ProSafe VPN Firewall 200 FVX538 Reference Manual

xvi

About This Manual

v1.0, March 2009

For more information about network, Internet, firewall, and VPN technologies, see the links to the

NETGEAR website in

Appendix D, “Related Documents

.”

Revision History

Danger:

This is a safety warning. Failure to take heed of this notice may result in

personal injury or death.

Note:

Updates to this product are available on the NETGEAR, Inc. website at

.

Part Number

Version

Number

Date

Description

202-10062-04

1.0

Aug. 2006

Product update: New firmware and a new user interface.

202-10062-05

1.0

Jan. 2007

Remove Trend Micro

202-10062-06

1.0

Jul. 2007

New features: IP/MAC Binding; Bandwidth Limits; Session Limits;

IKE Keep Alive; Dead Peer Detection; Oray Support

202-10062-06

1.1

Oct. 2007

Document corrections

202-10062-06

1.2

Oct. 2007

Document additions to Appendix C

202-10062-07

1.0

Mar. 08

Maintenance release

202-10062-09

1.0

Mar. 09

Adds these corrections and topics for the March 2009 firmware

maintenance release:

•

WIKID 2 factor authentication

•

SIP AGL support

•

DHCP Relay support

•

Update VPN configuration procedure topics

•

Update the Certificate management topic

•

Correct the firewall scheduling topic

Introduction

1-1

v1.0, March 2009

Chapter 1

Introduction

The ProSafe VPN Firewall 200 with eight 10/100 ports and one 1/100/1000 port connects your

local area network (LAN) to the Internet through an external access device such as a cable modem

or DSL modem.

The FVX538 is a complete security solution that protects your network from attacks and

intrusions. For example, the FVX538 provides support for Stateful Packet Inspection, Denial of

Service (DoS) attack protection and multi-NAT support. The VPN firewall supports multiple Web

content filtering options, plus browsing activity reporting and instant alerts—both via e-mail.

Network administrators can establish restricted access policies based on time-of-day, Website

addresses and address keywords.

The FVX538 is a plug-and-play device that can be installed and configured within minutes.

This chapter contains the following sections:

•

“Key Features” on page 1-1

•

“Package Contents” on page 1-5

•

“Router Front and Rear Panels” on page 1-6

•

“The Router’s IP Address, Login Name, and Password” on page 1-9

Key Features

The VPN firewall provides the following features:

•

Dual 10/100 Mbps Ethernet WAN ports for load balancing or failover protection, providing

increased system reliability and load balancing. The WAN ports do not respond at all to

unsolicited traffic (stealth mode).

•

Support for up to 200 simultaneous IPSec VPN tunnels.

•

Support for up to 400 internal LAN users (and 50K connections).

•

Bundled with the 5-user license of the NETGEAR ProSafe VPN Client software (VPN05L)

•

Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and multimedia.

•

Built-in 10/100 Mbps ports plus 1 Gigabit Switch port.

•

One console port for local management.

ProSafe VPN Firewall 200 FVX538 Reference Manual

1-2

Introduction

v1.0, March 2009

•

SNMP Manageable, optimized for the NETGEAR ProSafe Network Management Software

(NMS100).

•

Easy, web-based setup for installation and management.

•

Advanced SPI Firewall and Multi-NAT support.

•

Extensive Protocol Support.

•

Login capability.

•

Front panel LEDs for easy monitoring of status and activity.

•

Flash memory for firmware upgrade.

•

One U Rack mountable.

Dual WAN Ports for Increased Reliability or Outbound Load

Balancing

The FVX538 has two broadband WAN ports, WAN1 and WAN2, each capable of operating

independently at speeds of either 10 Mbps or 100 Mbps. The two WAN ports let you connect a

second broadband Internet line that can be configured on a mutually-exclusive basis to:

•

Provide backup and rollover if one line is inoperable, ensuring you are never disconnected.

•

Load balance, or use both Internet lines simultaneously for the outgoing traffic. The firewall

balances users between the two lines for maximum bandwidth efficiency.

See

“Network Planning for Dual WAN Ports” on page B-1

for the planning factors to consider

when implementing the following capabilities with dual WAN port gateways:

•

Single or multiple exposed hosts

•

Virtual private networks

A Powerful, True Firewall with Content Filtering

Unlike simple Internet sharing NAT routers, the FVX538 is a true firewall, using stateful packet

inspection to defend against hacker attacks. Its firewall features include:

•

DoS protection.

Automatically detects and thwarts DoS attacks such as Ping of Death, SYN

Flood, LAND Attack, and IP Spoofing.

•

Secure Firewall

. Blocks unwanted traffic from the Internet to your LAN.

•

Block Sites.

Blocks access from your LAN to Internet locations or services that you specify as

off-limits.

ProSafe VPN Firewall 200 FVX538 Reference Manual

Introduction

1-3

v1.0, March 2009

•

Logs security incidents.

The FVX538 will log security events such as blocked incoming

traffic, port scans, attacks, and administrator logins. You can configure the firewall to email

the log to you at specified intervals. You can also configure the firewall to send immediate

alert messages to your email address or email pager whenever a significant event occurs.

•

Keyword Filtering.

With its URL keyword filtering feature, the FVX538 prevents

objectionable content from reaching your PCs. The firewall allows you to control access to

Internet content by screening for keywords within Web addresses. You can configure the

firewall to log and report attempts to access objectionable Internet sites.

Security Features

The VPN firewall is equipped with several features designed to maintain security, as described in

this section.

•

PCs Hidden by NAT

. NAT opens a temporary path to the Internet for requests originating

from the local network. Requests originating from outside the LAN are discarded, preventing

users outside the LAN from finding and directly accessing the PCs on the LAN.

•

Port Forwarding with NAT.

Although NAT prevents Internet locations from directly

accessing the PCs on the LAN, the firewall allows you to direct incoming traffic to specific

PCs based on the service port number of the incoming request. You can specify forwarding of

single ports or ranges of ports.

•

DMZ port

. Incoming traffic from the Internet is normally discarded by the firewall unless the

traffic is a response to one of your local computers or a service for which you have configured

an inbound rule. Instead of discarding this traffic, you can have it forwarded to one computer

on your network.

Autosensing Ethernet Connections with Auto Uplink

With its internal 8-port 10/100 switch, the FVX538 can connect to either a 10 Mbps standard

Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are

autosensing and capable of full-duplex or half-duplex operation.

The firewall incorporates Auto Uplink

TM

technology. Each Ethernet port will automatically sense

whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as to a

PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to the

correct configuration. This feature also eliminates the need to worry about crossover cables, as

Auto Uplink will accommodate either type of cable to make the right connection.

ProSafe VPN Firewall 200 FVX538 Reference Manual

1-4

Introduction

v1.0, March 2009

Extensive Protocol Support

The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and

Routing Information Protocol

(RIP). For further information about TCP/IP, refer

to

“Internet Configuration Requirements” in Appendix B

.”

•

IP Address Sharing by NAT

. The VPN firewall allows several networked PCs to share an

Internet account using only a single IP address, which may be statically or dynamically

assigned by your Internet service provider (ISP). This technique, known as NAT, allows the

use of an inexpensive single-user ISP account.

•

Automatic Configuration of Attached PCs by DHCP

. The VPN firewall dynamically

assigns network configuration information, including IP, gateway, and domain name server

(DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol

(DHCP). This feature greatly simplifies configuration of PCs on your local network.

•

DNS Proxy

. When DHCP is enabled and no DNS addresses are specified, the firewall

provides its own address as a DNS server to the attached PCs. The firewall obtains actual DNS

addresses from the ISP during connection setup and forwards DNS requests from the LAN.

•

PPP over Ethernet (PPPoE)

. PPPoE is a protocol for connecting remote hosts to the Internet

over a DSL connection by simulating a dial-up connection. This feature eliminates the need to

run a login program such as EnterNet or WinPOET on your PC.

Easy Installation and Management

You can install, configure, and operate the ProSafe VPN Firewall 200 within minutes after

connecting it to the network. The following features simplify installation and management tasks:

•

Browser-Based Management.

Browser-based configuration allows you to easily configure

your firewall from almost any type of personal computer, such as Windows, Macintosh, or

Linux. A user-friendly Setup Wizard is provided and online help documentation is built into

the browser-based Web Management Interface.

•

Auto Detect

. The VPN firewall automatically senses the type of Internet connection, asking

you only for the information required for your type of ISP account.

•

VPN Wizard.

The VPN firewall includes the NETGEAR VPN Wizard to easily configure

VPN tunnels according to the recommendations of the Virtual Private Network Consortium

(VPNC) to ensure the VPN tunnels are interoperable with other VPNC-compliant VPN routers

and clients.

•

SNMP.

The VPN firewall supports the Simple Network Management Protocol (SNMP) to let

you monitor and manage log resources from an SNMP-compliant system manager. The SNMP

system configuration lets you change the system variables for MIB2.