The SRX supports three kinds of VPN connections. It supports Site-to-Site IPSec connections to other routers, Client-to-Site IPSec connections for remote PCs, and SSL VPN connections for remote users. As mentioned earlier, the SRX supports 125 simultaneous IPSec VPN tunnels and 50 simultaneous SSL VPN tunnels.
NETGEAR's Site-to-Site IPSec VPN menu is easy to configure. I've set up Site-to-Site IPSec VPN connections on Cisco, SonicWall, Linksys, Draytek, Zyxel, and other brand routers. In my opinion, NETGEAR's VPN configuration menu is the most intuitive.
The SRX5308 supports DES, 3DES and AES encryption, plus MD5 and SHA-1 authentication. There is a simple wizard for setting up a Site-to-Site IPSec VPN tunnel, which makes setting up an IPSec tunnel between two NETGEAR routers quite easy. As with NETGEAR's other IPsec routers, the SRX includes a Mode Config option that allows remote VPN clients to be assigned IP addresses in a different subnet than the devices on the LAN. This is useful because firewall rules can then be written against that subnet to restrict remote clients from accessing various services on the LAN.
Manually setting up a tunnel isn't difficult. I had no issues setting up a Site-to-Site VPN connection between the SRX5308 and a SonicWall TZ100W using 3DES and SHA-1 for VPN encryption and authentication. My active tunnel is shown in Figure 10.
Figure 10: Active Site-to-Site IPsec tunnel status
The SRX comes bundled with a single-user license of VPN Client software. Because of issues with Windows 7 support, NETGEAR is using a different IPSec client with the SRX5308. Instead of the SafeNet client that came with the FVS336G and FVS318G, NETGEAR is going with software from TheGreenBow. NETGEAR supplied me with a beta client version, which I installed on a Windows 7 64-bit PC.
Setting up the router for IPSec VPN client access is easy via the Netgear VPN Client Wizard. Simply give the connection a name, enter a pre-shared key, and click apply. The Wizard configures the router with default local and remote IDs, 3DES, SHA-1, Aggressive mode, PFS, and DH2.
Setting up the IPSec client software took a few more steps, however. You must enter each of the parameters for the Phase 1 and Phase 2 configurations, as shown in Figure 11.
Figure 11: SRX5308 IPsec Phase 1, 2 test configuration
While I was waiting for NETGEAR to get me a copy of the Windows 7 32-bit TheGreenBow client, I tried using Windows 7's built-in VPN connection wizard, but without success. This is probably because the SRX5308 doesn't support L2TP; L2TP support is what made setting up an IPsec tunnel a breeze when Tim tried it with the Draytek 2130n.
I remain a fan of NETGEAR's SSL VPN solution (check the FVS336G review for details). It's a no-brainer. You just enter a user name and password as an SSL VPN user on the SRX and you're good to go. There are no encryption or authentication options, no software to install on the PC, and it just works.
With Dynamic DNS configured on the WAN port, all you have to do is browse to https://(your Dynamic DNS domain) and enter the SSL VPN username and password. While on a recent business trip, I was able to access my network via the NETGEAR SSL VPN from the airport and my hotel many miles away from home.
The SRX supports SSL VPN connections using IE, Opera, Netscape Navigator, Mozilla, and Firefox running on Windows 2000 / XP / Vista / Windows 7 (32- and 64-bit) and Mac OS X 10.4+ operating systems. Note that there is no SSL or IPsec support for any Linux-based OSes.
Firewall and Bandwidth Controls
There are eight submenus in the Security menu: Services, Schedule, Firewall, Address Filter, Port Triggering, UPnP, Bandwidth Profile, and Content Filtering.
The Services menu allows for defining TCP/UDP/ICMP traffic flows, which can then be permitted or denied through the firewall. The Schedule menu allows for creating three different Time of Day and Time of Week schedules for applying traffic profiles.
Traffic profiles are created in the QoS Profile and Bandwidth Profile menus. QoS Profiles allow you to define traffic marking for prioritization of traffic such as VoIP. Bandwidth Profiles allow you to define bandwidth limits for specific types of traffic, such as FTP or web surfing.
Services, Schedules, QoS Profiles and Bandwidth Profiles are used to create each Firewall rule via the Firewall menu. In this menu, Services can be permitted or denied on inbound or outbound traffic flows between the WAN, LAN, and DMZ interfaces.
Figure 12 has a screenshot of a rule I created to allow inbound traffic. This rule uses a Service I created called iperf to permit inbound TCP port 5001 traffic from the WAN to go to a PC with IP address 192.168.1.4. (In other routers, this could be called a port forwarding rule.)
Figure 12: Firewall rules
Address Filtering adds another measure of traffic control, providing the ability to control traffic by MAC address. Port Triggering is a way to dynamically open inbound ports in response to outbound traffic.
Figure 13 shows a port triggering rule for SIP-based VoIP calling. A SIP device will send out periodic SIP messages, typically to port 5060. When the SIP device sends an outbound message to port 5060, this rule triggers the firewall to open ports 1-65535 (all) for incoming traffic to that SIP device. I've found this to be a useful firewall rule in many routers to resolve one-way calling or no-audio issues for VoIP traffic.
Figure 13: Port triggering rules
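To make the difference between the two inbound-access mechanisms concrete, here is an added Python model (written for this page, not NETGEAR firmware or any SRX code) of the static iperf forwarding rule from Figure 12 and the SIP port-triggering rule from Figure 13. The model evaluates constructed packets against both, and its `exposure()` method lists which LAN hosts are reachable from the WAN at a given moment, which is the check a practitioner wants before deploying a 1-65535 trigger. The trigger timeout and the precedence of static rules over triggered openings are assumptions of the model, not documented SRX behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Service:
    """A Services-menu entry: protocol plus a destination port range."""
    name: str
    proto: str            # "TCP", "UDP" or "ANY"
    port_lo: int
    port_hi: int

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("ANY", proto) and self.port_lo <= port <= self.port_hi


@dataclass(frozen=True)
class Rule:
    """A static inbound WAN->LAN firewall rule built from a Service."""
    service: Service
    action: str           # "ALLOW" or "BLOCK"
    send_to: str = ""     # LAN host that ALLOWed traffic is forwarded to


@dataclass(frozen=True)
class Trigger:
    """Port triggering: outbound traffic to out_port from a LAN host opens
    inbound ports in_lo..in_hi back to that host for `timeout` seconds.
    The timeout is an assumption of this model, not an SRX default."""
    name: str
    proto: str            # applies to both the outbound trigger and inbound opening
    out_port: int
    in_lo: int
    in_hi: int
    timeout: int = 300


@dataclass
class Firewall:
    rules: List[Rule]
    triggers: List[Trigger]
    # (lan_host, trigger_name) -> expiry time of the dynamic opening
    armed: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def outbound(self, src_host: str, proto: str, dport: int, now: int) -> None:
        """Record outbound traffic and arm any trigger whose outbound port it hits."""
        for t in self.triggers:
            if t.proto in ("ANY", proto) and t.out_port == dport:
                self.armed[(src_host, t.name)] = now + t.timeout

    def inbound(self, proto: str, dport: int, now: int) -> Tuple[str, str, str]:
        """Decide an inbound WAN packet: returns (action, lan_host, reason)."""
        # Static rules first (model assumption); first match wins.
        for r in self.rules:
            if r.service.matches(proto, dport):
                host = r.send_to if r.action == "ALLOW" else ""
                return (r.action, host, f"rule:{r.service.name}")
        # Then dynamic openings created by port triggering, dropping expired ones.
        for (host, tname), expiry in list(self.armed.items()):
            if now >= expiry:
                del self.armed[(host, tname)]
                continue
            t = next(x for x in self.triggers if x.name == tname)
            if t.proto in ("ANY", proto) and t.in_lo <= dport <= t.in_hi:
                return ("ALLOW", host, f"trigger:{tname}")
        return ("BLOCK", "", "default")

    def exposure(self, now: int) -> Dict[str, List[Tuple[int, int]]]:
        """LAN hosts currently reachable from the WAN and the port ranges open to each."""
        out: Dict[str, List[Tuple[int, int]]] = {}
        for r in self.rules:
            if r.action == "ALLOW":
                out.setdefault(r.send_to, []).append((r.service.port_lo, r.service.port_hi))
        for (host, tname), expiry in self.armed.items():
            if now < expiry:
                t = next(x for x in self.triggers if x.name == tname)
                out.setdefault(host, []).append((t.in_lo, t.in_hi))
        return out


def build_review_config() -> Firewall:
    """The two rules described in the review: the iperf forward and the SIP trigger."""
    iperf = Service("iperf", "TCP", 5001, 5001)
    return Firewall(
        rules=[Rule(iperf, "ALLOW", send_to="192.168.1.4")],
        triggers=[Trigger("SIP", "ANY", 5060, 1, 65535)],
    )


def demo() -> dict:
    """Walk constructed packets through the config; hosts and times are made up."""
    fw = build_review_config()
    results = {}
    results["iperf"] = fw.inbound("TCP", 5001, now=0)
    results["before_trigger"] = fw.inbound("UDP", 10000, now=0)   # no SIP traffic yet
    fw.outbound("192.168.1.20", "UDP", 5060, now=10)              # SIP phone registers
    results["rtp"] = fw.inbound("UDP", 10000, now=20)             # RTP audio now reaches the phone
    results["ssh_to_phone"] = fw.inbound("TCP", 22, now=20)       # ...and so does everything else
    results["exposure"] = fw.exposure(now=20)
    results["expired"] = fw.inbound("UDP", 10000, now=400)        # opening timed out
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `ssh_to_phone` case is the point of the model: once the trigger fires, the SIP device is reachable on every port, not only the RTP range, for as long as the opening stays armed. A narrower inbound range (the RTP ports the phone actually uses) gives the same one-way-audio fix with far less exposure.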
Also in the Security section, UPnP traffic can be permitted or denied, and there is a basic Content Filter. The SRX's Content Filter will block web browsing technologies including Proxy Servers, Java, ActiveX and Cookies. In addition, user-defined keywords and domains can be blocked. Users surfing to a website with a blocked browsing technology, keyword, or domain will receive a “Blocked by NETGEAR” message.
I ran a port scan on the SRX to see if there were any open ports other than the ones I had intentionally opened. An Nmap port scan on a WAN interface of the router only showed port 443 open, which is expected since it is used for SSL VPN connections. Nmap also indicated the SRX is running on a Linux 2.6 kernel.
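The scan above is a one-off check; the added Python script below (written for this page, not part of the review or of Nmap) turns it into a repeatable one by parsing a saved Nmap normal-format report and diffing the open ports against the list you intended to open. The report text is a constructed sample standing in for a scan of the router's WAN address (203.0.113.10 and the port states are made up); it includes a forgotten 5001/tcp forward so the check has something to flag.

```python
import re
from typing import List, Set, Tuple

# Constructed sample of Nmap normal-format output (not a real scan).
SAMPLE_SCAN = """\
Nmap scan report for 203.0.113.10
Host is up (0.0020s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
80/tcp   closed http
443/tcp  open   https
5001/tcp open   commplex-link
Device type: general purpose
Running: Linux 2.6.X
"""

# One port line: "443/tcp  open   https"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)")


def parse_ports(report: str) -> List[Tuple[str, str, str]]:
    """Return (port/proto, state, service) for every port line in the report."""
    found = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            found.append((f"{m.group(1)}/{m.group(2)}", m.group(3), m.group(4)))
    return found


def open_ports(report: str) -> Set[str]:
    """Ports Nmap reported as open (or open|filtered, which deserves a look too)."""
    return {port for port, state, _ in parse_ports(report) if state.startswith("open")}


def unexpected_open(report: str, allowed: Set[str]) -> Set[str]:
    """Open ports that are not on the allowlist of intentionally exposed ports."""
    return open_ports(report) - allowed


def os_guess(report: str) -> str:
    """Nmap's OS fingerprint line, if the scan produced one."""
    for line in report.splitlines():
        if line.startswith("Running:"):
            return line.split(":", 1)[1].strip()
    return ""


if __name__ == "__main__":
    # Only the SSL VPN listener is meant to be exposed on the WAN.
    intended = {"443/tcp"}
    extra = unexpected_open(SAMPLE_SCAN, intended)
    print("open:", sorted(open_ports(SAMPLE_SCAN)))
    print("unexpected:", sorted(extra) or "none")
    print("OS guess:", os_guess(SAMPLE_SCAN))
```

Feed it a real report with `nmap -oN wan.txt <wan-address> ` (an Nmap option that writes normal output to a file) and keep the `intended` set in sync with the firewall rules; a port forward that was meant to be temporary, like the iperf rule from Figure 12, shows up as a diff instead of being rediscovered by someone else.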
The SRX's port 4 can be configured as a DMZ port by simply clicking a checkbox. This works identically to the FVS318G's port 8, including the indicator light that illuminates when the DMZ port is enabled.
Although not part of the Security menu, authenticating users is a key element of network security. The SRX5308 supports user authentication via a Local Database (stored on the router) or over a network via RADIUS, WIKID, MIAS, NT Domains, Active Directory and LDAP.
Finally, the SRX supports writing log entries over a network to a syslog server and automatically emailing log files to an email address you specify. Further, the SRX can be configured to communicate to a network management system via SNMP.