Overview

Vigor 2950 High-Performance Firewall

The Vigor 2950 Security Firewall combines Internet security, high throghput and high capacity VPN capabilities. For remote teleworkers and inter-office links, the Vigor 2950 can support up to 200 simultaneous VPN tunnels. Encryption and authentication is all handled by a dedicated VPN co-processor, thus maintaining maximum router performance. The Vigor 2950 also provides high-security firewall options with both IP-layer and content based protection.

Two Megabit WAN Ports & Five Gigabit LAN Ports

Dual WAN

Dual-WAN Ports for Failover or Load Balancing

For Internet connectivity protection, the Vigor 2950 has two Ethernet WAN ports which can be used in failover mode (secondary ISP used if the primary ISP fails) or in load-balancing mode, where the two ISPs can share the Internet loading. Specific rules can be set for routing traffic via specific WAN connections, or automatic balancing will make best use of resources

With a Vigor 2950 and a pair of Vigor 100 modems, you can have a complete
load balancing or failover solution using multiple ADSL lines.

SSL VPN

SSL VPN

DrayTek routers' traditional VPN methods (for example IPSEC) provide reliable and secure access between branches, head offices or teleworkers. A remote client can connect using a computer's software VPN client or another VPN capable router. This uses IPSec, PPTP, 3DES, AES etc. This works well for site locations which you operate, or homes/offices where you can choose the hardware, but cannot be used on public computers (e.g. Internet Cafes) where you cannot install additional hardware/clients or the configuration has been firewalled/locked down.

SSL (Secure Socket Layer) is the encryption system used for Secure web sites; the method which makes the padlock symbol appear on web sites. As secure web sites are so commonly used by all users, they are always allowed (not blocked) by web cafes, wireless hotspots, hotels or other public access points. Therefore, SSL can be used where regular VPN methods are blocked and doesn't require any client configuration or hardware changes.

SSL Web Proxy

In its simplest implementation, DrayTek's SSL VPN lets you open your web browser at your remote location and enter the IP address, URL or DDNS name or your head office (where the Vigor2950 is installed). The padlock symbol appears in your browser to show that the page and communication will be encrypted. You enter your username and password which has been set up for you on the Vigor. Once you have been verified, the Vigor will display to the remote user a list of permitted web-based services (e.g. your company Intranet, internal webmail etc). This type of connection is very easy to set up and is called a 'clientless' connection as no VPN client software is needed; it's just using your web browser to access web services on your remote network.

SSL Tunnel SSL Web Proxy (above) works really well for web based services (those you view normally in your web browser), but more commonly your remote access will be used for remote desktop, directory shares, mail server access or other IP based applications. For this, the Vigor provides a full SSL tunnel at the 'sockets' layer. This is an ActiveX component, automatically downloaded by your web browser from the Vigor. Once downloaded, your PC creates a full tunnel between your PC and the remote (host) network. Across this you can run all of your normal IP services. It's still using SSL (SSL 3.0 128 bit encryption), so should pass through all public firewalls, NAT systems or other impediments.

The difference between SSL Web Proxy and SSL Tunnel

To help understand the difference between SSL Web Proxy and SSL Tunnel, imagine that you have an internal web server running on your head office LAN. This is a private web server for staff use only (an Intranet, not for general public access). Clients within the HQ can access the Intranet locally. Regular VPN (PPTP/IPSec) users can access the web server through their VPN.

The remote user (say, in a web cafe) can access the web server securely using SSL Web Proxy. He would do so within his web browser, using a URL in the form https://myoffice.com/webproxy/192.168.1.10. That isn't an actual working example as the actual URL is generated by the web proxy system automatically after you log in, however note that the actual secure site address is the WAN IP address or URL of your head office (myoffice.com in this example).

You can also use the SSL tunnel method to access the same internal web server at your head office. The difference is that with a full SSL tunnel your browser automatically downloads and installs the Vigor ActiveX client which creates a SSL layer tunnel. Once done, you can access remote resources at your head office by their actual IP address, not a proxy. If its the same web server as above, this means you can now browse directly to http://192.168.1.10.

Advantages of DrayTek SSL VPN

• Very easy to setup and deploy
• No VPN client installation/setup required
• Works in public Internet access locations (e.g. hotspots, Internet Cafes)
• Passes through firewalls or NAT systems which block regular VPN methods
• SSL Web Proxy mode creates tunnel directly to your remote HTTP based servers (e.g. Intranet)
• Allows you to access sites via your HQ which might be blocked via local connection
• SSL Tunnel provides automatic ActiveX component to connect to any remote LAN device
• Can be used on public/shared computers which needing to change their configuration

Specification

Vigor 2950 Specification

• Load Balancing featuring:
  • Two dedicated Ethernet WAN Ports (10/100Mb/s)
  • WAN Failover or Load-Balanced Connectivity
  • Service/IP Based Preference Rules or auto-weight
• Total WAN Throughput up to 90Mb/s
• Five Gigabit Ethernet LAN Ports (10/100/1000 Mb/s)
• High-Security Firewall with Stateful Packet Inspection (SPI)
• Robust TCP/IP Stack with Selectable DoS/DDos Protection
• LAN Mirroring & Monitoring Port (Ethernet Port No. 5)
• High Capacity VPN Concentrator featuring:
  • Dedicated VPN Co-Processor for encryption/authentication
  • VPN Throughput up to 50Mb/s
  • Up to 200 Simultaneous Tunnels
  • Dial-in or dial-out, LAN-to-LAN or Teleworker-to-LAN
  • Protocol support for PPTP, L2TP, IPSec
  • MD-5 & SHA-1 Hardware-Based Authentication
  • Encryption : MPPE, DES/3DES & AES
  • PFS (Perfect Forward Secrecy) - Adds additional key protection
  • Pre-shared/IKE keying & PKI (X.509) certificate support
  • IKE Phase 1 Agressive/Standard Modes & Phase 2 Selectable lifetimes
  • Dead Peer Detection (DPD) and NAT-Traversal (NAT-T)
  • Radius Support for dial-in teleworker profiles
  • No additional client or remote site licencing required
  • Smart-VPN Software Utility provided for teleworker convenience (Windows)
  • Compatible with other leading 3rd party vendor VPN devices
• Internet CSM (Content Security Management) featuring:
  • URL Keyword Filtering - Whitelist or Blacklist specific sites or keywords in URLs
  • Surfcontrol Support - Block web sites by category (subject to subscription)
  • Prevent accessing of web sites by using their direct IP address (thus URLs only)
  • Blocking automatic download of Java applets and ActiveX controls
  • Blocking of web site cookies
  • Block http downloads of file types (binary, compressed, multimedia):
  • Time Schedules & exclusions for enabling/disabling these restrictions
  • Block P2P (Peer-to-Peer) file sharing programs (e.g. Kazza, WinMX etc. )
  • Block Instant Messaging programs (e.g. IRC, MSN/Yahoo Messenger)
• New DrayOS Version 3 Operating System including new object-based Firewall
• QoS (Quality of Service) Assurance:
  • User-Defined Class-Based Rules
  • DiffServ Codepoint Classifying
  • 4 Priority Levels (Inbound/Outbound)
  • Bandwidth Borrowing
  • Individual IP Bandwidth/Session Limitation
• VLAN Blocking across LAN Ethernet ports
• Flexible DHCP with 'IP-MAC Binding'
• PPPoE Client and Static/Dynamic WAN IP modes
• NAT, Multi-NAT & Flexible Mapping/Forwarding
• Up to 15,000 simultaneous NAT Sessions supported
• Comprehensive Diagnostics & Reporting
• Real Time Data Flow Monitor, with instant block
• Rack Mountable (Brackets supplied) & Integral Power Supply
• Warranty : 2 Years Manufacturer's RTB included

Screenshots

Screenshots

Live Web Interface Demo

Comparison

Router Comparison Chart

The above comparison chart is provided for approximate guidance; please refer to the full specification of each model for the exact product capabilities. E&OE. ©2008