The move towards affordable SSL-VPN appliances is definitely under way. We’ve already looked at Billion’s slick little BiGuard S10 and now it’s Netgear’s turn with its even lower cost ProSafe SSL312.
The tedious complexity of IPsec VPNs can make them a poor choice for small businesses with limited access to IT support. They’re not too tricky to set up for secure site-to-site links, but configuring IPsec VPN connections for mobile workers can be a real pain. SSL VPNs score highly for the latter function because users don’t need any special client software installed on their PCs or laptops: they simply access the appliance with nothing more than a standard web browser. ActiveX clients are downloaded and run on demand to create a secure tunnel over HTTPS, and when a session is finished they clean up after themselves and disappear without a trace.
The lower price of the SSL312 is reflected in a reduced feature set as unlike the BiGuard S10 it has no integral firewall so isn’t designed to front a company’s Internet connection. Instead, it is deployed behind an existing firewall which will require port forwarding rules to be configured for HTTPS traffic. The appliance does have a couple of Fast Ethernet ports but in this scenario only one would be used in what Netgear coins a ‘one-arm’ mode. Alternatively, it can be connected to a firewall’s DMZ port or used in-line with both interfaces activated.
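To make the ‘one-arm’ deployment concrete, here is an nftables ruleset for the existing firewall that sits in front of the appliance. It is an added example and not part of the review or any Netgear documentation; the interface names and the appliance’s LAN address are assumptions. The point it illustrates is that the only inbound flow the firewall forwards is HTTPS to the appliance itself, with everything else dropped by default.

```nft
# Added example (not from the review or from Netgear): an nftables ruleset for a
# firewall in front of an SSL312 deployed in "one-arm" mode. All values are assumed:
#   eth0 = Internet-facing interface, eth1 = LAN, 192.168.1.10 = the appliance's LAN port.
table inet edge {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Only HTTPS arriving on the WAN interface is redirected to the appliance.
        iifname "eth0" tcp dport 443 dnat ip to 192.168.1.10
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies and already-established sessions in either direction.
        ct state established,related accept
        # The single inbound exception: the DNATed HTTPS flow to the appliance.
        iifname "eth0" oifname "eth1" ip daddr 192.168.1.10 tcp dport 443 ct status dnat accept
        # LAN hosts may still initiate outbound connections as usual.
        iifname "eth1" oifname "eth0" accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hide LAN addresses behind the firewall's public address for outbound traffic.
        oifname "eth0" masquerade
    }
}
```

With this in place the appliance’s management interface and its second Ethernet port are never reachable from the Internet; remote users only ever see TCP port 443, and the firewall’s default-drop forward policy takes care of the rest.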
The appliance supports up to 25 simultaneous SSL VPN tunnels and has a reasonable hardware specification to handle them which consists of a 200MHz processor and 128MB of memory.
For testing, we linked one port to our LAN and placed a few Windows XP systems on the second port to act as remote clients. We configured the appliance to route traffic between the ports, but we wouldn’t recommend using this mode in a live environment as the appliance doesn’t even perform NAT between them, so you have no protection from the outside. The SSL VPN client supports a wide range of browsers, but Firefox users need not apply as it is not currently on the list.
Netgear supports a good range of authentication schemes as you can use its internal user and group database or go for NT domain or Active Directory authentication, query an LDAP (Lightweight Directory Access Protocol) server or use one of four different RADIUS server authentication schemes. We opted for the simple route and used the internal database for testing.