  VigorPro 5510 UTM Firewall with Anti-Virus & Anti-Spam (Enterprise)
  • Anti-Virus, Anti-Intrusion & Anti-Spam
  • Deep Packet Inspection with DrayTek MSSI™
  • Load Balancing & Failover between WAN ports
  • Intrusion Detection & Prevention (Inline, Realtime)
  • DoS/DDoS Protection & Stateful Packet Inspection
  • VPN - Up to 200 concurrent tunnels
  • 3G (Cellular) USB modem connectivity for WAN backup
  • QoS (Quality of Service) Assurance
  • Parental Control/Categorical Web Site Filtering
  • Web Content Filtering
  • Five Gigabit Ethernet LAN ports

Overview

VigorPro 5510 Unified Security Firewall

The VigorPro Security Firewall featuring UTM (Unified Threat Management) protects your network from threats at the point of entry. Combined with your own prudent personnel policy, the VigorPro enables you to provide far stronger protection and detection than simpler firewalls can. VPN facilities also make the VigorPro ideal for worldwide connectivity for remote offices and teleworkers.

The VigorPro also provides two WAN ports, allowing load balancing/bandwidth aggregation across two separate WAN feeds, or use of the secondary WAN port as a backup on another feed in case your first Internet feed (e.g. broadband connection) fails. In summary, the VigorPro provides your network with far greater security, productivity and resilience.

In Depth

The VigorPro Security Firewall features UTM (Unified Threat Management), protecting your network from many types of threat at the point of entry. In this document we explain some of the threats your network faces, and how the VigorPro helps defeat them.

Unified Threat Management

The online world is more extensive, useful and busy than ever, but with such ease of propagation, those with malicious intent have a far bigger playing field with a greater variety and number of targets. A threat may not cause any damage, but it is something you always want to avoid. There are various reasons why threats exist: some are deliberate, others not. All threats to your network or systems fall into one or more of the following five threat categories, which are the reasons for the threat existing (excluding circumstances where you deliberately stop or compromise your own network):

The Five Network Threats

  1. Malicious
  2. Mischievous
  3. Fraudulent
  4. Consequential
  5. Failure

Understanding each of the categories can be important in your network planning. Network border protection is just one aspect, and the one the VigorPro can help with (other protection includes physical security, such as door locks or alarms). The five categories can be described as follows:

  1. Malicious - Intended to cause loss, embarrassment or inconvenience for spite or commercial advantage.
  2. Mischievous - Intended to cause damage or inconvenience for notoriety, publicity, entertainment or to test/expose vulnerabilities.
  3. Fraudulent - Intended to obtain either financial/commercial advantage or access to privileged information.
  4. Consequential - Unintentional loss, effect, exposure or damage as a consequence of omission or other activity.
  5. Failure - The failure or loss of a system or connection.

The VigorPro provides many different types of threat detection and protection, each protection method covering one or more of the threat categories mentioned above. Later on, we'll give examples of how each VigorPro defence method protects against each category. Of course, border control is not the complete solution: any installation should be coupled with prudent staff/household policies to protect data and hardware physically too, but the VigorPro's extensive range of protection methods goes a long way towards protecting your network, data and resources.

Stateful Packet Inspection

In a plain routed connection, data passes freely from source to destination, across as many 'hops' as required. As most Internet protocols are reciprocal (or connection-oriented), reply packets are sent, either as acknowledgement that the data was received, or as the response requested in the originating packet. On a typical LAN, your PCs will not want to be left open to the outside world; an unsolicited and potentially harmful packet arriving at the WAN interface of your router should be blocked (discarded).

Note: If you are running a public service on a computer on your network, then you must allow unsolicited public access, but only on appropriate ports/services. For SPI here, we're referring only to PCs which are not intending to host public services.

In order to allow LAN users to access the Internet and receive replies to page requests (for example), the firewall needs to distinguish between solicited (requested) replies from the outside world, which are forwarded back to the LAN client, and incoming data which was not requested.
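The distinction the text draws between solicited replies and unsolicited inbound packets can be shown with a small state-table firewall. This is an added example, not DrayTek's code: it records LAN-initiated flows as a 5-tuple and admits inbound packets only when they match a recorded flow or a deliberately published service port (the case the Note above describes). The Packet type, the addresses and the published port are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed addresses: LAN is 192.168.1.0/24, WAN hosts use RFC 5737 documentation ranges.
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False
    fin: bool = False


class SPIFirewall:
    """Minimal stateful packet inspection: only LAN-initiated flows may receive
    inbound packets, plus explicitly published service ports."""

    def __init__(self, published_ports=()):
        # (server_ip, port) pairs that deliberately accept unsolicited traffic
        self.published = {(ip, port) for ip, port in published_ports}
        # (lan_ip, lan_port, wan_ip, wan_port, proto) of flows a LAN host opened
        self.flows = set()

    def handle(self, pkt: Packet) -> str:
        if pkt.src.startswith(LAN_PREFIX):
            # Outbound: remember the flow so that its replies can come back in.
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            if pkt.fin:
                self.flows.discard(key)   # LAN side closing: forget the flow
            else:
                self.flows.add(key)
            return "ALLOW"
        # Inbound from the WAN: look up the reversed tuple in the state table.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.flows:
            if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
                return "DROP"   # a bare SYN is a new connection attempt, never a reply
            return "ALLOW"      # solicited reply, forward to the LAN client
        if (pkt.dst, pkt.dport) in self.published:
            return "ALLOW"      # unsolicited, but to a deliberately published service
        return "DROP"           # unsolicited and unpublished: discard


def demo() -> list:
    """Run a constructed packet sequence through the firewall and return the decisions."""
    fw = SPIFirewall(published_ports=[("192.168.1.20", 80)])
    events = [
        Packet("192.168.1.10", 51000, "203.0.113.5", 443, syn=True),            # LAN client opens HTTPS
        Packet("203.0.113.5", 443, "192.168.1.10", 51000, syn=True, ack=True),  # solicited SYN/ACK
        Packet("198.51.100.7", 4444, "192.168.1.10", 445, syn=True),            # unsolicited probe
        Packet("198.51.100.7", 4444, "192.168.1.20", 80, syn=True),             # published web server
        Packet("203.0.113.5", 443, "192.168.1.10", 51000, syn=True),            # matching tuple, bare SYN
    ]
    return [fw.handle(p) for p in events]
```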

Deep Packet Inspection

Worms and viruses are typically contained within emails as attachments, but attachments are normally encoded in several different protocol layers for transport; each layer serves a specific purpose. Examining the raw data stream is not sufficient to detect hostile content, as it would not be recognisable: each encoding method changes the appearance of the data. The VigorPro's deep packet inspection technology breaks down the protocol layers beyond ISO Layer 4, up to Layer 7 (application). A standard firewall doesn't examine beyond layer 3/4. Decoding each encapsulation or encoding layer reveals the next, until eventually you have the raw data.

In a data stream there is firstly the transport layer itself: the TCP/IP packets, which consist of a header and, typically, a payload. At this layer (layers 3 & 4, according to convention), the VigorPro's DoS (Denial of Service) Protection examines and verifies the headers for any suspicious signatures or patterns, and stateful packet inspection and IP filtering will stop unauthorised packets, but in order to detect malicious content, the payload must be examined.

Only once the data stream has been decoded all the way down is the raw binary data visible, and any trojan or malicious code recognisable. In the case of email, for example, a virus/trojan might firstly be contained in a ZIP (compressed) format, then UUEncoded for 7-bit transport, then MIME encoded for email attachment, then transferred using the POP3 protocol. The example of an email containing a malicious attachment in a ZIP file is illustrated in the diagram below:

Deep Packet Inspection - VigorPro

The VigorPro will decode each of these sequential methods in real time using DrayTek's patent-pending MSSI™ (Multi-Stack Stateful Inspection). With MSSI™, separate protocol stacks take care of each layer, which allows for varied protocols and cross-packet inspection (where content is fragmented in transit). Most importantly, MSSI scans data inline in real time: there is no proxy and no file size limitation, and thanks to the dedicated CICP (Content Inspection Co-Processor), active scanning adds no processing overhead to the VigorPro's main CPU.
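The layer peeling described above (ZIP, then uuencode, then MIME) can be demonstrated in a few lines of Python. This is an added example and not DrayTek's code or MSSI: it wraps a constructed file around a made-up signature string, then shows that a scanner looking at the wire bytes finds nothing, while decoding each layer in turn exposes the raw file. The signature, the payload, the file names and the MIME headers are all constructed for illustration.

```python
import binascii
import io
import zipfile

# Constructed stand-ins: a fake signature and a fake executable body (not real malware).
SIGNATURE = b"CONSTRUCTED-TROJAN-SIGNATURE"
PAYLOAD = b"MZ\x90\x00 constructed executable body " + SIGNATURE + b" trailing bytes"


def build_attachment(payload: bytes) -> bytes:
    """Wrap a file the way the text describes: ZIP -> uuencode -> MIME part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", payload)
    zipped = buf.getvalue()
    # uuencode for 7-bit transport: at most 45 input bytes per output line.
    uu_lines = [b"begin 644 invoice.zip\n"]
    for i in range(0, len(zipped), 45):
        uu_lines.append(binascii.b2a_uu(zipped[i:i + 45]))
    uu_lines.append(b"`\nend\n")
    headers = (b'Content-Type: application/zip; name="invoice.zip"\r\n'
               b"Content-Transfer-Encoding: x-uuencode\r\n\r\n")
    return headers + b"".join(uu_lines)


def peel_layers(mime_part: bytes) -> bytes:
    """Decode MIME -> uuencode -> ZIP and return the raw file bytes."""
    header_blob, body = mime_part.split(b"\r\n\r\n", 1)
    headers = dict(line.split(b": ", 1) for line in header_blob.split(b"\r\n"))
    if headers.get(b"Content-Transfer-Encoding") != b"x-uuencode":
        raise ValueError("only x-uuencode is handled in this example")
    zipped = b""
    in_body = False
    for line in body.splitlines(keepends=True):
        if line.startswith(b"begin "):
            in_body = True
            continue
        if line.startswith(b"end"):
            break
        if in_body and line.strip() not in (b"", b"`"):
            zipped += binascii.a2b_uu(line)   # each line decodes to its own bytes
    with zipfile.ZipFile(io.BytesIO(zipped)) as zf:
        return b"".join(zf.read(name) for name in zf.namelist())


def shallow_scan(mime_part: bytes) -> bool:
    """What a layer 3/4 device sees: the encoded bytes on the wire."""
    return SIGNATURE in mime_part


def deep_scan(mime_part: bytes) -> bool:
    """Deep inspection: match against the fully decoded file."""
    return SIGNATURE in peel_layers(mime_part)
```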

In the above example, the trojan (or other malicious code) was contained in an email, but the VigorPro will also scan other common methods of transfer, including HTTP, FTP, SMTP and IMAP. If you are using the VigorPro to create VPN connections too, the scanning engine will scan within the VPN tunnels as well as regular Internet traffic.

The diagram on the right shows how cross-packet inspection allows the VigorPro to detect content even when it is broken up or interrupted by packet borders. The VigorPro's Deep Packet Inspection can defend against Network Threat Categories 1 to 5.

VigorPro Cross Packet Inspection
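The cross-packet case in the diagram can be reproduced with a stream scanner that reassembles TCP segments by sequence number and keeps the tail of the previous segment so a pattern straddling a border is still matched. This is an added example, not DrayTek's implementation: the signature string and the HTTP request are constructed, and the per-packet scanner is included only to show what is missed without reassembly.

```python
# Constructed stand-in for an intrusion/virus signature (not a real pattern).
SIGNATURE = b"CONSTRUCTED-EXPLOIT-PATTERN"


def per_packet_scan(segments) -> bool:
    """Naive scanner: inspects each TCP segment payload on its own."""
    return any(SIGNATURE in data for _seq, data in segments)


class StreamScanner:
    """Reassembles a TCP stream by sequence number and matches across segment borders."""

    def __init__(self, signature: bytes = SIGNATURE, initial_seq: int = 0):
        self.signature = signature
        self.expected = initial_seq   # next sequence number that can be consumed in order
        self.pending = {}             # out-of-order segments held until the gap closes
        self.carry = b""              # last len(signature)-1 bytes already consumed
        self.hit = False

    def feed(self, seq: int, data: bytes) -> bool:
        self.pending[seq] = data
        while self.expected in self.pending:
            chunk = self.pending.pop(self.expected)
            window = self.carry + chunk   # the carry lets a match straddle the border
            if self.signature in window:
                self.hit = True
            self.carry = window[-(len(self.signature) - 1):]
            self.expected += len(chunk)
        return self.hit


def segment_stream(stream: bytes, cut_points) -> list:
    """Split a byte stream into (seq, payload) segments at the given offsets."""
    bounds = [0, *cut_points, len(stream)]
    return [(bounds[i], stream[bounds[i]:bounds[i + 1]]) for i in range(len(bounds) - 1)]


def demo():
    """Return (naive_result, stream_result) for a signature split across two segments."""
    # Constructed HTTP request; the first border falls 10 bytes into the signature.
    stream = b"GET /cgi-bin/search?q=" + SIGNATURE + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
    cut = stream.index(SIGNATURE) + 10
    segments = segment_stream(stream, [cut, cut + 20])
    naive = per_packet_scan(segments)
    scanner = StreamScanner()
    for seq, data in reversed(segments):   # deliver out of order to exercise reassembly
        scanner.feed(seq, data)
    return naive, scanner.hit
```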

Anti-Virus / Anti-Trojan

Using the above methods, the VigorPro scans connections for any virus or trojan signatures. On detecting a virus, the VigorPro will destroy it; if the virus is in an email (IMAP/POP3/SMTP), that email is destroyed. If the virus is in a downloaded file (FTP/HTTP), then that file is destroyed. The VigorPro's response can be recorded via syslog. Instead of destroying the virus, the current connection can be reset, or no action taken at all (other than logging), depending on your own preference. Where an email file attachment has been removed or destroyed, it is replaced with a harmless dummy file so that it's clear that something has been removed.

The VigorPro stores the current library of known threats. This is updated automatically by the VigorPro whenever a new signature library is available, so that your VigorPro is kept up to date. When you purchase the VigorPro, it includes 12 months' Anti-Virus/Anti-Intrusion updates from DrayTek Labs (D-SWAT Team). As an option, you can select the Kaspersky Labs virus signature file as an alternative at additional cost.

Anti-Spam

Spam (unsolicited bulk email) is one of the most serious threats to email productivity and also to Internet bandwidth usage. It is estimated that a staggering 90 billion spam emails are sent every day and that over 80% of all email sent across the Internet is spam. You can't stop it being sent, so intercepting or identifying it before it reaches your PC at least reduces your wasted time, processing and annoyance.

The VigorPro uses a method called RPD (Recurrent Pattern Detection) for identifying spam. RPD is a signatureless method based on the spam's unique distribution patterns. This provides the ability to identify spam from zero-day distribution, i.e. before it has been widely distributed and recognised by its specific content. This method also improves performance, as it is not necessary for the whole message to be examined by a remote server. A VigorPro 5510 operating RPD anti-spam can process up to 180 emails simultaneously and process a single email in 200 milliseconds. By detecting spam at your network borders, the impact on local network bandwidth is reduced, as well as the processing overhead on local resources (mail servers, clients etc.).

When the VigorPro determines that a message is likely to be spam or bulk email, the message headers (subject field) will be modified with a message string of your choice so that your email software or server can re-route or destroy the message as required.

DoS & DDoS Attack Protection

Denial of Service (DoS) attacks generally and most commonly occur at Layer 3/4 - the TCP/IP protocol layer. Such attacks are intended to block, disrupt or slow a network's Internet access by either confusing or overwhelming the router with data patterns known to confuse some network devices. These attacks most often use deliberately corrupted packet headers.

A Distributed DoS attack (DDoS) is a DoS which is launched from several (even thousands of) different locations at the same target simultaneously. Normally the owner of a DDoS launch site will be an unwitting party, having had their network infected with the DDoS code through a trojan, for example.

The VigorPro protects against DoS attacks firstly by having a robust TCP/IP stack, i.e. code which is designed not to be confused or act illogically when faced with anomalous packet headers; secondly by recognising common DoS attack types by their telltale pattern signatures; and thirdly by helping to stop your own network being used as a DDoS launchpad by preventing infection from a DDoS trojan. DoS attacks generally fall into Network Threat Categories 1, 2 & 3.

Intrusion Detection

Whereas a trojan virus is malicious code which is transferred in latent form within an otherwise innocent email or file, awaiting execution (triggering) once delivered, other exploit types are carried on their own self-instigated transport stream. These non-trojan types of exploit typically rely on flaws within operating systems, web protocols or Internet-facing servers (for example the 'CodeRed' exploit). They can also be code accidentally downloaded when visiting an infectious web site, where the user allows the download of malicious code without realising. The VigorPro, using MSSI™, will decode HTTP streams in real time to detect the signatures of any known exploits. The VigorPro's intrusion library has several categories of exploit/intrusion, including:

Intrusion Prevention System (IPS)

IDS (Intrusion Detection System) is a method of detecting intrusions and alerting the system administrator; typically the detection is carried out by a 'sniffing' device or proxy method. DrayTek's IPS uses inline IDS, which means that as well as alerting the system administrator, the suspicious content is blocked by the VigorPro (by resetting the connection or dropping the packets).

Employee Internet Abuse - The Enemy Within

Internet abuse (the unacceptable/unauthorised use of the Internet for non-work related matters during work hours) is an insidious problem which eats away at your company's effectiveness, harming your competitive edge and costing you money. Internet abuse is all too often overlooked by companies, and dismissed by the staff involved as insignificant. A little leeway and occasional use might be acceptable or tolerated, but there are some staff who will spend hours per week using the Internet instead of working. As well as the company time they waste, their usage can also impact on other people's legitimate usage by creating unnecessary traffic on your Internet feeds. There is also the risk of exposing your company to embarrassment or litigation if a staff member uses access for any unlawful or immoral purpose (pornography, file sharing etc.). The problem of corporate espionage can also be exacerbated by weak AUPs or lack of enforcement (Network Threat 5).

Sometimes the problem exists because companies have not laid down AUPs (Acceptable Use Policies) for staff Internet usage, but even where such policies exist, a minority of staff will still seek to abuse their employer's trust. Stealing company time can be as serious as stealing company property. Staff, or even household members, who abuse Internet access are not only betraying their employer, but their colleagues too. This isn't the occasional checking of personal email, but sometimes hours upon hours of personal web surfing.

Whilst this might paint a picture that 'all' employees are betraying their employer's trust, thankfully it is only a small minority. But a small minority making serious abuses of company Internet access (perhaps hundreds of hours per year spent on personal Internet usage during work time) will affect the effectiveness of the whole team, cheating employers and hard-working colleagues alike. Of course, abuse of company resources isn't new; telephones and postage, for example, have been abused for years, but the Internet eats almost invisibly into your company's most valuable resource: people's time. Internet abuse can damage a company for one or more of the following reasons:

  1. Waste of Employee Time - If an employee is chatting in an instant messaging (IM) system, they are not doing their job. IM in particular has been shown to be addictive and a real threat to employee effectiveness.
  2. Risk to Data - Uncontrolled or unauthorised installed software, for example peer-to-peer software, may have file sharing or remote control facilities which put company data at risk; risks of which even the user may not be aware.
  3. Risk to Security - The more exposure personnel have to unauthorised systems, external networks or proprietary software the greater the risk of exposure to uncontrolled network infections or trojans.
  4. Staff Relations - Whilst colleagues may be aware of someone's Internet abuse, they may be unwilling to report it, but might become resentful of the lack of team contribution from that person. This is bad for morale and will affect team effectiveness.
  5. Exposure to Litigation or Criminal Investigation - If a staff member conducts any illegal or immoral activity using company resources, this could lead to investigation into the company, even implicating the company. If a member of staff conducts any personal business affairs using company resources, this could also reflect on the company.

Some of the blocking methods can also be switched on and off according to time schedules, for example allowing access to employees' personal webmail sites during lunch times. The example screenshots to the right show how easy it is to block content which is unacceptable to your company, for example instant messaging, file-swapping software or web sites. This can be specific web sites, for example, or categories of web sites (managed by the SurfControl™ database). IP filtering is also available to set up manual filters at the IP layer, for the more advanced sysadmin.

VigorPro100 Content Filtering

The VigorPro has several functions relating to Internet facility blocking. You can combine these to make a system which corresponds with your own staff access policies or AUP and helps protect your company resources (typically Threat Categories 3 & 5):

Quality of Service (QoS) Assurance

Any Internet connection has finite bandwidth available, and in an Enterprise/Corporate environment, different data will have different priorities. Company email, for example, might be most important, whereas general web browsing might be less important. The VigorPro's QoS management facilities allow you to select the priority for different traffic types. The rules can be based on protocol, destination, source and various other factors. With QoS enabled, mission-critical data will always be given the specified percentage or fixed amount of your available bandwidth. When the high-priority application(s) don't need it, the bandwidth is made available to all other users. QoS helps against Network Threat No. 4, consequential problems of Internet use, in this case delayed data due to sharing bandwidth with non-essential or low-priority traffic.

WAN Failover & Load Balancing

The VigorPro 5510 has two WAN ports. These Ethernet ports are your connection to the outside world, via any Ethernet based Internet feed, for example a cable modem, ADSL modem or any other Ethernet based connection. In the simplest environment, you will have just one Internet connection in to the first WAN port.

If you have multiple Internet feeds, you can connect both of them to the VigorPro to provide greater total bandwidth by using both at once; this uses load balancing to distribute the traffic evenly across both feeds, or you can set an uneven ratio. With failover backup, the secondary connection is normally inactive but is used automatically in the event of the primary connection failing. Bandwidth-on-Demand (BoD) is where the second WAN interface is used whenever the first WAN interface exceeds preset throughput thresholds. This flexible dual-WAN facility provides redundancy and fault tolerance for your mission-critical network (Threat Category 5).

3G Modem WAN Failover

As well as the two Ethernet WAN ports, the VigorPro 5510 can connect to a 3G USB modem or suitable cellphone to provide additional wireless backup using the 3G data networks (Vodafone, T-Mobile, Orange, 3 etc.). The feature is described in more detail in the 3G section below.

SSL VPN

SSL VPNs

VPNs (Virtual Private Networks) enable you to link two remote computers or networks securely using the public Internet. An encrypted tunnel is created to carry your private data between the two sites. Tunnels making use of PPTP, L2TP, AES and IPSec protocols have been available on Vigor routers for many years and provide a simple-to-set-up solution for your site-to-site or teleworker VPNs. SSL VPNs provide a new method for teleworker-to-central-site VPN, providing great convenience, low TCO and simplicity where other methods may not be possible.

The need for SSL VPNs

One potential drawback of using the above methods for a teleworker-to-central-site VPN is that they need compatible protocol stacks at each end (e.g. an IPSec client or hardware) and, most importantly, those protocols need to be freely passed by your local host network. This isn't normally a problem where you own the computers and the network in use, as you can install any client, software or hardware you choose and allow any traffic types you like. Where it can become a problem is where you are using someone else's computer or network, where either you cannot use the O/S VPN client, or the host network blocks VPN protocols or makes them unreliable. This is most commonly a problem when using WiFi hotspots or other public Internet access methods (hotels, conference centres etc.).

You may already have heard of SSL, and you have almost certainly used it. SSL (Secure Sockets Layer) is the protocol used by all web browsers for accessing 'secure' web sites. You will have used secure web sites whenever you have used your credit card online or accessed your banking web site, for example. SSL is supported by all web browsers, and as it is so commonly used, all hotspots and other public Internet access will always allow SSL to pass properly. By using the SSL protocol for your teleworker VPN tunnel you therefore gain some important benefits:

Traditional VPN (e.g. AES/IPSec)                                     | SSL VPN
Requires VPN client or hardware                                      | Uses standard web browser SSL
Support for popular O/S's only                                       | Compatible with all computers/browsers
Licence fees for some vendors' client software (not DrayTek though!) | No client licence fees
Requires user to operate VPN client                                  | No special operator procedures; just use your web browser
At OSI 'network' layer                                               | At OSI 'session' layer
AES/DES/3DES encryption                                              | SSL encryption
Full network access (unless filtered)                                | Ability to easily restrict users to specific web applications
Network level access as standard                                     | Network level access via DrayTek Active-X SSL Tunnel plug-in
Teleworker or site-to-site (LAN-to-LAN)                              | Teleworker-to-host site only

Another advantage of web-based SSL VPN is that your host Vigor router presents the user with a login page to the network within their browser, and can then provide access only to the web-based applications or local servers which you allow, as opposed to a regular VPN, which connects the user to the network directly for access to any resource which is accessible locally. No TCP/UDP ports have to be opened on your host router; if the user cannot log in to the VPN, they won't get access.

As mentioned previously, an SSL VPN uses your standard web browser; this means that for web-based applications running at your office (webmail, Intranet, thin clients etc.) SSL VPNs work really well. This access method is called 'SSL Web Proxy' mode. A very common application for SSL VPN is remote desktop. By using the Windows 'Remote Desktop Web Connection', your office desktop will be accessible from your web browser wherever you are and whoever's computer you're using. In addition, by using the Vigor web proxy, you can browse external web sites via the tunnel, thus bypassing any local web site blocking policy (content filtering or local policies). If you are familiar with 'port redirection' or 'open ports setup' on Vigor routers, SSL Proxy to your internal web services is very similar in concept, except that the data passes through a secured tunnel, hence increasing security and privacy.

SSL VPNs beyond the Browser

Using the web browser for your remote access is great for accessing web-based applications (intranet, webmail, remote web desktop etc.), but it does not provide access to the actual network directly, for example for shared directory access, network resources or other applications which are not browser based. Only data or applications which are available in your web browser locally are available remotely via the SSL Proxy (see above).

For full network access, DrayTek provide an Active-X tunnel plug-in (effectively a VPN client) which transfers data at the network layer, making a full VPN tunnel. This is called SSL Tunnel mode. The plug-in is downloaded automatically by your browser from the host Vigor router when you log in to the SSL VPN and select Tunnel mode. You are then fully connected to the remote network for direct network resource access. In this way, you are no longer limited to running web-based applications and can access shares and other network resources.

DrayTek SSL VPN ActiveX Client


3G

3G Cellular Data Features

The VigorPro 5510's USB port can host a compatible 3G modem or cellphone for access to the cellular network for full Internet access. Most UK networks now provide high-speed HSDPA data connections at up to 3.6Mb/s download speed. The 3G connection can be used as your primary/only Internet access, or as backup to your main ADSL line connection. This is not only ideal for homes or offices which don't want to pay fixed line + broadband rental, but also for temporary locations, or those where fixed lines aren't available.

Supported 3G Modems / Phones

  • Huawei E220 (As used by Vodafone, T-Mobile, 3)
  • Huawei E226
  • Huawei E270
  • Huawei E272
  • Huawei E172
  • Nokia N70
  • Nokia N95
  • Nokia 6233
  • Nokia N73
  • Nokia E65
  • Option Globesurfer iCon
  • Option Globesurfer iCon 7.2
  • Sierra Aircard 876u
  • Sierra 875U
  • Telstra HSDPA USB Modem
  • 4G System XSPlug P3
  • MomoDesign MD-@
  • Benq EF91
  • LG U8380
  • Telstra Next G 3G USB
  • Bandrich Bandluxe C100
  • Bandrich Bandluxe C100S
  • Bandrich Bandluxe C120
  • Amoi H01
  • Aiko 76E
  • BigPond Next G
  • C-Motech D-50
  • ASUS T500 Modem
  • Zapp Telemodem Z020
  • ZTE AC8700 3G
  • ZTE MF622

A USB connection cable is required for your phone (not supplied).

 

The VigorPro and 3G cellular modem setup is ideal for:

VigorPro 5510 with 3G Modem

Note: DrayTek have no control over local network/provider operations or changes in network facilities/tariffs, nor do they make any claim over specific network compatibility. Please assure yourself that the router will be compatible with your chosen cellular network and provider and that you have adequate signal coverage before committing to any contract term. Please also ensure that your chosen provider and tariff allow access to all of your required applications (e.g. VPN, VoIP, messaging etc.), as many packages exist, some blocking certain data types.

Awards

Recent awards: PC Pro Recommended Award (VigorPro 5500); Trusted Reviews award (VigorPro 5510); SC Magazine Europe 2008 Award, Highly Commended; PC Pro Magazine Award Finalist, Best SME Security Solution, Highly Commended.

Review ratings: PC Pro (VigorPro 5510); Trusted Reviews (VigorPro 5510).

Subscription

Subscription Information

Every day, new viruses, spam, trojans and hostile web sites are being developed and distributed, so it's important that your VigorPro is kept up to date with the latest threat information. The VigorPro updates itself automatically to ensure that it has the latest threat information. There are various options, and the VigorPro includes some subscriptions as standard.

Feature                   | Service          | Included | Renewal (1 Year)
Anti-Virus/Anti-Intrusion | DrayTek (D-SWAT) | 3 Years  | TBA
Anti-Virus/Anti-Intrusion | Kaspersky Labs   | 1 Year   | TBA
Web Content Filtering     | SurfControl      | 30 Days  | US$50-US$240 est.
Anti-Spam                 | CommTouch        | -        | £90

Notes: You can operate either the DrayTek or the Kaspersky AV/AI solution, but not both at the same time. The 'included' period is supplied with new VigorPro units at no extra cost and runs concurrently even if not used. All other listed features of the VigorPro (firewalling, QoS, VPN) are included with the product as standard without further licensing requirements. All pricing shown is RRP, charged by third parties and subject to change.


Accessories

  • VigorPro Anti-Spam Licence
  • VigorPro Anti-Virus Licence

Specification

VigorPro 5510 - Specification

Security Features :

Connectivity Features

VPN Features

Quality of Service Assurance

Physical Characteristics

Comparison

Router Comparison Chart

DrayTek Vigor Router Comparison Chart

The above comparison chart is provided for approximate guidance; please refer to the full specification of each model for the exact product capabilities. E&OE. ©2008

©2008. Reproduction prohibited without written permission. Specification subject to change at any time without notice. E&OE. All sales are subject to standard terms. Trademarks are acknowledged of their respective owners. No specific endorsement is implied by the mention of any particular service provider.