NETGEAR Product Training Firewall VPN Products


1 NETGEAR Product Training Firewall VPN Products
Presented by Hien Ly Level 3, Sr. Tech Support Engineer November, 2007

2 Agenda
  Introduction to NETGEAR Firewall VPN Products
  Firewall Overview
    Types of Firewall
    DMZ
    NETGEAR DMZ
    How to Choose a Firewall?
  VPN Overview
    What is VPN?
    Encryption
    IPsec Basics
    IPsec Protocols
    Security Associations (SA)
    IKE Phases
    SSL312 VPN Introduction
  NETGEAR Firewall VPN Router Features
    Unique Features highlight
    NETGEAR VPN Configuration Screenshots
    ProSafe VPN Client Software
  Troubleshooting Tips and Lab
    VPN Troubleshooting Flow
    Hands-on lab

3 Course Objectives
Agents should be able to do the following after this course:
  Recognize the Firewall VPN products that NETGEAR has to offer
  Understand the basic firewall concepts
  Understand the basic VPN concepts
  Understand the differences between IPSec and SSL VPN
  Understand the different types of firewall settings on the NETGEAR routers
  Configure and establish VPN sessions using various NETGEAR products:
    Box-to-box VPN
    Client-to-box VPN
    Hub & Spoke VPN

4 NETGEAR Firewall VPN Product Description / Model No.
  FVX538: ProSafe VPN Firewall 200, Dual WAN with 8-port 10/100 and 1 Gigabit LAN switch (200 VPN Tunnels)
  FVS338: ProSafe VPN Firewall 50 with Dial Back-up (50 VPN Tunnels)
  DGFV338: ProSafe VPN Firewall with ADSL Modem and g Wireless (50 VPN Tunnels)
  FVS336G: ProSafe Dual WAN gigabit firewall with IPSec & SSL VPN (25 IPSec & 10 SSL tunnels)
  FVG318: ProSafe VPN Firewall with g Wireless and 8-Port 10/100 Switch (8 VPN Tunnels)
  FVS318v3: ProSafe VPN Firewall 8 w/8 Port 10/100 Switch (8 VPN Tunnels)
  FVS114
  SSL312: ProSafe SSL VPN Concentrator 25

5 ProSafe VPN Firewall Line-up
“Wired” Firewalls:
  SSL312: 25 SSL Tunnels
  FVX538: 200+ Tunnels, Dual WAN port, 1 Gig LAN Port
  FVS338: 50 Tunnels, Dial-up Failover
  FVS336G (New): IPSec tunnels, 10 SSL tunnels, 4 Gig LAN, Dual Gig WAN
  FVS318v3: 8 Tunnels
  FVS114: 8 Tunnels
Wireless Firewalls:
  DGFV338 (New): 108Mbps g, 50 VPN tunnels w/ ADSL2+ modem
  FVG318: 108Mbps g, 8 VPN Tunnels

6 Firewall 101

7 Firewall 101
A firewall is a set of components that sits between networks and acts as a gatekeeper, allowing in or keeping out traffic based on certain criteria.
Firewall types:
  Stateful Packet Inspection
  Hybrids
  Packet filters
  Application proxy

8 Stateful Packet Inspection (SPI)
  Examines each packet passed through it and allows or drops packets depending on the rules.
  Maintains tables of information about current connections.
  Information travelling from inside the firewall to the outside is monitored for specific defining characteristics; incoming information is then compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.
  Uses the current state of the connections in its tables to determine whether to allow or drop incoming packets.
  When a connection terminates, it removes the reference from the internal table.
  Most of the firewalls available today are hybrids.

9 Hybrid Firewall
Offers the best of all worlds:
  Application-level packet filtering
  Proxy-ARP transparency isolates internal systems from attack
  Policy-based routing for efficient use of dual network connections
  Multiple redundant / balanced Internet links for fail-safe operation
  Traffic shaping and QoS control for priority services
  Address translation and port/address forwarding hides the internal network

10 Packet Filters
A packet filter examines every network packet that passes through it and drops or forwards each packet depending on a set of rules. Rules are based on:
  IP address
  Protocol (TCP, UDP, IP, ICMP)
  Port number (HTTP, FTP, TELNET)
  Direction (inbound, outbound)
Fast. No application or content awareness. Each packet is examined on a standalone basis.
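The difference between the stateless packet filter on this slide and the stateful inspection on slide 8 is easiest to see in code. The following is an added example, not NETGEAR code: a rule set that only permits outbound HTTP, a packet filter that judges every packet alone, and an SPI table that remembers the outbound connection and admits only its replies (the packet and rule records are constructed for the example).

```python
from collections import namedtuple

# Constructed packet/rule records for this example (not NETGEAR code).
Packet = namedtuple("Packet", "direction proto src sport dst dport flags")
Rule = namedtuple("Rule", "direction proto dport action")

def packet_filter(rules, pkt):
    """Stateless packet filter: each packet is judged on its own against rules
    keyed on direction, protocol and destination port (None = any port)."""
    for r in rules:
        if (r.direction == pkt.direction and r.proto == pkt.proto
                and r.dport in (None, pkt.dport)):
            return r.action
    return "drop"                      # nothing matched: default deny

class StatefulInspector:
    """Stateful packet inspection (SPI): allowed outbound connections are recorded
    in a table; inbound packets pass only if they match a recorded connection."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()             # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def process(self, pkt):
        if pkt.direction == "out":
            action = packet_filter(self.rules, pkt)
            if action == "allow":      # remember the connection's defining characteristics
                self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return action
        # Inbound: does this packet answer a connection we have already seen leave?
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table:
            if pkt.flags & {"FIN", "RST"}:   # connection terminating: drop the table entry
                self.table.discard(key)
            return "allow"
        return packet_filter(self.rules, pkt)  # unsolicited: only an explicit inbound rule admits it

def demo():
    """Outbound HTTP is permitted; there is no inbound rule at all."""
    rules = [Rule("out", "tcp", 80, "allow")]
    spi = StatefulInspector(rules)
    request = Packet("out", "tcp", "192.168.1.10", 51000, "203.0.113.5", 80, frozenset({"SYN"}))
    reply = Packet("in", "tcp", "203.0.113.5", 80, "192.168.1.10", 51000, frozenset({"ACK"}))
    unsolicited = Packet("in", "tcp", "198.51.100.7", 4444, "192.168.1.10", 80, frozenset({"SYN"}))
    close = Packet("in", "tcp", "203.0.113.5", 80, "192.168.1.10", 51000, frozenset({"FIN"}))
    return {
        "stateless_reply": packet_filter(rules, reply),   # drop: no inbound rule matches the reply
        "spi_request": spi.process(request),              # allow, and a table entry is created
        "spi_reply": spi.process(reply),                  # allow: matches the recorded connection
        "spi_unsolicited": spi.process(unsolicited),      # drop: no state and no rule
        "spi_close": spi.process(close),                  # allow, and the entry is removed
        "spi_after_close": spi.process(reply),            # drop: the connection is gone
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The stateless filter would need a broad inbound rule (anything from source port 80) to let the reply in, which is exactly the hole SPI avoids.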

11 Applications Proxy
  Application awareness.
  Acts as a “man in the middle”. Never allows a packet to pass through the proxy; it receives and sends out packets on behalf of the internal users.
  The net effect is that the remote computer hosting the web page never comes into direct contact with anything on your home network other than the proxy server.
  Computationally intensive. Needs a proxy for each application.

12 DMZ (Demilitarized Zone)
A segment of the network for hosting publicly accessible services (web servers, mail servers, FTP servers). Limits damage to the private network even if the DMZ is compromised. Only available on FVX538.

13 DMZ in NETGEAR routers Only available on FVX538
This zone can be used to host servers and give public access to them. Port 8 on the LAN of the router can be dedicated as a hardware DMZ port and safely provide the Internet services without compromising security on your LAN. Note: The IP subnet of the DMZ should be different from that of the LAN port and the WAN port(s). Example: WAN 1: with subnet WAN2: with subnet LAN: with subnet DMZ: with subnet

14 How to choose a firewall?
  Security.
  Features: flexibility in defining rules (by time/date), user authentication, URL filtering, content filtering, port forwarding (NAT).
  Performance.
  Support: updates, enhancements.
  Audit trail: logs, alarms.
  Manageability: a firewall is only as secure as it is configured.

15 VPN Overview

16 VPN Overview

17 What is a VPN?
A VPN is a secure path through a public shared network. Data is secured by encryption.
Types of VPN:
  IPSEC (Internet Protocol Security)
  PPTP (Point-to-Point Tunneling Protocol)
  L2TP (Layer Two Tunneling Protocol)
  SSL (Secure Sockets Layer)

18 Encryption
A mathematical function to convert data into a secret form. Encryption converts cleartext to ciphertext:
  Encrypt(cleartext, key) = ciphertext
  Decrypt(ciphertext, key) = cleartext
Symmetric encryption (DES, 3DES)
Asymmetric encryption (public key)
Hash algorithm:
  Hash(A, key) = B
  Low probability that other data will be hashed into B. Fast.

19 Encryption Overview
Private key encryption (Symmetric):
  Encrypt and decrypt with the same key.
  Needs a special procedure for key distribution.
  Fast and computationally inexpensive.
  Used for preserving confidentiality.
Public key encryption (Asymmetric):
  Encrypt with the public key and decrypt with the private key.
  Encrypt(cleartext, KEYpublic) = ciphertext
  Decrypt(ciphertext, KEYprivate) = cleartext
  The public key can be freely distributed.
  Slow and computationally intensive; used for achieving authentication and non-repudiation.

20 Public Key Encryption at work
You give John (aka the Sender) a copy of your public key. John uses your public key to encrypt the plaintext to produce a ciphertext for you. He then gives (just) the ciphertext to you, and you use your private key to decrypt the ciphertext to reproduce the plaintext.

21 IPsec Basics
  Application transparency.
  Automated key management.
  Interoperability with PKI (Public Key Infrastructure).
  Fast deployment.
  Implemented in existing routers/CPE.

22 IPsec Protocols
Three main protocols of IPsec:
  IKE (Internet Key Exchange): defines a method for the secure exchange of the initial encryption keys between the two endpoints of a VPN (establishing the SA). UDP port 500.
  AH (Authentication Header): used to ensure the integrity of the header information and payload as the packet makes its way through the Internet. Authentication only, no encryption. 128-bit MD5 or 160-bit SHA-1 keys are used to compute the integrity check value (ICV). IP protocol 51.
  ESP (Encapsulating Security Payload): performs the actual encryption of the data to provide data confidentiality and data integrity. Encrypts with DES/3DES. IP protocol 50.

23 Security Associations (SA)
What is a Security Association (SA)?
  A basic concept of IPsec.
  Represents a policy contract between two VPN endpoints describing how they will use IPsec to secure network traffic.
  Contains all the security parameters needed to establish the VPN connection.
  Unidirectional: one SA for each direction.
  Each established SA is identified by a 32-bit number, the Security Parameter Index (SPI). The SPI is written into the IPsec packet headers to locate the appropriate SA.

24 Security Association (SA) Components
What are the components of the SA?
  Authentication/encryption algorithm, key length, key lifetime, etc.
  Session keys.
  Specification of the network traffic to which IPsec will apply.
  IPsec encapsulation protocol (AH/ESP) and mode (Transport/Tunnel).

25 IPSec Data Exchange Modes
Transport Mode:
  Between two IPsec hosts.
  The IP addresses of the hosts must be public IP addresses.
  Only encapsulates the data.
Tunnel Mode:
  Between two IPsec gateways.
  Encapsulates both header and data; hides the original IP header.

26 AH & ESP Protocols Normal IP Packet

27 IKE – Internet Key Exchange Protocol
  ISAKMP (Internet Security Association and Key Management Protocol): protocol to negotiate and establish SAs.
  Oakley: defines the mechanism for key exchange over the IKE session. By default, uses the Diffie-Hellman algorithm for key exchange.
  Each IKE peer has an IKE identity, which is based on one of: IP address; FQDN (fully qualified domain name); X.500 (certificate) name; address.
  IKE sessions are protected by cryptographic algorithms. IKE peers must agree exactly on a set of algorithms and protocols to protect the IKE session.

28 IKE on NETGEAR

29 IKE Operations
Phase 1 (Authentication Phase):
  Main mode or Aggressive mode.
  Used to establish a secure channel, authenticate the negotiating parties, and generate shared keys to protect IKE protocol messages.
  Negotiates the IKE SA.
Phase 2 (Key Exchange Phase):
  AKA Quick mode.
  Used to establish the IPSec SA and to generate new keying material.
  Negotiates the IPsec SA.

30 IKE Main Mode Message Exchange
Uses 6 messages to establish the IKE SA:
  First 2: negotiate the security policy that will be used to protect the phase 2 messages.
  Next 2: perform a Diffie-Hellman key exchange and pass nonces (random numbers sent for signing) to each other.
  Last 2: used to authenticate the peers.
Hides the identity of the IKE peers.
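To make the three message pairs concrete, here is an added simulation of the main-mode exchange with pre-shared-key authentication; it is example code written for this page, not NETGEAR's IKE implementation. It assumes a toy Diffie-Hellman modulus (constructed, not an IKE MODP group), HMAC-SHA-1 as the PRF, a single proposal that must match exactly, and the identifiers fvx_local.com / fvx_remote.com from the later VPN client slides; the phase-2 "quick mode" messages are not modelled.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman parameters constructed for this walkthrough; a real IKE peer
# negotiates a MODP group (the slides' policies use DH group 2).
P, G = 2**255 - 19, 2

def prf(key, data):
    """IKE's keyed PRF: HMAC with the negotiated hash algorithm (HMAC-SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

class IkePeer:
    """One IKE endpoint: its phase-1 proposal, pre-shared key, IKE identity and the
    per-exchange values it generates (ISAKMP cookie, nonce, DH private/public value)."""

    def __init__(self, psk, identity, proposal):
        self.psk, self.ident, self.proposal = psk, identity, proposal
        self.cookie = os.urandom(8)
        self.nonce = os.urandom(16)                                   # Ni or Nr
        self.x = int.from_bytes(os.urandom(32), "big") % (P - 2) + 2  # DH private value
        self.gx = pow(G, self.x, P)                                   # DH public value (KE payload)

    def skeyid(self, ni, nr):
        """Pre-shared-key authentication: SKEYID = prf(PSK, Ni | Nr)."""
        return prf(self.psk, ni + nr)

    @staticmethod
    def auth_hash(skeyid, g_self, g_peer, cky_self, cky_peer, sa_i, ident):
        """HASH_I / HASH_R = prf(SKEYID, g^x(self) | g^x(peer) | CKY(self) | CKY(peer) | SAi_b | ID_b)."""
        return prf(skeyid, g_self.to_bytes(32, "big") + g_peer.to_bytes(32, "big")
                   + cky_self + cky_peer + sa_i + ident)

def main_mode(i, r):
    """Walk the six main-mode messages between initiator i and responder r.
    Returns (transcript, ike_sa_established)."""
    log = []
    # Messages 1-2 ("first 2"): negotiate the protection suite for the IKE SA.
    log.append(("1 I->R", "SA proposal: " + i.proposal))
    if r.proposal != i.proposal:                # simplified: single proposal, exact match required
        log.append(("2 R->I", "NO-PROPOSAL-CHOSEN"))
        return log, False
    log.append(("2 R->I", "SA accepted: " + r.proposal))
    sa_i = i.proposal.encode()
    # Messages 3-4 ("next 2"): DH public values and nonces; identities are still hidden.
    log.append(("3 I->R", "KE(g^xi) + Ni"))
    log.append(("4 R->I", "KE(g^xr) + Nr"))
    shared_i, shared_r = pow(r.gx, i.x, P), pow(i.gx, r.x, P)   # both sides now hold g^xy
    sk_i, sk_r = i.skeyid(i.nonce, r.nonce), r.skeyid(i.nonce, r.nonce)
    # Messages 5-6 ("last 2"): identities plus authentication hashes, sent under keys
    # derived from SKEYID and g^xy; each side recomputes the other's hash to authenticate it.
    hash_i = i.auth_hash(sk_i, i.gx, r.gx, i.cookie, r.cookie, sa_i, i.ident)
    expect_i = r.auth_hash(sk_r, i.gx, r.gx, i.cookie, r.cookie, sa_i, i.ident)
    log.append(("5 I->R", "IDii + HASH_I"))
    if shared_i != shared_r or not hmac.compare_digest(hash_i, expect_i):
        log.append(("6 R->I", "INVALID-HASH (initiator not authenticated)"))
        return log, False
    hash_r = r.auth_hash(sk_r, r.gx, i.gx, r.cookie, i.cookie, sa_i, r.ident)
    expect_r = i.auth_hash(sk_i, r.gx, i.gx, r.cookie, i.cookie, sa_i, r.ident)
    log.append(("6 R->I", "IDir + HASH_R"))
    return log, hmac.compare_digest(hash_r, expect_r)

def run(psk_i=b"netgear-lab", psk_r=b"netgear-lab", prop_i="3DES/SHA-1/DH2", prop_r="3DES/SHA-1/DH2"):
    """Constructed peers named after the slides' fvx_local.com / fvx_remote.com identifiers."""
    i = IkePeer(psk_i, b"fvx_local.com", prop_i)
    r = IkePeer(psk_r, b"fvx_remote.com", prop_r)
    return main_mode(i, r)
```

Running `run()` with mismatched pre-shared keys or proposals shows where the exchange stops, which is the same split the troubleshooting checklist at the end of the deck walks through.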

31 IKE Aggressive Mode Message Exchange
Less negotiation flexibility for IKE session protection. Will not hide identity (all identities of parties involved are revealed).

32 IKE Quick Mode Message Exchange
Fast. If an IKE SA is in place, only quick mode exchanges are used to negotiate new keys or re-key.
PFS (Perfect Forward Secrecy): generates a new key that is independent of the current key (from Phase 1).

33 IPsec Inbound Packet Processing

34 IPsec Outbound Packet Processing

35 Host to Host VPN Traffic Process

36 1) Initialization

37 2) IKE Phase 1 Triggering

38 3) IKE Phase 1 Completed

39 4) IKE Phase 2

40 5) IPsec VPN Established

41 VPN Policy requirements?
  Who are the VPN parties? IKE identifiers (WAN IP, FQDN, FQUN, DN).
  Where are the VPN parties? VPN gateway addresses (WAN IP, FQDN).
  What traffic is included in the VPN? Local VPN subnet, remote VPN subnet.
  How does the VPN secure the communication? Main mode / Aggressive mode. Pre-shared key. Key lifetime. ESP / AH (authentication algorithm, encryption algorithm). PFS?

42 VPN Gateway-to-Gateway Example

43 VPN Client-to-Gateway Example

44 What is SSL VPN?
SSL VPNs create secure tunnels by performing two functions:
  Requiring authentication from users before allowing access, so that only authorized parties can establish tunnels.
  Encrypting all data transmitted to and from the user by implementing the actual tunnel using SSL.
The process of establishing an SSL tunnel requires the exchange of various configuration information between the computers on either end of the connection.

45 SSL VPN on OSI Network Model
  IPSec VPN operates at the Network Layer (Layer 3).
  SSL VPNs establish connectivity using SSL, which functions at Layers 4 & 5.
  Information gets encapsulated at Layers 6 & 7 of the OSI model.
So why don't SSL VPNs simply use SSL to tunnel network-level communications as IPSec does, and not worry about the higher levels?
  Technical limitations of many devices prevent the establishment of Network-Layer communications over SSL, but allow application-layer access from a web browser.
  Security considerations and policies normally prohibit attaching Internet kiosks and borrowed computers as nodes on your corporate network.
  VPN client software cannot be installed on public kiosks.

46 SSL VPN

47 Segmentation in SSL VPN
Diagram labels: Corporate Applications; Full access; Restricted access; Web; Database; File server; ProSafe SSL312 VPN Concentrator; ProSafe VPN Firewall; Secure SSL VPN connections; Internet; Kiosk or Laptop; Internet Café; Home; PDA; B2B Partner.
Speaker notes: Here we have our customer’s network. 1st click: By adding the NETGEAR ProSafe™ SSL312 VPN Concentrator, your customer has true mobility. Secure SSL VPN remote access … anywhere, anytime. Whether you’re at home, at a B2B partner site, using your PDA, or at an internet café, all you need is a web browser and an internet connection. Further, NETGEAR’s SSL312 VPN appliance gives you granular user access control … 2nd click: For example, your customer’s IT manager will probably need access to all resources & corporate applications from their laptop, whereas your B2B partner may only need access to database applications. Your customer can control access simply and easily with the SSL312’s ability to integrate with user databases such as Active Directory, LDAP and RADIUS.

48 Unique Router Features

49 Serial Modem – FR328S, FVS328, FWG114P
EOL

50 Serial Port – Auto Failover FVS328, FR328S, FWG114P
EOL

51 Serial Port – Dial in FVS328, FR328S, FWG114P
EOL

52 Serial Port – LAN to LAN FVS328, FR328S, FWG114P
EOL

53 Dial up ISP – FVS338

54 ADSL Interface– DGFV338

55 Wireless – FVG318, DGFV338

56 WAN Mode w/ Dialup – FVS338

57 Auto-Rollover – DGFV338, FVS336G, FVX538

58 Auto-Rollover – DGFV338, FVS336G, FVX538
If you want to use a redundant ISP link for backup purposes, select the WAN port that will act as the primary link for this mode. Ensure that the backup WAN port has also been configured and that you configure the WAN Failure Detection Method to support Auto-Rollover.
Link failure is detected in one of the following ways:
  By sending DNS queries to a DNS server, or
  By sending a Ping request to an IP address, or
  None (no failure detection is performed).
From each WAN interface, DNS queries or Ping requests are sent to the specified IP address. If replies are not received after a specified number of retries, the corresponding WAN interface is considered down.
As long as the primary link is up, all traffic is sent over the primary link. Once the primary WAN interface goes down, the rollover link is brought up to send the traffic. Traffic will automatically roll back to the original primary link once it is back up and running again.
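The failure-detection and rollover logic described above, written out as an added example (not the router's firmware): each DNS or ping probe result is fed in per WAN interface, an interface goes down after the configured number of consecutive failed probes, and the active link follows the rules on the slide. The interface names WAN1/WAN2 and the probe sequence are constructed for the demonstration.

```python
class WanRollover:
    """Auto-rollover state for a primary and a backup WAN interface.

    Each probe result (DNS reply or ping reply received, or not) is recorded per
    interface; an interface is considered down once `retries` consecutive probes
    fail, and is up again as soon as a probe succeeds."""

    def __init__(self, primary, backup, retries=3):
        self.primary, self.backup, self.retries = primary, backup, retries
        self.failures = {primary: 0, backup: 0}   # consecutive failed probes per interface
        self.events = []                          # up/down transitions, for the log

    def is_up(self, iface):
        return self.failures[iface] < self.retries

    def probe(self, iface, reply_received):
        """Record one failure-detection probe; returns the interface's new up/down state."""
        was_up = self.is_up(iface)
        self.failures[iface] = 0 if reply_received else self.failures[iface] + 1
        now_up = self.is_up(iface)
        if was_up != now_up:
            self.events.append(f"{iface} {'up' if now_up else 'down'}")
        return now_up

    def active_link(self):
        """Traffic stays on the primary while it is up, rolls over to the backup when the
        primary is down, and rolls back as soon as the primary recovers."""
        if self.is_up(self.primary):
            return self.primary
        if self.is_up(self.backup):
            return self.backup
        return None                               # both links down: no path out

def simulate(results, retries=3):
    """Feed a constructed sequence of (interface, reply_received) probe results and
    return the active link after each probe plus the transition log."""
    r = WanRollover("WAN1", "WAN2", retries=retries)
    path = []
    for iface, ok in results:
        r.probe(iface, ok)
        path.append(r.active_link())
    return path, r.events

if __name__ == "__main__":
    outage = [("WAN1", True), ("WAN2", True), ("WAN1", False),
              ("WAN1", False), ("WAN1", False), ("WAN1", True)]
    print(simulate(outage))
```

Two failed probes are not enough to roll over, which is the point of the retry count: a single lost reply should not flap the links.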

59 Load Balancing / Protocol Binding FVS336G, FVX538

60 Load Balancing / Protocol Binding FVS336G, FVX538
The VPN firewall distributes the outbound traffic equally among the WAN interfaces that are functional. Scenarios could arise when load balancing needs to be bypassed for certain traffic or applications. If certain traffic needs to travel on a specific WAN interface, configure protocol binding rules for that WAN interface. The rule should match the desired traffic. In the Protocol Binding menu, you specify a protocol such as HTTP, and this causes all outbound traffic of that protocol to use that WAN port.

61 Multi Home LAN IP – DGFV338, FVS336G, FVS338, FVX538
The secondary LAN IP address will be assigned to the LAN interface of the router and can be used as a gateway by computers on the secondary subnet.

62 Multi Home LAN IP – DGFV338, FVS336G, FVS338, FVX538
If you have computers on your LAN using different IP address ranges (for example, or ), you can add “aliases” to the LAN port, giving computers on those networks access to the Internet through the router. This allows the router to act as a gateway to additional logical subnets on your LAN. NOTE: IP addresses on these secondary subnets cannot be configured in the DHCP server. The hosts on the secondary subnets must be manually configured with IP addresses, gateway IP addresses, and DNS server IP addresses.

63 Traffic Meter – FVS336G, FVS338, FVX538

64 Traffic Meter – FVS336G, FVS338, FVX538
Allows you to measure and limit the traffic routed by the router. The router will keep a record of the volume of traffic going from the selected interface. The router can also be configured to place a restriction on the volume of data being transferred.

65 Session Limit – FVS338, FVX538 "Total Number of Packets Dropped due to Session Limit:" shows total number of packets dropped when session limit is reached

66 Session Limit – FVS338, FVX538
Allows you to specify the total number of sessions per user (IP) allowed across the router. You can give the maximum number of sessions per IP either as a percentage of maximum sessions or as an absolute number of maximum sessions. The percentage is computed on the total connection capacity of the device. "User Limit" specifies the maximum number of sessions that should be allowed through the router from a single source machine (i.e. session limiting is per machine) as a percentage of total connection capacity. NOTE: Some protocols like FTP and RTSP create 2 sessions per connection, which should be considered when configuring session limiting.

67 UPnP – DGFV338, FVG318 UPnP (Universal Plug and Play) is a feature that allows for automatic discovery of devices that can communicate with this router.

68 Firewall Features

69 Static Routes

70 Dynamic DNS
Aliases a dynamic IP address to a static hostname. Requires a dynamic DNS provider. When the dynamic IP of a network device changes, the device logs onto the DDNS server and changes the record of the hostname to map to the new IP address. Some DDNS providers expire the hostname if the IP address remains idle for a period of time (use the “Update every 30 days” check box to prevent the hostname from expiring).

71 SNMP – FVS336G, FVS338, FVX538 DGFV338

72 Groups and Hosts

73 Groups and Hosts – Add

74 Groups and Hosts – Edit

75 Address Filter – Source MAC Filter

76 Services

77 Scheduling

78 Block Sites

79 Firewall Rules

80 Firewall Rules – Adding Inbound

81 Firewall Rules – Adding Outbound

82 Address Filter – IP/MAC Binding

83 Address Filter – IP/MAC Binding Edit

84 Port Triggering

85 Port Triggering
Once configured, operation is as follows:
  1. A PC makes an outgoing connection using a port number defined in the Port Triggering table.
  2. This router records this connection, opens the INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC.
  3. The remote system receives the PC's request and responds using a different port number.
  4. This router matches the response to the previous request and forwards the response to the PC. (Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.)

86 Port Triggering
Note: Only 1 PC can use a "Port Triggering" application at any time. After a PC has finished using a "Port Triggering" application, there is a "Time-out" period before the application can be used by another PC. This is required because this router cannot be sure when the application has terminated. Normally used for games and chat.

87 Bandwidth Profile

88 Attack Checks

89 Firewall Logs

90 Logs

91 Syslog

92 VPN Logs

93 Troubleshooting Features

94 Diagnostics FVG318 FVS338, FVS336G, FVX538, DGFV338

95 Diagnostics – Packets Capture

96 VPN Features

97 Netgear VPN – VPN Wizard Box-to-box

98 Netgear VPN – VPN Wizard Client-to-box

99 VPN Policy

100 VPN Policy – General

101 VPN Policy – Traffic Selection

102 VPN Policy – Policy Parameters

103 IKE Policy

104 IKE Policy – Edit FVS336G, FVS338, FVX538

105 IKE Policy – Edit for FVG318

106 IKE Policy – IKE parameters

107 VPN – Certificate Authority (CA)

108 Generate Self-sign Certificate

109 View Certificate Request

110 Certificate Revocation List (CRL)

111 Mode Config

112 VPN Client – User Database

113 VPN Client – RADIUS Client

114 VPN01L_VPN05L ProSafe VPN Client Software

115 Client to Gateway VPN Example

116 ProSafe VPN Client Software
  Securely enables mobile workers or single-user remote access to corporate network resources.
  Broad security support, standards-based.
  Implements the IPSec security protocol with optional certificates or Smart Cards.
  Easy to configure and deploy.
  Compatible with any IPSec-compliant VPN device.
  Optimized for NETGEAR ProSafe VPN Firewalls.

117 VPN Client – Security Policy Editor

118 VPN Client – Global Config

119 VPN Client – Security Policy

120 VPN Client – Authentication

121 VPN Client – Key Exchange

122 VPN Client – My Identity
IKE Identifier

123 VPN Client – Preshared key

124 FVX538 – Client VPN Policy

125 FVX538 – VPN Client fvx_local.com IKE Identifier

126 FVX538 – VPN Client fvx_remote.com fvx_remote.com

127 Exercise
Set up the following two scenarios.

128 Box-to-Box VPN Create a VPN tunnel between 2 NETGEAR VPN routers

129 Hub and Spoke VPN
Spoke sites access each other through the hub site.
  VPN policy on the hub site: local VPN network includes the spoke site.
  VPN policy on the spoke site: remote VPN network includes the spoke site.

130 VPN Troubleshooting
Can the other VPN end point reach you?
  What is the remote VPN endpoint?
    FQDN: does it resolve to the remote WAN IP?
    IP address: is the IP address reachable?
    Does the VPN use aggressive mode?
Do the VPN parameters match on both endpoints?
  What are the remote/local IKE identities? Do they match the remote endpoint’s local/remote IKE identities?
  What are the local/remote VPN networks? Do they match the remote endpoint’s remote/local VPN networks?
  What is the pre-shared key? Does it match the remote endpoint’s pre-shared key?
  What are the encryption/authentication algorithms? Do they match the remote endpoint’s algorithms?
  What is the IKE mode (main/aggressive)? Does it match the remote endpoint’s IKE mode?
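The checklist above is a mirror-and-match comparison, and it can be run mechanically before touching either router. The following is an added example, not a NETGEAR tool: it takes the two endpoints' settings as plain dictionaries (field names and the FVX538/FVS338 values are constructed for the example; the identifiers fvx_local.com / fvx_remote.com come from the VPN client slides), checks that local/remote identities, networks and gateways mirror each other and that mode, key, algorithms and lifetimes are identical, and reports each mismatch without echoing the pre-shared key. The last check is a rule of thumb, not from the slides: main mode with a pre-shared key identifies peers by IP address, so FQDN identifiers are normally paired with aggressive mode.

```python
import ipaddress

# Field pairs that must mirror each other (A's local == B's remote, and vice versa)
# and fields that must be identical on both endpoints. Constructed for this example.
MIRRORED = [("local_id", "remote_id"), ("local_net", "remote_net"), ("gateway", "remote_gateway")]
IDENTICAL = ["ike_mode", "psk", "encryption", "authentication", "dh_group", "key_lifetime", "pfs"]

def normalise(field, value):
    """Subnets compare by value, so 192.168.2.0/24 == 192.168.2.0/255.255.255.0."""
    return ipaddress.ip_network(value, strict=False) if field.endswith("_net") else value

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_vpn_policies(a, b):
    """Walk the troubleshooting checklist over two endpoint policies and return the
    mismatches found (an empty list means the two sides agree)."""
    problems = []
    for left, right in MIRRORED:
        for x, y in ((a, b), (b, a)):
            if normalise(left, x[left]) != normalise(right, y[right]):
                problems.append(f"{x['name']}.{left}={x[left]} != {y['name']}.{right}={y[right]}")
    for f in IDENTICAL:
        if a[f] != b[f]:
            detail = "(differs)" if f == "psk" else f"{a[f]} vs {b[f]}"   # never echo the secret
            problems.append(f"{f}: {detail}")
    for p in (a, b):
        # Rule of thumb (assumption, not from the slides): main mode + pre-shared key
        # identifies peers by IP address, so an FQDN identifier usually needs aggressive mode.
        if p["ike_mode"] == "main" and not is_ip(p["local_id"]):
            problems.append(f"{p['name']}: local_id {p['local_id']} is an FQDN but IKE mode is main")
    return problems

def demo(fixed=False):
    """Constructed FVX538 <-> FVS338 policy pair with two typical mistakes on the FVS338 side."""
    common = dict(ike_mode="aggressive", encryption="3DES", authentication="SHA-1",
                  dh_group=2, key_lifetime=28800, pfs=True)
    fvx = dict(name="FVX538", local_id="fvx_local.com", remote_id="fvx_remote.com",
               gateway="203.0.113.10", remote_gateway="198.51.100.20",
               local_net="192.168.1.0/24", remote_net="192.168.2.0/24",
               psk="netgear-lab", **common)
    fvs = dict(name="FVS338", local_id="fvx_remote.com", remote_id="fvx_local.com",
               gateway="198.51.100.20", remote_gateway="203.0.113.10",
               local_net="192.168.2.0/255.255.255.0",
               remote_net="192.168.1.0/24" if fixed else "192.168.2.0/24",  # remote net copied from local
               psk="netgear-lab" if fixed else "netgear-lab ",              # trailing space in the PSK
               **common)
    return check_vpn_policies(fvx, fvs)

if __name__ == "__main__":
    for problem in demo():
        print(problem)
```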

131 VPN Troubleshooting flow

132 Questions & Answers

