FVS336G PROSAFE DUAL WAN GIGABIT FIREWALL WITH SSL & IPSEC VPN

Presented by Hien Ly, L3 Support Engineer

Course Agenda
- Introductions
- Course Objectives
- FVS336G Features
- Specific features on FVS336G
- Firewall & Router overview
- VPN overview
- SSL overview
- FVS336G Administration GUI walk-through
- FVS336G User SSL Portal walk-through
- FAQ
- Known Issues
- Q&A

.1996-2006 NETGEAR . All rights reserved

Introduction
Course Description: This training is intended to provide background and update information about the new ProSafe dual WAN gigabit firewall with IPSec and SSL VPN.
Course Audience: L2, L3, SE, VAR
Course Prerequisites:
- Familiarity & knowledge of NETGEAR ProSafe VPN firewall products
- Basic knowledge & understanding of VPN (IPSec & SSL) concepts
- Basic usage of VPN configuration on the NETGEAR ProSafe VPN products

Course Objectives
At the end of this course, Technical Support Engineers should be able to do the following:
- Identify the differences between the FVS336G and other NETGEAR Firewall VPN routers
- List and describe unique features on the FVS336G
- Identify and list the differences between the SSL features on the FVS336G and the SSL312
- Configure and set up the SSL Portal on the FVS336G

FVS336G Usage


Features & Benefits


- Dual 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing or failover/rollover.
- Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch.
- Supports 25 concurrent IPsec VPN tunnels.
- Supports 10 concurrent SSL VPN sessions.
- Bundled with the single-user license of the NETGEAR ProSafe VPN Client software (VPN01L).
- Supports SNMP v2c.
Italicized items are new features specific to the FVS336G only.

Package Contents
- ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN.
- One AC power cable (100-240 VAC, 50-60 Hz).
- Rubber feet.
- One Category 5 (Cat5) Ethernet cable.
- Installation Guide: FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN.
- Resource CD, including:
  - Application Notes and other helpful information.
  - ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual.
  - ProSafe VPN Client Software, one user license.
- Warranty and Support Information Card.

Front Panel


Rear Panel

Factory Defaults button: Using a sharp object, press and hold this button for about ten seconds until the front panel TEST light flashes to reset the FVS336G to factory default settings. All configuration settings will be lost and the default password will be restored.
LAN & WAN ports: Auto MDI/MDIX, Gigabit Ethernet ports.
AC Power: Universal AC input (100-240 VAC, 50-60 Hz); on/off power switch.

Bottom label

Default LAN IP address: 192.168.1.1
Default username: admin
Default password: password

Hardware Specifications
Processor Speed: 300 MHz (Cavium CN3005SCP)
Memory: 16 MB flash, 64 MB DRAM
Power adapter: 12V DC, 1.2A; plug is localized to country of sale
Dimensions: 25.4 x 17.8 x 3.96 cm (10 x 7 x 1.56 in)
Weight: 1.7 kg (3.7 lb)
Operating temperature: 0 to 40 °C (32 to 104 °F)
Operating humidity: 90% maximum relative humidity, non-condensing

Technical Support Info

Serial Prefix: 1PD

Item Number       Business Unit   Quantity   XF Date      Ship Mode   ETA at DC
FVS336G-100AUS    DCIHKN          70         10/19/2007   S           9/21/2007
FVS336G-100EES    DCINLN          200        10/12/2007   S           10/16/2007
FVS336G-100EES    DCINLN          40         10/26/2007   S           11/27/2007
FVS336G-100ISS    DCIHKN          70         10/12/2007   S           9/28/2007
FVS336G-100ISS    DCINLN          500        10/12/2007   S           10/16/2007
FVS336G-100ISS    DCINLN          280        10/19/2007   S           10/16/2007
FVS336G-100NAS    DCUSN           30         9/28/2007    S           10/22/2007
FVS336G-100NAS    DCUSN           700        10/12/2007   S           10/8/2007
FVS336G-100UKS    DCINLN          400        10/19/2007   S           10/16/2007
FVS336G-100UKS    DCINLN          150        10/26/2007   S           11/27/2007

Performance Spec
Throughput:
- LAN-to-WAN: 60 Mbps total
- IPsec VPN (3DES): 16 Mbps
- SSL VPN: 10 Mbps
Connections: 10,000 concurrent sessions

FVS336G GUI

Admin GUI
http://192.168.1.1
Username: admin
Password: password
Domain: geardomain

Network WAN settings


Network WAN mode


WAN Mode


WAN Mode Auto-Rollover


If you want to use a redundant ISP link for backup purposes, select the WAN port that will act as the primary link for this mode. Ensure that the backup WAN port has also been configured and that you configure the WAN Failure Detection Method to support Auto-Rollover.

Link failure is detected in one of the following ways:
- By sending DNS queries to a DNS server, or
- By sending a Ping request to an IP address, or
- None (no failure detection is performed).

WAN2 will kick in after the defined number of retry intervals is exhausted. From each WAN interface, DNS queries or Ping requests are sent to the specified IP address. If replies are not received after a specified number of retries, the corresponding WAN interface is considered down.

As long as the primary link is up, all traffic is sent over the primary link. Once the primary WAN interface goes down, the rollover link is brought up to send the traffic. Traffic will automatically roll back to the original primary link once the original primary link is back up and running again.
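The retry, rollover and rollback behaviour described above, modelled as a small simulation. This is an added example, not NETGEAR code: it does not probe a real FVS336G; the probe results (DNS or ping replies per interval) are constructed input supplied by the caller, and the retry count of 3 is an assumption.

```python
"""Auto-Rollover failure detection, modelled in Python.

Added example: this is not NETGEAR code and does not talk to a real
FVS336G. Probe results (DNS reply / ping reply) are supplied by the
caller as constructed input so the retry, rollover and rollback logic
can be run offline.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class WanLink:
    name: str
    retries: int          # failed probes tolerated before the link is "down"
    failures: int = 0     # consecutive failed probes seen so far
    up: bool = True

    def record_probe(self, replied: bool) -> None:
        """Update state from one DNS-query or ping probe on this interface."""
        if replied:
            self.failures = 0
            self.up = True
        else:
            self.failures += 1
            if self.failures >= self.retries:
                self.up = False


class AutoRollover:
    """Traffic stays on the primary while it is up, moves to the backup once
    the primary is declared down, and rolls back when the primary's probes
    succeed again. With detection "none" no probing happens, so the primary
    is never declared down and no rollover can occur."""

    def __init__(self, primary: WanLink, backup: WanLink, detection: str = "dns"):
        if detection not in ("dns", "ping", "none"):
            raise ValueError("detection must be 'dns', 'ping' or 'none'")
        self.primary = primary
        self.backup = backup
        self.detection = detection

    def probe_interval(self, primary_replied: bool, backup_replied: bool) -> Optional[str]:
        """One detection interval: both interfaces are probed, then the
        link that should carry traffic is returned (None if both are down)."""
        if self.detection != "none":
            self.primary.record_probe(primary_replied)
            self.backup.record_probe(backup_replied)
        if self.primary.up:
            return self.primary.name
        if self.backup.up:
            return self.backup.name
        return None


def simulate(probes: List[Tuple[bool, bool]], retries: int = 3,
             detection: str = "dns") -> List[Optional[str]]:
    """Run a sequence of (primary_replied, backup_replied) intervals and
    return which link is active after each one."""
    ro = AutoRollover(WanLink("WAN1", retries), WanLink("WAN2", retries), detection)
    return [ro.probe_interval(p, b) for p, b in probes]


if __name__ == "__main__":
    # Constructed probe history: WAN1 stops answering for three intervals,
    # then recovers. With retries=3 the third miss declares WAN1 down.
    history = [(True, True), (False, True), (False, True), (False, True), (True, True)]
    for interval, active in enumerate(simulate(history), start=1):
        print(f"interval {interval}: active link = {active}")
```

The "none" detection method is worth noting when troubleshooting: with it selected the unit never learns that the primary link has failed, so the backup WAN is never used no matter how the probe targets are configured.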

WAN Mode Load Balancing


WAN Mode Load Balancing


The VPN firewall distributes the outbound traffic equally among the WAN interfaces that are functional. Scenarios could arise when load balancing needs to be bypassed for certain traffic or applications. If certain traffic needs to travel on a specific WAN interface, configure protocol binding rules for that WAN interface. The rule should match the desired traffic. In the Protocol Binding menu, you specify a protocol such as HTTP, and this causes all outbound traffic of that protocol to use that WAN port.
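The selection order just described (a protocol binding rule first, otherwise even distribution across the functional WAN interfaces), as an added example that is not NETGEAR code. The round-robin distribution and the fallback to ordinary balancing when a bound WAN interface is down are this example's own assumptions; the flows and the HTTP-to-WAN2 rule are constructed.

```python
"""Load balancing with protocol binding, modelled in Python.

Added example, not NETGEAR code. The selection order (binding rule first,
then distribution across functional links) follows the slide; round-robin
as the distribution method and falling back to balancing when the bound
WAN is down are this example's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    protocol: str  # e.g. "HTTP", "SMTP"
    src: str
    dst: str


@dataclass(frozen=True)
class BindingRule:
    protocol: str  # outbound traffic of this protocol ...
    wan: str       # ... is pinned to this WAN interface


class LoadBalancer:
    def __init__(self, wans: List[str], rules: List[BindingRule]):
        self.wans = list(wans)
        self.rules = list(rules)
        self.status: Dict[str, bool] = {w: True for w in self.wans}
        self._next = 0  # round-robin cursor

    def set_link(self, wan: str, up: bool) -> None:
        """Mark a WAN interface functional or not (as failure detection would)."""
        self.status[wan] = up

    def choose(self, flow: Flow) -> str:
        """Return the WAN interface that carries this outbound flow."""
        # 1. A matching protocol binding rule bypasses load balancing.
        for rule in self.rules:
            if rule.protocol == flow.protocol and self.status.get(rule.wan, False):
                return rule.wan
        # 2. Otherwise distribute across the WAN interfaces that are functional.
        live = [w for w in self.wans if self.status[w]]
        if not live:
            raise RuntimeError("no functional WAN interface")
        wan = live[self._next % len(live)]
        self._next += 1
        return wan


if __name__ == "__main__":
    # Constructed setup: HTTP is bound to WAN2, everything else is balanced.
    lb = LoadBalancer(["WAN1", "WAN2"], [BindingRule("HTTP", "WAN2")])
    flows = [Flow("HTTP", "192.168.1.10", "203.0.113.5"),
             Flow("SMTP", "192.168.1.10", "203.0.113.6"),
             Flow("SMTP", "192.168.1.11", "203.0.113.6")]
    for f in flows:
        print(f"{f.protocol:5} {f.src} -> {f.dst}: {lb.choose(f)}")
```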


Dynamic DNS


LAN Settings


LAN Settings Multi-homing

The secondary LAN IP address will be assigned to the LAN interface of the router and can be used as a gateway by computers on the secondary subnet.


LAN Settings Multi-homing


If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or 10.0.0.0), you can add aliases to the LAN port, giving computers on those networks access to the Internet through the router. This allows the router to act as a gateway to additional logical subnets on your LAN.

NOTE: IP addresses on these secondary subnets cannot be configured in the DHCP server. The hosts on the secondary subnets must be manually configured with IP addresses, gateway IP addresses, and DNS server IP addresses.


Security Services


Security Scheduling


Security Block Sites


Security Firewall Rules


Firewall Rules Adding Inbound


Firewall Rules Adding Outbound


Security Source MAC Filter


Security Port Triggering


Security Port Triggering


Once configured, operation is as follows:
1. A PC makes an outgoing connection using a port number defined in the Port Triggering table.
2. This router records this connection, opens the INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC.
3. The remote system receives the PC's request, and responds using a different port number.
4. This router matches the response to the previous request, and forwards the response to the PC. (Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.)

Note: Only one PC can use a "Port Triggering" application at any time. After a PC has finished using a "Port Triggering" application, there is a "Time-out" period before the application can be used by another PC. This is required because this router cannot be sure when the application has terminated. Port Triggering is normally used for games and chat applications.
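The four steps and the one-PC-at-a-time rule above, modelled as a Port Triggering table. This is an added example, not NETGEAR code: the "game" rule, its ports, the PC addresses and the 300-second time-out are constructed, and restarting the time-out on each matching outgoing connection is this example's assumption.

```python
"""Port Triggering table, modelled in Python.

Added example, not NETGEAR code. It follows the four steps on the slide:
an outgoing connection to a trigger port opens the rule's incoming ports
toward that PC, inbound packets on those ports are matched back to the PC,
and only one PC holds a rule until its time-out expires. The time-out
length and the choice to restart it on each matching outgoing connection
are this example's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TriggerRule:
    name: str
    outgoing_port: int               # destination port that triggers the rule
    incoming_ports: Tuple[int, int]  # inclusive range opened toward the PC


@dataclass
class TriggerState:
    pc_ip: str
    expires_at: float   # seconds; the trigger is released after this time


class PortTriggering:
    def __init__(self, rules: List[TriggerRule], timeout_s: float = 300.0):
        self.rules = list(rules)
        self.timeout_s = timeout_s
        self.active: Dict[str, TriggerState] = {}

    def _holder(self, rule: TriggerRule, now: float) -> Optional[TriggerState]:
        """Return the PC currently holding the rule, releasing it on time-out."""
        st = self.active.get(rule.name)
        if st is None or now >= st.expires_at:
            self.active.pop(rule.name, None)   # time-out reached: release
            return None
        return st

    def record_outbound(self, pc_ip: str, dst_port: int, now: float) -> Optional[str]:
        """Steps 1-2: an outgoing connection on a trigger port opens the
        associated incoming ports for this PC. Returns the rule name, or
        None when no rule matches or another PC still holds the rule."""
        for rule in self.rules:
            if rule.outgoing_port != dst_port:
                continue
            holder = self._holder(rule, now)
            if holder is not None and holder.pc_ip != pc_ip:
                return None   # only one PC may use the application at a time
            self.active[rule.name] = TriggerState(pc_ip, now + self.timeout_s)
            return rule.name
        return None

    def route_inbound(self, dst_port: int, now: float) -> Optional[str]:
        """Steps 3-4: a response arriving on an opened incoming port is
        forwarded to the PC that triggered it. None means no active trigger,
        so the packet falls through to the ordinary Port Forwarding rules."""
        for rule in self.rules:
            lo, hi = rule.incoming_ports
            if lo <= dst_port <= hi:
                holder = self._holder(rule, now)
                if holder is not None:
                    return holder.pc_ip
        return None


if __name__ == "__main__":
    # Constructed rule: an outgoing connection to port 6112 opens 6112-6119.
    pt = PortTriggering([TriggerRule("game", 6112, (6112, 6119))], timeout_s=300)
    print(pt.record_outbound("192.168.1.10", 6112, now=0))    # game
    print(pt.route_inbound(6115, now=1))                      # 192.168.1.10
    print(pt.record_outbound("192.168.1.11", 6112, now=2))    # None: held by .10
    print(pt.route_inbound(6115, now=400))                    # None: timed out
```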

IPSec VPN

Netgear IPSec VPN VPN Wizard Box-to-box


Netgear IPSec VPN VPN Wizard Client-to-box


VPN Policy


VPN Policy Traffic Selection


VPN Policy Policy Parameters


IKE Policy


IKE Policy IKE parameters


VPN Certificate Authority (CA)


Generate Self-sign Certificate


View Certificate Request


Certificate Revocation List (CRL)


Mode Config


VPN Client RADIUS Client


SSL VPN

SSL VPN Setup Process


1. Create User Portal: VPN > SSL VPN > Portal Layouts
2. Create Domain: Users > Domains
   - Select the authentication scheme
   - Link the new domain to the new portal that you created in step #1
3. Create Group: Users > Groups
   - A default group will be created when a domain is created (this is indicated with a *)
   - You can create other groups under each domain
4. Create User: Users > Users
   - Define Login policies

SSL Portal Layout


SSL Domain


SSL Groups


SSL Users


SSL User Policies


Deny/Allow user login

NOTE: This applies to Remote Management access for ALL users, including Administrator access.

SSL User Policies


Deny/Allow client access based on Source IP address


SSL User Policies


Deny/Allow client access based on web browser


Administrator Settings & Troubleshooting

Administrative Features


Traffic Meter


Traffic Meter
Allows you to measure and limit the traffic routed by the router. The router will keep a record of the volume of traffic going from the selected interface. The router can also be configured to place a restriction on the volume of data being transferred.


Attack Checks


Firewall Logs


Email Logs


Syslog


VPN Logs


Frequently Asked Questions & Known Issues

Full Tunnel vs. Split Tunnel


Full Tunnel Mode will allow a remote user full access to the LAN without restrictions. I found this level of access to be more than necessary, as it also routes simple web surfing for the remote client through the VPN tunnel.

Split Tunnel Mode is a subset of Full Tunnel mode. This option allows a remote client full access to the LAN behind the 336G, while leaving web surfing to the end user's local connection. In this mode, the remote client is issued an IP address different from the NETGEAR LAN subnet, which is then routed to the LAN subnet.

Using a different subnet for SSL VPN clients is similar to NETGEAR's Mode Config option for IPSec VPN clients in that it creates separate routed networks between VPN clients and the main LAN. Restrictions can then be applied to the VPN subnet, enhancing security with the ability to limit access based on originating IP addresses.

Full Tunnel vs. Split Tunnel


Split Tunnel Mode requires setting up a static route between the VPN Client subnet and the NETGEAR LAN subnet. It's a two-step process, enabled by deselecting Full Tunnel mode and entering the LAN subnet as shown below.

With Split Tunnel Mode, a remote client has routed access to the NETGEAR LAN 192.168.3.0 /24 from anywhere with an Internet Connection.
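The routing difference between the two modes on the previous slides, as an added example that is not NETGEAR code. The LAN subnet 192.168.3.0/24 is the one named above; the SSL VPN client subnet 192.168.100.0/24 and the public test address 203.0.113.10 are constructed for the example. The overlap check mirrors the requirement that the client subnet differ from the LAN subnet before a static route between them makes sense.

```python
"""Full Tunnel vs. Split Tunnel client routing, modelled in Python.

Added example, not NETGEAR code. The LAN 192.168.3.0/24 comes from the
slide; the SSL VPN client subnet and the public test address are
constructed for this example.
"""
import ipaddress
from typing import List


def client_routes(mode: str, lan_subnet: str) -> List[ipaddress.IPv4Network]:
    """Networks the remote client sends through the SSL VPN tunnel."""
    if mode == "full":
        # Everything, including ordinary web surfing, goes through the tunnel.
        return [ipaddress.ip_network("0.0.0.0/0")]
    if mode == "split":
        # Only the NETGEAR LAN is tunnelled; other traffic uses the local link.
        return [ipaddress.ip_network(lan_subnet)]
    raise ValueError("mode must be 'full' or 'split'")


def via_tunnel(dst_ip: str, routes: List[ipaddress.IPv4Network]) -> bool:
    """True when a packet to dst_ip is sent through the VPN tunnel."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in net for net in routes)


def validate_split_tunnel(client_subnet: str, lan_subnet: str) -> bool:
    """Split Tunnel Mode issues clients an address outside the LAN subnet and
    routes between the two; an overlapping client subnet cannot be routed."""
    clients = ipaddress.ip_network(client_subnet)
    lan = ipaddress.ip_network(lan_subnet)
    if clients.overlaps(lan):
        raise ValueError("SSL VPN client subnet must not overlap the LAN subnet")
    return True


if __name__ == "__main__":
    lan = "192.168.3.0/24"
    validate_split_tunnel("192.168.100.0/24", lan)
    for mode in ("full", "split"):
        routes = client_routes(mode, lan)
        for dst in ("192.168.3.20", "203.0.113.10"):
            print(f"{mode:5} tunnel, {dst:14}: via tunnel = {via_tunnel(dst, routes)}")
```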

FAQ
Q: Does the SSL VPN require any additional VPN software?
A: No, the main intention of the SSL VPN is that users do not need to install any client software on their PCs. Users only need a web browser that can support ActiveX or Java.

Q: How many simultaneous VPN connections does the FVS336G support?
A: It supports up to 25 IPSec VPN tunnels and 10 SSL VPN tunnels.

Q: Can I manage the box using a port number different from the standard HTTPS port number 443, and use 443 for port forwarding to an internal web server?
A: No, not yet. You need to use the standard port number 443 to manage the box via HTTPS. To access an internal web server by port 443, please use SSL or IPSec VPN tunnel access.

FAQ
Q: Does the FVS336G have all the features of the SSL312 VPN Concentrator?
A: No, the FVS336G SSL VPN only provides the full SSL VPN tunnel and Port Forwarding. For the full features of the SSL VPN, we recommend that you purchase a stand-alone SSL312 SSL VPN concentrator.

Q: Do you need additional hardware to use the SSL VPN feature?
A: No, the SSL VPN is part of the software features available on the FVS336G. You may need an authentication server if you are not using the local user database on the FVS336G.

Known Issues
- Dropped packets are not logged though they match a firewall rule with the log option turned on.
- Admin and guest login from WAN are enabled by default.
- Disabling remote management will disable SSL VPN.
- Vonage incoming call from WAN rings, but no voice.
- VPN rollover does not work if both WAN interfaces are on the same subnet (not common).
- Inbound rule with a second public address on a different subnet from the WAN interface address does not work if the traffic is initiated from a host directly on this subnet (not common; normally there is a router in between and that works).
- In Load Balancing mode, a host directly connected to the WAN port can ping WAN1, not WAN2 (not a common case; normally there is a router in between and that works).
- In Load Balancing mode, an SSL VPN user directly connected to the WAN port can establish a VPN tunnel to WAN1, not WAN2 (not a common case; normally there is a router in between and that works).

Known Issues
- Login page is not displayed properly if admin comes in via an FVX538 inbound rule to log in to the WAN port of the FVS336G (this is a common deployment case).
- Host names in SSL port forwarding cannot mix upper and lower case letters.
- SSL VPN denial policy does not block ping traffic unless the high port number is blank.
- SSL VPN global policy "edit" button does not display "Service" on the edit web page (the work-around is to delete the policy and recreate it).
- The change password option should be grayed out if the SSL VPN user is authenticated via Active Directory, RADIUS or LDAP; it has no effect.
- Port forwarding HTTPS port 443 via a secondary public WAN IP in an inbound rule cannot reach the internal web server (the work-around is to use SSL VPN to access the internal web server).
- PPPoE auto-detect displays "No service detected", although it has already acquired a WAN IP address and is functioning.

Known Issues
- When adding an SSL VPN resource, the IP address is not part of the configuration and is only available from the "edit" button.
- Raritan KVM client through SSL Port Forwarding gets disconnected after being idle for a while (the work-around is to use the SSL VPN tunnel instead of Port Forwarding).

Thank You! Q&A
