
Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114

Virtual Private Networking

7-11


The VPN Manual Policy fields are defined in the following table.

Table 7-1. VPN Manual Policy Configuration Fields

Field / Description

General
These settings identify this policy and determine its major characteristics.

Policy Name
The name of the VPN policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN Endpoint. It is used to help you identify VPN policies.

Remote VPN Endpoint
The WAN Internet IP address of the remote VPN firewall or client to which you wish to connect. The remote VPN endpoint must have this FWAG114's WAN Internet IP address entered as its "Remote VPN Endpoint."

Traffic Selector
These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be created.

Local IP
The drop-down menu allows you to configure the source IP address of the outbound network traffic for which this VPN policy will provide security. Usually, this address will be from your network address space. The choices are:
• ANY for all valid IP addresses in the Internet address space
• Single IP Address
• Range of IP Addresses
• Subnet Address

Remote IP
The drop-down menu allows you to configure the destination IP address of the outbound network traffic for which this VPN policy will provide security. Usually, this address will be from the remote site's corporate network address space. The choices are:
• ANY for all valid IP addresses in the Internet address space
• Single IP Address
• Range of IP Addresses
• Subnet Address

Authenticating Header (AH) Configuration
AH specifies the authentication protocol for the VPN header. These settings must match the remote VPN endpoint.
Note: The "Incoming" settings here must match the "Outgoing" settings on the remote VPN endpoint, and the "Outgoing" settings here must match the "Incoming" settings on the remote VPN endpoint.

SPI - Incoming
Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint has the same value in its "Outgoing SPI" field.
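The table above leaves two things implicit that are easy to get wrong when keying a manual tunnel by hand: the traffic selector only tunnels a packet when every criterion matches, and the two endpoints' SPI, endpoint-address and selector fields must mirror each other (this side's Incoming is the peer's Outgoing, this side's Local IP is the peer's Remote IP). The following added example, which is not NETGEAR's code and uses class and field names that are this example's own assumptions, models those fields for a pair of constructed head-office and branch policies, evaluates the selector against sample source and destination addresses, and reports every cross-endpoint mismatch so a misconfiguration is caught before traffic is expected to be protected:

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed example (not NETGEAR code): models the Traffic Selector and
# SPI fields of a FWAG114 manual VPN policy from Table 7-1 and checks that
# the policies at two endpoints mirror each other. Class and field names
# are this example's own assumptions.

# "Enter a Hex value (3 - 8 chars)" applies to each SPI field.
SPI_RE = re.compile(r"^[0-9A-Fa-f]{3,8}$")


@dataclass(frozen=True)
class Selector:
    """One Local IP / Remote IP choice: ANY, single, range, or subnet."""
    kind: str
    data: str = ""  # "", "10.0.0.5", "10.0.0.10-10.0.0.20", or "10.0.0.0/24"

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.kind == "ANY":
            return True
        if self.kind == "single":
            return addr == ipaddress.ip_address(self.data)
        if self.kind == "range":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.data.split("-"))
            return lo <= addr <= hi
        if self.kind == "subnet":
            return addr in ipaddress.ip_network(self.data, strict=False)
        raise ValueError(f"unknown selector kind: {self.kind!r}")


@dataclass
class ManualPolicy:
    name: str
    wan_ip: str           # this firewall's WAN Internet IP address
    remote_endpoint: str  # "Remote VPN Endpoint" field: the peer's WAN IP
    local_ip: Selector    # Traffic Selector: source of outbound traffic
    remote_ip: Selector   # Traffic Selector: destination of outbound traffic
    spi_in: str           # "SPI - Incoming"
    spi_out: str          # "SPI - Outgoing"


def selects(policy: ManualPolicy, src: str, dst: str) -> bool:
    """Outbound traffic is tunnelled only when ALL selector criteria match."""
    return policy.local_ip.matches(src) and policy.remote_ip.matches(dst)


def check_pair(a: ManualPolicy, b: ManualPolicy) -> list:
    """Return the mismatches between two policies meant to terminate one tunnel."""
    problems = []
    for p in (a, b):
        for label, spi in (("Incoming", p.spi_in), ("Outgoing", p.spi_out)):
            if not SPI_RE.match(spi):
                problems.append(f"{p.name}: {label} SPI {spi!r} is not 3-8 hex chars")
    # Each side's Remote VPN Endpoint must be the other side's WAN IP.
    if a.remote_endpoint != b.wan_ip:
        problems.append(f"{a.name}: Remote VPN Endpoint {a.remote_endpoint} != {b.name} WAN {b.wan_ip}")
    if b.remote_endpoint != a.wan_ip:
        problems.append(f"{b.name}: Remote VPN Endpoint {b.remote_endpoint} != {a.name} WAN {a.wan_ip}")
    # Incoming here must equal Outgoing there, and vice versa.
    if a.spi_in != b.spi_out:
        problems.append(f"{a.name} Incoming SPI {a.spi_in} != {b.name} Outgoing SPI {b.spi_out}")
    if a.spi_out != b.spi_in:
        problems.append(f"{a.name} Outgoing SPI {a.spi_out} != {b.name} Incoming SPI {b.spi_in}")
    # One side's Local IP selector is the other side's Remote IP selector.
    if a.local_ip != b.remote_ip:
        problems.append(f"{a.name} Local IP selector != {b.name} Remote IP selector")
    if a.remote_ip != b.local_ip:
        problems.append(f"{a.name} Remote IP selector != {b.name} Local IP selector")
    return problems


# Constructed sample: head office and branch, both subnets, mirrored settings.
OFFICE = ManualPolicy("office-to-branch", "203.0.113.10", "198.51.100.20",
                      Selector("subnet", "192.168.0.0/24"), Selector("subnet", "10.1.0.0/24"),
                      spi_in="1a2b3c", spi_out="4d5e6f")
BRANCH = ManualPolicy("branch-to-office", "198.51.100.20", "203.0.113.10",
                      Selector("subnet", "10.1.0.0/24"), Selector("subnet", "192.168.0.0/24"),
                      spi_in="4d5e6f", spi_out="1a2b3c")
# The same branch policy with the two SPIs entered the wrong way round.
BRANCH_SWAPPED = ManualPolicy("branch-to-office", "198.51.100.20", "203.0.113.10",
                              BRANCH.local_ip, BRANCH.remote_ip,
                              spi_in="1a2b3c", spi_out="4d5e6f")

if __name__ == "__main__":
    print(selects(OFFICE, "192.168.0.10", "10.1.0.7"))  # True: tunnelled
    print(selects(OFFICE, "192.168.0.10", "8.8.8.8"))   # False: not selected
    print(check_pair(OFFICE, BRANCH))                   # []
    for line in check_pair(OFFICE, BRANCH_SWAPPED):
        print(line)
```

Traffic that fails the selector is not an error: as the chapter's overview states, traffic with no matching VPN policy passes through the firewall unchanged, which is exactly why a selector that is narrower than intended, or a swapped SPI pair, should be caught by a check like this rather than noticed later as a tunnel that never comes up.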

Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114, Version 1.0, June 2003. NETGEAR, Inc., 4500 Great America Parkway, Santa Clara, CA 95054 USA.

Page 2: ...n a particular installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient or relocate the receiving antenna Increase the separation between the equipment and receiver Connect the equipment into a...

Page 3: ...ions set out in the BMPT AmtsblVfg 243 1991 and Vfg 46 1992 The operation of some equipment for example test transmitters in accordance with the regulations may however be subject to certain restrictions Please refer to the notes in the operating instructions Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the ri...

Page 4: ...iv ...

Page 5: ...otocol Support 2 3 Easy Installation and Management 2 4 Maintenance and Support 2 5 Package Contents 2 5 The FWAG114 s Front Panel 2 6 The FWAG114 s Rear Panel 2 7 Chapter 3 Connecting the FWAG114 to the Internet What You Will Need Before You Begin 3 1 Cabling and Computer Hardware Requirements 3 1 Computer Network Configuration Requirements 3 1 Internet Configuration Requirements 3 2 Where Do I G...

Page 6: ...t Wireless Access by MAC Address 4 10 How to Configure WEP 4 12 Chapter 5 Firewall Protection and Content Filtering Firewall Protection and Content Filtering Overview 5 1 Block Sites 5 2 Using Rules to Block or Allow Specific Kinds of Traffic 5 3 Inbound Rules Port Forwarding 5 5 Inbound Rule Example A Local Public Web Server 5 5 Inbound Rule Example Allowing Videoconference from Restricted Addres...

Page 7: ...licies Automatic Key and Authentication Management 6 3 VPN Policy Configuration for Auto Key Negotiation 6 6 VPN Policy Configuration for Manual Key Exchange 6 9 Using Digital Certificates for IKE Auto Policy Authentication 6 14 Certificate Revocation List CRL 6 14 Walk Through of Configuration Scenarios on the FWAG114 6 15 VPN Consortium Scenario 1 Gateway to Gateway with Preshared Secrets 6 16 F...

Page 8: ...efault Configuration and Password 7 7 Problems with Date and Time 7 7 Appendix A Technical Specifications Appendix B Network Routing Firewall and Basics Related Publications B 1 Basic Router Concepts B 1 What is a Router B 2 Routing Information Protocol B 2 IP Addresses and the Internet B 2 Netmask B 4 Subnet Addressing B 5 Private IP Addresses B 7 Single IP Address Operation Using NAT B 8 MAC Add...

Page 9: ...n Windows XP C 8 DHCP Configuration of TCP IP in Windows 2000 C 10 DHCP Configuration of TCP IP in Windows NT4 C 13 Verifying TCP IP Properties for Windows XP 2000 and NT4 C 15 Configuring the Macintosh for TCP IP Networking C 16 MacOS 8 6 or 9 x C 16 MacOS X C 16 Verifying TCP IP Properties for Macintosh Computers C 17 Verifying the Readiness of Your Internet Account C 18 Are Login Protocols Used...

Page 10: ...k E 2 IPSec Security Features E 2 IPSec Components E 3 Encapsulating Security Payload ESP E 3 Authentication Header AH E 4 IKE Security Association E 5 Mode E 5 Key Management E 6 Understand the Process Before You Begin E 7 VPN Process Overview E 7 Network Interfaces and Addresses E 8 Interface Addressing E 8 Firewalls E 9 Setting Up a VPN Tunnel Between Gateways E 9 VPNC IKE Security Parameters E...

Page 11: ... Internet skills However basic computer network Internet firewall and VPN technologies tutorial information is provided in the Appendices and on the Netgear website Typographical Conventions This guide uses the following typographical conventions Special Message Formats This guide uses the following formats to highlight special messages Table 1 Typographical conventions italics Emphasis bold times...

Page 12: ...ages and more The Show in Contents button locates the currently displayed topic in the Contents tab Previous Next buttons display the topic that precedes or follows the current topic The PDF button links to a PDF version of the full manual The E mail button enables you to send feedback by e mail to Netgear support The Print button prints the currently displayed topic Using this button when a step ...

Page 13: ...s The FWAG114 wireless firewall provides you with multiple Web content filtering options plus browsing activity reporting and instant alerts both via e mail Parents and network administrators can establish restricted access policies based on time of day Website addresses and address keywords and share high speed cable DSL Internet access for up to 253 personal computers In addition to NAT the buil...

Page 14: ...ned off so that only devices that have the network name SSID can connect A Powerful True Firewall with Content Filtering Unlike simple Internet sharing NAT routers the FWAG114 is a true firewall using stateful packet inspection to defend against hacker attacks Its firewall features include DoS protection Automatically detects and thwarts DoS attacks such as Ping of Death SYN Flood LAND Attack and ...

Page 15: ...on the service port number of the incoming request or to one designated DNS host computer You can specify forwarding of single ports or ranges of ports Autosensing Ethernet Connections with Auto Uplink With its internal 8 port 10 100 switch the FWAG114 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network Both the LAN and WAN interfaces are autosensing and c...

Page 16: ... ISP during connection setup and forwards DNS requests from the LAN PPP over Ethernet PPPoE PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial up connection This feature eliminates the need to run a login program such as Entersys or WinPOET on your PC Easy Installation and Management You can install configure and operate the ProSafe Dual Band...

Page 17: ...NETGEAR offers the following features to help you maximize your use of the FWAG114 wireless firewall Flash memory for firmware upgrade Free technical support seven days a week twenty four hours a day Package Contents The product package should contain the following items ProSafe Dual Band Wireless VPN Firewall FWAG114 AC power adapter Category 5 Cat 5 Ethernet cable Resource CD for ProSafe Dual Ba...

Page 18: ...izing The system is ready and running INTERNET 100 100 Mbps On Off The Internet WAN port is operating at 100 Mbps The Internet WAN port is operating at 10 Mbps LINK ACT Link Activity On Blinking The Internet port has detected a link with an attached device Data is being transmitted or received by the Internet port LOCAL 100 100 Mbps On Off The Local port is operating at 100 Mbps The Local port is ...

Page 19: ...ains the port connections listed below Figure 1 2 FWAG114 Rear Panel Viewed from left to right the rear panel contains the following features Wireless antenna AC power adapter outlet Factory Default Reset push button Internet WAN Ethernet port for connecting the router to a cable or DSL modem Four LAN Ethernet ports Wireless antenna 12VDC 1 2A Internet 4 3 2 1 Reset ...

Page 20: ...Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 2 8 Introduction ...

Page 21: ...dware Requirements To use the FWAG114 wireless firewall on your network each computer must have an installed Ethernet Network Interface Card NIC and an Ethernet cable If the computer will connect to your network at 100 Mbps you must use a Category 5 CAT5 cable such as the one provided with your router Computer Network Configuration Requirements The FWAG114 includes a built in Web Configuration Man...

Page 22: ...des all the information needed to connect to the Internet If you cannot locate this information you can ask your ISP to provide it or you can try one of the options below If you have a computer already connected using the active Internet access account you can gather the configuration information from that computer For Windows 95 98 ME open the Network control panel select the TCP IP entry for the...

Page 23: ...tatic IP address record the following information For example 169 254 141 148 could be a valid IP address Fixed or Static Internet IP Address ______ ______ ______ ______ Gateway IP Address ______ ______ ______ ______ Subnet Mask ______ ______ ______ ______ ISP DNS Server Addresses If you were given DNS server addresses fill in the following Primary DNS Server IP Address ______ ______ ______ ______...

Page 24: ...ure Procedure Connecting the VPN Firewall There are three steps to connecting your router 1 Connect the router to your network 2 Log in to the router 3 Connect to the Internet Follow the steps below to connect your router to your network You can also refer to the Resource CD included with your router which contains an animated Installation Assistant to help you through this procedure 1 Connect the...

Page 25: ... the cable or DSL Modem to the router d Connect the Ethernet cable which came with the router from a Local port on the router B to your computer Figure 3 3 Connect the computers on your network to the router FWAG114 ProSafe Wireless VPN Firewall I N TE R N E T R E S E T 5 1 2 V DC LA N LA N LA N LA N Broadband Modem A FWAG114 ProSafe Wireless VPN Firewall I N TE R N E T R E S E T 5 1 2 V DC LA N L...

Page 26: ...ected to it The router s Internet light is lit indicating a link has been established to the cable or DSL modem Note For wireless placement and range guidelines and wireless configuration instructions please see Chapter 4 Wireless Configuration 2 Log in to the VPN firewall Note To connect to the router your computer needs to be configured to obtain an IP address automatically via DHCP If you need ...

Page 27: ...b Click Next and follow the steps in the Setup Wizard for inputting the configuration parameters from your ISP to connect to the Internet Note If you choose not to use the Setup Wizard you can manually configure your Internet connection settings by following the procedure Manually Configuring Your Internet Connection on page 3 12 Unless your ISP automatically assigns your configuration automatical...

Page 28: ... physical connection between your router and the cable or DSL line d The Setup Wizard will report the type of connection it finds The options are Connections which require a login using protocols such as PPPoE DHCP or Static IP broadband connections Connections which use dynamic IP address assignment Connections which use fixed IP address assignment The procedures for filling in the configuration ...

Page 29: ...the ISP s login program on your PC in order to access the Internet When you start an Internet application your router will automatically log you in If you know that your ISP does not automatically transmit DNS addresses to the router during login select Use these DNS servers and enter the IP address of your ISP s Primary DNS Server If a Secondary DNS Server address is available enter it also Note ...

Page 30: ...iscover the domain Otherwise you may need to enter it manually If you know that your ISP does not automatically transmit DNS addresses to the router during login select Use these DNS servers and enter the IP address of your ISP s Primary DNS Server If a Secondary DNS Server address is available enter it also Note If you enter DNS addresses restart your computers so that these settings take effect ...

Page 31: ...uld have been provided to you by your ISP You will need the configuration parameters from your ISP you recorded in Record Your Internet Connection Information on page 3 3 Enter the IP address of your ISP s Primary and Secondary DNS Server addresses Note Restart the computers on your network so that these settings take effect If your ISP requires a specific MAC address for the connection you may ne...

Page 32: ...Manually Configuring Your Internet Connection You can manually configure your router using the menu below or you can allow the Setup Wizard to determine your configuration as described in the previous section Figure 3 10 Browser based configuration Basic Settings menus ISP Does Not Require Login ISP Does Require Login ...

Page 33: ... router will connect c Domain Name Server DNS Address If you know that your ISP does not automatically transmit DNS addresses to the router during login select Use these DNS servers and enter the IP address of your ISP s Primary DNS Server If a Secondary DNS Server address is available enter it also Note If you enter an address here restart the computers on your network so that these settings take...

Page 34: ...am on your PC in order to access the Internet When you start an Internet application your router will automatically log you in a Select you Internet service provisory from the drop down list b The screen will change according to the ISP settings requirements of the ISP you select c Fill in the parameters for your ISP according to the Wizard detected procedures starting on page 3 8 d Click Apply to...

Page 35: ...ce your VPN firewall Near the center of the area in which your PCs will operate In an elevated location such as a high shelf where the wirelessly connected PCs have line of sight access even if through walls The best location is elevated such as wall mounted or on the top of a cubicle and at the center of your wireless coverage area for all the mobile devices Away from sources of interference such...

Page 36: ...mpatible adapter For this reason use the security features of your wireless equipment The FWAG114 wireless firewall provides highly effective security features which are covered in detail in this chapter Deploy the security features appropriate to your needs Figure 4 1 FWAG114 wireless data security options Note Indoors computers can connect over 802 11 wireless networks at ranges of 300 feet or m...

Page 37: ...Network Name SSID If you disable broadcast of the SSID only devices that have the correct SSID can connect This nullifies the wireless network discovery feature of some products such as Windows XP but the data is still fully exposed Turn Off Bridging to the Wired LAN If you disable bridging to the LAN wireless devices cannot communicate with computers on the Ethernet LAN but can still access the I...

Page 38: ...s Configuration Understanding Wireless Settings To configure the wireless settings of your FWAG114 click the Wireless 11a or Wireless 11b g link in the Setup section of the main menu The wireless settings menu will appear as shown below Figure 4 2 Wireless 11a and 11b g Settings menus ...

Page 39: ...s network will need to use this SSID for that network The FWAG114 default SSID is NETGEAR Options Channel Frequency This field determines which operating frequency will be used It should not be necessary to change the wireless channel unless you notice interference problems with another nearby access point For more information on the wireless channel frequencies please refer to Wireless Channels o...

Page 40: ...enable bridging to the wired LAN If you disable bridging to the LAN wireless devices cannot communicate with computers on the Ethernet LAN but can still access the Internet Although the types of settings described above are the same for either type of wireless network the choices you make in each type of network can be different For example you can disable the SSID broadcast in you 802 11a wireles...

Page 41: ...e of 802 11a 152 bit WEP When 64 128 or 152 Bit WEP is selected WEP encryption will be applied If WEP is enabled you can manually or automatically program the four data encryption keys These values must be identical on all PCs and access points in your network There are two methods for creating WEP encryption keys Passphrase Enter a word or group of printable characters in the Passphrase box and c...

Page 42: ...e below Note The SSID in the VPN firewall is the SSID you configure in the wireless adapter card All wireless nodes in the same network must be configured with the same SSID 802 11a SSID ______________________________ 802 11b SSID ______________________________ Authentication The two bands can use different authentication settings Choose Shared Key for more security 802 11a SSID circle one Open Sy...

Page 43: ..._____________________________ Key 2 ___________________________________ Key 3 ___________________________________ Key 4 ___________________________________ Use the procedures described in the following sections to configure the FWAG114 Store this information in a safe place How to Set Up and Test Basic Wireless Connectivity Follow the instructions below to set up and test basic wireless connectivi...

Page 44: ... Encryption Strength set to Disable 7 Click Apply to save your changes 8 Configure and test your PCs for wireless connectivity Program the wireless adapter of your PCs to have the same SSID that you configured in the FWAG114 Check that they have a wireless link and are able to obtain an IP address by DHCP from the VPN firewall Once your PCs have basic wireless connectivity to the VPN firewall then...

Page 45: ...this menu To do this configure each wireless PC to obtain a wireless link to the VPN firewall The PC should then appear in the Attached Devices menu 6 Click the Back button to return to the Wireless Settings menu 7 Be sure to click Apply to save your trusted wireless PCs list settings Now only devices on this list will be allowed to wirelessly connect to the FWAG114 Note When configuring the FWAG1...

Page 46: ...ese values must be identical on all PCs and Access Points in your network Automatic Enter a word or group of printable characters in the Passphrase box and click the Generate button The four key boxes will be automatically populated with key values Manual Enter ten hexadecimal digits any combination of 0 9 a f or A F Select which of the four keys will be active Please refer to Overview of WEP Para...

Page 47: ... chat or games A firewall is a special category of router that protects one network the trusted network such as your LAN from another the untrusted network such as the Internet while allowing communication between the two A firewall incorporates the functions of a NAT Network Address Translation router while adding features for dealing with a hacker intrusion or attack and for controlling the type...

Page 48: ...hen click Apply To add a keyword or domain type it in the Keyword box click Add Keyword then click Apply To delete a keyword or domain select it from the list click Delete Keyword then click Apply Keyword application examples If the keyword XXX is specified the URL http www badstuff com xxx html is blocked as is the newsgroup alt pictures XXX If the keyword com is specified only websites with othe...

Page 49: ...ic passing through from one side to the other Inbound rules WAN to LAN restrict access by outsiders to private resources selectively allowing only specific outside users to access specific resources Outbound rules LAN to WAN determine what outside resources local users can have access to A firewall has two default rules one for inbound traffic and one for outbound The default rules of the FWAG114 ...

Page 50: ... list already displays many common services but you are not limited to these choices Use the Services menu to add any additional services or applications that do not already appear Action Choose how you would like this type of traffic to be handled You can block or allow always or you can choose to block or allow according to the schedule you have defined in the Schedule menu Source Address Specif...

Page 51: ...member that allowing inbound services opens holes in your FWAG114 wireless firewall Only enable those ports that are necessary for your network Following are two application examples of inbound rules Inbound Rule Example A Local Public Web Server If you host a public web server on your local network you can define a rule to allow inbound web HTTP requests from any outside IP address to the IP addr...

Page 52: ... do not match the allowed parameters Figure 5 4 Rule example Videoconference from Restricted Addresses Considerations for Inbound Rules If your external IP address is assigned dynamically by your ISP the IP address may change periodically as the DHCP lease expires Consider using the Dyamic DNS feature in the Advanced menus so that external users can always find your network If the IP address of th...

Page 53: ...of the Internet site being contacted destination address Time of day Type of service being requested service port number Following is an application example of outbound rules Outbound Rule Example Blocking Instant Messenger If you want to block Instant Messenger usage by employees during working hours you can create an outbound rule to block that application from any internal IP address to any ext...

Page 54: ...eginning at the top and proceeding to the default rules at the bottom In some cases the order of precedence of two or more rules may be important in determining the disposition of a packet The Move button allows you to relocate a defined rule to a new position in the table Default DMZ Server Incoming traffic from the Internet is normally discarded by the router unless the traffic is a response to ...

Page 55: ...to a ping from the Internet click the Respond to Ping on Internet WAN Port check box This should only be used as a diagnostic tool since it allows your router to be discovered Don t check this box unless you have a specific reason to do so Note For security NETGEAR strongly recommends that you avoid using the Default DMZ Server feature When a computer is designated as the Default DMZ Server it los...

Page 56: ... port number in the transmitted IP packets For example a packet that is sent with destination port number 80 is an HTTP Web server request The service numbers for many common protocols are defined by the Internet Engineering Task Force IETF and published in RFC1700 Assigned Numbers Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the applic...

Page 57: ...d Custom Service button The Add Services menu will appear as shown in Figure 5 8 Figure 5 8 Add Custom Service menu To add a service 1 Enter a descriptive name for the service so that you will remember what it is 2 Select whether the service uses TCP or UDP as its transport protocol If you can t determine which is used select both 3 Enter the lowest port number used by the service 4 Enter the high...

Page 58: ...or Allow Specific Traffic If you enabled content filtering in the Block Sites menu or if you defined an outbound rule to use a schedule you can set up a schedule for when blocking occurs or when access is restricted The router allows you to specify when blocking will be enforced by configuring the Schedule tab shown below Figure 5 9 Schedule menu ...

Page 59: ...y when you have finished configuring this menu Time Zone The FWAG114 wireless firewall uses the Network Time Protocol NTP to obtain the current time and date from one of several Network Time Servers on the Internet In order to localize the time for your log entries you must specify your Time Zone Time Zone Select your local time zone This setting will be used for the blocking schedule and for time...

Page 60: ...ur enable e mail notification these boxes cannot be blank Enter the name or IP address of your ISP s outgoing SMTP mail server such as mail myISP com You may be able to find this information in the configuration menu of your e mail program Enter the e mail address to which logs and alerts are sent This e mail address will also be used as the From address If you leave this box blank log and alert m...

Page 61: ...on your selection you may also need to specify Day for sending log Relevant when the log is sent weekly or daily Time for sending log Relevant when the log is sent daily or weekly If the Weekly Daily or Hourly option is selected and the log fills up before the specified period the log is automatically e mailed to the specified e mail address After the log is sent the log is cleared from the router...

Page 62: ...oming and outgoing service requests hacker probes and administrator logins If you enable content filtering in the Block Sites menu the Log page will also show you when someone on your network tried to access a blocked site If you enabled e mail notification you ll receive these logs in an e mail message If you don t have e mail notification enabled you can view the logs here An example is shown in...

Page 63: ...n Date and Time The date and time the log entry was recorded Description or Action The type of event and what action was taken if any Source IP The IP address of the initiating device for this log entry Source port and interface The service port number of the initiating device and whether it originated from the LAN or WAN Destination The name or IP address of the destination device or website Dest...

Page 64: ...Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 5 18 Firewall Protection and Content Filtering ...

Page 65: ... These features can be found by clicking on the Maintenance heading in the Main Menu of the browser interface Viewing VPN Firewall Status Information The Router Status menu provides status and usage information From the main menu of the browser interface click on Maintenance then select Router Status to view this screen Figure 6 1 Router Status screen ...

Page 66: ...o Client the router is configured to obtain an IP address dynamically from the ISP LAN Port These parameters apply to the Local WAN port of the router MAC Address This field displays the Media Access Control address being used by the LAN port of the router IP Address This field displays the IP address being used by the Local LAN port of the router The default is 192 168 0 1 IP Subnet Mask This fie...

Page 67: ...on Connection Time The length of time the router has been connected to your Internet service provider s network Connection Method The method used to obtain an IP address from your Internet service provider IP Address The WAN Internet IP Address assigned to the router Network Mask The WAN Internet Subnet Mask assigned to the router Default Gateway The WAN Internet default gateway the router communi...

Page 68: ...e TxPkts The number of packets transmitted on this interface since reset or manual clear RxPkts The number of packets received on this interface since reset or manual clear Collisions The number of collisions on this interface since reset or manual clear Tx B s The current transmission outbound bandwidth used on the interfaces Rx B s The current reception inbound bandwidth used on the interfaces U...

Page 69: ...if the router is rebooted the table data is lost until the router rediscovers the devices To force the router to look for attached devices click the Refresh button Upgrading the Router Software The routing software of the FWAG114 wireless firewall is stored in FLASH memory and can be upgraded as new software is released by NETGEAR Upgrade files can be downloaded from Netgear s website If the upgra...

Page 70: ... Browse button and browse to the location of the binary BIN upgrade file 3 Click Upload Note When uploading software to the FWAG114 wireless firewall it is important not to interrupt the Web browser by closing the window clicking a link or loading a new page If the browser is interrupted it may corrupt the software When the upload is complete your router will automatically restart The upgrade proc...

Page 71: ... menu allow you to save and retrieve a file containing your router s configuration settings To save your settings select the Backup tab Click the Backup button Your browser will extract the configuration file from the router and will prompt you for a location on your PC to store the file You can give the file a meaningful name at this time such as pacbell cfg To restore your settings from a saved ...

Page 72: ...on settings without knowing the login password or IP address you must use the Default Reset button on the rear panel of the router See Restoring the Default Configuration and Password on page 7 7 Changing the Administrator Password The default password for the router s Web Configuration Manager is password Netgear recommends that you change this password to a more secure password From the main men...

Page 73: ...k and a remote network or computer Overview of FWAG114 Policy Based VPN Configuration The FWAG114 uses state of the art firewall and security technology to facilitate controlled and actively monitored VPN connectivity Since the FWAG114 strictly conforms to IETF standards it is interoperable with devices from major network equipment vendors Figure 7 1 Secure access through FWAG114 VPN routers VPN t...

Page 74: ...g VPN policies on both the local and remote FWAG114 wireless firewalls The outbound VPN policy on one end must match to the inbound VPN policy on other end and vice versa When the network traffic enters into the FWAG114 from the LAN network interface if there is no VPN policy found for a type of network traffic then that traffic passes through without any change However if the traffic is selected ...

Page 75: ...rking 7 3 IKE Policies Automatic Key and Authentication Management Click the IKE Policies link from the VPN section of the main menu and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 7 2 Figure 7 2 IKE Policy Configuration Menu ...

Page 76: ...the IP address of the remote client is unknown If Remote Access is selected the Exchange Mode MUST be Aggressive and the Identities below both Local and Remote MUST be Name On the matching VPN Policy the IP address of the remote VPN endpoint should be set to 0 0 0 0 Exchange Mode Main Mode or Aggressive Mode This setting must match the setting used on the remote VPN endpoint Main Mode is slower bu...

Page 77: ... Association. Encryption Algorithm: Choose the encryption algorithm for this IKE policy. DES is the default; 3DES is more secure. Authentication Algorithm: If you enable Authentication Header (AH), this menu lets you select from these authentication algorithms: MD5 (the default), SHA-1 (more secure). Authentication Method: You may select Pre-Shared Key or RSA Signature. Pre-Shared Key: Specify the key according t...

Page 78: ...l Private Networking. VPN Policy Configuration for Auto Key Negotiation. An already defined IKE policy is required for VPN Auto Policy configuration. From the VPN Policies section of the main menu, you can navigate to the VPN Auto Policy configuration menu. Figure 7-3: VPN Auto Policy Menu ...

Page 79: ...ame. By its IP Address. Address Type: The address type used to locate the remote VPN firewall or client to which you wish to connect. By its Fully Qualified Domain Name (FQDN), your domain name. By its IP Address. Address Data: The address used to locate the remote VPN firewall or client to which you wish to connect. The remote VPN endpoint must have this FWAG114's Local Identity Data entered as its Remote V...

Page 80: ...e choices are: ANY for all valid IP addresses in the Internet address space; Single IP Address; Range of IP Addresses; Subnet Address. Authenticating Header (AH) Configuration: AH specifies the authentication protocol for the VPN header. These settings must match the remote VPN endpoint. Enable Authentication: Use this checkbox to enable or disable AH for this VPN policy. Authentication Algorithm: If you enabl...

Page 81: ...this checkbox to enable or disable ESP transform for this VPN policy. You can select the ESP mode also with this menu. Two ESP modes are available: Plain ESP; ESP with authentication. Authentication Algorithm: If you enable AH, then use this menu to select which authentication algorithm will be employed. The choices are: MD5 (the default), SHA1 (more secure). NETBIOS Enable: Check this if you wish NETBIOS traffic...

Page 82: ...Figure 7-4: VPN Manual Policy Menu ...

Page 83: ...source IP address of the outbound network traffic for which this VPN policy will provide security. Usually, this address will be from your network address space. The choices are: ANY for all valid IP addresses in the Internet address space; Single IP Address; Range of IP Addresses; Subnet Address. Remote IP: The drop-down menu allows you to configure the destination IP address of the outbound network traff...

Page 84: ...vided. For MD5 the keys should be 16 characters. For SHA-1 the keys should be 20 characters. Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Algorithm Key In field. Encapsulated Security Payload (ESP) Configuration: ESP provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both encryption and authentication w...

Page 85: ...r this VPN policy. Authentication Algorithm: If you enable authentication, then use this menu to select the algorithm: MD5 (the default), SHA1 (more secure). Key In: Enter the key. For MD5 the key should be 16 characters. For SHA-1 the key should be 20 characters. Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Algorithm Key Out field. Key Out: Enter the key in th...
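A consistency check for the mirrored Key In / Key Out and key-length rules on pages 84 and 85, together with the page 74 rule that the outbound policy on one end must match the inbound policy on the other. This is an added example in Python, not NETGEAR code; the policy dictionaries, their field names and the sample addresses and keys are constructed for illustration.

```python
"""Check that two manual VPN policies describe the same tunnel consistently."""

# Key length in characters that the manual requires per authentication algorithm.
KEY_LENGTH = {"MD5": 16, "SHA-1": 20}


def check_manual_policy_pair(local: dict, remote: dict) -> list:
    """Return a list of mismatches between two manual policies that are meant to
    terminate the same tunnel; an empty list means the pair is consistent."""
    problems = []

    # Each side's Remote VPN Endpoint must be the other side's WAN address.
    if local["remote_endpoint"] != remote["wan_ip"]:
        problems.append("local Remote VPN Endpoint is not remote's WAN address")
    if remote["remote_endpoint"] != local["wan_ip"]:
        problems.append("remote Remote VPN Endpoint is not local's WAN address")

    # Outbound traffic on one end is inbound on the other, so Local IP and
    # Remote IP selectors must be swapped between the two policies.
    if local["local_ip"] != remote["remote_ip"] or local["remote_ip"] != remote["local_ip"]:
        problems.append("traffic selectors are not mirrored")

    # Both ends must use the same authentication algorithm.
    if local["auth_alg"] != remote["auth_alg"]:
        problems.append("authentication algorithm differs")

    # Every key must have exactly the length its algorithm requires.
    for name, pol in (("local", local), ("remote", remote)):
        want = KEY_LENGTH.get(pol["auth_alg"])
        if want is None:
            problems.append(f"{name}: unsupported algorithm {pol['auth_alg']}")
            continue
        for field in ("key_in", "key_out"):
            if len(pol[field]) != want:
                problems.append(f"{name}: {field} must be {want} characters")

    # Key In on one side is Key Out on the other, and vice versa.
    if local["key_in"] != remote["key_out"]:
        problems.append("local Key In != remote Key Out")
    if local["key_out"] != remote["key_in"]:
        problems.append("local Key Out != remote Key In")
    return problems


# Constructed sample pair (hypothetical addresses and keys, not from the manual).
GATEWAY_A = {
    "wan_ip": "192.0.2.10", "remote_endpoint": "198.51.100.20",
    "local_ip": "10.1.0.0/24", "remote_ip": "10.2.0.0/24",
    "auth_alg": "SHA-1",
    "key_in": "a" * 20,   # 20 characters for SHA-1; must equal B's Key Out
    "key_out": "b" * 20,  # must equal B's Key In
}
GATEWAY_B = {
    "wan_ip": "198.51.100.20", "remote_endpoint": "192.0.2.10",
    "local_ip": "10.2.0.0/24", "remote_ip": "10.1.0.0/24",
    "auth_alg": "SHA-1",
    "key_in": "b" * 20,
    "key_out": "a" * 20,
}

if __name__ == "__main__":
    print("consistent pair:", check_manual_policy_pair(GATEWAY_A, GATEWAY_B))
    broken = dict(GATEWAY_B, key_out="c" * 16)  # wrong length and not mirrored
    print("broken pair:", check_manual_policy_pair(GATEWAY_A, broken))
```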

Page 86: ...ertificate. The certificates of a CA are added to the FWAG114 and can then be used to form IKE policies for the user. Once a CA certificate is added to the FWAG114 and a certificate is created for a user, the corresponding IKE policy is added to the FWAG114. Whenever the user tries to send traffic through the FWAG114, the certificates are used in place of pre-shared keys during initial key exchange as ...

Page 87: ...eroperate. NETGEAR is providing you with both of these scenarios in the following two formats: VPN Consortium Scenarios without Any Product Implementation Details; VPN Consortium Scenarios Based on the FWAG114 User Interface. The purpose of providing these two versions of the same scenarios is to help you determine where the two vendors use different vocabulary. Seeing the examples presented in these d...

Page 88: ...Internet interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A. The IKE Phase 1 parameters used in Scenario 1 are: Main mode; TripleDES; SHA-1; MODP group 2 (1024 bits); pre-shared secret of hr5xb84l6aa9r6; SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying. The IKE Phase 2 parameters used in...

Page 89: ...and configuration screens as a model to build your configuration. 1. Log in to the FWAG114 labeled Gateway A as in the illustration. Log in at the default address of http://192.168.0.1 with the default user name of admin and default password of password, or using whatever password and LAN address you have chosen. 2. Configure the WAN (Internet) and LAN IP addresses of the FWAG114. a. From the main menu Setup ...

Page 90: ...menu Advanced section, click on the LAN IP Setup link. Figure 7-8: LAN IP configuration menu. d. Configure the LAN IP address according to the settings above and click Apply to save your settings. For more information on LAN TCP/IP setup topics, please see How to Configure LAN TCP/IP Setup Settings on page 6-5. Note: After you click Apply to change the LAN IP address settings, your workstation will be disco...

Page 91: ... menu VPN section, click on the IKE Policies link and then click the Add button to display the screen below. Figure 7-9: Scenario 1 IKE Policy. b. Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings. For more information on IKE Policy topics, please see IKE Policies' Automatic Key and Authentication Management on page 7-3 ...

Page 92: ...igure the IKE Policy according to the settings in the illustration above and click Apply to save your settings. For more information on IKE Policy topics, please see IKE Policies' Automatic Key and Authentication Management on page 7-3. 5. After applying these changes, all traffic from the range of LAN IP addresses specified on FWAG114 A and FWAG114 B will flow over a secure VPN tunnel. How to Check VPN ...

Page 93: ...the WAN port of Gateway B, enter 22.23.24.25 and then click Ping. c. This will cause a ping to be sent to the WAN interface of Gateway B. After between several seconds and two minutes, the ping response should change from timed out to reply. You may have to run this test several times before you get the reply message back from the target FWAG114. d. At this point the connection is established. Note: If you ...

Page 94: ...this topic, please see How to Set Your Time Zone on page 3-14. 1. Obtain a root certificate. a. Obtain the root certificate (which includes the public key) from a Certificate Authority (CA). Note: The procedure for obtaining certificates differs from a CA like Verisign and a CA such as a Windows 2000 certificate server, which an organization operates for providing certificates for its members. For example, an a...

Page 95: ...owner of this certificate. This should be your registered business name or official company name. Generally, all certificates should have the same value in the Subject field. Hash Algorithm: Select the desired option: MD5 or SHA1. Signature Algorithm: Select the desired option: DSS or RSA. Signature Key Length: Select the desired option: 512, 1024, or 2048. Optional: IP Address: If you use IP type in the IKE polic...

Page 96: ...ificate Request data to the Trusted Root CA. a. Highlight the text in the Data to supply to CA area, copy it, and paste it into a text file. b. Give the certificate request data to the CA. In the case of a Windows 2000 internal CA, you might simply e-mail it to the CA administrator. The procedures of a CA like Verisign and a CA such as a Windows 2000 certificate server administrator will differ. Follow the ...

Page 97: ...k from the Trusted Root CA and save it as a text file. Note: In the case of a Windows 2000 internal CA, the CA administrator might simply email it back to you. Follow the procedures of your CA. Save the certificate you get back from the CA as a text file called final.txt. 6. Upload the new certificate. a. From the main menu VPN section, click on the Certificates link. b. Click the radio button of the Self ...

Page 98: ...ertificates table. 7. Associate the new certificate and the Trusted Root CA certificate on the FWAG114. a. Create a new IKE policy called Scenario_2 with all the same properties of Scenario_1 (see Scenario 1 IKE Policy on page 6-19), except now use the RSA Signature instead of the shared key. Figure 7-15: IKE policy using RSA Signature. b. Create a new VPN Auto Policy called scenario2a with all the same prop...

Page 99: ...Note: The procedure for obtaining a CRL differs from a CA like Verisign and a CA such as a Windows 2000 certificate server, which an organization operates for providing certificates for its members. Follow the procedures of your CA. b. From the main menu VPN section, click on the CRL link. c. Click Add to add a CRL. d. Click Browse to locate the CRL file. e. Click Upload. Now expired or revoked certificates wi...

Page 101: ...ned IP address, you will not know in advance what your IP address will be, and the address can change frequently. In this case, you can use a commercial dynamic DNS service, which will allow you to register your domain to their IP address and will forward traffic directed to your domain to your frequently changing IP address. The router contains a client that can connect to a dynamic DNS service provide...

Page 102: ...t the name of your dynamic DNS Service Provider. 6. Type the host name that your dynamic DNS service provider gave you. The dynamic DNS service provider may call this the domain name. If your URL is myName.dyndns.org, then your host name is myName. 7. Type the user name for your dynamic DNS account. 8. Type the password or key for your dynamic DNS account. 9. If your dynamic DNS provider allows the use of wi...

Page 103: ...he LAN IP Setup menu shown below. Figure 8-1: LAN IP Setup Menu. Configuring LAN TCP/IP Setup Parameters. The router is shipped preconfigured to use private IP addresses on the LAN side and to act as a DHCP server. The router's default LAN IP configuration is: LAN IP address 192.168.0.1; Subnet mask 255.255.255.0. These addresses are part of the IETF-designated private address range for use in private n...

Page 104: ... packets received. RIP Version: This controls the format and the broadcasting method of the RIP packets that the router sends. It recognizes both formats when receiving. By default, this is set for RIP-1. RIP-1 is universally supported. RIP-1 is probably adequate for most networks, unless you have an unusual network setup. RIP-2 carries more information. RIP-2B uses subnet broadcasting. Using the Router as a...

Page 105: ...fixed addresses. The router will deliver the following parameters to any LAN device that requests DHCP: An IP Address from the range you have defined; Subnet Mask; Gateway IP Address (the router's LAN IP address); Primary DNS Server (if you entered a Primary DNS address in the Basic Settings menu; otherwise, the router's LAN IP address); Secondary DNS Server (if you entered a Secondary DNS address in the Basic...

Page 106: ... Static Routes. Static Routes provide additional routing information to your router. Under normal circumstances, the router has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You must configure static routes only for unusual cases such as multiple routers or multiple IP subnets located on your network. From the Ma...

Page 107: ...ation. If the destination is a single host, type 255.255.255.255. 7. Type the Gateway IP Address, which must be a router on the same LAN segment as the router. 8. Type a number between 1 and 15 as the Metric value. This represents the number of routers between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1. 9. Click Apply to have the static ...

Page 108: ...hat this static route applies to all 134.177.x.x addresses. The Gateway IP Address field specifies that all traffic for these addresses should be forwarded to the ISDN router at 192.168.0.100. A Metric value of 1 will work since the ISDN router is on the LAN. Private is selected only as a precautionary security measure in case RIP is activated. Enabling Remote Management Access. Using the Remote Manag...

Page 109: ... Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but do not use the number of any common service port. The default is 8080, which is a common alternate for HTTP. 4. Click Apply to have your changes take effect. Not...

Page 111: ...e Wireless 802.11a is off and the LED is not lit until the country selection has been set. If a port's LED is lit, a link has been established to the connected device. If a LAN port is connected to a 100 Mbps device, verify that the port's LED is green. If the port is 10 Mbps, the LED will be amber. If any of these conditions does not occur, refer to the appropriate following section. Power LED Not On: If t...

Page 112: ...ault Configuration and Password on page 7-7. If the error persists, you might have a hardware problem and should contact technical support. LAN or Internet Port LEDs Not On: If either the LAN LEDs or Internet LED do not light when the Ethernet connection is made, check the following: Make sure that the Ethernet cable connections are secure at the router and at the hub or workstation. Make sure that power...

Page 113: ...f 169.254.x.x. If your IP address is in this range, check the connection from the PC to the router and reboot your PC. If your router's IP address has been changed and you don't know the current IP address, clear the router's configuration to factory defaults. This will set the router's IP address to 192.168.0.1. This procedure is explained in Restoring the Default Configuration and Password on page 7-7...

Page 114: ...n IP address from the ISP, you may need to force your cable or DSL modem to recognize your new router by performing the following procedure: 1. Turn off power to the cable or DSL modem. 2. Turn off power to your router. 3. Wait five minutes and reapply power to the cable or DSL modem. 4. When the modem's LEDs indicate that it has reacquired sync with the ISP, reapply power to your router. If your router is s...

Page 115: ...ed in your operating system documentation. Your PC may not have the router configured as its TCP/IP gateway. If your PC obtains its information from the router by DHCP, reboot the PC and verify the gateway address as described in Verifying TCP/IP Properties on page 3-5. Troubleshooting a TCP/IP Network Using a Ping Utility. Most TCP/IP terminal devices and routers contain a ping utility that sends an e...

Page 116: ... and your workstation are correct and that the addresses are on the same subnet. Testing the Path from Your PC to a Remote Device. After verifying that the LAN path works correctly, test the path from your PC to a remote device. From the Windows run menu, type PING -n 10 <IP address>, where <IP address> is the IP address of a remote device such as your ISP's DNS server. If the path is functioning correctly, re...

Page 117: ... rear panel of the router. Use this method for cases when the administration password or IP address is not known. To restore the factory default configuration settings without knowing the administration password or IP address, you must use the Default Reset button on the rear panel of the router. 1. Press and hold the Default Reset button until the Test LED turns on (about 10 seconds). 2. Release the Defau...

Page 119: ...RIP-2, DHCP, PPP over Ethernet (PPPoE). Power Adapter: North America: 120V, 60 Hz, input; United Kingdom, Australia: 240V, 50 Hz, input; Europe: 230V, 50 Hz, input; Japan: 100V, 50/60 Hz, input; All regions (output): 12 V DC, 1.2 A output, 18W maximum. Physical Specifications: Dimensions: 28 x 175 x 118 mm (1.1 x 6.89 x 4.65 in.); Weight: 0.3 kg (0.66 lb). Environmental Specifications: Operating temperature: 0° to 40° C (32º to 104º F). Opera...

Page 120: ...412-2.484 GHz (Japan); 2.457-2.472 GHz (France); 2.412-2.472 GHz (Europe ETSI). 802.11b and g Operating Range (Outdoor environment / Indoor environment): 11 Mbps: 398 ft (120 m) / 198 ft (60 m); 5.5 Mbps: 561 ft (170 m) / 264 ft (80 m); 2 Mbps: 890 ft (270 m) / 430 ft (130 m); 1 Mbps: 1485 ft (450 m) / 660 ft (200 m). 802.11b and g Encryption: 40 bits (also called 64 bits), 128 bits WEP data encryption. 802.11a Radio Data Rate: 6, 9, 12, 18, 24, 36, 48 ...

Page 121: ...the Internet. The documents are listed on the World Wide Web at www.ietf.org and are mirrored and indexed at many other sites worldwide. Basic Router Concepts. Large amounts of bandwidth can be provided easily and relatively inexpensively in a local area network (LAN). However, providing high bandwidth between a local network and the Internet can be very expensive. Because of this expense, Internet access ...

Page 122: ...mation Protocol (RIP). Using RIP, routers periodically update one another and check for changes to add to the routing table. The FWAG114 wireless firewall supports both the older RIP-1 and the newer RIP-2 protocols. Among other improvements, RIP-2 supports subnet and multicast protocols. RIP is not required for most home applications. IP Addresses and the Internet. Because TCP/IP networks are interconnected...

Page 123: ... network. Each address type begins with a unique bit pattern, which is used by the TCP/IP software to identify the address class. After the address class has been determined, the software can correctly identify the host section of the address. The following figure shows the three main address classes, including network and host sections of the address for each address type. Figure 9-1: Three Main Address Cla...

Page 124: ...dress of the range (host address of all ones) is not assigned but is used as the broadcast address for simultaneously sending a packet to all hosts with the same network address. Netmask. In each of the address classes previously described, the size of the two parts (network address and host address) is implied by the class. This partitioning scheme can also be expressed by a netmask associated with the I...

Page 125: ...ddress into smaller multiple physical networks known as subnetworks. Some of the node numbers are used as a subnet number instead. A Class B address gives us 16 bits of node numbers, translating to 64,000 nodes. Most organizations do not use 64,000 nodes, so there are free bits that can be reassigned. Subnet addressing makes use of those bits that are free, as shown below. Figure 9-2: Example of Subnetting...

Page 126: ...to 192.68.135.254. The following table lists the additional subnet mask bits in dotted-decimal notation. To use the table, write down the original class netmask and replace the 0-value octets with the dotted-decimal value of the additional subnet bits. For example, to partition your Class C network with subnet mask 255.255.255.0 into 16 subnets (4 bits), the new subnet mask becomes 255.255.255.240. The fol...
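The subnet-mask derivation described on pages 125 and 126, worked through with Python's standard ipaddress module. This is an added example, not from the manual; the 192.68.135.0 Class C network and the 4-bit (16-subnet) partition are the page's own figures, and the code generalizes the table to any class mask and bit count.

```python
"""Derive extended subnet masks and the resulting subnet ranges from a class netmask."""
import ipaddress

# Default (classful) netmasks as the manual describes them.
CLASS_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def extend_mask(class_mask: str, subnet_bits: int) -> str:
    """Replace the 0-value octets of a class netmask with the dotted-decimal value
    of `subnet_bits` additional high-order bits (what the manual's table tabulates)."""
    base_prefix = ipaddress.IPv4Network(f"0.0.0.0/{class_mask}").prefixlen
    new_prefix = base_prefix + subnet_bits
    # Fewer than two host bits would leave no usable host addresses in a subnet.
    if subnet_bits < 1 or new_prefix > 30:
        raise ValueError(f"{subnet_bits} subnet bits is not valid for mask {class_mask}")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{new_prefix}").netmask)


def mask_table(class_letter: str) -> list:
    """Rebuild the manual's table for one address class: (bits, netmask, subnets)."""
    class_mask = CLASS_MASKS[class_letter]
    rows = []
    bits = 1
    while True:
        try:
            mask = extend_mask(class_mask, bits)
        except ValueError:
            return rows
        rows.append((bits, mask, 2 ** bits))
        bits += 1


def subnet_plan(network: str, class_mask: str, subnet_bits: int) -> dict:
    """Partition `network` (given with its class mask) into 2**subnet_bits subnets
    and report the mask, counts and the address range of each subnet."""
    mask = extend_mask(class_mask, subnet_bits)
    parent = ipaddress.IPv4Network(f"{network}/{class_mask}", strict=False)
    subnets = list(parent.subnets(prefixlen_diff=subnet_bits))
    return {
        "netmask": mask,
        "subnet_count": len(subnets),
        # All-zeros (network) and all-ones (broadcast) host addresses are not assignable.
        "hosts_per_subnet": subnets[0].num_addresses - 2,
        "ranges": [(str(s.network_address), str(s.broadcast_address)) for s in subnets],
        "usable": [(str(s.network_address + 1), str(s.broadcast_address - 1)) for s in subnets],
    }


if __name__ == "__main__":
    for row in mask_table("C"):
        print("%d bit(s): %-15s -> %d subnets" % row)
    plan = subnet_plan("192.68.135.0", CLASS_MASKS["C"], 4)
    print(plan["netmask"], plan["subnet_count"], "subnets,", plan["hosts_per_subnet"], "hosts each")
    for lo, hi in plan["usable"]:
        print(f"  usable hosts {lo} to {hi}")
```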

Page 127: ... hosts without problems. However, the IANA has reserved the following three blocks of IP addresses specifically for private networks: 10.0.0.0 - 10.255.255.255; 172.16.0.0 - 172.31.255.255; 192.168.0.0 - 192.168.255.255. Choose your private network number from this range. The DHCP server of the FWAG114 wireless firewall is preconfigured to automatically assign private addresses. Regardless of your particular si...

Page 128: ...several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your ISP. The router accomplishes this address sharing by translating the internal LAN IP addresses to a single address that is globally unique on the Internet. The internal LAN IP addresses can be either private addresses or registered addresses. For more information a...

Page 129: ... resolution, Internet Protocol uses the Address Resolution Protocol (ARP) to resolve MAC addresses. If a device sends data to another station on the network and the destination MAC address is not yet recorded, ARP is used. An ARP request is broadcast onto the network. All stations on the network receive and read the request. The destination IP address for the chosen station is included as part of the mess...

Page 130: ... with a gateway address and one or more DNS server addresses. As an alternative to manual configuration, there is a method by which each PC on the network can automatically obtain this configuration information. A device on the network may act as a Dynamic Host Configuration Protocol (DHCP) server. The DHCP server stores a list or pool of IP addresses, along with other information (such as gateway and DNS...

Page 131: ...ering to protect your network from attacks and intrusions. Since user-level applications such as FTP and Web browsers can create complex patterns of network traffic, it is necessary for the firewall to analyze groups of network connection states. Using Stateful Packet Inspection, an incoming packet is intercepted at the network layer and then analyzed for state-related information associated with all ...

Page 132: ...X. When connecting a PC to a PC, or a hub port to another hub port, the transmit pair must be exchanged with the receive pair. This exchange is done by one of two mechanisms. Most hubs provide an Uplink switch which will exchange the pairs on one port, allowing that port to be connected to another hub using a normal Ethernet cable. The second method is to use a crossover cable, which is a special cable in...

Page 133: ...he correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink(TM) will accommodate either type of cable to make the right connection. Cable Quality. A twisted-pair Ethernet network operating at 10 Mbits/second (10BASE-T) will often tolerate low-quality cables, but at 100 Mbits/second (100BASE-Tx) the cable must be rated as Category 5, or Cat 5, or Cat V, by the E...

Page 135: ...he software components for establishing a TCP/IP network. Windows 3.1 does not include a TCP/IP component. You need to purchase a third-party TCP/IP application package such as NetManage Chameleon. Macintosh Operating System 7 or later includes the software components for establishing a TCP/IP network. All versions of UNIX or Linux include TCP/IP components. Follow the instructions provided with your o...

Page 136: ...e firewall assigns the following TCP/IP configuration information automatically when the PCs are rebooted: PC or workstation IP addresses: 192.168.0.2 through 192.168.0.254; Subnet mask: 255.255.255.0; Gateway address (the firewall): 192.168.0.1. These addresses are part of the IETF-designated private address range for use in private networks. Configuring Windows 95, 98, and Me for TCP/IP Networking. As part o...

Page 137: ...steps: a. Click the Add button. b. Select Adapter, and then click Add. c. Select the manufacturer and model of your Ethernet adapter, and then click OK. If you need TCP/IP: a. Click the Add button. b. Select Protocol, and then click Add. c. Select Microsoft. d. Select TCP/IP, and then click OK. Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter ...

Page 138: ...way to configure this information is to allow the PC to obtain the information from a DHCP server in the network. You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you through the configuration process for each of these versions of Windows. Locate your Network Neighborhood icon. If the Network Ne...

Page 139: ...reparing Your Network C-5. Verify the following settings as shown: Client for Microsoft Network exists; Ethernet adapter is present; TCP/IP is present; Primary Network Logon is set to Windows logon. Click on the Properties button. The following TCP/IP Properties window will display ...

Page 140: ...n the LAN Internet Configuration screen and click Next. 6. Proceed to the end of the Wizard. Verifying TCP/IP Properties. After your PC is configured and has rebooted, you can check the TCP/IP configuration using the utility winipcfg.exe. 1. On the Windows taskbar, click the Start button, and then click Run. By default, the IP Address tab is open on this window. Verify the following: Obtain an IP address autom...

Page 141: ...process, you may need to install and configure TCP/IP on each networked PC. Before starting, locate your Windows CD; you may need to insert it during the TCP/IP installation process. Install or Verify Windows Networking Components. To install or verify the necessary components for IP networking: 1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel. 2. Double-click ...

Page 142: ... through the configuration process for each of these versions of Windows. DHCP Configuration of TCP/IP in Windows XP. Locate your Network Neighborhood icon. Select Control Panel from the Windows XP new Start Menu. Select the Network Connections icon on the Control Panel. This will take you to the next step. Now the Network Connection window displays. The Connections List that shows all the network connec...

Page 143: ...tus window. This box displays the connection status, duration, speed, and activity statistics. Administrator logon access rights are needed to use this window. Click the Properties button to view details about the connection. The TCP/IP details are presented on the Support tab page. Select Internet Protocol, and click Properties to view the configuration information ...

Page 144: ...efault and set to DHCP without your having to configure it. However, if there are problems, follow these steps to configure TCP/IP with DHCP for Windows 2000. Verify that the Obtain an IP address automatically radio button is selected. Verify that the Obtain DNS server address automatically radio button is selected. Click the OK button. This completes the DHCP configuration of TCP/IP in Windows XP. Repeat the...

Page 145: ... up Connections. Right-click on Local Area Connection and select Properties. The Local Area Connection Properties dialog box appears. Verify that you have the correct Ethernet card selected in the Connect using box. Verify that at least the following two items are displayed and selected in the box of Components checked are used by this connection: Client for Microsoft Networks and Internet Protocol (TCP...

Page 146: ...nternet Protocol (TCP/IP) Properties dialogue box. Verify that Obtain an IP address automatically is selected. Obtain DNS server address automatically is selected. Click OK to return to Local Area Connection Properties. Click OK again to complete the configuration process for Windows 2000. Restart the PC. Repeat these steps for each PC with this version of Windows on your network ...

Page 147: ...etwork card, you need to configure the TCP/IP environment for Windows NT 4.0. Follow this procedure to configure TCP/IP with DHCP in Windows NT 4.0. Choose Settings from the Start Menu, and then select Control Panel. This will display the Control Panel window. Double-click the Network icon in the Control Panel window. The Network panel will display. Select the Protocols tab to continue ...

Page 148: ...Highlight the TCP/IP Protocol in the Network Protocols box and click on the Properties button ...

Page 149: ...iguration information will be listed and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: The IP address is between 192.168.0.2 and 192.168.0.254; The subnet mask is 255.255.255.0. The TCP/IP Properties dialog box now displays. Click the IP Address tab. Select the radio button marked Obtain an IP address from ...

Page 150: ... each networked Macintosh, you will need to configure TCP/IP to use DHCP. MacOS 8.6 or 9.x: 1. From the Apple menu, select Control Panels, then TCP/IP. The TCP/IP Control Panel opens. 2. From the Connect via box, select your Macintosh's Ethernet interface. 3. From the Configure box, select Using DHCP Server. You can leave the DHCP Client ID box empty. 4. Close the TCP/IP Control Panel. 5. Repeat this for each Macin...

Page 151: ... the TCP/IP configuration by returning to the TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP. The panel is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends: The IP Address is between 192.168.0.2 and 192.168.0.254; The Subnet mask is 255.255.255.0; The Router address is 192.168.0.1. If you d...

Page 152: ...ernet port is connected to the broadband modem, the firewall appears to be a single PC to the ISP. The firewall then allows the PCs on the local network to masquerade as the single PC to access the Internet through the broadband modem. The method used by the firewall to accomplish this is called Network Address Translation (NAT) or IP masquerading. Are Login Protocols Used? Some ISPs require a special lo...

Page 153: ...se procedures are described next. Obtaining ISP Configuration Information for Windows Computers. As mentioned above, you may need to collect configuration information from your PC so that you can use this information when you configure the FWAG114 wireless firewall. Following this procedure is only necessary when your ISP does not dynamically supply the account information. To get the information you n...

Page 154: ...cintosh so that you can use this information when you configure the FWAG114 wireless firewall. Following this procedure is only necessary when your ISP does not dynamically supply the account information. To get the information you need to configure the firewall for Internet access: 1. From the Apple menu, select Control Panels, then TCP/IP. The TCP/IP Control Panel opens, which displays a list of configu...

Page 155: ... the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the FWAG114 wireless firewall. After configuring all of your computers for TCP/IP networking, restarting them, and connecting them to the local network of your FWAG114 wireless firewall, you are ready to access and configure the firewall ...

Page 157: ... spectrum at 2.5GHz. The maximum data rate for the 802.11b wireless link is 11 Mbps, but it will automatically back down from 11 Mbps to 5.5, 2, and 1 Mbps when the radio signal is weak or when interference is detected. The 802.11g auto rate sensing rates are 1, 2, 5.5, 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. Likewise, the 802.11a wireless link offers a maximum data rate of 54 Mbps but will automatically back down ...

Page 158: ...cate with any other node. There is no Access Point involved in this configuration. This mode enables you to quickly set up a small wireless workgroup and allows workgroup members to exchange data or share printers as supported by Microsoft networking in the various Windows operating systems. Some vendors also refer to ad hoc networking as peer-to-peer group networking. In this configuration, network pa...

Page 159: ...red Key authentication, only those PCs that possess the correct authentication key can join the network. By default, IEEE 802.11 wireless devices operate in an Open System network. Wired Equivalent Privacy (WEP) data encryption is used when the wireless devices are configured to operate in Shared Key authentication mode. 802.11 Authentication. The 802.11 standard defines several services that govern how t...

Page 160: ...ocedures are described below. Open System Authentication: The following steps occur when two devices use Open System Authentication: 1. The station sends an authentication request to the access point. 2. The access point authenticates the station. 3. The station associates with the access point and joins the network. This process is illustrated below. Figure 9-4: Open system authentication. Shared Key Auth...

Page 161: ...l refuse to authenticate the station, and the station will be unable to communicate with either the 802.11 network or the Ethernet network. This process is illustrated below. Figure 9-5: Shared key authentication. Overview of WEP Parameters: Before enabling WEP on an 802.11 network, you must first consider what type of encryption you require and the key size you want to use. Typically, there are three WEP E...

Page 162: ...input to generate a 64-bit encryption key. The 24 factory-set bits are not user configurable. This encryption key will be used to encrypt/decrypt all data transmitted via the wireless interface. Some vendors refer to the 64-bit WEP data encryption as 40-bit WEP data encryption, since the user-configurable portion of the encryption key is 40 bits wide. The 128-bit WEP data encryption method consists of ...

Page 163: ...he 802.11 client adapters on the network must have the same WEP settings. Note: Whatever keys you enter for an AP, you must also enter the same keys for the client adapter in the same order. In other words, WEP key 1 on the AP must match WEP key 1 on the client adapter, WEP key 2 on the AP must match WEP key 2 on the client adapter, etc. Note: The AP and the client adapters can have different default WEP K...

Page 164: ...ll decrease the amount of channel cross-talk and provide a noticeable performance increase over networks with minimal channel separation. The radio frequency channels used in 802.11b/g networks are listed in Table D-2. Note: The available channels supported by the wireless products in various countries are different. For example, Channels 1 to 11 are supported in the U.S. and Canada, and Channels 1 to 13...

Page 165: ...otal 300 MHz into three distinct domains, each with a different legal maximum power output. Below is a summary table for the different regulatory domains. Table D-3: 802.11a Radio Frequency Channels. Note: Please check your local Authority for updated information on the available frequency and maximum power output. IEEE 802.11a uses Orthogonal Frequency Division Multiplexing (OFDM), a new encoding scheme tha...

Page 166: ...1: 802.11a Turbo Mode Off Radio Frequency Channels. The FWAG114 user can use five channels in turbo mode. Note: The available channels supported by the wireless products in various countries are different. Turbo Mode OFF (Channel: Frequency): 36, 40, 44, 48, 52, 56, 60, 64; 149: 5.745 GHz; 153: 5.765 GHz; 157: 5.785 GHz; 161: 5.805 GHz; 165: 5.825 GHz. Turbo Mode ON (Channel: Frequency): 42: 5.21 GHz; 50: 5.25 GHz; 58: 5.29 GHz; 152 ...

Page 167: ...ccess. The term VPN was originally used to describe a secure connection over the Internet. Today, however, VPN is also used to describe private networks such as Frame Relay, Asynchronous Transfer Mode (ATM), and Multiprotocol Label Switching (MPLS). A key aspect of data security is that the data flowing across the network is protected by encryption technologies. Private networks lack data security, which allow...

Page 168: ...e organizations. Common uses for extranets include supply chain management, development partnerships, and subscription services. These undertakings can be difficult using legacy network technologies due to connection costs, time delays, and access availability. IPSec-based VPNs are ideal for extranet connections. IPSec-capable devices can be quickly and inexpensively installed on existing Internet connect...

Page 169: ...stry-standard algorithms such as SHA and MD5. The algorithms IPSec uses produce a unique and unforgeable identifier for each packet, which is a data equivalent of a fingerprint. This fingerprint allows the device to determine if a packet has been tampered with. Furthermore, packets that are not authenticated are discarded and not delivered to the intended receiver. ESP also provides all encryption servi...

Page 170: ...thms as ESP. AH also provides optional anti-replay protection, which protects against unauthorized retransmission of packets. The authentication header is inserted into the packet between the IP header and any subsequent packet contents. The payload is not touched. Although AH protects the packet's origin, destination, and contents from being tampered with, the identity of the sender and receiver is known...

Page 171: ... business partners. Mode: SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, tunnel mode is used for gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec tunnel protection. A gateway is a device that monitors and manages incoming and outgoing networ...

Page 172: ... from and where it is going. Note: AH and ESP can be used in either transport mode or tunnel mode. Figure 4-9: Original packet and packet with IPSec ESP in Tunnel mode. Key Management: IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and the exchange of keys between parties transferring data. Using keys ensures that only the sender and receiver of a message can acce...

Page 173: ...ary information required to establish a VPN before you begin the configuration process. You should understand whether the firmware is up to date, all of the addresses that will be necessary, and all of the parameters that need to be set on both sides. Try to understand any incompatibilities before you begin so that you minimize any potential complications which may arise from normal firewall or WAN pr...

Page 174: ... example. Interface Addressing: This TechNote uses example addresses provided by the VPN Consortium. It is important to understand that you will be using addresses specific to the devices that you are attempting to connect via IPSec VPN. Figure 4-10: VPNC Example Network Interface Addressing. It is also important to make sure the addresses do not overlap or conflict. That is, each set of addresses should be ...

Page 175: ...l instructions for both gateways to understand how to open the specific protocols, ports, and addresses that you intend to allow. Setting Up a VPN Tunnel Between Gateways: An SA, frequently called a tunnel, is the set of information that allows two entities (networks, PCs, routers, firewalls, gateways) to trust each other and communicate securely as they pass information over the Internet. Gateway B LAN (Private) 22 ...

Page 176: ...strated below, the most common method of accomplishing this process is via the Internet Key Exchange (IKE) protocol, which automates some of the negotiation procedures. Alternatively, you can configure your gateways using manual key exchange, which involves manually configuring each parameter on both gateways. Figure 4-12: IPSec SA negotiation. 1. The IPSec software on Host A initiates the IPSec process in an...

Page 177: ... use in the IPSec SAs. b. The master key is used to derive the IPSec keys for the SAs. Once the SA keys are created and exchanged, the IPSec SAs are ready to protect user data between the two VPN gateways. 4. Data transfer: Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database. 5. IPSec tunnel termination: IPSec SAs terminate through deletion or by timing o...

Page 178: ... is working. Common problems encountered in setting up VPNs include: Parameters may be configured differently on Gateway A vs. Gateway B. Two LANs set up with similar or overlapping addressing schemes. So many required configuration parameters mean errors, such as mistyped information or mismatched parameter selections on either side, are more likely to happen. Additional Reading: Building and Managing Vir...

Page 179: ...2407, D. Piper, The Internet IP Security Domain of Interpretation for ISAKMP, November 1998. RFC 2474, K. Nichols, S. Blake, F. Baker, D. Black, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers, December 1998. RFC 2475, S. Blake, D. Black, M. Carlson, E. Davies, Z. Wang, and W. Weiss, An Architecture for Differentiated Services, December 1998. RFC 2481, K. Ramakrishnan, S. Floyd, A Proposal to Ad...


Page 181: ...n cards, Kerberos, one-time passwords, certificates, and public key authentication. For details on EAP specifically, refer to IETF's RFC 2284. 802.11b: IEEE specification for wireless networking at 11 Mbps using direct-sequence spread-spectrum (DSSS) technology and operating in the unlicensed radio spectrum at 2.5GHz. 802.11g: A soon-to-be-ratified IEEE specification for wireless networking at 54 Mbps using d...

Page 182: ...the Electronic Industry Association (EIA). This rating will be printed on the cable jacket. Cat 5 cable contains eight conductors, arranged in four twisted pairs, and terminated with an RJ45 type connector. In addition, there are restrictions on maximum cable length for both 10 and 100 Mbits/second networks. Certificate Authority: A Certificate Authority is a trusted third-party organization or company that...

Page 183: ...from 1.5 to 9 Mbps when receiving data (known as the downstream rate) and from 16 to 640 Kbps when sending data (known as the upstream rate). ADSL requires a special ADSL modem. ADSL is growing in popularity as more areas around the world gain access. Dynamic Host Configuration Protocol (DHCP): An Ethernet protocol specifying how a centralized DHCP server can assign network configuration information to mult...

Page 184: ...ared network devices such as storage and printers. Although many technologies exist to implement a LAN, Ethernet is the most common for connecting personal computers. MAC address: The Media Access Control address is a unique 48-bit hardware address assigned to every network interface card. Usually written in the form 01:23:45:67:89:ab. Mbps: Megabits per second. MD5: MD5 creates digital signatures using a ...

Page 185: ...192 or as /28 appended to the IP address. Network Address Translation: A technique by which several hosts share a single IP address for access to the Internet. packet: A block of information sent over a network. A packet typically contains a source and destination network address, some protocol and length information, a block of data, and a checksum. Point-to-Point Protocol (PPP): A protocol allowing a compute...

Page 186: ...iable. The second TLS layer is the TLS Handshake Protocol, which allows authentication between the server and client and the negotiation of an encryption algorithm and cryptographic keys before data is transmitted or received. Based on Netscape's SSL 3.0, TLS supersedes and is an extension of SSL. TLS and SSL are not interoperable. UTP: Unshielded twisted pair is the cable used by 10BASE-T and 100BASE-Tx...

Page 187: ...t its local hosts. This allows your PCs to browse that remote network using the Windows Network Neighborhood feature. WINS: WINS (Windows Internet Naming Service) is a server process for resolving Windows-based computer names to IP addresses. Wireless Network Name (SSID): Wireless Network Name (SSID) is the name assigned to a wireless network. This is the same as the SSID or ESSID configuration parameter. ...


Page 189: ...5-7; erasing, 5-8; restore, 5-6; router, initial, 3-1; content filtering, 2-2, 5-1; conventions, typography, 1-1; crossover cable, 2-3, 7-2, B-12, B-13, G-2; D: date and time, 7-7; Daylight Savings Time, 7-7; daylight savings time, 5-13; Denial of Service (DoS) protection, 2-2; denial of service attack, B-11; DHCP, B-10; DHCP Client ID, C-16; DMZ, 2-3; DMZ Server, 5-8; DNS Proxy, 2-4; DNS server, 3-10, 3-13, C-20; domain, C-20; Domain Name, 3-10...

Page 190: ...NAT, B-8; and the Internet, B-2; assigning, B-2, B-9; auto-generated, 7-3; private, B-7; translating, B-9; IP configuration by DHCP, B-10; IP networking, for Macintosh, C-16; for Windows, C-2, C-7; IPSec, E-1; IPSec Components, E-3; IPSec SA negotiation, E-10; IPSec Security Features, E-2; ISP, 3-1; L: LAN IP Setup Menu, 6-3; LEDs, description, 2-6; troubleshooting, 7-2; log, sending, 5-14; M: MAC address, 7-7, B-9; spoofing, 3-13, 7-5; Macinto...

Page 191: ...restore configuration, 5-6; restore factory settings, 5-8; Restrict Wireless Access by MAC Address, 4-10; RFC, 1466, B-7, B-9; 1597, B-7, B-9; 1631, B-8, B-9; finding, B-7; RIP (Router Information Protocol), 6-4; router concepts, B-1; Router Status, 5-1; Routing Information Protocol, 2-3, B-2; rules, inbound, 5-5; order of precedence, 5-8; outbound, 5-7; S: SA, E-5; Secondary DNS Server, 3-9, 3-10, 3-11, 3-13; security, 2-1, 2-3; service bloc...

Page 192: ...ortium, E-7; VPN Process Overview, E-7; VPNC IKE Phase I Parameters, E-11; VPNC IKE Phase II Parameters, E-12; W: WEP, D-3; Wi-Fi, D-1; Windows, configuring for IP routing, C-2, C-7; winipcfg utility, C-6; WinPOET, C-18; Wired Equivalent Privacy, See WEP; Wireless Authentication, 4-6; wireless authentication scheme, 4-6; Wireless Encryption, 4-6; Wireless Ethernet, D-1; Wireless Network Settings, 4-5; Wireless Security, 4-2 ...
