Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114
NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA
SM-FWAG114NA-0 Version 1.0 June 2003
© 2003 by NETGEAR, Inc. All rights reserved.
Trademarks
NETGEAR is a trademark of Netgear, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
· Reorient or relocate the receiving antenna.
· Increase the separation between the equipment and receiver.
· Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
· Consult the dealer or an experienced radio/TV technician for help.
FCC Caution
1. FCC RF Radiation Exposure Statement: The equipment complies with FCC RF radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 centimeters between the radiator and your body.
2. This Transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
3. Changes or modifications to this unit not expressly approved by the party responsible for compliance could void the user authority to operate the equipment.
EN 55 022 Declaration of Conformance
This is to certify that the ProSafe Dual Band Wireless VPN Firewall FWAG114 is shielded against the generation of radio interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is declared by the application of EN 55 022 Class B (CISPR 22).
Certificate of the Manufacturer/Importer
It is hereby certified that the ProSafe Dual Band Wireless VPN Firewall FWAG114 has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions. The Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas. When used near a radio or TV receiver, it may become the cause of radio interference. Read instructions for correct handling.
Contents
Chapter 1 About This Manual
  Audience
  Typographical Conventions
  Special Message Formats
  Features of the HTML Version of this Manual
Chapter 2 Introduction
  Key Features of the VPN Firewall
    802.11g and 802.11b Wireless Networking
    A Powerful, True Firewall with Content Filtering
    Security
    Autosensing Ethernet Connections with Auto Uplink
    Extensive Protocol Support
    Easy Installation and Management
    Maintenance and Support
  Package Contents
    The FWAG114's Front Panel
    The FWAG114's Rear Panel
Chapter 3 Connecting the FWAG114 to the Internet
  What You Will Need Before You Begin
    Cabling and Computer Hardware Requirements
    Computer Network Configuration Requirements
    Internet Configuration Requirements
    Where Do I Get the Internet Configuration Parameters?
    Record Your Internet Connection Information
  Connecting the ProSafe Dual Band Wireless VPN Firewall FWAG114 to Your LAN
    PPPoE Wizard-Detected Option
    Dynamic IP Wizard-Detected Option
    Fixed IP Account Wizard-Detected Option
  Manually Configuring Your Internet Connection
Chapter 4 Wireless Configuration
  Observe Performance, Placement, and Range Guidelines
  Implement Appropriate Wireless Security
  Understanding Wireless Settings
    Common Wireless Settings
    Understanding WEP Authentication and Encryption
      Authentication Type
      WEP
    Default Factory Settings
    Before You Change the SSID and WEP Settings
    How to Set Up and Test Basic Wireless Connectivity
    How to Restrict Wireless Access by MAC Address
    How to Configure WEP
Chapter 5 Firewall Protection and Content Filtering
  Firewall Protection and Content Filtering Overview
  Block Sites
  Using Rules to Block or Allow Specific Kinds of Traffic
    Inbound Rules (Port Forwarding)
      Inbound Rule Example: A Local Public Web Server
      Inbound Rule Example: Allowing Videoconference from Restricted Addresses
      Considerations for Inbound Rules
    Outbound Rules (Service Blocking)
      Following is an application example of outbound rules:
      Outbound Rule Example: Blocking Instant Messenger
    Order of Precedence for Rules
    Default DMZ Server
    Respond to Ping on Internet WAN Port
  Services
  Using a Schedule to Block or Allow Specific Traffic
    Time Zone
  Getting E-Mail Notifications of Event Logs and Alerts
  Viewing Logs of Web Access or Attempted Web Access
    Syslog
Chapter 6 Maintenance
  Viewing VPN Firewall Status Information
  Viewing a List of Attached Devices
  Upgrading the Router Software
  Configuration File Management
    Restoring and Backing Up the Configuration
    Erasing the Configuration
  Changing the Administrator Password
Chapter 7 Virtual Private Networking
  Overview of FWAG114 Policy-Based VPN Configuration
    Using Policies to Manage VPN Traffic
    Using Automatic Key Management
    IKE Policies' Automatic Key and Authentication Management
    VPN Policy Configuration for Auto Key Negotiation
    VPN Policy Configuration for Manual Key Exchange
  Using Digital Certificates for IKE Auto-Policy Authentication
    Certificate Revocation List (CRL)
  Walk-Through of Configuration Scenarios on the FWAG114
  VPN ...