DrayTek
  Vigor 2955 SSL VPN Firewall   SME  
DrayTek Vigor 2955
  • High Performance Firewall Router
  • VPN - Up to 200 concurrent IPSEC tunnels
  • 20,000 NAT/Firewall Sessions - New
  • SSL VPN - Proxy & Full Tunnelling - New
  • Mobile One-Time Passwords for VPN
  • 3G Modem Support for connectivity/failover - New
  • Dual-WAN - Two Ethernet + 3G Option - New
  • Load Balancing & Failover between WAN ports
  • VPN Bonding (Trunking) - Increase VPN bandwidth - New
  • QoS (Quality of Service) Assurance
  • Web Content Filtering - New
  • Five Gigabit Ethernet LAN ports
  • Traffic Graphs & Session Monitors - New
  • SmartMonitor Activity/Traffic Logging - New
  • Optional VigorCare Available

Overview

Vigor 2955 SSL VPN Firewall & Load Balancer

The Vigor 2955 combines Internet security with dual-WAN load balancing and SSL VPN Termination, as well as comprehensive support for traditional IPSec VPNs. The Vigor 2955 provides high throughput, capacity and stability. VPN Encryption and authentication is all handled by a dedicated VPN co-processor, thus maintaining maximum router performance. The Vigor 2955 also provides high-security firewall options with both IP-layer and content based protection.

A USB port provides connectivity for a 3G Modem - Available from all cellular networks, your USB 3G 'dongle' can be used for Internet connectivity or backup/failover in the event of your primary Internet connection failing. The USB port can also be used to connect a printer - Connect a regular printer and all of your LAN users can print to it.

The Vigor 2955 also includes DrayTek's new Web Content Management System. this allows you to control what your users can access on the Internet, saving wated time and exposure to potentially damaging (infected) sites, or inappropriate web usage. DrayTek Web Content Filtering now features GlobalView Categoric Site blocking. For full details on DrayTek Web Content Filtering click here.

Dual WAN/3G

Dual-WAN Ports for Failover or Load Balancing

For Internet connectivity protection, the Vigor 2955 has two Ethernet WAN ports and a USB Interface for a 3G modem (dongle)) which can set to work together in failover mode (secondary ISP used if the primary ISP fails) or in load-balancing mode, where the two ISPs can share the Internet loading. Specific rules can be set for routing traffic via specific WAN connections, or automatic balancing will make best use of resources. Instead of the secondary Ethernet WAN port, you can use a 3G cellular USB modem for WAN failover. Vigor 2955 Dual-WAN

A Vigor 2955 with a pair of Vigor 120 ADSL modems for load-balancing
With a Vigor 2955 and a pair of Vigor 120 modems, you can have a complete
load balancing or failover solution using multiple ADSL lines.

SSL VPN

SSL VPNs

VPNs (Virtual Private Networks) enable you to link two remote computers or networks securely using the public Internet. An encrypted tunnel is created to carry your private data between the two sites. Tunnels making use of PPTP, L2TP, AES and IPSec protocols have been available on Vigor routers for many years and provide a simple to set up solution for your site-to-site or teleworker VPNs. SSL VPNs provide a new method for teleworker to central site VPN, providing great convenience, low TCO and simplicity where other methods may not be possible.

The benefits of SSL VPNs

One potential drawback of using the above methods for a Teleworker-to-central site VPN is that they need compatiable protocol stacks at each end (e.g. an IPSec client or hardware) and most importantly those protocols need to be freely passed by your local host network. This isn't normally a problem where you own the computers and the network in use and you can install any client, software or hardware you choose, as well as allowing any traffic types you like. Where it can become a problem is where you are using someone else's computer or network where either you cannot use the O/S VPN client, or the host network blocks VPN protocols or makes them unreliable. This is most commonly a problem when using WiFi hotspots or other public Internet access methods (hotels, conference centres etc.).

SSL (Secure Sockets Layer) is the protocol used by all web browsers for accessing 'secure' web sites (banking etc.). SSL is supported by all web browsers, and as it is so commonly used, all hotspots and other public Internet will always allow SSL to pass through (whereas other VPN protocols may be blocked or have difficulty). By using the SSL protocol for your teleworker VPNs you have some real benefits:

Traditional VPN (e.g. AES/IPSecSSL VPN
Requires VPN Client or HardwareUses Standard Web Browser SSL
Support for popular O/S's onlyCompatible with all computers/browsers
Licence fees all for some vendor
client software (Not DrayTek though!)		No client licence fees
Requires user to operate VPN ClientNo special operator procedures.
Just use your web browser.
At OSI 'network' layerAt OSI 'session' layer
AES/DES/3DES EncryptionSSL Encryption
Full network access (unless filtered)Ability to easily restrict users to
specific web applications
Network Level Access as standard.Network level access via
DrayTel Active-X SSL Tunnel Plug-in
Teleworker or Site-to-Site (LAN-to-LAN)Teleworker-to-Host site only

Another advantage of web based SSL VPN is that your host Vigor router presents the user with his/her login page to the network within their browser and then can provide access only to the web based applications or local servers which you allow as opposed to a regular VPN which connects the user to the network directly for access to any resource which is accessible locally. No TCP/UDP ports have to be opened on your host router; if the user cannot login to the VPN, they won't get access. Remote user profiles can be stored within the router or integrated with an LDAP or Radius server.

As an SSL VPN uses your standard web browser, web based applications running at your office (webmail, Remote Desktop, Terminal Services, Intranet, Thin Clients etc.) work really well for this SSL VPN access method, which is called 'SSL Web Proxy' mode. In addition, by using the Vigor 2955 web proxy, you can browse external web sites via the tunnel, thus bypassing any local web site blocking policy at your current remote location (content filtering or local polcies). If you are familiar with 'port redirection' or 'open ports setup' on Vigor routers, SSL Proxy to your internal web services is very similar in concept to this except that the data passes through a secured tunnel, hence increasing security and privacy.

SSL VPNs beyond the Browser

Using the web browser for your remote access is great for accessing web-based applications (intranet, webmail, remote web desktop etc.) but it does not provide access to the actual network directly, for example for shared directory access, network resources or other applications which are not browser based. Only data or applications which are available in your web browser locally are available remotely via the SSL Proxy (see above).

For full network access, DrayTek provide a Java applet (a VPN client, effectively) which can transfer at the network layer, making a fully VPN tunnel. This is called SSL Tunnel mode. This plug-in is downloaded automatically by your browser from the host Vigor router when you log into the SSL VPN and select Tunnel mode. You are then fully connected to the remote network for direct network resource access. In this way, you are no longer limited to running web-based applications and can access shares and other network resources. As the soft client is Java based, not Activ-X, it is cross platform/browser compatible.

If you'd like to see just how easy it is to set up a DrayTek SSL VPN, Click Here.

 DrayTek SSL VPN ActiveX CLient

One-Time Passwords

One-Time Passwords

For teleworkers or remote users, they will typically have a password to log into your office VPN. That means that if they save the password on their PC, write it down or are seen typing it, your VPN and therefore your network is immediately compromised.

A single password provides just a single layer of security; only one fixed piece of information to crack, intercept or otherwise get hold of, and that piece requires only the user's memory. Once intercepted, an authorised person can log into your VPN whenever they wish. By introducing a second security factor, of a different type, you introduce a two-layer authentication. By different 'type' we mean that it cannot just be an extra password to remember; it has to be something that uses a method other than the user's memory.'

Authentication devices are now commonly used for online banking to provide a second layer of security; instead of just a password held in the user's head, they also require some other real-time method of credential generation. Most commonly that is a small keypad or display unit to be carried around.

With DrayTek Mobile One-Time Passwords (MOTP), instead of carrying around an extra device, you install a program on your mobile phone and that becomes your authentication device. When you initially install the MOTP applet, you create a relationship with your VPN host (router) by entering a unique authentication phrase into the router which the phone generates. You also select a secret PIN. After that, each time want to log into your VPN you enter your PIN into the phone and it generates your one-time password for that session.

In this way, you need both your phone and your PIN to connect the VPN so it is now a two-layer authentication method. Only your own phone will work (unless you pair another phone with the Vigor VPN server. ) Next time you connect, a different login password will be generated by your phone.

The One-Time Password program is Java based and can be installed on most modern cellular phones, including Nokia, Apple iPhone, Palm. The One-Time Password feature can be used for any type of teleworker dial-in VPN - SSL, IPSec, L2TP or PPTP. There is no cost for the phone applet and it can be downloaded directly to the phone if your phone has Internet access.

DrayTek Mobile One-Time Password

DrayTek Mobile One-Time Passwords

VPN Bonding

VPN Bonding (Trunking)

VPN Trunking (or Bonding) )is the facility to create more than one VPN tunnel to the same remote location in order to provide either increased bandwidth between the two sites (load balancing) or resilience (failover) in the event that one tunnel/connection is interrupted. The Vigor 2955 supports both Failover and Load Balancing modes for VPN Trunks.

The Vigor 2955 already supports load balancing to the Internet using its dual-WAN ports. VPN trunking enables two tunnels to be created (one through each WAN connection) to the same remote location. This creates a single virtual tunnel, as far as the traffic and LAN devices/clients are concerned so you truly have the full bandwidth available across the VPN.

DrayTek VPN Trunking

In the diagram above, you can see a single virtual tunnel as far as the LAN at each end is concerned. Within the router, two WAN connections are being used with each router, across which the VPN tunnel can be spread, increasing total capacity and/or redundancy (for failover).

3G

3G Cellular Data Features

The Vigor 2955's USB port can host a compatible 3G modem or cellphone for access to the cellular network for full Internet Access. Most UK networks now provide high speed HSDPA data connections at up to 3.6Mb/s download speed (and later maybe up to 7Mb/s)). The 3G connection can be used as your primary/only Internet access, or as backup to your main ADSL line connection. This is not only ideal for homes or offices which don't want to pay fixed line + broadband rental, but also for temporary locations, or those to where fixed lines aren't available.

With the Wireless LAN equipped models of the Vigor 2820 series, your local users can be connected wirelessly to the router, so instant free 'hotspots' can be deployed quickly and easily. Mains power is required for the router's PSU, but this could be from a mobile generator or equivalent so you need to plan for this.

Supported 3G Modems / Phones

  • Huawei E156G
  • Huawei E160 / E / X / G
  • Huawei E169 / G
  • Huawei E170
  • Huawei E172
  • Huawei E180
  • Huawei E220
  • Huawei E226
  • Huawei E230
  • Huawei E270
  • Huawei E272
  • Huawei E1550
  • Vodafone K3565 / K3565-H (not K3565-z)
  • Vodafone K3520 / K3520-H (not K3520-z)
  • Vodafone K3760
  • T-Mobile 110
  • T-Mobile Web'n'walk Stick III
  • Nokia N70
  • Nokia N95
  • Nokia 6233
  • Nokia N73
  • Nokia E65
  • Novatel MC950D
  • Novatel MC930D
  • Option Globesurfer iCon 7.2
  • Option Globesurfer iCon 225
  • Sierra Aircard 876u
  • Sierra 875U
  • Sierra 885
  • Telstra HSDPA USB Modem
  • 4G System XSPlug P3
  • MomoDesign MD-@
  • Benq EF91
  • LG U8380
  • Telstra Next G 3G USB
  • Bandrich Bandluxe C100
  • Bandrich Bandluxe C100S
  • Bandrich Bandluxe C120
  • Amoi H01
  • Aiko 76E
  • BigPond Next G
  • C-Motech D-50
  • ASUS T500 Modem
  • Zapp Telemodem Z020
  • ZTE AC8700 3G
  • ZTE MF622
  • ZTE MF627
  • Additional Modem Support is added continuously or you can request specific models by following the Instructions Here.

A USB connection cable is required for your phone (not supplied).

   3G Modems for the DrayTek Vigor 2820 compatible with Vodafone, 3, Orange, T-Mobile and O2

The Vigor 2955 and 3G cellular modem setup is ideal for:

  • Backup to your primary Internet feed (ADSL, cable etc.)
  • Providing lower cost broadband than a fixed line solution
  • Areas without fixed line broadband access
  • Compatible with a wide range of 3G modems/phones
  • Temporary Locations
  • Mobile Homes
  • Locations on the move - coaches, trains
  • Fairgrounds & temporary exhibitions
  • Outdoor locations (the router and modem itself must be indoors!)
  • Disaster Planning & High Availability

Vigor2820 with 3G Modem

Vigor 2910 at an outdoor cafe Vigor 2910VG on a bus
Example Use : Installation in a mobile café or moving bus

There is more information about DrayTek 3G solutions here.

Note: DrayTek have no control over local network/provider operations, changes in network facilities/tarrifs nor make any claim over specific network compatibility. Please assure yourself that the router will be compatible with your chosen cellular network and provider and that you have adequate signal coverage before committing to any contract term. Please also ensure that your chosen provider and the tariff allows access to all of your required applications (e.g. VPN, VoIP, Messaging etc.) as many packages exist, some blocking certain data types.

Specification

Vigor 2955 Specification

  • Load Balancing featuring:
    • Two dedicated Ethernet WAN Ports (10/100Mb/s)
    • WAN Failover or Load-Balanced Connectivity
    • Service/IP Based Preference Rules or auto-weight
  • Total WAN Throughput up to 90Mb/s
  • Five Gigabit Ethernet LAN Ports (10/100/1000 Mb/s)
  • High-Security Firewall with Stateful Packet Inspection (SPI)
  • Robust TCP/IP Stack with Selectable DoS/DDos Protection
  • LAN Mirroring & Monitoring Port (Ethernet Port No. 5)
  • Compatible with DrayTek SmartMonitor
  • QoS (Quality of Service) Assurance:
    • Set Priority or Reserved Bandwidth on WAN traffic
    • Set by traffic type, client or destinaton IP
    • DiffServ Codepoints (IP Precedence, AF Class, EF Class )
    • Limit sessions / Bandwidth Limit per user
  • High Capacity VPN Concentrator featuring:
    • Dedicated VPN Co-Processor for encryption/authentication
    • VPN Throughput up to 50Mb/s
    • Up to 200 Simultaneous IPSECTunnels
    • Dial-in or dial-out, LAN-to-LAN or Teleworker-to-LAN
    • Protocol support for PPTP, L2TP, IPSec
    • MD-5 & SHA-1 Hardware-Based Authentication
    • Encryption : MPPE, DES/3DES & AES
    • PFS (Perfect Forward Secrecy) - Adds additional key protection
    • Pre-shared/IKE keying & PKI (X.509) certificate support
    • SSL VPN Host for remote clients (up to 50 simultaneously)
    • SSL VPN Encryption Modes : 
    • IKE Phase 1 Agressive/Standard Modes & Phase 2 Selectable lifetimes
    • Dead Peer Detection (DPD) and NAT-Traversal (NAT-T)
    • Local, Radius and LDAP profiles for dial-in teleworker profiles
    • No additional client or remote site licencing required
    • Smart-VPN Software Utility provided for teleworker convenience (Windows)
    • Compatible with other leading 3rd party vendor VPN devices
  • Internet CSM (Content Security Management) featuring:
    • URL Keyword Filtering - Whitelist or Blacklist specific sites or keywords in URLs
    • DrayTek GlobalView Support - Block web sites by category (subject to subscription)
    • Prevent accessing of web sites by using their direct IP address (thus URLs only)
    • Blocking automatic download of Java applets and ActiveX controls
    • Blocking of web site cookies
    • Block http downloads of file types (binary, compressed, multimedia):
    • Time Schedules & exclusions for enabling/disabling these restrictions
    • Block P2P (Peer-to-Peer) file sharing programs (e.g. Kazza, WinMX etc. )
    • Block Instant Messaging programs (e.g. IRC, MSN/Yahoo Messenger)
  • QoS (Quality of Service) Assurance:
    • User-Defined Class-Based Rules
    • DiffServ Codepoint Classifying
    • 4 Priority Levels (Inbound/Outbound)
    • Bandwidth Borrowing
    • Individual IP Bandwidth/Session Limitation
  • VLAN Blocking across LAN Ethernet ports
  • Flexible DHCP with 'IP-MAC Binding'
  • Enhanced DHCP Options (66 & 60)
  • PPPoE Client and Static/Dynamic WAN IP modes
  • NAT, Multi-NAT & Flexible Mapping/Forwarding
  • Up to 20,000 simultaneous NAT Sessions supported
  • Comprehensive Diagnostics & Reporting
  • Real Time Data Flow Monitor, with instant block
  • Rack Mountable (Brackets supplied) & Integral Power Supply
  • Warranty : 2 Years Manufacturer's RTB included

Screenshots

Screenshots

Live Web Interface Demo

©2010. Reproduction prohibited without written permission. Specification subject to change at any time without notice. E&OE. All sales are subject to standard terms. Trademarks are acknowledged of their respective owners. No specific endorsement is implied by the mention of any particular service provider.