Home » Netgear Manuals » Bridges & Routers » Netgear FVS336G » Manual Viewer

Netgear FVS336G FVS336G Reference Manual - Page 82

Blocking Internet Sites (Content Filtering), Block UDP flood, Disable Ping Reply on LAN Ports - ssl application proxy

UPC - 606449052015

Add to My Manuals
Save this manual to your list of manuals

Page 82 highlights

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual - Block UDP flood-A UDP flood is a form of denial of service attack in which the attacking machine sends a large number of UDP packets to random ports to the victim host. As a result, the victim host will check for the application listening at that port, see that no application is listening at that port, and reply with an ICMP Destination Unreachable packet. When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach him, making the attacker's network location anonymous. If flood checking is enabled, the VPN firewall will not accept more than 20 simultaneous, active UDP connections from a single computer on the LAN. - Disable Ping Reply on LAN Ports. To prevent the VPN firewall from responding to Ping requests from the LAN, click this checkbox. - Disable DNS Proxy. Whether DNS Proxy is enabled or disabled in the DHCP server configuration (see "Configuring the LAN Setup Options" on page 3-2), the VPN firewall will service DNS requests sent to its own LAN IP address. To disable this service, check this checkbox. • VPN Pass through-When the FVS336G is in NAT mode, all packets going to the Remote VPN Gateway are first filtered through NAT and then encrypted per the VPN policy. If a VPN client or gateway on the LAN side of the VPN firewall wants to connect to another VPN endpoint on the WAN, with the FVS336G between the two VPN end points, all encrypted packets will be sent to the FVS336G. Since the FVS336G filters the encrypted packets through NAT, the packets become invalid. IPSec, PPTP, and L2TP represent different types of VPN tunnels that can pass through the FVS336G. To allow the VPN traffic to pass through without filtering, enable those options for the type of tunnel(s) that will pass through the FVS336G. Blocking Internet Sites (Content Filtering) To restrict internal LAN users from access to certain sites on the Internet, you can use the VPN firewall's Content Filtering and Web Components filtering. By default, these features are disabled; all requested traffic from any Web site is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a "Blocked by NETGEAR" message. Several types of blocking are available: 4-20 Firewall Protection and Content Filtering v1.2, June 2008

Section	Page
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual	1
Contents	7
About This Manual	13
Conventions, Formats, and Scope	13
How to Use This Manual	14
How to Print this Manual	14
Revision History	15
Chapter 1 Introduction	17
Key Features	17
Dual WAN Ports for Increased Reliability or Outbound Load Balancing	18
Advanced VPN Support for Both IPsec and SSL	18
A Powerful, True Firewall with Content Filtering	19
Autosensing Ethernet Connections with Auto Uplink	19
Extensive Protocol Support	20
Easy Installation and Management	20
Maintenance and Support	21
Package Contents	21
Front Panel Features	22
Rear Panel Features	23
Default IP Address, Login Name, and Password Location	24
Qualified Web Browsers	24
Chapter 2 Connecting the FVS336G to the Internet	27
Understanding the Connection Steps	27
Logging into the VPN Firewall Router	28
Navigating the Menus	30
Configuring the Internet Connections	30
Automatically Detecting and Connecting	30
Manually Configuring the Internet Connection	34
Configuring the WAN Mode (Required for Dual WAN)	37
Network Address Translation	38
Classical Routing	38
Configuring Auto-Rollover Mode	39
Configuring Load Balancing	41
Configuring Dynamic DNS (Optional)	43
Configuring the Advanced WAN Options (Optional)	45
Additional WAN Related Configuration	47
Chapter 3 LAN Configuration	49
Using the VPN Firewall as a DHCP server	49
Configuring the LAN Setup Options	50
Managing Groups and Hosts (LAN Groups)	53
Viewing the LAN Groups Database	54
Changing Group Names in the LAN Groups Database	55
Configuring DHCP Address Reservation	56
Configuring Multi Home LAN IP Addresses	57
Configuring Static Routes	58
Configuring Static Routes	58
Configuring Routing Information Protocol (RIP)	60
Chapter 4 Firewall Protection and Content Filtering	63
About Firewall Protection and Content Filtering	63
Using Rules to Block or Allow Specific Kinds of Traffic	64
About Services-Based Rules	65
Viewing the Rules	69
Order of Precedence for Rules	70
Setting the Default Outbound Policy	70
Creating a LAN WAN Outbound Services Rule	71
Creating a LAN WAN Inbound Services Rule	72
Inbound Rules Examples	74
Outbound Rules Example	77
Adding Customized Services	77
Setting Quality of Service (QoS) Priorities	79
Attack Checks	80
Blocking Internet Sites (Content Filtering)	82
Configuring Source MAC Filtering	86
Configuring IP/MAC Address Binding Alerts	88
Configuring Port Triggering	89
Setting a Schedule to Block or Allow Specific Traffic	91
Configuring a Bandwidth Profile	92
Configuring Session Limits	94
E-Mail Notifications of Event Logs and Alerts	95
Administrator Tips	95
Chapter 5 Virtual Private Networking Using IPsec	97
Considerations for Dual WAN Port Systems	97
Configuring an IPsec VPN Connection using the VPN Wizard	100
Creating a VPN Tunnel to a Gateway	100
Creating a VPN Tunnel Connection to a VPN Client	104
Managing VPN Tunnel Policies	109
About IKE	109
Managing IKE Policies	109
About the IKE Policy Table	110
VPN Policy	110
VPN Tunnel Connection Status	112
Creating a VPN Client Connection: VPN Client to FVS336G	112
Configuring the FVS336G	113
Configuring the VPN Client	113
Testing the Connection	115
Configuring Extended Authentication (XAUTH)	115
Configuring XAUTH for VPN Clients	116
User Database Configuration	117
RADIUS Client Configuration	117
Manually Assigning IP Addresses to Remote Users (ModeConfig)	119
Mode Config Operation	119
Configuring the VPN Firewall	120
Configuring the ProSafe VPN Client for ModeConfig	123
Configuring Keepalives and Dead Peer Detection	125
Configuring Keepalive	125
Configuring NetBIOS Bridging with VPN	127
Chapter 6 Virtual Private Networking Using SSL Connections	129
Understanding the Portal Options	129
Planning for SSL VPN	130
Creating the Portal Layout	131
Configuring Domains, Groups, and Users	135
Configuring Applications for Port Forwarding	135
Adding Servers	136
Adding A New Host Name	137
Configuring the SSL VPN Client	138
Configuring the Client IP Address Range	139
Adding Routes for VPN Tunnel Clients	140
Replacing and Deleting Client Routes	140
Using Network Resource Objects to Simplify Policies	141
Adding New Network Resources	141
Configuring User, Group, and Global Policies	143
Viewing Policies	144
Adding a Policy	145
Chapter 7 Managing Users, Authentication, and Certificates	149
Adding Authentication Domains, Groups, and Users	149
Creating a Domain	149
Creating a Group	151
Creating a New User Account	152
Setting User Login Policies	154
Managing Certificates	156
Viewing and Loading CA Certificates	157
Viewing Active Self Certificates	158
Obtaining a Self Certificate from a Certificate Authority	159
Managing your Certificate Revocation List (CRL)	162
Chapter 8 Router and Network Management	165
Performance Management	165
Bandwidth Capacity	165
Features That Reduce Traffic	166
Features That Increase Traffic	169
Using QoS to Shift the Traffic Mix	172
Tools for Traffic Management	172
Changing Passwords and Administrator Settings	172
Enabling Remote Management Access	174
Using the Command Line Interface	176
Using an SNMP Manager	177
Configuration File Management	179
Upgrading the Firmware	181
Configuring Date and Time Service	182
Chapter 9 Monitoring System Performance	185
Enabling the Traffic Meter	185
Activating Notification of Events and Alerts	188
Viewing Firewall Logs	190
Viewing Router Configuration and System Status	191
Monitoring the Status of WAN Ports	193
Monitoring Attached Devices	194
Reviewing the DHCP Log	196
Monitoring Active Users	196
Viewing Port Triggering Status	197
Monitoring VPN Tunnel Connection Status	198
Reviewing the VPN Logs	199
Chapter 10 Troubleshooting	201
Basic Functions	201
Power LED Not On	202
LEDs Never Turn Off	202
LAN or WAN Port LEDs Not On	202
Troubleshooting the Web Configuration Interface	203
Troubleshooting the ISP Connection	204
Troubleshooting a TCP/IP Network Using a Ping Utility	205
Testing the LAN Path to Your VPN Firewall	205
Testing the Path from Your PC to a Remote Device	206
Restoring the Default Configuration and Password	207
Problems with Date and Time	207
Using the Diagnostics Utilities	208
Appendix A Default Settings and Technical Specifications	211
Appendix B Related Documents	215
Appendix C Network Planning for Dual WAN Ports	217
What You Will Need to Do Before You Begin	217
Cabling and Computer Hardware Requirements	219
Computer Network Configuration Requirements	219
Internet Configuration Requirements	220
Where Do I Get the Internet Configuration Parameters?	220
Internet Connection Information Form	221
Overview of the Planning Process	222
Inbound Traffic	222
Virtual Private Networks (VPNs)	222
The Roll-over Case for Firewalls With Dual WAN Ports	223
The Load Balancing Case for Firewalls With Dual WAN Ports	223
Inbound Traffic	224
Inbound Traffic to Single WAN Port (Reference Case)	224
Inbound Traffic to Dual WAN Port Systems	224
Virtual Private Networks (VPNs)	226
VPN Road Warrior (Client-to-Gateway)	227
VPN Gateway-to-Gateway	230
VPN Telecommuter (Client-to-Gateway Through a NAT Router)	233

Match case Limit results 1 per page

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual

4-20

Firewall Protection and Content Filtering

v1.2, June 2008

–

Block UDP flood—

A UDP flood is a form of denial of service attack in which the

attacking machine sends a large number of UDP packets to random ports to the victim

host. As a result, the victim host will check for the application listening at that port, see

that no application is listening at that port, and reply with an ICMP Destination

Unreachable packet.

When the victimized system is flooded, it is forced to send many ICMP packets,

eventually making it unreachable by other clients. The attacker may also spoof the IP

address of the UDP packets, ensuring that the excessive ICMP return packets do not reach

him, making the attacker’s network location anonymous.

If flood checking is enabled, the VPN firewall will not accept more than 20 simultaneous,

active UDP connections from a single computer on the LAN.

–

Disable Ping Reply on LAN Ports

. To prevent the VPN firewall from responding to Ping

requests from the LAN, click this checkbox.

–

Disable DNS Proxy

. Whether DNS Proxy is enabled or disabled in the DHCP server

configuration (see

“Configuring the LAN Setup Options” on page 3-2

), the VPN firewall

will service DNS requests sent to its own LAN IP address. To disable this service, check

this checkbox.

•

VPN Pass through—

When the FVS336G is in NAT mode, all packets going to the Remote

VPN Gateway are first filtered through NAT and then encrypted per the VPN policy.

If a VPN client or gateway on the LAN side of the VPN firewall wants to connect to another

VPN endpoint on the WAN, with the FVS336G between the two VPN end points, all

encrypted packets will be sent to the FVS336G. Since the FVS336G filters the encrypted

packets through NAT, the packets become invalid.

IPSec, PPTP, and L2TP represent different types of VPN tunnels that can pass through the

FVS336G. To allow the VPN traffic to pass through without filtering, enable those options for

the type of tunnel(s) that will pass through the FVS336G.

Blocking Internet Sites (Content Filtering)

To restrict internal LAN users from access to certain sites on the Internet, you can use the VPN

firewall’s Content Filtering and Web Components filtering. By default, these features are disabled;

all requested traffic from any Web site is allowed. If you enable one or more of these features and

users try to access a blocked site, they will see a “Blocked by NETGEAR” message.

Several types of blocking are available: