ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134 202-10416-02 v1.
© 2008–2010 by NETGEAR, Inc. All rights reserved. Technical Support Please refer to the support information card that shipped with your product. By registering your product at http://www.netgear.com/register, we can provide you with faster expert technical support and timely notices of product and software upgrades. NETGEAR, INC. Support Information Phone: 1-888-NETGEAR, for US & Canada only. For other countries, see your Support information card. E-mail: support@netgear.
Manufacturer's/Importer's Declaration It is hereby confirmed that the ProSafe Wireless-N VPN Firewall is interference-suppressed in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The proper operation of some equipment (e.g. test transmitters) may nevertheless be subject to certain restrictions. Please read the notes in the operating manual.
OpenSSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
PPP Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University.
About This Manual The NETGEAR® ProSafe™ Wireless-N VPN Firewall Reference Manual describes how to configure and troubleshoot a ProSafe Wireless-N VPN Firewall. The information in this manual is intended for readers with intermediate computer and networking skills. Conventions, Formats, and Scope The conventions, formats, and scope of this manual are described in the following paragraphs: • Typographical Conventions.
• Scope. This manual is written for the VPN firewall according to these specifications: Product: ProSafe Wireless-N VPN Firewall; Manual Publication Date: January 2010. For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix C, “Related Documents.” Note: Product updates are available on the NETGEAR, Inc. website at http://kbserver.netgear.com/products/SRXN3205.asp.
Revision History 202-10416-02, 1.0 (continued), January 2009 (continued): • Support for an address range for inbound LAN rules on the Add LAN WAN Inbound Service screen (see “Inbound Rules (Port Forwarding)” and “Creating a LAN WAN Inbound Services Rule”). • Support for new log options such as Resolved DNS Names and VPN on the Firewall Logs & E-mail screen (see “Activating Notification of Events and Alerts”).
Chapter 1 Introduction The ProSafe Wireless-N VPN Firewall SRXN3205 provides Internet connectivity to your local Ethernet and wireless networks via a broadband cable or DSL modem. The SRXN3205 is a complete security solution with a powerful and flexible firewall to safeguard your networks along with advanced IPsec and SSL VPN technologies for secure wired and wireless connections.
• Advanced stateful packet inspection (SPI) firewall with multi-NAT support • Easy, web-based setup for installation and management • Front panel LEDs for easy monitoring of status and activity • Flash memory for firmware upgrade • AC-DC power adapter for low current draw A Powerful, True Firewall with Content Filtering Unlike simple Internet sharing NAT routers, the SRXN3205 is a true firewall, using stateful packet inspection (SPI) to de
Extensive Protocol Support The SRXN3205 supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, see the document that you can access from “TCP/IP Networking Basics” in Appendix C. • IP Address Sharing by NAT.
• SSL VPN provides remote access for mobile users to selected corporate resources without requiring a pre-installed VPN client on their computers. – Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories.
Easy Installation and Management You can install, configure, and operate the SRXN3205 within minutes after connecting it to the network. The following features simplify installation and management tasks: • Browser-Based Management. Browser-based configuration allows you to easily configure your SRXN3205 and wireless access from almost any type of personal computer, such as Windows, Macintosh, or Linux.
Package Contents The SRXN3205 product package contains the following items: • ProSafe Wireless-N VPN Firewall SRXN3205 • Rubber feet (4) with adhesive backing • One AC-DC power adapter (12V, 1.5A) with cord (approximately 6 ft, or 183 cm) • Three dual-band antennas (SMA connectors): 2 dipole (long); 1 patch (square) • One straight-through Category 5 (Cat5) Ethernet cable • Installation Guide, SRXN3205 ProSafe Wireless-N VPN Firewall.
Table 1-1. Description of Front Panel Items (Item / Activity / Description). PWR (Power): On Green: Power is supplied to the SRXN3205. Off: Power is not supplied to the SRXN3205. Test: On Amber: Test mode, the system is initializing. Blinking Amber: the initialization has failed, or the system is writing to Flash memory (during upgrading or resetting to defaults). Off: The system has booted successfully. WLAN: Off: 802.11n/a (5GHz) mode is disabled.
Rear Panel Features The rear panel of the SRXN3205 is shown below. Figure 1-2 1. Detachable (SMA) Antennas: The SRXN3205 provides three SMA connectors for the detachable antennas (two dipole and one patch). For the best performance, attach the patch antenna to the middle connector and attach the dipole antennas to the two connectors at the corners. The three antennas can be positioned horizontally or vertically for the best coverage. 2.
Default IP Address, Login Name, and Password Location Check the label on the bottom of the SRXN3205’s enclosure if you need a reminder of the following factory default information: IP Address, User Name, and Password (see Figure 1-3). Qualified Web Browsers To configure the SRXN3205, an administrator must use Internet Explorer 5.1 or higher, Apple Safari 1.2 or higher, or Mozilla Firefox 1.x Web browser with JavaScript, cookies, and SSL enabled.
Chapter 2 Connecting to the Internet (WAN) The initial Internet configuration of the ProSafe Wireless-N VPN Firewall SRXN3205 is described in this chapter.
6. Configure the WAN options (optional). Optionally, you can enable each WAN port to respond to a ping, and you can change the factory default MTU size and port speed. However, these are advanced features and changing them is not usually required. See “Configuring the Advanced WAN Options (Optional)” on page 2-14. Each of these tasks is detailed separately in this chapter.
Figure 2-2 Navigating the Menus The Web Configuration Manager menus are organized in a layered structure of main categories and submenus: • Main menu. The horizontal orange bar near the top of the screen is the main menu, containing the primary configuration categories. Clicking on a primary category changes the contents of the submenu bar. • Submenu.
• Tab. Immediately below the submenu bar, at the top of the menu active window, are one or more tabs, further subdividing the currently selected subcategory if necessary. • Option arrow. To the right of the tabs on some menus are one or more blue dots with an arrow in the center. Clicking an option arrow brings up either a popup window or an advanced option menu.
Figure 2-3 2. Click Auto Detect at the bottom of the screen.
Auto Detect will probe the WAN port for a range of connection methods and suggest one that your ISP appears to support. a. If Auto Detect is successful, a status bar at the top of the screen will display the results (Figure 2-4). b. If Auto Detect senses a connection method that requires input from you, it will prompt you for the information. All methods with the required settings are detailed in the following table. Table 2-1.
Figure 2-5 The WAN Status window should show a valid IP address and gateway. If the configuration was not successful, go to “Manually Configuring the Internet Connection” following this section, or see “Troubleshooting the ISP Connection” on page 11-4. Note: If the configuration process was successful, you are connected to the Internet through the WAN port. 4. Click Test to evaluate your entries.
To manually configure your WAN ISP Settings: 1. Select Network Configuration > WAN ISP Settings. The WAN ISP Settings screen is displayed (see Figure 2-3 on page 2-5 for the entire screen). 2. In the ISP Login section, choose one of these options: • If your ISP requires an initial login to establish an Internet connection, click Yes (this is the default). • If a login is not required, click No and ignore the Login and Password fields.
– Idle Timeout. Select Keep Connected to keep the connection always on. To log out after the connection is idle for a period of time, click Idle Time and in the timeout field enter the number of minutes to wait before disconnecting. – Connection Reset. Select this checkbox to specify a time when the PPPoE WAN connection is reset, that is, the connection is disconnected momentarily and then reestablished.
• Get Dynamically from ISP. If your ISP has not assigned a static IP address, select this radio button. The ISP will automatically assign an IP address to the VPN firewall using the DHCP network protocol. The IP address and subnet mask fields will be inactive. As an option, you can select the following checkboxes: – Client Identifier.
Configuring the WAN Mode To access the WAN Mode, click on Network Configuration > WAN Settings and select the WAN Mode tab. The WAN Mode screen displays. Figure 2-10 The WAN Mode screen allows you to configure how your firewall uses the external Internet connection. This screen gives you two choices for accessing the external Internet connection. • Network Address Translation (NAT).
Classical Routing In classical routing mode, the VPN firewall performs routing, but without NAT. To gain Internet access, each PC on your LAN must have a valid static Internet IP address. If your ISP has allocated a number of static IP addresses to you, and you have assigned one of these addresses to each PC, you can choose classical routing. Or, you can use classical routing for routing private IP addresses within a campus environment.
• For load balancing mode, you may still need a fully qualified domain name (FQDN) either for convenience or if you have a dynamic IP address. Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet. To configure dynamic DNS: 1. Select Network Configuration > Dynamic DNS from the main/submenu.
d. If your dynamic DNS provider allows the use of wildcards in resolving your URL, check Use wildcards to activate this feature. For example, the wildcard feature will cause anything.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. e. If your dynamic DNS provider requires you to renew your account monthly, check Update every 30 days to have the VPN firewall renew the account automatically. 5.
b. Port Speed. In most cases, your VPN firewall can automatically determine the connection speed of the WAN port. If you cannot establish an Internet connection and the WAN Link or Speed LED blinks continuously, you may need to manually select the port speed. AutoSense is the default. If you know the Ethernet port speed that your broadband modem supports, select it; otherwise, select 10M.
Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Wireless-N VPN Firewall SRXN3205.
Specify the pool of IP addresses to be assigned by setting the starting IP address and ending IP address. These addresses should be part of the same IP address subnet as the VPN firewall’s LAN IP address. Using the default addressing scheme, you would define a range between 192.168.1.2 and 192.168.1.100, although you may wish to save part of the range for devices with fixed addresses.
To modify your LAN setup, follow these steps: 1. Select Network Configuration > LAN Settings from the main/submenu. The LAN Settings tabs (LAN Setup, LAN Groups, and LAN Multi-homing) are displayed with the LAN Setup screen in view. Figure 3-1 2. In the LAN TCP/IP Setup section, configure the following settings: • IP Address. The LAN address of your VPN firewall (factory default: 192.168.1.1).
• IP Subnet Mask. The subnet mask specifies the network number portion of an IP address. Your VPN firewall will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask. 3. In the DHCP section, select Disable DHCP Server, Enable DHCP Server, or DHCP Relay.
If you will use a Lightweight Directory Access Protocol (LDAP) authentication server for network-validated domain-based authentication, select Enable LDAP Information to enable the DHCP server to provide LDAP server information. Enter the following settings: • LDAP Server. Specifies the name or the IP address of the device that hosts the LDAP server. • Search Base.
The LAN Groups Database is updated by these methods: • DHCP Client Requests. By default, the DHCP server in this VPN firewall is enabled, and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the LAN Groups Database. Because of this, leaving the DHCP server feature (LAN Setup screen) enabled is strongly recommended. • Scanning the Network.
Viewing the LAN Groups Database To view the LAN Groups Database, follow these steps: 1. Select Network Configuration > LAN Settings from the main/submenu. The LAN Setup screen displays (see Figure 3-1 on page 3-3). 2. Click the LAN Groups tab. The LAN Groups screen is displayed. Figure 3-2 The Known PCs and Devices table lists the entries in the LAN Groups Database. For each computer or device, the following fields are displayed: • Name.
• Action. Allows modification of the selected entry by clicking edit. Note: If the VPN firewall is rebooted, the table data is lost until the VPN firewall rediscovers the devices. Adding Devices to the LAN Groups Database To add devices manually to the LAN Groups Database, follow these steps: 1. In the Add Known PCs and Devices section, make the following entries: • Name. Enter the name of the PC or device. • IP Address Type.
Changing Group Names in the LAN Groups Database By default, the LAN Groups are named Group1 through Group8. You can rename these group names to be more descriptive, such as Engineering or Marketing. To edit the names of any of the eight available groups: 1. From the LAN Groups tab, click the Edit Group Names link to the right of the tabs. The Network Database Group Names screen appears. Figure 3-3 2.
Note: The reserved address will not be assigned until the next time the PC contacts the VPN firewall’s DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew. Configuring Multi Home LAN IP Addresses If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or 10.0.0.
3. In the Add Secondary LAN IP Address section, enter the additional IP address and subnet mask to be assigned to the LAN port of the VPN firewall. 4. Click Add. The new Secondary LAN IP address will appear in the Available Secondary LAN IPs table. Note: IP addresses on these secondary subnets cannot be configured in the DHCP server.
2. Click Add. The Add Static Route screen is displayed. Figure 3-6 3. Enter a route name for this static route in the Route Name field (for identification and management). 4. Select Active to make this route effective. 5. Select Private if you want to limit access to the LAN only. The static route will not be advertised in RIP. 6. Enter the Destination IP Address to the host or network where the route leads. 7.
Configuring Routing Information Protocol (RIP) RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network. RIP is disabled by default. To configure RIP: 1.
• In Only. The VPN firewall accepts RIP information from other routers, but does not broadcast its routing table. • Out Only. The VPN firewall broadcasts its routing table periodically but does not accept RIP information from other routers. • Both. The VPN firewall broadcasts its routing table and also processes RIP information received from other routers. 4.
Chapter 4 Wireless Configuration This chapter describes how to set up your ProSafe Wireless-N VPN Firewall SRXN3205 for wireless connectivity to your LAN. This basic configuration will enable computers with 802.11b/g/n or 802.11a/n wireless adapters to do such things as connect to the Internet, or access printers and files on your LAN. Note: Indoors, computers can connect over 802.11b/g/n or 802.
Wireless Equipment Placement and Range Guidelines The operating distance or range of your wireless connection can vary significantly based on the physical placement of the VPN firewall. The latency, data throughput performance, and notebook power consumption of wireless adapters also vary depending on your configuration choices.
Figure 4-1 There are several ways you can enhance the security of your wireless network: • Restrict Access Based on MAC address. You can restrict access to only trusted PCs so that unknown PCs cannot wirelessly connect to the VPN firewall. MAC address filtering adds an obstacle against unwanted access to your network, but the data broadcast over the wireless link is fully exposed. • Turn Off the Broadcast of the Wireless Network Name (SSID).
Configuring Basic Wireless Setup (Without Security) Test wireless connectivity in your environment by setting up the unit without wireless security. To configure the VPN firewall for basic wireless access, follow these simple steps: 1. Select Network Configuration > Wireless Settings from the main/submenu. The Wireless Settings screen is displayed. Use this screen to set up your wireless connectivity requirements.
2. In the Wireless Access Point section of the screen, configure the following settings: • Enable Wireless Access Point. Select this checkbox to allow multiple devices in the wireless network to access the WAN network and other LAN devices through the wireless VPN firewall. This checkbox is deselected by default. • Allow Broadcast of Name (SSID).
6. Prepare a PC as the wireless PC Client with a wireless Ethernet adapter installed. Verify that you can wirelessly access a file or a printer on the LAN connected to the VPN firewall.
6. Prepare PC(s) as the wireless PC Client(s) with wireless Ethernet adapters installed. 7. Configure the Client PCs to obtain the IP and DNS addresses automatically using the internal DHCP server (DHCP is the default firewall setting). 8. Configure the wireless adapters of your Client PCs to have the same SSID that you configured on the VPN firewall. 9.
– 20/40 MHz. The dynamic, compatibility mode. Legacy clients can connect to 20 MHz and 11n clients can connect to 40 MHz. – 40 MHz. The static, high-throughput mode. Legacy clients will not be able to connect in this mode. 3. Click Apply to save your wireless settings.
SSID and WEP/WPA Settings Setup Form 802.11b/g/n Configuration For a new wireless network, print or copy this form and fill in the configuration parameters. For an existing wireless network, the person who set it up or is responsible for the network will be able to provide this information. Be sure to set the Regulatory Domain correctly as the first step.
802.11a/n Configuration For a new wireless network, print or copy this form and fill in the configuration parameters. For an existing wireless network, the person who set it up or is responsible for the network will be able to provide this information. Be sure to set the Regulatory Domain correctly as the first step. • SSID: The Service Set Identification (SSID) requires the identity or name of the wireless local area network.
Configuring WEP Security To configure WEP data encryption on the Wireless Settings screen: 1. Click the WEP radio button in the Wireless Security Type section of the screen to enable WEP data encryption. When you select WEP data encryption, the WEP fields in the WEP section of the screen are made active. 2. From the Authentication pull-down menu, select Automatic, Open System, or Shared Key authentication. 3.
Configuring WPA Security Without RADIUS Not all wireless adapters support WPA and WPA2. Client software is required on the client: • Windows XP and Windows 2000 with Service Pack 3 or above do include the client software that supports WPA. The wireless adapter hardware and driver must also support WPA. • Service Pack 3 does not include the client software that supports WPA2. Make sure your client card supports WPA2.
2. In the PSK Settings section of the screen, configure the following: a. In the Passphrase field, enter a phrase consisting of 8-63 characters. b. In the Key Lifetime field, enter a value in minutes. This setting determines how often the encryption key is changed; shorter periods are more secure but may slow down the overall authentication times. The default setting is 1440 minutes (24 hours). 3. Click Apply to save your settings.
Configuring WPA with RADIUS To configure WPA with RADIUS on the Wireless Settings screen: 1. In the Wireless Security Type section of the screen, configure the following: a. Click the WPA radio button to enable WPA data encryption. The WPA fields in the PSK Settings section of the screen are made active. b. From the WPA with pull-down menu, select RADIUS. The RADIUS fields in the Radius Server Settings section of the screen are made active.
b. In the Key Lifetime field, enter a value in minutes. This setting determines how often the encryption key is changed; shorter periods are more secure but may slow down the overall authentication times. The default setting is 1440 minutes (24 hours). 1. In the Radius Server Settings section of the screen, configure the following: a. Server Name / IP Address. The name or IP address of the RADIUS server. b. Radius Port.
Verifying Wireless Connectivity (With Security) Using a Client PC with an 802.11b/g/n or 802.11a/n wireless adapter with the correct wireless and security settings for connection to the VPN firewall (SSID, WEP/WPA settings, and so on), verify connectivity by using a browser such as Mozilla Firefox or Internet Explorer to browse the Internet, or check for file and printer access on your network.
Note: By default, the VPN firewall is configured with the DHCP client enabled. If your network uses dynamic IP addresses, you must change this setting. To connect to the VPN firewall after the DHCP server on your network assigns it a new IP address, enter the VPN firewall name into your Web browser. The default VPN firewall name is netgearxxxxxx, where xxxxxx represents the last 6 bytes of the MAC address.
3. Enter the appropriate information in the fields described below: • RTS Threshold (256 - 2346, default 2346). The RTS (Request to Send) Threshold is the packet size that determines if the CSMA/CD (Carrier Sense Multiple Access with Collision Detection) mechanism or the CSMA/CA (CSMA with Collision Avoidance) mechanism should be used for packet transmission.
To restrict access based on MAC addresses: 1. Click Network Configuration > Wireless Settings in the main/submenu. 2. Click the Setup Access List link to the right of the Wireless Settings tab. The Access Control List tab and Available Wireless Stations tab appear on screen with the Access Control List screen in view. Figure 4-4 3. Select the Yes radio button in the ACL Enable section of the screen to enable the access control list.
To manually add a MAC address to the Trusted Wireless Station table on the Access Control List screen: 1. Enter the MAC address in the MAC Address field of the Add New Trusted Station Manually section of the screen. The MAC address should be in the xx:xx:xx:xx:xx:xx format. You can usually find the MAC address printed on the bottom of the wireless adapter. 2. Click the Add button.
ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Chapter 5 Firewall Security and Content Filtering This chapter describes how to set up your firewall and use the content filtering features of the ProSafe Wireless-N VPN Firewall SRXN3205 to protect your network.
uses a process called stateful packet inspection to protect your network from attacks and intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT.
• Inbound Rules (port forwarding). Inbound traffic is normally blocked by the firewall unless the traffic is in response to a request from the LAN side. The firewall can be configured to allow this otherwise blocked traffic.
• Customized Services. Additional services can be added to the factory default list of services.
Table 5-1. Outbound Rules (continued)
Item: LAN Users
Description: These settings determine which computers on your network are affected by this rule. Select the desired option:
• Any – All PCs and devices on your LAN.
• Single address – Enter the required address; the rule is applied to that particular PC.
• Address range – If this option is selected, you must enter the start and finish addresses of the range.
Whether or not DHCP is enabled affects how external PCs reach the server’s LAN address, and therefore affects the inbound rules. For example:
• If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP address may change periodically as the DHCP lease expires. Consider using Dynamic DNS so that external users can always find your network (see “Configuring Dynamic DNS” on page 212).
Table 5-2. Inbound Rules (continued)
Item: Translate to Port Number
Description: Check this box and enter a port number to assign the LAN server a different service port number. Inbound traffic to the service port has its destination port number rewritten to the port number configured here.
Item: WAN Destination IP Address
Description: This setting determines the destination IP address applicable to incoming traffic.
Viewing the Firewall Rules
To view the firewall rules, select Security > Firewall from the main/submenu. The LAN WAN Rules screen is displayed (Figure 5-1 shows some examples).
Figure 5-1
Order of Precedence for Rules
As you define new rules, they are added to the tables on the LAN WAN Rules screen as the last item in the list, as shown in Figure 5-1.
To change the default outbound policy, follow these steps:
1. Go to the LAN WAN Rules screen, shown in Figure 5-1 on page 5-7.
2. Add the outbound rules you plan to use.
3. Change the outbound policy by choosing Block Always from the pull-down menu.
4. Click Apply.
2. Configure the settings as explained in Table 5-1 on page 5-3.
3. Click Apply to save your changes. The new rule is added to the Outbound Services table on the LAN WAN Rules screen.
Creating a LAN WAN Inbound Services Rule
The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, none are listed. By default, all inbound traffic is blocked.
Modifying Rules
To make changes to an existing outbound or inbound service rule on the LAN WAN Rules screen, click one of the following table buttons in the Action column to the right of the rule:
• edit. Allows you to make any changes to the rule definition of an existing rule.
Inbound Rules Examples
LAN WAN Inbound Rule: Hosting a Local Public Web Server
If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day. In the example shown in Figure 5-4, unrestricted access is provided from the Internet to the local Web server at LAN IP address 192.168.1.99.
Figure 5-5
LAN WAN Inbound Rule: Setting Up One-to-One NAT Mapping
If you arrange with your ISP to have more than one public IP address for your use, you can map the additional public IP addresses to servers on your LAN. One of these public IP addresses is used as the primary IP address of the VPN firewall. This address provides Internet access to your LAN PCs through NAT.
• Web server PC on the VPN firewall’s LAN
– LAN IP address: 192.168.1.11
– Port number for Web service: 8080
Figure 5-6
To test the connection from a PC on the WAN side, type http://10.1.0.5. The home page of the Web server should appear.
LAN WAN Inbound Rule: Specifying an Exposed Host
Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined.
Outbound Rules Example
Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio, or other non-essential services.
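The following Python model is an added example, not code from the manual or from NETGEAR: it walks a LAN WAN rule table top to bottom (first match wins, then the default policy), using the inbound examples above (Web server at 192.168.1.99, one-to-one NAT of 10.1.0.5 to 192.168.1.11 port 8080) and a constructed outbound block rule. The Rule and Packet field names, the IM port 5190 and the sample addresses are assumptions for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the LAN WAN Rules tables; field names are assumptions,
# not the firewall's own data model.

@dataclass
class Packet:
    src: str      # source IP address
    dst: str      # destination IP as seen on the receiving interface
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass
class Rule:
    name: str
    action: str                           # "allow" or "block"
    proto: str                            # service transport protocol
    ports: tuple                          # (start, end) of the service port range
    src: str = "any"                      # "any", a single address, or CIDR
    wan_dst: str = "any"                  # WAN Destination IP Address (inbound rules)
    send_to: Optional[str] = None         # LAN server address (inbound rules)
    translate_port: Optional[int] = None  # Translate to Port Number (inbound rules)

def _matches_addr(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise a single address or CIDR must contain addr."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def _matches(rule: Rule, pkt: Packet) -> bool:
    lo, hi = rule.ports
    return (rule.proto == pkt.proto and lo <= pkt.dport <= hi
            and _matches_addr(rule.src, pkt.src)
            and _matches_addr(rule.wan_dst, pkt.dst))

def evaluate(rules, pkt: Packet, default_action: str):
    """Order of precedence: the first matching rule in table order decides.
    Returns (action, rule name, (lan_ip, port) forwarding target or None)."""
    for rule in rules:
        if _matches(rule, pkt):
            if rule.action == "allow" and rule.send_to:
                port = rule.translate_port or pkt.dport
                return "allow", rule.name, (rule.send_to, port)
            return rule.action, rule.name, None
    return default_action, "default", None

# Inbound Services table: the more specific one-to-one NAT rule is listed first.
INBOUND_RULES = [
    Rule("OneToOneNAT", "allow", "tcp", (80, 80), wan_dst="10.1.0.5",
         send_to="192.168.1.11", translate_port=8080),
    Rule("WebServer", "allow", "tcp", (80, 80), send_to="192.168.1.99"),
]

# Outbound Services table: block a constructed IM service, allow Web explicitly
# so that the default outbound policy can later be switched to Block Always.
OUTBOUND_RULES = [
    Rule("BlockIM", "block", "tcp", (5190, 5190), src="192.168.1.0/24"),
    Rule("AllowHTTP", "allow", "tcp", (80, 80), src="192.168.1.0/24"),
    Rule("AllowHTTPS", "allow", "tcp", (443, 443), src="192.168.1.0/24"),
]

def inbound(pkt: Packet):
    # Inbound traffic is blocked by default.
    return evaluate(INBOUND_RULES, pkt, "block")

def outbound(pkt: Packet, default: str = "allow"):
    # Default outbound policy is Allow Always unless changed to Block Always.
    return evaluate(OUTBOUND_RULES, pkt, default)

if __name__ == "__main__":
    print(inbound(Packet("203.0.113.7", "10.1.0.5", "tcp", 80)))
    print(outbound(Packet("192.168.1.20", "198.51.100.9", "tcp", 25), default="block"))
```

Reversing INBOUND_RULES shows why order matters: the generic WebServer rule then captures traffic for 10.1.0.5 before the NAT rule is reached.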
To enable the appropriate Attack Checks for your environment:
1. Select Security > Firewall from the main/submenu.
2. Click the Attack Checks tab. The Attack Checks screen is displayed.
Figure 5-8
3. Check the boxes for the Attack Checks you wish to monitor. The various types of attack checks are listed and defined below.
4. Click Apply to save your settings.
– Block TCP Flood. A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN requests to a target system. When the system responds, the attacker does not complete the connection, thus saturating the server with half-open connections. No legitimate connections can then be made.
Configuring Session Limits
To prevent one user or group from using excessive system resources, you can limit the total number of IP sessions allowed through the VPN firewall for an individual or group. You can specify the maximum number of sessions either as a percentage of the maximum number of sessions or as an absolute number. Session limiting is disabled by default.
To configure session limits:
1.
Note: Some protocols (such as FTP or RTSP) create two sessions per connection, which should be taken into account when configuring session limiting.
The Total Number of Packets Dropped due to Session Limit field shows the total number of packets dropped after the session limit was reached.
6. In the Session Timeout section, modify the TCP, UDP, and ICMP timeout values as required.
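As an added example that is not part of the manual, this Python class models per-source session limiting as described above: the limit is expressed either as a percentage of a total session capacity or as an absolute number, protocols such as FTP and RTSP consume two sessions per connection, and packets refused once the limit is reached are counted. The capacity of 1000 sessions, the class and method names and the sample addresses are assumptions.

```python
from collections import defaultdict

# Constructed total session capacity for this example (not a documented SRXN3205 value).
MAX_SESSIONS = 1000

# Protocols that open a control session plus a data session per connection.
TWO_SESSION_PROTOCOLS = ("ftp", "rtsp")

class SessionLimiter:
    """Per-source-IP session limit; limit_type is 'percent' or 'absolute'."""

    def __init__(self, limit_type, value, max_sessions=MAX_SESSIONS):
        if limit_type == "percent":
            self.limit = max_sessions * value // 100
        elif limit_type == "absolute":
            self.limit = value
        else:
            raise ValueError(f"unknown limit type {limit_type!r}")
        self.sessions = defaultdict(set)   # source IP -> set of (session key, sub-session index)
        self.dropped = 0                   # Total Number of Packets Dropped due to Session Limit

    @staticmethod
    def sessions_needed(service):
        # FTP and RTSP need two sessions per connection, everything else one.
        return 2 if service in TWO_SESSION_PROTOCOLS else 1

    def new_session(self, src_ip, session_key, service="other"):
        """Admit a new connection from src_ip, or drop its packet if the limit would be exceeded."""
        needed = self.sessions_needed(service)
        if len(self.sessions[src_ip]) + needed > self.limit:
            self.dropped += 1
            return False
        for i in range(needed):
            self.sessions[src_ip].add((session_key, i))
        return True

    def close(self, src_ip, session_key):
        """Release every sub-session of a connection (e.g. on session timeout)."""
        self.sessions[src_ip] = {k for k in self.sessions[src_ip] if k[0] != session_key}

    def count(self, src_ip):
        return len(self.sessions[src_ip])

if __name__ == "__main__":
    lim = SessionLimiter("percent", 1)          # 1% of 1000 = 10 sessions per source
    for i in range(6):
        print("ftp", i, lim.new_session("192.168.1.20", f"ftp{i}", "ftp"))
    print("dropped:", lim.dropped)
```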
Creating Services, QoS Profiles, and Bandwidth Profiles
When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules:
• Services. A service narrows down the firewall rule to an application and a port number. For information about adding services, see “Adding Customized Services” on page 5-19.
• QoS profiles.
To add a custom service:
1. Select Security > Services from the main/submenu. The Services screen is displayed.
Figure 5-11
2. In the Add Custom Services section, enter a descriptive name for the service (this name is for your convenience).
3. Select the Layer 3 transport protocol of the service: TCP, UDP, or ICMP.
4. Enter the first TCP or UDP port of the range that the service uses.
5. Enter the last port of the range that the service uses.
Setting Quality of Service (QoS) Priorities
The QoS setting determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall. You can change the QoS Priority:
• On the Services screen in the Custom Services Table for customized services (see Figure 5-11 on page 5-20).
• On the Add LAN WAN Outbound Services screen (see Figure 5-2 on page 5-8).
An exception occurs for an individual bandwidth profile if the classes are per source IP. The source IP is the IP address of the first packet of the connection; the class is deleted when all the connections using the class expire.
To add a bandwidth profile:
1. Select Security > Bandwidth Profile from the main/submenu. The Bandwidth Profile screen is displayed.
Figure 5-12
2. Click Add to add a new bandwidth profile.
3. Enter the following information:
a. Enter a Profile Name. This name becomes available in the firewall rule definition menus.
b. From the Direction pull-down box, select whether the profile applies to outbound, inbound, or both outbound and inbound traffic.
c. Depending on the direction that you selected, enter the minimum and maximum bandwidths to be allowed:
• Enter the Outbound Minimum Bandwidth and Outbound Maximum Bandwidth in Kbps.
Setting Schedules to Block or Allow Specific Traffic
If you enabled content filtering on the Block Sites screen, or if you defined an outbound or inbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The firewall allows you to specify when blocking is enforced by configuring one of the schedules: Schedule 1, Schedule 2, or Schedule 3.
Blocking Internet Sites (Content Filtering)
To restrict internal LAN users from accessing certain sites on the Internet, you can use the VPN firewall’s Content Filtering and Web Components filtering. By default, these features are disabled; all requested traffic from any website is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message.
You can apply the keywords to one or more groups. Requests from the PCs in the groups will be blocked where keyword blocking has been enabled. Blocking does not occur for the PCs in the groups where keyword blocking has been disabled. You can bypass Keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains.
Figure 5-15
Enabling Source MAC Filtering (Address Filtering)
In the Address Filter submenu, the Source MAC Filter screen allows you to block traffic coming from certain known machines or devices.
• By default, the source MAC address filter is disabled. Traffic received from any MAC address is allowed.
3. Select the action to be taken on outbound traffic from the listed MAC addresses:
– Block this list and permit all other MAC addresses.
– Permit this list and block all other MAC addresses.
4. Enter a MAC address in the Add Source MAC Address field and click Add. The MAC address appears in the MAC Addresses table. Repeat this process to add additional MAC addresses.
• Host2: Matching IP address but inconsistent MAC address in the IP/MAC Bindings table.
• Host3: Matching MAC address but inconsistent IP address in the IP/MAC Bindings table.
The VPN firewall blocks the traffic coming from Host2 and Host3, but allows the traffic coming from Host1 to any external network. The total count of dropped packets is displayed.
To enable IP/MAC Binding and add IP and MAC addresses for binding:
1.
5. Click Add. The new IP/MAC rule appears in the IP/MAC Bindings table.
The IP/MAC Bindings table lists the currently defined IP/MAC Bind rules:
• Name. Displays the user-defined name for this rule.
• MAC Addresses. Displays the MAC addresses for this rule.
• IP Addresses. Displays the IP addresses for this rule.
• Log Dropped Packets. Displays the logging option for this rule.
To edit an IP/MAC bind rule, click edit adjacent to the entry.
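The Host1/Host2/Host3 cases above, as an added Python model that is not code from the manual or from NETGEAR: a binding table keyed by both IP and MAC, a check that drops a packet when its IP is bound to a different MAC or its MAC is bound to a different IP, a running dropped-packet count, and per-rule Log Dropped Packets. The class and method names, the MAC normalisation and the sample addresses are assumptions.

```python
from dataclasses import dataclass

def normalize_mac(mac: str) -> str:
    """Accept xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx and return lower-case colon form."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass(frozen=True)
class Binding:
    name: str             # Name column of the IP/MAC Bindings table
    mac: str              # MAC Addresses column
    ip: str               # IP Addresses column
    log_dropped: bool = False   # Log Dropped Packets option

class IpMacBindingTable:
    def __init__(self, bindings):
        self.by_ip = {}    # ip  -> (mac, binding)
        self.by_mac = {}   # mac -> (ip, binding)
        for b in bindings:
            mac = normalize_mac(b.mac)
            self.by_ip[b.ip] = (mac, b)
            self.by_mac[mac] = (b.ip, b)
        self.dropped = 0   # total count of dropped packets, as shown on the screen
        self.log = []      # constructed log lines for rules with logging enabled

    def _drop(self, binding, src_ip, src_mac, reason):
        self.dropped += 1
        if binding.log_dropped:
            self.log.append(f"drop rule={binding.name} ip={src_ip} mac={src_mac} reason={reason}")
        return "drop"

    def check(self, src_ip: str, src_mac: str) -> str:
        """Return 'allow' or 'drop' for an outbound packet from (src_ip, src_mac)."""
        mac = normalize_mac(src_mac)
        bound = self.by_ip.get(src_ip)
        if bound is not None and bound[0] != mac:
            # Host2 case: IP is in the table but arrives with another MAC.
            return self._drop(bound[1], src_ip, mac, "ip bound to a different mac")
        bound = self.by_mac.get(mac)
        if bound is not None and bound[0] != src_ip:
            # Host3 case: MAC is in the table but arrives with another IP.
            return self._drop(bound[1], src_ip, mac, "mac bound to a different ip")
        # Host1 case (both match) or a host that is not bound at all.
        return "allow"

if __name__ == "__main__":
    table = IpMacBindingTable([Binding("Host1", "00:11:22:33:44:55", "192.168.1.10", True)])
    print(table.check("192.168.1.10", "00:11:22:33:44:55"))   # allow
    print(table.check("192.168.1.10", "00:11:22:33:44:99"))   # drop
    print(table.dropped, table.log)
```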
2. The VPN firewall records this connection, opens the additional incoming port or ports associated with this entry in the Port Triggering table, and associates them with the PC.
3. The remote system receives the PC’s request and responds using the different port numbers that you have now opened.
4. The VPN firewall matches the response to the previous request, and forwards the response to the PC.
2. Enter a user-defined name for this rule in the Name field.
3. From the Enable pull-down menu, indicate whether the rule is enabled or disabled.
4. From the Protocol pull-down menu, choose either the TCP or the UDP transport protocol.
5. In the Outgoing (Trigger) Port Range fields:
a. Enter the Start Port of the range (1 - 65534).
b. Enter the End Port of the range (1 - 65534).
6. In the Incoming (Response) Port Range fields:
a. Enter the Start Port of the range (1 - 65534).
b.
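The four-step port triggering sequence and the rule fields above, as an added Python model that is not code from the manual or from NETGEAR: an outgoing packet to a trigger port opens the rule's response range for that PC, a later incoming packet in the response range is forwarded to that PC, and the association expires after a timeout. The timeout value, the class and method names and the constructed IRC/ident rule are assumptions.

```python
from dataclasses import dataclass

@dataclass
class TriggerRule:
    name: str            # Name field
    enabled: bool        # Enable pull-down
    protocol: str        # Protocol pull-down: "TCP" or "UDP"
    trigger: tuple       # Outgoing (Trigger) Port Range: (start, end)
    response: tuple      # Incoming (Response) Port Range: (start, end)

    def __post_init__(self):
        # Both ranges must lie within 1 - 65534, as the fields require.
        for start, end in (self.trigger, self.response):
            if not (1 <= start <= end <= 65534):
                raise ValueError(f"{self.name}: port range {start}-{end} is outside 1 - 65534")

class PortTriggering:
    def __init__(self, rules, timeout=600):
        self.rules = {r.name: r for r in rules}
        self.timeout = timeout    # seconds an opened response range stays tied to the PC (assumed)
        self.opened = {}          # rule name -> (lan_ip, expiry time)

    def outbound(self, lan_ip: str, protocol: str, dport: int, now: float):
        """Steps 1-2: an outgoing packet to a trigger port opens the response range for lan_ip."""
        for rule in self.rules.values():
            if (rule.enabled and rule.protocol == protocol
                    and rule.trigger[0] <= dport <= rule.trigger[1]):
                self.opened[rule.name] = (lan_ip, now + self.timeout)
                return rule.name
        return None

    def inbound(self, protocol: str, dport: int, now: float):
        """Steps 3-4: return the LAN IP an incoming packet is forwarded to, or None.
        Expired associations are removed, so the response ports close again."""
        for name, (lan_ip, expiry) in list(self.opened.items()):
            if now >= expiry:
                del self.opened[name]
                continue
            rule = self.rules[name]
            if rule.protocol == protocol and rule.response[0] <= dport <= rule.response[1]:
                return lan_ip
        return None

if __name__ == "__main__":
    pt = PortTriggering([TriggerRule("IRC-ident", True, "TCP", (6667, 6667), (113, 113))])
    print(pt.inbound("TCP", 113, now=0))                      # None: nothing triggered yet
    print(pt.outbound("192.168.1.20", "TCP", 6667, now=0))    # IRC-ident
    print(pt.inbound("TCP", 113, now=5))                      # 192.168.1.20
    print(pt.inbound("TCP", 113, now=700))                    # None: association expired
```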
To check the status of port triggering, click the Status link to the right of the Port Triggering tab on the Port Triggering screen.
Figure 5-20
For more information, see “Viewing the Port Triggering Status” on page 10-14.
Configuring UPnP (Universal Plug and Play)
The UPnP (Universal Plug and Play) feature allows the VPN firewall to automatically discover and configure devices when it searches over the LAN and WAN.
1.
2. To enable the UPnP feature, click the Yes radio button. (The feature is enabled by default.) To disable the feature, click No.
3. Configure the following fields:
– Advertisement Period. Enter the period in minutes that specifies how often the VPN firewall broadcasts its UPnP information to all devices within its range.
– Advertisement Time to Live.
Administrator Tips
Consider the following operational items:
• As an option, you can enable remote management if you have to manage distant sites from a central location (see “Enabling Remote Management Access” on page 9-9).
Chapter 6 Virtual Private Networking Using IPsec
This chapter describes how to use the IPsec virtual private networking (VPN) features of the ProSafe Wireless-N VPN Firewall SRXN3205 to provide secure, encrypted communications between your local network and a remote network or computer.
Creating Gateway to Gateway VPN Tunnels with the Wizard
You can configure multiple gateway VPN tunnel policies through the VPN Wizard. You can also set up multiple remote VPN client policies through the VPN Wizard.
To set up a gateway VPN tunnel using the VPN Wizard:
1. Select VPN > IPsec VPN from the main/submenu.
2. Click the VPN Wizard tab. The VPN Wizard screen is displayed.
Figure 6-2
3. Select Gateway as your VPN tunnel connection type.
4. Create a Connection Name. Enter an appropriate name for the connection. This name is not supplied to the remote VPN endpoint; it is used to help you manage the VPN settings.
5. Enter a Pre-shared Key. The key must be entered both here and on the remote VPN gateway or remote VPN client. The key must be a minimum of 8 characters and must not exceed 49 characters.
7. Enter the Local WAN IP Address or FQDN of your VPN firewall.
Note: When the VPN firewall is online, this IP address is automatically filled in. The Local WAN IP address is used in the IKE negotiation phase. The WAN IP address assigned by your ISP may display automatically. You can modify the address to use your FQDN.
8. Enter the Remote LAN IP Address and Subnet Mask of the remote gateway.
To view or modify the VPN policy, see “Configuring VPN Policies” on page 6-20.
Creating a Client to Gateway VPN Tunnel with the Wizard
Follow these steps to configure the VPN client.
1. Select VPN > IPsec VPN from the main/submenu.
2. Click the VPN Wizard tab. The VPN Wizard screen is displayed.
Figure 6-4
3. Select VPN Client as your VPN tunnel connection type.
4. Create a Connection Name such as “client”.
5. Enter a Pre-shared Key. The key must be entered both here and on the VPN Client. The key must be a minimum of 8 characters and must not exceed 49 characters.
6. The public Remote and Local Identifiers are automatically filled in by prepending the first several letters of the model number of your gateway to form the FQDNs used in the VPN policies. In this example, we are using srxn_remote.com and srxn_local.com.
Each PC will use NETGEAR’s ProSafe VPN Client software. Since the PC’s IP address is assumed to be unknown, the PC must always be the initiator of the connection. This procedure was developed and tested using the following products:
• NETGEAR ProSafe Wireless-N VPN Firewall SRXN3205
• NETGEAR ProSafe VPN Client
• NETGEAR ProSafe VPN Firewall 200 FVX538 functioning as a NAT router.
2. Configure the following:
• From the ID Type pull-down menu, choose IP Subnet.
• Enter the LAN IP Subnet Address and Subnet Mask of the VPN firewall’s LAN.
• Check the Connect using radio box and choose Secure Gateway Tunnel from the pull-down menu.
• From the first ID Type pull-down menu, choose Domain Name and enter the FQDN address of the VPN firewall.
7. In the left frame, click Security Policy.
Figure 6-8
8. Configure the following:
• For the Phase 1 Negotiation Mode, select the Aggressive Mode radio box.
• Deselect the Enable Perfect Forward Secrecy (PFS) radio box.
• Select the Enable Replay Detection radio box.
9. In the left frame, expand Authentication (Phase 1).
Figure 6-9
10. Choose Proposal 1. The Proposal 1 fields should mirror those in Figure 6-9 on page 6-9. No changes should be necessary.
11. In the left frame, expand Key Exchange (Phase 2).
Figure 6-10
12. Choose Proposal 1. The fields in this proposal should also mirror those in Figure 6-9. No changes should be necessary.
13. In the upper left of the window, click the disk icon to save the policy.
Viewing VPN Firewall VPN Connection Status and Logs
To view recent VPN tunnel activity, select VPN > Connection Status from the main/submenu. The IPSec VPN Connection Status screen is displayed.
Figure 6-11
You can set a Poll Interval (in seconds) to check the connection status of all active IKE policies to obtain the latest VPN tunnel activity.
Figure 6-12
Managing IPsec VPN Policies
After you use the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name you selected as the VPN tunnel connection name during Wizard setup identifies both the VPN policy and the IKE policy. You can edit existing policies, or add new VPN and IKE policies directly in the policy tables.
IKE policies are activated when the following occur:
1. The VPN Policy Selector determines that some traffic matches an existing VPN policy. If the VPN policy is of type “Auto”, the Auto Policy Parameters defined in the VPN policy are consulted; they specify which IKE policy to use.
2.
Each policy contains the data explained in Table 6-1. These fields are explained in more detail in Table 6-2 on page 6-16.
Table 6-1. List of IKE Policies Information
Item: Name
Description: The name that identifies the IKE policy. When you use the VPN Wizard to set up a VPN policy, an accompanying IKE policy is automatically created with the same name that you select for the VPN policy.
Manually Adding or Editing an IKE Policy
To manually add an IKE policy:
1. Select VPN > IPsec VPN from the main/submenu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view (see Figure 6-13 on page 6-13).
2. Under the List of IKE Policies table, click the add button. The Add IKE Policy screen is displayed.
Figure 6-14
3. Complete the fields, select the radio buttons, and make your selections from the pull-down menus as explained in Table 6-2.
Table 6-2. Add IKE Policy Settings
Item: Mode Config Record
Description: Do you want to use Mode Config Record? Specify whether or not the IKE policy uses a Mode Config Record. For information about how to define a Mode Config Record, see “Mode Config Operation” on page 6-28.
Table 6-2. Add IKE Policy Settings (continued)
Item: Local Identifier Type
Description: From the pull-down menu, select one of the following ISAKMP identifiers to be used by the VPN firewall, and then specify the identifier in the field below:
• Local Wan IP. The WAN IP address of the VPN firewall. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface.
• FQDN.
Table 6-2. Add IKE Policy Settings (continued)
Item: Authentication Method
Description: Select one of the following radio buttons to specify the authentication method:
• Pre-shared key. A secret that is shared between the VPN firewall and the remote endpoint.
• RSA-Signature. Uses the active Self Certificate that you uploaded on the Certificates screen (see “Managing Certificates” on page 8-11).
Table 6-2. Add IKE Policy Settings (continued)
Item: Extended Authentication, XAUTH Configuration
Description: Note: For more information about XAUTH and its authentication modes, see “Configuring XAUTH for VPN Clients” on page 6-34.
4. Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE Policies table.
Configuring VPN Policies
You can create two types of VPN policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available.
• Manual. All settings (including the keys) for the VPN tunnel are manually entered at each end (both VPN endpoints). No third party server or organization is involved.
• Auto.
2. Click the VPN Policies tab. The VPN Policies screen is displayed.
Figure 6-15
Each policy contains the data explained in Table 6-3. These fields are explained in more detail in Table 6-4 on page 6-24.
Table 6-3. List of VPN Policies Information
Item: ! (Status)
Description: Indicates whether the policy is enabled (green circle) or disabled (grey circle).
To delete one or more VPN policies:
1. Select the checkbox to the left of the policy that you want to delete, or click the select all table button to select all VPN policies.
2. Click the delete table button.
To enable or disable one or more VPN policies:
1. Select the checkbox to the left of the policy that you want to enable or disable, or click the select all table button to select all VPN policies.
2. Click the enable or disable table button.
Figure 6-16
4. Complete the fields, select the radio buttons and checkboxes, and make your selections from the pull-down menus as explained in Table 6-4 on page 6-24.
Table 6-4. Add VPN Policy Settings
Item: General, Policy Name
Description: A descriptive name of the VPN policy for identification and management purposes.
Note: The name is not supplied to the remote VPN endpoint.
Item: Policy Type
Description: From the pull-down menu, select one of the following policy types:
• Auto Policy.
Table 6-4. Add VPN Policy Settings (continued)
Item: Traffic Selection, Local IP
Description: From the pull-down menu, select the address or addresses that are part of the VPN tunnel on the VPN firewall:
• Any. All PCs and devices on the network.
Note: You cannot select Any for both the VPN firewall and the remote endpoint.
• Single. A single IP address on the network. Enter the IP address in the Start IP Address field.
Table 6-4. Add VPN Policy Settings (continued)
Item: Integrity Algorithm
Description: From the pull-down menu, select one of the following two algorithms to be used in the VPN header for the authentication process:
• SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
• MD5. Hash algorithm that produces a 128-bit digest.
Item: Key-In
Description: The integrity key for the inbound policy.
Table 6-4. Add VPN Policy Settings (continued)
Item: PFS Key Group
Description: Select this checkbox to enable Perfect Forward Secrecy (PFS), and then select a Diffie-Hellman (DH) group from the pull-down menu. The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the pull-down menu, select one of the following three strengths:
• Group 1 (768 bit).
In the following example, we configured the VPN firewall using ModeConfig, and then configured a PC running ProSafe VPN Client software using these IP addresses.
• ProSafe Wireless-N VPN Firewall SRXN3205
– WAN IP address: 172.21.4.1
– LAN IP address/subnet: 192.168.2.1/255.255.255.0
• ProSafe VPN Client software IP address: 192.168.1.
Figure 6-17
3. Click add. The Add Mode Config Record screen is displayed.
Figure 6-18
4. Enter a descriptive Record Name such as “Sales”.
5. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients.
Note: The IP Pool should not be within your local network IP addresses. Use a different range of private IP addresses such as 172.20.xx.xx.
6. If you have a WINS Server on your local network, enter its IP address.
7. Enter one or two DNS Server IP addresses to be used by remote VPN clients.
8.
4. In the General section:
a. Enter a descriptive name in the Policy Name field such as “salesperson”. This name will be used as part of the remote identifier in the VPN client configuration.
b. Set Direction/Type to Responder.
c. The Exchange Mode will automatically be set to Aggressive.
5. For Local information:
a. Select FQDN for the Local Identity Type.
b.
10. Click Apply. The new policy will appear in the List of IKE Policies table.
Configuring Mode Config Operation on the VPN Client
From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection.
To configure the client PC:
1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon.
a.
3. On the left side of the menu, choose Security Policy.
a. Under Security Policy, Phase 1 Negotiation Mode, check the Aggressive Mode radio button.
b. Check the Enable Perfect Forward Secrecy (PFS) radio button, and choose Diffie-Hellman Group 2 from the PFS Key Group pull-down menu.
c. Enable Replay Detection should be checked.
4. Click Authentication (Phase 1) on the left side of the menu and choose Proposal 1.
XAUTH can be enabled when adding or editing an IKE Policy. Two types of XAUTH are available:
• Edge Device. If this is selected, the VPN firewall is used as a VPN concentrator where one or more gateway tunnels terminate. If this option is chosen, you must specify the authentication type to be used in verifying credentials of the remote VPN gateways: User Database, RADIUS-PAP, or RADIUS-CHAP.
• IPsec Host.
3. You can add XAUTH to an existing IKE policy by clicking edit adjacent to the policy to be modified, or you can create a new IKE policy incorporating XAUTH by clicking add.
4. In the Extended Authentication section, check the Edge Device radio box to use this VPN firewall as a VPN concentrator where one or more gateway tunnels terminate. You then must specify the authentication type to be used in verifying credentials of the remote VPN gateways.
or server in the network when a user requests access to network resources. During the establishment of a VPN connection, the VPN gateway can interrupt the process with an XAUTH request. At that point, the remote user must provide authentication information such as a username/password or some encrypted response using his username/password information.
• Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server.
• Primary Server NAS Identifier (Network Access Server). This identifier must be present in a RADIUS request. Ensure the NAS Identifier is configured identically on both client and server.
Configuring Keepalives
The keepalive feature maintains the IPSec SA by sending periodic ping requests to a host across the tunnel and monitoring the replies. To configure the keepalive on a configured VPN policy, follow these steps:
1. Select VPN > Policies from the main/submenu.
2. Click the VPN Policies tab, then click the edit button next to the desired VPN policy.
3.
Configuring Dead Peer Detection
The Dead Peer Detection feature maintains the IKE SA by exchanging periodic messages with the remote VPN peer. To configure Dead Peer Detection on a configured IKE policy, follow these steps:
1. Select VPN > Policies from the main/submenu.
2. Click the IKE Policies tab, then click the edit button next to the desired IKE policy.
3.
Configuring NetBIOS Bridging with VPN
Windows networks use the Network Basic Input/Output System (NetBIOS) for several basic network services such as naming and neighborhood device discovery. Because VPN routers do not normally pass NetBIOS traffic, these network services do not work for hosts on opposite ends of a VPN connection. To solve this problem, you can configure the VPN firewall to bridge NetBIOS traffic over the VPN tunnel.
Chapter 7 Virtual Private Networking Using SSL
The ProSafe Wireless-N VPN Firewall SRXN3205 provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a pre-installed VPN client on their computers.
Upon successful connection, an ActiveX-based SSL VPN client is downloaded to the remote PC that will allow the remote user to virtually join the corporate network. The SSL VPN Client provides a PPP (point-to-point) connection between the client and the VPN firewall, and a virtual network interface is created on the user’s PC.
3. Create one or more groups for your SSL VPN users. When you define the SSL VPN policies that determine network resource access for your SSL VPN users, you can define global policies, group policies, or individual policies. Because you must assign an authentication domain when creating a group, the group is created after you have created the domain.
4. Create one or more SSL VPN user accounts.
Portal Layouts are applied by selecting from available portal layouts in the configuration of a Domain. When you have completed your Portal Layout, you can apply the Portal Layout to one or more authentication domains (see “Creating a Domain” on page 8-1 to apply a Portal Layout to a Domain). You can also make the new portal the default portal for the SSL VPN gateway by selecting the default radio button adjacent to the portal layout name.
Figure 7-2
4. In the Portal Layout and Theme Name section of the screen, configure the following entries:
a. Enter a descriptive name for the portal layout in the Portal Layout Name field. This name will be part of the path of the SSL VPN portal URL.
Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.
c. To display a banner message to users before they log in to the portal, enter the banner title text in the Banner Title field. Also enter the banner message text in the Banner Message text area. Enter a plain text message or include HTML and JavaScript tags. The maximum length of the login screen message is 4096 characters.
These directives help prevent client browsers from caching SSL VPN portal screens and other web content.
Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to prevent out-of-date Web pages, themes, and data from being stored in a user’s Web browser cache.
e. Check the ActiveX web cache cleaner checkbox to load an ActiveX cache control when users log in to the SSL VPN portal.
Configuring Applications for Port Forwarding
Port Forwarding provides access to specific defined network services. To define these services, you must specify the internal addresses and TCP applications (port numbers) that will be intercepted by the Port Forwarding client on the user’s PC. The client will reroute this traffic to the VPN firewall.
4. In the TCP Port field, enter the TCP port number of the application to be tunneled. The table below lists many commonly used TCP applications and port numbers.
Table 7-1.
2. Select the Port Forwarding tab. The Port Forwarding screen is displayed (see Figure 7-4 on page 7-8).
3. If the server that you want to name does not appear in the List of Configured Applications for Port Forwarding table, you must add it before you can rename it.
4. In the Add New Host Name for Port Forwarding section, enter the IP address of the server that you want to name.
5.
• Create a static route on the corporate network’s firewall to forward local traffic intended for the VPN tunnel clients to the VPN firewall.
Select whether you want to enable full tunnel or split tunnel support based on your bandwidth:
– Full tunnel. Sends all of the client’s traffic across the VPN tunnel.
– Split tunnel. Sends only traffic destined for the corporate network based on the specified client routes.
3. Select Enable Full Tunnel Support unless you want split tunneling.
Note: In split tunneling, appropriate client routes must be added to allow traffic to be directed through the VPN tunnel. In full tunneling, all traffic is forwarded through the tunnel, including Internet traffic; client routes are not required.
4. (Optional) Enter a DNS Suffix to be appended to incomplete DNS search strings.
5.
3. In the Add Routes for VPN Tunnel Clients section, enter the destination network IP address of a local area network or subnet. For example, enter 192.168.0.0.
4. Enter the appropriate Subnet Mask.
5. Click Add. The “Operation succeeded” message appears at the top of the screen and the new client route is listed in the Configured Client Routes table. Restart the VPN firewall if VPN tunnel clients are currently connected.
Figure 7-6
3. In the Add New Resource section, type the (qualified) resource name in the Resource Name field.
4. In the Service pull-down menu, select the type of service to apply to the resource: either VPN Tunnel or Port Forwarding.
5. Click Add. The “Operation succeeded” message appears at the top of the screen, and the newly-added resource name appears on the List of Resources table.
6. Adjacent to the new resource, click the edit button.
Figure 7-7
7. From the Object Type pull-down menu, select one of the following:
• IP Address. Enter an IP address or fully qualified domain name in the IP Address/Name field.
• IP Network. Enter the IP network address in the Network Address field. Enter the mask length in the Mask Length (0-31) field.
8. Enter the Port Range or Port Number for the IP address or IP network you selected.
9.
3. If two or more user, group, or global policies are configured, the most specific policy takes precedence. For example, a policy configured for a single IP address takes precedence over a policy configured for a range of addresses, and a policy that applies to a range of IP addresses takes precedence over a policy applied to all IP addresses. If two or more IP address ranges are configured, then the smallest address range takes precedence.
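The precedence rule above can be written down as a small resolver. The following Python is an added example, not NETGEAR code or the firewall’s implementation: it ranks the candidate policies for a destination address by scope (single address, then range, then all addresses, with smaller ranges first) and, as an assumption the manual does not state, breaks remaining ties in favour of user policies over group policies over global policies. The policy names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Tie-break among equally specific policies. The manual does not state this
# order; it is an assumption of this example only.
SCOPE_ORDER = {"user": 0, "group": 1, "global": 2}
ALL_IPV4 = 2 ** 32


@dataclass(frozen=True)
class Policy:
    name: str
    scope: str         # "user", "group" or "global"
    destination: str   # "all", one address "a.b.c.d", or a range "a.b.c.d-w.x.y.z"
    permission: str    # "PERMIT" or "DENY"

    def address_bounds(self) -> Tuple[int, int]:
        """Return (first, last) as integers; "all" covers the whole IPv4 space."""
        if self.destination == "all":
            return 0, ALL_IPV4 - 1
        if "-" in self.destination:
            lo, hi = (ipaddress.IPv4Address(p.strip())
                      for p in self.destination.split("-", 1))
            if hi < lo:
                raise ValueError(f"{self.name}: range end precedes range start")
            return int(lo), int(hi)
        single = int(ipaddress.IPv4Address(self.destination))
        return single, single

    def covers(self, ip: str) -> bool:
        """True if the destination address falls inside this policy's scope."""
        lo, hi = self.address_bounds()
        return lo <= int(ipaddress.IPv4Address(ip)) <= hi

    def specificity(self) -> Tuple[int, int, int]:
        """Sort key; the smallest key is the most specific policy.

        rank 0 = single address, 1 = address range, 2 = all addresses;
        then the number of addresses covered (smallest range wins);
        then the assumed user > group > global ordering.
        """
        lo, hi = self.address_bounds()
        size = hi - lo + 1
        rank = 2 if size == ALL_IPV4 else (0 if size == 1 else 1)
        return rank, size, SCOPE_ORDER[self.scope]


def effective_policy(policies: List[Policy], ip: str) -> Optional[Policy]:
    """Return the policy that governs access to `ip`, or None if none covers it."""
    applicable = [p for p in policies if p.covers(ip)]
    if not applicable:
        return None
    return min(applicable, key=Policy.specificity)


def is_permitted(policies: List[Policy], ip: str) -> bool:
    """Access is allowed only when the governing policy is a PERMIT policy."""
    policy = effective_policy(policies, ip)
    return policy is not None and policy.permission == "PERMIT"


# Constructed sample policy set (illustrative, not from the manual):
# a global deny, a group permit for a /24 worth of servers, a smaller group
# deny inside it, and a user permit for one host inside the deny range.
SAMPLE_POLICIES = [
    Policy("deny-everything", "global", "all", "DENY"),
    Policy("group-servers", "group", "192.168.1.0-192.168.1.255", "PERMIT"),
    Policy("group-dmz-block", "group", "192.168.1.16-192.168.1.31", "DENY"),
    Policy("user-fileserver", "user", "192.168.1.20", "PERMIT"),
]

if __name__ == "__main__":
    for addr in ("192.168.1.5", "192.168.1.18", "192.168.1.20", "10.0.0.1"):
        chosen = effective_policy(SAMPLE_POLICIES, addr)
        print(addr, "->", chosen.name if chosen else "no policy",
              "permitted:", is_permitted(SAMPLE_POLICIES, addr))
```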
Viewing Policies
To view the existing policies, follow these steps:
1. Select VPN > SSL VPN from the main/submenu.
2. Select the Policies tab. The Policies screen is displayed.
Figure 7-8
3. Make your selection from the following Query options:
• Click Global to view all global policies.
• Click Group to view group policies, and choose the relevant group’s name from the pull-down menu.
Adding a Policy
To add a policy, follow these steps:
1. Select VPN > SSL VPN from the main/submenu.
2. Select the Policies tab. The Policies screen will be displayed (see Figure 7-8 on this page).
3. Make your selection from the following Query options:
• Click Global if this new policy is to exclude all users and groups.
• Click Group if this new policy is to be limited to a selected group.
If a needed network resource has not been defined, you can add it before proceeding with this new policy. See “Adding New Network Resources” on page 7-13.
• If you choose IP Address, enter a descriptive policy name in the Policy Name field, enter the specific IP Address, then choose the Service and relevant Permission from the pull-down menus.
• If you choose All Addresses, enter a descriptive policy name in the Policy Name field, then choose the Service and relevant Permission from the pull-down menus.
Figure 7-12
6. When you are finished making your selections, click Apply. The Policies screen reappears. The new policy goes into effect immediately and is added to the policies in the List of SSL VPN Policies table on this screen.
Chapter 8 Managing Users, Authentication, and Certificates
This chapter contains the following sections:
• “Adding Authentication Domains, Groups, and Users” on this page
• “Managing Certificates” on page 8-11
Adding Authentication Domains, Groups, and Users
You must create name and password accounts for all users who will connect to the VPN firewall. This includes administrators and SSL VPN clients.
Table 8-1 summarizes the authentication protocols and methods that the VPN firewall supports.
Table 8-1. Authentication Protocols and Methods
Authentication Protocol or Method – Description (or Subfield and Description)
PAP – Password Authentication Protocol (PAP) is a simple protocol in which the client sends a password in clear text.
To create a domain:
1. Select Users > Domains from the main/submenu. The Domains screen is displayed.
Figure 8-1
2. Click add. The Add Domain screen is displayed.
Figure 8-2
3. Configure the following fields:
a. Enter a descriptive name for the domain in the Domain Name field.
b. Select the Authentication Type. The required fields are activated in varying combinations according to your selection of Authentication Type:
Table 8-2.
Creating a Group
The use of groups simplifies the configuration of VPN policies when different sets of users will have different restrictions and access controls.
Note: Groups that are defined on the User screen are used for setting SSL VPN policies. These groups should not be confused with LAN groups that are defined on the LAN Groups screen, which are used to simplify firewall policies.
To create a group:
1.
Creating a New User Account
To add individual user accounts:
1. Select Users > Users from the main/submenu. The Users screen is displayed.
Figure 8-4
2. Click add. The Add User screen is displayed.
Figure 8-5
3. Configure the following fields:
a. User Name. Enter a unique identifier, using any alphanumeric characters.
b. User Type. Select either Administrator, SSL VPN User, or IPsec VPN User.
c. Select Group. Select from a list of configured groups. The user will be associated with the domain that is associated with that group.
d. Password/Confirm Password. The password can contain alphanumeric characters, dash, and underscore.
e. Idle Timeout. For an Administrator, this is the period after which an idle user will be automatically logged out of the Web Configuration Manager.
4. Click Apply to save and apply your entries.
To restrict logging in based on IP address:
1. In the Action column of the List of Users table, click Policies adjacent to the user policy you want to configure. The Login Policies screen is displayed.
2. Select the by Source IP Address tab. The by Source IP Address screen is displayed.
Figure 8-7
3.
To restrict logging in based on the user’s browser:
1. In the Action column of the List of Users table, click Policies adjacent to the user policy you want to configure. The Login Policies screen is displayed.
2. Select the by Client Browser tab. The by Client Browser screen is displayed.
Figure 8-8
3. In the Defined Browsers Status section, select:
• Deny Login from Defined Browsers to deny logging in from browsers that you will specify.
To modify user settings, including administrative user settings:
1. Select Users > Users from the main/submenu. The Users screen is displayed (see Figure 8-4 on page 8-6).
2. In the Action column of the List of Users table, click edit for the user whose settings you want to modify. The Edit User screen is displayed.
Figure 8-9
3. Configure the following fields:
a. Select User Type.
c. Idle Timeout. Change the idle logout time to the number of minutes you require. The default is 5 minutes.
4. Click Apply to save your settings or Cancel to return to your previous settings.
Note: The password and time-out value you enter will be changed back to password and 10 minutes, respectively, after a factory defaults reset.
The VPN firewall uses digital certificates to authenticate connecting VPN gateways or clients, and to be authenticated by remote entities. A certificate that authenticates a server, for example, is a file that contains:
• A public encryption key to be used by clients for encrypting messages to the server.
• Information identifying the operator of the server.
• A digital signature confirming the identity of the operator of the server.
Figure 8-10
When you obtain a self certificate from a CA, you will also receive the CA certificate. In addition, many CAs make their certificates available on their websites. To load a CA certificate into your VPN firewall:
1. Store the CA certificate file on your computer.
2. Under Upload Trusted Certificates on the Certificates screen, click Browse and locate the CA certificate file.
3. Click upload.
• Subject Name. This is the name that other organizations will see as the holder (owner) of this certificate. This should be your registered business name or official company name. Generally, all of your certificates should have the same value in the Subject field.
• Serial Number. This is a serial number maintained by the CA. It is used to identify the certificate within the CA.
• Issuer Name. The name of the CA that issued the certificate.
Figure 8-12
3. Complete the Optional fields, if desired, with the following information:
• IP Address. If you have a fixed IP address, you may enter it here. Otherwise, you should leave this field blank.
• Domain Name. If you have an Internet domain name, you can enter it here. Otherwise, you should leave this field blank.
• E-mail Address. Enter the e-mail address of a technical contact in your organization.
4. Click generate.
5. In the Self Certificate Requests table, click view in the Action column to view the request.
Figure 8-14
6. Copy the contents of the Data to supply to CA text box into a text file, including all of the data from “-----BEGIN CERTIFICATE REQUEST-----” to “-----END CERTIFICATE REQUEST-----”.
7. Submit your certificate request to a CA:
a. Connect to the website of the CA.
b. Start the Self Certificate request procedure.
c.
9. Return to the Certificates screen and locate the Self Certificate Requests section.
Figure 8-15
10. Select the checkbox next to the certificate request, then click Browse and locate the certificate file on your PC.
11. Click upload. The certificate file will be uploaded to this device and will appear in the Active Self Certificates table.
The Certificate Revocation Lists (CRL) table lists your active CAs and their critical release dates:
• CA Identifier – The official name of the CA which issued this CRL.
• Last Update – The date when this CRL was released.
• Next Update – The date when the next CRL will be released.
2. Click Browse and locate the CRL file you previously downloaded from a CA.
3. Click upload.
Chapter 9 VPN Firewall and Network Management
This chapter describes how to use the network management features of your ProSafe Wireless-N VPN Firewall SRXN3205. The VPN firewall offers many tools for managing the network traffic to optimize its performance. You can also control administrator access, be alerted to important events requiring prompt action, monitor the firewall status, perform diagnostics, and manage the firewall configuration file.
In practice, the WAN side bandwidth capacity will be much lower when DSL or cable modems are used to connect to the Internet. As a result, and depending on the traffic being carried, the WAN side of the firewall will be the limiting factor to throughput for most installations.
• WAN Users. These settings determine which Internet locations are covered by the rule, based on the IP address.
– Any. The rule applies to all Internet IP addresses.
– Single address. The rule applies to a single Internet IP address.
– Address range. The rule is applied to a range of Internet IP addresses.
• Services. You can specify the desired services or applications to be covered by a rule.
Blocking Sites
If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the VPN firewall’s filtering feature. By default, this feature is disabled; all requested traffic from any website is allowed.
• Keyword (and Domain Name) Blocking.
Port Forwarding
The firewall always blocks DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it (that is, the service is unavailable). You can also create additional firewall rules that are customized to block or allow specific traffic.
• WAN Users. These settings determine which Internet locations are covered by the rule, based on the IP address.
– Any. The rule applies to all Internet IP addresses.
– Single address. The rule applies to a single Internet IP address.
– Address range. The rule is applied to a range of Internet IP addresses.
• Destination Address. These settings determine the destination IP address for this rule, which will be applicable to incoming traffic.
– After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC. This is required because the firewall cannot be sure when the application has terminated. See “Configuring Port Triggering” on page 5-31 for the procedure on how to use this feature.
VPN Tunnels
The VPN firewall permits up to 5 IPsec VPN tunnels and 3 SSL VPN tunnels, not to exceed 8 total tunnels at a time.
Changing Passwords and Administrator Settings
The default administrator and guest password for the Web Configuration Manager is password. Netgear recommends that you change this password to a more secure password. You can also configure a separate password for the guest account. To modify the Administrator user account settings, including the password:
1. Select Users > Users from the main/submenu. The List of Users screen is displayed.
Figure 9-2
3. Select the Check to Edit Password checkbox. The password fields become active.
4. Enter the old password, then enter the new password twice.
5. (Optional) To change the idle timeout for an administrator login session, enter a new number of minutes in the Idle Timeout field.
6. Click Apply to save your settings or Reset to return to your previous settings.
To configure the VPN firewall for remote management:
1. Select Administration > Remote Management from the main/submenu. The Remote Management screen is displayed.
Figure 9-3
2. Click the Yes radio button to enable secure HTTP management (enabled by default), and configure the external IP addresses that will be allowed to connect.
a. To allow access from any IP address on the Internet, select Everyone.
b.
4. To enable remote management by the command line interface (CLI) over Telnet, click Yes to Allow Telnet Management, and configure the external IP addresses that will be allowed to connect.
a. To allow access from any IP address on the Internet, select Everyone.
b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range.
c.
Note: If you disable HTTPS remote management, all SSL VPN user connections will also be disabled.
Tip: If you are using a dynamic DNS service such as TZO, you can identify the WAN IP address of your VPN firewall by running tracert from the Windows Run menu option. Trace the route to your registered FQDN. For example, enter tracert SRXN3205.mynetgear.net, and the WAN IP address that your ISP assigned to the VPN firewall is displayed.
2. Configure the following fields in the Create New SNMP Configuration Entry section:
• Enter the IP address of the SNMP manager in the IP Address field and the subnet mask in the Subnet Mask field.
– If you want to allow only the host address to access the VPN firewall and receive traps, enter an IP Address of, for example, 192.168.1.101 with a subnet mask of 255.255.255.255.
2. Modify any of the information that you want the SNMP Manager to use. You can edit the system contact, system location, and system name.
3. Click Apply to save your settings.
Managing the Configuration File
Once you have installed the VPN firewall and have it working properly, you should back up a copy of your settings, in case something gets corrupted. When you back up the settings, these are saved as a file on your computer.
2. Click backup to save a copy of your current settings.
• If your browser is not set up to save downloaded files automatically, locate where you want to save the file, specify the file name, and click Save.
• If you have your browser set up to save downloaded files automatically, the file will be saved to your browser’s download location on the hard disk.
Upgrading the Firmware
You can install a different version of the VPN firewall firmware from the Settings Backup and Firmware Upgrade screen. To view the current version of the firmware that your VPN firewall is running, select Monitoring from the main menu. The Router Status screen is displayed, showing all of the VPN firewall router statistics, including the firmware version.
Configuring Date and Time Service
The Time Zone screen provides settings for date, time and NTP server designations. The Network Time Protocol (NTP) is used to synchronize computer clock times in a network of computers. To set date, time, and NTP servers:
1. Select Administration > Time Zone from the main/submenu. The Time Zone screen is displayed.
Figure 9-7
2. From the Date/Time pull-down menu, select the local time zone.
Note: If you select the default NTP servers or if you enter a custom server FQDN, the VPN firewall must determine the IP address of the NTP server by a DNS lookup. You must configure a DNS server address on the WAN ISP Settings screen before the VPN firewall can perform this lookup.
5. Click Apply to save your settings.
Chapter 10 Monitoring System Performance
This chapter describes the full set of system monitoring features of your ProSafe Wireless-N VPN Firewall SRXN3205. You can be alerted to important events such as WAN port rollover, WAN traffic limits reached, and login failures and attacks. You can also view status information about the firewall, WAN port, LAN ports, and VPN tunnels.
You must have e-mail notification enabled to receive the logs in an e-mail message. If you do not have e-mail notification enabled, you can view the logs by clicking the View Log link to the right of the Firewall Logs & E-mail tab (see “Viewing the Logs” on page 10-4). Selecting all events will increase the size of the log, so it is good practice to select only those events which are required. To configure logging and notifications:
1.
2. In the Log Options section, enter the name of the log in the Log Identifier field, which is a mandatory field used to identify which device sent the log messages. The identifier is appended to log messages.
3. In the Routing Logs section, select the network segments for which you would like logs to be sent (for example, LAN to WAN under Dropped Packets).
4.
Table 10-1.
If the E-mail Logs option has been enabled on the Firewall Logs & E-mail screen, you can send a copy of the log by clicking send log. Click refresh log to retrieve the latest update. Click clear log to delete all entries. Log entries are described in Table 10-2.
Table 10-2. Firewall Log Field Descriptions
Field – Description
Date and Time – The date and time the log entry was recorded.
Figure 10-3
3. Enable the traffic meter by clicking the Yes radio box under Do you want to enable Traffic Metering on WAN? The traffic meter will record the volume of Internet traffic passing through the WAN. Select the following options:
• No Limit. Any specified restrictions will not be applied when the traffic limit is reached.
• Download only. The specified restrictions will be applied to the incoming traffic only.
• Both Directions.
Note: Both incoming and outgoing traffic are included in the limit.
• Increase this month limit by. Temporarily increase the Traffic Limit if you have reached the monthly limit, but need to continue accessing the Internet. Select the checkbox and enter the desired increase. (The checkbox will automatically be cleared when saved so that the increase is only applied once.)
• This month limit. Displays the limit for the current month.
4.
To display a report of Internet traffic by type, click the Traffic by Protocol link to the right of the WAN Traffic Meter tab. The volume of traffic for each protocol will be displayed in a popup window. Traffic counters are updated in MBytes scale; the counter starts only when traffic passed is at least 1MB.
Figure 10-4
Viewing VPN Firewall Configuration and System Status
The Router Status screen provides status and usage information.
Table 10-3. Router Status Fields (continued)
Item – Description
WAN Configuration (for configuration, see “Configuring the Internet Connection (WAN)” on page 2-4):
• WAN State: UP or DOWN.
• NAT: Enabled or Disabled.
• Connection Type: Static IP, DHCP, PPPoE, or PPTP.
• Connection State: Connected or Disconnected.
• WAN IP Address: The IP address of the WAN interface.
• Subnet Mask: The IP subnet mask of the WAN interface.
Monitoring VPN Firewall Statistics
To display the VPN firewall statistics:
1. Select Monitoring > Router Status from the menu. The Router Status screen is displayed.
2. Click the Show Statistics link in the upper right-hand section of the screen. The Router Statistics screen is displayed.
2. Click the WAN Status link to the very right of the WAN ISP Settings screen. The Connection Status popup window is displayed.
Figure 10-7
Depending on the type of connection, any of the following buttons may be displayed on the Connection Status screen:
• renew. Click to renew the DHCP lease.
• release. Click to disconnect the DHCP connection.
• disconnect. Click to disconnect the static IP connection.
2. Click the LAN Groups tab. The LAN Groups screen is displayed.
Figure 10-8
The Known PCs and Devices table contains a list of all known PCs and network devices that are assigned dynamic IP addresses by the VPN firewall, or have been discovered by other means. Collectively, these entries make up the LAN Groups Database. The LAN Groups Database is updated by these methods:
• DHCP Client Requests.
• IP Address. The current IP address of the computer. For DHCP clients of the VPN firewall, this IP address will not change. If a computer is assigned a static IP address, you will need to update this entry manually if the IP address on the computer has been changed.
• MAC Address. The MAC address of the PC’s network interface.
• Group. Each PC or device can be assigned to a single group.
Monitoring Active Users
The Active Users screen displays a list of administrators and SSL VPN users currently logged into the device. To display the list of active users: Select Monitoring > Active Users from the main/submenu. The Active Users screen is displayed.
Figure 10-10
The active user’s username, group, and IP address are listed in the table with a timestamp indicating the time and date that the user logged in.
ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual The status window displays the following information: Table 10-4. Port Triggering Status Item Description Rule The name of the port triggering rule associated with this entry. LAN IP Address The IP address of the PC currently using this rule. Open Ports The incoming ports which are associated the this rule. Incoming traffic using one of these ports will be sent to the IP address above.
ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Table 10-5. IPsec Connection Status Fields Item Description Policy Name The name of the VPN policy associated with this SA. Endpoint The IP address on the remote VPN endpoint. Tx (KB) The amount of data transmitted over this SA. Tx (Packets) The number of IP packets transmitted over this SA. State The current status of the SA. Phase 1 is Authentication phase and Phase 2 is Key Exchange phase.
ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Viewing the VPN Logs To view VPN firewall IPsec VPN logs: Select Monitoring > VPN Logs from the main/submenu. The IPsec VPN Logs screen is displayed. Figure 10-14 To view the most recent entries, click refresh log; to delete all the existing log entries, click clear log. To view VPN firewall SSL VPN logs: 1. Select Monitoring > VPN Logs from the main/submenu. The IPsec VPN Logs screen is displayed. 2. Select the SSL VPN Logs tab.
The SSL VPN Logs screen is displayed (Figure 10-15). To view the most recent entries, click refresh log; to delete all the existing log entries, click clear log. Clearing is immediate and cannot be undone; if entries may be needed later (for example, for an incident investigation), forward them to a syslog server before clearing.
Chapter 11 Troubleshooting

This chapter provides troubleshooting tips and information for your ProSafe Wireless-N VPN Firewall SRXN3205. After each problem description, instructions are provided to help you diagnose and solve the problem.
Power LED Not On

If the Power and other LEDs are off when your VPN firewall is turned on:
• Verify that the power adapter cord is properly connected to the VPN firewall and that the power adapter is plugged into a functioning power outlet.
• Verify that you are using the 12 VDC, 1.5 A power adapter supplied by NETGEAR for this product.
If the error persists, you have a hardware problem and should contact technical support.
Troubleshooting the Web Configuration Interface

If you are unable to access the VPN firewall's Web Configuration interface from a PC on your local network, check the following:
• Check the Ethernet connection between the PC and the VPN firewall as described in the previous section.
• Ensure that your PC's IP address is on the same subnet as the VPN firewall.
If the VPN firewall does not save changes you have made in the Web Configuration interface, check the following:
• When entering configuration settings, be sure to click Apply before moving to another screen, or your changes are lost.
• Click the Refresh or Reload button in the Web browser. The changes may have been applied, but the browser may be displaying a cached copy of the old configuration.
• Your ISP may check for your PC's host name. Assign the PC host name of your ISP account as the Account Name in the WAN ISP Settings screen (see Figure 2-3 on page 2-5).
• Your ISP may allow only one Ethernet MAC address to connect to the Internet, and may check for your PC's MAC address.
Pinging <IP address> with 32 bytes of data

If the path is working, you will see this message:
Reply from <IP address>: bytes=32 time=NN ms TTL=xxx

If the path is not working, you will see this message:
Request timed out

If the path is not functioning correctly, you could have one of the following problems:
• Wrong physical connections – Make sure the LAN port LED is on.
– If your ISP assigned a host name to your PC, enter that host name as the Account Name on the WAN ISP Settings screen (see Figure 2-3 on page 2-5).
– Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by allowing traffic only from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem.
Problems with the date and time function can include:
• Date shown is January 1, 2000. Cause: the VPN firewall has not yet successfully reached a Network Time Server. Verify that your Internet access settings are configured correctly. If you have just completed configuring the VPN firewall, wait at least five minutes and check the date and time again. Until the clock is correct, log timestamps are wrong and certificate validity checks (SSL VPN, and IPsec with RSA signature authentication) can fail.
• Time is off by one hour.
Table 11-1 explains the utilities that are available on the Diagnostics screen.

Table 11-1. Diagnostics
Ping or trace an IP address:
Ping. Sends a ping (ICMP echo) request to a specified IP address, most often to test a connection. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices are configured not to respond to ping, so a timeout alone does not prove that the host is down.
Appendix A Default Settings and Technical Specifications

You can use the reset button located on the rear panel to reset all settings to their factory defaults. This is called a hard reset.
• To perform a hard reset, press and hold the reset button for approximately 10 seconds (until the TEST LED blinks rapidly). Your device returns to the factory configuration settings shown in Table A-1 below. A hard reset also restores the factory administrator credentials and discards the firewall, VPN and wireless security settings you had configured, so change the administrator password and reconfigure the device before exposing it to untrusted networks again.
Table A-1. VPN firewall Default Configuration Settings (continued)
Local Network (LAN) (continued)
DHCP Starting IP Address: 192.168.1.2
DHCP Ending IP Address: 192.168.1.
Technical Specifications

Table A-2. VPN firewall Technical Specifications
Network Protocol and Standards Compatibility
  Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)
Power Adapter
  North America: 120 V, 60 Hz input
  United Kingdom, Australia: 240 V, 50 Hz input
  Europe: 230 V, 50 Hz input
  Japan: 100 V, 50/60 Hz input
Physical Specifications
  Dimensions: 1.7 x 10 x 7.2 in.
Table A-3. SSL VPN Technical Specifications
Network Management: Web-based configuration and status monitoring
Concurrent Users Supported: 10 tunnels
Encryption and integrity algorithms: DES, 3DES, AES (encryption); MD5, SHA-1 (message integrity)
Authentication: Local user database, RADIUS, LDAP, MS Active Directory
Certificates supported: X.

Note: DES and MD5 are no longer considered secure and 3DES is deprecated; where the configuration allows a choice, use AES with SHA-1, the strongest combination this device offers.
Table A-4. Wireless Technical Specifications (continued)
802.11ng Data Rates (ProSafe Wireless-N VPN Firewall)
Data rates for channel width 20 MHz and short guard interval (400 ns): Best (automatic rate selection), 7.2 Mbps, 14.4 Mbps, 21.7 Mbps, 28.9 Mbps, 43.3 Mbps, 57.8 Mbps, 65 Mbps, 72.2 Mbps, 14.44 Mbps, 28.88 Mbps, 43.33 Mbps, 57.77 Mbps, 86.66 Mbps, 115.56 Mbps, 130 Mbps, 144.44 Mbps
Data rates for channel width 20 MHz and long guard interval (800 ns): Best, 6.
Appendix B Two-Factor Authentication

This appendix provides an overview of two-factor authentication and an example of how to implement the WiKID solution. It contains the following sections:
• "Why do I need Two-Factor Authentication?" on this page.
• Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall products.
• Proven regulatory compliance. Two-factor authentication has been used as a mandatory authentication process for many corporations and enterprises worldwide.
The request-response architecture is capable of self-service initialization by end users, dramatically reducing implementation and maintenance costs.

Here is an example of how WiKID works.
1. The user launches the WiKID token software, enters the PIN that has been given to them (something they know), and then presses "continue" to receive the OTP from the WiKID authentication server (Figure B-1).
2.
Note: The one-time passcode is time-synchronized with the authentication server so that the OTP can be used only once and must be used before its expiration time. If a user does not use the passcode before it expires, the user must go through the request process again to generate a new OTP.
3. The user then proceeds to the Two-Factor Authentication login screen and enters the generated one-time passcode as the login password.
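The three steps above (PIN in, short-lived passcode out, passcode accepted once at login) are the whole contract of a request-response OTP scheme. The Python model below is an added example written for this page; it is not WiKID's software or protocol, and the user name, PIN, passcode length, lifetime and guess limit are assumed values. It shows the two failure modes the note describes, expiry and reuse, plus the guess limit a six-digit code needs.

```python
"""Request-response one-time-passcode flow, modelled after the steps above.
Added example: a generic model written for this page, not WiKID's software
or protocol. The user name, PIN, passcode length, lifetime and guess limit
are assumed values for the illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OTP_DIGITS = 6          # assumed passcode length
OTP_LIFETIME = 60       # assumed validity window in seconds
MAX_ATTEMPTS = 3        # wrong guesses allowed before the passcode is voided


@dataclass
class IssuedOtp:
    code: str
    expires_at: float
    used: bool = False
    attempts: int = 0


class OtpServer:
    """Holds each user's PIN (hashed) and at most one outstanding passcode."""

    def __init__(self) -> None:
        self._pins: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, PIN hash)
        self._issued: Dict[str, IssuedOtp] = {}

    @staticmethod
    def _hash_pin(salt: bytes, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, user: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._pins[user] = (salt, self._hash_pin(salt, pin))

    def request_otp(self, user: str, pin: str, now: Optional[float] = None) -> Optional[str]:
        """Step 1: the user presents the PIN (something they know). On success a
        fresh passcode is issued; any earlier outstanding passcode for the user
        is replaced, so only the newest one can be used."""
        now = time.time() if now is None else now
        record = self._pins.get(user)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash_pin(salt, pin)):
            return None
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._issued[user] = IssuedOtp(code, now + OTP_LIFETIME)
        return code

    def verify(self, user: str, code: str, now: Optional[float] = None) -> bool:
        """Step 3: the login screen submits the passcode as the password. It is
        accepted once, only before it expires, and only within a small number
        of wrong guesses (a 6-digit code is otherwise brute-forceable within
        the lifetime)."""
        now = time.time() if now is None else now
        issued = self._issued.get(user)
        if issued is None or issued.used:
            return False
        if now >= issued.expires_at:
            del self._issued[user]          # expired: the user must request again
            return False
        if not hmac.compare_digest(issued.code, code):
            issued.attempts += 1
            if issued.attempts >= MAX_ATTEMPTS:
                del self._issued[user]      # too many guesses: void the passcode
            return False
        issued.used = True                  # a replay of the same code now fails
        return True


if __name__ == "__main__":
    server = OtpServer()
    server.enroll("alice", "1234")          # constructed user and PIN
    otp = server.request_otp("alice", "1234")
    print("issued", otp, "accepted", server.verify("alice", otp),
          "replay accepted", server.verify("alice", otp))
```

When the passcode is submitted as the login password (step 3), the firewall or RADIUS server plays the role of `verify`: the PIN never crosses the login screen, the passcode is single-use, and an attacker who captures it learns nothing that is still valid after it has been consumed or has expired.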
Appendix C Related Documents

This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.

Document: Link
TCP/IP Networking Basics: http://documentation.netgear.com/reference/enu/tcpip/index.htm
Wireless Networking Basics: http://documentation.netgear.com/reference/enu/wireless/index.htm
Preparing Your Network: http://documentation.netgear.
Index

Numerics
3322.org 2-12

Attack Checks, about 5-14
Attack Checks screen 5-15
authentication for IPsec VPN
  pre-shared key 6-18
  RSA signature 6-18
  See also RADIUS, MIAS, WiKID, NT Domain, Active Directory, or LDAP.

example of 5-14
Broadcast Wireless Network Name. See SSID.

CA, about 8-12
Carrier Sense Multiple Access with Collision Detection. See CSMA/CD.
certificate, generate new CSR 8-14
crossover cable 1-2, 11-2
CSMA/CD 4-18
CSR 8-14
customized service
  adding 5-3, 5-20
  editing 5-20

Data Encryption Standard. See DES.
lease time 3-4
diagnostics
  DNS lookup 11-8
  packet capture 11-8
  ping 11-8
  rebooting 11-8
  routing table 11-8
Diagnostics screen 11-8
Diffie-Hellman. See DH (group).

default setting 4-18
fragmented IP packets 9-5
fully qualified domain name. See FQDN.

Global Policies 7-15
Group Names, editing 3-9
Group Policies 7-15
groups, managing 3-5

Inbound Service Rule, modifying 5-10
Inbound Services, field descriptions 5-5
increasing traffic 9-4
  Port Forwarding 9-5
  Port Triggering 9-6
  VPN Tunnels 9-7
installation 1-5
interference sources 4-2
Interior Gateway Protocol. See IGP.

list of 3-7, 10-12
L2TP 5-16
LAN configuration 3-1
  using LAN IP setup options 3-2
LAN Groups Database
  about 3-5, 10-12
  advantages of 3-6
  fields 3-7
LAN Groups menu 3-7, 10-12
LAN Setup screen 3-3

MAC address 4-18, 11-7
  authentication by ISP 2-15
  configuring 2-6
  format 2-15
  in LAN groups database 3-8
  restricting access 4-3
  spoofing 11-5
  trusted PCs 4-3
MAC addresses blocked, adding 5-28
main menu 2-3
MD5
  IKE policies 6-17
  VPN policies 6-26

firewall, use with 5-1
multi-NAT 5-12
one-to-one mapping 2-11
one-to-one mapping example 5-12
NetBIOS, VPN tunnels 6-24
NetBIOS bridging over VPN 6-40
Network 9-17
Network Access Server. See NAS.
Network Address Translation. See NAT.

package contents 1-6
packet capture 11-9
PAP 8-2. See also RADIUS-PAP, MIAS-PAP, or WiKID-PAP.
Password Authentication Protocol. See PAP.
passwords and login timeout, changing 8-9, 9-8
Port Triggering screen 5-32
Portal Site Title 7-5
power adapter 1-8
PPP connection 7-2
PPP over Ethernet. See PPPoE.

rules
  blocking traffic 5-2
  inbound 5-4
  inbound example 5-12
  outbound 5-3
  service blocking 5-3
  services-based 5-2
running tracert 9-12

SA
  IKE policies 6-14, 6-17
  VPN policies 6-25, 6-26
schedule, blocking traffic 5-24
Schedule 1 screen 5-24
secondary IP addresses, DHCP, use with 3-11
Secondary LAN IPs. See Multi Home LAN IPs 3-10.
Secure Hash Algorithm 1. See SHA-1.
security
  network enhancements 4-3
  WPA 4-3
  WPA-PSK 4-3
security association. See SA.
static IP address
  configuring 2-10
  detecting 2-6
static routes
  about 3-11
  configuring 3-11
  metric 3-12
stealth mode 5-15, 9-5
submenu 2-3
SYN flood 5-16, 9-5
SysLog Server IP Address 10-3

ISP connection 11-4
NTP 11-7
testing your setup 11-6
Web configuration 11-3
Trusted Certificates 8-12
Trusted Domains, building list of 5-26
Trusted Wireless Stations 4-19
trusted wireless stations, MAC address filtering, use with 1-4
Turn Access Control On 4-

ModeConfig 6-16
XAUTH 6-19
increasing traffic 9-7
IPsec 5-16
keepalives 6-24
L2TP 5-16
NetBIOS 6-24
PPTP 5-16
pre-shared key 6-18
RSA signature 6-18
VPN Wizard
  Gateway tunnel 6-2
  VPN Client, configuring 6-5
VPN Wizard Default Values

authentication, overview B-1
description 8-2
WinPoET 2-8
WINS server 3-4
wireless access point
  default name 4-17
  deployment of 4-16
  verifying connectivity 4-16
wireless connectivity, testing 4-6
Wireless Multimedia 1-5