Phillip Howell finds that Netgear's under-$500 SSL VPN blue box is poised to take some business from its bigger cousins.

I'm a bit new to vpn's.
Is this device designed to be accessed from the outside?
If so, would you have to port forward 443 on your router or firewall to this device?
In the article it seems to describe everything on a LAN.
How would you configure it to be accessed from home?
Netgear has no documentation on it.

Netgear isn't the only one, Take a look to Sonicwall SSL VPN 100. For the same price you get a very good SSL box.
 
Anyway, for proffesional firewall, Checkpoint FW, Cisco PIX/ASA, Juniper/Netscreen, i know them all. Sonicwall also have a wide product portofolio and *VERY* good firewall products for a *VERY* good price. It got almost the same capabilities as the PIX or this Juniper/Netscreens.
Read good: I say *almost* the same, beacuse Sonicwall doesn't do Actice/Actie full state (yet)
 
Ok, yes, i like Sonicwall, because it's by *FAR* the easiest firewall to deploy, also when using Enhanced OS, it is by *FAR* much better GUI configurable then like PIX/ASA.... (i work with all of those guys).
The PIX/ASA GUI for the firewall version 7.1 is *HORRIBLE* to use... it still isn't intuitive.
 
My favorit firewalls to play withm Checkpoint & Sonicwall.
 
Less favorit firewalls, PIX/ASA & Watchguard....(don't conisder ever to use Watchguard in a proffesional enviroment).

PL6,
 
Yes, it is designed to provide you with convenient connectivity to your internal network from an external network (i.e. the Internet) in a secure fashion (SSL). You would place it inside your network on your LAN. Next, forward all incoming HTTPS traffic (port 443) to the SSL312. Obviously the previous step will vary depending upon what kind of router/firewall you have on your network connecting you to the Internet.
 
Hope that helps,
KernelPacket

Sokolum,
 
I could not find the Sonicwall SSL VPN 100. However, I did find the information for the Sonicwall SSL VPN 200. A cursory review of the specifications finds it to be almost identical in function and features to the SSL312. From a price perspective I was able to consistently find the SSL312 about $100 cheaper from most online vendors (CDW has the SSL312 right now for $384.99). Thanks for the heads up though about the Sonicwall appliance.
 
I too tend to favor Sonicwall/Juniper. I manage a Sonicwall PRO 2060 for our corporate office. I have a Juniper Netscreen 5 GT on my home network. And yes, I really dislike the PIX series as well.
 
Thanks for your feedback,
KernelPacket

Gary said:

Gary,
 
I must say that I have not ever looked at the Fortinet products. Thanks for bringing them to my attention. At $495 the Fortinet 50A is still about $100 more expensive than the SSL312. I realize the value to some of being able to have everything in one box. I tend to prefer discrete components however primarily because of the diversification factor. By not having all "your eggs in one basket" you can support a failure or two down the chain and still remain functional.  
 
Also, by having discrete components you tend to create individual "layers" of security which can make it much more difficult for someone with malicious intent to compromise. And lastly, some people already have an investment in a firewall which they are happy with and intend to keep but that lacks SSL VPN connectivity. Obviously, for someone who is in the market for a  new firewall the Fortinet sounds like a feature packed appliance which should definitely be considered.  
 
On a closing note, one of the reasons that I recommend SSL VPNs to those who are relatively new to VPN technologies is that as a general rule, SSL VPNs do not have as steep a learning curve and they usually have less interoperability issues than their IPsec/PPTP cousins. Thanks again for your feedback and suggestion.
 
KernelPacket

 
Woops, als those product names & numbers, it makes you confuse sometimes.
You are correct, yes indeed, it is a Sonicwall SSL VPN 200, his bigger brother is a SSL VPN 2000. And the sister is upcomming, Sonicwall SSL VPN 4000 (not metnioned yet on the Sonicwall site).

$400 may be much cheaper then Cisco or Juniper, but it is still a heck of a lot more then the Asus SL1000 which goes around $150 or less and does VPN at near wire speeds (80-90 MBit/s). Tom's Networking allready reviewed the Asus SL1000 way back in 2004, but it seems it still wins hands down...

The SL1000 is an IPsec endpoint VPN router. The SSL312 is an SSL gateway. Both provide remote secure connections but through very different methods.

 
The Linksys RVL200 uses the same chipset as the SSL312 but only handles 5 SSL connections so far, however its layout and functions are similar but different and it also handles 1 IPSec for Gateway-to-Gateway Tunnel for branch office connectivity.  it includes 1 WAN and 4 LAN ports.  it is priced sub $200  it think the time is near for the SSL VPN revolution.

 
Could this Netgear handle Gateway to Gateway tunnel for that connectivity as well?

afaik the netgear does not handle ANY IPSec tunnels as yet. the chipset is capable of IPSec tunnels, but with the Amount of SSL tunnels this may affect any IPSec tunnel being added and SSL is much harder on the processor and throughput is much slower.
 
You could however put the SSL router behind a IPSec VPN router whhich would act as the gateway and forward any 443 activity to the SSL router.

Netgear says that the SSL312 does not support gateway to gateway tunnels.

I've purchased the SSL312 - as the marketing is clear that it also supports Mac OS X via a Java client. If you log on to the portal with a Safari browser, a different VPN client page is displayed with the option to download a Java applet which runs as the SSL VPN client.
 
Just a note to all to beware - after plenty of testing (11 machines!) it has been shown that the Java client packaged in the SSL312 does not execute correctly on an Intel based Mac.  
 
If you're still on PowerPC technology - then it all works perfectly (tested up to OS X 10.4.8 and J2SE 5.0/JRE 1.5.0) and you can use your VPN tunnel with joy    
 
I've submitted a problem report to Netgear - and expect them to issue an update for the SSL312 as soon as they've found their Java coder    
 
For those who are interested - the Java exception on an Intel Mac is NoClassDefFoundError.  
 
No workaround has been found yet ...
 
Cheers,
Rob.

Netgear says that the SSL312 does not support gateway to gateway tunnels.
 
Yes Tim, thats what they say.  however the chipset can handle them.  its just that Netgear wont add any IPSec feature, or can't

There's a new firmware release for this - 1.4.20, but Netgear has still not compiled the libNetGearDialler.jnilib java library as a Universal Binary.
 
This means that the Java VPN client included for Mac machines will still only run on a PowerPC based Mac.
 
Do not buy this device if you want to use it with Intel based machines.
 
Also - be aware that NetGear are obviously unable to respond to customer feedback as there have been multiple support cases raised for this issue for over 2 months and they have yet to release any fix (which to be blunt only means recompiling the binary on a different machine!).
 
Perhaps they can't afford to buy an Intel Mac? Seems a shame as you haven't been able to buy a new PowerPC mac for quite a while now ...

So here we are in may and still no Intel/Mac support. I sent the 312 back and ordered a SonicWall VPN-200 and...
It does support Vista but it does NOT support Intel/Mac with the "NetExtender" feature (No real tunnel) so here we are, still without any real VPN support for Mac from any of the low price vendors.
Makes OpenVPN look better every day.

A nice feature Netgear can add to SSL312 is a virtual keyboard on the login page. This will help prevent keyloggers capturing user's password from a regular keyboard. Does anyone know another device that has this feature?