Download presentation
1
NETGEAR Product Training Firewall VPN Products
Presented by Hien Ly Level 3, Sr. Tech Support Engineer November, 2007
2
Agenda Introduction to NETGEAR Firewall VPN Products Firewall Overview
Types of Firewall DMZ NETGEAR DMZ How to Choose a Firewall? VPN Overview What is VPN? Encryption IPsec Basics IPsec Protocols Security Associations (SA) IKE Phases SSL312 VPN Introduction NETGEAR Firewall VPN Router Features Unique Features highlight NETGEAR VPN Configuration Screenshots ProSafe VPN Client Software Troubleshooting Tips and Lab VPN Troubleshooting Flow Hands-on lab
3
Course Objectives Box-to-box VPN Client-to-box VPN Hub & Spoke VPN
Agents should be able to do the following after this course: Recognize the Firewall VPN products that NETGEAR has to offer Be able to understand the basic Firewall concepts Be able to understand the basic VPN concepts Be able to understand the differences between IPSec and SSL VPN Be able to understand the different types of firewall settings on the NETGEAR routers Be able to configure and establish VPN sessions using various NETGEAR products: Box-to-box VPN Client-to-box VPN Hub & Spoke VPN
4
NETGEAR Firewall VPN Product Description Model No.
ProSafe VPN Firewall 200 Dual WAN with 8-port 10/100 and 1 Gigabit LAN switch (200 VPN Tunnels) FVX538 ProSafe VPN Firewall 50 with Dial Back-up (50 VPN Tunnels) FVS338 ProSafe VPN Firewall with ADSL Modem and g Wireless (50 VPN Tunnels) DGFV338 ProSafe Dual WAN gigabit firewall with IPSec & SSL VPN (25 IPSec & 10 SSL tunnels) FVS336G ProSafe VPN Firewall with g Wireless and 8-Port 10/100 Switch (8 VPN Tunnels) FVG318 ProSafe VPN Firewall 8 w/8 Port 10/100 Switch (8 VPN Tunnels) FVS318v3 FVS114 ProSafe SSL VPN Concentrator 25 SSL312
5
ProSafe VPN Firewall Line-up
SSL312 25 SSL Tunnels FVX538 200+ Tunnels Dual WAN port 1 Gig LAN Port FVS338 50 Tunnels Dial-up Failover “Wired” Firewalls FVS336G New IPSec tunnels 10 SSL tunnels 4 Gig LAN Dual Gig WAN Wireless Firewalls New DGFV338 108Mbps g 50 VPN tunnels w/ ADSL2+ modem FVS318v3 8 Tunnels FVS114 8 Tunnels FVG318 108Mbps g 8 VPN Tunnels
6
Firewall 101
7
Firewall 101 A firewall is a set of components that sit between networks and acts as a gatekeeper to allow in or keep out traffic based on certain criteria. Firewall types: Stateful Packet Inspection Hybrids Packet filters Applications proxy
8
Stateful Packet Inspection (SPI)
Examine each packet passed through. Allows or drops packets depends of rules. Maintains tables of information about current connections. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded. Use current state of connections in tables to determine if it will allow or drops incoming packets. When a connection terminates, it removes the reference from the internal table. Most of the Firewalls available today are Hybrids.
9
Hybrid Firewall Offers the best of all world:
Application-Level Packet Filtering Proxy-ARP Transparency isolates internal systems from attack Policy-based routing for efficient use of dual network connections Multiple redundant / balanced Internet links for fail-safe operation Traffic shaping and QOS control for priority services Address translation and port/address forwarding hides the internal network
10
Packet Filters A packet filter examines every network packets that passes through it. It drops or forwards the packets depends on a set of rules. Rules are depends on: IP Address Protocol (TCP, UDP, IP, ICMP) Port number (HTTP, FTP, TELNET) Direction (inbound, outbound) Fast No application or content awareness. Each packet is examined on a standalone basis.
11
Applications Proxy Application awareness.
Acts as a “man in the middle”. Never allows a packet to pass through the proxy. Receive and send out packets on behalf of the internal users. The net effect of this action is that the remote computer hosting the Web page never comes into direct contact with anything on your home network, other than the proxy server. Computational intensive. Need proxy for each applications.
12
DMZ (Demilitarized Zone)
A segment of network for hosting public accessible services (web servers, mail servers, ftp servers). Limit damage to private network even if DMZ is compromised. Only available on FVX538
13
DMZ in NETGEAR routers Only available on FVX538
This zone can be used to host servers and give public access to them. Port 8 on the LAN of the router can be dedicated as a hardware DMZ port and safely provide the Internet services without compromising security on your LAN. Note: The IP subnet of the DMZ should be different from that of the LAN port and the WAN port(s). Example: WAN 1: with subnet WAN2: with subnet LAN: with subnet DMZ: with subnet
14
How to choose a firewall?
Security. Features: Flexibility in defining rules – by time/date. User authentications. URL Filtering. Content filtering. Port forwarding (NAT). Performance Support – updates, enhancement. Audit Trail – logs, alarms. Manageability – a firewall is as security as it is configured.
15
VPN Overview
16
VPN Overview
17
What is a VPN? VPN is a secure path through a public shared network.
Data is secured by encryption. Types of VPN: IPSEC (Internet Protocol Security) PPTP (Point-to-Point Tunneling Protocol) L2TP (Layer Two Tunneling Protocol) SSL (Secure Socket Layer)
18
Encryption A mathematical function to convert data into secret.
Encryption convert cleartext to ciphertext. - Encrypt(cleartext, key) = ciphertext - Decrypt(ciphertext, key) = cleartext Symmetric encryption (DES, 3DES) Asymmetric encryption (public key) Hash algorithm - Hash(A, key) = B Low probability that another data will be hashed into B. Fast.
19
Private key Encryption (Symmetric)
Encryption Overview Private key Encryption (Symmetric) Encrypt and decrypt with the same key. Need special procedure for key distribution. Fast and computational inexpensive Used for preserving confidentiality Public key Encryption (Asymmetric) Encrypt with public key and decryption with private key. Encrypt (cleartext, KEYpublic) = ciphertext Decrypt (ciphertext, KEYprivate) = cleartext Public key can be freely distributed. Slow and computational intensive used for achieving authentication and non-repudiation.
20
Public Key Encryption at work
You give John (aka Sender) a copy of your public key. John uses your public key to encrypt the plaintext to produce a ciphertext for you. He then gives (just) the ciphertext to you, and You use your private key to decrypt the ciphertext to reproduce the plaintext.
21
IPsec Basics Applications transparency. Automated key management.
Interoperability with PKI (Public Key Infrastructure). Fast deployment. Implemented in existing routers/CPE.
22
IPsec Protocols Three main Protocols of IPsec
IKE (Internet Key Exchange) Defines a method for the secure exchange of the initial encryption keys between the two endpoints of a VPN (establishing SA). UDP protocol 500 AH (Authentication Header) Used to ensure integrity of the header information and payload as the packet makes its way through the Internet. Authentication only, no encryption 128-bit MD5 or 160-bit SHA-1 keys used to compute the integrity checksum value (ICV) TCP protocol 51 ESP (Encapsulating Security Payload) Performs the actual encryption of the data to provide data confidentiality, and data integrity. Encrypt with DES/3DES. TCP protocol 50
23
Security Associations (SA)
What is Security Associations (SA)? Basic concepts of IPsec Represents a policy contract between two VPN endpoints describing how they will use IPsec to secure network traffic Contains all the security parameters to establish VPN connection Unidirectional – one SA for each direction. Each established SA is identified by a 32-bit number (SPI) SPI are written into IPsec packet headers to locate the appropriate SA.
24
Security Association (SA) Components
What are the components of the SA? Authentication/encryption algorithm, key length, key lifetime, etc… Session keys Specification of network traffic which IPsec will apply IPsec encapsulation protocol (AH/ESP) and mode (Transport/Tunnel).
25
IPSec Data Exchange Modes
Transport Mode: Between two IPsec hosts. IP address of the hosts must be Public IP addresses Only encapsulate data. Tunnel Mode: Between two IPsec gateways Encapsulate both header and data. Hides the original IP header
26
AH & ESP Protocols Normal IP Packet
27
IKE – Internet Key Exchange Protocol
ISAKMP (Internet Security Association and Key Management Protocol) Protocol to negotiate and establish SA. Oakley Define mechanism for key exchange over the IKE session By default, use Diffie-Hellman algorithm for key exchange Each IKE peer has an IKE identitiy which based on: IP address FQDN (Fully qualified domain name) X.500 (certificate) name address IKE session are protected by cryptographic algorithms. IKE peers must agree exactly on a set of algorithms and protocols to protect the IKE session
28
IKE on NETGEAR
29
IKE Operations Phase1 (Authentication Phase)
Main mode or Aggressive mode Used to establish a secure channel, authenticate the negotiating parties, and generate shared keys to protect IKE protocol messages Negotiates IKE SA Phase2 (Key Exchange Phase) AKA: Quick mode Used to establish the IPSec SA and to generate new keying material Negotiates IPsec SA
30
IKE Main Mode Message Exchange
Use 6 messages to establish the IKE SA. First 2 – negotiate security policy that will be used Next 2 – performs Diffie-Hellman key exchange and pass Nonces (random # for signing) to each other Last 2 – used to authenticate peers Hides identity of the IKE peers. The first two messages to negotiate the security policy that will be used to protect the phase II messages. The next two messages perform a Diffie-Hellman key exchange and pass nonces (random numbers sent for signing) to each other. The last two messages are used to authenticate the peers
31
IKE Aggressive Mode Message Exchange
Less negotiation flexibility for IKE session protection. Will not hide identity (all identities of parties involved are revealed).
32
IKE Quick Mode Message Exchange
Fast. If an IKE SA is in place, only quick mode exchanges are used to negotiate new key or re-key. PFS (Perfect Forward Secrecy) Generate new key that is independent of the current key (from Phase1).
33
IPsec Inbound Packet Processing
34
IPsec Outbound Packet Processing
35
Host to Host VPN Traffic Process
36
1) Initialization
37
2) IKE Phase 1 Triggering
38
3) IKE Phase 1 Completed
39
4) IKE Phase 2
40
5) IPsec VPN Established
41
VPN Policy requirements?
Who are the VPN parties? IKE Identifiers (WAN IP, FQDN, FQUN, DN). Where are the VPN parties? VPN gateway addresses (WAN IP, FQDN). What traffics are included in the VPN? Local VPN subnet, remote VPN subnet. How the VPN secure the communication? Main mode / Aggressive mode. Pre-shared key. Key lifetime. ESP / AH (authentication algorithm, encryption algorithm). PFS?
42
VPN Gateway-to-Gateway Example
43
VPN Client-to-Gateway Example
44
What is SSL VPN? SSL VPNs create secure tunnels by performing two functions: Requiring authentication from users before allowing access so that only authorized parties can establish tunnels Encrypting all data transmitted to and from the user by implementing the actual tunnel using SSL The process of establishing an SSL tunnel requires exchange of different configuration information between the computers on either end of the connection.
45
SSL VPN on OSI Network Model
IPSec VPN operates at the Network Layer – Layer 3 SSL VPN establish connectivity using SSL, which functions at Layers 4 & 5 Information gets encapsulate at Layer 6 & 7 of the OSI model So why don't SSL VPNs simply use SSL to tunnel network-level communications as IPSec does and not worry about the higher levels? Technical limitations of many devices prevent the establishment of Network-Layer communications over SSL, but allow application-layer access from a web browser. Security considerations and policies normally prohibit attaching Internet kiosks and borrowed computers as nodes on your corporate network. Cannot install VPN client software on public Kiosks
46
SSL VPN
47
Segmentation in SSL VPN
Corporate Applications Full access Restricted access Web Database File server ProSafe SSL312 VPN Concentrator ProSafe VPN Firewall Secure SSL VPN connections Internet Here we have our customer’s network. 1st click: By adding the NETGEAR ProSafe™ SSL312 VPN Concentrator, your customer has true mobility. Secure SSL VPN remote access … anywhere, anytime Whether you’re at home, at a B2B partner site, using your PDA, or from an internet café, all you need is a web browser and an internet connection. Further, NETGEAR’s SSL312 VPN appliance gives you granular user access control … 2nd click: For example, your customer’s IT manager will probably need access to all resources & corporate applications from their laptop, whereas, your B2B partner may only need access to database applications. Your customer can control access simply and easily with the SSL312’s ability to integrate with user databases such as Active Directory, LDAP and RADIUS. Kiosk or Laptop Internet Café Home PDA B2B Partner
48
Unique Router Features
49
Serial Modem – FR328S, FVS328, FWG114P
EOL
50
Serial Port – Auto Failover FVS328, FR328S, FWG114P
EOL
51
Serial Port – Dial in FVS328, FR328S, FWG114P
EOL
52
Serial Port – LAN to LAN FVS328, FR328S, FWG114P
EOL
53
Dial up ISP – FVS338
54
ADSL Interface– DGFV338
55
Wireless – FVG318, DGFV338
56
WAN Mode w/ Dialup – FVS338
57
Auto-Rollover – DGFV338, FVS336G, FVX538
58
Auto-Rollover – DGFV338, FVS336G, FVX538
If you want to use a redundant ISP link for backup purposes, select the WAN port that will act as the primary link for this mode. Ensure that the backup WAN port has also been configured and that you configure the WAN Failure Detection Method to support Auto-Rollover. Link failure is detected in one of the following ways: By sending DNS queries to a DNS server, or By sending a Ping request to an IP address, or None (no failure detection is performed). From each WAN interface, DNS queries or Ping requests are sent to the specified IP address. If replies are not received, after a specified number of retries, the corresponding WAN interface is considered down. As long as the primary link is up, all traffic is sent over the primary link. Once the primary WAN interface goes down, the rollover link is brought up to send the traffic. Traffic will automatically roll back to the original primary link once the original primary link is back up and running again.
59
Load Balancing / Protocol Binding FVS336G, FVX538
60
Load Balancing / Protocol Binding FVS336G, FVX538
The VPN firewall distributes the outbound traffic equally among the WAN interfaces that are functional. Scenarios could arise when load balancing needs to be bypassed for certain traffic or applications. If certain traffic needs to travel on a specific WAN interface, configure protocol binding rules for that WAN interface. The rule should match the desired traffic. In the Protocol Binding menu, you specify a protocol such as HTTP, and this causes all outbound traffic of that protocol to use that WAN port.
61
Multi Home LAN IP – DGFV338, FVS336G, FVS338, FVX538
The secondary LAN IP address will be assigned to the LAN interface of the router and can be used as a gateway by computers on the secondary subnet
62
Multi Home LAN IP – DGFV338, FVS336G, FVS338, FVX538
If you have computers on your LAN using different IP address ranges (for example, or ), you can add “aliases” to the LAN port, giving computers on those networks access to the Internet through the router. This allows the router to act as a gateway to additional logical subnets on your LAN NOTE: IP addresses on these secondary subnets cannot be configured in the DHCP server. The hosts on the secondary subnets must be manually configured with IP addresses, gateway IP addresses, and DNS server IP addresses.
63
Traffic Meter – FVS336G, FVS338, FVX538
64
Traffic Meter – FVS336G, FVS338, FVX538
Allows you to measure and limit the traffic routed by the router. The router will keep a record of the volume of traffic going from the selected interface. The router can also be configured to place a restriction on the volume of data being transferred.
65
Session Limit – FVS338, FVX538 "Total Number of Packets Dropped due to Session Limit:" shows total number of packets dropped when session limit is reached
66
Session Limit – FVS338, FVX538 Allows you to specify total number sessions per user (IP) allowed across the router. You can give the maximum number of sessions per IP either in percentage of maximum sessions or absolute number of maximum sessions. The percentage is computed on the total connection capacity of the device. "User Limit" specifies the maximum number of sessions that should be allowed via box from a single source machine (i.e. session limiting is per machine based) as percentage of total connection capacity NOTE: Please note that some protocols like FTP, RSTP create 2 sessions per connection which should be considered when configuring session limiting
67
UPnP – DGFV338, FVG318 UPnP (Universal Plug and Play) is a feature that allows for automatic discovery of devices that can communicate with this router.
68
Firewall Features
69
Static Routes
70
Dynamic DNS Alias a dynamic IP address to a static hostname.
Requires a dynamic DNS provider. When dynamic IP changes on network devices, devices log onto DDNS server and change the record of the hostname to map to new IP address. Some DDNS providers expire hostname if IP address remain idle for a period of time. (Use “Update every 30 days” check box to prevent hostname from expiring.
71
SNMP – FVS336G, FVS338, FVX538 DGFV338
72
Groups and Hosts
73
Groups and Hosts – Add
74
Groups and Hosts – Edit
75
Address Filter – Source MAC Filter
76
Services
77
Scheduling
78
Block Sites
79
Firewall Rules
80
Firewall Rules – Adding Inbound
81
Firewall Rules – Adding Outbound
82
Address Filter – IP/MAC Binding
83
Address Filter – IP/MAC Binding Edit
84
Port Triggering
85
Port Triggering Once configured, operation is as follows:
A PC makes an outgoing connection using a port number defined in the Port Triggering table. This Router records this connection, opens the INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC. The remote system receives the PCs request, and responds using a different port number. This Router matches the response to the previous request, and forwards the response to the PC. (Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.)
86
Port Triggering Note: Only 1 PC can use a "Port Triggering" application at any time. After a PC has finished using a "Port Triggering" application, there is a "Time-out" period before the application can be used by another PC. This is required because this Router cannot be sure when the application has terminated. Normally for games and chat.
87
Bandwidth Profile
88
Attack Checks
89
Firewall Logs
90
Logs
91
Syslog
92
VPN Logs
93
Troubleshooting Features
94
Diagnostics FVG318 FVS338, FVS336G, FVX538, DGFV338
95
Diagnostics – Packets Capture
96
VPN Features
97
Netgear VPN – VPN Wizard Box-to-box
98
Netgear VPN – VPN Wizard Client-to-box
99
VPN Policy
100
VPN Policy – General
101
VPN Policy – Traffic Selection
102
VPN Policy – Policy Parameters
103
IKE Policy
104
IKE Policy – Edit FVS336G, FVS338, FVX538
105
IKE Policy – Edit for FVG318
106
IKE Policy – IKE parameters
107
VPN – Certificate Authority (CA)
108
Generate Self-sign Certificate
109
View Certificate Request
110
Certificate Revocation List (CRL)
111
Mode Config
112
VPN Client – User Database
113
VPN Client – RADIUS Client
114
VPN01L_VPN05L ProSafe VPN Client Software
115
Client to Gateway VPN Example
116
ProSafe VPN Client Software
Securely enables mobile workers or single-user remote access to corporate network resources Broad security support, standards-based Implements IPSec security protocol with optional certificates or Smart Cards Easy-to-configure and deploy Compatible with any IPSec-compliant VPN devices Optimized for NETGEAR ProSafe VPN Firewalls
117
VPN Client – Security Policy Editor
118
VPN Client – Global Config
119
VPN Client – Security Policy
120
VPN Client – Authentication
121
VPN Client – Key Exchange
122
VPN Client – My Identity
IKE Identifier
123
VPN Client – Preshared key
124
FVX538 – Client VPN Policy
125
FVX538 – VPN Client fvx_local.com IKE Identifier
126
FVX538 – VPN Client fvx_remote.com fvx_remote.com
127
Set up the following two scenario
Exercise Set up the following two scenario
128
Box-to-Box VPN Create a VPN tunnel between 2 NETGEAR VPN routers
129
Hub and Spoke VPN Spoke sites access each other through hub site.
VPN policy on hub site. Local VPN network includes spoke site. VPN policy on spoke site. Remote VPN network includes spoke site.
130
VPN Troubleshooting Can the other VPN end point reach you?
What is the remote VPN endpoint? FQDN: resolve to remote WAN IP? IP Address: Is IP address reachable? : VPN uses aggressive mode? Do the VPN parameters matches on both endpoints? What are the remote/local IKE identities? Do they match the remote endpoint’s local/remote IKE identities? What are the local/remote VPN networks? Do they match remote endpoint’s remote/local VPN networks? What is the pre-shared key? Does it match the remote endpoint’s pre-shared key? What are the encryption/authentication algorithms? Do they match the remote endpoint’s algorithms? What is the IKE mode (main/aggressive)? Does it match the remote endpoint’s IKE mode?
131
VPN Troubleshooting flow
132
Questions & Answers
Similar presentations
© 2025 SlidePlayer.com Inc.
All rights reserved.