Home » Netgear Manuals » Wireless » Netgear FWG114P » Manual Viewer

Netgear FWG114P FWG114P Reference Manual - Page 114

Using Digital Certificates for IKE Auto-Policy Authentication, Certificate Revocation List (CRL)

UPC - 606449029819

Add to My Manuals
Save this manual to your list of manuals

Page 114 highlights

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P Table 8-1. VPN Manual Policy Configuration Fields Field Description Key - Out Enter the key in the fields provided. • For MD5, the key should be 16 characters. • For SHA-1, the key should be 20 characters. Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Algorithm "Key - In" field. NETBIOS Enable Check this if you wish NETBIOS traffic to be forwarded over the VPN tunnel. The NETBIOS protocol is used by Microsoft Networking for such features as Network Neighborhood. Using Digital Certificates for IKE Auto-Policy Authentication Digital certificates are strings generated using encryption and authentication schemes which cannot be duplicated by anyone without access to the different values used in the production of the string. They are issued by Certification Authorities (CAs) to authenticate a person or a workstation uniquely. The CAs are authorized to issue these certificates by Policy Certification Authorities (PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA). The FWG114P is able to use certificates to authenticate users at the end points during the IKE key exchange process. The certificates can be obtained from a certificate server an organization might maintain internally or from the established public CAs. The certificates are produced by providing the particulars of the user being identified to the CA. The information provided may include the user's name, e-mail ID, domain name, and so on. Each CA has its own certificate. The certificates of a CA are added to the FWG114P and can then be used to form IKE policies for the user. Once a CA certificate is added to the FWG114P and a certificate is created for a user, the corresponding IKE policy is added to the FWG114P. Whenever the user tries to send traffic through the FWG114P, the certificates are used in place of pre-shared keys during initial key exchange as the authentication and key generation mechanism. Once the keys are established and the tunnel is set up the connection proceeds according to the VPN policy. Certificate Revocation List (CRL) Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these revoked certificates is known as the Certificate Revocation List (CRL). 8-14 March 2004, 202-10027-01 Virtual Private Networking

Section	Page
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P	1
Contents	5
Chapter 1 About This Manual	15
Audience, Conventions, Scope	15
How to Use this Manual	16
How to Print this Manual	17
Chapter 2 Introduction	19
Key Features of the FWG114P	19
Full Routing on Both the Broadband and Serial Ports	20
802.11g and 802.11b Wireless Networking	20
Virtual Private Networking	21
A Powerful, True Firewall with Content Filtering	21
Security	22
Autosensing Ethernet Connections with Auto Uplink	22
Extensive Protocol Support	22
Easy Installation and Management	23
Package Contents	24
The FWG114P Front Panel	25
The FWG114P Rear Panel	26
Chapter 3 Connecting the FWG114P to the Internet	27
What You Will Need Before You Begin	27
Cabling and Computer Hardware Requirements	27
Computer Network Configuration Requirements	27
Internet Configuration Requirements	28
Where Do I Get the Internet Configuration Parameters?	28
Record Your Internet Connection Information	29
Connecting the FWG114P Wireless Firewall/Print Server	30
Verify That Basic Requirements Are Met	30
Basic Setup Troubleshooting Tips	35
FWG114P Setup Wizard Auto Detection	35
Wizard-Detected Login Account Setup	36
Wizard-Detected Dynamic IP Account Setup	38
Wizard-Detected Fixed IP Account Setup	39
How to Configure the Serial Port as the Primary Internet Connection	40
Testing Your Internet Connection	42
Manually Configuring Your Internet Connection	43
How to Manually Configure the Primary Internet Connection	44
Chapter 4 Wireless Configuration	47
Observing Performance, Placement, and Range Guidelines	47
Implementing Appropriate Wireless Security	48
Understanding Wireless Settings	49
Default Factory Settings	53
Before You Change the SSID and WEP Settings	54
How to Set Up and Test Basic Wireless Connectivity	55
How to Restrict Wireless Access by MAC Address	56
How to Configure WEP	57
How to Configure WPA	58
How to Configure WPA-PSK	59
Chapter 5 Serial Port Configuration	61
Configuring a Serial Port Modem	62
Basic Requirements for Serial Port Modem Configuration	62
How to Configure a Serial Port Modem	62
Configuring Auto-Rollover	63
Basic Requirements for Auto-Rollover	63
How to Configure Auto-Rollover	63
Configuring Dial-in on the Serial Port	64
Basic Requirements for Dial-in	65
How to Configure Dial-in	65
Configuring LAN-to-LAN Settings	66
Basic Requirements for LAN-to-LAN Connections	66
How to Configure LAN-to-LAN Connections	66
Chapter 6 Firewall Protection and Content Filtering	69
Firewall Protection and Content Filtering Overview	69
Using the Block Sites Menu to Screen Content	69
Services and Rules Regulate Inbound and Outbound Traffic	71
Defining a Service	71
Using Inbound/Outbound Rules to Block or Allow Services	72
Examples of Using Services and Rules to Regulate Traffic	74
Inbound Rules (Port Forwarding)	74
Example: Port Forwarding to a Local Public Web Server	75
Example: Port Forwarding for Videoconferencing	76
Example: Port Forwarding for VPN Tunnels when NAT is Off	76
Outbound Rules (Service Blocking or Port Filtering)	77
Outbound Rule Example: Blocking Instant Messaging	78
Other Rules Considerations	78
Order of Precedence for Rules	79
Rules Menu Options	79
Using a Schedule to Block or Allow Content or Traffic	80
Setting the Time Zone	81
Getting E-Mail Notifications of Event Logs and Alerts	81
Viewing Logs of Web Access or Attempted Web Access	84
What to Include in the Event Log	85
Chapter 7 Print Server	87
Printing Options	87
For Windows XP and 2000, Use TCP/IP LPR Printing	88
For Windows 95/98/Me, Use the Netgear Printer Port Driver	91
Printing from the Macintosh	94
Windows Printer Port Management	95
Troubleshooting the Print Server	97
Chapter 8 Virtual Private Networking	101
Overview of FWG114P Policy-Based VPN Configuration	101
Using Policies to Manage VPN Traffic	102
Using Automatic Key Management	102
IKE Policies’ Automatic Key and Authentication Management	103
VPN Policy Configuration for Auto Key Negotiation	106
VPN Policy Configuration for Manual Key Exchange	109
Using Digital Certificates for IKE Auto-Policy Authentication	114
Certificate Revocation List (CRL)	114
Walk-Through of Configuration Scenarios on the FWG114P	115
How to Use the VPN Wizard to Configure a VPN Tunnel	115
VPNC Scenario 1: Gateway to Gateway with Preshared Secrets	119
Scenario 1: FWG114P to FWG114P with Preshared Secrets	120
How to Check VPN Connections	124
VPNC Scenario 2: Gateway-to-Gateway with Certificates	125
Scenario 2: FWG114P to FWG114P with Certificates	126
Netgear VPN Client to FWG114P	132
Configuration Profile	132
Step-By-Step Configuration of FWG114P Gateway	133
Step-By-Step Configuration of the Netgear VPN Client	138
Testing the VPN Connection	145
From the Client PC to the FWG114P	145
From the FWG114P to the Client PC	146
Monitoring the PC VPN Connection	146
Viewing the FWG114P VPN Status and Log Information	147
Chapter 9 Maintenance	149
Viewing Wireless Firewall/Print Server Status Information	149
Viewing a List of Attached Devices	153
Upgrading the Router Software	154
Configuration File Management	154
Restoring and Backing Up the Configuration	155
Erasing the Configuration	156
Changing the Administrator Password	156
Chapter 10 Advanced Configuration	157
Using the WAN Setup Options	157
How to Configure Dynamic DNS	159
Using the LAN IP Setup Options	161
Configuring LAN TCP/IP Setup Parameters	161
Using the Router as a DHCP server	163
Using Address Reservation	163
Configuring Static Routes	164
Enabling Remote Management Access	166
Using Universal Plug and Play (UPnP)	167
Advanced Wireless Settings	168
Chapter 11 Troubleshooting	171
Basic Functioning	171
Power LED Not On	171
LEDs Never Turn Off	172
LAN or Internet Port LEDs Not On	172
Troubleshooting the Web Configuration Interface	173
Troubleshooting the ISP Connection	174
Troubleshooting a TCP/IP Network Using a Ping Utility	175
Testing the LAN Path to Your Router	175
Testing the Path from Your Computer to a Remote Device	176
Restoring the Default Configuration and Password	177
Problems with Date and Time	177
Appendix A Technical Specifications	179
Appendix B Networks, Routing, and Firewall Basics	181
Related Publications	181
Basic Router Concepts	181
What is a Router?	181
Routing Information Protocol	182
IP Addresses and the Internet	182
Netmask	184
Subnet Addressing	184
Private IP Addresses	187
Single IP Address Operation Using NAT	187
MAC Addresses and Address Resolution Protocol	189
Related Documents	189
Domain Name Server	189
IP Configuration by DHCP	190
Internet Security and Firewalls	190
What is a Firewall?	191
Stateful Packet Inspection	191
Denial of Service Attack	191
Ethernet Cabling	191
Category 5 Cable Quality	192
Inside Twisted Pair Cables	193
Uplink Switches, Crossover Cables, and MDI/MDIX Switching	194
Appendix C Preparing Your Network	197
Preparing Your Computers for TCP/IP Networking	197
Configuring Windows 95, 98, and Me for TCP/IP Networking	198
Install or Verify Windows Networking Components	198
Enabling DHCP to Automatically Configure TCP/IP Settings	200
Selecting Windows’ Internet Access Method	200
Verifying TCP/IP Properties	201
Configuring Windows NT, 2000 or XP for IP Networking	201
Installing or Verifying Windows Networking Components	201
Verifying TCP/IP Properties	202
Configuring the Macintosh for TCP/IP Networking	202
MacOS 8.6 or 9.x	202
MacOS X	203
Verifying TCP/IP Properties for Macintosh Computers	204
Verifying the Readiness of Your Internet Account	205
Are Login Protocols Used?	205
What Is Your Configuration Information?	205
Obtaining ISP Configuration Information for Windows Computers	206
Obtaining ISP Configuration Information for Macintosh Computers	207
Restarting the Network	208
Appendix D Firewall Log Formats	209
Action List	209
Field List	209
Outbound Log	209
Inbound Log	210
Other IP Traffic	210
Router Operation	211
Other Connections and Traffic to this Router	212
DoS Attack/Scan	212
Access Block Site	214
All Web Sites and News Groups Visited	214
System Admin Sessions	214
Policy Administration LOG	215
Appendix E Wireless Networking Basics	217
Wireless Networking Overview	217
Infrastructure Mode	217
Ad Hoc Mode (Peer-to-Peer Workgroup)	218
Network Name: Extended Service Set Identification (ESSID)	218
Authentication and WEP Data Encryption	218
802.11 Authentication	219
Open System Authentication	219
Shared Key Authentication	220
Overview of WEP Parameters	221
Key Size	222
WEP Configuration Options	223
Wireless Channels	223
WPA Wireless Security	224
How Does WPA Compare to WEP?	225
How Does WPA Compare to IEEE 802.11i?	226
What are the Key Features of WPA Security?	226
WPA Authentication: Enterprise-level User Authentication via 802.1x/EAP and RADIUS	228
WPA Data Encryption Key Management	230
Is WPA Perfect?	232
Product Support for WPA	232
Supporting a Mixture of WPA and WEP Wireless Clients is Discouraged	232
Changes to Wireless Access Points	233
Changes to Wireless Network Adapters	233
Changes to Wireless Client Programs	234
Appendix F Virtual Private Networking	235
What is a VPN?	235
What is IPSec and How Does It Work?	236
IPSec Security Features	236
IPSec Components	236
Encapsulating Security Payload (ESP)	237
Authentication Header (AH)	238
IKE Security Association	238
Mode	239
Key Management	240
Understand the Process Before You Begin	240
VPN Process Overview	241
Network Interfaces and Addresses	241
Interface Addressing	241
Firewalls	242
Setting Up a VPN Tunnel Between Gateways	242
VPNC IKE Security Parameters	244
VPNC IKE Phase I Parameters	244
VPNC IKE Phase II Parameters	245
Testing and Troubleshooting	245
Additional Reading	245
Appendix G NETGEAR VPN Configuration FVS318 or FVM318 to FWG114P	247
Configuration Template	247
Step-By-Step Configuration of FVS318 or FVM318 Gateway A	248
Step-By-Step Configuration of FWG114P Gateway B	251
Test the VPN Connection	255
Appendix H NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328	257
Configuration Template	257
Using DDNS and Fully Qualified Domain Names (FQDN)	258
Step-By-Step Configuration of FVS318 or FVM318 Gateway A	259
Step-By-Step Configuration of FVS328 Gateway B	263
Test the VPN Connection	267
Glossary	269
List of Glossary Terms	269

Match case Limit results 1 per page

Reference Manual for the ProSafe Wireless 802.11g

Firewall/Print Server Model FWG114P

8-14

Virtual Private Networking

March 2004, 202-10027-01

Using Digital Certificates for IKE Auto-Policy Authentication

Digital certificates are strings generated using encryption and authentication schemes which

cannot be duplicated by anyone without access to the different values used in the production of the

string. They are issued by Certification Authorities (CAs) to authenticate a person or a workstation

uniquely. The CAs are authorized to issue these certificates by Policy Certification Authorities

(PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA). The

FWG114P is able to use certificates to authenticate users at the end points during the IKE key

exchange process.

The certificates can be obtained from a certificate server an organization might maintain internally

or from the established public CAs. The certificates are produced by providing the particulars of

the user being identified to the CA. The information provided may include the user's name, e-mail

ID, domain name, and so on.

Each CA has its own certificate. The certificates of a CA are added to the FWG114P and can then

be used to form IKE policies for the user. Once a CA certificate is added to the FWG114P and a

certificate is created for a user, the corresponding IKE policy is added to the FWG114P. Whenever

the user tries to send traffic through the FWG114P, the certificates are used in place of pre-shared

keys during initial key exchange as the authentication and key generation mechanism. Once the

keys are established and the tunnel is set up the connection proceeds according to the VPN policy.

Certificate Revocation List (CRL)

Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these

revoked certificates is known as the Certificate Revocation List (CRL).

Key - Out

Enter the key in the fields provided.

•

For MD5, the key should be 16 characters.

•

For SHA-1, the key should be 20 characters.

Any value is acceptable, provided the remote VPN endpoint has the same

value in its Authentication Algorithm "Key - In" field.

NETBIOS Enable

Check this if you wish NETBIOS traffic to be forwarded over the VPN

tunnel. The NETBIOS protocol is used by Microsoft Networking for such

features as Network Neighborhood.

Table 8-1.

VPN Manual Policy Configuration Fields

Field

Description