should have been provided to you by your ISP.
Manually Configuring Your Internet Connection
You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.
Procedure 2-3: Configuring the Internet Connection Manually
You can manually configure the firewall using the Basic Settings menu shown in Figure 2-10 using these steps:
1. Log in to the firewall at its default address of http://192.168.0.1 using a browser like Internet Explorer or Netscape® Navigator.
2. Click the Basic Settings link under the Setup section of the main menu.
3.
4. If your Internet connection does require a login, fill in the settings according to the instructions below. Select Yes if you normally must launch a login program such as Enternet or WinPOET in order to access the Internet.
Note: After you finish setting up your firewall, you will no longer need to launch the ISP’s login program on your PC in order to access the Internet.
Chapter 3
Wireless Configuration
This chapter describes how to configure the wireless features of your FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall.
Considerations For A Wireless Network
In planning your wireless network, you should consider the level of security required. You should also select the physical placement of your firewall in order to maximize the network speed.
Implement Appropriate Wireless Security
Unlike wired network data, your wireless data transmissions can extend beyond your walls and can be received by anyone with a compatible adapter. For this reason, use the security features of your wireless equipment.
Note: Indoors, computers can connect over 802.11b wireless networks at a maximum range of up to 500 feet.
Understanding Wireless Settings
To configure the Wireless settings of your firewall, click the Wireless link in the main menu of the browser interface. The Wireless Settings menu will appear, as shown below.
Figure 3-2: Wireless Settings menu
Wireless Network Settings
The Wireless Settings menu sections are discussed below.
• Name (SSID). The Service Set Identification is also known as the wireless network name.
Restricting Access Based on the Wireless Card Access List
Figure 3-3: Wireless Card Access List menu
This setting determines which hardware devices will be allowed to connect to the firewall.
• Everyone. The FVM318 will not restrict wireless access based on MAC address.
• Trusted PCs Only.
If your wireless adapter requires you to configure an authentication scheme, set it accordingly. Please refer to “Authentication and WEP Encryption” on page B-13 for a full explanation of each of these options, as defined by the IEEE 802.11b wireless communication standard.
Encryption Strength Choices
Choose the encryption strength from the drop-down list.
Disable: No encryption will be applied.
Figure 3-6: IPSec encryption protocol
DES is the least strong and AES-256 is the strongest. AES-256 is the default. The SafeNet SoftRemote Basic VPN Client for Windows requires either 3DES or AES-256.
— DES - The Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56-bit key. Faster but less secure than 3DES or AES.
WEP provides some degree of privacy, but can be defeated without great difficulty. If WEP is enabled, you can manually or automatically program the four data encryption keys. These values must be identical on all PCs and access points in your network.
1. Log in to the FVM318 firewall at its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password, or using whatever LAN address and password you have set up.
2. Click the Wireless Settings link in the main menu of the FVM318 firewall.
Figure 3-9: Wireless Settings menu
3. Choose a suitable descriptive name for the wireless network name (SSID).
Note: If you are configuring the firewall from a wireless PC and you change the firewall’s SSID, channel, or security settings, you will lose your wireless connection when you click on Apply. You must then change the wireless settings of your PC to match the firewall’s new settings.
8. Configure and test your PCs for wireless connectivity.
4. Enter the MAC address of the authorized PC. Enter a descriptive name for the PC in the Device Name field. The MAC address is usually printed on the wireless card, or it may appear in the firewall’s “Attached Devices” DHCP table.
Note: You can copy and paste the MAC addresses from the firewall’s Attached Devices menu into the MAC Address box of this menu.
3. From the Security Encryption menu drop-down list, select the WEP encryption type you will use.
Figure 3-11: Wireless Settings encryption menu
4. You can manually or automatically program the four data encryption keys. These values must be identical on all PCs and Access Points in your network.
• Automatic - Enter a word or group of printable characters in the Passphrase box and click the Generate button.
Configuring IPSec Wireless Connections
Unique to the FVM318, you have the option of using the highly secure VPN communications protocols over your wireless connection.
Figure 3-12: Wireless VPN Tunnel
Procedure 3-4: Configure Basic IPSec Wireless Connections
The SafeNet SoftRemote Basic VPN client installer program is on the FVM318 Resource CD. Observe the following guidelines when using the SafeNet SoftRemote Basic VPN client:
• The SoftRemote Basic client requires Windows 95 or later.
• The SoftRemote Basic client may not be compatible with other VPN clients.
d. Click Add to display the IPSec client setting menu, as shown below.
Figure 3-14: IPSec Client Settings menu
e. Enter a descriptive name for this PC in Connection Name. This name is for your convenience only, and is not used in the VPN negotiation.
f. Enter the user name. An email address is an easy-to-remember user name.
g. Enter a Pre-Shared Key value for this connection.
h.
At this point, the SafeNet icon has a diagonal red bar through it, indicating that the VPN client is currently disabled.
3. Configure the SoftRemote Basic VPN Client.
a. In the taskbar tray, right-click on the SafeNet icon and select Edit Security Policy in the VPN client task menu, as shown below.
Figure 3-16: SafeNet system tray icon menu
The VPN client Security Policy menu will appear as shown below.
b. In most cases, you can leave the IPSec Gateway as “LAN Gateway”, which indicates the firewall. If you are not using the firewall as your network’s default gateway, change IPSec Gateway to indicate either the IP Address or the network name of the firewall.
c. Enter the User Name and the Pre-Shared Key value that you programmed for this PC in the firewall’s IPSec Client Settings menu.
d. Click OK.
e.
This will cause a continuous ping to be sent to the firewall. Within thirty seconds, the ping response should change from timed out to reply.
Figure 3-20: Ping results
At this point, the SafeNet tray icon should change to read on as shown below:
Figure 3-21: SafeNet system tray icon showing ON condition
c. Once the connection is established, you can open the browser of the PC and browse.
Procedure 3-5: Configuring the SoftRemoteLT Full Client
To configure a policy for a secure local wireless connection to the FVM318 firewall using the SoftRemoteLT client, use the FVM318 configuration from “Configure Basic IPSec Wireless Connections” on page 3-13 and follow the procedure below for configuring the full VPN client.
1.
You will need to provide: a descriptive name for the connection; and the LAN address of the FVM318 firewall.
a. From the Edit menu at the top of the Security Policy Editor window, click Add, then Connection. A New Connection listing will appear in the list of policies.
Figure 3-23: SafeNet Security Policy Editor new connection menu
b.
4. Configure the Security Policy.
Note: These settings do not depend on your network configuration information.
a. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the new connection by double clicking its name or clicking on the “+” symbol. My Identity and Security Policy subheadings should appear below the connection name.
b.
a. Click on My Identity in the Network Security Policy list on the left side of the Security Policy Editor window.
Figure 3-25: SafeNet Security Policy Editor edit identity menu
6.
b. Choose None in the Select Certificate menu.
c. Select Domain Name in the ID Type menu.
d. In the box below ID Type, enter the user name that you configured in the FVM318 firewall.
e. Select Disabled in the Virtual Adapter box.
7.
b. Expand the Authentication subheading by double clicking its name or clicking on the “+” symbol. Then select Proposal 1 below Authentication.
c. Select Pre-Shared key in the Authentication Method menu.
d. Select AES-256 in the Encrypt Alg menu. If your VPN client does not offer this selection, select Triple DES.
e. Select SHA-1 in the Hash Alg menu.
f. Select Seconds and enter 21600 in the SA Life menu.
Chapter 4
Protecting Your Network
This chapter describes how to use the basic firewall features of the FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall to protect your network.
Protecting Access to Your FVM318 Firewall
For security reasons, the firewall has its own user name and password to protect access to its configuration menus. Also, after a period of inactivity for a set length of time, the administrator login will automatically disconnect.
2. From the main menu of the browser interface, under the Maintenance heading, select Set Password to bring up the menu shown below.
Figure 4-1: Set Password menu
3. To change the password, first enter the old password, and then enter the new password twice.
4. Click Apply to save your changes.
Note: After changing the password, you will be required to log in again to continue the configuration.
Procedure 4-2: Changing the Administrator Login Timeout
For security, the administrator's login to the firewall configuration will time out after a period of inactivity. To change the login timeout period:
1. In the Set Password menu, type a number in the ‘Administrator login times out’ field. The suggested default value is 5 minutes.
2. Click Apply to save your changes or click Cancel to keep the current period.
Procedure 4-3: Blocking Functions, Keywords, and Sites
The FVM318 firewall allows you to restrict access to Internet content based on functions such as Java or Cookies, Web addresses and Web address keywords.
1. Log in to the firewall at its default LAN address of http://192.168.0.
• If the keyword “XXX” is specified, the URL is blocked, as is the newsgroup alt.pictures.xxx.
• If the keyword “.com” is specified, only websites with other domain suffixes (such as .edu or .gov) can be viewed.
• Enter the keyword “.” to block all Internet browsing access.
Up to 32 entries are supported in the Keyword list.
5.
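The keyword rule above is easy to get wrong because it matches anywhere in the address. The following added example (not NETGEAR's code) models the behaviour implied by the manual's three examples as a substring match with the 32-entry limit, and includes an audit helper that shows how much each keyword would block before it is applied; the sample URLs are constructed.

```python
"""Added example, not NETGEAR's code: a model of the Keyword blocking rule
described for the Block Sites menu.  It assumes the behaviour the manual's
three examples imply: a URL or newsgroup name is blocked when any configured
keyword occurs anywhere in it, compared case-insensitively, with at most
32 keywords.  audit_keywords() shows how broad each keyword really is."""
from typing import Dict, Iterable, List, Optional

MAX_KEYWORDS = 32  # limit stated in the manual


class KeywordBlockList:
    """Substring-match keyword list with the manual's 32-entry limit."""

    def __init__(self, keywords: Iterable[str] = ()):
        self.keywords: List[str] = []
        for kw in keywords:
            self.add(kw)

    def add(self, keyword: str) -> None:
        kw = keyword.strip().lower()
        if not kw:
            raise ValueError("keyword must not be empty")
        if len(self.keywords) >= MAX_KEYWORDS:
            raise ValueError(f"keyword list is full ({MAX_KEYWORDS} entries)")
        self.keywords.append(kw)

    def matching_keyword(self, target: str) -> Optional[str]:
        """First keyword found inside the URL or newsgroup name, else None."""
        t = target.lower()
        for kw in self.keywords:
            if kw in t:
                return kw
        return None

    def is_blocked(self, target: str) -> bool:
        return self.matching_keyword(target) is not None


def audit_keywords(keywords: Iterable[str],
                   samples: Iterable[str]) -> Dict[str, List[str]]:
    """For each keyword, list which of the sample targets it alone blocks.
    Because matching is by substring, ".com" also catches hosts such as
    www.commerce.edu, and "." catches everything, so this is worth
    running before applying a list."""
    samples = list(samples)
    return {kw: [s for s in samples if KeywordBlockList([kw]).is_blocked(s)]
            for kw in keywords}


# Constructed sample targets, including the two cases from the manual.
SAMPLE_TARGETS = [
    "http://www.example.com/index.html",
    "http://www.example.edu/courses",
    "http://www.commerce.edu/",
    "alt.pictures.xxx",
]

if __name__ == "__main__":
    for kw, hits in audit_keywords(["XXX", ".com", "."], SAMPLE_TARGETS).items():
        print(f"{kw!r} blocks {len(hits)} of {len(SAMPLE_TARGETS)}: {hits}")
```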
Procedure 4-4: Configuring Services Blocking
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.
2. Click the Block Services link of the Security section of the main menu to display this screen.
Figure 4-3: Block Services menu
3.
The parameters are:
• Service. From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Add Services menu to add any additional services or applications that do not already appear.
• Action. Choose how you would like this type of traffic to be handled.
Procedure 4-5: Setting Your Time Zone
In order to localize the time for your log entries, you must specify your Time Zone:
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.
2.
3. Select your Time Zone. This setting will be used for the blocking schedule according to your local time zone and for time-stamping log entries. Check the Daylight Savings Time box if your time zone is currently in daylight savings time.
Note: If your region uses Daylight Savings Time, you must manually check Adjust for Daylight Savings Time on the first day of Daylight Savings Time, and uncheck it at the end.
Chapter 5
Virtual Private Networking
This chapter describes how to use the VPN features of the FVM318 firewall. VPN tunnels provide secure, encrypted communications between your local wireless and Ethernet network, and remote networks or computers.
FVM318 VPN Overview
Two common scenarios for configuring VPN tunnels are between two or more networks, and between a remote computer and a network. The FVM318 adds the option of VPN tunnels over wireless links to the FVM318.
access to network resources when NAT is enabled and remote computers have been assigned private IP addresses. In this configuration, based on the remote LAN IP and subnet mask addresses specified in the VPN settings of the remote system, some or all of the network resources connected to the FVM318 are visible to the users connected via the tunnel from the remote network.
FVM318 VPN Configuration Planning
When you set up a VPN, it is helpful to plan the network configuration and record the configuration parameters on a worksheet. These topics are discussed below, and blank worksheets are provided at the end of this chapter on page 5-22. To set up a VPN connection, you must configure each endpoint with specific identification and connection information describing the other endpoint.
Procedure 5-1: Configuring a Network to Network VPN Tunnel
Follow this procedure to configure a VPN tunnel between two LANs via a FVM318 at each end.
1. Set up the two LANs to have different IP address ranges. This procedure uses the settings in the configuration worksheet above. To configure your network, print and fill out the blank “Network to Network IKE VPN Tunnel Configuration Worksheet” on page 5-22 for your network configuration. Then follow the procedures below.
a. Log in to the FVM318 on LAN A at its default LAN address of http://192.168.0.
2. Configure the VPN settings on each FVM318.
a. From the Setup section of the main menu of the FVM318, click the VPN Settings link. Click Add. The VPN Settings - Main Mode window opens as shown below:
Figure 5-4: VPN Settings - Main Mode IKE Edit menu (LAN A and LAN B)
b. Fill in the Connection Name VPN settings as illustrated.
• Remote LAN IP Address in the FVM318 on LAN B: 192.168.3.1, and Remote Subnet Mask in the FVM318 on LAN B: 255.255.255.0. This is the LAN IP Address for the FVM318 on LAN A.
• Remote WAN IP Address in the FVM318 on LAN A: 10.0.0.1. This is the WAN IP Address for the FVM318 on LAN B. You can look up the WAN IP Address of the FVM318 on LAN B by viewing its WAN Status screen.
Reference Manual for the Model FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall 3. Check the VPN Connection To check the VPN Connection, you can initiate a request from one network to the other. If one FVM318 has a dynamically assigned WAN IP address, you must initiate the request from that FVM318’s network. The simplest method is to ping the LAN IP address of the other FVM318. a.
Note: If your situation is different, for example, if you wish to use different VPN client software, please see http://www.netgear.com/docs for additional VPN configuration information.
[Figure: VPN tunnel across the Internet between the FVM318 on LAN A and a remote user with VPN client software; 192.168.3.]
1. Configure the VPN Tunnel on the FVM318 on LAN A. To configure the firewall, follow these steps:
a. From the Setup Menu, click the VPN Settings link, then click Add to configure a new VPN tunnel. The VPN Settings - IKE window opens as shown below:
Figure 5-8: VPN Edit menu for connecting with a VPN client
b. Fill in the Connection Name VPN settings as illustrated.
Note: Only one side can have a dynamic IP address, and that side must always initiate the connection.
c. Under Secure Association, select Main Mode and fill in the settings below.
• Enable Perfect Forward Secrecy.
• For Encryption Protocol, select: DES
• Enter the case sensitive PreShared Key: r>T(h4&3@#kB
This combination of letters, numbers and symbols provides greater security.
Figure 5-9: Security Policy Editor New Connection
b. Add a new connection
• Run the SafeNet Security Policy Editor program and, using the “PC to Network VPN Tunnel Configuration Worksheet” on page 5-9, create a VPN Connection.
• From the Edit menu of the Security Policy Editor, click Add, then Connection. A “New Connection” listing appears in the list of policies.
c. Configure the Security Policy in the SafeNet VPN Client Software.
• In the Network Security Policy list, expand the new connection by double clicking its name or clicking on the “+” symbol. My Identity and Security Policy subheadings appear below the connection name.
• Click on the Security Policy subheading to show the Security Policy menu.
d. Configure the Global Policy Settings.
Figure 5-11: Security Policy Editor Global Policy Options
e.
• From the Options menu at the top of the Security Policy Editor window, select Global Policy Settings.
• Increase the Retransmit Interval period to 45 seconds.
• Check the Allow to Specify Internal Network Address checkbox and click OK.
Figure 5-12: Security Policy Editor My Identity
f.
• Choose None in the Select Certificate menu.
• Select IP Address in the ID Type menu. If you are using a virtual fixed IP address, enter this address in the Internal Network IP Address box. Otherwise, leave this box empty. Use 192.168.100.2 for this example.
• In the Internet Interface box, select the adapter you use to access the Internet.
g.
• Expand the Authentication subheading by double clicking its name or clicking on the “+” symbol. Then select Proposal 1 below Authentication.
• In the Authentication Method menu, select Pre-Shared key.
• In the Encrypt Alg menu, select the type of encryption to correspond with what you configured for the Encryption Protocol in the FVM318 in “Configuring a Remote PC to Network VPN” on page 5-8.
3. Check the VPN Connection.
To check the VPN connection, you can initiate a request from the remote PC to the FVM318’s network. Since the remote PC has a dynamically assigned WAN IP address, it must initiate the request. The simplest method is to ping from the remote PC to the LAN IP address of the FVM318. Using our example, start from the remote PC:
a. Establish an Internet connection from the PC.
b.
Monitoring the PC VPN Connection Using SafeNet Tools
Information on the progress and status of the VPN client connection can be viewed by opening the SafeNet Connection Monitor or Log Viewer. To launch these functions, click on the Windows Start button, then select Programs, then SafeNet SoftRemote, then either the Connection Monitor or Log Viewer.
• The FVM318 has a public WAN IP address of 134.177.100.11
• The FVM318 has a LAN IP address of 192.168.0.1
• The VPN client PC has a dynamically assigned address of 12.236.5.184
• The VPN client PC is using a “virtual fixed” IP address of 192.168.100.100
While the connection is being established, the Connection Name field in this menu will say “SA” before the name of the connection.
Figure 5-17: VPN Edit menu for Manual Keying
2. Incoming SPI - Enter a Security Parameter Index that the remote host will send to identify the Security Association (SA). This will be the remote host’s Outgoing SPI.
3. Outgoing SPI - Enter a Security Parameter Index that this firewall will send to identify the Security Association (SA). This will be the remote host’s Incoming SPI.
4. For Encryption Protocol, select one:
Figure 5-18: VPN encryption options
a. Null - Fastest, but no security.
b. DES - The Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56 bit key. Faster but less secure than 3DES or AES.
c. 3DES - (Triple DES) achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys.
Blank VPN Tunnel Configuration Worksheets
The blank configuration worksheets below are provided to aid you in collecting and recording the parameters used in the VPN configuration procedure.
Table 5-2: PC to Network IKE VPN Tunnel Settings Configuration Worksheet
IKE Tunnel Security Association Settings
Connection Name:
PreShared Key:
Secure Association -- Main Mode or Aggressive Mode:
Perfect Forward Secrecy:
WAN Encryption Protocol -- Null -- IPSec (DES, 3DES, or AES 128, 192, or 256)
Wireless Encryption Protocol -- Disable -- IPSec (DES, 3DES, or AES 128, 192, or 256) -- WEP (64-bit or 128-bit)
Key Life
Chapter 6 Managing Your Network
This chapter describes how to perform network management tasks with your FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall.
Network Management Information
The FVM318 firewall provides a variety of status and usage information, which is discussed below.
Viewing Router Status and Usage Statistics
From the main menu Maintenance section, select Router Status to view the screen below.
The Router Status menu provides a limited amount of status and usage information. From the main menu of the browser interface, under Maintenance, select Router Status to view the status screen shown in Figure 6-1. This screen shows the following parameters:
Table 6-1. Router Status Fields (Field - Description)
System Name - This field displays the Host Name assigned to the firewall in the Basic Settings menu.
Click on the “Show Statistics” button to display firewall usage statistics, as shown in Figure 6-2 below:
Figure 6-2. Router Statistics screen
This screen shows the following statistics:
Table 6-2. Router Statistics Fields (Field - Description)
WAN, LAN, or Serial Port - The statistics for the WAN (Internet), LAN (local), and Serial ports. For each port, the screen displays:
Status - The link status of the port.
Viewing Attached Devices
The Attached Devices menu contains a table of all IP devices that the firewall has discovered on the local network.
Viewing, Selecting, and Saving Logged Information
The firewall will log security-related events such as denied incoming service requests, hacker probes, and administrator logins. If you enabled content filtering in the Block Sites menu, the Logs page shows you when someone on your network tried to access a blocked site. If you enabled e-mail notification, you'll receive these logs in an e-mail message.
Log entries are described in Table 6-5.
Table 6-5: Security Log entry descriptions (Field - Description)
Date and Time - The date and time the log entry was recorded.
Description or Action - The type of event and what action was taken, if any.
Source IP - The IP address of the initiating device for this log entry.
• Router operation (start up, get time, etc.)
• Known DoS attacks and Port Scans
Enabling SYSLOG
You can choose to write the logs to a PC running a SYSLOG program. To activate this feature, check the box under Syslog and enter the IP address of the server where the log file will be written.
Examples of log messages
Following are examples of log messages.
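As an added example of what the PC "running a SYSLOG program" does with the firewall's output (this is illustration code written for this manual, not NETGEAR's software), the block below parses BSD-style syslog lines into the fields Table 6-5 names (time, description, source IP), sorts them into the event classes the chapter lists (denied requests, DoS attacks and port scans, administrator logins, blocked sites) and counts blocked events per source address. The sample lines, their wording and the keyword table are constructed for the example; the FVM318's real message text is not reproduced here. The `serve` function is the UDP listener a collector would run; it is not invoked when the file is imported.

```python
import re
import socket
from collections import Counter

# Added illustration of a collector for the firewall's Syslog output; not NETGEAR code.
# Message wording, event keywords and addresses below are constructed for the example.

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD syslog line (RFC 3164): "<PRI>Mmm dd hh:mm:ss HOST message"
SYSLOG_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed keyword table for the event classes the manual lists.
CATEGORY_KEYWORDS = [
    ("dos_or_scan", ("dos attack", "dos protection", "port scan")),
    ("denied_inbound", ("denied",)),
    ("admin_login", ("admin login",)),
    ("blocked_site", ("site blocked",)),
]


def parse_syslog(line: str) -> dict:
    """Split one line into facility, severity, timestamp, host, message and the first IPv4 seen."""
    m = SYSLOG_LINE.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m.group("pri"))
    if pri > 191:                      # facility 0-23 times 8, plus severity 0-7
        raise ValueError("priority out of range")
    ips = IPV4.findall(m.group("msg"))
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": m.group("msg"),
        "source_ip": ips[0] if ips else None,
    }


def classify(message: str) -> str:
    """Map a message to one of the manual's event classes by keyword (constructed keywords)."""
    text = message.lower()
    for category, keywords in CATEGORY_KEYWORDS:
        if any(k in text for k in keywords):
            return category
    return "other"


def summarize(lines) -> dict:
    """Count events per class and, for blocked traffic, per source address; count unparsable lines."""
    by_category, by_source, unparsed = Counter(), Counter(), 0
    for line in lines:
        try:
            entry = parse_syslog(line)
        except ValueError:
            unparsed += 1
            continue
        category = classify(entry["message"])
        by_category[category] += 1
        if category in ("dos_or_scan", "denied_inbound") and entry["source_ip"]:
            by_source[entry["source_ip"]] += 1
    return {"by_category": by_category, "by_source": by_source, "unparsed": unparsed}


def serve(port: int = 514, bind_addr: str = "0.0.0.0"):
    """Minimal UDP listener on syslog's default port (binding to 514 normally needs privileges).
    Not called on import; each datagram is one log line for parse_syslog()."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (peer, _) = sock.recvfrom(2048)
            line = data.decode("utf-8", errors="replace").rstrip("\r\n")
            try:
                print(peer, parse_syslog(line))
            except ValueError:
                print(peer, "unparsed:", line)


# Constructed sample lines (not real FVM318 output); 203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges.
SAMPLE_LINES = [
    "<134>Jan 14 10:22:05 FVM318 [Admin login] from 192.168.0.2",
    "<132>Jan 14 10:23:11 FVM318 [Blocked by DoS protection] TCP port scan from 203.0.113.5",
    "<132>Jan 14 10:23:12 FVM318 [Blocked by DoS protection] TCP port scan from 203.0.113.5",
    "<134>Jan 14 10:25:40 FVM318 [Site blocked] 192.168.0.7 tried to reach www.example.com",
    "<132>Jan 14 10:26:03 FVM318 [Denied inbound] TCP 198.51.100.9:4444 -> 192.168.0.1:23",
    "garbage line that is not syslog",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

The per-source counter is the part worth keeping: a single source appearing repeatedly under dos_or_scan or denied_inbound is the pattern an operator wants surfaced rather than buried in the raw log or the e-mailed copy.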
Enabling Security Event E-mail Notification
In order to receive logs and alerts by e-mail, you must provide your e-mail information in the E-Mail subheading:
Figure 6-7: E-mail menu
• Turn e-mail notification on: Check this box if you wish to receive e-mail logs and alerts from the firewall.
• Your outgoing mail server: Enter the name or IP address of your ISP’s outgoing (SMTP) mail server (such as mail.myISP.com).
• Send to this e-mail address: Enter the e-mail address to which logs and alerts are sent. This e-mail address will also be used as the From address. If you leave this box blank, log and alert messages will not be sent via e-mail.
2. From the Maintenance heading of the main menu, select Backup to view the menu seen below.
Figure 6-8: Settings Backup menu
3. Click Backup to save a copy of the current settings.
4. Store the .cfg file on a computer on your network. The file is a copy of the firewall's settings, including the VPN PreShared Key, so keep it where only administrators can read it.
Procedure 6-2: Restore a Configuration from a File
1. Log in to the firewall at its default LAN address of http://192.168.0.
1. To erase the configuration, from the Maintenance menu Settings Backup link, click the Erase button on the screen.
2. The firewall will then reboot automatically. After an erase, the firewall's administrator user name will be admin, the password will be password, the LAN IP address will be 192.168.0.1, and the router's DHCP client will be enabled. Because the firewall is then back on its default password, change it before reconnecting the firewall to the Internet.
From the main menu of the browser interface, under the Maintenance heading, select the Router Diagnostics heading to display the menu shown in Figure 6-9.
Figure 6-9: Diagnostics menu
Enabling Remote Management
Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade and check the status of your NETGEAR Cable/DSL ProSafe VPN Firewall.
3. Specify what external addresses will be allowed to access the firewall’s remote management. For security, NETGEAR recommends that you restrict access to as few external IP addresses as practical.
4. a. To allow access from any IP address on the Internet, select Everyone.
b. To allow access from a range of IP addresses on the Internet, select IP address range.
Procedure 6-5: Router Upgrade
1. Download and unzip the new software file from NETGEAR.
2. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.
3.
Chapter 7 Advanced Configuration
This chapter describes how to configure the advanced features of your FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall.
Configuring Advanced Security
The FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall provides a variety of advanced features, such as:
• Setting up a Demilitarized Zone (DMZ) Server
• The flexibility of configuring your LAN TCP/IP settings
These features are discussed below.
To assign a computer or server to be a Default DMZ server:
1. Click Default DMZ Server.
2. Type the IP address for that server.
3. Click Apply.
Respond to Ping on Internet WAN Port
If you want the firewall to respond to a 'ping' from the Internet, click the ‘Respond to Ping on Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows your firewall to be discovered.
The LAN TCP/IP Setup parameters are:
• IP Address: This is the LAN IP address of the firewall.
• IP Subnet Mask: This is the LAN Subnet Mask of the firewall. Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router.
MTU Size
The normal MTU (Maximum Transmit Unit) value for most Ethernet networks is 1500 Bytes. For some ISPs, particularly some using PPPoE, you may need to reduce the MTU. This is rarely required, and should not be done unless you are sure it is necessary for your ISP connection.
• Primary DNS Server, if you entered a Primary DNS address in the Basic Settings menu; otherwise, the firewall’s LAN IP address
• Secondary DNS Server, if you entered a Secondary DNS address in the Basic Settings menu
• WINS Server, short for Windows Internet Naming Service Server, determines the IP address associated with a particular Windows computer.
Procedure 7-2: Configuring LAN TCP/IP Settings
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.
2. From the main menu, under Advanced, click the LAN IP Setup link to view the menu shown below.
Figure 7-1: LAN IP Setup Menu
3.
Configuring Dynamic DNS
If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet.
Using Static Routes
Static Routes provide additional routing information to your firewall.
• A Metric value of 1 will work since the ISDN router is on the LAN. This represents the number of routers between your network and the destination. This is a direct connection, so it is set to 1.
• Private is selected only as a precautionary security measure in case RIP is activated.
Procedure 7-4: Configuring Static Routes
1. Log in to the firewall at its default LAN address of http://192.168.0.
4. b. Type a route name for this static route in the Route Name box under the table. This is for identification purposes only.
c. Click the Active check box to make this route effective.
d. Click the Private check box if you want to limit access to the LAN only. The static route will not be reported in RIP.
e. Type the Destination IP Address of the final destination.
f.
Chapter 8 Troubleshooting
This chapter gives information about troubleshooting your FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall. For the common problems listed, go to the section indicated.
• Is the firewall on?
• Have I connected the firewall correctly?
Go to “Basic Functions” on page 8-1.
• I can’t access the firewall’s configuration with my browser.
Go to “Troubleshooting the Web Configuration Interface” on page 8-3.
• I’ve configured the firewall but I can’t access the Internet.
If a port’s Link LED is lit, a link has been established to the connected device. If a port is connected to a 100 Mbps device, verify that the port’s 100 LED is lit. If any of these conditions does not occur, refer to the appropriate following section.
• Be sure you are using the correct cable:
— When connecting the firewall’s Internet port to a cable or DSL modem, use the cable that was supplied with the cable or DSL modem. This cable could be a standard straight-through Ethernet cable or an Ethernet crossover cable.
• Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration.
Troubleshooting the ISP Connection
If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP.
• Your ISP only allows one Ethernet MAC address to connect to the Internet, and may check for your PC’s MAC address. In this case:
Inform your ISP that you have bought a new network device, and ask them to use the firewall’s MAC address.
OR
Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “Manually Configuring Your Internet Connection” on page 2-12.
Procedure 8-5: Testing the LAN Path to Your Firewall
You can ping the firewall from your PC to verify that the LAN path to your firewall is set up correctly. To ping the firewall from a PC running Windows 95 or later:
1. From the Windows toolbar, click on the Start button and select Run.
2. In the field provided, type Ping followed by the IP address of the firewall, as in this example: ping 192.168.0.1
3.
Procedure 8-6: Testing the Path from Your PC to a Remote Device
After verifying that the LAN path works correctly, test the path from your PC to a remote device. From the Windows Run menu, type: PING -n 10 <IP address>, where <IP address> is the IP address of a remote device such as your ISP’s DNS server. If the path is functioning correctly, replies as in the previous section are displayed.
• Use the Default Reset button on the rear panel of the firewall. Use this method for cases when the administration password or IP address is not known.
Procedure 8-7: Using the Default Reset button
To restore the factory default configuration settings without knowing the administration password or IP address, you must use the Default Reset button on the rear panel of the firewall.
Appendix A Technical Specifications
This appendix provides technical specifications for the FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall.
Network Protocol and Standards Compatibility
Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPTP, Telstra BigPond, PPP over Ethernet (PPPoE)
Power Adapter
North America: 120V, 60 Hz, input
United Kingdom, Australia: 240V, 50 Hz, input
Europe: 230V, 50 Hz, input
Japan: 100V, 50/60 Hz, input
All regions (output): 12 V DC @ 1.
Electromagnetic Emissions
Meets requirements of: FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B
Interface Specifications
Local: 10BASE-T or 100BASE-Tx, RJ-45
Internet: 10BASE-T, RJ-45
Wireless
Radio Data Rate: 1, 2, 5.5, 11 Mbps Auto Rate Sensing
Frequency: 2.4-2.5 GHz
Data Encoding: Direct Sequence Spread Spectrum (DSSS) 802.11b
Operating Range: @ 11 Mbps @ 5.
Appendix B Network, Routing, Firewall, and Wireless Basics
This appendix provides an overview of IP networks, routing, and wireless networking.
Related Publications
As you read this document, you may be directed to various RFC documents for further information. An RFC is a Request For Comment (RFC) published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet.
What is a Router?
A router is a device that forwards traffic between networks based on network layer information in the data and on routing tables maintained by the router. In these routing tables, a router builds up a logical picture of the overall network by gathering and exchanging information with other routers in the network. Using this information, the router chooses the best path for forwarding network traffic.
195.34.12.7
The latter version is easier to remember and easier to enter into your computer. In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host node or station on the network. The dividing point may vary depending on the address range and the application. There are five standard classes of IP addresses.
128.1.x.x to 191.254.x.x.
• Class C: Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range: 192.0.1.x to 223.255.254.x.
• Class D: Class D addresses are used for multicasts (messages sent to many hosts). Class D addresses are in this range: 224.0.0.0 to 239.255.255.255.
As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a slash ( / ), as “/n.” In the example, the address could be written as 192.168.170.237/24, indicating that the netmask is 24 ones followed by 8 zeros.
Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the network address. For instance, to partition a Class C network number (192.68.135.0) into two, you shift one bit from the host address to the network address.
Table 8-2. Netmask Formats
255.255.255.0 /24
255.255.255.128 /25
255.255.255.192 /26
255.255.255.224 /27
255.255.255.240 /28
255.255.255.248 /29
255.255.255.252 /30
255.255.255.254 /31
255.255.255.
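The netmask arithmetic described above (the "/n" notation, the bit shift that splits 192.68.135.0 into two networks, and the local-or-gateway decision a host makes with its mask) can be carried out with the standard library. The block below is an added example written for this manual, not NETGEAR code; it uses only the addresses the text already gives and Python's `ipaddress` module, and it rejects the one input the table cannot represent, a mask whose ones are not contiguous from the left.

```python
import ipaddress

# Added illustration, not part of the NETGEAR manual or firmware.
# Addresses used are the manual's own examples (192.168.170.237/24 and 192.68.135.0).


def prefix_to_netmask(prefix: int) -> str:
    """Dotted-decimal netmask for a /prefix length: 'prefix' ones followed by zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def netmask_to_prefix(netmask: str) -> int:
    """Inverse of prefix_to_netmask; rejects masks whose ones are not contiguous from the left."""
    value = int(ipaddress.IPv4Address(netmask))
    ones = bin(value).count("1")
    if ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF) != value:
        raise ValueError(f"{netmask} is not a contiguous netmask")
    return ones


def split_network(network: str, new_prefix: int) -> list:
    """Shift host bits into the network part, e.g. 192.68.135.0/24 into two /25 networks."""
    net = ipaddress.IPv4Network(network, strict=True)
    return [str(subnet) for subnet in net.subnets(new_prefix=new_prefix)]


def usable_hosts(network: str) -> int:
    """Host addresses left after reserving the network and broadcast addresses."""
    net = ipaddress.IPv4Network(network, strict=False)
    return max(net.num_addresses - 2, 0)


def is_local(addr_a: str, addr_b: str, netmask: str) -> bool:
    """The test a host applies with its netmask: equal network numbers mean 'local';
    otherwise the packet is sent to the default gateway (here, the firewall's LAN IP)."""
    mask = int(ipaddress.IPv4Address(netmask))
    net_a = int(ipaddress.IPv4Address(addr_a)) & mask
    net_b = int(ipaddress.IPv4Address(addr_b)) & mask
    return net_a == net_b


if __name__ == "__main__":
    for p in (24, 25, 26, 30):
        print(f"/{p} = {prefix_to_netmask(p)}")
    print(split_network("192.68.135.0/24", 25))
    print(usable_hosts("192.68.135.0/25"))
    print(is_local("192.168.170.237", "192.168.170.1", "255.255.255.0"))
```

`split_network` generalizes the text's one-bit example: any `new_prefix` larger than the original splits the network into 2^(new_prefix - old_prefix) pieces, and `usable_hosts` shows why each /25 half holds 126 hosts rather than 128.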
Single IP Address Operation Using NAT
In the past, if multiple PCs on a LAN needed to access the Internet simultaneously, you had to obtain a range of IP addresses from the ISP. This type of Internet account is more costly than a single-address account typically used by a single user with a modem, rather than a router. The FVM318 firewall employs an address-sharing method called Network Address Translation (NAT).
MAC Addresses and Address Resolution Protocol
An IP address alone cannot be used to deliver data from one LAN device to another. To send data between LAN devices, you must convert the IP address of the destination device to its media access control (MAC) address. Each device on an Ethernet network has a unique MAC address, which is a 48-bit number assigned to each device by the manufacturer.
When a PC accesses a resource by its descriptive name, it first contacts a DNS server to obtain the IP address of the resource. The PC sends the desired message using the IP address. Many large organizations, such as ISPs, maintain their own DNS servers and allow their customers to use the servers to look up addresses.
What is a Firewall?
A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack. Several known types of intrusion or attack can be recognized when they occur.
Wireless Networking
The FVM318 firewall conforms to the Institute of Electrical and Electronics Engineers (IEEE) 802.11b standard for wireless LANs (WLANs). On an 802.11b wireless link, data is encoded using direct-sequence spread-spectrum (DSSS) technology and is transmitted in the unlicensed radio spectrum at 2.5 GHz.
In the infrastructure mode, the wireless access point converts airwave data into wired Ethernet data, acting as a bridge between the wired LAN and wireless clients. Connecting multiple Access Points via a wired Ethernet backbone can further extend the wireless network coverage. As a mobile computing device moves out of the range of one access point, it moves into the range of another.
2. The station listens for messages from any access points that are in range.
3. The station finds a message from an access point that has a matching SSID.
4. The station sends an authentication request to the access point.
5. The access point authenticates the station.
6. The station sends an association request to the access point.
7. The access point associates with the station.
8.
This process is illustrated below.
[Figure 8-4: 802.11b Authentication, Open System Steps: 1) Authentication request sent to AP; 2) AP authenticates; 3) Client connects to network. The figure shows the client attempting to connect, the FVM318 access point, the cable or DSL modem and the Internet.]
This process is illustrated below. 802.
Key Size
The IEEE 802.11b standard supports two types of WEP encryption: 40-bit and 128-bit. The 64-bit WEP data encryption method allows for a five-character (40-bit) input. Additionally, 24 factory-set bits are added to the forty-bit input to generate a 64-bit encryption key. (The 24 factory-set bits are not user-configurable.)
Note: The AP and the client adapters can have different default WEP Keys as long as the keys are in the same order. In other words, the AP can use WEP key 2 as its default key to transmit while a client adapter can use WEP key 3 as its default key to transmit. The two devices will communicate as long as the AP’s WEP key 2 is the same as the client’s WEP key 2 and the AP’s WEP key 3 is the same as the client’s WEP key 3.
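The key-size arithmetic under "Key Size" and the key-number rule in the note above are easy to get wrong when keys are typed into two devices by hand, so the following added example (written for this manual, not NETGEAR firmware) checks both: it normalizes a typed key to bytes, accepting either ASCII or hex of the length the key size requires, and then applies the note's rule that each side's transmit key number may differ but the key stored under that number must be identical on both sides. It assumes the usual WEP key lengths (5 ASCII characters or 10 hex digits for 64-bit, 13 characters or 26 hex digits for 128-bit); the key tables are constructed sample data. The check covers format and agreement only, not strength: WEP's RC4-with-24-bit-IV design is cryptographically broken, which is why this manual separately offers IPSec over the wireless link.

```python
# Added illustration of the WEP key rules described above; not NETGEAR firmware.
# Assumptions: the usual WEP key forms (64-bit: 5 ASCII characters or 10 hex digits,
# 128-bit: 13 ASCII characters or 26 hex digits); the 24 IV bits are added by the hardware.
# The key tables at the bottom are constructed sample data.

IV_BITS = 24
USER_KEY_BITS = {64: 40, 128: 104}


def normalize_wep_key(key: str, key_size: int) -> bytes:
    """Return the user-entered key bytes, accepting ASCII or hex of the right length.
    The two forms never overlap in length, so the length decides which was entered."""
    if key_size not in USER_KEY_BITS:
        raise ValueError("key_size must be 64 or 128")
    nbytes = USER_KEY_BITS[key_size] // 8
    if len(key) == nbytes:
        return key.encode("ascii")          # non-ASCII raises UnicodeEncodeError, a ValueError
    if len(key) == 2 * nbytes:
        try:
            return bytes.fromhex(key)
        except ValueError:
            raise ValueError("hex key contains non-hex characters") from None
    raise ValueError(
        f"a {key_size}-bit WEP key needs {nbytes} ASCII characters or {2 * nbytes} hex digits"
    )


def total_key_bits(key_size: int) -> int:
    """User bits plus the 24 factory-set IV bits: 40 + 24 = 64, 104 + 24 = 128."""
    return USER_KEY_BITS[key_size] + IV_BITS


def can_communicate(ap_keys, ap_default, client_keys, client_default, key_size=64) -> bool:
    """The note's rule: each side may transmit with a different default key number (1-4),
    but the key stored under that number must be identical on both sides, in both directions."""
    ap = [normalize_wep_key(k, key_size) for k in ap_keys]
    client = [normalize_wep_key(k, key_size) for k in client_keys]
    ap_to_client = ap[ap_default - 1] == client[ap_default - 1]
    client_to_ap = client[client_default - 1] == ap[client_default - 1]
    return ap_to_client and client_to_ap


def mismatched_slots(ap_keys, client_keys, key_size=64) -> list:
    """Key numbers whose contents differ between AP and client; a client that can send but
    not receive usually has a mismatch in the number the AP transmits with."""
    ap = [normalize_wep_key(k, key_size) for k in ap_keys]
    client = [normalize_wep_key(k, key_size) for k in client_keys]
    return [i + 1 for i, (a, c) in enumerate(zip(ap, client)) if a != c]


if __name__ == "__main__":
    AP = ["k1aaa", "k2bbb", "k3ccc", "k4ddd"]                 # constructed
    CLIENT = ["zzzzz", "6b32626262", "k3ccc", "k4ddd"]        # key 2 typed as hex for 'k2bbb'
    print(can_communicate(AP, 2, CLIENT, 3))   # True: keys 2 and 3 agree on both sides
    print(can_communicate(AP, 1, CLIENT, 3))   # False: key 1 differs
    print(mismatched_slots(AP, CLIENT))        # [1]
```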
Note: The available channels supported by the wireless products in various countries are different. The preferred channel separation between the channels in neighboring wireless networks is 25 MHz (5 channels). This means that you can apply up to three different channels within your wireless network. There are only 11 usable wireless channels in the United States.
When connecting a PC to a PC, or a hub port to another hub port, the transmit pair must be exchanged with the receive pair. This exchange is done by one of two mechanisms. Most hubs provide an Uplink switch which will exchange the pairs on one port, allowing that port to be connected to another hub using a normal Ethernet cable.
How Does VPN Work?
A VPN can be thought of as a secure tunnel passing through the Internet, connecting two devices such as a PC or router, which form the two tunnel endpoints. At one endpoint, data is encapsulated and encrypted, then transmitted through the Internet. At the far endpoint, the data is received, unencapsulated and decrypted.
• Exchange keys
• Keep track of the agreements
Negotiating the SA - the Internet Key Exchange (IKE)
IKE provides a way to:
• Ensure that the key exchange and the IPSec communication occurs only between authenticated parties;
• Negotiate the protocols, algorithms and keys to be used between the two IPSec hosts;
• Securely update and renegotiate SAs when they have expired.
IKE functions in two phases:
1. Phase 1.
b. The responder sends its own Diffie-Hellman value.
c. The initiator confirms the exchange.
Key Exchange: Phase 2
Quick mode is used in the second phase. Quick mode negotiates the IPSec SA.
• Once the SA has been established, the parties use Quick mode to negotiate security services and generate fresh key material.
• A single SA negotiation results in two SAs, one inbound and one outbound. Both SAs are one-way.
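The two IKE phases just described, and the Perfect Forward Secrecy and SPI settings from the VPN configuration procedures earlier in this manual, can be traced end to end in a small simulation. The block below is an added example written for this manual, not NETGEAR's IKE implementation, and it simplifies deliberately: it assumes a toy Diffie-Hellman group (the Mersenne prime 2**127 - 1 with generator 2, where real IKE uses the RFC 2409 MODP groups of 1024 bits and up), HMAC-SHA256 as the PRF, and simplified key-derivation inputs; peer names, nonces and SPIs are constructed. It shows Phase 1 (each side sends a Diffie-Hellman value, then confirms with a hash that only a holder of the PreShared Key can compute), and Phase 2 producing one inbound and one outbound one-way SA per side. With PFS on, a second Diffie-Hellman exchange is mixed into the Phase 2 keys, so the Phase 1 key alone cannot reproduce them; with PFS off, it can.

```python
import hashlib
import hmac
import secrets

# Added illustration of the IKE exchange described above; not NETGEAR's implementation.
# Assumptions, for illustration only: a toy Diffie-Hellman group (2**127 - 1, generator 2;
# real IKE uses the RFC 2409 MODP groups), HMAC-SHA256 as the PRF and simplified key
# derivation inputs. Never reuse this group in a real deployment.
P = 2 ** 127 - 1
G = 2


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


class Peer:
    def __init__(self, identity: str, psk: bytes):
        self.identity = identity.encode()
        self.psk = psk                      # the case-sensitive PreShared Key from the worksheet
        self.nonce = secrets.token_bytes(16)
        self.spi = secrets.token_bytes(4)   # our Incoming SPI: the remote host's Outgoing SPI
        self._priv = None

    def dh_value(self) -> int:
        """Fresh private exponent on every call; returns the public value g^x mod p."""
        self._priv = secrets.randbelow(P - 3) + 2
        return pow(G, self._priv, P)

    def dh_shared(self, peer_value: int) -> bytes:
        if not 1 < peer_value < P - 1:      # reject values that force a trivial shared secret
            raise ValueError("degenerate Diffie-Hellman value")
        return to_bytes(pow(peer_value, self._priv, P))


def phase1(init: Peer, resp: Peer):
    """Main mode: (a) initiator sends its DH value, (b) responder sends its own, (c) each side
    confirms with a hash keyed by material that requires the PSK. Returns (skey_i, skey_r, ok)."""
    v_i = init.dh_value()
    v_r = resp.dh_value()
    skey_i = prf(init.psk, init.nonce, resp.nonce, init.dh_shared(v_r))
    skey_r = prf(resp.psk, init.nonce, resp.nonce, resp.dh_shared(v_i))
    hash_i = prf(skey_i, to_bytes(v_i), to_bytes(v_r), init.identity)   # sent by initiator
    hash_r = prf(skey_r, to_bytes(v_r), to_bytes(v_i), resp.identity)   # sent by responder
    resp_ok = hmac.compare_digest(hash_i, prf(skey_r, to_bytes(v_i), to_bytes(v_r), init.identity))
    init_ok = hmac.compare_digest(hash_r, prf(skey_i, to_bytes(v_r), to_bytes(v_i), resp.identity))
    return skey_i, skey_r, resp_ok and init_ok


def derive_sa_key(skey: bytes, dh_extra: bytes, spi: bytes, n_i: bytes, n_r: bytes) -> bytes:
    """Per-direction key: binding the SPI makes the inbound and outbound keys differ."""
    return prf(skey, dh_extra, spi, n_i, n_r)


def phase2(init: Peer, resp: Peer, skey_i: bytes, skey_r: bytes, pfs: bool):
    """Quick mode: one negotiation yields two one-way SAs per side. With PFS a fresh DH
    exchange is mixed in, so the phase-1 key alone cannot reproduce the SA keys."""
    if pfs:
        v_i, v_r = init.dh_value(), resp.dh_value()
        extra_i, extra_r = init.dh_shared(v_r), resp.dh_shared(v_i)
    else:
        extra_i = extra_r = b""
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    init_sas = {"outbound": derive_sa_key(skey_i, extra_i, resp.spi, n_i, n_r),
                "inbound": derive_sa_key(skey_i, extra_i, init.spi, n_i, n_r)}
    resp_sas = {"outbound": derive_sa_key(skey_r, extra_r, init.spi, n_i, n_r),
                "inbound": derive_sa_key(skey_r, extra_r, resp.spi, n_i, n_r)}
    return init_sas, resp_sas, (n_i, n_r)


def run(psk_init: bytes, psk_resp: bytes, pfs: bool = True) -> dict:
    """Full exchange between two constructed peers; returns keys, SA tables and the auth result."""
    init, resp = Peer("lan-a", psk_init), Peer("lan-b", psk_resp)
    skey_i, skey_r, ok = phase1(init, resp)
    init_sas, resp_sas, nonces = phase2(init, resp, skey_i, skey_r, pfs)
    return {"authenticated": ok, "skey_i": skey_i, "nonces": nonces,
            "init_sas": init_sas, "resp_sas": resp_sas, "resp_spi": resp.spi}


if __name__ == "__main__":
    result = run(b"r>T(h4&3@#kB", b"r>T(h4&3@#kB")
    print("authenticated:", result["authenticated"])
    print("initiator outbound == responder inbound:",
          result["init_sas"]["outbound"] == result["resp_sas"]["inbound"])
```

Two things the run makes visible: a mismatched PreShared Key fails the Phase 1 confirmation before any SA is keyed, and the initiator's outbound key equals the responder's inbound key (and vice versa) while the two directions use different keys, which is what "two SAs, both one-way" means in practice.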
In some cases, the client PC may connect to the Internet through a local non-VPN-enabled router, as shown below:
[Figure 8-8: Client to LAN access through simple router to VPN router. The figure shows the client PC, a simple router, the Internet, the VPN router and the LAN.]
If the non-VPN router is performing NAT, it must support “VPN-passthrough” of IPSec-encoded data.
Relevant RFCs listed numerically:
• [RFC 791] Internet Protocol: DARPA Internet Program Protocol Specification, Information Sciences Institute, USC, September 1981.
• [RFC 1058] Routing Information Protocol, C. Hedrick, Rutgers University, June 1988.
• [RFC 1483] Multiprotocol Encapsulation over ATM Adaptation Layer 5, Juha Heinanen, Telecom Finland, July 1993.
• [RFC 2401] S. Kent, R.
Appendix C Preparing Your Network This appendix describes how to prepare your network to connect to the Internet through the FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall and how to verify the readiness of broadband Internet service from an Internet service provider (ISP).
In your IP network, each PC and the firewall must be assigned a unique IP address. Each PC must also have certain other IP configuration information such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address. In most cases, you should install TCP/IP so that the PC obtains its specific network configuration information automatically from a DHCP server during bootup.
You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks.
Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.
If you need to install a new adapter, follow these steps:
a. Click the Add button.
b. Select Adapter, and then click Add.
c.
3. a. Click the Add button.
b. Select Client, and then click Add.
c. Select Microsoft.
d. Select Client for Microsoft Networks, and then click OK.
Restart your PC for the changes to take effect.

Enabling DHCP in Windows 95B, 98, and Me
After the TCP/IP protocol components are installed, each PC must be assigned specific information about itself and resources that are available on its network.
Verify the following settings as shown:
• Client for Microsoft Networks exists
• Ethernet adapter is present
• TCP/IP is present
• Primary Network Logon is set to Windows logon
Click on the Properties button. The following TCP/IP Properties window will display.
By default, the IP Address tab is open on this window. Verify the following:
• Obtain an IP address automatically is selected. If not selected, click in the radio button to the left of it to select it. This setting is required to enable the DHCP server to automatically assign an IP address.
• Click OK to continue.
• Restart the PC.
Repeat these steps for each PC with this version of Windows on your network.
2. Type winipcfg, and then click OK. The IP Configuration window opens, which lists (among other things) your IP address, subnet mask, and default gateway.
3. From the drop-down box, select your Ethernet adapter.
DHCP Configuration of TCP/IP in Windows XP, 2000, or NT4
You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you through the configuration process for each of these versions of Windows.

DHCP Configuration of TCP/IP in Windows XP
Locate your Network Neighborhood icon.
Now the Network Connections window displays. The Connections List, which shows all the network connections set up on the PC, is located on the right side of the window.
• Right-click on the Connection with the wireless icon and choose Status.
Now you should be at the Local Area Network Connection Status window. This box displays the connection status, duration, speed, and activity statistics.
The TCP/IP details are presented on the Support tab page.
• Select Internet Protocol, and click Properties to view the configuration information.
• Verify that the Obtain an IP address automatically radio button is selected.
• Verify that the Obtain DNS server address automatically radio button is selected.
• Click the OK button.
This completes the DHCP configuration of TCP/IP in Windows XP. Repeat these steps for each PC with this version of Windows on your network.
• Click on the My Network Places icon on the Windows desktop. This will bring up a window called Network and Dial-up Connections.
• Right click on Local Area Connection and select Properties. The Local Area Connection Properties dialog box appears.
• Verify that you have the correct Ethernet card selected in the Connect using: box.
• With Internet Protocol (TCP/IP) selected, click on Properties to open the Internet Protocol (TCP/IP) Properties dialog box. Verify that
  – Obtain an IP address automatically is selected.
  – Obtain DNS server address automatically is selected.
• Click OK to return to Local Area Connection Properties.
• Click OK again to complete the configuration process for Windows 2000.
• Restart the PC.
DHCP Configuration of TCP/IP in Windows NT4
Once you have installed the network card, you need to configure the TCP/IP environment for Windows NT 4.0. Remember that TCP/IP is set up dynamically here: the PC obtains its TCP/IP settings through DHCP rather than from a fixed configuration. Following are the procedures you use to configure TCP/IP with DHCP in Windows NT 4.0.
• Choose Settings from the Start Menu, and then select Control Panel.
• Highlight the TCP/IP Protocol in the Network Protocols box, and click on the Properties button.
The TCP/IP Properties dialog box now displays.
• Click the IP Address tab.
• Select the radio button marked Obtain an IP address from a DHCP server.
• Click OK.
This completes the configuration of TCP/IP in Windows NT. Restart the PC. Repeat these steps for each PC with this version of Windows on your network.

Verifying TCP/IP Properties for Windows XP, 2000, and NT4
To check your PC’s TCP/IP configuration:
1.
4. The default gateway is 192.168.0.1. Type exit.

Configuring the Macintosh for TCP/IP Networking
Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP to use DHCP.
MacOS 8.6 or 9.x
1. From the Apple menu, select Control Panels, then TCP/IP. The TCP/IP Control Panel opens:
2.
MacOS X
1. From the Apple menu, choose System Preferences, then Network.
2. If not already selected, select Built-in Ethernet in the Configure list.
3. If not already selected, select Using DHCP in the TCP/IP tab.
4. Click Save.

Verifying TCP/IP Properties for Macintosh Computers
After your Macintosh is configured and has rebooted, you can check the TCP/IP configuration by returning to the TCP/IP Control Panel.
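The Windows verification steps above have you read the address, mask and gateway by eye from `ipconfig /all`. As an added example (not from the NETGEAR manual), the Python below applies the same checks to saved `ipconfig /all` output from several PCs: DHCP must be enabled, the address must sit on the firewall's default 192.168.0.0/24 LAN, the gateway must be 192.168.0.1, and a 169.254.x.x "automatic private" address is flagged as a PC that never obtained a lease from the firewall. The sample output and the adapter names in it are constructed; the 192.168.0.1 gateway is the default the manual states.

```python
"""Check saved `ipconfig /all` output for DHCP readiness behind an FVM318.
Added example, not NETGEAR code. SAMPLE_IPCONFIG is constructed, not captured."""
import ipaddress
import re

GATEWAY = ipaddress.ip_address("192.168.0.1")          # FVM318 default LAN address
APIPA = ipaddress.ip_network("169.254.0.0/16")         # Windows "no DHCP lease" range

SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.0.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1

Ethernet adapter Local Area Connection 2:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 169.254.12.34
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter (.+)):$")
# "   Subnet Mask . . . . . . : 255.255.255.0"  ->  ("Subnet Mask", "255.255.255.0")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?)[ .]*: ?(.*)$")


def parse_ipconfig(text: str) -> dict:
    """Map adapter name -> {field label: value} from `ipconfig /all` text."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(2)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1).strip()] = m.group(2).strip()
    return adapters


def check_adapter(fields: dict) -> list:
    """Return the problems found; an empty list means ready for the firewall's LAN."""
    problems = []
    if fields.get("DHCP Enabled", "").lower() != "yes":
        problems.append("DHCP is not enabled; a static address will not follow the firewall's settings")
    try:
        iface = ipaddress.ip_interface(f"{fields['IP Address']}/{fields['Subnet Mask']}")
    except (KeyError, ValueError):
        return problems + ["no valid IP address / subnet mask"]
    if iface.ip in APIPA:
        # DHCP was on but no server answered: the PC fell back to an automatic private address.
        return problems + ["automatic private address: no DHCP lease was obtained from the firewall"]
    gw = fields.get("Default Gateway", "")
    if gw != str(GATEWAY):
        problems.append(f"default gateway is {gw or 'unset'}, expected {GATEWAY}")
    if GATEWAY not in iface.network:
        problems.append(f"{iface} is not on the same subnet as the firewall at {GATEWAY}")
    return problems


def check_ipconfig(text: str) -> dict:
    """Adapter name -> list of problems, for every adapter in the output."""
    return {name: check_adapter(f) for name, f in parse_ipconfig(text).items()}


if __name__ == "__main__":
    for name, problems in check_ipconfig(SAMPLE_IPCONFIG).items():
        print(name, "OK" if not problems else problems)
```

Run it against `ipconfig /all > pc.txt` collected from each PC; adapters that come back with an empty list match what the manual's verification steps expect to see.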
Verifying the Readiness of Your Internet Account
For broadband access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using a cable modem or DSL modem. This modem must be a separate physical box (not a card) and must provide an Ethernet port intended for connection to a Network Interface Card (NIC) in a computer.
• An IP address and subnet mask
• A gateway IP address, which is the address of the ISP’s router
• One or more domain name server (DNS) IP addresses
• Host name and domain suffix
For example, your account’s full server names may look like this: mail.xxx.yyy.com
In this example, the domain suffix is xxx.yyy.com. If any of these items are dynamically supplied by the ISP, your firewall automatically acquires them.
If an IP address appears under Installed Gateways, write down the address. This is the ISP’s gateway address. Select the address and then click Remove to remove the gateway address.
6. Select the DNS Configuration tab. If any DNS server addresses are shown, write down the addresses. If any information appears in the Host or Domain information box, write it down. Click Disable DNS.
7.
Restarting the Network
Once you’ve set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the firewall. After configuring all of your computers for TCP/IP networking and restarting them, and connecting them to the local network of your FVM318 firewall, you are ready to access and configure the firewall.
Glossary
10BASE-T IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring.
100BASE-Tx IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring.
3DES 3DES (Triple DES) achieves a high level of security by encrypting the data three times using DES with three different, independent keys.
802.11b IEEE specification for wireless networking at 11 Mbps using direct-sequence spread-spectrum (DSSS) technology and operating in the unlicensed radio spectrum at 2.4 GHz.
DMZ A Demilitarized Zone is used by a company that wants to host its own Internet services without exposing its private network to unauthorized access. The DMZ sits between the Internet and an internal network's line of defense, usually some combination of firewalls and bastion hosts.
IP Internet Protocol. The main internetworking protocol used in the Internet. Used in conjunction with the Transmission Control Protocol (TCP) to form TCP/IP.
IP Address A 32-bit (four-byte) number uniquely defining each host on the Internet. Ranges of addresses are assigned by Internic, an organization formed for this purpose. Usually written in dotted-decimal notation with periods separating the bytes (for example, 134.177.
netmask A number that explains which part of an IP address comprises the network address and which part is the host address on that network. It can be expressed in dotted-decimal notation or as a number appended to the IP address. For example, a 26-bit mask starting from the MSB can be shown as 255.255.255.192 or as /26 appended to the IP address (a /28 mask would be 255.255.255.240).
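The conversion the netmask entry describes, as an added example in Python (not from the NETGEAR manual): a dotted-decimal mask is turned into its prefix length by counting the leading one bits, a prefix length back into a mask, and an address split into its network and host parts. The contiguity check matters in practice: a mask such as 255.0.255.0 has 16 one bits but is not a valid /16, and a firewall or host rule written with it will not match what the administrator intended.

```python
"""Netmask <-> prefix-length conversion with a contiguity check.
Added example, not NETGEAR code; addresses used in the examples are constructed."""


def _octets(dotted: str) -> int:
    """Dotted-decimal string -> 32-bit integer, rejecting anything that is not four octets."""
    parts = [int(o) for o in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= o <= 255 for o in parts):
        raise ValueError(f"not a dotted-decimal value: {dotted}")
    return int.from_bytes(bytes(parts), "big")


def _dotted(bits: int) -> str:
    return ".".join(str(b) for b in bits.to_bytes(4, "big"))


def prefix_to_bits(prefix: int) -> int:
    """/26 -> 0xFFFFFFC0: `prefix` one bits from the MSB, zeros after."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_to_mask(prefix: int) -> str:
    """26 -> '255.255.255.192'"""
    return _dotted(prefix_to_bits(prefix))


def mask_to_prefix(mask: str) -> int:
    """'255.255.255.192' -> 26. Raises ValueError for a non-contiguous mask."""
    bits = _octets(mask)
    prefix = bin(bits).count("1")
    # A valid mask is exactly `prefix` ones followed by zeros; 255.0.255.0 has 16 ones
    # but is not 0xFFFF0000, so it is rejected rather than silently read as /16.
    if bits != prefix_to_bits(prefix):
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def split_address(ip: str, mask: str):
    """Return (network address, host number) of `ip` under `mask`."""
    m = prefix_to_bits(mask_to_prefix(mask))
    bits = _octets(ip)
    return _dotted(bits & m), bits & ~m & 0xFFFFFFFF


if __name__ == "__main__":
    print(mask_to_prefix("255.255.255.192"), prefix_to_mask(28))
    print(split_address("192.168.0.130", "255.255.255.192"))
```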
subnet mask See netmask.
UPnP See Universal Plug and Play.
Universal Plug and Play UPnP. A networking architecture that provides compatibility among networking equipment, software and peripherals of the 400+ vendors that are part of the Universal Plug and Play Forum.
Wireless Network Name (SSID) Wireless Network Name (SSID). The name assigned to a wireless network. This is the same as the SSID or ESSID configuration parameter. There can be multiple wireless networks in a given area. You can connect to only one wireless network at a time. See also SSID and ESSID.
WINS See Windows Internet Naming Service.
Index

Numerics
3DES 3-6
64 or 128 bit WEP 3-6
802.

E
EnterNet C-19
EPROM, for firmware upgrade 1-4
ESSID 3-8, B-13
Ethernet 1-2
Ethernet cable B-19

F
factory settings, restoring 6-10
features 1-1
firewall features 1-2
FLASH memory 6-13
front panel 1-5

G
gateway address C-21

H
host name 2-10, 2-13

I
IP configuration by DHCP B-10
IP networking
  for Macintosh C-17
  for Windows C-2, C-7
IPSec B-21
IPSec Wireless Connections 3-12
ISP 2-1

J
Java 4-3

K
Key Life 5-7, 5-11

L
LAN IP Setup Menu 5-5, 7-6
LEDs
  description 1-6
  troubleshooting 8-2
log sending

N
NAT C-19
NAT.

R
rear panel 1-7
requirements, hardware 2-1

  verifying for Macintosh C-18
  verifying for Windows C-6, C-16
time of day 8-8
time zone 4-9
timeout, administrator login 4-3
time-stamping 4-9
troubleshooting 8-1
Trusted Host 4-5
Trusted PCs Only 3-4
tunnel B-21
typographical conventions 1-xiii

U
Uplink switch B-20
USB C-19

V
VPN 1-1

W
web proxy 4-3
WEP B-13
Wi-Fi B-12
Windows, configuring for IP routing C-2, C-7
winipcfg utility C-6
WinPOET C-19
WINS 7-5
Wired Equivalent Privacy.
Wireless Range Guidelines 3-1
Wireless Security 3-2