NETGEAR ProSafe FVM318, Reference Manual

Page 1: ...Inc 4500 Great America Parkway Santa Clara CA 95054 USA Phone 1 888 NETGEAR Reference Manual for the Model FVM318 Cable DSL ProSafe Wireless VPN Security Firewall Reference Manual FVM318 book Page i W...

Page 2: ...elevision reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient or relocate...

Page 3: ...ation This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communications Howe...

Page 4: ...r to the notes in the operating instructions Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the...

Page 5: ...iv FVM318 book Page iv Wednesday September 18 2002 5 20 PM...

Page 6: ...ement 1 3 What s in the Box 1 5 The Firewall s Front Panel 1 5 The Firewall s Rear Panel 1 6 Chapter 2 Connecting the Firewall to the Internet What You Will Need Before You Begin 2 1 LAN Hardware Requ...

Page 7: ...s 4 2 Sample Network to Network VPN Tunnel Configuration Worksheet 4 3 Using the VPN Connection 4 11 Configuring a Remote PC to Network VPN 4 12 Sample PC to Network VPN Tunnel Configuration Worksheet...

Page 8: ...o Restrict Wireless Access by MAC Address 6 4 Configuring Wired Equivalent Privacy WEP 6 5 Chapter 7 Advanced Configuration Configuring Advanced Security 7 1 Setting Up A Default DMZ Server 7 1 Respon...

Page 9: ...Router Concepts B 1 What is a Router B 2 Routing Information Protocol B 2 IP Addresses and the Internet B 2 Netmask B 4 Subnet Addressing B 5 Private IP Addresses B 7 Single IP Address Operation Usin...

Page 10: ...lecting Windows Internet Access Method C 4 Verifying TCP IP Properties C 5 Configuring Windows NT 2000 or XP for IP Networking C 5 Install or Verify Windows Networking Components C 5 Verifying TCP IP...

Page 11: ...x Contents FVM318 book Page x Wednesday September 18 2002 5 20 PM...

Page 12: ...2 Block Functions Keywords and Sites 3 4 Procedure 3 3 Block Services 3 6 Procedure 3 4 Setting Your Time Zone 3 7 Procedure 3 5 Scheduling Firewall Services 3 9 Procedure 4 1 Configuring a Network to...

Page 13: ...xii FVM318 book Page xii Wednesday September 18 2002 5 20 PM...

Page 14: ...s tutorial information is provided in the Appendices Typographical Conventions This guide uses the following typographical conventions italics Book titles and UNIX file command and directory names cou...

Page 15: ...ase answers to frequently asked questions and a means for submitting technical questions online Note This format is used to highlight information of importance or special interest Procedure This forma...

Page 16: ...Reference Manual for the Model FVM318 Cable DSL ProSafe Wireless VPN Security Firewall About This Manual xv FVM318 book Page xv Wednesday September 18 2002 5 20 PM...

Page 17: ...FVM318 book Page xvi Wednesday September 18 2002 5 20 PM...

Page 18: ...r connectivity through the serial port provides highly reliable Internet access for up to 253 users Key Features The FVM318 offers the following features A Powerful True Firewall Unlike simple Interne...

Page 19: ...ocal LAN and the Internet WAN interfaces are autosensing and capable of full duplex or half duplex operation The firewall incorporates Auto UplinkTM technology Each LOCAL Ethernet port will automatica...

Page 20: ...s allow remote users to find your network using a domain name when your IP address is not permanently assigned The firewall contains a client that can connect to many popular Dynamic DNS services to r...

Page 21: ...tic functions The firewall incorporates built in diagnostic functions such as Ping DNS lookup and remote reboot These functions allow you to test Internet connectivity and reboot the firewall You can...

Page 22: ...pful information Warranty and registration card Support information card If any of the parts are incorrect missing or damaged contact your NETGEAR dealer Keep the carton including the original packing...

Page 23: ...ED Descriptions Label Activity Description POWER On Power is supplied to the firewall TEST On Off The system is initializing The system is ready and running MODEM On Blinking The port detected a link...

Page 24: ...ive Internet service such as that provided by a DSL or Cable modem account 3 The Internet Service Provider ISP configuration information for your DSL or Cable modem account LAN Hardware Requirements T...

Page 25: ...nternet connection information Your ISP should have provided you with all the information needed to connect to the Internet If you cannot locate this information you can ask your ISP to provide it or...

Page 26: ...___ Subnet Mask ______ ______ ______ ______ Gateway IP Address ______ ______ ______ ______ ISP DNS Server Addresses If you were given DNS server addresses fill in the following Primary DNS Server IP A...

Page 27: ...stallation Assistant to help you through this procedure Procedure 2 2 Connecting the Firewall to Your LAN There are three steps to connecting your firewall 1 Connect the firewall to your network 2 Log...

Page 28: ...net cable A from your computer which connects to your Cable or DSL modem Figure 2 1 Disconnect the Cable or DSL Modem c Connect the Ethernet cable A from your Cable or DSL modem to the FR328S s Intern...

Page 29: ...lf to the correct configuration This feature also eliminates the need to worry about crossover cables as Auto Uplink will accommodate either type of cable to make the right connection e Turn on the Ca...

Page 30: ...ERNET LINK light is lit indicating a link has been established to the cable or DSL modem c Next use a browser like Internet Explorer or Netscape to log in to the firewall at its default address of htt...

Page 31: ...The firewall is now properly attached to your network You are now ready to configure your firewall to connect to the Internet There are two ways you can configure your firewall to connect to the Inte...

Page 32: ...ld launch automatically When the Wizard launches select Yes in the menu below to allow the firewall to automatically determine your connection Figure 2 7 Built in Web based Configuration Manager Setup...

Page 33: ...ount Setup If the Setup Wizard determines that your Internet service account uses a login protocol such as PPP over Ethernet PPPoE you will be directed to a menu like the PPPoE menu in Figure 2 8 Figu...

Page 34: ...ur ISP s Primary DNS Server If a Secondary DNS Server address is available enter it also If you enter an address here after you finish configuring the firewall reboot your PCs so that the settings tak...

Page 35: ...login If the ISP does not transfer an address you must obtain it from the ISP and enter it manually here If you enter an address here you should reboot your PCs after configuring the firewall 3 The Ro...

Page 36: ...s from your ISP you recorded in Record Your Internet Connection Information on page 2 3 2 Enter the IP address of your ISP s Primary DNS Server If a Secondary DNS Server address is available enter it...

Page 37: ...gure your firewall using the menu below or you can allow the Setup Wizard to determine your configuration as described in the previous section Figure 2 11 Browser based configuration Basic Settings me...

Page 38: ...address The Gateway is the ISP s router to which your firewall will connect 5 Domain Name Server DNS Address If you know that your ISP does not automatically transmit DNS addresses to the firewall dur...

Page 39: ...16 Connecting the Firewall to the Internet 7 Click Apply to save your settings 8 Click on the Test button to test your Internet connection If the NETGEAR website does not appear within one minute ref...

Page 40: ...nnect the firewall to your ISDN or dial up analog modem 2 Configure the firewall 3 Connect to the Internet Follow the steps below to configure a serial port Internet connection on your firewall 1 Conn...

Page 41: ...ase refer to Appendix C Preparing Your Network a Use a browser to log in to the firewall at http 192 168 0 1 with its default User Name of admin and default Password of password or using whatever User...

Page 42: ...ial the number If you want to enable a Idle Time disconnect check the box and enter a time in minutes To configure the TCP IP settings fill in whatever address parameters your ISP provided e Configure...

Page 43: ...ISP and then copying the modem string settings from the PC configuration and pasting them into the FR328S Modem Properties Initial String field For more information on this procedure please refer to...

Page 44: ...tomatically connects to the Internet when one of your computers requires access It is not necessary to run a dialer or login application such as Dial Up Networking or Enternet to connect log in or dis...

Page 45: ...Reference Manual for the Model FVM318 Cable DSL ProSafe Wireless VPN Security Firewall 2 22 Connecting the Firewall to the Internet FVM318 book Page 22 Wednesday September 18 2002 5 20 PM...

Page 46: ...er admin for the firewall User Name and password for the firewall Password You can use procedures below to change the firewall s password and the amount of time for the administrator s login timeout N...

Page 47: ...o the firewall 2 From the Main Menu of the browser interface under the Maintenance heading select Set Password to bring up the menu shown in Figure 3 2 Figure 3 2 Set Password menu 3 To change the pas...

Page 48: ...filtering feature the FVM318 firewall prevents objectionable content from reaching your PCs The FR114P allows you to control access to Internet content by screening for keywords within Web addresses...

Page 49: ...2 Block Functions Keywords and Sites The FVM318 firewall allows you to restrict access to Internet content based on functions such as Java or Cookies Web addresses and Web address keywords 1 Log in to...

Page 50: ...u may specify one Trusted User which is a PC that will be exempt from blocking and logging Since the Trusted User will be identified by an IP address you should configure that PC with a fixed IP addre...

Page 51: ...k on the Block Sites link of the Security menu to display the Block Services menu shown in Figure 3 4 Figure 3 4 Block Services menu To create a new Block Services rule click the Add button To edit an...

Page 52: ...ge If you select a range of addresses enter the range in the start and finish boxes If you select a single address enter it in the start box Log You can select whether the traffic will be logged The c...

Page 53: ...e blocking schedule according to your local time zone and for time stamping log entries Check the Daylight Savings Time box if your time zone is currently in daylight savings time Note If your region...

Page 54: ...ng whatever User Name Password and LAN address you have chosen for the firewall 2 Click on the Schedule link of the Security menu to display menu shown in the Schedule Services menu on page 8 3 To blo...

Page 55: ...Reference Manual for the Model FVM318 Cable DSL ProSafe Wireless VPN Security Firewall 3 10 Protecting Your Network FVM318 book Page 10 Wednesday September 18 2002 5 20 PM...

Page 56: ...mote Computer to Network VPNs Two common scenarios for configuring VPN tunnels are between two or more networks and between a remote computer and a network The FVS318 supports these configurations Fig...

Page 57: ...figure each endpoint with specific identification and connection information describing the other endpoint This set of configuration information defines a security association SA between the two point...

Page 58: ...tion Worksheet The sample configuration worksheet below is filled in with the parameters used in the procedure examples below A blank worksheet is provided below at Network to Network IKE VPN Tunnel C...

Page 59: ...procedures below refer to the Sample Network to Network IKE VPN Tunnel Configuration Worksheet on page 4 3 To configure your actual network print and fill out the blank Network to Network IKE VPN Tun...

Page 60: ...the Local LAN A via the LAN IP Setup Menu c Change the settings as follows IP Address to 192 168 3 1 DHCP Starting Address to 192 168 3 2 DHCP Ending Address to 192 168 3 100 Change any Reserved IP A...

Page 61: ...configuration 2 Configure the VPN Settings of the FVS318 firewall A on the local LAN a Log in to the first FVS318 router A at its new LAN address of http 192 168 3 1 with its default User Name of admi...

Page 62: ...the Security Association of LANs A and B For example enter VPNAB as the Connection Name Enter the unique Local IPSec Identifier name for the local FVS318 A For example enter LAN_A Note This IPSec name...

Page 63: ...and fill in the settings below Note The alternative to IKE is Manual Keying which is covered Using Manual Keying as an Alternative to IKE on page 4 24 To configure the IKE settings for firewall A ente...

Page 64: ...p menu click the VPN Settings link The VPN Settings window opens c Click the button next to an unused profile in the table and click Edit The VPN Settings Main Mode window opens as shown in Figure 4 8...

Page 65: ...ient or PPPOE then it is a dynamic address For a dynamic address enter 0 0 0 0 in the configuration screen of the FVS318 on LAN B as the WAN IP Address for the FVS318 on LAN A Note Only one side may h...

Page 66: ...FVS318 on LAN A on the Windows taskbar click the Start button and then click Run 2 Type ping t 192 168 0 1 and then click OK Figure 4 9 Running a Ping test from Windows 3 This will cause a continuous...

Page 67: ...el Configuration Worksheet The sample configuration worksheet below is filled in with the parameters used in the procedure examples below A blank worksheet is at PC to Network IKE VPN Tunnel Settings...

Page 68: ...use different VPN client software please refer to NETGEAR s web site for additional VPN applications information Procedure 4 3 Configuring a Remote PC to Network VPN 1 Configure the VPN Tunnel on the...

Page 69: ...must match the name of the Security Association defined in the VPN client on the remote PC e Enter LANAPCIPSEC as the Local IPSec Identifier for the FVS318 on LAN A Note This IPSec name must not be u...

Page 70: ...e Default is 28800 seconds 8 hours A shorter time increases security but users will be temporarily disconnected upon renegotiation p If you need to run Microsoft networking functions such as Network N...

Page 71: ...the New Connection so that it matches the Connection Name you entered in the VPN Settings of the FVS318 A In this example it would be VPNLANPC In the Connection Security box select Secure In the ID Ty...

Page 72: ...t expand the new connection by double clicking its name or clicking on the symbol My Identity and Security Policy subheadings appear below the connection name b Click on the Security Policy subheading...

Page 73: ...olicy Options h Increase the Retransmit Interval period to 45 seconds i Check the Allow to Specify Internal Network Address checkbox and click OK 5 Configure the VPN Client Identity In this step you w...

Page 74: ...e Internal Network IP Address box Otherwise leave this box empty For this example use 192 168 100 2 e In the Internet Interface box select the adapter you use to access the Internet Select PPP Adapter...

Page 75: ...e used for this connection This selection must match your selection in the FVS318 configuration a Expand the Key Exchange subheading by double clicking its name or clicking on the symbol Then select P...

Page 76: ...s a dynamically assigned WAN IP address it must initiate the request The simplest method is to ping from the remote PC to the LAN IP address of the FVS318 Using our example start from the remote PC 1...

Page 77: ...LAN IP Address of the remote FVS318 After a short wait you should see the login screen of the firewall Monitoring the PC to Network VPN Connection Using SafeNet Tools Information on the progress and s...

Page 78: ...Name field in this menu will say SA before the name of the connection When the connection is successful the SA will change to the yellow key symbol shown in the illustration above Deleting a Security...

Page 79: ...When editing the VPN Settings you may select manual keying At that time the edit menu changes to look like Figure 4 21 Figure 4 21 VPN Edit menu for Manual Keying 2 Incoming SPI Enter a Security Para...

Page 80: ...re 5 Enter a hexadecimal Encryption Key For DES enter 16 hexadecimal 0 9 A F characters For 3DES enter 48 hexadecimal 0 9 A F characters The encryption key must match exactly the key used by the remot...

Page 81: ...on procedure Table 4 3 Network to Network IKE VPN Tunnel Configuration Worksheet IKE Tunnel Security Association Settings Connection Name PreShared Key Secure Association Main Mode or Aggressive Mode...

Page 82: ...ty Association Settings Connection Name PreShared Key Secure Association Main Mode or Aggressive Mode Perfect Forward Secrecy Encryption Protocol Null 56 bit DES or 168 bit 3DES Key Life in seconds IK...