NETGEAR Product Training Firewall VPN Products Presented by Hien Ly Level 3, Sr. Tech Support Engineer November, 2007

Page 1

NETGEAR Product Training: Firewall VPN Products

Presented by Hien Ly, Level 3, Sr. Tech Support Engineer, November 2007

Page 2

© 1996-2006 NETGEAR®. All rights reserved

Agenda

» Introduction to NETGEAR Firewall VPN Products
  • Firewall Overview
    » Types of Firewall
    » DMZ
      • NETGEAR DMZ
    » How to Choose a Firewall?
  • VPN Overview
    » What is VPN?
    » Encryption
    » IPsec Basics
      • IPsec Protocols
      • Security Associations (SA)
      • IKE Phases
    » SSL312 VPN Introduction
» NETGEAR Firewall VPN Router Features
  • Unique Features highlight
  • NETGEAR VPN Configuration Screenshots
  • ProSafe VPN Client Software
» Troubleshooting Tips and Lab
  • VPN Troubleshooting Flow
  • Hands-on lab

Page 3

Course Objectives

» Agents should be able to do the following after this course:
• Recognize the Firewall VPN products that NETGEAR has to offer
• Be able to understand the basic Firewall concepts
• Be able to understand the basic VPN concepts
• Be able to understand the differences between IPSec and SSL VPN
• Be able to understand the different types of firewall settings on the NETGEAR routers
• Be able to configure and establish VPN sessions using various NETGEAR products:
  » Box-to-box VPN
  » Client-to-box VPN
  » Hub & Spoke VPN

Page 4

NETGEAR Firewall VPN

Product Description                                                                              Model No.
ProSafe VPN Firewall 200 Dual WAN with 8-port 10/100 and 1 Gigabit LAN switch (200 VPN Tunnels)  FVX538
ProSafe VPN Firewall 50 with Dial Back-up (50 VPN Tunnels)                                       FVS338
ProSafe VPN Firewall with ADSL Modem and 802.11g Wireless (50 VPN Tunnels)                       DGFV338
ProSafe Dual WAN gigabit firewall with IPSec & SSL VPN (25 IPSec & 10 SSL tunnels)               FVS336G
ProSafe VPN Firewall with 802.11g Wireless and 8-Port 10/100 Switch (8 VPN Tunnels)              FVG318
ProSafe VPN Firewall 8 w/8 Port 10/100 Switch (8 VPN Tunnels)                                    FVS318v3
ProSafe VPN Firewall 8 w/8 Port 10/100 Switch (8 VPN Tunnels)                                    FVS114
ProSafe SSL VPN Concentrator 25                                                                  SSL312

Page 5

ProSafe VPN Firewall Line-up

“Wired” Firewalls:
» FVS114 – 8 Tunnels
» FVS318v3 – 8 Tunnels (New)
» FVS338 – 50 Tunnels, Dial-up Failover
» FVS336G – 25 IPSec tunnels, 10 SSL tunnels, 4 Gig LAN, Dual Gig WAN
» FVX538 – 200+ Tunnels, Dual WAN port, 1 Gig LAN Port
» SSL312 – 25 SSL Tunnels (New)

Wireless Firewalls:
» FVG318 – 108Mbps 802.11g, 8 VPN Tunnels
» DGFV338 – 108Mbps 802.11g, 50 VPN tunnels, w/ ADSL2+ modem

Page 6

Firewall 101

Page 7

Firewall 101

» A firewall is a set of components that sits between networks and acts as a gatekeeper, allowing traffic in or keeping it out based on certain criteria.

» Firewall types:
• Stateful Packet Inspection
• Hybrids
• Packet filters
• Applications proxy

Page 8

Stateful Packet Inspection (SPI)

» Examines each packet passed through.
» Allows or drops packets depending on rules.
» Maintains tables of information about current connections.
• Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.
» Uses the current state of connections in the tables to determine whether to allow or drop incoming packets.
» When a connection terminates, it removes the reference from the internal table.

Most of the Firewalls available today are Hybrids.

Page 9

Hybrid Firewall

» Offers the best of all worlds:
• Application-Level Packet Filtering
• Proxy-ARP Transparency isolates internal systems from attack
• Policy-based routing for efficient use of dual network connections
• Multiple redundant / balanced Internet links for fail-safe operation
• Traffic shaping and QOS control for priority services
• Address translation and port/address forwarding hides the internal network

Page 10

Packet Filters

» A packet filter examines every network packet that passes through it.
» It drops or forwards packets depending on a set of rules.
» Rules depend on:
• IP Address
• Protocol (TCP, UDP, IP, ICMP)
• Port number (HTTP, FTP, TELNET)
• Direction (inbound, outbound)
» Fast
» No application or content awareness.
» Each packet is examined on a standalone basis.
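To make the contrast between the Stateful Packet Inspection slide and this Packet Filters slide concrete, here is an added Python example (not from the deck and not NETGEAR firmware code) that runs one constructed packet sequence through a stateless rule list and through a stateful connection table. The rule set, addresses and port numbers are all constructed for illustration; the point it shows is the hole a stateless filter has to leave open for return traffic, and how the state table closes it and drops its reference when the connection ends.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed view of one packet: just the header fields the rules look at."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str        # "TCP", "UDP" or "ICMP"
    direction: str    # "in" = arriving from the WAN, "out" = leaving the LAN
    syn: bool = False
    fin: bool = False


# Stateless rules: (direction, protocol or None, (low_port, high_port) or None, action),
# evaluated top to bottom; the first matching rule decides.
STATELESS_RULES = [
    ("out", "TCP", None, "allow"),          # LAN may open any TCP connection
    ("in", "TCP", (80, 80), "allow"),       # one published web server
    # A stateless filter cannot tell a reply from a new connection, so to let
    # replies to outbound connections back in it must open the whole ephemeral
    # port range inbound. This is the gap stateful inspection closes.
    ("in", "TCP", (1024, 65535), "allow"),
    ("in", None, None, "drop"),             # default deny
]


def stateless_decide(p: Packet) -> str:
    """Judge each packet on a standalone basis, with no memory of earlier packets."""
    for direction, proto, ports, action in STATELESS_RULES:
        if direction != p.direction:
            continue
        if proto is not None and proto != p.proto:
            continue
        if ports is not None and not (ports[0] <= p.dport <= ports[1]):
            continue
        return action
    return "drop"


class StatefulFirewall:
    """Stateful packet inspection: remember the connections the LAN opened and
    admit inbound packets only when they belong to one of them."""

    def __init__(self):
        self.connections = set()   # 5-tuples (src, sport, dst, dport, proto)

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            if p.proto == "TCP" and p.syn:   # new outbound connection: record it
                self.connections.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "allow"
        # Inbound: reverse the tuple and look for the connection this replies to.
        key = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key in self.connections:
            if p.fin:                         # connection terminates: drop the table entry
                self.connections.discard(key)
            return "allow"
        if p.proto == "TCP" and p.dport == 80:   # the one published service
            return "allow"
        return "drop"


def run_scenario() -> list:
    """Feed a constructed packet sequence to both filters; return (stateless, stateful) verdicts."""
    lan, web, outsider = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    packets = [
        Packet(lan, 51000, web, 443, "TCP", "out", syn=True),   # LAN host opens HTTPS
        Packet(web, 443, lan, 51000, "TCP", "in"),              # legitimate reply
        Packet(outsider, 3389, lan, 51001, "TCP", "in"),        # unsolicited packet to a high port
        Packet(web, 443, lan, 51000, "TCP", "in", fin=True),    # server closes the connection
        Packet(web, 443, lan, 51000, "TCP", "in"),              # late packet after the close
    ]
    spi = StatefulFirewall()
    return [(stateless_decide(p), spi.decide(p)) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The third packet is the one to watch: the stateless filter passes it because it lands in the ephemeral range it had to open, while the stateful table drops it because no LAN host ever opened that connection. The fifth packet shows the table entry being removed on FIN, so a stray packet on a closed connection is also refused.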

Page 11

Applications Proxy

» Application awareness.
» Acts as a “man in the middle”.
» Never allows a packet to pass through the proxy.
» Receives and sends out packets on behalf of the internal users.
• The net effect of this action is that the remote computer hosting the Web page never comes into direct contact with anything on your home network, other than the proxy server.
» Computationally intensive.
» Needs a proxy for each application.

[Diagram: Internal system – Applications Proxy – Web Server; the HTTP request is relayed by the proxy and the Web Page response is relayed back]

Page 12

DMZ (Demilitarized Zone)

» A segment of network for hosting publicly accessible services (web servers, mail servers, ftp servers).
» Limits damage to the private network even if the DMZ is compromised.

[Diagram: INTERNET – Firewall – DMZ (Web Server, mail server, FTP server) and Internal network (Internal PCs)]

Only available on FVX538

Page 13

DMZ in NETGEAR routers

» Only available on FVX538
» This zone can be used to host servers and give public access to them. Port 8 on the LAN of the router can be dedicated as a hardware DMZ port and safely provide the Internet services without compromising security on your LAN.

Note: The IP subnet of the DMZ should be different from that of the LAN port and the WAN port(s).

Example:
WAN 1: 10.0.0.1 with subnet 255.0.0.0
WAN 2: 20.0.0.1 with subnet 255.0.0.0
LAN: 192.168.1.1 with subnet 255.255.255.0
DMZ: 192.168.10.1 with subnet 255.255.255.0
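The note above is the kind of check worth automating before a configuration is applied. The following Python example is added here (it is not from the deck or from NETGEAR) and uses the slide's own four interface addresses plus one constructed misconfiguration; it tests for subnet overlap rather than merely different addresses, since a DMZ address that falls inside the LAN subnet would make LAN hosts reachable through the DMZ port.

```python
import ipaddress

# The four interface addresses from the slide's example.
SLIDE_EXAMPLE = {
    "WAN 1": "10.0.0.1/255.0.0.0",
    "WAN 2": "20.0.0.1/255.0.0.0",
    "LAN":   "192.168.1.1/255.255.255.0",
    "DMZ":   "192.168.10.1/255.255.255.0",
}

# Constructed misconfiguration: the DMZ address was placed inside the LAN subnet.
BAD_EXAMPLE = dict(SLIDE_EXAMPLE, DMZ="192.168.1.200/255.255.255.0")


def overlapping_interfaces(config: dict) -> list:
    """Return every pair of interface names whose subnets overlap.

    An empty list means each port sits on its own subnet, as the slide requires.
    """
    networks = {name: ipaddress.ip_interface(addr).network for name, addr in config.items()}
    names = list(networks)
    problems = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if networks[a].overlaps(networks[b]):
                problems.append((a, b))
    return problems


def check(config: dict) -> str:
    """Human-readable verdict for the router admin."""
    problems = overlapping_interfaces(config)
    if not problems:
        return "OK: all interfaces are on distinct subnets"
    return "FIX: overlapping subnets on " + ", ".join(f"{a}/{b}" for a, b in problems)


if __name__ == "__main__":
    print(check(SLIDE_EXAMPLE))   # OK
    print(check(BAD_EXAMPLE))     # FIX: overlapping subnets on LAN/DMZ
```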

Page 14

How to choose a firewall?

» Security.
» Features:
• Flexibility in defining rules – by time/date.
• User authentication.
• URL Filtering.
• Content filtering.
• Port forwarding (NAT).
» Performance
» Support – updates, enhancements.
» Audit Trail – logs, alarms.
» Manageability – a firewall is only as secure as it is configured.

Page 15

VPN Overview

Page 16

VPN Overview

[Diagram: sites linked by a Leased Line, T1 or Frame Relay, compared with the same sites linked across the INTERNET by an encrypted VPN]

Page 17

What is a VPN?

» VPN is a secure path through a public shared network.
» Data is secured by encryption.
» Types of VPN:
• IPSEC (Internet Protocol Security)
• PPTP (Point-to-Point Tunneling Protocol)
• L2TP (Layer Two Tunneling Protocol)
• SSL (Secure Socket Layer)

Page 18

Encryption

» A mathematical function that converts data into a secret form.
» Encryption converts cleartext to ciphertext.
- Encrypt(cleartext, key) = ciphertext
- Decrypt(ciphertext, key) = cleartext
» Symmetric encryption (DES, 3DES)
» Asymmetric encryption (public key)
» Hash algorithm - Hash(A, key) = B
  Low probability that other data will be hashed into B. Fast.

Page 19

Encryption Overview

Private key Encryption (Symmetric)
» Encrypt and decrypt with the same key.
» Needs a special procedure for key distribution.
» Fast and computationally inexpensive
• Used for preserving confidentiality

Public key Encryption (Asymmetric)
» Encrypt with the public key and decrypt with the private key.
• Encrypt (cleartext, KEYpublic) = ciphertext
• Decrypt (ciphertext, KEYprivate) = cleartext
» Public key can be freely distributed.
» Slow and computationally intensive
• Used for achieving authentication and non-repudiation.

Page 20

Public Key Encryption at work

1. You give John (aka Sender) a copy of your public key.
2. John uses your public key to encrypt the plaintext to produce a ciphertext for you.
3. He then gives (just) the ciphertext to you, and
4. You use your private key to decrypt the ciphertext to reproduce the plaintext.

Page 21

IPsec Basics

» Application transparency.
» Automated key management.
» Interoperability with PKI (Public Key Infrastructure).
» Fast deployment.
» Implemented in existing routers/CPE.

Page 22

IPsec Protocols

» Three main Protocols of IPsec
• IKE (Internet Key Exchange)
  » Defines a method for the secure exchange of the initial encryption keys between the two endpoints of a VPN (establishing SA).
  » UDP protocol 500
• AH (Authentication Header)
  » Used to ensure integrity of the header information and payload as the packet makes its way through the Internet. Authentication only, no encryption
  » 128-bit MD5 or 160-bit SHA-1 keys used to compute the integrity checksum value (ICV)
  » TCP protocol 51
• ESP (Encapsulating Security Payload)
  » Performs the actual encryption of the data to provide data confidentiality, and data integrity.
  » Encrypt with DES/3DES.
  » TCP protocol 50
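Two practitioner notes on the numbers above, and then an added example. AH and ESP are carried directly inside IP as protocol numbers 51 and 50 (they do not ride on TCP), and IKE uses UDP port 500; a firewall between two gateways must pass all three or the tunnel will not come up. The ICV the slide mentions is a keyed hash: the Python below, added here and not taken from the deck or from NETGEAR, builds an AH header, computes the ICV as HMAC-MD5-96 or HMAC-SHA-1-96 (the 96-bit truncation AH uses per RFC 2403 and RFC 2404), and shows that changing one bit or using the wrong key fails verification. Keys and payload are constructed; the immutable outer-IP-header fields that real AH also covers are left out of this model. MD5 and SHA-1 remain in the example because the deck's products use them, but neither is a choice for new deployments.

```python
import hashlib
import hmac
import struct

AH_HEADER_LEN = 24    # 12 fixed bytes + 96-bit (12-byte) ICV
NEXT_HEADER_TCP = 6   # protocol number of what follows the AH header (constructed choice)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH header layout: Next Header (1), Payload Len (1, in 32-bit words minus 2),
    Reserved (2), SPI (4), Sequence Number (4), then the ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key: bytes, algorithm: str, next_header: int, spi: int, seq: int,
                payload: bytes) -> bytes:
    """Keyed hash over the AH header (ICV field zeroed) and the payload, truncated
    to 96 bits: HMAC-MD5-96 (RFC 2403) or HMAC-SHA-1-96 (RFC 2404)."""
    digestmod = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1}[algorithm]
    zeroed = ah_header(next_header, spi, seq, bytes(12))
    return hmac.new(key, zeroed + payload, digestmod).digest()[:12]


def protect(key: bytes, algorithm: str, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: emit AH header + payload carrying a valid ICV."""
    icv = compute_icv(key, algorithm, NEXT_HEADER_TCP, spi, seq, payload)
    return ah_header(NEXT_HEADER_TCP, spi, seq, icv) + payload


def verify(key: bytes, algorithm: str, packet: bytes) -> bool:
    """Receiver side: recompute the ICV from the received bytes and compare in
    constant time. Any change to the header or payload in transit fails here."""
    if len(packet) < AH_HEADER_LEN:
        return False
    next_header, _, _, spi, seq = struct.unpack("!BBHII", packet[:12])
    received_icv = packet[12:AH_HEADER_LEN]
    payload = packet[AH_HEADER_LEN:]
    expected = compute_icv(key, algorithm, next_header, spi, seq, payload)
    return hmac.compare_digest(received_icv, expected)


def demo() -> tuple:
    """Constructed 160-bit key and payload; returns (genuine, tampered, wrong key) verdicts."""
    key = bytes(range(20))
    packet = protect(key, "SHA-1", spi=1000, seq=1, payload=b"GET / HTTP/1.0\r\n")
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])   # flip one bit of the payload
    return (verify(key, "SHA-1", packet),
            verify(key, "SHA-1", tampered),
            verify(bytes(20), "SHA-1", packet))


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```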

Page 23

Security Associations (SA)

» What is a Security Association (SA)?
• Basic concept of IPsec
• Represents a policy contract between two VPN endpoints describing how they will use IPsec to secure network traffic
• Contains all the security parameters to establish the VPN connection
• Unidirectional – one SA for each direction.
• Each established SA is identified by a 32-bit number (SPI)
• SPIs are written into IPsec packet headers to locate the appropriate SA.

Page 24

Security Association (SA) Components

» What are the components of the SA?
• Authentication/encryption algorithm, key length, key lifetime, etc…
• Session keys
• Specification of the network traffic to which IPsec will apply
• IPsec encapsulation protocol (AH/ESP) and mode (Transport/Tunnel).

[Diagram: VPN between San Jose and New York, SA 1000; the same SA database is held at both ends]

SA database:
San Jose to New York: SPI = 1000, ESP/3DES/MD5, Key1, Key2, ..., key lifetime = 3600
New York to San Jose: SPI = 1001, ESP/DES/SHA-1, Key3, Key4, key lifetime = 3600
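The two slides above describe a data structure, so here is one as an added Python example (not from the deck and not NETGEAR code): a minimal SA database holding the San Jose / New York pair from the slide, with outbound lookup by traffic selector, inbound lookup by the SPI read from the ESP header, and lifetime expiry. The subnets behind the two gateways are not on the slide and are constructed here; the key names are the slide's placeholders.

```python
from dataclasses import dataclass, field
import ipaddress
import struct
import time


@dataclass
class SecurityAssociation:
    """One direction of protection, holding the parameters the slides list for an SA."""
    spi: int                              # 32-bit Security Parameter Index
    protocol: str                         # "ESP" or "AH"
    encryption: str                       # e.g. "3DES"
    authentication: str                   # e.g. "MD5"
    keys: tuple                           # session keys (slide placeholders here)
    lifetime: int                         # seconds before the SA must be re-keyed
    src_selector: ipaddress.IPv4Network   # traffic this SA applies to
    dst_selector: ipaddress.IPv4Network
    created: float = field(default_factory=time.time)

    def expired(self, now: float) -> bool:
        return now - self.created >= self.lifetime


class SADatabase:
    """SAD keyed by SPI. Outbound packets are matched on their selectors; inbound
    packets carry the SPI in the IPsec header, which locates the SA directly."""

    def __init__(self):
        self.by_spi = {}

    def add(self, sa: SecurityAssociation) -> None:
        if sa.spi in self.by_spi:
            raise ValueError(f"SPI {sa.spi} already in use")
        self.by_spi[sa.spi] = sa

    def outbound(self, src_ip: str, dst_ip: str, now: float = None):
        now = time.time() if now is None else now
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for sa in self.by_spi.values():
            if s in sa.src_selector and d in sa.dst_selector and not sa.expired(now):
                return sa
        return None   # no usable SA: the packet must trigger IKE or be dropped

    def inbound(self, spi: int, now: float = None):
        now = time.time() if now is None else now
        sa = self.by_spi.get(spi)
        if sa is None or sa.expired(now):
            return None   # unknown or stale SPI: discard the packet
        return sa


def esp_header(spi: int, seq: int) -> bytes:
    """ESP starts with the 32-bit SPI followed by the 32-bit sequence number."""
    return struct.pack("!II", spi, seq)


def spi_from_esp_header(packet: bytes) -> int:
    """Read the SPI a receiver uses to locate the SA."""
    return struct.unpack("!I", packet[:4])[0]


def build_slide_sad() -> SADatabase:
    """The SA pair from the slide; the subnets behind each gateway are constructed."""
    sad = SADatabase()
    san_jose = ipaddress.ip_network("192.168.1.0/24")
    new_york = ipaddress.ip_network("192.168.2.0/24")
    sad.add(SecurityAssociation(1000, "ESP", "3DES", "MD5", ("Key1", "Key2"), 3600, san_jose, new_york))
    sad.add(SecurityAssociation(1001, "ESP", "DES", "SHA-1", ("Key3", "Key4"), 3600, new_york, san_jose))
    return sad


if __name__ == "__main__":
    sad = build_slide_sad()
    print(sad.outbound("192.168.1.5", "192.168.2.9").spi)                      # 1000
    print(sad.inbound(spi_from_esp_header(esp_header(1001, 7))).encryption)    # DES
```

Because SAs are unidirectional, traffic from San Jose selects SPI 1000 while the return traffic from New York selects SPI 1001, and each side can use different algorithms for the two directions exactly as the slide's table shows.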

Page 25

IPSec Data Exchange Modes

» Tunnel Mode:
• Between two IPsec gateways
• Encapsulates both header and data.
  » Hides the original IP header
» Transport Mode:
• Between two IPsec hosts.
  » IP addresses of the hosts must be public IP addresses
• Only encapsulates data.

Page 26

AH & ESP Protocols

[Diagram: Normal IP Packet layout alongside the AH and ESP encapsulations]

Page 27

IKE – Internet Key Exchange Protocol

» ISAKMP (Internet Security Association and Key Management Protocol)
• Protocol to negotiate and establish SAs.
» Oakley
• Defines the mechanism for key exchange over the IKE session
• By default, uses the Diffie-Hellman algorithm for key exchange
» Each IKE peer has an IKE identity which is based on:
• IP address
• FQDN (Fully qualified domain name)
• X.500 (certificate) name
• Email address
» IKE sessions are protected by cryptographic algorithms.
» IKE peers must agree exactly on a set of algorithms and protocols to protect the IKE session

Page 28

IKE on NETGEAR

Page 29

IKE Operations

» Phase 1 (Authentication Phase)
• Main mode or Aggressive mode
• Used to establish a secure channel, authenticate the negotiating parties, and generate shared keys to protect IKE protocol messages
• Negotiates the IKE SA
» Phase 2 (Key Exchange Phase)
• AKA: Quick mode
• Used to establish the IPSec SA and to generate new keying material
• Negotiates the IPsec SA

Page 30

IKE Main Mode Message Exchange

» Uses 6 messages to establish the IKE SA.
• First 2 – negotiate the security policy that will be used
• Next 2 – perform the Diffie-Hellman key exchange and pass Nonces (random # for signing) to each other
• Last 2 – used to authenticate the peers
» Hides the identity of the IKE peers.

Page 31

IKE Aggressive Mode Message Exchange

» Less negotiation flexibility for IKE session protection.
» Will not hide identity (all identities of parties involved are revealed).

Page 32

IKE Quick Mode Message Exchange

» Quick Mode
• Fast.
• If an IKE SA is in place, only quick mode exchanges are used to negotiate new keys or re-key.
• PFS (Perfect Forward Secrecy)
  » Generates a new key that is independent of the current key (from Phase 1).

Page 33

IPsec Inbound Packet Processing

Page 34

IPsec Outbound Packet Processing

Page 35

Host to Host VPN Traffic Process

Page 36

1) Initialization

Page 37

2) IKE Phase 1 Triggering

Page 38

3) IKE Phase 1 Completed

Page 39

4) IKE Phase 2

Page 40

5) IPsec VPN Established

Page 41

VPN Policy requirements?

» Who are the VPN parties?
• IKE Identifiers (WAN IP, FQDN, FQUN, DN).
» Where are the VPN parties?
• VPN gateway addresses (WAN IP, FQDN).
» What traffic is included in the VPN?
• Local VPN subnet, remote VPN subnet.
» How does the VPN secure the communication?
• Main mode / Aggressive mode.
• Pre-shared key.
• Key lifetime.
• ESP / AH (authentication algorithm, encryption algorithm).
• PFS?

Page 42

VPN Gateway-to-Gateway Example

[Diagram: Network A (Ethernet, 192.168.0.0/255.255.255.0) – ProSafe VPN router (66.126.237.201) – INTERNET – ProSafe VPN Router (66.126.237.204) – Network B (Ethernet, 192.168.4.0/255.255.255.0)]

                          Network A          Network B
Local Identifier          WAN IP             WAN IP
Remote Identifier         WAN IP             WAN IP
Local subnet              192.168.0.0/24     192.168.4.0/24
Remote subnet             192.168.4.0/24     192.168.0.0/24
Remote VPN Endpoint       66.126.237.204     66.126.237.201
Shared Key                12345678           12345678
Encryption Algorithm      3DES               3DES
Authentication Algorithm  SHA-1              SHA-1

Page 43

VPN Client-to-Gateway Example

[Diagram: Network A (Ethernet, 192.168.1.0/255.255.255.0) – ProSafe VPN router (66.126.237.203) – INTERNET – Remote User VPN Client]

                          Network A          Remote Client
Local Identifier          WAN IP             remoteClient
Remote Identifier         remoteClient       WAN IP
Local subnet              192.168.1.0/24     192.168.100.1
Remote subnet             192.168.100.1      192.168.1.0/24
Remote VPN Endpoint       66.126.237.203     0.0.0.0
Shared Key                12345678           12345678
Encryption Algorithm      3DES               3DES
Authentication Algorithm  MD5                MD5
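The two example tables above are mirror images of each other, and most tunnels that fail to come up in the lab fail because one cell does not mirror. The following Python is an added example (not from the deck, not NETGEAR's own configuration checker) that encodes each side's policy and lists the fields that do not mirror: identifiers, subnets, remote endpoints, shared key and algorithms. The gateway-to-gateway pair is taken from the deck's table; the client-to-gateway pair is constructed to show the 0.0.0.0 wildcard endpoint a gateway uses for a client arriving from any address, and the `wan_ip` field is an assumption added so the endpoint check has something to compare against. The deck's 8-digit key is a lab value; production pre-shared keys should be long and random.

```python
from dataclasses import dataclass
import ipaddress


@dataclass
class VpnPolicy:
    """One side's VPN policy, with the fields shown in the slide tables."""
    name: str
    wan_ip: str                 # this side's own WAN address; None for a client on a dynamic address
    local_identifier: str
    remote_identifier: str
    local_subnet: str           # "192.168.0.0/24", or a single host such as "192.168.100.1"
    remote_subnet: str
    remote_endpoint: str        # peer's WAN IP, or "0.0.0.0" to accept the peer from any address
    shared_key: str
    encryption: str
    authentication: str


def _net(text: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(text, strict=False)   # a bare host becomes a /32


def policy_mismatches(a: VpnPolicy, b: VpnPolicy) -> list:
    """Return the fields that do not mirror each other between the two endpoints.
    An empty list means the two policies describe the same tunnel."""
    problems = []
    if a.local_identifier != b.remote_identifier or b.local_identifier != a.remote_identifier:
        problems.append("identifiers")
    if _net(a.local_subnet) != _net(b.remote_subnet) or _net(b.local_subnet) != _net(a.remote_subnet):
        problems.append("subnets")
    for side, other in ((a, b), (b, a)):
        # 0.0.0.0 means "any peer"; otherwise the endpoint must be the other side's WAN address
        if side.remote_endpoint != "0.0.0.0" and side.remote_endpoint != other.wan_ip:
            problems.append(f"remote endpoint on {side.name}")
    if a.shared_key != b.shared_key:
        problems.append("shared key")
    if a.encryption != b.encryption:
        problems.append("encryption algorithm")
    if a.authentication != b.authentication:
        problems.append("authentication algorithm")
    return problems


# The gateway-to-gateway pair from the deck's table.
NETWORK_A = VpnPolicy("Network A", "66.126.237.201", "WAN IP", "WAN IP",
                      "192.168.0.0/24", "192.168.4.0/24", "66.126.237.204", "12345678", "3DES", "SHA-1")
NETWORK_B = VpnPolicy("Network B", "66.126.237.204", "WAN IP", "WAN IP",
                      "192.168.4.0/24", "192.168.0.0/24", "66.126.237.201", "12345678", "3DES", "SHA-1")

# A constructed client-to-gateway pair: the gateway accepts the client from any address.
GATEWAY = VpnPolicy("Gateway", "66.126.237.203", "WAN IP", "remoteClient",
                    "192.168.1.0/24", "192.168.100.1", "0.0.0.0", "12345678", "3DES", "MD5")
CLIENT = VpnPolicy("Remote Client", None, "remoteClient", "WAN IP",
                   "192.168.100.1", "192.168.1.0/24", "66.126.237.203", "12345678", "3DES", "MD5")


def typo_example() -> list:
    """Constructed fault: Network B entered with the wrong remote subnet and a mistyped key."""
    wrong_b = VpnPolicy("Network B", "66.126.237.204", "WAN IP", "WAN IP",
                        "192.168.4.0/24", "192.168.1.0/24", "66.126.237.201", "12345679", "3DES", "SHA-1")
    return policy_mismatches(NETWORK_A, wrong_b)


if __name__ == "__main__":
    print(policy_mismatches(NETWORK_A, NETWORK_B))   # []
    print(policy_mismatches(GATEWAY, CLIENT))        # []
    print(typo_example())                            # ['subnets', 'shared key']
```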

Page 44

What is SSL VPN?

» SSL VPNs create secure tunnels by performing two functions:
• Requiring authentication from users before allowing access so that only authorized parties can establish tunnels
• Encrypting all data transmitted to and from the user by implementing the actual tunnel using SSL
» The process of establishing an SSL tunnel requires the exchange of different configuration information between the computers on either end of the connection.

Page 45

SSL VPN on OSI Network Model

» IPSec VPN operates at the Network Layer – Layer 3
» SSL VPN establishes connectivity using SSL, which functions at Layers 4 & 5
» Information gets encapsulated at Layers 6 & 7 of the OSI model
» So why don't SSL VPNs simply use SSL to tunnel network-level communications as IPSec does and not worry about the higher levels?
• Technical limitations of many devices prevent the establishment of Network-Layer communications over SSL, but allow application-layer access from a web browser.
• Security considerations and policies normally prohibit attaching Internet kiosks and borrowed computers as nodes on your corporate network.
  » Cannot install VPN client software on public Kiosks

Page 46

SSL VPN

Page 47

Segmentation in SSL VPN

[Diagram: remote users (Home, Kiosk or Laptop, B2B Partner, PDA, Internet Café) reach the ProSafe VPN Firewall and the ProSafe SSL312 VPN Concentrator over secure SSL VPN connections across the Internet; the corporate applications behind them (Email, Web, Database, File server) are offered with either full access or restricted access]

Page 48

Unique Router Features

Page 49

Serial Modem – FR328S, FVS328, FWG114P

Page 50

Serial Port – Auto Failover FVS328, FR328S, FWG114P

Page 51

Serial Port – Dial in – FVS328, FR328S, FWG114P

Page 52

Serial Port – LAN to LAN – FVS328, FR328S, FWG114P

Page 53

Dial up ISP – FVS338

Page 54

ADSL Interface – DGFV338

Page 55

Wireless – FVG318, DGFV338

Page 56

WAN Mode w/ Dialup – FVS338

Page 57

Auto-Rollover – DGFV338, FVS336G, FVX538

Page 58

Auto-Rollover – DGFV338, FVS336G, FVX538

» If you want to use a redundant ISP link for backup purposes, select the WAN port that will act as the primary link for this mode. Ensure that the backup WAN port has also been configured and that you configure the WAN Failure Detection Method to support Auto-Rollover.
» Link failure is detected in one of the following ways:
• By sending DNS queries to a DNS server, or
• By sending a Ping request to an IP address, or
• None (no failure detection is performed).
» From each WAN interface, DNS queries or Ping requests are sent to the specified IP address. If replies are not received after a specified number of retries, the corresponding WAN interface is considered down.
» As long as the primary link is up, all traffic is sent over the primary link. Once the primary WAN interface goes down, the rollover link is brought up to send the traffic. Traffic will automatically roll back to the original primary link once the original primary link is back up and running again.
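The detection and rollover behaviour described above is a small state machine, written out here as an added Python example (not from the deck and not NETGEAR firmware). The probe is abstracted to a callable that reports whether a DNS or Ping reply came back, the retry count and the round-by-round probe outcomes are constructed, and the simulation shows the primary being declared down only after the configured number of consecutive failed probes, traffic moving to the backup, and traffic rolling back as soon as the primary answers again. Note that with detection set to "None" the router has no basis for rollover at all, which is why the slide lists it last.

```python
class WanFailover:
    """Auto-Rollover between a primary and a backup WAN interface."""

    def __init__(self, primary: str, backup: str, retries: int, probe):
        self.primary, self.backup = primary, backup
        self.retries = retries          # consecutive failed probes before an interface is "down"
        self.probe = probe              # callable(interface) -> True if a DNS/Ping reply came back
        self.failures = {primary: 0, backup: 0}
        self.active = primary

    def check(self) -> str:
        """Run one detection round on both WAN interfaces; return the link carrying traffic."""
        for wan in (self.primary, self.backup):
            if self.probe(wan):
                self.failures[wan] = 0          # a reply resets the counter
            else:
                self.failures[wan] += 1
        up = [w for w in (self.primary, self.backup) if self.failures[w] < self.retries]
        # The primary is preferred whenever it is up (automatic roll back); otherwise the
        # backup; None means both links failed detection.
        if self.primary in up:
            self.active = self.primary
        elif self.backup in up:
            self.active = self.backup
        else:
            self.active = None
        return self.active


def simulate(outcomes: list, retries: int = 3) -> list:
    """outcomes: constructed list of (primary_replied, backup_replied) per detection round.
    Returns the active interface after each round."""
    current = {}

    def probe(wan: str) -> bool:
        return current[wan]

    failover = WanFailover("WAN1", "WAN2", retries, probe)
    history = []
    for primary_ok, backup_ok in outcomes:
        current.update({"WAN1": primary_ok, "WAN2": backup_ok})
        history.append(failover.check())
    return history


if __name__ == "__main__":
    rounds = [(True, True), (False, True), (False, True), (False, True), (False, True), (True, True)]
    print(simulate(rounds))   # ['WAN1', 'WAN1', 'WAN1', 'WAN2', 'WAN2', 'WAN1']
```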

Page 59

Load Balancing / Protocol Binding – FVS336G, FVX538

Page 60

Load Balancing / Protocol Binding – FVS336G, FVX538

» The VPN firewall distributes the outbound traffic equally among the WAN interfaces that are functional.
» Scenarios could arise when load balancing needs to be bypassed for certain traffic or applications. If certain traffic needs to travel on a specific WAN interface, configure protocol binding rules for that WAN interface. The rule should match the desired traffic.
• In the Protocol Binding menu, you specify a protocol such as HTTP, and this causes all outbound traffic of that protocol to use that WAN port.

Page 61

Multi Home LAN IP – DGFV338, FVS336G, FVS338, FVX538

The secondary LAN IP address will be assigned to the LAN interface of the router and can be used as a gateway by computers on the secondary subnet

Page 62

Multi Home LAN IP – DGFV338, FVS336G, FVS338, FVX538

» If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or 10.0.0.0), you can add “aliases” to the LAN port, giving computers on those networks access to the Internet through the router. This allows the router to act as a gateway to additional logical subnets on your LAN.

NOTE: IP addresses on these secondary subnets cannot be configured in the DHCP server. The hosts on the secondary subnets must be manually configured with IP addresses, gateway IP addresses, and DNS server IP addresses.

Page 63

Traffic Meter – FVS336G, FVS338, FVX538

Page 64

Traffic Meter – FVS336G, FVS338, FVX538

» Allows you to measure and limit the traffic routed by the router.
» The router will keep a record of the volume of traffic going from the selected interface.
» The router can also be configured to place a restriction on the volume of data being transferred.

Page 65

Session Limit – FVS338, FVX538

"Total Number of Packets Dropped due to Session Limit:" shows total number of packets dropped when session limit is reached

Page 66

Session Limit – FVS338, FVX538

» Allows you to specify the total number of sessions per user (IP) allowed across the router.
» You can give the maximum number of sessions per IP either as a percentage of maximum sessions or as an absolute number of maximum sessions.
» The percentage is computed on the total connection capacity of the device. "User Limit" specifies the maximum number of sessions that should be allowed via the box from a single source machine (i.e. session limiting is per machine) as a percentage of total connection capacity.
» NOTE: Some protocols like FTP and RTSP create 2 sessions per connection, which should be considered when configuring session limiting.
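The arithmetic behind the User Limit, and the two-sessions-per-connection caveat, are easy to get wrong when sizing the limit, so here is an added Python model (not from the deck and not NETGEAR firmware) of a per-source-IP session cap with the dropped-packet counter the status page shows. The total connection capacity of 1000 and the 1% user limit are constructed values; the example shows that with FTP each connection consumes two slots, so a limit of 10 admits only five FTP connections from one host, while a second host is unaffected.

```python
class SessionLimiter:
    """Per-source-IP session cap, as the Session Limit feature describes it."""
    TWO_SESSION_PROTOCOLS = {"FTP", "RTSP"}   # control connection plus a data stream

    def __init__(self, total_capacity: int, user_limit: float, as_percent: bool = True):
        # "User Limit" either as a percentage of the box's total connection capacity
        # or as an absolute number of sessions.
        self.per_ip_limit = int(total_capacity * user_limit / 100) if as_percent else int(user_limit)
        self.open_sessions = {}      # source IP -> sessions currently open
        self.packets_dropped = 0     # "Total Number of Packets Dropped due to Session Limit"

    def _cost(self, protocol: str) -> int:
        return 2 if protocol in self.TWO_SESSION_PROTOCOLS else 1

    def new_session(self, src_ip: str, protocol: str = "TCP") -> bool:
        """Admit a new session from src_ip, or drop the attempt when the cap is reached."""
        current = self.open_sessions.get(src_ip, 0)
        if current + self._cost(protocol) > self.per_ip_limit:
            self.packets_dropped += 1
            return False
        self.open_sessions[src_ip] = current + self._cost(protocol)
        return True

    def end_session(self, src_ip: str, protocol: str = "TCP") -> None:
        """Release the slots a finished session held."""
        self.open_sessions[src_ip] = max(0, self.open_sessions.get(src_ip, 0) - self._cost(protocol))


def demo() -> dict:
    """Constructed scenario: capacity 1000 sessions, User Limit 1% -> 10 sessions per IP."""
    limiter = SessionLimiter(total_capacity=1000, user_limit=1)
    host = "192.168.1.50"
    accepted_tcp = sum(limiter.new_session(host) for _ in range(12))        # only 10 fit
    for _ in range(10):
        limiter.end_session(host)                                          # host closes them all
    accepted_ftp = sum(limiter.new_session(host, "FTP") for _ in range(6))  # 5 x 2 slots fit
    return {
        "limit": limiter.per_ip_limit,
        "tcp_accepted": accepted_tcp,
        "ftp_accepted": accepted_ftp,
        "dropped": limiter.packets_dropped,
        "other_host_ok": limiter.new_session("192.168.1.51"),
    }


if __name__ == "__main__":
    print(demo())
```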

Page 67

UPnP – DGFV338, FVG318

UPnP (Universal Plug and Play) is a feature that allows for automatic discovery of devices that can communicate with this router.

Page 68

Firewall Features

Page 69

Static Routes

Page 70

Dynamic DNS

» Aliases a dynamic IP address to a static hostname.
» Requires a dynamic DNS provider.
» When the dynamic IP changes on a network device, the device logs onto the DDNS server and changes the record of the hostname to map to the new IP address.
» Some DDNS providers expire the hostname if the IP address remains idle for a period of time. (Use the “Update every 30 days” check box to prevent the hostname from expiring.)

Page 71

SNMP – FVS336G, FVS338, FVX538, DGFV338

Page 72

Groups and Hosts

Page 73

Groups and Hosts – Add

Page 74

Groups and Hosts – Edit

Page 75

Address Filter – Source MAC Filter

Page 76

Services

Page 77

Scheduling

Page 78

Block Sites

Page 79

Firewall Rules

Page 80

Firewall Rules – Adding Inbound

Page 81

Firewall Rules – Adding Outbound

Page 82

Address Filter – IP/MAC Binding

Page 83

Address Filter – IP/MAC Binding – Edit

Page 84

Port Triggering

Page 85

Port Triggering

Once configured, operation is as follows:

1. A PC makes an outgoing connection using a port number defined in the Port Triggering table.

2. This Router records this connection, opens the INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC.

3. The remote system receives the PC's request, and responds using a different port number.

4. This Router matches the response to the previous request, and forwards the response to the PC. (Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.)

Page 86

Port Triggering

Note:
» Only 1 PC can use a "Port Triggering" application at any time.
» After a PC has finished using a "Port Triggering" application, there is a "Time-out" period before the application can be used by another PC. This is required because this Router cannot be sure when the application has terminated.
» Normally for games and chat.
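The four steps and the single-PC/time-out note above, modelled in Python as an added example (not NETGEAR firmware): class and field names, the sample ports and the time-out value are assumptions, as is refreshing the timer on inbound traffic.

```python
# Added example, not NETGEAR firmware: a minimal model of the Port Triggering table
# described above. Names, sample ports and the time-out are assumptions; refreshing
# the timer on inbound traffic is also an assumption.
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class TriggerRule:
    trigger_port: int          # outgoing destination port that arms the entry
    incoming_ports: set[int]   # ports opened toward the PC once armed

@dataclass
class TriggerState:
    pc: str | None = None      # LAN host currently associated with the entry
    last_used: float = 0.0     # time of its last matching packet (seconds)

class PortTriggeringRouter:
    def __init__(self, rules, timeout_s=600.0, port_forwarding=None):
        self.rules = {r.trigger_port: r for r in rules}
        self.state = {r.trigger_port: TriggerState() for r in rules}
        self.timeout_s = timeout_s
        # Static inbound rules consulted when no armed trigger matches (step 4's note).
        self.port_forwarding = port_forwarding or {}

    def _armed(self, st: TriggerState, now: float) -> bool:
        return st.pc is not None and now - st.last_used < self.timeout_s

    def outbound(self, pc: str, dst_port: int, now: float) -> str:
        """Steps 1-2: a LAN PC connects out; a trigger port opens its incoming ports."""
        rule = self.rules.get(dst_port)
        if rule is None:
            return "plain outbound"
        st = self.state[dst_port]
        if self._armed(st, now) and st.pc != pc:
            return f"trigger busy: owned by {st.pc}"  # one PC at a time until time-out
        st.pc, st.last_used = pc, now
        return f"incoming ports {sorted(rule.incoming_ports)} opened for {pc}"

    def inbound(self, dst_port: int, now: float) -> str:
        """Steps 3-4: a WAN packet arrives on dst_port; match it to an armed trigger."""
        for trig, rule in self.rules.items():
            st = self.state[trig]
            if dst_port in rule.incoming_ports and self._armed(st, now):
                st.last_used = now
                return f"forwarded to {st.pc} (port triggering)"
        if dst_port in self.port_forwarding:
            return f"forwarded to {self.port_forwarding[dst_port]} (port forwarding rule)"
        return "dropped"
```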

Page 87

Bandwidth Profile

Page 88

Attack Checks

Page 89

Firewall Logs

Page 90

Email Logs

Page 91

Syslog

Page 92

VPN Logs

Page 93

Troubleshooting Features

Page 94

Diagnostics

FVS338, FVS336G, FVX538, DGFV338

FVG318

Page 95

Diagnostics – Packets Capture

Page 96

VPN Features

Page 97

Netgear VPN – VPN Wizard Box-to-box

Page 98

Netgear VPN – VPN Wizard Client-to-box

Page 99

VPN Policy

Page 100

VPN Policy – General

Page 101

VPN Policy – Traffic Selection

Page 102

VPN Policy – Policy Parameters

Page 103

IKE Policy

Page 104

IKE Policy – Edit for FVS336G, FVS338, FVX538

Page 105

IKE Policy – Edit for FVG318

Page 106

IKE Policy – IKE parameters

Page 107

VPN – Certificate Authority (CA)

Page 108

Generate Self-sign Certificate

Page 109

View Certificate Request

Page 110

Certificate Revocation List (CRL)

Page 111

Mode Config

Page 112

VPN Client – User Database

Page 113

VPN Client – RADIUS Client

Page 114

VPN01L, VPN05L – ProSafe VPN Client Software

Page 115

Client to Gateway VPN Example

Page 116

ProSafe VPN Client Software

» Securely enables mobile workers or single-user remote access to corporate network resources

» Broad security support, standards-based
  • Implements the IPSec security protocol with optional certificates or Smart Cards

» Easy to configure and deploy

» Compatible with any IPSec-compliant VPN devices

» Optimized for NETGEAR ProSafe VPN Firewalls

Page 117

VPN Client – Security Policy Editor

Page 118

VPN Client – Global Config

Page 119

VPN Client – Security Policy

Page 120

VPN Client – Authentication

Page 121

VPN Client – Key Exchange

Page 122

VPN Client – My Identity

IKE Identifier

Page 123

VPN Client – Preshared key

Page 124

FVX538 – Client VPN Policy

Page 125

FVX538 – VPN Client

Screenshot callouts: 50.0.0.0, fvx_local.com, IKE Identifier

Page 126

FVX538 – VPN Client

Screenshot callout: fvx_remote.com

Page 127

Exercise: Set up the following two scenarios

Page 128

Box-to-Box VPN

Diagram labels: Ethernet, VPN Gateway #1, VPN Gateway #2, Internal Router, Internal Subnet #1, Internal Subnet #2, Internal Subnet #3

» Create a VPN tunnel between 2 NETGEAR VPN routers

Page 129

Hub and Spoke VPN

Diagram labels: Local Area Network #1, Hub VPN Gateway, Local Area Network #2, Spoke VPN Gateway #1, Spoke VPN Gateway #2 or VPN Client; secure connection through VPN gateway #1

» Spoke sites access each other through hub site.
» VPN policy on hub site:
  • Local VPN network includes spoke site.
» VPN policy on spoke site:
  • Remote VPN network includes spoke site.

Page 130

VPN Troubleshooting

» Can the other VPN end point reach you?
  • What is the remote VPN endpoint?
    » FQDN: does it resolve to the remote WAN IP?
    » IP Address: is the IP address reachable?
    » 0.0.0.0: does the VPN use aggressive mode?
» Do the VPN parameters match on both endpoints?
  • What are the remote/local IKE identities?
    » Do they match the remote endpoint’s local/remote IKE identities?
  • What are the local/remote VPN networks?
    » Do they match the remote endpoint’s remote/local VPN networks?
  • What is the pre-shared key?
    » Does it match the remote endpoint’s pre-shared key?
  • What are the encryption/authentication algorithms?
    » Do they match the remote endpoint’s algorithms?
  • What is the IKE mode (main/aggressive)?
    » Does it match the remote endpoint’s IKE mode?

Page 131

VPN Troubleshooting flow

Start: VPN not working

1. Dynamic IP on local WAN?
   • Y → Use dynamic DNS? N → Set up dynamic DNS.
   • Y → Use FQDN as local VPN identity? N → Use FQDN.
   • Y → FQDN resolves to WAN IP? N → Check dynamic DNS setting, make sure FQDN resolves to local WAN IP.
   • N (or all of the above pass) → continue.
2. Dynamic IP on remote WAN?
   • Y → Use dynamic DNS? N → Set up dynamic DNS.
   • Y → Use FQDN as remote VPN identity? N → Use FQDN.
   • Y → FQDN resolves to WAN IP? N → Check dynamic DNS setting, make sure FQDN resolves to remote WAN IP.
   • N (or all of the above pass) → continue.
3. VPN mode matches? N → VPN mode must match in both remote and local VPN policies.
4. Preshared key matches? N → Preshared key must match in both remote and local VPN policies.
5. Encryption algorithm matches? N → Encryption algorithm must match in both local and remote VPN policies.
6. Authentication algorithm matches? N → Authentication algorithm must match in both remote and local VPN policies.
7. All Y → Refer to Premium support.
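The troubleshooting checklist and the flow above, carried out as an added Python example (not NETGEAR's code): two policy records are mirror-checked (my local must equal their remote) and the symmetric items are checked in flow-chart order. Field names are assumptions, and the sample addresses and keys in the test are constructed.

```python
# Added example, not NETGEAR's code: mirror-check two IPsec policies the way the
# checklist and the flow chart above do. Field names are assumed.
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class VpnEndpoint:
    wan_ip: str                    # current WAN address of this router
    dynamic_wan: bool              # is the WAN IP assigned dynamically?
    ddns_fqdn: str | None          # hostname registered with a DDNS provider
    ddns_resolves_to: str | None   # what that hostname resolves to right now
    local_id: str                  # local IKE identifier (this router)
    remote_id: str                 # remote IKE identifier (the other router)
    local_net: str                 # local VPN network
    remote_net: str                # remote VPN network
    psk: str                       # pre-shared key
    ike_mode: str                  # "main" or "aggressive"
    encryption: str
    authentication: str

def check_dynamic_wan(ep: VpnEndpoint, side: str) -> list[str]:
    """Flow-chart branch for one side whose WAN IP is dynamic."""
    if not ep.dynamic_wan:
        return []
    if ep.ddns_fqdn is None:
        return [f"{side}: dynamic WAN IP without dynamic DNS, set up dynamic DNS"]
    if ep.local_id != ep.ddns_fqdn:
        return [f"{side}: use FQDN {ep.ddns_fqdn} as the {side} VPN identity"]
    if ep.ddns_resolves_to != ep.wan_ip:
        return [f"{side}: {ep.ddns_fqdn} resolves to {ep.ddns_resolves_to}, not to "
                f"WAN IP {ep.wan_ip}; check dynamic DNS setting"]
    return []

def diagnose(local: VpnEndpoint, remote: VpnEndpoint) -> list[str]:
    """Remediation steps in flow-chart order; escalate only when nothing is found."""
    findings = check_dynamic_wan(local, "local") + check_dynamic_wan(remote, "remote")
    # Checklist items that must match crosswise: my local equals their remote.
    for what, mine, theirs in (("local IKE identity", local.local_id, remote.remote_id),
                               ("remote IKE identity", local.remote_id, remote.local_id),
                               ("local VPN network", local.local_net, remote.remote_net),
                               ("remote VPN network", local.remote_net, remote.local_net)):
        if mine != theirs:
            findings.append(f"{what} {mine!r} does not match the other endpoint's {theirs!r}")
    # Items that must be identical on both sides (the key itself is never echoed).
    for what, same in (("VPN mode", local.ike_mode == remote.ike_mode),
                       ("preshared key", local.psk == remote.psk),
                       ("encryption algorithm", local.encryption == remote.encryption),
                       ("authentication algorithm", local.authentication == remote.authentication)):
        if not same:
            findings.append(f"{what} must match in both local and remote VPN policies")
    return findings or ["all parameters match: refer to Premium support"]
```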

Page 132

Questions & Answers