DrayTek
  Vigor 2950 High Performance Firewall   SME  
  • High Performance Firewall Router
  • VPN - Up to 200 concurrent tunnels
  • SSL VPN
  • Load Balancing & Failover between WAN ports
  • DoS/DDoS Protection & Stateful Packet Inspection
  • VPN Trunking - Increase VPN bandwidth - New
  • QoS (Quality of Service) Assurance
  • Parental Control/Categorical Web Site Filtering
  • Web Content Filtering
  • Five Gigabit Ethernet LAN ports
  • Weekly Traffic Graphing/Reporting

Overview

Vigor 2950 High-Performance Firewall

The Vigor 2950 Security Firewall combines Internet security, high throughput and high-capacity VPN capabilities. For remote teleworkers and inter-office links, the Vigor 2950 can support up to 200 simultaneous VPN tunnels. Encryption and authentication are all handled by a dedicated VPN co-processor, thus maintaining maximum router performance. The Vigor 2950 also provides high-security firewall options with both IP-layer and content-based protection.

DrayTek Vigor 2950 LEDs
Two Megabit WAN Ports & Five Gigabit LAN Ports

Dual WAN

Dual-WAN Ports for Failover or Load Balancing

For Internet connectivity protection, the Vigor 2950 has two Ethernet WAN ports which can be used in failover mode (the secondary ISP is used if the primary ISP fails) or in load-balancing mode, where the two ISPs share the Internet load. Specific rules can be set for routing traffic via specific WAN connections, or automatic balancing will make best use of resources.

A Vigor 2950 with a pair of Vigor 120 ADSL modems for load-balancing
With a Vigor 2950 and a pair of Vigor 120 modems, you can have a complete load balancing or failover solution using multiple ADSL lines.

SSL VPN

SSL VPNs

VPNs (Virtual Private Networks) enable you to link two remote computers or networks securely using the public Internet. An encrypted tunnel is created to carry your private data between the two sites. Tunnels making use of PPTP, L2TP, AES and IPSec protocols have been available on Vigor routers for many years and provide a simple-to-set-up solution for your site-to-site or teleworker VPNs. SSL VPNs provide a new method for teleworker-to-central-site VPN, providing great convenience, low TCO and simplicity where other methods may not be possible.

The benefits of SSL VPNs

One potential drawback of using the above methods for a teleworker-to-central-site VPN is that they need compatible protocol stacks at each end (e.g. an IPSec client or hardware) and, most importantly, those protocols need to be freely passed by your local host network. This isn't normally a problem where you own the computers and the network in use and you can install any client, software or hardware you choose, as well as allowing any traffic types you like. It can become a problem when you are using someone else's computer or network, where either you cannot use the O/S VPN client, or the host network blocks VPN protocols or makes them unreliable. This is most commonly a problem when using WiFi hotspots or other public Internet access methods (hotels, conference centres etc.).

You may already have heard of SSL, and you have almost certainly used it. SSL (Secure Sockets Layer) is the protocol used by all web browsers for accessing 'secure' web sites. You will have used secure web sites whenever you have used your credit card online or accessed your banking web sites, for example. SSL is supported by all web browsers, and as it is so commonly used, all hotspots and other public Internet access methods will always allow SSL to pass properly. By using the SSL protocol for your teleworker VPN tunnel you therefore have some important benefits:

Traditional VPN (e.g. AES/IPSec) | SSL VPN
-------------------------------- | -------
Requires VPN Client or Hardware | Uses Standard Web Browser SSL
Support for popular O/S's only | Compatible with all computers/browsers
Licence fees for some vendor client software (Not DrayTek though!) | No client licence fees
Requires user to operate VPN Client | No special operator procedures. Just use your web browser.
At OSI 'network' layer | At OSI 'session' layer
AES/DES/3DES Encryption | SSL Encryption
Full network access (unless filtered) | Ability to easily restrict users to specific web applications
Network Level Access as standard. | Network level access via DrayTek Active-X SSL Tunnel Plug-in
Teleworker or Site-to-Site (LAN-to-LAN) | Teleworker-to-Host site only

Another advantage of web-based SSL VPN is that your host Vigor router presents the user with a login page to the network within their browser and can then provide access only to the web-based applications or local servers which you allow. A regular VPN, by contrast, connects the user to the network directly, with access to any resource which is accessible locally. No TCP/UDP ports have to be opened on your host router; if the user cannot log in to the VPN, they won't get access.

As mentioned previously, an SSL VPN uses your standard web browser, so it works really well for web-based applications running at your office (webmail, Intranet, Thin Clients etc.). This access method is called 'SSL Web Proxy' mode. A very common application for SSL VPN is remote desktop. By using the Windows 'Remote Desktop Web Connection', your office desktop will be accessible from your web browser wherever you are and whoever's computer you're using. In addition, by using Vigor web proxy, you can browse external web sites via the tunnel, thus bypassing any local web site blocking policy (content filtering or local policies). If you are familiar with 'port redirection' or 'open ports setup' on Vigor routers, SSL Proxy to your internal web services is very similar in concept, except that the data passes through a secured tunnel, hence increasing security and privacy.

SSL VPNs beyond the Browser

Using the web browser for your remote access is great for accessing web-based applications (intranet, webmail, remote web desktop etc.) but it does not provide access to the actual network directly, for example for shared directory access, network resources or other applications which are not browser based. Only data or applications which are available in your web browser locally are available remotely via the SSL Proxy (see above).

For full network access, DrayTek provide an Active-X Tunnel plug-in (a VPN client, effectively) which can transfer at the network layer, making a full VPN tunnel. This is called SSL Tunnel mode. This plug-in is downloaded automatically by your browser from the host Vigor router when you log into the SSL VPN and select Tunnel mode. You are then fully connected to the remote network for direct network resource access. In this way, you are no longer limited to running web-based applications and can access shares and other network resources.

DrayTek SSL VPN ActiveX Client

Microsoft SSTP

Microsoft has developed its own version of SSL VPN called 'SSTP' (Secure Socket Tunnelling Protocol), which is supported by Windows Vista. DrayTek Corp. has signed a licensing agreement with Microsoft to develop SSTP capability on its firewalls/routers. The ETA for the Vigor2950 SSTP firmware is Q4/08.

VPN Trunking

VPN Trunking is the facility to create more than one VPN tunnel to the same remote location in order to provide either increased bandwidth between the two sites (load balancing) or resilience (failover) in the event that one tunnel/connection is interrupted. The Vigor 2950 supports both Failover and Load Balancing modes for VPN Trunks.

The Vigor 2950 already supports load balancing to the Internet using its dual-WAN ports. VPN trunking enables a tunnel to be created down each WAN connection to the same remote location, creating a single virtual tunnel as far as the traffic and LAN devices/clients are concerned.

DrayTek VPN Trunking

In the diagram above, you can see a single virtual tunnel as far as the LAN at each end is concerned. Within each router, two WAN connections are being used, across which the VPN tunnel can be spread, increasing total capacity and/or redundancy (for failover).

Specification

Vigor 2950 Specification

  • Load Balancing featuring:
    • Two dedicated Ethernet WAN Ports (10/100Mb/s)
    • WAN Failover or Load-Balanced Connectivity
    • Service/IP Based Preference Rules or auto-weight
  • Total WAN Throughput up to 90Mb/s
  • Five Gigabit Ethernet LAN Ports (10/100/1000 Mb/s)
  • High-Security Firewall with Stateful Packet Inspection (SPI)
  • Robust TCP/IP Stack with Selectable DoS/DDoS Protection
  • LAN Mirroring & Monitoring Port (Ethernet Port No. 5)
  • High Capacity VPN Concentrator featuring:
    • Dedicated VPN Co-Processor for encryption/authentication
    • VPN Throughput up to 50Mb/s
    • Up to 200 Simultaneous Tunnels
    • Dial-in or dial-out, LAN-to-LAN or Teleworker-to-LAN
    • Protocol support for PPTP, L2TP, IPSec
    • MD-5 & SHA-1 Hardware-Based Authentication
    • Encryption : MPPE, DES/3DES & AES
    • PFS (Perfect Forward Secrecy) - Adds additional key protection
    • Pre-shared/IKE keying & PKI (X.509) certificate support
    • IKE Phase 1 Aggressive/Standard Modes & Phase 2 Selectable lifetimes
    • Dead Peer Detection (DPD) and NAT-Traversal (NAT-T)
    • RADIUS Support for dial-in teleworker profiles
    • No additional client or remote site licensing required
    • Smart-VPN Software Utility provided for teleworker convenience (Windows)
    • Compatible with other leading 3rd party vendor VPN devices
  • Internet CSM (Content Security Management) featuring:
    • URL Keyword Filtering - Whitelist or Blacklist specific sites or keywords in URLs
    • Surfcontrol Support - Block web sites by category (subject to subscription)
    • Prevent accessing of web sites by using their direct IP address (thus URLs only)
    • Blocking automatic download of Java applets and ActiveX controls
    • Blocking of web site cookies
    • Block HTTP downloads of file types (binary, compressed, multimedia)
    • Time Schedules & exclusions for enabling/disabling these restrictions
    • Block P2P (Peer-to-Peer) file sharing programs (e.g. Kazaa, WinMX etc.)
    • Block Instant Messaging programs (e.g. IRC, MSN/Yahoo Messenger)
  • New DrayOS Version 3 Operating System including new object-based Firewall
  • QoS (Quality of Service) Assurance:
    • User-Defined Class-Based Rules
    • DiffServ Codepoint Classifying
    • 4 Priority Levels (Inbound/Outbound)
    • Bandwidth Borrowing
    • Individual IP Bandwidth/Session Limitation
  • VLAN Blocking across LAN Ethernet ports
  • Flexible DHCP with 'IP-MAC Binding'
  • PPPoE Client and Static/Dynamic WAN IP modes
  • NAT, Multi-NAT & Flexible Mapping/Forwarding
  • Up to 15,000 simultaneous NAT Sessions supported
  • Comprehensive Diagnostics & Reporting
  • Real Time Data Flow Monitor, with instant block
  • Rack Mountable (Brackets supplied) & Integral Power Supply
  • Warranty : 2 Years Manufacturer's RTB included

©2009. Reproduction prohibited without written permission. Specification subject to change at any time without notice. E&OE. All sales are subject to standard terms. Trademarks are acknowledged of their respective owners. No specific endorsement is implied by the mention of any particular service provider.