Everybody’s connecting.
FVL328 Cable/DSL ProSafe High-Speed VPN Firewall
Frequently Asked Questions
1. What is the FVL328 Cable/DSL ProSafe High Speed VPN Firewall?
The FVL328 is a network security device used to connect a Local Area Network (LAN) securely, via a broadband
Internet connection, to many other private LANs or to individual remote users. It can also be used as a
standalone firewall behind an existing router. The product provides 100 VPN tunnels and true Stateful Packet
Inspection (SPI) firewall functionality.
2. Is the FVL328 a router?
Yes, it is a router and much more. The FVL328 provides all the functionality of a Network Address
Translation (NAT) router, plus many more security features.
3. What is significant about the FVL328?
The FVL328 adds security to the network through five significant features that do not exist in
conventional NAT routers:
• 100-tunnel VPN end point support with IPSec 3DES encryption capability
• Static content filtering (URL, URL keywords)
• Denial of Service (DoS) prevention through Stateful Packet Inspection
• Logging, reporting and alerts (Intrusion Detection System)
• Greatly increased performance using a high-speed CPU
4. What is the difference between the FVL328 and NETGEAR’s previously shipping FVS318?
The FVL328 has new features that provide better performance and functionality than the FVS318.
Specifically, the FVL328 has:
• Better WAN-to-LAN throughput (50+ Mbps)
• Support for 100 hardware-encrypted VPN tunnels (the FVS318 supports 8 software-encrypted tunnels)
• Better 3DES VPN tunneling throughput (15 Mbps)
• One of the lowest prices-per-port of any comparable VPN router product in the industry
• A wider array of compatibility with other VPN products on the market, as demonstrated in testing by
the VPN Consortium
5. What is Virtual Private Networking?
Commonly known as a VPN and defined differently by different entities, it is a group of two or more
computer systems, typically connected to a private network (a network built and maintained by an
organization solely for its own use) with limited public-network access, that communicates “securely” (via a
VPN “tunnel”) over a public network, such as the Internet. VPNs may exist between an individual machine
and a private network (client-to-server) or a remote LAN and a private network (server-to-server). Security
features differ from product to product, but most security experts agree that VPNs include encryption,
strong authentication of remote users or hosts, and mechanisms for hiding or masking information about the
private network topology from potential attackers on the public network.
6. What is VPN end point, and what can it do?
VPN end point capability within a router provides the ability to initiate a VPN tunnel to some other location
that supports either a VPN client (client-to-box) or has VPN end point capability (box-to-box).
7. How many VPN tunnels can the FVL328 support at one time?
As a standard feature, the FVL328 has the ability to support up to 100 VPN tunnels at one time. This can be
a combination of branch office, mobile users or partner connections.
8. What is encryption?
A mathematical operation that transforms data from "clear text" to "cipher text," which cannot be
interpreted. Usually the mathematical operation requires that an alphanumeric key be supplied along with
the clear text. The key and clear text are processed by the encryption operation, which leads to data
scrambling that makes it secure. Decryption is the opposite of encryption; it is the mathematical operation
that transforms cipher text to clear text.
9. How is the data encrypted on the FVL328 VPN?
The data is hardware-encrypted through the embedded encryption accelerator in the microprocessor.
10. What are DES and 3DES?
DES, or Data Encryption Standard, is encryption used for data communications where both the sender and
receiver must know the same secret key, which can be used to encrypt and decrypt the message, or to
generate and verify a message authentication code. NETGEAR DES encryption uses a 56-bit key. 3DES, or
“triple DES”, on the other hand, is a variation on DES that uses a 168-bit key to provide more secure data
transmission than DES. Triple DES is considered to be virtually unbreakable by security experts. It also
requires a great deal more processing power, resulting in increased latency and decreased throughput unless
hardware acceleration is provided, as in the FVL328.
11. What is IPSec?
Internet Protocol Security is a robust VPN standard that covers authentication and encryption of data traffic
over the Internet. IPSec employs three components: Encapsulating Security Payload (ESP), Authentication
Header (AH), and Internet Key Exchange (IKE). VPN technology employing IPSec encrypts all outgoing data
and decrypts all incoming data, so that a public network such as the Internet can be used as the transport
medium. IPSec supports two encryption modes: transport and tunnel. Transport mode encrypts the data
portion of each packet but leaves the header unencrypted. The more secure tunnel mode encrypts both the
header and the data. The FVL328 supports both. At the receiving end, an IPSec-compliant device decrypts
each packet. For IPSec to work, the sending and receiving devices must share a key. The IKE protocol is a
key management protocol standard which is commonly used in conjunction with the IPSec standard. Unlike
PPTP, IPSec is specific to the Internet Protocol (IP) and does not provide security for other protocols. PPTP
supports multiple protocols, but is not as secure.
12. What is IKE?
Internet Key Exchange is a negotiation and key exchange protocol specified by the Internet Engineering
Task Force (IETF). An IKE security association (SA) automatically negotiates encryption and
authentication keys. With IKE, an initial exchange authenticates the VPN session and automatically
negotiates the keys that will be used to pass IP traffic.
13. What is Authentication Header (AH)?
AH provides authentication and integrity, which protect against data tampering, using the same algorithms
as ESP. AH also provides optional anti-replay protection, which protects against unauthorized
retransmission of packets. The authentication header is inserted into the packet between the IP header and
any subsequent packet contents. The payload is not touched. Although AH protects the packet’s origin,
destination, and contents from being tampered with, the identity of the sender and receiver is known. In
addition, AH does not protect the data’s confidentiality. If data is intercepted and only AH is used, the
message contents can be read. ESP protects data confidentiality. For added protection in certain cases, AH
and ESP can be used together. In the following table, IP HDR represents the IP header and includes both
source and destination IP addresses.
14. What is Encapsulating Security Payload (ESP)?
ESP provides authentication, integrity, and confidentiality, which protect against data tampering and, most
importantly, provide message content protection.
IPSec provides an open framework for implementing industry standard algorithms, such as SHA and MD5.
The algorithms IPSec uses produce a unique and unforgeable identifier for each packet, which is a data
equivalent of a fingerprint. This fingerprint allows the device to determine if a packet has been tampered
with. Furthermore, packets that are not authenticated are discarded and not delivered to the intended
receiver.
ESP also provides all encryption services in IPSec. Encryption translates a readable message into an
unreadable format to hide the message content. The opposite process, called decryption, translates the
message content from an unreadable format to a readable message. Encryption/decryption allows only the
sender and the authorized receiver to read the data. In addition, ESP has an option to perform authentication,
called ESP authentication. Using ESP authentication, ESP provides authentication and integrity for the
payload and not for the IP header.
The ESP header is inserted into the packet between the IP header and any subsequent packet contents.
However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor
does it encrypt the ESP authentication.
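The ESP layout the last three paragraphs describe (ESP header sent in clear, payload encrypted, ESP authentication covering the header and ciphertext but not the IP header) as an added Go example; it is not NETGEAR's or the FVL328's implementation. It uses 3DES-CBC with HMAC-SHA1-96 in the packet layout of RFC 2406, in transport mode, and adds the anti-replay window mentioned under AH. The keys, SPI, IV and packet contents are constructed sample values, and EncapESP, DecapESP and ReplayWindow are this example's own names.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample parameters for one Security Association (not real credentials).
var (
	saEncKey  = []byte("k1k1k1k1k2k2k2k2k3k3k3k3") // 3DES, 24 bytes
	saAuthKey = []byte("constructed-hmac-sha1-key")
	saSPI     = uint32(0x1000)
)

const icvLen = 12 // HMAC-SHA1-96: the first 96 bits of the HMAC output

// EncapESP builds an ESP packet: [SPI][Seq][IV][ciphertext][ICV]. The SPI,
// sequence number and IV travel in clear; the ICV covers everything before it
// and nothing outside the ESP packet, so the outer IP header is unprotected.
// nextHeader is the protocol number of the encrypted payload (6 = TCP).
func EncapESP(seq uint32, iv, payload []byte, nextHeader byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(saEncKey)
	if err != nil {
		return nil, err
	}
	// ESP trailer: padding to the block size, then [pad length][next header].
	padLen := (des.BlockSize - (len(payload)+2)%des.BlockSize) % des.BlockSize
	plain := append(append([]byte{}, payload...), make([]byte, padLen)...)
	plain = append(plain, byte(padLen), nextHeader)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)

	pkt := make([]byte, 8, 8+len(iv)+len(ct)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:4], saSPI)
	binary.BigEndian.PutUint32(pkt[4:8], seq)
	pkt = append(pkt, iv...)
	pkt = append(pkt, ct...)
	mac := hmac.New(sha1.New, saAuthKey)
	mac.Write(pkt)
	return append(pkt, mac.Sum(nil)[:icvLen]...), nil
}

// ReplayWindow is the receiver's anti-replay state: the highest sequence number
// accepted so far plus a bitmap of which of the 64 most recent ones arrived.
type ReplayWindow struct {
	last   uint32
	bitmap uint64
}

// check reports whether seq is new and marks it seen only when accepted.
func (w *ReplayWindow) check(seq uint32) bool {
	if seq == 0 {
		return false
	}
	if seq > w.last {
		if shift := seq - w.last; shift >= 64 {
			w.bitmap = 0
		} else {
			w.bitmap <<= shift
		}
		w.bitmap |= 1
		w.last = seq
		return true
	}
	diff := w.last - seq
	if diff >= 64 || w.bitmap&(1<<diff) != 0 {
		return false
	}
	w.bitmap |= 1 << diff
	return true
}

// DecapESP verifies the ICV before anything is decrypted, rejects replays,
// then decrypts and strips the trailer, returning payload and next header.
func DecapESP(w *ReplayWindow, pkt []byte) ([]byte, byte, error) {
	if len(pkt) < 8+2*des.BlockSize+icvLen {
		return nil, 0, errors.New("packet too short")
	}
	body, icv := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	mac := hmac.New(sha1.New, saAuthKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:icvLen], icv) {
		return nil, 0, errors.New("ICV mismatch: packet tampered or wrong key")
	}
	if binary.BigEndian.Uint32(body[0:4]) != saSPI {
		return nil, 0, errors.New("unknown SPI")
	}
	if !w.check(binary.BigEndian.Uint32(body[4:8])) {
		return nil, 0, errors.New("replayed sequence number")
	}
	iv, ct := body[8:8+des.BlockSize], body[8+des.BlockSize:]
	if len(ct)%des.BlockSize != 0 {
		return nil, 0, errors.New("ciphertext not block aligned")
	}
	block, _ := des.NewTripleDESCipher(saEncKey)
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen, nh := int(plain[len(plain)-2]), plain[len(plain)-1]
	if padLen+2 > len(plain) {
		return nil, 0, errors.New("bad trailer")
	}
	return plain[:len(plain)-2-padLen], nh, nil
}

func main() {
	iv := []byte("87654321") // constructed; real IVs must be unpredictable per packet
	pkt, _ := EncapESP(1, iv, []byte("GET / HTTP/1.0"), 6)
	w := &ReplayWindow{}
	p, nh, err := DecapESP(w, pkt)
	fmt.Printf("first:  %q next=%d err=%v\n", p, nh, err)
	_, _, err = DecapESP(w, pkt) // the same packet delivered twice
	fmt.Println("replay:", err)
	bad := append([]byte{}, pkt...)
	bad[20] ^= 0x01 // flip one bit of the ciphertext
	_, _, err = DecapESP(&ReplayWindow{}, bad)
	fmt.Println("tamper:", err)
}
```

Two design points match the text: the ICV is checked before decryption, so a modified packet is dropped without ever being decrypted, and the ICV stops at the ESP boundary, which is exactly the gap the FAQ says AH fills when the IP header itself needs integrity protection.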
15. What is a Security Association?
A group of security settings related to a specific VPN tunnel. A Security Association (SA) groups together
all the necessary settings needed to create a VPN tunnel. Different SAs may be created to connect branch
offices, allow secure remote management, and pass unsupported traffic. All SAs require a specified
encryption method, IPSec gateway address and destination network address.
16. What is PKI?
Public Key Infrastructure (PKI) is a method by which valid VPN users are authenticated through the use of
certificate authorities.
17. What is a Certificate Authority (CA)?
A Certificate Authority is an organization that provides certificates and provides a mechanism for verifying
their authenticity. Certificate authentication is a method whereby the computer would have a pre-assigned
certificate (any X.509-based certificate, such as Entrust®, VeriSign®, Baltimore, etc.) that is necessary for
the IPSec-based authentication algorithm to use for generating keys to exchange between the two VPN
devices. It is generally recognized as a more secure method of authentication.
18. What is PPTP?
Point-to-Point Tunneling Protocol builds on the functionality of the Point-to-Point Protocol (PPP) to provide
remote access that can be tunneled through the Internet to a destination site or computer. PPTP encapsulates
PPP packets using the Generic Routing Encapsulation (GRE) protocol, which gives PPTP the flexibility of
handling protocols other than IP. The FVL328 supports pass-through mode for PPTP, but does not support
end-point mode.