Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2
About This Manual
May 2004, 202-10030-02
How to Print this Manual
To print this manual you can choose one of the following options, according to your needs.
Printing a “How To” Sequence of Steps in the HTML View. Use the Print button on the
upper right side of the toolbar to print the currently displayed topic. Use this button when a
step-by-step procedure is displayed to send the entire procedure to your printer. You do not
have to worry about specifying the range of pages.
Printing a Chapter. Use the “PDF of This Chapter” link at the top right of any page.
Click the “PDF of This Chapter” link at the top right of any page in the chapter you want
to print. A new browser window opens showing the PDF version of the chapter you were
viewing.
Click the print icon in the upper left of the window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can save
paper and printer ink by selecting this feature.
Printing the Full Manual. Use the PDF button in the toolbar at the top right of the browser
window.
Click the PDF button. A new browser window opens showing the PDF version of the full
manual.
Click the print icon in the upper left side of the window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can save
paper and printer ink by selecting this feature.
Chapter 2
Introduction
This chapter describes the features of the NETGEAR FVL328 Prosafe High Speed VPN Firewall.
The FVL328 Firewall is now ICSA certified. It provides connections for multiple computers to the
Internet through an external broadband access device (such as a cable modem or DSL modem) and
supports IPSec-based secure tunnels to IPSec-compatible VPN servers.
About the FVL328
The FVL328 is a complete security solution that protects your network from attacks and intrusions
and enables secure communications using Virtual Private Networks (VPN). Unlike simple Internet
sharing routers that rely on Network Address Translation (NAT) for security, the FVL328 uses
Stateful Packet Inspection for Denial of Service (DoS) attack protection and intrusion detection.
The 8-port FVL328 provides highly reliable Internet access for up to 253 users with up to 100
concurrent VPN tunnels.
Summary of New Features in the FVL328
The NETGEAR FVL328 VPN ProSafe Firewall contains many new features, including:
Multi-DMZ (One-to-One DMZ)
Up to 7 different WAN IPs can be mapped, one-to-one, to up to 7 private LAN IPs.
Resettable WAN traffic meter
Programmable traffic limit
Can block traffic or send e-mail when limit reached
VPN Wizard that simplifies VPN setup and uses the VPNC defaults
Four groups for keyword blocking
E-mail authentication
IP-MAC access control: ensures a computer with an assigned MAC address always
gets the same IP address when using DHCP
Port Triggering
Ease of Use Improvements
Period (.) can be used to advance IP address, like using Tab
Clearer VPN status page
Advanced e-mail settings: Authentication, change from address
Support for PPPoE with static IP address
Trace route support added in diagnostic page
On services page, if the Finish port number is blank then the Start port number is used.
Broadcast IP allowed for Syslog; if e-mail is enabled to send logs, a log will be sent on reboot, etc.
Logs sent when reboots are initiated if e-mail is enabled
ICSA Certified firewall, SMB 4.0 criteria
Key Features
The FVL328 features are highlighted below.
Virtual Private Networking
The FVL328 Firewall provides a secure encrypted connection between your local network and
remote networks or clients. Its VPN features include:
VPN Wizard: Simplifies VPN setup, uses VPNC defaults.
Support for up to 100 simultaneous VPN connections.
Support for industry standard VPN protocols.
The FVL328 Prosafe High Speed VPN Firewall supports standard keying methods (Manual or
IKE), standard authentication methods (MD5 and SHA-1), and standard encryption methods
(DES, 3DES). It is compatible with many other VPN products.
Support for up to 168 bit encryption (3DES) for maximum security.
Support for VPN Main Mode, Aggressive mode, or Manual Keying.
Support for Fully Qualified Domain Name (FQDN) configuration when the Dynamic DNS
feature is enabled with one of the supported service providers.
VPNC Certified.
A Powerful, True Firewall
Unlike simple Internet sharing NAT routers, the FVL328 is a true firewall, using stateful packet
inspection to defend against hacker attacks. Its firewall features include:
Firewall Policies: A firewall policy can be set for each of the 7 private LAN IPs
DoS protection
Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, Land
Attack and IP Spoofing.
Blocks unwanted traffic from the Internet to your LAN.
Blocks access from your LAN to Internet locations or services that you specify as off-limits.
Logs security incidents
The FVL328 will log security events such as blocked incoming traffic, port scans, attacks, and
administrator logins. You can configure the firewall to e-mail the log to you at specified
intervals. You can also configure the firewall to send immediate alert messages to your e-mail
address or e-mail pager whenever a significant event occurs.
ICSA Certified, Small/Medium Business (SMB) Category version 4.0
Content Filtering
With its content filtering feature, the FVL328 prevents objectionable content from reaching your
computers. The firewall allows you to control access to Internet content by screening for keywords
within Web addresses. You can configure the firewall to log and report attempts to access
objectionable Internet sites. You can also create up to four groups, each with keyword blocking.
Configurable Auto Uplink™ Ethernet Connection
With its internal 8-port 10/100 switch, the FVL328 can connect to either a 10 Mbps standard
Ethernet network or a 100 Mbps Fast Ethernet network. Both the local LAN and the Internet WAN
interfaces are 10/100 Mbps, autosensing, and capable of full-duplex or half-duplex operation.
The firewall incorporates Auto Uplink™ technology. Each local Ethernet port will automatically
sense whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as
to a PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to
the correct configuration. This feature also eliminates the need to worry about crossover cables, as
Auto Uplink will accommodate either type of cable to make the right connection.
Protocol Support
The FVL328 supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing
Information Protocol (RIP). Appendix B, “Networks, Routing, and Firewall Basics” provides
further information on TCP/IP. Supported protocols include:
The Ability to Enable or Disable IP Address Sharing by NAT
The FVL328 allows several networked computers to share an Internet account using only a
single IP address, which may be statically or dynamically assigned by your Internet service
provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user
ISP account. This feature can also be turned off completely for using the FVL328 in settings
where you want to manage the IP address scheme of your organization.
Automatic Configuration of Attached computers by DHCP
The FVL328 dynamically assigns network configuration information, including IP, gateway,
and domain name server (DNS) addresses, to attached computers using Dynamic Host
Configuration Protocol (DHCP). This feature greatly simplifies configuration of computers on
your local network. IP-MAC address locking ensures the same PC always gets the same IP
address.
DNS Proxy
When DHCP is enabled and no DNS addresses are specified, the firewall provides its own
address as a DNS server to the attached computers. The firewall obtains actual DNS addresses
from the ISP during connection setup and forwards DNS requests from the LAN. There is a
checkbox to disable this feature.
PPP over Ethernet (PPPoE)
PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by
simulating a dial-up connection. This feature eliminates the need to run a login program such
as EnterNet or WinPOET on your computer. The FVL328 now supports fixed IP with login.
Point-to-Point Tunneling Protocol (PPTP) login support for European ISPs and BigPond login
for Telstra cable in Australia.
