Phillip Howell finds that Netgear's under-$500 SSL VPN blue box is poised to take some business from its bigger cousins.
I'm a bit new to VPNs.
Is this device designed to be accessed from the outside?
If so, would you have to port forward 443 on your router or firewall to this device?
In the article it seems to describe everything on a LAN.
How would you configure it to be accessed from home?
Netgear has no documentation on it.
Netgear isn't the only one. Take a look at the Sonicwall SSL VPN 100. For the same price you get a very good SSL box.
Anyway, for professional firewalls, Checkpoint FW, Cisco PIX/ASA, Juniper/Netscreen, I know them all. Sonicwall also has a wide product portfolio and *VERY* good firewall products for a *VERY* good price. It has almost the same capabilities as the PIX or the Juniper/Netscreens.
Read carefully: I say *almost* the same, because Sonicwall doesn't do Active/Active full state (yet).
OK, yes, I like Sonicwall, because it's by *FAR* the easiest firewall to deploy. Also, when using Enhanced OS, it is by *FAR* more configurable through the GUI than, say, the PIX/ASA... (I work with all of those guys).
The PIX/ASA GUI for the firewall version 7.1 is *HORRIBLE* to use... it still isn't intuitive.
My favorite firewalls to play with: Checkpoint & Sonicwall.
Less favorite firewalls: PIX/ASA & Watchguard... (don't ever consider using Watchguard in a professional environment).
PL6,
Yes, it is designed to provide you with convenient connectivity to your internal network from an external network (i.e. the Internet) in a secure fashion (SSL). You would place it inside your network on your LAN. Next, forward all incoming HTTPS traffic (port 443) to the SSL312. Obviously the previous step will vary depending upon what kind of router/firewall you have on your network connecting you to the Internet.
Hope that helps,
KernelPacket
Sokolum,
I could not find the Sonicwall SSL VPN 100. However, I did find the information for the Sonicwall SSL VPN 200. A cursory review of the specifications finds it to be almost identical in function and features to the SSL312. From a price perspective I was able to consistently find the SSL312 about $100 cheaper from most online vendors (CDW has the SSL312 right now for $384.99). Thanks for the heads up though about the Sonicwall appliance.
I too tend to favor Sonicwall/Juniper. I manage a Sonicwall PRO 2060 for our corporate office. I have a Juniper Netscreen 5 GT on my home network. And yes, I really dislike the PIX series as well.
Thanks for your feedback,
KernelPacket
Gary said:
| Quote : I liked your article on the Netgear SSL312, but I was curious about your
|
Gary,
I must say that I have not ever looked at the Fortinet products. Thanks for bringing them to my attention. At $495 the Fortinet 50A is still about $100 more expensive than the SSL312. I realize the value to some of being able to have everything in one box. I tend to prefer discrete components however primarily because of the diversification factor. By not having all "your eggs in one basket" you can support a failure or two down the chain and still remain functional.
Also, by having discrete components you tend to create individual "layers" of security which can make it much more difficult for someone with malicious intent to compromise. And lastly, some people already have an investment in a firewall which they are happy with and intend to keep but that lacks SSL VPN connectivity. Obviously, for someone who is in the market for a new firewall the Fortinet sounds like a feature packed appliance which should definitely be considered.
On a closing note, one of the reasons that I recommend SSL VPNs to those who are relatively new to VPN technologies is that as a general rule, SSL VPNs do not have as steep a learning curve and they usually have fewer interoperability issues than their IPsec/PPTP cousins. Thanks again for your feedback and suggestion.
KernelPacket
| Quote : Sokolum,
|
Whoops, all those product names & numbers, it makes you confused sometimes.
You are correct, yes indeed, it is a Sonicwall SSL VPN 200; its bigger brother is the SSL VPN 2000. And the sister is upcoming, the Sonicwall SSL VPN 4000 (not mentioned yet on the Sonicwall site).
$400 may be much cheaper than Cisco or Juniper, but it is still a heck of a lot more than the Asus SL1000, which goes for around $150 or less and does VPN at near wire speeds (80-90 MBit/s). Tom's Networking already reviewed the Asus SL1000 way back in 2004, but it seems it still wins hands down...
| Quote : $400 may be much cheaper than Cisco or Juniper, but it is still a heck of a lot more than the Asus SL1000, which goes for around $150 or less and does VPN at near wire speeds (80-90 MBit/s). Tom's Networking already reviewed the Asus SL1000 way back in 2004, but it seems it still wins hands down... |
The SL1000 is an IPsec endpoint VPN router. The SSL312 is an SSL gateway. Both provide remote secure connections but through very different methods.
| Quote : The SL1000 is an IPsec endpoint VPN router. The SSL312 is an SSL gateway. Both provide remote secure connections but through very different methods. |
The Linksys RVL200 uses the same chipset as the SSL312 but only handles 5 SSL connections so far. However, its layout and functions are similar but different, and it also handles 1 IPSec Gateway-to-Gateway tunnel for branch office connectivity. It includes 1 WAN and 4 LAN ports. It is priced sub $200.
I think the time is near for the SSL VPN revolution.
Could this Netgear handle Gateway to Gateway tunnel for that connectivity as well?
AFAIK the Netgear does not handle ANY IPSec tunnels as yet. The chipset is capable of IPSec tunnels, but with the amount of SSL tunnels this may affect any IPSec tunnel being added, and SSL is much harder on the processor and throughput is much slower.
You could however put the SSL router behind an IPSec VPN router which would act as the gateway and forward any 443 activity to the SSL router.
| Quote : Could this Netgear handle Gateway to Gateway tunnel for that connectivity as well? |
Netgear says that the SSL312 does not support gateway to gateway tunnels.
I've purchased the SSL312 - as the marketing is clear that it also supports Mac OS X via a Java client. If you log on to the portal with a Safari browser, a different VPN client page is displayed with the option to download a Java applet which runs as the SSL VPN client.
Just a note to all to beware - after plenty of testing (11 machines!) it has been shown that the Java client packaged in the SSL312 does not execute correctly on an Intel based Mac.
If you're still on PowerPC technology - then it all works perfectly (tested up to OS X 10.4.8 and J2SE 5.0/JRE 1.5.0) and you can use your VPN tunnel with joy.
I've submitted a problem report to Netgear - and expect them to issue an update for the SSL312 as soon as they've found their Java coder.
For those who are interested - the Java exception on an Intel Mac is NoClassDefFoundError.
No workaround has been found yet ...
Cheers,
Rob.
| Quote : Could this Netgear handle Gateway to Gateway tunnel for that connectivity as well? |
Netgear says that the SSL312 does not support gateway to gateway tunnels.
Yes Tim, that's what they say. However, the chipset can handle them. It's just that Netgear won't add any IPSec feature, or can't.
There's a new firmware release for this - 1.4.20, but Netgear has still not compiled the libNetGearDialler.jnilib java library as a Universal Binary.
This means that the Java VPN client included for Mac machines will still only run on a PowerPC based Mac.
Do not buy this device if you want to use it with Intel based machines.
Also - be aware that NetGear are obviously unable to respond to customer feedback as there have been multiple support cases raised for this issue for over 2 months and they have yet to release any fix (which to be blunt only means recompiling the binary on a different machine!).
Perhaps they can't afford to buy an Intel Mac? Seems a shame as you haven't been able to buy a new PowerPC mac for quite a while now ...
So here we are in May and still no Intel/Mac support. I sent the 312 back and ordered a SonicWall VPN-200 and...
It does support Vista but it does NOT support Intel/Mac with the "NetExtender" feature (No real tunnel) so here we are, still without any real VPN support for Mac from any of the low price vendors.
Makes OpenVPN look better every day.
A nice feature Netgear can add to the SSL312 is a virtual keyboard on the login page. This will help prevent keyloggers from capturing a user's password from a regular keyboard. Does anyone know another device that has this feature?

