Home » Netgear Manuals » Network Security & Firewall Devices » Netgear FVX538v1 » Manual Viewer

Netgear FVX538v1 FVX538 Reference Manual - Page 123

Certificate Authorities, Trusted Certificates CA, Certificates, Active Self Certificates

Add to My Manuals
Save this manual to your list of manuals

Page 123 highlights

Certificate Authorities ProSafe VPN Firewall 200 FVX538 Reference Manual Digital Self Certificates are used to authenticate the identity of users and systems, and are issued by various CAs (Certification Authorities). Digital Certificates are used by this router during the IKE (Internet Key Exchange) authentication phase as an alternative authentication method. Self Certificates are issued to you by various CAs (Certification Authorities). The FVX538 uses Digital Certificates (also known as X509 Certificates) during the Internet Key Exchange (IKE) authentication phase to authenticate connecting VPN gateways or clients, or to be authenticated by remote entities. The same Digital Certificates are extended for secure web access via SSL VPN connections over HTTPS. Digital Certificates can be either self signed or can be issued by Certification Authorities (CA) such as via an in-house Windows server, or by an external organization such as Verisign or Thawte. However, if the Digital Certificates contain the extKeyUsage extension then the certificate must be used for one of the purposes defined by the extension. For example, if the Digital Certificate contains the extKeyUsage extension defined to SNMPV2 then the same certificate cannot be used for secure web management. The extKeyUsage would govern the certificate acceptance criteria in the FVX538 when the same digital certificate is being used for secure web management. In the FVX538, the uploaded digital certificate is checked for validity and also the purpose of the certificate is verified. Upon passing the validity test and the purpose matches its use (has to be SSL and VPN) the digital certificate is accepted. The additional check for the purpose of the uploaded digital certificate must correspond to use for VPN and secure web remote management via HTTPS. If the purpose defined is for VPN & HTTPS then the certificate is uploaded to the HTTPS certificate repository and as well in the VPN certificate repository. If the purpose defined is ONLY for VPN then the certificate is only uploaded to the VPN certificate repository. Thus, certificates used by HTTPS and IPSec will be different if their purpose is not defined to be VPN and HTTPS. Each CA also issues a CA Identity certificate shown in the Trusted Certificates (CA Certificates) table. This Certificate is required in order to validate communication with the CA. It is a three-step process. First, you generate a CA request; then, when the request is granted, you upload the Self Certificate (shown in the Active Self Certificates table) and then you upload the CA Identity certificate (shown in the Trusted Certificates table. The Trusted Certificates table lists the certificates generated and signed by a publicly known organization or authority called the Certificate Authority. The table lists the certificates of each CA and contains the following data: Virtual Private Networking v1.0, March 2009 5-19

Section	Page
ProSafe VPN Firewall 200 FVX538 Reference Manual	1
Contents	7
About This Manual	15
Conventions, Formats and Scope	15
Revision History	16
Chapter 1 Introduction	17
Key Features	17
Dual WAN Ports for Increased Reliability or Outbound Load Balancing	18
A Powerful, True Firewall with Content Filtering	18
Security Features	19
Autosensing Ethernet Connections with Auto Uplink	19
Extensive Protocol Support	20
Easy Installation and Management	20
Maintenance and Support	21
Package Contents	21
Router Front and Rear Panels	22
Rack Mounting Hardware	24
The Router’s IP Address, Login Name, and Password	25
Chapter 2 Connecting the FVX538 to the Internet	27
Logging into the VPN Firewall	27
Configuring the Internet Connections to Your ISPs	28
Setting the Router’s MAC Address	30
Manually Configuring Your Internet Connection	30
Programming the Traffic Meter (if Desired)	32
Configuring the WAN Mode (Required for Dual WAN)	34
Setting Up Auto-Rollover Mode	35
Setting Up Load Balancing	38
Configuring Dynamic DNS (If Needed)	40
Configuring the Advanced WAN Options (If Needed)	43
Chapter 3 LAN Configuration	45
Choosing the Firewall DHCP Options	45
Configuring the LAN Setup Options	46
Configuring Multi Home LAN IPs	49
Managing Groups and Hosts (LAN Groups)	50
Creating the Network Database	51
Setting Up Address Reservation	53
Configuring and Enabling the DMZ Port	54
Static Routes	56
Configuring Static Routes	56
Routing Information Protocol (RIP)	58
Static Route Example	60
Chapter 4 Firewall Protection and Content Filtering	61
About Firewall Protection and Content Filtering	61
Using Rules to Block or Allow Specific Kinds of Traffic	62
Services-Based Rules	62
Order of Precedence for Rules	69
Setting LAN WAN Rules	69
Setting DMZ WAN Rules	72
Setting LAN DMZ Rules	74
Attack Checks	76
Session Limit	78
Inbound Rules Examples	80
Outbound Rules Example	84
Adding Customized Services	85
Setting Quality of Service (QoS) Priorities	87
Setting a Schedule to Block or Allow Specific Traffic	88
Setting Block Sites (Content Filtering)	89
Enabling Source MAC Filtering	91
IP/MAC Binding	93
Port Triggering	95
Bandwidth Limiting	97
E-Mail Notifications of Event Logs and Alerts	99
Administrator Tips	103
Chapter 5 Virtual Private Networking	105
Considerations for Dual WAN Port Systems	105
Using the VPN Wizard for Client and Gateway Configurations	107
Creating Gateway to Gateway VPN Tunnels with the Wizard	107
Creating a Client to Gateway VPN Tunnel	110
Testing the Connections and Viewing Status Information	116
NETGEAR VPN Client Status and Log Information	116
FVX538 VPN Connection Status and Logs	118
VPN Tunnel Policies	119
IKE Policy	119
VPN Policy	121
Certificate Authorities	123
Generating a Self Certificate Request	124
Uploading a Trusted Certificate	126
Managing your Certificate Revocation List (CRL)	126
Extended Authentication (XAUTH) Configuration	127
Configuring XAUTH for VPN Clients	128
User Database Configuration	129
RADIUS Client Configuration	131
Assigning IP Addresses to Remote Users (ModeConfig)	133
Mode Config Operation	133
Configuring the VPN Firewall	134
Configuring the ProSafe VPN Client for ModeConfig	137
Chapter 6 Router and Network Management	143
Performance Management	143
Bandwidth Capacity	143
VPN Firewall Features That Reduce Traffic	144
VPN Firewall Features That Increase Traffic	147
Using QoS to Shift the Traffic Mix	149
Tools for Traffic Management	150
Administration	150
Changing Passwords and Settings	150
RADIUS Server External Authentication	152
Enabling Remote Management Access	153
Using a SNMP Manager	156
Settings Backup and Firmware Upgrade	157
Setting the Time Zone	161
Monitoring the Router	162
Enabling the Traffic Meter	162
Setting Login Failures and Attacks Notification	164
Viewing Port Triggering Status	166
Viewing Router Configuration and System Status	167
Monitoring WAN Ports Status	168
Monitoring VPN Tunnel Connection Status	169
VPN Logs	170
DHCP Log	171
Performing Diagnostics	171
Chapter 7 Troubleshooting	175
Basic Functions	175
Power LED Not On	175
LEDs Never Turn Off	176
LAN or Internet Port LEDs Not On	176
Troubleshooting the Web Configuration Interface	176
Troubleshooting the ISP Connection	178
Troubleshooting a TCP/IP Network Using a Ping Utility	179
Testing the LAN Path to Your Firewall	179
Testing the Path from Your PC to a Remote Device	180
Restoring the Default Configuration and Password	181
Problems with Date and Time	181
Appendix A Default Settings and Technical Specifications	183
Appendix B Network Planning for Dual WAN Ports	187
What You Will Need to Do Before You Begin	187
Cabling and Computer Hardware Requirements	189
Computer Network Configuration Requirements	189
Internet Configuration Requirements	189
Where Do I Get the Internet Configuration Parameters?	189
Internet Connection Information Form	191
Overview of the Planning Process	192
Inbound Traffic	192
Virtual Private Networks (VPNs)	192
The Roll-over Case for Firewalls With Dual WAN Ports	193
The Load Balancing Case for Firewalls With Dual WAN Ports	193
Inbound Traffic	194
Inbound Traffic to Single WAN Port (Reference Case)	194
Inbound Traffic to Dual WAN Port Systems	194
Virtual Private Networks (VPNs)	196
VPN Road Warrior (Client-to-Gateway)	197
VPN Gateway-to-Gateway	200
VPN Telecommuter (Client-to-Gateway Through a NAT Router)	203
Appendix C System Logs and Error Messages	207
System Log Messages	207
System Startup	207
Reboot	208
NTP	208
Login/Logout	209
Firewall Restart	209
IPSec Restart	210
WAN Status	210
Web Filtering and Content Filtering Logs	213
Traffic Metering Logs	215
Unicast Logs	215
FTP Logging	216
Invalid Packet Logging	216
Routing Logs	219
LAN to WAN Logs	219
LAN to DMZ Logs	220
DMZ to WAN Logs	220
WAN to LAN Logs	220
DMZ to LAN Logs	220
WAN to DMZ Logs	221
Appendix D Related Documents	223
Appendix E Two Factor Authentication	225
Why do I need Two-Factor Authentication?	225
What are the benefits of Two-Factor Authentication?	225
What is Two-Factor Authentication	226
NETGEAR Two-Factor Authentication Solutions	226

Match case Limit results 1 per page

ProSafe VPN Firewall 200 FVX538 Reference Manual

Virtual Private Networking

5-19

v1.0, March 2009

Certificate Authorities

Digital Self Certificates are used to authenticate the identity of users and systems, and are issued

by various CAs (Certification Authorities). Digital Certificates are used by this router during the

IKE (Internet Key Exchange) authentication phase as an alternative authentication method. Self

Certificates are issued to you by various CAs (Certification Authorities).

The FVX538 uses Digital Certificates (also known as X509 Certificates) during the Internet Key

Exchange (IKE) authentication phase to authenticate connecting VPN gateways or clients, or to be

authenticated by remote entities. The same Digital Certificates are extended for secure web access

via SSL VPN connections over HTTPS.

Digital Certificates can be either self signed or can be issued by Certification Authorities (CA)

such as via an in-house Windows server, or by an external organization such as Verisign or

Thawte.

However, if the Digital Certificates contain the extKeyUsage extension then the certificate must be

used for one of the purposes defined by the extension. For example, if the Digital Certificate

contains the extKeyUsage extension defined to SNMPV2 then the same certificate cannot be used

for secure web management.

The extKeyUsage would govern the certificate acceptance criteria in the FVX538 when the same

digital certificate is being used for secure web management.

In the FVX538, the uploaded digital certificate is checked for validity and also the purpose of the

certificate is verified. Upon passing the validity test and the purpose matches its use (has to be SSL

and VPN) the digital certificate is accepted. The additional check for the purpose of the uploaded

digital certificate must correspond to use for VPN and secure web remote management via

HTTPS. If the purpose defined is for VPN & HTTPS then the certificate is uploaded to the HTTPS

certificate repository and as well in the VPN certificate repository. If the purpose defined is ONLY

for VPN then the certificate is only uploaded to the VPN certificate repository. Thus, certificates

used by HTTPS and IPSec will be different if their purpose is not defined to be VPN and HTTPS.

Each CA also issues a CA Identity certificate shown in the

Trusted Certificates (CA

Certificates)

table. This Certificate is required in order to validate communication with the CA. It

is a three-step process. First, you generate a CA request; then, when the request is granted, you

upload the Self Certificate (shown in the

Active Self Certificates

table) and then you upload the

CA Identity certificate (shown in the

Trusted Certificates

table.

The

Trusted Certificates

table lists the certificates generated and signed by a publicly known

organization or authority called the Certificate Authority. The table lists the certificates of each CA

and contains the following data: