
Netgear's Breakthrough SSL VPN Gateway

September 26, 2006 2:01:35 PM

Phillip Howell finds that Netgear's under-$500 SSL VPN blue box is poised to take some business from its bigger cousins.
September 29, 2006 2:36:37 PM

I'm a bit new to VPNs.
Is this device designed to be accessed from the outside?
If so, would you have to port forward 443 on your router or firewall to this device?
In the article it seems to describe everything on a LAN.
How would you configure it to be accessed from home?
Netgear has no documentation on it.
September 29, 2006 4:09:41 PM

Netgear isn't the only one. Take a look at the Sonicwall SSL VPN 100. For the same price you get a very good SSL box.

Anyway, for professional firewalls, Checkpoint FW, Cisco PIX/ASA, Juniper/Netscreen, I know them all. Sonicwall also has a wide product portfolio and *VERY* good firewall products for a *VERY* good price. It has almost the same capabilities as the PIX or the Juniper/Netscreens.
Read carefully: I say *almost* the same, because Sonicwall doesn't do Active/Active full state :(  (yet)

OK, yes, I like Sonicwall, because it's by *FAR* the easiest firewall to deploy. Also, when using Enhanced OS, it is by *FAR* better to configure through the GUI than the PIX/ASA... (I work with all of those guys).
The PIX/ASA GUI for the firewall version 7.1 is *HORRIBLE* to use... it still isn't intuitive.

My favorite firewalls to play with: Checkpoint & Sonicwall.

Less favorite firewalls: PIX/ASA & Watchguard... (don't ever consider using Watchguard in a professional environment).
September 29, 2006 11:11:45 PM

PL6,

Yes, it is designed to provide you with convenient connectivity to your internal network from an external network (i.e. the Internet) in a secure fashion (SSL). You would place it inside your network on your LAN. Next, forward all incoming HTTPS traffic (port 443) to the SSL312. Obviously the previous step will vary depending upon what kind of router/firewall you have on your network connecting you to the Internet.

Hope that helps,
KernelPacket
September 29, 2006 11:30:39 PM

Sokolum,

I could not find the Sonicwall SSL VPN 100. However, I did find the information for the Sonicwall SSL VPN 200. A cursory review of the specifications finds it to be almost identical in function and features to the SSL312. From a price perspective I was able to consistently find the SSL312 about $100 cheaper from most online vendors (CDW has the SSL312 right now for $384.99). Thanks for the heads up though about the Sonicwall appliance.

I too tend to favor Sonicwall/Juniper. I manage a Sonicwall PRO 2060 for our corporate office. I have a Juniper Netscreen 5 GT on my home network. And yes, I really dislike the PIX series as well.

Thanks for your feedback,
KernelPacket
September 30, 2006 12:04:06 AM

Gary said:
Quote:
I liked your article on the Netgear SSL312, but I was curious about your statement about comparisons to the Netscreen SA700 and Cisco ASA 5500 and the prices. Have you ever looked at the Fortinet products? Particularly the Fortigate 50A or Fortigate 60A. The 50A - barebones is $495 and 60A is $595.

These products are Intrusion Prevention / Firewall / VPN / Antivirus / Web content filter / Spam filter in a single box. The Antivirus/Web-Spam filters are subscription based services costing $200 with purchase and $300 per year thereafter. But even without the subscription services, these units offer more than the SSL312 at only a slightly higher cost.

For example, the SSL312 according to Netgear's site is to be part of a firewalled environment. The Fortigate units include the firewall. The Fortigate devices offer gateway to gateway tunnels, the SSL312 does not. The Netgear FVS318 is $110 and the FVS338 is $160 for the firewall and IPSec VPN. The FVS318 offers firewall/8 VPN at 12/1.2Mbps and the FVS338 firewall/50 tunnel performance is 90/60Mbps. The Fortigate 50A allows 20 VPN tunnels (IPSec or SSL) at 50/15Mbps and 60A allows 50 VPN tunnels at 70/20Mbps.

The costs are slightly higher, but performance is comparable and you only need to manage one box, not two. If you want to control WEB access, block viruses at the wall plate and reduce spam, you have that option. The Netgear devices also offer some filtering, but at additional costs and lower performance.

I use high Fortinet products at my employment so I was aware of the features. I also have a part time consulting business and I was looking to buy a Fortigate 60A for a client who is looking to connect to the internet for the first time and needs both SSL and firewall to firewall VPN capabilities. Your article was timely in helping me to decide on continuing with the Fortinet 60A.

I would be interested in seeing Toms Hardware do a performance review or comparison between VPN/FireWall/Security devices.
September 30, 2006 12:24:20 AM

Gary,

I must say that I have not ever looked at the Fortinet products. Thanks for bringing them to my attention. At $495 the Fortinet 50A is still about $100 more expensive than the SSL312. I realize the value to some of being able to have everything in one box. I tend to prefer discrete components however primarily because of the diversification factor. By not having all "your eggs in one basket" you can support a failure or two down the chain and still remain functional.

Also, by having discrete components you tend to create individual "layers" of security which can make it much more difficult for someone with malicious intent to compromise. And lastly, some people already have an investment in a firewall which they are happy with and intend to keep but that lacks SSL VPN connectivity. Obviously, for someone who is in the market for a new firewall the Fortinet sounds like a feature packed appliance which should definitely be considered.

On a closing note, one of the reasons that I recommend SSL VPNs to those who are relatively new to VPN technologies is that as a general rule, SSL VPNs do not have as steep a learning curve and they usually have fewer interoperability issues than their IPsec/PPTP cousins. Thanks again for your feedback and suggestion.

KernelPacket
October 2, 2006 12:00:00 PM

Quote:
Sokolum,

I could not find the Sonicwall SSL VPN 100. However, I did find the information for the Sonicwall SSL VPN 200.

Thanks for your feedback,
KernelPacket


Whoops, all those product names & numbers, it makes you confused sometimes.
You are correct, yes indeed, it is a Sonicwall SSL VPN 200, its bigger brother is an SSL VPN 2000. And the sister is upcoming, the Sonicwall SSL VPN 4000 (not mentioned yet on the Sonicwall site).
October 3, 2006 12:10:21 PM

$400 may be much cheaper than Cisco or Juniper, but it is still a heck of a lot more than the Asus SL1000 which goes around $150 or less and does VPN at near wire speeds (80-90 MBit/s). Tom's Networking already reviewed the Asus SL1000 way back in 2004, but it seems it still wins hands down...
October 3, 2006 12:18:54 PM

Quote:
$400 may be much cheaper than Cisco or Juniper, but it is still a heck of a lot more than the Asus SL1000 which goes around $150 or less and does VPN at near wire speeds (80-90 MBit/s). Tom's Networking already reviewed the Asus SL1000 way back in 2004, but it seems it still wins hands down...

The SL1000 is an IPsec endpoint VPN router. The SSL312 is an SSL gateway. Both provide remote secure connections but through very different methods.
October 7, 2006 5:32:55 PM

Quote:
The SL1000 is an IPsec endpoint VPN router. The SSL312 is an SSL gateway. Both provide remote secure connections but through very different methods.


The Linksys RVL200 uses the same chipset as the SSL312 but only handles 5 SSL connections so far, however its layout and functions are similar but different and it also handles 1 IPSec for Gateway-to-Gateway Tunnel for branch office connectivity. It includes 1 WAN and 4 LAN ports. It is priced sub $200 :)  I think the time is near for the SSL VPN revolution.
October 20, 2006 3:20:21 PM

Quote:


The Linksys RVL200 uses the same chipset as the SSL312 but only handles 5 SSL connections so far, however its layout and functions are similar but different and it also handles 1 IPSec for Gateway-to-Gateway Tunnel for branch office connectivity.


Could this Netgear handle Gateway to Gateway tunnel for that connectivity as well?
October 20, 2006 9:06:58 PM

AFAIK the Netgear does not handle ANY IPSec tunnels as yet. The chipset is capable of IPSec tunnels, but with the amount of SSL tunnels this may affect any IPSec tunnel being added and SSL is much harder on the processor and throughput is much slower.

You could however put the SSL router behind an IPSec VPN router which would act as the gateway and forward any 443 activity to the SSL router.
October 24, 2006 6:56:59 PM

Quote:
Could this Netgear handle Gateway to Gateway tunnel for that connectivity as well?

Netgear says that the SSL312 does not support gateway to gateway tunnels.
November 4, 2006 10:29:40 AM

I've purchased the SSL312 - as the marketing is clear that it also supports Mac OS X via a Java client. If you log on to the portal with a Safari browser, a different VPN client page is displayed with the option to download a Java applet which runs as the SSL VPN client.

Just a note to all to beware - after plenty of testing (11 machines!) it has been shown that the Java client packaged in the SSL312 does not execute correctly on an Intel based Mac.

If you're still on PowerPC technology - then it all works perfectly (tested up to OS X 10.4.8 and J2SE 5.0/JRE 1.5.0) and you can use your VPN tunnel with joy :roll:

I've submitted a problem report to Netgear - and expect them to issue an update for the SSL312 as soon as they've found their Java coder :) 

For those who are interested - the Java exception on an Intel Mac is NoClassDefFoundError.

No workaround has been found yet ...

Cheers,
Rob.
November 4, 2006 10:39:00 AM

Quote:
Could this Netgear handle Gateway to Gateway tunnel for that connectivity as well?

Netgear says that the SSL312 does not support gateway to gateway tunnels.

Yes Tim, that's what they say. However, the chipset can handle them. It's just that Netgear won't add any IPSec feature, or can't :) 
February 1, 2007 9:19:59 PM

There's a new firmware release for this - 1.4.20, but Netgear has still not compiled the libNetGearDialler.jnilib Java library as a Universal Binary.

This means that the Java VPN client included for Mac machines will still only run on a PowerPC based Mac.

Do not buy this device if you want to use it with Intel based machines.

Also - be aware that NetGear are obviously unable to respond to customer feedback as there have been multiple support cases raised for this issue for over 2 months and they have yet to release any fix (which to be blunt only means recompiling the binary on a different machine!).

Perhaps they can't afford to buy an Intel Mac? Seems a shame as you haven't been able to buy a new PowerPC Mac for quite a while now ...
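
The post above attributes the Intel Mac failure to libNetGearDialler.jnilib not being a Universal Binary. As an added example (not code from this thread or from Netgear), this reads a Mach-O header to list the CPU architectures a native library contains; the function names are illustrative and the sample headers are constructed, not taken from the firmware.

```python
import struct

# Constants from <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE                   # universal header, always big-endian
THIN_MAGICS = {0xFEEDFACE, 0xFEEDFACF}   # 32-bit and 64-bit thin Mach-O
ABI64 = 0x01000000
CPU_NAMES = {7: "i386", 7 | ABI64: "x86_64", 18: "ppc", 18 | ABI64: "ppc64"}

def macho_archs(data):
    """Return the CPU architectures a Mach-O image contains."""
    if len(data) < 8:
        raise ValueError("too short to be Mach-O")
    magic_be, count = struct.unpack(">II", data[:8])
    if magic_be == FAT_MAGIC:
        # Java .class files share this magic; their second word is the class
        # version (45 or higher), so an implausible count means "not fat".
        if not 0 < count <= 20:
            raise ValueError("0xCAFEBABE but not a universal binary")
        archs = []
        for i in range(count):
            entry = data[8 + 20 * i:28 + 20 * i]   # one 20-byte fat_arch
            if len(entry) < 20:
                raise ValueError("truncated fat_arch table")
            cputype = struct.unpack(">I", entry[:4])[0]
            archs.append(CPU_NAMES.get(cputype, "cpu%d" % cputype))
        return archs
    # Thin image: the header is stored in the target CPU's byte order.
    for order in (">", "<"):
        magic, cputype = struct.unpack(order + "II", data[:8])
        if magic in THIN_MAGICS:
            return [CPU_NAMES.get(cputype, "cpu%d" % cputype)]
    raise ValueError("not a Mach-O image")

def loads_on_intel_mac(data):
    """True if the image has an Intel (i386 or x86_64) slice."""
    return any(a in ("i386", "x86_64") for a in macho_archs(data))

# Constructed sample headers, not bytes from the Netgear firmware.
PPC_ONLY = struct.pack(">II", 0xFEEDFACE, 18) + b"\0" * 20
UNIVERSAL = struct.pack(">II", FAT_MAGIC, 2) + b"".join(
    struct.pack(">5I", cpu, 0, off, 0x1000, 12)
    for cpu, off in ((18, 0x1000), (7, 0x2000)))
JAVA_CLASS = bytes.fromhex("cafebabe00000031")   # class file, major version 49

if __name__ == "__main__":
    for name, blob in (("ppc-only", PPC_ONLY), ("universal", UNIVERSAL)):
        print(name, macho_archs(blob), loads_on_intel_mac(blob))
```

On a Mac, `file` and `lipo -info` report the same information for a real library.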
May 18, 2007 4:25:16 PM

So here we are in May and still no Intel/Mac support. I sent the 312 back and ordered a SonicWall VPN-200 and...
It does support Vista but it does NOT support Intel/Mac with the "NetExtender" feature (No real tunnel) so here we are, still without any real VPN support for Mac from any of the low price vendors.
Makes OpenVPN look better every day.
December 16, 2007 1:04:32 PM

A nice feature Netgear can add to SSL312 is a virtual keyboard on the login page. This will help prevent keyloggers capturing user's password from a regular keyboard. Does anyone know another device that has this feature?