SSL VPN Modes
NETGEAR’s implementation of SSL VPN offers a greater level of access control and security to network administrators in the form of three options: Full Tunnel Mode, Split Tunnel Mode, and Port Forwarding.
Full Tunnel Mode will allow a remote user full access to the LAN without restrictions. I found this level of access to be more than necessary, as it also routes simple web surfing for the remote client through the VPN tunnel.
A subset of Full Tunnel Mode is Split Tunnel Mode. This option allows a remote client full access to the LAN behind the 336G, while leaving web surfing to the end user's local connection.
In this mode, the remote client is issued an IP address different from the NETGEAR LAN subnet, which is then routed to the LAN subnet. As shown in Figure 8, my PC has received IP 192.168.251.2, which the NETGEAR routes to my LAN subnet (192.168.3.0/24).
Figure 8: SSL VPN IP address
Using a different subnet for SSL VPN clients is similar to NETGEAR’s Mode Config option for IPSec VPN clients in that it creates separate routed networks between VPN clients and the main LAN. Restrictions can then be applied to the VPN subnet, enhancing security with the ability to limit access based on originating IP addresses.
Split Tunnel Mode requires setting up a static route between the VPN Client subnet and the NETGEAR LAN subnet. It's a two-step process, enabled by de-selecting Full Tunnel mode and entering the LAN subnet as shown in Figure 9.
Figure 9: Setting up Split Tunnel Mode
With Split Tunnel Mode, a remote client has routed access to the NETGEAR LAN 192.168.3.0/24 from anywhere with an Internet connection. Using the NETGEAR SSL VPN implementation, I was able to access my Windows and Linux servers via Remote Desktop, VNC, and SSH services, as well as map my network drives.
I was also impressed that pinging LAN devices through the VPN tunnel added minimal latency. As shown in Table 2 previously, there was virtually no difference in ping times to the WAN interface and to LAN devices through the VPN tunnel. Encapsulating and encrypting packets in a VPN tunnel adds some expected delay. It was impressive to see 1ms or no difference between pinging the WAN interface and pinging a LAN IP.
NETGEAR’s third SSL VPN option, Port Forwarding, is similar to common firewall Port Forwarding. This feature enables restricting VPN access to only specific TCP ports, such as web and email servers, or other TCP-based applications. Note: UDP-based applications, such as VoIP, won't work in this mode.
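To make the difference between the three modes concrete, here is an added policy model (my own example, not code from the article or from NETGEAR) that decides, for a flow leaving an SSL VPN client, whether it is carried through the tunnel, sent out the client's local connection, or dropped. The mode names, the `forwards` table, the `allowed_sources` restriction and the sample server addresses are constructed assumptions; the subnets are the ones the article shows.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

LAN = ipaddress.ip_network("192.168.3.0/24")          # NETGEAR LAN subnet (from the article)
VPN_POOL = ipaddress.ip_network("192.168.251.0/24")   # SSL VPN client subnet (client got .2)


@dataclass
class Policy:
    mode: str                                   # "full", "split" or "portfwd" (assumed names)
    lan: ipaddress.IPv4Network = LAN
    # Port Forwarding mode: (server IP, TCP port) pairs the admin exposed; constructed values
    forwards: Set[Tuple[ipaddress.IPv4Address, int]] = field(default_factory=set)
    # Optional restriction by originating VPN client address (the "limit access based on
    # originating IP addresses" idea); None means every client in the pool is accepted
    allowed_sources: Optional[ipaddress.IPv4Network] = None


def route_flow(policy: Policy, src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    """Return 'tunnel', 'local' or 'drop' for one flow originating at a VPN client."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in VPN_POOL:
        return "drop"                               # not an address issued to a VPN client
    if policy.allowed_sources is not None and src_ip not in policy.allowed_sources:
        return "drop"                               # client outside the permitted source range
    if policy.mode == "full":
        return "tunnel"                             # everything, plain web surfing included
    if policy.mode == "split":
        return "tunnel" if dst_ip in policy.lan else "local"   # only the LAN route is tunnelled
    if policy.mode == "portfwd":
        if dst_ip not in policy.lan:
            return "local"                          # no tunnel route for non-LAN destinations
        if proto.lower() != "tcp":
            return "drop"                           # UDP (e.g. VoIP) is not carried in this mode
        return "tunnel" if (dst_ip, dport) in policy.forwards else "drop"
    raise ValueError(f"unknown mode {policy.mode!r}")


if __name__ == "__main__":
    rdp_only = Policy("portfwd", forwards={(ipaddress.ip_address("192.168.3.10"), 3389)})
    for pol in (Policy("full"), Policy("split"), rdp_only):
        for flow in (("192.168.3.10", "tcp", 3389), ("192.168.3.10", "tcp", 22),
                     ("192.168.3.10", "udp", 5060), ("93.184.216.34", "tcp", 443)):
            print(pol.mode, flow, "->", route_flow(pol, "192.168.251.2", *flow))
```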
Additional configuration options for SSL VPN clients exist through the use of User, Group, and Domain configurations. Further, the FVS336G can be configured to use a RADIUS server for user authentication. Finally, User Policies can be created to define which browsers are permitted for end user access.