Verdict

The move towards affordable SSL-VPN appliances is definitely under way. We’ve already looked at Billion’s slick little BiGuard S10 and now its Netgear’s turn with its even lower cost ProSafe SSL312.

The tedious complexity of IPsec VPNs can make them a poor choice for small businesses with limited access to IT support. They’re not too tricky to set up for secure site-to-site links but configuring IPsec VPN connections for mobile workers can be a real pain. SSL VPNs score highly for the latter function as users don’t need any special client software installed on their PCs or laptops as they simply access the appliance with nothing more than a standard web browser. ActiveX clients are downloaded and run on demand to create a secure tunnel over HTTPS and when a session is finished they clean up after themselves and disappear without a trace.


The lower price of the SSL312 is reflected in a reduced feature set as unlike the BiGuard S10 it has no integral firewall so isn’t designed to front a company’s Internet connection. Instead, it is deployed behind an existing firewall which will require port forwarding rules to be configured for HTTPS traffic. The appliance does have a couple of Fast Ethernet ports but in this scenario only one would be used in what Netgear coins a ‘one-arm’ mode. Alternatively, it can be connected to a firewall’s DMZ port or used in-line with both interfaces activated.

The appliance supports up to 25 simultaneous SSL VPN tunnels and has a reasonable hardware specification to handle them which consists of a 200MHz processor and 128MB of memory.

For testing, we linked one port to our LAN and placed a few Windows XP systems on the second port to act as remote clients. We configured the appliance to route traffic between the ports but we wouldn’t recommend using this mode in a live environment as the appliance doesn’t even perform NAT between them so you have no protection from the outside. The SSL VPN client supports a wide range of browsers but FireFox users need not apply as this is not currently on the list.

Netgear supports a good range of authentication schemes as you can use its internal user and group database or go for NT domain or Active Directory authentication, query an LDAP (Lightweight Directory Access Protocol) server or use one of four different RADIUS server authentication schemes. We opted for the simple route and used the internal database for testing.

You get a default portal layout provided but you can assign a different one to each authentication scheme and this determines precisely what a user is allowed to access. You can display a message on the home page, activate the ActiveX cache cleaner, add your own custom banners and graphics, decide what pages are to be displayed and what services will be available. Specific applications can be defined within the portal although we had to modify Netgear’s predefined Office applications as they all pointed to the wrong executable location for Office 2003. It was also annoying that they can’t be edited but must be deleted and new ones created in their place.

Nevertheless, these will appear to the user in their portal and selecting one fires up a Terminal Services session over RDP5 for the selected application only. You can’t access anything else on the remote system and when you close the application the entire session will be terminated. You can access Windows XP and Server systems and for the former you need to make sure that the Remote Desktop function in the System Properties is ticked.


Selecting the VPN Tunnel option creates a virtual network adapter which takes its IP address from the range you defined on the appliance. This provides full access to the local network and shuts down the moment the browser is closed. If you want tighter control you can use the port forwarding option which is actually identical to Billion’s Network Extender feature and uses the same ActiveX control at the client which is a lighter version than the standard VPN Tunnel client. You use this is you want to define applications by their IP address and port number. You also get a Network Places option which provides a simple Windows Explorer style interface for browsing remote networks and uploading or downloading files.

”’Verdict”’

For the price Netgear is offering a very well featured SSL-VPN appliance. It doesn’t offer the same firewall protection, traffic management, packet filtering and QoS features available with the Billion alternative but many businesses may already have these in place making the SSL312 a better choice for secure remote access.

Access policies can be assigned to specific mobile users to restrict what they can do on the LAN.

—-


The user portal can be customised and the VPN Tunnel ActiveX client creates a virtual network adapter.

—-
You can decide what applications and services are to be made available for selection in the portal.

—-
Here we have an RDP5 connection to a Windows XP client on the LAN but only to allow us to remotely run IE.

—-


The appliance provides detailed activity logs of all SSL VPN activity.

—-

Trusted Score