Home » Netgear Manuals » Bridges & Routers » Netgear FVS328 » Manual Viewer

Netgear FVS328 FVS328 Reference Manual - Page 88

Using Digital Certificates for IKE Auto-Policy Authentication, Certificate Revocation List (CRL)

UPC - 606449026528

Add to My Manuals
Save this manual to your list of manuals

Page 88 highlights

Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual Using Digital Certificates for IKE Auto-Policy Authentication Digital certificates are character strings generated using encryption and authentication schemes which cannot be duplicated by anyone without access to the different values used in the production of the string. They are issued by Certification Authorities (CAs) to authenticate a person or a workstation uniquely. The CAs are authorized to issue these certificates by Policy Certification Authorities (PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA). The FVS328 is able to use certificates to authenticate users at the endpoints during the IKE key exchange process. The certificates can be obtained from a certificate server an organization might maintain internally or from the established public CAs. The certificates are produced by providing the particulars of the user being identified to the CA. The information provided may include the user's name, e-mail ID, domain name, etc. A CA is part of a trust chain. A CA has a public key which is signed. The combination of the signed public key and the private key enables the CA process to eliminate 'man in the middle' security threats. A 'self' certificate has your public key and the name of your CA, and relies on the CA's certificate to authenticate. Each CA has its own certificate. The certificates of a CA are added to the FVS328 and can then be used to form IKE policies for the user. Once a CA certificate is added to the FVS328 and a certificate is created for a user, the corresponding IKE policy is added to the FVS328. Whenever the user tries to send traffic through the FVS328, the certificates are used in place of pre-shared keys during initial key exchange as the authentication and key generation mechanism. Once the keys are established and the tunnel is set up the connection proceeds according to the VPN policy. Certificate Revocation List (CRL) Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these revoked certificates is known as the Certificate Revocation List (CRL). Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the CRL on the FVS328 obtained from the corresponding CA. If the certificate is not present in the CRL it means that the certificate is not revoked. IKE can then use this certificate for authentication. If the certificate is present in the CRL it means that the certificate is revoked, and the IKE will not authenticate the client. You must manually update the FVS328 CRL regularly in order for the CA-based authentication process to remain valid. 7-14 May 2004, 202-10031-01 Virtual Private Networking

Section	Page
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual	1
Trademarks	2
Statement of Conditions	2
EN 55 022 Declaration of Conformance	2
Certificate of the Manufacturer/Importer	2
Bestätigung des Herstellers/Importeurs	3
Voluntary Control Council for Interference (VCCI) Statement	3
Technical Support	3
World Wide Web	3
Contents	5
Chapter 1 About This Manual	13
Audience	13
Scope	13
Typographical Conventions	14
Special Message Formats	14
How to Use this Manual	15
How to Print this Manual	16
Chapter 2 Introduction	17
About the FVS328	17
Key Features	17
Full Routing on Both the Broadband and Serial Ports	17
Virtual Private Networking	18
A Powerful, True Firewall	18
Content Filtering	19
Configurable Auto Uplink™ Ethernet Connection	19
Protocol Support	19
Easy Installation and Management	20
What’s in the Box?	21
The Firewall’s Front Panel	21
The Firewall’s Rear Panel	23
Chapter 3 Connecting the FVS328 to the Internet	25
What You Will Need Before You Begin	25
LAN Hardware Requirements	25
LAN Configuration Requirements	25
Internet Configuration Requirements	26
Where Do I Get the Internet Configuration Parameters?	26
Worksheet for Recording Your Internet Connection Information	27
Connecting the FVS328 to Your LAN	28
How to Connect the FVS328 to Your LAN	28
Configuring a Wizard-Detected Login Account	32
Configuring a Wizard-Detected Dynamic IP Account	33
Configuring a Wizard-Detected Fixed IP (Static) Account	34
How to Configure the Serial Port for an Internet Connection	34
Testing Your Internet Connection	37
Manually Configuring Your Internet Connection	38
How to Manually Configure the Primary Internet Connection	39
Chapter 4 Serial Port Configuration	41
Configuring a Serial Port Modem	42
Basic Requirements for Serial Port Modem Configuration	42
How to Configure a Serial Port Modem	42
Configuring Auto-Rollover	43
Basic Requirements for Auto-Rollover	43
How to Configure Auto-Rollover	43
Configuring Dial-in on the Serial Port	44
Basic Requirements for Dial-in	45
How to Configure Dial-in	45
Configuring LAN-to-LAN Settings	46
Basic Requirements for LAN-to-LAN Connections	46
How to Configure LAN-to-LAN Connections	46
Chapter 5 WAN and LAN Configuration	49
Configuring LAN IP Settings	49
Using the Router as a DHCP Server	50
How to Configure LAN TCP/IP Setup Settings	51
How to Configure Reserved IP Addresses	52
Configuring WAN Settings	52
Connecting Automatically, as Required	53
Setting Up a Default DMZ Server	53
How to Assign a Default DMZ Server	53
Responding to Ping on Internet WAN Port	54
How to Set the MTU Size	54
Configuring Dynamic DNS	54
How to Configure Dynamic DNS	55
Using Static Routes	55
Static Route Example	55
How to Configure Static Routes	56
Chapter 6 Protecting Your Network	59
Protecting Access to Your FVS328 Firewall	59
How to Change the Built-In Password	59
How to Change the Administrator Login Timeout	60
Configuring Basic Firewall Services	60
Using the Block Sites Menu to Screen Content	61
Services and Rules Regulate Inbound and Outbound Traffic	62
Defining a Service	63
Using Inbound/Outbound Rules to Block or Allow Services	64
Examples of Using Services and Rules to Regulate Traffic	66
Inbound Rules (Port Forwarding)	66
Example: Port Forwarding to a Local Public Web Server	67
Example: Port Forwarding for Videoconferencing	67
Example: Port Forwarding for VPN Tunnels when NAT is Off	68
Outbound Rules (Service Blocking or Port Filtering)	69
Outbound Rule Example: Blocking Instant Messaging	70
Other Rules Considerations	70
Order of Precedence for Rules	70
Rules Menu Options	71
Setting Times and Scheduling Firewall Services	71
How to Set Your Time Zone	72
How to Schedule Firewall Services	73
Chapter 7 Virtual Private Networking	75
Overview of FVS328 Policy-Based VPN Configuration	75
Using Policies to Manage VPN Traffic	75
Using Automatic Key Management	76
IKE Policies’ Automatic Key and Authentication Management	77
VPN Policy Configuration for Auto Key Negotiation	80
VPN Policy Configuration for Manual Key Exchange	83
Using Digital Certificates for IKE Auto-Policy Authentication	88
Certificate Revocation List (CRL)	88
How to Use the VPN Wizard to Configure a VPN Tunnel	89
Walk-Through of Configuration Scenarios	91
VPNC Scenario 1: Gateway-to-Gateway with Preshared Secrets	92
FVS328 Scenario 1: How to Configure the IKE and VPN Policies	94
How to Check VPN Connections	98
FVS328 Scenario 2: Authenticating with RSA Certificates	99
Chapter 8 Managing Your Network	107
Network Management	107
How to Configure Remote Management	107
Viewing Router Status and Usage Statistics	109
Viewing Attached Devices	112
Viewing, Selecting, and Saving Logged Information	113
Changing the Include in Log Settings	115
Enabling the Syslog Feature	115
Enabling Security Event E-mail Notification	116
Backing Up, Restoring, or Erasing Your Settings	117
How to Back Up the FVS328 Configuration to a File	117
How to Restore a Configuration from a File	118
How to Erase the Configuration	119
Running Diagnostic Utilities and Rebooting the Router	119
Upgrading the Router’s Firmware	120
How to Upgrade the Router	121
Chapter 9 Troubleshooting	123
Basic Functions	123
Power LED Not On	124
Test LED Never Turns On or Test LED Stays On	124
Local or Internet Port Link LEDs Not On	125
Troubleshooting the Web Configuration Interface	125
Troubleshooting the ISP Connection	126
Troubleshooting a TCP/IP Network Using a Ping Utility	127
How to Test the LAN Path to Your Firewall	128
How to Test the Path from Your PC to a Remote Device	128
Restoring the Default Configuration and Password	129
How to Use the Default Reset Button	129
Problems with Date and Time	130
Appendix A Technical Specifications	131
Appendix B Firewall Log Formats	133
Action List	133
Field List	133
Outbound Log	133
Inbound Log	134
Other IP Traffic	134
Router Operation	135
Other Connections and Traffic to this Router	136
DoS Attack/Scan	136
Access Block Site	138
All Web Sites and News Groups Visited	138
System Admin Sessions	138
Policy Administration LOG	139
Appendix C Networks, Routing, and Firewall Basics	141
Related Publications	141
Basic Router Concepts	141
What is a Router?	141
Routing Information Protocol	142
IP Addresses and the Internet	142
Netmask	144
Subnet Addressing	144
Private IP Addresses	147
Single IP Address Operation Using NAT	147
MAC Addresses and Address Resolution Protocol	149
Related Documents	149
Domain Name Server	149
IP Configuration by DHCP	150
Internet Security and Firewalls	150
What is a Firewall?	151
Stateful Packet Inspection	151
Denial of Service Attack	151
Ethernet Cabling	152
Uplink Switches and Crossover Cables	152
Cable Quality	153
Appendix D Preparing Your Network	155
Preparing Your Computers for TCP/IP Networking	155
Configuring Windows 95, 98, and Me for TCP/IP Networking	156
Install or Verify Windows Networking Components	156
Enabling DHCP to Automatically Configure TCP/IP Settings	158
Selecting Windows’ Internet Access Method	158
Verifying TCP/IP Properties	159
Configuring Windows NT, 2000 or XP for IP Networking	159
Installing or Verifying Windows Networking Components	159
Verifying TCP/IP Properties	160
Configuring the Macintosh for TCP/IP Networking	160
MacOS 8.6 or 9.x	160
MacOS X	161
Verifying TCP/IP Properties for Macintosh Computers	162
Verifying the Readiness of Your Internet Account	163
Are Login Protocols Used?	163
What Is Your Configuration Information?	163
Obtaining ISP Configuration Information for Windows Computers	164
Obtaining ISP Configuration Information for Macintosh Computers	165
Restarting the Network	166
Appendix E Virtual Private Networking	167
What is a VPN?	167
What is IPSec and How Does It Work?	168
IPSec Security Features	168
IPSec Components	168
Encapsulating Security Payload (ESP)	169
Authentication Header (AH)	170
IKE Security Association	170
Mode	171
Key Management	172
Understand the Process Before You Begin	172
VPN Process Overview	173
Network Interfaces and Addresses	173
Interface Addressing	173
Firewalls	174
Setting Up a VPN Tunnel Between Gateways	174
VPNC IKE Security Parameters	176
VPNC IKE Phase I Parameters	176
VPNC IKE Phase II Parameters	177
Testing and Troubleshooting	177
Additional Reading	177
Appendix F NETGEAR VPN Configuration FVS318 or FVM318 to FVS328	179
Configuration Profile	179
Step-By-Step Configuration of FVS318 or FVM318 Gateway A	180
Step-By-Step Configuration of FVS328 Gateway B	183
Test the VPN Connection	187
Appendix G NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328	189
Configuration Profile	189
Using DDNS and Fully Qualified Domain Names (FQDN)	190
Step-By-Step Configuration of FVS318 or FVM318 Gateway A	191
Step-By-Step Configuration of FVS328 Gateway B	195
Test the VPN Connection	199
Appendix H NETGEAR VPN Client to NETGEAR the FVS328	201
Profile: Traveling User or Telecommuter at Home	201
Step-By-Step Configuration of FVS328 Gateway	202
Step-By-Step Configuration of the Netgear VPN Client B	207
Testing the VPN Connection	214
From the Client PC to the FVS328	214
From the FVS328 to the Client PC	215
Monitoring the PC VPN Connection	215
Viewing the FVS328 VPN Status and Log Information	216
Glossary	219

Match case Limit results 1 per page

Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

7-14

Virtual Private Networking

May 2004, 202-10031-01

Using Digital Certificates for IKE Auto-Policy Authentication

Digital certificates are character strings generated using encryption and authentication schemes

which cannot be duplicated by anyone without access to the different values used in the production

of the string. They are issued by Certification Authorities (CAs) to authenticate a person or a

workstation uniquely. The CAs are authorized to issue these certificates by Policy Certification

Authorities (PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA).

The FVS328 is able to use certificates to authenticate users at the endpoints during the IKE key

exchange process.

The certificates can be obtained from a certificate server an organization might maintain internally

or from the established public CAs. The certificates are produced by providing the particulars of

the user being identified to the CA. The information provided may include the user's name, e-mail

ID, domain name, etc.

A CA is part of a trust chain. A CA has a public key which is signed. The combination of the

signed public key and the private key enables the CA process to eliminate ‘man in the middle’

security threats. A ‘self’ certificate has your public key and the name of your CA, and relies on the

CA’s certificate to authenticate. Each CA has its own certificate. The certificates of a CA are added

to the FVS328 and can then be used to form IKE policies for the user. Once a CA certificate is

added to the FVS328 and a certificate is created for a user, the corresponding IKE policy is added

to the FVS328. Whenever the user tries to send traffic through the FVS328, the certificates are

used in place of pre-shared keys during initial key exchange as the authentication and key

generation mechanism. Once the keys are established and the tunnel is set up the connection

proceeds according to the VPN policy.

Certificate Revocation List (CRL)

Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these

revoked certificates is known as the Certificate Revocation List (CRL).

Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the

CRL on the FVS328 obtained from the corresponding CA. If the certificate is not present in the

CRL it means that the certificate is not revoked. IKE can then use this certificate for

authentication. If the certificate is present in the CRL it means that the certificate is revoked, and

the IKE will not authenticate the client.

You must manually update the FVS328 CRL regularly in order for the CA-based authentication

process to remain valid.