Netgear FVL328 User's Manual
Contents
1. CheckPoint VPN-1, Cisco IOS, Cyberguard, eSoft Instagate, NetBSD, NetScreen 5XP OS3 and OS4, OpenBSD, SSH QuickSec
• The FVL328's VPN operating system (OS) has been verified by ICSA certification 1.0b for interoperability for the following:
a. Furukawa Electric Company InfoNet VP100
b. Furukawa Electric Company MUCHO-EV/PK
c. Lucent Technologies Lucent VPN Firewall
d. NetScreen Technologies NetScreen 100
e. Network Associates Gauntlet VPN for HP-UX
f. Network Associates Gauntlet VPN for Solaris
g. Network Associates PGP 300 for Solaris
h. Nortel Networks Contivity Extranet Switch 1600
i. Safenet SafeNet Soft-PK client
j. Secure Computing Sidewinder
k. Symantec Corporation Symantec Enterprise VPN (SEVPN)
What about backward compatibility with the FR318 and FV318?
You cannot set up a box-to-box VPN tunnel with the older FV318 and FR318 due to firmware limitations on the older devices.
Can I use another VPN router at the remote site in order to get more VPN tunnels to other locations?
This technique, known as a hub-and-spoke VPN method, is supported. This allows for a mesh topology between many sites.
What platforms does the FVL328 support?
For the routing portion, the FVL328 can be used on platforms such as Macintosh, Linux, UNIX, etc. that employ th
2. What VPN client software is supported on the FVL328?
The FVL328 supports the Safenet SoftRemote client, available at www.safenet-inc.com.
What about other VPN clients?
NETGEAR will provide application notes for set-ups of other VPN clients such as Microsoft, Nortel, CheckPoint, etc. once testing and compatibility have been established and completed, and they will be available at the NETGEAR support site. These clients will not be supported as part of the standard technical support service, but support can be purchased on a per-incident or per-minute basis. See the details at www.netgear.com under the technical support section.
What about other VPN hardware devices?
NETGEAR FVL328 has been tested to be compatible with other FVL328s and will be supported through the technical support site. Much like the VPN software clients, application notes will be posted on the technical support site for other VPN hardware devices but will not be part of the standard technical support service. However, support can be purchased on a per-incident or per-minute basis. See the details at www.netgear.com under the technical support section.
What VPN products are compatible with FVL328?
• NETGEAR FVS318 ProSafe VPN Firewall Router
• FVL328 has also been tested through the VPN Consortium (VPNC), an independent member-supported entity, to be compatible with the following: Adtran, Ashley Laurent Broadway, Asita VPN
3. businesses, the increased reliance on home computers to store valuable information, and the development of applications that share content over the Internet through networked PCs, network security becomes an important issue. Simply connecting a PC to a DSL or cable modem does not provide the necessary security to prevent someone from hacking into a computer. Having a box that provides firewall or network address translation (NAT) capability provides a simple solution to this problem.
20. What is network address translation (NAT)?
NAT is used in the router to prevent hacking into the local area network (LAN). NAT substitutes the private IP address of devices located on the LAN side of the router with a new public IP address that is visible on the Internet side of the router. By virtue of this simple implementation, any device (up to 253) located on the LAN will be hidden, or masqueraded, from Internet hackers trying to get to a specific PC. Only the router's IP address is visible on the Internet. This technology provides crude protection against hackers and is used widely in broadband routers.
21. Is this the same as a firewall?
No. Though the term firewall has been used generically when describing a router's ability to masquerade the PC's IP address, a true firewall employs a technology called Stateful Packet Inspection (SPI). Firewalls provide a greater level of security and as a result are generally more expensive than
4. the web configuration screen for the FVL328. What can I do?
• You may have to remove proxy settings on your Internet browser (i.e. Netscape or Internet Explorer), or remove the dial-up settings on your browser.
• The PC may not have received an IP address. Restart the PC or run the winipcfg utility (Windows ME or earlier) or Ipconfig utility (on Windows NT platforms) to dynamically assign the IP address, and then launch the browser.
What is PPPoE?
PPPoE (Point-to-Point Protocol over Ethernet) is an informational RFC 2516 from the PPP working group of IETF. PPPoE is a much simpler way of supporting PPP over DSL accesses for Ethernet-attached DSL modems. It takes advantage of Ethernet's shared environment along with PPP's familiar and secure dial access user model. Other benefits to PPPoE include:
• Taking advantage of Ethernet's shared environments
• Allows for a single PC to set up PPP sessions to different destination networks at one time
• Enables a shared LAN and multiple PCs to simultaneously establish PPP sessions to different destination networks
Does the FVL328 support VPN other than through VPN end point capability?
Yes, the FVL328 supports VPN passively through IPSec and PPTP pass-through.
Does the FVL328 support secure remote management?
Yes, secure remote management can be done via the web using the SSL security of your browser. In addition, you can set up remote management to allow for anyone, a particular ran
5. AT is turned off.
Where can I buy this product?
The FVL328 Cable/DSL VPN Router will be available in the major stocking distributors beginning mid-December 2002.
What kind of processor is used in the FVL328?
The FVL328 uses a 150MHz MIPS32 processor.
How much memory does the FVL328 have?
The FVL328 has 2Mb of flash and 16Mb of DRAM memory on board, giving the user plenty of room to upgrade future functionality.
What other products do I need to purchase to use with the FVL328?
To use the FVL328 you will need to have an Ethernet Adapter and High Speed Broadband Internet connection (i.e. Cable or DSL). Since the FVL328 has a 100Mbps WAN port, you can also use this with other devices such as routers with 100Mbps connections.
How about if I want to establish 1 VPN tunnel to another site?
To establish a VPN tunnel, you'll need the following:
• A device that can establish a VPN tunnel, such as an FVL328, at the main office
• Either client software for the mobile user or another device that can terminate the VPN tunnel, such as another FVL328. You can also use a router that supports IPSec pass-through, used in conjunction with the client software, for secure connection sharing at the remote site.
What if I need multiple site VPNs?
Use the above rules for multiple sites, using the same client software or firewall router for each
6. E security association (SA) automatically negotiates encryption and authentication keys. With IKE, an initial exchange authenticates the VPN session and automatically negotiates keys that will be used to pass IP traffic.
What is Authentication Header (AH)?
AH provides authentication and integrity, which protect against data tampering, using the same algorithms as ESP. AH also provides optional anti-replay protection, which protects against unauthorized retransmission of packets. The authentication header is inserted into the packet between the IP header and any subsequent packet contents. The payload is not touched. Although AH protects the packet's origin, destination, and contents from being tampered with, the identity of the sender and receiver is known. In addition, AH does not protect the data's confidentiality. If data is intercepted and only AH is used, the message contents can be read. ESP protects data confidentiality. For added protection in certain cases, AH and ESP can be used together. In the following table, IP HDR represents the IP header and includes both source and destination IP addresses.
What is Encapsulating Security Payload (ESP)?
ESP provides authentication, integrity, and confidentiality, which protect against data tampering and, most importantly, provide message content protection. IPSec provides an open framework for implementin
7. N throughput (50 Mbps)
• Support for 100 hardware-encrypted VPN tunnels (FV318 has support for 8 software-encrypted tunnels)
• Better 3DES VPN tunneling throughput (15 Mbps)
• One of the lowest prices per port of any comparable VPN router product in the industry
• A wider array of compatibility with other VPN products on the market, as demonstrated in testing by the VPN Consortium
5. What is Virtual Private Networking?
Commonly known as a VPN and defined differently by different entities, it is a group of two or more computer systems, typically connected to a private network (a network built and maintained by an organization solely for its own use) with limited public network access, that communicates securely via a VPN tunnel over a public network such as the Internet. VPNs may exist between an individual machine and a private network (client to server) or a remote LAN and a private network (server to server). Security features differ from product to product, but most security experts agree that VPNs include encryption, strong authentication of remote users or hosts, and mechanisms for hiding or masking information about the private network topology from potential attackers on the public network.
6. What is VPN end point and what can it do?
VPN end point capability within a router provides the ability to initiate a VPN tunnel to some other location that supports either a VPN client (client to box) or has VPN end point capability (b
8. NETGEAR: Everybody's connecting
FVL328 Cable/DSL ProSafe High Speed VPN Firewall Frequently Asked Questions
1. What is the FVL328 Cable/DSL ProSafe High Speed VPN Firewall?
FVL328 is a network security device used to connect a Local Area Network (LAN) securely via a broadband Internet connection to many other private LANs or individual remote users. It can also be used as a standalone firewall behind an existing router. The product provides 100 VPN tunnels and Stateful Packet Inspection (SPI) true firewall functionality.
2. Is the FVL328 a router?
Yes, it is a router and much more. The FVL328 provides all the functionality of a Network Address Translation (NAT) router plus many more security features.
3. What is significant about the FVL328?
FVL328 provides additional security to the network in that it provides five significant features that do not exist in conventional NAT routers:
• 100-tunnel VPN end-point support with IPSec (3DES encryption capability)
• Static content filtering (URL, URL keywords)
• Denial of Service (DoS) prevention through Stateful Packet Inspection
• Logging, reporting and alerts (Intrusion Detection System)
• Greatly increased performance using a high-speed CPU
4. What is the difference between the FVL328 and NETGEAR's previously shipping FVS318?
The FVL328 has new features that provide better performance and functionality than the FV318. Specifically, the FVL328 has:
• Better WAN to LA
9. a NAT router. Firewalls give the administrator the ability to set up specific IP addresses or domain names that are allowed to be accessed while refusing the rest (filtering). Firewalls can also allow remote access to the private network through the use of secure login procedures and authentication certificates (Virtual Private Networks or VPNs). Firewalls are used to prevent Denial of Service (DoS) attacks and can use software to provide content filtering to deny access to unwanted web sites. There are also extensive reporting capabilities, known as an Intrusion Detection System. The FVL328 and its siblings, the FV318, FR314 and FR318, are true firewalls.
22. What is Stateful Packet Inspection (SPI)?
SPI is a technology used in firewalls which, instead of simply hiding an IP address from the Internet, will look at each individual packet for information such as its source and destination addresses and the protocol that is being used, in order to take certain actions based upon a set of pre-established criteria. SPI can be used to prevent DoS attacks since the contents within the packet are known.
23. Can I turn off the NAT function on the router and use it just as a firewall behind the router that I already have?
The FVL328 will have this functionality in version 1.1 of the firmware and will provide the ability to be used as simply a firewall/VPN device. It will also provide the ability to support static routes in order to set up subnets for larger sc
10. ale networks.
24. What are Denial of Service (DoS) attacks?
Packets or requests for service sent from one or multiple PCs that cause disruption of functionality in the target PC or server. One way to employ a DoS would be to relentlessly ping the target server, known as Ping of Death, which requires the target server to respond to the ping. If there were enough pings requested, the unfortunate server would not be able to respond quickly enough to the pings and at the same time perform other functions. The result is a denial of service.
25. How does SPI prevent Ping of Death or SYN Flood DoS attacks?
The router will look at each packet, and if the router notices a specific amount of ping requests over a certain amount of time coming from the same address, the packets will be dropped. In another example, the router will know if the source address that is being sent is from within the LAN or external to the LAN. If an attack were launched from the WAN and an internal source address was used in the offending packet, normal routers would slow down as they would not be able to tell where to respond. SPI-based routers are able to compare the state of the packet relative to previous packets and determine that the source address is incorrect, and therefore the offending packet would be dropped, thereby avoiding a slow d
11. e TCP/IP protocol and can use a browser such as Netscape and Microsoft Internet Explorer.
Will the FVL328 work with other LAN networking products beside NETGEAR?
The FVL328 will work with other networking products beside NETGEAR if these products are using Ethernet Standards (802.3).
How easy is it to connect to the Internet using the FVL328?
You can set up the FVL328 using your existing web browser (i.e. Netscape or Internet Explorer). Simply connect your Cable/DSL modem to the WAN port on the back of the FVL328, connect the rest of computer(s) to the LAN ports, then configure the FVL328 by typing 192.168.0.1 at the URL address line on your Web browser. After logging in, launch the Smart Wizard and follow the instructions. Please refer to the manual for complete information.
I already have a 10 or 100Mbps Ethernet card, is it compatible with the FVL328?
Yes, the FVL328 has a built-in 10/100Mbps Auto-sensing switch, which supports both 10 and 100Mbps.
The FVL328 supports Auto Uplink. What is Auto Uplink?
Auto Uplink provides the ability for the LAN ports on the firewall to detect the correct connection requirements, either MDI or MDI-X, when connecting to other LAN devices such as hubs or switches. By virtue of this functionality, it eliminates the need for cross-over cables and physical uplink switches on the device and makes connecting to other devices easier.
Does the FVL328 work with my current Cable
12. g industry standard algorithms such as SHA and MD5. The algorithms IPSec uses produce a unique and unforgeable identifier for each packet, which is a data equivalent of a fingerprint. This fingerprint allows the device to determine if a packet has been tampered with. Furthermore, packets that are not authenticated are discarded and not delivered to the intended receiver. ESP also provides all encryption services in IPSec. Encryption translates a readable message into an unreadable format to hide the message content. The opposite process, called decryption, translates the message content from an unreadable format to a readable message. Encryption/decryption allows only the sender and the authorized receiver to read the data. In addition, ESP has an option to perform authentication, called ESP authentication. Using ESP authentication, ESP provides authentication and integrity for the payload and not for the IP header. The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication.
What is a Security Association?
A group of security settings related to a specific VPN tunnel. A Security Association (SA) groups together all the necessary settings needed to create a VPN tunnel. Different SAs may be created to connect branch offices, allow secure remote management, and pass unsup
13. ge of IP addresses, or only a specific IP address to remotely manage the device. Be sure to pick a good password for this function.
What is Secure Sockets Layer (SSL) functionality and does the FVL328 support it on the remote management portion of the router?
A method of encryption of data sent through a web browser. SSL prevents someone from sniffing the HTTP transaction when the administrator is accessing the remote management portion of the router. This is a popular method used when making credit card transactions over the World Wide Web and is indicated by the https in the address of the browser and the locked padlock icon in the browser's status bar.
Does the FVL328 support IPX or AppleTalk?
No, the FVL328 does not support IPX or AppleTalk.
Does the FVL328 support NetBEUI?
No, the FVL328 does not support NetBEUI.
Does the FVL328 support any Operating System?
Yes, the FVL328 is compatible with other Operating Systems provided the system supports TCP/IP (i.e. can support a web browser).
How do I set restrictions on what web sites my employees are allowed to view?
You can use the content filtering page on the FVL328 to set up these options. Please refer to the FVL328 manual for a more complete description of how to set up the FVL328.
Can I change the factory default password?
Yes, you can; please refer to the User Manua
14. l for more information on changing these parameters.
How do I check to see if my ports are secured?
You can check by using a third-party scanning utility, i.e. http://www.grc.com or www.sygatetech.com.
How do I contact Technical Support?
You can contact NETGEAR Technical Support by:
• Call: 1-888-NETGEAR (638-4327)
• Email: support@NETGEAR.com
How do I find out more about VPN?
Check out www.netgear.com and click on the PlanetVPN tab in the Firewall/VPN routers section.
15. le by security experts. It also requires a great deal more processing power, resulting in increased latency and decreased throughput unless hardware acceleration is provided, as in the FVL328.
What is IPSec?
Internet Protocol Security is a robust VPN standard that covers authentication and encryption of data traffic over the Internet. IPSec employs three components: encapsulating security payload (ESP), authentication header (AH), and Internet key exchange (IKE) technology. VPN technology employing IPSec will encrypt all outgoing data and decrypt all incoming data so that a public network, like the Internet, can be used as transportation media. IPSec can support two encryption modes: transport and tunnel. Transport mode encrypts the data portion of each packet but leaves the header unencrypted. The more secure tunnel mode encrypts both the header and the data. The FVL328 supports both. At the receiving end, an IPSec-compliant device decrypts each packet. For IPSec to work, the sending and receiving devices must share a key. IKE protocol is a key management protocol standard which is commonly used in conjunction with the IPSec standard. Unlike PPTP, IPSec is specific only to the Internet Protocol (IP) and does not provide security for other protocols. PPTP supports multiple protocols but is not as secure.
What is IKE?
Internet Key Exchange is a negotiation and key exchange protocol specified by the Internet Engineering Task Force (IETF). An IK
16. or DSL Internet Service?
The FVL328 should work with most Cable or DSL Internet Service Providers. Your modem must have an Ethernet port to connect to the router.
What is the difference between static IP and dynamic IP addressing?
A static IP address is an IP address that is permanently assigned to the subscribers when they first sign up for their Internet Service. A dynamically allocated IP address is assigned to you temporarily when you connect to the Internet. The address has a pre-determined time limit.
How can I play Internet games (i.e. Ages of Empire, Quake, Unreal Tournament, etc.) and applications (i.e. Napster, ICQ, AOL Instant Messenger, etc.) with the FVL328?
Enable the public servers (inbound rules) feature of the web configuration screen. Generally, VPN products aren't recommended for gamers, since the level of security, the processing required for the secure connections, and the encryption generally slow down the throughput and may have adverse effects on the response time.
Does the FVL328 support a DMZ?
Yes, the FVL328 supports an exposed host, otherwise known as DMZ. This allows you to set a device, such as a web server or PC used for games, outside the firewall. Refer to the manual for details. The FVL328 does not have a hardware DMZ port.
I am not able to get to
17. own on the network.
What are the types of DoS attacks?
• Those that exploit bugs in a TCP/IP implementation, such as Ping of Death and Teardrop
• Those that exploit weaknesses in the TCP/IP specification, such as SYN Flood and LAN Attacks
• Brute force attacks that flood a network with useless data, such as Smurf attack
• IP Spoofing
What other security functions do I get with the FVL328?
Along with true firewall functionality, the FVL328 also comes with Freedom Anti-virus and privacy software from Zero-Knowledge Systems. This complete one-year subscription service is free with the purchase of the FVL328. The software can be used on up to 8 PCs on the LAN. There are other upgrades that are available if you have more than 8 PCs or wish to take advantage of other security functionality offered by ZKS. See www.netgear.com for details.
What is content filtering?
It is the ability of the router to deny users access to a web site based upon a pre-determined set of rules. Content filtering can be done in a number of ways. Some of the more popular ways include filtering based upon the web page URL, key words within the URL, and based upon the time of day and day of the week.
Does the FVL328 filter content this way?
Yes. These are included as standard features. This type of filtering is known as static content filtering.
How many users does the FVL328 support?
The FVL328 supports up to 253 users in NAT mode and can support more when N
18. ox to box).
How many VPN tunnels can the FVL328 support at one time?
As a standard feature, the FVL328 has the ability to support up to 100 VPN tunnels at one time. This can be a combination of branch office, mobile users, or partner connections.
What is encryption?
A mathematical operation that transforms data from clear text to cipher text, which cannot be interpreted. Usually the mathematical operation requires that an alphanumeric key be supplied along with the clear text. The key and clear text are processed by the encryption operation, which leads to data scrambling that makes it secure. Decryption is the opposite of encryption; it is the mathematical operation that transforms cipher text to clear text.
How is the data encrypted on the FVL328 VPN?
The data is hardware encrypted through the embedded encryption accelerator in the microprocessor.
What is DES and 3DES?
DES, or Digital Encryption Standard, is encryption used for data communications where both the sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. NETGEAR DES encryption uses a 56-bit key. 3DES, or triple DES, on the other hand, is a variation on DES that uses a 168-bit key to provide more secure data transmission than DES. TripleDES is considered to be virtually unbreakab
19. ported traffic. All SAs require a specified encryption method, IPSec gateway address, and destination network address.
What is PKI?
Public Key Infrastructure (PKI) is a method by which valid VPN users are authenticated through the use of certificate authorities.
What is a Certificate Authority (CA)?
A Certificate Authority is an organization that provides certificates and provides a mechanism for verifying their authenticity. Certificate authentication is a method whereby the computer would have a pre-assigned certificate (any X 503 based certificate such as Entrust, VeriSign, Baltimore, etc.) that is necessary for the IPSec-based authentication algorithm to use for generating keys to exchange between the two VPN devices. It is generally recognized as a more secure method of authentication.
What is PPTP?
Point-to-Point Tunneling Protocol builds on the functionality of the Point-to-Point Protocol (PPP) to provide remote access that can be tunneled through the Internet to a destination site or computer. PPTP encapsulates PPP packets using generic routing encapsulation (GRE) protocol, which gives PPTP the flexibility of handling protocols other than IP. The FVL328 supports pass-through mode for PPTP but does not support end point mode.
19. Why do I need a router or firewall when I have a connection to the Internet through my PC already?
With the advent of computer hacking into homes and